From rcooper at DIMENSION-FLM.COM Mon Dec 1 00:57:25 2003
From: rcooper at DIMENSION-FLM.COM (Rick Cooper)
Date: Thu Jan 12 21:21:22 2006
Subject: f-prot eicar test
In-Reply-To:
Message-ID:

Add -dumb to the options. Without that option it knows the eicar
signatures are not an actual virus

> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On
> Behalf Of Noel Vargas
> Sent: Sunday, November 30, 2003 5:45 PM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: f-prot eicar test
>
>
> Hi:
>
> I've installed MailScanner on a Linux box with Postfix and
> f-prot, and I've been trying to test the system. It delivers
> and sends messages fine. I built the EICAR.COM test file from
> windows and sent it to this box, but it keeps showing me the
> eicar file and the logs don't show any attempt of disinfection.
>
> I just edited the f-prot wrapper to add the -auto -disinf
> options to no avail.
>
> Any help will be greatly appreciated.
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
>
>
>

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From mike at ZANKER.ORG Mon Dec 1 06:33:51 2003
From: mike at ZANKER.ORG (Mike Zanker)
Date: Thu Jan 12 21:21:22 2006
Subject: New Batch message appearing twice
In-Reply-To: <6.0.1.1.2.20031130223201.0284cb70@imap.ecs.soton.ac.uk>
References: <200311300000.hAU006uS021920@gaia.elec.ucl.ac.be>
 <6.0.1.1.2.20031130223201.0284cb70@imap.ecs.soton.ac.uk>
Message-ID: <124278968.1070260431@jemima.zanker.org>

On 30 November 2003 22:33 +0000 Julian Field wrote:

> I have just posted 4.25-12 which solves this. The only difference is
> in Log.pm.

Thanks, that has indeed fixed it.

Mike.

From m.sapsed at BANGOR.AC.UK Mon Dec 1 11:16:17 2003
From: m.sapsed at BANGOR.AC.UK (Martin Sapsed)
Date: Thu Jan 12 21:21:22 2006
Subject: icheckd vs. SAVI-Perl
References:
Message-ID: <3FCB2301.9000007@bangor.ac.uk>

Robin M. wrote:
> I am testing sophos and initially I set it up to run as a daemon with the
> icheckd interface, but after reading the mailscanner docs it appears to
> suggest that not installing icheckd and compiling the Savi-Perl module
> instead. Are there any benefits to running sophos with SAVI-Perl rather
> than running icheckd.

From my experience, all I get from icheckd is reporting of stuff from
windows clients. I don't really see it fitting into the MailScanner
equation at all?

As far as I can see, the only question with Sophos is whether to use
sweep or savi-perl?

Cheers,

Martin

--
Martin Sapsed
Information Services               "Who do you say I am?"
University of Wales, Bangor             Jesus of Nazareth

From smilga at MIKROTIK.COM Mon Dec 1 12:02:34 2003
From: smilga at MIKROTIK.COM (Martins Smilga)
Date: Thu Jan 12 21:21:22 2006
Subject: Mailscanner with Debian 3 testing
Message-ID: <052b01c3b803$01c0c890$a500010a@martinsss>

Hello,

Maybe someone has experience with mailscanner and how to install it on
the Debian testing version.

I have SpamAssassin + Sendmail.

I installed mailscanner from aptitude,
I can not find any detailed documentation on how to install mailscanner on
Debian with sendmail.
(http://www.sng.ecs.soton.ac.uk/mailscanner/install/sendmail.shtml)
I can find where I can change these settings (script).

Maybe there is another way to put together mailscanner + Debian + sendmail


Martins

From robin at PRIMUS.CA Mon Dec 1 13:31:41 2003
From: robin at PRIMUS.CA (Robin M.)
Date: Thu Jan 12 21:21:22 2006
Subject: icheckd vs. SAVI-Perl
In-Reply-To: <3FCB2301.9000007@bangor.ac.uk>
References: <3FCB2301.9000007@bangor.ac.uk>
Message-ID:

On Mon, 1 Dec 2003, Martin Sapsed wrote:

> From my experience, all I get from icheckd is reporting of stuff from
> windows clients. I don't really see it fitting into the MailScanner
> equation at all?
>
> As far as I can see, the only question with Sophos is whether to use
> sweep or savi-perl?
>

Hi

I realize now the purpose of icheckd. I had misunderstood the purpose of
it. I did assume that it was part of the sophos virus checking scenario
when in fact it was just using the command line sweep. I have since
started using the SaVi interface.

Thanks for this clarification.

cheers.

From jim at ENTROPHY-FREE.NET Mon Dec 1 13:47:44 2003
From: jim at ENTROPHY-FREE.NET (Jim Levie)
Date: Thu Jan 12 21:21:22 2006
Subject: [OT] MS + Trend InterScan Virus Wall
In-Reply-To: <1070060599.3522.3.camel@ra.thethompsonhouse.com>
References: <1070060599.3522.3.camel@ra.thethompsonhouse.com>
Message-ID: <1070286464.4136.3.camel@wilowisp.entrophy-free.net>

On Fri, 2003-11-28 at 17:03, Robert A. Thompson wrote:
> or the appropriate redhat/fedora release that RHEL is built from.
>
> --rat
>
>
> On Fri, 2003-11-28 at 16:17, Michele Neylon :: Blacknight Solutions
> wrote:
> > Can't you simply grab it from MySQL.com ?
> >

I believe a better solution is to build the server components from the
RHEL SRPMS, which is what I did before they relented and placed those
components in the "Extras".

--
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
The instructions said to use Windows 98 or better, so I installed RedHat
Jim Levie                                email:jim@entrophy-free.net

From rc at ITSS.NERC.AC.UK Mon Dec 1 14:13:57 2003
From: rc at ITSS.NERC.AC.UK (Ron Campbell)
Date: Thu Jan 12 21:21:22 2006
Subject: maps-rbl+
Message-ID: <3FCB4CA5.1010208@itss.nerc.ac.uk>

This is probably not of interest to those who are not in ac.uk

The MAPS-RBL+ list is actually the union of 4 separate lists (RBL, DUL,
RSS and OPS). For details, see

http://www.ja.net/CERT/JANET-CERT/mail/mail-abuse/rbl-plus-guide.html#available

One of these - the "dial-up list" is probably our main reason for SPAM
"false positives" at the moment. This is usually down to people working
from home via an ISP.

Is it possible to configure MS to use only some of the individual
MAPS-RBL+ lists ?

Or should we just give up on these lists and rely on SpamAssassin - all
the "false positives" which I have seen, have negative SA scores so it
is clearly getting these right. Of course, there will be other cases
which the lists get right and SA misses ?

Thanks ... Ron

From sysadmins at ENHTECH.COM Mon Dec 1 14:39:51 2003
From: sysadmins at ENHTECH.COM (Errol Neal)
Date: Thu Jan 12 21:21:22 2006
Subject: Mailscanner with Debian 3 testing
In-Reply-To: <052b01c3b803$01c0c890$a500010a@martinsss>
References: <052b01c3b803$01c0c890$a500010a@martinsss>
Message-ID: <6.0.0.22.0.20031201093927.0251e1f0@mail.enhtech.com>

At 07:02 AM 12/1/2003, Martins Smilga wrote:
>Hello,
>
>Maybe someone has experience with mailscanner and how to install it on
>the Debian testing version.
>
>I have SpamAssassin + Sendmail.
>
>I installed mailscanner from aptitude,
>I can not find any detailed documentation on how to install mailscanner on
>Debian with sendmail.
>(http://www.sng.ecs.soton.ac.uk/mailscanner/install/sendmail.shtml)
>I can find where I can change these settings (script).
>
>Maybe there is another way to put together mailscanner + Debian + sendmail
>
>
>Martins

Exactly what are you having problems with?

Errol Neal

From gabor at RC-SUBOTICA.CO.YU Mon Dec 1 14:33:44 2003
From: gabor at RC-SUBOTICA.CO.YU (Szemerédy Gábor)
Date: Thu Jan 12 21:21:22 2006
Subject: MailScanner and RedHat 6.0
Message-ID: <3FCB5148.D2A5961F@rc-subotica.co.yu>

Hello!
We are using RH 6.0, perl-5.00503-2, and sendmail 8.9.3 and would like
to use Mailscanner with clamav.
We tried MailScanner-3.27-1.i386.rpm and 4.24-5.rpm.tar.gz without any
success.
There are too many dependency errors during the installation.
Is somebody running MailScanner on RH 6.0 and which release?
Thanks

From brose at MED.WAYNE.EDU Mon Dec 1 14:44:01 2003
From: brose at MED.WAYNE.EDU (Rose, Bobby)
Date: Thu Jan 12 21:21:22 2006
Subject: maps-rbl+
Message-ID:

DULs don't affect people sending emails from home unless they are
running their own smtp server at home. If people are relaying their mail
thru their ISP like they're supposed to then it's not a problem. The
only issue with DULs is businesses with their own mail servers and using
dialup or broadband for their internet connection. But then again ISPs
tend not to want people using the cheaper residential services to run a
business and want them to pay extra for static IPs and such which usually
are not in the DULs.

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On
Behalf Of Ron Campbell
Sent: Monday, December 01, 2003 9:14 AM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: maps-rbl+

This is probably not of interest to those who are not in ac.uk

The MAPS-RBL+ list is actually the union of 4 separate lists (RBL, DUL,
RSS and OPS). For details, see

http://www.ja.net/CERT/JANET-CERT/mail/mail-abuse/rbl-plus-guide.html#available

One of these - the "dial-up list" is probably our main reason for SPAM
"false positives" at the moment. This is usually down to people working
from home via an ISP.

Is it possible to configure MS to use only some of the individual
MAPS-RBL+ lists ?

Or should we just give up on these lists and rely on SpamAssassin - all
the "false positives" which I have seen, have negative SA scores so it
is clearly getting these right. Of course, there will be other cases
which the lists get right and SA misses ?

Thanks ... Ron

From mailscanner at ecs.soton.ac.uk Mon Dec 1 14:51:55 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:21:22 2006
Subject: MailScanner and RedHat 6.0
In-Reply-To: <3FCB5148.D2A5961F@rc-subotica.co.yu>
References: <3FCB5148.D2A5961F@rc-subotica.co.yu>
Message-ID: <6.0.1.1.2.20031201145034.06ebe6b8@imap.ecs.soton.ac.uk>

At 14:33 01/12/2003, you wrote:
>Hello!
>We are using RH 6.0, perl-5.00503-2, and sendmail 8.9.3 and would like
>to
>use Mailscanner with clamav.
>We tried MailScanner-3.27-1.i386.rpm and 4.24-5.rpm.tar.gz without any
>success.
>There are too many dependency errors during the installation.

Did you run the install.sh script? What dependencies did it complain about?
I don't really support anything before 6.2. If my calculations are correct,
6.0 is 6 or 7 versions out of date. Are RedHat still supporting it?

>Is somebody running MailScanner on RH 6.0 and which release?
>Thanks

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From michele at BLACKNIGHTSOLUTIONS.COM Mon Dec 1 14:52:43 2003
From: michele at BLACKNIGHTSOLUTIONS.COM (Michele Neylon :: Blacknight Solutions)
Date: Thu Jan 12 21:21:22 2006
Subject: MailScanner and RedHat 6.0
In-Reply-To: <3FCB5148.D2A5961F@rc-subotica.co.yu>
Message-ID:

Hi

Quite a number of people are running it on Cobalt RAQs, so you should look
at the documents regarding this.

WORD OF WARNING: Be very careful using the command line CPAN module, as it
will probably upgrade your entire Perl installation even if you don't want
it to

Michele

Mr. Michele Neylon
Blacknight Internet Solutions Ltd
http://www.blacknightsolutions.ie/
http://www.search.ie/
Tel. + 353 (0)59 9139897
Lowest price domains in Ireland


> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On
> Behalf Of Szemeredy Gabor
> Sent: 01 December 2003 14:34
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: MailScanner and RedHat 6.0
>
>
> Hello!
> We are using RH 6.0, perl-5.00503-2, and sendmail 8.9.3 and would like
> to
> use Mailscanner with clamav.
> We tried MailScanner-3.27-1.i386.rpm and 4.24-5.rpm.tar.gz without any
> success.
> There are too many dependency errors during the installation.
> Is somebody running MailScanner on RH 6.0 and which release?
> Thanks
>

From raymond at PROLOCATION.NET Mon Dec 1 14:48:38 2003
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:21:22 2006
Subject: MailScanner and RedHat 6.0
In-Reply-To: <3FCB5148.D2A5961F@rc-subotica.co.yu>
Message-ID:

Hi!

> We are using RH 6.0, perl-5.00503-2, and sendmail 8.9.3 and would like
> to use Mailscanner with clamav.
> We tried MailScanner-3.27-1.i386.rpm and 4.24-5.rpm.tar.gz without any
> success.
> There are too many dependency errors during the installation.
> Is somebody running MailScanner on RH 6.0 and which release?
> Thanks

I would recommend upgrading to a more recent version of RH, you are also
missing security updates now.

Bye,
Raymond.

From raymond at PROLOCATION.NET Mon Dec 1 14:57:17 2003
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:21:22 2006
Subject: MailScanner and RedHat 6.0
In-Reply-To: <6.0.1.1.2.20031201145034.06ebe6b8@imap.ecs.soton.ac.uk>
Message-ID:

Hi!

> Did you run the install.sh script? What dependencies did it complain about?
> I don't really support anything before 6.2. If my calculations are correct,
> 6.0 is 6 or 7 versions out of date. Are RedHat still supporting it?

RH doesn't support it anymore and won't make new errata either. I would
strongly advise not to install new MS projects on a box like that ... :)

Bye,
Raymond.

From Denis.Beauchemin at USHERBROOKE.CA Mon Dec 1 17:11:03 2003
From: Denis.Beauchemin at USHERBROOKE.CA (Denis Beauchemin)
Date: Thu Jan 12 21:21:22 2006
Subject: ANNOUNCE: Stable Release 4.25-11
In-Reply-To: <6.0.1.1.2.20031129115646.04c45e38@imap.ecs.soton.ac.uk>
References: <6.0.1.1.2.20031129115646.04c45e38@imap.ecs.soton.ac.uk>
Message-ID: <1070298662.3002.167.camel@dbeauchemin.sti.usherbrooke.ca>

Hello Julian,

Haven't tested 4.25-12 yet but I did upgrade my RPM (on Fedora) and the
MailScanner.conf.rpmnew that was created still included
Infinite-Monkeys:
MailScanner]# grep Monk MailScanner.conf.rpmnew
Spam List = ORDB-RBL Infinite-Monkeys # MAPS-RBL+ costs money (except .ac.uk)

Denis

On Sat 29/11/2003 at 07:06, Julian Field wrote:
> G'Day all!
>
> I have just released the latest stable version 4.25-11.
>
> Some of the most important new features in this release are
> -- the ability to "disarm" dangerous HTML tags, while leaving the bulk of
> the message intact;
> -- a means to throttle SMTP connections from hosts which are deluging you
> with spam or viruses. You set the limit on the number of messages to
> receive per hour from any given host, and mail above that limit will be
> refused in the SMTP connection (sendmail only at the moment, sorry).
> -- the ability to set the permissions and ownership of temporary working
> files and the quarantine. This means that external systems such as a web
> server can access and manage the quarantine on behalf of your users,
> without the need for any risky setuid scripts.
>
> Download as usual from
> www.mailscanner.info
>
> The full ChangeLog for this release is here:
>
> 29/11/2003 New in Version 4.25-11
> =================================
> * New Features and Improvements *
> - Added support for "disarm" option on all HTML tag detectors, which will
>   disarm those tags while leaving the rest of the HTML intact.
> - Added support for more ways of specifying IP ranges in rulesets.
>   Can now do all of:
>     152.78
>     152.78.
>     /^152\.78/
>     152.78.0.0/16
>     152.78.0.0-152.78.255.255
> - Added support for retrieving configuration from LDAP.
> - Added support for changing uid, gid and permissions of both Incoming Work
>   Dir and Quarantine Dir.
> - Added facility to limit the size of any individual attachment.
>
> - Added support for DrWeb virus scanner, courtesy of Konrad Madej
>   .
> - Added support for Mail::ClamAV perl module, enabling ClamAV to scan without
>   having to call any external programs at all.
> - Panda version 7.0 supported.
> - Improved ClamAV parser to handle errors printed when processing viruses
>   containing corrupted zip files.
> - Improved F-Prot output parser.
> - Added inoculan autoupdater courtesy of "W-Mark Kubacki" .
> - Improved bitdefender-autoupdate script to support BitDefender 7 rather
>   better.
>
> - Greatly improved IPBlock code that throttles incoming SMTP connections
>   when a host sends too many messages per hour. Now support netblocks in all
>   sorts of different formats, and is enormously faster than previous code.
>   It works much more reliably and effectively too. See CustomConfig.pm.
> - Changed SpamAssassin timeout handler to kill processes and not process group.
> - Improved documentation in virus.scanners.conf.
> - Improved documentation of "disarm" configuration settings.
> - Added optimisation to LDAP ruleset compiler that identifies 1-line rulesets
>   which hold the default value.
> - Improved Linux install.sh script so it spots *.rpmnew files in amongst
>   -wrapper and -autoupdate scripts.
> - Added 'spamblacklisted' message property for use by MailWatch.
> - Added a new Custom Function to provide multiple outgoing queues for spam,
>   high-scoring spam, and real email.
> - Improved Linux init.d script so the "restart" delay is configurable in
>   /etc/sysconfig/MailScanner as that is preserved across upgrades.
> - Improved error message when unknown virus scanner name is used.
> - Added SORBS RBLs to spam.lists.conf.
> - Added some subject line sanity checks to cope with Outlook's bizarre
>   behaviour.
> - Added speed logging of different parts of the processing of a batch.
>   See the new "Log Speed" configuration setting.
> - Changed error handling in ruleset parser so it doesn't die if it finds
>   syntax errors, it now just warns you instead.
> - Improved syntax checking of rules in configuration ruleset files.
>
> * Fixes*
> - RPM distribution install.sh script now checks and creates pod2text properly.
> - Fixed bug whereby the same message files could be deleted more than once,
>   which could delete unprocessed messages using MTAs that name files after
>   the inode and not the time.
> - Syslogging should now start successfully on all versions of Solaris and IRIX.
> - Bug fix in Postfix file handling code from Stefan Baltus which will
>   hopefully patch up the last Solaris Postfix problem.
> - Fixed bug causing uid+gid to be ignored when quarantining whole messages.
> - Fixed bug causing Maximum Message Size not to be enforced properly.
> - Fixed bug where sender of bulk precedence mail would be sent some warnings
>   if their mail was identified as spam.
> --
> Julian Field
> www.MailScanner.info
> Professional Support Services at www.MailScanner.biz
> MailScanner thanks transtec Computers for their support
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

--
Denis Beauchemin, analyst
Université de Sherbrooke, S.T.I.
T: 819.821.8000x2252 F: 819.821.8045

From raymond at PROLOCATION.NET Mon Dec 1 17:24:48 2003
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:21:22 2006
Subject: ANNOUNCE: Stable Release 4.25-11
In-Reply-To: <1070298662.3002.167.camel@dbeauchemin.sti.usherbrooke.ca>
Message-ID:

Hi!

> Haven't tested 4.25-12 yet but I did upgrade my RPM (on Fedora) and the
> MailScanner.conf.rpmnew that was created still included
> Infinite-Monkeys:
> MailScanner]# grep Monk MailScanner.conf.rpmnew
> Spam List = ORDB-RBL Infinite-Monkeys # MAPS-RBL+ costs money (except .ac.uk)

It's in 4.25-12, and this might cause trouble, since in the new
spam.lists.conf it's removed (or better, commented out with a #). So yes,
that needs to be fixed, the default config should not have it anymore :)

Thanks,
Raymond.

From mailscanner at ecs.soton.ac.uk Mon Dec 1 18:37:06 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:21:22 2006
Subject: ANNOUNCE: Stable Release 4.25-11
In-Reply-To:
References: <1070298662.3002.167.camel@dbeauchemin.sti.usherbrooke.ca>
Message-ID: <6.0.1.1.2.20031201183625.02782d20@imap.ecs.soton.ac.uk>

At 17:24 01/12/2003, you wrote:
>Hi!
>
> > Haven't tested 4.25-12 yet but I did upgrade my RPM (on Fedora) and the
> > MailScanner.conf.rpmnew that was created still included
> > Infinite-Monkeys:
> > MailScanner]# grep Monk MailScanner.conf.rpmnew
> > Spam List = ORDB-RBL Infinite-Monkeys # MAPS-RBL+ costs money (except
> .ac.uk)
>
>It's in 4.25-12, and this might cause trouble, since in the new
>spam.lists.conf it's removed (or better, commented out with a #). So yes,
>that needs to be fixed, the default config should not have it anymore :)

You are quite right, it will cause trouble. Now fixed with release of 4.25-13.

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From jacques at MONACO.NET Mon Dec 1 18:25:52 2003
From: jacques at MONACO.NET (Jacques Caruso)
Date: Thu Jan 12 21:21:22 2006
Subject: Empty messages, again (on 4.25-9)
Message-ID: <200312011920.50708.jacques@monaco.net>

Hi everybody,

I have upgraded to 4.25-9 since Thursday, and today the dreaded empty-mail
problem has resurfaced. The problems always appear in the same order:

* MS stops processing messages without logging anything. The messages
  start to clog up the postfix.in/deferred queue
* We notice the problem (usually when the queue is very huge, around
  ~1400 messages today) and restart MS
* Processing of messages restarts, the system load goes through the roof
  (from ~3 to ~15)
* Postfix begins to emit 'Skipped, still being delivered' messages, as MS
  accesses messages in the (wrong) postfix.in/incoming queue:

[root@sceuzi][~]# cat lsof.out | grep postfix.in/incom
MailScann 15893 postfix 18uW REG 8,2 2362 1802747 /var/spool/postfix.in/incoming/4/4ABB91B81FB
MailScann 15900 postfix 25uW REG 8,2 1672 1802536 /var/spool/postfix.in/incoming/7/701A91B8128
MailScann 15900 postfix 30uW REG 8,2 2204 1804071 /var/spool/postfix.in/incoming/7/707E41B8727
MailScann 15900 postfix 31uW REG 8,2 2306 1804100 /var/spool/postfix.in/incoming/7/7F8C41B8744
MailScann 15900 postfix 32uW REG 8,2 25385 1804118 /var/spool/postfix.in/incoming/7/7959C1B8756
MailScann 15900 postfix 33uW REG 8,2 3954 1802533 /var/spool/postfix.in/incoming/7/713D81B8125
MailScann 15900 postfix 34uW REG 8,2 2161 1802605 /var/spool/postfix.in/incoming/7/76CE31B816D
MailScann 15900 postfix 35uW REG 8,2 2636 1803233 /var/spool/postfix.in/incoming/7/7CCAC1B83E1
MailScann 15910 postfix 20uW REG 8,2 1998 1802462 /var/spool/postfix.in/incoming/B/BDF961B80DE
MailScann 15924 postfix 17uW REG 8,2 1771 1802541 /var/spool/postfix.in/incoming/7/761651B812D
MailScann 15945 postfix 27uW REG 8,2 1614 1803853 /var/spool/postfix.in/incoming/7/73F9C1B864D
cleanup 17875 postfix 16u REG 8,2 81920 1802800 /var/spool/postfix.in/incoming/5/57FDC1B8230
cleanup 18615 postfix 16u REG 8,2 0 1802797 /var/spool/postfix.in/incoming/4/45A501B822D
MailScann 21344 postfix 18u REG 8,2 2362 1802747 /var/spool/postfix.in/incoming/4/4ABB91B81FB
MailScann 21348 postfix 20u REG 8,2 1998 1802462 /var/spool/postfix.in/incoming/B/BDF961B80DE

I noticed that a new version appeared on 29/11. Still, the changelog lists
only two more fixes, apparently unrelated to my problem:

- Fixed bug where sender of bulk precedence mail would be sent some
  warnings if their mail was identified as spam.
- Fixed duplicate logging of New Batch messages. Abandoned support of
  syslog-ng until I can test it properly on my own systems.

Like last time, I put the result of 'lsof' and 'ps -afx' on a web server:

http://aragorn.monaco.net/tmp/ms/2/lsof.out.txt
http://aragorn.monaco.net/tmp/ms/2/psafx.out.txt

Could someone give me hints about:

* preventing MS from stopping to process mail? This happens every few
  days for apparently no reason. The processes just sit idle.
* preventing MS from accessing mail in the postfix.in/incoming queue?
  I've thought about permissions but I don't see how to let MS read in
  deferred but not in incoming (after all, they need to have the same
  permissions for Postfix to operate).

Any help (like a hint to a probable cause for the problems) will be
greatly appreciated.

Cheers,

--
[ Jacques Caruso                       PHP Developer ]
[ Monaco Internet                      http://monaco-internet.mc/ ]
[ Tel: (+377) 93 10 00 43              PGP key: 0x41F5C63D ]
[ * Tired of choosing the lesser of two evils? Vote Cthulhu in 2004! * ]

From ccampbell at BRUEGGERS.COM Mon Dec 1 18:45:23 2003
From: ccampbell at BRUEGGERS.COM (Christian Campbell)
Date: Thu Jan 12 21:21:22 2006
Subject: Upgrade Advice
Message-ID:

I am currently running MailScanner 8.12.8 and Spam Assassin 2.55 on a RedHat
8.0 server with Sendmail 8.12.8. This is a production server. I am
interested in upgrading to the most recent versions of MS and SA. MS and SA
were installed via RPM. Since then, I have heard that installing SA via RPM
isn't the best idea, especially when wanting to upgrade SA. The ideal SA
installation and upgrade is building from source, from what I've gathered.

I am in the unfortunate position of running all this on a production box,
and not having an identical test box to try my upgrade out. In addition,
this server is responsible for DNS and our Apache server. IOW: I can't
mess this box up.

Looking for advice as to the best way to upgrade both MS and SA.

Should I do a RPM upgrade on MS, uninstall the SA RPM and reinstall the new
version of SA from source? Or, is there a better way to go about this?
Does it matter which order I do this in?

In addition, over time, more spam seems to not be tagged. I assume that
with each release of SA, the SA rulebase is updated, and there will be a
better chance of catching more spam? If that's the case, is there a way to
update the SA rules without upgrading? Or, is a rule update the same as
upgrading?

Looking for suggestions. Pardon my ignorance...MS and SA are still pretty
new to me.

Thanks in advance,

Christian


Christian P. Campbell
Systems Engineer
Information Technology Department
Bruegger's Enterprises, Inc.
Desk: (802) 652-9270
Cell: (802) 734-5023
Email: ccampbell at brueggers dot com
Registered Linux User #319324

PGP public key available via PGP keyservers
or http://www2.brueggers.com/pgp/ccampbell.html

"We all know Linux is great...
it does infinite loops in 5 seconds."
 -- Linus Torvalds

From ccampbell at BRUEGGERS.COM Mon Dec 1 18:47:05 2003
From: ccampbell at BRUEGGERS.COM (Christian Campbell)
Date: Thu Jan 12 21:21:22 2006
Subject: Upgrade Advice
Message-ID:

> I am currently running MailScanner 8.12.8 and Spam Assassin

Correction...my MS version is 4.23

From Denis.Beauchemin at USHERBROOKE.CA Mon Dec 1 18:48:34 2003
From: Denis.Beauchemin at USHERBROOKE.CA (Denis Beauchemin)
Date: Thu Jan 12 21:21:22 2006
Subject: upgrade_MailScanner_conf
Message-ID: <1070304513.3002.182.camel@dbeauchemin.sti.usherbrooke.ca>

Hello Julian,

When running upgrade_MailScanner_conf I end up losing the
default/recommended values you suggest for settings I have changed. I
usually keep your values commented out but upgrade_MailScanner_conf
deletes them.

I know about the --keep-comments option but I want the new values and
improved configuration options too...

Could upgrade_MailScanner_conf keep its default/recommended values as
comments if they differ from our values?

Thanks again!

Denis
--
Denis Beauchemin, analyst
Université de Sherbrooke, S.T.I.
T: 819.821.8000x2252 F: 819.821.8045

From robin at PRIMUS.CA Mon Dec 1 18:56:10 2003
From: robin at PRIMUS.CA (Robin M.)
Date: Thu Jan 12 21:21:22 2006
Subject: ANNOUNCE: Stable Release 4.25-13
In-Reply-To: <6.0.1.1.2.20031201183625.02782d20@imap.ecs.soton.ac.uk>
References: <1070298662.3002.167.camel@dbeauchemin.sti.usherbrooke.ca>
 <6.0.1.1.2.20031201183625.02782d20@imap.ecs.soton.ac.uk>
Message-ID:

On Mon, 1 Dec 2003, Julian Field wrote:

> You are quite right, it will cause trouble. Now fixed with release of 4.25-13.

Hi Julian, is there any way you would be willing to title your versions
4.25.13? When creating rpms the dash is not recognized as a proper
delimiter for versions. When creating rpms the dash is used to delimit the
release number.

From kevins at BMRB.CO.UK Mon Dec 1 19:13:15 2003
From: kevins at BMRB.CO.UK (Kevin Spicer)
Date: Thu Jan 12 21:21:22 2006
Subject: Upgrade Advice
In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB00188B6C2@pascal.priv.bmrb.co.uk>
References: <5C0296D26910694BB9A9BBFC577E7AB00188B6C2@pascal.priv.bmrb.co.uk>
Message-ID: <1070306600.10877.7.camel@bach.kevinspicer.co.uk>

On Mon, 2003-12-01 at 18:45, Christian Campbell wrote:

> Looking for advice as to the best way to upgrade both MS and SA.

I would not do both upgrades at the same time (actually that's not
completely true - I probably would do it but then I'm a fool). So if you
have problems you'll know which upgrade caused them. I'd suggest
upgrading MailScanner first when doing any upgrade [newer versions of
external programs are more likely to cause problems for mailscanner than
the other way around]. Remember that upgrade_MailScanner_conf is your
friend.

Once you're sure all is well with MS then upgrade SA. Turn off
spamassassin in MailScanner (don't forget to restart MailScanner after
changing the config file). rpm -e spamassassin, build and install the
new version from the tarfile (follow the docs on the MailScanner site
rather than the SA install docs, you'll save yourself some work). Then
turn spamassassin back on.

From Denis.Beauchemin at USHERBROOKE.CA Mon Dec 1 19:24:52 2003
From: Denis.Beauchemin at USHERBROOKE.CA (Denis Beauchemin)
Date: Thu Jan 12 21:21:22 2006
Subject: Maximum Attachment Size
Message-ID: <1070306691.3002.192.camel@dbeauchemin.sti.usherbrooke.ca>

Hi,

I am testing the Maximum Attachment Size value and think it can save me
time... once again! :-)

I was wondering if the email that is sent to the sender
(sender.error.report.txt) could include the size of the attachment that
was rejected... If not, could it at least include the value of Maximum
Attachment Size? How?

Thanks again Julian!

Denis
--
Denis Beauchemin, analyst
Université de Sherbrooke, S.T.I.
T: 819.821.8000x2252 F: 819.821.8045

From mailscanner at ecs.soton.ac.uk Mon Dec 1 19:31:42 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:21:22 2006
Subject: Upgrade Advice
In-Reply-To:
References:
Message-ID: <6.0.1.1.2.20031201192528.03f57e90@imap.ecs.soton.ac.uk>

Installing SA from RPM is indeed a bad idea. But to get the packaging, you
can download the SRPM and "rpmbuild --rebuild" the RPM from it. This will
give you an RPM which is set up for your system. I've done that on 1 or 2
machines and it all works fine.

If you upgrade MS, be sure to run "upgrade_MailScanner_conf" afterwards so
you get all the new config options in your MailScanner.conf.

Also, note that Net::CIDR is a new dependency, so you may want to
         perl -MCPAN -e shell
         install Net::CIDR
before you start doing anything. If that install command looks like it is
downloading perl itself, thump Ctrl-C quickly and bail out. You will find
the source of Net::CIDR under ~root/.cpan/build and you can build it from
there without it trying to install Perl 5.8.2!

Once you have installed MailScanner, stop the service and then it might be
worth setting "Debug = yes" and then run check_MailScanner. If there are
any errors, you will see them straight away and can fix them. Then set
"Debug = no" again and start it as normal.

I upgraded my own production servers today and it went okay :-)

At 18:45 01/12/2003, you wrote:
>I am currently running MailScanner 8.12.8 and Spam Assassin 2.55 on a RedHat
>8.0 server with Sendmail 8.12.8. This is a production server. I am
>interested in upgrading to the most recent versions of MS and SA. MS and SA
>were installed via RPM. Since then, I have heard that installing SA via RPM
>isn't the best idea, especially when wanting to upgrade SA. The ideal SA
>installation and upgrade is building from source, from what I've gathered.
>
>I am in the unfortunate position of running all this on a production box,
>and not having an identical test box to try my upgrade out. In addition,
>this server is responsible for DNS and our Apache server. IOW: I can't
>mess this box up.
>
>Looking for advice as to the best way to upgrade both MS and SA.
>
>Should I do a RPM upgrade on MS, uninstall the SA RPM and reinstall the new
>version of SA from source? Or, is there a better way to go about this?
>Does it matter which order I do this in?
>
>In addition, over time, more spam seems to not be tagged. I assume that
>with each release of SA, the SA rulebase is updated, and there will be a
>better chance of catching more spam? If that's the case, is there a way to
>update the SA rules without upgrading? Or, is a rule update the same as
>upgrading?
>
>Looking for suggestions. Pardon my ignorance...MS and SA are still pretty
>new to me.
>
>Thanks in advance,
>
>Christian
>
>
>Christian P. Campbell
>Systems Engineer
>Information Technology Department
>Bruegger's Enterprises, Inc.
>Desk: (802) 652-9270
>Cell: (802) 734-5023
>Email: ccampbell at brueggers dot com
>Registered Linux User #319324
>
>PGP public key available via PGP keyservers
>or http://www2.brueggers.com/pgp/ccampbell.html
>
>"We all know Linux is great...
>it does infinite loops in 5 seconds."
> -- Linus Torvalds

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From jaearick at COLBY.EDU Mon Dec 1 19:47:14 2003
From: jaearick at COLBY.EDU (Jeff A. Earickson)
Date: Thu Jan 12 21:21:22 2006
Subject: Notes on new IPBlock code, 4.25-11
Message-ID:

Gang,

Julian introduced a newer, faster, cooler version of IPBlock
(see CustomConfig.pm) in version 4.25-11. The new version allows
you to dynamically block connections from rogue/spam machines in
your sendmail access.db file in real time. IPBlock counts mail
messages (good, bad, spam) from IP numbers, tracks these connection
numbers in a DB file, and modifies your sendmail access.db file
if the number of connections exceeds thresholds that you configure.

The major new feature in IPBlock is that the config file understands CIDR
netblocks, so you can set different thresholds for different netblocks.
You can literally "rule the world" with about 30 lines in your config
file, see:

http://www.sng.ecs.soton.ac.uk/mailscanner/serve/cache/239.html

for the details of how I set up things at my site. I have been running
with this ruleset for about a week now, plus additional rulesets for
my own domain -- admin offices get one setting and dorm rooms get a
lower setting. I had asked Julian a couple of weeks ago if IPBlock could
use Net::CIDR because my site has been getting hit with student computers
that contain spam trojans. Julian graciously modified IPBlock to use
CIDR and I tested it last week. When a spam trojan fires off, it can bury
my mail server very quickly. IPBlock gives me a tool to fight this.

The Good News and Bad News... Good News: The new IPBlock works as
advertised. It will modify access.db and block a rogue site according
to the config file, and the CIDR configs work. The Bad News: not that
much happens, even with very low settings for my dorm networks, and my
"world domination" CIDR settings for the planet. In one week, only three
off-campus sites ended up in the access.db file, with zero emails actually
blocked after the access.db changes.

Last night was the acid test with an on-campus spam trojan. The rogue
machine came alive at 00:01:32 last night. With a config limit of 100
messages/hour, the machine was IPBlocked at 00:14:07, with 6 subsequent
connections blocked out. But, the rogue machine had flooded my mqueue.in
with several thousand messages in those 13 minutes, and it took nearly
two hours for this flood to be processed by my server. A lot of these
messages were subsequently deleted as high-spam by Spamassassin and MS,
or doublebounced, or were blocked by AOL (the target site). Some got
delivered. The tsunami of spam was already on my mail server by the
time MS shut the door, since IPBlock is run last in the MS process.

Summary: IPBlock is useful against spam trojans, but not as useful as
I had hoped. YMMV.

Sendmail Note: sendmail 8.13.0 is on the horizon, see

http://www.sendmail.org/8.13.0.PreAlpha4.html

One new feature buried there is connection rate control, see the ChangeLog.
This may aid in blocking rogue machines too.

--- Jeff Earickson
    Colby College

From raymond at PROLOCATION.NET Mon Dec 1 19:54:49 2003
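[Added example, not part of any message in this thread and not IPBlock's own code. It sketches the mechanism described in the message above: per-source counters with CIDR-specific hourly limits, and how many messages are already accepted when the counter only sees a message some time after it arrived. The rule format, netblocks, traffic, fixed counting delay and all function names are constructed assumptions.]

```python
import ipaddress
from collections import defaultdict, deque

# Constructed ruleset: (netblock, messages allowed per hour).
# The most specific netblock containing the sender wins.
RULES = [
    ("0.0.0.0/0", 500),        # everyone else
    ("192.0.2.0/24", 300),     # constructed "admin offices" range
    ("192.0.2.128/25", 100),   # constructed "dorm rooms" range
]
WINDOW = 3600  # seconds in the counting window


def limit_for(ip, rules=RULES):
    """Return the hourly limit of the longest-prefix netblock containing ip."""
    addr = ipaddress.ip_address(ip)
    matches = []
    for cidr, limit in rules:
        net = ipaddress.ip_network(cidr)
        if addr in net:
            matches.append((net.prefixlen, limit))
    return max(matches)[1] if matches else None


def block_decisions(arrivals, count_delay=0, rules=RULES, window=WINDOW):
    """Decide when each sender would be blocked.

    arrivals:    list of (epoch_seconds, source_ip), in any order.
    count_delay: seconds between a message arriving and the counter seeing
                 it (0 = counted at SMTP time; large = counted after the
                 message has waited in the inbound queue and been scanned).
    Returns {ip: (block_time, accepted)} where accepted is the number of
    messages from ip that had already arrived by block_time.
    """
    counted = sorted((ts + count_delay, ip) for ts, ip in arrivals)
    recent = defaultdict(deque)   # ip -> times counted inside the window
    blocked = {}
    for seen_at, ip in counted:
        if ip in blocked:
            continue
        q = recent[ip]
        q.append(seen_at)
        while q[0] <= seen_at - window:   # drop counts older than the window
            q.popleft()
        limit = limit_for(ip, rules)
        if limit is not None and len(q) > limit:
            accepted = sum(1 for ts, src in arrivals
                           if src == ip and ts <= seen_at)
            blocked[ip] = (seen_at, accepted)
    return blocked


def constructed_traffic():
    """Constructed sample: one flooding host and one normal host."""
    # Flooding host: 5 messages/second for 13 minutes, starting at t=92 s.
    rogue = [(92 + i // 5, "192.0.2.200") for i in range(5 * 780)]
    # Normal host: one message a minute for two hours.
    office = [(60 * m, "192.0.2.10") for m in range(120)]
    return rogue + office


if __name__ == "__main__":
    traffic = constructed_traffic()
    for delay in (0, 600):
        for ip, (when, accepted) in block_decisions(traffic, delay).items():
            print(f"delay={delay:>3}s  {ip} blocked at t={when}s "
                  f"after {accepted} messages were accepted")
```

[With the constructed flood, counting at arrival blocks the host after about a hundred messages; counting ten minutes late blocks it only after more than three thousand have been queued, even though the limit is the same.]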
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:21:22 2006
Subject: Notes on new IPBlock code, 4.25-11
In-Reply-To:
Message-ID:

Hi!

> machine came alive at 00:01:32 last night. With a config limit of 100
> messages/hour, the machine was IPBlocked at 00:14:07, with 6 subsequent
> connections blocked out. But, the rogue machine had flooded my mqueue.in
> with several thousand messages in those 13 minutes, and it took nearly
> two hours for this flood to be processed by my server. A lot of these
> messages were subsequently deleted as high-spam by Spamassassin and MS,
> or doublebounced, or were blocked by AOL (the target site). Some got
> delivered. The tsunami of spam was already on my mail server by the
> time MS shut the door, since IPBlock is run last in the MS process.

That's due to Swen. But you could fight Swen. I assume you have currently
the MX functions for your server AND the smtp relay function on the same
box ? Swen does a MX lookup and starts to blow mail. If you want to stop
this, separate the MX and SMTP function. If your MX -ONLY- accepts mail
for @yourdomain.com it will -completely- block this crap. Since it's always
mail to external parties, most of them AOL.COM and that won't pass the
rules of your MX, since it's not TO: @yourdomain.

I didn't see a single AOL Swen thing pass since we altered our configs.
Load dropped with around 1M messages a day, so i guess AOL was pretty
happy when we activated the changes.

Bye,
Raymond.

From raymond at PROLOCATION.NET Mon Dec 1 19:58:16 2003
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:21:22 2006
Subject: Notes on new IPBlock code, 4.25-11
In-Reply-To:
Message-ID:

Hi!

> connections blocked out. But, the rogue machine had flooded my mqueue.in
> with several thousand messages in those 13 minutes, and it took nearly
> two hours for this flood to be processed by my server. A lot of these
> messages were subsequently deleted as high-spam by Spamassassin and MS,
> or doublebounced, or were blocked by AOL (the target site). Some got
> delivered. The tsunami of spam was already on my mail server by the
> time MS shut the door, since IPBlock is run last in the MS process.

Another thing you could do is use the simple script i have running. It
can clean out your in and your out queue, i made it for both sendmail
and exim. If you have an IP in your accesslist with DENY it will lookup
the files of that sender and delete the according q* and d* files
automatically. That will clean your queue for the offending IPs amazingly
fast. :) If you process the queue most likely you will end up in AOLs
spamblock in a few days.

If people are interested i can mail it.

Bye,
Raymond.

From damin at NACS.NET Mon Dec 1 20:00:40 2003
From: damin at NACS.NET (Greg Boehnlein)
Date: Thu Jan 12 21:21:22 2006
Subject: Notes on new IPBlock code, 4.25-11
In-Reply-To:
Message-ID:

On Mon, 1 Dec 2003, Raymond Dijkxhoorn wrote:

> Hi!
>
> > connections blocked out. But, the rogue machine had flooded my mqueue.in
> > with several thousand messages in those 13 minutes, and it took nearly
> > two hours for this flood to be processed by my server. A lot of these
> > messages were subsequently deleted as high-spam by Spamassassin and MS,
> > or doublebounced, or were blocked by AOL (the target site). Some got
> > delivered. The tsunami of spam was already on my mail server by the
> > time MS shut the door, since IPBlock is run last in the MS process.
>
> Another thing you could do is use the simple script i have running. It
> can clean out your in and your out queue, i made it for both sendmail
> and exim. If you have an IP in your accesslist with DENY it will lookup
> the files of that sender and delete the according q* and d* files
> automatically. That will clean your queue for the offending IPs amazingly
> fast. :) If you process the queue most likely you will end up in AOLs
> spamblock in a few days.
>
> If people are interested i can mail it.

I am interested. Send it to me off list, or be a Pal and post a link to
the list so everyone can share in the fun! :)

--
Vice President of N2Net, a New Age Consulting Service, Inc. Company
http://www.n2net.net Where everything clicks into place!
KP-216-121-ST

From ccampbell at BRUEGGERS.COM Mon Dec 1 20:26:40 2003
From: ccampbell at BRUEGGERS.COM (Christian Campbell)
Date: Thu Jan 12 21:21:22 2006
Subject: Upgrade Advice
Message-ID:

> >Should I do a RPM upgrade on MS, uninstall the SA RPM and
> reinstall the new
> >version of SA from source? Or, is there a better way to go
> about this?
> >Does it matter which order I do this in?
> >
>
> I upgraded my own production servers today and it went okay :-)

Should I uninstall the perl-Mail-SpamAssassin-2.55-rh8.1.i386.rpm package
along with the spamassassin and spamassassin-tools packages?

Thanks,

Christian

Christian P. Campbell
Systems Engineer
Information Technology Department
Bruegger's Enterprises
Desk: (802) 652-9270
Cell: (802) 734-5023
Email: ccampbell at brueggers dot com
Registered Linux User #319324

PGP public key available via PGP keyservers
or http://www2.brueggers.com/pgp/ccampbell.html

"We all know Linux is great...it does infinite loops in 5 seconds." -- Linus
Torvalds

From mailscanner at ecs.soton.ac.uk Mon Dec 1 20:30:58 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:21:22 2006
Subject: Upgrade Advice
In-Reply-To:
References:
Message-ID: <6.0.1.1.2.20031201203015.027e4a88@imap.ecs.soton.ac.uk>

At 20:26 01/12/2003, you wrote:
> > >Should I do a RPM upgrade on MS, uninstall the SA RPM and
> > reinstall the new
> > >version of SA from source? Or, is there a better way to go
> > about this?
> > >Does it matter which order I do this in?
> > >
> >
> > I upgraded my own production servers today and it went okay :-)
>
>Should I uninstall the perl-Mail-SpamAssassin-2.55-rh8.1.i386.rpm package
>along with the spamassassin and spamassassin-tools packages?

Yes, definitely.

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From michele at BLACKNIGHTSOLUTIONS.COM Mon Dec 1 20:29:48 2003
From: michele at BLACKNIGHTSOLUTIONS.COM (Michele Neylon :: Blacknight Solutions)
Date: Thu Jan 12 21:21:22 2006
Subject: Upgrade Advice
In-Reply-To:
Message-ID:

Depends on how you plan to replace them :)
If you run rpm -Uvh it should upgrade them

Mr. Michele Neylon
Blacknight Internet Solutions Ltd
http://www.blacknightsolutions.ie/
http://www.search.ie/
Tel. + 353 (0)59 9139897
Lowest price domains in Ireland

> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On
> Behalf Of Christian Campbell
> Sent: 01 December 2003 20:27
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: Upgrade Advice
>
>
> > >Should I do a RPM upgrade on MS, uninstall the SA RPM and
> > reinstall the new
> > >version of SA from source? Or, is there a better way to go
> > about this?
> > >Does it matter which order I do this in?
> > >
> >
> > I upgraded my own production servers today and it went okay :-)
>
> Should I uninstall the perl-Mail-SpamAssassin-2.55-rh8.1.i386.rpm package
> along with the spamassassin and spamassassin-tools packages?
>
> Thanks,
>
> Christian
>
>
> Christian P. Campbell
> Systems Engineer
> Information Technology Department
> Bruegger's Enterprises
> Desk: (802) 652-9270
> Cell: (802) 734-5023
> Email: ccampbell at brueggers dot com
> Registered Linux User #319324
>
> PGP public key available via PGP keyservers
> or http://www2.brueggers.com/pgp/ccampbell.html
>
>
> "We all know Linux is great...it does infinite loops in 5
> seconds." -- Linus
> Torvalds
>

From mike at TC3NET.COM Mon Dec 1 20:19:33 2003
From: mike at TC3NET.COM (Michael Baird)
Date: Thu Jan 12 21:21:22 2006
Subject: Notes on new IPBlock code, 4.25-11
In-Reply-To:
References:
Message-ID: <1070309973.752.23.camel@mike-new2.tc3net.com>

I run a cron script, based on software from 1997 that I found that was
called "SpamShield", I run this every 3 minutes it counts the amount of
recipients in that span, and if they are over the threshold I've set it
adds the deny. I realized this would be a problem to do in mailscanner,
because the mail is received before mailscanner calculates its
statistics. I would expect the MailScanner blocks to be more effective
as long term throttles, rather than instant spam flood stops. The
MailStats.pl guy has something similar to the script I use to stop these
spam storms, his might be more ready for other users than mine.

Regards
MIKE

> Gang,
>
> Julian introduced a newer, faster, cooler version of IPBlock
> (see CustomConfig.pm) in version 4.25-11. The new version allows
> you to dynamically block connections from rogue/spam machines in
> your sendmail access.db file in real time. IPBlock counts mail
> messages (good, bad, spam) from IP numbers, tracks these connection
> numbers in a DB file, and modifies your sendmail access.db file
> if the number of connections exceeds thresholds that you configure.
>
> The major new feature in IPBlock is that the config file understands CIDR
> netblocks, so you can set different thresholds for different netblocks.
> You can literally "rule the world" with about 30 lines in your config
> file, see:
>
> http://www.sng.ecs.soton.ac.uk/mailscanner/serve/cache/239.html
>
> for the details of how I set up things at my site. I have been running
> with this ruleset for about a week now, plus additional rulesets for
> my own domain -- admin offices get one setting and dorm rooms get a
> lower setting. I had asked Julian a couple of weeks ago if IPBlock could
> use Net::CIDR because my site has been getting hit with student computers
> that contain spam trojans. Julian graciously modified IPBlock to use
> CIDR and I tested it last week. When a spam trojan fires off, it can bury
> my mail server very quickly. IPBlock gives me a tool to fight this.
>
> The Good News and Bad News... Good News: The new IPBlock works as
> advertised. It will modify access.db and block a rogue site according
> to the config file, and the CIDR configs work. The Bad News: not that
> much happens, even with very low settings for my dorm networks, and my
> "world domination" CIDR settings for the planet. In one week, only three
> off-campus sites ended up in the access.db file, with zero emails actually
> blocked after the access.db changes.
>
> Last night was the acid test with an on-campus spam trojan. The rogue
> machine came alive at 00:01:32 last night. With a config limit of 100
> messages/hour, the machine was IPBlocked at 00:14:07, with 6 subsequent
> connections blocked out. But, the rogue machine had flooded my mqueue.in
> with several thousand messages in those 13 minutes, and it took nearly
> two hours for this flood to be processed by my server. A lot of these
> messages were subsequently deleted as high-spam by Spamassassin and MS,
> or doublebounced, or were blocked by AOL (the target site). Some got
> delivered. The tsunami of spam was already on my mail server by the
> time MS shut the door, since IPBlock is run last in the MS process.
>
> Summary: IPBlock is useful against spam trojans, but not as useful as
> I had hoped. YMMV.
>
> Sendmail Note: sendmail 8.13.0 is on the horizon, see
>
> http://www.sendmail.org/8.13.0.PreAlpha4.html
>
> One new feature buried there is connection rate control, see the ChangeLog.
> This may aid in blocking rogue machines too.
>
> --- Jeff Earickson
> Colby College
>

From ccampbell at BRUEGGERS.COM Mon Dec 1 20:39:13 2003
From: ccampbell at BRUEGGERS.COM (Christian Campbell)
Date: Thu Jan 12 21:21:22 2006
Subject: Upgrade Advice
Message-ID:

> Also, note that Net::CIDR is a new dependency, so you may want to
> perl -MCPAN -e shell
> install Net::CIDR
> before you start doing anything. If that install command
> looks like it is
> downloading perl itself, thump Ctrl-C quickly and bail out.
> You will find
> the source of Net::CIDR under ~root/.cpan/build and you can
> build it from
> there without it trying to install Perl 5.8.2!

Output of "install Net::CIDR" :

----%< snip %<----
Checking if your kit is complete...

Looks good

Writing Makefile for Net::CIDR

make: *** Warning: File `Makefile.PL' has modification time in the future
(2003
11-18 19:22:55 > 2003-10-22 10:31:19)

Makefile out-of-date with respect to Makefile.PL

Cleaning current config before rebuilding Makefile...

/usr/bin/make -f Makefile.old clean > /dev/null 2>&1 || /bin/sh -c true

/usr/bin/perl Makefile.PL

Checking if your kit is complete...

Looks good

Writing Makefile for Net::CIDR

==> Your Makefile has been rebuilt. <==

==> Please rerun the make command. <==

false

make: *** [Makefile] Error 1

  /usr/bin/make -- NOT OK

Running make test

  Can't test without successful make

Running make install

  make had returned bad status, install seems impossible

----%< snip %<----

Any ideas?

Christian

From kodak at FRONTIERHOMEMORTGAGE.COM Mon Dec 1 21:01:54 2003
From: kodak at FRONTIERHOMEMORTGAGE.COM (Jason Balicki)
Date: Thu Jan 12 21:21:22 2006
Subject: Upgrade Advice
In-Reply-To:
Message-ID: <00f601c3b84e$59b99400$0501a8c0@darkside>

[snip]
>make: *** Warning: File `Makefile.PL' has modification time in
>the future
>(2003
>11-18 19:22:55 > 2003-10-22 10:31:19)
[snip]

Looks like your system date is off, if I'm reading this
correctly. Your system thinks it's October 22.

--J(K)

From mailscanner at ecs.soton.ac.uk Mon Dec 1 21:08:54 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:21:22 2006
Subject: Upgrade Advice
In-Reply-To:
References:
Message-ID: <6.0.1.1.2.20031201210828.027a20a0@imap.ecs.soton.ac.uk>

At 20:39 01/12/2003, you wrote:
> > Also, note that Net::CIDR is a new dependency, so you may want to
> > perl -MCPAN -e shell
> > install Net::CIDR
> > before you start doing anything. If that install command
> > looks like it is
> > downloading perl itself, thump Ctrl-C quickly and bail out.
> > You will find
> > the source of Net::CIDR under ~root/.cpan/build and you can
> > build it from
> > there without it trying to install Perl 5.8.2!
>
>Output of "install Net::CIDR" :
>
>----%< snip %<----
>Checking if your kit is complete...
>
>Looks good
>
>Writing Makefile for Net::CIDR
>
>make: *** Warning: File `Makefile.PL' has modification time in the future
>(2003
>11-18 19:22:55 > 2003-10-22 10:31:19)

Why does your machine think it is currently the 22nd of October?

>Makefile out-of-date with respect to Makefile.PL
>
>Cleaning current config before rebuilding Makefile...
>
>/usr/bin/make -f Makefile.old clean > /dev/null 2>&1 || /bin/sh -c true
>
>/usr/bin/perl Makefile.PL
>
>Checking if your kit is complete...
>
>Looks good
>
>Writing Makefile for Net::CIDR
>
>==> Your Makefile has been rebuilt. <==
>
>==> Please rerun the make command. <==
>
>false
>
>make: *** [Makefile] Error 1
>
>  /usr/bin/make -- NOT OK
>
>Running make test
>
>  Can't test without successful make
>
>Running make install
>
>  make had returned bad status, install seems impossible
>
>----%< snip %<----
>
>Any ideas?
>
>Christian

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscan at PRIS.CA Mon Dec 1 23:24:48 2003
From: mailscan at PRIS.CA (MailScanner Mailbox)
Date: Thu Jan 12 21:21:22 2006
Subject: MS not logging in Solaris 9 (solved)
In-Reply-To: <3FB9552E.90908@ucgbook.com>
Message-ID:

Hello Julian

Thanks greatly for MS 4.25-13 , logging now works as it should.

Great Work!

Rick

On Tue, 18 Nov 2003, Peter Bonivart wrote:

> I'm sorry, but I don't think I can help since everything has worked
> right out of the box for me for several versions. I have not changed
> anything regarding logging in Solaris or MS. I have read about Solaris
> log problems on this list a few times before but never had those
> problems myself so I didn't pay much attention. Have you searched the
> archives?
>
> I'm still on 4.23 though, maybe it's a new problem. I'm gonna test the
> latest beta on my test system this week, I will post if I have a problem
> but Julian can probably help you right away. I can't post from work but
> if your problem is not solved tomorrow I will post my log configs this
> time tomorrow from home for comparison.
>
> /Peter Bonivart
>
> --Unix lovers do it in the Sun
>
> Sun Fire V210, Solaris 9, Sendmail 8.12.10, MailScanner 4.23-11,
> SpamAssassin 2.60 + DCC 1.2.9, ClamAV 20030829
>
> MailScanner Mailbox wrote:
> > Hello All specifically Peter or other Solaris 9 users
> >
> > As well as the other problems I am having (patching Mimetools etc)
> >
> > I have downloaded the latest beta of MS in my hopes of getting something
> > to work. I no longer get the errors while in Debug Mode (Yeah Julian)
> > however I am not getting any logging at all. Not with the beta version,
> > the stable version, or the production version I have running on a Solaris8
> > box.
> >
> > I do have the following in syslog.conf: mail.debug /var/maillog same as on
> > my production box. I know MailScanner is running as I get a postmaster
> > message when sending the eicar test virus through.
> >
> > So I figured as you are running Solaris 9 perhaps you may have some
> > insight as to why I have no logging
>

From jfraley at glenraven.com Mon Dec 1 21:13:30 2003
From: jfraley at glenraven.com (Jon Fraley)
Date: Thu Jan 12 21:21:22 2006
Subject: install Mail::ClamAV
Message-ID: <1070313210.2087.9.camel@jfraleyx.glenraven.com>

I just upgraded to MS-4.25-13 and installed clamav-0.65. I was
following the directions on installing Mail::ClamAV and got this:

Recursive dependency detected:
    Mail::ClamAV
 => S/SA/SABECK/Mail-ClamAV-0.04.tar.gz
 => Inline
 => I/IN/INGY/Inline-0.44.tar.gz
 => Digest::MD5
 => G/GA/GAAS/Digest-MD5-2.31.tar.gz
 => Digest::base
 => G/GA/GAAS/Digest-1.04.tar.gz
 => Digest::MD5.
Cannot continue.

How can I proceed at this point?

Thanks,
Jon

From mkettler at EVI-INC.COM Mon Dec 1 21:42:42 2003
From: mkettler at EVI-INC.COM (Matt Kettler)
Date: Thu Jan 12 21:21:23 2006
Subject: install Mail::ClamAV
In-Reply-To: <1070313210.2087.9.camel@jfraleyx.glenraven.com>
References: <1070313210.2087.9.camel@jfraleyx.glenraven.com>
Message-ID: <6.0.0.22.0.20031201163705.02da9078@xanadu.evi-inc.com>

At 04:13 PM 12/1/2003, Jon Fraley wrote:
>How can I proceed at this point?

You try using Digest-1.05 instead of 1.04.

2003-12-01 Gisle Aas

   Release 1.05

   Drop Digest::MD5 dependency. Avoids circular dependency
   now that Digest::MD5 depend on this package to inherit
   Digest::base.

   Included a section about digest speed with benchmark
   results for some implementations of this API.

From Denis.Beauchemin at USHERBROOKE.CA Mon Dec 1 22:00:04 2003
From: Denis.Beauchemin at USHERBROOKE.CA (Denis Beauchemin)
Date: Thu Jan 12 21:21:23 2006
Subject: McAfee doesn't time out
Message-ID: <1070316003.3002.209.camel@dbeauchemin.sti.usherbrooke.ca>

Hello,

One of my 3 MS servers (Red Hat Linux release 7.3) occasionally gets
stuck on one uvscan call. I've never seen this on my 2 other MS servers
(same specs).

I just killed one uvscan that was started about 45 minutes ago. My MS
(mailscanner-4.23-11) is configured this way:

Max Children = 5
Virus Scanner Timeout = 300
Virus Scanners = mcafee

I run uvscan:
Scan engine v4.2.40 for Linux.
Virus data file v4306 created Nov 26 2003

Any idea what might be causing this? When it happens the CPU goes
through the roof and the machine slows significantly.

Thanks again!

Denis
--
Denis Beauchemin, analyste
Université de Sherbrooke, S.T.I.
T: 819.821.8000x2252 F: 819.821.8045

From sevans at FOUNDATION.SDSU.EDU Mon Dec 1 22:52:26 2003
From: sevans at FOUNDATION.SDSU.EDU (Steve Evans)
Date: Thu Jan 12 21:21:23 2006
Subject: Message Backups and Spam Checks
Message-ID: <3A411846CD3C0D4CB3D8704F93735370646C@be-00.foundation.sdsu.edu>

I had a lot of problems with backed up mail today. CPU usage was low,
and there was plenty of free memory. When I changed MailScanner.conf to
Spam Checks = no it quickly processed all the queued mail. So I assume
that one of the net checks (RBL, Razor, or DCC) was causing problems.
My question is how can I tell when one of the net checks is causing
problems and how can I tell which one?

Steve Evans
SDSU Foundation

From Kevin_Miller at CI.JUNEAU.AK.US Mon Dec 1 23:19:47 2003
From: Kevin_Miller at CI.JUNEAU.AK.US (Kevin Miller)
Date: Thu Jan 12 21:21:23 2006
Subject: Message Backups and Spam Checks
Message-ID: <08146035CA49D6119A36009027AC822A0264EABA@CITY-EXCH-NTS>

>-----Original Message-----
>From: Steve Evans [mailto:sevans@FOUNDATION.SDSU.EDU]
>Sent: Monday, December 01, 2003 1:52 PM
>To: MAILSCANNER@JISCMAIL.AC.UK
>Subject: Message Backups and Spam Checks
>
>
>I had a lot of problems with backed up mail today. CPU usage was low,
>and there was plenty of free memory. When I changed
>MailScanner.conf to
>Spam Checks = no it quickly processed all the queued mail. So I assume
>that one of the net checks (RBL, Razor, or DCC) was causing problems.
>My question is how can I tell when one of the net checks is causing
>problems and how can I tell which one?

I see a lot of timeouts for spamcop today - maybe the DOS attack boys are at
it again. I noticed mine in /var/log/warn (SuSE)...

...Kevin
-------------------
Kevin Miller                Registered Linux User No: 307357
CBJ MIS Dept.               Network Systems Administrator, Mail Administrator
155 South Seward Street     ph: (907) 586-0242
Juneau, Alaska 99801        fax: (907 586-4500

From fmedery at VIDEOTRON.CA Tue Dec 2 00:28:28 2003
From: fmedery at VIDEOTRON.CA (Frédéric Médery)
Date: Thu Jan 12 21:21:23 2006
Subject: question about spambydomain
Message-ID: <1070324907.3182.12.camel@bastion>

Hello ML Users,
We use the spambydomain function inside MailScanner.conf (with
Customconfig.pm).

My whitelist and blacklist folders contain :
default file
several domain files
and several user@domain files.

My questions are How does MS select those rules :
is user@domain overwrite default and domain files ?
What if a user is inside the default file inside blacklist and inside a
user whitelist ?


thanks !

From markcism at DOST.GOV.PH Tue Dec 2 01:10:57 2003
From: markcism at DOST.GOV.PH (Mark Hernandez)
Date: Thu Jan 12 21:21:23 2006
Subject: receiving mails with executable.
Message-ID:

hi all,

I'm using Postfix on a Freebsd 4.8 O.S. and choose mailscanner to add
features
on my production mail server. Unfortunately, having the email up.

I've tested to send mails from my internal network to yahoo.com and vice
versa
and the results were bad. It's not filtering emails with executable.

conf of my Mailscanner
Filename Rules = %rules-dir%/filename.rules
Filetype Rules = %rules-dir%/filetype.rules

where rulesdir is
%rules-dir% = /usr/local/etc/MailScanner/rules
and etc-dir is
%etc-dir% = /usr/local/etc/MailScanner

content of filename.rules
FromOrTo: default %etc-dir%/filename.rules.conf

content of filetype.rules
FromOrTo: default %etc-dir%/filetype.rules.conf

I'm using the default of filename and filetype.rules.conf.

Still, I can receive/send attachments from/to outside .

I am checking activities on /var/log/maillog and /var/log/messages
but can seem to determine what's wrong.

Pls. help..

Tnx,

Mark




--
Using M2, Opera's revolutionary e-mail client: http://www.opera.com/m2/

From martyn at invictawiz.com Tue Dec 2 07:37:37 2003
From: martyn at invictawiz.com (InvictaWiz Customer Support)
Date: Thu Jan 12 21:21:23 2006
Subject: maps-rbl+
In-Reply-To: <3FCB4CA5.1010208@itss.nerc.ac.uk>
Message-ID:

Why should homeworkers generate failures through the dial-up list? If they
send their email through their ISP's mail server, their email should not be
treated any different to an email from any other source as once it arrives
at your server it will have come from a "proper" MX'd mail server.

The dialup "problem" arises if the client is using a mailserver of their own
on a dialup account that does not have an MX record assigned. This is the
reason for the existence of the list of dialup ips as it used to be a common
method for junk emailers to send out email.

I suspect your false positive problem is from mis-configuration somewhere on
your own network, not on the clients.

Martyn Routley

-----------------------------------------------------------------
InvictaWiz - The Internet in Plain English, Guaranteed
http://www.invictawiz.com
martyn@invictawiz.com
phone: 08707 440180 fax: 08707 440181
Ask us about our online Antivirus and Junk mail scanning service.
Ask us how you could save money on your telephone bill.
-----------------------------------------------------------------

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On
Behalf Of Ron Campbell
Sent: 01 December 2003 14:14
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: maps-rbl+

This is probably not of interest to those who are not in ac.uk

The MAPS-RBL+ list is actually the union of 4 separate lists (RBL, DUL,
RSS and OPS). For details, see

http://www.ja.net/CERT/JANET-CERT/mail/mail-abuse/rbl-plus-guide.html#available

One of these - the "dial-up list" is probably our main reason for SPAM
"false positives" at the moment. This is usually down to people working
from home via an ISP.

Is it possible to configure MS to use only some of the individual
MAPS-RBL+ lists ?

Or should we just give up on these lists and rely on SpamAssassin - all
the "false positives" which I have seen, have negative SA scores so it
is clearly getting these right. Of course, there will be other cases
which the lists get right and SA misses ?

Thanks ... Ron

-----------------------------------------------------------------------------
This message has been scanned for viruses and dangerous content by the
http://www.anti84787.com MailScanner, and is believed to be clean.
-----------------------------------------------------------------------------

From P.G.M.Peters at utwente.nl Tue Dec 2 08:20:10 2003
From: P.G.M.Peters at utwente.nl (Peter Peters)
Date: Thu Jan 12 21:21:23 2006
Subject: Notes on new IPBlock code, 4.25-11
In-Reply-To:
References:
Message-ID:

On Mon, 1 Dec 2003 15:00:40 -0500, you wrote:

>> If people are interested i can mail it.
>
>I am interested. Send it to me off list, or be a Pal and post a link to
>the list so everyone can share in the fun! :)

I would like it too. So a link would help everybody.

--
Peter Peters, senior netwerkbeheerder
Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE)
Universiteit Twente, Postbus 217, 7500 AE Enschede
telefoon: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/civ

From gdoris at ROGERS.COM Tue Dec 2 08:24:46 2003
From: gdoris at ROGERS.COM (Gerry Doris)
Date: Thu Jan 12 21:21:23 2006
Subject: Changelog for 4.25-13?
Message-ID:

I must have missed the message about announcing 4.25-13. Exactly what was
changed from 4.25-12?

--
Gerry

"The lyfe so short, the craft so long to learne" Chaucer

From raymond at PROLOCATION.NET Tue Dec 2 08:30:08 2003
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:21:23 2006
Subject: Notes on new IPBlock code, 4.25-11
In-Reply-To:
Message-ID:

Hi!

> >> If people are interested i can mail it.
> >
> >I am interested. Send it to me off list, or be a Pal and post a link to
> >the list so everyone can share in the fun! :)
>
> I would like it too. So a link would help everybody.

The code is quick and dirty, i don't think it's worth posting (yet) :)

I will mail it to the people who requested it, and work on a clean version
the next days. The exim version is pretty much cleaned up already, that
one i can post somewhere.

Bye,
Raymond.

From raymond at PROLOCATION.NET Tue Dec 2 08:31:15 2003
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:21:23 2006
Subject: Changelog for 4.25-13?
In-Reply-To:
Message-ID:

Hi!

> I must of missed the message about announcing 4.25-13. Exactly what was
> changed from 4.25-12?

The Monkeys list was removed from the default config.

Bye,
Raymond.

From mailscanner at ecs.soton.ac.uk Tue Dec 2 08:45:21 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:21:23 2006
Subject: question about spambydomain
In-Reply-To: <1070324907.3182.12.camel@bastion>
References: <1070324907.3182.12.camel@bastion>
Message-ID: <6.0.1.1.2.20031202083427.039a4ea8@imap.ecs.soton.ac.uk>

user@domain over-rides domain which over-rides default.

At 00:28 02/12/2003, you wrote:
>Hello ML Users,
>We use the spambydomain function inside MailScanner.conf (with
>Customconfig.pm).
>
>My whitelist and blacklist folders contain :
>default file
>several domain files
>and several user@domain files.
>
>My questions are How does MS select those rules :
>is user@domain overwrite default and domain files ?
>What if a user is inside the default file inside blacklist and inside a
>user whitelist ?
>
>
>thanks !

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Tue Dec 2 08:46:51 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:21:23 2006
Subject: Changelog for 4.25-13?
In-Reply-To:
References:
Message-ID: <6.0.1.1.2.20031202084624.035fbf90@imap.ecs.soton.ac.uk>

Removed "Infinite-Monkeys" from the list of "Spam List =" settings in the
default MailScanner.conf file.

At 08:24 02/12/2003, you wrote:
>I must of missed the message about announcing 4.25-13. Exactly what was
>changed from 4.25-12?
>
>--
>Gerry
>
>"The lyfe so short, the craft so long to learne" Chaucer

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Tue Dec 2 08:45:53 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:23 2006 Subject: receiving mails with executable. In-Reply-To: References: Message-ID: <6.0.1.1.2.20031202084537.03c21008@imap.ecs.soton.ac.uk> At 01:10 02/12/2003, you wrote: >hi all, > >I'm using Postfix on a FreeBSD 4.8 O.S. and chose mailscanner to add >features >on my production mail server. Unfortunately, having the email up. > >I've tested to send mails from my internal network to yahoo.com and vice >versa >and the results were bad. It's not filtering emails with executable. > >conf of my Mailscanner >Filename Rules = %rules-dir%/filename.rules >Filetype Rules = %rules-dir%/filetype.rules > >where rulesdir is >%rules-dir% = /usr/local/etc/MailScanner/rules >and etc-dir is >%etc-dir% = /usr/local/etc/MailScanner > >content of filename.rules >FromOrTo: default %etc-dir%/filename.rules.conf You can't use %% variables in rulesets, only in MailScanner.conf. >content of filetype.rules >FromOrTo: default %etc-dir%/filetype.rules.conf > >I'm using the default of filename and filetype.rules.conf. > >Still, I can receive/send attachments from/to outside . > >I am checking activities on /var/log/maillog and /var/log/messages >but can seem to determine what's wrong. > >Pls. help.. > >Tnx, > >Mark > > > > >-- >Using M2, Opera's revolutionary e-mail client: http://www.opera.com/m2/ -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From andersjk at SOL-INVICTUS.ORG Tue Dec 2 09:07:41 2003 
From: andersjk at SOL-INVICTUS.ORG (Kevin Anderson) Date: Thu Jan 12 21:21:23 2006 Subject: Notes on new IPBlock code, 4.25-11 In-Reply-To: Message-ID: I actually wrote a script that parses the mail log script looking for tell tale signs of a dictionary attack (yes I like reinventing the wheel mainly for my own lack of programming talent that needs refreshing :) it looks for grep "\.\.\. User unknown" then grep "lost input channel" which then gets the sendmail tag hxxxxxxxxxx from that I get a ip address which then chucks it into the access database, at the moment there are 50k ip's in there... would anyone like this db? I also log the ip addresses, culprits like comcast, rr.com, wanadoo.fr and a lot more show up. The program runs every hour from cron. thanks, kevin anderson On Mon, 1 Dec 2003, Jeff A. Earickson wrote: > Gang, > > Julian introduced a newer, faster, cooler version of IPBlock > (see CustomConfig.pm) in version 4.25-11. The new version allows > you to dynamically block connections from rogue/spam machines in > your sendmail access.db file in real time. IPBlock counts mail > messages (good, bad, spam) from IP numbers, tracks these connection > numbers in a DB file, and modifies your sendmail access.db file > if the number of connections exceeds thresholds that you configure. > > The major new feature in IPBlock is that the config file understands CIDR > netblocks, so you can set different thresholds for different netblocks. > You can literally "rule the world" with about 30 lines in your config > file, see: > > http://www.sng.ecs.soton.ac.uk/mailscanner/serve/cache/239.html > > for the details of how I set up things at my site. I have been running > with this ruleset for about a week now, plus additional rulesets for > my own domain -- admin offices get one setting and dorm rooms get a > lower setting. 
I had asked Julian a couple of weeks ago if IPBlock could > user Net::CIDR because my site has been getting hit with student computers > that contain spam trojans. Julian graciously modified IPBlock to use > CIDR and I tested it last week. When a spam trojan fires off, it can bury > my mail server very quickly. IPBlock gives me a tool to fight this. > > The Good News and Bad News... Good News: The new IPBlock works as > advertised. It will modify access.db and block a rogue site according > to the config file, and the CIDR configs work. The Bad News: not that > much happens, even with very low settings for my dorm networks, and my > "world domination" CIDR settings for the planet. In one week, only three > off-campus sites ended up in the access.db file, with zero emails actually > blocked after the access.db changes. > > Last night was the acid test with an on-campus spam trojan. The rogue > machine came alive at 00:01:32 last night. With a config limit of 100 > messages/hour, the machine was IPBlocked at 00:14:07, with 6 subsequent > connections blocked out. But, the rogue machine had flooded my mqueue.in > with several thousand messages in those 13 minutes, and it took nearly > two hours for this flood to be processed by my server. A lot of these > messages were subsequently deleted as high-spam by Spamassassin and MS, > or doublebounced, or were blocked by AOL (the target site). Some got > delivered. The tsunami of spam was already on my mail server by the > time MS shut the door, since IPBlock is run last in the MS process. > > Summary: IPBlock is useful against spam trojans, but not as useful as > I had hoped. YMMV. > > Sendmail Note: sendmail 8.13.0 is on the horizon, see > > http://www.sendmail.org/8.13.0.PreAlpha4.html > > One new feature buried there is connection rate control, see the ChangeLog. > This may aid in blocking rogue machines too. 
> > --- Jeff Earickson > Colby College > -- @ _____________________________________________ chaos, panic and disorder... my job is done... From smilga at MIKROTIK.COM Tue Dec 2 10:30:59 2003 From: smilga at MIKROTIK.COM (Martins Smilga) Date: Thu Jan 12 21:21:23 2006 Subject: Mailscanner with Debian 3 testing References: <052b01c3b803$01c0c890$a500010a@martinsss> <6.0.0.22.0.20031201093927.0251e1f0@mail.enhtech.com> Message-ID: <030101c3b8bf$607db020$a500010a@martinsss> I installed mailscanner through aptitude and started reading /usr/share/doc/mailscanner but didn't find anything useful. I started reading on the internet >(http://www.sng.ecs.soton.ac.uk/mailscanner/install/sendmail.shtml) I made the directory and stopped at the script, I can find where to change it. Maybe there is another way to get mailscanner working with sendmail in Debian. Martins ----- Original Message ----- From: "Errol Neal" To: Sent: Monday, December 01, 2003 4:39 PM Subject: Re: Mailscanner with Debian 3 testing > At 07:02 AM 12/1/2003, Martins Smilga wrote: > >Hello, > > > >Maybe someone has experience with how to install mailscanner on the Debian > >testing version. > > > >I have SpamAssassin + Sendmail. > > > >I installed mailscanner from aptitude, > >I can not find any detailed documentation how to install mailscanner on > >Debian with sendmail. > >(http://www.sng.ecs.soton.ac.uk/mailscanner/install/sendmail.shtml) > >I can find where I can change these settings (script). > > > >Maybe there is another way to set up mailscanner + Debian + sendmail > > > > > >Martins > > > > Exactly what are you having problems with? > > > Errol Neal From Kevin.Hansard at IPLBATH.COM Tue Dec 2 10:51:41 2003 
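Kevin Anderson's message above describes correlating "... User unknown" rejections with a following "lost input channel" line by sendmail queue id to recover the client IP for the access database. The sketch below is an added example, not his script or MailScanner code; the log line layout, the sample lines, the threshold and the `NEVER_BLOCK` networks are constructed assumptions.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample log (assumed sendmail syslog layout, documentation addresses).
SAMPLE_LOG = """\
Dec  2 09:47:51 mx sendmail[25040]: hB2AAA01025040: <aaron@example.edu>... User unknown
Dec  2 09:47:51 mx sendmail[25040]: hB2AAA01025040: <abby@example.edu>... User unknown
Dec  2 09:47:52 mx sendmail[25040]: hB2AAA01025040: <adam@example.edu>... User unknown
Dec  2 09:47:52 mx sendmail[25040]: hB2AAA01025040: lost input channel from host1.example.net [192.0.2.10] to MTA after rcpt
Dec  2 09:50:10 mx sendmail[25101]: hB2AAA02025101: <typo@example.edu>... User unknown
Dec  2 09:50:30 mx sendmail[25101]: hB2AAA02025101: from=<friend@example.org>, size=1204, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=mail.example.org [198.51.100.7]
Dec  2 09:55:00 mx sendmail[25200]: hB2AAA03025200: <bob@example.edu>... User unknown
Dec  2 09:55:00 mx sendmail[25200]: hB2AAA03025200: <bill@example.edu>... User unknown
Dec  2 09:55:01 mx sendmail[25200]: hB2AAA03025200: <ben@example.edu>... User unknown
Dec  2 09:55:01 mx sendmail[25200]: hB2AAA03025200: lost input channel from [10.1.2.3] to MTA after rcpt
Dec  2 09:58:00 mx sendmail[25300]: hB2AAA04025300: <carl@example.edu>... User unknown
Dec  2 09:58:00 mx sendmail[25300]: hB2AAA04025300: lost input channel from [192.0.2.10] to MTA after rcpt
"""

# "sendmail[pid]: <queue id>: <message>"
LINE_RE = re.compile(r"sendmail\[\d+\]: (?P<qid>[A-Za-z0-9]+): (?P<msg>.*)$")
# Only the bracketed address is used; the host name before it comes from
# reverse DNS, which the remote side controls.
LOST_RE = re.compile(r"lost input channel from (?:\S+ )?\[(?P<ip>[^\]]+)\]")

# Hypothetical allowlist: networks that must never end up in the access map.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "10.0.0.0/8")]


def find_dictionary_attackers(lines, min_unknown=3, never_block=NEVER_BLOCK):
    """Return {ip: unknown-recipient count} for sessions that were dropped."""
    unknown_per_qid = Counter()   # rejections seen so far in each session
    unknown_per_ip = Counter()    # rejections attributed to a client address
    for line in lines:
        m = LINE_RE.search(line.rstrip())
        if not m:
            continue
        qid, msg = m.group("qid"), m.group("msg")
        if msg.endswith("... User unknown"):
            unknown_per_qid[qid] += 1
            continue
        lost = LOST_RE.match(msg)
        if not lost or not unknown_per_qid[qid]:
            continue  # normal session, or a drop with no bad recipients
        try:
            ip = ipaddress.ip_address(lost.group("ip"))
        except ValueError:
            continue  # anything that does not parse as an address is skipped
        if any(ip in net for net in never_block):
            continue
        unknown_per_ip[str(ip)] += unknown_per_qid.pop(qid)
    return {ip: n for ip, n in unknown_per_ip.items() if n >= min_unknown}


def access_entries(offenders):
    """Format offenders as sendmail access-file lines (compiled with makemap)."""
    return [f"{ip}\tREJECT" for ip in sorted(offenders, key=ipaddress.ip_address)]


if __name__ == "__main__":
    for entry in access_entries(find_dictionary_attackers(SAMPLE_LOG.splitlines())):
        print(entry)
```

A single mistyped recipient from a legitimate relay (the 198.51.100.7 session) is never counted, because that session completes instead of dropping the connection.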
From: Kevin.Hansard at IPLBATH.COM (Kevin Hansard) Date: Thu Jan 12 21:21:23 2006 Subject: Problem with subject tagging 4.25-13 Message-ID: I have upgraded from 4.24-5 to 4.25-13 and I am now experiencing a problem with the subject tagging of Spam messages. Most messages get the subject modified correctly. However, occasionally Mailscanner fails to replace the subject text, but instead adds another Subject header at the top. So I end up with two Subject headers and the recipient client uses the last, unmodified one. Microsoft Mail Internet Headers Version 2.0 Received: from xxx ([xx.xx.xx.xx]) by xxx.xxx.com with Microsoft SMTPSVC(5.0.2195.6713); Tue, 2 Dec 2003 09:48:00 +0000 Subject: *****SPAM***** Clean Colons chjpliapmkbp vfzp Received: from dhcp024-210-032-230.columbus.rr.com (dhcp024-210-032-230.columbus.rr.com [24.210.32.230]) by xxx (8.12.8/8.12.8) with SMTP id hB29lpBN025040 for ; Tue, 2 Dec 2003 09:47:53 GMT Received: from [113.48.195.3] by dhcp024-210-032-230.columbus.rr.com; Tue, 02 Dec 2003 14:45:55 +0500 Message-ID: 
From: "Cyril Patton" Reply-To: "Cyril Patton" To: rpc@iplbath.com Subject: Clean Colons chjpliapmkbp vfzp Date: Tue, 02 Dec 03 14:45:55 GMT X-Mailer: QUALCOMM Windows Eudora Version 5.1 MIME-Version: 1.0 Content-type: multipart/report; boundary="======18289==29249======" X-Priority: 3 X-MailScanner: Found to be clean X-MailScanner-SpamCheck: spam, SpamAssassin (score=28.654, required 5, BAYES_99 5.40, DATE_IN_FUTURE_03_06 1.93, DATE_SPAMWARE_Y2K 4.20, DCC_CHECK 2.91, FORGED_MUA_EUDORA 3.02, HTML_FONTCOLOR_RED 0.10, HTML_FONT_BIG 0.27, HTML_FONT_INVISIBLE 0.60, HTML_MESSAGE 0.10, MIME_HTML_NO_CHARSET 0.56, MIME_HTML_ONLY 0.32, MIME_HTML_ONLY_MULTI 1.10, MISSING_MIMEOLE 1.59, MISSING_OUTLOOK_NAME 0.10, PYZOR_CHECK 3.51, REMOVE_PAGE 0.50, REMOVE_REMOVAL_2WORD 1.95, RISK_FREE 0.50) X-OriginalArrivalTime: 02 Dec 2003 09:48:00.0748 (UTC) Has anyone got any ideas? I never had this problem with 4.24-5. Thanks Kevin Hansard --- From raymond at PROLOCATION.NET Tue Dec 2 11:04:48 2003 From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:21:23 2006 Subject: Problem with subject tagging 4.25-13 In-Reply-To: Message-ID: Hi! > Subject: *****SPAM***** Clean Colons chjpliapmkbp vfzp > Received: from dhcp024-210-032-230.columbus.rr.com > (dhcp024-210-032-230.columbus.rr.com [24.210.32.230]) > by xxx (8.12.8/8.12.8) with SMTP id hB29lpBN025040 > for ; Tue, 2 Dec 2003 09:47:53 GMT > Received: from [113.48.195.3] by dhcp024-210-032-230.columbus.rr.com; > Tue, 02 Dec 2003 14:45:55 +0500 > Message-ID: > From: "Cyril Patton" > Reply-To: "Cyril Patton" > To: rpc@iplbath.com > Subject: Clean Colons chjpliapmkbp vfzp I have seen this once, on 4.25-8 or something, but didnt see it again so didnt make any notice. I also wonder if the original message allready had a duplicate subject line. bye, Raymond. From miguelk at KONSULTEX.COM.BR Tue Dec 2 11:08:07 2003 
From: miguelk at KONSULTEX.COM.BR (Miguel Koren O'Brien de Lacy) Date: Thu Jan 12 21:21:23 2006 Subject: [OT] - Re: maps-rbl+ References: Message-ID: <3FCC7297.8010803@konsultex.com.br> Martyn; Part of the problem lies in defining what is actually a "dial up domain". I'm going through an extremely frustrating experience with the "gang" at MAPS to get the ip block my ISP uses out of their list. The real problem here lies in self-righteous "businesses" that sell these "services" to others who trust them to have quality information while they put in all kinds of junk. My suggestion is to completely ignore any DUL lists in general and MAPS in particular. So far the "MAPS police" has made my company lose many hours of productive work by tracking down people at the ISP and at MAPS itself for their declared purpose of "educating" ISPs. I have fixed IPs and valid reverse DNS. I believe the gang itself needs quite a bit of education of various kinds first. Miguel InvictaWiz Customer Support wrote: >Why should homeworkers generate failures through the dial-up list? >If they send their email through their ISP's mail server, their email should not be treated any >different to an email from any other source as once it arrives at your server it will have come from >a "proper" MX'd mail server. > >The dialup "problem" arises if the client is using a mailserver of their own on a dialup account >that does not have an MX record assigned. This is the reason for the existence of the list of dialup >ips as it used to be a common method for junk emailers to send out email. > >I suspect your false positive problem is from mis-configuration somewhere on your own network, not >on the clients. > >Martyn Routley >----------------------------------------------------------------- >InvictaWiz - The Internet in Plain English, Guaranteed >http://www.invictawiz.com >martyn@invictawiz.com >phone: 08707 440180 >fax: 08707 440181 >Ask us about our online Antivirus and Junk mail scanning service. 
>Ask us how you could save money on your telephone bill. >----------------------------------------------------------------- > >-----Original Message----- >From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On >Behalf Of Ron Campbell >Sent: 01 December 2003 14:14 >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: maps-rbl+ > > >This is probably not of interest to those who are not in ac.uk > > >The MAPS-RBL+ list is actually the union of 4 separate lists (RBL, DUL, >RSS and OPS). > >For details, see > >http://www.ja.net/CERT/JANET-CERT/mail/mail-abuse/rbl-plus-guide.html#available > > > One of these - the "dial-up list" is probably our >main reason for SPAM "false positives" at the moment. This is usually > down to people working from home via an ISP. Is it possible >to configure MS to use only some of the individual MAPS-RBL+ lists ? > >Or should we just give up on these lists and rely on SpamAssassin - all >the "false positives" which I have seen, have negative SA scores so it >is clearly getting these right. Of course, there will be other cases >which the lists get right and SA misses ? > > Thanks ... Ron > > >----------------------------------------------------------------------------- >This message has been scanned for viruses and >dangerous content by the http://www.anti84787.com >MailScanner, and is believed to be clean. >----------------------------------------------------------------------------- > > > From mailscanner at ecs.soton.ac.uk Tue Dec 2 11:50:08 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:23 2006 Subject: ANNOUNCE: Bug fix release 4.25-14 Message-ID: <6.0.1.1.2.20031202114746.038328f0@imap.ecs.soton.ac.uk> I have just released 4.25-14. Due to Outlook's bizarre behaviour, I now have to check for a few nasty things in the Subject: line of messages, and clean it up a bit; hopefully in ways that you won't notice. There was a bug in 4.25-13 and previous versions which would cause the Subject: line to be doubled up rather than replaced with the clean version of it. I have now fixed this and re-released 4.25 as 4.25-14. Download from www.mailscanner.info Sorry for this one folks! :-( Jules. P.S. If you are up to manually replacing files, the only files changed to fix this are Message.pm and SweepContent.pm. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Tue Dec 2 11:47:45 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:23 2006 Subject: Problem with subject tagging 4.25-13 In-Reply-To: References: Message-ID: <6.0.1.1.2.20031202114523.03832e10@imap.ecs.soton.ac.uk> This is indeed a problem in 4.25-13. You spotted it about 10 minutes before I did. It will cause problems with the Subject: line of delivered messages becoming doubled-up. Due to Outlook's bizarre behaviour, I now have to check for a few nasty things in the Subject: line of messages, and clean it up a bit; hopefully in ways that you won't notice. I have therefore just released 4.25-14 which fixed this problem. The only files which have changed are SweepContent.pm and Message.pm. At 11:04 02/12/2003, you wrote: >Hi! > > > Subject: *****SPAM***** Clean Colons chjpliapmkbp vfzp > > Received: from dhcp024-210-032-230.columbus.rr.com > > (dhcp024-210-032-230.columbus.rr.com [24.210.32.230]) > > by xxx (8.12.8/8.12.8) with SMTP id hB29lpBN025040 > > for ; Tue, 2 Dec 2003 09:47:53 GMT > > Received: from [113.48.195.3] by dhcp024-210-032-230.columbus.rr.com; > > Tue, 02 Dec 2003 14:45:55 +0500 > > Message-ID: > > From: "Cyril Patton" > > Reply-To: "Cyril Patton" > > To: rpc@iplbath.com > > Subject: Clean Colons chjpliapmkbp vfzp > >I have seen this once, on 4.25-8 or something, but didnt see it again so >didnt make any notice. I also wonder if the original message allready had >a duplicate subject line. > >bye, >Raymond. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From raymond at PROLOCATION.NET Tue Dec 2 12:28:52 2003 
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:21:23 2006 Subject: ANNOUNCE: Bug fix release 4.25-14 In-Reply-To: <6.0.1.1.2.20031202114746.038328f0@imap.ecs.soton.ac.uk> Message-ID: Hi Julian, > I have just released 4.25-14. > > Due to Outlook's bizarre behaviour, I now have to check for a few nasty > things in the Subject: line of messages, and clean it up a bit; hopefully > in ways that you won't notice. > > There was a bug in 4.25-13 and previous versions which would cause the > Subject: line to be doubled up rather than replaced with the clean version > of it. > > I have now fixed this and re-released 4.25 as 4.25-14. I also noticed 4.26-1 arrived, what's the difference? bye, Raymond. From Ulysees at ULYSEES.COM Tue Dec 2 12:32:04 2003 
From: Ulysees at ULYSEES.COM (Ulysees) Date: Thu Jan 12 21:21:23 2006 Subject: ClamAV module Message-ID: <000501c3b8d0$4aee1090$3201010a@nimitz> anybody else had trouble getting this working ? when I grab the module from cpan it seems to grumble about not being able to find clamav.h Should I be using a tarball of ClamAV instead of the RPM ? Uly cpan> install Mail::ClamAV Running install for module Mail::ClamAV Running make for S/SA/SABECK/Mail-ClamAV-0.04.tar.gz CPAN: Digest::MD5 loaded ok Checksum for /root/.cpan/sources/authors/id/S/SA/SABECK/Mail-ClamAV-0.04.tar.gz ok Scanning cache /root/.cpan/build for sizes Mail-ClamAV-0.04/ Mail-ClamAV-0.04/t/ Mail-ClamAV-0.04/t/virus.eml Mail-ClamAV-0.04/t/Mail-ClamAV.t Mail-ClamAV-0.04/README Mail-ClamAV-0.04/ClamAV.pm Mail-ClamAV-0.04/Changes Mail-ClamAV-0.04/Makefile.PL Mail-ClamAV-0.04/ppport.h Mail-ClamAV-0.04/META.yml Mail-ClamAV-0.04/MANIFEST Removing previously used /root/.cpan/build/Mail-ClamAV-0.04 CPAN.pm: Going to build S/SA/SABECK/Mail-ClamAV-0.04.tar.gz Checking if your kit is complete... 
Looks good Writing Makefile for Mail::ClamAV cp ClamAV.pm blib/lib/Mail/ClamAV.pm /usr/bin/perl -Mblib -MInline=NOISY,_INSTALL_ -MMail::ClamAV -e1 0.04 blib/arch Starting Build Prepocess Stage Finished Build Prepocess Stage Starting Build Parse Stage Finished Build Parse Stage Starting Build Glue 1 Stage Finished Build Glue 1 Stage Starting Build Glue 2 Stage Finished Build Glue 2 Stage Starting Build Glue 3 Stage Finished Build Glue 3 Stage Starting Build Compile Stage Starting "perl Makefile.PL" Stage Writing Makefile for Mail::ClamAV Finished "perl Makefile.PL" Stage Starting "make" Stage make[1]: Entering directory `/root/.cpan/build/Mail-ClamAV-0.04/_Inline/build/Mail/ClamAV' /usr/bin/perl /usr/lib/perl5/5.8.1/ExtUtils/xsubpp -typemap /usr/lib/perl5/5.8.1/ExtUtils/typemap ClamAV.xs > ClamAV.xsc && mv ClamAV.xsc ClamAV.c gcc -c -I/root/.cpan/build/Mail-ClamAV-0.04 -D_REENTRANT -D_GNU_SOURCE -DTH READS_HAVE_PIDS -DDEBUGGING -fno-strict-aliasing -I/usr/local/include -D_LAR GEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -I/usr/include/gdbm -O2 -g -pipe -march =i386 -mcpu=i686 -DVERSION=\"0.04\" -DXS_VERSION=\"0.04\" -fPIC "-I/usr/lib/perl5/5.8.1/i386-linux-thread-multi/CORE" ClamAV.c ClamAV.xs:11:20: clamav.h: No such file or directory ClamAV.xs:19: error: field `limits' has incomplete type ClamAV.xs: In function `clamav_perl_retdbdir': ClamAV.xs:59: warning: return makes pointer from integer without a cast ClamAV.xs: In function `clamav_perl__scanbuff': ClamAV.xs:122: error: `CL_VIRUS' undeclared (first use in this function) ClamAV.xs:122: error: (Each undeclared identifier is reported only once ClamAV.xs:122: error: for each function it appears in.) 
ClamAV.xs:124: error: `CL_CLEAN' undeclared (first use in this function) ClamAV.xs:127: warning: passing arg 2 of `Perl_newSVpv' makes pointer from integer without a cast ClamAV.xs: In function `clamav_perl__scanfd': ClamAV.xs:163: error: `CL_VIRUS' undeclared (first use in this function) ClamAV.xs:165: error: `CL_CLEAN' undeclared (first use in this function) ClamAV.xs:168: warning: passing arg 3 of `Perl_sv_setpv' makes pointer from integer without a cast ClamAV.xs: In function `clamav_perl__scanfile': ClamAV.xs:199: error: `CL_VIRUS' undeclared (first use in this function) ClamAV.xs:201: error: `CL_CLEAN' undeclared (first use in this function) ClamAV.xs:204: warning: passing arg 3 of `Perl_sv_setpv' makes pointer from integer without a cast ClamAV.xs: In function `error': ClamAV.xs:219: warning: assignment makes pointer from integer without a cast ClamAV.xs: In function `clamav_perl_constant': ClamAV.xs:226: error: `CL_EACCES' undeclared (first use in this function) ClamAV.xs:227: error: `CL_EBZIP' undeclared (first use in this function) ClamAV.xs:228: error: `CL_EFSYNC' undeclared (first use in this function) ClamAV.xs:229: error: `CL_EGZIP' undeclared (first use in this function) ClamAV.xs:230: error: `CL_EMALFDB' undeclared (first use in this function) ClamAV.xs:231: error: `CL_EMALFZIP' undeclared (first use in this function) ClamAV.xs:232: error: `CL_EMAXFILES' undeclared (first use in this function) ClamAV.xs:233: error: `CL_EMAXREC' undeclared (first use in this function) ClamAV.xs:234: error: `CL_EMAXSIZE' undeclared (first use in this function) ClamAV.xs:235: error: `CL_EMEM' undeclared (first use in this function) ClamAV.xs:236: error: `CL_ENULLARG' undeclared (first use in this function) ClamAV.xs:237: error: `CL_EOPEN' undeclared (first use in this function) ClamAV.xs:238: error: `CL_EPATSHORT' undeclared (first use in this function) ClamAV.xs:239: error: `CL_ERAR' undeclared (first use in this function) ClamAV.xs:240: error: `CL_ETMPDIR' undeclared 
(first use in this function) ClamAV.xs:241: error: `CL_ETMPFILE' undeclared (first use in this function) ClamAV.xs:242: error: `CL_EZIP' undeclared (first use in this function) ClamAV.xs:243: error: `CL_MIN_LENGTH' undeclared (first use in this function) ClamAV.xs:244: error: `CL_NUM_CHILDS' undeclared (first use in this function) ClamAV.xs:245: error: `CL_MAIL' undeclared (first use in this function) ClamAV.xs:246: error: `CL_ARCHIVE' undeclared (first use in this function) ClamAV.xs:247: error: `CL_RAW' undeclared (first use in this function) ClamAV.xs:248: error: `CL_VIRUS' undeclared (first use in this function) ClamAV.xs:249: error: `CL_CLEAN' undeclared (first use in this function) make[1]: *** [ClamAV.o] Error 1 make[1]: Leaving directory `/root/.cpan/build/Mail-ClamAV-0.04/_Inline/build/Mail/ClamAV' A problem was encountered while attempting to compile and install your Inline C code. The command that failed was: make The build directory was: /root/.cpan/build/Mail-ClamAV-0.04/_Inline/build/Mail/ClamAV To debug the problem, cd to the build directory, and inspect the output files. at /root/.cpan/build/Mail-ClamAV-0.04/blib/lib/Mail/ClamAV.pm line 141 BEGIN failed--compilation aborted at /root/.cpan/build/Mail-ClamAV-0.04/blib/lib/Mail/ClamAV.pm line 390. Compilation failed in require. BEGIN failed--compilation aborted. make: *** [ClamAV.inl] Error 2 /usr/bin/make -- NOT OK Running make test Can't test without successful make Running make install make had returned bad status, install seems impossible From mailscanner at ecs.soton.ac.uk Tue Dec 2 12:38:12 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:23 2006 Subject: ANNOUNCE: Bug fix release 4.25-14 In-Reply-To: References: <6.0.1.1.2.20031202114746.038328f0@imap.ecs.soton.ac.uk> Message-ID: <6.0.1.1.2.20031202123649.0762c858@imap.ecs.soton.ac.uk> At 12:28 02/12/2003, you wrote: >Hi Julian, > > > I have just released 4.25-14. > > > > Due to Outlook's bizarre behaviour, I now have to check for a few nasty > > things in the Subject: line of messages, and clean it up a bit; hopefully > > in ways that you won't notice. > > > > There was a bug in 4.25-13 and previous versions which would cause the > > Subject: line to be doubled up rather than replaced with the clean version > > of it. > > > > I have now fixed this and re-released 4.25 as 4.25-14. > >I also noticed 4.26-1 arrived, whats the difference ? The new support of Norman anti-virus, which I put into 4.26-1, happens to now be in 4.25-14 as I couldn't be bothered to remove it to roll back to 4.25-14. However, I don't guarantee it works, and it is marked "Alpha". -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From raymond at PROLOCATION.NET Tue Dec 2 12:42:55 2003 
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:21:23 2006 Subject: ANNOUNCE: Bug fix release 4.25-14 In-Reply-To: <6.0.1.1.2.20031202123649.0762c858@imap.ecs.soton.ac.uk> Message-ID: Hi! > > > I have now fixed this and re-released 4.25 as 4.25-14. > > > >I also noticed 4.26-1 arrived, what's the difference? > > The new support of Norman anti-virus, which I put into 4.26-1, happens to > now be in 4.25-14 as I couldn't be bothered to remove it to roll back to > 4.25-14. However, I don't guarantee it works, and it is marked "Alpha". Just double-checking, if people want to have the double subject fields fixed they should go for 4.25-14 or wait for 4.26-2 since I don't think it's added there yet? Or is it added on both already now? :) Bye, Raymond. From Rvdmerwe at MHG.CO.ZA Tue Dec 2 13:14:14 2003 
From: Rvdmerwe at MHG.CO.ZA (Rabie van der Merwe) Date: Thu Jan 12 21:21:23 2006 Subject: install problem on Mandrake 9.2 of 4.25-* Message-ID: <39B69D20AF5DD611BA7F00306E1E8F2E02B13925@cptexc02.bankmed.co.za> Hi 4.24 Installed fine on MD9.2 using the RPM install, I now have a problem with 4.25-14 where the perl src rpms compile fine on my dev box, but when it tries to install the rpms, it complains that my perl-base >= 5.801 and I have perl-base-5.8.1-0.RC4.3mdk installed, my guess is that it is just a context mismatch when trying to match up the Requires field for the spec file. But I looked in the spec file, and nothing, only a BuildRequires. I went into the BUILD dir and successfully did a 'make install'. Any ideas? R From fmedery at videotron.ca Tue Dec 2 13:38:29 2003 
From: fmedery at videotron.ca (Frédéric Médery) Date: Thu Jan 12 21:21:23 2006 Subject: question about spambydomain In-Reply-To: <6.0.1.1.2.20031202083427.039a4ea8@imap.ecs.soton.ac.uk> References: <1070324907.3182.12.camel@bastion> <6.0.1.1.2.20031202083427.039a4ea8@imap.ecs.soton.ac.uk> Message-ID: <14345834756.20031202083829@videotron.ca> Hello Julian, Tuesday, December 2, 2003, 3:45:21 AM, you wrote: JF> user@domain over-rides domain which over-rides default. JF> At 00:28 02/12/2003, you wrote: JF> -- JF> Julian Field JF> www.MailScanner.info JF> MailScanner thanks transtec Computers for their support JF> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 Thanks! And how about conflicts between the white and black lists? -- Frédéric email:fmedery@videotron.ca From ryan.finnesey at CORPDSG.COM Tue Dec 2 04:02:22 2003 From: ryan.finnesey at CORPDSG.COM (Ryan Finnesey) Date: Thu Jan 12 21:21:23 2006 Subject: code audit? Message-ID: <3041D4D2B8A6F746AD9217BE05AE68C407BBCD@dc012.corpdsg.com> Does anyone know if anyone has done a code audit of MS? Ryan From ryan.finnesey at CORPDSG.COM Tue Dec 2 02:05:09 2003 From: ryan.finnesey at CORPDSG.COM (Ryan Finnesey) Date: Thu Jan 12 21:21:23 2006 Subject: Linux list(s) Message-ID: <3041D4D2B8A6F746AD9217BE05AE68C407BBC1@dc012.corpdsg.com> Can anyone recommend some good Linux list(s) that I can join? Ryan From mike at CAMAROSS.NET Tue Dec 2 14:12:41 2003 From: mike at CAMAROSS.NET (Mike Kercher) Date: Thu Jan 12 21:21:23 2006 Subject: code audit? In-Reply-To: <3041D4D2B8A6F746AD9217BE05AE68C407BBCD@dc012.corpdsg.com> Message-ID: <200312021407.hB2E7d2Q012320@genesis.camaross.net> An audit in what way(s)? > -----Original Message----- 
> From: MailScanner mailing list > [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Ryan Finnesey > Sent: Monday, December 01, 2003 10:02 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: code audit? > > Does anyone know if anyone has done a code audit of MS? > > > Ryan > From mike at CAMAROSS.NET Tue Dec 2 14:12:51 2003 From: mike at CAMAROSS.NET (Mike Kercher) Date: Thu Jan 12 21:21:23 2006 Subject: Linux list(s) In-Reply-To: <3041D4D2B8A6F746AD9217BE05AE68C407BBC1@dc012.corpdsg.com> Message-ID: <200312021407.hB2E7o2Q012333@genesis.camaross.net> For which distro? > -----Original Message----- > From: MailScanner mailing list > [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Ryan Finnesey > Sent: Monday, December 01, 2003 8:05 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Linux list(s) > > Can anyone recommend some good Linux list(s) that I can join? > > > > Ryan > From evertjan at VANRAMSELAAR.NL Tue Dec 2 14:18:44 2003 From: evertjan at VANRAMSELAAR.NL (Evert Jan van Ramselaar) Date: Thu Jan 12 21:21:23 2006 Subject: Linux list(s) In-Reply-To: <3041D4D2B8A6F746AD9217BE05AE68C407BBC1@dc012.corpdsg.com> References: <3041D4D2B8A6F746AD9217BE05AE68C407BBC1@dc012.corpdsg.com> Message-ID: <29769.194.151.195.222.1070374724.squirrel@mail.vanramselaar.nl> Ryan Finnesey said: > Can anyone recommend some good Linux list(s) that I can join? ISP-Linux is a pretty good list at times, even when you're not an ISP. http://isp-lists.isp-planet.com/isp-linux/ -- Evert Jan van Ramselaar Van Ramselaar Info Tech Internet Consultancy & Webdesign From michele at BLACKNIGHTSOLUTIONS.COM Tue Dec 2 14:31:50 2003 
From: michele at BLACKNIGHTSOLUTIONS.COM (Michele Neylon :: Blacknight Solutions) Date: Thu Jan 12 21:21:23 2006 Subject: code audit? In-Reply-To: <3041D4D2B8A6F746AD9217BE05AE68C407BBCD@dc012.corpdsg.com> Message-ID: What for? Mr. Michele Neylon Blacknight Internet Solutions Ltd http://www.blacknightsolutions.ie/ http://www.search.ie/ Tel. + 353 (0)59 9139897 Lowest price domains in Ireland > -----Original Message----- > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > Behalf Of Ryan Finnesey > Sent: 02 December 2003 04:02 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: code audit? > > > Does anyone know if anyone has done a code audit of MS? > > > Ryan > From jlarsen at RICHWEB.COM Tue Dec 2 13:46:40 2003 From: jlarsen at RICHWEB.COM (C. Jon Larsen) Date: Thu Jan 12 21:21:23 2006 Subject: receiving mails with executable. In-Reply-To: Message-ID: On Tue, 2 Dec 2003, Mark Hernandez wrote: > hi all, > > I'm using Postfix on a FreeBSD 4.8 O.S. and chose mailscanner to add > features Is MailScanner safe to use with postfix? The postfix site and several messages in the archives advise strongly not to use postfix with MS because postfix does not like to have its queues manipulated by an external program. Postfix has a content filter interface that they suggest using and the current postfix snapshot has a new smtp content filter proxy interface that looks interesting. I don't like sendmail anymore (security issues seem to never stop), so I have switched to postfix for all mail relay and mailbox destinations - with a MailScanner + sendmail box that sits in the middle. From pndiku at DSMAGIC.COM Tue Dec 2 14:37:19 2003 
From: pndiku at DSMAGIC.COM (Peter C. Ndikuwera) Date: Thu Jan 12 21:21:23 2006 Subject: ClamAV module In-Reply-To: <000501c3b8d0$4aee1090$3201010a@nimitz> References: <000501c3b8d0$4aee1090$3201010a@nimitz> Message-ID: <1070375839.2916.13.camel@mufasa.ds.co.ug> You need to install ClamAV first. On Tue, 2003-12-02 at 15:32, Ulysees wrote: > anybody else had trouble getting this working ? > when I grab the module from cpan it seems to grumble about not being able to > find clamav.h > > Should I be using a tarball of ClamAV instead of the RPM ? > > Uly > > > cpan> install Mail::ClamAV > Running install for module Mail::ClamAV > Running make for S/SA/SABECK/Mail-ClamAV-0.04.tar.gz > CPAN: Digest::MD5 loaded ok > Checksum for > /root/.cpan/sources/authors/id/S/SA/SABECK/Mail-ClamAV-0.04.tar.gz ok > Scanning cache /root/.cpan/build for sizes > Mail-ClamAV-0.04/ > Mail-ClamAV-0.04/t/ > Mail-ClamAV-0.04/t/virus.eml > Mail-ClamAV-0.04/t/Mail-ClamAV.t > Mail-ClamAV-0.04/README > Mail-ClamAV-0.04/ClamAV.pm > Mail-ClamAV-0.04/Changes > Mail-ClamAV-0.04/Makefile.PL > Mail-ClamAV-0.04/ppport.h > Mail-ClamAV-0.04/META.yml > Mail-ClamAV-0.04/MANIFEST > Removing previously used /root/.cpan/build/Mail-ClamAV-0.04 > > CPAN.pm: Going to build S/SA/SABECK/Mail-ClamAV-0.04.tar.gz > > Checking if your kit is complete... 
> Looks good > Writing Makefile for Mail::ClamAV > cp ClamAV.pm blib/lib/Mail/ClamAV.pm > /usr/bin/perl -Mblib -MInline=NOISY,_INSTALL_ -MMail::ClamAV -e1 0.04 > blib/arch > Starting Build Prepocess Stage > Finished Build Prepocess Stage > > Starting Build Parse Stage > Finished Build Parse Stage > > Starting Build Glue 1 Stage > Finished Build Glue 1 Stage > > Starting Build Glue 2 Stage > Finished Build Glue 2 Stage > > Starting Build Glue 3 Stage > Finished Build Glue 3 Stage > > Starting Build Compile Stage > Starting "perl Makefile.PL" Stage > Writing Makefile for Mail::ClamAV > Finished "perl Makefile.PL" Stage > > Starting "make" Stage > make[1]: Entering directory > `/root/.cpan/build/Mail-ClamAV-0.04/_Inline/build/Mail/ClamAV' > /usr/bin/perl /usr/lib/perl5/5.8.1/ExtUtils/xsubpp -typemap > /usr/lib/perl5/5.8.1/ExtUtils/typemap ClamAV.xs > ClamAV.xsc && mv > ClamAV.xsc ClamAV.c > gcc -c -I/root/.cpan/build/Mail-ClamAV-0.04 -D_REENTRANT -D_GNU_SOURCE -DTH > READS_HAVE_PIDS -DDEBUGGING -fno-strict-aliasing -I/usr/local/include -D_LAR > GEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -I/usr/include/gdbm -O2 -g -pipe -march > =i386 -mcpu=i686 -DVERSION=\"0.04\" -DXS_VERSION=\"0.04\" -fPIC > "-I/usr/lib/perl5/5.8.1/i386-linux-thread-multi/CORE" ClamAV.c > ClamAV.xs:11:20: clamav.h: No such file or directory > ClamAV.xs:19: error: field `limits' has incomplete type > ClamAV.xs: In function `clamav_perl_retdbdir': > ClamAV.xs:59: warning: return makes pointer from integer without a cast > ClamAV.xs: In function `clamav_perl__scanbuff': > ClamAV.xs:122: error: `CL_VIRUS' undeclared (first use in this function) > ClamAV.xs:122: error: (Each undeclared identifier is reported only once > ClamAV.xs:122: error: for each function it appears in.) 
> ClamAV.xs:124: error: `CL_CLEAN' undeclared (first use in this function) > ClamAV.xs:127: warning: passing arg 2 of `Perl_newSVpv' makes pointer from > integer without a cast > ClamAV.xs: In function `clamav_perl__scanfd': > ClamAV.xs:163: error: `CL_VIRUS' undeclared (first use in this function) > ClamAV.xs:165: error: `CL_CLEAN' undeclared (first use in this function) > ClamAV.xs:168: warning: passing arg 3 of `Perl_sv_setpv' makes pointer from > integer without a cast > ClamAV.xs: In function `clamav_perl__scanfile': > ClamAV.xs:199: error: `CL_VIRUS' undeclared (first use in this function) > ClamAV.xs:201: error: `CL_CLEAN' undeclared (first use in this function) > ClamAV.xs:204: warning: passing arg 3 of `Perl_sv_setpv' makes pointer from > integer without a cast > ClamAV.xs: In function `error': > ClamAV.xs:219: warning: assignment makes pointer from integer without a cast > ClamAV.xs: In function `clamav_perl_constant': > ClamAV.xs:226: error: `CL_EACCES' undeclared (first use in this function) > ClamAV.xs:227: error: `CL_EBZIP' undeclared (first use in this function) > ClamAV.xs:228: error: `CL_EFSYNC' undeclared (first use in this function) > ClamAV.xs:229: error: `CL_EGZIP' undeclared (first use in this function) > ClamAV.xs:230: error: `CL_EMALFDB' undeclared (first use in this function) > ClamAV.xs:231: error: `CL_EMALFZIP' undeclared (first use in this function) > ClamAV.xs:232: error: `CL_EMAXFILES' undeclared (first use in this function) > ClamAV.xs:233: error: `CL_EMAXREC' undeclared (first use in this function) > ClamAV.xs:234: error: `CL_EMAXSIZE' undeclared (first use in this function) > ClamAV.xs:235: error: `CL_EMEM' undeclared (first use in this function) > ClamAV.xs:236: error: `CL_ENULLARG' undeclared (first use in this function) > ClamAV.xs:237: error: `CL_EOPEN' undeclared (first use in this function) > ClamAV.xs:238: error: `CL_EPATSHORT' undeclared (first use in this function) > ClamAV.xs:239: error: `CL_ERAR' undeclared (first use in 
this function) > ClamAV.xs:240: error: `CL_ETMPDIR' undeclared (first use in this function) > ClamAV.xs:241: error: `CL_ETMPFILE' undeclared (first use in this function) > ClamAV.xs:242: error: `CL_EZIP' undeclared (first use in this function) > ClamAV.xs:243: error: `CL_MIN_LENGTH' undeclared (first use in this > function) > ClamAV.xs:244: error: `CL_NUM_CHILDS' undeclared (first use in this > function) > ClamAV.xs:245: error: `CL_MAIL' undeclared (first use in this function) > ClamAV.xs:246: error: `CL_ARCHIVE' undeclared (first use in this function) > ClamAV.xs:247: error: `CL_RAW' undeclared (first use in this function) > ClamAV.xs:248: error: `CL_VIRUS' undeclared (first use in this function) > ClamAV.xs:249: error: `CL_CLEAN' undeclared (first use in this function) > make[1]: *** [ClamAV.o] Error 1 > make[1]: Leaving directory > `/root/.cpan/build/Mail-ClamAV-0.04/_Inline/build/Mail/ClamAV' > > A problem was encountered while attempting to compile and install your > Inline > C code. The command that failed was: > make > > The build directory was: > /root/.cpan/build/Mail-ClamAV-0.04/_Inline/build/Mail/ClamAV > > To debug the problem, cd to the build directory, and inspect the output > files. > > at /root/.cpan/build/Mail-ClamAV-0.04/blib/lib/Mail/ClamAV.pm line 141 > BEGIN failed--compilation aborted at > /root/.cpan/build/Mail-ClamAV-0.04/blib/lib/Mail/ClamAV.pm line 390. > Compilation failed in require. > BEGIN failed--compilation aborted. > make: *** [ClamAV.inl] Error 2 > /usr/bin/make -- NOT OK > Running make test > Can't test without successful make > Running make install > make had returned bad status, install seems impossible > From RKearney at AZERTY.COM Tue Dec 2 14:56:31 2003 
From: RKearney at AZERTY.COM (Kearney, Rob) Date: Thu Jan 12 21:21:23 2006 Subject: Message Backups and Spam Checks Message-ID: <210DF55DED65B547896F728FB057F3B2019C49F3@seaver.ussco.com> We were having issues with pyzor... An easy way to check.. is to try.. spamassassin -D --lint you will generally see the slowdown/timeout. However, you could try other methods in addition: pyzor ping razor-check -d -M dccproc -Q -i -H I don't know what to do for RBL's since I don't use them. -rob -----Original Message----- From: Steve Evans [mailto:sevans@FOUNDATION.SDSU.EDU] Sent: Monday, December 01, 2003 5:52 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Message Backups and Spam Checks I had a lot of problems with backed up mail today. CPU usage was low, and there was plenty of free memory. When I changed MailScanner.conf to Spam Checks = no it quickly processed all the queued mail. So I assume that one of the net checks (RBL, Razor, or DCC) was causing problems. My question is how can I tell when one of the net checks is causing problems and how can I tell which one? Steve Evans SDSU Foundation From mailscanner at ecs.soton.ac.uk Tue Dec 2 14:52:56 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:23 2006 Subject: code audit? In-Reply-To: <200312021407.hB2E7d2Q012320@genesis.camaross.net> References: <3041D4D2B8A6F746AD9217BE05AE68C407BBCD@dc012.corpdsg.com> <200312021407.hB2E7d2Q012320@genesis.camaross.net> Message-ID: <6.0.1.1.2.20031202145103.039fb150@imap.ecs.soton.ac.uk> Mariano and his colleagues in Argentina (might be Brazil) have gone through a lot of the code and thoroughly understand it. They wrote the ZMailer support. Tony Finch at Cambridge University has gone through all of the code in very great detail, which resulted in several bug fixes and performance improvements. At 14:12 02/12/2003, you wrote: >An audit in what way(s)? > > > > -----Original Message----- 
> > From: MailScanner mailing list > > [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Ryan Finnesey > > Sent: Monday, December 01, 2003 10:02 PM > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: code audit? > > > > Does anyone know if anyone has done a code audit of MS? > > > > > > Ryan > > -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Tue Dec 2 14:50:45 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:23 2006 Subject: receiving mails with executable. In-Reply-To: References: Message-ID: <6.0.1.1.2.20031202144346.076f2818@imap.ecs.soton.ac.uk> To give you the brief answer to this question.... The Postfix guys don't like me as I dared to use their software in a way they hadn't intended. Rather than publish the file format (which sendmail does) or happily let me use it (the Exim authors use MailScanner themselves), the Postfix guys throw their toys out of the pram and whinge a lot. I'm not going to apologise for daring to "think outside the box". Many people run MailScanner on Postfix without any problems. A few sites see a fault where very occasionally a message with no body is delivered. The correct version of the same message with its body is later delivered correctly, in addition to the version with the body missing. No mail is lost. As many MailScanner sites now run it on a dedicated server, it makes very little difference what MTA is chosen, as all the MTA's can take mail in and just punt it onto another server. My personal recommendation is probably Exim, especially if you don't like sendmail. Exim is very easy to configure and is very fast. When used with MailScanner it is considerably faster than Postfix as Postfix copies all the data around more often than it needs to, resulting in inefficient handling, particularly of large messages. At 13:46 02/12/2003, you wrote: >On Tue, 2 Dec 2003, Mark Hernandez wrote: > > > hi all, > > > > Im using Postfix on a Freebsd 4.8 O.S. and choose mailscanner to add > > features > >Is MailScanner safe to use with postfix ? The postfix site and several >messages in the archives advise strongly not to use postfix with MS >because postfix does not like to have its queues manipulated by an >external program. 
> >Postfix has a content filter interface they suggest using and the >current postfix snapshot has a new smtp content filter proxy interface >that looks interesting. > >I don't like sendmail anymore (security issues seem to never stop), so I >have switched to postfix for all mail relay and mailbox destinations - >with a MailScanner + sendmail box that sits in the middle. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Tue Dec 2 14:41:17 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:23 2006 Subject: ANNOUNCE: Bug fix release 4.25-14 In-Reply-To: References: <6.0.1.1.2.20031202123649.0762c858@imap.ecs.soton.ac.uk> Message-ID: <6.0.1.1.2.20031202144039.03695068@imap.ecs.soton.ac.uk> At 12:42 02/12/2003, you wrote: >Hi! > > > > > I have now fixed this and re-released 4.25 as 4.25-14. > > > > > >I also noticed 4.26-1 arrived, what's the difference ? > > > > The new support of Norman anti-virus, which I put into 4.26-1, happens to > > now be in 4.25-14 as I couldn't be bothered to remove it to roll back to > > 4.25-14. However, I don't guarantee it works, and it is marked "Alpha". > >Just doublechecking, if people want to have the double subject fields >fixed they should go for 4.25-14 Yes. > or wait for 4.26-2 since I don't think it's >added there yet ? Or is it added on both already now ? :) It's on both (there is only 1 code tree, I don't like maintaining more than I need to). -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From kevins at BMRB.CO.UK Tue Dec 2 15:39:14 2003 
From: kevins at BMRB.CO.UK (Kevin Spicer) Date: Thu Jan 12 21:21:23 2006 Subject: install problem on Mandrake 9.2 of 4.25-* In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB00188B6EF@pascal.priv.bmrb.co.uk> References: <5C0296D26910694BB9A9BBFC577E7AB00188B6EF@pascal.priv.bmrb.co.uk> Message-ID: <1070379555.11842.42.camel@bach.kevinspicer.co.uk> On Tue, 2003-12-02 at 13:14, Rabie van der Merwe wrote: Hi >4.24 Installed fine on MD9.2 using the RPM install, I now have a >problem with 4.25-14 where the perl src rpms compiles fine on my dev >box, but when it tries to install the rpms, it complains that my >perl-base >= 5.801 and I have perl-base-5.8.1-0.RC4.3mdk installed, my >guess is that is just is context mismatch when trying to matchup the >Requires field for the spec file. But I looked in the spec file, and >nothing, only a BuildRequires. >I went into the BUILD dir and successfully did a 'make install'. >Any ideas? ./install.sh nodeps From Rvdmerwe at MHG.CO.ZA Tue Dec 2 15:49:15 2003 
From: Rvdmerwe at MHG.CO.ZA (Rabie van der Merwe) Date: Thu Jan 12 21:21:23 2006 Subject: install problem on Mandrake 9.2 of 4.25-* Message-ID: <39B69D20AF5DD611BA7F00306E1E8F2E02B13927@cptexc02.bankmed.co.za> I managed to rewrite the SPEC file for perl-Net-CIDR to compile and install properly on MD9.2. If I get all SPEC files converted (I'll only do the ones that don't come with md9.2 or the contribs) I'll provide the spec files if anyone is interested. Regards Rabie ********************************************************************** ------ NOTICE ------ This message contains privileged and confidential information intended only for the person or entity to which it is addressed. Any review, retransmission, dissemination, copy or other use of, or taking of any action in reliance upon this information by persons or entities other than the intended recipient, is prohibited. If you received this message in error, please notify the sender immediately by e-mail, facsimile or telephone and thereafter delete the material from any computer. Metropolitan Health Group, its subsidiaries or associates do not accept liability for any personal views expressed in this message. ********************************************************************** -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20031202/b6d092da/attachment.html From jlarsen at RICHWEB.COM Tue Dec 2 15:52:10 2003 
From: jlarsen at RICHWEB.COM (C. Jon Larsen) Date: Thu Jan 12 21:21:23 2006 Subject: postfix comments ... was: Re: receiving mails with executable. In-Reply-To: <6.0.1.1.2.20031202144346.076f2818@imap.ecs.soton.ac.uk> Message-ID: On Tue, 2 Dec 2003, Julian Field wrote: > To give you the brief answer to this question.... > > The Postfix guys don't like me as I dared to use their software in a way > they hadn't intended. Rather than publish the file format (which sendmail > does) or happily let me use it (the Exim authors use MailScanner > themselves), the Postfix guys throw their toys out of the pram and whinge a > lot. I see your point :=) I think postfix is supposed to be formalizing their APIs for dealing with queues, etc. Thanks for the background info. > > I'm not going to apologise for daring to "think outside the box". MailScanner is *great* software. You have a lot to be proud of. Postfix guys seem to suggest using Amavis-new instead of MS. But to me thats a step backwards and away from the best software to scan and protect emails (MailScanner). I wanted postfix and I wanted MailScanner :=) Here's what I did to make them work together - see below ... > > Many people run MailScanner on Postfix without any problems. A few sites > see a fault where very occasionally a message with no body is delivered. > The correct version of the same message with its body is later delivered > correctly, in addition to the version with the body missing. No mail is lost. I did not want to take that chance, so I setup 1 postfix instance as an external smtp router and proxy that looks up incoming domains in an SQL database and makes routing decisions based on a content_scan column. It can route the mail directly to the destination, drop the mail if its for an invalid domain, or route it to the dedicated MailScanner box, which uses sendmail. 
The MailScanner box does its job, and then sends the mail to a third postfix box which does message delivery to mailboxes, and handles SMTP AUTH for customers that send email from mail clients. Exim was not my cup of tea for a secure internet facing MTA :=) I'm not saying it's not secure, it's just not what I wanted. I did not see Exim as being more secure than sendmail due to its design (my opinion only, send flames to /dev/null). I was looking for something that had privilege separation like qmail or postfix for an internet facing MTA. Since my internal mailscanner box is locked down from an SMTP listener perspective, I am o.k. running sendmail on that, though exim would probably make a better host than sendmail for the MS - thanks for the tips though. I looked at smtp.proxy, Obtuse/juniper smtp proxy, qpsmtpd, and mailfront as ways to improve the security of the internet facing MTA. qpsmtpd and mailfront were too qmailish (also not my preference) and none of the smtp proxies gave me a warm and fuzzy regarding protocol support/workaround (ESMTP, cisco pix workarounds like postfix has). They seemed o.k. for hobbyists but not for production networks that get a lot of mail from a lot of different networks with different (often partially broken MTAs). I kept coming back to postfix as the best combination of security, protocol support, and usability for my external MTA. I had already picked postfix as my MTA for my mailboxes. So I went from 2 boxes (mailscanner + postfix) to 3 boxes (inbound postfix message router, mailscanner/sendmail, mailbox, smtp auth postfix). Hopefully this will help someone else. If not, that's fine too. Just relaying my experiences and research. -jon > > As many MailScanner sites now run it on a dedicated server, it makes very > little difference what MTA is chosen, as all the MTA's can take mail in and > just punt it onto another server. > > My personal recommendation is probably Exim, especially if you don't like > sendmail. 
Exim is very easy to configure and is very fast. When used with > MailScanner it is considerably faster than Postfix as Postfix copies all > the data around more often than it needs to, resulting in inefficient > handling, particularly of large messages. > > At 13:46 02/12/2003, you wrote: > >On Tue, 2 Dec 2003, Mark Hernandez wrote: > > > > > hi all, > > > > > > I'm using Postfix on a Freebsd 4.8 O.S. and choose mailscanner to add > > > features > > > >Is MailScanner safe to use with postfix? The postfix site and several > >messages in the archives advise strongly not to use postfix with MS > >because postfix does not like to have its queues manipulated by an > >external program. > > > >Postfix has a content filter interface they suggest using and the > >current postfix snapshot has a new smtp content filter proxy interface > >that looks interesting. > > > >I don't like sendmail anymore (security issues seem to never stop), so I > >have switched to postfix for all mail relay and mailbox destinations - > >with a MailScanner + sendmail box that sits in the middle. > > -- > Julian Field > www.MailScanner.info > MailScanner thanks transtec Computers for their support > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > > -- + Jon Larsen: Chief Technology Officer, Richweb, Inc. + Richweb.com: Providing Internet-Based Business Solutions since 1995 + GnuPG Public Key: http://richweb.com/jlarsen.gpg + Business: (804) 359.2220 x 101; Mobile: (804) 307.6939 From james.ogley at PINNACLE.CO.UK Tue Dec 2 16:09:17 2003 
From: james.ogley at PINNACLE.CO.UK (James Ogley) Date: Thu Jan 12 21:21:23 2006 Subject: Questions about how MailScanner deals with mails to be quarantined Message-ID: <1070381356.1507.108.camel@jogley.pinnacle.co.uk> Hi, As the annoying auto-append will reveal, we're currently using MAILSweeper, but we're evaluating MailScanner as a replacement. We really like the functionality of MAILSweeper, but equally dislike the implementation. We're running MS 4.25-13 on SuSE 8.2 on our test machine, and we've been sending various test mails through it, to see how it dealt with them. Basically, our requirements would be to be able to quarantine mails because of being too large, virus-laden, with attachments of various types. Once a mail is quarantined, we would like to have the option to notify three groups of people, the sender, the recipient and the admin, depending on the reason the mail had been quarantined. Our testing of quarantining large mails threw up some confusion, as the mails from MS always said that the mails had been stopped as virii, which was not the case, however it seems to be that it says that irrespective of the actual reason in the mails to the admin, which could cause confusion. It would be better if a different notification mail could be sent according to why the mail had been stopped (ie, "this mail is too large", "this mail had an executable file attached", "this mail has a script attached"). Also, we would prefer to be able to notify the recipient, rather than delivering a 'disinfected' version of the mail to them, something like "you have been sent a mail that exceeds size limitations by foo@bar.baz. If this mail is for business purposes, please contact systems admin". Have I totally misunderstood the way MS deals with mails, and these options are possible? (I hope so) I can provide my MailScanner.conf if that will be helpful. 
James -- James Ogley, Unix Systems Administrator, Pinnacle Insurance Plc Work: james.ogley@pinnacle.co.uk www.pinnacle.co.uk +44 (0) 20 8731 3619 Personal: james@rubberturnip.org.uk www.rubberturnip.org.uk Updated GNOME RPMs for SuSE Linux: www.usr-local-bin.org *********************************************************************** CONFIDENTIALITY. This e-mail and any attachments are confidential and may also be privileged. If you are not the named recipient, please notify the sender immediately and do not disclose the contents to another person, use it for any purpose, or store or copy the information in any medium. Any views expressed in this message are those of the individual sender, except where the sender specifically states them to be the views of Pinnacle Insurance Plc. If you have received this e-mail in error please immediately notify our Helpdesk on +44 (0) 20 8207 9555. This footnote also confirms that this email message has been swept by MIMEsweeper for the presence of computer viruses. www.mimesweeper.com ********************************************************************** From Kevin.Hansard at IPLBATH.COM Tue Dec 2 16:26:15 2003 From: Kevin.Hansard at IPLBATH.COM (Kevin Hansard) Date: Thu Jan 12 21:21:23 2006 Subject: Problem with subject tagging 4.25-13 Message-ID: Thanks! 4.25-14 seems to be working ok. Kevin Hansard --- From mailscanner at ecs.soton.ac.uk Tue Dec 2 16:36:47 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:23 2006 Subject: Questions about how MailScanner deals with mails to be quarantined In-Reply-To: <1070381356.1507.108.camel@jogley.pinnacle.co.uk> References: <1070381356.1507.108.camel@jogley.pinnacle.co.uk> Message-ID: <6.0.1.1.2.20031202162219.03d68ec0@imap.ecs.soton.ac.uk> At 16:09 02/12/2003, you wrote: >Hi, > >As the annoying auto-append will reveal, we're currently using >MAILSweeper, but we're evaluating MailScanner as a replacement. We >really like the functionality of MAILSweeper, but equally dislike the >implementation. > >We're running MS 4.25-13 on SuSE 8.2 on our test machine, and we've been >sending various test mails though it, to see how it dealt with them. > >Basically, our requirements would be to be able to quarantine mails >because of being too large, virus-laden, with attachments of various >types. > >Once a mail is quarantined, we would like to have the option to notify >three groups of people, the sender, the recipient and the admin, >depending on the reason the mail had been quarantined. > >Our testing of quarantining large mails threw up some confusion, as the >mails from MS always said that the mails had been stopped as virii, >which was not the case, however it seems to be that it says that >irrespective of the actual reason in the mails to the admin, which could >cause confusion. It would be better if a different notification mail >could be sent according to why the mail had been stopped (ie, "this mail >is too large", "this mail had an executable file attached", "this mail >has a script attached"). The individual "Report" lines in the mail to the sysadmin give the exact reason the message was stopped. The Subject: line is always the same (just makes it easier to filter on). I didn't really intend human beings to read every admin notification. Most sysadmins don't have the time to read stuff like this anyway. 
>Also, we would prefer to be able to notify the recipient, rather than >delivering a 'disinfected' version of the mail to them, something like >"you have been sent a mail that exceeds size limitations by >foo@bar.baz. If this mail is for business purposes, please contact >systems admin". That's all down to what you put in the VirusWarning.txt file, which you might well rename as well. >Have I totally misunderstood the way MS deals with mails, and these >options are possible? (I hope so) > >I can provide my MailScanner.conf if that will be helpful. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From carlos.pacheco at DIPROTECH.COM Tue Dec 2 16:22:45 2003 From: carlos.pacheco at DIPROTECH.COM (Carlos Pacheco) Date: Thu Jan 12 21:21:23 2006 Subject: Not modify attach if content-transfer-enconding is quoted-printable. Message-ID: Hi all. I've that problem. I have a mail server using Debian 2.4.18, sendmail and mailscanner. If a user sends me an old PDF file (1.2) from outlook, it's transferred in MIME, and the content-transfer-encoding is by default set to quoted-printable (I think in outlook 2000 you can't change it...). When the message passes through mailscanner, I suppose it analyses the attach, and modifies it, because all the 0x0A binary bytes are transformed into 0x0D 0x0A. Considering the PDF version I've told you, this corrupts PDF file and it can't be seen, so the solution for me (since I can't change outlook encoding) is to tell mailscanner not to modify content if MIME is an application/pdf, for example. Is that possible ? Thanks a lot. From Kevin.Hansard at IPLBATH.COM Tue Dec 2 16:43:54 2003 
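The 0x0A to 0x0D 0x0A conversion described in Carlos Pacheco's message above can be reproduced offline. This is an added example, not code from the list or from MailScanner, and it does not establish which component rewrote the attachment in his setup: it shows that a quoted-printable part carrying LF as a literal line break gains a CR as soon as any hop rewrites line endings to CRLF, while `=0A`-escaped quoted-printable and base64 survive. The sample bytes and all function names are constructed for the illustration.

```python
import base64
import binascii

# Constructed sample standing in for an old PDF: binary bytes mixed with bare LF (0x0A).
SAMPLE_PDF = (
    b"%PDF-1.2\n%\xe2\xe3\xcf\xd3\n"
    b"1 0 obj\n<< /Length 6 >>\nstream\n"
    b"\x00\x01\n\x02\x03\n"
    b"endstream\nendobj\n"
)


def qp_text_mode(data):
    """Encode as if the attachment were text: each LF becomes a literal line break."""
    return binascii.b2a_qp(data, istext=True)


def qp_binary_mode(data):
    """Encode as binary: each LF is data and is escaped as '=0A'."""
    return binascii.b2a_qp(data, istext=False)


def canonicalize_line_endings(body):
    """What any hop does when it rewrites a message body to CRLF line endings."""
    return body.replace(b"\r\n", b"\n").replace(b"\n", b"\r\n")


def round_trip(data, encode, decode):
    """Encode, pass through a CRLF-rewriting hop, decode at the receiver."""
    return decode(canonicalize_line_endings(encode(data)))


def hard_line_breaks(qp_body):
    """Count line breaks in a quoted-printable body that are payload, not '=' soft breaks.

    A non-zero count on a binary part (for example application/pdf) means the
    payload's LF bytes depend on nobody touching line endings in transit.
    """
    lines = qp_body.replace(b"\r\n", b"\n").split(b"\n")
    return sum(1 for line in lines[:-1] if not line.endswith(b"="))


def report():
    """Summarise what each encoding delivers after the CRLF-rewriting hop."""
    results = {}
    for name, enc, dec in (
        ("qp-text", qp_text_mode, binascii.a2b_qp),
        ("qp-binary", qp_binary_mode, binascii.a2b_qp),
        ("base64", base64.encodebytes, base64.decodebytes),
    ):
        received = round_trip(SAMPLE_PDF, enc, dec)
        results[name] = {
            "intact": received == SAMPLE_PDF,
            # PDF cross-reference tables store byte offsets, so every
            # inserted CR shifts the objects that follow it.
            "bytes_added": len(received) - len(SAMPLE_PDF),
        }
    return results


if __name__ == "__main__":
    for name, outcome in report().items():
        print(f"{name:10s} intact={outcome['intact']} bytes_added={outcome['bytes_added']}")
    print("hard line breaks in text-mode QP:", hard_line_breaks(qp_text_mode(SAMPLE_PDF)))
```

Running `hard_line_breaks` over the raw body of a quarantined or archived attachment part is a quick way to tell whether the sender's encoding, rather than a later rewrite alone, left the file exposed to this corruption.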
From: Kevin.Hansard at IPLBATH.COM (Kevin Hansard) Date: Thu Jan 12 21:21:23 2006 Subject: Small feature request Message-ID: I have started tagging spam messages with the spam score in the subject because this makes it much easier for people to see the score if they use Outlook. It would be nice if a user could sort their spam folder by subject and then the marginal spams would be at the top, allowing for easier spotting of false positives. Unfortunately this doesn't work because the spam score doesn't have a leading zero. Is it possible that a leading zero could be added in the next release? Many Thanks Kevin Hansard --- From mailscanner at ecs.soton.ac.uk Tue Dec 2 16:50:23 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:23 2006 Subject: Small feature request In-Reply-To: References: Message-ID: <6.0.1.1.2.20031202164723.0384add0@imap.ecs.soton.ac.uk> At 16:43 02/12/2003, you wrote: >I have started tagging spam messages with the spam score in the subject >because this makes it much easier for people to see the score if they >use Outlook. > >It would be nice if a user could sort their spam folder by subject and >then the marginal spams would be at the top, allowing for easier >spotting of false positives. > >Unfortunately this doesn't work because the spam score doesn't have a >leading zero. Is it possible that a leading zero could be added in the >next release? I'm not going to add this as a feature unless loads of people want it, it's a rather specialised request. However all you need to do is apply the attached patch to /usr/lib/MailScanner/MailScanner/Message.pm and then restart MailScanner. A command like cd /usr/lib/MailScanner/MailScanner patch < Message.pm.leadingzero.patch service MailScanner restart should do the trick for you. Don't lose the patch as you will need it for future upgrades. -------------- next part -------------- A non-text attachment was scrubbed... Name: Message.pm.leadingzero.patch Type: application/octet-stream Size: 1480 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20031202/f358214d/Message.pm.leadingzero.obj -------------- next part -------------- -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From james.ogley at PINNACLE.CO.UK Tue Dec 2 16:48:35 2003 
From: james.ogley at PINNACLE.CO.UK (James Ogley) Date: Thu Jan 12 21:21:23 2006 Subject: Questions about how MailScanner deals with mails to be quarantined In-Reply-To: <6.0.1.1.2.20031202162219.03d68ec0@imap.ecs.soton.ac.uk> References: <1070381356.1507.108.camel@jogley.pinnacle.co.uk> <6.0.1.1.2.20031202162219.03d68ec0@imap.ecs.soton.ac.uk> Message-ID: <1070383714.1511.117.camel@jogley.pinnacle.co.uk> > The individual "Report" lines in the mail to the sysadmin give the exact > reason the message was stopped. That much is certainly true :) > The Subject: line is always the same (just makes it easier to filter on). I > didn't really intend human beings to read every admin notification. Most > sysadmins don't have the time to read stuff like this anyway. Well, we tend to skim the subject lines, unless something looks like we need to attend to it, only then do we actually read the mail, and then to verify which machine sent it (we have multiple sweepers for resiliency). Obviously on MScanner, we'd include the machine name in our report mails :) Having the actual reason a mail was stopped in the Subject: line makes this a lot easier. > That's all down to what you put in the VirusWarning.txt file, which you > might well rename as well. I realise that, but it still delivers the rest of the mail, doesn't it? Also, there the option to only notify/deliver disinfected to the recipient on certain reasons for quarantining would be helpful (eg, we notify recipients of large mails, but not executables or videos). -- James Ogley, Unix Systems Administrator, Pinnacle Insurance Plc Work: james.ogley@pinnacle.co.uk www.pinnacle.co.uk +44 (0) 20 8731 3619 Personal: james@rubberturnip.org.uk www.rubberturnip.org.uk Updated GNOME RPMs for SuSE Linux: www.usr-local-bin.org *********************************************************************** CONFIDENTIALITY. This e-mail and any attachments are confidential and may also be privileged. 
If you are not the named recipient, please notify the sender immediately and do not disclose the contents to another person, use it for any purpose, or store or copy the information in any medium. Any views expressed in this message are those of the individual sender, except where the sender specifically states them to be the views of Pinnacle Insurance Plc. If you have received this e-mail in error please immediately notify our Helpdesk on +44 (0) 20 8207 9555. This footnote also confirms that this email message has been swept by MIMEsweeper for the presence of computer viruses. www.mimesweeper.com ********************************************************************** From mailscanner at ecs.soton.ac.uk Tue Dec 2 16:56:41 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:23 2006 Subject: Questions about how MailScanner deals with mails to be quarantined In-Reply-To: <1070383714.1511.117.camel@jogley.pinnacle.co.uk> References: <1070381356.1507.108.camel@jogley.pinnacle.co.uk> <6.0.1.1.2.20031202162219.03d68ec0@imap.ecs.soton.ac.uk> <1070383714.1511.117.camel@jogley.pinnacle.co.uk> Message-ID: <6.0.1.1.2.20031202165429.036b3580@imap.ecs.soton.ac.uk> At 16:48 02/12/2003, you wrote: > > The individual "Report" lines in the mail to the sysadmin give the exact > > reason the message was stopped. > >That much is certainly true :) > > > The Subject: line is always the same (just makes it easier to filter on). I > > didn't really intend human beings to read every admin notification. Most > > sysadmins don't have the time to read stuff like this anyway. > >Well, we tend to skim the subject lines, unless something looks like we >need to attend to it, only then do we actually read the mail, and then >to verify which machine sent it (we have multiple sweepers for >resiliency). Obviously on MScanner, we'd include the machine name in >our report mails :) > >Having the actual reason a mail was stopped in the Subject: line makes >this a lot easier. But there can be many reasons, often at least 3 (HTML exploit trying to load a .pif which has a virus in it, for example). What then? > > That's all down to what you put in the VirusWarning.txt file, which you > > might well rename as well. > >I realise that, but it still delivers the rest of the mail, doesn't it? >Also, there the option to only notify/deliver disinfected to the >recipient on certain reasons for quarantining would be helpful (eg, we >notify recipients of large mails, but not executables or videos). But then what do you do with large executables? You have conflicting requests, which is kinda hard to code. 
-- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From dot at DOTAT.AT Tue Dec 2 16:53:33 2003 From: dot at DOTAT.AT (Tony Finch) Date: Thu Jan 12 21:21:23 2006 Subject: code audit? In-Reply-To: References: <3041D4D2B8A6F746AD9217BE05AE68C407BBCD@dc012.corpdsg.com> <200312021407.hB2E7d2Q012320@genesis.camaross.net> <200312021407.hB2E7d2Q012320@genesis.camaross.net> Message-ID: Julian Field wrote: > >Tony Finch at Cambridge University has gone through all of the code in very >great detail, which resulted in several bug fixes and performance improvements. I wouldn't quite go that far :-) I did not look at all the code in detail, and I wasn't particularly looking out for security problems -- I don't have the right kind of deviousness to spot them reliably. Since MailScanner is written in Perl, buffer overflow bugs aren't a problem, so security problems are more likely to be related to dodgy filenames (but MailScanner sanitizes them) or denial-of-service (but MailScanner uses timeouts to protect itself) or something else... (which short list shows why I don't count myself as a security person). Tony. -- f.a.n.finch http://dotat.at/ SELSEY BILL TO LYME REGIS: NORTHEAST 3 OR 4, EASING VARIABLE 2 OR LESS. NORTHEAST 4 LATER. RAIN, FAIR LATER. MODERATE OR GOOD, LATER GOOD. SMOOTH OR SLIGHT. From james.ogley at PINNACLE.CO.UK Tue Dec 2 17:07:31 2003 
From: james.ogley at PINNACLE.CO.UK (James Ogley) Date: Thu Jan 12 21:21:23 2006 Subject: Questions about how MailScanner deals with mails to be quarantined In-Reply-To: <6.0.1.1.2.20031202165429.036b3580@imap.ecs.soton.ac.uk> References: <1070381356.1507.108.camel@jogley.pinnacle.co.uk> <6.0.1.1.2.20031202162219.03d68ec0@imap.ecs.soton.ac.uk> <1070383714.1511.117.camel@jogley.pinnacle.co.uk> <6.0.1.1.2.20031202165429.036b3580@imap.ecs.soton.ac.uk> Message-ID: <1070384850.1507.130.camel@jogley.pinnacle.co.uk> [Disclaimer: I'm approaching this from the POV of how MAILsweeper does it...] > But there can be many reasons, often at least 3 (HTML exploit trying to > load a .pif which has a virus in it, for example). What then? Then the 'big' issue is that it's a virus. > But then what do you do with large executables? You have conflicting > requests, which is kinda hard to code. MAILsweeper allows you to order by priority the things it scans for, so in our case, large file checks come before executables, but after virii (virus being the most important thing to check for, but once we're confident it's not a virus-laden, we check the size, and if it's too big, stop there so we don't have to load it into memory to check it's content again). If it's stopped, we examine the mail to determine whether it should be released to the recipient, and part of that is seeing it's an executable, and dealing accordingly with that information. -- James Ogley, Unix Systems Administrator, Pinnacle Insurance Plc Work: james.ogley@pinnacle.co.uk www.pinnacle.co.uk +44 (0) 20 8731 3619 Personal: james@rubberturnip.org.uk www.rubberturnip.org.uk Updated GNOME RPMs for SuSE Linux: www.usr-local-bin.org ********************************************************************** CONFIDENTIALITY.This e-mail and any attachments are confidential and may also be privileged. 
If you are not the named recipient, please notify the sender immediately and do not disclose the contents to another person, use it for any purpose, or store or copy the information in any medium. Any views expressed in this message are those of the individual sender, except where the sender specifically states them to be the views of Pinnacle Insurance plc. If you have received this email in error please immediately notify the Pinnacle Helpdesk on +44 (0) 20 8207 9555. This footnote also confirms that this email message has been swept by MIMEsweeper for the presence of computer viruses. www.mimesweeper.com ********************************************************************** From michel at SENTINIX.ORG Tue Dec 2 17:05:41 2003 
From: michel at SENTINIX.ORG (Michel (by way of Michel ))
Date: Thu Jan 12 21:21:23 2006
Subject: SENTINIX Postfix+MailScanner+SpamAssassin
Message-ID: <200312021805.41300.michel@sentinix.org>

Hi!

First, thanks Julian for a great piece of software!!

I'm the project manager of SENTINIX (http://sentinix.org), a Linux distro
that includes Postfix with MailScanner and SpamAssassin. An earlier thread
mentioned problems with Postfix and MailScanner. I've read about this
elsewhere too, but never experienced any problem myself.

I do now consider changing MTA.... I'm originally a "Sendmail-guy" but would
like to test Exim or Zmailer before falling back to Sendmail (if). Julian
recommended Exim, so perhaps that's the logical choice?! *but*, I'm reading
about some local root exploits for, although earlier versions of, Exim, which
is why I'm hesitating. :)

If anyone of you MailScanner users would want to use a pre-configured
anti-virus & anti-spam e-mail system, what configuration would you want?

Preferred MTA? Exim or Zmailer or {insert favourite MTA} ?

Anyone got good/bad experience of Zmailer + MailScanner ( + SpamAssassin) ??
On a busy (1000+ e-mails per day) proxy/gateway or server?? Compared to
{insert favourite MTA} ?

Thanks!

--
Michel Blomgren
SENTINIX Project Manager
http://sentinix.org

From dh at UPTIME.AT Tue Dec 2 17:22:32 2003
From: dh at UPTIME.AT (David H.) Date: Thu Jan 12 21:21:23 2006 Subject: SENTINIX Postfix+MailScanner+SpamAssassin In-Reply-To: <200312021805.41300.michel@sentinix.org> References: <200312021805.41300.michel@sentinix.org> Message-ID: <3FCCCA58.6080600@uptime.at> -----BEGIN PGP SIGNED MESSAGE----- Hash: RIPEMD160 Michel (by way of Michel ) wrote: > I do now consider changing MTA.... I'm orginally a "Sendmail-guy" but would > like to test Exim or Zmailer before falling back to Sendmail I am a sendmail guy as well (and happy with it :P) but currently evaluating Exim + MailScanner, which seems to work fine too. (if). Julian > recommended Exim, so perhaps that's the logical choice?! *but*, I'm reading > about some local root exploits for, although earlier versions of, Exim, which > is why I'm hesitating. :) Is that Exim3 ? > > Preferred MTA? Exim or Zmailer or {insert favourite MTA} ? > I'd want First Choice Sendmail + MailScanner (due to milter support) Second Choice Exim + MailScanner > Anyone got good/bad experience of Zmailer + MailScanner ( + SpamAssassin) ?? > On a busy (1000+ e-mails per day) proxy/gateway or server?? 1000+ I would not call anywhere near busy ;) One of the Server we have on sendmail+MailScanner does around 20K a day and is happy. But even that is a laughable amount of daily mail. - -d -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.3 (Darwin) iD8DBQE/zMpdPMoaMn4kKR4RA9ctAJ9P0Ttz87Lc7FG9hG7/emb2/toBTwCfYfF1 i+UAOeXBGUrsI9VipTC7pcw= =qOvr -----END PGP SIGNATURE----- From michel at SENTINIX.ORG Tue Dec 2 17:31:32 2003 
From: michel at SENTINIX.ORG (Michel) Date: Thu Jan 12 21:21:23 2006 Subject: SENTINIX Postfix+MailScanner+SpamAssassin In-Reply-To: <3FCCCA58.6080600@uptime.at> References: <200312021805.41300.michel@sentinix.org> <3FCCCA58.6080600@uptime.at> Message-ID: <200312021831.32477.michel@sentinix.org> That should be 10000 (10k) :) but you get the point, all depends on the processing power anyway... I meant if anyone has run Zmailer + MailScanner absolutely stable on an active e-mail server for an extended perior of time without stopping it (say, a few months)? /Michel On Tuesday 02 December 2003 18:22, David H. wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: RIPEMD160 > > Michel (by way of Michel ) wrote: > > > > > I do now consider changing MTA.... I'm orginally a "Sendmail-guy" but > > would like to test Exim or Zmailer before falling back to Sendmail > > I am a sendmail guy as well (and happy with it :P) but currently > evaluating Exim + MailScanner, which seems to work fine too. > > > (if). Julian > > > recommended Exim, so perhaps that's the logical choice?! *but*, I'm > > reading about some local root exploits for, although earlier versions of, > > Exim, which is why I'm hesitating. :) > > Is that Exim3 ? > > > Preferred MTA? Exim or Zmailer or {insert favourite MTA} ? > > I'd want > First Choice Sendmail + MailScanner (due to milter support) > Second Choice Exim + MailScanner > > > Anyone got good/bad experience of Zmailer + MailScanner ( + SpamAssassin) > > ?? On a busy (1000+ e-mails per day) proxy/gateway or server?? > > 1000+ I would not call anywhere near busy ;) One of the Server we have > on sendmail+MailScanner does around 20K a day and is happy. But even > that is a laughable amount of daily mail. 
> > > - -d > > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.2.3 (Darwin) > > iD8DBQE/zMpdPMoaMn4kKR4RA9ctAJ9P0Ttz87Lc7FG9hG7/emb2/toBTwCfYfF1 > i+UAOeXBGUrsI9VipTC7pcw= > =qOvr > -----END PGP SIGNATURE----- From dbird at SGHMS.AC.UK Tue Dec 2 19:30:07 2003 
From: dbird at SGHMS.AC.UK (Daniel Bird)
Date: Thu Jan 12 21:21:23 2006
Subject: AOL blocking MailScanner messages!
Message-ID: <3FCCE83F.7070500@sghms.ac.uk>

Dear all,
Apologies for the shock subject line, but it seems to be the case (at
least for our site;-).

Recently, we started seeing messages like:
2003-12-02 16:09:43 1ARD5c-0002Sm-Rm ** ******@aol.com <*****@aol.com>
R=dnslookup T=remote_smtp: SMTP error from remote mailer after end of
data: host mailin-03.mx.aol.com [64.12.137.152]: 554 TRANSACTION FAILED
554 AOL will not accept delivery of this message

in our Exim mail logs

After numerous emails to postmaster@aol.com (all replies were automated
"sorry for the inconvenience", "read this/that policy" types) I ended up
calling them (at international rates I might add!!!).

The 'helpful' gentleman on the end of the phone suggested turning off
any scanning software and retrying. Now, all I did was add the line

To: *@aol.com no

to /etc/MailScanner/rules/virus.scanning.rules

and restart.

After this change all was well and delivery started. The only
differences I can think of between the two emails that would have been
sent would be the omission of the X-MailScanner headers (apart from
X-MailScanner-: not scanned,etc )and a MailScanner signature

Looking at the error message they are rejecting on data content after
the initial SMTP connection so this makes me think (a hunch) they are
rejecting on X-MailScanner-xxxx : Found to be clean or other MailScanner
headers. (Sobig.F springs to mind!)

Has anyone else noticed this behavior from AOL on their MTA?

I have opened a ticket with their postmaster team to see if I can verify
the above assumptions. In the mean time I've left the virus scanning off
for AOL recipients.

Additionally, if they are blocking on "X-MailScanner-: Found
to be clean" I am wondering if it would be possible to customize the
"found to be clean message" as this would be the value in the
MailScanner headers from my 4 mail hubs that would be consistent.
Regards
Dan

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From chicks at CHICKS.NET Tue Dec 2 19:37:37 2003
From: chicks at CHICKS.NET (Christopher Hicks)
Date: Thu Jan 12 21:21:23 2006
Subject: AOL blocking MailScanner messages!
In-Reply-To: <3FCCE83F.7070500@sghms.ac.uk>
Message-ID:

On Tue, 2 Dec 2003, Daniel Bird wrote:
> In the mean time I've left the virus scanning off for AOL recipients.

hehehe. hohoho. They must want more viruses or something! I love it.

--
I would not, could not SAVE ON PHONE,
I would not, could not BUY YOUR LOAN,
I would not, could not MAKE MONEY FAST,    (by
I would not, could not SEND NO CA$H,       Matthew
I would not, could not SEE YOUR SITE,      Kennel)
I would not, could not EAT VEG-I-MITE,
I do *not* *like* GREEN CARDS AND SPAM!
Mad-I-Am!

From mailscanner at ecs.soton.ac.uk Tue Dec 2 19:39:53 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:21:23 2006
Subject: AOL blocking MailScanner messages!
In-Reply-To: <3FCCE83F.7070500@sghms.ac.uk>
References: <3FCCE83F.7070500@sghms.ac.uk>
Message-ID: <6.0.1.1.2.20031202193821.03de5fd0@imap.ecs.soton.ac.uk>

At 19:30 02/12/2003, you wrote:
>Additionally, if they are blocking on "X-MailScanner-: Found
>to be clean" I am wondering if it would be possible to customize the
>"found to be clean message" as this would be the value in the
>MailScanner headers from my 4 mail hubs that would be consistent.

This can already be done. Assign a ruleset to the
        Clean Header Value
configuration option in MailScanner.conf.

AOL move in mysterious ways :-(
--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mike at TC3NET.COM Tue Dec 2 19:40:04 2003
From: mike at TC3NET.COM (Michael Baird) Date: Thu Jan 12 21:21:23 2006 Subject: AOL blocking MailScanner messages! In-Reply-To: <3FCCE83F.7070500@sghms.ac.uk> References: <3FCCE83F.7070500@sghms.ac.uk> Message-ID: <1070394004.5205.83.camel@mike-new2.tc3net.com> No such problems here, MailScanner 4.25-9, on linux. to=, ctladdr= (22724/111), delay=00:00:30, xdelay=00:00:18, mailer=esmtp, pri=120420, relay=mailin-04.mx.aol.com. [64.12.138.152], dsn=2.0.0, stat=Sent (OK) Regards MIKE > Dear all, > Apologies for the shock subject line, but it seems to be the case (at > least for our site;-). > > Recently, we started seeing messages like: > 2003-12-02 16:09:43 1ARD5c-0002Sm-Rm ** ******@aol.com <*****@aol.com> > R=dnslookup T=remote_smtp: SMTP error from remote mailer after end of > data: host mailin-03.mx.aol.com [64.12.137.152]: 554 TRANSACTION FAILED > 554 AOL will not accept delivery of this message > > in our Exim mail logs > > After numerous emails to postmaster@aol.com (all replys were automated > "sorry for the inconvenience", "read this/that policy" types) I ended up > calling them (at international rates I might add!!!). > > The 'helpful' gentleman on the end of the phone suggested turning off > any scanning software and retrying. Now, all I did was add the line > > To: *@aol.com no > > to /etc/MailScanner/rules/virus.scanning.rules > > and restart. > > After this change all was well and delivery started. The only > differences I can think of between the two emails that would have been > sent would be the omission of the X-MailScanner headers (apart from > X-MailScanner-: not scanned,etc )and a MailScanner signature > > Looking at the error message they are rejecting on data content after > the initial SMTP connection so this makes me think (a hunch) they are > rejecting on X-MailScanner-xxxx : Found to be clean or other MailScanner > headers. (Sobig.F springs to mind!) > > Has anyone else noticed this behavior from AOL on their MTA? 
> > I have opened a ticket with their postmaster team to see if I can verify > the above assumptions. In the mean time I've left the virus scanning off > for AOL recipients. > > Additionally, if they are blocking on "X-MailScanner-: Found > to be clean" I am wondering if it would be possible to customize the > "found to be clean message" as this would be the value in the > MailScanner headers from my 4 mail hubs that would be consistent. > > Regards > Dan > > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > From dbird at SGHMS.AC.UK Tue Dec 2 20:01:32 2003 
From: dbird at SGHMS.AC.UK (Daniel Bird)
Date: Thu Jan 12 21:21:23 2006
Subject: AOL blocking MailScanner messages!
In-Reply-To: <6.0.1.1.2.20031202193821.03de5fd0@imap.ecs.soton.ac.uk>
References: <3FCCE83F.7070500@sghms.ac.uk> <6.0.1.1.2.20031202193821.03de5fd0@imap.ecs.soton.ac.uk>
Message-ID: <3FCCEF9C.3070806@sghms.ac.uk>

Julian Field wrote:

> At 19:30 02/12/2003, you wrote:
>
>> Additionally, if they are blocking on "X-MailScanner-: Found
>> to be clean" I am wondering if it would be possible to customize the
>> "found to be clean message" as this would be the value in the
>> MailScanner headers from my 4 mail hubs that would be consistent.
>
>
> This can already be done. Assign a ruleset to the
> Clean Header Value
> configuration option in MailScanner.conf.

Thanks Julian, don't know how I missed that one. I must need glasses ;-)

>
> AOL move in mysterious ways :-(

Indeed they do!
Has anyone read their "mail acceptance" policies? Absolute nightmare!

Anyhow, I changed the "Found to be clean" value to "No virueses detected"
and turned on the virus scanning. My MTA now looks like it's delivering to
AOL, virus scanned and all!.

Thanks again.

Dan

> --
> Julian Field
> www.MailScanner.info
> Professional Support Services at www.MailScanner.biz
> MailScanner thanks transtec Computers for their support
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From mailscanner at ecs.soton.ac.uk Tue Dec 2 20:06:19 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:21:24 2006
Subject: AOL blocking MailScanner messages!
In-Reply-To: <3FCCE83F.7070500@sghms.ac.uk>
References: <3FCCE83F.7070500@sghms.ac.uk>
Message-ID: <6.0.1.1.2.20031202200450.027f3d30@imap.ecs.soton.ac.uk>

I have just tested this and found it not to be true:

220-rly-yb03.mx.aol.com ESMTP mail_relay_in-yb3.3; Tue, 02 Dec 2003 15:01:11 -0500
220-America Online (AOL) and its affiliated companies do not
220- authorize the use of its proprietary computers and computer
220- networks to accept, transmit, or distribute unsolicited bulk
220- e-mail sent from the internet. Effective immediately: AOL
220- may no longer accept connections from IP addresses which
220 have no reverse-DNS (PTR record) assigned.
HELO mailscanner.biz
250 rly-yb03.mx.aol.com OK
MAIL from:
250 OK
RCPT to:
250 OK
DATA
354 START MAIL INPUT, END WITH "." ON A LINE BY ITSELF
From: jules@jules.fm
To: steve1@aol.com
Date: Tue, 2 Dec 2003 18:33:41 +0000
Subject: This is a test message
X-MailScanner: Found to be clean

This is a test message. Please delete me.
--
Jules
.
250 OK

which appears to say it has accepted the message.
--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Tue Dec 2 20:19:32 2003
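Added example, not part of the thread and not MailScanner or Exim code: the Exim log line Daniel quoted reports the 554 "after end of data", that is, after the envelope had been accepted, which is what distinguishes a content-stage rejection from a connection or recipient-level one. The Python below parses failure lines of that shape and groups them by remote host and SMTP stage. The first sample line is the one from the thread; the other lines, the stage names, and the phase wordings other than "end of data" are assumptions.

```python
import re
from collections import Counter, defaultdict

# Exim main-log permanent failure ("**"), in the shape quoted in the thread:
#   <date> <time> <msgid> ** <rcpt> ... SMTP error from remote mailer
#   after <phase>: host <name> [<ip>]: <code> <text>
# "mail server" is accepted as well as "mailer" (assumed wording variant).
FAILURE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<msgid>\S+) \*\* (?P<rcpt>\S+)"
    r".*?SMTP error from remote mail(?:er| server) after (?P<phase>.+?): "
    r"host (?P<host>\S+) \[(?P<ip>[^\]]+)\]: (?P<code>[45]\d\d)[ -](?P<text>.*)$"
)


def stage_of(phase):
    """Map the logged SMTP phase to a coarse stage name (names are this example's)."""
    p = phase.lower()
    if p.startswith("pipelined "):
        p = p[len("pipelined "):]
    if p.startswith(("initial connection", "helo", "ehlo")):
        return "connection"      # refused before any envelope was offered
    if p.startswith("mail from"):
        return "sender"
    if p.startswith("rcpt to"):
        return "recipient"
    if p.startswith("end of data"):
        return "content"         # envelope accepted, message itself refused
    if p.startswith("data"):
        return "data-command"
    return "other"


def parse_failure(line):
    """Return a dict for a remote SMTP failure line, or None for anything else."""
    m = FAILURE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["code"] = int(rec["code"])
    rec["stage"] = stage_of(rec["phase"])
    return rec


def summarise(lines):
    """Count failures per remote host and stage."""
    table = defaultdict(Counter)
    for line in lines:
        rec = parse_failure(line)
        if rec is not None:
            table[rec["host"]][rec["stage"]] += 1
    return {host: dict(stages) for host, stages in table.items()}


def content_rejecting_hosts(lines):
    """Hosts that returned a 5xx only after the message data had been sent."""
    hosts = set()
    for line in lines:
        rec = parse_failure(line)
        if rec and rec["stage"] == "content" and 500 <= rec["code"] < 600:
            hosts.add(rec["host"])
    return sorted(hosts)


SAMPLE_LOG = [
    # Line quoted in the thread (addresses masked by the poster).
    ("2003-12-02 16:09:43 1ARD5c-0002Sm-Rm ** ******@aol.com <*****@aol.com> "
     "R=dnslookup T=remote_smtp: SMTP error from remote mailer after end of "
     "data: host mailin-03.mx.aol.com [64.12.137.152]: 554 TRANSACTION FAILED "
     "554 AOL will not accept delivery of this message"),
    # Constructed lines for comparison (documentation hosts and addresses).
    ("2003-12-02 16:11:02 1ARD6t-0002TA-01 ** user@example.net R=dnslookup "
     "T=remote_smtp: SMTP error from remote mailer after RCPT TO:<user@example.net>: "
     "host mx.example.net [192.0.2.10]: 550 No such user"),
    ("2003-12-02 16:12:40 1ARD8Q-0002Tb-02 ** other@example.org R=dnslookup "
     "T=remote_smtp: SMTP error from remote mailer after initial connection: "
     "host mx.example.org [192.0.2.20]: 554 No reverse DNS"),
    ("2003-12-02 16:13:05 1ARD8p-0002Tc-03 => ok@example.com R=dnslookup "
     "T=remote_smtp H=mx.example.com [192.0.2.30]"),
]

if __name__ == "__main__":
    for host, stages in summarise(SAMPLE_LOG).items():
        print(host, stages)
    print("content-stage rejections:", content_rejecting_hosts(SAMPLE_LOG))
```

A host that appears only under the "content" stage accepted the sender and recipient and refused the message after seeing it, so header or body differences such as an added scanner header or signature are worth comparing between accepted and rejected copies.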
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:24 2006 Subject: Virus scanners and universities In-Reply-To: <1070395964.18455.35.camel@cis-staff-kntx90.cis.brown.edu> References: <1070395964.18455.35.camel@cis-staff-kntx90.cis.brown.edu> Message-ID: <6.0.1.1.2.20031202201752.03f5fe78@imap.ecs.soton.ac.uk> At 20:12 02/12/2003, you wrote: >Hi all, > I'm looking for some info on what other universities and colleges are >doing in the MS/virus scanning area. > > We (Brown University, USA) are using MS and hacked in support for >Symantec Scan Engine. Cost issues are starting to creep in again and we >want to know what some other options are. We love MS and just wanna >know what the virus scanners cost you (total or per >address/user/FTE/whatever) ClamAV is free and open source, and is remarkably good. eTrust from Computer Associates (www.ca.com) is only $129 per server. Norman (www.norman.de) is free for non-commercial use. Sophos have extremely good educational discounts. Start with those... -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From dnsadmin at 1BIGTHINK.COM Tue Dec 2 20:28:16 2003 
From: dnsadmin at 1BIGTHINK.COM (DNSAdmin) Date: Thu Jan 12 21:21:24 2006 Subject: AOL blocking MailScanner messages! In-Reply-To: <6.0.1.1.2.20031202200450.027f3d30@imap.ecs.soton.ac.uk> References: <3FCCE83F.7070500@sghms.ac.uk> <3FCCE83F.7070500@sghms.ac.uk> Message-ID: <5.2.1.1.0.20031202152704.04d31ed8@mail.1bigthink.com> At 08:06 PM 12/2/2003 +0000, you wrote: >I have just tested this and found it not to be true: > >220-rly-yb03.mx.aol.com ESMTP mail_relay_in-yb3.3; Tue, 02 Dec 2003 >15:01:11 -0500 >220-America Online (AOL) and its affiliated companies do not >220- authorize the use of its proprietary computers and computer >220- networks to accept, transmit, or distribute unsolicited bulk >220- e-mail sent from the internet. Effective immediately: AOL >220- may no longer accept connections from IP addresses which >220 have no reverse-DNS (PTR record) assigned. Which means that you never had your reverse DNS correct, or maybe something happened to it recently. Perhaps your upstream provider? Cheers, Glenn >HELO mailscanner.biz >250 rly-yb03.mx.aol.com OK >MAIL from: >250 OK >RCPT to: >250 OK >DATA >354 START MAIL INPUT, END WITH "." ON A LINE BY ITSELF >From: jules@jules.fm >To: steve1@aol.com >Date: Tue, 2 Dec 2003 18:33:41 +0000 >Subject: This is a test message >X-MailScanner: Found to be clean > >This is a test message. Please delete me. >-- >Jules >. >250 OK > >which appears to say it has accepted the message. >-- >Julian Field >www.MailScanner.info >Professional Support Services at www.MailScanner.biz >MailScanner thanks transtec Computers for their support >PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From tduvally at BROWN.EDU Tue Dec 2 20:36:05 2003 
From: tduvally at BROWN.EDU (Thomas DuVally) Date: Thu Jan 12 21:21:24 2006 Subject: Virus scanners and universities In-Reply-To: <6.0.1.1.2.20031202201752.03f5fe78@imap.ecs.soton.ac.uk> References: <1070395964.18455.35.camel@cis-staff-kntx90.cis.brown.edu> <6.0.1.1.2.20031202201752.03f5fe78@imap.ecs.soton.ac.uk> Message-ID: <1070397364.18455.67.camel@cis-staff-kntx90.cis.brown.edu> On Tue, 2003-12-02 at 15:19, Julian Field wrote: > At 20:12 02/12/2003, you wrote: > >Hi all, > > I'm looking for some info on what other universities and colleges are > >doing in the MS/virus scanning area. > > > > We (Brown University, USA) are using MS and hacked in support for > >Symantec Scan Engine. Cost issues are starting to creep in again and we > >want to know what some other options are. We love MS and just wanna > >know what the virus scanners cost you (total or per > >address/user/FTE/whatever) > > ClamAV is free and open source, and is remarkably good. > eTrust from Computer Associates (www.ca.com) is only $129 per server. I was not aware that MS supported eTrust. I don't see any documentation anywhere. Which version did that start in? > Norman (www.norman.de) is free for non-commercial use. > Sophos have extremely good educational discounts. > > Start with those... > -- > Julian Field > www.MailScanner.info > Professional Support Services at www.MailScanner.biz > MailScanner thanks transtec Computers for their support > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -- Thomas J. DuVally Lead Systems Prog. CIS, Brown Univ. http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x15F233F6 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 197 bytes Desc: This is a digitally signed message part Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20031202/9c4bf53f/attachment.bin From dustin.baer at IHS.COM Tue Dec 2 20:34:11 2003 
From: dustin.baer at IHS.COM (Dustin Baer) Date: Thu Jan 12 21:21:24 2006 Subject: AOL blocking MailScanner messages! References: <3FCCE83F.7070500@sghms.ac.uk> <6.0.1.1.2.20031202193821.03de5fd0@imap.ecs.soton.ac.uk> <3FCCEF9C.3070806@sghms.ac.uk> Message-ID: <3FCCF743.3D8ABFC6@ihs.com> Daniel Bird wrote: > > Julian Field wrote: > > > AOL move in mysterious ways :-( > > Indeed they do! > Has anyone read thier "mail acceptance" policies? Abosulte nightmare! Which is why they are listed on two rfc-ignorant lists: http://www.rfc-ignorant.org/tools/lookup.php?domain=aol.com Dustin From tduvally at BROWN.EDU Tue Dec 2 20:12:45 2003 From: tduvally at BROWN.EDU (Thomas DuVally) Date: Thu Jan 12 21:21:24 2006 Subject: Virus scanners and universities Message-ID: <1070395964.18455.35.camel@cis-staff-kntx90.cis.brown.edu> Hi all, I'm looking for some info on what other universities and colleges are doing in the MS/virus scanning area. We (Brown University, USA) are using MS and hacked in support for Symantec Scan Engine. Cost issues are starting to creep in again and we want to know what some other options are. We love MS and just wanna know what the virus scanners cost you (total or per address/user/FTE/whatever) Thanks! -- Thomas J. DuVally Lead Systems Prog. CIS, Brown Univ. http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x15F233F6 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 197 bytes Desc: This is a digitally signed message part Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20031202/f6d18da2/attachment.bin From mailscanner at ecs.soton.ac.uk Tue Dec 2 20:55:52 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:24 2006 Subject: Virus scanners and universities In-Reply-To: <1070397364.18455.67.camel@cis-staff-kntx90.cis.brown.edu> References: <1070395964.18455.35.camel@cis-staff-kntx90.cis.brown.edu> <6.0.1.1.2.20031202201752.03f5fe78@imap.ecs.soton.ac.uk> <1070397364.18455.67.camel@cis-staff-kntx90.cis.brown.edu> Message-ID: <6.0.1.1.2.20031202205456.040e55f0@imap.ecs.soton.ac.uk> At 20:36 02/12/2003, you wrote: >*** PGP SIGNATURE VERIFICATION *** >*** Status: Good Signature from Invalid Key >*** Alert: Please verify signer's key before trusting signature. >*** Signer: Thomas J. Du Vally (0x15F233F6) >*** Signed: 02/12/2003 20:36:03 >*** Verified: 02/12/2003 20:53:28 >*** BEGIN PGP VERIFIED MESSAGE *** > >On Tue, 2003-12-02 at 15:19, Julian Field wrote: > > At 20:12 02/12/2003, you wrote: > > >Hi all, > > > I'm looking for some info on what other universities and > colleges are > > >doing in the MS/virus scanning area. > > > > > > We (Brown University, USA) are using MS and hacked in support for > > >Symantec Scan Engine. Cost issues are starting to creep in again and we > > >want to know what some other options are. We love MS and just wanna > > >know what the virus scanners cost you (total or per > > >address/user/FTE/whatever) > > > > ClamAV is free and open source, and is remarkably good. > > eTrust from Computer Associates (www.ca.com) is only $129 per server. > >I was not aware that MS supported eTrust. I don't see any documentation >anywhere. Which version did that start in? 4.23. I need to write an up-to-date feature list, including all the supported scanners and all the major features I have added since the first release of 4.00. 
--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Wed Dec 3 01:02:45 2003
From: mailscanner at ecs.soton.ac.uk (mailscanner@ecs.soton.ac.uk)
Date: Thu Jan 12 21:21:24 2006
Subject: NOTIFY-New Guestbook Entry
Message-ID: <200312030102.hB312j8Z029970@seer.ecs.soton.ac.uk>

New Guestbook-Entry from Paul

Thanks for a tool that is a cinch to setup and works very well

From res at AUSICS.NET Tue Dec 2 21:16:34 2003
From: res at AUSICS.NET (Res)
Date: Thu Jan 12 21:21:24 2006
Subject: AOL blocking MailScanner messages!
In-Reply-To: <3FCCE83F.7070500@sghms.ac.uk>
References: <3FCCE83F.7070500@sghms.ac.uk>
Message-ID:

On Tue, 2 Dec 2003, Daniel Bird wrote:

>
> To: *@aol.com no
>
> to /etc/MailScanner/rules/virus.scanning.rules
>
> and restart.
>
> After this change all was well and delivery started. The only

AOL are renowned for stopping people trying to stop their customers from
spa.. errr mailing out and have all these mystical policies, but when it
comes to acting on their own spammers they never do, we have blocked aol
here totally for a year, and it's all been good :)

--
Regards,
Res
Network Administrator
Postmaster / Abusemaster / Flamemaster
http://www.ausics.net
Australian Hosting Services

From res at AUSICS.NET Tue Dec 2 21:19:06 2003
From: res at AUSICS.NET (Res)
Date: Thu Jan 12 21:21:24 2006
Subject: AOL blocking MailScanner messages!
In-Reply-To: <6.0.1.1.2.20031202200450.027f3d30@imap.ecs.soton.ac.uk>
References: <3FCCE83F.7070500@sghms.ac.uk> <6.0.1.1.2.20031202200450.027f3d30@imap.ecs.soton.ac.uk>
Message-ID:

On Tue, 2 Dec 2003, Julian Field wrote:

> 220- e-mail sent from the internet. Effective immediately: AOL

So they DO have a policy about their customers are allowed to send spam :)

>

--
Regards,
Res
Network Administrator
Postmaster / Abusemaster / Flamemaster
http://www.ausics.net
Australian Hosting Services

From hermit921 at YAHOO.COM Tue Dec 2 21:19:47 2003
From: hermit921 at YAHOO.COM (hermit921)
Date: Thu Jan 12 21:21:24 2006
Subject: Sophos updates
In-Reply-To: <6.0.1.1.2.20031128111939.0383b578@imap.ecs.soton.ac.uk>
References: <0EBC45FCABFC95428EBFC3A51B368C9501C9C3AD@jessica.herefords hire.gov.uk> <0EBC45FCABFC95428EBFC3A51B368C9501C9C3AD@jessica.herefordshire.gov.uk>
Message-ID: <5.1.0.14.2.20031202131729.01cd84e8@pop.mail.yahoo.com>

Does the automatic Sophos updating process installed with MailScanner
include engine updates or just new virus signatures?

The mail logs show new Sophos ide files every hour on most days. Are virus
signatures updated that often or is this an artifact of the update script?

hermit921

From jaearick at COLBY.EDU Tue Dec 2 21:23:18 2003
From: jaearick at COLBY.EDU (Jeff A. Earickson)
Date: Thu Jan 12 21:21:24 2006
Subject: clamavmodule and 4.25-14
Message-ID:

Setup: Solaris 9, perl 5.8.2, MS 4.25-14, ClamAV 0.65 installed
in /opt/clamav-0.65, with a symlink clamav->clamav-0.65. The
"clamav" module in "Virus scanners" works just fine, with the
directory "/opt/clamav" specified for clamav in virus.scanners.conf.
No problems.

So I want to use clamavmodule instead. I couldn't get
Mail-ClamAV-0.04 to build properly until the author clued me
into how to specify non-standard clam locations. See FAQ

http://www.sng.ecs.soton.ac.uk/mailscanner/serve/cache/242.html

So, with Mail-ClamAV-0.04 installed, I try clamavmodule. I get
the syslog complaint:

None of the files matched by the "Monitors For ClamAV Updates"
patterns exist!

from lib/MailScanner/SweepViruses.pm. What's wrong??

From jstuart at EDENPR.K12.MN.US Tue Dec 2 21:27:42 2003
From: jstuart at EDENPR.K12.MN.US (Joe Stuart)
Date: Thu Jan 12 21:21:24 2006
Subject: .hoststat
Message-ID:

Hi,
I'm running mailscanner with postfix on suse linux and whenever I start
Mailscanner up it starts as a defunct process and the maillog keeps
printing this and I can't find any info in the net.

MailScanner[5588]: Cannot open dir .hoststat when finding depth

Any help is appreciated
Thanks

From kodak at FRONTIERHOMEMORTGAGE.COM Tue Dec 2 21:27:25 2003
From: kodak at FRONTIERHOMEMORTGAGE.COM (Jason Balicki)
Date: Thu Jan 12 21:21:24 2006
Subject: Sophos updates
In-Reply-To: <5.1.0.14.2.20031202131729.01cd84e8@pop.mail.yahoo.com>
Message-ID: <005101c3b91b$14cf6ea0$0501a8c0@darkside>

>Does the automatic Sophos updating process installed with MailScanner
>include engine updates or just new virus signatures?

MailScanner only updates the ide files. You can use a script
called MajorSophos to download the engine, then run the
Sophos.install script included with MS. I run it all from
cron on a monthly basis.

>The mail logs show new Sophos ide files every hour on most
>days. Are virus
>signatures updated that often or is this an artifact of the
>update script?

In my experience, Sophos updates frequently, but to answer the
question I think you're asking: no, it's probably not Sophos
updating every hour. The autoupdate script does check every
hour, and AFAIK, it reports a successful update whether you needed
the update or not -- that's what you're seeing in your logs.

You can find MajorSophos here:
http://www.tippingmar.com/majorsophos/

--J(K)

From dbird at SGHMS.AC.UK Tue Dec 2 21:26:32 2003
From: dbird at SGHMS.AC.UK (Daniel Bird) Date: Thu Jan 12 21:21:24 2006 Subject: AOL blocking MailScanner messages! In-Reply-To: <6.0.1.1.2.20031202200450.027f3d30@imap.ecs.soton.ac.uk> References: <3FCCE83F.7070500@sghms.ac.uk> <6.0.1.1.2.20031202200450.027f3d30@imap.ecs.soton.ac.uk> Message-ID: <3FCD0388.3070201@sghms.ac.uk> Julian Field wrote: > 250 OK > R > which appears to say it has accepted the message. Indeed, if I do the same it appears to be accepted for me also. Like I said earlier, this was all based on an assumption. To make things even more weird, I checked back thru our logs and found **some** of AOL;'s relays were accepting mail and some weren't. I've changed the Cleaned header back to "Found to be clean" in MailScanner.conf , and checked it. It works as expected. i.e mail gets through. It's all very strange. I haven't had anything from AOL support as yet, but I did give them my mail relay IP's earlier so maybe they've white listed me?? :-) I'll leave as is for now and see how we get on, but I'll let you know if I find out any more info. Dan > -- > Julian Field > www.MailScanner.info > Professional Support Services at www.MailScanner.biz > MailScanner thanks transtec Computers for their support > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From jase at SENSIS.COM Tue Dec 2 21:29:15 2003 From: jase at SENSIS.COM (Desai, Jason) Date: Thu Jan 12 21:21:24 2006 Subject: AOL blocking MailScanner messages! Message-ID: Does your site-name have any weird characters in it? Maybe an underscore or something else? They could be blocking email based on what they thing is an invalid header. Jason > -----Original Message----- 
> From: Daniel Bird [mailto:dbird@SGHMS.AC.UK] > Sent: Tuesday, December 02, 2003 2:30 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: [MAILSCANNER] AOL blocking MailScanner messages! > > > Dear all, > Apologies for the shock subject line, but it seems to be the case (at > least for our site;-). > > Recently, we started seeing messages like: > 2003-12-02 16:09:43 1ARD5c-0002Sm-Rm ** ******@aol.com <*****@aol.com> > R=dnslookup T=remote_smtp: SMTP error from remote mailer after end of > data: host mailin-03.mx.aol.com [64.12.137.152]: 554 > TRANSACTION FAILED > 554 AOL will not accept delivery of this message > > in our Exim mail logs > > After numerous emails to postmaster@aol.com (all replys were automated > "sorry for the inconvenience", "read this/that policy" types) > I ended up > calling them (at international rates I might add!!!). > > The 'helpful' gentleman on the end of the phone suggested turning off > any scanning software and retrying. Now, all I did was add the line > > To: *@aol.com no > > to /etc/MailScanner/rules/virus.scanning.rules > > and restart. > > After this change all was well and delivery started. The only > differences I can think of between the two emails that would have been > sent would be the omission of the X-MailScanner headers (apart from > X-MailScanner-: not scanned,etc )and a MailScanner > signature > > Looking at the error message they are rejecting on data content after > the initial SMTP connection so this makes me think (a hunch) they are > rejecting on X-MailScanner-xxxx : Found to be clean or other > MailScanner > headers. (Sobig.F springs to mind!) > > Has anyone else noticed this behavior from AOL on their MTA? > > I have opened a ticket with their postmaster team to see if I > can verify > the above assumptions. In the mean time I've left the virus > scanning off > for AOL recipients. 
> > Additionally, if they are blocking on > "X-MailScanner-: Found > to be clean" I am wondering if it would be possible to customize the > "found to be clean message" as this would be the value in the > MailScanner headers from my 4 mail hubs that would be consistent. > > Regards > Dan > > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > From dbird at SGHMS.AC.UK Tue Dec 2 21:31:54 2003 From: dbird at SGHMS.AC.UK (Daniel Bird) Date: Thu Jan 12 21:21:24 2006 Subject: AOL blocking MailScanner messages! In-Reply-To: References: Message-ID: <3FCD04CA.6000009@sghms.ac.uk> Desai, Jason wrote: >Does your site-name have any weird characters in it? Maybe an underscore or >something else? They could be blocking email based on what they thing is an >invalid header. > > nope, just MH then 1 thru 4. Dan >Jason > > > >>-----Original Message----- 
>>From: Daniel Bird [mailto:dbird@SGHMS.AC.UK] >>Sent: Tuesday, December 02, 2003 2:30 PM >>To: MAILSCANNER@JISCMAIL.AC.UK >>Subject: [MAILSCANNER] AOL blocking MailScanner messages! >> >> >>Dear all, >>Apologies for the shock subject line, but it seems to be the case (at >>least for our site;-). >> >>Recently, we started seeing messages like: >>2003-12-02 16:09:43 1ARD5c-0002Sm-Rm ** ******@aol.com <*****@aol.com> >>R=dnslookup T=remote_smtp: SMTP error from remote mailer after end of >>data: host mailin-03.mx.aol.com [64.12.137.152]: 554 >>TRANSACTION FAILED >>554 AOL will not accept delivery of this message >> >>in our Exim mail logs >> >>After numerous emails to postmaster@aol.com (all replys were automated >>"sorry for the inconvenience", "read this/that policy" types) >>I ended up >>calling them (at international rates I might add!!!). >> >>The 'helpful' gentleman on the end of the phone suggested turning off >>any scanning software and retrying. Now, all I did was add the line >> >>To: *@aol.com no >> >>to /etc/MailScanner/rules/virus.scanning.rules >> >>and restart. >> >>After this change all was well and delivery started. The only >>differences I can think of between the two emails that would have been >>sent would be the omission of the X-MailScanner headers (apart from >>X-MailScanner-: not scanned,etc )and a MailScanner >>signature >> >>Looking at the error message they are rejecting on data content after >>the initial SMTP connection so this makes me think (a hunch) they are >>rejecting on X-MailScanner-xxxx : Found to be clean or other >>MailScanner >>headers. (Sobig.F springs to mind!) >> >>Has anyone else noticed this behavior from AOL on their MTA? >> >>I have opened a ticket with their postmaster team to see if I >>can verify >>the above assumptions. In the mean time I've left the virus >>scanning off >>for AOL recipients. 
>> >>Additionally, if they are blocking on >>"X-MailScanner-: Found >>to be clean" I am wondering if it would be possible to customize the >>"found to be clean message" as this would be the value in the >>MailScanner headers from my 4 mail hubs that would be consistent. >> >>Regards >>Dan >> >> >>-- >>This message has been scanned for viruses and >>dangerous content by MailScanner, and is >>believed to be clean. >> >> >> > > > -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From dwinkler at ALGORITHMICS.COM Tue Dec 2 21:32:45 2003 From: dwinkler at ALGORITHMICS.COM (Derek Winkler) Date: Thu Jan 12 21:21:24 2006 Subject: Sophos updates Message-ID: <20CEA27AF49D7F4691F02E7ADC5D4ECD04B0BD@tormail2.algorithmics.com> You don't experience any problems running Sophos.install while MailScanner/Sophos are running? No uninstall necessary? Thanks, Derek Winkler Security Administrator Algorithmics Inc., Toronto Tel: (416) 217-4107 Fax: (416) 971-6263 www.algorithmics.com -----Original Message----- 
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Jason Balicki Sent: Tuesday, December 02, 2003 4:27 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Sophos updates >Does the automatic Sophos updating process installed with MailScanner >include engine updates or just new virus signatures? MailScanner only updates the ide files. You can use a script called MajorSophos to download the engine, then run the Sophos.install script included with MS. I run it all from cron on a monthly basis. >The mail logs show new Sophos ide files every hour on most >days. Are virus >signatures updated that often or is this an artifact of the >update script? In my experience, Sophos updates frequently, but to answer the question I think you're asking: no, it's probably not Sophos updating every hour. The autoupdate script does check every hour, and AFAIK, it reports a sucessful update wether you needed the update or not -- that's what you're seeing in your logs. You can find MajorSophos here: http://www.tippingmar.com/majorsophos/ --J(K) -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20031202/c4eb6d38/attachment.html From Jan-Peter.Koopmann at SECEIDOS.DE Tue Dec 2 21:37:36 2003 From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann) Date: Thu Jan 12 21:21:24 2006 Subject: ANNOUNCE: Bug fix release 4.25-14 / FreeBSD port Message-ID: I just upgraded the MailScanner port to 4.25-14. The PR is on ist way but since there is a ports freeze at the moment you should rather download it at www.mailscanner.info or here http://www.seceidos.de/downloads/freebsd/ports/MailScanner.tgz Have fun. Regards, JP From kodak at FRONTIERHOMEMORTGAGE.COM Tue Dec 2 21:44:20 2003 
From: kodak at FRONTIERHOMEMORTGAGE.COM (Jason Balicki) Date: Thu Jan 12 21:21:24 2006 Subject: Sophos updates In-Reply-To: <20CEA27AF49D7F4691F02E7ADC5D4ECD04B0BD@tormail2.algorithmics.com> Message-ID: <005401c3b91d$71b8ea40$0501a8c0@darkside> >You don't experience any problems running Sophos.install while MailScanner/Sophos are running? >No uninstall necessary? I've never had a problem BEFORE. But now that YOU'VE said something.... Seriously, no. I run in place upgrades all the time -- Sophos.install will reload MS I believe. --J(K) From hermit921 at YAHOO.COM Tue Dec 2 21:56:42 2003 
From: hermit921 at YAHOO.COM (hermit921) Date: Thu Jan 12 21:21:24 2006 Subject: Sophos updates In-Reply-To: <005101c3b91b$14cf6ea0$0501a8c0@darkside> References: <5.1.0.14.2.20031202131729.01cd84e8@pop.mail.yahoo.com> Message-ID: <5.1.0.14.2.20031202135416.01d4b130@pop.mail.yahoo.com> At 01:27 PM 12/2/2003, Jason Balicki wrote: > >Does the automatic Sophos updating process installed with MailScanner > >include engine updates or just new virus signatures? > >MailScanner only updates the ide files. You can use a script >called MajorSophos to download the engine, then run the >Sophos.install script included with MS. I run it all from >cron on a monthly basis. > > >The mail logs show new Sophos ide files every hour on most > >days. Are virus > >signatures updated that often or is this an artifact of the > >update script? > >In my experience, Sophos updates frequently, but to answer the >question I think you're asking: no, it's probably not Sophos >updating every hour. The autoupdate script does check every >hour, and AFAIK, it reports a sucessful update wether you needed >the update or not -- that's what you're seeing in your logs. > >You can find MajorSophos here: >http://www.tippingmar.com/majorsophos/ > >--J(K) I see a new file (373_ides.zip) in /usr/local/Sophos/ide each time I check, not just the log entry. If the updates are really new files, that implies MailScanner is downloading new files every hour whether virus data is new or not. hermit921 From nvargas at NICATECH.COM.NI Tue Dec 2 22:12:59 2003 From: nvargas at NICATECH.COM.NI (Noel Vargas) Date: Thu Jan 12 21:21:24 2006 Subject: f-prot eicar test Message-ID: Thank you for your answer, but It seems not to be working, and followed the Install guide step by step. I would like to send the MailScanner.conf file to see what could be wrong. I tested f-prot and it runs fine. From Kevin_Miller at CI.JUNEAU.AK.US Tue Dec 2 22:13:11 2003 
From: Kevin_Miller at CI.JUNEAU.AK.US (Kevin Miller) Date: Thu Jan 12 21:21:24 2006 Subject: False positives Message-ID: <08146035CA49D6119A36009027AC822A0264EAC9@CITY-EXCH-NTS> Last week I upgraded SA to 2.6, and am catching a lot more spam, but I'm also getting a number of false positives, and what's just as weird, spam is being caught that doesn't add up to 5. The false positives are often negative numbers, the low scoring (but still caught) true positives are usually in the 3 - 4.99 range. At least the one's I've looked at. Spam Actions are: Spam Actions = forward Alphonse_Spamdog@mx.ci.juneau.ak.us delete High Scoring Spam Actions = forward Alphonse_Spamdog@mx.ci.juneau.ak.us delete I've also noticed that some, but not all, the notices to postmaster are being rerouted as spam too. I'm running Exchange on the inside. Anybody have any clues as to why/how a low scoring message would still be getting zapped? Here's the headers from one - as you can see, it scored a -19.9: Received: from mis-mxg-lnx.ci.juneau.ak.us (mail.ci.juneau.ak.us [199.58.55.24]) by city-exch-nts.ci.juneau.ak.us with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2653.13) id YBVH5H42; Tue, 2 Dec 2003 00:34:00 -0900 Received: from abv-sfo1-acmta3.cnet.com (abv-sfo1-acmta3.cnet.com [206.16.1.138]) by mis-mxg-lnx.ci.juneau.ak.us (8.12.3/8.12.3/SuSE Linux 0.6) with SMTP id hB29Xtch004167 for ; Tue, 2 Dec 2003 00:33:56 -0900 Received: by abv-sfo1-acmta3.cnet.com (PowerMTA(TM) v2.0r1) id hphe88042i03; Tue, 2 Dec 2003 04:33:55 -0500 (envelope-from ) Message-ID: <2723353.1070357635567.JavaMail.accucast@206.16.1.138> Date: Tue, 2 Dec 2003 01:33:55 -0800 (PST) 
From: "Linux Tips at TechRepublic.com" Reply-To: CNET_Networks_#3.110928.3330383834353230@newsletters.online.com To: kevin_miller@ci.juneau.ak.us Subject: {Spam?} [TechRepublic] Find system holes with chkrootkit Mime-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit X-Mailer-Version: 3.5.3 build 710 X-Mailer: Accucast X-Accutrak: CNET_Networks_#3.110928.3330383834353230@newsletters.online.com X-MailScanner-Information: For more information see www . mailscanner . info X-CBJ-MailScanner: Found to be clean X-CBJ-MailScanner-SpamCheck: spam, spamcop.net, SpamAssassin (score=-19.9, required 5, BAYES_00, USER_IN_DEF_WHITELIST) Thanks... ...Kevin ------------------- Kevin Miller Registered Linux User No: 307357 CBJ MIS Dept. Network Systems Administrator, Mail Administrator 155 South Seward Street ph: (907) 586-0242 Juneau, Alaska 99801 fax: (907 586-4500 From mikea at MIKEA.ATH.CX Tue Dec 2 22:14:03 2003 
From: mikea at MIKEA.ATH.CX (mikea)
Date: Thu Jan 12 21:21:24 2006
Subject: (change request) Infected message came from
Message-ID: <20031202161403.A22204@mikea.ath.cx>

ClamAV gives me the following for each hit:

(stuff deleted) Virus Scanning: ClamAV found 1 infections
(stuff deleted) Infected message hB2LXjks045635 came from 192.149.244.18

which is well and good, as far as that goes: I got an infected message
in the inbound mail, and ClamAV told MailScanner to quarantine it. I
_love_ that.

But my MailScanner box is fed by our firewall's SMTP proxy, rather
than seeing the other end of the SMTP conversation directly, and so
the offending IP number always is the same, and I don't get to see
who the real offender is.

Is there a handle that can be tweaked to run backwards down the chain
of "Received:" headers, or the IP addresses in them, at this point? I
see that the message is generated in MergeReports, which is called by
ScanBatch after all the AV scanners have run, but I haven't dug deep
enough into the code to see what handles are available at this time.
I really need to go one "Received:" header back in the chain, to the
one that set up the SMTP session with our SMTP proxy.

If possible, I'd _love_ to see something like

: Infected message hB2LXjks045635 came from 192.149.244.18
: which got it from 12.24.199.207
: which got it from 42.140.77.222
: which got it from 24.12.44.139

all the way back through all the "Received:" headers, but I can see
how that might be _very_ difficult.

Oh, and I updated to MailScanner-4.25-13 today. It Just Works. But
I've been saying that about MailScanner all along. Thanks for a great
product, Julian!

--
Mike Andrews
mikea@mikea.ath.cx
Tired old sysadmin

From Kevin at MICA.NET Tue Dec 2 22:16:48 2003
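Editorial example, not part of any message in this archive and not MailScanner code: one way to produce the "which got it from" report Mike Andrews asks for above, by walking the "Received:" chain and stopping at the first peer outside your own relays. The message is constructed around the four addresses in his post; the host names, timestamps and the trusted-network list are assumptions.

```python
import email
import ipaddress
import re

# Constructed message: the four addresses are the ones in the post above;
# host names and timestamps are invented for the example.
SAMPLE = """\
Received: from fwproxy.example.org (fwproxy.example.org [192.149.244.18])
\tby scanner.example.org with ESMTP id hB2LXjks045635;
\tTue, 2 Dec 2003 15:33:45 -0600
Received: from relay.example.net (relay.example.net [12.24.199.207])
\tby fwproxy.example.org with SMTP; Tue, 2 Dec 2003 15:33:44 -0600
Received: from mail.example.com ([42.140.77.222])
\tby relay.example.net with ESMTP; Tue, 2 Dec 2003 15:33:40 -0600
Received: from [24.12.44.139] by mail.example.com;
\tTue, 2 Dec 2003 15:33:30 -0600
From: sender@example.com
Subject: constructed test message

body
"""

BRACKETED = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")


def peer_ip(received_value):
    """Return the bracketed peer address in the 'from' clause, or None."""
    value = " ".join(received_value.split())      # undo header folding
    if not value.lower().startswith("from "):
        return None                               # e.g. "Received: by host ..."
    from_clause = re.split(r"\sby\s", value, maxsplit=1)[0]
    for candidate in BRACKETED.findall(from_clause):
        try:
            return str(ipaddress.ip_address(candidate))
        except ValueError:
            continue                              # bracketed text that is no address
    return None


def received_chain(raw_message):
    """Peer address recorded by every Received: header, newest hop first."""
    msg = email.message_from_string(raw_message)
    return [peer_ip(v) for v in msg.get_all("Received", [])]


def first_untrusted(chain, trusted_networks):
    """First peer, walking down from the newest hop, outside our own relays.

    Only headers written by machines we run are reliable, so the walk stops
    at the first outside address: every header below it was supplied by the
    sending side and can be forged.
    """
    nets = [ipaddress.ip_network(n) for n in trusted_networks]
    for ip in chain:
        if ip is None:
            return None        # a trusted hop recorded no address: do not guess
        addr = ipaddress.ip_address(ip)
        if not any(addr in net for net in nets):
            return ip
    return None


def report(msg_id, chain):
    """Log text in the shape requested in the post."""
    if not chain:
        return "Infected message %s has no Received: headers" % msg_id
    lines = ["Infected message %s came from %s" % (msg_id, chain[0] or "unknown")]
    lines += ["  which got it from %s" % (ip or "unknown") for ip in chain[1:]]
    return "\n".join(lines)


if __name__ == "__main__":
    chain = received_chain(SAMPLE)
    print(report("hB2LXjks045635", chain))
    print("first hop outside our relays:",
          first_untrusted(chain, ["192.149.244.18/32"]))
```

For blocking or abuse reports, use the value from `first_untrusted`; the deeper hops are worth logging but not worth acting on by themselves.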
From: Kevin at MICA.NET (Kevin Hanser) Date: Thu Jan 12 21:21:24 2006 Subject: False positives Message-ID: <8B699873CEBA3543926B467E768082321A679A@sol.hq.mica.net> Look like spamcop.net is saying it's spam: X-CBJ-MailScanner-SpamCheck: spam, spamcop.net, SpamAssassin (score=-19.9, required 5, BAYES_00, USER_IN_DEF_WHITELIST) That first part that says "spam, spamcop.net" means that spamcop thinks it's spam. I don't really know how spamcop decides something is spam, however... k -----Original Message----- 
From: Kevin Miller [mailto:Kevin_Miller@CI.JUNEAU.AK.US] Sent: Tuesday, December 02, 2003 17:13 To: MAILSCANNER@JISCMAIL.AC.UK Subject: False positives Last week I upgraded SA to 2.6, and am catching a lot more spam, but I'm also getting a number of false positives, and what's just as weird, spam is being caught that doesn't add up to 5. The false positives are often negative numbers, the low scoring (but still caught) true positives are usually in the 3 - 4.99 range. At least the one's I've looked at. Spam Actions are: Spam Actions = forward Alphonse_Spamdog@mx.ci.juneau.ak.us delete High Scoring Spam Actions = forward Alphonse_Spamdog@mx.ci.juneau.ak.us delete I've also noticed that some, but not all, the notices to postmaster are being rerouted as spam too. I'm running Exchange on the inside. Anybody have any clues as to why/how a low scoring message would still be getting zapped? Here's the headers from one - as you can see, it scored a -19.9: Received: from mis-mxg-lnx.ci.juneau.ak.us (mail.ci.juneau.ak.us [199.58.55.24]) by city-exch-nts.ci.juneau.ak.us with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2653.13) id YBVH5H42; Tue, 2 Dec 2003 00:34:00 -0900 Received: from abv-sfo1-acmta3.cnet.com (abv-sfo1-acmta3.cnet.com [206.16.1.138]) by mis-mxg-lnx.ci.juneau.ak.us (8.12.3/8.12.3/SuSE Linux 0.6) with SMTP id hB29Xtch004167 for ; Tue, 2 Dec 2003 00:33:56 -0900 Received: by abv-sfo1-acmta3.cnet.com (PowerMTA(TM) v2.0r1) id hphe88042i03; Tue, 2 Dec 2003 04:33:55 -0500 (envelope-from ) Message-ID: <2723353.1070357635567.JavaMail.accucast@206.16.1.138> Date: Tue, 2 Dec 2003 01:33:55 -0800 (PST) 
From: "Linux Tips at TechRepublic.com" Reply-To: CNET_Networks_#3.110928.3330383834353230@newsletters.online.com To: kevin_miller@ci.juneau.ak.us Subject: {Spam?} [TechRepublic] Find system holes with chkrootkit Mime-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit X-Mailer-Version: 3.5.3 build 710 X-Mailer: Accucast X-Accutrak: CNET_Networks_#3.110928.3330383834353230@newsletters.online.com X-MailScanner-Information: For more information see www . mailscanner . info X-CBJ-MailScanner: Found to be clean X-CBJ-MailScanner-SpamCheck: spam, spamcop.net, SpamAssassin (score=-19.9, required 5, BAYES_00, USER_IN_DEF_WHITELIST) Thanks... ...Kevin ------------------- Kevin Miller Registered Linux User No: 307357 CBJ MIS Dept. Network Systems Administrator, Mail Administrator 155 South Seward Street ph: (907) 586-0242 Juneau, Alaska 99801 fax: (907 586-4500 From Kevin_Miller at CI.JUNEAU.AK.US Tue Dec 2 23:08:10 2003 From: Kevin_Miller at CI.JUNEAU.AK.US (Kevin Miller) Date: Thu Jan 12 21:21:24 2006 Subject: False positives Message-ID: <08146035CA49D6119A36009027AC822A0264EAD1@CITY-EXCH-NTS> >-----Original Message----- 
>From: Kevin Hanser [mailto:Kevin@MICA.NET] >Sent: Tuesday, December 02, 2003 1:17 PM >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Re: False positives > > >Look like spamcop.net is saying it's spam: > >X-CBJ-MailScanner-SpamCheck: spam, spamcop.net, SpamAssassin >(score=-19.9, > required 5, BAYES_00, USER_IN_DEF_WHITELIST) > >That first part that says "spam, spamcop.net" means that spamcop thinks >it's spam. I don't really know how spamcop decides something is spam, >however... I was wondering about that, but I would expect that MS would just take that under advisement but depend on the total score but I'd never given it too much thought. I just took spamcop out of the mix, so we'll see how much difference it makes. I have a .forward file in roots home dir, so any messages get routed to our main mail server. I guess all those virus and dangerous content messages must have gotten routed to spamcop.net before being delivered. Kinda funny, blacklisting myself. Go figure. Thanks... ...Kevin ------------------- Kevin Miller Registered Linux User No: 307357 CBJ MIS Dept. Network Systems Administrator, Mail Administrator 155 South Seward Street ph: (907) 586-0242 Juneau, Alaska 99801 fax: (907 586-4500 From michel at SENTINIX.ORG Tue Dec 2 23:08:47 2003 
From: michel at SENTINIX.ORG (Michel) Date: Thu Jan 12 21:21:24 2006 Subject: Arguments for Amavisd-new or MailScanner? Message-ID: <200312030008.47682.michel@sentinix.org> Hi! As a long time MailScanner user and without any experience of AMAVISD-new, what are the arguments against using amavisd-new for, e.g. this config: Sendmail + {AMAVISD-new,MailScanner} + SpamAssassin (+ ClamAV) Postfix + Amavisd-new is, I know, without doubt the best combo, since it's using the Postfix content filter... but what about Sendmail and/or other MTAs? (just trying to pick up some good arguments to say whenever I need to explain why I'm choosing MailScanner and not amavisd-new) Thanks! /Michel From mkettler at EVI-INC.COM Tue Dec 2 23:21:43 2003 
From: mkettler at EVI-INC.COM (Matt Kettler)
Date: Thu Jan 12 21:21:24 2006
Subject: False positives
In-Reply-To: <8B699873CEBA3543926B467E768082321A679A@sol.hq.mica.net>
References: <8B699873CEBA3543926B467E768082321A679A@sol.hq.mica.net>
Message-ID: <6.0.0.22.0.20031202181222.0201de50@xanadu.evi-inc.com>

At 05:16 PM 12/2/2003, Kevin Hanser wrote:
>Look like spamcop.net is saying it's spam:
>
>X-CBJ-MailScanner-SpamCheck: spam, spamcop.net, SpamAssassin
>(score=-19.9,
> required 5, BAYES_00, USER_IN_DEF_WHITELIST)
>
>That first part that says "spam, spamcop.net" means that spamcop thinks
>it's spam. I don't really know how spamcop decides something is spam,
>however...

Spamcop is a straight "IP address block list" system. It's a
semi-automated system based on spamtraps, and a few other things.

206.16.1.138 listed in bl.spamcop.net (127.0.0.2)
http://www.spamcop.net/w3m?action=checkblock&ip=206.16.1.138

From the looks of it, one of the spamcop spamtraps is subscribed to the CNN
mailing lists. Due to the way modern virii work, it's common for such
accidental subscribes to occur if a mailing list simply subscribes *anyone*
who sends *any* email to a given address. Of course, any smart system should
require at _least_ something like "subscribe" in the subject, and really
should do confirmed opt-in.

From mkettler at EVI-INC.COM Tue Dec 2 23:25:45 2003
From: mkettler at EVI-INC.COM (Matt Kettler)
Date: Thu Jan 12 21:21:24 2006
Subject: False positives
In-Reply-To: <08146035CA49D6119A36009027AC822A0264EAD1@CITY-EXCH-NTS>
References: <08146035CA49D6119A36009027AC822A0264EAD1@CITY-EXCH-NTS>
Message-ID: <6.0.0.22.0.20031202182327.0201d508@xanadu.evi-inc.com>

At 06:08 PM 12/2/2003, Kevin Miller wrote:
>I was wondering about that, but I would expect that MS would just take that
>under advisement but depend on the total score but I'd never given it too
>much thought. I just took spamcop out of the mix, so we'll see how much
>difference it makes.

If you configure MailScanner to use "spam lists" it WILL consider any
message in them to be spam.

Basically at the MailScanner level, any of the spam detectors will flag a
message as spam, just as any virus scanner firing off will flag a message as
containing a virus.

If you want to use score-totaling type behaviors, disable all the spam lists
in mailscanner, and enable DNSBLs in spamassassin (be sure to install
Net::DNS). Spamassassin scores things, MailScanner does not.

From hermit921 at YAHOO.COM Tue Dec 2 23:33:51 2003
From: hermit921 at YAHOO.COM (hermit921)
Date: Thu Jan 12 21:21:24 2006
Subject: silent virus
In-Reply-To: <6.0.0.22.0.20031202182327.0201d508@xanadu.evi-inc.com>
References: <08146035CA49D6119A36009027AC822A0264EAD1@CITY-EXCH-NTS> <08146035CA49D6119A36009027AC822A0264EAD1@CITY-EXCH-NTS>
Message-ID: <5.1.0.14.2.20031202153109.01cc8eb0@pop.mail.yahoo.com>

I am testing the dropping of silent viruses. MailScanner 4.23 with
postfix. The logs show the message arriving and being scanned (virus
found), but nothing telling me the message was dropped. That is an
important piece of information to me. Is there some way to add this to the
maillog? Or is it already there and I just don't recognize it?

hermit921

From james at PCXPERIENCE.COM Wed Dec 3 00:23:19 2003
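Editorial example, not part of any message in this archive and not MailScanner code: a triage script for the "False positives" thread above, which reads MailScanner-SpamCheck headers and reports which verdicts came from a spam list alone while SpamAssassin scored the message below the threshold. The first sample header is the one quoted in the thread; the other two are constructed and assume the same layout, as does the header-name pattern.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# First header is the one quoted in the thread (folded as mail headers are);
# the other two are constructed and assume the same layout.
SAMPLE_HEADERS = """\
X-CBJ-MailScanner-SpamCheck: spam, spamcop.net, SpamAssassin (score=-19.9,
\trequired 5, BAYES_00, USER_IN_DEF_WHITELIST)
X-CBJ-MailScanner-SpamCheck: spam, SpamAssassin (score=7.3, required 5,
\tBAYES_99, HTML_MESSAGE)
X-CBJ-MailScanner-SpamCheck: not spam, SpamAssassin (score=1.2, required 5,
\tHTML_MESSAGE)
"""

# The site tag between "X-" and "MailScanner" varies per installation.
HEADER = re.compile(
    r"^X-[\w-]*MailScanner-SpamCheck:[ \t]*(.*(?:\n[ \t].*)*)", re.M)
SA_PART = re.compile(r"SpamAssassin\s*\(([^)]*)\)")
NUMBER = r"(-?\d+(?:\.\d+)?)"


@dataclass
class SpamCheck:
    flagged: bool              # MailScanner's final verdict
    lists: List[str]           # spam lists named before the SpamAssassin part
    score: Optional[float]
    required: Optional[float]
    rules: List[str]

    def verdict_source(self):
        by_score = (self.score is not None and self.required is not None
                    and self.score >= self.required)
        if not self.flagged:
            return "clean"
        if self.lists:
            return "list+score" if by_score else "list-only"
        return "score-only" if by_score else "other"


def parse_spamcheck(value):
    """Parse one SpamCheck header value (folded or not)."""
    value = " ".join(value.split())
    sa = SA_PART.search(value)
    score = required = None
    rules = []
    if sa:
        for item in (p.strip() for p in sa.group(1).split(",")):
            m_score = re.fullmatch(r"score=" + NUMBER, item)
            m_req = re.fullmatch(r"required\s+" + NUMBER, item)
            if m_score:
                score = float(m_score.group(1))
            elif m_req:
                required = float(m_req.group(1))
            elif item:
                rules.append(item)
    head = value[:sa.start()] if sa else value
    tokens = [t.strip() for t in head.split(",") if t.strip()]
    flagged = bool(tokens) and tokens[0].lower() == "spam"
    return SpamCheck(flagged, tokens[1:], score, required, rules)


def parse_all(raw_headers):
    """Every SpamCheck header found in a block of raw header text."""
    return [parse_spamcheck(m.group(1)) for m in HEADER.finditer(raw_headers)]


def list_only_hits(raw_headers):
    """Per spam list: messages it flagged that SpamAssassin scored below threshold."""
    counts = Counter()
    for check in parse_all(raw_headers):
        if check.verdict_source() == "list-only":
            counts.update(check.lists)
    return counts


if __name__ == "__main__":
    for check in parse_all(SAMPLE_HEADERS):
        print(check.verdict_source(), check.lists, check.score, check.required)
    print(dict(list_only_hits(SAMPLE_HEADERS)))
```

A list with a high "list-only" count is a candidate for moving out of MailScanner's spam lists and into SpamAssassin's scored DNSBL checks, as suggested in the thread.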
From: james at PCXPERIENCE.COM (James Pattie) Date: Thu Jan 12 21:21:24 2006 Subject: Mailscanner with Debian 3 testing In-Reply-To: <030101c3b8bf$607db020$a500010a@martinsss> References: <052b01c3b803$01c0c890$a500010a@martinsss> <6.0.0.22.0.20031201093927.0251e1f0@mail.enhtech.com> <030101c3b8bf$607db020$a500010a@martinsss> Message-ID: <3FCD2CF7.1030707@pcxperience.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Martins Smilga wrote: | I installed mailscanner through aptitude and started reading | /usr/share/doc/mailscanner but didn`t found anything usefull. | | I started reading in internet | |>(http://www.sng.ecs.soton.ac.uk/mailscanner/install/sendmail.shtml) | | I made directory and stop at script, I can find where to change it. | | May be there is other way how to start working mailscanner with sendmail in | Debian. | have you searched the FAQ for Debian? There is a section that details the changes that need to be made to /etc/mail/sendmail.conf to get sendmail properly configured under Debian for MailScanner. Then you just have to modify the MailScanner.conf file using the sendmail options. - -- James A. Pattie james@pcxperience.com Linux -- SysAdmin / Programmer Xperience, Inc. http://www.pcxperience.com/ http://www.xperienceinc.com/ GPG Key Available at http://www.pcxperience.com/gpgkeys/james.html -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.7 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQE/zSz1tUXjwPIRLVERAjtpAKCnk1zxNt+H6jxmy9UXYz7NcTeK5wCgsJkV p5QC6HlEWWBC15nZubiiRuQ= =qXxo -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. MailScanner thanks transtec Computers for their support. From nathan at TCPNETWORKS.NET Wed Dec 3 03:49:18 2003 
From: nathan at TCPNETWORKS.NET (Nathan Johanson) Date: Thu Jan 12 21:21:24 2006 Subject: Virus scanners and universities Message-ID: CA (etrust) is actually ~$129.00 for five node licenses. You could install it on five "servers" for that price. --Nathan -----Original Message----- From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] Sent: Tuesday, December 02, 2003 12:20 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Virus scanners and universities At 20:12 02/12/2003, you wrote: >Hi all, > I'm looking for some info on what other universities and colleges are >doing in the MS/virus scanning area. > > We (Brown University, USA) are using MS and hacked in support for >Symantec Scan Engine. Cost issues are starting to creep in again and we >want to know what some other options are. We love MS and just wanna >know what the virus scanners cost you (total or per >address/user/FTE/whatever) ClamAV is free and open source, and is remarkably good. eTrust from Computer Associates (www.ca.com) is only $129 per server. Norman (www.norman.de) is free for non-commercial use. Sophos have extremely good educational discounts. Start with those... -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Wed Dec 3 08:57:13 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:24 2006 Subject: clamavmodule and 4.25-14 In-Reply-To: References: Message-ID: <6.0.1.1.2.20031203085649.03b12a80@imap.ecs.soton.ac.uk> At 21:23 02/12/2003, you wrote: >Setup: Solaris 9, perl 5.8.2, MS 4.25-14, ClamAV 0.65 installed >in /opt/clamav-0.65, with a symlink clamav->clamav-0.65. The >"clamav" module in "Virus scanners" works just fine, with the >directory "/opt/clamav" specified for clamav in virus.scanners.conf. >No problems. > >So I want to use clamavmodule instead. I couldn't get >Mail-ClamAV-0.04 to build properly until the author clued me >into how to specify non-standard clam locations. See FAQ > >http://www.sng.ecs.soton.ac.uk/mailscanner/serve/cache/242.html > >So, with Mail-ClamAV-0.04 installed, I try clamavmodule. I get >the syslog complaint: > >None of the files matched by the "Monitors For ClamAV Updates" >patterns exist! > >from lib/MailScanner/SweepViruses.pm. What's wrong?? Have you looked in MailScanner.conf for the setting "Monitors for clamav updates"? -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Wed Dec 3 08:56:20 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:24 2006 Subject: Sophos updates In-Reply-To: <5.1.0.14.2.20031202135416.01d4b130@pop.mail.yahoo.com> References: <5.1.0.14.2.20031202131729.01cd84e8@pop.mail.yahoo.com> <5.1.0.14.2.20031202135416.01d4b130@pop.mail.yahoo.com> Message-ID: <6.0.1.1.2.20031203085430.03ae3a30@imap.ecs.soton.ac.uk> At 21:56 02/12/2003, you wrote: >At 01:27 PM 12/2/2003, Jason Balicki wrote: >> >Does the automatic Sophos updating process installed with MailScanner >> >include engine updates or just new virus signatures? >> >>MailScanner only updates the ide files. You can use a script >>called MajorSophos to download the engine, then run the >>Sophos.install script included with MS. I run it all from >>cron on a monthly basis. >> >> >The mail logs show new Sophos ide files every hour on most >> >days. Are virus >> >signatures updated that often or is this an artifact of the >> >update script? >> >>In my experience, Sophos updates frequently, but to answer the >>question I think you're asking: no, it's probably not Sophos >>updating every hour. The autoupdate script does check every >>hour, and AFAIK, it reports a sucessful update wether you needed >>the update or not -- that's what you're seeing in your logs. >> >>You can find MajorSophos here: >>http://www.tippingmar.com/majorsophos/ >> >>--J(K) > > >I see a new file (373_ides.zip) in /usr/local/Sophos/ide each time I check, >not just the log entry. If the updates are really new files, that implies >MailScanner is downloading new files every hour whether virus data is new >or not. It downloads the 373_ides.zip file every hour. It's a very small file. It doesn't necessarily contain any new files it hasn't seen before. But unless you remember the size of the file from a previous run of the script, there's no way to tell whether it actually contains any new files or not. So it always gets unpacked and installed, regardless. 
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Wed Dec 3 08:58:58 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:21:24 2006
Subject: .hoststat
In-Reply-To:
References:
Message-ID: <6.0.1.1.2.20031203085759.03b086c0@imap.ecs.soton.ac.uk>

At 21:27 02/12/2003, you wrote:
>Hi,
>I'm running mailscanner with postfix on suse linux and whenever I start
>Mailscanner up it starts as a defunct process and the maillog keeps
>printing this and I can't find any info in the net.
>
>MailScanner[5588]: Cannot open dir .hoststat when finding depth

Your Postfix queues are set out strangely. It's not expecting to see a .hoststat file/dir when scanning for the directory hashing depth. If you delete .hoststat does it re-appear?
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Wed Dec 3 09:06:50 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:21:24 2006
Subject: (change request) Infected message came from
In-Reply-To: <20031202161403.A22204@mikea.ath.cx>
References: <20031202161403.A22204@mikea.ath.cx>
Message-ID: <6.0.1.1.2.20031203090532.03af95f8@imap.ecs.soton.ac.uk>

SpamAssassin will check all the Received: headers, MailScanner doesn't. So just use the RBL rules within SpamAssassin, rather than the "Spam List" setting in MailScanner.conf. You might want to increase the scores on SA rules that are RBL checks, to make it behave more like using the "Spam List" setting.

At 22:14 02/12/2003, you wrote:
>ClamAV gives me the following for each hit:
>
>(stuff deleted) Virus Scanning: ClamAV found 1 infections
>(stuff deleted) Infected message hB2LXjks045635 came from 192.149.244.18
>
>which is well and good, as far as that goes: I got an infected message
>in the inbound mail, and ClamAV told MailScanner to quarantine it. I
>_love_ that.
>
>But my MailScanner box is fed by our firewall's SMTP proxy, rather
>than seeing the other end of the SMTP conversation directly, and so
>the offending IP number always is the same, and I don't get to see
>who the real offender is.
>
>Is there a handle that can be tweaked to run backwards down the chain
>of "Received:" headers, or the IP addresses in them, at this point? I
>see that the message is generated in MergeReports, which is called by
>ScanBatch after all the AV scanners have run, but I haven't dug deep
>enough into the code to see what handles are available at this time.
>I really need to go one "Received:" header back in the chain, to the
>one that set up the SMTP session with our SMTP proxy.
>
>If possible, I'd _love_ to see something like
>: Infected message hB2LXjks045635 came from 192.149.244.18
>: which got it from 12.24.199.207
>: which got it from 42.140.77.222
>: which got it from 24.12.44.139
>all the way back through all the "Received:" headers, but I can see
>how that might be _very_ difficult.
>
>
>
>Oh, and I updated to MailScanner-4.25-13 today. It Just Works. But
>I've been saying that about MailScanner all along.
>
>Thanks for a great product, Julian!
>
>--
>Mike Andrews
>mikea@mikea.ath.cx
>Tired old sysadmin

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From sb-list at CRI01.ORG Wed Dec 3 09:09:49 2003
From: sb-list at CRI01.ORG (Sylvain Blanc - CRI du Pays De Gex et du Bassin Bellegardien)
Date: Thu Jan 12 21:21:24 2006
Subject: Mailscanner with Debian 3 testing
References: <052b01c3b803$01c0c890$a500010a@martinsss>
Message-ID: <06e501c3b97d$34b91060$6c01cac3@ccpaysdegex.fr>

I use debian woody + sendmail + mailscanner 4.24 + f-prot + spamassassin

In sendmail.conf change DAEMON_PARMS to
DAEMON_PARMS="-ODeliveryMode=queueonly -OQueueDirectory=/var/spool/mqueue.in ";

That's all for sendmail

Configure your mailscanner.conf
and uncomment the line run_mailscanner=1 in /etc/default/mailscanner
restart sendmail
restart mailscanner

----- Original Message -----
From: "Martins Smilga"
To:
Sent: Monday, December 01, 2003 1:02 PM
Subject: Mailscanner with Debian 3 testing

> Hello,
>
> May be someone have experience with mailscanner how to install on Debian
> testing version.
>
> I have SpamAssassin + Sendmail.
>
> I installed mailscanner from aptitude,
> I can not find any detailed documentation how to install mailscanner on
> Debian with sendmail.
> (http://www.sng.ecs.soton.ac.uk/mailscanner/install/sendmail.shtml)
> I can find where I can change these settings (script).
>
> May be there is other way how to put mailscanner + Debian+ sendmail
>
>
> Martins
>

From pete at eatathome.com.au Wed Dec 3 12:51:14 2003
From: pete at eatathome.com.au (Pete)
Date: Thu Jan 12 21:21:24 2006
Subject: postfix comments ... was: Re: receiving mails with executable.
In-Reply-To:
References:
Message-ID: <3FCDDC42.5010407@eatathome.com.au>

C. Jon Larsen wrote:

>On Tue, 2 Dec 2003, Julian Field wrote:
>
>
>
>>To give you the brief answer to this question....
>>
>>The Postfix guys don't like me as I dared to use their software in a way
>>they hadn't intended. Rather than publish the file format (which sendmail
>>does) or happily let me use it (the Exim authors use MailScanner
>>themselves), the Postfix guys throw their toys out of the pram and whinge a
>>lot.
>>
>>
>
>I see your point :=) I think postfix is supposed to be formalizing their
>APIs for dealing with queues, etc. Thanks for the background info.
>
>
>
>>I'm not going to apologise for daring to "think outside the box".
>>
>>
>
>MailScanner is *great* software. You have a lot to be proud of. Postfix
>guys seem to suggest using Amavis-new instead of MS. But to me that's a
>step backwards and away from the best software to scan and protect emails
>(MailScanner).
>
>I wanted postfix and I wanted MailScanner :=) Here's what I did to make
>them work together - see below ...
>
>
>
>>Many people run MailScanner on Postfix without any problems. A few sites
>>see a fault where very occasionally a message with no body is delivered.
>>The correct version of the same message with its body is later delivered
>>correctly, in addition to the version with the body missing. No mail is lost.
>>
>>
>
>I did not want to take that chance, so I setup 1 postfix instance as an
>external smtp router and proxy that looks up incoming domains in an SQL
>database and makes routing decisions based on a content_scan column. It
>can route the mail directly to the destination, drop the mail if it's for an
>invalid domain, or route it to the dedicated MailScanner box, which uses
>sendmail. The MailScanner box does its job, and then sends the mail to a
>third postfix box which does message delivery to mailboxes, and handles
>SMTP AUTH for customers that send email from mail clients.
>
>Exim was not my cup of tea for a secure internet facing MTA :=) I'm not
>saying it's not secure, it's just not what I wanted. I did not see Exim as
>being more secure than sendmail due to its design (my opinion only, send
>flames to /dev/null).
>
>I was looking for something that had privilege separation like qmail or
>postfix for an internet facing MTA. Since my internal mailscanner box is
>locked down from an SMTP listener perspective, I am o.k. running sendmail
>on that, though exim would probably make a better host than sendmail for
>the MS - thanks for the tips though.
>
>I looked at smtp.proxy, Obtuse/juniper smtp proxy, qpsmtpd, and mailfront
>as ways to improve the security of the internet facing MTA. qpsmtpd and
>mailfront were too qmailish (also not my preference) and none of the smtp
>proxies gave me a warm and fuzzy regarding protocol support/workaround
>(ESMTP, cisco pix workarounds like postfix has). They seemed o.k. for
>hobbyists but not for production networks that get a lot of mail from a
>lot of different networks with different (often partially broken MTAs).
>
>I kept coming back to postfix as the best combination of security,
>protocol support, and usability for my external MTA.
>
>I had already picked postfix as my MTA for my mailboxes. So I
>went from 2 boxes (mailscanner + postfix) to 3 boxes (inbound postfix
>message router, mailscanner/sendmail, mailbox, smtp auth postfix).
>
>Hopefully this will help someone else. If not, that's fine too. Just
>relaying my experiences and research.
>
>-jon
>
>
>
>
>>As many MailScanner sites now run it on a dedicated server, it makes very
>>little difference what MTA is chosen, as all the MTA's can take mail in and
>>just punt it onto another server.
>>
>>My personal recommendation is probably Exim, especially if you don't like
>>sendmail. Exim is very easy to configure and is very fast. When used with
>>MailScanner it is considerably faster than Postfix as Postfix copies all
>>the data around more often than it needs to, resulting in inefficient
>>handling, particularly of large messages.
>>
>>At 13:46 02/12/2003, you wrote:
>>
>>
>>>On Tue, 2 Dec 2003, Mark Hernandez wrote:
>>>
>>>
>>>
>>>>hi all,
>>>>
>>>>I'm using Postfix on a Freebsd 4.8 O.S. and choose mailscanner to add
>>>>features
>>>>
>>>>
>>>Is MailScanner safe to use with postfix ? The postfix site and several
>>>messages in the archives advise strongly not to use postfix with MS
>>>because postfix does not like to have its queues manipulated by an
>>>external program.
>>>
>>>Postfix has a content filter interface they suggest using and the
>>>current postfix snapshot has a new smtp content filter proxy interface
>>>that looks interesting.
>>>
>>>I don't like sendmail anymore (security issues seem to never stop), so I
>>>have switched to postfix for all mail relay and mailbox destinations -
>>>with a MailScanner + sendmail box that sits in the middle.
>>>
>>>
>>--
>>Julian Field
>>www.MailScanner.info
>>MailScanner thanks transtec Computers for their support
>>
>>PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>>
>>
>>
>>
>
>--
>+ Jon Larsen: Chief Technology Officer, Richweb, Inc.
>+ Richweb.com: Providing Internet-Based Business Solutions since 1995
>+ GnuPG Public Key: http://richweb.com/jlarsen.gpg
>+ Business: (804) 359.2220 x 101; Mobile: (804) 307.6939
>
>
>
>
>

There is already heaps of info in the list - but i am still pretty new with MailScanner, and mine works flawlessly with postfix 2.016 on RH9. These 2 boxes sit in the DMZ and handle all our inbound mail - it's fast enough (how fast does smtp mail need to be?) very reliable and stops almost all of our spam - perfect!
I personally tried for so long to get amavis, sa and postfix working nicely together i gave up entirely until i stumbled across a post about mailscanner elsewhere - gave it a try and was hooked, inside of 3 weeks we had conducted testing, planned and executed a rollout - a rollout that has not required the restart of the MS service or box once, not even once since going live with 2 machines in a multi domain environment - not bad for a linux newbie :)

My point is, it works SO well, and is very easy to get going, i can't understand why anyone wouldn't use it...

From pete at eatathome.com.au Wed Dec 3 13:11:57 2003
From: pete at eatathome.com.au (Pete)
Date: Thu Jan 12 21:21:24 2006
Subject: Arguments for Amavisd-new or MailScanner?
In-Reply-To: <200312030008.47682.michel@sentinix.org>
References: <200312030008.47682.michel@sentinix.org>
Message-ID: <3FCDE11D.9040908@eatathome.com.au>

Michel wrote:

>Hi!
>
>As a long time MailScanner user and without any experience of AMAVISD-new,
>what are the arguments against using amavisd-new for, e.g. this config:
>
>Sendmail + {AMAVISD-new,MailScanner} + SpamAssassin (+ ClamAV)
>
>Postfix + Amavisd-new is, I know, without doubt the best combo, since it's
>using the Postfix content filter... but what about Sendmail and/or other
>MTAs?
>
>(just trying to pick up some good arguments to say whenever I need to explain
>why I'm choosing MailScanner and not amavisd-new)
>
>Thanks!
>/Michel
>
>
>
>
>

I am NOT a linux guru, and after trying really hard and following 3 or 4 different guides, i could never get it working - MailScanner on the other hand seems to be very simple to install and configure, and is written by Julian, who would have to be the most helpful software author going around - how many times do you see him write and post a patch to meet someone's specific needs, or if they suggest something that could be useful to everyone, it's in the next release, he is here responding to newbie and experienced people's questions 'every' day (seems like every day?). He doesn't give you shit and put you down when you ask for help or ask a question 50 other people have asked this month - i think this kinda of support, from an author, is about as good as software gets...hard to imagine what his paying customers get out of him? Feet rubs and massages while he maintains their email security?

From jaearick at COLBY.EDU Wed Dec 3 13:52:47 2003
From: jaearick at COLBY.EDU (Jeff A. Earickson)
Date: Thu Jan 12 21:21:24 2006
Subject: clamavmodule and 4.25-14
In-Reply-To: <6.0.1.1.2.20031203085649.03b12a80@imap.ecs.soton.ac.uk>
References: <6.0.1.1.2.20031203085649.03b12a80@imap.ecs.soton.ac.uk>
Message-ID:

Doh! I had my path wrong in "Monitors for ClamAV Updates". Thanks, working now.

On Wed, 3 Dec 2003, Julian Field wrote:

> Date: Wed, 3 Dec 2003 08:57:13 +0000
> From: Julian Field
> Reply-To: MailScanner mailing list
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: clamavmodule and 4.25-14
>
> At 21:23 02/12/2003, you wrote:
> >Setup: Solaris 9, perl 5.8.2, MS 4.25-14, ClamAV 0.65 installed
> >in /opt/clamav-0.65, with a symlink clamav->clamav-0.65. The
> >"clamav" module in "Virus scanners" works just fine, with the
> >directory "/opt/clamav" specified for clamav in virus.scanners.conf.
> >No problems.
> >
> >So I want to use clamavmodule instead. I couldn't get
> >Mail-ClamAV-0.04 to build properly until the author clued me
> >into how to specify non-standard clam locations. See FAQ
> >
> >http://www.sng.ecs.soton.ac.uk/mailscanner/serve/cache/242.html
> >
> >So, with Mail-ClamAV-0.04 installed, I try clamavmodule. I get
> >the syslog complaint:
> >
> >None of the files matched by the "Monitors For ClamAV Updates"
> >patterns exist!
> >
> >from lib/MailScanner/SweepViruses.pm. What's wrong??
>
> Have you looked in MailScanner.conf for the setting "Monitors for clamav
> updates"?
> --
> Julian Field
> www.MailScanner.info
> MailScanner thanks transtec Computers for their support
>
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>

From tduvally at BROWN.EDU Wed Dec 3 14:01:56 2003
From: tduvally at BROWN.EDU (Thomas DuVally)
Date: Thu Jan 12 21:21:24 2006
Subject: Virus scanners and universities
In-Reply-To:
References:
Message-ID: <1070460115.20543.0.camel@cis-staff-kntx90.cis.brown.edu>

On Tue, 2003-12-02 at 22:49, Nathan Johanson wrote:
> CA (etrust) is actually ~$129.00 for five node licenses. You could
> install it on five "servers" for that price.
> --Nathan
>

That sounds great, but is anyone using it and how is it?

>
> -----Original Message-----
> From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK]
> Sent: Tuesday, December 02, 2003 12:20 PM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: Virus scanners and universities
>
>
> At 20:12 02/12/2003, you wrote:
> >Hi all,
> > I'm looking for some info on what other universities and
> colleges are
> >doing in the MS/virus scanning area.
> >
> > We (Brown University, USA) are using MS and hacked in support
> for
> >Symantec Scan Engine. Cost issues are starting to creep in again and
> we
> >want to know what some other options are. We love MS and just wanna
> >know what the virus scanners cost you (total or per
> >address/user/FTE/whatever)
>
> ClamAV is free and open source, and is remarkably good.
> eTrust from Computer Associates (www.ca.com) is only $129 per server.
> Norman (www.norman.de) is free for non-commercial use.
> Sophos have extremely good educational discounts.
>
> Start with those...
> --
> Julian Field
> www.MailScanner.info
> Professional Support Services at www.MailScanner.biz
> MailScanner thanks transtec Computers for their support
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
--
Thomas J. DuVally
Lead Systems Prog.
CIS, Brown Univ.
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x15F233F6
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 197 bytes
Desc: This is a digitally signed message part
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20031203/f3cc079d/attachment.bin

From mike at TC3NET.COM Wed Dec 3 13:58:09 2003
From: mike at TC3NET.COM (Michael Baird)
Date: Thu Jan 12 21:21:24 2006
Subject: AOL blocking MailScanner messages!
In-Reply-To: <6.0.1.1.2.20031202193821.03de5fd0@imap.ecs.soton.ac.uk>
References: <3FCCE83F.7070500@sghms.ac.uk> <6.0.1.1.2.20031202193821.03de5fd0@imap.ecs.soton.ac.uk>
Message-ID: <1070459889.9562.0.camel@mike-new2.tc3net.com>

What would the ruleset look like?
To: *aol.com no
FromTo: default Found To Be Clean
?

Regards
MIKE

> At 19:30 02/12/2003, you wrote:
> >Additionally, if they are blocking on "X-MailScanner-: Found
> >to be clean" I am wondering if it would be possible to customize the
> >"found to be clean message" as this would be the value in the
> >MailScanner headers from my 4 mail hubs that would be consistent.
>
> This can already be done. Assign a ruleset to the
> Clean Header Value
> configuration option in MailScanner.conf.
>
> AOL move in mysterious ways :-(
> --
> Julian Field
> www.MailScanner.info
> Professional Support Services at www.MailScanner.biz
> MailScanner thanks transtec Computers for their support
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>

From sanjay.patel at REXWIRE.COM Wed Dec 3 14:16:44 2003
From: sanjay.patel at REXWIRE.COM (Sanjay K. Patel)
Date: Thu Jan 12 21:21:24 2006
Subject: Virus scanners and universities
In-Reply-To:
Message-ID: <200312031425.hB3EPLqj002848@mx.sargam.com>

CA -etrust is only $14 you can install this on any device server or workstation. Here is the part number I got from a CA rep ETRAVE7001CMPE2C. Give this to your reseller and they should be able to purchase it for you.

-SKP

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Nathan Johanson
Sent: Tuesday, December 02, 2003 10:49 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Virus scanners and universities

CA (etrust) is actually ~$129.00 for five node licenses. You could install it on five "servers" for that price.
--Nathan

-----Original Message-----
From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK]
Sent: Tuesday, December 02, 2003 12:20 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Virus scanners and universities

At 20:12 02/12/2003, you wrote:
>Hi all,
> I'm looking for some info on what other universities and colleges are
>doing in the MS/virus scanning area.
>
> We (Brown University, USA) are using MS and hacked in support for
>Symantec Scan Engine. Cost issues are starting to creep in again and we
>want to know what some other options are. We love MS and just wanna
>know what the virus scanners cost you (total or per
>address/user/FTE/whatever)

ClamAV is free and open source, and is remarkably good.
eTrust from Computer Associates (www.ca.com) is only $129 per server.
Norman (www.norman.de) is free for non-commercial use.
Sophos have extremely good educational discounts.

Start with those...
--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From jbuda at NOTICIASARGENTINAS.COM Wed Dec 3 14:19:58 2003
From: jbuda at NOTICIASARGENTINAS.COM (Jose Julian Buda)
Date: Thu Jan 12 21:21:24 2006
Subject: BadTNEF
References: <200312031425.hB3EPLqj002848@mx.sargam.com>
Message-ID: <003201c3b9a8$8c30ab70$6000a8c0@noticiasargentinas.com>

Why appear this reports?

"Could not parse Outlook Rich Text Atachment"

i saw this reports sometimes on some warnings.

what is it mean?

thank you

Jose Julian Buda

From mailscanner at ecs.soton.ac.uk Wed Dec 3 14:33:37 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:21:24 2006
Subject: BadTNEF
In-Reply-To: <003201c3b9a8$8c30ab70$6000a8c0@noticiasargentinas.com>
References: <200312031425.hB3EPLqj002848@mx.sargam.com> <003201c3b9a8$8c30ab70$6000a8c0@noticiasargentinas.com>
Message-ID: <6.0.1.1.2.20031203143131.09106a88@imap.ecs.soton.ac.uk>

At 14:19 03/12/2003, you wrote:
>Why appear this reports?
>
>"Could not parse Outlook Rich Text Atachment"
>
>i saw this reports sometimes on some warnings.
>
>what is it mean?

It means one of these:
1) You haven't built the "tnef" program in /opt/MailScanner/bin for your architecture.
2) For some reason MailScanner is failing to run the "tnef" program
3) The "tnef" program really couldn't decode the winmail.dat attachment in the message
4) You might be better off setting the location of the "tnef" program to "internal" so that MailScanner uses the internal Perl module which is slower but often better at decoding TNEF attachments (winmail.dat).

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Wed Dec 3 14:31:10 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:21:24 2006
Subject: AOL blocking MailScanner messages!
In-Reply-To: <1070459889.9562.0.camel@mike-new2.tc3net.com>
References: <3FCCE83F.7070500@sghms.ac.uk> <6.0.1.1.2.20031202193821.03de5fd0@imap.ecs.soton.ac.uk> <1070459889.9562.0.camel@mike-new2.tc3net.com>
Message-ID: <6.0.1.1.2.20031203143045.036a6de8@imap.ecs.soton.ac.uk>

To: aol.com Some other text saying it is clean
FromOrTo: default Found to be clean

At 13:58 03/12/2003, you wrote:
>What would the ruleset look like?
>To: *aol.com no
>FromTo: default Found To Be Clean
>?
>
>Regards
>MIKE
>
>
> > At 19:30 02/12/2003, you wrote:
> > >Additionally, if they are blocking on "X-MailScanner-: Found
> > >to be clean" I am wondering if it would be possible to customize the
> > >"found to be clean message" as this would be the value in the
> > >MailScanner headers from my 4 mail hubs that would be consistent.
> >
> > This can already be done. Assign a ruleset to the
> > Clean Header Value
> > configuration option in MailScanner.conf.
> >
> > AOL move in mysterious ways :-(
> > --
> > Julian Field
> > www.MailScanner.info
> > Professional Support Services at www.MailScanner.biz
> > MailScanner thanks transtec Computers for their support
> > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
> >

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From jah at CALEOTECH.COM Wed Dec 3 14:21:51 2003
From: jah at CALEOTECH.COM (Jens Ahlin)
Date: Thu Jan 12 21:21:24 2006
Subject: Virus scanners and universities
In-Reply-To: <1070460115.20543.0.camel@cis-staff-kntx90.cis.brown.edu>
Message-ID:

We have been using CA eTrust for a couple of months now. It works ok for us. I haven't seen any viruses that has escaped through yet... (KOW)

Jens

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Thomas DuVally
Sent: den 3 december 2003 15:02
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Virus scanners and universities

On Tue, 2003-12-02 at 22:49, Nathan Johanson wrote:
> CA (etrust) is actually ~$129.00 for five node licenses. You could
> install it on five "servers" for that price.
> --Nathan
>

That sounds great, but is anyone using it and how is it?

From Ulysees at ULYSEES.COM Wed Dec 3 14:57:56 2003
From: Ulysees at ULYSEES.COM (Ulysees)
Date: Thu Jan 12 21:21:24 2006
Subject: ClamAV module
References: <000501c3b8d0$4aee1090$3201010a@nimitz> <1070375839.2916.13.camel@mufasa.ds.co.ug>
Message-ID: <000801c3b9ad$d61e5a20$3201010a@nimitz>

> You need to install ClamAV first.
>
> On Tue, 2003-12-02 at 15:32, Ulysees wrote:
> > anybody else had trouble getting this working ?
> > when I grab the module from cpan it seems to grumble about not being able to
> > find clamav.h
> >
> > Should I be using a tarball of ClamAV instead of the RPM ?
> >
> > Uly
> >

Ok the clamav.h error was because I didn't have the clamav-devel rpm installed, I got that, and then the install went a bit further and stopped. I then just went and removed the rpms and used a tarball instead, worked first time.

Has anybody actually done it from rpms or is everybody using the tarball ?

Uly

From Denis.Beauchemin at USHERBROOKE.CA Wed Dec 3 14:54:33 2003
From: Denis.Beauchemin at USHERBROOKE.CA (Denis Beauchemin)
Date: Thu Jan 12 21:21:24 2006
Subject: BadTNEF
In-Reply-To: <6.0.1.1.2.20031203143131.09106a88@imap.ecs.soton.ac.uk>
References: <200312031425.hB3EPLqj002848@mx.sargam.com> <003201c3b9a8$8c30ab70$6000a8c0@noticiasargentinas.com> <6.0.1.1.2.20031203143131.09106a88@imap.ecs.soton.ac.uk>
Message-ID: <1070463273.4514.47.camel@dbeauchemin.sti.usherbrooke.ca>

On Wed 03/12/2003 at 09:33, Julian Field wrote:

> 3) The "tnef" program really couldn't decode the winmail.dat attachment in
> the message
> 4) You might be better off setting the location of the "tnef" program to
> "internal" so that MailScanner uses the internal Perl module which is
> slower but often better at decoding TNEF attachments (winmail.dat).

Julian,

Could MS be modified to use both tnef decoders if need be?

Let's say the first decoder cannot analyze the winmail.dat file, then MS fires off the second one to try to do better.

We could write something like:
External TNEF Expander = /usr/bin/tnef --maxsize=100000000
TNEF Expander = external internal

Denis
--
Denis Beauchemin, analyst
Université de Sherbrooke, S.T.I.
T: 819.821.8000x2252 F: 819.821.8045

From mikea at MIKEA.ATH.CX Wed Dec 3 15:02:33 2003
From: mikea at MIKEA.ATH.CX (mikea)
Date: Thu Jan 12 21:21:24 2006
Subject: ProcessClamAVOutput: Zip module failure.
Message-ID: <20031203090233.A26202@mikea.ath.cx>

Seen only once so far. The rest of the time, things seem to Just Work,

Ideas?

Dec 3 07:59:23 isdmon2 MailScanner[4416]: Virus and Content Scanning: Starting
Dec 3 07:59:27 isdmon2 MailScanner[4416]: ProcessClamAVOutput: Zip module failure.
Dec 3 07:59:28 isdmon2 MailScanner[4416]: ERROR: Can't run unzip
Dec 3 07:59:29 isdmon2 MailScanner[4416]: ERROR: Can't execute some unpacker. Check paths and permissions on the temporary directory.

--
Mike Andrews
mikea@mikea.ath.cx
Tired old sysadmin

From raymond at PROLOCATION.NET Wed Dec 3 15:05:38 2003
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:21:24 2006
Subject: ProcessClamAVOutput: Zip module failure.
In-Reply-To: <20031203090233.A26202@mikea.ath.cx>
Message-ID:

Hi!

> Ideas?
>
> Dec 3 07:59:23 isdmon2 MailScanner[4416]: Virus and Content Scanning: Starting
> Dec 3 07:59:27 isdmon2 MailScanner[4416]: ProcessClamAVOutput: Zip module failure.
> Dec 3 07:59:28 isdmon2 MailScanner[4416]: ERROR: Can't run unzip
> Dec 3 07:59:29 isdmon2 MailScanner[4416]: ERROR: Can't execute some
> unpacker. Check paths and permissions on the temporary directory.

Do you have unzip in your path somewhere ? It seems it can't find it.

Bye,
Raymond.

From mailscanner at ecs.soton.ac.uk Wed Dec 3 15:26:17 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:21:24 2006
Subject: ProcessClamAVOutput: Zip module failure.
In-Reply-To:
References: <20031203090233.A26202@mikea.ath.cx>
Message-ID: <6.0.1.1.2.20031203152513.09109758@imap.ecs.soton.ac.uk>

At 15:05 03/12/2003, you wrote:
>Hi!
>
> > Ideas?
> >
> > Dec 3 07:59:23 isdmon2 MailScanner[4416]: Virus and Content Scanning:
> Starting
> > Dec 3 07:59:27 isdmon2 MailScanner[4416]: ProcessClamAVOutput: Zip
> module failure.
> > Dec 3 07:59:28 isdmon2 MailScanner[4416]: ERROR: Can't run unzip
> > Dec 3 07:59:29 isdmon2 MailScanner[4416]: ERROR: Can't execute some
> > unpacker. Check paths and permissions on the temporary directory.
>
>Do you have unzip in your path somewhere ? It seems it can't find it.

Also you may need to change the "Incoming Work Permissions" setting so that the unpacker (run as a non-root user) can read the files it is trying to unpack in the temporary directory.
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Wed Dec 3 15:24:14 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:21:24 2006
Subject: BadTNEF
In-Reply-To: <1070463273.4514.47.camel@dbeauchemin.sti.usherbrooke.ca>
References: <200312031425.hB3EPLqj002848@mx.sargam.com> <003201c3b9a8$8c30ab70$6000a8c0@noticiasargentinas.com> <6.0.1.1.2.20031203143131.09106a88@imap.ecs.soton.ac.uk> <1070463273.4514.47.camel@dbeauchemin.sti.usherbrooke.ca>
Message-ID: <6.0.1.1.2.20031203152342.03d005d8@imap.ecs.soton.ac.uk>

Not really worth the effort any more. TNEF is now (thankfully) a rare sight, since Microsoft learnt the error of their ways and started using HTML instead.

At 14:54 03/12/2003, you wrote:
>On Wed 03/12/2003 at 09:33, Julian Field wrote:
>
> > 3) The "tnef" program really couldn't decode the winmail.dat attachment in
> > the message
> > 4) You might be better off setting the location of the "tnef" program to
> > "internal" so that MailScanner uses the internal Perl module which is
> > slower but often better at decoding TNEF attachments (winmail.dat).
>
>Julian,
>
>Could MS be modified to use both tnef decoders if need be?
>
>Let's say the first decoder cannot analyze the winmail.dat file, then MS
>fires off the second one to try to do better.
>
>We could write something like:
>External TNEF Expander = /usr/bin/tnef --maxsize=100000000
>TNEF Expander = external internal
>
>Denis
>--
>Denis Beauchemin, analyst
>Université de Sherbrooke, S.T.I.
>T: 819.821.8000x2252 F: 819.821.8045

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From jbuda at NOTICIASARGENTINAS.COM Wed Dec 3 15:30:56 2003
From: jbuda at NOTICIASARGENTINAS.COM (Jose Julian Buda)
Date: Thu Jan 12 21:21:24 2006
Subject: BadTNEF
References: <200312031425.hB3EPLqj002848@mx.sargam.com> <003201c3b9a8$8c30ab70$6000a8c0@noticiasargentinas.com> <6.0.1.1.2.20031203143131.09106a88@imap.ecs.soton.ac.uk>
Message-ID: <00b801c3b9b2$71f2f150$6000a8c0@noticiasargentinas.com>

mmmm, i have compiled tnef-1.1.4+sizelimit.tar already but on /opt/MailScanner/bin i have:

tnef -> tnef.solaris
tnef.linux
tnef.solaris

could it be this?

i change to tnef -> tnef.linux and let's see if this work

thank you

----- Original Message -----
From: "Julian Field"
To:
Sent: Wednesday, December 03, 2003 11:33 AM
Subject: Re: BadTNEF

> At 14:19 03/12/2003, you wrote:
> >Why appear this reports?
> >
> >"Could not parse Outlook Rich Text Atachment"
> >
> >i saw this reports sometimes on some warnings.
> >
> >what is it mean?
>
> It means one of these:
> 1) You haven't built the "tnef" program in /opt/MailScanner/bin for your
> architecture.
> 2) For some reason MailScanner is failing to run the "tnef" program
> 3) The "tnef" program really couldn't decode the winmail.dat attachment in
> the message
> 4) You might be better off setting the location of the "tnef" program to
> "internal" so that MailScanner uses the internal Perl module which is
> slower but often better at decoding TNEF attachments (winmail.dat).
>
>
> --
> Julian Field
> www.MailScanner.info
> MailScanner thanks transtec Computers for their support
>
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From jstuart at EDENPR.K12.MN.US Wed Dec 3 15:45:18 2003
From: jstuart at EDENPR.K12.MN.US (Joe Stuart)
Date: Thu Jan 12 21:21:24 2006
Subject: .hoststat
Message-ID:

I don't know much about mail but I did a chown -R postfix.postfix
/var/spool/mqueue and now it is done complaining. Is that correct
permissions or is it a stupid thing to do?

Thanks,
Joe

>>> mailscanner@ECS.SOTON.AC.UK 12/03/03 02:58AM >>>
At 21:27 02/12/2003, you wrote:
>Hi,
>I'm running mailscanner with postfix on suse linux and whenever I start
>Mailscanner up it starts as a defunct process and the maillog keeps
>printing this and I can't find any info in the net.
>
>MailScanner[5588]: Cannot open dir .hoststat when finding depth

Your Postfix queues are set out strangely. It's not expecting to see a
.hoststat file/dir when scanning for the directory hashing depth.
If you delete .hoststat does it re-appear?
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From Denis.Beauchemin at USHERBROOKE.CA Wed Dec 3 16:02:49 2003
From: Denis.Beauchemin at USHERBROOKE.CA (Denis Beauchemin)
Date: Thu Jan 12 21:21:24 2006
Subject: BadTNEF
In-Reply-To: <6.0.1.1.2.20031203152342.03d005d8@imap.ecs.soton.ac.uk>
References: <200312031425.hB3EPLqj002848@mx.sargam.com> <003201c3b9a8$8c30ab70$6000a8c0@noticiasargentinas.com> <6.0.1.1.2.20031203143131.09106a88@imap.ecs.soton.ac.uk> <1070463273.4514.47.camel@dbeauchemin.sti.usherbrooke.ca> <6.0.1.1.2.20031203152342.03d005d8@imap.ecs.soton.ac.uk>
Message-ID: <1070467368.4514.51.camel@dbeauchemin.sti.usherbrooke.ca>

On Wed 03/12/2003 at 10:24, Julian Field wrote:
> Not really worth the effort any more. TNEF is now (thankfully) a rare
> sight, since Microsoft learnt the error of their ways and started using
> HTML instead.

Maybe some day they will be rare, but I get an average of 175 "Corrupt
TNEF" messages per day using the external decoder (this includes
weekends where they drop near zero).

I think I will try the internal one to see if it can do better.

Denis
>
> At 14:54 03/12/2003, you wrote:
> >On Wed 03/12/2003 at 09:33, Julian Field wrote:
> >
> > > 3) The "tnef" program really couldn't decode the winmail.dat attachment in
> > > the message
> > > 4) You might be better off setting the location of the "tnef" program to
> > > "internal" so that MailScanner uses the internal Perl module which is
> > > slower but often better at decoding TNEF attachments (winmail.dat).
> >
> >Julian,
> >
> >Could MS be modified to use both tnef decoders if need be?
> >
> >Let's say the first decoder cannot analyze the winmail.dat file, then MS
> >fires off the second one to try to do better.
> >
> >We could write something like:
> >External TNEF Expander = /usr/bin/tnef --maxsize=100000000
> >TNEF Expander = external internal
> >
> >Denis
> >--
> >Denis Beauchemin, analyste
> >Université de Sherbrooke, S.T.I.
> >T: 819.821.8000x2252 F: 819.821.8045
--
Denis Beauchemin, analyste
Université de Sherbrooke, S.T.I.
T: 819.821.8000x2252 F: 819.821.8045 From ccampbell at BRUEGGERS.COM Wed Dec 3 16:10:10 2003 From: ccampbell at BRUEGGERS.COM (Christian Campbell) Date: Thu Jan 12 21:21:24 2006 Subject: Update SA Rules Message-ID: Is it safe to use SA 2.6 .cf files in my SA 2.55 installation? I just want to update the rules until I get a chance to properly upgrade to 2.6. Christian Christian P. Campbell Systems Engineer Information Technology Department Bruegger's Enterprises, Inc. Desk: (802) 652-9270 Cell: (802) 734-5023 Email: ccampbell at brueggers dot com Registered Linux User #319324 PGP public key available via PGP keyservers or http://www2.brueggers.com/pgp/ccampbell.html "We all know Linux is great... it does infinite loops in 5 seconds." -- Linus Torvalds From james at CHE.UTEXAS.EDU Wed Dec 3 16:06:05 2003 From: james at CHE.UTEXAS.EDU (James Hammett) Date: Thu Jan 12 21:21:24 2006 Subject: Modifying the Filter for HTML (spefically allowing HTML-forms or address based allowing them). Message-ID: Several of my users receive a mailing from a Science journal which includes an HTML From. I've looked through the various config files and the documentation and I can't find how to allow these through. Alternative (and I haven't looked into this as much), is there a way to allow HTM-Form email from just that address? Please send me an off response, and I'll post a summary to the list. thanks, James -- -------------------------------------------------------------------------- James Hammett Users Services / Server and Lab Administration (SLAM) Information Technology Services ( (ITS) CPE 4.442 Chemical Engineering Unix Support 471-9701 ---------------------------------------------------------------------------- An injustice anywhere is a threat to justice everywhere - MLK jr. ---------------------------------------------------------------------------- From mailscanner at ecs.soton.ac.uk Wed Dec 3 16:20:08 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:21:24 2006
Subject: Modifying the Filter for HTML (spefically allowing HTML-forms or address based allowing them).
In-Reply-To:
References:
Message-ID: <6.0.1.1.2.20031203161625.094c3ea0@imap.ecs.soton.ac.uk>

This is yet another job for a ruleset.

In MailScanner.conf, set
Allow Form Tags = /etc/MailScanner/rules/allow.forms.rules

And then in /etc/MailScanner/rules/allow.forms.rules put this:
From: somejournal@science.com yes
FromOrTo: default no

where "somejournal@science.com" is the address the journal comes from. Note
this is not the address in the "From:" header of the message, but the
envelope sender address which you may find in either the "Return-Path:"
header (if there is one) or else in your mail log.

You can apply rulesets to virtually any configuration setting in
MailScanner, and they can happily each be several hundred lines long if
that's the complexity of configuration you need.

At 16:06 03/12/2003, you wrote:
>Several of my users receive a mailing from a Science journal which
>includes an HTML From. I've looked through the various config files
>and the documentation and I can't find how to allow these through.
>
>Alternative (and I haven't looked into this as much), is there a way
>to allow HTM-Form email from just that address?
>
>Please send me an off response, and I'll post a summary to the list.
>
>thanks,
>James
>--
>
>--------------------------------------------------------------------------
>James Hammett
>Users Services / Server and Lab Administration (SLAM)
>Information Technology Services ( (ITS) CPE 4.442
>Chemical Engineering Unix Support 471-9701
>----------------------------------------------------------------------------
> An injustice anywhere is a threat to justice everywhere - MLK jr.
>----------------------------------------------------------------------------

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Wed Dec 3 16:15:14 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:24 2006 Subject: BadTNEF In-Reply-To: <00b801c3b9b2$71f2f150$6000a8c0@noticiasargentinas.com> References: <200312031425.hB3EPLqj002848@mx.sargam.com> <003201c3b9a8$8c30ab70$6000a8c0@noticiasargentinas.com> <6.0.1.1.2.20031203143131.09106a88@imap.ecs.soton.ac.uk> <00b801c3b9b2$71f2f150$6000a8c0@noticiasargentinas.com> Message-ID: <6.0.1.1.2.20031203161427.0379b1a8@imap.ecs.soton.ac.uk> You clearly need to be running the correct tnef for you CPU and OS. I supply ones pre-built for Linux on i386 and for Solaris on SPARC. Anything else you will have to compile your own version. At 15:30 03/12/2003, you wrote: >mmmm, i have compiled tnef-1.1.4+sizelimit.tar already >but on /opt/MailScanner/bin i have: > >tnef -> tnef.solaris >tnef.linux >tnef.solaris > >could it be this? > >i change to >tnef -> tnef.linux >and let's see if this work > >thank you > > > > >----- Original Message ----- 
>From: "Julian Field" >To: >Sent: Wednesday, December 03, 2003 11:33 AM >Subject: Re: BadTNEF > > > > At 14:19 03/12/2003, you wrote: > > >Why appear this reports? > > > > > >"Could not parse Outlook Rich Text Atachment" > > > > > >i saw this reports sometimes on some warnings. > > > > > >what is it mean? > > > > It means one of these: > > 1) You haven't built the "tnef" program in /opt/MailScanner/bin for your > > architecture. > > 2) For some reason MailScanner is failing to run the "tnef" program > > 3) The "tnef" program really couldn't decode the winmail.dat attachment in > > the message > > 4) You might be better off setting the location of the "tnef" program to > > "internal" so that MailScanner uses the internal Perl module which is > > slower but often better at decoding TNEF attachments (winmail.dat). > > > > > > -- > > Julian Field > > www.MailScanner.info > > MailScanner thanks transtec Computers for their support > > > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From jbuda at NOTICIASARGENTINAS.COM Wed Dec 3 16:24:30 2003 From: jbuda at NOTICIASARGENTINAS.COM (Jose Julian Buda) Date: Thu Jan 12 21:21:24 2006 Subject: BadTNEF References: <200312031425.hB3EPLqj002848@mx.sargam.com> <003201c3b9a8$8c30ab70$6000a8c0@noticiasargentinas.com> <6.0.1.1.2.20031203143131.09106a88@imap.ecs.soton.ac.uk> <00b801c3b9b2$71f2f150$6000a8c0@noticiasargentinas.com> <6.0.1.1.2.20031203161427.0379b1a8@imap.ecs.soton.ac.uk> Message-ID: <005501c3b9b9$ee8b70f0$6000a8c0@noticiasargentinas.com> yes i know but when i compile the default is tnef -> tnef.solaris and i did not see it,sorry i change the link to the tnef.linux file on the directory tnef -> tnef.linux thank you i hope this time it work ----- Original Message ----- 
From: "Julian Field" To: Sent: Wednesday, December 03, 2003 1:15 PM Subject: Re: BadTNEF > You clearly need to be running the correct tnef for you CPU and OS. I > supply ones pre-built for Linux on i386 and for Solaris on SPARC. Anything > else you will have to compile your own version. > > At 15:30 03/12/2003, you wrote: > >mmmm, i have compiled tnef-1.1.4+sizelimit.tar already > >but on /opt/MailScanner/bin i have: > > > >tnef -> tnef.solaris > >tnef.linux > >tnef.solaris > > > >could it be this? > > > >i change to > >tnef -> tnef.linux > >and let's see if this work > > > >thank you > > > > > > > > > >----- Original Message ----- > >From: "Julian Field" > >To: > >Sent: Wednesday, December 03, 2003 11:33 AM > >Subject: Re: BadTNEF > > > > > > > At 14:19 03/12/2003, you wrote: > > > >Why appear this reports? > > > > > > > >"Could not parse Outlook Rich Text Atachment" > > > > > > > >i saw this reports sometimes on some warnings. > > > > > > > >what is it mean? > > > > > > It means one of these: > > > 1) You haven't built the "tnef" program in /opt/MailScanner/bin for your > > > architecture. > > > 2) For some reason MailScanner is failing to run the "tnef" program > > > 3) The "tnef" program really couldn't decode the winmail.dat attachment in > > > the message > > > 4) You might be better off setting the location of the "tnef" program to > > > "internal" so that MailScanner uses the internal Perl module which is > > > slower but often better at decoding TNEF attachments (winmail.dat). > > > > > > > > > -- > > > Julian Field > > > www.MailScanner.info > > > MailScanner thanks transtec Computers for their support > > > > > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > > -- > Julian Field > www.MailScanner.info > MailScanner thanks transtec Computers for their support > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From Denis.Beauchemin at USHERBROOKE.CA Wed Dec 3 16:29:52 2003 
From: Denis.Beauchemin at USHERBROOKE.CA (Denis Beauchemin)
Date: Thu Jan 12 21:21:24 2006
Subject: BadTNEF
In-Reply-To: <1070467368.4514.51.camel@dbeauchemin.sti.usherbrooke.ca>
References: <200312031425.hB3EPLqj002848@mx.sargam.com> <003201c3b9a8$8c30ab70$6000a8c0@noticiasargentinas.com> <6.0.1.1.2.20031203143131.09106a88@imap.ecs.soton.ac.uk> <1070463273.4514.47.camel@dbeauchemin.sti.usherbrooke.ca> <6.0.1.1.2.20031203152342.03d005d8@imap.ecs.soton.ac.uk> <1070467368.4514.51.camel@dbeauchemin.sti.usherbrooke.ca>
Message-ID: <1070468992.4514.54.camel@dbeauchemin.sti.usherbrooke.ca>

I just looked at how often the external tnef decoder fails and it is
disturbing... The following stats are from Oct 1st :
22102 winmail.dat seen (11040 corrupt 49.95%)

I already have switched to the internal decoder!

Denis

On Wed 03/12/2003 at 11:02, Denis Beauchemin wrote:
> On Wed 03/12/2003 at 10:24, Julian Field wrote:
> > Not really worth the effort any more. TNEF is now (thankfully) a rare
> > sight, since Microsoft learnt the error of their ways and started using
> > HTML instead.
>
> Maybe some day they will be rare, but I get an average of 175 "Corrupt
> TNEF" messages per day using the external decoder (this includes
> weekends where they drop near zero).
>
> I think I will try the internal one to see if it can do better.
>
> Denis
> >
> > At 14:54 03/12/2003, you wrote:
> > >On Wed 03/12/2003 at 09:33, Julian Field wrote:
> > >
> > > > 3) The "tnef" program really couldn't decode the winmail.dat attachment in
> > > > the message
> > > > 4) You might be better off setting the location of the "tnef" program to
> > > > "internal" so that MailScanner uses the internal Perl module which is
> > > > slower but often better at decoding TNEF attachments (winmail.dat).
> > >
> > >Julian,
> > >
> > >Could MS be modified to use both tnef decoders if need be?
> > >
> > >Let's say the first decoder cannot analyze the winmail.dat file, then MS
> > >fires off the second one to try to do better.
> > >
> > >We could write something like:
> > >External TNEF Expander = /usr/bin/tnef --maxsize=100000000
> > >TNEF Expander = external internal
> > >
> > >Denis
> > >--
> > >Denis Beauchemin, analyste
> > >Université de Sherbrooke, S.T.I.
> > >T: 819.821.8000x2252 F: 819.821.8045
--
Denis Beauchemin, analyste
Université de Sherbrooke, S.T.I.
T: 819.821.8000x2252 F: 819.821.8045

From mkettler at EVI-INC.COM Wed Dec 3 16:41:45 2003
From: mkettler at EVI-INC.COM (Matt Kettler)
Date: Thu Jan 12 21:21:25 2006
Subject: Update SA Rules
In-Reply-To:
References:
Message-ID: <6.0.0.22.0.20031203113950.029ff038@xanadu.evi-inc.com>

At 11:10 AM 12/3/2003, Christian Campbell wrote:
>Is it safe to use SA 2.6 .cf files in my SA 2.55 installation? I just want
>to update the rules until I get a chance to properly upgrade to 2.6.

No. The rules and code of SA are not separable. Many rules use perl code
(eval tests) and many rules depend on the way a particular version of SA
processes HTML tags, new rule syntax features, etc.

From m.sapsed at BANGOR.AC.UK Wed Dec 3 17:35:02 2003
From: m.sapsed at BANGOR.AC.UK (Martin Sapsed) Date: Thu Jan 12 21:21:25 2006 Subject: Sophos updates References: <0EBC45FCABFC95428EBFC3A51B368C9501C9C3AD@jessica.herefords hire.gov.uk> <0EBC45FCABFC95428EBFC3A51B368C9501C9C3AD@jessica.herefordshire.gov.uk> <5.1.0.14.2.20031202131729.01cd84e8@pop.mail.yahoo.com> Message-ID: <3FCE1EC6.6080504@bangor.ac.uk> hermit921 wrote: > Does the automatic Sophos updating process installed with MailScanner > include engine updates or just new virus signatures? > > The mail logs show new Sophos ide files every hour on most days. Are virus > signatures updated that often or is this an artifact of the update script? as an aside to this, my beta testing of the new version of Enterprise Manager (now to be called EM Library I think) seems to be going ok. My test version of MailScanner has been using an EM maintained Sophos installation for some weeks now. If you use (or are thinking of using) EM to manage CIDs for windows boxes, you will soon (think the beta finishes soon) be able to use it to manage the copy MailScanner uses too. That will then take care of engine updates, new virus signatures and new versions of the engine because they've realised the release version has "issues"! If you're just using Sophos with MailScanner, you're not interested in the above! Cheers, Martin -- Martin Sapsed Information Services "Who do you say I am?" University of Wales, Bangor Jesus of Nazareth From gdoris at rogers.com Wed Dec 3 17:50:11 2003 
From: gdoris at rogers.com (Gerry Doris) Date: Thu Jan 12 21:21:25 2006 Subject: Norman Scanner? Message-ID: <64570.129.80.22.143.1070473812.squirrel@tiger.dorfam.ca> I saw a reference to the Norman scanner in an earlier email. This is a new one for me and I thought I'd check it out especially as the email stated it was free for personal use. I went to the Norman site and I assume the product we're discussing is the Norman Virus Control for Linux. However, I couldn't find any reference about it being free for personal use. They have a trial copy that expires in 30 days or the full retail version. Are we sure that it is free for personal use? Do I just download the trial copy? Gerry From kodak at FRONTIERHOMEMORTGAGE.COM Wed Dec 3 18:14:22 2003 From: kodak at FRONTIERHOMEMORTGAGE.COM (Jason Balicki) Date: Thu Jan 12 21:21:25 2006 Subject: Sophos updates In-Reply-To: <3FCE1EC6.6080504@bangor.ac.uk> Message-ID: <002a01c3b9c9$46b296a0$0501a8c0@darkside> >EM to manage CIDs for windows boxes, you will soon (think the beta >finishes soon) be able to use it to manage the copy MailScanner uses >too. That will then take care of engine updates, new virus signatures W00t! I've been using EM to manage my client boxes for quite a while now, and I love it. This addition is wonderful news, even though I've found ways around not having EM support my Linux "clients". --J(K) From jen at AH.DK Wed Dec 3 18:42:59 2003 
From: jen at AH.DK (Jan Elmqvist Nielsen)
Date: Thu Jan 12 21:21:25 2006
Subject: Svar: Norman Scanner?
Message-ID:

http://www.norman.com/de/news/031126.shtml?menulang=de

in German language

/jan elmqvist nielsen

>>> Gerry Doris 03-12-03 18:50 >>>
I saw a reference to the Norman scanner in an earlier email. This is a
new one for me and I thought I'd check it out especially as the email
stated it was free for personal use.

I went to the Norman site and I assume the product we're discussing is
the Norman Virus Control for Linux. However, I couldn't find any reference
about it being free for personal use. They have a trial copy that
expires in 30 days or the full retail version.

Are we sure that it is free for personal use? Do I just download the
trial copy?

Gerry

From aseelye-lists at ELTOPIA.COM Wed Dec 3 18:44:31 2003
From: aseelye-lists at ELTOPIA.COM (Aaron Seelye)
Date: Thu Jan 12 21:21:25 2006
Subject: Sophos updates
References: <5.1.0.14.2.20031202131729.01cd84e8@pop.mail.yahoo.com> <5.1.0.14.2.20031202135416.01d4b130@pop.mail.yahoo.com> <6.0.1.1.2.20031203085430.03ae3a30@imap.ecs.soton.ac.uk>
Message-ID: <004101c3b9cd$7df183c0$7a01a8c0@metallus>

You always can look at the latest files in /usr/local/Sophos/ide to see what
files have been recently updated.

Aaron Seelye

----- Original Message -----
From: "Julian Field"
To:
Sent: Wednesday, December 03, 2003 12:56 AM
Subject: Re: Sophos updates

[snip]
>
> It downloads the 373_ides.zip file every hour. It's a very small file. It
> doesn't necessarily contain any new files it hasn't seen before. But unless
> you remember the size of the file from a previous run of the script,
> there's no way to tell whether it actually contains any new files or not.
> So it always gets unpacked and installed, regardless.
> --
> Julian Field
> www.MailScanner.info
> MailScanner thanks transtec Computers for their support
>
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From dh at UPTIME.AT Wed Dec 3 18:53:34 2003
From: dh at UPTIME.AT (David H.)
Date: Thu Jan 12 21:21:25 2006
Subject: Svar: Norman Scanner?
In-Reply-To:
References:
Message-ID: <3FCE312E.3070307@uptime.at>

Jan Elmqvist Nielsen wrote:
> http://www.norman.com/de/news/031126.shtml?menulang=de
>
> in German language
>
> /jan elmqvist nielsen
>

And the download link seems to be
http://www.norman.com/download_nvc_linux.shtml?menulang=de#
am I seeing this right? Is it utilizing Java?

-d

From mailscanner at ecs.soton.ac.uk Wed Dec 3 19:01:57 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:21:25 2006
Subject: Svar: Norman Scanner?
In-Reply-To:
References:
Message-ID: <6.0.1.1.2.20031203190046.03a08cc8@imap.ecs.soton.ac.uk>

I have just translated the relevant bit into English (badly) and it says this:

"Norman virus control for LINUX user the Norwegian safety specialist Norman
offers free of charge immediately a free Norman to virus control version
for LINUX. This offer applies to all private and not commercial LINUX user
in Germany."

So the offer is apparently only valid in Germany.

At 18:42 03/12/2003, you wrote:
>http://www.norman.com/de/news/031126.shtml?menulang=de
>
>in German language
>
>/jan elmqvist nielsen
>
> >>> Gerry Doris 03-12-03 18:50 >>>
>I saw a reference to the Norman scanner in an earlier email. This is a
>new one for me and I thought I'd check it out especially as the email
>stated it was free for personal use.
>
>I went to the Norman site and I assume the product we're discussing is
>the
>Norman Virus Control for Linux. However, I couldn't find any reference
>about it being free for personal use. They have a trial copy that
>expires
>in 30 days or the full retail version.
>
>Are we sure that it is free for personal use? Do I just download the
>trial copy?
>
>
>Gerry

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From shrek-m at GMX.DE Wed Dec 3 20:00:42 2003
From: shrek-m at GMX.DE (shrek-m@gmx.de)
Date: Thu Jan 12 21:21:25 2006
Subject: Svar: Norman Scanner?
In-Reply-To: <3FCE312E.3070307@uptime.at>
References: <3FCE312E.3070307@uptime.at>
Message-ID: <3FCE40EA.3050304@gmx.de>

David H. wrote:

> And the download link seems to be
> http://www.norman.com/download_nvc_linux.shtml?menulang=de#

83(nvcc) < 86(sweep) discovered viruses :-(

sorry, but i couldn't find the new virus definitions for download :-(

$ rpm -q nvcc
nvcc-5.60.06-0

Norman Virus Control Version 5.60.10 Sep 9 2003 12:31:01
Copyright (c) 1993-2003 Norman ASA

NSE revision 5.60.13
nvcbin.def revision 5.60 of 2003/10/03 (49233 variants)
nvcmacro.def revision 5.60 of 2003/09/30 (9514 variants)
Total number of variants: 58747

$ nvcc -s -u -c:1 /tmp/viren/
[...]
83 possible infections found.
53 archives unpacked, 621 files found.
621 files, 48448 kbytes scanned.
Total scanning time: 0 min. 06 secs.
8074 kbytes per second.

vs.

$ sweep --version
Product version : 3.74
Engine version : 2.17
User interface version : 2.07.025
Platform : Linux/Intel
Released : 06 October 2003
Total viruses (with IDEs) : 85062

$ sweep -all -archive -mime /tmp/viren/
[...]
549 files swept in 6 seconds.
86 viruses were discovered.
86 files out of 549 were infected.

--
shrek-m

From pages at ntin.net Wed Dec 3 20:13:04 2003
From: pages at ntin.net (NTIN Page Guy)
Date: Thu Jan 12 21:21:25 2006
Subject: John Rudd's cgp2ms and ms2cgp
Message-ID: <2722029250.20031203141304@ntin.net>

Hello MailScanner,

There seems to be a problem with cgp2ms and ms2cgp when an email
address contains an & sign.

For example
I send an email to jena&jema@example.com where example.com
is not a local domain.

The message goes out to mailscanner via cgp2ms

4:03:35.73 2 ENQUEUERRULES [29540630] rule(MailScanner) action #0: launching external task: [FILE]/usr/local/etc/cgp2ms
14:03:35.84 2 ENQUEUERRULES [29540630] rule(MailScanner) discarded the message
14:03:35.84 2 ENQUEUER-03([29540630]) discarded by Rules
14:03:35.84 2 DEQUEUER [29540630] SYSTEM()jena&jemma@baldwinfamily.us delivered

Then root@mailadmin.nortex.net gets the following email, the original
sender of the message gets no failure notice.

Failed to deliver to ''
address is blacklisted

Reporting-MTA: dns; mailadmin.nortex.net

Original-Recipient: rfc822;
Final-Recipient: system;
Action: failed
Status: 5.0.0

Received: by mailadmin.nortex.net (CommuniGate Pro PIPE 4.1.5)
  with PIPE id 29540658; Wed, 03 Dec 2003 14:03:47 -0600
Received: by mailadmin.nortex.net (CommuniGate Pro PIPE 4.1.5)
  with PIPE id 29540650; Wed, 03 Dec 2003 14:03:42 -0600
Date: Wed, 03 Dec 2003 14:03:42 -0600
Message-ID:
X-NTIN-MailScanner-Information: Please contact support@ntin.net for more information
X-NTIN-MailScanner: Found to be clean
X-NTIN-MailScanner-SpamCheck: not spam, SpamAssassin (score=0.129,
  required 5, BAYES_00 -4.90, FROM_NO_LOWER 2.00,
  MSGID_FROM_MTA_SHORT 3.03)
From: root@mailadmin.nortex.net
X-Mailer: CommuniGate Pro CLI mailer

Best regards,
Robert B, NTIN mailto:pages@ntin.net

From raymond at PROLOCATION.NET Wed Dec 3 20:28:46 2003
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:21:25 2006
Subject: Norman Scanner?
In-Reply-To: <64570.129.80.22.143.1070473812.squirrel@tiger.dorfam.ca>
Message-ID:

Hi!

> I went to the Norman site and I assume the product we're discussing is the
> Norman Virus Control for Linux. However, I couldn't find any reference
> about it being free for personal use. They have a trial copy that expires
> in 30 days or the full retail version.

On the German site there was a note about that. I installed and tested it,
but for the autoupdates it required some registration stuff, and that's not
really flexible. If I recall right they want java on the machine running
doing the register. So I quit at that point.

> Are we sure that it is free for personal use? Do I just download the
> trial copy?

According to the German site, yes.

Bye,
Raymond.

From pages at ntin.net Wed Dec 3 20:49:21 2003
From: pages at ntin.net (NTIN Page Guy)
Date: Thu Jan 12 21:21:25 2006
Subject: John Rudd's ms2cgp and cgp2ms
Message-ID: <18424211843.20031203144921@ntin.net>

There seems to be a problem with cgp2ms and ms2cgp when an email
address contains an & sign.

For example
I send an email to jena&jema@example.com where example.com
is not a local domain.

The message goes out to mailscanner via cgp2ms

4:03:35.73 2 ENQUEUERRULES [29540630] rule(MailScanner) action #0: launching external task: [FILE]/usr/local/etc/cgp2ms
14:03:35.84 2 ENQUEUERRULES [29540630] rule(MailScanner) discarded the message
14:03:35.84 2 ENQUEUER-03([29540630]) discarded by Rules
14:03:35.84 2 DEQUEUER [29540630] SYSTEM()jena&jemma@baldwinfamily.us delivered

Then root@ gets the following email, the original
sender of the message gets no failure notice.

Failed to deliver to ''
address is blacklisted

I have fixed the preceding problem, here is how I did it.

I found a bug in ms2cgp which was causing problems with email addresses
with & signs in them.

ms2cgp had the following lines, this caused a problem because the & sign
is a special character.

# send the message off to CommuniGate Pro
system("$CGPBIN/sendmail -i $rcpt < $msg");

Below is my fix, by enclosing the $rcpt in quotes I have convinced it to
accept special characters in email addresses.

# send the message off to CommuniGate Pro
system("$CGPBIN/sendmail -i \"$rcpt\" < $msg");

If you see any flaws in my logic, please let me know.

Best regards,
Robert B, NTIN mailto:pages@ntin.net

From stahl at SOEST.HAWAII.EDU Wed Dec 3 20:40:56 2003
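The ms2cgp change in the message above still hands a command string to the shell: inside double quotes the & is literal, but the shell goes on expanding $ and backticks, and a " in the address ends the quoting. The Perl sketch below is an added example, not code from ms2cgp or from the poster; it passes the recipient to the mailer as a single argument with no shell involved. The stand-in mailer script, the name deliver_no_shell and the sample addresses are constructed for the demo.

```perl
#!/usr/bin/perl
# Added example (not ms2cgp code). A stand-in script plays the part of
# $CGPBIN/sendmail so this runs offline; every address below is constructed.
use strict;
use warnings;
use File::Temp qw(tempfile);

$| = 1;    # keep parent and child output in order

# Stand-in mailer: report the arguments received and the bytes read on stdin.
my ($mfh, $mailer) = tempfile(SUFFIX => '.pl', UNLINK => 1);
print {$mfh} <<'EOF';
my $bytes = 0;
$bytes += length while <STDIN>;
print "    argv: ", join(' ', map { "[$_]" } @ARGV), "  stdin: $bytes bytes\n";
EOF
close $mfh or die "cannot write stand-in mailer: $!\n";

# Constructed message file, standing in for $msg.
my ($fh, $msg) = tempfile(UNLINK => 1);
print {$fh} "Subject: test\n\nhello\n";
close $fh or die "cannot write message: $!\n";

# Run @cmd with $rcpt appended as ONE argument and the message on stdin.
# exec in list form never starts /bin/sh, so nothing in $rcpt is parsed.
sub deliver_no_shell {
    my ($msg_file, $rcpt, @cmd) = @_;

    # A recipient starting with "-" would be read by the mailer as an option;
    # control characters have no place in an address handed to a mailer.
    die "refusing recipient\n"
        if $rcpt eq '' || $rcpt =~ /^-/ || $rcpt =~ /[\x00-\x1f\x7f]/;

    my $pid = fork();
    die "fork failed: $!\n" unless defined $pid;
    if ($pid == 0) {
        # Child: the redirection is done by Perl, not by "< $msg" in a shell.
        open(STDIN, '<', $msg_file) or die "cannot open $msg_file: $!\n";
        exec { $cmd[0] } @cmd, $rcpt or die "cannot exec $cmd[0]: $!\n";
    }
    waitpid($pid, 0);
    return $? >> 8;    # exit status of the mailer
}

my $perl = $^X;        # the running perl interpreter runs the stand-in
for my $rcpt ('jena&jema@example.com', 'list$HOME@example.com', 'a"b@example.com') {
    print "recipient: $rcpt\n";

    print "  quoted inside a shell string (the form in the post):\n";
    my $rc = system("$perl $mailer -i \"$rcpt\" < $msg");
    print "    shell reported failure (exit ", $rc >> 8, ")\n" if $rc != 0;

    print "  list form, no shell:\n";
    deliver_no_shell($msg, $rcpt, $perl, $mailer, '-i');
}
```

For the first address both forms deliver the same argument; for the second the shell form substitutes the value of HOME into the address, and for the third the shell rejects the command line, while the list form passes each address through unchanged.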
From: stahl at SOEST.HAWAII.EDU (Sharon Stahl) Date: Thu Jan 12 21:21:25 2006 Subject: Advanced SpamAssassin Settings Message-ID: Hi, I was wondering about the search for spamassassin site-local rules. The conf file says ..... # The site-local rules are searched for here, and in prefix/etc/spamassassin, # prefix/etc/mail/spamassassin, /usr/local/etc/spamassassin, /etc/spamassassin, # /etc/mail/spamassassin, and maybe others. I do not want it to search /usr/local for these rules. Is there a way for me to set the search path? Aloha, Sharon Stahl From jrudd at UCSC.EDU Wed Dec 3 20:50:54 2003 
From: jrudd at UCSC.EDU (John Rudd) Date: Thu Jan 12 21:21:25 2006 Subject: John Rudd's cgp2ms and ms2cgp References: <2722029250.20031203141304@ntin.net> Message-ID: <3FCE4CAE.4D38B711@ucsc.edu> It's going to take a few days for me to get to this, but I'll get on it as soon as I can. (it's pretty much a perl quoting issue, I just have to remember how to fix it) John NTIN Page Guy wrote: > > Hello MailScanner, > > There seems to be a problem with cgp2ms and ms2cgp when a email > address contains an & sign. > > For example > I send an email to jena&jema@example.com where example.com > is not a local domain. > > The message goes out to mailscanner via cgp2ms > > 4:03:35.73 2 ENQUEUERRULES [29540630] rule(MailScanner) action #0: launching external task: [FILE]/usr/local/etc/cgp2ms > 14:03:35.84 2 ENQUEUERRULES [29540630] rule(MailScanner) discarded the message > 14:03:35.84 2 ENQUEUER-03([29540630]) discarded by Rules > 14:03:35.84 2 DEQUEUER [29540630] SYSTEM()jena&jemma@baldwinfamily.us delivered > > Then root@mailadmin.nortex.net gets the following email, the original > sender of the message gets no failure notice. > > Failed to deliver to '' > address is blacklisted > > Reporting-MTA: dns; mailadmin.nortex.net > > Original-Recipient: rfc822; > Final-Recipient: system; > Action: failed > Status: 5.0.0 > > Received: by mailadmin.nortex.net (CommuniGate Pro PIPE 4.1.5) > with PIPE id 29540658; Wed, 03 Dec 2003 14:03:47 -0600 > Received: by mailadmin.nortex.net (CommuniGate Pro PIPE 4.1.5) > with PIPE id 29540650; Wed, 03 Dec 2003 14:03:42 -0600 > Date: Wed, 03 Dec 2003 14:03:42 -0600 > Message-ID: > X-NTIN-MailScanner-Information: Please contact support@ntin.net for more information > X-NTIN-MailScanner: Found to be clean > X-NTIN-MailScanner-SpamCheck: not spam, SpamAssassin (score=0.129, > required 5, BAYES_00 -4.90, FROM_NO_LOWER 2.00, > MSGID_FROM_MTA_SHORT 3.03) 
> From: root@mailadmin.nortex.net > X-Mailer: CommuniGate Pro CLI mailer > > Best regards, > Robert B, NTIN mailto:pages@ntin.net From mkettler at EVI-INC.COM Wed Dec 3 21:16:32 2003 From: mkettler at EVI-INC.COM (Matt Kettler) Date: Thu Jan 12 21:21:25 2006 Subject: Advanced SpamAssassin Settings In-Reply-To: References: Message-ID: <6.0.0.22.0.20031203161603.027ea310@xanadu.evi-inc.com> At 03:40 PM 12/3/2003, Sharon Stahl wrote: >Hi, > I was wondering about the search for spamassassin site-local rules. >The conf file says ..... ># The site-local rules are searched for here, and in prefix/etc/spamassassin, ># prefix/etc/mail/spamassassin, /usr/local/etc/spamassassin, >/etc/spamassassin, ># /etc/mail/spamassassin, and maybe others. > > > I do not want it to search /usr/local for these rules. >Is there a way for me to set the search path? Hack the spamassassin source code.. From steve.swaney at FSL.COM Wed Dec 3 21:25:19 2003 From: steve.swaney at FSL.COM (Stephen Swaney) Date: Thu Jan 12 21:21:25 2006 Subject: Advanced SpamAssassin Settings In-Reply-To: <6.0.0.22.0.20031203161603.027ea310@xanadu.evi-inc.com> Message-ID: <20031203212455.030CD21C34C@mail.fsl.com> Sharon, All SpamAssassin settings can (and should) be placed in: /spam.assassin.prefs.conf This will save your settings when next you upgrade SpamAssassin. The other files can be empty or non-existent. Steve Stephen Swaney President Fortress Systems Ltd. steve.swaney@fsl.com > -----Original Message----- 
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On > Behalf Of Matt Kettler > Sent: Wednesday, December 03, 2003 4:17 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Advanced SpamAssassin Settings > > At 03:40 PM 12/3/2003, Sharon Stahl wrote: > >Hi, > > I was wondering about the search for spamassassin site-local rules. > >The conf file says ..... > ># The site-local rules are searched for here, and in > prefix/etc/spamassassin, > ># prefix/etc/mail/spamassassin, /usr/local/etc/spamassassin, > >/etc/spamassassin, > ># /etc/mail/spamassassin, and maybe others. > > > > > > I do not want it to search /usr/local for these rules. > >Is there a way for me to set the search path? > > Hack the spamassassin source code.. From Denis.Beauchemin at USHERBROOKE.CA Wed Dec 3 21:35:07 2003 
From: Denis.Beauchemin at USHERBROOKE.CA (Denis Beauchemin) Date: Thu Jan 12 21:21:25 2006 Subject: BadTNEF (followup) In-Reply-To: <1070468992.4514.54.camel@dbeauchemin.sti.usherbrooke.ca> References: <200312031425.hB3EPLqj002848@mx.sargam.com> <003201c3b9a8$8c30ab70$6000a8c0@noticiasargentinas.com> <6.0.1.1.2.20031203143131.09106a88@imap.ecs.soton.ac.uk> <1070463273.4514.47.camel@dbeauchemin.sti.usherbrooke.ca> <6.0.1.1.2.20031203152342.03d005d8@imap.ecs.soton.ac.uk> <1070467368.4514.51.camel@dbeauchemin.sti.usherbrooke.ca> <1070468992.4514.54.camel@dbeauchemin.sti.usherbrooke.ca> Message-ID: <1070487307.4514.78.camel@dbeauchemin.sti.usherbrooke.ca> > I just looked at how often the external tnef decoder fails and it is > disturbing... The following stats are from Oct 1st : > 22102 winmail.dat seen (11040 corrupt 49.95%) > > I already have switched to the internal decoder! > Since I switched to the internal decoder I didn't get a single corrupt tnef (in close to 300 decoded attachments). I highly recommend that everyone switch to the internal decoder! Denis -- Denis Beauchemin, analyste Université de Sherbrooke, S.T.I. T: 819.821.8000x2252 F: 819.821.8045 From mike at TC3NET.COM Wed Dec 3 21:25:06 2003 From: mike at TC3NET.COM (Michael Baird) Date: Thu Jan 12 21:21:25 2006 Subject: mcafee-autoupdate. Message-ID: <1070486706.9562.49.camel@mike-new2.tc3net.com> I noticed the mcafee-autoupdate doesn't write to syslog, when it updates the virus scanner (mailstats.pl uses this for its statistics). It is just a bash script, so I stuck in a logger line, with syntax matching other updaters, if this functionality could be added into the main updater that would be nice.

run wget --passive-ftp --progress=dot:mega $FTPDIR/$TARFILE
run tar xvf $TARFILE
#### Added for mailstats.pl virus update time graphing #####
logger -p mail.info McAfee-autoupdate: McAfee updated

Regards MIKE From mkettler at EVI-INC.COM Wed Dec 3 21:40:31 2003
From: mkettler at EVI-INC.COM (Matt Kettler) Date: Thu Jan 12 21:21:25 2006 Subject: Advanced SpamAssassin Settings In-Reply-To: <20031203212455.030CD21C34C@mail.fsl.com> References: <6.0.0.22.0.20031203161603.027ea310@xanadu.evi-inc.com> <20031203212455.030CD21C34C@mail.fsl.com> Message-ID: <6.0.0.22.0.20031203163043.024e1dc0@xanadu.evi-inc.com> At 04:25 PM 12/3/2003, Stephen Swaney wrote: >All SpamAssassin settings can (and should) be placed in: > /spam.assassin.prefs.conf > >This will save your settings when next you upgrade SpamAssassin. >The other files can be empty or non-existent. True, but this has nothing to do with the poster's actual question. spam.assassin.prefs.conf is used to replace the "user_prefs" file in SpamAssassin. None of this will stop spamassassin from automatically reading the "site rules" as well, even when called via MailScanner. ie: /usr/local/etc/spamassassin/*.cf (although duplicate options in spam.assassin.prefs.conf will take priority, the other files will still be read.) And the original poster's question regards how to prevent SA from reading files in /usr/local. The *only* way to do that is to hack the SpamAssassin source code.. the list of paths used for this search are hard coded into spamassassin. Also, as an added detail, SA will only handle the *first* site-rules dir it finds.. it will not try any others.. The raw SA source code for 2.60 has this path search in SpamAssassin.pm: # first 3 are BSDish, latter 2 Linuxish @site_rules_path = ( '__local_rules_dir__', '__prefix__/etc/mail/spamassassin', '__prefix__/etc/spamassassin', '/usr/local/etc/spamassassin', '/usr/pkg/etc/spamassassin', '/usr/etc/spamassassin', '/etc/mail/spamassassin', '/etc/spamassassin', ); Note that __local_rules_dir__ and __prefix__ are filled in with information determined when you compile/install SA. From pages at ntin.net Wed Dec 3 21:54:41 2003 
From: pages at ntin.net (NTIN Page Guy) Date: Thu Jan 12 21:21:25 2006 Subject: John Rudd's ms2cgp and cgp2ms In-Reply-To: <18424211843.20031203144921@ntin.net> References: <18424211843.20031203144921@ntin.net> Message-ID: <15528128062.20031203155441@ntin.net> Hello NTIN, Strange, I posted this message hours ago and it just now appeared. John pointed out that my fix below breaks messages that are addressed to multiple recipients. Wednesday, December 03, 2003, you wrote: NPG> There seems to be a problem with cgp2ms and ms2cgp when an email NPG> address contains an & sign. NPG> For example NPG> I send an email to jena&jema@example.com where example.com NPG> is not a local domain. NPG> The message goes out to mailscanner via cgp2ms NPG> 4:03:35.73 2 ENQUEUERRULES [29540630] rule(MailScanner) action #0: launching external task: NPG> [FILE]/usr/local/etc/cgp2ms NPG> 14:03:35.84 2 ENQUEUERRULES [29540630] rule(MailScanner) discarded the message NPG> 14:03:35.84 2 ENQUEUER-03([29540630]) discarded by Rules NPG> 14:03:35.84 2 DEQUEUER [29540630] SYSTEM()jena&jemma@baldwinfamily.us delivered NPG> Then root@ gets the following email, the original NPG> sender of the message gets no failure notice. NPG> Failed to deliver to '' NPG> address is blacklisted NPG> I have fixed the preceding problem, here is how I did it. NPG> I found a bug in ms2cgp which was causing problems with email NPG> addresses with & signs in them. NPG> ms2cgp had the following lines, this caused a problem because the & NPG> sign is a special character. NPG> # send the message off to CommuniGate Pro NPG> system("$CGPBIN/sendmail -i $rcpt < $msg"); NPG> Below is my fix, by enclosing the $rcpt in quotes I have convinced it NPG> to accept special characters in email addresses. NPG> # send the message off to CommuniGate Pro NPG> system("$CGPBIN/sendmail -i \"$rcpt\" < $msg"); NPG> If you see any flaws in my logic, please let me know.
NPG> Best regards, NPG> Robert B, NTIN mailto:pages@ntin.net Best regards, Robert B, NTIN mailto:pages@ntin.net From mailscanner at ecs.soton.ac.uk Thu Dec 4 03:26:46 2003 From: mailscanner at ecs.soton.ac.uk (mailscanner@ecs.soton.ac.uk) Date: Thu Jan 12 21:21:25 2006 Subject: NOTIFY-New Guestbook Entry Message-ID: <200312040326.hB43Qk5q024970@seer.ecs.soton.ac.uk> New Guestbook-Entry from usa Should have multi outqueuedir like inqueuedir (/var/spool/mqueue.in/*) From jstuart at EDENPR.K12.MN.US Wed Dec 3 22:32:24 2003 From: jstuart at EDENPR.K12.MN.US (Joe Stuart) Date: Thu Jan 12 21:21:25 2006 Subject: postfix defer_transport Message-ID: Ok so I have Maiscanner running with Postfix on a suse linux server that scans all the messages then forwards them off to a groupwise server. I set up Postfix and Mailscanner just like the Mailscanner insallation guide - Postfix says. But everytime I would send mail to it the maillog would say postfix/qmgr[15673]: EEBBA5A400A: to=, relay=none, delay=1, status=deferred (deferred transport) So I changed the line in /etc/postfix.in/main.cf from this defer_transports = smtp local virtual relay to defer_transports = and it now works, but I'm not comfortable with it not working like the website says. I am wondering if anyone could help me figure out why it's not working like it is supposed to. Thanks, Joe From id at W98.US Wed Dec 3 23:25:59 2003 From: id at W98.US (ian douglas) Date: Thu Jan 12 21:21:25 2006 Subject: AOL blocking MailScanner messages! In-Reply-To: <5.2.1.1.0.20031202152704.04d31ed8@mail.1bigthink.com> Message-ID: > Which means that you never had your reverse DNS correct, or maybe something > happened to it recently. Perhaps your upstream provider? Yeah, this happened to me a few weeks ago - AOL started blocking all Emails from my server because my reverse DNS wasn't configured correctly. Soon as I fixed that, it worked like a charm. -id From pete at eatathome.com.au Thu Dec 4 00:09:26 2003 
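Added example for the ms2cgp recipient problem discussed above (not part of the thread and not code from ms2cgp): handing the recipients to the mailer without a shell, so that `&` and other metacharacters in an address are never interpreted and several recipients stay separate arguments. It assumes `$rcpt` in ms2cgp holds a whitespace-separated recipient list; `send_without_shell` and the stand-in mailer (a Perl one-liner that prints what it receives) are hypothetical names used so the demo runs offline.

```perl
#!/usr/bin/perl
# Added example, not ms2cgp's own code.
use strict;
use warnings;
use File::Temp qw(tempfile);
use POSIX ();

$| = 1;    # flush our own output before the child writes

# Run the mailer given in @$cmd with every recipient as its own argv element
# and the message file on stdin. exec() in list form never starts /bin/sh, so
# & ; | $ ` quotes and spaces in an address reach the mailer as plain bytes.
sub send_without_shell {
    my ($msg_path, $cmd, @rcpts) = @_;
    die "no recipients\n" unless @rcpts;
    for my $r (@rcpts) {
        # A leading "-" would be read as an option by the mailer.
        die "refusing recipient that looks like an option: $r\n" if $r =~ /^-/;
        # Control characters have no place in an envelope address.
        die "refusing recipient with control characters\n"
            if $r =~ /[\x00-\x1f\x7f]/;
    }
    my $pid = fork();
    die "fork failed: $!\n" unless defined $pid;
    if ($pid == 0) {
        # Child: this open replaces the "< $msg" redirection of the shell form.
        open(STDIN, '<', $msg_path) or POSIX::_exit(126);
        exec { $cmd->[0] } @$cmd, @rcpts or POSIX::_exit(127);
    }
    waitpid($pid, 0);
    return $? >> 8;    # exit status of the mailer
}

# --- demo with constructed data ---------------------------------------------
# Constructed message file standing in for $msg.
my ($fh, $msg) = tempfile(UNLINK => 1);
print {$fh} "Subject: test\n\nbody\n";
close $fh;

# Hypothetical stand-in for "$CGPBIN/sendmail -i": prints what it was given.
my $show = 'print scalar(@ARGV), " recipient(s)\n"; print "  <$_>\n" for @ARGV;'
         . ' my @l = <STDIN>; print "  ", scalar(@l), " message lines on stdin\n";';
my @mailer = ($^X, '-e', $show, '--');

# The address from the post plus a second, constructed recipient.
my $rcpt   = 'jena&jema@example.com second.user@example.com';
my $status = send_without_shell($msg, \@mailer, split(' ', $rcpt));
print "mailer exit status: $status\n";
```

In a real script the command list would be `["$CGPBIN/sendmail", '-i']`; nothing else changes.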
From: pete at eatathome.com.au (Pete) Date: Thu Jan 12 21:21:25 2006 Subject: postfix defer_transport In-Reply-To: References: Message-ID: <3FCE7B36.2060306@eatathome.com.au> Joe Stuart wrote: >Ok so I have Maiscanner running with Postfix on a suse linux server that >scans all the messages then forwards them off to a groupwise server. I >set up Postfix and Mailscanner just like the Mailscanner insallation >guide - Postfix says. But everytime I would send mail to it the maillog >would say > >postfix/qmgr[15673]: EEBBA5A400A: to=, relay=none, >delay=1, status=deferred (deferred transport) > >So I changed the line in /etc/postfix.in/main.cf from this > >defer_transports = smtp local virtual relay > >to > >defer_transports = > >and it now works, but I'm not comfortable with it not working like the >website says. I am wondering if anyone could help me figure out why it's >not working like it is supposed to. > >Thanks, >Joe > > > > > So now mail isnt being scanned by mailscanner though is it? You need to change the main.cf back. 1.Postfix (inbound) accepts mail for processing, it defers the incoming mail eg - hold the mail and do nothing else, 2.MailScanner collect the mail and process it, place it in the outbound queue, 3. Postfix.in (outbound) then discovers mail in the queue ready for delivery, it does the smtp delivery. 
A complete log entry looks like Dec 4 11:15:35 mail01 postfix/smtpd[4713]: disconnect from gizmo06bw.bigpond.com[144.140.70.16] Dec 4 11:15:35 mail01 postfix/qmgr[25649]: EC38633BCD: to=, relay=none, delay=1, status=deferred (deferred transport) Dec 4 11:15:35 mail01 MailScanner[321]: New Batch: Scanning 1 messages, 3869 bytes Dec 4 11:15:36 mail01 MailScanner[321]: SIGPIPE received - trying new log socket Dec 4 11:15:36 mail01 MailScanner[321]: New Batch: Scanning 1 messages, 3869 bytes Dec 4 11:15:36 mail01 MailScanner[321]: Spam Checks: Starting Dec 4 11:15:39 mail01 MailScanner[321]: Virus and Content Scanning: Starting Dec 4 11:15:41 mail01 postfix/qmgr[25659]: 2C474C6E1: from=, size=3680, nrcpt=1 (queue active) Dec 4 11:15:41 mail01 MailScanner[321]: Uninfected: Delivered 1 messages Dec 4 11:15:46 mail01 postfix/smtp[4728]: 2C474C6E1: to=, relay=203.00.00.90[203.00.00.90], delay=12, status=sent (250 Message accepted for delivery) From res at AUSICS.NET Thu Dec 4 00:16:30 2003 From: res at AUSICS.NET (Res) Date: Thu Jan 12 21:21:25 2006 Subject: AOL blocking MailScanner messages! In-Reply-To: References: Message-ID: On Wed, 3 Dec 2003, ian douglas wrote: > > Which means that you never had your reverse DNS correct, or maybe something > > happened to it recently. Perhaps your upstream provider? > > > Yeah, this happened to me a few weeks ago - AOL started blocking all Emails from > my server because my reverse DNS wasn't configured correctly. > > Soon as I fixed that, it worked like a charm. It's a shame other admins don't do this, however I do support AOL on this move -- Regards, Res Network Administrator Postmaster / Abusemaster / Flamemaster http://www.ausics.net Australian Hosting Services From mkettler at EVI-INC.COM Thu Dec 4 00:55:52 2003 
From: mkettler at EVI-INC.COM (Matt Kettler) Date: Thu Jan 12 21:21:25 2006 Subject: AOL blocking MailScanner messages! In-Reply-To: References: Message-ID: <6.0.0.22.0.20031203194846.01fcbd50@xanadu.evi-inc.com> At 07:16 PM 12/3/2003, you wrote: >It's a shame other admins don't do this, however I do support AOL on this >move As do I.. Hopefully it will at least cause _some_ of the lazy network admins out there to get off their butts and set up their reverse DNS zones. Unfortunately, right now there's an awful lot of admins that are VERY bad about getting their butts in gear and making RDNS entries. I can't afford to bounce email just because the system admin of the other site is lazy, incompetent, or just massively understaffed and not getting the time to do it all. (note that said ineffective admin isn't always the same as the admin of the affected mailserver, but there's always SOMEONE who should be responsible for the RDNS that isn't getting the job done). I do however require a MX for the Mail From: address.. I figure if they don't have that much, nobody can reply to them anyway. It occasionally delays mail with DNS server outages, but no biggie, it's a 4xx error so it gets retried. From nathan at TCPNETWORKS.NET Thu Dec 4 01:31:47 2003 From: nathan at TCPNETWORKS.NET (Nathan Johanson) Date: Thu Jan 12 21:21:25 2006 Subject: Virus scanners and universities Message-ID: I've tested it w/out issue and am actually putting it into production tonight. My only knock is lack of support for recent distributions, notably Red Hat 9.0 (not really recent anymore) and Red Hat Enterprise Linux ES 3.0. http://support.ca.com/techbases/ilnt/etav70linux-prodann.html It won a recent reward for "Best Security Solution" at the Linuxworld Expo in New York. Frankly, I think the real winner should have been MailScanner. http://www3.ca.com/press/PressRelease.asp?CID=39095 Nathan -----Original Message-----
From: Thomas DuVally [mailto:tduvally@BROWN.EDU] Sent: Wed 12/3/2003 6:01 AM To: MAILSCANNER@JISCMAIL.AC.UK Cc: Subject: Re: Virus scanners and universities From jaearick at COLBY.EDU Thu Dec 4 01:46:07 2003 From: jaearick at COLBY.EDU (Jeff A. Earickson) Date: Thu Jan 12 21:21:25 2006 Subject: AOL blocking MailScanner messages! In-Reply-To: <6.0.0.22.0.20031203194846.01fcbd50@xanadu.evi-inc.com> References: <6.0.0.22.0.20031203194846.01fcbd50@xanadu.evi-inc.com> Message-ID: Gang, Are you guys talking about the "accept_unresolvable_domains" mc setting in sendmail? As of version 8.9, sendmail won't accept email from unresolvable domains unless this feature is defined. I've never enabled it at my site after sendmail 8.9 (a while ago), and I've never had any complaints about it. Or is there some other setting to reject sites lacking RDNS? We have a lot of users with Adelphia broadband at home, and Adelphia is notoriously bad about no RDNS for their cable modems. Since we run tcpwrappers in paranoid mode, I see lots of remote connections from Adelphia to our academic system rejected by tcpwrappers. Still, almost no complaints from our users. Maybe they are just timid. --- Jeff Earickson Colby College On Wed, 3 Dec 2003, Matt Kettler wrote: > Date: Wed, 3 Dec 2003 19:55:52 -0500 
> From: Matt Kettler > Reply-To: MailScanner mailing list > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: AOL blocking MailScanner messages! > > At 07:16 PM 12/3/2003, you wrote: > >It's a shame other admins don't do this, however I do support AOL on this > >move > > As do I.. Hopefully it will at least cause _some_ of the lazy network > admins out there to get off their butts and set up their reverse DNS zones. > > Unfortunately, right now there's an awful lot of admins that are VERY bad about > getting their butts in gear and making RDNS entries. I can't afford to > bounce email just because the system admin of the other site is lazy, > incompetent, or just massively understaffed and not getting the time to do > it all. > > (note that said ineffective admin isn't always the same as the admin of the > affected mailserver, but there's always SOMEONE who should be responsible > for the RDNS that isn't getting the job done). > > I do however require a MX for the Mail From: address.. I figure if they > don't have that much, nobody can reply to them anyway. It occasionally > delays mail with DNS server outages, but no biggie, it's a 4xx error so it > gets retried. > From mkettler at EVI-INC.COM Thu Dec 4 02:02:31 2003
From: mkettler at EVI-INC.COM (Matt Kettler) Date: Thu Jan 12 21:21:25 2006 Subject: AOL blocking MailScanner messages! In-Reply-To: References: <6.0.0.22.0.20031203194846.01fcbd50@xanadu.evi-inc.com> Message-ID: <6.0.0.22.0.20031203205539.02ab9a18@xanadu.evi-inc.com> At 08:46 PM 12/3/2003, Jeff A. Earickson wrote: >Gang, > Are you guys talking about the "accept_unresolvable_domains" mc setting >in sendmail? As of version 8.9, sendmail won't accept email from unresolvable >domains unless this feature is defined. I've never enabled it at my site >after sendmail 8.9 (a while ago), and I've never had any complaints about it. >Or is there some other setting to reject sites lacking RDNS? accept_unresolvable_domains has to do with being able to find a MX for the envelope's From: address.. Some distros (ie: older redhat) ship with accept_unresolvable_domains enabled, I disabled it, hence my comment that I reject unresolvable from's However, this has nothing to do with RDNS at all, and nothing to do with what AOL is doing. AOL is implementing refusal of mail from servers that do not have a reverse DNS lookup for their IP. It's not rocket science to do in sendmail, i.e. something like this: http://www.cs.niu.edu/~rickert/cf/hack/require_rdns.m4 From chris at trudeau.org Thu Dec 4 03:31:30 2003
From: chris at trudeau.org (Chris Trudeau) Date: Thu Jan 12 21:21:25 2006 Subject: postfix defer_transport In-Reply-To: Message-ID: <010801c3ba17$1bcbefb0$23c8a8c0@serv> Joe... The "deferred transport" message you received is exactly as it should be. The way a postfix installation works is as such (roughly) Postfix.in receives the message and drops it into a mail queue. MailScanner every "n" seconds scans that directory, grabs the messages out of the directory and scans them pursuant to your config. Once completed, the MailScanner process then drops the message back into the outbound postfix instance allowing delivery based on that config. This probably doesn't help, but maybe it gives you an idea... CT -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Joe Stuart Sent: Wednesday, December 03, 2003 5:32 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: postfix defer_transport Ok so I have Maiscanner running with Postfix on a suse linux server that scans all the messages then forwards them off to a groupwise server. I set up Postfix and Mailscanner just like the Mailscanner insallation guide - Postfix says. But everytime I would send mail to it the maillog would say postfix/qmgr[15673]: EEBBA5A400A: to=, relay=none, delay=1, status=deferred (deferred transport) So I changed the line in /etc/postfix.in/main.cf from this defer_transports = smtp local virtual relay to defer_transports = and it now works, but I'm not comfortable with it not working like the website says. I am wondering if anyone could help me figure out why it's not working like it is supposed to. Thanks, Joe From shrek-m at GMX.DE Thu Dec 4 07:26:52 2003 
From: shrek-m at GMX.DE (shrek-m@gmx.de) Date: Thu Jan 12 21:21:25 2006 Subject: wendy.zip - encrypted - mimail Message-ID: <3FCEE1BC.9020002@gmx.de> hi, ms and sweep don't recognize wendy.zip as mimail because it is encrypted, it should be blocked via filename/filetype http://www.sophos.com/virusinfo/analyses/w32mimaill.html $ ll wendy.zip -rw------- 1 admin admin 9903 Dec 4 08:02 wendy.zip $ md5sum wendy.zip 18aa642a0b7f275a51e31fe02d82ba35 /data4/doku/viren/wendy.zip $ sweep -archive wendy.zip [...] Password protected file wendy.zip/wendy.exe 1 file swept in 1 second. 1 error was encountered. No viruses were discovered. 1 encrypted file was not checked. -- shrek-m From tim-lists at BISHNET.NET Thu Dec 4 08:36:43 2003 From: tim-lists at BISHNET.NET (Tim Bishop) Date: Thu Jan 12 21:21:25 2006 Subject: wendy.zip - encrypted - mimail In-Reply-To: <3FCEE1BC.9020002@gmx.de> References: <3FCEE1BC.9020002@gmx.de> Message-ID: <20031204083643.GG78290@carrick.bishnet.net> On Thu, Dec 04, 2003 at 08:26:52AM +0100, shrek-m@gmx.de wrote: > $ sweep -archive wendy.zip > [...] > Password protected file wendy.zip/wendy.exe > > 1 file swept in 1 second. > 1 error was encountered. > No viruses were discovered. > 1 encrypted file was not checked. More worryingly, if you do unzip this some virus scanners don't detect the .exe file as a virus. Neither f-prot or f-secure detected the .exe as a virus, although sophos did. But as you say, that's going to be irrelevant if we can't even look inside the zip file. I guess a good compromise would be to have an option to block encrypted zip files in mailscanner? Cheers, Tim. -- Tim Bishop http://www.bishnet.net/tim PGP Key: 0x5AE7D984 From smilga at MIKROTIK.COM Thu Dec 4 09:12:13 2003
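Added example for the wendy.zip thread above (not part of the thread and not MailScanner code): the check Tim suggests, reporting ZIP members that are marked encrypted (general purpose flag bit 0) so the attachment can be blocked or quarantined by policy when the scanner cannot look inside. The function names are hypothetical and the sample archive is constructed in memory, with wendy.exe as the flagged member as in the sweep output; ZIP64 archives are not handled.

```perl
#!/usr/bin/perl
# Added example, not MailScanner code.
use strict;
use warnings;

# Return the names of ZIP members whose "encrypted" flag (general purpose
# bit 0) is set in the central directory or in the matching local header.
sub encrypted_members {
    my ($zip) = @_;
    # End-of-central-directory record: the last "PK\x05\x06" in the file,
    # 22 bytes plus an optional trailing comment.
    my $eocd = rindex($zip, "PK\x05\x06");
    die "not a ZIP archive\n" if $eocd < 0 || $eocd + 22 > length($zip);
    # Entry count at offset 10, central directory offset at 16.
    my ($total, $cd_off) = unpack('x10 v x4 V', substr($zip, $eocd, 22));

    my @hits;
    my $pos = $cd_off;
    for (1 .. $total) {
        die "truncated central directory\n" if $pos + 46 > length($zip);
        # Fixed part of a central directory entry is 46 bytes: flags at
        # offset 8, name/extra/comment lengths at 28/30/32, local header
        # offset at 42.
        my ($sig, $flags, $nlen, $elen, $clen, $lho) =
            unpack('a4 x4 v x18 v v v x8 V', substr($zip, $pos, 46));
        die "bad central directory entry at offset $pos\n"
            unless $sig eq "PK\x01\x02";
        my $name = substr($zip, $pos + 46, $nlen);

        # The local header has its own copy of the flags at offset 6. The two
        # copies can disagree in a crafted archive, so either one is enough.
        my $lflags = 0;
        if ($lho + 30 <= length($zip) && substr($zip, $lho, 4) eq "PK\x03\x04") {
            $lflags = unpack('v', substr($zip, $lho + 6, 2));
        }
        push @hits, $name if (($flags | $lflags) & 0x0001);
        $pos += 46 + $nlen + $elen + $clen;
    }
    return @hits;
}

# Build a structurally valid archive in memory (constructed sample: stored
# members, dummy CRC, no real encryption applied to the data).
sub build_sample_zip {
    my @members = @_;    # each element: [name, flags, data]
    my ($body, $cd) = ('', '');
    for my $m (@members) {
        my ($name, $flags, $data) = @$m;
        my $off = length($body);
        # Local header: sig, version, flags, method, time, date, crc,
        # compressed size, size, name length, extra length.
        $body .= pack('a4 v v v v v V V V v v', "PK\x03\x04", 20, $flags,
                      0, 0, 0, 0, length($data), length($data),
                      length($name), 0) . $name . $data;
        # Central directory entry pointing back at that local header.
        $cd .= pack('a4 v v v v v v V V V v v v v v V V', "PK\x01\x02",
                    20, 20, $flags, 0, 0, 0, 0, length($data), length($data),
                    length($name), 0, 0, 0, 0, 0, $off) . $name;
    }
    my $n = scalar @members;
    return $body . $cd . pack('a4 v v v v V V v', "PK\x05\x06", 0, 0, $n, $n,
                              length($cd), length($body), 0);
}

# Scan the file named on the command line, or the constructed sample.
my $bytes;
if (@ARGV) {
    open(my $fh, '<:raw', $ARGV[0]) or die "cannot open $ARGV[0]: $!\n";
    local $/;
    $bytes = <$fh>;
} else {
    $bytes = build_sample_zip(
        ['wendy.exe',  0x0001, "\0" x 32],    # flagged as encrypted
        ['readme.txt', 0x0000, "hello\n"],    # plain member
    );
}
my @enc = encrypted_members($bytes);
print @enc ? "BLOCK: encrypted member(s): @enc\n" : "no encrypted members\n";
exit(@enc ? 1 : 0);
```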
From: smilga at MIKROTIK.COM (Martins Smilga) Date: Thu Jan 12 21:21:25 2006 Subject: Mailscanner with Debian 3 testing References: <052b01c3b803$01c0c890$a500010a@martinsss> <06e501c3b97d$34b91060$6c01cac3@ccpaysdegex.fr> Message-ID: <096601c3ba46$b4a81fe0$a500010a@martinsss> Thanks, now it put into new directory files. I also edited mailscanner.conf and chose f-prot. Now all files just standing in /var/spool/mqueue.in directory When I do "ps -axf " I see that mailscanner is running, but I need to understand if these mails is checked by mailscanner and why they just stand in this directory, what I need to do to deliver these mails to /var/spool/mail directory for each users Martins ----- Original Message ----- From: "Sylvain Blanc - CRI du Pays De Gex et du Bassin Bellegardien" To: "MailScanner mailing list" Cc: Sent: Wednesday, December 03, 2003 11:09 AM Subject: Re: Mailscanner with Debian 3 testing > I use debian woody + sendmail + mailscanner 4.24 + f-prot + spamassassin > > In sendmail.conf change DAEMON_PARMS to > DAEMON_PARMS="-ODeliveryMode=queueonly -OQueueDirectory=/var/spool/mqueue.in > "; > That's all for sendmail > > Configure your > mailscanner.conf > > and uncomment the line > run_mailscanner=1 > in /etc/default/mailscanner > > restart sendmail > restart mailscanner > > > > > ----- Original Message -----
> From: "Martins Smilga" > To: > Sent: Monday, December 01, 2003 1:02 PM > Subject: Mailscanner with Debian 3 testing > > > > Hello, > > > > May be somone have expierence with mailscanner how to install on Debian > > testing version. > > > > I have Spammassin + Sendmail. > > > > I installed mailscanner from apitude, > > I can not find any detailed documentation how to install mailscanner on > > Debina with sendmail. > > (http://www.sng.ecs.soton.ac.uk/mailscanner/install/sendmail.shtml) > > I can find where I can change these senttings (script). > > > > May be there is other way how to put mailscanner + Debian+ sendmail > > > > > > Martins > > From martinh at SOLID-STATE-LOGIC.COM Thu Dec 4 09:18:23 2003 From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth) Date: Thu Jan 12 21:21:25 2006 Subject: AOL blocking MailScanner messages! In-Reply-To: References: <6.0.0.22.0.20031203194846.01fcbd50@xanadu.evi-inc.com> Message-ID: <3FCEFBDF.2050105@solid-state-logic.com> All there's a massive rant^Wdiscussion going on about all this on nanog as well - might be more worth while moving to this thread to that list? -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 ********************************************************************** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean. ********************************************************************** From martinh at SOLID-STATE-LOGIC.COM Thu Dec 4 09:24:15 2003 
From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth) Date: Thu Jan 12 21:21:25 2006 Subject: wendy.zip - encrypted - mimail In-Reply-To: <3FCEE1BC.9020002@gmx.de> References: <3FCEE1BC.9020002@gmx.de> Message-ID: <3FCEFD3F.3050207@solid-state-logic.com> shrek-m@gmx.de wrote: > hi, > > ms and sweep don't recognize wendy.zip as mimail because it is encrypted, > it should be blocked via filename/filetype > > http://www.sophos.com/virusinfo/analyses/w32mimaill.html > > > $ ll wendy.zip > -rw------- 1 admin admin 9903 Dec 4 08:02 wendy.zip > $ md5sum wendy.zip > 18aa642a0b7f275a51e31fe02d82ba35 /data4/doku/viren/wendy.zip > > > > $ sweep -archive wendy.zip > [...] > Password protected file wendy.zip/wendy.exe > > 1 file swept in 1 second. > 1 error was encountered. > No viruses were discovered. > 1 encrypted file was not checked. > > Hi Sophos are calling this MiMail-L http://www.sophos.com/virusinfo/analyses/w32mimaill.html and claim to detect it since 2 Dec 04.17. I guess if not let their support dept know... -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 ********************************************************************** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean. ********************************************************************** From res at AUSICS.NET Thu Dec 4 10:29:10 2003
From: res at AUSICS.NET (Res) Date: Thu Jan 12 21:21:25 2006 Subject: AOL blocking MailScanner messages! In-Reply-To: <3FCEFBDF.2050105@solid-state-logic.com> References: <6.0.0.22.0.20031203194846.01fcbd50@xanadu.evi-inc.com> <3FCEFBDF.2050105@solid-state-logic.com> Message-ID: On Thu, 4 Dec 2003, Martin Hepworth wrote: > there's a massive rant^Wdiscussion going on about all this on nanog as > well - might be more worth while moving to this thread to that list? Many of us on this 'international' list, are not on that list u mention. But I agree that this may not be the list for an ongoing discussion on it either. -- Regards, Res Network Administrator Postmaster / Abusemaster / Flamemaster http://www.ausics.net Australian Hosting Services From dbird at SGHMS.AC.UK Thu Dec 4 10:29:40 2003 
From: dbird at SGHMS.AC.UK (Daniel Bird) Date: Thu Jan 12 21:21:25 2006 Subject: AOL blocking MailScanner messages! In-Reply-To: <5.2.1.1.0.20031202152704.04d31ed8@mail.1bigthink.com> References: <3FCCE83F.7070500@sghms.ac.uk> <3FCCE83F.7070500@sghms.ac.uk> <5.2.1.1.0.20031202152704.04d31ed8@mail.1bigthink.com> Message-ID: <3FCF0C94.3080306@sghms.ac.uk> DNSAdmin wrote: > At 08:06 PM 12/2/2003 +0000, you wrote: > >> I have just tested this and found it not to be true: >> >> 220-rly-yb03.mx.aol.com ESMTP mail_relay_in-yb3.3; Tue, 02 Dec 2003 >> 15:01:11 -0500 >> 220-America Online (AOL) and its affiliated companies do not >> 220- authorize the use of its proprietary computers and computer >> 220- networks to accept, transmit, or distribute unsolicited bulk >> 220- e-mail sent from the internet. Effective immediately: AOL >> 220- may no longer accept connections from IP addresses which >> 220 have no reverse-DNS (PTR record) assigned. > > > > Which means that you never had your reverse DNS correct, or maybe > something > happened to it recently. Perhaps your upstream provider? Our RDNS resolves, and we run all our own services. This problem has now become an intermittent issue. I've now ruled out any involvement with MailScanner as it's started happening with mail from our domain which hasn't been scanned (i.e I have a rule set which does not scan mails destined for AOL) It's all very odd. If MailScanner scans the messages ALL mail gets blocked by them If it's turned off some gets blocked and some doesn't. The denial is on DATA, so I'm collecting mail to AOL so I can compare those that get blocked and those that don't. I've called and called AOL and my "ticket is being processed". Frustrated Dan > > Cheers, > Glenn > >> HELO mailscanner.biz >> 250 rly-yb03.mx.aol.com OK >> MAIL from: >> 250 OK >> RCPT to: >> 250 OK >> DATA >> 354 START MAIL INPUT, END WITH "." ON A LINE BY ITSELF
>> From: jules@jules.fm >> To: steve1@aol.com >> Date: Tue, 2 Dec 2003 18:33:41 +0000 >> Subject: This is a test message >> X-MailScanner: Found to be clean >> >> This is a test message. Please delete me. >> -- >> Jules >> . >> 250 OK >> >> which appears to say it has accepted the message. >> -- >> Julian Field >> www.MailScanner.info >> Professional Support Services at www.MailScanner.biz >> MailScanner thanks transtec Computers for their support >> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > > -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From res at AUSICS.NET Thu Dec 4 10:30:02 2003 From: res at AUSICS.NET (Res) Date: Thu Jan 12 21:21:25 2006 Subject: AOL blocking MailScanner messages! In-Reply-To: References: <6.0.0.22.0.20031203194846.01fcbd50@xanadu.evi-inc.com> Message-ID: Jeff, On Wed, 3 Dec 2003, Jeff A. Earickson wrote: > Gang, > Are you guys talking about the "accept_unresolvable_domains" mc setting We are talking about enforcement of RFC1912 -- Regards, Res Network Administrator Postmaster / Abusemaster / Flamemaster http://www.ausics.net Australian Hosting Services From Ulysees at ULYSEES.COM Thu Dec 4 11:22:26 2003 From: Ulysees at ULYSEES.COM (Ulysees) Date: Thu Jan 12 21:21:25 2006 Subject: Log permitted filenames Message-ID: <001401c3ba58$e580fcb0$3201010a@nimitz> Don't know if this already exists or not but I'm looking to get a bit more out of the log permitted filenames option. Currently it generates Dec 2 06:55:16 $hostname MailScanner[11630]: Filename Checks: Windows/DOS Executable (patch.exe) What I think would be really usefull would be Dec 2 06:55:16 $hostname MailScanner[11630]: Filename Checks: Windows/DOS Executable (patch.exe) in $msgid Any ideas ? Uly From mailscanner at ecs.soton.ac.uk Thu Dec 4 11:43:36 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:25 2006 Subject: Log permitted filenames In-Reply-To: <001401c3ba58$e580fcb0$3201010a@nimitz> References: <001401c3ba58$e580fcb0$3201010a@nimitz> Message-ID: <6.0.1.1.2.20031204114227.093dd948@imap.ecs.soton.ac.uk> At 11:22 04/12/2003, you wrote: >Don't know if this already exists or not but I'm looking to get a bit more >out of the log permitted filenames option. >Currently it generates >Dec 2 06:55:16 $hostname MailScanner[11630]: Filename Checks: Windows/DOS >Executable (patch.exe) >What I think would be really usefull would be >Dec 2 06:55:16 $hostname MailScanner[11630]: Filename Checks: Windows/DOS >Executable (patch.exe) in $msgid > >Any ideas ? > >Uly Steve F -- Will this change upset MailWatch at all? I don't want to break anything... To get the extra logging, apply this patch to SweepOther.pm : --- SweepOther.pm.old 2003-12-04 11:42:28.000000000 +0000 +++ SweepOther.pm 2003-12-04 11:42:43.000000000 +0000 @@ -197,8 +197,8 @@ #print STDERR "\"$attach\" matched \"$regexp\" or \"$safename\" did\n"; if ($allowdeny =~ 'deny') { # It's a rejection rule, so log the error. - MailScanner::Log::InfoLog("Filename Checks: %s (%s)", - $logtext, $attach); + MailScanner::Log::InfoLog("Filename Checks: %s (%s) in %s", + $logtext, $attach, $id); $message->{namereports}{$safename} .= "$usertext ($safename)\n"; $message->{nametypes}{$safename} .= "f"; $counter++; -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From raymond at PROLOCATION.NET Thu Dec 4 11:56:23 2003 
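Review bot: In the changed InfoLog call of the SweepOther.pm patch above, the message id is appended after the parenthesised $attach, which is the sender-supplied attachment name, so a filename that itself contains text such as ") in something" leaves the tail of the log line ambiguous for anyone grepping or parsing by id. Suggest putting $id before the filename, or logging $safename (already used for the report two lines further down) instead of $attach. The hunk also does not show where $id is set in this scope, which is worth confirming, and the new "in %s" suffix changes the "Filename Checks:" line format that log parsers such as MailWatch may match on.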
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:21:25 2006 Subject: Log permitted filenames In-Reply-To: <6.0.1.1.2.20031204114227.093dd948@imap.ecs.soton.ac.uk> Message-ID: Hi! > Steve F -- Will this change upset MailWatch at all? I don't want to break > anything... > > To get the extra logging, apply this patch to SweepOther.pm : > > --- SweepOther.pm.old 2003-12-04 11:42:28.000000000 +0000 > +++ SweepOther.pm 2003-12-04 11:42:43.000000000 +0000 > @@ -197,8 +197,8 @@ > #print STDERR "\"$attach\" matched \"$regexp\" or \"$safename\" > did\n"; > if ($allowdeny =~ 'deny') { > # It's a rejection rule, so log the error. > - MailScanner::Log::InfoLog("Filename Checks: %s (%s)", > - $logtext, $attach); > + MailScanner::Log::InfoLog("Filename Checks: %s (%s) in %s", > + $logtext, $attach, $id); > $message->{namereports}{$safename} .= "$usertext ($safename)\n"; > $message->{nametypes}{$safename} .= "f"; > $counter++; If it doesnt break anything it would be a nice addiction, since its hard to track down messages now. =) with the msgid its pretty simple to grep around. Bye, Raymond. From raymond at PROLOCATION.NET Thu Dec 4 12:03:09 2003 From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:21:25 2006 Subject: Log permitted filenames In-Reply-To: Message-ID: Hi! > If it doesnt break anything it would be a nice addiction, since its hard ^ Addition... Bye, Raymond. From dot at DOTAT.AT Thu Dec 4 12:03:07 2003 From: dot at DOTAT.AT (Tony Finch) Date: Thu Jan 12 21:21:25 2006 Subject: Log permitted filenames In-Reply-To: Message-ID: Ulysees wrote: > >What I think would be really usefull would be >Dec 2 06:55:16 $hostname MailScanner[11630]: Filename Checks: Windows/DOS >Executable (patch.exe) in $msgid I have a pile of patches to make tracking message-IDs possible. Here's a selection related to file types and names... --- SweepOther.pm 4 Jul 2003 18:08:28 -0000 1.1.1.6 +++ SweepOther.pm 7 Aug 2003 09:38:46 -0000 1.7 
@@ -195,19 +196,20 @@ $MatchFound = 1; if ($allowdeny eq 'deny') { # It's a rejection rule, so log the error. - MailScanner::Log::InfoLog("Filename Checks: %s (%s)", - $logtext, $attach); + MailScanner::Log::InfoLog("Filename Checks: %s (%s %s)", + $logtext, $id, $attach); $message->{namereports}{$safename} .= "$usertext ($safename)\n"; $message->{nametypes}{$safename} .= "f"; $counter++; $message->{nameinfected}++; } else { - MailScanner::Log::InfoLog("Filename Checks: Allowing %s", $safename) + MailScanner::Log::InfoLog("Filename Checks: Allowing %s %s", + $id, $safename) if $LogNames; } } - MailScanner::Log::InfoLog("Filename Checks: Allowing %s " . - "(no rule matched)", $safename) + MailScanner::Log::InfoLog("Filename Checks: Allowing %s %s " . + "(no rule matched)", $id, $safename) if $LogNames && !$MatchFound; } } @@ -348,14 +350,15 @@ $MatchFound = 1; if ($allowdeny eq 'deny') { # It's a rejection rule, so log the error. - MailScanner::Log::InfoLog("Filetype Checks: %s (%s)", - $logtext, $attach); + MailScanner::Log::InfoLog("Filetype Checks: %s (%s %s)", + $logtext, $id, $attach); $message->{namereports}{$safename} .= "$usertext ($safename)\n"; $message->{nametypes}{$safename} .= "f"; $counter++; $message->{nameinfected}++; } else { - MailScanner::Log::InfoLog("Filetype Checks: Allowing %s", $safename) + MailScanner::Log::InfoLog("Filetype Checks: Allowing %s %s", + $id, $safename) if $LogTypes; } } Tony. -- f.a.n.finch http://dotat.at/ THE WASH TO NORTH FORELAND: NORTHEAST 5 OR 6, PERHAPS INCREASING LOCALLY 7 FOR A TIME, LATER VEERING EAST AND DECREASING 3 OR 4 OCCASIONALLY 5. RATHER HAZY. MODERATE OR GOOD. MODERATE BUILDING LOCALLY ROUGH, LATER DECAYING SLIGHT TO MODERATE. From dbird at SGHMS.AC.UK Thu Dec 4 12:15:47 2003 
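Review bot: In the @@ -195,19 +196,20 @@ hunk of SweepOther.pm the deny branch still logs $attach where both "Allowing" calls log $safename, so the line an operator is most likely to act on is the one carrying the sender-chosen name as received. Logging $safename there as well, or both names, would make the three calls consistent. Placing $id first inside the parentheses is the right order because it keeps the id ahead of that text. The changed message format deserves a line in the change log for anyone who parses these entries.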
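Review bot: A "(no rule matched)" call for Filetype checks is not covered by the @@ -348,14 +350,15 @@ hunk. The Filename hunk before it updates three InfoLog calls, this one only two, and it ends at the closing braces, so if the filetype code has a matching "(no rule matched)" call just below, that call would still log without the id. Worth checking and, if it exists, giving it the same "Allowing %s %s" form with $id first.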
From: dbird at SGHMS.AC.UK (Daniel Bird)
Date: Thu Jan 12 21:21:25 2006
Subject: blocked conent problem in 4.25-14
Message-ID: <3FCF2573.9020303@sghms.ac.uk>

This is a snippet from MailScanner.conf

Allow IFrame Tags = /etc/MailScanner/rules/iframe.tags.rules
Log IFrame Tags = yes
Allow Form Tags =/etc/MailScanner/rules/form.tags.rules
Allow Object Codebase Tags = /etc/MailScanner/rules/codebase.tags.rules
Convert Dangerous HTML To Text = yes
Convert HTML To Text = no

/etc/MailScanner/rules/iframe.tags.rules contains:

From: *@nature.com yes
From: *@info.nature.com yes
FromTo: default no

so according to the comments we should be hitting the last option below for messages from nature.com:

# Allow...Tags  Convert Danger...  Action Taken on HTML Message
# ============  =================  ============================
# no            no                 Blocked
# no            yes                Blocked
# disarm        no                 Specified HTML tags disarmed
# disarm        yes                Specified HTML tags disarmed
# yes           no                 Nothing, allowed to pass
*# yes          yes                All HTML tags stripped*

But our users are still getting Blocked content reports on email from nature.com containing I-Frame tags.

i.e.:

At Thu Dec 4 08:32:22 2003 the content filters said:
MailScanner: Found dangerous IFrame tag in HTML message

This worked previously on 4-22 (upgraded to 4-25-14 yesterday)
Anyone have any ideas where I'm going wrong?

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

From shrek-m at GMX.DE Thu Dec 4 12:20:23 2003
From: shrek-m at GMX.DE (shrek-m@gmx.de) Date: Thu Jan 12 21:21:25 2006 Subject: wendy.zip - encrypted - mimail In-Reply-To: <3FCEFD3F.3050207@solid-state-logic.com> References: <3FCEE1BC.9020002@gmx.de> <3FCEFD3F.3050207@solid-state-logic.com> Message-ID: <3FCF2687.5070202@gmx.de> Martin Hepworth wrote: > shrek-m@gmx.de wrote: > >> http://www.sophos.com/virusinfo/analyses/w32mimaill.html > > Sophos are calling this MiMail-L > > http://www.sophos.com/virusinfo/analyses/w32mimaill.html > > and claim to detect it since 2 Dec 04.17. > > I guess if not let their support dept know... done, together with my email to this list. apropos, mimail-l was detected without problems but not mimail-m http://www.sophos.com/virusinfo/analyses/w32mimailm.html mimail-m will be recogniced since *today* $ sweep -archive -mime /data4/doku/viren/mimail/ Password protected file /data4/doku/viren/mimail/wendy-encrypted.eml/wendy.zip/wendy.exe >>> Virus 'W32/Mimail-M' found in file /data4/doku/viren/mimail/wendy-encrypted.eml/wendy.zip Password protected file /data4/doku/viren/mimail/wendy.zip/wendy.exe >>> Virus 'W32/Mimail-M' found in file /data4/doku/viren/mimail/wendy.zip 2 files swept in 1 second. 2 errors were encountered. 2 viruses were discovered. 2 files out of 2 were infected. -- shrek-m From martinh at SOLID-STATE-LOGIC.COM Thu Dec 4 12:25:45 2003 
From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth) Date: Thu Jan 12 21:21:25 2006 Subject: wendy.zip - encrypted - mimail In-Reply-To: <3FCF2687.5070202@gmx.de> References: <3FCEE1BC.9020002@gmx.de> <3FCEFD3F.3050207@solid-state-logic.com> <3FCF2687.5070202@gmx.de> Message-ID: <3FCF27C9.8060106@solid-state-logic.com> > > done, > together with my email to this list. > > apropos, mimail-l was detected without problems but not mimail-m > http://www.sophos.com/virusinfo/analyses/w32mimailm.html > > mimail-m will be recogniced since *today* > > > $ sweep -archive -mime /data4/doku/viren/mimail/ > > Password protected file > /data4/doku/viren/mimail/wendy-encrypted.eml/wendy.zip/wendy.exe > >>> Virus 'W32/Mimail-M' found in file > /data4/doku/viren/mimail/wendy-encrypted.eml/wendy.zip > Password protected file /data4/doku/viren/mimail/wendy.zip/wendy.exe > >>> Virus 'W32/Mimail-M' found in file /data4/doku/viren/mimail/wendy.zip > > 2 files swept in 1 second. > 2 errors were encountered. > 2 viruses were discovered. > 2 files out of 2 were infected. > > -- > shrek-m yeah I saw an update come in this morning...I dunno if clamAV works better, nothing triggered either overnight so... -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 ********************************************************************** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean. ********************************************************************** From jaearick at COLBY.EDU Thu Dec 4 12:27:18 2003 
From: jaearick at COLBY.EDU (Jeff A. Earickson) Date: Thu Jan 12 21:21:25 2006 Subject: Log permitted filenames In-Reply-To: References: Message-ID: > Date: Thu, 4 Dec 2003 12:03:07 +0000 > From: Tony Finch > Reply-To: MailScanner mailing list > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Log permitted filenames > > Ulysees wrote: > > > >What I think would be really usefull would be > >Dec 2 06:55:16 $hostname MailScanner[11630]: Filename Checks: Windows/DOS > >Executable (patch.exe) in $msgid > > I have a pile of patches to make tracking message-IDs possible. Here's > a selection related to file types and names... > Julian, I second this effort. The more that the message-id appears in mailScanner syslogs, the happier I am. I routinely grep for msg ids to find out what happened to a piece of email, MS actions should appear in that output. Jeff Earickson Colby College From dbird at SGHMS.AC.UK Thu Dec 4 12:34:17 2003 From: dbird at SGHMS.AC.UK (Daniel Bird) Date: Thu Jan 12 21:21:25 2006 Subject: blocked conent problem in 4.25-14 In-Reply-To: <3FCF2573.9020303@sghms.ac.uk> References: <3FCF2573.9020303@sghms.ac.uk> Message-ID: <3FCF29C9.3060507@sghms.ac.uk> Daniel Bird wrote: > This is a snippet from MailScanner.conf > > Allow IFrame Tags = /etc/MailScanner/rules/iframe.tags.rules > Log IFrame Tags = yes > Allow Form Tags =/etc/MailScanner/rules/form.tags.rules > Allow Object Codebase Tags = /etc/MailScanner/rules/codebase.tags.rules > Convert Dangerous HTML To Text = yes > Convert HTML To Text = no > > /etc/MailScanner/rules/iframe.tags.rules contains: > From: *@nature.com yes 
> From: *@info.nature.com yes > FromTo: default no > > so according to the comments we should be hitting the last option below > for messages from nature.com > : > # Allow...Tags Convert Danger... Action Taken on HTML Message > # ============ ================= ============================ > # no no Blocked > # no yes Blocked > # disarm no Specified HTML tags disarmed > # disarm yes Specified HTML tags disarmed > # yes no Nothing, allowed to pass > *# yes yes All HTML tags stripped** > * > > But our users are still getting Blocked content reports on email from > nature.com containing I-Frame tags. > > ie: > > At Thu Dec 4 08:32:22 2003 the content filters said: > MailScanner: Found dangerous IFrame tag in HTML message > > > This worked previously on 4-22 (upgraded to 4-25-14 yesterday) > Anyone have any idea's where I'm going wrong? Sorry to reply to my own posting, but I think I've figured it. It looks like nature.com has changed the way they send mail shots (or this a new one which we haven't seen before). The envelope address was not the same as listed in the email (as was previously). I've added the new address to the rules file, so all should be well. Regards -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From mailscanner at ecs.soton.ac.uk Thu Dec 4 12:38:13 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:25 2006 Subject: Svar: Norman Scanner? In-Reply-To: <3FCE312E.3070307@uptime.at> References: <3FCE312E.3070307@uptime.at> Message-ID: <6.0.1.1.2.20031204123755.092ae5b8@imap.ecs.soton.ac.uk> At 18:53 03/12/2003, you wrote: >-----BEGIN PGP SIGNED MESSAGE----- >Hash: RIPEMD160 > >Jan Elmqvist Nielsen wrote: > >>http://www.norman.com/de/news/031126.shtml?menulang=de >> >>in german langauge >> >>/jan elmqvist nielsen >And the download link seems to be >http://www.norman.com/download_nvc_linux.shtml?menulang=de# > >am I seeing this right? I sit utilizing Java ? They are just about to produce a version which does not require Java for entering the licence key. Yay! :-) -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Thu Dec 4 12:45:34 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:25 2006 Subject: Log permitted filenames In-Reply-To: References: Message-ID: <6.0.1.1.2.20031204124522.092afcf0@imap.ecs.soton.ac.uk> All adopted into the main source tree. Will be in the next release. At 12:03 04/12/2003, you wrote: >Ulysees wrote: > > > >What I think would be really usefull would be > >Dec 2 06:55:16 $hostname MailScanner[11630]: Filename Checks: Windows/DOS > >Executable (patch.exe) in $msgid > >I have a pile of patches to make tracking message-IDs possible. Here's >a selection related to file types and names... > >--- SweepOther.pm 4 Jul 2003 18:08:28 -0000 1.1.1.6 >+++ SweepOther.pm 7 Aug 2003 09:38:46 -0000 1.7 
>@@ -195,19 +196,20 @@ > $MatchFound = 1; > if ($allowdeny eq 'deny') { > # It's a rejection rule, so log the error. >- MailScanner::Log::InfoLog("Filename Checks: %s (%s)", >- $logtext, $attach); >+ MailScanner::Log::InfoLog("Filename Checks: %s (%s %s)", >+ $logtext, $id, $attach); > $message->{namereports}{$safename} .= "$usertext ($safename)\n"; > $message->{nametypes}{$safename} .= "f"; > $counter++; > $message->{nameinfected}++; > } else { >- MailScanner::Log::InfoLog("Filename Checks: Allowing %s", >$safename) >+ MailScanner::Log::InfoLog("Filename Checks: Allowing %s %s", >+ $id, $safename) > if $LogNames; > } > } >- MailScanner::Log::InfoLog("Filename Checks: Allowing %s " . >- "(no rule matched)", $safename) >+ MailScanner::Log::InfoLog("Filename Checks: Allowing %s %s " . >+ "(no rule matched)", $id, $safename) > if $LogNames && !$MatchFound; > } > } 
>@@ -348,14 +350,15 @@ > $MatchFound = 1; > if ($allowdeny eq 'deny') { > # It's a rejection rule, so log the error. >- MailScanner::Log::InfoLog("Filetype Checks: %s (%s)", >- $logtext, $attach); >+ MailScanner::Log::InfoLog("Filetype Checks: %s (%s %s)", >+ $logtext, $id, $attach); > $message->{namereports}{$safename} .= "$usertext ($safename)\n"; > $message->{nametypes}{$safename} .= "f"; > $counter++; > $message->{nameinfected}++; > } else { >- MailScanner::Log::InfoLog("Filetype Checks: Allowing %s", >$safename) >+ MailScanner::Log::InfoLog("Filetype Checks: Allowing %s %s", >+ $id, $safename) > if $LogTypes; > } > } > > >Tony. >-- >f.a.n.finch http://dotat.at/ >THE WASH TO NORTH FORELAND: NORTHEAST 5 OR 6, PERHAPS INCREASING LOCALLY 7 FOR >A TIME, LATER VEERING EAST AND DECREASING 3 OR 4 OCCASIONALLY 5. RATHER HAZY. >MODERATE OR GOOD. MODERATE BUILDING LOCALLY ROUGH, LATER DECAYING SLIGHT TO >MODERATE. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From steve.freegard at LBSLTD.CO.UK Thu Dec 4 12:49:23 2003 From: steve.freegard at LBSLTD.CO.UK (Steve Freegard) Date: Thu Jan 12 21:21:25 2006 Subject: Log permitted filenames Message-ID: <67D9E7698329D411936E00508B6590B902773D1E@neelix.lbsltd.co.uk> Nope ... It shouldn't make any difference to MailWatch as I don't scrape the maillog for anything MailScanner related - I get everything I need from the database. Cheers, Steve. -----Original Message----- 
From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] Sent: 04 December 2003 11:44 To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Log permitted filenames At 11:22 04/12/2003, you wrote: >Don't know if this already exists or not but I'm looking to get a bit >more out of the log permitted filenames option. Currently it generates >Dec 2 06:55:16 $hostname MailScanner[11630]: Filename Checks: Windows/DOS >Executable (patch.exe) >What I think would be really usefull would be >Dec 2 06:55:16 $hostname MailScanner[11630]: Filename Checks: Windows/DOS >Executable (patch.exe) in $msgid > >Any ideas ? > >Uly Steve F -- Will this change upset MailWatch at all? I don't want to break anything... To get the extra logging, apply this patch to SweepOther.pm : --- SweepOther.pm.old 2003-12-04 11:42:28.000000000 +0000 +++ SweepOther.pm 2003-12-04 11:42:43.000000000 +0000 @@ -197,8 +197,8 @@ #print STDERR "\"$attach\" matched \"$regexp\" or \"$safename\" did\n"; if ($allowdeny =~ 'deny') { # It's a rejection rule, so log the error. - MailScanner::Log::InfoLog("Filename Checks: %s (%s)", - $logtext, $attach); + MailScanner::Log::InfoLog("Filename Checks: %s (%s) in %s", + $logtext, $attach, $id); $message->{namereports}{$safename} .= "$usertext ($safename)\n"; $message->{nametypes}{$safename} .= "f"; $counter++; -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -- This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the sender and delete the message from your mailbox. This footnote also confirms that this email message has been swept by MailScanner (www.mailscanner.info) for the presence of computer viruses. From raymond at PROLOCATION.NET Thu Dec 4 13:15:30 2003 
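The per-message tracing this thread asks for, as an added example (not code from MailScanner or from any poster): a Python parser for the Filename/Filetype check lines in the id-first format of Tony Finch's patch, grouping events by message id. The Exim-style id pattern, the host name and the sample log lines are constructed assumptions.

```python
import re
from collections import defaultdict

# Assumption: Exim-style queue ids (6-6-2 base-62 characters). Adjust for other MTAs.
MSG_ID = r"[0-9A-Za-z]{6}-[0-9A-Za-z]{6}-[0-9A-Za-z]{2}"

# Syslog prefix as it appears in the thread: "Dec  2 06:55:16 host MailScanner[11630]: ..."
SYSLOG = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"MailScanner\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# "Filename Checks: Allowing <id> <safename>[ (no rule matched)]"
ALLOW = re.compile(
    r"^(?P<check>Filename|Filetype) Checks: Allowing (?P<id>" + MSG_ID + r") "
    r"(?P<name>.*?)(?P<nomatch> \(no rule matched\))?$"
)
# "Filename Checks: <rule log text> (<id> <attachment name>)"
DENY = re.compile(
    r"^(?P<check>Filename|Filetype) Checks: (?P<logtext>.*?) "
    r"\((?P<id>" + MSG_ID + r") (?P<name>.*)\)$"
)


def parse_line(line):
    """Return one event dict for a Filename/Filetype check line, else None."""
    outer = SYSLOG.match(line.rstrip("\n"))
    if not outer:
        return None
    msg = outer.group("msg")
    # Allow form first; the deny form starts with free-text rule description.
    m = ALLOW.match(msg)
    if m:
        verdict = "allow-no-rule" if m.group("nomatch") else "allow"
        reason = None
    else:
        m = DENY.match(msg)
        if not m:
            return None
        verdict, reason = "deny", m.group("logtext")
    return {
        "ts": outer.group("ts"),
        "pid": int(outer.group("pid")),
        "check": m.group("check"),
        "verdict": verdict,
        "reason": reason,
        # The id is read only from its fixed slot, never from the file name,
        # because the attachment name is chosen by the sender.
        "id": m.group("id"),
        "name": m.group("name"),
    }


def timeline(lines):
    """Group check events by message id; also return the lines that did not parse."""
    by_id, skipped = defaultdict(list), []
    for line in lines:
        event = parse_line(line)
        if event is None:
            skipped.append(line)
        else:
            by_id[event["id"]].append(event)
    return dict(by_id), skipped


def denied_names(by_id):
    """Map each message id to the attachment names a deny rule matched."""
    out = {}
    for msg_id, events in by_id.items():
        names = [e["name"] for e in events if e["verdict"] == "deny"]
        if names:
            out[msg_id] = names
    return out


# Constructed sample lines (not taken from a real log).
SAMPLE = [
    "Dec  4 13:02:11 mx1 MailScanner[358]: Filename Checks: Allowing "
    "1AbCdE-0001Xy-7Q msg-358-70.txt (no rule matched)",
    "Dec  4 13:02:11 mx1 MailScanner[358]: Filename Checks: Windows/DOS "
    "Executable (1AbCdE-0001Xy-7Q patch.exe)",
    "Dec  4 13:02:12 mx1 MailScanner[358]: Filetype Checks: Allowing "
    "1ZzYyX-0002Ab-3C wendy.zip",
    # File name that itself contains text shaped like another message's id.
    "Dec  4 13:02:12 mx1 MailScanner[358]: Filename Checks: Windows/DOS "
    "Executable (1ZzYyX-0002Ab-3C notes (see 1AbCdE-0001Xy-7Q).pif)",
    # Pre-patch format without an id: reported as unparsed, not guessed at.
    "Dec  3 22:38:06 mx1 MailScanner[358]: Filename Checks: Allowing wendy.zip",
]

if __name__ == "__main__":
    by_id, skipped = timeline(SAMPLE)
    for msg_id, events in by_id.items():
        for e in events:
            print(msg_id, e["ts"], e["check"], e["verdict"], repr(e["name"]))
    print("unparsed:", len(skipped))
```

A plain grep for 1AbCdE-0001Xy-7Q would also return the fourth sample line because the id text appears inside the file name; the parser files that event under the id found in the fixed slot.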
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:21:25 2006
Subject: Svar: Norman Scanner?
In-Reply-To: <6.0.1.1.2.20031204123755.092ae5b8@imap.ecs.soton.ac.uk>
Message-ID:

Hi!

> >am I seeing this right? I sit utilizing Java ?
> They are just about to produce a version which does not require Java for
> entering the licence key. Yay! :-)

If that's available I would love to try. Did anyone speedtest this product yet?

Bye,
Raymond.

From steinkel at PA.NET Thu Dec 4 13:57:58 2003
From: steinkel at PA.NET (Leland J. Steinke)
Date: Thu Jan 12 21:21:25 2006
Subject: John Rudd's ms2cgp and cgp2ms
References: <18424211843.20031203144921@ntin.net> <15528128062.20031203155441@ntin.net>
Message-ID: <3FCF3D66.9070704@pa.net>

NTIN Page Guy wrote:
> Hello NTIN,
>
> Strange, I posted this message hours ago and it just now appeared.
>
> John pointed out that my fix below breaks messages that are addressed to
> multiple recipients.

For my early postfix integration hack, I solved the same problem with a fork() and exec(). Here is the relevant code. Since I did some minor header processing earlier in the script, the headers were already available in a variable. You will have to adapt to how ms2cgp does things.

8<=============
$cmd = "/usr/sbin/sendmail";
open(DATFILE, "$outgoing_spool/df$id") || die("no such id as $id");
$pid = open(INSERT, "|-");  # fork; the child's STDIN is the read end of the pipe
die("cannot fork: $!") unless defined $pid;
$SIG{ALRM} = sub { die "pipe broke" };
if ($pid) {  # parent: write the headers, then the message body, to the child
  print INSERT "$headers\n";
  while (<DATFILE>) {
    print INSERT;
  }
  close(INSERT) || die "$cmd exited $?";
} else {  # child: list-form exec, so no shell parses $from or @to
  exec($cmd, '-f', $from, '--', @to) || die("cannot exec $cmd");
}
close DATFILE;
8<==============

I hope this helps.

Leland

From steinkel at PA.NET Thu Dec 4 14:01:17 2003
From: steinkel at PA.NET (Leland J. Steinke) Date: Thu Jan 12 21:21:25 2006 Subject: Virus scanners and universities References: Message-ID: <3FCF3E2D.3070708@pa.net> Nathan Johanson wrote: > > It won a recent reward for "Best Security Solution" at the Linuxworld Expo in New York. Frankly, I think the real winner should have been MailScanner. > > http://www3.ca.com/press/PressRelease.asp?CID=39095 MailScanner does not sponsor trade shows! ;-) Leland From dot at DOTAT.AT Thu Dec 4 13:52:33 2003 From: dot at DOTAT.AT (Tony Finch) Date: Thu Jan 12 21:21:25 2006 Subject: Log permitted filenames In-Reply-To: References: Message-ID: Julian Field wrote: >All adopted into the main source tree. Will be in the next release. I have some more along the same lines, partly for spotting which instance of MailScanner processed a particular message, and partly just general extra message tracking. I'm fairly sure I've posted this before (but probably buried in other stuff). I haven't included the patch to ConfigDefs.pl because it's a pain to unpick from my other changes. Tony. -- f.a.n.finch http://dotat.at/ NORTH FORELAND TO SELSEY BILL: NORTHEAST 5 TO 7 LOCALLY GALE 8 LATER VEERING EAST AND DECREASING 4 OR 5. RATHER HAZY WITH SOME PATCHY DRIZZLE AT TIMES. MODERATE OR GOOD. MODERATE TO ROUGH DECAYING MODERATE. --- Exim.pm 4 Jul 2003 18:08:28 -0000 1.1.1.8 +++ Exim.pm 8 Jul 2003 16:25:12 -0000 1.20 @@ -1320,6 +1321,8 @@ $HitLimit4 = 1 if $DirtyBytes>=$MaxDirtyB; $newmessage->WriteHeaderFile(); # Write the file of headers + MailScanner::Log::InfoLog("New Message: $id to be scanned") + if MailScanner::Config::Value('logmessageids'); } else { $newmessage->NeedsScanning(0); $CleanMsgs++; 
@@ -1329,6 +1332,8 @@ $HitLimit2 = 1 if $CleanBytes>=$MaxCleanB; $newmessage->WriteHeaderFile(); # Write the file of headers + MailScanner::Log::InfoLog("New Message: $id to be forwarded") + if MailScanner::Config::Value('logmessageids'); } } --- MessageBatch.pm 4 Jul 2003 18:08:28 -0000 1.1.1.6 +++ MessageBatch.pm 26 Aug 2003 09:44:27 -0000 1.12 @@ -231,9 +241,13 @@ # or the HTML stripping. if ($message->{bodymodified}) { $message->DeliverModifiedBody('unscannedheader'); + MailScanner::Log::InfoLog("Delivered modified message $id") + if MailScanner::Config::Value('logmessageids'); } else { $OutQ = MailScanner::Config::Value('outqueuedir', $message); $message->DeliverUnscanned($OutQ); + MailScanner::Log::InfoLog("Delivered unscanned message $id") + if MailScanner::Config::Value('logmessageids'); } $message->{deleted} = 1; # This marks it for purging from disk push @messages, $message; @@ -465,6 +479,8 @@ next if $message->{infected}; #print STDERR "Delivering uninfected message $id\n"; $message->DeliverUninfected(); + MailScanner::Log::InfoLog("Delivered uninfected message $id") + if MailScanner::Config::Value('logmessageids'); $message->{deleted} = 1; push @messages, $message; } @@ -531,6 +547,11 @@ $message->DeliverCleaned(); #print STDERR "Deleting silent-infected message " . $message->{id} . "\n"; push @messages, $message; + MailScanner::Log::InfoLog("Delivering message $id with silent virus") + if MailScanner::Config::Value('logmessageids'); + } else { + MailScanner::Log::InfoLog("DISCARDED message $id with silent virus") + if MailScanner::Config::Value('logmessageids'); } $message->{deleted} = 1; $message->{stillwarn} = 1; 
@@ -557,6 +578,8 @@ #print STDERR "Deleting cleaned message " . $message->{id} . "\n"; # BUGFIX: JKF $message->{deleted} = 1; push @messages, $message; + MailScanner::Log::InfoLog("Delivering cleaned message $id") + if MailScanner::Config::Value('logmessageids'); } MailScanner::Mail::TellAbout(@messages); From mailscanner at LISTS.COM.AR Thu Dec 4 14:53:41 2003 
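Review bot: Both added calls in Exim.pm interpolate $id into the first argument ("New Message: $id to be scanned") instead of passing it as a parameter. The SweepOther.pm calls earlier in this thread show InfoLog taking a format string followed by arguments, so a literal % in the interpolated value would be read as a directive. Writing "New Message: %s to be scanned", $id avoids that and matches the existing style; the same applies to every InfoLog call added in MessageBatch.pm.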
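Review bot: In the MessageBatch.pm @@ -231,9 +241,13 @@ hunk, Config::Value('logmessageids') is called without $message while the neighbouring Config::Value('outqueuedir', $message) passes it. If that second argument is what lets a setting vary per message, the new option will not, which should be stated where the option is documented, or $message should be passed. The option is defined in the ConfigDefs.pl change that the message says is not included, so this patch needs that definition alongside it before the new log lines can be switched on.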
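Review bot: In the @@ -531,6 +547,11 @@ and @@ -557,6 +578,8 @@ hunks of MessageBatch.pm the added lines log $id, but the commented-out debug prints beside them use $message->{id}, which suggests $id may not be assigned in these loops (the debug print in the @@ -465,6 +479,8 @@ hunk does use $id). Confirm $id is set here or log $message->{id}; an empty or stale id on a "DISCARDED" or "Delivering cleaned" line would mislead anyone tracing a message.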
From: mailscanner at LISTS.COM.AR (Mariano Absatz) Date: Thu Jan 12 21:21:25 2006 Subject: wendy.zip - encrypted - mimail In-Reply-To: <3FCF27C9.8060106@solid-state-logic.com> References: <3FCF2687.5070202@gmx.de> Message-ID: <3FCF2045.28322.52C1740@localhost> Yesterday, minutes before 17:00 hs local (20:00 GMT) I got the latest McAffe update. From the readme (graciously logged by Tony's mcaffee- autoupdate): # Product Release: December 3, 2003 # # - DAT Version: 4307 # - Engine Version: 4.2.60 ... # NEW DETECTIONS ... # INTERNET WORM (33) # ------------------ ... # W32/MIMAIL.L@MM <-- ... # NEW REMOVALS # INTERNET WORM (33) # ------------------ ... # W32/MIMAIL.L@MM <-- ... However, later yesternight, a wendy.zip passed thru... would that be innocuous? or a newer version of mimail? here's the log: Dec 3 22:38:06 alerce MailScanner[358]: Virus and Content Scanning: Starting Dec 3 22:38:06 alerce MailScanner[358]: Filename Checks: Allowing wendy.zip Dec 3 22:38:06 alerce MailScanner[358]: Filename Checks: Allowing msg-358-70.txt Dec 3 22:38:06 alerce MailScanner[358]: Filetype Checks: Allowing wendy.zip Dec 3 22:38:06 alerce MailScanner[358]: Filetype Checks: Allowing msg-358-70.txt Dec 3 22:38:06 alerce MailScanner[358]: ZM: message 1612517 renamed into 1563662 Dec 3 22:38:06 alerce MailScanner[358]: Uninfected: Delivered 1 messages :-( NAI says ( http://vil.nai.com/vil/content/v_100856.htm ) that mimail.m is detected by 4307... however, I don't find it in the logs of the readme's: $ grep -i mimail mcaffee-autoupdate.log # W32/MIMAIL.C@MM <-- # W32/MIMAIL.C@MM <-- # W32/MIMAIL.I@MM <-- # W32/MIMAIL.I.HTA # W32/MIMAIL.I@MM <-- # W32/MIMAIL.I.HTA # W32/MIMAIL.HTA # W32/MIMAIL.I!DATA # W32/MIMAIL.J@MM <-- # W32/MIMAIL.J@MM <-- # W32/MIMAIL.L@MM <-- # W32/MIMAIL.L@MM <-- Does anyone have a copy of mimail.l & mimail.m that would like to send to me so I can test it? 
(please contact me off-list so I tell you to which address) Otherwise, a sample of possible subjects might help me find one thru one of my unprotected spamtraps TIA El 4 Dec 2003 a las 12:25, Martin Hepworth escribi?: > > > > done, > > together with my email to this list. > > > > apropos, mimail-l was detected without problems but not mimail-m > > http://www.sophos.com/virusinfo/analyses/w32mimailm.html > > > > mimail-m will be recogniced since *today* > > > > > > $ sweep -archive -mime /data4/doku/viren/mimail/ > > > > Password protected file > > /data4/doku/viren/mimail/wendy-encrypted.eml/wendy.zip/wendy.exe > > >>> Virus 'W32/Mimail-M' found in file > > /data4/doku/viren/mimail/wendy-encrypted.eml/wendy.zip > > Password protected file /data4/doku/viren/mimail/wendy.zip/wendy.exe > > >>> Virus 'W32/Mimail-M' found in file /data4/doku/viren/mimail/wendy.zip > > > > 2 files swept in 1 second. > > 2 errors were encountered. > > 2 viruses were discovered. > > 2 files out of 2 were infected. > > > > -- > > shrek-m > > yeah I saw an update come in this morning...I dunno if clamAV works > better, nothing triggered either overnight so... > > -- > Martin Hepworth > Snr Systems Administrator > Solid State Logic > Tel: +44 (0)1865 842300 > > > ********************************************************************** > > This email and any files transmitted with it are confidential and > intended solely for the use of the individual or entity to whom they > are addressed. If you have received this email in error please notify > the system manager. > > This footnote confirms that this email message has been swept > for the presence of computer viruses and is believed to be clean. > > ********************************************************************** -- Mariano Absatz El Baby ---------------------------------------------------------- If I held you any closer I would be on the other side of you. -- Groucho Marx From ugob at CAMO-ROUTE.COM Thu Dec 4 14:57:28 2003 
From: ugob at CAMO-ROUTE.COM (Ugo Bellavance) Date: Thu Jan 12 21:21:25 2006 Subject: wendy.zip - encrypted - mimail Message-ID: <54C38A0B814C8E438EF73FC76F3629273AE270@mtlnt501fs.CAMOROUTE.COM> > -----Message d'origine----- > De : Mariano Absatz [mailto:mailscanner@LISTS.COM.AR] > Envoy? : Thursday, December 04, 2003 9:54 AM > ? : MAILSCANNER@JISCMAIL.AC.UK > Objet : Re: wendy.zip - encrypted - mimail > > > Yesterday, minutes before 17:00 hs local (20:00 GMT) I got the latest > McAffe update. From the readme (graciously logged by Tony's mcaffee- > autoupdate): > > # Product Release: December 3, 2003 > # > # - DAT Version: 4307 > # - Engine Version: 4.2.60 > ... > # NEW DETECTIONS > ... > # INTERNET WORM (33) > # ------------------ > ... > # W32/MIMAIL.L@MM <-- > ... > # NEW REMOVALS > # INTERNET WORM (33) > # ------------------ > ... > # W32/MIMAIL.L@MM <-- > ... > > However, later yesternight, a wendy.zip passed thru... would that be > innocuous? or a newer version of mimail? > yup, it might be mimail.m. Ugo > here's the log: > Dec 3 22:38:06 alerce MailScanner[358]: Virus and Content > Scanning: Starting > Dec 3 22:38:06 alerce MailScanner[358]: Filename Checks: > Allowing wendy.zip > Dec 3 22:38:06 alerce MailScanner[358]: Filename Checks: > Allowing msg-358-70.txt > Dec 3 22:38:06 alerce MailScanner[358]: Filetype Checks: > Allowing wendy.zip > Dec 3 22:38:06 alerce MailScanner[358]: Filetype Checks: > Allowing msg-358-70.txt > Dec 3 22:38:06 alerce MailScanner[358]: ZM: message 1612517 > renamed into 1563662 > Dec 3 22:38:06 alerce MailScanner[358]: Uninfected: > Delivered 1 messages > > > :-( > > NAI says ( http://vil.nai.com/vil/content/v_100856.htm ) that > mimail.m is > detected by 4307... 
however, I don't find it in the logs of > the readme's: > > $ grep -i mimail mcaffee-autoupdate.log > # W32/MIMAIL.C@MM <-- > # W32/MIMAIL.C@MM <-- > # W32/MIMAIL.I@MM <-- > # W32/MIMAIL.I.HTA > # W32/MIMAIL.I@MM <-- > # W32/MIMAIL.I.HTA > # W32/MIMAIL.HTA > # W32/MIMAIL.I!DATA > # W32/MIMAIL.J@MM <-- > # W32/MIMAIL.J@MM <-- > # W32/MIMAIL.L@MM <-- > # W32/MIMAIL.L@MM <-- > > Does anyone have a copy of mimail.l & mimail.m that would > like to send to > me so I can test it? (please contact me off-list so I tell > you to which > address) > > Otherwise, a sample of possible subjects might help me find > one thru one > of my unprotected spamtraps > > TIA > > El 4 Dec 2003 a las 12:25, Martin Hepworth escribi?: > > > > > > > done, > > > together with my email to this list. > > > > > > apropos, mimail-l was detected without problems but not mimail-m > > > http://www.sophos.com/virusinfo/analyses/w32mimailm.html > > > > > > mimail-m will be recogniced since *today* > > > > > > > > > $ sweep -archive -mime /data4/doku/viren/mimail/ > > > > > > Password protected file > > > /data4/doku/viren/mimail/wendy-encrypted.eml/wendy.zip/wendy.exe > > > >>> Virus 'W32/Mimail-M' found in file > > > /data4/doku/viren/mimail/wendy-encrypted.eml/wendy.zip > > > Password protected file > /data4/doku/viren/mimail/wendy.zip/wendy.exe > > > >>> Virus 'W32/Mimail-M' found in file > /data4/doku/viren/mimail/wendy.zip > > > > > > 2 files swept in 1 second. > > > 2 errors were encountered. > > > 2 viruses were discovered. > > > 2 files out of 2 were infected. > > > > > > -- > > > shrek-m > > > > yeah I saw an update come in this morning...I dunno if clamAV works > > better, nothing triggered either overnight so... 
> > > > -- > > Martin Hepworth > > Snr Systems Administrator > > Solid State Logic > > Tel: +44 (0)1865 842300 > > > > > > > ********************************************************************** > > > > This email and any files transmitted with it are confidential and > > intended solely for the use of the individual or entity to whom they > > are addressed. If you have received this email in error > please notify > > the system manager. > > > > This footnote confirms that this email message has been swept > > for the presence of computer viruses and is believed to be clean. > > > > > ********************************************************************** > > > -- > Mariano Absatz > El Baby > ---------------------------------------------------------- > If I held you any closer I would be on the other side of you. > -- Groucho Marx > From raymond at PROLOCATION.NET Thu Dec 4 15:00:41 2003 
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:21:25 2006 Subject: wendy.zip - encrypted - mimail In-Reply-To: <3FCF2045.28322.52C1740@localhost> Message-ID: Hi! > # NEW DETECTIONS > ... > # INTERNET WORM (33) > # ------------------ > ... > # W32/MIMAIL.L@MM <-- > ... > # NEW REMOVALS > # INTERNET WORM (33) > # ------------------ > ... > # W32/MIMAIL.L@MM <-- > ... > > However, later yesternight, a wendy.zip passed thru... would that be > innocuous? or a newer version of mimail? Most likely the new M version. http://www.sophos.com/virusinfo/analyses/w32mimailm.html > Otherwise, a sample of possible subjects might help me find one thru one > of my unprotected spamtraps Subject line: Re[3]<44 spaces> Message text: Hello Greg, I was shocked, when I found out that it wasn't you but your twin brother!!! That's amazing, you're as like as two peas. No one in bed is better than you Greg. I remember, I remember everything very well, that promised you to tell how it was, I'll give you a call today after 9. He took my skirt off, then my panties, then my bra, he sucked my tits, with the same fury you do it. He was writing alphabet on my pussy for 20 minutes, then suddenly stopped, put me in doggy style position and stuck his dagger.But Greg, why didn't you warn me that his dick is 15 inches long?? I was struck, we fucked whole night. I'm so thankful to you, for acquainted me to your brother. I think we can do it on the next Saturday all three together? What do you think? O yes, as you wanted I've made a few pictures check them out in archive, I hope they will excite you, and you will dream of our new meeting... Wendy. Attached file: only_for_greg.zip (contains for_greg.jpg.exe) The second email format, which appears to have been manually mass-mailed out, has the following characteristics: Subject line: Re:Greg Message text: Hi Greg its Wendy. 
I was shocked, when I found out that it wasn't you but your twin brother, that's amazing, you're as like as two peas. No one in bed is better than you Greg. I remember, I remember everything very well, that promised you to tell how it was, I'll give you a call today after 9. He took my skirt off, then my panties, then my bra, he sucked my tits, with the same fury you do it. He was writing alphabet on my pussy for 20 minutes, then suddenly stopped, put me in doggy style position and stuck his dagger. But Greg, why didn't you warn me that his dick is 15 inches long? I was struck, we fucked whole night. I'm so thankful to you, for acquainted me to your brother. I think we can do it on the next Saturday all three together? What do you think? O yes, as you wanted I've made a few pictures check them out in archive, I hope they will excite you, and you will dream of our new meeting... For unzip archiver download WinZip: http://download.winzip.com/winzip81.exe Password for archive is "kiss". Attached file: wendy.zip (contains file wendy.exe) this is most likely better material for the SPAM-L. Bye, Raymond From Cleveland at MAIL.WINNEFOX.ORG Thu Dec 4 15:04:47 2003 From: Cleveland at MAIL.WINNEFOX.ORG (Jody Cleveland) Date: Thu Jan 12 21:21:25 2006 Subject: Email is only an image - tag as spam? Message-ID: <7D3DDF19D93C3642931C3EB8803165A92E08EE@mail.winnefox.org> Hello, I've noticed a new trend with spam lately. I've been getting emails that are one big image, which aren't caught by mailscanner or spamassassin. Is there a rule somewhere, where I can specify that if an email contains only an image to tag it as spam? -- Jody Cleveland (cleveland@mail.winnefox.org) From michele at BLACKNIGHTSOLUTIONS.COM Thu Dec 4 15:07:06 2003 
From: michele at BLACKNIGHTSOLUTIONS.COM (Michele Neylon :: Blacknight Solutions) Date: Thu Jan 12 21:21:25 2006 Subject: Email is only an image - tag as spam? In-Reply-To: <7D3DDF19D93C3642931C3EB8803165A92E08EE@mail.winnefox.org> Message-ID: I've had the same problem :( Mr. Michele Neylon Blacknight Internet Solutions Ltd http://www.blacknightsolutions.ie/ http://www.search.ie/ Tel. + 353 (0)59 9139897 Lowest price domains in Ireland > -----Original Message----- > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > Behalf Of Jody Cleveland > Sent: 04 December 2003 15:05 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Email is only an image - tag as spam? > > > Hello, > > I've noticed a new trend with spam lately. I've been getting emails that > are one big image, which aren't caught by mailscanner or spamassassin. > Is there a rule somewhere, where I can specify that if an email contains > only an image to tag it as spam? > > > -- > Jody Cleveland > (cleveland@mail.winnefox.org) > From martinh at SOLID-STATE-LOGIC.COM Thu Dec 4 15:08:46 2003 
From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth)
Date: Thu Jan 12 21:21:25 2006
Subject: Email is only an image - tag as spam?
In-Reply-To: <7D3DDF19D93C3642931C3EB8803165A92E08EE@mail.winnefox.org>
References: <7D3DDF19D93C3642931C3EB8803165A92E08EE@mail.winnefox.org>
Message-ID: <3FCF4DFE.4010608@solid-state-logic.com>

Jody Cleveland wrote:
> Hello,
>
> I've noticed a new trend with spam lately. I've been getting emails that
> are one big image, which aren't caught by mailscanner or spamassassin.
> Is there a rule somewhere, where I can specify that if an email contains
> only an image to tag it as spam?
>
>
> --
> Jody Cleveland
> (cleveland@mail.winnefox.org)

Jody

are you using the bayes scanner in SA? A lot of the html based stuff gets
caught by SA 2.60 with bayes for me...

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

**********************************************************************

This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please notify
the system manager.

This footnote confirms that this email message has been swept
for the presence of computer viruses and is believed to be clean.

**********************************************************************

From johnl at OREGONISONLINE.NET Thu Dec 4 15:12:23 2003
From: johnl at OREGONISONLINE.NET (John P. Lang)
Date: Thu Jan 12 21:21:25 2006
Subject: unsubscribe
Message-ID: <000201c3ba79$057049c0$6501a8c0@zander>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20031204/c8d12505/attachment.html

From mailscanner at LISTS.COM.AR Thu Dec 4 15:18:45 2003
From: mailscanner at LISTS.COM.AR (Mariano Absatz)
Date: Thu Jan 12 21:21:25 2006
Subject: wendy.zip - encrypted - mimail
In-Reply-To:
References: <3FCF2045.28322.52C1740@localhost>
Message-ID: <3FCF2625.1849.5430A9D@localhost>

Hi Raymond... (or should I call you Greg?) ;-P

Thanx for the info... I didn't find it in my traps :-(

What I dislike is that NAI says (in the web:
http://vil.nai.com/vil/content/v_100856.htm ) that the current dat files
find & remove the ".m" release...

I even forced a .dat update just in case they had re-released it, but the
.dat's are identical...

Would you mind sending me an infected message to another account? I'd
send you a request from that account (I can "double opt-in" if you want
to be more assured).

On 4 Dec 2003 at 16:00, Raymond Dijkxhoorn wrote:

> Hi!
>
> > # NEW DETECTIONS
> > ...
> > # INTERNET WORM (33)
> > # ------------------
> > ...
> > # W32/MIMAIL.L@MM <--
> > ...
> > # NEW REMOVALS
> > # INTERNET WORM (33)
> > # ------------------
> > ...
> > # W32/MIMAIL.L@MM <--
> > ...
> >
> > However, later yesternight, a wendy.zip passed thru... would that be
> > innocuous? or a newer version of mimail?
>
> Most likely the new M version.
>
> http://www.sophos.com/virusinfo/analyses/w32mimailm.html
>
> > Otherwise, a sample of possible subjects might help me find one thru one
> > of my unprotected spamtraps
>
> Subject line: Re[3]<44 spaces>
>
> Message text:
>
> Hello Greg,
>
> I was shocked, when I found out that it wasn't you but your twin
> brother!!! That's amazing, you're as like as two peas. No one in bed is
> better than you Greg. I remember, I remember everything very well, that
> promised you to tell how it was, I'll give you a call today after 9.
>

--
Mariano Absatz
El Baby
----------------------------------------------------------
When I was kidnapped, my parents snapped into action.
They rented out my room.
        -- Woody Allen

From smilga at MIKROTIK.COM Thu Dec 4 15:23:40 2003
From: smilga at MIKROTIK.COM (Martins Smilga)
Date: Thu Jan 12 21:21:25 2006
Subject: mqueue.in problem
References: <7D3DDF19D93C3642931C3EB8803165A92E08EE@mail.winnefox.org> <3FCF4DFE.4010608@solid-state-logic.com>
Message-ID: <0c9301c3ba7a$98792b00$a500010a@martinsss>

Hello,

I have a problem with /var/spool/mqueue.in
It does not deliver to the directory /var/spool/mail
I understood that mailscanner will deliver from mqueue.in to the mail
directory; where are these settings?

Thanks

Martins

From Cleveland at MAIL.WINNEFOX.ORG Thu Dec 4 15:22:54 2003
From: Cleveland at MAIL.WINNEFOX.ORG (Jody Cleveland)
Date: Thu Jan 12 21:21:25 2006
Subject: Email is only an image - tag as spam?
Message-ID: <7D3DDF19D93C3642931C3EB8803165A92E08EF@mail.winnefox.org>

> are you using the bayes scanner in SA?

Yes.

- Jody

From martinh at SOLID-STATE-LOGIC.COM Thu Dec 4 15:30:54 2003
From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth)
Date: Thu Jan 12 21:21:26 2006
Subject: Email is only an image - tag as spam?
In-Reply-To: <7D3DDF19D93C3642931C3EB8803165A92E08EF@mail.winnefox.org>
References: <7D3DDF19D93C3642931C3EB8803165A92E08EF@mail.winnefox.org>
Message-ID: <3FCF532E.2010005@solid-state-logic.com>

Jody Cleveland wrote:
>>are you using the bayes scanner in SA?
>
>
> Yes.
>
> - Jody

Then maybe you need to learn them?

What version of SA are you using? I know 2.55 didn't catch a lot of the
html stuff as they use hex numbers for the ascii characters, i.e.
http://%77%77%77 for http://www. The 2.6 update catches these.

I do see quite a bit of stuff getting through that I have to place into
sa-learn. I use a shared imap folder and a variation of a generic
sa-learn script I found on a SA email list archive (or the MS list, I
don't remember).

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

From martinh at SOLID-STATE-LOGIC.COM Thu Dec 4 15:33:59 2003
From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth)
Date: Thu Jan 12 21:21:26 2006
Subject: mqueue.in problem
In-Reply-To: <0c9301c3ba7a$98792b00$a500010a@martinsss>
References: <7D3DDF19D93C3642931C3EB8803165A92E08EE@mail.winnefox.org> <3FCF4DFE.4010608@solid-state-logic.com> <0c9301c3ba7a$98792b00$a500010a@martinsss>
Message-ID: <3FCF53E7.2080903@solid-state-logic.com>

Martins Smilga wrote:
> Hello,
>
>
> I have probelem with /var/spool/mqueue.in
> It is not deliver to direcotry /var/spool/mail
> I understood that mailscanner will deliver from mqueue.in to mail directory,
> where are these setting
>
> Thanks
>
> Martins

Martins

it's set in the MailScanner.conf file. The specific lines are...

Incoming Queue Dir = /var/spool/mqueue.in

# Set location of outgoing mail queue.
# This can also be the filename of a ruleset.
Outgoing Queue Dir = /var/spool/mqueue

What does your log file say when MailScanner is running?

Also have you tried MailScanner in debug mode to see what it's doing?

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

From mailscanner at LISTS.COM.AR Thu Dec 4 15:35:44 2003
From: mailscanner at LISTS.COM.AR (Mariano Absatz)
Date: Thu Jan 12 21:21:26 2006
Subject: Email is only an image - tag as spam?
In-Reply-To: <7D3DDF19D93C3642931C3EB8803165A92E08EE@mail.winnefox.org>
Message-ID: <3FCF2A20.11723.55296B6@localhost>

Jody,

these standard SA 2.6 rules should match these messages:

# HTML_IMAGE_AREA - lots of image area (absolute)
body HTML_IMAGE_AREA_04 eval:html_range('image_area','400000','500000')
body HTML_IMAGE_AREA_05 eval:html_range('image_area','500000','600000')
body HTML_IMAGE_AREA_06 eval:html_range('image_area','600000','700000')
body HTML_IMAGE_AREA_07 eval:html_range('image_area','700000','800000')
body HTML_IMAGE_AREA_08 eval:html_range('image_area','800000','900000')
body HTML_IMAGE_AREA_09 eval:html_range('image_area','900000')
describe HTML_IMAGE_AREA_04 HTML has 4-5 kilopixels of images
describe HTML_IMAGE_AREA_05 HTML has 5-6 kilopixels of images
describe HTML_IMAGE_AREA_06 HTML has 6-7 kilopixels of images
describe HTML_IMAGE_AREA_07 HTML has 7-8 kilopixels of images
describe HTML_IMAGE_AREA_08 HTML has 8-9 kilopixels of images
describe HTML_IMAGE_AREA_09 HTML has over 9 kilopixels of images

# HTML_IMAGE_ONLY - not much text with images (absolute)
body HTML_IMAGE_ONLY_02 eval:html_image_only('0000','0200')
body HTML_IMAGE_ONLY_04 eval:html_image_only('0200','0400')
body HTML_IMAGE_ONLY_06 eval:html_image_only('0400','0600')
body HTML_IMAGE_ONLY_08 eval:html_image_only('0600','0800')
body HTML_IMAGE_ONLY_10 eval:html_image_only('0800','1000')
body HTML_IMAGE_ONLY_12 eval:html_image_only('1000','1200')
describe HTML_IMAGE_ONLY_02 HTML: images with 0-200 bytes of words
describe HTML_IMAGE_ONLY_04 HTML: images with 200-400 bytes of words
describe HTML_IMAGE_ONLY_06 HTML: images with 400-600 bytes of words
describe HTML_IMAGE_ONLY_08 HTML: images with 600-800 bytes of words
describe HTML_IMAGE_ONLY_10 HTML: images with 800-1000 bytes of words
describe HTML_IMAGE_ONLY_12 HTML: images with 1000-1200 bytes of words

# HTML_IMAGE_RATIO - more image area than text (ratio)
body HTML_IMAGE_RATIO_02 eval:html_image_ratio('0.000','0.002')
body HTML_IMAGE_RATIO_04 eval:html_image_ratio('0.002','0.004')
body HTML_IMAGE_RATIO_06 eval:html_image_ratio('0.004','0.006')
body HTML_IMAGE_RATIO_08 eval:html_image_ratio('0.006','0.008')
body HTML_IMAGE_RATIO_10 eval:html_image_ratio('0.008','0.010')
body HTML_IMAGE_RATIO_12 eval:html_image_ratio('0.010','0.012')
body HTML_IMAGE_RATIO_14 eval:html_image_ratio('0.012','0.014')
describe HTML_IMAGE_RATIO_02 HTML has a low ratio of text to image area
describe HTML_IMAGE_RATIO_04 HTML has a low ratio of text to image area
describe HTML_IMAGE_RATIO_06 HTML has a low ratio of text to image area
describe HTML_IMAGE_RATIO_08 HTML has a low ratio of text to image area
describe HTML_IMAGE_RATIO_10 HTML has a low ratio of text to image area
describe HTML_IMAGE_RATIO_12 HTML has a low ratio of text to image area
describe HTML_IMAGE_RATIO_14 HTML has a low ratio of text to image area

And these are the standard scores for them:

score HTML_IMAGE_AREA_05 0.283 1.342 1.122 2.199
score HTML_IMAGE_AREA_07 1.615 1.681 1.997 1.022
score HTML_IMAGE_ONLY_02 2.751 2.244 1.472 1.230
score HTML_IMAGE_ONLY_04 1.898 1.527 1.136 1.001
score HTML_IMAGE_ONLY_06 1.531 1.709 0.527 1.439
score HTML_IMAGE_ONLY_08 0.525 0.837 0 0
score HTML_IMAGE_ONLY_10 0.615 1.138 0.431 0.019
score HTML_IMAGE_ONLY_12 0.787 1.012 0.483 0
score HTML_IMAGE_RATIO_04 0.821 0.892 0.667 1.050
score HTML_IMAGE_RATIO_06 0.935 0.317 0.649 0
score HTML_IMAGE_RATIO_08 0.605 0.408 0.413 0.359
score HTML_IMAGE_RATIO_10 0.535 0.488 0.619 0.315
score HTML_IMAGE_RATIO_12 0.324 0 0 0
score HTML_IMAGE_RATIO_14 0 0.276 0 0
score HTML_IMAGE_AREA_04 0
score HTML_IMAGE_AREA_09 0
score HTML_IMAGE_AREA_08 0
score HTML_IMAGE_RATIO_02 0
score HTML_IMAGE_AREA_06 0

Strangely enough (I'll never understand the "genetic algorithms" used to
generate these scores) some of them "in the middle" are 0... that is,
HTML_IMAGE_ONLY_06 and HTML_IMAGE_ONLY_10 are non-0, but
HTML_IMAGE_ONLY_08 is 0 (in the fourth column).

What you can do is to raise these scores in spam.assassin.conf so they
are more likely to trigger.

One of the things I've seen are messages which apparently are only
comprised of an image, but that have hidden text (same color as
background), even specially crafted "non-spam-looking" text that
decreases the score and avoids some of these rules... I've even seen
almost identical messages to score somehow above 5 and the next day
score below 3... evidently many spammers are checking their messages
with SpamAssassin, and adjusting them... playing around with some scores
(especially, raising these "0" scores) might help you a lot (but be
careful with false positives, check your logs).

HTH

On 4 Dec 2003 at 9:04, Jody Cleveland wrote:

> Hello,
>
> I've noticed a new trend with spam lately. I've been getting emails that
> are one big image, which aren't caught by mailscanner or spamassassin.
> Is there a rule somewhere, where I can specify that if an email contains
> only an image to tag it as spam?
>
>
> --
> Jody Cleveland
> (cleveland@mail.winnefox.org)

--
Mariano Absatz
El Baby
----------------------------------------------------------
Suicidal twin kills sister by mistake!

From Cleveland at MAIL.WINNEFOX.ORG Thu Dec 4 15:46:52 2003
From: Cleveland at MAIL.WINNEFOX.ORG (Jody Cleveland)
Date: Thu Jan 12 21:21:26 2006
Subject: Email is only an image - tag as spam?
Message-ID: <7D3DDF19D93C3642931C3EB8803165A92E08F1@mail.winnefox.org>

Hi Steve,

> Are you using MailScanner in front of Microsoft Exchange??

Yeah. My mail comes into a redhat 9 box with mailscanner, spamassassin,
f-prot, and mailwatch, then gets forwarded on to an exchange server.

- Jody

From martinh at SOLID-STATE-LOGIC.COM Thu Dec 4 15:45:06 2003
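The four-column score lines from Mariano's post above, audited per score set; this is an added example, not part of the original thread or of SpamAssassin. It assumes the documented column order (no Bayes/no network tests, no Bayes/network, Bayes/no network, Bayes and network) and that a score of 0 disables a rule; the function names, the sample rule hits and the override value are constructed for illustration.

```python
"""Audit SpamAssassin `score` lines per score set (added example)."""

# Score lines copied from the post above.
SCORE_LINES = """\
score HTML_IMAGE_AREA_05 0.283 1.342 1.122 2.199
score HTML_IMAGE_AREA_07 1.615 1.681 1.997 1.022
score HTML_IMAGE_ONLY_02 2.751 2.244 1.472 1.230
score HTML_IMAGE_ONLY_04 1.898 1.527 1.136 1.001
score HTML_IMAGE_ONLY_06 1.531 1.709 0.527 1.439
score HTML_IMAGE_ONLY_08 0.525 0.837 0 0
score HTML_IMAGE_ONLY_10 0.615 1.138 0.431 0.019
score HTML_IMAGE_ONLY_12 0.787 1.012 0.483 0
score HTML_IMAGE_RATIO_04 0.821 0.892 0.667 1.050
score HTML_IMAGE_RATIO_06 0.935 0.317 0.649 0
score HTML_IMAGE_RATIO_08 0.605 0.408 0.413 0.359
score HTML_IMAGE_RATIO_10 0.535 0.488 0.619 0.315
score HTML_IMAGE_RATIO_12 0.324 0 0 0
score HTML_IMAGE_RATIO_14 0 0.276 0 0
score HTML_IMAGE_AREA_04 0
score HTML_IMAGE_AREA_09 0
score HTML_IMAGE_AREA_08 0
score HTML_IMAGE_RATIO_02 0
score HTML_IMAGE_AREA_06 0
"""

# Column order of a four-value score line (index = score set number).
SCORE_SETS = (
    "no Bayes, no network tests",
    "no Bayes, network tests",
    "Bayes, no network tests",
    "Bayes and network tests",
)

# Constructed: rules an image-only message might hit (not taken from a real log).
SAMPLE_HITS = ["HTML_IMAGE_ONLY_08", "HTML_IMAGE_RATIO_02", "HTML_IMAGE_AREA_06"]


def parse_scores(text):
    """Return {rule: (set0, set1, set2, set3)} from `score` lines."""
    scores = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2 or fields[0] != "score":
            continue
        values = [float(v) for v in fields[2:]]
        if len(values) == 1:
            values = values * 4  # a single score applies to every score set
        elif len(values) != 4:
            raise ValueError(f"line {lineno}: expected 1 or 4 scores: {raw!r}")
        scores[fields[1]] = tuple(values)
    return scores


def disabled_rules(scores, score_set):
    """Rules whose score is 0 in this score set, i.e. rules that never fire."""
    return sorted(name for name, vals in scores.items() if vals[score_set] == 0)


def contribution(hits, scores, score_set):
    """Points the listed rule hits add in this score set (unknown rules ignored)."""
    return round(sum(scores[h][score_set] for h in hits if h in scores), 3)


def override_lines(rules, value):
    """Local override lines; a single value sets the score in all four sets."""
    return [f"score {name} {value:.3f}" for name in rules]


if __name__ == "__main__":
    table = parse_scores(SCORE_LINES)
    for idx, label in enumerate(SCORE_SETS):
        dead = disabled_rules(table, idx)
        print(f"set {idx} ({label}): {len(dead)} of {len(table)} rules disabled, "
              f"sample hits add {contribution(SAMPLE_HITS, table, idx)}")
    # 0.8 is an arbitrary illustration value; pick your own and watch the logs.
    print("\n".join(override_lines(["HTML_IMAGE_ONLY_08"], 0.8)))
```

With Bayes and network tests both enabled (the fourth column), more than half of these image rules contribute nothing, which is why an image-only message can hit several of them and still score 0 from this group.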
From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth)
Date: Thu Jan 12 21:21:26 2006
Subject: Email is only an image - tag as spam?
In-Reply-To: <7D3DDF19D93C3642931C3EB8803165A92E08F0@mail.winnefox.org>
References: <7D3DDF19D93C3642931C3EB8803165A92E08F0@mail.winnefox.org>
Message-ID: <3FCF5682.3090706@solid-state-logic.com>

Jody Cleveland wrote:
>>Then maybe you need to learn them?
>
>
> How do I do that?
>
>
>>What version of SA are you using. I know 2.55 didn't catch
>>alot of the html stuff as they use hex numbers for the ascii
>>characters ie
>>http://%77%77%77 for http://www. the 2.6 update catches these.
>
>
> I just updated SA to 2.60. It is catching quite a bit of spam, but not
> the picture ones. It wouldn't be such a big deal, but normally the
> pictures are things I don't care to be seeing.
>
> - Jody

Jody

If you've just upgraded to 2.6 you'll either need to convert the bayes
DB to the new format (there's some emails in the archive about this back
in October when 2.6 came out), or create a new db.

There's some sa-learn scripts about in the FAQ that will take a pop
based account and populate the database with examples of spam and ham
(valid email).

I've got one for imap based email systems if you need that (should work
with MS-Exchange once you turn on the imap access).

You'll need at least 200 of each before the bayes engine will start to
operate within SA.

Also check the MailScanner spam.assassin.prefs.conf file and make sure
that has the correct path for the DB and bayes is enabled.

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

From jlarsen at RICHWEB.COM Thu Dec 4 15:51:36 2003
From: jlarsen at RICHWEB.COM (C. Jon Larsen)
Date: Thu Jan 12 21:21:26 2006
Subject: Email is only an image - tag as spam?
In-Reply-To: <3FCF5682.3090706@solid-state-logic.com>
Message-ID:

On Thu, 4 Dec 2003, Martin Hepworth wrote:

> I've got one for imap based email systems if you need that (should work
> with MS-Exchange once you turn on the imap access).

Could you post a link to that tool ?

>
> --
> Martin Hepworth
> Snr Systems Administrator
> Solid State Logic
> Tel: +44 (0)1865 842300
>

--
+ Jon Larsen: Chief Technology Officer, Richweb, Inc.
+ Richweb.com: Providing Internet-Based Business Solutions since 1995
+ GnuPG Public Key: http://richweb.com/jlarsen.gpg
+ Business: (804) 359.2220 x 101; Mobile: (804) 307.6939

From Cleveland at MAIL.WINNEFOX.ORG Thu Dec 4 15:36:31 2003
From: Cleveland at MAIL.WINNEFOX.ORG (Jody Cleveland)
Date: Thu Jan 12 21:21:26 2006
Subject: Email is only an image - tag as spam?
Message-ID: <7D3DDF19D93C3642931C3EB8803165A92E08F0@mail.winnefox.org>

> Then maybe you need to learn them?

How do I do that?

>
> What version of SA are you using. I know 2.55 didn't catch
> alot of the html stuff as they use hex numbers for the ascii
> characters ie
> http://%77%77%77 for http://www. the 2.6 update catches these.

I just updated SA to 2.60. It is catching quite a bit of spam, but not
the picture ones. It wouldn't be such a big deal, but normally the
pictures are things I don't care to be seeing.

- Jody

From raymond at PROLOCATION.NET Thu Dec 4 15:35:27 2003
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:21:26 2006
Subject: wendy.zip - encrypted - mimail
In-Reply-To: <3FCF2625.1849.5430A9D@localhost>
Message-ID:

Hi!

> I even forced a .dat update just in case they had re-released it, but the
> .dat's are identical...
>
> Would you mind sending me an infected message to another account? I'd
> send you a request from that account (I can "double opt-in" if you want
> to be more assured).

It can't unpack the zip, so ONLY if an enduser unpacks it, and executes
it, the scanner will catch it (locally at the enduser). At least, that's
my impression about this. I don't think it will be caught within MS due
to this.

Bye,
Raymond.

From steve.freegard at LBSLTD.CO.UK Thu Dec 4 15:39:09 2003
From: steve.freegard at LBSLTD.CO.UK (Steve Freegard)
Date: Thu Jan 12 21:21:26 2006
Subject: Email is only an image - tag as spam?
Message-ID: <67D9E7698329D411936E00508B6590B902773D22@neelix.lbsltd.co.uk>

Hi Jody,

Are you using MailScanner in front of Microsoft Exchange??

Kind regards,
Steve.

-----Original Message-----
From: Jody Cleveland [mailto:Cleveland@MAIL.WINNEFOX.ORG]
Sent: 04 December 2003 15:37
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Email is only an image - tag as spam?

> Then maybe you need to learn them?

How do I do that?

>
> What version of SA are you using. I know 2.55 didn't catch alot of the
> html stuff as they use hex numbers for the ascii characters ie
> http://%77%77%77 for http://www. the 2.6 update catches these.

I just updated SA to 2.60. It is catching quite a bit of spam, but not
the picture ones. It wouldn't be such a big deal, but normally the
pictures are things I don't care to be seeing.

- Jody

--
This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please notify
the sender and delete the message from your mailbox.

This footnote also confirms that this email message has been swept by
MailScanner (www.mailscanner.info) for the presence of computer viruses.

From Cleveland at MAIL.WINNEFOX.ORG Thu Dec 4 15:55:45 2003
From: Cleveland at MAIL.WINNEFOX.ORG (Jody Cleveland)
Date: Thu Jan 12 21:21:26 2006
Subject: Email is only an image - tag as spam?
Message-ID: <7D3DDF19D93C3642931C3EB8803165A92E08F2@mail.winnefox.org>

> > I've got one for imap based email systems if you need that (should
> > work with MS-Exchange once you turn on the imap access).
>
> Could you post a link to that tool ?

ditto

From Kevin.Hansard at IPLBATH.COM Thu Dec 4 16:06:39 2003
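Raymond's reply in the wendy.zip thread above says the gateway scanner cannot unpack the password-protected archive. The following is an added example, not MailScanner code and not from the thread, showing one way a gateway can at least recognise that condition: a ZIP entry that needs a password carries bit 0 of its general purpose flag, and with traditional ZIP encryption the member names stay readable in the central directory. The sample message and archive are constructed (only the flag bit is set, the payload is a harmless string); the function names, verdict strings and extension list are assumptions.

```python
"""Flag ZIP attachments a gateway scanner cannot look inside (added example)."""
import io
import struct
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

ENCRYPTED = 0x0001  # general purpose bit flag, bit 0: entry is encrypted
RISKY_EXT = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")  # example list


def build_sample_zip(member, encrypted):
    """Constructed test archive. 'encrypted' only sets the flag bit that a
    password-protected entry carries; the payload is a harmless string."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(member, b"constructed placeholder, not a program")
    data = bytearray(buf.getvalue())
    if encrypted:
        # Flag field: offset 6 in the local header, 8 in the central directory.
        for signature, offset in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            pos = data.find(signature) + offset
            (flags,) = struct.unpack_from("<H", data, pos)
            struct.pack_into("<H", data, pos, flags | ENCRYPTED)
    return bytes(data)


def build_sample_message(zip_name, zip_bytes):
    """Constructed message with one ZIP attachment, round-tripped through bytes."""
    msg = EmailMessage()
    msg["Subject"] = "constructed test message"
    msg["From"] = "sender@example.com"
    msg["To"] = "rcpt@example.com"
    msg.set_content("constructed body")
    msg.add_attachment(zip_bytes, maintype="application", subtype="zip",
                       filename=zip_name)
    return message_from_bytes(msg.as_bytes(), policy=policy.default)


def inspect_zip(data):
    """Return [(member name, is_encrypted)] or None if the archive is unreadable."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [(i.filename, bool(i.flag_bits & ENCRYPTED))
                    for i in zf.infolist()]
    except zipfile.BadZipFile:
        return None


def scan_message(msg):
    """One finding per ZIP attachment, with a verdict for the gateway policy."""
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        if not (name.lower().endswith(".zip") or data.startswith(b"PK\x03\x04")):
            continue
        members = inspect_zip(data)
        if members is None:
            findings.append({"attachment": name,
                             "verdict": "hold: unreadable archive"})
            continue
        encrypted = [m for m, enc in members if enc]
        risky = [m for m, _ in members if m.lower().endswith(RISKY_EXT)]
        if encrypted:
            verdict = "hold: encrypted, content not scannable"
        elif risky:
            verdict = "scan: executable member"
        else:
            verdict = "scan"
        findings.append({"attachment": name, "encrypted": encrypted,
                         "risky_names": risky, "verdict": verdict})
    return findings


if __name__ == "__main__":
    sample = build_sample_message("wendy.zip", build_sample_zip("wendy.exe", True))
    for finding in scan_message(sample):
        print(finding)
```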
From: Kevin.Hansard at IPLBATH.COM (Kevin Hansard)
Date: Thu Jan 12 21:21:26 2006
Subject: Small feature request
Message-ID:

Hi,

Thanks for the patch. I couldn't seem to get it to work, the score in
the subject still didn't have leading zeros.

Anyway I have it working now by changing all occurrences in Message.pm of

$spamtag =~ s/_SCORE_/$starcount/;

To

$spamtag =~ s/_SCORE_/sprintf("%02d",$starcount)/e;

I think that is basically what your patch was trying to achieve.

Many thanks

Kevin Hansard

---

From martinh at SOLID-STATE-LOGIC.COM Thu Dec 4 16:10:18 2003
From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth)
Date: Thu Jan 12 21:21:26 2006
Subject: Email is only an image - tag as spam?
In-Reply-To:
References:
Message-ID: <3FCF5C6A.2090502@solid-state-logic.com>

C. Jon Larsen wrote:
> On Thu, 4 Dec 2003, Martin Hepworth wrote:
>
>
>>I've got one for imap based email systems if you need that (should work
>>with MS-Exchange once you turn on the imap access).
>
>
> Could you post a link to that tool ?

Find the script attached. You need to call it with the parameters as
below. The userid will need a spam and ham folder to contain the emails
to be learnt.

/usr/local/bin/learn_spam.pl -uid=spamupdate \
-pwd=passwd

The only thing you'll need to change is the myserver param at the top of
the script.

As I said I got this from a SA email list archive. Only change I made was
to add in

$imap->delete_message (@msgs);

in the read_email function.

You'll need the Mail::IMAPClient perl module to make it run too (CPAN
will have it).

Seems to work for me, but I use Courier imapd rather than
exchange.....YMMV !!!!

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

-------------- next part --------------
#!/usr/bin/perl -w

use strict;
use Mail::IMAPClient;
use Shell;
use Env qw(HOME);
use Getopt::Long;
use File::Temp qw/ tempfile tempdir /;

my $imapserver = "myserver";

# set to 1 to enable imapclient debugging
my $debug = 0;

# set to 1 if running under cron (disables output)
my $cron = 1;

my $filename;
my $fh;

my %options = ( uid => undef, pwd => undef );
my $cmdsts = GetOptions ("uid=s" => \$options{uid},
                         "pwd=s" => \$options{pwd});

if (!$options {uid}) {
    die "[SPAMASSASSIN] uid not set (-uid=username)\n";
}
if (!$options {pwd}) {
    die "[SPAMASSASSIN] pwd not set (-pwd=password)\n";
}

my $uid = $options{uid};
my $pwd = $options{pwd};

# login to imap server
my $imap = Mail::IMAPClient->new (Server=>$imapserver,
                                  User=>$uid,
                                  Password=>$pwd,
                                  Debug=>$debug)
    or die "Can't connect to $uid\@$imapserver: $@\n";

if ($imap) {
    my $count;

    # Deal with spam first
    learn_mail ($HOME."/spam/", ".spam", "INBOX.spam", 0,
        "--spam --showdots --prefs-file=/opt/MailScanner/etc/spam.assassin.prefs.conf");

    # Now deal with ham
    learn_mail ($HOME."/ham/", ".ham", "INBOX.ham", 0,
        "--ham --showdots --prefs-file=/opt/MailScanner/etc/spam.assassin.prefs.conf");
} else {
    die "[SPAMASSASSIN] Unable to logon to IMAP mail account! $options{uid}\n";
}
exit;

#
# read and learn mail from imap server
#
# arguments
#   $dir      directory to place retrieved messages in
#   $ext      file extension to use on retrieved messages
#   $folder   imap folder name on server
#   $shared   0 if imap folder is in users mailbox
#             1 if imap folder is in shared name space or
#   $sa_args  additional arguments to specify to sa-learn
#             (e.g. --spam or --ham)
#
sub learn_mail {
    my $dir = shift (@_);
    my $ext = shift (@_);
    my $folder = shift (@_);
    my $shared = shift (@_);
    my $sa_args = shift (@_);
    my $count = 0;

    # tidy up directory before run
    clear_directory ($dir, $ext);

    # read mail from server
    $count = read_mail ($dir, $ext, $folder, $shared);

    if ($count > 0) {
        # learn about mail
        sa_learn ($dir, $ext, $sa_args);

        # tidy up files after sa-learn is called
        clear_directory ($dir, $ext);
    }
}

#
# reads mail from an imap folder and saves in a local directory
#
# arguments
#   $dir      directory to place retrieved messages in
#   $ext      file extension to use on retrieved messages
#   $folder   imap folder name on server
#   $shared   0 if imap folder is in users mailbox
#             1 if imap folder is in shared name space or
sub read_mail {
    my $dir = shift (@_);
    my $ext = shift (@_);
    my $folder = shift (@_);
    my $shared = shift (@_);
    my $count = 0;
    my $target = "";

    if ($shared) {
        # use a shared public folder instead
        my ($prefix, $sep) = @{$imap->namespace->[2][0]}
            or die "Can't get shared folder namespace or seperator: $@\n";
        $target = $prefix.
            ($prefix =~ /\Q$sep\E$/ || $folder =~ /^\Q$sep/ ? "" : $sep).
            $folder;
    } else {
        $target = $folder;
    }

    $imap->select ($target) or die "Cannot select $target: $@\n";
    # If a shared public folder is required uncomment the following
    # lines and comment out the previous $imap->select line

    # read through all messages
    my @msgs = $imap->search("ALL");
    foreach my $msg (@msgs) {
        ($fh, $filename) = tempfile (SUFFIX => $ext, DIR => $dir);
        $imap->message_to_file ($fh, $msg);
        close $fh;
        $count++;
    }
    # mark the fetched messages as deleted on the server
    $imap->delete_message (@msgs);

    if ($cron == 0) {
        print "Retrieved $count messages from $target\n";
    }

    return $count;
}

#
# Removes files in directory $dir with extension $ext
#
sub clear_directory{
    my $dir = shift (@_);
    my $ext = shift (@_);

    opendir (DIR, $dir) or die "Couldn't open dir: $dir\n";
    my @files = readdir (DIR);
    # directory handles are closed with closedir, not close
    closedir (DIR);

    for (my $i = 0; $i <= $#files; $i++ ) {
        # \Q...\E so the dot in the extension is matched literally
        if ($files[$i] =~ /\Q$ext\E$/) {
            unlink ($dir.$files[$i]);
        }
    }
}

#
# execute sa-learn command
#
sub sa_learn {
    my $dir = shift (@_);
    my $ext = shift (@_);
    my $type = shift (@_);

    my $learncmd = "/usr/local/bin/sa-learn ".$type." --dir ".$dir;
    if ($cron == 0) {
        $learncmd .= " --showdots";
    } else {
        $learncmd .= " > /dev/null 2>&1";
    }

    #
    # Run sa-learn script on spam directory
    #
    my $sh = Shell->new;
    my @args = ($learncmd);
    system (@args) == 0
        or die "system @args failed: $?";
}

From jaearick at COLBY.EDU Thu Dec 4 17:15:41 2003
From: jaearick at COLBY.EDU (Jeff A. Earickson) Date: Thu Jan 12 21:21:26 2006 Subject: AOL blocking MailScanner messages! In-Reply-To: <6.0.0.22.0.20031203205539.02ab9a18@xanadu.evi-inc.com> References: <6.0.0.22.0.20031203194846.01fcbd50@xanadu.evi-inc.com> <6.0.0.22.0.20031203205539.02ab9a18@xanadu.evi-inc.com> Message-ID: > > However, this has nothing to do with RDNS at all, and nothing to do with > what AOL is doing. AOL is implementing refusal of mail from servers that do > not have a reverse DNS lookup for their IP. It's not rocket science to do > in sendmail, i.e. something like this: > > http://www.cs.niu.edu/~rickert/cf/hack/require_rdns.m4 > Does anybody else out there run this hack, or something similar for Exim/ Postfix? I'm giving it a test run on my mail server right now, and I wonder if I am shooting myself in the foot. Virtually all of the rejections I see smell spammy to me. Comments? Jeff Earickson Colby College From butler at GLOBESERVER.COM Thu Dec 4 18:23:54 2003 
From: butler at GLOBESERVER.COM (Philip Butler)
Date: Thu Jan 12 21:21:26 2006
Subject: Blank lines inserted into header...
In-Reply-To: <6.0.1.1.2.20031127084627.0385c670@imap.ecs.soton.ac.uk>
References: <4F3AF4BE-204D-11D8-B3FA-000393D75504@globeserver.com> <6.0.1.1.2.20031127084627.0385c670@imap.ecs.soton.ac.uk>
Message-ID: <04BF9DB4-2687-11D8-B8EB-000393D75504@globeserver.com>

Julian,

Here's a bit more information. I am still having the problem - I have
noticed it's with any X- header that may be "too long" whatever that
may mean.

For example, I got an email that had the following header in it:

X-Exclaimer-OnMessagePostCategorize-{50a0a0f9-c0e6-4bf3-be44
-9194dd1a3dbc}: F:\Program Files\exclaimer\eXclaimer.dll - 2.0.4.67

and it has a blank line preceding this in the output of
mailscanner/sendmail. This effectively makes this header line become
the start of the message body.

However, when I change it to:

X-Exclaimer: F:\Program Files\exclaimer\eXclaimer.dll - 2.0.4.67

there is no blank line added and the message headers remain intact.

Therefore, it's not the X-%org-name% logic that I previously thought it
was, but rather it seems to be the length of the header name. Of
course, it could be sendmail that is doing this perhaps. I bet I have
a misconfiguration somehow - I can't believe that nobody else is seeing
this same problem otherwise.

Just so everyone knows - here's how I tested:

cat /file.txt | sendmail butler@globeserver.com (where /file.txt
has the original email with the blank line removed)

by editing the /file.txt and shortening the X- header name, it works as
it should.

Phil Butler

On Nov 27, 2003, at 3:46 AM, Julian Field wrote:

> Is anyone else experiencing this problem?
>
> At 20:15 26/11/2003, you wrote:
>> Hi all,
>>
>> Sorry if this is a repeated issue.
>>
>> I have noticed messages with the:
>>
>> X-%org-name%-MailScanner-Information: (and other X-%org-name%
>> headers)
>>
>>
>> For example, an email that just came in:
>>
>> X-WADSNET550-MailScanner-Information: Please contact
>> admin@wadsnet.net
>> for more
>> info
>>
>>
>> These lines seem to have a blank line in front of them, which
>> basically
>> ends the header and puts the X-header as the first line of the email
>> body. Is there a switch that keeps these headers in the header and
>> does not start the body ?? I can see that some might want the message
>> to be visible in the message, but I think I would prefer these headers
>> to remain in the email header.
>>
>> BTW, messages like this have a blank subject and From:/To: because the
>> X-org-name headers tend to show up before the Subject/etc. headers.
>> These are visible in the body of the message, but it messes up email
>> filters.
>>
>> Any comments ??
>>
>> Sorry again if this is repeated - and as always:
>>
>> MailScanner (and Julian !!) rules !!!
>>
>> Phil
>
> --
> Julian Field
> www.MailScanner.info
> MailScanner thanks transtec Computers for their support
>
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From butler at GLOBESERVER.COM Thu Dec 4 19:23:28 2003
From: butler at GLOBESERVER.COM (Philip Butler) Date: Thu Jan 12 21:21:26 2006 Subject: Blank lines inserted into header... In-Reply-To: <04BF9DB4-2687-11D8-B8EB-000393D75504@globeserver.com> References: <4F3AF4BE-204D-11D8-B3FA-000393D75504@globeserver.com> <6.0.1.1.2.20031127084627.0385c670@imap.ecs.soton.ac.uk> <04BF9DB4-2687-11D8-B8EB-000393D75504@globeserver.com> Message-ID: <56AC8386-268F-11D8-B8EB-000393D75504@globeserver.com> Even more information - it's a sendmail problem. The "lightbulb" finally came on and I tried the same test on a system without MailScanner - same problem - so it must be sendmail. Sorry for the false alarm. Phil On Dec 4, 2003, at 1:23 PM, Philip Butler wrote: > Julian, > > Here's a bit more information. I am still having the problem - I have > noticed it's with any X- header that may be "too long" whatever that > may mean. > > For example, I got an email that had the following header in it: > > > X-Exclaimer-OnMessagePostCategorize-{50a0a0f9-c0e6-4bf3-be44 > -9194dd1a3dbc}: F:\Program Files\exclaimer\eXclaimer.dll - 2.0.4.67 > > and it has a blank line preceding this in the output of > mailscanner/sendmail. This effectively makes this header line become > the start of the message body. > > However, when I change it to: > > X-Exclaimer: F:\Program Files\exclaimer\eXclaimer.dll - 2.0.4.67 > > there is no blank line added and the message headers remain intact. > > > Therefore, it's not the X-%org-name% logic that I previously thought it > was, but rather it seems to be the length of the header name. Of > course, it could be sendmail that is doing this perhaps. I bet I have > a misconfiguration somehow - I can't believe that nobody else is seeing > this same problem otherwise. > > Just so everyone knows - here's how I tested: > > cat /file.txt | sendmail butler@globeserver.com (where /file.txt > has the original email with the blank line removed) > > by editing the /file.txt and shortening the X- header name, it works as > it should. 
> > > Phil Butler > > On Nov 27, 2003, at 3:46 AM, Julian Field wrote: > >> Is anyone else experiencing this problem? >> >> At 20:15 26/11/2003, you wrote: >>> Hi all, >>> >>> Sorry if this is a repeated issue. >>> >>> I have noticed messages with the: >>> >>> X-%org-name%-MailScanner-Information: (and other X-%org-name% >>> headers) >>> >>> >>> For example, an email that just came in: >>> >>> X-WADSNET550-MailScanner-Information: Please contact >>> admin@wadsnet.net >>> for more >>> info >>> >>> >>> These lines seem to have a blank line in front of them, which >>> basically >>> ends the header and puts the X-header as the first line of the email >>> body. Is there a switch that keeps these headers in the header and >>> does not start the body ?? I can see that some might want the >>> message >>> to be visible in the message, but I think I would prefer these >>> headers >>> to remain in the email header. >>> >>> BTW, messages like this have a blank subject and From:/To: because >>> the >>> X-org-name headers tend to show up before the Subject/etc. headers. >>> These are visible in the body of the message, but it messes up email >>> filters. >>> >>> Any comments ?? >>> >>> Sorry again if this is repeated - and as always: >>> >>> MailScanner (and Julian !!) rules !!! >>> >>> Phil >> >> -- >> Julian Field >> www.MailScanner.info >> MailScanner thanks transtec Computers for their support >> >> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From jendries at PRAGMETA.COM Thu Dec 4 19:20:20 2003 
From: jendries at PRAGMETA.COM (Josh Endries)
Date: Thu Jan 12 21:21:26 2006
Subject: Problems disabling viruswarning.txt attachment (making it inline)
In-Reply-To: <04BF9DB4-2687-11D8-B8EB-000393D75504@globeserver.com>
References: <4F3AF4BE-204D-11D8-B3FA-000393D75504@globeserver.com> <6.0.1.1.2.20031127084627.0385c670@imap.ecs.soton.ac.uk> <04BF9DB4-2687-11D8-B8EB-000393D75504@globeserver.com>
Message-ID: <3FCF88F4.9080100@pragmeta.com>

Hi all,

I just recently installed MailScanner on a server here and I'm having
trouble with disabling the attachment of the viruswarning.txt file. My
config file contains this:

# When a virus or attachment is replaced by a plain-text warning,
# should the warning be in an attachment? If "no" then it will be
# placed in-line. This can also be the filename of a ruleset.
Warning Is Attachment = no

I thought this would dump the text into the message (at the end) and not
attach the file. It does append the text, but still attaches the text
file, which I don't want. Is there another setting I need to change to
get this to work?

This wouldn't be an issue if I could use the same variables that are in
viruswarning.txt ($date and $report) in inline.warning.txt. Is there a
list anywhere of the available variables for these files, since they
apparently have different access?

Thanks!

--
Josh

From dan.farmer at PHONEDIR.COM Thu Dec 4 23:31:22 2003
From: dan.farmer at PHONEDIR.COM (Dan Farmer) Date: Thu Jan 12 21:21:26 2006 Subject: AOL blocking MailScanner messages! In-Reply-To: References: <6.0.0.22.0.20031203194846.01fcbd50@xanadu.evi-inc.com> <6.0.0.22.0.20031203205539.02ab9a18@xanadu.evi-inc.com> Message-ID: Hopefully, AOL will keep this up despite the legitimate mail it will block, as it will force many admins to step up and finish the setup of their mail servers. Even better would be if yahoo, msn/hotmail, juno or some other large site would also step up and implement this, increasing the pressure. Until then, there are many more legitimate servers that have bad or no rdns than you can imagine. And the users on the other side whose mail is bounced back (usually with a message indicating they should contact their own server admins) will assume that since they can email all these other places, you have set up your server incorrectly. I had similar blocks in place for about a month after SoBig.F, and educated 3 or 4 companies (ones my users told me were having problems) about how to fix the issue with their rdns, but eventually the blocks were removed for business reasons (any more than 0 legitimate emails blocked was unacceptable). Good luck! dan On Dec 4, 2003, at 10:15 AM, Jeff A. Earickson wrote: >> >> However, this has nothing to do with RDNS at all, and nothing to do >> with >> what AOL is doing. AOL is implementing refusal of mail from servers >> that do >> not have a reverse DNS lookup for their IP. It's not rocket science >> to do >> in sendmail, i.e. something like this: >> >> http://www.cs.niu.edu/~rickert/cf/hack/require_rdns.m4 >> > > Does anybody else out there run this hack, or something similar for > Exim/ > Postfix? I'm giving it a test run on my mail server right now, and I > wonder if I am shooting myself in the foot. Virtually all of the > rejections > I see smell spammy to me. Comments? > > Jeff Earickson > Colby College > From mike at CAMAROSS.NET Fri Dec 5 00:37:34 2003 
From: mike at CAMAROSS.NET (Mike Kercher) Date: Thu Jan 12 21:21:26 2006 Subject: AOL blocking MailScanner messages! In-Reply-To: Message-ID: <200312050032.hB50WRGr030539@genesis.camaross.net> I'm running it and I love it. For the most part, legit email has legit DNS. If not, admins on the other end need to get off their ass and make their networking correct, complete and in compliance with the RFC's. Mike > -----Original Message----- > From: MailScanner mailing list > [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Jeff A. Earickson > Sent: Thursday, December 04, 2003 11:16 AM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: AOL blocking MailScanner messages! > > > > > However, this has nothing to do with RDNS at all, and nothing to do > > with what AOL is doing. AOL is implementing refusal of mail from > > servers that do not have a reverse DNS lookup for their IP. > It's not > > rocket science to do in sendmail, i.e. something like this: > > > > http://www.cs.niu.edu/~rickert/cf/hack/require_rdns.m4 > > > > Does anybody else out there run this hack, or something > similar for Exim/ Postfix? I'm giving it a test run on my > mail server right now, and I wonder if I am shooting myself > in the foot. Virtually all of the rejections I see smell > spammy to me. Comments? > > Jeff Earickson > Colby College > From mike at CAMAROSS.NET Fri Dec 5 00:40:17 2003 
From: mike at CAMAROSS.NET (Mike Kercher) Date: Thu Jan 12 21:21:26 2006 Subject: Something I'd love to see in MailScanner In-Reply-To: Message-ID: <200312050035.hB50ZAGr030649@genesis.camaross.net> I would LOVE it if, for a Spam Action or High Scoring Spam Action, I could forward the spam to abuse@. Perhaps, if these ISP's like comcast.net, t-dialin.net, rr.com, adelphia, etc would stop allowing their users to connect to SMTP ports outside their own networks. I'm sure MS users in countries other than the US have their own homeland spam friendly ISP's. Spammers have turned up the heat...let's bug their ISP's to death :) Mike From mkettler at EVI-INC.COM Fri Dec 5 00:55:36 2003 From: mkettler at EVI-INC.COM (Matt Kettler) Date: Thu Jan 12 21:21:26 2006 Subject: Something I'd love to see in MailScanner In-Reply-To: <200312050035.hB50ZAGr030649@genesis.camaross.net> References: <200312050035.hB50ZAGr030649@genesis.camaross.net> Message-ID: <6.0.0.22.0.20031204194712.02716208@xanadu.evi-inc.com> At 07:40 PM 12/4/2003, you wrote: >Spammers have turned up the heat...let's bug their ISP's to death :) Realistically, all the "automated carpet bomb complaint" type systems do is make ISP's procmail them all to /dev/null.. they create so much noise that they overload abuse systems. And personally, the first time I got *one* false auto-report, I'd 550 the IP of the server that delivered it. 10.0.0.1 550 broken autoresponders are not welcome here. Feel free to send the abuse address here legit abuse reports, but be sure they are accurate. I certainly will have zero tolerance for automated systems spamming my system accounts with false reports. That's IMO worse than being a spammer. There's an old closed bug in SA's bugzilla where someone suggested SA add an "auto abuse report" feature.. That flew about as far as a lead balloon. From lists at STHOMAS.NET Fri Dec 5 01:01:25 2003 
From: lists at STHOMAS.NET (Steve Thomas) Date: Thu Jan 12 21:21:26 2006 Subject: AOL blocking MailScanner messages! In-Reply-To: <200312050032.hB50WRGr030539@genesis.camaross.net>; from mike@CAMAROSS.NET on Thu, Dec 04, 2003 at 06:37:34PM -0600 References: <200312050032.hB50WRGr030539@genesis.camaross.net> Message-ID: <20031204170125.B21729@sthomas.net> On Thu, Dec 04, 2003 at 06:37:34PM -0600, Mike Kercher is rumored to have said: > > If not, admins on the other end need to get off their ass and make their > networking correct, complete and in compliance with the RFC's. I've only been skimming this thread, so this may have been stated already. If so, I apologize... You're forgetting that reverse dns is a totally different animal than forward, and that just about anyone with less than a /24 (and many with a /24 or larger) don't have the reverse zones delegated to their servers. If I own foo.com, I can easily create any forward entry in the foo.com domain, but making something in the in-addr.arpa domain point to mailserver.foo.com is not nearly as easy. As a for instance, the machine I'm sending this message from is on a RoadRunner network. We've got a block of addresses allocated to us and despite repeated assurances that they would delegate the in-addr.arpa zone for our netblock to our dns server, it's never happened. Now if RR managed to have a corrupt zone file, forgot to generate PTR records for our netblock or for some other reason wasn't on the ball, I'd be "an admin who was sitting on my ass not making my network correct"? I think not. My dns server is properly configured to serve requests for the /28 we've been allocated but RR is still in control of the zone. Then there's network outages, software failures, fiber cuts, DDoS attacks, etc, etc to consider. You'll reject mail just because the DNS server serving the in-addr.arpa zone for the connecting machine is unreachable? 
I can see adding a warning header or something innocuous like that, but outright rejecting mail from machines without RDNS properly configured is overkill, IMHO. Steve -- "Blessed is the man, who having nothing to say, abstains from giving wordy evidence of the fact." - George Eliot (1819-1880) From gdoris at ROGERS.COM Fri Dec 5 01:14:24 2003 
From: gdoris at ROGERS.COM (Gerry Doris)
Date: Thu Jan 12 21:21:26 2006
Subject: AOL blocking MailScanner messages!
In-Reply-To: <200312050032.hB50WRGr030539@genesis.camaross.net>
Message-ID:

On Thu, 4 Dec 2003, Mike Kercher wrote:

> I'm running it and I love it. For the most part, legit email has legit DNS.
> If not, admins on the other end need to get off their ass and make their
> networking correct, complete and in compliance with the RFC's.
>
> Mike

I'm not sure where I picked up the following sendmail local rules (it may
have been right here on this list) but they've been working well for me.
I've ended up commenting out the replies and just discard the messages
that are caught.

It's amazing how many people have made obvious typos in their dns tables!
It's also amazing how much spam is discarded.

These just go in sendmail.mc and you do the normal stuff to activate. The
longer lines have wrapped.

LOCAL_RULESETS
SLocal_check_relay
R$* $: $&{client_resolve}
RTEMP $#discard $: discard
RFORGED $#discard $: discard
RFAIL $#discard $: discard
dnl
dnl RTEMP $#error $@ 5.7.1 $: "550 Access Denied ; Incomplete DNS.
Cannot resolve PTR record for "$&{client_addr}" Please have your system administrator correct the zone entries."
dnl
dnl RFORGED $#error $@ 5.7.1 $: "550 Access Denied ; Incomplete DNS.
IP name possibly forged " $&{client_name}" Please have your system administrator correct the zone entries."
dnl
dnl RFAIL $#error $@ 5.7.1 $: "550 Access Denied ; Incomplete DNS.
Hostname lookup failed for " $&{client_name}" please have your system administrator correct the zone entries."

--
Gerry

"The lyfe so short, the craft so long to learne" Chaucer

From mike at CAMAROSS.NET Fri Dec 5 01:23:28 2003
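The TEMP, FORGED and FAIL cases that the ruleset above reads from ${client_resolve}, and the reject, discard and tag options argued over in this thread, side by side as an added example (not code from any of the posters or from sendmail). The resolver is an offline stub over constructed data; the host names, the documentation-range addresses, the mode names and the X-RDNS-Check header are assumptions.

```python
from collections import Counter, namedtuple

TEMP = object()   # marker in the stub data: this lookup hits a transient error


class TempFail(Exception):
    """Timeout, SERVFAIL or unreachable name server: no answer either way."""


class StubResolver:
    """Offline resolver over constructed data (no network access)."""

    def __init__(self, ptr, a):
        self.ptr, self.a = ptr, a

    def reverse(self, ip):
        answer = self.ptr.get(ip)        # None = authoritative "no PTR record"
        if answer is TEMP:
            raise TempFail(ip)
        return answer

    def forward(self, name):
        answer = self.a.get(name, [])
        if answer is TEMP:
            raise TempFail(name)
        return answer


def client_resolve(ip, resolver):
    """Classify a connecting IP the way ${client_resolve} does:
    OK, TEMP (transient), FAIL (no PTR), FORGED (PTR name does not map back)."""
    try:
        name = resolver.reverse(ip)
        if name is None:
            return "FAIL", None
        if ip not in resolver.forward(name):
            return "FORGED", name
    except TempFail:
        return "TEMP", None
    return "OK", name


Decision = namedtuple("Decision", "reply outcome header")


def decide(status, mode):
    """Map a classification to what the sending side experiences.
    discard_all    = the posted ruleset as it runs (all three discarded)
    reject_all     = its commented-out dnl lines (550 for all three)
    tempfail_aware = 4xx for TEMP so the sender retries, 550 otherwise
    tag            = accept everything, record the result in a header"""
    if status == "OK":
        return Decision("250 2.0.0 accepted", "delivered", None)
    if mode == "tag":
        return Decision("250 2.0.0 accepted", "delivered",
                        f"X-RDNS-Check: {status}")   # hypothetical header name
    if mode == "discard_all":
        # The sending MTA sees success; the message never arrives.
        return Decision("250 2.0.0 accepted", "silently_lost", None)
    if mode == "tempfail_aware" and status == "TEMP":
        return Decision("451 4.7.1 reverse DNS lookup failed, try again later",
                        "deferred", None)
    if mode in ("reject_all", "tempfail_aware"):
        return Decision("550 5.7.1 Access denied; incomplete reverse DNS",
                        "bounced", None)
    raise ValueError(f"unknown mode: {mode}")


def summarise(clients, resolver, mode):
    """Count outcomes for a list of connecting IPs under one policy mode."""
    counts = Counter(decide(client_resolve(ip, resolver)[0], mode).outcome
                     for ip in clients)
    return dict(counts)


# Constructed sample data (RFC 5737 documentation addresses).
SAMPLE_RESOLVER = StubResolver(
    ptr={
        "192.0.2.10": "mail.example.org",   # clean forward-confirmed rDNS
        "203.0.113.5": "mx.example.net",    # PTR exists, forward mismatch
        "192.0.2.77": TEMP,                 # reverse zone server unreachable
        # 198.51.100.7 has no PTR at all
    },
    a={
        "mail.example.org": ["192.0.2.10"],
        "mx.example.net": ["203.0.113.99"],
    },
)
SAMPLE_CLIENTS = ["192.0.2.10", "198.51.100.7", "203.0.113.5", "192.0.2.77"]

if __name__ == "__main__":
    for mode in ("discard_all", "reject_all", "tempfail_aware", "tag"):
        print(f"{mode:15s} {summarise(SAMPLE_CLIENTS, SAMPLE_RESOLVER, mode)}")
```

Only the tempfail_aware mode treats a DNS outage differently from a missing PTR record; only discard_all loses mail without the sender finding out.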
From: mike at CAMAROSS.NET (Mike Kercher) Date: Thu Jan 12 21:21:26 2006 Subject: AOL blocking MailScanner messages! In-Reply-To: <20031204170125.B21729@sthomas.net> Message-ID: <200312050118.hB51IJGr032215@genesis.camaross.net> I understand you're on cable and have a block less than /24. In this case, it is RR's responsibility to maintain their DNS. It is your right, as their customer, to ensure that they do what they are supposed to. I haven't forgotten anything about DNS. I run MANY DNS servers :) You may have noticed different types of error messages in your mail logs. Some are temporary failures (like if a DNS server is unreachable). That is totally different from an authoritative nameserver saying "I have no information about my zones". Is it possible to delegate RDNS for a network of less than a /24? What would the zone be? Mike > -----Original Message----- 
> From: MailScanner mailing list > [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Steve Thomas > Sent: Thursday, December 04, 2003 7:01 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: AOL blocking MailScanner messages! > > On Thu, Dec 04, 2003 at 06:37:34PM -0600, Mike Kercher is > rumored to have said: > > > > If not, admins on the other end need to get off their ass and make > > their networking correct, complete and in compliance with the RFC's. > > I've only been skimming this thread, so this may have been > stated already. If so, I apologize... > > You're forgetting that reverse dns is a totally different > animal than forward, and that just about anyone with less > than a /24 (and many with a /24 or larger) don't have the > reverse zones delegated to their servers. If I own foo.com, I > can easily create any forward entry in the foo.com domain, > but making something in the in-addr.arpa domain point to > mailserver.foo.com is not nearly as easy. > > As a for instance, the machine I'm sending this message from > is on a RoadRunner network. We've got a block of addresses > allocated to us and despite repeated assurances that they > would delegate the in-addr.arpa zone for our netblock to our > dns server, it's never happened. Now if RR managed to have a > corrupt zone file, forgot to generate PTR records for our > netblock or for some other reason wasn't on the ball, I'd be > "an admin who was sitting on my ass not making my network > correct"? I think not. My dns server is properly configured > to serve requests for the /28 we've been allocated but RR is > still in control of the zone. > > Then there's network outages, software failures, fiber cuts, > DDoS attacks, etc, etc to consider. You'll reject mail just > because the DNS server serving the in-addr.arpa zone for the > connecting machine is unreachable? 
> > I can see adding a warning header or something innocuous like > that, but outright rejecting mail from machines without RDNS > properly configured is overkill, IMHO. > > > Steve > > > -- > "Blessed is the man, who having nothing to say, abstains from > giving wordy evidence of the fact." > - George Eliot (1819-1880) > From mike at CAMAROSS.NET Fri Dec 5 01:36:19 2003 From: mike at CAMAROSS.NET (Mike Kercher) Date: Thu Jan 12 21:21:26 2006 Subject: AOL blocking MailScanner messages! In-Reply-To: Message-ID: <200312050131.hB51VCGr032663@genesis.camaross.net> See, I have a bigger problem with discarding mail based on incorrect RDNS. I'd rather reject the message so that HOPEFULLY, someone can fix the problem. If the emails are accepted by your MTA and then discarded, the sender assumes that his/her email was delivered successfully. Mike > -----Original Message----- 
> From: MailScanner mailing list > [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Gerry Doris > Sent: Thursday, December 04, 2003 7:14 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: AOL blocking MailScanner messages! > > On Thu, 4 Dec 2003, Mike Kercher wrote: > > > I'm running it and I love it. For the most part, legit > email has legit DNS. > > If not, admins on the other end need to get off their ass and make > > their networking correct, complete and in compliance with the RFC's. > > > > Mike > > I'm not sure where I picked up the following sendmail local > rules (it may have been right here on this list) but they've > been working well for me. > I've ended up commenting out the replies and just discard the > messages that are caught. > > It's amazing how many people have made obvious typo's in > their dns tables! > It's also amazing how much spam is discarded. > > These just go in sendmail.mc and you do the normal stuff to > activate. The longer lines have wrapped. > > LOCAL_RULESETS > SLocal_check_relay > R$* $: $&{client_resolve} > RTEMP $#discard $: discard > RFORGED $#discard $: discard > RFAIL $#discard $: discard > dnl > dnl RTEMP $#error $@ 5.7.1 $: "550 Access Denied ; > Incomplete DNS. > Cannot resolve PTR record for "$&{client_addr}" Please have > your system administrator correct the zone entries." > dnl > dnl RFORGED $#error $@ 5.7.1 $: "550 Access Denied ; > Incomplete DNS. > IP name possibly forged " $&{client_name}" Please have your > system administrator correct the zone entries." > dnl > dnl RFAIL $#error $@ 5.7.1 $: "550 Access Denied ; > Incomplete DNS. > Hostname lookup failed for " $&{client_name}" please have > your system administrator correct the zone entries." > > -- > Gerry > > "The lyfe so short, the craft so long to learne" Chaucer > From gdoris at ROGERS.COM Fri Dec 5 02:02:25 2003 
From: gdoris at ROGERS.COM (Gerry Doris) Date: Thu Jan 12 21:21:26 2006 Subject: AOL blocking MailScanner messages! In-Reply-To: <200312050131.hB51VCGr032663@genesis.camaross.net> Message-ID: On Thu, 4 Dec 2003, Mike Kercher wrote: > See, I have a bigger problem with discarding mail based on incorrect RDNS. > I'd rather reject the message so that HOPEFULLY, someone can fix the > problem. If the emails are accepted by your MTA and then discarded, the > sender assumes that his/her email was delivered successfully. > > Mike I got a few snotty replies so I just discard them all. -- Gerry "The lyfe so short, the craft so long to learne" Chaucer From mkettler at EVI-INC.COM Fri Dec 5 02:06:49 2003 From: mkettler at EVI-INC.COM (Matt Kettler) Date: Thu Jan 12 21:21:26 2006 Subject: [OT] AOL blocking MailScanner messages! In-Reply-To: <200312050118.hB51IJGr032215@genesis.camaross.net> References: <20031204170125.B21729@sthomas.net> <200312050118.hB51IJGr032215@genesis.camaross.net> Message-ID: <6.0.0.22.0.20031204210142.02741b50@xanadu.evi-inc.com> At 08:23 PM 12/4/2003, Mike Kercher wrote: >Is it possible to delegate RDNS for a network of less than a /24? What >would the zone be? This is basic DNS admin stuff, and a bit OT for this list. There's an RFC specifying how to do classless in-addr-arpa delegations. In short, it's done with cnames. Need more info, read the RFC and/or ask on a DNS oriented list. http://www.faqs.org/rfcs/rfc2317.html From jrudd at UCSC.EDU Fri Dec 5 07:36:24 2003 
From: jrudd at UCSC.EDU (John Rudd) Date: Thu Jan 12 21:21:26 2006 Subject: AOL blocking MailScanner messages! In-Reply-To: <20031204170125.B21729@sthomas.net> References: <200312050032.hB50WRGr030539@genesis.camaross.net> <20031204170125.B21729@sthomas.net> Message-ID: 1) So why can't you route all of your outgoing mail through your ISP? (I know, some people do, and some people don't ... I don't, but my reverse DNS works, so I don't need to ... but, that IS what you're supposed to be doing, so if you're having problems, why not do what you're supposed to be doing instead?) 2) If you don't control the in-addr for your IP block, then presumably it's your ISP's -- so make them fix their in-addr allocation. The problem isn't that the in-addr information has to match your mail domain, it just has to _exist_ (mail always comes from hosts that don't match the mail domain indicated). If it doesn't, and it's not your block to host on your DNS server, then your ISP isn't doing their job. Make them fix it, or switch to an ISP that isn't broken. 3) If they won't fix it, then ask them to delegate those addresses to you with NS records (which can be done on a per-IP addr basis, it doesn't have to be done in full class-C blocks). On Dec 4, 2003, at 5:01 PM, Steve Thomas wrote: > > On Thu, Dec 04, 2003 at 06:37:34PM -0600, Mike Kercher is rumored to > have said: >> >> If not, admins on the other end need to get off their ass and make >> their >> networking correct, complete and in compliance with the RFC's. > > I've only been skimming this thread, so this may have been stated > already. If so, I apologize... > > You're forgetting that reverse dns is a totally different animal than > forward, and that just about anyone with less than a /24 (and many > with a /24 or larger) don't have the reverse zones delegated to their > servers. 
If I own foo.com, I can easily create any forward entry in > the foo.com domain, but making something in the in-addr.arpa domain > point to mailserver.foo.com is not nearly as easy. > > As a for instance, the machine I'm sending this message from is on a > RoadRunner network. We've got a block of addresses allocated to us and > despite repeated assurances that they would delegate the in-addr.arpa > zone for our netblock to our dns server, it's never happened. Now if > RR managed to have a corrupt zone file, forgot to generate PTR records > for our netblock or for some other reason wasn't on the ball, I'd be > "an admin who was sitting on my ass not making my network correct"? I > think not. My dns server is properly configured to serve requests for > the /28 we've been allocated but RR is still in control of the zone. > > Then there's network outages, software failures, fiber cuts, DDoS > attacks, etc, etc to consider. You'll reject mail just because the DNS > server serving the in-addr.arpa zone for the connecting machine is > unreachable? > > I can see adding a warning header or something innocuous like that, > but outright rejecting mail from machines without RDNS properly > configured is overkill, IMHO. > > > Steve > > > -- > "Blessed is the man, who having nothing to say, abstains from giving > wordy evidence of the fact." > - George Eliot (1819-1880) From jrudd at UCSC.EDU Fri Dec 5 07:42:13 2003 
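The two ways of handing reverse DNS for less than a /24 to a customer that come up in this thread, CNAMEs into a delegated child zone (RFC 2317) and plain per-address NS delegation, generated and resolved side by side as an added example (not part of the original posts). The block 192.0.2.16/28, the name servers and the host name are constructed; the function names are hypothetical.

```python
import ipaddress


def reverse_zone_of(block):
    """in-addr.arpa zone of the /24 that contains the block."""
    a, b, c, _ = block.network_address.packed
    return f"{c}.{b}.{a}.in-addr.arpa."


def parent_records(cidr, nameservers, style="cname"):
    """Records the ISP adds to its /24 reverse zone to hand a smaller block
    to the customer's name servers.
    Returns (child_zone_or_None, [(owner, type, target), ...])."""
    block = ipaddress.ip_network(cidr)
    if block.version != 4 or block.prefixlen <= 24:
        raise ValueError("expects an IPv4 block smaller than a /24")
    origin = reverse_zone_of(block)
    octets = [ip.packed[3] for ip in block]      # every address in the block
    if style == "ns":
        # Per-address delegation: each address becomes its own tiny zone,
        # e.g. 18.2.0.192.in-addr.arpa. NS ns1.customer.example.
        return None, [(f"{n}.{origin}", "NS", ns)
                      for n in octets for ns in nameservers]
    # RFC 2317: delegate one child zone named <first>/<prefixlen> and
    # alias each address in the parent zone into it.
    child = f"{octets[0]}/{block.prefixlen}.{origin}"
    records = [(child, "NS", ns) for ns in nameservers]
    records += [(f"{n}.{origin}", "CNAME", f"{n}.{child}") for n in octets]
    return child, records


def customer_records(cidr, hosts, style="cname"):
    """PTR records the customer serves. hosts maps address -> host name."""
    block = ipaddress.ip_network(cidr)
    child, _ = parent_records(cidr, [], style)
    records = []
    for addr, name in sorted(hosts.items()):
        ip = ipaddress.ip_address(addr)
        if ip not in block:
            raise ValueError(f"{addr} is outside {cidr}")
        zone = child if child else reverse_zone_of(block)
        records.append((f"{ip.packed[3]}.{zone}", "PTR", name))
    return records


def lookup_ptr(addr, records):
    """Resolve a PTR over the combined records, following one CNAME.
    Returns (names_queried, host_name_or_None)."""
    qname = ipaddress.ip_address(addr).reverse_pointer + "."
    chain = [qname]
    for owner, rtype, target in records:
        if owner == qname and rtype == "CNAME":
            qname = target
            chain.append(qname)
            break
    for owner, rtype, target in records:
        if owner == qname and rtype == "PTR":
            return chain, target
    return chain, None


def to_zone_text(records):
    """Render records as zone-file lines."""
    return "\n".join(f"{owner:34s} IN {rtype:5s} {target}"
                     for owner, rtype, target in records)


if __name__ == "__main__":
    block = "192.0.2.16/28"                       # constructed sample block
    ns = ["ns1.customer.example.", "ns2.customer.example."]
    hosts = {"192.0.2.18": "mail.customer.example."}
    for style in ("cname", "ns"):
        child, parent = parent_records(block, ns, style)
        zone = parent + customer_records(block, hosts, style)
        print(f"--- style={style}, child zone={child}")
        print(to_zone_text(zone))
        print(lookup_ptr("192.0.2.18", zone))
```

Either way the connecting address ends up with a PTR record the customer controls; the ISP still has to add the delegation records to its own zone once.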
From: jrudd at UCSC.EDU (John Rudd)
Date: Thu Jan 12 21:21:26 2006
Subject: [OT] AOL blocking MailScanner messages!
In-Reply-To: <6.0.0.22.0.20031204210142.02741b50@xanadu.evi-inc.com>
References: <20031204170125.B21729@sthomas.net> <200312050118.hB51IJGr032215@genesis.camaross.net> <6.0.0.22.0.20031204210142.02741b50@xanadu.evi-inc.com>
Message-ID: <8A785C00-26F6-11D8-B3EE-003065F939FE@ucsc.edu>

On Dec 4, 2003, at 6:06 PM, Matt Kettler wrote:
>
> At 08:23 PM 12/4/2003, Mike Kercher wrote:
>> Is it possible to delegate RDNS for a network of less than a /24?
>> What
>> would the zone be?
>
> This is basic DNS admin stuff, and a bit OT for this list.
>
> There's an RFC specifying how to do classless in-addr-arpa
> delegations. In
> short, it's done with cnames. Need more info, read the RFC and/or ask
> on a
> DNS oriented list.
>
> http://www.faqs.org/rfcs/rfc2317.html
>

You don't even need to use cnames, you can use ns records.

From tony.johansson at SVENSKAKYRKAN.SE Fri Dec 5 08:49:58 2003
From: tony.johansson at SVENSKAKYRKAN.SE (Tony Johansson)
Date: Thu Jan 12 21:21:26 2006
Subject: Small log request
Message-ID:

Wouldn't it be interesting to see what version of SpamAssassin MailScanner is
using when it starts?

"MailScanner E-Mail Virus Scanner version 4.24-5 starting..." followed by

perl -MMail::SpamAssassin -e 'print "MailScanner using SpamAssassin version $Mail::SpamAssassin::VERSION\n";' would be nice IMO

Regards,
Tony

From mailscanner at ecs.soton.ac.uk Fri Dec 5 09:40:40 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:21:26 2006
Subject: Small log request
In-Reply-To:
References:
Message-ID: <6.0.1.1.2.20031205094020.036be0d0@imap.ecs.soton.ac.uk>

At 08:49 05/12/2003, you wrote:
>Wouldn't it be interesting to see what version of SpamAssassin MailScanner is
>using when it starts?
>
>"MailScanner E-Mail Virus Scanner version 4.24-5 starting..." followed by
>
>perl -MMail::SpamAssassin -e 'print "MailScanner using SpamAssassin version
>$Mail::SpamAssassin::VERSION\n";' would be nice IMO

At that point it doesn't know whether you want to use SA, or even have it
installed.
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Fri Dec 5 09:41:06 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:21:26 2006
Subject: Something I'd love to see in MailScanner
In-Reply-To: <200312050035.hB50ZAGr030649@genesis.camaross.net>
References: <200312050035.hB50ZAGr030649@genesis.camaross.net>
Message-ID: <6.0.1.1.2.20031205094044.03aebc60@imap.ecs.soton.ac.uk>

At 00:40 05/12/2003, you wrote:
>I would LOVE it if, for a Spam Action or High Scoring Spam Action, I could
>forward the spam to abuse@.

Read the manual please. Check out the "forward" spam action.
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From prandal at HEREFORDSHIRE.GOV.UK Fri Dec 5 10:07:04 2003
From: prandal at HEREFORDSHIRE.GOV.UK (Randal, Phil) Date: Thu Jan 12 21:21:26 2006 Subject: mcafee-autoupdate. Message-ID: <0EBC45FCABFC95428EBFC3A51B368C9501C9C3BB@jessica.herefordshire.gov.uk> If you're going to log, do it properly: logger -p mail.info McAfee-autoupdate: McAfee updated to version $VERSION Phil --------------------------------------------- Phil Randal Network Engineer Herefordshire Council Hereford, UK > -----Original Message----- > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > Behalf Of Michael Baird > Sent: 03 December 2003 21:25 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: mcafee-autoupdate. > > > I noticed the mcafee-autoupdate doesn't write to syslog, when > it updates > the virus scanner (mailstats.pl uses this for it's statistics). It is > just a bash script, so I stuck in a logger line, with syntax matching > other updaters, if this functionality could be added into the main > updater that would be nice. > > run wget --passive-ftp --progress=dot:mega $FTPDIR/$TARFILE > run tar xvf $TARFILE > #### Added for mailstats.pl virus update time graphing ##### > logger -p mail.info McAfee-autoupdate: McAfee updated > > Regards > MIKE > From mailscanner at ecs.soton.ac.uk Fri Dec 5 10:21:57 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:26 2006 Subject: mcafee-autoupdate. In-Reply-To: <0EBC45FCABFC95428EBFC3A51B368C9501C9C3BB@jessica.herefords hire.gov.uk> References: <0EBC45FCABFC95428EBFC3A51B368C9501C9C3BB@jessica.herefordshire.gov.uk> Message-ID: <6.0.1.1.2.20031205102126.039433f0@imap.ecs.soton.ac.uk> I have implemented it like this: +++ mcafee-autoupdate 2003-12-05 10:20:54.000000000 +0000 
@@ -236,6 +236,7 @@ esac say Completed OK +run logger -p mail.info McAfee-autoupdate: McAfee updated to version $VERSION 2>/dev/null run exit 0 # done Tony --- Does that look okay? I don't want errors if logger happens not to exist. At 10:07 05/12/2003, you wrote: >If you're going to log, do it properly: > >logger -p mail.info McAfee-autoupdate: McAfee updated to version $VERSION > >Phil > >--------------------------------------------- >Phil Randal >Network Engineer >Herefordshire Council >Hereford, UK > > > -----Original Message----- > > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > > Behalf Of Michael Baird > > Sent: 03 December 2003 21:25 > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: mcafee-autoupdate. > > > > > > I noticed the mcafee-autoupdate doesn't write to syslog, when > > it updates > > the virus scanner (mailstats.pl uses this for it's statistics). It is > > just a bash script, so I stuck in a logger line, with syntax matching > > other updaters, if this functionality could be added into the main > > updater that would be nice. > > > > run wget --passive-ftp --progress=dot:mega $FTPDIR/$TARFILE > > run tar xvf $TARFILE > > #### Added for mailstats.pl virus update time graphing ##### > > logger -p mail.info McAfee-autoupdate: McAfee updated > > > > Regards > > MIKE > > -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From dh at UPTIME.AT Fri Dec 5 11:13:45 2003 
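Review bot: the `2>/dev/null` on the added `run logger ...` line hides the error text but not the failure itself. If `logger` is missing the command still returns non-zero, and what happens next depends on how the `run` helper treats exit status, which this hunk does not show. If `run` stops the script on failure, an otherwise successful update would end before `run exit 0`; testing for `logger` before calling it, or appending `|| true`, makes the stated intent ("I don't want errors if logger happens not to exist") hold either way. Separately, the tag is written as plain message text (`McAfee-autoupdate:`), and a later reply in this thread says mailstats.pl expects `McAfee-autoupdate[]:`, so the tag format is worth settling in the same change.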
From: dh at UPTIME.AT (David H.)
Date: Thu Jan 12 21:21:26 2006
Subject: Small log request
In-Reply-To: <6.0.1.1.2.20031205094020.036be0d0@imap.ecs.soton.ac.uk>
References: <6.0.1.1.2.20031205094020.036be0d0@imap.ecs.soton.ac.uk>
Message-ID: <3FD06869.4050500@uptime.at>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

Julian Field wrote:
> At 08:49 05/12/2003, you wrote:
>
>> Wouldn't it be interesting to see what version of SpamAssassin
>> MailScanner is
>> using when it starts?
>>
>> "MailScanner E-Mail Virus Scanner version 4.24-5 starting..." followed by
>>
>> perl -MMail::SpamAssassin -e 'print "MailScanner using SpamAssassin
>> version
>> $Mail::SpamAssassin::VERSION\n";' would be nice IMO
>
>
> At that point it doesn't know whether you want to use SA, or even have it
> installed.
> --

Not to mention that MailScanner is very noisy in my logfiles already :)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (Darwin)

iD8DBQE/0GhpPMoaMn4kKR4RAyRMAJ9aJyBs9T/FtqbY63tAwP9z6mEY/wCfZnyk
UhlLxl68nCBZcyVOp7l9M/g=
=QHXs
-----END PGP SIGNATURE-----

From mailscanner at ecs.soton.ac.uk Fri Dec 5 12:18:19 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:21:26 2006
Subject: Small log request
In-Reply-To: <3FD06869.4050500@uptime.at>
References: <6.0.1.1.2.20031205094020.036be0d0@imap.ecs.soton.ac.uk> <3FD06869.4050500@uptime.at>
Message-ID: <6.0.1.1.2.20031205121635.03ceb270@imap.ecs.soton.ac.uk>

At 11:13 05/12/2003, you wrote:
>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: RIPEMD160
>
>Julian Field wrote:
>
>>At 08:49 05/12/2003, you wrote:
>>
>>>Wouldn't it be interesting to see what version of SpamAssassin
>>>MailScanner is
>>>using when it starts?
>>>
>>>"MailScanner E-Mail Virus Scanner version 4.24-5 starting..." followed by
>>>
>>>perl -MMail::SpamAssassin -e 'print "MailScanner using SpamAssassin
>>>version
>>>$Mail::SpamAssassin::VERSION\n";' would be nice IMO
>>
>>
>>At that point it doesn't know whether you want to use SA, or even have it
>>installed.
>>--
>Not to mention that MailScanner is very noisy in my logfiles already
> :)

If you make it log to something other than mail, say local0 and set up a
syslog.conf entry that does something like

local0.notice /var/log/MailScanner.log

then you won't log any info, just the important warnings. You don't have
to write everything into your logs if you don't want to.
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From jaearick at COLBY.EDU Fri Dec 5 12:37:14 2003
From: jaearick at COLBY.EDU (Jeff A. Earickson) Date: Thu Jan 12 21:21:26 2006 Subject: AOL blocking MailScanner messages! In-Reply-To: <200312050032.hB50WRGr030539@genesis.camaross.net> References: <200312050032.hB50WRGr030539@genesis.camaross.net> Message-ID: Y'all, I ran Rickert's sendmail ruleset for about 6 hours yesterday, then removed it and looked at the 500 sendmail rejects that it generated for the "Fix reverse DNS" error. I rejected emails from 364 unique IP numbers. I wrote a script to do a whois on these numbers and the info was ugly. Yes I was rejecting probable spam from APNIC, but I also zapped a lot of stuff from other universities, McGraw-Hill books and other publishers, Amazon (the original spammers!), IBM, the FAA (!), etc. I expect to hear some screaming about my experiment. While I think this is a great idea in theory, in practice it does a lot of collateral damage. I'll let AOL reform the world before trying it again. They will have to convince AT&T (for one) to change their DNS for their subblocks. --- Jeff Earickson Colby College On Thu, 4 Dec 2003, Mike Kercher wrote: > Date: Thu, 4 Dec 2003 18:37:34 -0600 > From: Mike Kercher > Reply-To: MailScanner mailing list > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: AOL blocking MailScanner messages! > > I'm running it and I love it. For the most part, legit email has legit DNS. > If not, admins on the other end need to get off their ass and make their > networking correct, complete and in compliance with the RFC's. > > Mike > > > > -----Original Message----- 
> > From: MailScanner mailing list > > [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Jeff A. Earickson > > Sent: Thursday, December 04, 2003 11:16 AM > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: Re: AOL blocking MailScanner messages! > > > > > > > > However, this has nothing to do with RDNS at all, and nothing to do > > > with what AOL is doing. AOL is implementing refusal of mail from > > > servers that do not have a reverse DNS lookup for their IP. > > It's not > > > rocket science to do in sendmail, i.e. something like this: > > > > > > http://www.cs.niu.edu/~rickert/cf/hack/require_rdns.m4 > > > > > > > Does anybody else out there run this hack, or something > > similar for Exim/ Postfix? I'm giving it a test run on my > > mail server right now, and I wonder if I am shooting myself > > in the foot. Virtually all of the rejections I see smell > > spammy to me. Comments? > > > > Jeff Earickson > > Colby College > > > From mike at TC3NET.COM Fri Dec 5 13:34:22 2003 From: mike at TC3NET.COM (Michael Baird) Date: Thu Jan 12 21:21:26 2006 Subject: mcafee-autoupdate. In-Reply-To: <0EBC45FCABFC95428EBFC3A51B368C9501C9C3BB@jessica.herefordshire.gov.uk> References: <0EBC45FCABFC95428EBFC3A51B368C9501C9C3BB@jessica.herefordshire.gov.uk> Message-ID: <1070631261.8599.2.camel@mike-new2.tc3net.com> Sure, for use in mailstats.pl, you must also have [ after the autoupdate (or change the regexp in mailstats), empty braces will work, the perl updaters would place the PID in between the braces. logger -p mail.info McAfee-autoupdate[]: McAfee updated to version $VERSION Regards MIKE > If you're going to log, do it properly: > > logger -p mail.info McAfee-autoupdate: McAfee updated to version $VERSION > > Phil > > --------------------------------------------- > Phil Randal > Network Engineer > Herefordshire Council > Hereford, UK > > > -----Original Message----- 
> > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > > Behalf Of Michael Baird > > Sent: 03 December 2003 21:25 > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: mcafee-autoupdate. > > > > > > I noticed the mcafee-autoupdate doesn't write to syslog, when > > it updates > > the virus scanner (mailstats.pl uses this for its statistics). It is > > just a bash script, so I stuck in a logger line, with syntax matching > > other updaters, if this functionality could be added into the main > > updater that would be nice. > > > > run wget --passive-ftp --progress=dot:mega $FTPDIR/$TARFILE > > run tar xvf $TARFILE > > #### Added for mailstats.pl virus update time graphing ##### > > logger -p mail.info McAfee-autoupdate: McAfee updated > > > > Regards > > MIKE > > > From ccampbell at BRUEGGERS.COM Fri Dec 5 14:32:23 2003 From: ccampbell at BRUEGGERS.COM (Christian Campbell) Date: Thu Jan 12 21:21:26 2006 Subject: Custom SA Rules...where to put them? Message-ID: I've tried putting my custom SA .cf file in ~/.spamassassin, /etc/MailScanner/mcp, and /usr/share/spamassassin. The only place it works is /usr/share/spamassassin. However I've read that putting it in /usr/share/spamassassin risks losing any custom work if there is an upgrade. Where is the proper location for me to put my custom .cf files? Christian Christian P. Campbell Systems Engineer Information Technology Department Bruegger's Enterprises, Inc. Desk: (802) 652-9270 Cell: (802) 734-5023 Email: ccampbell at brueggers dot com Registered Linux User #319324 PGP public key available via PGP keyservers or http://www2.brueggers.com/pgp/ccampbell.html "We all know Linux is great... it does infinite loops in 5 seconds." -- Linus Torvalds From prandal at HEREFORDSHIRE.GOV.UK Fri Dec 5 14:42:36 2003
From: prandal at HEREFORDSHIRE.GOV.UK (Randal, Phil) Date: Thu Jan 12 21:21:26 2006 Subject: Custom SA Rules...where to put them? Message-ID: <0EBC45FCABFC95428EBFC3A51B368C9501C9C3BE@jessica.herefordshire.gov.uk> /etc/mail/spamassassin Cheers, Phil --------------------------------------------- Phil Randal Network Engineer Herefordshire Council Hereford, UK > -----Original Message----- > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > Behalf Of Christian Campbell > Sent: 05 December 2003 14:32 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Custom SA Rules...where to put them? > > > I've tried putting my custom SA .cf file in ~/.spamassassin, > /etc/MailScanner/mcp, and /usr/share/spamassassin. The only > place it works > is /usr/share/spamassassin. However I've read that putting it in > /usr/share/spamassassin risks losing any custom work if there is an > upgrade. > > Where is the proper location for me to put my custom .cf files? > > Christian > > > Christian P. Campbell > Systems Engineer > Information Technology Department > Bruegger's Enterprises, Inc. > Desk: (802) 652-9270 > Cell: (802) 734-5023 > Email: ccampbell at brueggers dot com > Registered Linux User #319324 > > PGP public key available via PGP keyservers > or http://www2.brueggers.com/pgp/ccampbell.html > > "We all know Linux is great... > it does infinite loops in 5 seconds." > -- Linus Torvalds > From mike at CAMAROSS.NET Fri Dec 5 14:49:51 2003 From: mike at CAMAROSS.NET (Mike Kercher) Date: Thu Jan 12 21:21:26 2006 Subject: Something I'd love to see in MailScanner In-Reply-To: <6.0.1.1.2.20031205094044.03aebc60@imap.ecs.soton.ac.uk> Message-ID: <200312051444.hB5EihGr024908@genesis.camaross.net> I understand the forwarding action...I use that now. The problem is that the address which would be forwarded to is dynamic. It also would be to be based on the relaying hostname and not the envelope sender. Make any sense? Mike > -----Original Message-----
> From: MailScanner mailing list > [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Julian Field > Sent: Friday, December 05, 2003 3:41 AM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Something I'd love to see in MailScanner > > At 00:40 05/12/2003, you wrote: > >I would LOVE it if, for a Spam Action or High Scoring Spam Action, I > >could forward the spam to abuse@. > > Read the manual please. Check out the "forward" spam action. > -- > Julian Field > www.MailScanner.info > MailScanner thanks transtec Computers for their support > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > From dot at DOTAT.AT Fri Dec 5 14:53:26 2003 From: dot at DOTAT.AT (Tony Finch) Date: Thu Jan 12 21:21:26 2006 Subject: mcafee-autoupdate. In-Reply-To: References: <0EBC45FCABFC95428EBFC3A51B368C9501C9C3BB@jessica.herefordshire.gov.uk> Message-ID: Julian Field wrote: >I have implemented it like this: > >+++ mcafee-autoupdate 2003-12-05 10:20:54.000000000 +0000 >@@ -236,6 +236,7 @@ > esac > > say Completed OK >+run logger -p mail.info McAfee-autoupdate: McAfee updated to version >$VERSION 2>/dev/null > run exit 0 > > # done > >Tony --- Does that look okay? I don't want errors if logger happens not to >exist. Looks plausible. Tony. -- f.a.n.finch http://dotat.at/ LYME REGIS TO LANDS END INCLUDING THE ISLES OF SCILLY: EAST OR NORTHEAST 5, LOCAL 6 AT FIRST. EASING NORTHEAST 4. PATCHY DRIZZLE. MAINLY GOOD, OCCASIONAL MODERATE. MODERATE OR ROUGH, EASING MAINLY SLIGHT. From mike at ZANKER.ORG Fri Dec 5 15:13:14 2003 
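Review bot: the added "run logger" line writes the tag as "McAfee-autoupdate:" with no "[" after it, but Michael Baird's follow-up in this thread says mailstats.pl needs a "[" after the autoupdate tag (empty brackets are enough) unless its regexp is changed, so the entry as written would not be picked up by mailstats.pl. Suggest "McAfee-autoupdate[]:" to match the other updaters. Separately, "2>/dev/null" hides the error text when logger is missing but not the failed exit status, so it is worth confirming that "run" does not stop the script on a failed command before "run exit 0" is reached.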
From: mike at ZANKER.ORG (Mike Zanker) Date: Thu Jan 12 21:21:26 2006 Subject: Red Hat Advanced Server Academic Edition Message-ID: <343090343.1070637194@mallard.open.ac.uk> There was some recent conversation about what to do when Red Hat 8.0 and below are no longer supported at the end of this year. Higher education institutions may be interested to know that an annual license for RHEL AS can be purchased for $50 from http://www.redhat.com/. This gives you access to ISOs and RHN updates for versions 2.1 and 3.0. I can confirm that MailScanner works fine on RHAS 2.1 (which is based on RH 7.2) with either the supplied sendmail or Exim. I haven't tried version 3.0, but if MailScanner works on RH 8 and 9 it should be OK. Regards, Mike. From Denis.Beauchemin at USHERBROOKE.CA Fri Dec 5 15:17:35 2003 
From: Denis.Beauchemin at USHERBROOKE.CA (Denis Beauchemin) Date: Thu Jan 12 21:21:26 2006 Subject: Red Hat Advanced Server Academic Edition In-Reply-To: <343090343.1070637194@mallard.open.ac.uk> References: <343090343.1070637194@mallard.open.ac.uk> Message-ID: <1070637455.1935.25.camel@dbeauchemin.sti.usherbrooke.ca> If you're interested in the management feature of Red Hat Network to keep your systems up to date then this won't cut it because it is an update only. In clear it means that you can't install patch X to servers A, B, C and D in a single operation unless your systems are under a management option. This feature is important to us because we have close to 40 servers to maintain. Denis On Fri 05/12/2003 at 10:13, Mike Zanker wrote: > There was some recent conversation about what to do when Red Hat 8.0 > and below are no longer supported at the end of this year. Higher > education institutions may be interested to know that an annual license > for RHEL AS can be purchased for $50 from http://www.redhat.com/. > > This gives you access to ISOs and RHN updates for versions 2.1 and 3.0. > I can confirm that MailScanner works fine on RHAS 2.1 (which is based > on RH 7.2) with either the supplied sendmail or Exim. I haven't tried > version 3.0, but if MailScanner works on RH 8 and 9 it should be OK. > > Regards, > > Mike. -- Denis Beauchemin, analyst Université de Sherbrooke, S.T.I. T: 819.821.8000x2252 F: 819.821.8045 From raymond at PROLOCATION.NET Fri Dec 5 15:23:00 2003
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:21:26 2006 Subject: Red Hat Advanced Server Academic Edition In-Reply-To: <343090343.1070637194@mallard.open.ac.uk> Message-ID: Hi! > This gives you access to ISOs and RHN updates for versions 2.1 and 3.0. > I can confirm that MailScanner works fine on RHAS 2.1 (which is based > on RH 7.2) with either the supplied sendmail or Exim. I haven't tried > version 3.0, but if MailScanner works on RH 8 and 9 it should be OK. Works ok on RHEL 3.0 also. Runs faster than my 1:1 equal server with RH9. Bye, Raymond. From jburzenski at AMERICANHM.COM Fri Dec 5 15:27:57 2003 From: jburzenski at AMERICANHM.COM (Jason Burzenski) Date: Thu Jan 12 21:21:26 2006 Subject: Spam.blacklist.rules critical mass Message-ID: <9BDD6D4AD0795C46974D7D46C17883B809185694@ahm_exchange2> Does anyone know if there is a maximum limit to the number of entries in a rules file? I've been regularly adding entries to my spam.blacklist.rules file which has now reached about 30K in size. I haven't noticed much impact on system performance or memory use but was wondering if someone else has seen a direct correlation between a growing rules file and decreased system performance? At what level did your system start to choke? What's the best practice for blacklisting? Thanks, Jason Burzenski -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20031205/e6261c1d/attachment.html From mailscanner at ecs.soton.ac.uk Fri Dec 5 16:00:23 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:26 2006 Subject: Custom SA Rules...where to put them? In-Reply-To: References: Message-ID: <6.0.1.1.2.20031205160005.09832330@imap.ecs.soton.ac.uk> You can just add rules straight onto the end of spam.assassin.prefs.conf if you like. At 14:32 05/12/2003, you wrote: >I've tried putting my custom SA .cf file in ~/.spamassassin, >/etc/MailScanner/mcp, and /usr/share/spamassassin. The only place it works >is /usr/share/spamassassin. However I've read that putting it in >/usr/share/spamassassin risks losing any custom work if there is an >upgrade. > >Where is the proper location for me to put my custom .cf files? > >Christian > > >Christian P. Campbell >Systems Engineer >Information Technology Department >Bruegger's Enterprises, Inc. >Desk: (802) 652-9270 >Cell: (802) 734-5023 >Email: ccampbell at brueggers dot com >Registered Linux User #319324 > >PGP public key available via PGP keyservers >or http://www2.brueggers.com/pgp/ccampbell.html > >"We all know Linux is great... >it does infinite loops in 5 seconds." > -- Linus Torvalds -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mike at ZANKER.ORG Fri Dec 5 16:11:18 2003
From: mike at ZANKER.ORG (Mike Zanker) Date: Thu Jan 12 21:21:26 2006 Subject: Red Hat Advanced Server Academic Edition In-Reply-To: <1070640153.1935.30.camel@dbeauchemin.sti.usherbrooke.ca> References: <343090343.1070637194@mallard.open.ac.uk> <1070637455.1935.25.camel@dbeauchemin.sti.usherbrooke.ca> <345668875.1070639772@mallard.open.ac.uk> <1070640153.1935.30.camel@dbeauchemin.sti.usherbrooke.ca> Message-ID: <346574406.1070640678@mallard.open.ac.uk> On 05 December 2003 11:02 -0500 Denis Beauchemin wrote: > Their web site says otherwise (from > http://www.redhat.com/solutions/industries/education/products/): > > Specific features of the academic editions include: > > * 1 Year access to Red Hat Network with Update Module Hmm - maybe their system isn't working properly yet. We purchased some individual subscriptions (not the Site Subscription) yet we have been given management service on all of them. Mike. From ivan at NUCCI.COM.BR Fri Dec 5 16:22:17 2003 
From: ivan at NUCCI.COM.BR (Ivan Mirisola) Date: Thu Jan 12 21:21:26 2006 Subject: AOL blocking MailScanner messages! In-Reply-To: References: <6.0.0.22.0.20031203194846.01fcbd50@xanadu.evi-inc.com> <6.0.0.22.0.20031203205539.02ab9a18@xanadu.evi-inc.com> Message-ID: <3FD0B0B9.4000908@nucci.com.br> Hi people, I have been reading a lot of posts about this issue and I am wondering about something. A lot of people here in Brazil use broadband connections like xDSL and so to implement their own MTA and use it to send spam and other bulk email. Let's say, if a local ISP provides a dynamic IP address to you like 200.174.45.114 you can easily get its reverse DNS name which is 114.45.174.200.in-addr.arpa. Well to me this M4 ruleset doesn't help at all, because I wouldn't be rejecting mail coming from these addresses. I get an average spam of 300+ a day coming from these types of addresses. I think that if we do in fact reject mail based on RDNS we are just forcing those who have a broken DNS configuration to fix their RR records, that's all. I am just trying to share my point of view (if in fact I am right about it). But then again this is going to be way OT here. Feel free to send me PVT email anyone who wants to discuss this any further with me. Best regards to all. Ivan >>> >>> However, this has nothing to do with RDNS at all, and nothing to do >>> with >>> what AOL is doing. AOL is implementing refusal of mail from servers >>> that do >>> not have a reverse DNS lookup for their IP. It's not rocket science >>> to do >>> in sendmail, i.e. something like this: >>> >>> http://www.cs.niu.edu/~rickert/cf/hack/require_rdns.m4 >> From Kevin_Miller at CI.JUNEAU.AK.US Fri Dec 5 16:34:25 2003
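The "require reverse DNS" policy argued over in this thread, as an added example that is not part of the original messages and is not the sendmail ruleset linked above: it shows which connecting addresses such a policy refuses, and that a pool address whose provider publishes a PTR passes. The resolver table, the host names, the outcome labels, the defer-on-lookup-failure choice and the generic-name heuristic are all assumptions constructed for illustration; only 200.174.45.114 comes from the thread.

```python
import ipaddress
from collections import Counter


class TempFail(Exception):
    """The resolver gave no answer (timeout, SERVFAIL): the PTR is unknown."""


def ptr_query_name(ip):
    """in-addr.arpa name that is queried for the PTR record of an IPv4 address."""
    return ipaddress.IPv4Address(ip).reverse_pointer


def looks_generic(ip, hostname):
    """Heuristic assumed for this example: names generated for address pools
    usually embed all four octets of the address, in some order."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    labels = hostname.lower().replace("-", ".").split(".")
    return all(octet in labels for octet in octets)


def rdns_decision(ip, lookup_ptr):
    """Return (outcome, hostname) for a connecting IP.

    lookup_ptr(name) returns a list of host names ([] when no PTR exists)
    and raises TempFail when the DNS servers cannot be reached.
    """
    try:
        names = lookup_ptr(ptr_query_name(ip))
    except TempFail:
        # Unknown is not the same as missing: answer with a temporary
        # failure so the sender retries, instead of bouncing the mail.
        return ("defer", None)
    if not names:
        # The only case a bare "must have reverse DNS" rule refuses.
        return ("reject", None)
    host = names[0].rstrip(".")
    if looks_generic(ip, host):
        # A PTR exists, so the rule lets it through; the label only marks
        # it for other handling (a blacklist lookup, a small score).
        return ("accept-generic", host)
    return ("accept", host)


def survey(ips, lookup_ptr):
    """Tally outcomes per unique IP, e.g. over a day's connecting hosts."""
    return Counter(rdns_decision(ip, lookup_ptr)[0] for ip in sorted(set(ips)))


# Constructed resolver data; the host names are invented.
CONSTRUCTED_PTR = {
    "114.45.174.200.in-addr.arpa": ["200-174-45-114.dsl.example.net."],
    "25.100.51.198.in-addr.arpa": ["mail.example.org."],
    "10.2.0.192.in-addr.arpa": [],
}
UNREACHABLE = {"7.113.0.203.in-addr.arpa"}


def constructed_lookup(name):
    """Stand-in for a real PTR query so the example runs offline."""
    if name in UNREACHABLE:
        raise TempFail(name)
    return CONSTRUCTED_PTR.get(name, [])


if __name__ == "__main__":
    for ip in ("200.174.45.114", "198.51.100.25", "192.0.2.10", "203.0.113.7"):
        print(ip, ptr_query_name(ip), rdns_decision(ip, constructed_lookup))
```

Running survey() over the unique addresses from a trial period gives the size of the "reject" bucket before the rule is enforced.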
From: Kevin_Miller at CI.JUNEAU.AK.US (Kevin Miller) Date: Thu Jan 12 21:21:26 2006 Subject: Really tiny feature request Message-ID: <08146035CA49D6119A36009027AC822A0264EB0B@CITY-EXCH-NTS> Was upgrading MS yesterday, and as I was comparing MailScanner.conf and MailScanner.conf.rpmnew it occurred to me that it might be nice to have the version number in the comments at the top of the file. Since there seems to often be a new feature/option added it would help keep things straight when comparing files. No biggie if it doesn't happen - just a small nicety if it does... ...Kevin ------------------- Kevin Miller Registered Linux User No: 307357 CBJ MIS Dept. Network Systems Administrator, Mail Administrator 155 South Seward Street ph: (907) 586-0242 Juneau, Alaska 99801 fax: (907 586-4500 From mikea at MIKEA.ATH.CX Fri Dec 5 16:01:24 2003
From: mikea at MIKEA.ATH.CX (mikea) Date: Thu Jan 12 21:21:26 2006 Subject: Spam.blacklist.rules critical mass In-Reply-To: <9BDD6D4AD0795C46974D7D46C17883B809185694@ahm_exchange2>; from jburzenski@AMERICANHM.COM on Fri, Dec 05, 2003 at 10:27:57AM -0500 References: <9BDD6D4AD0795C46974D7D46C17883B809185694@ahm_exchange2> Message-ID: <20031205100124.A42956@mikea.ath.cx> On Fri, Dec 05, 2003 at 10:27:57AM -0500, Jason Burzenski wrote: > Does anyone know if there is a maximum limit to the number of entries in a > rules file? I've been regularly adding entries to my spam.blacklist.rules > file which has now reached about 30K in size. I haven't noticed much impact > on system performance or memory use but was wondering if someone else has > seen a direct correlation between a growing rules file and decreased system > performance? At what level did your system start to choke? What's the best > practice for blacklisting? I've noticed that there is some correlation between rulefile linecount (and complexity) and SA process time-to-scan, but that is only to be expected. It is much more evident on older, slower machines (e.g., _mine_ *sigh*) than on newer, roomier, faster machines, but (again) that is only to be expected. Even if you can keep the rulefiles in RAM, you still have to go through the rules, and even RAM access time is nonzero. Best practice? Minimal ruleset size and complexity consistent with blocking efficiently. It's not a static thing: rulesets themselves are works in progress. My system starts to choke at about 5K rules, running MS 4.25-13 and SA 2.50, with 5 instances of MS and of SA running. But my box is, as I wrote above, old, small, and slow. Not as small and slow as its predecessor, but small and slow by modern standards. -- Mike Andrews mikea@mikea.ath.cx Tired old sysadmin From mike at ZANKER.ORG Fri Dec 5 15:56:12 2003
From: mike at ZANKER.ORG (Mike Zanker) Date: Thu Jan 12 21:21:26 2006 Subject: Red Hat Advanced Server Academic Edition In-Reply-To: <1070637455.1935.25.camel@dbeauchemin.sti.usherbrooke.ca> References: <343090343.1070637194@mallard.open.ac.uk> <1070637455.1935.25.camel@dbeauchemin.sti.usherbrooke.ca> Message-ID: <345668875.1070639772@mallard.open.ac.uk> On 05 December 2003 10:17 -0500 Denis Beauchemin wrote: > If you're interested in the management feature of Red Hat Network to > keep your systems up to date then this won't cut it because it is an > update only. On the contrary, the ones we have purchased today under the scheme show as management service, not just update. Mike. From Denis.Beauchemin at USHERBROOKE.CA Fri Dec 5 16:02:34 2003 
From: Denis.Beauchemin at USHERBROOKE.CA (Denis Beauchemin) Date: Thu Jan 12 21:21:26 2006 Subject: Red Hat Advanced Server Academic Edition In-Reply-To: <345668875.1070639772@mallard.open.ac.uk> References: <343090343.1070637194@mallard.open.ac.uk> <1070637455.1935.25.camel@dbeauchemin.sti.usherbrooke.ca> <345668875.1070639772@mallard.open.ac.uk> Message-ID: <1070640153.1935.30.camel@dbeauchemin.sti.usherbrooke.ca> > On 05 December 2003 10:17 -0500 Denis Beauchemin > wrote: > > > If you're interested in the management feature of Red Hat Network to > > keep your systems up to date then this won't cut it because it is an > > update only. > > On the contrary, the ones we have purchased today under the scheme show > as management service, not just update. > > Mike. Their web site says otherwise (from http://www.redhat.com/solutions/industries/education/products/): Specific features of the academic editions include: * 1 Year access to Red Hat Network with Update Module * Red Hat Enterprise Linux WS (x86, IPF, or AMD64) channel for WS * Red Hat Enterprise Linux AS (x86, IPF, or AMD64) channel for AS Denis -- Denis Beauchemin, analyst Université de Sherbrooke, S.T.I. T: 819.821.8000x2252 F: 819.821.8045 From mailscanner at ecs.soton.ac.uk Fri Dec 5 16:44:13 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:26 2006 Subject: Spam.blacklist.rules critical mass In-Reply-To: <9BDD6D4AD0795C46974D7D46C17883B809185694@ahm_exchange2> References: <9BDD6D4AD0795C46974D7D46C17883B809185694@ahm_exchange2> Message-ID: <6.0.1.1.2.20031205164206.0394a0b8@imap.ecs.soton.ac.uk> At 15:27 05/12/2003, you wrote: >Does anyone know if there is a maximum limit to the number of entries in a >rules file? No theoretical fixed limit, no. > I've been regularly adding entries to my spam.blacklist.rules file > which has now reached about 30K in size. I haven't noticed much impact > on system performance or memory use but was wondering if someone else has > seen a direct correlation between a growing rules file and decreased > system performance? At what level did your system start to choke? What's > the best practice for blacklisting? If you want fast per-domain spam blacklist/whitelisting, use the per-domain stuff in CustomConfig.pm. If you want a straightforward spam blacklist that works very fast, look in the latest CustomConfig.pm and search for "FastSpamList". That code isn't quite what you want, but will be a very good starting point to implement it. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Fri Dec 5 16:49:03 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:26 2006 Subject: Really tiny feature request In-Reply-To: <08146035CA49D6119A36009027AC822A0264EB0B@CITY-EXCH-NTS> References: <08146035CA49D6119A36009027AC822A0264EB0B@CITY-EXCH-NTS> Message-ID: <6.0.1.1.2.20031205164752.03ce6ec0@imap.ecs.soton.ac.uk> At 16:34 05/12/2003, you wrote: >Was upgrading MS yesterday, and as I was comparing MailScanner.conf and >MailScanner.conf.rpmnew it occurred to me that it might be nice to have the >version number in the comments at the top of the file. Since there seems to >often be a new feature/option added it would help keep things straight when >comparing files. > >No biggie if it doesn't happen - just a small nicety if it does... Let me take a look over the weekend, it's just a change to the Build scripts. I'll probably put in a magic "version number" line and replace that when the package is bolted together. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Fri Dec 5 16:45:21 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:26 2006 Subject: Something I'd love to see in MailScanner In-Reply-To: <200312051444.hB5EihGr024908@genesis.camaross.net> References: <6.0.1.1.2.20031205094044.03aebc60@imap.ecs.soton.ac.uk> <200312051444.hB5EihGr024908@genesis.camaross.net> Message-ID: <6.0.1.1.2.20031205164430.03949e28@imap.ecs.soton.ac.uk> At 14:49 05/12/2003, you wrote: >I understand the forwarding action...I use that now. The problem is that >the address which would be forwarded to is dynamic. It also would be to be >based on the relaying hostname and not the envelope sender. Make any sense? In which case use a very simple Custom Function to produce the "Spam Actions" and "High Scoring Spam Actions" which use the $message->{from} and $message->{clientip} to produce their result. >Mike > > > -----Original Message----- > > From: MailScanner mailing list > > [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Julian Field > > Sent: Friday, December 05, 2003 3:41 AM > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: Re: Something I'd love to see in MailScanner > > > > At 00:40 05/12/2003, you wrote: > > >I would LOVE it if, for a Spam Action or High Scoring Spam Action, I > > >could forward the spam to abuse@. > > > > Read the manual please. Check out the "forward" spam action. > > -- > > Julian Field > > www.MailScanner.info > > MailScanner thanks transtec Computers for their support > > > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > > -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Fri Dec 5 16:47:30 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:26 2006 Subject: AOL blocking MailScanner messages! In-Reply-To: <3FD0B0B9.4000908@nucci.com.br> References: <6.0.0.22.0.20031203194846.01fcbd50@xanadu.evi-inc.com> <6.0.0.22.0.20031203205539.02ab9a18@xanadu.evi-inc.com> <3FD0B0B9.4000908@nucci.com.br> Message-ID: <6.0.1.1.2.20031205164644.03949b98@imap.ecs.soton.ac.uk> At 16:22 05/12/2003, you wrote: >Hi people, > >I have been reading a lot of posts about this issue and I am wondering >about something. >A lot of people here in Brazil use broadband connections like xDSL and >so to implement their own MTA and use it to send spam and other bulk >email. Let's say, if a local ISP provides a dynamic IP address to you like >200.174.45.114 you can easily get its reverse DNS name which is >114.45.174.200.in-addr.arpa. In which case use one of the DULs as a blacklist. These contain all the known dial-up IP addresses, so you can just reject mail that hasn't been sent through their ISP's mail server. >Well to me this M4 ruleset doesn't help at all, because I wouldn't be >rejecting mail coming from these addresses. I get an average spam of >300+ a day coming from these types of addresses. I think that if we do in >fact reject mail based on RDNS we are just forcing those who have a >broken DNS configuration to fix their RR records, that's all. >I am just trying to share my point of view (if in fact I am right about >it). But then again this is going to be way OT here. >Feel free to send me PVT email anyone who wants to discuss this any >further with me. > >Best regards to all. >Ivan > >>>> >>>>However, this has nothing to do with RDNS at all, and nothing to do >>>>with >>>>what AOL is doing. AOL is implementing refusal of mail from servers >>>>that do >>>>not have a reverse DNS lookup for their IP. It's not rocket science >>>>to do >>>>in sendmail, i.e.
something like this: >>>> >>>>http://www.cs.niu.edu/~rickert/cf/hack/require_rdns.m4 -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From michele at BLACKNIGHTSOLUTIONS.COM Fri Dec 5 17:07:11 2003 From: michele at BLACKNIGHTSOLUTIONS.COM (Michele Neylon :: Blacknight Solutions) Date: Thu Jan 12 21:21:26 2006 Subject: Ip to country query Message-ID: Has anybody done anything with IP to country regarding sources of spam etc? Mr. Michele Neylon Blacknight Internet Solutions Ltd http://www.blacknightsolutions.ie/ http://www.search.ie/ Tel. + 353 (0)59 9139897 Lowest price domains in Ireland From ugob at CAMO-ROUTE.COM Fri Dec 5 17:18:10 2003 From: ugob at CAMO-ROUTE.COM (Ugo Bellavance) Date: Thu Jan 12 21:21:26 2006 Subject: Ip to country query Message-ID: <54C38A0B814C8E438EF73FC76F3629273AE271@mtlnt501fs.CAMOROUTE.COM> > -----Original Message----- > From: Michele Neylon :: Blacknight Solutions > [mailto:michele@BLACKNIGHTSOLUTIONS.COM] > Sent: Friday, December 05, 2003 12:07 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Ip to country query > > > Has anybody done anything with IP to country regarding > sources of spam etc? What do you mean? Do you use mailstats? Gives you stats on countries. > > > Mr. Michele Neylon > Blacknight Internet Solutions Ltd > http://www.blacknightsolutions.ie/ > http://www.search.ie/ > Tel. + 353 (0)59 9139897 > Lowest price domains in Ireland > From sailer at BNL.GOV Fri Dec 5 17:20:23 2003
From: sailer at BNL.GOV (Tim Sailer) Date: Thu Jan 12 21:21:26 2006 Subject: Ip to country query In-Reply-To: References: Message-ID: <20031205172023.GA13158@bnl.gov> On Fri, Dec 05, 2003 at 05:07:11PM -0000, Michele Neylon :: Blacknight Solutions wrote: > Has anybody done anything with IP to country regarding sources of spam etc? We routinely look at the country that email was sent from, by IP (using GEO-IP). China, then USA, seem to be the highest sources, at least that we see here... Tim -- Tim Sailer Information and Special Technologies Program Office of CounterIntelligence Brookhaven National Laboratory (631) 344-3001 From mkettler at EVI-INC.COM Fri Dec 5 18:06:19 2003 From: mkettler at EVI-INC.COM (Matt Kettler) Date: Thu Jan 12 21:21:26 2006 Subject: Ip to country query In-Reply-To: References: Message-ID: <6.0.0.22.0.20031205130249.029cf5c0@xanadu.evi-inc.com> At 12:07 PM 12/5/2003, Michele Neylon :: Blacknight Solutions wrote: >Has anybody done anything with IP to country regarding sources of spam etc? I use a couple of the blackholes.us lists to add a small amount (max 1.0) to the SA scores of email coming from countries that aren't normally much of the day-to-day email here but generate a lot of spam. Mostly cn-kr and brazil. I keep the scores low to avoid tagging posts to mailing lists (as I do get some legitimate traffic from these countries) but it's helpful with some of the "not quite 5.0" scoring spam. From lists at STHOMAS.NET Fri Dec 5 18:06:21 2003 
From: lists at STHOMAS.NET (Steve Thomas) Date: Thu Jan 12 21:21:26 2006 Subject: AOL blocking MailScanner messages! In-Reply-To: ; from jrudd@UCSC.EDU on Thu, Dec 04, 2003 at 11:36:24PM -0800 References: <200312050032.hB50WRGr030539@genesis.camaross.net> <20031204170125.B21729@sthomas.net> Message-ID: <20031205100621.A16375@sthomas.net> On Thu, Dec 04, 2003 at 11:36:24PM -0800, John Rudd is rumored to have said: > > 1) So why can't you route all of your outgoing mail through your ISP? We don't want or need to. We pay for business class service and run all our own services. The only outside services we rely on are the root DNS servers. > (I know, some people do, and some people don't ... I don't, but my > reverse DNS works, so I don't need to ... but, that IS what you're > supposed to be doing, so if you're having problems, why not do what > you're supposed to be doing instead?) We're not having problems - I simply pointed out a scenario that is entirely possible. And why is relaying through our ISP what we're "supposed to be doing"??!! I thought that what we were "supposed to be doing" is using our Internet connection in any way that pleases us as long as we're not violating our ISP's TOS or breaking any laws. > 2) If you don't control the in-addr for your IP block, then presumably > it's your ISP's -- so make them fix their in-addr allocation. The > problem isn't that the in-addr information has to match your mail > domain, it just has to _exist_ (mail always comes from hosts that don't > match the mail domain indicated). If it doesn't, and it's not your > block to host on your DNS server, then your ISP isn't doing their job. > Make them fix it, or switch to an ISP that isn't broken. Again, it's not broken. I only posed a hypothetical scenario. > 3) If they won't fix it, then ask them to delegate those addresses to > you with NS records (which can be done on a per-IP addr basis, it > doesn't have to be done in full class-C blocks).
I think it's pretty clear at this point that you either didn't read or didn't understand my original message. Steve > On Dec 4, 2003, at 5:01 PM, Steve Thomas wrote: > > > > > On Thu, Dec 04, 2003 at 06:37:34PM -0600, Mike Kercher is rumored to > > have said: > >> > >> If not, admins on the other end need to get off their ass and make > >> their > >> networking correct, complete and in compliance with the RFC's. > > > > I've only been skimming this thread, so this may have been stated > > already. If so, I apologize... > > > > You're forgetting that reverse dns is a totally different animal than > > forward, and that just about anyone with less than a /24 (and many > > with a /24 or larger) don't have the reverse zones delegated to their > > servers. If I own foo.com, I can easily create any forward entry in > > the foo.com domain, but making something in the in-addr.arpa domain > > point to mailserver.foo.com is not nearly as easy. > > > > As a for instance, the machine I'm sending this message from is on a > > RoadRunner network. We've got a block of addresses allocated to us and > > despite repeated assurances that they would delegate the in-addr.arpa > > zone for our netblock to our dns server, it's never happened. Now if > > RR managed to have a corrupt zone file, forgot to generate PTR records > > for our netblock or for some other reason wasn't on the ball, I'd be > > "an admin who was sitting on my ass not making my network correct"? I > > think not. My dns server is properly configured to serve requests for > > the /28 we've been allocated but RR is still in control of the zone. > > > > Then there's network outages, software failures, fiber cuts, DDoS > > attacks, etc, etc to consider. You'll reject mail just because the DNS > > server serving the in-addr.arpa zone for the connecting machine is > > unreachable? 
> > > > I can see adding a warning header or something innocuous like that, > > but outright rejecting mail from machines without RDNS properly > > configured is overkill, IMHO. > > > > > > Steve > > > > > > -- > > "Blessed is the man, who having nothing to say, abstains from giving > > wordy evidence of the fact." > > - George Eliot (1819-1880) -- "Don't be so humble - you are not that great." - Golda Meir (1898-1978) to a visiting diplomat From lists at STHOMAS.NET Fri Dec 5 18:12:36 2003 From: lists at STHOMAS.NET (Steve Thomas) Date: Thu Jan 12 21:21:26 2006 Subject: Ip to country query In-Reply-To: <6.0.0.22.0.20031205130249.029cf5c0@xanadu.evi-inc.com>; from mkettler@EVI-INC.COM on Fri, Dec 05, 2003 at 01:06:19PM -0500 References: <6.0.0.22.0.20031205130249.029cf5c0@xanadu.evi-inc.com> Message-ID: <20031205101236.B16375@sthomas.net> On Fri, Dec 05, 2003 at 01:06:19PM -0500, Matt Kettler is rumored to have said: > > I use a couple of the blackholes.us lists to add a small amount (max 1.0) > to the SA scores of email coming from countries that aren't normally much > of the day-to-day email here but generate a lot of spam. Mostly cn-kr and > brazil. On my personal server, I outright reject mail from hosts on cn-kr. I don't know anyone in those countries and if someone there needs to get a hold of me that badly, they can use a throwaway hotmail account or something. I have *never* received a legitimate e-mail from China or Korea. Of course, YMMV and I'd never do this on our servers at work (being an international company, it'd be a Bad Thing). Steve -- "Talent does what it can; genius does what it must." - Edward George Bulwer-Lytton (1803-1873) From mkettler at EVI-INC.COM Fri Dec 5 18:36:37 2003 
From: mkettler at EVI-INC.COM (Matt Kettler) Date: Thu Jan 12 21:21:26 2006 Subject: Something I'd love to see in MailScanner In-Reply-To: <6.0.1.1.2.20031205164430.03949e28@imap.ecs.soton.ac.uk> References: <6.0.1.1.2.20031205094044.03aebc60@imap.ecs.soton.ac.uk> <200312051444.hB5EihGr024908@genesis.camaross.net> <6.0.1.1.2.20031205164430.03949e28@imap.ecs.soton.ac.uk> Message-ID: <6.0.0.22.0.20031205132318.0203e0e0@xanadu.evi-inc.com> At 11:45 AM 12/5/2003, Julian Field wrote: > >I understand the forwarding action...I use that now. The problem is that > >the address which would be forwarded to is dynamic. It also would be to be > >based on the relaying hostname and not the envelope sender. Make any sense? > >In which case use a very simple Custom Function to produce the "Spam >Actions" and "High Scoring Spam Actions" which use the $message->{from} and >$message->{clientip} to produce their result. Ugh... now the world can be infected with more broken mailservers. I love MailScanner, it's just unfortunate that it's so easy to do incredibly foolish things with it. Really a system like this should use abuse.net lookups or use a semi-smart system like spamcop, and not do what is suggested above. That's just broken beyond belief. If you're going to do something incredibly stupid like auto-abuse-report spam, at least do it correctly. Comment #3 in SA bug 1219 has some good insights on doing this kind of thing correctly. http://bugzilla.spamassassin.org/show_bug.cgi?id=1219 And note that this was considered as an option for *manual* reporting, it was never considered as an automatic thing. You might want to consider looking at Theo's handlespam script and/or using spamcop. From michele at BLACKNIGHTSOLUTIONS.COM Fri Dec 5 20:40:24 2003 
From: michele at BLACKNIGHTSOLUTIONS.COM (Michele Neylon :: Blacknight Solutions) Date: Thu Jan 12 21:21:26 2006 Subject: Ip to country query In-Reply-To: <54C38A0B814C8E438EF73FC76F3629273AE271@mtlnt501fs.CAMOROUTE.COM> Message-ID: > > Has anybody done anything with IP to country regarding > > sources of spam etc? > > what do you mean? do you use mailstats? Gives you stats on countries. > > That uses Geo IP, which is a different data source. The IP to country database is freely available at: http://ip-to-country.webhosting.info/ We are using an older version of mailwatch (http://mailwatch.sourceforge.net/) for statistics on spam etc., as it can log multiple servers to a central MySQL database. However getting some kind of geographical information would be handy :) The IP to country database seems to be fairly comprehensive and could be stored locally, thus decreasing lookup times M From jrudd at UCSC.EDU Fri Dec 5 20:51:53 2003 
From: jrudd at UCSC.EDU (John Rudd) Date: Thu Jan 12 21:21:27 2006 Subject: AOL blocking MailScanner messages! References: <200312050032.hB50WRGr030539@genesis.camaross.net> <20031204170125.B21729@sthomas.net> <20031205100621.A16375@sthomas.net> Message-ID: <3FD0EFE9.F68B869D@ucsc.edu> Steve Thomas wrote: > > On Thu, Dec 04, 2003 at 11:36:24PM -0800, John Rudd is rumored to have said: > > > > 1) So why can't you route all of your outgoing mail through your ISP? > > We don't want or need to. We pay for business class service and run all our own services. The only outside services we rely on are the root DNS servers. > > > (I know, some people do, and some people don't ... I don't, but my > > reverse DNS works, so I don't need to ... but, that IS what you're > > supposed to be doing, so if you're having problems, why not do what > > you're supposed to be doing instead?) > > We're not having problems - I simply pointed out a scenario that is entirely possible. And the questions are framed within that scenario. If you're not having problems in real life, then answer the questions from within the scenario (ie. as if you were having the problem). > And why is relaying through our ISP what we're "supposed to be doing"??!! I thought that what we were "supposed to be doing" is using our Internet connection in any way that pleases us as long as we're not violating our ISP's TOS or breaking any laws. That's one way to look at it. Another is that you're using IP addresses that belong to your ISP, and with the current state of the net many people don't want to receive direct mail connections from end-customers on low end connections (ie. where you don't have enough fixed infrastructure in place that you control everything INCLUDING your reverse DNS).
It's not just that they might be spammers (low end -> non-permanent -> the spammer's "ISP account of the day"), it's that they might be legitimate end users who might be hosting the latest open-proxy trojan that has turned their workstation into a spam relay. Rather than play those whack-a-mole games, you simply block all of those addresses. For some, that means blocking DUL lists, for some they expand that to include DSL customers. And another good way to catch those people is to target people whose reverse DNS isn't properly set up ... because in many cases, it's not set up properly because they don't control it, because they don't own the network address block. So, make those people relay through their ISP, and you don't have to deal with all of those head-aches and potential-whack-a-mole's. It's simple, effective, and doesn't place an unreasonable burden upon the mail senders. > > 2) If you don't control the in-addr for your IP block, then presumably > > it's your ISP's -- so make them fix their in-addr allocation. The > > problem isn't that the in-addr information has to match your mail > > domain, it just has to _exist_ (mail always comes from hosts that don't > > match the mail domain indicated). If it doesn't, and it's not your > > block to host on your DNS server, then your ISP isn't doing their job. > > Make them fix it, or switch to an ISP that isn't broken. > > Again, it's not broken. I only posed a hypothetical scenario. And, again, answer it from within the hypothetical scenario. If you were having the problem, and you didn't control your in-addr block, then it's presumably your ISP's block, so why can't you make them fix it or move to a different ISP if they're not responsible enough to fix it? > > 3) If they won't fix it, then ask them to delegate those addresses to > > you with NS records (which can be done on a per-IP addr basis, it > > doesn't have to be done in full class-C blocks).
> > I think it's pretty clear at this point that you either didn't read or didn't understand my original message. It doesn't fit the very specific case you gave of "what if RR hadn't..", but it does fit the general problem. Just because you don't own the block doesn't mean you can't ask your ISP to delegate the specific in-addr addresses to you so that you can manage them yourself. That WOULD fix the problem for some of the people who have reverse DNS problems. > > Steve > > > On Dec 4, 2003, at 5:01 PM, Steve Thomas wrote: > > > > > > > > On Thu, Dec 04, 2003 at 06:37:34PM -0600, Mike Kercher is rumored to > > > have said: > > >> > > >> If not, admins on the other end need to get off their ass and make > > >> their > > >> networking correct, complete and in compliance with the RFC's. > > > > > > I've only been skimming this thread, so this may have been stated > > > already. If so, I apologize... > > > > > > You're forgetting that reverse dns is a totally different animal than > > > forward, and that just about anyone with less than a /24 (and many > > > with a /24 or larger) don't have the reverse zones delegated to their > > > servers. If I own foo.com, I can easily create any forward entry in > > > the foo.com domain, but making something in the in-addr.arpa domain > > > point to mailserver.foo.com is not nearly as easy. > > > > > > As a for instance, the machine I'm sending this message from is on a > > > RoadRunner network. We've got a block of addresses allocated to us and > > > despite repeated assurances that they would delegate the in-addr.arpa > > > zone for our netblock to our dns server, it's never happened. Now if > > > RR managed to have a corrupt zone file, forgot to generate PTR records > > > for our netblock or for some other reason wasn't on the ball, I'd be > > > "an admin who was sitting on my ass not making my network correct"? I > > > think not. 
My dns server is properly configured to serve requests for > > > the /28 we've been allocated but RR is still in control of the zone. > > > > > > Then there's network outages, software failures, fiber cuts, DDoS > > > attacks, etc, etc to consider. You'll reject mail just because the DNS > > > server serving the in-addr.arpa zone for the connecting machine is > > > unreachable? > > > > > > I can see adding a warning header or something innocuous like that, > > > but outright rejecting mail from machines without RDNS properly > > > configured is overkill, IMHO. > > > > > > > > > Steve > > > > > > > > > -- > > > "Blessed is the man, who having nothing to say, abstains from giving > > > wordy evidence of the fact." > > > - George Eliot (1819-1880) > > -- > "Don't be so humble - you are not that great." > - Golda Meir (1898-1978) to a visiting diplomat From michele at BLACKNIGHTSOLUTIONS.COM Fri Dec 5 21:17:31 2003 From: michele at BLACKNIGHTSOLUTIONS.COM (Michele Neylon :: Blacknight Solutions) Date: Thu Jan 12 21:21:27 2006 Subject: weird ClamAv error Message-ID: ClamAv module blocked this today: The following e-mail messages were found to have viruses in them: Sender: xxxx@xxxxx.net IP Address: 127.0.0.1 Recipient: xxxx@xxxx.de Subject: STL Round 2 MessageID: hB5H9Hi2021280 Report: ClamAV Module: Round2.zip was infected: Oversized Zip It was a valid zip file of a text document. The total size of the file was less than 1kb, so our sysadmin is rather confused - especially as the file was clean Anybody??? Mr. Michele Neylon Blacknight Internet Solutions Ltd http://www.blacknightsolutions.ie/ http://www.search.ie/ Tel. + 353 (0)59 9139897 Lowest price domains in Ireland From DHarding at GILATLA.COM Fri Dec 5 21:16:31 2003 
From: DHarding at GILATLA.COM (Devon Harding - GTHLA) Date: Thu Jan 12 21:21:27 2006 Subject: No subject Message-ID: <97D0DDFA3C2F5B44AAC0960B99E962130172F8CC@VMX.gilatla.com> _____________________ Devon Harding System Administrator Gilat Latin America 954-858-1600 dharding@gilatla.com This e-mail is intended for the above named addressee(s), and may contain information which is confidential or privileged. If you are not the intended recipient, please inform us immediately: you should not copy or use this e-mail for any purpose nor disclose its contents to any person. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20031205/272a4307/attachment.html From kevins at BMRB.CO.UK Fri Dec 5 21:27:45 2003 From: kevins at BMRB.CO.UK (Kevin Spicer) Date: Thu Jan 12 21:21:27 2006 Subject: weird ClamAv error In-Reply-To: References: Message-ID: <1070659669.15679.10.camel@bach.kevinspicer.co.uk> On Fri, 2003-12-05 at 21:17, Michele Neylon :: Blacknight Solutions wrote: > > It was a valid zip file of a text document. The total size of the file was > less than 1kb, so our sysadmin is rather confused - especially as the file > was clean There are thresholds for both total size of zip and compression ratio. The default max compression ratio is currently 20:1 This is rather low actually. If you built clam from source you can tweak this... Direct quote from the clam list... Please edit libclamav/scanners.c, the line 64: #define ZIPOSDET 20 /* FIXME: Make it user definable */ and increase the value to 50. [others have since suggested this should be 70 or higher] From michele at BLACKNIGHTSOLUTIONS.COM Fri Dec 5 21:33:13 2003 
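How a clean text document in a zip of under 1 kB can still exceed the ratio limit Kevin Spicer describes, as an added example (not code from ClamAV, MailScanner or any poster). It assumes the check compares each member's uncompressed-to-compressed size ratio with the threshold; the sample documents and function names are constructed for illustration.

```python
import io
import zipfile

ZIPOSDET = 20  # threshold value quoted in the thread; how it is applied is assumed


def build_zip(name, data):
    """Return the bytes of a one-member, deflate-compressed zip archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, data)
    return buf.getvalue()


def member_ratios(zip_bytes):
    """Return (name, uncompressed, compressed, ratio) for every archive member."""
    rows = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            # Integer ratio; empty members and directories count as 0.
            ratio = info.file_size // info.compress_size if info.compress_size else 0
            rows.append((info.filename, info.file_size, info.compress_size, ratio))
    return rows


def flagged(zip_bytes, max_ratio=ZIPOSDET):
    """Names of members whose ratio reaches the limit (assumed '>=' comparison)."""
    return [name for name, _size, _csize, ratio in member_ratios(zip_bytes)
            if ratio >= max_ratio]


def smallest_passing_threshold(zip_bytes):
    """Lowest limit at which no member of this archive would be flagged."""
    return max((row[3] for row in member_ratios(zip_bytes)), default=0) + 1


# Constructed sample 1: a results sheet made of ruled lines, i.e. clean but
# highly repetitive text of the kind a small tournament document might hold.
RESULTS_TXT = ("STL Round 2\n" + ("-" * 72 + "\n") * 100).encode("ascii")
# Constructed sample 2: ordinary prose, which deflate barely shrinks.
PROSE_TXT = (b"Pairings for round two go out on Friday. Please confirm your "
             b"availability with the organiser before then, and bring a "
             b"printed copy of the rules to the venue.")

ROUND2_ZIP = build_zip("Round2.txt", RESULTS_TXT)
NOTE_ZIP = build_zip("note.txt", PROSE_TXT)

if __name__ == "__main__":
    for label, blob in (("Round2.zip", ROUND2_ZIP), ("note.zip", NOTE_ZIP)):
        print(label, "archive bytes:", len(blob))
        for name, size, csize, ratio in member_ratios(blob):
            print("  %s: %d -> %d bytes, ratio %d:1" % (name, size, csize, ratio))
        for limit in (20, 50, 70):
            print("  limit %d flags: %s" % (limit, flagged(blob, limit)))
        print("  passes from limit", smallest_passing_threshold(blob))
```

The ratio depends on how repetitive the content is, not on how large the archive is, which is why raising the limit to 50 can still leave a small, clean file flagged.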
From: michele at BLACKNIGHTSOLUTIONS.COM (Michele Neylon :: Blacknight Solutions) Date: Thu Jan 12 21:21:27 2006 Subject: weird ClamAv error In-Reply-To: <1070659669.15679.10.camel@bach.kevinspicer.co.uk> Message-ID: If this wasn't a public mailing list my comment would be a lot more blunt :) Curses! (that was restrained) Mr. Michele Neylon Blacknight Internet Solutions Ltd http://www.blacknightsolutions.ie/ http://www.search.ie/ Tel. + 353 (0)59 9139897 Lowest price domains in Ireland > -----Original Message----- > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > Behalf Of Kevin Spicer > Sent: 05 December 2003 21:28 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: weird ClamAv error > > > On Fri, 2003-12-05 at 21:17, Michele Neylon :: Blacknight Solutions > wrote: > > > > It was a valid zip file of a text document. The total size of > the file was > > less than 1kb, so our sysadmin is rather confused - especially > as the file > > was clean > > There are thresholds for both total size of zip and compression ratio. > The default max compression ratio is currently 20:1 This is rather low > actually. If you built clam from source you can tweak this... > > Direct quote from the clam list... > > Please edit libclamav/scanners.c, the line 64: > > #define ZIPOSDET 20 /* FIXME: Make it user definable */ > > and increase the value to 50. > > > [others have since suggested this should be 70 or higher] > From dwinkler at ALGORITHMICS.COM Fri Dec 5 21:38:14 2003 From: dwinkler at ALGORITHMICS.COM (Derek Winkler) Date: Thu Jan 12 21:21:27 2006 Subject: weird ClamAv error Message-ID: <20CEA27AF49D7F4691F02E7ADC5D4ECD04B0CB@tormail2.algorithmics.com> I increased it to 50 and still got this error, maybe I'll try 70. -----Original Message----- 
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Kevin Spicer Sent: Friday, December 05, 2003 4:28 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: weird ClamAv error On Fri, 2003-12-05 at 21:17, Michele Neylon :: Blacknight Solutions wrote: > > It was a valid zip file of a text document. The total size of the file was > less than 1kb, so our sysadmin is rather confused - especially as the file > was clean There are thresholds for both total size of zip and compression ratio. The default max compression ratio is currently 20:1 This is rather low actually. If you built clam from source you can tweak this... Direct quote from the clam list... Please edit libclamav/scanners.c, the line 64: #define ZIPOSDET 20 /* FIXME: Make it user definable */ and increase the value to 50. [others have since suggested this should be 70 or higher] -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20031205/4ae79d67/attachment.html From mkettler at EVI-INC.COM Fri Dec 5 21:43:31 2003 From: mkettler at EVI-INC.COM (Matt Kettler) Date: Thu Jan 12 21:21:27 2006 Subject: [OT] In-Reply-To: <97D0DDFA3C2F5B44AAC0960B99E962130172F8CC@VMX.gilatla.com> References: <97D0DDFA3C2F5B44AAC0960B99E962130172F8CC@VMX.gilatla.com> Message-ID: <6.0.0.22.0.20031205164142.0204c530@xanadu.evi-inc.com> At 04:16 PM 12/5/2003, Devon Harding - GTHLA wrote: >his e-mail is intended for the above named addressee(s), and may contain >information which is confidential or privileged. In fact, the information is so confidential, that it's not even there! WOW! Gotta love HTML messages... 6k of cruft for an empty message. From jrudd at UCSC.EDU Fri Dec 5 22:02:44 2003 
From: jrudd at UCSC.EDU (John Rudd) Date: Thu Jan 12 21:21:27 2006 Subject: Help in testing AV Plugins References: Message-ID: <3FD10084.7EE8F381@ucsc.edu> (I'm cc'ing this to the MailScanner list so that they can run the tests and maybe incorporate these results into their future versions; while I don't care about Outlook, I'm sure others do, and 4/7 of the Outlook tests did get through) Stefan Seiz wrote: > > Hi, > > over on the cgvirusscan list, someone was just running some tests against > our little self made av-scanner which uses Mcafee Virex. It failed on quite > some of the test viruses. > > I'd be interested if anyone on this list could specifically run these tests > using the *real* CommuniGate McAfee Plugin. It'd also be interesting to > know how the other AV Plugins are doing with the tests. > > Here's the url to the tests: > > What I use: MailScanner-4.24-5 (with cgp2ms/ms2cgp) and sophos 3.74 w/current IDE's (the sophos AV/savi engine through MailScanner's sophos-wrapper, not via the CGP plug-in) (my IDE update script runs every night at midnight, so my IDE's are current as of last night at 12am Pacific time). I did all of the tests on that page, including the outlook ones.
Here's what made it through: - Eicar virus sent using BinHex encoding - Outlook 'Space Gap' vulnerability - Outlook 'Blank Folding' Vulnerability - Outlook 'Boundary Space Gap' Vulnerability - Outlook 'Long Boundary' Vulnerability Here's what showed up in my virus folder (with infections removed and replaced by warnings): - Eicar virus sent using BinHex encoding within a MIME segment - (one with a fragmented message, which I think is the second-to-the-last Outlook one, but the message itself was removed and only the warning was present) - A file with a CLSID extension which may hide the real file extension So, those had been cleaned, but got through because they weren't technically viruses according to which MailScanner rules had blocked them (they were blocked because they had dangerous formatting, which was triggered before it determined whether or not they had viruses). The first was blocked because it was a .com file, and we block .com files. The second was blocked because we block fragmented messages. The third was blocked because we block attachments that appear to have multiple file extensions (like foo.txt.exe) because that can mean it's someone trying to sneak an executable through. (and when I say "we block", I mean "we have configured MailScanner to block") ALL of the other messages were completely removed, they never even made it to my virus folder. So, 1/20 that I care about got through. 5/20 could have deployed their payload (4 of those on Outlook, where my standard response is "that's what you get for using Outlook"). 12/20 were silently deleted. Seems decent. There's a little room for improvement, though. It would be nice if MailScanner had been able to open up the BinHex attachment, but it may be that MailScanner expects the AV engine to take that into account. I'm not sure. Unlike John Radel, my MailScanner (using Sophos instead of F-Prot) _DID_ block the "Eicar virus sent using BinHex encoding within a MIME segment" one. 
That might be because of MailScanner versions, or it might be because it really is an AV engine issue (where John Radel thought it was probably more of a MailScanner issue). John From res at AUSICS.NET Fri Dec 5 22:20:31 2003 From: res at AUSICS.NET (Res) Date: Thu Jan 12 21:21:27 2006 Subject: AOL blocking MailScanner messages! In-Reply-To: References: <200312050032.hB50WRGr030539@genesis.camaross.net> Message-ID: Jeff, On Fri, 5 Dec 2003, Jeff A. Earickson wrote: > Y'all, > I ran Rickert's sendmail ruleset for about 6 hours yesterday, then > removed it and looked at the 500 sendmail rejects that it generated > for the "Fix reverse DNS" error. I rejected emails from 364 unique > IP numbers. I wrote a script to do a whois on these numbers and the > info was ugly. Yes I was rejecting probable spam from APNIC, but I > also zapped a lot of stuff from other universities, McGraw-Hill books > and other publishers, Amazon (the original spammers!), IBM, the FAA (!), > etc. I expect to hear some screaming about my experiment. > > While I think this is a great idea in theory, in practice it does a > lot of collateral damage. I'll let AOL reform the world before Can you explain why we should operate non compliant mail servers? JUST to get mail from other non compliant mail servers? Sure, RFC1912 is not law, but it's there and it's there for a good reason, so do we now start to ignore other RFC's ? or just the ones we don't like? When these people get all their bounced mails they soon get the picture, complain to their IT unit who in turn should get off their lazy asses and fix what should have been setup correctly in the first place! There are just too many lazy incompetant idiots in the IT industry. -- Regards, Res Network Administrator Postmaster / Abusemaster / Flamemaster http://www.ausics.net Australian Hosting Services From ka at PACIFIC.NET Fri Dec 5 23:14:56 2003
From: ka at PACIFIC.NET (Ken Anderson) Date: Thu Jan 12 21:21:27 2006 Subject: AOL blocking MailScanner messages! In-Reply-To: References: <200312050032.hB50WRGr030539@genesis.camaross.net> Message-ID: <3FD11170.20205@pacific.net> Res wrote: > Jeff, > > On Fri, 5 Dec 2003, Jeff A. Earickson wrote: > > >>Y'all, >> I ran Rickert's sendmail ruleset for about 6 hours yesterday, then >>removed it and looked at the 500 sendmail rejects that it generated >>for the "Fix reverse DNS" error. I rejected emails from 364 unique >>IP numbers. I wrote a script to do a whois on these numbers and the >>info was ugly. Yes I was rejecting probable spam from APNIC, but I >>also zapped a lot of stuff from other universities, McGraw-Hill books >>and other publishers, Amazon (the original spammers!), IBM, the FAA (!), >>etc. I expect to hear some screaming about my experiment. >> >>While I think this is a great idea in theory, in practice it does a >>lot of collateral damage. I'll let AOL reform the world before > > > > Can you explain why we should operate non compliant mail servers? JUST to > get mail from other non compliant mail servers? Is accepting mail from non-compliant servers non-compliant? > Sure, RFC1912 is not law, but it's there and it's there for a good reason, > so do we now start to ignore other RFC's ? or just the ones we don't like? > > When these people get all their bounced mails they soon get the picture, > complain to their IT unit who in turn should get off their lazy asses and > fix what should have been setup correctly in the first place! > There are just too many lazy incompetant idiots in the IT industry. > > -- > Regards, > Res > Network Administrator > Postmaster / Abusemaster / Flamemaster > http://www.ausics.net Australian Hosting Services > > From jim at ENTROPHY-FREE.NET Fri Dec 5 23:53:36 2003
From: jim at ENTROPHY-FREE.NET (Jim Levie) Date: Thu Jan 12 21:21:27 2006 Subject: Red Hat Advanced Server Academic Edition In-Reply-To: References: Message-ID: <1070668416.5370.2.camel@chaos.entrophy-free.net> On Fri, 2003-12-05 at 09:23, Raymond Dijkxhoorn wrote: > Hi! > > > This gives you access to ISOs and RHN updates for versions 2.1 and 3.0. > > I can confirm that MailScanner works fine on RHAS 2.1 (which is based > > on RH 7.2) with either the supplied sendmail or Exim. I haven't tried > > version 3.0, but if MailScanner works on RH 8 and 9 it should be OK. > > Works ok on RHEL 3.0 also. Runs faster then my 1:1 equal server with RH9. > I'll second that. My load test showed 3.0 ES to be almost 20% faster than RH 9 on the same hardware. -- The instructions said to use Windows 98 or better, so I installed RedHat. From dan.farmer at PHONEDIR.COM Fri Dec 5 23:56:29 2003 
From: dan.farmer at PHONEDIR.COM (Dan Farmer) Date: Thu Jan 12 21:21:27 2006 Subject: AOL blocking MailScanner messages! In-Reply-To: References: <200312050032.hB50WRGr030539@genesis.camaross.net> Message-ID: On Dec 5, 2003, at 3:20 PM, Res wrote: > Jeff, > > On Fri, 5 Dec 2003, Jeff A. Earickson wrote: > >> Y'all, >> I ran Rickert's sendmail ruleset for about 6 hours yesterday, then >> removed it and looked at the 500 sendmail rejects that it generated >> for the "Fix reverse DNS" error. I rejected emails from 364 unique >> IP numbers. I wrote a script to do a whois on these numbers and the >> info was ugly. Yes I was rejecting probable spam from APNIC, but I >> also zapped a lot of stuff from other universities, McGraw-Hill books >> and other publishers, Amazon (the original spammers!), IBM, the FAA >> (!), >> etc. I expect to hear some screaming about my experiment. >> >> While I think this is a great idea in theory, in practice it does a >> lot of collateral damage. I'll let AOL reform the world before > > > Can you explain why we should operate non compliant mail servers? JUST > to > get mail from other non compliant mail servers? Uh, aren't these blocking rules non-default configurations? So you're saying that 99% of mail servers are non-compliant as installed because they don't block servers with missing rdns? > Sure, RFC1912 is not law, but it's there and it's there for a good > reason, > so do we now start to ignore other RFC's ? or just the ones we don't > like? > > When these people get all their bounced mails they soon get the > picture, > complain to their IT unit who in turn should get off their lazy asses > and > fix what should have been setup correctly in the first place! Having used these blocks for nearly a month on real production servers, what really happens is this: user1@remotedomain.com sends mail to user2@ourdomain.com, they get the reject and don't read it.
They proceed to contact user2 by phone to say their mail was rejected and they don't know why. user1 then sends mail to user2@homedomain.com and it goes through fine since homedomain.com isn't blocking missing rdns. Since user1 gets their mail through fine to user2's home/alternate address, they never say anything to their mail server admin, but user2 complains that ourdomain.com is blocking customer/business emails and they can't do their work. And user2 is right - ourdomain.com may be trying to limit spam/viruses/etc by requiring other mail servers to have proper rdns, but it is the server "blocking" legitimate mail (legitimate mail = non-spam, non-virus, business/personal communication, albeit from a server with no rdns) Servers can get away with incorrect/bad rdns simply because 99% of servers will not bounce their messages back, which is why it is a good sign that a large force like AOL is starting to push in that direction, it will make it easier on us when we decide to implement these changes. > There are just too many lazy incompetant idiots in the IT industry. ^-ent Not sure if you're directing this at the non-compliant server admins or the 99% of server admins who aren't blocking like you, but this isn't a black or white issue (I once thought it was, and I spent a month trying to prove it, unsuccessfully.) I will re-implement the blocking when it becomes more commonplace, but I agree with Jeff - I'll let AOL blaze the initial path, in hopes that when I re-implement 99% of servers will be compliant and our users won't be so inconvenienced by it. > -- > Regards, > Res > Network Administrator > Postmaster / Abusemaster / Flamemaster > http://www.ausics.net Australian Hosting Services > From res at AUSICS.NET Fri Dec 5 23:58:46 2003
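The distinctions argued over in this thread (PTR missing, PTR present but not matching the A record, reverse zone unreachable; reject versus warning header), as an added example that is not part of any poster's message or of MailScanner or sendmail. The zone data uses documentation address ranges and is constructed; the resolver stubs, policy names and the `X-RDNS-Warning` header are hypothetical.

```python
import ipaddress
from collections import Counter


class TempFail(Exception):
    """The resolver got no usable answer (timeout, SERVFAIL, unreachable server)."""


# Constructed zone data so the example runs offline.
PTR_ZONE = {
    "10.2.0.192.in-addr.arpa": ["mail.example.com"],
    "20.2.0.192.in-addr.arpa": ["host20.isp.example.net"],
    "25.2.0.192.in-addr.arpa": ["mx.example.edu"],
}
A_ZONE = {
    "mail.example.com": ["192.0.2.10"],
    "host20.isp.example.net": ["192.0.2.20"],
    "mx.example.edu": ["198.51.100.7"],  # forward record points somewhere else
}
UNREACHABLE = {"40.2.0.192.in-addr.arpa"}  # reverse zone whose server is down


def lookup_ptr(rname):
    """Stub resolver: PTR targets for a reverse name, [] if none exist."""
    if rname in UNREACHABLE:
        raise TempFail(rname)
    return PTR_ZONE.get(rname, [])


def lookup_a(host):
    """Stub resolver: addresses for a host name, [] if none exist."""
    return A_ZONE.get(host, [])


def check_rdns(ip, ptr=lookup_ptr, a=lookup_a):
    """Classify a connecting IP as 'ok', 'no-ptr', 'mismatch' or 'tempfail'."""
    rname = ipaddress.ip_address(ip).reverse_pointer  # e.g. 10.2.0.192.in-addr.arpa
    try:
        names = ptr(rname)
        if not names:
            return "no-ptr"
        # RFC 1912 style check: some PTR target must resolve back to this IP.
        if any(ip in a(name.rstrip(".")) for name in names):
            return "ok"
        return "mismatch"
    except TempFail:
        return "tempfail"


def smtp_action(result, policy):
    """Map a check result to (action, detail) under one of two policies."""
    if result == "ok":
        return ("accept", None)
    if policy == "tag":  # accept everything, record the finding in a header
        return ("accept", "X-RDNS-Warning: " + result)
    if policy == "reject":  # refuse only when no PTR exists at all
        if result == "no-ptr":
            return ("550", "Fix reverse DNS")
        if result == "tempfail":
            return ("451", "reverse lookup failed, try again later")
        return ("accept", None)  # a PTR exists; the name need not match
    raise ValueError("unknown policy: " + policy)


def tally(ips, policy):
    """Count the actions a policy would take over a list of connecting IPs."""
    return Counter(smtp_action(check_rdns(ip), policy)[0] for ip in ips)


# Constructed connection list: two clean hosts, one mismatch, one without a
# PTR record, and one whose reverse zone cannot be reached.
CONNECTIONS = ["192.0.2.10", "192.0.2.20", "192.0.2.25", "192.0.2.30", "192.0.2.40"]

if __name__ == "__main__":
    for ip in CONNECTIONS:
        result = check_rdns(ip)
        print(ip, result, smtp_action(result, "reject"), smtp_action(result, "tag"))
    print(dict(tally(CONNECTIONS, "reject")), dict(tally(CONNECTIONS, "tag")))
```

Deferring with a 4xx code on lookup failure keeps a DNS outage from turning into a permanent bounce, which is the case Steve Thomas raises earlier in the thread.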
From: res at AUSICS.NET (Res) Date: Thu Jan 12 21:21:27 2006 Subject: AOL blocking MailScanner messages! In-Reply-To: <3FD11170.20205@pacific.net> References: <200312050032.hB50WRGr030539@genesis.camaross.net> <3FD11170.20205@pacific.net> Message-ID: On Fri, 5 Dec 2003, Ken Anderson wrote: > > Can you explain why we should operate non compliant mail servers? JUST to > > get mail from other non complaint mail servers? > > Is accepting mail from non-compliant servers non-compliant? Well, that comes down to each individuals interpretation, mine is yes, a non compliant server, is in effect 'broken', why should my network be at risk from somthing a broken server sends, I mean if you know a server is an open relay, do you knowingly allow it to send mail into your network? -- Regards, Res Network Administrator Postmaster / Abusemaster / Flamemaster http://www.ausics.net Australian Hosting Services From res at AUSICS.NET Sat Dec 6 00:10:37 2003 
From: res at AUSICS.NET (Res) Date: Thu Jan 12 21:21:27 2006 Subject: AOL blocking MailScanner messages! In-Reply-To: References: <200312050032.hB50WRGr030539@genesis.camaross.net> Message-ID: On Fri, 5 Dec 2003, Dan Farmer wrote: > > Can you explain why we should operate non compliant mail servers? JUST > > to > > get mail from other non complaint mail servers? > > Uh, aren't these blocking rules non-default configurations? So you're > saying that 99% of mail servers are non-compliant as installed because > they don't block servers with missing rdns? In there default configuration, sendmail and qmail only get fussy about forwards. > Having used these blocks for nearly a month on real production servers, likewise, 100's of emails a minute 24/7, we've had about 8 complaints all told. > what really happens is this: user1@remotedomain.com sends mail to > user2@ourdomain.com, they get the reject and don't read it. They If they dont read a reject message why is that our fault. > Servers can get away with incorrect/bad rdns simply because 99% of > servers will not bounce their messages back, which is why it is a good > sign that a large force like AOL is starting to push in that direction, > it will make it easier on us when we decide to implement these changes. > > There are just too many lazy incompetant idiots in the IT industry. > ^-ent > > Not sure if you're directing this at the non-compliant server admins or > the 99% of server admins who aren't blocking like you, but this isn't a Anyone who sets up a server that any part directly or indirectly is not correct, fits in that class. It is more so with DNS related material. -- Regards, Res Network Administrator Postmaster / Abusemaster / Flamemaster http://www.ausics.net Australian Hosting Services From res at AUSICS.NET Sat Dec 6 00:04:17 2003 
From: res at AUSICS.NET (Res) Date: Thu Jan 12 21:21:27 2006 Subject: AOL blocking MailScanner messages! In-Reply-To: <3FD0B0B9.4000908@nucci.com.br> References: <6.0.0.22.0.20031203194846.01fcbd50@xanadu.evi-inc.com> <6.0.0.22.0.20031203205539.02ab9a18@xanadu.evi-inc.com> <3FD0B0B9.4000908@nucci.com.br> Message-ID: Hi Ivan, On Fri, 5 Dec 2003, Ivan Mirisola wrote: > fact reject mail based on RDNS we are just forcing those who have a > bronken DNS configuration to fix their RR records, that?s all. The vast majority of spam in this region comes from Asia/Europe, and the majority of them have no PTR, our spam levels dropped like you'd never believe when we implimented these checks. However the use of a DNSBL that checks for residential IP/Hostname groups would be advantageous to you. -- Regards, Res Network Administrator Postmaster / Abusemaster / Flamemaster http://www.ausics.net Australian Hosting Services From ka at PACIFIC.NET Sat Dec 6 00:59:13 2003 
From: ka at PACIFIC.NET (Ken Anderson) Date: Thu Jan 12 21:21:27 2006 Subject: AOL blocking MailScanner messages! In-Reply-To: References: <200312050032.hB50WRGr030539@genesis.camaross.net> <3FD11170.20205@pacific.net> Message-ID: <3FD129E1.2060901@pacific.net> Res wrote: > On Fri, 5 Dec 2003, Ken Anderson wrote: > > >>>Can you explain why we should operate non compliant mail servers? JUST to >>>get mail from other non compliant mail servers? >> >>Is accepting mail from non-compliant servers non-compliant? > > > Well, that comes down to each individual's interpretation, mine is yes, a > non compliant server, is in effect 'broken', why should my network be at > risk from something a broken server sends, I mean if you know a server is > an open relay, do you knowingly allow it to send mail into your network? That's not an rfc, that's not non-compliance. That's your interpretation (or rather opinion). But if that works for you, that's great. I have customers, and it's their interpretation that quickly becomes my problem if I block mail from their relatives. :-) Ken Pacific.Net > > -- > Regards, > Res > Network Administrator > Postmaster / Abusemaster / Flamemaster > http://www.ausics.net Australian Hosting Services > > From chris at trudeau.org Sat Dec 6 05:14:13 2003 
From: chris at trudeau.org (Chris Trudeau) Date: Thu Jan 12 21:21:27 2006 Subject: AOL blocking MailScanner messages! In-Reply-To: Message-ID: <000101c3bbb7$c9b00070$23c8a8c0@serv> There (in my interpretation) is no reference to reverse records in the RFC cited below that address mail flow relative to PTR (reverse) records anywhere. The RFC clearly states: Make sure your PTR and A records match. For every IP address, there should be a matching PTR record in the in-addr.arpa domain. If a host is multi-homed, (more than one IP address) make sure that all IP addresses have a corresponding PTR record (not just the first one). Failure to have matching PTR and A records can cause loss of Internet services similar to not being registered in the DNS at all. Also, PTR records must point back to a valid A record, not a alias defined by a CNAME. It is highly recommended that you use some software which automates this checking, or generate your DNS data from a database which automatically creates consistent data. That a PTR record should exist. Unfortunately, it says that for every A record, a PTR should exist. While that IS valid, I'm not sure, I understand how that relates to a configurable entry on almost every MTA created. Methinks the thread has taken a bad turn...and should either be brought back on course or abandoned altogether. CT -----Original Message----- 
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Res Sent: Friday, December 05, 2003 5:21 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: AOL blocking MailScanner messages! Jeff, On Fri, 5 Dec 2003, Jeff A. Earickson wrote: > Y'all, > I ran Rickert's sendmail ruleset for about 6 hours yesterday, then > removed it and looked at the 500 sendmail rejects that it generated > for the "Fix reverse DNS" error. I rejected emails from 364 unique > IP numbers. I wrote a script to do a whois on these numbers and the > info was ugly. Yes I was rejecting probable spam from APNIC, but I > also zapped a lot of stuff from other universities, McGraw-Hill books > and other publishers, Amazon (the original spammers!), IBM, the FAA (!), > etc. I expect to hear some screaming about my experiment. > > While I think this is a great idea in theory, in practice it does a > lot of collateral damage. I'll let AOL reform the world before Can you explain why we should operate non compliant mail servers? JUST to get mail from other non compliant mail servers? Sure, RFC1912 is not law, but it's there and it's there for a good reason, so do we now start to ignore other RFCs? Or just the ones we don't like? When these people get all their bounced mails they soon get the picture, complain to their IT unit who in turn should get off their lazy asses and fix what should have been setup correctly in the first place! There are just too many lazy incompetant idiots in the IT industry. -- Regards, Res Network Administrator Postmaster / Abusemaster / Flamemaster http://www.ausics.net Australian Hosting Services From harryh at CET.COM Sat Dec 6 05:16:50 2003 
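The PTR/A consistency check from the RFC 1912 passage quoted in Chris Trudeau's message, as an added example (not code from any list member or from MailScanner). It covers the multi-homed and CNAME cases the passage names and tallies verdicts for a batch of client addresses without rejecting anything. The record tables are constructed from documentation address ranges, and the function names and verdict labels are assumptions made for this illustration.

```python
import ipaddress
import socket
from collections import Counter

# Constructed sample records (documentation address ranges, not real hosts).
PTR = {
    "192.0.2.10": ["mail.example.org."],
    "192.0.2.20": ["host20.example.net"],
    "192.0.2.30": ["www.example.com"],
    "2001:db8::25": ["mx6.example.org"],
    # 192.0.2.11 and 192.0.2.40 deliberately have no PTR record.
}
# name -> (canonical name, addresses); canonical != name means a CNAME alias.
FWD = {
    "mail.example.org": ("mail.example.org", ["192.0.2.10", "192.0.2.11"]),
    "host20.example.net": ("host20.example.net", ["198.51.100.7"]),
    "www.example.com": ("web.example.com", ["192.0.2.30"]),
    "mx6.example.org": ("mx6.example.org", ["2001:db8:0:0:0:0:0:25"]),
}


def sample_ptr(ip):
    """PTR lookup against the constructed table."""
    return PTR.get(str(ipaddress.ip_address(ip)), [])


def sample_fwd(name):
    """Forward lookup against the constructed table."""
    return FWD.get(name, (name, []))


def live_ptr(ip):
    """PTR lookup through the system resolver (needs network access)."""
    try:
        host, aliases, _ = socket.gethostbyaddr(ip)
    except (socket.herror, socket.gaierror):
        return []
    return [host] + aliases


def live_fwd(name):
    """Forward lookup through the system resolver (needs network access)."""
    try:
        infos = socket.getaddrinfo(name, None, flags=socket.AI_CANONNAME)
    except socket.gaierror:
        return name, []
    canonical = (infos[0][3] or name).rstrip(".").lower()
    # Drop any IPv6 scope suffix so the address parses on older Pythons.
    return canonical, sorted({info[4][0].split("%")[0] for info in infos})


def check_fcrdns(ip, ptr_lookup=sample_ptr, fwd_lookup=sample_fwd):
    """Return (verdict, ptr_names) for a connecting IP address.

    pass     - a PTR name resolves straight back to this address
    alias    - it resolves back, but only through a CNAME alias
    mismatch - PTR names exist, none resolves back to this address
    no_ptr   - the address has no PTR record at all
    """
    addr = ipaddress.ip_address(ip)
    names = [n.rstrip(".").lower() for n in ptr_lookup(ip)]
    if not names:
        return "no_ptr", []
    verdict = "mismatch"
    for name in names:
        canonical, addresses = fwd_lookup(name)
        if addr not in {ipaddress.ip_address(a) for a in addresses}:
            continue
        if canonical == name:
            return "pass", names
        verdict = "alias"
    return verdict, names


def audit(ips, ptr_lookup=sample_ptr, fwd_lookup=sample_fwd):
    """Tally verdicts for a batch of client IPs before enforcing any block."""
    return Counter(check_fcrdns(ip, ptr_lookup, fwd_lookup)[0] for ip in ips)


if __name__ == "__main__":
    clients = ["192.0.2.10", "192.0.2.11", "192.0.2.20",
               "192.0.2.30", "192.0.2.40", "2001:db8::25"]
    for client in clients:
        print(client, *check_fcrdns(client))
    print(dict(audit(clients)))
```

Passing `live_ptr` and `live_fwd` as the two lookup arguments runs the same check against the system resolver instead of the constructed tables.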
From: harryh at CET.COM (Harry Hanson) Date: Thu Jan 12 21:21:27 2006 Subject: Mailscanner/freebsd 5.1/postfix In-Reply-To: <6.0.1.1.2.20031202084537.03c21008@imap.ecs.soton.ac.uk> Message-ID: <200312060517.hB65HCfX013515@fili.jiscmail.ac.uk> Trying to get it setup. Have it all installed and configured, however I can't seem to get MS to start. /usr/local/libexec/MailScanner: Permission denied Tho from docs I am unclear on how exactly it needs to be set up to start. Any advice? Thanks. From res at AUSICS.NET Sat Dec 6 05:32:25 2003 
From: res at AUSICS.NET (Res) Date: Thu Jan 12 21:21:27 2006 Subject: AOL blocking MailScanner messages! In-Reply-To: <3FD129E1.2060901@pacific.net> References: <200312050032.hB50WRGr030539@genesis.camaross.net> <3FD11170.20205@pacific.net> <3FD129E1.2060901@pacific.net> Message-ID: On Fri, 5 Dec 2003, Ken Anderson wrote: > > Well, that comes down to each individual's interpretation, mine is yes, a > > non compliant server, is in effect 'broken', why should my network be at > > risk from something a broken server sends, I mean if you know a server is > > an open relay, do you knowingly allow it to send mail into your network? > > That's not an rfc, that's not non-compliance. That's your interpretation not but RFC1912 is. > (or rather opinion). But if that works for you, that's great. much like it is yours :) > I have customers, and it's their interpretation that quickly becomes my > problem if I block mail from their relatives. :-) Well, like I said, 8 complaints... 140K emails a day, now even if I took those 8 in just one day, that's like .000005 of a percent, but it's worse, because those 8 are for ever, total.. IOW it's so few it doesn't even register. But yes it surprises me because 2 of them were large banking corps, 4 Govt depts, and the other couple were pvt companies. -- Regards, Res Network Administrator Postmaster / Abusemaster / Flamemaster http://www.ausics.net Australian Hosting Services From res at AUSICS.NET Sat Dec 6 06:00:18 2003 
From: res at AUSICS.NET (Res) Date: Thu Jan 12 21:21:27 2006 Subject: AOL blocking MailScanner messages! Message-ID: On Sat, 6 Dec 2003, Chris Trudeau wrote: > That a PTR record should exist. Unfortunately, it says that for every A > record, a PTR should exist. While that IS valid, I'm not sure, I By your own quote, in particular to the commencement of the second sentence: > The RFC clearly states: Make sure your PTR and A records match. For every IP address, there should be a matching PTR record in the in-addr.arpa domain. -- Regards, Res Network Administrator Postmaster / Abusemaster / Flamemaster http://www.ausics.net Australian Hosting Services From mike at TC3NET.COM Fri Dec 5 15:46:44 2003 From: mike at TC3NET.COM (Michael Baird) Date: Thu Jan 12 21:21:27 2006 Subject: Could not analyze. Message-ID: <1070639204.8601.22.camel@mike-new2.tc3net.com> Suddenly I seem to be getting customer complaints about MailScanner sending these messages back to the clients. My Virus Scanner appears to be working properly, what other factors would cause such errors, (they seem to be forwarded messages). I'm using MailScanner-4.25-9/Mcafee Uvscan, max attachments per message = 10. Regards MIKE At Fri Dec 5 08:37:00 2003 the virus scanner said: Could not analyze message From P.G.M.Peters at utwente.nl Sat Dec 6 14:35:57 2003 From: P.G.M.Peters at utwente.nl (Peter Peters) Date: Thu Jan 12 21:21:27 2006 Subject: Ip to country query In-Reply-To: References: Message-ID: On Fri, 5 Dec 2003 17:07:11 -0000, you wrote: >Has anybody done anything with IP to country regarding sources of spam etc? I believe zz.countries.nerd.dk gives the ISO-code of the country. -- Peter Peters, senior netwerkbeheerder Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE) Universiteit Twente, Postbus 217, 7500 AE Enschede telefoon: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/civ From mailscanner at ecs.soton.ac.uk Sat Dec 6 14:45:05 2003 
From: mailscanner at ecs.soton.ac.uk (mailscanner@ecs.soton.ac.uk) Date: Thu Jan 12 21:21:27 2006 Subject: NOTIFY-New Guestbook Entry Message-ID: <200312061445.hB6Ej5Pc011234@seer.ecs.soton.ac.uk> New Guestbook-Entry from Johannes Hoen MailScanner + SpamAssassin is the most powerful team against spam and viruses.



Thanks and go on!



From stiret at ONEREDSHOE.NET Sun Dec 7 16:35:25 2003
From: stiret at ONEREDSHOE.NET (Scott Tiret)
Date: Thu Jan 12 21:21:27 2006
Subject: Mailwatch Installation
Message-ID: <1070814925.4347.13.camel@alain.oneredshoe.net>

Greetings,

I'm having some trouble installing MailWatch on Gentoo.

detta MailScanner # bin/check_mailscanner
Starting MailScanner...
syntax error at /opt/MailScanner/lib/MailScanner/CustomConfig.pm line 143, near "my "
Global symbol "$WhitelistDir" requires explicit package name at /opt/MailScanner/lib/MailScanner/CustomConfig.pm line 143.
BEGIN not safe after errors--compilation aborted at /opt/MailScanner/lib/MailScanner/CustomConfig.pm line 146.
Compilation failed in require at /opt/MailScanner/bin/MailScanner line 43.
BEGIN failed--compilation aborted at /opt/MailScanner/bin/MailScanner line 43.

I've checked and changed the directory locations in CustomConfig.pm at line 143

# Set these to be the location of your whitelist files and blacklist
files
my $WhitelistDir = '/opt/MailScanner/etc/spam.bydomain/whitelist';
my $BlacklistDir = '/opt/MailScanner/etc/spam.bydomain/blacklist';

The directories exist and there does not appear to be any problem with the syntax. Any suggestions?

Thanks very much,

--
Scott Tiret 04458494
Scott Tiret stiret AT oneredshoe DOT net
Fingerprint = EA80 6414 79DC 6D7D 992F 2F98 F93C 9CB9 0445 8494

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20031207/69fa5346/attachment.bin

From mailscanner at ecs.soton.ac.uk Sun Dec 7 16:57:46 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:27 2006 Subject: Mailwatch Installation In-Reply-To: <1070814925.4347.13.camel@alain.oneredshoe.net> References: <1070814925.4347.13.camel@alain.oneredshoe.net> Message-ID: <6.0.1.1.2.20031207165541.03e02340@imap.ecs.soton.ac.uk> At 16:35 07/12/2003, you wrote: >I've checked and changed the directory locations in CustomConfig.pm at >line 143 > ># Set these to be the location of your whitelist files and blacklist >files >my $WhitelistDir = '/opt/MailScanner/etc/spam.bydomain/whitelist'; >my $BlacklistDir = '/opt/MailScanner/etc/spam.bydomain/blacklist'; It looks like you may have made the comment line split itself over 2 lines. Make sure it is only 1 line, or else put a # at the start of the 2nd line. -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From stiret at ONEREDSHOE.NET Sun Dec 7 17:09:43 2003 
From: stiret at ONEREDSHOE.NET (Scott Tiret) Date: Thu Jan 12 21:21:27 2006 Subject: Mailwatch Installation In-Reply-To: <6.0.1.1.2.20031207165541.03e02340@imap.ecs.soton.ac.uk> References: <1070814925.4347.13.camel@alain.oneredshoe.net> <6.0.1.1.2.20031207165541.03e02340@imap.ecs.soton.ac.uk> Message-ID: <1070816983.4348.16.camel@alain.oneredshoe.net> On Sun, 2003-12-07 at 11:57, Julian Field wrote: > It looks like you may have made the comment line split itself over 2 lines. > Make sure it is only 1 line, or else put a # at the start of the 2nd line. The mail client just wrapped the line. The actual CustomConfig.pm has # Set these to be the location of your whitelist files and blacklist files all on the same line. -- Scott Tiret 04458494 Scott Tiret stiret AT oneredshoe DOT net Fingerprint = EA80 6414 79DC 6D7D 992F 2F98 F93C 9CB9 0445 8494 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: This is a digitally signed message part Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20031207/f25d2218/attachment.bin From Jan-Peter.Koopmann at SECEIDOS.DE Mon Dec 8 07:31:29 2003 From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann) Date: Thu Jan 12 21:21:27 2006 Subject: Could not analyze. Message-ID: > At Fri Dec 5 08:37:00 2003 the virus scanner said: > Could not analyze message Can you give us any more input on the messages that cause this? Attachment yes/no? Encrypted yes/no? Etc. Regards, JP From john at zol.co.zw Mon Dec 8 08:22:33 2003 
From: john at zol.co.zw (John Sheppard) Date: Thu Jan 12 21:21:27 2006 Subject: clamav-0.65 on RH7.3 Message-ID: <3FD450E9.17286.10DBD00@localhost> Hi all I am relatively new to this list so pardon me if this question has been asked and answered previously. I am trying to install clamav-0.65-2 and MS 4.24-5 on a RedHat 7.3 system. The kernel is 2.4.20-24.7 and the version of glibc is 2.2.5- 44. rpm -ivh clamav-0.65-2.i386.rpm gives me: error: failed dependencies libc.so.6 (GLIBC_2.3) is needed by clamav -0.65-2. On checking the RedHat site I see that glibc-2.3 is apparently not available for RH7.3 but is available for RH8.0 What next? Give up on RH7.3 and move to RH8? All comments gratefully received! Regards John Sheppard -- John Sheppard john@zol.co.zw 211 Harare Drive Cell: 011 704 220 Mount Pleasant Phone (263 4) 884783 HARARE Fax: (263 4) 850653 Zimbabwe From vinayak at THEARGONCOMPANY.COM Mon Dec 8 08:34:27 2003 
From: vinayak at THEARGONCOMPANY.COM (Vinayakam Murugan) Date: Thu Jan 12 21:21:27 2006 Subject: MailScanner overrides HoldExpensive feature in Sendmail? Message-ID: <200312081404.27234.vinayak@theargoncompany.com> Hi We are using Sendmail 8.12.8 along with MailScanner 4.21. We would like to have the HoldExpensive feature enabled in Sendmail so that sendmail does not deliver mail immediately. However ever since we have started MailScanner, we notice that mail gets delivered immediately. Anybody faced this before? Any pointers on what settings could be tweaked? -- Warm Regards ~~~~~~~~~~~~~~~~~~~~~~~ Vinayakam Murugan Manager - Software The Argon Company 7th floor, Nanavati Mahalaya, 18, Homi Modi Street, Fort, Mumbai 400 023. Tel: 91-22 - 2288 2163 Ext 118 Help Desk: 91-22 - 2288 2774 Fax Number: 91-22 - 2288 2812 http://www.TheArgonCompany.com Viruses getting you down? Get your virus protected mailbox at http://www.tassm.com It's not just about natural talent ? it's about perseverance, about putting building blocks in place, about focusing on the processes not the results. From martinh at SOLID-STATE-LOGIC.COM Mon Dec 8 08:46:19 2003 
From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth) Date: Thu Jan 12 21:21:27 2006 Subject: Mailscanner/freebsd 5.1/postfix In-Reply-To: <200312060517.hB65HCfX013515@fili.jiscmail.ac.uk> References: <200312060517.hB65HCfX013515@fili.jiscmail.ac.uk> Message-ID: <3FD43A5B.3050507@solid-state-logic.com> Harry Hanson wrote: > Trying to get it setup. Have it all installed and configured, however I > can't seem to get MS to start. > > /usr/local/libexec/MailScanner: Permission denied > > Tho from docs I am unclear on how exaclty it needs to be set up to start. > > Any advice? Thanks. Harry check that the MailScanner script is executable and that /usr/bin/perl is installed (it's not by default on 5.x). Also the debug flag in MailScanner.conf can be helpful in trying to figure out what's happening, as are the log files in /var/log/maillog. -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 ********************************************************************** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean. ********************************************************************** From martinh at SOLID-STATE-LOGIC.COM Mon Dec 8 08:48:04 2003 
From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth) Date: Thu Jan 12 21:21:27 2006 Subject: Mailwatch Installation In-Reply-To: <1070816983.4348.16.camel@alain.oneredshoe.net> References: <1070814925.4347.13.camel@alain.oneredshoe.net> <6.0.1.1.2.20031207165541.03e02340@imap.ecs.soton.ac.uk> <1070816983.4348.16.camel@alain.oneredshoe.net> Message-ID: <3FD43AC4.5080103@solid-state-logic.com> Scott Tiret wrote: > On Sun, 2003-12-07 at 11:57, Julian Field wrote: > > >>It looks like you may have made the comment line split itself over 2 lines. >>Make sure it is only 1 line, or else put a # at the start of the 2nd line. > > > The mail client just wrapped the line. The actual CustomConfig.pm has > > # Set these to be the location of your whitelist files and blacklist > files > > all on the same line. > Scott take out the ' characters in the whitelist defns... -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 From martinh at SOLID-STATE-LOGIC.COM Mon Dec 8 08:51:00 2003 
From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth) Date: Thu Jan 12 21:21:27 2006 Subject: Mailwatch Installation In-Reply-To: <1070816983.4348.16.camel@alain.oneredshoe.net> References: <1070814925.4347.13.camel@alain.oneredshoe.net> <6.0.1.1.2.20031207165541.03e02340@imap.ecs.soton.ac.uk> <1070816983.4348.16.camel@alain.oneredshoe.net> Message-ID: <3FD43B74.2050600@solid-state-logic.com> Scott Tiret wrote: > On Sun, 2003-12-07 at 11:57, Julian Field wrote: > > >>It looks like you may have made the comment line split itself over 2 lines. >>Make sure it is only 1 line, or else put a # at the start of the 2nd line. > > > The mail client just wrapped the line. The actual CustomConfig.pm has > > # Set these to be the location of your whitelist files and blacklist > files > > all on the same line. > Scott forget that last email - too little coffee (+ a call out at 7.30 this morning to fix a duff switch) :-) what have you got in the lines previous to the comment? -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 From raymond at PROLOCATION.NET Mon Dec 8 08:58:44 2003 
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:21:27 2006 Subject: clamav-0.65 on RH7.3 In-Reply-To: <3FD450E9.17286.10DBD00@localhost> Message-ID: Hi! > rpm -ivh clamav-0.65-2.i386.rpm gives me: > error: failed dependencies > libc.so.6 (GLIBC_2.3) is needed by clamav -0.65-2. > > On checking the RedHat site I see that glibc-2.3 is apparently not > available for RH7.3 but is available for RH8.0 > > What next? Give up on RH7.3 and move to RH8? All comments > gratefully received! Would be better to move to Fedora-1 or RedHat 9, but besides that, the Clam install is plain simple. I would suggest installing it from source. Or if there's a SRPMS also, make your own RPM out of it. Bye, Raymond. From Kevin.Spicer at BMRB.CO.UK Mon Dec 8 09:04:01 2003 From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin) Date: Thu Jan 12 21:21:27 2006 Subject: clamav-0.65 on RH7.3 Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0016498DB@pascal.priv.bmrb.co.uk> John Sheppard wrote: > What next? Give up on RH7.3 and move to RH8? All comments gratefully > received! Build from source (or rebuild the srpm) From mailscanner at ecs.soton.ac.uk Mon Dec 8 09:18:20 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:27 2006 Subject: MailScanner overrides HoldExpensive feature in Sendmail? In-Reply-To: <200312081404.27234.vinayak@theargoncompany.com> References: <200312081404.27234.vinayak@theargoncompany.com> Message-ID: <6.0.1.1.2.20031208091733.035ae5e8@imap.ecs.soton.ac.uk> At 08:34 08/12/2003, you wrote: >Hi > >We are using Sendmail 8.12.8 along with MailScanner 4.21. We would like to >have the HoldExpensive feature enabled in Sendmail so that sendmail does not >deliver mail immediately. However ever since we have started MailScanner, we >notice that mail gets delivered immediately. Anybody faced this before? Any >pointers on what settings could be tweaked? If you deliver the "expensive" mail to a separate outgoing queue using a MailScanner ruleset, that won't get the immediate delivery attempt. The other, simpler, route is to set Delivery Method = queue instead of batch. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From vinayak at THEARGONCOMPANY.COM Mon Dec 8 09:48:27 2003 
From: vinayak at THEARGONCOMPANY.COM (Vinayakam Murugan) Date: Thu Jan 12 21:21:27 2006 Subject: MailScanner overrides HoldExpensive feature in Sendmail? In-Reply-To: <6.0.1.1.2.20031208091733.035ae5e8@imap.ecs.soton.ac.uk> References: <200312081404.27234.vinayak@theargoncompany.com> <6.0.1.1.2.20031208091733.035ae5e8@imap.ecs.soton.ac.uk> Message-ID: <200312081518.27491.vinayak@theargoncompany.com> That solves it. Thanks a ton, Julian On Monday 08 December 2003 14:48, you wrote: > The other, simpler, route is to set > Delivery Method = queue > instead of batch -- Warm Regards ~~~~~~~~~~~~~~~~~~~~~~~ Vinayakam Murugan Manager - Software The Argon Company 7th floor, Nanavati Mahalaya, 18, Homi Modi Street, Fort, Mumbai 400 023. Tel: 91-22 - 2288 2163 Ext 118 Help Desk: 91-22 - 2288 2774 Fax Number: 91-22 - 2288 2812 http://www.TheArgonCompany.com Viruses getting you down? Get your virus protected mailbox at http://www.tassm.com It's not just about natural talent ? it's about perseverance, about putting building blocks in place, about focusing on the processes not the results. From Rvdmerwe at MHG.CO.ZA Mon Dec 8 10:34:31 2003 From: Rvdmerwe at MHG.CO.ZA (Rabie van der Merwe) Date: Thu Jan 12 21:21:27 2006 Subject: ClamAV 0.65 Message-ID: <39B69D20AF5DD611BA7F00306E1E8F2E02B1395F@cptexc02.bankmed.co.za> ClamAV appears to be using /root/tmp to scan the mail passing through my box, any ideas on how to change this behaviour? Using MD9.2 ClamAV0.65 and MailScanner4.25-14 I'm currently not using the perl ClamAV module. Regards Rabie -----Original Message----- 
From: Spicer, Kevin [mailto:Kevin.Spicer@BMRB.CO.UK] Sent: 08 December 2003 11:04 To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: clamav-0.65 on RH7.3 John Sheppard wrote: > What next? Give up on RH7.3 and move to RH8? All comments gratefully > received! Build from source (or rebuild the srpm) ********************************************************************** ------ NOTICE ------ This message contains privileged and confidential information intended only for the person or entity to which it is addressed. Any review, retransmission, dissemination, copy or other use of, or taking of any action in reliance upon this information by persons or entities other than the intended recipient, is prohibited. If you received this message in error, please notify the sender immediately by e-mail, facsimile or telephone and thereafter delete the material from any computer. Metropolitan Health Group, its subsidiaries or associates do not accept liability for any personal views expressed in this message. ********************************************************************** -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20031208/7e8069c1/attachment.html From smilga at MIKROTIK.COM Mon Dec 8 12:51:41 2003 
From: smilga at MIKROTIK.COM (Martins Smilga)
Date: Thu Jan 12 21:21:27 2006
Subject: lock.pl
References: <39B69D20AF5DD611BA7F00306E1E8F2E02B1395F@cptexc02.bankmed.co.za>
Message-ID: <181301c3bd8a$06ea22d0$a500010a@martinsss>

Maybe someone can say what this means: (if I type /etc/init.d/mailscanner restart it hangs up on restarting and logs say this) I found in mailscanner.conf but if I comment it is no matter again in logs I see this. What can it be?

Dec 8 15:57:55 frog MailScanner[7168]: MailScanner E-Mail Virus Scanner version 4.24-5 starting...
Dec 8 15:57:56 frog MailScanner[7168]: lock.pl sees Config LockType = flock
Dec 8 15:57:56 frog MailScanner[7168]: lock.pl sees have_module = 0
Dec 8 15:57:56 frog MailScanner[7168]: Using locktype = flock

Martins

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20031208/c126d2c6/attachment.html

From Antony at SOFT-SOLUTIONS.CO.UK Mon Dec 8 12:55:28 2003 
From: Antony at SOFT-SOLUTIONS.CO.UK (Antony Stone) Date: Thu Jan 12 21:21:27 2006 Subject: lock.pl In-Reply-To: <181301c3bd8a$06ea22d0$a500010a@martinsss> References: <39B69D20AF5DD611BA7F00306E1E8F2E02B1395F@cptexc02.bankmed.co.za> <181301c3bd8a$06ea22d0$a500010a@martinsss> Message-ID: <200312081255.28210.Antony@Soft-Solutions.co.uk> On Monday 08 December 2003 12:51 pm, Martins Smilga wrote: > May be some one can say what meen this: > (if i type /etc/init.d/mailscanner restart it hang up on restarting and > logs say this ) I founf in mailscanner.conf but if I comment it is no > matter again in logs I see this. What it can bee) > > Dec 8 15:57:55 frog MailScanner[7168]: MailScanner E-Mail Virus Scanner > version 4.24-5 starting... > Dec 8 15:57:56 frog MailScanner[7168]: lock.pl sees Config LockType = > flock > Dec 8 15:57:56 frog MailScanner[7168]: lock.pl sees have_module = 0 > Dec 8 15:57:56 frog MailScanner[7168]: Using locktype = flock What machine / OS / version are you using? Antony. -- 90% of networking problems are routing problems. 9 of the remaining 10% are routing problems in the other direction. The remaining 1% might be something else, but check the routing anyway. Please reply to the list; please don't CC me. From ccampbell at BRUEGGERS.COM Mon Dec 8 13:59:45 2003 
From: ccampbell at BRUEGGERS.COM (Christian Campbell) Date: Thu Jan 12 21:21:27 2006 Subject: Upgrade Production Box Message-ID: I'm planning to upgrade MailScanner on a production server, which I can't take down. I assume if I stop MailScanner, and leave Sendmail running, will sendmail keep accepting mail into its queue while I'm upgrading MS which MS can process after upgrading? Christian Christian P. Campbell Systems Engineer Information Technology Department Bruegger's Enterprises, Inc. Desk: (802) 652-9270 Cell: (802) 734-5023 Email: ccampbell at brueggers dot com Registered Linux User #319324 PGP public key available via PGP keyservers or http://www2.brueggers.com/pgp/ccampbell.html "We all know Linux is great... it does infinite loops in 5 seconds." -- Linus Torvalds From raymond at PROLOCATION.NET Mon Dec 8 14:02:00 2003 From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:21:27 2006 Subject: Upgrade Production Box In-Reply-To: Message-ID: Hi! > I'm planning to upgrade MailScanner on a production server, which I can't > take down. I assume if I stop MailScanner, and leave Sendmail running, will > sendmail keep accepting mail into it's queue while I'm upgrading MS which MS > can process after upgrading? Yes, that's basically what the first sendmail process will do after upgrading anyway. Bye, Raymond. From Antony at SOFT-SOLUTIONS.CO.UK Mon Dec 8 14:04:14 2003 
From: Antony at SOFT-SOLUTIONS.CO.UK (Antony Stone) Date: Thu Jan 12 21:21:27 2006 Subject: Upgrade Production Box In-Reply-To: References: Message-ID: <200312081404.14929.Antony@Soft-Solutions.co.uk> On Monday 08 December 2003 1:59 pm, Christian Campbell wrote: > I'm planning to upgrade MailScanner on a production server, which I can't > take down. I assume if I stop MailScanner, and leave Sendmail running, > will sendmail keep accepting mail into its queue while I'm upgrading MS > which MS can process after upgrading? Indeed. Antony. -- Wanted: telepath. You know where to apply. Please reply to the list; please don't CC me. From smilga at MIKROTIK.COM Mon Dec 8 14:04:56 2003 From: smilga at MIKROTIK.COM (Martins Smilga) Date: Thu Jan 12 21:21:27 2006 Subject: lock.pl References: <39B69D20AF5DD611BA7F00306E1E8F2E02B1395F@cptexc02.bankmed.co.za> <181301c3bd8a$06ea22d0$a500010a@martinsss> <200312081255.28210.Antony@Soft-Solutions.co.uk> Message-ID: <192a01c3bd94$425daa30$a500010a@martinsss> Hello, I have Debian testing version. Also SMTP is not working may this is related. ----- Original Message ----- 
From: "Antony Stone" To: Sent: Monday, December 08, 2003 2:55 PM Subject: Re: lock.pl > On Monday 08 December 2003 12:51 pm, Martins Smilga wrote: > > > May be some one can say what meen this: > > (if i type /etc/init.d/mailscanner restart it hang up on restarting and > > logs say this ) I founf in mailscanner.conf but if I comment it is no > > matter again in logs I see this. What it can bee) > > > > Dec 8 15:57:55 frog MailScanner[7168]: MailScanner E-Mail Virus Scanner > > version 4.24-5 starting... > > Dec 8 15:57:56 frog MailScanner[7168]: lock.pl sees Config LockType = > > flock > > Dec 8 15:57:56 frog MailScanner[7168]: lock.pl sees have_module = 0 > > Dec 8 15:57:56 frog MailScanner[7168]: Using locktype = flock > > What machine / OS / version are you using? > > Antony. > > -- > 90% of networking problems are routing problems. > 9 of the remaining 10% are routing problems in the other direction. > The remaining 1% might be something else, but check the routing anyway. > > Please reply to the list; > please don't CC me. From pndiku at DSMAGIC.COM Mon Dec 8 14:12:55 2003 From: pndiku at DSMAGIC.COM (Peter C. Ndikuwera) Date: Thu Jan 12 21:21:27 2006 Subject: Mailwatch & clamav module Message-ID: <1070892774.5970.29.camel@mufasa.ds.co.ug> If you're using the clamav module, you may want to add the following line to /var/www/html/mailscanner/functions.php to correctly parse virus reports: define(VIRUS_REGEX, '/(.+) infected: (\S+)/'); // ClamAVModule A Patch file is attached -- Peter C. Ndikuwera Digital Solutions Ltd -------------- next part -------------- --- functions.php.old 2003-12-08 17:12:18.285244256 +0300 +++ functions.php 2003-12-08 17:11:16.093698808 +0300 
@@ -42,8 +42,9 @@ // Regex to pick up the virus names from the reports. //// Change this to match the output of one of your scanners. -define(VIRUS_REGEX, '/(\S+) was infected by (\S+)/'); // SophosSAVI +//define(VIRUS_REGEX, '/(\S+) was infected by (\S+)/'); // SophosSAVI //define(VIRUS_REGEX, '/(.+) contains (\S+)/'); // ClamAV +define(VIRUS_REGEX, '/(.+) infected: (\S+)/'); // ClamAVModule //define(VIRUS_REGEX, '/(>>>) Virus \'(.+)\' found/'); // Sophos //define(VIRUS_REGEX, '/(.+) Infection: (\S+)/'; // F-prot //define(VIRUS_REGEX, '/(.+) Found the (\S+) virus !!!/'); // McAfee From michele at BLACKNIGHTSOLUTIONS.COM Mon Dec 8 14:17:10 2003 From: michele at BLACKNIGHTSOLUTIONS.COM (Michele Neylon :: Blacknight Solutions) Date: Thu Jan 12 21:21:27 2006 Subject: Upgrade Production Box In-Reply-To: Message-ID: You don't really need to stop anything. We upgrade on production boxes all the time. Basically ignore the running instance of MailScanner completely, run the install script make the upgrade to the .conf files and then restart it. No mail will be lost Mr. Michele Neylon Blacknight Internet Solutions Ltd http://www.blacknightsolutions.ie/ http://www.search.ie/ Tel. + 353 (0)59 9137101 Lowest price domains in Ireland > -----Original Message----- 
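Review bot: in the functions.php hunk from Peter C. Ndikuwera's message above, the added line `define(VIRUS_REGEX, '/(.+) infected: (\S+)/');` passes the constant name as a bare word, as the neighbouring lines do; quoting it as 'VIRUS_REGEX' stops PHP from treating it as an undefined constant (a notice on older PHP, an error on PHP 8). The pattern is also unanchored with a greedy `(.+)`, so on a report line that contains " infected: " more than once the first group swallows everything up to the last occurrence and the captured virus name shifts; anchoring the pattern or making the first group non-greedy would make the parse predictable for odd file names. Separately, the commented-out F-prot context line is missing its closing parenthesis before the semicolon, which will cause a parse error for anyone who uncomments it.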
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > Behalf Of Christian Campbell > Sent: 08 December 2003 14:00 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Upgrade Production Box > > > I'm planning to upgrade MailScanner on a production server, which I can't > take down. I assume if I stop MailScanner, and leave Sendmail > running, will > sendmail keep accepting mail into it's queue while I'm upgrading > MS which MS > can process after upgrading? > > Christian > > Christian P. Campbell > Systems Engineer > Information Technology Department > Bruegger's Enterprises, Inc. > Desk: (802) 652-9270 > Cell: (802) 734-5023 > Email: ccampbell at brueggers dot com > Registered Linux User #319324 > > PGP public key available via PGP keyservers > or http://www2.brueggers.com/pgp/ccampbell.html > > "We all know Linux is great... > it does infinite loops in 5 seconds." > -- Linus Torvalds > From Antony at SOFT-SOLUTIONS.CO.UK Mon Dec 8 14:22:41 2003 
From: Antony at SOFT-SOLUTIONS.CO.UK (Antony Stone) Date: Thu Jan 12 21:21:27 2006 Subject: Upgrade Production Box In-Reply-To: References: Message-ID: <200312081422.41764.Antony@Soft-Solutions.co.uk> On Monday 08 December 2003 2:17 pm, Michele Neylon :: Blacknight Solutions wrote: > You don't really need to stop anything. We upgrade on production boxes all > the time. > Basically ignore the running instance of MailScanner completely, run the > install script make the upgrade to the .conf files and then restart it. I think the reliability of this depends on how long you take to do the upgrade. If MailScanner decides to kill off an old child and restart a new one, or does its periodic reload of the conf file, whilst you're halfway through the upgrade, it might do something you hadn't expected / intended. Safer I think to shutdown, upgrade, restart. > No mail will be lost True enough, but some of it could get processed in a way you hadn't anticipated. Antony. -- "Reports that say that something hasn't happened are always interesting to me, because as we know, there are known knowns; there are things we know we know. We also know there are known unknowns; that is to say we know there are some things we do not know. But there are also unknown unknowns - the ones we don't know we don't know." - Donald Rumsfeld, US Secretary of Defence Please reply to the list; please don't CC me. From mailscanner at ecs.soton.ac.uk Mon Dec 8 14:29:53 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:27 2006 Subject: Upgrade Production Box In-Reply-To: References: Message-ID: <6.0.1.1.2.20031208142836.0371b4e0@imap.ecs.soton.ac.uk>

At 13:59 08/12/2003, you wrote:
>I'm planning to upgrade MailScanner on a production server, which I can't
>take down. I assume if I stop MailScanner, and leave Sendmail running, will
>sendmail keep accepting mail into its queue while I'm upgrading MS which MS
>can process after upgrading?

You don't say what OS/Version you are running, so it's hard to be precise.
If you are running one of the RPM-based systems, then
        service MailScanner stop
        service MailScanner startin
will leave it just running the incoming sendmail but nothing else.
Then when you are finished upgrading,
        service MailScanner restart
to get it all going again.
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From ccampbell at BRUEGGERS.COM Mon Dec 8 14:44:37 2003
From: ccampbell at BRUEGGERS.COM (Christian Campbell) Date: Thu Jan 12 21:21:27 2006 Subject: Upgrade Production Box Message-ID: > > At 13:59 08/12/2003, you wrote: > >I'm planning to upgrade MailScanner on a production server, > which I can't > >take down. I assume if I stop MailScanner, and leave > Sendmail running, will > >sendmail keep accepting mail into it's queue while I'm > upgrading MS which MS > >can process after upgrading? > > You don't say what OS/Version you are running, so it's hard > to precise. > If you are running one of the RPM-based systems, then > service MailScanner stop > service MailScanner startin > will leave it just running the incoming sendmail but nothing else. > Then when you are finished upgrading, > service MailScanner restart > to get it all going again. Thanks for the reply Julian. Should I use the ./install.sh script to do the installation, or do an rpm -Uvh on all the packages individually? Christian From newsgroup2 at SPACELINK.COM.AU Mon Dec 8 14:42:40 2003 From: newsgroup2 at SPACELINK.COM.AU (Stuart Clark) Date: Thu Jan 12 21:21:27 2006 Subject: per_user prefs not working ? Message-ID: Hi I am trying to get the per_user preferences working I set SpamAssassin User State Dir = ~/.spamassassin/ in /etc/MailScanner.conf I then created a .spamassassin directory in my home dir I then create a file user_prefs in this directory inside the user_prefs file i put required_hits 10 i then chown and chmod accordingly Restart MailScanner and send a test spam. The headers still tell me it is working on a required hits of 5 What am i doing wrong? Regards Stuart Clark RHCE Spacelink Communications Pty Ltd From tsevy at EPX.COM Mon Dec 8 14:56:51 2003 From: tsevy at EPX.COM (Tom Sevy) Date: Thu Jan 12 21:21:27 2006 Subject: Upgrade Production Box In-Reply-To: <6.0.1.1.2.20031208142836.0371b4e0@imap.ecs.soton.ac.uk> Message-ID: Will the cron job affect this? Or is only checking for a missing process? 
> From: Julian Field > Reply-To: MailScanner mailing list > Date: Mon, 8 Dec 2003 14:29:53 +0000 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Upgrade Production Box > > At 13:59 08/12/2003, you wrote: >> I'm planning to upgrade MailScanner on a production server, which I can't >> take down. I assume if I stop MailScanner, and leave Sendmail running, will >> sendmail keep accepting mail into it's queue while I'm upgrading MS which MS >> can process after upgrading? > > You don't say what OS/Version you are running, so it's hard to precise. > If you are running one of the RPM-based systems, then > service MailScanner stop > service MailScanner startin > will leave it just running the incoming sendmail but nothing else. > Then when you are finished upgrading, > service MailScanner restart > to get it all going again. > -- > Julian Field > www.MailScanner.info > MailScanner thanks transtec Computers for their support > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > From HancockS at MORGANCO.COM Mon Dec 8 16:30:28 2003 
From: HancockS at MORGANCO.COM (Hancock, Scott) Date: Thu Jan 12 21:21:27 2006 Subject: Exim queue running cron.d fragment? recomplie cron? - debian Message-ID: <3EA1A302A4978A4C970D2C63F327156E02406C97@worc-mail2.int.morganco.com> >> 08,23,38,53 * * * * mail if [ -x /usr/lib/exim/exim3 -a -f >/etc/exim/exim_send.conf ]; then /usr/lib/exim/exim3 -C >/etc/exim/exim_send.conf /-q ; fi > >This is mentioned in the docs somewhere, isn't it? I could have sworn I >mentioned it in there somewhere... You did. ******************************************************** /usr/exim/bin/exim_tidydb /var/spool/exim.in callout > /dev/null /usr/exim/bin/exim_tidydb /var/spool/exim.in retry > /dev/null /usr/exim/bin/exim_tidydb /var/spool/exim.in reject > /dev/null /usr/exim/bin/exim_tidydb /var/spool/exim.in wait-smtp > /dev/null Instead of running Exim as a daemon, some people run it from inetd (for incoming SMTP) and cron (for queue runs), though this disables some of Exim's load management features. If you do this then you do not need to change inetd.conf, but you do need to modify the queue running command in the crontab to /usr/exim/bin/exim -q -C /usr/exim/configure.out ********************************************************** > >That would be correct. Debian's cron no longer uses -odi in testing and >unstable distributions, so when sarge releases (soon, I hope :-) ), it >will be >sorted. But yes, just get rid of the -odi. > I see the fix in the change logs now (after a week off). I was looking at the original package .tar. >> My retry and remote db on the listening side are about 500 MB each when >they should be empty. > >Have you added the cron job to empty them (also in the docs)? > I believe so if you're referring to the above lines from the install page. If not please advise. Sorry for the bother. It was a matter of understanding and applying the notes on my part. I was under the gun at the time of the last email and should have walked away before sending. 
Thanks for taking the time. Scott From dan.farmer at PHONEDIR.COM Mon Dec 8 16:55:11 2003 
From: dan.farmer at PHONEDIR.COM (Dan Farmer) Date: Thu Jan 12 21:21:28 2006 Subject: Could not analyze. In-Reply-To: References: Message-ID: <494CEDE6-299F-11D8-971D-0030656E138E@phonedir.com> On Dec 8, 2003, at 12:31 AM, Jan-Peter Koopmann wrote: >> At Fri Dec 5 08:37:00 2003 the virus scanner said: >> Could not analyze message > > > Can you give us any more input on the messages that cause this? > Attachment yes/no? Encrypted yes/no? Etc. > > Regards, > JP I've just recently had the same thing, here is the report: The following e-mail messages were found to have viruses in them: Sender: xxxxx@phonedir.com IP Address: xxx.xxx.x.xx Recipient: xxxxxxxxxx@aol.com Subject: MessageID: hB8FQg329094 Report: Could not analyze message When I checked the quarantined message, it looks like a folder of 391 files was attached (7.5MB encoded - all word docs, I think), here's the jist of the message: --Apple-Mail-32-248296212 Content-Disposition: attachment; filename=Ad_Analysis_Sheets Content-Type: multipart/x-folder; boundary=Apple-Mail-33-248296213; x-unix-mode=0777; name="Ad_Analysis_Sheets" --Apple-Mail-33-248296213 Content-Disposition: attachment; filename=LUGGAGE.DOC Content-Transfer-Encoding: base64 Content-Type: application/msword; x-unix-mode=0755; name="LUGGAGE.DOC" (250-300 lines of base64 encoding) --Apple-Mail-33-248296213 Content-Disposition: attachment; filename=NEXTFILE.DOC Content-Transfer-Encoding: base64 Content-Type: application/msword; x-unix-mode=0755; name="NEXTFILE.DOC" (250-300 lines of base64 encoding) (repeat 389 more different filenames...) I've called the user and left a message, so I can try and get him to stuff/zip the folder before sending to see if it'll go through that way (especially since AOL would probably reject a 7.5MB attachment if it made it through MS/ClamAV). My relay is RH AS 2.1, w/MS 4.24-5, ClamAV 0.65, SA 2.60. Any ideas? dan From steve.freegard at LBSLTD.CO.UK Mon Dec 8 17:03:27 2003 
From: steve.freegard at LBSLTD.CO.UK (Steve Freegard) Date: Thu Jan 12 21:21:28 2006 Subject: Mailwatch & clamav module Message-ID: <67D9E7698329D411936E00508B6590B902773D33@neelix.lbsltd.co.uk> Hi Peter, This is already in MailWatch CVS, but thanks anyway. Kind regards, Steve. -----Original Message----- From: Peter C. Ndikuwera [mailto:pndiku@DSMAGIC.COM] Sent: 08 December 2003 14:13 To: MAILSCANNER@JISCMAIL.AC.UK Subject: Mailwatch & clamav module If you're using the clamav module, you may want to add the following line to /var/www/html/mailscanner/functions.php to correctly parse virus reports: define(VIRUS_REGEX, '/(.+) infected: (\S+)/'); // ClamAVModule A Patch file is attached -- Peter C. Ndikuwera Digital Solutions Ltd -- This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the sender and delete the message from your mailbox. This footnote also confirms that this email message has been swept by MailScanner (www.mailscanner.info) for the presence of computer viruses. From mailscanner at ecs.soton.ac.uk Mon Dec 8 16:04:00 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:28 2006 Subject: Upgrade Production Box In-Reply-To: References: Message-ID: <6.0.1.1.2.20031208160326.03883480@imap.ecs.soton.ac.uk> At 14:44 08/12/2003, you wrote: > > > > At 13:59 08/12/2003, you wrote: > > >I'm planning to upgrade MailScanner on a production server, > > which I can't > > >take down. I assume if I stop MailScanner, and leave > > Sendmail running, will > > >sendmail keep accepting mail into it's queue while I'm > > upgrading MS which MS > > >can process after upgrading? > > > > You don't say what OS/Version you are running, so it's hard > > to precise. > > If you are running one of the RPM-based systems, then > > service MailScanner stop > > service MailScanner startin > > will leave it just running the incoming sendmail but nothing else. > > Then when you are finished upgrading, > > service MailScanner restart > > to get it all going again. > >Thanks for the reply Julian. Should I use the ./install.sh script to do the >installation, or do an rpm -Uvh on all the packages individually? You can't rpm -Uvh the packages as most of them are SRPMs and not RPMs. So use install.sh. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Mon Dec 8 16:04:35 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:28 2006 Subject: Upgrade Production Box In-Reply-To: References: <6.0.1.1.2.20031208142836.0371b4e0@imap.ecs.soton.ac.uk> Message-ID: <6.0.1.1.2.20031208160403.038a62d0@imap.ecs.soton.ac.uk> At 14:56 08/12/2003, you wrote: >Will the cron job affect this? Or is only checking for a missing process? If you do service MailScanner stop it tells the cron to disable itself until you do a service MailScanner start or "restart". 
> > From: Julian Field > > Reply-To: MailScanner mailing list > > Date: Mon, 8 Dec 2003 14:29:53 +0000 > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: Re: Upgrade Production Box > > > > At 13:59 08/12/2003, you wrote: > >> I'm planning to upgrade MailScanner on a production server, which I can't > >> take down. I assume if I stop MailScanner, and leave Sendmail > running, will > >> sendmail keep accepting mail into it's queue while I'm upgrading MS > which MS > >> can process after upgrading? > > > > You don't say what OS/Version you are running, so it's hard to precise. > > If you are running one of the RPM-based systems, then > > service MailScanner stop > > service MailScanner startin > > will leave it just running the incoming sendmail but nothing else. > > Then when you are finished upgrading, > > service MailScanner restart > > to get it all going again. > > -- > > Julian Field > > www.MailScanner.info > > MailScanner thanks transtec Computers for their support > > > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > > -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From steve.freegard at LBSLTD.CO.UK Mon Dec 8 17:02:12 2003 
From: steve.freegard at LBSLTD.CO.UK (Steve Freegard) Date: Thu Jan 12 21:21:28 2006 Subject: per_user prefs not working ? Message-ID: <67D9E7698329D411936E00508B6590B902773D32@neelix.lbsltd.co.uk>

Hi Stuart,

This doesn't work as you expect because MailScanner runs as a daemon under the account specified by 'Run As User/Run As Group' settings in MailScanner.conf (default=root) so will pick-up the home directory set-up for that account (~/.spamassassin/ is the default).

I'm not sure that the Advanced SpamAssassin Settings are able to handle a ruleset as I've never tried this (and don't plan to) - but you *might* be able to do this to get it to work as you want:

E.g.
        SpamAssassin User State Dir = /etc/MailScanner/rules/sa_prefs.rules

Which contains:
        FromOrTo: your@e-mail.address.here /home/test/.spamassassin/
        FromOrTo: default /root/.spamassassin/

You'll soon know if this value isn't able to handle a ruleset as MailScanner should complain on start if not.

Hope this helps.

Kind regards,
Steve.
--
Steve Freegard
Systems Manager
Littlehampton Book Services Ltd.

-----Original Message-----
From: Stuart Clark [mailto:newsgroup2@SPACELINK.COM.AU] Sent: 08 December 2003 14:43 To: MAILSCANNER@JISCMAIL.AC.UK Subject: per_user prefs not working ? Hi I am trying to get the per_user preferences working I set SpamAssassin User State Dir = ~/.spamassassin/ in /etc/MailScanner.conf I then created a .spamassassin directory in my home dir I then create a file user_prefs in this directory inside the user_prefs file i put required_hits 10 i then chown and chmod accordingly Restart MailScanner and send a test spam. The headers still tell me it is working on a required hits of 5 What am i doing wrong? Regards Stuart Clark RHCE Spacelink Communications Pty Ltd -- This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the sender and delete the message from your mailbox. This footnote also confirms that this email message has been swept by MailScanner (www.mailscanner.info) for the presence of computer viruses. From mailscanner at ecs.soton.ac.uk Mon Dec 8 17:05:55 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:28 2006 Subject: Could not analyze. In-Reply-To: <494CEDE6-299F-11D8-971D-0030656E138E@phonedir.com> References: <494CEDE6-299F-11D8-971D-0030656E138E@phonedir.com> Message-ID: <6.0.1.1.2.20031208170533.0388e510@imap.ecs.soton.ac.uk> That's the 200 attachments per message limit kicking in. See MailScanner.conf. At 16:55 08/12/2003, you wrote: >On Dec 8, 2003, at 12:31 AM, Jan-Peter Koopmann wrote: > >>>At Fri Dec 5 08:37:00 2003 the virus scanner said: >>> Could not analyze message >> >> >>Can you give us any more input on the messages that cause this? >>Attachment yes/no? Encrypted yes/no? Etc. >> >>Regards, >> JP > >I've just recently had the same thing, here is the report: > >The following e-mail messages were found to have viruses in them: > > Sender: xxxxx@phonedir.com >IP Address: xxx.xxx.x.xx > Recipient: xxxxxxxxxx@aol.com > Subject: > MessageID: hB8FQg329094 > Report: Could not analyze message > >When I checked the quarantined message, it looks like a folder of 391 >files was attached (7.5MB encoded - all word docs, I think), here's the >jist of the message: > >--Apple-Mail-32-248296212 >Content-Disposition: attachment; > filename=Ad_Analysis_Sheets >Content-Type: multipart/x-folder; > boundary=Apple-Mail-33-248296213; > x-unix-mode=0777; > name="Ad_Analysis_Sheets" > > >--Apple-Mail-33-248296213 >Content-Disposition: attachment; > filename=LUGGAGE.DOC >Content-Transfer-Encoding: base64 >Content-Type: application/msword; > x-unix-mode=0755; > name="LUGGAGE.DOC" > >(250-300 lines of base64 encoding) > >--Apple-Mail-33-248296213 >Content-Disposition: attachment; > filename=NEXTFILE.DOC >Content-Transfer-Encoding: base64 >Content-Type: application/msword; > x-unix-mode=0755; > name="NEXTFILE.DOC" > >(250-300 lines of base64 encoding) > >(repeat 389 more different filenames...) 
> >I've called the user and left a message, so I can try and get him to >stuff/zip the folder before sending to see if it'll go through that way >(especially since AOL would probably reject a 7.5MB attachment if it >made it through MS/ClamAV). My relay is RH AS 2.1, w/MS 4.24-5, ClamAV >0.65, SA 2.60. Any ideas? > >dan -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From Antony at SOFT-SOLUTIONS.CO.UK Mon Dec 8 17:08:53 2003 
From: Antony at SOFT-SOLUTIONS.CO.UK (Antony Stone) Date: Thu Jan 12 21:21:28 2006 Subject: Could not analyze. In-Reply-To: <6.0.1.1.2.20031208170533.0388e510@imap.ecs.soton.ac.uk> References: <494CEDE6-299F-11D8-971D-0030656E138E@phonedir.com> <6.0.1.1.2.20031208170533.0388e510@imap.ecs.soton.ac.uk> Message-ID: <200312081708.53020.Antony@Soft-Solutions.co.uk> On Monday 08 December 2003 5:05 pm, Julian Field wrote: > That's the 200 attachments per message limit kicking in. Sounds more than reasonable to me :) Antony. > See MailScanner.conf. > > At 16:55 08/12/2003, you wrote: > >On Dec 8, 2003, at 12:31 AM, Jan-Peter Koopmann wrote: > >>>At Fri Dec 5 08:37:00 2003 the virus scanner said: > >>> Could not analyze message > >> > >>Can you give us any more input on the messages that cause this? > >>Attachment yes/no? Encrypted yes/no? Etc. > >> > >>Regards, > >> JP > > > >I've just recently had the same thing, here is the report: > > > >The following e-mail messages were found to have viruses in them: > > > > Sender: xxxxx@phonedir.com > >IP Address: xxx.xxx.x.xx > > Recipient: xxxxxxxxxx@aol.com > > Subject: > > MessageID: hB8FQg329094 > > Report: Could not analyze message > > > >When I checked the quarantined message, it looks like a folder of 391 > >files was attached (7.5MB encoded - all word docs, I think), here's the > >jist of the message: > > > >--Apple-Mail-32-248296212 > >Content-Disposition: attachment; > > filename=Ad_Analysis_Sheets > >Content-Type: multipart/x-folder; > > boundary=Apple-Mail-33-248296213; > > x-unix-mode=0777; > > name="Ad_Analysis_Sheets" > > > > > >--Apple-Mail-33-248296213 > >Content-Disposition: attachment; > > filename=LUGGAGE.DOC > >Content-Transfer-Encoding: base64 > >Content-Type: application/msword; > > x-unix-mode=0755; > > name="LUGGAGE.DOC" > > > >(250-300 lines of base64 encoding) > > > >--Apple-Mail-33-248296213 > >Content-Disposition: attachment; > > filename=NEXTFILE.DOC > >Content-Transfer-Encoding: base64 > 
>Content-Type: application/msword; > > x-unix-mode=0755; > > name="NEXTFILE.DOC" > > > >(250-300 lines of base64 encoding) > > > >(repeat 389 more different filenames...) > > > >I've called the user and left a message, so I can try and get him to > >stuff/zip the folder before sending to see if it'll go through that way > >(especially since AOL would probably reject a 7.5MB attachment if it > >made it through MS/ClamAV). My relay is RH AS 2.1, w/MS 4.24-5, ClamAV > >0.65, SA 2.60. Any ideas? > > > >dan -- The idea that Bill Gates appeared like a knight in shining armour to lead all customers out of a mire of technological chaos neatly ignores the fact that it was he who, by peddling second-rate technology, led them into it in the first place. - Douglas Adams in The Guardian, 25th August 1995 Please reply to the list; please don't CC me. From steve.freegard at LBSLTD.CO.UK Mon Dec 8 17:18:02 2003 From: steve.freegard at LBSLTD.CO.UK (Steve Freegard) Date: Thu Jan 12 21:21:28 2006 Subject: Upgrade Production Box Message-ID: <67D9E7698329D411936E00508B6590B902773D34@neelix.lbsltd.co.uk> Hi Julian, Did this change on a semi-recent version as I upgraded my remaining box to 4.25-14 from 4.24-5 today - I did: service MailScanner stop service MailScanner startin service MailScanner start But MailScanner was restarted mid-upgrade by the hourly cron job?? - did I do something stupid, or was this introduced in a later version?? Cheers, Steve. -----Original Message----- From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] Sent: 08 December 2003 16:05 To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Upgrade Production Box At 14:56 08/12/2003, you wrote: >Will the cron job affect this? Or is only checking for a missing >process? If you do service MailScanner stop it tells the cron to disable itself until you do a service MailScanner start or "restart". 
> > From: Julian Field > > Reply-To: MailScanner mailing list > > Date: Mon, 8 Dec 2003 14:29:53 +0000 > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: Re: Upgrade Production Box > > > > At 13:59 08/12/2003, you wrote: > >> I'm planning to upgrade MailScanner on a production server, which I > >> can't take down. I assume if I stop MailScanner, and leave > >> Sendmail > running, will > >> sendmail keep accepting mail into it's queue while I'm upgrading MS > which MS > >> can process after upgrading? > > > > You don't say what OS/Version you are running, so it's hard to > > precise. If you are running one of the RPM-based systems, then > > service MailScanner stop > > service MailScanner startin > > will leave it just running the incoming sendmail but nothing else. > > Then when you are finished upgrading, > > service MailScanner restart > > to get it all going again. > > -- > > Julian Field > > www.MailScanner.info > > MailScanner thanks transtec Computers for their support > > > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > > -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -- This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the sender and delete the message from your mailbox. This footnote also confirms that this email message has been swept by MailScanner (www.mailscanner.info) for the presence of computer viruses. From listas at VIRUSATTACK.COM.AR Mon Dec 8 17:22:12 2003 
From: listas at VIRUSATTACK.COM.AR (Ignacio M. Sbampato) Date: Thu Jan 12 21:21:28 2006 Subject: Trustix & MailScanner References: <6.0.1.1.2.20031208160326.03883480@imap.ecs.soton.ac.uk> Message-ID: <002b01c3bdaf$dc8165a0$010010ac@fibertel.com.ar> People, I'm wondering if MailScanner is able to run under Trustix Secure Linux 2.0, working with Trustix Mail Server 4.0 (this system uses Postfix as MTA), could you tell me if it's possible? Any experience with this combo? Best regards, Ignacio From gdoris at rogers.com Mon Dec 8 18:03:31 2003 From: gdoris at rogers.com (Gerry Doris) Date: Thu Jan 12 21:21:28 2006 Subject: mailscanner-mrtg question Message-ID: <53113.129.80.22.143.1070906611.squirrel@tiger.dorfam.ca> I've been struggling to make a small change to the mailscanner-mrtg.cfg file but am obviously missing something rather basic. I only have a few MB of mail running through my server daily. If I use the cfg as released I get a couple of large step functions for the graph that displays the number of MB of mail received. I'd prefer to display smaller values so that the graph is a little more meaningful. No matter what I do I can't seem to change the scale of the graph to something smaller. I'd like to display KB of mail. How is that done? Gerry From mailscanner at ecs.soton.ac.uk Mon Dec 8 18:12:33 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:28 2006 Subject: Upgrade Production Box In-Reply-To: <67D9E7698329D411936E00508B6590B902773D34@neelix.lbsltd.co. uk> References: <67D9E7698329D411936E00508B6590B902773D34@neelix.lbsltd.co.uk> Message-ID: <6.0.1.1.2.20031208181150.028b0700@imap.ecs.soton.ac.uk> Curious. I have a nasty feeling that the rpm -Uvh mailscanner.... does a "service MailScanner restart" at the end, though not quite sure why I wrote that :( At 17:18 08/12/2003, you wrote: >Hi Julian, > >Did this change on a semi-recent version as I upgraded my remaining box to >4.25-14 from 4.24-5 today - I did: > >service MailScanner stop >service MailScanner startin > >service MailScanner start > >But MailScanner was restarted mid-upgrade by the hourly cron job?? - did I >do something stupid, or was this introduced in a later version?? > >Cheers, >Steve. > >-----Original Message----- >From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] >Sent: 08 December 2003 16:05 >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Re: Upgrade Production Box > > >At 14:56 08/12/2003, you wrote: > >Will the cron job affect this? Or is only checking for a missing > >process? > >If you do > service MailScanner stop >it tells the cron to disable itself until you do a > service MailScanner start >or "restart". 
> > > > > From: Julian Field > > > Reply-To: MailScanner mailing list > > > Date: Mon, 8 Dec 2003 14:29:53 +0000 > > > To: MAILSCANNER@JISCMAIL.AC.UK > > > Subject: Re: Upgrade Production Box > > > > > > At 13:59 08/12/2003, you wrote: > > >> I'm planning to upgrade MailScanner on a production server, which I > > >> can't take down. I assume if I stop MailScanner, and leave > > >> Sendmail > > running, will > > >> sendmail keep accepting mail into it's queue while I'm upgrading MS > > which MS > > >> can process after upgrading? > > > > > > You don't say what OS/Version you are running, so it's hard to > > > precise. If you are running one of the RPM-based systems, then > > > service MailScanner stop > > > service MailScanner startin > > > will leave it just running the incoming sendmail but nothing else. > > > Then when you are finished upgrading, > > > service MailScanner restart > > > to get it all going again. > > > -- > > > Julian Field > > > www.MailScanner.info > > > MailScanner thanks transtec Computers for their support > > > > > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > > > > >-- >Julian Field >www.MailScanner.info >MailScanner thanks transtec Computers for their support > >PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > >-- >This email and any files transmitted with it are confidential and >intended solely for the use of the individual or entity to whom they >are addressed. If you have received this email in error please notify >the sender and delete the message from your mailbox. > >This footnote also confirms that this email message has been swept by >MailScanner (www.mailscanner.info) for the presence of computer viruses. -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From raymond at PROLOCATION.NET Mon Dec 8 18:24:13 2003 
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:21:28 2006 Subject: Upgrade Production Box In-Reply-To: <6.0.1.1.2.20031208181150.028b0700@imap.ecs.soton.ac.uk> Message-ID: Hi! > I have a nasty feeling that the rpm -Uvh mailscanner.... does a "service > MailScanner restart" at the end, though not quite sure why I wrote that :( Yes it does. Noticed that several times during upgrading... :) > >But MailScanner was restarted mid-upgrade by the hourly cron job?? - did I > >do something stupid, or was this introduced in a later version?? Bye, Raymond. From kevin at KEVINSPICER.CO.UK Mon Dec 8 18:49:07 2003 
From: kevin at KEVINSPICER.CO.UK (Kevin Spicer) Date: Thu Jan 12 21:21:28 2006 Subject: mailscanner-mrtg question In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB00188B80B@pascal.priv.bmrb.co.uk> References: <5C0296D26910694BB9A9BBFC577E7AB00188B80B@pascal.priv.bmrb.co.uk> Message-ID: <1070909347.16923.7.camel@bach.kevinspicer.co.uk>

On Mon, 2003-12-08 at 18:03, Gerry Doris wrote:
>No matter what I do I can't seem to change the scale of the graph to
>something smaller. I'd like to display KB of mail. How is that done?

This is scaled by mailscanner-mrtg itself so needs to be altered in the mailscanner-mrtg script. Assuming you are running the latest version...

Find the following fragment in /usr/sbin/mailscanner-mrtg (around line 666)

        if ($_[0] =~ /mailbytes/){
                # Mod to convert in MB
                $Total /= 1024 * 1024;
        }

And change it to...

        if ($_[0] =~ /mailbytes/){
                # Mod to convert in KB
                $Total /= 1024;
        }

You'll also need to change the mrtg cfg lines in /etc/mrtg/mailscanner-mrtg.cfg (about line 36 onwards...) - hopefully this should be fairly obvious (just turn all references to Mbytes into Kbytes).

I hope to find a more graceful solution to this issue for the next release.
--
Kevin Spicer (kevin AT kevinspicer DOT co DOT uk)
This message is digitally signed using the GNU Privacy Guard. My public key may be obtained from http://www.keyserver.net

From jones at ODENSE.KOLLEGIENET.DK Mon Dec 8 19:54:39 2003
From: jones at ODENSE.KOLLEGIENET.DK (Jonas Bardino)
Date: Thu Jan 12 21:21:28 2006
Subject: DoS, locale, spool file and unrar log noise
Message-ID: <20031208195439.GI1461@bardino.dk>

Hi!

We're using the latest Debian Testing MailScanner package which is based on
a 4.24 version. At the moment it uses SpamAssassin with Pyzor and Razor2 for
spam and ClamAV for virus scanning. Exim 3 is used as MTA and almost
everything seems to be working fine. The average daily load is about 10000
mails, which does not overburden the server in any way. However, there's
quite a bit of "noise" in the logs. We have searched google and the archives
for solutions, but so far without any luck.

We keep getting a few DoS warnings every day about mails that appear to be
quite harmless:

Dec 7 14:55:10 cindy MailScanner[27894]: Commercial scanner clamav timed out!
Dec 7 14:55:10 cindy MailScanner[27894]: Virus Scanning: Denial Of Service attack detected!

(Btw, the clam developers may not like being called commercial :-)

Unfortunately the attachments aren't quarantined when that happens, so it's
a bit hard to reproduce the problem. According to a google search the
default setting related to DoS checks are:

max-files = 500, max-size = 10000 (=10 MB), max-recursion = 5

We tried increasing the DoS prevention arguments to ClamAV by adding the
following line in /etc/MailScanner/wrapper/clamav-wrapper:

ExtraScanOptions="--max-files=10000 --max-space=100000 --max-recursion=20 $ExtraScanOptions"

But we still see the DoS warnings. Did anyone find a good way around that,
or is it necessary to completely disable the limits?

Other occasional log entries include:

Dec 3 03:48:42 cindy MailScanner[4208]: Don't know what to do with line 'Content-type :text/html; charset:iso-8859-1' in header array!

Is that due to some kind of missing internationalization or a broken client?
Dec 8 20:01:46 cindy exim[28643]: 2003-12-08 20:01:46 1ATQby-0007K8-00 Spool file 1ATQby-0007K8-00-D not found

Google gives a few hits but no answers (we're not running eximon as one of
the answers talks about).

Another issue is the use of unrar. We used to get log entries like the
following occasionally:

Dec 7 19:06:59 cindy MailScanner[16206]: ProcessClamAVOutput: RAR module failure.
Dec 7 19:06:59 cindy MailScanner[16206]: UNRAR 2.71 freeware Copyright (c) 1993-2000 Eugene Roshal
Dec 7 19:06:59 cindy MailScanner[16206]: ProcessClamAVOutput: unrecognised line "UNRAR 2.71 freeware Copyright (c) 1993-2000 Eugene Roshal". Please contact the authors!
Dec 7 19:06:59 cindy MailScanner[16206]: Extracting from /var/spool/MailScanner/incoming/16206/./1AT3Ib-0000ex-00/Renusse.part2.rar
Dec 7 19:06:59 cindy MailScanner[16206]: ProcessClamAVOutput: unrecognised line "Extracting from /var/spool/MailScanner/incoming/16206/./1AT3Ib-0000ex-00/Renusse.part2.rar". Please contact the authors!
Dec 7 19:06:59 cindy MailScanner[16206]: Unknown method in Billede073.jpg
Dec 7 19:06:59 cindy MailScanner[16206]: ProcessClamAVOutput: unrecognised line "Unknown method in Billede 073.jpg". Please contact the authors!
...repeated for every file in the archive...
Dec 7 19:06:59 cindy MailScanner[16206]: No files to extract
Dec 7 19:06:59 cindy MailScanner[16206]: ProcessClamAVOutput: unrecognised line "No files to extract". Please contact the authors!

The default unrar package in Debian testing is based on a version 2.71,
which, like clam itself, does not support 3.x rar archives. That seems to be
the reason for most of the above junk in the logs. After installing a
backported version 3.1.3 of unrar, only the module failure notice from
Clam's internal extractor as well as the "Copyright" and "Extracting"
notices remain. Is that a Debian specific problem?
The internal RAR module failure can probably be removed by adding "--disable-archive" to the clamav wrapper, but we're not sure if that's a good idea, since it disables all unpacking features of Clam. Some of the output from the separate unrar binary should probably be ignored in SweepViruses.pm. We've tried adding code for that and it appears to work in the installed version. Version 4.25-14 does not seem to change that part of the code, so it is probably only a difference in line numbers. Diffs against the Debian version 4.24.5-1 and the general version 4.25-14 are attached. Can someone please confirm if they do the job? Thanks! ...and sorry if this mail is a too long and messy. Kind regards, Jonas ..and the rest of the FKO Server admins -------------- next part -------------- --- SweepViruses.pm 2003-12-08 15:25:42.000000000 +0100 +++ SweepViruses.pm.fix_debian_rar 2003-12-08 14:52:06.000000000 +0100 @@ -1835,6 +1835,10 @@ return 0; } + # Ignore unrar freeware version info similar to: + # "UNRAR 3.10 freeware Copyright (c) 1993-2002 Eugene Roshal" + return 0 if $line =~ /^UNRAR \d+\.\d+ freeware/; + # clamscan currently stops as soon as one virus is found # therefore there is little point saying which part # it's still a start mind! @@ -1846,6 +1850,13 @@ $clamav_archive = $1; return 0; } + # Catch unrar extracting info on the form: + # "Extracting from INCOMING_PATH/rarfail.rar" + if (/^Extracting from (.*)$/) + { + $clamav_archive = $1; + return 0; + } return 0 if /Empty file.$/; # Normally means you just havn't asked for it if (/: (\S+ module failure\.)/) 
@@ -1854,6 +1865,9 @@ return 0; } return 0 if /^ /; # " inflating", " deflating.." from --unzip + # Ignore "Extracting FILE COMPRESSIONRATE OK " lines from --unrar + return 0 if /^Extracting .*OK $/; + return 0 if /^$/; # blank lines from --unrar if ($clamav_archive && /^$clamav_archive:/) { $clamav_archive = ""; -------------- next part -------------- --- SweepViruses.pm 2003-12-01 17:37:12.000000000 +0100 +++ SweepViruses.pm.rar_fix 2003-12-08 15:27:32.000000000 +0100 @@ -2089,6 +2089,10 @@ # therefore there is little point saying which part # it's still a start mind! + # Ignore unrar freeware version info similar to: + # "UNRAR 3.10 freeware Copyright (c) 1993-2002 Eugene Roshal" + return 0 if $line =~ /^UNRAR \d+\.\d+ freeware/; + # Only tested with --unzip since only windows boxes get viruses ;-) if (/^Archive: (.*)$/) @@ -2096,6 +2100,13 @@ $clamav_archive = $1; return 0; } + # Catch unrar extracting info on the form: + # "Extracting from INCOMING_PATH/rarfail.rar" + if (/^Extracting from (.*)$/) + { + $clamav_archive = $1; + return 0; + } return 0 if /Empty file.$/; # Normally means you just havn't asked for it if (/: (\S+ module failure\.)/) @@ -2104,6 +2115,9 @@ return 0; } return 0 if /^ /; # " inflating", " deflating.." from --unzip + # Ignore "Extracting FILE COMPRESSIONRATE OK " lines from --unrar + return 0 if /^Extracting .*OK $/; + return 0 if /^$/; # blank lines from --unrar if ($clamav_archive && /^$clamav_archive:/) { $clamav_archive = ""; From kmoss at DHOS.NET Mon Dec 8 20:54:21 2003 
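Review bot: in the first hunk of both patches the new filter tests `$line` (`return 0 if $line =~ /^UNRAR \d+\.\d+ freeware/;`), while every other test visible in the context and in the other two hunks matches implicitly against `$_` (`if (/^Archive: (.*)$/)`, `return 0 if /Empty file.$/;`). Nothing in the visible lines shows `$line` being set in this scope, so either confirm that it holds the same text as `$_` at this point or write the test as `return 0 if /^UNRAR \d+\.\d+ freeware/;` so it is consistent with the lines around it.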
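Review bot: the second hunk stores the captured path in `$clamav_archive`, and the context line visible in the third hunk then interpolates that value unescaped into a pattern, `if ($clamav_archive && /^$clamav_archive:/)`. The path ends in the attachment's own file name, which the sender of the mail chooses, so characters such as `.`, `+`, `(` or `[` in it are read as regex syntax and can make the match fail or the pattern invalid; quote the value, as in `/^\Q$clamav_archive\E:/`. It is also worth confirming that unrar output ever produces the `ARCHIVE:` line that resets `$clamav_archive` to "", since otherwise the value set here stays in place for the lines that follow.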
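Review bot: in the third hunk `return 0 if /^Extracting .*OK $/;` only matches when exactly one space follows `OK`, so the filter silently stops working if the line has been chomped or stripped, or if unrar pads it differently. Anchoring on optional whitespace, for example `/^Extracting\s.*\bOK\s*$/`, keeps the intent without depending on the trailing space. The test must also stay below the `Extracting from` test added in the second hunk, as it does now, and a short comment saying so would stop a later reorder from swallowing the archive line.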
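The DoS warnings quoted in the message above carry no message id, which is why they are hard to trace back to a mail. As an added example (not part of the original post and not MailScanner code), this Python script tallies the noise categories quoted above and, for each DoS warning, lists the message directories the same MailScanner child logged shortly before. The sample log is constructed; treating the directory after the PID as the message id, the 10-minute window and the year are assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample in the syslog format quoted in the post; PIDs, times,
# message ids and file names are made up for illustration.
SAMPLE_LOG = """\
Dec  7 14:51:02 cindy MailScanner[27894]: ProcessClamAVOutput: unrecognised line "Extracting from /var/spool/MailScanner/incoming/27894/./1AT0aa-0000zz-00/holiday.rar". Please contact the authors!
Dec  7 14:55:10 cindy MailScanner[27894]: Commercial scanner clamav timed out!
Dec  7 14:55:10 cindy MailScanner[27894]: Virus Scanning: Denial Of Service attack detected!
Dec  7 19:06:59 cindy MailScanner[16206]: ProcessClamAVOutput: RAR module failure.
Dec  7 19:06:59 cindy MailScanner[16206]: Extracting from /var/spool/MailScanner/incoming/16206/./1AT3Ib-0000ex-00/Renusse.part2.rar
Dec  7 19:06:59 cindy MailScanner[16206]: ProcessClamAVOutput: unrecognised line "No files to extract". Please contact the authors!
Dec  7 21:30:00 cindy MailScanner[30111]: Virus Scanning: Denial Of Service attack detected!
"""

# "Mon DD HH:MM:SS host MailScanner[pid]: message"
LINE_RE = re.compile(
    r"^(\w{3})\s+(\d{1,2})\s+(\d\d:\d\d:\d\d)\s+\S+\s+MailScanner\[(\d+)\]:\s+(.*)$"
)
# Working directory of a child: .../incoming/<pid>/./<message dir>/<file>
PATH_RE = re.compile(r"/incoming/(\d+)/(?:\./)?([^/\s\"]+)/")

CATEGORIES = {
    "timed_out": re.compile(r"scanner \S+ timed out"),
    "dos": re.compile(r"Denial Of Service attack detected"),
    "unrecognised": re.compile(r"unrecognised line"),
    "module_failure": re.compile(r"module failure"),
}


def parse(log_text, year=2003):
    """Yield (timestamp, pid, message) for every MailScanner syslog line."""
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # not a MailScanner line, or a wrapped continuation
        mon, day, clock, pid, msg = m.groups()
        # syslog timestamps carry no year, so one has to be assumed
        when = datetime.strptime(f"{year} {mon} {day} {clock}", "%Y %b %d %H:%M:%S")
        yield when, int(pid), msg


def triage(log_text, window=timedelta(minutes=10)):
    """Return (category counts, [(time, pid, candidate message dirs)])."""
    counts = Counter()
    seen = defaultdict(list)  # pid -> [(timestamp, message dir)]
    suspects = []
    for when, pid, msg in parse(log_text):
        for name, pattern in CATEGORIES.items():
            if pattern.search(msg):
                counts[name] += 1
        m = PATH_RE.search(msg)
        if m and int(m.group(1)) == pid:
            seen[pid].append((when, m.group(2)))
        if CATEGORIES["dos"].search(msg):
            # Only directories this same child touched inside the window
            recent = sorted({d for t, d in seen[pid] if timedelta(0) <= when - t <= window})
            suspects.append((when.strftime("%b %d %H:%M:%S"), pid, recent))
    return counts, suspects


if __name__ == "__main__":
    counts, suspects = triage(SAMPLE_LOG)
    for name, n in sorted(counts.items()):
        print(f"{name:15} {n}")
    for when, pid, dirs in suspects:
        print(f"{when} pid {pid}: {', '.join(dirs) or 'no message directory logged'}")
```

An empty candidate list means that child logged no path before the warning, so the batch has to be identified another way.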
From: kmoss at DHOS.NET (Ken Moss) Date: Thu Jan 12 21:21:28 2006 Subject: MailScanner, Suse 9, and Sendmail Problems Message-ID: <001301c3bdcd$747f7000$0b0c000a@Hospital.dhos.net> I am trying to run MailScanner on SuSe 9. I downloaded the most recent release from the web site and tried to install. I had to manually install a few of the dependencies off the SuSe CD's. I have also installed SendMail and uninstalled postfix as I prefer SendMail. It appeared everything was going to work properly but when I tried to run the .rc file it tries to run my setup as a "postfix" system. I looked at the .rc and .conf files and they both are set as the MTA being SendMail. Any Ideas??? Ken Moss Information Services/Technology Doctors Hospital of Springfield 2828 N National Ave Springfield, MO 65803 (417) 837-4019 Fax: (417) 837-4109 kmoss@dhos.net -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20031208/f80937dc/attachment.html From Kevin_Miller at CI.JUNEAU.AK.US Mon Dec 8 21:26:25 2003 From: Kevin_Miller at CI.JUNEAU.AK.US (Kevin Miller) Date: Thu Jan 12 21:21:28 2006 Subject: MailScanner, Suse 9, and Sendmail Problems Message-ID: <08146035CA49D6119A36009027AC822A0264EB31@CITY-EXCH-NTS> Check /etc/sysconfig/MailScanner (if memory serves)... ...Kevin ------------------- Kevin Miller CBJ MIS Dept. Network Systems Administrator, Mail Administrator 155 South Seward Street ph: (907) 586-0242 Juneau, Alaska 99801 fax: (907 586-4500 -----Original Message----- 
From: Ken Moss [mailto:kmoss@DHOS.NET] Sent: Monday, December 08, 2003 11:54 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: MailScanner, Suse 9, and Sendmail Problems I am trying to run MailScanner on SuSe 9. I downloaded the most recent release from the web site and tried to install. I had to manually install a few of the dependencies off the SuSe CD's. I have also installed SendMail and uninstalled postfix as I prefer SendMail. It appeared everything was going to work properly but when I tried to run the .rc file it tries to run my setup as a "postfix" system. I looked at the .rc and .conf files and they both are set as the MTA being SendMail. Any Ideas??? Ken Moss Information Services/Technology Doctors Hospital of Springfield 2828 N National Ave Springfield, MO 65803 (417) 837-4019 Fax: (417) 837-4109 kmoss@dhos.net -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20031208/5b998dd2/attachment.html From mike at TC3NET.COM Mon Dec 8 15:15:52 2003 
From: mike at TC3NET.COM (Michael Baird)
Date: Thu Jan 12 21:21:28 2006
Subject: per_user prefs not working ?
In-Reply-To:
References:
Message-ID: <1070896552.14580.31.camel@mike-new2.tc3net.com>

MailScanner won't use per user spamassassin preferences, it uses the
prefs file specified in MailScanner.conf for all users or
/root/.spamassassin, since MailScanner runs as root. I faced this issue
myself when I migrated my spam scanning to MailScanner, my solution was
to create a procmail ruleset, which duplicates all my users individual
spamassassin user_prefs behaviors (hit threshold, spam tag, whitelist,
blacklist). I just have MailScanner check the spamlevel and such. I'll
post the recipe here (I'm still working on making the
whitelist/blacklist work better). Scanning all messages through
MailScanner and filtering via a procmail ruleset, has lowered my load
averages tremendously, as opposed to calling spamc via a procmail
ruleset.

INCLUDERC=$HOME/.procmail/.spamprefs
WHITELIST=$HOME/.procmail/.whitelist
BLACKLIST=$HOME/.procmail/.blacklist

# Only look at messages smaller than 20000 bytes
:0
* < 20000
{
  # Whitelisted: deliver to the default mailbox
  :0
  * ?egrep --silent --file $WHITELIST
  $DEFAULT
  # Blacklisted: discard
  :0
  * ?egrep --silent --file $BLACKLIST
  /dev/null
  # Spam level header from MailScanner reaches this user's threshold
  :0
  *$ ^X-TC3Net-Level: $SPAMLEVEL
  {
    # Capture the current subject into $MATCH
    :0
    * ^Subject:[ ]*\/[^ ].*
    {
      SUBJECT=$MATCH
    }
    # Prefix the subject with the user's spam tag, then file the message
    :0 fw
    | formail -I "Subject: $SPAMTAG $SUBJECT"
    :0
    $SPAMBOX
  }
}

Where .whitelist and .blacklist are just lists of email addresses, and
.spamprefs contains a few variable definitions used in the recipe.

SPAMLEVEL=xxxxxxxxxx
SPAMTAG=*****SPAM*****
SPAMBOX=.maildir/

Regards
MIKE

> Hi
>
> I am trying to get the per_user preferences working
>
> I set SpamAssassin User State Dir = ~/.spamassassin/
> in /etc/MailScanner.conf
>
> I then created a .spamassassin directory in my home dir
>
> I then create a file user_prefs in this directory
>
> inside the user_prefs file i put required_hits 10
>
> i then chown and chmod accordingly
>
> Restart MailScanner and send a test spam.
>
> The headers still tell me it is working on a required hits of 5
>
> What am i doing wrong?
>
> Regards
>
> Stuart Clark RHCE
> Spacelink Communications Pty Ltd
>

From mailscanner at ecs.soton.ac.uk Tue Dec 9 08:55:43 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:28 2006 Subject: per_user prefs not working ? In-Reply-To: <1070896552.14580.31.camel@mike-new2.tc3net.com> References: <1070896552.14580.31.camel@mike-new2.tc3net.com> Message-ID: <6.0.1.1.2.20031209085503.03d1e130@imap.ecs.soton.ac.uk> You can do all the user_prefs mentioned below in MailScanner rulesets. No need for procmail hacks. See /etc/MailScanner/rules/* At 15:15 08/12/2003, you wrote: >MailScanner won't use per user spamassassin preferences, it uses the >prefs file specified in MailScanner.conf for all users or >/root/.spamassassin, since MailScanner runs as root. I faced this issue >myself when I migrated my spam scanning to MailScanner, my solution was >to create a procmail ruleset, which duplicates all my users individual >spamassassin user_prefs behaviors (hit threshold, spam tag, whitelist, >blacklist). I just have MailScanner check the spamlevel and such. I'll >post the recipe here (I'm still working on making the >whitelist/blacklist work better). Scanning all messages through >MailScanner and filtering via a procmail ruleset, has lowered my load >averages tremendously, as opposed to calling spamc via a procmail >ruleset. > > >INCLUDERC=$HOME/.procmail/.spamprefs >WHITELIST=$HOME/.procmail/.whitelist >BLACKLIST=$HOME/.procmail/.blacklist > >:0 >* < 20000 >{ > :0 > * ?egrep --silent --file $WHITELIST > $DEFAULT > :0 > * ?egrep --silent --file $BLACKLIST > /dev/null > :0 > *$ ^X-TC3Net-Level: $SPAMLEVEL > { > :0 > * ^Subject:[ ]*\/[^ ].* > { > SUBJECT=$MATCH > } > :0 fw > | formail -I "Subject: $SPAMTAG $SUBJECT" > :0 > $SPAMBOX > } >} > >Where .whitelist and .blacklist are just list of email addresses, and >.spamprefs contains a few variable definitions used in the recipe. 
> >SPAMLEVEL=xxxxxxxxxx >SPAMTAG=*****SPAM***** >SPAMBOX=.maildir/ > >Regards >MIKE > > > Hi > > > > I am trying to get the per_user preferences working > > > > I set SpamAssassin User State Dir = ~/.spamassassin/ > > in /etc/MailScanner.conf > > > > I then created a .spamassassin directory in my home dir > > > > I then create a file user_prefs in this directory > > > > inside the user_prefs file i put required_hits 10 > > > > i then chown and chmod accordingly > > > > Restart MailScanner and send a test spam. > > > > The headers still tell me it is working on a required hits of 5 > > > > What am i doing wrong? > > > > Regards > > > > Stuart Clark RHCE > > Spacelink Communications Pty Ltd > > -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From martinh at SOLID-STATE-LOGIC.COM Tue Dec 9 09:21:16 2003 
From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth) Date: Thu Jan 12 21:21:28 2006 Subject: SpamAssassin 2.61 Released In-Reply-To: <67D9E7698329D411936E00508B6590B902773D38@neelix.lbsltd.co.uk> References: <67D9E7698329D411936E00508B6590B902773D38@neelix.lbsltd.co.uk> Message-ID: <3FD5940C.1030701@solid-state-logic.com> Steve Freegard wrote: > Hi All, > > The announcement was on the sa-list earlier - I've installed the tar.gz on > one of my MailScanner boxes with no problems so far. > > Kind regards, > Steve. > > -- > This email and any files transmitted with it are confidential and > intended solely for the use of the individual or entity to whom they > are addressed. If you have received this email in error please notify > the sender and delete the message from your mailbox. > > This footnote also confirms that this email message has been swept by > MailScanner (www.mailscanner.info) for the presence of computer viruses. Steve Just check CPAN and it's not showing just yet. Prob be tomorrow I guess... -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 ********************************************************************** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean. ********************************************************************** From gioia at bclink.it Tue Dec 9 10:18:22 2003 
From: gioia at bclink.it (Gioia Bastioni)
Date: Thu Jan 12 21:21:28 2006
Subject: Postfix and Mailscanner not working
Message-ID:

Hi guys,

I've a big problem on my mail server running postfix 2.0.15 and Mailscanner
2.24.5 on a Slack 9.1. It has been working for a couple of days, and now
it's no longer working. I can't see ANYTHING in my Maillog, it is all frozen
from Sunday at 16.56 .. I can send messages, I have no error shown or
logged, but at the end I can't receive anything ..!!

What I found out is that Mailscanner is not running, so it can't send out
the messages sent .. doing a ps -aux here's what I get :

SER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 727 0.0 0.4 1408 540 ? S 09:48 0:00 /usr/sbin/inetd
root 730 0.0 1.1 3080 1416 ? S 09:48 0:00 /usr/sbin/sshd
root 734 0.0 2.1 4716 2732 ? S 09:48 0:01 /usr/sbin/named
root 745 0.0 0.4 1500 592 ? S 09:48 0:00 /usr/sbin/crond -
daemon 747 0.0 0.5 1504 644 ? S 09:48 0:00 /usr/sbin/atd -b
root 846 0.0 3.3 74244 4256 ? S 09:48 0:00 /usr/sbin/httpd
nobody 862 0.0 7.5 81052 9596 ? S 09:48 0:02 /usr/sbin/httpd
nobody 863 0.0 7.6 81068 9632 ? S 09:48 0:02 /usr/sbin/httpd
nobody 864 0.0 7.5 81068 9612 ? S 09:48 0:01 /usr/sbin/httpd
nobody 865 0.0 7.5 81064 9612 ? S 09:48 0:01 /usr/sbin/httpd
nobody 866 0.0 7.5 81044 9588 ? S 09:48 0:01 /usr/sbin/httpd
root 872 0.0 0.3 1368 480 tty2 S 09:48 0:00 /sbin/agetty 3840
root 873 0.0 0.3 1368 480 tty3 S 09:48 0:00 /sbin/agetty 3840
root 874 0.0 0.3 1368 480 tty4 S 09:48 0:00 /sbin/agetty 3840
root 875 0.0 0.3 1368 480 tty5 S 09:48 0:00 /sbin/agetty 3840
root 877 0.0 0.3 1368 480 tty6 S 09:48 0:00 /sbin/agetty 3840
nobody 878 0.0 7.6 81120 9644 ? S 09:48 0:00 /usr/sbin/httpd
root 1262 0.0 0.7 2320 888 ? S 10:20 0:00 /usr/libexec/post
postfix 1263 0.0 0.6 2276 824 ? S 10:20 0:00 pickup -l -t fifo
postfix 1264 0.0 0.7 2328 940 ? S 10:20 0:00 qmgr -l -t fifo -
postfix 1713 0.0 0.6 2292 832 ? S 11:09 0:00 trivial-rewrite -
postfix 1715 0.0 0.6 2296 852 ? S 11:09 0:00 bounce -z -n defe
postfix 1716 0.0 0.6 2288 848 ? S 11:09 0:00 flush -z -t unix
root 1724 0.0 0.3 1368 480 tty1 S 11:09 0:00 /sbin/agetty 3840
postfix 1771 0.0 0.8 2420 1028 ? S 11:11 0:00 smtpd -n smtp -t
postfix 1772 0.0 0.7 2352 948 ? S 11:11 0:00 cleanup -z -t uni
root 1823 0.0 0.6 2280 860 ? S 11:11 0:00 /usr/libexec/post
postfix 1826 0.0 0.6 2272 824 ? S 11:11 0:00 pickup -l -t fifo
postfix 1827 0.0 0.6 2308 852 ? S 11:11 0:00 qmgr -l -t fifo -
root 1864 0.0 0.6 2724 780 pts/0 R 11:13 0:00 ps -aux
postfix 1890 1.0 7.8 11240 9940 ? S 11:15 0:00 /usr/bin/perl -I/opt/MailScanner/lib
postfix 1891 3.0 0.0 0 0 ? Z 11:15 0:00 [MailScanner ]

thanks for the help

From martinh at SOLID-STATE-LOGIC.COM Tue Dec 9 10:52:31 2003
From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth) Date: Thu Jan 12 21:21:28 2006 Subject: R: [MAILSCANNER] Postfix and Mailscanner not working In-Reply-To: References: Message-ID: <3FD5A96F.7060902@solid-state-logic.com> Looks like the syslogd isn't very happy. Is there anything in /var/log/messages around the time MS stopped working? Is the filesystem containing /var/log full? -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 gioia@bclink.it wrote: > Yes, I meant 4.24 .. :) > ok, using the debug mode now I get: > > Starting MailScanner... > In Debugging mode, not forking... > unix dgram connect: Connection refused at > /opt/MailScanner/lib/MailScanner/Log.pm line 132 > no connection to syslog available at /opt/MailScanner/lib/MailScanner/Log.pm > line 132 > > what does it mean ?! ********************************************************************** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean. ********************************************************************** From joshua.hirsh at PARTNERSOLUTIONS.CA Tue Dec 9 12:46:51 2003 From: joshua.hirsh at PARTNERSOLUTIONS.CA (Hirsh, Joshua) Date: Thu Jan 12 21:21:28 2006 Subject: Postfix and Mailscanner not working Message-ID: <75FEDC422E2309419A9303E7B18F206E04DB5E66@eqmail1.efni.vpn> > What I found out is that Mailscanner is not running, so it > can't send out the messagges sent .. What happens when you try and restart MailScanner? -Joshua From gioia at bclink.it Tue Dec 9 12:57:33 2003 
From: gioia at bclink.it (Gioia Bastioni)
Date: Thu Jan 12 21:21:28 2006
Subject: R: Postfix and Mailscanner not working
In-Reply-To: <75FEDC422E2309419A9303E7B18F206E04DB5E66@eqmail1.efni.vpn>
Message-ID:

I think I fixed that. Running the check_mailscanner script in debug mode I had

In Debugging mode, not forking...
> unix dgram connect: Connection refused at
> /opt/MailScanner/lib/MailScanner/Log.pm line 132
> no connection to syslog available at /opt/MailScanner/lib/MailScanner/Log.pm
> line 132

Checking the LOG files, what I found out was that the syslog LOG file had
become so big.. I just renamed the old one and created a new empty file ..
now it's working..

thanks for the help :)

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Hirsh, Joshua
Sent: Tuesday, 9 December 2003 13:47
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Postfix and Mailscanner not working

> What I found out is that Mailscanner is not running, so it
> can't send out the messagges sent ..

What happens when you try and restart MailScanner?

-Joshua

From mike at CAMAROSS.NET Tue Dec 9 13:58:09 2003
From: mike at CAMAROSS.NET (Mike Kercher) Date: Thu Jan 12 21:21:28 2006 Subject: Postfix Question In-Reply-To: Message-ID: <200312091351.hB9Dp1la030311@genesis.camaross.net> Ok...I was up until 3am working on this, but started getting foggy :) I have several domains that I scan mail for and pass on to other mail servers. Other domains are delivered locally. I have successfully gotten one domain to scan and forward on to another mail server. I can also scan and deliver a domain locally. The problem is this: I made SO many changes to my configs along the way that I'm not sure which ones made things work! Again, this is my first REAL experience with postfix, so a little guidance would be appreciated. I'd be happy to take this off the list if someone is willing to help me. I've created an /etc/postfix/transport|virtual, an /etc/postfix.in/transport|virtual Which one belongs where? Mike > -----Original Message----- > From: MailScanner mailing list > [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Robin M. > Sent: Monday, December 08, 2003 9:56 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Postfix Question > > On Mon, 8 Dec 2003, Mike Kercher wrote: > > > For relay_domains and my local delivery domains, these are also > > specified in my /etc/postfix.in/main.cf as well? > > > yes. this will be the file which you will make all your edits > to for restrictions and such. > From david at PLATFORMHOSTING.COM Tue Dec 9 13:55:15 2003 
From: david at PLATFORMHOSTING.COM (David Hooton) Date: Thu Jan 12 21:21:28 2006 Subject: MS not using spam.assassin.prefs.conf In-Reply-To: References: Message-ID: <3FD5D443.6000607@platformhosting.com> Hi, I've just recently noticed that Mail Scanner has stopped parsing all the rules in my spam.assassin.prefs.conf I do have quite a few, but none are overly complex. Does anyone have a suggestion as to why this would be happening? I've gone through the rules with a fine toothed comb, but can't find any reason for it. Regards, David Hooton Senior Partner Platform Hosting www.platformhosting.com ======================================================================== This message has been scanned for spam & viruses by Mail Security. To report SPAM forward the message to: spam@mailsecurity.net.au Mail Security www.mailsecurity.net.au ======================================================================== From mailscanner at ecs.soton.ac.uk Tue Dec 9 14:02:51 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:28 2006 Subject: MS not using spam.assassin.prefs.conf In-Reply-To: <3FD5D443.6000607@platformhosting.com> References: <3FD5D443.6000607@platformhosting.com> Message-ID: <6.0.1.1.2.20031209140225.072bd1d0@imap.ecs.soton.ac.uk> At 13:55 09/12/2003, you wrote: >Hi, > >I've just recently noticed that Mail Scanner has stopped parsing all the >rules in my spam.assassin.prefs.conf I do have quite a few, but none are >overly complex. > >Does anyone have a suggestion as to why this would be happening? I've >gone through the rules with a fine toothed comb, but can't find any >reason for it. You haven't got any dashes in any rule names have you? You can only use _ and not - -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From RKearney at AZERTY.COM Tue Dec 9 14:42:04 2003 
From: RKearney at AZERTY.COM (Kearney, Rob) Date: Thu Jan 12 21:21:28 2006 Subject: MS not using spam.assassin.prefs.conf Message-ID: <210DF55DED65B547896F728FB057F3B2019C4A44@seaver.ussco.com> try .. spamassassin -D --lint -p /etc/MailScanner/spam.assassin.prefs.conf you generally will see errors if there are any in your rules. -rob -----Original Message----- From: David Hooton [mailto:david@PLATFORMHOSTING.COM] Sent: Tuesday, December 09, 2003 8:55 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: MS not using spam.assassin.prefs.conf Hi, I've just recently noticed that Mail Scanner has stopped parsing all the rules in my spam.assassin.prefs.conf I do have quite a few, but none are overly complex. Does anyone have a suggestion as to why this would be happening? I've gone through the rules with a fine toothed comb, but can't find any reason for it. Regards, David Hooton Senior Partner Platform Hosting www.platformhosting.com ======================================================================== This message has been scanned for spam & viruses by Mail Security. To report SPAM forward the message to: spam@mailsecurity.net.au Mail Security www.mailsecurity.net.au ======================================================================== From sysadmins at ENHTECH.COM Tue Dec 9 15:05:15 2003 
From: sysadmins at ENHTECH.COM (Errol Neal)
Date: Thu Jan 12 21:21:28 2006
Subject: Skipping queue run -- load average too high
In-Reply-To: <200312090520.hB95KGfX032392@fili.jiscmail.ac.uk>
References: <200312090520.hB95KGfX032392@fili.jiscmail.ac.uk>
Message-ID: <6.0.0.22.0.20031209095912.02b5fb70@mail.enhtech.com>

At 12:19 AM 12/9/2003, Harry Hanson wrote:
>Is this due to mailscanner or MTA (sendmail)? Does it simply hold the queue
>to rescan later? Is there some tuning that can be done to alleviate this?
>
>Thanks.
>
>
>Dec 8 18:34:31 mx01 sm-mta-in[11584]: rejecting connections on daemon MSA:
>load average: 52
>Dec 8 18:34:49 mx01 sm-mta-in[11584]: rejecting connections on daemon MSA:
>load average: 40
>Dec 8 18:35:04 mx01 sm-mta-in[11584]: rejecting connections on daemon MSA:
>load average: 31
>Dec 8 18:35:19 mx01 sm-mta-in[11584]: rejecting connections on daemon MSA:
>load average: 24

This behavior is set in the sendmail.mc/.cf file. It basically tells the
daemon to stop accepting connections at a certain load average. One setting
also tells the daemon to begin only queuing messages at a certain LA.

Those settings are defined in your .mc as:

confQUEUE_LA
confREFUSE_LA

In your .cf they are:

# load average at which we just queue messages
O QueueLA
# load average at which we refuse connections
O RefuseLA

The load average on your systems can be determined by using 'uptime' or top.

Best Regards,
Errol Neal

From gareth at GRIFFIN.NET.UK Tue Dec 9 15:24:38 2003
From: gareth at GRIFFIN.NET.UK (Gareth Campling)
Date: Thu Jan 12 21:21:28 2006
Subject: Advanced function in spam.actions.rules
Message-ID: <4116B9E82087024DB2755B25BB4B494C742196@msx.network.griffin.net.uk>

Hi All

Wonder if anyone can help. We're running Mailscanner and Postfix with a
mysql backend and at present we just tag email and send it on, except for
certain domains which are deleted or forwarded, but for messages that appear
in an RBL we are wanting to dump these but are not sure exactly how to
specify this in spam.actions.rules

Hopefully this makes sense. For example, when a message comes up like this

smtp-1 MailScanner[29251]: RBL cheks: 7D26825806D found in NJABL, spamcop.net

When "found in" appears we would like to dump or forward elsewhere.

--
Gareth Campling
Griffin Internet
www.griffin.com
Tel : 0870 000 7100
Fax : 0870 000 7101
Network Status :
Tel: 0870 000 7099
Web: http://status.griffin.com

From xpoint at JUNC.ORG Tue Dec 9 16:07:19 2003
From: xpoint at JUNC.ORG (Benny Pedersen)
Date: Thu Jan 12 21:21:28 2006
Subject: MailScanner and RedHat 6.0
In-Reply-To:
References:
Message-ID: <1070986039.7381.9.camel@home.junc.org>

On Mon, 2003-12-01 at 15:57, Raymond Dijkxhoorn wrote:

> RH doesn't support it anymore and won't make new errata either. I would
> strongly advise not to install new MS projects on a box like that ... :)

# Fedora Linux repositories for Red Hat Linux 8.0 repository
# University of Hawaii Honolulu, Hawaii, USA
rpm http://download.fedora.us/fedora/ redhat/8.0/i386 os updates stable
rpm-src http://download.fedora.us/fedora/ redhat/8.0/i386 os updates stable

why change ? it works well here with apt-get

only up2date will die, apt-get will live forever :-)

well let's go on with postfix, will mailscanner change to use content
filter style of postfix ?

From mailscanner at ecs.soton.ac.uk Tue Dec 9 16:35:21 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:28 2006 Subject: MailScanner and RedHat 6.0 In-Reply-To: <1070986039.7381.9.camel@home.junc.org> References: <1070986039.7381.9.camel@home.junc.org> Message-ID: <6.0.1.1.2.20031209163432.028a4008@imap.ecs.soton.ac.uk> At 16:07 09/12/2003, you wrote: >On Mon, 2003-12-01 at 15:57, Raymond Dijkxhoorn wrote: > > > RH doesnt support is anymore and wont make new errata either. I would > > stronly advise not to install new MS projects on a box like that ... :) > ># Fedora Linux repositories for Red Hat Linux 8.0 repository ># University of Hawaii Honolulu, Hawaii, USA >rpm http://download.fedora.us/fedora/ redhat/8.0/i386 os updates stable >rpm-src http://download.fedora.us/fedora/ redhat/8.0/i386 os updates stable One of you is misreading/mistyping. Are we talking about RedHat 8 or RedHat 6? >well lets go on with postfix, will mailscanner change to use content >filter style of postfix ? Unlikely. -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From jaearick at COLBY.EDU Tue Dec 9 16:54:18 2003 From: jaearick at COLBY.EDU (Jeff A. Earickson) Date: Thu Jan 12 21:21:28 2006 Subject: could not analyze/too many attachments Message-ID: Julian, I know there was a thread recently about "Could not analyze message" coming out in the virus report, when the issue is really "too many attachments" from the "Maximum Attachments Per Message" setting. I did a bonehead move of setting this to 20 instead of 200, and then had to quarantine the problem message after the sender complained, stare at it and MS code, and figure out the problem. Will this "Could not analyze" message be clearer in the next version? Jeff Earickson Colby College From xpoint at JUNC.ORG Tue Dec 9 17:19:22 2003 
From: xpoint at JUNC.ORG (Benny Pedersen) Date: Thu Jan 12 21:21:28 2006 Subject: MailScanner and RedHat 6.0 In-Reply-To: <6.0.1.1.2.20031209163432.028a4008@imap.ecs.soton.ac.uk> References: <1070986039.7381.9.camel@home.junc.org> <6.0.1.1.2.20031209163432.028a4008@imap.ecs.soton.ac.uk> Message-ID: <1070990362.8142.4.camel@home.junc.org> On Tue, 2003-12-09 at 17:35, Julian Field wrote: > One of you is misreading/mistyping. Are we talking about RedHat 8 or RedHat 6? sorry i readed 6.0 as 8.0 :( >>well lets go on with postfix, will mailscanner change to use content >>filter style of postfix ? > Unlikely. why not ? the mailscanner is imho okay for sendmail, but i have changed to use amavisd new to stay away for running postfix as sendmail, well maybe i just need to laern more about why :/ From Antony at SOFT-SOLUTIONS.CO.UK Tue Dec 9 18:13:29 2003 
From: Antony at SOFT-SOLUTIONS.CO.UK (Antony Stone) Date: Thu Jan 12 21:21:28 2006 Subject: MailScanner and RedHat 6.0 In-Reply-To: <1070990362.8142.4.camel@home.junc.org> References: <6.0.1.1.2.20031209163432.028a4008@imap.ecs.soton.ac.uk> <1070990362.8142.4.camel@home.junc.org> Message-ID: <200312091813.29497.Antony@Soft-Solutions.co.uk> On Tuesday 09 December 2003 5:19 pm, Benny Pedersen wrote: > On Tue, 2003-12-09 at 17:35, Julian Field wrote: > > One of you is misreading/mistyping. Are we talking about RedHat 8 or > > RedHat 6? > > sorry i read 6.0 as 8.0 :( > > >>well lets go on with postfix, will mailscanner change to use content > >>filter style of postfix ? > > > > Unlikely. > > why not ? > > the mailscanner is imho okay for sendmail, but i have changed to use > amavisd new to stay away from running postfix as sendmail, well maybe i > just need to learn more about why :/ Perhaps someone can explain to me what the advantage of postfix is over sendmail or exim? I've only ever used sendmail, and I believe that exim is a convenient replacement for higher performance on the same hardware. What would be the advantage of choosing postfix instead? Not trying to start a religious flame war here - just curious, looking for information. Antony. -- RTFM may be the appropriate reply, but please specify exactly which FM to R. Please reply to the list; please don't CC me. From mailscanner at ecs.soton.ac.uk Tue Dec 9 18:24:49 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:28 2006 Subject: Translation request Message-ID: <6.0.1.1.2.20031209182323.027bf820@imap.ecs.soton.ac.uk> Hi all! Please can you translate Too many attachments in message into all your favourite languages. It is used as a report in a message that contains more file attachments than are permitted in MailScanner.conf. -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Tue Dec 9 18:23:22 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:28 2006 Subject: could not analyze/too many attachments In-Reply-To: References: Message-ID: <6.0.1.1.2.20031209181211.035c7f28@imap.ecs.soton.ac.uk> At 16:54 09/12/2003, you wrote: >Julian, > I know there was a thread recently about "Could not >analyze message" coming out in the virus report, when the >issue is really "too many attachments" from the >"Maximum Attachments Per Message" setting. I did a bonehead >move of setting this to 20 instead of 200, and then had to >quarantine the problem message after the sender complained, >stare at it and MS code, and figure out the problem. Will >this "Could not analyze" message be clearer in the next >version? You can already change the error message, but only for all unparsable messages. It's in your languages.conf file, the line that starts "CantAnalyze". However, I agree that it should be separate from that error message. The fix will be in the next release, but attached are patches to Message.pm, MessageBatch.pm and languages.conf (English only right now) which will implement it. -------------- next part -------------- A non-text attachment was scrubbed... Name: en.languages.conf.patch Type: application/octet-stream Size: 381 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20031209/010d8335/en.languages.conf.obj -------------- next part -------------- A non-text attachment was scrubbed... Name: Message.pm.patch Type: application/octet-stream Size: 1383 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20031209/010d8335/Message.pm.obj -------------- next part -------------- A non-text attachment was scrubbed... 
Name: MessageBatch.pm.patch Type: application/octet-stream Size: 710 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20031209/010d8335/MessageBatch.pm.obj -------------- next part -------------- -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From raymond at PROLOCATION.NET Tue Dec 9 18:35:39 2003 From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:21:28 2006 Subject: Translation request In-Reply-To: <6.0.1.1.2.20031209182323.027bf820@imap.ecs.soton.ac.uk> Message-ID: Hi! > Please can you translate > Too many attachments in message > into all your favourite languages. > > It is used as a report in a message that contains more file attachments > than are permitted in MailScanner.conf. Dutch: Te veel bijlagen in bericht Bye, Raymond. From jen at AH.DK Tue Dec 9 19:01:26 2003 From: jen at AH.DK (Jan Elmqvist Nielsen) Date: Thu Jan 12 21:21:28 2006 Subject: Svar: Translation request - danish Message-ID: "For mange bilag i brevet" or "For mange bilag i mail'en" I perfer the last, but the first one is "more" correct danish. Jan Elmqvist Nielsen >>> mailscanner@ECS.SOTON.AC.UK 09-12-03 19:24 >>> Hi all! Please can you translate Too many attachments in message into all your favourite languages. It is used as a report in a message that contains more file attachments than are permitted in MailScanner.conf. -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From listas at VIRUSATTACK.COM.AR Tue Dec 9 19:00:22 2003 
From: listas at VIRUSATTACK.COM.AR (Ignacio M. Sbampato) Date: Thu Jan 12 21:21:28 2006 Subject: Translation request References: <6.0.1.1.2.20031209182323.027bf820@imap.ecs.soton.ac.uk> Message-ID: <000a01c3be86$b379b9a0$010010ac@fibertel.com.ar> Spanish: "Demasiados archivos adjuntos en el mensaje". Bye! ----- Original Message ----- From: "Julian Field" To: Sent: Tuesday, December 09, 2003 3:24 PM Subject: Translation request > Hi all! > > Please can you translate > Too many attachments in message > into all your favourite languages. > > It is used as a report in a message that contains more file attachments > than are permitted in MailScanner.conf. > -- > Julian Field > www.MailScanner.info > Professional Support Services at www.MailScanner.biz > MailScanner thanks transtec Computers for their support > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > From kodak at FRONTIERHOMEMORTGAGE.COM Tue Dec 9 19:17:53 2003 From: kodak at FRONTIERHOMEMORTGAGE.COM (Jason Balicki) Date: Thu Jan 12 21:21:28 2006 Subject: MailScanner and RedHat 6.0 In-Reply-To: <200312091813.29497.Antony@Soft-Solutions.co.uk> Message-ID: <007301c3be89$24e99270$0501a8c0@darkside> >What would be the advantage of choosing postfix instead? This isn't the answer you were looking for, but here it is anyway... Sometimes it's not a matter of choosing. We run a packaged server that is a open source based Exchange replacement. The system is an all in one bundle that includes Postfix. While I'm sure I could change things around to use Sendmail or Exim, it's not broke so I'm not fixing it. Well, I guess that is a choice, but you get what I'm saying, hopefully. :) --J(K) From Antony at SOFT-SOLUTIONS.CO.UK Tue Dec 9 19:24:49 2003 
From: Antony at SOFT-SOLUTIONS.CO.UK (Antony Stone) Date: Thu Jan 12 21:21:28 2006 Subject: MailScanner and RedHat 6.0 In-Reply-To: <007301c3be89$24e99270$0501a8c0@darkside> References: <007301c3be89$24e99270$0501a8c0@darkside> Message-ID: <200312091924.49673.Antony@Soft-Solutions.co.uk> On Tuesday 09 December 2003 7:17 pm, Jason Balicki wrote: > >What would be the advantage of choosing postfix instead? > > This isn't the answer you were looking for, but here it is > anyway... > > Sometimes it's not a matter of choosing. We run a packaged > server that is a open source based Exchange replacement. > > The system is an all in one bundle that includes Postfix. > > While I'm sure I could change things around to use Sendmail > or Exim, it's not broke so I'm not fixing it. Well, I guess > that is a choice, but you get what I'm saying, hopefully. :) Indeed - I understand what you're saying. Hopefully some others on the list can contribute their opinions on why someone would choose postfix over sendmail or exim, assuming the opportunity for choice exists. I'm still curious to know postfix's advantages. Thanks for the response. Just out of interest, what is the bundled solution you are using? Antony. -- Most people are aware that the Universe is big. - Paul Davies, Professor of Theoretical Physics Please reply to the list; please don't CC me. From esandquist at IHMS.NET Tue Dec 9 19:22:30 2003 
From: esandquist at IHMS.NET (Eric Sandquist) Date: Thu Jan 12 21:21:28 2006 Subject: Postfix configuration/efficiency.... Message-ID: Periodically I see reference to setting up MailScanner with a single instance of Postfix, instead of the standard 2 Postfix install described in the instructions. Is there any advantage in doing this? Memory savings? Server load? I need to maximize the efficiency of this machine... Are there any instructions for this type of installation? or for converting from a working standard installation? Are there any drawbacks to this type of installation? Currently, we are running Dual PIII 500, 512Megs Ram... I've worked very hard to get the server load down to about 4.... It has been as high as 10... We are processing about 40,000 mails per day.... I realize that the best soution is a more powerful machine than this, but the client company won't do it (until this one dies).... -------------------------------------------------------------------------- Eric Sandquist Systems Engineer ICQ#: 10274846 Current ICQ status: + More ways to contact me www.ihms.net www.messianicgroups.com www.nazarene.net www.amazinggroups.com www.613commandments.com www.hebrew-roots.com www.netzarim.cc www.momsonthego.us -------------------------------------------------------------------------- Home Business Opportunity!! - Travel, Taxes, Health, and More -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20031209/b6b556d1/attachment.html From Denis.Beauchemin at USHERBROOKE.CA Tue Dec 9 18:49:22 2003 
From: Denis.Beauchemin at USHERBROOKE.CA (Denis Beauchemin) Date: Thu Jan 12 21:21:28 2006 Subject: Translation request (French) In-Reply-To: <6.0.1.1.2.20031209182323.027bf820@imap.ecs.soton.ac.uk> References: <6.0.1.1.2.20031209182323.027bf820@imap.ecs.soton.ac.uk> Message-ID: <1070995762.16734.54.camel@dbeauchemin.sti.usherbrooke.ca> Message contenant trop de pièces jointes Denis Le mar 09/12/2003 à 13:24, Julian Field a écrit : > Hi all! > > Please can you translate > Too many attachments in message > into all your favourite languages. > > It is used as a report in a message that contains more file attachments > than are permitted in MailScanner.conf. > -- > Julian Field > www.MailScanner.info > Professional Support Services at www.MailScanner.biz > MailScanner thanks transtec Computers for their support > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -- Denis Beauchemin, analyste Université de Sherbrooke, S.T.I. T: 819.821.8000x2252 F: 819.821.8045 From kodak at FRONTIERHOMEMORTGAGE.COM Tue Dec 9 19:59:46 2003 
From: kodak at FRONTIERHOMEMORTGAGE.COM (Jason Balicki) Date: Thu Jan 12 21:21:28 2006 Subject: OT: RE: MailScanner and RedHat 6.0 In-Reply-To: <200312091924.49673.Antony@Soft-Solutions.co.uk> Message-ID: <007c01c3be8e$fe969220$0501a8c0@darkside> >Thanks for the response. Just out of interest, what is the >bundled solution >you are using? Bynari Insight server. http://www.bynari.net -- I wrote a MailScanner howto for them, so now they have a MailScanner link on their page. Insight is pretty good. It is a commercial product, but it costs much less than Exchange. The real benefit is the Insight Connector which is a plugin for Outlook that lets you store outlook data in any IMAP server. So if you've got an IMAP server that supports folder sharing and ACLs you can use this plugin for outlook and share all your data, including contacts and calendars. The only drawback I've had is that because it's a packaged deal your changes don't stick. They have a web interface that controls everything and if you do something outside of it and then upgrade your changes are lost. So every time I upgrade the server (via RPM) I have to go back in and install MailScanner and Sophos and ClamAV and make any changes I had again. It's not as big a problem as I make it out to be though, since it's really just some config files that I have to restore -- and they're backed up automatically anyway. --J(K) From mailscanner at SMITS.CO.UK Tue Dec 9 23:12:08 2003 From: mailscanner at SMITS.CO.UK (Bart J. Smit) Date: Thu Jan 12 21:21:28 2006 Subject: Translation request Dutch References: <6.0.1.1.2.20031209182323.027bf820@imap.ecs.soton.ac.uk> Message-ID: <000a01c3bea9$dead36b0$8f14a8c0@clumpton.homeip.net> Teveel bijvoegsels in boodschap ----- Original Message ----- 
From: "Julian Field" To: Sent: Tuesday, December 09, 2003 6:24 PM Subject: Translation request > Hi all! > > Please can you translate > Too many attachments in message > into all your favourite languages. > > It is used as a report in a message that contains more file attachments > than are permitted in MailScanner.conf. > -- > Julian Field > www.MailScanner.info > Professional Support Services at www.MailScanner.biz > MailScanner thanks transtec Computers for their support > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > From mike at CAMAROSS.NET Tue Dec 9 20:14:16 2003 From: mike at CAMAROSS.NET (Mike Kercher) Date: Thu Jan 12 21:21:29 2006 Subject: Rules Question Message-ID: <200312092007.hB9K77Jq021918@genesis.camaross.net> I about to write a php interface to allow users to manage their own whitelists and blacklists. Is the CaSe of the strings inside a ruleset a consideration or does notaspammer@domain.org look the same as NotaSpammer@domain.ORG to MailScanner? Mike _\|/_ (@ @) -----oOOo-(_)-oOOo----- From Antony at SOFT-SOLUTIONS.CO.UK Tue Dec 9 20:17:38 2003 
From: Antony at SOFT-SOLUTIONS.CO.UK (Antony Stone) Date: Thu Jan 12 21:21:29 2006 Subject: Rules Question In-Reply-To: <200312092007.hB9K77Jq021918@genesis.camaross.net> References: <200312092007.hB9K77Jq021918@genesis.camaross.net> Message-ID: <200312092017.38518.Antony@Soft-Solutions.co.uk> On Tuesday 09 December 2003 8:14 pm, Mike Kercher wrote: > I about to write a php interface to allow users to manage their own > whitelists and blacklists. Is the CaSe of the strings inside a ruleset a > consideration or does notaspammer@domain.org look the same as > NotaSpammer@domain.ORG to MailScanner? MailScanner is case insensitive. Antony. -- This email is intended for the use of the individual addressee(s) named above and may contain information that is confidential, privileged or unsuitable for overly sensitive persons with low self-esteem, no sense of humour, or irrational religious beliefs. If you have received this email in error, you are required to shred it immediately, add some nutmeg, three egg whites and a dessertspoonful of caster sugar. Whisk until soft peaks form, then place in a warm oven for 40 minutes. Remove promptly and let stand for 2 hours before adding some decorative kiwi fruit and cream. Then notify me immediately by return email and eat the original message. Please reply to the list; please don't CC me. From dafydd.tomos at IMAGINET.CO.UK Tue Dec 9 20:53:12 2003 
From: dafydd.tomos at IMAGINET.CO.UK (Dafydd Tomos) Date: Thu Jan 12 21:21:29 2006 Subject: Translation request In-Reply-To: <6.0.1.1.2.20031209182323.027bf820@imap.ecs.soton.ac.uk> References: <6.0.1.1.2.20031209182323.027bf820@imap.ecs.soton.ac.uk> Message-ID: <20031209205312.GA21319@imaginet.co.uk> On Dec 09, 2003, Julian Field wrote: > Hi all! > > Please can you translate > Too many attachments in message Welsh: Gormod o atodiadau yn y neges -- Dafydd Tomos Systems Administrator Gweinyddwr Systemau Imaginet Ltd http://www.imaginet.co.uk/ From gebhard at EPOST.DE Tue Dec 9 20:56:11 2003 From: gebhard at EPOST.DE (Holger) Date: Thu Jan 12 21:21:29 2006 Subject: Syslog MailScanner Question Message-ID: Hi Julian, hi Group, i just upgraded my System to MailScanner Version 4.25-14... All works fine, but there are some unusually Entries in Syslog. When a Message processed by MailScanner with more than one Recipient to my Domain the Syslog shows something like this when the RBL-Checks are done: RBL-Checks: "Mail-ID" found in sorbs, spamcop, sorbs, spamcop, sorbs, etc. In Previous Versions there was only one entry per RBL-List... Is this intended??? Thanks for help Holger From harryh at CET.COM Tue Dec 9 21:11:46 2003 
From: harryh at CET.COM (Harry Hanson) Date: Thu Jan 12 21:21:29 2006 Subject: Skipping queue run -- load average too high In-Reply-To: <200312060517.hB65HCfX013515@fili.jiscmail.ac.uk> Message-ID: <200312092112.hB9LCKfX016449@fili.jiscmail.ac.uk> Is this due to mailscanner or MTA (sendmail)? Does it simply hold the queue to rescan later? Is there some tuning that can be done to alleviate this? Thanks.

Dec 8 18:12:30 mx01 sm-mta-in[11584]: rejecting connections on daemon MSA: load average: 249
Dec 8 18:12:45 mx01 sm-mta-in[11584]: rejecting connections on daemon MSA: load average: 194
Dec 8 18:13:02 mx01 sm-mta-in[11584]: rejecting connections on daemon MSA: load average: 151
Dec 8 18:13:17 mx01 sm-mta-in[11584]: rejecting connections on daemon MSA: load average: 108
Dec 8 18:13:35 mx01 sm-mta-in[11584]: rejecting connections on daemon MSA: load average: 84
Dec 8 18:13:50 mx01 sm-mta-in[11584]: rejecting connections on daemon MSA: load average: 66
Dec 8 18:14:05 mx01 sm-mta-in[11584]: rejecting connections on daemon MSA: load average: 52
Dec 8 18:14:23 mx01 sm-mta-in[11584]: rejecting connections on daemon MSA: load average: 37
Dec 8 18:14:38 mx01 sm-mta-in[11584]: rejecting connections on daemon MSA: load average: 27
Dec 8 18:20:30 mx01 sm-mta-in[11584]: rejecting connections on daemon MSA: load average: 24
Dec 8 18:32:59 mx01 sm-mta-in[11584]: rejecting connections on daemon MSA: load average: 229
Dec 8 18:33:16 mx01 sm-mta-in[11584]: rejecting connections on daemon MSA: load average: 179
Dec 8 18:33:31 mx01 sm-mta-in[11584]: rejecting connections on daemon MSA: load average: 139
Dec 8 18:33:46 mx01 sm-mta-in[11584]: rejecting connections on daemon MSA: load average: 109
Dec 8 18:34:01 mx01 sm-mta-in[11584]: rejecting connections on daemon MSA: load average: 85
Dec 8 18:34:16 mx01 sm-mta-in[11584]: rejecting connections on daemon MSA: load average: 66
Dec 8 18:34:31 mx01 sm-mta-in[11584]: rejecting connections on daemon MSA: load average: 52
Dec 8 18:34:49 mx01 sm-mta-in[11584]: rejecting connections on daemon MSA: load average: 40
Dec 8 18:35:04 mx01 sm-mta-in[11584]: rejecting connections on daemon MSA: load average: 31
Dec 8 18:35:19 mx01 sm-mta-in[11584]: rejecting connections on daemon MSA: load average: 24

From pete at eatathome.com.au Tue Dec 9 21:12:40 2003 From: pete at eatathome.com.au (Pete) Date: Thu Jan 12 21:21:29 2006 Subject: Postfix Question In-Reply-To: <200312091351.hB9Dp1la030311@genesis.camaross.net> References: <200312091351.hB9Dp1la030311@genesis.camaross.net> Message-ID: <3FD63AC8.9040007@eatathome.com.au> Mike Kercher wrote: >Ok...I was up until 3am working on this, but started getting foggy :) > >I have several domains that I scan mail for and pass on to other mail >servers. Other domains are delivered locally. I have successfully gotten >one domain to scan and forward on to another mail server. I can also scan >and deliver a domain locally. The problem is this: > >I made SO many changes to my configs along the way that I'm not sure which >ones made things work! Again, this is my first REAL experience with >postfix, so a little guidance would be appreciated. I'd be happy to take >this off the list if someone is willing to help me. > >I've created an /etc/postfix/transport|virtual, an >/etc/postfix.in/transport|virtual Which one belongs where? > >Mike > > > > >>-----Original Message----- >>From: MailScanner mailing list >>[mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Robin M. >>Sent: Monday, December 08, 2003 9:56 PM >>To: MAILSCANNER@JISCMAIL.AC.UK >>Subject: Re: Postfix Question >> >>On Mon, 8 Dec 2003, Mike Kercher wrote: >> >> >> >>>For relay_domains and my local delivery domains, these are also >>>specified in my /etc/postfix.in/main.cf as well? >>> >>> >>> >>yes. this will be the file which you will make all your edits >>to for restrictions and such. >> >> >> > > > > >

I have 2 virtual domains - i have made these changes to /etc/postfix.in/main.cf (incoming) and /etc/postfix.main.cf (outgoing) created /etc/postfix/transport and /etc/postfix.in/relay - these changes block all mail not addressed to *@domain1.com.au and *@domain2.com.au and deliver to the SMTP server for each domain, after scanning etc has occurred. It works flawlessly and i am very new to postfix and mailscanner too. You can make a bundle of other changes and have all kinds of security and relay/user options, but start with these and get your set up working - once working then begin to add stuff like RBL checking - if your site is not hugely busy, just get SA to do all the RBL checks and let MS use these to score the mail, it's much neater and simple and will work great, i think i have 1 report of an actual spam message getting through this system and almost no false positives now bayes is working - remember you aren't going to cure spam altogether (without getting false positives) your goal should be to reduce spam and have a gateway system that requires minimal maintenance.

/etc/postfix.in/main.cf - Incoming
defer_transports = smtp local virtual relay
smtpd_recipient_restrictions = permit_auth_destination, reject_unauth_destination
smtpd_banner = $myhostname SMTP
queue_directory = /var/spool/postfix.in
myhostname = mail01.mygatewaydomain.com.au
relay_domains = /etc/postfix.in/relay
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases

/etc/postfix.in/relay - Incoming
domain1.com.au
domain2.com.au

/etc/postfix/main.cf - Outgoing
transport_maps = hash:/etc/postfix/transport
queue_directory = /var/spool/postfix
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases

/etc/postfix/transport - Outgoing
domain1.com.au smtp:192.64.54.20
domain2.com.au smtp:192.64.54.15

From pete at eatathome.com.au Tue Dec 9 21:15:33 2003 
From: pete at eatathome.com.au (Pete) Date: Thu Jan 12 21:21:29 2006 Subject: Postfix configuration/efficiency.... In-Reply-To: References: Message-ID: <3FD63B75.4080903@eatathome.com.au> Eric Sandquist wrote: > Periodically I see reference to setting up MailScanner with a single > instance of Postfix, instead of the standard 2 Postfix install > described in the instructions. > > Is there any advantage in doing this? Memory savings? Server load? I > need to maximize the efficiency of this machine... Are there any > instructions for this type of installation? or for converting from a > working standard installation? Are there any drawbacks to this type > of installation? > > Currently, we are running Dual PIII 500, 512Megs Ram... I've worked > very hard to get the server load down to about 4.... It has been as > high as 10... > > We are processing about 40,000 mails per day.... > > I realize that the best soution is a more powerful machine than this, > but the client company won't do it (until this one dies).... > ------------------------------------------------------------------------ > *Eric Sandquist* > *Systems Engineer* > *ICQ#: 10274846* > *Current ICQ status:* > > *+* *More ways to contact me * > www.ihms.net > www.messianicgroups.com > www.nazarene.net > www.amazinggroups.com > www.613commandments.com > www.hebrew-roots.com > www.netzarim.cc > www.momsonthego.us > ------------------------------------------------------------------------ > > *Home Business Opportunity!! > *- Travel, Taxes, Health, and More > > I am no expert - but Julian has repeatedly posted he believes that Sendmail and Exim are much faster than postfix when used with mailscanner. From raymond at PROLOCATION.NET Tue Dec 9 21:19:32 2003 
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:21:29 2006 Subject: Skipping queue run -- load average too high In-Reply-To: <200312092112.hB9LCKfX016449@fili.jiscmail.ac.uk> Message-ID: Hi! > Dec 8 18:12:30 mx01 sm-mta-in[11584]: rejecting connections on daemon MSA: > load average: 249 Dec 8 18:12:45 mx01 sm-mta-in[11584]: rejecting > connections on daemon MSA: load average: 194 Dec 8 18:13:02 mx01 > sm-mta-in[11584]: rejecting connections on daemon MSA: load average: 151 Dec > 8 18:13:17 mx01 sm-mta-in[11584]: rejecting connections on daemon MSA: load > average: 108 Dec 8 18:13:35 mx01 sm-mta-in[11584]: rejecting connections on > daemon MSA: load average: 84 Dec 8 18:13:50 mx01 sm-mta-in[11584]: With this load its most likely a undersized system. Reduce spam checks, disable SA and so on, to see where your problem is located. What system is it and whats your mail volume ? Bye, Raymond. From esandquist at IHMS.NET Tue Dec 9 21:17:03 2003 
From: esandquist at IHMS.NET (Eric Sandquist) Date: Thu Jan 12 21:21:29 2006 Subject: MailScanner and RedHat 6.0 In-Reply-To: <200312091924.49673.Antony@Soft-Solutions.co.uk> Message-ID: Well, I run Postfix on one server because it was the default in the Mandrake install... Also, the configuration was much easier than the cryptic .cf files in sendmail... I have a RH7.2 server running sendmail and it seems to run at a much lower load than Postfix does... Both are running MailScanner and SpamAssassin and ClamAV... Both running Apache, Squirelmail, and Sympa... The RH7.2 is handling about 28 domains, and about 100 users... The Mandrake 9.1 machine is running 1 domain and about 300 users... The Mandrake machine is a dual PIII 500, 512megs ram, raid 5 array - server load never goes below 3, almost always 6, sometimes higher.. The RH7.2 is a 800mhz Celeron, 128meg ram, single IDE drive - Server load is almost never 1... usually about .1-.5 Wish I could get the Postfix machine to perform like that... :( Don't know why the difference in performance is so great... Been beating this horse for while now... I would have expected the Mandrake machine to outperform the RH machine based on the higher end hardware... Eric -----Original Message----- 
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Antony Stone Sent: Tuesday, December 09, 2003 1:25 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: MailScanner and RedHat 6.0 On Tuesday 09 December 2003 7:17 pm, Jason Balicki wrote: > >What would be the advantage of choosing postfix instead? > > This isn't the answer you were looking for, but here it is > anyway... > > Sometimes it's not a matter of choosing. We run a packaged > server that is a open source based Exchange replacement. > > The system is an all in one bundle that includes Postfix. > > While I'm sure I could change things around to use Sendmail > or Exim, it's not broke so I'm not fixing it. Well, I guess > that is a choice, but you get what I'm saying, hopefully. :) Indeed - I understand what you're saying. Hopefully some others on the list can contribute their opinions on why someone would choose postfix over sendmail or exim, assuming the opportunity for choice exists. I'm still curious to know postfix's advantages. Thanks for the response. Just out of interest, what is the bundled solution you are using? Antony. -- Most people are aware that the Universe is big. - Paul Davies, Professor of Theoretical Physics Please reply to the list; please don't CC me. From sysadmins at ENHTECH.COM Tue Dec 9 22:26:21 2003 From: sysadmins at ENHTECH.COM (Errol Neal) Date: Thu Jan 12 21:21:29 2006 Subject: Upgrading on RPM based system Message-ID: <6.0.0.22.0.20031209172357.02c1d670@mail.enhtech.com> Hi folks, I'm using RH 7.3 and I am using one MailScanner release below the most current version; installed from RPM. When upgrading MailScanner from RPM, is the configuration from my existing install merged into the new install? Or do I need to pretty much go through and reconfigure everything again? Best Regards, Errol Neal From peter at UCGBOOK.COM Tue Dec 9 22:41:42 2003 
From: peter at UCGBOOK.COM (Peter Bonivart) Date: Thu Jan 12 21:21:29 2006 Subject: Translation request - Swedish In-Reply-To: <6.0.1.1.2.20031209182323.027bf820@imap.ecs.soton.ac.uk> References: <6.0.1.1.2.20031209182323.027bf820@imap.ecs.soton.ac.uk> Message-ID: <3FD64FA6.5010501@ucgbook.com> "För många bilagor i meddelandet" /Peter Bonivart --Unix lovers do it in the Sun Sun Fire V210, Solaris 9, Sendmail 8.12.10, MailScanner 4.23-11, SpamAssassin 2.60 + DCC 1.2.9, ClamAV 20030829 Julian Field wrote: > Hi all! > > Please can you translate > Too many attachments in message > into all your favourite languages. > > It is used as a report in a message that contains more file attachments > than are permitted in MailScanner.conf. > -- > Julian Field > www.MailScanner.info > Professional Support Services at www.MailScanner.biz > MailScanner thanks transtec Computers for their support > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > From KCollins at NESBITTENGINEERING.COM Tue Dec 9 23:57:08 2003 
From: KCollins at NESBITTENGINEERING.COM (Collins, Kevin) Date: Thu Jan 12 21:21:29 2006 Subject: Slackware 9.1, Postfix, and MailScanner Message-ID: <2B1F39EA56FA7643A328F66521D41B760EAB@magellan.nesbitt.local> Ok, I've tried for about 7 hours to get the above combination to work. I've been successful with the first two. My box sends e-mail with Postfix just fine, I've even have it so it relay's to my Exchange box. So far so good. But I can't get MailScanner to check any of the mails. Here is a piece of the maillog. ---------------------------------------------------------------------------- ----- Dec 9 13:22:52 freedom MailScanner[8244]: MailScanner E-Mail Virus Scanner version 4.25-14 starting... Dec 9 13:22:52 freedom MailScanner[8244]: Using locktype = flock Dec 9 13:23:03 freedom postfix/pickup[8155]: 17EAA2A9F5: uid=0 from= Dec 9 13:23:03 freedom postfix/cleanup[8248]: 17EAA2A9F5: message-id=<20031209182303.GA8240@freedom.nesbittengineering.com> Dec 9 13:23:03 freedom postfix/qmgr[8156]: 17EAA2A9F5: from=, size=470, nrcpt=1 (queue active) Dec 9 13:23:03 freedom postfix/smtp[8250]: 17EAA2A9F5: to=, relay=magellan.nesbitt.local[10.200.8.252], delay=0, status=sent (250 OK) ---------------------------------------------------------------------------- ----- As you can see MailScanner is running, and Postfix properly picks up and delivers the e-mail. But MailScanner never touches it. I followed the following websites direction to setup Postfix and MailScanner: MailScanner Install: http://www.sng.ecs.soton.ac.uk/mailscanner/install/mailscanner.shtml MailScanner with Postfix Configuration: http://www.sng.ecs.soton.ac.uk/mailscanner/install/postfix.shtml So my question is this: What have I got screwed to cause this kind of behavior? As of right now, I've just got MailScanner and Postfix installed. Once I get the scanning taking place - i.e. I get a "Scanned" added to the subject line of my e-mails - I'm going to add SpamAssassin and ClamAV to the mix. 
If there are additional pieces of information needed, just let me know. I'll pass that along as I can. -- Kevin L. Collins, MCSE Systems Manager Nesbitt Engineering, Inc. From pete at eatathome.com.au Wed Dec 10 01:03:17 2003 
From: pete at eatathome.com.au (Pete) Date: Thu Jan 12 21:21:29 2006 Subject: Slackware 9.1, Postfix, and MailScanner In-Reply-To: <2B1F39EA56FA7643A328F66521D41B760EAB@magellan.nesbitt.local> References: <2B1F39EA56FA7643A328F66521D41B760EAB@magellan.nesbitt.local> Message-ID: <3FD670D5.8020509@eatathome.com.au> Collins, Kevin wrote: >Ok, I've tried for about 7 hours to get the above combination to work. I've >been successful with the first two. My box sends e-mail with Postfix just >fine, I've even have it so it relay's to my Exchange box. So far so good. > >But I can't get MailScanner to check any of the mails. Here is a piece of >the maillog. > >---------------------------------------------------------------------------- >----- >Dec 9 13:22:52 freedom MailScanner[8244]: MailScanner E-Mail Virus Scanner >version 4.25-14 starting... >Dec 9 13:22:52 freedom MailScanner[8244]: Using locktype = flock >Dec 9 13:23:03 freedom postfix/pickup[8155]: 17EAA2A9F5: uid=0 from= >Dec 9 13:23:03 freedom postfix/cleanup[8248]: 17EAA2A9F5: >message-id=<20031209182303.GA8240@freedom.nesbittengineering.com> >Dec 9 13:23:03 freedom postfix/qmgr[8156]: 17EAA2A9F5: >from=, size=470, nrcpt=1 (queue active) >Dec 9 13:23:03 freedom postfix/smtp[8250]: 17EAA2A9F5: >to=, >relay=magellan.nesbitt.local[10.200.8.252], delay=0, status=sent (250 OK) >---------------------------------------------------------------------------- >----- > >As you can see MailScanner is running, and Postfix properly picks up and >delivers the e-mail. But MailScanner never touches it. > >I followed the following websites direction to setup Postfix and >MailScanner: > >MailScanner Install: >http://www.sng.ecs.soton.ac.uk/mailscanner/install/mailscanner.shtml > >MailScanner with Postfix Configuration: >http://www.sng.ecs.soton.ac.uk/mailscanner/install/postfix.shtml > > >So my question is this: What have I got screwed to cause this kind of >behavior? > >As of right now, I've just got MailScanner and Postfix installed. 
Once I >get the scanning taking place - i.e. I get a "Scanned" added to the subject >line of my e-mails - I'm going to add SpamAssassin and ClamAV to the mix. > >If there are additional pieces of information needed, just let me know. >I'll pass that along as I can. > >-- >Kevin L. Collins, MCSE >Systems Manager >Nesbitt Engineering, Inc. > > > > > I am no expert - but it looks like you are sending mail from the local machine - mailscanner wont be scanning this mail - get a mail client on another machine, make the outbound SMTP addy your mailscanner machine and send your new mail - have a tail -f /var/yourlogfilepath console running to watch what happens. From kodak at FRONTIERHOMEMORTGAGE.COM Wed Dec 10 01:04:16 2003 From: kodak at FRONTIERHOMEMORTGAGE.COM (Jason Balicki) Date: Thu Jan 12 21:21:29 2006 Subject: Slackware 9.1, Postfix, and MailScanner In-Reply-To: <2B1F39EA56FA7643A328F66521D41B760EAB@magellan.nesbitt.local> Message-ID: <000401c3beb9$88d34440$0501a8c0@darkside> > >If there are additional pieces of information needed, just let me know. >I'll pass that along as I can. Post *both* of your main.cf files. You should have one in /etc/postfix.in and /etc/postfix. Please label as to which is which. (Nothing personal, just experience... :) --J(K) From harryh at CET.COM Wed Dec 10 02:17:26 2003 From: harryh at CET.COM (Harry Hanson) Date: Thu Jan 12 21:21:29 2006 Subject: Skipping queue run -- load average too high In-Reply-To: Message-ID: <200312100217.hBA2HlfX000445@fili.jiscmail.ac.uk> Dual 1.6 xeon, 1gb memory, 10k rpm u320 scsi drives in raid0 config, 1gb ram. Freebsd 5.1 It would seem to me either an I/O issue, as the cpu rarely exceeds 5% useage, or perhaps I have something set too low? > -----Original Message----- 
> From: MailScanner mailing list
> [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Raymond Dijkxhoorn
> Sent: Tuesday, December 09, 2003 1:20 PM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: Skipping queue run -- load average too high
>
> Hi!
>
> > Dec 8 18:12:30 mx01 sm-mta-in[11584]: rejecting connections on daemon MSA: load average: 249
> > Dec 8 18:12:45 mx01 sm-mta-in[11584]: rejecting connections on daemon MSA: load average: 194
> > Dec 8 18:13:02 mx01 sm-mta-in[11584]: rejecting connections on daemon MSA: load average: 151
> > Dec 8 18:13:17 mx01 sm-mta-in[11584]: rejecting connections on daemon MSA: load average: 108
> > Dec 8 18:13:35 mx01 sm-mta-in[11584]: rejecting connections on daemon MSA: load average: 84
> > Dec 8 18:13:50 mx01 sm-mta-in[11584]:
>
> With this load its most likely a undersized system. Reduce
> spam checks, disable SA and so on, to see where your problem
> is located.
>
> What system is it and whats your mail volume ?
>
> Bye,
> Raymond.
>
From ugob at CAMO-ROUTE.COM Wed Dec 10 03:02:44 2003
From: ugob at CAMO-ROUTE.COM (Ugo Bellavance)
Date: Thu Jan 12 21:21:29 2006
Subject: Skipping queue run -- load average too high
Message-ID: <54C38A0B814C8E438EF73FC76F3629273AE281@mtlnt501fs.CAMOROUTE.COM>

> -----Message d'origine-----
> De : Harry Hanson [mailto:harryh@CET.COM]
> Envoyé : Tuesday, December 09, 2003 9:17 PM
> À : MAILSCANNER@JISCMAIL.AC.UK
> Objet : Re: Skipping queue run -- load average too high
>
>
> Dual 1.6 xeon, 1gb memory, 10k rpm u320 scsi drives in raid0
> config, 1gb
> ram.

What is your daily mail volume?

>
> Freebsd 5.1
>
> It would seem to me either an I/O issue, as the cpu rarely exceeds 5%
> useage, or perhaps I have something set too low?
>

If you've got vmstat on freebsd, use it... type vmstat 1.

this will tell you if you have processes waiting for I/O. (see man vmstat)

>
>
> > -----Original Message-----
> > From: MailScanner mailing list > > [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Raymond Dijkxhoorn > > Sent: Tuesday, December 09, 2003 1:20 PM > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: Re: Skipping queue run -- load average too high > > > > Hi! > > > > > Dec 8 18:12:30 mx01 sm-mta-in[11584]: rejecting > > connections on daemon MSA: > > > load average: 249 Dec 8 18:12:45 mx01 sm-mta-in[11584]: rejecting > > > connections on daemon MSA: load average: 194 Dec 8 18:13:02 mx01 > > > sm-mta-in[11584]: rejecting connections on daemon MSA: load > > average: > > > 151 Dec > > > 8 18:13:17 mx01 sm-mta-in[11584]: rejecting connections on > > daemon MSA: > > > load > > > average: 108 Dec 8 18:13:35 mx01 sm-mta-in[11584]: rejecting > > > connections on daemon MSA: load average: 84 Dec 8 18:13:50 > > mx01 sm-mta-in[11584]: > > > > With this load its most likely a undersized system. Reduce > > spam checks, disable SA and so on, to see where your problem > > is located. > > > > What system is it and whats your mail volume ? > > > > Bye, > > Raymond. > > > From hahanson at COMCAST.NET Wed Dec 10 04:32:29 2003 
From: hahanson at COMCAST.NET (Harry Hanson)
Date: Thu Jan 12 21:21:29 2006
Subject: MailScanner (Batch: Found invalid qf queue file..)
Message-ID: <002801c3bed6$a16a1a70$6800a8c0@elebrin>

all of the sudden started seeing these types of errors..

Dec 9 18:10:05 mx01 MailScanner[96276]: Batch: Found invalid qf queue file for message hB926xWh038695
Dec 9 18:10:05 mx01 MailScanner[96276]: Batch: Found invalid qf queue file for message hB927GWh038481
Dec 9 18:10:05 mx01 MailScanner[96543]: Batch: Found invalid qf queue file for message hB926xWh038695
Dec 9 18:10:05 mx01 MailScanner[96543]: Batch: Found invalid qf queue file for message hB927GWh038481
Dec 9 18:10:05 mx01 MailScanner[96416]: Virus and Content Scanning: Starting
Dec 9 18:10:05 mx01 MailScanner[96160]: Batch: Found invalid qf queue file for message hB926xWh038695
Dec 9 18:10:05 mx01 MailScanner[96160]: Batch: Found invalid qf queue file for message hB927GWh038481
Dec 9 18:10:06 mx01 MailScanner[96696]: Batch: Found invalid qf queue file for message hB926xWh038695
Dec 9 18:10:06 mx01 MailScanner[96696]: Batch: Found invalid qf queue file for message hB927GWh038481

any ideas what might be causing these, or why?

thanks.

From harryh at CET.COM Wed Dec 10 05:47:19 2003
From: harryh at CET.COM (Harry Hanson)
Date: Thu Jan 12 21:21:29 2006
Subject: Skipping queue run -- load average too high
In-Reply-To: <54C38A0B814C8E438EF73FC76F3629273AE281@mtlnt501fs.CAMOROUTE.COM>
Message-ID: <200312100547.hBA5lhfX007571@fili.jiscmail.ac.uk>

> > -----Message d'origine-----
> > De : Harry Hanson [mailto:harryh@CET.COM] Envoyé : Tuesday,
> December
> > 09, 2003 9:17 PM À : MAILSCANNER@JISCMAIL.AC.UK Objet : Re:
> Skipping
> > queue run -- load average too high
> >
> >
> > Dual 1.6 xeon, 1gb memory, 10k rpm u320 scsi drives in
> raid0 config,
> > 1gb ram.
>
> What is your daily mail volume?

Here's an example from midnight to current time:

Log starts at Dec 9 00 00:01 and ends at Dec 9 21 41:42

Total bytes transferred: 1496649
Total bytes In: 0
Messages Out: 33742
Messages In: 0

Messages per hour (each dot is 181 messages)
________________
 0:  827 ....
 1:  838 ....
 2:  745 ....
 3:  793 ....
 4:  778 ....
 5:  804 ....
 6:  805 ....
 7:  856 ....
 8:  781 ....
 9:  839 ....
10:  748 ....
11:  871 ....
12:  799 ....
13:  778 ....
14:  823 ....
15: 9056 ..................................................
16: 6625 ....................................
17: 1462 ........
18: 1478 ........
19: 1383 .......
20: 1364 .......
21: 1056 .....
22:    0
23:    0

> >
> > Freebsd 5.1
> >
> > It would seem to me either an I/O issue, as the cpu rarely
> exceeds 5%
> > useage, or perhaps I have something set too low?
> >
> If you've got vmstat on freebsd, use it... type vmstat 1.
>
> this will tell you if you have processes waiting for I/O.
> (see man vmstat)

My apologies; I am rather a newbie with freebsd; this is my first. Here's a
current snapshot (tho I have to read the man page more; it scrolls
continually and not sure how to interpret the output):

procs     memory     page                   disks   faults     cpu
r b w    avm    fre   flt re pi po    fr sr aa0 aa1  in sy   cs us sy id
0 0 0 224380 314004 11724  0  0  0 10377  0  17   0 533  0 2964 34 28 38
0 1 0 224896 313344   147  0  0  0    41  0   3  57 688  0 1570  2 11 87
0 0 1 221424 315056    48  0  0  0   469  0   0   5 445  0  595  0  4 96
0 1 1 224296 313860   331  0  0  0    80  0   0  26 553  0  927  1  5 94
0 0 1 224332 313400   124  0  0  0    43  0   0  32 626  0 1106  1  5 94
0 0 1 226080 312884  5447  0  0  0  4632  0   8  32 660  0 1577 16 13 71
0 0 1 222444 314720   178  0  0  0   685  0   0  56 714  0 1401  1  8 91
0 0 1 222940 314612   292  0  0  0   305  0   0  30 492  0  782  0  4 96
0 0 1 223712 314196   113  0  0  0    13  0   0   0 404  0  488  0  4 96
0 0 3 233728 311680  5302  0  0  0  4153  0  10   0 490  0  981  9 15 76
0 0 1 220824 315280  3880  0  0  0  4300  0   2   0 593  0 1151 14 10 76
0 0 1 219360 315836   266  0  0  0   436  0   0  24 553  0  929  1  4 95
0 2 1 220908 315104   468  0  0  0   315  0   0   7 607  0 1027  1  7 92
0 0 1 219352 316120   256  0  0  0   557  0   0  43 602  0 1086  1  5 94
0 1 2 224964 313308  6070  0  0  0  4839  0  20   9 518  0 1083 11 16 72
0 0 0 221508 315068  3038  0  0  0  3045  0   0  17 641  0 1304 16  8 76
0 0 0 221552 315000   135  0  0  0   130  0   0  11 496  0  744  0  6 94
0 0 0 220272 315616   117  0  0  0   303  0  11  36 540  0  914  1  4 95
0 0 0 220264 315652   362  0  0  0   387  0   0   9 517  0  777  1  4 95
0 1 1 223036 314032  4288  0  0  0  3483  0  12  19 567  0 1294 11 13 76
0 0 0 218800 316340  2958  0  0  0  3155  0   0  57 797  0 3355 13 18 69
0 0 0 215380 318212   488  0  0  0   971  0   0   9 540  0  855  0  7 92
procs     memory     page                   disks   faults     cpu

From gioia at bclink.it Wed Dec 10 07:59:57 2003
From: gioia at bclink.it (Gioia Bastioni)
Date: Thu Jan 12 21:21:29 2006
Subject: R: Translation request - italian
In-Reply-To: <6.0.1.1.2.20031209182323.027bf820@imap.ecs.soton.ac.uk>
Message-ID:

- Troppi allegati nel messaggio -

-----Messaggio originale-----
Da: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]Per
conto di Julian Field
Inviato: martedì 9 dicembre 2003 19.25
A: MAILSCANNER@JISCMAIL.AC.UK
Oggetto: Translation request

Hi all!

Please can you translate
Too many attachments in message
into all your favourite languages.

It is used as a report in a message that contains more file attachments
than are permitted in MailScanner.conf.
--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mike at TC3NET.COM Tue Dec 9 13:42:24 2003
From: mike at TC3NET.COM (Michael Baird) Date: Thu Jan 12 21:21:29 2006 Subject: per_user prefs not working ? In-Reply-To: <6.0.1.1.2.20031209085503.03d1e130@imap.ecs.soton.ac.uk> References: <1070896552.14580.31.camel@mike-new2.tc3net.com> <6.0.1.1.2.20031209085503.03d1e130@imap.ecs.soton.ac.uk> Message-ID: <1070977344.18391.17.camel@mike-new2.tc3net.com> Ok, I looked in the rulesets, still not sure, how to go about it, can you give me an example, of what needs to be set in MailScanner and a default ruleset (I read on the list it doesn't work, so I stopped trying). I imagine the ruleset would look like To: test@domain.com /home/users/test/.spamassassin/user_prefs FromOrTo: default /etc/MailScanner/user_prefs In MailScanner.conf I would point SpamAssassin Prefs File to this ruleset? What about Spamassassin User State Dir, I have that set to nothing, should the ruleset go here? Should this look up each individual's ~/.spamassassin/user_prefs by default? If there is an easy way to do this I'd prefer it. Regards MIKE > You can do all the user_prefs mentioned below in MailScanner rulesets. No > need for procmail hacks. > See /etc/MailScanner/rules/* > > At 15:15 08/12/2003, you wrote: > >MailScanner won't use per user spamassassin preferences, it uses the > >prefs file specified in MailScanner.conf for all users or > >/root/.spamassassin, since MailScanner runs as root. I faced this issue > >myself when I migrated my spam scanning to MailScanner, my solution was > >to create a procmail ruleset, which duplicates all my users individual > >spamassassin user_prefs behaviors (hit threshold, spam tag, whitelist, > >blacklist). I just have MailScanner check the spamlevel and such. I'll > >post the recipe here (I'm still working on making the > >whitelist/blacklist work better). Scanning all messages through > >MailScanner and filtering via a procmail ruleset, has lowered my load > >averages tremendously, as opposed to calling spamc via a procmail > >ruleset. 
> >
> >
> >INCLUDERC=$HOME/.procmail/.spamprefs
> >WHITELIST=$HOME/.procmail/.whitelist
> >BLACKLIST=$HOME/.procmail/.blacklist
> >
> >:0
> >* < 20000
> >{
> >  :0
> >  * ?egrep --silent --file $WHITELIST
> >  $DEFAULT
> >  :0
> >  * ?egrep --silent --file $BLACKLIST
> >  /dev/null
> >  :0
> >  *$ ^X-TC3Net-Level: $SPAMLEVEL
> >  {
> >    :0
> >    * ^Subject:[ ]*\/[^ ].*
> >    {
> >      SUBJECT=$MATCH
> >    }
> >    :0 fw
> >    | formail -I "Subject: $SPAMTAG $SUBJECT"
> >    :0
> >    $SPAMBOX
> >  }
> >}
> >
> >Where .whitelist and .blacklist are just list of email addresses, and
> >.spamprefs contains a few variable definitions used in the recipe.
> >
> >SPAMLEVEL=xxxxxxxxxx
> >SPAMTAG=*****SPAM*****
> >SPAMBOX=.maildir/
> >
> >Regards
> >MIKE
> >
> > > Hi
> > >
> > > I am trying to get the per_user preferences working
> > >
> > > I set SpamAssassin User State Dir = ~/.spamassassin/
> > > in /etc/MailScanner.conf
> > >
> > > I then created a .spamassassin directory in my home dir
> > >
> > > I then create a file user_prefs in this directory
> > >
> > > inside the user_prefs file i put required_hits 10
> > >
> > > i then chown and chmod accordingly
> > >
> > > Restart MailScanner and send a test spam.
> > >
> > > The headers still tell me it is working on a required hits of 5
> > >
> > > What am i doing wrong?
> > >
> > > Regards
> > >
> > > Stuart Clark RHCE
> > > Spacelink Communications Pty Ltd
> > >
>
> --
> Julian Field
> www.MailScanner.info
> MailScanner thanks transtec Computers for their support
>
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>
From andersjk at SOL-INVICTUS.ORG Wed Dec 10 09:03:30 2003
From: andersjk at SOL-INVICTUS.ORG (Kevin Anderson)
Date: Thu Jan 12 21:21:29 2006
Subject: Translation request (German)
In-Reply-To: <6.0.1.1.2.20031209182323.027bf820@imap.ecs.soton.ac.uk>
Message-ID:

Zu viele Anhänge in e-mail.

thanks,
k

On Tue, 9 Dec 2003, Julian Field wrote:

> Hi all!
>
> Please can you translate
> Too many attachments in message
> into all your favourite languages.
>
> It is used as a report in a message that contains more file attachments
> than are permitted in MailScanner.conf.
> --
> Julian Field
> www.MailScanner.info
> Professional Support Services at www.MailScanner.biz
> MailScanner thanks transtec Computers for their support
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>

--
@ _____________________________________________
chaos, panic and disorder... my job is done...

From martinh at SOLID-STATE-LOGIC.COM Wed Dec 10 09:09:26 2003
From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth)
Date: Thu Jan 12 21:21:29 2006
Subject: Skipping queue run -- load average too high
In-Reply-To: <200312100547.hBA5lhfX007571@fili.jiscmail.ac.uk>
References: <200312100547.hBA5lhfX007571@fili.jiscmail.ac.uk>
Message-ID: <3FD6E2C6.1080902@solid-state-logic.com>

Harry Hanson wrote:
>>>-----Message d'origine-----
>>>De : Harry Hanson [mailto:harryh@CET.COM] Envoyé : Tuesday,
>>
>>December
>>
>>>09, 2003 9:17 PM À : MAILSCANNER@JISCMAIL.AC.UK Objet : Re:
>>
>>Skipping
>>
>>>queue run -- load average too high
>>>
>>>
>>>Dual 1.6 xeon, 1gb memory, 10k rpm u320 scsi drives in
>>
>>raid0 config,
>>
>>>1gb ram.
>>
>>What is your daily mail volume?
>
>
> Here's an example from midnight to current time:
>
> Log starts at Dec 9 00 00:01 and ends at Dec 9 21 41:42
>
> Total bytes transferred: 1496649
> Total bytes In: 0
> Messages Out: 33742
> Messages In: 0
>
> Messages per hour (each dot is 181 messages)
> ________________
>  0:  827 ....
>  1:  838 ....
>  2:  745 ....
>  3:  793 ....
>  4:  778 ....
>  5:  804 ....
>  6:  805 ....
>  7:  856 ....
>  8:  781 ....
>  9:  839 ....
> 10:  748 ....
> 11:  871 ....
> 12:  799 ....
> 13:  778 ....
> 14:  823 ....
> 15: 9056 ..................................................
> 16: 6625 ....................................
> 17: 1462 ........
> 18: 1478 ........
> 19: 1383 .......
> 20: 1364 .......
> 21: 1056 .....
> 22:    0
> 23:    0
>
>
>
>>>Freebsd 5.1
>>>
>>>It would seem to me either an I/O issue, as the cpu rarely
>>
>>exceeds 5%
>>
>>>useage, or perhaps I have something set too low?
>>>
>>
>>If you've got vmstat on freebsd, use it... type vmstat 1.
>>
>>this will tell you if you have processes waiting for I/O.
>>(see man vmstat)
>
>
> My apologies; I am rather a newbie with freebsd; this is my first.
Here's a > current snapshot (tho I have to read the man page more; it scrolls > coninually and not sure how to interpret the output): > > > procs memory page disks faults cpu > r b w avm fre flt re pi po fr sr aa0 aa1 in sy cs us sy > id > 0 0 0 224380 314004 11724 0 0 0 10377 0 17 0 533 0 2964 34 > 28 38 > 0 1 0 224896 313344 147 0 0 0 41 0 3 57 688 0 1570 2 11 > 87 > 0 0 1 221424 315056 48 0 0 0 469 0 0 5 445 0 595 0 4 > 96 > 0 1 1 224296 313860 331 0 0 0 80 0 0 26 553 0 927 1 5 > 94 > 0 0 1 224332 313400 124 0 0 0 43 0 0 32 626 0 1106 1 5 > 94 > 0 0 1 226080 312884 5447 0 0 0 4632 0 8 32 660 0 1577 16 13 > 71 > 0 0 1 222444 314720 178 0 0 0 685 0 0 56 714 0 1401 1 8 > 91 > 0 0 1 222940 314612 292 0 0 0 305 0 0 30 492 0 782 0 4 > 96 > 0 0 1 223712 314196 113 0 0 0 13 0 0 0 404 0 488 0 4 > 96 > 0 0 3 233728 311680 5302 0 0 0 4153 0 10 0 490 0 981 9 15 > 76 > 0 0 1 220824 315280 3880 0 0 0 4300 0 2 0 593 0 1151 14 10 > 76 > 0 0 1 219360 315836 266 0 0 0 436 0 0 24 553 0 929 1 4 > 95 > 0 2 1 220908 315104 468 0 0 0 315 0 0 7 607 0 1027 1 7 > 92 > 0 0 1 219352 316120 256 0 0 0 557 0 0 43 602 0 1086 1 5 > 94 > 0 1 2 224964 313308 6070 0 0 0 4839 0 20 9 518 0 1083 11 16 > 72 > 0 0 0 221508 315068 3038 0 0 0 3045 0 0 17 641 0 1304 16 8 > 76 > 0 0 0 221552 315000 135 0 0 0 130 0 0 11 496 0 744 0 6 > 94 > 0 0 0 220272 315616 117 0 0 0 303 0 11 36 540 0 914 1 4 > 95 > 0 0 0 220264 315652 362 0 0 0 387 0 0 9 517 0 777 1 4 > 95 > 0 1 1 223036 314032 4288 0 0 0 3483 0 12 19 567 0 1294 11 13 > 76 > 0 0 0 218800 316340 2958 0 0 0 3155 0 0 57 797 0 3355 13 18 > 69 > 0 0 0 215380 318212 488 0 0 0 971 0 0 9 540 0 855 0 7 > 92 > procs memory page disks faults cpu hmm seems to be page faulting quite a bit, which is unusual for something relatively high CPU/memory wise. what checks have you got on SA and MS? Esp what checks are running for RBL's and pyzor? sendmail is saying the machine is too busy to process mail, hence the log messages.. 
you say you've got the disk configured as RAID 0 (striping), is this hardware or software RAID (vinum?). have you turned on softupdates on the filesystem containing the spool files - this can make alot of difference as regards I/O. How have you split up the filesystems? single / or /, /usr, /home and /var? Just wondering why you choose FreeBSD 5.1 as this is still considered 'unstable'? The current 'stable' release is 4.9. But my tests seem to indicate 5.x tree is much faster than 4.8... I run FreeBSD 4.8 with Exim 4.24 and MS 4.24 (no RBL's/pyzor) using Sophos-Savi and ClamAV with Mailwatch and the mysql DB all on the same machine - celeron 600mhz, single ATA1-100 disk and a single / partition. runs 9,000 messages a day without breaking above 1.5 on load average. -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 ********************************************************************** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean. ********************************************************************** From mailscanner at ecs.soton.ac.uk Wed Dec 10 09:11:14 2003 
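Added example (not part of the thread): a Python reader for the "vmstat 1" capture quoted above that rejoins rows wrapped by mail quoting and reports the figures the replies discuss (idle CPU, processes blocked on resources, fault bursts, paging). The column names follow the header in the capture, with the two "sy" columns renamed sys_calls and sy; the function names are hypothetical.

```python
# Columns in the order of the header line of the capture; the first "sy"
# (system calls under "faults") is renamed so the two do not collide.
COLUMNS = ("r", "b", "w", "avm", "fre", "flt", "re", "pi", "po", "fr", "sr",
           "aa0", "aa1", "in", "sys_calls", "cs", "us", "sy", "id")

# First six rows of the capture, copied in the wrapped, ">"-quoted form in
# which they appear in the reply.
SAMPLE_CAPTURE = """\
> procs memory page disks faults cpu
> r b w avm fre flt re pi po fr sr aa0 aa1 in sy cs us sy
> id
> 0 0 0 224380 314004 11724 0 0 0 10377 0 17 0 533 0 2964 34
> 28 38
> 0 1 0 224896 313344 147 0 0 0 41 0 3 57 688 0 1570 2 11
> 87
> 0 0 1 221424 315056 48 0 0 0 469 0 0 5 445 0 595 0 4
> 96
> 0 1 1 224296 313860 331 0 0 0 80 0 0 26 553 0 927 1 5
> 94
> 0 0 1 224332 313400 124 0 0 0 43 0 0 32 626 0 1106 1 5
> 94
> 0 0 1 226080 312884 5447 0 0 0 4632 0 8 32 660 0 1577 16 13
> 71
"""


def parse_vmstat(text):
    """Return one dict per sample, tolerating quoting and wrapped rows.

    Only lines made up entirely of integers contribute, so header lines
    (including the header vmstat repeats while scrolling) are skipped and
    a row split over two lines is rejoined from the number stream.
    """
    numbers = []
    for line in text.splitlines():
        tokens = line.lstrip("> \t").split()
        if tokens and all(tok.isdigit() for tok in tokens):
            numbers.extend(int(tok) for tok in tokens)
    width = len(COLUMNS)
    usable = len(numbers) - len(numbers) % width  # drop a truncated last row
    return [dict(zip(COLUMNS, numbers[i:i + width]))
            for i in range(0, usable, width)]


def summarize_vmstat(rows, skip_first=True):
    """Reduce samples to the numbers that matter for an I/O-versus-CPU call.

    vmstat's first report covers the time since boot rather than the last
    interval, so it is dropped by default; pass skip_first=False when the
    capture was cut from the middle of a run.
    """
    if skip_first:
        rows = rows[1:]
    if not rows:
        raise ValueError("no vmstat samples to summarize")
    count = len(rows)
    return {
        "samples": count,
        "mean_idle": sum(r["id"] for r in rows) / count,
        "min_idle": min(r["id"] for r in rows),
        # b: processes blocked waiting for resources such as disk I/O
        "blocked_samples": sum(1 for r in rows if r["b"] > 0),
        "max_runnable": max(r["r"] for r in rows),
        "max_faults": max(r["flt"] for r in rows),
        # pi/po: pages actually paged in or out during the interval
        "paging_samples": sum(1 for r in rows if r["pi"] or r["po"]),
    }


if __name__ == "__main__":
    for key, value in summarize_vmstat(parse_vmstat(SAMPLE_CAPTURE)).items():
        print(f"{key:16} {value}")
```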
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:29 2006 Subject: Upgrading on RPM based system In-Reply-To: <6.0.0.22.0.20031209172357.02c1d670@mail.enhtech.com> References: <6.0.0.22.0.20031209172357.02c1d670@mail.enhtech.com> Message-ID: <6.0.1.1.2.20031210091049.03a3a988@imap.ecs.soton.ac.uk> Do the "./install.sh" and then type "upgrade_MailScanner_conf". At 22:26 09/12/2003, you wrote: >Hi folks, > >I'm using RH 7.3 and I am using one MailScanner release below the most >current version; installed from RPM. When upgrading MailScanner from RPM, >is the configuration from my existing install merged into the new install? >Or do I need to pretty much go through and reconfigure everything again? > > >Best Regards, > > >Errol Neal -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From joan.bryan at KCL.AC.UK Wed Dec 10 10:31:34 2003 
From: joan.bryan at KCL.AC.UK (Joan Bryan) Date: Thu Jan 12 21:21:29 2006 Subject: Solaris with stats options In-Reply-To: <1070936884.3fd533348e7fc@webemail.bsd.uchicago.edu> References: <1070936884.3fd533348e7fc@webemail.bsd.uchicago.edu> Message-ID: Hi Ian I have mailscanner-mrtg running on solaris 9. However the graphs for ethernet traffic and memory are not working as there are no easy way of gathering these statisistics, and I have not had time to look at this further. Also I had to slightly alter the option for the number of mailscanners running in /usr/sbin/mailscanner-mrtg from ps -oe to ps -ef, as for some reason it gave a blank line for the mailscanner processes and possibly other processes. I did not have to do this for the number of mailscanners - a solaris bug! Feel free to contact me off list. Joan On Mon, 8 Dec 2003 20:28:04 -0600 Ian Miller wrote: > Has anyone had any luck setting up mailscanner-mrtg on solaris? > I am running solaris 9 and only get alot of error in the cronlog and nothing on > the stats page. > > > -- > Ian Miller > Sr. Systems Engineer > University of Chicago > imiller@bsd.uchicago.edu ---------------------- Joan Bryan Unix Systems Administrator Information Systems Telephone: +44 (0) 20 7848 2671 mailto:joan.bryan@kcl.ac.uk From prandal at HEREFORDSHIRE.GOV.UK Wed Dec 10 10:32:49 2003 
From: prandal at HEREFORDSHIRE.GOV.UK (Randal, Phil) Date: Thu Jan 12 21:21:29 2006 Subject: could not analyze/too many attachments Message-ID: <0EBC45FCABFC95428EBFC3A51B368C9501C9C3C5@jessica.herefordshire.gov.uk> On the subject of confusing error messages, the following is starting to get a tad irritating: Subject: Warning: E-mail viruses detected Body: The following e-mail messages were found to have viruses in them: Sender: a@b.c.d IP Address: 10.2.3.4 Recipient: me@here Subject: Whatever MessageID: xxxxxxxxxxxxxx Report: MailScanner: No AVI movies allowed (worldcup1.avi) Excuse me, it's not a virus! I've had a quick peek at the report files and it seems that there is no clear delineation between viruses and other blocked attachments. Am I missing something obvious here? Cheers, Phil --------------------------------------------- Phil Randal Network Engineer Herefordshire Council Hereford, UK > -----Original Message----- 
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > Behalf Of Julian Field > Sent: 09 December 2003 18:23 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: could not analyze/too many attachments > > > At 16:54 09/12/2003, you wrote: > >Julian, > > I know there was a thread recently about "Could not > >analyze message" coming out in the virus report, when the > >issue is really "too many attachments" from the > >"Maximum Attachments Per Message" setting. I did a bonehead > >move of setting this to 20 instead of 200, and then had to > >quarantine the problem message after the sender complained, > >stare at it and MS code, and figure out the problem. Will > >this "Could not analyze" message be clearer in the next > >version? > > You can already change the error message, but only for all unparsable > messages. It's in your languages.conf file, the line that > starts "CantAnalyze". > > However, I agree that it should be separate from that error > message. The > fix will be in the next release, but attached are patches to > Message.pm, > MessageBatch.pm and languages.conf (English only right now) which will > implement it. > From mailscanner at ecs.soton.ac.uk Wed Dec 10 11:04:36 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:29 2006 Subject: could not analyze/too many attachments In-Reply-To: <0EBC45FCABFC95428EBFC3A51B368C9501C9C3C5@jessica.herefords hire.gov.uk> References: <0EBC45FCABFC95428EBFC3A51B368C9501C9C3C5@jessica.herefordshire.gov.uk> Message-ID: <6.0.1.1.2.20031210110312.08f21b78@imap.ecs.soton.ac.uk> If you don't like it, change it. Read languages.conf and you will see there is a "NoticeSubject" entry in there. As a general point, before posting stuff like this to the list *please* check that you can't configure the setting you don't like. Repeatedly saying RTFM is getting kinda tedious. At 10:32 10/12/2003, you wrote: >On the subject of confusing error messages, the following is starting to get >a tad irritating: > >Subject: Warning: E-mail viruses detected > >Body: > >The following e-mail messages were found to have viruses in them: > > Sender: a@b.c.d >IP Address: 10.2.3.4 > Recipient: me@here > Subject: Whatever > MessageID: xxxxxxxxxxxxxx > Report: MailScanner: No AVI movies allowed (worldcup1.avi) > >Excuse me, it's not a virus! > >I've had a quick peek at the report files and it seems that there is no >clear delineation between viruses and other blocked attachments. Am I >missing something obvious here? > >Cheers, > >Phil >--------------------------------------------- >Phil Randal >Network Engineer >Herefordshire Council >Hereford, UK > > > -----Original Message----- 
> > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > > Behalf Of Julian Field > > Sent: 09 December 2003 18:23 > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: Re: could not analyze/too many attachments > > > > > > At 16:54 09/12/2003, you wrote: > > >Julian, > > > I know there was a thread recently about "Could not > > >analyze message" coming out in the virus report, when the > > >issue is really "too many attachments" from the > > >"Maximum Attachments Per Message" setting. I did a bonehead > > >move of setting this to 20 instead of 200, and then had to > > >quarantine the problem message after the sender complained, > > >stare at it and MS code, and figure out the problem. Will > > >this "Could not analyze" message be clearer in the next > > >version? > > > > You can already change the error message, but only for all unparsable > > messages. It's in your languages.conf file, the line that > > starts "CantAnalyze". > > > > However, I agree that it should be separate from that error > > message. The > > fix will be in the next release, but attached are patches to > > Message.pm, > > MessageBatch.pm and languages.conf (English only right now) which will > > implement it. > > -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From james.ogley at PINNACLE.CO.UK Wed Dec 10 11:25:34 2003 
From: james.ogley at PINNACLE.CO.UK (James Ogley) Date: Thu Jan 12 21:21:29 2006 Subject: could not analyze/too many attachments In-Reply-To: <6.0.1.1.2.20031210110312.08f21b78@imap.ecs.soton.ac.uk> References: <0EBC45FCABFC95428EBFC3A51B368C9501C9C3C5@jessica.herefordshire.gov.uk> <6.0.1.1.2.20031210110312.08f21b78@imap.ecs.soton.ac.uk> Message-ID: <1071055533.5589.28.camel@jogley.pinnacle.co.uk> > If you don't like it, change it. > Read languages.conf and you will see there is a "NoticeSubject" entry in there. > >I've had a quick peek at the report files and it seems that there is no > >clear delineation between viruses and other blocked attachments. Am I > >missing something obvious here? That's not what he was asking, the point he was making was that there isn't a delineation between virii and other reasons for blocking messages, and he's right. When it's a virus, yes, you want the Subject to read "Virus blah blah" When it's a video, you want it to read "Video blah blah", when it's a large file, you want "Large file blah" etc etc... -- James Ogley, Unix Systems Administrator, Pinnacle Insurance Plc Work: james.ogley@pinnacle.co.uk www.pinnacle.co.uk +44 (0) 20 8731 3619 Personal: james@rubberturnip.org.uk www.rubberturnip.org.uk Updated GNOME RPMs for SuSE Linux: www.usr-local-bin.org *********************************************************************** CONFIDENTIALITY. This e-mail and any attachments are confidential and may also be privileged. If you are not the named recipient, please notify the sender immediately and do not disclose the contents to another person, use it for any purpose, or store or copy the information in any medium. Any views expressed in this message are those of the individual sender, except where the sender specifically states them to be the views of Pinnacle Insurance Plc. If you have received this e-mail in error please immediately notify our Helpdesk on +44 (0) 20 8207 9555. 
This footnote also confirms that this email message has been swept by
MIMEsweeper for the presence of computer viruses.

www.mimesweeper.com
**********************************************************************

From dh at UPTIME.AT Wed Dec 10 11:23:59 2003
From: dh at UPTIME.AT (David H.)
Date: Thu Jan 12 21:21:29 2006
Subject: Translation request (German)
In-Reply-To:
References:
Message-ID: <3FD7024F.4090204@uptime.at>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

Kevin Anderson wrote:

> Zu viele Anhänge in e-mail.
>
Don't get me wrong Kevin but that is awefully bad german *winks* Something
like:

Zu hohe Anzahl an Anhängen

or

Eine zu hohe Anzahl an Attachments wurde gefunden

make a lot more sense. Translating into german in a literal approach often
yields a bad result as you sure know :)

- -d

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (Darwin)

iD8DBQE/1wJPPMoaMn4kKR4RA5YcAJ9yJQx8Ly3clVzj+VZpr2lSsXAWkACghK8N
XlIzArI7P3pSHIRifX19iQM=
=Nsil
-----END PGP SIGNATURE-----

From dh at UPTIME.AT Wed Dec 10 11:26:11 2003
From: dh at UPTIME.AT (David H.)
Date: Thu Jan 12 21:21:29 2006
Subject: Translation request (German)
In-Reply-To: <3FD7024F.4090204@uptime.at>
References: <3FD7024F.4090204@uptime.at>
Message-ID: <3FD702D3.40600@uptime.at>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

David H. wrote:

Ok, please overlook my blunt mistakes. Geezes I cannot type nor spell today.

- -d
- -
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (Darwin)

iD8DBQE/1wLTPMoaMn4kKR4RA24DAJ4hDKPWyegV7Ho3vHA54OBIoa1tvgCbBe73
dYVRWHjCruigmZTXj6IYGOI=
=fHn9
-----END PGP SIGNATURE-----

From mailscanner at ecs.soton.ac.uk Wed Dec 10 11:35:34 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:21:29 2006
Subject: Translation request (German)
In-Reply-To: <3FD7024F.4090204@uptime.at>
References: <3FD7024F.4090204@uptime.at>
Message-ID: <6.0.1.1.2.20031210113501.03826f68@imap.ecs.soton.ac.uk>

Can we have some agreement on this please?
Suggesting 2 or 3 alternatives doesn't help when I don't know what any of
them say...

At 11:23 10/12/2003, you wrote:
>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: RIPEMD160
>
>Kevin Anderson wrote:
>
>>Zu viele Anhänge in e-mail.
>Don't get me wrong Kevin but that is awefully bad german *winks* Something
>like:
>
>Zu hohe Anzahl an Anhängen
>
>or
>
>Eine zu hohe Anzahl an Attachments wurde gefunden
>
>make a lot more sense. Translating into german in a literal approach often
>yields a bad result as you sure know :)
>
>- -d
>
>-----BEGIN PGP SIGNATURE-----
>Version: GnuPG v1.2.3 (Darwin)
>
>iD8DBQE/1wJPPMoaMn4kKR4RA5YcAJ9yJQx8Ly3clVzj+VZpr2lSsXAWkACghK8N
>XlIzArI7P3pSHIRifX19iQM=
>=Nsil
>-----END PGP SIGNATURE-----
>

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Wed Dec 10 11:34:40 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:29 2006 Subject: could not analyze/too many attachments In-Reply-To: <1071055533.5589.28.camel@jogley.pinnacle.co.uk> References: <0EBC45FCABFC95428EBFC3A51B368C9501C9C3C5@jessica.herefordshire.gov.uk> <6.0.1.1.2.20031210110312.08f21b78@imap.ecs.soton.ac.uk> <1071055533.5589.28.camel@jogley.pinnacle.co.uk> Message-ID: <6.0.1.1.2.20031210113145.08eb9b40@imap.ecs.soton.ac.uk> At 11:25 10/12/2003, you wrote: > > If you don't like it, change it. > > Read languages.conf and you will see there is a "NoticeSubject" entry > in there. > > >I've had a quick peek at the report files and it seems that there is no > > >clear delineation between viruses and other blocked attachments. Am I > > >missing something obvious here? > >That's not what he was asking, the point he was making was that there >isn't a delineation between virii and other reasons for blocking >messages, and he's right. > >When it's a virus, yes, you want the Subject to read "Virus blah blah" > >When it's a video, you want it to read "Video blah blah", when it's a >large file, you want "Large file blah" etc etc... I never intended anyone to actually read every notice. I intentionally kept the subject the same so that it was easy to automatically filter into a mailbox from which you could gather statistics from time to time. The Admininstrator Notices were never intended to be read by a customer. If you want to read every notice by hand, you should probably get out more :o) If you want to separate the notices into different types, why not just filter on the contents of the message? -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From prandal at HEREFORDSHIRE.GOV.UK Wed Dec 10 11:44:57 2003 
From: prandal at HEREFORDSHIRE.GOV.UK (Randal, Phil) Date: Thu Jan 12 21:21:29 2006 Subject: could not analyze/too many attachments Message-ID: <0EBC45FCABFC95428EBFC3A51B368C9501C9C3C7@jessica.herefordshire.gov.uk> Thanks Julian, I'll take a look at the option of filtering. In the meantime, I've changed the text to: NoticeSubject = Warning: E-mail viruses or illegal attachments detected and NoticeHeading = The following e-mail messages were found to have viruses or illegal attachments in them Cheers, Phil --------------------------------------------- Phil Randal Network Engineer Herefordshire Council Hereford, UK > -----Original Message----- 
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > Behalf Of Julian Field > Sent: 10 December 2003 11:35 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: could not analyze/too many attachments > > > At 11:25 10/12/2003, you wrote: > > > If you don't like it, change it. > > > Read languages.conf and you will see there is a > "NoticeSubject" entry > > in there. > > > >I've had a quick peek at the report files and it seems > that there is no > > > >clear delineation between viruses and other blocked > attachments. Am I > > > >missing something obvious here? > > > >That's not what he was asking, the point he was making was that there > >isn't a delineation between virii and other reasons for blocking > >messages, and he's right. > > > >When it's a virus, yes, you want the Subject to read "Virus > blah blah" > > > >When it's a video, you want it to read "Video blah blah", when it's a > >large file, you want "Large file blah" etc etc... > > I never intended anyone to actually read every notice. I > intentionally kept > the subject the same so that it was easy to automatically > filter into a > mailbox from which you could gather statistics from time to time. The > Admininstrator Notices were never intended to be read by a > customer. If you > want to read every notice by hand, you should probably get > out more :o) > > If you want to separate the notices into different types, why not just > filter on the contents of the message? > -- > Julian Field > www.MailScanner.info > MailScanner thanks transtec Computers for their support > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > From andersjk at SOL-INVICTUS.ORG Wed Dec 10 11:55:35 2003 
From: andersjk at SOL-INVICTUS.ORG (Kevin Anderson) Date: Thu Jan 12 21:21:29 2006 Subject: Translation request (German) In-Reply-To: <6.0.1.1.2.20031210113501.03826f68@imap.ecs.soton.ac.uk> Message-ID: well, being Canadian... and just wanting to help... Zu viele Anh?nge in e-mail wurde gefunden. is ok... On Wed, 10 Dec 2003, Julian Field wrote: > Can we have some agreement on this please? Suggesting 2 or 3 alternatives > doesn't help when I don't know what any of them say... > > At 11:23 10/12/2003, you wrote: > >-----BEGIN PGP SIGNED MESSAGE----- > >Hash: RIPEMD160 > > > >Kevin Anderson wrote: > > > >>Zu viele Anh?nge in e-mail. > >Don't get me wrong Kevin but that is awefully bad german *winks* Something > >like: > > > >Zu hohe Anzahl an Anh?ngen > > > >or > > > >Eine zu hohe Anzahl an Attachments wurde gefunden > > > >make a lot more sense. Translating into german in a literal approach often > >yields a bad result as you sure know :) > > > >- -d > > > >-----BEGIN PGP SIGNATURE----- > >Version: GnuPG v1.2.3 (Darwin) > > > >iD8DBQE/1wJPPMoaMn4kKR4RA5YcAJ9yJQx8Ly3clVzj+VZpr2lSsXAWkACghK8N > >XlIzArI7P3pSHIRifX19iQM= > >=Nsil > >-----END PGP SIGNATURE----- > > > > -- @ _____________________________________________ chaos, panic and disorder... my job is done... From henker at S-H-COM.DE Wed Dec 10 11:52:45 2003 
From: henker at S-H-COM.DE (Steffan Henke) Date: Thu Jan 12 21:21:29 2006 Subject: Translation request (German) In-Reply-To: <6.0.1.1.2.20031210113501.03826f68@imap.ecs.soton.ac.uk> References: <3FD7024F.4090204@uptime.at> <6.0.1.1.2.20031210113501.03826f68@imap.ecs.soton.ac.uk> Message-ID: On Wed, 10 Dec 2003, Julian Field wrote: > Can we have some agreement on this please? Suggesting 2 or 3 alternatives > doesn't help when I don't know what any of them say... Uh, sorry, I read your request yesterday and thought I'd better reply off-list, but didn't because I was thinking somebody sure sent you a pm already. Maybe it's time for an alias like languages@ to avoid language discussions/suggestions on the list ? I hope, no one is bothered by this one. > >Kevin Anderson wrote: > > > >>Zu viele Anh?nge in e-mail. Personally, I would write something like "Zu viele Anh?nge in der Email." > >Don't get me wrong Kevin but that is awefully bad german *winks* Something > >like: > >Zu hohe Anzahl an Anh?ngen > >or > >Eine zu hohe Anzahl an Attachments wurde gefunden These are *very* formal from my POV, but of course correct. Regards, Steffan From Uwe.Krause at FEP.FHG.DE Wed Dec 10 12:00:56 2003 From: Uwe.Krause at FEP.FHG.DE (Krause, Uwe) Date: Thu Jan 12 21:21:29 2006 Subject: Translation request (German) Message-ID: <8DDE8CA53DC5F24DA4B7D074DDE8109F21CAF9@midgard.fep.fhg.de> Es wurden zu viele Anh?nge in der e-mail gefunden. Ciao from Germany :-) Uwe From mailscanner at ecs.soton.ac.uk Wed Dec 10 12:18:05 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:21:29 2006
Subject: Translation request (German)
In-Reply-To: <8DDE8CA53DC5F24DA4B7D074DDE8109F21CAF9@midgard.fep.fhg.de>
References: <8DDE8CA53DC5F24DA4B7D074DDE8109F21CAF9@midgard.fep.fhg.de>
Message-ID: <6.0.1.1.2.20031210121305.08e8c438@imap.ecs.soton.ac.uk>

1) Es wurden zu viele Anhänge in der e-mail gefunden
2) Zu viele Anhänge in e-mail wurde gefunden
3) Zu viele Anhänge in e-mail
4) Zu viele Anhänge in der Email
5) Zu hohe Anzahl an Anhängen
6) Eine zu hohe Anzahl an Attachments wurde gefunden

Votes for the above please. By number.

Only native German speakers please. If you didn't learn "gaah gaah" in
German before the age of 1 then please don't vote.

And I thought the Spanish could never agree on anything... ;-)
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From dh at UPTIME.AT Wed Dec 10 12:25:03 2003
From: dh at UPTIME.AT (David H.) Date: Thu Jan 12 21:21:29 2006 Subject: Translation request (German) In-Reply-To: <6.0.1.1.2.20031210121305.08e8c438@imap.ecs.soton.ac.uk> References: <8DDE8CA53DC5F24DA4B7D074DDE8109F21CAF9@midgard.fep.fhg.de> <6.0.1.1.2.20031210121305.08e8c438@imap.ecs.soton.ac.uk> Message-ID: <3FD7109F.4030505@uptime.at> -----BEGIN PGP SIGNED MESSAGE----- Hash: RIPEMD160 Julian Field wrote: > 1) Es wurden zu viele Anh?nge in der e-mail gefunden > 2) Zu viele Anh?nge in e-mail wurde gefunden > 3) Zu viele Anh?nge in e-mail > 4) Zu viele Anh?nge in der Email > 5) Zu hohe Anzahl an Anh?ngen > 6) Eine zu hohe Anzahl an Attachments wurde gefunden > I may complicate this even further? I just looked it up and in this special case one apprently has to write "Zuviele" not "Zu viele" I vote for 6 though since it is the most formal and anyone from 10 to 60 will understand it properly - -d -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.3 (Darwin) iD8DBQE/1xCkPMoaMn4kKR4RA7b0AKCX2quz/1sa4ffpaEU1JJ7bmLHntgCeKUSn XuQ9ylTQt9qYfOK+vuEKiA8= =AeS0 -----END PGP SIGNATURE----- From Heinz.Knutzen at DZSH.DE Wed Dec 10 12:24:03 2003 
From: Heinz.Knutzen at DZSH.DE (Knutzen, Heinz (DZ-SH))
Date: Thu Jan 12 21:21:29 2006
Subject: AW: Translation request (German)
Message-ID:

I vote for (4)

Best regards
-- Heinz

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Julian Field
Sent: Wednesday, 10 December 2003 13:18
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Translation request (German)

1) Es wurden zu viele Anhänge in der e-mail gefunden
2) Zu viele Anhänge in e-mail wurde gefunden
3) Zu viele Anhänge in e-mail
4) Zu viele Anhänge in der Email
5) Zu hohe Anzahl an Anhängen
6) Eine zu hohe Anzahl an Attachments wurde gefunden

Votes for the above please. By number.

Only native German speakers please. If you didn't learn "gaah gaah" in
German before the age of 1 then please don't vote.

And I thought the Spanish could never agree on anything... ;-)
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From henker at S-H-COM.DE Wed Dec 10 12:44:52 2003
From: henker at S-H-COM.DE (Steffan Henke) Date: Thu Jan 12 21:21:29 2006 Subject: Translation request (German) In-Reply-To: <3FD7109F.4030505@uptime.at> References: <8DDE8CA53DC5F24DA4B7D074DDE8109F21CAF9@midgard.fep.fhg.de> <6.0.1.1.2.20031210121305.08e8c438@imap.ecs.soton.ac.uk> <3FD7109F.4030505@uptime.at> Message-ID: On Wed, 10 Dec 2003, David H. wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: RIPEMD160 > > Julian Field wrote: > > > 1) Es wurden zu viele Anh?nge in der e-mail gefunden > > 2) Zu viele Anh?nge in e-mail wurde gefunden > > 3) Zu viele Anh?nge in e-mail > > 4) Zu viele Anh?nge in der Email > > 5) Zu hohe Anzahl an Anh?ngen > > 6) Eine zu hohe Anzahl an Attachments wurde gefunden > > > > I may complicate this even further? > I just looked it up and in this special case one apprently has to write > "Zuviele" not "Zu viele" > I vote for 6 though since it is the most formal and anyone from 10 to 60 > will understand it properly Uh, oh, I was thinking about "zu viele" and "zuviele"... From m.sapsed at BANGOR.AC.UK Wed Dec 10 12:45:25 2003 From: m.sapsed at BANGOR.AC.UK (Martin Sapsed) Date: Thu Jan 12 21:21:29 2006 Subject: Translation request - Welsh References: <6.0.1.1.2.20031209182323.027bf820@imap.ecs.soton.ac.uk> Message-ID: <3FD71565.4010708@bangor.ac.uk> Julian Field wrote: > Hi all! > > Please can you translate > Too many attachments in message > into all your favourite languages. Gormod o atodiadau yn y neges Cheers, Martin -- Martin Sapsed Information Services "Who do you say I am?" University of Wales, Bangor Jesus of Nazareth From Uwe.Krause at FEP.FHG.DE Wed Dec 10 12:51:56 2003 From: Uwe.Krause at FEP.FHG.DE (Krause, Uwe) Date: Thu Jan 12 21:21:29 2006 Subject: Translation request (German) Message-ID: <8DDE8CA53DC5F24DA4B7D074DDE8109F21CAFD@midgard.fep.fhg.de> 1 > -----Original Message----- 
> From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] > Sent: Wednesday, December 10, 2003 1:18 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Translation request (German) > > > 1) Es wurden zu viele Anh?nge in der e-mail gefunden > 2) Zu viele Anh?nge in e-mail wurde gefunden > 3) Zu viele Anh?nge in e-mail > 4) Zu viele Anh?nge in der Email > 5) Zu hohe Anzahl an Anh?ngen > 6) Eine zu hohe Anzahl an Attachments wurde gefunden > > Votes for the above please. By number. > > Only native German speakers please. If you didn't learn "gaah > gaah" in > German before the age of 1 then please don't vote. > > And I thought the Spanish could never agree on anything... ;-) > -- > Julian Field > www.MailScanner.info > MailScanner thanks transtec Computers for their support > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > From Peter.Bates at LSHTM.AC.UK Wed Dec 10 13:23:59 2003 
From: Peter.Bates at LSHTM.AC.UK (Peter Bates) Date: Thu Jan 12 21:21:29 2006 Subject: Bayesian horrors Message-ID: Hello all... MailScanner, SpamAssassin (2.60) and Postfix 2... I upgraded today using the RPM version to 4.25(14)... after the upgrade/rebuild of this and that, MS started up happily with my old configuration. (One point I'd like to throw in is can we have a switch to 'install.sh' to build MailScanner and friends, but not necessarily kick it into place?) While I worked on upgrading my configuration to add in the new bits, etc. I noticed the queues building up... Eventually, tracking down a load of 'bayes.lock' files in /var/spool/spamassassin, I gathered that all was not well in the world of Bayes. I quickly uncommented the 'use_bayes 0' in the default spam.assassin.prefs.conf, and things flowed happily. Looking at the new configuration, I see: SpamAssassin User State Dir = /var/spool/MailScanner/spamassassin So, I have a few problems. Firstly, is it possible my Bayes DB is corrupt, and if so, what do I do? Does SA use this 'User State Dir' to look for the Bayes DBs, or is that tied to the 'bayes_path' setting in spam.assassin.prefs.conf? And finally, should I upgrade to SA 2.61 anyway? Any advice would be appreciated! ---------------------------------------------------------------------------------------------------> Peter Bates, Systems Support Officer, Network Support Team. London School of Hygiene & Tropical Medicine. Telephone:0207-958 8353 / Fax: 0207- 636 9838 From shrek-m at GMX.DE Wed Dec 10 13:34:30 2003 
From: shrek-m at GMX.DE (shrek-m@gmx.de)
Date: Thu Jan 12 21:21:29 2006
Subject: Translation request (German)
In-Reply-To:
References: <8DDE8CA53DC5F24DA4B7D074DDE8109F21CAF9@midgard.fep.fhg.de> <6.0.1.1.2.20031210121305.08e8c438@imap.ecs.soton.ac.uk> <3FD7109F.4030505@uptime.at>
Message-ID: <3FD720E6.3000005@gmx.de>

Steffan Henke wrote:

>On Wed, 10 Dec 2003, David H. wrote:
>
>
>>Julian Field wrote:
>>
>>>1) Es wurden zu viele Anhänge in der e-mail gefunden
>>>2) Zu viele Anhänge in e-mail wurde gefunden
>>>3) Zu viele Anhänge in e-mail
>>>4) Zu viele Anhänge in der Email
>>>5) Zu hohe Anzahl an Anhängen
>>>6) Eine zu hohe Anzahl an Attachments wurde gefunden
>>>
>>>
>According to David's correction, it should be written as
>"Es wurden zuviele Anhänge in der e-mail gefunden."
>For simplicity, #4 "Zuviele Anhänge in der Email".
>

if it should be a complete sentence
"1" with the correction "zuviele"

if it should be a short report
"4" with the correction "Zuviele"

--
shrek-m

From m.sapsed at bangor.ac.uk Wed Dec 10 13:21:42 2003
From: m.sapsed at bangor.ac.uk (Martin Sapsed)
Date: Thu Jan 12 21:21:29 2006
Subject: netiquette
Message-ID: <3FD71DE6.3050607@bangor.ac.uk>

Hi Julian,

Just found this in my Spam folder. Have you had words about the HTML
stuff/advertising sig?

Martin

-------- Original Message --------
Subject: {Spam?} Postfix configuration/efficiency....
Date: Tue, 9 Dec 2003 13:22:30 -0600
From: "Eric Sandquist" To: Periodically I see reference to setting up MailScanner with a single instance of Postfix, instead of the standard 2 Postfix install described in the instructions. Is there any advantage in doing this? Memory savings? Server load? I need to maximize the efficiency of this machine... Are there any instructions for this type of installation? or for converting from a working standard installation? Are there any drawbacks to this type of installation? Currently, we are running Dual PIII 500, 512Megs Ram... I've worked very hard to get the server load down to about 4.... It has been as high as 10... We are processing about 40,000 mails per day.... I realize that the best soution is a more powerful machine than this, but the client company won't do it (until this one dies).... ------------------------------------------------------------------------ Eric Sandquist Systems Engineer ICQ#: 10274846 Current ICQ status: + More ways to contact me www.ihms.net www.messianicgroups.com www.nazarene.net www.amazinggroups.com www.613commandments.com www.hebrew-roots.com www.netzarim.cc www.momsonthego.us ------------------------------------------------------------------------ Home Business Opportunity!! - Travel, Taxes, Health, and More From mailscanner at ecs.soton.ac.uk Wed Dec 10 13:50:29 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:21:29 2006
Subject: Bayesian horrors
In-Reply-To:
References:
Message-ID: <6.0.1.1.2.20031210134916.0383d9b8@imap.ecs.soton.ac.uk>

At 13:23 10/12/2003, you wrote:
>Looking at the new configuration, I see:
>SpamAssassin User State Dir = /var/spool/MailScanner/spamassassin

That must have been in your previous MailScanner.conf, it is undefined by
default.

>So, I have a few problems.
>
>Firstly, is it possible my Bayes DB is corrupt, and if so, what do I
>do?

sa-learn --rebuilddb
(I think. Run sa-learn on its own and it should print its help)

>And finally, should I upgrade to SA 2.61 anyway?

Yes.
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Wed Dec 10 13:47:58 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:21:29 2006
Subject: Translation request (German)
In-Reply-To: <6.0.1.1.2.20031210121305.08e8c438@imap.ecs.soton.ac.uk>
References: <8DDE8CA53DC5F24DA4B7D074DDE8109F21CAF9@midgard.fep.fhg.de> <6.0.1.1.2.20031210121305.08e8c438@imap.ecs.soton.ac.uk>
Message-ID: <6.0.1.1.2.20031210134650.08eaab20@imap.ecs.soton.ac.uk>

I clearly missed something from the original voting request.

This is not some fancy transferrable vote system. You have 1 vote only.
If I don't get a clear result I will pick one at random :)

At 12:18 10/12/2003, you wrote:
>1) Es wurden zu viele Anhänge in der e-mail gefunden
>2) Zu viele Anhänge in e-mail wurde gefunden
>3) Zu viele Anhänge in e-mail
>4) Zu viele Anhänge in der Email
>5) Zu hohe Anzahl an Anhängen
>6) Eine zu hohe Anzahl an Attachments wurde gefunden
>
>Votes for the above please. By number.
>
>Only native German speakers please. If you didn't learn "gaah gaah" in
>German before the age of 1 then please don't vote.
>
>And I thought the Spanish could never agree on anything... ;-)
>--
>Julian Field
>www.MailScanner.info
>MailScanner thanks transtec Computers for their support
>
>PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From ugob at CAMO-ROUTE.COM Wed Dec 10 14:33:37 2003
From: ugob at CAMO-ROUTE.COM (Ugo Bellavance)
Date: Thu Jan 12 21:21:29 2006
Subject: Skipping queue run -- load average too high
Message-ID: <54C38A0B814C8E438EF73FC76F3629273132BF@mtlnt501fs.CAMOROUTE.COM>

> -----Original Message-----
> From: Harry Hanson [mailto:harryh@CET.COM]
> Sent: Wednesday, December 10, 2003 12:47 AM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: Skipping queue run -- load average too high
>
>
> > > -----Original Message-----
> > > From: Harry Hanson [mailto:harryh@CET.COM]
> > > Sent: Tuesday, December 09, 2003 9:17 PM
> > > To: MAILSCANNER@JISCMAIL.AC.UK
> > > Subject: Re: Skipping queue run -- load average too high
> > >
> > >
> > > Dual 1.6 xeon, 1gb memory, 10k rpm u320 scsi drives in raid0 config,
> > > 1gb ram.
> >
> > What is your daily mail volume?
>
> Here's an example from midnight to current time:
>
> Log starts at Dec 9 00 00:01 and ends at Dec 9 21 41:42
>
> Total bytes transferred: 1496649
> Total bytes In: 0
> Messages Out: 33742
> Messages In: 0
>
> Messages per hour (each dot is 181 messages)
> ________________
>  0:  827 ....
>  1:  838 ....
>  2:  745 ....
>  3:  793 ....
>  4:  778 ....
>  5:  804 ....
>  6:  805 ....
>  7:  856 ....
>  8:  781 ....
>  9:  839 ....
> 10:  748 ....
> 11:  871 ....
> 12:  799 ....
> 13:  778 ....
> 14:  823 ....
> 15: 9056 ..................................................
> 16: 6625 ....................................
> 17: 1462 ........
> 18: 1478 ........
> 19: 1383 .......
> 20: 1364 .......
> 21: 1056 .....
> 22:    0
> 23:    0
>
> > >
> > > Freebsd 5.1
> > >
> > > It would seem to me either an I/O issue, as the cpu rarely exceeds 5%
> > > usage, or perhaps I have something set too low?
> > >
> > If you've got vmstat on freebsd, use it... type vmstat 1.
> >
> > this will tell you if you have processes waiting for I/O.
> > (see man vmstat)
>
> My apologies; I am rather a newbie with freebsd; this is my first. Here's a
> current snapshot (tho I have to read the man page more; it scrolls
> continually and not sure how to interpret the output):

You have to stop it with ctrl-c. To interpret the output, see the manpage
for vmstat. The first column I check is usually the second one (b). And in
your case, it seems ok, because it is 0 or 1 (there is one or zero process
waiting for I/O). I don't have a freebsd box here, so I can't interpret
everything.

>
>
> procs     memory     page                     disks   faults     cpu
> r b w    avm    fre   flt re pi po    fr sr aa0 aa1  in sy   cs us sy id
> 0 0 0 224380 314004 11724  0  0  0 10377  0  17   0 533  0 2964 34 28 38
> 0 1 0 224896 313344   147  0  0  0    41  0   3  57 688  0 1570  2 11 87
> 0 0 1 221424 315056    48  0  0  0   469  0   0   5 445  0  595  0  4 96
> 0 1 1 224296 313860   331  0  0  0    80  0   0  26 553  0  927  1  5 94
> 0 0 1 224332 313400   124  0  0  0    43  0   0  32 626  0 1106  1  5 94
> 0 0 1 226080 312884  5447  0  0  0  4632  0   8  32 660  0 1577 16 13 71
> 0 0 1 222444 314720   178  0  0  0   685  0   0  56 714  0 1401  1  8 91
> 0 0 1 222940 314612   292  0  0  0   305  0   0  30 492  0  782  0  4 96
> 0 0 1 223712 314196   113  0  0  0    13  0   0   0 404  0  488  0  4 96
> 0 0 3 233728 311680  5302  0  0  0  4153  0  10   0 490  0  981  9 15 76
> 0 0 1 220824 315280  3880  0  0  0  4300  0   2   0 593  0 1151 14 10 76
> 0 0 1 219360 315836   266  0  0  0   436  0   0  24 553  0  929  1  4 95
> 0 2 1 220908 315104   468  0  0  0   315  0   0   7 607  0 1027  1  7 92
> 0 0 1 219352 316120   256  0  0  0   557  0   0  43 602  0 1086  1  5 94
> 0 1 2 224964 313308  6070  0  0  0  4839  0  20   9 518  0 1083 11 16 72
> 0 0 0 221508 315068  3038  0  0  0  3045  0   0  17 641  0 1304 16  8 76
> 0 0 0 221552 315000   135  0  0  0   130  0   0  11 496  0  744  0  6 94
> 0 0 0 220272 315616   117  0  0  0   303  0  11  36 540  0  914  1  4 95
> 0 0 0 220264 315652   362  0  0  0   387  0   0   9 517  0  777  1  4 95
> 0 1 1 223036 314032  4288  0  0  0  3483  0  12  19 567  0 1294 11 13 76
> 0 0 0 218800 316340  2958  0  0  0  3155  0   0  57 797  0 3355 13 18 69
> 0 0 0 215380 318212   488  0  0  0   971  0   0   9 540  0  855  0  7 92
> procs     memory     page                     disks   faults     cpu
>

From Janssen at RZ.UNI-FRANKFURT.DE Wed Dec 10 14:39:15 2003
From: Janssen at RZ.UNI-FRANKFURT.DE (Michael Janssen)
Date: Thu Jan 12 21:21:29 2006
Subject: Translation request (German)
In-Reply-To: <6.0.1.1.2.20031210121305.08e8c438@imap.ecs.soton.ac.uk>
References: <8DDE8CA53DC5F24DA4B7D074DDE8109F21CAF9@midgard.fep.fhg.de> <6.0.1.1.2.20031210121305.08e8c438@imap.ecs.soton.ac.uk>
Message-ID:

On Wed, 10 Dec 2003, Julian Field wrote:

> 1) Es wurden zu viele Anhänge in der e-mail gefunden
> 2) Zu viele Anhänge in e-mail wurde gefunden
> 3) Zu viele Anhänge in e-mail
> 4) Zu viele Anhänge in der Email
> 5) Zu hohe Anzahl an Anhängen
> 6) Eine zu hohe Anzahl an Attachments wurde gefunden
>
> Votes for the above please. By number.

4)

The spelling of "Email" is another problem. "Email" seems actually
preferred in reports/de but "Email" (beside e-mail and e-Mail) was a
german word long before the net has occurred: enamel ("gloss paint on
metal"). Therefore correct spelling (as suggested by e.g.
http://dict.leo.org/?p=lURE.&search=e-mail) is E-Mail (which is not easy
to type, so people type something like e-Mail, eMail, e-mail (plain good
english) or Email)

The good thing is, Email in the sense of enamel isn't used a lot and
especially not with computers ;-) People who cook might have trouble.

Michael

PS: google and dict.leo.org want "zu viele" in two words.

>
> Only native German speakers please. If you didn't learn "gaah gaah" in
> German before the age of 1 then please don't vote.
>
> And I thought the Spanish could never agree on anything... ;-)
> --
> Julian Field
> www.MailScanner.info
> MailScanner thanks transtec Computers for their support
>
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>

From Uwe.Krause at FEP.FHG.DE Wed Dec 10 13:58:12 2003
From: Uwe.Krause at FEP.FHG.DE (Krause, Uwe)
Date: Thu Jan 12 21:21:29 2006
Subject: Translation request (German)
Message-ID: <8DDE8CA53DC5F24DA4B7D074DDE8109F21CAFF@midgard.fep.fhg.de>

Hello,

> if it should be be a complete sentence
> "1" with the correction "zuviele"

Just had to look it up in the Duden, but under the new German spelling
rules "zuviel" is written as two words :-).

> if it should be a short report
> "4" with the correction "Zuviele"
>
> --
> shrek-m

Bye,
Uwe

From m.sapsed at bangor.ac.uk Wed Dec 10 14:35:18 2003
From: m.sapsed at bangor.ac.uk (Martin Sapsed)
Date: Thu Jan 12 21:21:29 2006
Subject: netiquette
References: <3FD71DE6.3050607@bangor.ac.uk> <6.0.1.1.2.20031210134042.0901dcf0@imap.ecs.soton.ac.uk>
Message-ID: <3FD72F26.6010604@bangor.ac.uk>

Julian Field wrote:

> No, I haven't. I'm not sure it's necessarily worth the bother. If the
> silly bloke winds up in your spam folder, I would leave him there.

Yeah - fair point.

> But feel free to drop him a line asking him to remove all the commercial
> stuff from his sig just in case he doesn't realise he is getting
> filtered out by people. I guess he might say something useful... :-)

He might also realise that no-one's replying to his messages...

Noticed you getting a bit ratty yesterday/today - chill man! Have a beer!

Cheers,

Martin

--
Martin Sapsed                Information Services
"Who do you say I am?"       University of Wales, Bangor
   Jesus of Nazareth

From KCollins at NESBITTENGINEERING.COM Wed Dec 10 14:45:55 2003
From: KCollins at NESBITTENGINEERING.COM (Collins, Kevin) Date: Thu Jan 12 21:21:29 2006 Subject: Slackware 9.1, Postfix, and MailScanner Message-ID: <2B1F39EA56FA7643A328F66521D41B760EAC@magellan.nesbitt.local> > I am no expert - but it looks like you are sending mail from > the local machine - mailscanner wont be scanning this mail - > get a mail client on another machine, make the outbound SMTP > addy your mailscanner machine and send your new mail - have a > tail -f /var/yourlogfilepath console running to watch what happens. Thanks for replying. Yes you're right, I was sending from the local machine. I was not aware that MailScanner wouldn't scan e-mails when delivered this way - you live and learn. So I set up a machine on my LAN that uses "Freedom" (my new MS Box) as an SMTP host, and I've been able to verify that MailScanner is actually working. Thanks for your help. Kevin From KCollins at NESBITTENGINEERING.COM Wed Dec 10 14:47:27 2003 From: KCollins at NESBITTENGINEERING.COM (Collins, Kevin) Date: Thu Jan 12 21:21:29 2006 Subject: Slackware 9.1, Postfix, and MailScanner Message-ID: <2B1F39EA56FA7643A328F66521D41B760EAD@magellan.nesbitt.local> > > > >If there are additional pieces of information needed, just > let me know. > >I'll pass that along as I can. > > Post *both* of your main.cf files. You should have one in > /etc/postfix.in and /etc/postfix. Please label as to which > is which. (Nothing personal, just experience... :) > > --J(K) > Jason, I actually was sending e-mail from the MailScanner machine itself and that's what was throwing me off. Another poster "Pete" pointed this out to me. Thanks for the reply and the willingness to help. Kevin From john at TRADOC.FR Wed Dec 10 15:49:05 2003 
From: john at TRADOC.FR (John Wilcock) Date: Thu Jan 12 21:21:29 2006 Subject: Skipped; still being delivered - even in 4.25 In-Reply-To: References: <6.0.1.1.2.20031120103306.03ba1df8@imap.ecs.soton.ac.uk> Message-ID: On Thu, 20 Nov 2003 11:47:08 +0100, John Wilcock wrote: > On Thu, 20 Nov 2003 10:33:32 +0000, Julian Field wrote: > > On what version of what OS? > > RedHat 9 with all the latest up2date patches. > > > Does your latest ChangeLog mention Postfix fix for Solaris? > > Assuming you mean the MailScanner ChangeLog, then no, no mention of a > postfix fix for Solaris. Just spotted three more occurrences of this, after two weeks with not a single case. I'm now on MS 4.25-14 (i.e. with the postfix fix "for Solaris") and Postfix 2.0.16-7, still on RH9 for i386. Any more ideas, Julian? (not that the problem bothers me much - I'd rather have the occasional mail twice than not at all - but there must be something slightly amiss). Any other postfix users out there still seeing this? John. -- -- Over 2000 webcams from ski resorts around the world - www.snoweye.com -- Translate your technical documents and web pages - www.tradoc.fr From gdoris at rogers.com Wed Dec 10 16:28:39 2003 
From: gdoris at rogers.com (Gerry Doris) Date: Thu Jan 12 21:21:29 2006 Subject: New SpamAssassin - Big Jump in CPU Utilization Message-ID: <50188.129.80.22.143.1071073719.squirrel@tiger.dorfam.ca> Last night I upgraded SpamAssassin from 2.60 to the latest 2.61. I noticed that Razor2 didn't appear to be running so I did a discover command which seemed to get it working again. Other than that all seemed to be working as advertised. I just noticed that the box's CPU utilization has jumped from around 5% to more than 50% on average and as high as 90% at peaks (thanks to graphs from mailscanner-mrtg). The increase started at exactly the same time I performed the SpamAssassin upgrade. Other than the increase in utilization everything still seems to be working correctly. Has anyone else noticed anything like this? Gerry From Wilfred.Bolten at TOMMY-EUROPE.COM Wed Dec 10 16:21:16 2003 
From: Wilfred.Bolten at TOMMY-EUROPE.COM (Wilfred Bolten)
Date: Thu Jan 12 21:21:29 2006
Subject: MailScanner installation problems
Message-ID: <022DE3728F924649909E989B955E68F8040A58@NLDAMS0139.Tommy-Europe.com>

Hi,

I haven't done an awful lot with Linux before so this is probably the
reason why I am having problems with the installation of the MailScanner.

I have Linux Suse 9 with Sendmail running. I can send emails through my
Exchange organization to this Sendmail box and deliver them to the remote
hosts. Also incoming email works fine. So I am pretty sure the SendMail
part is working.

To add virus scanning and anti-SPAM measurements I want to add MailScanner
to sendmail. For this I have downloaded MailScanner-4.25-14.suse.tar and
performed the steps described on
http://www.sng.ecs.soton.ac.uk/MailScanner/Install but I am not getting the
response I am expecting from the system.

I ran the tar xvf MailScanner-4.25-14.suse.tar and I got the directories
and files listed as it should.

The bit about the TNEF I don't really understand. Can somebody help me out
here?

For the rest I followed the steps to change the lines that are needed to
start sendmail but again. What is described on the website is different
from my information.

This bit on the website does not make any sense to me
http://www.sng.ecs.soton.ac.uk/mailscanner/install/sendmail.shtml

Currently, your copy of sendmail will be started by a script such as
/etc/init.d/mail or /etc/rc.d/init.d/sendmail. Somewhere in this script
will be the command to start sendmail itself. This should look like this:

sendmail -bd -q15m

You should change this to the following two lines:

sendmail -bd -OPrivacyOptions=noetrn -ODeliveryMode=queueonly -OQueueDirectory=/var/spool/mqueue.in
sendmail -q15m

I don't have the line
sendmail -bd -q15m

But have

# Description: Start the Sendmail MTA
### END INIT INFO

test -s /etc/sysconfig/mail && \
      . /etc/sysconfig/mail

test -s /etc/sysconfig/sendmail && \
      . /etc/sysconfig/sendmail

if test -z "$SENDMAIL_ARGS" ; then
        SENDMAIL_ARGS="-L sendmail -Am -bd -q15m -om"
fi
if test -z "$SENDMAIL_CLIENT_ARGS" ; then
        SENDMAIL_CLIENT_ARGS="-L sendmail-client -Ac -qp30m"
fi
if test "$SMTPD_LISTEN_REMOTE" != "yes" ; then
        SENDMAIL_ARGS="-O DaemonPortOptions=Addr=127.0.0.1 $SENDMAIL_ARGS"
fi
msppid=/var/spool/clientmqueue/sm-client.pid
srvpid=/var/run/sendmail.pid

What do I need to change now?

Many thanks
Wilfred

*******************************************************
Confidentiality: This e-mail and its attachments are intended for the above
named only and may be confidential. If they have come to you in error you
must take no action based on them, nor must you copy or show them to
anyone. Please reply to this e-mail and highlight the error.

Security Warning: Please note that this e-mail has been created in the
knowledge that Internet e-mail is not a 100% secure communications medium.
We advise that you understand and observe this lack of security when
e-mailing us.

Viruses: Although we have taken steps to ensure that this e-mail and
attachments are free from any virus. We advise that in keeping with good
computing practice the recipient should ensure they are actually virus free.

From m.sapsed at bangor.ac.uk Wed Dec 10 16:53:42 2003
From: m.sapsed at bangor.ac.uk (Martin Sapsed) Date: Thu Jan 12 21:21:29 2006 Subject: netiquette References: <3FD71DE6.3050607@bangor.ac.uk> <6.0.1.1.2.20031210134042.0901dcf0@imap.ecs.soton.ac.uk> <3FD72F26.6010604@bangor.ac.uk> <6.0.1.1.2.20031210164108.08f6fa98@imap.ecs.soton.ac.uk> Message-ID: <3FD74F96.5010309@bangor.ac.uk> Julian Field wrote: > At 14:35 10/12/2003, you wrote: > >> Noticed you getting a bit ratty yesterday/today - chill man! Have a beer! > > Thanks for telling me, you are quite right. Been living on painkillers, > tends to make me very dopey. It's nasty stuff called "oxycodone" which > is the same strength as morphine. Real painkillers, not Smarties :-) I should have added that it was mostly justified. Too many people who can't be bothered to Read The Friendly Manual or search the archives. The painkillers sound heavy - this recent or a long term thing? Cheers, Martin -- Martin Sapsed Information Services "Who do you say I am?" University of Wales, Bangor Jesus of Nazareth From Kevin_Miller at CI.JUNEAU.AK.US Wed Dec 10 17:14:02 2003 From: Kevin_Miller at CI.JUNEAU.AK.US (Kevin Miller) Date: Thu Jan 12 21:21:29 2006 Subject: MailScanner installation problems Message-ID: <08146035CA49D6119A36009027AC822A0264EB4C@CITY-EXCH-NTS> >-----Original Message----- 
>From: Wilfred Bolten [mailto:Wilfred.Bolten@TOMMY-EUROPE.COM] >Sent: Wednesday, December 10, 2003 7:21 AM >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: MailScanner installation problems > > >Hi, > >I haven't done a awfull lot with Linux before so this is probably the >reason why I am having problems with the installation of the >MailScanner. > >I have Linux Suse 9 with Sendmail running. I can send emails through my >Exchange organization to this Senmail box and deliver them to >the remote >hosts. Also incoming email works fine. So I am pretty sure the SendMail >part if working. > >To add virus scanning and anti-SPAM measurements I want to add >MailScanner to sendmail. > >For this I have downloaded MailScanner-4.25-14.suse.tar and performed >the steps described on >http://www.sng.ecs.soton.ac.uk/MailScanner/Install but I am not getting >the response I am expecting from the system > >I ran the tar xvf MailScanner-4.25-14.suse.tar and I got the >directories >and files listed as it should. > >The bit about the TNEF I don't really understand. Can somebody help me >out here? > >For the rest I followed the steps to change the lines that are >needed to >start sendmail but again. What is described on the website is different >from my information. > >This bit on the website does not make any sense to me >http://www.sng.ecs.soton.ac.uk/mailscanner/install/sendmail.shtml > >Currently, your copy of sendmail will be started by a script such as >/etc/init.d/mail or /etc/rc.d/init.d/sendmail. Somewhere in this script >will be the command to start sendmail itself. This should look like >this: > > sendmail -bd -q15m >You should change this to the following two lines: > sendmail -bd -OPrivacyOptions=noetrn -ODeliveryMode=queueonly >-OQueueDirectory=/var/spool/mqueue.in > sendmail -q15m > >I don't have the line > sendmail -bd -q15m > >But have ># Description: Start the Sendmail MTA >### END INIT INFO > >test -s /etc/sysconfig/mail && \ >. 
/etc/sysconfig/mail > >test -s /etc/sysconfig/sendmail && \ >. /etc/sysconfig/sendmail > >if test -z "$SENDMAIL_ARGS" ; then >SENDMAIL_ARGS="-L sendmail -Am -bd -q15m -om" >fi >if test -z "$SENDMAIL_CLIENT_ARGS" ; then >SENDMAIL_CLIENT_ARGS="-L sendmail-client -Ac -qp30m" >fi >if test "$SMTPD_LISTEN_REMOTE" != "yes" ; then >SENDMAIL_ARGS="-O DaemonPortOptions=Addr=127.0.0.1 $SENDMAIL_ARGS" >fi >msppid=/var/spool/clientmqueue/sm-client.pid >srvpid=/var/run/sendmail.pid > >What do I need to change now? > >Many thanks >Wilfred Don't worry about the missing sendmail line in the /etc/init.d/sendmail script. The proper parameters are set in /etc/sysconfig/MailScanner, or in the /etc/init.d/MailScanner script. Make sure that in /etc/sysconfig/MailScanner that you have the proper MTA selected - it's the first couple of lines. By default it's Postfix; I had to comment that out and uncomment sendmail. Just go to the command line and enter: chkconfig sendmail off which will insure that sendmail doesn't start on it's own. When you're happy that everything is working fine, enter chkconfig MailScanner on to enable it to start automatically at boot. To control it, use rcMailScanner [stop, start, reload, etc.] Redhat nomenclature would be "service MailScanner [stop, start...]" so if you see that in the docs or elsewhere just mentally substitute the rcSCRIPTNAME verbage instead. FWIW, that works for all the scripts so you can say rcsendmail as well. You may have already done it, but in /etc/sysconfig/mail you want to set the following: MAIL_CREATE_CONFIG="no" SMTPD_LISTEN_REMOTE="yes" The first turns keeps SuSEConfig from clobbering your customizations, and the second tells sendmail to accept mail from other hosts. By default it will only accept mail from itself. SuSE seems to have changed things around a bit in sendmail. 
If you want to alter your /etc/sendmail.cf file, edit the linux.mc file in /etc/mail then do the m4 magic that turns all the various .mc files into the sendmail.cf file. I forget the syntax off the top of my head. I think that outta about cover it. Good luck... ...Kevin ------------------- Kevin Miller Registered Linux User No: 307357 CBJ MIS Dept. Network Systems Administrator, Mail Administrator 155 South Seward Street ph: (907) 586-0242 Juneau, Alaska 99801 fax: (907 586-4500 From greyhair at GREYHAIR.NET Wed Dec 10 17:32:36 2003 From: greyhair at GREYHAIR.NET (greyhair) Date: Thu Jan 12 21:21:29 2006 Subject: DNS based block lists and the like question. Message-ID: <3FD758B4.5050806@greyhair.net> Hi. If I use a dnsbl like SORBS (www.sorbs.net) in MailScanner, do I also need to set the same dnsbl in sendmail, or any MTA in general? If no, what happens if there is a dnsbl listing in the MTA? Thanks. greyhair From raymond at PROLOCATION.NET Wed Dec 10 17:41:20 2003 From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:21:29 2006 Subject: DNS based block lists and the like question. In-Reply-To: <3FD758B4.5050806@greyhair.net> Message-ID: Hi! > If I use a dnsbl like SORBS (www.sorbs.net) in MailScanner, do I also > need to set the same dnsbl in sendmail, or any MTA in general? If no, > what happens if there is a dnsbl listing in the MTA? If you block in your MTA you wont ever have any use of using the list in MailScanner, since you dont get those mails :) Bye, Raymond. From ugob at CAMO-ROUTE.COM Wed Dec 10 17:44:47 2003 
From: ugob at CAMO-ROUTE.COM (Ugo Bellavance)
Date: Thu Jan 12 21:21:29 2006
Subject: DNS based block lists and the like question.
Message-ID: <54C38A0B814C8E438EF73FC76F3629273AE285@mtlnt501fs.CAMOROUTE.COM>

> -----Original Message-----
> From: greyhair [mailto:greyhair@GREYHAIR.NET]
> Sent: Wednesday, December 10, 2003 12:33 PM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: DNS based block lists and the like question.
>
>
> Hi.
> If I use a dnsbl like SORBS (www.sorbs.net) in MailScanner, do I also
> need to set the same dnsbl in sendmail, or any MTA in general? If no,
> what happens if there is a dnsbl listing in the MTA?
>
> Thanks.
>
> greyhair
>

Block list in MTA: messages are not accepted
Block list in MS: messages are tagged and treated as spam
Block list in SA: messages are given an increased score.

CPU usage grows from MTA to SA, apparently.

From jones at ODENSE.KOLLEGIENET.DK Wed Dec 10 17:49:04 2003
From: jones at ODENSE.KOLLEGIENET.DK (Jonas Bardino)
Date: Thu Jan 12 21:21:30 2006
Subject: DNS based block lists and the like question.
In-Reply-To: <3FD758B4.5050806@greyhair.net>
References: <3FD758B4.5050806@greyhair.net>
Message-ID: <20031210174904.GA2723@bardino.dk>

* greyhair [Dec 10. 2003 18:33]:
> Hi.
> If I use a dnsbl like SORBS (www.sorbs.net) in MailScanner, do I also
> need to set the same dnsbl in sendmail, or any MTA in general? If no,
> what happens if there is a dnsbl listing in the MTA?
>
> Thanks.
>
> greyhair

That depends on what strategy you want to use with respect to rejecting messages. The FAQ at http://www.sng.ecs.soton.ac.uk/mailscanner/serve/cache/157.html may help you.

Kind regards, Jonas

From jfraley at glenraven.com Wed Dec 10 18:33:41 2003
From: jfraley at glenraven.com (Jon Fraley) Date: Thu Jan 12 21:21:30 2006 Subject: mailscanner Message-ID: <1071081220.2033.30.camel@jfraleyx.glenraven.com> I will be adding MailScanner to a server already running SpamAssassin 2.60 that has been running for awhile now. I am looking for the best way to integrate the two together. I would like to keep using the current config files and directories for SA if possible. Or, is it best to move all our stuff in local.cf to spam.assassin.prefs.conf? This is on a mail gateway so the bayes DB and auto-whitelist are at /home/stopspam/.spamassassin/. I definitely need to keep these as is. Do the setting in MailScanner.conf override what is in local.cf? I have gone through MailScanner.conf and am not sure exactly what needs to be set. Thanks, Jon From m.sapsed at BANGOR.AC.UK Wed Dec 10 18:36:30 2003 
From: m.sapsed at BANGOR.AC.UK (Martin Sapsed)
Date: Thu Jan 12 21:21:30 2006
Subject: Internet Explorer URL Display problem
Message-ID: <3FD767AE.2050006@bangor.ac.uk>

Hi all,

I've received this via the UK academic network security team.

--------------
An issue was identified yesterday with Internet Explorer and the way it displays URLs in the address bar.

From the original Bugtraq posting:

"By opening a window using the http://user@domain nomenclature an attacker can hide the real location of the page by including a 0x01 character after the "@" character. Internet Explorer doesn't display the rest of the URL making the page appear to be at a different domain."

Proof of Concept
http://www.zapthedingbat.com/security/ex01/vun1.htm

This is particularly pertinent given the recent spate of emails from fraudulent online banking sites, such as those pretending to be Natwest. This problem makes these types of scams a great deal harder for end users to spot, as it is now possible to have eg www.natwest.com appear in the address bar when the end user is looking at a fraudulent site.

There is as yet no fix from Microsoft for this issue, nor is there a workaround for Internet Explorer. As soon as one becomes available we'll let you know.
-------------

Would I be right in thinking that the only way MailScanner could do anything about this type of thing in an e-mail would be to use MCP or would a simple addition to the SpamAssassin rules do the trick? I guess though if you modify the normal SA rules you might end up marking it as Spam whereas actually, you want to identify it as malicious.

Any thoughts anyone?

Cheers,
Martin

--
Martin Sapsed
Information Services "Who do you say I am?"
University of Wales, Bangor Jesus of Nazareth

From mkettler at EVI-INC.COM Wed Dec 10 19:09:23 2003
From: mkettler at EVI-INC.COM (Matt Kettler) Date: Thu Jan 12 21:21:30 2006 Subject: Bayesian horrors In-Reply-To: References: Message-ID: <6.0.0.22.0.20031210140446.024a0a90@xanadu.evi-inc.com> At 08:23 AM 12/10/2003, Peter Bates wrote: >Firstly, is it possible my Bayes DB is corrupt, and if so, what do I >do? It's possible.. you can check it by doing a sa-learn -D --rebuild. If that can't successfully do a rebuild, delete the bayes_* files and start over. >Does SA use this 'User State Dir' to look for the Bayes DBs, or is that >tied to the 'bayes_path' setting in spam.assassin.prefs.conf? It's tied to bayes_path. By default, bayes_path is ~/.spamassasssin/bayes. Thus, on most MailScanner setups, the bayes DB winds up in root's home dir. You can force it someplace else, just be sure to RTFM about bayes_path.. it's important to know the last part isn't a directory, it's part of a filename. Thus ~/.spamassassin/bayes causes it to create ~/.spamasassin/bayes_toks, not ~/.spamassassin/bayes/bayes_toks. >And finally, should I upgrade to SA 2.61 anyway? If you're using bayes, yes.. the reduced memory footprint during expiry is VERY helpful at preventing SA from killing a server. From jacques at MONACO.NET Wed Dec 10 19:17:55 2003 
From: jacques at MONACO.NET (Jacques Caruso)
Date: Thu Jan 12 21:21:30 2006
Subject: Skipped; still being delivered - even in 4.25
In-Reply-To:
References:
Message-ID: <200312102017.55502.jacques@monaco.net>

On Wednesday 10 December 2003 16:49, John Wilcock wrote:
> Any other postfix users out there still seeing this?

Yes, indeed: apparently, it's the old "MailScanner picks mail in the wrong queue" bug that persists (have a look at my last message at ). For the moment, I've just set up a cron job to do a daily restart of MS, so it doesn't die and clog the incoming queue. But that's a real kludge.

If someone has an idea about what could be tried to mitigate the problem, I'm interested, too (else, I'll try to research the matter further, but this will have to wait for the moment)...

Greetings,

--
[ Jacques Caruso PHP Developer ]
[ Monaco Internet http://monaco-internet.mc/ ]
[ Tel: (+377) 93 10 00 43 PGP key: 0x41F5C63D ]
[ -*- When the finger points at the moon, the fool looks at the finger -*- ]

From jones at ODENSE.KOLLEGIENET.DK Wed Dec 10 19:28:42 2003
From: jones at ODENSE.KOLLEGIENET.DK (Jonas Bardino) Date: Thu Jan 12 21:21:30 2006 Subject: DoS, locale, spool file and unrar log noise In-Reply-To: <20031208195439.GI1461@bardino.dk> References: <20031208195439.GI1461@bardino.dk> Message-ID: <20031210192842.GB2723@bardino.dk> * Jonas Bardino [Dec 08. 2003 21:06]: > Hi! Hate to reply to my own mail, but we got a bit closer to the solution. --- cut: server specs --- > We keep getting a few DoS warnings every day about mails that appear to > be quite harmless: > Dec 7 14:55:10 cindy MailScanner[27894]: Commercial scanner clamav timed out! > Dec 7 14:55:10 cindy MailScanner[27894]: Virus Scanning: Denial Of Service attack detected! > (Btw, the clam developers may not like being called commercial :-) > Unfortunately the attachments aren't quarantined when that happens, so > it's a bit hard to reproduce the problem. Further analysis indicates that the quarantined message did in fact include a RAR file! It just didn't show up as a separate file in the quarantine dir. > According to a google search the default setting related to DoS checks are: > max-files = 500, max-size = 10000 (=10 MB), max-recursion = 5 > We tried increasing the DoS prevention arguments to ClamAV by adding the > following line in /etc/MailScanner/wrapper/clamav-wrapper: > ExtraScanOptions="--max-files=10000 --max-space=100000 --max-recursion=20 $ExtraScanOptions" > But we still see the DoS warnings. > Did anyone find a good way around that, or is it necessary to > completely disable the limits? Manual runs of "clamscan --mbox message" goes on forever unless the internal ClamAV unpacking functions are disabled. Therefore they have now been disabled in MailScanner by adding: ExtraScanOptions="--disable-archive $ExtraScanOptions" to /etc/MailScanner/wrapper/clamav-wrapper. So far it seems to have solved the "DoS warning" problem. Indeed it also removed the "RAR module failure" log entries. So that's one down, three to go. 
I still hope that someone can help with those or point us in the right direction. Thanks in advance! Kind regards, Jonas From chris at FRACTALWEB.COM Wed Dec 10 19:35:55 2003 From: chris at FRACTALWEB.COM (Chris Yuzik) Date: Thu Jan 12 21:21:30 2006 Subject: Internet Explorer URL Display problem In-Reply-To: <3FD767AE.2050006@bangor.ac.uk> References: <3FD767AE.2050006@bangor.ac.uk> Message-ID: <1431.24.83.44.30.1071084955.squirrel@www.fractalweb.com> > Would I be right in thinking that the only way MailScanner could do > anything about this type of thing in an e-mail would be to use MCP or > would a simple addition to the SpamAssassin rules do the trick? I guess > though if you modify the normal SA rules you might end up marking it as > Spam whereas actually, you want to identify it as malicious. I agree that this is a serious exploit indeed. It certainly wouldn't take a genius to build a site the looks "just like a specific bank" or "exactly like eBay" or "exactly like Visa" etc. I've known about the exploit for a while, but wasn't aware of the "%01" variation. Perhaps someone (Julian?) can create a patch that will restrict this exploit much the same way as MailScanner currently finds malicious I-Frame tags and such. I'm not certain if the regex would be as simple as searching for "\.[a-zA-Z]{2,3,4}%01@" within the body of a message, or if that would catch too much. It's frustrating that Microsoft, who has more cash than most countries, leaves its users open to things like this. It's interesting to note that Mozilla (1.5) doesn't display this vulnerability. Cheers, Chris Yuzik From mkettler at EVI-INC.COM Wed Dec 10 19:49:12 2003 
From: mkettler at EVI-INC.COM (Matt Kettler) Date: Thu Jan 12 21:21:30 2006 Subject: mailscanner In-Reply-To: <1071081220.2033.30.camel@jfraleyx.glenraven.com> References: <1071081220.2033.30.camel@jfraleyx.glenraven.com> Message-ID: <6.0.0.22.0.20031210144317.0251e4f0@xanadu.evi-inc.com> At 01:33 PM 12/10/2003, Jon Fraley wrote: >Or, is it best to move all our stuff in local.cf to >spam.assassin.prefs.conf? Don't bother. >Do the setting in MailScanner.conf override what is in local.cf? I have >gone through MailScanner.conf and am not sure exactly what needs to be >set. No, spam.assassin.prefs.conf replaces your user_prefs file, it does not replace local.cf. Personally I do most of my custom work at the user_prefs level, not the local.cf level. I like to use a non-prived users "user_prefs" file as a test-case for configurations. I make my edits to the user_prefs file, then run spamassassin --lint to make sure it runs clean, then do some test emails through the command-line tool. After I'm satisfied the tweaks work as expected, I su and copy that user_prefs over top of my spam.assassin.prefs.conf, and restart MailScanner. This gives me a great amount of "test and try" flexibility, but I do have to keep to the pattern, if I edit spam.assassin.prefs.conf directly, I then have to back-port those changes to the unprived user's user_prefs file.. but why would I ever want to load an untested conf file?? :) Since MS uses SA directly, it's not subject to the "no rules in user_prefs" restrictions imposed by spamd/spamc, so you can do custom rules this way. It also always uses the same user_prefs file, so provided it's only root writable, it's not a security concern. From dbird at SGHMS.AC.UK Wed Dec 10 19:46:29 2003 
From: dbird at SGHMS.AC.UK (Daniel Bird)
Date: Thu Jan 12 21:21:30 2006
Subject: Internet Explorer URL Display problem
In-Reply-To: <3FD767AE.2050006@bangor.ac.uk>
References: <3FD767AE.2050006@bangor.ac.uk>
Message-ID: <3FD77815.2070206@sghms.ac.uk>

Martin Sapsed wrote:

> Hi all,
>
> I've received this via the UK academic network security team.
>
>
>
> Any thoughts anyone?
>

Off the top of my head, could you not do a simple SA rule like so:

describe IE_VULN Body of email contains %01@ in a url
uri IE_VULN / %01@/
score IE_VULN 10.0

Which would look for that pattern in a url. Of course I could be wrong

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

From Antony at SOFT-SOLUTIONS.CO.UK Wed Dec 10 19:55:20 2003
From: Antony at SOFT-SOLUTIONS.CO.UK (Antony Stone)
Date: Thu Jan 12 21:21:30 2006
Subject: Internet Explorer URL Display problem
In-Reply-To: <3FD77815.2070206@sghms.ac.uk>
References: <3FD767AE.2050006@bangor.ac.uk> <3FD77815.2070206@sghms.ac.uk>
Message-ID: <200312101955.20491.Antony@Soft-Solutions.co.uk>

On Wednesday 10 December 2003 7:46 pm, Daniel Bird wrote:

> Off the top of my head, could you not do a simple SA rule like so:
>
> describe IE_VULN Body of email contains %01@ in a url
> uri IE_VULN / %01@/
> score IE_VULN 10.0
>
> Which would look for that pattern in a url.

The above isn't specific to finding the pattern in a URL - although admittedly I can't think of a valid reason why you'd expect to see a %01 anywhere, URL or not.

Note by the way that the original notification referred to the %01 being *after* the @ sign, not before it (before too many people go off and concoct various pattern matches for the wrong pattern!)

Antony.

--
Ramdisk is not an installation procedure.

Please reply to the list; please don't CC me.

From dbird at SGHMS.AC.UK Wed Dec 10 20:05:36 2003
From: dbird at SGHMS.AC.UK (Daniel Bird) Date: Thu Jan 12 21:21:30 2006 Subject: Internet Explorer URL Display problem In-Reply-To: <200312101955.20491.Antony@Soft-Solutions.co.uk> References: <3FD767AE.2050006@bangor.ac.uk> <3FD77815.2070206@sghms.ac.uk> <200312101955.20491.Antony@Soft-Solutions.co.uk> Message-ID: <3FD77C90.5060705@sghms.ac.uk> Antony Stone wrote: >On Wednesday 10 December 2003 7:46 pm, Daniel Bird wrote: > > > >>Off the top of my head, could you not do a simple SA rule like so: >> >>describe IE_VULN Body of email contains %01@ in a url >>uri IE_VULN / %01@/ >>score IE_VULN 10.0 >> >>Which would look for that pattern in a url. >> >> > >The above isn't specific to finding the pattern in a URL > Agreed > - although admittedly >I can't think of a valid reason why you'd expect to see a %01 anywhere, URL >or not. > >Note by the way that the original notification referred to the %01 being >*after* the @ sign, not before it (before too many people go off and concoct >various pattern matches for the wrong pattern!) > > Indeed, that's what I thought. But looking at the html source of the proof of concept, the following is used: Obviously the pattern could be extended to look for a-z,0-9 etc after the @ Dan >Antony. > >-- >Ramdisk is not an installation procedure. > > Please reply to the list; > please don't CC me. > > > -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From chris at FRACTALWEB.COM Wed Dec 10 20:10:09 2003 
From: chris at FRACTALWEB.COM (Chris Yuzik) Date: Thu Jan 12 21:21:30 2006 Subject: Internet Explorer URL Display problem In-Reply-To: <200312101955.20491.Antony@Soft-Solutions.co.uk> References: <3FD767AE.2050006@bangor.ac.uk> <3FD77815.2070206@sghms.ac.uk> <200312101955.20491.Antony@Soft-Solutions.co.uk> Message-ID: <1559.24.83.44.30.1071087009.squirrel@www.fractalweb.com> > On Wednesday 10 December 2003 7:46 pm, Antony wrote: > Note by the way that the original notification referred to the %01 being > *after* the @ sign, not before it (before too many people go off and > concoct various pattern matches for the wrong pattern!) I believe the *after* is a typo on the vulnerability proof of concept page. If you click the link or view the html source you'll note that the link goes to: http://www.microsoft.com%01@zapthedingbat.com/security/ex01/vun2.htm If you try it *after* the @ then it doesn't work at all. http://www.microsoft.com@%01zapthedingbat.com/security/ex01/vun2.htm Cheers, Chris From kevins at BMRB.CO.UK Wed Dec 10 20:10:58 2003 From: kevins at BMRB.CO.UK (Kevin Spicer) Date: Thu Jan 12 21:21:30 2006 Subject: Internet Explorer URL Display problem In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB00188B87C@pascal.priv.bmrb.co.uk> References: <5C0296D26910694BB9A9BBFC577E7AB00188B87C@pascal.priv.bmrb.co.uk> Message-ID: <1071087058.30309.86.camel@bach.kevinspicer.co.uk> On Wed, 2003-12-10 at 19:55, Antony Stone wrote: >Note by the way that the original notification referred to the %01 >being >*after* the @ sign, not before it (before too many people go off and >concoct >various pattern matches for the wrong pattern!) Yes, but the proof of concept has the %01 before the @. (I'm not sure which you were saying was wrong though). It is worth noting that since the %01 hides anything after it the @ need not follow immediately, for example www.amazon.com%01Iwantallyourmoney@www.evil.com From dbird at SGHMS.AC.UK Wed Dec 10 20:11:47 2003 
From: dbird at SGHMS.AC.UK (Daniel Bird) Date: Thu Jan 12 21:21:30 2006 Subject: Internet Explorer URL Display problem In-Reply-To: <3FD77C90.5060705@sghms.ac.uk> References: <3FD767AE.2050006@bangor.ac.uk> <3FD77815.2070206@sghms.ac.uk> <200312101955.20491.Antony@Soft-Solutions.co.uk> <3FD77C90.5060705@sghms.ac.uk> Message-ID: <3FD77E03.3010209@sghms.ac.uk> Daniel Bird wrote: > Antony Stone wrote: > >> On Wednesday 10 December 2003 7:46 pm, Daniel Bird wrote: >> >> >> >>> Off the top of my head, could you not do a simple SA rule like so: >>> >>> describe IE_VULN Body of email contains %01@ in a url >>> uri IE_VULN / %01@/ >>> score IE_VULN 10.0 >>> >>> Which would look for that pattern in a url. >>> >>> >> >> The above isn't specific to finding the pattern in a URL >> > Agreed > >> - although admittedly >> I can't think of a valid reason why you'd expect to see a %01 >> anywhere, URL >> or not. >> >> Note by the way that the original notification referred to the %01 being >> *after* the @ sign, not before it (before too many people go off and >> concoct >> various pattern matches for the wrong pattern!) >> >> > Indeed, that's what I thought. But looking at the html source of the > proof of concept, the following is used: > > > > Obviously the pattern could be extended to look for a-z,0-9 etc after > the @ Ignore the *'s in the above URL. My MUA decided to replace the bold with * (must have sent plain text only) sorry. Should be : http://www.microsoft.com%01@zapthedingbat.com/security/ex01/vun2.htm > > Dan > >> Antony. >> >> -- >> Ramdisk is not an installation procedure. >> >> Please reply to >> the list; >> please >> don't CC me. >> >> >> > > > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From mailscanner at ecs.soton.ac.uk Wed Dec 10 20:27:52 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:21:30 2006
Subject: Internet Explorer URL Display problem
In-Reply-To: <3FD77C90.5060705@sghms.ac.uk>
References: <3FD767AE.2050006@bangor.ac.uk> <3FD77815.2070206@sghms.ac.uk> <200312101955.20491.Antony@Soft-Solutions.co.uk> <3FD77C90.5060705@sghms.ac.uk>
Message-ID: <6.0.1.1.2.20031210202408.027e59f8@imap.ecs.soton.ac.uk>

At 20:05 10/12/2003, you wrote:
>Antony Stone wrote:
>>On Wednesday 10 December 2003 7:46 pm, Daniel Bird wrote:
>>>Off the top of my head, could you not do a simple SA rule like so:
>>>
>>>describe IE_VULN Body of email contains %01@ in a url
>>>uri IE_VULN / %01@/
>>>score IE_VULN 10.0
>>>
>>>Which would look for that pattern in a url.
>>>
>>
>>The above isn't specific to finding the pattern in a URL
>Agreed
>
>>- although admittedly
>>I can't think of a valid reason why you'd expect to see a %01 anywhere, URL
>>or not.
>>
>>Note by the way that the original notification referred to the %01 being
>>*after* the @ sign, not before it (before too many people go off and concoct
>>various pattern matches for the wrong pattern!)
>>
>Indeed, that's what I thought. But looking at the html source of the
>proof of concept, the following is used:
>
>
>
>Obviously the pattern could be extended to look for a-z,0-9 etc after the @

Should

uri IE_VULN /%01.*@/
score IE_VULN 10.0
describe IE_VULN Internet Explorer vulnerability

work?

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From dbird at SGHMS.AC.UK Wed Dec 10 20:25:08 2003
From: dbird at SGHMS.AC.UK (Daniel Bird)
Date: Thu Jan 12 21:21:30 2006
Subject: Internet Explorer URL Display problem
In-Reply-To: <1071087058.30309.86.camel@bach.kevinspicer.co.uk>
References: <5C0296D26910694BB9A9BBFC577E7AB00188B87C@pascal.priv.bmrb.co.uk> <1071087058.30309.86.camel@bach.kevinspicer.co.uk>
Message-ID: <3FD78124.2030101@sghms.ac.uk>

Kevin Spicer wrote:

>On Wed, 2003-12-10 at 19:55, Antony Stone wrote:
>
>>Note by the way that the original notification referred to the %01
>>being *after* the @ sign, not before it (before too many people go off
>>and concoct various pattern matches for the wrong pattern!)
>>
>
>Yes, but the proof of concept has the %01 before the @. (I'm not sure
>which you were saying was wrong though).
>
>It is worth noting that since the %01 hides anything after it the @ need
>not follow immediately, for example
>
>www.amazon.com%01Iwantallyourmoney@www.evil.com
>
>

so how about the regexp:

\%01.+@.+\

?

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

From ka at PACIFIC.NET Wed Dec 10 20:32:22 2003
From: ka at PACIFIC.NET (Ken Anderson)
Date: Thu Jan 12 21:21:30 2006
Subject: Internet Explorer URL Display problem
In-Reply-To: <3FD77C90.5060705@sghms.ac.uk>
References: <3FD767AE.2050006@bangor.ac.uk> <3FD77815.2070206@sghms.ac.uk> <200312101955.20491.Antony@Soft-Solutions.co.uk> <3FD77C90.5060705@sghms.ac.uk>
Message-ID: <3FD782D6.4050007@pacific.net>

So, combining the suggestions so far - are we getting close?

describe IE6_URL_VULN Body of email contains %01@ in a url
uri IE6_URL_VULN /\.[a-zA-Z]{2,4}%01\S+@/
score IE6_URL_VULN 10.0

Ken A.
Pacific.Net

Daniel Bird wrote:

> Antony Stone wrote:
>
>> On Wednesday 10 December 2003 7:46 pm, Daniel Bird wrote:
>>
>>> Off the top of my head, could you not do a simple SA rule like so:
>>>
>>> describe IE_VULN Body of email contains %01@ in a url
>>> uri IE_VULN / %01@/
>>> score IE_VULN 10.0
>>>
>>> Which would look for that pattern in a url.
>>>
>>
>> The above isn't specific to finding the pattern in a URL
>>
> Agreed
>
>> - although admittedly
>> I can't think of a valid reason why you'd expect to see a %01
>> anywhere, URL or not.
>>
>> Note by the way that the original notification referred to the %01 being
>> *after* the @ sign, not before it (before too many people go off and
>> concoct various pattern matches for the wrong pattern!)
>>
> Indeed, that's what I thought. But looking at the html source of the
> proof of concept, the following is used:
>
>
>
> Obviously the pattern could be extended to look for a-z,0-9 etc after the @
>
> Dan
>
>> Antony.
>>
>> --
>> Ramdisk is not an installation procedure.
>>
>> Please reply to the list;
>> please don't CC me.
>>
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
>

From ka at PACIFIC.NET Wed Dec 10 20:34:11 2003
From: ka at PACIFIC.NET (Ken Anderson)
Date: Thu Jan 12 21:21:30 2006
Subject: Internet Explorer URL Display problem
In-Reply-To: <3FD78124.2030101@sghms.ac.uk>
References: <5C0296D26910694BB9A9BBFC577E7AB00188B87C@pascal.priv.bmrb.co.uk> <1071087058.30309.86.camel@bach.kevinspicer.co.uk> <3FD78124.2030101@sghms.ac.uk>
Message-ID: <3FD78343.2020109@pacific.net>

Daniel Bird wrote:

> Kevin Spicer wrote:
>
>> On Wed, 2003-12-10 at 19:55, Antony Stone wrote:
>>
>>> Note by the way that the original notification referred to the %01 being
>>> *after* the @ sign, not before it (before too many people go off and concoct
>>> various pattern matches for the wrong pattern!)
>>>
>>
>> Yes, but the proof of concept has the %01 before the @. (I'm not sure
>> which you were saying was wrong though).
>>
>> It is worth noting that since the %01 hides anything after it the @ need
>> not follow immediately, for example
>>
>> www.amazon.com%01Iwantallyourmoney@www.evil.com
>>
>
> so how about the regexp:
>
> \%01.+@.+\
>
> ?

I think the .+ could gobble up quite a bit of text looking for an '@'

Ken A.
Pacific.Net

>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
>

From ka at PACIFIC.NET Wed Dec 10 20:37:59 2003
From: ka at PACIFIC.NET (Ken Anderson) Date: Thu Jan 12 21:21:30 2006 Subject: Internet Explorer URL Display problem In-Reply-To: <6.0.1.1.2.20031210202408.027e59f8@imap.ecs.soton.ac.uk> References: <3FD767AE.2050006@bangor.ac.uk> <3FD77815.2070206@sghms.ac.uk> <200312101955.20491.Antony@Soft-Solutions.co.uk> <3FD77C90.5060705@sghms.ac.uk> <6.0.1.1.2.20031210202408.027e59f8@imap.ecs.soton.ac.uk> Message-ID: <3FD78427.9050801@pacific.net> Julian Field wrote: > At 20:05 10/12/2003, you wrote: > >> Antony Stone wrote: >> >>> On Wednesday 10 December 2003 7:46 pm, Daniel Bird wrote: >>> >>>> Off the top of my head, could you not do a simple SA rule like so: >>>> >>>> describe IE_VULN Body of email contains %01@ in a url >>>> uri IE_VULN / %01@/ >>>> score IE_VULN 10.0 >>>> >>>> Which would look for that pattern in a url. >>>> >>> >>> The above isn't specific to finding the pattern in a URL >> >> Agreed >> >>> - although admittedly >>> I can't think of a valid reason why you'd expect to see a %01 >>> anywhere, URL >>> or not. >>> >>> Note by the way that the original notification referred to the %01 being >>> *after* the @ sign, not before it (before too many people go off and >>> concoct >>> various pattern matches for the wrong pattern!) >>> >> Indeed, that's what I thought. But looking at the html source of the >> proof of concept, the following is used: >> >> >> >> Obviously the pattern could be extended to look for a-z,0-9 etc after >> the @ > > > Should > > uri IE_VULN /%01.*@/ > score IE_VULN 10.0 > describe IE_VULN Internet Explorer vulnerability > > work? consider a recipe.. Add chemical X to a %01 solution of Sugar and Spice and Everything Nice Bake @ 400 degrees. Send off to capture Mojo Jo Jo. I think it would match. Ken A. 
> Julian Field > www.MailScanner.info > Professional Support Services at www.MailScanner.biz > MailScanner thanks transtec Computers for their support > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > > From Antony at SOFT-SOLUTIONS.CO.UK Wed Dec 10 20:39:13 2003 From: Antony at SOFT-SOLUTIONS.CO.UK (Antony Stone) Date: Thu Jan 12 21:21:30 2006 Subject: Internet Explorer URL Display problem In-Reply-To: <3FD78343.2020109@pacific.net> References: <5C0296D26910694BB9A9BBFC577E7AB00188B87C@pascal.priv.bmrb.co.uk> <3FD78124.2030101@sghms.ac.uk> <3FD78343.2020109@pacific.net> Message-ID: <200312102039.13075.Antony@Soft-Solutions.co.uk> On Wednesday 10 December 2003 8:34 pm, Ken Anderson wrote: > Daniel Bird wrote: > > > so how about the regexp: > > > > \%01.+@.+\ > > > > ? > > I think the .+ could gobble up quite a bit of text looking for an '@' Good point. Depends how likely it is you'll find the opening %01 in the first place. Could form the basis of a DoS attack, though. Antony. -- RTFM may be the appropriate reply, but please specify exactly which FM to R. Please reply to the list; please don't CC me. From dbird at SGHMS.AC.UK Wed Dec 10 20:40:19 2003 
From: dbird at SGHMS.AC.UK (Daniel Bird) Date: Thu Jan 12 21:21:30 2006 Subject: Internet Explorer URL Display problem In-Reply-To: <3FD782D6.4050007@pacific.net> References: <3FD767AE.2050006@bangor.ac.uk> <3FD77815.2070206@sghms.ac.uk> <200312101955.20491.Antony@Soft-Solutions.co.uk> <3FD77C90.5060705@sghms.ac.uk> <3FD782D6.4050007@pacific.net> Message-ID: <3FD784B3.5090204@sghms.ac.uk> Ken Anderson wrote: > So, combining the suggestions so far - are we getting close? > > describe IE6_URL_VULN Body of email contains %01@ in a url > uri IE6_URL_VULN /\.[a-zA-Z]{2,4}%01\S+@/ > score IE6_URL_VULN 10.0 Just ran that through Regex coach and could not find any false matches, or character combos that would be missed, so I say yay! Dan > > Ken A. > Pacific.Net > > Daniel Bird wrote: > >> Antony Stone wrote: >> >>> On Wednesday 10 December 2003 7:46 pm, Daniel Bird wrote: >>> >>> >>> >>>> Off the top of my head, could you not do a simple SA rule like so: >>>> >>>> describe IE_VULN Body of email contains %01@ in a url >>>> uri IE_VULN / %01@/ >>>> score IE_VULN 10.0 >>>> >>>> Which would look for that pattern in a url. >>>> >>>> >>> >>> The above isn't specific to finding the pattern in a URL >>> >> Agreed >> >>> - although admittedly >>> I can't think of a valid reason why you'd expect to see a %01 >>> anywhere, URL >>> or not. >>> >>> Note by the way that the original notification referred to the %01 >>> being >>> *after* the @ sign, not before it (before too many people go off and >>> concoct >>> various pattern matches for the wrong pattern!) >>> >>> >> Indeed, that's what I thought. But looking at the html source of the >> proof of concept, the following is used: >> >> >> >> Obviously the pattern could be extended to look for a-z,0-9 etc after >> the @ >> >> Dan >> >>> Antony. >>> >>> -- >>> Ramdisk is not an installation procedure. >>> >>> Please reply to >>> the list; >>> please don't >>> CC me. 
>>> >>> >>> >> >> >> >> -- >> This message has been scanned for viruses and >> dangerous content by MailScanner, and is >> believed to be clean. >> >> > -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From mailscanner at ecs.soton.ac.uk Wed Dec 10 20:50:51 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:30 2006 Subject: Internet Explorer URL Display problem In-Reply-To: <3FD78427.9050801@pacific.net> References: <3FD767AE.2050006@bangor.ac.uk> <3FD77815.2070206@sghms.ac.uk> <200312101955.20491.Antony@Soft-Solutions.co.uk> <3FD77C90.5060705@sghms.ac.uk> <6.0.1.1.2.20031210202408.027e59f8@imap.ecs.soton.ac.uk> <3FD78427.9050801@pacific.net> Message-ID: <6.0.1.1.2.20031210204536.027d22b0@imap.ecs.soton.ac.uk> At 20:37 10/12/2003, you wrote: >Julian Field wrote: > >>At 20:05 10/12/2003, you wrote: >> >>>Antony Stone wrote: >>> >>>>On Wednesday 10 December 2003 7:46 pm, Daniel Bird wrote: >>>> >>>>>Off the top of my head, could you not do a simple SA rule like so: >>>>> >>>>>describe IE_VULN Body of email contains %01@ in a url >>>>>uri IE_VULN / %01@/ >>>>>score IE_VULN 10.0 >>>>> >>>>>Which would look for that pattern in a url. >>>> >>>>The above isn't specific to finding the pattern in a URL >>> >>>Agreed >>> >>>>- although admittedly >>>>I can't think of a valid reason why you'd expect to see a %01 >>>>anywhere, URL >>>>or not. >>>> >>>>Note by the way that the original notification referred to the %01 being >>>>*after* the @ sign, not before it (before too many people go off and >>>>concoct >>>>various pattern matches for the wrong pattern!) >>>Indeed, that's what I thought. But looking at the html source of the >>>proof of concept, the following is used: >>> >>> >>> >>>Obviously the pattern could be extended to look for a-z,0-9 etc after >>>the @ >> >> >>Should >> >>uri IE_VULN /%01.*@/ >>score IE_VULN 10.0 >>describe IE_VULN Internet Explorer vulnerability >> >>work? > >consider a recipe.. > >Add chemical X to a %01 solution of Sugar and Spice and Everything Nice >Bake @ 400 degrees. >Send off to capture Mojo Jo Jo. > >I think it would match. No it shouldn't. That's why I made it a URI test and not just a body or rawbody test. 
From the SA docs: The 'uri' in this case is a list of all the URIs in the body of the email, and the test will be run on each and every one of those URIs, adjusting the score if a match is found. Use this test instead of one of the body tests when you need to match a URI, as it is more accurately bound to the start/end points of the URI, and will also be faster. And it needs to be a * and not a + as you don't need any text between %01 and @. I don't see the need to try to match a country code before the %01 either, what happens when they put in a space %20 or other unprintable (or nearly invisible) character? I feel you are adding restrictions to the test, which the hacker can easily work around. -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Wed Dec 10 20:53:41 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:30 2006 Subject: Internet Explorer URL Display problem In-Reply-To: <3FD784B3.5090204@sghms.ac.uk> References: <3FD767AE.2050006@bangor.ac.uk> <3FD77815.2070206@sghms.ac.uk> <200312101955.20491.Antony@Soft-Solutions.co.uk> <3FD77C90.5060705@sghms.ac.uk> <3FD782D6.4050007@pacific.net> <3FD784B3.5090204@sghms.ac.uk> Message-ID: <6.0.1.1.2.20031210205221.0287fad8@imap.ecs.soton.ac.uk> At 20:40 10/12/2003, you wrote: >Ken Anderson wrote: > >>So, combining the suggestions so far - are we getting close? >> >>describe IE6_URL_VULN Body of email contains %01@ in a url >>uri IE6_URL_VULN /\.[a-zA-Z]{2,4}%01\S+@/ >>score IE6_URL_VULN 10.0 > >Just ran that through Regex coach and could not find any false matches, >or character combos that would be missed, so I say yay! How about this: http://www.microsoft.com%20%01%20@nasty.hacker.com/hohoho That will appear to be http://www.microsoft.com and yet you won't catch it. >Dan > >> >>Ken A. >>Pacific.Net >> >>Daniel Bird wrote: >> >>>Antony Stone wrote: >>> >>>>On Wednesday 10 December 2003 7:46 pm, Daniel Bird wrote: >>>> >>>> >>>> >>>>>Off the top of my head, could you not do a simple SA rule like so: >>>>> >>>>>describe IE_VULN Body of email contains %01@ in a url >>>>>uri IE_VULN / %01@/ >>>>>score IE_VULN 10.0 >>>>> >>>>>Which would look for that pattern in a url. >>>>> >>>> >>>>The above isn't specific to finding the pattern in a URL >>>Agreed >>> >>>>- although admittedly >>>>I can't think of a valid reason why you'd expect to see a %01 >>>>anywhere, URL >>>>or not. >>>> >>>>Note by the way that the original notification referred to the %01 >>>>being >>>>*after* the @ sign, not before it (before too many people go off and >>>>concoct >>>>various pattern matches for the wrong pattern!) >>>> >>>Indeed, that's what I thought. 
But looking at the html source of the >>>proof of concept, the following is used: >>> >>> >>> >>>Obviously the pattern could be extended to look for a-z,0-9 etc after >>>the @ >>> >>>Dan >>> >>>>Antony. >>>> >>>>-- >>>>Ramdisk is not an installation procedure. >>>> >>>> Please reply to >>>>the list; >>>> please don't >>>>CC me. >>>> >>>> >>> >>> >>> >>>-- >>>This message has been scanned for viruses and >>>dangerous content by MailScanner, and is >>>believed to be clean. >>> > > > >-- >This message has been scanned for viruses and >dangerous content by MailScanner, and is >believed to be clean. -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From chris at fractalweb.com Wed Dec 10 20:52:23 2003 
From: chris at FRACTALWEB.COM (Chris Yuzik) Date: Thu Jan 12 21:21:30 2006 Subject: Internet Explorer URL Display problem In-Reply-To: <6.0.1.1.2.20031210202408.027e59f8@imap.ecs.soton.ac.uk> References: <3FD767AE.2050006@bangor.ac.uk> <3FD77815.2070206@sghms.ac.uk> <200312101955.20491.Antony@Soft-Solutions.co.uk> <3FD77C90.5060705@sghms.ac.uk> <6.0.1.1.2.20031210202408.027e59f8@imap.ecs.soton.ac.uk> Message-ID: <1587.24.83.44.30.1071089543.squirrel@www.fractalweb.com> > At 20:05 10/12/2003, you wrote: > Should > > uri IE_VULN /%01.*@/ > score IE_VULN 10.0 > describe IE_VULN Internet Explorer vulnerability > > work? Julian, Wouldn't this only mark the message as spam? Maybe I'm alone on this, but I think that this presents a far more serious threat than just spam. If someone opens the spam anyways and sees a message from their bank, requesting verification of online banking information, they might be tempted to follow the links AND complain to me that this important message from their bank was marked as spam. My thought is that this should fall under the same general area of the flowchart as the I-Frame exploits, if possible. Your thoughts? Chris From ka at PACIFIC.NET Wed Dec 10 20:59:13 2003 
From: ka at PACIFIC.NET (Ken Anderson) Date: Thu Jan 12 21:21:30 2006 Subject: Internet Explorer URL Display problem In-Reply-To: <6.0.1.1.2.20031210204536.027d22b0@imap.ecs.soton.ac.uk> References: <3FD767AE.2050006@bangor.ac.uk> <3FD77815.2070206@sghms.ac.uk> <200312101955.20491.Antony@Soft-Solutions.co.uk> <3FD77C90.5060705@sghms.ac.uk> <6.0.1.1.2.20031210202408.027e59f8@imap.ecs.soton.ac.uk> <3FD78427.9050801@pacific.net> <6.0.1.1.2.20031210204536.027d22b0@imap.ecs.soton.ac.uk> Message-ID: <3FD78921.3060603@pacific.net> Julian Field wrote: > At 20:37 10/12/2003, you wrote: > >> Julian Field wrote: >> >>> At 20:05 10/12/2003, you wrote: >>> >>>> Antony Stone wrote: >>>> >>>>> On Wednesday 10 December 2003 7:46 pm, Daniel Bird wrote: >>>>> >>>>>> Off the top of my head, could you not do a simple SA rule like so: >>>>>> >>>>>> describe IE_VULN Body of email contains %01@ in a url >>>>>> uri IE_VULN / %01@/ >>>>>> score IE_VULN 10.0 >>>>>> >>>>>> Which would look for that pattern in a url. >>>>> >>>>> >>>>> The above isn't specific to finding the pattern in a URL >>>> >>>> >>>> Agreed >>>> >>>>> - although admittedly >>>>> I can't think of a valid reason why you'd expect to see a %01 >>>>> anywhere, URL >>>>> or not. >>>>> >>>>> Note by the way that the original notification referred to the %01 >>>>> being >>>>> *after* the @ sign, not before it (before too many people go off and >>>>> concoct >>>>> various pattern matches for the wrong pattern!) >>>> >>>> Indeed, that's what I thought. But looking at the html source of the >>>> proof of concept, the following is used: >>>> >>>> >>>> >>>> Obviously the pattern could be extended to look for a-z,0-9 etc after >>>> the @ >>> >>> >>> >>> Should >>> >>> uri IE_VULN /%01.*@/ >>> score IE_VULN 10.0 >>> describe IE_VULN Internet Explorer vulnerability >>> >>> work? >> >> >> consider a recipe.. >> >> Add chemical X to a %01 solution of Sugar and Spice and Everything Nice >> Bake @ 400 degrees. 
>> Send off to capture Mojo Jo Jo. >> >> I think it would match. > > > No it shouldn't. > That's why I made it a URI test and not just a body or rawbody test. From > the SA docs: > The 'uri' in this case is a list of all the URIs in the body > of the > email, and the test will be run on each and every one of those > URIs, adjusting the score if a match is found. Use this test > instead of one of the body tests when you need to match a > URI, as > it is more accurately bound to the start/end points of the > URI, and > will also be faster. > And it needs to be a * and not a + as you don't need any text between %01 > and @. I don't see the need to try to match a country code before the %01 > either, what happens when they put in a space %20 or other unprintable (or > nearly invisible) character? I feel you are adding restrictions to the > test, which the hacker can easily work around. Good catch! Thanks for the info about uri test. Ken A. Pacific.Net > Julian Field > www.MailScanner.info > Professional Support Services at www.MailScanner.biz > MailScanner thanks transtec Computers for their support > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > > From dbird at SGHMS.AC.UK Wed Dec 10 20:58:55 2003 
From: dbird at SGHMS.AC.UK (Daniel Bird)
Date: Thu Jan 12 21:21:30 2006
Subject: Internet Explorer URL Display problem
In-Reply-To: <6.0.1.1.2.20031210205221.0287fad8@imap.ecs.soton.ac.uk>
References: <3FD767AE.2050006@bangor.ac.uk> <3FD77815.2070206@sghms.ac.uk> <200312101955.20491.Antony@Soft-Solutions.co.uk> <3FD77C90.5060705@sghms.ac.uk> <3FD782D6.4050007@pacific.net> <3FD784B3.5090204@sghms.ac.uk> <6.0.1.1.2.20031210205221.0287fad8@imap.ecs.soton.ac.uk>
Message-ID: <3FD7890F.5050107@sghms.ac.uk>

Julian Field wrote:

> At 20:40 10/12/2003, you wrote:
>
>> Ken Anderson wrote:
>>
>>> So, combining the suggestions so far - are we getting close?
>>>
>>> describe IE6_URL_VULN Body of email contains %01@ in a url
>>> uri IE6_URL_VULN /\.[a-zA-Z]{2,4}%01\S+@/
>>> score IE6_URL_VULN 10.0
>>
>>
>> Just ran that through Regex coach and could not find any false matches,
>> or character combos that would be missed, so I say yay!
>
>
> How about this:
> http://www.microsoft.com%20%01%20@nasty.hacker.com/hohoho
> That will appear to be
> http://www.microsoft.com
> and yet you won't catch it.
>
>

Yep, just worked that one out! I think the URI match on your original rule would be best:

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From dbird at SGHMS.AC.UK Wed Dec 10 21:05:04 2003
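The three candidate rules from this thread, compared side by side. This is an added example, not code from any poster or from SpamAssassin: a small Python harness that runs each proposed pattern over the URLs quoted in the thread, once as a `uri`-style test and once as a body-style test. The URI extractor and the whitespace-collapsing body test are simplified assumptions standing in for SpamAssassin's own handling, the `_v1`/`_v2` suffixes are labels added here, and two of the sample URLs are constructed.

```python
import re

# Candidate patterns copied from the rules proposed in the thread.
# The "_v1"/"_v2" suffixes are labels added here, because the thread
# reuses the name IE_VULN for two different patterns.
RULES = {
    "IE_VULN_v1": r" %01@",                      # uri IE_VULN / %01@/
    "IE6_URL_VULN": r"\.[a-zA-Z]{2,4}%01\S+@",   # combined suggestion
    "IE_VULN_v2": r"%01.*@",                     # uri IE_VULN /%01.*@/
}

# Assumption: a simplified stand-in for SpamAssassin's URI extraction.
# It takes scheme-prefixed or www.-prefixed runs of non-space characters.
URI_RE = re.compile(r"(?:https?://|www\.)[^\s<>]+", re.IGNORECASE)

# "hidden_text", "padded" and "recipe" are quoted from the thread;
# "bare" and "benign_userinfo" are constructed for this example.
SAMPLES = {
    "hidden_text": "www.amazon.com%01Iwantallyourmoney@www.evil.com",
    "padded": "http://www.microsoft.com%20%01%20@nasty.hacker.com/hohoho",
    "bare": "http://www.example.com%01@host.invalid/",
    "benign_userinfo": "http://user@ftp.example.org/pub",
    "recipe": (
        "Add chemical X to a %01 solution of Sugar and Spice and "
        "Everything Nice\nBake @ 400 degrees.\n"
        "Send off to capture Mojo Jo Jo."
    ),
}


def extract_uris(body):
    """Return the URIs found in a message body (simplified extraction)."""
    return URI_RE.findall(body)


def uri_rule_hits(pattern, body):
    """Emulate a `uri` rule: apply the regex to each URI on its own."""
    rx = re.compile(pattern)
    return [u for u in extract_uris(body) if rx.search(u)]


def body_rule_hits(pattern, body):
    """Emulate a body-style rule over the whole text.

    Assumption: line breaks inside a paragraph are collapsed to single
    spaces before matching, so a pattern can span wrapped lines.
    """
    flat = " ".join(body.split())
    return re.search(pattern, flat) is not None


def evaluate():
    """Return {rule: {sample: (uri_match, body_match)}}."""
    return {
        name: {
            label: (bool(uri_rule_hits(rx, text)), body_rule_hits(rx, text))
            for label, text in SAMPLES.items()
        }
        for name, rx in RULES.items()
    }


if __name__ == "__main__":
    for rule, row in evaluate().items():
        print(rule)
        for label, (as_uri, as_body) in row.items():
            print(f"  {label:16s} uri={as_uri!s:5s} body={as_body}")
```

Only /%01.*@/ catches all three spoofed URLs, and it matches the recipe text only when applied as a body test, which is the reason given in the thread for keeping it a `uri` rule.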
From: dbird at SGHMS.AC.UK (Daniel Bird)
Date: Thu Jan 12 21:21:30 2006
Subject: Internet Explorer URL Display problem
In-Reply-To: <1587.24.83.44.30.1071089543.squirrel@www.fractalweb.com>
References: <3FD767AE.2050006@bangor.ac.uk> <3FD77815.2070206@sghms.ac.uk> <200312101955.20491.Antony@Soft-Solutions.co.uk> <3FD77C90.5060705@sghms.ac.uk> <6.0.1.1.2.20031210202408.027e59f8@imap.ecs.soton.ac.uk> <1587.24.83.44.30.1071089543.squirrel@www.fractalweb.com>
Message-ID: <3FD78A80.9030109@sghms.ac.uk>

Chris Yuzik wrote:

>>At 20:05 10/12/2003, you wrote:
>>
>>Should
>>
>>uri IE_VULN /%01.*@/
>>score IE_VULN 10.0
>>describe IE_VULN Internet Explorer vulnerability
>>
>>work?
>>
>
>Julian,
>
>Wouldn't this only mark the message as spam? Maybe I'm alone on this, but
>I think that this presents a far more serious threat than just spam. If
>someone opens the spam anyways and sees a message from their bank,
>requesting verification of online banking information, they might be
>tempted to follow the links AND complain to me that this important message
>from their bank was marked as spam.
>
>My thought is that this should fall under the same general area of the
>flowchart as the I-Frame exploits, if possible.
>
>Your thoughts?
>

My 2 pennith: If a rule in SA can catch it (without FPs), it can simply be scored really high (say 100) and just run the high scoring spam actions on it. For us that would be no notifications, nada. I can see a reason for something similar to the IFrame stuff if you wanted MS to do other stuff with it, like rule sets etc, but this you really want bin.

Dan

>Chris
>

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From mailscanner at ecs.soton.ac.uk Wed Dec 10 21:22:49 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:30 2006 Subject: Internet Explorer URL Display problem In-Reply-To: <1587.24.83.44.30.1071089543.squirrel@www.fractalweb.com> References: <3FD767AE.2050006@bangor.ac.uk> <3FD77815.2070206@sghms.ac.uk> <200312101955.20491.Antony@Soft-Solutions.co.uk> <3FD77C90.5060705@sghms.ac.uk> <6.0.1.1.2.20031210202408.027e59f8@imap.ecs.soton.ac.uk> <1587.24.83.44.30.1071089543.squirrel@www.fractalweb.com> Message-ID: <6.0.1.1.2.20031210211659.027caaf0@imap.ecs.soton.ac.uk> At 20:52 10/12/2003, you wrote: > > At 20:05 10/12/2003, you wrote: > > > Should > > > > uri IE_VULN /%01.*@/ > > score IE_VULN 10.0 > > describe IE_VULN Internet Explorer vulnerability > > > > work? > >Julian, > >Wouldn't this only mark the message as spam? Maybe I'm alone on this, but >I think that this presents a far more serious threat than just spam. If >someone opens the spam anyways and sees a message from their bank, >requesting verification of online banking information, they might be >tempted to follow the links AND complain to me that this important message >from their bank was marked as spam. > >My thought is that this should fall under the same general area of the >flowchart as the I-Frame exploits, if possible. I don't want to do what SA already does very well, nor do I want to write code that is part of the arms race, I've probably done too much of that already. So I would prefer SA to do this. Maybe it is time to "plug" MCP rather more, and do more testing of it. From the people who have tried it, does it work? I am particularly interested in hearing if you have had problems making MCP and the normal SA code work together. There's a bug in SA that I haven't found yet that causes problems here. I *believe* I have worked around it, but I'm not sure. There's a performance hit in running them both because of this bug. 
For docs on MCP, see www.sng.ecs.soton.ac.uk/mailscanner/install/mcp

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From pete at eatathome.com.au Wed Dec 10 21:22:25 2003
From: pete at eatathome.com.au (Pete)
Date: Thu Jan 12 21:21:30 2006
Subject: Slackware 9.1, Postfix, and MailScanner
In-Reply-To: <2B1F39EA56FA7643A328F66521D41B760EAC@magellan.nesbitt.local>
References: <2B1F39EA56FA7643A328F66521D41B760EAC@magellan.nesbitt.local>
Message-ID: <3FD78E91.2070106@eatathome.com.au>

Collins, Kevin wrote:

>>I am no expert - but it looks like you are sending mail from
>>the local machine - mailscanner won't be scanning this mail -
>>get a mail client on another machine, make the outbound SMTP
>>addy your mailscanner machine and send your new mail - have a
>>tail -f /var/yourlogfilepath console running to watch what happens.
>>
>
>Thanks for replying. Yes you're right, I was sending from the local
>machine. I was not aware that MailScanner wouldn't scan e-mails when
>delivered this way - you live and learn.
>
>So I set up a machine on my LAN that uses "Freedom" (my new MS Box) as an
>SMTP host, and I've been able to verify that MailScanner is actually
>working.
>
>Thanks for your help.
>
>Kevin
>

So glad I was able to help - have received so much help from folks on here and really happy I was able to assist someone else :)

Pete

From pete at eatathome.com.au Wed Dec 10 21:36:05 2003
From: pete at eatathome.com.au (Pete)
Date: Thu Jan 12 21:21:30 2006
Subject: Effort to manage MailScanner
Message-ID: <3FD791C5.2010102@eatathome.com.au>

Sorry I couldn't think of a better subject heading.

I have had MS running now for a full month and it appears to be working perfectly - in our org we cannot be too aggressive as false positives would draw a lot of criticism, so I have used almost default settings, but we get no UCEs delivered to staff or students and have had only one false positive so far.

We have 600-700 mail accounts but only receive 1500 emails a day, %30 being spam.

I have noticed on these forums a lot of people spending a lot of time changing settings, adding RBLs, upgrading every new release or beta and I wanted to know what benefits these folks receive vs their effort - it's starting to make me feel like I should be upgrading to latest too - except I don't want to have my head buried in MS config every day for the next month - I thought this an install, config and forget type system, which is how I have been treating it (though I check quarantine daily at the moment), are you guys getting some benefit that I am not, or is it because you have far greater volumes of mail that you get more spam through MS and have to work harder to stop it?

I suppose it's my cautious, no downtime nature that keeps us a few versions behind with almost all of my systems...

From ka at PACIFIC.NET Wed Dec 10 21:57:03 2003
From: ka at PACIFIC.NET (Ken Anderson)
Date: Thu Jan 12 21:21:30 2006
Subject: Effort to manage MailScanner
In-Reply-To: <3FD791C5.2010102@eatathome.com.au>
References: <3FD791C5.2010102@eatathome.com.au>
Message-ID: <3FD796AF.2030107@pacific.net>

Pete wrote:

> Sorry I couldn't think of a better subject heading.
>
> I have had MS running now for a full month and it appears to be working
> perfectly - in our org we cannot be too aggressive as false positives
> would draw a lot of criticism, so I have used almost default settings, but we
> get no UCEs delivered to staff or students and have had only one false
> positive so far.
>
> We have 600-700 mail accounts but only receive 1500 emails a day, %30
> being spam.
>
> I have noticed on these forums a lot of people spending a lot of time
> changing settings, adding RBLs, upgrading every new release or beta and
> I wanted to know what benefits these folks receive vs their effort -
> it's starting to make me feel like I should be upgrading to latest too -
> except I don't want to have my head buried in MS config every day for the
> next month - I thought this an install, config and forget type system,
> which is how I have been treating it (though I check quarantine daily
> at the moment), are you guys getting some benefit that I am not, or is
> it because you have far greater volumes of mail that you get more spam
> through MS and have to work harder to stop it?
>
> I suppose it's my cautious, no downtime nature that keeps us a few
> versions behind with almost all of my systems...
>
>

"If it ain't broke, don't fix it" and "The squeaky wheel gets the grease" and other similar sayings apply to most open source software and related email lists respectively.

MailScanner is a great piece of software, and your experience is a good testimony to that. The list is populated by people who love this stuff, love adding features and making tweaks to make MS work better in a given environment.
If you have a problem, you can find the answer here. Sometimes it's necessary to make performance tweaks, but it's probably a waste of your time if you are just scanning 1500 emails a day. We scan 600,000 messages a day using 2 machines and get about 50% spam. Performance tweaks are important! But, we don't upgrade unless there's a new feature in MS we need, a new SA version. Ken A. Pacific.Net From mailscanner at ecs.soton.ac.uk Thu Dec 11 08:22:24 2003 From: mailscanner at ecs.soton.ac.uk (mailscanner@ecs.soton.ac.uk) Date: Thu Jan 12 21:21:30 2006 Subject: NOTIFY-New Guestbook Entry Message-ID: <200312110822.hBB8MOOa006991@seer.ecs.soton.ac.uk> New Guestbook-Entry from Wayne MailScanner unable detect the zip file viruses From greyhair at GREYHAIR.NET Wed Dec 10 22:07:14 2003 From: greyhair at GREYHAIR.NET (greyhair) Date: Thu Jan 12 21:21:30 2006 Subject: DNS based block lists and the like question. In-Reply-To: <20031210174904.GA2723@bardino.dk> References: <3FD758B4.5050806@greyhair.net> <20031210174904.GA2723@bardino.dk> Message-ID: <3FD79912.3060506@greyhair.net> Thanks to you all that responded!! I love this list for their quick, accurate and friendly responses! Thanks again, It really helps. greyhair. Jonas Bardino wrote: >* greyhair [Dec 10. 2003 18:33]: > > >>Hi. >> If I use a dnsbl like SORBS (www.sorbs.net) in MailScanner, do I also >>need to set the same dnsbl in sendmail, or any MTA in general? If no, >>what happens if there is a dnsbl listing in the MTA? >> >>Thanks. >> >>greyhair >> >> > >That depends on what strategy you wan't to use with respect to rejecting >messages. > >The FAQ at >http://www.sng.ecs.soton.ac.uk/mailscanner/serve/cache/157.html >may help you. > >Kind regards, Jonas > > > > From brian at SOLUSCORP.COM Wed Dec 10 08:37:05 2003 
From: brian at SOLUSCORP.COM (Brian Wells) Date: Thu Jan 12 21:21:30 2006 Subject: Blacklist file changes getting removed by something Message-ID: <076001c3bef8$cb44dac0$d700600a@merlintest.net> Hi, Much to my annoyance, I noticed after I had entered by hand a bunch of hosts to my blacklist file, that my changes had been removed and a new blacklist file was in place. Looking at the timestamp on the file, it is getting replaced once an hour. I searched quite a bit for an explanation for this behaviour. Something like the auto whitelist feature except for the blacklist file. But I could not find anything. Does anyone have an explanation for this and how to turn it off? Thanks, Brian Wells Merlin Internet Solutions -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20031210/6668457c/attachment.html From Antony at SOFT-SOLUTIONS.CO.UK Wed Dec 10 23:30:41 2003 
From: Antony at SOFT-SOLUTIONS.CO.UK (Antony Stone) Date: Thu Jan 12 21:21:30 2006 Subject: Blacklist file changes getting removed by something In-Reply-To: <076001c3bef8$cb44dac0$d700600a@merlintest.net> References: <076001c3bef8$cb44dac0$d700600a@merlintest.net> Message-ID: <200312102330.41858.Antony@Soft-Solutions.co.uk> On Wednesday 10 December 2003 8:37 am, Brian Wells wrote: > Hi, > > Much to my annoyance, I noticed after I had entered by hand a bunch of > hosts to my blacklist file, that my changes had been removed and a new > blacklist file was in place. Looking at the timestamp on the file, it is > getting replaced once an hour. > > I searched quite a bit for an explanation for this behaviour. Something > like the auto whitelist feature except for the blacklist file. But I could > not find anything. Does anyone have an explanation for this and how to > turn it off? Does the timestamp on the file coincide with any cron jobs you have running? Antony -- Software development can be quick, high quality, or low cost. The customer gets to pick any two out of three. Please reply to the list; please don't CC me. From john at TRADOC.FR Thu Dec 11 08:04:24 2003 
From: john at TRADOC.FR (John Wilcock)
Date: Thu Jan 12 21:21:30 2006
Subject: Skipped; still being delivered - even in 4.25
In-Reply-To: <200312102017.55502.jacques@monaco.net>
References: <200312102017.55502.jacques@monaco.net>
Message-ID:

On Wed, 10 Dec 2003 20:17:55 +0100, Jacques Caruso wrote:

> Yes, indeed : apparently, it's the old « MailScanner picks mail in the
> wrong queue » bug that persists (have a look at my last message at
> ).

I don't see MS dying as described in that message. I simply (very occasionally) get duplicate mails - usually one with a body and one without, though I have seen cases where both copies have a body - during otherwise normal MS operation. The dupes correspond to a postfix "Skipped, still being delivered" message in the logs.

John.

--
-- Over 2000 webcams from ski resorts around the world - www.snoweye.com
-- Translate your technical documents and web pages - www.tradoc.fr

From harryh at CET.COM Thu Dec 11 10:36:12 2003
From: harryh at CET.COM (Harry Hanson) Date: Thu Jan 12 21:21:30 2006 Subject: Skipping queue run -- load average too high In-Reply-To: <3FD6E2C6.1080902@solid-state-logic.com> Message-ID: <200312111036.hBBAaifX031425@fili.jiscmail.ac.uk> > hmm seems to be page faulting quite a bit, which is unusual > for something relatively high CPU/memory wise. > > what checks have you got on SA and MS? Esp what checks are > running for RBL's and pyzor? During that time SA was disabled. Most MS settings are default, as I felt it best to ask for advice from this list before making any changes. RBL's are not being used via mailscanner; they are rejected by sendmail, so those that are listed don't even make it thru MA for processing. > sendmail is saying the machine is too busy to process mail, > hence the log messages.. > > you say you've got the disk configured as RAID 0 (striping), > is this hardware or software RAID (vinum?). It is hardware raid. > have you turned on softupdates on the filesystem containing > the spool files - this can make a lot of difference as regards I/O. I am unfamiliar with this.. How would I check? > How have you split up the filesystems? single / or /, /usr, > /home and /var? Yes, /var is on different physical drives. > Just wondering why you choose FreeBSD 5.1 as this is still > considered 'unstable'? The current 'stable' release is 4.9. > But my tests seem to indicate 5.x tree is much faster than 4.8... Honestly, this was not my choice, but I figured since it was already there, and most of what I read indicated it's quite stable, I decided to stick with it and check it out. > I run FreeBSD 4.8 with Exim 4.24 and MS 4.24 (no RBL's/pyzor) > using Sophos-Savi and ClamAV with Mailwatch and the mysql DB > all on the same machine - celeron 600mhz, single ATA1-100 > disk and a single / partition. > runs 9,000 messages a day without breaking above 1.5 on load average. 
load averages: 0.28, 0.27, 0.23 Yes, this seems unusual, which is why I am deferring to the mailing list members hoping someone has some useful insight :) > -- > Martin Hepworth > Snr Systems Administrator > Solid State Logic > Tel: +44 (0)1865 842300 > > > ********************************************************************** > > This email and any files transmitted with it are confidential and > intended solely for the use of the individual or entity to whom they > are addressed. If you have received this email in error please notify > the system manager. > > This footnote confirms that this email message has been swept > for the presence of computer viruses and is believed to be clean. > > ********************************************************************** > From harryh at CET.COM Thu Dec 11 10:38:31 2003 From: harryh at CET.COM (Harry Hanson) Date: Thu Jan 12 21:21:30 2006 Subject: Skipping queue run -- load average too high In-Reply-To: <54C38A0B814C8E438EF73FC76F3629273132BF@mtlnt501fs.CAMOROUTE.COM> Message-ID: <200312111039.hBBAd0fX031682@fili.jiscmail.ac.uk> > You have to stop it with ctrl-c. To interpret the output, > see the manpage for vmstat. The first column I check is > usually the second one (b). And in your case, is seems ok, > because it is 0 or 1 (there is one or zero process waiting > for I/O). I don't have a freebsd box here, so I can't > interpret everything. Ahh.. Yes, I knew how to stop it, but wasn't quite understanding the output. Thanks :) From martinh at SOLID-STATE-LOGIC.COM Thu Dec 11 11:01:07 2003 
From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth) Date: Thu Jan 12 21:21:30 2006 Subject: Skipping queue run -- load average too high In-Reply-To: <200312111036.hBBAaifX031425@fili.jiscmail.ac.uk> References: <200312111036.hBBAaifX031425@fili.jiscmail.ac.uk> Message-ID: <3FD84E73.9060605@solid-state-logic.com> Harry Hanson wrote: >>hmm seems to be page faulting quite a bit, which is unusual >>for something relatively high CPU/memory wise. >> >>what checks have you got on SA and MS? Esp what checks are >>running for RBL's and pyzor? > > > During that time SA was disabled. > > Most MS settings are default, as I felt it best to ask for advice from this > list before making any changes. > > RBL's are not being used via mailscanner; they are rejected by sendmail, so > those that are listed don't even make it thru MA for processing. > > >>sendmail is saying the machine is too busy to process mail, >>hence the log messages.. >> >>you say you've got the disk configured as RAID 0 (striping), >>is this hardware or software RAID (vinum?). > > > It is hardware raid. > > >>have you turned on softupdates on the filesystem containing >>the spool files - this can make a lot of difference as regards I/O. > > > I am unfamiliar with this.. How would I check? > > >>How have you split up the filesystems? single / or /, /usr, >>/home and /var? > > > Yes, /var is on different physical drives. > > >>Just wondering why you choose FreeBSD 5.1 as this is still >>considered 'unstable'? The current 'stable' release is 4.9. >>But my tests seem to indicate 5.x tree is much faster than 4.8... > > > Honestly, this was not my choice, but I figured since it was already there, > and most of what I read indicated it's quite stable, I decided to stick with > it and check it out. 
> > >>I run FreeBSD 4.8 with Exim 4.24 and MS 4.24 (no RBL's/pyzor) >>using Sophos-Savi and ClamAV with Mailwatch and the mysql DB >>all on the same machine - celeron 600mhz, single ATA1-100 >>disk and a single / partition. >>runs 9,000 messages a day without breaking above 1.5 on load average. > > > load averages: 0.28, 0.27, 0.23 > > Yes, this seems unusual, which is why I am deferring to the mailing list > members hoping someone has some useful insight :) > OK check out tunefs to turn on softupdates for the /var filesystem (you'll need to unmount it first. so you're prob going have to drop to single user mode..) Would be interesting to see what iostat and vmstat report when run at the same time. Also getting a dump from 'top' and netstat might help to see what's occurring at the time things go awry. the default for sendmail to stop accepting mail is when the load average goes about 12 (and to queue at load avg above 8)..so perhaps sendmail is getting the load average wrong??/ from the sendmail.cf - default FreeBSD 5.1...(/etc/mail/sendmail.cf) # load average at which we just queue messages #O QueueLA=8 # load average at which we refuse connections #O RefuseLA=12 I'd check that these are still correct.. -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 ********************************************************************** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean. ********************************************************************** From michele at BLACKNIGHTSOLUTIONS.COM Thu Dec 11 11:14:23 2003 
From: michele at BLACKNIGHTSOLUTIONS.COM (Michele Neylon :: Blacknight Solutions) Date: Thu Jan 12 21:21:30 2006 Subject: Firewall woes - ports to be used Message-ID: After installing a new firewall we seem to have run into a number of issues regarding required ports. Can anybody help/advise? We are using: MailScanner with SA, Razor, Pyzor, DCC and the RBLs (of course) Thanks M Mr. Michele Neylon Blacknight Internet Solutions Ltd http://www.blacknightsolutions.ie/ http://www.search.ie/ Tel. + 353 (0)59 9137101 Lowest price domains in Ireland From Kevin.Spicer at BMRB.CO.UK Thu Dec 11 11:19:44 2003 From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin) Date: Thu Jan 12 21:21:30 2006 Subject: Firewall woes - ports to be used Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0016498FC@pascal.priv.bmrb.co.uk> Michele Neylon :: Blacknight Solutions wrote: > After installing a new firewall we seem to have run into a number of > issues regarding required ports. > Can anybody help/advise? > We are using: > MailScanner > with SA, Razor, Pyzor, DCC and the RBLs (of course) > I _think_ this is in the FAQ From Antony at SOFT-SOLUTIONS.CO.UK Thu Dec 11 11:26:57 2003 
From: Antony at SOFT-SOLUTIONS.CO.UK (Antony Stone) Date: Thu Jan 12 21:21:30 2006 Subject: Firewall woes - ports to be used In-Reply-To: References: Message-ID: <200312111126.57799.Antony@Soft-Solutions.co.uk> On Thursday 11 December 2003 11:14 am, Michele Neylon :: Blacknight Solutions wrote: > After installing a new firewall we seem to have run into a number of issues > regarding required ports. > Can anybody help/advise? > We are using: > MailScanner > with SA, Razor, Pyzor, DCC and the RBLs (of course) Presumably you mean that the firewall is blocking traffic because appropriate rules haven't been added, and therefore some of the above are not able to work? If you can't easily find out what protocols/ports the above services use, the best way to solve the problem is to put a Log rule at the end of your firewall rules, just before the default Drop of all other packets (I'm using netfilter terminology here, but the same principle applies to any packet filtering firewall), and then look at what gets logged when one of the services fails. The log entry will tell you what protocol and port you need to add a rule for, and once you've done that enough times that nothing gets logged, you will be allowing exactly what you need to. Regards, Antony. -- If the human brain were so simple that we could understand it, we'd be so simple that we couldn't. Please reply to the list; please don't CC me. From michele at BLACKNIGHTSOLUTIONS.COM Thu Dec 11 11:27:24 2003 From: michele at BLACKNIGHTSOLUTIONS.COM (Michele Neylon :: Blacknight Solutions) Date: Thu Jan 12 21:21:30 2006 Subject: Firewall woes - ports to be used In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB0016498FC@pascal.priv.bmrb.co.uk> Message-ID: I can't see any reference to it in the FAQ :( Help!! Mr. Michele Neylon Blacknight Internet Solutions Ltd http://www.blacknightsolutions.ie/ http://www.search.ie/ Tel. + 353 (0)59 9137101 Lowest price domains in Ireland > -----Original Message----- 
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > Behalf Of Spicer, Kevin > Sent: 11 December 2003 11:20 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Firewall woes - ports to be used > > > Michele Neylon :: Blacknight Solutions wrote: > > After installing a new firewall we seem to have run into a number of > > issues regarding required ports. > > Can anybody help/advise? > > We are using: > > MailScanner > > with SA, Razor, Pyzor, DCC and the RBLs (of course) > > > > I _think_ this is in the FAQ > From prandal at HEREFORDSHIRE.GOV.UK Thu Dec 11 11:42:57 2003 From: prandal at HEREFORDSHIRE.GOV.UK (Randal, Phil) Date: Thu Jan 12 21:21:30 2006 Subject: Firewall woes - ports to be used Message-ID: <0EBC45FCABFC95428EBFC3A51B368C9501C9C3CA@jessica.herefordshire.gov.uk> Razor: 7/tcp and 2703/tcp DCC: 6277/udp pyzor: 24441/udp Cheers, Phil --------------------------------------------- Phil Randal Network Engineer Herefordshire Council Hereford, UK > -----Original Message----- > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > Behalf Of Michele Neylon :: Blacknight Solutions > Sent: 11 December 2003 11:27 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Firewall woes - ports to be used > > > I can't see any reference to it in the FAQ :( > Help!! > > Mr. Michele Neylon > Blacknight Internet Solutions Ltd > http://www.blacknightsolutions.ie/ > http://www.search.ie/ > Tel. + 353 (0)59 9137101 > Lowest price domains in Ireland > > > -----Original Message----- 
> > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > > Behalf Of Spicer, Kevin > > Sent: 11 December 2003 11:20 > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: Re: Firewall woes - ports to be used > > > > > > Michele Neylon :: Blacknight Solutions wrote: > > > After installing a new firewall we seem to have run into > a number of > > > issues regarding required ports. > > > Can anybody help/advise? > > > We are using: > > > MailScanner > > > with SA, Razor, Pyzor, DCC and the RBLs (of course) > > > > > > > I _think_ this is in the FAQ > > > From michele at BLACKNIGHTSOLUTIONS.COM Thu Dec 11 11:48:47 2003 From: michele at BLACKNIGHTSOLUTIONS.COM (Michele Neylon :: Blacknight Solutions) Date: Thu Jan 12 21:21:30 2006 Subject: Firewall woes - ports to be used In-Reply-To: <0EBC45FCABFC95428EBFC3A51B368C9501C9C3CA@jessica.herefordshire.gov.uk> Message-ID: Thanks :) You may turn out to be my lifesaver! It's a managed firewall, so we do not have direct access to the configuration :( M Mr. Michele Neylon Blacknight Internet Solutions Ltd http://www.blacknightsolutions.ie/ http://www.search.ie/ Tel. + 353 (0)59 9137101 Lowest price domains in Ireland > -----Original Message----- > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > Behalf Of Randal, Phil > Sent: 11 December 2003 11:43 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Firewall woes - ports to be used > > > Razor: 7/tcp and 2703/tcp > > DCC: 6277/udp > > pyzor: 24441/udp > > Cheers, > > Phil > > --------------------------------------------- > Phil Randal > Network Engineer > Herefordshire Council > Hereford, UK > > > -----Original Message----- 
> > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > > Behalf Of Michele Neylon :: Blacknight Solutions > > Sent: 11 December 2003 11:27 > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: Re: Firewall woes - ports to be used > > > > > > I can't see any reference to it in the FAQ :( > > Help!! > > > > Mr. Michele Neylon > > Blacknight Internet Solutions Ltd > > http://www.blacknightsolutions.ie/ > > http://www.search.ie/ > > Tel. + 353 (0)59 9137101 > > Lowest price domains in Ireland > > > > > -----Original Message----- > > > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > > > Behalf Of Spicer, Kevin > > > Sent: 11 December 2003 11:20 > > > To: MAILSCANNER@JISCMAIL.AC.UK > > > Subject: Re: Firewall woes - ports to be used > > > > > > > > > Michele Neylon :: Blacknight Solutions wrote: > > > > After installing a new firewall we seem to have run into > > a number of > > > > issues regarding required ports. > > > > Can anybody help/advise? > > > > We are using: > > > > MailScanner > > > > with SA, Razor, Pyzor, DCC and the RBLs (of course) > > > > > > > > > > I _think_ this is in the FAQ > > > > > > From Kevin.Spicer at BMRB.CO.UK Thu Dec 11 11:52:40 2003 From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin) Date: Thu Jan 12 21:21:30 2006 Subject: Firewall woes - ports to be used Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0016498FE@pascal.priv.bmrb.co.uk> Michele Neylon :: Blacknight Solutions wrote: > I can't see any reference to it in the FAQ :( > Help!! http://www.sng.ecs.soton.ac.uk/mailscanner/serve/cache/125.html From dean.plant at ROKE.CO.UK Thu Dec 11 12:26:33 2003 From: dean.plant at ROKE.CO.UK (Plant, Dean) Date: Thu Jan 12 21:21:30 2006 Subject: Firewall woes - ports to be used Message-ID: FYI - the Razor ports are only required outbound. -----Original Message----- 
From: Randal, Phil [mailto:prandal@HEREFORDSHIRE.GOV.UK] Sent: 11 December 2003 11:43 To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Firewall woes - ports to be used Razor: 7/tcp and 2703/tcp DCC: 6277/udp pyzor: 24441/udp Cheers, Phil --------------------------------------------- Phil Randal Network Engineer Herefordshire Council Hereford, UK > -----Original Message----- > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > Behalf Of Michele Neylon :: Blacknight Solutions > Sent: 11 December 2003 11:27 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Firewall woes - ports to be used > > > I can't see any reference to it in the FAQ :( > Help!! > > Mr. Michele Neylon > Blacknight Internet Solutions Ltd > http://www.blacknightsolutions.ie/ > http://www.search.ie/ > Tel. + 353 (0)59 9137101 > Lowest price domains in Ireland > > > -----Original Message----- > > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > > Behalf Of Spicer, Kevin > > Sent: 11 December 2003 11:20 > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: Re: Firewall woes - ports to be used > > > > > > Michele Neylon :: Blacknight Solutions wrote: > > > After installing a new firewall we seem to have run into > a number of > > > issues regarding required ports. > > > Can anybody help/advise? > > > We are using: > > > MailScanner > > > with SA, Razor, Pyzor, DCC and the RBLs (of course) > > > > > > > I _think_ this is in the FAQ > > > -- Registered Office: Roke Manor Research Ltd, Siemens House, Oldbury, Bracknell, Berkshire. RG12 8FZ The information contained in this e-mail and any attachments is confidential to Roke Manor Research Ltd and must not be passed to any third party without permission. This communication is for information only and shall not create or change any contractual relationship. From Antony at SOFT-SOLUTIONS.CO.UK Thu Dec 11 12:29:48 2003 
From: Antony at SOFT-SOLUTIONS.CO.UK (Antony Stone) Date: Thu Jan 12 21:21:30 2006 Subject: Firewall woes - ports to be used In-Reply-To: References: Message-ID: <200312111229.48130.Antony@Soft-Solutions.co.uk> On Thursday 11 December 2003 12:26 pm, Plant, Dean wrote: > FYI - the Razor ports are only required outbound. I should hope that is true of all of them!? (Assuming your firewall allows in reply packets - but none of the services should be initiated from outside....) Antony. > -----Original Message----- > From: Randal, Phil [mailto:prandal@HEREFORDSHIRE.GOV.UK] > Sent: 11 December 2003 11:43 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Firewall woes - ports to be used > > > Razor: 7/tcp and 2703/tcp > > DCC: 6277/udp > > pyzor: 24441/udp > > Cheers, > > Phil > > --------------------------------------------- > Phil Randal > Network Engineer > Herefordshire Council > Hereford, UK > > > -----Original Message----- > > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > > Behalf Of Michele Neylon :: Blacknight Solutions > > Sent: 11 December 2003 11:27 > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: Re: Firewall woes - ports to be used > > > > > > I can't see any reference to it in the FAQ :( > > Help!! > > > > Mr. Michele Neylon > > Blacknight Internet Solutions Ltd > > http://www.blacknightsolutions.ie/ > > http://www.search.ie/ > > Tel. + 353 (0)59 9137101 > > Lowest price domains in Ireland > > > > > -----Original Message----- 
> > > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > > > Behalf Of Spicer, Kevin > > > Sent: 11 December 2003 11:20 > > > To: MAILSCANNER@JISCMAIL.AC.UK > > > Subject: Re: Firewall woes - ports to be used > > > > > > Michele Neylon :: Blacknight Solutions wrote: > > > > After installing a new firewall we seem to have run into > > > > a number of > > > > > > issues regarding required ports. > > > > Can anybody help/advise? > > > > We are using: > > > > MailScanner > > > > with SA, Razor, Pyzor, DCC and the RBLs (of course) > > > > > > I _think_ this is in the FAQ -- This email is intended for the use of the individual addressee(s) named above and may contain information that is confidential, privileged or unsuitable for overly sensitive persons with low self-esteem, no sense of humour, or irrational religious beliefs. If you have received this email in error, you are required to shred it immediately, add some nutmeg, three egg whites and a dessertspoonful of caster sugar. Whisk until soft peaks form, then place in a warm oven for 40 minutes. Remove promptly and let stand for 2 hours before adding some decorative kiwi fruit and cream. Then notify me immediately by return email and eat the original message. Please reply to the list; please don't CC me. From Q.G.Campbell at NEWCASTLE.AC.UK Thu Dec 11 12:44:17 2003 
From: Q.G.Campbell at NEWCASTLE.AC.UK (Quentin Campbell) Date: Thu Jan 12 21:21:30 2006 Subject: Unexpected whitelisting behaviour Message-ID: <74BC2BBF06470148911E64E2B48FE13964C5F9@pinewood.ncl.ac.uk> A colleague here sent me a message from the Dilbert website. It was a message containing a link to a cartoon I might enjoy. The message itself was unexceptional. However I noticed that the message headers did not contain the usual X-Newcastle-MailScanner-SpamScore: ss... header. This implies that the envelope sender domain/IP was whitelisted. Am I correct in this supposition? Both the message headers and the Sendmail logs show that the envelope sender address is "A.N.Other@ncl.ac.uk". Ignore the local part which I have changed and focus on the domain part which is one of our mail domains. The message clearly originated at the Dilbert web site as is evident from both the Sendmail logs and the message headers but the Dilbert site apparently allows the user to specify their own reply address and that it makes this address the envelope sender address. So far so good. Now here is the curious thing: I whitelist all mail originating at this site by IP address and NOT by domain. So I am perplexed as to how this message from an off-site IP address, but containing our domain in the envelope sender address, was apparently whitelisted when it was received by our mail relays. It should not have been whitelisted! I have got the user to repeat what she did and received a similar message showing the same behaviour via another one of our MX hosts. So it appears to be a consistent fault. I am running with MS 4.24-5 and Sendmail. Quentin --- PHONE: +44 191 222 8209 Information Systems and Services (ISS), University of Newcastle, Newcastle upon Tyne, FAX: +44 191 222 8765 United Kingdom, NE1 7RU. ------------------------------------------------------------------------ "Any opinion expressed above is mine. The University can get its own." 
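Added example, not part of any list message: the "Firewall woes - ports to be used" thread above suggests putting a Log rule just before the firewall's default Drop and reading the log to learn which protocol and port to allow. This Python script tallies netfilter LOG lines by direction, protocol and destination port and labels them with the ports the posters named; the FW-DROP log prefix, the sample log lines and every address in them are constructed assumptions.

```python
import re
from collections import Counter

# Ports named by posters in the thread (Razor, DCC, Pyzor, Pyzor discover).
THREAD_PORTS = {
    ("tcp", 7): "Razor",
    ("tcp", 2703): "Razor",
    ("udp", 6277): "DCC",
    ("udp", 24441): "Pyzor",
    ("tcp", 80): "Pyzor discover (HTTP)",
}
UNLISTED = "not named in the thread"

# Assumption: the logging rule placed just before the default drop uses this
# prefix, e.g.  iptables -A OUTPUT -j LOG --log-prefix "FW-DROP: "
LOG_PREFIX = "FW-DROP: "

# Constructed sample syslog lines (documentation addresses, not real traffic).
SAMPLE_LOG = """\
Dec 11 11:30:01 mail kernel: FW-DROP: IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.7 LEN=60 TTL=64 ID=4211 DF PROTO=TCP SPT=40112 DPT=2703 WINDOW=5840 SYN URGP=0
Dec 11 11:30:04 mail kernel: FW-DROP: IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.7 LEN=60 TTL=64 ID=4212 DF PROTO=TCP SPT=40112 DPT=2703 WINDOW=5840 SYN URGP=0
Dec 11 11:30:09 mail kernel: FW-DROP: IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.20 LEN=92 TTL=64 ID=0 DF PROTO=UDP SPT=32770 DPT=6277 LEN=72
Dec 11 11:30:12 mail kernel: FW-DROP: IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.33 LEN=78 TTL=64 ID=0 DF PROTO=UDP SPT=32771 DPT=24441 LEN=58
Dec 11 11:30:15 mail kernel: FW-DROP: IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.53 LEN=70 TTL=64 ID=0 DF PROTO=UDP SPT=32772 DPT=53 LEN=50
Dec 11 11:30:20 mail kernel: FW-DROP: IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.7 LEN=84 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=9 SEQ=1
Dec 11 11:30:22 mail sendmail[2211]: hBBBUMx2002211: from=<a@example.org>, size=1204
Dec 11 11:30:25 mail kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 LEN=48 TTL=110 ID=771 PROTO=TCP SPT=3312 DPT=135 WINDOW=16384 SYN URGP=0
"""

# KEY=value pairs of a LOG line; bare flags such as DF or SYN are skipped.
FIELD = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_line(line):
    """Return (direction, proto, dport) for one logged packet, else None."""
    _, found, body = line.partition(LOG_PREFIX)
    if not found:
        return None  # not written by our LOG rule
    fields = dict(FIELD.findall(body))
    proto = fields.get("PROTO", "").lower()
    if not proto:
        return None
    # ICMP and similar protocols carry no destination port.
    dport = int(fields["DPT"]) if fields.get("DPT", "").isdigit() else None
    if fields.get("IN") and fields.get("OUT"):
        direction = "fwd"   # routed through a gateway firewall
    elif fields.get("OUT"):
        direction = "out"   # started by this host
    elif fields.get("IN"):
        direction = "in"    # arriving from outside
    else:
        direction = "?"
    return direction, proto, dport


def summarise(log_text):
    """Tally logged packets as (direction, proto, dport, count, service)."""
    counts = Counter()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed:
            counts[parsed] += 1
    rows = [
        (d, p, port, n, THREAD_PORTS.get((p, port), UNLISTED))
        for (d, p, port), n in counts.items()
    ]
    rows.sort(key=lambda r: (-r[3], r[0], r[1], -1 if r[2] is None else r[2]))
    return rows


def outbound_candidates(rows):
    """Outbound port-based entries only: the ones worth an allow rule.

    Inbound drops are left out on purpose, since the thread notes these
    services only need to be allowed outbound.
    """
    return [(p, port, svc) for d, p, port, _, svc in rows
            if d == "out" and port is not None]


if __name__ == "__main__":
    for row in summarise(SAMPLE_LOG):
        print(row)
```

Entries labelled "not named in the thread" are the ones to identify before allowing anything, and repeating the run until nothing outbound is logged follows the procedure the thread describes.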
From m.sapsed at BANGOR.AC.UK Thu Dec 11 12:48:16 2003 
From: m.sapsed at BANGOR.AC.UK (Martin Sapsed) Date: Thu Jan 12 21:21:30 2006 Subject: Internet Explorer URL Display problem References: <3FD767AE.2050006@bangor.ac.uk> <3FD77815.2070206@sghms.ac.uk> <200312101955.20491.Antony@Soft-Solutions.co.uk> <3FD77C90.5060705@sghms.ac.uk> <6.0.1.1.2.20031210202408.027e59f8@imap.ecs.soton.ac.uk> <1587.24.83.44.30.1071089543.squirrel@www.fractalweb.com> <6.0.1.1.2.20031210211659.027caaf0@imap.ecs.soton.ac.uk> Message-ID: <3FD86790.3050407@bangor.ac.uk> Julian Field wrote: > At 20:52 10/12/2003, you wrote: >> Wouldn't this only mark the message as spam? Maybe I'm alone on this, but >> I think that this presents a far more serious threat than just spam. If >> someone opens the spam anyways and sees a message from their bank, >> requesting verification of online banking information, they might be >> tempted to follow the links AND complain to me that this important >> message >> from their bank was marked as spam. >> >> My thought is that this should fall under the same general area of the >> flowchart as the I-Frame exploits, if possible. I was thinking this but have added Julian's rules to my SA prefs for now anyway. "Owt's better than nowt!" springs to mind... > I don't want to do what SA already does very well, nor do I want to write > code that is part of the arms race, I've probably done too much of that > already. So I would prefer SA to do this. Maybe it is time to "plug" MCP > rather more, and do more testing of it. > > For docs on MCP, see > www.sng.ecs.soton.ac.uk/mailscanner/install/mcp I will have a look at this - Julian, have you got patches for SA 2.61 yet? (The page says to ask for patches for new versions of SA!! ;-) (Also, btw, there are still some references to TCP rather than MCP in that page.) Cheers, Martin -- Martin Sapsed Information Services "Who do you say I am?" University of Wales, Bangor Jesus of Nazareth From mailscanner at ecs.soton.ac.uk Thu Dec 11 13:47:51 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:30 2006 Subject: Unexpected whitelisting behaviour In-Reply-To: <74BC2BBF06470148911E64E2B48FE13964C5F9@pinewood.ncl.ac.uk> References: <74BC2BBF06470148911E64E2B48FE13964C5F9@pinewood.ncl.ac.uk> Message-ID: <6.0.1.1.2.20031211134709.03ab3fe0@imap.ecs.soton.ac.uk> At 12:44 11/12/2003, you wrote: >A colleague here sent me a message from the Dilbert website. It was a >message containing a link to a cartoon I might enjoy. The message itself >was unexceptional. > >However I noticed that the message headers did not contain the usual > > X-Newcastle-MailScanner-SpamScore: ss... That will only happen if MS thinks it is spam. >header. This implies that the envelope sender domain/IP was whitelisted. >Am I correct in this supposition? No. If it would have been spam, but was whitelisted, then it would say it was whitelisted. >Both the message headers and the Sendmail logs show that the envelope >sender address is "A.N.Other@ncl.ac.uk". Ignore the local part which I >have changed and focus on the domain part which is one of our mail >domains. > >The message clearly originated at the Dilbert web site as is evident >from both the Sendmail logs and the message headers but the Dilbert site >apparently allows the user to specify their own reply address and that >it makes this address the envelope sender address. So far so good. > >Now here is the curious thing: I whitelist all mail originating at this >site by IP address and NOT by domain. So I am perplexed as to how this >message from an off-site IP address, but containing our domain in the >envelope sender address, was apparently whitelisted when it was received >by our mail relays. It should not have been whitelisted! > >I have got the user to repeat what she did and received a similar >message showing the same behaviour via another one of our MX hosts. So >it appears to be a consistent fault. I am running with MS 4.24-5 and >Sendmail. 
> >Quentin >--- >PHONE: +44 191 222 8209 Information Systems and Services (ISS), > University of Newcastle, > Newcastle upon Tyne, >FAX: +44 191 222 8765 United Kingdom, NE1 7RU. >------------------------------------------------------------------------ >"Any opinion expressed above is mine. The University can get its own." -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Thu Dec 11 13:49:37 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:30 2006 Subject: Internet Explorer URL Display problem In-Reply-To: <3FD86790.3050407@bangor.ac.uk> References: <3FD767AE.2050006@bangor.ac.uk> <3FD77815.2070206@sghms.ac.uk> <200312101955.20491.Antony@Soft-Solutions.co.uk> <3FD77C90.5060705@sghms.ac.uk> <6.0.1.1.2.20031210202408.027e59f8@imap.ecs.soton.ac.uk> <1587.24.83.44.30.1071089543.squirrel@www.fractalweb.com> <6.0.1.1.2.20031210211659.027caaf0@imap.ecs.soton.ac.uk> <3FD86790.3050407@bangor.ac.uk> Message-ID: <6.0.1.1.2.20031211134806.083f6ec0@imap.ecs.soton.ac.uk> At 12:48 11/12/2003, you wrote: >Julian Field wrote: >>At 20:52 10/12/2003, you wrote: >>>Wouldn't this only mark the message as spam? Maybe I'm alone on this, but >>>I think that this presents a far more serious threat than just spam. If >>>someone opens the spam anyways and sees a message from their bank, >>>requesting verification of online banking information, they might be >>>tempted to follow the links AND complain to me that this important >>>message >>>from their bank was marked as spam. >>> >>>My thought is that this should fall under the same general area of the >>>flowchart as the I-Frame exploits, if possible. > >I was thinking this but have added Julian's rules to my SA prefs for now >anyway. "Owt's better than nowt!" springs to mind... What I have done is set the score of the rule to 100, set my high scoring threshold to 100, and set the high scoring spam actions to "delete". That way the users never knew they were going to get it. >>I don't want to do what SA already does very well, nor do I want to write >>code that is part of the arms race, I've probably done too much of that >>already. So I would prefer SA to do this. Maybe it is time to "plug" MCP >>rather more, and do more testing of it. >> >>For docs on MCP, see >>www.sng.ecs.soton.ac.uk/mailscanner/install/mcp > >I will have a look at this - Julian, have you got patches for SA 2.61 >yet? 
(The page says to ask for patches for new versions of SA!! ;-) Not yet, but will do that this afternoon (nearly end of term here so actually have my head above water for once!). >(Also, btw, there are still some references to TCP rather than MCP in >that page.) Will take a look. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Thu Dec 11 14:04:07 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:30 2006 Subject: Internet Explorer URL Display problem In-Reply-To: <6.0.1.1.2.20031211134806.083f6ec0@imap.ecs.soton.ac.uk> References: <3FD767AE.2050006@bangor.ac.uk> <3FD77815.2070206@sghms.ac.uk> <200312101955.20491.Antony@Soft-Solutions.co.uk> <3FD77C90.5060705@sghms.ac.uk> <6.0.1.1.2.20031210202408.027e59f8@imap.ecs.soton.ac.uk> <1587.24.83.44.30.1071089543.squirrel@www.fractalweb.com> <6.0.1.1.2.20031210211659.027caaf0@imap.ecs.soton.ac.uk> <3FD86790.3050407@bangor.ac.uk> <6.0.1.1.2.20031211134806.083f6ec0@imap.ecs.soton.ac.uk> Message-ID: <6.0.1.1.2.20031211140338.08c99568@imap.ecs.soton.ac.uk> At 13:49 11/12/2003, you wrote: >>>I don't want to do what SA already does very well, nor do I want to write >>>code that is part of the arms race, I've probably done too much of that >>>already. So I would prefer SA to do this. Maybe it is time to "plug" MCP >>>rather more, and do more testing of it. >>> >>>For docs on MCP, see >>>www.sng.ecs.soton.ac.uk/mailscanner/install/mcp >> >>I will have a look at this - Julian, have you got patches for SA 2.61 >>yet? (The page says to ask for patches for new versions of SA!! ;-) > >Not yet, but will do that this afternoon (nearly end of term here so >actually have my head above water for once!). They are there now. >>(Also, btw, there are still some references to TCP rather than MCP in >>that page.) > >Will take a look. Fixed. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From t.d.lee at DURHAM.AC.UK Thu Dec 11 14:22:12 2003 
From: t.d.lee at DURHAM.AC.UK (David Lee) Date: Thu Jan 12 21:21:30 2006 Subject: Internet Explorer URL Display problem In-Reply-To: <6.0.1.1.2.20031211134806.083f6ec0@imap.ecs.soton.ac.uk> References: <3FD767AE.2050006@bangor.ac.uk> <3FD77815.2070206@sghms.ac.uk> <200312101955.20491.Antony@Soft-Solutions.co.uk> <3FD77C90.5060705@sghms.ac.uk> <6.0.1.1.2.20031210202408.027e59f8@imap.ecs.soton.ac.uk> <1587.24.83.44.30.1071089543.squirrel@www.fractalweb.com> <6.0.1.1.2.20031210211659.027caaf0@imap.ecs.soton.ac.uk> <3FD86790.3050407@bangor.ac.uk> <6.0.1.1.2.20031211134806.083f6ec0@imap.ecs.soton.ac.uk> Message-ID: On Thu, 11 Dec 2003, Julian Field wrote: > What I have done is set the score of the rule to 100, set my high scoring > threshold to 100, and set the high scoring spam actions to "delete". That > way the users never knew they were going to get it. Julian: There was a massive overnight discussion about what the "rule" should be, and I must confess to not having absorbed every last detail or two (or three or four... thousand). Could you summarise the consensus SA rule etc., please? Thanks. > >I will have a look at this - Julian, have you got patches for SA 2.61 > >yet? (The page says to ask for patches for new versions of SA!! ;-) > > Not yet, but will do that this afternoon (nearly end of term here so > actually have my head above water for once!). Julian: Could you get the SA folk to include your patches in their distributions? This is similar to an earlier discussion about MIME::Tools. MS is a great product, but this business of its requiring patches, over extended time periods, to other software can trip people up, and put them off, at the first hurdle (however understandable (or at least manageable) it might become to us n'th hurdle geeks). (Get back to me about the MIME::Tools one if you want to discuss it further.) Incidentally, we've been running the new SA 2.61 in full production for just over a day and it seems fine. (Hmmm, that's tempting fate...) 
Hope that helps. -- : David Lee I.T. Service : : Systems Programmer Computer Centre : : University of Durham : : http://www.dur.ac.uk/t.d.lee/ South Road : : Durham : : Phone: +44 191 334 2752 U.K. : From Q.G.Campbell at NEWCASTLE.AC.UK Thu Dec 11 14:34:23 2003 From: Q.G.Campbell at NEWCASTLE.AC.UK (Quentin Campbell) Date: Thu Jan 12 21:21:30 2006 Subject: Unexpected whitelisting behaviour Message-ID: <74BC2BBF06470148911E64E2B48FE13964C616@pinewood.ncl.ac.uk> >-----Original Message----- >From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] >Sent: 11 December 2003 13:48 >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Re: Unexpected whitelisting behaviour > I said that: >>However I noticed that the message headers did not contain the usual >> >> X-Newcastle-MailScanner-SpamScore: ss... > and Julian replied: That will only happen if MS thinks it is spam. ------------------------------------------------ Julian At the cost of sounding a little dense could I ask you to please explain what you mean by that statement? Surely MS only thinks a message is "spam" if the spam score exceeds the SA threshold, currently 5.0 at this site, or the sender is in one of the RBL sites specified in the MS config file? Why, then, do I see most messages that have a spam score less than 5 (ie. Not spam) showing a "X-Newcastle-MailScanner-SpamScore:" header with 1 to 4 "s" characters? Are you saying that the message in question must have had a spam score less than or equal to zero or less than the -2.0 used by the Bayes auto-learn as the "ham" threshold? Quentin --- PHONE: +44 191 222 8209 Information Systems and Services (ISS), University of Newcastle, Newcastle upon Tyne, FAX: +44 191 222 8765 United Kingdom, NE1 7RU. ------------------------------------------------------------------------ "Any opinion expressed above is mine. The University can get its own." From RKearney at AZERTY.COM Thu Dec 11 14:40:56 2003 
From: RKearney at AZERTY.COM (Kearney, Rob) Date: Thu Jan 12 21:21:30 2006 Subject: Firewall woes - ports to be used Message-ID: <210DF55DED65B547896F728FB057F3B2019C4A59@seaver.ussco.com> Also, Pyzor discover requires port 80 for HTTP traffic. -rob -----Original Message----- From: Randal, Phil [mailto:prandal@HEREFORDSHIRE.GOV.UK] Sent: Thursday, December 11, 2003 6:43 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Firewall woes - ports to be used Razor: 7/tcp and 2703/tcp DCC: 6277/udp pyzor: 24441/udp Cheers, Phil --------------------------------------------- Phil Randal Network Engineer Herefordshire Council Hereford, UK > -----Original Message----- > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > Behalf Of Michele Neylon :: Blacknight Solutions > Sent: 11 December 2003 11:27 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Firewall woes - ports to be used > > > I can't see any reference to it in the FAQ :( > Help!! > > Mr. Michele Neylon > Blacknight Internet Solutions Ltd > http://www.blacknightsolutions.ie/ > http://www.search.ie/ > Tel. + 353 (0)59 9137101 > Lowest price domains in Ireland > > > -----Original Message----- > > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > > Behalf Of Spicer, Kevin > > Sent: 11 December 2003 11:20 > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: Re: Firewall woes - ports to be used > > > > > > Michele Neylon :: Blacknight Solutions wrote: > > > After installing a new firewall we seem to have run into > a number of > > > issues regarding required ports. > > > Can anybody help/advise? > > > We are using: > > > MailScanner > > > with SA, Razor, Pyzor, DCC and the RBLs (of course) > > > > > > > I _think_ this is in the FAQ > > > From michele at BLACKNIGHTSOLUTIONS.COM Thu Dec 11 14:50:05 2003 
From: michele at BLACKNIGHTSOLUTIONS.COM (Michele Neylon :: Blacknight Solutions) Date: Thu Jan 12 21:21:30 2006 Subject: Firewall woes - ports to be used In-Reply-To: <210DF55DED65B547896F728FB057F3B2019C4A59@seaver.ussco.com> Message-ID: Port 80 is fine (thankfully!) Mr. Michele Neylon Blacknight Internet Solutions Ltd http://www.blacknightsolutions.ie/ http://www.search.ie/ Tel. + 353 (0)59 9137101 Lowest price domains in Ireland > -----Original Message----- > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > Behalf Of Kearney, Rob > Sent: 11 December 2003 14:41 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Firewall woes - ports to be used > > > Also, > > Pyzor discover requires port 80 for HTTP traffic. > > -rob > > -----Original Message----- > From: Randal, Phil [mailto:prandal@HEREFORDSHIRE.GOV.UK] > Sent: Thursday, December 11, 2003 6:43 AM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Firewall woes - ports to be used > > > Razor: 7/tcp and 2703/tcp > > DCC: 6277/udp > > pyzor: 24441/udp > > Cheers, > > Phil > > --------------------------------------------- > Phil Randal > Network Engineer > Herefordshire Council > Hereford, UK > > > -----Original Message----- > > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > > Behalf Of Michele Neylon :: Blacknight Solutions > > Sent: 11 December 2003 11:27 > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: Re: Firewall woes - ports to be used > > > > > > I can't see any reference to it in the FAQ :( > > Help!! > > > > Mr. Michele Neylon > > Blacknight Internet Solutions Ltd > > http://www.blacknightsolutions.ie/ > > http://www.search.ie/ > > Tel. + 353 (0)59 9137101 > > Lowest price domains in Ireland > > > > > -----Original Message----- 
> > > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > > > Behalf Of Spicer, Kevin > > > Sent: 11 December 2003 11:20 > > > To: MAILSCANNER@JISCMAIL.AC.UK > > > Subject: Re: Firewall woes - ports to be used > > > > > > > > > Michele Neylon :: Blacknight Solutions wrote: > > > > After installing a new firewall we seem to have run into > > a number of > > > > issues regarding required ports. > > > > Can anybody help/advise? > > > > We are using: > > > > MailScanner > > > > with SA, Razor, Pyzor, DCC and the RBLs (of course) > > > > > > > > > > I _think_ this is in the FAQ > > > > > > From mailscanner at ecs.soton.ac.uk Thu Dec 11 14:59:17 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:30 2006 Subject: Internet Explorer URL Display problem In-Reply-To: References: <3FD767AE.2050006@bangor.ac.uk> <3FD77815.2070206@sghms.ac.uk> <200312101955.20491.Antony@Soft-Solutions.co.uk> <3FD77C90.5060705@sghms.ac.uk> <6.0.1.1.2.20031210202408.027e59f8@imap.ecs.soton.ac.uk> <1587.24.83.44.30.1071089543.squirrel@www.fractalweb.com> <6.0.1.1.2.20031210211659.027caaf0@imap.ecs.soton.ac.uk> <3FD86790.3050407@bangor.ac.uk> <6.0.1.1.2.20031211134806.083f6ec0@imap.ecs.soton.ac.uk> Message-ID: <6.0.1.1.2.20031211145853.038059c8@imap.ecs.soton.ac.uk> At 14:22 11/12/2003, you wrote: >On Thu, 11 Dec 2003, Julian Field wrote: > > > What I have done is set the score of the rule to 100, set my high scoring > > threshold to 100, and set the high scoring spam actions to "delete". That > > way the users never knew they were going to get it. > >Julian: There was a massive overnight discussion about what the "rule" >should be, and I must confess to not having absorbed every last detail or >two (or three or four... thousand). > >Could you summarise the consensus SA rule etc., please? Thanks.

# JKF 11/12/2003
# This next rule provides some protection against the latest IE vulnerability
uri IE_VULN /%01.*@/
score IE_VULN 100.0
describe IE_VULN Internet Explorer vulnerability

> > >I will have a look at this - Julian, have you got patches for SA 2.61 > > >yet? (The page says to ask for patches for new versions of SA!! ;-) > > > > Not yet, but will do that this afternoon (nearly end of term here so > > actually have my head above water for once!). > >Julian: Could you get the SA folk to include your patches in their >distributions? I've tried before, to no avail. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Thu Dec 11 15:04:21 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:30 2006 Subject: Unexpected whitelisting behaviour In-Reply-To: <74BC2BBF06470148911E64E2B48FE13964C616@pinewood.ncl.ac.uk> References: <74BC2BBF06470148911E64E2B48FE13964C616@pinewood.ncl.ac.uk> Message-ID: <6.0.1.1.2.20031211150008.08ceb858@imap.ecs.soton.ac.uk> At 14:34 11/12/2003, you wrote: > >-----Original Message----- > >From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] > >Sent: 11 December 2003 13:48 > >To: MAILSCANNER@JISCMAIL.AC.UK > >Subject: Re: Unexpected whitelisting behaviour > > > >I said that: > > >>However I noticed that the message headers did not contain the usual > >> > >> X-Newcastle-MailScanner-SpamScore: ss... > > >and Julian replied: > >That will only happen if MS thinks it is spam. > >------------------------------------------------ > >Julian > >At the cost of sounding a little dense could I ask you to please explain >what you mean by that statement? Surely MS only thinks a message is >"spam" if the spam score exceeds the SA threshold, currently 5.0 at this >site, or the sender is in one of the RBL sites specified in the MS >config file? > >Why, then, do I see most messages that have a spam score less than 5 >(ie. Not spam) showing a "X-Newcastle-MailScanner-SpamScore:" header >with 1 to 4 "s" characters? Sounds like I must be talking rubbish then. This week, that really wouldn't surprise me. From the code, it looks like it adds the "SpamScore" header if the score > 0. However, the main Spam Header (SpamCheck) is only added if it is actually spam, or would be spam if it wasn't whitelisted (I think). Too much oxycodone ==> fried brain :-) -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From campbell at CNPAPERS.COM Thu Dec 11 15:27:08 2003 
From: campbell at CNPAPERS.COM (Stephe Campbell) Date: Thu Jan 12 21:21:30 2006 Subject: Patches for SA 2.61 References: <3FD767AE.2050006@bangor.ac.uk> <3FD77815.2070206@sghms.ac.uk> <200312101955.20491.Antony@Soft-Solutions.co.uk> <3FD77C90.5060705@sghms.ac.uk> <6.0.1.1.2.20031210202408.027e59f8@imap.ecs.soton.ac.uk> <1587.24.83.44.30.1071089543.squirrel@www.fractalweb.com> <6.0.1.1.2.20031210211659.027caaf0@imap.ecs.soton.ac.uk> <3FD86790.3050407@bangor.ac.uk> <6.0.1.1.2.20031211134806.083f6ec0@imap.ecs.soton.ac.uk> <6.0.1.1.2.20031211140338.08c99568@imap.ecs.soton.ac.uk> Message-ID: <000f01c3bffb$3d848f60$2b01a8c0@cnpapers.net> I have looked around and can find no references of any page suggesting patches. Can someone point me to the SA or MS "page" and "where" they are now? >>>I will have a look at this - Julian, have you got patches for SA 2.61 >>>yet? (The page says to ask for patches for new versions of SA!! ;-) >> >>Not yet, but will do that this afternoon (nearly end of term here so >>actually have my head above water for once!). > >They are there now. Thanks, Steve Campbell campbell@cnpapers.com Charleston Newspapers From mailscanner at ecs.soton.ac.uk Thu Dec 11 15:27:20 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:30 2006 Subject: Patches for SA 2.61 In-Reply-To: <000f01c3bffb$3d848f60$2b01a8c0@cnpapers.net> References: <3FD767AE.2050006@bangor.ac.uk> <3FD77815.2070206@sghms.ac.uk> <200312101955.20491.Antony@Soft-Solutions.co.uk> <3FD77C90.5060705@sghms.ac.uk> <6.0.1.1.2.20031210202408.027e59f8@imap.ecs.soton.ac.uk> <1587.24.83.44.30.1071089543.squirrel@www.fractalweb.com> <6.0.1.1.2.20031210211659.027caaf0@imap.ecs.soton.ac.uk> <3FD86790.3050407@bangor.ac.uk> <6.0.1.1.2.20031211134806.083f6ec0@imap.ecs.soton.ac.uk> <6.0.1.1.2.20031211140338.08c99568@imap.ecs.soton.ac.uk> <000f01c3bffb$3d848f60$2b01a8c0@cnpapers.net> Message-ID: <6.0.1.1.2.20031211152713.08c5ace0@imap.ecs.soton.ac.uk> At 15:27 11/12/2003, you wrote: >I have looked around and can no references of any page suggesting patches. >Can someone point me to the SA or MS "page" and "where" they are now? http://www.sng.ecs.soton.ac.uk/mailscanner/install/mcp/ -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Thu Dec 11 15:34:17 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:31 2006 Subject: Internet Explorer URL Display problem In-Reply-To: <0EBC45FCABFC95428EBFC3A51B368C9501C9C3CC@jessica.herefordshire.gov.uk> References: <0EBC45FCABFC95428EBFC3A51B368C9501C9C3CC@jessica.herefordshire.gov.uk> Message-ID: <6.0.1.1.2.20031211153242.03716920@imap.ecs.soton.ac.uk> At 15:27 11/12/2003, you wrote: >%0[0-9] would be better (or something like that). %[01][0-9a-fA-F] instead of %01 perhaps? I would imagine that the guy who found this exploit tested other characters too and found them not to be vulnerable. So %01 is probably good enough. >Or, any obfuscated "unprintable" ASCII code which isn't legitimate. >I'd hazard a guess that anything other than %20 is dodgy, but I'm no expert. > >Phil > >--------------------------------------------- >Phil Randal >Network Engineer >Herefordshire Council >Hereford, UK > > > -----Original Message----- 
> > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > > Behalf Of Julian Field > > Sent: 11 December 2003 14:59 > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: Re: Internet Explorer URL Display problem > > > > > > At 14:22 11/12/2003, you wrote: > > >On Thu, 11 Dec 2003, Julian Field wrote: > > > > > > > What I have done is set the score of the rule to 100, set > > my high scoring > > > > threshold to 100, and set the high scoring spam actions > > to "delete". That > > > > way the users never knew they were going to get it. > > > > > >Julian: There was a massive overnight discussion about what > > the "rule" > > >should be, and I must confess to not having absorbed every > > last detail or > > >two (or three or four... thousand). > > > > > >Could you summarise the consensus SA rule etc., please? Thanks. > > > > # JKF 11/12/2003 > > # This next rule provides some protection against the latest > > IE vulnerability > > uri IE_VULN /%01.*@/ > > score IE_VULN 100.0 > > describe IE_VULN Internet Explorer vulnerability > > > > > > >I will have a look at this - Julian, have you got > > patches for SA 2.61 > > > > >yet? (The page says to ask for patches for new versions > > of SA!! ;-) > > > > > > > > Not yet, but will do that this afternoon (nearly end of > > term here so > > > > actually have my head above water for once!). > > > > > >Julian: Could you get the SA folk to include your patches in their > > >distributions? > > > > I've tried before, to no avail. > > -- > > Julian Field > > www.MailScanner.info > > MailScanner thanks transtec Computers for their support > > > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > > -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From Antony at SOFT-SOLUTIONS.CO.UK Thu Dec 11 15:42:25 2003 
From: Antony at SOFT-SOLUTIONS.CO.UK (Antony Stone) Date: Thu Jan 12 21:21:31 2006 Subject: Internet Explorer URL Display problem In-Reply-To: <6.0.1.1.2.20031211153242.03716920@imap.ecs.soton.ac.uk> References: <0EBC45FCABFC95428EBFC3A51B368C9501C9C3CC@jessica.herefordshire.gov.uk> <6.0.1.1.2.20031211153242.03716920@imap.ecs.soton.ac.uk> Message-ID: <200312111542.26004.Antony@Soft-Solutions.co.uk> On Thursday 11 December 2003 3:34 pm, Julian Field wrote: > At 15:27 11/12/2003, you wrote: > >%0[0-9] would be better (or something like that). > > %[01][0-9a-fA-F] > instead of > %01 > perhaps? > > I would imagine that the guy who found this exploit tested other characters > too and found them not to be vulnerable. So %01 is probably good enough. The report at http://www.secunia.com/advisories/10395 mentions that %00 at least is also effective. Antony. -- If you want to be happy for an hour, get drunk. If you want to be happy for a year, get married. If you want to be happy for a lifetime, get a garden. Please reply to the list; please don't CC me. From nathan at TCPNETWORKS.NET Thu Dec 11 15:44:13 2003 
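The three URI patterns proposed in the IE URL display thread above, run side by side as an added Python example (not code from any poster or from MailScanner or SpamAssassin). The sample URIs are constructed, and the final check, which looks for %00 to %1F only in the part of the authority before "@", is an assumption of this example rather than a rule anyone on the list posted.

```python
import re
from urllib.parse import urlsplit

# Patterns proposed in the thread, written as Python regexes over the raw URI.
THREAD_PATTERNS = {
    "posted_rule": re.compile(r"%01.*@"),                # uri IE_VULN /%01.*@/
    "digits_only": re.compile(r"%0[0-9].*@"),            # the %0[0-9] suggestion
    "hex_00_to_1f": re.compile(r"%[01][0-9a-fA-F].*@"),  # the %[01][0-9a-fA-F] suggestion
}

# Assumption of this example: any percent-encoded byte 0x00-0x1F counts.
CONTROL_ESCAPE = re.compile(r"%[01][0-9a-fA-F]")


def userinfo_has_control_escape(uri):
    """True if the authority's userinfo (text before '@') holds %00-%1F."""
    try:
        netloc = urlsplit(uri).netloc
    except ValueError:
        return True  # authority cannot be parsed: treat as suspicious
    userinfo, sep, _host = netloc.rpartition("@")
    return bool(sep) and bool(CONTROL_ESCAPE.search(userinfo))


# Constructed sample URIs (documentation names and addresses only).
SAMPLE_URIS = {
    "pct01_userinfo": "http://www.trusted.example%01@203.0.113.5/login",
    "pct00_userinfo": "http://www.trusted.example%00@203.0.113.5/login",
    "pct0a_userinfo": "http://www.trusted.example%0A@203.0.113.5/login",
    # %01 in the path and an unrelated '@' in the query string
    "pct01_in_path": "http://shop.example/a%01b?contact=sales@shop.example",
    "plain_userinfo": "http://alice@files.example/read%20me.txt",
}


def compare(uris=SAMPLE_URIS):
    """Return {label: {pattern_name: matched?}} for every sample URI."""
    table = {}
    for label, uri in uris.items():
        row = {name: bool(rx.search(uri)) for name, rx in THREAD_PATTERNS.items()}
        row["userinfo_check"] = userinfo_has_control_escape(uri)
        table[label] = row
    return table


if __name__ == "__main__":
    for label, row in compare().items():
        print(f"{label:16}", row)
```

The table shows where the candidates differ: the rule as posted does not fire on %00, the digits-only variant does not fire on %0A, and all three regexes fire when the escape sits in the path and an "@" merely appears later in the URI.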
From: nathan at TCPNETWORKS.NET (Nathan Johanson) Date: Thu Jan 12 21:21:31 2006 Subject: Updating HTML::Parser and ExtUtils::MakeMaker Message-ID: Hello all, I'm in the process of building a new system around MailScanner, installing Razor, DCC, SpamAssassin, MailScanner, etc. and all of the appropriate perl modules. I started off by installing MailScanner using the install script to make sure I get all of the appropriate perl modules and patches. The system is fully functional, but I noticed that the SpamAssassin 2.6x documentation recommends HTML::Parser > 3.29 and ExtUtils::MakeMaker > 6.16. To satisfy this recommendation, I used CPAN to update these modules to versions 3.34 and 6.21 respectively. Things still appear to work fine, but I have a few questions after the fact: * I'm assuming MailScanner doesn't have compatibility problems with the latest versions of these modules? HTML::Parser 3.26 is included with MailScanner and ExtUtils::MakeMaker was updated to version 6.05 during the install process. Obviously, I'm a few iterations beyond these versions and wanted to make sure I'm not introducing any potential issues. * After updating, I remembered that HTML::Parser was installed via rpm. I did not remove this rpm before updating the module. Will this cause any problems? Nathan From mailscanner at ecs.soton.ac.uk Thu Dec 11 21:27:15 2003 From: mailscanner at ecs.soton.ac.uk (mailscanner@ecs.soton.ac.uk) Date: Thu Jan 12 21:21:31 2006 Subject: NOTIFY-New Guestbook Entry Message-ID: <200312112127.hBBLRFls012870@seer.ecs.soton.ac.uk> New Guestbook-Entry from Ken This is really a fantastic product when used in conjunction with spamassassin. Extremely easy to configure and highly customizable with tons of options. Keep up the good work From prandal at HEREFORDSHIRE.GOV.UK Thu Dec 11 15:27:45 2003 
From: prandal at HEREFORDSHIRE.GOV.UK (Randal, Phil) Date: Thu Jan 12 21:21:31 2006 Subject: Internet Explorer URL Display problem Message-ID: <0EBC45FCABFC95428EBFC3A51B368C9501C9C3CC@jessica.herefordshire.gov.uk> %0[0-9] would be better (or something like that). Or, any obfuscated "unprintable" ASCII code which isn't legitimate. I'd hazard a guess that anything other than %20 is dodgy, but I'm no expert. Phil --------------------------------------------- Phil Randal Network Engineer Herefordshire Council Hereford, UK > -----Original Message----- 
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > Behalf Of Julian Field > Sent: 11 December 2003 14:59 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Internet Explorer URL Display problem > > > At 14:22 11/12/2003, you wrote: > >On Thu, 11 Dec 2003, Julian Field wrote: > > > > > What I have done is set the score of the rule to 100, set > my high scoring > > > threshold to 100, and set the high scoring spam actions > to "delete". That > > > way the users never knew they were going to get it. > > > >Julian: There was a massive overnight discussion about what > the "rule" > >should be, and I must confess to not having absorbed every > last detail or > >two (or three or four... thousand). > > > >Could you summarise the consensus SA rule etc., please? Thanks. > > # JKF 11/12/2003 > # This next rule provides some protection against the latest > IE vulnerability > uri IE_VULN /%01.*@/ > score IE_VULN 100.0 > describe IE_VULN Internet Explorer vulnerability > > > > >I will have a look at this - Julian, have you got > patches for SA 2.61 > > > >yet? (The page says to ask for patches for new versions > of SA!! ;-) > > > > > > Not yet, but will do that this afternoon (nearly end of > term here so > > > actually have my head above water for once!). > > > >Julian: Could you get the SA folk to include your patches in their > >distributions? > > I've tried before, to no avail. > -- > Julian Field > www.MailScanner.info > MailScanner thanks transtec Computers for their support > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > From dean.plant at ROKE.CO.UK Thu Dec 11 17:00:11 2003 
From: dean.plant at ROKE.CO.UK (Plant, Dean) Date: Thu Jan 12 21:21:31 2006 Subject: Firewall woes - ports to be used Message-ID: The information from the Spamassassin docs (below) show two rules, is only the outbound rule required? Also note that DCC requires that you open your firewall for DCC reply packets on UDP port 6277. DCC uses UDP packets when replying, which are blocked by most firewalls by default. As a result, it requires that you open your firewall for DCC reply packets on UDP port 6277. Here's sample firewall rules required:

allow udp local gt 1023 to remote 6277
allow udp remote 6277 to local gt 1023

-----Original Message----- From: Antony Stone [mailto:Antony@SOFT-SOLUTIONS.CO.UK] Sent: 11 December 2003 12:30 To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Firewall woes - ports to be used On Thursday 11 December 2003 12:26 pm, Plant, Dean wrote: > FYI - the Razor ports are only required outbound. I should hope that is true of all of them!? (Assuming your firewall allows in reply packets - but none of the services should be initiated from outside....) Antony. > -----Original Message----- > From: Randal, Phil [mailto:prandal@HEREFORDSHIRE.GOV.UK] > Sent: 11 December 2003 11:43 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Firewall woes - ports to be used > > > Razor: 7/tcp and 2703/tcp > > DCC: 6277/udp > > pyzor: 24441/udp > > Cheers, > > Phil > > --------------------------------------------- > Phil Randal > Network Engineer > Herefordshire Council > Hereford, UK > > > -----Original Message----- 
> > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > > Behalf Of Michele Neylon :: Blacknight Solutions > > Sent: 11 December 2003 11:27 > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: Re: Firewall woes - ports to be used > > > > > > I can't see any reference to it in the FAQ :( > > Help!! > > > > Mr. Michele Neylon > > Blacknight Internet Solutions Ltd > > http://www.blacknightsolutions.ie/ > > http://www.search.ie/ > > Tel. + 353 (0)59 9137101 > > Lowest price domains in Ireland > > > > > -----Original Message----- 
> > > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > > > Behalf Of Spicer, Kevin > > > Sent: 11 December 2003 11:20 > > > To: MAILSCANNER@JISCMAIL.AC.UK > > > Subject: Re: Firewall woes - ports to be used > > > > > > Michele Neylon :: Blacknight Solutions wrote: > > > > After installing a new firewall we seem to have run into > > > > a number of > > > > > > issues regarding required ports. > > > > Can anybody help/advise? > > > > We are using: > > > > MailScanner > > > > with SA, Razor, Pyzor, DCC and the RBLs (of course) > > > > > > I _think_ this is in the FAQ -- This email is intended for the use of the individual addressee(s) named above and may contain information that is confidential, privileged or unsuitable for overly sensitive persons with low self-esteem, no sense of humour, or irrational religious beliefs. If you have received this email in error, you are required to shred it immediately, add some nutmeg, three egg whites and a dessertspoonful of caster sugar. Whisk until soft peaks form, then place in a warm oven for 40 minutes. Remove promptly and let stand for 2 hours before adding some decorative kiwi fruit and cream. Then notify me immediately by return email and eat the original message. Please reply to the list; please don't CC me. -- Registered Office: Roke Manor Research Ltd, Siemens House, Oldbury, Bracknell, Berkshire. RG12 8FZ The information contained in this e-mail and any attachments is confidential to Roke Manor Research Ltd and must not be passed to any third party without permission. This communication is for information only and shall not create or change any contractual relationship. From Antony at SOFT-SOLUTIONS.CO.UK Thu Dec 11 17:43:21 2003 
From: Antony at SOFT-SOLUTIONS.CO.UK (Antony Stone) Date: Thu Jan 12 21:21:31 2006 Subject: Firewall woes - ports to be used In-Reply-To: References: Message-ID: <200312111743.21870.Antony@Soft-Solutions.co.uk> On Thursday 11 December 2003 5:00 pm, Plant, Dean wrote: > The information from the Spamassassin docs (below) show two rules, is only > the outbound rule required? Depends whether your firewall is stateful or not (ie: whether it can allow "reply packets" without needing to be told explicitly what those are going to be). In the Linux world, if you're using the old ipchains, you need two rules per service, one for the outbound requests, and one for the inbound replies. If you're using the new iptables, you need one rule for the outbound request, and a single generic rule allowing reply packets (in response to anything going out of the firewall), which is not specific to DCC, Razor, Pyzor, or whatever. Stateful (iptables) is more secure, because it does not allow packets in from remote servers to high ports on local machines unless they are replies to something you were happy to allow out in the first place. Stateless (ipchains) will allow external systems more opportunity to port scan your network, and possibly even access some services, depending on what port numbers you're running them on (eg Squid on 3128 falls into the high range). Stateful is also simpler, because you need N+1 rules to support N services. Stateless requires 2N rules. If you want more detail on this I can recommend the netfilter mailing list - about as busy as this one and almost as friendly :) Antony. > Also note that DCC requires that you open your firewall for DCC reply > packets on UDP port 6277. DCC uses UDP packets when replying, which > are blocked by most firewalls by default. As a result, it requires > that you open your firewall for DCC reply packets on UDP port 6277. 
> Here's sample firewall rules required: > > allow udp local gt 1023 to remote 6277 > allow udp remote 6277 to local gt 1023 > > > -----Original Message----- > From: Antony Stone [mailto:Antony@SOFT-SOLUTIONS.CO.UK] > Sent: 11 December 2003 12:30 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Firewall woes - ports to be used > > On Thursday 11 December 2003 12:26 pm, Plant, Dean wrote: > > FYI - the Razor ports are only required outbound. > > I should hope that is true of all of them!? > > (Assuming your firewall allows in reply packets - but none of the services > should be initiated from outside....) > > Antony. > > > -----Original Message----- > > From: Randal, Phil [mailto:prandal@HEREFORDSHIRE.GOV.UK] > > Sent: 11 December 2003 11:43 > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: Re: Firewall woes - ports to be used > > > > > > Razor: 7/tcp and 2703/tcp > > > > DCC: 6277/udp > > > > pyzor: 24441/udp > > > > Cheers, > > > > Phil > > > > --------------------------------------------- > > Phil Randal > > Network Engineer > > Herefordshire Council > > Hereford, UK > > > > > -----Original Message----- > > > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > > > Behalf Of Michele Neylon :: Blacknight Solutions > > > Sent: 11 December 2003 11:27 > > > To: MAILSCANNER@JISCMAIL.AC.UK > > > Subject: Re: Firewall woes - ports to be used > > > > > > > > > I can't see any reference to it in the FAQ :( > > > Help!! > > > > > > Mr. Michele Neylon > > > Blacknight Internet Solutions Ltd > > > http://www.blacknightsolutions.ie/ > > > http://www.search.ie/ > > > Tel. + 353 (0)59 9137101 > > > Lowest price domains in Ireland > > > > > > > -----Original Message----- 
> > > > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > > > > Behalf Of Spicer, Kevin > > > > Sent: 11 December 2003 11:20 > > > > To: MAILSCANNER@JISCMAIL.AC.UK > > > > Subject: Re: Firewall woes - ports to be used > > > > > > > > Michele Neylon :: Blacknight Solutions wrote: > > > > > After installing a new firewall we seem to have run into > > > > > > a number of > > > > > > > > issues regarding required ports. > > > > > Can anybody help/advise? > > > > > We are using: > > > > > MailScanner > > > > > with SA, Razor, Pyzor, DCC and the RBLs (of course) > > > > > > > > I _think_ this is in the FAQ -- Perfection in design is achieved not when there is nothing left to add, but rather when there is nothing left to take away. - Antoine de Saint-Exupery Please reply to the list; please don't CC me. From sysadmins at ENHTECH.COM Thu Dec 11 17:44:54 2003 From: sysadmins at ENHTECH.COM (Errol Neal) Date: Thu Jan 12 21:21:31 2006 Subject: barracudanetworks devices Message-ID: <6.0.0.22.0.20031211124451.02bb2e30@mail.enhtech.com> Anybody heard of these devices? http://www.barracudanetworks.com/products_key_features.php Dedicated 1u spam filtering devices? I wonder how they stack up to MailScanner. Errol Neal From Antony at SOFT-SOLUTIONS.CO.UK Thu Dec 11 17:56:01 2003 
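The stateless versus stateful distinction from the "Firewall woes" thread above, as an added Python model (not code from any poster, and not real ipchains or iptables syntax). It uses the ports listed in the thread; the packet tuple, the addresses and the simplified flow table without timeouts are assumptions of this example.

```python
from collections import namedtuple

# direction is seen from the protected mail host: "out" (request) or "in".
Packet = namedtuple("Packet", "direction proto local_port remote remote_port")

# Ports listed in the thread: Razor 7/tcp and 2703/tcp, DCC 6277/udp,
# Pyzor 24441/udp.
SERVICES = [("tcp", 7), ("tcp", 2703), ("udp", 6277), ("udp", 24441)]


def stateless_rules(services):
    """Two rules per service, mirroring the quoted DCC pair:
    'local gt 1023 to remote PORT' and 'remote PORT to local gt 1023'."""
    rules = []
    for proto, port in services:
        rules.append(("out", proto, port))
        rules.append(("in", proto, port))
    return rules


def stateless_allows(rules, pkt):
    """A stateless filter looks at one packet at a time, nothing else."""
    return pkt.local_port > 1023 and (pkt.direction, pkt.proto, pkt.remote_port) in rules


class StatefulFilter:
    """One outbound rule per service plus one generic 'replies' rule."""

    def __init__(self, services):
        self.out_rules = [("out", proto, port) for proto, port in services]
        self.flows = set()  # simplified connection table, no expiry

    def rule_count(self):
        return len(self.out_rules) + 1  # N service rules + 1 reply rule

    def allows(self, pkt):
        flow = (pkt.proto, pkt.local_port, pkt.remote, pkt.remote_port)
        if pkt.direction == "out":
            ok = stateless_allows(self.out_rules, pkt)
            if ok:
                self.flows.add(flow)  # remember what we let out
            return ok
        return flow in self.flows  # inbound only as a reply to a known flow


def demo():
    rules = stateless_rules(SERVICES)
    stateful = StatefulFilter(SERVICES)
    # Constructed packets using documentation addresses.
    unsolicited = Packet("in", "udp", 40000, "198.51.100.9", 6277)
    request = Packet("out", "udp", 40000, "192.0.2.10", 6277)
    reply = Packet("in", "udp", 40000, "192.0.2.10", 6277)
    result = {
        "stateless_rule_count": len(rules),
        "stateful_rule_count": stateful.rule_count(),
        "stateless_unsolicited": stateless_allows(rules, unsolicited),
        "stateful_unsolicited": stateful.allows(unsolicited),
        "stateful_request": stateful.allows(request),
    }
    result["stateful_reply"] = stateful.allows(reply)
    result["stateful_unsolicited_after"] = stateful.allows(unsolicited)
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:28} {value}")
```

With four services the model needs 8 stateless rules against 5 stateful ones, and only the stateless set accepts an inbound UDP packet from remote port 6277 that no local request preceded.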
From: Antony at SOFT-SOLUTIONS.CO.UK (Antony Stone) Date: Thu Jan 12 21:21:31 2006 Subject: barracudanetworks devices In-Reply-To: <6.0.0.22.0.20031211124451.02bb2e30@mail.enhtech.com> References: <6.0.0.22.0.20031211124451.02bb2e30@mail.enhtech.com> Message-ID: <200312111756.01777.Antony@Soft-Solutions.co.uk> On Thursday 11 December 2003 5:44 pm, Errol Neal wrote: > Anybody heard of these devices? > > http://www.barracudanetworks.com/products_key_features.php > > I wonder how they stack up to MailScanner. Reading from the features on their website: > Blacklisting of websites & domains If you can still find a working DNS RBL, MailScanner will do this. > Keyword scanning of emails Use the new MCP and MailScanner will do this (as well as the default keyword/phrase checking which SpamAssassin does) > Checksum technology Razor, Pyzor, DCC > Message authenticity checking MTA reverse MX lookup. > Blacklists and Whitelists MailScanner does these. > Rate controls I seem to recall there's a new feature in MailScanner for this, even if you're not already doing it in sendmail. > File type attachment blocking MailScanner does this (I bet Barracuda does it by file extension only, not by file content type as well :) I think it's interesting that they're offering an anti-spam solution without any mention of anti-virus - seems a strange omission? Antony. -- In science, one tries to tell people in such a way as to be understood by everyone something that no-one ever knew before. In poetry, it is the exact opposite. - Paul Dirac Please reply to the list; please don't CC me. From brian at SOLUSCORP.COM Thu Dec 11 03:50:28 2003 
From: brian at SOLUSCORP.COM (Brian Wells) Date: Thu Jan 12 21:21:31 2006 Subject: Blacklist file changes getting removed by something References: <076001c3bef8$cb44dac0$d700600a@merlintest.net> <200312102330.41858.Antony@Soft-Solutions.co.uk> Message-ID: <07a601c3bf99$ee250190$d700600a@merlintest.net> Yes, check_mailscanner runs at the time that the files are being changed. Then I guess my question is why is check_mailscanner replacing my blacklist.rules file? Brian ----- Original Message ----- From: "Antony Stone" To: Sent: Wednesday, December 10, 2003 6:30 PM Subject: Re: Blacklist file changes getting removed by something > On Wednesday 10 December 2003 8:37 am, Brian Wells wrote: > > > Hi, > > > > Much to my annoyance, I noticed after I had entered by hand a bunch of > > hosts to my blacklist file, that my changes had been removed and a new > > blacklist file was in place. Looking at the timestamp on the file, it is > > getting replaced once an hour. > > > > I searched quite a bit for an explanation for this behaviour. Something > > like the auto whitelist feature except for the blacklist file. But I could > > not find anything. Does anyone have an explanation for this and how to > > turn it off? > > Does the timestamp on the file coincide with any cron jobs you have running? > > Antony > > -- > Software development can be quick, high quality, or low cost. > > The customer gets to pick any two out of three. > > Please reply to the list; > please don't CC me. > From tristanr at CI.GRANDJCT.CO.US Thu Dec 11 18:54:28 2003 
From: tristanr at CI.GRANDJCT.CO.US (Tristan Rhodes) Date: Thu Jan 12 21:21:31 2006 Subject: barracudanetworks devices Message-ID: These products do scan for viruses. It looks like they even use two anti-virus engines... Look at the flowchart at the bottom of this page... http://www.barracudanetworks.com/products.php I agree, Mailscanner and its numerous helper applications can attain the same functionality. It would be nice if all the applications were bundled up in a single package, though. Perhaps Mailscanner Enterprise Edition from Fortress will provide this capability when it is released??? On a side note, Mailscanner Basic Edition is listed in Network World Fusion's Anti-spam buyers guide. Apparently it takes a commercial entity to be listed in this guide. :( - (Mailscanner Basic Edition is free) :) http://www.nwfusion.com/bg/2003/spam/details.jsp?_tablename=antispam&name='MailScanner+Basic+Edition' Also found a reference to Mailscanner Basic Edition on the SpamHelp.org website. http://www.spamhelp.org/software/software.php?cat=3 I look forward to future Mailscanner-based products created by Fortress. Tristan Rhodes >>> Antony@SOFT-SOLUTIONS.CO.UK 12/11/03 10:56AM >>> On Thursday 11 December 2003 5:44 pm, Errol Neal wrote: > Anybody heard of these devices? > > http://www.barracudanetworks.com/products_key_features.php > > I wonder how they stack up to MailScanner. Reading from the features on their website: > Blacklisting of websites & domains If you can still find a working DNS RBL, MailScanner will do this. > Keyword scanning of emails Use the new MCP and MailScanner will do this (as well as the default keyword/phrase checking which SpamAssassin does) > Checksum technology Razor, Pyzor, DCC > Message authenticity checking MTA reverse MX lookup. > Blacklists and Whitelists MailScanner does these. > Rate controls I seem to recall there's a new feature in MailScanner for this, even if you're not already doing it in sendmail. 
> File type attachment blocking MailScanner does this (I bet Barracuda does it by file extension only, not by file content type as well :) I think it's interesting that they're offering an anti-spam solution without any mention of anti-virus - seems a strange omission? Antony. -- In science, one tries to tell people in such a way as to be understood by everyone something that no-one ever knew before. In poetry, it is the exact opposite. - Paul Dirac Please reply to the list; please don't CC me. From mikea at MIKEA.ATH.CX Thu Dec 11 21:06:08 2003 From: mikea at MIKEA.ATH.CX (mikea) Date: Thu Jan 12 21:21:31 2006 Subject: (slightly OT) "Gaven Stubberfield" arrested Message-ID: <20031211150608.A83136@mikea.ath.cx> for more info. Up to 5 years jail time and/or $2500 per count. I think it wouldn't be difficult to come up with a few thousand Stubberfield spams. Could be my spam load will go down a little bit. And this is promising: "Kilgore said although these are the first indictments, it is likely his computer crimes unit will be busy for an extended period to come." So mote it be! -- Mike Andrews mikea@mikea.ath.cx Tired old sysadmin From steve.swaney at FSL.COM Thu Dec 11 21:14:42 2003 From: steve.swaney at FSL.COM (Stephen Swaney) Date: Thu Jan 12 21:21:31 2006 Subject: (slightly OT) "Gaven Stubberfield" arrested In-Reply-To: <20031211150608.A83136@mikea.ath.cx> Message-ID: <20031211211429.64E3321C3C9@mail.fsl.com> > -----Original Message----- 
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On > Behalf Of mikea > Sent: Thursday, December 11, 2003 4:06 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: (slightly OT) "Gaven Stubberfield" arrested > > > > for more info. > > Up to 5 years jail time and/or $2500 per count. I think it wouldn't be > difficult to come up with a few thousand Stubberfield spams. > Unfortunately I believe that when the can-spam bill is signed by President Bush, the tougher state laws, i.e. California and Virginia, are superseded by the weaker Federal law and no longer in force. Stubberfield's arrest by authorities in Virginia wouldn't be possible. > Could be my spam load will go down a little bit. > > And this is promising: "Kilgore said although these are the first > indictments, it is likely his computer crimes unit will be busy for an > extended period to come." > > So mote it be! > > -- > Mike Andrews > mikea@mikea.ath.cx > Tired old sysadmin Stephen Swaney President Fortress Systems Ltd. steve.swaney@fsl.com From mkettler at EVI-INC.COM Thu Dec 11 21:45:49 2003 
From: mkettler at EVI-INC.COM (Matt Kettler) Date: Thu Jan 12 21:21:31 2006 Subject: (slightly OT) "Gaven Stubberfield" arrested In-Reply-To: <20031211211429.64E3321C3C9@mail.fsl.com> References: <20031211150608.A83136@mikea.ath.cx> <20031211211429.64E3321C3C9@mail.fsl.com> Message-ID: <6.0.0.22.0.20031211163553.0242bdc8@xanadu.evi-inc.com> At 04:14 PM 12/11/2003, Stephen Swaney wrote: >Unfortunately I believe that when the can-spam bill is signed by President >Bush, the tougher state laws, i.e. California and Virginia, are superseded >by the weaker Federal law and no longer in force. > >Stubberfield's arrest by authorities in Virginia wouldn't be possible. Well he was arrested in NC by authorities in NC, and is being extradited to VA, not arrested in VA. Even the weak federal law still enacts penalties against forged sender addresses, which is the part of the VA law they are being charged with. Had he committed the same act post can-spam, he'd be facing a federal offense instead of a state one. Not to say that can-spam isn't full of holes to the point of being useless, but his exact acts are illegal under can-spam's provisions per 1037(a)(3). He probably violated (a)(2) and (a)(4) as well. See page 13 of http://www.cauce.org/S877.pdf. Of course, post can-spam, he'd have just modified his spam tactics slightly and be more-or-less home free :( From mikea at MIKEA.ATH.CX Thu Dec 11 22:05:12 2003 From: mikea at MIKEA.ATH.CX (mikea) Date: Thu Jan 12 21:21:31 2006 Subject: (slightly OT) "Gaven Stubberfield" arrested In-Reply-To: <20031211211429.64E3321C3C9@mail.fsl.com>; from steve.swaney@FSL.COM on Thu, Dec 11, 2003 at 04:14:42PM -0500 References: <20031211150608.A83136@mikea.ath.cx> <20031211211429.64E3321C3C9@mail.fsl.com> Message-ID: <20031211160512.A83501@mikea.ath.cx> On Thu, Dec 11, 2003 at 04:14:42PM -0500, Stephen Swaney wrote: > > -----Original Message----- 
> > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On > > Behalf Of mikea > > Sent: Thursday, December 11, 2003 4:06 PM > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: (slightly OT) "Gaven Stubberfield" arrested > > > > > > > > for more info. > > > > Up to 5 years jail time and/or $2500 per count. I think it wouldn't be > > difficult to come up with a few thousand Stubberfield spams. > > > Unfortunately I believe that when the can-spam bill is signed by President > Bush, the tougher state laws, i.e. California and Virginia, are superseded > by the weaker Federal law and no longer in force. > Stubberfield's arrest by authorities in Virginia wouldn't be possible. > > Could be my spam load will go down a little bit. > > > > And this is promising: "Kilgore said although these are the first > > indictments, it is likely his computer crimes unit will be busy for an > > extended period to come." Erm ... I _really_ don't want to drag this out here; it's getting lots and lots of publicity in SPAM-l, and no doubt on nana* as well. But a lawyer friend did an analysis, and concluded that since the .va.us laws treat what Stubberfield & Co. did as _trespassing_ in various ways, it's a series of Class 6 felonies and _not_ pre-empted by You-Can-Spam. I'll be watching the bonfires and the torchlight parade on SPAM-l and nana*. Y'all have fun, y'heah? -- Mike Andrews mikea@mikea.ath.cx Tired old sysadmin From brose at MED.WAYNE.EDU Fri Dec 12 03:16:49 2003 
From: brose at MED.WAYNE.EDU (Rose, Bobby) Date: Thu Jan 12 21:21:31 2006 Subject: MailScanner and SA Config Message-ID: I don't think this was realized until now but since MailScanner calls SA with the specified config file option, then SA doesn't read all the .cf files in /etc/mail/spamassassin I only found out recently on the SA lists that SA would do this. SA will read in every cf file located there. The benefit is that you don't have to keep modifying one file for example using the frequently updated evil rules found on the SA custom rule emporium http://www.merchantsoverseas.com/wwwroot/gorilla/sa_rules.htm Can the next Mailscanner have the ability to specify a file or path or turn off the sa conf option? -=Bobby From ryan.finnesey at CORPDSG.COM Fri Dec 12 05:31:59 2003 From: ryan.finnesey at CORPDSG.COM (Ryan Finnesey) Date: Thu Jan 12 21:21:31 2006 Subject: barracudanetworks devices Message-ID: <3041D4D2B8A6F746AD9217BE05AE68C407BCA3@dc012.corpdsg.com> What does Mailscanner Enterprise Edition do that Basic can not do? Ryan -----Original Message----- 
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Tristan Rhodes Sent: Thursday, December 11, 2003 1:54 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: barracudanetworks devices These products do scan for viruses. It looks like they even use two anti-virus engines... Look at the flowchart at the bottom of this page... http://www.barracudanetworks.com/products.php I agree, Mailscanner and its numerous helper applications can attain the same functionality. It would be nice if all the applications were bundled up in a single package, though. Perhaps Mailscanner Enterprise Edition from Fortress will provide this capability when it is released??? On a side note, Mailscanner Basic Edition is listed in Network World Fusion's Anti-spam buyers guide. Apparently it takes a commercial entity to be listed in this guide. :( - (Mailscanner Basic Edition is free) :) http://www.nwfusion.com/bg/2003/spam/details.jsp?_tablename=antispam&nam e='MailScanner+Basic+Edition' Also found a reference to Mailscanner Basic Edition on the SpamHelp.org website. http://www.spamhelp.org/software/software.php?cat=3 I look forward to future Mailscanner-based products created by Fortress. Tristan Rhodes >>> Antony@SOFT-SOLUTIONS.CO.UK 12/11/03 10:56AM >>> On Thursday 11 December 2003 5:44 pm, Errol Neal wrote: > Anybody heard of these devices? > > http://www.barracudanetworks.com/products_key_features.php > > I wonder how they stack up to MailScanner. Reading from the features on their website: > Blacklisting of websites & domains If you can still find a working DNS RBL, MailScanner will do this. > Keyword scanning of emails Use the new MCP and MailScanner will do this (as well as the default keyword/phrase checking which SpamAssassin does) > Checksum technology Razor, Pyzor, DCC > Message authenticity checking MTA reverse MX lookup. > Blacklists and Whitelists MailScanner does these. 
> Rate controls I seem to recall there's a new feature in MailScanner for this, even if you're not already doing it in sendmail. > File type attachment blocking MailScanner does this (I bet Barracuda does it by file extension only, not by file content type as well :) I think it's interesting that they're offering an anti-spam solution without any mention of anti-virus - seems a strange omission? Antony. -- In science, one tries to tell people in such a way as to be understood by everyone something that no-one ever knew before. In poetry, it is the exact opposite. - Paul Dirac Please reply to the list; please don't CC me. From Q.G.Campbell at NEWCASTLE.AC.UK Fri Dec 12 08:37:52 2003 From: Q.G.Campbell at NEWCASTLE.AC.UK (Quentin Campbell) Date: Thu Jan 12 21:21:31 2006 Subject: Unexpected whitelisting behaviour Message-ID: <74BC2BBF06470148911E64E2B48FE13964C650@pinewood.ncl.ac.uk> [snip] >From the code, it looks like it adds the "SpamScore" header >if the score > 0. >However, the main Spam Header (SpamCheck) is only added if it >is actually spam, or would be spam if it wasn't whitelisted (I think). Julian I have done some further tests and the code for the "SpamScore" header seems to work more or less as you describe above. If the score is < 1.0 there is no "SpamScore" header. If the score is >= 1.0 then the number of "s" characters in the "SpamScore" header appears to be the score rounded down to the nearest integer. Quentin From mailscanner at ecs.soton.ac.uk Fri Dec 12 08:22:21 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:31 2006 Subject: Blacklist file changes getting removed by something In-Reply-To: <07a601c3bf99$ee250190$d700600a@merlintest.net> References: <076001c3bef8$cb44dac0$d700600a@merlintest.net> <200312102330.41858.Antony@Soft-Solutions.co.uk> <07a601c3bf99$ee250190$d700600a@merlintest.net> Message-ID: <6.0.1.1.2.20031212082135.038e4a60@imap.ecs.soton.ac.uk> At 03:50 11/12/2003, you wrote: >Yes, check_mailscanner runs at the time that the files are being changed. >Then I guess my question is why is check_mailscanner replacing my >blacklist.rules file? It's not. Something else must be happening too. Take a look at the code of check_mailscanner and you won't find any reference to any rules files. >Brian >----- Original Message ----- 
>From: "Antony Stone" >To: >Sent: Wednesday, December 10, 2003 6:30 PM >Subject: Re: Blacklist file changes getting removed by something > > > > On Wednesday 10 December 2003 8:37 am, Brian Wells wrote: > > > > > Hi, > > > > > > Much to my annoyance, I noticed after I had entered by hand a bunch of > > > hosts to my blacklist file, that my changes had been removed and a new > > > blacklist file was in place. Looking at the timestamp on the file, it >is > > > getting replaced once an hour. > > > > > > I searched quite a bit for an explanation for this behaviour. Something > > > like the auto whitelist feature except for the blacklist file. But I >could > > > not find anything. Does anyone have an explanation for this and how to > > > turn it off? > > > > Does the timestamp on the file coincide with any cron jobs you have >running? > > > > Antony > > > > -- > > Software development can be quick, high quality, or low cost. > > > > The customer gets to pick any two out of three. > > > > Please reply to the >list; > > please don't CC >me. > > -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From dean.plant at ROKE.CO.UK Fri Dec 12 09:25:06 2003 From: dean.plant at ROKE.CO.UK (Plant, Dean) Date: Thu Jan 12 21:21:31 2006 Subject: Firewall woes - ports to be used Message-ID: Thanks for the info. -----Original Message----- 
From: Antony Stone [mailto:Antony@SOFT-SOLUTIONS.CO.UK] Sent: 11 December 2003 17:43 To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Firewall woes - ports to be used On Thursday 11 December 2003 5:00 pm, Plant, Dean wrote: > The information from the Spamassassin docs (below) show two rules, is only > the outbound rule required? Depends whether your firewall is stateful or not (ie: whether it can allow "reply packets" without needing to be told explicitly what those are going to be). In the Linux world, if you're using the old ipchains, you need two rules per service, one for the outbound requests, and one for the inbound replies. If you're using the new iptables, you need one rule for the outbound request, and a single generic rule allowing reply packets (in response to anything going out of the firewall), which is not specific to DCC, Razor, Pyzor, or whatever. Stateful (iptables) is more secure, because it does not allow packets in from remote servers to high ports on local machines unless they are replies to something you were happy to allow out in the first place. Stateless (ipchains) will allow external systems more opportunity to port scan your network, and possibly even access some services, depending on what port numbers you're running them on (eg Squid on 3128 falls into the high range). Stateful is also simpler, because you need N+1 rules to support N services. Stateless requires 2N rules. If you want more detail on this I can recommend the netfilter mailing list - about as busy as this one and almost as friendly :) Antony. > Also note that DCC requires that you open your firewall for DCC reply > packets on UDP port 6277. DCC uses UDP packets when replying, which > are blocked by most firewalls by default. As a result, it requires > that you open your firewall for DCC reply packets on UDP port 6277. > Here's sample firewall rules required: > > allow udp local gt 1023 to remote 6277 > allow udp remote 6277 to local gt 1023 > > > -----Original Message----- 
> From: Antony Stone [mailto:Antony@SOFT-SOLUTIONS.CO.UK] > Sent: 11 December 2003 12:30 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Firewall woes - ports to be used > > On Thursday 11 December 2003 12:26 pm, Plant, Dean wrote: > > FYI - the Razor ports are only required outbound. > > I should hope that is true of all of them!? > > (Assuming your firewall allows in reply packets - but none of the services > should be initiated from outside....) > > Antony. > > > -----Original Message----- > > From: Randal, Phil [mailto:prandal@HEREFORDSHIRE.GOV.UK] > > Sent: 11 December 2003 11:43 > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: Re: Firewall woes - ports to be used > > > > > > Razor: 7/tcp and 2703/tcp > > > > DCC: 6277/udp > > > > pyzor: 24441/udp > > > > Cheers, > > > > Phil > > > > --------------------------------------------- > > Phil Randal > > Network Engineer > > Herefordshire Council > > Hereford, UK > > > > > -----Original Message----- > > > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > > > Behalf Of Michele Neylon :: Blacknight Solutions > > > Sent: 11 December 2003 11:27 > > > To: MAILSCANNER@JISCMAIL.AC.UK > > > Subject: Re: Firewall woes - ports to be used > > > > > > > > > I can't see any reference to it in the FAQ :( > > > Help!! > > > > > > Mr. Michele Neylon > > > Blacknight Internet Solutions Ltd > > > http://www.blacknightsolutions.ie/ > > > http://www.search.ie/ > > > Tel. + 353 (0)59 9137101 > > > Lowest price domains in Ireland > > > > > > > -----Original Message----- 
> > > > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > > > > Behalf Of Spicer, Kevin > > > > Sent: 11 December 2003 11:20 > > > > To: MAILSCANNER@JISCMAIL.AC.UK > > > > Subject: Re: Firewall woes - ports to be used > > > > > > > > Michele Neylon :: Blacknight Solutions wrote: > > > > > After installing a new firewall we seem to have run into > > > > > > a number of > > > > > > > > issues regarding required ports. > > > > > Can anybody help/advise? > > > > > We are using: > > > > > MailScanner > > > > > with SA, Razor, Pyzor, DCC and the RBLs (of course) > > > > > > > > I _think_ this is in the FAQ -- Perfection in design is achieved not when there is nothing left to add, but rather when there is nothing left to take away. - Antoine de Saint-Exupery Please reply to the list; please don't CC me. -- Registered Office: Roke Manor Research Ltd, Siemens House, Oldbury, Bracknell, Berkshire. RG12 8FZ The information contained in this e-mail and any attachments is confidential to Roke Manor Research Ltd and must not be passed to any third party without permission. This communication is for information only and shall not create or change any contractual relationship. From prandal at HEREFORDSHIRE.GOV.UK Fri Dec 12 10:23:44 2003 
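The stateless versus stateful trade-off Antony Stone describes in the firewall thread above, modelled as a small packet filter. This is an added example, not part of the original messages and not ipchains or iptables code; the `Packet` fields, class names, addresses and sample packets are constructed for illustration, and only the service ports and the Squid port 3128 come from the thread.

```python
from dataclasses import dataclass

# Ports quoted in the thread (Razor also lists 7/tcp; one port per service
# keeps the rule count easy to follow).
SERVICES = {"razor": ("tcp", 2703), "dcc": ("udp", 6277), "pyzor": ("udp", 24441)}


@dataclass(frozen=True)
class Packet:
    direction: str    # "out" = leaving the mail server, "in" = arriving
    proto: str
    local_port: int
    remote_ip: str
    remote_port: int


class StatelessFilter:
    """Two rules per service: 'local >1023 to remote P' and 'remote P to local >1023'."""

    def __init__(self, services):
        self.rules = set()
        for proto, port in services.values():
            self.rules.add(("out", proto, port))
            self.rules.add(("in", proto, port))

    def accept(self, pkt):
        # Only the ports are inspected; nothing records whether a request went out.
        return pkt.local_port > 1023 and (pkt.direction, pkt.proto, pkt.remote_port) in self.rules


class StatefulFilter:
    """One outbound rule per service plus one generic 'replies to known flows' rule."""

    def __init__(self, services):
        self.rules = {("out", proto, port) for proto, port in services.values()}
        self.rules.add(("in", "established", None))
        self.flows = set()  # simplified connection table; real ones also expire entries

    def accept(self, pkt):
        flow = (pkt.proto, pkt.local_port, pkt.remote_ip, pkt.remote_port)
        if pkt.direction == "out":
            allowed = pkt.local_port > 1023 and ("out", pkt.proto, pkt.remote_port) in self.rules
            if allowed:
                self.flows.add(flow)
            return allowed
        return flow in self.flows


# Constructed traffic (documentation address ranges).
DCC_QUERY = Packet("out", "udp", 40000, "192.0.2.10", 6277)
DCC_REPLY = Packet("in", "udp", 40000, "192.0.2.10", 6277)
# Never requested: remote source port 2703 aimed at a local high-port service (3128).
UNSOLICITED = Packet("in", "tcp", 3128, "198.51.100.7", 2703)


def run(filter_cls):
    fw = filter_cls(SERVICES)
    return {
        "rules": len(fw.rules),
        "query": fw.accept(DCC_QUERY),
        "reply": fw.accept(DCC_REPLY),
        "unsolicited": fw.accept(UNSOLICITED),
    }


if __name__ == "__main__":
    for cls in (StatelessFilter, StatefulFilter):
        print(cls.__name__, run(cls))
```

With three services the stateless model needs 2N = 6 rules and the stateful one N+1 = 4, and only the stateless model lets the unrequested packet reach port 3128.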
From: prandal at HEREFORDSHIRE.GOV.UK (Randal, Phil) Date: Thu Jan 12 21:21:31 2006 Subject: Internet Explorer URL Display problem Message-ID: <0EBC45FCABFC95428EBFC3A51B368C9501C9C3D4@jessica.herefordshire.gov.uk> When in doubt, consult the RFCs. RFC 1738 (http://www.faqs.org/rfcs/rfc1738.html) says: "3.3. HTTP The HTTP URL scheme is used to designate Internet resources accessible using HTTP (HyperText Transfer Protocol). The HTTP protocol is specified elsewhere. This specification only describes the syntax of HTTP URLs. An HTTP URL takes the form: http://:/? where and are as described in Section 3.1. If : is omitted, the port defaults to 80. No user name or password is allowed." Interesting! I wonder what would break if we were that strict? Cheers, Phil --------------------------------------------- Phil Randal Network Engineer Herefordshire Council Hereford, UK > -----Original Message----- > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > Behalf Of Antony Stone > Sent: 11 December 2003 15:42 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Internet Explorer URL Display problem > > > On Thursday 11 December 2003 3:34 pm, Julian Field wrote: > > > At 15:27 11/12/2003, you wrote: > > >%0[0-9] would be better (or something like that). > > > > %[01][0-9a-fA-F] > > instead of > > %01 > > perhaps? > > > > I would imagine that the guy who found this exploit tested > other characters > > too and found them not to be vulnerable. So %01 is probably > good enough. > > The report at http://www.secunia.com/advisories/10395 > mentions that %00 at > least is also effective. > > Antony. > > -- > If you want to be happy for an hour, get drunk. > If you want to be happy for a year, get married. > If you want to be happy for a lifetime, get a garden. > > Please > reply to the list; > > please don't CC me. > From nejc.skoberne at guest.arnes.si Fri Dec 12 10:28:29 2003 
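One way to turn the two checks discussed in this thread into a message-body scan: the `%[01][0-9a-fA-F]` pattern suggested by Julian Field, and the RFC 1738 statement quoted above that an HTTP URL carries no user name or password. This is an added example, not MailScanner code; the function names, the choice to test only the authority part of the URL, and the sample body are assumptions made for illustration.

```python
import re

# Loose URL extractor for text or HTML bodies (stops at whitespace, quotes, <>).
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
# Pattern from the thread: a percent-escape for a byte in the range 0x00-0x1F.
CTRL_ESCAPE_RE = re.compile(r"%[01][0-9a-fA-F]")


def split_authority(url):
    """Return (userinfo or None, hostport) for an http(s) URL string."""
    rest = url.split("://", 1)[1]
    authority = re.split(r"[/?#]", rest, maxsplit=1)[0]
    userinfo, sep, hostport = authority.rpartition("@")
    return (userinfo if sep else None), hostport


def check_url(url):
    """List the reasons a URL deserves attention; an empty list means none found."""
    reasons = []
    userinfo, hostport = split_authority(url)
    if userinfo is not None:
        # The quoted RFC 1738 section allows no user name or password here.
        reasons.append("userinfo")
    # Assumption: only the part before the first '/', '?' or '#' is tested, so an
    # escaped newline in a path or query does not raise a finding.
    if CTRL_ESCAPE_RE.search(userinfo or "") or CTRL_ESCAPE_RE.search(hostport):
        reasons.append("control-escape")
    return reasons


def scan_message(body):
    """Return [(url, reasons)] for every URL in the body with at least one finding."""
    findings = []
    for url in URL_RE.findall(body):
        reasons = check_url(url)
        if reasons:
            findings.append((url, reasons))
    return findings


# Constructed sample body using reserved example names and addresses.
SAMPLE_BODY = """
<a href="http://www.example.com/index.html?q=a%20b">ordinary link</a>
<a href="http://www.example.com%01@192.0.2.66/login">looks like example.com</a>
<a href="http://www.example.com%00@192.0.2.66/">same idea with %00</a>
<a href="https://user:pw@ftp.example.org/">credentials in the URL</a>
<a href="http://www.example.com/a%0Ab">escape in the path only</a>
"""

if __name__ == "__main__":
    for url, reasons in scan_message(SAMPLE_BODY):
        print(url, reasons)
```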
From: nejc.skoberne at guest.arnes.si (Nejc Skoberne) Date: Thu Jan 12 21:21:31 2006 Subject: Defining messages to be spamchecked Message-ID: <1196863268.20031212112829@guest.arnes.si> Hi, list. Currently my server checks all mail (from all the domains) for spam. I would like it to check just specific domains (defined by me) for spam. Where could I do that? Thanks. -- Nejc Skoberne Grajska 5 SI-5220 Tolmin E-mail: nejc.skoberne@guest.arnes.si From mailscanner at ecs.soton.ac.uk Fri Dec 12 10:35:20 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:31 2006 Subject: Defining messages to be spamchecked In-Reply-To: <1196863268.20031212112829@guest.arnes.si> References: <1196863268.20031212112829@guest.arnes.si> Message-ID: <6.0.1.1.2.20031212103502.07cd23e8@imap.ecs.soton.ac.uk> Please read up about rulesets in /etc/MailScanner/rules/* and on the FAQ. At 10:28 12/12/2003, you wrote: >Hi, list. > >Currently my server checks all mail (from all the domains) for spam. I >would like it to check just specific domains (defined by me) for spam. > >Where could I do that? > >Thanks. > >-- >Nejc Skoberne >Grajska 5 >SI-5220 Tolmin >E-mail: nejc.skoberne@guest.arnes.si -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From raymond at PROLOCATION.NET Fri Dec 12 10:31:34 2003 From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:21:31 2006 Subject: Defining messages to be spamchecked In-Reply-To: <1196863268.20031212112829@guest.arnes.si> Message-ID: Hi! > Currently my server checks all mail (from all the domains) for spam. I > would like it to check just specific domains (defined by me) for spam. > > Where could I do that? Have a look at the included ruleset examples. You can pick them up very easily, I think. Bye, Raymond. From jrawcliffe at LONDON.EDU Fri Dec 12 11:16:24 2003 
From: jrawcliffe at LONDON.EDU (Julian Rawcliffe) Date: Thu Jan 12 21:21:31 2006 Subject: Filename scanning preference order Message-ID: <1071227784.16528.249.camel@isd92.lbs.ac.uk> I am having a number of users complain about attachments being quarantined (and confusing this with virus infection) because of double extension filenames, eg. file.tmp.pdf. There is no reason to block these files. Can I get away with specifying a filename rule to allow any .pdf file whilst still keeping the generic multiple extension deny rule in place? Would something like, allow \.pdf$ be sufficient or do the deny rules take precedence over allows? -- Julian Rawcliffe London Business School, Sussex Place, Regents Park, London. NW1 4SA t: +44 (0)20 7000 7782 direct --- Helpdesk t: +44 (0)20 7000 7700 m: +44 (0)7966 90 7782 mobile --- Helpdesk f: +44 (0)20 7724 6300 mailto:jrawcliffe@london.edu --- http://www.london.edu/technology/ From mailscanner at ecs.soton.ac.uk Fri Dec 12 11:35:59 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:31 2006 Subject: Filename scanning preference order In-Reply-To: <1071227784.16528.249.camel@isd92.lbs.ac.uk> References: <1071227784.16528.249.camel@isd92.lbs.ac.uk> Message-ID: <6.0.1.1.2.20031212113526.0395f9a0@imap.ecs.soton.ac.uk> At 11:16 12/12/2003, you wrote: >I am having a number of users complain about attachments being >quarantined (and confusing this with virus infection) because >of double extension filenames, eg. file.tmp.pdf. There is >no reason to block these files. > >Can I get away with specifying a filename rule to allow any >.pdf file whilst still keeping the generic multiple extension >deny rule in place? Would something like, >allow \.pdf$ >be sufficient or do the deny rules take precedence over allows? Yes, that's fine. The rules are strictly checked in the order they are in the file. The first rule that matches produces the result. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From prandal at HEREFORDSHIRE.GOV.UK Fri Dec 12 11:47:22 2003 From: prandal at HEREFORDSHIRE.GOV.UK (Randal, Phil) Date: Thu Jan 12 21:21:31 2006 Subject: Internet Explorer URL Display problem Message-ID: <0EBC45FCABFC95428EBFC3A51B368C9501C9C3D5@jessica.herefordshire.gov.uk> Oops, egg on face time... RFC 2396 (http://www.faqs.org/rfcs/rfc2396.html) generalises URIs. Sorry for the noise, Phil --------------------------------------------- Phil Randal Network Engineer Herefordshire Council Hereford, UK > -----Original Message----- 
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > Behalf Of Randal, Phil > Sent: 12 December 2003 10:24 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Internet Explorer URL Display problem > > > When in doubt, consult the RFCs. RFC 1738 > (http://www.faqs.org/rfcs/rfc1738.html) > says: > > "3.3. HTTP > > The HTTP URL scheme is used to designate Internet resources > accessible using HTTP (HyperText Transfer Protocol). > > The HTTP protocol is specified elsewhere. This specification only > describes the syntax of HTTP URLs. > > An HTTP URL takes the form: > > http://:/? > > where and are as described in Section 3.1. If : > is omitted, the port defaults to 80. No user name or password is > allowed." > > Interesting! I wonder what would break if we were that strict? > > Cheers, > > Phil > > --------------------------------------------- > Phil Randal > Network Engineer > Herefordshire Council > Hereford, UK > > > -----Original Message----- 
> > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > > Behalf Of Antony Stone > > Sent: 11 December 2003 15:42 > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: Re: Internet Explorer URL Display problem > > > > > > On Thursday 11 December 2003 3:34 pm, Julian Field wrote: > > > > > At 15:27 11/12/2003, you wrote: > > > >%0[0-9] would be better (or something like that). > > > > > > %[01][0-9a-fA-F] > > > instead of > > > %01 > > > perhaps? > > > > > > I would imagine that the guy who found this exploit tested > > other characters > > > too and found them not to be vulnerable. So %01 is probably > > good enough. > > > > The report at http://www.secunia.com/advisories/10395 > > mentions that %00 at > > least is also effective. > > > > Antony. > > > > -- > > If you want to be happy for an hour, get drunk. > > If you want to be happy for a year, get married. > > If you want to be happy for a lifetime, get a garden. > > > > Please > > reply to the list; > > > > please don't CC me. > > > From tristanr at CI.GRANDJCT.CO.US Fri Dec 12 15:44:07 2003 
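The first-match behaviour Julian Field describes in the "Filename scanning preference order" thread earlier in this archive, worked through for the `allow \.pdf$` rule. This is an added example, not MailScanner code or its shipped rules file; the double-extension pattern, the catch-all rule, the case-insensitive matching, the rule-set names and the sample filenames are all constructed for illustration.

```python
import re

# Constructed stand-in for a generic "two extensions" deny rule.
DOUBLE_EXT = r"\.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$"

# Each rule set is an ordered list of (action, regex), as in a rules file read top-down.
RULESETS = {
    # Starting point: double extensions are denied, everything else passes.
    "deny_only": [("deny", DOUBLE_EXT), ("allow", r".*")],
    # The proposal from the thread: the anchored allow sits above the deny.
    "allow_first": [("allow", r"\.pdf$"), ("deny", DOUBLE_EXT), ("allow", r".*")],
    # Same allow rule placed below the deny: it is reached too late for file.tmp.pdf.
    "allow_late": [("deny", DOUBLE_EXT), ("allow", r"\.pdf$"), ("allow", r".*")],
    # Allow rule without the trailing '$': matches ".pdf" anywhere in the name.
    "unanchored": [("allow", r"\.pdf"), ("deny", DOUBLE_EXT), ("allow", r".*")],
}

# Constructed attachment names.
SAMPLES = ["file.tmp.pdf", "invoice.pdf", "report.pdf.exe", "notes.txt"]


def first_match(rules, filename):
    """Return (action, rule index) of the first rule whose regex matches."""
    for index, (action, pattern) in enumerate(rules):
        if re.search(pattern, filename, re.IGNORECASE):
            return action, index
    return "allow", None  # assumption: a name that matches no rule is accepted


def verdicts(rules, filenames=SAMPLES):
    """Map each filename to the action its first matching rule produces."""
    return {name: first_match(rules, name)[0] for name in filenames}


def changed(before, after, filenames=SAMPLES):
    """Filenames whose verdict differs between two rule sets, as (old, new)."""
    old, new = verdicts(before, filenames), verdicts(after, filenames)
    return {name: (old[name], new[name]) for name in filenames if old[name] != new[name]}


if __name__ == "__main__":
    for label, rules in RULESETS.items():
        print(label, verdicts(rules))
    print(changed(RULESETS["deny_only"], RULESETS["unanchored"]))
```

Diffing the verdicts before deploying a new ordering shows that the anchored rule above the deny changes only `file.tmp.pdf`, while the unanchored variant also starts accepting `report.pdf.exe`.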
From: tristanr at CI.GRANDJCT.CO.US (Tristan Rhodes) Date: Thu Jan 12 21:21:31 2006 Subject: barracudanetworks devices (and MailScanner products from Fortress) Message-ID: I do not have much information, except what is posted on their website. Perhaps a representative from Fortress could explain it better. http://www.fsl.com/store.htm ------------------------------------------- MailScanner Basic: Free Download. In addition to the binary or source distributions, our basic edition download includes some extras: * Expanded documentation for installation and configuration * Configuration file examples * Optional packages such as DCC, Pyzor and Razor MailScanner Enterprise Edition: Download will be available for a fee. In addition to the all of the Basic Edition features, this enhanced edition includes tools and utilities for the multiple mail scanner configurations typically required for a large enterprise: * Centralized configuration databases for MTAs, MailScanner, SpamAssassin and User Preferences * Performance monitoring tools for email gateways * Automated reporting tools * Update service * Web Support service MailScanner and SpamAssassin Updates: Keep your email gateways current with the latest editions of MailScanner, SpamAssassin and our custom spam filtering rules. You will receive email notifications of available updates after the new releases have been thoroughly tested on our email gateways. Timely spam filter updates will be released as spammers change tactics to avoid detection. One year of this service is included in the download fee for the Enterprise Edition and will be available for a fee with the Basic Edition of MailScanner. ------------------------------------------- I do not think the enterprise edition is available yet, and from what I can tell the basic edition is simply a list of links to download Mailscanner and its helper applications. 
( Note: This list is outdated, using versions from several releases back, such as SpamAssassin 2.55) Tristan Rhodes >>> ryan.finnesey@CORPDSG.COM 12/11/03 10:31PM >>> What does Mailscanner Enterprise Edition do that Basic can not do? Ryan -----Original Message----- 
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Tristan Rhodes Sent: Thursday, December 11, 2003 1:54 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: barracudanetworks devices These products do scan for viruses. It looks like they even use two anti-virus engines... Look at the flowchart at the bottom of this page... http://www.barracudanetworks.com/products.php I agree, Mailscanner and its numerous helper applications can attain the same functionality. It would be nice if all the applications were bundled up in a single package, though. Perhaps Mailscanner Enterprise Edition from Fortress will provide this capability when it is released??? On a side note, Mailscanner Basic Edition is listed in Network World Fusion's Anti-spam buyers guide. Apparently it takes a commercial entity to be listed in this guide. :( - (Mailscanner Basic Edition is free) :) http://www.nwfusion.com/bg/2003/spam/details.jsp?_tablename=antispam&nam e='MailScanner+Basic+Edition' Also found a reference to Mailscanner Basic Edition on the SpamHelp.org website. http://www.spamhelp.org/software/software.php?cat=3 I look forward to future Mailscanner-based products created by Fortress. Tristan Rhodes >>> Antony@SOFT-SOLUTIONS.CO.UK 12/11/03 10:56AM >>> On Thursday 11 December 2003 5:44 pm, Errol Neal wrote: > Anybody heard of these devices? > > http://www.barracudanetworks.com/products_key_features.php > > I wonder how they stack up to MailScanner. Reading from the features on their website: > Blacklisting of websites & domains If you can still find a working DNS RBL, MailScanner will do this. > Keyword scanning of emails Use the new MCP and MailScanner will do this (as well as the default keyword/phrase checking which SpamAssassin does) > Checksum technology Razor, Pyzor, DCC > Message authenticity checking MTA reverse MX lookup. > Blacklists and Whitelists MailScanner does these. 
> Rate controls

I seem to recall there's a new feature in MailScanner for this, even if you're not already doing it in sendmail.

> File type attachment blocking

MailScanner does this (I bet Barracuda does it by file extension only, not by file content type as well :)

I think it's interesting that they're offering an anti-spam solution without any mention of anti-virus - seems a strange omission?

Antony.

--
In science, one tries to tell people in such a way as to be understood by everyone something that no-one ever knew before.

In poetry, it is the exact opposite.

- Paul Dirac

Please reply to the list; please don't CC me.

From tristanr at CI.GRANDJCT.CO.US Fri Dec 12 15:53:56 2003
From: tristanr at CI.GRANDJCT.CO.US (Tristan Rhodes)
Date: Thu Jan 12 21:21:31 2006
Subject: Yahoo Developing Open Source Server Software For Spam-Resistant E-Mail
Message-ID:

Since we were talking about AOL's anti-spam tactics, here is some info about Yahoo.

"The company is developing code, called DomainKeys, that's compatible with Sendmail and qmail, two popular E-mail transmission programs known as message transfer agents. It anticipates release sometime next year. DomainKeys will use public key cryptography to digitally sign outgoing messages to reassure a public now suspicious of E-mail. "

http://www.linuxpipeline.com/news/showArticle.jhtml;jsessionid=HY12EQWM4BORKQSNDBCCKHY?articleId=16700123

What do you think of this strategy?

Tristan

From ka at PACIFIC.NET Fri Dec 12 16:05:45 2003
From: ka at PACIFIC.NET (Ken Anderson) Date: Thu Jan 12 21:21:31 2006 Subject: Yahoo Developing Open Source Server Software For Spam-Resistant E-Mail In-Reply-To: References: Message-ID: <3FD9E759.1080708@pacific.net> It's not going to limit spam, but I think it's a step in the right direction. It will also take some significant cpu power to handle the DomainKeys, but it will certainly be nice to be able to trust that mail FROM Yahoo.com and any other often impersonated domain that implements this system actually came FROM that domain. It will also have the effect of making domain whitelists (allow *.mydomain.com) very useful. Ken Pacific.Net Tristan Rhodes wrote: > Since we were talking about AOL's anti-spam tactics, here is some info about Yahoo. > > "The company is developing code, called DomainKeys, that's compatible with Sendmail and qmail, two popular E-mail transmission programs known as message transfer agents. It anticipates release sometime next year. DomainKeys will use public key cryptography to digitally sign outgoing messages to reassure a public now suspicious of E-mail. " > > http://www.linuxpipeline.com/news/showArticle.jhtml;jsessionid=HY12EQWM4BORKQSNDBCCKHY?articleId=16700123 > > What do you think of this strategy? > > Tristan > > From mailscanner at ecs.soton.ac.uk Fri Dec 12 16:26:24 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:31 2006 Subject: Yahoo Developing Open Source Server Software For Spam-Resistant E-Mail In-Reply-To: <3FD9E759.1080708@pacific.net> References: <3FD9E759.1080708@pacific.net> Message-ID: <6.0.1.1.2.20031212162002.07d88530@imap.ecs.soton.ac.uk> Unfortunately it suffers from the same problem affecting pretty much all such systems being mooted at the moment. They seem to think that a ==> b is the same as not a ==> not b (where "==>" is "implies") The presence of a correct version of this domainkeys header does indeed imply that the message came from Yahoo server. But plenty of mail from perfectly valid Yahoo accounts is not sent from Yahoo servers. I, for example, send mail from "jules@mailscanner.info" from servers belonging to "ecs.soton.ac.uk". And I send mail from "mailscanner@ecs.soton.ac.uk" from servers belonging to BT Openworld. The lack of a correct Yahoo domainkeys header does *not* imply that the mail is not from a perfectly valid Yahoo user. So when you get a mail without a correct domainkeys header, you know absolutely nothing about its validity. You may like to think you know it is not a valid Yahoo account, but you are wrong. You have absolutely no information about whether it is valid or not. The press don't appear to understand this, and the companies' marketing teams don't either. They are trying to sell systems which are next to useless. Just my 2p worth... At 16:05 12/12/2003, you wrote: >It's not going to limit spam, but I think it's a step in the right >direction. It will also take some significant cpu power to handle the >DomainKeys, but it will certainly be nice to be able to trust that mail >FROM Yahoo.com and any other often impersonated domain that implements >this system actually came FROM that domain. It will also have the effect >of making domain whitelists (allow *.mydomain.com) very useful. 
> >Ken >Pacific.Net > > >Tristan Rhodes wrote: > >>Since we were talking about AOL's anti-spam tactics, here is some info >>about Yahoo. >> >>"The company is developing code, called DomainKeys, that's compatible >>with Sendmail and qmail, two popular E-mail transmission programs known >>as message transfer agents. It anticipates release sometime next year. >>DomainKeys will use public key cryptography to digitally sign outgoing >>messages to reassure a public now suspicious of E-mail. " >> >>http://www.linuxpipeline.com/news/showArticle.jhtml;jsessionid=HY12EQWM4BORKQSNDBCCKHY?articleId=16700123 >> >>What do you think of this strategy? >> >>Tristan >> -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From steve.swaney at FSL.COM Fri Dec 12 16:40:10 2003 
From: steve.swaney at FSL.COM (Stephen Swaney)
Date: Thu Jan 12 21:21:31 2006
Subject: FW: barracudanetworks devices
Message-ID: <20031212163955.6633721C3D3@mail.fsl.com>

I would not normally post commercial product information to a support list but Julian asked me to respond to your query.

> What does MailScanner Enterprise Edition do that Basic can not do?

The actual answer is - Nothing. There is and always will be one code tree for MailScanner. Any improvements or contributions to core MailScanner code will remain open source.

What we are adding is:

  A web interface for configuration and user preferences
  A web interface for setting user preferences
  A MySQL database for storing configuration changes and MailWatch data
  An LDAP backend for MailScanner and SpamAssassin configuration data
  Packaging and configuring:
    MailScanner
    SpamAssassin
    MailWatch
    LDAP
    Pyzor
    Razor
    DCC
    ClamAV
  And all the supporting packages they require along with new, expanded documentation.

There will also be a very simple installation procedure and an automated update service will be available by subscription. We plan to ship the first product sometime in January.

What we are doing is simply attempting to make MailScanner easier to use and more "acceptable" to the non Linux shops and providing the commercial support that many firms require before implementing open source software. I think that many will be glad to hear that a substantial portion of our business is coming from previously all Microsoft shops.

Obviously we welcome inquiries but please send these to me and not clutter up this excellent support list.

Steve

Stephen Swaney
President
Fortress Systems Ltd.
steve.swaney@fsl.com

> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On > Behalf Of Ryan Finnesey > Sent: Friday, December 12, 2003 12:32 AM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: barracudanetworks devices > > What does Mailscanner Enterprise Edition do that Basic can not do? > > > Ryan > > > > -----Original Message----- 
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On > Behalf Of Tristan Rhodes > Sent: Thursday, December 11, 2003 1:54 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: barracudanetworks devices > > These products do scan for viruses. It looks like they even use two > anti-virus engines... > > Look at the flowchart at the bottom of this page... > http://www.barracudanetworks.com/products.php > > I agree, Mailscanner and its numerous helper applications can attain the > same functionality. It would be nice if all the applications were > bundled up in a single package, though. > > Perhaps Mailscanner Enterprise Edition from Fortress will provide this > capability when it is released??? > > On a side note, Mailscanner Basic Edition is listed in Network World > Fusion's Anti-spam buyers guide. Apparently it takes a commercial > entity to be listed in this guide. :( - (Mailscanner Basic Edition is > free) :) > http://www.nwfusion.com/bg/2003/spam/details.jsp?_tablename=antispam&nam > e='MailScanner+Basic+Edition' > > Also found a reference to Mailscanner Basic Edition on the SpamHelp.org > website. > http://www.spamhelp.org/software/software.php?cat=3 > > I look forward to future Mailscanner-based products created by Fortress. > > Tristan Rhodes > > >>> Antony@SOFT-SOLUTIONS.CO.UK 12/11/03 10:56AM >>> > On Thursday 11 December 2003 5:44 pm, Errol Neal wrote: > > > Anybody heard of these devices? > > > > http://www.barracudanetworks.com/products_key_features.php > > > > I wonder how they stack up to MailScanner. > > Reading from the features on their website: > > > Blacklisting of websites & domains > > If you can still find a working DNS RBL, MailScanner will do this. > > > Keyword scanning of emails > > Use the new MCP and MailScanner will do this (as well as the default > keyword/phrase checking which SpamAssassin does) > > > Checksum technology > > Razor, Pyzor, DCC > > > Message authenticity checking > > MTA reverse MX lookup. 
>
> > Blacklists and Whitelists
>
> MailScanner does these.
>
> > Rate controls
>
> I seem to recall there's a new feature in MailScanner for this, even if
> you're
> not already doing it in sendmail.
>
> > File type attachment blocking
>
> MailScanner does this (I bet Barracuda does it by file extension only,
> not by
> file content type as well :)
>
> I think it's interesting that they're offering an anti-spam solution
> without
> any mention of anti-virus - seems a strange omission?
>
> Antony.
>
> --
> In science, one tries to tell people
> in such a way as to be understood by everyone
> something that no-one ever knew before.
>
> In poetry, it is the exact opposite.
>
> - Paul Dirac
>
> Please reply to the
> list;
> please don't
> CC me.

From mailscanner at CARLO65.DE Fri Dec 12 16:42:15 2003
From: mailscanner at CARLO65.DE (Roland Ehle)
Date: Thu Jan 12 21:21:31 2006
Subject: Sophos Install warnings
In-Reply-To:
References:
Message-ID: <3FD9EFE7.4080305@carlo65.de>

Hi.

Baccari, Lou wrote:
> I'm just finishing installing sophos using /usr/sbin/Sophos.install and
> received the following two warnings
> Warning: $PATH does not include /usr/local/Sophos/bin
> To run Sophos Anti-Virus you need to set environment variable
> $PATH so
> that it includes /usr/local/Sophos/bin.
> Warning: Neither $LD_LIBRARY_PATH nor /etc/ld.so.conf include
> /usr/local/Sophos/lib.
> How do I correct these warnings?

corrections as follows:
1. Enter as root the following command: export PATH=$PATH:/usr/local/Sophos/bin

2. Find the file /etc/ld.so.conf and append /usr/local/Sophos/lib to it.

Regards,
Roland

From chris at fractalweb.com Fri Dec 12 17:09:19 2003
From: chris at fractalweb.com (Chris Yuzik) Date: Thu Jan 12 21:21:31 2006 Subject: Internet Explorer URL Display problem In-Reply-To: <0EBC45FCABFC95428EBFC3A51B368C9501C9C3D5@jessica.herefordshire.gov.uk> References: <0EBC45FCABFC95428EBFC3A51B368C9501C9C3D5@jessica.herefordshire.gov.uk> Message-ID: <1071248959.3568.14.camel@localhost.localdomain> On Fri, 2003-12-12 at 03:47, Randal, Phil wrote: > RFC 2396 (http://www.faqs.org/rfcs/rfc2396.html) generalises URIs. I only skimmed the spec. But what I gathered, unless I completely misunderstood the document is that characters from %00 through %1F inclusive and %7F are control characters and shouldn't be in a URI. Although they are disallowed within the URI syntax, we include here a description of those US-ASCII characters that have been excluded and the reasons for their exclusion. The control characters in the US-ASCII coded character set are not used within a URI, both because they are non-printable and because they are likely to be misinterpreted by some control mechanisms. control = So how much trouble would we cause if we just disallowed the entire range of control characters from URIs? Can anyone think of a real website that legitimately uses any of these control codes within their URIs? I'm particularly concerned about shopping sites with their massive URIs. I still think I would rather have MailScanner do the checking for this so we can notify the recipient properly, rather than just marking the message as high spam and/or deleting the message altogether. Perhaps we could even have MailScanner remove the link code altogether but still deliver the rest of the message. Thoughts? Chris From mailscanner at ecs.soton.ac.uk Fri Dec 12 17:27:35 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:31 2006 Subject: Sophos Install warnings In-Reply-To: <3FD9EFE7.4080305@carlo65.de> References: <3FD9EFE7.4080305@carlo65.de> Message-ID: <6.0.1.1.2.20031212172615.07db0888@imap.ecs.soton.ac.uk> At 16:42 12/12/2003, you wrote: >Hi. > >Baccari, Lou schrieb: >>I'm just finishing installing sophos using /usr/sbin/Sophos.install and >>recieved the following two warnings >>Warning: $PATH does not include /usr/local/Sophos/bin >> To run Sophos Anti-Virus you need to set environment variable >>$PATH so >> that it includes /usr/local/Sophos/bin. >>Warning: Neither $LD_LIBRARY_PATH nor /etc/ld.so.conf include >> /usr/local/Sophos/lib. >>How do I correct these warnings? > >corrections as follows: >1. Enter as root the following command: export >PATH=$PATH:/usr/local/Sophos/bin > >2. Find the file /etc/ld.so.conf and append /usr/local/Sophos/lib to it. Neither of these 2 changes are required to make MailScanner work properly. It drives Sophos via a short script which avoids any editing of configuration files on your system. You only want these 2 changes if you want to be able to call the "sweep" program directly from the command-line on your system. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Fri Dec 12 17:29:52 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:31 2006 Subject: Internet Explorer URL Display problem In-Reply-To: <1071248959.3568.14.camel@localhost.localdomain> References: <0EBC45FCABFC95428EBFC3A51B368C9501C9C3D5@jessica.herefordshire.gov.uk> <1071248959.3568.14.camel@localhost.localdomain> Message-ID: <6.0.1.1.2.20031212172756.07d818b0@imap.ecs.soton.ac.uk> At 17:09 12/12/2003, you wrote: >On Fri, 2003-12-12 at 03:47, Randal, Phil wrote: > > RFC 2396 (http://www.faqs.org/rfcs/rfc2396.html) generalises URIs. > >I only skimmed the spec. But what I gathered, unless I completely >misunderstood the document is that characters from %00 through %1F >inclusive and %7F are control characters and shouldn't be in a URI. > > Although they are disallowed within the URI syntax, we include here a > description of those US-ASCII characters that have been excluded and > the reasons for their exclusion. > > The control characters in the US-ASCII coded character set are not > used within a URI, both because they are non-printable and because > they are likely to be misinterpreted by some control mechanisms. > > control = > >So how much trouble would we cause if we just disallowed the entire >range of control characters from URIs? Can anyone think of a real website >that legitimately uses any of these control codes within their URIs? I'm >particularly concerned about shopping sites with their massive URIs. Sounds good to me. >I still think I would rather have MailScanner do the checking for this >so we can notify the recipient properly, rather than just marking >the message as high spam and/or deleting the message altogether. Perhaps >we could even have MailScanner remove the link code altogether but still >deliver the rest of the message. Spotting the occurrence of these inside URIs is very hard to do reliably. SpamAssassin goes to considerable lengths to do this, and I don't want to attempt to duplicate their work. 
So I still say do it in SpamAssassin, but probably in the MCP code which is used for direct actions on mail, rather than the spam detection which is really just attempting to qualify the message.

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From lou.baccari at HP.COM Fri Dec 12 16:31:09 2003
From: lou.baccari at HP.COM (Baccari, Lou)
Date: Thu Jan 12 21:21:31 2006
Subject: Sophos Install warnings
Message-ID:

I'm just finishing installing sophos using /usr/sbin/Sophos.install and received the following two warnings

Warning: $PATH does not include /usr/local/Sophos/bin
To run Sophos Anti-Virus you need to set environment variable $PATH so
that it includes /usr/local/Sophos/bin.
Warning: Neither $LD_LIBRARY_PATH nor /etc/ld.so.conf include
/usr/local/Sophos/lib.

How do I correct these warnings?

From TGFurnish at HERFF-JONES.COM Fri Dec 12 16:43:08 2003
From: TGFurnish at HERFF-JONES.COM (Furnish, Trever G) Date: Thu Jan 12 21:21:31 2006 Subject: Yahoo Developing Open Source Server Software For Spam-Resista nt E-Mail Message-ID: <8FFC76593085ED4A80D3601BC41EFCDF037335C7@inex1.herffjones.hj-int> I for one would be quite willing to consider the ability to send email as domains you aren't authoritative for as a casualty of war. Ie if your server won't accept mail for yahoo.com, then I have no problem with the idea of rejecting email you claim to be delivering on behalf of someone @yahoo.com. I would expect their implementation to be just an extension of that idea - ie if you didn't sign the message with a valid "domainkey" for yahoo.com, then you aren't really yahoo.com and shouldn't be sending email purporting to be from that domain. Is that a loss of functionality for many people? Yes. Is that loss acceptable? IMO, yes. If you are the admin of all systems involved (ie mailscanner.info and ecs.soton.ac.uk), then making the needed arrangements to allow both of these domains to be served by your servers should be within your authority and capability. I haven't seen any details on the technical implementation they're proposing - has anyone got a link to more extensive info? -- Trever > -----Original Message----- 
> From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] > Sent: Friday, December 12, 2003 11:26 AM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Yahoo Developing Open Source Server Software For > Spam-Resistant E-Mail > > > Unfortunately it suffers from the same problem affecting > pretty much all > such systems being mooted at the moment. > > They seem to think that > a ==> b > is the same as > not a ==> not b > (where "==>" is "implies") > > The presence of a correct version of this domainkeys header > does indeed > imply that the message came from Yahoo server. But plenty of mail from > perfectly valid Yahoo accounts is not sent from Yahoo servers. I, for > example, send mail from "jules@mailscanner.info" from servers > belonging to > "ecs.soton.ac.uk". And I send mail from > "mailscanner@ecs.soton.ac.uk" from > servers belonging to BT Openworld. > > The lack of a correct Yahoo domainkeys header does *not* > imply that the > mail is not from a perfectly valid Yahoo user. > > So when you get a mail without a correct domainkeys header, you know > absolutely nothing about its validity. You may like to think > you know it is > not a valid Yahoo account, but you are wrong. You have absolutely no > information about whether it is valid or not. > > The press don't appear to understand this, and the companies' > marketing > teams don't either. They are trying to sell systems which are > next to useless. > > Just my 2p worth... > > At 16:05 12/12/2003, you wrote: > >It's not going to limit spam, but I think it's a step in the right > >direction. It will also take some significant cpu power to handle the > >DomainKeys, but it will certainly be nice to be able to > trust that mail > >FROM Yahoo.com and any other often impersonated domain that > implements > >this system actually came FROM that domain. It will also > have the effect > >of making domain whitelists (allow *.mydomain.com) very useful. 
> > > >Ken > >Pacific.Net > > > > > >Tristan Rhodes wrote: > > > >>Since we were talking about AOL's anti-spam tactics, here > is some info > >>about Yahoo. > >> > >>"The company is developing code, called DomainKeys, that's > compatible > >>with Sendmail and qmail, two popular E-mail transmission > programs known > >>as message transfer agents. It anticipates release sometime > next year. > >>DomainKeys will use public key cryptography to digitally > sign outgoing > >>messages to reassure a public now suspicious of E-mail. " > >> > >>http://www.linuxpipeline.com/news/showArticle.jhtml;jsession id=HY12EQWM4BORKQSNDBCCKHY?articleId=16700123 >> >>What do you think of this strategy? >> >>Tristan >> -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From ka at PACIFIC.NET Fri Dec 12 17:45:28 2003 
From: ka at PACIFIC.NET (Ken Anderson) Date: Thu Jan 12 21:21:31 2006 Subject: Yahoo Developing Open Source Server Software For Spam-Resista nt E-Mail In-Reply-To: <8FFC76593085ED4A80D3601BC41EFCDF037335C7@inex1.herffjones.hj-int> References: <8FFC76593085ED4A80D3601BC41EFCDF037335C7@inex1.herffjones.hj-int> Message-ID: <3FD9FEB8.2050905@pacific.net> Furnish, Trever G wrote: > I for one would be quite willing to consider the ability to send email as > domains you aren't authoritative for as a casualty of war. > > Ie if your server won't accept mail for yahoo.com, then I have no problem > with the idea of rejecting email you claim to be delivering on behalf of > someone @yahoo.com. I would expect their implementation to be just an > extension of that idea - ie if you didn't sign the message with a valid > "domainkey" for yahoo.com, then you aren't really yahoo.com and shouldn't be > sending email purporting to be from that domain. > > Is that a loss of functionality for many people? Yes. Is that loss > acceptable? IMO, yes. > > If you are the admin of all systems involved (ie mailscanner.info and > ecs.soton.ac.uk), then making the needed arrangements to allow both of these > domains to be served by your servers should be within your authority and > capability. > > I haven't seen any details on the technical implementation they're proposing > - has anyone got a link to more extensive info? > > -- > Trever I would have to agree as well. The problem requires some changes be made that are not going to be easy, but are worth it. The domainkeys system will need to call for authentication or trust relationships between mailservers, so that users on one A.com can send outgoing mail through B.com as user@B.com, or mailserver MX.A.com can pretend to be B.com for user@B.com. It's not impossible, but it's definitely got some difficulties as Julian pointed out. Ken A. Pacific.Net > > >>-----Original Message----- 
>>From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] >>Sent: Friday, December 12, 2003 11:26 AM >>To: MAILSCANNER@JISCMAIL.AC.UK >>Subject: Re: Yahoo Developing Open Source Server Software For >>Spam-Resistant E-Mail >> >> >>Unfortunately it suffers from the same problem affecting >>pretty much all >>such systems being mooted at the moment. >> >>They seem to think that >> a ==> b >>is the same as >> not a ==> not b >>(where "==>" is "implies") >> >>The presence of a correct version of this domainkeys header >>does indeed >>imply that the message came from Yahoo server. But plenty of mail from >>perfectly valid Yahoo accounts is not sent from Yahoo servers. I, for >>example, send mail from "jules@mailscanner.info" from servers >>belonging to >>"ecs.soton.ac.uk". And I send mail from >>"mailscanner@ecs.soton.ac.uk" from >>servers belonging to BT Openworld. >> >>The lack of a correct Yahoo domainkeys header does *not* >>imply that the >>mail is not from a perfectly valid Yahoo user. >> >>So when you get a mail without a correct domainkeys header, you know >>absolutely nothing about its validity. You may like to think >>you know it is >>not a valid Yahoo account, but you are wrong. You have absolutely no >>information about whether it is valid or not. >> >>The press don't appear to understand this, and the companies' >>marketing >>teams don't either. They are trying to sell systems which are >>next to useless. >> >>Just my 2p worth... >> >>At 16:05 12/12/2003, you wrote: >> >>>It's not going to limit spam, but I think it's a step in the right >>>direction. It will also take some significant cpu power to handle the >>>DomainKeys, but it will certainly be nice to be able to >> >>trust that mail >>>FROM Yahoo.com and any other often impersonated domain that >>implements >> >>>this system actually came FROM that domain. It will also >> >>have the effect >> >>>of making domain whitelists (allow *.mydomain.com) very useful. 
>>> >>>Ken >>>Pacific.Net >>> >>> >>>Tristan Rhodes wrote: >>> >>> >>>>Since we were talking about AOL's anti-spam tactics, here >> >>is some info >> >>>>about Yahoo. >>>> >>>>"The company is developing code, called DomainKeys, that's >> >>compatible >> >>>>with Sendmail and qmail, two popular E-mail transmission >> >>programs known >> >>>>as message transfer agents. It anticipates release sometime >> >>next year. >> >>>>DomainKeys will use public key cryptography to digitally >> >>sign outgoing >> >>>>messages to reassure a public now suspicious of E-mail. " >>>> >>>>http://www.linuxpipeline.com/news/showArticle.jhtml;jsession > > id=HY12EQWM4BORKQSNDBCCKHY?articleId=16700123 > >>>What do you think of this strategy? >>> >>>Tristan >>> > > > -- > Julian Field > www.MailScanner.info > MailScanner thanks transtec Computers for their support > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > > From robin at PRIMUS.CA Fri Dec 12 19:49:11 2003 From: robin at PRIMUS.CA (Robin M.) Date: Thu Jan 12 21:21:31 2006 Subject: cpu utilization Message-ID: Is there any way to set the nice value of MailScanner processes. I notice that when it runs top reports that MailScanner uses 99% of the cpu. I have a small mailserver which only does about 2000 messages per 24 hours. I currently have set the Queue Scan Interval = 60 Max Children = 4 The box is a powerful dual Xeon 3gigs RAM but has a very busy mod_perl/mysql website on it as well From RKearney at AZERTY.COM Fri Dec 12 20:08:46 2003 
From: RKearney at AZERTY.COM (Kearney, Rob)
Date: Thu Jan 12 21:21:31 2006
Subject: cpu utilization
Message-ID: <210DF55DED65B547896F728FB057F3B2019C4A7E@seaver.ussco.com>

you can use nice or renice..

renice will "renice" a process that is currently running
nice will set the nice value of a command you specify.

i.e.
nice -20 /usr/sbin/MailScanner will give it the highest priority
nice 19 /usr/sbin/MailScanner will give it the lowest priority

check the man pages out.

you may also only need 1 worker, so setting Max Children to 1 might not be a bad idea.

-rob

-----Original Message-----
From: Robin M. [mailto:robin@PRIMUS.CA]
Sent: Friday, December 12, 2003 2:49 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: cpu utilization

Is there any way to set the nice value of MailScanner processes. I notice that when it runs top reports that MailScanner uses 99% of the cpu. I have a small mailserver which only does about 2000 messages per 24 hours. I currently have set the

Queue Scan Interval = 60
Max Children = 4

The box is a powerful dual Xeon 3gigs RAM but has a very busy mod_perl/mysql website on it as well

From Kevin_Miller at CI.JUNEAU.AK.US Fri Dec 12 21:12:32 2003
From: Kevin_Miller at CI.JUNEAU.AK.US (Kevin Miller)
Date: Thu Jan 12 21:21:31 2006
Subject: RBL defluglery...
Message-ID: <08146035CA49D6119A36009027AC822A0264EB75@CITY-EXCH-NTS>

I have a couple RBLs in the MailScanner.conf and they caught some non-spam the other day. bl.spamcop.net had blacklisted a server at a local architect's firm, and ORDB dinged another outfit down in Washington. Turns out that the local firm has been an open relay for the past 26 days, and the other was listed as an open relay a couple years ago and apparently never cleared. Probably a fly-by-night that did their spamming then moved on and didn't care, leaving a tainted IP address block behind.

For some reason, the senders of the message were never notified that they had been RBLed. Bummer. Spam action is forward to "Alphonse Spamdog" on our internal server, and delete. I thought that the RBLed messages would generate a notice to the sender. What/where do I set that? We caught one via glancing at the messages in the Alphonse inbox, and the other because an internal user complained.

I sure don't want to send "you're blocked" messages to normal spammers, but it seems like it's important to send RBL notifications to hapless legitimate users whose servers are open so they can do a beat-up on their mail administrators to close them...

...Kevin
--
Kevin Miller                Registered Linux User No: 307357
CBJ MIS Dept.               Network Systems Administrator, Mail Administrator
155 South Seward Street     ph: (907) 586-0242
Juneau, Alaska 99801        fax: (907 586-4500

From DARYL at MONM.EDU Fri Dec 12 21:46:55 2003
From: DARYL at MONM.EDU (Carr, Daryl B.) Date: Thu Jan 12 21:21:31 2006 Subject: Which Virus Scanner Product Message-ID: <995C465EA5BB0D42A493986D8D2E07508936@ntmail2.monm.edu> I'm new. I've scoured the archives. The chart of anti-virus products for UNIX in the installation area is helpful but I can't determine which particular product to purchase. For example; which Sophos anti-virus product should I purchase? Also, which product from which vendor do you prefer? Thanks, Daryl Daryl Carr Monmouth College Monmouth, IL 61462 -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20031212/044e3e11/attachment.html From kodak at FRONTIERHOMEMORTGAGE.COM Fri Dec 12 22:06:01 2003 
From: kodak at FRONTIERHOMEMORTGAGE.COM (Jason Balicki) Date: Thu Jan 12 21:21:31 2006 Subject: Which Virus Scanner Product In-Reply-To: <995C465EA5BB0D42A493986D8D2E07508936@ntmail2.monm.edu> Message-ID: <005101c3c0fc$210df400$0501a8c0@darkside> >I'm new. I've scoured the archives. The chart of anti-virus products for UNIX in the installation >area is helpful but I can't determine which particular product to purchase. There's no "right" one -- that's what the chart was for. You find which license works best for your situation. Any one that works with MS is going to be OK. It's best to use multiple scanners though, as no one scanner catches everything. And one of those multiples might as well be clamav, since it's very good and it's free (in that order.) >For example; which Sophos anti-virus product should I purchase? Also, which product from which >vendor do you prefer? Sophos is kind of a weird beast. When I bought it they didn't have a "one off" license so I had to buy a package that included licenses for the client machines on my network. I'm glad I did, since I'm really happy with Sophos, but you may not need that. They may have a "mailserver" version by now, I don't know -- you may want to check with a reseller. HTH, --J(K) From jburzenski at AMERICANHM.COM Fri Dec 12 22:32:21 2003 
From: jburzenski at AMERICANHM.COM (Jason Burzenski)
Date: Thu Jan 12 21:21:31 2006
Subject: Effort to manage MailScanner
Message-ID: <9BDD6D4AD0795C46974D7D46C17883B809185A27@ahm_exchange2>

I have faced similar situations regarding false positives. One method that I found useful was to DELETE high scoring spam and DELIVER normal spam. Using this model you can set your spam score more aggressively because users still receive the mail with a {Spam?} or similar markup in the subject line. High scoring spam (which you can keep at a high score) is rarely a false positive but I usually opt to forward to a review account to keep an eye on it. Once you have a configuration like this in place you would either want to instruct your help desk to show users how to set up a mail rule to drop subjects containing {spam?} into a spam review folder or distribute a document to your users with the procedure. I found this method to allow me to catch more spam while lowering the risk of true false positives. Seeing all the {Spam?} messages also lets the user populace know that the filter is working (nice side effect).

Another process I like to use (with caution) is to set up a mailbox for spam issues that users can send mail to. Most of these messages turn out to be "please black list this message, it is spam" with an occasional "please white list this domain" or even a "thank you so much, I can now get through my inbox in less than 8 hours!" Once a week you can go through the messages, document your white list, black list and possibly rules modifications, fill out your change control form (you do practice proper change management, right?) and you're all set. This administrative mailbox is the main drive for my tweaking.

NOTE: I also do not upgrade unless there is a feature I need or want.

> -----Original Message-----
> From: Pete [mailto:pete@eatathome.com.au]
> Sent: Wednesday, December 10, 2003 4:36 PM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Effort to manage MailScanner
>
>
> Sorry I couldn't think of a better subject heading.
>
> I have had MS running now for a full month and it appears to
> be working perfectly - in our org we cannot be too aggressive
> as false positives would a lot of criticism, so I have used
> almost defaults settings, but we get no UCEs delivered to
> staff or students and have had only one false positive so far.
>
> We have 600-700 mail accounts but only receive 1500 emails a
> day %30 being spam.
>
> I have noticed on these forums a lot of people spending a lot
> of time changing settings, adding RBLs, upgrading every new
> release or beta and I wanted to know what benefits these
> folks receive vs their effort - it's starting to make me feel
> like I should be upgrading to latest too - except I don't
> want to have my head buried in MS config every day for the
> next month - I thought this an install, config and forget
> type system, which is how I have been treating it (though I
> check quarantine daily at the moment), are you guys getting
> some benefit that I am not, or is because you have far
> greater volumes of mail that you get more spam through MS
> and have to work harder to stop it?
>
> I suppose it's my cautious, no downtime nature that keeps us a
> few versions behind with almost all of my systems...
>
From dbird at SGHMS.AC.UK Sat Dec 13 01:08:35 2003
From: dbird at SGHMS.AC.UK (Daniel Bird)
Date: Thu Jan 12 21:21:31 2006
Subject: Internet Explorer URL Display problem
In-Reply-To: <6.0.1.1.2.20031212172756.07d818b0@imap.ecs.soton.ac.uk>
References: <0EBC45FCABFC95428EBFC3A51B368C9501C9C3D5@jessica.herefordshire.gov.uk> <1071248959.3568.14.camel@localhost.localdomain> <6.0.1.1.2.20031212172756.07d818b0@imap.ecs.soton.ac.uk>
Message-ID: <3FDA6693.909@sghms.ac.uk>

Julian Field wrote:

>> I still think I would rather have MailScanner do the checking for this
>> so we can notify the recipient properly, rather than just marking
>> the message as high spam and/or deleting the message altogether. Perhaps
>> we could even have MailScanner remove the link code altogether but still
>> deliver the rest of the message.
>
for info, SA (I'm running 2.61 - not sure about previous) already has a rule to catch these:

in 20_uri_test.cf:

# Have gotten FPs off this, and whitespace can't be in the host, so...
# % Visit my homepage: http://i.like.foo.com %
uri HTTP_ESCAPED_HOST /^https?\:\/\/[^\/\s]*%[0-9a-fA-F][0-9a-fA-F]/
describe HTTP_ESCAPED_HOST Uses %-escapes inside a URL's hostname

So the score could just be ramped up spam.assassin.prefs.conf so it hits above high spam actions or (I'm presuming ) that test included in MCP config.

Julian, as an aside could I (say)

score HTTP_ESCAPED_HOST 100

simply be added to mcp.spam.assassin.prefs.conf or would the rule also have to be added to a .cf file in the MCP directory?

Regards

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

From nupur at THEARGONCOMPANY.COM Sat Dec 13 09:33:13 2003
From: nupur at THEARGONCOMPANY.COM (Nupur Dave)
Date: Thu Jan 12 21:21:31 2006
Subject: Problem deleting virtual site on RaQ550
Message-ID: <200312131503.13764.nupur@theargoncompany.com>

Hi,

I have a Cobalt RaQ550 with MailScanner-4.24-5 and clamav 0.60 installed on it. I have noticed 2 problems while deleting a virtual site.

1. MailScanner stops functioning and hence the viruses are not trapped.
2. The /etc/proftpd.conf file is overwritten due to which my ftp settings are messed up.

Can anybody provide me a link to understand why this is happening? OR Can anyone help me to understand this problem?

--
Regards
Nupur Dave
Engineer-Technical Support
The Argon Company
7th Floor,Nanavati Mahalaya, Fort,Mumbai-400023.
Tel Number: +91-22-22882160
Helpdesk: +91-22-22882774
Website:www.theargoncompany.com

From mailscanner at ecs.soton.ac.uk Sat Dec 13 10:14:07 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:21:31 2006
Subject: Yahoo Developing Open Source Server Software For Spam-Resistant E-Mail
In-Reply-To: <3FD9FEB8.2050905@pacific.net>
References: <8FFC76593085ED4A80D3601BC41EFCDF037335C7@inex1.herffjones.hj-int> <3FD9FEB8.2050905@pacific.net>
Message-ID: <6.0.1.1.2.20031213101258.027f6760@imap.ecs.soton.ac.uk>

At 17:45 12/12/2003, you wrote:
>Furnish, Trever G wrote:
>>I for one would be quite willing to consider the ability to send email as
>>domains you aren't authoritative for as a casualty of war.

I think all of the (possibly millions) of people around the world who own a domain while not owning an outgoing mail server would disagree.

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Sat Dec 13 10:23:38 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:21:31 2006
Subject: Internet Explorer URL Display problem
In-Reply-To: <6.0.1.1.2.20031212172756.07d818b0@imap.ecs.soton.ac.uk>
References: <0EBC45FCABFC95428EBFC3A51B368C9501C9C3D5@jessica.herefordshire.gov.uk> <1071248959.3568.14.camel@localhost.localdomain> <6.0.1.1.2.20031212172756.07d818b0@imap.ecs.soton.ac.uk>
Message-ID: <6.0.1.1.2.20031213102117.04f14d68@imap.ecs.soton.ac.uk>

At 17:29 12/12/2003, you wrote:
>At 17:09 12/12/2003, you wrote:
>>On Fri, 2003-12-12 at 03:47, Randal, Phil wrote:
>> > RFC 2396 (http://www.faqs.org/rfcs/rfc2396.html) generalises URIs.
>>
>>I only skimmed the spec. But what I gathered, unless I completely
>>misunderstood the document is that characters from %00 through %1F
>>inclusive and %7F are control characters and shouldn't be in a URI.
>>
>> Although they are disallowed within the URI syntax, we include here a
>> description of those US-ASCII characters that have been excluded and
>> the reasons for their exclusion.
>>
>> The control characters in the US-ASCII coded character set are not
>> used within a URI, both because they are non-printable and because
>> they are likely to be misinterpreted by some control mechanisms.
>>
>> control =
>>
>>So how much trouble would we cause if we just disallowed the entire
>>range of control characters from URIs? Can anyone think of a real website
>>that legitimately uses any of these control codes within their URIs? I'm
>>particularly concerned about shopping sites with their massive URIs.
>
>Sounds good to me.

The pattern for matching this is therefore

/%([01][0-9a-f]|7f).*@/i

so add this to spam.assassin.prefs.conf:

uri IE_VULN /%([01][0-9a-f]|7f).*@/i
score IE_VULN 100.0
describe IE_VULN Internet Explorer vulnerability

and then restart MailScanner.
-- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Sat Dec 13 10:26:58 2003 
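The two rules quoted in this thread (SpamAssassin's HTTP_ESCAPED_HOST and the IE_VULN pattern) can be exercised against sample URIs before they are given a score of 100. The following Python check is an added example, not part of any list message and not MailScanner or SpamAssassin code; the URIs are constructed, and `ctrl_in_userinfo` is a hypothetical stricter test introduced here only for comparison.

```python
"""Compare the thread's two uri rules on constructed sample URIs."""
import re
from urllib.parse import urlsplit

# Patterns copied from the thread. SpamAssassin applies a uri rule to each
# URI it extracts from a message, unanchored unless the pattern says so.
IE_VULN = re.compile(r"%([01][0-9a-f]|7f).*@", re.IGNORECASE)
HTTP_ESCAPED_HOST = re.compile(r"^https?\:\/\/[^\/\s]*%[0-9a-fA-F][0-9a-fA-F]")

# An escaped US-ASCII control character: %00 through %1F, or %7F.
CTRL_ESCAPE = re.compile(r"%(?:[01][0-9a-f]|7f)", re.IGNORECASE)

# Constructed samples (reserved example/test names, documentation addresses).
SAMPLES = [
    # escaped control character directly before the '@' of the authority
    "http://www.bank.example%01@203.0.113.5/login",
    # same shape, upper-case hex digits
    "http://www.bank.example%7F@host.test/",
    # escaped line feed in the query, e-mail address later in the query
    "http://shop.example/cart?note=line1%0Aline2&mail=user@shop.example",
    # ordinary escaped space, e-mail address later in the query
    "http://shop.example/search?q=red%20shoes&mail=user@shop.example",
    # escaped '@' (%40) inside the userinfo: an escape, but not a control one
    "http://user%40corp@intranet.example/",
    # control escape that comes after the '@'
    "http://user@host.example/a%09b",
]


def ctrl_in_userinfo(uri):
    """Hypothetical stricter check (an assumption, not from the thread):
    an escaped control character in the authority part that precedes '@'."""
    netloc = urlsplit(uri).netloc
    userinfo, at_sign, _host = netloc.rpartition("@")
    return bool(at_sign) and bool(CTRL_ESCAPE.search(userinfo))


def classify(uri):
    """Return which of the three checks fire for one URI."""
    return {
        "IE_VULN": bool(IE_VULN.search(uri)),
        "HTTP_ESCAPED_HOST": bool(HTTP_ESCAPED_HOST.search(uri)),
        "ctrl_in_userinfo": ctrl_in_userinfo(uri),
    }


def false_positive_candidates(uris):
    """URIs that IE_VULN flags although the control escape is not in the
    userinfo. With the rule scored at 100.0 these are the messages to
    review before trusting the rule on production mail."""
    hits = []
    for uri in uris:
        result = classify(uri)
        if result["IE_VULN"] and not result["ctrl_in_userinfo"]:
            hits.append(uri)
    return hits


if __name__ == "__main__":
    for sample in SAMPLES:
        fired = [name for name, hit in classify(sample).items() if hit]
        print(f"{sample}\n    fired: {', '.join(fired) or 'none'}")
    print("review before scoring at 100.0:")
    for uri in false_positive_candidates(SAMPLES):
        print(f"    {uri}")
```

Because `.*@` is not limited to the authority, IE_VULN also fires on the third sample, where the `@` belongs to an e-mail address in the query string; that is the shopping-site style URI the thread worries about.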
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:21:31 2006
Subject: Internet Explorer URL Display problem
In-Reply-To: <3FDA6693.909@sghms.ac.uk>
References: <0EBC45FCABFC95428EBFC3A51B368C9501C9C3D5@jessica.herefordshire.gov.uk> <1071248959.3568.14.camel@localhost.localdomain> <6.0.1.1.2.20031212172756.07d818b0@imap.ecs.soton.ac.uk> <3FDA6693.909@sghms.ac.uk>
Message-ID: <6.0.1.1.2.20031213102627.03b1bbe8@imap.ecs.soton.ac.uk>

At 01:08 13/12/2003, you wrote:
>Julian Field wrote:
>
>>>I still think I would rather have MailScanner do the checking for this
>>>so we can notify the recipient properly, rather than just marking
>>>the message as high spam and/or deleting the message altogether. Perhaps
>>>we could even have MailScanner remove the link code altogether but still
>>>deliver the rest of the message.
>for info, SA (I'm running 2.61 - not sure about previous) already has a
>rule to catch these:
>
>in 20_uri_test.cf:
>
># Have gotten FPs off this, and whitespace can't be in the host, so...
># % Visit my homepage: http://i.like.foo.com %
>uri HTTP_ESCAPED_HOST
>/^https?\:\/\/[^\/\s]*%[0-9a-fA-F][0-9a-fA-F]/
>describe HTTP_ESCAPED_HOST Uses %-escapes inside a URL's hostname
>
>So the score could just be ramped up spam.assassin.prefs.conf so it hits
>above high spam actions or (I'm presuming ) that test included in MCP
>config.
>
>Julian, as an aside could I (say)
>
>score HTTP_ESCAPED_HOST 100
>
>simply be added to mcp.spam.assassin.prefs.conf or would the rule also
>have to be added to a .cf file in the MCP directory?

You need to add it to a .cf file in the MCP directory. MCP starts off with no rules at all.

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From tsevy at EPX.COM Sat Dec 13 12:46:58 2003
From: tsevy at EPX.COM (Tom Sevy) Date: Thu Jan 12 21:21:31 2006 Subject: Internet Explorer URL Display problem In-Reply-To: <6.0.1.1.2.20031213102117.04f14d68@imap.ecs.soton.ac.uk> Message-ID: Is there a minimum version of MS & SA that is required for this to work? 
> From: Julian Field
> Reply-To: MailScanner mailing list
> Date: Sat, 13 Dec 2003 10:23:38 +0000
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: Internet Explorer URL Display problem
>
> At 17:29 12/12/2003, you wrote:
>> At 17:09 12/12/2003, you wrote:
>>> On Fri, 2003-12-12 at 03:47, Randal, Phil wrote:
>>>> RFC 2396 (http://www.faqs.org/rfcs/rfc2396.html) generalises URIs.
>>>
>>> I only skimmed the spec. But what I gathered, unless I completely
>>> misunderstood the document is that characters from %00 through %1F
>>> inclusive and %7F are control characters and shouldn't be in a URI.
>>>
>>> Although they are disallowed within the URI syntax, we include here a
>>> description of those US-ASCII characters that have been excluded and
>>> the reasons for their exclusion.
>>>
>>> The control characters in the US-ASCII coded character set are not
>>> used within a URI, both because they are non-printable and because
>>> they are likely to be misinterpreted by some control mechanisms.
>>>
>>> control =
>>>
>>> So how much trouble would we cause if we just disallowed the entire
>>> range of control characters from URIs? Can anyone think of a real website
>>> that legitimately uses any of these control codes within their URIs? I'm
>>> particularly concerned about shopping sites with their massive URIs.
>>
>> Sounds good to me.
>
> The pattern for matching this is therefore
>
> /%([01][0-9a-f]|7f).*@/i
>
> so add this to spam.assassin.prefs.conf:
>
> uri IE_VULN /%([01][0-9a-f]|7f).*@/i
> score IE_VULN 100.0
> describe IE_VULN Internet Explorer vulnerability
>
> and then restart MailScanner.
> --
> Julian Field
> www.MailScanner.info
> Professional Support Services at www.MailScanner.biz
> MailScanner thanks transtec Computers for their support
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>
From eja at URBAKKEN.DK Sat Dec 13 15:16:57 2003
From: eja at URBAKKEN.DK (Erik Jakobsen)
Date: Thu Jan 12 21:21:31 2006
Subject: Patch.
Message-ID: <3FDB2D69.7040501@urbakken.dk>

Hi

I install MailScanner on a new server. The following is shown using the ./install.sh. What patch is it that is asking for ?.

[root@gateway root]# cd /opt/MailScanner-4.25-14
[root@gateway MailScanner-4.25-14]# ./install.sh

You need to install the patch command from your Linux distribution.
Once you have done that, please try running this script again.

--
Med venlig hilsen - Best regards.
Erik Jakobsen - eja@urbakken.dk.
Licensed radioamateur with the callsign OZ4KK.
SuSE Linux 8.2 Proff.
Registered as user #319488 with the Linux Counter, http://counter.li.org.

From dbird at SGHMS.AC.UK Sat Dec 13 15:15:16 2003
From: dbird at SGHMS.AC.UK (Daniel Bird)
Date: Thu Jan 12 21:21:31 2006
Subject: MaliScanner config in LDAP
Message-ID: <3FDB2D04.7020605@sghms.ac.uk>

Hi,
I noticed in the "barracudanetworks devices" thread a reference to storing the config in LDAP. Also, I've seen some code in Config.pm that will search for values from an LDAP server.

My question is are there any docs on setting it up?

Dan

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

From evertjan at VANRAMSELAAR.NL Sat Dec 13 15:30:41 2003
From: evertjan at VANRAMSELAAR.NL (Evert Jan van Ramselaar)
Date: Thu Jan 12 21:21:31 2006
Subject: Patch.
In-Reply-To: <3FDB2D69.7040501@urbakken.dk>
References: <3FDB2D69.7040501@urbakken.dk>
Message-ID: <32787.10.10.0.101.1071329441.squirrel@intranet>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Erik Jakobsen said:
> Hi I install MailScanner on a new server. The following is shown using
> the ./install.sh. What patch is it that is asking for ?.
> You need to install the patch command from your Linux distribution.
> Once you have done that, please try running this script again.

It is the "patch" command itself it is asking for. The command is either not on your system or cannot be found in your PATH.

- --
Evert Jan van Ramselaar
Van Ramselaar Info Tech
Internet Consultancy & Webdesign

Mail pgpkey@vanramselaar.nl to get my G/PGP Public Key.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQE/2zCYtQzUJRIC2pURAsyNAJ0V/lFyiggnq2Ts36ESTLChVrk8MwCg2T9h
1kCTQudoS2/FSG/zlkjEFd0=
=2xV7
-----END PGP SIGNATURE-----

From robin at PRIMUS.CA Sat Dec 13 15:24:02 2003
From: robin at PRIMUS.CA (Robin M.)
Date: Thu Jan 12 21:21:31 2006
Subject: graceful shutdown
Message-ID:

What is the best way to shut MailScanner down.
the check_mailscanner does not seem to take a stop argument.

If I do
kill `/usr/sbin/check_mailscanner`
will this cause a problem with mail that it is currently working on ?

From eja at URBAKKEN.DK Sat Dec 13 15:48:24 2003
From: eja at URBAKKEN.DK (Erik Jakobsen) Date: Thu Jan 12 21:21:31 2006 Subject: Patch. In-Reply-To: <32787.10.10.0.101.1071329441.squirrel@intranet> References: <3FDB2D69.7040501@urbakken.dk> <32787.10.10.0.101.1071329441.squirrel@intranet> Message-ID: <3FDB34C8.9050706@urbakken.dk> Evert Jan van Ramselaar wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Erik Jakobsen said: > >>Hi I install MailScanner on a new server. The following is shown using >>the ./install.sh. What patch is it that is asking for ?. >>You need to install the patch command from your Linux distribution. >>Once you have done that, please try running this script again. > > > It is the "patch" command itself it is asking for. The command is either > not on your system or cannot be found in your PATH. Ok thank you for this nice information, and have a nice evening. > - -- > Evert Jan van Ramselaar > Van Ramselaar Info Tech > Internet Consultancy & Webdesign > > Mail pgpkey@vanramselaar.nl to get my G/PGP Public Key. > > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.0.7 (GNU/Linux) > > iD8DBQE/2zCYtQzUJRIC2pURAsyNAJ0V/lFyiggnq2Ts36ESTLChVrk8MwCg2T9h > 1kCTQudoS2/FSG/zlkjEFd0= > =2xV7 > -----END PGP SIGNATURE----- > > -- Med venlig hilsen - Best regards. Erik Jakobsen - eja@urbakken.dk. Licensed radioamateur with the callsign OZ4KK. SuSE Linux 8.2 Proff. Registered as user #319488 with the Linux Counter, http://counter.li.org. From mkettler at EVI-INC.COM Sat Dec 13 17:22:58 2003 
From: mkettler at EVI-INC.COM (Matt Kettler)
Date: Thu Jan 12 21:21:31 2006
Subject: graceful shutdown
In-Reply-To:
References:
Message-ID: <6.0.0.22.0.20031213122133.022f0708@xanadu.evi-inc.com>

At 10:24 AM 12/13/2003, Robin M. wrote:
>What is the best way to shut MailScanner down.
>the check_mailscanner does not seem to take a stop argument.

Most current versions come with an init script... run that and pass it "stop".

Where exactly init scripts go is a bit dependent on your OS vendor.. typically /etc/init.d and /etc/rc.d/init.d are good candidates to check on linux boxes.

/etc/init.d/MailScanner stop

From rgutlon at YAHOO.COM Sat Dec 13 17:13:00 2003
From: rgutlon at YAHOO.COM (Rick G)
Date: Thu Jan 12 21:21:32 2006
Subject: MailScanner and FormMail Exploits
Message-ID:

I've noticed in our maillog that when web-based email forms are submitted they do not pass through MailScanner.

I bring this up as a site I host recently had a spammer exploit (what was reported to be) a hack-proof perl based FormMail script. I became aware of this when the bounces and rejections started to arrive in the postmaster mailbox. In looking at the content of the spam message, it would have been caught as spam had it been intercepted by MailScanner.

Is there a way to configure MailScanner and/or any of the rulesets so that submitted web-based forms run through the typical MailScanner checks?

Rick

From steve.swaney at FSL.COM Sat Dec 13 17:26:37 2003
From: steve.swaney at FSL.COM (Stephen Swaney)
Date: Thu Jan 12 21:21:32 2006
Subject: graceful shutdown
In-Reply-To:
Message-ID: <20031213172618.D1B1321C27B@mail.fsl.com>

> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On
> Behalf Of Robin M.
> Sent: Saturday, December 13, 2003 10:24 AM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: graceful shutdown
>
> If I do
> kill `/usr/sbin/check_mailscanner`
> will this cause a problem with mail that it is currently working on ?

This will not work. Mail will still be received but since MailScanner is not running, this mail will just pile up in the incoming mail queue. It will not be processed, delivered or relayed.

Steve

Stephen Swaney
President
Fortress Systems Ltd.
steve.swaney@fsl.com
www.FSL.com

From mailscanner at ecs.soton.ac.uk Sat Dec 13 17:38:29 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:21:32 2006
Subject: MaliScanner config in LDAP
In-Reply-To: <3FDB2D04.7020605@sghms.ac.uk>
References: <3FDB2D04.7020605@sghms.ac.uk>
Message-ID: <6.0.1.1.2.20031213173801.0282e4f0@imap.ecs.soton.ac.uk>

At 15:15 13/12/2003, you wrote:
>Hi, I noticed in the "barracudanetworks devices" thread a reference to
>storing the config in LDAP. Also, I've seen some code in Config.pm that
>will search for values from an LDAP server.
>
>My question is are there any docs on setting it up?

Not yet, sorry. I will get around to it some time...

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Sat Dec 13 17:46:15 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:32 2006 Subject: MailScanner and FormMail Exploits In-Reply-To: References: Message-ID: <6.0.1.1.2.20031213174348.028a4e68@imap.ecs.soton.ac.uk> At 17:13 13/12/2003, you wrote: >I've noticed in our maillog that when web-based email forms are submitted >they do not pass through MailScanner. > >I bring this up as a site I host recently had a spammer exploit (what was >reported to be) a hack-proof perl based FormMail script. I became aware of >this when the bounces and rejections started to arrive in the postmaster >mailbox. In looking at the content of the spam message, it would have been >caught as spam had it been intercepted by MailScanner. > >Is there a way to configure MailScanner and/or any of the rulesets so that >submitted web-based forms run through the typical MailScanner checks? Your problem is that you are running a fairly old sendmail and the form handler code is invoking the sendmail binary directly. You either need to configure it so that it talks SMTP to localhost to send its mail, or else upgrade to a more recent sendmail that has the clientmqueue stuff. -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Sat Dec 13 17:37:47 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:32 2006 Subject: Internet Explorer URL Display problem In-Reply-To: References: <6.0.1.1.2.20031213102117.04f14d68@imap.ecs.soton.ac.uk> Message-ID: <6.0.1.1.2.20031213173717.028221b8@imap.ecs.soton.ac.uk> No. At 12:46 13/12/2003, you wrote: >Is there a minimum version of MS & SA that is required for this to work? > > > so add this to spam.assassin.prefs.conf: > > > > uri IE_VULN /%([01][0-9a-f]|7f).*@/i > > score IE_VULN 100.0 > > describe IE_VULN Internet Explorer vulnerability > > > > and then restart MailScanner. -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Sat Dec 13 17:43:25 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:32 2006 Subject: graceful shutdown In-Reply-To: <20031213172618.D1B1321C27B@mail.fsl.com> References: <20031213172618.D1B1321C27B@mail.fsl.com> Message-ID: <6.0.1.1.2.20031213173956.02892e60@imap.ecs.soton.ac.uk> At 17:26 13/12/2003, you wrote: > > -----Original Message----- 
> > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On
> > Behalf Of Robin M.
> > Sent: Saturday, December 13, 2003 10:24 AM
> > To: MAILSCANNER@JISCMAIL.AC.UK
> > Subject: graceful shutdown
> >
> > If I do
> > kill `/usr/sbin/check_mailscanner`
> > will this cause a problem with mail that it is currently working on ?
>
>This will not work. Mail will still be received but since MailScanner is not
>running, this mail will just pile up in the incoming mail queue. It will not
>be processed, delivered or relayed.

In the MailScanner.conf file, there is a definition "PID file" which is the name of the file that holds the main PID. Kill that process and give it 10 to 15 seconds to shut down tidily, at the end of which there should be no MailScanner processes running.

However, as Steve says, the incoming and outgoing sendmails will still be running, so your system is still accepting mail but doing nothing with it. So it will just collect in the mqueue.in and will not be delivered.

If you want to stop MailScanner and start your original mail configuration so that mail is still delivered, but not scanned, then

service MailScanner stop
sleep 15
service sendmail start
mv /var/spool/mqueue.in/* /var/spool/mqueue

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From robin at PRIMUS.CA Sat Dec 13 17:49:12 2003
From: robin at PRIMUS.CA (Robin M.)
Date: Thu Jan 12 21:21:32 2006
Subject: graceful shutdown
In-Reply-To: <20031213172618.D1B1321C27B@mail.fsl.com>
References: <20031213172618.D1B1321C27B@mail.fsl.com>
Message-ID:

On Sat, 13 Dec 2003, Stephen Swaney wrote:
> > If I do
> > kill `/usr/sbin/check_mailscanner`
> > will this cause a problem with mail that it is currently working on ?
>
> This will not work. Mail will still be received but since MailScanner is not
> running, this mail will just pile up in the incoming mail queue. It will not
> be processed, delivered or relayed.
>
That's ok I have a separate script for the postfix in and out, and one just for MailScanner. I do not have a redhat/suse linux so I want to just issue the command that will gracefully stop just MailScanner. Having the queue pile up is not a concern but I just do not want MailScanner to be interrupted in the middle of processing a message and then possibly delete or corrupt it.

Looking through the rpm I see the line

killproc MailScanner -15

killproc is a redhat/suse function and it appears that it will basically do

kill -15 `/usr/sbin/check_mailscanner`

as long as MailScanner is running the output of /usr/sbin/check_mailscanner is to print out the pids.

From mailscanner at ecs.soton.ac.uk Sat Dec 13 18:57:03 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:21:32 2006
Subject: graceful shutdown
In-Reply-To:
References: <20031213172618.D1B1321C27B@mail.fsl.com>
Message-ID: <6.0.1.1.2.20031213185333.0289e108@imap.ecs.soton.ac.uk>

At 17:49 13/12/2003, you wrote:
>On Sat, 13 Dec 2003, Stephen Swaney wrote:
> > > If I do
> > > kill `/usr/sbin/check_mailscanner`
> > > will this cause a problem with mail that it is currently working on ?
> >
> > This will not work. Mail will still be received but since MailScanner is not
> > running, this mail will just pile up in the incoming mail queue. It will not
> > be processed, delivered or relayed.
> >
>That's ok I have a separate script for the postfix in and out, and one just
>for MailScanner. I do not have a redhat/suse linux so I want to just issue
>the command that will gracefully stop just MailScanner. Having the queue
>pile up is not a concern but I just do not want MailScanner to be
>interrupted in the middle of processing a message and then possibly delete
>or corrupt it.

Don't worry, that can't happen. MailScanner never actually takes ownership of a message at all. You can kill the MailScanner processes any way you like, but if you do it with a simple "kill" command then they will tidy up all their temporary working directories before shutting down, so you don't leave stray temp dirs behind.

>Looking through the rpm I see the line
>killproc MailScanner -15
>
>killproc is a redhat/suse function and it appears that it will basically
>do
>
>kill -15 `/usr/sbin/check_mailscanner`

It's a bit more complicated than that, as running check_mailscanner will output some words other than the actual list of PIDs. It prints out "MailScanner running with pid" as well as the PIDs themselves.
So you could do

kill `/usr/sbin/check_mailscanner | sed -e 's/^MailScanner running with pid//'`

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From faq at mailscanner.info Sun Dec 14 00:28:05 2003
From: faq at mailscanner.info (faq@mailscanner.info)
Date: Thu Jan 12 21:21:32 2006
Subject: Faq-O-Matic Error Log
Message-ID: <200312140028.hBE0S56V025881@seer.ecs.soton.ac.uk>

Errors from MailScanner Faq-O-Matic (v. 2.717):

2003-12-08-05-51-22 2.717 error faq 26352 <(noID)> The file (16>) doesn't exist.

From rgutlon at YAHOO.COM Sat Dec 13 20:08:38 2003
From: rgutlon at YAHOO.COM (Rick G)
Date: Thu Jan 12 21:21:32 2006
Subject: MailScanner and FormMail Exploits
Message-ID:

Thank you Julian. As a quick fix I switched the forms to SMTP and noticed the submissions are being intercepted and run through the normal checks by MailScanner.

On Sat, 13 Dec 2003 17:46:15 +0000, Julian Field wrote:
>Your problem is that you are running a fairly old sendmail and the form
>handler code is invoking the sendmail binary directly. You either need to
>configure it so that it talks SMTP to localhost to send its mail, or else
>upgrade to a more recent sendmail that has the clientmqueue stuff.
>--
>Julian Field
>www.MailScanner.info
>Professional Support Services at www.MailScanner.biz
>MailScanner thanks transtec Computers for their support
>PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From Jon.Beets at PACER.COM Sat Dec 13 20:37:13 2003
From: Jon.Beets at PACER.COM (Jon Beets) Date: Thu Jan 12 21:21:32 2006 Subject: IPBlock and RaQ Message-ID: <000601c3c1b8$e40e1fe0$6401a8c0@pgx01> I apologize in advance for being an idiot.. :) I have MailScanner 4.26-1 installed on my RaQ 550.. I cannot locate the IPBlock settings on any of the .conf files.. Am I still looking in the wrong place or does it not exist in the MailScanner version I am running? I have already searched the archives.. ( I am a relative newbie to *nix). Jon Beets From ryan.egeland at OXAMER.COM Sat Dec 13 20:41:28 2003 
From: ryan.egeland at OXAMER.COM (Ryan D. Egeland)
Date: Thu Jan 12 21:21:32 2006
Subject: Oversight in MailScanner's Bayes Implementation?
Message-ID: <6.0.1.1.2.20031213202239.04ac3818@egeland.net>

It appears the Bayes feature available through spamassassin specifically the way MailScanner implements it evaluates all incoming mail in a bulk fashion, i.e. each individual user does not have his own Bayes database.

Is my assumption correct?

If so, it seems the power of the Bayes analysis seems markedly reduced through the default MailScanner configuration. As the accuracy of the Bayes algorithm relies upon the specific patterns unique to each individual user's collection of spam and ham, processing all incoming mail to a single Bayes database seems less powerful than per-user databases.

Of course, with a small number of users receiving similar types of incoming ham and spam, the decrease in Bayes accuracy might not be noticeable. But with larger variations in incoming mail between users, could this not reduce the power of the Bayes implementation to the standard of the traditional spamassassin rules? My own experience seems to suggest so. A recent addition of a user with quite different spam and ham patterns from others on the same server seemed to qualitatively increase the false negatives for all users. Migration of his account to a separate server immediately restored the spam detection accuracy.

I'm sure per-user databases would be possible through a hack of MailScanner, but might their default availability in a future release enhance MailScanner's sophistication?

From isp-list at TULSACONNECT.COM Sat Dec 13 21:45:25 2003
From: isp-list at TULSACONNECT.COM (ISP List) Date: Thu Jan 12 21:21:32 2006 Subject: Oversight in MailScanner's Bayes Implementation? In-Reply-To: <6.0.1.1.2.20031213202239.04ac3818@egeland.net> Message-ID: <5.2.1.1.2.20031213154310.070d0ea0@securemail.tulsaconnect.com> At 08:41 PM 12/13/2003 +0000, Ryan D. Egeland wrote: >It appears the Bayes feature available through spamassassin specifically >the way MailScanner implements it evaluates all incoming mail in a bulk >fashion, i.e. each individual user does not have his own Bayes database. > >Is my assumption correct? Yes. >If so, it seems the power of the Bayes analysis seems markedly reduced >through the default MailScanner configuration. Somewhat, maybe. However, there is no practical/scalable way to implement a per-user Bayes database that MailScanner (or rather, SA) checks that I can think of. The best approach is to use MailScanner+SA at the relays and let the user do a second line of Bayesian filtering on their mail client (many of which are adding Bayesian stuff, e.g. Mozilla Mail/Thunderbird, Eudora 6.0, SpamBayes for Outlook, and others..) --------------------------------------- Mike Bacher / mike@sparklogic.com SparkLogic Development / ISP Consulting Use OptiGold ISP? Check out OptiSkin! http://www.sparklogic.com/optiskin/ --------------------------------------- From mkettler at EVI-INC.COM Sat Dec 13 21:59:53 2003 
From: mkettler at EVI-INC.COM (Matt Kettler)
Date: Thu Jan 12 21:21:32 2006
Subject: Oversight in MailScanner's Bayes Implementation?
In-Reply-To: <6.0.1.1.2.20031213202239.04ac3818@egeland.net>
References: <6.0.1.1.2.20031213202239.04ac3818@egeland.net>
Message-ID: <6.0.0.22.0.20031213164609.02307e88@xanadu.evi-inc.com>

At 03:41 PM 12/13/2003, Ryan D. Egeland wrote:
>It appears the Bayes feature available through spamassassin specifically
>the way MailScanner implements it evaluates all incoming mail in a bulk
>fashion, i.e. each individual user does not have his own Bayes database.
>
>Is my assumption correct?

Yes, that is correct. However, the default manner in which SA processes bayes makes per-user bayes an impossibility on many mailservers.

You see, in order to do per-user bayes the way SA does it, you need an account for every user on your server. Many mailservers that run MailScanner are relaying servers, like mine. This means that my mailserver doesn't have accounts or home directories per-user.

Yes, it's well known you get reduced accuracy by doing an aggregate bayes database, but it's not THAT significant in most real-world cases. In fact, in some real-world cases you get *better* accuracy, because some users get too little mail to ever have enough tokens in their bayes DB, and thus can't reap the benefits if the implementation is per-user.

The only significant case where per-user matters a lot is where all your users get enough mail to have large bayes DBs, and you have two sub-groups which have conflicting spam/nonspam email patterns. ie: if you bayes together a bunch of sysadmins and a bunch of mortgage brokers, you're going to have problems.

It's theoretically possible for MailScanner to do per-user bayes with some substantial work on Julian's part, but I'd question the value of it. If you realistically think it's that big a deal, do some side-by-side tests with corpora, and generate some hard factual statistics that show just how bad it is..
But I can tell you from my real-world experience using bayes with mailscanner in a site-wide mode for a 100ish-user corporate network, it works quite well. From mailscanner at ecs.soton.ac.uk Sun Dec 14 11:31:06 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:32 2006 Subject: IPBlock and RaQ In-Reply-To: <000601c3c1b8$e40e1fe0$6401a8c0@pgx01> References: <000601c3c1b8$e40e1fe0$6401a8c0@pgx01> Message-ID: <6.0.1.1.2.20031214112850.028acaf8@imap.ecs.soton.ac.uk> Read /usr/lib/MailScanner/MailScanner/CustomConfig.pm and search for IPBlock. There is a bunch of docs in there that will tell you how to add this feature very simply. I haven't made it into a mainstream feature as it currently only works with sendmail. If anyone wants to take a look at it and work out how to do similar controls for postfix, zmailer and exim, I would very much appreciate it. At 20:37 13/12/2003, you wrote: >I apologize in advance for being an idiot.. :) > >I have MailScanner 4.26-1 installed on my RaQ 550.. I cannot locate the >IPBlock settings on any of the .conf files.. Am I still looking in the wrong >place or does it not exist in the MailScanner version I am running? I have >already searched the archives.. ( I am a relative newbie to *nix). > >Jon Beets -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From wppiphoto at wppi.com Sun Dec 14 18:03:18 2003 
From: wppiphoto at wppi.com (SW) Date: Thu Jan 12 21:21:32 2006 Subject: Mailscanner not scanning e-mails Message-ID: <005301c3c26c$8d9dee60$3a95a644@Toshiba> I've installed Mailscanner 4.25-14 on a Raq3 server but I think I did something wrong because e-mails are not being scanned by mailscanner (no e-mail headers are being added X-MailScanner). I've checked to make sure mailscanner is running and everything seems fine: [root@ns1 admin]# ps auxw | grep -i mail root 690 0.0 4.1 11728 10596 ? S 03:26 0:00 perl -I/usr/lib/MailScanner /usr/sbin/MailScanner /etc/MailScanner/Ma root 693 0.0 0.0 0 0 ? Z 03:26 0:00 [MailScanner ] root 809 0.0 0.0 0 0 ? Z 03:26 0:00 [MailScanner ] root 813 0.0 0.0 0 0 ? Z 03:26 0:00 [MailScanner ] root 821 0.0 0.0 0 0 ? Z 03:26 0:00 [MailScanner ] root 25062 0.0 0.5 2364 1344 ? S 11:31 0:00 sendmail: server pcp03455749pcs.csouth01.va.comcast.net [68.57.171.42 root 25083 0.0 0.5 2388 1404 ? S 11:31 0:00 sendmail: LAA25083 pcp03455749pcs.csouth01.va.comcast.net [68.57.171. root 26616 0.0 0.8 3284 2124 ? S 12:01 0:00 perl /usr/lib/MailScanner/f-prot-autoupdate /usr/local/f-prot root 26892 0.0 0.4 2048 1072 ? S 12:04 0:00 sendmail: accepting connections on port 25 root 27853 0.0 0.5 2640 1396 ? S 12:25 0:00 sendmail: MAA27851 mail.labalaba.com.: user open root 28090 0.0 0.5 2640 1412 ? S 12:30 0:00 sendmail: MAA28088 c240.dsg.uniroma1.it.: user open root 28466 21.0 0.0 0 0 ? Z 12:37 0:00 [MailScanner ] root 28468 0.0 0.1 1196 472 pts/0 S 12:37 0:00 grep -i mail I think my problem occurred when I tried to follow the instructions I followed ( ) about moving the mqueue/q*/* etc. Can someone help on what I should have in sendmail.conf and Mailscanner.conf to scan e-mails. BTW, I also installed f-prot and spamassassin on this machine to work with mailscanner. Thanks, SW From Jon.Beets at PACER.COM Sun Dec 14 17:44:24 2003
From: Jon.Beets at PACER.COM (Jon Beets) Date: Thu Jan 12 21:21:32 2006 Subject: IPBlock and RaQ - Fixed.. But now a new problem In-Reply-To: <6.0.1.1.2.20031214112850.028acaf8@imap.ecs.soton.ac.uk> Message-ID: <003001c3c26b$3d83c180$6401a8c0@pgx01> I did find it and have it working Thanks... My problem now is after upgrading sendmail and restarting MailScanner I get a SASL warning: incoming sendmail: Warning: Option: AuthMechanisms requires SASL support (-DSASL) Warning: Option: CACERTPath requires TLS support ok outgoing sendmail: Warning: Option: AuthMechanisms requires SASL support (-DSASL) Warning: Option: CACERTPath requires TLS support ok I found what appears to be a fix but am wary of doing it since it seems somewhat involved and requires cyrus-ssl to be installed... Jon -----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Julian Field Sent: Sunday, December 14, 2003 5:31 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: IPBlock and RaQ Read /usr/lib/MailScanner/MailScanner/CustomConfig.pm and search for IPBlock. There is a bunch of docs in there that will tell you how to add this feature very simply. I haven't made it into a mainstream feature as it currently only works with sendmail. If anyone wants to take a look at it and work out how to do similar controls for postfix, zmailer and exim, I would very much appreciate it. At 20:37 13/12/2003, you wrote: >I apologize in advance for being an idiot.. :) > >I have MailScanner 4.26-1 installed on my RaQ 550.. I cannot locate the >IPBlock settings on any of the .conf files.. Am I still looking in the wrong >place or does it not exist in the MailScanner version I am running? I have >already searched the archives.. ( I am a relative newbie to *nix). > >Jon Beets -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From raymond at PROLOCATION.NET Sun Dec 14 18:21:45 2003 
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:21:32 2006 Subject: Mailscanner not scanning e-mails In-Reply-To: <005301c3c26c$8d9dee60$3a95a644@Toshiba> Message-ID: Hi! > /usr/lib/MailScanner/f-prot-autoupdate /usr/local/f-prot > root 26892 0.0 0.4 2048 1072 ? S 12:04 0:00 sendmail: > accepting connections on port 25 > root 27853 0.0 0.5 2640 1396 ? S 12:25 0:00 sendmail: > MAA27851 mail.labalaba.com.: user open > root 28090 0.0 0.5 2640 1412 ? S 12:30 0:00 sendmail: > MAA28088 c240.dsg.uniroma1.it.: user open > root 28466 21.0 0.0 0 0 ? Z 12:37 0:00 [MailScanner > ] > root 28468 0.0 0.1 1196 472 pts/0 S 12:37 0:00 grep -i mail > > I think my problem occurred when I tried to follow the instructions I > followed ( ) about moving the mqueue/q*/* etc. Can someone help on what I > should have in sendmail.conf and Mailscanner.conf to scan e-mails. > > BTW, I also installed f-prot and spamassassin on this machine to work with > mailscanner. Analyze this step by step. Take out SpamAssassin in your config and restart. Most likely you have a configuration issue... Bye, Raymond. From mailscanner at ecs.soton.ac.uk Sun Dec 14 18:31:18 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:32 2006 Subject: Mailscanner not scanning e-mails In-Reply-To: <005301c3c26c$8d9dee60$3a95a644@Toshiba> References: <005301c3c26c$8d9dee60$3a95a644@Toshiba> Message-ID: <6.0.1.1.2.20031214182955.03694250@imap.ecs.soton.ac.uk> At 18:03 14/12/2003, you wrote: >root 693 0.0 0.0 0 0 ? Z 03:26 0:00 [MailScanner >] >root 809 0.0 0.0 0 0 ? Z 03:26 0:00 [MailScanner >] >root 813 0.0 0.0 0 0 ? Z 03:26 0:00 [MailScanner >] >root 821 0.0 0.0 0 0 ? Z 03:26 0:00 [MailScanner >] Take a look at MailScanner entries in your maillog. Looks like a configuration error. Best idea is to start from a default setup with no local tweaks at all, then slowly introduce the extras. -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From wppiphoto at wppi.com Sun Dec 14 18:38:21 2003 
From: wppiphoto at wppi.com (SW) Date: Thu Jan 12 21:21:32 2006 Subject: Mailscanner not scanning e-mails References: Message-ID: <00a701c3c271$73228140$3a95a644@Toshiba> Raymond, I've tried that, Mailscanner never really scanned any e-mails. It starts fine and runs but it doesn't scan any incoming or outgoing e-mails. This is why I think something is wrong w/ where mailscanner looks for incoming/outgoing e-mails and where cobalt sendmail puts them. Also, when I try to run /etc/rc.d/init.d/Mailscanner stop or stop, I get the following error message: [root@ns1 admin]# /etc/rc.d/init.d/MailScanner start Starting MailScanner daemons: incoming sendmail: 554 readcf: unknown option name PidFile ok outgoing sendmail: readcf: unknown option name PidFile ok MailScanner: ok [root@ns1 admin]# /etc/rc.d/init.d/MailScanner stop Shutting down MailScanner daemons: MailScanner: MailScanner ok incoming sendmail: head: /var/run/sendmail.in.pid: No such file or directory ok outgoing sendmail: head: /var/run/sendmail.out.pid: No such file or directory ok I've read some e-mails which say that is due to Cobalt using sendmail v. 8.9.3. Thanks, SW ----- Original Message -----
From: "Raymond Dijkxhoorn" To: Sent: Sunday, December 14, 2003 1:21 PM Subject: Re: Mailscanner not scanning e-mails Hi! > /usr/lib/MailScanner/f-prot-autoupdate /usr/local/f-prot > root 26892 0.0 0.4 2048 1072 ? S 12:04 0:00 sendmail: > accepting connections on port 25 > root 27853 0.0 0.5 2640 1396 ? S 12:25 0:00 sendmail: > MAA27851 mail.labalaba.com.: user open > root 28090 0.0 0.5 2640 1412 ? S 12:30 0:00 sendmail: > MAA28088 c240.dsg.uniroma1.it.: user open > root 28466 21.0 0.0 0 0 ? Z 12:37 0:00 [MailScanner > ] > root 28468 0.0 0.1 1196 472 pts/0 S 12:37 0:00 grep -i mail > > I think my problem occurred when I tried to follow the instructions I > followed ( ) about moving the mqueue/q*/* etc. Can someone help on what I > should have in sendmail.conf and Mailscanner.conf to scan e-mails. > > BTW, I also installed f-prot and spamassassin on this machine to work with > mailscanner. Analyze this step by step. Take out SpamAssassin in your config and restart. Most likely you have a configuration issue... Bye, Raymond. From wppiphoto at wppi.com Sun Dec 14 19:08:52 2003
From: wppiphoto at wppi.com (SW) Date: Thu Jan 12 21:21:32 2006 Subject: Mailscanner not scanning e-mails References: <005301c3c26c$8d9dee60$3a95a644@Toshiba> <6.0.1.1.2.20031214182955.03694250@imap.ecs.soton.ac.uk> Message-ID: <00c601c3c275$c0327400$3a95a644@Toshiba> Julian, Yeap, you were right. It seemed that in mailscanner.conf, virus scanners = I was missing the 's' at the end of scanners. I fixed that and now in my logs I see the following: Dec 14 13:45:22 ns1 MailScanner[697]: MailScanner E-Mail Virus Scanner version 4.25-14 starting... Dec 14 13:45:23 ns1 sendmail[730]: starting daemon (8.9.3): SMTP+queueing@01:00:00 Dec 14 13:45:32 ns1 MailScanner[810]: MailScanner E-Mail Virus Scanner version 4.25-14 starting... Dec 14 13:45:33 ns1 MailScanner[697]: Using locktype = flock Dec 14 13:45:33 ns1 MailScanner[697]: New Batch: Found 6 messages waiting Dec 14 13:45:33 ns1 MailScanner[697]: New Batch: Scanning 4 messages, 4618 bytes Dec 14 13:45:33 ns1 MailScanner[697]: Spam Checks: Starting Dec 14 13:45:38 ns1 MailScanner[810]: Using locktype = flock Dec 14 13:45:42 ns1 MailScanner[819]: MailScanner E-Mail Virus Scanner version 4.25-14 starting... Dec 14 13:45:43 ns1 MailScanner[697]: RBL Check ORDB-RBL timed out and was killed, consecutive failure 1 of 7 Dec 14 13:45:49 ns1 MailScanner[819]: Using locktype = flock Dec 14 13:45:53 ns1 MailScanner[838]: MailScanner E-Mail Virus Scanner version 4.25-14 starting... Dec 14 13:45:53 ns1 MailScanner[697]: Virus and Content Scanning: Starting Dec 14 13:45:55 ns1 MailScanner[697]: Uninfected: Delivered 4 messages Dec 14 13:46:00 ns1 MailScanner[838]: Using locktype = flock Dec 14 13:46:02 ns1 MailScanner[870]: MailScanner E-Mail Virus Scanner version 4.25-14 starting... Dec 14 13:46:08 ns1 MailScanner[870]: Using locktype = flock But still no header info in the e-mails. I think Mailscanner is looking somewhere where there are 4 old messages which it scans but are not delivered. Does this make any sense?
The RBL check failing is I think due to our firewall which blocks entire IP blocks. I need to check what IP it uses and port to allow traffic out/in thru our firewall. Thanks for all the help! SW ----- Original Message ----- From: "Julian Field" To: Sent: Sunday, December 14, 2003 1:31 PM Subject: Re: Mailscanner not scanning e-mails At 18:03 14/12/2003, you wrote: >root 693 0.0 0.0 0 0 ? Z 03:26 0:00 [MailScanner >] >root 809 0.0 0.0 0 0 ? Z 03:26 0:00 [MailScanner >] >root 813 0.0 0.0 0 0 ? Z 03:26 0:00 [MailScanner >] >root 821 0.0 0.0 0 0 ? Z 03:26 0:00 [MailScanner >] Take a look at MailScanner entries in your maillog. Looks like a configuration error. Best idea is to start from a default setup with no local tweaks at all, then slowly introduce the extras. -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Sun Dec 14 19:49:40 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:32 2006 Subject: Mailscanner not scanning e-mails In-Reply-To: <00c601c3c275$c0327400$3a95a644@Toshiba> References: <005301c3c26c$8d9dee60$3a95a644@Toshiba> <6.0.1.1.2.20031214182955.03694250@imap.ecs.soton.ac.uk> <00c601c3c275$c0327400$3a95a644@Toshiba> Message-ID: <6.0.1.1.2.20031214194839.03730ec0@imap.ecs.soton.ac.uk> If you are running 8.9.3, then MailScanner won't scan mail created by invoking the sendmail binary directly. You need to tell whatever you are using to send mail via an SMTP server called localhost. At 19:08 14/12/2003, you wrote: >Julian, > >Yeap, you were right. It seemed that in mailscanner.conf, virus scanners = >I was missing the 's' at the end of scanners. I fixed that and now in my >logs I see the following: > >Dec 14 13:45:22 ns1 MailScanner[697]: MailScanner E-Mail Virus Scanner >version 4.25-14 starting... >Dec 14 13:45:23 ns1 sendmail[730]: starting daemon (8.9.3): >SMTP+queueing@01:00:00 >Dec 14 13:45:32 ns1 MailScanner[810]: MailScanner E-Mail Virus Scanner >version 4.25-14 starting... >Dec 14 13:45:33 ns1 MailScanner[697]: Using locktype = flock >Dec 14 13:45:33 ns1 MailScanner[697]: New Batch: Found 6 messages waiting >Dec 14 13:45:33 ns1 MailScanner[697]: New Batch: Scanning 4 messages, 4618 >bytes >Dec 14 13:45:33 ns1 MailScanner[697]: Spam Checks: Starting >Dec 14 13:45:38 ns1 MailScanner[810]: Using locktype = flock >Dec 14 13:45:42 ns1 MailScanner[819]: MailScanner E-Mail Virus Scanner >version 4.25-14 starting... >Dec 14 13:45:43 ns1 MailScanner[697]: RBL Check ORDB-RBL timed out and was >killed, consecutive failure 1 of 7 >Dec 14 13:45:49 ns1 MailScanner[819]: Using locktype = flock >Dec 14 13:45:53 ns1 MailScanner[838]: MailScanner E-Mail Virus Scanner >version 4.25-14 starting... 
>Dec 14 13:45:53 ns1 MailScanner[697]: Virus and Content Scanning: Starting >Dec 14 13:45:55 ns1 MailScanner[697]: Uninfected: Delivered 4 messages >Dec 14 13:46:00 ns1 MailScanner[838]: Using locktype = flock >Dec 14 13:46:02 ns1 MailScanner[870]: MailScanner E-Mail Virus Scanner >version 4.25-14 starting... >Dec 14 13:46:08 ns1 MailScanner[870]: Using locktype = flock > >But still no header info in the e-mails. I think Mailscanner is looking >somewhere where there are 4 old messges which it scans but are not >delivered. Does this make any sense? > >The RBL check failing is I think due to our firewall which blocks entire IP >blocks. I need to check what IP it uses and port to allow traffic out/in >thru our firewall. > >Thanks for all the help! > >SW >----- Original Message ----- >From: "Julian Field" >To: >Sent: Sunday, December 14, 2003 1:31 PM >Subject: Re: Mailscanner not scanning e-mails > > >At 18:03 14/12/2003, you wrote: > >root 693 0.0 0.0 0 0 ? Z 03:26 0:00 [MailScanner > >] > >root 809 0.0 0.0 0 0 ? Z 03:26 0:00 [MailScanner > >] > >root 813 0.0 0.0 0 0 ? Z 03:26 0:00 [MailScanner > >] > >root 821 0.0 0.0 0 0 ? Z 03:26 0:00 [MailScanner > >] > >Take a look at MailScanner entries in your maillog. Looks like a >configuration error. Best idea is to start from a default setup with no >local tweaks at all, then slowly introduce the extras. >-- >Julian Field >www.MailScanner.info >Professional Support Services at www.MailScanner.biz >MailScanner thanks transtec Computers for their support >PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From drew at THEMARSHALLS.CO.UK Sun Dec 14 20:33:34 2003 
From: drew at THEMARSHALLS.CO.UK (Drew Marshall) Date: Thu Jan 12 21:21:32 2006 Subject: Postfix message duplication - again! Message-ID: <3FDCC91E.9070902@themarshalls.co.uk> I have read many threads on both the MailScanner mailing list and the Postfix groups about this problem but haven't yet seen a solution. I guess the first question is, is there a solution? I love MS and have done since I first deployed it on my first trip to Linux (On Sendmail) and latterly, having got fed up with the patching required, on Postfix (When the MS for Postfix first was released). I have only recently been having these duplication problems and started looking for answers to find the author of Postfix says not to use MailScanner as it 'Gropes mail files from the active queue'. While understandable from his point of view, not helpful to me, an inexperienced *nix admin just looking to implement easy, fast and safe computing for my users (Hence my love for Postfix and MailScanner, both excellent, fast and simple to administer). I have played with Exim but disliked its config setup and seemed very complex to set up to use my MySQL alias database, domain list etc. I also played with AMAVIS-new (For two hours and gave up when I found the full extent of the feature set!) which is 'approved for Postfix use'. If there is no current cure for the Postfix problem, is there any way to pipe the mail to MailScanner or even bolt a SMTP engine to it to receive the mail like AMAVIS (Which would then extend MS for use with all MTAs?!)? Sorry for the long post but I am quite passionate about this one ;-) Regards From mark.carbonaro at IT.ALSTOM.COM.AU Sun Dec 14 21:28:55 2003
From: mark.carbonaro at IT.ALSTOM.COM.AU (Mark Carbonaro) Date: Thu Jan 12 21:21:32 2006 Subject: Nested rulesets or Multiple ruleset conditions Message-ID: I have a need to use a nested ruleset within MS. Is this possible? I am unable to find anything in the documentation about this. To help understand my reason here is my scenario... One division of my company needs to relay (almost) all email off a third party (they provide virus scanning services, it's political & not something I can change). We have a central SMTP server that runs Postfix & MS and I am able to send route all email successfully by having 2 outbound Postfix queues (and 2 instances of outbound postfix), the first queue delivers directly while the second sends all email to the relay (for scanning etc). I did this by using a ruleset on the outbound queue config line (works great), all email from that server (192.168.0.29) is put in the second queue and off she goes. The problem is that there is one mailbox on that server that should not be sent via the second queue (I can't go into details why, it just can't :-), that server is running MSExchange 5.5 so my email routing options are very limited. My way of thinking is to implement a nested ruleset that looks like this...

ruleset1.rules
From: 192.168.0.29 /opt/MailScanner/etc/rules/ruleset2.rules
FromorTo: default /var/spool/postfix/incoming

ruleset2.rules
From: *@mycompany.com /var/spool/postfix.thirdparty/incoming
FromOrTo: default /var/spool/postfix/incoming

To avoid mail routing loops (if that's possible) I don't want to just have one ruleset with *@mycompany.com as some of our monitoring equipment uses an @mycompany.com email address and they are sent to @mycompany.com addresses. Or is it possible to have multiple conditions in the ruleset, e.g.
From: 192.168.0.29 AND *@mycompany.com? I hope that all makes sense, maybe I'm just looking at this the wrong way, please feel free to provide suggestions on how I might do this better. Thank you for your time. Cheers, Mark _____________________________________________________________________ CONFIDENTIALITY: This e-mail and any attachments are confidential and may be privileged. If you are not a named recipient,please notify the sender immediately and do not disclose the contents to another person, use it for any purpose or store or copy the information in any medium. From csm-lists at CSMA.BIZ Sun Dec 14 23:04:56 2003 From: csm-lists at CSMA.BIZ (Corey S. McFadden) Date: Thu Jan 12 21:21:32 2006 Subject: OT: Linux Exchange Server Message-ID: <6.0.0.22.0.20031214175838.027ac7a8@mail.csma.biz> Sorry for the OT post, but I wanted to solicit some informed opinions and couldn't think of a better group... I was wondering what experiences anyone has had with some of the 3rd-party MS Exchange Server simulators for Linux. We evaluated a couple of solutions about a year ago without going very far with it, but are going to be revisiting the subject for a new client. (Have you seen Exchange Server 2003 CAL costs?!) In the past, OpenExchange looked very attractive, but we don't have any practical experience with it. Anyhow, if anyone can offer any personal experience with OpenExchange or any of the other products (off-list if you like) I would appreciate it! -Corey -- Corey S. McFadden & Associates, Technology Consultants main +1.215.689.4984 - direct +1.610.972.4347 c@csma.biz - www.csma.biz ********************************************* This message has been scanned for viruses and dangerous content, and is believed to be clean. From mike at CAMAROSS.NET Sun Dec 14 23:09:06 2003 
From: mike at CAMAROSS.NET (Mike Kercher) Date: Thu Jan 12 21:21:32 2006 Subject: Linux Exchange Server In-Reply-To: <6.0.0.22.0.20031214175838.027ac7a8@mail.csma.biz> Message-ID: <200312142308.hBEN8vxC016091@avwall.bladeware.com> I run 3 OpenExchange servers and like them very well. None of them accept email from the internet though. I run a MailScanner box in front of them and forward on using mailertable. I've had no problems with reliability or connection with MUA's. I'm pleased with the outcome. Mike > -----Original Message----- > From: MailScanner mailing list > [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Corey S. McFadden > Sent: Sunday, December 14, 2003 5:05 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: OT: Linux Exchange Server > > Sorry for the OT post, but I wanted to solicit some informed > opinions and couldn't think of a better group... > > I was wondering what experiences anyone has had with some of > the 3rd-party MS Exchange Server simulators for Linux. We > evaluated a couple of solutions about a year ago without > going very far with it, but are going to be revisiting the > subject for a new client. (Have you seen Exchange Server > 2003 CAL costs?!) In the past, OpenExchange looked very > attractive, but we don't have any practical experience with it. > > Anyhow, if anyone can offer any personal experience with > OpenExchange or any of the other products (off-list if you > like) I would appreciate it! > > -Corey > > > > -- > Corey S. McFadden & Associates, > Technology Consultants > main +1.215.689.4984 - direct +1.610.972.4347 c@csma.biz - > www.csma.biz > > > ********************************************* > This message has been scanned for viruses and dangerous > content, and is believed to be clean. > From mike at TC3NET.COM Sun Dec 14 23:12:07 2003 
From: mike at TC3NET.COM (Michael Baird) Date: Thu Jan 12 21:21:32 2006 Subject: Linux Exchange Server In-Reply-To: <200312142308.hBEN8vxC016091@avwall.bladeware.com> References: <200312142308.hBEN8vxC016091@avwall.bladeware.com> Message-ID: <1071443526.1697.15.camel@localhost.localdomain> Check out the bynari connector, http://www.bynari.net and ExchangeIT http://net-itech.com/america/products/pd_exchangeit.htm, of course Samsung Contact is out there, and one other one I can't remember which showed promise, openexchange isn't exactly low cost. Regards MIKE > I run 3 OpenExchange servers and like them very well. None of them accept > email from the internet though. I run a MailScanner box in front of them > and forward on using mailertable. I've had no problems with reliability or > connection with MUA's. I'm pleased with the outcome. > > Mike > > > > -----Original Message----- 
> > From: MailScanner mailing list > > [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Corey S. McFadden > > Sent: Sunday, December 14, 2003 5:05 PM > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: OT: Linux Exchange Server > > > > Sorry for the OT post, but I wanted to solicit some informed > > opinions and couldn't think of a better group... > > > > I was wondering what experiences anyone has had with some of > > the 3rd-party MS Exchange Server simulators for Linux. We > > evaluated a couple of solutions about a year ago without > > going very far with it, but are going to be revisiting the > > subject for a new client. (Have you seen Exchange Server > > 2003 CAL costs?!) In the past, OpenExchange looked very > > attractive, but we don't have any practical experience with it. > > > > Anyhow, if anyone can offer any personal experience with > > OpenExchange or any of the other products (off-list if you > > like) I would appreciate it! > > > > -Corey > > > > > > > > -- > > Corey S. McFadden & Associates, > > Technology Consultants > > main +1.215.689.4984 - direct +1.610.972.4347 c@csma.biz - > > www.csma.biz > > > > > > ********************************************* > > This message has been scanned for viruses and dangerous > > content, and is believed to be clean. > > > From sevans at FOUNDATION.SDSU.EDU Mon Dec 15 00:31:05 2003 From: sevans at FOUNDATION.SDSU.EDU (Steve Evans) Date: Thu Jan 12 21:21:32 2006 Subject: Linux Exchange Server Message-ID: <3A411846CD3C0D4CB3D8704F937353701641BB@be-00.foundation.sdsu.edu> I'm assuming you've done more research on the price of the CAL's than the Microsoft Exchange website? I don't anyone pays the $67 list price. Steve Evans SDSU Foundation -----Original Message----- 
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Corey S. McFadden Sent: Sunday, December 14, 2003 3:05 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: OT: Linux Exchange Server Sorry for the OT post, but I wanted to solicit some informed opinions and couldn't think of a better group... I was wondering what experiences anyone has had with some of the 3rd-party MS Exchange Server simulators for Linux. We evaluated a couple of solutions about a year ago without going very far with it, but are going to be revisiting the subject for a new client. (Have you seen Exchange Server 2003 CAL costs?!) In the past, OpenExchange looked very attractive, but we don't have any practical experience with it. Anyhow, if anyone can offer any personal experience with OpenExchange or any of the other products (off-list if you like) I would appreciate it! -Corey -- Corey S. McFadden & Associates, Technology Consultants main +1.215.689.4984 - direct +1.610.972.4347 c@csma.biz - www.csma.biz ********************************************* This message has been scanned for viruses and dangerous content, and is believed to be clean. From csm-lists at CSMA.BIZ Mon Dec 15 00:49:56 2003 
From: csm-lists at CSMA.BIZ (Corey S. McFadden) Date: Thu Jan 12 21:21:32 2006 Subject: Linux Exchange Server In-Reply-To: <3A411846CD3C0D4CB3D8704F937353701641BB@be-00.foundation.sdsu.edu> References: <3A411846CD3C0D4CB3D8704F937353701641BB@be-00.foundation.sdsu.edu> Message-ID: <6.0.0.22.0.20031214194612.03827380@mail.csma.biz> Sure. :-) I think it's easily half the list price when you get into any serious volume, but it's still based on a hard-count of devices or users. Some larger clients have expressed interest in concurrent (or unlimited...) license models, so we're looking into alternatives. Anyhow, thanks for the responses. -Corey At 07:31 PM 12/14/2003, you wrote: >I'm assuming you've done more research on the price of the CAL's than >the Microsoft Exchange website? I don't anyone pays the $67 list price. > > > >Steve Evans >SDSU Foundation -- Corey S. McFadden & Associates, Technology Consultants main +1.215.689.4984 - direct +1.610.972.4347 c@csma.biz - www.csma.biz ********************************************* This message has been scanned for viruses and dangerous content, and is believed to be clean. From sevans at FOUNDATION.SDSU.EDU Mon Dec 15 00:57:28 2003 From: sevans at FOUNDATION.SDSU.EDU (Steve Evans) Date: Thu Jan 12 21:21:32 2006 Subject: Linux Exchange Server Message-ID: <3A411846CD3C0D4CB3D8704F937353701641BC@be-00.foundation.sdsu.edu> There is the external connector license. But it sounds like that probably wouldn't apply to your situation. Impossible to say without knowing anything about your scenario. I think one of the best ways I've heard someone justify the cost of Exchange is, "When you're paying your employee $x0,000 a year, another $50 to make them productive isn't a big deal." Hope I didn't start an Exchange/Anti-Exchange flame war. Steve Evans SDSU Foundation -----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Corey S. McFadden Sent: Sunday, December 14, 2003 4:50 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Linux Exchange Server Sure. :-) I think it's easily half the list price when you get into any serious volume, but it's still based on a hard-count of devices or users. Some larger clients have expressed interest in concurrent (or unlimited...) license models, so we're looking into alternatives. Anyhow, thanks for the responses. -Corey At 07:31 PM 12/14/2003, you wrote: >I'm assuming you've done more research on the price of the CAL's than >the Microsoft Exchange website? I don't anyone pays the $67 list price. > > > >Steve Evans >SDSU Foundation -- Corey S. McFadden & Associates, Technology Consultants main +1.215.689.4984 - direct +1.610.972.4347 c@csma.biz - www.csma.biz ********************************************* This message has been scanned for viruses and dangerous content, and is believed to be clean. From robin at PRIMUS.CA Mon Dec 15 01:01:22 2003 
From: robin at PRIMUS.CA (Robin M.) Date: Thu Jan 12 21:21:32 2006 Subject: OT: Linux Exchange Server In-Reply-To: <6.0.0.22.0.20031214175838.027ac7a8@mail.csma.biz> References: <6.0.0.22.0.20031214175838.027ac7a8@mail.csma.biz> Message-ID: On Sun, 14 Dec 2003, Corey S. McFadden wrote: > Sorry for the OT post, but I wanted to solicit some informed opinions and > couldn't think of a better group... > > I was wondering what experiences anyone has had with some of the 3rd-party > MS Exchange Server simulators for Linux. We evaluated a couple of > solutions about a year ago without going very far with it, but are going to > be revisiting the subject for a new client. (Have you seen Exchange Server > 2003 CAL costs?!) In the past, OpenExchange looked very attractive, but we > don't have any practical experience with it. > > Anyhow, if anyone can offer any personal experience with OpenExchange or > any of the other products (off-list if you like) I would appreciate it! > > -Corey > > There are a few products that do this. At the heart of it all is the cyrus imap server as it does access control lists which can be used to create shared folders per user. Each vendor complements the cyrus server with other software such as squirrelmail with enhancements, smartsieve, phpical, postnuke/phpnuke/metadot etc.. etc.. Most of the server side stuff is all open source except for a resource management software, which is when you schedule meetings with resources such as boardrooms and they automatically accept or decline. The biggest difference between vendors is really the client code which is a plugin which you install for use with outlook. I have tried the bynari plugin and it seems to be the most advanced and everything does seem to work properly. I do not believe that SuSE has their own outlook connector plugin and you have to additionally use the Ximian plugin. I could be wrong.
The Bynari server does not come budled with very many features but it is quite easy to add any other components. I have installed a bynari server for a customer and installed MailScanner onto it and it works perfectly fine. They also actually promote MailScanner on their site. From ryan.finnesey at CORPDSG.COM Mon Dec 15 01:58:40 2003 From: ryan.finnesey at CORPDSG.COM (Ryan Finnesey) Date: Thu Jan 12 21:21:33 2006 Subject: Linux Exchange Server Message-ID: <3041D4D2B8A6F746AD9217BE05AE68C407BCD4@dc012.corpdsg.com> I also hope that I do not start an Exchange/Anti-Exchange flame war. But one other thing you can look into is licensing Exchange via an ASP model. I do not know how many users you need to support but Diversified and many other company's offer hosted Exchange for about $20 a user and can get as low as $14 per user monthly. This will include your Microsoft Outlook client license, Microsoft Exchange CAL, Backup services, Active Directory ect... -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Steve Evans Sent: Sunday, December 14, 2003 7:57 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Linux Exchange Server There is the external connector license. But it sounds like that probably wouldn't apply to your situation. Impossible to say without knowing anything about your scenario. I think one of the best ways I've heard someone justify the cost of Exchange is, "When your paying your employee $x0,000 a year, another $50 to make them productive isn't a big deal." Hope I didn't start an Exchange/Anti-Exchange flame war. Steve Evans SDSU Foundation -----Original Message----- 
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Corey S. McFadden
Sent: Sunday, December 14, 2003 4:50 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Linux Exchange Server

Sure. :-) I think it's easily half the list price when you get into any
serious volume, but it's still based on a hard-count of devices or users.
Some larger clients have expressed interest in concurrent (or unlimited...)
license models, so we're looking into alternatives.

Anyhow, thanks for the responses.

-Corey

At 07:31 PM 12/14/2003, you wrote:
>I'm assuming you've done more research on the price of the CAL's than
>the Microsoft Exchange website? I don't anyone pays the $67 list price.
>
>
>
>Steve Evans
>SDSU Foundation

--
Corey S. McFadden & Associates,
Technology Consultants
main +1.215.689.4984 - direct +1.610.972.4347
c@csma.biz - www.csma.biz

*********************************************
This message has been scanned for viruses and dangerous content, and is
believed to be clean.

From jaearick at COLBY.EDU Mon Dec 15 02:02:42 2003
From: jaearick at COLBY.EDU (Jeff A. Earickson)
Date: Thu Jan 12 21:21:33 2006
Subject: IPBlock and RaQ - Fixed.. But now a new problem
In-Reply-To: <003001c3c26b$3d83c180$6401a8c0@pgx01>
References: <003001c3c26b$3d83c180$6401a8c0@pgx01>
Message-ID:

Hi,

This is a sendmail issue, not a mailscanner issue. Pull out your copy of
the Bat Book and look inside, or google for this phrase to find out where
it might come from in sendmail. Unless Raq is strange/special, you
shouldn't need TLS and/or SASL to run sendmail.

Jeff Earickson
Colby College

On Sun, 14 Dec 2003, Jon Beets wrote:

> Date: Sun, 14 Dec 2003 11:44:24 -0600
> From: Jon Beets
> Reply-To: MailScanner mailing list
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: IPBlock and RaQ - Fixed.. But now a new problem
>
> I did find it and have it working Thanks... My problem now is after
> upgrading sendmail and restarting MailScanner I get a SASL warning:
>
> incoming sendmail: Warning: Option: AuthMechanisms requires SASL support
> (-DSASL)
> Warning: Option: CACERTPath requires TLS support
> ok
> outgoing sendmail: Warning: Option: AuthMechanisms requires SASL support
> (-DSASL)
> Warning: Option: CACERTPath requires TLS support
> ok
>
> I found what appears to be a fix but am weary of doing it since it seems
> somewhat involved and requires cyrus-ssl to be installed...
>
> Jon
>
> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > Behalf Of Julian Field > Sent: Sunday, December 14, 2003 5:31 AM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: IPBlock and RaQ > > > Read /usr/lib/MailScanner/MailScanner/CustomConfig.pm and search for > IPBlock. There is a bunch of docs in there that will tell you how to add > this feature very simply. > > I haven't made it into a mainstream feature as it currently only works with > sendmail. If anyone wants to take a look at it and work out how to do > similar controls for postfix, zmailer and exim, I would very much > appreciate it. > > At 20:37 13/12/2003, you wrote: > >I apologize in advance for being an idiot.. :) > > > >I have MailScanner 4.26-1 installed on my RaQ 550.. I cannot locate the > >IPBlock settings on any of the .conf files.. Am I still looking in the > wrong > >place or does it not exist in the MailScanner version I am running? I have > >already searched the archives.. ( I am a relative newbie to *nix). > > > >Jon Beets > > -- > Julian Field > www.MailScanner.info > Professional Support Services at www.MailScanner.biz > MailScanner thanks transtec Computers for their support > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > From vanhorn at WHIDBEY.COM Mon Dec 15 09:12:48 2003 
From: vanhorn at WHIDBEY.COM (G. Armour Van Horn) Date: Thu Jan 12 21:21:33 2006 Subject: Ignore outbound mail In-Reply-To: References: Message-ID: <3FDD7B10.1050102@whidbey.com> I know I've asked this in the distant past, at which point I don't think it was possible. However, I'd still very much like to have MailScanner completely ignore mail generated on localhost. The machine doesn't accept mail from users, but I do have a large daily mailing that goes out every night, and the mailing takes far too long and causes MS/SA to use far too many resources. I was planning on moving all mail clients off to another machine so I could run without MS on this server, but it just isn't practical. So I'd like to revisit this if I may. Van Currently running MailScanner 4.23-11, but I suppose I could upgrade easily enough if that would help. From mailscanner at ecs.soton.ac.uk Mon Dec 15 09:10:55 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:21:33 2006
Subject: Nested rulesets or Multiple ruleset conditions
In-Reply-To:
References:
Message-ID: <6.0.1.1.2.20031215084151.035c75e8@imap.ecs.soton.ac.uk>

At 21:28 14/12/2003, you wrote:
>I have a need to use a nested ruleset within MS. Is this possible?

Not directly in a ruleset, no. Sorry about that.
What you would need is a short Custom Function to do it. There are plenty
of examples in CustomConfig.pm, the shortest of which is at the start of
the file (a skeleton framework to work from).

You would end up with something like this:

    my $OutgoingQueueDefault = '/var/spool/postfix/incoming';
    my $OutgoingQueueSpecial = '/var/spool/postfix.thirdparty/incoming';
    my $OutgoingQueueSpecialIP = '192.168.0.29';
    my $OutgoingQueueMyDomain = 'mycompany.com';

    sub InitOutgoingQueue {
      # No initialisation needs doing here at all.
      MailScanner::Log::InfoLog("Initialising OutgoingQueue to %s",
                                $OutgoingQueueSpecial);
    }

    sub EndOutgoingQueue {
      # No shutdown code needed here at all.
      # This function could log total stats, close databases, etc.
      MailScanner::Log::InfoLog("Ending OutgoingQueue");
    }

    # This will return the special queue for messages that come from the
    # special IP address with a sender in my domain, and the default queue
    # for all other messages.
    sub OutgoingQueue {
      my($message) = @_;

      return $OutgoingQueueDefault unless $message; # Default if no message passed in
      return $OutgoingQueueSpecial
        if $message->{clientip} eq $OutgoingQueueSpecialIP &&
           $message->{fromdomain} eq $OutgoingQueueMyDomain;
      return $OutgoingQueueDefault;
    }

Then in your MailScanner.conf set this:

    OutgoingQueueDir = &OutgoingQueue

Notes
=====
a) my mail client will probably have wrapped that in all sorts of nasty
   places, so you'll need to be careful.
b) I haven't tested this code at all. If you are really lucky it might
   even compile (do a "perl -c CustomConfig.pm" to iron out the syntax
   errors before you try running it).
c) You don't have to call the functions "OutgoingQueue". "Fred" will work
   just as well. But you do need "sub InitFred", "sub EndFred" and
   "sub Fred" itself.

> I am
>unable to find anything in the documentation about this.
>
>To help understand my reason here is my scenario...
>
>One division of my company needs to relay (almost) all email off a third
>party (they provide virus scanning services, its political & not something I
>can change). We have a central SMTP server that runs Postfix & MS and I am
>able to send route all email successfully by having 2 outbound Postfix
>queues (and 2 instances of outbound postfix), the first queue delivers
>directly while the second sends all email to the relay (for scanning etc).
>I did this by using a ruleset on the outbound queue config line (works
>great), all email from that server (192.168.0.29) is put in the second queue
>and off she goes. The problem is that there is one mailbox on that server
>that should not be sent via the second queue (I can't go into details why,
>it just can't :-), that server is running MSExchange 5.5 so my email routing
>options are very limited.
>My way of thinking is to implement a nested ruleset that looks like this...
>
>ruleset1.rules
>From: 192.168.0.29
>/opt/MailScanner/etc/rules/ruleset2.rules
>FromorTo: default /var/spool/postfix/incoming
>
>ruleset2.rules
>From: *@mycompany.com /var/spool/postfix.thirdparty/incoming
>FromOrTo: default /var/spool/postfix/incoming
>
>To avoid mail routing loops (if that's possible) I don't want to just have
>one ruleset with *@mycompany.com as some of our monitoring equipment uses an
>@mycompany.com email address and they are sent to @mycompany.com addresses.
>
>Or is it possible to have multiple conditions in the ruleset, e.g. From:
>192.168.0.29 AND *@mycompany.com?
>
>I hope that all makes sense, maybe I'm just looking at this the wrong way,
>please feel free to provide suggestions on how I might do this better.
>Thank you for your time.
>
>Cheers,
>Mark
>
>
>_____________________________________________________________________
>CONFIDENTIALITY: This e-mail and any attachments are confidential and may
>be privileged. If you are not a named recipient,please notify the sender
>immediately and do not disclose the contents to another person, use it for
>any purpose or store or copy the information in any medium.

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Mon Dec 15 09:14:00 2003
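Added example, not part of the archived messages and not MailScanner's own code: an offline harness that runs the OutgoingQueue decision from Julian Field's reply above against constructed message hashes for the cases the original poster describes, so the routing can be checked beyond "perl -c" before mail depends on it. It assumes the message object exposes clientip and fromdomain as in that reply; the sender domain other.example and the client address 192.168.0.50 are made up for the test.

```perl
#!/usr/bin/perl
# Offline check of the OutgoingQueue routing decision, run with plain perl
# before the function goes into CustomConfig.pm. Added example code.
use strict;
use warnings;

# Queue paths, IP address and domain exactly as used in the reply.
my $OutgoingQueueDefault   = '/var/spool/postfix/incoming';
my $OutgoingQueueSpecial   = '/var/spool/postfix.thirdparty/incoming';
my $OutgoingQueueSpecialIP = '192.168.0.29';
my $OutgoingQueueMyDomain  = 'mycompany.com';

# Same decision as the function in the reply: both conditions must hold
# for the third-party queue, anything else takes the default queue.
sub OutgoingQueue {
    my ($message) = @_;
    return $OutgoingQueueDefault unless $message;
    return $OutgoingQueueSpecial
        if $message->{clientip}   eq $OutgoingQueueSpecialIP
        && $message->{fromdomain} eq $OutgoingQueueMyDomain;
    return $OutgoingQueueDefault;
}

# Constructed inputs: plain hashes standing in for MailScanner message
# objects (assumption: only clientip and fromdomain are consulted).
my @cases = (
    [ 'Exchange server, company sender',
      { clientip => '192.168.0.29', fromdomain => 'mycompany.com' },
      $OutgoingQueueSpecial ],
    [ 'Exchange server, other sender domain',
      { clientip => '192.168.0.29', fromdomain => 'other.example' },
      $OutgoingQueueDefault ],
    [ 'monitoring equipment, company sender, different host',
      { clientip => '192.168.0.50', fromdomain => 'mycompany.com' },
      $OutgoingQueueDefault ],
    [ 'no message passed in', undef, $OutgoingQueueDefault ],
);

# Run every case, print one line per case, return the number of mismatches.
sub run_cases {
    my $failures = 0;
    for my $case (@cases) {
        my ($name, $message, $expected) = @$case;
        my $got = OutgoingQueue($message);
        my $ok  = $got eq $expected;
        $failures++ unless $ok;
        printf "%-4s %-55s -> %s\n", ($ok ? 'ok' : 'FAIL'), $name, $got;
    }
    return $failures;
}

my $failures = run_cases();
print $failures ? "$failures case(s) routed to the wrong queue\n"
                : "all cases routed as intended\n";
exit($failures ? 1 : 0);
```

A non-zero exit status means at least one case landed in the wrong queue, which here would mean mail either skipping or wrongly entering the third-party scanning path.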
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:33 2006 Subject: OT: Linux Exchange Server In-Reply-To: References: <6.0.0.22.0.20031214175838.027ac7a8@mail.csma.biz> Message-ID: <6.0.1.1.2.20031215091236.03746920@imap.ecs.soton.ac.uk> Once this conversation has quietened down, it would be very handy if someone could turn the good bits into an entry in the FAQ. It's a question that I get asked about quite a lot, but know nearly nothing about. At 01:01 15/12/2003, you wrote: >On Sun, 14 Dec 2003, Corey S. McFadden wrote: > > Sorry for the OT post, but I wanted to solicit some informed opinions and > > couldn't think of a better group... > > > > I was wondering what experiences anyone has had with some of the 3rd-party > > MS Exchange Server simulators for Linux. We evaluated a couple of > > solutions about a year ago without going very far with it, but are going to > > be revisiting the subject for a new client. (Have you seen Exchange Server > > 2003 CAL costs?!) In the past, OpenExchange looked very attractive, but we > > don't have any practical experience with it. > > > > Anyhow, if anyone can offer any personal experience with OpenExchange or > > any of the other products (off-list if you like) I would appreciate it! > > > > -Corey > > > > >There are a few products that do this. At the heart of it all is the >cyrus imap server as it does access control lists which can be used to >create shared folders per user. Each vendor complements the cyrus server >with other software such as squirrelmail with enhancements, smartsieve, >phpical, postnuke/phpnuke/metadot etc.. etc.. >Most of the server side stuff is all open source except for a resource >management software, which is when you schedule meetings with resources >such as boardrooms and they automatically accept or decline. > >The biggest difference between vendors is really the client code which is >a plugin which you install for use with outlook. 
I have tried the bynari
>plugin and it seems to be the most advanced and everything does seem to
>work properly. I do not believe that SuSE has their own outlook connector
>plugin and you have to additionally use the Ximian plugin. I could be
>wrong. The Bynari server does not come bundled with very many features but
>it is quite easy to add any other components. I have installed a bynari
>server for a customer and installed MailScanner onto it and it works
>perfectly fine. They also actually promote MailScanner on their site.

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Mon Dec 15 09:27:45 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:21:33 2006
Subject: Ignore outbound mail
In-Reply-To: <3FDD7B10.1050102@whidbey.com>
References: <3FDD7B10.1050102@whidbey.com>
Message-ID: <6.0.1.1.2.20031215091903.03e71a18@imap.ecs.soton.ac.uk>

At 09:12 15/12/2003, you wrote:
>I know I've asked this in the distant past, at which point I don't think
>it was possible. However, I'd still very much like to have MailScanner
>completely ignore mail generated on localhost. The machine doesn't
>accept mail from users, but I do have a large daily mailing that goes
>out every night, and the mailing takes far too long and causes MS/SA to
>use far too many resources.
>
>I was planning on moving all mail clients off to another machine so I
>could run without MS on this server, but it just isn't practical. So I'd
>like to revisit this if I may.
>
>Van
>
>Currently running MailScanner 4.23-11, but I suppose I could upgrade
>easily enough if that would help.

Yet another ruleset application.

In MailScanner.conf set this:

    Virus Scanning = /etc/MailScanner/rules/not.localhost.rules
    Spam Checks = /etc/MailScanner/rules/not.localhost.rules

and then in /etc/MailScanner/rules/not.localhost.rules put this:

    From: 127.0.0.1 no
    From: 10.11.12.13 no
    FromOrTo: default yes

(where the IP address of the server is 10.11.12.13).

Simple as that.

We should start collecting these together into a lovely great library of
example ruleset applications. Another job for a part-time FAQ
maintainer/author perhaps? Any offers? It would really help and requires
no great programming knowledge or anything like that.

Thanks folks!

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From martyn at INVICTAWIZ.COM Mon Dec 15 10:42:25 2003
From: martyn at INVICTAWIZ.COM (InvictaWiz Customer Support)
Date: Thu Jan 12 21:21:33 2006
Subject: odd errors
Message-ID:

Over the weekend, I upgraded to 4.25-14. Since then I have seen quite a
few messages with SA score of 0 as below. Does anyone have any ideas as to
why (the messages are probably 5+ in reality)

Date: Mon, 15 Dec 2003 04:30:53 -0500
Message-ID: <1071480653.9711@thedealsmaster.com>
From: Reduce and Save Reply-To: Subject: Tackle Your Debt X-MimeOLE: Prodigy Compatibility V 4.1bdd2391 or later Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" X-MailScanner-Information: Please contact sales@invictawiz.com for more information X-MailScanner: Found to be clean X-MailScanner-SpamCheck: not spam, SpamAssassin (score=0, required 5) Status: Martyn Routley ----------------------------------------------------------------- InvictaWiz - The Internet in Plain English, Guaranteed http://www.invictawiz.com martyn@invictawiz.com phone: 08707 440180 fax: 08707 440181 Ask us about our online Antivirus and Junk mail scanning service. Ask us how you could save money on your telephone bill. ----------------------------------------------------------------- ----------------------------------------------------------------------------- This message has been scanned for viruses and dangerous content by the http://www.anti84787.com MailScanner, and is believed to be clean. ----------------------------------------------------------------------------- From slwatts at WINCKWORTHS.CO.UK Mon Dec 15 10:47:13 2003 From: slwatts at WINCKWORTHS.CO.UK (Samuel Luxford-Watts) Date: Thu Jan 12 21:21:33 2006 Subject: [OT]RE: Linux Exchange Server Message-ID: We too are looking at the possibility of moving away from the MS Exchange platform. I have not spent much time looking at the opensource/linux options. Openexchange looked very good, and yes it uses the ximian plugin to allow outlook access. Whilst I am always looking at the price - for us its not the overriding factor. We need a messaging platform that allows easy sharing of knowledge contained within those emails, meetings and tasks. Exchange locks all this away. From initial glances, cyrus does the same. I would be interested in what you find out from your testing..... Sam -----Original Message----- 
From: Corey S. McFadden [mailto:csm-lists@CSMA.BIZ] Sent: 14 December 2003 23:05 To: MAILSCANNER@JISCMAIL.AC.UK Subject: OT: Linux Exchange Server Sorry for the OT post, but I wanted to solicit some informed opinions and couldn't think of a better group... I was wondering what experiences anyone has had with some of the 3rd-party MS Exchange Server simulators for Linux. We evaluated a couple of solutions about a year ago without going very far with it, but are going to be revisiting the subject for a new client. (Have you seen Exchange Server 2003 CAL costs?!) In the past, OpenExchange looked very attractive, but we don't have any practical experience with it. Anyhow, if anyone can offer any personal experience with OpenExchange or any of the other products (off-list if you like) I would appreciate it! -Corey -- Corey S. McFadden & Associates, Technology Consultants main +1.215.689.4984 - direct +1.610.972.4347 c@csma.biz - www.csma.biz ********************************************* This message has been scanned for viruses and dangerous content, and is believed to be clean. -------------- Winckworth Sherwood Solicitors and Parliamentary Agents DX 148400 WESTMINSTER 5 : 35 Great Peter Street, London SW1P 3LR Telephone 020 7593 5000 Fax 020 7593 5099 -Confidentiality- This email message and any attachments are confidential; they may be subject to legal professional privilege and are intended for the named recipient only. If you are not the named recipient, please return the message and enclosures immediately and delete them from your system. -Caution- Before advice received only by email (whether by attachment or otherwise) may be relied on, the authenticity of the communication must be verified by means independent of email. -Regulation- The firm is regulated by the Law Society. 
-Partners- A list of partners is available for inspection at each office of the firm and on the firm's website at http://www.winckworths.co.uk From P.G.M.Peters at utwente.nl Mon Dec 15 11:01:57 2003 From: P.G.M.Peters at utwente.nl (Peter Peters) Date: Thu Jan 12 21:21:33 2006 Subject: Yahoo Developing Open Source Server Software For Spam-Resistant E-Mail In-Reply-To: <6.0.1.1.2.20031212162002.07d88530@imap.ecs.soton.ac.uk> References: <3FD9E759.1080708@pacific.net> <6.0.1.1.2.20031212162002.07d88530@imap.ecs.soton.ac.uk> Message-ID: On Fri, 12 Dec 2003 16:26:24 +0000, you wrote: >So when you get a mail without a correct domainkeys header, you know >absolutely nothing about its validity. You may like to think you know it is >not a valid Yahoo account, but you are wrong. You have absolutely no >information about whether it is valid or not. It also won't block spam that is injected by a compromised system using as from-header the domain of that system (or perhaps pulled from the mailer on that system). -- Peter Peters, senior netwerkbeheerder Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE) Universiteit Twente, Postbus 217, 7500 AE Enschede telefoon: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/civ From mailscanner at ecs.soton.ac.uk Mon Dec 15 11:19:00 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:33 2006 Subject: Yahoo Developing Open Source Server Software For Spam-Resistant E-Mail In-Reply-To: References: <3FD9E759.1080708@pacific.net> <6.0.1.1.2.20031212162002.07d88530@imap.ecs.soton.ac.uk> Message-ID: <6.0.1.1.2.20031215111506.037d4440@imap.ecs.soton.ac.uk> At 11:01 15/12/2003, you wrote: >On Fri, 12 Dec 2003 16:26:24 +0000, you wrote: > > >So when you get a mail without a correct domainkeys header, you know > >absolutely nothing about its validity. You may like to think you know it is > >not a valid Yahoo account, but you are wrong. You have absolutely no > >information about whether it is valid or not. > >It also won't block spam that is injected by a compromised system using >as from-header the domain of that system (or perhaps pulled from the >mailer on that system). And then there's the little matter of verifying all these domainkeys headers. Is every vendor really going to add this feature to their mail client? Are Hotmail and AOL going to start helping Yahoo users by verifying the domainkeys, when it doesn't really help their users much? I can see it being a feature that people just see the headers and assume "it's got a domainkeys header and therefore must be valid" while never actually bothering to check the validity because they have no way of doing so. All the spammers add likely-looking random strings as a domainkeys header in all the mail they send, and all you have succeeded in doing is making every spam message a bit bigger. Or maybe I'm just a cynical old sod and the world really is pink, fluffy and full of people who aren't trying to make money... -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From pete at eatathome.com.au Mon Dec 15 11:32:54 2003 
From: pete at eatathome.com.au (Pete) Date: Thu Jan 12 21:21:33 2006 Subject: Linux Exchange Server In-Reply-To: <1071443526.1697.15.camel@localhost.localdomain> References: <200312142308.hBEN8vxC016091@avwall.bladeware.com> <1071443526.1697.15.camel@localhost.localdomain> Message-ID: <3FDD9BE6.7090202@eatathome.com.au> Michael Baird wrote: >Check out the bynari connector, http://www.bynari.net and ExchangeIT >http://net-itech.com/america/products/pd_exchangeit.htm, of course >Samsung Contact is out there, and one other one I can't remember which >showed promise, openexchange isn't exactly low cost. > >Regards >MIKE > > > >>I run 3 OpenExchange servers and like them very well. None of them accept >>email from the internet though. I run a MailScanner box in front of them >>and forward on using mailertable. I've had no problems with reliability or >>connection with MUA's. I'm pleased with the outcome. >> >>Mike >> >> >> >> >>>-----Original Message----- 
>>>From: MailScanner mailing list
>>>[mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Corey S. McFadden
>>>Sent: Sunday, December 14, 2003 5:05 PM
>>>To: MAILSCANNER@JISCMAIL.AC.UK
>>>Subject: OT: Linux Exchange Server
>>>
>>>Sorry for the OT post, but I wanted to solicit some informed
>>>opinions and couldn't think of a better group...
>>>
>>>I was wondering what experiences anyone has had with some of
>>>the 3rd-party MS Exchange Server simulators for Linux. We
>>>evaluated a couple of solutions about a year ago without
>>>going very far with it, but are going to be revisiting the
>>>subject for a new client. (Have you seen Exchange Server
>>>2003 CAL costs?!) In the past, OpenExchange looked very
>>>attractive, but we don't have any practical experience with it.
>>>
>>>Anyhow, if anyone can offer any personal experience with
>>>OpenExchange or any of the other products (off-list if you
>>>like) I would appreciate it!
>>>
>>>-Corey
>>>
>>>
>>>
>>>--
>>>Corey S. McFadden & Associates,
>>>Technology Consultants
>>>main +1.215.689.4984 - direct +1.610.972.4347 c@csma.biz -
>>>www.csma.biz
>>>
>>>
>>>*********************************************
>>>This message has been scanned for viruses and dangerous
>>>content, and is believed to be clean.
>>>
>>>
>>>
>
>
>
>
>
None of those things look low/no cost - but they do look very very nice.

I don't wanna hijack, but if any of you knowledgeable folks know - what is
a good all in one, MTA/IMAP/webmail server that will provide the obvious
MTA features, IMAP and webmail, but if a user can be found in the access
map (generated via perl from the active directory) but hasn't previously
received mail, a new user, the server will check they exist, create
appropriate files, permissions and deliver the mail?

I have most of this thrown together with courier and postfix - but I fail
to understand some basic bits, so I need an all-in-one solution.

Hope someone can help, email is fine...

From chris at TRUDEAU.ORG Mon Dec 15 12:49:48 2003
From: chris at TRUDEAU.ORG (Chris Trudeau) Date: Thu Jan 12 21:21:33 2006 Subject: Postfix message duplication - again! References: <3FDCC91E.9070902@themarshalls.co.uk> Message-ID: <009201c3c309$ed26a280$4e19000a@ATLCPW13671> > I have read many threads on both the MailScanner mailing list and the > Postfix groups about this problem but haven't yet seen a solution. I > guess the first question is, is there a solution? To my knowledge in answering your question, "NO" there has not been a fix released for this that I am aware of. I WAS able to get MYSQL logging working with no duplication, but that was repaired in the perl components of the MAILWATCH packages, NOT the internals of MailScanner. The resulting problem was that duplicate notification email messages are still a problem etc... > I love MS and have done since I first deployed it on my first trip to > Linux (On Sendmail) and latterly, having got fed up with the patching > required, on Postfix (When the MS for Postfix first was released). I > have only recently been having these duplication problems and started > looking for answers to find the author of Postfix says not to use > MailScanner as it 'Gropes mail files from the active queue'. While > understandable from his point of view, not helpful to me, an > inexperienced *nix admin just looking to implement easy, fast and safe > computing for my users (Hence my love for Postfix and MailScanner, both > excellent, fast and simple to administer). I simply took the route of every other non-developer in the world and realized that support of MailScanner on Exim or Sendmail would make my life easier in the long run. Even with the inherent insecurities and complexities of maintaining sendmail. The resulting scenario leaves me in a much better place. I have side-by-side instances of postfix/MS/SA/DCC/Razor/Sophos/ClamAV AND sendmail/MS/SA/DCC/Razor/Sophos/ClamAV and sendmail is by far easier to maintain and less prone to trivial mail handling problems. 
(if you have high traffic server, postfix/MS will butcher messages and do other unpredictable things. > I have played with Exim but disliked it's config setup and seemed very > complex to set up to use my MySQL alias database, domain list etc. ME TOO! While I know its supposed to be more secure and flexible and perform a bit better than sendmail....I have just never had the time or the patience to learn the configuration ins and outs of yet another MTA. > I also played with AMAVIS- new (For two hours and gave up when I found > the full extent of the feature set!) which is 'approved for Postfix use'. I started out with amavisd-new and ditched it after learning about the functionality offered in MailScanner (approved or not) > If there is not current cure for the POstfix problem, is there any way > to pipe the mail to MailScanner or even bolt a SMTP engine to it to > receive the mail like AMAVIS (Which would then extend MS for use with > all MTAs?!)? I haven't seen anything like that...not sure I could use the functionality myself. I would prefer to use postfix, but decided long ago, that Julian's level of support here far surpasses anything you can find on postfix mailing lists. In addition, Julian doesn't make a regular habit of demeaning those who are less learned about his software. From P.G.M.Peters at utwente.nl Mon Dec 15 13:20:15 2003 
From: P.G.M.Peters at utwente.nl (Peter Peters)
Date: Thu Jan 12 21:21:33 2006
Subject: Yahoo Developing Open Source Server Software For Spam-Resistant E-Mail
In-Reply-To: <6.0.1.1.2.20031215111506.037d4440@imap.ecs.soton.ac.uk>
References: <3FD9E759.1080708@pacific.net> <6.0.1.1.2.20031212162002.07d88530@imap.ecs.soton.ac.uk> <6.0.1.1.2.20031215111506.037d4440@imap.ecs.soton.ac.uk>
Message-ID:

On Mon, 15 Dec 2003 11:19:00 +0000, you wrote:

>I can see it being a feature that people just see the headers and assume
>"it's got a domainkeys header and therefore must be valid" while never
>actually bothering to check the validity because they have no way of doing
>so. All the spammers add likely-looking random strings as a domainkeys
>header in all the mail they send, and all you have succeeded in doing is
>making every spam message a bit bigger.

At first I would (especially with Yahoo involved) start tagging messages
with domainkey headers as suspicious.

--
Peter Peters, senior netwerkbeheerder
Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE)
Universiteit Twente, Postbus 217, 7500 AE Enschede
telefoon: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/civ

From gioia at bclink.it Mon Dec 15 13:52:53 2003
From: gioia at bclink.it (Gioia Bastioni)
Date: Thu Jan 12 21:21:33 2006
Subject: F-prot update script
Message-ID:

Hi all!

how can I disable the f-prot-autoupdate script option to not send email
notifications if it did not need to be updated ?
I wouldn't receive this every hour..

------------------------
FTP address for retrieving files is ftp://us-3.updates.f-prot.com/pub/
File SIGN.DEF is already up to date.
File SIGN2.DEF is already up to date.
File MACRO.DEF is already up to date.
Nothing to be done.
------------------------

I've had some experiences with Sophos Antivirus too, and I noticed that it
downloads new ide files as soon as they were released ..
it's not possible to have the same feature with other Antivirus software as
f-prot and Antivir ?!

thanks for the help

From peter at UCGBOOK.COM Mon Dec 15 13:54:59 2003
From: peter at UCGBOOK.COM (Peter Bonivart) Date: Thu Jan 12 21:21:33 2006 Subject: Postfix message duplication - again! In-Reply-To: <009201c3c309$ed26a280$4e19000a@ATLCPW13671> References: <3FDCC91E.9070902@themarshalls.co.uk> <009201c3c309$ed26a280$4e19000a@ATLCPW13671> Message-ID: <3FDDBD33.2080501@ucgbook.com> >>I love MS and have done since I first deployed it on my first trip to >>Linux (On Sendmail) and latterly, having got fed up with the patching >>required, on Postfix (When the MS for Postfix first was released). > Even with the inherent insecurities and > complexities of maintaining sendmail. Isn't this a little exaggerated these days? If I remember correctly I have updated Sendmail twice this year and even if you might want to reply that you haven't updated Postfix at all I don't feel bad about the one hour I spent doing those two updates. If you want Postfix as your internet facing MTA for security reasons, can't you put up a simple relay machine with Postfix that delivers to a MS/Sendmail-machine? Best of both worlds..? /Peter Bonivart --Unix lovers do it in the Sun Sun Fire V210, Solaris 9, Sendmail 8.12.10, MailScanner 4.23-11, SpamAssassin 2.60 + DCC 1.2.9, ClamAV 20030829 From jacques at MONACO.NET Mon Dec 15 14:28:02 2003 
From: jacques at MONACO.NET (Jacques Caruso)
Date: Thu Jan 12 21:21:33 2006
Subject: Bogus "denial of service" messages, and postdrop not working
Message-ID: <200312151528.02031.jacques@monaco.net>

Hi,

I'm encountering (surprise ! :-) some new problems. Some legitimate
messages get their attachments scrubbed by MS with the mention that they
contain a « denial of service attack ». I looked at the documentation,
the FAQ, the mailing-list archives (even grepped the source code files
for the 'DOSAttack' string), to no avail. I can't seem to find what
triggers those denial of service alerts, and how to deactivate them...

Another problem is that I've thus far failed to reinject a message into
the queue by conventional means. I quarantine messages with :

Quarantine Infections = yes
Quarantine Whole Message = yes
Quarantine Whole Messages As Queue Files = yes

When I use postdrop on a quarantined message, I get a cryptic error
message :

[root@sceuzi][/var/spool/MailScanner/quarantine/20031213/3CC271B8114]# postdrop < 3CC271B8114
queue_idEB92220C06Bpostdrop: fatal: uid=0: unexpected record type: 67

The only clue I've been able to find is a message where this behaviour
was attributed to a version discrepancy between postfix and the postdrop
command. Of course, I double-checked all my commands come from the same
version, thus I'm in the dark. A postcat on the same file works fine, so
I've for the moment settled on a script which parses the postcat output
and reinjects it on the internal Postfix instance, but it's a truly
lousy solution. Can someone point me to where I should look to get rid
of this problem ?

BTW, my MailScanner.conf (without comments) is at
. I don't know
if it can help in understanding what happens, but then, better safe than
sorry...

Greets,
--
[ Jacques Caruso PHP Developer ]
[ Monaco Internet http://monaco-internet.mc/ ]
[ Tel: (+377) 93 10 00 43 PGP key: 0x41F5C63D ]
[ -*- When the finger points at the moon, the fool looks at the finger -*- ]

From mailscanner at ecs.soton.ac.uk Mon Dec 15 14:24:38 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:21:33 2006
Subject: F-prot update script
In-Reply-To:
References:
Message-ID: <6.0.1.1.2.20031215142347.037d2530@imap.ecs.soton.ac.uk>

At 13:52 15/12/2003, you wrote:
>Hi all!
>
>how can I disable the f-prot-autoupdate script option to not send email
>notifications if it did not need to be updated ?
>I wouldn't receive this every hour..
>
>------------------------
>FTP address for retrieving files is ftp://us-3.updates.f-prot.com/pub/
>File SIGN.DEF is already up to date.
>File SIGN2.DEF is already up to date.
>File MACRO.DEF is already up to date.
>Nothing to be done.
>------------------------

Is your cron job calling update_virus_scanners or calling
f-prot-autoupdate directly?

>I've had some experiences with Sophos Antivirus too, and I noticed that it
>downloads new ide files as soon as they were released ..
>it's not possible to have the same feature with other Antivirus software as
>f-prot and Antivir ?!

My sophos-autoupdate script just updates hourly, the same as all the others.
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From chris at TRUDEAU.ORG Mon Dec 15 15:00:09 2003
From: chris at TRUDEAU.ORG (Chris Trudeau) Date: Thu Jan 12 21:21:33 2006 Subject: Postfix message duplication - again! References: <3FDCC91E.9070902@themarshalls.co.uk> <009201c3c309$ed26a280$4e19000a@ATLCPW13671> <3FDDBD33.2080501@ucgbook.com> Message-ID: <012501c3c31c$221ca8b0$4e19000a@ATLCPW13671> > > Even with the inherent insecurities and > > complexities of maintaining sendmail. > > Isn't this a little exaggerated these days? If I remember correctly I > have updated Sendmail twice this year and even if you might want to > reply that you haven't updated Postfix at all I don't feel bad about the > one hour I spent doing those two updates. > > If you want Postfix as your internet facing MTA for security reasons, > can't you put up a simple relay machine with Postfix that delivers to a > MS/Sendmail-machine? Best of both worlds..? Yep definite possibility...bit expensive (twice) and introduces another point of failure to worry about. I think you missed my point. I was advising to USE sendmail instead of postfix when considering the issues related to postfix/mailscanner functionally....vs the effort involved in maintaining sendmail....I've migrated to sendmail...and just accepted the possibility of security/reliability issues with sendmail (if any arise) CT From gioia at bclink.it Mon Dec 15 15:01:56 2003 
From: gioia at bclink.it (Gioia Bastioni)
Date: Thu Jan 12 21:21:33 2006
Subject: R: F-prot update script
In-Reply-To: <6.0.1.1.2.20031215142347.037d2530@imap.ecs.soton.ac.uk>
Message-ID:

I'm running the f-prot-autoupdate script,
if I run the update_virus_scanners script I receive no emails, but I wish to
use the f-prot-autoupdate script directly to run separately the updates for
both f-prot and Antivir ..

-----Original Message-----
From: Julian Field [mailto:mailscanner@ecs.soton.ac.uk]
Sent: Monday 15 December 2003 15.25
To: gioia@bclink.it
Cc: mailscanner@jiscmail.ac.uk
Subject: Re: F-prot update script

At 13:52 15/12/2003, you wrote:
>Hi all!
>
>how can I disable the f-prot-autoupdate script option to not send email
>notifications if it did not need to be updated ?
>I wouldn't receive this every hour..
>
>------------------------
>FTP address for retrieving files is ftp://us-3.updates.f-prot.com/pub/
>File SIGN.DEF is already up to date.
>File SIGN2.DEF is already up to date.
>File MACRO.DEF is already up to date.
>Nothing to be done.
>------------------------

Is your cron job calling update_virus_scanners or calling
f-prot-autoupdate directly?

>I've had some experiences with Sophos Antivirus too, and I noticed that it
>downloads new ide files as soon as they were released ..
>it's not possible to have the same feature with other Antivirus software as
>f-prot and Antivir ?!

My sophos-autoupdate script just updates hourly, the same as all the others.
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Mon Dec 15 15:07:12 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:21:33 2006
Subject: R: F-prot update script
In-Reply-To:
References: <6.0.1.1.2.20031215142347.037d2530@imap.ecs.soton.ac.uk>
Message-ID: <6.0.1.1.2.20031215150639.03e77438@imap.ecs.soton.ac.uk>

Search through the script for the logging lines that produce the output you
don't want and comment them out.

At 15:01 15/12/2003, you wrote:
>I'm running the f-prot-autoupdate script,
>if I run the update_virus_scanners script I receive no emails, but I wish to
>use the f-prot-autoupdate script directly to run separately the updates for
>both f-prot and Antivir ..
>
>
>-----Original Message-----
>From: Julian Field [mailto:mailscanner@ecs.soton.ac.uk]
>Sent: Monday 15 December 2003 15.25
>To: gioia@bclink.it
>Cc: mailscanner@jiscmail.ac.uk
>Subject: Re: F-prot update script
>
>
>At 13:52 15/12/2003, you wrote:
> >Hi all!
> >
> >how can I disable the f-prot-autoupdate script option to not send email
> >notifications if it did not need to be updated ?
> >I wouldn't receive this every hour..
> >
> >------------------------
> >FTP address for retrieving files is ftp://us-3.updates.f-prot.com/pub/
> >File SIGN.DEF is already up to date.
> >File SIGN2.DEF is already up to date.
> >File MACRO.DEF is already up to date.
> >Nothing to be done.
> >------------------------
>
>Is your cron job calling update_virus_scanners or calling f-prot-autoupdate
>directly?
>
> >I've had some experiences with Sophos Antivirus too, and I noticed that it
> >downloads new ide files as soon as they were released ..
> >it's not possible to have the same feature with other Antivirus software as
> >f-prot and Antivir ?!
>
>My sophos-autoupdate script just updates hourly, the same as all the others.
>--
>Julian Field
>www.MailScanner.info
>MailScanner thanks transtec Computers for their support
>
>PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Mon Dec 15 15:08:38 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:21:33 2006
Subject: Bogus "denial of service" messages, and postdrop not working
In-Reply-To: <200312151528.02031.jacques@monaco.net>
References: <200312151528.02031.jacques@monaco.net>
Message-ID: <6.0.1.1.2.20031215150744.03d19fa0@imap.ecs.soton.ac.uk>

At 14:28 15/12/2003, you wrote:
>Hi,
>
>I'm encountering (surprise ! :-) some new problems. Some legitimate
>messages get their attachments scrubbed by MS with the mention that they
>contain a « denial of service attack ». I looked at the documentation,
>the FAQ, the mailing-list archives (even grepped the source code files
>for the 'DOSAttack' string), to no avail. I can't seem to find what
>triggers those denial of service alerts, and how to deactivate them...

The DOS attack detection happens when either ClamAV thinks the zip file
expands too big, or else the virus scanner (whichever one it is) never
returns within the timeout period it is given to run in (usually 5 or 10
minutes).

>Another problem is that I've thus far failed to reinject a message into
>the queue by conventional means. I quarantine messages with :
>
>Quarantine Infections = yes
>Quarantine Whole Message = yes
>Quarantine Whole Messages As Queue Files = yes
>
>When I use postdrop on a quarantined message, I get a cryptic error
>message :
>
>[root@sceuzi][/var/spool/MailScanner/quarantine/20031213/3CC271B8114]#
>postdrop < 3CC271B8114
>queue_idEB92220C06Bpostdrop: fatal: uid=0: unexpected record type: 67
>
>The only clue I've been able to find is a message where this behaviour
>was attributed to a version discrepancy between postfix and the postdrop
>command. Of course, I double-checked all my commands come from the same
>version, thus I'm in the dark. A postcat on the same file works fine, so
>I've for the moment settled on a script which parses the postcat output
>and reinjects it on the internal Postfix instance, but it's a truly
>lousy solution. Can someone point me to where I should look to get rid
>of this problem ?
>
>BTW, my MailScanner.conf (without comments) is at
>. I don't know
>if it can help in understanding what happens, but then, better safe than
>sorry...
>
>Greets,
>--
>[ Jacques Caruso PHP Developer ]
>[ Monaco Internet http://monaco-internet.mc/ ]
>[ Tel: (+377) 93 10 00 43 PGP key: 0x41F5C63D ]
>[ -*- When the finger points at the moon, the fool looks at the finger -*- ]

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From raymond at PROLOCATION.NET Mon Dec 15 15:11:09 2003
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:21:33 2006
Subject: R: F-prot update script
In-Reply-To:
Message-ID:

Hi!

> I'm running the f-prot-autoupdate script,
> if I run the update_virus_scanners script I receive no emails, but I wish to
> use the f-prot-autoupdate script directly to run separately the updates for
> both f-prot and Antivir ..

Check your cron job, you can make it noisy there. It's now (default) directed
to /dev/null.

Bye,
Raymond.

From dh at UPTIME.AT Mon Dec 15 15:11:09 2003
From: dh at UPTIME.AT (David Höhn)
Date: Thu Jan 12 21:21:33 2006
Subject: Postfix message duplication - again!
In-Reply-To: <012501c3c31c$221ca8b0$4e19000a@ATLCPW13671>
References: <3FDCC91E.9070902@themarshalls.co.uk> <009201c3c309$ed26a280$4e19000a@ATLCPW13671> <3FDDBD33.2080501@ucgbook.com> <012501c3c31c$221ca8b0$4e19000a@ATLCPW13671>
Message-ID: <3FDDCF0D.1020509@uptime.at>

Chris Trudeau wrote:

| and just accepted the possibility of
| security/reliability issues with sendmail (if any arise)
|

Dear Mister Trudeau.
I can assure you that the likelihood of finding reliability issues with
sendmail is minimal to none. I have been running sendmail for a _very_
long time and even though security might be an issue (as one could
expect with a project that has such a huge, old and grown source base),
I have never had to worry about the reliability of my mail services.

This is just meant to reassure you of your choice.

-d

--
nee amata wo mitsukete soshite midoto wasrezu ~ domma mi mumega itakutemo soba mi iru mo ~ zutto...zutto...zutto

From drew at THEMARSHALLS.CO.UK Mon Dec 15 15:22:20 2003
From: drew at THEMARSHALLS.CO.UK (Drew Marshall) Date: Thu Jan 12 21:21:33 2006 Subject: Postfix message duplication - again! In-Reply-To: <012501c3c31c$221ca8b0$4e19000a@ATLCPW13671> References: <3FDCC91E.9070902@themarshalls.co.uk> <009201c3c309$ed26a280$4e19000a@ATLCPW13671> <3FDDBD33.2080501@ucgbook.com> <012501c3c31c$221ca8b0$4e19000a@ATLCPW13671> Message-ID: <41828.194.70.180.170.1071501740.squirrel@net.themarshalls.co.uk> >> > Even with the inherent insecurities and >> > complexities of maintaining sendmail. >> >> Isn't this a little exaggerated these days? If I remember correctly I >> have updated Sendmail twice this year and even if you might want to >> reply that you haven't updated Postfix at all I don't feel bad about the >> one hour I spent doing those two updates. >> >> If you want Postfix as your internet facing MTA for security reasons, >> can't you put up a simple relay machine with Postfix that delivers to a >> MS/Sendmail-machine? Best of both worlds..? > > Yep definite possibility...bit expensive (twice) and introduces another > point of failure to worry about. I have to agree, I wouldn't run both. Seems a mite excessive :) > > I think you missed my point. I was advising to USE sendmail instead of > postfix when considering the issues related to postfix/mailscanner > functionally....vs the effort involved in maintaining sendmail....I've > migrated to sendmail...and just accepted the possibility of > security/reliability issues with sendmail (if any arise) I guess that's the option. It's a shame as I have found Postfix easier to set up and since I last used Sendmail I have made the setup more complex including maildir's, MySQL user list, virtual domains etc. > CT > I have to agree that Julian offers much better support than the Postfix forums and doesn't just enforce the 'that's the way it works' attitude. 
It's just frustrating that two good programs just can't quite 'get it
together' in all situations (It worked fine on my Slackware box until I
moved to Gentoo. No logic really).

Drew

From jacques at MONACO.NET Mon Dec 15 15:25:17 2003
From: jacques at MONACO.NET (Jacques Caruso)
Date: Thu Jan 12 21:21:33 2006
Subject: Bogus "denial of service" messages, and postdrop not working
In-Reply-To: <6.0.1.1.2.20031215150744.03d19fa0@imap.ecs.soton.ac.uk>
References: <200312151528.02031.jacques@monaco.net> <6.0.1.1.2.20031215150744.03d19fa0@imap.ecs.soton.ac.uk>
Message-ID: <200312151625.17026.jacques@monaco.net>

On Monday 15 December 2003 16:08, Julian Field wrote:
> The DOS attack detection happens when either ClamAV thinks the zip
> file expands too big, or else the virus scanner (whichever one it is)
> never returns within the timeout period it is given to run in
> (usually 5 or 10 minutes).

Is there an option to force the delivery of these messages ? Or do I
need to modify the source directly ? If so, in what file should I make
the changes ?

--
[ Jacques Caruso PHP Developer ]
[ Monaco Internet http://monaco-internet.mc/ ]
[ Tel: (+377) 93 10 00 43 PGP key: 0x41F5C63D ]
[ -*- When the finger points at the moon, the fool looks at the finger -*- ]

From wppiphoto at wppi.com Mon Dec 15 15:32:19 2003
From: wppiphoto at wppi.com (SW)
Date: Thu Jan 12 21:21:33 2006
Subject: Mailscanner not scanning e-mails
Message-ID: <00b601c3c320$a0c01ae0$3a95a644@Toshiba>

(I'm not sure if this made it to the mailing list...so I'm sending again)

Julian,

OK, did exactly what you said by making the delivery method = queue it seems
that /var/spool/mqueue/q* files seem to have the Mailscanner header added to
them. But here is a new problem, the mail is not being delivered. It just
sits in the mqueue directory. Can you help?

Thanks,

SW
----- Original Message -----
From: "Julian Field" To: "SW" Sent: Sunday, December 14, 2003 3:53 PM Subject: Re: Mailscanner not scanning e-mails Sounds like it is scanning them. Set the Delivery Method = queue and look in your /var/spool/mqueue/q* files for MailScanner headers (they are text files, you can just "cat" them). You should find any MailScanner headers towards the end of each of the q* files. At 20:09 14/12/2003, you wrote: >Julian, > >Any ideas how to do this? I'm not that verstial w/ sendmail and I don't want >to break something. :-) > >BTW, why does my log files show mailscanner scanning e-mails? Or did I read >them incorrectly: > >Dec 14 13:45:33 ns1 MailScanner[697]: New Batch: Found 6 messages waiting >Dec 14 13:45:33 ns1 MailScanner[697]: New Batch: Scanning 4 messages, 4618 >bytes > >Thanks, > >SW >----- Original Message ----- 
>From: "Julian Field" >To: "SW" >Cc: >Sent: Sunday, December 14, 2003 2:49 PM >Subject: Re: Mailscanner not scanning e-mails > > >If you are running 8.9.3, then MailScanner won't scan mail created by >invoking the sendmail binary directly. You need to tell whatever you are >using to send mail via an SMTP server called localhost. > >At 19:08 14/12/2003, you wrote: > >Julian, > > > >Yeap, you were right. It seemed that in mailscanner.conf, virus scanners = > >I was missing the 's' at the end of scanners. I fixed that and now in my > >logs I see the following: > > > >Dec 14 13:45:22 ns1 MailScanner[697]: MailScanner E-Mail Virus Scanner > >version 4.25-14 starting... > >Dec 14 13:45:23 ns1 sendmail[730]: starting daemon (8.9.3): > >SMTP+queueing@01:00:00 > >Dec 14 13:45:32 ns1 MailScanner[810]: MailScanner E-Mail Virus Scanner > >version 4.25-14 starting... > >Dec 14 13:45:33 ns1 MailScanner[697]: Using locktype = flock > >Dec 14 13:45:33 ns1 MailScanner[697]: New Batch: Found 6 messages waiting > >Dec 14 13:45:33 ns1 MailScanner[697]: New Batch: Scanning 4 messages, 4618 > >bytes > >Dec 14 13:45:33 ns1 MailScanner[697]: Spam Checks: Starting > >Dec 14 13:45:38 ns1 MailScanner[810]: Using locktype = flock > >Dec 14 13:45:42 ns1 MailScanner[819]: MailScanner E-Mail Virus Scanner > >version 4.25-14 starting... > >Dec 14 13:45:43 ns1 MailScanner[697]: RBL Check ORDB-RBL timed out and was > >killed, consecutive failure 1 of 7 > >Dec 14 13:45:49 ns1 MailScanner[819]: Using locktype = flock > >Dec 14 13:45:53 ns1 MailScanner[838]: MailScanner E-Mail Virus Scanner > >version 4.25-14 starting... > >Dec 14 13:45:53 ns1 MailScanner[697]: Virus and Content Scanning: Starting > >Dec 14 13:45:55 ns1 MailScanner[697]: Uninfected: Delivered 4 messages > >Dec 14 13:46:00 ns1 MailScanner[838]: Using locktype = flock > >Dec 14 13:46:02 ns1 MailScanner[870]: MailScanner E-Mail Virus Scanner > >version 4.25-14 starting... 
> >Dec 14 13:46:08 ns1 MailScanner[870]: Using locktype = flock > > > >But still no header info in the e-mails. I think Mailscanner is looking > >somewhere where there are 4 old messges which it scans but are not > >delivered. Does this make any sense? > > > >The RBL check failing is I think due to our firewall which blocks entire IP > >blocks. I need to check what IP it uses and port to allow traffic out/in > >thru our firewall. > > > >Thanks for all the help! > > > >SW > >----- Original Message ----- > >From: "Julian Field" > >To: > >Sent: Sunday, December 14, 2003 1:31 PM > >Subject: Re: Mailscanner not scanning e-mails > > > > > >At 18:03 14/12/2003, you wrote: > > >root 693 0.0 0.0 0 0 ? Z 03:26 0:00 >[MailScanner > > >] > > >root 809 0.0 0.0 0 0 ? Z 03:26 0:00 >[MailScanner > > >] > > >root 813 0.0 0.0 0 0 ? Z 03:26 0:00 >[MailScanner > > >] > > >root 821 0.0 0.0 0 0 ? Z 03:26 0:00 >[MailScanner > > >] > > > >Take a look at MailScanner entries in your maillog. Looks like a > >configuration error. Best idea is to start from a default setup with no > >local tweaks at all, then slowly introduce the extras. > >-- > >Julian Field > >www.MailScanner.info > >Professional Support Services at www.MailScanner.biz > >MailScanner thanks transtec Computers for their support > >PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > >-- >Julian Field >www.MailScanner.info >Professional Support Services at www.MailScanner.biz >MailScanner thanks transtec Computers for their support >PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 __________________________________ Do you Yahoo!? Free Pop-Up Blocker - Get it now http://companion.yahoo.com/ From mailscanner at ecs.soton.ac.uk Mon Dec 15 15:32:42 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:21:33 2006
Subject: Bogus "denial of service" messages, and postdrop not working
In-Reply-To: <200312151625.17026.jacques@monaco.net>
References: <200312151528.02031.jacques@monaco.net> <6.0.1.1.2.20031215150744.03d19fa0@imap.ecs.soton.ac.uk> <200312151625.17026.jacques@monaco.net>
Message-ID: <6.0.1.1.2.20031215153134.0a125e10@imap.ecs.soton.ac.uk>

At 15:25 15/12/2003, you wrote:
>On Monday 15 December 2003 16:08, Julian Field wrote:
> > The DOS attack detection happens when either ClamAV thinks the zip
> > file expands too big, or else the virus scanner (whichever one it is)
> > never returns within the timeout period it is given to run in
> > (usually 5 or 10 minutes).
>
>Is there an option to force the delivery of these messages ? Or do I
>need to modify the source directly ? If so, in what file should I make
>the changes ?

How you solve it depends on why it is happening. Are you using ClamAV, and
if so does it complain about expanding a zip file when you try to scan one
of the quarantined attachments?

Or is your virus scanner taking 10 minutes to scan a file?
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Mon Dec 15 15:35:11 2003
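The two triggers named in the reply above (a zip that expands too big, or a scanner that never returns within its timeout), sketched as an added example; it is not part of the thread and is not MailScanner or ClamAV code. The limits, the function names and the stand-in scanner commands are assumptions chosen for illustration.

```python
import io
import os
import subprocess
import sys
import zipfile

# Assumed limits for illustration only; not MailScanner or ClamAV defaults.
MAX_EXPANDED_BYTES = 10 * 1024 * 1024   # total uncompressed size allowed
MAX_RATIO = 200                         # uncompressed : compressed
SCAN_TIMEOUT_SECONDS = 300              # the thread mentions 5 or 10 minutes


def expansion_verdict(data, max_bytes=MAX_EXPANDED_BYTES, max_ratio=MAX_RATIO):
    """Judge a zip held in memory from its directory, extracting nothing."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            infos = zf.infolist()
    except zipfile.BadZipFile:
        return ("not-zip", "no readable zip directory")
    declared = sum(i.file_size for i in infos)      # bytes after expansion
    packed = sum(i.compress_size for i in infos)    # bytes as stored
    if declared > max_bytes:
        return ("too-big", "size: %d bytes expanded, limit %d" % (declared, max_bytes))
    if packed and declared / packed > max_ratio:
        return ("too-big", "ratio: %d:1, limit %d:1" % (declared // packed, max_ratio))
    return ("ok", "%d bytes expanded" % declared)


def scan_with_timeout(cmd, timeout=SCAN_TIMEOUT_SECONDS):
    """Run a scanner command; report a timeout instead of waiting forever."""
    try:
        proc = subprocess.run(cmd, stdout=subprocess.DEVNULL,
                              stderr=subprocess.DEVNULL, timeout=timeout)
    except subprocess.TimeoutExpired:
        # subprocess.run() has already killed the child at this point.
        return ("timeout", "scanner did not return within %ss" % timeout)
    return ("finished", "exit status %d" % proc.returncode)


def triage(data, scanner_cmd, timeout=SCAN_TIMEOUT_SECONDS):
    """Say which of the two causes applies to this attachment, if either."""
    verdict, detail = expansion_verdict(data)
    if verdict == "too-big":
        return ("expansion", detail)
    status, detail = scan_with_timeout(scanner_cmd, timeout)
    if status == "timeout":
        return ("timeout", detail)
    return ("scanned", detail)


def build_sample_zip(payload):
    """Constructed sample input: a one-member zip built in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("sample.bin", payload)
    return buf.getvalue()


# Constructed samples and stand-in "scanners" (hypothetical, not real AV tools).
DENSE_SAMPLE = build_sample_zip(b"\0" * (1024 * 1024))   # compresses very well
PLAIN_SAMPLE = build_sample_zip(os.urandom(4096))        # barely compresses
SLOW_SCANNER = [sys.executable, "-c", "import time; time.sleep(5)"]
FAST_SCANNER = [sys.executable, "-c", "pass"]

if __name__ == "__main__":
    print(triage(DENSE_SAMPLE, FAST_SCANNER))
    print(triage(PLAIN_SAMPLE, SLOW_SCANNER, timeout=0.5))
    print(triage(PLAIN_SAMPLE, FAST_SCANNER, timeout=30))
```

Running the expansion check by hand on a quarantined attachment separates the two causes: if it passes, the alert came from the timeout, which is the case a lowered timeout on a loaded server makes more likely.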
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:21:33 2006 Subject: Mailscanner not scanning e-mails In-Reply-To: <00b601c3c320$a0c01ae0$3a95a644@Toshiba> References: <00b601c3c320$a0c01ae0$3a95a644@Toshiba> Message-ID: <6.0.1.1.2.20031215153338.0a1e9180@imap.ecs.soton.ac.uk> At 15:32 15/12/2003, you wrote: >(I'm not sure if this made it to the mailing list...so I'm sending again) > >Julian, > >OK, did exactly what you said by making the delivery method = queue In your /etc/MailScanner/MailScanner.conf, set Delivery Method = queue instead of the normal Delivery Method = batch This just helps when peering at the outgoing queue as it doesn't tell sendmail to immediately deliver messages that have been processed by MailScanner. >it seems >that /var/spool/mqueue/q* files seem to have the Mailscanner header added to >them. Good, in which case MailScanner is processing all your mail fine. > But here is a new problem, the mail is not being delivered. It just >sits in the mqueue directory. Can you help? See explanation of "batch" versus "queue" above. >Thanks, > >SW >----- Original Message ----- 
>From: "Julian Field" >To: "SW" >Sent: Sunday, December 14, 2003 3:53 PM >Subject: Re: Mailscanner not scanning e-mails > > >Sounds like it is scanning them. Set the Delivery Method = queue and look >in your /var/spool/mqueue/q* files for MailScanner headers (they are text >files, you can just "cat" them). You should find any MailScanner headers >towards the end of each of the q* files. > >At 20:09 14/12/2003, you wrote: > >Julian, > > > >Any ideas how to do this? I'm not that verstial w/ sendmail and I don't >want > >to break something. :-) > > > >BTW, why does my log files show mailscanner scanning e-mails? Or did I read > >them incorrectly: > > > >Dec 14 13:45:33 ns1 MailScanner[697]: New Batch: Found 6 messages waiting > >Dec 14 13:45:33 ns1 MailScanner[697]: New Batch: Scanning 4 messages, 4618 > >bytes > > > >Thanks, > > > >SW > >----- Original Message ----- 
> >From: "Julian Field" > >To: "SW" > >Cc: > >Sent: Sunday, December 14, 2003 2:49 PM > >Subject: Re: Mailscanner not scanning e-mails > > > > > >If you are running 8.9.3, then MailScanner won't scan mail created by > >invoking the sendmail binary directly. You need to tell whatever you are > >using to send mail via an SMTP server called localhost. > > > >At 19:08 14/12/2003, you wrote: > > >Julian, > > > > > >Yeap, you were right. It seemed that in mailscanner.conf, virus scanners >= > > >I was missing the 's' at the end of scanners. I fixed that and now in my > > >logs I see the following: > > > > > >Dec 14 13:45:22 ns1 MailScanner[697]: MailScanner E-Mail Virus Scanner > > >version 4.25-14 starting... > > >Dec 14 13:45:23 ns1 sendmail[730]: starting daemon (8.9.3): > > >SMTP+queueing@01:00:00 > > >Dec 14 13:45:32 ns1 MailScanner[810]: MailScanner E-Mail Virus Scanner > > >version 4.25-14 starting... > > >Dec 14 13:45:33 ns1 MailScanner[697]: Using locktype = flock > > >Dec 14 13:45:33 ns1 MailScanner[697]: New Batch: Found 6 messages waiting > > >Dec 14 13:45:33 ns1 MailScanner[697]: New Batch: Scanning 4 messages, >4618 > > >bytes > > >Dec 14 13:45:33 ns1 MailScanner[697]: Spam Checks: Starting > > >Dec 14 13:45:38 ns1 MailScanner[810]: Using locktype = flock > > >Dec 14 13:45:42 ns1 MailScanner[819]: MailScanner E-Mail Virus Scanner > > >version 4.25-14 starting... > > >Dec 14 13:45:43 ns1 MailScanner[697]: RBL Check ORDB-RBL timed out and >was > > >killed, consecutive failure 1 of 7 > > >Dec 14 13:45:49 ns1 MailScanner[819]: Using locktype = flock > > >Dec 14 13:45:53 ns1 MailScanner[838]: MailScanner E-Mail Virus Scanner > > >version 4.25-14 starting... 
> > >Dec 14 13:45:53 ns1 MailScanner[697]: Virus and Content Scanning: >Starting > > >Dec 14 13:45:55 ns1 MailScanner[697]: Uninfected: Delivered 4 messages > > >Dec 14 13:46:00 ns1 MailScanner[838]: Using locktype = flock > > >Dec 14 13:46:02 ns1 MailScanner[870]: MailScanner E-Mail Virus Scanner > > >version 4.25-14 starting... > > >Dec 14 13:46:08 ns1 MailScanner[870]: Using locktype = flock > > > > > >But still no header info in the e-mails. I think Mailscanner is looking > > >somewhere where there are 4 old messges which it scans but are not > > >delivered. Does this make any sense? > > > > > >The RBL check failing is I think due to our firewall which blocks entire >IP > > >blocks. I need to check what IP it uses and port to allow traffic out/in > > >thru our firewall. > > > > > >Thanks for all the help! > > > > > >SW > > >----- Original Message ----- 
> > >From: "Julian Field" > > >To: > > >Sent: Sunday, December 14, 2003 1:31 PM > > >Subject: Re: Mailscanner not scanning e-mails > > > > > > > > >At 18:03 14/12/2003, you wrote: > > > >root 693 0.0 0.0 0 0 ? Z 03:26 0:00 > >[MailScanner > > > >] > > > >root 809 0.0 0.0 0 0 ? Z 03:26 0:00 > >[MailScanner > > > >] > > > >root 813 0.0 0.0 0 0 ? Z 03:26 0:00 > >[MailScanner > > > >] > > > >root 821 0.0 0.0 0 0 ? Z 03:26 0:00 > >[MailScanner > > > >] > > > > > >Take a look at MailScanner entries in your maillog. Looks like a > > >configuration error. Best idea is to start from a default setup with no > > >local tweaks at all, then slowly introduce the extras. > > >-- > > >Julian Field > > >www.MailScanner.info > > >Professional Support Services at www.MailScanner.biz > > >MailScanner thanks transtec Computers for their support > > >PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > > > >-- > >Julian Field > >www.MailScanner.info > >Professional Support Services at www.MailScanner.biz > >MailScanner thanks transtec Computers for their support > >PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > >-- >Julian Field >www.MailScanner.info >Professional Support Services at www.MailScanner.biz >MailScanner thanks transtec Computers for their support >PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > > >__________________________________ >Do you Yahoo!? >Free Pop-Up Blocker - Get it now >http://companion.yahoo.com/ -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From dnsadmin at 1BIGTHINK.COM Mon Dec 15 15:45:09 2003 
From: dnsadmin at 1BIGTHINK.COM (DNSAdmin)
Date: Thu Jan 12 21:21:33 2006
Subject: MailScanner/SpamAssassin on RaQ3; help?!
Message-ID: <5.2.1.1.0.20031215104430.04bd1858@mail.1bigthink.com>

Hello All,

I have MailScanner and SpamAssassin installed on a RaQ3 and performing okay,
believe it or not! It was a very complicated install. It took me a week to
figure out how it was working even with some background, but still don't
know how to tweak it the way I want.

The problem is that I cannot get SpamAssassin to work except for plugging it
in through a procmailrc script:

DROPPRIVS=yes
#
:0fw
* < 256000
| spamc

This script forces mail through spamc which connects to the spamd daemon in
performing my spam checks. However, this setup does not allow for any global
configurations through the MailScanner facility. All my configuration
options have to be set at the user account level in
~*/.spamassassin/user_prefs.

Ultimately, I would like to affect global configurations at the MailScanner
level and then override configurations on individual accounts at
~*/.spamassassin/user_prefs.

I'm sure this is probably specific to the Cobalt OS. Can anyone help?

Thanks,
Glenn Parsons

From gioia at bclink.it Mon Dec 15 16:11:30 2003
From: gioia at bclink.it (Gioia Bastioni)
Date: Thu Jan 12 21:21:33 2006
Subject: R: R: F-prot update script
In-Reply-To:
Message-ID:

/opt/MailScanner/lib/f-prot-autoupdate 1> /dev/null

thanks Raymond and thanks Julian !
Bye

-----Original Message-----
From: Raymond Dijkxhoorn [mailto:raymond@prolocation.net]
Sent: Monday 15 December 2003 16.11
To: Gioia Bastioni
Cc: MAILSCANNER@jiscmail.ac.uk
Subject: Re: R: F-prot update script

Hi!

> I'm running the f-prot-autoupdate script,
> if I run the update_virus_scanners script I receive no emails, but I wish to
> use the f-prot-autoupdate script directly to run separately the updates for
> both f-prot and Antivir ..

Check your cron job, you can make it noisy there. It's now (default) directed
to /dev/null.

Bye,
Raymond.

From jacques at MONACO.NET Mon Dec 15 16:16:39 2003
From: jacques at MONACO.NET (Jacques Caruso)
Date: Thu Jan 12 21:21:33 2006
Subject: Bogus "denial of service" messages, and postdrop not working
In-Reply-To: <6.0.1.1.2.20031215153134.0a125e10@imap.ecs.soton.ac.uk>
References: <200312151528.02031.jacques@monaco.net> <200312151625.17026.jacques@monaco.net> <6.0.1.1.2.20031215153134.0a125e10@imap.ecs.soton.ac.uk>
Message-ID: <200312151716.39574.jacques@monaco.net>

[repost. Sorry, my mailer sent the message at the wrong address]

On Monday 15 December 2003 16:32, Julian Field wrote:
> How you solve it depends on why it is happening. Are you using
> ClamAV, and if so does it complain about expanding a zip file when

Yes, I am using ClamAV version 0.60+CVS20030916

> you try to scan one of the quarantined attachments?
>
> Or is your virus scanner taking 10 minutes to scan a file?

No, but I've greatly reduced the timeout (and the incriminated
attachment was over 10 MB, which of course took too much time to scan).
The server is quite overloaded, and I don't want to have batches of
messages lingering there while new messages clog up the queue.

Probably the best solution (short of upgrading the server) would be to
avoid scanning large messages (IIRC, SpamAssassin has this very
behaviour). Is there a way to prevent messages over a certain size to be
passed through the antivirus scanner ?

--
[ Jacques Caruso PHP Developer ]
[ Monaco Internet http://monaco-internet.mc/ ]
[ Tel: (+377) 93 10 00 43 PGP key: 0x41F5C63D ]
[ -*- When the finger points at the moon, the fool looks at the finger -*- ]

From TGFurnish at HERFF-JONES.COM Mon Dec 15 16:42:05 2003
From: TGFurnish at HERFF-JONES.COM (Furnish, Trever G)
Date: Thu Jan 12 21:21:33 2006
Subject: Yahoo Developing Open Source Server Software For Spam-Resista nt E-Mail
Message-ID: <8FFC76593085ED4A80D3601BC41EFCDF037335CE@inex1.herffjones.hj-int>

> -----Original Message-----
> From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK]
> Sent: Saturday, December 13, 2003 5:14 AM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: Yahoo Developing Open Source Server Software For
> Spam-Resistant E-Mail
>
>
> At 17:45 12/12/2003, you wrote:
> >Furnish, Trever G wrote:
> >>I for one would be quite willing to consider the ability to
> send email as
> >>domains you aren't authoritative for as a casualty of war.
>
> I think all of the (possibly millions) of people around the
> world who own a
> domain while not owning an outgoing mail server would disagree.

I am operating under the assumption that if you own a domain, then you
will have the authority and capability to control which servers are
designated as mail senders within your domain, even if your domain is
hosted by an ISP.

You seem to be making the exact opposite assumption (and you may be
right, given that I've seen no technical details on this
implementation).

Not allowing for such a set-up would indeed make such a system next to
worthless. Again though, more technical details on the implementation
are needed.

--
Trever

From Kevin_Miller at CI.JUNEAU.AK.US Mon Dec 15 17:05:58 2003
From: Kevin_Miller at CI.JUNEAU.AK.US (Kevin Miller)
Date: Thu Jan 12 21:21:33 2006
Subject: Blindsided...
Message-ID: <08146035CA49D6119A36009027AC822A0264EB82@CITY-EXCH-NTS>

I got a note from a user that she had been unsubscribed from
HTMLQUICKNEWS from cnn. I have an iframe.whitelist.rules which I've
edited so future emails can pass, but it would have been handy if
postmaster (or even she) had gotten a notice from MS to the effect that
these were being filtered. She'll probably have to resubscribe.

She got several notices, but ignored the first couple. With so much
nonsense coming into users' mailboxes these days (even w/the filters up)
I can understand why she didn't pay much attention but it would have
been nice to have been told after the first notice. Sigh.

I checked the logs this morning, but that's tedious and it's easy to
miss things. If there was an automatic notice then when a
non-whitelisted iframe tag or whatever comes through, the mail
administrator or user would immediately know it, and could either
whitelist it or not depending on the appropriateness rather than waiting
for the user to get a notice (if one actually comes) from the
originator.

I used to get a lot of object-codebase tags, until I upgraded to the
4.25-14. Now I disarm them (which is great) and no more messages in the
postmaster mailbox. I also used to allow all i-frames but now whitelist
them which is just dapper too. For those not whitelisted a message to
the postmaster would have been quite handy.

Or maybe there's a way to do that already & I'm just a bonehead?

Thanks...

...Kevin
--
Kevin Miller                Registered Linux User No: 307357
CBJ MIS Dept.               Network Systems Administrator, Mail Administrator
155 South Seward Street     ph: (907) 586-0242
Juneau, Alaska 99801        fax: (907) 586-4500

From mailscanner at ecs.soton.ac.uk Mon Dec 15 17:40:36 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:21:33 2006
Subject: Blindsided...
In-Reply-To: <08146035CA49D6119A36009027AC822A0264EB82@CITY-EXCH-NTS>
References: <08146035CA49D6119A36009027AC822A0264EB82@CITY-EXCH-NTS>
Message-ID: <6.0.1.1.2.20031215173937.03c6ce38@imap.ecs.soton.ac.uk>

At 17:05 15/12/2003, you wrote:
>I also used to allow all i-frames but now whitelist
>them which is just