From mailscanner at ecs.soton.ac.uk Sat Feb 1 12:57:11 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:07 2006
Subject: MailScanner on Mac OS X 10.2 Jaguar
In-Reply-To: <1511673.1044053716800.JavaMail.dbowen1@mac.com>
Message-ID: <5.2.0.9.2.20030201125550.020a29b8@imap.ecs.soton.ac.uk>

At 22:55 31/01/2003, you wrote:
> I would like to know if anyone else has installed, or has hints on
> installing MailScanner on Mac OS X, in particular, 10.2 Jaguar. I have
> gotten it to work, mostly, though the startup seems kludgy, just the cron
> entry for check_mailscanner.

You will need to write your own init script or other startup script,
following whatever you can copy from existing application startups in Jaguar.

> I followed the instructions for BSD as best as possible, though there
> is no rc.conf, so I'm not sure how much that will impact things. Also,
> how have people dealt with starting sendmail, having no rc.conf, its
> entry in /System/Library/StartupItems/Sendmail/ is what I've edited,
> though I'm not sure how well this will work out. Has anyone made a
> startupitem out of MailScanner? Also, I'm using clamav - though I can't
> say successfully, it all seems to be talking to each other, though the
> viruses that are found aren't actually disinfected. More on this in
> another post here.

See my other posting about this.
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Sat Feb 1 12:55:23 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:07 2006
Subject: Not disinfecting detected viruses found by clamav!
In-Reply-To: <2393663.1044053319641.JavaMail.dbowen1@mac.com>
Message-ID: <5.2.0.9.2.20030201125422.0276cec8@imap.ecs.soton.ac.uk>

In your MailScanner.conf file, have you put the *real* path to your incoming
directory, or a path that follows a link but ends up in the same place?
You must use the real path to it.

At 22:48 31/01/2003, you wrote:
>Hello,
> I'm seeing the following message in the mail.log:
>
>Jan 31 17:37:43 mail MailScanner[704]: New Batch: Scanning 1 messages,
>1186 bytes
>Jan 31 17:37:43 mail MailScanner[704]: Virus and Content Scanning: Starting
>Jan 31 17:37:43 mail MailScanner[704]:
>/private/var/spool/MailScanner/incoming/704/./h0VMbdeN001832/test1:
>ClamAV-Test-Signature FOUND
>Jan 31 17:37:43 mail MailScanner[704]: Virus Scanning: clamav found 1
>infections
>Jan 31 17:37:43 mail MailScanner[704]: Virus Scanning: Found 1 viruses
>Jan 31 17:37:43 mail MailScanner[704]: Uninfected: Delivered 1 messages
>
>yet the message arrives at its destination, complete with "cleaned"
>signature, and the original virus containing attachment, as follows:
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
> Mailscanner thanks transtec Computers for their support.
>
> [clamAV test signature was here, but deleted for posting to the list]
>
>Does anyone have any hints as to how to get the thing to disinfect???
>
>Thanks,
>Dan Bowen
>Oak Ridge Schools
>Oak Ridge, TN, USA

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Sat Feb 1 14:00:44 2003
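
An added example, not part of the original posts and not MailScanner's own code: a Python check that the incoming directory set in MailScanner.conf is written as its real path, as the reply above requires. It reads the "Incoming Work Dir" setting; the /var -> private/var layout, the function names and the sample report path are constructed for the demonstration, and the string-prefix comparison is only an illustration of the mismatch, not a description of MailScanner internals.

```python
"""Added example: verify that 'Incoming Work Dir' names a real, symlink-free path."""
import os
import re
import shutil
import tempfile

# 'Incoming Work Dir' is the MailScanner.conf setting for the incoming directory.
OPTION = re.compile(r"^\s*Incoming\s+Work\s+Dir\s*=\s*(\S.*?)\s*$", re.IGNORECASE)


def read_incoming_dir(conf_path):
    """Return the 'Incoming Work Dir' value from a MailScanner.conf-style file."""
    with open(conf_path, encoding="utf-8", errors="replace") as fh:
        for line in fh:
            match = OPTION.match(line.split("#", 1)[0])  # ignore comments
            if match:
                return match.group(1)
    raise KeyError("Incoming Work Dir is not set in " + conf_path)


def symlinked_components(path):
    """Return (link, target) for every component of path that is a symlink."""
    links = []
    current = os.sep if os.path.isabs(path) else ""
    for part in os.path.normpath(path).split(os.sep):
        if not part:
            continue
        current = os.path.join(current, part)
        if os.path.islink(current):
            links.append((current, os.path.realpath(current)))
    return links


def check_incoming_dir(conf_path):
    """Compare the configured directory with its fully resolved real path."""
    configured = read_incoming_dir(conf_path)
    real = os.path.realpath(configured)
    return {
        "configured": configured,
        "real": real,
        "ok": os.path.normpath(configured) == real,
        "links": symlinked_components(configured),
    }


def is_under(directory, reported_path):
    """Plain string-prefix test, with no symlink resolution on either side."""
    prefix = os.path.normpath(directory) + os.sep
    return os.path.normpath(reported_path).startswith(prefix)


def demo():
    """Build a constructed var -> private/var layout (as on Mac OS X) and check it."""
    base = os.path.realpath(tempfile.mkdtemp(prefix="ms-demo-"))
    try:
        real = os.path.join(base, "private", "var", "spool", "MailScanner", "incoming")
        os.makedirs(real)
        os.symlink(os.path.join("private", "var"), os.path.join(base, "var"))
        via_link = os.path.join(base, "var", "spool", "MailScanner", "incoming")

        results = {}
        for name, value in (("via_link", via_link), ("via_real", real)):
            conf = os.path.join(base, name + ".conf")
            with open(conf, "w", encoding="utf-8") as fh:
                fh.write("# constructed sample configuration\n")
                fh.write("Incoming Work Dir = %s\n" % value)
            results[name] = check_incoming_dir(conf)

        # Constructed report path, shaped like the one in the quoted mail.log.
        reported = os.path.join(real, "704", ".", "h0VMbdeN001832", "test1")
        results["report_under_configured"] = is_under(via_link, reported)
        results["report_under_real"] = is_under(results["via_link"]["real"], reported)
        return results
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=>", value)
```

On a live server, call check_incoming_dir() with the path to the installed MailScanner.conf and replace the configured value with the "real" field whenever "ok" is false.
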
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:07 2006
Subject: ANNOUNCE: Version 4.12-1 released
Message-ID: <5.2.0.9.2.20030201135648.027913c8@imap.ecs.soton.ac.uk>

Hi folks!

I have just released version 4.12-1.
There are quite a few improvements and changes. The full ChangeLog is at
the bottom of this message, but the highlights are:
- "Hide Incoming Work Dir in Notices" configuration option
- "X-MailScanner-Information:" header to all messages
- "Notice Signature" configuration option
- "Allow Partial Messages" configuration option
- "Allow External Message Bodies" configuration option
- "Detailed Spam Report" configuration option
- Custom functions to implement per-domain spam whitelists and blacklists
- Support for the Kaspersky daemon scanner

Download as usual from www.mailscanner.info
(and why not buy a T-shirt while you're there :-)

The full Change Log is

*New Features and Improvements*
- Added "Hide Incoming Work Dir in Notices" configuration option so you can
  hide the local paths from the system administrator notices, in case your
  system administrators are actually customers who you don't want to give
  more information than is strictly necessary.
- Added "X-MailScanner-Information:" header to all messages. You can of
  course switch this off.
- Added "Notice Signature" configuration option so you can change what
  signature appears on the bottom of administrator notices. This can of
  course also be a ruleset so you can change it for each message.
- Added "Allow Partial Messages" configuration option so you can disable the
  "partial message" check for some/all of your users.
- Added "Allow External Message Bodies" configuration option so you can stop
  the IETF whinging about their messages being broken by MailScanner :-)
- Added "Detailed Spam Report" option to allow sites to just use a simple
  "spam" or "not spam" header instead of the potentially confusing full
  detailed report.
- Added set of custom functions to implement per-domain spam whitelists and
  blacklists. See /usr/lib/MailScanner/MailScanner/CustomConfig.pm for more
  information.
- Added support for the daemon scanner from Kaspersky. Will be quicker for
  small servers not processing much mail, especially when the code is
  actually being used in Dan's Guardian and not MailScanner :-)
- Added umask setting to handle SpamAssassin 2.50 resetting the umask all
  the time.
- Added Jeremy Evans' installation guide for OpenBSD.
- Improved SpamAssassin handling. After several timeouts it will disable
  SpamAssassin's RBL checks and keep trying to use it. If the timeouts
  continue to happen, then it will disable SpamAssassin completely until the
  next automatic restart.
- Improved RedHat init.d script to make graceful shutdown more likely.
- Improved error messages from sophos-autoupdate so it warns you that your
  Sophos installation may be too old.
- Improved Sophos parser so it correctly quarantines "corrupt" files.
- Updated all Swedish translations with ISO-8859 instead of UTF-8.
- Updated Spanish translation.
- Changed umask in update_virus_scanners to work with Exim better.
- Filename rules improved to cope with ".txt .exe" as well as ".txt.exe"
  file-extension-hiding tactics.
- Filename rules improved to catch Outlook Express attacks relying on bugs
  in OE related to very long filenames. All very long filenames will now be
  banned.
- Improved errors produced when running with Exim and permissions/ownership
  of incoming work dir are wrong.

*Fixes*
- Fixed Exim bug that was corrupting queues.
- Fixed variable-naming bug in AntiVir wrapper script.
- Fixed bug where duplicate copies of "notices" are sent where several
  "notices" recipients are given.
- Fixed bug where long-filename tests in filename.rules.conf would never
  match.
- Merged all the check_mailscanner scripts into one. Now needs to be built
  by autoconf.
- Fixed continuing problem with orphaned files being left in mqueue.in.
- Fixed blank-subject-when-using-Exim bug.
- Stopped sendmail 8.12.7 complaining about closed std file descriptors.
- Fixed filename rules problem with short+long filenames.
- Fixed bug causing SpamAssassin to miss some spam messages.
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Sat Feb 1 14:45:35 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:07 2006
Subject: ANNOUNCE: Version 4.12-1 released
In-Reply-To: <5.2.0.9.2.20030201135648.027913c8@imap.ecs.soton.ac.uk>
Message-ID: <5.2.0.9.2.20030201144354.02938ed0@imap.ecs.soton.ac.uk>

And to save the 1st question that is always asked:

I have not changed any of the supporting modules this time around, so if
you are upgrading from a very recent version you just need to upgrade the
mailscanner*rpm. But running the install.sh won't do any harm...
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From evertjan at VANRAMSELAAR.NL Sat Feb 1 16:55:41 2003
From: evertjan at VANRAMSELAAR.NL (Evert Jan van Ramselaar)
Date: Thu Jan 12 21:17:07 2006
Subject: FW: [SA-Announce] SpamAssassin 2.44 released
Message-ID: <000f01c2ca12$c1fa1790$65000a0a@galaxy>

Hey list and Julian,

I suppose this one is still compatible with MailScanner?

--
Evert Jan van Ramselaar
Van Ramselaar Info Tech

-----Original Message-----
From: Justin Mason
Sent: Saturday, February 01, 2003 4:50 PM
To: SpamAssassin-announce@lists.sourceforge.net
Subject: [SA-Announce] SpamAssassin 2.44 released

Get it here:

  http://spamassassin.org/released/

This is a bug-fix release, which fixes the following bugs:

 - Backport fix for Bug 1306: Possible buffer overflow in libspamc when
   running in BSMTP mode (patch 1.15 -> 1.18)

 - Backport workaround from Bug 526: Failed sanity check because of
   clobbered STDOUT (patch 1.147 -> 1.148)

 - Backport fix for Debian Bug 160206: Insufficient buffer in libspamc
   (patch 1.8 -> 1.9)

 - Backport fix for warnings in sed_path (patch 1.141 -> 1.142)

 - Backport fix for Bug 1127: Existing lowercase x-spam-status header
   kills SpamAssassin (patch 1.40 -> 1.41)

 - localized %ENV to fix problem where Razor2 erases the PATH so DCC and
   pyzor don't work, etc.

RPMs etc. should be out soon ;)

Note that this is *not* 2.50, which offers Bayesian filtering etc. These
bugs are already fixed in the 2.50 CVS tree, but that is not yet ready for
release. This is a stable maintenance release only.

--j.

From mailscanner at ecs.soton.ac.uk Sat Feb 1 18:35:32 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:07 2006
Subject: FW: [SA-Announce] SpamAssassin 2.44 released
In-Reply-To: <000f01c2ca12$c1fa1790$65000a0a@galaxy>
Message-ID: <5.2.0.9.2.20030201183124.0241bea0@imap.ecs.soton.ac.uk>

At 16:55 01/02/2003, you wrote:
>Hey list and Julian,
>
>I suppose this one is still compatible with MailScanner?

Just upgraded my servers to 2.44 and all appears to be working fine.

>-----Original Message-----
>From: Justin Mason
>Sent: Saturday, February 01, 2003 4:50 PM
>To: SpamAssassin-announce@lists.sourceforge.net
>Subject: [SA-Announce] SpamAssassin 2.44 released
>
>
>Get it here:
>
> http://spamassassin.org/released/
>
>This is a bug-fix release, which fixes the following bugs:
>
> - Backport fix for Bug 1306: Possible buffer overflow in libspamc when
> running in BSMTP mode (patch 1.15 -> 1.18)
>
> - Backport workaround from Bug 526: Failed sanity check because of
> clobbered STDOUT (patch 1.147 -> 1.148)
>
> - Backport fix for Debian Bug 160206: Insufficient buffer in libspamc
> (patch 1.8 -> 1.9)
>
> - Backport fix for warnings in sed_path (patch 1.141 -> 1.142)
>
> - Backport fix for Bug 1127: Existing lowercase x-spam-status header
> kills SpamAssassin (patch 1.40 -> 1.41)
>
> - localized %ENV to fix problem where Razor2 erases the PATH so DCC and
> pyzor don't work, etc.
>
>RPMs etc. should be out soon ;)
>
>Note that this is *not* 2.50, which offers Bayesian filtering etc. These
>bugs are already fixed in the 2.50 CVS tree, but that is not yet ready for
>release. This is a stable maintenance release only.
>
>--j.

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From Richard.Lush at HP.COM Sat Feb 1 18:40:59 2003
From: Richard.Lush at HP.COM (Lush, Richard)
Date: Thu Jan 12 21:17:07 2006
Subject: New webmin module released. Version 0.3 Beta
Message-ID:

Hi All,

The newest version of the webmin module has been released.

Change log for Version 0.3 Beta

Fixed: Selecting default on some options deleted them.
Fixed: Options with more than one space are not saved
Fixed: Some options were not being saved when changed
Added: Ruleset editor (Thanks to Craig Bates for the code)
Added: New options for MailScanner 4.12
Change: Restart just restarts MailScanner and leaves sendmail running

It can be downloaded from http://lushsoft.dyndns.org/mailscanner-webmin

Regards,
Richard Lush
Consulting and Integration
Security Practice
Reading UK
Email richard.lush@hp.com
Mobile +44 (0) 7788 916941
Office +44 (0) 118 920 2349
Fax +44 (0) 118 920 4612

From mike at ZANKER.ORG Sat Feb 1 18:45:51 2003
From: mike at ZANKER.ORG (Mike Zanker)
Date: Thu Jan 12 21:17:07 2006
Subject: FW: [SA-Announce] SpamAssassin 2.44 released
In-Reply-To: <000f01c2ca12$c1fa1790$65000a0a@galaxy>
References: <000f01c2ca12$c1fa1790$65000a0a@galaxy>
Message-ID: <775764890.1044125151@jemima.zanker.org>

On 01 February 2003 17:55 +0100 Evert Jan van Ramselaar wrote:

> I suppose this one is still compatible with MailScanner?

No problems here - SpamAssassin 2.44 and MailScanner 4.12-1 on Red Hat 8.0.

Mike.

From mike at ZANKER.ORG Sun Feb 2 11:08:58 2003
From: mike at ZANKER.ORG (Mike Zanker)
Date: Thu Jan 12 21:17:07 2006
Subject: FW: [SA-Announce] SpamAssassin 2.44 released
In-Reply-To: <001e01c2caa9$5bc005b0$65000a0a@galaxy>
References: <001e01c2caa9$5bc005b0$65000a0a@galaxy>
Message-ID: <48329754.1044184138@jemima.zanker.org>

On 02 February 2003 11:53 +0100 Evert Jan van Ramselaar wrote:

> Great! Just updated to MailScanner 4.12-2 and SpamAssassin 2.44 myself
> and all seems to work fine.

Oh - what's the difference between 4.12-1 and 4.12-2?

Thanks,

Mike.

From evertjan at VANRAMSELAAR.NL Sun Feb 2 10:53:43 2003
From: evertjan at VANRAMSELAAR.NL (Evert Jan van Ramselaar)
Date: Thu Jan 12 21:17:07 2006
Subject: FW: [SA-Announce] SpamAssassin 2.44 released
In-Reply-To: <775764890.1044125151@jemima.zanker.org>
Message-ID: <001e01c2caa9$5bc005b0$65000a0a@galaxy>

> -----Original Message-----
> From: Mike Zanker
> Sent: Saturday, February 01, 2003 7:46 PM
>
> No problems here - SpamAssassin 2.44 and MailScanner 4.12-1 on Red Hat
> 8.0.

Great! Just updated to MailScanner 4.12-2 and SpamAssassin 2.44 myself
and all seems to work fine.
Running on Redhat 7.2 with Sophos and F-Prot.

--
Evert Jan van Ramselaar
Van Ramselaar Info Tech

From evertjan at VANRAMSELAAR.NL Sun Feb 2 11:15:53 2003
From: evertjan at VANRAMSELAAR.NL (Evert Jan van Ramselaar)
Date: Thu Jan 12 21:17:07 2006
Subject: FW: [SA-Announce] SpamAssassin 2.44 released
In-Reply-To: <48329754.1044184138@jemima.zanker.org>
Message-ID: <002001c2caac$75481880$65000a0a@galaxy>

> -----Original Message-----
> From: Mike Zanker
> Sent: Sunday, February 02, 2003 12:09 PM
>
> Oh - what's the difference between 4.12-1 and 4.12-2?

From the news section on the site:
1/2/2003 Released version 4.12-2. I missed the kavdaemonclient-wrapper
out of the RPM distributions.

Not very important if you do not use that scanner I guess...

--
Evert Jan van Ramselaar
Van Ramselaar Info Tech

From mike at ZANKER.ORG Sun Feb 2 11:32:59 2003
From: mike at ZANKER.ORG (Mike Zanker)
Date: Thu Jan 12 21:17:07 2006
Subject: FW: [SA-Announce] SpamAssassin 2.44 released
In-Reply-To: <002001c2caac$75481880$65000a0a@galaxy>
References: <002001c2caac$75481880$65000a0a@galaxy>
Message-ID: <49771067.1044185579@jemima.zanker.org>

On 02 February 2003 12:15 +0100 Evert Jan van Ramselaar wrote:

> From the news section on the site:
> 1/2/2003 Released version 4.12-2. I missed the kavdaemonclient-wrapper
> out of the RPM distributions.

Thanks, I missed that - probably had the page cached locally.

Mike.

From Kevin.Spicer at BMRB.CO.UK Mon Feb 3 00:32:32 2003
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin)
Date: Thu Jan 12 21:17:07 2006
Subject: Feature suggestion...
Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0A32CC8@pascal.priv.bmrb.co.uk>

(I can't think of any way to do this right now without modifying the MS
code - if I've missed it please let me know! - I'm running 4.10 but I can't
see anything like this in the 4.11 or 4.12 changelogs)

I was wondering if it was possible for the postmaster report to be included
in the reports directory and configurable via the conf file. I would like
to see this because I would then be able to filter virus emails against a
list of internal servers (IP's) using a ruleset so that outgoing viruses
would trigger a different report (and I can put things like importance: high
in the headers for the benefit of Outlook!) I can already use a ruleset to
send reports of locally originating viruses to a wider set of people, but
I'd like to change the text too.

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000

From mailscanner at ecs.soton.ac.uk Mon Feb 3 01:59:54 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:07 2006
Subject: Feature suggestion...
In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB0A32CC8@pascal.priv.bmrb.co .uk>
Message-ID: <5.2.0.9.2.20030203015742.02592da0@imap.ecs.soton.ac.uk>

Probably a good idea. Didn't ever occur to me that anyone wanted to be able
to customise this report as much as it appears they do.

This will involve a little juggling with the conf file but is probably a
good idea all the same. I should have done it that way to start with.

At 00:32 03/02/2003, you wrote:
>(I can't think of any way to do this right now without modifying the MS
>code - if I've missed it please let me know! - I'm running 4.10 but I
>can't see anything like this in the 4.11 or 4.12 changelogs)
>
>I was wondering if it was possible for the postmaster report to be
>included in the reports directory and configurable via the conf file. I
>would like to see this because I would then be able to filter virus emails
>against a list of internal servers (IP's) using a ruleset so that outgoing
>viruses would trigger a different report (and I can put things like
>importance: high in the headers for the benefit of Outlook!) I can
>already use a ruleset to send reports of locally originating viruses to a
>wider set of people, but I'd like to change the text too.
>
>
>
>BMRB International
>http://www.bmrb.co.uk
>+44 (0)20 8566 5000

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Mon Feb 3 02:18:58 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:07 2006
Subject: Feature suggestion...
In-Reply-To: <5.2.0.9.2.20030203015742.02592da0@imap.ecs.soton.ac.uk>
References: <5C0296D26910694BB9A9BBFC577E7AB0A32CC8@pascal.priv.bmrb.co .uk>
Message-ID: <5.2.0.9.2.20030203020507.025dcdf0@imap.ecs.soton.ac.uk>

I've just re-read all the code concerned with this, and found the reason I
haven't done it before.

The complication is that a message batch can generate several notices, each
of which needs to go to a combination of notice recipients. Any individual
notice may go to several recipients. But also many notices will go to the
same recipient. So building the list of notices along with all the relevant
headers is not trivial.

Let's say you specified notice N1 for message M1 and notice N2 for message
M2, using a ruleset to select the different notice template files. But then
you also specify the same notice recipient to both M1 and M2. Then what do
you send to the notice recipient? The notice N1 or the notice N2 or both?

The only way I have seen of solving this is to only have 1 virus report in
each notice. On a vaguely busy server this will create considerably more
mail just generating reports and not pumping real mail for customers.

I can't reduce it to only allowing 1 template for notices instead of being
able to change it via a ruleset. There are users out there who already have
a need for multiple notices, which are currently handled by being able to
change the notice signature with a ruleset.

Anyone got any ideas on how I might solve this one?

At 01:59 03/02/2003, you wrote:
>At 00:32 03/02/2003, you wrote:
>>(I can't think of any way to do this right now without modifying the MS
>>code - if I've missed it please let me know! - I'm running 4.10 but I
>>can't see anything like this in the 4.11 or 4.12 changelogs)
>>
>>I was wondering if it was possible for the postmaster report to be
>>included in the reports directory and configurable via the conf file. I
>>would like to see this because I would then be able to filter virus emails
>>against a list of internal servers (IP's) using a ruleset so that outgoing
>>viruses would trigger a different report (and I can put things like
>>importance: high in the headers for the benefit of Outlook!) I can
>>already use a ruleset to send reports of locally originating viruses to a
>>wider set of people, but I'd like to change the text too.

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From mike at CAMAROSS.NET Mon Feb 3 02:53:55 2003
From: mike at CAMAROSS.NET (Mike Kercher)
Date: Thu Jan 12 21:17:07 2006
Subject: Feature suggestion...
In-Reply-To: <5.2.0.9.2.20030203020507.025dcdf0@imap.ecs.soton.ac.uk>
Message-ID: <008301c2cb2f$7e64c570$9801a8c0@home.middlefinger.net>

IBM has that Magic Pixie Dust, but I can't find a link on their site for it
:)

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Julian Field
Sent: Sunday, February 02, 2003 8:19 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Feature suggestion...

I've just re-read all the code concerned with this, and found the reason I
haven't done it before.

The complication is that a message batch can generate several notices, each
of which needs to go to a combination of notice recipients. Any individual
notice may go to several recipients. But also many notices will go to the
same recipient. So building the list of notices along with all the relevant
headers is not trivial.

Let's say you specified notice N1 for message M1 and notice N2 for message
M2, using a ruleset to select the different notice template files. But then
you also specify the same notice recipient to both M1 and M2. Then what do
you send to the notice recipient? The notice N1 or the notice N2 or both?

The only way I have seen of solving this is to only have 1 virus report in
each notice. On a vaguely busy server this will create considerably more
mail just generating reports and not pumping real mail for customers.

I can't reduce it to only allowing 1 template for notices instead of being
able to change it via a ruleset. There are users out there who already have
a need for multiple notices, which are currently handled by being able to
change the notice signature with a ruleset.

Anyone got any ideas on how I might solve this one?

At 01:59 03/02/2003, you wrote:
>At 00:32 03/02/2003, you wrote:
>>(I can't think of any way to do this right now without modifying the MS
>>code - if I've missed it please let me know! - I'm running 4.10 but I
>>can't see anything like this in the 4.11 or 4.12 changelogs)
>>
>>I was wondering if it was possible for the postmaster report to be
>>included in the reports directory and configurable via the conf file. I
>>would like to see this because I would then be able to filter virus emails
>>against a list of internal servers (IP's) using a ruleset so that outgoing
>>viruses would trigger a different report (and I can put things like
>>importance: high in the headers for the benefit of Outlook!) I can
>>already use a ruleset to send reports of locally originating viruses to a
>>wider set of people, but I'd like to change the text too.

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From bfriedman at TYCOINT.COM Mon Feb 3 07:34:45 2003
From: bfriedman at TYCOINT.COM (Brandon Friedman)
Date: Thu Jan 12 21:17:07 2006
Subject: 3.x to 4.x Upgrade
Message-ID: <000101c2cb56$606eb810$485f7ca0@brandonnb>

I have been running 3.x for quite sometime and it is running great.

My only concern is that support for 3.x will be stopped shortly. Is
there an indication of when this will happen?

I understand that 4.x is the current stable new version etc.....but I
run 3.x on a production box and I can't afford too much downtime!

--
Regards
Brandon Friedman
ADT South Africa
E-mail: bfriedman@tycoint.com

From raymond at PROLOCATION.NET Mon Feb 3 08:32:45 2003
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:17:07 2006
Subject: 3.x to 4.x Upgrade
In-Reply-To: <000101c2cb56$606eb810$485f7ca0@brandonnb>
Message-ID:

Hi!

> My only concern is that support for 3.x will be stopped shortly. Is
> there an indication of when this will happen?
>
> I understand that 4.x is the current stable new version etc.....but I
> run 3.x on a production box and I can't afford too much downtime!

I recently upgraded my 3 mailrelays from 3.x to 4.x. I assume you have some
backup machine; upgrade the first, and then the second. Upgrade took around
8 minutes per box on my end. If you don't have a fallback machine you should
seriously consider one :)

Bye,
Raymond.

From mailscanner at ecs.soton.ac.uk Mon Feb 3 10:33:18 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:07 2006
Subject: 3.x to 4.x Upgrade
In-Reply-To: <000101c2cb56$606eb810$485f7ca0@brandonnb>
Message-ID: <5.2.0.9.2.20030203102902.02792830@imap.ecs.soton.ac.uk>

At 07:34 03/02/2003, you wrote:
>I have been running 3.x for quite sometime and it is running great.
>
>My only concern is that support for 3.x will be stopped shortly. Is
>there an indication of when this will happen?

I am only fixing urgent security issues in 3.x now. No new features will be
added to it.

>I understand that 4.x is the current stable new version etc.....but I
>run 3.x on a production box and I can't afford too much downtime!

The long bit of doing the upgrade depends on how much you have customised
the setup for your site. You cannot just use the mailscanner.conf file from
3.x and try to run 4.x with it. You need to edit the MailScanner.conf for
4.x and include all your customisations. Note that some things like
per-domain scanning control and spam white/black lists have changed a bit,
you will need to read the contents of the /etc/MailScanner/rules directory
to see what you need to understand.

You will need to uninstall 3.x completely first, then install and customise
4.x. I advise you install 4.x on another machine so you can sort out all
your customisations. Then the upgrade on your production server should only
take a few minutes.

If you get stuck and need some help, do ask!
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From paul at ESPMAIL.CO.UK Mon Feb 3 11:14:57 2003
From: paul at ESPMAIL.CO.UK (Paul Welsh)
Date: Thu Jan 12 21:17:07 2006
Subject: 3.x to 4.x Upgrade
References: <5.2.0.9.2.20030203102902.02792830@imap.ecs.soton.ac.uk>
Message-ID: <00b001c2cb75$7ca25220$6a0110ac@sbsplc.com>

Julian

On a low end machine (raq3 in my case), do you think v4 will be slower?

From mailscanner at ecs.soton.ac.uk Mon Feb 3 11:22:15 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:07 2006
Subject: 3.x to 4.x Upgrade
In-Reply-To: <00b001c2cb75$7ca25220$6a0110ac@sbsplc.com>
References: <5.2.0.9.2.20030203102902.02792830@imap.ecs.soton.ac.uk>
Message-ID: <5.2.0.9.2.20030203112131.02934f88@imap.ecs.soton.ac.uk>

At 11:14 03/02/2003, you wrote:
>On a low end machine (raq3 in my case), do you think v4 will be slower?

Run 2 or 3 child processes and it should be noticeably quicker.
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From rvitoria at CI.UCP.PT Mon Feb 3 11:40:47 2003
From: rvitoria at CI.UCP.PT (Rui Vitória)
Date: Thu Jan 12 21:17:07 2006
Subject: spam error
Message-ID:

Hi Mr. Julian

I upgraded with the last release and I receive this error.

Feb 3 11:41:35 fagote MailScanner[3199]: Looked up unknown string spam in
language translation file /etc/MailScanner/reports/en/languages.conf

Can you help me

Rgdrs
rui Vitória

From mailscanner at ecs.soton.ac.uk Mon Feb 3 11:48:27 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:07 2006
Subject: spam error
In-Reply-To:
Message-ID: <5.2.0.9.2.20030203114627.02949f50@imap.ecs.soton.ac.uk>

At 11:40 03/02/2003, you wrote:
>Hi Mr. Julian
>
>I upgraded with the last release and i receive this error.
>
>Feb 3 11:41:35 fagote MailScanner[3199]: Looked up unknown string spam in
>language translation file /etc/MailScanner/reports/en/languages.conf

If you have edited the languages.conf file at all from a previous version,
the new one will not have overwritten your changes, but created a
languages.conf.rpmnew file. You need to merge the 2 files by copying your
alterations from languages.conf into languages.conf.rpmnew, then
"mv languages.conf.rpmnew languages.conf".
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From R.A.Gardener at SHU.AC.UK Mon Feb 3 13:17:24 2003
From: R.A.Gardener at SHU.AC.UK (Ray Gardener)
Date: Thu Jan 12 21:17:07 2006
Subject: version 4.12 - (Exim and header rewrites)
References: <5.2.0.9.2.20030203114627.02949f50@imap.ecs.soton.ac.uk>
Message-ID: <002e01c2cb86$97beb830$5a14348f@videoproducer>

Hi,

I have just installed version 4.12 and the problem that I mentioned in an
earlier posting still seems to be there. Briefly, the email header lines
weren't being formed in the exact way that exim expected, which resulted in
rewrites not working. Is this still logged as a problem or should 4.12 have
fixed it?

Regards

Ray Gardener
Sheffield Hallam University

From mailscanner at ecs.soton.ac.uk Mon Feb 3 13:54:27 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:07 2006
Subject: version 4.12 - (Exim and header rewrites)
In-Reply-To: <002e01c2cb86$97beb830$5a14348f@videoproducer>
References: <5.2.0.9.2.20030203114627.02949f50@imap.ecs.soton.ac.uk>
Message-ID: <5.2.0.9.2.20030203135338.042dadd0@imap.ecs.soton.ac.uk>

At 13:17 03/02/2003, you wrote:
>I have just installed version 4.12 and the problem that I mentioned in an
>earlier posting still seems to be there. Briefly, the email headers line
>weren't been formed in the exact way that exim expected, which resulted in
>rewrites not working. Is this still logged as a problem or should 4.12 have
>fixed it?

Nick didn't get a chance to look at it before 4.12 went out. I've asked him
to take a look, so hopefully he will have a fix v.soon.
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From Peter.Bates at LSHTM.AC.UK Mon Feb 3 13:43:32 2003
From: Peter.Bates at LSHTM.AC.UK (Peter Bates) Date: Thu Jan 12 21:17:07 2006 Subject: FW: [SA-Announce] SpamAssassin 2.44 released Message-ID: Hello all... > evertjan@VANRAMSELAAR.NL 02/02/03 10:53:43 >>> > No problems here - SpamAssassin 2.44 and MailScanner 4.12-1 on Red Hat > 8.0. >Great! Just updated to MailScanner 4.12-2 and SpamAssassin 2.44 myself >and all seems to work fine. >Running on Redhat 7.2 with Sophos and F-Prot. Okay... apologies if this is a FAQ, but you can literally just (I'm running MS 4.11 from the RPM) download MS 4.12, and do 'rpm -Uvh new-version.rpm' ? And as for SA, are people just downloading it, and doing the usual 'make... make install' routine without complaint? ---------------------------------------------------------------------------------------------------> Peter Bates, Systems Support Officer, Network Support Team. London School of Hygiene & Tropical Medicine. Telephone:0207-958 8353 / Fax: 0207- 636 9838 From mailscanner at ecs.soton.ac.uk Mon Feb 3 14:41:22 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:07 2006 Subject: FW: [SA-Announce] SpamAssassin 2.44 released Message-ID: <5.2.0.9.2.20030203144048.042cb820@wheresmymailserver.com> At 13:43 03/02/2003, you wrote: >Okay... apologies if this is a FAQ, but you can literally just (I'm >running MS 4.11 >from the RPM) download MS 4.12, and do 'rpm -Uvh new-version.rpm' ? Yes. Please see my earlier posting on this: >>Date: Sat, 1 Feb 2003 14:45:35 +0000 >>From: Julian Field >>Subject: Re: ANNOUNCE: Version 4.12-1 released >>To: MAILSCANNER@JISCMAIL.AC.UK >And as for SA, are people just downloading it, and doing the usual >'make... make install' routine without complaint? perl Makefile.PL make make test make install seems to work quite happily. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From jaearick at COLBY.EDU Mon Feb 3 14:53:21 2003 
From: jaearick at COLBY.EDU (Jeff A. Earickson) Date: Thu Jan 12 21:17:07 2006 Subject: 4.12-2 Solaris buglet Message-ID: Julian, I upgraded from 4.11-1 to 4.12-2 today, Solaris 8, and got complaints from my startup script: /bin/fgrep: illegal option -- q I dug around and found that bin/check_mailscanner has a define at the top of FGREP=/bin/fgrep. Then a few lines down, the script says: if $UNAME | $FGREP -q "SunOS" ; then which causes the complaints. How about just a test against "uname -s" instead? UNAME=`/bin/uname -s` if [ $UNAME = "SunOS" ]; then My quick fix to the problem was to change the definition of FGREP to use /usr/local/bin/fgrep, the GNU version that supports -q. ----------------------------------- Jeff A. Earickson, Ph.D Senior UNIX Sysadmin and Email Guru Information Technology Services Colby College, 4214 Mayflower Hill, Waterville ME, 04901-8842 phone: 207-872-3659 (fax = 3076) ----------------------------------- From rvitoria at CI.UCP.PT Mon Feb 3 15:03:37 2003 From: rvitoria at CI.UCP.PT (Rui Vitória) Date: Thu Jan 12 21:17:07 2006 Subject: spam error Message-ID: Thank you it's fine. Rui Vitória From mailscanner at ecs.soton.ac.uk Mon Feb 3 15:03:37 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:07 2006 Subject: 4.12-2 Solaris buglet In-Reply-To: Message-ID: <5.2.0.9.2.20030203150227.044013c0@imap.ecs.soton.ac.uk> Any comments from anyone else on the portability of "uname -s"? At 14:53 03/02/2003, you wrote: >Julian, > I upgraded from 4.11-1 to 4.12-2 today, Solaris 8, and got >complaints from my startup script: > >/bin/fgrep: illegal option -- q > >I dug around and found that bin/check_mailscanner has a define at >the top of FGREP=/bin/fgrep. Then a few lines down, the script >says: > >if $UNAME | $FGREP -q "SunOS" ; then > >which causes the complaints. How about just a test against "uname -s" >instead? > >UNAME=`/bin/uname -s` >if [ $UNAME = "SunOS" ]; then > >My quick fix to the problem was to change the definition of >FGREP to use /usr/local/bin/fgrep, the GNU version that supports -q. > >----------------------------------- >Jeff A. Earickson, Ph.D >Senior UNIX Sysadmin and Email Guru >Information Technology Services >Colby College, 4214 Mayflower Hill, >Waterville ME, 04901-8842 >phone: 207-872-3659 (fax = 3076) >----------------------------------- -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From brandonf at BFCONSULT.CO.ZA Mon Feb 3 15:12:43 2003 From: brandonf at BFCONSULT.CO.ZA (Brandon Friedman) Date: Thu Jan 12 21:17:07 2006 Subject: 3.x to 4.x Upgrade In-Reply-To: <5.2.0.9.2.20030203102902.02792830@imap.ecs.soton.ac.uk> Message-ID: <000501c2cb96$c8cdd220$4c5f7ca0@brandonnb> Thanks Julian I will setup the spare server later.....are there some FAQs on upgrading to 4.x? What are the gotchas etc to look out for? -- Regards Brandon Friedman ADT South Africa E-mail: bfriedman@tycoint.com > -----Original Message----- 
> From: MailScanner mailing list > [mailto:MAILSCANNER@jiscmail.ac.uk] On Behalf Of Julian Field > Sent: 03 February 2003 12:33 > To: MAILSCANNER@jiscmail.ac.uk > Subject: Re: 3.x to 4.x Upgrade > > > At 07:34 03/02/2003, you wrote: > >I have been running 3.x for quite sometime and it is running great. > > > >My only concern is that support for 3.x will be stopped shortly. Is > >there an indication of when this will happen? > > I am only fixing urgent security issues in 3.x now. No new > features will be added to it. > > >I understand that 4.x is the current stable new version > etc.....but I > >run 3.x on a production box and I can't afford too much downtime! > > The long bit of doing the upgrade depends on how much you > have customised the setup for your site. You cannot just use > the mailscanner.conf file from 3.x and try to run 4.x with > it. You need to edit the MailScanner.conf for 4.x and include > all your customisations. Note that some things like > per-domain scanning control and spam white/black lists have > changed a bit, you will need to read the contents of the > /etc/MailScanner/rules directory to see what you need to understand. > > You will need to uninstall 3.x completely first, then install > and customise 4.x. > > I advise you install 4.x on another machine so you can sort > out all your customisations. Then the upgrade on your > production server should only take a few minutes. > > If you get stuck and need some help, do ask! > -- > Julian Field > www.MailScanner.info > MailScanner thanks transtec Computers for their support > > -- > This message has been scanned for viruses and dangerous > content by Modiredi E-mail Virus Protection Service. > > From Kevin.Spicer at BMRB.CO.UK Mon Feb 3 15:17:53 2003 
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin) Date: Thu Jan 12 21:17:07 2006 Subject: 4.12-2 Solaris buglet Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0A32CD2@pascal.priv.bmrb.co.uk> IMHO it would be safest to redirect the output of fgrep to /dev/null, then you don't have to worry about command line flags on either uname or fgrep. > -----Original Message----- 
> From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] > Sent: 03 February 2003 15:04 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: 4.12-2 Solaris buglet > > > Any comments from anyone else on the portability of "uname -s"? > > At 14:53 03/02/2003, you wrote: > >Julian, > > I upgraded from 4.11-1 to 4.12-2 today, Solaris 8, and got > >complaints from my startup script: > > > >/bin/fgrep: illegal option -- q > > > >I dug around and found that bin/check_mailscanner has a define at > >the top of FGREP=/bin/fgrep. Then a few lines down, the script > >says: > > > >if $UNAME | $FGREP -q "SunOS" ; then > > > >which causes the complaints. How about just a test against > "uname -s" > >instead? > > > >UNAME=`/bin/uname -s` > >if [ $UNAME = "SunOS" ]; then > > > >My quick fix to the problem was to change the definition of > >FGREP to use /usr/local/bin/fgrep, the GNU version that supports -q. > > > >----------------------------------- > >Jeff A. Earickson, Ph.D > >Senior UNIX Sysadmin and Email Guru > >Information Technology Services > >Colby College, 4214 Mayflower Hill, > >Waterville ME, 04901-8842 > >phone: 207-872-3659 (fax = 3076) > >----------------------------------- > > -- > Julian Field > www.MailScanner.info > MailScanner thanks transtec Computers for their support > BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 From mbowman at UDCOM.COM Mon Feb 3 15:33:15 2003 
From: mbowman at UDCOM.COM (Matthew Bowman) Date: Thu Jan 12 21:17:07 2006 Subject: MRTG on RH 7.2 Message-ID: Hello Our Mailscanner machine has Redhat 7.2 sendmail 8.11.6 SpamAssassin 2.43 MailScanner 4.10 Having installed mrtg via the source NOT rpm, the mrtg runs with mrtg.cfg file but does not update the .png files (I'm not using cron atm just having MRTG daemonized) -rw-r--r-- 1 root root 5246 Feb 3 09:47 mail.html -rw-r--r-- 1 root root 39 Feb 3 09:47 mail.html.meta -rw-r--r-- 1 root root 47955 Feb 3 09:47 mail.log -rw-r--r-- 1 root root 75 Feb 3 09:30 mail-month.png -rw-r--r-- 1 root root 39 Feb 3 09:30 mail-month.png.meta -rw-r--r-- 1 root root 47928 Feb 3 09:30 mail.old -rw-r--r-- 1 root root 75 Feb 3 09:30 mail-week.png -rw-r--r-- 1 root root 39 Feb 3 09:30 mail-week.png.meta -rw-r--r-- 1 root root 75 Feb 3 09:30 mail-year.png -rw-r--r-- 1 root root 39 Feb 3 09:30 mail-year.png.meta The URL is http://smithers.vbcomm.net/mail/mail/mail.html I don't think it's a .cfg problem (I'm using the one off www.mailscanner.info) My libraries are at gd-1.8.4-4 libpng-1.0.12-2 libpng-devel-1.0.12-2 zlib-1.1.3-25.7 zlib-devel-1.1.3-25.7 If anyone has got a running mrtg on a RH 7.2 w/mailscanner setup I would like to know how to fix it and if I need to update the libraries above Matthew K Bowman Systems Administrator; Hostmaster; Miva Administrator Universal Digital Communications, Mansfield Ohio. From mailscanner at ecs.soton.ac.uk Mon Feb 3 15:39:36 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:07 2006 Subject: 3.x to 4.x Upgrade In-Reply-To: <000501c2cb96$c8cdd220$4c5f7ca0@brandonnb> References: <5.2.0.9.2.20030203102902.02792830@imap.ecs.soton.ac.uk> Message-ID: <5.2.0.9.2.20030203153634.02c3ce78@imap.ecs.soton.ac.uk> At 15:12 03/02/2003, you wrote: >Thanks Julian > >I will setup the spare server later.....are there some FAQs on upgrading >to 4.x? What are the gotchas etc to look out for? Read the "What's new in V4" page on the web site. No particular gotchas that come to mind. When you run MailScanner V4 for the first time, keep a close eye on your maillog for any errors it finds. If it finds errors it won't be able to startup properly. Once it is running, expect there to be several MailScanner processes, you can use the init.d script to control them all. If you keep seeing defunct processes that keep re-spawning themselves, then there is an error in your configuration somewhere which is stopping it loading properly. Check your maillog for signs of the error. Basically just take it slowly and methodically and you should be fine. >-- >Regards >Brandon Friedman >ADT South Africa >E-mail: bfriedman@tycoint.com > > > > -----Original Message----- 
> > From: MailScanner mailing list > > [mailto:MAILSCANNER@jiscmail.ac.uk] On Behalf Of Julian Field > > Sent: 03 February 2003 12:33 > > To: MAILSCANNER@jiscmail.ac.uk > > Subject: Re: 3.x to 4.x Upgrade > > > > > > At 07:34 03/02/2003, you wrote: > > >I have been running 3.x for quite sometime and it is running great. > > > > > >My only concern is that support for 3.x will be stopped shortly. Is > > >there an indication of when this will happen? > > > > I am only fixing urgent security issues in 3.x now. No new > > features will be added to it. > > > > >I understand that 4.x is the current stable new version > > etc.....but I > > >run 3.x on a production box and I can't afford too much downtime! > > > > The long bit of doing the upgrade depends on how much you > > have customised the setup for your site. You cannot just use > > the mailscanner.conf file from 3.x and try to run 4.x with > > it. You need to edit the MailScanner.conf for 4.x and include > > all your customisations. Note that some things like > > per-domain scanning control and spam white/black lists have > > changed a bit, you will need to read the contents of the > > /etc/MailScanner/rules directory to see what you need to understand. > > > > You will need to uninstall 3.x completely first, then install > > and customise 4.x. > > > > I advise you install 4.x on another machine so you can sort > > out all your customisations. Then the upgrade on your > > production server should only take a few minutes. > > > > If you get stuck and need some help, do ask! > > -- > > Julian Field > > www.MailScanner.info > > MailScanner thanks transtec Computers for their support > > > > -- > > This message has been scanned for viruses and dangerous > > content by Modiredi E-mail Virus Protection Service. > > > > -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From simon at ADVANTAGE-INTERACTIVE.COM Mon Feb 3 15:42:48 2003 
From: simon at ADVANTAGE-INTERACTIVE.COM (Simon Dick) Date: Thu Jan 12 21:17:07 2006 Subject: 4.12-2 Solaris buglet In-Reply-To: <5.2.0.9.2.20030203150227.044013c0@imap.ecs.soton.ac.uk> References: <5.2.0.9.2.20030203150227.044013c0@imap.ecs.soton.ac.uk> Message-ID: <1044286968.1750.4.camel@devbox> On Mon, 2003-02-03 at 15:03, Julian Field wrote: > Any comments from anyone else on the portability of "uname -s"? Works for me on freebsd 4.7, suse 8.0 and solaris 9 :) -- Simon Dick simon@advantage-interactive.com From ivan at NUCCI.COM.BR Mon Feb 3 16:07:22 2003 
From: ivan at NUCCI.COM.BR (Ivan Mirisola) Date: Thu Jan 12 21:17:07 2006 Subject: Not disinfecting detected viruses found by clamav! References: <2393663.1044053319641.JavaMail.dbowen1@mac.com> Message-ID: <3E3E93BA.3080902@nucci.com.br> Daniel, I use clamav just to inform that the message was infected. Clamav is currently not able to perform disinfection, as far as I know... Best regards, --- Ivan Mirisola Nucci Systems São Paulo, Brasil Daniel Bowen wrote: >Hello, > I'm seeing the following message in the mail.log: > >Jan 31 17:37:43 mail MailScanner[704]: New Batch: Scanning 1 messages, 1186 bytes >Jan 31 17:37:43 mail MailScanner[704]: Virus and Content Scanning: Starting >Jan 31 17:37:43 mail MailScanner[704]: /private/var/spool/MailScanner/incoming/704/./h0VMbdeN001832/test1: ClamAV-Test-Signature FOUND >Jan 31 17:37:43 mail MailScanner[704]: Virus Scanning: clamav found 1 infections >Jan 31 17:37:43 mail MailScanner[704]: Virus Scanning: Found 1 viruses >Jan 31 17:37:43 mail MailScanner[704]: Uninfected: Delivered 1 messages > >yet the message arrives at its destination, complete with "cleaned" signature, and the original virus containing attachment, as follows: > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > Mailscanner thanks transtec Computers for their support. > > [clamAV test signature was here, but deleted for posting to the list] > >Does anyone have any hints as to how to get the thing to disinfect??? > >Thanks, >Dan Bowen >Oak Ridge Schools >Oak Ridge, TN, USA > > From mailscanner at ecs.soton.ac.uk Mon Feb 3 16:30:33 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:07 2006 Subject: 4.12-2 Solaris buglet In-Reply-To: Message-ID: <5.2.0.9.2.20030203162808.04613ec0@imap.ecs.soton.ac.uk> Jeff, Here's a new check_mailscanner for you to try out. I haven't gone for a "uname -s" approach yet, as I don't know the exact string they all produce (e.g. does HP-UX say "HP", "HPUX" or "HP-UX"?). But using "fgrep >/dev/null" instead of "fgrep -q" seems to work okay, if not quite as fast as just running "uname -s" once. But I am not remotely interested in the speed of this script. At 14:53 03/02/2003, you wrote: >Julian, > I upgraded from 4.11-1 to 4.12-2 today, Solaris 8, and got >complaints from my startup script: > >/bin/fgrep: illegal option -- q > >I dug around and found that bin/check_mailscanner has a define at >the top of FGREP=/bin/fgrep. Then a few lines down, the script >says: > >if $UNAME | $FGREP -q "SunOS" ; then > >which causes the complaints. How about just a test against "uname -s" >instead? > >UNAME=`/bin/uname -s` >if [ $UNAME = "SunOS" ]; then > >My quick fix to the problem was to change the definition of >FGREP to use /usr/local/bin/fgrep, the GNU version that supports -q. -------------- next part -------------- A non-text attachment was scrubbed... Name: check_mailscanner Type: application/octet-stream Size: 3294 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030203/fe7105ad/check_mailscanner.obj -------------- next part -------------- -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From mailscannerlist at TNJINFL.COM Mon Feb 3 16:57:35 2003 
From: mailscannerlist at TNJINFL.COM (James Pifer) Date: Thu Jan 12 21:17:07 2006 Subject: MRTG on RH 7.2 In-Reply-To: References: Message-ID: <1044291456.23132.8.camel@tweety.tnjinfl.com> I had this exact problem on RH7.3. I got on the mrtg mailing list and their response was that it's a problem with the Redhat RPMs. Their suggestion was to reinstall MRTG from the source. I moved to Redhat 8 so I never tried it. I have not had the same problem on RH8. HTH, James On Mon, 2003-02-03 at 10:33, Matthew Bowman wrote: > Hello > > Our Mailscanner machine has > > Redhat 7.2 > sendmail 8.11.6 > SpamAssassin 2.43 > MailScanner 4.10 > > Having installed mrtg via the source NOT rpm, the mrtg runs with mrtg.cfg > file but does not update the .png files (I'm not using cron atm just > having MRTG daemonized) > > > -rw-r--r-- 1 root root 5246 Feb 3 09:47 mail.html > -rw-r--r-- 1 root root 39 Feb 3 09:47 mail.html.meta > -rw-r--r-- 1 root root 47955 Feb 3 09:47 mail.log > -rw-r--r-- 1 root root 75 Feb 3 09:30 mail-month.png > -rw-r--r-- 1 root root 39 Feb 3 09:30 > mail-month.png.meta > -rw-r--r-- 1 root root 47928 Feb 3 09:30 mail.old > -rw-r--r-- 1 root root 75 Feb 3 09:30 mail-week.png > -rw-r--r-- 1 root root 39 Feb 3 09:30 mail-week.png.meta > -rw-r--r-- 1 root root 75 Feb 3 09:30 mail-year.png > -rw-r--r-- 1 root root 39 Feb 3 09:30 mail-year.png.meta > > The URL is http://smithers.vbcomm.net/mail/mail/mail.html > > I don't think it's a .cfg problem (I'm using the one off > www.mailscanner.info) > > > My libraries are at > > gd-1.8.4-4 > libpng-1.0.12-2 > libpng-devel-1.0.12-2 > zlib-1.1.3-25.7 > zlib-devel-1.1.3-25.7 > > If anyone has got a running mrtg on a RH 7.2 w/mailscanner setup I would > like to know how to fix it and if I need to update the libraries above > > > Matthew K Bowman > Systems Administrator; Hostmaster; Miva Administrator > Universal Digital Communications, Mansfield Ohio. From nerijus at USERS.SOURCEFORGE.NET Mon Feb 3 17:33:56 2003 
From: nerijus at USERS.SOURCEFORGE.NET (Nerijus Baliunas) Date: Thu Jan 12 21:17:07 2006 Subject: 4.12-2 Solaris buglet In-Reply-To: <1044286968.1750.4.camel@devbox> References: <5.2.0.9.2.20030203150227.044013c0@imap.ecs.soton.ac.uk> <1044286968.1750.4.camel@devbox> Message-ID: <200302031739.h13Hdo9u006368@mx.ktv.lt> > Any comments from anyone else on the portability of "uname -s"? root# uname -s AIX Regards, Nerijus From dpowell at LSSI.NET Mon Feb 3 18:53:09 2003 From: dpowell at LSSI.NET (Darrin Powell) Date: Thu Jan 12 21:17:07 2006 Subject: SpamAssassin spamc BSMTP Buffer Overflow Message-ID: <1044298390.2040.82.camel@powell> Not sure if this affects this list. The affected software is said to be in the Beta development stage, and the vulnerability is present only in a specific non-default configuration. However, the program is popular with Unix administrators providing web-based access to mailing list archives. Ease of Exploitation: Straightforward. An attacker sending a malicious email with an over-long attachment name can overflow a buffer on the stack and control Hypermail's execution. An example email that will trigger the overflow has been posted. Darrin From mailscanner at ecs.soton.ac.uk Mon Feb 3 18:58:27 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:07 2006 Subject: SpamAssassin spamc BSMTP Buffer Overflow In-Reply-To: <1044298390.2040.82.camel@powell> Message-ID: <5.2.0.9.2.20030203185805.0245bd30@imap.ecs.soton.ac.uk> Thanks for the posting, but MailScanner does not use spamc at all. At 18:53 03/02/2003, you wrote: >Not sure if this affects this list. > >The affected software is said to be in the Beta development stage, >and the vulnerability is present only in a specific non-default >configuration. However, the program is popular with Unix administrators >providing web-based access to mailing list archives. > >Ease of Exploitation: Straightforward. >An attacker sending a malicious email with an over-long attachment name >can overflow a buffer on the stack and control Hypermail's execution. >An example email that will trigger the overflow has been posted. > > >Darrin -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From jjohanns at sewanee.edu Mon Feb 3 19:44:27 2003 From: jjohanns at sewanee.edu (jj) Date: Thu Jan 12 21:17:07 2006 Subject: 4.12-2 Solaris buglet In-Reply-To: <200302031739.h13Hdo9u006368@mx.ktv.lt> Message-ID: > Any comments from anyone else on the portability of "uname -s"? root> uname -s uname -s HP-UX And to add to that the -x option in check_mailscanner ps -efx does not work on our server L1000 HP-UX 11.0 The output from ps -ef also truncates the path to MailScanner root 5676 28152 1 13:24:55 ? 0:00 /usr/bin/perl -I/opt/MailScanner /opt/MailScanner/bin/Ma so if it fgreps for $msbindir/$process and those are set to MailScanner and /opt/MailScanner/bin it does not return the pids of MailScanner But after adjusting check_mailscanner to the output from ps -ef it works fine. Thanks Johannes Johannsson From sean at NISD.NET Mon Feb 3 19:42:57 2003 
From: sean at NISD.NET (Sean Embry) Date: Thu Jan 12 21:17:07 2006 Subject: 4.12-2 Solaris buglet Message-ID: uname -s (On 7.3) Linux uname -s (On 5.0.5 & 5.0.6) SCO_SV All right, no wise cracks about SCO now. I've already heard 'em. If I recall correctly, the only *nix that uname -s didn't really work on was some off the wall version. I can't even recall which vendor it was that published it. It was on an Intel 8086 though. I think it was even SYS III, not even SYS V. I think AT&T 2b2 and 2b3 gave correct answers, but I don't think any of those boat anchors are running anymore... >>> nerijus@USERS.SOURCEFORGE.NET 02/03/03 11:33AM >>> > Any comments from anyone else on the portability of "uname -s"? root# uname -s AIX Regards, Nerijus From dpowell at LSSI.NET Mon Feb 3 19:46:51 2003 
From: dpowell at LSSI.NET (Darrin Powell) Date: Thu Jan 12 21:17:07 2006 Subject: SpamAssassin spamc BSMTP Buffer Overflow In-Reply-To: <5.2.0.9.2.20030203185805.0245bd30@imap.ecs.soton.ac.uk> References: <5.2.0.9.2.20030203185805.0245bd30@imap.ecs.soton.ac.uk> Message-ID: <1044301611.2040.97.camel@powell> Julian Does the configuration for MailScanner and SpamAssassin use spamc? Thanks Darrin On Mon, 2003-02-03 at 13:58, Julian Field wrote: > Thanks for the posting, but MailScanner does not use spamc at all. > > At 18:53 03/02/2003, you wrote: > >Not sure if this affects this list. > > > >The affected software is said to be in the Beta development stage, > >and the vulnerability is present only in a specific non-default > >configuration. However, the program is popular with Unix administrators > >providing web-based access to mailing list archives. > > > >Ease of Exploitation: Straightforward. > >An attacker sending a malicious email with an over-long attachment name > >can overflow a buffer on the stack and control Hypermail's execution. > >An example email that will trigger the overflow has been posted. > > > > > >Darrin > > -- > Julian Field > www.MailScanner.info > MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Mon Feb 3 19:58:20 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:07 2006 Subject: SpamAssassin spamc BSMTP Buffer Overflow In-Reply-To: <1044301611.2040.97.camel@powell> References: <5.2.0.9.2.20030203185805.0245bd30@imap.ecs.soton.ac.uk> <5.2.0.9.2.20030203185805.0245bd30@imap.ecs.soton.ac.uk> Message-ID: <5.2.0.9.2.20030203195806.0247ad00@imap.ecs.soton.ac.uk> See my previous answer. At 19:46 03/02/2003, you wrote: >Julian > > Does the configuration for MailScanner and SpamAssassin use spamc? > > > >Thanks >Darrin > >On Mon, 2003-02-03 at 13:58, Julian Field wrote: > > Thanks for the posting, but MailScanner does not use spamc at all. > > > > At 18:53 03/02/2003, you wrote: > > >Not sure if this affects this list. > > > > > >The affected software is said to be in the Beta development stage, > > >and the vulnerability is present only in a specific non-default > > >configuration. However, the program is popular with Unix administrators > > >providing web-based access to mailing list archives. > > > > > >Ease of Exploitation: Straightforward. > > >An attacker sending a malicious email with an over-long attachment name > > >can overflow a buffer on the stack and control Hypermail's execution. > > >An example email that will trigger the overflow has been posted. > > > > > > > > >Darrin > > > > -- > > Julian Field > > www.MailScanner.info > > MailScanner thanks transtec Computers for their support -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From brose at MED.WAYNE.EDU Mon Feb 3 20:37:55 2003 From: brose at MED.WAYNE.EDU (Rose, Bobby) Date: Thu Jan 12 21:17:07 2006 Subject: 4.12-2 Solaris buglet Message-ID: This check_mailscanner works on Solaris 8. No fgreps here whereas there were with the 4.12-2 check_mailscanner. -----Original Message----- 
From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] Sent: Monday, February 03, 2003 11:31 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: 4.12-2 Solaris buglet Jeff, Here's a new check_mailscanner for you to try out. I haven't gone for a "uname -s" approach yet, as I don't know the exact string they all produce (e.g. does HP-UX say "HP", "HPUX" or "HP-UX"?). But using "fgrep >/dev/null" instead of "fgrep -q" seems to work okay, if not quite as fast as just running "uname -s" once. But I am not remotely interested in the speed of this script. At 14:53 03/02/2003, you wrote: >Julian, > I upgraded from 4.11-1 to 4.12-2 today, Solaris 8, and got >complaints from my startup script: > >/bin/fgrep: illegal option -- q > >I dug around and found that bin/check_mailscanner has a define at the >top of FGREP=/bin/fgrep. Then a few lines down, the script >says: > >if $UNAME | $FGREP -q "SunOS" ; then > >which causes the complaints. How about just a test against "uname -s" >instead? > >UNAME=`/bin/uname -s` >if [ $UNAME = "SunOS" ]; then > >My quick fix to the problem was to change the definition of FGREP to >use /usr/local/bin/fgrep, the GNU version that supports -q. From mailscanner at ecs.soton.ac.uk Mon Feb 3 20:38:56 2003 
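The two fixes discussed in this thread (comparing the `uname -s` string, and discarding fgrep's output instead of passing `-q`), together with one possible way to cope with the truncated `ps -ef` listing reported for HP-UX, as an added example that is not the check_mailscanner shipped by the project. The function names, the FGREP fallback and the prefix-matching rule are assumptions of this example; the sample `ps` listing is constructed around the one line quoted in the thread.

```shell
#!/bin/sh
# Added example, not the project's check_mailscanner.
# os_is, has_fixed, pids_from_ps and sample_ps are hypothetical helper names.

FGREP="${FGREP:-fgrep}"   # same idea as the script's own FGREP= define

# os_is NAME [STRING]: exact match on the kernel name, no grep involved.
# STRING defaults to the output of uname -s; the thread reports SunOS,
# AIX, HP-UX, Linux and SCO_SV as real outputs.
os_is() {
    [ "${2:-$(uname -s)}" = "$1" ]
}

# has_fixed STRING: true if stdin contains STRING. The output is thrown
# away instead of being suppressed with -q, which Solaris /bin/fgrep rejects.
has_fixed() {
    if command -v "$FGREP" >/dev/null 2>&1; then
        "$FGREP" "$1" >/dev/null 2>&1
    else
        grep -F "$1" >/dev/null 2>&1    # fallback where no fgrep is installed
    fi
}

# pids_from_ps CMDPATH: read "ps -ef" output on stdin and print the PID of
# every line that names CMDPATH. A line also counts when it ENDS in a cut-off
# copy of CMDPATH that still reaches past the directory part, which is what a
# ps that truncates long command lines produces. A cut-off name is a weaker
# match than a full one: another program in the same directory whose name
# starts with the same characters would match as well.
pids_from_ps() {
    awk -v want="$1" '
        BEGIN {
            dir = want
            sub("[^/]*$", "", dir)          # e.g. "/opt/MailScanner/bin/"
            minlen = length(dir) + 1        # need at least 1 char of the name
        }
        $2 == "PID" { next }                # header line
        {
            sub(/[ \t]+$/, "")              # drop trailing blanks
            if (index($0, want)) { print $2; next }
            for (n = length(want) - 1; n >= minlen; n--) {
                if (length($0) >= n &&
                    substr($0, length($0) - n + 1) == substr(want, 1, n)) {
                    print $2
                    next
                }
            }
        }'
}

# Constructed sample listing; the 5676 line is the one quoted in the thread.
sample_ps() {
    cat <<'EOF'
UID   PID  PPID  C    STIME TTY  TIME COMMAND
root   812     1  0 09:00:01 ?    0:02 /usr/sbin/sendmail -bd -q15m
root  5676 28152  1 13:24:55 ?    0:00 /usr/bin/perl -I/opt/MailScanner /opt/MailScanner/bin/Ma
root  5701 28152  0 13:25:10 ?    0:00 /usr/bin/perl -I/opt/MailScanner /opt/MailScanner/bin/MailScanner
root  5802     1  0 13:26:00 ?    0:00 /opt/MailScanner/bin/
EOF
}

# Prints the PIDs of the truncated and the untruncated MailScanner lines.
sample_ps | pids_from_ps /opt/MailScanner/bin/MailScanner
```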
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:07 2006 Subject: version 4.12 - (Exim and header rewrites) In-Reply-To: References: <5.2.0.9.2.20030203135338.042dadd0@imap.ecs.soton.ac.uk> Message-ID: <5.2.0.9.2.20030203202049.02436e60@imap.ecs.soton.ac.uk> At 19:58 03/02/2003, you wrote: >On Tuesday, February 4, 2003, at 02:54 am, Julian Field wrote: >>At 13:17 03/02/2003, you wrote: >>>I have just installed version 4.12 and the problem that I mentioned >>>in an >>>earlier posting still seems to be there. Briefly, the email headers >>>line >>>weren't been formed in the exact way that exim expected, which >>>resulted in >>>rewrites not working. Is this still logged as a problem or should >>>4.12 have >>>fixed it? >> >>Nick didn't get a chance to look at it before 4.12 went out. I've >>asked him >>to take a look, so hopefully he will have a fix v.soon. > >Have fixed it (one typo and one thinko). It's in CVS now, and should be >included in >the next release. I'll also post a patch if I get a chance. If quite a few people are having problems with this, I'll issue a new -3 release. Do shout if you want me to do that. Here's the patch: --- /usr/lib/MailScanner/MailScanner/old/Exim.pm Mon Jan 20 20:27:42 2003 +++ Exim.pm Mon Feb 3 02:27:38 2003 @@ -624,7 +624,7 @@ $header->{name} = $1; $header->{body} = $2 . "\n"; # Ugly ugly ugly - $header->{flags} = " "; + $header->{flag} = " "; # Important next; @@ -973,7 +973,7 @@ foreach (keys %{$metadata->{vanishedflags}}) { $metadata->{vanishedflags}{$_} and FindAndFlag($metadata->{headers}, "$_"); } -# print STDERR Dumper($metadata->{headers}); +# MailScanner::Log::InfoLog(Dumper($metadata->{headers})); foreach (@{$metadata->{headers}}) { my $htext = $_->{name} . $_->{body}; # We want exactly one \n at the end of each header 
@@ -1013,8 +1013,10 @@ my $foundone = 0; foreach (@$headerary) { + $_->{flag} ne " " and next; - $headers{uc($flag) . ":"} eq lc $_->{name} or next; + $headers{uc($flag)}.":" eq lc $_->{name} or next; + # OK, found one $foundone = 1; $_->{flag} = $flag; -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From mkettler at EVI-INC.COM Mon Feb 3 22:11:33 2003 From: mkettler at EVI-INC.COM (Matt Kettler) Date: Thu Jan 12 21:17:07 2006 Subject: SpamAssassin 2.50 news In-Reply-To: Message-ID: <5.1.1.6.0.20030203170433.0159e720@192.168.50.2> Agreed, if you manually do the learning process, it should be fine, even with multiple users, as long as the spam/nonspam it is fed is reasonably representative. However, auto-learning will be subject to the same ALL_SPAM_TO type problems that the AWL is subject to. Really I don't think that autolearning is all that good an idea anyway, since it causes false positives and/or false negatives to be self-perpetuating. Probably the best solution is to have some kind of special email address that users can send mail to manually to cause SA to learn from it. (ie: learn_nonspam@mydomain.com, learn_spam@mydomain.com) and use a procmail script to crank emails to these fake accounts to the learning commands of SA. You'll probably also want to add some sender and/or received path checks to that procmail script to avoid abuse from the outside by spammers. At 10:59 PM 1/29/2003 -0500, Rose, Bobby wrote: >Autolearning isn't in there yet. Even so it'll be a configurable >option. > >-----Original Message----- 
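Review bot: in the second hunk of the Exim.pm patch above (@@ -973,7 +973,7 @@) the replaced line is still commented out, so the change only swaps one piece of dead debug code for another. If someone uncomments it, MailScanner::Log::InfoLog(Dumper($metadata->{headers})) sends every header of every message through the normal log instead of STDERR. Either drop the line or put it behind an explicit debug setting, and say next to it that it logs full message headers.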
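Review bot: in the third hunk of the Exim.pm patch above (@@ -1013,8 +1013,10 @@) the new comparison $headers{uc($flag)}.":" eq lc $_->{name} has no check that %headers holds an entry for uc($flag); for a flag without one the left side is just ":" and the loop quietly flags nothing. Look the name up once before the foreach and return early when it is missing, and parenthesise the concatenation so the reader does not have to recall that "." binds tighter than "eq". The added $_->{flag} ne " " and next; also depends on the single-space value assigned in the first hunk, which deserves a named constant or a comment more specific than "# Important".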
>From: Steve Evans [mailto:sevans@FOUNDATION.SDSU.EDU] >Sent: Wednesday, January 29, 2003 10:31 PM >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Re: SpamAssassin 2.50 news > > >Have you looked into how the bayes filtering is going to work with >MailScanner? My understanding is that bayes is designed to learn off a >single user, and may not have desirable effects when the learning >process uses your entire mail flow. > >Steve Evans >SDSU Foundation >(619) 594-0653 > > >-----Original Message----- >From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] >Sent: Wednesday, January 29, 2003 1:45 PM >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: SpamAssassin 2.50 news > > >For all the SpamAssassin users, here is a reply I just got on the SAtalk >mailing list. > > >On Wed, Jan 29, 2003 at 09:14:35PM +0000, Julian Field wrote: > > > I know this is probably a dangerous question, but is there yet any > > > idea of a very rough ETA for the next version of this wonderful > > > package? > > > >Very rough: by end of Q1. Less, but still, rough: by end of February. > > > > > Just want to know whether I should start trying out CVS versions or > > > just wait a couple of weeks for the real release. > > > >The main code is pretty much done, but the stuff that's in progress are > > >the scores. > >So we've got a good 6 weeks (or thereabouts) to go before the new >version of SA will be available and settled. >-- >Julian Field >www.MailScanner.info >MailScanner thanks transtec Computers for their support From brose at MED.WAYNE.EDU Mon Feb 3 22:38:30 2003 
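One way to implement the sender and Received-path checks Matt Kettler suggests for learn_spam@ / learn_nonspam@ submissions, as an added example that is not from the post or from either project. It assumes sendmail-style Received: headers, an internal network written as a dotted prefix, and a delivery rule that passes the recipient and envelope sender as arguments; all function and variable names are hypothetical and the sample message is constructed.

```shell
#!/bin/sh
# Added example, not part of MailScanner or SpamAssassin.
# learn_decision, first_received_ip, sample_msg, LOCAL_DOMAIN and
# TRUSTED_NET are hypothetical names.

LOCAL_DOMAIN="${LOCAL_DOMAIN:-mydomain.com}"  # domain from the post's example addresses
TRUSTED_NET="${TRUSTED_NET:-192.0.2.}"        # constructed internal prefix, trailing dot required

# Print the connecting IP recorded in the TOPMOST Received: header of the
# message on stdin. Only that header is written by our own MTA; every
# Received: line below it arrived with the message and can be forged.
# Assumes sendmail-style "from HELO (rdns [ip]) by host": the HELO string is
# sender-chosen and may itself be "[a.b.c.d]", so take the LAST bracketed
# address before " by ", not the first.
first_received_ip() {
    awk '
        /^$/ { exit }                                   # end of header block
        grab && /^[ \t]/ { sub(/^[ \t]+/, ""); hdr = hdr " " $0; next }
        grab { exit }                                   # topmost header complete
        tolower($0) ~ /^received:/ { grab = 1; hdr = $0 }
        END {
            cut = index(hdr, " by ")
            if (cut) hdr = substr(hdr, 1, cut - 1)
            ip = ""
            while (match(hdr, /\[[0-9.]+\]/)) {
                ip = substr(hdr, RSTART + 1, RLENGTH - 2)
                hdr = substr(hdr, RSTART + RLENGTH)
            }
            if (ip != "") print ip
        }'
}

# learn_decision RECIPIENT ENVELOPE_SENDER   (message on stdin)
# Prints "spam", "ham" or "reject"; returns non-zero on reject.
learn_decision() {
    rcpt=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    sender=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    ip=$(first_received_ip)

    case "$rcpt" in
        "learn_spam@$LOCAL_DOMAIN")    class=spam ;;
        "learn_nonspam@$LOCAL_DOMAIN") class=ham ;;
        *) echo reject; return 1 ;;
    esac
    case "$sender" in                       # sender check
        *@*@*) echo reject; return 1 ;;     # more than one "@"
        ?*"@$LOCAL_DOMAIN") ;;
        *) echo reject; return 1 ;;
    esac
    case "$ip" in                           # received-path check
        "$TRUSTED_NET"*) ;;
        *) echo reject; return 1 ;;         # external or missing address
    esac
    echo "$class"
}

# Constructed sample: $1 = HELO string, $2 = connecting IP. The second
# Received: line imitates a forged internal hop supplied by the sender.
sample_msg() {
    printf 'Received: from %s (pc.%s [%s])\n\tby mail.%s; Mon, 3 Feb 2003 22:00:00 GMT\n' \
        "$1" "$LOCAL_DOMAIN" "$2" "$LOCAL_DOMAIN"
    printf 'Received: from [192.0.2.77] by forged.example\n'
    printf 'Subject: constructed test\n\nbody\n'
}

# Entry point for a delivery rule: learn-gate.sh RECIPIENT ENVELOPE_SENDER < message
# Rejected submissions are dropped silently so nothing bounces to a forged sender.
if [ "$#" -eq 2 ]; then
    tmp=$(mktemp) || exit 75                # 75 = EX_TEMPFAIL, the MTA retries later
    trap 'rm -f "$tmp"' EXIT
    cat > "$tmp"
    if class=$(learn_decision "$1" "$2" < "$tmp"); then
        sa-learn "--$class" "$tmp"          # sa-learn ships with SpamAssassin 2.50 and later
    fi
fi
```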
From: brose at MED.WAYNE.EDU (Rose, Bobby) Date: Thu Jan 12 21:17:07 2006 Subject: New webmin module released. Version 0.3 Beta Message-ID: Under Notices to system administrators, there still needs to be a field for at least Send Notices. I think everything can be rule based so you might want to add fields to all the options that don't already have them. I use a rule for the Send Notices to filter out all notifications from external networks since I can only resolve virus infections on my own networks. -----Original Message----- 
From: Lush, Richard [mailto:Richard.Lush@HP.COM] Sent: Saturday, February 01, 2003 1:41 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: New webmin module released. Version 0.3 Beta Hi All, The newest version of the webmin module has been released. Change log for Version 0.3 Beta Fixed: Selecting default on some options deleted them. Fixed: Options with more than one space are not saved Fixed: Some options were not being saved when changed Added: Ruleset editor (Thanks to Craig Bates for the code) Added: New options for MailScanner 4.12 Change: Restart just restarts MailScanner and leaves sendmail running It can be downloaded from http://lushsoft.dyndns.org/mailscanner-webmin Regards, Richard Lush Consulting and Integration Security Practice Reading UK Email richard.lush@hp.com Mobile +44 (0) 7788 916941 Office +44 (0) 118 920 2349 Fax +44 (0) 118 920 4612 D I S C L A I M E R The information contained in this communication is intended solely for use by the individual or entity to whom it is addressed. Use of this communication by others is prohibited. HP is neither liable for the proper and complete transmission of the information contained in this communication nor for any delay in its receipt nor for any special, incidental or consequential damages of any nature whatsoever resulting from receipt or use of this communication. If you are not the intended recipient, you may not peruse, use, disseminate, distribute or copy this message. If you have received this message in error, please notify the sender immediately by email, facsimile or telephone and return or destroy the original message. Thank you. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030203/897903c9/attachment.html From JeremyE at BSA.CA.GOV Tue Feb 4 00:45:39 2003 
From: JeremyE at BSA.CA.GOV (Jeremy Evans)
Date: Thu Jan 12 21:17:07 2006
Subject: 4.12-2 Solaris buglet
Message-ID: <2739ECF7268CD0118F50080009DCC9F00235D2B6@pebble.bsa.ca.gov>

>OK, I'd be grateful if I could get at least one person on each
>non-Linux OS to try the attached version of check_mailscanner, and let
>me know:
>1) Does it work?

No, unless changes are made to the script (besides the obvious changes to the paths). Regardless of whether MailScanner is currently running, it will start a new process for it.

I modified the script, and I've gotten it to partially work. The only problem is that it occasionally will report a pid even when MailScanner isn't already running (and thus, not start it). This seems more common if you try to run check_mailscanner right after you've killed MailScanner's pid (even after making sure that MailScanner isn't running using ps -axww). I've attached the script, if you're interested in looking at it.

FWIW, The 4.12 check_mailscanner script works fine after the paths are changed appropriately, and I'm sticking to that.

>2) Your OS, with full version info.

OpenBSD 3.2, MailScanner 4.12

>3) If it didn't work, why not?

I'm guessing the reason it doesn't work without modification is because there is a space between $msbindir and $process in OpenBSD's ps -axww output, while in the check_mailscanner script there is a slash between them. Changing $msbindir/$process to $config seems to fix the problem.

>4) Exactly what output is coming from the ps command in question.

Output attached as ps.txt

>I did a fair bit of research into weird and wonderful OSes before I
>wrote this version, yet
>Julian tells me it still doesn't work on some; I'm guessing it's most
>likely that this will be
>non-current versions of SysV-descended UNIXes (that don't do POSIX
>right), but I
>really want to get it exactly right (with the minimum of guff in the
>script, too)...
I'd prefer to have a different check_mailscanner script for every OS (check_mailscanner.linux, check_mailscanner.solaris, etc.), with a link pointing to the appropriate one.

>
>Oh, don't forget to replace the PERL, GREP, AWK, config and msbindir
>settings with
>something appropriate for your installation.

In OpenBSD, uname is located in /usr/bin (as are perl, grep, and awk). Also, uname -s produces 'OpenBSD'.

Jeremy Evans
Information Systems Analyst
California State Auditor
916-445-0255 phone
916-322-7801 fax
-------------- next part --------------
  PID TT  STAT     TIME COMMAND
    1 ??  Is    0:00.14 /sbin/init
12424 ??  Is    0:03.13 syslogd
30112 ??  Is    0:00.08 inetd
17395 ??  Is    0:03.38 /usr/sbin/sshd
24565 ??  Is    0:45.65 sendmail: accepting connections (sendmail)
15132 ??  Is    0:05.89 sendmail: Queue runner@00:15:00 for /var/spool/mqueue (sendmail)
11453 ??  Is    0:02.54 cron
15541 ??  Is    0:00.05 /usr/bin/perl -I/opt/MailScanner/bin MailScanner /opt/MailScanner/etc/MailScanner.conf
12996 ??  I     0:05.65 /usr/bin/perl -I/opt/MailScanner/bin MailScanner /opt/MailScanner/etc/MailScanner.conf
24344 ??  I     0:05.64 /usr/bin/perl -I/opt/MailScanner/bin MailScanner /opt/MailScanner/etc/MailScanner.conf
 4022 ??  I     0:05.70 /usr/bin/perl -I/opt/MailScanner/bin MailScanner /opt/MailScanner/etc/MailScanner.conf
22424 ??  I     0:05.63 /usr/bin/perl -I/opt/MailScanner/bin MailScanner /opt/MailScanner/etc/MailScanner.conf
  597 ??  I     0:05.66 /usr/bin/perl -I/opt/MailScanner/bin MailScanner /opt/MailScanner/etc/MailScanner.conf
18440 C0  Is    0:00.07 -csh (csh)
12170 C0  I     0:01.31 ksh
11676 C0  R+    0:00.00 ps -awxx
17016 C1  Is    0:00.08 -csh (csh)
25597 C1  I+    0:00.47 ksh
17258 C2  Is+   0:00.02 /usr/libexec/getty Pc ttyC2
20495 C3  Is+   0:00.01 /usr/libexec/getty Pc ttyC3
25618 C5  Is+   0:00.01 /usr/libexec/getty Pc ttyC5
-------------- next part --------------
A non-text attachment was scrubbed...
Name: check_mailscanner
Type: application/octet-stream
Size: 2514 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030203/4b10f86b/check_mailscanner.obj

From mkettler at EVI-INC.COM Tue Feb 4 00:54:00 2003
From: mkettler at EVI-INC.COM (Matt Kettler)
Date: Thu Jan 12 21:17:07 2006
Subject: SpamAssassin spamc BSMTP Buffer Overflow
In-Reply-To: <5.2.0.9.2.20030203195806.0247ad00@imap.ecs.soton.ac.uk>
References: <1044301611.2040.97.camel@powell> <5.2.0.9.2.20030203185805.0245bd30@imap.ecs.soton.ac.uk> <5.2.0.9.2.20030203185805.0245bd30@imap.ecs.soton.ac.uk>
Message-ID: <5.1.1.6.0.20030203171505.01f733a0@192.168.50.2>

Agreed, as Julian said, MailScanner does not use spamc, and I'm pretty sure no version ever has.

And to add some more detail before someone leaps to conclusions and states that using the command-line spamassassin is slow compared to spamc, it doesn't use that either. MailScanner is written in perl, so it calls the perl Mail::SpamAssassin API directly without externally invoking either spamc or spamassassin.

If you do it right, calling SpamAssassin directly via its perl interface is substantially faster than either of the command-line methods of invoking it. See man Mail::SpamAssassin for details on the perl interface.

The only bug that might be relevant to MailScanner that's fixed in SA 2.44 over 2.43 is:

* Existing lowercase x-spam-status header kills SpamAssassin (Bug 1127).
http://bugzilla.spamassassin.org/show_bug.cgi?id=1127

But all of the spamc/libspamc fixes, and the stdout bug are not relevant to the methods of calling SpamAssassin used by MailScanner.

At 07:58 PM 2/3/2003 +0000, you wrote:
>See my previous answer.
>
>At 19:46 03/02/2003, you wrote:
>>Julian
>>
>> Does the configuration for MailScanner and SpamAssassin use spamc?
>>
>>
>>
>>Thanks
>>Darrin

From rybar at DATALOCK.SK Tue Feb 4 06:09:09 2003
From: rybar at DATALOCK.SK (Patrik Rybar) Date: Thu Jan 12 21:17:07 2006 Subject: mailscanner and rar attachments Message-ID: <3E3F5905.7010102@datalock.sk> Hi all, how can i handle problems with checking 'rar' attachments I have unrar on my system MessageID: PAA01460 Report: Could not check ./PAA01460/Firma2001.rar/Firma2001\FIRMA\PODNIK.DBF (format not supported) Could not check ./PAA01460/Firma2001.rar/Firma2001\FIRMA\PODNI2.DBF (format not supported) Could not check ./PAA01460/Firma2001.rar/Firma2001\FIRMA\PDP.DBF (format not supported) Could not check ./PAA01460/Firma2001.rar/Firma2001\FIRMA\KP.DBF (format not supported) Could not check ./PAA01460/Firma2001.rar/Firma2001\FIRMA\KP_PLAT.DBF (format not supported) Could not check ./PAA01460/Firma2001.rar/Firma2001\FIRMA\KZ.DBF (format not supported) Could not check ./PAA01460/Firma2001.rar/Firma2001\FIRMA\KZ_PLAT.DBF (format not supported) . . . Could not check ./PAA01460/Firma2001.rar/Firma2001\FIRMA\TBINIT.DBF (format not supported) Could not check ./PAA01460/Firma2001.rar (corrupt) patrik From mailscanner at ecs.soton.ac.uk Tue Feb 4 09:11:21 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:07 2006 Subject: mailscanner and rar attachments In-Reply-To: <3E3F5905.7010102@datalock.sk> Message-ID: <5.2.0.9.2.20030204091048.02a215a8@imap.ecs.soton.ac.uk> This is caused by Sophos not being able to scan inside RAR version 3 archives. This is a known problem, and Sophos are working on it. At 06:09 04/02/2003, you wrote: >Hi all, >how can i handle problems with checking 'rar' attachments >I have unrar on my system > >MessageID: PAA01460 > Report: Could not check > ./PAA01460/Firma2001.rar/Firma2001\FIRMA\PODNIK.DBF (format not supported) >Could not check ./PAA01460/Firma2001.rar/Firma2001\FIRMA\PODNI2.DBF >(format not supported) >Could not check ./PAA01460/Firma2001.rar/Firma2001\FIRMA\PDP.DBF (format >not supported) >Could not check ./PAA01460/Firma2001.rar/Firma2001\FIRMA\KP.DBF (format >not supported) >Could not check ./PAA01460/Firma2001.rar/Firma2001\FIRMA\KP_PLAT.DBF >(format not supported) >Could not check ./PAA01460/Firma2001.rar/Firma2001\FIRMA\KZ.DBF (format >not supported) >Could not check ./PAA01460/Firma2001.rar/Firma2001\FIRMA\KZ_PLAT.DBF >(format not supported) >. >. >. >Could not check ./PAA01460/Firma2001.rar/Firma2001\FIRMA\TBINIT.DBF >(format not supported) >Could not check ./PAA01460/Firma2001.rar (corrupt) > >patrik -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Tue Feb 4 09:19:25 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:07 2006
Subject: 4.12-2 Solaris buglet
In-Reply-To: <2739ECF7268CD0118F50080009DCC9F00235D2B6@pebble.bsa.ca.gov>
Message-ID: <5.2.0.9.2.20030204091418.04135ed0@imap.ecs.soton.ac.uk>

At 00:45 04/02/2003, you wrote:
> >1) Does it work?
>
>No, unless changes are made to the script (besides the obvious changes
>to the paths). Regardless of whether MailScanner is currently running, it
>will start a new process for it.

I'll get back to you on that.

>I modified the script, and I've gotten it to partially work. The only
>problem is that it occasionally will report a pid even when MailScanner
>isn't already running (and thus, not start it). This seems more common if
>you try to run check_mailscanner right after you've killed MailScanner's pid

MailScanner can easily take 4 seconds to die properly. The "parent" process gives the children 3 seconds to die gracefully and clear up after themselves before it does the final clearup and exits itself. The init.d script in the RPM distributions contains a "sleep 5" in the middle of the restart code to handle this.
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From rybar at DATALOCK.SK Tue Feb 4 09:29:31 2003
From: rybar at DATALOCK.SK (Patrik Rybar)
Date: Thu Jan 12 21:17:07 2006
Subject: mailscanner and rar attachments
In-Reply-To: <5.2.0.9.2.20030204091048.02a215a8@imap.ecs.soton.ac.uk>
References: <5.2.0.9.2.20030204091048.02a215a8@imap.ecs.soton.ac.uk>
Message-ID: <3E3F87FB.3090000@datalock.sk>

Julian Field wrote:
> This is caused by Sophos not being able to scan inside RAR version 3
> archives. This is a known problem, and Sophos are working on it.
>

and multi volume arj too :-(
thanks
>

From linux at mostert.nom.za Tue Feb 4 11:57:19 2003
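For the check_mailscanner exchange in the "4.12-2 Solaris buglet" thread above, an added example (not the project's check_mailscanner script) that runs both match patterns over an excerpt of the posted OpenBSD listing and replaces the fixed "sleep 5" with a poll. The two extra listings, the BSD column layout and the helper names are assumptions constructed here.

```shell
#!/bin/sh
# Paths as they appear in the ps listing attached to the post.
msbindir=/opt/MailScanner/bin
process=MailScanner
config=/opt/MailScanner/etc/MailScanner.conf

# Excerpt of that OpenBSD 3.2 listing (columns re-spaced).
ps_sample() {
cat <<'EOF'
  PID TT  STAT     TIME COMMAND
24565 ??  Is    0:45.65 sendmail: accepting connections (sendmail)
15541 ??  Is    0:00.05 /usr/bin/perl -I/opt/MailScanner/bin MailScanner /opt/MailScanner/etc/MailScanner.conf
12996 ??  I     0:05.65 /usr/bin/perl -I/opt/MailScanner/bin MailScanner /opt/MailScanner/etc/MailScanner.conf
24344 ??  I     0:05.64 /usr/bin/perl -I/opt/MailScanner/bin MailScanner /opt/MailScanner/etc/MailScanner.conf
11676 C0  R+    0:00.00 ps -awxx
EOF
}

# Constructed: the same listing plus the checker's own grep, which also
# carries the config path on its command line.
ps_with_checker() {
    ps_sample
    echo "31000 C0  R+    0:00.00 grep /opt/MailScanner/etc/MailScanner.conf"
}

# Constructed: listing once MailScanner has fully exited.
ps_idle() {
cat <<'EOF'
  PID TT  STAT     TIME COMMAND
24565 ??  Is    0:45.65 sendmail: accepting connections (sendmail)
EOF
}

# Count lines containing a fixed string (no regex surprises from the dots
# in the paths).
count_fixed() {
    awk -v s="$1" 'index($0, s) { n++ } END { print n + 0 }'
}

# PIDs of perl processes whose arguments are "$process $config".
# Assumes the BSD layout above, where the command starts in field 5.
# Requiring perl there keeps "grep ...MailScanner.conf" out of the result.
mailscanner_pids() {
    awk -v p="$process" -v c="$config" '
        NR > 1 && $5 ~ /perl$/ {
            for (i = 6; i < NF; i++)
                if ($i == p && $(i + 1) == c) { print $1; break }
        }'
}

# Poll until no MailScanner process is left, instead of a fixed sleep.
# $1 = command that prints a ps listing, $2 = number of polls,
# $3 = seconds between polls. Returns 1 if processes are still present.
wait_until_gone() {
    tries=0
    while [ "$tries" -lt "$2" ]; do
        [ -z "$($1 | mailscanner_pids)" ] && return 0
        tries=$((tries + 1))
        sleep "$3"
    done
    return 1
}

echo "\$msbindir/\$process matches: $(ps_sample | count_fixed "$msbindir/$process")"
echo "\$config matches:            $(ps_with_checker | count_fixed "$config")"
echo "MailScanner pids:           $(ps_with_checker | mailscanner_pids | tr '\n' ' ')"
```

On a live host the listing functions would be replaced by the real `ps -axww` call; a watchdog that runs `wait_until_gone` with about five one-second polls covers the 4 seconds Julian describes without racing the dying children.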
From: linux at mostert.nom.za (Mozzi)
Date: Thu Jan 12 21:17:07 2006
Subject: Initial research
Message-ID: <200302041357.19605.linux@mostert.nom.za>

This is my first post to this list.
So hallo everyone.

I am just starting my research on virus scanners and I have decided on mailscanner, looks great.

I was wondering about a few things that are not immediately obvious from the documentation.
Has anyone here tried sophie for scanning?
How do I handle different domains on different servers (mailhub)? Will I have to do that from postfix/sendmail or will mailscanner handle it?
What other opensource virus scanners are available and which one is the best ?

Tnx again
Mozzi

From mailscanner at ecs.soton.ac.uk Tue Feb 4 12:17:13 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:07 2006
Subject: Initial research
In-Reply-To: <200302041357.19605.linux@mostert.nom.za>
Message-ID: <5.2.0.9.2.20030204121059.0540edd0@imap.ecs.soton.ac.uk>

At 11:57 04/02/2003, you wrote:
>This is my first post to this list.
>So hallo everyone.
>
>I am just starting my research on virus scanners and I have decided on
>mailscanner, looks great.
>
>I was wondering about a few things that are not immediately obvious from the
>documentation.
>Has anyone here tried sophie for scanning?

No. As MailScanner only starts up the virus scanning engine once for each *batch* of messages, rather than for every message (which is how certain products I could mention do it), Sophie doesn't actually help. It also increases a single point of failure. If Sophie dies or locks up, what can MailScanner do about it? MailScanner is designed to be as robust as possible. My MailScanner servers run for months on end with no intervention whatsoever.

>How do I handle different domains on different servers (mailhub)? Will I have
>to do that from postfix/sendmail or will mailscanner handle it?

MailScanner can happily handle completely different settings for thousands of domains at the same time. This can all be done on a per-domain, per-user and per-just-about-anything-you-can-think-of basis. How you choose to arrange your mail system is entirely up to you. Get your sendmail/Exim configuration working the way you want it, then simply install MailScanner over the top of it. No sendmail.cf changes required at all. MailScanner doesn't deliver mail or provide SMTP service itself, there are already other packages that are very good at that (e.g. sendmail and Exim). I don't do anything which would be better done elsewhere, it results in a far more robust system.

>What other opensource virus scanners are available and which one is the best ?

The only open source virus scanning engine is Clam.
My opinion of that is improving :-)
One of the cheapest and one of the better commercial scanning engines is F-Prot, as they and RAV charge per *server* instead of per *user*.
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From P.G.M.Peters at civ.utwente.nl Tue Feb 4 13:21:13 2003
From: P.G.M.Peters at civ.utwente.nl (Peter Peters)
Date: Thu Jan 12 21:17:07 2006
Subject: ANNOUNCE: Version 4.12-1 released
In-Reply-To: <5.2.0.9.2.20030201144354.02938ed0@imap.ecs.soton.ac.uk>
References: <5.2.0.9.2.20030201135648.027913c8@imap.ecs.soton.ac.uk> <5.2.0.9.2.20030201144354.02938ed0@imap.ecs.soton.ac.uk>
Message-ID:

On Sat, 1 Feb 2003 14:45:35 +0000, you wrote:

>I have not changed any of the supporting modules this time around, so if
>you are upgrading from a very recent version you just need to upgrade the
>mailscanner*rpm. But running the install.sh won't do any harm...

This was my first rpm-based upgrade and I have had some problems. The updated files in /etc/MailScanner have nice .rpmnew files next to them. But the upgrade just replaced /etc/sysconfig/MailScanner and /etc/rc.d/MailScanner without any hesitation. And it changed the owner of /var/spool/mqueue.in and subdirs of /var/spool/MailScanner. Because I run MailScanner as user mail I can't get to those spool-dirs anymore. :-(

--
Peter Peters
senior network administrator
Centrum voor InformatieTechnologie, Bibliotheek en Educatie
Universiteit Twente, Postbus 217, 7500 AE Enschede
telephone: +31 53 489 2301, fax:+31 53 489 2383, http://www.utwente.nl/civ

From mailscanner at ecs.soton.ac.uk Tue Feb 4 13:39:44 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:08 2006
Subject: ANNOUNCE: Version 4.12-1 released
In-Reply-To:
References: <5.2.0.9.2.20030201144354.02938ed0@imap.ecs.soton.ac.uk> <5.2.0.9.2.20030201135648.027913c8@imap.ecs.soton.ac.uk> <5.2.0.9.2.20030201144354.02938ed0@imap.ecs.soton.ac.uk>
Message-ID: <5.2.0.9.2.20030204133658.07d562a8@imap.ecs.soton.ac.uk>

At 13:21 04/02/2003, you wrote:
>On Sat, 1 Feb 2003 14:45:35 +0000, you wrote:
>
> >I have not changed any of the supporting modules this time around, so if
> >you are upgrading from a very recent version you just need to upgrade the
> >mailscanner*rpm. But running the install.sh won't do any harm...
>
>This was my first rpm-based upgrade and I have had some problems. The
>updated files in /etc/MailScanner have nice .rpmnew files next to them.
>But the upgrade just replaced /etc/sysconfig/MailScanner and
>/etc/rc.d/MailScanner without any hesitation.

Fixed. Thanks for spotting that.

> And it changed the owner
>of /var/spool/mqueue.in and subdirs of /var/spool/MailScanner.

Not quite sure how to solve that one. I might have to try having config "directories" as well as config files, but I'm not convinced yet. Will work on that.

>Because I run MailScanner as user mail I can't get to those spool-dirs
>anymore. :-(

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From brandonf at BFCONSULT.CO.ZA Tue Feb 4 13:53:06 2003
From: brandonf at BFCONSULT.CO.ZA (Brandon Friedman)
Date: Thu Jan 12 21:17:08 2006
Subject: New webmin module released. Version 0.3 Beta
In-Reply-To:
Message-ID: <001801c2cc54$d4d679a0$e55f7ca0@brandonnb>

Does this webmin module only work for 4.x?

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@jiscmail.ac.uk] On Behalf Of Rose, Bobby Sent: 04 February 2003 00:39 To: MAILSCANNER@jiscmail.ac.uk Subject: Re: New webmin module released. Version 0.3 Beta Under Notices to system administrators, there still needs to be a field for at least Send Notices. I think everything can be rule based so you might want to add fields to all the options that don't already have them. I use a rule for the Send Notices to filter out all notifications from external networks since I can only resolve virus infections on my own networks. -----Original Message----- 
From: Lush, Richard [mailto:Richard.Lush@HP.COM] Sent: Saturday, February 01, 2003 1:41 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: New webmin module released. Version 0.3 Beta Hi All, The newest version of the webmin module has been released. Change log for Version 0.3 Beta Fixed: Selecting default on some options deleted them. Fixed: Options with more than one space are not saved Fixed: Some options were not being saved when changed Added: Ruleset editor (Thanks to Craig Bates for the code) Added: New options for MailScanner 4.12 Change: Restart just restarts MailScanner and leaves sendmail running It can be downloaded from http://lushsoft.dyndns.org/mailscanner-webmin Regards, Richard Lush Consulting and Integration Security Practice Reading UK Email richard.lush@hp.com Mobile +44 (0) 7788 916941 Office +44 (0) 118 920 2349 Fax +44 (0) 118 920 4612
From brose at MED.WAYNE.EDU Tue Feb 4 14:31:41 2003
From: brose at MED.WAYNE.EDU (Rose, Bobby)
Date: Thu Jan 12 21:17:08 2006
Subject: New webmin module released. Version 0.3 Beta
Message-ID:

I'd say yes because the Mailscanner files are different between the 3 and 4 plus it came out after 4.x which is a lot better than 3.

-----Original Message-----
From: Brandon Friedman [mailto:brandonf@BFCONSULT.CO.ZA]
Sent: Tuesday, February 04, 2003 8:53 AM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: New webmin module released. Version 0.3 Beta

Does this webmin module only work for 4.x?

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@jiscmail.ac.uk] On Behalf Of Rose, Bobby
Sent: 04 February 2003 00:39
To: MAILSCANNER@jiscmail.ac.uk
Subject: Re: New webmin module released. Version 0.3 Beta

Under Notices to system administrators, there still needs to be a field for at least Send Notices. I think everything can be rule based so you might want to add fields to all the options that don't already have them. I use a rule for the Send Notices to filter out all notifications from external networks since I can only resolve virus infections on my own networks.

-----Original Message-----
From: Lush, Richard [mailto:Richard.Lush@HP.COM] Sent: Saturday, February 01, 2003 1:41 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: New webmin module released. Version 0.3 Beta Hi All, The newest version of the webmin module has been released. Change log for Version 0.3 Beta Fixed: Selecting default on some options deleted them. Fixed: Options with more than one space are not saved Fixed: Some options were not being saved when changed Added: Ruleset editor (Thanks to Craig Bates for the code) Added: New options for MailScanner 4.12 Change: Restart just restarts MailScanner and leaves sendmail running It can be downloaded from http://lushsoft.dyndns.org/mailscanner-webmin Regards, Richard Lush Consulting and Integration Security Practice Reading UK Email richard.lush@hp.com Mobile +44 (0) 7788 916941 Office +44 (0) 118 920 2349 Fax +44 (0) 118 920 4612
From richard.lush at HP.COM Tue Feb 4 14:52:01 2003
From: richard.lush at HP.COM (Richard Lush) Date: Thu Jan 12 21:17:08 2006 Subject: New webmin module released. Version 0.3 Beta In-Reply-To: <001801c2cc54$d4d679a0$e55f7ca0@brandonnb> References: <001801c2cc54$d4d679a0$e55f7ca0@brandonnb> Message-ID: <1044370321.1167.3.camel@vader> On Tue, 2003-02-04 at 13:53, Brandon Friedman wrote: > Does this webmin module only work for 4.x? Yes. I've only written it to work with 4.x MailScanner.conf. Richard > -----Original Message----- > From: MailScanner mailing list > [mailto:MAILSCANNER@jiscmail.ac.uk] On Behalf Of Rose, Bobby > Sent: 04 February 2003 00:39 > To: MAILSCANNER@jiscmail.ac.uk > Subject: Re: New webmin module released. Version 0.3 Beta > > > Under Notices to system administrators, there still needs to > be a field for at least Send Notices. I think everything can > be rule based so you might want to add fields to all the > options that don't already have them. I use a rule for the > Send Notices to filter out all notifications from external > networks since I can only resolve virus infections on my own > networks. > -----Original Message----- 
> From: Lush, Richard [mailto:Richard.Lush@HP.COM] > Sent: Saturday, February 01, 2003 1:41 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: New webmin module released. Version 0.3 Beta > > > > Hi All, > > The newest version of the webmin module has been > released. > > Change log for Version 0.3 Beta > Fixed: Selecting default on some options deleted them. > Fixed: Options with more than one space are not saved > Fixed: Some options were not being saved when changed > Added: Ruleset editor (Thanks to Craig Bates for the > code) > Added: New options for MailScanner 4.12 > Change: Restart just restarts MailScanner and leaves > sendmail running > > It can be downloaded from > http://lushsoft.dyndns.org/mailscanner-webmin > > Regards, > > Richard Lush > > Consulting and Integration > Security Practice > Reading UK > Email richard.lush@hp.com > Mobile +44 (0) 7788 916941 > Office +44 (0) 118 920 2349 > Fax +44 (0) 118 920 4612
-- Richard Lush
From dbowen1 at MAC.COM Tue Feb 4 15:28:05 2003
From: dbowen1 at MAC.COM (Daniel Bowen)
Date: Thu Jan 12 21:17:08 2006
Subject: Notices not being sent to postmaster
Message-ID: <1635839.1044372485854.JavaMail.dbowen1@mac.com>

Hello, any suggestions for why MailScanner is not sending mail to the postmaster, though I believe I've done all the proper settings for it. I am including a segment of MailScanner.conf and the Mail.log:

Thanks,
Dan Bowen
Oak Ridge Schools
Oak Ridge, TN

MailScanner.conf

# Notify the local system administrators ("Notices To") when any infections
# are found?
# This can also be the filename of a ruleset.
Send Notices = yes

# Include the full headers of each message in the notices sent to the local
# system administrators?
# This can also be the filename of a ruleset.
Notices Include Full Headers = yes

# Where to send the notices.
# This can also be the filename of a ruleset.
Notices To = postmaster@ortn.edu

# Address of the local Postmaster, which is used as the "From" address in
# virus warnings sent to users.
# This can also be the filename of a ruleset.
Local Postmaster = postmaster@ortn.edu

Mail.log:

Feb 4 10:11:38 mail MailScanner[549]: /private/var/spool/MailScanner/incoming/549/./h14FBYZR000990/kitty.exe: Worm/Klez.H FOUND
Feb 4 10:11:38 mail MailScanner[549]: Virus Scanning: clamav found 1 infections
Feb 4 10:11:38 mail MailScanner[549]: Virus Scanning: Found 1 viruses
Feb 4 10:11:38 mail MailScanner[549]: Filename Checks: Windows/DOS Executable (kitty.exe)
Feb 4 10:11:38 mail MailScanner[549]: Other Checks: Found 1 problems
Feb 4 10:11:38 mail MailScanner[549]: Silent: Delivered 1 messages containing silent viruses
Feb 4 10:11:38 mail sendmail[995]: NOQUEUE: 0: fl=0x0, mode=20666: CHR: dev=2/8295364, ino=43122308, nlink=1, u/gid=0/0, size=0
Feb 4 10:11:38 mail sendmail[995]: NOQUEUE: 1: fl=0x0, mode=100644: dev=14/6, ino=3124312, nlink=1, u/gid=0/0, size=9717
Feb 4 10:11:38 mail sendmail[995]: NOQUEUE: 3: fl=0x2, mode=140000: SOCK [0]->[[UNIX: /var/run/syslog]]
Feb 4 10:11:38 mail sendmail[996]: NOQUEUE: 0: fl=0x0, mode=140000: SOCK [0]->(Socket is not connected)
Feb 4 10:11:38 mail sendmail[996]: NOQUEUE: 1: fl=0x0, mode=100644: dev=14/6, ino=3124312, nlink=1, u/gid=0/0, size=9717
Feb 4 10:11:38 mail sendmail[996]: NOQUEUE: 3: fl=0x2, mode=140000: SOCK [0]->[[UNIX: /var/run/syslog]]
Feb 4 10:11:38 mail MailScanner[549]: Notices: Warned about 1 messages

From mailscanner at ecs.soton.ac.uk Tue Feb 4 15:29:21 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:08 2006
Subject: Notices not being sent to postmaster
In-Reply-To: <1635839.1044372485854.JavaMail.dbowen1@mac.com>
Message-ID: <5.2.0.9.2.20030204152817.02a989a0@imap.ecs.soton.ac.uk>

At 15:28 04/02/2003, you wrote:
>Hello, any suggestions for why MailScanner is not sending mail to the
>postmaster, though I believe I've done all the proper settings for it. I
>am including a segment of MailScanner.conf and the Mail.log:

The maillog shows that it is indeed trying to send the messages. Have you got any email filters in place catching mail from MailScanner? This is quite a common mistake (your notices turn up in your mailing list folder).

>Thanks,
>Dan Bowen
>Oak Ridge Schools
>Oak Ridge, TN
>
>MailScanner.conf
>
># Notify the local system administrators ("Notices To") when any infections
># are found?
># This can also be the filename of a ruleset.
>Send Notices = yes
>
># Include the full headers of each message in the notices sent to the local
># system administrators?
># This can also be the filename of a ruleset.
>Notices Include Full Headers = yes
>
># Where to send the notices.
># This can also be the filename of a ruleset.
>Notices To = postmaster@ortn.edu
>
># Address of the local Postmaster, which is used as the "From" address in
># virus warnings sent to users.
># This can also be the filename of a ruleset.
>Local Postmaster = postmaster@ortn.edu > > > >Mail.log: > >Feb 4 10:11:38 mail MailScanner[549]: >/private/var/spool/MailScanner/incoming/549/./h14FBYZR000990/kitty.exe: >Worm/Klez.H FOUND >Feb 4 10:11:38 mail MailScanner[549]: Virus Scanning: clamav found 1 >infections >Feb 4 10:11:38 mail MailScanner[549]: Virus Scanning: Found 1 viruses >Feb 4 10:11:38 mail MailScanner[549]: Filename Checks: Windows/DOS >Executable (kitty.exe) >Feb 4 10:11:38 mail MailScanner[549]: Other Checks: Found 1 problems >Feb 4 10:11:38 mail MailScanner[549]: Silent: Delivered 1 messages >containing silent viruses >Feb 4 10:11:38 mail sendmail[995]: NOQUEUE: 0: fl=0x0, mode=20666: CHR: >dev=2/8295364, ino=43122308, nlink=1, u/gid=0/0, size=0 >Feb 4 10:11:38 mail sendmail[995]: NOQUEUE: 1: fl=0x0, mode=100644: >dev=14/6, ino=3124312, nlink=1, u/gid=0/0, size=9717 >Feb 4 10:11:38 mail sendmail[995]: NOQUEUE: 3: fl=0x2, mode=140000: >SOCK [0]->[[UNIX: /var/run/syslog]] >Feb 4 10:11:38 mail sendmail[996]: NOQUEUE: 0: fl=0x0, mode=140000: >SOCK [0]->(Socket is not connected) >Feb 4 10:11:38 mail sendmail[996]: NOQUEUE: 1: fl=0x0, mode=100644: >dev=14/6, ino=3124312, nlink=1, u/gid=0/0, size=9717 >Feb 4 10:11:38 mail sendmail[996]: NOQUEUE: 3: fl=0x2, mode=140000: >SOCK [0]->[[UNIX: /var/run/syslog]] >Feb 4 10:11:38 mail MailScanner[549]: Notices: Warned about 1 messages -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From billa at STERLING.NET Tue Feb 4 16:57:29 2003 
From: billa at STERLING.NET (Bill Anderson)
Date: Thu Jan 12 21:17:08 2006
Subject: Order of processing high spam...
Message-ID:

I have a quick question about order of processing based on regular spam
score and high spam score.

If I have regular spam processing to do the following:

To: default deliver
To: bob@cc.com bounce

And a high spam processing to do the following:

To: default deliver striphtml

Will any spam that has a high score get delivered to bob@cc.com or does the
bounce in the regular spam score take precedence over the high spam score?

Thanks.

From mailscanner at ecs.soton.ac.uk Tue Feb 4 17:01:27 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:08 2006
Subject: Order of processing high spam...
In-Reply-To:
Message-ID: <5.2.0.9.2.20030204170009.05b2e338@imap.ecs.soton.ac.uk>

At 16:57 04/02/2003, you wrote:
>I have a quick question about order of processing based on regular spam
>score and high spam score.
>
>If I have regular spam processing to do the following:
>
>To: default deliver
>To: bob@cc.com bounce
>
>And a high spam processing to do the following:
>
>To: default deliver striphtml
>
>Will any spam that has a high score get delivered to bob@cc.com

Yes.

> or does the
>bounce in the regular spam score take precedence over the high spam score?

No. High Scoring spam will only do the high-scoring actions.
Low Scoring spam will only do the low-scoring actions.

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From sailer at BNL.GOV Tue Feb 4 17:02:10 2003
From: sailer at BNL.GOV (Tim Sailer)
Date: Thu Jan 12 21:17:08 2006
Subject: Processing large email
Message-ID: <20030204170210.GA28379@bnl.gov>

I've been using mailscanner with great success for a while, but
every once in a while, the mail queue seems to jam up. Investigation
shows that it's large emails, either attachments, or just text,
but 100MB+. Is there any way (running exim) to either push this
off to another queue, or give the large email a low priority, so
it doesn't get scanned until there's nothing left to do?

Tim

--
Tim Sailer
Application Services
Information Technology Division
Brookhaven National Laboratory (631) 344-3001

From RHerban at GRAMTEL.NET Tue Feb 4 17:09:51 2003
From: RHerban at GRAMTEL.NET (Randy Herban)
Date: Thu Jan 12 21:17:08 2006
Subject: Processing large email
Message-ID:

One suggestion is to have sendmail cap attachment sizes at some arbitrary
number. Unless of course you need files this large for whatever reason.

-Randy

-----Original Message-----
From: Tim Sailer [mailto:sailer@BNL.GOV]
Sent: Tuesday, February 04, 2003 12:02 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Processing large email

I've been using mailscanner with great success for a while, but
every once in a while, the mail queue seems to jam up. Investigation
shows that it's large emails, either attachments, or just text,
but 100MB+. Is there any way (running exim) to either push this
off to another queue, or give the large email a low priority, so
it doesn't get scanned until there's nothing left to do?

Tim

--
Tim Sailer
Application Services
Information Technology Division
Brookhaven National Laboratory (631) 344-3001

From RHerban at GRAMTEL.NET Tue Feb 4 17:12:46 2003
From: RHerban at GRAMTEL.NET (Randy Herban)
Date: Thu Jan 12 21:17:08 2006
Subject: Outbound and Inbound mail on same server
Message-ID:

I'm curious to see everyone's reactions to this subject. I know it was
brought up several weeks ago but it was brought up as a 'Should I scan
outbound mail' question, which is completely valid, but I want to take it a
step further. And I apologize now if this is considered off-topic to the
mailscanner mailing list. I feel it relevant as I am beginning to
standardize on MailScanner for all my machines that accept incoming mail and
want to know the best way to position servers and others' experience with
the similar task. Maybe I'll answer my own question and convince myself in
the process of this email, but I continue.

Background:
We support mail accounts for several tens of thousand customers. The
majority of the mail we deal with is spam coming into our accounts
using dictionary attacks or the like. With this in mind, the majority
of the mail in the Outgoing queue at any time are MAILER-DAEMON
messages with bounce-backs of user unknowns trying to send mail to a
host that doesn't accept mail.

The major offenders I notice I add to our access file so sendmail will block
them with a 550. This helps to lessen the load on mailscanner. Another item
I have done is shorten the timeouts within sendmail so that mail that could
not be sent after 4 days was discarded, is now discarded after 6 hours. I
have also added RBL blocking into sendmail itself. If someone tries to do a
dictionary spam attack on 1000 users, it would have mailscanner and
spamassassin and sophos scanning 1000 messages. If I get lucky and they are
already blocked via an RBL, then MS doesn't have to deal with it to begin
with.

With this in mind, should I have outbound smtp traffic hitting my
MailScanner machines or set it up on a separate server all together.
Probably 95% of outbound traffic is legit and bound for someone who does
exist at a domain that does exist. So outbound mail usually only takes a few
seconds to deliver.

Those customers of ours that get a virus would be safe and the virus would
not spread. From what I have seen of the Klez, it creates a direct outbound
connection to the receiving mail server, bypassing the specified smtp
server. Is this a growing trend or highly successful coincidence?

Whomever wants to send spam from their dialup will probably be using their
own mail server or hijacked servers in other countries. But the 1 or 2 who
try to send mail through my server would, depending on the spamassassin
scoring, be blocked. This isn't enough to justify scanning all outbound
traffic, however.

The main reason I am concerned with scanning outbound traffic is that our
customers need to have near-100% availability to a SMTP server. With
Mailscanner the load tends to be artificially high and could have sendmail
to reject connections. Other thing to consider is that when the queues build
up high enough, it takes extra time to sort through the mail queues and
subsequently for sendmail to respond. I know Julian has implemented multiple
queues for both incoming and outgoing mail, but I have not had a chance to
configure this. It is built into the RFC for mail traffic that it will retry
if a connection has failed, so my MX boxes can reject connections and I
would not be concerned. But with customers trying to sendmail through the
same host, it causes problems if it is rejecting.

Is there another possibility that I have overlooked? Any other suggestions
or comments are appreciated and hopefully can help everyone, maybe even just
a little bit.

-Randy

From mailscanner at ecs.soton.ac.uk Tue Feb 4 17:15:34 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:08 2006
Subject: Processing large email
In-Reply-To: <20030204170210.GA28379@bnl.gov>
Message-ID: <5.2.0.9.2.20030204171411.05cbfed8@imap.ecs.soton.ac.uk>

At 17:02 04/02/2003, you wrote:
>I've been using mailscanner with great success for a while, but
>every once in a while, the mail queue seems to jam up. Investigation
>shows that it's large emails, either attachments, or just text,
>but 100MB+. Is there any way (running exim) to either push this
>off to another queue, or give the large email a low priority, so
>it doesn't get scanned until there's nothing left to do?

A large email will only block up one of the child processes. The others
will continue scanning other mail. If you run with the default 5 children,
then you would have to have 5 huge mails turn up at *exactly* the right
moments so as to block all 5 children.

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From sailer at BNL.GOV Tue Feb 4 17:20:36 2003
From: sailer at BNL.GOV (Tim Sailer)
Date: Thu Jan 12 21:17:08 2006
Subject: Processing large email
In-Reply-To:
References:
Message-ID: <20030204172036.GA30025@bnl.gov>

On Tue, Feb 04, 2003 at 12:09:51PM -0500, Randy Herban wrote:
> One suggestion is to have sendmail cap attachment sizes at some arbitrary
> number. Unless of course you need files this large for whatever reason.

Well, we are doing that, but it's still a large number. We have people
that think email is the universal file transport medium...

Tim

--
Tim Sailer
Application Services
Information Technology Division
Brookhaven National Laboratory (631) 344-3001

From sailer at BNL.GOV Tue Feb 4 17:22:13 2003
From: sailer at BNL.GOV (Tim Sailer)
Date: Thu Jan 12 21:17:08 2006
Subject: Processing large email
In-Reply-To: <5.2.0.9.2.20030204171411.05cbfed8@imap.ecs.soton.ac.uk>
References: <20030204170210.GA28379@bnl.gov> <5.2.0.9.2.20030204171411.05cbfed8@imap.ecs.soton.ac.uk>
Message-ID: <20030204172213.GB30025@bnl.gov>

On Tue, Feb 04, 2003 at 05:15:34PM +0000, Julian Field wrote:
> At 17:02 04/02/2003, you wrote:
> >I've been using mailscanner with great success for a while, but
> >every once in a while, the mail queue seems to jam up. Investigation
> >shows that it's large emails, either attachments, or just text,
> >but 100MB+. Is there any way (running exim) to either push this
> >off to another queue, or give the large email a low priority, so
> >it doesn't get scanned until there's nothing left to do?
>
> A large email will only block up one of the child processes. The others
> will continue scanning other mail. If you run with the default 5 children,
> then you would have to have 5 huge mails turn up at *exactly* the right
> moments so as to block all 5 children.

It happens, trust me. I'm graphing mail latency, and sometimes the
latency goes up to 40+ minutes. :(

Tim

--
Tim Sailer
Application Services
Information Technology Division
Brookhaven National Laboratory (631) 344-3001

From David.Sullivan at BARNET.AC.UK Tue Feb 4 17:45:31 2003
From: David.Sullivan at BARNET.AC.UK (David Sullivan)
Date: Thu Jan 12 21:17:08 2006
Subject: Outbound and Inbound mail on same server
In-Reply-To:
Message-ID:

On 4 Feb 2003 at 12:12, Randy Herban wrote:

>
> Background:
> We support mail accounts for several tens of thousand customers. The
> majority of the mail we deal with is spam coming into our accounts
> using dictionary attacks or the like. With this in mind, the majority
> of the mail in the Outgoing queue at any time are MAILER-DAEMON
> messages with bounce-backs of user unknowns trying to send mail to a
> host that doesn't accept mail.
>

If you're running a mail server that acts as a "gateway" mail server
like this it might be worth looking at exim, I'm not intending to
start an MTA war with such a comment but this is very easy to do with
exim 4 acls which can reject a message at the SMTP stage if recipient
callout checks determine that the address isn't valid. I don't
believe that sendmail can do similar but I couldn't say for sure.

Relevant section of the manual:

http://www.exim.org/exim-html-4.10/doc/html/spec_37.html#IX1724

The section mentioning resource usage is probably less of a problem now
since caching for these callouts was included in 4.11 but the
documentation has not yet been updated.

If you're then not accepting these messages to users that don't exist
and not scanning them or trying to send bounce messages this might
resolve some loading issues.

Regards.

David

==============================================================
This communication may contain privileged or confidential information
which is for the exclusive use of the intended recipient. If you are not
the intended recipient, please note that you may not distribute or use
this communication or the information it contains. If this e-mail has
reached you in error, please delete it and any attachment. Internet
communications are not secure and Barnet College does not accept legal
responsibility for the content of this message. Any views or opinions
expressed are those of the author and not necessarily those of Barnet
College. Please note that Barnet College reserves the right to monitor
the source/destinations of all incoming or outgoing e-mail communications.
==============================================================

From RHerban at GRAMTEL.NET Tue Feb 4 18:02:55 2003
From: RHerban at GRAMTEL.NET (Randy Herban)
Date: Thu Jan 12 21:17:08 2006
Subject: Outbound and Inbound mail on same server
Message-ID:

Not that I have anything against Exim, I have never touched it. But from
what I have seen with other MTAs (postfix and dmail mainly) is they have
very poor queue management. Sometimes the only notification of a problem is
items in the queue and reasons why they can't be sent. Neither of the two
programs I mentioned allow you to do some of the things you can do with
sendmail and its queues.

Quick shell script to delete all mailq items from a certain domain (say,
used to spam messages).

Easy way to count/sort the items in mailq to determine which domains have
the most in queue.

Process all mail in queue destined/from a certain domain.

Items like this tend to drive me back to 'old faithful'. Ugly as sendmail
is, it has ALWAYS proven itself time and time again to help get the job
done.

Randy

-----Original Message-----
From: David Sullivan [mailto:David.Sullivan@BARNET.AC.UK]
Sent: Tuesday, February 04, 2003 12:46 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Outbound and Inbound mail on same server

On 4 Feb 2003 at 12:12, Randy Herban wrote:

>
> Background:
> We support mail accounts for several tens of thousand customers. The
> majority of the mail we deal with is spam coming into our accounts
> using dictionary attacks or the like. With this in mind, the majority
> of the mail in the Outgoing queue at any time are MAILER-DAEMON
> messages with bounce-backs of user unknowns trying to send mail to a
> host that doesn't accept mail.
>

If you're running a mail server that acts as a "gateway" mail server
like this it might be worth looking at exim, I'm not intending to
start an MTA war with such a comment but this is very easy to do with
exim 4 acls which can reject a message at the SMTP stage if recipient
callout checks determine that the address isn't valid. I don't
believe that sendmail can do similar but I couldn't say for sure.

Relevant section of the manual:

http://www.exim.org/exim-html-4.10/doc/html/spec_37.html#IX1724

The section mentioning resource usage is probably less of a problem now
since caching for these callouts was included in 4.11 but the
documentation has not yet been updated.

If you're then not accepting these messages to users that don't exist
and not scanning them or trying to send bounce messages this might
resolve some loading issues.

Regards.

David

From jaearick at COLBY.EDU Tue Feb 4 18:28:58 2003
From: jaearick at COLBY.EDU (Jeff A. Earickson)
Date: Thu Jan 12 21:17:08 2006
Subject: Processing large email
In-Reply-To: <20030204172213.GB30025@bnl.gov>
References: <20030204170210.GA28379@bnl.gov> <5.2.0.9.2.20030204171411.05cbfed8@imap.ecs.soton.ac.uk> <20030204172213.GB30025@bnl.gov>
Message-ID:

Hi,

I suggest setting a maximum message size in sendmail. The
m4 entry is:

define(`confMAX_MESSAGE_SIZE', `10485760')dnl

for a 10MB maximum, for instance.

The third edition of the Bat Book (O'Reilly's sendmail book) has
a good write-up about configuring multiple sendmail queues and
multiple .cf files to handle queues of different size/speeds.
They give an example of a "fast" queue and a "slow" queue.
Every email gets one chance to get processed with the fast queue
options and if it doesn't go out the first time, then it ends up
in the "slow" queue for later retries. I read thru the chapter
when I had the Bat Book in hand at a book store; I've ordered a
copy but don't have it yet.

--- Jeff Earickson

On Tue, 4 Feb 2003, Tim Sailer wrote:

> Date: Tue, 4 Feb 2003 12:22:13 -0500
> From: Tim Sailer
> Reply-To: MailScanner mailing list
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: Processing large email
>
> On Tue, Feb 04, 2003 at 05:15:34PM +0000, Julian Field wrote:
> > At 17:02 04/02/2003, you wrote:
> > >I've been using mailscanner with great success for a while, but
> > >every once in a while, the mail queue seems to jam up. Investigation
> > >shows that it's large emails, either attachments, or just text,
> > >but 100MB+. Is there any way (running exim) to either push this
> > >off to another queue, or give the large email a low priority, so
> > >it doesn't get scanned until there's nothing left to do?
> >
> > A large email will only block up one of the child processes. The others
> > will continue scanning other mail. If you run with the default 5 children,
> > then you would have to have 5 huge mails turn up at *exactly* the right
> > moments so as to block all 5 children.
>
> It happens, trust me. I'm graphing mail latency, and sometimes the
> latency goes up to 40+ minutes. :(
>
> Tim
>
> --
> Tim Sailer
> Application Services
> Information Technology Division
> Brookhaven National Laboratory (631) 344-3001
>

From sailer at BNL.GOV Tue Feb 4 18:32:41 2003
From: sailer at BNL.GOV (Tim Sailer)
Date: Thu Jan 12 21:17:08 2006
Subject: Processing large email
In-Reply-To:
References: <20030204170210.GA28379@bnl.gov> <5.2.0.9.2.20030204171411.05cbfed8@imap.ecs.soton.ac.uk> <20030204172213.GB30025@bnl.gov>
Message-ID: <20030204183241.GA4749@bnl.gov>

I appreciate all the good suggestions, both on and offlist, but,
like I said in the email, we're running Exim, and switching to
sendmail is not an option.

Tim

On Tue, Feb 04, 2003 at 01:28:58PM -0500, Jeff A. Earickson wrote:
> Hi,
>
> I suggest setting a maximum message size in sendmail. The
> m4 entry is:
>
> define(`confMAX_MESSAGE_SIZE', `10485760')dnl
>
> for a 10MB maximum, for instance.
>
> The third edition of the Bat Book (O'Reilly's sendmail book) has
> a good write-up about configuring multiple sendmail queues and
> multiple .cf files to handle queues of different size/speeds.
> They give an example of a "fast" queue and a "slow" queue.
> Every email gets one chance to get processed with the fast queue
> options and if it doesn't go out the first time, then it ends up
> in the "slow" queue for later retries. I read thru the chapter
> when I had the Bat Book in hand at a book store; I've ordered a
> copy but don't have it yet.
>
> --- Jeff Earickson
>
> On Tue, 4 Feb 2003, Tim Sailer wrote:
>
> > Date: Tue, 4 Feb 2003 12:22:13 -0500
> > From: Tim Sailer
> > Reply-To: MailScanner mailing list
> > To: MAILSCANNER@JISCMAIL.AC.UK
> > Subject: Re: Processing large email
> >
> > On Tue, Feb 04, 2003 at 05:15:34PM +0000, Julian Field wrote:
> > > At 17:02 04/02/2003, you wrote:
> > > >I've been using mailscanner with great success for a while, but
> > > >every once in a while, the mail queue seems to jam up. Investigation
> > > >shows that it's large emails, either attachments, or just text,
> > > >but 100MB+. Is there any way (running exim) to either push this
> > > >off to another queue, or give the large email a low priority, so
> > > >it doesn't get scanned until there's nothing left to do?
> > >
> > > A large email will only block up one of the child processes. The others
> > > will continue scanning other mail. If you run with the default 5 children,
> > > then you would have to have 5 huge mails turn up at *exactly* the right
> > > moments so as to block all 5 children.
> >
> > It happens, trust me. I'm graphing mail latency, and sometimes the
> > latency goes up to 40+ minutes. :(
> >
> > Tim
> >
> > --
> > Tim Sailer
> > Application Services
> > Information Technology Division
> > Brookhaven National Laboratory (631) 344-3001
> >
>

--
Tim Sailer
Application Services
Information Technology Division
Brookhaven National Laboratory (631) 344-3001

From sailer at BNL.GOV Tue Feb 4 19:45:50 2003
From: sailer at BNL.GOV (Tim Sailer)
Date: Thu Jan 12 21:17:08 2006
Subject: Processing large email
In-Reply-To:
References: <20030204170210.GA28379@bnl.gov> <5.2.0.9.2.20030204171411.05cbfed8@imap.ecs.soton.ac.uk> <20030204172213.GB30025@bnl.gov>
Message-ID: <20030204194550.GA11063@bnl.gov>

On Tue, Feb 04, 2003 at 07:29:49PM +0000, Tony Finch wrote:
> Tim Sailer wrote:
> >I appreciate all the good suggestions, both on and offlist, but,
> >like I said in the email, we're running Exim, and switching to
> >sendmail is not an option.
>
> message_size_limit is your friend

It's at 120MB at the moment.

Tim

--
Tim Sailer
Application Services
Information Technology Division
Brookhaven National Laboratory (631) 344-3001

From dot at DOTAT.AT Tue Feb 4 19:49:10 2003
From: dot at DOTAT.AT (Tony Finch)
Date: Thu Jan 12 21:17:08 2006
Subject: Outbound and Inbound mail on same server
In-Reply-To:
Message-ID:

Randy Herban wrote:
>

I feel honour-bound to do a bit of advocacy...

>Quick shell script to delete all mailq items from a certain domain (say,
>used to spam messages).

exim -bpr | sed -e '/^[ 0-9][0-9].\{8\}\(.\{16\}\) <.*@domain>$/!d;s//\1/' | xargs exim -Mrm

>Easy way to count/sort the items in mailq to determine which domains have
>the most in queue.

exim -bpr | sed -e '/^[ 0-9][0-9].\{8\}.\{16\} <.*@\([^@]*\)>$/!d;s//\1/' | sort | uniq -c | sort -n

(yes, that sed bit could be made easier)

>Process all mail in queue destined/from a certain domain.

exim -qR domain

Tony.
--
f.a.n.finch http://dotat.at/
NORTH FORELAND TO SELSEY BILL: NORTHWEST 5 TO 7 LOCALLY GALE 8 GRADUALLY
DECREASING 4 LOCALLY 5. MOSTLY FINE AND DRY. GOOD. SLIGHT TO MODERATE
LOCALLY ROUGH DECAYING SLIGHT.

From dot at DOTAT.AT Tue Feb 4 19:55:58 2003
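The queue-inspection one-liners in Tony Finch's reply above, reworked as an added example that is not part of the original post: read-only shell functions that count queued messages per sender domain and list the message IDs for one domain so they can be reviewed before anything is removed. Unlike a pattern anchored on "@domain>" at end of line, they also count null-sender bounces (the MAILER-DAEMON traffic Randy Herban describes) and frozen messages; the function names and the sample listing are constructed, and the listing layout is assumed to be the one the sed patterns above match.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed listing layout (the one the
# sed patterns in the post match):
#   <age> <size> <message-id> <sender> [*** frozen ***]
# followed by indented recipient lines. All function names are hypothetical.

# Constructed sample standing in for `exim -bpr` output. It contains a
# bounce with the null sender "<>", a frozen message, a sender domain in
# mixed case, and a recipient already delivered (the "D" prefix).
sample_queue() {
cat <<'EOF'
25m  2.9K 18fZAb-0003Kx-00 <alice@spam.example>
          bob@customer.example

 3h  1.1K 18fYzQ-0002Lm-00 <>
          nobody@bounce-target.example

 2d   12K 18fXkP-0001Ab-00 <carol@SPAM.example> *** frozen ***
          dave@customer.example

 4h  4.0K 18fYq1-0000Zz-00 <erin@partner.example>
        D frank@customer.example
          grace@customer.example
EOF
}

# Print "message-id sender-domain" for each queued message read on stdin.
# Only the first line of an entry has at least four fields with a message ID
# in field 3 and a bracketed sender in field 4; recipient lines are skipped.
queue_senders() {
  awk '
    NF >= 4 && $3 ~ /^[0-9A-Za-z]+-[0-9A-Za-z]+-[0-9A-Za-z]+$/ && $4 ~ /^<.*>$/ {
      sender = substr($4, 2, length($4) - 2)
      n = split(sender, part, "@")
      if (sender == "")  domain = "<>"        # null sender: a bounce message
      else if (n < 2)    domain = "(local)"   # unqualified local sender
      else               domain = tolower(part[n])
      print $3, domain
    }'
}

# Print "count domain", largest count first, ties in byte order.
queue_by_sender_domain() {
  queue_senders |
    awk '{ count[$2]++ } END { for (d in count) print count[d], d }' |
    LC_ALL=C sort -k1,1nr -k2,2
}

# Print the message IDs whose sender domain equals $1 (case-insensitive).
# Nothing is deleted here; the list is meant to be read before any removal.
ids_for_domain() {
  want=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  queue_senders | awk -v want="$want" '$2 == want { print $1 }'
}

# Demo on the constructed sample; on a live host pipe `exim -bpr` in instead.
sample_queue | queue_by_sender_domain
```
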
From: dot at DOTAT.AT (Tony Finch)
Date: Thu Jan 12 21:17:08 2006
Subject: Processing large email
In-Reply-To:
References: <20030204170210.GA28379@bnl.gov> <5.2.0.9.2.20030204171411.05cbfed8@imap.ecs.soton.ac.uk> <20030204172213.GB30025@bnl.gov>
Message-ID:

One other possibility which is not amazingly elegant would be to get
the SMTP listener to pass all messages straight to the outgoing Exim
(or somewhere else entirely) rather than leave them on the queue for
MailScanner. This would require each Exim instance to use a very
different configuration file, rather than the same file as is possible
with a normal setup.

Tony.
--
f.a.n.finch http://dotat.at/
LUNDY FASTNET IRISH SEA: NORTH OR NORTHWEST 5 TO 7 DECREASING 4. WINTRY
SHOWERS, THEN RAIN IN FASTNET LATER. MODERATE OR GOOD.

From brose at MED.WAYNE.EDU Tue Feb 4 20:14:36 2003
From: brose at MED.WAYNE.EDU (Rose, Bobby)
Date: Thu Jan 12 21:17:08 2006
Subject: Bug in long filename rule?
Message-ID:

Is this a bug in the new rule?

Report: Very long filenames are good signs of attacks against Microsoft
e-mail packages (Sn-Mesoporphyr.htm)

-=B

From gavin at NETERGY.COM Tue Feb 4 22:26:21 2003
From: gavin at NETERGY.COM (Gavin Nelmes-Crocker)
Date: Thu Jan 12 21:17:08 2006
Subject: adding anti spam rules
Message-ID:

I'm struggling to work out how I can add a rule to block mails with specific
content in a mail i.e.

Want a free flowing and trouble free Septic Tank?

would I add this to spam.assassin.prefs? and in what way - the only examples
I've seen seem to be for info in the header,subject or from specific people.

What I need is somewhere or some method of adding specific sound bites from
within the mail - I realize this is risky if something was added that could
be legitimate but I'm assured no one wants the above or if they do they have
it already without assistance from some unknown person in another part of
the world tinkering with their septic tank.

Thanks

Gavin

From dwinkler at ALGORITHMICS.COM Tue Feb 4 22:28:22 2003
From: dwinkler at ALGORITHMICS.COM (Derek Winkler)
Date: Thu Jan 12 21:17:08 2006
Subject: adding anti spam rules
Message-ID: <06EE2C86D3DAD5119A6C0060943F3C970402C153@tormail1.algorithmics.com>

On my system...

In /etc/mail/spamassassin/local.cf

body LOCAL_SEPTIC /Want a free flowing and trouble free Septic Tank/i
describe LOCAL_SEPTIC "Septic Tank Content"
score LOCAL_SEPTIC -5

-----Original Message-----
From: Gavin Nelmes-Crocker [mailto:gavin@NETERGY.COM]
Sent: Tuesday, February 04, 2003 5:26 PM
To: MAILSCANNER@jiscmail.ac.uk
Subject: adding anti spam rules

I'm struggling to work out how I can add a rule to block mails with specific
content in a mail i.e.

Want a free flowing and trouble free Septic Tank?

would I add this to spam.assassin.prefs? and in what way - the only examples
I've seen seem to be for info in the header,subject or from specific people.

What I need is somewhere or some method of adding specific sound bites from
within the mail - I realize this is risky if something was added that could
be legitimate but I'm assured no one wants the above or if they do they have
it already without assistance from some unknown person in another part of
the world tinkering with their septic tank.

Thanks

Gavin

From dwinkler at ALGORITHMICS.COM Tue Feb 4 22:33:38 2003
From: dwinkler at ALGORITHMICS.COM (Derek Winkler)
Date: Thu Jan 12 21:17:08 2006
Subject: adding anti spam rules
Message-ID: <06EE2C86D3DAD5119A6C0060943F3C970402C154@tormail1.algorithmics.com>

Oops copied this from a vendor's rule who has a bad history of open relays,
score should be 5 or whatever amount you want to add to the score.

-----Original Message-----
From: Derek Winkler [mailto:dwinkler@algorithmics.com]
Sent: Tuesday, February 04, 2003 5:28 PM
To: MAILSCANNER@jiscmail.ac.uk
Subject: Re: adding anti spam rules

On my system...

In /etc/mail/spamassassin/local.cf

body LOCAL_SEPTIC /Want a free flowing and trouble free Septic Tank/i
describe LOCAL_SEPTIC "Septic Tank Content"
score LOCAL_SEPTIC -5

-----Original Message-----
From: Gavin Nelmes-Crocker [ mailto:gavin@NETERGY.COM ]
Sent: Tuesday, February 04, 2003 5:26 PM
To: MAILSCANNER@jiscmail.ac.uk
Subject: adding anti spam rules

I'm struggling to work out how I can add a rule to block mails with specific
content in a mail i.e.

Want a free flowing and trouble free Septic Tank?

would I add this to spam.assassin.prefs? and in what way - the only examples
I've seen seem to be for info in the header,subject or from specific people.

What I need is somewhere or some method of adding specific sound bites from
within the mail - I realize this is risky if something was added that could
be legitimate but I'm assured no one wants the above or if they do they have
it already without assistance from some unknown person in another part of
the world tinkering with their septic tank.

Thanks

Gavin

From bfriedman at TYCOINT.COM Wed Feb 5 06:37:41 2003
From: bfriedman at TYCOINT.COM (Brandon Friedman)
Date: Thu Jan 12 21:17:08 2006
Subject: Maill Cluster
Message-ID: <001401c2cce0$8ddc2270$595f7ca0@brandonnb>

Hi Folks

I am looking to setup a cluster mail server (failover cluster)....

I have few questions:
1) Has anybody got a howto for sendmail/exim clustering?
2) How does mailscanner handle/work in a cluster environment?
3) Should I use mailscanner with sendmail or exim in the cluster?

--
Regards
Brandon Friedman
ADT South Africa
E-mail: bfriedman@tycoint.com

From jrudd at UCSC.EDU Wed Feb 5 08:03:05 2003
From: jrudd at UCSC.EDU (John Rudd)
Date: Thu Jan 12 21:17:08 2006
Subject: Rule Problem
Message-ID: <41A61E6E-38E0-11D7-9173-003065F939FE@ucsc.edu>

I've set "Spam Checks" to a rules file:

Spam Checks = /opt/MailScanner/etc/rules/spam.check.rules

and here's the content of the rules file:

From: 128.114. no
From: *@*.ucsc.edu no
From: *@ucsc.edu no
FromTo: default yes

What I want: if it's from our domain/network, don't scan it for spam.
Otherwise, do scan it for spam.

What I'm getting: nothing is getting scanned for spam. (but, when I just
had "yes" instead of a rule file, spam scanning was doing just fine)

What have I done wrong?

John

From paul.hamilton at sme-ecom.co.uk Wed Feb 5 08:57:06 2003
From: paul.hamilton at sme-ecom.co.uk (Paul Hamilton)
Date: Thu Jan 12 21:17:08 2006
Subject: Site administrators report
Message-ID: <000101c2ccf4$9016e020$fc32000a@4>

Hi all,

We would like to use the 'Site Administrators' report feature to notify
additional users of infections to their site. Whereas we are able to change
the footer within this report could someone advise us how we could change
both the 'From' field and the 'Subject' field.

We would like to alter 'MailScanner' in the 'From' Field and change the
wording 'Warning: E-mail viruses detected'

Many thanks in advance.

Regards

Paul H.

From P.G.M.Peters at civ.utwente.nl Wed Feb 5 09:15:21 2003
From: P.G.M.Peters at civ.utwente.nl (Peter Peters)
Date: Thu Jan 12 21:17:08 2006
Subject: Outbound and Inbound mail on same server
In-Reply-To:
References:
Message-ID: <08l14v8h6p92dr87r2miujda3kk2m9gdgj@4ax.com>

On Tue, 4 Feb 2003 17:45:31 -0000, you wrote:

>> We support mail accounts for several tens of thousand customers. The
>> majority of the mail we deal with is spam coming into our accounts
>> using dictionary attacks or the like. With this in mind, the majority
>> of the mail in the Outgoing queue at any time are MAILER-DAEMON
>> messages with bounce-backs of user unknowns trying to send mail to a
>> host that doesn't accept mail.
>>
>If you're running a mail server that acts as a "gateway" mail server
>like this it might be worth looking at exim, I'm not intending to
>start an MTA war with such a comment but this is very easy to do with
>exim 4 acls which can reject a message at the SMTP stage if recipient
>callout checks determine that the address isn't valid. I don't
>believe that sendmail can do similar but I couldn't say for sure.

We do the address-account/host translation on our border mailgateway but
still we end up with thousands of bounces in the outgoing queue. The
problem is sendmail tries to do it "the right way". When somebody uses a
non-existent address we return a 5xx. Normally the other system would
respond with QUIT or something like that. But most spamware just
disconnects. So sendmail (and any other MTA) doesn't know whether the
sending MTA has ever received the 5xx. So he decides to report the failure
himself.

If it were only for the spamware I would clean this out, but there is some
MTA(-like) software that acts the same way. (and even MUA(-like) software
from the same vendor does it occasionally.)

--
Peter Peters
senior netwerkbeheerder
Centrum voor InformatieTechnologie, Bibliotheek en Educatie
Universiteit Twente, Postbus 217, 7500 AE Enschede
telefoon: +31 53 489 2301, fax:+31 53 489 2383, http://www.utwente.nl/civ

From P.G.M.Peters at civ.utwente.nl Wed Feb 5 09:21:16 2003
From: P.G.M.Peters at civ.utwente.nl (Peter Peters)
Date: Thu Jan 12 21:17:08 2006
Subject: Maill Cluster
In-Reply-To: <001401c2cce0$8ddc2270$595f7ca0@brandonnb>
References: <001401c2cce0$8ddc2270$595f7ca0@brandonnb>
Message-ID: <3jl14vkjrp2266d22n9c464628v0u2vrsb@4ax.com>

On Wed, 5 Feb 2003 08:37:41 +0200, you wrote:

>I am looking to setup a cluster mail server (failover cluster)....

We are running a kind-of-cluster. It consists of two (identically
configured) systems. One is called mx1 and the other mx2 with identical
preferences in DNS (for the outside). We also have smtp which points to
both systems for internal use.

>I have few questions:
>1) Has anybody got a howto for sendmail/exim clustering?

The sendmail configuration is no different from a normal system. We only
made extra entries in some Makefile's which copy (cpio over ssh) the
changed alias and configuration files over to the other system.

We have discussed whether we would use a fail-over system, but we decided
if we have two systems let them share the work. Both are powerful enough to
keep up with the load when the other dies. This actually is the way we ran
after the fire. Only this week we are planning on putting the second system
back online again.

--
Peter Peters
senior netwerkbeheerder
Centrum voor InformatieTechnologie, Bibliotheek en Educatie
Universiteit Twente, Postbus 217, 7500 AE Enschede
telefoon: +31 53 489 2301, fax:+31 53 489 2383, http://www.utwente.nl/civ

From florusb at ASCIO.COM Wed Feb 5 10:23:03 2003
From: florusb at ASCIO.COM (Florus Both)
Date: Thu Jan 12 21:17:08 2006
Subject: Maill Cluster
Message-ID: <2F15A97500CFA0469C9BACC2041F8AC7032E858E@aries.dk.speednames.com>

Here I have actually set up 'two layers': The first consists of two machines with postfix where all external mail comes to. Mail for our office will be sent to two other servers running sendmail/mailscanner/sophos/spamassassin, and these forward it to the exchange server (if found clean etc etc). MX values for each layer are the same. Looks something like this:

# external
Speednames.com       MX 10 smtp3.mail.ascio.net.
Speednames.com       MX 10 smtp2.mail.ascio.net.
#internal
Dk.speednames.com    MX 10 voyager.dk.speednames.com.
Dk.speednames.com    MX 10 venus.dk.speednames.com.

Florus

-----Original Message-----
From: Peter Peters [mailto:P.G.M.Peters@civ.utwente.nl]
Sent: 5 February 2003 10:21
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Maill Cluster

On Wed, 5 Feb 2003 08:37:41 +0200, you wrote:

>I am looking to setup a cluster mail server (failover cluster)....

We are running a kind-of-cluster. It consists of two (identically configured) systems. One is called mx1 and the other mx2 with identical preferences in DNS (for the outside). We also have smtp which points to both systems for internal use.

>I have few questions:
>1) Has anybody got a howto for sendmail/exim clustering?

The sendmail configuration is no different from a normal system. We only made extra entries in some Makefiles which copy (cpio over ssh) the changed alias and configuration files over to the other system.

We have discussed whether we would use a fail-over system, but we decided if we have two systems let them share the work. Both are powerful enough to keep up with the load when the other dies. This actually is the way we ran after the fire. Only this week we are planning on putting the second system back online again.

--
Peter Peters
senior network administrator
Centrum voor InformatieTechnologie, Bibliotheek en Educatie
Universiteit Twente, Postbus 217, 7500 AE Enschede
telephone: +31 53 489 2301, fax:+31 53 489 2383, http://www.utwente.nl/civ

From mailscanner at ecs.soton.ac.uk Wed Feb 5 10:39:56 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:08 2006
Subject: Outbound and Inbound mail on same server
In-Reply-To:
Message-ID: <5.2.0.9.2.20030205103039.0288b8b8@imap.ecs.soton.ac.uk>

I am a definite fan of having incoming and outgoing mail on completely separate servers. Having incoming and outgoing on the same servers just seems like too many jobs on 1 server. Hardware is cheap, service loss is expensive.

Here I run 2 incoming servers, a bunch of internal ones which deliver peer-to-peer, and 2 outgoing servers. Each half of the pairs are in different buildings and run from different power company sub-stations. So everything is multiply redundant, I can take out either of the incoming or outgoing servers at any time without loss of service to anyone. If I need to take both outgoing servers out at the same time (which hardly ever happens anyway) then no-one loses any SMTP service, the incoming and internal servers just queue it all until the outgoing servers re-appear.

FYI this is a sendmail-only setup (which is why MailScanner supported sendmail first :-)

The same setup has done us well for many years now. I re-wrote it all from scratch back when the UK joined the Internet for the first time, but haven't really touched it since other than to add support for multiple domains, virtual users, stuff like that. Major mail outages just don't happen. Not ever.

Just my 2p worth...
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Wed Feb 5 10:49:42 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:08 2006
Subject: Rule Problem
In-Reply-To: <41A61E6E-38E0-11D7-9173-003065F939FE@ucsc.edu>
Message-ID: <5.2.0.9.2.20030205104839.02587c50@imap.ecs.soton.ac.uk>

At 08:03 05/02/2003, you wrote:
>I've set "Spam Checks" to a rules file:
>
>Spam Checks = /opt/MailScanner/etc/rules/spam.check.rules
>
>and here's the content of the rules file:
>
>From: 128.114. no

Is all the mail from the outside world hitting a server in 128.114 first (a proxy perhaps), which then sends it onto your MailScanner server? Try taking out this rule and see what happens...

>From: *@*.ucsc.edu no
>From: *@ucsc.edu no
>FromTo: default yes
>
>
>What I want: if it's from our domain/network, don't scan it for spam.
> Otherwise, do scan it for spam.
>
>What I'm getting: nothing is getting scanned for spam.
> (but, when I just had "yes" instead of a rule file, spam scanning was
> doing just fine)
>
>
>What have I done wrong?
>
>
>John

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Wed Feb 5 10:45:43 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:08 2006
Subject: Bug in long filename rule?
In-Reply-To:
Message-ID: <5.2.0.9.2.20030205104053.025ccb00@imap.ecs.soton.ac.uk>

The filename included in the report is the sanitised filename, not the original one that was contained in the message.

First rule for avoiding odd security vulnerabilities you haven't thought of: Never put user input into anything that is ever presented as output. Hundreds of packages have been caught out by this.

All you need to do here would be to have a nasty MIME attachment completely contained within the filename of another (harmless) MIME attachment. Then this rule would report the filename it didn't like, which in the outgoing message would look like a (nasty) MIME attachment, so the email application would present it as an attachment, thereby avoiding all the virus scanning.

The filename you see has a short maximum length, and can only contain a very small set of harmless characters and certainly no punctuation or control characters.

At 20:14 04/02/2003, you wrote:
>Is this a bug in the new rule?
>
>Report: Very long filenames are good signs of attacks against Microsoft
>e-mail packages (Sn-Mesoporphyr.htm)
>
>-=B

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Wed Feb 5 10:47:21 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:08 2006
Subject: adding anti spam rules
In-Reply-To: <06EE2C86D3DAD5119A6C0060943F3C970402C154@tormail1.algorithmics.com>
Message-ID: <5.2.0.9.2.20030205104659.02897ec8@imap.ecs.soton.ac.uk>

Also, read "man Mail::SpamAssassin::Conf".

At 22:33 04/02/2003, you wrote:
>Oops copied this from a vendors rule who has a bad history of open relays,
>score should be 5 or whatever amount you want to add to the score.
>-----Original Message-----
>From: Derek Winkler [mailto:dwinkler@algorithmics.com]
>Sent: Tuesday, February 04, 2003 5:28 PM
>To: MAILSCANNER@jiscmail.ac.uk
>Subject: Re: adding anti spam rules
>
>On my system...
>
>In /etc/mail/spamassassin/local.cf
>
>body LOCAL_SEPTIC /Want a free flowing and trouble free Septic Tank/i
>describe LOCAL_SEPTIC "Septic Tank Content"
>score LOCAL_SEPTIC -5
>
>-----Original Message-----
>From: Gavin Nelmes-Crocker
>[mailto:gavin@NETERGY.COM]
>Sent: Tuesday, February 04, 2003 5:26 PM
>To: MAILSCANNER@jiscmail.ac.uk
>Subject: adding anti spam rules
>
>I'm struggling to work out how I can add a rule to block mails with specific
>content in a mail
>
>i.e. Want a free flowing and trouble free Septic Tank?
>
>would I add this to spam.assassin.prefs? and in what way - the only examples
>I've seen seem to be for info in the header,subject or from specific people.
>What I need is somewhere or some method of adding specific sound bites from
>within the mail - I realize this is risky if something was added that could
>be legitimate but I'm assured no one wants the above or if they do they have
>it already without assistance from some unknown person in another part of
>the world tinkering with their septic tank.
>
>Thanks
>
>Gavin

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030205/3bf5382e/attachment.html

From mike at ZANKER.ORG Wed Feb 5 10:53:22 2003
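
The point made in Julian Field's "Bug in long filename rule?" reply above, as an added example that is not part of the thread and is not MailScanner's own (Perl) code: an attachment filename copied unchanged into a report can introduce a new MIME part into the outgoing message, while a whitelisted, length-limited name cannot. The character set, the 20-character limit, the boundary string and all function names are assumptions made for this sketch.

```python
import re

BOUNDARY = "EXAMPLE-BOUNDARY"            # constructed boundary of the outgoing message
MAX_NAME_LEN = 20                        # assumed limit, not MailScanner's real value
UNSAFE = re.compile(r"[^A-Za-z0-9._-]")  # assumed whitelist of display characters

# Constructed filename that carries a line break, a part delimiter and a header.
HOSTILE_NAME = (
    "report.txt\r\n--" + BOUNDARY + "\r\n"
    "Content-Type: text/plain\r\n\r\ninjected"
)


def safe_report_name(raw, limit=MAX_NAME_LEN):
    """Return a display-only filename: whitelisted characters, capped length."""
    cleaned = UNSAFE.sub("", raw)[:limit]
    return cleaned or "unnamed"


def build_report(display_name):
    """Text of the warning, with the wording quoted in the thread."""
    return (
        "Report: Very long filenames are good signs of attacks against "
        "Microsoft e-mail packages (" + display_name + ")"
    )


def wrap_in_mime(body, boundary=BOUNDARY):
    """Put the report into a simplified one-part multipart body."""
    return "\r\n".join([
        "--" + boundary,
        "Content-Type: text/plain",
        "",
        body,
        "--" + boundary + "--",
        "",
    ])


def count_parts(message, boundary=BOUNDARY):
    """Count part delimiters as a MIME reader sees them: whole lines '--boundary'."""
    return sum(1 for line in message.split("\r\n") if line == "--" + boundary)


def demo():
    raw_message = wrap_in_mime(build_report(HOSTILE_NAME))
    safe_message = wrap_in_mime(build_report(safe_report_name(HOSTILE_NAME)))
    return count_parts(raw_message), count_parts(safe_message)


if __name__ == "__main__":
    raw_parts, safe_parts = demo()
    print("parts with raw filename:      ", raw_parts)
    print("parts with sanitised filename:", safe_parts)
    print("name shown in the report:     ", safe_report_name(HOSTILE_NAME))
```

The sanitised name looks odd to the recipient, which is the behaviour the original question mistook for a bug.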
From: mike at ZANKER.ORG (Mike Zanker)
Date: Thu Jan 12 21:17:08 2006
Subject: Odd "update_virus_scanners" behaviour
Message-ID: <77991859.1044442402@mallard.open.ac.uk>

Can anyone think of a reason why the hourly "update_virus_scanners" cron job should suddenly fire off at 29 minutes past the hour, even though it has already run on the hour with the other hourly cron jobs? None of my other hourly cron jobs ran at 9:29, only update_virus_scanners. It then failed to run at 10:01 with the other hourly cron jobs.

This is on RH 8.0.

Thanks,

Mike.

From gavin at NETERGY.COM Wed Feb 5 11:39:38 2003
From: gavin at NETERGY.COM (Gavin Nelmes-Crocker)
Date: Thu Jan 12 21:17:08 2006
Subject: adding anti spam rules
In-Reply-To: <5.2.0.9.2.20030205104659.02897ec8@imap.ecs.soton.ac.uk>
Message-ID:

okay I'm confused now - I didn't have a /etc/mail/spamassassin/local.cf on my system so I created it and put the rule in as below but with no effect - I've tried reading the man page as suggested and either I need to have some alcohol to help understand or I need a translator as this is way over my head.

But now I don't understand the use of the spam.assassin.prefs file I thought that's where this stuff would go maybe I'm not grasping how MailScanner interacts with Spamassassin properly.

Gavin

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Julian Field
Sent: 05 February 2003 10:47
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: adding anti spam rules

Also, read "man Mail::SpamAssassin::Conf".

At 22:33 04/02/2003, you wrote:

Oops copied this from a vendors rule who has a bad history of open relays, score should be 5 or whatever amount you want to add to the score.

-----Original Message-----
From: Derek Winkler [mailto:dwinkler@algorithmics.com]
Sent: Tuesday, February 04, 2003 5:28 PM
To: MAILSCANNER@jiscmail.ac.uk
Subject: Re: adding anti spam rules

On my system...

In /etc/mail/spamassassin/local.cf

body LOCAL_SEPTIC /Want a free flowing and trouble free Septic Tank/i
describe LOCAL_SEPTIC "Septic Tank Content"
score LOCAL_SEPTIC -5

-----Original Message-----
From: Gavin Nelmes-Crocker [mailto:gavin@NETERGY.COM]
Sent: Tuesday, February 04, 2003 5:26 PM
To: MAILSCANNER@jiscmail.ac.uk
Subject: adding anti spam rules

I'm struggling to work out how I can add a rule to block mails with specific content in a mail

i.e. Want a free flowing and trouble free Septic Tank?

would I add this to spam.assassin.prefs? and in what way - the only examples I've seen seem to be for info in the header,subject or from specific people. What I need is somewhere or some method of adding specific sound bites from within the mail - I realize this is risky if something was added that could be legitimate but I'm assured no one wants the above or if they do they have it already without assistance from some unknown person in another part of the world tinkering with their septic tank.

Thanks

Gavin

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

--
This message has been scanned for viruses and dangerous content by the Netergy Virus Spam Defence, and is believed to be clean.
For details on having your email scanned email nvsd@netergy.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030205/46bc0f9d/attachment.html

From Kevin.Spicer at BMRB.CO.UK Wed Feb 5 13:07:28 2003
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin)
Date: Thu Jan 12 21:17:08 2006
Subject: Small bug in install.sh
Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0A32CE8@pascal.priv.bmrb.co.uk>

When calling install.sh nodeps it attempts to use the flag -nodeps rather than --nodeps. Easily fixed by changing it at line 92 in the script!

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000
_________________________________________________________________
This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business.

From Kevin.Spicer at BMRB.CO.UK Wed Feb 5 13:22:57 2003
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin)
Date: Thu Jan 12 21:17:08 2006
Subject: Another buglet?
Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0A4AD1D@pascal.priv.bmrb.co.uk>

This time in sophos-autoupdate.

I accidentally ran sophos-autoupdate before opening up my firewall and got the following error...

syslog: invalid level/facility: warn at /usr/lin/MailScanner/sophos-autoupdate line 59

Changing warn to warning at line 59 seems to solve this.

Not very important I guess!

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000
_________________________________________________________________
This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business.

From mailscanner at ecs.soton.ac.uk Wed Feb 5 13:48:04 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:08 2006
Subject: Small bug in install.sh
In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB0A32CE8@pascal.priv.bmrb.co.uk>
Message-ID: <5.2.0.9.2.20030205134756.04e8e2b0@imap.ecs.soton.ac.uk>

At 13:07 05/02/2003, you wrote:
>When calling install.sh nodeps it attempts to use the flag -nodeps rather
>than --nodeps. Easily fixed by changing it at line 92 in the script!

Well spotted.

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Wed Feb 5 13:47:54 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:08 2006
Subject: Another buglet?
In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB0A4AD1D@pascal.priv.bmrb.co.uk>
Message-ID: <5.2.0.9.2.20030205134658.04ca5548@imap.ecs.soton.ac.uk>

That one is a new problem. I just checked in the man pages, and apparently "warn" has been deprecated recently in favour of "warning". I'll switch to "warning".

I think there is enough to justify a 4.12-3 release just to clear up these loose ends.

At 13:22 05/02/2003, you wrote:
>This time in sophos-autoupdate.
>
>I accidentally ran sophos-autoupdate before opening up my firewall and got
>the following error...
>syslog: invalid level/facility: warn at
>/usr/lin/MailScanner/sophos-autoupdate line 59
>
>Changing warn to warning at line 59 seems to solve this.
>
>Not very important I guess!

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Wed Feb 5 13:42:42 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:08 2006
Subject: adding anti spam rules
In-Reply-To:
References: <5.2.0.9.2.20030205104659.02897ec8@imap.ecs.soton.ac.uk>
Message-ID: <5.2.0.9.2.20030205134214.04ed8eb0@imap.ecs.soton.ac.uk>

You can add rules to the /etc/MailScanner/spam.assassin.prefs.conf file, that's where I put them and it appears to work fine.

At 11:39 05/02/2003, you wrote:
>okay I'm confused now - I didn't have a /etc/mail/spamassassin/local.cf
>on my system so I created it and put the rule in as below but with no
>effect - I've tried reading the man page as suggested and either I need to
>have some alcohol to help understand or I need a translator as this is way
>over my head.
>
>But now I don't understand the use of the spam.assassin.prefs file I
>thought that's where this stuff would go maybe I'm not grasping how
>MailScanner interacts with Spamassassin properly.
>
>Gavin
>-----Original Message-----
>From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On
>Behalf Of Julian Field
>Sent: 05 February 2003 10:47
>To: MAILSCANNER@JISCMAIL.AC.UK
>Subject: Re: adding anti spam rules
>
>Also, read "man Mail::SpamAssassin::Conf".
>
>At 22:33 04/02/2003, you wrote:
>>Oops copied this from a vendors rule who has a bad history of open
>>relays, score should be 5 or whatever amount you want to add to the score.
>>-----Original Message-----
>>From: Derek Winkler [mailto:dwinkler@algorithmics.com]
>>Sent: Tuesday, February 04, 2003 5:28 PM
>>To: MAILSCANNER@jiscmail.ac.uk
>>Subject: Re: adding anti spam rules
>>
>>On my system...
>>
>>In /etc/mail/spamassassin/local.cf
>>
>>body LOCAL_SEPTIC /Want a free flowing and trouble free Septic Tank/i
>>describe LOCAL_SEPTIC "Septic Tank Content"
>>score LOCAL_SEPTIC -5
>>
>>-----Original Message-----
>>From: Gavin Nelmes-Crocker
>>[mailto:gavin@NETERGY.COM]
>>Sent: Tuesday, February 04, 2003 5:26 PM
>>To: MAILSCANNER@jiscmail.ac.uk
>>Subject: adding anti spam rules
>>
>>I'm struggling to work out how I can add a rule to block mails with specific
>>content in a mail
>>
>>i.e. Want a free flowing and trouble free Septic Tank?
>>
>>would I add this to spam.assassin.prefs? and in what way - the only examples
>>I've seen seem to be for info in the header,subject or from specific people.
>>What I need is somewhere or some method of adding specific sound bites from
>>within the mail - I realize this is risky if something was added that could
>>be legitimate but I'm assured no one wants the above or if they do they have
>>it already without assistance from some unknown person in another part of
>>the world tinkering with their septic tank.
>>
>>Thanks
>>
>>Gavin
>
>--
>Julian Field
>www.MailScanner.info
>MailScanner thanks transtec Computers for their support
>--
>This message has been scanned for viruses and dangerous content
>by the Netergy Virus Spam Defence, and is
>believed to be clean.
>For details on having your email scanned email nvsd@netergy.com

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From dlovelace at HOTELS.COM Wed Feb 5 15:46:26 2003
From: dlovelace at HOTELS.COM (Dale Lovelace)
Date: Thu Jan 12 21:17:08 2006
Subject: Spam Scoring on whitelisted message
Message-ID: <20030205094626.789373d4.dlovelace@hotels.com>

Is a mail that is spam whitelisted supposed to still have the Spam Score Header added?

--
Dale Lovelace
System Administrator
hotels.com
(214) 361-7311 Ext. 1074

From adkinss at OHIO.EDU Wed Feb 5 15:50:53 2003
From: adkinss at OHIO.EDU (Scott Adkins)
Date: Thu Jan 12 21:17:08 2006
Subject: Sophos and Corrupt Files
Message-ID: <660227667.1044442253@Callisto>

Julian,

I know we have had considerable discussion on this topic already, and I need to find some resolution to it.

The issue seems to be that users are sending documents via attachments that get flagged as corrupt by Sophos and labeled as a virus in MailScanner. So far, all the documents I have managed to get my hands on indicate that these documents are indeed in some way corrupt. Most of the time, I can't even open the documents myself on my desktop. Periodically, I can find a PDF document that appears to open and look fine without generating any errors, but scanning it with Sophos indicates that the PDF is corrupt. This isn't necessarily untrue, as all of the PDF tools that I have at my disposal (conversion utilities to convert to postscript format, or other programs that can open and view the document) also say that the document is corrupt and refuse to do anything with it... It just happens to be that Adobe Acrobat Reader was forgiving enough in that particular case to allow me to view it successfully.

So, I see two problems here:

1) Sophos is very strict in following the document format standards, and if the document doesn't follow that standard, it says that it can't scan the document and labels it corrupt. I do not know how strict Sophos is on this, but most of the documents I have found do indeed have problems when trying to open them up with whatever standard software installed on my machine.

   Incidentally, Sophos claims that it couldn't find the start *and* end of the document and that is why it claims it can't scan the document. I really don't believe this claim. The errors I typically see when opening the documents myself are things like invalid variable names, etc. This could be the result of a newer version of document formats that Sophos doesn't yet understand, or non-standard software used to create those documents to begin with.

2) When Sophos comes back and says that the document couldn't be scanned for whatever reason, MailScanner simply labels the file as a virus and moves on. I don't agree with this, as I think the administrator is the one that should decide how to handle these situations. This is no different than how external MIME attachments are handled, since those attachments can't be scanned by the virus scanner as well.

What are the solutions to this problem?

1) Sophos probably should be a lot less restrictive when scanning some document formats. Aren't virus patterns determined by the patterns themselves and not how closely a PDF document adheres to Adobe's format standards? If you don't see the virus patterns, shouldn't you say the document is clean? We are going to generate a support call to them on this later this morning.

2) MailScanner should give us the option to allow documents that are unable to be scanned by the virus scanner through. We are getting a lot of calls about this now to our Support Center, and it is being pushed through the higher ranks. We are an educational institution, and what we think may be the right answer (i.e. no external MIME attachments, do filename checking, etc etc), politics dictate the policies. Anyways, I think we need an option in the config file to allow these documents through.

Thanks,
Scott
--
+-----------------------------------------------------------------------+
 Scott W. Adkins                http://www.cns.ohiou.edu/~sadkins/
 UNIX Systems Engineer          mailto:adkinss@ohio.edu
 ICQ 7626282                    Work (740)593-9478     Fax (740)593-1944
+-----------------------------------------------------------------------+
 PGP Public Key available at http://www.cns.ohiou.edu/~sadkins/pgp/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 231 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030205/04e31fe7/attachment.bin

From mike at CAMAROSS.NET Wed Feb 5 16:48:49 2003
From: mike at CAMAROSS.NET (Mike Kercher)
Date: Thu Jan 12 21:17:08 2006
Subject: Sophos and Corrupt Files
In-Reply-To: <660227667.1044442253@Callisto>
Message-ID: <007401c2cd36$7764ad90$9801a8c0@home.middlefinger.net>

I have zero defects with .pdf documents going through my servers and we do a LOT of pdf's with HP Digital Senders all over the place.

Mike

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Scott Adkins
Sent: Wednesday, February 05, 2003 9:51 AM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Sophos and Corrupt Files

Julian,

I know we have had considerable discussion on this topic already, and I need to find some resolution to it.

The issue seems to be that users are sending documents via attachments that get flagged as corrupt by Sophos and labeled as a virus in MailScanner. So far, all the documents I have managed to get my hands on indicate that these documents are indeed in some way corrupt. Most of the time, I can't even open the documents myself on my desktop. Periodically, I can find a PDF document that appears to open and look fine without generating any errors, but scanning it with Sophos indicates that the PDF is corrupt. This isn't necessarily untrue, as all of the PDF tools that I have at my disposal (conversion utilities to convert to postscript format, or other programs that can open and view the document) also say that the document is corrupt and refuse to do anything with it... It just happens to be that Adobe Acrobat Reader was forgiving enough in that particular case to allow me to view it successfully.

So, I see two problems here:

1) Sophos is very strict in following the document format standards, and if the document doesn't follow that standard, it says that it can't scan the document and labels it corrupt. I do not know how strict Sophos is on this, but most of the documents I have found do indeed have problems when trying to open them up with whatever standard software installed on my machine.

   Incidentally, Sophos claims that it couldn't find the start *and* end of the document and that is why it claims it can't scan the document. I really don't believe this claim. The errors I typically see when opening the documents myself are things like invalid variable names, etc. This could be the result of a newer version of document formats that Sophos doesn't yet understand, or non-standard software used to create those documents to begin with.

2) When Sophos comes back and says that the document couldn't be scanned for whatever reason, MailScanner simply labels the file as a virus and moves on. I don't agree with this, as I think the administrator is the one that should decide how to handle these situations. This is no different than how external MIME attachments are handled, since those attachments can't be scanned by the virus scanner as well.

What are the solutions to this problem?

1) Sophos probably should be a lot less restrictive when scanning some document formats. Aren't virus patterns determined by the patterns themselves and not how closely a PDF document adheres to Adobe's format standards? If you don't see the virus patterns, shouldn't you say the document is clean? We are going to generate a support call to them on this later this morning.

2) MailScanner should give us the option to allow documents that are unable to be scanned by the virus scanner through. We are getting a lot of calls about this now to our Support Center, and it is being pushed through the higher ranks. We are an educational institution, and what we think may be the right answer (i.e. no external MIME attachments, do filename checking, etc etc), politics dictate the policies. Anyways, I think we need an option in the config file to allow these documents through.

Thanks,
Scott
--
+-----------------------------------------------------------------------+
 Scott W. Adkins                http://www.cns.ohiou.edu/~sadkins/
 UNIX Systems Engineer          mailto:adkinss@ohio.edu
 ICQ 7626282                    Work (740)593-9478     Fax (740)593-1944
+-----------------------------------------------------------------------+
 PGP Public Key available at http://www.cns.ohiou.edu/~sadkins/pgp/

From mailscanner at ecs.soton.ac.uk Wed Feb 5 17:16:07 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:08 2006 Subject: Sophos and Corrupt Files In-Reply-To: <660227667.1044442253@Callisto> Message-ID: <5.2.0.9.2.20030205171136.02d459f8@imap.ecs.soton.ac.uk> What version of Sophos are you running? The "corrupt" errors seem to disappear with 3.66 (i.e. the very latest off the web). I have seen 3.62 - 3.65 complain about documents that 3.66 is perfectly happy with. And the fact that absolutely no-one except Sophos users are having any corrupted file problems does slightly point the finger at Sophos. Maybe when asked to disinfect a file that it thinks is corrupt, it damages it? Just a thought. I know Sophos are blaming me for this problem. But it strikes me as very odd that only Sophos users are having file corruption problems... And I can't reproduce it in Sophos 3.66. At 15:50 05/02/2003, you wrote: >Julan, > >I know we have had considerable discussion on this topic already, and I >need to find some resolution to it. > >The issue seems to be that users are sending documents via attachments >that get flagged as corrupt by Sophos and labeled as a virus in MailScanner. >So far, all the documents I have managed to get my hands on indicate that >these documents are indeed in some way corrupt. Most of the time, I can't >even open the documents myself on my desktop. Periodically, I can find a >PDF document that appears to open and look fine without generating any >errors, but scanning it with Sophos indicates that the PDF is corrupt. >This isn't necessarily untrue, as all of the PDF tools that I have at my >disposal (conversion utilities to convert to postscript format, or other >programs that can open and view the document) also say that the document >is corrupt and refuse to do anything with it... It just happens to be that >Adobe Acrobat Reader was forgiving enough in that particular case to allow >me to view it successfully. 
> >So, I see two problems here: > > 1) Sophos is very strict in following the document format standards, and > if the document doesn't follow that standard, it says that it can't > scan the document and labels it corrupt. I do not know how sctrict > Sophos is on this, but most of the documents I have found does indeed > have problems when trying to open them up with whatever standard > software installed on my machine. > > Indicidentally, Sophos claims that it couldn't find the start *and* > end of the document and that is why it claims it can't scan the > document. I really don't believe this claim. The errors I typically > see when opening the documents myself are things like invalid variable > names, etc. This could be the result of a newer version of document > formats that Sophos doesn't yet understand, or non-standard software > used to create those documents to begin with. > > 2) When Sophos comes back and says that the document couldn't be scanned > for whatever reason, MailScanner simply labels the file as a virus and > moves on. I don't agree with this, as I think the administrator is > the one that should decide how to handle these situations. This is > no different than how external MIME attachments are handled, since > those attachments can't be scanned by the virus scanner as well. > >What are the solutions to this problem? > > 1) Sophos probably should be a lot less restrictive when scanning some > document formats. Aren't virus patterns determined by the patterns > themselves and not how closely a PDF document adheres to Adobe's > format standards? If you don't see the virus patterns, shouldn't > you say the document is clean? We are going to generate a support > call to them on this later this morning. > > 2) MailScanner should give us the option to allow documents that are > unable to be scanned by the virus scanner through. We are getting a > lot of calls about this now to our Support Center, and it is being > pushed through the higher ranks. 
>     We are an educational institution,
>     and what we think may be the right answer (i.e. no external MIME
>     attachments, do filename checking, etc etc), politics dictate the
>     policies.  Anyways, I think we need an option in the config file to
>     allow these documents through.
>
>Thanks,
>Scott
>--
>+-----------------------------------------------------------------------+
> Scott W. Adkins                http://www.cns.ohiou.edu/~sadkins/
> UNIX Systems Engineer          mailto:adkinss@ohio.edu
> ICQ 7626282     Work (740)593-9478     Fax (740)593-1944
>+-----------------------------------------------------------------------+
>     PGP Public Key available at
>     http://www.cns.ohiou.edu/~sadkins/pgp/

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From jrudd at UCSC.EDU Wed Feb 5 18:55:36 2003
From: jrudd at UCSC.EDU (John Rudd)
Date: Thu Jan 12 21:17:08 2006
Subject: Rule Problem
Message-ID: <200302051855.h15Ita126029@kzin.ucsc.edu>

> From: Julian Field
>
> At 08:03 05/02/2003, you wrote:
> >I've set "Spam Checks" to a rules file:
> >
> >Spam Checks = /opt/MailScanner/etc/rules/spam.check.rules
> >
> >and here's the content of the rules file:
> >
> >From: 128.114. no
>
> Is all the mail from the outside world hitting a server in 128.114 first (a
> proxy perhaps), which then sends it onto your MailScanner server? Try
> taking out this rule and see what happens...

My first answer was going to be "they shouldn't hit another server first,
because these are our front line SMTP servers", but as I was writing that I
remembered "no, these are our test servers that are going to become our
front line servers next month". In the meantime, the only machines that
feed them messages are the current production SMTP servers (because their
existence is hidden from the public).

Duh. I was thinking of how they'd work in production without remembering
that that's not reality yet.

I commented this line out, and it all works now.

Thanks :-)

> >From: *@*.ucsc.edu no
> >From: *@ucsc.edu no
> >FromTo: default yes
> >
> >
> >What I want: if it's from our domain/network, don't scan it for spam.
> >             Otherwise, do scan it for spam.
> >
> >What I'm getting: nothing is getting scanned for spam.
> >        (but, when I just had "yes" instead of a rule file, spam scanning was
> >        doing just fine)
> >
> >
> >What have I done wrong?

From adkinss at OHIO.EDU Wed Feb 5 18:57:20 2003
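Why the first rule in the ruleset posted in the "Rule Problem" message switched spam checks off for all mail, as an added example that is not part of any list message and is not MailScanner's own code. It assumes first-match-wins evaluation with `default` as the fallback, and that a numeric `From:` pattern is compared with the address of the SMTP client that handed over the message; the function names, IP addresses and mail addresses are constructed.

```python
import fnmatch
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    direction: str  # "From", "To" or "FromTo"
    pattern: str    # address glob, numeric IP prefix, or "default"
    value: str      # "yes" or "no"


def parse_rules(text):
    """Parse 'Direction: pattern value' lines, ignoring blanks and # comments."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        direction, pattern, value = line.split()
        rules.append(Rule(direction.rstrip(":"), pattern, value))
    return rules


def rule_matches(rule, sender, recipient, client_ip):
    if rule.pattern[0].isdigit():
        # Assumption: a numeric pattern is a prefix test on the IP address of
        # the SMTP client that delivered the message to this server, which is
        # not necessarily where the message entered the site.
        return rule.direction in ("From", "FromTo") and client_ip.startswith(rule.pattern)
    candidates = []
    if rule.direction in ("From", "FromTo"):
        candidates.append(sender)
    if rule.direction in ("To", "FromTo"):
        candidates.append(recipient)
    return any(fnmatch.fnmatchcase(a.lower(), rule.pattern.lower()) for a in candidates)


def spam_checks(rules, sender, recipient, client_ip):
    """Return (value, deciding rule); the first matching rule wins."""
    default = None
    for rule in rules:
        if rule.pattern == "default":
            default = rule
        elif rule_matches(rule, sender, recipient, client_ip):
            return rule.value, rule
    return (default.value if default else None), default


# The ruleset as posted, and the same ruleset with the IP rule commented out.
POSTED = parse_rules("""
From:   128.114.       no
From:   *@*.ucsc.edu   no
From:   *@ucsc.edu     no
FromTo: default        yes
""")
FIXED = parse_rules("""
# From: 128.114.       no
From:   *@*.ucsc.edu   no
From:   *@ucsc.edu     no
FromTo: default        yes
""")

# Constructed test data: an outside sender, and two possible delivering hosts.
OUTSIDE_SENDER = "someone@example.net"
RECIPIENT = "user@ucsc.edu"
DIRECT_IP = "203.0.113.7"    # outside host connecting straight to the scanner
RELAY_IP = "128.114.0.10"    # internal production relay in front of the scanner

if __name__ == "__main__":
    for label, rules, ip in [("posted, direct", POSTED, DIRECT_IP),
                             ("posted, relayed", POSTED, RELAY_IP),
                             ("fixed, relayed", FIXED, RELAY_IP)]:
        value, rule = spam_checks(rules, OUTSIDE_SENDER, RECIPIENT, ip)
        print(f"{label:16} spam checks = {value:3} (decided by {rule.pattern})")
```

When every message arrives through an internal relay, the client address always falls inside the exempted network, so an exemption keyed on it covers outside mail as well.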
From: adkinss at OHIO.EDU (Scott Adkins)
Date: Thu Jan 12 21:17:08 2006
Subject: Sophos and Corrupt Files
In-Reply-To: <5.2.0.9.2.20030205171136.02d459f8@imap.ecs.soton.ac.uk>
References: <5.2.0.9.2.20030205171136.02d459f8@imap.ecs.soton.ac.uk>
Message-ID: <671415424.1044453440@Callisto>

--On Wednesday, February 05, 2003 5:16 PM +0000 Julian Field wrote:

> What version of Sophos are you running?

Running version 3.66.

> The "corrupt" errors seem to disappear with 3.66 (i.e. the very latest off
> the web). I have seen 3.62 - 3.65 complain about documents that 3.66 is
> perfectly happy with. And the fact that absolutely no-one except Sophos
> users are having any corrupted file problems does slightly point the
> finger at Sophos. Maybe when asked to disinfect a file that it thinks is
> corrupt, it damages it? Just a thought.

Sophos just released a 3.66a version of their product. Apparently, this
version fixes a bunch of issues with PDF documents, especially when the PDF
document contains errors or does anything with the .z libraries. I was told
that Sophos should better handle PDF documents in general with that release.
This version is not available on their web site right now, but they did give
me a direct link for download. I am in the process of installing it, so I
will let you know what happens.

As far as Sophos vs the rest of the world goes, there is no doubt that this
is a Sophos issue, namely, Sophos is having problems scanning the document,
and if it can't scan it, it claims it is corrupt. I have more information
about this below. However, this also doesn't mean that MailScanner shouldn't
allow me the option of allowing these documents through anyways, much like
how external MIME attachments are handled.

> I know Sophos are blaming me for this problem.
> But it strikes me as very odd that only Sophos users are having file
> corruption problems...
> And I can't reproduce it in Sophos 3.66.

The only blame Sophos is placing on MailScanner is the fact that if for some
reason Sophos can't scan the file, MailScanner automatically assumes it is a
virus. They provided a bunch of reasons why this may be the case:

  1) A header in a file may be corrupted... such as an EXE file that says
     it is something else or just happens to be invalid.

  2) Excel and Word documents may have locked forms, locked/password
     protected cells, etc. Apparently, the UNIX versions of Sophos have
     problems with Microsoft documents that do forms/cell locking and
     password protection. They are in the process of trying to fix this,
     but they have to apparently write extra code for UNIX, since they
     don't have access to the same API calls that happen to be built into
     Windows that do the same things... That is the basic gist. We have
     tried to duplicate this with Excel ourselves, and I have yet to cause
     a document to get flagged as corrupt... I will probably have to ask
     them for a sample document.

  3) PDF files with errors in them or PDF files that used the libz library
     caused problems. This issue in particular should be dealt with more
     cleanly in 3.66a. However, this problem is probably not completely
     solved.

  4) We were told that there were actually about 15 different reasons why
     a document couldn't be scanned... I couldn't write them down fast
     enough. We emailed them asking for a complete list. I can post here
     if anyone is interested.

They also told us that Sophos has the ability to send back extended error
codes as to the reason why it couldn't scan the document. I was told that
"sweep -eec" would do that. This is far better than seeing just the error
message of "(corrupt)". However, I don't know what all changes when using
that option... I am going to play with it today.

Ideally, we would like to distinguish out of those 15 possible reasons which
cases should allow the message through (maybe with a message report attached
describing that the message wasn't scanned and what they can do to change
that) and which cases should automatically deny the message from getting
through. For example, if we see an error that is "(password protected
document)" or something like that, we can just pass the document on to the
user with a warning about the attachment not being scanned and if they want
it scanned to have the sender remove the password protection from the
document and resend. Since I don't know what all the error messages could
be, I don't know if any of them would be more harmful if simply passed
through untouched.

Anyways, that is what I know so far.

Scott

> At 15:50 05/02/2003, you wrote:
>> Julian,
>>
>> I know we have had considerable discussion on this topic already, and I
>> need to find some resolution to it.
>>
>> The issue seems to be that users are sending documents via attachments
>> that get flagged as corrupt by Sophos and labeled as a virus in
>> MailScanner. So far, all the documents I have managed to get my hands on
>> indicate that these documents are indeed in some way corrupt. Most of
>> the time, I can't even open the documents myself on my desktop.
>> Periodically, I can find a PDF document that appears to open and look
>> fine without generating any errors, but scanning it with Sophos
>> indicates that the PDF is corrupt. This isn't necessarily untrue, as all
>> of the PDF tools that I have at my disposal (conversion utilities to
>> convert to postscript format, or other programs that can open and view
>> the document) also say that the document is corrupt and refuse to do
>> anything with it... It just happens to be that Adobe Acrobat Reader was
>> forgiving enough in that particular case to allow me to view it
>> successfully.
>>
>> So, I see two problems here:
>>
>>   1) Sophos is very strict in following the document format standards, and
>>      if the document doesn't follow that standard, it says that it can't
>>      scan the document and labels it corrupt. I do not know how strict
>>      Sophos is on this, but most of the documents I have found do indeed
>>      have problems when trying to open them up with whatever standard
>>      software installed on my machine.
>>
>>      Incidentally, Sophos claims that it couldn't find the start *and*
>>      end of the document and that is why it claims it can't scan the
>>      document. I really don't believe this claim. The errors I typically
>>      see when opening the documents myself are things like invalid
>>      variable names, etc. This could be the result of a newer version of
>>      document formats that Sophos doesn't yet understand, or non-standard
>>      software used to create those documents to begin with.
>>
>>   2) When Sophos comes back and says that the document couldn't be scanned
>>      for whatever reason, MailScanner simply labels the file as a virus
>>      and moves on. I don't agree with this, as I think the administrator
>>      is the one that should decide how to handle these situations. This
>>      is no different than how external MIME attachments are handled, since
>>      those attachments can't be scanned by the virus scanner as well.
>>
>> What are the solutions to this problem?
>>
>>   1) Sophos probably should be a lot less restrictive when scanning some
>>      document formats. Aren't virus patterns determined by the patterns
>>      themselves and not how closely a PDF document adheres to Adobe's
>>      format standards? If you don't see the virus patterns, shouldn't
>>      you say the document is clean? We are going to generate a support
>>      call to them on this later this morning.
>>
>>   2) MailScanner should give us the option to allow documents that are
>>      unable to be scanned by the virus scanner through. We are getting a
>>      lot of calls about this now to our Support Center, and it is being
>>      pushed through the higher ranks. We are an educational institution,
>>      and what we think may be the right answer (i.e. no external MIME
>>      attachments, do filename checking, etc etc), politics dictate the
>>      policies. Anyways, I think we need an option in the config file to
>>      allow these documents through.
>>
>> Thanks,
>> Scott
>> --
>> +-----------------------------------------------------------------------+
>>  Scott W. Adkins                http://www.cns.ohiou.edu/~sadkins/
>>  UNIX Systems Engineer          mailto:adkinss@ohio.edu
>>  ICQ 7626282     Work (740)593-9478     Fax (740)593-1944
>> +-----------------------------------------------------------------------+
>>      PGP Public Key available at
>>      http://www.cns.ohiou.edu/~sadkins/pgp/
>
> --
> Julian Field
> www.MailScanner.info
> MailScanner thanks transtec Computers for their support

--
+-----------------------------------------------------------------------+
 Scott W. Adkins                http://www.cns.ohiou.edu/~sadkins/
 UNIX Systems Engineer          mailto:adkinss@ohio.edu
 ICQ 7626282     Work (740)593-9478     Fax (740)593-1944
+-----------------------------------------------------------------------+
     PGP Public Key available at http://www.cns.ohiou.edu/~sadkins/pgp/

From mailscanner at ecs.soton.ac.uk Wed Feb 5 20:01:02 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:08 2006
Subject: Sophos and Corrupt Files
In-Reply-To: <671415424.1044453440@Callisto>
References: <5.2.0.9.2.20030205171136.02d459f8@imap.ecs.soton.ac.uk> <5.2.0.9.2.20030205171136.02d459f8@imap.ecs.soton.ac.uk>
Message-ID: <5.2.0.9.2.20030205195814.02989e60@imap.ecs.soton.ac.uk>

Many thanks for all that, it has given me some topics to think about.

I don't suppose they gave a reason as to why they never discuss these issues
with me?
I have asked to become a Sophos "partner" but have been ignored. They just
don't want to talk to me, but are happy to blame me for problems caused by
MailScanner/Sophos interaction.

It doesn't exactly help :-(
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From adkinss at OHIO.EDU Wed Feb 5 19:04:20 2003
From: adkinss at OHIO.EDU (Scott Adkins)
Date: Thu Jan 12 21:17:08 2006
Subject: Sophos and Corrupt Files
In-Reply-To: <007401c2cd36$7764ad90$9801a8c0@home.middlefinger.net>
References: <007401c2cd36$7764ad90$9801a8c0@home.middlefinger.net>
Message-ID: <671835528.1044453860@Callisto>

That may be, but that isn't the case for us. I don't know what you mean
with respect to "HP Digital Senders". Is that an application that somehow
generates the PDF documents on the fly? If that is the case, then I would
say that it would make sense that you would have zero defects with a LOT of
PDFs, especially if they all come from a single source that generates valid
PDF documents.

We are a University environment with all kinds of software installed on all
kinds of machines. Lots of applications can now save directly to PDF format
and I don't believe that all of them would necessarily follow the Adobe
specifications to the tee... I imagine some of the cheaper products would
cheat here and there, and maybe even some products would inject their own
additions to the format in hopes of making the PDF documents work or look
better in their products. *shrugs*

The point is, we do see them here. On the grand scheme of things, the
number of corrupted documents is a small number compared to the number of
documents that are fine and scan properly... but the ones that scan fine
aren't the ones that complain to our Support Center. It further doesn't
help when I can take some of these documents and look at them fine with
Acrobat Reader, but any other PDF tool won't even touch them... From the
perspective of the users (who mostly use Reader around here), the file
is okay and not corrupted, but the emails are saying they contain viruses
(and they don't seem to read what the message actually says, which says
the document is corrupt). They see the {Virus?} in the subject line and
basically freak out. *shakes head*

Anyways, maybe the newer version of Sophos (3.66a) will help.
Scott

--On Wednesday, February 05, 2003 10:48 AM -0600 Mike Kercher wrote:

> I have zero defects with .pdf documents going through my servers and we
> do a LOT of pdf's with HP Digital Senders all over the place.
>
> Mike

--
+-----------------------------------------------------------------------+
 Scott W. Adkins                http://www.cns.ohiou.edu/~sadkins/
 UNIX Systems Engineer          mailto:adkinss@ohio.edu
 ICQ 7626282     Work (740)593-9478     Fax (740)593-1944
+-----------------------------------------------------------------------+
     PGP Public Key available at http://www.cns.ohiou.edu/~sadkins/pgp/

From mike at CAMAROSS.NET Wed Feb 5 20:42:26 2003
From: mike at CAMAROSS.NET (Mike Kercher)
Date: Thu Jan 12 21:17:08 2006
Subject: Sophos and Corrupt Files
In-Reply-To: <671835528.1044453860@Callisto>
Message-ID: <00af01c2cd57$18cea580$9801a8c0@home.middlefinger.net>

A Digital Sender is a piece of hardware that takes a document, scans it in
either color or black and white and emails it as either a pdf or tif
document. HP Digital Sender 9100C is the part number.

Mike

From mike at CAMAROSS.NET Wed Feb 5 21:04:00 2003
From: mike at CAMAROSS.NET (Mike Kercher)
Date: Thu Jan 12 21:17:08 2006
Subject: Sophos and Corrupt Files
In-Reply-To: <671835528.1044453860@Callisto>
Message-ID: <00b501c2cd5a$1b515160$9801a8c0@home.middlefinger.net>

Sorry for the short answer...I was in the middle of a water change in my
aquarium.

You bring up some very valid points. One of our environments is an
accounting firm and pdf's are a must. All of our documents are either
generated in-house by the Digital Sender or the full blown Acrobat product.
In my own experience, I have created a few pdf's with lesser products, but
have yet to have a failure from it. I can certainly understand your
position though...not having a standardized routine for generating a pdf
could certainly produce unexpected and less than favorable results. I was
just throwing my $0.02 out there.

Mike

From mailscanner at ecs.soton.ac.uk Wed Feb 5 21:04:18 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:09 2006
Subject: Sophos and Corrupt Files
In-Reply-To: <671835528.1044453860@Callisto>
References: <007401c2cd36$7764ad90$9801a8c0@home.middlefinger.net> <007401c2cd36$7764ad90$9801a8c0@home.middlefinger.net>
Message-ID: <5.2.0.9.2.20030205210057.029e7f68@imap.ecs.soton.ac.uk>

At 19:04 05/02/2003, you wrote:
>The point is, we do see them here. On the grand scheme of things, the
>number of corrupted documents is a small number compared to the number of
>documents that are fine and scan properly... but the ones that scan fine
>aren't the ones that complain to our Support Center. It further doesn't
>help when I can take some of these documents and look at them fine with
>Acrobat Reader, but any other PDF tool won't even touch them... From the
>perspective of the users (who mostly use Reader around here), the file
>is okay and not corrupted, but the emails are saying they contain viruses
>(and they don't seem to read what the message actually says, which says
>the document is corrupt). They see the {Virus?} in the subject line and
>basically freak out. *shakes head*
>
>Anyways, maybe the newer version of Sophos (3.66a) will help.
>
>-----Original Message-----
>>From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On >>Behalf Of Scott Adkins >> >> 2) When Sophos comes back and says that the document couldn't be scanned >> for whatever reason, MailScanner simply labels the file as a virus >>and moves on. I don't agree with this, as I think the administrator >>is the one that should decide how to handle these situations. This >>is no different than how external MIME attachments are handled, since >> those attachments can't be scanned by the virus scanner as well. >> >>What are the solutions to this problem? >> >> 2) MailScanner should give us the option to allow documents that are >> unable to be scanned by the virus scanner through. We are getting a >> lot of calls about this now to our Support Center, and it is being >> pushed through the higher ranks. We are an educational institution, >> and what we think may be the right answer (i.e. no external MIME >> attachments, do filename checking, etc etc), politics dictate the >> policies. Anyways, I think we need an option in the config file to >> allow these documents through. Please try 3.66a to see if it improves things. But if you want a list of allowable words to appear in the brackets after the attachment name, just for Sophos use, then I could add that for you. It would probably be a patch to start with, so you can try it out. I would really like to see a resolution to this problem too :-) Let me know what you think. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From adkinss at OHIO.EDU Wed Feb 5 20:25:06 2003 
From: adkinss at OHIO.EDU (Scott Adkins)
Date: Thu Jan 12 21:17:09 2006
Subject: Sophos and Corrupt Files
In-Reply-To: <5.2.0.9.2.20030205195814.02989e60@imap.ecs.soton.ac.uk>
References: <5.2.0.9.2.20030205195814.02989e60@imap.ecs.soton.ac.uk>
Message-ID: <676681346.1044458706@Callisto>

--On Wednesday, February 05, 2003 8:01 PM +0000 Julian Field wrote:

> Many thanks for all that, it has given me some topics to think about.

No problem... any new developments will be passed along...

> I don't suppose they gave a reason as to why they never discuss these
> issues with me?
> I have asked to become a Sophos "partner" but have been ignored. They just
> don't want to talk to me, but are happy to blame me for problems caused by
> MailScanner/Sophos interaction.

No, they don't say anything, but we don't ask either... We could ask them if they are planning on forming a partnership with you sometime down the road and see what they say.

Thanks,
Scott

> It doesn't exactly help :-(
> --
> Julian Field
> www.MailScanner.info
> MailScanner thanks transtec Computers for their support

--
+-----------------------------------------------------------------------+
 Scott W. Adkins   http://www.cns.ohiou.edu/~sadkins/
 UNIX Systems Engineer   mailto:adkinss@ohio.edu
 ICQ 7626282   Work (740)593-9478   Fax (740)593-1944
+-----------------------------------------------------------------------+
 PGP Public Key available at http://www.cns.ohiou.edu/~sadkins/pgp/

From mailscanner at ecs.soton.ac.uk Wed Feb 5 21:53:18 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:09 2006
Subject: Sophos and Corrupt Files
In-Reply-To: <676681346.1044458706@Callisto>
References: <5.2.0.9.2.20030205195814.02989e60@imap.ecs.soton.ac.uk> <5.2.0.9.2.20030205195814.02989e60@imap.ecs.soton.ac.uk>
Message-ID: <5.2.0.9.2.20030205213033.02445ae0@imap.ecs.soton.ac.uk>

At 20:25 05/02/2003, you wrote:
>--On Wednesday, February 05, 2003 8:01 PM +0000 Julian Field
> wrote:
>
>>Many thanks for all that, it has given me some topics to think about.
>
>No problem... any new developments will be passed along...
>
>>I don't suppose they gave a reason as to why they never discuss these
>>issues with me?
>>I have asked to become a Sophos "partner" but have been ignored. They just
>>don't want to talk to me, but are happy to blame me for problems caused by
>>MailScanner/Sophos interaction.
>
>No, they don't say anything, but we don't ask either... We could ask
>them if they are planning on forming a partnership with you sometime
>down the road and see what they say.

That would be helpful, thanks. I would hope Sophos and I are in a position to be able to help each other.

In the mean time, see what happens with the enclosed patches. One to ConfigDefs.pl, one to SweepViruses.pm and one to MailScanner.conf.

Please can only the people immediately involved with this problem try these out, I haven't had much of a chance to test this out, and it may not be needed in the end anyway.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: SweepViruses.pm.patch
Type: application/octet-stream
Size: 968 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030205/07a6f52b/SweepViruses.pm.obj
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ConfigDefs.pl.patch Type: application/octet-stream Size: 658 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030205/07a6f52b/ConfigDefs.pl.obj -------------- next part -------------- A non-text attachment was scrubbed... Name: MailScanner.conf.patch Type: application/octet-stream Size: 666 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030205/07a6f52b/MailScanner.conf.obj -------------- next part -------------- -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From jrudd at UCSC.EDU Wed Feb 5 22:24:10 2003 From: jrudd at UCSC.EDU (John Rudd) Date: Thu Jan 12 21:17:09 2006 Subject: Sophos and Corrupt Files Message-ID: <200302052224.h15MOA927491@kzin.ucsc.edu> > From: Julian Field > > I would hope Sophos and I are in a position to be able to help each other. > They may consider you to be competition, though. When we were getting together our anti-virus solution this time last year, they said "buy SAVI from us, and we'll give our mail gateway for it for free". But, instead, we went with mailscanner. It wasn't a loss for them in our case, because they would have been giving it to us for free ... but how many sales for their mail gateway have they lost because you have a free thing in a similar market niche? (and theirs might not do spam stuff) That might be why they're not very helpful to you. From acragg-lists at CTF.COM Wed Feb 5 22:32:56 2003 
From: acragg-lists at CTF.COM (Alan Cragg) Date: Thu Jan 12 21:17:09 2006 Subject: Sophos and Corrupt Files In-Reply-To: <200302052224.h15MOA927491@kzin.ucsc.edu> Message-ID: <00f301c2cd66$8784a290$8947a8c0@ctf.com> First time poster but felt I must chime in on this one. We had never even considered SOPHOS until after using MailScanner (which is a great program), they should be giving you a cut of the sales because we probably would have stayed with Symantec if not for MailScanner. IMHO Alan Cragg -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of John Rudd Sent: Wednesday, February 05, 2003 2:24 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Sophos and Corrupt Files > From: Julian Field > > I would hope Sophos and I are in a position to be able to help each other. > They may consider you to be competition, though. When we were getting together our anti-virus solution this time last year, they said "buy SAVI from us, and we'll give our mail gateway for it for free". But, instead, we went with mailscanner. It wasn't a loss for them in our case, because they would have been giving it to us for free ... but how many sales for their mail gateway have they lost because you have a free thing in a similar market niche? (and theirs might not do spam stuff) That might be why they're not very helpful to you. From adkinss at OHIO.EDU Wed Feb 5 21:55:25 2003 
From: adkinss at OHIO.EDU (Scott Adkins)
Date: Thu Jan 12 21:17:09 2006
Subject: Sophos and Corrupt Files
In-Reply-To: <5.2.0.9.2.20030205210057.029e7f68@imap.ecs.soton.ac.uk>
References: <5.2.0.9.2.20030205210057.029e7f68@imap.ecs.soton.ac.uk>
Message-ID: <682099887.1044464125@Callisto>

--On Wednesday, February 05, 2003 9:04 PM +0000 Julian Field wrote:

> Please try 3.66a to see if it improves things.

Okay, initial testing shows that the PDF documents that I have still come back as corrupted. *shrugs* I guess these are more problematic docs than Sophos can deal with. Did you ever get those PDF files from that guy that offered them to anyone that wanted to check them out?

> But if you want a list of allowable words to appear in the brackets after
> the attachment name, just for Sophos use, then I could add that for you.
> It would probably be a patch to start with, so you can try it out.
>
> I would really like to see a resolution to this problem too :-)

I tried out the -eec option. It appears to only affect the exit status of sophos, but does not change the output of the text in any way... this means it still says "(corrupt)". I do notice that the PDF documents no longer have sophos exiting with a return code of 2, but rather an 8. We just got a list of exit codes from one of their techs (shorter than what they told us on the phone), and they are below:

> EEC style:
>  0  No errors or viruses
>  8  Survivable errors encountered
> 12  Compressed files found and decompressed
> 16  Compressed files found and not decompressed
> 20  Viruses found and disinfected
> 24  Viruses found and not disinfected
> 28  Viruses found memory
> 32  Integrity check failed
> 36  Unsurvivable errors encountered
> 40  Scan interrupted

Basically, this is as clear as mud :) We have requested more information on what these mean. Looking at the above, it isn't even clear how exit code of 12 is exactly an error... And there is nothing in there indicating that a file had a corrupted header, or the file was password protected, or there was a locked form cell, or whatever the nature of the problem is. So, I am not sure how much this is going to help.

Anyways, we are still trying to get information from them about it.

Thanks,
Scott

--
+-----------------------------------------------------------------------+
 Scott W. Adkins   http://www.cns.ohiou.edu/~sadkins/
 UNIX Systems Engineer   mailto:adkinss@ohio.edu
 ICQ 7626282   Work (740)593-9478   Fax (740)593-1944
+-----------------------------------------------------------------------+
 PGP Public Key available at http://www.cns.ohiou.edu/~sadkins/pgp/

From mailscanner at ecs.soton.ac.uk Wed Feb 5 23:05:01 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:09 2006
Subject: Sophos and Corrupt Files
In-Reply-To: <200302052224.h15MOA927491@kzin.ucsc.edu>
Message-ID: <5.2.0.9.2.20030205230356.029d6058@imap.ecs.soton.ac.uk>

At 22:24 05/02/2003, you wrote:
> > From: Julian Field
> > I would hope Sophos and I are in a position to be able to help each other.
>
>They may consider you to be competition, though. When we were getting
>together our anti-virus solution this time last year, they said "buy
>SAVI from us, and we'll give our mail gateway for it for free". But,
>instead, we went with mailscanner. It wasn't a loss for them in our
>case, because they would have been giving it to us for free ... but
>how many sales for their mail gateway have they lost because you have
>a free thing in a similar market niche? (and theirs might not do spam
>stuff)

I would hope that I made them more sales in extra SAVI licences than I cost them in lost MailMonitor sales. But maybe not :-)
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From Q.G.Campbell at NEWCASTLE.AC.UK Thu Feb 6 10:40:10 2003
From: Q.G.Campbell at NEWCASTLE.AC.UK (Quentin Campbell)
Date: Thu Jan 12 21:17:09 2006
Subject: Spam.whitelist.rules file question
Message-ID: <08AC2E825474534ABB2D6EDB643FC7F8199B5E@bond.ncl.ac.uk>

> -----Original Message-----
> From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK]
> Sent: 30 January 2003 12:28
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: Spam.whitelist.rules file question
>
>
> At 12:21 30/01/2003, you wrote:
> >So you are saying that he needed to put 194.205.110.133 instead or in
> >addition to?
>
> Instead.
>
> Normally the thing in the rule is (a pattern matching) the
> email address. But if it doesn't contain any letters, it
> interprets it as (a pattern matching) the IP address.
>

Julian

Is the ~MailScanner/etc/rules/EXAMPLES file correct?

In its "Spam WhiteList" examples it gives:

From: 123.234. yes
From: /^192\.168\.6[4567]/ yes

Assuming the first line specifies a Class B address range then that pattern should allow for 123.234.xxx.xxx addresses to be whitelisted.

If the second line specifies a Class C address range then that pattern should allow for 192.168.64.xxx addresses (say) but as there is no terminating "." would that pattern work as expected? That is, I think it should read:

From: /^192\.168\.6[4567]\./ yes

Quentin
---
PHONE: +44 191 222 8209   Computing Service, University of Newcastle
FAX: +44 191 222 8765   Newcastle upon Tyne, United Kingdom, NE1 7RU.
------------------------------------------------------------------------
"Any opinion expressed above is mine. The University can get its own."

From mailscanner at ecs.soton.ac.uk Thu Feb 6 11:05:56 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:09 2006
Subject: Spam.whitelist.rules file question
In-Reply-To: <08AC2E825474534ABB2D6EDB643FC7F8199B5E@bond.ncl.ac.uk>
Message-ID: <5.2.0.9.2.20030206110428.0251ae00@imap.ecs.soton.ac.uk>

At 10:40 06/02/2003, you wrote:
> > -----Original Message-----
> > From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK]
> > Sent: 30 January 2003 12:28
> > To: MAILSCANNER@JISCMAIL.AC.UK
> > Subject: Re: Spam.whitelist.rules file question
> >
> >
> > At 12:21 30/01/2003, you wrote:
> > >So you are saying that he needed to put 194.205.110.133 instead or in
> > >addition to?
> >
> > Instead.
> >
> > Normally the thing in the rule is (a pattern matching) the
> > email address. But if it doesn't contain any letters, it
> > interprets it as (a pattern matching) the IP address.
> >
>
>Julian
>
>Is the ~MailScanner/etc/rules/EXAMPLES file correct?
>
>In its "Spam WhiteList" examples it gives:
>
>From: 123.234. yes
>From: /^192\.168\.6[4567]/ yes
>
>Assuming the first line specifies a Class B address range then that
>pattern should allow for 123.234.xxx.xxx addresses to be whitelisted.
>
>If the second line specifies a Class C address range then that pattern
>should allow for 192.168.64.xxx addresses (say) but as there is no
>terminating "." would that pattern work as expected? That is, I think it
>should read:
>
>From: /^192\.168\.6[4567]\./ yes

You can add the "\." if you like, but no 3-digit (or more) number starting with a 6 is less than 256 anyway, so you can't have an IP address that is, for example, 192.168.641.123. But yes, having the "\." makes it a bit clearer, I'll change the docs.
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From Q.G.Campbell at NEWCASTLE.AC.UK Thu Feb 6 11:21:55 2003
From: Q.G.Campbell at NEWCASTLE.AC.UK (Quentin Campbell)
Date: Thu Jan 12 21:17:09 2006
Subject: Spam.whitelist.rules file question
Message-ID: <08AC2E825474534ABB2D6EDB643FC7F8199B71@bond.ncl.ac.uk>

> -----Original Message-----
> From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK]
> Sent: 06 February 2003 11:06
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: Spam.whitelist.rules file question
>[snip]
> >I think it should read:
> >
> >From: /^192\.168\.6[4567]\./ yes
>
> You can add the "\." if you like, but no 3-digit (or more)
> number starting with a 6 is less than 256 anyway, so you
> can't have an IP address that is, for example,
> 192.168.641.123. But yes, having the "\." makes it a bit
> clearer, I'll change the docs.

OK, Thanks. A more realistic example to use is (say):

From: /^192\.100\.13[67]\./ yes

Quentin

From mailscanner at ecs.soton.ac.uk Thu Feb 6 11:42:47 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:09 2006
Subject: Spam.whitelist.rules file question
In-Reply-To: <08AC2E825474534ABB2D6EDB643FC7F8199B71@bond.ncl.ac.uk>
Message-ID: <5.2.0.9.2.20030206114212.028ee508@imap.ecs.soton.ac.uk>

At 11:21 06/02/2003, you wrote:
> > -----Original Message-----
> > From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK]
> > Sent: 06 February 2003 11:06
> > To: MAILSCANNER@JISCMAIL.AC.UK
> > Subject: Re: Spam.whitelist.rules file question
> >[snip]
> > >I think it should read:
> > >
> > >From: /^192\.168\.6[4567]\./ yes
> >
> > You can add the "\." if you like, but no 3-digit (or more)
> > number starting with a 6 is less than 256 anyway, so you
> > can't have an IP address that is, for example,
> > 192.168.641.123. But yes, having the "\." makes it a bit
> > clearer, I'll change the docs.
>
>OK, Thanks. A more realistic example to use is (say):
>
>From: /^192\.100\.13[67]\./ yes

I have put in /^192\.168\.1[4567]\./ as that really does need the dot to work as intended.
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From P.G.M.Peters at civ.utwente.nl Thu Feb 6 13:19:02 2003
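The point settled in the whitelist exchange above (which of the quoted rules really need the trailing `\.`), as an added example that is not part of any list post or of MailScanner itself: it enumerates every valid third octet each rule accepts and reports the ones beyond the intended range. Python's `re` stands in for MailScanner's Perl matching, and the helper names, the prefix handling of a bare pattern such as `123.234.`, and the "without dot" variant of the last rule are assumptions made for the illustration.

```python
import re


def parse_rule(line):
    """Split a ruleset line of the form 'From: <pattern> <value>' into parts."""
    field, pattern, value = line.split()
    if re.search(r"[A-Za-z]", pattern):
        # Per the thread, a pattern containing letters is matched against the
        # e-mail address instead, which this audit does not cover.
        raise ValueError("not an IP rule: " + pattern)
    if len(pattern) > 2 and pattern.startswith("/") and pattern.endswith("/"):
        rx = re.compile(pattern[1:-1])
    else:
        # Assumption: a bare numeric pattern matches the start of the address.
        rx = re.compile("^" + re.escape(pattern))
    return field.rstrip(":"), rx, value


def third_octets(rule, first_two):
    """Every third octet X (0-255) for which <first_two>.X.1 matches the rule."""
    _, rx, _ = parse_rule(rule)
    return [x for x in range(256) if rx.search(f"{first_two}.{x}.1")]


def overmatch(rule, first_two, intended):
    """Third octets the rule whitelists beyond the ones the admin meant."""
    wanted = set(intended)
    return [x for x in third_octets(rule, first_two) if x not in wanted]


# Rules from the thread with the third octets each is meant to cover.
# The second-to-last entry is constructed: the final rule with its dot removed.
THREAD_RULES = [
    (r"From: /^192\.168\.6[4567]/ yes", "192.168", range(64, 68)),
    (r"From: /^192\.168\.6[4567]\./ yes", "192.168", range(64, 68)),
    (r"From: /^192\.100\.13[67]\./ yes", "192.100", range(136, 138)),
    (r"From: /^192\.168\.1[4567]/ yes", "192.168", range(14, 18)),
    (r"From: /^192\.168\.1[4567]\./ yes", "192.168", range(14, 18)),
]


def audit(rules=THREAD_RULES):
    """Return (rule, unintended third octets) for every rule."""
    return [(rule, overmatch(rule, net, meant)) for rule, net, meant in rules]


if __name__ == "__main__":
    for rule, extra in audit():
        if extra:
            verdict = f"also whitelists third octets {extra[0]}-{extra[-1]}"
        else:
            verdict = "matches only the intended networks"
        print(f"{rule:40} {verdict}")
```
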
From: P.G.M.Peters at civ.utwente.nl (Peter Peters) Date: Thu Jan 12 21:17:09 2006 Subject: F-Prot successfully updated. Message-ID: I get this message in my log every hour. I didn't believe F-Prot updated their files this often so I started f-prot-autoupdate by hand. Even when it reports "Nothing to be done." I get "F-Prot successfully updated." Could the logging be changed to show whether a real update has taken place or not? I tried this patch: |~> diff -u /usr/lib/MailScanner/f-prot-autoupdate . |--- /usr/lib/MailScanner/f-prot-autoupdate 2003-02-01 14:50:09.000000000 +0100 |+++ ./f-prot-autoupdate 2003-02-06 14:18:02.000000000 +0100 |@@ -219,7 +219,11 @@ | CleanTempDir(); | &UnlockFProt(); | Sys::Syslog::openlog("F-Prot autoupdate", 'pid, nowait', 'mail'); |-Sys::Syslog::syslog('info', "F-Prot successfully updated."); |+if ($updated) { |+ Sys::Syslog::syslog('info', "F-Prot successfully updated."); |+} else { |+ Sys::Syslog::syslog('info', "F-Prot didn't need updating."); |+} | Sys::Syslog::closelog(); | exit 0; (| added to keep long lines long) -- Peter Peters senior netwerkbeheerder Centrum voor InformatieTechnologie, Bibliotheek en Educatie Universiteit Twente, Postbus 217, 7500 AE Enschede telefoon: +31 53 489 2301, fax:+31 53 489 2383, http://www.utwente.nl/civ From mailscanner at ecs.soton.ac.uk Thu Feb 6 14:46:15 2003 
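Review bot: the new `if ($updated)` test relies on a variable that the single hunk shown neither declares nor sets, so the patch is only correct if the script already maintains `$updated` somewhere above line 219. If it does not, every run falls through to the `else` branch and logs "F-Prot didn't need updating." even after a real update (or the script fails to compile if it runs under `use strict`). Suggest adding a hunk that initialises `$updated` to 0 near the top and sets it to 1 at the point where new definition files are actually installed, so the log line reflects what happened.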
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:09 2006 Subject: F-Prot successfully updated. In-Reply-To: Message-ID: <5.2.0.9.2.20030206144537.02ed8200@imap.ecs.soton.ac.uk> Good idea. Changed for the next release. I used a slightly more concise syntax than you but the effect is the same. At 13:19 06/02/2003, you wrote: >I get this message in my log every hour. I didn't believe F-Prot updated >their files this often so I started f-prot-autoupdate by hand. Even when >it reports "Nothing to be done." I get "F-Prot successfully updated." > >Could the logging be changed to show whether a real update has taken >place or not? > >I tried this patch: >|~> diff -u /usr/lib/MailScanner/f-prot-autoupdate . >|--- /usr/lib/MailScanner/f-prot-autoupdate 2003-02-01 >14:50:09.000000000 +0100 >|+++ ./f-prot-autoupdate 2003-02-06 14:18:02.000000000 +0100 >|@@ -219,7 +219,11 @@ >| CleanTempDir(); >| &UnlockFProt(); >| Sys::Syslog::openlog("F-Prot autoupdate", 'pid, nowait', 'mail'); >|-Sys::Syslog::syslog('info', "F-Prot successfully updated."); >|+if ($updated) { >|+ Sys::Syslog::syslog('info', "F-Prot successfully updated."); >|+} else { >|+ Sys::Syslog::syslog('info', "F-Prot didn't need updating."); >|+} >| Sys::Syslog::closelog(); >| exit 0; > >(| added to keep long lines long) > >-- >Peter Peters senior netwerkbeheerder >Centrum voor InformatieTechnologie, Bibliotheek en Educatie >Universiteit Twente, Postbus 217, 7500 AE Enschede >telefoon: +31 53 489 2301, fax:+31 53 489 2383, http://www.utwente.nl/civ -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From jaearick at COLBY.EDU Thu Feb 6 15:09:22 2003 
From: jaearick at COLBY.EDU (Jeff A. Earickson) Date: Thu Jan 12 21:17:09 2006 Subject: Sophos and Corrupt Files In-Reply-To: <5.2.0.9.2.20030205230356.029d6058@imap.ecs.soton.ac.uk> References: <5.2.0.9.2.20030205230356.029d6058@imap.ecs.soton.ac.uk> Message-ID: Julian, Back in April of 2002, I found MailScanner because the gang at Sophos recommended it to me after I complained about aspects of Mailmonitor that I didn't like (the fact that it wants to control port 25 instead of sendmail; I want sendmail to have first crack at incoming email, then virus-scanning downstream from there). Their recommendation answered all of my prayers and I bought a SAVI license to use Sophos with MailScanner. MailScanner clearly has MailMonitor beat on technical merits, but I'll bet that you *have* sold a lot of SAVI licenses for them. If Sophos had any sense, they would drop MailMonitor and support your efforts 100%. You have the better mousetrap. I'm copying my Sophos salesperson on this, in case she is listening... ----------------------------------- Jeff A. Earickson, Ph.D Senior UNIX Sysadmin and Email Guru Information Technology Services Colby College, 4214 Mayflower Hill, Waterville ME, 04901-8842 phone: 207-872-3659 (fax = 3076) ----------------------------------- On Wed, 5 Feb 2003, Julian Field wrote: > Date: Wed, 5 Feb 2003 23:05:01 +0000 > From: Julian Field > Reply-To: MailScanner mailing list > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Sophos and Corrupt Files > > At 22:24 05/02/2003, you wrote: 
> > > From: Julian Field > > > I would hope Sophos and I are in a position to be able to help each other. > > > >They may consider you to be competition, though. When we were getting > >together our anti-virus solution this time last year, they said "buy > >SAVI from us, and we'll give our mail gateway for it for free". But, > >instead, we went with mailscanner. It wasn't a loss for them in our > >case, because they would have been giving it to us for free ... but > >how many sales for their mail gateway have they lost because you have > >a free thing in a similar market niche? (and theirs might not do spam > >stuff) > > I would hope that I made them more sales in extra SAVI licences than I cost > them in lost MailMonitor sales. But maybe not :-) > -- > Julian Field > www.MailScanner.info > MailScanner thanks transtec Computers for their support > From adkinss at OHIO.EDU Thu Feb 6 15:03:01 2003 
From: adkinss at OHIO.EDU (Scott Adkins)
Date: Thu Jan 12 21:17:09 2006
Subject: Sophos and Corrupt Files
In-Reply-To: <5.2.0.9.2.20030205213033.02445ae0@imap.ecs.soton.ac.uk>
References: <5.2.0.9.2.20030205213033.02445ae0@imap.ecs.soton.ac.uk>
Message-ID: <743755844.1044525781@Callisto>

Julian,

The patches worked great... so, for the time being, anything that comes from Sophos labeled as "corrupt" will be passed through. Obviously, this isn't an ideal solution and we will continue to push on Sophos to get better error messages returned from the attempted scans and to be more tolerant of documents that may not fully follow the format specifications.

Thanks!
Scott

--On Wednesday, February 05, 2003 9:53 PM +0000 Julian Field wrote:

> At 20:25 05/02/2003, you wrote:
>> --On Wednesday, February 05, 2003 8:01 PM +0000 Julian Field
>> wrote:
>>
>>> Many thanks for all that, it has given me some topics to think about.
>>
>> No problem... any new developments will be passed along...
>>
>>> I don't suppose they gave a reason as to why they never discuss these
>>> issues with me?
>>> I have asked to become a Sophos "partner" but have been ignored. They
>>> just don't want to talk to me, but are happy to blame me for problems
>>> caused by MailScanner/Sophos interaction.
>>
>> No, they don't say anything, but we don't ask either... We could ask
>> them if they are planning on forming a partnership with you sometime
>> down the road and see what they say.
>
> That would be helpful, thanks. I would hope Sophos and I are in a position
> to be able to help each other.
>
> In the mean time, see what happens with the enclosed patches. One to
> ConfigDefs.pl, one to SweepViruses.pm and one to MailScanner.conf.
>
> Please can only the people immediately involved with this problem try
> these out, I haven't had much of a chance to test this out, and it may
> not be needed in the end anyway.

--
+-----------------------------------------------------------------------+
 Scott W. Adkins   http://www.cns.ohiou.edu/~sadkins/
 UNIX Systems Engineer   mailto:adkinss@ohio.edu
 ICQ 7626282   Work (740)593-9478   Fax (740)593-1944
+-----------------------------------------------------------------------+
 PGP Public Key available at http://www.cns.ohiou.edu/~sadkins/pgp/

From ryanb at INTERSOFTCORP.COM Thu Feb 6 16:28:59 2003
From: ryanb at INTERSOFTCORP.COM (Ryan Bingham)
Date: Thu Jan 12 21:17:09 2006
Subject: House of Commons and Clearswift MAILsweeper
Message-ID: <91D099333AA74D42B0C75BE0BEF096831A8673@access4.intersoft.com>

I apologize to the list if this is considered an off-topic post, but I couldn't help myself. Below is a link to a recent article in the Register that describes the House of Commons amusing difficulties with another anti-spam program:

http://www.theregister.co.uk/content/6/29199.html

Julian, this would be a perfect opportunity to suggest to the Commons that they use MailScanner!

By the way, keep up the outstanding work! It is much appreciated out here.

Ryan Bingham
Director, Information Technology
American Association of Collegiate Registrars and Admissions Officers
One Dupont Circle, NW, Suite 520
Washington, DC 20036-1135
Tel: (202) 293-9161 x6204
Fax: (202) 872-8857
www.aacrao.org

From sean at NISD.NET Thu Feb 6 16:38:34 2003
From: sean at NISD.NET (Sean Embry) Date: Thu Jan 12 21:17:09 2006 Subject: McAfee-autoupdate Message-ID: Dear list members, If you are using McAfee, please remember to edit /usr/lib/MailScanner/mcafee-autoupdate and put your contact information in for the ftp session. Change my($ftppassword) to your contact details. My updates had been failing, but when I changed this on a hunch, it worked. Do I have to do the "Doh!" slap now? (grin!) From mailscanner at ecs.soton.ac.uk Thu Feb 6 16:41:41 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:09 2006 Subject: House of Commons and Clearswift MAILsweeper In-Reply-To: <91D099333AA74D42B0C75BE0BEF096831A8673@access4.intersoft.c om> Message-ID: <5.2.0.9.2.20030206164044.0487c168@imap.ecs.soton.ac.uk> At 16:28 06/02/2003, you wrote: >I apologize to the list if this is considered an off-topic post, but I >couldn't help myself. Below is a link to a recent article in the Register >that describes the House of Commons amusing difficulties with another >anti-spam program: > >http://www.theregister.co.uk/content/6/29199.html > > >Julian, this would be a perfect opportunity to suggest to the Commons that >they use MailScanner! Don't worry, beat you to it. Did it last night. Once you know the email address format for MP's it is very easy :-) >By the way, keep up the outstanding work! It is much appreciated out here. Thanks! Keep spreading the word... -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From chicks at CHICKS.NET Thu Feb 6 16:49:15 2003 From: chicks at CHICKS.NET (Christopher Hicks) Date: Thu Jan 12 21:17:09 2006 Subject: Sophos and Corrupt Files In-Reply-To: <5.2.0.9.2.20030205230356.029d6058@imap.ecs.soton.ac.uk> Message-ID: On Wed, 5 Feb 2003, Julian Field wrote: > At 22:24 05/02/2003, you wrote: 
> > > From: Julian Field > > > I would hope Sophos and I are in a position to be able to help each other. > > > >They may consider you to be competition, though. When we were getting > >together our anti-virus solution this time last year, they said "buy > >SAVI from us, and we'll give our mail gateway for it for free". But, > >instead, we went with mailscanner. It wasn't a loss for them in our > >case, because they would have been giving it to us for free ... but > >how many sales for their mail gateway have they lost because you have > >a free thing in a similar market niche? (and theirs might not do spam > >stuff) > > I would hope that I made them more sales in extra SAVI licences than I cost > them in lost MailMonitor sales. But maybe not :-) When I was talking to them and telling them that we were interested in using sophos in conjunction with mailscanner, their sales people didn't seem to have any trouble saying good things about mailscanner and the mailscanner-sophos combination. Of course their educational pricing would have eaten about 30% of the IT budget for some of the small educational orgs I was hoping to use it for, so it never worked out. -- "Never offend people with style when you can offend them with substance." - Sam Brown From mailscanner at ecs.soton.ac.uk Thu Feb 6 16:54:19 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:09 2006 Subject: Sophos and Corrupt Files In-Reply-To: References: <5.2.0.9.2.20030205230356.029d6058@imap.ecs.soton.ac.uk> Message-ID: <5.2.0.9.2.20030206165238.048dcdf8@imap.ecs.soton.ac.uk> At 16:49 06/02/2003, you wrote: >On Wed, 5 Feb 2003, Julian Field wrote: > > At 22:24 05/02/2003, you wrote: 
> > > > From: Julian Field > > > > I would hope Sophos and I are in a position to be able to help each > other. > > > > > >They may consider you to be competition, though. When we were getting > > >together our anti-virus solution this time last year, they said "buy > > >SAVI from us, and we'll give our mail gateway for it for free". But, > > >instead, we went with mailscanner. It wasn't a loss for them in our > > >case, because they would have been giving it to us for free ... but > > >how many sales for their mail gateway have they lost because you have > > >a free thing in a similar market niche? (and theirs might not do spam > > >stuff) > > > > I would hope that I made them more sales in extra SAVI licences than I cost > > them in lost MailMonitor sales. But maybe not :-) > >When I was talking to them and telling them that we were interested in >using sophos in conjunction with mailscanner, their sales people didn't >seem to have any trouble saying good things about mailscanner and the >mailscanner-sophos combination. Of course their educational pricing would >have eaten about 30% of the IT budget for some of the small educational >orgs I was hoping to use it for, so it never worked out. But some of their sales people have never heard of it, and some of their tech support staff blame it by default. I really don't understand them. MessageLabs are much more polite (so far :-) I haven't yet read the small print in their licence, but RAV sell their Linux version for about $29 or something silly like that! I doubt anyone can beat that on price (except Clam of course)! -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From tjc at ecs.soton.ac.uk Thu Feb 6 16:48:36 2003 
From: tjc at ecs.soton.ac.uk (Tim Chown) Date: Thu Jan 12 21:17:09 2006 Subject: House of Commons and Clearswift MAILsweeper In-Reply-To: <5.2.0.9.2.20030206164044.0487c168@imap.ecs.soton.ac.uk> References: <91D099333AA74D42B0C75BE0BEF096831A8673@access4.intersoft.com> <5.2.0.9.2.20030206164044.0487c168@imap.ecs.soton.ac.uk> Message-ID: <20030206164836.GA20702@login.ecs.soton.ac.uk> On Thu, Feb 06, 2003 at 04:41:41PM +0000, Julian Field wrote: > > > >Julian, this would be a perfect opportunity to suggest to the Commons that > >they use MailScanner! > > Don't worry, beat you to it. Did it last night. Once you know the email > address format for MP's it is very easy :-) Hmm, so you spam them to tell them how to avoid spam? :) Tim From mailscanner at ecs.soton.ac.uk Thu Feb 6 17:07:28 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:09 2006 Subject: House of Commons and Clearswift MAILsweeper In-Reply-To: <20030206164836.GA20702@login.ecs.soton.ac.uk> References: <5.2.0.9.2.20030206164044.0487c168@imap.ecs.soton.ac.uk> <91D099333AA74D42B0C75BE0BEF096831A8673@access4.intersoft.com> <5.2.0.9.2.20030206164044.0487c168@imap.ecs.soton.ac.uk> Message-ID: <5.2.0.9.2.20030206170612.04885ad0@imap.ecs.soton.ac.uk> At 16:48 06/02/2003, you wrote: >On Thu, Feb 06, 2003 at 04:41:41PM +0000, Julian Field wrote: > > > > > >Julian, this would be a perfect opportunity to suggest to the Commons that > > >they use MailScanner! > > > > Don't worry, beat you to it. Did it last night. Once you know the email > > address format for MP's it is very easy :-) > >Hmm, so you spam them to tell them how to avoid spam? :) There are 4 people in the House of Commons that are worth talking to about this stuff, anyway :-) Shame Paddy Ashdown retired, really, he was always really up to date on all this sort of thing. He could quite easily have held down a night job as a PC sysadmin! -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From adkinss at OHIO.EDU Thu Feb 6 17:20:48 2003 
From: adkinss at OHIO.EDU (Scott Adkins)
Date: Thu Jan 12 21:17:09 2006
Subject: Sophos and Corrupt Files
In-Reply-To:
References:
Message-ID: <752021950.1044534047@Callisto>

Even though I have been complaining about the corrupt file issues from Sophos and MailScanner's interaction with that, I wanted to make clear that Sophos has never badmouthed MailScanner to us... I think their tendency is to believe the problem is elsewhere and not necessarily with their own product, and that isn't exactly badmouthing.

When we first contacted Sophos, we were using MIMEDefang for our spam checking. The guys we talked to hadn't really heard of MIMEDefang. We were told that they primarily used MailScanner. (I am surprised about that, since MailMonitor is something they sell, and I didn't even hear about that until recently on *this* mailing list!) They suggested we give MailScanner a try; meanwhile, they were going to look at MIMEDefang to see what kind of support it had for Sophos and maybe get support put in if it didn't have any. The following day, we switched to MailScanner and have been using it ever since. We never even heard of MailScanner until they suggested it to us, and look at us now, it is what we use.

When did this all happen? Right at the turn of the year... they were very *very* anxious for us to buy into Sophos, since it was the end of their fiscal year and us buying the license from them meant that our sales rep was going to get a nice promotion. (Apparently, he did and he has since showered us with shirts and cups... :->)

In any case, yeah, we are having some problems with the corrupt issue thing, but they don't seem to be unwilling to work with us at all, and all our calls seem to land us with a programming engineer in order to get our questions answered correctly. In the end, this isn't as bad as it could be, and I don't want to be the one that implied it was...

Julian: You have a fine product... keep up the good work!
Scott --On Thursday, February 06, 2003 9:01 AM -0800 Steve Evans wrote: > Same here. I don't think I had even heard of Sophos until MailScanner > came into my life. We were a NAI shop before that with WebShield > (***shudder***) > > Steve Evans > SDSU Foundation > (619) 594-0653 > > > -----Original Message----- > From: Alan Cragg [mailto:acragg-lists@CTF.COM] > Sent: Wednesday, February 05, 2003 2:33 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Sophos and Corrupt Files > > > First time poster but felt I must chime in on this one. > We had never even considered SOPHOS until after using MailScanner (which > is a great program), they should be giving you a cut of the sales > because we probably would have stayed with Symantec if not for > MailScanner. > > IMHO > > Alan Cragg > > -----Original Message----- > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On > Behalf Of John Rudd > Sent: Wednesday, February 05, 2003 2:24 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Sophos and Corrupt Files 
> >> From: Julian Field >> >> I would hope Sophos and I are in a position to be able to help each > other. >> > > They may consider you to be competition, though. When we were getting > together our anti-virus solution this time last year, they said "buy > SAVI from us, and we'll give our mail gateway for it for free". But, > instead, we went with mailscanner. It wasn't a loss for them in our > case, because they would have been giving it to us for free ... but how > many sales for their mail gateway have they lost because you have a free > thing in a similar market niche? (and theirs might not do spam > stuff) > > That might be why they're not very helpful to you. -- +-----------------------------------------------------------------------+ Scott W. Adkins http://www.cns.ohiou.edu/~sadkins/ UNIX Systems Engineer mailto:adkinss@ohio.edu ICQ 7626282 Work (740)593-9478 Fax (740)593-1944 +-----------------------------------------------------------------------+ PGP Public Key available at http://www.cns.ohiou.edu/~sadkins/pgp/ From dbowen1 at MAC.COM Thu Feb 6 19:14:44 2003
From: dbowen1 at MAC.COM (Daniel Bowen)
Date: Thu Jan 12 21:17:09 2006
Subject: Strange unlabeled sendmail NOQUEUE errors, and a Thankyou
Message-ID: <8208511.1044558884230.JavaMail.dbowen1@mac.com>

Hello All,

Mailscanner seems to be doing a very nice job scanning for viruses and spam. The administration here at Oak Ridge Schools is very pleased, and the rumors of MS Exchange servers have died down. Thank you Julian et al.

However, I am still having concerns about this strange NOQUEUE error sendmail puts in the mail.log every time MailScanner executes, no matter how many messages in the batch. Here is a sample log entry, please let me know if you have any advice.

Thanks,
Dan Bowen
Oak Ridge Schools

Feb 6 14:05:55 mail sendmail[25263]: h16J5t95025263: from=, size=2989, class=0, nrcpts=1, msgid=, proto=SMTP, daemon=MTA, relay=orhs-5613.orhs.ortn.edu [66.4.195.145]
Feb 6 14:05:55 mail sendmail[25263]: h16J5t95025263: to=, delay=00:00:00, mailer=esmtp, pri=30518, stat=queued
Feb 6 14:05:55 mail MailScanner[17255]: New Batch: Scanning 1 messages, 3465 bytes
Feb 6 14:05:55 mail MailScanner[17255]: Spam Checks: Starting
Feb 6 14:05:58 mail MailScanner[17255]: Virus and Content Scanning: Starting
Feb 6 14:05:58 mail MailScanner[17255]: Uninfected: Delivered 1 messages
Feb 6 14:05:58 mail sendmail[25271]: NOQUEUE: 0: fl=0x0, mode=20666: CHR: dev=2/9302996, ino=43122180, nlink=1, u/gid=0/0, size=0
Feb 6 14:05:58 mail sendmail[25271]: NOQUEUE: 1: fl=0x0, mode=100644: dev=14/5, ino=3124312, nlink=1, u/gid=0/0, size=9717
Feb 6 14:05:58 mail sendmail[25271]: NOQUEUE: 3: fl=0x2, mode=140000: SOCK [0]->[[UNIX: /var/run/syslog]]

From Kevin.Spicer at BMRB.CO.UK Thu Feb 6 19:57:09 2003
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin)
Date: Thu Jan 12 21:17:09 2006
Subject: Multiple scanners
Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0A32CFE@pascal.priv.bmrb.co.uk>

I'm experimenting with using two virus scanners & I'm not sure whether it's working as intended (just not as expected) or whether something weird is going on.

My home machine is running f-prot and clam (MS 4.10), and has been for some time. When I send eicar through it I get a virus warning (to postmaster) with a one line report for each scanner. This is fine (although I wish it said which scanner was talking on each line).

The machine I've just built at work is running MS 4.12 with sophos and clam (I've been pleased with my experience of clam at home and am really just trying it in the hopes it will provide some level of protection in the period between the sophos updates screwing up and someone noticing and fixing them). However this machine only produces the single line of Sophos output in the postmaster alert (although the mail logs show that Clam is spotting the virus too).

Does anyone know whether this has changed between 4.10 and 4.12, or whether this is due to MailScanner handling different scanners differently, or whether it's something else...?

BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000
_________________________________________________________________
This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business.

From gary.morgan at ASYNCHRONY.COM Thu Feb 6 21:13:15 2003
From: gary.morgan at ASYNCHRONY.COM (Gary Morgan)
Date: Thu Jan 12 21:17:09 2006
Subject: local addresses and file name rules
Message-ID: <1044565995.2658.40.camel@windu.asynchrony.com>

Hello all,

Is it possible to block attachments via filename rules EXCEPT if it comes from a specific domain headed for a specific name (ie FROM: user1@abc123.com TO: user2@abc123.com)?

Basically I want to skip the file extension checking for internal only email. Can this be done?

TIA,
Gary Morgan

--
This message has been scanned for viruses and dangerous content by MailScanner at asynchrony.com, and is believed to be clean.

From hden at KCBBS.GEN.NZ Thu Feb 6 23:22:13 2003
From: hden at KCBBS.GEN.NZ (Hendrik den Hartog)
Date: Thu Jan 12 21:17:09 2006
Subject: Changes in Conf
In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB0A32CFE@pascal.priv.bmrb.co.uk>; from Kevin.Spicer@BMRB.CO.UK on Thu, Feb 06, 2003 at 07:57:09PM -0000
References: <5C0296D26910694BB9A9BBFC577E7AB0A32CFE@pascal.priv.bmrb.co.uk>
Message-ID: <20030207122213.A25823@mew.kcbbs.gen.nz>

Hello

Is there any shortcut/easy way to merge changes [additions] in the MailScanner.conf file?

If not, is it possible to Mark additions [in the conf file] between versions so they can be easily identified and cut-n-pasted into the config being used?

Or is my lazy attitude out of line here

From a *very* satisfied MS user
Cheers!
Hendrik

From paul.hamilton at sme-ecom.co.uk Thu Feb 6 23:13:42 2003
From: paul.hamilton at sme-ecom.co.uk (Paul Hamilton) Date: Thu Jan 12 21:17:09 2006 Subject: Plain Text issue Message-ID: <000b01c2ce35$644dbd00$fc32000a@4> Hi all, Taking that we are continual tweakers and fiddlers, this could well be something we've done. If we send an email with 'Eicar' or a 'VBS' attachment as a test from our machines with Outlook 2000 in 'Plain Text' mode, when it arrives back through MS we get the correct notices, but what is worrying the recipient's notice has the eicar or VBS file still attached, It does not contain any viruswarning.txt attachments and the warning message in the body is missing. We're at MS 4.10-1 I'm sure this is something we've done? Has anybody the original syntax for the 'inline.warning.txt' so we can compare and see whether we have altered something that is causing this problem. Many thanks Paul H. From mkettler at EVI-INC.COM Thu Feb 6 23:33:44 2003 
From: mkettler at EVI-INC.COM (Matt Kettler)
Date: Thu Jan 12 21:17:09 2006
Subject: Changes in Conf
In-Reply-To: <20030207122213.A25823@mew.kcbbs.gen.nz>
References: <5C0296D26910694BB9A9BBFC577E7AB0A32CFE@pascal.priv.bmrb.co.uk> <5C0296D26910694BB9A9BBFC577E7AB0A32CFE@pascal.priv.bmrb.co.uk>
Message-ID: <5.1.1.6.0.20030206182955.01e76fa0@192.168.50.2>

I suspect that diff and patch are the friends you are seeking. Just keep an "unmodified" MailScanner.conf around.

diff MailScanner.conf MailScanner.conf.orig

you can then hand copy the diffs in, or dump the diff output to a file and use patch to auto-apply them (might fail in some cases, but it's worth a shot).

At 12:22 PM 2/7/2003 +1300, Hendrik den Hartog wrote:
>Hello
>
> Is there any shortcut/easy way to merge changes [additions] in
> the MailScanner.conf file?
>
> If not, is it possible to Mark additions [in the conf file]
> between versions so they can be easily identified and
> cut-n-pasted into the config being used?
>
> Or is my lazy attitude out of line here
>
>
>From a *very* satisfied MS user
>Cheers!
>Hendrik

From mailscanner at ecs.soton.ac.uk Fri Feb 7 09:08:32 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:09 2006
Subject: local addresses and file name rules
In-Reply-To: <1044565995.2658.40.camel@windu.asynchrony.com>
Message-ID: <5.2.0.9.2.20030207090421.04fa1e78@imap.ecs.soton.ac.uk>

At 21:13 06/02/2003, you wrote:
>Hello all,
>
>Is it possible to block attachments via filename rules EXCEPT if it
>comes from a specific domain headed for a specific name (ie FROM:
>user1@abc123.com TO: user2@abc123.com)?
>
>Basically I want to skip the file extension checking for internal only
>email. Can this be done?

Yes.
Create another filename rules file containing

    allow . - -

which will allow *everything*. Call it
/etc/MailScanner/filename.rules.allow.conf

Then in MailScanner.conf put this:

    Filename Rules = /etc/MailScanner/rules/filename.rules.rules

(that filename needs to end in .rule or .rules or it can't work out what it is).

In /etc/MailScanner/rules/filename.rules.rules put this

    FromAndTo: *@abc123.com /etc/MailScanner/filename.rules.allow.conf
    FromOrTo: default /etc/MailScanner/filename.rules.conf

The first line matches all mail whose from *and* to addresses are in abc123.com, and gives the "allow all" set of rules. The second line provides the default set of rules, for everyone else.
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Fri Feb 7 09:02:36 2003
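The ruleset selection described in the filename-rules reply above, modelled as an added example; it is not part of the original post and not MailScanner's own code. It assumes first-match-wins evaluation with `default` as the fallback, `*` as the only wildcard, case-insensitive comparison and one recipient per lookup; the sample messages and relay addresses are constructed.

```python
import re

ALLOW = "/etc/MailScanner/filename.rules.allow.conf"
DEFAULT = "/etc/MailScanner/filename.rules.conf"

# Ruleset text from the reply (the file named by "Filename Rules =").
RULESET = f"""\
FromAndTo: *@abc123.com {ALLOW}
FromOrTo:  default      {DEFAULT}
"""

DIRECTIONS = ("from", "to", "fromorto", "fromandto")


def is_ruleset_path(path):
    """Per the reply, a ruleset file name must end in .rule or .rules."""
    return path.endswith((".rule", ".rules"))


def parse_ruleset(text):
    """Return a list of (direction, pattern, value) tuples."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 2)
        if len(fields) != 3:
            raise ValueError(f"line {lineno}: expected 'Direction: pattern value'")
        direction = fields[0].rstrip(":").lower()
        if direction not in DIRECTIONS:
            raise ValueError(f"line {lineno}: unknown direction {fields[0]!r}")
        rules.append((direction, fields[1], fields[2]))
    return rules


def address_matches(pattern, address):
    """Whole-address match where '*' stands for any run of characters."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, address, re.IGNORECASE) is not None


def select_file(rules, sender, recipient):
    """Pick the filename-rules file for one sender/recipient pair.

    Assumption of this model: the first matching rule wins and the
    'default' entry is used only when nothing else matched.
    """
    fallback = None
    for direction, pattern, value in rules:
        if pattern.lower() == "default":
            fallback = fallback or value
            continue
        s = address_matches(pattern, sender)
        r = address_matches(pattern, recipient)
        hit = {"from": s, "to": r, "fromorto": s or r, "fromandto": s and r}
        if hit[direction]:
            return value
    return fallback


# Constructed messages. "relay" is where the message arrived from; the
# ruleset above never looks at it, only at the two addresses.
MESSAGES = [
    {"relay": "10.0.0.5", "sender": "user1@abc123.com", "recipient": "user2@abc123.com"},
    {"relay": "192.0.2.10", "sender": "user1@abc123.com", "recipient": "user2@abc123.com"},
    {"relay": "192.0.2.10", "sender": "news@example.org", "recipient": "user2@abc123.com"},
    {"relay": "10.0.0.5", "sender": "user1@abc123.com", "recipient": "friend@example.org"},
]


def audit(rules, messages):
    """Return (relay, sender, recipient, selected file) for each message."""
    return [
        (m["relay"], m["sender"], m["recipient"],
         select_file(rules, m["sender"], m["recipient"]))
        for m in messages
    ]


if __name__ == "__main__":
    for row in audit(parse_ruleset(RULESET), MESSAGES):
        print("%-11s %-18s -> %-20s %s" % row)
```

The first two constructed messages select the allow-all file even though they arrive from different relays, because the `FromAndTo:` rule is decided by the two addresses alone and SMTP does not authenticate the sender address.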
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:09 2006 Subject: Sophos and Corrupt Files In-Reply-To: <752021950.1044534047@Callisto> References: Message-ID: <5.2.0.9.2.20030207090106.04fa7020@imap.ecs.soton.ac.uk> At 17:20 06/02/2003, you wrote: >Even though I have been complaining about the corrupt file issues from >Sophos and MailScanner's interaction with that, I wanted to make clear >that Sophos has never badmouthed MailScanner to us... I think their >tendency is to believe the problem is elsewhere and not necessarily with >their own product, and that isn't exactly badmouthing. That explains their position rather better than I knew it before. I still wish they would forward possible MailScanner problems to me. >When did this all happen? Right at the turn of the year... they were >very *very* anxious for us to buy into Sophos, since it was the end of >their fiscal year and us buying the license from them meant that our >sales rep was going to get a nice promotion. (Apparently, he did and >he has since showered us with shirts and cups... :->) More than I ever got... >In any the case, yeah, we are having some problems with the corrupt >issue thing, but they don't seem to be unwilling to work with us at all, >and all our calls seems to land us with a programming engineer in order >to get our quesions answered correctly. In the end, this isn't as bad >as it could be, and I don't want to be the one that implied it was... > >Juilian: You have a fine product... keep up the good work! Cheers! >Scott > >--On Thursday, February 06, 2003 9:01 AM -0800 Steve Evans > wrote: > >>Same here. I don't think I had even heard of Sophos until MailScanner >>came into my life. We were a NAI shop before that with WebShield >>(***shudder***) >> >>Steve Evans >>SDSU Foundation >>(619) 594-0653 >> >> >>-----Original Message----- 
>>From: Alan Cragg [mailto:acragg-lists@CTF.COM] >>Sent: Wednesday, February 05, 2003 2:33 PM >>To: MAILSCANNER@JISCMAIL.AC.UK >>Subject: Re: Sophos and Corrupt Files >> >> >>First time poster but felt I must chime in on this one. >>We had never even considered SOPHOS until after using MailScanner (which >>is a great program), they should be giving you a cut of the sales >>because we probably would have stayed with Symantec if not for >>MailScanner. >> >>IMHO >> >>Alan Cragg >> >>-----Original Message----- >>From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On >>Behalf Of John Rudd >>Sent: Wednesday, February 05, 2003 2:24 PM >>To: MAILSCANNER@JISCMAIL.AC.UK >>Subject: Re: Sophos and Corrupt Files >> >>>From: Julian Field >>> >>>I would hope Sophos and I are in a position to be able to help each >>other. >> >>They may consider you to be competition, though. When we were getting >>together our anti-virus solution this time last year, they said "buy >>SAVI from us, and we'll give our mail gateway for it for free". But, >>instead, we went with mailscanner. It wasn't a loss for them in our >>case, because they would have been giving it to us for free ... but how >>many sales for their mail gateway have they lost because you have a free >>thing in a similar market niche? (and theirs might not do spam >>stuff) >> >>That might be why they're not very helpful to you. > > >-- >+-----------------------------------------------------------------------+ > Scott W. Adkins http://www.cns.ohiou.edu/~sadkins/ > UNIX Systems Engineer mailto:adkinss@ohio.edu > ICQ 7626282 Work (740)593-9478 Fax (740)593-1944 >+-----------------------------------------------------------------------+ > PGP Public Key available at > http://www.cns.ohiou.edu/~sadkins/pgp/ -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From linux at mostert.nom.za Fri Feb 7 10:23:58 2003 
From: linux at mostert.nom.za (Mozzi)
Date: Thu Jan 12 21:17:09 2006
Subject: F-Prot on linux
Message-ID: <200302071223.59571.linux@mostert.nom.za>

Hallo all

I took your previous advice and investigated F-Prot for virus scanning and I like it. Especially the price structure ;-)
Tnx Julian

I just have a couple of pretty much newbie questions to ask.
On the F-Prot products page http://www.f-prot.com/products/fplin.html
They give two versions small business and Enterprise. My understanding is that the enterprise version is the daemon version and small business is the commandline version.

Going by the installation FAQ you do not use the daemon version, so I have to use the small business version?
Is that correct ?

Tnx
Mozzi

From P.G.M.Peters at civ.utwente.nl Fri Feb 7 10:26:44 2003
From: P.G.M.Peters at civ.utwente.nl (Peter Peters)
Date: Thu Jan 12 21:17:09 2006
Subject: F-Prot on linux
In-Reply-To: <200302071223.59571.linux@mostert.nom.za>
References: <200302071223.59571.linux@mostert.nom.za>
Message-ID:

On Fri, 7 Feb 2003 12:23:58 +0200, you wrote:
>Hallo all
>
>I took your previous advice and investigated F-Prot for virus scanning and I
>like it. Especially the price structure ;-)
>Tnx Julian
>
>I just have a couple of pretty much newbie questions to ask.
>On the F-Prot products page http://www.f-prot.com/products/fplin.html
>They give two versions small business and Enterprise. My understanding is that
>the enterprise version is the daemon version and small business is the
>commandline version.

The enterprise version includes both the daemon and the CLI version. If you plan on using the daemon version in the near future (http-proxy scanning) you could go with the enterprise version. Else I would suggest the small business.

--
Peter Peters
senior network administrator
Centrum voor InformatieTechnologie, Bibliotheek en Educatie
Universiteit Twente, Postbus 217, 7500 AE Enschede
telephone: +31 53 489 2301, fax: +31 53 489 2383, http://www.utwente.nl/civ

From linux at mostert.nom.za Fri Feb 7 13:00:52 2003
From: linux at mostert.nom.za (Mozzi)
Date: Thu Jan 12 21:17:09 2006
Subject: tagline/disclaimer
Message-ID: <200302071500.52614.linux@mostert.nom.za>

Hallo again

Last thing that is not completely obvious to me is how do I insert a tagline or disclaimer @ the end of each message.
My current scanning system does that and if it suddenly disappears all my users are going to go ballistic ;-)
If they don't see the disclaimer they reckon that it is not protected.
Now with over 65 000 of them it is going to be hard ;-)

Mozzi

From Kevin.Spicer at BMRB.CO.UK Fri Feb 7 13:16:11 2003
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin) Date: Thu Jan 12 21:17:09 2006 Subject: tagline/disclaimer Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0A32D08@pascal.priv.bmrb.co.uk> Sorry meant to send this to the list not to Mozzi directly! > Use "Sign Clean Messages" and put your disclaimer in > /etc/MailScanner/reports/en/inline.sig.html and > inline.sig.txt (or whatever report dir you are using). > If the same machine handles incoming and outgoing mail you'll > need to make "Sign Clean Messages" a ruleset to only sign > outgoing mail. > If you need to use different disclaimers for different domains > you can make "Inline HTML Signature" and "Inline Text > Signature" rulesets. > > > > -----Original Message----- > > From: Mozzi [mailto:linux@mostert.nom.za] > > Sent: 07 February 2003 13:01 > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: tagline/disclaimer > > > > > > Hallo again > > > > Last thing that is not completely obvious to me is how do I > > insert a tagline > > or disclaimer @ the end of each message. > > My current scanning system does that and if it suddenly > > disappears all my > > users are going to go ballistic ;-) > > If they don't see the disclaimer they recon that it is not > protected. > > Now with over 65 000 of them it is going to be hard ;-) > > > > Mozzi > > > BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 From marco at MUW.EDU Fri Feb 7 14:09:41 2003
From: marco at MUW.EDU (Marco Obaid) Date: Thu Jan 12 21:17:09 2006 Subject: Sophos and Corrupt Files In-Reply-To: <5.2.0.9.2.20030207090106.04fa7020@imap.ecs.soton.ac.uk> References: <5.2.0.9.2.20030207090106.04fa7020@imap.ecs.soton.ac.uk> Message-ID: <1044626981.3e43be2507ccd@webmail.MUW.Edu> Hello All, This is my first post and I just want to write Juilian a note to thank you for this great and wonderful software. I think to many, you are a life saver :) I too would not have considered Sophos in a million years had it not been for your website Juilian. They ought to be extremely happy that your software has attracted many customers to their product. Thank you for a job well done and keep it up !!! Marco ____________________________________________________________ _/ _/ _/ _/ _/ _/ | Marco Obaid _/_/ _/_/ _/ _/ _/ _/ | Network Administrator _/ _/ _/ _/ _/ _/ _/ _/ | McDevitt Hall _/ _/ _/ _/ _/_/ _/_/ | W-Box 1621 _/ _/ _/_/_/ _/ _/ | Columbus MS 39701 ____________________________________________________________ M I S S I S S I P P I U N I V E R S I T Y F O R W O M E N _________________________________________________________________ This mail is sent through MUW Webmail: http://www.MUW.Edu/webmail For the latest MUW Events, visit http://www.MUW.Edu/calendar From Lou.Baccari at HP.COM Fri Feb 7 13:35:14 2003 
From: Lou.Baccari at HP.COM (Baccari, Lou) Date: Thu Jan 12 21:17:09 2006 Subject: Mailscanner / Spamassassin prob w/ spam not being run Message-ID: Hello, I've installed MailScanner on a linux Redhat Server v8.0 and for the most part it appears to be working correctly. I do have this problem with mailscanner not detecting spam mail. I've checked the headers and I see no indication that it scanned for spam. Can you help shed some light on the possible cause to this problem? Lou Versions: mailscanner-4.11-1 spamassassin-2.31-16 ===================== Undetected spam mail ===================== Subject: Dixie Chick fans - EXCLUSIVE Presale Tix + much more from the Chicks! Errors-To: yahoo_delivers_11257154@reply.yahoo.com Reply-To: launch-backstage@yahoo-inc.com Mime-Version: 1.0 Content-Type: text/html; charset="iso-8859-1" Message-Id: <20030206095818.6A7561F52C@postal.hp.com> X-OriginalArrivalTime: 06 Feb 2003 09:58:24.0362 (UTC) FILETIME=[49B51CA0:01C2CDC6] X-MailScanner: Found to be clean Love The Dixie Chicks? Do anything to get access to exclusive pre-sale tickets to their up-coming concert series? Even better, how about front row seats? Then join The Dixie Chicks Official Artist Club! It's the only world-wide artist organization that is exclusively endorsed and participated in by The Dixie Chicks. That means The Dixie Chicks will be offering lots of exclusive and personal stuff you won't find anywhere else including: • pre-sale concert tickets • photo gallery • diary entries • videos • chat • message boards • desktop wallpaper & more So join now and be part of the Dixie Chicks Artist Club. And maybe we'll see you in the front row at their next concert! [but_join_the_club_now.gif] You received this email because you indicated that you wish to receive LAUNCH Backstage. If you no longer wish to receive LAUNCH Backstage, unsubscribe by clicking here. Please note that replying to this email will not unsubscribe you. 
You must click on the link above in order to remove your name from this list. To learn more about Yahoo!'s use of personal information, including the use of web beacons in HTML-based email, please read our Privacy Policy. ================= Undetected Spam mail #2 ====================== Subject: When are your holidays? Date: Wed, 05 Feb 2003 15:19:18 -0300 MiME-Version: 1.0 Content-Type: text/html; charset="iso-8859-1" X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: eGroups Message Poster Importance: Normal X-MailScanner: Found to be clean This site will not cost you a cent. Free sex on the web Pictures, movies, games, chat and most importantly. Webcams, livechat and movies all for nothing, right now for you. Enter to join for nothing right now Lou Baccari lou.baccari@hp.com HP Labs, Hewlett-Packard Company 617-551-7623 From mike at CAMAROSS.NET Fri Feb 7 14:59:31 2003 From: mike at CAMAROSS.NET (Mike Kercher) Date: Thu Jan 12 21:17:09 2006 Subject: Mailscanner / Spamassassin prob w/ spam not being run In-Reply-To: Message-ID: <002a01c2ceb9$85c0ec80$9801a8c0@home.middlefinger.net> You might want to upgrade to a more recent version of SpamAssassin -----Original Message----- 
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Baccari, Lou Sent: Friday, February 07, 2003 7:35 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Mailscanner / Spamassassin prob w/ spam not being run Hello, I've installed MailScanner on a linux Redhat Server v8.0 and for the most part it appears to be working correctly. I do have this problem with mailscanner not detecting spam mail. I've checked the headers and I see no indication that it scanned for spam. Can you help shed some light on the possible cause to this problem? Lou Versions: mailscanner-4.11-1 spamassassin-2.31-16 ===================== Undetected spam mail ===================== Subject: Dixie Chick fans - EXCLUSIVE Presale Tix + much more from the Chicks! Errors-To: yahoo_delivers_11257154@reply.yahoo.com Reply-To: launch-backstage@yahoo-inc.com Mime-Version: 1.0 Content-Type: text/html; charset="iso-8859-1" Message-Id: <20030206095818.6A7561F52C@postal.hp.com> X-OriginalArrivalTime: 06 Feb 2003 09:58:24.0362 (UTC) FILETIME=[49B51CA0:01C2CDC6] X-MailScanner: Found to be clean Love The Dixie Chicks? Do anything to get access to exclusive pre-sale tickets to their up-coming concert series? Even better, how about front row seats? Then join The Dixie Chicks Official Artist Club! It's the only world-wide artist organization that is exclusively endorsed and participated in by The Dixie Chicks. That means The Dixie Chicks will be offering lots of exclusive and personal stuff you won't find anywhere else including: • pre-sale concert tickets • photo gallery • diary entries • videos • chat • message boards • desktop wallpaper & more So join now and be part of the Dixie Chicks Artist Club. And maybe we'll see you in the front row at their next concert! [but_join_the_club_now.gif] You received this email because you indicated that you wish to receive LAUNCH Backstage. If you no longer wish to receive LAUNCH Backstage, unsubscribe by clicking here. 
Please note that replying to this email will not unsubscribe you. You must click on the link above in order to remove your name from this list. To learn more about Yahoo!'s use of personal information, including the use of web beacons in HTML-based email, please read our Privacy Policy. ================= Undetected Spam mail #2 ====================== Subject: When are your holidays? Date: Wed, 05 Feb 2003 15:19:18 -0300 MiME-Version: 1.0 Content-Type: text/html; charset="iso-8859-1" X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: eGroups Message Poster Importance: Normal X-MailScanner: Found to be clean This site will not cost you a cent. Free sex on the web Pictures, movies, games, chat and most importantly. Webcams, livechat and movies all for nothing, right now for you. Enter to join for nothing right now Lou Baccari lou.baccari@hp.com HP Labs, Hewlett-Packard Company 617-551-7623 From mbowman at UDCOM.COM Fri Feb 7 18:49:15 2003 
From: mbowman at UDCOM.COM (Matthew Bowman) Date: Thu Jan 12 21:17:09 2006 Subject: Mailscanner MRTG Message-ID: Hello I am hoping someone from the list can help mailscanner-mrtg questions that I have. 1. The Graphs for Load Average and Server ethernet traffic don't represent the true status of the server. What (if any) config can we change. I am a newbie to MRTG so that's why I'm asking. 2. Is it easy to breakdown the number of spam (deleted, forwarded, bounced, stored etc) within the MRTG reports? Rather than just using the reject=55 from maillog (/etc/mail/access) ? The server is a Dell Poweredge 2550 w/ Dual 933MHZ processors and 1GB memory. The link for reference is http://smithers.vbcomm.net/mailscanner-mrtg Thank you Matthew K Bowman Systems Administrator; Hostmaster; Miva Administrator Universal Digital Communications, Mansfield Ohio. Email: mbowman@udcom.com Web: http://www.udcom.com From Harish.Amin at DEG.STATE.WI.US Fri Feb 7 19:01:16 2003
From: Harish.Amin at DEG.STATE.WI.US (Amin, Harish) Date: Thu Jan 12 21:17:09 2006 Subject: Upgrading SpamAssasin 2.44 Message-ID: <47F3EDACE4BC3A4594D0D7B504062BBD019C6924@doamail04.doa.wistate.us> I am getting this error ...anyone know which module I am missing >CPAN CPAN.pm: Going to build J/JM/JMASON/Mail-SpamAssassin-2.44.tar.gz Checking if your kit is complete... Looks good Writing Makefile for Mail::SpamAssassin /usr/local/bin/perl build/preprocessor -Mvars -DVERSION="2.44" -DPREFIX="/usr/local" -DDEF_RULES_DIR="/usr/local/share/spamassassin" -DLOCAL_RULES_DIR="/etc/mail/spamassassin" -DINSTALLSITELIB="/usr/local/lib/perl5/site_perl/5.8.0" -Msharpbang spamassassin chmod 755 spamassassin /usr/local/bin/perl "-MExtUtils::Command" -e mkpath doc /usr/local/bin/perl build/preprocessor -Mvars -DVERSION="2.44" -DPREFIX="/usr/local" -DDEF_RULES_DIR="/usr/local/share/spamassassin" -DLOCAL_RULES_DIR="/etc/mail/spamassassin" -DINSTALLSITELIB="/usr/local/lib/perl5/site_perl/5.8.0" -Msharpbang spamd/spamd chmod 755 spamd/spamd for f in spamassassin spamd/spamc.pod spamd/spamd lib/Mail/SpamAssassin.pm lib/Mail/SpamAssassin/Conf.pm lib/Mail/SpamAssassin/PerMsgStatus.pm lib/Mail/SpamAssassin/PersistentAddrList.pm ; do \ echo Converting POD in $f; \ pod2html $f > doc/`echo $f | /usr/local/bin/perl -pe \ 's,^(lib|spamd)/|\.(pod|pm)$,,g; tr,/,_,;'`.html ; \ pod2text $f > doc/`echo $f | /usr/local/bin/perl -pe \ 's,^(lib|spamd)/|\.(pod|pm)$,,g; tr,/,_,;'`.txt ; \ done Converting POD in spamassassin sh: pod2html: not found *** Error code 1 make: Fatal error: Command failed for target `doc/.made' /usr/bin/make -- NOT OK Running make test Can't test without successful make Running make install make had returned bad status, install seems impossible - From mailscanner at ecs.soton.ac.uk Fri Feb 7 19:04:25 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:09 2006
Subject: Upgrading SpamAssasin 2.44
In-Reply-To: <47F3EDACE4BC3A4594D0D7B504062BBD019C6924@doamail04.doa.wistate.us>
Message-ID: <5.2.0.9.2.20030207190320.024fda30@imap.ecs.soton.ac.uk>

At 19:01 07/02/2003, you wrote:
>I am getting this error ...anyone know which module I am missing

You are missing the pod2html command. You can do worse than
ln -s pod2man /usr/bin/pod2html
or
ln -s pod2text /usr/bin/pod2html

>
>CPAN
>
>CPAN.pm: Going to build J/JM/JMASON/Mail-SpamAssassin-2.44.tar.gz
>
>Checking if your kit is complete...
>Looks good
>Writing Makefile for Mail::SpamAssassin
>/usr/local/bin/perl build/preprocessor -Mvars -DVERSION="2.44"
>-DPREFIX="/usr/local" -DDEF_RULES_DIR="/usr/local/share/spamassassin"
>-DLOCAL_RULES_DIR="/etc/mail/spamassassin"
>-DINSTALLSITELIB="/usr/local/lib/perl5/site_perl/5.8.0" -Msharpbang
>spamassassin
>chmod 755 spamassassin
>/usr/local/bin/perl "-MExtUtils::Command" -e mkpath doc
>/usr/local/bin/perl build/preprocessor -Mvars -DVERSION="2.44"
>-DPREFIX="/usr/local" -DDEF_RULES_DIR="/usr/local/share/spamassassin"
>-DLOCAL_RULES_DIR="/etc/mail/spamassassin"
>-DINSTALLSITELIB="/usr/local/lib/perl5/site_perl/5.8.0" -Msharpbang
>spamd/spamd
>chmod 755 spamd/spamd
>for f in spamassassin spamd/spamc.pod spamd/spamd lib/Mail/SpamAssassin.pm
>lib/Mail/SpamAssassin/Conf.pm lib/Mail/SpamAssassin/PerMsgStatus.pm
>lib/Mail/SpamAssassin/PersistentAddrList.pm ; do \
> echo Converting POD in $f; \
> pod2html $f > doc/`echo $f | /usr/local/bin/perl -pe \
> 's,^(lib|spamd)/|\.(pod|pm)$,,g; tr,/,_,;'`.html ; \
> pod2text $f > doc/`echo $f | /usr/local/bin/perl -pe \
> 's,^(lib|spamd)/|\.(pod|pm)$,,g; tr,/,_,;'`.txt ; \
>done
>Converting POD in spamassassin
>sh: pod2html: not found
>*** Error code 1
>make: Fatal error: Command failed for target `doc/.made'
> /usr/bin/make -- NOT OK
>Running make test
> Can't test without successful make
>Running make install
> make had returned bad status, install seems impossible
>
>-

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From nicholas_esborn at AFFYMETRIX.COM Fri Feb 7 19:19:34 2003
From: nicholas_esborn at AFFYMETRIX.COM (Nicholas Esborn)
Date: Thu Jan 12 21:17:09 2006
Subject: MailScanner not adding headers
Message-ID: <20030207191934.GC79189@affymetrix.com>

Hello.

I'm a newbie on this list. I'm working on a MailScanner installation for my employer.

I had MailScanner-4.11-1 working well on a RedHat 8.0 machine. I recently upgraded to 4.12-2, but now when mail goes through the system, MailScanner never seems to apply any headers to the message.

It *will* modify the subject line if it detects SPAM or a virus, and it will kill attachments containing viruses, but still no headers.

I merged in the changes to /etc/MailScanner/MailScanner.conf by hand when I upgraded. I've looked at the diffs between my 4.11-1 config and my merged 4.12-2 config, and compared my 4.12-2 to the stock 4.12-2, and I can't see any "Don't Apply Headers" option or other obvious gaffe. :)

Anybody have any suggestions? I'd greatly appreciate any pointers.

Thanks,

-nick

--
Nicholas Esborn
Affymetrix, Inc.

510/428.8505

Every message PGP signed

From mkettler at EVI-INC.COM Fri Feb 7 20:34:14 2003
From: mkettler at EVI-INC.COM (Matt Kettler)
Date: Thu Jan 12 21:17:09 2006
Subject: Mailscanner / Spamassassin prob w/ spam not being run
In-Reply-To: <002a01c2ceb9$85c0ec80$9801a8c0@home.middlefinger.net>
References:
Message-ID: <5.1.1.6.0.20030207152515.017c8a50@192.168.50.2>

Agreed, you almost certainly do NOT want to be running v 2.31. There are VERY significant issues with the default whitelist_from entries in that version. For MailScanner use 2.43, 2.44, or the very-soon-to-be-released 2.45 should work fine. The spamc security bugs in 2.43 are NOT a problem for MailScanner.

(Based on the saDev list 2.45 is going to be a two-patch version spin that fixes an obscure crash bug in 2.44 for spamc type users and makes timeouts for razor checks work better)

However, I don't think that's likely the problem.. did you enable spam checks in your mailscanner.conf? MailScanner will by default NOT use spamassassin unless explicitly told to do so.

I'll admit I'm using an old version of MailScanner, but I don't think the command has changed in mailscanner.conf:

Spam Checks = yes
Use SpamAssassin = yes
Max SpamAssassin Size = 50000

Also, the quoted emails look like you left out most of the message headers. Without full message headers it's hard to say much. Full headers could tell us if the message is even passing through Mailscanner, if mailscanner is calling spamassassin, what score spamassassin is giving, is spamassassin timing out, etc.

At 08:59 AM 2/7/2003 -0600, Mike Kercher wrote:
>You might want to upgrade to a more recent version of SpamAssassin
>
>-----Original Message-----
>
>Hello,
>
> I've installed MailScanner on a linux Redhat Server v8.0 and for the most
>part it appears to be working correctly. I do have this problem with
>mailscanner not detecting spam mail. I've checked the headers and I see no
>indication that it scanned for spam. Can you help shed some light on the
>possible cause to this problem?
>
>Lou
>
>Versions: mailscanner-4.11-1
> spamassassin-2.31-16
>

From Kevin.Spicer at BMRB.CO.UK Sat Feb 8 00:46:10 2003
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin)
Date: Thu Jan 12 21:17:09 2006
Subject: Multiple scanners
Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0A4AD22@pascal.priv.bmrb.co.uk>

Sorry I've cracked this now - turned out the version of clam I had was a bit (well very) old and had a different output format. Latest version fixes that. I saw the message that clam had found an infection, but missed the warnings about the output format - so assumed clam was working as expected. Doh!

> -----Original Message-----
> From: Spicer, Kevin
> Sent: 06 February 2003 19:57
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Multiple scanners
>
>
> I'm experimenting with using two virus scanners & I'm not
> sure whether it's working as intended (just not as expected)
> or whether something weird is going on.
>
> My home machine is running f-prot and clam (MS 4.10), and has
> been for some time. When I send eicar through it I get a
> virus warning (to postmaster) with a one line report for each
> scanner. This is fine (although I wish it said which scanner
> was talking on each line)
>
> The machine I've just built at work is running MS 4.12 with
> sophos and clam (I've been pleased with my experience of clam
> at home and am really just trying it in the hopes it will
> provide some level of protection in the period between the
> sophos updates screwing up and someone noticing and fixing
> them). However this machine only produces the single line of
> Sophos output in the postmaster alert (although the mail logs
> show that Clam is spotting the virus too). Does anyone know
> whether this has changed between 4.10 and 4.12, or whether
> this is due to MailScanner handling different scanners
> differently, or whether it's something else...?
>
>
>
> BMRB International
> http://www.bmrb.co.uk
> +44 (0)20 8566 5000
> _________________________________________________________________
> This message (and any attachment) is intended only for the
> recipient and may contain confidential and/or privileged
> material. If you have received this in error, please contact the
> sender and delete this message immediately. Disclosure, copying
> or other action taken in respect of this email or in
> reliance on it is prohibited. BMRB International Limited
> accepts no liability in relation to any personal emails, or
> content of any email which does not directly relate to our
> business.
>

From henker at SHCOM.US Sat Feb 8 02:04:53 2003
From: henker at SHCOM.US (Steffan Henke)
Date: Thu Jan 12 21:17:09 2006
Subject: Sophos and Corrupt Files
In-Reply-To: <5.2.0.9.2.20030206165238.048dcdf8@imap.ecs.soton.ac.uk>
References: <5.2.0.9.2.20030205230356.029d6058@imap.ecs.soton.ac.uk> <5.2.0.9.2.20030206165238.048dcdf8@imap.ecs.soton.ac.uk>
Message-ID:

On Thu, 6 Feb 2003, Julian Field wrote:
> I haven't yet read the small print in their licence, but RAV sell their
> Linux version for about $29 or something silly like that! I doubt anyone
> can beat that on price (except Clam of course)!

Has anybody done any research on this? I visited their website and could not find any limitations if you plan to use it on a server instead of a desktop. Besides, does anybody have experiences with RAV, eg. compared to f-prot?

Regards,
Steffan

From mailscanner at ecs.soton.ac.uk Sat Feb 8 16:40:22 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:09 2006
Subject: MailScanner not adding headers
In-Reply-To: <20030207191934.GC79189@affymetrix.com>
Message-ID: <5.2.0.9.2.20030208163923.029c2f50@imap.ecs.soton.ac.uk>

Check that
chkconfig --list | grep -i mail
shows sendmail switched off in all runlevels, and MailScanner turned on when it should be.
You might need to do
chkconfig sendmail off
chkconfig MailScanner on
service sendmail stop
service MailScanner restart
and then try it again.

At 19:19 07/02/2003, you wrote:
>Hello.
>
>I'm a newbie on this list. I'm working on a MailScanner installation for
>my employer.
>
>I had MailScanner-4.11-1 working well on a RedHat 8.0 machine. I recently
>upgraded to 4.12-2, but now when mail goes through the system, MailScanner
>never seems to apply any headers to the message.
>
>It *will* modify the subject line if it detects SPAM or a virus, and it
>will kill attachments containing viruses, but still no headers.
>
>I merged in the changes to /etc/MailScanner/MailScanner.conf by hand
>when I upgraded. I've looked at the diffs between my 4.11-1 config and
>my merged 4.12-2 config, and compared my 4.12-2 to the stock 4.12-2, and
>I can't see any "Don't Apply Headers" option or other obvious gaffe. :)
>
>Anybody have any suggestions? I'd greatly appreciate any pointers.
>
>Thanks,
>
>-nick
>
>--
>Nicholas Esborn
>Affymetrix, Inc.
>
>510/428.8505
>
>Every message PGP signed

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From henker at SHCOM.US Sun Feb 9 02:16:36 2003
From: henker at SHCOM.US (Steffan Henke)
Date: Thu Jan 12 21:17:09 2006
Subject: rav not scanning archives by default
Message-ID:

While testing rav against an eicar file wrapped in a .zip, I noticed that rav does not scan archives by default, it needs an additional "-A" parameter.

Regards,
Steffan

From steve at CGPSYSTEMS.COM Sun Feb 9 02:54:45 2003
From: steve at CGPSYSTEMS.COM (Steve Barr)
Date: Thu Jan 12 21:17:09 2006
Subject: Log question
Message-ID: <033d01c2cfe6$9a261550$6e96a8c0@DELL>

I have been looking through my mail logs and found something I don't understand. The following 5 lines are from /var/log/mail.info:

Feb 8 21:22:16 www MailScanner[20264]: New Batch: Found 6 messages waiting
Feb 8 21:22:16 www MailScanner[20264]: New Batch: Scanning 1 messages, 4443 bytes
Feb 8 21:22:16 www MailScanner[20264]: Spam Checks: Starting
Feb 8 21:22:17 www MailScanner[20264]: Virus and Content Scanning: Starting
Feb 8 21:22:19 www MailScanner[20264]: Uninfected: Delivered 1 messages

MailScanner thinks it found 6 messages, scanned 1 and delivered 1. When I check my mail, I received 1 message. Where did the other 5 messages go?

I'm not exactly sure when this started. I scanned back through the logs, and found a similar message on Feb 2nd. I don't think I'm losing messages, because the message volume on the server hasn't changed.

I'm running MailScanner 4.11-1 on Debian Woody with Exim and Sophos.

Steve
(steve at cgpsystems.com)

--
This message has been scanned for viruses and dangerous content by MailScanner,
and is believed to be clean. (MailScanner 4.11-1, 3.66)

From nicholas_esborn at AFFYMETRIX.COM Sun Feb 9 06:36:04 2003
From: nicholas_esborn at AFFYMETRIX.COM (Nicholas Esborn)
Date: Thu Jan 12 21:17:09 2006
Subject: MailScanner not adding headers
In-Reply-To: <5.2.0.9.2.20030208163923.029c2f50@imap.ecs.soton.ac.uk>
References: <5.2.0.9.2.20030208163923.029c2f50@imap.ecs.soton.ac.uk>
Message-ID: <20030209063604.GA2531@affymetrix.com>

I just checked, and it's still not adding headers. It's definitely starting the MailScanner script. It's strange, because the Subject: line will be modified if the scanner detects SPAM or a virus, and MailScanner logs when it scans.

-nick

On Sat, Feb 08, 2003 at 08:40:22AM -0800, Julian Field wrote:
> Check that
> chkconfig --list | grep -i mail
> shows sendmail switched off in all runlevels, and MailScanner turned on
> when it should be.
> You might need to do
> chkconfig sendmail off
> chkconfig MailScanner on
> service sendmail stop
> service MailScanner restart
> and then try it again.
>
> At 19:19 07/02/2003, you wrote:
> >Hello.
> >
> >I'm a newbie on this list. I'm working on a MailScanner installation for
> >my employer.
> >
> >I had MailScanner-4.11-1 working well on a RedHat 8.0 machine. I recently
> >upgraded to 4.12-2, but now when mail goes through the system, MailScanner
> >never seems to apply any headers to the message.
> >
> >It *will* modify the subject line if it detects SPAM or a virus, and it
> >will kill attachments containing viruses, but still no headers.
> >
> >I merged in the changes to /etc/MailScanner/MailScanner.conf by hand
> >when I upgraded. I've looked at the diffs between my 4.11-1 config and
> >my merged 4.12-2 config, and compared my 4.12-2 to the stock 4.12-2, and
> >I can't see any "Don't Apply Headers" option or other obvious gaffe. :)
> >
> >Anybody have any suggestions? I'd greatly appreciate any pointers.
> >
> >Thanks,
> >
> >-nick
> >
> >--
> >Nicholas Esborn
> >Affymetrix, Inc.
> >
> >510/428.8505
> >
> >Every message PGP signed
>
> --
> Julian Field
> www.MailScanner.info
> MailScanner thanks transtec Computers for their support

--
Nicholas Esborn
Affymetrix, Inc.

510/428.8505

Every message PGP signed

From ramon at LINUX-LABS.NET Sun Feb 9 11:13:09 2003
From: ramon at LINUX-LABS.NET (Ramon)
Date: Thu Jan 12 21:17:09 2006
Subject: Spanish HOWTO for Mailscanner 4
Message-ID: <1044789189.370.13.camel@k71400>

Hi,

I've written a howto for sendmail/mailscanner/mcafee/debian in spanish. I think it's quite complete but as always it could be better, for example I'd like a better way to restart sendmail when running with mailscanner (you know there are two sendmail's running) in Debian.

I've also made an init script for mailscanner which I've included in the document.

You can find it here: http://linux-labs.net/docs/SendmailAntivirus.html

Anyway, I hope that someone finds it useful.

C u!
--
Ramon

From mailscanner at ecs.soton.ac.uk Sun Feb 9 12:00:17 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:09 2006
Subject: Log question
In-Reply-To: <033d01c2cfe6$9a261550$6e96a8c0@DELL>
Message-ID: <5.2.0.9.2.20030209115821.02591d68@imap.ecs.soton.ac.uk>

At 02:54 09/02/2003, you wrote:
>I have been looking through my mail logs and found something I don't
>understand. The following 5 lines are from /var/log/mail.info:
>
>Feb 8 21:22:16 www MailScanner[20264]: New Batch: Found 6 messages waiting
>Feb 8 21:22:16 www MailScanner[20264]: New Batch: Scanning 1 messages, 4443
>bytes
>Feb 8 21:22:16 www MailScanner[20264]: Spam Checks: Starting
>Feb 8 21:22:17 www MailScanner[20264]: Virus and Content Scanning: Starting
>Feb 8 21:22:19 www MailScanner[20264]: Uninfected: Delivered 1 messages
>
>MailScanner thinks it found 6 messages, scanned 1 and delivered 1.

It found 6 messages. However only 1 of them was actually completely delivered by sendmail, the other 5 were still being received. So it could only start processing 1 of the 6 that appeared to be there.

> When I
>check my mail, I received 1 message. Where did the other 5 messages go?

Still being read into your system by sendmail.

>I'm not exactly sure when this started. I scanned back through the logs, and
>found a similar message on Feb 2nd. I don't think I'm losing messages,
>because the message volume on the server hasn't changed.
>
>I'm running MailScanner 4.11-1 on Debian Woody with Exim and Sophos.
>
>Steve
>(steve at cgpsystems.com)
>
>
>--
>This message has been scanned for viruses and dangerous content by
>MailScanner,
>and is believed to be clean. (MailScanner 4.11-1, 3.66)

Giving exact version numbers away to anyone who gets your mail is probably a very bad idea from a security point of view.

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Sun Feb 9 11:58:07 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:09 2006
Subject: rav not scanning archives by default
In-Reply-To:
Message-ID: <5.2.0.9.2.20030209115738.025b5de8@imap.ecs.soton.ac.uk>

At 02:16 09/02/2003, you wrote:
>While testing rav against an eicar file wrapped in a .zip, I noticed that
>rav does not scan archives by default, it needs an additional "-A"
>parameter.

MailScanner runs rav with the following parameters
--all --mail --archive
which I believe will turn the archive scanning on.

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From henker at SHCOM.US Sun Feb 9 21:27:39 2003
From: henker at SHCOM.US (Steffan Henke)
Date: Thu Jan 12 21:17:09 2006
Subject: rav not scanning archives by default
In-Reply-To: <5.2.0.9.2.20030209115738.025b5de8@imap.ecs.soton.ac.uk>
References: <5.2.0.9.2.20030209115738.025b5de8@imap.ecs.soton.ac.uk>
Message-ID:

On Sun, 9 Feb 2003, Julian Field wrote:
> MailScanner runs rav with the following parameters
> --all --mail --archive
> which I believe will turn the archive scanning on.

Julian, is that defined somewhere else than in /usr/lib/MailScanner/rav-wrapper? As far as I can see, it simply runs ravlin8 w/o the archive option. I sent a few test.com files infected with eicar, all got detected, but the ones in a .zip pass through.

Regards,
Steffan

From linux at mostert.nom.za Mon Feb 10 08:23:07 2003
From: linux at mostert.nom.za (Mozzi)
Date: Thu Jan 12 21:17:09 2006
Subject: Sendmail
Message-ID: <200302101023.07386.linux@mostert.nom.za>

Morning all

This is probably one of those questions that should go to another list but I can't think which one ;-)

I have setup mailscanner (latest) on a redhat 7.3 server (all updates applied) with the rpm's and fprot.

Now I want to make that machine my gateway. point all mx records there accept all mail, scan it and then pass it along to the main mailserver.

Now my problem it is for over 4000 domains and growing!!!
And secondly how do I do it ?

Just a kick in the right direction will help me a lot already, a howto will be nice ;-)

Mozzi

From smohan at VSNL.COM Mon Feb 10 08:30:05 2003
From: smohan at VSNL.COM (S Mohan)
Date: Thu Jan 12 21:17:09 2006
Subject: Sendmail
In-Reply-To: <200302101023.07386.linux@mostert.nom.za>
Message-ID:

First point all MX records to the MS Server. In sendmail, you can use mailertable and pump messages meant for one domain to a specific IP/Host. Use that feature to send mails to hosts that serve that domain. Make sure the MS machine is the SMTP server for all outgoing mails from those servers using SMARTHOST definition if you want them to be scanned.

You may want to look at the recent thread on using tmp file systems in memory to enhance mail processing speeds.

No of domains is not an issue. It is the number of messages per hour. Make sure your machine has enough juice to crunch as many mails. If it is a high volume mailserver, I'd suggest you get MailScanner to restart every hour instead of standard 4 hours to avoid memory leaks/ MS hangs.

MS will cope up with this comfortably - thanks to Julian's untiring efforts.

Mohan

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Mozzi
Sent: 10 February 2003 13:53
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Sendmail

Now I want to make that machine my gateway. point all mx records there accept all mail, scan it and then pass it along to the main mailserver.

Now my problem it is for over 4000 domains and growing!!!
And secondly how do I do it ?

Just a kick in the right direction will help me a lot already, a howto will be nice ;-)

Mozzi

From mailscanner at BARENDSE.TO Mon Feb 10 09:16:08 2003
From: mailscanner at BARENDSE.TO (Remco Barendse)
Date: Thu Jan 12 21:17:09 2006
Subject: OT: html2text
Message-ID:

Is there any simple way of using the html2text feature also on regular files not received by e-mail?

I have some html files that I wget from the website but I need those in plain text, not html code.

Sorry that this question is a bit off-topic!

Thanks!
Remco

From Kevin.Spicer at BMRB.CO.UK Mon Feb 10 09:23:02 2003
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin)
Date: Thu Jan 12 21:17:09 2006
Subject: OT html2text
Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0A32D11@pascal.priv.bmrb.co.uk>

> Is there any simple way of using the html2text feature also on regular
> files not received by e-mail?
>
> I have some html files that I wget from the website but I need those in
> plain text, not html code.
>
> Sorry that this question is a bit off-topic!

use lynx --dump instead of wget.

From Declan.Grady at NUVOTEM.COM Mon Feb 10 12:51:46 2003
From: Declan.Grady at NUVOTEM.COM (Declan Grady)
Date: Thu Jan 12 21:17:10 2006
Subject: OT sendmail and ODMR (ATRN) ?
Message-ID: <20030210125146.GC4610@nuvotem.com>

Hi,
Sorry for the OT.

I've moved mail hosting providers, and need to use ODMR (ATRN) in place of previous fixed IP address SMTP.

I've searched the sendmail docs but cannot find any reference to ATRN.

Does this mean sendmail does not provide ATRN functionality, and I'll have to move to a different MTA ?

Anyone else on the list currently using mailscanner with any MTA supporting ATRN ? - Please help !

Thanks,
Declan

From Kevin.Spicer at BMRB.CO.UK Mon Feb 10 15:21:36 2003
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin)
Date: Thu Jan 12 21:17:10 2006
Subject: OT sendmail and ODMR (ATRN) ?
Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0A4AD23@pascal.priv.bmrb.co.uk>

>
> Hi,
> Sorry for the OT.
>
> I've moved mail hosting providers, and need to use ODMR (ATRN)
> in place of previous fixed IP address SMTP.
>
> I've searched the sendmail docs but cannot find any reference to ATRN.
>
> Does this mean sendmail does not provide ATRN functionality,
> and I'll have to move to a different MTA ?
>
> Anyone else on the list currently using mailscanner with any
> MTA supporting ATRN ? - Please help !

I don't think sendmail supports ATRN, but it does support ETRN if that's any good for you. However you can't run sendmail with ETRN enabled on a MailScanner server (ie the machine that mail is being downloaded from) as ETRN commands cause sendmail to send out mail in its incoming queue, bypassing mailscanner. However I think you should be able to use ETRN to fetch mail to a local machine and then pass it through mailscanner locally (not sure on the details though!).

The other possibility, which may or may not be useful - depending on your exact setup and volume of accounts - is to use a pop3 server on the remote end and collect mail using fetchmail, which in turn passes to sendmail and mailscanner.
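
The ETRN condition described in the message above can be checked from the gateway's sendmail.cf and from what its SMTP listener advertises. This is an added example, not code from the thread or from MailScanner; the sendmail.cf fragments, host names and EHLO replies are constructed, and it relies on sendmail's PrivacyOptions flag noetrn, which the goaway pseudo-flag does not set.

```python
"""Audit a sendmail-based MailScanner gateway for ETRN exposure.

Added example. All sample inputs below are constructed for illustration.
"""
import re
import smtplib

# Constructed sendmail.cf fragments for a hypothetical gateway.
CF_DEFAULT = "O PrivacyOptions=authwarnings,novrfy,noexpn,restrictqrun\n"
CF_GOAWAY = "# tightened, but noetrn is still missing\nO PrivacyOptions=goaway\n"
CF_HARDENED = "O PrivacyOptions=authwarnings,novrfy,noexpn,restrictqrun,noetrn\n"

# Constructed EHLO reply from a listener that still offers ETRN.
EHLO_WITH_ETRN = (
    "250-gateway.example.org Hello client.example.net [192.0.2.10]\r\n"
    "250-ENHANCEDSTATUSCODES\r\n"
    "250-8BITMIME\r\n"
    "250-SIZE\r\n"
    "250-ETRN\r\n"
    "250 HELP\r\n"
)
EHLO_WITHOUT_ETRN = EHLO_WITH_ETRN.replace("250-ETRN\r\n", "")


def privacy_flags(cf_text):
    """Collect PrivacyOptions flags from sendmail.cf text.

    Only the long option form is parsed and commented-out lines are ignored.
    Flags from several option lines are merged (an assumption about how
    repeated lines combine).
    """
    flags = set()
    for line in cf_text.splitlines():
        m = re.match(r"O\s+PrivacyOptions\s*=\s*(.*)", line)
        if m:
            flags.update(f.lower() for f in re.split(r"[,\s]+", m.group(1)) if f)
    return flags


def etrn_disabled(cf_text):
    """True only when noetrn is set explicitly; goaway alone is not enough."""
    return "noetrn" in privacy_flags(cf_text)


def ehlo_extensions(reply):
    """Return the extension keywords from a multi-line 250 EHLO reply."""
    exts = set()
    for line in reply.splitlines()[1:]:  # the first line is the greeting
        m = re.match(r"250[- ](\S+)", line)
        if m:
            exts.add(m.group(1).upper())
    return exts


def audit(cf_text, ehlo_reply):
    """Return a list of findings; an empty list means ETRN is switched off."""
    findings = []
    if not etrn_disabled(cf_text):
        # Fix: add noetrn to confPRIVACY_FLAGS in sendmail.mc, rebuild, restart.
        findings.append("sendmail.cf: PrivacyOptions lacks noetrn")
    if "ETRN" in ehlo_extensions(ehlo_reply):
        findings.append("listener advertises ETRN in its EHLO reply")
    return findings


def probe(host, port=25, timeout=10):
    """Live variant for a gateway you administer: does it offer ETRN?"""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        return smtp.has_extn("etrn")


if __name__ == "__main__":
    cases = [
        ("default", CF_DEFAULT, EHLO_WITH_ETRN),
        ("goaway", CF_GOAWAY, EHLO_WITH_ETRN),
        ("hardened", CF_HARDENED, EHLO_WITHOUT_ETRN),
    ]
    for name, cf, ehlo in cases:
        print(name, audit(cf, ehlo) or "ok")
```

Run the configuration check against the sendmail.cf used by the listening (incoming-queue) sendmail instance, since that is the process an ETRN request reaches.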
From hostmaster at NEXNET.ES Mon Feb 10 16:08:24 2003
From: hostmaster at NEXNET.ES (Jesus Garrote)
Date: Thu Jan 12 21:17:10 2006
Subject: Using filenames rules
Message-ID: <4.3.2.7.0.20030210165048.023bc560@carrota.nexnet.es>

Hello all,

We want to block attachments via filename rules for ALL of our users, except for staff. Is it possible to do this without writing N lines in "filename.rules" like: ?

From: user1@*
From: user2@*
...
From: userN@*
FromOrTo: default

Thanks in advance,
Jesus

From jrudd at UCSC.EDU Mon Feb 10 20:25:59 2003
From: jrudd at UCSC.EDU (John Rudd)
Date: Thu Jan 12 21:17:10 2006
Subject: not OT: html2txt (was Re: OT: html2text)
In-Reply-To:
Message-ID:

Speaking of "html2txt", or "striphtml" in the mailscanner spam actions ... I'd like it if mailscanner had an option for handling html emails apart from the spam actions. It would be a rule that can have one of three values:

"striphtml" (remove html mime segments replacing them with in-line notices that an html segment was removed),
"html2txt" (convert html mime segments to plain text segments, not deleting any of the mime segments, with an in-line notice at the start of each of the segments that used to be html saying "was converted by ..."),
"as-is" (don't modify anything).

And it could also be set to have a rule file, so that the preference could be set on a per-sender or per-recipient (or both) basis.

I would find such a feature VERY useful at home. My wife loves to send and get html encoded email. I _HATE_ it. I'd love to have the copy of mailscanner I use at home set up to do "html2txt" for mail coming to me and "as-is" for going to my wife. (I only mention "striphtml" as an option because 1) mailscanner already has code for that, 2) I know some people prefer to just drop those segments instead of converting them ... but that wouldn't be useful to me)

I'm not sure if I would also use the feature at work, or not.

On Monday, Feb 10, 2003, at 01:16 US/Pacific, Remco Barendse wrote:
> Is there any simple way of using the html2text feature also on regular
> files not received by e-mail?
>
> I have some html files that I wget from the website but I need those in
> plain text, not html code.

From Kevin.Spicer at BMRB.CO.UK Mon Feb 10 20:47:33 2003
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin)
Date: Thu Jan 12 21:17:10 2006
Subject: not OT: html2txt (was Re: OT: html2text)
Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0A32D19@pascal.priv.bmrb.co.uk>

>
> Speaking of "html2txt", or "striphtml" in the mailscanner spam actions
> ... I'd like it if mailscanner had an option for handling html emails
> apart from the spam actions.
>

I believe that the configuration file option 'Convert HTML To Text' may provide most of the functionality you want.

From jrudd at UCSC.EDU Mon Feb 10 21:03:25 2003
From: jrudd at UCSC.EDU (John Rudd)
Date: Thu Jan 12 21:17:10 2006
Subject: not OT: html2txt (was Re: OT: html2text)
In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB0A32D19@pascal.priv.bmrb.co.uk>
Message-ID: <186CEAFC-3D3B-11D7-AFB2-003065F939FE@ucsc.edu>

On Monday, Feb 10, 2003, at 12:47 US/Pacific, Spicer, Kevin wrote:

>>
>> Speaking of "html2txt", or "striphtml" in the mailscanner spam actions
>> ... I'd like it if mailscanner had an option for handling html emails
>> apart from the spam actions.
>>
> I believe that the configuration file option 'Convert HTML To Text'
> may provide most of the functionality you want.
>
>

Hm. I hadn't noticed that option before. Thanks.

John

From hden at KCBBS.GEN.NZ Mon Feb 10 23:17:46 2003
From: hden at KCBBS.GEN.NZ (Hendrik den Hartog)
Date: Thu Jan 12 21:17:10 2006
Subject: Wrapper Script on WEB Page
In-Reply-To: <5.2.0.9.2.20030208163923.029c2f50@imap.ecs.soton.ac.uk>; from mailscanner@ECS.SOTON.AC.UK on Sat, Feb 08, 2003 at 04:40:22PM +0000
References: <20030207191934.GC79189@affymetrix.com> <5.2.0.9.2.20030208163923.029c2f50@imap.ecs.soton.ac.uk>
Message-ID: <20030211121746.A26989@mew.kcbbs.gen.nz>

Hello

Just checking my installation procedure..

I've just upgraded to 4:12-2, on a RedHat 7.2 Box using the rpm files. I noted earlier messages to this group, and at the top of the Downloads WEB page, that there is a need to manually copy over the old wrapper scripts using the rpmnew files.

However, after the rpm upgrade there are no rpmnew scripts in /usr/lib/MailScanner...

Is this replacement automatic with this later upgrade?

Cheers!
Hendrik

From wkuiters at FREE.FR Tue Feb 11 11:06:38 2003
From: wkuiters at FREE.FR (Willem Kuiters)
Date: Thu Jan 12 21:17:10 2006
Subject: Blacklist individual addresses
Message-ID: <20030211110638.GA1848@bragann>

'lut ML,

I use a combination of fetchmail exim mailscanner procmail. Since a few days I keep receiving a whole stack of Yaha-E viruses from one and the same address. MailScanner catches them all but I wondered if there is no way to delete mail from certain addresses I predefine before they even get passed on to MailScanner?

--
|\ /| Willem G.J. Kuiters
|0 0|
(/"\) --- "The greatest enemy of creativity is ---
/ \ --- good taste" -- Picasso ---
(( U U )) --- ---
" " " "
--(Htag.pl 0.0.22)--

From mailscanner at BARENDSE.TO Tue Feb 11 13:15:00 2003
From: mailscanner at BARENDSE.TO (Remco Barendse)
Date: Thu Jan 12 21:17:10 2006
Subject: Blacklist individual addresses
In-Reply-To: <20030211110638.GA1848@bragann>
Message-ID:

Just put Yaha in the list of viruses to silently drop. This way you can still receive real e-mails from that account without the junk :)

On Tue, 11 Feb 2003, Willem Kuiters wrote:

> 'lut ML,
>
> I use a combination of fetchmail exim mailscanner procmail. Since a few
> days I keep receiving a whole stack of Yaha-E viruses from one and the
> same address. MailScanner catches them all but I wondered if there is no
> way to delete mail from certain addresses I predefine before they even
> get passed on to MailScanner?
>
> --
> |\ /| Willem G.J. Kuiters
> |0 0|
> (/"\) --- "The greatest enemy of creativity is ---
> / \ --- good taste" -- Picasso ---
> (( U U )) --- ---
> " " " "
> --(Htag.pl 0.0.22)--
>

From linux at mostert.nom.za Tue Feb 11 14:14:16 2003
From: linux at mostert.nom.za (Mozzi) Date: Thu Jan 12 21:17:10 2006 Subject: Sendmail relay Message-ID: <200302111614.16812.linux@mostert.nom.za> Hallo all I am posting here in the hopes that someone can help me, I am out of ideas :( I have setup mailscanner on red-hat 7.3 with sendmail using the rpm's I used the standard sendmail install just modified the sendmail.cf file. This is meant as a mailgateway Now my problem begins I put a domain in my mailertable eg: .mydomain.com smtp:[192.168.1.1] Now it keeps on giving me a local config error and doesn't pass it along to the other server where the pop3 is on. If I put it in the access file or local-host-names file it just says the username doesn't exist as it should. For some reason I just cannot persuade sendmail to pump the mail for any domain through to the other box. I am getting beyond reason here. Please help *pulling hair as we speak* Mozzi -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. Mailscanner thanks transtec Computers for their support. From paul_houselander at BRISTOL-LEA.ORG.UK Tue Feb 11 14:15:58 2003 From: paul_houselander at BRISTOL-LEA.ORG.UK (Paul Houselander) Date: Thu Jan 12 21:17:10 2006 Subject: Sendmail relay References: <200302111614.16812.linux@mostert.nom.za> Message-ID: <011301c2d1d8$193c0460$7b10140a@education.bcc.lan> Have a similar setup here. Have you added the domain you want to relay for in /etc/mail/access? After adding to mailertable did you run makemap hash mailertable.db < mailertable and makemap hash access.db < access Hope it helps Cheers Paul ----- Original Message ----- 
From: "Mozzi" To: Sent: Tuesday, February 11, 2003 2:14 PM Subject: Sendmail relay > Hallo all > I am posting here in the hopes that someone can help me, I am out of ideas :( > I have setup mailscanner on red-hat 7.3 with sendmail using the rpm's > I used the standard sendmail install just modified the sendmail.cf file. > This is meant as a mailgateway > > Now my problem begins > I put a domain in my mailertable eg: > .mydomain.com smtp:[192.168.1.1] > > Now it keeps on giving me a local config error and doesn't pass it along to > the other server where the pop3 is on. > If I put it in the access file or local-host-names file it just says the > username doesn't exist as it should. > For some reason I just cannot persuade sendmail to pump the mail for any > domain through to the other box. > > I am getting beyond reason here. Please help > *pulling hair as we speak* > > Mozzi > > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > Mailscanner thanks transtec Computers for their support. -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From wkuiters at FREE.FR Tue Feb 11 15:33:11 2003 
From: wkuiters at FREE.FR (Willem Kuiters) Date: Thu Jan 12 21:17:10 2006 Subject: Blacklist individual addresses In-Reply-To: References: <20030211110638.GA1848@bragann> Message-ID: <20030211153311.GA3086@bragann> On Tue, Feb 11, 2003 at 02:15:00PM +0100, Remco Barendse wrote: > Just put Yaha in the list of viruses to silently drop. > > This way you can still receive real e-mails from that account without the > junk :) > > I use a combination of fetchmail exim mailscanner procmail. Since a few > > days I keep receiving a whole stack of Yaha-E virusses from one and the > > same address. MailScanner catches them all but I wondered if there is no > > way to delete mail from certain addresses I predefine before they even > > get passed on to MailScanner? Hmmm, that's not realy what I want. Who knows what other junk there may be on the infected machine. I would like to block certain addresses which I find sending us virusses regularly. They receive a message that they have been blacklisted for my domain and need to contact the administrator should they want to use that address again to send us mail after they have cleaned the machine(s). It is basically to spare me some alerts. Ideally I wanted fetchmail to delete the mail on the remote server of the ISP hosting the POP boxes before it even gets to our local mailserver but I did not find an option for that. Apparently it is possible in Sendmail but I use Exim. -- |\ /| Willem G.J. Kuiters |0 0| (/"\) --- "An elephant - a mouse built to --- / \ --- government specifications" -- R. Henlein --- (( U U )) --- --- " " " " --(Htag.pl 0.0.22)-- From Kevin.Spicer at BMRB.CO.UK Tue Feb 11 15:42:03 2003 
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin) Date: Thu Jan 12 21:17:10 2006 Subject: Blacklist individual addresses Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0EBF39E@pascal.priv.bmrb.co.uk> > Hmmm, that's not realy what I want. Who knows what other junk > there may > be on the infected machine. I would like to block certain addresses > which I find sending us virusses regularly. They receive a > message that > they have been blacklisted for my domain and need to contact the > administrator should they want to use that address again to > send us mail > after they have cleaned the machine(s). It is basically to > spare me some > alerts. I think that's maybe not a good idea, given the number of viruses forging sender addresses these days you're likely to end up excluding genuine messages from people who are not infected - meaning that getting out of your blacklist is entirely out of their control. If you are only worried about reducing the number of alerts why not just set up a rule in your mail client to move those messages you are not interested in to a different repository (/dev/null ?!). Also if you blacklist them you need to make sure they can still email you to tell you they are now clean - and you're also assuming that they know what they are doing & will be able to clean their machine to your satisfaction... BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. 
From wkuiters at FREE.FR Tue Feb 11 16:21:27 2003 
From: wkuiters at FREE.FR (Willem Kuiters) Date: Thu Jan 12 21:17:10 2006 Subject: Blacklist individual addresses In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB0EBF39E@pascal.priv.bmrb.co.uk> References: <5C0296D26910694BB9A9BBFC577E7AB0EBF39E@pascal.priv.bmrb.co.uk> Message-ID: <20030211162127.GA3217@bragann> On Tue, Feb 11, 2003 at 03:42:03PM -0000, Spicer, Kevin wrote: > > Hmmm, that's not realy what I want. Who knows what other junk > > there may > > be on the infected machine. I would like to block certain addresses > > which I find sending us virusses regularly. They receive a > > message that > > they have been blacklisted for my domain and need to contact the > > administrator should they want to use that address again to > > send us mail > > after they have cleaned the machine(s). It is basically to > > spare me some > > alerts. > > I think that's maybe not a good idea, given the number of viruses forging sender addresses these days you're likely to end up excluding genuine messages from people who are not infected - meaning that getting out of your blacklist is entirely out of their control. Yes, I know that. My message is quite polite and taking this into account. >If you are only worried about reducing the number of alerts why not just set up a >rule in your mail client to move those messages you are not interested in to a >different repository (/dev/null ?!). Oh, yes. That's done. The messages don't get delivered anymore. By that time the messages have already been scanned though, the virusses quarantined etc. I just wanted to stop some of them even before they get to my server. >Also if you blacklist them you need to make sure they can still email you to >tell you they are now clean - and you're also assuming that they know what they >are doing & will be able to clean their machine to your satisfaction... Yes, they can still mail me. As to knowing if they are able to clean their machine, no I can't control that. But I can put them back on the list ... 
Thanks anyway, I'll think it all over once again.

Willem

From stone at HKUST.SE Tue Feb 11 16:25:16 2003
From: stone at HKUST.SE (Magnus Stenman) Date: Thu Jan 12 21:17:10 2006 Subject: OT sendmail and ODMR (ATRN) ? References: <5C0296D26910694BB9A9BBFC577E7AB0A4AD23@pascal.priv.bmrb.co.uk> Message-ID: <3E4923EC.C9635C2C@hkust.se> fetchmail supports ETRN and ODMR /m "Spicer, Kevin" wrote: > > > > > Hi, > > Sorry for the OT. > > > > Ive moved mail hosting providers, and need to use ODMR (ATRN) > > in place of previous > > fixed IP address SMTP. > > > > I've searched the sendmail docs but cannot find any reference to ATRN. > > > > Does this mean sendmail does not provide ATRN functionality, > > and I'll have to > > move to a different MTA ? > > > > Anyone else on the list currently using mailscanner with any > > MTA supporting > > ATRN ? - Please help ! > > I don't think sendmail supports ATRN, but it does support ETRN if thats any good for you. However you can't run sendmail with ETRN enabled on a MailScanner server (ie the machine that mail is being downloaded from) as ETRN commands cause sendmail to send out mail in its incoming queue, bypassing mailscanner. However I think you should be able to use ETRN to fetch mail to a local machine and then pass it through mailscanner locally (not sure on the details though!). The other possibility, which may or may not be useful - depending on your exact setup and volume of accounts - is to use a pop3 server on the remote end and collect mail using fetchmail, which in turn passes to sendmail and mailscanner. > > BMRB International > http://www.bmrb.co.uk > +44 (0)20 8566 5000 > _________________________________________________________________ > This message (and any attachment) is intended only for the > recipient and may contain confidential and/or privileged > material. If you have received this in error, please contact the > sender and delete this message immediately. Disclosure, copying > or other action taken in respect of this email or in > reliance on it is prohibited. 
BMRB International Limited > accepts no liability in relation to any personal emails, or > content of any email which does not directly relate to our > business. From dgeorgiades at POWERENG.COM Tue Feb 11 18:38:00 2003 From: dgeorgiades at POWERENG.COM (Derrick Georgiades) Date: Thu Jan 12 21:17:10 2006 Subject: MS + SA Whitelisting Message-ID: I believe this has been brought up before, but I was wondering what the status was. An email with multiple recipients is completely whitelisted if any addresses in the email are in the whitelist file. This becomes a major problem for my users. Emails that are tagged upwards of 19 SA points is delivered to a user that is not whitelisted. Is there a new version that takes care of this? Will there ever be one? Thanks Derrick Georgiades Power Engineers, Inc. From mkettler at EVI-INC.COM Tue Feb 11 20:25:02 2003 
From: mkettler at EVI-INC.COM (Matt Kettler)
Date: Thu Jan 12 21:17:10 2006
Subject: MS + SA Whitelisting
In-Reply-To:
Message-ID: <5.1.1.6.0.20030211151644.01cd26a0@192.168.50.2>

Fixing this is in fact impossible. This is due to the fact that there's only one email despite there being multiple recipients.

Since there's only one email at the time that MailScanner and SpamAssassin see it, there can only be one spam markup.

Thus there are only 2 actions that can be done for a multi-recipient email with one user as a whitelist-to entry.

1) Go with the principle of most privilege, and whitelist the email and everyone gets it that way.
2) Go with the principle of least privilege, and don't whitelist it, and everyone gets it that way.

Currently SpamAssassin does option 1. I suppose one could make it have an option to behave like option 2, but neither case gives you the desired behavior of whitelisting the copy delivered to user A and not whitelisting the copy given to user B.

The ONLY way to solve the fundamental problem is to run SpamAssassin AFTER it's delivered to the mailboxes of the users, and NOT at the MTA level like MailScanner does. It's a fundamental limitation of running at the MTA level and it's something that MailScanner will never be able to do unless the definition of what it is changes to something radically different.

Of course, running per-user post delivery has drawbacks too, i.e. this only works if all the users have actual user accounts on the mailserver running SpamAssassin. It does not work for a forwarding type mailserver.

At 11:38 AM 2/11/2003 -0700, Derrick Georgiades wrote:
>I believe this has been brought up before, but I was wondering what the
>status was.
>An email with multiple recipients is completely whitelisted if any addresses
>in the email are in the whitelist file.
>This becomes a major problem for my users. Emails that are tagged upwards
>of 19 SA points is delivered to a user that is not whitelisted. Is there a
>new version that takes care of this? Will there ever be one?
>
>Thanks
>Derrick Georgiades
>Power Engineers, Inc.

From ragan_davis at COLSTATE.EDU Tue Feb 11 21:54:23 2003
From: ragan_davis at COLSTATE.EDU (Mack Ragan)
Date: Thu Jan 12 21:17:10 2006
Subject: question for sendmail experts
Message-ID:

Hi!

I need some hints. I would like to have all incoming mail hit my mailscanner/sendmail box, be scanned/cleaned, and then be sent unaltered to an internal mail server for delivery to internal mailboxes. By unaltered, I mean I want the messages to be exactly the same minus any mailscanner changes. I know there's some way within sendmail.cf to make this happen, but I can't seem to find the right combination. Anyone have any suggestions as to how I should configure sendmail?

Versions:
MailScanner v4.12-2
Sendmail v8.12.7
RedHat Linux v8.0

Thanks for your help!
Mack

From mailscanner at ecs.soton.ac.uk Tue Feb 11 23:14:39 2003
From: mailscanner at ecs.soton.ac.uk (mailscanner) Date: Thu Jan 12 21:17:10 2006 Subject: {VIRUS?} Fw:jules,please try again Message-ID: <0HA6005RL37KNO@SMTP.Prodigy.Net.mx> An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030211/645bbe2c/attachment.html -------------- next part -------------- This is a message from the MailScanner E-Mail Virus Protection Service ---------------------------------------------------------------------- The original e-mail attachment "height.pif" was believed to be infected by a virus and has been replaced by this warning message. If you wish to receive a copy of the *infected* attachment, please e-mail helpdesk and include the whole of this message in your request. Alternatively, you can call them, with the contents of this message to hand when you call. At Tue Feb 11 23:15:31 2003 the virus scanner said: >>> Virus 'W32/Klez-H' found in file height.pif Shortcuts to MS-Dos programs are very dangerous in email (height.pif) Note to Help Desk: Look on magpie in /export/2/var/MailScanner/quarantine/20030211 (message XAA21916). -- Postmaster Mailscanner thanks transtec Computers for their support -------------- next part -------------- -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/octet-stream Size: 34519 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030211/645bbe2c/attachment.obj From mkettler at EVI-INC.COM Tue Feb 11 23:16:56 2003 
From: mkettler at EVI-INC.COM (Matt Kettler)
Date: Thu Jan 12 21:17:10 2006
Subject: question for sendmail experts
In-Reply-To:
Message-ID: <5.1.1.6.0.20030211180744.01821820@192.168.50.2>

I'll admit I do this using a cheap hack and do it by using aliases, but there are much better ways.

In my case the number of users is low, so creating a bunch of:

alias mkettler@evi-inc.com mkettler@internalserver.evi-inc.com

entries is pretty trivial. I will admit that this is the "wrong way" to do it.

Someone else on the list can probably describe the proper way of doing it, which if I recall correctly is to use the mailertable feature in your sendmail.mc/cf, but I'm likely to be wrong about it so I'll leave the proper explanation to someone else.

At 09:54 PM 2/11/2003 +0000, Mack Ragan wrote:
>Hi!
>
>I need some hints. I would like to have all incoming mail hit my
>mailscanner/sendmail box, be scanned/cleaned, and then be sent unaltered to
>an internal mail server for delivery to internal mailboxes. By unaltered,
>I mean I want the messages to be exactly the same minus any mailscanner
>changes. I know there's some way within sendmail.cf to make this happen,
>but I can't seem to find the right combination. Anyone have any
>suggestions as to how I should configure sendmail?
>
>Versions:
>MailScanner v4.12-2
>Sendmail v8.12.7
>RedHat Linux v8.0
>
>Thanks for your help!
>Mack

From brad at LTINETWORKS.COM Wed Feb 12 00:26:49 2003
From: brad at LTINETWORKS.COM (Brad White)
Date: Thu Jan 12 21:17:10 2006
Subject: question for sendmail experts
Message-ID: <561AAE0556C2594B815E391DDF5F0CC5058243@exchange.lscom.net>

You can easily do this with the mailertable feature. If you are running a recent RedHat it's enabled in the cf already. You add an entry like this into /etc/mail/mailertable:

domain.com smtp:[ip.of.internal.server]

Then in /etc/mail/relay-domains you add the domain name that you added above, domain.com on a line by itself. Then, while in /etc/mail, type make all, and for luck restart mailscanner (can't remember if this step is required). Change your mx record to point to your mailscanner server and you're done. Mail will come from the Internet, hit your scanner, get scanned, and then requeued for delivery to the real server.

brad

-----Original Message-----
From: Mack Ragan [mailto:ragan_davis@COLSTATE.EDU]
Sent: Tue 2/11/2003 1:54 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Cc:
Subject: question for sendmail experts

Hi!

I need some hints. I would like to have all incoming mail hit my mailscanner/sendmail box, be scanned/cleaned, and then be sent unaltered to an internal mail server for delivery to internal mailboxes. By unaltered, I mean I want the messages to be exactly the same minus any mailscanner changes. I know there's some way within sendmail.cf to make this happen, but I can't seem to find the right combination. Anyone have any suggestions as to how I should configure sendmail?

Versions:
MailScanner v4.12-2
Sendmail v8.12.7
RedHat Linux v8.0

Thanks for your help!
Mack

From smohan at vsnl.com Wed Feb 12 01:37:22 2003
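A consistency check for the mailertable and relay-domains setup described in this thread, as an added example that is not from any poster or from sendmail itself. It flags a leading-dot key that does not cover the bare domain, a routed domain missing from relay-domains, and a destination without square brackets; the file contents are constructed samples, and it assumes sendmail's default relay-domains matching (FEATURE relay_hosts_only not enabled).

```python
"""Lint a sendmail gateway's mailertable against relay-domains (added example)."""

# Constructed sample contents; on a real gateway these would be read from
# /etc/mail/mailertable and /etc/mail/relay-domains.
MAILERTABLE = """\
# constructed sample
.mydomain.com   smtp:[192.168.1.1]
example.org     smtp:mail.internal.example
example.net     smtp:[192.168.1.2]
broken.example  192.168.1.3
"""
RELAY_DOMAINS = """\
mydomain.com
example.net
"""


def parse_mailertable(text):
    """Return (entries, errors); each entry is (key, mailer, host, bracketed)."""
    entries, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 2 or ":" not in fields[1]:
            errors.append(f"line {lineno}: expected 'domain mailer:host', got {line!r}")
            continue
        mailer, host = fields[1].split(":", 1)
        bracketed = host.startswith("[") and host.endswith("]")
        entries.append((fields[0].lower(), mailer, host.strip("[]"), bracketed))
    return entries, errors


def parse_relay_domains(text):
    """One domain per line, comments and blank lines ignored."""
    return {l.strip().lower() for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")}


def relay_allowed(domain, relay_domains):
    """True if the domain or any parent domain is listed (default class R matching)."""
    labels = domain.split(".")
    return any(".".join(labels[i:]) in relay_domains for i in range(len(labels)))


def audit(mailertable_text, relay_domains_text):
    """Return a list of human-readable findings; an empty list means no issues found."""
    entries, findings = parse_mailertable(mailertable_text)
    relay = parse_relay_domains(relay_domains_text)
    keys = {key for key, *_ in entries}
    for key, _mailer, host, bracketed in entries:
        domain = key.lstrip(".")
        # A key with a leading dot matches hosts under the domain, not the domain itself.
        if key.startswith(".") and domain not in keys:
            findings.append(f"{key}: matches subdomains only; mail for {domain} "
                            "itself is not routed by this entry")
        # Routing alone does not grant relaying; the domain must also be permitted.
        if not relay_allowed(domain, relay):
            findings.append(f"{key}: {domain} is not in relay-domains "
                            "(check /etc/mail/access if relaying is granted there)")
        # Without brackets sendmail looks up MX records for the destination host.
        if not bracketed:
            findings.append(f"{key}: destination {host} has no [brackets]; "
                            "sendmail will do an MX lookup on it")
    return findings


if __name__ == "__main__":
    for finding in audit(MAILERTABLE, RELAY_DOMAINS):
        print(finding)
```
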
From: smohan at vsnl.com (S Mohan) Date: Thu Jan 12 21:17:10 2006 Subject: question for sendmail experts In-Reply-To: <561AAE0556C2594B815E391DDF5F0CC5058243@exchange.lscom.net> Message-ID: <001201c2d237$4d860c20$28405bca@18yamuna> Restarting MailScanner will restart sendmail which, as a rule on startup, will build all the hash tables like virtusertable, aliases, mailertable etc for every run/ invocation. Useful to do so lest we miss a step. Mohan -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Brad White Sent: Wednesday, February 12, 2003 5:57 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: question for sendmail experts You can easily do this with the mailertable feature. If you are running a recent RedHat it's enabled in the cf already. You add an entry like this into /etc/mail/mailertable: domain.com smtp:[ip.of.internal.server] Then in /etc/mail/relay-domains you add the domain name that you added above, domain.com on a line by itself. Then, while in /etc/mail, type make all, and for luck restart mailscanner(can't remember if this step is required). Change your mx record to point to your mailscanner server and your done. Mail will come from the Internet, hit you scanner, get scanned, and the requeued for delivery to the real server. brad -----Original Message----- 
From: Mack Ragan [mailto:ragan_davis@COLSTATE.EDU] Sent: Tue 2/11/2003 1:54 PM To: MAILSCANNER@JISCMAIL.AC.UK Cc: Subject: question for sendmail experts Hi! I need some hints. I would like to have all incoming mail hit my mailscanner/sendmail box, be scanned/cleaned, and then be sent unaltered to an internal mail server for delivery to internal mailboxes. By unaltered, I mean I want the messages to be exactly the same minus any mailscanner changes. I know there's some way within sendmail.cf to make this happen, but I can't seem to find the right combination. Anyone have any suggestions as to how I should configure sendmail? Versions: MailScanner v4.12-2 Sendmail v8.12.7 RedHat Linux v8.0 Thanks for your help! Mack From joelc at CTCHOUSTON.COM Wed Feb 12 04:04:21 2003 From: joelc at CTCHOUSTON.COM (Joel Colvin) Date: Thu Jan 12 21:17:10 2006 Subject: question for sendmail experts In-Reply-To: <001201c2d237$4d860c20$28405bca@18yamuna> Message-ID: <017001c2d24b$d67fe000$c300a8c0@hewlett9por0s0> It isn't necessary to even restart sendmail for this. After a make, mailertable and the related files in /etc/mail are immediately effective. I change mailertable all the time for testing sites and all I do is run the make. -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of S Mohan Sent: Tuesday, February 11, 2003 7:37 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: question for sendmail experts Restarting MailScanner will restart sendmail which, as a rule on startup, will build all the hash tables like virtusertable, aliases, mailertable etc for every run/ invocation. Useful to do so lest we miss a step. Mohan -----Original Message----- 
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Brad White Sent: Wednesday, February 12, 2003 5:57 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: question for sendmail experts You can easily do this with the mailertable feature. If you are running a recent RedHat it's enabled in the cf already. You add an entry like this into /etc/mail/mailertable: domain.com smtp:[ip.of.internal.server] Then in /etc/mail/relay-domains you add the domain name that you added above, domain.com on a line by itself. Then, while in /etc/mail, type make all, and for luck restart mailscanner(can't remember if this step is required). Change your mx record to point to your mailscanner server and your done. Mail will come from the Internet, hit you scanner, get scanned, and the requeued for delivery to the real server. brad -----Original Message----- From: Mack Ragan [mailto:ragan_davis@COLSTATE.EDU] Sent: Tue 2/11/2003 1:54 PM To: MAILSCANNER@JISCMAIL.AC.UK Cc: Subject: question for sendmail experts Hi! I need some hints. I would like to have all incoming mail hit my mailscanner/sendmail box, be scanned/cleaned, and then be sent unaltered to an internal mail server for delivery to internal mailboxes. By unaltered, I mean I want the messages to be exactly the same minus any mailscanner changes. I know there's some way within sendmail.cf to make this happen, but I can't seem to find the right combination. Anyone have any suggestions as to how I should configure sendmail? Versions: MailScanner v4.12-2 Sendmail v8.12.7 RedHat Linux v8.0 Thanks for your help! Mack From P.G.M.Peters at civ.utwente.nl Wed Feb 12 07:41:26 2003 
From: P.G.M.Peters at civ.utwente.nl (Peter Peters) Date: Thu Jan 12 21:17:10 2006 Subject: question for sendmail experts In-Reply-To: References: Message-ID: On Tue, 11 Feb 2003 21:54:23 +0000, you wrote: >I need some hints. I would like to have all incoming mail hit my >mailscanner/sendmail box, be scanned/cleaned, and then be sent unaltered to >an internal mail server for delivery to internal mailboxes. By unaltered, >I mean I want the messages to be exactly the same minus any mailscanner >changes. I know there's some way within sendmail.cf to make this happen, >but I can't seem to find the right combination. Anyone have any >suggestions as to how I should configure sendmail? I have seen the (good) other tips but at first I understand from "exactly the same" that there shouldn't be any additional Received: headers. If that is necessary you could do the following: - Don't start the queue-running sendmail - Copy all files on a regular basis from /var/spool/mqueue to the same directory on the second system. - Do a queue-run on that system. -- Peter Peters senior netwerkbeheerder Centrum voor InformatieTechnologie, Bibliotheek en Educatie Universiteit Twente, Postbus 217, 7500 AE Enschede telefoon: +31 53 489 2301, fax:+31 53 489 2383, http://www.utwente.nl/civ From smohan at VSNL.COM Wed Feb 12 08:08:14 2003 From: smohan at VSNL.COM (S Mohan) Date: Thu Jan 12 21:17:10 2006 Subject: FW: question for sendmail experts Message-ID: Should have hit Reply All - missed this. Peter: Please excuse the duplicate you'd get due to this mistake. Mohan -----Original Message----- 
From: S Mohan [mailto:smohan@vsnl.com] Sent: 12 February 2003 13:36 To: peter.peters@civ.utwente.nl Subject: RE: question for sendmail experts This would assume only one mail server internally then. With this scheme, forwarding per domain will not be feasible. Correct me if I'm wrong please. Setting up rsync may be a better solution than just a cron job. Another option is to have a separate queue per domain and do the same as above from different directories to different machines. Can we set up mailscanner to deliver mails depending on domains to different queues? I think we can using rulesets in MailScanner.conf. I cannot but help admiring how much flexibility this ruleset feature gives us time and again. Great Stuff and very innovative thinking Julian => Thanks. Outgoing Queue Dir = /var/spool/mqueue is the line to work on and convert to a ruleset in MailScanner.conf. I'd also like to know why header should not be changed - need to be expanded for my understanding. Do we want to hide the fact that it came thro' a relay system that runs the scanner for the sake of some application that processes last received headers? Mohan -----Original Message----- 
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Peter Peters Sent: 12 February 2003 13:11 To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: question for sendmail experts On Tue, 11 Feb 2003 21:54:23 +0000, you wrote: >I need some hints. I would like to have all incoming mail hit my >mailscanner/sendmail box, be scanned/cleaned, and then be sent unaltered to >an internal mail server for delivery to internal mailboxes. By unaltered, >I mean I want the messages to be exactly the same minus any mailscanner >changes. I know there's some way within sendmail.cf to make this happen, >but I can't seem to find the right combination. Anyone have any >suggestions as to how I should configure sendmail? I have seen the (good) other tips but at first I understand from "exactly the same" that there shouldn't be any additional Received: headers. If that is necessary you could do the following: - Don't start the queue-running sendmail - Copy all files on a regular basis from /var/spool/mqueue to the same directory on the second system. - Do a queue-run on that system. -- Peter Peters senior netwerkbeheerder Centrum voor InformatieTechnologie, Bibliotheek en Educatie Universiteit Twente, Postbus 217, 7500 AE Enschede telefoon: +31 53 489 2301, fax:+31 53 489 2383, http://www.utwente.nl/civ From cameron at TERAGEN.COM.AU Wed Feb 12 08:36:39 2003 
From: cameron at TERAGEN.COM.AU (Cameron Pitt-Downton)
Date: Thu Jan 12 21:17:10 2006
Subject: Outgoing queue dir question
References:
Message-ID: <005401c2d273$8479ec10$02ee22cb@rogue>

Hi all,

I was just wondering if anyone has wildcards (/var/spool/mqueue/*) or rulesets working with the "Outgoing Queue Dir" option.

With wildcards I get the following error:

"Error in configuration file line 72, directory /var/spool/mqueue/* for outqueuedir does not exist (or is not readable)"

and with rulesets all I get:

"Syntax error in line 1 of ruleset file /etc/MailScanner/mqueue.out.list.conf for keyword outqueuedir".

I don't get either of these errors with the "Incoming Queue Dir" option.

Thanks
Cameron

From raymond at PROLOCATION.NET Wed Feb 12 08:31:42 2003
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:17:10 2006
Subject: question for sendmail experts
In-Reply-To: <017001c2d24b$d67fe000$c300a8c0@hewlett9por0s0>
Message-ID:

Hi!

> It isn't necessary to even restart sendmail for this. After a make,
> mailertable and the related files in /etc/mail are immediately
> effective. I change mailertable all the time for testing sites and all
> I do is run the make.

Uh, my experience is that virtusertable and mailertable are dynamic, since those are updated to a .db. relay-domains and local-host-names are not. So if you only do a make all you are missing some bits and pieces.

Bye,
Raymond.

From brandonf at BFCONSULT.CO.ZA Wed Feb 12 12:07:19 2003
From: brandonf at BFCONSULT.CO.ZA (Brandon Friedman)
Date: Thu Jan 12 21:17:10 2006
Subject: Redhat Advanced Server
Message-ID: <000901c2d28f$4e54c5d0$9150ef9b@brandonnb>

Is anybody running mailscanner on RH Advanced Server? I would just like to find out your experience with it?

--
Regards
Brandon Friedman
ADT South Africa
E-mail: bfriedman@tycoint.com

From andersjk at SOL-INVICTUS.ORG Wed Feb 12 13:24:03 2003
From: andersjk at SOL-INVICTUS.ORG (Kevin Anderson)
Date: Thu Jan 12 21:17:10 2006
Subject: funny header!
Message-ID:

what happened here?

X-MailScanner-SpamCheck: not spam, SpamAssassin (score=-97.9, required 5,
        INVALID_MSGID, MSGID_CHARS_SPAM, SPAM_PHRASE_05_08, SUB_FREE_OFFER,
        USER_IN_WHITELIST, US_DOLLARS_2)

it was from a message from amazon.co.uk, there were also no ssssss in the list...

thanks,
kevin

--
@
_____________________________________________
chaos, panic and disorder... my job is done...

From Kevin.Spicer at BMRB.CO.UK Wed Feb 12 13:34:21 2003
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin)
Date: Thu Jan 12 21:17:10 2006
Subject: funny header!
Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0EBF3A7@pascal.priv.bmrb.co.uk>

You have the sender whitelisted (maybe you have auto-whitelisting enabled, not generally recommended). Whitelisting in SpamAssassin applies a score of -100 which is why you have a negative score and no sssssssssssssssssssssssssssssssssssss....

> -----Original Message-----
> From: Kevin Anderson [mailto:andersjk@SOL-INVICTUS.ORG]
> Sent: 12 February 2003 13:24
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: funny header!
>
>
> what happened here?
>
> X-MailScanner-SpamCheck: not spam, SpamAssassin (score=-97.9,
> required 5,
>         INVALID_MSGID, MSGID_CHARS_SPAM, SPAM_PHRASE_05_08,
> SUB_FREE_OFFER,
>         USER_IN_WHITELIST, US_DOLLARS_2)
>
> it was from a message from amazon.co.uk, there were also no
> ssssss in the
> list...
>
> thanks,
> kevin
>
> --
> @
> _____________________________________________
> chaos, panic and disorder... my job is done...
>

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000

From mailscanner at BARENDSE.TO Wed Feb 12 14:03:25 2003
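An audit of the X-MailScanner-SpamCheck header discussed above and in the "MS + SA Whitelisting" thread, as an added example that is not code from MailScanner, SpamAssassin or any poster. It removes the whitelist contribution to show what the message scored on content alone, so whitelisted mail that would otherwise have been tagged as spam can be found. The -100 value is the figure given in the reply above (a site may have changed it), and the second header is constructed.

```python
"""Find whitelisted messages whose content score alone would have been spam."""
import re

WHITELIST_RULE = "USER_IN_WHITELIST"
WHITELIST_SCORE = -100.0  # assumption: the figure stated in the thread

# The header quoted in the thread (folded over several lines, as mailed).
PAGE_HEADER = (
    "X-MailScanner-SpamCheck: not spam, SpamAssassin (score=-97.9, required 5,\n"
    "\tINVALID_MSGID, MSGID_CHARS_SPAM, SPAM_PHRASE_05_08, SUB_FREE_OFFER,\n"
    "\tUSER_IN_WHITELIST, US_DOLLARS_2)"
)
# Constructed header: a multi-recipient message whitelisted for one recipient.
CONSTRUCTED_HEADER = (
    "X-MailScanner-SpamCheck: not spam, SpamAssassin (score=-81.0, required 5,\n"
    "\tSUB_FREE_OFFER, USER_IN_WHITELIST, US_DOLLARS_2)"
)

HEADER_RE = re.compile(
    r"X-MailScanner-SpamCheck:\s*(?P<verdict>[^,]+),\s*SpamAssassin\s*"
    r"\(score=(?P<score>-?\d+(?:\.\d+)?),\s*required\s+(?P<required>-?\d+(?:\.\d+)?)"
    r"(?P<rules>[^)]*)\)",
    re.S,
)


def parse_spamcheck(header):
    """Parse one SpamCheck header; return None if it is not in the expected form."""
    match = HEADER_RE.search(header)
    if match is None:
        return None
    rules = [r.strip() for r in match.group("rules").split(",") if r.strip()]
    return {
        "verdict": match.group("verdict").strip(),
        "score": float(match.group("score")),
        "required": float(match.group("required")),
        "rules": rules,
    }


def audit_whitelisted(header):
    """Add the content-only score and whether the whitelist hid a spam verdict."""
    info = parse_spamcheck(header)
    if info is None:
        return None
    whitelisted = WHITELIST_RULE in info["rules"]
    content = info["score"] - WHITELIST_SCORE if whitelisted else info["score"]
    info["whitelisted"] = whitelisted
    info["content_score"] = round(content, 1)
    info["masked_spam"] = whitelisted and info["content_score"] >= info["required"]
    return info


def find_masked(headers):
    """Content scores of messages delivered as 'not spam' only because of the whitelist."""
    results = (audit_whitelisted(h) for h in headers)
    return [r["content_score"] for r in results if r and r["masked_spam"]]


if __name__ == "__main__":
    for hdr in (PAGE_HEADER, CONSTRUCTED_HEADER):
        info = audit_whitelisted(hdr)
        print(info["score"], info["content_score"], info["masked_spam"])
```
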
From: mailscanner at BARENDSE.TO (Remco Barendse)
Date: Thu Jan 12 21:17:10 2006
Subject: OT html2text
In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB0A32D11@pascal.priv.bmrb.co.uk>
Message-ID:

I tried, lynx will not run from a cron job, it will complain "Your terminal lacks the ability to clear the screen or position the cursor." and do nothing.

I also tried starting screen from cron, then executing lynx and have everything return but screen will complain too "$HOME must match passwd entry for multiuser screens."

Think the best solution will be to have it run through the html2text filter of Mailscanner. Can it be invoked from the commandline?

On Mon, 10 Feb 2003, Spicer, Kevin wrote:

> > Is there any simple way of using the html2text feature also on regular
> > files not received by e-mail?
> >
> > I have some html files that I wget from the website but I
> > need those in
> > plain text, not html code.
> >
> > Sorry that this question is a bit off-topic!
>
> use lynx --dump instead of wget.
>

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

From andersjk at SOL-INVICTUS.ORG Wed Feb 12 13:40:57 2003
From: andersjk at SOL-INVICTUS.ORG (Kevin Anderson)
Date: Thu Jan 12 21:17:10 2006
Subject: funny header!
In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB0EBF3A7@pascal.priv.bmrb.co.uk>
Message-ID:

ah ok... it was set... but that mail wasn't whitelisted...

thanks,
k

On Wed, 12 Feb 2003, Spicer, Kevin wrote:

> You have the sender whitelisted (maybe you have auto-whitelisting enabled, not generally recommended). Whitelisting in SpamAssassin applies a score of -100 which is why you have a negative score and no sssssssssssssssssssssssssssssssssssss....
>
> > -----Original Message-----
> > From: Kevin Anderson [mailto:andersjk@SOL-INVICTUS.ORG]
> > Sent: 12 February 2003 13:24
> > To: MAILSCANNER@JISCMAIL.AC.UK
> > Subject: funny header!
> >
> >
> > what happened here?
> >
> > X-MailScanner-SpamCheck: not spam, SpamAssassin (score=-97.9,
> > required 5,
> > INVALID_MSGID, MSGID_CHARS_SPAM, SPAM_PHRASE_05_08,
> > SUB_FREE_OFFER,
> > USER_IN_WHITELIST, US_DOLLARS_2)
> >
> > it was from a message from amazon.co.uk, there were also no
> > ssssss in the
> > list...
> >
> > thanks,
> > kevin
> >
> > --
> > @
> > _____________________________________________
> > chaos, panic and disorder... my job is done...
> >
>

--
@
_____________________________________________
chaos, panic and disorder... my job is done...

From mike at CAMAROSS.NET Wed Feb 12 14:25:27 2003
From: mike at CAMAROSS.NET (Mike Kercher)
Date: Thu Jan 12 21:17:10 2006
Subject: Redhat Advanced Server
In-Reply-To: <000901c2d28f$4e54c5d0$9150ef9b@brandonnb>
Message-ID: <02a601c2d2a2$97f70b40$9801a8c0@home.middlefinger.net>

I run it on a RHAS and have no problems with it.

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Brandon Friedman
Sent: Wednesday, February 12, 2003 6:07 AM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Redhat Advanced Server

Is anybody running mailscanner on RH Advanced Server? I would just like to find out your experience with it?

--
Regards
Brandon Friedman
ADT South Africa
E-mail: bfriedman@tycoint.com

From Kevin.Spicer at BMRB.CO.UK Wed Feb 12 14:33:13 2003
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin)
Date: Thu Jan 12 21:17:10 2006
Subject: OT html2text
Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0EBF3A8@pascal.priv.bmrb.co.uk>

>
> I tried, lynx will not run from a cron job, it will complain "Your
> terminal lacks the ability to clear the screen or position
> the cursor."
> and do nothing.
>
>

Sorry, I didn't realise that. I've just tried it using w3m from cron and that seems to work (although I'm testing on a Solaris box so your mileage might vary). The commandline for w3m is...

w3m -dump http://somesite.com/ > somefile.txt

You can grab w3m from www.rpmfind.net if you have an rpm based distro, there's links to the w3m homepage from there too.

From isp-list at TULSACONNECT.COM Wed Feb 12 14:41:42 2003
From: isp-list at TULSACONNECT.COM (ISP List)
Date: Thu Jan 12 21:17:10 2006
Subject: RBL Checks Broken
Message-ID: <5.1.1.6.2.20030212083622.035f6ea0@securemail.tulsaconnect.com>

I'm struggling with a problem that is driving me nuts. Here are the details.

MailScanner 4.12-2
SpamAssassin 2.44
FreeBSD 4.7
exim 4.10

The crux of the problem is that I can't get SA to run any RBL checks. I've made sure that "skip_rbl_checks" is *not* set to 1 anywhere and that the RBL checks have a positive score assigned to them in 50_scores.cf (note that I am not trying to use any paid RBLs, just the free ones that are enabled by default). I've eliminated all user_prefs files that might be lurking about, and even explicitly set "skip_rbl_checks" to 1 in /opt/MailScanner/etc/spam.assassin.prefs.conf.

I'm using an out-of-the-box SpamAssassin and MailScanner (that is, no modifications to the code have been made). I have one machine that *will* run the RBL checks, and one that won't, and as far as I can see they are identically configured.

Any pointers on where to start looking?

--Mike

From isp-list at TULSACONNECT.COM Wed Feb 12 14:43:05 2003
From: isp-list at TULSACONNECT.COM (ISP List)
Date: Thu Jan 12 21:17:10 2006
Subject: RBL Checks Broken
In-Reply-To: <5.1.1.6.2.20030212083622.035f6ea0@securemail.tulsaconnect. com>
Message-ID: <5.1.1.6.2.20030212084231.04ac4010@securemail.tulsaconnect.com>

>I've eliminated all user_prefs files that might be
>lurking about, and even explicitly set "skip_rbl_checks" to 1 in
>/opt/MailScanner/etc/spam.assassin.prefs.conf.

Whoops, I meant to say set it to "0" in /opt/MailScanner/etc/spam.assassin.prefs.conf..

--Mike

From dbowen1 at MAC.COM Wed Feb 12 14:45:09 2003
From: dbowen1 at MAC.COM (Daniel Bowen)
Date: Thu Jan 12 21:17:10 2006
Subject: Can't invoke sendmail directly for notices?
Message-ID: <766775.1045061109453.JavaMail.dbowen1@mac.com>

Hi guys,
I can't get MailScanner to send Notices - MailScanner's direct invocation of sendmail always comes up with a strange NOQUEUE error, and the message is never delivered. This also originally happened upon batch sending, though switching to queue sending avoided the issue for regular mail. Now the NOQUEUE happens only on Notice sending, and the notices never do get sent. I suspect it has to do with the way the sendmail command is called from MailScanner, though I'm not sure if I can add option modifiers to the sendmail command in the MailScanner.conf. I've been having this problem since I first installed MailScanner. Also, MailScanner seems to run at max 3 processes now, though when I first installed it, it would usually start up nearly all 10 I allowed in the conf file - any thoughts?
Thanks,
Dan Bowen

I'm Running:
MailScanner 4-11-1
Sendmail 8.12.6
Mac OS X 10.2.3

Sendmail System StartupItem:
queue=/var/spool/mqueue
rm -f ${queue}/nf* ${queue}/lf*

/usr/sbin/sendmail -L sendmailMTA -bd -OPrivacyOptions=noetrn -ODeliveryMode=queueonly -OQueueDirectory=/private/var/spool/mqueue.in
/usr/sbin/sendmail -L sendmailQrunner -q1m
#Don't know what the following command was for, but it was active before I installed Mailscanner.
#/usr/sbin/sendmail -C /etc/mail/submit.cf -q15m

mail.log:
Feb 12 09:27:31 mail sendmailMTA[5396]: h1CERUVN005396: from=, size=709, class=0, nrcpts=1, msgid=<6727392.1045060049301.JavaMail.dbowen1@mac.com>, proto=ESMTP, daemon=MTA, relay=a17-250-248-89.apple.com [17.250.248.89]
Feb 12 09:27:33 mail MailScanner[430]: New Batch: Found 2 messages waiting
Feb 12 09:27:33 mail MailScanner[430]: New Batch: Scanning 1 messages, 1171 bytes
Feb 12 09:27:33 mail MailScanner[430]: Spam Checks: Starting
Feb 12 09:27:34 mail MailScanner[430]: Virus and Content Scanning: Starting
Feb 12 09:27:34 mail MailScanner[430]: /private/var/spool/MailScanner/incoming/430/./h1CERUVN005396/msg-430-460.txt: ClamAV-Test-Signature FOUND
Feb 12 09:27:34 mail MailScanner[430]: Virus Scanning: clamav found 1 infections
Feb 12 09:27:34 mail MailScanner[430]: Virus Scanning: Found 1 viruses
Feb 12 09:27:34 mail MailScanner[430]: Cleaned: Delivered 1 cleaned messages
Feb 12 09:27:35 mail sendmail[5403]: NOQUEUE: 0: fl=0x0, mode=140000: SOCK [0]->(Socket is not connected)
Feb 12 09:27:35 mail sendmail[5403]: NOQUEUE: 1: fl=0x0, mode=100644: dev=14/6, ino=3124312, nlink=1, u/gid=0/0, size=9717
Feb 12 09:27:35 mail sendmail[5403]: NOQUEUE: 3: fl=0x2, mode=140000: SOCK [0]->[[UNIX: /var/run/syslog]]
Feb 12 09:27:35 mail MailScanner[430]: Notices: Warned about 1 messages
Feb 12 09:27:35 mail MailScanner[430]: Disinfection: Attempting to disinfect 1 messages
Feb 12 09:27:35 mail MailScanner[430]: /private/var/spool/MailScanner/incoming/430/./h1CERUVN005396/msg-430-460.txt: ClamAV-Test-Signature FOUND
Feb 12 09:27:35 mail MailScanner[430]: Virus Re-scanning: clamav found 1 infections
Feb 12 09:27:35 mail MailScanner[430]: Disinfection: Rescan found only 1 viruses
Feb 12 09:28:12 mail sendmailQrunner[5425]: h1CERUVN005396: to=, delay=00:00:42, xdelay=00:00:00, mailer=local, pri=120658, dsn=2.0.0, stat=Sent

From davide at hire.com Wed Feb 12 16:00:58 2003
From: davide at hire.com (David Eckelkamp)
Date: Thu Jan 12 21:17:10 2006
Subject: Redhat Advanced Server
In-Reply-To: <000901c2d28f$4e54c5d0$9150ef9b@brandonnb>
References: <000901c2d28f$4e54c5d0$9150ef9b@brandonnb>
Message-ID: <15946.28602.432654.391319@locutus.hire.com>

I'm running MailScanner+Sophos+SpamAssassin on RedHatAS-2.1 without any problems. We process about 50,000 messages a day without breaking a sweat on a dual 733Mhz Dell PowerEdge 2450 with 1Gig of RAM.

Let me know if there's something else you'd like to know about the setup.

DavidE

From dbowen1 at MAC.COM Wed Feb 12 17:15:20 2003
From: dbowen1 at MAC.COM (Daniel Bowen)
Date: Thu Jan 12 21:17:10 2006
Subject: Can't invoke sendmail directly for notices?
Message-ID: <395375.1045070120274.JavaMail.dbowen1@mac.com>

Never mind, all these issues cleared up once I installed 4-12-2. Thanks Julian!

On Wednesday, February 12, 2003, at 09:45AM, Daniel Bowen wrote:

>Hi guys,
> I can't get MailScanner to send Notices - MailScanner's direct invocation of sendmail always comes up with a strange NOQUEUE error, and the message is never delivered. This also originally happened upon batch sending, though switching to queue sending avoided the issue for regular mail. Now the NOQUEUE happens only on Notice sending, and the notices never do get sent. I suspect it has to do with the way the sendmail command is called from MailScanner, though I'm not sure if I can add option modifiers to the sendmail command in the MailScanner.conf. I've been having this problem since I first installed MailScanner. Also, MailScanner seems to run at max 3 processes now, though when I first installed it, it would usually start up nearly all 10 I allowed in the conf file - any thoughts?
>Thanks,
>Dan Bowen
>
>I'm Running:
>MailScanner 4-11-1
>Sendmail 8.12.6
>Mac OS X 10.2.3
>
>Sendmail System StartupItem:
> queue=/var/spool/mqueue
> rm -f ${queue}/nf* ${queue}/lf*
>
> /usr/sbin/sendmail -L sendmailMTA -bd -OPrivacyOptions=noetrn -ODeliveryMode=queueonly -OQueueDirectory=/private/var/spool/mqueue.in
> /usr/sbin/sendmail -L sendmailQrunner -q1m
> #Don't know what the following command was for, but it was active before I installed Mailscanner.
> #/usr/sbin/sendmail -C /etc/mail/submit.cf -q15m
>
>
>
>mail.log:
>Feb 12 09:27:31 mail sendmailMTA[5396]: h1CERUVN005396: from=, size=709, class=0, nrcpts=1, msgid=<6727392.1045060049301.JavaMail.dbowen1@mac.com>, proto=ESMTP, daemon=MTA, relay=a17-250-248-89.apple.com [17.250.248.89]
>Feb 12 09:27:33 mail MailScanner[430]: New Batch: Found 2 messages waiting
>Feb 12 09:27:33 mail MailScanner[430]: New Batch: Scanning 1 messages, 1171 bytes
>Feb 12 09:27:33 mail MailScanner[430]: Spam Checks: Starting
>Feb 12 09:27:34 mail MailScanner[430]: Virus and Content Scanning: Starting
>Feb 12 09:27:34 mail MailScanner[430]: /private/var/spool/MailScanner/incoming/430/./h1CERUVN005396/msg-430-460.txt: ClamAV-Test-Signature FOUND
>Feb 12 09:27:34 mail MailScanner[430]: Virus Scanning: clamav found 1 infections
>Feb 12 09:27:34 mail MailScanner[430]: Virus Scanning: Found 1 viruses
>Feb 12 09:27:34 mail MailScanner[430]: Cleaned: Delivered 1 cleaned messages
>Feb 12 09:27:35 mail sendmail[5403]: NOQUEUE: 0: fl=0x0, mode=140000: SOCK [0]->(Socket is not connected)
>Feb 12 09:27:35 mail sendmail[5403]: NOQUEUE: 1: fl=0x0, mode=100644: dev=14/6, ino=3124312, nlink=1, u/gid=0/0, size=9717
>Feb 12 09:27:35 mail sendmail[5403]: NOQUEUE: 3: fl=0x2, mode=140000: SOCK [0]->[[UNIX: /var/run/syslog]]
>Feb 12 09:27:35 mail MailScanner[430]: Notices: Warned about 1 messages
>Feb 12 09:27:35 mail MailScanner[430]: Disinfection: Attempting to disinfect 1 messages
>Feb 12 09:27:35 mail MailScanner[430]: /private/var/spool/MailScanner/incoming/430/./h1CERUVN005396/msg-430-460.txt: ClamAV-Test-Signature FOUND
>Feb 12 09:27:35 mail MailScanner[430]: Virus Re-scanning: clamav found 1 infections
>Feb 12 09:27:35 mail MailScanner[430]: Disinfection: Rescan found only 1 viruses
>Feb 12 09:28:12 mail sendmailQrunner[5425]: h1CERUVN005396: to=, delay=00:00:42, xdelay=00:00:00, mailer=local, pri=120658, dsn=2.0.0, stat=Sent
>
>

From mike at ZANKER.ORG Wed Feb 12 17:15:41 2003
From: mike at ZANKER.ORG (Mike Zanker)
Date: Thu Jan 12 21:17:10 2006
Subject: RBL Checks Broken
In-Reply-To: <5.1.1.6.2.20030212083622.035f6ea0@securemail.tulsaconnect.com>
References: <5.1.1.6.2.20030212083622.035f6ea0@securemail.tulsaconnect.c om>
Message-ID: <165234644.1045070141@jemima.zanker.org>

On 12 February 2003 08:41 -0600 ISP List wrote:

> The crux of the problem is that I can't get SA to run any RBL checks.

Do you have Net::DNS installed?

Mike.

From isp-list at TULSACONNECT.COM Wed Feb 12 18:10:01 2003
From: isp-list at TULSACONNECT.COM (ISP List)
Date: Thu Jan 12 21:17:10 2006
Subject: RBL Checks Broken
In-Reply-To: <165234644.1045070141@jemima.zanker.org>
References: <5.1.1.6.2.20030212083622.035f6ea0@securemail.tulsaconnect.com> <5.1.1.6.2.20030212083622.035f6ea0@securemail.tulsaconnect.c om>
Message-ID: <5.1.1.6.2.20030212120955.03669a60@pop3.tulsaconnect.com>

At 05:15 PM 2/12/2003 +0000, you wrote:
>On 12 February 2003 08:41 -0600 ISP List
>wrote:
>
>>The crux of the problem is that I can't get SA to run any RBL checks.
>
>Do you have Net::DNS installed?
>
>Mike.

Yep.

--Mike

From mkettler at EVI-INC.COM Wed Feb 12 18:45:54 2003
From: mkettler at EVI-INC.COM (Matt Kettler)
Date: Thu Jan 12 21:17:10 2006
Subject: funny header!
In-Reply-To:
References: <5C0296D26910694BB9A9BBFC577E7AB0EBF3A7@pascal.priv.bmrb.co.uk>
Message-ID: <5.1.1.6.0.20030212134413.0167abe0@192.168.50.2>

Yes it was whitelisted, read your /usr/share/spamassassin/60_whitelist.cf.

whitelist_from_rcvd *@*.amazon.co.uk amazon.com

It's one of the default whitelist entries that ships with SpamAssassin and you have to over-ride with an unwhitelist_from command if you don't want it on.

At 02:40 PM 2/12/2003 +0100, Kevin Anderson wrote:
>ah ok... it was set... but that mail wasn't whitelisted...
>
>thanks,
>k

From mkettler at EVI-INC.COM Wed Feb 12 18:51:19 2003
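Added example, not part of the original thread: a small parser for the X-MailScanner-SpamCheck header discussed in the "funny header!" messages, which backs out the whitelist contribution to show what the message would have scored on content alone. The -100 value is the one stated in the thread; the second sample header is constructed for illustration.

```python
import re

# Score contributed by whitelisting, as stated in the thread ("applies a score of -100").
WHITELIST_SCORE = -100.0
WHITELIST_RULE = "USER_IN_WHITELIST"

_SPAMCHECK = re.compile(
    r"^(?P<verdict>[^,]+),\s*SpamAssassin\s*\(\s*score=(?P<score>-?\d+(?:\.\d+)?),"
    r"\s*required\s+(?P<required>-?\d+(?:\.\d+)?)\s*(?:,\s*(?P<rules>[^)]*))?\)\s*$"
)

# Header value exactly as quoted in the thread.
THREAD_HEADER = (
    "not spam, SpamAssassin (score=-97.9, required 5,\n"
    "\tINVALID_MSGID, MSGID_CHARS_SPAM, SPAM_PHRASE_05_08, SUB_FREE_OFFER,\n"
    "\tUSER_IN_WHITELIST, US_DOLLARS_2)"
)

# Constructed sample: a whitelisted message whose content alone would exceed the threshold.
CONSTRUCTED_HEADER = (
    "not spam, SpamAssassin (score=-91.3, required 5, "
    "SUB_FREE_OFFER, USER_IN_WHITELIST, US_DOLLARS_2)"
)


def parse_spamcheck(value):
    """Split a SpamCheck header value into verdict, score, threshold and rule names."""
    flat = " ".join(value.split())          # undo header folding
    match = _SPAMCHECK.match(flat)
    if match is None:
        raise ValueError("unrecognised SpamCheck header: %r" % flat)
    rules = [r.strip() for r in (match.group("rules") or "").split(",") if r.strip()]
    return {
        "verdict": match.group("verdict").strip(),
        "score": float(match.group("score")),
        "required": float(match.group("required")),
        "rules": rules,
    }


def assess(value):
    """Report the score with the whitelist bonus removed and whether the
    whitelist is the only reason the message was not tagged as spam."""
    info = parse_spamcheck(value)
    whitelisted = WHITELIST_RULE in info["rules"]
    underlying = info["score"]
    if whitelisted:
        underlying = round(info["score"] - WHITELIST_SCORE, 1)
    info["whitelisted"] = whitelisted
    info["underlying_score"] = underlying
    info["masked_by_whitelist"] = (
        whitelisted
        and info["score"] < info["required"]
        and underlying >= info["required"]
    )
    return info


if __name__ == "__main__":
    for header in (THREAD_HEADER, CONSTRUCTED_HEADER):
        result = assess(header)
        print(result["score"], result["underlying_score"], result["masked_by_whitelist"])
```

Messages flagged as masked are the ones worth reviewing when deciding whether a default whitelist entry should stay enabled.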
From: mkettler at EVI-INC.COM (Matt Kettler)
Date: Thu Jan 12 21:17:10 2006
Subject: RBL Checks Broken
In-Reply-To: <5.1.1.6.2.20030212120955.03669a60@pop3.tulsaconnect.com>
References: <165234644.1045070141@jemima.zanker.org> <5.1.1.6.2.20030212083622.035f6ea0@securemail.tulsaconnect.com> <5.1.1.6.2.20030212083622.035f6ea0@securemail.tulsaconnect.c om>
Message-ID: <5.1.1.6.0.20030212134650.0167bb38@192.168.50.2>

run this:

spamassassin -tD /dev/null

and read the debug output, this will tell you at least if SA can read your config files, and if it thinks you have a working dns setup.

sample-nonspam.txt comes in the SA tarball as a test message..

In particular, look for this line near the top of the debug output:

debug: is Net::DNS::Resolver unavailable? 0

And be on the lookout for it complaining about syntax issues while trying to parse your rule files.

At 12:10 PM 2/12/2003 -0600, you wrote:
>At 05:15 PM 2/12/2003 +0000, you wrote:
>>On 12 February 2003 08:41 -0600 ISP List
>>wrote:
>>
>>>The crux of the problem is that I can't get SA to run any RBL checks.
>>
>>Do you have Net::DNS installed?
>>
>>Mike.
>
>Yep.
>
>--Mike

From john.hanks at USU.EDU Wed Feb 12 19:06:27 2003
From: john.hanks at USU.EDU (John B. Hanks)
Date: Thu Jan 12 21:17:10 2006
Subject: Something I did.
Message-ID: <5CA287DBA85BF649A45916B75FD20E0E125781@exchange.usu.edu>

This is probably old news to most of you, but I am pretty pleased with how well it solved my problem so I thought I'd share it and see if it were useful or if someone has a better way.

I have two MailScanner/SpamAssassin machines which act as gateways for our campus. Lately, as our mail load has increased (more people are diverting incoming mail through us) I have seen a slow rise in the size of the outgoing mail queue. Recently when one of our major mailservers was experiencing problems, my queues grew to > 8,000 messages and the boxes became heavily loaded with sendmail attempting to deliver from this large queue directory, to the point where sendmail stopped accepting mail on one of the machines.

I wanted to make our setup more robust and meet the following goals:

1. I must queue mail for 5 days before rejecting it, I promised the users that I would do so.
2. I did not want to manage multiple queues for different domains or run multiple sendmails on different IP addresses to split the load among directories.
3. I wanted to keep the queues on the mailscanner machines as small as possible but not have to manually move messages to alternate queues.
4. I wanted the solution to be as simple as possible.

I found my solution in the FallbackMXhost option. This option basically tells sendmail if all else fails when delivering, use this host. I set up a third machine which acts as a pretty standard RedHat/sendmail relay box, accepting messages and relaying for or to any campus machine (*.usu.edu).
Then on each mailscanner machine I added this to sendmail.mc:

define(`confFALLBACK_MX',`queued.usu.edu')

Then with sendmail.cf regenerated as per the instructions in the sendmail.mc file, I restarted MailScanner and watched with great joy as roughly 5,000 undeliverable SPAM NDRs flowed off the machines and onto the new box. The queued.usu.edu machine can be much more patient with retries since once mail is there I'm not in any particular hurry to get it delivered.

YMMV, but it worked for me.

jbh

From isp-list at TULSACONNECT.COM Wed Feb 12 19:33:48 2003
From: isp-list at TULSACONNECT.COM (ISP List)
Date: Thu Jan 12 21:17:10 2006
Subject: RBL Checks Broken
In-Reply-To: <5.1.1.6.0.20030212134650.0167bb38@192.168.50.2>
References: <5.1.1.6.2.20030212120955.03669a60@pop3.tulsaconnect.com> <165234644.1045070141@jemima.zanker.org> <5.1.1.6.2.20030212083622.035f6ea0@securemail.tulsaconnect.com> <5.1.1.6.2.20030212083622.035f6ea0@securemail.tulsaconnect.c om>
Message-ID: <5.1.1.6.2.20030212133259.03412148@pop3.tulsaconnect.com>

At 01:51 PM 2/12/2003 -0500, you wrote:
>run this:
>
>spamassassin -tD /dev/null
>
>and read the debug output, this will tell you at least if SA can read your
>config files, and if it thinks you have a working dns setup.
>
>sample-nonspam.txt comes in the SA tarball as a test message..
>
>In particular, look for this line near the top of the debug output:
>
>debug: is Net::DNS::Resolver unavailable? 0
>
>And be on the lookout for it complaining about syntax issues while trying to
>parse your rule files.

After doing some checking, it appears that, while Net::DNS was installed, SA was having trouble using it. I used cpan to upgrade to the latest version of it, and now it works fine.

Thanks for the help on this.

--Mike

From Cleveland at MAIL.WINNEFOX.ORG Wed Feb 12 20:15:53 2003
From: Cleveland at MAIL.WINNEFOX.ORG (Jody Cleveland)
Date: Thu Jan 12 21:17:10 2006
Subject: messages routing - MailScanner not working
Message-ID: <84CFA712F666B44A94CE6BE116BAF4B0B4E350@MAIL>

Hello,

Here's my setup. I've got an Exchange Server running Exchange 5.5. I got a new redhat 8 box setup, which I installed the latest MailScanner rpm onto, along with f-prot for antivirus. I have mail now successfully being routed through the linux box through to exchange. The problem comes in with MailScanner. It's as if it doesn't know that mail is going through.

We are a library consortium. One of the things we do is provide 30 libraries with email. One of those domains is working with MailScanner. I send messages to xxx@ourguide.org, and in the headers it says that MailScanner saw it as clean. And, if I send eicar through, it catches it, and so forth.

Does anyone have any idea why none of the other domains are working with this?

--
Jody Cleveland
(cleveland@mail.winnefox.org)
Winnefox Library System
Computer Support Specialist

From mbowman at UDCOM.COM Wed Feb 12 20:26:47 2003
From: mbowman at UDCOM.COM (Matthew Bowman)
Date: Thu Jan 12 21:17:10 2006
Subject: messages routing - MailScanner not working
Message-ID:

Hello

Just checking the following

Is your relay_domains file setup with each domain that is supposed to be routed?

Also does your MX point to the mailscanner box ?

Is your mailertable setup to the forwarding to the exchange server ?

Regards,

Matthew K Bowman
Systems Administrator; Hostmaster; Miva Administrator
Universal Digital Communications, Mansfield Ohio.

Jody Cleveland
Sent by: MailScanner mailing list
02/12/2003 03:15 PM
Please respond to MailScanner mailing list

To: MAILSCANNER@JISCMAIL.AC.UK
cc:
Subject: messages routing - MailScanner not working

Hello,

Here's my setup. I've got an Exchange Server running Exchange 5.5. I got a new redhat 8 box setup, which I installed the latest MailScanner rpm onto, along with f-prot for antivirus. I have mail now successfully being routed through the linux box through to exchange. The problem comes in with MailScanner. It's as if it doesn't know that mail is going through.

We are a library consortium. One of the things we do is provide 30 libraries with email. One of those domains is working with MailScanner. I send messages to xxx@ourguide.org, and in the headers it says that MailScanner saw it as clean. And, if I send eicar through, it catches it, and so forth.

Does anyone have any idea why none of the other domains are working with this?

--
Jody Cleveland
(cleveland@mail.winnefox.org)
Winnefox Library System
Computer Support Specialist

From Cleveland at MAIL.WINNEFOX.ORG Wed Feb 12 20:39:49 2003
From: Cleveland at MAIL.WINNEFOX.ORG (Jody Cleveland)
Date: Thu Jan 12 21:17:10 2006
Subject: messages routing - MailScanner not working
Message-ID: <84CFA712F666B44A94CE6BE116BAF4B0B4E351@MAIL>

Hello,

> Is your relay_domains file setup with each domain that is
> supposed to be routed?

I'm using webmin for all the configuration, and I have all the domains listed in the Relay Domains section.

> Also does your MX point to the mailscanner box ?

Yes. All 30 domains have identical dns mx settings.

> Is your mailertable setup to the forwarding to the exchange server ?

/etc/mail/mailertable is completely empty. But, mail does successfully get routed through from all 30 domains to the exchange server. It's just that only one out of those 30 gets "seen" by MailScanner.

Any ideas?

From Kevin.Spicer at BMRB.CO.UK Wed Feb 12 20:44:55 2003
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin)
Date: Thu Jan 12 21:17:10 2006
Subject: messages routing - MailScanner not working
Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0A4AD2A@pascal.priv.bmrb.co.uk>

> /etc/mail/mailertable is completely empty. But, mail does
> successfully get
> routed through from all 30 domains to the exchange server.
> It's just that
> only one out of those 30 gets "seen" by MailScanner.
>
> Any ideas?
>

Are you sure that the mail is actually passing through the mailscanner server (whether it's possible for it to be bypassed depends on your MX records and whether your exchange server is visible from outside). Check the headers of your unscanned messages and see if they have actually passed through your mailscanner machine.

From Cleveland at MAIL.WINNEFOX.ORG Wed Feb 12 21:27:16 2003
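Added example, not part of the original thread: one way to automate the header check suggested in the preceding reply, by looking at which host handed each message to the final mail server and whether a MailScanner header is present. The gateway address, host names, Received-line layout and sample messages are constructed assumptions; only the X-MailScanner header prefix comes from the thread.

```python
import re
from email import message_from_string

# Assumption: IP address of the MailScanner gateway as seen by the mail store.
GATEWAY_IP = "192.0.2.10"

_IP_IN_BRACKETS = re.compile(r"\[([0-9A-Fa-f.:]+)\]")

# Constructed sample: delivered via the gateway and marked by MailScanner.
SCANNED = """\
Received: from scanner.example.org (scanner.example.org [192.0.2.10])
\tby exchange.example.org with ESMTP; Wed, 12 Feb 2003 15:01:02 -0600
Received: from sender.example.net (sender.example.net [198.51.100.7])
\tby scanner.example.org with ESMTP; Wed, 12 Feb 2003 15:01:00 -0600
X-MailScanner: Found to be clean
From: someone@example.net
To: xxx@ourguide.org
Subject: via gateway

body
"""

# Constructed sample: the sender connected straight to the mail store (MX not pointing
# at the gateway), so the message was never scanned.
BYPASSED = """\
Received: from sender.example.net (sender.example.net [198.51.100.7])
\tby exchange.example.org with ESMTP; Wed, 12 Feb 2003 15:05:00 -0600
From: someone@example.net
To: user@library.example.org
Subject: direct delivery

body
"""

# Constructed sample: same direct path, but the message already carries a scanner
# header. Headers below the topmost Received line are supplied by the sending side,
# so the marker alone proves nothing.
MARKED_BUT_DIRECT = "X-MailScanner: Found to be clean\n" + BYPASSED


def handed_over_by(raw):
    """IP of the host that delivered the message to the final server, taken from the
    topmost Received header (the only one written by that server itself)."""
    received = message_from_string(raw).get_all("Received", [])
    if not received:
        return None
    match = _IP_IN_BRACKETS.search(received[0])
    return match.group(1) if match else None


def scanner_headers(raw):
    """Names of all X-MailScanner* headers present in the message."""
    msg = message_from_string(raw)
    return [name for name in msg.keys() if name.lower().startswith("x-mailscanner")]


def classify(raw, gateway_ip=GATEWAY_IP):
    """Return 'scanned', 'relayed-unscanned', 'forged-marker' or 'bypassed'."""
    via_gateway = handed_over_by(raw) == gateway_ip
    marked = bool(scanner_headers(raw))
    if via_gateway:
        return "scanned" if marked else "relayed-unscanned"
    return "forged-marker" if marked else "bypassed"


if __name__ == "__main__":
    for label, raw in (("scanned", SCANNED), ("bypassed", BYPASSED),
                       ("marked-but-direct", MARKED_BUT_DIRECT)):
        print(label, "->", handed_over_by(raw), classify(raw))
```

A "bypassed" result for a domain points at the MX records or at the mail store being reachable from outside, which is the cause found later in this thread.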
From: Cleveland at MAIL.WINNEFOX.ORG (Jody Cleveland)
Date: Thu Jan 12 21:17:10 2006
Subject: messages routing - MailScanner not working [SOLVED]
Message-ID: <84CFA712F666B44A94CE6BE116BAF4B0B4E353@MAIL>

> Are you sure that the mail is actually passing through the
> mailscanner server (whether it's possible for it to be
> bypassed depends on your MX records and whether your exchange
> server is visible from outside). Check the headers of your
> unscanned messages and see if they have actually passed
> through your mailscanner machine.

Oh. My. Gosh. Wow. You know, the first question I ask when someone calls to say something isn't working, is to ask them if the power is on. Never thought to do that myself. Anyway, we did (or so we thought) set the mx record correctly. But, per your suggestion, I checked the mail headers. Sure enough, the linux box wasn't touching them. So, we double checked the records. The settings we changed must not have stuck. So, we re-changed the settings, and now everything works like a charm.

THANK YOU!!!

Jody

From mike at ZANKER.ORG Wed Feb 12 21:37:20 2003
From: mike at ZANKER.ORG (Mike Zanker)
Date: Thu Jan 12 21:17:10 2006
Subject: Mailscanner 4.12 on Solaris 9 x86
Message-ID: <7518681.1045085840@jemima.zanker.org>

Anybody running Mailscanner 4.12 on Solaris 9 x86? Any pitfalls to be aware of?

Thanks,

Mike.

From carl.boberg at NRM.SE Thu Feb 13 12:58:36 2003
From: carl.boberg at NRM.SE (Carl Boberg)
Date: Thu Jan 12 21:17:10 2006
Subject: Restoring quarantine files?
Message-ID:

Hi,

I don't know if this has been explained earlier. I have searched the list archives and haven't found any answer...

What is the easiest(best) way to restore an attachment that has been quarantined?

Best regards
---------------------------------
Carl Boberg
System & Network Administrator
Dept. of Information Technology
Swedish Museum of Natural History
Frescativ. 40
104 05 Stockholm
carl.boberg@nrm.se
Phone: 08-519 551 16
Mobile: 0701-82 40 55
---------------------------------

From Denis.Beauchemin at USHERBROOKE.CA Thu Feb 13 14:17:07 2003
From: Denis.Beauchemin at USHERBROOKE.CA (Denis Beauchemin)
Date: Thu Jan 12 21:17:10 2006
Subject: Something I did.
In-Reply-To: <5CA287DBA85BF649A45916B75FD20E0E125781@exchange.usu.edu>
References: <5CA287DBA85BF649A45916B75FD20E0E125781@exchange.usu.edu>
Message-ID: <1045145826.28217.56.camel@dbeauchemin.si.usherbrooke.ca>

Hi John,

Here we solved the problem defining multiple outgoing queues that get processed less and less often as time goes by. We also have a job that moves mails from one queue to the next after some time:

# du -sh /var/spool/mqueue*
3.1M /var/spool/mqueue
2.2M /var/spool/mqueue.in
72k /var/spool/mqueue2
2.5M /var/spool/mqueue3
7.7M /var/spool/mqueue4

# ls -ld /var/spool/mqueue*
drwxr-xr-x 2 root mail 36864 Feb 13 09:06 /var/spool/mqueue/
drwxr-xr-x 2 root mail 20480 Feb 13 08:33 /var/spool/mqueue2/
drwxr-xr-x 2 root mail 16384 Feb 13 09:03 /var/spool/mqueue3/
drwxr-xr-x 2 root mail 32768 Feb 13 09:03 /var/spool/mqueue4/
drwx------ 2 root root 98304 Feb 13 09:06 /var/spool/mqueue.in/

# crontab -l|egrep "send|mq"
13 * * * * /usr/local/bin/re-mqueue /var/spool/mqueue /var/spool/mqueue2 2700 > /dev/null 2>&1
33 * * * * /usr/local/bin/re-mqueue /var/spool/mqueue2 /var/spool/mqueue3 11700 > /dev/null 2>&1
03 * * * * /usr/local/bin/re-mqueue /var/spool/mqueue3 /var/spool/mqueue4 100000 > /dev/null 2>&1
20 * * * * /usr/sbin/sendmail -oQ/var/spool/mqueue2 -q > /dev/null 2>&1
40 0-23/4 * * * /usr/sbin/sendmail -oQ/var/spool/mqueue3 -q > /dev/null 2>&1
10 0-23/6 * * * /usr/sbin/sendmail -oQ/var/spool/mqueue4 -q > /dev/null 2>&1

Here is some info on re-mqueue:

# re-mqueue -- requeue messages from queueA to queueB based on age.
#
# Contributed by Paul Pomes .
# http://www.qualcomm.com/~ppomes/
#
# Usage: re-mqueue [-d] queueA queueB seconds
#
# -d enable debugging
# queueA source directory
# queueB destination directory
# seconds select files older than this number of seconds
#
# Example: re-mqueue /var/spool/mqueue /var/spool/mqueue2 2700
#
# Moves the qf* and df* files for a message from /var/spool/mqueue to
# /var/spool/mqueue2 if the df* file is over 2700 seconds old.
#
# The qf* file can't be used for age checking as it's partially re-written
# with the results of the last queue run.
#
# Rationale: With a limited number of sendmail processes allowed to run,
# messages that can't be delivered immediately slow down the ones that can.
# This becomes especially important when messages are being queued instead
# of delivered right away, or when the queue becomes excessively deep.
# By putting messages that have already failed one or more delivery attempts
# into another queue, the primary queue can be kept small and fast.
#
# On postoffice.cso.uiuc.edu, the primary sendmail daemon runs the queue
# every thirty minutes. Messages over 45 minutes old are moved to
# /var/spool/mqueue2 where sendmail runs every hour. Messages more than
# 3.25 hours old are moved to /var/spool/mqueue3 where sendmail runs every
# four hours. Messages more than a day old are moved to /var/spool/mqueue4
# where sendmail runs three times a day. The idea is that a message is
# tried at least twice in the first three queues before being moved to the
# old-age ghetto.

I just checked and the link to the author is no longer working. I could send it to the list if people are interested.

Denis

On Wed 12/02/2003 at 14:06, John B. Hanks wrote:
> This is probably old news to most of you, but I am pretty pleased with how
> well it solved my problem so I thought I'd share it and see if it were
> useful or if someone has a better way.
>
> I have two MailScanner/SpamAssassin machines which act as gateways for our
> campus.
Lately, as our mail load has increased (more people are diverting > incoming mail through us) I have seen a slow rise in the size of the > outgoing mail queue. Recently when one of our major mailservers was > experiencing problems, my queues grew to > 8,000 messages and the boxes > became heavily loaded with sendmail attempting to deliver from this large > queue directory, to the point where sendmail stopped accepting mail on one > of the machines. > > I wanted to make our setup more robust and meet the following goals: > > 1. I must queue mail for 5 days before rejecting it, I promised the users > that I would do so. > 2. I did not want to manage multiple queues for different domains or run > multiple sendmails on different IP addresses to split the load among > directories. > 3. I wanted to keep the queues on the mailscanner machines as small as > possible but not have to manually move messages to alternate queues. > 4. I wanted the solution to be as simple as possible. > > I found my solution in the FallbackMXhost option. This option basically > tells sendmail if all else fails when delivering, use this host. I set up a > third machine which acts as a pretty standard RedHat/sendmail relay box, > accepting messages and relaying for or to any campus machine (*.usu.edu). > > Then on each mailscanner machine I added this to sendmail.mc: > > define(`confFALLBACK_MX',`queued.usu.edu') > > Then with sendmail.cf regenerated as per the instructions in the sendmail.mc > file, I restarted MailScanner and watched with great joy as roughly 5,000 > undeliverable SPAM NDRs flowed off the machines and onto the new box. The > queued.usu.edu machine can be much more patient with retries since once mail > is there I'm not in any particular hurry to get it delivered. > > YMMV, but it worked for me. > > jbh -- Denis Beauchemin, analyste Universit? de Sherbrooke, S.T.I. T: 819.821.8000x2252 F: 819.821.8045 From mike at CAMAROSS.NET Thu Feb 13 14:22:55 2003 
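[Added example, not part of Denis Beauchemin's message and not the re-mqueue script later attached to the list: the age-based move that the re-mqueue header comments above describe, written in Python. The queue ids, the temporary directories and the flock()-based "message is busy" check are assumptions made for the illustration; source and destination are assumed to be on one filesystem.]

```python
import fcntl
import os
import tempfile
import time


def requeue(src, dst, min_age, now=None):
    """Move qf*/df* pairs from src to dst when the df file is older than
    min_age seconds. Returns the sorted list of queue ids that were moved."""
    now = time.time() if now is None else now
    moved = []
    for name in sorted(os.listdir(src)):
        if not name.startswith("df"):
            continue
        qid = name[2:]
        df_src, qf_src = (os.path.join(src, p + qid) for p in ("df", "qf"))
        df_dst, qf_dst = (os.path.join(dst, p + qid) for p in ("df", "qf"))

        # Age comes from the df (body) file: the qf (control) file is
        # partially rewritten on every queue run, so its mtime keeps moving.
        try:
            age = now - os.stat(df_src).st_mtime
        except FileNotFoundError:
            continue  # delivered and removed since listdir()
        if age <= min_age:
            continue

        # Never overwrite a message already present in the destination.
        if os.path.exists(df_dst) or os.path.exists(qf_dst):
            continue

        try:
            qf = open(qf_src, "rb")
        except FileNotFoundError:
            continue  # df without qf: still being written, or orphaned
        with qf:
            try:
                # Assumption: a queue runner holds an flock() on the qf
                # file while it is working on the message.
                fcntl.flock(qf, fcntl.LOCK_EX | fcntl.LOCK_NB)
            except BlockingIOError:
                continue  # busy right now; the next cron run retries
            # rename() is atomic within one filesystem. Body first, then
            # control file, so dst never holds a qf without its df.
            os.rename(df_src, df_dst)
            os.rename(qf_src, qf_dst)
        moved.append(qid)
    return moved


def demo():
    """Constructed sample queue: an old pair, a fresh pair, an old df with
    no qf, and an old pair whose qf is locked by a simulated queue runner."""
    now = 1_000_000_000
    ages = {"AAA0001": 3000, "AAA0002": 600, "AAA0003": 5000, "AAA0004": 4000}
    with tempfile.TemporaryDirectory() as root:
        src = os.path.join(root, "mqueue")
        dst = os.path.join(root, "mqueue2")
        os.mkdir(src)
        os.mkdir(dst)
        for qid, age in ages.items():
            for prefix in ("df", "qf"):
                if qid == "AAA0003" and prefix == "qf":
                    continue  # orphaned body file
                path = os.path.join(src, prefix + qid)
                open(path, "w").close()
                os.utime(path, (now - age, now - age))
        # A queue run just rewrote this qf; its fresh mtime must not matter.
        os.utime(os.path.join(src, "qfAAA0001"), (now, now))
        busy = open(os.path.join(src, "qfAAA0004"), "rb")
        fcntl.flock(busy, fcntl.LOCK_EX)
        try:
            moved = requeue(src, dst, 2700, now=now)
            return moved, sorted(os.listdir(src)), sorted(os.listdir(dst))
        finally:
            busy.close()


if __name__ == "__main__":
    print(demo())
```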
From: mike at CAMAROSS.NET (Mike Kercher)
Date: Thu Jan 12 21:17:10 2006
Subject: Something I did.
In-Reply-To: <1045145826.28217.56.camel@dbeauchemin.si.usherbrooke.ca>
Message-ID: <039701c2d36b$66e74870$9801a8c0@home.middlefinger.net>

Please do!

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Denis Beauchemin
Sent: Thursday, February 13, 2003 8:17 AM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Something I did.

From Peter.Bates at LSHTM.AC.UK Thu Feb 13 14:30:39 2003
From: Peter.Bates at LSHTM.AC.UK (Peter Bates)
Date: Thu Jan 12 21:17:10 2006
Subject: Sophos and Corrupt Files (belated response)
Message-ID:

Hello all...

I'll start off with saying that we primarily run Amavis with Postfix here, but are doing some tests with MailScanner at the moment...

Just a thing I noted from a recent discussion about amavis (which has split into three forks, and there is presently interesting arguing going on):

| I'm using amavisd-new with Sophos Sweep as the scanner. Since sweep can
| not scan inside password protected MS-Excel or MS-Word files, it returns a
| code 2, causing amavisd to fail. It lets the parts in /var/amavis and the
| e-mail remains in the defer queue of the MTA (postfix, in this case). But
| mail is not delivered (!). Is there any way to avoid this?, another
| scanner?.

>Add status code 2 along with 0 to the success 'if' branch
>(file ./amavis/av/sophos), or upgrade to amavisd-new-20021227-p2.

So the basic bottom line is that sweep returns an error code of 2, 'corrupt file', and both MailScanner and amavis have had to work around this.

I've seen about 5 messages (a sudden burst) labelled as 'corrupt' today on our test MailScanner (Sophos 3.66 & McAfee) box... are the patches going to appear in a future MS release that might happen any time soon?

...

--------------------------------------------------------------------------------------------------->
Peter Bates, Systems Support Officer, Network Support Team.
London School of Hygiene & Tropical Medicine.
Telephone:0207-958 8353 / Fax: 0207- 636 9838

From Denis.Beauchemin at USHERBROOKE.CA Thu Feb 13 14:37:50 2003
From: Denis.Beauchemin at USHERBROOKE.CA (Denis Beauchemin)
Date: Thu Jan 12 21:17:10 2006
Subject: Something I did.
In-Reply-To: <039701c2d36b$66e74870$9801a8c0@home.middlefinger.net>
References: <039701c2d36b$66e74870$9801a8c0@home.middlefinger.net>
Message-ID: <1045147070.1231.3.camel@dbeauchemin.si.usherbrooke.ca>

On Thu 13/02/2003 at 09:22, Mike Kercher wrote:
> Please do!

Here it goes...

Denis
--
Denis Beauchemin, analyste
Université de Sherbrooke, S.T.I.
T: 819.821.8000x2252 F: 819.821.8045

-------------- next part --------------
A non-text attachment was scrubbed...
Name: re-mqueue
Type: text/x-perl
Size: 10088 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030213/d1d6a330/re-mqueue.bin

From Peter.Bates at LSHTM.AC.UK Thu Feb 13 14:38:23 2003
From: Peter.Bates at LSHTM.AC.UK (Peter Bates)
Date: Thu Jan 12 21:17:10 2006
Subject: F-Prot & MailScanner...
Message-ID:

Hello all...

I've been looking at F-prot, to consider using it as an AV scanner with MailScanner.

There is the 'F-Prot for Small Business' and 'F-Prot for Enterprise Business'...

If I just want to try it out, which should I use?

It also says:
"License shall be without charge for personal users of F-Prot Linux for Small Business, when used on personal workstations."

... so if I downloaded this version, how does it know it's not a 'personal workstation'?

Thanks...

--------------------------------------------------------------------------------------------------->
Peter Bates, Systems Support Officer, Network Support Team.
London School of Hygiene & Tropical Medicine.
Telephone:0207-958 8353 / Fax: 0207- 636 9838

From Kevin.Spicer at BMRB.CO.UK Thu Feb 13 14:44:10 2003
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin)
Date: Thu Jan 12 21:17:10 2006
Subject: F-Prot & MailScanner...
Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0EBF3B1@pascal.priv.bmrb.co.uk>

> Hello all...
>
> I've been looking at F-prot, to consider using it as
> an AV scanner with MailScanner.
>
> There is the 'F-Prot for Small Business' and
> 'F-Prot for Enterprise Business'...
>
> If I just want to try it out, which should I use?

MailScanner only needs the command line version, 'F-Prot for Small Business'

>
> It also says:
> "License shall be without charge for personal users of F-Prot
> Linux for Small Business,
> when used on personal workstations."
>
> ... so if I downloaded this version, how does it know it's
> not a 'personal workstation'?

I guess it doesn't but that doesn't alter the fact that you would be in breach of the license. F-Prot's pricing isn't bad from what I've heard (I only use it at home where it is definitely free). If you don't want to pay use Clam.

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000
_________________________________________________________________
This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business.

From m.sapsed at BANGOR.AC.UK Thu Feb 13 18:14:21 2003
From: m.sapsed at BANGOR.AC.UK (Martin Sapsed)
Date: Thu Jan 12 21:17:10 2006
Subject: Sophos and Corrupt Files (belated response)
References:
Message-ID: <3E4BE07D.8080108@bangor.ac.uk>

Peter Bates wrote:
> I've seen about 5 messages (a sudden burst) labelled as 'corrupt' today
> on our test MailScanner (Sophos 3.66 & McAfee) box... are the patches
> going to appear in a future MS release that might happen any time soon?

If these were PDF files then you've hit the "known issue" of 3.66 not liking PDF files. You can get a version 3.66a from Sophos which resolves this issue. If they were Excel or Word files then please feel free to ignore this message!

Cheers,

Martin

--
Martin Sapsed Information Services
"Who do you say I am?" University of Wales, Bangor
Jesus of Nazareth

From mkettler at EVI-INC.COM Thu Feb 13 19:01:51 2003
From: mkettler at EVI-INC.COM (Matt Kettler)
Date: Thu Jan 12 21:17:10 2006
Subject: Restoring quarantine files?
In-Reply-To:
Message-ID: <5.1.1.6.0.20030213135536.018a3d58@192.168.50.2>

Well, the quarantined file is just dropped onto your server. I generally go ahead and re-send it to them using mutt:

mutt "user@evi-inc.com" -a quarantined_file -s "here's your file"

Hi,
>I don't know if this has been explained earlier. I have searched the list
>archives and haven't found any answer...
>
>What is the easiest(best) way to restore an attachment that has been
>quarantined?
>
>Best regards
>---------------------------------
>Carl Boberg
>System & Network Administrator
>Dept. of Information Technology
>Swedish Museum of Natural History
>Frescativ. 40
>104 05 Stockholm
>carl.boberg@nrm.se
>Phone: 08-519 551 16
>Mobile: 0701-82 40 55
>---------------------------------

From Peter.Bates at LSHTM.AC.UK Fri Feb 14 10:56:36 2003
From: Peter.Bates at LSHTM.AC.UK (Peter Bates)
Date: Thu Jan 12 21:17:10 2006
Subject: Sophos and Corrupt Files (belated response)
Message-ID:

Hello all...

I wish it was PDFs, as I would then talk to Sophos about 3.66a.

However:

"
Sender:
IP Address: 193.63.251.36
Recipient: postmaster@hancock.lshtm.ac.uk
Subject: Undelivered Mail Returned to Sender
MessageID: h1E8wCY31248
Report: Could not check ./h1E8wCY31248/laos second draft.doc (corrupt)

Sender:
IP Address: 193.63.251.36
Recipient: postmaster@hancock.lshtm.ac.uk
Subject: Undelivered Mail Returned to Sender
MessageID: h1E9KYY31429
Report: Could not check ./h1E9KYY31429/PLANNING TABLE FOR RHIYA WORKSHOPS.doc (corrupt)
"

... I've also seen an .xls file.

All of these, interestingly, appear to be bounces back to our postmaster (mail is routing around our systems in a most-amusing way at the moment). They are, in fact, messages being sent to a user at our site who redirects/forwards her email to Hotmail. Hotmail is presently returning a 'user exceeded storage allocation' message, so it bounces back to our Postmaster.

Whether this tortuous route mangles the Word files along the way, I'm not sure...

Julian, are the patches to deal with the Sophos return codes going into a forthcoming version of MailScanner, and when might that appear?

...

--------------------------------------------------------------------------------------------------->
Peter Bates, Systems Support Officer, Network Support Team.
London School of Hygiene & Tropical Medicine.
Telephone:0207-958 8353 / Fax: 0207- 636 9838

From daniele.antoniazzi at ACCENT.IT Fri Feb 14 13:23:59 2003
From: daniele.antoniazzi at ACCENT.IT (Daniele Antoniazzi)
Date: Thu Jan 12 21:17:10 2006
Subject: MailScanner is not processing files in /var/spool/mqueue.in
Message-ID: <3E4CEDEF.4090107@accent.it>

Dear All,

I've installed MailScanner following the instructions at:

http://www.sng.ecs.soton.ac.uk/mailscanner/install/other.shtml

on a Solaris machine. My platform is:

Solaris 2.6
perl v5.6.0 built for sun4-solaris
MailScanner 4.12-2
no SpamAssassin
fresh install from tarball

I've checked all paths in conf files, and everything seems consistent. I receive correctly the mails in /var/spool/mqueue.in, but afterwards nothing happens...

I've enabled mail scanning in /opt/MailScanner/etc/MailScanner.conf
I've started MailScanner with:

/opt/MailScanner/bin/check_mailscanner

and I can see MailScanner with ps, I see running:

/usr/local/bin/perl -I/opt/MailScanner/lib /opt/MailScanner/bin/MailScanner /opt/MailScanner/etc/MailScanner.conf

I've also monitored it with truss, it sleeps for a while and then wakes up and forks, I've also seen that it fails on this:

stat64("/var/spool/MailScanner/incoming/15742", 0x000ED998) Err#2 ENOENT

where 15742 is just a number increasing.
No file is created in:

/var/spool/MailScanner/incoming

and nothing disappears from:

/var/spool/mqueue.in

Could you please help me?

Ciao
Daniele

From mike at CAMAROSS.NET Fri Feb 14 13:45:49 2003
From: mike at CAMAROSS.NET (Mike Kercher)
Date: Thu Jan 12 21:17:10 2006
Subject: MailScanner is not processing files in /var/spool/mqueue.in
In-Reply-To: <3E4CEDEF.4090107@accent.it>
Message-ID: <051401c2d42f$626b0f10$9801a8c0@home.middlefinger.net>

I don't know Solaris, but on a Linux system we have to disable the normal sendmail processes and let MailScanner start them up in its own way. Did you do something similar on your Solaris box?

Mike

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Daniele Antoniazzi
Sent: Friday, February 14, 2003 7:24 AM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: MailScanner is not processing files in /var/spool/mqueue.in

From Kevin.Spicer at BMRB.CO.UK Fri Feb 14 13:53:39 2003
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin)
Date: Thu Jan 12 21:17:10 2006
Subject: MailScanner is not processing files in /var/spool/mqueue.in
Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0EBF3B9@pascal.priv.bmrb.co.uk>

> stat64("/var/spool/MailScanner/incoming/15742", 0x000ED998)
> Err#2 ENOENT
>

ENOENT means the file does not exist...

> where 15742 is just a number increasing.
> No file is created in:
>
> /var/spool/MailScanner/incoming

which is probably why it doesn't exist :)

>
> and nothing disappears from:
>
> /var/spool/mqueue.in
>

Have you checked that the user running mailscanner can read and write to incoming and mqueue.in. And that the permissions that sendmail is queuing files with make those files readable and writable by the mailscanner user (probably this is root - so it shouldn't really be a problem). Does mqueue.in contain both qf and df files? Anything in the logs (mail logs go to syslog by default on Sol2.6 IIRC)? How many MailScanner processes does ps show (normally 5 unless you've tweaked this - I've seen it fail to fork children, at least ones that survive, when the configuration file has an error in it)

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000

From linux at mostert.nom.za Fri Feb 14 14:02:34 2003
From: linux at mostert.nom.za (Mozzi)
Date: Thu Jan 12 21:17:10 2006
Subject: messages building up
Message-ID: <200302141602.34404.linux@mostert.nom.za>

Hallo all

I have a server here that is under fairly high load. My problem is that the messages seem to keep on building up in the mque.in directory. Now I have set the Max Children = 60 as you can see and setup sendmail to deque every 5 mins (sendmail -bd -q15m)

Any ideas how I can get the performance up ?

The server is a dual pIII 800 with 3Gigs ram and a raid5 array
It is running Redhat 7.3 with sendmail (standard) all patches were applied with up2date.
Mailscanner is Version 4.12-2 installed from rpm's using f-prot

Tnx
Mozzi

From Denis.Beauchemin at USHERBROOKE.CA Fri Feb 14 15:13:00 2003
From: Denis.Beauchemin at USHERBROOKE.CA (Denis Beauchemin)
Date: Thu Jan 12 21:17:10 2006
Subject: Problems with winmail.dat
Message-ID: <1045235579.1239.93.camel@dbeauchemin.si.usherbrooke.ca>

Hi,

I use MS with "Expand TNEF = yes" but a message in a winmail.dat bypasses the filename.rules.conf file tests! I quarantine all .EXE files but if someone sends one in a winmail.dat it will be delivered without even a warning.

Could this be fixed? I thought I tested this in a previous release and using the external TNEF expander solved this problem.

I am running mailscanner-4.12-2.

Thanks again!

Denis
--
Denis Beauchemin, analyste
Université de Sherbrooke, S.T.I.
T: 819.821.8000x2252 F: 819.821.8045

From kovalcik at ORION-DESIGN.COM Fri Feb 14 15:28:31 2003
From: kovalcik at ORION-DESIGN.COM (Tom Kovalcik)
Date: Thu Jan 12 21:17:11 2006
Subject: Mailscanner logs
In-Reply-To: <1045235579.1239.93.camel@dbeauchemin.si.usherbrooke.ca>
Message-ID: <5.2.0.9.0.20030214102025.04c3a778@oriongw>

When I configured mail scanner, I told it to log Iframe and Object codebase tags. Where do these get logged? I checked /var/log/maillog, but I do not see any entries that mention them. I am running Redhat 7.3, and last week's released versions of MailScanner, SpamAssassin, and Razor.

Can anyone give me examples of some popular legitimate mailings that use the tags, maybe I am not receiving any.

Thanks

From etate01 at sun.hazelwood.k12.mo.us Fri Feb 14 15:32:09 2003
From: etate01 at sun.hazelwood.k12.mo.us (Ed Tate)
Date: Thu Jan 12 21:17:11 2006
Subject: MailScanner is not processing files in /var/spool/mqueue.in
In-Reply-To: <3E4CEDEF.4090107@accent.it>
Message-ID: <002801c2d43e$4ec74be0$be46460a@hazelwood.k12.mo.us>

Did you make the changes for starting sendmail?

http://www.sng.ecs.soton.ac.uk/mailscanner/install/sendmail.shtml

Ed Tate (etate01@hazelwoodschools.org)
Coordinator of Technology Services
Hazelwood School District
Florissant, Missouri

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Daniele Antoniazzi
Sent: Friday, February 14, 2003 7:24 AM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: MailScanner is not processing files in /var/spool/mqueue.in

From daniele.antoniazzi at ACCENT.IT Fri Feb 14 15:57:12 2003
From: daniele.antoniazzi at ACCENT.IT (Daniele Antoniazzi)
Date: Thu Jan 12 21:17:11 2006
Subject: MailScanner is not processing files in /var/spool/mqueue.in
References: <051401c2d42f$626b0f10$9801a8c0@home.middlefinger.net>
Message-ID: <3E4D11D8.9030405@accent.it>

Thanks Mike,

on Solaris the installation instructions say that there should be 2 sendmail running: 1 accepting mails from extern and putting them in /var/spool/mqueue.in and the other getting mails from /var/spool/mqueue (after processed by MailScanner) and dispatching them towards internal. I've done like that, and mails arrive correctly into /var/spool/mqueue.in.

Bye
Daniele

Mike Kercher wrote:
> I don't know Solaris, but on a Linux system we have to disable the normal
> sendmail processes and let MailScanner start them up in its own way. Did
> you do something similar on your Solaris box?
>
> Mike
>
>
> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf
> Of Daniele Antoniazzi
> Sent: Friday, February 14, 2003 7:24 AM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: MailScanner is not processing files in /var/spool/mqueue.in

From daniele.antoniazzi at ACCENT.IT Fri Feb 14 16:00:21 2003
From: daniele.antoniazzi at ACCENT.IT (Daniele Antoniazzi)
Date: Thu Jan 12 21:17:11 2006
Subject: MailScanner is not processing files in /var/spool/mqueue.in
References: <002801c2d43e$4ec74be0$be46460a@hazelwood.k12.mo.us>
Message-ID: <3E4D1295.2050002@accent.it>

Thanks Ed,

I've followed all the instructions in the docs for installing on Solaris. The only thing I've not done is to install Spam Assassin, but I hope this is not mandatory.

Bye
Daniele

Ed Tate wrote:
> Did you make the changes for starting sendmail?
>
> http://www.sng.ecs.soton.ac.uk/mailscanner/install/sendmail.shtml
>
>
> Ed Tate (etate01@hazelwoodschools.org)
> Coordinator of Technology Services
> Hazelwood School District
> Florissant, Missouri
>
>
>
> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf
> Of Daniele Antoniazzi
> Sent: Friday, February 14, 2003 7:24 AM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: MailScanner is not processing files in /var/spool/mqueue.in

From mike at TECHINTER.COM Fri Feb 14 16:06:03 2003
From: mike at TECHINTER.COM (Mike Williams)
Date: Thu Jan 12 21:17:11 2006
Subject: Blocking empty To with rules
In-Reply-To: <5.1.1.6.0.20030213135536.018a3d58@192.168.50.2>
Message-ID:

Is it possible to block a spam message where the To is empty? We are getting a ton of spam from AOL and in the sendmail logfile the To is blank. I wouldn't mind shutting AOL down from having access to our server but I'm sure our customers would complain :)

Mike

From daniele.antoniazzi at ACCENT.IT Fri Feb 14 16:07:17 2003
From: daniele.antoniazzi at ACCENT.IT (Daniele Antoniazzi)
Date: Thu Jan 12 21:17:11 2006
Subject: MailScanner is not processing files in /var/spool/mqueue.in
References: <5C0296D26910694BB9A9BBFC577E7AB0EBF3B9@pascal.priv.bmrb.co.uk>
Message-ID: <3E4D1435.3070805@accent.it>

Thanks Kevin,

the directories are all owned by root and MailScanner is running as root.

Dir /var/spool/mqueue.in contains both qf and df files, they are OK.

Actually I've just one process running MailScanner, that I can see with ps, and not 5. You say that there could be some problem with conf file; I've not tweaked a lot it, I've just enabled virus scanning, and enabled sophos as antivirus. Is there a way to understand if it fails in processing conf file?

Bye
Daniele

Spicer, Kevin wrote:
>
> Have you checked that the user running mailscanner can read and write to incoming and mqueue.in. And that the permissions that sendmail is queuing files with make those files readable and writable by the mailscanner user (probably this is root - so it shouldn't really be a problem). Does mqueue.in contain both qf and df files? Anything in the logs (mail logs go to syslog by default on Sol2.6 IIRC)? How many MailScanner processes does ps show (normally 5 unless you've tweaked this - I've seen it fail to fork children, at least ones that survive, when the configuration file has an error in it)
>

From Antony at SOFT-SOLUTIONS.CO.UK Fri Feb 14 16:15:08 2003
From: Antony at SOFT-SOLUTIONS.CO.UK (Antony Stone)
Date: Thu Jan 12 21:17:11 2006
Subject: MailScanner is not processing files in /var/spool/mqueue.in
In-Reply-To: <3E4D1435.3070805@accent.it>
References: <5C0296D26910694BB9A9BBFC577E7AB0EBF3B9@pascal.priv.bmrb.co.uk> <3E4D1435.3070805@accent.it>
Message-ID: <200302141615.h1EGFEG09788@vulcan.rissington.net>

On Friday 14 February 2003 4:07 pm, Daniele Antoniazzi wrote:

> Actually I've just one process running MailScanner, that I can see with
> ps, and not 5. You say that there could be some problem with conf file;
> I've not tweaked a lot it, I've just enabled virus scanning, and enabled
> sophos as antivirus. Is there a way to understand if it fails in
> processing conf file?

Check in /var/log/syslog or else kill the (single) instance and then run
/opt/MailScanner/bin/check_mailscanner and see what it says...

Only 1 running instance does sound like a problem to me.

Antony.

--
Normal people think "if it ain't broke, don't fix it".
Engineers think "if it ain't broke, it doesn't have enough features yet".

From Kevin.Spicer at BMRB.CO.UK Fri Feb 14 16:13:56 2003
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin)
Date: Thu Jan 12 21:17:11 2006
Subject: MailScanner is not processing files in /var/spool/mqueue.in
Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0EBF3BE@pascal.priv.bmrb.co.uk>

Usually it logs to syslog (unless your mail logs go to another file)
Try stopping and starting it then tailing the logs.
BTW. SpamAssassin isn't required and is off by default, so unless you
turned it on that won't be your problem.

> -----Original Message-----
> From: Daniele Antoniazzi [mailto:daniele.antoniazzi@ACCENT.IT]
> Sent: 14 February 2003 16:07
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: MailScanner is not processing files in
> /var/spool/mqueue.in
>
>
> Thanks Kevin,
>
> the directories are all owned by root and MailScanner is
> running as root.
>
> Dir /var/spool/mqueue.in contains both qf and df files, they are OK.
>
> Actually I've just one process running MailScanner, that I
> can see with
> ps, and not 5. You say that there could be some problem with
> conf file;
> I've not tweaked a lot it, I've just enabled virus scanning,
> and enabled
> sophos as antivirus. Is there a way to understand if it fails in
> processing conf file?
>
> Bye
> Daniele
>
>
>
> Spicer, Kevin wrote:
> >
> >
> > Have you checked that the user running mailscanner can read
> and write to incoming and mqueue.in. And that the
> permissions that sendmail is queuing files with make those
> files readable and writable by the mailscanner user (probably
> this is root - so it shouldn't really be a problem). Does
> mqueue.in contain both qf and df files? Anything in the logs
> (mail logs go to syslog by default on Sol2.6 IIRC)? How many
> MailScanner processes does ps show (normally 5 unless you've
> tweaked this - I've seen it fail to fork children, at least
> ones that survive, when the configuration file has an error in it)
> >
>

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000
_________________________________________________________________
This message (and any attachment) is intended only for the recipient
and may contain confidential and/or privileged material. If you have
received this in error, please contact the sender and delete this
message immediately. Disclosure, copying or other action taken in
respect of this email or in reliance on it is prohibited. BMRB
International Limited accepts no liability in relation to any personal
emails, or content of any email which does not directly relate to our
business.
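The checks suggested in this thread (queue directories readable and writable, qf/df pairs in mqueue.in, the number of MailScanner processes) plus the real-path requirement mentioned earlier on the list, written out as a preflight script. This is an added example, not part of any list message and not MailScanner's own code; the function names are hypothetical, the default of 5 processes is the figure quoted above, and matching "bin/MailScanner" in `ps -ef` output is an assumption based on the process line quoted above.

```shell
#!/bin/sh
# Added example: preflight checks for a sendmail + MailScanner queue layout.
# Usage: preflight.sh /var/spool/mqueue.in /var/spool/MailScanner/incoming [5]

# check_dir_rw DIR -> 0 if DIR is a directory the current user can read,
# write and search; otherwise prints the reason and returns 1.
# (Run it as the user MailScanner runs as; for root these tests always pass.)
check_dir_rw() {
    dir=$1
    if [ ! -d "$dir" ]; then echo "missing: $dir"; return 1; fi
    if [ ! -r "$dir" ] || [ ! -w "$dir" ] || [ ! -x "$dir" ]; then
        echo "not readable/writable/searchable by $(id -un): $dir"; return 1
    fi
    return 0
}

# is_real_path DIR -> 0 when the absolute path DIR contains no symlink,
# i.e. it is the physical path the list advice asks for in MailScanner.conf.
is_real_path() {
    real=$(cd "$1" 2>/dev/null && pwd -P) || return 1
    [ "$real" = "${1%/}" ] || [ "$real" = "$1" ]
}

# unpaired_queue_ids DIR -> prints each sendmail queue id that has a qf file
# without its df file, or the reverse. A message that sendmail is still
# writing can show up here briefly, so re-run before drawing conclusions.
unpaired_queue_ids() {
    dir=$1
    for f in "$dir"/qf* "$dir"/df*; do
        [ -e "$f" ] || continue            # an unmatched glob stays literal
        base=${f##*/}
        id=${base#??}                      # strip the qf/df prefix
        case $base in
            qf*) other="$dir/df$id" ;;
            df*) other="$dir/qf$id" ;;
        esac
        [ -e "$other" ] || echo "$id"
    done
}

# count_mailscanner_procs -> counts MailScanner processes in `ps` output read
# from stdin. The [b] keeps this grep from counting its own command line;
# the trailing space keeps check_mailscanner out of the count.
count_mailscanner_procs() {
    grep -c '[b]in/MailScanner ' || true
}

# preflight INQUEUE WORKDIR [EXPECTED_PROCS] -> prints each finding and
# returns the number of failed checks (0 means nothing was flagged).
preflight() {
    inq=$1; work=$2; want=${3:-5}; fails=0
    for d in "$inq" "$work"; do
        check_dir_rw "$d" || fails=$((fails + 1))
        if [ -d "$d" ] && ! is_real_path "$d"; then
            echo "path goes through a symlink: $d"; fails=$((fails + 1))
        fi
    done
    if [ -d "$inq" ]; then
        bad=$(unpaired_queue_ids "$inq")
        if [ -n "$bad" ]; then
            echo "queue ids missing a qf or df file:" $bad
            fails=$((fails + 1))
        fi
    fi
    have=$(ps -ef 2>/dev/null | count_mailscanner_procs)
    if [ "$have" -ne "$want" ]; then
        echo "MailScanner processes: $have (expected $want)"
        fails=$((fails + 1))
    fi
    return "$fails"
}

# Only run when both directories are given on the command line.
if [ "$#" -ge 2 ]; then preflight "$@" || exit $?; fi
```

A process count below the expected number points back at the syslog output of check_mailscanner, as suggested in the replies above.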
From mkettler at EVI-INC.COM Fri Feb 14 17:03:42 2003
From: mkettler at EVI-INC.COM (Matt Kettler)
Date: Thu Jan 12 21:17:11 2006
Subject: Blocking empty To with rules
In-Reply-To:
References: <5.1.1.6.0.20030213135536.018a3d58@192.168.50.2>
Message-ID: <5.2.0.9.0.20030214115517.01e6be60@192.168.50.2>

Some general Suggestions (I'm assuming sendmail):

Edit your sendmail.mc:

define(`confPRIVACY_FLAGS', `needmailhelo,authwarnings,novrfy,noexpn,restrictqrun')dnl

Most important here is "needmailhelo".. this gets rid of tools that are too
stupid to issue a HELO/EHLO, which no valid mailserver does. Most email
showing up with no HELO issued is wildly mis-formatted spam, so that just
prevents that problem right off. I've never seen a real email server fail
to HELO when told it must do so.

Also, if you're running SpamAssassin with mailscanner, the rule for this is
MISSING_HEADERS.. jack up the score for it and watch em get spam-tags, or
if you jack it up high enough, high-scoring spam actions, every time.

It should be noted however that according to the STATISTICS.txt with
spamassassin 2.43, some reasonable percentage of the SA nonspam corpus has
a missing To: header (0.64% of the nonspam corpus matched).

At 10:06 AM 2/14/2003 -0600, Mike Williams wrote:
>Is it possible to block a spam message where the To is empty? We are
>getting a ton of spam from AOL and in the sendmail logfile the To is blank.
>I wouldn't mind shutting AOL down from having access to our server but I'm
>sure our customers would complain :)
>
>Mike

From phvt at EMAIL.COM Fri Feb 14 17:06:19 2003
From: phvt at EMAIL.COM (Paul Hansen)
Date: Thu Jan 12 21:17:11 2006
Subject: MailScanner continously respawns without processing
Message-ID: <000001c2d44b$661604f0$22c5fea9@squall>

Hi all--

I have a new installation of MailScanner 4.12-2, Exim 4.12, Kaspersky
and SpamAssassin. At this point I am just trying to troubleshoot
MailScanner itself (from queue to queue) since Exim does accept a new
message and drop it in the incoming queue.

I installed MailScanner using the tar distribution. I manually installed
all of the required Perl modules with the recommended versions and
patches.

My main problem is I've been unable to get any troubleshooting logs out
of MailScanner itself. I get almost nothing in syslog (syslogd -r -m 0)
and when run in with Debug I get the same log entries as otherwise:

Feb 14 11:01:12 granite MailScanner[20449]: MailScanner
Feb 14 11:01:12 granite MailScanner[20449]: MailScanner E-Mail Virus Scanner version 4.12-2 starting...
Feb 14 11:01:22 granite MailScanner[20507]: MailScanner
Feb 14 11:01:22 granite MailScanner[20507]: MailScanner E-Mail Virus Scanner version 4.12-2 starting...
Feb 14 11:18:40 granite MailScanner[27699]: MailScanner
Feb 14 11:18:40 granite MailScanner[27699]: MailScanner E-Mail Virus Scanner version 4.12-2 starting...
Feb 14 11:18:50 granite MailScanner[27748]: MailScanner
Feb 14 11:18:50 granite MailScanner[27748]: MailScanner E-Mail Virus Scanner version 4.12-2 starting...
Feb 14 11:19:00 granite MailScanner[27827]: MailScanner
Feb 14 11:19:00 granite MailScanner[27827]: MailScanner E-Mail Virus Scanner version 4.12-2 starting...

It appears MailScanner is repeatedly trying to initialize itself but
never succeeds. This continues until I kill the MailScanner process. I
never have more than one MailScanner process running (there's usually a
one lurking too).

MailScanner does change to the exim UID/GID and I've made sure
/opt/MailScanner/var is writable by that UID--the only time I caught an
error message in syslog was when it wasn't.

I am using Red Hat Linux 7.2.

Is it possible to turn on more verbose logging? I just have so little to
troubleshoot with.

Any suggestions? Thank you!

Paul

From JeremyE at BSA.CA.GOV Fri Feb 14 17:19:27 2003
From: JeremyE at BSA.CA.GOV (Jeremy Evans)
Date: Thu Jan 12 21:17:11 2006
Subject: MailScanner continously respawns without processing
Message-ID: <2739ECF7268CD0118F50080009DCC9F00235D2C4@pebble.bsa.ca.gov>

That is normal behavior I believe. It's MailScanner setting up the number
of child processes specified in MailScanner.conf. If you get more than the
number of child processes (plus one for the parent process), then something
might be wrong. Also, I've noticed that if check_mailscanner is not setup
properly, running it again will add another parent process, so you might
want to check that.

Jeremy Evans
Information Systems Analyst
California State Auditor
916-445-0255 phone
916-322-7801 fax

-----Original Message-----
From: Paul Hansen [mailto:phvt@EMAIL.COM]
Sent: Friday, February 14, 2003 9:06 AM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: MailScanner continously respawns without processing

Hi all--

I have a new installation of MailScanner 4.12-2, Exim 4.12, Kaspersky
and SpamAssassin. At this point I am just trying to troubleshoot
MailScanner itself (from queue to queue) since Exim does accept a new
message and drop it in the incoming queue.

I installed MailScanner using the tar distribution. I manually installed
all of the required Perl modules with the recommended versions and
patches.

My main problem is I've been unable to get any troubleshooting logs out
of MailScanner itself. I get almost nothing in syslog (syslogd -r -m 0)
and when run in with Debug I get the same log entries as otherwise:

Feb 14 11:01:12 granite MailScanner[20449]: MailScanner
Feb 14 11:01:12 granite MailScanner[20449]: MailScanner E-Mail Virus Scanner version 4.12-2 starting...
Feb 14 11:01:22 granite MailScanner[20507]: MailScanner
Feb 14 11:01:22 granite MailScanner[20507]: MailScanner E-Mail Virus Scanner version 4.12-2 starting...
Feb 14 11:18:40 granite MailScanner[27699]: MailScanner
Feb 14 11:18:40 granite MailScanner[27699]: MailScanner E-Mail Virus Scanner version 4.12-2 starting...
Feb 14 11:18:50 granite MailScanner[27748]: MailScanner
Feb 14 11:18:50 granite MailScanner[27748]: MailScanner E-Mail Virus Scanner version 4.12-2 starting...
Feb 14 11:19:00 granite MailScanner[27827]: MailScanner
Feb 14 11:19:00 granite MailScanner[27827]: MailScanner E-Mail Virus Scanner version 4.12-2 starting...

It appears MailScanner is repeatedly trying to initialize itself but
never succeeds. This continues until I kill the MailScanner process. I
never have more than one MailScanner process running (there's usually a
one lurking too).

MailScanner does change to the exim UID/GID and I've made sure
/opt/MailScanner/var is writable by that UID--the only time I caught an
error message in syslog was when it wasn't.

I am using Red Hat Linux 7.2.

Is it possible to turn on more verbose logging? I just have so little to
troubleshoot with.

Any suggestions? Thank you!

Paul

From lindsay at pa.net Fri Feb 14 17:27:00 2003
From: lindsay at pa.net (Lindsay Snider)
Date: Thu Jan 12 21:17:11 2006
Subject: MailScanner continously respawns without processing
In-Reply-To: <000001c2d44b$661604f0$22c5fea9@squall>
References: <000001c2d44b$661604f0$22c5fea9@squall>
Message-ID: <200302141227.00431.lindsay@pa.net>

Hey Paul,

On Friday 14 February 2003 12:06, you wrote:
> Hi all--
>
> I have a new installation of MailScanner 4.12-2, Exim 4.12, Kaspersky
> and SpamAssassin. At this point I am just trying to troubleshoot
> MailScanner itself (from queue to queue) since Exim does accept a new
> message and drop it in the incoming queue.
>
> I installed MailScanner using the tar distribution. I manually installed
> all of the required Perl modules with the recommended versions and
> patches.
>
> My main problem is I've been unable to get any troubleshooting logs out
> of MailScanner itself. I get almost nothing in syslog (syslogd -r -m 0)
> and when run in with Debug I get the same log entries as otherwise:
>
> Feb 14 11:01:12 granite MailScanner[20449]: MailScanner
> Feb 14 11:01:12 granite MailScanner[20449]: MailScanner E-Mail Virus
> Scanner version 4.12-2 starting...
> Feb 14 11:01:22 granite MailScanner[20507]: MailScanner
> Feb 14 11:01:22 granite MailScanner[20507]: MailScanner E-Mail Virus
> Scanner version 4.12-2 starting...
> Feb 14 11:18:40 granite MailScanner[27699]: MailScanner
> Feb 14 11:18:40 granite MailScanner[27699]: MailScanner E-Mail Virus
> Scanner version 4.12-2 starting...
> Feb 14 11:18:50 granite MailScanner[27748]: MailScanner
> Feb 14 11:18:50 granite MailScanner[27748]: MailScanner E-Mail Virus
> Scanner version 4.12-2 starting...
> Feb 14 11:19:00 granite MailScanner[27827]: MailScanner
> Feb 14 11:19:00 granite MailScanner[27827]: MailScanner E-Mail Virus
> Scanner version 4.12-2 starting...
>

This is normal, you should be seeing MailScanner's children loading. Each one
is delayed 10 seconds. Check MailScanner.conf 'Max Children' to see/specify
how many children MailScanner should create.

> It appears MailScanner is repeatedly trying to initialize itself but
> never succeeds. This continues until I kill the MailScanner process. I
> never have more than one MailScanner process running (there's usually a
> one lurking too).
>
> MailScanner does change to the exim UID/GID and I've made sure
> /opt/MailScanner/var is writable by that UID--the only time I caught an
> error message in syslog was when it wasn't.
>
> I am using Red Hat Linux 7.2.
>
> Is it possible to turn on more verbose logging? I just have so little to
> troubleshoot with.

When mail starts passing through the server, there is quite a bit of logging.
However, you can turn up the logging by turning debugging on.. To turn on
debugging, set Debug=yes in MailScanner.conf.

>
> Any suggestions? Thank you!
>
> Paul

Good luck, hope it helps!

Lindsay

From mike at TECHINTER.COM Fri Feb 14 18:05:36 2003
From: mike at TECHINTER.COM (Mike Williams)
Date: Thu Jan 12 21:17:11 2006
Subject: Blocking empty To with rules
In-Reply-To: <5.2.0.9.0.20030214115517.01e6be60@192.168.50.2>
Message-ID:

Thanks for the info I was missing the needmailhelo. Is it possible that
this will prevent blank from: also?

Mike

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On
Behalf Of Matt Kettler
Sent: Friday, February 14, 2003 11:04 AM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Blocking empty To with rules

Some general Suggestions (I'm assuming sendmail):

Edit your sendmail.mc:

define(`confPRIVACY_FLAGS', `needmailhelo,authwarnings,novrfy,noexpn,restrictqrun')dnl

Most important here is "needmailhelo".. this gets rid of tools that are too
stupid to issue a HELO/EHLO, which no valid mailserver does. Most email
showing up with no HELO issued is wildly mis-formatted spam, so that just
prevents that problem right off. I've never seen a real email server fail
to HELO when told it must do so.

Also, if you're running SpamAssassin with mailscanner, the rule for this is
MISSING_HEADERS.. jack up the score for it and watch em get spam-tags, or
if you jack it up high enough, high-scoring spam actions, every time.

It should be noted however that according to the STATISTICS.txt with
spamassassin 2.43, some reasonable percentage of the SA nonspam corpus has
a missing To: header (0.64% of the nonspam corpus matched).

At 10:06 AM 2/14/2003 -0600, Mike Williams wrote:
>Is it possible to block a spam message where the To is empty? We are
>getting a ton of spam from AOL and in the sendmail logfile the To is blank.
>I wouldn't mind shutting AOL down from having access to our server but I'm
>sure our customers would complain :)
>
>Mike

From raymond at PROLOCATION.NET Fri Feb 14 18:13:08 2003
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:17:11 2006
Subject: MailScanner continously respawns without processing
In-Reply-To: <200302141227.00431.lindsay@pa.net>
Message-ID:

Hi!

> > Feb 14 11:18:40 granite MailScanner[27699]: MailScanner E-Mail Virus
> > Scanner version 4.12-2 starting...
> > Feb 14 11:18:50 granite MailScanner[27748]: MailScanner
> > Feb 14 11:18:50 granite MailScanner[27748]: MailScanner E-Mail Virus
> > Scanner version 4.12-2 starting...
> > Feb 14 11:19:00 granite MailScanner[27827]: MailScanner
> > Feb 14 11:19:00 granite MailScanner[27827]: MailScanner E-Mail Virus
> > Scanner version 4.12-2 starting...
> >
>
> This is normal, you should be seeing MailScanner's children loading. Each one
> is delayed 10 seconds. Check MailScanner.conf 'Max Children' to see/specify
> how many children MailScanner should create.

Since it's not the first time we got questions posted about this, would it
not be wise to do the log message like:

> > Feb 14 11:18:40 granite MailScanner[27699]: MailScanner E-Mail Virus
> > Scanner version 4.12-2 starting... (parent)
> > Feb 14 11:18:40 granite MailScanner[27699]: MailScanner E-Mail Virus
> > Scanner version 4.12-2 starting... (child #1)

So people see what's going on?

Bye,
Raymond.

From mkettler at EVI-INC.COM Fri Feb 14 18:38:23 2003
From: mkettler at EVI-INC.COM (Matt Kettler)
Date: Thu Jan 12 21:17:11 2006
Subject: Blocking empty To with rules
In-Reply-To:
References: <5.2.0.9.0.20030214115517.01e6be60@192.168.50.2>
Message-ID: <5.2.0.9.0.20030214133449.018b4bf8@192.168.50.2>

It's possible, although that restriction doesn't directly block email that
is missing either from or to.. it just blocks email from severely broken
senders that don't issue HELO...

However, one can conjecture that if a sender so broken that they can't issue
a HELO, then it wouldn't be surprising if the message was devoid of other
required parts of a mail transfer, such as from: to: or subject:.

As for the missing/blank From: line, SA has rules for those too, you might
want to check into adjusting that score as well.

At 12:05 PM 2/14/2003 -0600, you wrote:
>Thanks for the info I was missing the needmailhelo. Is it possible that
>this will prevent blank from: also?
>
>Mike

From lindsay at pa.net Fri Feb 14 19:19:22 2003
From: lindsay at pa.net (Lindsay Snider)
Date: Thu Jan 12 21:17:11 2006
Subject: MailScanner continously respawns without processing
In-Reply-To: <000001c2d44b$661604f0$22c5fea9@squall>
References: <000001c2d44b$661604f0$22c5fea9@squall>
Message-ID: <200302141419.22700.lindsay@pa.net>

Hey Paul,

I apologize, I read your email wrong thinking that you didn't have any mail
sitting in mqueue.in. Given that, I might have a very similar problem of
which I have not yet resolved.

We upgraded our mailservers running mailscanner 4.12-2 from 4.11-1. In our
conf, we have changed the locations of the spool directories. We also run
mailscanner as an unprivileged user. On just one of the servers, the upgrade
did not go so well and the new mailscanner will not start. We too get the
mailscanners.

I debugged the code down to a chdir command in Sendmail.pm line 740. It seems
to lock up w/ no error messages or graceful dying. The paths that it is
trying to change to exist. I can su - mailscanneruser and switch to the
directories just fine so permissions seem fine. I also wrote a mini setuid
script which, dropped to our mailscanneruser and changed to the directory
line 740 was having problems with, and that worked as well.

If we run mailscanner as root, it works fine. If your problem is similar,
maybe try running as root just to see? I'm thinking we might have a buggy
setuid perl....?

More info:
The servers that did work were RH8.0 whereas the server that did not was 7.3
RH7.3 box has perl 5.6.1
RH8.0 boxes have perl 5.8.0

Curious to what you find,
Lindsay

On Friday 14 February 2003 12:06, you wrote:
> Hi all--
>
> I have a new installation of MailScanner 4.12-2, Exim 4.12, Kaspersky
> and SpamAssassin. At this point I am just trying to troubleshoot
> MailScanner itself (from queue to queue) since Exim does accept a new
> message and drop it in the incoming queue.
>
> I installed MailScanner using the tar distribution. I manually installed
> all of the required Perl modules with the recommended versions and
> patches.
>
> My main problem is I've been unable to get any troubleshooting logs out
> of MailScanner itself. I get almost nothing in syslog (syslogd -r -m 0)
> and when run in with Debug I get the same log entries as otherwise:
>
> Feb 14 11:01:12 granite MailScanner[20449]: MailScanner
> Feb 14 11:01:12 granite MailScanner[20449]: MailScanner E-Mail Virus
> Scanner version 4.12-2 starting...
> Feb 14 11:01:22 granite MailScanner[20507]: MailScanner
> Feb 14 11:01:22 granite MailScanner[20507]: MailScanner E-Mail Virus
> Scanner version 4.12-2 starting...
> Feb 14 11:18:40 granite MailScanner[27699]: MailScanner
> Feb 14 11:18:40 granite MailScanner[27699]: MailScanner E-Mail Virus
> Scanner version 4.12-2 starting...
> Feb 14 11:18:50 granite MailScanner[27748]: MailScanner
> Feb 14 11:18:50 granite MailScanner[27748]: MailScanner E-Mail Virus
> Scanner version 4.12-2 starting...
> Feb 14 11:19:00 granite MailScanner[27827]: MailScanner
> Feb 14 11:19:00 granite MailScanner[27827]: MailScanner E-Mail Virus
> Scanner version 4.12-2 starting...
>
> It appears MailScanner is repeatedly trying to initialize itself but
> never succeeds. This continues until I kill the MailScanner process. I
> never have more than one MailScanner process running (there's usually a
> one lurking too).
>
> MailScanner does change to the exim UID/GID and I've made sure
> /opt/MailScanner/var is writable by that UID--the only time I caught an
> error message in syslog was when it wasn't.
>
> I am using Red Hat Linux 7.2.
>
> Is it possible to turn on more verbose logging? I just have so little to
> troubleshoot with.
>
> Any suggestions? Thank you!
>
> Paul

From phvt at EMAIL.COM Fri Feb 14 19:27:25 2003
From: phvt at EMAIL.COM (Paul Hansen)
Date: Thu Jan 12 21:17:11 2006
Subject: MailScanner continously respawns without processing
In-Reply-To: <200302141227.00431.lindsay@pa.net>
Message-ID: <000201c2d45f$1c47e2d0$22c5fea9@squall>

Hi,

I have narrowed the problem down to MailScanner dying silently during
MailScanner::SA::initialise().

I started going through bin/MailScanner, first in ForkDaemon() then
WorkForHours() where I added several new InfoLog() calls. With this
additional information I went back to etc/MailScanner.conf and set Spam
Checks and Use SpamAssassin to no. Now MailScanner appears to be running
nicely and it processed my queued message.

So--now it's time to dig into why the SpamAssassin interface isn't
working...I do have SA 2.44 and the test message in the SA documentation
worked fine. Any tips there would be greatly appreciated.

For the future, it seems clear that more error trapping is needed during
these initialization steps--during which there is currently no output. I
see a bunch of commented-out STDERR printouts that would be great to
change to "if($Debug)...". Here's what my MailScanner spits out now (so
at least I know "I got this far..."):

Feb 14 14:01:43 granite MailScanner[27858]: Finished reading /opt/MailScanner/etc/MailScanner.conf
Feb 14 14:01:43 granite MailScanner[27858]: Finished checking Queues
Feb 14 14:01:43 granite MailScanner[27858]: Finished initialising MessageBatch
Feb 14 14:01:43 granite MailScanner[27858]: Finished initialising SA
Feb 14 14:01:43 granite MailScanner[27858]: Finished initialising TNEF
Feb 14 14:01:43 granite MailScanner[27858]: Finished initialising Sendmail

Thanks!

Paul

From mailscanner at ecs.soton.ac.uk Fri Feb 14 20:36:17 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:11 2006
Subject: Using filenames rules
In-Reply-To: <4.3.2.7.0.20030210165048.023bc560@carrota.nexnet.es>
Message-ID: <5.2.0.9.2.20030214201606.02871eb8@imap.ecs.soton.ac.uk>

At 16:08 10/02/2003, you wrote:
>Hello all,
>
>We want to block attachments via filename rules for ALL of our users,
>except for staff.
>
>Is it possible to do this without writing N lines in "filename.rules" like: ?
>
>From: user1@*
>From: user2@*
>...
>From: userN@*
>FromOrTo: default

Not quite. But what you can do is make a ruleset produce the name of the
filename.rules.conf file.
So create:
        /etc/MailScanner/filename.rules.staff.conf
containing
        allow . - -
and
        /etc/MailScanner/rules/filename.rules.rules
containing
        From: user1@* /etc/MailScanner/filename.rules.staff.conf
        From: user2@* /etc/MailScanner/filename.rules.staff.conf
        ...
        FromOrTo: default /etc/MailScanner/filename.rules.conf

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Fri Feb 14 21:06:25 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:11 2006
Subject: Sophos and Corrupt Files (belated response)
In-Reply-To:
Message-ID: <5.2.0.9.2.20030214210350.026d30c8@imap.ecs.soton.ac.uk>

At 14:30 13/02/2003, you wrote:
>I'll start off with saying that we primarily run Amavis with Postfix here,

I'll let you off, but only this once... :-)

>Just a thing I noted from a recent discussion about amavis (which has split
>into three forks, and there is presently interesting arguing going on):
>
>| I'm using amavisd-new with Sophos Sweep as the scanner. Since sweep can
>| not scan inside password protected MS-Excel or MS-Word files, it returns a
>| code 2, causing amavisd to fail. It lets the parts in /var/amavis and the
>| e-mail remains in the defer queue of the MTA (postfix, in this case). But
>| mail is not delivered (!). Is there any way to avoid this?, another
>| scanner?.
>
> >Add status code 2 along with 0 to the success 'if' branch
> >(file ./amavis/av/sophos), or upgrade to amavisd-new-20021227-p2.
>
>So the basic bottom line is that sweep returns an error code of 2,
>'corrupt file',
>and both MailScanner and amavis have had to work around this.
>
>I've seen about 5 messages (a sudden burst) labelled as 'corrupt' today
>on our test MailScanner (Sophos 3.66 & McAffee) box... are the patches
>going to appear in a future MS release that might happen any time soon?

This will appear in the 1st March release. But I will mail the 3 patches to
you off-list as you appear to want them earlier.

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Fri Feb 14 20:12:43 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:11 2006
Subject: rav not scanning archives by default
In-Reply-To:
References: <5.2.0.9.2.20030209115738.025b5de8@imap.ecs.soton.ac.uk> <5.2.0.9.2.20030209115738.025b5de8@imap.ecs.soton.ac.uk>
Message-ID: <5.2.0.9.2.20030214201220.0283c278@imap.ecs.soton.ac.uk>

At 21:27 09/02/2003, you wrote:
>On Sun, 9 Feb 2003, Julian Field wrote:
>
> > MailScanner runs rav with the following parameters
> > --all --mail --archive
> > which I believe will turn the archive scanning on.
>
>Julian,
>
>is that defined somewhere else than in /usr/lib/MailScanner/rav-wrapper ?

It's in /usr/lib/MailScanner/MailScanner/SweepViruses.pm.

>As far as I can see, it simply runs ravlin8 w/o the archive option.
>I sent a few test.com files infected with eicar, all got detected, but the
>ones in a .zip pass through.
>
>Regards,
>
>Steffan

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Fri Feb 14 21:13:08 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:11 2006
Subject: F-Prot & MailScanner...
In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB0EBF3B1@pascal.priv.bmrb.co.uk>
Message-ID: <5.2.0.9.2.20030214210803.022c7b38@imap.ecs.soton.ac.uk>

At 14:44 13/02/2003, you wrote:
> > Hello all...
> >
> > I've been looking at F-prot, to consider using it as
> > an AV scanner with MailScanner.
> >
> > There is the 'F-Prot for Small Business' and
> > 'F-Prot for Enterprise Business'...
> >
> > If I just want to try it out, which should I use?
>
>MailScanner only needs the command line version, 'F-Prot for Small Business'
>
> >
> > It also says:
> > "License shall be without charge for personal users of F-Prot
> > Linux for Small Business,
> > when used on personal workstations."
> >
> > ... so if I downloaded this version, how does it know it's
> > not a 'personal workstation'?
>
>I guess it doesn't but that doesn't alter the fact that you would be in
>breach of the license. F-Prots pricing isn't bad from what I've heard (I
>only use it at home where it is definitely free). If you don't want to
>pay use Clam.

If you want good coverage and small bills, try running F-Prot ($300) and
RAV ($29) and Clam ($0). MailScanner will happily run all 3. Kaspersky is
pretty cheap too.

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Fri Feb 14 20:51:46 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:11 2006
Subject: Outgoing queue dir question
In-Reply-To: <005401c2d273$8479ec10$02ee22cb@rogue>
References:
Message-ID: <5.2.0.9.2.20030214204838.0287dc48@imap.ecs.soton.ac.uk>

At 08:36 12/02/2003, you wrote:
>I was just wondering if anyone has wildcards (/var/spool/mqueue/*) or
>rulesets working with the "Outgoing Queue Dir" option.

This is only valid in the Incoming Queue Dir option, as explained in the
comments in the MailScanner.conf file.

>With wildcards I get the following error:
>"Error in configuration file line 72, directory /var/spool/mqueue/* for
>outqueuedir does not exist (or is not readable)"
>
>and with rulesets all I get:
>"Syntax error in line 1 of ruleset file
>/etc/MailScanner/mqueue.out.list.conf for keyword outqueuedir".

The ruleset /etc/MailScanner/rules/mqueue.out.rules should look like this:

To: domain1.com /var/spool/mqueue.domain1
To: *@domain2.com /var/spool/mqueue.domain2
FromOrTo: default /var/spool/mqueue

This will put mail for domain1.com into 1 directory, mail for domain2.com
into another, and everything else into a third. You will then need to run
sendmail "queue runners" for each of the outgoing queue directories.

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Fri Feb 14 21:23:30 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:11 2006
Subject: messages building up
In-Reply-To: <200302141602.34404.linux@mostert.nom.za>
Message-ID: <5.2.0.9.2.20030214211707.02836e60@imap.ecs.soton.ac.uk>

At 14:02 14/02/2003, you wrote:
>Hallo all
>
>I have a server here that is under fairly high load.
>My problem is that the messages seem to keep on building up in the mque.in
>directory.
>Now I have set the Max Children = 60

You won't gain anything on a small machine (less than about 8 CPU's) by
giving it a number as high as that. It will just spend all its CPU time
sorting directory entries.

> as you can see and setup sendmail to
>deque every 5 mins (sendmail -bd -q15m)

If you specify -bd -q15m then it will bypass MailScanner completely, as it
will be delivering from the same queue it is reading into.

>Any ideas how I can get the performance up ?
>The server is a dual pIII 800 with 3Gigs ram and a raid5 array
>It is running Redhat 7.3 with sendmail (standard) all patches were applied
>with up2date.
>Mailscanner is Version 4.12-2 installed from rpm's
>using f-prot

I am about to try switching ext3 to data journalling. Note that you can
also increase the performance quite a bit by putting the
MailScanner/incoming directory on a tmpfs filesystem. MailScanner does a
lot of file i/o to the MailScanner/incoming dir, and this hammers real
disks quite hard. I have personally seen 30% speed improvement by doing
this. It only takes a minute to change and is definitely worth a try. All
the data in the MailScanner/incoming directory is temporary anyway, so you
don't need to worry about losing anything on power-outs.

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Fri Feb 14 20:41:19 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:11 2006
Subject: Wrapper Script on WEB Page
In-Reply-To: <20030211121746.A26989@mew.kcbbs.gen.nz>
References: <5.2.0.9.2.20030208163923.029c2f50@imap.ecs.soton.ac.uk> <20030207191934.GC79189@affymetrix.com> <5.2.0.9.2.20030208163923.029c2f50@imap.ecs.soton.ac.uk>
Message-ID: <5.2.0.9.2.20030214204038.023528d0@imap.ecs.soton.ac.uk>

At 23:17 10/02/2003, you wrote:
>Hello
>
> Just checking my installation procedure..
>
> I've just upgraded to 4:12-2, on a RedHat 7.2 Box using the rpm files.
>
>I noted earlier messages to this group, and at the top
>of the Downloads WEB page, that there is a need to
>manually copy over the old wrapper scripts using
>the rpmnew files.
>
>However, After the rpm upgrade there are no rpmnew scripts
>in /usr/lib/MailScanner...
>
>Is this replacement automatic with this later upgrade?

It would only happen if you had modified the wrapper scripts. You hadn't
changed any of them, so it didn't need to create any .rpmnew files.

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From lindsay at pa.net Fri Feb 14 21:47:04 2003
From: lindsay at pa.net (Lindsay Snider) Date: Thu Jan 12 21:17:11 2006 Subject: messages building up In-Reply-To: <5.2.0.9.2.20030214211707.02836e60@imap.ecs.soton.ac.uk> References: <5.2.0.9.2.20030214211707.02836e60@imap.ecs.soton.ac.uk> Message-ID: <200302141647.04614.lindsay@pa.net> On Friday 14 February 2003 16:23, you wrote: > At 14:02 14/02/2003, you wrote: > >Hallo all > > > >I have a server here that is under fairly high load. > >My problem is that the messages seem to keep on building up in the mque.in > >directory. > >Now I have set the Max Children = 60 > > You won't gain anything on a small machine (less than about 8 CPU's) by > giving it a number as high as that. It will just spend all its CPU time > sorting directory entries. > > > as you can see and setup sendmail to > >deque everey 5 mins (sendmail -bd -q15m) > > If you specify -bd -q15m then it will bypass MailScanner completely, as it > will be delivering from the same queue it is reading into. > > >Any ideas how I can get the performance up ? > >The server is a dual pIII 800 with 3Gigs ram and a raid5 array > >It is running Redhat 7.3 with sendmail (standard) all patches were apllied > >with up2date. > >Mailscanner is Version 4.12-2 installed from rpm's > >using f-prot > > I am about to try switching ext3 to data journalling. Note that you can > also increase the performance quite a bit by putting the > MailScanner/incoming directory on a tmpfs filesystem. MailScanner does a > lot of file i/o to the MailScanner/incoming dir, and this hammers real > disks quite hard. I have personally seen 30% speed improvement by doing > this. It only takes a minute to change and is definitely worth a try. All > the data in the MailScanner/incoming directory is temporary anyway, so you > don't need to worry about losing anything on power-outs. Has anyone else had problems using tmpfs and f-prot? 
If I'm wrong, please correct me, but it seems that mailscanner depends on the virus scanner to recurse down through a directory to scan all the attachments exploded out. For some reason, f-prot won't recurse on tmpfs, thus the files don't get scanned. Can anyone else verify this? From kwang at UCALGARY.CA Fri Feb 14 22:08:42 2003 From: kwang at UCALGARY.CA (Kai Wang) Date: Thu Jan 12 21:17:11 2006 Subject: spam action = bounce Message-ID: <3E4D68EA.E40D7E12@ucalgary.ca> Hi, We plan to migrate our anti-spam features to our MailScanner servers. We want to bounce the original message (as an attachment) to the sender. With MailScanner 4.12-2, I did not find such an option. Is it possible that we get such a feature in a few days? Thanks E-Mail Administrator University of Calgary, Canada Kai Wang From tyler at BELOIT.EDU Fri Feb 14 22:22:33 2003 From: tyler at BELOIT.EDU (Tim Tyler) Date: Thu Jan 12 21:17:11 2006 Subject: False Positive ? Message-ID: <5.1.1.6.0.20030214161010.021dd1b0@beloit.edu> An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030214/0f58f9a4/attachment.html From raymond at PROLOCATION.NET Fri Feb 14 22:24:21 2003 From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:17:11 2006 Subject: spam action = bounce In-Reply-To: <3E4D68EA.E40D7E12@ucalgary.ca> Message-ID: Hi! > servers. We want to bounce the original message (as an attachment) > to the sender. With MailScanner 4.12-2, I did not find such an > option. Is it possible that we get such a feature in a few > days? You want to bounce spam? Are you nuts? That's even worse than the spammers sending it. Most of the time the addresses used are not even aware that their address was abused. Are you sure this is what you want to do? I honestly hope I am misunderstanding you. Bye, Raymond. From mike at CAMAROSS.NET Fri Feb 14 22:35:08 2003 
From: mike at CAMAROSS.NET (Mike Kercher) Date: Thu Jan 12 21:17:11 2006 Subject: False Positive ? In-Reply-To: <5.1.1.6.0.20030214161010.021dd1b0@beloit.edu> Message-ID: <058801c2d479$555c5140$9801a8c0@home.middlefinger.net> I'd read up on Sircam: http://www.sophos.com/virusinfo/analyses/w32sircama.html Since Sircam has its own SMTP engine, she doesn't even have to be sending out the email manually. Sircam, also being network aware, I'd have her people check their whole network. The attachment that Sophos is catching is coming from somewhere. Mike -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Tim Tyler Sent: Friday, February 14, 2003 4:23 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: False Positive ? MailScanner experts, We are running mailscanner 2.6 on an aix 4.3 system along with Sophos engine. It has been running fine for more than a year without any real issues. I just received a complaint from an outside site where the sender claims that they send very simple messages (no attachments and signature turned off). However, she always gets back the following response. ------------------ MailScanner wrote:Date: Wed, 12 Feb 2003 15:26:34 -0600 
From: "MailScanner" To: Subject: Warning: E-mail viruses detected Our virus detector has just been triggered by a message you sent:- To: Subject: signature file Date: Wed Feb 12 15:26:34 2003 Any infected parts of the message have not been delivered. This message is simply to warn you that your computer system may have a virus present and should be checked. The virus detector said this about the message: Report: >>> Virus 'W32/Sircam-A' found in file ./h1CLQDb23038/signature file.doc .com -- MailScanner Email Virus Scanner ------------------------------------------------- end of message. Currently we have mailscanner configured to simply delete any message that is determined to have a virus and simply send notification back to the sender. So she always gets the above message. They can't find any viruses on her computer. I had her send me a message to a smtp server without any mailscanner intercept so that I would get the entire message without any filtering: Below is the raw message with her name replaced by xxxxx: >From xxxxx@mail.uca.edu Thu Feb 13 10:43:13 2003 Received: from list.uca.edu (list.uca.edu [161.31.208.98]) by www.beloit.edu (8.11.6/8.11.6) with ESMTP id h1DGhCf22588 for ; Thu, 13 Feb 2003 10:43:12 -0600 Received: from localhost (list.uca.edu [127.0.0.1]) by list.uca.edu (Postfix) with ESMTP id F2AB049F5 for ; Thu, 13 Feb 2003 10:45:45 -0600 (CST) Received: from mail.uca.edu (mail.uca.edu [161.31.208.25]) by list.uca.edu (Postfix) with ESMTP id 415194822 for ; Thu, 13 Feb 2003 10:45:45 -0600 (CST) Received: from MAIL/SpoolDir by mail.uca.edu (Mercury 1.48); 13 Feb 03 10:43:18 -0600 Received: from SpoolDir by MAIL (Mercury 1.48); 13 Feb 03 10:42:51 -0600 Received: from a5o3j9 (161.31.120.111) by mail.uca.edu (Mercury 1.48); 13 Feb 03 10:42:49 -0600 Message-ID: <004d01c2d37e$f14a17a0$6f781fa1@uca.edu> 
From: "xxxx xxx" To: Subject: hello Date: Thu, 13 Feb 2003 10:42:48 -0600 MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="----=_NextPart_000_004A_01C2D34C.A69EDEC0" X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2600.0000 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000 X-Virus-Scanned: by AMaViS new-20020517 Status: OR This is a multi-part message in MIME format. ------=_NextPart_000_004A_01C2D34C.A69EDEC0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable hi tim,=20 here's the message, the funny thing is, all the people I normally email = everyday aren't having any problems.. just people i've never heard of!! = alli=20 ------=_NextPart_000_004A_01C2D34C.A69EDEC0 Content-Type: text/html; charset="iso-8859-1" ------=_NextPart_000_004A_01C2D34C.A69EDEC0 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable
hi tim,
here's the message, the funny thing is, = all the=20 people I normally email everyday aren't having any problems.. just = people i've=20 never heard of!! 
alli
------=_NextPart_000_004A_01C2D34C.A69EDEC0-- ---------------------------------------------- Is there any reason why the above email message would results in triggering the former mailscanner response? Tim Tyler Network Engineer - Beloit College tyler@beloit.edu From tyler at BELOIT.EDU Fri Feb 14 22:55:09 2003 From: tyler at BELOIT.EDU (Tim Tyler) Date: Thu Jan 12 21:17:11 2006 Subject: False Positive ? In-Reply-To: <058801c2d479$555c5140$9801a8c0@home.middlefinger.net> References: <5.1.1.6.0.20030214161010.021dd1b0@beloit.edu> Message-ID: <5.1.1.6.0.20030214164435.02f59320@beloit.edu> Mike, Others, Yes, but two things make me think otherwise. 1. She does send to us manually and it triggers that response back to her. 2. I had her send to us at another smtp server where we don't have mailscanner. Naturually, she doesn't get a mailscanner reponse, but I also can't find any virus within it. It looks clean to me. Her content is below for examination. I suspect that something is triggering a warning response. Its also peculiar, because we configured mailscanner to drop any messages with viruses and only notify the sender. Her messages always get through. she just gets a warning response as described below. Do warnings get treated differently? There really isn't that much to her message. No attachments that I can see. Tim At 04:35 PM 2/14/2003 -0600, you wrote: >I'd read up on Sircam: > >http://www.sophos.com/virusinfo/analyses/w32sircama.html > >Since Sircam has its own SMTP engine, she doesn't even have to be sending >out the email manually. Sircam, also being network aware, I'd have her >people check their whole network. The attachment that Sophos is catching is >coming from somewhere. > >Mike > > >-----Original Message----- 
>From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf >Of Tim Tyler >Sent: Friday, February 14, 2003 4:23 PM >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: False Positive ? > > >Mailcanner experts, > We are running mailscanner 2.6 on an aix 4.3 system along with Sophos >engine. It has been running fine for more than a year without any real >issues. I just received a complaint from an outside site where the sender >claims that they send very simple messages (no attachments and signature >turned off). However, she always gets back the following response. >------------------ > MailScanner wrote:Date: Wed, 12 Feb 2003 15:26:34 -0600 
>From: "MailScanner" >To: >Subject: Warning: E-mail viruses detected >Our virus detector has just been triggered by a message you sent:- >To: >Subject: signature file >Date: Wed Feb 12 15:26:34 2003 >Any infected parts of the message have not been delivered. >This message is simply to warn you that your computer system may have a >virus present and should be checked. >The virus detector said this about the message: >Report: >>> Virus 'W32/Sircam-A' found in file ./h1CLQDb23038/signature >file.doc >.com >-- >MailScanner >Email Virus Scanner >------------------------------------------------- end of message. > > Currently we have mailscanner configured to simply delete any message that >is determined to have a virus and simply send notification back to the >sender. So she always gets the above message. They can't find any viruses >on her computer. I had her send me a message to a smtp server without any >mailscanner intercept so that I would get the entire message without any >filtering: Below is the raw message with her name replaced by xxxxx: > >From xxxxx@mail.uca.edu Thu Feb 13 10:43:13 2003 >Received: from list.uca.edu (list.uca.edu [161.31.208.98]) > by >www.beloit.edu >(8.11.6/8.11.6) with ESMTP id h1DGhCf22588 > for ; Thu, 13 Feb 2003 10:43:12 -0600 >Received: from localhost (list.uca.edu [127.0.0.1]) > by list.uca.edu (Postfix) with ESMTP id F2AB049F5 > for ; Thu, 13 Feb 2003 10:45:45 -0600 (CST) >Received: from mail.uca.edu (mail.uca.edu [161.31.208.25]) > by list.uca.edu (Postfix) with ESMTP id 415194822 > for ; Thu, 13 Feb 2003 10:45:45 -0600 (CST) >Received: from MAIL/SpoolDir by mail.uca.edu (Mercury 1.48); > 13 Feb 03 10:43:18 -0600 >Received: from SpoolDir by MAIL (Mercury 1.48); 13 Feb 03 10:42:51 -0600 >Received: from a5o3j9 (161.31.120.111) by mail.uca.edu (Mercury 1.48); > 13 Feb 03 10:42:49 -0600 >Message-ID: <004d01c2d37e$f14a17a0$6f781fa1@uca.edu> 
>From: "xxxx xxx" >To: >Subject: hello >Date: Thu, 13 Feb 2003 10:42:48 -0600 >MIME-Version: 1.0 >Content-Type: multipart/alternative; > boundary="----=_NextPart_000_004A_01C2D34C.A69EDEC0" >X-Priority: 3 >X-MSMail-Priority: Normal >X-Mailer: Microsoft Outlook Express 6.00.2600.0000 >X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000 >X-Virus-Scanned: by AMaViS new-20020517 >Status: OR >This is a multi-part message in MIME format. >------=_NextPart_000_004A_01C2D34C.A69EDEC0 >Content-Type: text/plain; > charset="iso-8859-1" >Content-Transfer-Encoding: quoted-printable >hi tim,=20 >here's the message, the funny thing is, all the people I normally email = >everyday aren't having any problems.. just people i've never heard of!! = >alli=20 >------=_NextPart_000_004A_01C2D34C.A69EDEC0 >Content-Type: text/html; > charset="iso-8859-1" > ------=_NextPart_000_004A_01C2D34C.A69EDEC0 >Content-Type: text/html; > charset="iso-8859-1" >Content-Transfer-Encoding: quoted-printable > >hi tim, >here's the message, the funny thing is, = all the=20 people I normally >email everyday aren't having any problems.. just = people i've=20 never >heard of!! >alli >------=_NextPart_000_004A_01C2D34C.A69EDEC0-- >---------------------------------------------- >Is there any reason why the above email message would results in triggering >the former mailscanner response? >Tim Tyler >Network Engineer - Beloit College >tyler@beloit.edu Tim Tyler Network Engineer - Beloit College tyler@beloit.edu From mailscanner at ecs.soton.ac.uk Fri Feb 14 22:52:51 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:11 2006 Subject: MailScanner continously respawns without processing In-Reply-To: <200302141419.22700.lindsay@pa.net> References: <000001c2d44b$661604f0$22c5fea9@squall> <000001c2d44b$661604f0$22c5fea9@squall> Message-ID: <5.2.0.9.2.20030214225128.01b16200@imap.ecs.soton.ac.uk> At 19:19 14/02/2003, you wrote: >debugged the code down to a chdir command in Sendmail.pm line 740. It seems >to lock up w/ no error messages or graceful dieing. Currently the chdir in line 740 is wrapped with a warning message to the log, so I assume I must have fixed this one already. > The paths that it is >trying to change to exist. I can su - mailscanneruser and switch to the >directories just fine so permissions seem fine. I also wrote a mini setuid >script which, dropped to our mailscanneruser and changed to the directory >line 740 was having problems with, and that worked as well. If we run >mailscanner as root, it works fine. If your problem is similar, maybe try >running as root just to see? I'm thinking we might have a buggy setuid >perl....? > >More info: >The servers that did work were RH8.0 whereas the server that did not was 7.3 >RH7.3 box has perl 5.6.1 >RH8.0 boxes have perl 5.8.0 > >Curious to what you find, >Lindsay > >On Friday 14 February 2003 12:06, you wrote: > > Hi all-- > > > > I have a new installation of MailScanner 4.12-2, Exim 4.12, Kaspersky > > and SpamAssassin. At this point I am just trying to troubleshoot > > MailScanner itself (from queue to queue) since Exim does accept a new > > message and drop it in the incoming queue. > > > > I installed MailScanner using the tar distribution. I manually installed > > all of the required Perl modules with the recommended versions and > > patches. > > > > My main problem is I've been unable to get any troubleshooting logs out > > of MailScanner itself. 
I get almost nothing in syslog (syslogd -r -m 0) > > and when run in with Debug I get the same log entries as otherwise: > > > > Feb 14 11:01:12 granite MailScanner[20449]: MailScanner > > Feb 14 11:01:12 granite MailScanner[20449]: MailScanner E-Mail Virus > > Scanner version 4.12-2 starting... > > Feb 14 11:01:22 granite MailScanner[20507]: MailScanner > > Feb 14 11:01:22 granite MailScanner[20507]: MailScanner E-Mail Virus > > Scanner version 4.12-2 starting... > > Feb 14 11:18:40 granite MailScanner[27699]: MailScanner > > Feb 14 11:18:40 granite MailScanner[27699]: MailScanner E-Mail Virus > > Scanner version 4.12-2 starting... > > Feb 14 11:18:50 granite MailScanner[27748]: MailScanner > > Feb 14 11:18:50 granite MailScanner[27748]: MailScanner E-Mail Virus > > Scanner version 4.12-2 starting... > > Feb 14 11:19:00 granite MailScanner[27827]: MailScanner > > Feb 14 11:19:00 granite MailScanner[27827]: MailScanner E-Mail Virus > > Scanner version 4.12-2 starting... > > > > It appears MailScanner is repeatedly trying to initialize itself but > > never succeeds. This continues until I kill the MailScanner process. I > > never have more than one MailScanner process running (there's usually a > > one lurking too). > > > > MailScanner does change to the exim UID/GID and I've made sure > > /opt/MailScanner/var is writable by that UID--the only time I caught an > > error message in syslog was when it wasn't. > > > > I am using Red Hat Linux 7.2. > > > > Is it possible to turn on more verbose logging? I just have so little to > > troubleshoot with. > > > > Any suggestions? Thank you! > > > > Paul -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Fri Feb 14 22:33:01 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:11 2006 Subject: Problems with winmail.dat In-Reply-To: <1045235579.1239.93.camel@dbeauchemin.si.usherbrooke.ca> Message-ID: <5.2.0.9.2.20030214223110.02862d28@imap.ecs.soton.ac.uk> At 15:13 14/02/2003, you wrote: >I use MS with "Expand TNEF = yes" but a message in a winmail.dat >bypasses the filename.rules.conf file tests! >I quarantine all .EXE files but if someone sends one in a winmail.dat it >will be delivered without even a warning. >Could this be fixed? I thought I tested this in a previous release and >using the external TNEF expander solved this problem. This will be fixed in 4.13. I can't find a way of generating TNEF any more, my Outlook(s) have been updated and no longer create winmail.dat files. What I would like is a TNEF file containing eicar.com, if someone could put it in a password-protected zip file and mail it to me off-list. Thanks folks. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Fri Feb 14 22:40:42 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:11 2006 Subject: MailScanner continously respawns without processing In-Reply-To: <000001c2d44b$661604f0$22c5fea9@squall> Message-ID: <5.2.0.9.2.20030214223933.022b2da8@imap.ecs.soton.ac.uk> *If* it is continuously respawning then check that the mail UID+GID can write to the MailScanner/incoming and MailScanner/quarantine directories, as well as the incoming and outgoing queue directories and the PID file. That is normally the cause of this. If it is just starting up, expect it to produce a parent + 5 child processes by default, you just need to try putting some mail in the incoming queue. If you are using Exim 4, then the incoming and outgoing queue dirs set in MailScanner need to be the "input" directories of each Exim queue directory structure. At 17:06 14/02/2003, you wrote: >Hi all-- > >I have a new installation of MailScanner 4.12-2, Exim 4.12, Kaspersky >and SpamAssassin. At this point I am just trying to troubleshoot >MailScanner itself (from queue to queue) since Exim does accept a new >message and drop it in the incoming queue. > >I installed MailScanner using the tar distribution. I manually installed >all of the required Perl modules with the recommended versions and >patches. > >My main problem is I've been unable to get any troubleshooting logs out >of MailScanner itself. I get almost nothing in syslog (syslogd -r -m 0) >and when run in with Debug I get the same log entries as otherwise: > >Feb 14 11:01:12 granite MailScanner[20449]: MailScanner >Feb 14 11:01:12 granite MailScanner[20449]: MailScanner E-Mail Virus >Scanner version 4.12-2 starting... >Feb 14 11:01:22 granite MailScanner[20507]: MailScanner >Feb 14 11:01:22 granite MailScanner[20507]: MailScanner E-Mail Virus >Scanner version 4.12-2 starting... >Feb 14 11:18:40 granite MailScanner[27699]: MailScanner >Feb 14 11:18:40 granite MailScanner[27699]: MailScanner E-Mail Virus >Scanner version 4.12-2 starting... 
>Feb 14 11:18:50 granite MailScanner[27748]: MailScanner >Feb 14 11:18:50 granite MailScanner[27748]: MailScanner E-Mail Virus >Scanner version 4.12-2 starting... >Feb 14 11:19:00 granite MailScanner[27827]: MailScanner >Feb 14 11:19:00 granite MailScanner[27827]: MailScanner E-Mail Virus >Scanner version 4.12-2 starting... > >It appears MailScanner is repeatedly trying to initialize itself but >never succeeds. This continues until I kill the MailScanner process. I >never have more than one MailScanner process running (there's usually a > one lurking too). > >MailScanner does change to the exim UID/GID and I've made sure >/opt/MailScanner/var is writable by that UID--the only time I caught an >error message in syslog was when it wasn't. > >I am using Red Hat Linux 7.2. > >Is it possible to turn on more verbose logging? I just have so little to >troubleshoot with. > >Any suggestions? Thank you! > >Paul -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Fri Feb 14 22:34:36 2003 
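The reply above names write access for the mail UID+GID as the usual cause of a respawn loop; this added example (not MailScanner code) evaluates that access from the mode bits of each directory, its ancestors and the PID file location. The account name and every path in the `__main__` part are placeholders to replace with the values from your own MailScanner.conf, and ACLs are not evaluated.

```python
"""Check that the run-as account can write where MailScanner needs to (added example)."""
import os
import pwd
import stat

SEARCH, WRITE = 0o1, 0o2


def mode_allows(mode, owner_uid, owner_gid, uid, gids, want):
    """Classic Unix rule: exactly one of the owner/group/other triplets applies."""
    if uid == 0:
        return True
    if uid == owner_uid:
        bits = mode >> 6
    elif owner_gid in gids:
        bits = mode >> 3
    else:
        bits = mode
    return (bits & want) == want


def ids_for(user):
    """uid and full group set of the account MailScanner drops to."""
    entry = pwd.getpwnam(user)
    return entry.pw_uid, set(os.getgrouplist(user, entry.pw_gid))


def check_path(path, uid, gids, is_dir=True):
    """Return the problems that stop uid/gids from writing to path."""
    path = os.path.realpath(path)
    target = path
    if not os.path.exists(path):
        if is_dir:
            return ["%s: missing" % path]
        target = os.path.dirname(path)   # PID file not created yet: check its directory
        if not os.path.isdir(target):
            return ["%s: missing" % target]
    problems = []
    parent = os.path.dirname(target)
    while True:                          # every ancestor needs the search bit
        st = os.stat(parent)
        if not mode_allows(st.st_mode, st.st_uid, st.st_gid, uid, gids, SEARCH):
            problems.append("%s: no search permission" % parent)
        if parent == os.path.dirname(parent):
            break
        parent = os.path.dirname(parent)
    st = os.stat(target)
    want = WRITE | SEARCH if stat.S_ISDIR(st.st_mode) else WRITE
    if not mode_allows(st.st_mode, st.st_uid, st.st_gid, uid, gids, want):
        problems.append("%s: not writable" % target)
    return problems


def check_all(uid, gids, directories, pid_file):
    """Check the work and queue directories plus the PID file in one pass."""
    problems = []
    for directory in directories:
        problems += check_path(directory, uid, gids)
    problems += check_path(pid_file, uid, gids, is_dir=False)
    return problems


if __name__ == "__main__":
    # Placeholders: substitute the account and paths from your configuration.
    uid, gids = ids_for("RUN_AS_USER")
    for line in check_all(uid, gids,
                          ["/PATH/TO/MailScanner/incoming",
                           "/PATH/TO/MailScanner/quarantine",
                           "/PATH/TO/incoming-queue",
                           "/PATH/TO/outgoing-queue"],
                          "/PATH/TO/MailScanner.pid"):
        print(line)
```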
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:11 2006 Subject: Mailscanner logs In-Reply-To: <5.2.0.9.0.20030214102025.04c3a778@oriongw> References: <1045235579.1239.93.camel@dbeauchemin.si.usherbrooke.ca> Message-ID: <5.2.0.9.2.20030214223335.0287bfa0@imap.ecs.soton.ac.uk> At 15:28 14/02/2003, you wrote: >When I configured mail scanner, I told it to log Iframe and Object codebase >tags. Where do these get logged? I checked /var/log/maillog, but I do not >see any entries that mention them. I am running Redhat 7.3, and last weeks >released versions of MailScanner, SpamAssassin, and Razor. Check your syslog.conf and see where mail.info is logged. It might not be to your maillog. >Can anyone give me examples of some popular legitimate mailings that use >the tags, maybe I am not receiving any. The Dilbert daily comic strip uses IFrames, so I am told. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Fri Feb 14 22:57:19 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:11 2006 Subject: messages building up In-Reply-To: <200302141647.04614.lindsay@pa.net> References: <5.2.0.9.2.20030214211707.02836e60@imap.ecs.soton.ac.uk> <5.2.0.9.2.20030214211707.02836e60@imap.ecs.soton.ac.uk> Message-ID: <5.2.0.9.2.20030214225602.02848bf0@imap.ecs.soton.ac.uk> At 21:47 14/02/2003, you wrote: >On Friday 14 February 2003 16:23, you wrote: > > At 14:02 14/02/2003, you wrote: > > >Hallo all > > > > > >I have a server here that is under fairly high load. > > >My problem is that the messages seem to keep on building up in the mque.in > > >directory. > > >Now I have set the Max Children = 60 > > > > You won't gain anything on a small machine (less than about 8 CPU's) by > > giving it a number as high as that. It will just spend all its CPU time > > sorting directory entries. > > > > > as you can see and setup sendmail to > > >deque everey 5 mins (sendmail -bd -q15m) > > > > If you specify -bd -q15m then it will bypass MailScanner completely, as it > > will be delivering from the same queue it is reading into. > > > > >Any ideas how I can get the performance up ? > > >The server is a dual pIII 800 with 3Gigs ram and a raid5 array > > >It is running Redhat 7.3 with sendmail (standard) all patches were apllied > > >with up2date. > > >Mailscanner is Version 4.12-2 installed from rpm's > > >using f-prot > > > > I am about to try switching ext3 to data journalling. Note that you can > > also increase the performance quite a bit by putting the > > MailScanner/incoming directory on a tmpfs filesystem. MailScanner does a > > lot of file i/o to the MailScanner/incoming dir, and this hammers real > > disks quite hard. I have personally seen 30% speed improvement by doing > > this. It only takes a minute to change and is definitely worth a try. All > > the data in the MailScanner/incoming directory is temporary anyway, so you > > don't need to worry about losing anything on power-outs. 
> >Has anyone else had problems using tmpfs and f-prot? If I'm wrong, please >correct me but It seems that mailscanner depends on the virus scanner to >recurse down through a directory to scan all the attachments exploded out. >For some reason, f-prot won't recurse on tmpfs thus the files don't get >scanned. Can anyone else verify this? Yes, this has been reported to this list before. Also, McAfee has problems with soft-links. I strongly recommend testing before rolling out production servers with any new software. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Fri Feb 14 22:38:08 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:11 2006 Subject: Blocking empty To with rules In-Reply-To: References: <5.1.1.6.0.20030213135536.018a3d58@192.168.50.2> Message-ID: <5.2.0.9.2.20030214223629.028a2e68@imap.ecs.soton.ac.uk> At 16:06 14/02/2003, you wrote: >Is it possible to block a spam message where the To is empty? We are >getting a ton of spam from AOL and in the sendmail logfile the To is blank. >I wouldn't mind shutting AOL down from having access to our server but I'm >sure our customers would complain :) In a ruleset you can specify arbitrary regular expressions, which is perfect for this. You could write a ruleset for the "Is Definitely Spam" parameter that contains the line To: /^$/ yes which would say that all mail with no To address is spam. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Fri Feb 14 22:55:36 2003 
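The tmpfs problem confirmed in the "messages building up" reply above fails silently: files in sub-directories are never scanned and the mail goes out as clean. This added example (not MailScanner code) builds an incoming-style batch tree with one test file at the top and one nested, runs your scanner over it and reports which ones it named. It assumes the scanner takes the directory as its last argument and prints the names of flagged files; `test_bytes` is whatever harmless test file your scanner flags (the thread mentions eicar.com), and no scanner flags or test file are embedded here.

```python
"""Verify that a virus scanner recurses into a batch directory (added example)."""
import os
import shutil
import subprocess
import tempfile

TOP_NAME = "canary-top.com"
NESTED_NAME = "canary-nested.com"


def scanner_sees_nested(scan_cmd, work_root, test_bytes, timeout=120):
    """Scan a throw-away batch tree under work_root; report which files were named.

    scan_cmd is the scanner command as a list, without the directory argument.
    """
    batch = tempfile.mkdtemp(prefix="batch-", dir=work_root)
    try:
        msgdir = os.path.join(batch, "h1CANARY00001")   # constructed message id
        os.mkdir(msgdir)
        for path in (os.path.join(batch, TOP_NAME),
                     os.path.join(msgdir, NESTED_NAME)):
            with open(path, "wb") as handle:
                handle.write(test_bytes)
        proc = subprocess.run(list(scan_cmd) + [batch],
                              stdout=subprocess.PIPE,
                              stderr=subprocess.STDOUT,
                              timeout=timeout)
        output = proc.stdout.decode("utf-8", "replace")
        return {"top": TOP_NAME in output,
                "nested": NESTED_NAME in output,
                "exit": proc.returncode}
    finally:
        shutil.rmtree(batch, ignore_errors=True)


def verdict(result):
    """Separate 'scanner does not recurse here' from 'scanner found nothing at all'."""
    if result["top"] and result["nested"]:
        return "ok"
    if result["top"]:
        return "no-recursion"
    return "no-detection"


def compare(scan_cmd, work_roots, test_bytes):
    """Run the same check on several filesystems, e.g. a disk path and a tmpfs mount."""
    return {root: verdict(scanner_sees_nested(scan_cmd, root, test_bytes))
            for root in work_roots}
```

Run `compare` with one directory on ordinary disk and one on the tmpfs mount; "ok" on disk and "no-recursion" on tmpfs reproduces the behaviour reported in the thread.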
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:11 2006 Subject: MailScanner continously respawns without processing In-Reply-To: <000201c2d45f$1c47e2d0$22c5fea9@squall> References: <200302141227.00431.lindsay@pa.net> Message-ID: <5.2.0.9.2.20030214225433.02303600@imap.ecs.soton.ac.uk> At 19:27 14/02/2003, you wrote: >Hi, > >I have narrowed the problem down to MailScanner dying silently during >MailScanner::SA::initialise(). Did you happen to work out exactly where in SA::initialise it failed, and/or why? >I started going through bin/MailScanner, first in ForkDaemon() then >WorkForHours() where I added several new InfoLog() calls. With this >additional information I went back to etc/MailScanner.conf and set Spam >Checks and Use SpamAssassin to no. Now MailScanner appears to be running >nicely and it processed my queued message. > >So--now it's time to dig into why the SpamAssassin interface isn't >working...I do have SA 2.44 and the test message in the SA documentation >worked fine. Any tips there would be greatly appreciated. > >For the future, it seems clear that more error trapping is needed during >these initialization steps--during which there is currently no output. I >see a bunch of commented-out STDERR printouts that would be great to >change to "if($Debug)...". Here's what my MailScanner spits out now (so >at least I know "I got this far..."): > >Feb 14 14:01:43 granite MailScanner[27858]: Finished reading >/opt/MailScanner/etc/MailScanner.conf >Feb 14 14:01:43 granite MailScanner[27858]: Finished checking Queues >Feb 14 14:01:43 granite MailScanner[27858]: Finished initialising >MessageBatch >Feb 14 14:01:43 granite MailScanner[27858]: Finished initialising SA >Feb 14 14:01:43 granite MailScanner[27858]: Finished initialising TNEF >Feb 14 14:01:43 granite MailScanner[27858]: Finished initialising >Sendmail > >Thanks! 
>Paul -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From mike at CAMAROSS.NET Fri Feb 14 23:40:44 2003 From: mike at CAMAROSS.NET (Mike Kercher) Date: Thu Jan 12 21:17:11 2006 Subject: False Positive ? In-Reply-To: <5.1.1.6.0.20030214164435.02f59320@beloit.edu> Message-ID: <059201c2d482$7ece9520$9801a8c0@home.middlefinger.net> >The virus detector said this about the message: >Report: >>> Virus 'W32/Sircam-A' found in file ./h1CLQDb23038/signature >file.doc This is what makes me think that Sircam itself is sending the message and not her MUA...signature file.doc -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Tim Tyler Sent: Friday, February 14, 2003 4:55 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: False Positive ? Mike, Others, Yes, but two things make me think otherwise. 1. She does send to us manually and it triggers that response back to her. 2. I had her send to us at another smtp server where we don't have mailscanner. Naturually, she doesn't get a mailscanner reponse, but I also can't find any virus within it. It looks clean to me. Her content is below for examination. I suspect that something is triggering a warning response. Its also peculiar, because we configured mailscanner to drop any messages with viruses and only notify the sender. Her messages always get through. she just gets a warning response as described below. Do warnings get treated differently? There really isn't that much to her message. No attachments that I can see. Tim At 04:35 PM 2/14/2003 -0600, you wrote: >I'd read up on Sircam: > >http://www.sophos.com/virusinfo/analyses/w32sircama.html > >Since Sircam has its own SMTP engine, she doesn't even have to be sending >out the email manually. Sircam, also being network aware, I'd have her >people check their whole network. The attachment that Sophos is catching is >coming from somewhere. > >Mike > > >-----Original Message----- 
>From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf
>Of Tim Tyler
>Sent: Friday, February 14, 2003 4:23 PM
>To: MAILSCANNER@JISCMAIL.AC.UK
>Subject: False Positive ?
>
>
>Mailscanner experts,
> We are running mailscanner 2.6 on an aix 4.3 system along with Sophos
>engine. It has been running fine for more than a year without any real
>issues. I just received a complaint from an outside site where the sender
>claims that they send very simple messages (no attachments and signature
>turned off). However, she always gets back the following response.
>------------------
> MailScanner wrote:Date: Wed, 12 Feb 2003 15:26:34 -0600
>From: "MailScanner"
>To:
>Subject: Warning: E-mail viruses detected
>Our virus detector has just been triggered by a message you sent:-
>To:
>Subject: signature file
>Date: Wed Feb 12 15:26:34 2003
>Any infected parts of the message have not been delivered.
>This message is simply to warn you that your computer system may have a
>virus present and should be checked.
>The virus detector said this about the message:
>Report: >>> Virus 'W32/Sircam-A' found in file ./h1CLQDb23038/signature
>file.doc
>.com
>--
>MailScanner
>Email Virus Scanner
>------------------------------------------------- end of message.
>
> Currently we have mailscanner configured to simply delete any message that
>is determined to have a virus and simply send notification back to the
>sender. So she always gets the above message. They can't find any viruses
>on her computer. I had her send me a message to a smtp server without any
>mailscanner intercept so that I would get the entire message without any
>filtering: Below is the raw message with her name replaced by xxxxx:
>
>From xxxxx@mail.uca.edu Thu Feb 13 10:43:13 2003
>Received: from list.uca.edu (list.uca.edu [161.31.208.98])
>    by
>www.beloit.edu
>(8.11.6/8.11.6) with ESMTP id h1DGhCf22588
>    for ; Thu, 13 Feb 2003 10:43:12 -0600
>Received: from localhost (list.uca.edu [127.0.0.1])
>    by list.uca.edu (Postfix) with ESMTP id F2AB049F5
>    for ; Thu, 13 Feb 2003 10:45:45 -0600 (CST)
>Received: from mail.uca.edu (mail.uca.edu [161.31.208.25])
>    by list.uca.edu (Postfix) with ESMTP id 415194822
>    for ; Thu, 13 Feb 2003 10:45:45 -0600 (CST)
>Received: from MAIL/SpoolDir by mail.uca.edu (Mercury 1.48);
>    13 Feb 03 10:43:18 -0600
>Received: from SpoolDir by MAIL (Mercury 1.48); 13 Feb 03 10:42:51 -0600
>Received: from a5o3j9 (161.31.120.111) by mail.uca.edu (Mercury 1.48);
>    13 Feb 03 10:42:49 -0600
>Message-ID: <004d01c2d37e$f14a17a0$6f781fa1@uca.edu>
>From: "xxxx xxx"
>To:
>Subject: hello
>Date: Thu, 13 Feb 2003 10:42:48 -0600
>MIME-Version: 1.0
>Content-Type: multipart/alternative;
>    boundary="----=_NextPart_000_004A_01C2D34C.A69EDEC0"
>X-Priority: 3
>X-MSMail-Priority: Normal
>X-Mailer: Microsoft Outlook Express 6.00.2600.0000
>X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
>X-Virus-Scanned: by AMaViS new-20020517
>Status: OR
>This is a multi-part message in MIME format.
>------=_NextPart_000_004A_01C2D34C.A69EDEC0
>Content-Type: text/plain;
>    charset="iso-8859-1"
>Content-Transfer-Encoding: quoted-printable
>hi tim,=20
>here's the message, the funny thing is, all the people I normally email =
>everyday aren't having any problems.. just people i've never heard of!! =
>alli=20
>------=_NextPart_000_004A_01C2D34C.A69EDEC0
>Content-Type: text/html;
>    charset="iso-8859-1"
> ------=_NextPart_000_004A_01C2D34C.A69EDEC0
>Content-Type: text/html;
>    charset="iso-8859-1"
>Content-Transfer-Encoding: quoted-printable
>
>hi tim,
>here's the message, the funny thing is, = all the=20 people I normally
>email everyday aren't having any problems.. just = people i've=20 never
>heard of!!
>alli
>------=_NextPart_000_004A_01C2D34C.A69EDEC0--
>----------------------------------------------
>Is there any reason why the above email message would result in triggering
>the former mailscanner response?
>Tim Tyler
>Network Engineer - Beloit College
>tyler@beloit.edu

Tim Tyler
Network Engineer - Beloit College
tyler@beloit.edu

From mweiser at FACHSCHAFT.IMN.HTWK-LEIPZIG.DE Sat Feb 15 07:50:40 2003
From: mweiser at FACHSCHAFT.IMN.HTWK-LEIPZIG.DE (Michael Weiser)
Date: Thu Jan 12 21:17:11 2006
Subject: memory footprint
Message-ID:

Hello,

I'm running mailscanner 4.12-1 with SpamAssassin-2.44 on a rather small
leaf node scanning mail for viruses using sophos and f-prot. The machine
runs RedHat Linux 8.0 with perl 5.8.0 in the Linux-Distri-typical
max-feature-install.

After some time mailscanner's memory consumption will look something like
this:

PID    PPID   SIZE   RSS    SWAP      COMMAND
                            (sz-rss)
31942  1      10556  1940   8616      /usr/bin/perl
32132  31942  19004  17044  1960      /usr/bin/perl
32391  31942  19140  17284  1856      /usr/bin/perl

So I understand that perl is rather fat in its footprint all by itself
which accounts for the 19MB for the two children. But from the fact that
almost all of the parent gets swapped out I suspect that it doesn't do
much more than see that the two children stay alive.

Are these assumptions correct? What do others see with different versions
of perl?
Would it make sense to compile mailscanner its own perl-5.0004 or so?
Is there any way to slim mailscanner down, especially the parent process?
Where would I want to start looking if I had some perl experience and were
willing to do some hacking on my own?
-- 
Thanks in advance.

bye, Micha

From henker at SHCOM.US Sat Feb 15 08:07:46 2003
From: henker at SHCOM.US (Steffan Henke)
Date: Thu Jan 12 21:17:11 2006
Subject: rav not scanning archives by default
In-Reply-To: <5.2.0.9.2.20030214201220.0283c278@imap.ecs.soton.ac.uk>
References: <5.2.0.9.2.20030209115738.025b5de8@imap.ecs.soton.ac.uk>
    <5.2.0.9.2.20030209115738.025b5de8@imap.ecs.soton.ac.uk>
    <5.2.0.9.2.20030214201220.0283c278@imap.ecs.soton.ac.uk>
Message-ID:

On Fri, 14 Feb 2003, Julian Field wrote:

> At 21:27 09/02/2003, you wrote:
> >On Sun, 9 Feb 2003, Julian Field wrote:
> >
> > > MailScanner runs rav with the following parameters
> > > --all --mail --archive
> > > which I believe will turn the archive scanning on.
> >
> >Julian,
> >
> >is that defined somewhere else than in /usr/lib/MailScanner/rav-wrapper ?
>
> It's in /usr/lib/MailScanner/MailScanner/SweepViruses.pm.

Hmm,

looks like I have more problems then... I was wrong in the first place,
the .com-files were not scanned too, they were only rejected because of
filetype rules.
I changed them, allowing .com and .exe, but still rav does not scan them.
If I turn debugging on, I get
Feb 15 09:00:25 mail MailScanner[4678]: Commencing scanning by rav...
Feb 15 09:00:26 mail MailScanner[4678]: Completed scanning by rav

but it looks like /usr/lib/MailScanner never gets executed at all.
That's really strange, f-prot and/or clamav are still working great, but
no success with rav on my side so far and this is the AV package I have
opted for.


Regards,

Steffan

From henker at SHCOM.US Sat Feb 15 08:28:59 2003
From: henker at SHCOM.US (Steffan Henke)
Date: Thu Jan 12 21:17:11 2006
Subject: rav not scanning archives by default
In-Reply-To:
References: <5.2.0.9.2.20030209115738.025b5de8@imap.ecs.soton.ac.uk>
    <5.2.0.9.2.20030209115738.025b5de8@imap.ecs.soton.ac.uk>
    <5.2.0.9.2.20030214201220.0283c278@imap.ecs.soton.ac.uk>
Message-ID:

On Sat, 15 Feb 2003, Steffan Henke wrote:

> but it looks like /usr/lib/MailScanner never gets executed at all.
                             ^^^^^^^^^^^

I mean /usr/lib/MailScanner/rav-wrapper of course.

From mailscanner at BARENDSE.TO Sat Feb 15 08:30:00 2003
From: mailscanner at BARENDSE.TO (Remco Barendse)
Date: Thu Jan 12 21:17:11 2006
Subject: False spam?
In-Reply-To: <5.2.0.9.2.20030214223629.028a2e68@imap.ecs.soton.ac.uk>
Message-ID:

For some strange reason some mails are being tagged as spam where I don't
think they should.

I am running MailScanner 4.12 with SpamAssassin 2.44 with the skip rbl
checks set to 1 (no rbl checks) in spam.assassin.prefs.conf.

This is what the envelope of the tagged message says:
X-MailScanner-SpamCheck: spam, Infinite-Monkeys, SpamAssassin (score=1.3,
        required 6, IN_REP_TO, NO_REAL_NAME, SPAM_PHRASE_00_01)
X-MailScanner-SpamScore: s

Really low score, still it's being tagged. There is no clue in the maillog either.
Why is it being tagged as spam?

-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From henker at SHCOM.US Sat Feb 15 09:20:16 2003
From: henker at SHCOM.US (Steffan Henke)
Date: Thu Jan 12 21:17:11 2006
Subject: False spam?
In-Reply-To:
References:
Message-ID:

On Sat, 15 Feb 2003, Remco Barendse wrote:

> This is what the envelope of the tagged message says:
> X-MailScanner-SpamCheck: spam, Infinite-Monkeys, SpamAssassin (score=1.3,
> required 6, IN_REP_TO, NO_REAL_NAME, SPAM_PHRASE_00_01)
> X-MailScanner-SpamScore: s

> Really low score, still it's being tagged. There is no clue in the maillog either.
> Why is it being tagged as spam?

I think it has been marked because of MailScanner's internal RBL checks.
To me, it looks like the sender is listed by Infinite-Monkeys and
therefore, you get the above result.
Have you tried disabling MailScanner's RBL checks ? They are independent
of the SpamAssassin ones.

Regards,

Steffan

From tony.johansson at SVENSKAKYRKAN.SE Sat Feb 15 09:57:58 2003
From: tony.johansson at SVENSKAKYRKAN.SE (Tony Johansson)
Date: Thu Jan 12 21:17:11 2006
Subject: rav question
Message-ID: <3C4F5084EF16D4119CE700508B6B8B10058D0A50@nt.svenskakyrkan.se>

I decided to try RAV as a complementary scanner to f-prot in our
mailscanner setup.

The machine I use for testing is a redhat 7.3 (with all errata updates),
sendmail, rav antivirus desktop for linux v8.1.4 and MailScanner 4.12-2
No graphical interface (X) is installed.

/usr/local/rav8/bin/ravlin8 produces the error "error while loading shared
libraries: libgtk-1.2.so.0: cannot open shared object file: No such file or
directory"

obviously my mailscanner won't work as rav-wrapper points to ravlin8.
I'm not sure what the error is but I would guess it needs some sort of
graphical libraries?

however, /usr/local/rav8/bin/ravav seems to work ok - at least from the
command line

Is there any way to use ravav instead of ravlin8 with mailscanner? I tried
adjusting rav-wrapper but that didn't help much...

regards,
Tony

From henker at SHCOM.US Sat Feb 15 10:31:06 2003
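Added example (not part of any list message, and not MailScanner's own code): a small Python parser for the X-MailScanner-SpamCheck header quoted in the "False spam?" exchange above, separating MailScanner's own spam-list hits from the SpamAssassin score to show which check accounts for the verdict. The field layout is inferred from that one quoted header; the second sample header and its rule names are constructed.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Header as quoted in the thread, folded the way mail headers are.
THREAD_HEADER = (
    "X-MailScanner-SpamCheck: spam, Infinite-Monkeys, SpamAssassin (score=1.3,\n"
    "\trequired 6, IN_REP_TO, NO_REAL_NAME, SPAM_PHRASE_00_01)"
)
# Constructed for contrast (placeholder rule names); assumes the same layout.
CONSTRUCTED_HEADER = (
    "X-MailScanner-SpamCheck: spam, SpamAssassin (score=7.2, required 6,\n"
    "\tEXAMPLE_RULE_A, EXAMPLE_RULE_B)"
)

SA_FIELD = re.compile(r"SpamAssassin\s*\((.*)\)", re.S)
NUMBER = r"(-?\d+(?:\.\d+)?)"


@dataclass
class SpamCheck:
    verdict: str                                   # first field, e.g. "spam"
    spam_lists: List[str] = field(default_factory=list)  # spam lists that hit
    sa_score: Optional[float] = None
    sa_required: Optional[float] = None
    sa_rules: List[str] = field(default_factory=list)

    def cause(self) -> str:
        """Name the check(s) that can account for a spam verdict."""
        sa_hit = (
            self.sa_score is not None
            and self.sa_required is not None
            and self.sa_score >= self.sa_required
        )
        if self.spam_lists and sa_hit:
            return "spam list and SpamAssassin"
        if self.spam_lists:
            return "spam list"
        return "SpamAssassin" if sa_hit else "none"


def split_top_level(text: str) -> List[str]:
    """Split on commas that are not inside parentheses."""
    parts, depth, current = [], 0, []
    for ch in text:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth = max(depth - 1, 0)
        if ch == "," and depth == 0:
            parts.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    parts.append("".join(current).strip())
    return [p for p in parts if p]


def parse_spamcheck(raw: str) -> SpamCheck:
    # Unfold continuation lines before looking at the value.
    unfolded = re.sub(r"\r?\n[ \t]+", " ", raw.strip())
    name, sep, value = unfolded.partition(":")
    if not sep or name.strip().lower() != "x-mailscanner-spamcheck":
        raise ValueError("not an X-MailScanner-SpamCheck header")
    fields = split_top_level(value)
    if not fields:
        raise ValueError("empty header value")
    result = SpamCheck(verdict=fields[0])
    for item in fields[1:]:
        sa = SA_FIELD.fullmatch(item)
        if sa is None:
            # Anything that is not the SpamAssassin block is taken to be
            # the name of a spam list that matched (assumption).
            result.spam_lists.append(item)
            continue
        for token in split_top_level(sa.group(1)):
            score = re.fullmatch(r"score=" + NUMBER, token)
            required = re.fullmatch(r"required\s+" + NUMBER, token)
            if score:
                result.sa_score = float(score.group(1))
            elif required:
                result.sa_required = float(required.group(1))
            else:
                result.sa_rules.append(token)
    return result


if __name__ == "__main__":
    for header in (THREAD_HEADER, CONSTRUCTED_HEADER):
        check = parse_spamcheck(header)
        print(check.verdict, check.spam_lists, check.sa_score,
              check.sa_required, "->", check.cause())
```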
From: henker at SHCOM.US (Steffan Henke)
Date: Thu Jan 12 21:17:11 2006
Subject: rav question
In-Reply-To: <3C4F5084EF16D4119CE700508B6B8B10058D0A50@nt.svenskakyrkan.se>
References: <3C4F5084EF16D4119CE700508B6B8B10058D0A50@nt.svenskakyrkan.se>
Message-ID:

On Sat, 15 Feb 2003, Tony Johansson wrote:

> /usr/local/rav8/bin/ravlin8 produces the error "error while loading shared
> libraries: libgtk-1.2.so.0: cannot open shared object file: No such file or
> directory"

It looks like rav requires gtk, I have installed gtk+-1.2.10-11 here.
AFAIK, rav has 2 operational modes, one is text-mode, the other one is
the graphical mode in X.

Regards,

Steffan

From mailscanner at ecs.soton.ac.uk Sat Feb 15 13:46:14 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:11 2006
Subject: Automating MailScanner.conf upgrades
Message-ID: <5.2.0.9.2.20030215132222.024fa228@imap.ecs.soton.ac.uk>

Morning all,

The biggest pain in doing an upgrade of MailScanner is working out what has
changed between your current MailScanner.conf and the new one.

So I have written a tool to help you do this. It will
- copy over all your old settings into the new file
- copy over all the comments you have added to settings
- add the default settings for all new settings
- delete obsolete settings
- print a summary of what it has done, including the settings that were
  added/removed

It is attached to this message. To find out how to use it, just run it and
it will tell you.

The only time it will run into trouble is when the supplied value for a
setting is commented out, and you have uncommented it. It can't tell the
difference between lines like that and normal comments. So Exim users beware!

It can't be perfect, but you should find it helps.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: upgrade_MailScanner_conf
Type: application/octet-stream
Size: 4999 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030215/d6e519c6/upgrade_MailScanner_conf.obj
-------------- next part --------------
-- 
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Sat Feb 15 14:17:08 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:11 2006 Subject: memory footprint In-Reply-To: Message-ID: <5.2.0.9.2.20030215141605.0280f7f8@imap.ecs.soton.ac.uk> At 07:50 15/02/2003, you wrote: >I'm running mailscanner 4.12-1 with SpamAssassin-2.44 on a rather small >leaf node scanning mail for viruses using sophos and f-prot. The machine >runs RedHat Linux 8.0 with perl 5.8.0 in the Linux-Distri-typical >max-feature-install. > >After some time mailscanner's memory consumption will look something like >this: >PID PPID SIZE RSS SWAP COMMAND > (sz-rss) >31942 1 10556 1940 8616 /usr/bin/perl >32132 31942 19004 17044 1960 /usr/bin/perl >32391 31942 19140 17284 1856 /usr/bin/perl > >So I understand that perl is rather fat in its footprint all by itself >which accounts for the 19MB for the two children. But from the fact that >almost all of the parent gets swapped out I suspect that it doesn't do >much more than see that the two children stay alive. Indeed. >Are these assumptions correct? What do others see with different versions >of perl? >Would it make sense to compile mailscanner its own perl-5.0004 or so? MailScanner will only work with Perl 5.005 or above. >Is there any way to slim mailscanner down, especially the parent process? As it is virtually all swapped out, what's the point? >Where would I want to start looking if I had some perl experience and were >willing to do some hacking on my own? The source :-) -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Sat Feb 15 14:20:19 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:11 2006 Subject: rav not scanning archives by default In-Reply-To: References: <5.2.0.9.2.20030214201220.0283c278@imap.ecs.soton.ac.uk> <5.2.0.9.2.20030209115738.025b5de8@imap.ecs.soton.ac.uk> <5.2.0.9.2.20030209115738.025b5de8@imap.ecs.soton.ac.uk> <5.2.0.9.2.20030214201220.0283c278@imap.ecs.soton.ac.uk> Message-ID: <5.2.0.9.2.20030215142009.02568e78@imap.ecs.soton.ac.uk> See the "rav question" thread. At 08:07 15/02/2003, you wrote: >On Fri, 14 Feb 2003, Julian Field wrote: > > > At 21:27 09/02/2003, you wrote: > > >On Sun, 9 Feb 2003, Julian Field wrote: > > > > > > > MailScanner runs rav with the following parameters > > > > --all --mail --archive > > > > which I believe will turn the archive scanning on. > > > > > >Julian, > > > > > >is that defined somewhere else than in /usr/lib/MailScanner/rav-wrapper ? > > > > It's in /usr/lib/MailScanner/MailScanner/SweepViruses.pm. > >Hmm, > >looks like I have more problems then... I was wrong in the first place, >the .com-files were not scanned too, they were only rejected because of >filetype rules. >I changed them, allowing .com and .exe, but still rav does not scan them. >If I turn debugging on, I get >Feb 15 09:00:25 mail MailScanner[4678]: Commencing scanning by rav... >Feb 15 09:00:26 mail MailScanner[4678]: Completed scanning by rav > >but it looks like /usr/lib/MailScanner never gets executed at all. >That's really strange, f-prot and/or clamav are still working great, but >no success with rav on my side so far and this is the AV package I have >opted for. > > >Regards, > >Steffan -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Sat Feb 15 14:18:32 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:11 2006 Subject: rav not scanning archives by default In-Reply-To: References: <5.2.0.9.2.20030209115738.025b5de8@imap.ecs.soton.ac.uk> <5.2.0.9.2.20030209115738.025b5de8@imap.ecs.soton.ac.uk> <5.2.0.9.2.20030214201220.0283c278@imap.ecs.soton.ac.uk> Message-ID: <5.2.0.9.2.20030215141807.02557718@imap.ecs.soton.ac.uk> At 08:28 15/02/2003, you wrote: >On Sat, 15 Feb 2003, Steffan Henke wrote: > > > but it looks like /usr/lib/MailScanner never gets executed at all. > ^^^^^^^^^^^ > >I mean /usr/lib/MailScanner/rav-wrapper of course. What happens to the last-accessed date stamp on rav-wrapper? That will tell you if it is being touched. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From henker at SHCOM.US Sat Feb 15 15:49:06 2003 From: henker at SHCOM.US (Steffan Henke) Date: Thu Jan 12 21:17:11 2006 Subject: rav not scanning archives by default In-Reply-To: <5.2.0.9.2.20030215141807.02557718@imap.ecs.soton.ac.uk> References: <5.2.0.9.2.20030209115738.025b5de8@imap.ecs.soton.ac.uk> <5.2.0.9.2.20030209115738.025b5de8@imap.ecs.soton.ac.uk> <5.2.0.9.2.20030214201220.0283c278@imap.ecs.soton.ac.uk> <5.2.0.9.2.20030215141807.02557718@imap.ecs.soton.ac.uk> Message-ID: On Sat, 15 Feb 2003, Julian Field wrote: > What happens to the last-accessed date stamp on rav-wrapper? That will tell > you if it is being touched. Julian, it is touched, so I assume it has been exec'ed, but even if I call that script from the shell, it stays silent (no output at all). This is perl 5.61 here. Regards, Steffan From nerijus at USERS.SOURCEFORGE.NET Sat Feb 15 15:50:29 2003 
From: nerijus at USERS.SOURCEFORGE.NET (Nerijus Baliunas) Date: Thu Jan 12 21:17:11 2006 Subject: MailScanner continously respawns without processing In-Reply-To: <000001c2d44b$661604f0$22c5fea9@squall> References: <000001c2d44b$661604f0$22c5fea9@squall> Message-ID: <200302151550.h1FFo7i7013871@mx.ktv.lt> On Fri, 14 Feb 2003 12:06:19 -0500 Paul Hansen wrote: > I have a new installation of MailScanner 4.12-2, Exim 4.12, Kaspersky > and SpamAssassin. At this point I am just trying to troubleshoot > MailScanner itself (from queue to queue) since Exim does accept a new > message and drop it in the incoming queue. I had the same problem. Change code status to beta. Regards, Nerijus From henker at SHCOM.US Sat Feb 15 16:00:20 2003 From: henker at SHCOM.US (Steffan Henke) Date: Thu Jan 12 21:17:11 2006 Subject: rav not scanning archives by default In-Reply-To: <5.2.0.9.2.20030215142009.02568e78@imap.ecs.soton.ac.uk> References: <5.2.0.9.2.20030214201220.0283c278@imap.ecs.soton.ac.uk> <5.2.0.9.2.20030209115738.025b5de8@imap.ecs.soton.ac.uk> <5.2.0.9.2.20030209115738.025b5de8@imap.ecs.soton.ac.uk> <5.2.0.9.2.20030214201220.0283c278@imap.ecs.soton.ac.uk> <5.2.0.9.2.20030215142009.02568e78@imap.ecs.soton.ac.uk> Message-ID: On Sat, 15 Feb 2003, Julian Field wrote: > See the "rav question" thread. Huh ? I answered that one :) Regards, Steffan From mailscanner at ecs.soton.ac.uk Sat Feb 15 16:18:02 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:11 2006
Subject: rav not scanning archives by default
In-Reply-To:
References: <5.2.0.9.2.20030215141807.02557718@imap.ecs.soton.ac.uk>
    <5.2.0.9.2.20030209115738.025b5de8@imap.ecs.soton.ac.uk>
    <5.2.0.9.2.20030209115738.025b5de8@imap.ecs.soton.ac.uk>
    <5.2.0.9.2.20030214201220.0283c278@imap.ecs.soton.ac.uk>
    <5.2.0.9.2.20030215141807.02557718@imap.ecs.soton.ac.uk>
Message-ID: <5.2.0.9.2.20030215161417.0264e558@imap.ecs.soton.ac.uk>

At 15:49 15/02/2003, you wrote:
>On Sat, 15 Feb 2003, Julian Field wrote:
>
> > What happens to the last-accessed date stamp on rav-wrapper? That will tell
> > you if it is being touched.
>
>Julian,
>
>it is touched, so I assume it has been exec'ed, but even if I call that
>script from the shell, it stays silent (no output at all).
>This is perl 5.61 here.

I get this output:

>[root@sailor lib]# ./rav-wrapper .
>
>
>RAV AntiVirus command line for Linux i686.
>Version: 8.3.1.
>Copyright (c) 1996-2001 GeCAD The Software Company. All rights reserved.
>
>Scan engine 8.9 for i386.
>Last update: Fri Feb 14 17:07:20 2003
>Scanning for 78161 malwares (viruses, trojans and worms).
>
>Scan started on Sat Feb 15 16:14:44 2003
>
>
>Scan ended on Sat Feb 15 16:14:44 2003
>
>
>Scan results:
>Time: 0 second(s).
>Objects scanned: 50. New objects: 50
>Infected: 0. Different virus bodies: 0.
>Files: 50. Directories: 2. Archives: 0. Packed: 0. Mail files: 0.
>Warnings: 0.

What do you get when you
ls -l /usr/local/rav8/bin/ravlin8
file /usr/local/rav8/bin/ravlin8
ldd /usr/local/rav8/bin/ravlin8
It should be a statically linked executable, so ldd should produce an error.
-- 
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From splee at PLEXIO.COM Sat Feb 15 16:18:38 2003
From: splee at PLEXIO.COM (Stephen Lee) Date: Thu Jan 12 21:17:11 2006 Subject: Upgrading from MS 3.23 to 4.12 on Trustix 1.5 Message-ID: <1045325918.30724.219.camel@ralph.plexio.private> Hi, I would like to upgrade my MS 3.23 (from tar) to MS 4.12 on a Trustix 1.5/Exim box (uses RPM). Has anyone tried using the rpm version of MS on Trustix? Looking at the tarball version, I would need to scan for every reference to the /opt/MailScanner directory and change it to /usr/local/MailScanner. This is a rather large task considering the number of files under MailScanner/lib and regularity of MS updates. Or is there a better way to do it? Thanks for your suggestions. Stephen From splee at PLEXIO.COM Sat Feb 15 16:28:18 2003 From: splee at PLEXIO.COM (Stephen Lee) Date: Thu Jan 12 21:17:11 2006 Subject: Upgrading from MS 3.23 to 4.12 on Trustix 1.5 In-Reply-To: <1045325918.30724.219.camel@ralph.plexio.private> References: <1045325918.30724.219.camel@ralph.plexio.private> Message-ID: <1045326497.30724.223.camel@ralph.plexio.private> On Sat, 2003-02-15 at 08:18, Stephen Lee wrote: > Hi, > > I would like to upgrade my MS 3.23 (from tar) to MS 4.12 on a Trustix > 1.5/Exim box (uses RPM). Has anyone tried using the rpm version of MS on > Trustix? Looking at the tarball version, I would need to scan for every > reference to the /opt/MailScanner directory and change it to > /usr/local/MailScanner. This is a rather large task considering the > number of files under MailScanner/lib and regularity of MS updates. Or > is there a better way to do it? > > Thanks for your suggestions. > Stephen Or is it as simple as pointing /opt/MailScanner to /usr/local/MailScanner? Stephen -- splee@spl-linux.com www.spl-linux.com From mailscanner at ecs.soton.ac.uk Sat Feb 15 16:35:21 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:11 2006 Subject: Upgrading from MS 3.23 to 4.12 on Trustix 1.5 In-Reply-To: <1045326497.30724.223.camel@ralph.plexio.private> References: <1045325918.30724.219.camel@ralph.plexio.private> <1045325918.30724.219.camel@ralph.plexio.private> Message-ID: <5.2.0.9.2.20030215163307.0296e528@imap.ecs.soton.ac.uk> At 16:28 15/02/2003, you wrote: >On Sat, 2003-02-15 at 08:18, Stephen Lee wrote: > > Hi, > > > > I would like to upgrade my MS 3.23 (from tar) to MS 4.12 on a Trustix > > 1.5/Exim box (uses RPM). Has anyone tried using the rpm version of MS on > > Trustix? Looking at the tarball version, I would need to scan for every > > reference to the /opt/MailScanner directory and change it to > > /usr/local/MailScanner. This is a rather large task considering the > > number of files under MailScanner/lib and regularity of MS updates. Or > > is there a better way to do it? > > > > Thanks for your suggestions. > > Stephen > >Or is it as simple as pointing /opt/MailScanner to >/usr/local/MailScanner? MailScanner 4 doesn't live in /usr/local/MailScanner by default any more. I would try the RPM route and see how you get on. It will install MailScanner into /usr/sbin, /usr/lib/MailScanner and /etc/MailScanner. But it installs all the required Perl modules first, which will definitely save you time. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From henker at SHCOM.US Sat Feb 15 16:34:29 2003 
From: henker at SHCOM.US (Steffan Henke) Date: Thu Jan 12 21:17:11 2006 Subject: rav not scanning archives by default In-Reply-To: <5.2.0.9.2.20030215161417.0264e558@imap.ecs.soton.ac.uk> References: <5.2.0.9.2.20030215141807.02557718@imap.ecs.soton.ac.uk> <5.2.0.9.2.20030209115738.025b5de8@imap.ecs.soton.ac.uk> <5.2.0.9.2.20030209115738.025b5de8@imap.ecs.soton.ac.uk> <5.2.0.9.2.20030214201220.0283c278@imap.ecs.soton.ac.uk> <5.2.0.9.2.20030215141807.02557718@imap.ecs.soton.ac.uk> <5.2.0.9.2.20030215161417.0264e558@imap.ecs.soton.ac.uk> Message-ID: On Sat, 15 Feb 2003, Julian Field wrote: > I get this output: > >[root@sailor lib]# ./rav-wrapper . > >RAV AntiVirus command line for Linux i686. > >Version: 8.3.1. OK, that's the same output I get when I append the "." - before that, I checked against files, not directories. > What do you get when you > ls -l /usr/local/rav8/bin/ravlin8 > file /usr/local/rav8/bin/ravlin8 > ldd /usr/local/rav8/bin/ravlin8 > It should be a statically linked executable, so ldd should produce an error. Yes it does: not a dynamic executable Regards, Steffan From mweiser at FACHSCHAFT.IMN.HTWK-LEIPZIG.DE Sat Feb 15 16:56:00 2003 
From: mweiser at FACHSCHAFT.IMN.HTWK-LEIPZIG.DE (Michael Weiser) Date: Thu Jan 12 21:17:11 2006 Subject: memory footprint In-Reply-To: <5.2.0.9.2.20030215141605.0280f7f8@imap.ecs.soton.ac.uk> References: <5.2.0.9.2.20030215141605.0280f7f8@imap.ecs.soton.ac.uk> Message-ID: On Sat, 15 Feb 2003, Julian Field wrote: > >Are these assumptions correct? What do others see with different versions > >of perl? > >Would it make sense to compile mailscanner its own perl-5.0004 or so? > MailScanner will only work with Perl 5.005 or above. Will perl-5.005 make it noticeably smaller? > >Is there any way to slim mailscanner down, especially the parent process? > As it is virtually all swapped out, what's the point? It's there, needlessly consuming system resources. As I understand it the mailscanner perl program first "uses" all the Modules it will ever need and then forks. I thought about a scenario where the parent process first forks and then the children load all the modules they require for their work. Wouldn't that make the parent a lot more lightweight? > >Where would I want to start looking if I had some perl experience and were > >willing to do some hacking on my own? > The source :-) I see. ;) -- bye, Micha From splee at PLEXIO.COM Sat Feb 15 17:56:25 2003 
From: splee at PLEXIO.COM (Stephen Lee)
Date: Thu Jan 12 21:17:11 2006
Subject: Upgrading from MS 3.23 to 4.12 on Trustix 1.5/Exim
In-Reply-To: <5.2.0.9.2.20030215163307.0296e528@imap.ecs.soton.ac.uk>
References: <1045325918.30724.219.camel@ralph.plexio.private>
    <1045325918.30724.219.camel@ralph.plexio.private>
    <5.2.0.9.2.20030215163307.0296e528@imap.ecs.soton.ac.uk>
Message-ID: <1045331785.30724.246.camel@ralph.plexio.private>

On Sat, 2003-02-15 at 08:35, Julian Field wrote:
> At 16:28 15/02/2003, you wrote:
> >On Sat, 2003-02-15 at 08:18, Stephen Lee wrote:
> > > Hi,
> > >
> > > I would like to upgrade my MS 3.23 (from tar) to MS 4.12 on a Trustix
> > > 1.5/Exim box (uses RPM). Has anyone tried using the rpm version of MS on
> > > Trustix? Looking at the tarball version, I would need to scan for every
> > > reference to the /opt/MailScanner directory and change it to
> > > /usr/local/MailScanner. This is a rather large task considering the
> > > number of files under MailScanner/lib and regularity of MS updates. Or
> > > is there a better way to do it?
> > >
> > > Thanks for your suggestions.
> > > Stephen
> >
> >Or is it as simple as pointing /opt/MailScanner to
> >/usr/local/MailScanner?
>
> MailScanner 4 doesn't live in /usr/local/MailScanner by default any more. I
> would try the RPM route and see how you get on. It will install MailScanner
> into /usr/sbin, /usr/lib/MailScanner and /etc/MailScanner. But it installs
> all the required Perl modules first, which will definitely save you time.

It works now, thanks! Notes on how I got MS 4.12 rpm version to work
with Exim with Trustix 1.5:

1. The MS rpm installs fine. Very slick Julian!

2. Even though I set "Outgoing Queue Dir = /var/spool/exim/input", MS
complained about " MailScanner[24486]: Error in configuration file line
72, directory /var/spool/mqueue for outqueuedir does not exist (or is
not readable)". I changed OutQueueDir in
/usr/lib/MailScanner/MailScanner/ConfigDefs.pl from /var/spool/mqueue to
/var/spool/exim/input.

3. Changed ownership of /var/spool/MailScanner queues back to exim.exim

4. Made a bunch of changes to /etc/init.d/MailScanner to reflect mostly
Exim requirements and some Trustix specifics. I've attached the file.
With minor modifications, it also works on Redhat 7.3/Exim.

5. Previously installed Sophos 3.65 and Spamassassin 2.42 works fine.

Thanks for a great product!
Stephen
-------------- next part --------------
A non-text attachment was scrubbed...
Name: mailscanner
Type: text/x-sh
Size: 2876 bytes
Desc:
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030215/45a7c494/mailscanner.bin

From mailscanner at ecs.soton.ac.uk Sat Feb 15 18:01:41 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:11 2006 Subject: Upgrading from MS 3.23 to 4.12 on Trustix 1.5/Exim In-Reply-To: <1045331785.30724.246.camel@ralph.plexio.private> References: <5.2.0.9.2.20030215163307.0296e528@imap.ecs.soton.ac.uk> <1045325918.30724.219.camel@ralph.plexio.private> <1045325918.30724.219.camel@ralph.plexio.private> <5.2.0.9.2.20030215163307.0296e528@imap.ecs.soton.ac.uk> Message-ID: <5.2.0.9.2.20030215180039.02490ae8@imap.ecs.soton.ac.uk> At 17:56 15/02/2003, you wrote: >On Sat, 2003-02-15 at 08:35, Julian Field wrote: > > At 16:28 15/02/2003, you wrote: > > >On Sat, 2003-02-15 at 08:18, Stephen Lee wrote: > > > > Hi, > > > > > > > > I would like to upgrade my MS 3.23 (from tar) to MS 4.12 on a Trustix > > > > 1.5/Exim box (uses RPM). Has anyone tried using the rpm version of > MS on > > > > Trustix? Looking at the tarball version, I would need to scan for every > > > > reference to the /opt/MailScanner directory and change it to > > > > /usr/local/MailScanner. This is a rather large task considering the > > > > number of files under MailScanner/lib and regularity of MS updates. Or > > > > is there a better way to do it? > > > > > > > > Thanks for your suggestions. > > > > Stephen > > > > > >Or is it as simple as pointing /opt/MailScanner to > > >/usr/local/MailScanner? > > > > MailScanner 4 doesn't live in /usr/local/MailScanner by default any more. I > > would try the RPM route and see how you get on. It will install MailScanner > > into /usr/sbin, /usr/lib/MailScanner and /etc/MailScanner. But it installs > > all the required Perl modules first, which will definitely save you time. > >It works now, thanks! Notes on how I got MS 4.12 rpm version to work >with Exim with Trustix 1.5: > >1. The MS rpm installs fine. Very slick Julian! > >2. 
Even though I set "Outgoing Queue Dir = /var/spool/exim/input", MS >complained about " MailScanner[24486]: Error in configuration file line >72, directory /var/spool/mqueue for outqueuedir does not exist (or is >not readable)". I changed OutQueueDir in >/usr/lib/MailScanner/MailScanner/ConfigDefs.pl from /var/spool/mqueue to >/var/spool/exim/input. When you tested this did you try to run MailScanner directly, or did you use check_MailScanner to start it? This will happen if you don't use check_MailScanner. >3. Changed ownership of /var/spool/MailScanner queues back to exim.exim > >4. Made a bunch of changes to /etc/init.d/MailScanner to reflect mostly >Exim requirements and some Trustix specifics. I've attached the file. >With minor modifications, it also works on Redhat 7.3/Exim. > >5. Previously installed Sophos 3.65 and Spamassassin 2.42 works fine. > >Thanks for a great product! >Stephen > -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From phvt at EMAIL.COM Sat Feb 15 18:09:26 2003 
From: phvt at EMAIL.COM (Paul Hansen)
Date: Thu Jan 12 21:17:11 2006
Subject: MailScanner continously respawns without processing
In-Reply-To: <5.2.0.9.2.20030214223933.022b2da8@imap.ecs.soton.ac.uk>
Message-ID: <000001c2d51d$614561a0$22c5fea9@squall>

Hi all--

Thanks for the replies. I forgot to mention in my original message that
I'm using Perl 5.6.1.

Here's where I am so far.

Nerijus Baliunas wrote:
> I had the same problem. Change code status to beta.

I had tried even alpha previously, but this didn't help.

Julian Field wrote:
> *If* it is continuously respawning then check that the mail UID+GID can
> write to the MailScanner/incoming and MailScanner/quarantine directories,
> as well as the incoming and outgoing queue directories and the PID file.
> That is normally the cause of this.
>
> If it is just starting up, expect it to produce a parent + 5 child
> processes by default, you just need to try putting some mail in the
> incoming queue. If you are using Exim 4, then the incoming and outgoing
> queue dirs set in MailScanner need to be the "input" directories of each
> Exim queue directory structure.

Before posting I checked all the dirs that MailScanner needs and they
were correct. I'd already caught myself making both of the above
mistakes ;)

Julian Field wrote:
> >I have narrowed the problem down to MailScanner dying silently during
> >MailScanner::SA::initialise().

> Did you happen to work out exactly where in SA::initialise it failed,
> and/or why?

I now have this code in MailScanner::SA::initialise():

  MailScanner::Log::InfoLog("SA: SAspamtest->compile_now()...");
  $MailScanner::SA::SAspamtest->compile_now();
  MailScanner::Log::InfoLog("SA: SAspamtest->read_scoreonly_config()...");
  $MailScanner::SA::SAspamtest->read_scoreonly_config($prefs);
  MailScanner::Log::InfoLog("SA: Done with initialise()");

I never see the "SA: SAspamtest->read_scoreonly_config..." line in
maillog, so it appears the compile_now() call is failing.

I wrote a tiny test program that creates a new SA object (with
MailScanner's SA prefs file) and calls compile_now() on it. This worked
fine. I have not edited the etc/spam.assassin.prefs.conf file from the
distributed one.

Any suggestions on why compile_now() from within the SAspamtest object
is failing? I can't seem to trap any errors returned from
it--MailScanner just stops at that point.

If someone can propose some better debugging steps I'd be happy to try
them.

Thanks!

Paul

From splee at PLEXIO.COM Sat Feb 15 18:05:56 2003
From: splee at PLEXIO.COM (Stephen Lee)
Date: Thu Jan 12 21:17:11 2006
Subject: Upgrading from MS 3.23 to 4.12 on Trustix 1.5/Exim
In-Reply-To: <5.2.0.9.2.20030215180039.02490ae8@imap.ecs.soton.ac.uk>
References: <5.2.0.9.2.20030215163307.0296e528@imap.ecs.soton.ac.uk>
    <1045325918.30724.219.camel@ralph.plexio.private>
    <1045325918.30724.219.camel@ralph.plexio.private>
    <5.2.0.9.2.20030215163307.0296e528@imap.ecs.soton.ac.uk>
    <5.2.0.9.2.20030215180039.02490ae8@imap.ecs.soton.ac.uk>
Message-ID: <1045332356.1295.251.camel@ralph.plexio.private>

On Sat, 2003-02-15 at 10:01, Julian Field wrote:
> At 17:56 15/02/2003, you wrote:
> >
> >2. Even though I set "Outgoing Queue Dir = /var/spool/exim/input", MS
> >complained about " MailScanner[24486]: Error in configuration file line
> >72, directory /var/spool/mqueue for outqueuedir does not exist (or is
> >not readable)". I changed OutQueueDir in
> >/usr/lib/MailScanner/MailScanner/ConfigDefs.pl from /var/spool/mqueue to
> >/var/spool/exim/input.
>
> When you tested this did you try to run MailScanner directly, or did you
> use check_MailScanner to start it? This will happen if you don't use
> check_MailScanner.
>

The only way I ran MailScanner was via the init.d script and it uses
"/usr/sbin/check_mailscanner >/dev/null"

Stephen

From andersjk at SOL-INVICTUS.ORG Sat Feb 15 17:59:18 2003
From: andersjk at SOL-INVICTUS.ORG (Kevin Anderson) Date: Thu Jan 12 21:17:11 2006 Subject: Spam lists how to turn off Message-ID: hi All! Is there a way to turn off the infinite monkey lookups?? By marking it out MailScanner won't start, I was wondering if there is a way to turn it off completely. thanks in advance! kevin anderson -- @ _____________________________________________ chaos, panic and disorder... my job is done... From mike at CAMAROSS.NET Sat Feb 15 18:13:18 2003 From: mike at CAMAROSS.NET (Mike Kercher) Date: Thu Jan 12 21:17:12 2006 Subject: Spam lists how to turn off In-Reply-To: Message-ID: <060301c2d51d$eb75a9c0$9801a8c0@home.middlefinger.net> In your MS.conf, just set the list of RBL's = None Don't comment out the line...just make the value None -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Kevin Anderson Sent: Saturday, February 15, 2003 11:59 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Spam lists how to turn off hi All! Is there a way to turn off the infinite monkey lookups?? By marking it out MailScanner won't start, I was wondering if there is a way to turn it off completely. thanks in advance! kevin anderson -- @ _____________________________________________ chaos, panic and disorder... my job is done... From mailscanner at ecs.soton.ac.uk Sat Feb 15 18:15:05 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:12 2006 Subject: MailScanner continously respawns without processing In-Reply-To: <000001c2d51d$614561a0$22c5fea9@squall> References: <5.2.0.9.2.20030214223933.022b2da8@imap.ecs.soton.ac.uk> Message-ID: <5.2.0.9.2.20030215181049.02489ca0@imap.ecs.soton.ac.uk> At 18:09 15/02/2003, you wrote: >Hi all-- > >Thanks for the replies. I forgot to mention in my original message that >I'm using Perl 5.6.1. > >Here's where I am so far. > >Nerijus Baliunas wrote: > > I had the same problem. Change code status to beta. > >I had tried even alpha previously, but this didn't help. > >Julian Field wrote: > > *If* it is continuously respawning then check that the mail UID+GID >can > > write to the MailScanner/incoming and MailScanner/quarantine >directories, > > as well as the incoming and outgoing queue directories and the PID >file. > > That is normally the cause of this. > > > > If it is just starting up, expect it to produce a parent + 5 child > > processes by default, you just need to try putting some mail in the > > incoming queue. If you are using Exim 4, then the incoming and >outgoing > > queue dirs set in MailScanner need to be the "input" directories of >each > > Exim queue directory structure. > >Before posting I checked all the dirs that MailScanner needs and they >were correct. I'd already caught myself making both of the above >mistakes ;) > >Julian Field wrote: > > >I have narrowed the problem down to MailScanner dying silently during > > >MailScanner::SA::initialise(). > > > Did you happen to work out exactly where in SA::initialise it failed, > > and/or why? 
> >I now have this code in MailScanner::SA::initialise(): > >MailScanner::Log::InfoLog("SA: SAspamtest->compile_now()..."); >$MailScanner::SA::SAspamtest->compile_now(); >MailScanner::Log::InfoLog("SA: SAspamtest->read_scoreonly_config()..."); >$MailScanner::SA::SAspamtest->read_scoreonly_config($prefs); >MailScanner::Log::InfoLog("SA: Done with initialise()"); > >I never see the "SA: SAspamtest->read_scoreonly_config..." line in >maillog, so it appears the compile_now() call is failing. Okay, yet another thing to try. As you are using Exim, MailScanner is being run as some other user (possibly "mail"?). Does "mail" have a home directory that it can write to? The compile_now() might well be trying to read+write some config files from there. To get the error output, take a look in /usr/sbin/MailScanner. You should find 3 adjacent calls to close() and 3 adjacent calls to open(). Comment them all out and try it. This sounds like an awkward SA "feature".... >I wrote a tiny test program that creates a new SA object (with >MailScanner's SA prefs file) and calls compile_now() on it. This worked >fine. But was that running as root? > I have not edited the etc/spam.assassin.prefs.conf file from the >distributed one. > >Any suggestions on why compile_now() from within the SAspamtest object >is failing? I can't seem to trap any errors returned from >it--MailScanner just stops at that point. If someone can propose some >better debugging steps I'd be happy to try them. > >Thanks! >Paul -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Sat Feb 15 18:16:07 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:12 2006 Subject: Spam lists how to turn off In-Reply-To: Message-ID: <5.2.0.9.2.20030215181533.024a5e80@imap.ecs.soton.ac.uk> At 17:59 15/02/2003, you wrote: >Is there a way to turn off the infinite monkey lookups?? By marking it out >MailScanner won't start, I was wondering if there is a way to turn it off >completely. What happens if you set Spam Lists = in MailScanner.conf ? -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From andersjk at SOL-INVICTUS.ORG Sat Feb 15 18:18:36 2003 From: andersjk at SOL-INVICTUS.ORG (Kevin Anderson) Date: Thu Jan 12 21:17:12 2006 Subject: Spam lists how to turn off In-Reply-To: <5.2.0.9.2.20030215181533.024a5e80@imap.ecs.soton.ac.uk> Message-ID: ok... call me *stoopid* thanks! kevin On Sat, 15 Feb 2003, Julian Field wrote: > At 17:59 15/02/2003, you wrote: > >Is there a way to turn off the infinite monkey lookups?? By marking it out > >MailScanner won't start, I was wondering if there is a way to turn it off > >completely. > > What happens if you set > Spam Lists = > in MailScanner.conf ? > -- > Julian Field > www.MailScanner.info > MailScanner thanks transtec Computers for their support > -- @ _____________________________________________ chaos, panic and disorder... my job is done... From phvt at EMAIL.COM Sat Feb 15 18:33:36 2003 
From: phvt at EMAIL.COM (Paul Hansen) Date: Thu Jan 12 21:17:12 2006 Subject: MailScanner continously respawns without processing In-Reply-To: <5.2.0.9.2.20030215181049.02489ca0@imap.ecs.soton.ac.uk> Message-ID: <000601c2d520$c0d94750$22c5fea9@squall> > >Julian Field wrote: > > > Did you happen to work out exactly where in SA::initialise it failed, > > > and/or why? > > > >I now have this code in MailScanner::SA::initialise(): > > > >MailScanner::Log::InfoLog("SA: SAspamtest->compile_now()..."); > >$MailScanner::SA::SAspamtest->compile_now(); > >MailScanner::Log::InfoLog("SA: SAspamtest->read_scoreonly_config()..."); > >$MailScanner::SA::SAspamtest->read_scoreonly_config($prefs); > >MailScanner::Log::InfoLog("SA: Done with initialise()"); > > > >I never see the "SA: SAspamtest->read_scoreonly_config..." line in > >maillog, so it appears the compile_now() call is failing. > > Okay, yet another thing to try. As you are using Exim, MailScanner is > being > run as some other user (possibly "mail"?). Does "mail" have a home > directory that it can write to? The compile_now() might well be trying to > read+write some config files from there. This fixed it! I don't generally have a homedir for server processes and I wasn't expecting such a dependency from SA the way I thought Mailscanner used it. But ~exim/.spamassassin has now been dutifully created and MailScanner appears to be running properly. > >I wrote a tiny test program that creates a new SA object (with > >MailScanner's SA prefs file) and calls compile_now() on it. This worked > >fine. > > But was that running as root? Indeed, it was. Thanks! Paul From tony.johansson at SVENSKAKYRKAN.SE Sat Feb 15 19:08:15 2003 
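The failure resolved above, as an added example that is not MailScanner code: the test program passed because it ran as root, while the daemon's account had no writable home directory. This script lets root audit the service account against the directories Julian lists plus the account's home, using classic mode bits only; the function names and the usage paths are assumptions.

```python
#!/usr/bin/env python3
"""Preflight: can the scanner's run-as account write where it must?

Evaluates POSIX mode bits for an arbitrary uid, so root can audit the
service account without becoming it. ACLs and capabilities are not modelled.
"""
import os
import pwd
import stat
import sys


def _allowed(st, uid, gids, want):
    """True if uid/gids hold every permission bit in `want` (r=4, w=2, x=1)."""
    if uid == 0:                      # root bypasses directory mode bits
        return True
    if st.st_uid == uid:
        bits = (st.st_mode >> 6) & 7  # owner class
    elif st.st_gid in gids:
        bits = (st.st_mode >> 3) & 7  # group class
    else:
        bits = st.st_mode & 7         # other class
    return bits & want == want


def check_dir(path, uid, gids, top="/"):
    """Return the reasons uid cannot create files in `path` (empty list = OK).

    Ancestors are checked for search (x) permission up to and including `top`.
    """
    real = os.path.realpath(path)     # judge the real directory, not a symlink
    top = os.path.realpath(top)
    try:
        st = os.stat(real)
    except FileNotFoundError:
        return [f"{path}: does not exist"]
    if not stat.S_ISDIR(st.st_mode):
        return [f"{path}: not a directory"]
    problems = []
    if not _allowed(st, uid, gids, 3):            # need write + search
        problems.append(f"{real}: uid {uid} lacks write+search permission")
    cur = real
    while cur not in (top, "/"):
        cur = os.path.dirname(cur)
        if not _allowed(os.stat(cur), uid, gids, 1):
            problems.append(f"{cur}: uid {uid} cannot traverse")
    return problems


def preflight(user, dirs):
    """Check each directory, plus the account's home directory, for `user`."""
    pw = pwd.getpwnam(user)
    gids = set(os.getgrouplist(user, pw.pw_gid))
    return {d: check_dir(d, pw.pw_uid, gids) for d in list(dirs) + [pw.pw_dir]}


if __name__ == "__main__":
    # Usage (site-specific paths): preflight.py exim /var/spool/exim/input ...
    failed = False
    for d, problems in preflight(sys.argv[1], sys.argv[2:]).items():
        for p in problems:
            failed = True
            print("FAIL", p)
        if not problems:
            print("ok  ", d)
    sys.exit(1 if failed else 0)
```

An account with no home directory shows up as "does not exist", and a non-directory such as /dev/null as "not a directory".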
From: tony.johansson at SVENSKAKYRKAN.SE (Tony Johansson)
Date: Thu Jan 12 21:17:12 2006
Subject: SV: rav not scanning archives by default
Message-ID: <3C4F5084EF16D4119CE700508B6B8B10058D0A51@nt.svenskakyrkan.se>

should I interpret it as to be able to run rav with mailscanner i need gtk and x?
or can i install just gtk with no x and use ravlin8?

I really don't want to install x on a server, i prefer keeping it as stripped down as possible

regards, Tony

-----Original Message-----
From: Steffan Henke [mailto:henker@SHCOM.US]
Sent: 15 February 2003 17:00PM.
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: rav not scanning archives by default

On Sat, 15 Feb 2003, Julian Field wrote:

> See the "rav question" thread.

Huh ? I answered that one :)

Regards,

Steffan

From mailscanner at ecs.soton.ac.uk Sat Feb 15 18:33:50 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:12 2006
Subject: Spam lists how to turn off
In-Reply-To:
References: <5.2.0.9.2.20030215181533.024a5e80@imap.ecs.soton.ac.uk>
Message-ID: <5.2.0.9.2.20030215183219.02aa6018@imap.ecs.soton.ac.uk>

At 18:18 15/02/2003, you wrote:
>ok... call me *stoopid*

The thing to remember is that the code has default values in it for keywords that aren't specified in the conf file. If you want a parameter to be empty, you need to include it and define it to be blank. If you comment it out, then it is not specified at all and so the internal default value is used.

>thanks!
>
>kevin
>
>On Sat, 15 Feb 2003, Julian Field wrote:
>
> > At 17:59 15/02/2003, you wrote:
> > >Is there a way to turn off the infinite monkey lookups?? By marking it out
> > >MailScanner won't start, I was wondering if there is a way to turn it off
> > >completely.
> >
> > What happens if you set
> > Spam Lists =
> > in MailScanner.conf ?
> > --
> > Julian Field
> > www.MailScanner.info
> > MailScanner thanks transtec Computers for their support
> >
>
>--
>@
>_____________________________________________
>chaos, panic and disorder... my job is done...

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Sat Feb 15 19:15:54 2003
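Julian's point about built-in defaults, as an added example that is not MailScanner's own parser: a commented-out keyword falls back to the compiled-in value, while a blank one really is empty. The default list names, the keyword normalisation and the function names are assumptions; only the /var/spool/mqueue default comes from this thread.

```python
"""Absent keyword versus blank keyword in a 'Keyword = value' config file."""

# Constructed defaults standing in for the values compiled into the program.
DEFAULTS = {
    "spamlists": "example-rbl-1 example-rbl-2",   # constructed names
    "outgoingqueuedir": "/var/spool/mqueue",      # default quoted in the thread
}

# Constructed sample files.
COMMENTED_OUT = """\
# Spam Lists = example-rbl-1 example-rbl-2
Outgoing Queue Dir = /var/spool/exim/input
"""
BLANKED = """\
Spam Lists =
Outgoing Queue Dir = /var/spool/exim/input
"""


def _norm(key):
    """Assumed normalisation: case and spacing in keywords do not matter."""
    return "".join(key.lower().split())


def parse_conf(text):
    """Return {keyword: value} for every 'Keyword = value' line present.

    A line starting with '#' contributes nothing; 'Keyword =' contributes "".
    """
    seen = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"line {lineno}: expected 'Keyword = value'")
        key, value = line.split("=", 1)
        seen[_norm(key)] = value.strip()
    return seen


def effective(text, defaults=DEFAULTS):
    """Merge the file over the defaults, recording where each value came from."""
    seen = parse_conf(text)
    result = {}
    for key, default in defaults.items():
        if key in seen:
            result[key] = (seen[key], "file")
        else:
            result[key] = (default, "default")
    unknown = sorted(set(seen) - set(defaults))
    return result, unknown


def audit(text, must_be_set, defaults=DEFAULTS):
    """List keywords the admin meant to control that fell back to a default."""
    result, _ = effective(text, defaults)
    return [k for k in map(_norm, must_be_set)
            if result.get(k, (None, "default"))[1] == "default"]


if __name__ == "__main__":
    for name, text in (("commented out", COMMENTED_OUT), ("blanked", BLANKED)):
        value, source = effective(text)[0]["spamlists"]
        print(f"{name}: Spam Lists = {value!r} (from {source})")
```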
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:12 2006
Subject: SV: rav not scanning archives by default
In-Reply-To: <3C4F5084EF16D4119CE700508B6B8B10058D0A51@nt.svenskakyrkan.se>
Message-ID: <5.2.0.9.2.20030215191444.02a575f0@imap.ecs.soton.ac.uk>

At 19:08 15/02/2003, you wrote:
>should I interpret it as to be able to run rav with mailscanner i need gtk
>and x?
>or can i install just gtk with no x and use ravlin8?

You will need to install gtk and its dependencies. You just need the X libraries, not much else. As you attempt to install each one, it will tell you the dependencies it needs.

>I really don't want to install x on a server, i prefer keeping it as stripped
>down as possible

You will need the X libraries to install gtk.

>-----Original Message-----
>From: Steffan Henke [mailto:henker@SHCOM.US]
>Sent: 15 February 2003 17:00PM.
>To: MAILSCANNER@JISCMAIL.AC.UK
>Subject: Re: rav not scanning archives by default
>
>
>On Sat, 15 Feb 2003, Julian Field wrote:
>
> > See the "rav question" thread.
>
>Huh ? I answered that one :)
>
>Regards,
>
>Steffan

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From tony.johansson at SVENSKAKYRKAN.SE Sat Feb 15 20:57:12 2003
From: tony.johansson at SVENSKAKYRKAN.SE (Tony Johansson)
Date: Thu Jan 12 21:17:12 2006
Subject: SV: SV: rav not scanning archives by default
Message-ID: <3C4F5084EF16D4119CE700508B6B8B10058D0A52@nt.svenskakyrkan.se>

is "ravav" in any significance different from "ravlin8" when it comes to detecting/reporting viruses?

it would be a real bonus if you could just use ravav and not mess with gtk and all its dependencies

regards, Tony

-----Original Message-----
From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK]
Sent: 15 February 2003 20:16PM.
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: SV: rav not scanning archives by default

At 19:08 15/02/2003, you wrote:
>should I interpret it as to be able to run rav with mailscanner i need gtk
>and x?
>or can i install just gtk with no x and use ravlin8?

You will need to install gtk and its dependencies. You just need the X libraries, not much else. As you attempt to install each one, it will tell you the dependencies it needs.

>I really don't want to install x on a server, i prefer keeping it as stripped
>down as possible

You will need the X libraries to install gtk.

From mailscanner at ecs.soton.ac.uk Sat Feb 15 21:24:55 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:12 2006
Subject: SV: SV: rav not scanning archives by default
In-Reply-To: <3C4F5084EF16D4119CE700508B6B8B10058D0A52@nt.svenskakyrkan.se>
Message-ID: <5.2.0.9.2.20030215212304.02602118@imap.ecs.soton.ac.uk>

I will try it out and consider changing. I suspect that ravav didn't exist when the RAV support was written (not by me, so I can't say for definite). No promises though. It only takes a few minutes to install the GTK dependencies.

At 20:57 15/02/2003, you wrote:
>is "ravav" in any significance different from "ravlin8" when it comes to
>detecting/reporting viruses?
>
>it would be a real bonus if you could just use ravav and not mess with gtk
>and all its dependencies
>
>regards, Tony
>
>
>
>-----Original Message-----
>From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK]
>Sent: 15 February 2003 20:16PM.
>To: MAILSCANNER@JISCMAIL.AC.UK
>Subject: Re: SV: rav not scanning archives by default
>
>At 19:08 15/02/2003, you wrote:
> >should I interpret it as to be able to run rav with mailscanner i need gtk
> >and x?
> >or can i install just gtk with no x and use ravlin8?
>
>You will need to install gtk and its dependencies. You just need the X
>libraries, not much else. As you attempt to install each one, it will tell
>you the dependencies it needs.
>
> >I really don't want to install x on a server, i prefer keeping it as stripped
> >down as possible
>
>You will need the X libraries to install gtk.

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Sat Feb 15 21:38:36 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:12 2006
Subject: SV: SV: rav not scanning archives by default
In-Reply-To: <5.2.0.9.2.20030215212304.02602118@imap.ecs.soton.ac.uk>
References: <3C4F5084EF16D4119CE700508B6B8B10058D0A52@nt.svenskakyrkan.se>
Message-ID: <5.2.0.9.2.20030215213436.02647e78@imap.ecs.soton.ac.uk>

Trying ravav on a reasonable sample of files produced no differences in output between ravlin8 and ravav.

So edit /usr/lib/MailScanner/ravav-wrapper and change line 4 to say ravav instead of ravlin8.

Please give this a try and let me know how you get on. If there are no problems, this will be changed in the next release.

At 21:24 15/02/2003, you wrote:
>I will try it out and consider changing. I suspect that ravav didn't exist
>when the RAV support was written (not by me, so I can't say for definite).
>No promises though. It only takes a few minutes to install the GTK
>dependencies.
>
>At 20:57 15/02/2003, you wrote:
>>is "ravav" in any significance different from "ravlin8" when it comes to
>>detecting/reporting viruses?
>>
>>it would be a real bonus if you could just use ravav and not mess with gtk
>>and all its dependencies
>>
>>regards, Tony
>>
>>
>>
>>-----Original Message-----
>>From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK]
>>Sent: 15 February 2003 20:16PM.
>>To: MAILSCANNER@JISCMAIL.AC.UK
>>Subject: Re: SV: rav not scanning archives by default
>>
>>At 19:08 15/02/2003, you wrote:
>> >should I interpret it as to be able to run rav with mailscanner i need gtk
>> >and x?
>> >or can i install just gtk with no x and use ravlin8?
>>
>>You will need to install gtk and its dependencies. You just need the X
>>libraries, not much else. As you attempt to install each one, it will tell
>>you the dependencies it needs.
>>
>> >I really don't want to install x on a server, i prefer keeping it as stripped
>> >down as possible
>>
>>You will need the X libraries to install gtk.
>
>--
>Julian Field
>www.MailScanner.info
>MailScanner thanks transtec Computers for their support
>

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From so-mlist-alias at all-about-shift.com Sat Feb 15 21:43:27 2003
From: so-mlist-alias at all-about-shift.com (Soeren Gerlach)
Date: Thu Jan 12 21:17:12 2006
Subject: memory footprint
In-Reply-To:
References: <5.2.0.9.2.20030215141605.0280f7f8@imap.ecs.soton.ac.uk>
Message-ID:

> > >Is there any way to slim mailscanner down, especially the parent
> > > process?
> >
> > As it is virtually all swapped out, what's the point?
>
> It's there, needlessly consuming system resources.
>
> As I understand it the mailscanner perl program first "uses" all the
> Modules it will ever need and then forks. I thought about a scenario where
> the parent process first forks and then the children load all the modules
> they require for their work. Wouldn't that make the parent a lot more
> lightweight?

As far as I can see, MailScanner is supposed to be optimized on speed not on the memory footprint. There is a certain tradeoff between those two and you just have to set the flag somewhere. Loading the modules on demand would cause a certain performance impact. And although most of the memory is shared memory at all (modules get used by all the child processes) I suppose memory isn't quite a big problem even for greater mail gateways running M.S.

regards,
Soeren Gerlach

--
This message has been scanned for viruses and other dangerous content

From mailscanner at ecs.soton.ac.uk Sat Feb 15 22:00:11 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:12 2006 Subject: memory footprint In-Reply-To: References: <5.2.0.9.2.20030215141605.0280f7f8@imap.ecs.soton.ac.uk> Message-ID: <5.2.0.9.2.20030215215812.025e6e98@imap.ecs.soton.ac.uk> At 21:43 15/02/2003, you wrote: > > > >Is there any way to slim mailscanner down, especially the parent > > > > process? > > > > > > As it is virtually all swapped out, what's the point? > > > > It's there, needlessly consuming system resources. > > > > As I understand it the mailscanner perl program first "uses" all the > > Modules it will ever need and then forks. I thought about a scenario where > > the parent process first forks and then the children load all the modules > > they require for their work. Wouldn't that make the parent a lot more > > lightweight? > >As far as I can see, MailScanner is supposed to be optimized on speed not on >the memory footprint. There is a certain tradeoff between those two and you >just have to set the flag somewhere. Loading the modules on demand would >cause a certain performance impact. And although most of the memory is shared >memory at all (modules get used by all the child processes) I suppose memory >isn't quite a big problem even for greater mail gateways running M.S. Well put. If you want to save memory, run less child processes. 1 or 2 is sufficient on lightly-loaded servers. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From jrudd at UCSC.EDU Sat Feb 15 23:13:24 2003 
From: jrudd at UCSC.EDU (John Rudd) Date: Thu Jan 12 21:17:12 2006 Subject: Automating MailScanner.conf upgrades In-Reply-To: <5.2.0.9.2.20030215132222.024fa228@imap.ecs.soton.ac.uk> Message-ID: <155127F4-413B-11D7-AA3E-003065F939FE@ucsc.edu> Cool! I was just about to send a freq for something like this. :-) What's the oldest version of mailscanner it'll work with? At home I'm still running 3.15, but at work I'm relatively current. And, I'm assuming this makes room for having multiple current installs of mailscanner? For example, I tend to have multiple /opt/mailscanner-$VER laying around, and then /opt/mailscanner is a symlink to the current production copy of mailscanner-$VER ... so when I install a new mailscanner, I install it in a new /opt/mailscanner-$VER directory, tinker with the config file (and then I'd like to test it, but there seem to be too many things in the program that depend upon non-version-specific paths), and then once I think it's ready for production, I kill the existing mailscanner, re-build the symlink, and then restart mailscanner. This also means that if something breaks, I can fall back to the old version. (the main wrinkle is that lately, mailscanner has started making more and more assumptions about where things are ... like /opt/Mailscanner instead of /opt/mailscanner ... rather than fix mailscanner (because it IS wrong -- programs belong where I put them, not where someone else assumed they would be), I've just been adding more and more symlink-hell so that I don't have to track down each and every one of these errors) So, the question is: how well will this script work in my environment? And, despite the complaint there about changing locations between versions, I do greatly appreciate both Mailscanner and the creation of this new upgrade tool. 
On Saturday, Feb 15, 2003, at 05:46 US/Pacific, Julian Field wrote: > > The biggest pain in doing an upgrade of MailScanner is working out > what has > changed between your current MailScanner.conf and the new one. From jrudd at UCSC.EDU Sat Feb 15 23:38:28 2003 
From: jrudd at UCSC.EDU (John Rudd) Date: Thu Jan 12 21:17:12 2006 Subject: my other FREQ of the day Message-ID: <956DB04A-413E-11D7-AA3E-003065F939FE@ucsc.edu> The three main weaknesses I see in mailscanner at the moment are: 1) the dual queue approach combined with the "wait and see if anything arrived while we were asleep" approach to scanning messages 2) its difficulty in working with certain mta's (it's not immediately obvious to me how I'd use it with courier, qmail, or communigate pro, and we're evaluating switching to courier or communigate pro ... but I'd like to stick with mailscanner) 3) somewhat related to #1 is that you cannot reject messages based upon results. You can try to bounce them, after the fact, but that isn't reliable (because you cannot trust the return addresses). I'd rather reject them outright. I have an idea that would solve all 3 problems, I think. Have an option for MailScanner to run as an SMTP daemon. This would eliminate the sendmail daemon that runs in queueonly mode. It would mean that it could work with courier and communigate pro because it would just invoke their "sendmail" command line command when it's done processing the message, it could be set up to reject messages during the initial session, and you wouldn't end up with messages backing up in mqueue.in during heavy traffic periods (we still get that, even under 4.x) because there wouldn't be an mqueue.in. I wouldn't expect its daemon features to be terribly extensive. You'll want something similar to sendmail's "stop accepting new connections when the load is over X" feature, as well as a throttling feature to keep individual sites from flooding the server. The main mailscanner process would do the listen, and then fork children to handle the individual connections (the way sendmail does). And, you'd want to add two new rule types to mailscanner: a) relay rules (who we will or wont relay for), and b) something which will function like the sendmail access db. 
And you'd want a few new action options (instead of bouncing messages back to virus or spam senders, you'd want an option to reject them with a specific message, like "550 Contained the $VIRNAME virus" or "550 Looks like Spam" etc.). (in my case, I would probably reject viruses, deliver "Spam", and reject "High Spam") I understand that to a certain extent this may be unattractive because it duplicates several things that sendmail already does (and does well), but the gap between the initial sendmail daemon and mailscanner continues to annoy me (more and more every day, really). I'd really like to eliminate it, and I think eliminating it would improve mailscanner on those 3 fronts. We could reject messages without bouncing them, we wouldn't ever have mqueue.in backing up with unprocessed messages, and it could be made to seamlessly work with any MTA which has a command line "sendmail" program. Am I the only person who would find that to be a useful direction for Mailscanner? I could probably help some with implementation (in fact, I might even be able to convince my boss that it's important enough to our services that I could make it one of my front-burner projects), and I would definitely be able to provide a machine or two for testing. John From brian at UNEARTHED.ORG Sun Feb 16 00:30:41 2003 
From: brian at UNEARTHED.ORG (Brian May) Date: Thu Jan 12 21:17:12 2006 Subject: my other FREQ of the day References: <956DB04A-413E-11D7-AA3E-003065F939FE@ucsc.edu> Message-ID: <000601c2d552$a3180490$4d00000a@local.unearthed.org> If MailScanner became a MTA, I think most people would not use it. I wouldn't trust perl to be the main engine behind a MTA. Besides, making MailScanner an MTA would take a *while*.. but that's just what I think.. other people may/will disagree.. I like the dual queue... if I didn't have fetchmail running for a day, and then started it, my mail server would crawl.. use up all available swap forking the virus scanner and spamc... granted this was all under aMaViS.. for me.. the current state of MailScanner works well.. Brian ----- Original Message ----- 
From: "John Rudd" To: Sent: Saturday, February 15, 2003 3:38 PM Subject: my other FREQ of the day > The three main weaknesses I see in mailscanner at the moment are: > > 1) the dual queue approach combined with the "wait and see if anything > arrived while we were asleep" approach to scanning messages > > 2) its difficulty in working with certain mta's (it's not immediately > obvious to me how I'd use it with courier, qmail, or communigate pro, > and we're evaluating switching to courier or communigate pro ... but > I'd like to stick with mailscanner) > > 3) somewhat related to #1 is that you cannot reject messages based upon > results. You can try to bounce them, after the fact, but that isn't > reliable (because you cannot trust the return addresses). I'd rather > reject them outright. > > > I have an idea that would solve all 3 problems, I think. > > Have an option for MailScanner to run as an SMTP daemon. This would > eliminate the sendmail daemon that runs in queueonly mode. It would > mean that it could work with courier and communigate pro because it > would just invoke their "sendmail" command line command when it's done > processing the message, it could be set up to reject messages during > the initial session, and you wouldn't end up with messages backing up > in mqueue.in during heavy traffic periods (we still get that, even > under 4.x) because there wouldn't be an mqueue.in. > > I wouldn't expect its daemon features to be terribly extensive. You'll > want something similar to sendmail's "stop accepting new connections > when the load is over X" feature, as well as a throttling feature to > keep individual sites from flooding the server. The main mailscanner > process would do the listen, and then fork children to handle the > individual connections (the way sendmail does). And, you'd want to add > two new rule types to mailscanner: a) relay rules (who we will or wont > relay for), and b) something which will function like the sendmail > access db. 
And you'd want a few new action options (instead of > bouncing messages back to virus or spam senders, you'd want an option > to reject them with a specific message, like "550 Contained the > $VIRNAME virus" or "550 Looks like Spam" etc.). > > (in my case, I would probably reject viruses, deliver "Spam", and > reject "High Spam") > > I understand that to a certain extent this may be unattractive because > it duplicates several things that sendmail already does (and does > well), but the gap between the initial sendmail daemon and mailscanner > continues to annoy me (more and more every day, really). I'd really > like to eliminate it, and I think eliminating it would improve > mailscanner on those 3 fronts. > > We could reject messages without bouncing them, we wouldn't ever have > mqueue.in backing up with unprocessed messages, and it could be made to > seamlessly work with any MTA which has a command line "sendmail" > program. > > > Am I the only person who would find that to be a useful direction for > Mailscanner? I could probably help some with implementation (in fact, > I might even be able to convince my boss that it's important enough to > our services that I could make it one of my front-burner projects), and > I would definitely be able to provide a machine or two for testing. > > > John > From jrudd at UCSC.EDU Sun Feb 16 01:35:08 2003 From: jrudd at UCSC.EDU (John Rudd) Date: Thu Jan 12 21:17:12 2006 Subject: Another question Message-ID: Can mailscanner be told to process rfc(forget the number) messages in mqueue.in instead of expecting sendmail mailq formatted messages? I seem to recall that it can be told to process and quarantine them in rfc format, but I don't recall if it can be told to start with rfc compliant messages. That would help with one of my current goals (being able to use courier and/or communigate-pro with mailscanner). From smohan at vsnl.com Sun Feb 16 02:47:17 2003 
From: smohan at vsnl.com (S Mohan) Date: Thu Jan 12 21:17:12 2006 Subject: Blocking empty To with rules In-Reply-To: <5.2.0.9.2.20030214223629.028a2e68@imap.ecs.soton.ac.uk> Message-ID: <003901c2d565$b9ea2be0$3b6041db@18yamuna> Would it not be better to change outgoing queue directory to /dev/null for such mails. What would happen if I set incoming directory to /dev/null? Will MailScanner try to read from /dev/null to scan or will it just drop them? Why waste resources scanning when we want to drop them off the cliff anyway? Mohan -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Julian Field Sent: Saturday, February 15, 2003 4:08 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Blocking empty To with rules At 16:06 14/02/2003, you wrote: >Is it possible to block a spam message where the To is empty? We are >getting a ton of spam from AOL and in the sendmail logfile the To is >blank. I wouldn't mind shutting AOL down from having access to our >server but I'm sure our customers would complain :) In a ruleset you can specify arbitrary regular expressions, which is perfect for this. You could write a ruleset for the "Is Definitely Spam" parameter that contains the line To: /^$/ yes which would say that all mail with no To address is spam. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Sun Feb 16 10:01:01 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:12 2006 Subject: Another question In-Reply-To: Message-ID: <5.2.0.9.2.20030216100006.02326dc8@imap.ecs.soton.ac.uk> At 01:35 16/02/2003, you wrote: >Can mailscanner be told to process rfc(forget the number) messages in >mqueue.in instead of expecting sendmail mailq formatted messages? That is possible, but again it would take quite a lot of work to implement. And there hasn't been any demand for this (you are the first to mention it). >I seem to recall that it can be told to process and quarantine them in >rfc format, but I don't recall if it can be told to start with rfc >compliant messages. That would help with one of my current goals >(being able to use courier and/or communigate-pro with mailscanner). -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Sun Feb 16 09:58:09 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:12 2006 Subject: my other FREQ of the day In-Reply-To: <956DB04A-413E-11D7-AA3E-003065F939FE@ucsc.edu> Message-ID: <5.2.0.9.2.20030216095402.025f1dd8@imap.ecs.soton.ac.uk> At 23:38 15/02/2003, you wrote: >The three main weaknesses I see in mailscanner at the moment are: > >1) the dual queue approach combined with the "wait and see if anything >arrived while we were asleep" approach to scanning messages MailScanner 4 has multiple child processes all watching the queue, so the response is very fast. >2) its difficulty in working with certain mta's (it's not immediately >obvious to me how I'd use it with courier, qmail, or communigate pro, >and we're evaluating switching to courier or communigate pro ... but >I'd like to stick with mailscanner) It currently works with sendmail and Exim. Postfix is next on the list, but that is going to take quite a while to write. >3) somewhat related to #1 is that you cannot reject messages based upon >results. You can try to bounce them, after the fact, but that isn't >reliable (because you cannot trust the return addresses). I'd rather >reject them outright. That's your MTA's job. >I have an idea that would solve all 3 problems, I think. > >Have an option for MailScanner to run as an SMTP daemon. I don't mean to be rude, but sorry, there is no way that is going to happen. I wouldn't trust it. Being an SMTP daemon is very hard, and the MTA's are already very good at it. I don't re-invent the wheel. >Am I the only person who would find that to be a useful direction for >Mailscanner? I could probably help some with implementation (in fact, >I might even be able to convince my boss that it's important enough to >our services that I could make it one of my front-burner projects), and >I would definitely be able to provide a machine or two for testing. 
Feel free to write your own email virus scanner :-) -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Sun Feb 16 10:02:13 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:12 2006 Subject: Blocking empty To with rules In-Reply-To: <003901c2d565$b9ea2be0$3b6041db@18yamuna> References: <5.2.0.9.2.20030214223629.028a2e68@imap.ecs.soton.ac.uk> Message-ID: <5.2.0.9.2.20030216100134.025e2e58@imap.ecs.soton.ac.uk> I very much doubt that setting any "directory" settings to /dev/null would work, as it's not a directory. At 02:47 16/02/2003, you wrote: >Would it not be better to change outgoing queue directory to /dev/null >for such mails. What would happen if I set incoming directory to >/dev/null? Will MailScanner try to read from /dev/null to scan or will >it just drop them? Why waste resources scanning when we want to drop >them off the cliff anyway? > >Mohan > >-----Original Message----- 
>From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On >Behalf Of Julian Field >Sent: Saturday, February 15, 2003 4:08 AM >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Re: Blocking empty To with rules > > >At 16:06 14/02/2003, you wrote: > >Is it possible to block a spam message where the To is empty? We are > >getting a ton of spam from AOL and in the sendmail logfile the To is > >blank. I wouldn't mind shutting AOL down from having access to our > >server but I'm sure our customers would complain :) > >In a ruleset you can specify arbitrary regular expressions, which is >perfect for this. You could write a ruleset for the "Is Definitely Spam" >parameter that contains the line >To: /^$/ yes >which would say that all mail with no To address is spam. >-- >Julian Field >www.MailScanner.info >MailScanner thanks transtec Computers for their support -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Sun Feb 16 09:52:45 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:12 2006 Subject: Automating MailScanner.conf upgrades In-Reply-To: <155127F4-413B-11D7-AA3E-003065F939FE@ucsc.edu> References: <5.2.0.9.2.20030215132222.024fa228@imap.ecs.soton.ac.uk> Message-ID: <5.2.0.9.2.20030216095100.02630998@imap.ecs.soton.ac.uk> At 23:13 15/02/2003, you wrote: >What's the oldest version of mailscanner it'll work with? At home I'm >still running 3.15, but at work I'm relatively current. Should work with any version, except the 3 - 4 transition. It doesn't rely on any other data to run, just the files you give it on the command-line. >And, I'm assuming this makes room for having multiple current installs >of mailscanner? For example, I tend to have multiple > >/opt/mailscanner-$VER Yes, it just works with whatever filenames you give it. >On Saturday, Feb 15, 2003, at 05:46 US/Pacific, Julian Field wrote: >> >>The biggest pain in doing an upgrade of MailScanner is working out >>what has >>changed between your current MailScanner.conf and the new one. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From jrudd at UCSC.EDU Sun Feb 16 11:10:29 2003 
From: jrudd at UCSC.EDU (John Rudd) Date: Thu Jan 12 21:17:12 2006 Subject: my other FREQ of the day In-Reply-To: <5.2.0.9.2.20030216095402.025f1dd8@imap.ecs.soton.ac.uk> Message-ID: <4261531A-419F-11D7-AA3E-003065F939FE@ucsc.edu> On Sunday, Feb 16, 2003, at 01:58 US/Pacific, Julian Field wrote: > At 23:38 15/02/2003, you wrote: > >> 3) somewhat related to #1 is that you cannot reject messages based >> upon >> results. You can try to bounce them, after the fact, but that isn't >> reliable (because you cannot trust the return addresses). I'd rather >> reject them outright. > > That's your MTA's job. > Yes, it should be the MTA's job, but the decision about what to reject depends upon (or, in an ideal world, would involve) the results of what Mailscanner has found. Sort of a chicken and the egg thing -- mailscanner won't make a decision until after the MTA has accepted the message, but if mailscanner finds something bad, then the MTA might want to reject the message ... except that it already accepted it. From mailscanner at ecs.soton.ac.uk Sun Feb 16 11:27:55 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:12 2006 Subject: my other FREQ of the day In-Reply-To: <4261531A-419F-11D7-AA3E-003065F939FE@ucsc.edu> References: <5.2.0.9.2.20030216095402.025f1dd8@imap.ecs.soton.ac.uk> Message-ID: <5.2.0.9.2.20030216112236.02530c18@imap.ecs.soton.ac.uk> At 11:10 16/02/2003, you wrote: >On Sunday, Feb 16, 2003, at 01:58 US/Pacific, Julian Field wrote: >>At 23:38 15/02/2003, you wrote: >>>3) somewhat related to #1 is that you cannot reject messages based >>>upon >>>results. You can try to bounce them, after the fact, but that isn't >>>reliable (because you cannot trust the return addresses). I'd rather >>>reject them outright. >> >>That's your MTA's job. > >Yes, it should be the MTA's job, but the decision about what to reject >depends upon (or, in an ideal world, would involve) the results of what >Mailscanner has found. Sort of a chicken and the egg thing -- >mailscanner won't make a decision until after the MTA has accepted the >message, but if mailscanner finds something bad, then the MTA might >want to reject the message ... except that it already accepted it. As you cannot trust the return addresses, the only thing you could do (other than deliver it, obviously) is to discard the message. And you don't want to do that until all the spam+virus tests have been done. So you would achieve the same effect by setting the outgoing queue dir using a custom function. This would do whatever checks it wanted to on the message, and then possibly produce an outgoing queue dir that is "special". This "special" directory would have no "queue runner" process, but instead a little cron job that just deletes everything in the directory every hour or so. This would have the effect of throwing away the messages if they meet various criteria of your choosing, which I think is what you are trying to achieve. It would only take a few minutes to set up. 
Take a look in CustomConfig.pm for example Custom Functions, and all the properties of a message are listed at the start of Message.pm. If you know what you want to do, and are prepared to pay me for my time, I'll write it for you if you can't do it yourself. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From mike at ZANKER.ORG Sun Feb 16 15:58:57 2003 From: mike at ZANKER.ORG (Mike Zanker) Date: Thu Jan 12 21:17:12 2006 Subject: Web site poorly? Message-ID: <160320906.1045411137@jemima.zanker.org> Trying to get some info off the web site about installing MailScanner on Solaris - it's veeeerrrrryyyy slow. Mike. From mailscanner at ecs.soton.ac.uk Sun Feb 16 16:01:49 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:12 2006 Subject: Web site poorly? In-Reply-To: <160320906.1045411137@jemima.zanker.org> Message-ID: <5.2.0.9.2.20030216160012.024c0d38@imap.ecs.soton.ac.uk> At 15:58 16/02/2003, you wrote: >Trying to get some info off the web site about installing MailScanner >on Solaris - it's veeeerrrrryyyy slow. Our dept web server is having a very bad weekend. I have told the guys who look after it, and hopefully it will wake up again tomorrow. The server *is* still working but, as you say, veeeerrrryyyy slowly. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Sun Feb 16 16:02:50 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:12 2006 Subject: Web site poorly? In-Reply-To: <160320906.1045411137@jemima.zanker.org> Message-ID: <5.2.0.9.2.20030216160225.02a38f68@imap.ecs.soton.ac.uk> Remember that most of the web site is included in the distributions. At 15:58 16/02/2003, you wrote: >Trying to get some info off the web site about installing MailScanner >on Solaris - it's veeeerrrrryyyy slow. > >Mike. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From henker at SHCOM.US Sun Feb 16 16:16:24 2003 From: henker at SHCOM.US (Steffan Henke) Date: Thu Jan 12 21:17:12 2006 Subject: SV: SV: rav not scanning archives by default In-Reply-To: <5.2.0.9.2.20030215213436.02647e78@imap.ecs.soton.ac.uk> References: <3C4F5084EF16D4119CE700508B6B8B10058D0A52@nt.svenskakyrkan. se> <5.2.0.9.2.20030215213436.02647e78@imap.ecs.soton.ac.uk> Message-ID: On Sat, 15 Feb 2003, Julian Field wrote: > output between ravlin8 and ravav. So edit > /usr/lib/MailScanner/ravav-wrapper and change line4 to say ravav instead of > ravlin8. > Please give this a try and let me know how you get on. > If there are no problems, this will be changed in the next release. Hello, now, I did this as well, but still no go for me, this is really strange. I had no problems with sophos, f-prot, even clamav, but rav does not work for me, I have no idea *what* goes wrong. Regards, Steffan From mailscanner at ecs.soton.ac.uk Sun Feb 16 16:28:06 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:12 2006 Subject: SV: SV: rav not scanning archives by default In-Reply-To: References: <5.2.0.9.2.20030215213436.02647e78@imap.ecs.soton.ac.uk> <3C4F5084EF16D4119CE700508B6B8B10058D0A52@nt.svenskakyrkan. se> <5.2.0.9.2.20030215213436.02647e78@imap.ecs.soton.ac.uk> Message-ID: <5.2.0.9.2.20030216162659.024caf50@imap.ecs.soton.ac.uk> At 16:16 16/02/2003, you wrote: >On Sat, 15 Feb 2003, Julian Field wrote: > > > output between ravlin8 and ravav. So edit > > /usr/lib/MailScanner/ravav-wrapper and change line4 to say ravav instead of > > ravlin8. > > Please give this a try and let me know how you get on. > > If there are no problems, this will be changed in the next release. > >Hello, > >now, I did this as well, but still no go for me, this is really strange. >I had no problems with sophos, f-prot, even clamav, but rav does not work >for me, I have no idea *what* goes wrong. and running the wrapper (with "." as the only command-line parameter) produces no output at all? Any chance of remote access to your system so I can take a look for you? -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From mike at ZANKER.ORG Sun Feb 16 16:50:17 2003 
From: mike at ZANKER.ORG (Mike Zanker) Date: Thu Jan 12 21:17:12 2006 Subject: Web site poorly? In-Reply-To: <5.2.0.9.2.20030216160225.02a38f68@imap.ecs.soton.ac.uk> References: <5.2.0.9.2.20030216160225.02a38f68@imap.ecs.soton.ac.uk> Message-ID: <163400421.1045414217@jemima.zanker.org> On 16 February 2003 16:02 +0000 Julian Field wrote: > Remember that most of the web site is included in the distributions. Hmm, so it is... I've been having loads of problems trying to get MS and SA installed under Solaris 9 (x86). However, what isn't helping is that Sun's perl (5.6.1) is compiled with their C compiler rather than gcc - and 64-bit, too. Hence it's either a case of editing Config.pm or recompiling perl with gcc. I'm doing the latter :) Mike. From mike at CAMAROSS.NET Sun Feb 16 17:15:11 2003 From: mike at CAMAROSS.NET (Mike Kercher) Date: Thu Jan 12 21:17:12 2006 Subject: Spambayes? In-Reply-To: <163400421.1045414217@jemima.zanker.org> Message-ID: <066201c2d5de$f6e2f440$9801a8c0@home.middlefinger.net> I was reading my latest Linux Journal last night and a couple of articles touched on Spambayes. Julian, have you done any reading about this? If so, thoughts? Mike From mailscanner at ecs.soton.ac.uk Sun Feb 16 17:25:09 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:12 2006 Subject: Spambayes? In-Reply-To: <066201c2d5de$f6e2f440$9801a8c0@home.middlefinger.net> References: <163400421.1045414217@jemima.zanker.org> Message-ID: <5.2.0.9.2.20030216172131.02a2fe28@imap.ecs.soton.ac.uk> At 17:15 16/02/2003, you wrote: >I was reading my latest Linux Journal last night and a couple of articles >touched on Spambayes. Julian, have you done any reading about this? If so, >thoughts? Bayesian filtering methods are the current "hot topic" in spam detection. The next release of SpamAssassin (due out within the next month or so) will include a Bayesian filter. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From henker at SHCOM.US Sun Feb 16 18:38:19 2003 
From: henker at SHCOM.US (Steffan Henke) Date: Thu Jan 12 21:17:12 2006 Subject: SV: SV: rav not scanning archives by default In-Reply-To: <5.2.0.9.2.20030216162659.024caf50@imap.ecs.soton.ac.uk> References: <5.2.0.9.2.20030215213436.02647e78@imap.ecs.soton.ac.uk> <3C4F5084EF16D4119CE700508B6B8B10058D0A52@nt.svenskakyrkan. se> <5.2.0.9.2.20030215213436.02647e78@imap.ecs.soton.ac.uk> <5.2.0.9.2.20030216162659.024caf50@imap.ecs.soton.ac.uk> Message-ID: On Sun, 16 Feb 2003, Julian Field wrote: > and running the wrapper (with "." as the only command-line parameter) > produces no output at all? Julian, no, it does give an output if I call it from the command line. Regards, Steffan [root@mail MailScanner]# ./rav-wrapper . RAV AntiVirus command line for Linux i686. Version: 8.3.1. Copyright (c) 1996-2001 GeCAD The Software Company. All rights reserved. Scan engine 8.9 for i386. Last update: Fri Feb 14 18:07:20 2003 Scanning for 78161 malwares (viruses, trojans and worms). Scan started on Sun Feb 16 19:36:42 2003 Scan ended on Sun Feb 16 19:36:42 2003 Scan results: Time: 0 second(s). Objects scanned: 46. New objects: 46 Infected: 0. Different virus bodies: 0. Files: 46. Directories: 1. Archives: 0. Packed: 0. Mail files: 0. Warnings: 0. From mailscanner at ecs.soton.ac.uk Sun Feb 16 18:50:18 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:12 2006 Subject: SV: SV: rav not scanning archives by default In-Reply-To: References: <5.2.0.9.2.20030216162659.024caf50@imap.ecs.soton.ac.uk> <5.2.0.9.2.20030215213436.02647e78@imap.ecs.soton.ac.uk> <3C4F5084EF16D4119CE700508B6B8B10058D0A52@nt.svenskakyrkan. se> <5.2.0.9.2.20030215213436.02647e78@imap.ecs.soton.ac.uk> <5.2.0.9.2.20030216162659.024caf50@imap.ecs.soton.ac.uk> Message-ID: <5.2.0.9.2.20030216184558.0297ff20@imap.ecs.soton.ac.uk> At 18:38 16/02/2003, you wrote: >On Sun, 16 Feb 2003, Julian Field wrote: > > > and running the wrapper (with "." as the only command-line parameter) > > produces no output at all? > >Julian, > >no, it does give an output if I call it from the command line. Well where did the output at the bottom of your message come from? Sure looks like output from rav-wrapper to me. Please do
cd /tmp
ls -l
/usr/lib/MailScanner/rav-wrapper --all --mail --archive .
with some viruses and stuff in /tmp. The output you have included below says that rav-wrapper is basically working. Why do I feel we are going round in circles? I'm afraid I can't remember the salient points of all the previous postings on this thread... >Regards, > >Steffan > >[root@mail MailScanner]# ./rav-wrapper . > > >RAV AntiVirus command line for Linux i686. >Version: 8.3.1. >Copyright (c) 1996-2001 GeCAD The Software Company. All rights reserved. > >Scan engine 8.9 for i386. >Last update: Fri Feb 14 18:07:20 2003 >Scanning for 78161 malwares (viruses, trojans and worms). >Scan started on Sun Feb 16 19:36:42 2003 >Scan ended on Sun Feb 16 19:36:42 2003 >Scan results: >Time: 0 second(s). >Objects scanned: 46. New objects: 46 >Infected: 0. Different virus bodies: 0. >Files: 46. Directories: 1. Archives: 0. Packed: 0. Mail files: 0. >Warnings: 0. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From henker at SHCOM.US Sun Feb 16 19:00:09 2003 
From: henker at SHCOM.US (Steffan Henke) Date: Thu Jan 12 21:17:12 2006 Subject: SV: SV: rav not scanning archives by default In-Reply-To: <5.2.0.9.2.20030216184558.0297ff20@imap.ecs.soton.ac.uk> References: <5.2.0.9.2.20030216162659.024caf50@imap.ecs.soton.ac.uk> <5.2.0.9.2.20030215213436.02647e78@imap.ecs.soton.ac.uk> <3C4F5084EF16D4119CE700508B6B8B10058D0A52@nt.svenskakyrkan. se> <5.2.0.9.2.20030215213436.02647e78@imap.ecs.soton.ac.uk> <5.2.0.9.2.20030216162659.024caf50@imap.ecs.soton.ac.uk> <5.2.0.9.2.20030216184558.0297ff20@imap.ecs.soton.ac.uk> Message-ID: On Sun, 16 Feb 2003, Julian Field wrote: > ls -l > /usr/lib/MailScanner/rav-wrapper --all --mail --archive . > with some viruses and stuff in /tmp. > The output you have included below says that rav-wrapper is basically working. Yes, I think so, it detected the eicar strings in a .com and a .zip-file, but I get nothing back when calling it through MailScanner. Weird. Regards, Steffan From mailscanner at ecs.soton.ac.uk Sun Feb 16 19:21:33 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:12 2006 Subject: SV: SV: rav not scanning archives by default In-Reply-To: References: <5.2.0.9.2.20030216184558.0297ff20@imap.ecs.soton.ac.uk> <5.2.0.9.2.20030216162659.024caf50@imap.ecs.soton.ac.uk> <5.2.0.9.2.20030215213436.02647e78@imap.ecs.soton.ac.uk> <3C4F5084EF16D4119CE700508B6B8B10058D0A52@nt.svenskakyrkan. se> <5.2.0.9.2.20030215213436.02647e78@imap.ecs.soton.ac.uk> <5.2.0.9.2.20030216162659.024caf50@imap.ecs.soton.ac.uk> <5.2.0.9.2.20030216184558.0297ff20@imap.ecs.soton.ac.uk> Message-ID: <5.2.0.9.2.20030216191847.02a2d5b8@imap.ecs.soton.ac.uk> At 19:00 16/02/2003, you wrote: >On Sun, 16 Feb 2003, Julian Field wrote: > > > ls -l > > /usr/lib/MailScanner/rav-wrapper --all --mail --archive . > > with some viruses and stuff in /tmp. > > The output you have included below says that rav-wrapper is basically > working. > >Yes, I think so, it detected the eicar strings in a .com and a .zip-file, >but I get nothing back when calling it through MailScanner. Weird. The -wrapper script requires write permission to the directory containing the messages. Can you check the ownership and permissions of the /var/spool/MailScanner/incoming/* directories? Are they being created writeable and readable by the Exim user? The rav-wrapper script has to generate an output log file from ravav itself, and then print that out. This is due to it truncating filenames when using output straight to a terminal window, but not when outputting to a file. Nasty :-( >Regards, > >Steffan -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From applein at IG.COM.BR Sun Feb 16 19:17:19 2003 
From: applein at IG.COM.BR (applein) Date: Thu Jan 12 21:17:12 2006 Subject: Spambayes? References: <163400421.1045414217@jemima.zanker.org> <5.2.0.9.2.20030216172131.02a2fe28@imap.ecs.soton.ac.uk> Message-ID: <000b01c2d5f0$08b14da0$0d4bd3c8@A3C4J5> mailscanner support spam assassin? ----- Original Message ----- From: "Julian Field" To: Sent: Sunday, February 16, 2003 2:25 PM Subject: Re: Spambayes? > At 17:15 16/02/2003, you wrote: > >I was reading my latest Linux Journal last night and a couple of articles > >touched on Spambayes. Julian, have you done any reading about this? If so, > >thoughts? > > Bayesian filtering methods are the current "hot topic" in spam detection. > The next release of SpamAssassin (due out within the next month or so) will > include a Bayesian filter. > -- > Julian Field > www.MailScanner.info > MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Sun Feb 16 19:30:04 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:12 2006 Subject: Spambayes? In-Reply-To: <000b01c2d5f0$08b14da0$0d4bd3c8@A3C4J5> References: <163400421.1045414217@jemima.zanker.org> <5.2.0.9.2.20030216172131.02a2fe28@imap.ecs.soton.ac.uk> Message-ID: <5.2.0.9.2.20030216192841.028c5408@imap.ecs.soton.ac.uk> At 19:17 16/02/2003, you wrote: >mailscanner support spam assassin? Yes. Set Use SpamAssassin = yes in your MailScanner.conf file (assuming you have installed SpamAssassin). You do *not* need to install the spamassassin script, or spamc or spamd. >----- Original Message ----- 
>From: "Julian Field" >To: >Sent: Sunday, February 16, 2003 2:25 PM >Subject: Re: Spambayes? > > > > At 17:15 16/02/2003, you wrote: > > >I was reading my latest Linux Journal last night and a couple of articles > > >touched on Spambayes. Julian, have you done any reading about this? If >so, > > >thoughts? > > > > Bayesian filtering methods are the current "hot topic" in spam detection. > > The next release of SpamAssassin (due out within the next month or so) >will > > include a Bayesian filter. > > -- > > Julian Field > > www.MailScanner.info > > MailScanner thanks transtec Computers for their support -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From raymond at PROLOCATION.NET Sun Feb 16 19:30:51 2003 From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:17:12 2006 Subject: Spambayes? In-Reply-To: <000b01c2d5f0$08b14da0$0d4bd3c8@A3C4J5> Message-ID: Hi! > mailscanner support spam assassin? Did you ever have a look inside mailscanner.conf ?? Especially the: # SpamAssassin part might be interesting. > > Bayesian filtering methods are the current "hot topic" in spam detection. > > The next release of SpamAssassin (due out within the next month or so) > > include a Bayesian filter. Bye, Raymond. From applein at IG.COM.BR Sun Feb 16 19:37:32 2003 
From: applein at IG.COM.BR (applein) Date: Thu Jan 12 21:17:12 2006 Subject: Spambayes? References: <163400421.1045414217@jemima.zanker.org> <5.2.0.9.2.20030216172131.02a2fe28@imap.ecs.soton.ac.uk> <5.2.0.9.2.20030216192841.028c5408@imap.ecs.soton.ac.uk> Message-ID: <005a01c2d5f2$e26d21c0$0d4bd3c8@A3C4J5> Thanks I'm trying setup amavisd-news because her support spam assassin now I'm to try setup mailscanner in my system thanks yours answers... ----- Original Message ----- From: "Julian Field" To: Sent: Sunday, February 16, 2003 4:30 PM Subject: Re: Spambayes? At 19:17 16/02/2003, you wrote: >mailscanner support spam assassin? Yes. Set Use SpamAssassin = yes in your MailScanner.conf file (assuming you have installed SpamAssassin). You do *not* need to install the spamassassin script, or spamc or spamd. >----- Original Message ----- >From: "Julian Field" >To: >Sent: Sunday, February 16, 2003 2:25 PM >Subject: Re: Spambayes? > > > > At 17:15 16/02/2003, you wrote: > > >I was reading my latest Linux Journal last night and a couple of articles > > >touched on Spambayes. Julian, have you done any reading about this? If >so, > > >thoughts? > > > > Bayesian filtering methods are the current "hot topic" in spam detection. > > The next release of SpamAssassin (due out within the next month or so) >will > > include a Bayesian filter. > > -- > > Julian Field > > www.MailScanner.info > > MailScanner thanks transtec Computers for their support -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From henker at SHCOM.US Sun Feb 16 19:39:36 2003 
From: henker at SHCOM.US (Steffan Henke) Date: Thu Jan 12 21:17:12 2006 Subject: SV: SV: rav not scanning archives by default In-Reply-To: <5.2.0.9.2.20030216191847.02a2d5b8@imap.ecs.soton.ac.uk> References: <5.2.0.9.2.20030216184558.0297ff20@imap.ecs.soton.ac.uk> <5.2.0.9.2.20030216162659.024caf50@imap.ecs.soton.ac.uk> <5.2.0.9.2.20030215213436.02647e78@imap.ecs.soton.ac.uk> <3C4F5084EF16D4119CE700508B6B8B10058D0A52@nt.svenskakyrkan. se> <5.2.0.9.2.20030215213436.02647e78@imap.ecs.soton.ac.uk> <5.2.0.9.2.20030216162659.024caf50@imap.ecs.soton.ac.uk> <5.2.0.9.2.20030216184558.0297ff20@imap.ecs.soton.ac.uk> <5.2.0.9.2.20030216191847.02a2d5b8@imap.ecs.soton.ac.uk> Message-ID: On Sun, 16 Feb 2003, Julian Field wrote: > /var/spool/MailScanner/incoming/* directories? Are they being created > writeable and readable by the Exim user? Julian, this is sendmail here, not Exim. It may have to do something with the permissions, but I would think the moment it gets called it is running as root, so it should be able to create the report file. > The rav-wrapper script has to generate an output log file from ravav > itself, and then print that out. This is due to it truncating filenames > when using output straight to a terminal window, but not when outputting to > a file. Nasty :-( Yes, it really confused me the first time I had a look at it - well, it still does :) Regards, Steffan From mailscanner at ecs.soton.ac.uk Sun Feb 16 19:43:23 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:12 2006 Subject: Spambayes? In-Reply-To: <005a01c2d5f2$e26d21c0$0d4bd3c8@A3C4J5> References: <163400421.1045414217@jemima.zanker.org> <5.2.0.9.2.20030216172131.02a2fe28@imap.ecs.soton.ac.uk> <5.2.0.9.2.20030216192841.028c5408@imap.ecs.soton.ac.uk> Message-ID: <5.2.0.9.2.20030216194022.029ebbe8@imap.ecs.soton.ac.uk> At 19:37 16/02/2003, you wrote: >Thanks I'm trying setup amavisd-news because her support spam assassin now >I'm to try setup mailscanner in my system thanks yours answers... I realise you probably expect me to say this, but... I think you will find MailScanner much easier to use and that it is faster, has more features and easier to maintain. That's what I have aimed for, anyway... amavis is widely linked on the net, but always to questions about how on earth to install it. I think you will find MailScanner much easier to use. If you have any more questions, please feel free to ask us. >----- Original Message ----- >From: "Julian Field" >To: >Sent: Sunday, February 16, 2003 4:30 PM >Subject: Re: Spambayes? > > >At 19:17 16/02/2003, you wrote: > >mailscanner support spam assassin? > >Yes. >Set > Use SpamAssassin = yes >in your MailScanner.conf file (assuming you have installed SpamAssassin). >You do *not* need to install the spamassassin script, or spamc or spamd. > > >----- Original Message ----- 
> >From: "Julian Field" > >To: > >Sent: Sunday, February 16, 2003 2:25 PM > >Subject: Re: Spambayes? > > > > > > > At 17:15 16/02/2003, you wrote: > > > >I was reading my latest Linux Journal last night and a couple of >articles > > > >touched on Spambayes. Julian, have you done any reading about this? >If > >so, > > > >thoughts? > > > > > > Bayesian filtering methods are the current "hot topic" in spam >detection. > > > The next release of SpamAssassin (due out within the next month or so) > >will > > > include a Bayesian filter. > > > -- > > > Julian Field > > > www.MailScanner.info > > > MailScanner thanks transtec Computers for their support > >-- >Julian Field >www.MailScanner.info >MailScanner thanks transtec Computers for their support -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From tony.johansson at SVENSKAKYRKAN.SE Sun Feb 16 19:50:42 2003 
From: tony.johansson at SVENSKAKYRKAN.SE (Tony Johansson) Date: Thu Jan 12 21:17:12 2006 Subject: SV: SV: SV: rav not scanning archives by default Message-ID: <3C4F5084EF16D4119CE700508B6B8B10058D0A53@nt.svenskakyrkan.se> I tried /usr/lib/MailScanner/rav-wrapper . in /tmp with some viruses and it seems to work ok. I get a report and it also produces a "report.vir" file with the report in it If I send the very same virus files through MailScanner and rav, nothing is reported though... They get delivered as uninfected Julian, let me know if you want access to the machine in question and I will set it up regards, Tony ps: When trying f-prot along with rav I noticed this in the log: Feb 16 20:01:01 redhat73 update.virus.scanners: Found f-prot installed Feb 16 20:01:01 redhat73 update.virus.scanners: Updating f-prot Feb 16 20:01:02 redhat73 F-Prot autoupdate[20938]: F-Prot successfully updated. Feb 16 20:01:02 redhat73 update.virus.scanners: Found rav installed Feb 16 20:01:02 redhat73 update.virus.scanners: Updating rav No word about rav having been successfully updated? From henker at SHCOM.US Sun Feb 16 19:51:37 2003 
From: henker at SHCOM.US (Steffan Henke) Date: Thu Jan 12 21:17:12 2006 Subject: Spambayes? In-Reply-To: <5.2.0.9.2.20030216194022.029ebbe8@imap.ecs.soton.ac.uk> References: <163400421.1045414217@jemima.zanker.org> <5.2.0.9.2.20030216172131.02a2fe28@imap.ecs.soton.ac.uk> <5.2.0.9.2.20030216192841.028c5408@imap.ecs.soton.ac.uk> <5.2.0.9.2.20030216194022.029ebbe8@imap.ecs.soton.ac.uk> Message-ID: On Sun, 16 Feb 2003, Julian Field wrote: > I think you will find MailScanner much easier to use and that it is faster, > has more features and easier to maintain. /me agrees. I had setup amavis for postfix a long time ago, that was not much of a problem, but for sendmail integration... Compared to that, MailScanner installation was *really* easy. What I actually have today is: 3 RBLs at the main gate, MailScanner using SpamAssassin on the mailhost, junkfilter and spambaynes via procmail at home - and all this just to keep junk out of my mailbox. *sigh* Regards, Steffan From henker at SHCOM.US Sun Feb 16 20:04:03 2003 From: henker at SHCOM.US (Steffan Henke) Date: Thu Jan 12 21:17:12 2006 Subject: SV: SV: SV: rav not scanning archives by default In-Reply-To: <3C4F5084EF16D4119CE700508B6B8B10058D0A53@nt.svenskakyrkan.se> References: <3C4F5084EF16D4119CE700508B6B8B10058D0A53@nt.svenskakyrkan.se> Message-ID: On Sun, 16 Feb 2003, Tony Johansson wrote: > If I send the very same virus files through MailScanner and rav, nothing is > reported though... They get delivered as uninfected That's exactly what I have here. Is there anybody who is running MS+sendmail+rav who could give us a hint ? Regards, Steffan From ucs_rat at SHSU.EDU Sun Feb 16 19:53:50 2003 
From: ucs_rat at SHSU.EDU (Robert A. Thompson) Date: Thu Jan 12 21:17:12 2006 Subject: Spambayes? In-Reply-To: <5.2.0.9.2.20030216194022.029ebbe8@imap.ecs.soton.ac.uk> References: <163400421.1045414217@jemima.zanker.org> <5.2.0.9.2.20030216172131.02a2fe28@imap.ecs.soton.ac.uk> <5.2.0.9.2.20030216192841.028c5408@imap.ecs.soton.ac.uk> <5.2.0.9.2.20030216194022.029ebbe8@imap.ecs.soton.ac.uk> Message-ID: <1045425230.15410.66.camel@ra.thethompsonhouse.com> I would second that notion. I used to run amavis, before mailscanner... it was somewhat hard to upgrade, I always had to taylor it to our system in some way, and worst of all it used to spawn a process for each mail... things like love letter killed it. On it's behalf it did save my behind a few times, and I'm sure the problems it had have been fixed(I havn't kept up with it). Ever since switching to mailscanner I have not had a problem of over running my mail server (processing about a million emails a week) running both virus scanning and spam assassin. Configuring is much easier, and Julian is quick to help if you have a problem. Well worth time to setup & learn. --Robert On Sun, 2003-02-16 at 13:43, Julian Field wrote: > At 19:37 16/02/2003, you wrote: > >Thanks I'm trying setup amavisd-news because her support spam assasin now > >I'm to try setup mailscanner in my system thanks yours awers... > > I realise you probably expect me to say this, but... > > I think you will find MailScanner much easier to use and that it is faster, > has more features and easier to maintain. > > That's what I have aimed for, anyway... > > amavis is widely linked on the net, but always to questions about how on > earth to install it. I think you will find MailScanner much easier to use. > > If you have any more questions, please feel free to ask us. > > >----- Original Message ----- 
> >From: "Julian Field" > >To: > >Sent: Sunday, February 16, 2003 4:30 PM > >Subject: Re: Spambayes? > > > > > >At 19:17 16/02/2003, you wrote: > > >mailscanner support spam assassin? > > > >Yes. > >Set > > Use SpamAssassin = yes > >in your MailScanner.conf file (assuming you have installed SpamAssassin). > >You do *not* need to install the spamassassin script, or spamc or spamd. > > > > >----- Original Message ----- > > >From: "Julian Field" > > >To: > > >Sent: Sunday, February 16, 2003 2:25 PM > > >Subject: Re: Spambayes? > > > > > > > > > > At 17:15 16/02/2003, you wrote: > > > > >I was reading my latest Linux Journal last night and a couple of > >articles > > > > >touched on Spambayes. Julian, have you done any reading about this? > >If > > >so, > > > > >thoughts? > > > > > > > > Bayesian filtering methods are the current "hot topic" in spam > >detection. > > > > The next release of SpamAssassin (due out within the next month or so) > > >will > > > > include a Bayesian filter. > > > > -- > > > > Julian Field > > > > www.MailScanner.info > > > > MailScanner thanks transtec Computers for their support > > > >-- > >Julian Field > >www.MailScanner.info > >MailScanner thanks transtec Computers for their support From jrudd at UCSC.EDU Sun Feb 16 21:50:42 2003 From: jrudd at UCSC.EDU (John Rudd) Date: Thu Jan 12 21:17:12 2006 Subject: my other FREQ of the day Message-ID: <200302162150.h1GLogq00945@kzin.ucsc.edu> 
> From: Julian Field > > At 11:10 16/02/2003, you wrote: > >On Sunday, Feb 16, 2003, at 01:58 US/Pacific, Julian Field wrote: > >>At 23:38 15/02/2003, you wrote: > >>>3) somewhat related to #1 is that you cannot reject messages based > >>>upon > >>>results. You can try to bounce them, after the fact, but that isn't > >>>reliable (because you cannot trust the return addresses). I'd rather > >>>reject them outright. > >> > >>That's your MTA's job. > > > >Yes, it should be the MTA's job, but the decision about what to reject > >depends upon (or, in an ideal world, would involve) the results of what > >Mailscanner has found. Sort of a chicken and the egg thing -- > >mailscanner wont make a decision until after the MTA has accepted the > >message, but if mailscanner finds something bad, then the MTA might > >want to reject the message ... except that it already accepted it. > > As you cannot trust the return addresses, the only thing you could do > (other than deliver it, obviously) is to discard the message. And you don't [snip description of how to discard messages] Actually, if I were trying to throw away all offending messages, then that's what I would do -- I would see if I could put a wildcard into the "silently delete these viruses" feature (and request that ability if I can't), I would set the spam and high-spam actions to delete, and I would ask for a similar "actions" item for viruses, and file name matches (that gives the same "store, deliver, delete, ..." options). (actually, having those action items would be good, but not necessary for _me_ because that's not my goal) No, what I want is the option to refuse to accept high spam (things that score over 10, in my case). Not delete it, refuse it. I'm not _bouncing_ it, as you suggest, but instead I'm forcing it to clog the sender's mail queue. 
If they're a spam relay (open or not), then it will disrupt their operations over time, and they will be forced to a) find out why I'm refusing those messages and thus find out that they're a spam relay, b) either stop relaying spam to me or stop relaying spam all together. Hopefully, that leads to there being one less spam relay in the world. If they're not a spam relay, but the actual spammers, then hopefully it degrades the operation of their systems. If enough people are _refusing_ these messages, then those spam relays and spam senders will eventually end up with huge backlogs of messages and systems which are not performing well as long as they're in the spam business. I agree that bouncing is useless. You can't depend upon the claimed sender address, and even if you could there's no guarantee that they'll do anything with the bounce other than automatically delete it. But rejecting isn't anywhere near the same thing as bouncing. Rejecting leaves it sitting in the sending-relay's queue, taking up the sending-relay's resources, until the sending-relay starts being proactive about handling spam. If they're a high-spam-volume site, then they'll quickly have problems ... if they're low volume, then it might just be a minor annoyance to them. That seems to me to be about right. From mailscanner at ecs.soton.ac.uk Sun Feb 16 22:29:13 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:12 2006 Subject: SV: SV: SV: rav not scanning archives by default In-Reply-To: References: <3C4F5084EF16D4119CE700508B6B8B10058D0A53@nt.svenskakyrkan.se> <3C4F5084EF16D4119CE700508B6B8B10058D0A53@nt.svenskakyrkan.se> Message-ID: <5.2.0.9.2.20030216222711.02a369e8@imap.ecs.soton.ac.uk> Okay, I have got a solution. This has been tested on Steffan's system and appears to work fine. It appears that RAV does not work unless STDIN is tied to a real tty. Let us know if this solves the problem for you. Unless I hear otherwise, it will be included in the next release. At 20:04 16/02/2003, you wrote: >On Sun, 16 Feb 2003, Tony Johansson wrote: > > > If I send the very same virus files through MailScanner and rav, nothing is > > reported though... They get delivered as uninfected > >That's exactly what I have here. >Is there anybody who is running MS+sendmail+rav who could give us a hint ? > >Regards, > >Steffan -------------- next part -------------- A non-text attachment was scrubbed... Name: rav-wrapper Type: application/octet-stream Size: 1269 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030216/03920a6a/rav-wrapper.obj -------------- next part -------------- -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From smohan at vsnl.com Mon Feb 17 00:27:43 2003 From: smohan at vsnl.com (S Mohan) Date: Thu Jan 12 21:17:12 2006 Subject: my other FREQ of the day In-Reply-To: <5.2.0.9.2.20030216112236.02530c18@imap.ecs.soton.ac.uk> Message-ID: <000a01c2d61b$661d6a20$276041db@18yamuna> Dear Julian: Would it be possible to scan the rules file for any header name and match like procmail instead of just From and To. This would make the rule set mighty powerful. Mohan -----Original Message----- 
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Julian Field Sent: Sunday, February 16, 2003 4:58 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: my other FREQ of the day At 11:10 16/02/2003, you wrote: >On Sunday, Feb 16, 2003, at 01:58 US/Pacific, Julian Field wrote: >>At 23:38 15/02/2003, you wrote: >>>3) somewhat related to #1 is that you cannot reject messages based >>>upon results. You can try to bounce them, after the fact, but that >>>isn't reliable (because you cannot trust the return addresses). I'd >>>rather reject them outright. >> >>That's your MTA's job. > >Yes, it should be the MTA's job, but the decision about what to reject >depends upon (or, in an ideal world, would involve) the results of what >Mailscanner has found. Sort of a chicken and the egg thing -- >mailscanner wont make a decision until after the MTA has accepted the >message, but if mailscanner finds something bad, then the MTA might >want to reject the message ... except that it already accepted it. As you cannot trust the return addresses, the only thing you could do (other than deliver it, obviously) is to discard the message. And you don't want to do that until all the spam+virus tests have been done. So you would achieve the same effect by setting the outgoing queue dir using a custom function. This would do whatever checks it wanted to on the message, and then possibly produce an outgoing queue dir that is "special". This "special" directory would have no "queue runner" process, but instead a little cron job that just deletes everything in the directory every hour or so. This would have the effect of throwing away the messages if they meet various criteria of your choosing, which I think is what you are trying to achieve. It would only take a few minutes to set up. Take a look in CustomConfig.pm for example Custom Functions, and all the properties of a message are listed at the start of Message.pm. 
If you know what you want to do, and are prepared to pay me for my time, I'll write it for you if you can't do it yourself. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From smohan at vsnl.com Mon Feb 17 00:27:43 2003 From: smohan at vsnl.com (S Mohan) Date: Thu Jan 12 21:17:12 2006 Subject: Spambayes? In-Reply-To: <1045425230.15410.66.camel@ra.thethompsonhouse.com> Message-ID: <000901c2d61b$6533cd70$276041db@18yamuna> Another second. I used amavis. Had to change sendmail.cf. Getting it to scan outgoing mails involved a convoluted method of changing ports ... MailScanner is miles ahead and has so much flexibility built in that it is unbelievable. Mohan -----Original Message----- 
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Robert A. Thompson Sent: Monday, February 17, 2003 1:24 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Spambayes? I would second that notion. I used to run amavis, before mailscanner... it was somewhat hard to upgrade, I always had to taylor it to our system in some way, and worst of all it used to spawn a process for each mail... things like love letter killed it. On it's behalf it did save my behind a few times, and I'm sure the problems it had have been fixed(I havn't kept up with it). Ever since switching to mailscanner I have not had a problem of over running my mail server (processing about a million emails a week) running both virus scanning and spam assassin. Configuring is much easier, and Julian is quick to help if you have a problem. Well worth time to setup & learn. --Robert On Sun, 2003-02-16 at 13:43, Julian Field wrote: > At 19:37 16/02/2003, you wrote: > >Thanks I'm trying setup amavisd-news because her support spam assasin > >now I'm to try setup mailscanner in my system thanks yours awers... > > I realise you probably expect me to say this, but... > > I think you will find MailScanner much easier to use and that it is > faster, > has more features and easier to maintain. > > That's what I have aimed for, anyway... > > amavis is widely linked on the net, but always to questions about how > on > earth to install it. I think you will find MailScanner much easier to use. > > If you have any more questions, please feel free to ask us. > > >----- Original Message ----- 
> >From: "Julian Field" > >To: > >Sent: Sunday, February 16, 2003 4:30 PM > >Subject: Re: Spambayes? > > > > > >At 19:17 16/02/2003, you wrote: > > >mailscanner support spam assassin? > > > >Yes. > >Set > > Use SpamAssassin = yes > >in your MailScanner.conf file (assuming you have installed > >SpamAssassin). You do *not* need to install the spamassassin script, > >or spamc or spamd. > > > > >----- Original Message ----- > > >From: "Julian Field" > > >To: > > >Sent: Sunday, February 16, 2003 2:25 PM > > >Subject: Re: Spambayes? > > > > > > > > > > At 17:15 16/02/2003, you wrote: > > > > >I was reading my latest Linux Journal last night and a couple > > > > >of > >articles > > > > >touched on Spambayes. Julian, have you done any reading about > > > > >this? > >If > > >so, > > > > >thoughts? > > > > > > > > Bayesian filtering methods are the current "hot topic" in spam > >detection. > > > > The next release of SpamAssassin (due out within the next month > > > > or so) > > >will > > > > include a Bayesian filter. > > > > -- > > > > Julian Field > > > > www.MailScanner.info > > > > MailScanner thanks transtec Computers for their support > > > >-- > >Julian Field > >www.MailScanner.info > >MailScanner thanks transtec Computers for their support From smohan at vsnl.com Mon Feb 17 00:27:43 2003 
From: smohan at vsnl.com (S Mohan) Date: Thu Jan 12 21:17:12 2006 Subject: my other FREQ of the day In-Reply-To: <5.2.0.9.2.20030216095402.025f1dd8@imap.ecs.soton.ac.uk> Message-ID: <000b01c2d61b$66d76b50$276041db@18yamuna> 1. From what I have seen and read of postfix, it is a drop-in replacement for sendmail. Which means it works the same way and uses the same configuration files. The one thing that could possibly vary is the command line invocation with options that the MailScanner script does. 2. I think the current design of MailScanner is ideal as it allows us to use the MTA we want (at least 2) and does not mess around trying to be an MTA. As more options come around in the MTA like sendmail, we should be able to use them. I'd trust a software that has been around and stable for a long while instead of experimentation. At least in the current scheme, if I know something is wrong with MailScanner, I shut it down and start up sendmail as usual and I'm on without virus or spam scanning. 3. Daemonised approach vs. individual instances. I'm not an expert but hey, if either does the job with a 5% difference in efficiency, why change? Mohan -----Original Message----- 
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Julian Field Sent: Sunday, February 16, 2003 3:28 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: my other FREQ of the day At 23:38 15/02/2003, you wrote: >The three main weaknesses I see in mailscanner at the moment are: > >1) the dual queue approach combined with the "wait and see if anything >arrived while we were asleep" approach to scanning messages MailScanner 4 has multiple child processes all watching the queue, so the response is very fast. >2) its difficulty in working with certain mta's (it's not immediately >obvious to me how I'd use it with courier, qmail, or communigate pro, >and we're evaluating switching to courier or communigate pro ... but >I'd like to stick with mailscanner) It currently works with sendmail and Exim. Postfix is next on the list, but that is going to take quite a while to write. >3) somewhat related to #1 is that you cannot reject messages based upon >results. You can try to bounce them, after the fact, but that isn't >reliable (because you cannot trust the return addresses). I'd rather >reject them outright. That's your MTA's job. >I have an idea that would solve all 3 problems, I think. > >Have an option for MailScanner to run as an SMTP daemon. I don't mean to be rude, but sorry, there is no way that is going to happen. I wouldn't trust it. Being an SMTP daemon is very hard, and the MTA's are already very good at it. I don't re-invent the wheel. >Am I the only person who would find that to be a useful direction for >Mailscanner? I could probably help some with implementation (in fact, >I might even be able to convince my boss that it's important enough to >our services that I could make it one of my front-burner projects), and >I would definitely be able to provide a machine or two for testing. 
Feel free to write your own email virus scanner :-) -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From jrudd at UCSC.EDU Mon Feb 17 03:08:50 2003 
From: jrudd at UCSC.EDU (John Rudd) Date: Thu Jan 12 21:17:12 2006 Subject: my other FREQ of the day In-Reply-To: <20030217023537.GC4199@hoiho.nz.lemon-computing.com> Message-ID: <2361CE3B-4225-11D7-AA3E-003065F939FE@ucsc.edu> On Sunday, Feb 16, 2003, at 18:35 US/Pacific, Nick Phillips wrote: > On Sun, Feb 16, 2003 at 03:10:29AM -0800, John Rudd wrote: >> On Sunday, Feb 16, 2003, at 01:58 US/Pacific, Julian Field wrote: >> >>> At 23:38 15/02/2003, you wrote: >>> >>>> 3) somewhat related to #1 is that you cannot reject messages based >>>> upon >>>> results. You can try to bounce them, after the fact, but that isn't >>>> reliable (because you cannot trust the return addresses). I'd >>>> rather >>>> reject them outright. >>> >>> That's your MTA's job. >>> >> >> Yes, it should be the MTA's job, but the decision about what to reject >> depends upon (or, in an ideal world, would involve) the results of >> what >> Mailscanner has found. Sort of a chicken and the egg thing -- >> mailscanner wont make a decision until after the MTA has accepted the >> message, but if mailscanner finds something bad, then the MTA might >> want to reject the message ... except that it already accepted it. > > You might want to look at Ian Jackson's SAUCE (which works with Exim) > on the incoming side. I haven't tried it yet, but it basically deals > with SMTP-time stuff. > > Try http://www.chiark.greenend.org.uk/~ian/software/ > I don't really think that that's what I want. It's doing its best to check the integrity of the return and relay addresses, but that doesn't mean that the end result is valid. It just means that the hops along the way actually exist and that the return address exists. That doesn't mean that the message came from the individual in question. What I want is probably something like a milter, that does everything mailscanner does, and the way mailscanner does it (a persistent process that works upon a file on disk instead of receiving the file via socket) ... 
but unlike a milter, it would work with MTA's other than sendmail. That's a bit of a tall order. Though, for those who say "being an MTA is hard" -- what exactly is the queueonly sendmail doing that is hard to do? It does access checking, which isn't very sophisticated. Depending upon configuration, it checks that the sender's DNS and reverse DNS work. It does some relaying checks. It decides about when to answer connection requests based upon the current load, and it throttles the connection based upon how many messages it's taking from a single host. And it is looking at whether or not the queue disk is full. What else? I don't think it's doing any form of address rewriting. It's not doing virtusertable expansion. It's not doing alias expansion. It's not deciding which mailer to use, whether or not it's a local address for local delivery or not, etc. etc. etc. It seems to me that the parts I suggested offloading on to mailscanner (and only as an option) are NOT the "hard part" of being an MTA. The hardest part, I think, would be the logic for deciding how and when to throttle the connection. Just thought of two things I missed (because they aren't done at either of my sites): SMTP AUTH and SMTP-SSL. I can see SMTP AUTH being tricky. Not sure about SMTP-SSL. From linux at mostert.nom.za Mon Feb 17 07:23:41 2003 
From: linux at mostert.nom.za (Mozzi) Date: Thu Jan 12 21:17:12 2006 Subject: Not processing Message-ID: <200302170923.41578.linux@mostert.nom.za>

Hello all,
I hope you all had a very good weekend.

I am still having problems with my scanner server.

I have a lot of messages in my in queue
[root@mailscan spool]# ls mqueue.in | wc -w
10559

And for 3 days now it is not being processed or sent out.

I have done the following:
Changed from perl 5.6.0 -> 5.8.0, downloaded sources and compiled myself
Installed all modules from CPAN
Reinstalled MailScanner from the tarball and started up the sendmail in and out queue

I can see the process in ps
[root@mailscan spool]# ps ax | grep Mail
15725 ? S 0:00 /usr//local/bin/perl -I/opt/MailScanner/lib /opt/Mail
15726 ? S 8:26 /usr//local/bin/perl -I/opt/MailScanner/lib /opt/Mail
15728 ? S 8:24 /usr//local/bin/perl -I/opt/MailScanner/lib /opt/Mail
15729 ? S 8:26 /usr//local/bin/perl -I/opt/MailScanner/lib /opt/Mail
15731 ? S 8:28 /usr//local/bin/perl -I/opt/MailScanner/lib /opt/Mail
15732 ? S 8:27 /usr//local/bin/perl -I/opt/MailScanner/lib /opt/Mail
17470 pts/3 S 0:00 grep Mail

But nothing happens. Tailing the logfile, all I can see is bunches of spam being processed but they never go out of the queue.
The rate at which the messages get processed also worries me as it looks extremely slow.

Tnx

Mozzi

From mailscanner at BARENDSE.TO Mon Feb 17 08:24:57 2003 
From: mailscanner at BARENDSE.TO (Remco Barendse) Date: Thu Jan 12 21:17:12 2006 Subject: SpamAssassin spamassassin-2.44-7.8.x.src.rpm In-Reply-To: <5.2.0.9.2.20030215132222.024fa228@imap.ecs.soton.ac.uk> Message-ID: I just downloaded and --rebuild the latest rawhide SpamAssassin SRPM, Before creating the RPM package it showed this message: Obsoletes: perl-Mail-SpamAssassin Is this anything I should be worried about since MailScanner is using the perl version of SA? -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From mailscanner at ecs.soton.ac.uk Mon Feb 17 11:00:05 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:12 2006 Subject: my other FREQ of the day In-Reply-To: <000b01c2d61b$66d76b50$276041db@18yamuna> References: <5.2.0.9.2.20030216095402.025f1dd8@imap.ecs.soton.ac.uk> Message-ID: <5.2.0.9.2.20030217105904.022ee9d8@imap.ecs.soton.ac.uk> At 00:27 17/02/2003, you wrote: >1. From what I have seen and read of postfix, it is a drop in >replacement for sendmail. Which means it works the same way and uses the >same configuration files. The configuration file is where the similarity stops. Internally it is totally different. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Mon Feb 17 11:04:22 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:12 2006 Subject: Not processing In-Reply-To: <200302170923.41578.linux@mostert.nom.za> Message-ID: <5.2.0.9.2.20030217110350.025d8d88@imap.ecs.soton.ac.uk> Can you mail me your MailScanner.conf file please? At 07:23 17/02/2003, you wrote: >Hallo all, >I hope you all had a verey good weekend. > >I am still having problems with my scanner server. > >I have a lot of messages in my in que >[root@mailscan spool]# ls mqueue.in | wc -w > 10559 > >And for 3 days now it is not being processed or sent out. > >I have done the following: >Changed from perl 5.6.0 ->5.8.0 downloaded sources and compiled myself >Installed all modules from C-PAN >Reinstalled MailScanner from the tarbal and started up the sendmail in and >out >que > >I can see the process in ps >[root@mailscan spool]# ps ax | grep Mail >15725 ? S 0:00 /usr//local/bin/perl -I/opt/MailScanner/lib >/opt/Mail >15726 ? S 8:26 /usr//local/bin/perl -I/opt/MailScanner/lib >/opt/Mail >15728 ? S 8:24 /usr//local/bin/perl -I/opt/MailScanner/lib >/opt/Mail >15729 ? S 8:26 /usr//local/bin/perl -I/opt/MailScanner/lib >/opt/Mail >15731 ? S 8:28 /usr//local/bin/perl -I/opt/MailScanner/lib >/opt/Mail >15732 ? S 8:27 /usr//local/bin/perl -I/opt/MailScanner/lib >/opt/Mail >17470 pts/3 S 0:00 grep Mail > >But nothing happens.Tailing the logfile all I can see is bunches of spam >being >processed but they never go out of the que. >The rate @ witch the messages get processed also worry me as it looks >extremely slow > >Tnx > >Mozzi -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Mon Feb 17 11:02:14 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:12 2006 Subject: my other FREQ of the day In-Reply-To: <2361CE3B-4225-11D7-AA3E-003065F939FE@ucsc.edu> References: <20030217023537.GC4199@hoiho.nz.lemon-computing.com> Message-ID: <5.2.0.9.2.20030217110014.0231c078@imap.ecs.soton.ac.uk> At 03:08 17/02/2003, you wrote: >Though, for those who say "being and MTA is hard" -- what exactly is >the queueonly sendmail doing that is hard to do? It does access >checking, which isn't very sophisticated. Depending upon >configuration, it checks that the sender's DNS and reverse DNS work. >It does some relaying checks. It decides about when to answer >connection requests based upon the current load, and it throttles the >connection based upon how many messages it's taking from a single host. > And it is looking at whether or not the queue disk is full. What else? It provides a fully-featured, reliable, robust, SMTP service. Anyone who thinks that is simple has never tried writing anything of this sort themselves. It's not a job I would like to attempt. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Mon Feb 17 11:05:36 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:12 2006 Subject: SpamAssassin spamassassin-2.44-7.8.x.src.rpm In-Reply-To: References: <5.2.0.9.2.20030215132222.024fa228@imap.ecs.soton.ac.uk> Message-ID: <5.2.0.9.2.20030217110443.0231be80@imap.ecs.soton.ac.uk> At 08:24 17/02/2003, you wrote: >I just downloaded and --rebuild the latest rawhide SpamAssassin SRPM, > >Before creating the RPM package it showed this message: >Obsoletes: perl-Mail-SpamAssassin > >Is this anything I should be worried about since MailScanner is using the >perl version of SA? Shouldn't be anything to worry about, but I still say that the easiest/best way of installing SA is from the source. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From linux at mostert.nom.za Mon Feb 17 11:32:33 2003 
From: linux at mostert.nom.za (Mozzi) Date: Thu Jan 12 21:17:12 2006 Subject: Not processing In-Reply-To: <5.2.0.9.2.20030217110350.025d8d88@imap.ecs.soton.ac.uk> References: <5.2.0.9.2.20030217110350.025d8d88@imap.ecs.soton.ac.uk> Message-ID: <200302171332.33046.linux@mostert.nom.za> You will receive it shortly Mozzi On Monday 17 February 2003 13:04, Julian Field wrote: > Can you mail me your MailScanner.conf file please? > > At 07:23 17/02/2003, you wrote: > >Hallo all, > >I hope you all had a verey good weekend. > > > >I am still having problems with my scanner server. > > > >I have a lot of messages in my in que > >[root@mailscan spool]# ls mqueue.in | wc -w > > 10559 > > > >And for 3 days now it is not being processed or sent out. > > > >I have done the following: > >Changed from perl 5.6.0 ->5.8.0 downloaded sources and compiled myself > >Installed all modules from C-PAN > >Reinstalled MailScanner from the tarbal and started up the sendmail in and > >out > >que > > > >I can see the process in ps > >[root@mailscan spool]# ps ax | grep Mail > >15725 ? S 0:00 /usr//local/bin/perl -I/opt/MailScanner/lib > >/opt/Mail > >15726 ? S 8:26 /usr//local/bin/perl -I/opt/MailScanner/lib > >/opt/Mail > >15728 ? S 8:24 /usr//local/bin/perl -I/opt/MailScanner/lib > >/opt/Mail > >15729 ? S 8:26 /usr//local/bin/perl -I/opt/MailScanner/lib > >/opt/Mail > >15731 ? S 8:28 /usr//local/bin/perl -I/opt/MailScanner/lib > >/opt/Mail > >15732 ? S 8:27 /usr//local/bin/perl -I/opt/MailScanner/lib > >/opt/Mail > >17470 pts/3 S 0:00 grep Mail > > > >But nothing happens.Tailing the logfile all I can see is bunches of spam > >being > >processed but they never go out of the que. > >The rate @ witch the messages get processed also worry me as it looks > >extremely slow > > > >Tnx > > > >Mozzi From P.G.M.Peters at civ.utwente.nl Mon Feb 17 12:30:02 2003 
From: P.G.M.Peters at civ.utwente.nl (Peter Peters) Date: Thu Jan 12 21:17:12 2006 Subject: my other FREQ of the day In-Reply-To: <2361CE3B-4225-11D7-AA3E-003065F939FE@ucsc.edu> References: <20030217023537.GC4199@hoiho.nz.lemon-computing.com> <2361CE3B-4225-11D7-AA3E-003065F939FE@ucsc.edu> Message-ID: <5bl15vseb12kvvlijjctd1dsd40qu10kf3@4ax.com> On Sun, 16 Feb 2003 19:08:50 -0800, you wrote: >I don't think it's doing any form of address rewriting. It's not doing >virtusertable expansion. It's not doing alias expansion. It's not >deciding which mailer to use, whether or not it's a local address for >local delivery or not, etc. etc. etc. It checks whether the offered addresses are in the alias-files and/or virtuser-files when it thinks it's authorized to do so based on domain. -- Peter Peters, senior netwerkbeheerder Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE) Universiteit Twente, Postbus 217, 7500 AE Enschede telefoon: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/civ From mailscanner at ecs.soton.ac.uk Mon Feb 17 12:33:18 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:12 2006 Subject: Bug in black/whitelist spam rules In-Reply-To: References: <5.2.0.9.2.20030217110837.025ca6b8@imap.ecs.soton.ac.uk> Message-ID: <5.2.0.9.2.20030217123244.0255eff8@imap.ecs.soton.ac.uk> At 12:16 17/02/2003, you wrote: >Indeed but the mail to www@ecem.com. is not being recognized or treated >as blacklisted by MailScanner because the address www@ecem.com is in my >blacklist without a dot at the end. Ah! Now I see the point. Sorry, I missed the "." the first time around. Will fix this for the next release. >On Mon, 17 Feb 2003, Julian Field wrote: > > > That doesn't seem to show anything wrong. You received 1 message to > > e@ecem.com and another to www@ecem.com. > > > > At 10:05 17/02/2003, you wrote: > > >Hi Julian, > > > > > >Sorry i'm writing to you offlist but some spammers seem to have found a > > >way to circumvent the black/whitelisting feature and I'm sending the > > >output of maillog which I did not want to send on list. > > > > > >I have To: www@ecem.com blacklisted and deleted. Still was mail getting > > >through. > > > > > >It seems that adding a dot after our domain name still generates a valid > > >mail envelope/message but bypasses the balck/whitelisting feature. 
> > > > > >This is from the maillog: > > > > > >Feb 16 16:08:50 linuxgw sendmail[31824]: h1GF8nEM031824: > > >from=, size=610, class > > >=0, nrcpts=1, msgid=<3$a5166$09--$j05f@5vfo88>>, proto=SMTP, daemon=MTA, > > >relay=h-66-134-36-76.HSTQTX > > >02.covad.net [66.134.36.76] > > >Feb 16 16:08:50 linuxgw sendmail[31824]: h1GF8nEM031824: to=, > > >delay=00:00:00, mailer=esm > > >tp, pri=30542, stat=queued > > >Feb 16 16:08:50 linuxgw sendmail[31825]: h1GF8nEM031825: > > >from=, size=625, class > > >=0, nrcpts=1, msgid=<3e00v$l4vo$h73-tgo7t8140-5--fu8@uci2a99j.o2uy>>, > > >proto=SMTP, daemon=MTA, relay= > > >h-66-134-36-76.HSTQTX02.covad.net [66.134.36.76] > > >Feb 16 16:08:50 linuxgw sendmail[31825]: h1GF8nEM031825: > > >to=, delay=00:00:00, mailer= > > >esmtp, pri=30557, stat=queued > > >Feb 16 16:08:51 linuxgw MailScanner[30099]: New Batch: Scanning 2 > > >messages, 2172 bytes > > >Feb 16 16:08:52 linuxgw MailScanner[30099]: Spam Checks: Found 2 spam > > >messages > > >Feb 16 16:08:52 linuxgw MailScanner[30099]: Virus and Content Scanning: > > >Starting > > >Feb 16 16:09:00 linuxgw sendmail[31827]: h1GF8xEM031827: > > >from=, size=623, class > > >=0, nrcpts=1, msgid=<78uc9130p-7wrw$4ft$-f8-$5u--s$8@aif6v33>>, > > >proto=SMTP, daemon=MTA, relay=h-66-1 > > >34-36-76.HSTQTX02.covad.net [66.134.36.76] > > >Feb 16 16:09:00 linuxgw sendmail[31827]: h1GF8xEM031827: > > >to=, delay=00:00:01, mailer= > > >esmtp, pri=30555, stat=queued > > > > > > > > >Hope this is helpful. > > > > > >Best regards, > > >Remco > > > > > > > > >-- > > >This message has been scanned for viruses and > > >dangerous content by MailScanner, and is > > >believed to be clean. > > > > > > >-- >This message has been scanned for viruses and >dangerous content by MailScanner, and is >believed to be clean. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From tony.johansson at SVENSKAKYRKAN.SE Mon Feb 17 12:46:16 2003 
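Added example (not MailScanner code and not written by anyone in this thread): the trailing-dot mismatch reported above, reproduced with the three wildcard substitutions that appear as context in the Config.pm patch posted later in the thread, next to that patch's optional-dot pattern and an alternative that canonicalises the address first. The function names, the canonicalisation rule and the recipient variants are assumptions constructed for this illustration.

```perl
#!/usr/bin/perl
# Added illustration, not MailScanner's Config.pm.
use strict;
use warnings;

# Turn a wildcard address rule into an anchored regex with the three
# substitutions shown as context in the thread's patch. With $optional_dot
# set, append the patch's optional trailing "." before the end anchor.
sub rule_to_regex {
    my ($rule, $optional_dot) = @_;
    $rule =~ s/\@/\\\@/g;               # "@" becomes a literal "\@"
    $rule =~ s/\./\\./g;                # "." becomes a literal "\."
    $rule =~ s/\*/.*/g;                 # "*" matches any run of characters
    $rule .= '\.?' if $optional_dot;
    my $pattern = '^' . $rule . '$';
    return qr/$pattern/;
}

# Canonical form for comparison (an assumption of this example): remove one
# trailing "." from the domain and lowercase the domain part.
sub canonical_address {
    my ($addr) = @_;
    my ($local, $domain) = $addr =~ /^(.*)\@([^\@]*)$/
        or return $addr;                # no "@": leave the value untouched
    $domain =~ s/\.$//;                 # "ecem.com." -> "ecem.com"
    return $local . '@' . lc($domain);
}

# True if $addr matches any rule. Options (hypothetical names):
#   optional_dot => 1   build patterns the way the patch does
#   canonicalise => 1   normalise the address, keep the patterns strict
sub is_listed {
    my ($addr, $rules, %opt) = @_;
    $addr = canonical_address($addr) if $opt{canonicalise};
    for my $rule (@$rules) {
        my $re = rule_to_regex($rule, $opt{optional_dot});
        return 1 if $addr =~ $re;
    }
    return 0;
}

# Constructed sample data: the listed address is the one named in the
# thread, the recipient variants are made up for the comparison.
my @blacklist  = ('www@ecem.com');
my @recipients = (
    'www@ecem.com',       # plain form
    'www@ecem.com.',      # trailing dot, the form reported in the thread
    'www@ecem.com..',     # two dots: a different string, must stay unlisted
    'www@ecem.comx',      # different domain
    'e@ecem.com.',        # other recipient, not on the list
);

printf "%-16s %-10s %-12s %-12s\n",
    'recipient', 'original', 'optional dot', 'canonicalised';
for my $rcpt (@recipients) {
    printf "%-16s %-10s %-12s %-12s\n", $rcpt,
        (is_listed($rcpt, \@blacklist)                    ? 'listed' : '-'),
        (is_listed($rcpt, \@blacklist, optional_dot => 1) ? 'listed' : '-'),
        (is_listed($rcpt, \@blacklist, canonicalise => 1) ? 'listed' : '-');
}

# Self-check of the point being made: the strict pattern misses the dotted
# form, both remedies catch it, and neither accepts the two-dot string.
die "unexpected result\n"
    if  is_listed('www@ecem.com.',  \@blacklist)
    or !is_listed('www@ecem.com.',  \@blacklist, optional_dot => 1)
    or !is_listed('www@ecem.com.',  \@blacklist, canonicalise => 1)
    or  is_listed('www@ecem.com..', \@blacklist, optional_dot => 1)
    or  is_listed('www@ecem.com..', \@blacklist, canonicalise => 1);
```

Canonicalising the address once protects every comparison made against it, while the optional-dot suffix only helps patterns that were built with it.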
From: tony.johansson at SVENSKAKYRKAN.SE (Tony Johansson) Date: Thu Jan 12 21:17:12 2006 Subject: RAV License Message-ID: <3C4F5084EF16D4119CE700508B6B8B10058D0A65@nt.svenskakyrkan.se> I'm currently looking for a second virus scanner to our Mailscanner/F-Prot solution. I saw someone mentioning RAV as a cheap option, priced at $29/workstation Has anyone talked to a RAV sales representative and verified that only one license is needed to use RAV with MailScanner (and with it possibly protecting thousands of mail users) ? While F-Prot clearly states their license is per server, RAV's licensing policy is sketchy at best; QUOTE: Licensing Policy Purchasing the first license: RAV AntiVirus Desktop has a volume sensitive licensing scheme, therefore the more you buy, the less you pay for a license. Thus, you can purchase the exact number of licenses that suites you better, and in time, purchase additional licenses as you need. What does the license include: The license includes 1 year Virus updates, Technical support. After this first year, you may purchase an Update Extension, which will extend the right to update and benefit from technical support for another year. Purchasing additional licenses: You can purchase additional licenses in any number, for the same standard price. The price volume sensitivity is available only per order! :END QUOTE regards, Tony From mailscanner at ecs.soton.ac.uk Mon Feb 17 13:42:51 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:12 2006 Subject: Bug in black/whitelist spam rules In-Reply-To: <5.2.0.9.2.20030217123244.0255eff8@imap.ecs.soton.ac.uk> References: <5.2.0.9.2.20030217110837.025ca6b8@imap.ecs.soton.ac.uk> Message-ID: <5.2.0.9.2.20030217134152.029dfc00@imap.ecs.soton.ac.uk> Here is a patch to Config.pm to solve this problem. It will be included in the next release. Let me know if you have any problems with it. --- /usr/lib/MailScanner/MailScanner/Config.pm Sun Feb 2 11:14:04 2003 +++ Config.pm Mon Feb 17 13:46:05 2003 
@@ -1059,6 +1059,8 @@ $rule =~ s/\@/\\@/g; $rule =~ s/\./\\./g; $rule =~ s/\*/.*/g; + # and tack on the optional "." at the end + $rule .= '\.?'; # and tack on the start+end anchors $rule = '^' . $rule . '$'; ('t',$rule); At 12:33 17/02/2003, you wrote: >At 12:16 17/02/2003, you wrote: >>Indeed but the mail to www@ecem.com. is not being recognized or treated >>as blacklisted by MailScanner because the address www@ecem.com is in my >>blacklist without a dot at the end. > >Ah! Now I see the point. Sorry, I missed the "." the first time around. >Will fix this for the next release. > > > >>On Mon, 17 Feb 2003, Julian Field wrote: >> >> > That doesn't seem to show anything wrong. You received 1 message to >> > e@ecem.com and another to www@ecem.com. >> > >> > At 10:05 17/02/2003, you wrote: >> > >Hi Julian, >> > > >> > >Sorry i'm writing to you offlist but some spammers seem to have found a >> > >way to circumvent the black/whitelisting feature and I'm sending the >> > >output of maillog which I did not want to send on list. >> > > >> > >I have To: www@ecem.com blacklisted and deleted. Still was mail getting >> > >through. >> > > >> > >It seems that adding a dot after our domain name still generates a valid >> > >mail envelope/message but bypasses the balck/whitelisting feature. 
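Review bot: in the Config.pm hunk above, the added "$rule .= '\.?';" loosens the pattern instead of normalising the address, so only rules that pass through this wildcard-to-regex conversion gain the trailing-dot tolerance; a comparison made elsewhere, or a rule supplied as a literal /regex/ if it skips these substitutions, would still miss "www@ecem.com.". Consider stripping a single trailing "." from the address's domain once, before any rule is tried, and keeping the patterns strict. As written, the suffix is also appended to rules ending in "*" (giving ".*\.?", harmless but redundant) and to any non-address pattern handled by the same branch, which the visible context does not rule out. The new comment would be more useful if it said why the dot is optional (the same domain written with a trailing dot).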
> >-- >Julian Field >www.MailScanner.info >MailScanner thanks transtec Computers for their support -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From tyler at beloit.edu Mon Feb 17 15:33:31 2003 From: tyler at beloit.edu (Tim Tyler) Date: Thu Jan 12 21:17:12 2006 Subject: False Positive ? In-Reply-To: <059201c2d482$7ece9520$9801a8c0@home.middlefinger.net> from "Mike Kercher" at Feb 14, 2003 05:40:44 PM Message-ID: <200302171533.h1HFXVS31766@beloit.edu> Mike, Thanks! Yes, I didn't think about it, but every time she sends a message, a blind one might be getting sent through the hidden virus smtp. I will take that possibility up with her. -thanks again! Tim > >>The virus detector said this about the message: >>Report: >>> Virus 'W32/Sircam-A' found in file ./h1CLQDb23038/signature >>file.doc > >This is what makes me think that Sircam itself is sending the message and >not her MUA...signature file.doc > >-----Original Message-----
>From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf >Of Tim Tyler >Sent: Friday, February 14, 2003 4:55 PM >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Re: False Positive ? > > >Mike, Others, > Yes, but two things make me think otherwise. 1. She does send to us >manually and it triggers that response back to her. 2. I had her send to >us at another smtp server where we don't have mailscanner. Naturally, she >doesn't get a mailscanner response, but I also can't find any virus within >it. It looks clean to me. Her content is below for examination. I >suspect that something is triggering a warning response. It's also >peculiar, because we configured mailscanner to drop any messages with >viruses and only notify the sender. Her messages always get through. She >just gets a warning response as described below. Do warnings get treated >differently? There really isn't that much to her message. No attachments >that I can see. > Tim > >At 04:35 PM 2/14/2003 -0600, you wrote: >>I'd read up on Sircam: >> >>http://www.sophos.com/virusinfo/analyses/w32sircama.html >> >>Since Sircam has its own SMTP engine, she doesn't even have to be sending >>out the email manually. Sircam, also being network aware, I'd have her >>people check their whole network. The attachment that Sophos is catching >is >>coming from somewhere. >> >>Mike >> >> >>-----Original Message-----
>>From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On >Behalf >>Of Tim Tyler >>Sent: Friday, February 14, 2003 4:23 PM >>To: MAILSCANNER@JISCMAIL.AC.UK >>Subject: False Positive ? >> >> >>Mailscanner experts, >> We are running mailscanner 2.6 on an aix 4.3 system along with Sophos >>engine. It has been running fine for more than a year without any real >>issues. I just received a complaint from an outside site where the sender >>claims that they send very simple messages (no attachments and signature >>turned off). However, she always gets back the following response. >>------------------ >> MailScanner wrote:Date: Wed, 12 Feb 2003 15:26:34 -0600
>>From: "MailScanner" >>To: >>Subject: Warning: E-mail viruses detected >>Our virus detector has just been triggered by a message you sent:- >>To: >>Subject: signature file >>Date: Wed Feb 12 15:26:34 2003 >>Any infected parts of the message have not been delivered. >>This message is simply to warn you that your computer system may have a >>virus present and should be checked. >>The virus detector said this about the message: >>Report: >>> Virus 'W32/Sircam-A' found in file ./h1CLQDb23038/signature >>file.doc >>.com >>-- >>MailScanner >>Email Virus Scanner >>------------------------------------------------- end of message. >> >> Currently we have mailscanner configured to simply delete any message >that >>is determined to have a virus and simply send notification back to the >>sender. So she always gets the above message. They can't find any viruses >>on her computer. I had her send me a message to a smtp server without any >>mailscanner intercept so that I would get the entire message without any >>filtering: Below is the raw message with her name replaced by xxxxx: >> >From xxxxx@mail.uca.edu Thu Feb 13 10:43:13 2003 >>Received: from list.uca.edu (list.uca.edu [161.31.208.98]) >> by >>www.beloit.edu >>(8.11.6/8.11.6) with ESMTP id h1DGhCf22588 >> for ; Thu, 13 Feb 2003 10:43:12 -0600 >>Received: from localhost (list.uca.edu [127.0.0.1]) >> by list.uca.edu (Postfix) with ESMTP id F2AB049F5 >> for ; Thu, 13 Feb 2003 10:45:45 -0600 (CST) >>Received: from mail.uca.edu (mail.uca.edu [161.31.208.25]) >> by list.uca.edu (Postfix) with ESMTP id 415194822 >> for ; Thu, 13 Feb 2003 10:45:45 -0600 (CST) >>Received: from MAIL/SpoolDir by mail.uca.edu (Mercury 1.48); >> 13 Feb 03 10:43:18 -0600 >>Received: from SpoolDir by MAIL (Mercury 1.48); 13 Feb 03 10:42:51 -0600 >>Received: from a5o3j9 (161.31.120.111) by mail.uca.edu (Mercury 1.48); >> 13 Feb 03 10:42:49 -0600 >>Message-ID: <004d01c2d37e$f14a17a0$6f781fa1@uca.edu> 
>>From: "xxxx xxx" >>To: >>Subject: hello >>Date: Thu, 13 Feb 2003 10:42:48 -0600 >>MIME-Version: 1.0 >>Content-Type: multipart/alternative; >> boundary="----=_NextPart_000_004A_01C2D34C.A69EDEC0" >>X-Priority: 3 >>X-MSMail-Priority: Normal >>X-Mailer: Microsoft Outlook Express 6.00.2600.0000 >>X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000 >>X-Virus-Scanned: by AMaViS new-20020517 >>Status: OR >>This is a multi-part message in MIME format. >>------=_NextPart_000_004A_01C2D34C.A69EDEC0 >>Content-Type: text/plain; >> charset="iso-8859-1" >>Content-Transfer-Encoding: quoted-printable >>hi tim,=20 >>here's the message, the funny thing is, all the people I normally email = >>everyday aren't having any problems.. just people i've never heard of!! = >>alli=20 >>------=_NextPart_000_004A_01C2D34C.A69EDEC0 >>Content-Type: text/html; >> charset="iso-8859-1" >> ------=_NextPart_000_004A_01C2D34C.A69EDEC0 >>Content-Type: text/html; >> charset="iso-8859-1" >>Content-Transfer-Encoding: quoted-printable >> >>hi tim, >>here's the message, the funny thing is, = all the=20 people I normally >>email everyday aren't having any problems.. just = people i've=20 never >>heard of!! >>alli >>------=_NextPart_000_004A_01C2D34C.A69EDEC0-- >>---------------------------------------------- >>Is there any reason why the above email message would results in triggering >>the former mailscanner response? >>Tim Tyler >>Network Engineer - Beloit College >>tyler@beloit.edu > >Tim Tyler >Network Engineer - Beloit College >tyler@beloit.edu > -- Tim Tyler Network Manager - Beloit College tyler@beloit.edu From ragan_davis at COLSTATE.EDU Mon Feb 17 15:40:50 2003 From: ragan_davis at COLSTATE.EDU (Mack Ragan) Date: Thu Jan 12 21:17:13 2006 Subject: question for sendmail experts Message-ID: Thanks, Brad. Your suggestion is exactly the solution I needed. Works like a charm. From applein at IG.COM.BR Mon Feb 17 17:48:54 2003 
From: applein at IG.COM.BR (applein) Date: Thu Jan 12 21:17:13 2006 Subject: multiples queueu Message-ID: <009f01c2d6ac$d8dd5ca0$0d4bd3c8@A3C4J5> Does MailScanner support multiple queues of sendmail (/var/spool/mqueue/q*)? From mailscanner at ecs.soton.ac.uk Mon Feb 17 17:57:17 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:13 2006 Subject: multiples queueu In-Reply-To: <009f01c2d6ac$d8dd5ca0$0d4bd3c8@A3C4J5> Message-ID: <5.2.0.9.2.20030217175533.02669a08@imap.ecs.soton.ac.uk> At 17:48 17/02/2003, you wrote: >Does MailScanner support multiple queues of sendmail (/var/spool/mqueue/q*)? Not directly, no. Not the type you are thinking of. It can take mail in from multiple directories (useful for Ensim systems with virtual sites on them) and can put mail into different outgoing queues based upon where it came from (or is going to). So you can have, for example, 1 queue for internal mail and another queue for outbound mail. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From henker at SHCOM.US Mon Feb 17 18:15:07 2003
From: henker at SHCOM.US (Steffan Henke) Date: Thu Jan 12 21:17:13 2006 Subject: RAV License In-Reply-To: <3C4F5084EF16D4119CE700508B6B8B10058D0A65@nt.svenskakyrkan.se> References: <3C4F5084EF16D4119CE700508B6B8B10058D0A65@nt.svenskakyrkan.se> Message-ID: On Mon, 17 Feb 2003, Tony Johansson wrote: > Has anyone talked to a RAV sales representative and verified that only one > license is needed to use RAV with MailScanner (and with it possibly > protecting thousands of mail users) ? Hi, hmm, I have asked that a while before, looks like nobody has investigated further... I think I'll just give it a try once my trial license runs out (2 weeks) and purchase a license. Until I hear anything else, I think it's ok to install it on a server. If it's not, I still can use it on my desktop :) Regards, Steffan From ragan_davis at COLSTATE.EDU Mon Feb 17 18:22:37 2003 From: ragan_davis at COLSTATE.EDU (Mack Ragan) Date: Thu Jan 12 21:17:13 2006 Subject: MailScanner & SpamAssassin Message-ID: Hi! If I understand things correctly, MailScanner will by default add the SpamAssassin report into the body of the email message if it's tagged as spam. Correct? Well, I haven't seen this happen yet. As far as I know, I haven't changed anything from the defaults that would affect this. I do see some header modifications related to SpamAssassin that MailScanner adds. But, no report (in the body or header). Can anyone shed some light? (Maybe I'm doing something wrong). Thanks! Mack From baldguy33165 at YAHOO.COM Mon Feb 17 18:32:57 2003 
From: baldguy33165 at YAHOO.COM (Juan Quesada) Date: Thu Jan 12 21:17:13 2006 Subject: spam.whitelist.rules help Message-ID: <20030217183257.72521.qmail@web20807.mail.yahoo.com> I want to allow all mail to one user to flow unscanned. is there a way of doing this with a ruleset? From Kevin.Spicer at BMRB.CO.UK Mon Feb 17 18:31:03 2003
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin) Date: Thu Jan 12 21:17:13 2006 Subject: MailScanner & SpamAssassin Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0EBF3CB@pascal.priv.bmrb.co.uk> > If I understand things correctly, MailScanner will by default add the > SpamAssassin report into the body of the email message if > it's tagged as > spam. Correct? Well, I haven't seen this happen yet. As > far as I know, I > haven't changed anything from the defaults that would affect > this. I do > see some header modifications related to SpamAssassin that MailScanner > adds. But, no report (in the body or header). Can anyone > shed some light? > (Maybe I'm doing something wrong). MailScanner doesn't include the report in the body of the mail - the report mentioned in MailScanner.conf is just the one in the headers. I can't remember where but I'm sure I've seen an explanation by Julian of why this isn't easily achievable. BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 From Peter.Bates at LSHTM.AC.UK Mon Feb 17 18:39:41 2003
From: Peter.Bates at LSHTM.AC.UK (Peter Bates) Date: Thu Jan 12 21:17:13 2006 Subject: Spambayes? Message-ID: Hello all... > S Mohan 17/02/03 00:27:43 >>> >Another second. I used amavis. Had to change sendmail.cf. Getting it to >scan outgoing mails involved a convoluted method of changing ports ... >MailScanner is miles ahead and has so much flexibility built in that it >is unbelievable. Playing devil's advocate, and also as a current user of both amavis(d-new) and MailScanner, I quite like both in different ways... I'm also probably a bit historically biased because Amavis was the first system I got working and also contributed a tiny bit of code to, but mainly I'm still using it because the Postfix support is very good. MTA holy wars belong somewhere else, but I never really liked Sendmail, and now I've travelled down a road of learning Postfix (and didn't plump for Exim either), I have to presently have Postfix on one box doing regexp checks on headers and body content, RBL checks and sender address verification, and then to eventually have this pass over to MailScanner with Sendmail. It took me about half an hour or so to get MS working, so I have to hand it to Julian that it's one clever piece of software... it's just a shame, perhaps that the MTA holy wars ever existed and there wasn't one unified 'content filter' method that could be used regardless of whether you were a Sendmail/Postfix/Exim/Qmail fan, and then MS could be truly 'agnostic' in that regard. ... ---------------------------------------------------------------------------------------------------> Peter Bates, Systems Support Officer, Network Support Team. London School of Hygiene & Tropical Medicine. Telephone:0207-958 8353 / Fax: 0207- 636 9838 From mike at TECHINTER.COM Mon Feb 17 18:48:59 2003 
From: mike at TECHINTER.COM (Mike Williams) Date: Thu Jan 12 21:17:13 2006 Subject: Blocking empty To with rules In-Reply-To: <5.2.0.9.2.20030214223629.028a2e68@imap.ecs.soton.ac.uk> Message-ID: I found out that an empty To: field is filled with MAILER-DAEMON by sendmail. This is used for purposes such as when an email message bounces. This is exactly what was happening. Some spammer decided to use a return address of one of our domains and is sending spam to a dictionary of AOL users. For the return address they chose about 7 names such as mail, offer, newest, special, host, webhost and tryit. Then they appended a random number of 5-8 digits to the end of the username. So what we ended up with was mail324365@domain.com as the return address. We use a mail gateway that accepts all mail, scans it and then delivers it to the real mail server. Tried to block it using Local_Ruleset in Sendmail but no luck. Finally I had to add mail*@domain.com etc... to the blacklist and then to the Virus Scanning and Spam Checks lists. Then in the spam actions I listed each one with a bounce delete action. It is now bouncing all the mail back to AOL so maybe they will shut this spammer down who is abusing their system but I am not holding my breath... Mike -----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Julian Field
Sent: Friday, February 14, 2003 4:38 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Blocking empty To with rules

At 16:06 14/02/2003, you wrote:
>Is it possible to block a spam message where the To is empty? We are
>getting a ton of spam from AOL and in the sendmail logfile the To is blank.
>I wouldn't mind shutting AOL down from having access to our server but I'm
>sure our customers would complain :)

In a ruleset you can specify arbitrary regular expressions, which is perfect for this. You could write a ruleset for the "Is Definitely Spam" parameter that contains the line

    To: /^$/ yes

which would say that all mail with no To address is spam.
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Mon Feb 17 18:55:53 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:13 2006
Subject: MailScanner & SpamAssassin
In-Reply-To:
Message-ID: <5.2.0.9.2.20030217185434.039ed978@imap.ecs.soton.ac.uk>

At 18:22 17/02/2003, you wrote:
>Hi!
>
>If I understand things correctly, MailScanner will by default add the
>SpamAssassin report into the body of the email message if it's tagged as
>spam. Correct? Well, I haven't seen this happen yet. As far as I know, I
>haven't changed anything from the defaults that would affect this. I do
>see some header modifications related to SpamAssassin that MailScanner
>adds. But, no report (in the body or header). Can anyone shed some light?
>(Maybe I'm doing something wrong).

MailScanner will only (by default) add the SpamAssassin report in the X-MailScanner-SpamCheck header if SpamAssassin actually thought it was spam. If you always want it, you need to set

    Always Include SpamAssassin Report = yes
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Mon Feb 17 18:58:02 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:13 2006
Subject: spam.whitelist.rules help
In-Reply-To: <20030217183257.72521.qmail@web20807.mail.yahoo.com>
Message-ID: <5.2.0.9.2.20030217185606.03a73870@imap.ecs.soton.ac.uk>

At 18:32 17/02/2003, you wrote:
>I want to allow all mail to one user to flow
>unscanned.
>is there a way of doing this with a ruleset?

Not scanned for viruses, not scanned for spam?
Assuming you are just talking about spam, then set

    Is Definitely Not Spam = /opt/MailScanner/etc/rules/spam.whitelist.rules

and then in that file put this:

    FromOrTo: user1@domain1.com yes
    FromOrTo: default no

>__________________________________________________
>Do you Yahoo!?
>Yahoo! Shopping - Send Flowers for Valentine's Day
>http://shopping.yahoo.com
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From kovalcik at ORION-DESIGN.COM Mon Feb 17 19:29:14 2003
From: kovalcik at ORION-DESIGN.COM (Tom Kovalcik)
Date: Thu Jan 12 21:17:13 2006
Subject: Handling HTML
In-Reply-To: <5.2.0.9.2.20030217185434.039ed978@imap.ecs.soton.ac.uk>
References:
Message-ID: <5.2.0.9.0.20030217142134.040a9d88@oriongw>

When receiving HTML mail, is it possible to attach the unaltered HTML message as an HTML file attachment and deliver it? The body of the original message could be blank or text stripped of HTML commands. I am looking for a good way to handle the porn messages while still allowing newsletters and (requested) ads which are in HTML.

My server setup is MailScanner 4.11, Spam Assassin 2.43, and Razor 2.22. Redhat 7.3. Clients are all running Outlook on Windows.

Thanks

From mailscanner at ecs.soton.ac.uk Mon Feb 17 19:46:07 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:13 2006 Subject: Handling HTML In-Reply-To: <5.2.0.9.0.20030217142134.040a9d88@oriongw> References: <5.2.0.9.2.20030217185434.039ed978@imap.ecs.soton.ac.uk> Message-ID: <5.2.0.9.2.20030217194522.01e116a8@imap.ecs.soton.ac.uk> At 19:29 17/02/2003, you wrote: >When receiving HTML mail, is it possible to attach the unaltered HTML >message as an HTML file attachment and deliver it? The body of the original >message could be blank or text stripped of HTML commands. I am looking for >a good way to handle the porn messages while still allowing newsletters and >(requested) ads which are in HTML. Not currently, no. You can strip HTML down to plain text, which would pretty much achieve what you are trying to do. >My server setup is MailScanner 4.11, Spam Assassin 2.43, and Razor 2.22. >Redhat 7.3. Clients are all running Outlook on Windows. > >Thanks -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From mailscanner at BARENDSE.TO Mon Feb 17 20:11:05 2003 
From: mailscanner at BARENDSE.TO (Remco Barendse) Date: Thu Jan 12 21:17:13 2006 Subject: Automating MailScanner.conf upgrades In-Reply-To: <5.2.0.9.2.20030215132222.024fa228@imap.ecs.soton.ac.uk> Message-ID: Thanks for this excellent script Julian! This will save me tons of time when doing upgrades on several servers. Will the script be supplied with every version of MailScanner? Would it be possible to have the script even detect a 4.x version of MailScanner and have rpm run the script on the default installation paths? That would make the upgrading process automagically :) I tried it on my MS systems and it works like a charm! On Sat, 15 Feb 2003, Julian Field wrote: > Morning all, > > The biggest pain in doing an upgrade of MailScanner is working out what has > changed between your current MailScanner.conf and the new one. > > So I have written a tool to help you do this. It will > - copy over all your old settings into the new file > - copy over all the comments you have added to settings > - add the default settings for all new settings > - delete obsolete settings > - print a summary of what it has done, > including the settings that were added/removed > > It is attached to this message. To find out how to use it, just run it and > it will tell you. > > The only time it will run into trouble is when the supplied value for a > setting is commented out, and you have uncommented it. It can't tell the > difference between lines like that and normal comments. So Exim users beware! > > It can't be perfect, but you should find it helps. > -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From baldguy33165 at YAHOO.COM Mon Feb 17 20:16:05 2003
From: baldguy33165 at YAHOO.COM (Juan Quesada) Date: Thu Jan 12 21:17:13 2006 Subject: filtering foul language Message-ID: <20030217201605.96999.qmail@web20807.mail.yahoo.com> I want to filter out foul language immediately, How do I accomplish this? I would have looked in the archives, but the proxy here filters out message boards. __________________________________________________ Do you Yahoo!? Yahoo! Shopping - Send Flowers for Valentine's Day http://shopping.yahoo.com From mailscanner at ecs.soton.ac.uk Mon Feb 17 21:00:32 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:13 2006 Subject: filtering foul language In-Reply-To: <20030217201605.96999.qmail@web20807.mail.yahoo.com> Message-ID: <5.2.0.9.2.20030217205920.01e36b08@imap.ecs.soton.ac.uk> At 20:16 17/02/2003, you wrote: >I want to filter out foul language immediately, How do >I accomplish this? I would have looked in the >archives, but the proxy here filters out message >boards. Your best bet for general content filtering is to create some SpamAssassin rules. Check man Mail::SpamAssassin::Conf for more information. You could give "foul language detector" rules very high scores, and delete all high-scoring spam. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Mon Feb 17 20:59:14 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:13 2006 Subject: Automating MailScanner.conf upgrades In-Reply-To: References: <5.2.0.9.2.20030215132222.024fa228@imap.ecs.soton.ac.uk> Message-ID: <5.2.0.9.2.20030217205630.0208f300@imap.ecs.soton.ac.uk> At 20:11 17/02/2003, you wrote: >Thanks for this excellent script Julian! > >This will save me tons of time when doing upgrades on several >servers. I got fed up of doing it the hard way too. After sitting down explaining the problem (to my long-suffering lodger!) I realised that it wasn't that hard to do. >Will the script be supplies with every version of MailScanner? Would it be >possible to have the script even detect a 4.x version of MailScanner and >have rpm run the script on the default installation paths? I didn't really intend it to go and fetch the new rpm for you. But it should work with just about any version of MailScanner as it doesn't use anything outside the 2 conf files supplied on the command line. It will even do *some* of the work upgrading V3 to V4. >I tried it on my MS systems and it works like a charm! Cool :-) >On Sat, 15 Feb 2003, Julian Field wrote: > > > Morning all, > > > > The biggest pain in doing an upgrade of MailScanner is working out what has > > changed between your current MailScanner.conf and the new one. > > > > So I have written a tool to help you do this. It will > > - copy over all your old settings into the new file > > - copy over all the comments you have added to settings > > - add the default settings for all new settings > > - delete obsolete settings > > - print a summary of what it has done, > > including the settings that were added/removed > > > > It is attached to this message. To find out how to use it, just run it and > > it will tell you. > > > > The only time it will run into trouble is when the supplied value for a > > setting is commented out, and you have uncommented it. 
It can't tell the > > difference between lines like that and normal comments. So Exim users > beware! > > > > It can't be perfect, but you should find it helps. > > > > >-- >This message has been scanned for viruses and >dangerous content by MailScanner, and is >believed to be clean. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From joe at QITC.CO.UK Mon Feb 17 21:06:27 2003 From: joe at QITC.CO.UK (Joe Quinn) Date: Thu Jan 12 21:17:13 2006 Subject: filtering foul language References: <5.2.0.9.2.20030217205920.01e36b08@imap.ecs.soton.ac.uk> Message-ID: <12f001c2d6c8$6fb2d770$18720550@T20> > delete all high-scoring spam Where do we do this please? Joe www.qitc.net Tel: (UK) +44 776 737 1234 From mbowman at UDCOM.COM Mon Feb 17 21:10:48 2003 From: mbowman at UDCOM.COM (Matthew Bowman) Date: Thu Jan 12 21:17:13 2006 Subject: Filtering username@ Message-ID: Hello We have majordomo lists running on our servers. It appears that majordomo@domain.tld gets spam. How do I setup a message rule so that anything tagged as spam for majordom@domain.tld is deleted? i.e. spam.actions.conf To: majordomo@* delete ^^^ will the above work? Thanks Matthew K Bowman Systems Administrator; Hostmaster; Miva Administrator Universal Digital Communications, Mansfield Ohio. From mike at CAMAROSS.NET Mon Feb 17 21:14:52 2003 From: mike at CAMAROSS.NET (Mike Kercher) Date: Thu Jan 12 21:17:13 2006 Subject: filtering foul language In-Reply-To: <12f001c2d6c8$6fb2d770$18720550@T20> Message-ID: <075e01c2d6c9$9db91c00$9801a8c0@home.middlefinger.net> -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Joe Quinn Sent: Monday, February 17, 2003 3:06 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: filtering foul language > delete all high-scoring spam Where do we do this please? Joe www.qitc.net Tel: (UK) +44 776 737 1234 From mike at CAMAROSS.NET Mon Feb 17 21:14:42 2003 
From: mike at CAMAROSS.NET (Mike Kercher) Date: Thu Jan 12 21:17:13 2006 Subject: filtering foul language In-Reply-To: <12f001c2d6c8$6fb2d770$18720550@T20> Message-ID: <075d01c2d6c9$97cf21e0$9801a8c0@home.middlefinger.net> MailScanner.conf...the High Scoring Spam Action = delete -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Joe Quinn Sent: Monday, February 17, 2003 3:06 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: filtering foul language > delete all high-scoring spam Where do we do this please? Joe www.qitc.net Tel: (UK) +44 776 737 1234 From mailscanner at ecs.soton.ac.uk Mon Feb 17 22:01:17 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:13 2006 Subject: Filtering username@ In-Reply-To: Message-ID: <5.2.0.9.2.20030217220055.01d75ae8@imap.ecs.soton.ac.uk> What version are you running? spam.actions.conf does not exist in the current version. At 21:10 17/02/2003, you wrote: >Hello > >We have majordomo lists running on our servers. It appears that >majordomo@domain.tld gets spam. How do I setup a message rule so that >anything tagged as spam for majordom@domain.tld is deleted? > >i.e. spam.actions.conf > >To: majordomo@* delete > >^^^ will the above work? > >Thanks > >Matthew K Bowman >Systems Administrator; Hostmaster; Miva Administrator >Universal Digital Communications, Mansfield Ohio. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From ragan_davis at COLSTATE.EDU Mon Feb 17 22:04:53 2003 
From: ragan_davis at COLSTATE.EDU (Mack Ragan) Date: Thu Jan 12 21:17:13 2006 Subject: MailScanner & SpamAssassin Message-ID: I think I understand it now. Tell me if this is correct: MailScanner will never put the SpamAssassin report in the body of a message, whether it's spam or not. MailScanner will always put the report in the header if it is spam, and you have the option to put the report in the header even if it isn't spam (all messages). However, I may be confused on the terminology. The only thing I see in the header is something like this: X-MailScanner-SpamCheck: spam, SpamAssassin (score=12.3, required 9, CALL_FREE, DRASTIC_REDUCED, FROM_AND_TO_SAME_5, HOME_EMPLOYMENT, LINES_OF_YELLING, MAILTO_LINK, ONCE_IN_LIFETIME, OUTLOOK_FW_MSG, RAZOR2_CHECK, REMOVE_SUBJ, SPAM_PHRASE_13_21, USER_AGENT_OE) But, I thought that the SpamAssassin report was supposed to look something like this (I left out some of it to conserve space): SPAM: -------------------- Start SpamAssassin results ---------------------- SPAM: This mail is probably spam. The original message has been altered SPAM: so you can recognise or block similar unwanted mail in future. SPAM: See http://spamassassin.org/tag/ for more details. SPAM: SPAM: Content analysis details: (18.80 hits, 5 required) SPAM: INVALID_DATE (1.5 points) Invalid Date: header (not RFC 2822) SPAM: UNDISC_RECIPS (1.5 points) Valid-looking To "undisclosed- recipients" SPAM: NO_REAL_NAME (1.3 points) From: does not include a real name SPAM: SMTPD_IN_RCVD (1.2 points) Received via SMTPD32 server (SMTPD32- n.n) SPAM: MSGID_HAS_NO_AT (0.3 points) Message-Id has no @ sign SPAM: FROM_HAS_MIXED_NUMS (0.3 points) 
From: contains numbers mixed in with letters (etc, etc, etc) SPAM: -------------------- End of SpamAssassin results --------------------- I can see this in the output file if I issue the command: spamassassin -t < sample-spam.txt > spam.out And, the file /usr/share/spamassassin/10_misc.cf contains something like this. So, when MailScanner says it's gonna put this in the body or header, why do I never see this? Have I misconfigured something, or am I just confused with the terminology used by SpamAssassin and MailScanner (report means one thing to SpamAssasin, but means something different to MailScanner). Thanks! Mack From mailscanner at ecs.soton.ac.uk Mon Feb 17 22:11:34 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:13 2006 Subject: MailScanner & SpamAssassin In-Reply-To: Message-ID: <5.2.0.9.2.20030217220748.03b49f20@imap.ecs.soton.ac.uk> At 22:04 17/02/2003, you wrote: >I think I understand it now. Tell me if this is correct: >MailScanner will never put the SpamAssassin report in the body of a >message, whether it's spam or not. MailScanner will always put the report >in the header if it is spam, and you have the option to put the report in >the header even if it isn't spam (all messages). Correct. >However, I may be confused on the terminology. The only thing I see in the >header is something like this: > >X-MailScanner-SpamCheck: spam, SpamAssassin (score=12.3, required 9, > CALL_FREE, DRASTIC_REDUCED, FROM_AND_TO_SAME_5, HOME_EMPLOYMENT, > LINES_OF_YELLING, MAILTO_LINK, ONCE_IN_LIFETIME, OUTLOOK_FW_MSG, > RAZOR2_CHECK, REMOVE_SUBJ, SPAM_PHRASE_13_21, USER_AGENT_OE) which is the standard MailScanner version of the SpamAssassin header. It is the list of rules that "hit" as given by SpamAssassin. >But, I thought that the SpamAssassin report was supposed to look something >like this (I left out some of it to conserve space): > >SPAM: -------------------- Start SpamAssassin results ---------------------- >SPAM: This mail is probably spam. The original message has been altered >SPAM: so you can recognise or block similar unwanted mail in future. >SPAM: See http://spamassassin.org/tag/ for more details. >SPAM: >SPAM: Content analysis details: (18.80 hits, 5 required) >SPAM: INVALID_DATE (1.5 points) Invalid Date: header (not RFC 2822) >SPAM: UNDISC_RECIPS (1.5 points) Valid-looking To "undisclosed- >recipients" >SPAM: NO_REAL_NAME (1.3 points) From: does not include a real name >SPAM: SMTPD_IN_RCVD (1.2 points) Received via SMTPD32 server (SMTPD32- >n.n) >SPAM: MSGID_HAS_NO_AT (0.3 points) Message-Id has no @ sign >SPAM: FROM_HAS_MIXED_NUMS (0.3 points) 
From: contains numbers mixed in >with letters >(etc, etc, etc) >SPAM: -------------------- End of SpamAssassin results --------------------- That is the really noisy verbose report that is useful for testing but not much else. MailScanner never produces this. After all, do your users really want this at the top of every message they receive? I doubt it. >I can see this in the output file if I issue the command: >spamassassin -t < sample-spam.txt > spam.out Agreed. >And, the file /usr/share/spamassassin/10_misc.cf contains something like >this. So, when MailScanner says it's gonna put this in the body or header, >why do I never see this? Because it uses the "brief and to the point" version of the report, rather than the (overly) verbose version. > Have I misconfigured something, or am I just >confused with the terminology used by SpamAssassin and MailScanner (report >means one thing to SpamAssasin, but means something different to >MailScanner). SpamAssassin can be configured to produce pretty much the same report as MailScanner produces. The "spamassassin -t" output is only intended for testing. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From jrudd at UCSC.EDU Mon Feb 17 22:15:44 2003 From: jrudd at UCSC.EDU (John Rudd) Date: Thu Jan 12 21:17:13 2006 Subject: MailScanner & SpamAssassin Message-ID: <200302172215.h1HMFiV05792@kzin.ucsc.edu> 
> From: Mack Ragan > > However, I may be confused on the terminology. The only thing I see in the > header is something like this: > > X-MailScanner-SpamCheck: spam, SpamAssassin (score=12.3, required 9, > CALL_FREE, DRASTIC_REDUCED, FROM_AND_TO_SAME_5, HOME_EMPLOYMENT, > LINES_OF_YELLING, MAILTO_LINK, ONCE_IN_LIFETIME, OUTLOOK_FW_MSG, > RAZOR2_CHECK, REMOVE_SUBJ, SPAM_PHRASE_13_21, USER_AGENT_OE) Right, that's the header report, which is similar to the spam assassin header "X-Spam-Status", where it lists an indication of "spam or not spam" by saying "Yes" or "No", it lists the number of hits, the required threshold, and then lists which tests were triggered. It's almost exactly the same. (except that mailscanner makes room for other tests in this report). > > But, I thought that the SpamAssassin report was supposed to look something > like this (I left out some of it to conserve space): > > SPAM: -------------------- Start SpamAssassin results ---------------------- [snip specific results report] > SPAM: -------------------- End of SpamAssassin results --------------------- > That's the spam assassin body report. Even spam assassin doesn't call this its header report. > And, the file /usr/share/spamassassin/10_misc.cf contains something like > this. So, when MailScanner says it's gonna put this in the body or header, > why do I never see this? Have I misconfigured something, or am I just > confused with the terminology used by SpamAssassin and MailScanner (report > means one thing to SpamAssasin, but means something different to > MailScanner). I think the way to look at it is this: Mailscanner reports what Spam Assassin had in its "X-Spam-Status" header, but not what Spam Assassin had in its full body report. AFAIK, there is no mailscanner option for showing/preserving the body report. 
Though, a helper-tool which would take a message or even just a cut-n-paste of the mailscanner header and make a spam assassin body report out of it would be cool (I don't have a need to see the full report in the actual message body, but I sometimes do want to see the gory details for a particular message). Of course, the easy way to do that would be to send the message through spam assassin by hand ... but just being able to see that report from pasting in the mailscanner header would be nice. Maybe I'll write something like that at some point.

From applein at IG.COM.BR Tue Feb 18 01:15:37 2003
From: applein at IG.COM.BR (applein)
Date: Thu Jan 12 21:17:13 2006
Subject: No subject
Message-ID: <002101c2d6eb$5ab587a0$0d4bd3c8@A3C4J5>

How I use multiples rbl's list with mailscanner?

From cameron at TERAGEN.COM.AU Tue Feb 18 03:20:56 2003
From: cameron at TERAGEN.COM.AU (Cameron Pitt-Downton)
Date: Thu Jan 12 21:17:13 2006
Subject: changing user and group
Message-ID: <06f301c2d6fc$c17b6f70$02ee22cb@rogue>

Hi,

I've been playing around with changing the user and group that mailscanner runs as, I've changed the permissions of the queues and the incoming and quarantine directories to match, but mailscanner is still unhappy. It starts up fine without any errors, but once it's spawned the 5 child processes it kills them all off and then just sits there spawning and killing off a child processes in an endless loop, nothing gets processed either.

So I was wondering what else I've missed.

Cameron

From mailscanner at ecs.soton.ac.uk Tue Feb 18 09:21:49 2003
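An added example, not code from the thread or from MailScanner: a Python parser for the X-MailScanner-SpamCheck header quoted in the "MailScanner & SpamAssassin" messages above, which lists the rules in the style of the verbose report. The `not spam` verdict string, the sample message and the optional `points` table are assumptions; the header itself carries no per-rule points.

```python
"""Parse a MailScanner SpamCheck header (added example, not MailScanner code)."""
import re
from dataclasses import dataclass, field
from email import message_from_string

HEADER = "X-MailScanner-SpamCheck"  # header name as quoted in the thread
# "spam, SpamAssassin (score=12.3, required 9, RULE_A, RULE_B)"
# "not spam" as the other verdict is an assumption; the thread shows only "spam".
_SHAPE = re.compile(
    r"^(?P<verdict>not spam|spam),\s*(?P<engine>[^(]+?)\s*\((?P<items>.*)\)$"
)
_RULE = re.compile(r"^[A-Z][A-Z0-9_]*$")


@dataclass
class SpamCheck:
    is_spam: bool
    engine: str
    score: float
    required: float
    rules: list = field(default_factory=list)


def parse_spamcheck(value):
    """Turn the header value into a SpamCheck; raise ValueError if malformed."""
    flat = " ".join(value.split())  # unfold continuation lines
    m = _SHAPE.match(flat)
    if not m:
        raise ValueError("not a SpamCheck header value: %r" % flat)
    score = required = None
    rules = []
    for item in (i.strip() for i in m["items"].split(",")):
        if not item:
            continue
        if item.startswith("score="):
            score = float(item[len("score="):])
        elif item.startswith("required "):
            required = float(item[len("required "):])
        elif _RULE.match(item):
            rules.append(item)
        else:
            raise ValueError("unexpected item in header: %r" % item)
    if score is None or required is None:
        raise ValueError("score or threshold missing")
    return SpamCheck(m["verdict"] == "spam", m["engine"], score, required, rules)


def spamcheck_from_message(raw):
    """Pull the header out of a raw RFC 822 message; None if it is absent."""
    value = message_from_string(raw)[HEADER]
    return None if value is None else parse_spamcheck(value)


def render_report(check, points=None):
    """List the rules one per line; points come from the caller, if known."""
    points = points or {}
    lines = ["SPAM: Content analysis details: (%.2f hits, %g required)"
             % (check.score, check.required)]
    for rule in check.rules:
        pts = points.get(rule)
        detail = "(%g points)" % pts if pts is not None else "(points not in header)"
        lines.append("SPAM: %-20s %s" % (rule, detail))
    return "\n".join(lines)


# Constructed sample message; the header value is the one quoted in the thread.
SAMPLE = (
    "From: sender@example.test\n"
    "Subject: constructed sample\n"
    "X-MailScanner-SpamCheck: spam, SpamAssassin (score=12.3, required 9,\n"
    "\tCALL_FREE, DRASTIC_REDUCED, FROM_AND_TO_SAME_5, HOME_EMPLOYMENT,\n"
    "\tLINES_OF_YELLING, MAILTO_LINK, ONCE_IN_LIFETIME, OUTLOOK_FW_MSG,\n"
    "\tRAZOR2_CHECK, REMOVE_SUBJ, SPAM_PHRASE_13_21, USER_AGENT_OE)\n"
    "\n"
    "body\n"
)

if __name__ == "__main__":
    print(render_report(spamcheck_from_message(SAMPLE)))
```
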
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:13 2006
Subject: No subject
In-Reply-To: <002101c2d6eb$5ab587a0$0d4bd3c8@A3C4J5>
Message-ID: <5.2.0.9.2.20030218092052.02f52c80@imap.ecs.soton.ac.uk>

At 01:15 18/02/2003, you wrote:
>How I use multiples rbl's list with mailscanner?

As shown in the default supplied MailScanner.conf file (have you looked at it before posting here?), you can just specify

Spam Lists = ORDB-RBL infinite-monkeys

i.e. a space-separated list of RBL's to use.
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Tue Feb 18 09:22:27 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:13 2006
Subject: changing user and group
In-Reply-To: <06f301c2d6fc$c17b6f70$02ee22cb@rogue>
Message-ID: <5.2.0.9.2.20030218092206.02f0b908@imap.ecs.soton.ac.uk>

At 03:20 18/02/2003, you wrote:
>Hi,
>
>I've been playing around with changing the user and group that mailscanner
>runs as, I've changed the permissions of the queues and the incoming and
>quarantine directories to match, but mailscanner is still unhappy. It starts
>up fine without any errors, but once it's spawned the 5 child processes it
>kills them all off and then just sits there spawning and killing off a child
>processes in an endless loop, nothing gets processed either.
>
>So I was wondering what else I've missed.
>
>
>Cameron

Does the user you are running as have a real home directory that it can read from and write to?
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From linux at mostert.nom.za Tue Feb 18 09:15:13 2003
From: linux at mostert.nom.za (Mozzi)
Date: Thu Jan 12 21:17:13 2006
Subject: changing user and group
In-Reply-To: <06f301c2d6fc$c17b6f70$02ee22cb@rogue>
References: <06f301c2d6fc$c17b6f70$02ee22cb@rogue>
Message-ID: <200302181115.13438.linux@mostert.nom.za>

I have the same problem here either that or it seems to be running but doesn't pick up any messages from the mque.in. Here if I relay through the box it sends the message out but doesn't scan it, I know this as I can't see the footer it usually puts on.

Let us know what os and version you are using

Mine is
Redhat 7.3 all patches applied(up2date)
Self compiled perl 5.8.0
MailScanner Version 4.12-2 installed from tarball

Something I also picked up in the mailing list was someone had a problem that was running the Mylex AcceleRAID 170, I also have that same card here running raid 5. There was someone on the list earlier that had the same problem on a sun box if I remember correctly, did you fix it? How? anybody else know of something?

Mozzi

On Tuesday 18 February 2003 05:20, you wrote:
> Hi,
>
> I've been playing around with changing the user and group that mailscanner
> runs as, I've changed the permissions of the queues and the incoming and
> quarantine directories to match, but mailscanner is still unhappy. It
> starts up fine without any errors, but once it's spawned the 5 child
> processes it kills them all off and then just sits there spawning and
> killing off a child processes in an endless loop, nothing gets processed
> either.
>
> So I was wondering what else I've missed.
>
>
> Cameron

From linux at mostert.nom.za Tue Feb 18 10:44:20 2003
From: linux at mostert.nom.za (Mozzi)
Date: Thu Jan 12 21:17:13 2006
Subject: Sendmail on Suse 8.1
Message-ID: <200302181244.20251.linux@mostert.nom.za>

Hallo all

You will notice I am trying mailscanner on Suse 8.1 now as I am starting to suspect that Red Hat and something here doesn't like each other. Let's see

When trying to start the sendmail incoming process I get the following error

Warning: Cannot use HostStatusDirectory = .hoststat: No such file or directory

The command I use is

sendmail -bd -OPrivacyOptions=noetrn -ODeliveryMode=queueonly -OQueueDirectory=/var/spool/mqueue.in

Exactly as in the documentation

Mozzi

From applein at IG.COM.BR Tue Feb 18 11:17:08 2003
From: applein at IG.COM.BR (applein)
Date: Thu Jan 12 21:17:13 2006
Subject: many process check_mailscanner
Message-ID: <000f01c2d73f$48b18460$0d4bd3c8@A3C4J5>

Today tomorrom existing many process from crontab check_mailscanner overload my sendmail server why?

From mailscanner at ecs.soton.ac.uk Tue Feb 18 11:36:10 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:13 2006 Subject: Sendmail on Suse 8.1 In-Reply-To: <200302181244.20251.linux@mostert.nom.za> Message-ID: <5.2.0.9.2.20030218113351.02eb6a98@imap.ecs.soton.ac.uk> Do you have spaces around it? Do the directories /var/spool/mqueue.in/.hoststat and /var/spool/mqueue/.hoststat exist? At 10:44 18/02/2003, you wrote: >Hallo all > >You will notice I am trying mailscanner on Suse 8.1 now as I am starting to >suspect that Red Hat and something here doesn't like each other. >Let's see > >When trying to start the sendmail incoming process I get the following error >Warning: Cannot use HostStatusDirectory = .hoststat: No such file or directory > >Tghe command I use is >sendmail -bd -OPrivacyOptions=noetrn -ODeliveryMode=queueonly >-OQueueDirectory=/var/spool/mqueue.in > >Exactly as in the documentation > >Mozzi -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Tue Feb 18 11:37:47 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:13 2006
Subject: many process check_mailscanner
In-Reply-To: <000f01c2d73f$48b18460$0d4bd3c8@A3C4J5>
Message-ID: <5.2.0.9.2.20030218113646.02eb4c10@imap.ecs.soton.ac.uk>

Check that when MailScanner is running the check_mailscanner script just prints out the process ids of the MailScanner processes. If it always says "Starting MailScanner" or something like that, then the script isn't working correctly. Take a look at it and see if there is a section in there for your OS.

At 11:17 18/02/2003, you wrote:
>Today tomorrom existing many process from crontab check_mailscanner overload
>my sendmail server why?

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From applein at IG.COM.BR Tue Feb 18 11:47:10 2003
From: applein at IG.COM.BR (applein)
Date: Thu Jan 12 21:17:13 2006
Subject: many process check_mailscanner
References: <5.2.0.9.2.20030218113646.02eb4c10@imap.ecs.soton.ac.uk>
Message-ID: <009501c2d743$7a0abd20$0d4bd3c8@A3C4J5>

I use Debian Linux and sendmail work fine with MailScanner I have few tests successful... my mail log show MailScanner lines...

----- Original Message -----
From: "Julian Field"
To:
Sent: Tuesday, February 18, 2003 8:37 AM
Subject: Re: many process check_mailscanner

Check that when MailScanner is running the check_mailscanner script just prints out the process ids of the MailScanner processes. If it always says "Starting MailScanner" or something like that, then the script isn't working correctly. Take a look at it and see if there is a section in there for your OS.

At 11:17 18/02/2003, you wrote:
>Today tomorrom existing many process from crontab check_mailscanner overload
>my sendmail server why?

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From applein at IG.COM.BR Tue Feb 18 11:52:43 2003
From: applein at IG.COM.BR (applein)
Date: Thu Jan 12 21:17:13 2006
Subject: many process check_mailscanner
References: <5.2.0.9.2.20030218113646.02eb4c10@imap.ecs.soton.ac.uk>
Message-ID: <009d01c2d744$40bbe980$0d4bd3c8@A3C4J5>

All right the path awk in my Debian Linux is /usr/bin/awk and check_mailscanner search her in /bin/awk I'm fix is now is working fine thanks...

----- Original Message -----
From: "Julian Field"
To:
Sent: Tuesday, February 18, 2003 8:37 AM
Subject: Re: many process check_mailscanner

Check that when MailScanner is running the check_mailscanner script just prints out the process ids of the MailScanner processes. If it always says "Starting MailScanner" or something like that, then the script isn't working correctly. Take a look at it and see if there is a section in there for your OS.

At 11:17 18/02/2003, you wrote:
>Today tomorrom existing many process from crontab check_mailscanner overload
>my sendmail server why?

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From linux at mostert.nom.za Tue Feb 18 13:20:06 2003
From: linux at mostert.nom.za (Mozzi) Date: Thu Jan 12 21:17:13 2006 Subject: Sendmail startup problems Message-ID: <200302181520.06481.linux@mostert.nom.za> Hallo all When starting up sendmail I get the following errors in my maillog file I cannot explain them as it just worked Espesially the ones between the arrows --> Tnx Mozzi NOQUEUE: SYSERR(root): opendaemonsocket: daemon MTA: cannot bind: Address already in use Feb 18 15:15:03 darkstar sendmail[5980]: daemon MTA: problem creating SMTP socket Feb 18 15:15:08 darkstar sendmail[5980]: NOQUEUE: SYSERR(root): opendaemonsocket: daemon MTA: cannot bind: Address already in use Feb 18 15:15:08 darkstar sendmail[5980]: daemon MTA: problem creating SMTP socket Feb 18 15:15:13 darkstar sendmail[5980]: NOQUEUE: SYSERR(root): opendaemonsocket: daemon MTA: cannot bind: Address already in use Feb 18 15:15:13 darkstar sendmail[5980]: daemon MTA: problem creating SMTP socket Feb 18 15:15:18 darkstar sendmail[5980]: NOQUEUE: SYSERR(root): opendaemonsocket: daemon MTA: cannot bind: Address already in use Feb 18 15:15:18 darkstar sendmail[5980]: daemon MTA: problem creating SMTP socket Feb 18 15:15:23 darkstar sendmail[5980]: NOQUEUE: SYSERR(root): opendaemonsocket: daemon MTA: cannot bind: Address already in use Feb 18 15:15:23 darkstar sendmail[5980]: daemon MTA: problem creating SMTP socket Feb 18 15:15:23 darkstar sendmail[5980]: NOQUEUE: SYSERR(root): opendaemonsocket: daemon MTA: server SMTP socket wedged: exiting ---> Feb 18 15:16:12 darkstar sendmail[6109]: daemon invoked without full pathname; kill -1 won't work Feb 18 15:16:12 darkstar sendmail[6110]: starting daemon (8.12.6): SMTP+queueing@00:15:00 Feb 18 15:16:15 darkstar sendmail[6112]: daemon invoked without full pathname; kill -1 won't work --> Feb 18 15:16:15 darkstar sendmail[6113]: starting daemon (8.12.6): SMTP Feb 18 15:16:15 darkstar sendmail[6113]: NOQUEUE: SYSERR(root): opendaemonsocket: daemon MTA: cannot bind: Address already in use Feb 18 15:16:15 
darkstar sendmail[6113]: daemon MTA: problem creating SMTP socket Feb 18 15:16:20 darkstar sendmail[6113]: NOQUEUE: SYSERR(root): opendaemonsocket: daemon MTA: cannot bind: Address already in use Feb 18 15:16:20 darkstar sendmail[6113]: daemon MTA: problem creating SMTP socket From tony.johansson at SVENSKAKYRKAN.SE Tue Feb 18 13:17:58 2003 From: tony.johansson at SVENSKAKYRKAN.SE (Tony Johansson) Date: Thu Jan 12 21:17:13 2006 Subject: Load test Message-ID: <3C4F5084EF16D4119CE700508B6B8B10058D0A75@nt.svenskakyrkan.se> Apologies as this might be slightly off topic I'm looking for a tool to test the mail processing power of a system. The ideal tool would send a configurable amount of mails per second/minute with randomly attached files, viruses aswell as allowed and disallowed files, to a mailbox. I'm fairly confident this would be easily achived with perl or some script, unfortunatly my coding skills are not the best... Does anyone know if such a tool exists? regards, Tony From jase at SENSIS.COM Tue Feb 18 13:55:38 2003 From: jase at SENSIS.COM (Desai, Jason) Date: Thu Jan 12 21:17:13 2006 Subject: Small check_mailscanner change Message-ID: I would like to run check_mailscanner periodically from cron to make sure that MailScanner is still running. But I get an email every time, telling me the pids. I don't want to redirect the output to /dev/null to prevent the emails, because I want to know if check_mailscanner actually had to start a new MailScanner process. So, I would like to add a "-q" parameter (q for quiet) to the check_mailscanner script which, if specified, would not print out the pids. Running it without any parameters would print the pids as normal. Any thoughts? This may not be the best way to do it, but here is a patch to check_mailscanner that accomplishes this. --- check_mailscanner.orig Sat Feb 1 11:06:53 2003 +++ check_mailscanner Tue Feb 18 08:43:31 2003 
@@ -105,6 +105,8 @@ cd $msbindir $process $config else - echo MailScanner running with pid $pid + if [ "x$1" != "x-q" ]; then + echo MailScanner running with pid $pid + fi fi Jason Desai Network Administrator Sensis Corporation jase@sensis.com http://www.sensis.com (315) 445-5811 From mailscanner at ecs.soton.ac.uk Tue Feb 18 13:55:11 2003 
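Review bot: the new test `[ "x$1" != "x-q" ]` in the else branch only recognises -q when it is the first argument, and nothing in the hunk documents the option. Consider parsing the option once near the top of the script into a variable (for example quiet=yes) and testing that variable here, so that a later argument cannot silently change the behaviour, and mention -q in the script's header comment. Output from the restart branch is left untouched, which is what lets the cron mail report only restarts, so that part reads as intended.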
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:13 2006 Subject: Load test In-Reply-To: <3C4F5084EF16D4119CE700508B6B8B10058D0A75@nt.svenskakyrkan. se> Message-ID: <5.2.0.9.2.20030218134140.02dc34c8@imap.ecs.soton.ac.uk> At 13:17 18/02/2003, you wrote: >Apologies as this might be slightly off topic > >I'm looking for a tool to test the mail processing power of a system. > >The ideal tool would send a configurable amount of mails per second/minute >with randomly attached files, viruses aswell as allowed and disallowed >files, to a mailbox. > >I'm fairly confident this would be easily achived with perl or some script, >unfortunatly my coding skills are not the best... > >Does anyone know if such a tool exists? > >regards, Tony I use a test set of real messages collected using the "Archive Mail" feature. Controlling the speed of the incoming messages is something I haven't got sorted out at all yet. I use a little perl script on host 1 to squirt messages at the MailScanner host 2. My script does have some very simple speed control, but I haven't found the control much use yet. I usually just need to go as fast as possible. I then have a very minimal SMTP "sink" server process on host 3 to receive all the mail that MailScanner on host 2 sends out. It just talks SMTP and throws away all the messages it is sent. This way you can get some figures that include the network load of the messages coming in and out, which is quite important. With my current tests I am hitting disk speed bottlenecks (using Ultra 160 SCSI Seagate Cheetah disk), seems to be maxing out at about 15Mbytes/s write. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Tue Feb 18 14:06:49 2003 
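The SMTP "sink" on host 3 described in the "Load test" reply above, written as an added Python example; this is not Julian Field's script. The host name, port 2525 and the reply texts are assumptions.

```python
"""Minimal SMTP sink: accept every message and throw it away (added example)."""
import socketserver


class SinkSession:
    """SMTP dialogue for one connection; message content is never stored."""

    def __init__(self, hostname="sink.example.test"):  # placeholder host name
        self.hostname = hostname
        self.in_data = False
        self.have_rcpt = False
        self.messages = 0          # completed DATA transactions
        self.bytes_discarded = 0   # message bytes received, CRLF included

    def greeting(self):
        return "220 %s SMTP sink ready" % self.hostname

    def feed(self, line):
        """Consume one line (CRLF already removed); return a reply or None."""
        if self.in_data:
            if line == ".":        # lone dot ends the message
                self.in_data = False
                self.have_rcpt = False
                self.messages += 1
                return "250 2.0.0 Ok: message discarded"
            self.bytes_discarded += len(line) + 2
            return None
        verb = line.strip().split(" ", 1)[0].upper()
        if verb in ("HELO", "EHLO"):
            return "250 %s" % self.hostname
        if verb == "MAIL":
            self.have_rcpt = False
            return "250 2.1.0 Ok"
        if verb == "RCPT":
            self.have_rcpt = True
            return "250 2.1.5 Ok"
        if verb == "DATA":
            if not self.have_rcpt:
                return "503 5.5.1 Need RCPT before DATA"
            self.in_data = True
            return "354 End data with <CR><LF>.<CR><LF>"
        if verb == "RSET":
            self.have_rcpt = False
            return "250 2.0.0 Ok"
        if verb == "NOOP":
            return "250 2.0.0 Ok"
        if verb == "QUIT":
            return "221 2.0.0 Bye"
        return "502 5.5.2 Command not recognised"


class SinkHandler(socketserver.StreamRequestHandler):
    """Wire one TCP connection to a SinkSession."""

    def handle(self):
        session = SinkSession()
        self.wfile.write((session.greeting() + "\r\n").encode("ascii"))
        for raw in self.rfile:
            reply = session.feed(raw.rstrip(b"\r\n").decode("latin-1"))
            if reply is not None:
                self.wfile.write((reply + "\r\n").encode("ascii"))
                if reply.startswith("221"):
                    break


class SinkServer(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True


def serve(host="127.0.0.1", port=2525):
    # Bind only to an address the test hosts can reach; the sink accepts
    # mail from anyone who can connect to it.
    with SinkServer((host, port), SinkHandler) as server:
        server.serve_forever()


if __name__ == "__main__":
    serve()
```
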
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:13 2006 Subject: Small check_mailscanner change In-Reply-To: Message-ID: <5.2.0.9.2.20030218140625.02dcc068@imap.ecs.soton.ac.uk> Great idea. It will be in the next release. I have also edited the cron job so that it uses -q rather than just throwing away all output. At 13:55 18/02/2003, you wrote: >I would like to run check_mailscanner periodically from cron to make sure >that MailScanner is still running. But I get an email every time, telling >me the pids. I don't want to redirect the output to /dev/null to prevent >the emails, because I want to know if check_mailscanner actually had to >start a new MailScanner process. So, I would like to add a "-q" parameter >(q for quiet) to the check_mailscanner script which, if specified, would not >print out the pids. Running it without any parameters would print the pids >as normal. Any thoughts? > >This may not be the best way to do it, but here is a patch to >check_mailscanner that accomplishes this. > >--- check_mailscanner.orig Sat Feb 1 11:06:53 2003 >+++ check_mailscanner Tue Feb 18 08:43:31 2003 >@@ -105,6 +105,8 @@ > cd $msbindir > $process $config > else >- echo MailScanner running with pid $pid >+ if [ "x$1" != "x-q" ]; then >+ echo MailScanner running with pid $pid >+ fi > fi > > >Jason Desai >Network Administrator >Sensis Corporation >jase@sensis.com >http://www.sensis.com >(315) 445-5811 -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From andersan at LTKALMAR.SE Tue Feb 18 14:20:09 2003 
From: andersan at LTKALMAR.SE (Anders Andersson, IT)
Date: Thu Jan 12 21:17:13 2006
Subject: REQ or rewonder :)
Message-ID: <9F18B7DDBA88E544AB1F1995148916660145DF@lkl63.ltkalmar.se>

Hi

I asked if it was possible to make MS use a text-file for certain rules ie all service folks can receive/send exe-files.

From:To ok_ppl.rules ok_ppl.filenames.rules.conf

Have you considered it and rejected it or just forgotten? I know it might be overkill but I think it would make life easier...

Kind regards
/Anders

From sean at DIGISILK.NET Tue Feb 18 14:52:57 2003
From: sean at DIGISILK.NET (Sean Closson) Date: Thu Jan 12 21:17:13 2006 Subject: Sendmail startup problems In-Reply-To: <200302181520.06481.linux@mostert.nom.za> References: <200302181520.06481.linux@mostert.nom.za> Message-ID: <1045579977.2516.72.camel@localhost.localdomain> (typo on list address; d'oh!) This happened to me also, and it was caused by extra sendmail processes. on RH, issue a "service sendmail stop" and then "ps auxww |grep mail" and look for a running sendmail process. Kill it and then issue a "service mailscanner start" which will start sendmail also. As far as the full pathname issue, I'm not sure off the top of my pointy head... -- =========================== Sean Closson sean@digisilk.net MCSE / MCDBA / GSEC / CISSP =========================== On Tue, 2003-02-18 at 07:20, Mozzi wrote: > Hallo all > When starting up sendmail I get the following errors in my maillog file > I cannot explain them as it just worked > Espesially the ones between the arrows --> > > Tnx > > Mozzi > > NOQUEUE: SYSERR(root): opendaemonsocket: daemon MTA: cannot bind: Address > already in use > Feb 18 15:15:03 darkstar sendmail[5980]: daemon MTA: problem creating SMTP > socket > Feb 18 15:15:08 darkstar sendmail[5980]: NOQUEUE: SYSERR(root): > opendaemonsocket: daemon MTA: cannot bind: Address already in use > Feb 18 15:15:08 darkstar sendmail[5980]: daemon MTA: problem creating SMTP > socket > Feb 18 15:15:13 darkstar sendmail[5980]: NOQUEUE: SYSERR(root): > opendaemonsocket: daemon MTA: cannot bind: Address already in use > Feb 18 15:15:13 darkstar sendmail[5980]: daemon MTA: problem creating SMTP > socket > Feb 18 15:15:18 darkstar sendmail[5980]: NOQUEUE: SYSERR(root): > opendaemonsocket: daemon MTA: cannot bind: Address already in use > Feb 18 15:15:18 darkstar sendmail[5980]: daemon MTA: problem creating SMTP > socket > Feb 18 15:15:23 darkstar sendmail[5980]: NOQUEUE: SYSERR(root): > opendaemonsocket: daemon MTA: cannot bind: Address already in use > Feb 18 
15:15:23 darkstar sendmail[5980]: daemon MTA: problem creating SMTP > socket > Feb 18 15:15:23 darkstar sendmail[5980]: NOQUEUE: SYSERR(root): > opendaemonsocket: daemon MTA: server SMTP socket wedged: exiting > ---> > Feb 18 15:16:12 darkstar sendmail[6109]: daemon invoked without full pathname; > kill -1 won't work > Feb 18 15:16:12 darkstar sendmail[6110]: starting daemon (8.12.6): > SMTP+queueing@00:15:00 > Feb 18 15:16:15 darkstar sendmail[6112]: daemon invoked without full pathname; > kill -1 won't work > --> > Feb 18 15:16:15 darkstar sendmail[6113]: starting daemon (8.12.6): SMTP > Feb 18 15:16:15 darkstar sendmail[6113]: NOQUEUE: SYSERR(root): > opendaemonsocket: daemon MTA: cannot bind: Address already in use > Feb 18 15:16:15 darkstar sendmail[6113]: daemon MTA: problem creating SMTP > socket > Feb 18 15:16:20 darkstar sendmail[6113]: NOQUEUE: SYSERR(root): > opendaemonsocket: daemon MTA: cannot bind: Address already in use > Feb 18 15:16:20 darkstar sendmail[6113]: daemon MTA: problem creating SMTP > socket > -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: This is a digitally signed message part Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030218/a0e2f2d5/attachment.bin From applein at IG.COM.BR Tue Feb 18 15:43:30 2003 From: applein at IG.COM.BR (applein) Date: Thu Jan 12 21:17:13 2006 Subject: allow IFrame Message-ID: <000d01c2d764$7eb52f60$0d4bd3c8@A3C4J5> How I allow IFrame tag, I have recived messagens with: Found dangerous IFrame tag in HTML message _______________________________________________________________________ Busca Yahoo! O servi?o de busca mais completo da Internet. O que voc? pensar o Yahoo! encontra. http://br.busca.yahoo.com/ From andersan at LTKALMAR.SE Tue Feb 18 15:47:06 2003 
From: andersan at LTKALMAR.SE (Anders Andersson, IT)
Date: Thu Jan 12 21:17:13 2006
Subject: SV: allow IFrame
Message-ID: <9F18B7DDBA88E544AB1F1995148916660145E0@lkl63.ltkalmar.se>

Go and look in /etc/MailScanner/MailScanner.conf
there you will find everything you need to change

> -----Original message-----
> From: applein [mailto:applein@IG.COM.BR]
> Sent: 18 February 2003 16:44
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: allow IFrame
>
>
> How do I allow the IFrame tag? I have received messages with:
>
> Found dangerous IFrame tag in HTML message
>
> ______________________________________________________________
> _________
>
> Busca Yahoo!
>
> The most complete search service on the Internet. Whatever you
> think of, Yahoo! finds it.
>
> http://br.busca.yahoo.com/
>

From mailscanner at ecs.soton.ac.uk Tue Feb 18 15:56:33 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:13 2006
Subject: Sendmail startup problems
In-Reply-To: <1045579977.2516.72.camel@localhost.localdomain>
References: <200302181520.06481.linux@mostert.nom.za> <200302181520.06481.linux@mostert.nom.za>
Message-ID: <5.2.0.9.2.20030218155617.02ca89f0@imap.ecs.soton.ac.uk>

Check you have done
        chkconfig sendmail off
as well, or it will restart when you next boot.

At 14:52 18/02/2003, you wrote:
>(typo on list address; d'oh!)
>
>This happened to me also, and it was caused by extra sendmail
>processes. on RH, issue a "service sendmail stop" and then "ps auxww
>|grep mail" and look for a running sendmail process. Kill it and then
>issue a "service mailscanner start" which will start sendmail also.
>As far as the full pathname issue, I'm not sure off the top of my pointy
>head...
>
>--
>===========================
>Sean Closson
>sean@digisilk.net
>MCSE / MCDBA / GSEC / CISSP
>===========================
>
>On Tue, 2003-02-18 at 07:20, Mozzi wrote:
> > Hallo all
> > When starting up sendmail I get the following errors in my maillog file
> > I cannot explain them as it just worked
> > Especially the ones between the arrows -->
> >
> > Tnx
> >
> > Mozzi
> >
> > NOQUEUE: SYSERR(root): opendaemonsocket: daemon MTA: cannot bind: Address
> > already in use
> > Feb 18 15:15:03 darkstar sendmail[5980]: daemon MTA: problem creating SMTP
> > socket
> > Feb 18 15:15:08 darkstar sendmail[5980]: NOQUEUE: SYSERR(root):
> > opendaemonsocket: daemon MTA: cannot bind: Address already in use
> > Feb 18 15:15:08 darkstar sendmail[5980]: daemon MTA: problem creating SMTP
> > socket
> > Feb 18 15:15:13 darkstar sendmail[5980]: NOQUEUE: SYSERR(root):
> > opendaemonsocket: daemon MTA: cannot bind: Address already in use
> > Feb 18 15:15:13 darkstar sendmail[5980]: daemon MTA: problem creating SMTP
> > socket
> > Feb 18 15:15:18 darkstar sendmail[5980]: NOQUEUE: SYSERR(root):
> > opendaemonsocket: daemon MTA: cannot bind:
Address already in use
> > Feb 18 15:15:18 darkstar sendmail[5980]: daemon MTA: problem creating SMTP
> > socket
> > Feb 18 15:15:23 darkstar sendmail[5980]: NOQUEUE: SYSERR(root):
> > opendaemonsocket: daemon MTA: cannot bind: Address already in use
> > Feb 18 15:15:23 darkstar sendmail[5980]: daemon MTA: problem creating SMTP
> > socket
> > Feb 18 15:15:23 darkstar sendmail[5980]: NOQUEUE: SYSERR(root):
> > opendaemonsocket: daemon MTA: server SMTP socket wedged: exiting
> > --->
> > Feb 18 15:16:12 darkstar sendmail[6109]: daemon invoked without full
> pathname;
> > kill -1 won't work
> > Feb 18 15:16:12 darkstar sendmail[6110]: starting daemon (8.12.6):
> > SMTP+queueing@00:15:00
> > Feb 18 15:16:15 darkstar sendmail[6112]: daemon invoked without full
> pathname;
> > kill -1 won't work
> > -->
> > Feb 18 15:16:15 darkstar sendmail[6113]: starting daemon (8.12.6): SMTP
> > Feb 18 15:16:15 darkstar sendmail[6113]: NOQUEUE: SYSERR(root):
> > opendaemonsocket: daemon MTA: cannot bind: Address already in use
> > Feb 18 15:16:15 darkstar sendmail[6113]: daemon MTA: problem creating SMTP
> > socket
> > Feb 18 15:16:20 darkstar sendmail[6113]: NOQUEUE: SYSERR(root):
> > opendaemonsocket: daemon MTA: cannot bind: Address already in use
> > Feb 18 15:16:20 darkstar sendmail[6113]: daemon MTA: problem creating SMTP
> > socket
> >
>

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From ragan_davis at COLSTATE.EDU Tue Feb 18 16:07:19 2003
From: ragan_davis at COLSTATE.EDU (Mack Ragan)
Date: Thu Jan 12 21:17:13 2006
Subject: MailScanner & SpamAssassin
Message-ID:

Good points. So, it seems everything is working by design. I agree with
Julian in that I wouldn't want my users to see the spamassassin report in
the body anyway. It would more than likely just generate additional help
desk calls.

It would be neat to have a means to insert a block of text into the body
that would explain to the user in simple terms that the mail gateway
suspects this to be spam, and gives them options on how to take action to
block further messages like it. Maybe there's already a way to do
this...I'm not familiar enough with MailScanner yet to know.

Thanks for all of your help!

Mack

From mailscanner at ecs.soton.ac.uk Tue Feb 18 16:13:28 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:13 2006
Subject: MailScanner & SpamAssassin
In-Reply-To:
Message-ID: <5.2.0.9.2.20030218161131.02f05748@imap.ecs.soton.ac.uk>

At 16:07 18/02/2003, you wrote:
>It would be neat to have a means to insert a block of text into the body
>that would explain to the user in simple terms that the mail gateway
>suspects this to be spam, and gives them options on how to take action to
>block further messages like it. Maybe there's already a way to do
>this...I'm not familiar enough with MailScanner yet to know.

So, some sort of an
        Inline Spam Text Warning
and
        Inline Spam HTML Warning
and an option to turn them on/off.

What would happen when a message was spam and also contained a virus?

What do other people think of this idea?
Would this be widely used?
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From mailscanner at BARENDSE.TO Tue Feb 18 16:25:01 2003
From: mailscanner at BARENDSE.TO (Remco Barendse)
Date: Thu Jan 12 21:17:13 2006
Subject: Automating MailScanner.conf upgrades
In-Reply-To: <5.2.0.9.2.20030217205630.0208f300@imap.ecs.soton.ac.uk>
Message-ID:

Sorry if this was unclear, I didn't mean that the upgrade script should
fetch the rpm but the other way around.

I was thinking of including the upgrade script in the RPM, and after
RPM is done upgrading the MS binaries have it check which version of
MailScanner is running and then run the script from the RPM wrapper to do
the upgrading automagically.

On Mon, 17 Feb 2003, Julian Field wrote:

> At 20:11 17/02/2003, you wrote:
> >Thanks for this excellent script Julian!
> >
> >This will save me tons of time when doing upgrades on several
> >servers.
>
> I got fed up of doing it the hard way too. After sitting down explaining
> the problem (to my long-suffering lodger!) I realised that it wasn't that
> hard to do.
>
> >Will the script be supplied with every version of MailScanner? Would it be
> >possible to have the script even detect a 4.x version of MailScanner and
> >have rpm run the script on the default installation paths?
>
> I didn't really intend it to go and fetch the new rpm for you. But it
> should work with just about any version of MailScanner as it doesn't use
> anything outside the 2 conf files supplied on the command line. It will
> even do *some* of the work upgrading V3 to V4.
>
> >I tried it on my MS systems and it works like a charm!
>
> Cool :-)
>
>
> >On Sat, 15 Feb 2003, Julian Field wrote:
> >
> > > Morning all,
> > >
> > > The biggest pain in doing an upgrade of MailScanner is working out what has
> > > changed between your current MailScanner.conf and the new one.
> > >
> > > So I have written a tool to help you do this.
It will
> > > - copy over all your old settings into the new file
> > > - copy over all the comments you have added to settings
> > > - add the default settings for all new settings
> > > - delete obsolete settings
> > > - print a summary of what it has done,
> > >   including the settings that were added/removed
> > >
> > > It is attached to this message. To find out how to use it, just run it and
> > > it will tell you.
> > >
> > > The only time it will run into trouble is when the supplied value for a
> > > setting is commented out, and you have uncommented it. It can't tell the
> > > difference between lines like that and normal comments. So Exim users
> > beware!
> > >
> > > It can't be perfect, but you should find it helps.
> > >
> >
> >
> >--
> >This message has been scanned for viruses and
> >dangerous content by MailScanner, and is
> >believed to be clean.
>
> --
> Julian Field
> www.MailScanner.info
> MailScanner thanks transtec Computers for their support
>
>

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From Kevin.Spicer at BMRB.CO.UK Tue Feb 18 16:25:04 2003
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin)
Date: Thu Jan 12 21:17:13 2006
Subject: MailScanner & SpamAssassin
Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0EBF3D6@pascal.priv.bmrb.co.uk>

> So, some sort of an
> Inline Spam Text Warning
> and
> Inline Spam HTML Warning
> and an option to turn them on/off.
>
> What would happen when a message was spam and also contained a virus?
>
> What do other people think of this idea?
> Would this be widely used?

I'd certainly use it - I have a page on our intranet which explains our
spam tagging policy and how to set up rules to filter tagged spam in
Outlook and I'd like the ability to add that URL with a line of explanation
into the top of messages (and also to prompt users to bring false positives
to my attention so that I can tune the SpamAssassin rules, add appropriate
whitelist entries etc).

I think the virus warning should always take precedence, as pretty soon
users will come to understand why they have spam tags - but virus tags are
less common and rather more of a cause for concern

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000
_________________________________________________________________
This message (and any attachment) is intended only for the recipient and
may contain confidential and/or privileged material. If you have received
this in error, please contact the sender and delete this message
immediately. Disclosure, copying or other action taken in respect of this
email or in reliance on it is prohibited. BMRB International Limited
accepts no liability in relation to any personal emails, or content of any
email which does not directly relate to our business.

From mailscanner at BARENDSE.TO Tue Feb 18 16:32:27 2003
From: mailscanner at BARENDSE.TO (Remco Barendse)
Date: Thu Jan 12 21:17:13 2006
Subject: MailScanner & SpamAssassin
In-Reply-To: <5.2.0.9.2.20030218161131.02f05748@imap.ecs.soton.ac.uk>
Message-ID:

I am quite happy with the way MailScanner modifies the subject line. It is
quite easy to create a rule in Outlook which moves tagged mails to deleted
items :)

I don't see the need to have an inline warning, I usually don't get any
legitimate porn or Nigerian scam mails myself which makes them easy to
spot :)

On Tue, 18 Feb 2003, Julian Field wrote:

> At 16:07 18/02/2003, you wrote:
> >It would be neat to have a means to insert a block of text into the body
> >that would explain to the user in simple terms that the mail gateway
> >suspects this to be spam, and gives them options on how to take action to
> >block further messages like it. Maybe there's already a way to do
> >this...I'm not familiar enough with MailScanner yet to know.
>
> So, some sort of an
> Inline Spam Text Warning
> and
> Inline Spam HTML Warning
> and an option to turn them on/off.
>
> What would happen when a message was spam and also contained a virus?
>
> What do other people think of this idea?
> Would this be widely used?
> --
> Julian Field
> www.MailScanner.info
> MailScanner thanks transtec Computers for their support
>
>

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From steve.freegard at LBSLTD.CO.UK Tue Feb 18 16:34:16 2003
From: steve.freegard at LBSLTD.CO.UK (Steve Freegard)
Date: Thu Jan 12 21:17:13 2006
Subject: FW: Rejected posting to MAILSCANNER@JISCMAIL.AC.UK
Message-ID: <67D9E7698329D411936E00508B6590B902793114@neelix.lbsltd.co.uk>

Hi,

I haven't posted to the list in quite a while - and we changed our default
e-mail addresses a while back.

I was listed as smf@lbsltd.co.uk - could this be changed to
steve.freegard@lbsltd.co.uk.

Thanks in advance.
Steve.

-----Original Message-----
From: L-Soft list server at JISCMAIL (1.8e) [mailto:LISTSERV@JISCMAIL.AC.UK]
Sent: 18 February 2003 16:26
To: steve.freegard@lbsltd.co.uk
Subject: Rejected posting to MAILSCANNER@JISCMAIL.AC.UK

You are not authorized to send mail to the MAILSCANNER list from your
steve.freegard@LBSLTD.CO.UK account. You might be authorized to send to the
list from another of your accounts, or perhaps when using another mail
program which generates slightly different addresses, but LISTSERV has no
way to associate this other account or address with yours. If you need
assistance or if you have any question regarding the policy of the
MAILSCANNER list, please contact the list owners:
MAILSCANNER-request@JISCMAIL.AC.UK.

**********************************************************************
This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please notify
the system manager.

This footnote also confirms that this email message has been swept by
MIMEsweeper for the presence of computer viruses.

www.lbsltd.co.uk
**********************************************************************
-------------- next part --------------
An embedded message was scrubbed...
From: Steve Freegard
Subject: RE: MailScanner & SpamAssassin
Date: Tue, 18 Feb 2003 16:26:01 -0000
Size: 2181
Url: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030218/98c9ba99/attachment.mht

From andersan at LTKALMAR.SE Tue Feb 18 16:42:03 2003
From: andersan at LTKALMAR.SE (Anders Andersson, IT)
Date: Thu Jan 12 21:17:13 2006
Subject: SV: MailScanner & SpamAssassin
Message-ID: <9F18B7DDBA88E544AB1F1995148916660145E1@lkl63.ltkalmar.se>

Unless it is too much of a hassle to add it I think it could be useful.
Probably not for readers of this list but for the admins to help users by
pointing to a web page for info, create filter rules etc.

Shouldn't be on by default but an option would be nice

/Anders

> -----Original message-----
> From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK]
> Sent: 18 February 2003 17:13
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: MailScanner & SpamAssassin
>
>
> At 16:07 18/02/2003, you wrote:
> >It would be neat to have a means to insert a block of text
> into the body
> >that would explain to the user in simple terms that the mail gateway
> >suspects this to be spam, and gives them options on how to
> take action to
> >block further messages like it. Maybe there's already a way to do
> >this...I'm not familiar enough with MailScanner yet to know.
>
> So, some sort of an
> Inline Spam Text Warning
> and
> Inline Spam HTML Warning
> and an option to turn them on/off.
>
> What would happen when a message was spam and also contained a virus?
>
> What do other people think of this idea?
> Would this be widely used?
> --
> Julian Field
> www.MailScanner.info
> MailScanner thanks transtec Computers for their support
>

From mailscanner at ecs.soton.ac.uk Tue Feb 18 16:37:09 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:14 2006
Subject: Automating MailScanner.conf upgrades
In-Reply-To:
References: <5.2.0.9.2.20030217205630.0208f300@imap.ecs.soton.ac.uk>
Message-ID: <5.2.0.9.2.20030218163525.02f30888@imap.ecs.soton.ac.uk>

At 16:25 18/02/2003, you wrote:
>Sorry if this was unclear, I didn't mean that the upgrade script should
>fetch the rpm but the other way around.
>
>I was thinking of including the upgrade script in the RPM, and after
>RPM is done upgrading the MS binaries have it check which version of
>MailScanner is running and then run the script from the RPM wrapper to do
>the upgrading automagically.

I'm being a bit cautious first time round. When it works out you are doing
an upgrade of the RPM, it will tell you to run the script. When you run the
script it will tell you exactly what you need to type to have it do all the
work for you.

>On Mon, 17 Feb 2003, Julian Field wrote:
>
> > At 20:11 17/02/2003, you wrote:
> > >Thanks for this excellent script Julian!
> > >
> > >This will save me tons of time when doing upgrades on several
> > >servers.
> >
> > I got fed up of doing it the hard way too. After sitting down explaining
> > the problem (to my long-suffering lodger!) I realised that it wasn't that
> > hard to do.
> >
> > >Will the script be supplied with every version of MailScanner? Would it be
> > >possible to have the script even detect a 4.x version of MailScanner and
> > >have rpm run the script on the default installation paths?
> >
> > I didn't really intend it to go and fetch the new rpm for you. But it
> > should work with just about any version of MailScanner as it doesn't use
> > anything outside the 2 conf files supplied on the command line. It will
> > even do *some* of the work upgrading V3 to V4.
> >
> > >I tried it on my MS systems and it works like a charm!
> >
> > Cool :-)
> >
> >
> > >On Sat, 15 Feb 2003, Julian Field wrote:
> > >
> > > > Morning all,
> > > >
> > > > The biggest pain in doing an upgrade of MailScanner is working out
> what has
> > > > changed between your current MailScanner.conf and the new one.
> > > >
> > > > So I have written a tool to help you do this. It will
> > > > - copy over all your old settings into the new file
> > > > - copy over all the comments you have added to settings
> > > > - add the default settings for all new settings
> > > > - delete obsolete settings
> > > > - print a summary of what it has done,
> > > >   including the settings that were added/removed
> > > >
> > > > It is attached to this message. To find out how to use it, just run
> it and
> > > > it will tell you.
> > > >
> > > > The only time it will run into trouble is when the supplied value for a
> > > > setting is commented out, and you have uncommented it. It can't
> tell the
> > > > difference between lines like that and normal comments. So Exim users
> > > beware!
> > > >
> > > > It can't be perfect, but you should find it helps.
> > > >
> > >
> > >
> > >--
> > >This message has been scanned for viruses and
> > >dangerous content by MailScanner, and is
> > >believed to be clean.
> >
> > --
> > Julian Field
> > www.MailScanner.info
> > MailScanner thanks transtec Computers for their support
> >
> >
>
>
>--
>This message has been scanned for viruses and
>dangerous content by MailScanner, and is
>believed to be clean.

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From applein at IG.COM.BR Tue Feb 18 17:35:35 2003
From: applein at IG.COM.BR (applein)
Date: Thu Jan 12 21:17:14 2006
Subject: allow IFrame
References: <9F18B7DDBA88E544AB1F1995148916660145E0@lkl63.ltkalmar.se>
Message-ID: <005201c2d774$26dea9a0$0d4bd3c8@A3C4J5>

I changed Allow IFrame Tags = yes but it does not work

----- Original Message -----
From: "Anders Andersson, IT"
To:
Sent: Tuesday, February 18, 2003 12:47 PM
Subject: SV: allow IFrame


Go and look in /etc/MailScanner/MailScanner.conf
there you will find everything you need to change

> -----Original message-----
> From: applein [mailto:applein@IG.COM.BR]
> Sent: 18 February 2003 16:44
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: allow IFrame
>
>
> How do I allow the IFrame tag? I have received messages with:
>
> Found dangerous IFrame tag in HTML message
>
> ______________________________________________________________
> _________
>
> Busca Yahoo!
>
> The most complete search service on the Internet. Whatever you
> think of, Yahoo! finds it.
>
> http://br.busca.yahoo.com/
>

_______________________________________________________________________
Busca Yahoo!
The most complete search service on the Internet. Whatever you think of, Yahoo! finds it.
http://br.busca.yahoo.com/

From joe at QITC.CO.UK Tue Feb 18 17:49:49 2003
From: joe at QITC.CO.UK (Joe Quinn)
Date: Thu Jan 12 21:17:14 2006
Subject: Custom spam score
References: <9F18B7DDBA88E544AB1F1995148916660145E0@lkl63.ltkalmar.se> <005201c2d774$26dea9a0$0d4bd3c8@A3C4J5>
Message-ID: <007201c2d776$21e6ecd0$01000001@Compaq>

Hi,

I'm trying to set custom spam scores for email from certain sources but it
doesn't seem to work. In the /etc/MailScanner/spam.assassin.prefs.conf file,
I've put;

body HELPFULOFFERS /helpfuloffers.com/i
describe HELPFULOFFERS "spam from helpfuloffers.com"
score HELPFULOFFERS 100.0

body EMAILBUCKS.COM /emailbucks.com/i
describe EMAILBUCKS.COM "spam from emailbucks.com"
score EMAILBUCKS.COM 100.0

to hopefully catch the reply to address in the body of the email. As I've
set the high score spam action to delete, I hoped it would get rid of
these.....

Any advice please?

Joe
www.qitc.net

From mailscanner at ecs.soton.ac.uk Tue Feb 18 18:12:37 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:14 2006
Subject: allow IFrame
In-Reply-To: <005201c2d774$26dea9a0$0d4bd3c8@A3C4J5>
References: <9F18B7DDBA88E544AB1F1995148916660145E0@lkl63.ltkalmar.se>
Message-ID: <5.2.0.9.2.20030218181147.02440100@imap.ecs.soton.ac.uk>

At 17:35 18/02/2003, you wrote:
>I changed Allow IFrame Tags = yes but it does not work

Did you restart it after you changed the setting?
Please remember at least to read the documentation before posting here.

>----- Original Message -----
>From: "Anders Andersson, IT"
>To:
>Sent: Tuesday, February 18, 2003 12:47 PM
>Subject: SV: allow IFrame
>
>
>Go and look in /etc/MailScanner/MailScanner.conf
>there you will find everything you need to change
>
> > -----Original message-----
> > From: applein [mailto:applein@IG.COM.BR]
> > Sent: 18 February 2003 16:44
> > To: MAILSCANNER@JISCMAIL.AC.UK
> > Subject: allow IFrame
> >
> >
> > How do I allow the IFrame tag? I have received messages with:
> >
> > Found dangerous IFrame tag in HTML message
> >
> > ______________________________________________________________
> > _________
> >
> > Busca Yahoo!
> >
> > The most complete search service on the Internet. Whatever you
> > think of, Yahoo! finds it.
> >
> > http://br.busca.yahoo.com/
> >
>
>
>_______________________________________________________________________
>Busca Yahoo!
>The most complete search service on the Internet. Whatever you think of,
>Yahoo! finds it.
>http://br.busca.yahoo.com/

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From dustin.baer at IHS.COM Tue Feb 18 18:22:15 2003
From: dustin.baer at IHS.COM (Dustin Baer)
Date: Thu Jan 12 21:17:14 2006
Subject: Quarantined filename with brackets
Message-ID: <3E5279D7.F1C58E0D@ihs.com>

The following is a report from a quarantined attachment extension (mp3):

--

Subject: Warning: E-mail attachment quarantined
Date: Tue, 18 Feb 2003 10:57:10 -0700 (MST)
From: "MailScanner"
To: postmaster@ihs.com

The following e-mail messages were found to have viruses in them:

Sender: kamtakebay@aol.com
IP Address: 152.163.225.99
Recipient: blah@ihs.com
Subject: funny sound clip
MessageID: h1IHuCoq007228
Report: (.mp3)

--

According to dfh1IHuCoq007228, the actual filename of the attachment is
"TowYardComplaint[1].mp3"

Is there a bug in MailScanner that doesn't report the correct name of an
attachment, if the filename contains brackets?

Thanks,

Dustin

From mailscanner at ecs.soton.ac.uk Tue Feb 18 18:36:11 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:14 2006
Subject: Quarantined filename with brackets
In-Reply-To: <3E5279D7.F1C58E0D@ihs.com>
Message-ID: <5.2.0.9.2.20030218183333.028ed1e0@imap.ecs.soton.ac.uk>

At 18:22 18/02/2003, you wrote:
> Report: (.mp3)
>
>According to dfh1IHuCoq007228, the actual filename of the attachment is
>"TowYardComplaint[1].mp3"
>
>Is there a bug in MailScanner that doesn't report the correct name of an
>attachment, if the filename contains brackets?

The new version should do a much better job of giving you a filename closer
to the original. However, it won't put in the complete original name as
that contains the characters "[]" which might be abused in an attempt to
remotely hack MailScanner.

The filename that appears in the reports is a "sanitised" version of the
original filename, so that no exploits are possible using malicious
filenames in attachments.
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From Denis.Beauchemin at USHERBROOKE.CA Tue Feb 18 18:47:48 2003
From: Denis.Beauchemin at USHERBROOKE.CA (Denis Beauchemin)
Date: Thu Jan 12 21:17:14 2006
Subject: Custom spam score
In-Reply-To: <007201c2d776$21e6ecd0$01000001@Compaq>
References: <9F18B7DDBA88E544AB1F1995148916660145E0@lkl63.ltkalmar.se> <005201c2d774$26dea9a0$0d4bd3c8@A3C4J5> <007201c2d776$21e6ecd0$01000001@Compaq>
Message-ID: <1045594068.2167.3.camel@dbeauchemin.si.usherbrooke.ca>

Joe,

Whenever I add rules to /etc/MailScanner/spam.assassin.prefs.conf, I
test them beforehand in ~/.spamassassin/user_prefs with:
        spamassassin --lint

Your mods gave an error... I corrected it by removing the "." in all
occurrences of "EMAILBUCKS.COM".

Looks like a period is not valid in a rule tag.

Denis

On Tue 18/02/2003 at 12:49, Joe Quinn wrote:
> Hi,
>
> I'm trying to set custom spam scores for email from certain sources but it
> doesn't seem to work. In the /etc/MailScanner/spam.assassin.prefs.conf file,
> I've put;
>
> body HELPFULOFFERS /helpfuloffers.com/i
> describe HELPFULOFFERS "spam from helpfuloffers.com"
> score HELPFULOFFERS 100.0
>
> body EMAILBUCKS.COM /emailbucks.com/i
> describe EMAILBUCKS.COM "spam from emailbucks.com"
> score EMAILBUCKS.COM 100.0
>
> to hopefully catch the reply to address in the body of the email. As I've
> set the high score spam action to delete, I hoped it would get rid of
> these.....
>
> Any advice please?
>
> Joe
> www.qitc.net
--
Denis Beauchemin, analyst
Université de Sherbrooke, S.T.I.
T: 819.821.8000x2252 F: 819.821.8045

From adkinss at OHIO.EDU Tue Feb 18 20:41:26 2003
From: adkinss at OHIO.EDU (Scott Adkins)
Date: Thu Jan 12 21:17:14 2006
Subject: Custom spam score
In-Reply-To: <1045594068.2167.3.camel@dbeauchemin.si.usherbrooke.ca>
References: <1045594068.2167.3.camel@dbeauchemin.si.usherbrooke.ca>
Message-ID: <522263124.1045582886@Callisto>

--On Tuesday, February 18, 2003 1:47 PM -0500 Denis Beauchemin
wrote:

> Joe,
>
> Whenever I add rules to /etc/MailScanner/spam.assassin.prefs.conf, I
> test them beforehand in ~/.spamassassin/user_prefs with:
> spamassassin --lint
>
> Your mods gave an error... I corrected it by removing the "." in all
> occurrences of "EMAILBUCKS.COM".

What if you put a backslash in front of it? The "." has special meaning
in regular expressions (meaning, "match any character in that position").
I would not have expected the pattern to cause the match to fail, but if
I had to guess, escaping the dot with a backslash should do the work.

I am curious... you said you removed the "." in all the occurrences of
"EMAILBUCKS.COM". So, what did it look like after that? Were you just
trying to eliminate the error, or were you also trying to make the rules
work properly? My guess is that simply removing the dot will not make
the pattern match anything that comes through. You would have to remove
".COM" and leave "EMAILBUCKS" in order to match something... fortunately,
it is unlikely to cause false positives in this particular case...

Scott

>
> Looks like a period is not valid in a rule tag.
>
> Denis
> On Tue 18/02/2003 at 12:49, Joe Quinn wrote:
>> Hi,
>>
>> I'm trying to set custom spam scores for email from certain sources but
>> it doesn't seem to work.
In the
>> /etc/MailScanner/spam.assassin.prefs.conf file, I've put;
>>
>> body HELPFULOFFERS /helpfuloffers.com/i
>> describe HELPFULOFFERS "spam from helpfuloffers.com"
>> score HELPFULOFFERS 100.0
>>
>> body EMAILBUCKS.COM /emailbucks.com/i
>> describe EMAILBUCKS.COM "spam from emailbucks.com"
>> score EMAILBUCKS.COM 100.0
>>
>> to hopefully catch the reply to address in the body of the email. As I've
>> set the high score spam action to delete, I hoped it would get rid of
>> these.....
>>
>> Any advice please?
>>
>> Joe
>> www.qitc.net
> --
> Denis Beauchemin, analyste
> Universit? de Sherbrooke, S.T.I.
> T: 819.821.8000x2252 F: 819.821.8045

--
+-----------------------------------------------------------------------+
Scott W. Adkins http://www.cns.ohiou.edu/~sadkins/
UNIX Systems Engineer mailto:adkinss@ohio.edu
ICQ 7626282 Work (740)593-9478 Fax (740)593-1944
+-----------------------------------------------------------------------+
PGP Public Key available at http://www.cns.ohiou.edu/~sadkins/pgp/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 231 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030218/99c628c4/attachment.bin

From Denis.Beauchemin at USHERBROOKE.CA Tue Feb 18 21:02:56 2003
From: Denis.Beauchemin at USHERBROOKE.CA (Denis Beauchemin)
Date: Thu Jan 12 21:17:14 2006
Subject: Custom spam score
In-Reply-To: <522263124.1045582886@Callisto>
References: <1045594068.2167.3.camel@dbeauchemin.si.usherbrooke.ca> <522263124.1045582886@Callisto>
Message-ID: <1045602176.2167.22.camel@dbeauchemin.si.usherbrooke.ca>

Scott,

This is what I had:
body HELPFULOFFERS /helpfuloffers.com/i
describe HELPFULOFFERS "spam from helpfuloffers.com"
score HELPFULOFFERS 100.0

body EMAILBUCKSCOM /emailbucks.com/i
describe EMAILBUCKSCOM "spam from emailbucks.com"
score EMAILBUCKSCOM 100.0

I didn't change any rule, I just changed their "title". I agree that the
periods should be escaped in the search pattern, giving:
body HELPFULOFFERS /helpfuloffers\.com/i
body EMAILBUCKSCOM /emailbucks\.com/i

Denis

On Tue 18/02/2003 at 15:41, Scott Adkins wrote:
> --On Tuesday, February 18, 2003 1:47 PM -0500 Denis Beauchemin
> wrote:
>
> > Joe,
> >
> > Whenever I add rules to /etc/MailScanner/spam.assassin.prefs.conf, I
> > test them beforehand in ~/.spamassassin/user_prefs with:
> > spamassassin --lint
> >
> > Your mods gave an error... I corrected it by removing the "." in all
> > occurrences of "EMAILBUCKS.COM".
>
> What if you put a backslash in front of it? The "." has special meaning
> in regular expressions (meaning, "match any character in that position").
> I would not have expected the pattern to cause the match to fail, but if
> I had to guess, escaping the dot with a backslash should do the work.
>
> I am curious... you said you removed the "." in all the occurrences of
> "EMAILBUCKS.COM". So, what did it look like after that? Were you just
> trying to eliminate the error, or were you also trying to make the rules
> work properly? My guess is that simply removing the dot will not make
> the pattern match anything that comes through. You would have to remove
> ".COM" and leave "EMAILBUCKS" in order to match something...
fortunately,
> it is unlikely to cause false positives in this particular case...
>
> Scott
>
>
> >
> > Looks like a period is not valid in a rule tag.
> >
> > Denis
> > On Tue 18/02/2003 at 12:49, Joe Quinn wrote:
> >> Hi,
> >>
> >> I'm trying to set custom spam scores for email from certain sources but
> >> it doesn't seem to work. In the
> >> /etc/MailScanner/spam.assassin.prefs.conf file, I've put;
> >>
> >> body HELPFULOFFERS /helpfuloffers.com/i
> >> describe HELPFULOFFERS "spam from helpfuloffers.com"
> >> score HELPFULOFFERS 100.0
> >>
> >> body EMAILBUCKS.COM /emailbucks.com/i
> >> describe EMAILBUCKS.COM "spam from emailbucks.com"
> >> score EMAILBUCKS.COM 100.0
> >>
> >> to hopefully catch the reply to address in the body of the email. As I've
> >> set the high score spam action to delete, I hoped it would get rid of
> >> these.....
> >>
> >> Any advice please?
> >>
> >> Joe
> >> www.qitc.net
> > --
> > Denis Beauchemin, analyst
> > Université de Sherbrooke, S.T.I.
> > T: 819.821.8000x2252 F: 819.821.8045
--
Denis Beauchemin, analyst
Université de Sherbrooke, S.T.I.
T: 819.821.8000x2252 F: 819.821.8045

From jrudd at UCSC.EDU Tue Feb 18 22:08:42 2003
From: jrudd at UCSC.EDU (John Rudd)
Date: Thu Jan 12 21:17:14 2006
Subject: Custom spam score
Message-ID: <200302182208.h1IM8gu12234@kzin.ucsc.edu>
> From: Scott Adkins
>
> --On Tuesday, February 18, 2003 1:47 PM -0500 Denis Beauchemin
> wrote:
>
> > Your mods gave an error... I corrected it by removing the "." in all
> > occurrences of "EMAILBUCKS.COM".
>
> What if you put a backslash in front of it? The "." has special meaning
> in regular expressions (meaning, "match any character in that position").
>
> >> body EMAILBUCKS.COM /emailbucks.com/i

I think you misunderstood what he's saying.

He didn't say remove the dot from the regular expression, he said remove the dot from the RULE name. So it would look like:

body EMAILBUCKSCOM /emailbucks.com/i

Though, yes, it would also be a good idea to escape the . in the regular expression.

From kovalcik at ORION-DESIGN.COM Tue Feb 18 22:21:32 2003
From: kovalcik at ORION-DESIGN.COM (Tom Kovalcik)
Date: Thu Jan 12 21:17:14 2006
Subject: Related to: Custom spam score
In-Reply-To: <200302182208.h1IM8gu12234@kzin.ucsc.edu>
Message-ID: <5.2.0.9.0.20030218171317.04081b48@oriongw>

Just wanted a clarification. When I look at the spam assassin web site, the page for tests and default scores is very long. I assume these tests and scores are hard coded into spam assassin and not in a config file. If I want to change the defaults for Mail Scanner use, I add the tests and new scores to spam.assassin.prefs.conf as opposed to a spamassassin.cf which the Spam Assassin web page talks about. Is this correct?

Sorry to take up bandwidth with what seems like a simple question, but I am at the bottom of the learning curve and trying to claw my way up.

Thanks

From cameron at TERAGEN.COM.AU Tue Feb 18 22:35:00 2003
From: cameron at TERAGEN.COM.AU (Cameron Pitt-Downton) Date: Thu Jan 12 21:17:14 2006 Subject: changing user and group References: <5.2.0.9.2.20030218092206.02f0b908@imap.ecs.soton.ac.uk> Message-ID: <083701c2d79d$f9247ab0$02ee22cb@rogue> Yes, as I was just testing it, so I changed it to my uid and gid. I'm running Red Hat 7.3 with all the latest rpms. sendmail 8.11.6-15 perl 5.6.1-34.99.6 on a celeron 400 Cameron > > Does the user you are running as have a real home directory that it can > read from and write to? > -- > Julian Field > www.MailScanner.info > MailScanner thanks transtec Computers for their support > From jrudd at UCSC.EDU Tue Feb 18 22:40:04 2003 From: jrudd at UCSC.EDU (John Rudd) Date: Thu Jan 12 21:17:14 2006 Subject: Related to: Custom spam score Message-ID: <200302182240.h1IMe4q12425@kzin.ucsc.edu> 
> From: Tom Kovalcik
>
> Just wanted a clarification. When I look at the spam assassin web site, the
> page for tests and default scores is very long. I assume these tests and
> scores are hard coded into spam assassin and not in a config file. If I
> want to change the defaults for Mail Scanner use, I add the tests and new
> scores to spam.assassin.prefs.conf as opposed to a spamassassin.cf which
> the Spam Assassin web page talks about. Is this correct?
>

Well, yes and no. They are in a conf file somewhere. Usually in

/usr/share/spamassassin/*
or
/usr/local/share/spamassassin/*

But don't change those cf files. If you find a score in there that you don't agree with, you can raise or lower its score in the spam.assassin.prefs.conf file. Just copy the same score line out of the default spam assassin files (being sure to use tabs instead of spaces to separate the 3 fields), and then give it whatever new score you want. If you give it a score of 0, you effectively disable that test.

You can also change the tests themselves by doing the same thing. But I'd recommend against changing their tests. Just the scores that you think need to be adjusted.

The only things that I actually change in their cf files are: in the 60_whitelist.cf file they have a bunch of default whitelist entries ... I comment out all but the first 3 (which are related to domain registration). Some of their entries are actually technically wrong (giving the wrong address for yahoo mailing lists, etc.), others are judgementally wrong (amazon.com _does_ spam people).

But aside from that, I tend to avoid touching their cf files. For one, if you do touch their cf files, it means that next time you upgrade Spam Assassin, you'll have to make your changes all over again. Better to just put them in your local conf file, in MailScanner.

(and, you SHOULD keep up to date on Spam Assassin, because spammers are starting to use various tools like spam assassin for writing "better spam", so current versions of spam assassin are current to current bodies of spam, and older versions of spam assassin have already been worked around by spammers)

From lindsay at pa.net Tue Feb 18 23:07:11 2003
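The two points raised in the "Custom spam score" thread above (a period is not accepted in a rule name, and an unescaped "." in the pattern matches any character), together with the score-override advice, as a small pre-check for a local rules file. This is an added example, not code from any poster or from SpamAssassin; the function names, the allowed rule-name character set and the EXAMPLE_STOCK_RULE line are assumptions, only body/describe/score lines are handled, and `spamassassin --lint` remains the authoritative check.

```python
import re
from collections import namedtuple

Finding = namedtuple("Finding", "line level rule message")

# Assumption, consistent with the --lint failure on EMAILBUCKS.COM in the thread:
# a rule name holds only letters, digits and underscores, not starting with a digit.
RULE_NAME = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")
BODY_PATTERN = re.compile(r"^/(.*)/([a-z]*)$")  # /regex/flags

# Lines 1-7 are the rules as first posted in the thread; line 9 is a constructed
# score override that uses a made-up stock rule name.
SAMPLE = r'''body HELPFULOFFERS /helpfuloffers.com/i
describe HELPFULOFFERS "spam from helpfuloffers.com"
score HELPFULOFFERS 100.0

body EMAILBUCKS.COM /emailbucks.com/i
describe EMAILBUCKS.COM "spam from emailbucks.com"
score EMAILBUCKS.COM 100.0

score EXAMPLE_STOCK_RULE 0
'''


def literal_dot_positions(pattern):
    """Indexes of unescaped '.' outside [...] that sit between two alphanumerics."""
    hits, i, in_class = [], 0, False
    while i < len(pattern):
        c = pattern[i]
        if c == "\\":
            i += 2  # skip the escaped character, e.g. "\."
            continue
        if c == "[":
            in_class = True
        elif c == "]":
            in_class = False
        elif c == "." and not in_class:
            before = i > 0 and pattern[i - 1].isalnum()
            after = i + 1 < len(pattern) and pattern[i + 1].isalnum()
            if before and after:
                hits.append(i)
        i += 1
    return hits


def escape_dots(pattern):
    """Return the pattern with those dots escaped, leaving everything else alone."""
    out = list(pattern)
    for i in literal_dot_positions(pattern):
        out[i] = "\\."
    return "".join(out)


def lint(text):
    """Check body/describe/score lines; return Findings ordered by line number."""
    findings, defined, scored = [], set(), []
    for lineno, raw in enumerate(text.splitlines(), 1):
        parts = raw.strip().split(None, 2)
        if not parts or parts[0] not in ("body", "describe", "score"):
            continue  # blank lines, comments and other directives are not covered
        if len(parts) < 3:
            findings.append(Finding(lineno, "error", None, "expected NAME and VALUE"))
            continue
        directive, name, value = parts
        if not RULE_NAME.match(name):
            findings.append(Finding(lineno, "error", name, "invalid character in rule name"))
        if directive == "body":
            defined.add(name)
            m = BODY_PATTERN.match(value)
            if not m:
                findings.append(Finding(lineno, "error", name, "pattern is not /regex/flags"))
            elif literal_dot_positions(m.group(1)):
                fixed = "/%s/%s" % (escape_dots(m.group(1)), m.group(2))
                findings.append(Finding(lineno, "warning", name,
                                        "unescaped '.' matches any character; use " + fixed))
        elif directive == "score":
            try:
                scored.append((lineno, name, float(value.split()[0])))
            except ValueError:
                findings.append(Finding(lineno, "error", name, "score is not a number"))
    for lineno, name, score in scored:
        if name not in defined:
            verb = "disables" if score == 0 else "overrides"
            findings.append(Finding(lineno, "info", name,
                                    verb + " a rule not defined in this file (stock rule or typo)"))
    return sorted(findings, key=lambda f: f.line)


if __name__ == "__main__":
    for f in lint(SAMPLE):
        print("line %d: %s: %s: %s" % (f.line, f.level, f.rule, f.message))
```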
From: lindsay at pa.net (Lindsay Snider)
Date: Thu Jan 12 21:17:14 2006
Subject: changing user and group
In-Reply-To: <083701c2d79d$f9247ab0$02ee22cb@rogue>
References: <5.2.0.9.2.20030218092206.02f0b908@imap.ecs.soton.ac.uk> <083701c2d79d$f9247ab0$02ee22cb@rogue>
Message-ID: <200302181807.11138.lindsay@pa.net>

On the server I'm having difficulty setting the user/group id, I am also running perl 5.6.1-34.99.6. For me, the mailscanner is dying on line 740 of Sendmail.pm. Line 740 reads:

unless (chdir $queuedirname) {

Within the 'unless', a log entry is posted and next is called. However, nothing within or after the loop gets executed. I tried adding 'chdir $queuedirname' a few lines before the 'unless' and that then too dies. I debug printed the chdir $queuedirname and switched to the directory as the user in bash and it worked fine. I also wrote a perl script that setuid's and changes to the directory, that too worked. Seems to be a perl bug.

Cameron, do you want to see if mailscanner is dying at the same place for you? I'm not in a good position to upgrade my perl but if that is something you can try, want to see if that helps?

Good luck!
lindsay

On Tuesday 18 February 2003 17:35, you wrote:
> Yes, as I was just testing it, so I changed it to my uid and gid.
>
> I'm running Red Hat 7.3 with all the latest rpms.
> sendmail 8.11.6-15
> perl 5.6.1-34.99.6
> on a celeron 400
>
> Cameron
>
> > Does the user you are running as have a real home directory that it can
> > read from and write to?
> > --
> > Julian Field
> > www.MailScanner.info
> > MailScanner thanks transtec Computers for their support

From gavin at NETERGY.COM Tue Feb 18 23:10:36 2003
From: gavin at NETERGY.COM (Gavin Nelmes-Crocker) Date: Thu Jan 12 21:17:14 2006 Subject: Cobalt/ Sendmail Problem Message-ID: Ok Guys, I'm starting to knock my head against the familiar brick wall. The Problem I think this is possibly specific to Cobalt or more possibly something stupid that I am doing and I just can't see what. First I rebuild a Cobalt and install all the patches (actually this bit is automatic) Then I do the web based setup :- domain, password, time zone etc and then I go about installing Mailscanner using a script and the rpms. stop sendmail and startup MailScanner. Now I look at the maillog and I see everything is working normally except that when MailScanner writes a log entry it shows as a time almost exactly 8hours earlier than the RaQ is running. I know there can be 2 system times the motherboard time and the OS time but I can't remember where or how to see the different ones and make sure that they are synced. I used to see this problem when I took the MailScanner src rpm and rebuilt it then installed it now I see it every time I do a blooming install, this is driving me nuts I have a pkg all done to release except for this error. Bear in mind that I have a production server running exactly the same setup and using the same install script that I am now using (I've even ditched the pkg and gone back a step to try and isolate if I screwed up somewhere) I've discussed this briefly with Julian off list but don't want to pester him. Maybe someone can see the wood through the trees and point me in the right direction. Thanks Gavin From linux at mostert.nom.za Wed Feb 19 07:12:27 2003 
From: linux at mostert.nom.za (Mozzi)
Date: Thu Jan 12 21:17:14 2006
Subject: changing user and group(poll)
In-Reply-To: <200302181807.11138.lindsay@pa.net>
References: <5.2.0.9.2.20030218092206.02f0b908@imap.ecs.soton.ac.uk> <083701c2d79d$f9247ab0$02ee22cb@rogue> <200302181807.11138.lindsay@pa.net>
Message-ID: <200302190912.27760.linux@mostert.nom.za>

So is anyone on the list running MS successfully on a Red Hat 7.3 server?
I have upgraded my perl and still it is a problem

Mozzi

On Wednesday 19 February 2003 01:07, Lindsay Snider wrote:
> On the server I'm having difficulty setting the user/group id, I am also
> running perl 5.6.1-34.99.6. For me, the mailscanner is dying on line 740
> of Sendmail.pm. Line 740 reads:
>
> unless (chdir $queuedirname) {
>
> Within the 'unless', a log entry is posted and next is called. However,
> nothing within or after the loop gets executed. I tried adding 'chdir
> $queuedirname' a few lines before the 'unless' and that then too dies. I
> debug printed the chdir $queuedirname and switched to the directory as the
> user in bash and it worked fine. I also wrote a perl script that setuid's
> and changes to the directory, that too worked. Seems to be a perl bug.
>
> Cameron, do you want to see if mailscanner is dying at the same place for
> you? I'm not in a good position to upgrade my perl but if that is
> something you can try, want to see if that helps?
>
> Good luck!
> lindsay
>
> On Tuesday 18 February 2003 17:35, you wrote:
> > Yes, as I was just testing it, so I changed it to my uid and gid.
> >
> > I'm running Red Hat 7.3 with all the latest rpms.
> > sendmail 8.11.6-15
> > perl 5.6.1-34.99.6
> > on a celeron 400
> >
> > Cameron
> >
> > > Does the user you are running as have a real home directory that it can
> > > read from and write to?
> > > --
> > > Julian Field
> > > www.MailScanner.info
> > > MailScanner thanks transtec Computers for their support

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
Mailscanner thanks transtec Computers for their support.

From raymond at PROLOCATION.NET Wed Feb 19 07:17:40 2003
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:17:14 2006
Subject: changing user and group(poll)
In-Reply-To: <200302190912.27760.linux@mostert.nom.za>
Message-ID:

Hi!

> So is anyone on the list running MS successfully on a Red Hat 7.3 server?
> I have upgraded my perl and still it is a problem

Yes, runs like a charm.

Bye,
Raymond.

From joe at QITC.CO.UK Wed Feb 19 11:15:48 2003
From: joe at QITC.CO.UK (Joe Quinn)
Date: Thu Jan 12 21:17:14 2006
Subject: f-prot sit down? Causing problems with autoupdate
References:
Message-ID: <037601c2d808$4203abb0$18720550@T20>

Hi,

I noticed that we weren't getting email so tailed the maillog and nothing was coming in so I did;

ps -auxw | grep -i mail

and noticed that the f-prot autoupdate was still trying to run. Does MailScanner stop while the autoupdate is running?

When I checked the incoming mail queue there were plenty of emails but no scanning was being done.

Anyway, I killed the autoupdate and now MailScanner is running again and we are getting plenty emails.

Is this a problem with the autoupdate script? Perhaps a timeout if the f-prot site is down?

Regards,

Joe
www.qitc.net

From joe at QITC.CO.UK Wed Feb 19 11:24:47 2003
From: joe at QITC.CO.UK (Joe Quinn)
Date: Thu Jan 12 21:17:14 2006
Subject: Custom spam score
References: <9F18B7DDBA88E544AB1F1995148916660145E0@lkl63.ltkalmar.se> <005201c2d774$26dea9a0$0d4bd3c8@A3C4J5> <007201c2d776$21e6ecd0$01000001@Compaq>
Message-ID: <038901c2d809$8307b1a0$18720550@T20>

> I'm trying to set custom spam scores for email from certain sources but it
> doesn't seem to work. In the /etc/MailScanner/spam.assassin.prefs.conf file,
> I've put;
>
> body HELPFULOFFERS /helpfuloffers.com/i
> describe HELPFULOFFERS "spam from helpfuloffers.com"
> score HELPFULOFFERS 100.0
>
> body EMAILBUCKS.COM /emailbucks.com/i
> describe EMAILBUCKS.COM "spam from emailbucks.com"
> score EMAILBUCKS.COM 100.0
>
> to hopefully catch the reply to address in the body of the email. As I've
> set the high score spam action to delete, I hoped it would get rid of
> these.....
>

Let's forget the emailbucks one just now, if I concentrate on the one below;

body HELPFULOFFERS /helpfuloffers.com/i
describe HELPFULOFFERS "spam from helpfuloffers.com"
score HELPFULOFFERS 100.0

All I'm trying to do is have any email with helpfuloffers tagged as spam with a score of 100 then it gets deleted. I've tried the above but it doesn't work. What am I doing wrong?

Regards,

Joe
www.qitc.net

From mailscanner at ecs.soton.ac.uk Wed Feb 19 11:56:34 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:14 2006
Subject: changing user and group(poll)
In-Reply-To:
References: <200302190912.27760.linux@mostert.nom.za>
Message-ID: <5.2.0.9.2.20030219115623.04574f90@imap.ecs.soton.ac.uk>

At 07:17 19/02/2003, you wrote:
>Hi!
>
> > So is anyone on the list running MS successfully on a Red Hat 7.3 server?
> > I have upgraded my perl and still it is a problem
>
>Yes, runs like a charm.

Me too
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Wed Feb 19 12:01:56 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:14 2006 Subject: f-prot sit down? Causing problems with autoupdate In-Reply-To: <037601c2d808$4203abb0$18720550@T20> References: Message-ID: <5.2.0.9.2.20030219120109.0451f868@imap.ecs.soton.ac.uk> I have moved the "Lock out MailScanner" code further down in the script, so if the FTP server fails in such a way that it can't timeout then MailScanner will continue to operate as normal. This will be included in the next release. At 11:15 19/02/2003, you wrote: >Hi, > >I noticed that we weren't getting email so tailed the maillog and nothing >was coming in so I did; > >ps -auxw | grep -i mail > >and noticed that the f-prot autoupdate was still trying to run. Does >MailScanner stop while the autoupdate is running? > >When I checked the incoming mail queue there were plenty of emails but no >scanning was being done. > >Anyway, I killed the autoupdate and now MailScanner is running again and we >are getting plenty emails. > >Is this a problem with the autoupdate script? Perhaps a timeout if the >f-prot site is down? > >Regards, > >Joe >www.qitc.net -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From mikew at CRUCIS.NET Wed Feb 19 13:46:21 2003 
From: mikew at CRUCIS.NET (Mike Watson)
Date: Thu Jan 12 21:17:14 2006
Subject: changing user and group(poll)
In-Reply-To: <5.2.0.9.2.20030219115623.04574f90@imap.ecs.soton.ac.uk>
References: <200302190912.27760.linux@mostert.nom.za> <5.2.0.9.2.20030219115623.04574f90@imap.ecs.soton.ac.uk>
Message-ID: <200302190746.21594.mikew@crucis.net>

On Wednesday 19 February 2003 05:56 am, you wrote:
> At 07:17 19/02/2003, you wrote:
> >Hi!
> >
> > > So is anyone on the list running MS successfully on a Red Hat 7.3
> > > server? I have upgraded my perl and still it is a problem
> >
> >Yes, runs like a charm.
>
> Me too

No problem here either.

--
Registered Linux - 256979
NRA Life
ARS: W?TMW

--
This message has been scanned for viruses and dangerous content by F-Prot and MailScanner, and is believed to be clean.

From kovalcik at ORION-DESIGN.COM Wed Feb 19 13:59:06 2003
From: kovalcik at ORION-DESIGN.COM (Tom Kovalcik)
Date: Thu Jan 12 21:17:14 2006
Subject: changing user and group(poll)
In-Reply-To:
References: <200302190912.27760.linux@mostert.nom.za>
Message-ID: <5.2.0.9.0.20030219085844.04089cd0@oriongw>

I am also running on 7.3 with no problems.

At 08:17 AM 2/19/2003 +0100, you wrote:
>Hi!
>
> > So is anyone on the list running MS successfully on a Red Hat 7.3 server?
> > I have upgraded my perl and still it is a problem
>
>Yes, runs like a charm.
>
>Bye,
>Raymond.

Tom Kovalcik
Orion Design Technologies
122 Mast Road
Lee, NH 03824
Phone: (603) 659-9800 x104
FAX: (603) 659-9870
kovalcik@orion-design.com
Web site: http://www.orion-design.com

From adkinss at OHIO.EDU Wed Feb 19 13:48:01 2003
From: adkinss at OHIO.EDU (Scott Adkins)
Date: Thu Jan 12 21:17:14 2006
Subject: Custom spam score
In-Reply-To: <200302182208.h1IM8gu12234@kzin.ucsc.edu>
References: <200302182208.h1IM8gu12234@kzin.ucsc.edu>
Message-ID: <583858263.1045644481@Callisto>

--On Tuesday, February 18, 2003 2:08 PM -0800 John Rudd wrote:

>> --On Tuesday, February 18, 2003 1:47 PM -0500 Denis Beauchemin
>>
>> wrote:
>> > Your mods gave an error... I corrected it by removing the "." in all
>> > occurrences of "EMAILBUCKS.COM".
>>
>> What if you put a backslash in front of it? The "." has special meaning
>> in regular expressions (meaning, "match any character in that position").
>>
>> >> body EMAILBUCKS.COM /emailbucks.com/i
>
> I think you misunderstood what he's saying.
>
> He didn't say remove the dot from the regular expression, he said remove
> the dot from the RULE name. So it would look like:
>
> body EMAILBUCKSCOM /emailbucks.com/i
>
> Though, yes, it would also be a good idea to escape the . in the regular
> expression.

Yeah, I picked up on that :) Thanks for the clarification... :)

Scott
--
+-----------------------------------------------------------------------+
Scott W. Adkins http://www.cns.ohiou.edu/~sadkins/
UNIX Systems Engineer mailto:adkinss@ohio.edu
ICQ 7626282 Work (740)593-9478 Fax (740)593-1944
+-----------------------------------------------------------------------+
PGP Public Key available at http://www.cns.ohiou.edu/~sadkins/pgp/

From campbell at CNPAPERS.COM Wed Feb 19 13:50:55 2003
From: campbell at CNPAPERS.COM (Stephe Campbell) Date: Thu Jan 12 21:17:14 2006 Subject: Old RBL problem References: <200302190912.27760.linux@mostert.nom.za> <5.2.0.9.2.20030219115623.04574f90@imap.ecs.soton.ac.uk> Message-ID: <003e01c2d81d$ed025740$4801a8c0@cnpapers.net> Mr. Field, I just wanted to update you on a problem that seemed to go on for ever which we were discussing about RBL checks in MS and SA. I was having a problem with SA not doing RBL checks and MS only checking for the last relay, which would not suit my needs. After watching the list for a while, another person was having the same problem with SA not doing the RBL checks. The solution turned out to be the version of Perl Net::DNS which was installed. For any who may be interested: RedHat 7.3 sendmail 8.11.6-15 vimap (imap 2001a-10.virtual) MailScanner 4.12-2 spamassassin 2.44 perl 5.6.1-34 perl Net::DNS 0.32-1 (0.31 would not work, though I never saw error messages) The perl module was all that needed changing to make it happen! Everything is installed from RPMs where possible. Thanks for the efforts you put into this problem and the efforts you and everyone else have made to make MS possible. Steve Campbell campbell@cnpapers.com From joe at QITC.CO.UK Wed Feb 19 15:58:10 2003 From: joe at QITC.CO.UK (Joe Quinn) Date: Thu Jan 12 21:17:14 2006 Subject: Custom spam score References: <9F18B7DDBA88E544AB1F1995148916660145E0@lkl63.ltkalmar.se> <005201c2d774$26dea9a0$0d4bd3c8@A3C4J5> <007201c2d776$21e6ecd0$01000001@Compaq> <038901c2d809$8307b1a0$18720550@T20> <1045666320.2167.44.camel@dbeauchemin.si.usherbrooke.ca> Message-ID: <004501c2d82f$b3ab84a0$2d30c3c1@T20> Yipeeeeeeeee! Thanks, it now works perfectly! Thanks. :-) Why would it make a difference using tabs instead of spaces? Regards, Joe www.qitc.net From Peter.Bates at LSHTM.AC.UK Wed Feb 19 17:44:59 2003 
From: Peter.Bates at LSHTM.AC.UK (Peter Bates)
Date: Thu Jan 12 21:17:14 2006
Subject: Sophos related questions...
Message-ID:

Hello all...

Just a few quickies about Sophos in conjunction with MS.

I was experiencing the 'corrupt files' issue, applied Julian's patches, and was then still confused to find some messages/attachments being labelled as 'corrupt'. It was at that point I noticed I was still running Sophos 3.63, when I'd assumed I'd put 3.66 on earlier this month...

Two questions...

1) Is there any way of identifying Sophos as being 'well out of date', and firing off a warning 'Your AV scanner is really old and creaky' sort of message as part of MS?

2) When I first started to investigate properly, 'sweep' wouldn't run because it couldn't find vdl.dat because /usr/local/Sophos/lib wasn't referenced in /etc/ld.so.conf, and equally /usr/local/Sophos/bin still isn't in my $PATH... presumably MS sidesteps both of these configuration errors on my part?

3) /usr/local/Sophos has about 129 '363.200302181701' type directories... I'm presuming these are part of the autoupdate process, but does their existence show it isn't updating correctly, and when can I safely tidy them up and throw them away? (from cron?)

...

--------------------------------------------------------------------------------------------------->
Peter Bates, Systems Support Officer, Network Support Team.
London School of Hygiene & Tropical Medicine.
Telephone:0207-958 8353 / Fax: 0207- 636 9838

From Kevin.Spicer at BMRB.CO.UK Wed Feb 19 18:15:35 2003
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin)
Date: Thu Jan 12 21:17:14 2006
Subject: Sophos related questions...
Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0A4AD31@pascal.priv.bmrb.co.uk>

> Two questions...
>
> 1) Is there any way of identifying Sophos as being 'well out of date',
> and firing off a warning 'Your AV scanner is really old and
> creaky' sort of message
> as part of MS?
>

Normally you get mailed an error message (it's not a very helpful message though) from the autoupdate script when Sophos stop supplying IDE's for your version at which point it needs updating urgently. Given that Sophos updates their engine at the start of each month and supplies updates for three months your best bet is to set yourself a two monthly reminder to upgrade the engine. I would suggest using the engine on the website not the one from the disc as the disc is always a month behind.

>
> 3) /usr/local/Sophos has about 129 '363.200302181701'
> type directories... I'm presuming these are part of the
> autoupdate process,

Yes, but they should be deleted (there should be only one of them present) - probably the autoupdate script is bombing before the point it deletes them [3.63 isn't supported by Sophos anymore so the script should be bombing!]

> but does their existence show it isn't updating correctly,
> and when can I safely tidy them up
> and throw them away? (from cron?)

Upgrade to 3.66 now and then get rid of all the 363 directories (I think you'll find they are all empty anyway - at least those beginning 363.200302). You need to take a look at where mail sent to the mailscanner user (probably root if you use sendmail) is going to as you should be seeing mails for every failed upgrade attempt (unless you're just deleting them).
BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000

From mailscanner at ecs.soton.ac.uk Wed Feb 19 18:24:21 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:14 2006
Subject: Sophos related questions...
In-Reply-To:
Message-ID: <5.2.0.9.2.20030219182114.02311e38@imap.ecs.soton.ac.uk>

At 17:44 19/02/2003, you wrote:
>1) Is there any way of identifying Sophos as being 'well out of date',
>and firing off a warning 'Your AV scanner is really old and creaky' sort
>of message
>as part of MS?

I will take a look at that one. The updater may already be able to do this. I just need to find an out-of-date copy :-(

>2) When I first started to investigate properly, 'sweep' wouldn't run
>because it couldn't find vdl.dat because /usr/local/Sophos/lib wasn't
>referenced in /etc/ld.so.conf, and equally /usr/local/Sophos/bin still isn't
>in my $PATH... presumably MS sidesteps both of these configuration errors
>on my part?

MailScanner uses its "sophos-wrapper" script which solves all these problems. Run sophos-wrapper instead of sweep.

>3) /usr/local/Sophos has about 129 '363.200302181701'
>type directories... I'm presuming these are part of the autoupdate process,
>but does their existence show it isn't updating correctly, and when can I
>safely tidy them up
>and throw them away? (from cron?)

The "ide" directory is actually a soft-link to the latest numbered directory. Don't delete the latest one! The other ones should be removed by the sophos-autoupdate script anyway, I am interested to know why it isn't...
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Wed Feb 19 18:26:18 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:14 2006
Subject: Sophos related questions...
In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB0A4AD31@pascal.priv.bmrb.co.uk>
Message-ID: <5.2.0.9.2.20030219182511.023422c0@imap.ecs.soton.ac.uk>

At 18:15 19/02/2003, you wrote:
> > Two questions...
> >
> > 1) Is there any way of identifying Sophos as being 'well out of date',
> > and firing off a warning 'Your AV scanner is really old and
> > creaky' sort of message
> > as part of MS?
> >
>Normally you get mailed an error message (it's not a very helpful message
>though) from the autoupdate script when Sophos stop supplying IDE's for
>your version at which point it needs updating urgently.

I have improved the script so that the error message should now be more helpful.
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From etate01 at sun.hazelwood.k12.mo.us Wed Feb 19 18:43:22 2003
From: etate01 at sun.hazelwood.k12.mo.us (Ed Tate)
Date: Thu Jan 12 21:17:14 2006
Subject: HTML-Parser won't compile on Solaris 2.6
Message-ID: <000001c2d846$d9f68f80$be46460a@hazelwood.k12.mo.us>

I'm trying to upgrade mailscanner, spamassassin, et al. to the latest releases. I was at version 3.22 of Mailscanner before this. I'm running on a Sun Solaris 2.6, Perl 5.8, and gcc compiler.

Try as I might, I just cannot get HTML-Parser to compile and I don't have enough experience with Perl to understand what to do. I've tried changing the compiler definitions to gcc as Julian suggests in his hints but that doesn't help much either. Version 2.25 of this compiles great but SpamAssassin requires v3. HTML-Tagset went without a hitch.

Any hints? Thanks.

Here's what's happening:

# make
/opt/SUNWspro/bin/cc -c -I/usr/local/include -I/opt/gnu/include -D_LARGEFILE_S
OURCE -D_FILE_OFFSET_BITS=64 -O -DVERSION=\"3.26\" -DXS_VERSION=\"3.26\"
-KPIC
"-I/usr/local/lib/perl5/5.8.0/sun4-solaris/CORE" -DMARKED_SECTION Parser.c

License Error : Cannot connect to the license server (sun)..
for product(SPARCompiler C).
(License server may not have been started)
cc: acomp failed for Parser.c
make: *** [Parser.o] Error 2
#

Ed Tate (etate01@hazelwoodschools.org)
Coordinator of Technology Services
Hazelwood School District
Florissant, Missouri

From hciss at HCIWS.COM Wed Feb 19 18:50:13 2003
From: hciss at HCIWS.COM (Matt) Date: Thu Jan 12 21:17:14 2006 Subject: Checking Mailscanner Message-ID: <006801c2d847$c0c8fbf0$6401a8c0@matthew> Has anyone written a script that checks to ensure Mailscanner is scanning messages for viruses and if not email a warning to the system admin? I am running Mailscanner 3.27 and F-prot on a Raq4i and for some reason it stopped scanning yesterday and naturally one of my users got infected with a virus in that time. I stopped it, killed it and restarted it and now it is going again. Matt From mailscanner at ecs.soton.ac.uk Wed Feb 19 19:02:37 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:14 2006 Subject: Checking Mailscanner In-Reply-To: <006801c2d847$c0c8fbf0$6401a8c0@matthew> Message-ID: <5.2.0.9.2.20030219190110.027d5a20@imap.ecs.soton.ac.uk> At 18:50 19/02/2003, you wrote: >Has anyone written a script that checks to ensure Mailscanner is scanning >messages for viruses and if not email a warning to the system admin? > >I am running Mailscanner 3.27 and F-prot on a Raq4i and for some reason it >stopped scanning yesterday and naturally one of my users got infected with a >virus in that time. I stopped it, killed it and restarted it and now it is >going again. Did the default "sendmail" processes start? You need to stop your Raq from starting the default sendmail processes, as otherwise viruses can (and, in your case, did) get through. Hopefully someone else can help you do this (or search Google for "raqfaq mailscanner". -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From jharnish at CI.GRAND-RAPIDS.MI.US Wed Feb 19 19:08:07 2003 
From: jharnish at CI.GRAND-RAPIDS.MI.US (Harnish, Joe)
Date: Thu Jan 12 21:17:14 2006
Subject: spam.scanning.rules
Message-ID: <221C759285B78647AEE6181FD6AF36A703A8E240@bambi.grand-rapids.mi.us>

Hello,

I am wondering how easy it would be to add a file called spam.scanning.rules and implement it the same as the virus.scanning.rules? I need to apply SpamAssassin to only a select few accounts and I think this would be a very easy way of accomplishing it.

Thanks

Joseph Harnish
Northrop Grumman
City of Grand Rapids

From nerijus at USERS.SOURCEFORGE.NET Wed Feb 19 19:20:38 2003
From: nerijus at USERS.SOURCEFORGE.NET (Nerijus Baliunas)
Date: Thu Jan 12 21:17:14 2006
Subject: HTML-Parser won't compile on Solaris 2.6
In-Reply-To: <000001c2d846$d9f68f80$be46460a@hazelwood.k12.mo.us>
References: <000001c2d846$d9f68f80$be46460a@hazelwood.k12.mo.us>
Message-ID: <200302191929.h1JJTIi7011829@mx.ktv.lt>

On Wed, 19 Feb 2003 12:43:22 -0600 Ed Tate wrote:

> I'm running on a Sun Solaris 2.6, Perl 5.8, and gcc compiler.
>
> Try as I might, I just cannot get HTML-Parser to compile and I don't have
> enough experience with Perl to understand what to do. I've tried changing
> the compiler definitions to gcc as Julian suggests in his hints but that
> doesn't help much either. Version 2.25 of this compiles great but
> SpamAssassin requires v3. HTML-Tagset went without a hitch.

> Here's what's happening:
>
> # make
> /opt/SUNWspro/bin/cc -c -I/usr/local/include -I/opt/gnu/include

Don't you see it's using Sun's cc, not gcc?

> -D_LARGEFILE_S
> OURCE -D_FILE_OFFSET_BITS=64 -O -DVERSION=\"3.26\" -DXS_VERSION=\"3.26\"
> -KPIC
> "-I/usr/local/lib/perl5/5.8.0/sun4-solaris/CORE" -DMARKED_SECTION Parser.c
>
> License Error : Cannot connect to the license server (sun)..
> for product(SPARCompiler C).

The same here. Check Makefiles, or point (link) cc to gcc.

Regards,
Nerijus

From mailscanner at ecs.soton.ac.uk Wed Feb 19 19:32:55 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:14 2006
Subject: spam.scanning.rules
In-Reply-To: <221C759285B78647AEE6181FD6AF36A703A8E240@bambi.grand-rapids.mi.us>
Message-ID: <5.2.0.9.2.20030219193145.027af6d8@imap.ecs.soton.ac.uk>

At 19:08 19/02/2003, you wrote:
>I am wondering how easy it would be to add a file called
>spam.scanning.rules and implement it the same as the virus.scanning.rules?

You already can. Just set something along the lines of

Spam Checks = /etc/MailScanner/rules/spam.scanning.rules

and put rules in there. You can do this for virtually any parameter.

> I need to apply SpamAssassin to only a select few accounts and I think
> this would be a very easy way of accomplishing it.

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From kwang at UCALGARY.CA Wed Feb 19 23:04:35 2003
From: kwang at UCALGARY.CA (Kai Wang)
Date: Thu Jan 12 21:17:14 2006
Subject: Name server timeout and I/O error
Message-ID: <3E540D83.CF2C410B@ucalgary.ca>

Hello,

We run MailScanner 4.12-2 and sendmail 8.11.6. I noticed we have many I/O errors on our MailScanner server. I did some investigation. It seems that sendmail checks the domain names in the data part of the message. Is there a way to disable this kind of checking?

[root@mhub2 mqueue]# time /usr/sbin/sendmail -v -qIh1GNRAw02189

Running /var/spool/mqueue/h1GNRAw02189 (sequence 1 of 1)
... Connecting to mr1.ucalgary.ca. via relay...
220 mr1.ucalgary.ca ESMTP Postfix
>>> EHLO mhub2.ucalgary.ca
250-mr1.ucalgary.ca
250-PIPELINING
250-SIZE 61440000
250-ETRN
250-XVERP
250 8BITMIME
>>> MAIL From: SIZE=18392
250 Ok
>>> RCPT To:
250 Ok
>>> DATA
354 End data with .
evolution.optdeals.com: Name server timeout
I/O error
Closing connection to mr1.ucalgary.ca.

real 3m44.565s
user 0m0.010s
sys 0m0.010s

[root@mhub2 mqueue]# less qfh1GNRAw02189
V4
T1045438030
K1045683344
N1271
P114563178
I8/7/32232
MI/O error: Input/output error
Fwb
$_mserve4.acs.ucalgary.ca [136.159.34.57]
$rESMTP
$sucalgary.ca
${daemon_flags}
${if_addr}136.159.34.162
S
RPFD:
H?P?Return-Path: <<81>g>
H??Received: from ucalgary.ca (mserve4.acs.ucalgary.ca [136.159.34.57]) by mhub1.ucalgary.ca (8.11.6/8.11.6) with ESMTP id h1GNRAw02189 for ; Sun, 16 Feb 2003 16:27:10 -0700
H??Received: from outbound01.telus.net(199.185.220.220) by mserve4.acs.ucalgary.ca via smap (V2.0) id ZZ167130; Sun, 16 Feb 2003 16:26:58 -0700
H??Received: from Fpd ([66.222.233.176]) by priv-edtnes61.telusplanet.net (InterMail vM.5.01.05.17 201-253-122-126-117-20021021) with SMTP id <20030216232654.HSNF15786.priv-edtnes61.telusplanet.net@Fpd> for ; Sun, 16 Feb 2003 16:26:54 -0700
H??From: UNAME3
H??To: UNAME2@ucalgary.ca
H??Subject: {Virus?} A IE 6.0 patch
H??MIME-Version: 1.0
H??Content-type: multipart/mixed; boundary="Qp0eXY28L6btnm994g"
H??Message-Id: <20030216232654.HSNF15786.priv-edtnes61.telusplanet.net@Fpd>
H??Date: Sun, 16 Feb 2003 16:26:57 -0700
H??X-MailScanner: Found to be infected
H??X-MailScanner-Information: Please contact IT Help Desk at (403) 220-5555 for more information
.

Thanks

Kai Wang

From dbowen1 at MAC.COM Thu Feb 20 06:36:05 2003
From: dbowen1 at MAC.COM (Dan Bowen) Date: Thu Jan 12 21:17:14 2006 Subject: Checking Mailscanner In-Reply-To: <006801c2d847$c0c8fbf0$6401a8c0@matthew> Message-ID: <964F9694-449D-11D7-A637-0050E4668E3F@mac.com> Yes Actually, I just did that today. it is very simple though, and not mailscanner specific. What it does, is check the mail queue directories at regular intervals (30 minute cron job in my case) and email the postmaster when any of the queues get more messages than an allowed number in them. The script includes the queue name and the number of messages in the queue. I can email it to you if it sounds like you would like it, it's in perl. Dan Bowen On Wednesday, February 19, 2003, at 01:50 PM, Matt wrote: > Has anyone written a script that checks to ensure Mailscanner is > scanning > messages for viruses and if not email a warning to the system admin? > > I am running Mailscanner 3.27 and F-prot on a Raq4i and for some > reason it > stopped scanning yesterday and naturally one of my users got infected > with a > virus in that time. I stopped it, killed it and restarted it and now > it is > going again. > > Matt > From mailscanner at ecs.soton.ac.uk Thu Feb 20 10:07:02 2003 
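The queue check Dan describes, as an added example that is not his Perl script: it counts the `qf` control files in each queue directory (the naming seen in the sendmail queue listing earlier in this archive) and builds a warning mail naming every queue over its limit. The directory names, limits and host name are constructed for the demonstration.

```python
import os
import tempfile
from email.message import EmailMessage


def count_queued(queue_dir):
    """Count queued messages by their qf control files.

    A sendmail queue holds a qf (control) and a df (data) file per message,
    so counting every directory entry would double the figure.
    """
    with os.scandir(queue_dir) as entries:
        return sum(1 for e in entries if e.is_file() and e.name.startswith("qf"))


def check_queues(limits):
    """Return (queue_dir, count, limit) for every queue that needs attention.

    count is None when the directory cannot be read; that is reported too,
    because a check that cannot see the queue must not stay silent.
    """
    problems = []
    for queue_dir, limit in sorted(limits.items()):
        try:
            count = count_queued(queue_dir)
        except OSError:
            problems.append((queue_dir, None, limit))
            continue
        if count > limit:
            problems.append((queue_dir, count, limit))
    return problems


def build_alert(problems, host):
    """Build the warning mail, or return None when there is nothing to report."""
    if not problems:
        return None
    lines = []
    for queue_dir, count, limit in problems:
        if count is None:
            lines.append(f"{queue_dir}: queue directory unreadable")
        else:
            lines.append(f"{queue_dir}: {count} messages queued (limit {limit})")
    msg = EmailMessage()
    msg["From"] = f"queuecheck@{host}"
    msg["To"] = f"postmaster@{host}"
    msg["Subject"] = f"Mail queue warning on {host}"
    msg.set_content("\n".join(lines) + "\n")
    # From cron, hand the message to the local MTA:
    #   smtplib.SMTP("localhost").send_message(msg)
    return msg


def demo():
    """Check two constructed queues and one missing directory against a limit of 2."""
    with tempfile.TemporaryDirectory() as root:
        incoming = os.path.join(root, "mqueue.in")  # waiting to be scanned
        outgoing = os.path.join(root, "mqueue")     # waiting to be delivered
        os.mkdir(incoming)
        os.mkdir(outgoing)
        for i in range(3):
            for prefix in ("qf", "df"):
                open(os.path.join(incoming, f"{prefix}h1K{i:05d}"), "w").close()
        for prefix in ("qf", "df"):
            open(os.path.join(outgoing, f"{prefix}h1K00009"), "w").close()
        limits = {incoming: 2, outgoing: 2, os.path.join(root, "missing"): 2}
        problems = check_queues(limits)
        msg = build_alert(problems, "mail.example.org")
        summary = [(os.path.basename(q), c) for q, c, _ in problems]
        return summary, msg.get_content()


if __name__ == "__main__":
    print(demo()[1])
```

A backlog in the incoming queue is only a symptom of scanning having stopped, so the limit has to sit above the normal peak for the cron interval in use.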
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:14 2006 Subject: Name server timeout and I/O error In-Reply-To: <3E540D83.CF2C410B@ucalgary.ca> Message-ID: <5.2.0.9.2.20030220100558.02422958@imap.ecs.soton.ac.uk> From what I can see, this is a sendmail / DNS resolution problem on mr1.ucalgary.ca and not a MailScanner problem at all. At 23:04 19/02/2003, you wrote: >Hello, > >We run MailScanner 4.12-2 and sendmail 8.11.6. I noticed we have >many I/O error on our MailScanner server. I did some investigation. >It seems that sendmail checks the domain names in the data part of >the message. Is there a way to disable this kind of checking? > > > >[root@mhub2 mqueue]# time /usr/sbin/sendmail -v -qIh1GNRAw02189 > >Running /var/spool/mqueue/h1GNRAw02189 (sequence 1 of 1) >... Connecting to mr1.ucalgary.ca. via relay... >220 mr1.ucalgary.ca ESMTP Postfix > >>> EHLO mhub2.ucalgary.ca >250-mr1.ucalgary.ca >250-PIPELINING >250-SIZE 61440000 >250-ETRN >250-XVERP >250 8BITMIME > >>> MAIL 
From: SIZE=18392 >250 Ok > >>> RCPT To: >250 Ok > >>> DATA >354 End data with . >evolution.optdeals.com: Name server timeout >I/O error >Closing connection to mr1.ucalgary.ca. > >real 3m44.565s >user 0m0.010s >sys 0m0.010s >[root@mhub2 mqueue]# less qfh1GNRAw02189 >V4 >T1045438030 >K1045683344 >N1271 >P114563178 >I8/7/32232 >MI/O error: Input/output error >Fwb >$_mserve4.acs.ucalgary.ca [136.159.34.57] >$rESMTP >$sucalgary.ca >${daemon_flags} >${if_addr}136.159.34.162 >S >RPFD: >H?P?Return-Path: <<81>g> >H??Received: from ucalgary.ca (mserve4.acs.ucalgary.ca [136.159.34.57]) > by mhub1.ucalgary.ca (8.11.6/8.11.6) with ESMTP id h1GNRAw02189 > for ; Sun, 16 Feb 2003 16:27:10 -0700 >H??Received: from outbound01.telus.net(199.185.220.220) by >mserve4.acs.ucalgary.ca via smap (V2.0) > id ZZ167130; Sun, 16 Feb 2003 16:26:58 -0700 >H??Received: from Fpd ([66.222.233.176]) by >priv-edtnes61.telusplanet.net > (InterMail vM.5.01.05.17 201-253-122-126-117-20021021) with >SMTP > id ><20030216232654.HSNF15786.priv-edtnes61.telusplanet.net@Fpd> > for ; Sun, 16 Feb 2003 16:26:54 -0700 >H??From: UNAME3 >H??To: UNAME2@ucalgary.ca >H??Subject: {Virus?} A IE 6.0 patch >H??MIME-Version: 1.0 >H??Content-type: multipart/mixed; boundary="Qp0eXY28L6btnm994g" >H??Message-Id: ><20030216232654.HSNF15786.priv-edtnes61.telusplanet.net@Fpd> >H??Date: Sun, 16 Feb 2003 16:26:57 -0700 >H??X-MailScanner: Found to be infected >H??X-MailScanner-Information: Please contact IT Help Desk at (403) >220-5555 for more information >. > > > >Thanks >Kai Wang -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From Q.G.Campbell at NEWCASTLE.AC.UK Thu Feb 20 13:51:09 2003 From: Q.G.Campbell at NEWCASTLE.AC.UK (Quentin Campbell) Date: Thu Jan 12 21:17:14 2006 Subject: Sophos related questions... Message-ID: <08AC2E825474534ABB2D6EDB643FC7F819A32E@bond.ncl.ac.uk> > -----Original Message----- 
> From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] > Sent: 19 February 2003 18:26 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Sophos related questions... > > > At 18:15 19/02/2003, you wrote: > > > Two questions... > > > > > > 1) Is there any way of identifying Sophos as being 'well out of > > > date', and firing off a warning 'Your AV scanner is > really old and > > > creaky' sort of message as part of MS? > > > > >Normally you get mailed an error message (its not a very helpful > >message > >though) from the autoupdate script when Sophos stop > supplying IDE's for > >your version at which point it needs updating urgently. > > I have improved the script so that the error message should > now be more helpful. Julian Our "sophos-autoupdate" script stopped working recently because the /etc/wgetrc file (on Linux RedHat) had been replaced and thus information about our http proxy server lost. The "lynx" command (actually a "wget -q -O- ..." command was eventually timing out after 19(?) retries (since there was no route to the host) and an attempt was then being made to unzip a non-existent "n.nn_ide.zip" file by the sophos-autoupdate script! Will your mods to the error reporting deal correctly with these sorts of failures? Quentin --- PHONE: +44 191 222 8209 Computing Service, University of Newcastle FAX: +44 191 222 8765 Newcastle upon Tyne, United Kingdom, NE1 7RU. ------------------------------------------------------------------------ "Any opinion expressed above is mine. The University can get its own." From mailscanner at ecs.soton.ac.uk Thu Feb 20 14:36:30 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:14 2006 Subject: Sophos related questions... In-Reply-To: <08AC2E825474534ABB2D6EDB643FC7F819A32E@bond.ncl.ac.uk> Message-ID: <5.2.0.9.2.20030220143537.049b42d0@imap.ecs.soton.ac.uk> At 13:51 20/02/2003, you wrote: > > -----Original Message----- 
> > From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] > > Sent: 19 February 2003 18:26 > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: Re: Sophos related questions... > > > > > > At 18:15 19/02/2003, you wrote: > > > > Two questions... > > > > > > > > 1) Is there any way of identifying Sophos as being 'well out of > > > > date', and firing off a warning 'Your AV scanner is > > really old and > > > > creaky' sort of message as part of MS? > > > > > > >Normally you get mailed an error message (its not a very helpful > > >message > > >though) from the autoupdate script when Sophos stop > > supplying IDE's for > > >your version at which point it needs updating urgently. > > > > I have improved the script so that the error message should > > now be more helpful. > >Julian > >Our "sophos-autoupdate" script stopped working recently because the >/etc/wgetrc file (on Linux RedHat) had been replaced and thus >information about our http proxy server lost. > >The "lynx" command (actually a "wget -q -O- ..." command was eventually >timing out after 19(?) retries (since there was no route to the host) >and an attempt was then being made to unzip a non-existent >"n.nn_ide.zip" file by the sophos-autoupdate script! > >Will your mods to the error reporting deal correctly with these sorts of >failures? I have just added some more error detection to it so hopefully it will spot this happening. Attached is my latest version, which will be included in the next release unless I hear any bad reports about it. -------------- next part -------------- A non-text attachment was scrubbed... Name: sophos-autoupdate Type: application/octet-stream Size: 3673 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030220/e262f5cb/sophos-autoupdate.obj -------------- next part -------------- -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From raymond at PROLOCATION.NET Thu Feb 20 15:02:06 2003 
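The failure Quentin reports (a download that never arrived, followed by an attempt to unzip it) and the kind of error detection Julian mentions, as an added example that is not the attached sophos-autoupdate script: every step is checked before anything is unpacked, and each failure names the step that broke. The `fetch` callable, the URL, the `.ide` name rule and the sample archive are assumptions constructed for the demonstration.

```python
import io
import os
import tempfile
import zipfile


class UpdateError(Exception):
    """Raised with a message that says which step of the update failed."""


def install_ides(fetch, url, dest_dir):
    """Fetch an IDE archive, verify it, unpack it into dest_dir; return the names.

    fetch(url) -> bytes is a hypothetical downloader (it could wrap urllib or
    a wget call) that raises OSError when the server cannot be reached.
    """
    try:
        data = fetch(url)
    except OSError as exc:
        raise UpdateError(f"download of {url} failed: {exc}") from exc
    if not data:
        raise UpdateError(f"download of {url} returned no data")
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile as exc:
        raise UpdateError(f"{url} is not a zip archive (proxy error page?)") from exc
    with archive:
        damaged = archive.testzip()  # CRC-checks every member
        if damaged is not None:
            raise UpdateError(f"archive member {damaged} is corrupt")
        names = archive.namelist()
        if not names:
            raise UpdateError("archive is empty")
        for name in names:
            # Plain *.ide file names only: nothing may land outside dest_dir.
            plain = os.path.basename(name) == name and "\\" not in name
            if not plain or not name.lower().endswith(".ide"):
                raise UpdateError(f"unexpected archive member {name!r}")
        # Unpack beside the live files, then move each one into place, so a
        # failed extraction never leaves the scanner with a half-written set.
        with tempfile.TemporaryDirectory(dir=dest_dir) as staging:
            archive.extractall(staging)
            for name in names:
                os.replace(os.path.join(staging, name), os.path.join(dest_dir, name))
    return sorted(names)


def make_zip(members):
    """Build a constructed archive in memory for the demonstration."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, content in members.items():
            z.writestr(name, content)
    return buf.getvalue()


def fetch_no_route(url):
    raise TimeoutError("no route to host")  # TimeoutError is an OSError


def demo():
    url = "https://updates.example.invalid/ides.zip"  # placeholder URL
    good = make_zip({"sample-a.ide": b"constructed", "sample-b.ide": b"constructed"})
    cases = {
        "ok": lambda u: good,
        "no route": fetch_no_route,
        "error page": lambda u: b"<html>502 Bad Gateway</html>",
    }
    results = {}
    with tempfile.TemporaryDirectory() as dest:
        for label, fetch in cases.items():
            try:
                results[label] = install_ides(fetch, url, dest)
            except UpdateError as exc:
                results[label] = str(exc)
        results["installed"] = sorted(os.listdir(dest))
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label}: {outcome}")
```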
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:17:14 2006 Subject: Sophos related questions... In-Reply-To: <5.2.0.9.2.20030220143537.049b42d0@imap.ecs.soton.ac.uk> Message-ID: Hi! > >Will your mods to the error reporting deal correctly with these sorts of > >failures? > I have just added some more error detection to it so hopefully it will spot > this happening. Attached is my latest version, which will be included in > the next release unless I hear any bad reports about it. Will this be added for the other ones also? Since I had a similar issue with f-prot also where I accidentally removed wget :) Bye, Raymond. From ryanb at AACRAO.ORG Thu Feb 20 15:02:48 2003 From: ryanb at AACRAO.ORG (Bingham, Ryan) Date: Thu Jan 12 21:17:14 2006 Subject: spamassassin 2.5 Message-ID: <87D5B85DDDAAD111960F0060971C59D1019713F6@AACRAO4> Hi Julian, I just noticed that SA 2.5 with Bayesian filtering has been released. Any initial thoughts on how this will work with MS or how we should implement it? Thanks! Ryan -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From davide at hire.com Thu Feb 20 15:11:18 2003 
From: davide at hire.com (David Eckelkamp) Date: Thu Jan 12 21:17:14 2006 Subject: Sophos related questions... In-Reply-To: <5.2.0.9.2.20030219182114.02311e38@imap.ecs.soton.ac.uk> References: <5.2.0.9.2.20030219182114.02311e38@imap.ecs.soton.ac.uk> Message-ID: <15956.61462.670337.262259@locutus.hire.com> ++++ You [JF>] say: JF> At 17:44 19/02/2003, you wrote: JF> I will take a look at that one. The updater may already be able to do this. JF> I just need to find an out-of-date copy JF> :-( How old do you want? I have Sophos CDs dating back to March 2002. I can easily get you the linux tarball from the CD. DavidE From mailscanner at ecs.soton.ac.uk Thu Feb 20 15:08:58 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:14 2006 Subject: Sophos related questions... In-Reply-To: References: <5.2.0.9.2.20030220143537.049b42d0@imap.ecs.soton.ac.uk> Message-ID: <5.2.0.9.2.20030220150748.02e50500@imap.ecs.soton.ac.uk> At 15:02 20/02/2003, you wrote: >Hi! > > > >Will your mods to the error reporting deal correctly with these sorts of > > >failures? > > > I have just added some more error detection to it so hopefully it will spot > > this happening. Attached is my latest version, which will be included in > > the next release unless I hear any bad reports about it. > >Will this be added for the other ones also? Since i had a simmilar issue >with f-prot also where i accidently removed wget :) The F-Prot one should bail out with this error to your syslog and output: Updates download from http://updates.f-prot.com failed. Suspect server could not be reached. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From gerry at DORFAM.CA Thu Feb 20 15:26:06 2003 
From: gerry at DORFAM.CA (Gerry Doris) Date: Thu Jan 12 21:17:14 2006 Subject: SpamAssassin 2.50 Released Message-ID: SA 2.50 has now been released. I'd be interested in any feedback from those who decide to try it out. -- Gerry "The lyfe so short, the craft so long to learne" Chaucer From jrudd at UCSC.EDU Thu Feb 20 15:34:09 2003 From: jrudd at UCSC.EDU (John Rudd) Date: Thu Jan 12 21:17:14 2006 Subject: SpamAssassin 2.50 Released Message-ID: <200302201534.h1KFY9424440@kzin.ucsc.edu> > From: Gerry Doris > > SA 2.50 has now been released. I'd be interested in any feedback from those > who decide to try it out. > Well, it's beta released. Time to start developing around it, but not time to start deploying it, I think :-} From adkinss at OHIO.EDU Thu Feb 20 15:46:51 2003 
From: adkinss at OHIO.EDU (Scott Adkins) Date: Thu Jan 12 21:17:14 2006 Subject: Spam Assassin 2.50 and MailScanner Message-ID: <677386730.1045738011@Callisto> Okay, now that 2.50 is out, I am wondering how the Bayesian stuff will work with MailScanner. I am still trying to understand how all of that works... my understanding is that there is a per-user database of what is typically classified as spam and non-spam (ham). I also believe that using a global Bayesian database is not such a good idea, since what one user thinks is spam may not be another user's spam. So, if this is on a per-user basis, I don't see this working at all with MailScanner, since it really doesn't have a concept of users when it is processing the mail in the message queue. Any thoughts on how this will all work together? While I am at it, I might as well ask this too: I know that Spam Assassin is supposed to support ~/.spamassassinrc files (or something like that) which would allow users to set custom scores, add stuff to their white/black lists, etc. (I may be wrong on all this, but I thought that was the case). Again, I don't see how MailScanner would allow this to work... Thoughts on this? Scott -- +-----------------------------------------------------------------------+ Scott W. Adkins http://www.cns.ohiou.edu/~sadkins/ UNIX Systems Engineer mailto:adkinss@ohio.edu ICQ 7626282 Work (740)593-9478 Fax (740)593-1944 +-----------------------------------------------------------------------+ PGP Public Key available at http://www.cns.ohiou.edu/~sadkins/pgp/ From brose at MED.WAYNE.EDU Thu Feb 20 16:04:12 2003 
From: brose at MED.WAYNE.EDU (Rose, Bobby) Date: Thu Jan 12 21:17:14 2006 Subject: spamassassin 2.5 Message-ID: I've been using 2.50 CVS for a long time without any issues. My last update before this released version was from 2 weeks ago from CVS. -----Original Message----- From: Bingham, Ryan [mailto:ryanb@AACRAO.ORG] Sent: Thursday, February 20, 2003 10:03 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: spamassassin 2.5 Hi Julian, I just noticed that SA 2.5 with Bayesian filtering has been released. Any initial thoughts on how this will work with MS or how we should implement it? Thanks! Ryan -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Thu Feb 20 17:20:52 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:14 2006 Subject: SpamAssassin 2.50 Released In-Reply-To: Message-ID: <5.2.0.9.2.20030220171851.04a461c8@imap.ecs.soton.ac.uk> I have tried the CVS versions and had no real problems. I have just installed the released version. The spamc and spamd tests had trouble, but MailScanner doesn't care about those anyway. And if you have any trouble testing with the "spamassassin" script and sample-nonspam.txt / sample-spam.txt then just copy the 3 files to /tmp and run them from there and they are fine. It is now running live on 2 systems, I will let you know of any problems. At 15:26 20/02/2003, you wrote: >SA 2.50 has now been released. I'd be interested in any feedback from those >who decide to try it out. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From Peter.Bates at LSHTM.AC.UK Fri Feb 21 12:10:37 2003 
From: Peter.Bates at LSHTM.AC.UK (Peter Bates) Date: Thu Jan 12 21:17:14 2006 Subject: New March Sophos, 3.67... Message-ID: Hello all... Terribly premature of course (seeing as it has only just come out), but I've just been looking at the release notes for Sophos 3.67 - http://www.sophos.com/readmes/readunix.txt Other than it featuring 'Improved scanning of Petite files' (What???), I note this release features a new version of the SAV interface (version 3)... There is an explicit '-so' option to the install script to create a symlink from libsavi.so -> libsavi.so.3 ... I'm assuming MS doesn't actually use SAVI, but does anything in the release notes imply there might be a problem in just downloading this new release, and doing the normal 'Sophos.install' routine? ... ---------------------------------------------------------------------------------------------------> Peter Bates, Systems Support Officer, Network Support Team. London School of Hygiene & Tropical Medicine. Telephone:0207-958 8353 / Fax: 0207- 636 9838 From Peter.Bates at LSHTM.AC.UK Fri Feb 21 12:22:01 2003 
From: Peter.Bates at LSHTM.AC.UK (Peter Bates) Date: Thu Jan 12 21:17:14 2006 Subject: SpamAssassin 2.50 Released Message-ID: > mailscanner@ECS.SOTON.AC.UK 20/02/03 17:20:52 >>> >I have tried the CVS versions and had no real problems. >I have just installed the released version. >It is now running live on 2 systems, I will let you know of any problems. It seems to build OK here, but the razor2 tests fail because they claim I never ran 'razor-register' at some point, which I probably didn't. Running './spamassassin -t < sample-nonspam.txt > nonspam.out' and so forth seems to be fine, and the 'spam' sample registers in DCC and Razor2. As the default behaviour of SA seems now to be to avoid Subject: rewriting and to move identified 'spam' to an attachment rather than retain it in the body, is this a problem for MailScanner, or I guess it's only pertinent to people using procmail as MS must set very specific settings when initially loading the SA Perl modules? ... ---------------------------------------------------------------------------------------------------> Peter Bates, Systems Support Officer, Network Support Team. London School of Hygiene & Tropical Medicine. Telephone:0207-958 8353 / Fax: 0207- 636 9838 From steve.freegard at LBSLTD.CO.UK Fri Feb 21 13:06:58 2003 
From: steve.freegard at LBSLTD.CO.UK (Steve Freegard) Date: Thu Jan 12 21:17:14 2006 Subject: Spamassassin 2.50 & SQL logging Message-ID: <67D9E7698329D411936E00508B6590B90279316C@neelix.lbsltd.co.uk> Hi all, I'm evaluating MailScanner + SA 2.50/DCC/Razor2 on RedHat 7.3 for use at my company in place of MIMEsweeper that we use at the moment and I'm wondering how to use the new Bayesian features effectively. At the moment I'm thinking that I configure SpamAssassin to use auto learning on all messages that it processes (auto_learn 1 in spam.assassin.prefs.conf), and train it using false positives and false negatives by getting my users to use the Outlook re-send feature to send the messages to a 'not-spam', 'spam' & 'ham' mailbox held on the linux box and then having a cron job that runs 'sa-learn' across the relevant mailboxes each day, but I was wondering what other people are doing or thinking of doing in this regard?? Also - I was wondering if anyone had tried getting MailScanner to log to a MySQL database?? - I was looking at the CustomConfig.pm and was thinking that I could create a custom function that would connect to the database and do something like 'INSERT INTO maillog VALUES ('$message->{id}','$message->{size}','$message->{from}' etc..)' - or is this just a really bad idea?? The existing software we use does this into an Access database but we don't use it because it causes too much overhead, but I thought Perl's DBI/DBD and MySQL would probably be much more efficient than Access/ODBC! Thoughts? Kind regards, Steve -- Steve Freegard Systems Manager Littlehampton Book Services Ltd. Tel: +44 (0)1903 82 8594 Fax: +44 (0)1903 82 8620 ********************************************************************** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. 
This footnote also confirms that this email message has been swept by MIMEsweeper for the presence of computer viruses. www.lbsltd.co.uk ********************************************************************** From dbird at SGHMS.AC.UK Fri Feb 21 14:20:04 2003 From: dbird at SGHMS.AC.UK (Daniel Bird) Date: Thu Jan 12 21:17:14 2006 Subject: Virus Statistics Message-ID: <3E563594.5070908@sghms.ac.uk> Dear all, I am wondering if anyone has a script that generates a graph (a nice pie chart would be good;) of the viri caught by MailScanner. By this I mean a breakdown of which ones have been caught rather than just totals. Just hoping, save re-inventing the wheel... plus my perl isn't that good ;-) TIA Dan -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From andersan at LTKALMAR.SE Fri Feb 21 14:23:54 2003 From: andersan at LTKALMAR.SE (Anders Andersson, IT) Date: Thu Jan 12 21:17:14 2006 Subject: SV: Virus Statistics Message-ID: <9F18B7DDBA88E544AB1F1995148916660145EE@lkl63.ltkalmar.se> What about mrtg for mailscanner? Go to http://www.sng.ecs.soton.ac.uk/mailscanner/mrtg.shtml and you will find it /Anders > -----Original Message----- > From: Daniel Bird [mailto:dbird@SGHMS.AC.UK] > Sent: 21 February 2003 15:20 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Virus Statistics > > > Dear all, > I am wondering if anyone has a script that generates a graph > (a nice pie > chart would be good;) of the viri caught by MailScanner. > By this I mean a breakdown of which ones have been caught rather than > just totals. > > Just hoping, save re-inventing the wheel... plus my perl > isn't that good ;-) > > TIA > > Dan > > > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > From dustin.baer at IHS.COM Fri Feb 21 14:21:40 2003 
From: dustin.baer at IHS.COM (Dustin Baer) Date: Thu Jan 12 21:17:14 2006 Subject: /var/spool/MailScanner/incoming/* Message-ID: <3E5635F4.65B3198A@ihs.com> Does anybody else have a large number of empty directories in /var/spool/MailScanner/incoming/? I had 500+ empty directories dating back to October 17. Dustin From ryan at MARINOCRANE.COM Fri Feb 21 14:24:48 2003 From: ryan at MARINOCRANE.COM (Ryan Pitt) Date: Thu Jan 12 21:17:14 2006 Subject: Virus Statistics References: <3E563594.5070908@sghms.ac.uk> Message-ID: <3E5636B0.4080409@marinocrane.com> I use both of the following stat pages They are very easy to install http://staff.cie.uce.ac.uk/~dwhile/mailstats/ http://mailscanner-mrtg.netfirms.com/ Daniel Bird wrote: > Dear all, > I am wondering if anyone has a script that generates a graph (a nice pie > chart would be good;) of the viri caught by MailScanner. > By this I mean a breakdown of which ones have been caught rather than > just totals. > > Just hoping, save re-inventing the wheel... plus my perl isn't that > good ;-) > > TIA > > Dan > > > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > From mike at CAMAROSS.NET Fri Feb 21 14:32:41 2003 From: mike at CAMAROSS.NET (Mike Kercher) Date: Thu Jan 12 21:17:14 2006 Subject: Virus Statistics In-Reply-To: <3E5636B0.4080409@marinocrane.com> Message-ID: <005801c2d9b6$183077a0$6a01a8c0@home.middlefinger.net> I do too and am very pleased with the results of both. Mike -----Original Message----- 
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Ryan Pitt Sent: Friday, February 21, 2003 8:25 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Virus Statistics I use both of the following stat pages They are very easy to install http://staff.cie.uce.ac.uk/~dwhile/mailstats/ http://mailscanner-mrtg.netfirms.com/ Daniel Bird wrote: > Dear all, > I am wondering if anyone has a script that generates a graph (a nice pie > chart would be good;) of the viri caught by MailScanner. > By this I mean a breakdown of which ones have been caught rather than > just totals. > > Just hoping, save re-inventing the wheel... plus my perl isn't that > good ;-) > > TIA > > Dan > > > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > From dbird at SGHMS.AC.UK Fri Feb 21 14:33:59 2003 
From: dbird at SGHMS.AC.UK (Daniel Bird) Date: Thu Jan 12 21:17:14 2006 Subject: Virus Statistics References: <3E563594.5070908@sghms.ac.uk> <3E5636B0.4080409@marinocrane.com> Message-ID: <3E5638D7.3000601@sghms.ac.uk> Thanks, I'm already using MailScanner-MRTG. What I'm after is something like David While's Mailstats, but with just the virus breakdown which would also be graphed, no point in doing the Virus/Spam totals etc twice..... Thanks for all responses so far, and David's script is a very good start.. Ryan Pitt wrote: > I use both of the following stat pages > They are very easy to install > > http://staff.cie.uce.ac.uk/~dwhile/mailstats/ > http://mailscanner-mrtg.netfirms.com/ > > Daniel Bird wrote: > >> Dear all, >> I am wondering if anyone has a script that generates a graph (a nice pie >> chart would be good;) of the viri caught by MailScanner. >> By this I mean a breakdown of which ones have been caught rather than >> just totals. >> >> Just hoping, save re-inventing the wheel... plus my perl isn't that >> good ;-) >> >> TIA >> >> Dan >> >> >> >> -- >> This message has been scanned for viruses and >> dangerous content by MailScanner, and is >> believed to be clean. >> > -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From etate01 at sun.hazelwood.k12.mo.us Fri Feb 21 15:15:02 2003 
From: etate01 at sun.hazelwood.k12.mo.us (Ed Tate) Date: Thu Jan 12 21:17:15 2006 Subject: HTML-Parser won't compile on Solaris 2.6 In-Reply-To: <5.2.0.9.2.20030219185838.02798008@imap.ecs.soton.ac.uk> Message-ID: <002801c2d9bc$13ab7d00$be46460a@hazelwood.k12.mo.us> Just an FYI for anyone that runs into this problem. Julian was right in that the Sun compiler was on the box without a license. I removed it but HTML-Parser still wouldn't make. Turns out that when we installed Perl, it too found the Sun compiler instead of gcc and had some pointers to it in the Perl config files. Reinstalling Perl after removing the Sun compiler solved the problem completely. Thanks to everyone who responded. Ed Tate (etate01@hazelwoodschools.org) Coordinator of Technology Services Hazelwood School District Florissant, Missouri -----Original Message----- 
From: Julian Field [mailto:mailscanner@ecs.soton.ac.uk] Sent: Wednesday, February 19, 2003 1:01 PM To: etate01@sun.hazelwood.k12.mo.us Subject: Re: HTML-Parser won't compile on Solaris 2.6 At 18:43 19/02/2003, you wrote: Here's what's happening: # make /opt/SUNWspro/bin/cc -c -I/usr/local/include -I/opt/gnu/include -D_LARGEFILE_S OURCE -D_FILE_OFFSET_BITS=64 -O -DVERSION=\"3.26\" -DXS_VERSION=\"3.26\" -KPIC "-I/usr/local/lib/perl5/5.8.0/sun4-solaris/CORE" -DMARKED_SECTION Parser.c License Error : Cannot connect to the license server (sun).. for product(SPARCompiler C). (License server may not have been started) cc: acomp failed for Parser.c make: *** [Parser.o] Error 2 # You need to change the Makefile to use gcc instead of cc. Search the Makefile for cc and change them to gcc. Also get rid of "-O3 -xdepend". I might have the -O number wrong, so look through the Makefile for "depend". Basic problem is that you have SUNWspro installed, but no licence for it. I would remove SUNWspro if you have not purchased a licence for it. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030221/fbad01ad/attachment.html From mailscanner at ecs.soton.ac.uk Fri Feb 21 14:35:41 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:15 2006 Subject: /var/spool/MailScanner/incoming/* In-Reply-To: <3E5635F4.65B3198A@ihs.com> Message-ID: <5.2.0.9.2.20030221143410.06201730@imap.ecs.soton.ac.uk> For some reason your MailScanner is unable to shut down gracefully or restart gracefully. To get rid of them, shut down MailScanner, delete the lot, then re-start MailScanner. They are only used for temporary working data while MailScanner is running. Deleting it all (when MailScanner isn't running) won't lose anything at all. More recent versions of the code are better at cleaning up after themselves than old versions. At 14:21 21/02/2003, you wrote: >Does anybody else have an large number of empty directories in >/var/spool/MailScanner/incoming/? > >I had 500+ empty directories dating back to October 17. > >Dustin -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Fri Feb 21 14:21:22 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:15 2006 Subject: SpamAssassin 2.50 Released In-Reply-To: Message-ID: <5.2.0.9.2.20030221142101.061358b0@imap.ecs.soton.ac.uk> At 12:22 21/02/2003, you wrote: > > mailscanner@ECS.SOTON.AC.UK 20/02/03 17:20:52 >>> > >I have tried the CVS versions and had no real problems. > >I have just installed the released version. > > >It is now running live on 2 systems, I will let you know of any problems. > >As the default behaviour of SA seems now to be >to avoid Subject: rewriting and to move identified 'spam' to an attachment >rather than retain it in the body, is this a problem for MailScanner, No, this doesn't make any difference to MailScanner at all. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Fri Feb 21 14:33:44 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:15 2006 Subject: Spamassassin 2.50 & SQL logging In-Reply-To: <67D9E7698329D411936E00508B6590B90279316C@neelix.lbsltd.co. uk> Message-ID: <5.2.0.9.2.20030221142600.02f0d830@imap.ecs.soton.ac.uk> At 13:06 21/02/2003, you wrote: >Hi all, > >I'm evaluating MailScanner + SA 2.50/DCC/Razor2 on RedHat 7.3 for use at my >company in place of MIMEsweeper that we use at the moment and I'm wondering >how to use the new Bayesian features effectively. > >At the moment I'm thinking that I configure SpamAssassin to use auto >learning on all messages that it processes (auto_learn 1 in >spam.assassin.prefs.conf), According to the docs (man Mail::SpamAssassin::Conf) that should be on by default anyway. auto_learn ( 0 | 1 ) (default: 1) Whether SpamAssassin should automatically feed high-scoring mails (or low-scoring mails, for non-spam) into its learning systems. >Also - I was wondering if anyone had tried getting MailScanner to log to a >MySQL database?? - I was looking at the CustomConfig.pm and was thinking >that I could create a custom function that would connect to the database and >do something like 'INSERT INTO maillog VALUES >('$message->{id}','$message->{size}','$message->{from}' etc..)' - or is this >just a really bad idea?? The existing software we use does this into an >Access database but we don't use it because it causes too much overhead, but >I thought Perl's DBI/DBD and MySQL would probably be much more efficient >than Access/ODBC! You are still talking a database "insert" for every batch of messages. That's going to carry a fair sized overhead. How about writing them to a file and then periodically pushing the file data into a database? -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From simon at ADVANTAGE-INTERACTIVE.COM Fri Feb 21 15:41:54 2003 
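Julian's suggestion above (write the records to a file, then push the file into the database periodically), as an added example that is not part of the original thread or of MailScanner: the loader binds every field as a query parameter instead of interpolating values such as `$message->{from}` into the INSERT text, because the sender address is chosen by whoever sent the mail. The spool layout, the `maillog` columns and the use of SQLite in place of MySQL (so the example runs offline) are assumptions.

```python
import csv
import io
import sqlite3

# Constructed spool file, one tab-separated record per scanned message:
# queue id, size in bytes, envelope sender. The layout is an assumption.
SAMPLE_SPOOL = (
    "h1LD6wA01234\t1186\talice@example.org\n"
    "h1LD7bB01235\t18392\to'brien@example.net\n"   # apostrophe would end a quoted '$from'
    "h1LD7cC01236\tnot-a-size\tbob@example.org\n"  # malformed: rejected, not loaded
)

SCHEMA = """
CREATE TABLE IF NOT EXISTS maillog (
    id     TEXT PRIMARY KEY,
    size   INTEGER NOT NULL,
    sender TEXT NOT NULL
)
"""


def parse_spool(stream):
    """Return (rows, rejected_line_numbers) for a spool stream.

    QUOTE_NONE makes quote characters ordinary data, so a sender containing
    ' or " is carried through unchanged.
    """
    rows, rejected = [], []
    reader = csv.reader(stream, delimiter="\t", quoting=csv.QUOTE_NONE)
    for lineno, fields in enumerate(reader, 1):
        valid = len(fields) == 3 and fields[1].isascii() and fields[1].isdigit()
        if valid:
            rows.append((fields[0], int(fields[1]), fields[2]))
        else:
            rejected.append(lineno)
    return rows, rejected


def load_batch(conn, stream):
    """Load one spool file in a single transaction.

    Returns (rows_inserted, rejected_line_numbers). The placeholders keep
    message data out of the SQL text; OR IGNORE makes a re-run of the same
    spool file harmless (MySQL spells this INSERT IGNORE).
    """
    conn.execute(SCHEMA)
    rows, rejected = parse_spool(stream)
    before = conn.total_changes
    with conn:  # commit on success, roll back the whole batch on error
        conn.executemany(
            "INSERT OR IGNORE INTO maillog (id, size, sender) VALUES (?, ?, ?)",
            rows,
        )
    return conn.total_changes - before, rejected


def demo():
    conn = sqlite3.connect(":memory:")
    inserted, rejected = load_batch(conn, io.StringIO(SAMPLE_SPOOL))
    stored = conn.execute("SELECT id, size, sender FROM maillog ORDER BY id").fetchall()
    conn.close()
    return inserted, rejected, stored


if __name__ == "__main__":
    print(demo())
```

Run from cron against a spool file that has been renamed first, so the scanner keeps appending to a fresh file while the old one is loaded.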
From: simon at ADVANTAGE-INTERACTIVE.COM (Simon Dick) Date: Thu Jan 12 21:17:15 2006 Subject: Spamassassin 2.50 & SQL logging In-Reply-To: <5.2.0.9.2.20030221142600.02f0d830@imap.ecs.soton.ac.uk> References: <5.2.0.9.2.20030221142600.02f0d830@imap.ecs.soton.ac.uk> Message-ID: <1045842114.3012.13.camel@devbox> On Fri, 2003-02-21 at 14:33, Julian Field wrote: > At 13:06 21/02/2003, you wrote: > >Also - I was wondering if anyone had tried getting MailScanner to log to a > >MySQL database?? - I was looking at the CustomConfig.pm and was thinking > >that I could create a custom function that would connect to the database and > >do something like 'INSERT INTO maillog VALUES > >('$message->{id}','$message->{size}','$message->{from}' etc..)' - or is this > >just a really bad idea?? The existing software we use does this into an > >Access database but we don't use it because it causes too much overhead, but > >I thought Perl's DBI/DBD and MySQL would probably be much more efficient > >than Access/ODBC! > > You are still talking a database "insert" for every batch of messages. > That's going to carry a fair sized overhead. How about writing them to a > file and then periodically pushing the file data into a database? How reasonable would it be to just insert entries when a virus or spam is found? -- Simon Dick simon@advantage-interactive.com From paul at ESPMAIL.CO.UK Fri Feb 21 16:00:31 2003 From: paul at ESPMAIL.CO.UK (Paul Welsh) Date: Thu Jan 12 21:17:15 2006 Subject: Spamassassin 2.50 & SQL logging References: <67D9E7698329D411936E00508B6590B90279316C@neelix.lbsltd.co.uk> Message-ID: <002901c2d9c2$5c7db420$6a0110ac@sbsplc.com> I don't think MailScanner can replace MailSweeper. At the end of the day, it is not as flexible (unless you're highly skilled in linux/sendmail etc). I have MailSweeper and MailScanner and I use a linux box to do the MailScanner/SpamAssassin stuff. ----- Original Message ----- 
From: "Steve Freegard" To: Sent: Friday, February 21, 2003 1:06 PM Subject: Spamassassin 2.50 & SQL logging I'm evaluating MailScanner + SA 2.50/DCC/Razor2 on RedHat 7.3 for use at my company in place of MIMEsweeper that we use at the moment From mailscanner at ecs.soton.ac.uk Fri Feb 21 15:59:58 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:15 2006 Subject: Spamassassin 2.50 & SQL logging In-Reply-To: <1045842114.3012.13.camel@devbox> References: <5.2.0.9.2.20030221142600.02f0d830@imap.ecs.soton.ac.uk> <5.2.0.9.2.20030221142600.02f0d830@imap.ecs.soton.ac.uk> Message-ID: <5.2.0.9.2.20030221155740.02f9de90@imap.ecs.soton.ac.uk> At 15:41 21/02/2003, you wrote: >On Fri, 2003-02-21 at 14:33, Julian Field wrote: > > At 13:06 21/02/2003, you wrote: > > >Also - I was wondering if anyone had tried getting MailScanner to log to a > > >MySQL database?? - I was looking at the CustomConfig.pm and was thinking > > >that I could create a custom function that would connect to the > database and > > >do something like 'INSERT INTO maillog VALUES > > >('$message->{id}','$message->{size}','$message->{from}' etc..)' - or > is this > > >just a really bad idea?? The existing software we use does this into an > > >Access database but we don't use it because it causes too much > overhead, but > > >I thought Perl's DBI/DBD and MySQL would probably be much more efficient > > >than Access/ODBC! > > > > You are still talking a database "insert" for every batch of messages. > > That's going to carry a fair sized overhead. How about writing them to a > > file and then periodically pushing the file data into a database? > >How reasonable would it be to just insert entries when a virus or spam >is found? Again, it all depends how fast your database is. You could keep the db connection open permanently, so it *should* be pretty quick. You would have to hook it into one of the configuration parameters that gets used fairly late on in the batch processing, and use a Custom Function for that parameter that had the side-effect of logging all sorts of things about messages. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Fri Feb 21 16:17:03 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:15 2006 Subject: Spamassassin 2.50 & SQL logging In-Reply-To: <002901c2d9c2$5c7db420$6a0110ac@sbsplc.com> References: <67D9E7698329D411936E00508B6590B90279316C@neelix.lbsltd.co.uk> Message-ID: <5.2.0.9.2.20030221161502.0621de40@imap.ecs.soton.ac.uk> At 16:00 21/02/2003, you wrote: >I don't think MailScanner can replace MailSweeper. At the end of the day, >it is not as flexible (unless you're highly skilled in linux/sendmail etc). Okay, what can MailSweeper do that MailScanner cannot? (ignoring MTA issues as that is just a matter of setting up Exim which is pretty easy). I would like to know, so that I can think about any extra facilities that the commercial guys have that I haven't. I freely admit it doesn't have the pretty user-interface, but that's why people have written things like the Webmin module for it, and MailScanner-MRTG for monitoring it. >I have MailSweeper and MailScanner and I use a linux box to do the >MailScanner/SpamAssassin stuff. > >----- Original Message ----- >From: "Steve Freegard" >To: >Sent: Friday, February 21, 2003 1:06 PM >Subject: Spamassassin 2.50 & SQL logging > > >I'm evaluating MailScanner + SA 2.50/DCC/Razor2 on RedHat 7.3 for use at my >company in place of MIMEsweeper that we use at the moment -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From dustin.baer at IHS.COM Fri Feb 21 16:30:52 2003 
From: dustin.baer at IHS.COM (Dustin Baer) Date: Thu Jan 12 21:17:15 2006 Subject: /var/spool/MailScanner/incoming/* References: <5.2.0.9.2.20030221143410.06201730@imap.ecs.soton.ac.uk> Message-ID: <3E56543C.4DA0F776@ihs.com> Julian Field wrote: > > For some reason your MailScanner is unable to shut down gracefully or > restart gracefully. That is what I figured. Probably my fault. > To get rid of them, shut down MailScanner, delete the lot, then re-start > MailScanner. That is what I did. I mentioned that the oldest directories were dated from October 17. I checked /opt/MailScanner/var and noticed a pid file with the same date. I also trashed everything in that directory before restarting MailScanner. > More recent versions of the code are better at cleaning up after themselves > than old versions. I am currently using 4.03-1...must be time to upgrade! As always - AWESOME product! Dustin -- Dustin Baer Unix Administrator/Postmaster Information Handling Services 15 Inverness Way East Englewood, CO 80112 303-397-2836 From steve.freegard at LBSLTD.CO.UK Fri Feb 21 16:34:12 2003 
From: steve.freegard at LBSLTD.CO.UK (Steve Freegard) Date: Thu Jan 12 21:17:15 2006 Subject: Spamassassin 2.50 & SQL logging Message-ID: <67D9E7698329D411936E00508B6590B902793176@neelix.lbsltd.co.uk> Hi Julian, I like your idea about writing the data to a text file and then periodically reading it into MySQL as this would do exactly what I want and never runs the risk of the database being unavailable - it would also be useful as one could do a 'tail -f' on the file and watch the traffic going through. What would be the best configuration option to use to do this? - ideally I'd like to be able to record date, time, id, size, from, to, subject, sascore, spamwhitelisted, isspam, issaspam, isrblspam, ishigh, spamreport plus the virus and other reports. I'm pretty much a Perl beginner but don't mind getting my hands dirty - I take it that I would open the file handle in the Init sub, write to it in the 'main' sub and close in the End sub?? - my only other question would be how do you reference the filehandles and variable between the subroutines as my OO experience with Perl is 0... I should be able to work out the rest. I'm thinking of putting this together and posting it for anyone else that wants to do similar as me for graphing daily reports, showing top users, top mail size per user, average spam score etc. that can be run as daily/monthly/weekly/yearly reports from the database. Thanks, Steve. -----Original Message----- 
From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] Sent: 21 February 2003 16:00 To: MAILSCANNER@jiscmail.ac.uk Subject: Re: Spamassassin 2.50 & SQL logging At 15:41 21/02/2003, you wrote: >On Fri, 2003-02-21 at 14:33, Julian Field wrote: > > At 13:06 21/02/2003, you wrote: > > >Also - I was wondering if anyone had tried getting MailScanner to log to a > > >MySQL database?? - I was looking at the CustomConfig.pm and was thinking > > >that I could create a custom function that would connect to the > database and > > >do something like 'INSERT INTO maillog VALUES > > >('$message->{id}','$message->{size}','$message->{from}' etc..)' - or > is this > > >just a really bad idea?? The existing software we use does this into an > > >Access database but we don't use it because it causes too much > overhead, but > > >I thought Perl's DBI/DBD and MySQL would probably be much more efficient > > >than Access/ODBC! > > > > You are still talking a database "insert" for every batch of messages. > > That's going to carry a fair sized overhead. How about writing them to a > > file and then periodically pushing the file data into a database? > >How reasonable would it be to just insert entries when a virus or spam >is found? Again, it all depends how fast your database is. You could keep the db connection open permanently, so it *should* be pretty quick. You would have to hook it into one of the configuration parameters that gets used fairly late on in the batch processing, and use a Custom Function for that parameter that had the side-effect of logging all sorts of things about messages. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support
From raymond at PROLOCATION.NET Fri Feb 21 16:37:26 2003 From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:17:15 2006 Subject: Virus Statistics In-Reply-To: <3E5636B0.4080409@marinocrane.com> Message-ID: Hi! > http://staff.cie.uce.ac.uk/~dwhile/mailstats/ I noticed that the names of the virusses found are not listed in the logfile, so its a little hard for this script to extract the numbers :) Is this f-prot related that i dont get a those ? Bye, Raymond. From sylvain.phaneuf at IMSU.OXFORD.AC.UK Fri Feb 21 16:37:12 2003 From: sylvain.phaneuf at IMSU.OXFORD.AC.UK (Sylvain Phaneuf) Date: Thu Jan 12 21:17:15 2006 Subject: Virus Statistics Message-ID: mailstats looks great We have got MRTG running already, and I have just tried to run mailstats without success. Any FAQ or manual available? I am new to unix, and I am afraid I have a few stupid questions to ask... Sylvain >>> mike@CAMAROSS.NET 21/02/2003 14:32:41 >>> I do too and am very pleased with the results of both. Mike -----Original Message----- 
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Ryan Pitt Sent: Friday, February 21, 2003 8:25 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Virus Statistics I use both of the following stat pages They are very easy to install http://staff.cie.uce.ac.uk/~dwhile/mailstats/ http://mailscanner-mrtg.netfirms.com/ Daniel Bird wrote: > Dear all, > I am wondering if anyone has a script that generates a graph (a nice pie > chart would be good;) of the viri caught by MailScanner. > By this I mean a breakdown of which ones have been caught rather than > just totals. > > Just hoping, save re-inventing the wheel... plus my perl isn't that > good ;-) > > TIA > > Dan > > > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > From sean at DIGISILK.NET Fri Feb 21 16:43:47 2003 
From: sean at DIGISILK.NET (Sean Closson) Date: Thu Jan 12 21:17:15 2006 Subject: Spamassassin 2.50 & SQL logging In-Reply-To: <67D9E7698329D411936E00508B6590B902793176@neelix.lbsltd.co.uk> References: <67D9E7698329D411936E00508B6590B902793176@neelix.lbsltd.co.uk> Message-ID: <1045845825.1435.5.camel@localhost.localdomain> I share a similar desire to record important stats into a database. I'm a DBA so it's a natural avenue for me! I also consider myself a Perl beginner, but I've written a few scripts that do some pretty intense munging of CSV files, so perhaps I have something to contribute. If you would like to coordinate on this, I'd be happy to work with you. If you think it would be too close to the blind leading the blind, I understand that too. Sean Closson sean@digisilk.net MCSE / MCDBA / GSEC / CISSP On Fri, 2003-02-21 at 10:34, Steve Freegard wrote: > Hi Julian, > > I like your idea about writing the data to a text file and then periodically > reading it into MySQL as this would do exactly what I want and never runs > the risk of the database being unavailable - it would also be useful as one > could do a 'tail -f' on the file and watch the traffic going through. > > What would be the best configuration option to use to do this? - ideally I'd > like to be able to record date, time, id, size, from, to, subject, sascore, > spamwhitelisted, isspam, issaspam, isrblspam, ishigh, spamreport plus the > virus and other reports. > > I'm pretty much a Perl beginner but don't mind getting my hands dirty - I > take it that I would open the file handle in the Init sub, write to it in > the 'main' sub and close in the End sub?? - my only other question would be > how do you reference the filehandles and variable between the subroutines as > my OO experience with Perl is 0... I should be able to work out the rest. 
> > I'm thinking of putting this together and posting it for anyone else that > wants to do similar as me for graphing daily reports, showing top users, top > mail size per user, average spam score etc. that can be run as > daily/monthly/weekly/yearly reports from the database. > > Thanks, > Steve. > > -----Original Message----- 
> From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] > Sent: 21 February 2003 16:00 > To: MAILSCANNER@jiscmail.ac.uk > Subject: Re: Spamassassin 2.50 & SQL logging > > > At 15:41 21/02/2003, you wrote: > >On Fri, 2003-02-21 at 14:33, Julian Field wrote: > > > At 13:06 21/02/2003, you wrote: > > > >Also - I was wondering if anyone had tried getting MailScanner to log > to a > > > >MySQL database?? - I was looking at the CustomConfig.pm and was > thinking > > > >that I could create a custom function that would connect to the > > database and > > > >do something like 'INSERT INTO maillog VALUES > > > >('$message->{id}','$message->{size}','$message->{from}' etc..)' - or > > is this > > > >just a really bad idea?? The existing software we use does this into > an > > > >Access database but we don't use it because it causes too much > > overhead, but > > > >I thought Perl's DBI/DBD and MySQL would probably be much more > efficient > > > >than Access/ODBC! > > > > > > You are still talking a database "insert" for every batch of messages. > > > That's going to carry a fair sized overhead. How about writing them to a > > > file and then periodically pushing the file data into a database? > > > >How reasonable would it be to just insert entries when a virus or spam > >is found? > > Again, it all depends how fast your database is. You could keep the db > connection open permanently, so it *should* be pretty quick. You would have > to hook it into one of the configuration parameters that gets used fairly > late on in the batch processing, and use a Custom Function for that > parameter that had the side-effect of logging all sorts of things about > messages. 
> -- > Julian Field > www.MailScanner.info > MailScanner thanks transtec Computers for their support From raymond at PROLOCATION.NET Fri Feb 21 16:46:30 2003 From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:17:15 2006 Subject: Virus Statistics In-Reply-To: Message-ID: Hi! > > http://staff.cie.uce.ac.uk/~dwhile/mailstats/ > > I noticed that the names of the virusses found are not listed in the > logfile, so its a little hard for this script to extract the numbers :) > Is this f-prot related that i dont get a those ? Working now, my mistake: Virus Count (Last 10 mins) W32/Klez.H@mm 9 (9) W32/Sobig.A@mm 1 (1) Bye, Raymond. From paul at ESPMAIL.CO.UK Fri Feb 21 16:29:12 2003 
From: paul at ESPMAIL.CO.UK (Paul Welsh) Date: Thu Jan 12 21:17:15 2006 Subject: Spamassassin 2.50 & SQL logging References: <67D9E7698329D411936E00508B6590B90279316C@neelix.lbsltd.co.uk> <5.2.0.9.2.20030221161502.0621de40@imap.ecs.soton.ac.uk> Message-ID: <003001c2d9c6$5edb5660$6a0110ac@sbsplc.com> Oh dear! I knew I'd get a big backlash for that comment! And I'm top posting! I'm sure MailScanner can do all that MailSweeper does but yes, it boils down to the fact that MailScanner has a command line interface and therefore has a steeper learning curve. I was presuming that the chap who wrote the first message was a Windows person. Don't get me wrong, I love MailScanner, SpamAssassin etc but I spend 99% of my time dealing with MS Windows products and therefore tend to use MailScanner etc as a first line of defence and MailSweeper to do the more fiddly stuff. This is partly because I inherited MailSweeper. If I was starting from scratch I might well decide to do without it. It's simply a case of user friendliness. I have no experience of the Webmin module. ----- Original Message ----- From: "Julian Field" To: Sent: Friday, February 21, 2003 4:17 PM Subject: Re: Spamassassin 2.50 & SQL logging At 16:00 21/02/2003, you wrote: >I don't think MailScanner can replace MailSweeper. At the end of the day, >it is not as flexible (unless you're highly skilled in linux/sendmail etc). Okay, what can MailSweeper do that MailScanner cannot? (ignoring MTA issues as that is just a matter of setting up Exim which is pretty easy). I would like to know, so that I can think about any extra facilities that the commercial guys have that I haven't. I freely admit it doesn't have the pretty user-interface, but that's why people have written things like the Webmin module for it, and MailScanner-MRTG for monitoring it. >I have MailSweeper and MailScanner and I use a linux box to do the >MailScanner/SpamAssassin stuff. > >----- Original Message ----- 
>From: "Steve Freegard" >To: >Sent: Friday, February 21, 2003 1:06 PM >Subject: Spamassassin 2.50 & SQL logging > > >I'm evaluating MailScanner + SA 2.50/DCC/Razor2 on RedHat 7.3 for use at my >company in place of MIMEsweeper that we use at the moment -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From steve.freegard at LBSLTD.CO.UK Fri Feb 21 16:56:44 2003 From: steve.freegard at LBSLTD.CO.UK (Steve Freegard) Date: Thu Jan 12 21:17:15 2006 Subject: Spamassassin 2.50 & SQL logging Message-ID: <67D9E7698329D411936E00508B6590B902793177@neelix.lbsltd.co.uk> Hi Sean, I too am an Oracle DBA amongst other things - I would be happy to have assistance from anyone who would like to do similar. I was going to primarily focus my efforts on MySQL to begin with as importing CSV data into it is trivial from a LOAD DATA INFILE statement. What ideally would you like to record/achieve? I'll put together a document of what I would like to do over the weekend - and we can decide how to split the work. The first hurdle is getting the CSV written out from MailScanner using the CustomConfig.pm Regards, Steve. -----Original Message----- 
From: Sean Closson [mailto:sean@DIGISILK.NET] Sent: 21 February 2003 16:44 To: MAILSCANNER@jiscmail.ac.uk Subject: Re: Spamassassin 2.50 & SQL logging I share a similar desire to record important stats into a database. I'm a DBA so it's a natural avenue for me! I also consider myself a Perl beginner, but I've written a few scripts that do some pretty intense munging of CSV files, so perhaps I have something to contribute. If you would like to coordinate on this, I'd be happy to work with you. If you think it would be too close to the blind leading the blind, I understand that too. Sean Closson sean@digisilk.net MCSE / MCDBA / GSEC / CISSP On Fri, 2003-02-21 at 10:34, Steve Freegard wrote: > Hi Julian, > > I like your idea about writing the data to a text file and then periodically > reading it into MySQL as this would do exactly what I want and never runs > the risk of the database being unavailable - it would also be useful as one > could do a 'tail -f' on the file and watch the traffic going through. > > What would be the best configuration option to use to do this? - ideally I'd > like to be able to record date, time, id, size, from, to, subject, sascore, > spamwhitelisted, isspam, issaspam, isrblspam, ishigh, spamreport plus the > virus and other reports. > > I'm pretty much a Perl beginner but don't mind getting my hands dirty - I > take it that I would open the file handle in the Init sub, write to it in > the 'main' sub and close in the End sub?? - my only other question would be > how do you reference the filehandles and variable between the subroutines as > my OO experience with Perl is 0... I should be able to work out the rest. > > I'm thinking of putting this together and posting it for anyone else that > wants to do similar as me for graphing daily reports, showing top users, top > mail size per user, average spam score etc. that can be run as > daily/monthly/weekly/yearly reports from the database. > > Thanks, > Steve. > > -----Original Message----- 
> From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] > Sent: 21 February 2003 16:00 > To: MAILSCANNER@jiscmail.ac.uk > Subject: Re: Spamassassin 2.50 & SQL logging > > > At 15:41 21/02/2003, you wrote: > >On Fri, 2003-02-21 at 14:33, Julian Field wrote: > > > At 13:06 21/02/2003, you wrote: > > > >Also - I was wondering if anyone had tried getting MailScanner to log > to a > > > >MySQL database?? - I was looking at the CustomConfig.pm and was > thinking > > > >that I could create a custom function that would connect to the > > database and > > > >do something like 'INSERT INTO maillog VALUES > > > >('$message->{id}','$message->{size}','$message->{from}' etc..)' - or > > is this > > > >just a really bad idea?? The existing software we use does this into > an > > > >Access database but we don't use it because it causes too much > > overhead, but > > > >I thought Perl's DBI/DBD and MySQL would probably be much more > efficient > > > >than Access/ODBC! > > > > > > You are still talking a database "insert" for every batch of messages. > > > That's going to carry a fair sized overhead. How about writing them to a > > > file and then periodically pushing the file data into a database? > > > >How reasonable would it be to just insert entries when a virus or spam > >is found? > > Again, it all depends how fast your database is. You could keep the db > connection open permanently, so it *should* be pretty quick. You would have > to hook it into one of the configuration parameters that gets used fairly > late on in the batch processing, and use a Custom Function for that > parameter that had the side-effect of logging all sorts of things about > messages. 
> -- > Julian Field > www.MailScanner.info > MailScanner thanks transtec Computers for their support From simon at ADVANTAGE-INTERACTIVE.COM Fri Feb 21 17:02:35 2003 From: simon at ADVANTAGE-INTERACTIVE.COM (Simon Dick) Date: Thu Jan 12 21:17:15 2006 Subject: Spamassassin 2.50 & SQL logging In-Reply-To: <67D9E7698329D411936E00508B6590B902793177@neelix.lbsltd.co.uk> References: <67D9E7698329D411936E00508B6590B902793177@neelix.lbsltd.co.uk> Message-ID: <1045846955.3549.1.camel@devbox> On Fri, 2003-02-21 at 16:56, Steve Freegard wrote: > Hi Sean, > > I too am an Oracle DBA amongst other things - I would be happy to have > assistance from anyone who would like to do similar. I was going to > primarily focus my efforts on MySQL to begin with as importing CSV data into > it is trivial from a LOAD DATA INFILE statement. > > What ideally would you like to record/achieve? > > I'll put together a document of what I would like to do over the weekend - > and we can decide how to split the work. The first hurdle is getting the > CSV written out from MailScanner using the CustomConfig.pm I already have custom config options written which use a database for input which uses a persistant connection to a local mysql database. If I ever get time I may look into the logging part too :) -- Simon Dick simon@advantage-interactive.com From mailscanner at ecs.soton.ac.uk Fri Feb 21 16:51:56 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:15 2006 Subject: Spamassassin 2.50 & SQL logging In-Reply-To: <67D9E7698329D411936E00508B6590B902793176@neelix.lbsltd.co. uk> Message-ID: <5.2.0.9.2.20030221164859.05fdc350@imap.ecs.soton.ac.uk> At 16:34 21/02/2003, you wrote: >Hi Julian, > >I like your idea about writing the data to a text file and then periodically >reading it into MySQL as this would do exactly what I want and never runs >the risk of the database being unavailable - it would also be useful as one >could do a 'tail -f' on the file and watch the traffic going through. > >What would be the best configuration option to use to do this? - ideally I'd >like to be able to record date, time, id, size, from, to, subject, sascore, >spamwhitelisted, isspam, issaspam, isrblspam, ishigh, spamreport plus the >virus and other reports. For spam you probably want to catch the "Spam Actions" and "High Scoring Spam Actions" keywords. For viruses then you could use "Deliver Silent viruses". Ideally I guess I could add a configuration value that effectively did nothing but got evaluated for every message right at the end of the loop. Would that be worth doing? (and what could I call the conf file parameter?) >I'm pretty much a Perl beginner but don't mind getting my hands dirty - I >take it that I would open the file handle in the Init sub, write to it in >the 'main' sub and close in the End sub?? That's right. > - my only other question would be >how do you reference the filehandles and variable between the subroutines as >my OO experience with Perl is 0... I should be able to work out the rest. Just declare variables outside of any function using "my". >I'm thinking of putting this together and posting it for anyone else that >wants to do similar as me for graphing daily reports, showing top users, top >mail size per user, average spam score etc. that can be run as >daily/monthly/weekly/yearly reports from the database. 
I think that would be much appreciated. It might even find its way into the distribution... >-----Original Message----- 
>From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] >Sent: 21 February 2003 16:00 >To: MAILSCANNER@jiscmail.ac.uk >Subject: Re: Spamassassin 2.50 & SQL logging > > >At 15:41 21/02/2003, you wrote: > >On Fri, 2003-02-21 at 14:33, Julian Field wrote: > > > At 13:06 21/02/2003, you wrote: > > > >Also - I was wondering if anyone had tried getting MailScanner to log >to a > > > >MySQL database?? - I was looking at the CustomConfig.pm and was >thinking > > > >that I could create a custom function that would connect to the > > database and > > > >do something like 'INSERT INTO maillog VALUES > > > >('$message->{id}','$message->{size}','$message->{from}' etc..)' - or > > is this > > > >just a really bad idea?? The existing software we use does this into >an > > > >Access database but we don't use it because it causes too much > > overhead, but > > > >I thought Perl's DBI/DBD and MySQL would probably be much more >efficient > > > >than Access/ODBC! > > > > > > You are still talking a database "insert" for every batch of messages. > > > That's going to carry a fair sized overhead. How about writing them to a > > > file and then periodically pushing the file data into a database? > > > >How reasonable would it be to just insert entries when a virus or spam > >is found? > >Again, it all depends how fast your database is. You could keep the db >connection open permanently, so it *should* be pretty quick. You would have >to hook it into one of the configuration parameters that gets used fairly >late on in the batch processing, and use a Custom Function for that >parameter that had the side-effect of logging all sorts of things about >messages. >-- >Julian Field >www.MailScanner.info >MailScanner thanks transtec Computers for their support
-- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Fri Feb 21 16:46:06 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:15 2006 Subject: /var/spool/MailScanner/incoming/* In-Reply-To: <3E56543C.4DA0F776@ihs.com> References: <5.2.0.9.2.20030221143410.06201730@imap.ecs.soton.ac.uk> Message-ID: <5.2.0.9.2.20030221164439.02f0d690@imap.ecs.soton.ac.uk> At 16:30 21/02/2003, you wrote: >Julian Field wrote: > > > > For some reason your MailScanner is unable to shut down gracefully or > > restart gracefully. > >That is what I figured. Probably my fault. > > > To get rid of them, shut down MailScanner, delete the lot, then re-start > > MailScanner. > >That is what I did. I mentioned that the oldest directories were dated >from October 17. I checked /opt/MailScanner/var and noticed a pid file >with the same date. I also trashed everything in that directory before >restarting MailScanner. > > > More recent versions of the code are better at cleaning up after themselves > > than old versions. > >I am currently using 4.03-1...must be time to upgrade! 4.13 due at the start of next month... >As always - AWESOME product! Thanks! Spread the word... For your info, we can now offer full-service professional support contracts to sites around the globe. If you are interested in having guaranteed support for MailScanner when you need it, please contact me off-list. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Fri Feb 21 16:55:22 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:15 2006 Subject: Spamassassin 2.50 & SQL logging In-Reply-To: <003001c2d9c6$5edb5660$6a0110ac@sbsplc.com> References: <67D9E7698329D411936E00508B6590B90279316C@neelix.lbsltd.co.uk> <5.2.0.9.2.20030221161502.0621de40@imap.ecs.soton.ac.uk> Message-ID: <5.2.0.9.2.20030221165327.02e95fd8@imap.ecs.soton.ac.uk> At 16:29 21/02/2003, you wrote: >Oh dear! I knew I'd get a big backlash for that comment! :-) >I spend 99% of >my time dealing with MS Windows products That's the problem, you see. I spend too much of my time with MS Windows products, too. Things like MailScanner just look after themselves and don't occupy my (admin) time. >It's simply a case of user friendliness. I have no experience of the >Webmin module. Nor have I! I'm getting a couple of new machines shortly and will try it out on one of them. >----- Original Message ----- >From: "Julian Field" >To: >Sent: Friday, February 21, 2003 4:17 PM >Subject: Re: Spamassassin 2.50 & SQL logging > > >At 16:00 21/02/2003, you wrote: > >I don't think MailScanner can replace MailSweeper. At the end of the day, > >it is not as flexible (unless you're highly skilled in linux/sendmail etc). > >Okay, what can MailSweeper do that MailScanner cannot? (ignoring MTA issues >as that is just a matter of setting up Exim which is pretty easy). I would >like to know, so that I can think about any extra facilities that the >commercial guys have that I haven't. > >I freely admit it doesn't have the pretty user-interface, but that's why >people have written things like the Webmin module for it, and >MailScanner-MRTG for monitoring it. > > > >I have MailSweeper and MailScanner and I use a linux box to do the > >MailScanner/SpamAssassin stuff. > > > >----- Original Message ----- 
> >From: "Steve Freegard" > >To: > >Sent: Friday, February 21, 2003 1:06 PM > >Subject: Spamassassin 2.50 & SQL logging > > > > > >I'm evaluating MailScanner + SA 2.50/DCC/Razor2 on RedHat 7.3 for use at my > >company in place of MIMEsweeper that we use at the moment > >-- >Julian Field >www.MailScanner.info >MailScanner thanks transtec Computers for their support -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Fri Feb 21 16:52:43 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:15 2006 Subject: Spamassassin 2.50 & SQL logging In-Reply-To: <1045845825.1435.5.camel@localhost.localdomain> References: <67D9E7698329D411936E00508B6590B902793176@neelix.lbsltd.co.uk> <67D9E7698329D411936E00508B6590B902793176@neelix.lbsltd.co.uk> Message-ID: <5.2.0.9.2.20030221165215.06147740@imap.ecs.soton.ac.uk> At 16:43 21/02/2003, you wrote: >I share a similar desire to record important stats into a database. I'm >a DBA so it's a natural avenue for me! I also consider myself a Perl >beginner, but I've written a few scripts that do some pretty intense >munging of CSV files, so perhaps I have something to contribute. >If you would like to coordinate on this, I'd be happy to work with you. >If you think it would be too close to the blind leading the blind, I >understand that too. I can give you a bit of help using a DB from Perl, I've got some good sample code somewhere. >On Fri, 2003-02-21 at 10:34, Steve Freegard wrote: > > Hi Julian, > > > > I like your idea about writing the data to a text file and then > periodically > > reading it into MySQL as this would do exactly what I want and never runs > > the risk of the database being unavailable - it would also be useful as one > > could do a 'tail -f' on the file and watch the traffic going through. > > > > What would be the best configuration option to use to do this? - > ideally I'd > > like to be able to record date, time, id, size, from, to, subject, sascore, > > spamwhitelisted, isspam, issaspam, isrblspam, ishigh, spamreport plus the > > virus and other reports. > > > > I'm pretty much a Perl beginner but don't mind getting my hands dirty - I > > take it that I would open the file handle in the Init sub, write to it in > > the 'main' sub and close in the End sub?? - my only other question would be > > how do you reference the filehandles and variable between the > subroutines as > > my OO experience with Perl is 0... 
I should be able to work out the rest. > > > > I'm thinking of putting this together and posting it for anyone else that > > wants to do similar as me for graphing daily reports, showing top > users, top > > mail size per user, average spam score etc. that can be run as > > daily/monthly/weekly/yearly reports from the database. > > > > Thanks, > > Steve. > > > > -----Original Message----- 
> > From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] > > Sent: 21 February 2003 16:00 > > To: MAILSCANNER@jiscmail.ac.uk > > Subject: Re: Spamassassin 2.50 & SQL logging > > > > > > At 15:41 21/02/2003, you wrote: > > >On Fri, 2003-02-21 at 14:33, Julian Field wrote: > > > > At 13:06 21/02/2003, you wrote: > > > > >Also - I was wondering if anyone had tried getting MailScanner to log > > to a > > > > >MySQL database?? - I was looking at the CustomConfig.pm and was > > thinking > > > > >that I could create a custom function that would connect to the > > > database and > > > > >do something like 'INSERT INTO maillog VALUES > > > > >('$message->{id}','$message->{size}','$message->{from}' etc..)' - or > > > is this > > > > >just a really bad idea?? The existing software we use does this into > > an > > > > >Access database but we don't use it because it causes too much > > > overhead, but > > > > >I thought Perl's DBI/DBD and MySQL would probably be much more > > efficient > > > > >than Access/ODBC! > > > > > > > > You are still talking a database "insert" for every batch of messages. > > > > That's going to carry a fair sized overhead. How about writing them > to a > > > > file and then periodically pushing the file data into a database? > > > > > >How reasonable would it be to just insert entries when a virus or spam > > >is found? > > > > Again, it all depends how fast your database is. You could keep the db > > connection open permanently, so it *should* be pretty quick. You would have > > to hook it into one of the configuration parameters that gets used fairly > > late on in the batch processing, and use a Custom Function for that > > parameter that had the side-effect of logging all sorts of things about > > messages. 
> > -- > > Julian Field > > www.MailScanner.info > > MailScanner thanks transtec Computers for their support -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From steve.freegard at LBSLTD.CO.UK Fri Feb 21 17:09:12 2003
From: steve.freegard at LBSLTD.CO.UK (Steve Freegard) Date: Thu Jan 12 21:17:15 2006 Subject: Spamassassin 2.50 & SQL logging Message-ID: <67D9E7698329D411936E00508B6590B902793178@neelix.lbsltd.co.uk> Julian, I am in agreement with you on this - which is why I am in the process of getting the Board of Directors to approve the replacement of MIMEsweeper. Granted - MailScanner doesn't have some of the UI that MIMEsweeper currently has - but from a functionality and stability point MIMEsweeper sucks totally - we regularly have stability issues, the UI leaks memory if you leave it on the 'Recent Messages' screen, the 'Policy Editor' is dead-slow and doing Sophos upgrades/IDE updates is a major pain and has to be done manually with the services stopped otherwise the link to SAVI breaks, and all the mail gets held off... I am attempting to write some stuff to make the day-to-day running of MailScanner easier for the Network Support people here who only know NT/2000 e.g. Releasing quarantined mail, monitoring the mail queues/delivery times, producing detailed reports etc. hence the interest of writing to MySQL etc. Anything I come up with I'll happily make available to all. MailScanner rocks Julian - don't let anyone else tell you otherwise... Kind regards, Steve. -----Original Message-----
From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] Sent: 21 February 2003 16:17 To: MAILSCANNER@jiscmail.ac.uk Subject: Re: Spamassassin 2.50 & SQL logging At 16:00 21/02/2003, you wrote: >I don't think MailScanner can replace MailSweeper. At the end of the day, >it is not as flexible (unless you're highly skilled in linux/sendmail etc). Okay, what can MailSweeper do that MailScanner cannot? (ignoring MTA issues as that is just a matter of setting up Exim which is pretty easy). I would like to know, so that I can think about any extra facilities that the commercial guys have that I haven't. I freely admit it doesn't have the pretty user-interface, but that's why people have written things like the Webmin module for it, and MailScanner-MRTG for monitoring it. >I have MailSweeper and MailScanner and I use a linux box to do the >MailScanner/SpamAssassin stuff. > >----- Original Message ----- >From: "Steve Freegard" >To: >Sent: Friday, February 21, 2003 1:06 PM >Subject: Spamassassin 2.50 & SQL logging > > >I'm evaluating MailScanner + SA 2.50/DCC/Razor2 on RedHat 7.3 for use at my >company in place of MIMEsweeper that we use at the moment -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Fri Feb 21 17:17:38 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:15 2006 Subject: Spamassassin 2.50 & SQL logging In-Reply-To: <5.2.0.9.2.20030221164859.05fdc350@imap.ecs.soton.ac.uk> References: <67D9E7698329D411936E00508B6590B902793176@neelix.lbsltd.co.uk> Message-ID: <5.2.0.9.2.20030221171540.062464f8@imap.ecs.soton.ac.uk> Sounds like you all need an Always Looked Up Last parameter, whose value was ignored. This will be evaluated for every message, right at the end of the message batch loop. If it is just set to "yes" or "no" the overhead will be minimal for people that don't use it for anything. It is there specifically to have "side-effects" so you can do your logging. Any better suggestions for the name? At 16:51 21/02/2003, you wrote: >At 16:34 21/02/2003, you wrote: >>Hi Julian, >> >>I like your idea about writing the data to a text file and then periodically >>reading it into MySQL as this would do exactly what I want and never runs >>the risk of the database being unavailable - it would also be useful as one >>could do a 'tail -f' on the file and watch the traffic going through. >> >>What would be the best configuration option to use to do this? - ideally I'd >>like to be able to record date, time, id, size, from, to, subject, sascore, >>spamwhitelisted, isspam, issaspam, isrblspam, ishigh, spamreport plus the >>virus and other reports. > >For spam you probably want to catch the "Spam Actions" and "High Scoring >Spam Actions" keywords. >For viruses then you could use "Deliver Silent viruses". > >Ideally I guess I could add a configuration value that effectively did >nothing but got evaluated for every message right at the end of the loop. >Would that be worth doing? (and what could I call the conf file parameter?) > >>I'm pretty much a Perl beginner but don't mind getting my hands dirty - I >>take it that I would open the file handle in the Init sub, write to it in >>the 'main' sub and close in the End sub?? > >That's right.
> >> - my only other question would be >>how do you reference the filehandles and variable between the subroutines as >>my OO experience with Perl is 0... I should be able to work out the rest. > >Just declare variables outside of any function using "my". > >>I'm thinking of putting this together and posting it for anyone else that >>wants to do similar as me for graphing daily reports, showing top users, top >>mail size per user, average spam score etc. that can be run as >>daily/monthly/weekly/yearly reports from the database. > >I think that would be much appreciated. It might even find its way into the >distribution... > >>-----Original Message----- 
>>From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] >>Sent: 21 February 2003 16:00 >>To: MAILSCANNER@jiscmail.ac.uk >>Subject: Re: Spamassassin 2.50 & SQL logging >> >> >>At 15:41 21/02/2003, you wrote: >> >On Fri, 2003-02-21 at 14:33, Julian Field wrote: >> > > At 13:06 21/02/2003, you wrote: >> > > >Also - I was wondering if anyone had tried getting MailScanner to log >>to a >> > > >MySQL database?? - I was looking at the CustomConfig.pm and was >>thinking >> > > >that I could create a custom function that would connect to the >> > database and >> > > >do something like 'INSERT INTO maillog VALUES >> > > >('$message->{id}','$message->{size}','$message->{from}' etc..)' - or >> > is this >> > > >just a really bad idea?? The existing software we use does this into >>an >> > > >Access database but we don't use it because it causes too much >> > overhead, but >> > > >I thought Perl's DBI/DBD and MySQL would probably be much more >>efficient >> > > >than Access/ODBC! >> > > >> > > You are still talking a database "insert" for every batch of messages. >> > > That's going to carry a fair sized overhead. How about writing them to a >> > > file and then periodically pushing the file data into a database? >> > >> >How reasonable would it be to just insert entries when a virus or spam >> >is found? >> >>Again, it all depends how fast your database is. You could keep the db >>connection open permanently, so it *should* be pretty quick. You would have >>to hook it into one of the configuration parameters that gets used fairly >>late on in the batch processing, and use a Custom Function for that >>parameter that had the side-effect of logging all sorts of things about >>messages. 
>>-- >>Julian Field >>www.MailScanner.info >>MailScanner thanks transtec Computers for their support > >-- >Julian Field >www.MailScanner.info >MailScanner thanks transtec Computers for their support -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From steve.freegard at LBSLTD.CO.UK Fri Feb 21 17:25:32 2003 From: steve.freegard at LBSLTD.CO.UK (Steve Freegard) Date: Thu Jan 12 21:17:15 2006 Subject: Spamassassin 2.50 & SQL logging Message-ID: <67D9E7698329D411936E00508B6590B902793179@neelix.lbsltd.co.uk> Hi Julian, Argh... This is turning into a big thread!! The 'blank' config option that could pick up _all_ the $message->{*} variables, would be the best - as the call to the file only has to happen once, won't need munging together, and can easily be imported to a database if it's comma-separated. Thanks for the comments, and tips on how I need to do this. Regards, Steve. -----Original Message-----
From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] Sent: 21 February 2003 16:52 To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Spamassassin 2.50 & SQL logging At 16:34 21/02/2003, you wrote: >Hi Julian, > >I like your idea about writing the data to a text file and then periodically >reading it into MySQL as this would do exactly what I want and never runs >the risk of the database being unavailable - it would also be useful as one >could do a 'tail -f' on the file and watch the traffic going through. > >What would be the best configuration option to use to do this? - ideally I'd >like to be able to record date, time, id, size, from, to, subject, sascore, >spamwhitelisted, isspam, issaspam, isrblspam, ishigh, spamreport plus the >virus and other reports. For spam you probably want to catch the "Spam Actions" and "High Scoring Spam Actions" keywords. For viruses then you could use "Deliver Silent viruses". Ideally I guess I could add a configuration value that effectively did nothing but got evaluated for every message right at the end of the loop. Would that be worth doing? (and what could I call the conf file parameter?) >I'm pretty much a Perl beginner but don't mind getting my hands dirty - I >take it that I would open the file handle in the Init sub, write to it in >the 'main' sub and close in the End sub?? That's right. > - my only other question would be >how do you reference the filehandles and variable between the subroutines as >my OO experience with Perl is 0... I should be able to work out the rest. Just declare variables outside of any function using "my". >I'm thinking of putting this together and posting it for anyone else that >wants to do similar as me for graphing daily reports, showing top users, top >mail size per user, average spam score etc. that can be run as >daily/monthly/weekly/yearly reports from the database. I think that would be much appreciated. It might even find its way into the distribution... >-----Original Message----- 
>From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] >Sent: 21 February 2003 16:00 >To: MAILSCANNER@jiscmail.ac.uk >Subject: Re: Spamassassin 2.50 & SQL logging > > >At 15:41 21/02/2003, you wrote: > >On Fri, 2003-02-21 at 14:33, Julian Field wrote: > > > At 13:06 21/02/2003, you wrote: > > > >Also - I was wondering if anyone had tried getting MailScanner to log >to a > > > >MySQL database?? - I was looking at the CustomConfig.pm and was >thinking > > > >that I could create a custom function that would connect to the > > database and > > > >do something like 'INSERT INTO maillog VALUES > > > >('$message->{id}','$message->{size}','$message->{from}' etc..)' - or > > is this > > > >just a really bad idea?? The existing software we use does this into >an > > > >Access database but we don't use it because it causes too much > > overhead, but > > > >I thought Perl's DBI/DBD and MySQL would probably be much more >efficient > > > >than Access/ODBC! > > > > > > You are still talking a database "insert" for every batch of messages. > > > That's going to carry a fair sized overhead. How about writing them to a > > > file and then periodically pushing the file data into a database? > > > >How reasonable would it be to just insert entries when a virus or spam > >is found? > >Again, it all depends how fast your database is. You could keep the db >connection open permanently, so it *should* be pretty quick. You would have >to hook it into one of the configuration parameters that gets used fairly >late on in the batch processing, and use a Custom Function for that >parameter that had the side-effect of logging all sorts of things about >messages. >-- >Julian Field >www.MailScanner.info >MailScanner thanks transtec Computers for their support > > >********************************************************************** >This email and any files transmitted with it are confidential and >intended solely for the use of the individual or entity to whom they >are addressed. 
If you have received this email in error please notify >the system manager. > >This footnote also confirms that this email message has been swept by >MIMEsweeper for the presence of computer viruses. > >www.lbsltd.co.uk >********************************************************************** -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support ********************************************************************** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote also confirms that this email message has been swept by MIMEsweeper for the presence of computer viruses. www.lbsltd.co.uk ********************************************************************** From steve.freegard at LBSLTD.CO.UK Fri Feb 21 17:32:22 2003 From: steve.freegard at LBSLTD.CO.UK (Steve Freegard) Date: Thu Jan 12 21:17:15 2006 Subject: Spamassassin 2.50 & SQL logging Message-ID: <67D9E7698329D411936E00508B6590B90279317B@neelix.lbsltd.co.uk> Julian, That would be perfect! How about hiding the config option instead - created as CustomLogging which is called at the end of the batch that tests to see if InitCustomLogging/CustomLogging/EndCustomLogging has been defined or not and calls them if they are - possible?? - at least it would save on confusion in the config file... Thanks, Steve. -----Original Message----- 
From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] Sent: 21 February 2003 17:18 To: MAILSCANNER@jiscmail.ac.uk Subject: Re: Spamassassin 2.50 & SQL logging Sounds like you all need a Always Looked Up Last parameter, whose value was ignored. This will be evaluated for every message, right at the end of the message batch loop. If it is just set to "yes" or "no" the overhead will be minimal for people that don't use it for anything. It is there specifically to have "side-effects" so you can do your logging. Any better suggestions for the name? At 16:51 21/02/2003, you wrote: >At 16:34 21/02/2003, you wrote: >>Hi Julian, >> >>I like your idea about writing the data to a text file and then periodically >>reading it into MySQL as this would do exactly what I want and never runs >>the risk of the database being unavailable - it would also be useful as one >>could do a 'tail -f' on the file and watch the traffic going through. >> >>What would be the best configuration option to use to do this? - ideally I'd >>like to be able to record date, time, id, size, from, to, subject, sascore, >>spamwhitelisted, isspam, issaspam, isrblspam, ishigh, spamreport plus the >>virus and other reports. > >For spam you probably want to catch the "Spam Actions" and "High Scoring >Spam Actions" keywords. >For viruses then you could use "Deliver Silent viruses". > >Ideally I guess I could add a configuration value that effectively did >nothing but got evaluated for every message right at the end of the loop. >Would that be worth doing? (and what could I call the conf file parameter?) > >>I'm pretty much a Perl beginner but don't mind getting my hands dirty - I >>take it that I would open the file handle in the Init sub, write to it in >>the 'main' sub and close in the End sub?? > >That's right. > >> - my only other question would be >>how do you reference the filehandles and variable between the subroutines as >>my OO experience with Perl is 0... I should be able to work out the rest. 
> >Just declare variables outside of any function using "my". > >>I'm thinking of putting this together and posting it for anyone else that >>wants to do similar as me for graphing daily reports, showing top users, top >>mail size per user, average spam score etc. that can be run as >>daily/monthly/weekly/yearly reports from the database. > >I think that would be much appreciated. It might even find its way into the >distribution... > >>-----Original Message----- 
>>From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] >>Sent: 21 February 2003 16:00 >>To: MAILSCANNER@jiscmail.ac.uk >>Subject: Re: Spamassassin 2.50 & SQL logging >> >> >>At 15:41 21/02/2003, you wrote: >> >On Fri, 2003-02-21 at 14:33, Julian Field wrote: >> > > At 13:06 21/02/2003, you wrote: >> > > >Also - I was wondering if anyone had tried getting MailScanner to log >>to a >> > > >MySQL database?? - I was looking at the CustomConfig.pm and was >>thinking >> > > >that I could create a custom function that would connect to the >> > database and >> > > >do something like 'INSERT INTO maillog VALUES >> > > >('$message->{id}','$message->{size}','$message->{from}' etc..)' - or >> > is this >> > > >just a really bad idea?? The existing software we use does this into >>an >> > > >Access database but we don't use it because it causes too much >> > overhead, but >> > > >I thought Perl's DBI/DBD and MySQL would probably be much more >>efficient >> > > >than Access/ODBC! >> > > >> > > You are still talking a database "insert" for every batch of messages. >> > > That's going to carry a fair sized overhead. How about writing them to a >> > > file and then periodically pushing the file data into a database? >> > >> >How reasonable would it be to just insert entries when a virus or spam >> >is found? >> >>Again, it all depends how fast your database is. You could keep the db >>connection open permanently, so it *should* be pretty quick. You would have >>to hook it into one of the configuration parameters that gets used fairly >>late on in the batch processing, and use a Custom Function for that >>parameter that had the side-effect of logging all sorts of things about >>messages. 
>>-- >>Julian Field >>www.MailScanner.info >>MailScanner thanks transtec Computers for their support > >-- >Julian Field >www.MailScanner.info >MailScanner thanks transtec Computers for their support -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Fri Feb 21 17:29:20 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:15 2006 Subject: SQL logging In-Reply-To: <67D9E7698329D411936E00508B6590B902793179@neelix.lbsltd.co.uk> Message-ID: <5.2.0.9.2.20030221172454.063cff58@imap.ecs.soton.ac.uk> Please note the Subject: change as we aren't talking about SA 2.50 any more! At 17:25 21/02/2003, you wrote: >Argh... This is turning into a big thread!! But it's a very good idea! >The 'blank' config option that could pick up _all_ the $message->{*} >variables, would be the best - as the call to the file only has to happen >once, won't need munging together, and can easily be imported to a database >if it's comma-separated. I can't do one Custom Function call per batch, only 1 per message. But that could easily keep the file open in between calls. You then have an hourly job which "tail"s the file to read and store the hour's values in your db. You can write your logging data into a file in any format you like. Given CSV's full spec (quotes, embedded commas, embedded quotes, etc.) you might find something like tab-separated easier to read automatically. If people need some help getting started and can't help each other, I'll write a skeleton Custom Function for you which logs a few parameters about every message to a file. >-----Original Message-----
>From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] >Sent: 21 February 2003 16:52 >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Re: Spamassassin 2.50 & SQL logging > > >At 16:34 21/02/2003, you wrote: > >Hi Julian, > > > >I like your idea about writing the data to a text file and then >periodically > >reading it into MySQL as this would do exactly what I want and never runs > >the risk of the database being unavailable - it would also be useful as one > >could do a 'tail -f' on the file and watch the traffic going through. > > > >What would be the best configuration option to use to do this? - ideally >I'd > >like to be able to record date, time, id, size, from, to, subject, sascore, > >spamwhitelisted, isspam, issaspam, isrblspam, ishigh, spamreport plus the > >virus and other reports. > >For spam you probably want to catch the "Spam Actions" and "High Scoring >Spam Actions" keywords. >For viruses then you could use "Deliver Silent viruses". > >Ideally I guess I could add a configuration value that effectively did >nothing but got evaluated for every message right at the end of the loop. >Would that be worth doing? (and what could I call the conf file parameter?) > > >I'm pretty much a Perl beginner but don't mind getting my hands dirty - I > >take it that I would open the file handle in the Init sub, write to it in > >the 'main' sub and close in the End sub?? > >That's right. > > > - my only other question would be > >how do you reference the filehandles and variable between the subroutines >as > >my OO experience with Perl is 0... I should be able to work out the rest. > >Just declare variables outside of any function using "my". > > >I'm thinking of putting this together and posting it for anyone else that > >wants to do similar as me for graphing daily reports, showing top users, >top > >mail size per user, average spam score etc. that can be run as > >daily/monthly/weekly/yearly reports from the database. > >I think that would be much appreciated. 
It might even find its way into the >distribution... > > >-----Original Message----- 
> >From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] > >Sent: 21 February 2003 16:00 > >To: MAILSCANNER@jiscmail.ac.uk > >Subject: Re: Spamassassin 2.50 & SQL logging > > > > > >At 15:41 21/02/2003, you wrote: > > >On Fri, 2003-02-21 at 14:33, Julian Field wrote: > > > > At 13:06 21/02/2003, you wrote: > > > > >Also - I was wondering if anyone had tried getting MailScanner to log > >to a > > > > >MySQL database?? - I was looking at the CustomConfig.pm and was > >thinking > > > > >that I could create a custom function that would connect to the > > > database and > > > > >do something like 'INSERT INTO maillog VALUES > > > > >('$message->{id}','$message->{size}','$message->{from}' etc..)' - or > > > is this > > > > >just a really bad idea?? The existing software we use does this into > >an > > > > >Access database but we don't use it because it causes too much > > > overhead, but > > > > >I thought Perl's DBI/DBD and MySQL would probably be much more > >efficient > > > > >than Access/ODBC! > > > > > > > > You are still talking a database "insert" for every batch of messages. > > > > That's going to carry a fair sized overhead. How about writing them to >a > > > > file and then periodically pushing the file data into a database? > > > > > >How reasonable would it be to just insert entries when a virus or spam > > >is found? > > > >Again, it all depends how fast your database is. You could keep the db > >connection open permanently, so it *should* be pretty quick. You would have > >to hook it into one of the configuration parameters that gets used fairly > >late on in the batch processing, and use a Custom Function for that > >parameter that had the side-effect of logging all sorts of things about > >messages. 
> >--
> >Julian Field
> >www.MailScanner.info
> >MailScanner thanks transtec Computers for their support
> >
> >
> >**********************************************************************
> >This email and any files transmitted with it are confidential and
> >intended solely for the use of the individual or entity to whom they
> >are addressed. If you have received this email in error please notify
> >the system manager.
> >
> >This footnote also confirms that this email message has been swept by
> >MIMEsweeper for the presence of computer viruses.
> >
> >www.lbsltd.co.uk
> >**********************************************************************
>
>--
>Julian Field
>www.MailScanner.info
>MailScanner thanks transtec Computers for their support
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Fri Feb 21 17:32:25 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:15 2006
Subject: SQL logging
In-Reply-To: <67D9E7698329D411936E00508B6590B90279317B@neelix.lbsltd.co.uk>
Message-ID: <5.2.0.9.2.20030221172958.02e90b98@imap.ecs.soton.ac.uk>

At 17:32 21/02/2003, you wrote:
>Julian,
>
>That would be perfect!
>
>How about hiding the config option instead - created as CustomLogging which
>is called at the end of the batch that tests to see if
>InitCustomLogging/CustomLogging/EndCustomLogging has been defined or not and
>calls them if they are - possible?? - at least it would save on confusion in
>the config file...

I'll just put the "Always Evaluated Last" in the "Advanced" section at the
bottom so most people won't try touching it until they start searching for
a way to do this. I would rather not have "hidden" config options.

As the option's value is ignored anyway, very little processing has to be
done to evaluate it for every message. I would expect the overhead to be a
tiny fraction of 1% of the time it takes to do the whole loop.

>-----Original Message-----
>From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK]
>Sent: 21 February 2003 17:18
>To: MAILSCANNER@jiscmail.ac.uk
>Subject: Re: Spamassassin 2.50 & SQL logging
>
>
>Sounds like you all need a
>         Always Looked Up Last
>parameter, whose value was ignored. This will be evaluated for every
>message, right at the end of the message batch loop. If it is just set to
>"yes" or "no" the overhead will be minimal for people that don't use it for
>anything. It is there specifically to have "side-effects" so you can do
>your logging.
>
>Any better suggestions for the name?
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From mailings at ULTIMATE-SYSTEMS.DE Fri Feb 21 17:38:25 2003
From: mailings at ULTIMATE-SYSTEMS.DE (Oliver Siegmar)
Date: Thu Jan 12 21:17:15 2006
Subject: Different spam actions based on what MailScanner caused to mark the Mail as spam
Message-ID: <28468968.1045852705@[192.168.18.2]>

Hello,

I'd like to delete a mail if it is recognised as spam because
the MTA is on a RBL-List (defined using the Spam List option).

Everything else should be delivered, but marked.
Is this possible? I didn't find such an option.

Bye,
Oliver

From steve.freegard at LBSLTD.CO.UK Fri Feb 21 17:48:20 2003
From: steve.freegard at LBSLTD.CO.UK (Steve Freegard)
Date: Thu Jan 12 21:17:15 2006
Subject: SQL logging
Message-ID: <67D9E7698329D411936E00508B6590B90279317C@neelix.lbsltd.co.uk>

Julian,

Glad you like the idea, and fine about the 'Always Evaluated Last' config
option.

You're right - tab separation would be a _lot_ easier to handle - if you
could do a quick example Custom function that I could use as a base it would
really help - can you include an example of how to explode out the
recipients/virus reports arrays as that would save me a huge amount of time
(reading through the 'Camel' book) so I can use it as a base and tweak it to
get the values I'd like and then get on with writing the schema for the
database.

Thanks again,
Steve.

-----Original Message-----
From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK]
Sent: 21 February 2003 17:29
To: MAILSCANNER@jiscmail.ac.uk
Subject: Re: SQL logging


Please note the Subject: change as we aren't talking about SA 2.50 any more!

At 17:25 21/02/2003, you wrote:
>Argh... This is turning into a big thread!!

But it's a very good idea!

>The 'blank' config option that could pick up _all_ the $message->{*}
>variables, would be the best - as the call to the file only has to happen
>once, won't need munging together, and can easily be imported to a database
>if it's comma-separated.

I can't do one Custom Function call per batch, only 1 per message. But that
could easily keep the file open in between calls. You then have an hourly
job which "tail"s the file to read and store the hour's values in your db.

You can write your logging data into a file in any format you like. Given
CSV's full spec (quotes, embedded commas, embedded quotes, etc..) you might
find something like tab-separated easier to read automatically.

If people need some help getting started and can't help each other, I'll
write a skeleton Custom Function for you which logs a few parameters about
every message to a file.
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From ryanb at AACRAO.ORG Fri Feb 21 17:49:47 2003
From: ryanb at AACRAO.ORG (Bingham, Ryan)
Date: Thu Jan 12 21:17:15 2006
Subject: sophos question
Message-ID: <87D5B85DDDAAD111960F0060971C59D10197141F@AACRAO4>

We've already used MailScanner (with great success) for anti-spam filtering
and are planning to start using it for anti-virus as well (to this point
we've been doing anti-virus on Exchange with Sybari's Antigen, which we'll
probably keep doing, but I'd like to shift the bulk of the work over to
MailScanner). I'm considering purchasing Sophos for sitewide
implementation, mainly on the basis of its connection to MailScanner. Can
anyone give advice on the features of Sophos in general, i.e. desktop
performance, auto-updates, centralized management etc.?

I'm prepared to go with Sophos the whole way (at least for a year), in order
to get the convenience of its integration with MailScanner and avoid having
to buy a separate product (Symantec) for server/desktop deployment. In my
talks with the Sophos reps, I've mentioned that my main reason for even
looking at Sophos in the first place was MailScanner. They seemed pretty
receptive to that idea and had only good things to say about MailScanner
(they also mentioned Amavis). In my opinion they should give some credit
(or compensation!) to Julian for the increased attention to their software.

Ryan

From so-mlist-alias at all-about-shift.com Fri Feb 21 18:37:41 2003
From: so-mlist-alias at all-about-shift.com (Soeren Gerlach)
Date: Thu Jan 12 21:17:15 2006
Subject: Glitch in the virus database update scripts
Message-ID: <200302211937.41321.so-mlist-alias@all-about-shift.com>

Hi,

as I just recently installed my MailScanner and also a couple of virus
scanners I was able to block the whole system with a little mistake I made.
For security reasons I run the complete scanning systems together with the
MTA (exim) under the user "mail". I also chowned the /opt/MailScanner and
virus scanning stuff to "mail:mail" (yes, I'm running a debian box *g*).

Right after installation I performed a sophos-update for the virus database.
I later installed the update in the crontab of user __mail__. THIS was a
problem, because I did the first update as user root and the other ones as
user mail; but he was not able to get the lockfile because this is owned by
root and chmod'ed 644.

The problem starts when an arbitrary user creates a lock file for one of the
update-scripts and chmods it to 600, he can easily blow the whole update
stuff without really doing anything "bad" because the locks simply are set
in the /tmp directory which normally is world-writeable on most OSes.
Although no other users reside on the mail servers I care for I recommend
to change the lock files to another place. For my boxes I created a
/var/run/MailScanner directory and changed all scripts which I needed to use
this directory. As I changed it to mail:mail with 700 grants it's now not
possible to lock the updates for another user. Another directory could be
/opt/MailScanner/locks or so.

best regards,
soeren gerlach

--
This message has been scanned for viruses and other dangerous content

From mailscanner at ecs.soton.ac.uk Fri Feb 21 18:40:55 2003
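The lock-file problem described in Soeren Gerlach's message above, as an added Python example (not MailScanner's update scripts and not code from any poster). It refuses to take an update lock in a directory that other users can write to, and uses a private 0700 directory instead; the lock file name and the temporary paths are constructed placeholders.

```python
import errno
import fcntl
import os
import stat
import tempfile


def lock_dir_problems(path):
    """Return the reasons `path` is unsafe as a lock directory (empty list = safe)."""
    try:
        st = os.lstat(path)  # lstat: never follow a symlink somebody else planted
    except FileNotFoundError:
        return ["does not exist"]
    if not stat.S_ISDIR(st.st_mode):
        return ["not a real directory (symlink or plain file)"]
    problems = []
    if st.st_uid != os.geteuid():
        problems.append("owned by uid %d, not by the updating user" % st.st_uid)
    if st.st_mode & 0o077:
        problems.append("mode %o is not private to its owner" % stat.S_IMODE(st.st_mode))
    return problems


def acquire_update_lock(lock_dir, name):
    """Return an fd holding an exclusive lock, or None if an update already runs."""
    problems = lock_dir_problems(lock_dir)
    if problems:
        raise PermissionError("%s: %s" % (lock_dir, "; ".join(problems)))
    # O_NOFOLLOW: a symlink in place of the lock file is an error, not a redirect.
    fd = os.open(os.path.join(lock_dir, name),
                 os.O_RDWR | os.O_CREAT | os.O_NOFOLLOW, 0o600)
    try:
        fcntl.flock(fd, fcntl.LOCK_EX | fcntl.LOCK_NB)
    except OSError as exc:
        os.close(fd)
        if exc.errno in (errno.EAGAIN, errno.EACCES):
            return None  # somebody holds the lock right now
        raise
    return fd


def demo():
    """Constructed scenario: a /tmp-like shared directory versus a private one."""
    results = {}
    with tempfile.TemporaryDirectory() as base:
        shared = os.path.join(base, "tmp-like")
        os.mkdir(shared)
        os.chmod(shared, 0o1777)  # world-writable with sticky bit, like /tmp
        private = os.path.join(base, "run-MailScanner")
        os.mkdir(private)
        os.chmod(private, 0o700)  # the "700 grants" from the message
        link = os.path.join(base, "link-to-private")
        os.symlink(private, link)

        for key, path in (("shared_refused", shared), ("symlink_refused", link)):
            try:
                os.close(acquire_update_lock(path, "virus-update.lock"))
                results[key] = False
            except PermissionError:
                results[key] = True

        first = acquire_update_lock(private, "virus-update.lock")
        second = acquire_update_lock(private, "virus-update.lock")
        results["first_locked"] = first is not None
        results["second_busy"] = second is None
        os.close(first)  # closing the fd releases the lock
        third = acquire_update_lock(private, "virus-update.lock")
        results["relock_after_release"] = third is not None
        os.close(third)
    return results


if __name__ == "__main__":
    print(demo())
```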
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:15 2006
Subject: sophos question
In-Reply-To: <87D5B85DDDAAD111960F0060971C59D10197141F@AACRAO4>
Message-ID: <5.2.0.9.2.20030221183512.020cceb0@imap.ecs.soton.ac.uk>

At 17:49 21/02/2003, you wrote:
>We've already used MailScanner (with great success) for anti-spam filtering
>and are planning to start using it for anti-virus as well (to this point
>we've been doing anti-virus on Exchange with Sybari's Antigen, which we'll
>probably keep doing, but I'd like to shift the bulk of the work over to
>MailScanner). I'm considering purchasing Sophos for sitewide
>implementation, mainly on the basis of its connection to MailScanner. Can
>anyone give advice on the features of Sophos in general, i.e. desktop
>performance, auto-updates, centralized management etc.?

It is very much designed for the corporate market, not the home market. You
can set up a central update-server which all the Windows desktops use to
pull all their updates, and automating the updates of the central
update-server is pretty easy to do (our Windows admins have done it, so it
can't be too hard). Its desktop performance is pretty good, the virus
detection engine is superb (my favourite). The auto-updates can be done as
frequently as you like, and are very straight-forward to do. I believe the
centralised management is okay too. We have used a site licence for Sophos
for 4 or 5 years now, and our campus-wide Computing Services dept are very
happy with it.

>I'm prepared to go with Sophos the whole way (at least for a year), in order
>to get the convenience of its integration with MailScanner and avoid having
>to buy a separate product (Symantec) for server/desktop deployment.

There is a gain to be made from using a different product for your mail
gateway as to the one you use for your desktops. If, for some reason, one of
them fails an update (or the company is slow to react to a particular virus)
then you are protected at 2 levels giving a more robust system.

>  In my
>talks with the Sophos reps, I've mentioned that my main reason for even
>looking at Sophos in the first place was MailScanner. They seemed pretty
>receptive to that idea and had only good things to say about MailScanner
>(they also mentioned Amavis). In my opinion they should give some credit
>(or compensation!) to Julian for the increased attention to their software.

They don't even talk to me any more :-(
Bit of a change from the days when they tried to head-hunt me.
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Fri Feb 21 18:34:42 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:15 2006
Subject: Different spam actions based on what MailScanner caused to mark the Mail as spam
In-Reply-To: <28468968.1045852705@[192.168.18.2]>
Message-ID: <5.2.0.9.2.20030221182945.0244dd40@imap.ecs.soton.ac.uk>

At 17:38 21/02/2003, you wrote:
>Hello,
>
>I'd like to delete a mail if it is recognised as spam because
>the MTA is on a RBL-List (defined using the Spam List option).
>
>Everything else should be delivered, but marked.
>Is this possible? I didn't find such an option.

This can be achieved with a little bit of SpamAssassin configuration.
Set "Spam List =" to disable MailScanner's RBL checking, and use
SpamAssassin's RBL checking instead. Set a very high score (e.g. 100) for
all the rules that affect RBL's. To do this, look for "RBL" in
/usr/share/spamassassin/20_head_tests.cf for the names of the rules, and
read "man Mail::SpamAssassin::Conf" to find out how to modify the scores for
certain rules.

Then use "High SpamAssassin Score = 100" and "High Scoring Spam Actions =
delete" in MailScanner.conf.

If you can't find the rules or want to confirm that you are doing it right,
drop me a line.
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From lists at STHOMAS.NET Fri Feb 21 18:33:48 2003
From: lists at STHOMAS.NET (Steve Thomas)
Date: Thu Jan 12 21:17:15 2006
Subject: sophos question
In-Reply-To: <87D5B85DDDAAD111960F0060971C59D10197141F@AACRAO4>
Message-ID:

| MailScanner). I'm considering purchasing Sophos for sitewide
| implementation, mainly on the basis of its connection to MailScanner. Can
| anyone give advice on the features of Sophos in general, i.e. desktop
| performance, auto-updates, centralized management etc.?

Sophos rocks. We've been using it at my office for about 18 months. I was
using it with amavis for most of that time, and just switched over to
MailScanner last week. As for client/server usage, it's fantastic.
Installation onto desktops can be done remotely, desktop updates are done
automatically when the central installation has been updated, it's FAST and
it's reasonable when it comes to CPU usage.

I dug around a little before choosing an A/V solution for our company, and
Sophos was the one that was consistently getting the highest ratings for
ease of use, speed and accuracy in the various reviews I read. I endorse
those findings whole-heartedly.

HTH,
St-

From mailscanner at ecs.soton.ac.uk Fri Feb 21 20:06:55 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:15 2006
Subject: SQL logging
In-Reply-To: <67D9E7698329D411936E00508B6590B90279317C@neelix.lbsltd.co.uk>
Message-ID: <5.2.0.9.2.20030221200416.02248540@imap.ecs.soton.ac.uk>

Here are the patches to make the "Always Looked Up Last" option work, so
you can set it to a Custom Function to do all your logging.

Sample code for the Custom Function itself will follow later, when I've had
a chance to write some.

At 17:48 21/02/2003, you wrote:
>Glad you like the idea, and fine about the 'Always Evaluated Last' config
>option.
>
>You're right - tab separation would be a _lot_ easier to handle - if you
>could do a quick example Custom function that I could use as a base it would
>really help - can you include an example of how to explode out the
>recipients/virus reports arrays as that would save me a huge amount of time
>(reading through the 'Camel' book) so I can use it as a base and tweak it to
>get the values I'd like and then get on with writing the schema for the
>database.
>
>Thanks again,
>Steve.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: MessageBatch.pm.patch
Type: application/octet-stream
Size: 625 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030221/aff562f7/MessageBatch.pm.obj
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ConfigDefs.pl.patch
Type: application/octet-stream
Size: 664 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030221/aff562f7/ConfigDefs.pl.obj
-------------- next part --------------
A non-text attachment was scrubbed...
Name: MailScanner.conf.patch
Type: application/octet-stream
Size: 902 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030221/aff562f7/MailScanner.conf.obj
-------------- next part --------------
A non-text attachment was scrubbed...
Name: MailScanner.patch
Type: application/octet-stream
Size: 529 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030221/aff562f7/MailScanner.obj
-------------- next part --------------
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Fri Feb 21 20:12:00 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:15 2006
Subject: SQL logging
In-Reply-To: <5.2.0.9.2.20030221200416.02248540@imap.ecs.soton.ac.uk>
References: <67D9E7698329D411936E00508B6590B90279317C@neelix.lbsltd.co.uk>
Message-ID: <5.2.0.9.2.20030221201128.021d5b10@imap.ecs.soton.ac.uk>

And line 720 of MessageBatch.pm should of course have 1 less ")" at the
end of it. :-)

At 20:06 21/02/2003, you wrote:
>Here are the patches to make the "Always Looked Up Last" option work, so
>you can set it to a Custom Function to do all your logging.
>
>Sample code for the Custom Function itself will follow later, when I've had
>a chance to write some.
>
>At 17:48 21/02/2003, you wrote:
>>Glad you like the idea, and fine about the 'Always Evaluated Last' config
>>option.
>>
>>You're right - tab separation would be a _lot_ easier to handle - if you
>>could do a quick example Custom function that I could use as a base it would
>>really help - can you include an example of how to explode out the
>>recipients/virus reports arrays as that would save me a huge amount of time
>>(reading through the 'Camel' book) so I can use it as a base and tweak it to
>>get the values I'd like and then get on with writing the schema for the
>>database.
>>
>>Thanks again,
>>Steve.
>>
>>
>>-----Original Message-----
>>From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK]
>>Sent: 21 February 2003 17:29
>>To: MAILSCANNER@jiscmail.ac.uk
>>Subject: Re: SQL logging
>>
>>
>>Please note the Subject: change as we aren't talking about SA 2.50 any more!
>>
>>At 17:25 21/02/2003, you wrote:
>> >Argh... This is turning into a big thread!!
>>
>>But it's a very good idea!
>>
>> >The 'blank' config option that could pick up _all_ the $message->{*}
>> >variables, would be the best - as the call to the file only has to happen
>> >once, won't need munging together, and can easily be imported to a database
>> >if it's comma-separated.
>>
>>I can't do one Custom Function call per batch, only 1 per message. But that
>>could easily keep the file open in between calls. You then have an hourly
>>job which "tail"s the file to read and store the hour's values in your db.
>>
>>You can write your logging data into a file in any format you like. Given
>>CSV's full spec (quotes, embedded commas, embedded quotes, etc..) you might
>>find something like tab-separated easier to read automatically.
>>
>>If people need some help getting started and can't help each other, I'll
>>write a skeleton Custom Function for you which logs a few parameters about
>>every message to a file.
>>
>> >-----Original Message-----
>> >From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK]
>> >Sent: 21 February 2003 16:52
>> >To: MAILSCANNER@JISCMAIL.AC.UK
>> >Subject: Re: Spamassassin 2.50 & SQL logging
>> >
>> >
>> >At 16:34 21/02/2003, you wrote:
>> > >Hi Julian,
>> > >
>> > >I like your idea about writing the data to a text file and then
>> > >periodically reading it into MySQL as this would do exactly what I want
>> > >and never runs the risk of the database being unavailable - it would also
>> > >be useful as one could do a 'tail -f' on the file and watch the traffic
>> > >going through.
>> > >
>> > >What would be the best configuration option to use to do this? - ideally
>> > >I'd like to be able to record date, time, id, size, from, to, subject,
>> > >sascore, spamwhitelisted, isspam, issaspam, isrblspam, ishigh, spamreport
>> > >plus the virus and other reports.
>> >
>> >For spam you probably want to catch the "Spam Actions" and "High Scoring
>> >Spam Actions" keywords.
>> >For viruses then you could use "Deliver Silent viruses".
>> >
>> >Ideally I guess I could add a configuration value that effectively did
>> >nothing but got evaluated for every message right at the end of the loop.
>> >Would that be worth doing? (and what could I call the conf file parameter?)
>> >
>> > >I'm pretty much a Perl beginner but don't mind getting my hands dirty - I
>> > >take it that I would open the file handle in the Init sub, write to it in
>> > >the 'main' sub and close in the End sub??
>> >
>> >That's right.
>> >
>> > > - my only other question would be
>> > >how do you reference the filehandles and variable between the subroutines
>> > >as my OO experience with Perl is 0... I should be able to work out the
>> > >rest.
>> >
>> >Just declare variables outside of any function using "my".
>> >
>> > >I'm thinking of putting this together and posting it for anyone else that
>> > >wants to do similar as me for graphing daily reports, showing top users,
>> > >top mail size per user, average spam score etc. that can be run as
>> > >daily/monthly/weekly/yearly reports from the database.
>> >
>> >I think that would be much appreciated. It might even find its way into the
>> >distribution...
>
>--
>Julian Field
>www.MailScanner.info
>MailScanner thanks transtec Computers for their support

-- 
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From mailings at ULTIMATE-SYSTEMS.DE Fri Feb 21 20:31:27 2003
From: mailings at ULTIMATE-SYSTEMS.DE (Oliver Siegmar)
Date: Thu Jan 12 21:17:15 2006
Subject: Different spam actions based on what MailScanner caused to mark the Mail as spam
In-Reply-To: <5.2.0.9.2.20030221182945.0244dd40@imap.ecs.soton.ac.uk>
References: <5.2.0.9.2.20030221182945.0244dd40@imap.ecs.soton.ac.uk>
Message-ID: <38851906.1045863087@[192.168.18.2]>

--On Freitag, 21. Februar 2003 18:34 +0000 Julian Field wrote:

> Set a very high score (e.g. 100) for all the rules that affect RBL's. To
> do this, look for "RBL" in /usr/share/spamassassin/20_head_tests.cf for
> the names of the rules, and read "man Mail::SpamAssassin::Conf" to find
> out how to modify the scores for certain rules.

So I have to add a "score-line" to each (there are plenty of them)
RBL-Block in 20_head_tests.cf?

From mailscanner at ecs.soton.ac.uk Fri Feb 21 20:57:25 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:15 2006
Subject: Different spam actions based on what MailScanner caused to mark the Mail as spam
In-Reply-To: <38851906.1045863087@[192.168.18.2]>
References: <5.2.0.9.2.20030221182945.0244dd40@imap.ecs.soton.ac.uk> <5.2.0.9.2.20030221182945.0244dd40@imap.ecs.soton.ac.uk>
Message-ID: <5.2.0.9.2.20030221205020.0220d938@imap.ecs.soton.ac.uk>

At 20:31 21/02/2003, you wrote:
>--On Freitag, 21. Februar 2003 18:34 +0000 Julian Field
> wrote:
>
>>Set a very high score (e.g. 100) for all the rules that affect RBL's. To
>>do this, look for "RBL" in /usr/share/spamassassin/20_head_tests.cf for
>>the names of the rules, and read "man Mail::SpamAssassin::Conf" to find
>>out how to modify the scores for certain rules.
>
>So I have to add a "score-line" to each (there are plenty of them)
>RBL-Block in 20_head_tests.cf?

Only the RBL's you actually want to use (which is probably only 3 or 4).
However, if you want the full list of RBL rules, here they are. Any ones
you want to use, replace the number at the end of the line with 100.0 and
put it in /etc/MailScanner/spam.assassin.prefs.conf

score RCVD_IN_OSIRUSOFT_COM 0.38
score X_OSIRU_OPEN_RELAY 2.72
score X_OSIRU_DUL 0.62
score X_OSIRU_DUL_FH 0.36
score X_OSIRU_SPAM_SRC 2.73
score X_OSIRU_SPAMWARE_SITE 0.30
score X_OSIRU_DUL_FH 0.36
score RCVD_IN_RELAYS_ORDB_ORG 0.61
score RCVD_IN_VISI 2.62
score RCVD_IN_SBL 3.18
score RCVD_IN_ORBS 2.25
score RCVD_IN_OPM 1.00
score RCVD_IN_DSBL 3.25
score RCVD_IN_MULTIHOP_DSBL 0.81
score RCVD_IN_UNCONFIRMED_DSBL 0.77
score RCVD_IN_RFCI 2.28
score HABEAS_HIL 4.0
score RCVD_IN_BONDEDSENDER -10.0
# These ones are commercial.
score RCVD_IN_BL_SPAMCOP_NET 0.0
# These ones are commercial and you *have* to pay for them.
score RCVD_IN_RBL 0.0
score RCVD_IN_RSS 0.0
score RCVD_IN_DUL 0.0
score RCVD_IN_DUL_FH 0.0
score RCVD_IN_DUL_FH 0.0
score RCVD_IN_NJABL 0.01
score X_NJABL_OPEN_PROXY 2.00
score X_NJABL_DIALUP 0.50

-- 
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From RHerban at GRAMTEL.NET Fri Feb 21 20:54:47 2003
From: RHerban at GRAMTEL.NET (Randy Herban)
Date: Thu Jan 12 21:17:15 2006
Subject: SQL logging
Message-ID:

Another option might be to use a syslog that logs to mysql directly
(msyslogd) instead of other scripts to hack mailscanner or parse logs
after the fact.

Just an idea.

-Randy

-----Original Message-----
From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK]
Sent: Friday, February 21, 2003 3:12 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: SQL logging

And line 720 of MessageBatch.pm should of course have 1 less ")" at the
end of it. :-)

At 20:06 21/02/2003, you wrote:
>Here are the patches to make the "Always Looked Up Last" option work,
>so you can set it to a Custom Function to do all your logging.
>
>Sample code for the Custom Function itself will follow later, when I've
>had a chance to write some.

From mailscanner at ecs.soton.ac.uk Fri Feb 21 21:06:11 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:15 2006
Subject: SQL logging
In-Reply-To:
Message-ID: <5.2.0.9.2.20030221210519.02665f08@imap.ecs.soton.ac.uk>

That would be my preferred option too, but I don't think MailScanner is
currently outputting as much log info as they would like.

At 20:54 21/02/2003, you wrote:
>Another option might be to use a syslog that logs to mysql directly
>(msyslogd) instead of other scripts to hack mailscanner or parse logs after
>the fact.
>
>Just an idea.
>
>-Randy
>
>-----Original Message-----
>From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK]
>Sent: Friday, February 21, 2003 3:12 PM
>To: MAILSCANNER@JISCMAIL.AC.UK
>Subject: Re: SQL logging
>
>
>And line 720 of MessageBatch.pm should of course have 1 less ")" at the end
>of it.
>:-)

-- 
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From rick at PRIS.CA Fri Feb 21 21:06:16 2003
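The file-then-import design from the SQL logging thread above, as an added example (not code from the thread or from MailScanner): From and Subject values are chosen by the sender, so the writer escapes tabs, newlines and control characters before logging, and the importer binds values as query parameters instead of interpolating them into the INSERT. Python and sqlite3 stand in for the Perl Custom Function and MySQL; the column names follow the list in the thread, while the escaping scheme, table layout and sample messages are assumptions constructed for the example.

```python
import sqlite3

FIELDS = ("id", "size", "from", "to", "subject", "sascore", "isspam")
_ESC = {"\\": "\\\\", "\t": "\\t", "\n": "\\n", "\r": "\\r"}
_UNESC = {"t": "\t", "n": "\n", "r": "\r"}
# Hypothetical schema: one row per message, one row per recipient.
SCHEMA = """CREATE TABLE IF NOT EXISTS maillog (id TEXT PRIMARY KEY, size INTEGER,
    sender TEXT, subject TEXT, sascore REAL, isspam INTEGER);
CREATE TABLE IF NOT EXISTS recipient (msg_id TEXT, address TEXT);"""

def encode_field(value, in_list=False):
    """Escape a value so it cannot add a column, start a new record, or send
    control sequences to a terminal that is running 'tail -f' on the log."""
    out = []
    for ch in str(value):
        if ch in _ESC:
            out.append(_ESC[ch])
        elif ord(ch) < 0x20 or ch == "\x7f" or (in_list and ch == ","):
            out.append("\\x%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)

def decode_field(text):
    """Inverse of encode_field; raises ValueError on a malformed \\x escape."""
    out, i = [], 0
    while i < len(text):
        ch, step = text[i], 1
        if ch == "\\":
            code = text[i + 1:i + 2]
            step = 4 if code == "x" else 2
            ch = chr(int(text[i + 2:i + 4], 16)) if code == "x" else _UNESC.get(code, code)
        out.append(ch)
        i += step
    return "".join(out)

def format_record(msg):
    """Writer side: one tab-separated line per message."""
    to = ",".join(encode_field(r, in_list=True) for r in msg["to"])
    cols = [encode_field(msg["id"]), str(int(msg["size"])), encode_field(msg["from"]),
            to, encode_field(msg["subject"]), "%.2f" % float(msg["sascore"]),
            "1" if msg["isspam"] else "0"]
    return "\t".join(cols) + "\n"

def parse_record(line):
    """Reader side: typed fields from one line; ValueError if malformed."""
    cols = line.rstrip("\n").split("\t")
    if len(cols) != len(FIELDS):
        raise ValueError("expected %d columns, got %d" % (len(FIELDS), len(cols)))
    mid, size, sender, to, subject, score, spam = cols
    return {"id": decode_field(mid), "size": int(size), "from": decode_field(sender),
            "to": [decode_field(r) for r in to.split(",") if r],
            "subject": decode_field(subject), "sascore": float(score),
            "isspam": spam == "1"}

def import_lines(conn, lines):
    """Periodic job: load log lines with bound parameters, never string
    interpolation. Returns (inserted, rejected)."""
    conn.executescript(SCHEMA)
    inserted = rejected = 0
    for line in lines:
        try:
            rec = parse_record(line)
        except ValueError:
            rejected += 1
            continue
        before = conn.total_changes
        # OR IGNORE (SQLite syntax) makes re-reading the same lines harmless.
        conn.execute("INSERT OR IGNORE INTO maillog VALUES (?, ?, ?, ?, ?, ?)",
                     (rec["id"], rec["size"], rec["from"], rec["subject"],
                      rec["sascore"], int(rec["isspam"])))
        if conn.total_changes > before:
            conn.executemany("INSERT INTO recipient VALUES (?, ?)",
                             [(rec["id"], r) for r in rec["to"]])
            inserted += 1
    conn.commit()
    return inserted, rejected

# Constructed sample messages; the second carries hostile header values.
SAMPLE = [
    {"id": "h1LK6Bx0001234", "size": 1186, "from": "alice@example.org",
     "to": ["bob@example.com", "carol@example.com"],
     "subject": "Minutes", "sascore": 0.4, "isspam": False},
    {"id": "h1LK6Bx0001235", "size": 2048,
     "from": "x'); DROP TABLE maillog; --@example.net",
     "to": ['"Doe, J" <jd@example.com>'],
     "subject": "hi\th1LKfake\n0\tforged@example.org\t\x1b[2J",
     "sascore": 17.25, "isspam": True},
]

def demo():
    conn = sqlite3.connect(":memory:")
    lines = [format_record(m) for m in SAMPLE] + ["truncated\tline\n"]
    result = import_lines(conn, lines + lines)  # second pass simulates a re-read
    rows = conn.execute("SELECT sender, subject FROM maillog ORDER BY id").fetchall()
    to = conn.execute("SELECT address FROM recipient ORDER BY rowid").fetchall()
    return lines, result, rows, to

if __name__ == "__main__":
    print(demo()[1])
```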
From: rick at PRIS.CA (System Administration)
Date: Thu Jan 12 21:17:15 2006
Subject: Rules for Virus Scanning
Message-ID: <3E5694C8.DA87770C@pris.ca>

Hello All

I have recently added a rule to the mailscanner config file telling it that if mail comes from a certain IP address to not bother scanning it. Upon checking the mail logs I have noticed the following error:

    Config Error: Cannot match against destination IP address when resolving configuration option "virusscan"

The mailscanner config file looks like this:

    Virus Scanning = /opt/MailScanner/etc/rules/viruscan.rules

The rules file contains the following:

FromTo: 12.129.199.61 no
FromTo: 63.161.60.29 no
FromTo: 63.161.60.61 no
FromTo: 63.161.60.93 no
FromTo: 63.211.220.125 no
FromTo: 216.35.189.221 no
FromTo: 216.148.222.61 no
FromTo: *@pris.ca yes
FromTo: *@pris.bc.ca yes

When I don't use a ruleset, everything appears to work fine and I don't receive any errors. However I need the ruleset to prevent the Mailscanner from scanning the same piece of mail twice.

Another error I have noticed which does not have anything to do with the above is the following:

    Global symbol "$file" requires explicit package name at (eval 496) line 1, chunk 3.

Any and all help is most appreciated.

Thank you

Rick

From mailscanner at ecs.soton.ac.uk Fri Feb 21 22:56:45 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:15 2006
Subject: Rules for Virus Scanning
In-Reply-To: <3E5694C8.DA87770C@pris.ca>
Message-ID: <5.2.0.9.2.20030221224309.025fe748@imap.ecs.soton.ac.uk>

At 21:06 21/02/2003, you wrote:
>Hello All
>
>I have recently added a rule to the mailscanner config file telling it
>that if mail comes from a certain IP address to not bother scanning it.
>Upon checking the mail logs I have noticed the following error:
>    Config Error: Cannot match against destination IP address when
>    resolving configuration option "virusscan"
>
>The mailscanner config file looks like this:
>    Virus Scanning = /opt/MailScanner/etc/rules/viruscan.rules
>
>The rules file contains the following:
>
>FromTo: 12.129.199.61 no
>FromTo: 63.161.60.29 no
>FromTo: 63.161.60.61 no
>FromTo: 63.161.60.93 no
>FromTo: 63.211.220.125 no
>FromTo: 216.35.189.221 no
>FromTo: 216.148.222.61 no
>FromTo: *@pris.ca yes
>FromTo: *@pris.bc.ca yes
>
>When I don't use a ruleset, everything appears to work fine and I don't
>receive any errors. However I need the ruleset to prevent the
>Mailscanner from scanning the same piece of mail twice.

You cannot specify an IP address when matching "To" addresses. You won't know what IP address the message is sent to until it has actually been delivered, by which time it's too late.

So when specifying IP addresses in rules, you can only use "From:".

>Another error I have noticed which does not have anything to do with the
>
>above is the following:
>    Global symbol "$file" requires explicit package name at (eval 496)
>    line 1, chunk 3.

It looks like whoever wrote the Danish (dk) translations used "$file" instead of "$filename" in 4 of the files. They are
/etc/MailScanner/reports/dk/deleted.filename.message.txt
/etc/MailScanner/reports/dk/deleted.virus.message.txt
/etc/MailScanner/reports/dk/stored.filename.message.txt
/etc/MailScanner/reports/dk/stored.virus.message.txt
This will be fixed in the next release.

>Any and all help is most appreciated.
>
>Thank you
>
>Rick

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Fri Feb 21 23:06:02 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:15 2006
Subject: SQL logging
In-Reply-To: <5.2.0.9.2.20030221200416.02248540@imap.ecs.soton.ac.uk>
References: <67D9E7698329D411936E00508B6590B90279317C@neelix.lbsltd.co.uk>
Message-ID: <5.2.0.9.2.20030221230422.0246b5d8@imap.ecs.soton.ac.uk>

I made a right hash up of the last lot of patches I posted to help set this up (the filenames were wrong too). Attached is a rather more useful version.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: LoggingPatches.tar.gz
Type: application/octet-stream
Size: 1499 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030221/c841dfe7/LoggingPatches.tar.obj
-------------- next part --------------
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From marco at MUW.EDU Fri Feb 21 23:13:10 2003
From: marco at MUW.EDU (Marco Obaid) Date: Thu Jan 12 21:17:15 2006 Subject: Newbie Question In-Reply-To: <5.2.0.9.2.20030221224309.025fe748@imap.ecs.soton.ac.uk> References: <5.2.0.9.2.20030221224309.025fe748@imap.ecs.soton.ac.uk> Message-ID: <1045869190.3e56b28635195@webmail.MUW.Edu> Hello all, I am just new to the Ruleset concept and just need a little push. How do I write a ruleset to mark messages from a subnet 10.10.10.0/24 as spam? How do I write a ruleset to deny message coming to a generic account, for example rpc@mysite.com? I am receiving a low-score spam to rpc@mysite.com. Also, for some reason, some spam is making it through. The pattern is the originating servers. For example, they all are 10.10.10.2,10.10.10.223, ... etc. The spam score for those messages is ssss, which I am assuming low to be denied. Thank you for any hints you may offer I love MailScanner Marco _________________________________________________________________ This mail is sent through MUW Webmail: http://www.MUW.Edu/webmail For the latest MUW Events, visit http://www.MUW.Edu/calendar From rick at PRIS.CA Fri Feb 21 23:41:53 2003 
From: rick at PRIS.CA (System Administration)
Date: Thu Jan 12 21:17:15 2006
Subject: Rules for Virus Scanning
Message-ID: <3E56B941.611A16EA@pris.ca>

Hello Julian

thanks very much, that fixed everything up. I also found the $file variable in the following EN reports

deleted.filename.message.txt
deleted.virus.message.txt

Rick

On Fri, 21 Feb 2003, Julian Field wrote:

> At 21:06 21/02/2003, you wrote:
> >Hello All
> >
> >I have recently added a rule to the mailscanner config file telling it
> >that if mail comes from a certain IP address to not bother scanning it.
> >Upon checking the mail logs I have noticed the following error:
> >    Config Error: Cannot match against destination IP address when
> >    resolving configuration option "virusscan"
> >
> >The mailscanner config file looks like this:
> >    Virus Scanning = /opt/MailScanner/etc/rules/viruscan.rules
> >
> >The rules file contains the following:
> >
> >FromTo: 12.129.199.61 no
> >FromTo: 63.161.60.29 no
> >FromTo: 63.161.60.61 no
> >FromTo: 63.161.60.93 no
> >FromTo: 63.211.220.125 no
> >FromTo: 216.35.189.221 no
> >FromTo: 216.148.222.61 no
> >FromTo: *@pris.ca yes
> >FromTo: *@pris.bc.ca yes
> >
> >When I don't use a ruleset, everything appears to work fine and I don't
> >receive any errors. However I need the ruleset to prevent the
> >Mailscanner from scanning the same piece of mail twice.
>
> You cannot specify an IP address when matching "To" addresses. You won't
> know what IP address the message is sent to until it has actually been
> delivered, by which time it's too late.
>
> So when specifying IP addresses in rules, you can only use "From:".
>
> >Another error I have noticed which does not have anything to do with the
> >
> >above is the following:
> >    Global symbol "$file" requires explicit package name at (eval 496)
> >    line 1, chunk 3.
> It looks like whoever wrote the Danish (dk) translations used "$file"
> instead of "$filename" in 4 of the files. They are
> /etc/MailScanner/reports/dk/deleted.filename.message.txt
> /etc/MailScanner/reports/dk/deleted.virus.message.txt
> /etc/MailScanner/reports/dk/stored.filename.message.txt
> /etc/MailScanner/reports/dk/stored.virus.message.txt
> This will be fixed in the next release.
>
> >Any and all help is most appreciated.
> >
> >Thank you
> >
> >Rick
>
> --
> Julian Field
> www.MailScanner.info
> MailScanner thanks transtec Computers for their support
>

From steve.freegard at LBSLTD.CO.UK Sat Feb 22 00:07:16 2003
From: steve.freegard at LBSLTD.CO.UK (Steve Freegard)
Date: Thu Jan 12 21:17:15 2006
Subject: SQL logging
Message-ID: <67D9E7698329D411936E00508B6590B902793182@neelix.lbsltd.co.uk>

Thanks Julian - I've just applied the patches and tried it out by doing some InfoLog calls - works perfectly.

-----Original Message-----
From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK]
Sent: 21 February 2003 23:06
To: MAILSCANNER@jiscmail.ac.uk
Subject: Re: SQL logging

I made a right hash up of the last lot of patches I posted to help set this up (the filenames were wrong too). Attached is a rather more useful version.

**********************************************************************
This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager.

This footnote also confirms that this email message has been swept by MIMEsweeper for the presence of computer viruses.

www.lbsltd.co.uk
**********************************************************************

From mkettler at EVI-INC.COM Sat Feb 22 00:12:30 2003
From: mkettler at EVI-INC.COM (Matt Kettler)
Date: Thu Jan 12 21:17:15 2006
Subject: Newbie Question
In-Reply-To: <1045869190.3e56b28635195@webmail.MUW.Edu>
References: <5.2.0.9.2.20030221224309.025fe748@imap.ecs.soton.ac.uk> <5.2.0.9.2.20030221224309.025fe748@imap.ecs.soton.ac.uk>
Message-ID: <5.2.0.9.0.20030221181739.01d8ac30@192.168.50.2>

First, 10.*.*.* is a reserved set of IP addresses which are non-routable on the public internet. If you really are getting spam directly delivered to your mailserver from a machine with those IP addresses it is a part of your local network, or a VPN tunnel to it.

If those IP's appear in headers way back in the message Received trail, realize that lots of people use 10.* subnets, me included (my workstation here has the non-routable IP 10.0.4.21, but I could assign it anything I wanted in the 10.*.*.* range).

I would strongly advise against using any such rule which looks for 10.10.10.* in the message headers as a criteria for spam, as those IP addresses are non-routable and can be used by anyone inside their network borders. Instead I'd look at the IP's of the machines delivering the mail to your mailserver... that IP has to be real and routable.

As for denying inbound messages, that is really best done at the sendmail level using /etc/mail/access or virtusertable's. But I'm not sure offhand the best way of doing it for a rcpt to:.

At 05:13 PM 2/21/2003 -0600, Marco Obaid wrote:
>Hello all,
>
>I am just new to the Ruleset concept and just need a little push.
>How do I write a ruleset to mark messages from a subnet 10.10.10.0/24 as spam?
>How do I write a ruleset to deny message coming to a generic account, for
>example rpc@mysite.com?
>
>I am receiving a low-score spam to rpc@mysite.com. Also, for some reason, some
>spam is making it through. The pattern is the originating servers. For
>example,
>they all are 10.10.10.2,10.10.10.223, ... etc. The spam score for those
>messages is ssss, which I am assuming low to be denied.
> >Thank you for any hints you may offer > >I love MailScanner >Marco > >_________________________________________________________________ >This mail is sent through MUW Webmail: http://www.MUW.Edu/webmail >For the latest MUW Events, visit http://www.MUW.Edu/calendar From marco at MUW.EDU Sat Feb 22 01:29:56 2003 From: marco at MUW.EDU (Marco Obaid) Date: Thu Jan 12 21:17:15 2006 Subject: Newbie Question In-Reply-To: <5.2.0.9.0.20030221181739.01d8ac30@192.168.50.2> References: <5.2.0.9.2.20030221224309.025fe748@imap.ecs.soton.ac.uk> <5.2.0.9.2.20030221224309.025fe748@imap.ecs.soton.ac.uk> <5.2.0.9.0.20030221181739.01d8ac30@192.168.50.2> Message-ID: <1045877396.3e56d294740ac@webmail.MUW.Edu> Quoting Matt Kettler : > First, 10.*.*.* is a reserved set of IP addresses which are non-routable on > the public internet. > I know that Matt. I used 10.10.10.0 in my question as an example. My question was how would you reject mail from a subnet using a ruleset? I hope I am clear now ... Thank you for your response Matt. Marco _________________________________________________________________ This mail is sent through MUW Webmail: http://www.MUW.Edu/webmail For the latest MUW Events, visit http://www.MUW.Edu/calendar From smohan at vsnl.com Sat Feb 22 01:39:37 2003 From: smohan at vsnl.com (S Mohan) Date: Thu Jan 12 21:17:15 2006 Subject: Newbie Question In-Reply-To: <1045877396.3e56d294740ac@webmail.MUW.Edu> Message-ID: <003201c2da13$445c5210$206041db@18yamuna> Cannot. This is the job of the MTA e.g. sendmail where you block this entering this IP REJECT in access.db Mohan -----Original Message----- 
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Marco Obaid
Sent: Saturday, February 22, 2003 7:00 AM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Newbie Question

Quoting Matt Kettler :

> First, 10.*.*.* is a reserved set of IP addresses which are
> non-routable on the public internet.
>

I know that Matt. I used 10.10.10.0 in my question as an example. My question was how would you reject mail from a subnet using a ruleset?

I hope I am clear now ...

Thank you for your response Matt.

Marco

_________________________________________________________________
This mail is sent through MUW Webmail: http://www.MUW.Edu/webmail
For the latest MUW Events, visit http://www.MUW.Edu/calendar

From mkettler at EVI-INC.COM Sat Feb 22 03:41:07 2003
From: mkettler at EVI-INC.COM (Matt Kettler)
Date: Thu Jan 12 21:17:16 2006
Subject: Newbie Question
In-Reply-To: <1045877396.3e56d294740ac@webmail.MUW.Edu>
References: <5.2.0.9.0.20030221181739.01d8ac30@192.168.50.2> <5.2.0.9.2.20030221224309.025fe748@imap.ecs.soton.ac.uk> <5.2.0.9.2.20030221224309.025fe748@imap.ecs.soton.ac.uk> <5.2.0.9.0.20030221181739.01d8ac30@192.168.50.2>
Message-ID: <5.2.0.9.0.20030221223246.01d3b6e0@192.168.50.2>

Best done by the MTA, and the only way to issue a true, genuine reject message in the "proper" way.

On a typical Linux/sendmail setup:

cd /etc/mail

add the following line to the file "access"
10.10.10 REJECT " Access from this range of IPs is prohibited "

run make, which will rebuild your access.db

then restart your copy of sendmail

This will cause them to fail to deliver mail, and you can customize the quoted message to say whatever you want to them as an error message following the rejection code.

At 07:29 PM 2/21/2003 -0600, Marco Obaid wrote:
>I know that Matt. I used 10.10.10.0 in my question as an example.
>My question was how would you reject mail from a subnet using a ruleset?

From gerry at DORFAM.CA Sat Feb 22 07:25:57 2003
From: gerry at DORFAM.CA (Gerry Doris)
Date: Thu Jan 12 21:17:16 2006
Subject: SpamAssassin 2.50 Problems
Message-ID:

I upgraded from SA 2.44 to 2.50 tonight and have had nothing but problems. MailScanner hits nearly 100% CPU utilization and just sits there until SA is killed.

I've had to go back to using SA 2.44 and everything is back to normal. Is anyone else seeing this?

--
Gerry

"The lyfe so short, the craft so long to learne" Chaucer

From bigdog at DOGPOUND.VNET.NET Sat Feb 22 06:16:13 2003
From: bigdog at DOGPOUND.VNET.NET (Matthew Davis)
Date: Thu Jan 12 21:17:16 2006
Subject: FYI: new f-prot available (3.12d)
Message-ID: <20030222011613.A29197@dogpound.vnet.net>

I didn't see any mention of this previously. And this version fixes a vulnerability reported on the vuln-dev list for commandline scanners of f-prot on linux and FreeBSD [1].

I don't see any thing else this update changes/fixes.

Linux:
ftp://ftp.f-prot.com/pub/linux/fp-linux-sb-3.12d.tar.gz
ftp://ftp.f-prot.com/pub/linux/fp-linux-sb-3.12d.tar.gz.md5
ftp://ftp.f-prot.com/pub/linux/fp-linux-sb_3.12d-1_i386.deb
ftp://ftp.f-prot.com/pub/linux/fp-linux-sb_3.12d-1_i386.deb.md5
ftp://ftp.f-prot.com/pub/linux/fp-linux-sb-3.12d-1.i386.rpm
ftp://ftp.f-prot.com/pub/linux/fp-linux-sb-3.12d-1.i386.rpm.md5

BSD:
ftp://ftp.f-prot.com/pub/bsd/fp-freebsd-sb-3.12d.tar.gz
ftp://ftp.f-prot.com/pub/bsd/fp-freebsd-sb-3.12d.tar.gz.md5

[1] - http://www.f-prot.com/news/gen_news/fplinux_vuln.html

--
Matthew Davis
http://dogpound.vnet.net/

Time wounds all heels...

From steve.freegard at LBSLTD.CO.UK Sat Feb 22 08:30:06 2003
From: steve.freegard at LBSLTD.CO.UK (Steve Freegard) Date: Thu Jan 12 21:17:16 2006 Subject: SpamAssassin 2.50 Problems Message-ID: <67D9E7698329D411936E00508B6590B902793186@neelix.lbsltd.co.uk> Gerry, I upgraded to SA 2.50 yesterday morning - no problems so far running under RedHat 7.3. Did the SA tests work correctly (spamassassin -t < test-spam.txt > report.out)?? - I noticed that the first time I ran this it did take quite a bit of time when compared to 2.43 although subsequent tests were fine (may have been just a one-off though)... Regards, Steve. -----Original Message----- From: Gerry Doris [mailto:gerry@DORFAM.CA] Sent: 22 February 2003 07:26 To: MAILSCANNER@jiscmail.ac.uk Subject: SpamAssassin 2.50 Problems I upgraded from SA 2.44 to 2.50 tonight and have had nothing but problems. MailScanner hits nearly 100% CPU utilization and just sits there until SA is killed. I've had to go back to using SA 2.44 and everything is back to normal. Is anyone else seeing this? -- Gerry "The lyfe so short, the craft so long to learne" Chaucer ********************************************************************** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote also confirms that this email message has been swept by MIMEsweeper for the presence of computer viruses. www.lbsltd.co.uk ********************************************************************** From mike at ZANKER.ORG Sat Feb 22 08:31:21 2003 
From: mike at ZANKER.ORG (Mike Zanker) Date: Thu Jan 12 21:17:16 2006 Subject: Request Message-ID: <45694000.1045902681@jemima.zanker.org> When people start a new topic can they *please* post a new message rather than replying to an old one and deleting Subject and body. It really messes up threading for those of us with MUAs that follow the References: header! Thanks, -- Mike Zanker Northampton, UK PGP Public Key: pgp@zanker.org From mailscanner at ecs.soton.ac.uk Sat Feb 22 09:01:03 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:16 2006
Subject: FYI: new f-prot available (3.12d)
In-Reply-To: <20030222011613.A29197@dogpound.vnet.net>
Message-ID: <5.2.0.9.2.20030222085923.02116d68@imap.ecs.soton.ac.uk>

You haven't got the original posting have you? I can't find it and securityfocus.com appears to be unreachable from here.

If it involves clever things on the command-line, then I suspect that MailScanner is not vulnerable anyway due to its own internal protection mechanisms but I can't say for sure without the full vulnerability report. F-Prot's site doesn't give a link to the original posting which is a shame.

At 06:16 22/02/2003, you wrote:
>I didn't see any mention of this previously. And this version fixes a
>vulnerability reported on the vuln-dev list for commandline scanners of
>f-prot on linux and FreeBSD [1].
>
>I don't see any thing else this update changes/fixes.
>
>Linux:
>ftp://ftp.f-prot.com/pub/linux/fp-linux-sb-3.12d.tar.gz
>ftp://ftp.f-prot.com/pub/linux/fp-linux-sb-3.12d.tar.gz.md5
>ftp://ftp.f-prot.com/pub/linux/fp-linux-sb_3.12d-1_i386.deb
>ftp://ftp.f-prot.com/pub/linux/fp-linux-sb_3.12d-1_i386.deb.md5
>ftp://ftp.f-prot.com/pub/linux/fp-linux-sb-3.12d-1.i386.rpm
>ftp://ftp.f-prot.com/pub/linux/fp-linux-sb-3.12d-1.i386.rpm.md5
>
>BSD:
>ftp://ftp.f-prot.com/pub/bsd/fp-freebsd-sb-3.12d.tar.gz
>ftp://ftp.f-prot.com/pub/bsd/fp-freebsd-sb-3.12d.tar.gz.md5
>
>[1] - http://www.f-prot.com/news/gen_news/fplinux_vuln.html
>
>--
>Matthew Davis
>http://dogpound.vnet.net/
>
>Time wounds all heels...

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Sat Feb 22 08:32:38 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:16 2006
Subject: SpamAssassin 2.50 Problems
In-Reply-To:
Message-ID: <5.2.0.9.2.20030222083117.020e23f8@imap.ecs.soton.ac.uk>

At 07:25 22/02/2003, you wrote:
>I upgraded from SA 2.44 to 2.50 tonight and have had nothing but problems.
>MailScanner hits nearly 100% CPU utilization and just sits there until SA
>is killed.
>
>I've had to go back to using SA 2.44 and everything is back to normal. Is
>anyone else seeing this?

No. The only odd thing I saw on one installation of SA 2.50 was that it didn't actually install all the code first time around, I couldn't find the Bayes*.pm files anywhere. I came back later and did the "make install" again and this time they all appeared where I had expected them.

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Sat Feb 22 08:42:41 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:16 2006
Subject: Newbie Question
In-Reply-To: <1045869190.3e56b28635195@webmail.MUW.Edu>
References: <5.2.0.9.2.20030221224309.025fe748@imap.ecs.soton.ac.uk> <5.2.0.9.2.20030221224309.025fe748@imap.ecs.soton.ac.uk>
Message-ID: <5.2.0.9.2.20030222083527.020fca70@imap.ecs.soton.ac.uk>

At 23:13 21/02/2003, you wrote:
>I am just new to the Ruleset concept and just need a little push.
>How do I write a ruleset to mark messages from a subnet 10.10.10.0/24 as spam?

The rest of your questions have, I believe, been answered by others. But to do what you want above, you effectively are asking "how do I create a spam blacklist which will match against a range of IP's".

In MailScanner.conf, put this
    Is Definitely Spam = /etc/MailScanner/rules/spam.blacklist.rules
and then in that file you can put any matches you like, including IP address patterns. So
    From: 10.10.10.* yes
among other things. If you need to do a more complicated match against IP addresses, rather than just a prefix, you can use any Perl regular expressions you like, such as
    From: /^10\.10\.10\.[12345]0\./ yes
which says
    Matching against the start of the string, look for '10.10.10.' followed by any of 10, 20, 30, 40, 50 followed by another '.'.
The "yes" on the end says "the result of a match against this rule is the value yes", i.e. the message is definitely spam.

In any ruleset, always include a line like
    FromOrTo: default no
so that you specify the default value you want to give if none of the rules match. In this case, "no" is the sensible answer as you don't want to say that everything is spam.

Take a look in /etc/MailScanner/rules and you will find a bit more documentation and a few examples of what can be done.

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Sat Feb 22 09:36:56 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:16 2006
Subject: SpamAssassin 2.50 Problems
In-Reply-To: <67D9E7698329D411936E00508B6590B902793186@neelix.lbsltd.co.uk>
Message-ID: <5.2.0.9.2.20030222093528.021ece50@imap.ecs.soton.ac.uk>

At 08:30 22/02/2003, you wrote:
>Did the SA tests work correctly (spamassassin -t < test-spam.txt >
>report.out)?? - I noticed that the first time I ran this it did take quite a
>bit of time when compared to 2.43 although subsequent tests were fine (may
>have been just a one-off though)...

Just for info: I ran a test yesterday putting 600,000 messages through MailScanner running SA 2.50 to compare speed against previous versions, and there was no noticeable difference in speed (4.4 million messages per day).

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From gerry at DORFAM.CA Sat Feb 22 12:31:45 2003
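[Added example, not part of any list posting and not MailScanner's own code.] The ruleset advice in the "Rules for Virus Scanning" and "Newbie Question" replies above, as a Python checker and evaluator: it flags IP patterns on any direction that includes "To" and a missing default line, then evaluates the corrected files. Assumptions of this example: the first matching rule wins, "FromTo:" behaves like "FromOrTo:", IP prefixes match on whole octets, and the added default line and the 192.0.2.x regex rule are constructed.

```python
import fnmatch
import re

# Model of the ruleset lines quoted in this thread ("<Direction>: <pattern> <value>").
# Assumptions of this example, not MailScanner's own parser: the first matching
# rule wins, and "FromTo:" is treated like "FromOrTo:".
FROM_SIDE = {"from", "fromorto", "fromto"}
TO_SIDE = {"to", "fromorto", "fromto"}
IP_PATTERN = re.compile(r"^\d{1,3}(\.\d{1,3}){0,3}(\.\*?)?$")

# Rick's rules file as posted in the thread.
POSTED = """FromTo: 12.129.199.61 no
FromTo: 63.161.60.29 no
FromTo: 63.161.60.61 no
FromTo: 63.161.60.93 no
FromTo: 63.211.220.125 no
FromTo: 216.35.189.221 no
FromTo: 216.148.222.61 no
FromTo: *@pris.ca yes
FromTo: *@pris.bc.ca yes
"""

# Corrected per Julian's replies: IP rules use "From:", and a default is added.
# The default value "yes" (scan everything else) is constructed for this example.
CORRECTED = re.sub(r"(?m)^FromTo:(?=\s+\d)", "From:", POSTED) + "FromOrTo: default yes\n"

# Blacklist ruleset from the thread plus one constructed regex rule
# (192.0.2.0/24 is a documentation range).
BLACKLIST = r"""From: 10.10.10.* yes
From: /^192\.0\.2\.[12345]0$/ yes
FromOrTo: default no
"""


def is_ip_pattern(pattern):
    """True for a literal IP or IP prefix such as 10.10.10, 10.10.10. or 10.10.10.*"""
    return bool(IP_PATTERN.match(pattern))


def parse_ruleset(text):
    """Return (rules, problems); rules are (direction, pattern, value) tuples."""
    rules, problems = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 2)
        if len(fields) != 3:
            problems.append((lineno, "expected '<Direction>: <pattern> <value>'"))
            continue
        direction = fields[0].rstrip(":").lower()
        pattern, value = fields[1], fields[2].strip()
        if direction not in FROM_SIDE | TO_SIDE:
            problems.append((lineno, "unknown direction %r" % fields[0]))
        elif is_ip_pattern(pattern) and direction in TO_SIDE:
            # The thread's "Cannot match against destination IP address" case.
            problems.append((lineno, "IP pattern %s needs 'From:'" % pattern))
        else:
            rules.append((direction, pattern, value))
    if not any(p.lower() == "default" for _, p, _ in rules):
        problems.append((0, "no 'default' rule, result is undefined when nothing matches"))
    return rules, problems


def rule_matches(direction, pattern, sender, recipient, client_ip):
    if pattern.lower() == "default":
        return True
    if is_ip_pattern(pattern):
        prefix = pattern.rstrip("*").rstrip(".")
        # Compare whole octets so that 10.10.10 does not match 10.10.100.5.
        return client_ip == prefix or client_ip.startswith(prefix + ".")
    candidates = []
    if direction in FROM_SIDE:
        candidates += [sender, client_ip]
    if direction in TO_SIDE:
        candidates.append(recipient)
    if len(pattern) > 1 and pattern.startswith("/") and pattern.endswith("/"):
        rx = re.compile(pattern[1:-1], re.IGNORECASE)
        return any(rx.search(c) for c in candidates)
    return any(fnmatch.fnmatchcase(c.lower(), pattern.lower()) for c in candidates)


def evaluate(rules, sender, recipient, client_ip, fallback=None):
    """Value of the first rule that matches this message, else fallback."""
    for direction, pattern, value in rules:
        if rule_matches(direction, pattern, sender, recipient, client_ip):
            return value
    return fallback


if __name__ == "__main__":
    for lineno, message in parse_ruleset(POSTED)[1]:
        print("line %d: %s" % (lineno, message))
```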
From: gerry at DORFAM.CA (Gerry Doris) Date: Thu Jan 12 21:17:16 2006 Subject: SpamAssassin 2.50 Problems In-Reply-To: <5.2.0.9.2.20030222093528.021ece50@imap.ecs.soton.ac.uk> Message-ID: On Sat, 22 Feb 2003, Julian Field wrote: > At 08:30 22/02/2003, you wrote: > >Did the SA tests work correctly (spamassassin -t < test-spam.txt > > >report.out)?? - I noticed that the first time I ran this it did take quite a > >bit of time when compared to 2.43 although subsequent tests were fine (may > >have been just a one-off though)... > > Just for info: I ran a test yesterday putting 600,000 messages through > MailScanner running SA 2.50 to compare speed against previous versions, and > there was no noticeable difference in speed (4.4 million messages per day). > -- > Julian Field > www.MailScanner.info > MailScanner thanks transtec Computers for their support > I installed SA 2.50 using CPAN. I've gone back and re-installed using the SA 2.50 rpm's (wasn't sure how to force another CPAN install???). That still didn't stop MailScanner from using 100% CPU and then timing out SA. I have now done a complete new MailScanner re-install. Everything seems to be working now. I'm even calling SA after MailScanner using procmail and all is well. My guess is that CPAN messed up something with MailScanner??? -- Gerry "The lyfe so short, the craft so long to learne" Chaucer From mikew at CRUCIS.NET Sat Feb 22 13:26:17 2003 
From: mikew at CRUCIS.NET (Mike Watson) Date: Thu Jan 12 21:17:16 2006 Subject: Newbie Question In-Reply-To: <5.2.0.9.0.20030221223246.01d3b6e0@192.168.50.2> References: <5.2.0.9.0.20030221181739.01d8ac30@192.168.50.2> <5.2.0.9.0.20030221223246.01d3b6e0@192.168.50.2> Message-ID: <200302220726.17210.mikew@crucis.net> On Friday 21 February 2003 09:41 pm, you wrote: > Best done by the MTA, and the only way to issue a true, genuine > reject message in the "proper" way. > > On a typical Linux/sendmail setup: > > cd /etc/mail > > add the following line to the file "access" > 10.10.10 REJECT " Access from this range of IPs is > prohibited " > > run make, which will rebuild your access.db > > then restart your copy of sendmail Question: Is the correct format "10.10.10", "10.10.10.", or "10.10.10.*"? mw -- Registered Linux - 256979 NRA Life ARS: W?TMW -- This message has been scanned for viruses and dangerous content by F-Prot and MailScanner, and is believed to be clean. From gerry at DORFAM.CA Sat Feb 22 13:37:24 2003 
From: gerry at DORFAM.CA (Gerry Doris) Date: Thu Jan 12 21:17:16 2006 Subject: SpamAssassin 2.50 Problems In-Reply-To: Message-ID: On Sat, 22 Feb 2003, Gerry Doris wrote: > I installed SA 2.50 using CPAN. I've gone back and re-installed using the > SA 2.50 rpm's (wasn't sure how to force another CPAN install???). That > still didn't stop MailScanner from using 100% CPU and then timing out SA. > > I have now done a complete new MailScanner re-install. Everything seems > to be working now. I'm even calling SA after MailScanner using procmail > and all is well. > > My guess is that CPAN messed up something with MailScanner??? > > -- > Gerry > Well, I was a little too hasty to claim success. After all my experimenting I had forgotten to turn on spamassassin checking in MailScanner.conf. All I was getting was the empty x-header. I went back and turned on SpamAssassin in MailScanner.conf and immediately the MailScanner processes used up all CPU cycles and started timing out SpamAssassin. I'm now back to just running SpamAssassin from procmail and everything is working again??? -- Gerry "The lyfe so short, the craft so long to learne" Chaucer From gerry at DORFAM.CA Sat Feb 22 13:51:26 2003 
From: gerry at DORFAM.CA (Gerry Doris) Date: Thu Jan 12 21:17:16 2006 Subject: Newbie Question In-Reply-To: <200302220726.17210.mikew@crucis.net> Message-ID: On Sat, 22 Feb 2003, Mike Watson wrote: > On Friday 21 February 2003 09:41 pm, you wrote: > > Best done by the MTA, and the only way to issue a true, genuine > > reject message in the "proper" way. > > > > On a typical Linux/sendmail setup: > > > > cd /etc/mail > > > > add the following line to the file "access" > > 10.10.10 REJECT " Access from this range of IPs is > > prohibited " > > > > run make, which will rebuild your access.db > > > > then restart your copy of sendmail > > Question: Is the correct format "10.10.10", "10.10.10.", or > "10.10.10.*"? > > mw 10.0.10 -- Gerry "The lyfe so short, the craft so long to learne" Chaucer From gerry at DORFAM.CA Sat Feb 22 14:11:34 2003 From: gerry at DORFAM.CA (Gerry Doris) Date: Thu Jan 12 21:17:16 2006 Subject: SpamAssassin 2.50 Problems In-Reply-To: <67D9E7698329D411936E00508B6590B902793186@neelix.lbsltd.co.uk> Message-ID: On Sat, 22 Feb 2003, Steve Freegard wrote: > Gerry, > > I upgraded to SA 2.50 yesterday morning - no problems so far running under > RedHat 7.3. > > Did the SA tests work correctly (spamassassin -t < test-spam.txt > > report.out)?? - I noticed that the first time I ran this it did take quite a > bit of time when compared to 2.43 although subsequent tests were fine (may > have been just a one-off though)... > > Regards, > Steve. Yes, everything is working fine with SpamAssassin 2.50 as long as I don't call it from within MailScanner. Going back to SA 2.44 works either being called within MailScanner or from procmail. Calling SA 2.50 from MailScanner will peg the CPU cycles at 100% and then MailScanner starts shutting down SA. I'm using Redhat 7.3, MailScanner 4.12-2. The rest of the system is stock Redhat. -- Gerry "The lyfe so short, the craft so long to learne" Chaucer From mailscanner at ecs.soton.ac.uk Sat Feb 22 15:00:21 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:16 2006
Subject: SpamAssassin 2.50 Problems
In-Reply-To:
References: <67D9E7698329D411936E00508B6590B902793186@neelix.lbsltd.co.uk>
Message-ID: <5.2.0.9.2.20030222145638.022c4eb0@imap.ecs.soton.ac.uk>

On a related subject, I have finally persuaded SpamAssassin 2.50 to install on a Raq, after an hour fighting it. The "make test" was failing horribly with it being unable to work out the local hostname. Some sort of Taint mode problem with Sys::Hostname. In the end I hardwired the hostname as that was the only way to get it working.

Sounds like the SA guys have a few "issues" with the installation of 2.50, similar to most of the recent previous versions. If an up-to-date SA isn't vital to you, I would personally advise holding off until 2.51 is released.

At 14:11 22/02/2003, you wrote:
>On Sat, 22 Feb 2003, Steve Freegard wrote:
>
> > Gerry,
> >
> > I upgraded to SA 2.50 yesterday morning - no problems so far running under
> > RedHat 7.3.
> >
> > Did the SA tests work correctly (spamassassin -t < test-spam.txt >
> > report.out)?? - I noticed that the first time I ran this it did take
> quite a
> > bit of time when compared to 2.43 although subsequent tests were fine (may
> > have been just a one-off though)...
> >
> > Regards,
> > Steve.
>
>Yes, everything is working fine with SpamAssassin 2.50 as long as I don't
>call it from within MailScanner. Going back to SA 2.44 works either being
>called within MailScanner or from procmail.
>
>Calling SA 2.50 from MailScanner will peg the CPU cycles at 100% and then
>MailScanner starts shutting down SA.
>
>I'm using Redhat 7.3, MailScanner 4.12-2. The rest of the system is stock
>Redhat.
>
>--
>Gerry
>
>"The lyfe so short, the craft so long to learne" Chaucer

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From marco at MUW.EDU Sat Feb 22 18:56:17 2003
From: marco at MUW.EDU (Marco Obaid) Date: Thu Jan 12 21:17:16 2006 Subject: SpamAssassin 2.50 Problems In-Reply-To: <5.2.0.9.2.20030222145638.022c4eb0@imap.ecs.soton.ac.uk> References: <67D9E7698329D411936E00508B6590B902793186@neelix.lbsltd.co.uk> <5.2.0.9.2.20030222145638.022c4eb0@imap.ecs.soton.ac.uk> Message-ID: <1045940177.3e57c7d1a33fd@webmail.MUW.Edu> Quoting Julian Field : > Sounds like the SA guys have a few "issues" with the installation of 2.50, > similar to most of the recent previous versions. If an up-to-date SA isn't > vital to you, I would personally advise holding off until 2.51 is released. I upgraded to SpamAssassin 2.50 on a busy server running Red Hat 7.1 and the server load went sky rocketing. I reverted back to 2.44 and the load is back to normal right now. SA 2.5 certainly has performance issues. Marco _________________________________________________________________ This mail is sent through MUW Webmail: http://www.MUW.Edu/webmail For the latest MUW Events, visit http://www.MUW.Edu/calendar From lists at STHOMAS.NET Sat Feb 22 21:23:23 2003 
From: lists at STHOMAS.NET (Steve Thomas) Date: Thu Jan 12 21:17:16 2006 Subject: SpamAssassin 2.50 Problems In-Reply-To: Message-ID: <000101c2dab8$a319a640$02001fac@winxp> | I upgraded from SA 2.44 to 2.50 tonight and have had nothing | but problems. MailScanner hits nearly 100% CPU utilization | and just sits there until SA is killed. | | Is anyone else seeing this? Yes! Hurrah - I'm not alone after all... I have MailScanner installed on two machines - my personal server and our mail server at my office. On my personal machine, I run SA (spamc) via procmail, and at work I run it from MailScanner. There haven't been any problems on my personal machine at all. We use a custom MDA at work, which I wrapped in a perl script to run the messages through spamc before delivery. I went back to the perl wrapper and everything works - it only happens when using SA via MailScanner. Within a minute or two, the load average gets pushed to 4-6, with the mail queues growing. Both machines are running Perl 5.6.1 on RH 7.2 with all applicable errata updates applied. St- From gerry at dorfam.ca Sun Feb 23 03:42:08 2003 From: gerry at dorfam.ca (Gerry Doris) Date: Thu Jan 12 21:17:16 2006 Subject: CPAN Question Message-ID: <2571.10.0.10.1.1045971728.squirrel@tiger.dorfam.ca> I know this isn't strictly a MailScanner question but I'm sure many of you can answer it... Every time I use CPAN I have to wait a LONG time as it goes through trying various methods of downloading my files until it finally get around to using ncftpget. All the rest fail but ncftpget always works. Is there an easy way to configure CPAN to use ncftpget first? I've been looking at CPAN.pm but don't want to mess with it. Gerry From mike at CAMAROSS.NET Sun Feb 23 05:52:54 2003 
From: mike at CAMAROSS.NET (Mike Kercher) Date: Thu Jan 12 21:17:16 2006 Subject: SpamAssassin 2.50 Problems In-Reply-To: <1045940177.3e57c7d1a33fd@webmail.MUW.Edu> Message-ID: <017c01c2daff$d155c510$6a01a8c0@home.middlefinger.net> I tried the same thing on one of my boxes today. MailScanner processes went through the roof, stuck there and tons of mail got piled up. Went back to 2.44, restarted MS and ALL that mail got delivered :) -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Marco Obaid Sent: Saturday, February 22, 2003 12:56 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: SpamAssassin 2.50 Problems Quoting Julian Field : > Sounds like the SA guys have a few "issues" with the installation of 2.50, > similar to most of the recent previous versions. If an up-to-date SA isn't > vital to you, I would personally advise holding off until 2.51 is released. I upgraded to SpamAssassin 2.50 on a busy server running Red Hat 7.1 and the server load went sky rocketing. I reverted back to 2.44 and the load is back to normal right now. SA 2.5 certainly has performance issues. Marco _________________________________________________________________ This mail is sent through MUW Webmail: http://www.MUW.Edu/webmail For the latest MUW Events, visit http://www.MUW.Edu/calendar From jrudd at UCSC.EDU Sun Feb 23 07:38:14 2003 
From: jrudd at UCSC.EDU (John Rudd) Date: Thu Jan 12 21:17:16 2006 Subject: SpamAssassin 2.50 Problems In-Reply-To: Message-ID: On Friday, Feb 21, 2003, at 23:25 US/Pacific, Gerry Doris wrote: > I upgraded from SA 2.44 to 2.50 tonight and have had nothing but > problems. > MailScanner hits nearly 100% CPU utilization and just sits there until > SA > is killed. > > I've had to go back to using SA 2.44 and everything is back to normal. > Is > anyone else seeing this? I was just installing 2.50 via "perl -MCPAN -e shell", and during the "t/spamd_parallel" test, the load, network, and CPU utilization went through the roof (it was specifically stuck at test 14/20). I suspect that it's somewhere in spamd that's the problem (and may only be something that comes up once, as someone else suggested). As soon as that test was over (and it took a LONG time), everything went back to normal. I'll have to wait and see if it keeps up. I hope not, as I've been waiting for 2.50 for a while. (I'm cc'ing sa-talk on this, in case they have any other insights) System notes: freebsd 4.2, dual p2-350, 128k ram, and in case it matters it's on a 58k link to the net. Mailscanner version is 4.12-2. John From mike at ZANKER.ORG Sun Feb 23 07:46:21 2003 From: mike at ZANKER.ORG (Mike Zanker) Date: Thu Jan 12 21:17:16 2006 Subject: CPAN Question In-Reply-To: <2571.10.0.10.1.1045971728.squirrel@tiger.dorfam.ca> References: <2571.10.0.10.1.1045971728.squirrel@tiger.dorfam.ca> Message-ID: <129394437.1045986381@jemima.zanker.org> On 22 February 2003 22:42 -0500 Gerry Doris wrote: > Is there an easy way to configure CPAN to use ncftpget first? I've > been looking at CPAN.pm but don't want to mess with it. The file you want to look at is Config.pm in /usr/lib/perl5/5.x.x/CPAN. Regards, Mike. From jrudd at ucsc.edu Sun Feb 23 07:38:14 2003 
From: jrudd at ucsc.edu (John Rudd) Date: Thu Jan 12 21:17:16 2006 Subject: [SAtalk] Re: SpamAssassin 2.50 Problems In-Reply-To: Message-ID: On Friday, Feb 21, 2003, at 23:25 US/Pacific, Gerry Doris wrote: > I upgraded from SA 2.44 to 2.50 tonight and have had nothing but > problems. > MailScanner hits nearly 100% CPU utilization and just sits there until > SA > is killed. > > I've had to go back to using SA 2.44 and everything is back to normal. > Is > anyone else seeing this? I was just installing 2.50 via "perl -MCPAN -e shell", and during the "t/spamd_parallel" test, the load, network, and CPU utilization went through the roof (it was specifically stuck at test 14/20). I suspect that it's somewhere in spamd that's the problem (and may only be something that comes up once, as someone else suggested). As soon as that test was over (and it took a LONG time), everything went back to normal. I'll have to wait and see if it keeps up. I hope not, as I've been waiting for 2.50 for a while. (I'm cc'ing sa-talk on this, in case they have any other insights) System notes: freebsd 4.2, dual p2-350, 128k ram, and in case it matters it's on a 58k link to the net. Mailscanner version is 4.12-2. John From jrudd at UCSC.EDU Sun Feb 23 08:30:53 2003 
From: jrudd at UCSC.EDU (John Rudd) Date: Thu Jan 12 21:17:16 2006 Subject: SpamAssassin 2.50 Problems In-Reply-To: Message-ID: <1F3D7BA5-4709-11D7-AA3E-003065F939FE@ucsc.edu> On Saturday, Feb 22, 2003, at 23:38 US/Pacific, John Rudd wrote: > On Friday, Feb 21, 2003, at 23:25 US/Pacific, Gerry Doris wrote: > >> I upgraded from SA 2.44 to 2.50 tonight and have had nothing but >> problems. >> MailScanner hits nearly 100% CPU utilization and just sits there until >> SA >> is killed. >> >> I've had to go back to using SA 2.44 and everything is back to normal. >> Is >> anyone else seeing this? > > > I was just installing 2.50 via "perl -MCPAN -e shell", and during the > "t/spamd_parallel" test, the load, network, and CPU utilization went > through the roof (it was specifically stuck at test 14/20). I suspect > that it's somewhere in spamd that's the problem (and may only be > something that comes up once, as someone else suggested). As soon as > that test was over (and it took a LONG time), everything went back to > normal. > > I'll have to wait and see if it keeps up. I hope not, as I've been > waiting for 2.50 for a while. > > (I'm cc'ing sa-talk on this, in case they have any other insights) > > System notes: freebsd 4.2, dual p2-350, 128k ram, and in case it > matters it's on a 58k link to the net. Mailscanner version is 4.12-2. > Just as a follow up, the problem hasn't come up again. I haven't had a huge flood of messages this evening, but I _am_ getting new messages without any load, network, or cpu spikes. From evertjan at VANRAMSELAAR.NL Sun Feb 23 09:47:05 2003 
From: evertjan at VANRAMSELAAR.NL (Evert Jan van Ramselaar) Date: Thu Jan 12 21:17:16 2006 Subject: SpamAssassin 2.50 Problems In-Reply-To: <017c01c2daff$d155c510$6a01a8c0@home.middlefinger.net> References: <017c01c2daff$d155c510$6a01a8c0@home.middlefinger.net> Message-ID: <3E589899.90407@vanramselaar.nl> Mike Kercher wrote: > I tried the same thing on one of my boxes today. MailScanner processes went > through the roof, stuck there and tons of mail got piled up. Went back to > 2.44, restarted MS and ALL that mail got delivered :) I decided to upgrade SA to 2.50 yesterday. The 'make test' really abused my system too, but then again, it's just an old and slow machine. I restarted MS and the first messages came through fine, even without high loads when checking for spam. However, sometime later I noticed SA timing out every time! Sometimes with piling up the mail and not delivering it. I downgraded SA back to 2.44 and all seems back to 'normal' now. -- Evert Jan van Ramselaar Van Ramselaar Info Tech From paul at ESPMAIL.CO.UK Sun Feb 23 12:14:42 2003 From: paul at ESPMAIL.CO.UK (Paul Welsh) Date: Thu Jan 12 21:17:16 2006 Subject: IFRAME References: <017c01c2daff$d155c510$6a01a8c0@home.middlefinger.net> <3E589899.90407@vanramselaar.nl> Message-ID: <013601c2db35$28b511a0$22e230d5@espmail> Hi I'm using version 3.26-1 and keep getting messages like the one below, even though in mailscanner.conf I have: Allow IFrame Tags = yes In filename.rules.conf I don't have the text "Microsoft security". Can someone pls tell me how to let such messages through? ----- Original Message ----- 
From: "MailScanner" To: Sent: 22 February 2003 18:55 Subject: Warning: E-mail viruses detected > The following e-mail messages were found to have viruses in them: > > Sender: > IP address: 65.61.143.147 > Recipient: > Subject: Better Pasta Pot: As Seen On TV > MessageID: SAA00793 > Report: Possible Microsoft security vulnerability attack > > -- > MailScanner > Email Virus Scanner > > From mailscanner at ecs.soton.ac.uk Sun Feb 23 11:55:45 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:16 2006 Subject: SpamAssassin 2.50 Problems In-Reply-To: <20030223043613.GB16852@hoiho.nz.lemon-computing.com> References: <5.2.0.9.2.20030222145638.022c4eb0@imap.ecs.soton.ac.uk> <67D9E7698329D411936E00508B6590B902793186@neelix.lbsltd.co.uk> <5.2.0.9.2.20030222145638.022c4eb0@imap.ecs.soton.ac.uk> Message-ID: <5.2.0.9.2.20030223115433.02239080@imap.ecs.soton.ac.uk> At 04:36 23/02/2003, you wrote: >On Sat, Feb 22, 2003 at 03:00:21PM +0000, Julian Field wrote: > > On a related subject, I have finally persuaded SpamAssassin 2.50 to install > > on a Raq, after an hour fighting it. The "make test" was failing horribly > > with it being unable to work out the local hostname. Some sort of Taint > > mode problem with Sys::Hostname. In the end I hardwired the hostname as > > that was the only way to get it working. > >I've found the same problem before, but not on a Raq; I can't remember >the details, but if of determining the hostname failed, >Sys::Syslog somehow ended up calling `hostname` with an insecure path; That was exactly the same error I hit yesterday. >I stuck a comment in the main mailscanner script somewhere where I was >setting the path explicitly to avoid the problem. Essentially a bug in >Sys::Syslog (maybe it was going via Sys::Hostname, I don't recall) >that it won't work reliably with taint mode on, and won't produce a >sensible error message if you end up in the situation where it >matters. Indeed :-( Is the Sys::Hostname in perl >=5.6 better? -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Sun Feb 23 12:38:12 2003 
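The "insecure path" failure discussed in the message above is Perl's taint mode refusing to run an external command while $ENV{PATH} is inherited from the caller. The Perl script below is an added example, not code from MailScanner, SpamAssassin or the posters: it triggers the refusal with a direct call to hostname(1), applies the "set the path explicitly" fix, and validates the still-tainted result. The directory list, the validation pattern and the helper names are assumptions.

```perl
#!/usr/bin/perl -T
# Added example: not MailScanner or SpamAssassin code.
# Run as:  perl -T taint_hostname.pl   (-T must also be given on the command line)
use strict;
use warnings;
use Scalar::Util qw(tainted);
use Sys::Hostname ();

# Call a code ref and return (value, error text) instead of dying.
sub attempt {
    my ($code) = @_;
    my $value = eval { $code->() };
    return ($value, $@);
}

# Stand-in for a module's last-resort fallback: run hostname(1) found via PATH.
sub hostname_via_command {
    my $name = `hostname`;
    die "hostname command produced no output\n"
        unless defined $name && length $name;
    chomp $name;
    return $name;
}

# 1. Inherited environment: under -T, perl will not exec anything while
#    $ENV{PATH} is tainted, so this normally dies with
#    "Insecure $ENV{PATH} while running with -T switch".
my ($name, $err) = attempt(\&hostname_via_command);
print "inherited PATH: ", ($err ? "refused: $err" : "ran, got '$name'\n");

# 2. The fix mentioned in the thread: set the path explicitly before any
#    module gets a chance to shell out.
$ENV{PATH} = '/bin:/usr/bin';               # assumption: where hostname(1) lives
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};   # the other variables perlsec lists

($name, $err) = attempt(\&hostname_via_command);
die "still refused after pinning PATH: $err" if $err;
print "pinned PATH   : got '$name', tainted: ",
      (tainted($name) ? "yes" : "no"), "\n";

# 3. Output of an external command stays tainted. Untaint it through a
#    strict pattern before it reaches a file name, a command or a log call.
my ($clean) = $name =~ /\A([A-Za-z0-9][A-Za-z0-9.-]{0,252})\z/
    or die "unexpected characters in hostname\n";
print "validated     : '$clean', tainted: ",
      (tainted($clean) ? "yes" : "no"), "\n";

# 4. Sys::Hostname on a current perl usually answers from a system call and
#    never reaches a shell-out, which is why the command is called directly
#    in steps 1 and 2.
print "Sys::Hostname : ", Sys::Hostname::hostname(), "\n";
```

Pinning PATH at the top of the main script, before any module is loaded, covers every library that might fall back to a shell-out later in the process.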
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:16 2006 Subject: SpamAssassin 2.50 Problems In-Reply-To: References: Message-ID: <5.2.0.9.2.20030223123635.02366648@imap.ecs.soton.ac.uk> I wonder if the problem is actually caused by the "make test" phase? What happens if you reboot before starting using SA2.50 with MailScanner? If not, then it sounds like a parallel threads problem in SA2.50. Hopefully this will get caught by the SA guys fairly quickly, as it affects the "make test" of spamd as well. At 07:38 23/02/2003, you wrote: >On Friday, Feb 21, 2003, at 23:25 US/Pacific, Gerry Doris wrote: > >>I upgraded from SA 2.44 to 2.50 tonight and have had nothing but >>problems. >>MailScanner hits nearly 100% CPU utilization and just sits there until >>SA >>is killed. >> >>I've had to go back to using SA 2.44 and everything is back to normal. >> Is >>anyone else seeing this? > > >I was just installing 2.50 via "perl -MCPAN -e shell", and during the >"t/spamd_parallel" test, the load, network, and CPU utilization went >through the roof (it was specifically stuck at test 14/20). I suspect >that it's somewhere in spamd that's the problem (and may only be >something that comes up once, as someone else suggested). As soon as >that test was over (and it took a LONG time), everything went back to >normal. > >I'll have to wait and see if it keeps up. I hope not, as I've been >waiting for 2.50 for a while. > >(I'm cc'ing sa-talk on this, in case they have any other insights) > >System notes: freebsd 4.2, dual p2-350, 128k ram, and in case it >matters it's on a 58k link to the net. Mailscanner version is 4.12-2. > > >John -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Sun Feb 23 12:41:46 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:16 2006 Subject: IFRAME In-Reply-To: <013601c2db35$28b511a0$22e230d5@espmail> References: <017c01c2daff$d155c510$6a01a8c0@home.middlefinger.net> <3E589899.90407@vanramselaar.nl> Message-ID: <5.2.0.9.2.20030223124108.02367818@imap.ecs.soton.ac.uk> Try setting Allow Object Codebase Tags = yes as well, as both it and the iframe check are Microsoft security vulnerability checks. At 12:14 23/02/2003, you wrote: >Hi > >I'm using version 3.26-1 and keep getting messages like the one below, >even though in mailscanner.conf I have: > >Allow IFrame Tags = yes > >In filename.rules.conf I don't have the text "Microsoft security". > >Can someone pls tell me how to let such messages through? > >----- Original Message ----- >From: "MailScanner" >To: >Sent: 22 February 2003 18:55 >Subject: Warning: E-mail viruses detected > > > > The following e-mail messages were found to have viruses in them: > > > > Sender: > > IP address: 65.61.143.147 > > Recipient: > > Subject: Better Pasta Pot: As Seen On TV > > MessageID: SAA00793 > > Report: Possible Microsoft security vulnerability attack > > > > -- > > MailScanner > > Email Virus Scanner > > > > -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Sun Feb 23 12:59:23 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:16 2006 Subject: SpamAssassin 2.50 Problems In-Reply-To: <5.2.0.9.2.20030223123635.02366648@imap.ecs.soton.ac.uk> References: Message-ID: <5.2.0.9.2.20030223125831.021972c8@imap.ecs.soton.ac.uk> Another suggestion from the SAtalk list is to place this in your spam.assassin.prefs.conf score HABEAS_HIL 0 as this is a new RBL they are using (I believe) and it seems to be timing out a lot. At 12:38 23/02/2003, you wrote: >I wonder if the problem is actually caused by the "make test" phase? What >happens if you reboot before starting using SA2.50 with MailScanner? > >If not, then it sounds like a parallel threads problem in SA2.50. Hopefully >this will get caught by the SA guys fairly quickly, as it affects the "make >test" of spamd as well. > >At 07:38 23/02/2003, you wrote: >>On Friday, Feb 21, 2003, at 23:25 US/Pacific, Gerry Doris wrote: >> >>>I upgraded from SA 2.44 to 2.50 tonight and have had nothing but >>>problems. >>>MailScanner hits nearly 100% CPU utilization and just sits there until >>>SA >>>is killed. >>> >>>I've had to go back to using SA 2.44 and everything is back to normal. >>> Is >>>anyone else seeing this? >> >> >>I was just installing 2.50 via "perl -MCPAN -e shell", and during the >>"t/spamd_parallel" test, the load, network, and CPU utilization went >>through the roof (it was specifically stuck at test 14/20). I suspect >>that it's somewhere in spamd that's the problem (and may only be >>something that comes up once, as someone else suggested). As soon as >>that test was over (and it took a LONG time), everything went back to >>normal. >> >>I'll have to wait and see if it keeps up. I hope not, as I've been >>waiting for 2.50 for a while. >> >>(I'm cc'ing sa-talk on this, in case they have any other insights) >> >>System notes: freebsd 4.2, dual p2-350, 128k ram, and in case it >>matters it's on a 58k link to the net. Mailscanner version is 4.12-2. 
>> >> >>John > >-- >Julian Field >www.MailScanner.info >MailScanner thanks transtec Computers for their support -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From paul at ESPMAIL.CO.UK Sun Feb 23 13:59:06 2003 From: paul at ESPMAIL.CO.UK (Paul Welsh) Date: Thu Jan 12 21:17:16 2006 Subject: IFRAME References: <017c01c2daff$d155c510$6a01a8c0@home.middlefinger.net> <3E589899.90407@vanramselaar.nl> <5.2.0.9.2.20030223124108.02367818@imap.ecs.soton.ac.uk> Message-ID: <001001c2db43$bff6a7a0$28ca30d5@espmail> ----- Original Message ----- From: "Julian Field" To: Sent: 23 February 2003 12:41 Subject: Re: IFRAME > Try setting > > Allow Object Codebase Tags = yes > > as well, as both it and the iframe check are Microsoft security > vulnerability checks. > Thanks, Julian. I see you say in the comments: # This is a very bad idea as it allow various Microsoft vulnerabilities # to go unprotected. Do you still believe this is "a very bad idea"? What it leads to is a lot of virus warning messages clogging up my mailq and a fair number of clearly false alarms. From mailscanner at ecs.soton.ac.uk Sun Feb 23 14:21:08 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:16 2006 Subject: IFRAME In-Reply-To: <001001c2db43$bff6a7a0$28ca30d5@espmail> References: <017c01c2daff$d155c510$6a01a8c0@home.middlefinger.net> <3E589899.90407@vanramselaar.nl> <5.2.0.9.2.20030223124108.02367818@imap.ecs.soton.ac.uk> Message-ID: <5.2.0.9.2.20030223141837.026dc008@imap.ecs.soton.ac.uk> At 13:59 23/02/2003, you wrote: >----- Original Message ----- 
>From: "Julian Field" >To: >Sent: 23 February 2003 12:41 >Subject: Re: IFRAME > > > > Try setting > > > > Allow Object Codebase Tags = yes > > > > as well, as both it and the iframe check are Microsoft security > > vulnerability checks. > > >Thanks, Julian. I see you say in the comments: > ># This is a very bad idea as it allow various Microsoft vulnerabilities ># to go unprotected. > >Do you still believe this is "a very bad idea"? What it leads to is a >lot of virus warning messages clogging up my mailq and a fair number of >clearly false alarms. Very few people use Object Codebase tags in mail. Using Version 4, you could set them up to be rules so that mail containing IFrames (or Object Codebase tags or both) could be permitted from a few "trusted" addresses (such as the Daily Dilbert cartoon) and banned from everywhere else. The other alternative in version 4 is to take messages containing either of these tags and strip the HTML out of them, which leaves you the message content but in a known safe form. People can still click on the links to look at the pictures and so on which are held on a web server, while still providing protection against attacks. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From aliassoft at WANADOO.FR Sun Feb 23 14:23:56 2003 From: aliassoft at WANADOO.FR (Alain g) Date: Thu Jan 12 21:17:16 2006 Subject: Warning Is Attachment = no Message-ID: I have some problems with Warning Is Attachment = no in the config file. I want to have all the mailscanner text in the email body it does not work if I send an infected message with eicar.scr the recipient always receives an attachment VirusWarnig.txt Is there a way to solve this problem? Note : If the body of my message is empty The attachment has the name of the virus eicar.scr instead of VirusWarnig.txt My system is FreeBSD 4.6.2-RELEASE Alain g aliassoft@wanadoo.fr From mailscanner at ecs.soton.ac.uk Sun Feb 23 14:33:13 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:16 2006 Subject: SQL logging In-Reply-To: <67D9E7698329D411936E00508B6590B902793182@neelix.lbsltd.co. uk> Message-ID: <5.2.0.9.2.20030223142123.02287a58@imap.ecs.soton.ac.uk> Folks, I have written you some code which will do this: 1. Log information about every message to a temporary file while MailScanner is running, giving you minimum performance hit. I've written all the code you need to do this bit. 2. When MailScanner worker processes die of old age, or are shutdown cleanly (don't use kill -9 on them!), they will read their log file and pump the contents into an SQL database all at 1 go, which should be nice and quick. There are bits missing from this, see the comments in the code. I don't log everything about each message, but I log a fair chunk of info about each one. I assume you will customise this to log what you reckon you need. It creates 1 record per message (whether clean or infected) and then also generates an extra record for each infection report. So a clean message will produce 1 record, a message with 2 infections will produce 3 records. The SQL "INSERT" code is deliberately missing. You can write that better than me anyway. To use it, apply the other patches I supplied the other day to give you a new configuration option "Always Looked Up Last". Then insert the attached file on the end of CustomConfig.pm and write the SQL code you need, and create the database and the db table this lot is going to be written to. Then set Always Looked Up Last = &SQLLogging in your MailScanner.conf and "restart" (not just "reload") MailScanner. To find obvious syntax errors, I would advise you do perl -c CustomConfig.pm before trying to use it, as that will catch syntax screw-ups. I make no guarantees whatsoever about the attached code actually working. I have written it to get you started, and to show you how to pull interesting things out of the "Message" data structure. 
If you want the full list of Message attributes, read the top of Message.pm. Please let me know how you get on. If someone can post me some working code with all the SQL bits written and tested, I will happily include it in future releases (next release due on 1st March). -------------- next part -------------- A non-text attachment was scrubbed... Name: SQLLogging Type: application/octet-stream Size: 4416 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030223/e4861a95/SQLLogging.obj -------------- next part -------------- -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Sun Feb 23 14:37:35 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:16 2006 Subject: Warning Is Attachment = no In-Reply-To: Message-ID: <5.2.0.9.2.20030223143532.021fed20@imap.ecs.soton.ac.uk> At 14:23 23/02/2003, you wrote: >I have some problems with Warning Is Attachment = no in the config file. >I want to have all the mailscanner text in the email body >it does not work > >if I send an infected message with eicar.scr >the recipient always receives an attachment VirusWarnig.txt >Is there a way to solve this problem? This is a problem with some email apps not handling in-line MIME sections properly. MailScanner does it the way you are meant to, but some email apps don't support it properly. >Note : >If the body of my message is empty >The attachment has the name of the virus eicar.scr instead of >VirusWarnig.txt Oops, interesting... Fortunately messages with totally empty bodies are quite rare so it's not a major problem. You usually at least get a sig in the body, even if the user didn't type anything. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From aliassoft at WANADOO.FR Sun Feb 23 15:39:25 2003 
From: aliassoft at WANADOO.FR (Alain g) Date: Thu Jan 12 21:17:16 2006 Subject: Warning Is Attachment = no Message-ID: I understand, but the problem comes from Outlook. Even with Outlook Express an attached file "VirusWarnig.txt" is created. That means 80% of email clients in the world see a suspicious attachment. If the problem comes with in-line MIME, is there a way to create this message directly in the body without any attachment? Alain g aliassoft@wanadoo.fr From brose at MED.WAYNE.EDU Sun Feb 23 15:51:25 2003 From: brose at MED.WAYNE.EDU (Rose, Bobby) Date: Thu Jan 12 21:17:16 2006 Subject: IFRAME Message-ID: Most of the ones I see are from Klez messages. Some virus scanners out there remove the infected attachment and send the message on which in the case for Klez, still contains the IFRAME markup to klez. -----Original Message----- From: Paul Welsh [mailto:paul@ESPMAIL.CO.UK] Sent: Sunday, February 23, 2003 8:59 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: IFRAME ----- Original Message ----- From: "Julian Field" To: Sent: 23 February 2003 12:41 Subject: Re: IFRAME > Try setting > > Allow Object Codebase Tags = yes > > as well, as both it and the iframe check are Microsoft security > vulnerability checks. > Thanks, Julian. I see you say in the comments: # This is a very bad idea as it allow various Microsoft vulnerabilities # to go unprotected. Do you still believe this is "a very bad idea"? What it leads to is a lot of virus warning messages clogging up my mailq and a fair number of clearly false alarms. From evertjan at VANRAMSELAAR.NL Sun Feb 23 17:09:19 2003 
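The per-sender approach Julian Field describes for version 4 in the IFRAME thread above, as an added configuration example that is not taken from the MailScanner distribution: the blanket setting beside a ruleset that admits IFrame tags from one trusted sender only. The ruleset path and the sender address are placeholders, and the example assumes the installed version accepts a ruleset file for this option, as that reply says version 4 does.

```conf
# MailScanner.conf, blanket setting: both Microsoft vulnerability checks
# are switched off for mail from every sender.
#Allow IFrame Tags = yes
#Allow Object Codebase Tags = yes

# MailScanner.conf, per-sender setting: the IFrame check is decided by a
# ruleset, and Object Codebase tags stay banned for everyone.
Allow IFrame Tags = /etc/MailScanner/rules/iframe.rules
Allow Object Codebase Tags = no

# /etc/MailScanner/rules/iframe.rules  (placeholder path)
# Sender addresses can be forged, so keep this list as short as possible.
From:      newsletter@trusted.example   yes
FromOrTo:  default                      no
```

A change of this kind needs a MailScanner restart, and the `default` rule is what keeps the check active for every sender not listed.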
From: evertjan at VANRAMSELAAR.NL (Evert Jan van Ramselaar) Date: Thu Jan 12 21:17:16 2006 Subject: SpamAssassin 2.50 Problems In-Reply-To: <5.2.0.9.2.20030223125831.021972c8@imap.ecs.soton.ac.uk> References: <5.2.0.9.2.20030223125831.021972c8@imap.ecs.soton.ac.uk> Message-ID: <3E59003F.6090106@vanramselaar.nl> Julian Field wrote: > Another suggestion from the SAtalk list is to place this in your > spam.assassin.prefs.conf > > score HABEAS_HIL 0 > > as this is a new RBL they are using (I believe) and it seems to be timing > out a lot. I tried this, but SA 2.50 keeps timing out, where 2.44 doesn't. -- Evert Jan van Ramselaar Van Ramselaar Info Tech From mailscanner at ecs.soton.ac.uk Sun Feb 23 17:30:36 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:16 2006 Subject: SpamAssassin 2.50 Problems In-Reply-To: <3E59003F.6090106@vanramselaar.nl> References: <5.2.0.9.2.20030223125831.021972c8@imap.ecs.soton.ac.uk> <5.2.0.9.2.20030223125831.021972c8@imap.ecs.soton.ac.uk> Message-ID: <5.2.0.9.2.20030223172934.02703d48@imap.ecs.soton.ac.uk> At 17:09 23/02/2003, you wrote: >Julian Field wrote: >>Another suggestion from the SAtalk list is to place this in your >>spam.assassin.prefs.conf >> >>score HABEAS_HIL 0 >> >>as this is a new RBL they are using (I believe) and it seems to be timing >>out a lot. > >I tried this, but SA 2.50 keeps timing out, where 2.44 doesn't. What happens if you archive a bit of mail to a text file (not raw queue files), and then use "spamassassin -t < your-message-file" to see what happens? This is clearly very OS-dependent or location-dependent :-( -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From gerry at DORFAM.CA Sun Feb 23 17:59:07 2003 
From: gerry at DORFAM.CA (Gerry Doris) Date: Thu Jan 12 21:17:16 2006 Subject: SpamAssassin 2.50 Problems In-Reply-To: <5.2.0.9.2.20030223172934.02703d48@imap.ecs.soton.ac.uk> Message-ID: On Sun, 23 Feb 2003, Julian Field wrote: > At 17:09 23/02/2003, you wrote: > >Julian Field wrote: > >>Another suggestion from the SAtalk list is to place this in your > >>spam.assassin.prefs.conf > >> > >>score HABEAS_HIL 0 > >> > >>as this is a new RBL they are using (I believe) and it seems to be timing > >>out a lot. > > > >I tried this, but SA 2.50 keeps timing out, where 2.44 doesn't. > > What happens if you archive a bit of mail to a text file (not raw queue > files), and then use "spamassassin -t < your-message-file" to see what happens? > This is clearly very OS-dependent or location-dependent :-( > -- > Julian Field Using 2.50 and running "spamassassin -t < sample-spam.txt > spam" works perfectly. In fact, I've turned off MailScanner calling spamassassin directly and started calling it via procmail. That also works perfectly. The 100% CPU utilization only occurs when I call spamassassin from within MailScanner. MailScanner sits there waiting and then eventually kills off the spamassassin process. It looks to me that the spamassassin 2.50 api is broken. 2.44 works perfectly with no changes to MailScanner. -- Gerry "The lyfe so short, the craft so long to learne" Chaucer From evertjan at VANRAMSELAAR.NL Sun Feb 23 18:15:57 2003 
From: evertjan at VANRAMSELAAR.NL (Evert Jan van Ramselaar) Date: Thu Jan 12 21:17:16 2006 Subject: SpamAssassin 2.50 Problems In-Reply-To: References: Message-ID: <3E590FDD.6020108@vanramselaar.nl> Gerry Doris wrote: > Using 2.50 and running "spamassassin -t < sample-spam.txt > spam" works > perfectly. I have about the same experience. When invoked from the commandline, response times for SA 2.44 and 2.50 are about the same. A nice way to test this is with "time spamassassin -t < testmail" Additional info: - Redhat 7.2 - Kernel 2.4.18-24.7.x - Perl v5.6.1 - MailScanner 4.12-2 -- Evert Jan van Ramselaar Van Ramselaar Info Tech From mailscanner at ecs.soton.ac.uk Sun Feb 23 18:18:06 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:16 2006 Subject: SpamAssassin 2.50 Problems In-Reply-To: References: <5.2.0.9.2.20030223172934.02703d48@imap.ecs.soton.ac.uk> Message-ID: <5.2.0.9.2.20030223181611.0274df50@imap.ecs.soton.ac.uk> At 17:59 23/02/2003, you wrote: >On Sun, 23 Feb 2003, Julian Field wrote: > > > At 17:09 23/02/2003, you wrote: > > >Julian Field wrote: > > >>Another suggestion from the SAtalk list is to place this in your > > >>spam.assassin.prefs.conf > > >> > > >>score HABEAS_HIL 0 > > >> > > >>as this is a new RBL they are using (I believe) and it seems to be timing > > >>out a lot. > > > > > >I tried this, but SA 2.50 keeps timing out, where 2.44 doesn't. > > > > What happens if you archive a bit of mail to a text file (not raw queue > > files), and then use "spamassassin -t < your-message-file" to see what > happens? > > This is clearly very OS-dependent or location-dependent :-( > > -- > > Julian Field > >Using 2.50 and running "spamassassin -t < sample-spam.txt > spam" works >perfectly. In fact, I've turned off MailScanner calling spamassassin >directly and started calling it via procmail. That also works perfectly. > >The 100% CPU utilization only occurs when I call spamassassin from within >MailScanner. MailScanner sits there waiting and then eventually kills >off the spamassassin process. > >It looks to me that the spamassassin 2.50 api is broken. 2.44 works >perfectly with no changes to MailScanner. Can you try something for me. Set "Max Children = 1" then restart MailScanner. Does this make a difference? (I'm looking for file locking problems) Also, cd /root/.spamassassin && fuser * with 1 child and with several. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Sun Feb 23 18:22:38 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:16 2006
Subject: SpamAssassin 2.50 Problems
In-Reply-To: <5.2.0.9.2.20030223181611.0274df50@imap.ecs.soton.ac.uk>
References: <5.2.0.9.2.20030223172934.02703d48@imap.ecs.soton.ac.uk>
Message-ID: <5.2.0.9.2.20030223182201.0275fb10@imap.ecs.soton.ac.uk>

At 18:18 23/02/2003, you wrote:
>At 17:59 23/02/2003, you wrote:
>>On Sun, 23 Feb 2003, Julian Field wrote:
>>
>> > At 17:09 23/02/2003, you wrote:
>> > >Julian Field wrote:
>> > >>Another suggestion from the SAtalk list is to place this in your
>> > >>spam.assassin.prefs.conf
>> > >>
>> > >>score HABEAS_HIL 0
>> > >>
>> > >>as this is a new RBL they are using (I believe) and it seems to be
>> timing
>> > >>out a lot.
>> > >
>> > >I tried this, but SA 2.50 keeps timing out, where 2.44 doesn't.
>> >
>> > What happens if you archive a bit of mail to a text file (not raw queue
>> > files), and then use "spamassassin -t < your-message-file" to see what
>>happens?
>> > This is clearly very OS-dependent or location-dependent :-(
>> > --
>> > Julian Field
>>
>>Using 2.50 and running "spamassassin -t < sample-spam.txt > spam" works
>>perfectly. In fact, I've turned off MailScanner calling spamassassin
>>directly and started calling it via procmail. That also works perfectly.
>>
>>The 100% CPU utilization only occurs when I call spamassassin from within
>>MailScanner. MailScanner sits there waiting and then eventually kills
>>off the spamassassin process.
>>
>>It looks to me that the spamassassin 2.50 api is broken. 2.44 works
>>perfectly with no changes to MailScanner.
>
>Can you try something for me. Set "Max Children = 1" then restart MailScanner.
>Does this make a difference? (I'm looking for file locking problems)
>Also, cd /root/.spamassassin && fuser *
>with 1 child and with several.

Trying to think of other arbitrary differences between your perl and mine:
have you installed Net::DNS?
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From evertjan at VANRAMSELAAR.NL Sun Feb 23 18:36:04 2003
From: evertjan at VANRAMSELAAR.NL (Evert Jan van Ramselaar)
Date: Thu Jan 12 21:17:16 2006
Subject: SpamAssassin 2.50 Problems
In-Reply-To: <5.2.0.9.2.20030223182201.0275fb10@imap.ecs.soton.ac.uk>
References: <5.2.0.9.2.20030223172934.02703d48@imap.ecs.soton.ac.uk>
	<5.2.0.9.2.20030223182201.0275fb10@imap.ecs.soton.ac.uk>
Message-ID: <3E591494.3010309@vanramselaar.nl>

Julian Field wrote:
>> Can you try something for me. Set "Max Children = 1" then restart
>> MailScanner.
>> Does this make a difference? (I'm looking for file locking problems)
>> Also, cd /root/.spamassassin && fuser *
>> with 1 child and with several.

I normally run with just 1 child, as mail load on my server is pretty low.

[root@ram1 .spamassassin]# fuser *
bayes_seen.db: 31156 31165
bayes_toks.db: 31156 31165
[root@ram1 .spamassassin]# ps -fp 31165
UID        PID  PPID  C STIME TTY          TIME CMD
root     31165 31156 78 19:28 ?        00:00:22 /usr/bin/perl -I/usr/lib/MailScanner /usr/sbin/MailScanner /etc/MailScanner/MailScanner.conf

After timing out, and message delivered (mailsystem idle):

[root@ram1 .spamassassin]# fuser *
bayes_seen.db: 31156
bayes_toks.db: 31156

And when another message comes in and SA is invoked:

[root@ram1 .spamassassin]# fuser *
bayes_seen.db: 31156 31288
bayes_toks.db: 31156 31288
[root@ram1 .spamassassin]# ps -fp 31288
UID        PID  PPID  C STIME TTY          TIME CMD
root     31288 31156 86 19:32 ?        00:00:18 /usr/bin/perl -I/usr/lib/MailScanner /usr/sbin/MailScanner /etc/MailScanner/MailScanner.conf

> Trying to think of other arbitrary differences between your perl and mine:
> have you installed Net::DNS?

Yeps.

--
Evert Jan van Ramselaar
Van Ramselaar Info Tech

From vic at vicsfamily.net Sun Feb 23 18:37:27 2003
From: vic at vicsfamily.net (Victor R. Cain)
Date: Thu Jan 12 21:17:16 2006
Subject: F-Prot Lock file error
Message-ID: <200302231337.27766.vic@vicsfamily.net>

I have looked for this one in the archives with no luck, so I hope someone
knows the answer:

/etc/mailscanner/autoupdate/f-prot ran at 4:27 this morning and created a
lock file: /tmp/FProtBusy.lock, containing:
        Locking for updating FProt virus files by 20397
        Unlocked after updateing FProt virus files by 20397

Then later that day, I got this:
        Cannot create /tmp/FProtBusy.lock,
        Permission denied at /usr/share/mailscanner/logger.pl, line 64.

/tmp/FProtBusy.lock was still there -- shouldn't the script have deleted it?

I am running Debian "testing" which uses Mailscanner 3.27, Spamassassin 2.43,
and the latest version of F-Prot (installed by a Debian installer). Since
installing all this, the mail delivery seems to work fine, at least I'm
getting all the mail I expect in and the outgoing mail seems to go out like
it should. I don't really know how to test the spam and virus catching
capabilities. I'm unsure what other information might be pertinent.

Thanks in advance,
Vic Cain

--
Victor R. Cain (865)435-5084 Fax:(865)435-9709
E: vic@vicsfamily.net Web: www.vicsfamily.net

------------ Quote of the Hour ------------
Gravity is a myth, the Earth sucks.

From mailscanner at ecs.soton.ac.uk Sun Feb 23 19:12:01 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:16 2006
Subject: F-Prot Lock file error
In-Reply-To: <200302231337.27766.vic@vicsfamily.net>
Message-ID: <5.2.0.9.2.20030223190919.02715ef8@imap.ecs.soton.ac.uk>

At 18:37 23/02/2003, you wrote:
>I have looked for this one in the archives with no luck, so I hope someone
>knows the answer:
>
>/etc/mailscanner/autoupdate/f-prot ran at 4:27 this morning and created a
>lock file: /tmp/FProtBusy.lock, containing:
>        Locking for updating FProt virus files by 20397
>        Unlocked after updateing FProt virus files by 20397
>
>Then later that day, I got this:
>        Cannot create /tmp/FProtBusy.lock,
>        Permission denied at /usr/share/mailscanner/logger.pl, line 64.
>
>/tmp/FProtBusy.lock was still there -- shouldn't the script have deleted it?

If you are using Exim or not running MailScanner as root, you may hit this
problem. You want to ensure that the user who runs the "autoupdate" script
is the same as the one that MailScanner is running as.

>I am running Debian "testing" which uses Mailscanner 3.27, Spamassassin 2.43,
>and the latest version of F-Prot (installed by a Debian installer). Since
>installing all this, the mail delivery seems to work fine, at least I'm
>getting all the mail I expect in and the outgoing mail seems to go out like
>it should. I don't really know how to test the spam and virus catching
>capabilities. I'm unsure what other information might be pertinent.

There are a couple of files supplied with SpamAssassin, "sample-nonspam.txt"
and "sample-spam.txt".
To get a test file for virus checking, go to www.eicar.org.

>Thanks in advance,
>Vic Cain
>
>--
>Victor R. Cain (865)435-5084 Fax:(865)435-9709
>E: vic@vicsfamily.net Web: www.vicsfamily.net
>
>------------ Quote of the Hour ------------
>Gravity is a myth, the Earth sucks.

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Sun Feb 23 19:12:59 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:16 2006
Subject: SpamAssassin 2.50 Problems
In-Reply-To: <3E591494.3010309@vanramselaar.nl>
References: <5.2.0.9.2.20030223182201.0275fb10@imap.ecs.soton.ac.uk>
	<5.2.0.9.2.20030223172934.02703d48@imap.ecs.soton.ac.uk>
	<5.2.0.9.2.20030223182201.0275fb10@imap.ecs.soton.ac.uk>
Message-ID: <5.2.0.9.2.20030223184909.02267e40@imap.ecs.soton.ac.uk>

My RedHat 7.1 and 8.0 boxes behave similarly. It doesn't seem to cause a
problem for me unfortunately.

While it is running (but idle), does spamassassin -t < sample-spam.txt produce?
And while it has blocked on a message?

It just really behaves as if it is stuck on a file lock call, that would
explain why absolutely nothing happens.

At 18:36 23/02/2003, you wrote:
>Julian Field wrote:
>>>Can you try something for me. Set "Max Children = 1" then restart
>>>MailScanner.
>>>Does this make a difference? (I'm looking for file locking problems)
>>>Also, cd /root/.spamassassin && fuser *
>>>with 1 child and with several.
>
>I normally run with just 1 child, as mail load on my server is pretty low.
>
>[root@ram1 .spamassassin]# fuser *
>bayes_seen.db: 31156 31165
>bayes_toks.db: 31156 31165
>[root@ram1 .spamassassin]# ps -fp 31165
>UID        PID  PPID  C STIME TTY          TIME CMD
>root     31165 31156 78 19:28 ?        00:00:22 /usr/bin/perl
>-I/usr/lib/MailScanner /usr/sbin/MailScanner
>/etc/MailScanner/MailScanner.conf
>
>After timing out, and message delivered (mailsystem idle):
>
>[root@ram1 .spamassassin]# fuser *
>bayes_seen.db: 31156
>bayes_toks.db: 31156
>
>And when another message comes in and SA is invoked:
>
>[root@ram1 .spamassassin]# fuser *
>bayes_seen.db: 31156 31288
>bayes_toks.db: 31156 31288
>[root@ram1 .spamassassin]# ps -fp 31288
>UID        PID  PPID  C STIME TTY          TIME CMD
>root     31288 31156 86 19:32 ?
00:00:18 /usr/bin/perl
>-I/usr/lib/MailScanner /usr/sbin/MailScanner
>/etc/MailScanner/MailScanner.conf
>
>
>>Trying to think of other arbitrary differences between your perl and mine:
>>have you installed Net::DNS?
>
>Yeps.
>
>--
> Evert Jan van Ramselaar
> Van Ramselaar Info Tech

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From so-mlist-alias at all-about-shift.com Sun Feb 23 19:16:21 2003
From: so-mlist-alias at all-about-shift.com (Soeren Gerlach)
Date: Thu Jan 12 21:17:16 2006
Subject: F-Prot Lock file error
In-Reply-To: <200302231337.27766.vic@vicsfamily.net>
References: <200302231337.27766.vic@vicsfamily.net>
Message-ID: <200302232016.21561.so-mlist-alias@all-about-shift.com>

> I have looked for this one in the archives with no luck, so I hope
> someone knows the answer:
>
> /etc/mailscanner/autoupdate/f-prot ran at 4:27 this morning and created
> a lock file: /tmp/FProtBusy.lock, containing:
>         Locking for updating FProt virus files by 20397
>         Unlocked after updateing FProt virus files by 20397
>
> Then later that day, I got this:
>         Cannot create /tmp/FProtBusy.lock,
>         Permission denied at /usr/share/mailscanner/logger.pl, line 64.

Looks sort of like something I discussed some days ago with Julian; topic
"Lock files" ,-))) Just remove the lock file and everything should be
working again. Check the file permissions of the current file and of the
user running the update. I'd place a bet the latter one cannot create the
file, i.e. it's another user's file.

> /tmp/FProtBusy.lock was still there -- shouldn't the script have deleted
> it?

No, it stays there even after the update.

regards,
Soeren

--
This message has been checked for viruses and other dangerous content

From j.cormie at ABERTAY.AC.UK Sun Feb 23 19:26:57 2003
From: j.cormie at ABERTAY.AC.UK (Jason Cormie)
Date: Thu Jan 12 21:17:16 2006
Subject: F-Prot Lock file error
In-Reply-To: <5.2.0.9.2.20030223190919.02715ef8@imap.ecs.soton.ac.uk>
References: <5.2.0.9.2.20030223190919.02715ef8@imap.ecs.soton.ac.uk>
Message-ID: <1046028417.488.2.camel@belial.wormwood.org.uk>

> If you are using Exim or not running MailScanner as root, you may hit this
> problem. You want to ensure that the user who runs the "autoupdate" script
> is the same as the one that MailScanner is running as.

mailscanner runs as user mail on Debian, whilst the cron job doesn't

--
Jason Cormie
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030223/311163b3/attachment.bin

From mailscanner at ecs.soton.ac.uk Sun Feb 23 19:33:09 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:16 2006
Subject: F-Prot Lock file error
In-Reply-To: <1046028417.488.2.camel@belial.wormwood.org.uk>
References: <5.2.0.9.2.20030223190919.02715ef8@imap.ecs.soton.ac.uk>
	<5.2.0.9.2.20030223190919.02715ef8@imap.ecs.soton.ac.uk>
Message-ID: <5.2.0.9.2.20030223193237.0275fe88@imap.ecs.soton.ac.uk>

At 19:26 23/02/2003, you wrote:
> > If you are using Exim or not running MailScanner as root, you may hit this
> > problem. You want to ensure that the user who runs the "autoupdate" script
> > is the same as the one that MailScanner is running as.
>
>mailscanner runs as user mail on Debian, whilst the cron job doesn't

Can someone tell the Debian people about this please? It's a packaging problem.

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From paul at ESPMAIL.CO.UK Sun Feb 23 20:10:30 2003
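Added example, not part of any post in this thread: a shell check for the ownership mismatch diagnosed above, where /tmp/FProtBusy.lock is left behind by the user running the autoupdate cron job and MailScanner, running as user mail on Debian, then cannot open it. The helper name check_lock and its messages are made up for illustration; the path and account are the ones named in the thread.

```shell
#!/bin/sh
# Added example, not MailScanner code. check_lock is a hypothetical helper.
# Decide from owner, group and mode bits whether USER can open LOCK for
# writing. Returns 0 if so, 1 if the open would fail with "Permission denied".
check_lock() {
    lock=$1
    user=$2
    if [ ! -e "$lock" ]; then
        echo "$lock: absent, $user can create it"
        return 0
    fi
    if [ "$user" = root ]; then
        echo "$lock: root is not restricted by the mode bits"
        return 0
    fi
    # ls -ld fields: 1 = mode string, 3 = owner, 4 = group
    set -- $(ls -ld "$lock")
    mode=$1 owner=$3 group=$4
    # Only one permission class applies: owner, else group, else other.
    if [ "$user" = "$owner" ]; then
        class=owner pattern='??w*'
    elif id -Gn "$user" 2>/dev/null | tr ' ' '\n' | grep -qxF "$group"; then
        class=group pattern='?????w*'
    else
        class=other pattern='????????w*'
    fi
    case $mode in
        $pattern)
            echo "$lock: writable by $user via $class bits ($mode)"
            return 0 ;;
    esac
    echo "$lock: owner=$owner mode=$mode, NOT writable by $user ($class bits)"
    return 1
}

# Path and account are the ones named in the thread.
check_lock /tmp/FProtBusy.lock mail ||
    echo "run the autoupdate job as mail, or remove the stale lock"
```

A failing result points at the two remedies given in the thread: run the autoupdate script as the same user as MailScanner, or remove the stale lock file.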
From: paul at ESPMAIL.CO.UK (Paul Welsh)
Date: Thu Jan 12 21:17:16 2006
Subject: IFRAME
References:
Message-ID: <003c01c2db77$a0a738e0$4fe030d5@espmail>

----- Original Message -----
From: "Rose, Bobby"
To:
Sent: 23 February 2003 15:51
Subject: Re: IFRAME

> Most of the ones I see are from Klez messages. Some virus scanners out
> there remove the infected attachment and send the message on which in
> the case for Klez, still contains the IFRAME markup to klez.
>

Presumably, therefore, Klez wouldn't work because the iframe markup would
have pointed to the missing attachment.

From jrudd at UCSC.EDU Sun Feb 23 21:02:22 2003
From: jrudd at UCSC.EDU (John Rudd)
Date: Thu Jan 12 21:17:16 2006
Subject: SpamAssassin 2.50 Problems
Message-ID: <200302232102.h1NL2MY13102@kzin.ucsc.edu>

> From: Evert Jan van Ramselaar
>
> Julian Field wrote:
> > Another suggestion from the SAtalk list is to place this in your
> > spam.assassin.prefs.conf
> >
> > score HABEAS_HIL 0
> >
> > as this is a new RBL they are using (I believe) and it seems to be timing
> > out a lot.
>
> I tried this, but SA 2.50 keeps timing out, where 2.44 doesn't.
>

Are you just having a timeout problem at this point, or are you also having
the CPU/Load issue?

If it's just the timeout, have you tried raising the mailscanner timeout
threshold? I raised mine from 30 to 90, I think (before 2.50 even), and
things were much smoother. But this is on a machine that just serves my home.

If you're talking about a machine that serves a HUGE volume of messages, I
might look into disabling external lookups (RBL's, Razor, etc). Those will
kill ya.

From admin at COVE.COM Sun Feb 23 20:53:05 2003
From: admin at COVE.COM (Bill Ostaski)
Date: Thu Jan 12 21:17:16 2006
Subject: Spam-only HTML to text?
Message-ID:

We recently upgraded to 4.12.-2; great job as usual, Julian!

I like the idea of being able to convert html messages to text - especially
the pornographic messages. Yet I don't see a way to limit the html-to-text
conversion to only those messages identified as spam.

MailScanner.conf provides a switch for messages containing