From mailscanner at ecs.soton.ac.uk Wed Jan 1 11:48:50 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:48 2006
Subject: ANNOUNCE: Version 3.27 and 4.11
Message-ID: <5.2.0.9.2.20030101113005.02098d90@imap.ecs.soton.ac.uk>

Happy New Year everyone!

I have just released updated versions of both V3 and V4.

The only change for V3 is an important security fix, which you can easily
apply without upgrading if you don't want to. See the ChangeLog below for
details.

There are many improvements and changes for V4. A few of them are:
- Security fix is included
- Modify Subject: line to show a message has been scanned
- Stop MailScanner replying to mailing lists that send it viruses
- Quarantine-cleaning script included
- Virus scanner update cron job replaced by global updater script
- Full installation instructions for FreeBSD
- Improved AntiVir, Sophos, F-Prot and F-Secure parsers

Also, in the spirit of Perl tradition, there is now a MailScanner Poetry
page for all you closet bards out there. Contributions are most welcome :-)

It can all be downloaded as usual from www.mailscanner.info

For completeness, here is the entry from the ChangeLog for V4.11:

*Security*
- *** Important Security Fix ***

  You must edit the "sendmail -bd ..." command in your init script and add
      -OPrivacyOptions=noetrn
  as otherwise people could maliciously bypass MailScanner on servers that
  are under heavy load. It is *vital* that you protect yourself with this
  change. However, please note there have been no reports at all of this
  problem being actively exploited.
  It is included in the init scripts that are part of the RPM
  distributions, so RPM users just need to upgrade to the latest
  mailscanner*rpm.

*New Features and Improvements*
- Added 2 more configuration options to modify the subject line whenever a
  message is scanned (but no other subject line changes have happened) so
  it is obvious to all that the message has been scanned.
  By default this will (if enabled) add "{Scanned}" to the end of the
  Subject: line.
- Added "Never Notify Senders Of Precedence" configuration option so that
  you can stop MailScanner replying to postings to mailing lists and other
  bulk mail.
- A modified version of Steve Patterson's "clean.quarantine" script is
  included as a daily cron job. It is disabled by default. Edit it to see
  how to enable it. If you edit it, it will not be over-written by later
  upgrades to MailScanner.
- Written an update_virus_scanners script which updates all installed
  scanners. This is called hourly, as daily wasn't often enough and RedHat
  don't offer anything between hourly and daily.
- Implemented full support for BSD with installation instructions based on
  the tar distribution.
- Added Swedish translation of all reports.
- Added Spanish and Slovak translation of language strings.
- Added wrapper script for inoculan.
- Added an AntiVir autoupdate script.
- Improved AntiVir parser to handle new output format.
- Sophos parser improved to detect Sophos complaining about being given
  1 part of a multi-part archive. Gets flagged as a virus.
- F-Prot and F-Secure parsers improved to handle unusual virus names and
  quieter handling of archives containing infected files.
- Added "$filename" variable expansion in sender warnings. Used it in the
  English versions of the sender warnings.
- Completely new daemonising code to fix problems with ssh sessions
  refusing to die.
- Added "startin" and "startout" parameters to init.d scripts for RedHat
  and SuSE.
- Improved error reporting slightly in configuration compiler.
- Spam logging now includes the recipient domains as well as the sender.
- Incoming Queue Dirs can now be a file listing directories which include
  wildcards.
- Added the message's subject line to the sender spam reports.
- Added a "sleep 5" in between the stop and start in "restart" in the
  init.d script.
- Creates quarantine directories as required.
- Added link checking in code for finding incoming queue dirs.
- Added note for McAfee users about avoiding symlinks with anything even
  remotely connected to McAfee itself.
- Added "Poetry" page to the web site for Nick's idle thoughts...

*Fixes*
- Fixed problem of orphaned queue files being left in incoming queue when
  MailScanner child processes are killed half-way through clearing a
  message.
- Fixed file locking code in Config.pm so Exim users do not have to have
  the config files owned by exim.exim instead of root.root.
- Fixed Exim missing-characters-from-start-of-message bug.
- Fixed SpamAssassin "timeout 260 of 20" counter bug.
- Fixed EximDiskStore file locking bug.
- Fixed bug where unscanned messages are not properly archived if not
  archiving as raw queue files.
- Fixed bug stopping Exim collecting large message batches.
- Changed default virus scanner from "sophos" to "none".
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From mike at ZANKER.ORG Wed Jan 1 11:55:41 2003
From: mike at ZANKER.ORG (Mike Zanker)
Date: Thu Jan 12 21:16:48 2006
Subject: ANNOUNCE: Version 3.27 and 4.11
In-Reply-To: <5.2.0.9.2.20030101113005.02098d90@imap.ecs.soton.ac.uk>
References: <5.2.0.9.2.20030101113005.02098d90@imap.ecs.soton.ac.uk>
Message-ID: <137044629.1041422141@jemima.zanker.org>

On 01 January 2003 11:48 +0000 Julian Field wrote:

> Happy New Year everyone!

And you...

> I have just released updated versions of both V3 and V4.

Thanks - I assume that only the mailscanner rpm for version 4 has
changed and that the support packages are unchanged?

Thanks,

Mike.
From mailscanner at ecs.soton.ac.uk Wed Jan 1 11:59:32 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:48 2006
Subject: ANNOUNCE: Version 3.27 and 4.11
In-Reply-To: <137044629.1041422141@jemima.zanker.org>
References: <5.2.0.9.2.20030101113005.02098d90@imap.ecs.soton.ac.uk>
 <5.2.0.9.2.20030101113005.02098d90@imap.ecs.soton.ac.uk>
Message-ID: <5.2.0.9.2.20030101115837.03256e88@imap.ecs.soton.ac.uk>

At 11:55 01/01/2003, you wrote:
>>I have just released updated versions of both V3 and V4.
>
>Thanks - I assume that only the mailscanner rpm for version 4 has
>changed and that the support packages are unchanged?

Yes, correct. Sorry, I should have said that...
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From paul at ESPMAIL.CO.UK Wed Jan 1 13:11:17 2003
From: paul at ESPMAIL.CO.UK (Paul Welsh)
Date: Thu Jan 12 21:16:48 2006
Subject: ANNOUNCE: Version 3.27 and 4.11
References: <5.2.0.9.2.20030101113005.02098d90@imap.ecs.soton.ac.uk>
Message-ID: <001b01c2b197$484a4480$57e030d5@espmail>

----- Original Message -----
From: "Julian Field"
To:
Sent: 01 January 2003 11:48
Subject: ANNOUNCE: Version 3.27 and 4.11

> The only change for V3 is an important security fix, which you can easily
> apply without upgrading if you don't want to. See the ChangeLog below for
> details.
>
> - *** Important Security Fix ***
>
>      You must edit the "sendmail -bd ..." command in your init script and add
>      -OPrivacyOptions=noetrn

Happy New Year Julian. I have a raq3 and ETRN is disabled by default in
the raq3 Sendmail configuration. Is this change therefore necessary?
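
The check that the announcement and the question above come down to, as an added example that is not part of the thread or of MailScanner: a shell script that reports whether ETRN is disabled either on the `sendmail -bd` command line of an init script or through `PrivacyOptions` in `sendmail.cf`. The function names, file names and sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): is ETRN disabled for the listening
# sendmail daemon, on its "sendmail -bd" command line or in sendmail.cf?

# awk helpers shared by both checks below.
AWK_LIB='
# True if a comma-separated PrivacyOptions value lists the noetrn flag.
function has_noetrn(list,   n, i, f, flag) {
    n = split(tolower(list), f, ",")
    for (i = 1; i <= n; i++) {
        flag = f[i]
        gsub(/^[^a-z]+|[^a-z]+$/, "", flag)      # drop blanks and quotes
        if (flag == "noetrn") return 1
    }
    return 0
}
# True if a command line carries -OPrivacyOptions=<list> with noetrn in it.
function cmdline_has_noetrn(line,   rest, val) {
    rest = tolower(line)
    while (match(rest, /-o[ \t]*privacyoptions=[^ \t]+/)) {
        val = substr(rest, RSTART, RLENGTH)
        sub(/^[^=]*=/, "", val)
        if (has_noetrn(val)) return 1
        rest = substr(rest, RSTART + RLENGTH)
    }
    return 0
}'

# Succeeds only if the init script starts at least one "sendmail ... -bd"
# daemon and every such command line disables ETRN.
init_disables_etrn() {
    awk "$AWK_LIB"'
        { line = pending $0; pending = "" }
        line ~ /\\$/ { sub(/\\$/, " ", line); pending = line; next }  # join continuation lines
        line ~ /^[ \t]*#/ { next }                                     # skip comments
        tolower(line) ~ /sendmail[^|;&]*[ \t]-bd([^a-z0-9_]|$)/ {
            daemons++
            if (!cmdline_has_noetrn(line)) unprotected++
        }
        END { exit !(daemons > 0 && unprotected == 0) }
    ' "$1"
}

# Succeeds if the last "O PrivacyOptions=" line of a sendmail.cf lists
# noetrn. Using the last line is this example's conservative choice when
# several such lines are present.
cf_disables_etrn() {
    awk "$AWK_LIB"'
        /^O[ \t]*PrivacyOptions[ \t]*=/ {
            val = $0
            sub(/^[^=]*=/, "", val)
            found = has_noetrn(val)
        }
        END { exit !found }
    ' "$1"
}

# ETRN counts as disabled if either place disables it.
etrn_disabled() {
    init_disables_etrn "$1" || cf_disables_etrn "$2"
}

# Constructed sample files (not taken from any real server).
SAMPLES=$(mktemp -d) || exit 1
trap 'rm -rf "$SAMPLES"' EXIT

cat > "$SAMPLES/init.old" <<'EOF'
start() {
    /usr/sbin/sendmail -bd -ODeliveryMode=queueonly \
        -OQueueDirectory=/var/spool/mqueue.in
    /usr/sbin/sendmail -q15m
}
EOF
cat > "$SAMPLES/init.new" <<'EOF'
start() {
    /usr/sbin/sendmail -bd -OPrivacyOptions=noetrn \
        -ODeliveryMode=queueonly -OQueueDirectory=/var/spool/mqueue.in
    /usr/sbin/sendmail -q15m
}
EOF
# Only one of the two daemon start lines was edited.
cat > "$SAMPLES/init.partial" <<'EOF'
start()   { /usr/sbin/sendmail -bd -OPrivacyOptions=noetrn; }
restart() { /usr/sbin/sendmail -bd; }
EOF
printf '%s\n' '# privacy flags' 'O PrivacyOptions=authwarnings,novrfy,noexpn' \
    > "$SAMPLES/cf.default"
printf '%s\n' 'O PrivacyOptions=authwarnings,noetrn' > "$SAMPLES/cf.noetrn"

for init in init.old init.new init.partial; do
    for cf in cf.default cf.noetrn; do
        verdict="ETRN still accepted"
        etrn_disabled "$SAMPLES/$init" "$SAMPLES/$cf" && verdict="ETRN disabled"
        printf '%-12s + %-10s : %s\n' "$init" "$cf" "$verdict"
    done
done
```

The `init.old` with `cf.noetrn` combination corresponds to the situation in the question: the init script is unchanged, but the configuration file already disables ETRN.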
From joe at QITC.CO.UK Wed Jan 1 13:27:03 2003
From: joe at QITC.CO.UK (Joe Quinn)
Date: Thu Jan 12 21:16:48 2006
Subject: ANNOUNCE: Version 3.27 and 4.11 A couple of questions
References: <5.2.0.9.2.20030101113005.02098d90@imap.ecs.soton.ac.uk>
Message-ID: <009a01c2b199$78e71d00$ed876751@T20>

Hi,

I just upgraded a RaQ4 and have a couple of questions;
I would normally execute the following command to stop MailScanner;
/etc/rc.d/init.d/MailScanner stop
then check with;
ps -auxw | grep -i mail
just to make sure everything has stopped before restarting with;
/etc/rc.d/init.d/MailScanner start

However after the upgrade there are a few instances of mailscanner that
won't shut down, should I just kill them?

As I host loads of RaQs for customers, is there a way of determining which
version of MailScanner is running, as sometimes I forget which RaQs have
been updated? Perhaps something like;

/etc/rc.d/init.d/MailScanner -V

Next question, you say the autoupdate script has been changed, can I delete;

f-prot.autoupdate -> /usr/lib/MailScanner/f-prot-autoupdate

in the cron.daily directory?

Also, when I manually execute;

/etc/cron.daily/f-prot.autoupdate

I would get an output similar to;

FTP address for retrieving files is ftp://eu-3.updates.f-prot.com/pub/
File SIGN.DEF is already up to date.
File SIGN2.DEF is already up to date.
File MACRO.DEF is already up to date.
Nothing to be done.

so I knew it was working OK but now if I try;

/etc/cron.hourly/check_MailScanner

I don't get any indication of whether it worked or not?

Happy New Year to all :-)

Joe Quinn, QITC Internet Solutions (joe@qitc.co.uk)
Cisco re-seller, Cobalt Sapphire Partner. www.qitc.net/stocklist
Web Site Hosting, Server Hosting, Co-location.
Tel: (UK) +44 776 737 1234

From mike at ZANKER.ORG Wed Jan 1 13:43:34 2003
From: mike at ZANKER.ORG (Mike Zanker)
Date: Thu Jan 12 21:16:48 2006
Subject: Version 4.11 wrapper scripts
Message-ID: <143518118.1041428614@jemima.zanker.org>

Just in case anyone else gets caught out, all the wrapper scripts have
changed to support the new hourly update script and will be installed
with an .rpmnew postfix (if you install the RPM version). You have to
replace the previous one(s) by hand.

It wasn't until cron mailed me a load of error messages that I noticed
this :)

Mike.

From mailscanner at ecs.soton.ac.uk Wed Jan 1 14:29:44 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:48 2006
Subject: ANNOUNCE: Version 3.27 and 4.11
In-Reply-To: <001b01c2b197$484a4480$57e030d5@espmail>
References: <5.2.0.9.2.20030101113005.02098d90@imap.ecs.soton.ac.uk>
Message-ID: <5.2.0.9.2.20030101142842.03325b50@imap.ecs.soton.ac.uk>

At 13:11 01/01/2003, you wrote:
>----- Original Message -----
>From: "Julian Field"
>To:
>Sent: 01 January 2003 11:48
>Subject: ANNOUNCE: Version 3.27 and 4.11
>
> > The only change for V3 is an important security fix, which you can easily
> > apply without upgrading if you don't want to. See the ChangeLog below for
> > details.
> >
> > - *** Important Security Fix ***
> >
> >      You must edit the "sendmail -bd ..." command in your init script and add
> >      -OPrivacyOptions=noetrn
>
>Happy New Year Julian. I have a raq3 and ETRN is disabled by default in
>the raq3 Sendmail configuration. Is this change therefore necessary?

No. The key thing is to make sure that ETRN is disabled by any means
necessary. My suggested change is just the easiest way of doing it on most
systems.
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Wed Jan 1 14:36:27 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:48 2006
Subject: Version 4.11 wrapper scripts
In-Reply-To: <143518118.1041428614@jemima.zanker.org>
Message-ID: <5.2.0.9.2.20030101143501.0328be50@imap.ecs.soton.ac.uk>

At 13:43 01/01/2003, you wrote:
>Just in case anyone else gets caught out, all the wrapper scripts have
>changed to support the new hourly update script and will be installed
>with an .rpmnew postfix (if you install the RPM version). You have to
>replace the previous one(s) by hand.

Well spotted. They are carefully marked to *not* overwrite in case you have
changed them. But in this instance you do need to replace all your old ones
with the new ones that support the optional "-IsItInstalled" command-line
switch.

>It wasn't until cron mailed me a load of error messages that I noticed
>this :)

Thank you for pointing this out. I'll add a note to the downloads web page.
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Wed Jan 1 14:34:45 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:48 2006
Subject: ANNOUNCE: Version 3.27 and 4.11 A couple of questions
In-Reply-To: <009a01c2b199$78e71d00$ed876751@T20>
References: <5.2.0.9.2.20030101113005.02098d90@imap.ecs.soton.ac.uk>
Message-ID: <5.2.0.9.2.20030101142959.0325bea8@imap.ecs.soton.ac.uk>

At 13:27 01/01/2003, you wrote:
>I just upgraded a RaQ4 and have a couple of questions;
>I would normally execute the following command to stop MailScanner;
>/etc/rc.d/init.d/MailScanner stop
>then check with;
>ps -auxw | grep -i mail
>just to make sure everything has stopped before restarting with;
>/etc/rc.d/init.d/MailScanner start
>
>However after the upgrade there are a few instances of mailscanner that
>won't shut down, should I just kill them?

Yes.

>As I host loads of RaQs for customers, is there a way of determining which
>version of MailScanner is running, as sometimes I forget which RaQs have
>been updated? Perhaps something like;
>
>/etc/rc.d/init.d/MailScanner -V

There isn't at the moment (you need to look for the startup message in the
logs, using something like
         fgrep "Virus Scanner version" /var/log/maillog
If it is installed with RPM, you can of course just do
         rpm -q mailscanner

>Next question, you say the autoupdate script has been changed, can I delete;
>
>f-prot.autoupdate -> /usr/lib/MailScanner/f-prot-autoupdate
>
>in the cron.daily directory?

Yes. You should find the new one in the cron.hourly directory.

>Also, when I manually execute;
>
>/etc/cron.daily/f-prot.autoupdate
>
>I would get an output similar to;
>
>FTP address for retrieving files is ftp://eu-3.updates.f-prot.com/pub/
>File SIGN.DEF is already up to date.
>File SIGN2.DEF is already up to date.
>File MACRO.DEF is already up to date.
>Nothing to be done.
>
>so I knew it was working OK but now if I try;
>
>/etc/cron.hourly/check_MailScanner
>
>I don't get any indication of whether it worked or not?

The "check_MailScanner" script isn't the autoupdater, it's the check to
ensure MailScanner is running. You want
         /etc/cron.hourly/update_virus_scanners
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Wed Jan 1 14:56:06 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:48 2006
Subject: Version 4.11 wrapper scripts
In-Reply-To: <5.2.0.9.2.20030101143501.0328be50@imap.ecs.soton.ac.uk>
References: <143518118.1041428614@jemima.zanker.org>
Message-ID: <5.2.0.9.2.20030101145446.0331fe40@imap.ecs.soton.ac.uk>

At 14:36 01/01/2003, you wrote:
>At 13:43 01/01/2003, you wrote:
>>Just in case anyone else gets caught out, all the wrapper scripts have
>>changed to support the new hourly update script and will be installed
>>with an .rpmnew postfix (if you install the RPM version). You have to
>>replace the previous one(s) by hand.

There is now a little script on the downloads page for you to cut and paste
which will do all the renaming for you, saving your old versions.
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Wed Jan 1 19:53:28 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:48 2006
Subject: Storing incoming work dir on ramdisk
Message-ID: <5.2.0.9.2.20030101194245.02fa8ff0@imap.ecs.soton.ac.uk>

I've just done an experiment on my biggest server (thank you Transtec!).

I am ignoring incoming SMTP traffic load for now, as I have yet to find
enough machines to feed it SMTP traffic at 1.5 million messages per day.

Using disk-based directories for
         mqueue.in
         mqueue
         MailScanner/incoming
using Exim
I can process about 1.1 million messages per day, using Sophos,
SpamAssassin and the default RBL lists.

With tmpfs-based directories for
         MailScanner/incoming
this jumps to about 1.4 million messages per day, using the same settings.
This is perfectly safe as the MailScanner/incoming directory is wiped at
startup anyway, and no messages can be lost by power-outs.

With tmpfs-based directories for
         mqueue.in
         mqueue
         MailScanner/incoming
this increases to about 1.5 million messages per day, using the same
settings. This is not safe as the mqueue.in and mqueue would be lost on
power-outs.

So if you have the RAM to throw at it, and plenty of CPU horse-power to
make use of it, you can increase your message throughput by roughly 30% by
moving the MailScanner/incoming directory onto a tmpfs filesystem held in RAM.

But if you run out of RAM and start swapping a lot, the performance will
drop quickly.

Tests done on a Transtec 2600 Workgroup Server, 2 x 2.4GHz/Zeon with 2Gb
RAM, 15000rpm SCSI disk, 15 child processes.
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From gerry at DORFAM.CA Wed Jan 1 20:37:16 2003
From: gerry at DORFAM.CA (Gerry Doris)
Date: Thu Jan 12 21:16:48 2006
Subject: Storing incoming work dir on ramdisk
In-Reply-To: <5.2.0.9.2.20030101194245.02fa8ff0@imap.ecs.soton.ac.uk>
Message-ID:

On Wed, 1 Jan 2003, Julian Field wrote:

> I've just done an experiment on my biggest server (thank you Transtec!).
>
> I am ignoring incoming SMTP traffic load for now, as I have yet to find
> enough machines to feed it SMTP traffic at 1.5 million messages per day.
>
> Using disk-based directories for
>          mqueue.in
>          mqueue
>          MailScanner/incoming
> using Exim
> I can process about 1.1 million messages per day, using Sophos,
> SpamAssassin and the default RBL lists.
>
> With tmpfs-based directories for
>          MailScanner/incoming
> this jumps to about 1.4 million messages per day, using the same settings.
> This is perfectly safe as the MailScanner/incoming directory is wiped at
> startup anyway, and no messages can be lost by power-outs.
>
> With tmpfs-based directories for
>          mqueue.in
>          mqueue
>          MailScanner/incoming
> this increases to about 1.5 million messages per day, using the same
> settings. This is not safe as the mqueue.in and mqueue would be lost on
> power-outs.
>
> So if you have the RAM to throw at it, and plenty of CPU horse-power to
> make use of it, you can increase your message throughput by roughly 30% by
> moving the MailScanner/incoming directory onto a tmpfs filesystem held in RAM.
>
> But if you run out of RAM and start swapping a lot, the performance will
> drop quickly.
>
> Tests done on a Transtec 2600 Workgroup Server, 2 x 2.4GHz/Zeon with 2Gb
> RAM, 15000rpm SCSI disk, 15 child processes.
> --
> Julian Field
> www.MailScanner.info
> MailScanner thanks transtec Computers for their support

Those are pretty impressive numbers! I noticed that you're testing with
Exim instead of sendmail. Do you think there would be much difference if
you used sendmail?

BTW, do you think that Transtec would like to provide me with one of those
servers? It would give my home mail server a little more "head room"!

--
Gerry

"The lyfe so short, the craft so long to learne" Chaucer

From gerry at DORFAM.CA Wed Jan 1 20:44:20 2003
From: gerry at DORFAM.CA (Gerry Doris)
Date: Thu Jan 12 21:16:48 2006
Subject: Announce: mailscanner-mrtg version 0.04 is out!
In-Reply-To: <95DD6F026D9C5C459E262B9C385C478E5981DB@h-file04.180096hotel.com>
Message-ID:

On Tue, 31 Dec 2002, Dale Lovelace wrote:

> Hi!
>
> I have a new version of mailscanner-mrtg, Here is the latest
> changelog:
>
> 0.04 Dec 15, 2002
>     Changed subs to use sar for cross-platform (Solaris???):
>         iptraffic
>             remove Ethernet Device File from mailscanner-mrtg.conf
>             add gauge option to mailscanner-mrtg.cfg
>         loadavg
>         memory
>     Die on even more things if not in $Config array
>     Increase MaxBytes for mailbytes in mailscanner-mrtg.cfg
>     Add the ability to restart MailScanner if processes are low
>
> As always mailscanner-mrtg is available in Red Hat RPM format and
> .tar.gz from:
>
> http://mailscanner-mrtg.netfirms.com/
>
>
> Additional Credits in this release:
>
> Mike Brock pressed the send button for this email! He also spell-checked
> it!!!
>
> Good Luck!
>
> Dale Lovelace
> System Administrator
> hotels.com
> (214) 361-7311 Ext. 1074

Dale, once again, thanks for the package. I've started to rely a lot on
those graphs but not just for MailScanner. I noticed the other day when I
logged in from work that the cpu utilization was stuck at 100%. Turned out
that my faxmodem had become wedged for some reason (never had that happen
before??).

However, I found that the amount of detail on the ethernet chart to be too
much for the resolution being used. Also, I have no idea how to use the %
data. It doesn't make any sense to me. I've commented out the option line
in mailscanner-mrtg.cfg so that it doesn't bother with the % and just uses
the default data. I find that more useful.

Thanks again for your package!
-- Gerry "The lyfe so short, the craft so long to learne" Chaucer From mike at CAMAROSS.NET Thu Jan 2 00:10:46 2003 From: mike at CAMAROSS.NET (Mike Kercher) Date: Thu Jan 12 21:16:48 2006 Subject: ANNOUNCE: Version 3.27 and 4.11 In-Reply-To: <5.2.0.9.2.20030101113005.02098d90@imap.ecs.soton.ac.uk> Message-ID: <006b01c2b1f3$6685a8c0$6901a8c0@home.middlefinger.net> Anyone else seeing anything like this in the maillog: Jan 1 18:20:45 mail MailScanner[31377]: Spam Checks: Starting Jan 1 18:20:45 mail MailScanner[31377]: Looked up unknown string spam in language translation file /opt/MailScanner/etc/reports/en/languages.conf Jan 1 18:20:45 mail MailScanner[31377]: Looked up unknown string score in language translation file /opt/MailScanner/etc/reports/en/languages.conf Jan 1 18:20:45 mail MailScanner[31377]: Looked up unknown string required in language translation file /opt/MailScanner/etc/reports/en/languages.conf Jan 1 18:20:46 mail MailScanner[31377]: Looked up unknown string notspam in language translation file /opt/MailScanner/etc/reports/en/languages.conf Mike -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Julian Field Sent: Wednesday, January 01, 2003 5:49 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: ANNOUNCE: Version 3.27 and 4.11 Happy New Year everyone! I have just released updated versions of both V3 and V4. The only change for V3 is an important security fix, which you can easily apply without upgrading if you don't want to. See the ChangeLog below for details. There are many improvements and changes for V4. 
A few of them are: - Security fix is included - Modify Subject: line to show a message has been scanned - Stop MailScanner replying to mailing lists that send it viruses - Quarantine-cleaning script included - Virus scanner update cron job replaced by global updater script - Full installation instructions for FreeBSD - Improved AntiVir, Sophos, F-Prot and F-Secure parsers Also, in the spirit of Perl tradition, there is now a MailScanner Poetry page for all you closet bards out there. Contributions are most welcome :-) It can all be downloaded as usual from www.mailscanner.info For completeness, here is the entry from the ChangeLog for V4.11: *Security* - *** Important Security Fix *** You must edit the "sendmail -bd ..." command in your init script and add -OPrivacyOptions=noetrn as otherwise people could maliciously bypass MailScanner on servers that are under heavy load. It is *vital* that you protect yourself with this change. However, please note there have been no reports at all of this problem being actively exploited. It is included in the init scripts that are part of the RPM distributions, so RPM users just need to upgrade to the latest mailscanner*rpm. *New Features and Improvements* - Added 2 more configuration options to modify the subject line whenever a message is scanned (but no other subject line changes have happened) so it is obvious to all that the message has been scanned. By default this will (if enabled) add "{Scanned}" to the end of the Subject: line. - Added "Never Notify Senders Of Precedence" configuration option so that you can stop MailScanner replying to postings to mailing lists and other bulk mail. - A modified version of Steve Patterson's "clean.quarantine" script is included as a daily cron job. It is disabled by default. Edit it to see how to enable it. If you edit it, it will not be over-written by later upgrades to MailScanner. - Written an update_virus_scanners script which updates all installed scanners. 
This is called hourly, as daily wasn't often enough and RedHat don't offer anything between hourly and daily. - Implemented full support for BSD with installation instructions based on the tar distribution. - Added Swedish translation of all reports. - Added Spanish and Slovak translation of language strings. - Added wrapper script for inoculan. - Added an AntiVir autoupdate script. - Improved AntiVir parser to handle new output format. - Sophos parser improved to detect Sophos complaining about being given 1 part of a multi-part archive. Gets flagged as a virus. - F-Prot and F-Secure parsers improved to handle unusual virus names and quieter handling of archives containing infected files. - Added "$filename" variable expansion in sender warnings. Used it in the English versions of the sender warnings. - Completely new daemonising code to fix problems with ssh sessions refusing to die. - Added "startin" and "startout" parameters to init.d scripts for RedHat and SuSE. - Improved error reporting slightly in configuration compiler. - Spam logging now includes the recipient domains as well as the sender. - Incoming Queue Dirs can now be a file listing directories which include wildcards. - Added the message's subject line to the sender spam reports. - Added a "sleep 5" in between the stop and start in "restart" in the init.d script. - Creates quarantine directories as required. - Added link checking in code for finding incoming queue dirs. - Added note for McAfee users about avoiding symlinks with anything even remotely connected to McAfee itself. - Added "Poetry" page to the web site for Nick's idle thoughts... *Fixes* - Fixed problem of orphaned queue files being left in incoming queue when MailScanner child processes are killed half-way through clearing a message. - Fixed file locking code in Config.pm so Exim users do not have to have the config files owned by exim.exim instead of root.root. - Fixed Exim missing-characters-from-start-of-message bug. 
- Fixed SpamAssassin "timeout 260 of 20" counter bug. - Fixed EximDiskStore file locking bug. - Fixed bug where unscanned messages are not properly archived if not archiving as raw queue files. - Fixed bug stopping Exim collecting large message batches. - Changed default virus scanner from "sophos" to "none". -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From mike at CAMAROSS.NET Thu Jan 2 00:14:52 2003 From: mike at CAMAROSS.NET (Mike Kercher) Date: Thu Jan 12 21:16:48 2006 Subject: ANNOUNCE: Version 3.27 and 4.11 In-Reply-To: <006b01c2b1f3$6685a8c0$6901a8c0@home.middlefinger.net> Message-ID: <006c01c2b1f3$f920c980$6901a8c0@home.middlefinger.net> Just to clarify, I am running the RPM version, so there is nothing pointing to /opt in this MailScanner.conf Mike -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Mike Kercher Sent: Wednesday, January 01, 2003 6:11 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: ANNOUNCE: Version 3.27 and 4.11 Anyone else seeing anything like this in the maillog: Jan 1 18:20:45 mail MailScanner[31377]: Spam Checks: Starting Jan 1 18:20:45 mail MailScanner[31377]: Looked up unknown string spam in language translation file /opt/MailScanner/etc/reports/en/languages.conf Jan 1 18:20:45 mail MailScanner[31377]: Looked up unknown string score in language translation file /opt/MailScanner/etc/reports/en/languages.conf Jan 1 18:20:45 mail MailScanner[31377]: Looked up unknown string required in language translation file /opt/MailScanner/etc/reports/en/languages.conf Jan 1 18:20:46 mail MailScanner[31377]: Looked up unknown string notspam in language translation file /opt/MailScanner/etc/reports/en/languages.conf Mike -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Julian Field Sent: Wednesday, January 01, 2003 5:49 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: ANNOUNCE: Version 3.27 and 
4.11 Happy New Year everyone! I have just released updated versions of both V3 and V4. The only change for V3 is an important security fix, which you can easily apply without upgrading if you don't want to. See the ChangeLog below for details. There are many improvements and changes for V4. A few of them are: - Security fix is included - Modify Subject: line to show a message has been scanned - Stop MailScanner replying to mailing lists that send it viruses - Quarantine-cleaning script included - Virus scanner update cron job replaced by global updater script - Full installation instructions for FreeBSD - Improved AntiVir, Sophos, F-Prot and F-Secure parsers Also, in the spirit of Perl tradition, there is now a MailScanner Poetry page for all you closet bards out there. Contributions are most welcome :-) It can all be downloaded as usual from www.mailscanner.info For completeness, here is the entry from the ChangeLog for V4.11: *Security* - *** Important Security Fix *** You must edit the "sendmail -bd ..." command in your init script and add -OPrivacyOptions=noetrn as otherwise people could maliciously bypass MailScanner on servers that are under heavy load. It is *vital* that you protect yourself with this change. However, please note there have been no reports at all of this problem being actively exploited. It is included in the init scripts that are part of the RPM distributions, so RPM users just need to upgrade to the latest mailscanner*rpm. *New Features and Improvements* - Added 2 more configuration options to modify the subject line whenever a message is scanned (but no other subject line changes have happened) so it is obvious to all that the message has been scanned. By default this will (if enabled) add "{Scanned}" to the end of the Subject: line. - Added "Never Notify Senders Of Precedence" configuration option so that you can stop MailScanner replying to postings to mailing lists and other bulk mail. 
- A modified version of Steve Patterson's "clean.quarantine" script is included as a daily cron job. It is disabled by default. Edit it to see how to enable it. If you edit it, it will not be over-written by later upgrades to MailScanner. - Written an update_virus_scanners script which updates all installed scanners. This is called hourly, as daily wasn't often enough and RedHat don't offer anything between hourly and daily. - Implemented full support for BSD with installation instructions based on the tar distribution. - Added Swedish translation of all reports. - Added Spanish and Slovak translation of language strings. - Added wrapper script for inoculan. - Added an AntiVir autoupdate script. - Improved AntiVir parser to handle new output format. - Sophos parser improved to detect Sophos complaining about being given 1 part of a multi-part archive. Gets flagged as a virus. - F-Prot and F-Secure parsers improved to handle unusual virus names and quieter handling of archives containing infected files. - Added "$filename" variable expansion in sender warnings. Used it in the English versions of the sender warnings. - Completely new daemonising code to fix problems with ssh sessions refusing to die. - Added "startin" and "startout" parameters to init.d scripts for RedHat and SuSE. - Improved error reporting slightly in configuration compiler. - Spam logging now includes the recipient domains as well as the sender. - Incoming Queue Dirs can now be a file listing directories which include wildcards. - Added the message's subject line to the sender spam reports. - Added a "sleep 5" in between the stop and start in "restart" in the init.d script. - Creates quarantine directories as required. - Added link checking in code for finding incoming queue dirs. - Added note for McAfee users about avoiding symlinks with anything even remotely connected to McAfee itself. - Added "Poetry" page to the web site for Nick's idle thoughts... 

*Fixes*
- Fixed problem of orphaned queue files being left in incoming queue when MailScanner child processes are killed half-way through clearing a message.
- Fixed file locking code in Config.pm so Exim users do not have to have the config files owned by exim.exim instead of root.root.
- Fixed Exim missing-characters-from-start-of-message bug.
- Fixed SpamAssassin "timeout 260 of 20" counter bug.
- Fixed EximDiskStore file locking bug.
- Fixed bug where unscanned messages are not properly archived if not archiving as raw queue files.
- Fixed bug stopping Exim collecting large message batches.
- Changed default virus scanner from "sophos" to "none".

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From mike at CAMAROSS.NET Thu Jan 2 00:20:19 2003
From: mike at CAMAROSS.NET (Mike Kercher)
Date: Thu Jan 12 21:16:48 2006
Subject: ANNOUNCE: Version 3.27 and 4.11
In-Reply-To: <006b01c2b1f3$6685a8c0$6901a8c0@home.middlefinger.net>
Message-ID: <006e01c2b1f4$bc2b3500$6901a8c0@home.middlefinger.net>

Nevermind...I'm an idiot! I missed the languages.conf entry when I diff'd the MailScanner.confs

Mike

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Mike Kercher
Sent: Wednesday, January 01, 2003 6:11 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: ANNOUNCE: Version 3.27 and 4.11

Anyone else seeing anything like this in the maillog:

Jan 1 18:20:45 mail MailScanner[31377]: Spam Checks: Starting
Jan 1 18:20:45 mail MailScanner[31377]: Looked up unknown string spam in language translation file /opt/MailScanner/etc/reports/en/languages.conf
Jan 1 18:20:45 mail MailScanner[31377]: Looked up unknown string score in language translation file /opt/MailScanner/etc/reports/en/languages.conf
Jan 1 18:20:45 mail MailScanner[31377]: Looked up unknown string required in language translation file /opt/MailScanner/etc/reports/en/languages.conf
Jan 1 18:20:46 mail MailScanner[31377]: Looked up unknown string notspam in language translation file /opt/MailScanner/etc/reports/en/languages.conf

Mike

From x.mailscanner.mail at MELLONI.COM Thu Jan 2 00:24:38 2003
From: x.mailscanner.mail at MELLONI.COM (Bruno)
Date: Thu Jan 12 21:16:48 2006
Subject: Centralized aliases
Message-ID: <200301020024.h020Oaa31083@ori.rl.ac.uk>

Long description, short question:

I have been happily using Mailscanner in the proxy + mail server configuration described in the web site. I use Linux/sendmail for both the proxy (in the DMZ) and the mail server (in the LAN). Users only interact with the mail server and are never aware of the mailscanner proxy (unless it catches viruses or flags mail as spam). Quite nice. :)

I also use aliases extensively so that when I have to give a vendor an email address I can give them one that is easily deleted if I find them abuse it or if they sell it to other vendors. Also nice. :)

One minor annoyance is that if the aliases (as well as every other valid email address) are not defined on the proxy then the mail is rejected. So, all the email IDs and aliases have to be on the proxy. But if any ID or alias is not ALSO defined on the mail server then mail sent from the LAN to that ID tends to bounce since the mail server (correctly) thinks the mail is destined to itself but does not find the ID or alias. So, user IDs and aliases need to be defined twice, identically, in both the server and alias.

And finally here comes the question: Is there any way to do the ID and mail alias definition in just one place? Maybe have the proxy's sendmail and Mailscanner somehow validate IDs and aliases against the regular mail server instead of checking its own list?
Or something else?

Thanks,
Bruno

From mike at CAMAROSS.NET Thu Jan 2 01:34:19 2003
From: mike at CAMAROSS.NET (Mike Kercher)
Date: Thu Jan 12 21:16:48 2006
Subject: Centralized aliases
In-Reply-To: <200301020024.h020Oaa31083@ori.rl.ac.uk>
Message-ID: <001e01c2b1ff$12beb4a0$9901a8c0@home.middlefinger.net>

You might consider locating your aliases file on an NFS share. You could then use cron to run newaliases every so often. You'd have to modify your sendmail to tell it the new location of aliases.

Mike

From pg at NEWHONEST.COM Thu Jan 2 02:39:10 2003
From: pg at NEWHONEST.COM (pg)
Date: Thu Jan 12 21:16:48 2006
Subject: ANNOUNCE: Version 3.27 and 4.11
References: <5.2.0.9.2.20030101113005.02098d90@imap.ecs.soton.ac.uk>
Message-ID: <001d01c2b208$22bba300$2101a8c0@jasonnb>

I'm using Redhat 7.2. I tried to upgrade to 3.27 from 3.26 but the following error message appeared :

error: unpacking of archive failed on file /var/spool/mqueue.in: cpio: rename failed - Is a directory

-Jason

From ucs_rat at SHSU.EDU Thu Jan 2 02:40:44 2003
From: ucs_rat at SHSU.EDU (Robert A. Thompson)
Date: Thu Jan 12 21:16:48 2006
Subject: ANNOUNCE: Version 3.27 and 4.11
In-Reply-To: <001d01c2b208$22bba300$2101a8c0@jasonnb>
References: <5.2.0.9.2.20030101113005.02098d90@imap.ecs.soton.ac.uk> <001d01c2b208$22bba300$2101a8c0@jasonnb>
Message-ID: <1041475244.9856.11.camel@ra.thethompsonhouse.com>

re-download the rpm. sounds like you have a bad rpm. Might try a md5sum to check the file. I assume the md5sums are on the website.

--rat

On Wed, 2003-01-01 at 20:39, pg wrote:
> I'm using Redhat 7.2. I tried to upgrade to 3.27 from 3.26 but the following
> error message appeared :
>
> error: unpacking of archive failed on file /var/spool/mqueue.in: cpio:
> rename failed - Is a directory
>
> -Jason

From rhipolito at ECOMMSITE.COM Thu Jan 2 03:50:02 2003
From: rhipolito at ECOMMSITE.COM (Rodel P. Hipolito)
Date: Thu Jan 12 21:16:48 2006
Subject: updating sophos
Message-ID:

Hi Guys,

How will I update the virus dat of sophos automatically?

Thanks a lot!!!

From lyons at digitalvoodoo.org Thu Jan 2 03:52:47 2003
From: lyons at digitalvoodoo.org (Tim Lyons)
Date: Thu Jan 12 21:16:48 2006
Subject: updating sophos
In-Reply-To:
Message-ID: <000201c2b212$6ce90080$0200a8c0@keeper>

Sophos should auto-update every night at ~4AM.

The script that is executed is /usr/lib/MailScanner/sophos-autoupdate

--Tim

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Rodel P. Hipolito
Sent: Wednesday, January 01, 2003 22:50
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: updating sophos

Hi Guys,

How will I update the virus dat of sophos automatically?

Thanks a lot!!!

From pg at NEWHONEST.COM Thu Jan 2 08:08:04 2003
From: pg at NEWHONEST.COM (pg)
Date: Thu Jan 12 21:16:48 2006
Subject: Error installing Version 3.27
References: <5.2.0.9.2.20030101113005.02098d90@imap.ecs.soton.ac.uk> <001d01c2b208$22bba300$2101a8c0@jasonnb> <1041475244.9856.11.camel@ra.thethompsonhouse.com>
Message-ID: <002d01c2b236$17d7ec40$0301a8c0@jasonnb>

I re-downloaded, but the result is exactly the same. I attach the full message as following :

[xxxx]# rpm -Uvh mailscanner-3.27-1.i386.rpm
Preparing... ########################################### [100%]
 1:mailscanner warning: /usr/local/MailScanner/etc/viruses.to.delete.conf created as /usr/local/MailScanner/etc/viruses.to.delete.conf.rpmnew
error: unpacking of archive failed on file /var/spool/mqueue.in: cpio: rename failed - Is a directory

-Jason

----- Original Message -----
From: "Robert A. Thompson"
To:
Sent: Thursday, January 02, 2003 10:40 AM
Subject: Re: ANNOUNCE: Version 3.27 and 4.11

> re-download the rpm. sounds like you have a bad rpm. Might try a
> md5sum to check the file. I assume the md5sums are on the website.
>
> --rat
>
> On Wed, 2003-01-01 at 20:39, pg wrote:
> > I'm using Redhat 7.2. I tried to upgrade to 3.27 from 3.26 but the following
> > error message appeared :
> >
> > error: unpacking of archive failed on file /var/spool/mqueue.in: cpio:
> > rename failed - Is a directory
> >
> > -Jason

From mailscanner at ecs.soton.ac.uk Thu Jan 2 09:34:53 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:48 2006
Subject: updating sophos
In-Reply-To: <000201c2b212$6ce90080$0200a8c0@keeper>
References:
Message-ID: <5.2.0.9.2.20030102093408.03c2b7c0@imap.ecs.soton.ac.uk>

At 03:52 02/01/2003, you wrote:
>Sophos should auto-update every night at ~4AM.
>
>The script that is executed is /usr/lib/MailScanner/sophos-autoupdate

The new "update_virus_scanners" script (in /etc/cron.hourly) will automatically trigger updates of all installed virus scanners once per hour.

>--Tim
>
>-----Original Message-----
>From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf
>Of Rodel P. Hipolito
>Sent: Wednesday, January 01, 2003 22:50
>To: MAILSCANNER@JISCMAIL.AC.UK
>Subject: updating sophos
>
>
>Hi Guys,
>
> How will I update the virus dat of sophos automatically?
>
>Thanks a lot!!!

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Thu Jan 2 09:36:27 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:48 2006
Subject: Error installing Version 3.27
In-Reply-To: <002d01c2b236$17d7ec40$0301a8c0@jasonnb>
References: <5.2.0.9.2.20030101113005.02098d90@imap.ecs.soton.ac.uk> <001d01c2b208$22bba300$2101a8c0@jasonnb> <1041475244.9856.11.camel@ra.thethompsonhouse.com>
Message-ID: <5.2.0.9.2.20030102093524.03d8e228@imap.ecs.soton.ac.uk>

This looks like a download problem, but you are the 2nd person to have the same problem. Can anyone confirm that the RPM for 3.27 actually does work on somebody's system, or do I need to rebuild it?

At 08:08 02/01/2003, you wrote:
>I re-downloaded, but the result is exactly the same. I attach the full
>message as following :
>
>[xxxx]# rpm -Uvh mailscanner-3.27-1.i386.rpm
>Preparing... ########################################### [100%]
> 1:mailscanner warning: /usr/local/MailScanner/etc/viruses.to.delete.conf created as /usr/local/MailScanner/etc/viruses.to.delete.conf.rpmnew
>error: unpacking of archive failed on file /var/spool/mqueue.in: cpio: rename failed - Is a directory
>
>-Jason
>
>----- Original Message -----
>From: "Robert A. Thompson"
>To:
>Sent: Thursday, January 02, 2003 10:40 AM
>Subject: Re: ANNOUNCE: Version 3.27 and 4.11
>
>
> > re-download the rpm. sounds like you have a bad rpm. Might try a
> > md5sum to check the file. I assume the md5sums are on the website.
> >
> > --rat
> >
> > On Wed, 2003-01-01 at 20:39, pg wrote:
> > > I'm using Redhat 7.2. I tried to upgrade to 3.27 from 3.26 but the following
> > > error message appeared :
> > >
> > > error: unpacking of archive failed on file /var/spool/mqueue.in: cpio:
> > > rename failed - Is a directory
> > >
> > > -Jason
> > >
> > > ----- Original Message -----
> > > From: "Julian Field"
> > > To:
> > > Sent: Wednesday, January 01, 2003 7:48 PM
> > > Subject: ANNOUNCE: Version 3.27 and 4.11
> > >
> > >
> > > > Happy New Year everyone!
> > > >
> > > > I have just released updated versions of both V3 and V4.
> > > >
> > > > The only change for V3 is an important security fix, which you can easily
> > > > apply without upgrading if you don't want to. See the ChangeLog below for
> > > > details.
> > > >
> > > > There are many improvements and changes for V4. A few of them are:
> > > > - Security fix is included
> > > > - Modify Subject: line to show a message has been scanned
> > > > - Stop MailScanner replying to mailing lists that send it viruses
> > > > - Quarantine-cleaning script included
> > > > - Virus scanner update cron job replaced by global updater script
> > > > - Full installation instructions for FreeBSD
> > > > - Improved AntiVir, Sophos, F-Prot and F-Secure parsers
> > > >
> > > > Also, in the spirit of Perl tradition, there is now a MailScanner Poetry
> > > > page for all you closet bards out there. Contributions are most welcome :-)
> > > >
> > > > It can all be downloaded as usual from
> > > > www.mailscanner.info
> > > >
> > > >
> > > >
> > > >
> > > >
> > > > For completeness, here is the entry from the ChangeLog for V4.11:
> > > >
> > > > *Security*
> > > > - *** Important Security Fix ***
> > > >
> > > > You must edit the "sendmail -bd ..." command in your init script and add
> > > > -OPrivacyOptions=noetrn
> > > > as otherwise people could maliciously bypass MailScanner on servers that
> > > > are under heavy load.
> > > > It is *vital* that you protect yourself with this change.
> > > > However, please note there have been no reports at all of this problem
> > > > being actively exploited.
> > > > It is included in the init scripts that are part of the RPM
> > > > distributions, so RPM users just need to upgrade to the latest mailscanner*rpm.
> > > >
> > > > *New Features and Improvements*
> > > > - Added 2 more configuration options to modify the subject line whenever a
> > > > message is scanned (but no other subject line changes have happened) so it
> > > > is obvious to all that the message has been scanned. By default this will
> > > > (if enabled) add "{Scanned}" to the end of the Subject: line.
> > > > - Added "Never Notify Senders Of Precedence" configuration option so that
> > > > you can stop MailScanner replying to postings to mailing lists and other
> > > > bulk mail.
> > > > - A modified version of Steve Patterson's "clean.quarantine" script is
> > > > included as a daily cron job. It is disabled by default. Edit it to see how
> > > > to enable it. If you edit it, it will not be over-written by later upgrades
> > > > to MailScanner.
> > > > - Written an update_virus_scanners script which updates all installed
> > > > scanners. This is called hourly, as daily wasn't often enough and RedHat
> > > > don't offer anything between hourly and daily.
> > > > - Implemented full support for BSD with installation instructions based on
> > > > the tar distribution.
> > > > - Added Swedish translation of all reports.
> > > > - Added Spanish and Slovak translation of language strings.
> > > > - Added wrapper script for inoculan.
> > > > - Added an AntiVir autoupdate script.
> > > > - Improved AntiVir parser to handle new output format.
> > > > - Sophos parser improved to detect Sophos complaining about being given 1
> > > > part of a multi-part archive. Gets flagged as a virus.
> > > > - F-Prot and F-Secure parsers improved to handle unusual virus names >and > > > > quieter handling of archives containing infected files. > > > > - Added "$filename" variable expansion in sender warnings. Used it in >the > > > > English versions of the sender warnings. > > > > - Completely new daemonising code to fix problems with ssh sessions > > > > refusing to die. > > > > - Added "startin" and "startout" parameters to init.d scripts for >RedHat > > > > and SuSE. > > > > - Improved error reporting slightly in configuration compiler. > > > > - Spam logging now includes the recipient domains as well as the >sender. > > > > - Incoming Queue Dirs can now be a file listing directories which >include > > > > wildcards. > > > > - Added the message's subject line to the sender spam reports. > > > > - Added a "sleep 5" in between the stop and start in "restart" in the > > > > init.d script. > > > > - Creates quarantine directories as required. > > > > - Added link checking in code for finding incoming queue dirs. > > > > - Added note for McAfee users about avoiding symlinks with anything >even > > > > remotely connected to McAfee itself. > > > > - Added "Poetry" page to the web site for Nick's idle thoughts... > > > > > > > > *Fixes* > > > > - Fixed problem of orphaned queue files being left in incoming queue >when > > > > MailScanner child processes are killed half-way through clearing a > > > message. > > > > - Fixed file locking code in Config.pm so Exim users do not have to >have > > > > the config files owned by exim.exim instead of root.root. > > > > - Fixed Exim missing-characters-from-start-of-message bug. > > > > - Fixed SpamAssassin "timeout 260 of 20" counter bug. > > > > - Fixed EximDiskStore file locking bug. > > > > - Fixed bug where unscanned messages are not properly archived if not > > > > archiving as raw queue files. > > > > - Fixed bug stopping Exim collecting large message batches. 
> > > > - Changed default virus scanner from "sophos" to "none".
> > > > --
> > > > Julian Field
> > > > www.MailScanner.info
> > > > MailScanner thanks transtec Computers for their support
> > > >
> >

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From zhangm at R3.SANYOSHK.COM Thu Jan 2 10:15:30 2003
From: zhangm at R3.SANYOSHK.COM (Zhang Ming(r3))
Date: Thu Jan 12 21:16:48 2006
Subject: Error installing Version 3.27
References: <5.2.0.9.2.20030101113005.02098d90@imap.ecs.soton.ac.uk> <001d01c2b208$22bba300$2101a8c0@jasonnb> <1041475244.9856.11.camel@ra.thethompsonhouse.com> <5.2.0.9.2.20030102093524.03d8e228@imap.ecs.soton.ac.uk>
Message-ID: <057401c2b247$e1beb870$a4031bac@mis1n>

Dear Mr.Julian,

Just tested in my system, same error occurred.

for you inf.

B.R.

# rpm -Uvh mailscanner-3.27-1.i386.rpm
Preparing... ###########################################
[100%]
 1:mailscanner error: unpacking of archive failed on file
/var/spoo
l/mqueue.in: cpio: rename failed - Is a directory

----- Original Message -----
From: "Julian Field"
To:
Sent: Thursday, January 02, 2003 5:36 PM
Subject: Re: Error installing Version 3.27

> This looks like a download problem, but you are the 2nd person to have the
> same problem.
>
> Can anyone confirm that the RPM for 3.27 actually does work on somebody's
> system, or do I need to rebuild it?
>
> At 08:08 02/01/2003, you wrote:
> >I re-downloaded, but the result is exactly the same. I attach the full
> >message as following :
> >
> >[xxxx]# rpm -Uvh mailscanner-3.27-1.i386.rpm
> >Preparing... ###########################################
> >[100%]
> > 1:mailscanner warning:
> >/usr/local/MailScanner/etc/viruses.to.delete.conf created as
> >/usr/local/MailScanner/etc/viruses.to.delete.conf.rpmnew
> >error: unpacking of archive failed on file /var/spool/mqueue.in: cpio:
> >rename failed - Is a directory
> >
> >-Jason
> >
> >----- Original Message -----
> >From: "Robert A.
Thompson" > >To: > >Sent: Thursday, January 02, 2003 10:40 AM > >Subject: Re: ANNOUNCE: Version 3.27 and 4.11 > > > > > > > re-download the rpm. sounds like you have a bad rpm. Might try a > > > md5sum to check the file. I assume the md5sums are on the website. > > > > > > --rat > > > > > > On Wed, 2003-01-01 at 20:39, pg wrote: > > > > I'm using Redhat 7.2. I tried to upgrade to 3.27 from 3.26 but the > >following > > > > error message appeared : > > > > > > > > error: unpacking of archive failed on file /var/spool/mqueue.in: cpio: > > > > rename failed - Is a directory > > > > > > > > -Jason > > > > > > > > ----- Original Message ----- > > > > From: "Julian Field" > > > > To: > > > > Sent: Wednesday, January 01, 2003 7:48 PM > > > > Subject: ANNOUNCE: Version 3.27 and 4.11 > > > > > > > > > > > > > Happy New Year everyone! > > > > > > > > > > I have just released updated versions of both V3 and V4. > > > > > > > > > > The only change for V3 is an important security fix, which you can > >easily > > > > > apply without upgrading if you don't want to. See the ChangeLog below > >for > > > > > details. > > > > > > > > > > There are many improvements and changes for V4. A few of them are: > > > > > - Security fix is included > > > > > - Modify Subject: line to show a message has been scanned > > > > > - Stop MailScanner replying to mailing lists that send it viruses > > > > > - Quarantine-cleaning script included > > > > > - Virus scanner update cron job replaced by global updater script > > > > > - Full installation instructions for FreeBSD > > > > > - Improved AntiVir, Sophos, F-Prot and F-Secure parsers > > > > > > > > > > Also, in the spirit of Perl tradition, there is now a MailScanner > >Poetry > > > > > page for all you closet bards out there. 
Contributions are most > >welcome > > > > :-) > > > > > > > > > > It can all be downloaded as usual from > > > > > www.mailscanner.info > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > For completeness, here is the entry from the ChangeLog for V4.11: > > > > > > > > > > *Security* > > > > > - *** Important Security Fix *** > > > > > > > > > > You must edit the "sendmail -bd ..." command in your init script > >and > > > > add > > > > > -OPrivacyOptions=noetrn > > > > > as otherwise people could maliciously bypass MailScanner on servers > > > > that > > > > > are under heavy load. > > > > > It is *vital* that you protect yourself with this change. > > > > > However, please note there have been no reports at all of this > >problem > > > > > being actively exploited. > > > > > It is included in the init scripts that are part of the RPM > > > > > distributions, so RPM users just need to upgrade to the latest > > > > mailscanner*rpm. > > > > > > > > > > *New Features and Improvements* > > > > > - Added 2 more configuration options to modify the subject line > >whenever a > > > > > message is scanned (but no other subject line changes have happened) > >so it > > > > > is obvious to all that the message has been scanned. By default this > >will > > > > > (if enabled) add "{Scanned}" to the end of the Subject: line. > > > > > - Added "Never Notify Senders Of Precedence" configuration option so > >that > > > > > you can stop MailScanner replying to postings to mailing lists and > >other > > > > > bulk mail. > > > > > - A modified version of Steve Patterson's "clean.quarantine" script is > > > > > included as a daily cron job. It is disabled by default. Edit it to > >see > > > > how > > > > > to enable it. If you edit it, it will not be over-written by later > > > > upgrades > > > > > to MailScanner. > > > > > - Written an update_virus_scanners script which updates all installed > > > > > scanners. 
This is called hourly, as daily wasn't often enough and > >RedHat > > > > > don't offer anything between hourly and daily. > > > > > - Implemented full support for BSD with installation instructions > >based on > > > > > the tar distribution. > > > > > - Added Swedish translation of all reports. > > > > > - Added Spanish and Slovak translation of language strings. > > > > > - Added wrapper script for inoculan. > > > > > - Added an AntiVir autoupdate script. > > > > > - Improved AntiVir parser to handle new output format. > > > > > - Sophos parser improved to detect Sophos complaining about being > >given 1 > > > > > part of a multi-part archive. Gets flagged as a virus. > > > > > - F-Prot and F-Secure parsers improved to handle unusual virus names > >and > > > > > quieter handling of archives containing infected files. > > > > > - Added "$filename" variable expansion in sender warnings. Used it in > >the > > > > > English versions of the sender warnings. > > > > > - Completely new daemonising code to fix problems with ssh sessions > > > > > refusing to die. > > > > > - Added "startin" and "startout" parameters to init.d scripts for > >RedHat > > > > > and SuSE. > > > > > - Improved error reporting slightly in configuration compiler. > > > > > - Spam logging now includes the recipient domains as well as the > >sender. > > > > > - Incoming Queue Dirs can now be a file listing directories which > >include > > > > > wildcards. > > > > > - Added the message's subject line to the sender spam reports. > > > > > - Added a "sleep 5" in between the stop and start in "restart" in the > > > > > init.d script. > > > > > - Creates quarantine directories as required. > > > > > - Added link checking in code for finding incoming queue dirs. > > > > > - Added note for McAfee users about avoiding symlinks with anything > >even > > > > > remotely connected to McAfee itself. > > > > > - Added "Poetry" page to the web site for Nick's idle thoughts... 
> > > > >
> > > > > *Fixes*
> > > > > - Fixed problem of orphaned queue files being left in incoming queue
> >when
> > > > > MailScanner child processes are killed half-way through clearing a
> > > > message.
> > > > > - Fixed file locking code in Config.pm so Exim users do not have to
> >have
> > > > > the config files owned by exim.exim instead of root.root.
> > > > > - Fixed Exim missing-characters-from-start-of-message bug.
> > > > > - Fixed SpamAssassin "timeout 260 of 20" counter bug.
> > > > > - Fixed EximDiskStore file locking bug.
> > > > > - Fixed bug where unscanned messages are not properly archived if not
> > > > > archiving as raw queue files.
> > > > > - Fixed bug stopping Exim collecting large message batches.
> > > > > - Changed default virus scanner from "sophos" to "none".
> > > > > --
> > > > > Julian Field
> > > > > www.MailScanner.info
> > > > > MailScanner thanks transtec Computers for their support
> > > > >
> > >
>
> --
> Julian Field
> www.MailScanner.info
> MailScanner thanks transtec Computers for their support
>

From raymond at PROLOCATION.NET Thu Jan 2 10:19:38 2003
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:16:48 2006
Subject: Error installing Version 3.27
In-Reply-To: <057401c2b247$e1beb870$a4031bac@mis1n>
Message-ID:

Hi!

If you stop mailscanner, remove that directory and then run the install? (quick and dirty)

On Thu, 2 Jan 2003, Zhang Ming(r3) wrote:

> Dear Mr.Julian,
>
> Just tested in my system, same error occurred.
>
> for you inf.
>
> B.R.
>
> # rpm -Uvh mailscanner-3.27-1.i386.rpm
> Preparing...
########################################### > [100%] > 1:mailscanner error: unpacking of archive failed on file > /var/spoo > l/mqueue.in: cpio: rename failed - Is a directory > > > > ----- Original Message ----- > From: "Julian Field" > To: > Sent: Thursday, January 02, 2003 5:36 PM > Subject: Re: Error installing Version 3.27 > > > > This looks like a download problem, but you are the 2nd person to have the > > same problem. > > > > Can anyone confirm that the RPM for 3.27 actually does work on somebody's > > system, or do I need to rebuild it? > > > > At 08:08 02/01/2003, you wrote: > > >I re-downloaded, but the result is exactly the same. I attach the full > > >message as following : > > > > > >[xxxx]# rpm -Uvh mailscanner-3.27-1.i386.rpm > > >Preparing... ########################################### > > >[100%] > > > 1:mailscanner warning: > > >/usr/local/MailScanner/etc/viruses.to.delete.conf created as > > >/usr/local/MailScanner/etc/viruses.to.delete.conf.rpmnew > > >error: unpacking of archive failed on file /var/spool/mqueue.in: cpio: > > >rename failed - Is a directory > > > > > >-Jason > > > > > >----- Original Message ----- > > >From: "Robert A. Thompson" > > >To: > > >Sent: Thursday, January 02, 2003 10:40 AM > > >Subject: Re: ANNOUNCE: Version 3.27 and 4.11 > > > > > > > > > > re-download the rpm. sounds like you have a bad rpm. Might try a > > > > md5sum to check the file. I assume the md5sums are on the website. > > > > > > > > --rat > > > > > > > > On Wed, 2003-01-01 at 20:39, pg wrote: > > > > > I'm using Redhat 7.2. 
I tried to upgrade to 3.27 from 3.26 but the > > >following > > > > > error message appeared : > > > > > > > > > > error: unpacking of archive failed on file /var/spool/mqueue.in: > cpio: > > > > > rename failed - Is a directory > > > > > > > > > > -Jason > > > > > > > > > > ----- Original Message ----- > > > > > From: "Julian Field" > > > > > To: > > > > > Sent: Wednesday, January 01, 2003 7:48 PM > > > > > Subject: ANNOUNCE: Version 3.27 and 4.11 > > > > > > > > > > > > > > > > Happy New Year everyone! > > > > > > > > > > > > I have just released updated versions of both V3 and V4. > > > > > > > > > > > > The only change for V3 is an important security fix, which you can > > >easily > > > > > > apply without upgrading if you don't want to. See the ChangeLog > below > > >for > > > > > > details. > > > > > > > > > > > > There are many improvements and changes for V4. A few of them are: > > > > > > - Security fix is included > > > > > > - Modify Subject: line to show a message has been scanned > > > > > > - Stop MailScanner replying to mailing lists that send it viruses > > > > > > - Quarantine-cleaning script included > > > > > > - Virus scanner update cron job replaced by global updater script > > > > > > - Full installation instructions for FreeBSD > > > > > > - Improved AntiVir, Sophos, F-Prot and F-Secure parsers > > > > > > > > > > > > Also, in the spirit of Perl tradition, there is now a MailScanner > > >Poetry > > > > > > page for all you closet bards out there. Contributions are most > > >welcome > > > > > :-) > > > > > > > > > > > > It can all be downloaded as usual from > > > > > > www.mailscanner.info > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > For completeness, here is the entry from the ChangeLog for V4.11: > > > > > > > > > > > > *Security* > > > > > > - *** Important Security Fix *** > > > > > > > > > > > > You must edit the "sendmail -bd ..." 
command in your init > script > > >and > > > > > add > > > > > > -OPrivacyOptions=noetrn > > > > > > as otherwise people could maliciously bypass MailScanner on > servers > > > > > that > > > > > > are under heavy load. > > > > > > It is *vital* that you protect yourself with this change. > > > > > > However, please note there have been no reports at all of this > > >problem > > > > > > being actively exploited. > > > > > > It is included in the init scripts that are part of the RPM > > > > > > distributions, so RPM users just need to upgrade to the latest > > > > > mailscanner*rpm. > > > > > > > > > > > > *New Features and Improvements* > > > > > > - Added 2 more configuration options to modify the subject line > > >whenever a > > > > > > message is scanned (but no other subject line changes have > happened) > > >so it > > > > > > is obvious to all that the message has been scanned. By default > this > > >will > > > > > > (if enabled) add "{Scanned}" to the end of the Subject: line. > > > > > > - Added "Never Notify Senders Of Precedence" configuration option > so > > >that > > > > > > you can stop MailScanner replying to postings to mailing lists and > > >other > > > > > > bulk mail. > > > > > > - A modified version of Steve Patterson's "clean.quarantine" > script is > > > > > > included as a daily cron job. It is disabled by default. Edit it > to > > >see > > > > > how > > > > > > to enable it. If you edit it, it will not be over-written by later > > > > > upgrades > > > > > > to MailScanner. > > > > > > - Written an update_virus_scanners script which updates all > installed > > > > > > scanners. This is called hourly, as daily wasn't often enough and > > >RedHat > > > > > > don't offer anything between hourly and daily. > > > > > > - Implemented full support for BSD with installation instructions > > >based on > > > > > > the tar distribution. > > > > > > - Added Swedish translation of all reports. 
> > > > > > - Added Spanish and Slovak translation of language strings. > > > > > > - Added wrapper script for inoculan. > > > > > > - Added an AntiVir autoupdate script. > > > > > > - Improved AntiVir parser to handle new output format. > > > > > > - Sophos parser improved to detect Sophos complaining about being > > >given 1 > > > > > > part of a multi-part archive. Gets flagged as a virus. > > > > > > - F-Prot and F-Secure parsers improved to handle unusual virus > names > > >and > > > > > > quieter handling of archives containing infected files. > > > > > > - Added "$filename" variable expansion in sender warnings. Used it > in > > >the > > > > > > English versions of the sender warnings. > > > > > > - Completely new daemonising code to fix problems with ssh > sessions > > > > > > refusing to die. > > > > > > - Added "startin" and "startout" parameters to init.d scripts for > > >RedHat > > > > > > and SuSE. > > > > > > - Improved error reporting slightly in configuration compiler. > > > > > > - Spam logging now includes the recipient domains as well as the > > >sender. > > > > > > - Incoming Queue Dirs can now be a file listing directories which > > >include > > > > > > wildcards. > > > > > > - Added the message's subject line to the sender spam reports. > > > > > > - Added a "sleep 5" in between the stop and start in "restart" in > the > > > > > > init.d script. > > > > > > - Creates quarantine directories as required. > > > > > > - Added link checking in code for finding incoming queue dirs. > > > > > > - Added note for McAfee users about avoiding symlinks with > anything > > >even > > > > > > remotely connected to McAfee itself. > > > > > > - Added "Poetry" page to the web site for Nick's idle thoughts... > > > > > > > > > > > > *Fixes* > > > > > > - Fixed problem of orphaned queue files being left in incoming > queue > > >when > > > > > > MailScanner child processes are killed half-way through clearing a > > > > > message. 
> > > > > > - Fixed file locking code in Config.pm so Exim users do not have
> to
> > >have
> > > > > > the config files owned by exim.exim instead of root.root.
> > > > > > - Fixed Exim missing-characters-from-start-of-message bug.
> > > > > > - Fixed SpamAssassin "timeout 260 of 20" counter bug.
> > > > > > - Fixed EximDiskStore file locking bug.
> > > > > > - Fixed bug where unscanned messages are not properly archived if
> not
> > > > > > archiving as raw queue files.
> > > > > > - Fixed bug stopping Exim collecting large message batches.
> > > > > > - Changed default virus scanner from "sophos" to "none".
> > > > > > --
> > > > > > Julian Field
> > > > > > www.MailScanner.info
> > > > > > MailScanner thanks transtec Computers for their support
> > > > > >
> > > >
> >
> > --
> > Julian Field
> > www.MailScanner.info
> > MailScanner thanks transtec Computers for their support
> >
>

From mailscanner at ecs.soton.ac.uk Thu Jan 2 10:21:35 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:48 2006
Subject: Error installing Version 3.27
In-Reply-To: <057401c2b247$e1beb870$a4031bac@mis1n>
References: <5.2.0.9.2.20030101113005.02098d90@imap.ecs.soton.ac.uk> <001d01c2b208$22bba300$2101a8c0@jasonnb> <1041475244.9856.11.camel@ra.thethompsonhouse.com> <5.2.0.9.2.20030102093524.03d8e228@imap.ecs.soton.ac.uk>
Message-ID: <5.2.0.9.2.20030102101835.03aa5330@imap.ecs.soton.ac.uk>

I have just rebuilt the RPM, can you try downloading and installing it again, to see if it is fixed now please?

At 10:15 02/01/2003, you wrote:
>Dear Mr.Julian,
>
>Just tested in my system, same error occurred.
>
>for you inf.
>
>B.R.
>
># rpm -Uvh mailscanner-3.27-1.i386.rpm
>Preparing...
########################################### >[100%] > 1:mailscanner error: unpacking of archive failed on file >/var/spoo >l/mqueue.in: cpio: rename failed - Is a directory > > > >----- Original Message ----- >From: "Julian Field" >To: >Sent: Thursday, January 02, 2003 5:36 PM >Subject: Re: Error installing Version 3.27 > > > > This looks like a download problem, but you are the 2nd person to have the > > same problem. > > > > Can anyone confirm that the RPM for 3.27 actually does work on somebody's > > system, or do I need to rebuild it? > > > > At 08:08 02/01/2003, you wrote: > > >I re-downloaded, but the result is exactly the same. I attach the full > > >message as following : > > > > > >[xxxx]# rpm -Uvh mailscanner-3.27-1.i386.rpm > > >Preparing... ########################################### > > >[100%] > > > 1:mailscanner warning: > > >/usr/local/MailScanner/etc/viruses.to.delete.conf created as > > >/usr/local/MailScanner/etc/viruses.to.delete.conf.rpmnew > > >error: unpacking of archive failed on file /var/spool/mqueue.in: cpio: > > >rename failed - Is a directory > > > > > >-Jason > > > > > >----- Original Message ----- > > >From: "Robert A. Thompson" > > >To: > > >Sent: Thursday, January 02, 2003 10:40 AM > > >Subject: Re: ANNOUNCE: Version 3.27 and 4.11 > > > > > > > > > > re-download the rpm. sounds like you have a bad rpm. Might try a > > > > md5sum to check the file. I assume the md5sums are on the website. > > > > > > > > --rat > > > > > > > > On Wed, 2003-01-01 at 20:39, pg wrote: > > > > > I'm using Redhat 7.2. 
I tried to upgrade to 3.27 from 3.26 but the > > >following > > > > > error message appeared : > > > > > > > > > > error: unpacking of archive failed on file /var/spool/mqueue.in: >cpio: > > > > > rename failed - Is a directory > > > > > > > > > > -Jason > > > > > > > > > > ----- Original Message ----- > > > > > From: "Julian Field" > > > > > To: > > > > > Sent: Wednesday, January 01, 2003 7:48 PM > > > > > Subject: ANNOUNCE: Version 3.27 and 4.11 > > > > > > > > > > > > > > > > Happy New Year everyone! > > > > > > > > > > > > I have just released updated versions of both V3 and V4. > > > > > > > > > > > > The only change for V3 is an important security fix, which you can > > >easily > > > > > > apply without upgrading if you don't want to. See the ChangeLog >below > > >for > > > > > > details. > > > > > > > > > > > > There are many improvements and changes for V4. A few of them are: > > > > > > - Security fix is included > > > > > > - Modify Subject: line to show a message has been scanned > > > > > > - Stop MailScanner replying to mailing lists that send it viruses > > > > > > - Quarantine-cleaning script included > > > > > > - Virus scanner update cron job replaced by global updater script > > > > > > - Full installation instructions for FreeBSD > > > > > > - Improved AntiVir, Sophos, F-Prot and F-Secure parsers > > > > > > > > > > > > Also, in the spirit of Perl tradition, there is now a MailScanner > > >Poetry > > > > > > page for all you closet bards out there. Contributions are most > > >welcome > > > > > :-) > > > > > > > > > > > > It can all be downloaded as usual from > > > > > > www.mailscanner.info > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > For completeness, here is the entry from the ChangeLog for V4.11: > > > > > > > > > > > > *Security* > > > > > > - *** Important Security Fix *** > > > > > > > > > > > > You must edit the "sendmail -bd ..." 
command in your init >script > > >and > > > > > add > > > > > > -OPrivacyOptions=noetrn > > > > > > as otherwise people could maliciously bypass MailScanner on >servers > > > > > that > > > > > > are under heavy load. > > > > > > It is *vital* that you protect yourself with this change. > > > > > > However, please note there have been no reports at all of this > > >problem > > > > > > being actively exploited. > > > > > > It is included in the init scripts that are part of the RPM > > > > > > distributions, so RPM users just need to upgrade to the latest > > > > > mailscanner*rpm. > > > > > > > > > > > > *New Features and Improvements* > > > > > > - Added 2 more configuration options to modify the subject line > > >whenever a > > > > > > message is scanned (but no other subject line changes have >happened) > > >so it > > > > > > is obvious to all that the message has been scanned. By default >this > > >will > > > > > > (if enabled) add "{Scanned}" to the end of the Subject: line. > > > > > > - Added "Never Notify Senders Of Precedence" configuration option >so > > >that > > > > > > you can stop MailScanner replying to postings to mailing lists and > > >other > > > > > > bulk mail. > > > > > > - A modified version of Steve Patterson's "clean.quarantine" >script is > > > > > > included as a daily cron job. It is disabled by default. Edit it >to > > >see > > > > > how > > > > > > to enable it. If you edit it, it will not be over-written by later > > > > > upgrades > > > > > > to MailScanner. > > > > > > - Written an update_virus_scanners script which updates all >installed > > > > > > scanners. This is called hourly, as daily wasn't often enough and > > >RedHat > > > > > > don't offer anything between hourly and daily. > > > > > > - Implemented full support for BSD with installation instructions > > >based on > > > > > > the tar distribution. > > > > > > - Added Swedish translation of all reports. > > > > > > - Added Spanish and Slovak translation of language strings. 
> > > > > > - Added wrapper script for inoculan. > > > > > > - Added an AntiVir autoupdate script. > > > > > > - Improved AntiVir parser to handle new output format. > > > > > > - Sophos parser improved to detect Sophos complaining about being > > >given 1 > > > > > > part of a multi-part archive. Gets flagged as a virus. > > > > > > - F-Prot and F-Secure parsers improved to handle unusual virus >names > > >and > > > > > > quieter handling of archives containing infected files. > > > > > > - Added "$filename" variable expansion in sender warnings. Used it >in > > >the > > > > > > English versions of the sender warnings. > > > > > > - Completely new daemonising code to fix problems with ssh >sessions > > > > > > refusing to die. > > > > > > - Added "startin" and "startout" parameters to init.d scripts for > > >RedHat > > > > > > and SuSE. > > > > > > - Improved error reporting slightly in configuration compiler. > > > > > > - Spam logging now includes the recipient domains as well as the > > >sender. > > > > > > - Incoming Queue Dirs can now be a file listing directories which > > >include > > > > > > wildcards. > > > > > > - Added the message's subject line to the sender spam reports. > > > > > > - Added a "sleep 5" in between the stop and start in "restart" in >the > > > > > > init.d script. > > > > > > - Creates quarantine directories as required. > > > > > > - Added link checking in code for finding incoming queue dirs. > > > > > > - Added note for McAfee users about avoiding symlinks with >anything > > >even > > > > > > remotely connected to McAfee itself. > > > > > > - Added "Poetry" page to the web site for Nick's idle thoughts... > > > > > > > > > > > > *Fixes* > > > > > > - Fixed problem of orphaned queue files being left in incoming >queue > > >when > > > > > > MailScanner child processes are killed half-way through clearing a > > > > > message. 
> > > > > > - Fixed file locking code in Config.pm so Exim users do not have >to > > >have > > > > > > the config files owned by exim.exim instead of root.root. > > > > > > - Fixed Exim missing-characters-from-start-of-message bug. > > > > > > - Fixed SpamAssassin "timeout 260 of 20" counter bug. > > > > > > - Fixed EximDiskStore file locking bug. > > > > > > - Fixed bug where unscanned messages are not properly archived if >not > > > > > > archiving as raw queue files. > > > > > > - Fixed bug stopping Exim collecting large message batches. > > > > > > - Changed default virus scanner from "sophos" to "none". > > > > > > -- > > > > > > Julian Field > > > > > > www.MailScanner.info > > > > > > MailScanner thanks transtec Computers for their support > > > > > > > > > > > > > > -- > > Julian Field > > www.MailScanner.info > > MailScanner thanks transtec Computers for their support > > -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From clong at ALPHASYS.FR Thu Jan 2 11:36:05 2003 From: clong at ALPHASYS.FR (Christophe Long) Date: Thu Jan 12 21:16:48 2006 Subject: lock and mkdir problem with 4.11 Message-ID: <200301021236.05897.clong@alphasys.fr> I have installed the 4.11-1 from the tar ball archive, my system is a debian I have on it a perl 5.6.1 and sendmail 8.12.3 (-4) When I let MailScanner try to figure out which lock to use, it choses flock and I have ... Jan 2 03:00:40 halfdome mailscanner[21572]: MailScanner Jan 2 03:00:40 halfdome mailscanner[21572]: MailScanner E-Mail Virus Scanner version 4.11-1 starting... Jan 2 03:00:42 halfdome mailscanner[21572]: Using locktype = flock Jan 2 03:00:58 halfdome mailscanner[21572]: Could not open file >/var/spool/MailScanner/incoming/21572/h02B0Sv0021564.header: No such file or directory Jan 2 03:00:58 halfdome mailscanner[21572]: Cannot create + lock headers file /var/spool/MailScanner/incoming/21572/h02B0Sv0021564.header, When I switch to posix I have the same problem ... 
Any idea ?

--
Christophe Long
Technical Director - Alphasys
Phone: +33 1 64 61 83 50
Fax: +33 1 64 73 53 42

From S.R.Patterson at SOTON.AC.UK Thu Jan 2 11:53:21 2003
From: S.R.Patterson at SOTON.AC.UK (Patterson S.R.)
Date: Thu Jan 12 21:16:48 2006
Subject: lock and mkdir problem with 4.11
Message-ID:

> -----Original Message-----
> From: Christophe Long [mailto:clong@ALPHASYS.FR]
> Sent: 02 January 2003 11:36
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: lock and mkdir problem with 4.11
>
>
> I have installed the 4.11-1 from the tar ball archive, my
> system is a debian I have on it a perl 5.6.1 and sendmail 8.12.3 (-4)
>
> When I let MailScanner try to figure out which lock to use,
> it chooses flock and I have ...
>
> Jan 2 03:00:40 halfdome mailscanner[21572]: MailScanner
> Jan 2 03:00:40 halfdome mailscanner[21572]: MailScanner E-Mail Virus Scanner version 4.11-1 starting...
> Jan 2 03:00:42 halfdome mailscanner[21572]: Using locktype = flock
> Jan 2 03:00:58 halfdome mailscanner[21572]: Could not open file >/var/spool/MailScanner/incoming/21572/h02B0Sv0021564.header: No such file or directory
> Jan 2 03:00:58 halfdome mailscanner[21572]: Cannot create + lock headers file /var/spool/MailScanner/incoming/21572/h02B0Sv0021564.header,

Do you have a /var/spool/MailScanner/incoming directory? Or indeed a
/var/spool/MailScanner - beware the case sensitivity?

Is it writeable by whichever user MailScanner is running as? (Not
applicable if running as root)

Is there execute permission for the MailScanner running user or group
(not applicable if running as root) on every directory to that point,
i.e. on /, /var, /var/spool, /var/spool/MailScanner,
/var/spool/MailScanner/incoming ?

Steve

--
Steven Patterson MSci OCP.
Tel: +44 (0)2380 595810
Primary Information Services Support and Development
Information Systems Services, University of Southampton, UK.
Public PGP Key: http://www.bottleneck.org/pubkey.php

From clong at ALPHASYS.FR Thu Jan 2 12:29:37 2003
From: clong at ALPHASYS.FR (Christophe Long)
Date: Thu Jan 12 21:16:48 2006
Subject: lock and mkdir problem with 4.11
In-Reply-To:
References:
Message-ID: <200301021329.37872.clong@alphasys.fr>

it was more stupid than that, I make the migration from mailscanner 3 to 4
and I have stopped mailscanner 3 for that but have forgotten the script
check_mailscanner ...

Now it works !

Sorry ...

Christophe

--
Christophe Long
Technical Director - Alphasys
Phone: +33 1 64 61 83 50
Fax: +33 1 64 73 53 42

From alan at ESSEX.AC.UK Thu Jan 2 12:35:54 2003
From: alan at ESSEX.AC.UK (Stanier, Alan M)
Date: Thu Jan 12 21:16:48 2006
Subject: Problem updating Sophos with MailScanner 3.26-2
Message-ID: <32381F0D81B1544ABED4BE3284266B09024841@sernt4.essex.ac.uk>

I'm doing the regular updating of Sophos, and all goes well until the
Sophos.install script tries to fetch the latest IDEs. Then it says

Fetching latest IDE virus identities from www.sophos.com
Lynx failed with error return 1
, Bad file descriptor at /usr/local/Sophos/bin/autoupdate line 83.

What am I doing wrong?

--------
Alan Stanier
Essex University Information Systems Services
Systems Group

From Kevin.Spicer at BMRB.CO.UK Thu Jan 2 13:02:27 2003
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin)
Date: Thu Jan 12 21:16:48 2006
Subject: Problem updating Sophos with MailScanner 3.26-2
Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0A32BEE@pascal.priv.bmrb.co.uk>

> Fetching latest IDE virus identities from www.sophos.com
> Lynx failed with error return 1
> , Bad file descriptor at /usr/local/Sophos/bin/autoupdate line 83.
>
> What am I doing wrong?
>

You're not doing anything wrong, as such. You need to install the latest
version of Sophos. Sophos only provide IDES for versions less than three
months old. Grab the latest package from the website (then you get 3 months
rather than 2 months from the CD version).

From alan at ESSEX.AC.UK Thu Jan 2 13:28:24 2003
From: alan at ESSEX.AC.UK (Stanier, Alan M)
Date: Thu Jan 12 21:16:48 2006
Subject: Problem updating Sophos with MailScanner 3.26-2
Message-ID: <32381F0D81B1544ABED4BE3284266B09024842@sernt4.essex.ac.uk>

> You're not doing anything wrong, as such. You need to
> install the latest version of Sophos. Sophos only provide
> IDES for versions less than three months old. Grab the latest
> package from the website (then you get 3 months rather than 2
> months from the CD version).
>

Thanks for that. But that is what I thought I had done ... I
obtained the latest version of linux.intel.libc6.tar.Z, put it
on /tmp, then

cd /tmp
/usr/local/MailScanner/bin/Sophos.install

It was at the end of that that I got the warning about
File Descriptors.

I believed that to install the latest version of Sophos: was
I wrong?

From Kevin.Spicer at BMRB.CO.UK Thu Jan 2 13:44:41 2003
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin)
Date: Thu Jan 12 21:16:48 2006
Subject: Problem updating Sophos with MailScanner 3.26-2
Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0A32BEF@pascal.priv.bmrb.co.uk>

Check you have the right version...

LD_LIBRARY_PATH=/usr/local/Sophos/lib
export LD_LIBRARY_PATH
/usr/local/Sophos/bin/sweep --version

I get v. 3.64 (I think 3.65 is latest, so you should have 3.63, 3.64 or
3.65)

From pg at NEWHONEST.COM Thu Jan 2 14:52:44 2003
From: pg at NEWHONEST.COM (pg)
Date: Thu Jan 12 21:16:48 2006
Subject: Error installing Version 3.27
References: <5.2.0.9.2.20030101113005.02098d90@imap.ecs.soton.ac.uk> <001d01c2b208$22bba300$2101a8c0@jasonnb> <1041475244.9856.11.camel@ra.thethompsonhouse.com> <5.2.0.9.2.20030102093524.03d8e228@imap.ecs.soton.ac.uk> <5.2.0.9.2.20030102101835.03aa5330@imap.ecs.soton.ac.uk>
Message-ID: <001f01c2b26e$9f0d7080$0301a8c0@jasonnb>

The new rpm of mailscanner is working great now. Thank you!

-Jason

----- Original Message -----
From: "Julian Field"
To:
Sent: Thursday, January 02, 2003 6:21 PM
Subject: Re: Error installing Version 3.27

> I have just rebuilt the RPM, can you try downloading and installing it
> again, to see if it is fixed now please?
>
> At 10:15 02/01/2003, you wrote:
> >Dear Mr.Julian,
> >
> >Just tested in my system, same error occurred.
> >
> >for you inf.
> >
> >B.R.
> >
> ># rpm -Uvh mailscanner-3.27-1.i386.rpm
> >Preparing... ########################################### [100%]
> > 1:mailscanner error: unpacking of archive failed on file /var/spool/mqueue.in: cpio: rename failed - Is a directory
> >
> >
> >
> >----- Original Message -----
> >From: "Julian Field"
> >To:
> >Sent: Thursday, January 02, 2003 5:36 PM
> >Subject: Re: Error installing Version 3.27
> >
> >
> > > This looks like a download problem, but you are the 2nd person to have the
> > > same problem.
> > >
> > > Can anyone confirm that the RPM for 3.27 actually does work on somebody's
> > > system, or do I need to rebuild it?
> > >
> > > At 08:08 02/01/2003, you wrote:
> > > >I re-downloaded, but the result is exactly the same. I attach the full
> > > >message as following :
> > > >
> > > >[xxxx]# rpm -Uvh mailscanner-3.27-1.i386.rpm
> > > >Preparing... ########################################### [100%]
> > > > 1:mailscanner warning: /usr/local/MailScanner/etc/viruses.to.delete.conf created as /usr/local/MailScanner/etc/viruses.to.delete.conf.rpmnew
> > > >error: unpacking of archive failed on file /var/spool/mqueue.in: cpio: rename failed - Is a directory
> > > >
> > > >-Jason
> > > >
> > > >----- Original Message -----
> > > >From: "Robert A. Thompson"
> > > >To:
> > > >Sent: Thursday, January 02, 2003 10:40 AM
> > > >Subject: Re: ANNOUNCE: Version 3.27 and 4.11
> > > >
> > > >
> > > > > re-download the rpm. sounds like you have a bad rpm. Might try a
> > > > > md5sum to check the file. I assume the md5sums are on the website.
> > > > >
> > > > > --rat
> > > > >
> > > > > On Wed, 2003-01-01 at 20:39, pg wrote:
> > > > > > I'm using Redhat 7.2. I tried to upgrade to 3.27 from 3.26 but the following
> > > > > > error message appeared :
> > > > > >
> > > > > > error: unpacking of archive failed on file /var/spool/mqueue.in: cpio:
> > > > > > rename failed - Is a directory
> > > > > >
> > > > > > -Jason
> > >
> > > --
> > > Julian Field
> > > www.MailScanner.info
> > > MailScanner thanks transtec Computers for their support
> > >
>
> --
> Julian Field
> www.MailScanner.info
> MailScanner thanks transtec Computers for their support
>

From mailscanner at ecs.soton.ac.uk Thu Jan 2 15:28:43 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:48 2006
Subject: Storing incoming work dir on ramdisk
In-Reply-To:
References: <5.2.0.9.2.20030101194245.02fa8ff0@imap.ecs.soton.ac.uk>
Message-ID: <5.2.0.9.2.20030102152450.03e43088@imap.ecs.soton.ac.uk>

At 20:37 01/01/2003, you wrote:
>On Wed, 1 Jan 2003, Julian Field wrote:
> > I've just done an experiment on my biggest server (thank you Transtec!).
> >
> > I am ignoring incoming SMTP traffic load for now, as I have yet to find
> > enough machines to feed it SMTP traffic at 1.5 million messages per day.
> >
> > Using disk-based directories for
> >          mqueue.in
> >          mqueue
> >          MailScanner/incoming
> > using Exim
> > I can process about 1.1 million messages per day, using Sophos,
> > SpamAssassin and the default RBL lists.
> >
> > With tmpfs-based directories for
> >          MailScanner/incoming
> > this jumps to about 1.4 million messages per day, using the same settings.
> > This is perfectly safe as the MailScanner/incoming directory is wiped at
> > startup anyway, and no messages can be lost by power-outs.
> >
> > With tmpfs-based directories for
> >          mqueue.in
> >          mqueue
> >          MailScanner/incoming
> > this increases to about 1.5 million messages per day, using the same
> > settings. This is not safe as the mqueue.in and mqueue would be lost on
> > power-outs.
> >
> > So if you have the RAM to throw at it, and plenty of CPU horse-power to
> > make use of it, you can increase your message throughput by roughly 30% by
> > moving the MailScanner/incoming directory onto a tmpfs filesystem held in RAM.
> >
> > But if you run out of RAM and start swapping a lot, the performance will
> > drop quickly.
> >
> > Tests done on a Transtec 2600 Workgroup Server, 2 x 2.4GHz/Xeon with 2Gb
> > RAM, 15000rpm SCSI disk, 15 child processes.
> > --
> > Julian Field
> > www.MailScanner.info
> > MailScanner thanks transtec Computers for their support
>
>Those are pretty impressive numbers! I noticed that you're testing with
>Exim instead of sendmail. Do you think there would be much difference if
>you used sendmail?

Sorry for the delay, I have been pumping a few hundred thousand email
messages through my server to find the timings.

Sendmail is working a *lot* slower than Exim. All outgoing mail is pumped
to a dual-CPU 1GHz P3 machine which is running a very simple SMTP "sink"
that throws away everything it is sent, but speaks just enough SMTP to make
the clients think they are talking to a real SMTP server.

With sendmail, the stats are these:
Sendmail, all directories on disk, 387300 per day.
Sendmail, incoming+quarantine on tmpfs, 10:18:29-11:23:21, 444000 per day.
Sendmail, all on tmpfs, 453000 per day.

So with sendmail it isn't worth the bother as the overhead of just sending
the SMTP traffic is so high.

Interesting that Exim manages to do the same job in about 1/3 of the time!
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From jaearick at COLBY.EDU Thu Jan 2 15:41:17 2003
From: jaearick at COLBY.EDU (Jeff A. Earickson)
Date: Thu Jan 12 21:16:48 2006
Subject: Storing incoming work dir on ramdisk
In-Reply-To: <5.2.0.9.2.20030102152450.03e43088@imap.ecs.soton.ac.uk>
References: <5.2.0.9.2.20030101194245.02fa8ff0@imap.ecs.soton.ac.uk> <5.2.0.9.2.20030102152450.03e43088@imap.ecs.soton.ac.uk>
Message-ID:

Julian,
Sendmail has *always* been the performance pig and bottleneck
on my mail-server. While MailScanner 4.x is great, the performance
of MS 3.x was sufficiently fast to outrun sendmail on my system
(a dual-CPU Sun E220R), always.

-----------------------------------
Jeff A. Earickson, Ph.D
Senior UNIX Sysadmin and Email Guru
Information Technology Services
Colby College, 4214 Mayflower Hill,
Waterville ME, 04901-8842
phone: 207-872-3659 (fax = 3076)
-----------------------------------

From chicks at CHICKS.NET Thu Jan 2 16:03:54 2003
From: chicks at CHICKS.NET (Christopher Hicks)
Date: Thu Jan 12 21:16:48 2006
Subject: Centralized aliases
In-Reply-To: <200301020024.h020Oaa31083@ori.rl.ac.uk>
Message-ID:

On Thu, 2 Jan 2003, Bruno wrote:
> Is there any way to do the ID and mail alias definition in just one place?

We've been looking at using sendmail's LDAP purported capabilities for this
sort of thing, but we haven't even tested it yet.

--
Programming is a Dark Art, and it will always be. The programmer is
fighting against the two most destructive forces in the universe:
entropy and human stupidity. They're not things you can always
overcome with a "methodology" or on a schedule.
-Damian Conway, Perl God

From Kevin.Spicer at BMRB.CO.UK Thu Jan 2 16:12:22 2003
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin)
Date: Thu Jan 12 21:16:48 2006
Subject: Centralized aliases
Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0A32BF5@pascal.priv.bmrb.co.uk>

> One minor annoyance is that if the aliases (as well as every other valid
> email address) are not defined on the proxy then the mail is rejected. So,
> all the email IDs and aliases have to be on the proxy.
> But if any ID or alias is not ALSO defined on the mail server then mail sent
> from the LAN to that ID tends to bounce since the mail server (correctly)
> thinks the mail is destined to itself but does not find the ID or alias. So,
> user IDs and aliases need to be defined twice, identically, in both the
> server and alias.

Maybe I'm missing something here, but I can't see why you need to duplicate
your aliases - unless your mailscanner box isn't set up to relay for your
domain. I use mailscanner in front of an exchange box and my mailscanner box
doesn't know any of my users names.

From smhickel at CHARTERMI.NET Thu Jan 2 16:19:28 2003
From: smhickel at CHARTERMI.NET (Steve Hickel)
Date: Thu Jan 12 21:16:48 2006
Subject: ANNOUNCE: Version 3.27 and 4.11
In-Reply-To: <5.2.0.9.2.20030101113005.02098d90@imap.ecs.soton.ac.uk>
References: <5.2.0.9.2.20030101113005.02098d90@imap.ecs.soton.ac.uk>
Message-ID: <1041524367.2173.1.camel@steve.hickel.info>

Julian,

Thanks for all the work. Thanks for helping me troubleshoot my virus
scan 'not-sure-it-is-scanning' issue the other day. Turns out it was
scanning outgoing message, it just doesn't put any message in the body
like my home system does, which I haven't figured out why not yet, but
it is scanning.

Again, Thanks,

Steve

--
Steve Hickel

From t.d.lee at DURHAM.AC.UK Thu Jan 2 16:20:06 2003
From: t.d.lee at DURHAM.AC.UK (David Lee)
Date: Thu Jan 12 21:16:48 2006
Subject: Storing incoming work dir on ramdisk
In-Reply-To:
Message-ID:

On Thu, 2 Jan 2003, Jeff A. Earickson wrote:

> Julian,
> Sendmail has *always* been the performance pig and bottleneck
> on my mail-server. While MailScanner 4.x is great, the performance
> of MS 3.x was sufficiently fast to outrun sendmail on my system
> (a dual-CPU Sun E220R), always.

Interesting. Poor old sendmail always seems to have blame heaped upon it.
So I'm going to try to defend it (just a little at least).

With MS 3.x we (university with 100,000 messages/day) found MS (and its
environment), not sendmail, to be the bottleneck. This may have been
because we did ORDB checks from MS, and the apparent MS slowness was
actually DNS/ORDB latency. Certainly the migration to MS 4.x, with its
ability for multiple, parallel MS processes has helped matters enormously.

For our site MS 4.x/sendmail-8.11 on Sun Ultra-10/Solaris-8 copes
adequately.
The critical difference was upgrading MS from 3.x to 4.x. (But we are now moving to new dual-Intel Redhat, which seems even more comfortable. Still sendmail!) -- : David Lee I.T. Service : : Systems Programmer Computer Centre : : University of Durham : : http://www.dur.ac.uk/t.d.lee/ South Road : : Durham : : Phone: +44 191 374 2882 U.K. : From jaearick at COLBY.EDU Thu Jan 2 16:31:55 2003 From: jaearick at COLBY.EDU (Jeff A. Earickson) Date: Thu Jan 12 21:16:49 2006 Subject: sendmail 8.12.7 squawking after MS 4.11-1 upgrade Message-ID: Gang, I upgraded from Mailscanner 4.10-1 to 4.11-1 this morning. Afterwords, sendmail 8.12.7 starting complaining: [ID 702911 mail.warning] File descriptors missing on startup: stderr; Bad file number I've seen a pile 'o these this morning. I dropped back to 4.10-1 and sendmail shut up. I upgraded from 8.12.6 to 8.12.7 on Dec 31, so this may be a new feature/bug of sendmail. The complaint above comes out of sendmail's main() routine. A quick look at the sendmail code, and it looks like sendmail is checking that the stdio file descriptors are available, and complains if not. Maybe stderr is closed/gone in MS when a sendmail process gets launched in 4.11-1? ----------------------------------- Jeff A. 
Earickson, Ph.D Senior UNIX Sysadmin and Email Guru Information Technology Services Colby College, 4214 Mayflower Hill, Waterville ME, 04901-8842 phone: 207-872-3659 (fax = 3076) ----------------------------------- From gavin at NETERGY.COM Thu Jan 2 16:49:18 2003 From: gavin at NETERGY.COM (Gavin Nelmes-Crocker) Date: Thu Jan 12 21:16:49 2006 Subject: sendmail 8.12.7 squawking after MS 4.11-1 upgrade In-Reply-To: Message-ID: I've also noticed something odd with sendmail when I installed 4.11 on a test box it keeps rebuilding the aliases after every message Jan 3 08:13:13 localhost MailScanner[2997]: Spam Checks: Found 1 spam messages Jan 3 08:13:13 localhost MailScanner[2997]: Spam Actions: message g03GDC803162 actions are deliver Jan 3 08:13:13 localhost MailScanner[2997]: Virus and Content Scanning: Starting Jan 3 08:13:14 localhost MailScanner[2997]: Filename Checks: Allowing g03GDC803162.header (no rule matched) Jan 3 08:13:14 localhost MailScanner[2997]: Filename Checks: Allowing msg-2997-1.txt Jan 3 08:13:14 localhost MailScanner[2997]: Uninfected: Delivered 1 messages Jan 3 16:13:14 localhost sendmail[3168]: alias database /etc/mail/aliases autorebuilt by root Jan 3 16:13:14 localhost sendmail[3168]: /etc/mail/aliases: 17 aliases, longest 10 bytes, 189 bytes total Jan 3 16:13:14 localhost sendmail[3168]: alias database /etc/mail/aliases.majordomo autorebuilt by root Jan 3 16:13:14 localhost sendmail[3168]: /etc/mail/aliases.majordomo: 12 aliases, longest 69 bytes, 519 bytes total this is a RaQ4 if that helps Gavin ps Julian thanks for your help on the MakeMaker and perl rpm stuff I've built fixed rpms for the RaQs. > -----Original Message----- > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > Behalf Of Jeff A. Earickson > Sent: 02 January 2003 16:32 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: sendmail 8.12.7 squawking after MS 4.11-1 upgrade > > > Gang, > I upgraded from Mailscanner 4.10-1 to 4.11-1 this morning. 
> Afterwords, sendmail 8.12.7 starting complaining: > > [ID 702911 mail.warning] File descriptors > missing on startup: stderr; Bad file number > > I've seen a pile 'o these this morning. I dropped back to 4.10-1 > and sendmail shut up. I upgraded from 8.12.6 to 8.12.7 on Dec 31, > so this may be a new feature/bug of sendmail. The complaint above > comes out of sendmail's main() routine. A quick look at the > sendmail code, and it looks like sendmail is checking that the stdio > file descriptors are available, and complains if not. Maybe stderr > is closed/gone in MS when a sendmail process gets launched in 4.11-1? > > ----------------------------------- > Jeff A. Earickson, Ph.D > Senior UNIX Sysadmin and Email Guru > Information Technology Services > Colby College, 4214 Mayflower Hill, > Waterville ME, 04901-8842 > phone: 207-872-3659 (fax = 3076) > ----------------------------------- -- This message has been scanned for viruses and dangerous content by the Netergy Virus Spam Defence, and is believed to be clean. For details on having your email scanned email nvsd@netergy.com From mailscanner at ecs.soton.ac.uk Thu Jan 2 17:54:25 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:49 2006 Subject: sendmail 8.12.7 squawking after MS 4.11-1 upgrade In-Reply-To: Message-ID: <5.2.0.9.2.20030102175232.03a5ed70@imap.ecs.soton.ac.uk> At 16:31 02/01/2003, you wrote: >Gang, > I upgraded from Mailscanner 4.10-1 to 4.11-1 this morning. >Afterwords, sendmail 8.12.7 starting complaining: > >[ID 702911 mail.warning] File descriptors > missing on startup: stderr; Bad file number > >I've seen a pile 'o these this morning. I dropped back to 4.10-1 >and sendmail shut up. I upgraded from 8.12.6 to 8.12.7 on Dec 31, >so this may be a new feature/bug of sendmail. The complaint above >comes out of sendmail's main() routine. 
A quick look at the
>sendmail code, and it looks like sendmail is checking that the stdio
>file descriptors are available, and complains if not. Maybe stderr
>is closed/gone in MS when a sendmail process gets launched in 4.11-1?

MS 4.11 does indeed close all of stdout, stdin and stderr. This means that the forking off the daemon works properly, so you can close an SSH session that started MailScanner.

If you look in /usr/sbin/MailScanner, you will find 3 consecutive "close(" function calls. Try commenting them out and see what happens. I might need to add some code to attempt to re-open them later, but I'm not 100% sure how to do that yet. :-)

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Thu Jan 2 17:52:29 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:49 2006
Subject: sendmail 8.12.7 squawking after MS 4.11-1 upgrade
In-Reply-To:
References:
Message-ID: <5.2.0.9.2.20030102175150.05d309d0@imap.ecs.soton.ac.uk>

At 16:49 02/01/2003, you wrote:
>I've also noticed something odd with sendmail when I installed 4.11 on a
>test box it keeps rebuilding the aliases after every message
>
>Jan 3 08:13:13 localhost MailScanner[2997]: Spam Checks: Found 1 spam
>messages
>Jan 3 08:13:13 localhost MailScanner[2997]: Spam Actions: message
>g03GDC803162 actions are deliver
>Jan 3 08:13:13 localhost MailScanner[2997]: Virus and Content Scanning:
>Starting
>Jan 3 08:13:14 localhost MailScanner[2997]: Filename Checks: Allowing
>g03GDC803162.header (no rule matched)
>Jan 3 08:13:14 localhost MailScanner[2997]: Filename Checks: Allowing
>msg-2997-1.txt
>Jan 3 08:13:14 localhost MailScanner[2997]: Uninfected: Delivered 1
>messages
>Jan 3 16:13:14 localhost sendmail[3168]: alias database /etc/mail/aliases
>autorebuilt by root
>Jan 3 16:13:14 localhost sendmail[3168]: /etc/mail/aliases: 17 aliases,
>longest 10 bytes, 189 bytes total
>Jan 3 16:13:14 localhost sendmail[3168]: alias
database >/etc/mail/aliases.majordomo autorebuilt by root >Jan 3 16:13:14 localhost sendmail[3168]: /etc/mail/aliases.majordomo: 12 >aliases, longest 69 bytes, 519 bytes total > >this is a RaQ4 if that helps How about you just turn off AutoRebuildAliases? Quick and simple solution to the problem, though I haven't a clue what might be causing it. Your clock hasn't skewed has it? >Gavin >ps Julian thanks for your help on the MakeMaker and perl rpm stuff I've >built fixed rpms for the RaQs. > > > -----Original Message----- > > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > > Behalf Of Jeff A. Earickson > > Sent: 02 January 2003 16:32 > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: sendmail 8.12.7 squawking after MS 4.11-1 upgrade > > > > > > Gang, > > I upgraded from Mailscanner 4.10-1 to 4.11-1 this morning. > > Afterwords, sendmail 8.12.7 starting complaining: > > > > [ID 702911 mail.warning] File descriptors > > missing on startup: stderr; Bad file number > > > > I've seen a pile 'o these this morning. I dropped back to 4.10-1 > > and sendmail shut up. I upgraded from 8.12.6 to 8.12.7 on Dec 31, > > so this may be a new feature/bug of sendmail. The complaint above > > comes out of sendmail's main() routine. A quick look at the > > sendmail code, and it looks like sendmail is checking that the stdio > > file descriptors are available, and complains if not. Maybe stderr > > is closed/gone in MS when a sendmail process gets launched in 4.11-1? > > > > ----------------------------------- > > Jeff A. Earickson, Ph.D > > Senior UNIX Sysadmin and Email Guru > > Information Technology Services > > Colby College, 4214 Mayflower Hill, > > Waterville ME, 04901-8842 > > phone: 207-872-3659 (fax = 3076) > > ----------------------------------- > > >-- >This message has been scanned for viruses and dangerous content >by the Netergy Virus Spam Defence, and is believed to be clean. 
>For details on having your email scanned email nvsd@netergy.com -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Thu Jan 2 17:51:20 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:49 2006 Subject: Storing incoming work dir on ramdisk In-Reply-To: References: Message-ID: <5.2.0.9.2.20030102174748.03a47270@imap.ecs.soton.ac.uk> At 16:20 02/01/2003, you wrote: >On Thu, 2 Jan 2003, Jeff A. Earickson wrote: > > Julian, > > Sendmail has *always* been the performance pig and bottleneck > > on my mail-server. While MailScanner 4.x is great, the performance > > of MS 3.x was sufficiently fast to outrun sendmail on my system > > (a dual-CPU Sun E220R), always. > >Interesting. Poor old sendmail always seems to have blame heaped upon it. >So I'm going to try to defend it (just a little at least). > >With MS 3.x we (university with 100,000 messages/day) found MS (and its >environment), not sendmail, to be the bottleneck. This may have been >because we did ORDB checks from MS, and the apparent MS slowness was >actually DNS/ORDB latency. Yes, that's what I always found too. >Certainly the migration to MS 4.x, with its ability for multiple, parallel >MS processes has helped matters enormously. > >For our site MS 4.x/sendmail-8.11 on Sun Ultra-10/Solaris-8 copes >adequately. The critical difference was upgrading MS from 3.x to 4.x. >(But we are now moving to new dual-Intel Redhat, which seems even more >comfortable. Still sendmail!) I still run sendmail here too. Our servers cope happily with the mail load we give them, so I see no point in doing anything like trying to replace our (complicated) sendmail setup with anything else. We have been running a similar (in function) system since at least 1988 and it works just fine. 
The amusing thing is that it operates in a very similar way to the way a cluster of Exchange servers would behave (but has decent centralised management, etc).

I have no plans to implement any production Exim servers here, but I was quite surprised with the test results. Next thing to try is on a much slower machine to see how much it is CPU-dependent.

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From llasad1 at YAHOO.COM Thu Jan 2 20:53:46 2003
From: llasad1 at YAHOO.COM (lester lasad)
Date: Thu Jan 12 21:16:49 2006
Subject: spam.whitelist.rules and domain of sender does not exist
Message-ID: <20030102205346.2114.qmail@web41415.mail.yahoo.com>

I am running MailScanner 4.10-1 on RedHat 7.3 and would like to allow email from a non-existent domain to be delivered. There are several reports that are generated in our internal network that are delivered via SMTP (thru MailScanner) and the email is not going thru because the sender does not exist. I have tried adding both the IP address and the sender to the spam.whitelist.rules file but it continues to deny the emails. Has anyone run into this or is there a solution for this problem?

I have stopped and restarted MailScanner "service MailScanner stop" and "service MailScanner start" after making the changes. I have also tried "service MailScanner restart".

I have added the following lines to spam.whitelist.rules

From: invalidsender@abc.com yes
From: 10.2.1.1 yes

From mike at CAMAROSS.NET Thu Jan 2 21:01:16 2003
From: mike at CAMAROSS.NET (Mike Kercher)
Date: Thu Jan 12 21:16:49 2006
Subject: spam.whitelist.rules and domain of sender does not exist
In-Reply-To: <20030102205346.2114.qmail@web41415.mail.yahoo.com>
Message-ID: <004001c2b2a2$17945b80$9901a8c0@home.middlefinger.net>

Domain of sender error message is coming from sendmail and not MailScanner. Take a look at your /etc/mail/sendmail.mc and look for this line:

dnl FEATURE(`accept_unresolvable_domains')dnl

Remove the leading 'dnl' and rebuild your sendmail.cf and see if that helps.

Mike

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of lester lasad
Sent: Thursday, January 02, 2003 2:54 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: spam.whitelist.rules and domain of sender does not exist

I am running MailScanner 4.10-1 on RedHat 7.3 and would like to allow email from a non-existent domain to be delivered. There are several reports that are generated in our internal network that are delivered via SMTP (thru MailScanner) and the email is not going thru because the sender does not exist. I have tried adding both the IP address and the sender to the spam.whitelist.rules file but it continues to deny the emails. Has anyone run into this or is there a solution for this problem?

I have stopped and restarted MailScanner "service MailScanner stop" and "service MailScanner start" after making the changes. I have also tried "service MailScanner restart".

I have added the following lines to spam.whitelist.rules

From: invalidsender@abc.com yes
From: 10.2.1.1 yes

From gavin at NETERGY.COM Thu Jan 2 22:09:45 2003
From: gavin at NETERGY.COM (Gavin Nelmes-Crocker)
Date: Thu Jan 12 21:16:49 2006
Subject: sendmail 8.12.7 squawking after MS 4.11-1 upgrade
In-Reply-To: <5.2.0.9.2.20030102175150.05d309d0@imap.ecs.soton.ac.uk>
Message-ID: dmail[3168]: /etc/mail/aliases.majordomo: 12
> >aliases, longest 69 bytes, 519 bytes total
> >
> >this is a RaQ4 if that helps
>
> How about you just turn off AutoRebuildAliases? Quick and simple solution
> to the problem, though I haven't a clue what might be causing it. Your
> clock hasn't skewed has it?
>
>

well I could if I knew where and how on a cobalt without breaking it - I'm presuming that turning it off is something within Sendmail not mailscanner as I didn't see anything in the conf file.

The clock issue is an odd one - I've just restarted Mailscanner again and I notice it's putting a different time into the log than the system time which is weird in itself

Jan 3 22:05:52 localhost sendmail[17386]: starting daemon (8.10.2): SMTP
Jan 3 22:05:52 localhost sendmail[17389]: starting daemon (8.10.2): queueing@00:15:00
Jan 3 14:05:55 localhost MailScanner[17399]: MailScanner
Jan 3 14:05:55 localhost MailScanner[17399]: MailScanner E-Mail Virus Scanner version 4.11-1 starting...
Jan 3 14:05:58 localhost MailScanner[17399]: Using locktype = flock
Jan 3 14:06:05 localhost MailScanner[17406]: MailScanner

Any ideas

Gavin

--
This message has been scanned for viruses and dangerous content by the Netergy Virus Spam Defence, and is believed to be clean. For details on having your email scanned email nvsd@netergy.com

From michael at NSEC.DK Thu Jan 2 22:18:57 2003
From: michael at NSEC.DK (Michael Svendsen)
Date: Thu Jan 12 21:16:49 2006
Subject: Centralized aliases
Message-ID: <200301022218.h02MIvP24833@ns1.computopic.dk>

You just have to arrange a so called "drop-box" ;)

A possible solution could be: on your DMZ-mailserver you have to add one account for each domain.
In your virtusertable just add: @yourdomain domainaccount On your LAN-mailserver you shall use fetchmail (you may already use fetchmail now) in your .fetchmailrc you shall have something like: poll DMZ-mailserver with proto pop3 user domainaccount there with password "hidden" is * here That should work ;) > > One minor annoyance is that if the aliases (as well as every > > other valid > > email address) are not defined on the proxy then the mail is > > rejected. So, > > all the email IDs and aliases have to be on the proxy. But > > if any ID or > > alias is not ALSO defined on the mail server then mail sent > > from the LAN to > > that ID tends to bounce since the mail server (correctly) > > thinks the mail is > > destined to itself but does not find the ID or alias. So, > > user IDs and > > aliases need to be defined twice, identically, in both the > > server and alias. > > Maybe I'm missing something here, but I can't see why you need to duplicate your aliases - unless your mailscanner box isn't set up to relay for your domain. I use mailscanner in front of an exchange box and my mailscanner box doesn't know any of my users names. > > Med venlig hilsen / Best Regards Michael Svendsen Newage Security From dwinkler at ALGORITHMICS.COM Thu Jan 2 22:22:47 2003 From: dwinkler at ALGORITHMICS.COM (Derek Winkler) Date: Thu Jan 12 21:16:49 2006 Subject: Centralized aliases Message-ID: <06EE2C86D3DAD5119A6C0060943F3C970402C0A8@tormail1.algorithmics.com> or You could define you internal server as your smart host on the proxy server and there's no need to define any users or aliases on the proxy. -----Original Message----- From: Michael Svendsen [mailto:michael@nsec.dk] Sent: Thursday, January 02, 2003 5:19 PM To: MAILSCANNER@jiscmail.ac.uk Subject: Re: Centralized aliases You just have to arrange a so called "drop-box" ;) A possible solution could be: on your DMZ-mailserver you have to add one account for each domain. 
In your virtusertable just add:

@yourdomain domainaccount

On your LAN-mailserver you shall use fetchmail (you may already use fetchmail now) in your .fetchmailrc you shall have something like:

poll DMZ-mailserver with proto pop3 user domainaccount there with password "hidden" is * here

That should work ;)

> > One minor annoyance is that if the aliases (as well as every
> > other valid
> > email address) are not defined on the proxy then the mail is
> > rejected. So,
> > all the email IDs and aliases have to be on the proxy. But
> > if any ID or
> > alias is not ALSO defined on the mail server then mail sent
> > from the LAN to
> > that ID tends to bounce since the mail server (correctly)
> > thinks the mail is
> > destined to itself but does not find the ID or alias. So,
> > user IDs and
> > aliases need to be defined twice, identically, in both the
> > server and alias.
>
> Maybe I'm missing something here, but I can't see why you need to duplicate your aliases - unless your mailscanner box isn't set up to relay for your domain. I use mailscanner in front of an exchange box and my mailscanner box doesn't know any of my users names.
>
>

Med venlig hilsen / Best Regards
Michael Svendsen
Newage Security

From S.R.Patterson at SOTON.AC.UK Fri Jan 3 09:27:14 2003
From: S.R.Patterson at SOTON.AC.UK (Patterson S.R.)
Date: Thu Jan 12 21:16:49 2006
Subject: sendmail 8.12.7 squawking after MS 4.11-1 upgrade
Message-ID:

> -----Original Message-----
> From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK]
> Sent: 02 January 2003 17:52
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: sendmail 8.12.7 squawking after MS 4.11-1 upgrade
>
> How about you just turn off AutoRebuildAliases? Quick and
> simple solution to the problem, though I haven't a clue what
> might be causing it.
Your clock hasn't skewed has it?

How about this?

If autorebuild aliases is on in the cf file then presumably sendmail rebuilds the aliases each time the sendmail binary is run, and then periodically after that. Presumably, then, when mailscanner calls sendmail -qI then the aliases are rebuilt as part of the start up of sendmail. Hence aliases are rebuilt after every (batch of) message(s) scanned.

Turn off autorebuild either in your cf (well, in your m4 sources!), or if you feel you really do want it done periodically by the sendmail daemon (the sendmail -bd) then make sure it's explicitly turned off in the queue runs done by mailscanner with a command line option, or preferably make sure it's explicitly turned on by a command line option to the daemon sendmail (sendmail -bd -OAutoRebuildAliases=... if memory serves)

Just my thoughts.

Steve
--
Steven Patterson MSci OCP. Tel: +44 (0)2380 595810
Primary Information Services Support and Development
Information Systems Services, University of Southampton, UK.
Public PGP Key: http://www.bottleneck.org/pubkey.php

From mailscanner at ecs.soton.ac.uk Fri Jan 3 10:17:34 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:49 2006
Subject: sendmail 8.12.7 squawking after MS 4.11-1 upgrade
In-Reply-To:
Message-ID: <5.2.0.9.2.20030103101649.05e5eea0@imap.ecs.soton.ac.uk>

At 09:27 03/01/2003, you wrote:
> > -----Original Message-----
> > From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK]
> > Sent: 02 January 2003 17:52
> > To: MAILSCANNER@JISCMAIL.AC.UK
> > Subject: Re: sendmail 8.12.7 squawking after MS 4.11-1 upgrade
> >
> > How about you just turn off AutoRebuildAliases? Quick and
> > simple solution to the problem, though I haven't a clue what
> > might be causing it. Your clock hasn't skewed has it?
>
>How about this?
>
>If autorebuild aliases is on in the cf file then presumably sendmail
>rebuilds the aliases each time the sendmail binary is run, and then
>periodically after that.
Presumably, then, when mailscanner calls >sendmail -qI then the aliases are rebuild as part of the >start up of sendmail. Hence aliases are rebuilt after every (batch of) >message(s) scanned. Sendmail should compare the date stamps and only rebuild it if the source is newer than the db file(s). >Turn off autorebuild either in your cf (well, in your m4 sources!), or >if you feel you really do want it done periodically by the sendmail >daemon (the sendmail -bd) then make sure it's explicitly turned off in >the queue runs done by mailscanner with a command line option, or >preferably make sure it's explicitly turned on by a command line option >to the daemon sendmail (sendmail -bd -OAutoRebuildAliases=... if memory >serves) > >Just my thoughts. > >Steve -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Fri Jan 3 10:18:59 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:49 2006 Subject: sendmail 8.12.7 squawking after MS 4.11-1 upgrade In-Reply-To: References: <5.2.0.9.2.20030102175150.05d309d0@imap.ecs.soton.ac.uk> Message-ID: <5.2.0.9.2.20030103101800.03b78930@imap.ecs.soton.ac.uk> At 22:09 02/01/2003, you wrote: >dmail[3168]: /etc/mail/aliases.majordomo: 12 > > >aliases, longest 69 bytes, 519 bytes total > > > > > >this is a RaQ4 if that helps > > > > How about you just turn off AutoRebuildAliases? Quick and simple solution > > to the problem, though I haven't a clue what might be causing it. Your > > clock hasn't skewed has it? > > > > >well I could if I knew where and how on a cobalt without breaking it - I'm >presuming that turning it off is something within Sendmail not mailscanner >as I didn't see anything in the conf file. 
> >The clock issue is an odd one - I've just restarted Mailscanner again and I >notice its putting a different time into the log than the system time which >is weird in itself That would certainly explain the behaviour you are seeing. I'm afraid I can only suggest that you check /etc/sysconfig/clock to ensure your timezone is set correctly. >Jan 3 22:05:52 localhost sendmail[17386]: starting daemon (8.10.2): SMTP >Jan 3 22:05:52 localhost sendmail[17389]: starting daemon (8.10.2): >queueing@00:15:00 >Jan 3 14:05:55 localhost MailScanner[17399]: MailScanner >Jan 3 14:05:55 localhost MailScanner[17399]: MailScanner E-Mail Virus >Scanner version 4.11-1 starting... >Jan 3 14:05:58 localhost MailScanner[17399]: Using locktype = flock >Jan 3 14:06:05 localhost MailScanner[17406]: MailScanner > >Any ideas > >Gavin > > >-- >This message has been scanned for viruses and dangerous content >by the Netergy Virus Spam Defence, and is believed to be clean. >For details on having your email scanned email nvsd@netergy.com -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From dustin.baer at IHS.COM Fri Jan 3 13:24:31 2003 From: dustin.baer at IHS.COM (Dustin Baer) Date: Thu Jan 12 21:16:49 2006 Subject: AutoRebuildAliases Message-ID: <3E158F0F.FA0E477A@ihs.com> AutoRebuildAliases has been deprecated since 8.10 and completely removed in 8.12.0: RELEASE_NOTES: Remove AutoRebuildAliases option, deprecated since 8.10. Dustin From Bobby at LIFE-EXTREME.COM Fri Jan 3 14:18:49 2003 From: Bobby at LIFE-EXTREME.COM (Bobbejaan van Elst) Date: Thu Jan 12 21:16:49 2006 Subject: Unrecognised keyword and Looked up unknown string In-Reply-To: <5.2.0.9.2.20030103101649.05e5eea0@imap.ecs.soton.ac.uk> References: Message-ID: <5.1.0.14.2.20030103145620.01bf2b50@mail.the-mask.net> Hi, I have installed the latest version of mailscanner and I get the following errors in my syslog: 1.) 
Jan 3 14:52:38 the-mask sendmail[3465]: h03DqbJ03465: from=, size=350, class=0, nrcpts=1, msgid=<5.1.0.14.2.20030103145209.01beec70@mail.the-mask.net>, proto=ESMTP, daemon=MTA, relay=iawxsrt-sst-fw01.wxs.nl [195.121.14.2] (may be forged) Jan 3 14:52:38 the-mask MailScanner[2411]: New Batch: Scanning 1 messages, 845 bytes Jan 3 14:52:38 the-mask MailScanner[2411]: Spam Checks: Starting Jan 3 14:52:38 the-mask MailScanner[2411]: Looked up unknown string spam in language translation file /opt/MailScanner/etc/reports/en/languages.conf Jan 3 14:52:39 the-mask MailScanner[2411]: Looked up unknown string score in language translation file /opt/MailScanner/etc/reports/en/languages.conf Jan 3 14:52:39 the-mask MailScanner[2411]: Looked up unknown string required in language translation file /opt/MailScanner/etc/reports/en/languages.conf Jan 3 14:52:39 the-mask MailScanner[2411]: Looked up unknown string notspam in language translation file /opt/MailScanner/etc/reports/en/languages.conf Jan 3 14:52:39 the-mask MailScanner[2411]: Virus and Content Scanning: Starting Jan 3 14:52:41 the-mask MailScanner[2411]: Uninfected: Delivered 1 messages Jan 3 14:52:42 the-mask sendmail[3473]: h03DqbJ03465: to=bvanelst, delay=00:00:05, xdelay=00:00:01, mailer=local, pri=120350, dsn=2.0.0, stat=Sent The problem here is I have not a directory /opt/MailScanner/ the file languages.conf is located in this directory: /etc/MailScanner/reports/en/languages.conf. My question how or where can I change this. 2.) Jan 3 15:07:53 the-mask sendmail[4199]: starting daemon (8.11.2): queueing@00:15:00 Jan 3 15:07:54 the-mask MailScanner[4210]: MailScanner Jan 3 15:07:54 the-mask MailScanner[4210]: MailScanner E-Mail Virus Scanner version 4.11-1 starting... 
Jan 3 15:07:54 the-mask MailScanner[4210]: Syntax error(s) in configuration file:
Jan 3 15:07:54 the-mask MailScanner[4210]: Unrecognised keyword "piddir" at line 80
Jan 3 15:07:54 the-mask MailScanner[4210]: Aborting due to syntax errors in /etc/MailScanner/MailScanner.conf.

I have put a "#" before line 80 and the problem is gone.

Has someone any idea?

Kind regards,

Bobbejaan van Elst
http://www.Life-eXtreme.com
http://www.the-mask.net

From florusb at ASCIO.COM Fri Jan 3 14:24:15 2003
From: florusb at ASCIO.COM (Florus Both)
Date: Thu Jan 12 21:16:49 2006
Subject: Unrecognised keyword and Looked up unknown string
Message-ID: <2F15A97500CFA0469C9BACC2041F8AC7032E82B2@aries.dk.speednames.com>

2) the keyword has changed :

PID file = /var/run/MailScanner.pid

(I had the same after an upgrade, keeping the old MailScanner.conf file)

Florus

-----Original Message-----
From: Bobbejaan van Elst [mailto:Bobby@LIFE-EXTREME.COM]
Sent: 3. januar 2003 15:19
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Unrecognised keyword and Looked up unknown string

Hi,

I have installed the latest version of mailscanner and I get the following errors in my syslog:

1.)
Jan 3 14:52:38 the-mask sendmail[3465]: h03DqbJ03465: from=, size=350, class=0, nrcpts=1, msgid=<5.1.0.14.2.20030103145209.01beec70@mail.the-mask.net>, proto=ESMTP, daemon=MTA, relay=iawxsrt-sst-fw01.wxs.nl [195.121.14.2] (may be forged) Jan 3 14:52:38 the-mask MailScanner[2411]: New Batch: Scanning 1 messages, 845 bytes Jan 3 14:52:38 the-mask MailScanner[2411]: Spam Checks: Starting Jan 3 14:52:38 the-mask MailScanner[2411]: Looked up unknown string spam in language translation file /opt/MailScanner/etc/reports/en/languages.conf Jan 3 14:52:39 the-mask MailScanner[2411]: Looked up unknown string score in language translation file /opt/MailScanner/etc/reports/en/languages.conf Jan 3 14:52:39 the-mask MailScanner[2411]: Looked up unknown string required in language translation file /opt/MailScanner/etc/reports/en/languages.conf Jan 3 14:52:39 the-mask MailScanner[2411]: Looked up unknown string notspam in language translation file /opt/MailScanner/etc/reports/en/languages.conf Jan 3 14:52:39 the-mask MailScanner[2411]: Virus and Content Scanning: Starting Jan 3 14:52:41 the-mask MailScanner[2411]: Uninfected: Delivered 1 messages Jan 3 14:52:42 the-mask sendmail[3473]: h03DqbJ03465: to=bvanelst, delay=00:00:05, xdelay=00:00:01, mailer=local, pri=120350, dsn=2.0.0, stat=Sent The problem here is I have not a directory /opt/MailScanner/ the file languages.conf is located in this directory: /etc/MailScanner/reports/en/languages.conf. My question how or where can I change this. 2.) Jan 3 15:07:53 the-mask sendmail[4199]: starting daemon (8.11.2): queueing@00:15:00 Jan 3 15:07:54 the-mask MailScanner[4210]: MailScanner Jan 3 15:07:54 the-mask MailScanner[4210]: MailScanner E-Mail Virus Scanner version 4.11-1 starting... 
Jan 3 15:07:54 the-mask MailScanner[4210]: Syntax error(s) in configuration file:
Jan 3 15:07:54 the-mask MailScanner[4210]: Unrecognised keyword "piddir" at line 80
Jan 3 15:07:54 the-mask MailScanner[4210]: Aborting due to syntax errors in /etc/MailScanner/MailScanner.conf.

I have put a "#" before line 80 and the problem is gone.

Has someone any idea?

Kind regards,

Bobbejaan van Elst
http://www.Life-eXtreme.com
http://www.the-mask.net

From paul_houselander at BRISTOL-LEA.ORG.UK Fri Jan 3 14:30:14 2003
From: paul_houselander at BRISTOL-LEA.ORG.UK (Paul Houselander)
Date: Thu Jan 12 21:16:49 2006
Subject: MailScanner directory in 4.11-1
Message-ID: <01f201c2b334$a1ce0520$7b10140a@education.bcc.lan>

Hi

Just looking at version 4.11-1

I unpacked the tar archive and I noticed

/opt/MailScanner/bin/MailScanner/*
/opt/MailScanner/bin/MailScanner.pm

Were now located in

/opt/MailScanner/lib/MailScanner/*
/opt/MailScanner/lib/MailScanner.pm

Can I just confirm this new location is the correct location.

Cheers

Paul

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. Mailscanner thanks transtec Computers for their support.

From mailscanner at ecs.soton.ac.uk Fri Jan 3 14:37:45 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:49 2006
Subject: Unrecognised keyword and Looked up unknown string
In-Reply-To: <5.1.0.14.2.20030103145620.01bf2b50@mail.the-mask.net>
References: <5.2.0.9.2.20030103101649.05e5eea0@imap.ecs.soton.ac.uk>
Message-ID: <5.2.0.9.2.20030103143556.03b586e0@imap.ecs.soton.ac.uk>

At 14:18 03/01/2003, you wrote:
>I have installed the latest version of mailscanner and I get the following
>errors in my syslog:
>
>1.)
> >Jan 3 14:52:38 the-mask sendmail[3465]: h03DqbJ03465: >from=, size=350, class=0, nrcpts=1, >msgid=<5.1.0.14.2.20030103145209.01beec70@mail.the-mask.net>, proto=ESMTP, >daemon=MTA, relay=iawxsrt-sst-fw01.wxs.nl [195.121.14.2] (may be forged) >Jan 3 14:52:38 the-mask MailScanner[2411]: New Batch: Scanning 1 >messages, 845 bytes >Jan 3 14:52:38 the-mask MailScanner[2411]: Spam Checks: Starting >Jan 3 14:52:38 the-mask MailScanner[2411]: Looked up unknown string spam >in language translation file /opt/MailScanner/etc/reports/en/languages.conf >Jan 3 14:52:39 the-mask MailScanner[2411]: Looked up unknown string score >in language translation file /opt/MailScanner/etc/reports/en/languages.conf >Jan 3 14:52:39 the-mask MailScanner[2411]: Looked up unknown string >required in language translation file >/opt/MailScanner/etc/reports/en/languages.conf >Jan 3 14:52:39 the-mask MailScanner[2411]: Looked up unknown string >notspam in language translation file >/opt/MailScanner/etc/reports/en/languages.conf >Jan 3 14:52:39 the-mask MailScanner[2411]: Virus and Content Scanning: >Starting >Jan 3 14:52:41 the-mask MailScanner[2411]: Uninfected: Delivered 1 messages >Jan 3 14:52:42 the-mask sendmail[3473]: h03DqbJ03465: to=bvanelst, >delay=00:00:05, xdelay=00:00:01, mailer=local, pri=120350, dsn=2.0.0, stat=Sent > >The problem here is I have not a directory /opt/MailScanner/ the file >languages.conf is located in this directory: >/etc/MailScanner/reports/en/languages.conf. > >My question how or where can I change this. You haven't incorporated your changes into the new MailScanner.conf file, you have just blindly used your old one and are therefore missing the configuration option # Set where to find all the strings used so they can be translated into # your local language. # This can also be the filename of a ruleset so you can produce different # languages for different messages. Language Strings = /etc/MailScanner/reports/en/languages.conf >2.) 
>
>Jan 3 15:07:53 the-mask sendmail[4199]: starting daemon (8.11.2):
>queueing@00:15:00
>Jan 3 15:07:54 the-mask MailScanner[4210]: MailScanner
>Jan 3 15:07:54 the-mask MailScanner[4210]: MailScanner E-Mail Virus
>Scanner version 4.11-1 starting...
>Jan 3 15:07:54 the-mask MailScanner[4210]: Syntax error(s) in
>configuration file:
>Jan 3 15:07:54 the-mask MailScanner[4210]: Unrecognised keyword "piddir"
>at line 80
>Jan 3 15:07:54 the-mask MailScanner[4210]: Aborting due to syntax errors
>in /etc/MailScanner/MailScanner.conf.
>
>I have put a "#" before line 80 and the problem is gone..

Same problem as above. It is now a "PID File" and not a "PID Dir". Full description in your newly supplied MailScanner.conf file is

# Set where to store the process id number so you can stop MailScanner
PID file = /var/run/MailScanner.pid

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Fri Jan 3 14:38:29 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:49 2006
Subject: MailScanner directory in 4.11-1
In-Reply-To: <01f201c2b334$a1ce0520$7b10140a@education.bcc.lan>
Message-ID: <5.2.0.9.2.20030103143801.06463008@imap.ecs.soton.ac.uk>

At 14:30 03/01/2003, you wrote:
>Hi
>
>Just looking at version 4.11-1
>
>I unpacked the tar archive and I noticed
>
>/opt/MailScanner/bin/MailScanner/*
>/opt/MailScanner/bin/MailScanner.pm
>
>Were now located in
>
>/opt/MailScanner/lib/MailScanner/*
>/opt/MailScanner/lib/MailScanner.pm
>
>Can I just confirm this new location is the correct location.

Yes, indeed. I moved them so that the RPM and tar distributions both use the same structure.
-- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From Bobby at LIFE-EXTREME.COM Fri Jan 3 14:56:50 2003 From: Bobby at LIFE-EXTREME.COM (Bobbejaan van Elst) Date: Thu Jan 12 21:16:49 2006 Subject: Unrecognised keyword and Looked up unknown string In-Reply-To: <5.2.0.9.2.20030103143556.03b586e0@imap.ecs.soton.ac.uk> References: <5.1.0.14.2.20030103145620.01bf2b50@mail.the-mask.net> <5.2.0.9.2.20030103101649.05e5eea0@imap.ecs.soton.ac.uk> Message-ID: <5.1.0.14.2.20030103155029.01bf9b18@mail.the-mask.net> Julian, Thanx for your help. I did not know I was using the old config file, I thought that the new one replaced the old one. With kind regards, Bobbejaan van Elst http://www.Life-eXtreme.com http://www.the-mask.net At 14:37 3-1-2003 +0000, you wrote: >At 14:18 03/01/2003, you wrote: >>I have installed the latest version of mailscanner and I get the >>following errors in my syslog: >> >>1.) >> >>Jan 3 14:52:38 the-mask sendmail[3465]: h03DqbJ03465: >>from=, size=350, class=0, nrcpts=1, >>msgid=<5.1.0.14.2.20030103145209.01beec70@mail.the-mask.net>, >>proto=ESMTP, daemon=MTA, relay=iawxsrt-sst-fw01.wxs.nl [195.121.14.2] >>(may be forged) >>Jan 3 14:52:38 the-mask MailScanner[2411]: New Batch: Scanning 1 >>messages, 845 bytes >>Jan 3 14:52:38 the-mask MailScanner[2411]: Spam Checks: Starting >>Jan 3 14:52:38 the-mask MailScanner[2411]: Looked up unknown string spam >>in language translation file /opt/MailScanner/etc/reports/en/languages.conf >>Jan 3 14:52:39 the-mask MailScanner[2411]: Looked up unknown string >>score in language translation file >>/opt/MailScanner/etc/reports/en/languages.conf >>Jan 3 14:52:39 the-mask MailScanner[2411]: Looked up unknown string >>required in language translation file >>/opt/MailScanner/etc/reports/en/languages.conf >>Jan 3 14:52:39 the-mask MailScanner[2411]: Looked up unknown string >>notspam in language translation file >>/opt/MailScanner/etc/reports/en/languages.conf >>Jan 3 14:52:39 
the-mask MailScanner[2411]: Virus and Content Scanning: >>Starting >>Jan 3 14:52:41 the-mask MailScanner[2411]: Uninfected: Delivered 1 messages >>Jan 3 14:52:42 the-mask sendmail[3473]: h03DqbJ03465: to=bvanelst, >>delay=00:00:05, xdelay=00:00:01, mailer=local, pri=120350, dsn=2.0.0, stat=Sent >> >>The problem here is I have not a directory /opt/MailScanner/ the file >>languages.conf is located in this directory: >>/etc/MailScanner/reports/en/languages.conf. >> >>My question how or where can I change this. > >You haven't incorporated your changes into the new MailScanner.conf file, >you have just blindly used your old one and are therefore missing the >configuration option > ># Set where to find all the strings used so they can be translated into ># your local language. ># This can also be the filename of a ruleset so you can produce different ># languages for different messages. >Language Strings = /etc/MailScanner/reports/en/languages.conf > >>2.) >> >>Jan 3 15:07:53 the-mask sendmail[4199]: starting daemon (8.11.2): >>queueing@00:15:00 >>Jan 3 15:07:54 the-mask MailScanner[4210]: MailScanner >>Jan 3 15:07:54 the-mask MailScanner[4210]: MailScanner E-Mail Virus >>Scanner version 4.11-1 starting... >>Jan 3 15:07:54 the-mask MailScanner[4210]: Syntax error(s) in >>configuration file: >>Jan 3 15:07:54 the-mask MailScanner[4210]: Unrecognised keyword "piddir" >>at line 80 >>Jan 3 15:07:54 the-mask MailScanner[4210]: Aborting due to syntax errors >>in /etc/MailScanner/MailScanner.conf. >> >>I have put a "#" before line 80 and the problem is gone.. > >Same problem as above. >It is now a "PID File" and not a "PID Dir". Full description in your newly >supplied MailScanner.conf file is > ># Set where to store the process id number so you can stop MailScanner >PID file = /var/run/MailScanner.pid > >-- >Julian Field >www.MailScanner.info >MailScanner thanks transtec Computers for their support 
From andersan at LTKALMAR.SE Fri Jan 3 15:03:28 2003 From: andersan at LTKALMAR.SE (Anders Andersson, IT) Date: Thu Jan 12 21:16:50 2006 Subject: Regarding a good but not to hard RBl and upgrade/reinstall Message-ID: <7B475DC5E9502B4D91EA73C283AE48D70263ED8E@lkl22.ltkalmar.se> Hi I was planning to use an RBL in sendmail but I'm not sure which one to use. Since I'm not too experienced at this I was hoping someone could recommend a good but pretty safe RBL. We prolly get around 500 msg's a day that makes it all the way to exchange and then get bounced. Planning to make a routine for extracting addresses from exchange and build aliases but this could be a short cut until that's done.... any suggestions? Oh, btw, any recommendation regarding upgrade to newest version. Uninstall previous or just do upgrade? /Anders From mailscanner at ecs.soton.ac.uk Fri Jan 3 15:26:53 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:50 2006 Subject: Regarding a good but not to hard RBl and upgrade/reinstall In-Reply-To: <7B475DC5E9502B4D91EA73C283AE48D70263ED8E@lkl22.ltkalmar.se > Message-ID: <5.2.0.9.2.20030103152459.03a2a4b8@imap.ecs.soton.ac.uk> At 15:03 03/01/2003, you wrote: >I was planning to use an RBL in sendmail but I'm not sure >which one to use. Since I'm not too experienced at this >I was hoping someone could recommend a good but pretty >safe RBL. We prolly get around 500 msg's a day that makes it >all the way to exchange and then get bounced. >Planning to make a routine for extracting addresses from >exchange and build aliases but this could be a short cut until >that's done.... any suggestions? ORDB is good. Very few problems with them. >Oh, btw, any recommendation regarding upgrade to newest version. >Uninstall previous or just do upgrade? Just upgrade. 
If you are using the RPM distribution, then you only need to upgrade the actual mailscanner*rpm file, you don't need to re-run install.sh. Be warned that you will need to check your configuration file carefully. In particular, definitely look out for PID File (new) PID Dir (old and removed) Language Strings (new) They are the 3 most important changes in there, and it will object if they aren't right. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Fri Jan 3 15:24:33 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:50 2006 Subject: Unrecognised keyword and Looked up unknown string In-Reply-To: <5.1.0.14.2.20030103155029.01bf9b18@mail.the-mask.net> References: <5.2.0.9.2.20030103143556.03b586e0@imap.ecs.soton.ac.uk> <5.1.0.14.2.20030103145620.01bf2b50@mail.the-mask.net> <5.2.0.9.2.20030103101649.05e5eea0@imap.ecs.soton.ac.uk> Message-ID: <5.2.0.9.2.20030103152349.05e49010@imap.ecs.soton.ac.uk> At 14:56 03/01/2003, you wrote: >Thanx for your help. No problem. >I did not know I was using the old config file, I thought that the new one >replaced the old one. It very carefully does not overwrite any configuration file, report or virus engine wrapper script that you have changed so that your customisations don't get lost. >With kind regards, > > Bobbejaan van Elst >http://www.Life-eXtreme.com > http://www.the-mask.net > > >At 14:37 3-1-2003 +0000, you wrote: >>At 14:18 03/01/2003, you wrote: >>>I have installed the latest version of mailscanner and I get the >>>following errors in my syslog: >>> >>>1.) 
>>> >>>Jan 3 14:52:38 the-mask sendmail[3465]: h03DqbJ03465: >>>from=, size=350, class=0, nrcpts=1, >>>msgid=<5.1.0.14.2.20030103145209.01beec70@mail.the-mask.net>, >>>proto=ESMTP, daemon=MTA, relay=iawxsrt-sst-fw01.wxs.nl [195.121.14.2] >>>(may be forged) >>>Jan 3 14:52:38 the-mask MailScanner[2411]: New Batch: Scanning 1 >>>messages, 845 bytes >>>Jan 3 14:52:38 the-mask MailScanner[2411]: Spam Checks: Starting >>>Jan 3 14:52:38 the-mask MailScanner[2411]: Looked up unknown string >>>spam in language translation file >>>/opt/MailScanner/etc/reports/en/languages.conf >>>Jan 3 14:52:39 the-mask MailScanner[2411]: Looked up unknown string >>>score in language translation file >>>/opt/MailScanner/etc/reports/en/languages.conf >>>Jan 3 14:52:39 the-mask MailScanner[2411]: Looked up unknown string >>>required in language translation file >>>/opt/MailScanner/etc/reports/en/languages.conf >>>Jan 3 14:52:39 the-mask MailScanner[2411]: Looked up unknown string >>>notspam in language translation file >>>/opt/MailScanner/etc/reports/en/languages.conf >>>Jan 3 14:52:39 the-mask MailScanner[2411]: Virus and Content Scanning: >>>Starting >>>Jan 3 14:52:41 the-mask MailScanner[2411]: Uninfected: Delivered 1 >>>messages >>>Jan 3 14:52:42 the-mask sendmail[3473]: h03DqbJ03465: to=bvanelst, >>>delay=00:00:05, xdelay=00:00:01, mailer=local, pri=120350, dsn=2.0.0, stat=Sent >>> >>>The problem here is I have not a directory /opt/MailScanner/ the file >>>languages.conf is located in this directory: >>>/etc/MailScanner/reports/en/languages.conf. >>> >>>My question how or where can I change this. >> >>You haven't incorporated your changes into the new MailScanner.conf file, >>you have just blindly used your old one and are therefore missing the >>configuration option >> >># Set where to find all the strings used so they can be translated into >># your local language. >># This can also be the filename of a ruleset so you can produce different >># languages for different messages. 
>>Language Strings = /etc/MailScanner/reports/en/languages.conf >> >>>2.) >>> >>>Jan 3 15:07:53 the-mask sendmail[4199]: starting daemon (8.11.2): >>>queueing@00:15:00 >>>Jan 3 15:07:54 the-mask MailScanner[4210]: MailScanner >>>Jan 3 15:07:54 the-mask MailScanner[4210]: MailScanner E-Mail Virus >>>Scanner version 4.11-1 starting... >>>Jan 3 15:07:54 the-mask MailScanner[4210]: Syntax error(s) in >>>configuration file: >>>Jan 3 15:07:54 the-mask MailScanner[4210]: Unrecognised keyword >>>"piddir" at line 80 >>>Jan 3 15:07:54 the-mask MailScanner[4210]: Aborting due to syntax >>>errors in /etc/MailScanner/MailScanner.conf. >>> >>>I have put a "#" before line 80 and the problem is gone.. >> >>Same problem as above. >>It is now a "PID File" and not a "PID Dir". Full description in your >>newly supplied MailScanner.conf file is >> >># Set where to store the process id number so you can stop MailScanner >>PID file = /var/run/MailScanner.pid >> >>-- >>Julian Field >>www.MailScanner.info >>MailScanner thanks transtec Computers for their support -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From rc at ITSS.NERC.AC.UK Fri Jan 3 15:39:07 2003 From: rc at ITSS.NERC.AC.UK (Ron Campbell) Date: Thu Jan 12 21:16:50 2006 Subject: MailScanner speed query ? Message-ID: <3E15AE9B.9020509@itss.nerc.ac.uk> I just noticed MailScanner take 3 1/2 minutes to process a batch containing one 2.5 MB message. I have Max SpamAssassin Size = 50000 in mailscanner.conf so this cannot be down to SA. Is this reasonable ? This is MS 4.05-3 and we dont have a linux server with lots of GHz - just a SUN ULTRA 5 :-( Cheers -- Ron From mailscanner at ecs.soton.ac.uk Fri Jan 3 16:05:46 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:50 2006 Subject: MailScanner speed query ? 
In-Reply-To: <3E15AE9B.9020509@itss.nerc.ac.uk> Message-ID: <5.2.0.9.2.20030103160426.063fa7a8@imap.ecs.soton.ac.uk> At 15:39 03/01/2003, you wrote: > I just noticed MailScanner take 3 1/2 minutes to process a batch >containing one 2.5 MB message. I have > >Max SpamAssassin Size = 50000 > >in mailscanner.conf so this cannot be down to SA. Is this reasonable ? That sounds very slow to me. What's the load average on your server like? Nothing hogging all your RAM or nicking your CPU by any chance? MailScanner should be a *lot* faster than that. I run it here on 2 Ultra-5's and they handle our department's mail load (13,000 incoming per day) with very great ease. >This is MS 4.05-3 and we dont have a linux server with lots of GHz - >just a SUN ULTRA 5 :-( -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From evertjan at VANRAMSELAAR.NL Fri Jan 3 17:23:50 2003 From: evertjan at VANRAMSELAAR.NL (Evert Jan van Ramselaar) Date: Thu Jan 12 21:16:50 2006 Subject: Scanner update result in log Message-ID: <000001c2b34c$e1d84a50$65000a0a@galaxy> Hi all, Just upgraded to v4.11, wich went perfectly! However, when running the new scanner update script (my compliments for that), I only get a success result for f-prot in my log, and not for sophos: Jan 3 18:01:03 ram1 update.virus.scanners: Found f-prot installed Jan 3 18:01:03 ram1 update.virus.scanners: Updating f-prot Jan 3 18:01:05 ram1 F-Prot autoupdate[23625]: F-Prot successfully updated. Jan 3 18:01:05 ram1 update.virus.scanners: Found sophos installed Jan 3 18:01:05 ram1 update.virus.scanners: Updating sophos Is there a difference between the update routines for f-prot and sophos? 
-- Evert Jan van Ramselaar Van Ramselaar Info Tech From mailscanner at ecs.soton.ac.uk Fri Jan 3 17:34:16 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:50 2006 Subject: Scanner update result in log In-Reply-To: <000001c2b34c$e1d84a50$65000a0a@galaxy> Message-ID: <5.2.0.9.2.20030103173308.06279568@imap.ecs.soton.ac.uk> At 17:23 03/01/2003, you wrote: >Hi all, > >Just upgraded to v4.11, wich went perfectly! > >However, when running the new scanner update script (my compliments for >that), I only get a success result for f-prot in my log, and not for >sophos: > >Jan 3 18:01:03 ram1 update.virus.scanners: Found f-prot installed >Jan 3 18:01:03 ram1 update.virus.scanners: Updating f-prot >Jan 3 18:01:05 ram1 F-Prot autoupdate[23625]: F-Prot successfully >updated. >Jan 3 18:01:05 ram1 update.virus.scanners: Found sophos installed >Jan 3 18:01:05 ram1 update.virus.scanners: Updating sophos > >Is there a difference between the update routines for f-prot and sophos? I have a feeling the Sophos one is silent. You can always add a line to /usr/lib/MailScanner/sophos-autoupdate so that it prints something. It's just that, as it is run by cron, you will get all the output mailed to you. I use the Sophos one so I wrote it to be quiet. Sorry they aren't consistent :-( -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From gavin at NETERGY.COM Fri Jan 3 18:04:17 2003 From: gavin at NETERGY.COM (Gavin Nelmes-Crocker) Date: Thu Jan 12 21:16:50 2006 Subject: AutoRebuildAliases In-Reply-To: <3E158F0F.FA0E477A@ihs.com> Message-ID: There hangs the problem - Cobalt RaQs are not as upgradeable (without breaking) and they run patched versions of Sendmail 8.10.2 on a RaQ4 so we are stuck with that. 
Unless some brave and Guru like person can build a Cobalt pkg to upgrade it failing that we have to fix this some other way and then wait for Cobalt to release an upgrade Gavin > -----Original Message----- > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > Behalf Of Dustin Baer > Sent: 03 January 2003 13:25 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: AutoRebuildAliases > > > AutoRebuildAliases has been deprecated since 8.10 and completely removed > in 8.12.0: > > RELEASE_NOTES: > > Remove AutoRebuildAliases option, deprecated since 8.10. > > Dustin > > -- > This message has been scanned for viruses and dangerous content > by the Netergy Virus Spam Defence, and is believed to be clean. > For details on having your email scanned email nvsd@netergy.com > -- This message has been scanned for viruses and dangerous content by the Netergy Virus Spam Defence, and is believed to be clean. For details on having your email scanned email nvsd@netergy.com From john.hanks at USU.EDU Fri Jan 3 18:44:12 2003 From: john.hanks at USU.EDU (John B. 
Hanks) Date: Thu Jan 12 21:16:50 2006 Subject: Quarantine configuration problem Message-ID: <5CA287DBA85BF649A45916B75FD20E0E029DB6@exchange01.blue.usu.edu> Hello, I have the following quarantine specific stuff specified in mailscanner.conf: Action = delete Quarantine Whole Message = no Quarantine Dir = /var/spool/MailScanner/quarantine I thought "Action = delete" was sufficient to disable quarantining, but messages are still being quarantined as follows: -- begin log entries -- Jan 3 11:38:02 noturus MailScanner[21587]: New Batch: Scanning 6 messages, 68717 bytes Jan 3 11:38:03 noturus MailScanner[21587]: Virus and Content Scanning: Starting Jan 3 11:38:03 noturus MailScanner[21587]: Content Checks: Detected Microsoft-specific exploits in h03Ibo424800 Jan 3 11:38:03 noturus MailScanner[21587]: Content Checks: Found 1 problems Jan 3 11:38:03 noturus MailScanner[21587]: Saved infected "msg-21587-145.html" to /var/spool/MailScanner/quarantine/20030103/h03Ibo 424800 Jan 3 11:38:03 noturus MailScanner[21587]: Uninfected: Delivered 5 messages Jan 3 11:38:03 noturus MailScanner[21587]: Cleaned: Delivered 1 cleaned messages Jan 3 11:38:03 noturus MailScanner[21587]: Sender Warnings: Delivered 1 warnings to virus senders Jan 3 11:38:04 noturus MailScanner[21587]: Notices: Warned about 1 messages -- end log entries -- What other parameters I need to modify to make MS stop quarantining messages? I don't have any deny rules in filenames.rules.conf so nothing should be happening there. Setup is RH 7.3, MailScanner 4.11-1, SpamAssasssin 2.42. 
Thanks, jbh From mailscanner at ecs.soton.ac.uk Fri Jan 3 19:01:08 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:50 2006 Subject: Quarantine configuration problem In-Reply-To: <5CA287DBA85BF649A45916B75FD20E0E029DB6@exchange01.blue.usu .edu> Message-ID: <5.2.0.9.2.20030103185927.02087a80@imap.ecs.soton.ac.uk> At 18:44 03/01/2003, you wrote: >I have the following quarantine specific stuff specified in >mailscanner.conf: > >Action = delete >Quarantine Whole Message = no >Quarantine Dir = /var/spool/MailScanner/quarantine "Action" isn't a valid option in MailScanner 4.x. What you are looking for is Quarantine Infections = no (the default supplied value is "yes"). >I thought "Action = delete" was sufficient to disable quarantining, but >messages are still being quarantined as follows: > >-- begin log entries -- >Jan 3 11:38:02 noturus MailScanner[21587]: New Batch: Scanning 6 messages, >68717 bytes >Jan 3 11:38:03 noturus MailScanner[21587]: Virus and Content Scanning: >Starting >Jan 3 11:38:03 noturus MailScanner[21587]: Content Checks: Detected >Microsoft-specific exploits in h03Ibo424800 >Jan 3 11:38:03 noturus MailScanner[21587]: Content Checks: Found 1 problems >Jan 3 11:38:03 noturus MailScanner[21587]: Saved infected >"msg-21587-145.html" to /var/spool/MailScanner/quarantine/20030103/h03Ibo >424800 >Jan 3 11:38:03 noturus MailScanner[21587]: Uninfected: Delivered 5 messages >Jan 3 11:38:03 noturus MailScanner[21587]: Cleaned: Delivered 1 cleaned >messages >Jan 3 11:38:03 noturus MailScanner[21587]: Sender Warnings: Delivered 1 >warnings to virus senders >Jan 3 11:38:04 noturus MailScanner[21587]: Notices: Warned about 1 messages >-- end log entries -- > >What other parameters I need to modify to make MS stop quarantining >messages? I don't have any deny rules in filenames.rules.conf so nothing >should be happening there. > >Setup is RH 7.3, MailScanner 4.11-1, SpamAssasssin 2.42. 
> >Thanks, > >jbh -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Fri Jan 3 18:58:31 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:50 2006 Subject: AutoRebuildAliases In-Reply-To: References: <3E158F0F.FA0E477A@ihs.com> Message-ID: <5.2.0.9.2.20030103185800.01fb3480@imap.ecs.soton.ac.uk> Why not just disable the AutoRebuildAliases option and do a manual newaliases command when you change the aliases files. At 18:04 03/01/2003, you wrote: >There hangs the problem - Cobalt RaQs are not as upgradeable (without >breaking) and they run patched versions of Sendmail 8.10.2 on a RaQ4 so we >are stuck with that. Unless some brave and Guru like person can build a >Cobalt pkg to upgrade it failing that we have to fix this some other >way and then wait for Cobalt to release an upgrade > >Gavin > > > -----Original Message----- > > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > > Behalf Of Dustin Baer > > Sent: 03 January 2003 13:25 > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: AutoRebuildAliases > > > > > > AutoRebuildAliases has been deprecated since 8.10 and completely removed > > in 8.12.0: > > > > RELEASE_NOTES: > > > > Remove AutoRebuildAliases option, deprecated since 8.10. > > > > Dustin > > > > -- > > This message has been scanned for viruses and dangerous content > > by the Netergy Virus Spam Defence, and is believed to be clean. > > For details on having your email scanned email nvsd@netergy.com > > > > >-- >This message has been scanned for viruses and dangerous content >by the Netergy Virus Spam Defence, and is believed to be clean. 
>For details on having your email scanned email nvsd@netergy.com -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From llasad1 at YAHOO.COM Fri Jan 3 19:03:12 2003 From: llasad1 at YAHOO.COM (lester lasad) Date: Thu Jan 12 21:16:50 2006 Subject: spam.whitelist.rules and domain of sender does not exist In-Reply-To: <004001c2b2a2$17945b80$9901a8c0@home.middlefinger.net> Message-ID: <20030103190312.22099.qmail@web41410.mail.yahoo.com> Thanks for the response, I removed dnl from the line referenced below and rebuilt the sendmail.cf and it is working now. I am curious to know if anyone is aware of any security issues involved in allowing unresolvable domains to send mail? What is the preferred setting for most people? Thanks again for the response. Mike Kercher wrote:Domain of sender error message is coming from sendmail and not MailScanner. Take a look at your /etc/mail/sendmail.mc and look for this line: dnl FEATURE(`accept_unresolvable_domains')dnl Remove the leading 'dnl' and rebuild your sendmail.cf and see if that helps. Mike -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of lester lasad Sent: Thursday, January 02, 2003 2:54 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: spam.whitelist.rules and domain of sender does not exist I am running MailScanner 4.10-1 on RedHat 7.3 and would like to allow email from a non-existent domain to be delivered. There are several reports that are generated in our internal network that are delivered via SMTP ( thru MailScanner ) and the email is not going thru because the sender does not exist. I have tried adding both and the ip address and the sender to the spam.whitelist.rules file but it continues to deny the emails. Has anyone run into this or is there a solution for this problem? I have stopped and restarted MailScanner "service MailScanner stop" and "service MailScanner start" after making the changes. 
I have also tried "service MailScanner restart". I have added the following line to spam.whitelist.rules From: invalidsender@abc.com yes From: 10.2.1.1 yes From mailscanner at ecs.soton.ac.uk Fri Jan 3 19:08:35 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:50 2006 Subject: spam.whitelist.rules and domain of sender does not exist In-Reply-To: <20030103190312.22099.qmail@web41410.mail.yahoo.com> References: <004001c2b2a2$17945b80$9901a8c0@home.middlefinger.net> Message-ID: <5.2.0.9.2.20030103190556.02e30e40@imap.ecs.soton.ac.uk> At 19:03 03/01/2003, you wrote: >Thanks for the response, I removed dnl from the line referenced below and >rebuilt the sendmail.cf and it is working now. I am curious to know if >anyone is aware of any security issues involved in allowing unresolvable >domains to send mail? What is the preferred setting for most people? Most people (AFAIK) don't allow messages from unresolvable domains as a mild anti-spam measure, as spammers used to use fake domain names. Anyone else got better reasons than that? It comes partly from the fact that if the domain name cannot be resolved, then you will never be able to deliver directly to the domain anyway, so why bother accepting the message at all? >Thanks again for the response. > > Mike Kercher wrote: >Domain of sender error message is coming from sendmail and not MailScanner. > >Take a look at your /etc/mail/sendmail.mc and look for this line: > >dnl FEATURE(`accept_unresolvable_domains')dnl > >Remove the leading 'dnl' and rebuild your sendmail.cf and see if that helps. 
> >Mike > > >-----Original Message----- >From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf >Of lester lasad >Sent: Thursday, January 02, 2003 2:54 PM >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: spam.whitelist.rules and domain of sender does not exist > > > >I am running MailScanner 4.10-1 on RedHat 7.3 and would like to allow email >from a non-existent domain to be delivered. There are several reports that >are generated in our internal network that are delivered via SMTP ( thru >MailScanner ) and the email is not going thru because the sender does not >exist. > >I have tried adding both and the ip address and the sender to the >spam.whitelist.rules file but it continues to deny the emails. Has anyone >run into this or is there a solution for this problem? I have stopped and >restarted MailScanner "service MailScanner stop" and "service MailScanner >start" after making the changes. I have also tried "service MailScanner >restart". I have added the following line to spam.whitelist.rules > >From: invalidsender@abc.com yes > >From: 10.2.1.1 yes -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From john.hanks at USU.EDU Fri Jan 3 19:08:47 2003 From: john.hanks at USU.EDU (John B. Hanks) Date: Thu Jan 12 21:16:50 2006 Subject: Quarantine configuration problem Message-ID: <5CA287DBA85BF649A45916B75FD20E0E4AE8@exchange01.blue.usu.edu> > "Action" isn't a valid option in MailScanner 4.x. > What you are looking for is > Quarantine Infections = no > (the default supplied value is "yes"). Thanks Julian, I am upgrading and that got brought over when I made the new conf file. 
jbh From support at INVICTANET.CO.UK Fri Jan 3 21:14:13 2003 From: support at INVICTANET.CO.UK (InvictaNet Customer Support) Date: Thu Jan 12 21:16:50 2006 Subject: FreeBSD Instructions Message-ID: I hope I don't seem picky, but.... I have been using FreeBSD since 3.0 and none of them have had an "opt" directory. I have always installed software into /usr/local Apart from that, the instructions seem ok. Martyn Routley ----------------------------------------------------------------- InvictaNet - The Internet in Plain English, Guaranteed http://www.invictanet.co.uk martyn@support.invictanet.co.uk phone: 08707 440180 fax: 08707 440181 Ask us about our online Antivirus and Junk mail scanning service ----------------------------------------------------------------- JKF 26/12/2002 Installation instructions for FreeBSD ===================================== 1. Unpack the distribution into /opt and make a link to the new version cd /opt tar xvf MailScanner-4.11-1.tar ln -s MailScanner-4.11-1 MailScanner From john.hanks at USU.EDU Fri Jan 3 22:01:21 2003 From: john.hanks at USU.EDU (John B. Hanks) Date: Thu Jan 12 21:16:50 2006 Subject: Quarantine configuration problem Message-ID: <5CA287DBA85BF649A45916B75FD20E0E4AE9@exchange01.blue.usu.edu> > -----Original Message----- > From: John B. Hanks > Sent: Friday, January 03, 2003 12:09 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Quarantine configuration problem > > > > "Action" isn't a valid option in MailScanner 4.x. > > What you are looking for is > > Quarantine Infections = no > > (the default supplied value is "yes"). > > Thanks Julian, I am upgrading and that got brought over when > I made the new conf file. Ok, I was wrong (but I'm used to that.) When I look at mailscanner.conf.rpmnew it still has the following section: # Set what to do with infected attachments or messages. 
# keep ==> Store under the "Quarantine Dir" # delete ==> Just delete them #Action = delete Action = keep That is why I kept the Action line in my new conf file. I removed the Action = line and added a line to my mailscanner.conf like this: Quarantine Infections = no But infected messages are still being quarantined. When I upgraded I took the following steps (using the rpm version): 1. Stopped old mailscanner processes. 2. Ran Update-MakeMaker.sh 3. Ran install.sh 4. Compared rpmsave and rpmnew versions of conf files and migrated my settings over. 5. Started MailScanner Maybe I've missed some simple step or performed something out of order? Mailscanner is working fine with the exception of the quarantining. Thanks, jbh From mike at CAMAROSS.NET Fri Jan 3 22:07:48 2003 From: mike at CAMAROSS.NET (Mike Kercher) Date: Thu Jan 12 21:16:50 2006 Subject: Quarantine configuration problem In-Reply-To: <5CA287DBA85BF649A45916B75FD20E0E4AE9@exchange01.blue.usu.edu> Message-ID: <011d01c2b374$8da31a50$6901a8c0@home.middlefinger.net> You should be looking at MailScanner.conf...maybe in /etc/MailScanner -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of John B. Hanks Sent: Friday, January 03, 2003 4:01 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Quarantine configuration problem > -----Original Message----- > From: John B. Hanks > Sent: Friday, January 03, 2003 12:09 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Quarantine configuration problem > > > > "Action" isn't a valid option in MailScanner 4.x. > > What you are looking for is > > Quarantine Infections = no > > (the default supplied value is "yes"). > > Thanks Julian, I am upgrading and that got brought over when I made > the new conf file. Ok, I was wrong (but I'm used to that.) When I look at mailscanner.conf.rpmnew it still has the following section: # Set what to do with infected attachments or messages. 
# keep ==> Store under the "Quarantine Dir" # delete ==> Just delete them #Action = delete Action = keep That is why I kept the Action line in my new conf file. I removed the Action = line and added a line to my mailscanner.conf like this: Quarantine Infections = no But infected messages are still being quarantined. When I upgraded I took the following steps (using the rpm version): 1. Stopped old mailscanner processes. 2. Ran Update-MakeMaker.sh 3. Ran install.sh 4. Compared rpmsave and rpmnew versions of conf files and migrated my settings over. 5. Started MailScanner Maybe I've missed some simple step or performed something out of order? Mailscanner is working fine with the exception of the quarantining. Thanks, jbh From mailscanner at ecs.soton.ac.uk Fri Jan 3 23:17:00 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:50 2006 Subject: FreeBSD Instructions In-Reply-To: Message-ID: <5.2.0.9.2.20030103231557.02b65960@imap.ecs.soton.ac.uk> At 21:14 03/01/2003, you wrote: >I hope I don't seem picky, but.... > >I have been using FreeBsd since 3.0 and none of them have had an "opt" >directory. I have allways installed software into /usr/local Future versions will have a "configure" script which will solve this problem. >Apart from that, the instructions seem ok. Great! >Martyn Routley >----------------------------------------------------------------- >InvictaNet - The Internet in Plain English, Guaranteed >http://www.invictanet.co.uk >martyn@support.invictanet.co.uk >phone: 08707 440180 >fax: 08707 440181 >Ask us about our online Antivirus and Junk mail scanning service >----------------------------------------------------------------- > > > > > >JKF 26/12/2002 > >Installation instructions for FreeBSD >===================================== > >1. 
>Unpack the distribution into /opt and make a link to the new version
>
>    cd /opt
>    tar xvf MailScanner-4.11-1.tar
>    ln -s MailScanner-4.11-1 MailScanner

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From john.hanks at USU.EDU Fri Jan 3 23:13:22 2003
From: john.hanks at USU.EDU (John B. Hanks)
Date: Thu Jan 12 21:16:50 2006
Subject: Quarantine configuration problem
Message-ID: <5CA287DBA85BF649A45916B75FD20E0E4AEA@exchange01.blue.usu.edu>

Good point, editing the right set of configuration files is a very good idea. Thankfully it is Friday and this is almost over for a few days.

Thanks,

jbh

> -----Original Message-----
> From: Mike Kercher [mailto:mike@CAMAROSS.NET]
> Sent: Friday, January 03, 2003 3:08 PM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: Quarantine configuration problem
>
>
> You should be looking at MailScanner.conf...maybe in /etc/MailScanner
>

From mailscanner-sub at WIREHUB.NET Sun Jan 5 01:04:19 2003
From: mailscanner-sub at WIREHUB.NET (Ben C. O. Grimm)
Date: Thu Jan 12 21:16:50 2006
Subject: Regarding a good but not to hard RBl and upgrade/reinstall
In-Reply-To:
References: <7B475DC5E9502B4D91EA73C283AE48D70263ED8E@lkl22.ltkalmar.se >
Message-ID:

On 3 Jan 2003 16:30:23 +0100, Julian Field wrote:
> ORDB is good. Very few problems with them.

ORDB is losing some of its importance since the majority of spammers go through open proxies rather than open relays nowadays. We have very good results with our own DNSBL (blackholes.wirehub.net, which lists spam sources and open proxies, and includes the entire Spamhaus database) and DNSBLs listing insecure servers.

See http://basic.wirehub.nl/spamstats.html for our numbers. Please note that spamfiltering takes place in the listed order (first hit wins), so the blackholes.wirehub.net figures would be substantially higher when the order would be reversed.
We are running these spamfilters for a pretty large business ISP, so the number of false positives is very low. Moreover, blackholes.wirehub.net is used by Excite and Ameritech, who are probably pretty conservative considering their massive mailflow.

--
- Ben C. O. Grimm ----------------- Ben.Grimm@wirehub.net -
- Wirehub! Internet Engineering - http://www.wirehub.net/ -
- Private Ponderings ----------- http://www.bengrimm.net/ -
- Wirehub! Internet ----------- part of easynet Group plc -

From jorgen at GIVERSEN.NET Sun Jan 5 11:41:07 2003
From: jorgen at GIVERSEN.NET (=?ISO-8859-1?Q?J=F8rgen_Giversen?=)
Date: Thu Jan 12 21:16:50 2006
Subject: Writing a extra line to the mail header
Message-ID: <3E1819D3.9010200@giversen.net>

Dear all
I am trying to write an extra line into every mail header.
In Mailscanner.conf you can specify a variable like
Mail Header = X-MailScanner:
and the same for spam header and spam score
How can I automatically write an extra line just under the line
X-MailScanner:
in all mail headers, with the content X-mailcheck ?

setup:
OS=RH7.3
MTA=Exim 3.36
Virusscanner=Mailscanner 4.11.1 & Sophos

--
Best Regards
Jørgen Giversen

--
This message has been scanned for viruses and dangerous content by the MailScanner at giversen.net.

From mailscanner at ecs.soton.ac.uk Sun Jan 5 12:27:17 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:50 2006
Subject: Writing a extra line to the mail header
In-Reply-To: <3E1819D3.9010200@giversen.net>
Message-ID: <5.2.0.9.2.20030105122455.02f05ca0@imap.ecs.soton.ac.uk>

At 11:41 05/01/2003, you wrote:
>Dear all
>I am trying to write an extra line into every mail header.
>In Mailscanner.conf you can specify a variable like
>Mail Header = X-MailScanner:
>and the same for spam header and spam score
>How can I automatically write an extra line just under the line
>X-MailScanner:
>in all mail headers, with the content X-mailcheck ?
>
>setup:
>OS=RH7.3
>MTA=Exim 3.36
>Virusscanner=Mailscanner 4.11.1 & Sophos

That's more of an mta question really. I'm sure sendmail can do it, so can 1 of the Exim experts out there tell him how to do it in Exim?

The other possibility, if this just applies to incoming mail, would be to use procmail to do it (though I'm no procmail expert, so don't ask me how... :-)

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From jorgen at GIVERSEN.NET Sun Jan 5 12:28:06 2003
From: jorgen at GIVERSEN.NET (=?ISO-8859-1?Q?J=F8rgen_Giversen?=)
Date: Thu Jan 12 21:16:51 2006
Subject: Writing a extra line to the mail header
In-Reply-To: <3E1819D3.9010200@giversen.net>
References: <3E1819D3.9010200@giversen.net>
Message-ID: <3E1824D6.5050201@giversen.net>

Jørgen Giversen wrote:
> Dear all
> I am trying to write an extra line into every mail header.
> In Mailscanner.conf you can specify a variable like
> Mail Header = X-MailScanner:
> and the same for spam header and spam score
> How can I automatically write an extra line just under the line
> X-MailScanner:
> in all mail headers, with the content X-mailcheck ?
>
> setup:
> OS=RH7.3
> MTA=Exim 3.36
> Virusscanner=Mailscanner 4.11.1 & Sophos

Never mind, I found out by myself. I will use the headers_add = in the exim.conf

--
Best regards
Jørgen Giversen
www.giversen.net

--
This message has been scanned for viruses and dangerous content by the MailScanner at giversen.net.
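
The header placement asked about in this thread, as an added example (not code from the posts, MailScanner or Exim): it writes X-mailcheck directly under X-MailScanner and first removes any X-mailcheck that arrived with the message, so downstream filters only ever see the locally written one. The value `passed`, the sample message, and treating the last X-MailScanner field as the local one are assumptions.

```python
"""Write a local X-mailcheck field directly under X-MailScanner (added example)."""

SCANNER_NAME = "x-mailscanner"  # from the thread's "Mail Header = X-MailScanner:" setting
EXTRA_NAME = "X-mailcheck"      # header the poster wants to add
EXTRA_VALUE = "passed"          # assumed value; the thread does not give one

# Constructed sample: the sender has supplied its own folded X-mailcheck field.
SAMPLE = (
    "Received: from mail.example.org by mx.example.net; Sun, 5 Jan 2003 11:41:07 +0100\n"
    "From: sender@example.org\n"
    "X-mailcheck: ok\n"
    "\t(claimed by the sender)\n"
    "Subject: test\n"
    "X-MailScanner: Found to be clean\n"
    "X-MailScanner-SpamCheck: not spam\n"
    "\n"
    "Body mentioning X-mailcheck: must stay untouched\n"
)


def split_fields(header_block):
    """Split a header block into fields, keeping folded continuation lines attached."""
    fields = []
    for line in header_block.split("\n"):
        if line[:1] in (" ", "\t") and fields:
            fields[-1] += "\n" + line  # folded continuation of the previous field
        else:
            fields.append(line)
    return fields


def field_name(field):
    """Lower-cased header name: the text before the first colon."""
    return field.split(":", 1)[0].strip().lower()


def add_check_header(raw_message):
    """Return the message carrying exactly one, locally written, X-mailcheck field."""
    header_block, sep, body = raw_message.partition("\n\n")
    if not sep:  # headers only, no body
        header_block, sep = header_block.rstrip("\n"), "\n"
    fields = split_fields(header_block)

    # Drop every copy that came in with the message, folded lines included,
    # so a sender cannot pre-set the verdict a later filter will trust.
    fields = [f for f in fields if field_name(f) != EXTRA_NAME.lower()]

    # Exact name match: X-MailScanner-SpamCheck is a different field.
    # Assumption: the scanner appends its field after the received ones,
    # so the last X-MailScanner is the local one.
    hits = [i for i, f in enumerate(fields) if field_name(f) == SCANNER_NAME]
    position = hits[-1] + 1 if hits else len(fields)
    fields.insert(position, f"{EXTRA_NAME}: {EXTRA_VALUE}")
    return "\n".join(fields) + sep + body


if __name__ == "__main__":
    print(add_check_header(SAMPLE))
```
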
From P.G.M.Peters at civ.utwente.nl Sun Jan 5 12:35:31 2003
From: P.G.M.Peters at civ.utwente.nl (Peter Peters)
Date: Thu Jan 12 21:16:51 2006
Subject: spam.whitelist.rules and domain of sender does not exist
In-Reply-To: <5.2.0.9.2.20030103190556.02e30e40@imap.ecs.soton.ac.uk>
References: <004001c2b2a2$17945b80$9901a8c0@home.middlefinger.net> <20030103190312.22099.qmail@web41410.mail.yahoo.com> <5.2.0.9.2.20030103190556.02e30e40@imap.ecs.soton.ac.uk>
Message-ID: <5h9g1v83k6sdt2uq76rp7p807npr0mddku@4ax.com>

On Fri, 3 Jan 2003 19:08:35 +0000, you wrote:
>At 19:03 03/01/2003, you wrote:
>>Thanks for the response, I removed dnl from the line referenced below and
>>rebuilt the sendmail.cf and it is working now. I am curious to know if
>>anyone is aware of any security issues involved in allowing unresolvable
>>domains to send mail? What is the preferred setting for most people?
>
>Most people (AFAIK) don't allow messages from unresolvable domains as a
>mild anti-spam measure, as spammers used to use fake domain names. Anyone
>else got better reasons than that? It comes partly from the fact that if
>the domain name cannot be resolved, then you will never be able to deliver
>directly to the domain anyway, so why bother accepting the message at all?

This was the main reason when spammers used only fake domains. Nowadays spammers use existing domains so it won't work that well. But it turned out to be a good measure to prevent users from typing errors in their addresses. And to educate users who use munged addresses when using e-mail instead of only with usenet.
--
Peter Peters
senior network administrator, Centrum voor Informatievoorziening,
Universiteit Twente, Postbus 217, 7500 AE Enschede
telephone: +31 53 489 2301, fax:+31 53 489 2383, http://www.utwente.nl/civ

From bill at SPIS.NET Sun Jan 5 21:25:47 2003
From: bill at SPIS.NET (Bill Omer)
Date: Thu Jan 12 21:16:51 2006
Subject: MailScanner causing server to crash
Message-ID: <1041801959.1004.32.camel@bill>

I'm having a major problem with MailScanner (indirectly) and I am hoping that someone here may be able to help me with it. It seems that when MailScanner (4.10) is running, the server tends to reboot. However I don't believe that it is a problem with MailScanner. I say this because the server is running on a RAID5 setup with a Mylex DAC960 controller with Barracuda SCSI drives.

I suspect that the machine is rebooting due to the slowness of the RAID array. I'm not exactly sure though, but I do feel that it is directly related.

I'm currently running sendmail with spamass-milter with procmail to filter out and delete spam, but I would like to be able to filter viruses again. I have tried disabling Virus Scanning and Spam Checks, with both disabled the machine still crashes.

The crashes are random, sometimes the server will stay up and work correctly for a few days, sometimes it can't last an hour. The machine itself is a quad Xeon 500MHz setup with a gig and a half of ram, running RedHat 8.0. There is nothing in the log files to point anywhere since the machine is rebooting before it can write to syslog.

Could anyone offer any insight on this problem?

Regards,
Bill Omer

From rkeech at KEECH.CX Sun Jan 5 21:46:08 2003
From: rkeech at KEECH.CX (Richard Keech)
Date: Thu Jan 12 21:16:51 2006
Subject: MailScanner causing server to crash
In-Reply-To: <1041801959.1004.32.camel@bill>
References: <1041801959.1004.32.camel@bill>
Message-ID: <1041803169.1346.120.camel@ender.keech.cx>

Bill,

Run the system in runlevel 3 so you have a text console.
This will better let you see what messages are generated that might otherwise be lost.

You need to determine if it is experiencing a kernel panic. So the console messages at the time of the event are vital.

I suspect the only involvement with mailscanner is the load mailscanner places on the system.

regards

On Mon, 2003-01-06 at 08:25, Bill Omer wrote:
> I'm having a major problem with MailScanner (indirectly) and I am hoping
> that someone here may be able to help me with it. It seems that when
> MailScanner (4.10) is running, the server tends to reboot. However I
> don't believe that it is a problem with MailScanner. I say this because
> the server is running on a RAID5 setup with a Mylex DAC960 controller
> with Barracuda SCSI drives.
>
> I suspect that the machine is rebooting due to the slowness of the RAID
> array. I'm not exactly sure though, but I do feel that it is directly
> related.
>
> I'm currently running sendmail with spamass-milter with procmail to
> filter out and delete spam, but I would like to be able to filter
> viruses again. I have tried disabling Virus Scanning and Spam Checks,
> with both disabled the machine still crashes.
>
> The crashes are random, sometimes the server will stay up and work
> correctly for a few days, sometimes it can't last an hour. The machine
> itself is a quad Xeon 500MHz setup with a gig and a half of ram,
> running RedHat 8.0. There is nothing in the log files to point anywhere
> since the machine is rebooting before it can write to syslog.
>
> Could anyone offer any insight on this problem?
>
> Regards,
> Bill Omer
>
--
G.
Richard Keech Chief Instructor / Senior Consultant
Red Hat Asia-Pacific rkeech@redhat.com, richard@keech.cx
Melbourne Australia http://people.redhat.com/rkeech
+61-419-036-463 mobile +61-3-9370-5611 fax
Legal: http://apac.redhat.com/disclaimer

From bill at SPIS.NET Sun Jan 5 22:06:28 2003
From: bill at SPIS.NET (Bill Omer)
Date: Thu Jan 12 21:16:51 2006
Subject: MailScanner causing server to crash
In-Reply-To: <1041803169.1346.120.camel@ender.keech.cx>
References: <1041801959.1004.32.camel@bill> <1041803169.1346.120.camel@ender.keech.cx>
Message-ID: <1041804399.1004.38.camel@bill>

I do have a console on the machine, but the machine doesn't sit there dead, it power-cycles itself. That makes me want to believe that it's not a kernel panic.

I'm going to try the version 3 series of mailscanner and see what kind of results I get with that. Since it doesn't fork (as I understand it) it may not create such a load to cause the machine to reboot.

On Sun, 2003-01-05 at 15:46, Richard Keech wrote:
> Bill,
>
> Run the system in runlevel 3 so you have a text console.
> This will better let you see what messages are generated
> that might otherwise be lost.
>
> You need to determine if it is experiencing a kernel panic.
> So the console messages at the time of the event are vital.
>
> I suspect the only involvement with mailscanner is the load
> mailscanner places on the system.
>
> regards
>
> On Mon, 2003-01-06 at 08:25, Bill Omer wrote:
> > I'm having a major problem with MailScanner (indirectly) and I am hoping
> > that someone here may be able to help me with it. It seems that when
> > MailScanner (4.10) is running, the server tends to reboot. However I
> > don't believe that it is a problem with MailScanner. I say this because
> > the server is running on a RAID5 setup with a Mylex DAC960 controller
> > with Barracuda SCSI drives.
> >
> > I suspect that the machine is rebooting due to the slowness of the RAID
> > array.
> > I'm not exactly sure though, but I do feel that it is directly
> > related.
> >
> > I'm currently running sendmail with spamass-milter with procmail to
> > filter out and delete spam, but I would like to be able to filter
> > viruses again. I have tried disabling Virus Scanning and Spam Checks,
> > with both disabled the machine still crashes.
> >
> > The crashes are random, sometimes the server will stay up and work
> > correctly for a few days, sometimes it can't last an hour. The machine
> > itself is a quad Xeon 500MHz setup with a gig and a half of ram,
> > running RedHat 8.0. There is nothing in the log files to point anywhere
> > since the machine is rebooting before it can write to syslog.
> >
> > Could anyone offer any insight on this problem?
> >
> > Regards,
> > Bill Omer
> >
> --
> G. Richard Keech Chief Instructor / Senior Consultant
> Red Hat Asia-Pacific rkeech@redhat.com, richard@keech.cx
> Melbourne Australia http://people.redhat.com/rkeech
> +61-419-036-463 mobile +61-3-9370-5611 fax
> Legal: http://apac.redhat.com/disclaimer

From rkeech at KEECH.CX Sun Jan 5 22:25:25 2003
From: rkeech at KEECH.CX (Richard Keech)
Date: Thu Jan 12 21:16:51 2006
Subject: MailScanner causing server to crash
In-Reply-To: <1041804399.1004.38.camel@bill>
References: <1041801959.1004.32.camel@bill> <1041803169.1346.120.camel@ender.keech.cx> <1041804399.1004.38.camel@bill>
Message-ID: <1041805525.2176.131.camel@ender.keech.cx>

what value returns when you run

    cat /proc/sys/kernel/panic

if it is 0 then on a panic the system should wait indefinitely.
if it is non-zero, then it will wait that many seconds.

if it is not a kernel panic that you are seeing, and it is completely spontaneous with no log indication, then I'd be inclined to think that the problem is hardware related; either thermal or a memory problem.

On Mon, 2003-01-06 at 09:06, Bill Omer wrote:
> I do have a console on the machine, but the machine doesn't sit there
> dead, it power-cycles itself.
> That makes me want to believe that
> it's not a kernel panic.
>
> I'm going to try the version 3 series of mailscanner and see what kind
> of results I get with that. Since it doesn't fork (as I understand it)
> it may not create such a load to cause the machine to reboot.
>
>
>
> On Sun, 2003-01-05 at 15:46, Richard Keech wrote:
> > Bill,
> >
> > Run the system in runlevel 3 so you have a text console.
> > This will better let you see what messages are generated
> > that might otherwise be lost.
> >
> > You need to determine if it is experiencing a kernel panic.
> > So the console messages at the time of the event are vital.
> >
> > I suspect the only involvement with mailscanner is the load
> > mailscanner places on the system.
> >
> > regards
> >
> > On Mon, 2003-01-06 at 08:25, Bill Omer wrote:
> > > I'm having a major problem with MailScanner (indirectly) and I am hoping
> > > that someone here may be able to help me with it. It seems that when
> > > MailScanner (4.10) is running, the server tends to reboot. However I
> > > don't believe that it is a problem with MailScanner. I say this because
> > > the server is running on a RAID5 setup with a Mylex DAC960 controller
> > > with Barracuda SCSI drives.
> > >
> > > I suspect that the machine is rebooting due to the slowness of the RAID
> > > array. I'm not exactly sure though, but I do feel that it is directly
> > > related.
> > >
> > > I'm currently running sendmail with spamass-milter with procmail to
> > > filter out and delete spam, but I would like to be able to filter
> > > viruses again. I have tried disabling Virus Scanning and Spam Checks,
> > > with both disabled the machine still crashes.
> > >
> > > The crashes are random, sometimes the server will stay up and work
> > > correctly for a few days, sometimes it can't last an hour. The machine
> > > itself is a quad Xeon 500MHz setup with a gig and a half of ram,
> > > running RedHat 8.0.
> > > There is nothing in the log files to point anywhere
> > > since the machine is rebooting before it can write to syslog.
> > >
> > > Could anyone offer any insight on this problem?
> > >
> > > Regards,
> > > Bill Omer
> > >
> > --
> > G. Richard Keech Chief Instructor / Senior Consultant
> > Red Hat Asia-Pacific rkeech@redhat.com, richard@keech.cx
> > Melbourne Australia http://people.redhat.com/rkeech
> > +61-419-036-463 mobile +61-3-9370-5611 fax
> > Legal: http://apac.redhat.com/disclaimer
>
--
G. Richard Keech Chief Instructor / Senior Consultant
Red Hat Asia-Pacific rkeech@redhat.com, richard@keech.cx
Melbourne Australia http://people.redhat.com/rkeech
+61-419-036-463 mobile +61-3-9370-5611 fax
Legal: http://apac.redhat.com/disclaimer

From jim at ENTROPHY-FREE.NET Sun Jan 5 23:31:42 2003
From: jim at ENTROPHY-FREE.NET (Jim Levie)
Date: Thu Jan 12 21:16:51 2006
Subject: MailScanner causing server to crash
In-Reply-To: <1041804399.1004.38.camel@bill>
References: <1041801959.1004.32.camel@bill> <1041803169.1346.120.camel@ender.keech.cx> <1041804399.1004.38.camel@bill>
Message-ID: <1041809502.15633.6.camel@chaos.entrophy-free.net>

On Sun, 2003-01-05 at 16:06, Bill Omer wrote:
> I do have a console on the machine, but the machine doesn't sit there
> dead, it power-cycles itself. That makes me want to believe that
> it's not a kernel panic.
>

I take it that you've already examined the logs to see if anything interesting was logged before the reboot?

Is the system up to date w/respect to the 8.0 errata? I did see some spontaneous reboots on a dual processor 8.0 box before the first or second round of errata was made available. I keep the boxes up to date and haven't seen anything like that since.

> I'm going to try the version 3 series of mailscanner and see what kind
> of results I get with that. Since it doesn't fork (as I understand it)
> it may not create such a load to cause the machine to reboot.
>

System load, per se, won't cause the reboot.
However, if there's something flaky in the hardware configuration a high system load is more likely to expose the flaw.

What is the typical system load? How much memory is installed?

--
The instructions said to use Windows 98 or better, so I installed RedHat.

From bill at SPIS.NET Sun Jan 5 22:41:22 2003
From: bill at SPIS.NET (Bill Omer)
Date: Thu Jan 12 21:16:51 2006
Subject: MailScanner causing server to crash
In-Reply-To: <1041805525.2176.131.camel@ender.keech.cx>
References: <1041801959.1004.32.camel@bill> <1041803169.1346.120.camel@ender.keech.cx> <1041804399.1004.38.camel@bill> <1041805525.2176.131.camel@ender.keech.cx>
Message-ID: <1041806497.1004.41.camel@bill>

It returned a 0.

On Sun, 2003-01-05 at 16:25, Richard Keech wrote:
> what value returns when you run
>
>     cat /proc/sys/kernel/panic
>
>
> if it is 0 then on a panic the system should wait indefinitely.
> if it is non-zero, then it will wait that many seconds.
>
> if it is not a kernel panic that you are seeing, and it is
> completely spontaneous with no log indication, then I'd
> be inclined to think that the problem is hardware related;
> either thermal or a memory problem.
>
> On Mon, 2003-01-06 at 09:06, Bill Omer wrote:
> > I do have a console on the machine, but the machine doesn't sit there
> > dead, it power-cycles itself. That makes me want to believe that
> > it's not a kernel panic.
> >
> > I'm going to try the version 3 series of mailscanner and see what kind
> > of results I get with that. Since it doesn't fork (as I understand it)
> > it may not create such a load to cause the machine to reboot.
> >
> >
> >
> > On Sun, 2003-01-05 at 15:46, Richard Keech wrote:
> > > Bill,
> > >
> > > Run the system in runlevel 3 so you have a text console.
> > > This will better let you see what messages are generated
> > > that might otherwise be lost.
> > >
> > > You need to determine if it is experiencing a kernel panic.
> > > So the console messages at the time of the event are vital.
> > >
> > > I suspect the only involvement with mailscanner is the load
> > > mailscanner places on the system.
> > >
> > > regards
> > >
> > > On Mon, 2003-01-06 at 08:25, Bill Omer wrote:
> > > > I'm having a major problem with MailScanner (indirectly) and I am hoping
> > > > that someone here may be able to help me with it. It seems that when
> > > > MailScanner (4.10) is running, the server tends to reboot. However I
> > > > don't believe that it is a problem with MailScanner. I say this because
> > > > the server is running on a RAID5 setup with a Mylex DAC960 controller
> > > > with Barracuda SCSI drives.
> > > >
> > > > I suspect that the machine is rebooting due to the slowness of the RAID
> > > > array. I'm not exactly sure though, but I do feel that it is directly
> > > > related.
> > > >
> > > > I'm currently running sendmail with spamass-milter with procmail to
> > > > filter out and delete spam, but I would like to be able to filter
> > > > viruses again. I have tried disabling Virus Scanning and Spam Checks,
> > > > with both disabled the machine still crashes.
> > > >
> > > > The crashes are random, sometimes the server will stay up and work
> > > > correctly for a few days, sometimes it can't last an hour. The machine
> > > > itself is a quad Xeon 500MHz setup with a gig and a half of ram,
> > > > running RedHat 8.0. There is nothing in the log files to point anywhere
> > > > since the machine is rebooting before it can write to syslog.
> > > >
> > > > Could anyone offer any insight on this problem?
> > > >
> > > > Regards,
> > > > Bill Omer
> > > >
> > > --
> > > G. Richard Keech Chief Instructor / Senior Consultant
> > > Red Hat Asia-Pacific rkeech@redhat.com, richard@keech.cx
> > > Melbourne Australia http://people.redhat.com/rkeech
> > > +61-419-036-463 mobile +61-3-9370-5611 fax
> > > Legal: http://apac.redhat.com/disclaimer
> >
> --
> G.
> Richard Keech Chief Instructor / Senior Consultant
> Red Hat Asia-Pacific rkeech@redhat.com, richard@keech.cx
> Melbourne Australia http://people.redhat.com/rkeech
> +61-419-036-463 mobile +61-3-9370-5611 fax
> Legal: http://apac.redhat.com/disclaimer

From bill at SPIS.NET Sun Jan 5 22:48:10 2003
From: bill at SPIS.NET (Bill Omer)
Date: Thu Jan 12 21:16:51 2006
Subject: MailScanner causing server to crash
In-Reply-To: <1041809502.15633.6.camel@chaos.entrophy-free.net>
References: <1041801959.1004.32.camel@bill> <1041803169.1346.120.camel@ender.keech.cx> <1041804399.1004.38.camel@bill> <1041809502.15633.6.camel@chaos.entrophy-free.net>
Message-ID: <1041806903.1004.47.camel@bill>

On Sun, 2003-01-05 at 17:31, Jim Levie wrote:
> On Sun, 2003-01-05 at 16:06, Bill Omer wrote:
> > I do have a console on the machine, but the machine doesn't sit there
> > dead, it power-cycles itself. That makes me want to believe that
> > it's not a kernel panic.
> >
> I take it that you've already examined the logs to see if anything
> interesting was logged before the reboot?

I try to monitor the logs as much as possible, but I've yet to see anything related to this problem.

>
> Is the system up to date w/respect to the 8.0 errata? I did see some
> spontaneous reboots on a dual processor 8.0 box before the first or
> second round of errata was made available. I keep the boxes up to date
> and haven't seen anything like that since.
>
> > I'm going to try the version 3 series of mailscanner and see what kind
> > of results I get with that. Since it doesn't fork (as I understand it)
> > it may not create such a load to cause the machine to reboot.
> >
> System load, per se, won't cause the reboot. However, if there's
> something flaky in the hardware configuration a high system load is more
> likely to expose the flaw.
>
> What is the typical system load? How much memory is installed?

With MailScanner running, around 1.5. With only sendmail with spamass-milter running, around 0.5.

There's a gig of ram installed (I earlier said a gig and a half, I was mistaken). Quad Xeon 500MHz cpu's.

Again, without MailScanner running, I've been able to get over a week of uptime. With it running, it never goes more than a day or two. And that is with Virus Scanner = no and Spam Checks = no.

-B

> --
> The instructions said to use Windows 98 or better, so I installed
> RedHat.

From jim at ENTROPHY-FREE.NET Mon Jan 6 00:34:55 2003
From: jim at ENTROPHY-FREE.NET (Jim Levie)
Date: Thu Jan 12 21:16:51 2006
Subject: MailScanner causing server to crash
In-Reply-To: <1041806903.1004.47.camel@bill>
References: <1041801959.1004.32.camel@bill> <1041803169.1346.120.camel@ender.keech.cx> <1041804399.1004.38.camel@bill> <1041809502.15633.6.camel@chaos.entrophy-free.net> <1041806903.1004.47.camel@bill>
Message-ID: <1041813295.15579.22.camel@chaos.entrophy-free.net>

On Sun, 2003-01-05 at 16:48, Bill Omer wrote:
> On Sun, 2003-01-05 at 17:31, Jim Levie wrote:
> > >
> > I take it that you've already examined the logs to see if anything
> > interesting was logged before the reboot?
>
> I try to monitor the logs as much as possible, but I've yet to see
> anything related to this problem.
>

I figured as much...

> >
> > Is the system up to date w/respect to the 8.0 errata? I did see some
> > spontaneous reboots on a dual processor 8.0 box before the first or
> > second round of errata was made available. I keep the boxes up to date
> > and haven't seen anything like that since.
> >

What about the RedHat updates for 8.0? Are they in place?

> >
> > What is the typical system load? How much memory is installed?
>
> With MailScanner running, around 1.5. With only sendmail with
> spamass-milter running, around 0.5.
>

System load doesn't sound like it is your problem. A load average of 1.5 is pretty much nothing. Now if it was running 15-20 that might be cause for concern.

> There's a gig of ram installed (I earlier said a gig and a half, I was
> mistaken). Quad Xeon 500MHz cpu's.
>

That should be plenty of memory for a mail server/scanner unless there are other demands on RAM. How much swap space is typically in use?

> Again, without MailScanner running, I've been able to get over a week of
> uptime. With it running, it never goes more than a day or two. And
> that is with Virus Scanner = no and Spam Checks = no.
>

MailScanner bangs on the disk quite a bit as compared to just sendmail/procmail. My suspicion is that the fault is associated with the disk subsystem activity. Are the system and RAID controller BIOS versions current?

--
The instructions said to use Windows 98 or better, so I installed RedHat.

From nerijus at USERS.SOURCEFORGE.NET Mon Jan 6 01:39:10 2003
From: nerijus at USERS.SOURCEFORGE.NET (Nerijus Baliunas)
Date: Thu Jan 12 21:16:51 2006
Subject: MailScanner causing server to crash
In-Reply-To: <8C94C6E8-210B-11D7-948E-000393D6F5B0@lemon-computing.com>
References: <8C94C6E8-210B-11D7-948E-000393D6F5B0@lemon-computing.com>
Message-ID: <200301060140.h061e0i1032591@mx.ktv.lt>

Please take this discussion offline, it is totally offtopic. One suggestion though - run http://www.memtest86.com.

Nerijus

From mailscanner at ecs.soton.ac.uk Mon Jan 6 04:00:35 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:51 2006
Subject: MailScanner causing server to crash
In-Reply-To: <1041813295.15579.22.camel@chaos.entrophy-free.net>
References: <1041806903.1004.47.camel@bill> <1041801959.1004.32.camel@bill> <1041803169.1346.120.camel@ender.keech.cx> <1041804399.1004.38.camel@bill> <1041809502.15633.6.camel@chaos.entrophy-free.net> <1041806903.1004.47.camel@bill>
Message-ID: <5.2.0.9.2.20030106035912.01fcb010@imap.ecs.soton.ac.uk>

At 00:34 06/01/2003, you wrote:
>MailScanner bangs on the disk quite a bit as compared to just
>sendmail/procmail. My suspicion is that the fault is associated with the
>disk subsystem activity.

You can considerably reduce the amount of disk traffic by moving the "incoming" and "quarantine" directories onto /dev/shm (ie into tmpfs) as you should have plenty of RAM spare to do it with.

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From tdavis at COMSTECH.COM Mon Jan 6 03:59:47 2003
From: tdavis at COMSTECH.COM (Troy Davis)
Date: Thu Jan 12 21:16:51 2006
Subject: Header not being written too
Message-ID:

RH 8.0
Sendmail
Standard .conf file

When I send an email to someone on that machine, when I look at the email in /var/spool/mail there is no extra header that the mail scanner should be adding.

Any help where to check what is not happening would be great..

# service MailScanner status
Checking MailScanner daemons:
         MailScanner: [ OK ]
         incoming sendmail: [ OK ]
         outgoing sendmail: [ OK ]

Thanks
Troy

From ucs_rat at SHSU.EDU Mon Jan 6 02:09:35 2003
From: ucs_rat at SHSU.EDU (Robert A. Thompson)
Date: Thu Jan 12 21:16:51 2006
Subject: MailScanner causing server to crash
In-Reply-To: <8C94C6E8-210B-11D7-948E-000393D6F5B0@lemon-computing.com>
References: <8C94C6E8-210B-11D7-948E-000393D6F5B0@lemon-computing.com>
Message-ID: <1041818975.7328.36.camel@ra.thethompsonhouse.com>

we use DAC960 hardware and have seen similar things. Usually from pushing scsi limits (e.g. too long of cable, improper cable, etc.). The drives are fine and are logged in /var/log/messages along with dmesg. You can control the drives with /proc/rd/c0/user_command (where c0 stands for controller 0). You can see what is going on with /proc/rd/c0/current_status. I have a script that dumps the status to a port and a little visual c program that our helpdesk uses to monitor the status of the raid (since converted to VB).
Even wrote a mon script at one point to parse the output and notify me of a failed drive, and planning on writing a nagios module for it (however this is low priority since I quit building things that pushed the scsi limits, drives don't fail).

Once notified, you can

    echo "make-online channel:ID" > /proc/rd/c0/user_command

replacing channel and ID with the correct channel and ID of the drive that is dead.

If you boot off the raid and lose 2 drives (or as I often see a channel) you will have a kernel panic. If you're mounting /var/spool/mail on the raid then you will find your machine almost hangs just b/c of the amount of processing going on trying to find where to put mail on a busy server.

Hope this helps, and if you have any questions please feel free to contact me directly.

--rat

On Sun, 2003-01-05 at 18:12, Nick Phillips wrote:
> On Monday, January 6, 2003, at 01:34 pm, Jim Levie wrote:
>
> > MailScanner bangs on the disk quite a bit as compared to just
> > sendmail/procmail. My suspicion is that the fault is associated with
> > the
> > disk subsystem activity.
>
> Are you getting log messages from the DAC960 driver at all? You might
> want to check
> that by, say, fiddling with the control files in /proc (sorry, can't
> remember which ones) to manually take a drive offline and see whether
> it gets logged.
>
> It's just that I've seen problems with a DAC960 before where there were
> communication errors between the controller and the drives (introduced
> by the drive bay's backplane, IIRC), which caused the drives to be
> marked as bad by the controller, one after the other.
>
> Once they were all down, kernel panic followed, IIRC.
>
> What type of server is it (brand, model etc.)?
>
>
>
> Cheers,
>
>
> Nick

From lists at MASONC.COM Mon Jan 6 10:03:36 2003
From: lists at MASONC.COM (Chris Mason)
Date: Thu Jan 12 21:16:51 2006
Subject: Mailscanner and f-prot
Message-ID: <000001c2b56a$e1439a20$7300a8c0@poseiden>

I downloaded and installed the free Linux server f-prot and it seems to work well, is there a rpm that will install mailscanner on a Redhat 7.3 server without much bother?

I'm using spamassassin as well, will it integrate OK?

Chris Mason
masonc@masonc.com
Box 340, The Valley, Anguilla, British West Indies
Tel: 264 497 5670 Fax: 264 497 8463 Cell: 264 235 5670
http://www.anguillaguide.com/ The Anguilla Guide
Talk to me in real time: Yahoo:netconcepts_anguilla
US Fax and Voicemail: (815)301-9759

From mailscanner at ecs.soton.ac.uk Mon Jan 6 10:48:02 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:51 2006
Subject: Header not being written too
In-Reply-To:
Message-ID: <5.2.0.9.2.20030106104704.0296cab8@imap.ecs.soton.ac.uk>

At 03:59 06/01/2003, you wrote:
>RH 8.0
>Sendmail
>Standard .conf file
>When I send an email to someone on that machine, when I look at the email in
>/var/spool/mail there is no extra header that the mail scanner should be
>adding.
>
>Any help where to check what is not happening would be great..
># service MailScanner status
>Checking MailScanner daemons:
>         MailScanner: [ OK ]
>         incoming sendmail: [ OK ]
>         outgoing sendmail: [ OK ]

Make sure you have done a

    service sendmail stop

before you did

    service MailScanner start

It sounds like your original sendmail process might still be alive.
>Thanks >Troy -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Mon Jan 6 10:51:51 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:51 2006 Subject: Mailscanner and f-prot In-Reply-To: <000001c2b56a$e1439a20$7300a8c0@poseiden> Message-ID: <5.2.0.9.2.20030106105007.02d84e78@imap.ecs.soton.ac.uk> At 10:03 06/01/2003, you wrote: >I downloaded and installed the free Linux server f-prot and it seems to >work well, is there a rp,m that will install mailscanner on a Redhat 7.3 >server without much bother? Have you tried looking at the MailScanner web site before asking this? I advise you try the "Downloads" page. >I'm using spamassassin as well, will it integrate OK? Again, please RTM. The answer is yes. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From j.cormie at ABERTAY.AC.UK Mon Jan 6 13:43:57 2003 From: j.cormie at ABERTAY.AC.UK (Jason Cormie) Date: Thu Jan 12 21:16:51 2006 Subject: Exim Weirdness Message-ID: Mailscanner 3.26 Exim 3.35 just back from my hols looking at my mailscanner box. used eximstats to look at this mornings exim logs and found this... List of errors -------------- 1 0010295@ABERTAY.AC.UK: retry timeout exceeded 1 0010295@abertay.ac.uk: retry timeout exceeded 1 0010314@TAY.AC.UK: retry timeout exceeded 1 0010314@tay.ac.uk: retry timeout exceeded 1 0010331@abertay.ac.uk: retry timeout exceeded ....... These are all valid addresses which mailscanner should pickup scan then pass onto our exchange box I also found this which is disturbing... This message was created automatically by mail delivery software (Exim). A message that you sent could not be delivered to one or more of its recipients. This is a permanent error. 
The following address(es) failed: w.robb@abertay.ac.uk remote host address is the local host: retry timeout exceeded This is an address that should have been passed to exchange server. From mailscanner at ecs.soton.ac.uk Mon Jan 6 15:31:18 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:51 2006 Subject: Exim Weirdness In-Reply-To: Message-ID: <5.2.0.9.2.20030106153051.055be3d0@imap.ecs.soton.ac.uk> MailScanner does not get involved with the delivery process at all, so I don't think this is likely to be a MailScanner problem. At 13:43 06/01/2003, you wrote: >Mailscanner 3.26 >Exim 3.35 > >just back from my hols looking at my mailscanner box. >used eximstats to look at this mornings exim logs and found this... > >List of errors >-------------- > > 1 0010295@ABERTAY.AC.UK: retry timeout exceeded > > 1 0010295@abertay.ac.uk: retry timeout exceeded > > 1 0010314@TAY.AC.UK: retry timeout exceeded > > 1 0010314@tay.ac.uk: retry timeout exceeded > > 1 0010331@abertay.ac.uk: retry timeout exceeded > > >....... > >These are all valid addresses which mailscanner should pickup scan then pass >onto our exchange box >I also found this which is disturbing... > > This message was created automatically by mail delivery software >(Exim). > > A message that you sent could not be delivered to one or more of its > recipients. This is a permanent error. The following address(es) >failed: > > w.robb@abertay.ac.uk > remote host address is the local host: retry timeout >exceeded > >This is an address that should have been passed to exchange server. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From MHewryk at SYMCOR.COM Mon Jan 6 15:42:42 2003 From: MHewryk at SYMCOR.COM (Magda Hewryk) Date: Thu Jan 12 21:16:51 2006 Subject: MailScanner forwards only " localdomain.localhost" emails to SpamAssassin Spam Checks: Found 1 spam messag Message-ID: Hello, I've installed and configured MailScanner v. 
4.10 with SpamAssassin v. 2.43. It works OK (rbl disabled) but only if it
sees the FROM ADDRESS like "...@localhost.localdomain" for eg.
root@localhost.localdomain. In the summary if it is " from=" Spam Assassin is
called and it checks email for spam.

I accomplished it (sending email from xxx@localhost.localdomain) by changing
hosts file:

127.0.0.1 myhost localhost.localdomain localhost
xxx.xxx.22.22 myhost myhost.mydomain.com

At the end of maillog you can see that Spam Check worked and found a spam
message!

/var/log/maillog:
Jan 2 11:32:38 myhost sendmail[28023]: h02GWc7o028023: from=root size=28, class=0, nrcpts=1, msgid =<200301021632.h02GWc7o028023@localhost.localdomain>, relay=root@localhost
Jan 2 11:32:39 myhost sendmail[28029]: h02GWcLh028029: from =, size=333, class=0, nrcpts=1, msgid =<200301021632.h02GWc7o028023@localhost.localdomain>, proto=ESMTP, daemon=MTA, relay=myhost [127.0.0.1]
Jan 2 11:32:39 myhost sendmail[28029]: h02GWcLh028029: to =, delay=00:00:01, mailer=esmtp, pri=30328, stat=queued
Jan 2 11:32:40 myhost sendmail[28023]: h02GWc7o028023: to=maga@symcor.com, ctladdr=root (500/500), delay=00:00:02, xdelay=00:00:02, mailer=relay, pri=30023, relay=localhost.localdomain. [127.0.0.1], dsn=2.0.0, stat=Sent (h02GWcLh028029 Message accepted for delivery)
Jan 2 11:32:41 myhost MailScanner[26429]: New Batch: Found 2 messages waiting
Jan 2 11:32:41 myhost MailScanner[26429]: New Batch: Scanning 1 messages, 789 bytes
Jan 2 11:33:11 myhost MailScanner[26519]: Spam Checks: Found 1 spam messages

PROBLEM:
If MailScanner/SpamAssassin sees that email is sent from eg.
root@myhost.mydomain.com or any other domain it doesn't call SpamAssassin and
doesn't do the spam check OR SpamAssassin doesn't do the Spam Check. In
summary if the line is like this: from= or from= Spam Check is not performed.

This is my hosts file for the example above.
127.0.01 localhost.localdomain localhost
xxx.xxx.22.22 myhost myhost.mydomain.com

I've disabled all rules in MailScanner.conf making sure that domains.to.scan
and whitelists are not set up so stopping mydomain or anydomain by rules
shouldn't be the issue.

Any hint what I'm missing here.

Thanks,
Magda Hewryk

From andrewh at CQG.COM Mon Jan 6 16:29:15 2003
From: andrewh at CQG.COM (Andrew M. Hoying)
Date: Thu Jan 12 21:16:51 2006
Subject: OT: Dynamically updating /etc/mail/access
Message-ID: <8A6DFB0865502242A29E25BDAEFBB9451ABE6A@d2sexchtest.cqg.com>

Hello,

Every day I go through and pull the top spamming domains and relays,
except for the common ones that legitimate mail also comes from, verify
them in net-abuse.sightings and add them to /etc/mail/access as
REJECTed. Is there any program which dynamically updates with new
spamming domains, and verified by a human, which can be used to update
the /etc/mail/access.db file in near real time, instead of a day later
like I usually do?

Thanks,
Andrew

From thomas_duvally at BROWN.EDU Mon Jan 6 16:32:43 2003
From: thomas_duvally at BROWN.EDU (Thomas DuVally)
Date: Thu Jan 12 21:16:51 2006
Subject: Negative SA value and scoring
Message-ID: <1041870763.4148.13.camel@croithine>

Question:
If Spam Assassin returned a negative score for a piece of mail, would
MailScanner still add a "Spam Score" (the sssss) to the message? I'm
seeing some messages that don't have a Spam Report attached, but are
getting a Spam Score of less than the threshold. The message IS spam,
but has some phrases that could give it a negative value in SA.

Does MailScanner handle the minus sign right for SpamScore like it does
for SpamReport?

--
Thomas J. DuVally
Lead Systems Prog.
CIS, Brown Univ.
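
The daily procedure Andrew M. Hoying describes above (reviewed spam sources added to /etc/mail/access as REJECT, leaving out domains that legitimate mail also comes from), as an added example that is not from any poster or from MailScanner. The function name, the file layout and all sample entries are constructed; the guards cover keys that sendmail's access map would match more broadly than intended (a name with no dot, a partial IPv4 address, or anything overlapping an allowlisted name).

```shell
#!/bin/sh
# Added example (not from the thread): build REJECT entries for sendmail's
# access map from a human-reviewed candidate list. All names are constructed.

# build_rejects CANDIDATES ALLOWLIST CURRENT_ACCESS
#   stdout: new "key<TAB>REJECT" lines; stderr: skipped keys with the reason.
build_rejects() {
    awk -v allow="$2" -v current="$3" '
    function skip(k, why) { printf "skipped %s: %s\n", k, why > "/dev/stderr" }
    BEGIN {
        # Domains that legitimate mail also comes from.
        while ((getline line < allow) > 0) {
            key = tolower(line); gsub(/[ \t\r]/, "", key)
            if (key != "" && key !~ /^#/) allowed[key] = 1
        }
        # Keys already in the access file, whatever their action.
        while ((getline line < current) > 0) {
            if (split(line, f, " ") > 0 && f[1] !~ /^#/) present[tolower(f[1])] = 1
        }
    }
    {
        key = tolower($1); sub(/\.$/, "", key)
        if (key == "" || key ~ /^#/) next
        if (key !~ /^[a-z0-9.-]+$/) { skip(key, "unexpected characters"); next }
        # A key with no dot would match a whole top-level domain.
        if (key !~ /\./) { skip(key, "no dot"); next }
        # An all-numeric key shorter than four octets matches a network.
        if (key ~ /^[0-9.]+$/) {
            n = split(key, o, "."); ok = (n == 4)
            for (i = 1; i <= n; i++) if (o[i] == "" || o[i] + 0 > 255) ok = 0
            if (!ok) { skip(key, "not a full IPv4 address"); next }
        }
        # A domain key also covers every host below it, so skip anything
        # equal to, above or below an allowlisted name.
        for (a in allowed) {
            la = length(a); lk = length(key)
            if (a == key ||
                (la > lk && substr(a, la - lk) == ("." key)) ||
                (lk > la && substr(key, lk - la) == ("." a))) {
                skip(key, "overlaps allowlisted " a); next
            }
        }
        if ((key in present) || (key in seen)) next
        seen[key] = 1
        printf "%s\tREJECT\n", key
    }' "$1"
}

# Constructed sample data: candidates, allowlist, existing access file.
demo() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' '# reviewed candidates' spam-source.example \
        Bulk.Mailer.Example. SPAM-SOURCE.example example.net \
        lists.example.org com 203.0.113.7 203.0 already.example \
        'bad_chars!.example' > "$dir/candidates"
    printf '%s\n' mx.example.net example.org > "$dir/allow"
    printf '%s\tREJECT\n' already.example > "$dir/access"
    build_rejects "$dir/candidates" "$dir/allow" "$dir/access"
    rm -rf "$dir"
}

# Review the output, append it to /etc/mail/access, then rebuild the map:
#   makemap hash /etc/mail/access < /etc/mail/access
demo
```

Skipped keys go to stderr with the reason, so a cron run can mail them to the person doing the review instead of silently dropping them.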
From mike at CAMAROSS.NET Mon Jan 6 16:41:04 2003 From: mike at CAMAROSS.NET (Mike Kercher) Date: Thu Jan 12 21:16:51 2006 Subject: Dynamically updating /etc/mail/access In-Reply-To: <8A6DFB0865502242A29E25BDAEFBB9451ABE6A@d2sexchtest.cqg.com> Message-ID: <000401c2b5a2$682fd5d0$6901a8c0@home.middlefinger.net> http://staff.cie.uce.ac.uk/~dwhile/mailstats/ -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Andrew M. Hoying Sent: Monday, January 06, 2003 10:29 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: OT: Dynamically updating /etc/mail/access Hello, Every day I go through and pull the top spamming domains and relays, except for the common ones that legitimate mail also comes from, verify them in net-abuse.sightings and add them to /etc/mail/access as REJECTed. Is there any program which dynamically updates with new spamming domains, and verified by a human, which can be used to update the /etc/mail/access.db file in near real time, instead of a day later like I usually do? Thanks, Andrew From richard at HELPPLC.COM Mon Jan 6 17:00:49 2003 From: richard at HELPPLC.COM (Richard Sidlin) Date: Thu Jan 12 21:16:51 2006 Subject: Sophos Update File Message-ID: <000d01c2b5a5$2ce1ebf0$1d00000a@rich> Up to now, the file name has been linux.intel.libc6.tar.z but now, from the CD, the .z is missing. How would I install this update please. Richard Sidlin Help Internet Ltd 8 Brownfields Court Welwyn Garden City Herts AL7 1AJ T 01707 897111 F 01707 897143 M 07970 289773 E richard@helpinternet.co.uk From Kevin.Spicer at BMRB.CO.UK Mon Jan 6 17:04:02 2003 From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin) Date: Thu Jan 12 21:16:51 2006 Subject: Sophos Update File Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0A32BFE@pascal.priv.bmrb.co.uk> > Up to now, the file name has been linux.intel.libc6.tar.z but > now, from > the CD, the .z is missing. How would I install this update please. 
The version on the web has the correct name - I'd recommend using the web version as the CD version is always a month out of date - which means you have to upgrade it every two months (when they stop supplying IDE files for it), whereas the web version only needs upgrading every three months. But maybe I'm just lazy.... From richard at HELPPLC.COM Mon Jan 6 17:10:08 2003 From: richard at HELPPLC.COM (Richard Sidlin) Date: Thu Jan 12 21:16:51 2006 Subject: Sophos Update File In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB0A32BFE@pascal.priv.bmrb.co.uk> Message-ID: <000e01c2b5a6$79e6c280$1d00000a@rich> I don't have a web login, I only receive the disk :-) > -----Original Message----- > From: MailScanner mailing list > [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Spicer, Kevin > Sent: 06 January 2003 17:04 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Sophos Update File > > > > Up to now, the file name has been linux.intel.libc6.tar.z but > > now, from > > the CD, the .z is missing. How would I install this update please. > > The version on the web has the correct name - I'd recommend > using the web version as the CD version is always a month out > of date - which means you have to upgrade it every two months > (when they stop supplying IDE files for it), whereas the web > version only needs upgrading every three months. > > But maybe I'm just lazy.... > From mailscanner at ecs.soton.ac.uk Mon Jan 6 17:13:14 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:51 2006 Subject: Sophos Update File In-Reply-To: <000d01c2b5a5$2ce1ebf0$1d00000a@rich> Message-ID: <5.2.0.9.2.20030106171219.0545c4b0@imap.ecs.soton.ac.uk> At 17:00 06/01/2003, you wrote: >Up to now, the file name has been linux.intel.libc6.tar.z but now, from >the CD, the .z is missing. How would I install this update please. 
In which case
    cd /tmp
    tar xvf linux.intel.libc6.tar
    Sophos.install
or else
    cd /tmp
    compress linux.intel.libc6.tar
    Sophos.install
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Mon Jan 6 17:11:50 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:51 2006
Subject: Negative SA value and scoring
In-Reply-To: <1041870763.4148.13.camel@croithine>
Message-ID: <5.2.0.9.2.20030106171107.0548fc30@imap.ecs.soton.ac.uk>

At 16:32 06/01/2003, you wrote:
>Question:
> If Spam Assassin returned a negative score for a piece of mail, would
>MailScanner still add a "Spam Score" (the sssss) to the message? I'm
>seeing some messages that don't have a Spam Report attached, but are
>getting a Spam Score of less than the threshold. The message IS spam,
>but has some phrases that could give it a negative value is SA.
>
> Does MailScanner handle the minus sign right for SpamScore like
> it does
>for SpamReport?

Can you give me an example of exactly what you mean?
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Mon Jan 6 17:15:48 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:51 2006
Subject: Sophos Update File
In-Reply-To: <000e01c2b5a6$79e6c280$1d00000a@rich>
References: <5C0296D26910694BB9A9BBFC577E7AB0A32BFE@pascal.priv.bmrb.co.uk>
Message-ID: <5.2.0.9.2.20030106171510.0548f8e0@imap.ecs.soton.ac.uk>

In which case I advise you email them all the relevant info about your
purchase, and ask for a web login.
At 17:10 06/01/2003, you wrote: >I don't have a web login, I only receive the disk :-) > > > -----Original Message----- > > From: MailScanner mailing list > > [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Spicer, Kevin > > Sent: 06 January 2003 17:04 > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: Re: Sophos Update File > > > > > > > Up to now, the file name has been linux.intel.libc6.tar.z but > > > now, from > > > the CD, the .z is missing. How would I install this update please. > > > > The version on the web has the correct name - I'd recommend > > using the web version as the CD version is always a month out > > of date - which means you have to upgrade it every two months > > (when they stop supplying IDE files for it), whereas the web > > version only needs upgrading every three months. > > > > But maybe I'm just lazy.... > > -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From thomas_duvally at BROWN.EDU Mon Jan 6 18:44:04 2003 From: thomas_duvally at BROWN.EDU (Thomas DuVally) Date: Thu Jan 12 21:16:51 2006 Subject: Negative SA value and scoring In-Reply-To: <5.2.0.9.2.20030106171107.0548fc30@imap.ecs.soton.ac.uk> References: <5.2.0.9.2.20030106171107.0548fc30@imap.ecs.soton.ac.uk> Message-ID: <1041878643.4150.37.camel@croithine> This message received a SpamScore of ss (2), but got no report and did NOT get logged as spam in syslogd. I am using 2.41 of SA, which I know has and older ruleset, but I think this is regardless of the rules. MS seems to be acting on the results of SA. Looking at the code in Message.pm, the function to handle sascore doesn't check the result of SAsaysspam. It just sees the score and acts on it as an integer. Does that possibly ignore the minus sign? 
From: Melissia Ozer
To:
Subject: user_name Cure Employment Stagnation
Date: Sun, 05 Jan 2003 11:34:31 -0500
Mime-Version: 1.0
Content-Type: text/html
Message-Id:
X-Brown-MailScanner: Found to be clean
X-Brown-MailScanner-SpamScore: ss

Hi , user_name

YOUR DEGREE MAY BE CLOSER THAN YOU THINK
We remove the obstacles that cause adults to abandon hope.
DID YOU KNOW that you could earn your legitimate Associate's, Bachelor's, Master's or even
Doctorate degree, utilizing your already existing professional or academic expertise?

Prepare for the professional advancement you deserve
If you are an adult with a *CLIP* On Mon, 2003-01-06 at 12:11, Julian Field wrote: > At 16:32 06/01/2003, you wrote: > >Question: > > If Spam Assassin returned a negative score for a piece of mail, would > >MailScanner still add a "Spam Score" (the sssss) to the message? I'm > >seeing some messages that don't have a Spam Report attached, but are > >getting a Spam Score of less than the threshold. The message IS spam, > >but has some phrases that could give it a negative value is SA. > > > > Does MailScanner handle the minus sign right for SpamScore like > > it does > >for SpamReport? > > Can you give me an example of exactly what you mean? > -- > Julian Field > www.MailScanner.info > MailScanner thanks transtec Computers for their support -- Thomas DuVally Lead Sys. Prog. CIS, Brown Univ. 401.863.9466 From mailscanner at ecs.soton.ac.uk Mon Jan 6 18:51:22 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:51 2006 Subject: Negative SA value and scoring In-Reply-To: <1041878643.4150.37.camel@croithine> References: <5.2.0.9.2.20030106171107.0548fc30@imap.ecs.soton.ac.uk> <5.2.0.9.2.20030106171107.0548fc30@imap.ecs.soton.ac.uk> Message-ID: <5.2.0.9.2.20030106184528.02d77d70@imap.ecs.soton.ac.uk> At 18:44 06/01/2003, you wrote: >This message received a SpamScore of ss (2), but got no report and did >NOT get logged as spam in syslogd. If the score (2) is less than your "Required SpamAssassin Score" value, then this is exactly what you should see. This means that your users can filter on SA scores less than your defined threshold, if they want to. If you want to always get the spam header, you have to tell it to always include it. > I am using 2.41 of SA, which I know >has and older ruleset, but I think this is regardless of the rules. MS >seems to be acting on the results of SA. > Looking at the code in Message.pm, the function to handle sascore >doesn't check the result of SAsaysspam. It just sees the score and acts >on it as an integer. 
Does that possibly ignore the minus sign? No. >From: Melissia Ozer >To: >Subject: user_name Cure Employment Stagnation >Date: Sun, 05 Jan 2003 11:34:31 -0500 >Mime-Version: 1.0 >Content-Type: text/html >Message-Id: >X-Brown-MailScanner: Found to be clean >X-Brown-MailScanner-SpamScore: ss > >Hi , user_name > >YOUR DEGREE MAY BE CLOSER THAN YOU THINK >We remove the obstacles that cause adults to abandon hope. >DID YOU KNOW that you could earn your legitimate Associate's, Bachelor's, >Master's or even >Doctorate degree, utilizing your already existing professional or academic >expertise? > >Prepare for the professional advancement you deserve >If you are an adult with a *CLIP* On Mon, 2003-01-06 at 12:11, Julian >Field wrote: > At 16:32 06/01/2003, you wrote: > >Question: > > If Spam >Assassin returned a negative score for a piece of mail, >would > >MailScanner still add a "Spam Score" (the sssss) to the message? >I'm > >seeing some messages that don't have a Spam Report attached, but >are > >getting a Spam Score of less than the threshold. The message IS >spam, > >but has some phrases that could give it a negative value is >SA. > > > > Does MailScanner handle the minus sign right for SpamScore >like > > it does > >for SpamReport? > > Can you give me an example of >exactly what you mean? > -- > Julian Field > www.MailScanner.info > >MailScanner thanks transtec Computers for their support -- Thomas DuVally >Lead Sys. Prog. CIS, Brown Univ. 
401.863.9466 -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From thomas_duvally at BROWN.EDU Mon Jan 6 19:25:19 2003 From: thomas_duvally at BROWN.EDU (Thomas DuVally) Date: Thu Jan 12 21:16:51 2006 Subject: Negative SA value and scoring In-Reply-To: <5.2.0.9.2.20030106184528.02d77d70@imap.ecs.soton.ac.uk> References: <5.2.0.9.2.20030106171107.0548fc30@imap.ecs.soton.ac.uk> <5.2.0.9.2.20030106171107.0548fc30@imap.ecs.soton.ac.uk> <5.2.0.9.2.20030106184528.02d77d70@imap.ecs.soton.ac.uk> Message-ID: <1041881118.4150.44.camel@croithine> On Mon, 2003-01-06 at 13:51, Julian Field wrote: > At 18:44 06/01/2003, you wrote: > >This message received a SpamScore of ss (2), but got no report and did > >NOT get logged as spam in syslogd. > > If the score (2) is less than your "Required SpamAssassin Score" value, > then this is exactly what you should see. This means that your users can > filter on SA scores less than your defined threshold, if they want to. If > you want to always get the spam header, you have to tell it to always > include it. > We don't include the report unless it hits the threshold (Always Include SpamAssassin Report = no). So if it doesn't create a report, it shouldn't score it either, which is exactly how we see it working, with the exception of instances like this one. -- Thomas DuVally Lead Sys. Prog. CIS, Brown Univ. 401.863.9466 From MHewryk at SYMCOR.COM Mon Jan 6 19:28:12 2003 From: MHewryk at SYMCOR.COM (Magda Hewryk) Date: Thu Jan 12 21:16:51 2006 Subject: MailScanner forwards only " localdomain.localhost" emails to SpamAssassin Spam Checks: Found 1 spam messag Message-ID: Any thought why MailScanner/SpamAssassin does the Spam Checks only for localhost? 
Thanks, Magda Hewryk -------------------------------- Mid-Range Systems RSP: 905-273-1637 CELL: 416-948-4427 Magda Hewryk cc: Sent by: Subject: MailScanner forwards only " localdomain.localhost" MailScanner emails to SpamAssassin Spam Checks: Found 1 spam messag mailing list 01/06/2003 10:42 AM Please respond to MailScanner mailing list Hello, I've installed and configured MailScanner v. 4.10 with SpamAssassin v. 2.43. It works OK (rbl disabled) but only if it sees the FROM ADDRESS like "...@localhost.localdomain" for eg. root@localhost.localdomain. In the summary if it is " from=" Spam Assasin is called and it checks email for spam. I accomplished it (sending email form xxx@localhost.localdomain by changing hosts file: 127.0.0.1 myhost localhost.localdomain localhost xxx.xxx.22.22 myhost myhost.mydomain.com At the end of mailog you can see that Spam Check worked and found a spam message! /var/log/maillog: Jan 2 11:32:38 myhost sendmail[28023]: h02GWc7o028023: from=root size=28, class=0, nrcpts=1, msgid =<200301021632.h02GWc7o028023@localhost.localdomain>, relay=root@localhost Jan 2 11:32:39 myhost sendmail[28029]: h02GWcLh028029: from =, size=333, class=0, nrcpts=1, msgid =<200301021632.h02GWc7o028023@localhost.localdomain>, proto=ESMTP, daemon=MTA, relay=myhost [127.0.0.1] Jan 2 11:32:39 myhost sendmail[28029]: h02GWcLh028029: to =, delay=00:00:01, mailer=esmtp, pri=30328, stat=queued Jan 2 11:32:40 myhost sendmail[28023]: h02GWc7o028023: to=maga@symcor.com, ctladdr=root (500/500), delay=00:00:02, xdelay=00:00:02, mailer=relay, pri=30023, relay=localhost.localdomain. [127.0.0.1], dsn=2.0.0, stat=Sent (h02GWcLh028029 Message accepted for delivery) Jan 2 11:32:41 myhost MailScanner[26429]: New Batch: Found 2 messages waiting Jan 2 11:32:41 myhost MailScanner[26429]: New Batch: Scanning 1 messages, 789 bytes Jan 2 11:33:11 myhost MailScanner[26519]: Spam Checks: Found 1 spam messages PROBLEM: If MailScanner/SpamAssassin sees that email is sent from eg. 
root@myhost.mydomain.com or any other domain is doesn't call SpamAssassin and doesn't do the spam check OR SpamAssassin doesn't do the Spam Check. In summary if the line is like this: from= or from= Spam Check is not performed. This is my hosts file for the example above. 127.0.01 localhost.localdomain localhost xxx.xxx.22.22 myhost myhost.mydomain.com I've disabled all rules in MailScanner.conf making sure that domains.to.scan and whitelists are not set up so stopping mydomain or anydomain by rules shoudn't be the issue. Any hint what I'm missing here. Thanks, Magda Hewryk From j.cormie at ABERTAY.AC.UK Mon Jan 6 19:48:29 2003 From: j.cormie at ABERTAY.AC.UK (Jason Cormie) Date: Thu Jan 12 21:16:51 2006 Subject: OT: Exim Weirdness Message-ID: Sorry Julian, All I know of exim has come from using it with mailscanner so I thought I'd try here before trying the exim lists. I have exim configured as it says in the mailscanner docs, so if it is a problem with my config then it is also a problem with either the documentation or the version of exim I am running. -----Original Message----- From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] Sent: 06, January, 2003 15:31 To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Exim Weirdness MailScanner does not get involved with the delivery process at all, so I don't think this is likely to be a MailScanner problem. At 13:43 06/01/2003, you wrote: >Mailscanner 3.26 >Exim 3.35 > >just back from my hols looking at my mailscanner box. >used eximstats to look at this mornings exim logs and found this... > >List of errors >-------------- > > 1 0010295@ABERTAY.AC.UK: retry timeout exceeded > > 1 0010295@abertay.ac.uk: retry timeout exceeded > > 1 0010314@TAY.AC.UK: retry timeout exceeded > > 1 0010314@tay.ac.uk: retry timeout exceeded > > 1 0010331@abertay.ac.uk: retry timeout exceeded > > >....... 
> >These are all valid addresses which mailscanner should pickup scan then pass >onto our exchange box >I also found this which is disturbing... > > This message was created automatically by mail delivery software >(Exim). > > A message that you sent could not be delivered to one or more of its > recipients. This is a permanent error. The following address(es) >failed: > > w.robb@abertay.ac.uk > remote host address is the local host: retry timeout >exceeded > >This is an address that should have been passed to exchange server. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From scouty at BROMBERG.DEMON.NL Mon Jan 6 21:10:32 2003 From: scouty at BROMBERG.DEMON.NL (Matthijs Althoff) Date: Thu Jan 12 21:16:51 2006 Subject: MailScanner 4.11-1 errors Message-ID: <200301062110.h06LAWa29119@ori.rl.ac.uk> Just upgraded to the new mailscanner but found some errors at the end I can not define.. I also notice many perl conflicts during the upgrade is this all bad? To activate MailScanner run the following commands: service sendmail stop chkconfig sendmail off chkconfig --level 2345 MailScanner on service MailScanner start Can't call method "Destroy" on an undefined value at /usr/sbin/MailScanner line 426. BEGIN failed--compilation aborted at /usr/lib/perl5/vendor_perl/5.8.0/Mail/SpamAssassin/Dns.pm line 9. Compilation failed in require at /usr/lib/perl5/vendor_perl/5.8.0/Mail/SpamAssassin/EvalTests.pm line 9. BEGIN failed--compilation aborted at /usr/lib/perl5/vendor_perl/5.8.0/Mail/SpamAssassin/EvalTests.pm line 9. Compilation failed in require at /usr/lib/perl5/vendor_perl/5.8.0/Mail/SpamAssassin/PerMsgStatus.pm line 39. BEGIN failed--compilation aborted at /usr/lib/perl5/vendor_perl/5.8.0/Mail/SpamAssassin/PerMsgStatus.pm line 39. Compilation failed in require at /usr/lib/perl5/vendor_perl/5.8.0/Mail/SpamAssassin.pm line 50. BEGIN failed--compilation aborted at /usr/lib/perl5/vendor_perl/5.8.0/Mail/SpamAssassin.pm line 50. 
Compilation failed in require at /usr/lib/MailScanner/MailScanner/SA.pm line 74. Please do not forget to kill your MailScanner version 3 processes before starting version 4. From mailscanner-sub at WIREHUB.NET Mon Jan 6 21:14:02 2003 From: mailscanner-sub at WIREHUB.NET (Ben C. O. Grimm) Date: Thu Jan 12 21:16:51 2006 Subject: OT: Dynamically updating /etc/mail/access In-Reply-To: References: Message-ID: On 6 Jan 2003 17:29:59 +0100, "Andrew M. Hoying" wrote: > Hello, > > Every day I go through and pull the top spamming domains and relays, > except for the common ones that legitimate mail also comes from, verify > them in net-abuse.sightings and add them to /etc/mail/access as > REJECTed. Is there any program which dynamically updates with new > spamming domains, and verified by a human, which can be used to update > the /etc/mail/access.db file in near real time, instead of a day later > like I usually do? If you have rsync, try this one: http://basic.wirehub.nl/spamlist-usage.html The spamlist (http://basic.wirehub.nl/spamlist-extended.txt, 3,5 MB) is updated every hour. If you like, you can just use the domain names by grepping "JUNK$" from http://basic.wirehub.nl/spamlist.txt. -- - Ben C. O. Grimm ----------------- Ben.Grimm@wirehub.net - - Wirehub! Internet Engineering - http://www.wirehub.net/ - - Private Ponderings ----------- http://www.bengrimm.net/ - - Wirehub! Internet ----------- part of easynet Group plc - From andrewh at CQG.COM Mon Jan 6 21:20:21 2003 From: andrewh at CQG.COM (Andrew M. Hoying) Date: Thu Jan 12 21:16:51 2006 Subject: OT: Dynamically updating /etc/mail/access Message-ID: <8A6DFB0865502242A29E25BDAEFBB9451ABE7B@d2sexchtest.cqg.com> Thank you, that looks very useful. Andrew > -----Original Message----- > From: Ben C. O. Grimm [mailto:mailscanner-sub@WIREHUB.NET] > Sent: Monday, January 06, 2003 2:14 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: OT: Dynamically updating /etc/mail/access > > > On 6 Jan 2003 17:29:59 +0100, "Andrew M. 
Hoying" > wrote: > > > Hello, > > > > Every day I go through and pull the top spamming domains and relays, > > except for the common ones that legitimate mail also comes > from, verify > > them in net-abuse.sightings and add them to /etc/mail/access as > > REJECTed. Is there any program which dynamically updates with new > > spamming domains, and verified by a human, which can be > used to update > > the /etc/mail/access.db file in near real time, instead of > a day later > > like I usually do? > > If you have rsync, try this one: > http://basic.wirehub.nl/spamlist-usage.html The spamlist (http://basic.wirehub.nl/spamlist-extended.txt, 3,5 MB) is updated every hour. If you like, you can just use the domain names by grepping "JUNK$" from http://basic.wirehub.nl/spamlist.txt. -- - Ben C. O. Grimm ----------------- Ben.Grimm@wirehub.net - - Wirehub! Internet Engineering - http://www.wirehub.net/ - - Private Ponderings ----------- http://www.bengrimm.net/ - - Wirehub! Internet ----------- part of easynet Group plc - From mailscanner at ecs.soton.ac.uk Mon Jan 6 21:33:38 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:51 2006 Subject: MailScanner 4.11-1 errors In-Reply-To: <200301062110.h06LAWa29119@ori.rl.ac.uk> Message-ID: <5.2.0.9.2.20030106213123.02b18e20@imap.ecs.soton.ac.uk> At 21:10 06/01/2003, you wrote: >Just upgraded to the new mailscanner but found some errors >at the end I can not define.. I also notice many perl conflicts >during the upgrade is this all bad? Is your SpamAssassin correctly installed? That would produce the errors below. Installing SA from the tarball is the most reliable way. >To activate MailScanner run the following commands: > >service sendmail stop >chkconfig sendmail off >chkconfig --level 2345 MailScanner on >service MailScanner start > >Can't call method "Destroy" on an undefined value at > /usr/sbin/MailScanner line 426. 
>BEGIN failed--compilation aborted at >/usr/lib/perl5/vendor_perl/5.8.0/Mail/SpamAssassin/Dns.pm line 9. >Compilation failed in require >at /usr/lib/perl5/vendor_perl/5.8.0/Mail/SpamAssassin/EvalTests.pm >line 9. >BEGIN failed--compilation aborted >at /usr/lib/perl5/vendor_perl/5.8.0/Mail/SpamAssassin/EvalTests.pm line 9. >Compilation failed in require >at /usr/lib/perl5/vendor_perl/5.8.0/Mail/SpamAssassin/PerMsgStatus.pm line >39. >BEGIN failed--compilation aborted >at /usr/lib/perl5/vendor_perl/5.8.0/Mail/SpamAssassin/PerMsgStatus.pm line >39. >Compilation failed in require >at /usr/lib/perl5/vendor_perl/5.8.0/Mail/SpamAssassin.pm line 50. >BEGIN failed--compilation aborted >at /usr/lib/perl5/vendor_perl/5.8.0/Mail/SpamAssassin.pm line 50. >Compilation failed in require at /usr/lib/MailScanner/MailScanner/SA.pm >line 74. >Please do not forget to kill your MailScanner version 3 processes >before starting version 4. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From rybar at DATALOCK.SK Tue Jan 7 06:48:15 2003 From: rybar at DATALOCK.SK (Patrik Rybar) Date: Thu Jan 12 21:16:52 2006 Subject: notify sender Message-ID: <3E1A782F.9000300@datalock.sk> hallo, what i'm doing wrong ? in /etc/MailScanner/MailScanner.conf i have Notify Senders = /etc/MailScanner/rules/notify.rules in /etc/MailScanner/rules/notify.rules FromTo: default yes but notify mails goes to recipient not to the sender From bigdog at DOGPOUND.VNET.NET Tue Jan 7 04:15:30 2003 From: bigdog at DOGPOUND.VNET.NET (Matthew Davis) Date: Thu Jan 12 21:16:52 2006 Subject: Mailscanner and f-prot In-Reply-To: <1041903620.2689.7.camel@localhost.localdomain>; from lists@MASONC.COM on Mon, Jan 06, 2003 at 09:40:21PM -0400 References: <5.2.0.9.2.20030106105007.02d84e78@imap.ecs.soton.ac.uk> <1041903620.2689.7.camel@localhost.localdomain> Message-ID: <20030106231530.E5691@dogpound.vnet.net> Then from a rh7.3+spamassassin+mailscanner+f-prot user, it works great. 
They all behave very much nicely together. * Chris Mason (lists@MASONC.COM) wrote: > Thanks Julian. > I should be more clear - I'm not asking if there are RPMs, I seen them, > I wanted any personal experience with this combination from people who > have done this. I'll try it and see how it goes. > > Thanks again > > > On Mon, 2003-01-06 at 06:51, Julian Field wrote: > > At 10:03 06/01/2003, you wrote: > > >I downloaded and installed the free Linux server f-prot and it seems to > > >work well, is there a rp,m that will install mailscanner on a Redhat 7.3 > > >server without much bother? ---------------------------------------------- | Matthew Davis /\ http://dogpound.vnet.net/ | |--------------------------------------------| | Monday, January 06, 2003 / 11:10PM | ---------------------------------------------- Even in this corner of the galaxy, Captain, 2+2=4 ... Spock From lists at MASONC.COM Tue Jan 7 01:40:21 2003 From: lists at MASONC.COM (Chris Mason) Date: Thu Jan 12 21:16:52 2006 Subject: Mailscanner and f-prot In-Reply-To: <5.2.0.9.2.20030106105007.02d84e78@imap.ecs.soton.ac.uk> References: <5.2.0.9.2.20030106105007.02d84e78@imap.ecs.soton.ac.uk> Message-ID: <1041903620.2689.7.camel@localhost.localdomain> Thanks Julian. I should be more clear - I'm not asking if there are RPMs, I seen them, I wanted any personal experience with this combination from people who have done this. I'll try it and see how it goes. Thanks again On Mon, 2003-01-06 at 06:51, Julian Field wrote: > At 10:03 06/01/2003, you wrote: > >I downloaded and installed the free Linux server f-prot and it seems to > >work well, is there a rp,m that will install mailscanner on a Redhat 7.3 > >server without much bother? > > Have you tried looking at the MailScanner web site before asking this? I > advise you try the "Downloads" page. > > >I'm using spamassassin as well, will it integrate OK? > > Again, please RTM. The answer is yes. 
> -- > Julian Field > www.MailScanner.info > MailScanner thanks transtec Computers for their support From slawler at SYDNEY.NII.COM.AU Mon Jan 6 23:38:47 2003 From: slawler at SYDNEY.NII.COM.AU (Stewart Lawler) Date: Thu Jan 12 21:16:52 2006 Subject: OT: Dynamically updating /etc/mail/access In-Reply-To: <8A6DFB0865502242A29E25BDAEFBB9451ABE7B@d2sexchtest.cqg.com> References: <8A6DFB0865502242A29E25BDAEFBB9451ABE7B@d2sexchtest.cqg.com> Message-ID: <1041896326.2087.5.camel@empc-l01> this looks like a great solution - but what is the performance impact? The relay machine i'm running mailscanner on at the moment is rather old and might not cope with being given much more to do. :-) cheers, ..S. On Tue, 2003-01-07 at 08:20, Andrew M. Hoying wrote: > Thank you, that looks very useful. > > Andrew > > > -----Original Message----- > > From: Ben C. O. Grimm [mailto:mailscanner-sub@WIREHUB.NET] > > Sent: Monday, January 06, 2003 2:14 PM > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: Re: OT: Dynamically updating /etc/mail/access > > > > > > On 6 Jan 2003 17:29:59 +0100, "Andrew M. Hoying" > > wrote: > > > > > Hello, > > > > > > Every day I go through and pull the top spamming domains and relays, > > > except for the common ones that legitimate mail also comes > > from, verify > > > them in net-abuse.sightings and add them to /etc/mail/access as > > > REJECTed. Is there any program which dynamically updates with new > > > spamming domains, and verified by a human, which can be > > used to update > > > the /etc/mail/access.db file in near real time, instead of > > a day later > > > like I usually do? > > > > If you have rsync, try this one: > > > http://basic.wirehub.nl/spamlist-usage.html > > The spamlist (http://basic.wirehub.nl/spamlist-extended.txt, 3,5 MB) is > updated every hour. If you like, you can just use the domain names by > grepping "JUNK$" from http://basic.wirehub.nl/spamlist.txt. > > -- > - Ben C. O. Grimm ----------------- Ben.Grimm@wirehub.net - > - Wirehub! 
Internet Engineering - http://www.wirehub.net/ - > - Private Ponderings ----------- http://www.bengrimm.net/ - > - Wirehub! Internet ----------- part of easynet Group plc - -- Stewart Lawler Empower Group From mailscanner at ecs.soton.ac.uk Tue Jan 7 08:22:36 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:52 2006 Subject: notify sender In-Reply-To: <3E1A782F.9000300@datalock.sk> Message-ID: <5.2.0.9.2.20030107082203.03c34818@imap.ecs.soton.ac.uk> At 06:48 07/01/2003, you wrote: >hallo, >what i'm doing wrong ? > >in /etc/MailScanner/MailScanner.conf >i have >Notify Senders = /etc/MailScanner/rules/notify.rules > >in /etc/MailScanner/rules/notify.rules > >FromTo: default yes > >but notify mails goes to recipient not to the sender Have you edited the message file (ie what is in /etc/MailScanner/reports/en/....) and got the sender and recipient addresses the wrong way around? -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From j.cormie at ABERTAY.AC.UK Tue Jan 7 08:46:51 2003 From: j.cormie at ABERTAY.AC.UK (Jason Cormie) Date: Thu Jan 12 21:16:52 2006 Subject: Exim Weirdness Message-ID: Thanks Nick, Somehow I lost that section of my own docs between pilot 1, pilot 2 and production :-( Will implement and see what happens. Just out of curiosity, what exactly does it do and what would have happened without it? Jason On Mon, 2003-01-06 at 20:44, Nick Phillips wrote: > On Tuesday, January 7, 2003, at 04:31 am, Julian Field wrote: > > > MailScanner does not get involved with the delivery process at all, so > > I > > don't think this is likely to be a MailScanner problem. > > > > At 13:43 06/01/2003, you wrote: > >> Mailscanner 3.26 > >> Exim 3.35 > >> > >> just back from my hols looking at my mailscanner box. > >> used eximstats to look at this mornings exim logs and found this... > > > I expect you aren't calling exim_tidydb to clear out the retry database > on the incoming > side. 
Exactly what's needed is in the installation instructions (either > on the web site or in > the docs directory in the tarball). > > > Cheers, > > > Nick From Richard.Lush at HP.COM Tue Jan 7 09:30:18 2003 From: Richard.Lush at HP.COM (Lush, Richard) Date: Thu Jan 12 21:16:52 2006 Subject: Sophos Update File Message-ID: You don't need a web login you can download it as an eval customer. It is the same code as Sophos give it away free for unix. FWIW -----Original Message----- From: Richard Sidlin [mailto:richard@HELPPLC.COM] Sent: 06 January 2003 17:10 To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Sophos Update File I don't have a web login, I only receive the disk :-) > -----Original Message----- > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On > Behalf Of Spicer, Kevin > Sent: 06 January 2003 17:04 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Sophos Update File > > > > Up to now, the file name has been linux.intel.libc6.tar.z but now, > > from the CD, the .z is missing. How would I install this update > > please. > > The version on the web has the correct name - I'd recommend using the > web version as the CD version is always a month out of date - which > means you have to upgrade it every two months (when they stop > supplying IDE files for it), whereas the web version only needs > upgrading every three months. > > But maybe I'm just lazy.... > From support at INVICTANET.CO.UK Tue Jan 7 11:46:13 2003 From: support at INVICTANET.CO.UK (InvictaNet Customer Support) Date: Thu Jan 12 21:16:52 2006 Subject: SpamAssassin timeout Message-ID: Hi Since mid afternoon yesterday, spamassassin has timed out every time. I have tried increasing the timeout period to 30 seconds but that didn't help. Where can I find information on what is causing the timeout? - Mailscanner itself doesn't seem to have a problem and viruses are being detected ok. 
Martyn Routley From daniel at ZAJD.COM Tue Jan 7 12:16:53 2003 From: daniel at ZAJD.COM (Daniel Zajd) Date: Thu Jan 12 21:16:52 2006 Subject: SpamAssassin timeout In-Reply-To: Message-ID: Hi! I got the same problem since this morning. Everything have been working perfect until now. Anyone else having the same problem? Suggestions? //Daniel Mailsystem.net > Hi > Since mid afternoon yesterday, spamassassin has timed out every time. I have > tried increasing the timeout period to 30 seconds but that didn't help. > > Where can I find information on what is causing the timeout? - Mailscanner > itself doesn't seem to have a problem and viruses are being detected ok. > > > > Martyn Routley > > From Kevin.Spicer at BMRB.CO.UK Tue Jan 7 12:32:11 2003 From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin) Date: Thu Jan 12 21:16:52 2006 Subject: SpamAssassin timeout Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0A4ACF6@pascal.priv.bmrb.co.uk> It may be a problem with one of the RBL checks not responding. I think you should be able to disable these by uncommenting skip rbl checks = 1 in /etc/MailScanner/spam.assassin.prefs.conf and then doing a 'service MailScanner reload' (I'm assuming this option is effective when SA is caled from MS?) > -----Original Message----- > From: Daniel Zajd [mailto:daniel@ZAJD.COM] > Sent: 07 January 2003 12:17 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: SpamAssassin timeout > > > Hi! > > I got the same problem since this morning. Everything have > been working > perfect until now. Anyone else having the same problem? Suggestions? > > //Daniel > Mailsystem.net > > > Hi > > Since mid afternoon yesterday, spamassassin has timed out > every time. I have > > tried increasing the timeout period to 30 seconds but that > didn't help. > > > > Where can I find information on what is causing the > timeout? - Mailscanner > > itself doesn't seem to have a problem and viruses are being > detected ok. 
> > > > > > > > Martyn Routley > > > > > From florusb at ASCIO.COM Tue Jan 7 12:34:18 2003 From: florusb at ASCIO.COM (Florus Both) Date: Thu Jan 12 21:16:52 2006 Subject: SpamAssassin timeout Message-ID: <2F15A97500CFA0469C9BACC2041F8AC7032E82E1@aries.dk.speednames.com> Same here. To make spamassassin at least do some check I commented "skip_rbl_checks 1" out in /etc/MailScanner/spam.assassin.prefs.conf Not a nice solution, but better then the timeout error. florus -----Original Message----- From: Daniel Zajd [mailto:daniel@ZAJD.COM] Sent: 7. januar 2003 13:17 To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: SpamAssassin timeout Hi! I got the same problem since this morning. Everything have been working perfect until now. Anyone else having the same problem? Suggestions? //Daniel Mailsystem.net > Hi > Since mid afternoon yesterday, spamassassin has timed out every time. > I have tried increasing the timeout period to 30 seconds but that > didn't help. > > Where can I find information on what is causing the timeout? - > Mailscanner itself doesn't seem to have a problem and viruses are > being detected ok. > > > > Martyn Routley > > From David.Sullivan at BARNET.AC.UK Tue Jan 7 12:36:02 2003 From: David.Sullivan at BARNET.AC.UK (David Sullivan) Date: Thu Jan 12 21:16:52 2006 Subject: SpamAssassin timeout In-Reply-To: References: Message-ID: <3E1AC9D3.28252.1A578D09@localhost> On 7 Jan 2003 at 13:16, Daniel Zajd wrote: > Hi! > > I got the same problem since this morning. Everything have been > working perfect until now. Anyone else having the same problem? > Suggestions? > If you're doing RBL checks within SpamAssassin it may be down to that, the Osirusoft RBL seems to be having real problems at the moment. David. ============================================================== This communication may contain privileged or confidential information which is for the exclusive use of the intended recipient. 
If you are not the intended recipient, please note that you may not distribute or use this communication or the information it contains. If this e-mail has reached you in error, please delete it and any attachment. Internet communications are not secure and Barnet College does not accept legal responsibility for the content of this message. Any views or opinions expressed are those of the author and not necessarily those of Barnet College. Please note that Barnet College reserves the right to monitor the source/destinations of all incoming or outgoing e-mail communications. ============================================================== From daniel at ZAJD.COM Tue Jan 7 12:52:21 2003 From: daniel at ZAJD.COM (Daniel Zajd) Date: Thu Jan 12 21:16:52 2006 Subject: SpamAssassin timeout In-Reply-To: <3E1AC9D3.28252.1A578D09@localhost> Message-ID: I also uncommented "skip_rbl_checks 1" to get rid of the Time Out. Now it does some checking. So if the RBL-server doesn't answer MailScanner just kills the SpamAssain process then? Is it possible to test if the RBL-server answer and if not just skip it and do the rest? I saw that there is a new version (2.50) of SpamAssassin. Anyone tried it? //Daniel > On 7 Jan 2003 at 13:16, Daniel Zajd wrote: > >> Hi! >> >> I got the same problem since this morning. Everything have been >> working perfect until now. Anyone else having the same problem? >> Suggestions? >> > > If you're doing RBL checks within SpamAssassin it may be down to > that, the Osirusoft RBL seems to be having real problems at the > moment. > > David. > > ============================================================== > This communication may contain privileged or confidential information which > is for the exclusive use of the intended recipient. If you are not the > intended recipient, please note that you may not distribute or use this > communication or the information it contains. If this e-mail has reached you > in error, please delete it and any attachment. 
> > Internet communications are not secure and Barnet College does not accept > legal responsibility for the content of this message. Any views or opinions > expressed are those of the author and not necessarily those of Barnet College. > > Please note that Barnet College reserves the right to monitor the > source/destinations of all incoming or outgoing e-mail communications. > ============================================================== > > From Heinz.Knutzen at DZSH.DE Tue Jan 7 13:08:51 2003 From: Heinz.Knutzen at DZSH.DE (Knutzen, Heinz (DZ-SH)) Date: Thu Jan 12 21:16:52 2006 Subject: *.otf cause Windows to restart Message-ID: <6C645222B0A8BC4FBFACD7606D4306A822FDEC@dzrz-ex-1.dzsh.landsh.de> It seems to be possible to crash w2k and XP by opening special *.otf files. We will block these files using filename.rules.conf. From bugtraq http://online.securityfocus.com/archive/1/305382 >>>> Subject: Opentype font file causes Windows to restart. Problem ------- The attached OpenType font file will cause Windows to restart immediately when the file is opened by the default viewer (fontview). I doubt anyone would suspect a "harmless" little font file of being able to cause such a thing to happen! Software affected ----------------- It has been tested on both Windows 2000 and Windows XP with exactly the same result -- an immediate restart. Other versions of Windows are untested. Fix --- No fix known. attachment: restart.otf <<<< Best regards -- Heinz From j.cormie at ABERTAY.AC.UK Tue Jan 7 13:17:35 2003 From: j.cormie at ABERTAY.AC.UK (Jason Cormie) Date: Thu Jan 12 21:16:52 2006 Subject: SpamAssassin timeout Message-ID: which rbl's are you using that are causing the timeout? -----Original Message----- From: Florus Both [mailto:florusb@ASCIO.COM] Sent: 07, January, 2003 12:34 To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: SpamAssassin timeout Same here.
To make spamassassin at least do some check I commented "skip_rbl_checks 1" out in /etc/MailScanner/spam.assassin.prefs.conf Not a nice solution, but better then the timeout error. florus -----Original Message----- From: Daniel Zajd [mailto:daniel@ZAJD.COM] Sent: 7. januar 2003 13:17 To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: SpamAssassin timeout Hi! I got the same problem since this morning. Everything have been working perfect until now. Anyone else having the same problem? Suggestions? //Daniel Mailsystem.net > Hi > Since mid afternoon yesterday, spamassassin has timed out every time. > I have tried increasing the timeout period to 30 seconds but that > didn't help. > > Where can I find information on what is causing the timeout? - > Mailscanner itself doesn't seem to have a problem and viruses are > being detected ok. > > > > Martyn Routley > > From support at INVICTANET.CO.UK Tue Jan 7 13:24:48 2003 From: support at INVICTANET.CO.UK (InvictaNet Customer Support) Date: Thu Jan 12 21:16:52 2006 Subject: SpamAssassin timeout In-Reply-To: Message-ID: This seems to have been the case for me. I also disabled the rbl checks in mailscanner.conf, thus stopping all rbl checks. The message from David Sullivan about Osirusoft might explain why the problem arose in the first place. Thanks to all who responded so quickly. Martyn Routley ----------------------------------------------------------------- InvictaNet - The Internet in Plain English, Guaranteed http://www.invictanet.co.uk martyn@support.invictanet.co.uk phone: 08707 440180 fax: 08707 440181 Ask us about our online Antivirus and Junk mail scanning service ----------------------------------------------------------------- -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Spicer, Kevin Sent: 07 January 2003 12:32 To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: SpamAssassin timeout It may be a problem with one of the RBL checks not responding. 
I think you should be able to disable these by uncommenting skip rbl checks = 1 in /etc/MailScanner/spam.assassin.prefs.conf and then doing a 'service MailScanner reload' (I'm assuming this option is effective when SA is caled from MS?) > -----Original Message----- > From: Daniel Zajd [mailto:daniel@ZAJD.COM] > Sent: 07 January 2003 12:17 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: SpamAssassin timeout > > > Hi! > > I got the same problem since this morning. Everything have > been working > perfect until now. Anyone else having the same problem? Suggestions? > > //Daniel > Mailsystem.net > > > Hi > > Since mid afternoon yesterday, spamassassin has timed out > every time. I have > > tried increasing the timeout period to 30 seconds but that > didn't help. > > > > Where can I find information on what is causing the > timeout? - Mailscanner > > itself doesn't seem to have a problem and viruses are being > detected ok. > > > > > > > > Martyn Routley > > > > > ---------------------------------------------- This message has been scanned for viruses and dangerous content by the http://www.anti84787.com MailScanner, and is believed to be clean. From Denis.Beauchemin at USHERBROOKE.CA Tue Jan 7 13:26:56 2003 From: Denis.Beauchemin at USHERBROOKE.CA (Denis Beauchemin) Date: Thu Jan 12 21:16:52 2006 Subject: MailScanner-MRTG problem Message-ID: <1041946016.15742.5747.camel@dbeauchemin.si.usherbrooke.ca> Hello, One of my graphs maxes out and I can't seem to do what is right to correct it: The text below the graph is: Max : 2146.1 M bytes Average : 801.5 M bytes Current : 112.7 M bytes The definition for it is: # grep mailbytes /etc/mrtg/mailscanner-mrtg.cfg Target[mailbytes]: `/usr/sbin/mailscanner-mrtg mailbytes` Title[mailbytes]: Bytes of Mail Processed Background[mailbytes]: #ffffff PageTop[mailbytes]:

Bytes of Mail Processed

WithPeak[mailbytes]: wmy Directory[mailbytes]: mailbytes MaxBytes[mailbytes]: 5000000000000 AbsMax[mailbytes]: 100000000000000 YLegend[mailbytes]: Bytes ShortLegend[mailbytes]:  bytes     Legend1[mailbytes]: Average Bytes Legend2[mailbytes]: Legend3[mailbytes]: Maximum Bytes Legend4[mailbytes]: LegendI[mailbytes]: : LegendO[mailbytes]: I'm using mailscanner-mrtg-0.04-2.noarch.rpm. Any ideas? Thanks! Denis -- Denis Beauchemin, analyste Université de Sherbrooke, S.T.I. T: 819.821.8000x2252 F: 819.821.8045 -------------- next part -------------- A non-text attachment was scrubbed... Name: mailbytes-day.png Type: image/png Size: 2085 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030107/f7e14a18/mailbytes-day.png From mailscanner at ecs.soton.ac.uk Tue Jan 7 13:48:23 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:52 2006 Subject: SpamAssassin timeout In-Reply-To: References: <3E1AC9D3.28252.1A578D09@localhost> Message-ID: <5.2.0.9.2.20030107134556.03cb8f98@imap.ecs.soton.ac.uk> At 12:52 07/01/2003, you wrote: >I also uncommented "skip_rbl_checks 1" to get rid of the Time Out. Now it >does some checking. > >So if the RBL-server doesn't answer MailScanner just kills the SpamAssain >process then? Yes. And once it has timed out several times in a row, SpamAssassin will be ignored entirely until the next auto-restart a few hours later. >Is it possible to test if the RBL-server answer and if not >just skip it and do the rest? SpamAssassin can't do that. If you do the RBL checking with MailScanner, it will do what you want. SpamAssassin isn't very robust when services it is using fail. >I saw that there is a new version (2.50) of SpamAssassin. Anyone tried it? I never touch their x.x0 releases. The x.x1 releases are usually better :-) > > On 7 Jan 2003 at 13:16, Daniel Zajd wrote: > > > >> Hi! > >> > >> I got the same problem since this morning.
Everything have been > >> working perfect until now. Anyone else having the same problem? > >> Suggestions? > >> > > > > If you're doing RBL checks within SpamAssassin it may be down to > > that, the Osirusoft RBL seems to be having real problems at the > > moment. > > > > David. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From t.d.lee at DURHAM.AC.UK Tue Jan 7 12:56:53 2003 From: t.d.lee at DURHAM.AC.UK (David Lee) Date: Thu Jan 12 21:16:52 2006 Subject: SpamAssassin timeout In-Reply-To: Message-ID: On Tue, 7 Jan 2003, InvictaNet Customer Support wrote: > Since mid afternoon yesterday, spamassassin has timed out every time. I have > tried increasing the timeout period to 30 seconds but that didn't help. > > Where can I find information on what is causing the timeout? - Mailscanner > itself doesn't seem to have a problem and viruses are being detected ok. Ah! Interesting. Around 11:00 GMT/UT yesterday (Mon 6th Jan), I noticed our MailScanner inbound queue similarly started piling up and not clearing. Likewise we got SpamAssassin timeouts and I ended up inserting "skip_rbl_checks 1" into "spam.assassin.prefs.conf" which seemed to avoid the immediate problem. As far as I know there were no local changes coincident with this (it had been running happily since well before the Christmas holiday). We are: Redhat 7.3 MailScanner: 4.05-3 SpamAssassin 2.43 configuration policy: as delivered, change as little as possible ~25,000 emails per day Is there someone on this list who knows the murky depths of SpamAssassin and their interaction with MailScanner? (I don't!) My suspicion is that some RBL check, called from SpamAssassin, is in trouble, and that SpamAssassin's timeouts (either internally or as guided somehow by MailScanner) are not behaving properly. -- : David Lee I.T. 
Service : : Systems Programmer Computer Centre : : University of Durham : : http://www.dur.ac.uk/t.d.lee/ South Road : : Durham : : Phone: +44 191 374 2882 U.K. : From mailscanner at ecs.soton.ac.uk Tue Jan 7 14:40:11 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:52 2006 Subject: SpamAssassin timeout In-Reply-To: References: Message-ID: <5.2.0.9.2.20030107143819.03c9c9f0@imap.ecs.soton.ac.uk> At 12:56 07/01/2003, you wrote: >On Tue, 7 Jan 2003, InvictaNet Customer Support wrote: > > > Since mid afternoon yesterday, spamassassin has timed out every time. I > have > > tried increasing the timeout period to 30 seconds but that didn't help. > > > > Where can I find information on what is causing the timeout? - Mailscanner > > itself doesn't seem to have a problem and viruses are being detected ok. > >Ah! Interesting. > >Around 11:00 GMT/UT yesterday (Mon 6th Jan), I noticed our MailScanner >inbound queue similarly started piling up and not clearing. Likewise we >got SpamAssassin timeouts and I ended up inserting "skip_rbl_checks 1" >into "spam.assassin.prefs.conf" which seemed to avoid the immediate >problem. > >As far as I know there were no local changes coincident with this (it had >been running happily since well before the Christmas holiday). > >We are: > Redhat 7.3 > MailScanner: 4.05-3 > SpamAssassin 2.43 > configuration policy: as delivered, change as little as possible > ~25,000 emails per day > >Is there someone on this list who knows the murky depths of SpamAssassin >and their interaction with MailScanner? (I don't!) My suspicion is that >some RBL check, called from SpamAssassin, is in trouble, and that >SpamAssassin's timeouts (either internally or as guided somehow by >MailScanner) are not behaving properly. Have a look in your maillog for SpamAssassin timed out and was killed This should be followed by the failure number, which will hopefully slowly count up from 1. What log entries have you got of this type? 
-- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From email-ian at POST1.COM Tue Jan 7 14:59:57 2003 From: email-ian at POST1.COM (eejs) Date: Thu Jan 12 21:16:52 2006 Subject: InoculateIT and Mailscanner for rh 7.3 and 8.0 References: <000201c2607b$45ee6350$6401a8c0@jamesdesktop> <3E1AEB30.77F65D05@post1.com> Message-ID: <3E1AEB6D.DD1D1D63@post1.com> you can also use this wrapper for cmdline scanning. eejs wrote: > > 1. Edit the wrapper script (mine is called inowrapper, f-prot user will have > this as f-protwrapper), uncomment the option header "LD_LIBRARY_PATH=" and > "export LD_LIBRARY_PATH" so it look something like this: > > LD_LIBRARY_PATH=/ino/lib: inoculateit>/ino/config:/ino/secu/lib > export LD_LIBRARY_PATH > > 2. Create symbolic link for file inoculateit>/ino/config/libarclib.so in > /ino/lib > > JS. -- |\,/| ()-@@ , `--')/ Kind regards, Ju Seong From email-ian at POST1.COM Tue Jan 7 15:04:52 2003 From: email-ian at POST1.COM (eejs) Date: Thu Jan 12 21:16:52 2006 Subject: InoculateIT and Mailscanner for rh 7.3 and 8.0 References: <000201c2607b$45ee6350$6401a8c0@jamesdesktop> <3E1AEB30.77F65D05@post1.com> <3E1AEB6D.DD1D1D63@post1.com> Message-ID: <3E1AEC94.2AAEDD88@post1.com> oops, this post was sent by mistake!! please ignore, sorry. eejs wrote: > > you can also use this wrapper for cmdline scanning. > > eejs wrote: > > > > 1. Edit the wrapper script (mine is called inowrapper, f-prot user will have > > this as f-protwrapper), uncomment the option header "LD_LIBRARY_PATH=" and > > "export LD_LIBRARY_PATH" so it look something like this: > > > > LD_LIBRARY_PATH=/ino/lib: > inoculateit>/ino/config:/ino/secu/lib > > export LD_LIBRARY_PATH > > > > 2. Create symbolic link for file > inoculateit>/ino/config/libarclib.so in > > /ino/lib > > > > JS. 
> > -- > |\,/| > ()-@@ , > `--')/ > Kind regards, > Ju Seong -- |\,/| ()-@@ , `--')/ Kind regards, Ju Seong From support at INVICTANET.CO.UK Tue Jan 7 15:14:55 2003 From: support at INVICTANET.CO.UK (InvictaNet Customer Support) Date: Thu Jan 12 21:16:52 2006 Subject: SpamAssassin timeout In-Reply-To: <5.2.0.9.2.20030107143819.03c9c9f0@imap.ecs.soton.ac.uk> Message-ID: From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Julian Field Sent: 07 January 2003 14:40 To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: SpamAssassin timeout At 12:56 07/01/2003, you wrote: >On Tue, 7 Jan 2003, InvictaNet Customer Support wrote: > > > Since mid afternoon yesterday, spamassassin has timed out every time. I > have > > tried increasing the timeout period to 30 seconds but that didn't help. > > > > Where can I find information on what is causing the timeout? - Mailscanner > > itself doesn't seem to have a problem and viruses are being detected ok. > >Ah! Interesting. > >Around 11:00 GMT/UT yesterday (Mon 6th Jan), I noticed our MailScanner >inbound queue similarly started piling up and not clearing. Likewise we >got SpamAssassin timeouts and I ended up inserting "skip_rbl_checks 1" >into "spam.assassin.prefs.conf" which seemed to avoid the immediate >problem. > >As far as I know there were no local changes coincident with this (it had >been running happily since well before the Christmas holiday). > >We are: > Redhat 7.3 > MailScanner: 4.05-3 > SpamAssassin 2.43 > configuration policy: as delivered, change as little as possible > ~25,000 emails per day > >Is there someone on this list who knows the murky depths of SpamAssassin >and their interaction with MailScanner? (I don't!) My suspicion is that >some RBL check, called from SpamAssassin, is in trouble, and that >SpamAssassin's timeouts (either internally or as guided somehow by >MailScanner) are not behaving properly. 
Have a look in your maillog for SpamAssassin timed out and was killed This should be followed by the failure number, which will hopefully slowly count up from 1. What log entries have you got of this type? -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support I don't know about slowly....... Mine went from 1 to 10 quite rapidly. Since I disabled the RBL checks everything has gone fine. Martyn Routley ----------------------------------------------------------------- InvictaNet - The Internet in Plain English, Guaranteed http://www.invictanet.co.uk martyn@support.invictanet.co.uk phone: 08707 440180 fax: 08707 440181 Ask us about our online Antivirus and Junk mail scanning service ----------------------------------------------------------------- From Kevin.Spicer at BMRB.CO.UK Tue Jan 7 15:28:25 2003 From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin) Date: Thu Jan 12 21:16:52 2006 Subject: SpamAssassin timeout Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0A4ACF7@pascal.priv.bmrb.co.uk> > >Is it possible to test if the RBL-server answer and if not > >just skip it and do the rest? > > SpamAssassin can't do that. If you do the RBL checking with > MailScanner, it > will do what you want. SpamAssassin isn't very robust when > services it is > using fail. > My understanding (read assumption!) was that if you use MailScanner to do the RBL checks, and then pass to SpamAssassin for further checks that any message from a host found in the RBL will be marked as SPAM, even if the spamassassin score would have been lower than the spam threshold. In other words the mailscanner RBL checks and the spamassassin checks are completely seperate(?). 
From mailscanner at ecs.soton.ac.uk Tue Jan 7 15:34:26 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:52 2006 Subject: SpamAssassin timeout In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB0A4ACF7@pascal.priv.bmrb.co .uk> Message-ID: <5.2.0.9.2.20030107153414.04ed9d80@imap.ecs.soton.ac.uk> At 15:28 07/01/2003, you wrote: > > >Is it possible to test if the RBL-server answer and if not > > >just skip it and do the rest? > > > > SpamAssassin can't do that. If you do the RBL checking with > > MailScanner, it > > will do what you want. SpamAssassin isn't very robust when > > services it is > > using fail. > > > >My understanding (read assumption!) was that if you use MailScanner to do >the RBL checks, and then pass to SpamAssassin for further checks that any >message from a host found in the RBL will be marked as SPAM, even if the >spamassassin score would have been lower than the spam threshold. In >other words the mailscanner RBL checks and the spamassassin checks are >completely seperate(?). Correct. They are separate. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From MHewryk at SYMCOR.COM Tue Jan 7 15:38:18 2003 From: MHewryk at SYMCOR.COM (Magda Hewryk) Date: Thu Jan 12 21:16:52 2006 Subject: SpamAssassin timeout - can't disable RBL check Message-ID: For some reason even if I disabled RBL checks I'm still timeout out from SpamAssassin. Yes, I stop/start MailScanner. Jan 7 10:28:28 tonka MailScanner[15526]: RBL Check no timed out and was killed, consecutive failure 1 of 7 Any hints why RBL is still active? I'm running : Redhat 7.3 MailScanner: 4.10 SpamAssassin 2.43 1)I've changes RBL check in spam.assassin.prefs.conf file: # By default, SpamAssassin will run RBL checks. If your ISP already # does this, set this to 1. 
# # skip_rbl_checks 1 - mnh this is by default commented out skip_rbl_checks 1 2) I've disabled RBLs from MailScanner.conf file # This is the list of spam blacklists (RBLs) which you are using. # See the "Spam List Definitions" file for more information about what # you can put here. # This can also be the filename of a ruleset. # mnh Spam List = ORDB-RBL Infinite-Monkeys # MAPS-RBL+ costs money (except .ac.uk) # mnh Spam List = ORDB-RBL #MAPS-RBL+ costs money (except .ac.uk) Spam List = no Thanks, Magda Hewryk -------------------------------- Mid-Range Systems RSP: 905-273-1637 CELL: 416-948-4427 InvictaNet Customer Support To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: SpamAssassin timeout Sent by: MailScanner mailing list 01/07/2003 10:14 AM Please respond to MailScanner mailing list From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Julian Field Sent: 07 January 2003 14:40 To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: SpamAssassin timeout At 12:56 07/01/2003, you wrote: >On Tue, 7 Jan 2003, InvictaNet Customer Support wrote: > > > Since mid afternoon yesterday, spamassassin has timed out every time. I > have > > tried increasing the timeout period to 30 seconds but that didn't help. > > > > Where can I find information on what is causing the timeout? - Mailscanner > > itself doesn't seem to have a problem and viruses are being detected ok. > >Ah! Interesting. > >Around 11:00 GMT/UT yesterday (Mon 6th Jan), I noticed our MailScanner >inbound queue similarly started piling up and not clearing. Likewise we >got SpamAssassin timeouts and I ended up inserting "skip_rbl_checks 1" >into "spam.assassin.prefs.conf" which seemed to avoid the immediate >problem. > >As far as I know there were no local changes coincident with this (it had >been running happily since well before the Christmas holiday). 
> >We are: > Redhat 7.3 > MailScanner: 4.05-3 > SpamAssassin 2.43 > configuration policy: as delivered, change as little as possible > ~25,000 emails per day > >Is there someone on this list who knows the murky depths of SpamAssassin >and their interaction with MailScanner? (I don't!) My suspicion is that >some RBL check, called from SpamAssassin, is in trouble, and that >SpamAssassin's timeouts (either internally or as guided somehow by >MailScanner) are not behaving properly. Have a look in your maillog for SpamAssassin timed out and was killed This should be followed by the failure number, which will hopefully slowly count up from 1. What log entries have you got of this type? -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support I don't know about slowly....... Mine went from 1 to 10 quite rapidly. Since I disabled the RBL checks everything has gone fine. Martyn Routley ----------------------------------------------------------------- InvictaNet - The Internet in Plain English, Guaranteed http://www.invictanet.co.uk martyn@support.invictanet.co.uk phone: 08707 440180 fax: 08707 440181 Ask us about our online Antivirus and Junk mail scanning service ----------------------------------------------------------------- From David.Sullivan at BARNET.AC.UK Tue Jan 7 15:38:09 2003 From: David.Sullivan at BARNET.AC.UK (David Sullivan) Date: Thu Jan 12 21:16:52 2006 Subject: SpamAssassin timeout In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB0A4ACF7@pascal.priv.bmrb.co.uk> Message-ID: <3E1AF483.10417.1AFE4BCF@localhost> On 7 Jan 2003 at 15:28, Spicer, Kevin wrote: > > >Is it possible to test if the RBL-server answer and if not > > >just skip it and do the rest? > > > > SpamAssassin can't do that. If you do the RBL checking with > > MailScanner, it > > will do what you want. SpamAssassin isn't very robust when > > services it is > > using fail. > > > > My understanding (read assumption!) 
was that if you use MailScanner to > do the RBL checks, and then pass to SpamAssassin for further checks > that any message from a host found in the RBL will be marked as SPAM, > even if the spamassassin score would have been lower than the spam > threshold. In other words the mailscanner RBL checks and the > spamassassin checks are completely separate(?). I think you're misunderstanding the comment slightly. If MailScanner doing RBL checks notices that they've timed out a number of times in a row it will stop using the RBL checks till the next MailScanner restart. If you do the RBL checks within SpamAssassin this means that SpamAssassin as a whole will time out and cannot "disable the RBL checks" itself (as MailScanner does). In turn MailScanner should see that SpamAssassin is timing out and disable it till the next MailScanner restart. David. ============================================================== This communication may contain privileged or confidential information which is for the exclusive use of the intended recipient. If you are not the intended recipient, please note that you may not distribute or use this communication or the information it contains. If this e-mail has reached you in error, please delete it and any attachment. Internet communications are not secure and Barnet College does not accept legal responsibility for the content of this message. Any views or opinions expressed are those of the author and not necessarily those of Barnet College. Please note that Barnet College reserves the right to monitor the source/destinations of all incoming or outgoing e-mail communications.
============================================================== From MHewryk at SYMCOR.COM Tue Jan 7 15:50:06 2003 From: MHewryk at SYMCOR.COM (Magda Hewryk) Date: Thu Jan 12 21:16:52 2006 Subject: Whitelist and MailScanner/SpamAssassin Message-ID: Hi, I'm running : Redhat 7.3 MailScanner: 4.10 SpamAssassin 2.43 I had a specific domain entered in MailScanner and SpamAssassin list. When I removed that domain from whitelists and stop/start MailScanner for some reason that domain is still not scanned for SPAM! I've disabled whitelists and still this domain is ignored: 1.) Is Definitely Not Spam = no # Is Definitely Not Spam = /etc/MailScanner/rules/spam.whitelist.rules 2.) SpamAssassin Auto Whitelist = no # mnh SpamAssassin Auto Whitelist = yes How can I check if the new configuration is really set and MailScanner.conf file is really reloaded properly? All logs show successful re-load. Is this something in the .spamassassin directory which overrides the setup from MailScanner.conf file? [root@tonka .spamassassin]# ls -ltr total 16 -rw-r--r-- 1 root root 1123 Dec 17 15:54 user_prefs -rw------- 1 root root 13111 Jan 3 00:22 auto-whitelist [root@tonka .spamassassin]# root@tonka MailScanner]# service MailScanner reload Reloading MailScanner workers: MailScanner: [ OK ] [root@tonka MailScanner]# n 7 10:46:02 tonka MailScanner[20269]: MailScanner child caught a SIGHUP Jan 7 10:46:02 tonka MailScanner[20308]: MailScanner child caught a SIGHUP Jan 7 10:46:02 tonka MailScanner[20376]: MailScanner child caught a SIGHUP Jan 7 10:46:02 tonka MailScanner[20412]: MailScanner child caught a SIGHUP Jan 7 10:46:02 tonka MailScanner[20415]: MailScanner child caught a SIGHUP Jan 7 10:46:02 tonka MailScanner[20557]: MailScanner Jan 7 10:46:02 tonka MailScanner[20557]: MailScanner E-Mail Virus Scanner version 4.10-1 starting... Jan 7 10:46:12 tonka MailScanner[20559]: MailScanner Jan 7 10:46:12 tonka MailScanner[20559]: MailScanner E-Mail Virus Scanner version 4.10-1 starting...
root@tonka MailScanner]# ps -ef | grep Mail root 20265 1 0 10:43 ? 00:00:00 /usr/bin/perl -I/usr/lib/MailSca root 20557 20265 5 10:46 ? 00:00:04 /usr/bin/perl -I/usr/lib/MailSca root 20559 20265 7 10:46 ? 00:00:04 /usr/bin/perl -I/usr/lib/MailSca root 20602 20265 8 10:46 ? 00:00:04 /usr/bin/perl -I/usr/lib/MailSca root 20625 20265 10 10:46 ? 00:00:04 /usr/bin/perl -I/usr/lib/MailSca root 20626 20265 14 10:46 ? 00:00:04 /usr/bin/perl -I/usr/lib/MailSca Thanks, Magda Hewryk -------------------------------- Mid-Range Systems RSP: 905-273-1637 CELL: 416-948-4427 From t.d.lee at DURHAM.AC.UK Tue Jan 7 15:34:11 2003 From: t.d.lee at DURHAM.AC.UK (David Lee) Date: Thu Jan 12 21:16:52 2006 Subject: SpamAssassin timeout In-Reply-To: <5.2.0.9.2.20030107143819.03c9c9f0@imap.ecs.soton.ac.uk> Message-ID: On Tue, 7 Jan 2003, Julian Field wrote: > At 12:56 07/01/2003, you wrote: > >[...] > >Around 11:00 GMT/UT yesterday (Mon 6th Jan), I noticed our MailScanner > >inbound queue similarly started piling up and not clearing. Likewise we > >got SpamAssassin timeouts and I ended up inserting "skip_rbl_checks 1" > >into "spam.assassin.prefs.conf" which seemed to avoid the immediate > >problem. > > > >As far as I know there were no local changes coincident with this (it had > >been running happily since well before the Christmas holiday). > > > > Have a look in your maillog for > SpamAssassin timed out and was killed > This should be followed by the failure number, which will hopefully slowly > count up from 1. What log entries have you got of this type? Yes, I saw those, and the numbers (e.g "failure 272 of 20"(!)) supported the conviction that something was wrong deep within the bowels of SpamAssassin. 
Jan 6 14:24:38 mailrelay1 MailScanner[8198]: SpamAssassin timed out and was killed, consecutive failure 270 of 20 Jan 6 14:24:41 mailrelay1 MailScanner[8162]: SpamAssassin timed out and was killed, consecutive failure 271 of 20 Jan 6 14:24:46 mailrelay1 MailScanner[8129]: SpamAssassin timed out and was killed, consecutive failure 272 of 20 Jan 6 14:25:01 mailrelay1 MailScanner[8185]: SpamAssassin timed out and was killed, consecutive failure 270 of 20 Jan 6 14:25:03 mailrelay1 MailScanner[8211]: SpamAssassin timed out and was killed, consecutive failure 271 of 20 Jan 6 14:25:09 mailrelay1 MailScanner[8198]: SpamAssassin timed out and was killed, consecutive failure 271 of 20 Jan 6 14:25:12 mailrelay1 MailScanner[8162]: SpamAssassin timed out and was killed, consecutive failure 272 of 20 Hence my earlier question: > >Is there someone on this list who knows the murky depths of SpamAssassin > >and their interaction with MailScanner? (I don't!) My suspicion is that > >some RBL check, called from SpamAssassin, is in trouble, and that > >SpamAssassin's timeouts (either internally or as guided somehow by > >MailScanner) are not behaving properly. Hope that helps. -- : David Lee I.T. Service : : Systems Programmer Computer Centre : : University of Durham : : http://www.dur.ac.uk/t.d.lee/ South Road : : Durham : : Phone: +44 191 374 2882 U.K. : From RHerban at GRAMTEL.NET Tue Jan 7 16:21:34 2003 From: RHerban at GRAMTEL.NET (Randy Herban) Date: Thu Jan 12 21:16:52 2006 Subject: SpamAssassin timeout Message-ID: Unfortunately something that I noticed yesterday when the RBL's were offline was that MailScanner was not ceasing to use spamassassin even though I was up to 75 consecutive failures out of 20. I just upgraded to the newest MS-4.11-1 yesterday as well. RedHat 8.0 if it helps. 
-randy -----Original Message----- From: David Sullivan [mailto:David.Sullivan@BARNET.AC.UK] Sent: Tuesday, January 07, 2003 10:38 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: SpamAssassin timeout On 7 Jan 2003 at 15:28, Spicer, Kevin wrote: > > >Is it possible to test if the RBL-server answer and if not just > > >skip it and do the rest? > > > > SpamAssassin can't do that. If you do the RBL checking with > > MailScanner, it will do what you want. SpamAssassin isn't very > > robust when services it is > > using fail. > > > > My understanding (read assumption!) was that if you use MailScanner to > do the RBL checks, and then pass to SpamAssassin for further checks > that any message from a host found in the RBL will be marked as SPAM, > even if the spamassassin score would have been lower than the spam > threshold. In other words the mailscanner RBL checks and the > spamassassin checks are completely separate(?). I think you're misunderstanding the comment slightly. If MailScanner doing RBL checks notices that they've timed out a number of times in a row it will stop using the RBL checks till the next MailScanner restart. If you do the RBL checks within SpamAssassin this means that SpamAssassin as a whole will time out and cannot "disable the RBL checks" itself (as MailScanner does). In turn MailScanner should see that SpamAssassin is timing out and disable it till the next MailScanner restart. David. ============================================================== This communication may contain privileged or confidential information which is for the exclusive use of the intended recipient. If you are not the intended recipient, please note that you may not distribute or use this communication or the information it contains. If this e-mail has reached you in error, please delete it and any attachment. Internet communications are not secure and Barnet College does not accept legal responsibility for the content of this message.
Any views or opinions expressed are those of the author and not necessarily those of Barnet College. Please note that Barnet College reserves the right to monitor the source/destinations of all incoming or outgoing e-mail communications. ============================================================== From mike at CAMAROSS.NET Tue Jan 7 16:40:35 2003 From: mike at CAMAROSS.NET (Mike Kercher) Date: Thu Jan 12 21:16:52 2006 Subject: SpamAssassin timeout In-Reply-To: Message-ID: <007401c2b66b$885e42f0$6901a8c0@home.middlefinger.net> I had a similar problem yesterday...I think Osirusoft was down. Mike -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of InvictaNet Customer Support Sent: Tuesday, January 07, 2003 5:46 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: SpamAssassin timeout Hi Since mid afternoon yesterday, spamassassin has timed out every time. I have tried increasing the timeout period to 30 seconds but that didn't help. Where can I find information on what is causing the timeout? - Mailscanner itself doesn't seem to have a problem and viruses are being detected ok. Martyn Routley From dwinkler at ALGORITHMICS.COM Tue Jan 7 16:50:08 2003 From: dwinkler at ALGORITHMICS.COM (Derek Winkler) Date: Thu Jan 12 21:16:52 2006 Subject: Whitelisting problem Message-ID: <06EE2C86D3DAD5119A6C0060943F3C970402C0B3@tormail1.algorithmics.com> IBM is a partner of ours so I have whitelisted ibm.com But now some spammer is forging both the envelope and header to look like it came from ibm.com The spammer appears to be creating random addresses ending in @ibm.com Is my only choice to remove ibm.com from the whitelist? Thanks, Derek Winkler Security Administrator Algorithmics Inc., Toronto Tel: (416) 217-4107 Fax: (416) 971-6263 www.algorithmics.com
From mailscanner at ecs.soton.ac.uk Tue Jan 7 16:37:05 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:52 2006 Subject: SpamAssassin timeout - can't disable RBL check In-Reply-To: Message-ID: <5.2.0.9.2.20030107163648.03bb6008@imap.ecs.soton.ac.uk> At 15:38 07/01/2003, you wrote: >For some reason even if I disabled RBL checks I'm still timing out from >SpamAssassin. Yes, I stop/start MailScanner. > >Jan 7 10:28:28 tonka MailScanner[15526]: RBL Check no timed out and was >killed, consecutive failure 1 of 7 You created an RBL list of "no". What you want is an empty list. >Any hints why RBL is still active? > > >I'm running : >Redhat 7.3 >MailScanner: 4.10 >SpamAssassin 2.43 > >1) I've changed the RBL check in spam.assassin.prefs.conf file: > ># By default, SpamAssassin will run RBL checks. If your ISP already ># does this, set this to 1. ># ># skip_rbl_checks 1 - mnh this is by default commented out >skip_rbl_checks 1 > >2) I've disabled RBLs from MailScanner.conf file ># This is the list of spam blacklists (RBLs) which you are using. ># See the "Spam List Definitions" file for more information about what ># you can put here. ># This can also be the filename of a ruleset.
># mnh Spam List = ORDB-RBL Infinite-Monkeys # MAPS-RBL+ costs money (except >.ac.uk) ># mnh Spam List = ORDB-RBL #MAPS-RBL+ costs money (except .ac.uk) >Spam List = no > > > >Thanks, > >Magda Hewryk >-------------------------------- >Mid-Range Systems >RSP: 905-273-1637 >CELL: 416-948-4427 > > > > InvictaNet > Customer > Support To: MAILSCANNER@JISCMAIL.AC.UK > T.CO.UK> Subject: Re: > SpamAssassin timeout > Sent by: > MailScanner > mailing list > AIL.AC.UK> > > > 01/07/2003 10:14 > AM > Please respond to > MailScanner > mailing list > > > > > > >From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On >Behalf Of Julian Field >Sent: 07 January 2003 14:40 >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Re: SpamAssassin timeout > > >At 12:56 07/01/2003, you wrote: > >On Tue, 7 Jan 2003, InvictaNet Customer Support wrote: > > > > > Since mid afternoon yesterday, spamassassin has timed out every time. I > > have > > > tried increasing the timeout period to 30 seconds but that didn't help. > > > > > > Where can I find information on what is causing the timeout? - >Mailscanner > > > itself doesn't seem to have a problem and viruses are being detected >ok. > > > >Ah! Interesting. > > > >Around 11:00 GMT/UT yesterday (Mon 6th Jan), I noticed our MailScanner > >inbound queue similarly started piling up and not clearing. Likewise we > >got SpamAssassin timeouts and I ended up inserting "skip_rbl_checks 1" > >into "spam.assassin.prefs.conf" which seemed to avoid the immediate > >problem. > > > >As far as I know there were no local changes coincident with this (it had > >been running happily since well before the Christmas holiday). > > > >We are: > > Redhat 7.3 > > MailScanner: 4.05-3 > > SpamAssassin 2.43 > > configuration policy: as delivered, change as little as possible > > ~25,000 emails per day > > > >Is there someone on this list who knows the murky depths of SpamAssassin > >and their interaction with MailScanner? (I don't!) 
My suspicion is that > >some RBL check, called from SpamAssassin, is in trouble, and that > >SpamAssassin's timeouts (either internally or as guided somehow by > >MailScanner) are not behaving properly. > >Have a look in your maillog for > SpamAssassin timed out and was killed >This should be followed by the failure number, which will hopefully slowly >count up from 1. What log entries have you got of this type? >-- >Julian Field >www.MailScanner.info >MailScanner thanks transtec Computers for their support > > > >I don't know about slowly....... >Mine went from 1 to 10 quite rapidly. Since I disabled the RBL checks >everything has gone fine. > >Martyn Routley >----------------------------------------------------------------- >InvictaNet - The Internet in Plain English, Guaranteed >http://www.invictanet.co.uk >martyn@support.invictanet.co.uk >phone: 08707 440180 >fax: 08707 440181 >Ask us about our online Antivirus and Junk mail scanning service >----------------------------------------------------------------- -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Tue Jan 7 16:55:33 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:52 2006 Subject: Whitelisting problem In-Reply-To: <06EE2C86D3DAD5119A6C0060943F3C970402C0B3@tormail1.algorithmics.com> Message-ID: <5.2.0.9.2.20030107165515.05051d58@imap.ecs.soton.ac.uk> At 16:50 07/01/2003, you wrote: >IBM is a partner of ours so I have whitelisted ibm.com > >But now some spammer is forging both the envelope and header to look like >it came from ibm.com > >The spammer appears to be creating random addresses ending in @ibm.com > >Is my only choice to remove ibm.com from the whitelist? If ibm.com only use a few outgoing mail servers, you could whitelist their IP addresses instead.
-- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From mkettler at EVI-INC.COM Tue Jan 7 17:05:50 2003 From: mkettler at EVI-INC.COM (Matt Kettler) Date: Thu Jan 12 21:16:52 2006 Subject: Whitelisting problem In-Reply-To: <06EE2C86D3DAD5119A6C0060943F3C970402C0B3@tormail1.algorithmics.com> Message-ID: <5.1.1.6.0.20030107120328.00b84410@192.168.50.2> If you're using SpamAssassin 2.40 or higher under MailScanner, you can always use SpamAssassin's "whitelist_from_rcvd" feature. This requires a match of both a from: line and a received: line prior to being whitelisted. ie: whitelist_from_rcvd mkettler@evi-inc.com 208-39-141-94.isp.comcastbusiness.net At 11:50 AM 1/7/2003 -0500, Derek Winkler wrote: >IBM is a partner of ours so I have whitelisted ibm.com > >But now some spammer is forging both the envelope and header to look like >it came from ibm.com > >The spammer appears to be creating random addresses ending in @ibm.com > >Is my only choice to remove ibm.com from the whitelist? > >Thanks, > >Derek Winkler >Security Administrator >Algorithmics Inc., Toronto >Tel: (416) 217-4107 >Fax: (416) 971-6263 >www.algorithmics.com From mbowman at UDCOM.COM Tue Jan 7 17:03:24 2003 From: mbowman at UDCOM.COM (Matthew Bowman) Date: Thu Jan 12 21:16:52 2006 Subject: spam actions query Message-ID: Greetings, This is relating to Derek's recent post. Until now my spam.actions.conf has been behaving well until I added two of our local domains (I'm using example domain names) as follows:- FromTo: *@abcd.efghi.net delete FromTo: *@abcdefg.efghi.net delete Both of these are amongst 2 of our mail servers. The problem is that spammers are forging both domains to send out spam. I thought including the above lines and restarting mailscanner would prevent:- 1. Outbound e-mail from our servers that was tagged as spam from either domain would not get sent but deleted 2.
Inbound e-mail to our servers/clients that was tagged as spam from either domain would be received but deleted There is nothing one can do to stop ppl forging domains (AFAIK). A penny for your thoughts please! Thanks Matthew Bowman Systems Administrator www.udcom.com From brose at MED.WAYNE.EDU Tue Jan 7 17:17:03 2003 From: brose at MED.WAYNE.EDU (Rose, Bobby) Date: Thu Jan 12 21:16:52 2006 Subject: SpamAssassin timeout Message-ID: I think there is more to it. I've always used skip_rbl for SA because I use the rbls on the MTA side and I've been seeing the mail backing up in queue. This also started happening after I updated to 4.11-1 on Sunday. I think it's Mailscanner and its mother process not restarting properly. What I've noticed so far is that I only have 3 MS processes running even though my setting is set to 5. One process has been running for 4 hours 11 mins and the others are the spawned processes. If I kill MS and restart then I get all my processes back. If I look at my logs, it looks like only one MS process was doing anything. -----Original Message----- From: Randy Herban [mailto:RHerban@GRAMTEL.NET] Sent: Tuesday, January 07, 2003 11:22 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: SpamAssassin timeout Unfortunately something that I noticed yesterday when the RBL's were offline was that MailScanner was not ceasing to use spamassassin even though I was up to 75 consecutive failures out of 20. I just upgraded to the newest MS-4.11-1 yesterday as well. RedHat 8.0 if it helps. -randy -----Original Message----- From: David Sullivan [mailto:David.Sullivan@BARNET.AC.UK] Sent: Tuesday, January 07, 2003 10:38 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: SpamAssassin timeout On 7 Jan 2003 at 15:28, Spicer, Kevin wrote: > > >Is it possible to test if the RBL-server answer and if not just > > >skip it and do the rest? > > > > SpamAssassin can't do that. If you do the RBL checking with > > MailScanner, it will do what you want.
SpamAssassin isn't very > > robust when services it is using fail. > > > > My understanding (read assumption!) was that if you use MailScanner to > do the RBL checks, and then pass to SpamAssassin for further checks > that any message from a host found in the RBL will be marked as SPAM, > even if the spamassassin score would have been lower than the spam > threshold. In other words the mailscanner RBL checks and the > spamassassin checks are completely separate(?). I think you're misunderstanding the comment slightly. If MailScanner doing RBL checks notices that they've timed out a number of times in a row it will stop using the RBL checks till the next MailScanner restart. If you do the RBL checks within SpamAssassin this means that SpamAssassin as a whole will time out and cannot "disable the RBL checks" itself (as MailScanner does). In turn MailScanner should see that SpamAssassin is timing out and disable it till the next MailScanner restart. David. ============================================================== This communication may contain privileged or confidential information which is for the exclusive use of the intended recipient. If you are not the intended recipient, please note that you may not distribute or use this communication or the information it contains. If this e-mail has reached you in error, please delete it and any attachment. Internet communications are not secure and Barnet College does not accept legal responsibility for the content of this message. Any views or opinions expressed are those of the author and not necessarily those of Barnet College. Please note that Barnet College reserves the right to monitor the source/destinations of all incoming or outgoing e-mail communications.
============================================================== From MHewryk at SYMCOR.COM Tue Jan 7 17:33:30 2003 From: MHewryk at SYMCOR.COM (Magda Hewryk) Date: Thu Jan 12 21:16:52 2006 Subject: SpamAssassin timeout - can't disable RBL check Message-ID: I've changed it to Spam List = and still have a problem with RBL check: Jan 7 12:19:21 tonka MailScanner[2890]: RBL Check timed out and was killed, consecutive failure 1 of 7 Julian Field cc: Sent by: Subject: Re: SpamAssassin timeout - can't disable RBL check MailScanner mailing list 01/07/2003 11:37 AM Please respond to MailScanner mailing list At 15:38 07/01/2003, you wrote: >For some reason even if I disabled RBL checks I'm still timing out from >SpamAssassin. Yes, I stop/start MailScanner. > >Jan 7 10:28:28 tonka MailScanner[15526]: RBL Check no timed out and was >killed, consecutive failure 1 of 7 You created an RBL list of "no". What you want is an empty list. >Any hints why RBL is still active? > > >I'm running : >Redhat 7.3 >MailScanner: 4.10 >SpamAssassin 2.43 > >1) I've changed the RBL check in spam.assassin.prefs.conf file: > ># By default, SpamAssassin will run RBL checks. If your ISP already ># does this, set this to 1. ># ># skip_rbl_checks 1 - mnh this is by default commented out >skip_rbl_checks 1 > >2) I've disabled RBLs from MailScanner.conf file ># This is the list of spam blacklists (RBLs) which you are using. ># See the "Spam List Definitions" file for more information about what ># you can put here. ># This can also be the filename of a ruleset.
># mnh Spam List = ORDB-RBL Infinite-Monkeys # MAPS-RBL+ costs money (except >.ac.uk) ># mnh Spam List = ORDB-RBL #MAPS-RBL+ costs money (except .ac.uk) >Spam List = no > > > >Thanks, > >Magda Hewryk >-------------------------------- >Mid-Range Systems >RSP: 905-273-1637 >CELL: 416-948-4427 > > > > InvictaNet > Customer > Support To: MAILSCANNER@JISCMAIL.AC.UK > T.CO.UK> Subject: Re: > SpamAssassin timeout > Sent by: > MailScanner > mailing list > AIL.AC.UK> > > > 01/07/2003 10:14 > AM > Please respond to > MailScanner > mailing list > > > > > > >From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On >Behalf Of Julian Field >Sent: 07 January 2003 14:40 >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Re: SpamAssassin timeout > > >At 12:56 07/01/2003, you wrote: > >On Tue, 7 Jan 2003, InvictaNet Customer Support wrote: > > > > > Since mid afternoon yesterday, spamassassin has timed out every time. I > > have > > > tried increasing the timeout period to 30 seconds but that didn't help. > > > > > > Where can I find information on what is causing the timeout? - >Mailscanner > > > itself doesn't seem to have a problem and viruses are being detected >ok. > > > >Ah! Interesting. > > > >Around 11:00 GMT/UT yesterday (Mon 6th Jan), I noticed our MailScanner > >inbound queue similarly started piling up and not clearing. Likewise we > >got SpamAssassin timeouts and I ended up inserting "skip_rbl_checks 1" > >into "spam.assassin.prefs.conf" which seemed to avoid the immediate > >problem. > > > >As far as I know there were no local changes coincident with this (it had > >been running happily since well before the Christmas holiday). > > > >We are: > > Redhat 7.3 > > MailScanner: 4.05-3 > > SpamAssassin 2.43 > > configuration policy: as delivered, change as little as possible > > ~25,000 emails per day > > > >Is there someone on this list who knows the murky depths of SpamAssassin > >and their interaction with MailScanner? (I don't!) 
My suspicion is that > >some RBL check, called from SpamAssassin, is in trouble, and that > >SpamAssassin's timeouts (either internally or as guided somehow by > >MailScanner) are not behaving properly. > >Have a look in your maillog for > SpamAssassin timed out and was killed >This should be followed by the failure number, which will hopefully slowly >count up from 1. What log entries have you got of this type? >-- >Julian Field >www.MailScanner.info >MailScanner thanks transtec Computers for their support > > > >I don't know about slowly....... >Mine went from 1 to 10 quite rapidly. Since I disabled the RBL checks >everything has gone fine. > >Martyn Routley >----------------------------------------------------------------- >InvictaNet - The Internet in Plain English, Guaranteed >http://www.invictanet.co.uk >martyn@support.invictanet.co.uk >phone: 08707 440180 >fax: 08707 440181 >Ask us about our online Antivirus and Junk mail scanning service >----------------------------------------------------------------- -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From mdm at INTERNET-TOOLS.COM Tue Jan 7 17:25:31 2003 From: mdm at INTERNET-TOOLS.COM (mark david mcCreary) Date: Thu Jan 12 21:16:53 2006 Subject: MS 4, Exim 4 on Debian 3 Install Notes In-Reply-To: <5.2.0.9.2.20021219224834.0209acd8@imap.ecs.soton.ac.uk> Message-ID: I have not found a Debian package for this combination, and have included my notes on such an install. I'm looking to compare notes with somebody else doing this. I started out basing this on the Debian package for MailScanner 3, although not sure where I am now. The current gotcha is the file permissions error when executing Sophos. I have gotten around this before, but have been unable to duplicate the magic combination. Plus I thought that this 4.11 version was supposed to eliminate this problem. Comments, suggestions and nitpicking welcome, either via the list or private email. 
Thanks mark Install Debian 3 (Woody) Machine Install Perl Modules Run as shell script CNUM=1.63 echo Downloading CPAN $CNUM ... lynx -source http://www.perl.com/CPAN/authors/id/ANDK/CPAN-$CNUM.tar.gz > CPAN-$CNUM.tar.gz gunzip -f CPAN-$CNUM.tar.gz tar xvf CPAN-$CNUM.tar echo Installing CPAN $CNUM cd CPAN-$CNUM perl Makefile.PL make make test make install Copy following config file to /usr/share/perl/5.6.1/CPAN/Config.pm $CPAN::Config = { 'build_cache' => q[10], 'build_dir' => q[/root/.cpan/build], 'cache_metadata' => q[1], 'cpan_home' => q[/root/.cpan], 'ftp' => q[/usr/bin/ftp], 'ftp_proxy' => q[], 'getcwd' => q[cwd], 'gzip' => q[/bin/gzip], 'http_proxy' => q[], 'inactivity_timeout' => q[0], 'index_expire' => q[1], 'inhibit_startup_message' => q[0], 'keep_source_where' => q[/root/.cpan/sources], 'lynx' => q[/usr/bin/lynx], 'make' => q[/usr/bin/make], 'make_arg' => q[], 'make_install_arg' => q[], 'makepl_arg' => q[], 'ncftpget' => q[/usr/bin/ncftpget], 'no_proxy' => q[], 'pager' => q[/usr/bin/less], 'prerequisites_policy' => q[follow], 'scan_cache' => q[atstart], 'shell' => q[/bin/bash], 'tar' => q[/bin/tar], 'term_is_latin' => q[1], 'unzip' => q[/bin/gunzip], 'urllist' => [], 'wait_list' => [q[wait://ls6.informatik.uni-dortmund.de:1404]], 'wget' => q[/usr/bin/wget], }; 1; __END__ Install Perl Modules via CPAN Run as shell script perl -MCPAN -e "install 'Net::FTP'" perl -MCPAN -e "install 'Digest::MD5'" perl -MCPAN -e "install 'Bundle::CPAN'" perl -MCPAN -e "install 'Convert::TNEF'" perl -MCPAN -e "install 'Data::Dumper'" perl -MCPAN -e "install 'Date::Calc'" perl -MCPAN -e "install 'Date::Format'" perl -MCPAN -e "install 'Date::Manip'" perl -MCPAN -e "install 'Digest::HMAC'" perl -MCPAN -e "install 'Digest::Nilsimsa'" perl -MCPAN -e "install 'Digest::SHA1'" perl -MCPAN -e "install 'Email::Valid'" perl -MCPAN -e "install 'File::Spec'" perl -MCPAN -e "install 'File::Tail'" perl -MCPAN -e "install 'File::Temp'" perl -MCPAN -e "install 'HTML::Parser'" perl -MCPAN -e 
"install 'HTML::Tagset'" perl -MCPAN -e "install 'IO::Stringy'" perl -MCPAN -e "install 'Mail::Address'" perl -MCPAN -e "install 'Mail::Audit'" perl -MCPAN -e "install 'Mail::Header'" perl -MCPAN -e "install 'Mail::Internet'" perl -MCPAN -e "install 'MIME::Base64'" perl -MCPAN -e "install 'MIME::Tools'" perl -MCPAN -e "install 'Net::DNS'" perl -MCPAN -e "install 'Net::Ping'" perl -MCPAN -e "install 'Pod::Usage'" perl -MCPAN -e "install 'Term::ReadKey'" perl -MCPAN -e "install 'Test::More'" perl -MCPAN -e "install 'Time::HiRes'" perl -MCPAN -e "install 'Mail::SpamAssassin'" echo Done. Apply MIME-tools patches Run as shell script cp /usr/local/share/perl/5.6.1/MIME/Field/ParamVal.pm /usr/local/share/perl/5.6.1/MIME/Field/ParamVal.pm.bak cp /usr/local/share/perl/5.6.1/MIME/Parser.pm /usr/local/share/perl/5.6.1/MIME/Parser.pm.bak cp /usr/local/share/perl/5.6.1/MIME/Words.pm /usr/local/share/perl/5.6.1/MIME/Words.pm.bak perl -pe "s%MIME-tools-5.411-ORIG/lib%/usr/local/share/perl/5.6.1%ig;" \ /usr/local/bin/mime-tools-patch.txt perl -pe "s%MIME-tools-5.411/lib%/usr/local/share/perl/5.6.1%ig;" \ /usr/local/bin/mime-tools-patch2.txt perl -pe "s%MIME-tools-5.411/lib%/usr/local/share/perl/5.6.1%ig;" \ /usr/local/bin/mime-tools-patch3.txt perl -pe "s%MIME-tools-5.411/lib%/usr/local/share/perl/5.6.1%ig;" \ /usr/local/bin/mime-tools-patch4.txt patch -p0 >/etc/sysctl.conf echo "fs.inode-max = 131072" >>/etc/sysctl.conf echo "* soft nofile 8192" >>/etc/security/limits.conf echo "* hard nofile 32768" >>/etc/security/limits.conf perl -i.bak -pe "s#/opt#/usr/local#;" /usr/local/MailScanner/bin/MailScanner Build Exim 4.12 or better Overlay existing Exim 3 setup of Debian 3 Exim Makefile - Use something like this ################################################## # The Exim mail transport agent # ################################################## # This is the template for Exim's main build-time configuration file. It # contains settings that are independent of any operating system. 
These are # things that are mostly sysadmin choices. The items below are divided into # those you must specify, those you probably want to specify, those you might # often want to specify, and those that you almost never need to mention. # Edit this file and save the result to a file called Local/Makefile within the # Exim distribution directory before running the "make" command. # Things that depend on the operating system have default settings in # OS/Makefile-Default, but these are overridden for some OS by files called # called OS/Makefile-. You can further override these by creating files # called Local/Makefile-, where "" stands for the name of your # operating system - look at the names in the OS directory to see which names # are recognized. # However, if you are building Exim for a single OS only, you don't need to # worry about setting up Local/Makefile-. Any build-time configuration # settings you require can in fact be placed in the one file called # Local/Makefile. It is only if you are building for several OS from the same # source files that you need to worry about splitting off your own OS-dependent # settings into separate files. (There's more explanation about how this all # works in the toplevel README file, under "Modifying the building process", as # well as in the Exim specification.) # One OS-specific thing that may need to be changed is the command for running # the C compiler; the overall default is gcc, but some OS Makefiles specify cc. # You can override anything that is set by putting CC=whatever in your # Local/Makefile. # NOTE: You should never need to edit any of the distributed Makefiles; all # overriding can be done in your Local/Makefile(s). This will make it easier # for you when the next release comes along. # The location of the X11 libraries is something else that is quite variable # even between different versions of the same operating system (and indeed # there are different versions of X11 as well, of course). 
The four settings # concerned here are X11, XINCLUDE, XLFLAGS (linking flags) and X11_LD_LIB # (dynamic run-time library). You need not worry about X11 unless you want to # compile the Exim monitor utility. Exim itself does not use X11. # Another area of variability between systems is the type and location of the # DBM library package. Exim has support for ndbm, gdbm, tdb, and Berkeley DB. # By default the code assumes ndbm; this often works with gdbm or DB, provided # they are correctly installed, via their compatibility interfaces. However, # Exim can also be configured to use the native calls for Berkeley DB (obsolete # versions 1.85 and 2.x, or the current 3.x version) and also for gdbm. # For some operating systems, a default DBM library (other than ndbm) is # selected by a setting in the OS-specific Makefile. Most modern OS now have # a DBM library installed as standard, and in many cases this will be selected # for you by the OS-specific configuration. If Exim compiles without any # problems, you probably do not have to worry about the DBM library. If you # do want or need to change it, you should first read the discussion in the # file doc/dbm.discuss.txt, which also contains instructions for testing Exim's # interface to the DBM library. # In Local/Makefiles blank lines and lines starting with # are ignored. It is # also permitted to use the # character to add a comment to a setting, for # example # # EXIM_GID=42 # the "mail" group # # However, with some versions of "make" this works only if there is no white # space between the end of the setting and the #, so perhaps it is best # avoided. A consequence of this facility is that it is not possible to have # the # character present in any setting, but I can't think of any cases where # this would be wanted. 
############################################################################### ############################################################################### # THESE ARE THINGS YOU MUST SPECIFY # ############################################################################### # Exim will not build unless you specify BIN_DIRECTORY, CONFIGURE_FILE, and # EXIM_USER. You also need EXIM_GROUP if EXIM_USER specifies a uid by number. # If you don't specify SPOOL_DIRECTORY, Exim won't fail to build. However, it # really is a very good idea to specify it here rather than at run time. This # is particularly true if you let the logs go to their default location in the # spool directory, because it means that the location of the logs is known # before Exim has read the run time configuration file. #------------------------------------------------------------------------------ # BIN_DIRECTORY defines where the exim binary will be installed by "make # install". The path is also used internally by Exim when it needs to re-invoke # itself, either to send an error message, or to recover root privilege. Exim's # utility binaries and scripts are also installed in this directory. There is # no "standard" place for the binary directory. Some people like to keep all # the Exim files under one directory such as /usr/exim; others just let the # Exim binaries go into an existing directory such as /usr/sbin or # /usr/local/sbin. The installation script will try to create this directory, # and any superior directories, if they do not exist. BIN_DIRECTORY=/usr/sbin #------------------------------------------------------------------------------ # CONFIGURE_FILE defines where Exim's run time configuration file is to be # found. The location of all other run time files and directories can be # changed in the run time configuration file. There is a lot of variety in the # choice of location in different OS, and in the preferences of different # sysadmins. 
Some common locations are in /etc or /etc/mail or /usr/local/etc # or /usr/local/etc/mail. Another possibility is to keep all the Exim files # under a single directory such as /usr/exim. Whatever you choose, the # installation script will try to make the directory and any superior # directories if they don't exist. It will also install a default run time # configuration if this file does not exist. CONFIGURE_FILE=/etc/exim/exim.conf #------------------------------------------------------------------------------ # The Exim binary must normally be setuid root, so that it starts executing as # root, but (depending on the options with which it is called) it does not # always need to retain the root privilege. These settings define the user and # group that is used for Exim processes when they no longer need to be root. In # particular, this applies when receiving messages and when doing remote # deliveries. (Local deliveries run as various non-root users, typically as the # owner of a local mailbox.) Specifying these values as root is very strongly # discouraged. These values are compiled into the binary. EXIM_USER=mail # If the setting of EXIM_USER is numeric (e.g. EXIM_USER=42), there must # also be a setting of EXIM_GROUP. If, on the other hand, you use a name # for EXIM_USER (e.g. EXIM_USER=exim), you don't need to set EXIM_GROUP unless # you want to use a group other than the default group for the given user. EXIM_GROUP=adm # Many sites define a user called "exim", with an appropriate default group, # and use # # EXIM_USER=exim # # while leaving EXIM_GROUP unspecified (commented out). #------------------------------------------------------------------------------ # SPOOL_DIRECTORY defines the directory where all the data for messages in # transit is kept. It is strongly recommended that you define it here, though # it is possible to leave this till the run time configuration. # Exim creates the spool directory if it does not exist. 
The owner and group # will be those defined by EXIM_USER and EXIM_GROUP, and this also applies to # all the files and directories that are created in the spool directory. # Almost all installations choose this: SPOOL_DIRECTORY=/var/spool/exim ############################################################################### # THESE ARE THINGS YOU PROBABLY WANT TO SPECIFY # ############################################################################### # You need to specify some routers and transports if you want the Exim that you # are building to be capable of delivering mail. You almost certainly need at # least one type of lookup. You should consider whether you want to build # the Exim monitor or not. #------------------------------------------------------------------------------ # These settings determine which individual router drivers are included in the # Exim binary. There are no defaults in the code; those routers that are wanted # must be defined here by setting the appropriate variables to the value "yes". # Including a router in the binary does not cause it to be used automatically. # It has also to be configured in the run time configuration file. By # commenting out those you know you don't want to use, you can make the binary # a bit smaller. If you are unsure, leave all of these included for now. ROUTER_ACCEPT=yes ROUTER_DNSLOOKUP=yes ROUTER_IPLITERAL=yes ROUTER_MANUALROUTE=yes ROUTER_QUERYPROGRAM=yes ROUTER_REDIRECT=yes # This one is very special-purpose, so is not included by default. # ROUTER_IPLOOKUP=yes #------------------------------------------------------------------------------ # These settings determine which individual transport drivers are included in # the Exim binary. There are no defaults; those transports that are wanted must # be defined here by setting the appropriate variables to the value "yes". # Including a transport in the binary does not cause it to be used # automatically. 
It has also to be configured in the run time configuration # file. By commenting out those you know you don't want to use, you can make # the binary a bit smaller. If you are unsure, leave all of these included for # now. TRANSPORT_APPENDFILE=yes #TRANSPORT_AUTOREPLY=yes TRANSPORT_PIPE=yes TRANSPORT_SMTP=yes # This one is special-purpose, and commonly not required, so it is not # included by default. # TRANSPORT_LMTP=yes #------------------------------------------------------------------------------ # The appendfile transport can write messages to local mailboxes in a number # of formats. The code for three specialist formats, maildir, mailstore, and # MBX, is included only when requested. If you do not know what this is about, # leave these settings commented out. # SUPPORT_MAILDIR=yes # SUPPORT_MAILSTORE=yes # SUPPORT_MBX=yes #------------------------------------------------------------------------------ # These settings determine which file and database lookup methods are included # in the binary. See the manual chapter entitled "File and database lookups" # for discussion. DBM and lsearch (linear search) are included by default. If # you are unsure about the others, leave them commented out for now. # LOOKUP_DNSDB does *not* refer to general mail routing using the DNS. It is # for the specialist case of using the DNS as a general database facility (not # common). LOOKUP_DBM=yes LOOKUP_LSEARCH=yes LOOKUP_CDB=yes # LOOKUP_DNSDB=yes # LOOKUP_DSEARCH=yes # LOOKUP_LDAP=yes # LOOKUP_MYSQL=yes # LOOKUP_NIS=yes # LOOKUP_NISPLUS=yes # LOOKUP_ORACLE=yes # LOOKUP_PGSQL=yes # LOOKUP_WHOSON=yes #------------------------------------------------------------------------------ # If you have set LDAP=yes, you should set LDAP_LIB_TYPE to indicate which LDAP # library you have. Unfortunately, though most of their functions are the # same, there are minor differences. 
Currently Exim knows about four LDAP # libraries: the one from the University of Michigan (also known as OpenLDAP 1), # OpenLDAP 2, the Netscape SDK library, and the library that comes with Solaris # 7 onwards. Uncomment whichever of these you are using. # LDAP_LIB_TYPE=OPENLDAP1 # LDAP_LIB_TYPE=OPENLDAP2 # LDAP_LIB_TYPE=NETSCAPE # LDAP_LIB_TYPE=SOLARIS # If you don't set any of these, Exim assumes the original University of # Michigan (OpenLDAP 1) library. #------------------------------------------------------------------------------ # Additional libraries and include directories may be required for some # lookup styles (e.g. LDAP, MYSQL or PGSQL). LOOKUP_LIBS is included only on # the command for linking Exim itself, not on any auxiliary programs. You # don't need to set LOOKUP_INCLUDE if the relevant directories are already # specified in INCLUDE. # LOOKUP_INCLUDE=-I /usr/local/ldap/include -I /usr/local/mysql/include -I /usr/local/pgsql/include # LOOKUP_LIBS=-L/usr/local/lib -lldap -llber -lmysqlclient -lpq #------------------------------------------------------------------------------ # Compiling the Exim monitor: If you want to compile the Exim monitor, a # program that requires an X11 display, then EXIM_MONITOR should be set to the # value "eximon.bin". Comment out this setting to disable compilation of the # monitor. The locations of various X11 directories for libraries and include # files are defaulted in the OS/Makefile-Default file, but can be overridden in # local OS-specific make files. #EXIM_MONITOR=eximon.bin ############################################################################### # THESE ARE THINGS YOU MIGHT WANT TO SPECIFY # ############################################################################### # The items in this section are those that are commonly changed according to # the sysadmin's preferences, but whose defaults are often acceptable. 
#------------------------------------------------------------------------------ # Exim has support for the AUTH (authentication) extension of the SMTP # protocol, as defined by RFC 2554. If you don't know what SMTP authentication # is, you probably won't want to include this code, so you should leave these # settings commented out. If you do want to make use of SMTP authentication, # you must uncomment at least one of the following, so that appropriate code is # included in the Exim binary. You will then need to set up the run time # configuration to make use of the mechanism(s) selected. #AUTH_CRAM_MD5=yes #AUTH_PLAINTEXT=yes # AUTH_SPA=yes #------------------------------------------------------------------------------ # Exim can be built to support the SMTP STARTTLS command, which implements # Transport Layer Security using SSL (Secure Sockets Layer). To do this, you # must install the OpenSSL library package. Exim contains no cryptographic # code of its own. Uncomment the following lines if you want to build Exim # with TLS support. If you don't know what this is all about, leave these # settings commented out. # SUPPORT_TLS=yes # TLS_LIBS=-lssl -lcrypto # If you are running Exim as a server, note that just building it with TLS # support is not all you need to do. You also need to set up a suitable # certificate, and tell Exim about it by means of the tls_certificate # and tls_privatekey run time options. You also need to set tls_advertise_hosts # to specify the hosts to which Exim advertises TLS support. On the other hand, # if you are running Exim only as a client, building it with TLS support # is all you need to do. # Additional libraries and include files are required for OpenSSL. The TLS_LIBS # setting above assumes that the libraries are installed with all your other # libraries. 
If they are in a special directory, you may need something like # TLS_LIBS=-L/usr/local/openssl/lib -lssl -lcrypto # TLS_LIBS is included only on the command for linking Exim itself, not on any # auxiliary programs. If the include files are not in a standard place, you can # set TLS_INCLUDE to specify where they are: # TLS_INCLUDE=-I/usr/local/openssl/include/ # You don't need to set TLS_INCLUDE if the relevant directories are already # specified in INCLUDE. #------------------------------------------------------------------------------ # The default distribution of Exim contains only the plain text form of the # documentation. Other forms are available separately. If you want to install # the documentation in "info" format, first fetch the Texinfo documentation # sources from the ftp directory and unpack them, which should create files # with the extension "texinfo" in the doc directory. You may find that the # version number of the texinfo files is different to your Exim version number, # because the main documentation isn't updated as often as the code. For # example, if you have Exim version 4.03, the source tarball upacks into a # directory called exim-4.03, but the texinfo tarball unpacks into exim-4.00. # In this case, move the contents of exim-4.00/doc into exim-4.03/doc after you # have unpacked them. Then set INFO_DIRECTORY to the location of your info # directory. This varies from system to system, but is often /usr/share/info. # Once you have done this, "make install" will build the info files and # install them in the directory you have defined. # INFO_DIRECTORY=/usr/share/info #------------------------------------------------------------------------------ # Exim log directory and files: Exim creates several log files inside a # single log directory. You can define the directory and the form of the # log file name here. 
If you do not set anything, Exim creates a directory # called "log" inside its spool directory (see SPOOL_DIRECTORY above) and uses # the filenames "mainlog", "paniclog", and "rejectlog". If you want to change # this, you can set LOG_FILE_PATH to a path name containing one occurrence of # %s. This will be replaced by one of the strings "main", "panic", or "reject" # to form the final file names. Some installations may want something like this: LOG_FILE_PATH=/var/log/exim/%slog # which results in files with names /var/log/exim_mainlog, etc. The directory # in which the log files are placed must exist; Exim does not try to create # it for itself. It is also your responsibility to ensure that Exim is capable # of writing files using this path name. The Exim user (see EXIM_USER above) # must be able to create and update files in the directory you have specified. # You can also configure Exim to use syslog, instead of or as well as log # files, by settings such as these # LOG_FILE_PATH=syslog # LOG_FILE_PATH=syslog:/var/log/exim_%slog # The first of these uses only syslog; the second uses syslog and also writes # to log files. Do not include white space in such a setting as it messes up # the building process. #------------------------------------------------------------------------------ # Cycling log files: this variable specifies the maximum number of old # log files that are kept by the exicyclog log-cycling script. You don't have # to use exicyclog. If your operating system has other ways of cycling log # files, you can use them instead. The exicyclog script isn't run by default; # you have to set up a cron job for it if you want it. EXICYCLOG_MAX=10 #------------------------------------------------------------------------------ # The compress command is used by the exicyclog script to compress old log # files. Both the name of the command and the suffix that it adds to files # need to be defined here. See also the EXICYCLOG_MAX configuration. 
COMPRESS_COMMAND=/bin/gzip COMPRESS_SUFFIX=gz #------------------------------------------------------------------------------ # If the exigrep utility is fed compressed log files, it tries to uncompress # them using this command. ZCAT_COMMAND=/bin/zcat #------------------------------------------------------------------------------ # Compiling in support for embedded Perl: If you want to be able to # use Perl code in Exim's string manipulation language and you have Perl # (version 5.004 or later) installed, set EXIM_PERL to perl.o. Using embedded # Perl costs quite a lot of resources. Only do this if you really need it. # EXIM_PERL=perl.o #------------------------------------------------------------------------------ # Exim has support for PAM (Pluggable Authentication Modules), a facility # which is available in the latest releases of Solaris and in some GNU/Linux # distributions (see http://ftp.kernel.org/pub/linux/libs/pam/). The Exim # support, which is intended for use in conjunction with the SMTP AUTH # facilities, is included only when requested by the following setting: # SUPPORT_PAM=yes # You probably need to add -lpam to EXTRALIBS, and in some releases of # GNU/Linux -ldl is also needed. #------------------------------------------------------------------------------ # Support for authentication via Radius is also available. The Exim support, # which is intended for use in conjunction with the SMTP AUTH facilities, # is included only when requested by setting the following parameter to the # location of your Radius configuration file: # RADIUS_CONFIG_FILE=/etc/radiusclient/radiusclient.conf #------------------------------------------------------------------------------ # Support for authentication via the Cyrus SASL pwcheck daemon is available. 
# The Exim support, which is intented for use in conjunction with the SMTP AUTH # facilities, is included only when requested by setting the following # parameter to the location of the pwcheck daemon's socket directory. # # There is no need to install all of SASL on your system. You just need to run # ./configure --with-pwcheck, cd to the pwcheck directory with sources, make # and make install. You must create the socket directory (default /var/pwcheck) # and chown it to exim's user and group. Once you have installed pwcheck, you # should arrange for it to be started by root at boot time. # CYRUS_PWCHECK_SOCKET=/var/pwcheck/pwcheck #------------------------------------------------------------------------------ # TCP wrappers: If you want to use tcpwrappers from within Exim, uncomment # this setting. See the manual section entitled "Use of tcpwrappers" in the # chapter on building and installing Exim. # USE_TCP_WRAPPERS=yes # You may well also have to specify a local "include" file and an additional # library for TCP wrappers, so you probably need something like this: # USE_TCP_WRAPPERS=yes # CFLAGS=-O -I/usr/local/include # EXTRALIBS_EXIM=-L/usr/local/lib -lwrap # but of course there may need to be other things in CFLAGS and EXTRALIBS_EXIM # as well. #------------------------------------------------------------------------------ # The default action of the exim_install script is to install the Exim binary # with a unique name such as exim-4.00-1, and then set up a symbolic link # called "exim" to reference it, moving the symbolic link from any previous # version. If you define NO_SYMLINK (the value doesn't matter), the symbolic # link is not created or moved. You will then have to "turn Exim on" by setting # up the link manually. 
# NO_SYMLINK=yes ############################################################################### # THINGS YOU ALMOST NEVER NEED TO MENTION # ############################################################################### # The settings in this section are available for use in special circumstances. # In the vast majority of installations you need not change anything below. #------------------------------------------------------------------------------ # The following commands live in different places in some OS. Either the # ultimate default settings, or the OS-specific files should already point to # the right place, but they can be overridden here if necessary. These settings # are used when building various scripts to ensure that the correct paths are # used when the scripts are run. They are not used in the Makefile itself. Perl # is not necessary for running Exim unless you set EXIM_PERL (see above) to get # it embedded, but there are some utilities that are Perl scripts. If you # haven't got Perl, Exim will still build and run; you just won't be able to # use those utilities. CHOWN_COMMAND=/bin/chown CHGRP_COMMAND=/bin/chgrp # MV_COMMAND=/bin/mv # RM_COMMAND=/bin/rm # PERL_COMMAND=/usr/bin/perl #------------------------------------------------------------------------------ # The following macro can be used to change the command for building a library # of functions. By default the "ar" command is used, with options "cq". # Only in rare circumstances should you need to change this. # AR=ar cq #------------------------------------------------------------------------------ # The following macros can be used to change the default modes that are used # by the appendfile transport. In most installations the defaults are just # fine, and in any case, you can change particular instances of the transport # at run time if you want. 
# APPENDFILE_MODE=0600 # APPENDFILE_DIRECTORY_MODE=0700 # APPENDFILE_LOCKFILE_MODE=0600 #------------------------------------------------------------------------------ # In some installations there may be multiple machines sharing file systems, # where a different configuration file is required for Exim on the different # machines. If CONFIGURE_FILE_USE_NODE is defined, then Exim will first look # for a configuration file whose name is that defined by CONFIGURE_FILE, # with the node name obtained by uname() tacked on the end, separated by a # period (for example, /usr/exim/configure.host.in.some.domain). If this file # does not exist, then the bare configuration file name is tried. # CONFIGURE_FILE_USE_NODE=yes #------------------------------------------------------------------------------ # In some esoteric configurations two different versions of Exim are run, # with different setuid values, and different configuration files are required # to handle the different cases. If CONFIGURE_FILE_USE_EUID is defined, then # Exim will first look for a configuration file whose name is that defined # by CONFIGURE_FILE, with the effective uid tacked on the end, separated by # a period (for eximple, /usr/exim/configure.0). If this file does not exist, # then the bare configuration file name is tried. In the case when both # CONFIGURE_FILE_USE_EUID and CONFIGURE_FILE_USE_NODE are set, four files # are tried: .., ., ., and . # CONFIGURE_FILE_USE_EUID=yes #------------------------------------------------------------------------------ # The size of the delivery buffer: This specifies the size (in bytes) of # the buffer which is used when copying a message from the spool to a # destination. The default value built into the source is 8192 and there is # rarely any need to change this. 
# DELIVER_BUFFER_SIZE=8192 #------------------------------------------------------------------------------ # The mode of the database directory: Exim creates a directory called "db" # in its spool directory, to hold its databases of hints. This variable # determines the mode of the created directory. The default value in the # source is 0750. # EXIMDB_DIRECTORY_MODE=0750 #------------------------------------------------------------------------------ # Database file mode: The mode of files created in the "db" directory defaults # to 0640 in the source, and can be changed here. # EXIMDB_MODE=0640 #------------------------------------------------------------------------------ # Database lock file mode: The mode of zero-length files created in the "db" # directory to use for locking purposes defaults to 0640 in the source, and # can be changed here. # EXIMDB_LOCKFILE_MODE=0640 #------------------------------------------------------------------------------ # This parameter sets the maximum length of the header portion of a message # that Exim is prepared to process. The default setting is one megabyte. The # limit exists in order to catch rogue mailers that might connect to your SMTP # port, start off a header line, and then just pump junk at it for ever. The # message_size_limit option would also catch this, but it may not be set. # HEADER_MAXSIZE="(1024*1024)" #------------------------------------------------------------------------------ # The mode of the input directory: The input directory is where messages are # kept while awaiting delivery. Exim creates it if necessary, using a mode # which can be defined here (default 0750). # INPUT_DIRECTORY_MODE=0750 #------------------------------------------------------------------------------ # The mode of Exim's log directory, when it is created by Exim inside the spool # directory, defaults to 0750 but can be changed here. 
# LOG_DIRECTORY_MODE=0750 #------------------------------------------------------------------------------ # The log files themselves are created as required, with a mode that defaults # to 0640, but which can be changed here. # LOG_MODE=0640 #------------------------------------------------------------------------------ # The TESTDB lookup is for performing tests on the handling of lookup results, # and is not useful for general running. It should be included only when # debugging the code of Exim. # LOOKUP_TESTDB=yes #------------------------------------------------------------------------------ # /bin/sh is used by default as the shell in which to run commands that are # defined in the makefiles. This can be changed if necessary, by uncommenting # this line and specifying another shell, but note that a Bourne-compatible # shell is expected. # MAKE_SHELL=/bin/sh #------------------------------------------------------------------------------ # The maximum number of named lists of each type (address, domain, host, and # local part) can be increased by changing this value. It should be set to # a multiple of 16. # MAX_NAMED_LIST=16 #------------------------------------------------------------------------------ # Network interfaces: Unless you set the local_interfaces option in the runtime # configuration file to restrict Exim to certain interfaces only, it will run # code to find all the interfaces there are on your host. Unfortunately, # the call to the OS that does this requires a buffer large enough to hold # data for all the interfaces - it was designed in the days when a host rarely # had more than three or four interfaces. Nowadays hosts can have very many # virtual interfaces running on the same hardware. If you have more than 250 # virtual interfaces, you will need to uncomment this setting and increase the # value. 
# MAXINTERFACES=250

#------------------------------------------------------------------------------
# Per-message logs: While a message is in the process of being delivered,
# comments on its progress are written to a message log, for the benefit of
# human administrators. These logs are held in a directory called "msglog"
# in the spool directory. Its mode defaults to 0750, but can be changed here.
# The message log directory is also used for storing files that are used by
# transports for returning data to a message's sender (see the "return_output"
# option for transports).

# MSGLOG_DIRECTORY_MODE=0750

#------------------------------------------------------------------------------
# There are three options which are used when compiling the Perl interface and
# when linking with Perl. The default values for these are placed automatically
# at the head of the Makefile by the script which builds it. However, if you
# want to override them, you can do so here.

# PERL_CC=
# PERL_CCOPTS=
# PERL_LIBS=

#------------------------------------------------------------------------------
# Identifying the daemon: When an Exim daemon starts up, it writes its pid
# (process id) to a file so that it can easily be identified. The path of the
# file can be specified here. Some installations may want something like this:

# PID_FILE_PATH=/var/lock/exim.pid

# If PID_FILE_PATH is not defined, Exim writes a file in its spool directory
# using the name "exim-daemon.pid".

# If you start up a daemon without the -bd option (for example, with just
# the -q15m option), a pid file is not written. Also, if you override the
# configuration file with the -oX option, no pid file is written. In other
# words, the pid file is written only for a "standard" daemon.

#------------------------------------------------------------------------------
# If Exim creates the spool directory, it is given this mode, defaulting in the
# source to 0750.
# SPOOL_DIRECTORY_MODE=0750

#------------------------------------------------------------------------------
# The mode of files on the input spool which hold the contents of messages can
# be changed here. The default is 0640 so that information from the spool is
# available to anyone who is a member of the Exim group.

# SPOOL_MODE=0640

#------------------------------------------------------------------------------
# Moving frozen messages: If the following is uncommented, Exim is compiled
# with support for automatically moving frozen messages out of the main spool
# directory, a facility that is found useful by some large installations. A
# run time option is required to cause the moving actually to occur. Such
# messages become "invisible" to the normal management tools.

# SUPPORT_MOVE_FROZEN_MESSAGES=yes

# End of EDITME for Exim 4.


Exim OS Makefile

# Exim: OS-specific make file for Linux. This is for modern Linuxes,
# which use libc6.

BASENAME_COMMAND=look_for_it

CFLAGS=-O

DBMLIB = -ldb
USE_DB = yes

LIBS = -lnsl -lcrypt
LIBRESOLV = -lresolv

X11=/usr/X11R6
XINCLUDE=-I$(X11)/include
XLFLAGS=-L$(X11)/lib
X11_LD_LIB=$(X11)/lib

EXIWHAT_PS_ARG=ax
EXIWHAT_EGREP_ARG='/exim( |$$)'
EXIWHAT_KILL_ARG=-USR1

# End


Use something like this Exim 4 Configuration file to accept incoming email
Name file as /etc/exim/exim.conf

acl_smtp_rcpt = check_recipient
acl_smtp_data = check_message
domainlist local_domains = @ : @[]
accept_8bitmime
allow_domain_literals
allow_mx_to_ip
auto_thaw = 3h
check_log_inodes = 100
check_log_space = 10M
check_spool_inodes = 100
check_spool_space = 10M
delay_warning = 0s
queue_only_load = 4
deliver_queue_load_max = 5
delivery_date_remove
host_lookup = *
ignore_bounce_errors_after = 0s
log_selector = +address_rewrite \
               +arguments \
               -delay_delivery \
               +delivery_size \
               +lost_incoming_connection \
               -queue_run \
               +received_recipients \
               +received_sender \
               -retry_defer \
               +sender_on_delivery \
               +size_reject \
               -skip_delivery \
               +smtp_confirmation \
               +smtp_connection \
               +smtp_syntax_error \
               +subject
lookup_open_max = 199
message_body_visible = 2500
message_id_header_text = "${tod_log}"
message_size_limit = 16384000
never_users = root
prod_requires_admin = false
queue_list_requires_admin = false
queue_run_max = 15
queue_only
queue_run_in_order = true
receive_timeout = 60s
received_headers_max = 30
remote_max_parallel = 5
retry_interval_max = 12h
retry_data_expire = 2d
return_path_remove
return_size_limit = 2500
smtp_accept_max = 60
smtp_accept_max_per_host = 15
smtp_accept_queue = 15
smtp_accept_queue_per_connection = 15
smtp_accept_reserve = 5
smtp_banner = "ESMTP Exim ${version_number} #${compile_number} ${tod_full}"
no_smtp_check_spool_space
smtp_connect_backlog = 50
smtp_load_reserve = 5
smtp_receive_timeout = 2m
smtp_reserve_hosts = 127.0.0.0/24
spool_directory = /var/spool/exim_incoming
strip_excess_angle_brackets
strip_trailing_dot
trusted_users = "mail"

begin acl

check_recipient:
  warn    message = X-Spam-RBL: $sender_host_address is listed at $dnslist_domain
          log_message = found in $dnslist_domain
          dnslists = rbl-plus.mail-abuse.org

  accept  local_parts = postmaster : hostmaster
          domains = +local_domains

  require verify = sender

  accept  domains = +local_domains

  deny    message = relay not permitted

check_message:
  warn    !verify = header_syntax
  warn    !verify = header_sender
  accept

begin routers

lookuphost:
  driver = dnslookup
  ignore_target_hosts = 0.0.0.0 : 10.0.0.0/8 : 127.0.0.0/8 :\
                        172.16.0.0/12 : 192.168.0.0/16
  verify_only
  transport = smtp

literal:
  driver = ipliteral
  verify_only
  transport = smtp

defer_router:
  driver = manualroute
  route_list = * 127.0.0.1 byname
  self = defer

begin transports

smtp:
  driver = smtp

begin retry

* * F,8h,10m; G, 2d,1h,1.5; F,10d,4h

# End of Exim 4 configuration


Use something like this Exim 4 configuration file to process your mail after MailScanner has run
Name file /etc/exim/exim.conf.outgoing

#
# Email has already been accepted, and moved to this queue by MailScanner
#
# This version of Exim merely needs to deliver the email
#
acl_smtp_rcpt = check_recipient
domainlist local_domains = @ : @[]
accept_8bitmime
allow_domain_literals
allow_mx_to_ip
auto_thaw = 3h
bounce_return_message = true
check_log_inodes = 100
check_log_space = 10M
check_spool_inodes = 100
check_spool_space = 10M
delay_warning = 0s
queue_only_load = 4
deliver_queue_load_max = 18
delivery_date_remove
no_envelope_to_remove
host_lookup = *
ignore_bounce_errors_after = 0s
log_selector = +address_rewrite \
               +arguments \
               -delay_delivery \
               +delivery_size \
               +lost_incoming_connection \
               -queue_run \
               +received_recipients \
               +received_sender \
               -retry_defer \
               +sender_on_delivery \
               +size_reject \
               -skip_delivery \
               +smtp_confirmation \
               +smtp_connection \
               +smtp_syntax_error \
               +subject
lookup_open_max = 499
message_body_visible = 1000
message_id_header_text = ${tod_log}
message_size_limit = 16384000
never_users = root
prod_requires_admin = false
queue_list_requires_admin = false
queue_only
queue_run_in_order
queue_run_max = 15
queue_smtp_domains = *
receive_timeout = 60s
received_headers_max = 30
remote_max_parallel = 1
retry_interval_max = 8h
retry_data_expire = 2d
return_path_remove
return_size_limit = 2000
no_smtp_check_spool_space
smtp_accept_max = 80
smtp_accept_max_per_host = 15
smtp_accept_queue = 15
smtp_accept_queue_per_connection = 15
smtp_accept_reserve = 5
smtp_banner = "ESMTP Exim ${version_number} #${compile_number} ${tod_full}"
smtp_connect_backlog = 50
smtp_load_reserve = 5
smtp_receive_timeout = 2m
smtp_reserve_hosts = 127.0.0.0/24
spool_directory = /var/spool/exim
strip_excess_angle_brackets
strip_trailing_dot
timezone = UTC
trusted_users = "mail"

begin acl

check_recipient:
  accept  hosts = :

begin routers

localuser:
  driver = accept
  domains = +local_domains
  check_local_user
  transport = local_delivery

lookuphost:
  driver = dnslookup
  domains = ! +local_domains
  ignore_target_hosts = 0.0.0.0 : 10.0.0.0/8 : 127.0.0.0/8 :\
                        172.16.0.0/12 : 192.168.0.0/16
  self = defer
  transport = smtp

literal:
  driver = ipliteral
  domains = ! +local_domains
  self = defer
  transport = smtp

begin transports

address_pipe:
  driver = pipe
  envelope_to_add
  ignore_status

address_file:
  driver = appendfile

local_delivery:
  driver = appendfile
  envelope_to_add
  return_path_add
  group = mail
  file = /var/mail/${local_part}/Mailbox

smtp:
  driver = smtp
  connection_max_messages = 500
  hosts_max_try = 5
  size_addition = -1
  max_rcpt = 1

begin retry

* * F,8h,10m; G, 2d,1h,1.5; F,10d,4h

# End of Exim 4 configuration


Get rid of mailq program

mv /usr/bin/mailq /usr/bin/orig-mailq

Send over special version of mailq to /usr/local/bin/mailq

#!/bin/bash
#
#
# Replace Exim mailq with this version that handles the two spool areas
#
echo "mail queue for incoming email"
exim -bpu
echo ""
echo ""
echo ""
echo "mail queue for outgoing email"
exim -bpu -C /etc/exim/exim.conf.outgoing


Send over special startup init of Exim for MailScanner

#! /bin/sh
# /etc/init.d/exim
#
# Written by Miquel van Smoorenburg .
# Modified for Debian GNU/Linux by Ian Murdock .
# Modified for exim by Tim Cutts
#
set -e

# Exit if exim runs from /etc/inetd.conf
if grep -q "^ *smtp" /etc/inetd.conf; then
    exit 0
fi

DAEMON=/usr/sbin/exim
NAME=exim

test -x $DAEMON || exit 0

case "$1" in
  start)
    update-inetd --disable smtp
    echo -n "Starting MTA: "
    start-stop-daemon --start --exec $DAEMON -- -bd
    /usr/sbin/exim -C /etc/exim/exim.conf.outgoing -q1m
    echo "exim."
    ;;
  stop)
    echo -n "Stopping MTA: "
    start-stop-daemon --stop --oknodo --exec $DAEMON
    echo "exim."
    ;;
  restart)
    echo "Restarting MTA: "
    start-stop-daemon --stop --oknodo --exec $DAEMON
    start-stop-daemon --start --exec $DAEMON -- -bd -q1m
    echo "exim."
    ;;
  reload|force-reload)
    echo "Reloading $NAME configuration files"
    start-stop-daemon --stop --signal 1 --exec $DAEMON
    ;;
  *)
    echo "Usage: /etc/init.d/$NAME {start|stop|reload}"
    exit 1
    ;;
esac

exit 0


Send over special version of sophos-autoupdate to /etc/MailScanner/wrapper/sophos-autoupdate

#!/usr/bin/perl

use Sys::Syslog;

$SophosRoot = "/usr/local/Sophos";
$IDELink = "$SophosRoot/ide";
$VDLDir = "../lib";
#$Lynx = "/usr/local/bin/lynx -dump";
$Lynx = "/usr/bin/wget -q -O-"; # On Linux use this
$Unzip = "/bin/gunzip -qq";
$rm = "/bin/rm";

$LockFile = "/tmp/SophosBusy.lock";

$LOCK_SH = 1;
$LOCK_EX = 2;
$LOCK_NB = 4;
$LOCK_UN = 8;

Sys::Syslog::openlog("Sophos-autoupdate", 'pid, nowait', 'mail');

# Work out the current VDL (and hence Sophos Sweep) version number
chdir "$SophosRoot/bin/$VDLDir";
opendir(LIBDIR, ".") || &BailOut("Cannot open Sophos/lib directory");
foreach $vdlname (sort readdir(LIBDIR)) {
  next unless $vdlname =~ /^vdl-(\d+)\.(\d+)([a-z]?)\.dat$/;
  $MajorVer = $1;
  $MinorVer = $2;
  $NSVFlag = $3;
}
closedir(LIBDIR);
&BailOut("Could not calculate Sophos version number")
  unless defined($MajorVer) && defined($MinorVer);
$SophosVersion = "$MajorVer$MinorVer";
$VDLVersion = "$MajorVer.$MinorVer";

# Derive other variables, filenames and URLs from the version numbers
$ZipName = $SophosVersion . "_ides.zip";
$URL = "http://www.sophos.com/downloads/ide/$ZipName";
($min,$hour,$date,$month,$year) = (localtime)[1,2,3,4,5];
$month++;
$year+=1900;
$IDEDir = "$SophosRoot/$SophosVersion." .
          sprintf("%04d%02d%02d%02d%02d", $year, $month, $date, $hour, $min);

# If the directory already exists, then we have already done the update
# for today, so quietly exit.
Sys::Syslog::syslog('info', "Sophos already up-to-date"),exit 0 if -d $IDEDir;

# Create the IDE files directory
umask 0022;
mkdir $IDEDir, 0755;
chdir $IDEDir or &BailOut("Cannot cd $IDEDir, $!");

# Fetch and unpack the IDE zip file from Sophos
$result = system("$Lynx $URL > $ZipName");
&BailOut("Lynx failed with error return " . ($result>>8) . "\n") if $result>>8;
$result = system("$Unzip $ZipName");
&BailOut("Unzip failed with error return " . ($result>>8) . "\n") if $result>>8;
symlink("$VDLDir/vdl-$VDLVersion$NSVFlag.dat", "vdl.dat");
# Add the new vdl*.vdb files if they are there
foreach $number (1..99) {
  $string = "vdl" . sprintf("%02d", $number) . ".vdb";
  symlink("$VDLDir/$string", $string) if -f "$VDLDir/$string";
}

# Link in this new directory to Sophos
chdir $SophosRoot or &BailOut("Cannot cd $SophosRoot, $!");
$OldLinkTarget = readlink $IDELink;
&LockSophos();
unlink $IDELink if -l $IDELink;
symlink $IDEDir, $IDELink;
&UnlockSophos();
system("$rm -rf $OldLinkTarget") if defined $OldLinkTarget && -e $OldLinkTarget;

Sys::Syslog::syslog('info', "Sophos successfully updated in $IDEDir");
Sys::Syslog::closelog();
exit 0;

sub BailOut {
  Sys::Syslog::syslog('err', @_);
  Sys::Syslog::closelog();
  warn "@_, $!";
  chdir $SophosRoot or die "Cannot cd $SophosRoot, $!";
  system("$rm -rf $IDEDir") if -d $IDEDir;
  exit 1;
}

sub LockSophos {
  open(LOCK, ">$LockFile") or return;
  flock(LOCK, $LOCK_EX);
  print LOCK "Locked for updating Sophos IDE files by $$\n";
}

sub UnlockSophos {
  print LOCK "Unlocked after updating Sophos IDE files by $$\n";
  flock(LOCK, $LOCK_UN);
  close LOCK;
}


Send over special version of sophos-wrapper to /etc/MailScanner/wrapper/sophos-wrapper

#!/bin/sh

# MailScanner - SMTP E-Mail Virus Scanner
# Copyright (C) 2001 Julian Field
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
#
# The author, Julian Field, can be contacted by email at
# Jules@JulianField.net
# or by paper mail at
# Julian Field
# Dept of Electronics & Computer Science
# University of Southampton
# Southampton
# SO17 1BJ
# United Kingdom
#

# JKF Wrapper Sophos programs with the correct LD_LIBRARY_PATH
# Modified for solaris by CJG
# Then tweaked for heron by JKF again

PackageDir=/usr/local/Sophos
prog=sweep # `basename $0`

SAV_IDE=$PackageDir/ide
LD_LIBRARY_PATH=$PackageDir/lib
export SAV_IDE
export LD_LIBRARY_PATH

if [ "x$1" = "x-IsItInstalled" ]; then
  [ -x ${PackageDir}/bin/$prog ] && exit 0
  exit 1
fi

exec ${PackageDir}/bin/$prog "$@"


Get Sophos Anti-Virus Package installed

Send over special version of Sophos.Install to /usr/local/src/sav-install/Sophos.Install

#!/bin/bash
#
# $Id: Sophos.install.linux,v 1.1 2002/11/10 14:54:52 jkf Exp $
#
# Run this script to install Sophos in the right place, with the right
# options for the MailScanner.
# Run this script from inside the directory in which you have copied
# and unpacked the Sophos distribution.

# Tweaked for Solaris.

SOPHOS=/usr/local/Sophos
SCRIPTS=/etc/MailScanner/wrapper
COMPD=linux.intel.libc6.tar.Z
DISTRIB=linux.intel.libc6.tar

mkdir -p ${SOPHOS}
chown -R root ${SOPHOS}
chmod -R go+rX ${SOPHOS}

# Clear out any old libs from /usr/local/lib which is where
# a default SAVI installation will have left them
echo Clearing out old default Sophos installation libraries
#mdm#rm -f /usr/local/lib/libsavi.so*

# Have we got to uncompress the distribution for them?
if [ -f $COMPD ]; then
  echo Uncompressing Sophos distribution
  uncompress $COMPD
fi

# Have we got to unpack the distribution for them?
if [ -f $DISTRIB ]; then
  # Is there an old unpacked distribution here too??
  if [ -d sav-install ]; then
    echo Clearing out unpacked distribution
    rm -rf sav-install
  fi
  # Unpack the distribution
  echo Unpacking distribution
  tar xBf $DISTRIB
fi

# JKF 31/08/2001 Remove any existing vdl.dat files
if [ -f ${SOPHOS}/lib/vdl.dat ]; then
  rm -f ${SOPHOS}/lib/vdl*
fi
if [ -f ${SOPHOS}/lib/vdln.dat ]; then
  rm -f ${SOPHOS}/lib/vdl*
fi
if [ -f ${SOPHOS}/lib/vdl01.vdb ]; then
  rm -f ${SOPHOS}/lib/vdl*
fi

# Are we in the right directory, or one above it?
if [ -d sav-install ]; then
  cd sav-install
fi

# Check we have found the install.sh script
if [ \! -f install.sh ]; then
  echo Please cd into the directory containing the Sophos install.sh
  echo script and run this command again.
  exit 1
fi

echo Installing Sophos for MailScanner
./install.sh -v -d ${SOPHOS} -s lib -ni

echo
#mdm#echo Fetching latest IDE virus identities from www.sophos.com
#mdm#${SCRIPTS}/sophos-autoupdate

if [ -f ${SCRIPTS}/sophos-wrapper ]; then
  chmod a=rx ${SCRIPTS}/sophos-wrapper
  echo Done.
else
  echo Something has gone wrong. There should be a copy of the
  echo script sophos-wrapper in the directory ${SCRIPTS}.
  echo Please re-install the MailScanner or fetch another copy of
  echo sophoswrapper from the distribution web site.
fi

exit 0


Run as shell script

cd /usr/local/src/sav-install
/usr/local/src/sav-install/Sophos.Install
/etc/MailScanner/wrapper/sophos-autoupdate
chmod 755 /etc/MailScanner/wrapper
chown mail.adm -R /etc/MailScanner/wrapper
chmod 755 /etc/MailScanner/wrapper/sophos-autoupdate
chmod 755 /etc/MailScanner/wrapper/sophos-wrapper
chmod 755 /etc/MailScanner/wrapper/update_virus_scanners
update-rc.d -f spamassassin remove
update-rc.d MailScanner start 22 2 3 4 5 . stop 22 0 1 6 .
chmod +x /etc/init.d/MailScanner
chmod 666 /etc/MailScanner/*
mkdir /var/spool/MailScanner
mkdir /var/spool/MailScanner/incoming
mkdir /var/spool/MailScanner/quarantine
mkdir /var/spool/MailScanner/archive
chown -R mail.adm /var/spool/MailScanner
mkdir -p /var/lock/subsys/MailScanner
chown -R mail.adm /var/lock/subsys


Copy following data to /etc/sav.conf

SAV virus data directory = /usr/local/Sophos/ide
SAV temp directory = /var/tmp


Exim and Debian aspects of /etc/MailScanner/MailScanner.conf

# User to run as (provided for Exim users)
Run As User = mail

# Group to run as (provided for Exim users)
Run As Group = adm

Incoming Queue Dir = /var/spool/exim_incoming/input

# Set location of outgoing mail queue.
# This can also be the filename of a ruleset.
Outgoing Queue Dir = /var/spool/exim/input

# Set where to unpack incoming messages before scanning them
Incoming Work Dir = /var/spool/MailScanner/incoming

# Set where to store infected and message attachments (if they are kept)
# This can also be the filename of a ruleset.
Quarantine Dir = /var/spool/MailScanner/quarantine

# Set where to store all the process id numbers so you can stop MailScanner
PID file = /var/run/MailScanner/MailScanner.pid

# Set whether to use sendmail or exim
MTA = exim

# Set how to invoke MTA when sending messages MailScanner has created
Sendmail = /usr/sbin/exim
Sendmail2 = /usr/sbin/exim -C /etc/exim/exim.conf.outgoing

Language Strings = /etc/MailScanner/languages.conf

# Set where to find the message text sent to users when one of their
# attachments has been deleted from a message.
# These can also be the filenames of rulesets.
Deleted Bad Filename Message Report = /etc/MailScanner/deleted.filename.message.txt
Deleted Virus Message Report = /etc/MailScanner/deleted.virus.message.txt

From dwinkler at ALGORITHMICS.COM Tue Jan 7 17:39:17 2003
From: dwinkler at ALGORITHMICS.COM (Derek Winkler)
Date: Thu Jan 12 21:16:53 2006
Subject: Whitelisting problem
Message-ID: <06EE2C86D3DAD5119A6C0060943F3C970402C0B4@tormail1.algorithmics.com>

Don't think I'd be able to find what servers they send out all their mail
from.

Possible feature:

Whitelisting based on reverse name lookups.

If the email was sent from a server that reverse looks up as domain then
whitelist.

From: *@ibm.com lookup

lookup as an additional parameter to yes no.

-----Original Message-----
From: Julian Field [mailto:mailscanner@ecs.soton.ac.uk]
Sent: Tuesday, January 07, 2003 11:56 AM
To: MAILSCANNER@jiscmail.ac.uk
Subject: Re: Whitelisting problem

At 16:50 07/01/2003, you wrote:
>IBM is a partner of ours so I have whitelisted ibm.com
>
>But now some spammer is forging both the envelope and header to look like
>it came from ibm.com
>
>The spammer appears to be creating random addresses ending in @ibm.com
>
>Is my only choice to remove ibm.com from the whitelist?

If ibm.com only use a few outgoing mail servers, you could whitelist their
IP addresses instead.
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From mike at CAMAROSS.NET Tue Jan 7 17:21:27 2003
From: mike at CAMAROSS.NET (Mike Kercher)
Date: Thu Jan 12 21:16:53 2006
Subject: SpamAssassin timeout
In-Reply-To:
Message-ID: <008101c2b671$38786850$6901a8c0@home.middlefinger.net>

Since MS has nothing to do with mail delivery, I don't think you can point
the finger at it.
Yesterday, about 2PM CST, I started getting complaints from people not
being able to send email...connections were timing out while sendmail
attempted to look up via osirusoft. I removed that from my sendmail.cf,
and everything started to flow again.

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On
Behalf Of Rose, Bobby
Sent: Tuesday, January 07, 2003 11:17 AM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: SpamAssassin timeout

I think there is more to it. I've always used skip_rbl for SA because I
use the rbls on the MTA side and I've been seeing the mail backing up in
queue. This also started happening after I updated to 4.11-1 on Sunday.
I think it's Mailscanner and its mother process not restarting properly.
What I've noticed so far is that I only have 3 MS processes running even
though my setting is set to 5. One process has been running for 4 hours
11 mins and the others are the spawned processes. If I kill MS and
restart then I get all my processes back. If I look at my logs, it looks
like only one MS process was doing anything.

-----Original Message-----
From: Randy Herban [mailto:RHerban@GRAMTEL.NET]
Sent: Tuesday, January 07, 2003 11:22 AM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: SpamAssassin timeout

Unfortunately something that I noticed yesterday when the RBL's were
offline was that MailScanner was not ceasing to use spamassassin even
though I was up to 75 consecutive failures out of 20. I just upgraded to
the newest MS-4.11-1 yesterday as well. RedHat 8.0 if it helps.

-randy

-----Original Message-----
From: David Sullivan [mailto:David.Sullivan@BARNET.AC.UK]
Sent: Tuesday, January 07, 2003 10:38 AM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: SpamAssassin timeout

On 7 Jan 2003 at 15:28, Spicer, Kevin wrote:

> > >Is it possible to test if the RBL-server answer and if not just
> > >skip it and do the rest?
> >
> > SpamAssassin can't do that. If you do the RBL checking with
> > MailScanner, it will do what you want. SpamAssassin isn't very
> > robust when services it is using fail.
> >
>
> My understanding (read assumption!) was that if you use MailScanner to
> do the RBL checks, and then pass to SpamAssassin for further checks
> that any message from a host found in the RBL will be marked as SPAM,
> even if the spamassassin score would have been lower than the spam
> threshold. In other words the mailscanner RBL checks and the
> spamassassin checks are completely separate(?).

I think you're misunderstanding the comment slightly. If MailScanner
doing RBL checks notices that they've timed out a number of times in a
row it will stop using the RBL checks till the next MailScanner restart.
If you do the RBL checks within SpamAssassin this means that SpamAssassin
as a whole will time out and cannot "disable the RBL checks" itself (as
MailScanner does). In turn MailScanner should see that SpamAssassin is
timing out and disable it till the next MailScanner restart.

David.

==============================================================
This communication may contain privileged or confidential
information which is for the exclusive use of the intended
recipient. If you are not the intended recipient, please note
that you may not distribute or use this communication or the
information it contains. If this e-mail has reached you in
error, please delete it and any attachment.
Internet communications are not secure and Barnet College
does not accept legal responsibility for the content of this
message. Any views or opinions expressed are those of the
author and not necessarily those of Barnet College.
Please note that Barnet College reserves the right to monitor
the source/destinations of all incoming or outgoing e-mail
communications.
==============================================================

From RHerban at GRAMTEL.NET Tue Jan 7 17:44:46 2003
From: RHerban at GRAMTEL.NET (Randy Herban)
Date: Thu Jan 12 21:16:53 2006
Subject: SpamAssassin timeout OT: SpamAssassin timeouts
Message-ID:

The lookups from osirusoft were causing a problem and spamassassin was
timing out while doing these checks. What I noticed was that MailScanner
was continuing to use spamassassin at 75 consecutive timeouts out of a
possible 20. When the number of timeouts hit 20, it should have stopped
using spamassassin (I don't think I'm making this part up, it's in the
documentation and has been mentioned several times on the list) until the
next restart. At next restart the counters should drop to 0 (assumption
on my part) and if it hits 20 again, it will stop using spamassassin
again. Instead, spamassassin was continuing to be used even with 75+
consecutive timeouts and kept queueing up the incoming mail because of
this.

-Randy

-----Original Message-----
From: Mike Kercher [mailto:mike@CAMAROSS.NET]
Sent: Tuesday, January 07, 2003 12:21 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: SpamAssassin timeout

Since MS has nothing to do with mail delivery, I don't think you can point
the finger at it. Yesterday, about 2PM CST, I started getting complaints
from people not being able to send email...connections were timing out
while sendmail attempted to look up via osirusoft. I removed that from my
sendmail.cf, and everything started to flow again.

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On
Behalf Of Rose, Bobby
Sent: Tuesday, January 07, 2003 11:17 AM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: SpamAssassin timeout

I think there is more to it. I've always used skip_rbl for SA because I
use the rbls on the MTA side and I've been seeing the mail backing up in
queue. This also started happening after I updated to 4.11-1 on Sunday.
I think it's Mailscanner and its mother process not restarting properly.
What I've noticed so far is that I only have 3 MS processes running even
though my setting is set to 5. One process has been running for 4 hours
11 mins and the others are the spawned processes. If I kill MS and
restart then I get all my processes back. If I look at my logs, it looks
like only one MS process was doing anything.

-----Original Message-----
From: Randy Herban [mailto:RHerban@GRAMTEL.NET]
Sent: Tuesday, January 07, 2003 11:22 AM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: SpamAssassin timeout

Unfortunately something that I noticed yesterday when the RBL's were
offline was that MailScanner was not ceasing to use spamassassin even
though I was up to 75 consecutive failures out of 20. I just upgraded to
the newest MS-4.11-1 yesterday as well. RedHat 8.0 if it helps.

-randy

-----Original Message-----
From: David Sullivan [mailto:David.Sullivan@BARNET.AC.UK]
Sent: Tuesday, January 07, 2003 10:38 AM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: SpamAssassin timeout

On 7 Jan 2003 at 15:28, Spicer, Kevin wrote:

> > >Is it possible to test if the RBL-server answer and if not just
> > >skip it and do the rest?
> >
> > SpamAssassin can't do that. If you do the RBL checking with
> > MailScanner, it will do what you want. SpamAssassin isn't very
> > robust when services it is using fail.
> >
>
> My understanding (read assumption!) was that if you use MailScanner to
> do the RBL checks, and then pass to SpamAssassin for further checks
> that any message from a host found in the RBL will be marked as SPAM,
> even if the spamassassin score would have been lower than the spam
> threshold. In other words the mailscanner RBL checks and the
> spamassassin checks are completely separate(?).

I think you're misunderstanding the comment slightly.
If MailScanner doing RBL checks notices that they've timed out a number
of times in a row it will stop using the RBL checks till the next
MailScanner restart. If you do the RBL checks within SpamAssassin this
means that SpamAssassin as a whole will time out and cannot "disable the
RBL checks" itself (as MailScanner does). In turn MailScanner should see
that SpamAssassin is timing out and disable it till the next MailScanner
restart.

David.

From dbird at SGHMS.AC.UK Tue Jan 7 18:12:42 2003
From: dbird at SGHMS.AC.UK (Daniel Bird)
Date: Thu Jan 12 21:16:53 2006
Subject: deersoft bought by NAI
Message-ID: <3E1B189A.7040005@sghms.ac.uk>

All,
just in case you haven't heard (haven't noticed anything on the list, but
then again I haven't finished reading all my mail from the NY holiday ;),
Deersoft, the producers of SpamAssassin for Windows (Outlook etc) have
been bought out by NAI (see:
http://www.mcafeeb2b.com/other/jump/deersoft.asp).

This has caused quite a stir on the SATalk mailing lists, with it looking
likely 3 of the mail developers will be stopping their contributions.

Julian, will this have any impact on your development of MailScanner?
regards
Dan

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From mkettler at EVI-INC.COM Tue Jan 7 18:28:24 2003
From: mkettler at EVI-INC.COM (Matt Kettler)
Date: Thu Jan 12 21:16:53 2006
Subject: Whitelisting problem
In-Reply-To: <06EE2C86D3DAD5119A6C0060943F3C970402C0B4@tormail1.algorith
 mics.com>
Message-ID: <5.1.1.6.0.20030107132624.01fc9598@192.168.50.2>

hmm why not:

whitelist_from_rcvd *@ibm.com ibm.com

The second part of the command does not have to be a complete server name.
Just a substring of it. So if any of the mailservers are reported as
(something).ibm.com in the received headers, this will have the same
effect as your "lookup" feature.

At 12:39 PM 1/7/2003 -0500, you wrote:
>Don't think I'd be able to find what servers they send out all their mail
>from.
>
>Possible feature:
>
>Whitelisting based on reverse name lookups.
>
>If the email was sent from a server that reverse looks up as domain then
>whitelist.
>
>From: *@ibm.com lookup
>
>lookup as an additional parameter to yes no.

From dwinkler at ALGORITHMICS.COM Tue Jan 7 18:32:30 2003
From: dwinkler at ALGORITHMICS.COM (Derek Winkler)
Date: Thu Jan 12 21:16:53 2006
Subject: Whitelisting problem
Message-ID: <06EE2C86D3DAD5119A6C0060943F3C970402C0B5@tormail1.algorithmics.com>

SpamAssassin gets these from the headers and they're easily forged.

My feature would be whitelist only if received from a server which reverse
looks up as being that domain.

Two different mechanisms.

-----Original Message-----
From: Matt Kettler [mailto:mkettler@EVI-INC.COM]
Sent: Tuesday, January 07, 2003 1:28 PM
To: MAILSCANNER@jiscmail.ac.uk
Subject: Re: Whitelisting problem

hmm why not:

whitelist_from_rcvd *@ibm.com ibm.com

The second part of the command does not have to be a complete server name.
Just a substring of it.
So if any of the mailservers are reported as (something).ibm.com in the received headers, this will have the same effect as your "lookup" feature.

At 12:39 PM 1/7/2003 -0500, you wrote:
>Don't think I'd be able to find what servers they send out all their mail
>from.
>
>Possible feature:
>
>Whitelisting based on reverse name lookups.
>
>If the email was sent from a server that reverse looks up as domain then
>whitelist.
>
>From: *@ibm.com lookup
>
>lookup as an additional parameter to yes no.

From brose at MED.WAYNE.EDU Tue Jan 7 18:49:11 2003
From: brose at MED.WAYNE.EDU (Rose, Bobby)
Date: Thu Jan 12 21:16:53 2006
Subject: SpamAssassin timeout
Message-ID:

MS does interfere with delivery. Mail comes into the incoming queue and will sit there until MS scans it and drops it into the outgoing queue if you have it set to the queue option. If it's set to batch then it actually fires off a sendmail process to deliver it. So in effect it does have a lot to do with delivery.

Regardless of all that, what I've seen with the 4.11-1 code is that there is something going on either with the automatic 4 hr restart or with the starting of new processes after that 4hr restart. This morning I had 700 messages in the incoming queue with 3 MS processes and no RBL checks being done by SA so I'm not seeing the SA timeouts. After I killed MS and restarted it, everything cleared up again. So there is something else going on here.

-----Original Message-----
From: Mike Kercher [mailto:mike@CAMAROSS.NET]
Sent: Tuesday, January 07, 2003 12:21 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: SpamAssassin timeout

Since MS has nothing to do with mail delivery, I don't think you can point the finger at it.
Yesterday, about 2PM CST, I started getting complaints from people not being able to send email...connections were timing out while sendmail attempted to look up via osirusoft. I removed that from my sendmail.cf, and everything started to flow again.

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Rose, Bobby
Sent: Tuesday, January 07, 2003 11:17 AM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: SpamAssassin timeout

I think there is more to it. I've always used skip_rbl for SA because I use the rbls on the MTA side and I've been seeing the mail backing up in queue. This also started happening after I updated to 4.11-1 on Sunday. I think it's Mailscanner and its mother process not restarting properly. What I've noticed so far is that I only have 3 MS processes running even though my setting is set to 5. One process has been running for 4 hours 11 mins and the others are the spawned processes. If I kill MS and restart then I get all my processes back. If I look at my logs, it looks like only one MS process was doing anything.

-----Original Message-----
From: Randy Herban [mailto:RHerban@GRAMTEL.NET]
Sent: Tuesday, January 07, 2003 11:22 AM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: SpamAssassin timeout

Unfortunately something that I noticed yesterday when the RBL's were offline was that MailScanner was not ceasing to use spamassassin even though I was up to 75 consecutive failures out of 20. I just upgraded to the newest MS-4.11-1 yesterday as well. RedHat 8.0 if it helps.

-randy

-----Original Message-----
From: David Sullivan [mailto:David.Sullivan@BARNET.AC.UK]
Sent: Tuesday, January 07, 2003 10:38 AM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: SpamAssassin timeout

On 7 Jan 2003 at 15:28, Spicer, Kevin wrote:

> > >Is it possible to test if the RBL-server answer and if not just
> > >skip it and do the rest?
> >
> > SpamAssassin can't do that. If you do the RBL checking with
> > MailScanner, it will do what you want. SpamAssassin isn't very
> > robust when services it is using fail.
> >
>
> My understanding (read assumption!) was that if you use MailScanner to
> do the RBL checks, and then pass to SpamAssassin for further checks
> that any message from a host found in the RBL will be marked as SPAM,
> even if the spamassassin score would have been lower than the spam
> threshold. In other words the mailscanner RBL checks and the
> spamassassin checks are completely separate(?).

I think you're misunderstanding the comment slightly.

If MailScanner doing RBL checks notices that they've timed out a number of times in a row it will stop using the RBL checks till the next MailScanner restart.

If you do the RBL checks within SpamAssassin this means that SpamAssassin as a whole will time out and cannot "disable the RBL checks" itself (as MailScanner does). In turn MailScanner should see that SpamAssassin is timing out and disable it till the next MailScanner restart.

David.

From mailscanner at ecs.soton.ac.uk Tue Jan 7 19:01:58 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:53 2006
Subject: deersoft bought by NAI
In-Reply-To: <3E1B189A.7040005@sghms.ac.uk>
Message-ID: <5.2.0.9.2.20030107190007.0205c0b0@imap.ecs.soton.ac.uk>

At 18:12 07/01/2003, you wrote:
>All,
>just in case you haven't heard (haven't noticed anything on the list,
>but then again I haven't finished reading all my mail from the NY
>holiday ;), Deersoft, the producers of SpamAssassin for Windows (Outlook
>etc) have been bought out by NAI (see:
>http://www.mcafeeb2b.com/other/jump/deersoft.asp). This has caused quite
>a stir on the SATalk mailing lists,

I bet it has!

> with it looking likely 3 of the mail
>developers will be stopping their contributions.

Great, just what we need :-(
I wonder if MessageLabs will continue Open Source development of it at all, or will they move completely in-house and not release anything.

>Julian, will this have any impact on your development of MailScanner?

Probably, yes :(
Let's give them a few weeks and see how the dust settles.

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Tue Jan 7 18:55:54 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:53 2006
Subject: SpamAssassin timeout OT: SpamAssassin timeouts
In-Reply-To:
Message-ID: <5.2.0.9.2.20030107185527.02ad6ac0@imap.ecs.soton.ac.uk>

At 17:44 07/01/2003, you wrote:
>The lookups from osirusoft were causing a problem and spamassassin was
>timing out while doing these checks. What I noticed was that MailScanner
>was continuing to use spamassassin at 75 consecutive timeouts out of a
>possible 20.
>When the number of timeouts hit 20, it should have stopped using
>spamassassin (I don't think I'm making this part up, it's in the
>documentation and has been mentioned several times on the list) until the
>next restart. At next restart the counters should drop to 0 (assumption on
>my part) and if it hits 20 again, it will stop using spamassassin again.
>Instead, spamassassin was continuing to be used even with 75+ consecutive
>timeouts and kept queueing up the incoming mail because of this.

This fix is noted in the 4.11 ChangeLog.

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Tue Jan 7 18:59:58 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:53 2006
Subject: SpamAssassin timeout -- suggested fix?
In-Reply-To: <008101c2b671$38786850$6901a8c0@home.middlefinger.net>
References:
Message-ID: <5.2.0.9.2.20030107185704.01fdd900@imap.ecs.soton.ac.uk>

For the adventurous among you, I've come up with an idea to improve the RBL timeout in SpamAssassin problem. What I wanted to be able to do was disable the RBL checking that SpamAssassin does, without disabling SpamAssassin completely.

It's in SA.pm. There is a line that says "sub Checks {" which is the start of the "Checks" subroutine. About 10 lines down there is a chunk of code that says

    return (0,0,
      sprintf(MailScanner::Config::LanguageValue($message,'sadisabled'),
      $maxfailures), 0)
      if $maxfailures>0 && $safailures>=$maxfailures;

Please change that to

    $MailScanner::SA::SAspamtest->{conf}->{skip_rbl_checks} = 1
      if $maxfailures>0 && $safailures>=$maxfailures;

Then hopefully instead of disabling SpamAssassin altogether, it will just disable the RBL checking in it.

The bit I haven't done yet is a way of still disabling SA altogether if it continues to fail even after stopping its RBL checks.
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Tue Jan 7 19:03:46 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:53 2006
Subject: MS 4, Exim 4 on Debian 3 Install Notes
In-Reply-To:
References: <5.2.0.9.2.20021219224834.0209acd8@imap.ecs.soton.ac.uk>
Message-ID: <5.2.0.9.2.20030107190302.02bd6c70@imap.ecs.soton.ac.uk>

At 17:25 07/01/2003, you wrote:
>I have not found a Debian package for this combination, and have
>included my notes on such an install.

I believe Nick is intending to start on this very soon. Drop him a line at nick@mailscanner.info.

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From MHewryk at SYMCOR.COM Tue Jan 7 19:45:09 2003
From: MHewryk at SYMCOR.COM (Magda Hewryk)
Date: Thu Jan 12 21:16:53 2006
Subject: ruleset=check_rcpt
Message-ID:

Hi,

>I'm running :
>Redhat 7.3
>MailScanner: 4.10
>SpamAssassin 2.43

I've disabled all rulesets in my /etc/MailScanner.conf file and for some reason I'm getting ruleset=check_rcpt message in my maillog file.
Why am I getting this error?

Jan 7 14:36:01 tonka sendmail[27109]: h07Ja1cc027109: ruleset=check_rcpt, arg1=, relay=ns.xxx.com [xxx.xxx.12.xx] (may be forged), reject=550 5.7.1 ... Relaying denied. IP name possibly forged [xxx.xxx.12.xx]

Thanks,
Magda

From dwinkler at ALGORITHMICS.COM Tue Jan 7 19:48:22 2003
From: dwinkler at ALGORITHMICS.COM (Derek Winkler)
Date: Thu Jan 12 21:16:53 2006
Subject: ruleset=check_rcpt
Message-ID: <06EE2C86D3DAD5119A6C0060943F3C970402C0B8@tormail1.algorithmics.com>

That's a sendmail message not MailScanner

-----Original Message-----
From: Magda Hewryk [mailto:MHewryk@symcor.com]
Sent: Tuesday, January 07, 2003 2:45 PM
To: MAILSCANNER@jiscmail.ac.uk
Subject: ruleset=check_rcpt

Hi,

>I'm running :
>Redhat 7.3
>MailScanner: 4.10
>SpamAssassin 2.43

I've disabled all rulesets in my /etc/MailScanner.conf file and for some reason I'm getting ruleset=check_rcpt message in my maillog file.
Why am I getting this error?

Jan 7 14:36:01 tonka sendmail[27109]: h07Ja1cc027109: ruleset=check_rcpt, arg1=, relay=ns.xxx.com [xxx.xxx.12.xx] (may be forged), reject=550 5.7.1 ... Relaying denied. IP name possibly forged [xxx.xxx.12.xx]

Thanks,
Magda

From lbergman at wtxs.net Tue Jan 7 19:49:25 2003
From: lbergman at wtxs.net (Lewis Bergman)
Date: Thu Jan 12 21:16:53 2006
Subject: ruleset=check_rcpt
In-Reply-To:
References:
Message-ID: <200301071349.25481.lbergman@wtxs.net>

> Jan 7 14:36:01 tonka sendmail[27109]: h07Ja1cc027109: ruleset=check_rcpt,
> arg1=, relay=ns.xxx.com [xxx.xxx.12.xx] (may be forged),
> reject=550 5.7.1 ... Relaying denied. IP name possibly
> forged [xxx.xxx.12.xx]

That is a sendmail error (550). Mailscanner doesn't have anything to do with it. If you control dns for all those x's you put in there then fix that.

--
Lewis Bergman
Texas Communications
4309 Maple St.
Abilene, TX 79602-8044
915-695-6962 ext 115

From Kevin.Spicer at BMRB.CO.UK Tue Jan 7 19:51:07 2003
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin)
Date: Thu Jan 12 21:16:53 2006
Subject: ruleset=check_rcpt
Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0A4ACF8@pascal.priv.bmrb.co.uk>

> I've disabled all rulesets in my /etc/MailScanner.conf file
> and for some
> reason I'm getting ruleset=check_rcpt message in my maillog file.
> Why am I getting this error?
>
> Jan 7 14:36:01 tonka sendmail[27109]: h07Ja1cc027109:
> ruleset=check_rcpt,
> arg1=, relay=ns.xxx.com [xxx.xxx.12.xx] (may
> be forged),
> reject=550 5.7.1 ... Relaying denied. IP name possibly
> forged [xxx.xxx.12.xx]
>

That's a sendmail error, nothing to do with MailScanner. It's not clear from your obfuscated headers why, or whether this is a genuine message or some unauthorised person trying to relay through your server.

From MHewryk at SYMCOR.COM Tue Jan 7 20:30:00 2003
From: MHewryk at SYMCOR.COM (Magda Hewryk)
Date: Thu Jan 12 21:16:53 2006
Subject: Spam Checks: Starting
Message-ID:

Hi,

It is unclear to me why MailScanner still reads rules even though I disabled them through MailScanner.conf file?

Example:
==========
I've changed ../rules/deliver.clean.rules file to look like (added "To"):
FromTo: default yes

(I've always had " Log Spam = yes" turned on)

and FINALLY I started getting detailed logs from SpamAssassin but rules are turned off in MailScanner.conf file !!!!!!!!!!!!!!!!!!!

Jan 7 15:20:18 tonka MailScanner[32537]: New Batch: Scanning 1 messages, 885 bytes
Jan 7 15:20:18 tonka MailScanner[32537]: Spam Checks: Starting
Jan 7 15:20:53 tonka MailScanner[32537]: Message h07KKEH7032751 from 127.0.0.1 (tonka.aberfoyle.com) is spam, SpamAssassin (score=7.9, required 5, FREE_MONEY, NO_MX_FOR_FROM, PLING_PLING, SPAM_PHRASE_00_01, SUBJ_ALL_CAPS, SUBJ_FREE_CAP, SUB_FREE_OFFER, UPPERCASE_75_100)
Jan 7 15:20:54 tonka MailScanner[32537]: Spam Checks: Found 1 spam messages
Jan 7 15:20:54 tonka MailScanner[32537]: Spam Actions: message h07KKEH7032751 actions are deliver

Question:
=========
Why the change done above will take effect if my rules are disabled in MailScanner.conf file:

Deliver Cleaned Messages = yes
# mnh Deliver Cleaned Messages = /etc/MailScanner/rules/deliver.clean.rules
Spam Checks = yes
# mnh Spam Checks = /etc/MailScanner/rules/deliver.clean.rules

Any tips?

Thanks,

Magda Hewryk
--------------------------------
Mid-Range Systems
RSP: 905-273-1637
CELL: 416-948-4427

From mailscanner at ecs.soton.ac.uk Tue Jan 7 20:41:41 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:53 2006
Subject: Spam Checks: Starting
In-Reply-To:
Message-ID: <5.2.0.9.2.20030107204024.02e083e0@imap.ecs.soton.ac.uk>

Have you done a reload or a restart of MailScanner since you edited the conf files?

At 20:30 07/01/2003, you wrote:
>Hi,
>
>It is unclear to me why MailScanner still reads rules even though I
>disabled them through MailScanner.conf file?
>
>Example:
>==========
>I've changed ../rules/deliver.clean.rules file to look like (added "To"):
>FromTo: default yes
>
>(I've always had " Log Spam = yes" turned on)
>
>and FINALLY I started getting detailed logs from SpamAssassin but rules are
>turned off in MailScanner.conf file !!!!!!!!!!!!!!!!!!!
> >Jan 7 15:20:18 tonka MailScanner[32537]: New Batch: Scanning 1 messages, >885 bytes >Jan 7 15:20:18 tonka MailScanner[32537]: Spam Checks: Starting >Jan 7 15:20:53 tonka MailScanner[32537]: Message h07KKEH7032751 from >127.0.0.1 (tonka.aberfoyle.com) is spam, SpamAssassin (score=7.9, required >5, FREE_MONEY, NO_MX_FOR_FROM, PLING_PLING, SPAM_PHRASE_00_01, >SUBJ_ALL_CAPS, SUBJ_FREE_CAP, SUB_FREE_OFFER, UPPERCASE_75_100) >Jan 7 15:20:54 tonka MailScanner[32537]: Spam Checks: Found 1 spam >messages >Jan 7 15:20:54 tonka MailScanner[32537]: Spam Actions: message >h07KKEH7032751 actions are deliver > >Question: >========= >Why the change done above will take effect if my rules are disabled in >MailScanner.conf file: >Deliver Cleaned Messages = yes ># mnh Deliver Cleaned Messages = /etc/MailScanner/rules/deliver.clean.rules >Spam Checks = yes ># mnh Spam Checks = /etc/MailScanner/rules/deliver.clean.rules > >Any tips? > >Thanks, > >Magda Hewryk >-------------------------------- >Mid-Range Systems >RSP: 905-273-1637 >CELL: 416-948-4427 -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From combs at magnet.fsu.edu Tue Jan 7 20:58:15 2003 From: combs at magnet.fsu.edu (Tom Combs) Date: Thu Jan 12 21:16:53 2006 Subject: ok to link /opt/ms to /usr/local/ms ??? Message-ID: <200301072058.h07KwFOK001983@osprey.magnet.fsu.edu> Hello All, I prefer to run mailscanner out of /usr/local/mailscanner instead of /opt/mailscanner. Is there any reason I should not just ln -s /usr/local/mailscanner /opt/mailscanner instead of changing all the directory entries in the code? TIA! -- Tom Combs E-mail: combs@magnet.fsu.edu National High Magnetic Field Laboratory Phone: (850) 644-1657 1800 E. Paul Dirac Drive Tallahassee, FL 32310 From MHewryk at SYMCOR.COM Tue Jan 7 21:12:07 2003 From: MHewryk at SYMCOR.COM (Magda Hewryk) Date: Thu Jan 12 21:16:53 2006 Subject: Spam Checks: Starting Message-ID: I've done stop/start of MailScanner. 
Thanks, Magda Hewryk -------------------------------- Mid-Range Systems RSP: 905-273-1637 CELL: 416-948-4427 Julian Field cc: Sent by: Subject: Re: Spam Checks: Starting MailScanner mailing list 01/07/2003 03:41 PM Please respond to MailScanner mailing list Have you done a reload or a restart of MailScanner since you edited the conf files? At 20:30 07/01/2003, you wrote: >Hi, > >It is unclear to me why MailScanner still reads rules even though I >disabled them through MailScanner.conf file? > >Example: >========== >I've changed ../rules/deliver.clean.rules file to look like (added "To"): >FromTo: default yes > >(I've always had " Log Spam = yes" turned on) > >and FINALLY I started getting detailed logs from SpamAssassin but rules are >turned off in MailScanner.conf file !!!!!!!!!!!!!!!!!!! > >Jan 7 15:20:18 tonka MailScanner[32537]: New Batch: Scanning 1 messages, >885 bytes >Jan 7 15:20:18 tonka MailScanner[32537]: Spam Checks: Starting >Jan 7 15:20:53 tonka MailScanner[32537]: Message h07KKEH7032751 from >127.0.0.1 (tonka.aberfoyle.com) is spam, SpamAssassin (score=7.9, required >5, FREE_MONEY, NO_MX_FOR_FROM, PLING_PLING, SPAM_PHRASE_00_01, >SUBJ_ALL_CAPS, SUBJ_FREE_CAP, SUB_FREE_OFFER, UPPERCASE_75_100) >Jan 7 15:20:54 tonka MailScanner[32537]: Spam Checks: Found 1 spam >messages >Jan 7 15:20:54 tonka MailScanner[32537]: Spam Actions: message >h07KKEH7032751 actions are deliver > >Question: >========= >Why the change done above will take effect if my rules are disabled in >MailScanner.conf file: >Deliver Cleaned Messages = yes ># mnh Deliver Cleaned Messages = /etc/MailScanner/rules/deliver.clean.rules >Spam Checks = yes ># mnh Spam Checks = /etc/MailScanner/rules/deliver.clean.rules > >Any tips? 
> >Thanks, > >Magda Hewryk >-------------------------------- >Mid-Range Systems >RSP: 905-273-1637 >CELL: 416-948-4427 -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From gerben at BREKELMANS.COM Tue Jan 7 21:29:02 2003 From: gerben at BREKELMANS.COM (Gerben Welter) Date: Thu Jan 12 21:16:53 2006 Subject: MailScanner causing server to crash In-Reply-To: <1041801959.1004.32.camel@bill> Message-ID: <5.2.0.9.2.20030107221831.02c39ad0@brekelmans.com> Hi. A few months ago I had a similar problem. Our Linux proxy server which had been up for over 7 months started to reset spontaneously . At first it would happen only once in a few days. At the end the box wouldn't last longer than a few hours. I knew I didn't change anything to the software that would explain the change in stability. I began to suspect hardware failure due to heat problems (bad cpufan e.g.) Once the server was opened I saw the problem: the capacitors surrounding the cpu looked like they were going to burst or were already leaking. That probably made the powersupply to the cpu unstable. The motherboard was replaced and the server has been rock solid again. Once I saw the capacitors I remembered reading somewhere that lots of motherboard manufacturers had bought batches of bad capacitors and a lot of motherboards starting to get returned. So my advice is to check your server hardware for obvious signs of degradation. Gerben. At 15:25 1/5/2003 -0600, you wrote: >I'm having a major problem with MailScanner (indirectly) and I am hoping >that someone here may be able to help me with it. It seems that when >MailScanner (4.10) is running, the server tends to reboot. However I >don't believe that it is a problem with MailScanner. I say this because >the server is running on a RAID5 setup with a Mylex DAC960 controller >with Barracuda SCSI drives. > >I suspect that the machine is rebooting due to the slowness of the RAID >array. 
I'm not exactly sure though, but I do feel that it is directly >related. > >I'm currently running sendmail with spamass-milter with procmail to >filter out and delete spam, but I would like to be able to filter >viruses again. I have tried disabling Virus Scanning and Spam Checks, >with both disabled the machine still crashes. > >The crashes are random, sometimes the server will stay up and work >correctly for a few days, sometimes it can't last an hour. The machine >its self is a quad Xeon 500MHz setup with a gig and a half of ram, >running RedHat 8.0. There is nothing in the log files to point anywhere >since the machine is rebooting before it can write to syslog. > >Could anyone offer any insight on this problem? > >Regards, >Bill Omer From mailscanner at ecs.soton.ac.uk Tue Jan 7 21:54:27 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:53 2006 Subject: MailScanner causing server to crash In-Reply-To: <5.2.0.9.2.20030107221831.02c39ad0@brekelmans.com> References: <1041801959.1004.32.camel@bill> Message-ID: <5.2.0.9.2.20030107215011.02c0ae78@imap.ecs.soton.ac.uk> At 21:29 07/01/2003, you wrote: >Once I saw the capacitors I remembered reading somewhere that lots of >motherboard manufacturers had bought batches of bad capacitors and a lot of >motherboards starting to get returned. We have recently had many motherboards 2 or 3 years old (P3/800 era) die from exactly this problem. One of the main component manufacturers produced several months worth bad capacitors. The other one that came to a conclusion is the Fujitsu hard disk problem. Caused by a bad batch of ceramic used by Cirrus Logic to package one of their IC's on the controller boards of Fujitsu disks. 

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Tue Jan 7 21:59:32 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:53 2006
Subject: ok to link /opt/ms to /usr/local/ms ???
In-Reply-To: <200301072058.h07KwFOK001983@osprey.magnet.fsu.edu>
Message-ID: <5.2.0.9.2.20030107215444.02955008@imap.ecs.soton.ac.uk>

At 20:58 07/01/2003, you wrote:
> I prefer to run mailscanner out of /usr/local/mailscanner instead of
> /opt/mailscanner. Is there any reason I should not just
> ln -s /usr/local/mailscanner /opt/mailscanner

Not that I can think of. If you do

    ln -s /usr/local/MailScanner-4.11-1 /opt/mailscanner

then you will find upgrading to a new version much easier.

> instead of changing
> all the directory entries in the code? TIA!

You don't need to touch the code, just all the config files and the shell scripts. The one exception to that is the very first line of /opt/MailScanner/bin/MailScanner.

>National High Magnetic Field Laboratory Phone: (850) 644-1657
>1800 E. Paul Dirac Drive Tallahassee, FL 32310

Can I add you to my "list of users" web page please? Your lab would look good on the list :-)

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From jase at SENSIS.COM Tue Jan 7 21:56:48 2003
From: jase at SENSIS.COM (Desai, Jason)
Date: Thu Jan 12 21:16:53 2006
Subject: Exim and MS 4.11-1
Message-ID:

Hello.

I am trying to upgrade MS from version 3 to 4.11-1. I have shut down the old version and renamed its directory, and I am treating this as a new install. But when I run the new version, the spawned processes seem to scan the mail for spam, then for viruses, and then partially move one message from the in queue to the out queue before crashing. Then another process does the same thing.

I set Debug = yes in the config file and ran MS again, and this is what I get:

# /usr/local/MailScanner/bin/MailScanner /usr/local/MailScanner/etc/MailScanner.conf
In Debugging mode, not forking...
Not an ARRAY reference at /usr/local/MailScanner/lib/MailScanner/Exim.pm line 1082.
Stopping now as you are debugging me.
# Not an ARRAY reference at /usr/local/MailScanner/lib/MailScanner/Exim.pm line 1082.

After this run, the -D file from one of my messages in the in queue has been moved to the out queue, and the -H file is nowhere to be found.

I know a little bit of perl, and took a look at Exim.pm, but I don't know what it is supposed to be doing. It must be something I've configured wrong, as nobody else seems to be having this problem. Any ideas?

I am using Exim 3.35. Here are some lines from my config file - I can post the whole thing if needed:

Run As User = mail
Incoming Queue Dir = /var/spool/exim_incoming/input
Outgoing Queue Dir = /var/spool/exim/input
MTA = exim
Sendmail = /usr/sbin/exim
Sendmail2 = /usr/sbin/exim -C /etc/exim_outgoing.conf
Deliver In Background = yes
Delivery Method = batch

Thanks for any thoughts.

Jason Desai

From paul at ESPMAIL.CO.UK Tue Jan 7 21:58:47 2003
From: paul at ESPMAIL.CO.UK (Paul Welsh)
Date: Thu Jan 12 21:16:53 2006
Subject: deersoft bought by NAI
References: <3E1B189A.7040005@sghms.ac.uk>
Message-ID: <006f01c2b698$7d45b600$9ce230d5@espmail>

----- Original Message -----
From: "Daniel Bird"
To:
Sent: 07 January 2003 18:12
Subject: deersoft bought by NAI

> Deersoft, the producers of SpamAssassin for Windows (Outlook
> etc) have been bought out by NAI (see:
> http://www.mcafeeb2b.com/other/jump/deersoft.asp). This has caused quite
> a stir on the SATalk mailing lists, with it looking likely 3 of the mail
> developers will be stopping their contributions.
>

Doesn't look promising, does it?
To quote from http://www.mcafeeb2b.com/other/jump/deersoft-faq.asp: "The SpamAssassin open source project will continue and will be maintained by its current authors including Justin Mason and Craig Hughes." Sounds good. However, it goes on to say in the next sentence: "Mason and Hughes will be employees of Network Associates and will devote their energies to the development of the proprietary McAfee product." Er, so if Mason and Hughes will put all their energies into the McAfee product how on earth are they going to maintain the open source project? What double speak! The icing on the cake? Network Associates now own the SpamAssassin name. From mailscanner at ecs.soton.ac.uk Tue Jan 7 22:06:56 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:53 2006 Subject: Exim and MS 4.11-1 In-Reply-To: Message-ID: <5.2.0.9.2.20030107220532.02bf7f80@imap.ecs.soton.ac.uk> At 21:56 07/01/2003, you wrote: >I am trying to upgrade MS from version 3 to 4.11-1. I have shut down the >old version and renamed its directory, and I am treating this as a new >install. But when I run the new version, the spawned processes seem to scan >the mail for spam, then for viruses, and then partially move one message >from the in queue to the out queue before crashing. Then another process >does the same thing. You probably still have the cron job which regularly restarts version 3. Check /etc/cron*/*. >I set Debug = yes in the config file and ran MS again, and this is what I >get: > ># /usr/local/MailScanner/bin/MailScanner >/usr/local/MailScanner/etc/MailScanner.conf >In Debugging mode, not forking... >Not an ARRAY reference at /usr/local/MailScanner/lib/MailScanner/Exim.pm >line 1082. >Stopping now as you are debugging me. ># Not an ARRAY reference at /usr/local/MailScanner/lib/MailScanner/Exim.pm >line 1082. > >After this run, the -D file from one of my messages in the in queue has been >moved to the out queue, and the -H file is nowhere to be found. 
> >I know a little bit of perl, and took a look at Exim.pm, but I don't know >what it is supposed to be doing. It must be something I've configured >wrong, as nobody else seems to be having this problem. Any ideas? > >I am using Exim 3.35. Here are some lines from my config file - I can post >the whole thing if needed: > >Run As User = mail >Incoming Queue Dir = /var/spool/exim_incoming/input >Outgoing Queue Dir = /var/spool/exim/input >MTA = exim >Sendmail = /usr/sbin/exim >Sendmail2 = /usr/sbin/exim -C /etc/exim_outgoing.conf >Deliver In Background = yes >Delivery Method = batch > >Thanks for any thoughts. > >Jason Desai -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From jase at SENSIS.COM Tue Jan 7 22:15:17 2003 From: jase at SENSIS.COM (Desai, Jason) Date: Thu Jan 12 21:16:53 2006 Subject: Exim and MS 4.11-1 Message-ID: > -----Original Message----- > From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] > Sent: Tuesday, January 07, 2003 5:07 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: [MAILSCANNER] Exim and MS 4.11-1 > > > At 21:56 07/01/2003, you wrote: > >I am trying to upgrade MS from version 3 to 4.11-1. I have > shut down the > >old version and renamed its directory, and I am treating > this as a new > >install. But when I run the new version, the spawned > processes seem to scan > >the mail for spam, then for viruses, and then partially move > one message > >from the in queue to the out queue before crashing. Then > another process > >does the same thing. > > You probably still have the cron job which regularly restarts > version 3. > Check /etc/cron*/*. > I was running check_mailscanner from root's crontab, and taking that out was the first thing I did. I also checked for any processes hanging around: # ps auxw |grep -i mailscanner root 18499 0.0 0.6 1332 436 pts/5 S 17:13 0:00 grep -i mailscanner Any other thoughts? Thanks. 
Jason Desai From mailscanner at ecs.soton.ac.uk Tue Jan 7 22:27:01 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:53 2006 Subject: Exim and MS 4.11-1 In-Reply-To: Message-ID: <5.2.0.9.2.20030107222556.02cc9a90@imap.ecs.soton.ac.uk> At 22:15 07/01/2003, you wrote: > > -----Original Message----- > > From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] > > Sent: Tuesday, January 07, 2003 5:07 PM > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: Re: [MAILSCANNER] Exim and MS 4.11-1 > > > > > > At 21:56 07/01/2003, you wrote: > > >I am trying to upgrade MS from version 3 to 4.11-1. I have > > shut down the > > >old version and renamed its directory, and I am treating > > this as a new > > >install. But when I run the new version, the spawned > > processes seem to scan > > >the mail for spam, then for viruses, and then partially move > > one message > > >from the in queue to the out queue before crashing. Then > > another process > > >does the same thing. > > > > You probably still have the cron job which regularly restarts > > version 3. > > Check /etc/cron*/*. > > > >I was running check_mailscanner from root's crontab, and taking that out was >the first thing I did. I also checked for any processes hanging around: > ># ps auxw |grep -i mailscanner >root 18499 0.0 0.6 1332 436 pts/5 S 17:13 0:00 grep -i >mailscanner Also check the permissions and ownership on the "incoming" and "quarantine" directories. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From support at INVICTANET.CO.UK Tue Jan 7 22:50:22 2003 From: support at INVICTANET.CO.UK (InvictaNet Customer Support) Date: Thu Jan 12 21:16:53 2006 Subject: deersoft bought by NAI In-Reply-To: <006f01c2b698$7d45b600$9ce230d5@espmail> Message-ID: Wasn't it NAI that bought that other fine product, PGP, for a vast amount of money. Then, when they realised that nobody was buying it, dumped it quietly?................ 
Martyn Routley ----------------------------------------------------------------- InvictaNet - The Internet in Plain English, Guaranteed http://www.invictanet.co.uk martyn@support.invictanet.co.uk phone: 08707 440180 fax: 08707 440181 Ask us about our online Antivirus and Junk mail scanning service ----------------------------------------------------------------- -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Paul Welsh Sent: 07 January 2003 21:59 To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: deersoft bought by NAI ----- Original Message ----- From: "Daniel Bird" To: Sent: 07 January 2003 18:12 Subject: deersoft bought by NAI > Deersoft, the producers of SpamAssassin for Windows (Outlook > etc) have been bought out by NAI (see: > http://www.mcafeeb2b.com/other/jump/deersoft.asp). This has caused quite > a stir on the SATalk mailing lists, with it looking likely 3 of the mail > developers will be stopping their contributions. > Doesn't look promising, does it? To quote from http://www.mcafeeb2b.com/other/jump/deersoft-faq.asp: "The SpamAssassin open source project will continue and will be maintained by its current authors including Justin Mason and Craig Hughes." Sounds good. However, it goes on to say in the next sentence: "Mason and Hughes will be employees of Network Associates and will devote their energies to the development of the proprietary McAfee product." Er, so if Mason and Hughes will put all their energies into the McAfee product how on earth are they going to maintain the open source project? What double speak! The icing on the cake? Network Associates now own the SpamAssassin name. ---------------------------------------------- This message has been scanned for viruses and dangerous content by the http://www.anti84787.com MailScanner, and is believed to be clean. From mailscanner-sub at WIREHUB.NET Tue Jan 7 23:03:20 2003 From: mailscanner-sub at WIREHUB.NET (Ben C. O.
Grimm) Date: Thu Jan 12 21:16:53 2006 Subject: OT: Dynamically updating /etc/mail/access In-Reply-To: References: <8A6DFB0865502242A29E25BDAEFBB9451ABE7B@d2sexchtest.cqg.com> Message-ID: On 7 Jan 2003 00:50:03 +0100, Stewart Lawler wrote: > this looks like a great solution - but what is the performance impact? > The relay machine i'm running mailscanner on at the moment is rather old > and might not cope with being given much more to do. :-) The only performance impact will be hashing the database when using the full list. Shouldn't be too much work though. You don't have to worry about the size of the resulting db; hash lookups are blazingly fast. Our access.db is >20 MB in size (we put a lot of extra information in it), and it gets called at least 2 times per second. I sleep well. -- - Ben C. O. Grimm ----------------- Ben.Grimm@wirehub.net - - Wirehub! Internet Engineering - http://www.wirehub.net/ - - Private Ponderings ----------- http://www.bengrimm.net/ - - Wirehub! Internet ----------- part of easynet Group plc - From jase at SENSIS.COM Tue Jan 7 23:04:22 2003 From: jase at SENSIS.COM (Desai, Jason) Date: Thu Jan 12 21:16:53 2006 Subject: Exim and MS 4.11-1 Message-ID: > -----Original Message----- > From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] > Sent: Tuesday, January 07, 2003 5:27 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: [MAILSCANNER] Exim and MS 4.11-1 > > > At 22:15 07/01/2003, you wrote: > > > -----Original Message----- > > > From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] > > > Sent: Tuesday, January 07, 2003 5:07 PM > > > To: MAILSCANNER@JISCMAIL.AC.UK > > > Subject: Re: [MAILSCANNER] Exim and MS 4.11-1 > > > > > > > > > At 21:56 07/01/2003, you wrote: > > > >I am trying to upgrade MS from version 3 to 4.11-1. I have > > > shut down the > > > >old version and renamed its directory, and I am treating > > > this as a new > > > >install. 
But when I run the new version, the spawned > > > processes seem to scan > > > >the mail for spam, then for viruses, and then partially move > > > one message > > > >from the in queue to the out queue before crashing. Then > > > another process > > > >does the same thing. > > > > > > You probably still have the cron job which regularly restarts > > > version 3. > > > Check /etc/cron*/*. > > > > > > >I was running check_mailscanner from root's crontab, and > taking that out was > >the first thing I did. I also checked for any processes > hanging around: > > > ># ps auxw |grep -i mailscanner > >root 18499 0.0 0.6 1332 436 pts/5 S 17:13 > 0:00 grep -i > >mailscanner > > Also check the permissions and ownership on the "incoming" > and "quarantine" > directories. They look ok to me: # ls -ald /var/spool/MailScanner/incoming drwxrwxr-x 9 root mail 3072 Jan 7 16:48 /var/spool/MailScanner/incoming # ls -ald /var/spool/MailScanner/quarantine/ drwxrwxr-x 349 root mail 6144 Jan 7 00:14 /var/spool/MailScanner/quarantine/ # ls -ald /var/spool/exim/input/ drwxrwx--- 2 mail mail 3072 Jan 7 17:06 /var/spool/exim/input/ # ls -ald /var/spool/exim_incoming/input/ drwxrwx--- 2 mail mail 3072 Jan 7 18:00 /var/spool/exim_incoming/input/ The user mail is in the group mail, so he should have full access to these directories. These are the same directories that I used for version 3. I'm open to any other suggestions. Thanks! Jason Desai From LSMailScanner at infopackaging.com Tue Jan 7 23:47:25 2003 From: LSMailScanner at infopackaging.com (Troy Sorzano) Date: Thu Jan 12 21:16:53 2006 Subject: Centralized aliases In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB0A32BF5@pascal.priv.bmrb.co.uk> References: <5C0296D26910694BB9A9BBFC577E7AB0A32BF5@pascal.priv.bmrb.co.uk> Message-ID: >>I use mailscanner in front of an exchange box and my mailscanner box >>doesn't know any of my users names. Kevin, How are you managing users preferences for whitelists and blacklists? 
I have the same configuration as you but need to figure out how to use different preferences for each email account. Thanks, Troy Sorzano From nwp at LEMON-COMPUTING.COM Wed Jan 8 00:26:06 2003 From: nwp at LEMON-COMPUTING.COM (Nick Phillips) Date: Thu Jan 12 21:16:53 2006 Subject: Exim and MS 4.11-1 In-Reply-To: Message-ID: On Wednesday, January 8, 2003, at 10:56 am, Desai, Jason wrote: > # /usr/local/MailScanner/bin/MailScanner > /usr/local/MailScanner/etc/MailScanner.conf > In Debugging mode, not forking... > Not an ARRAY reference at > /usr/local/MailScanner/lib/MailScanner/Exim.pm > line 1082. > Stopping now as you are debugging me. > # Not an ARRAY reference at > /usr/local/MailScanner/lib/MailScanner/Exim.pm > line 1082. > > After this run, the -D file from one of my messages in the in queue > has been > moved to the out queue, and the -H file is nowhere to be found. Odd. It may be something particular about the files you're trying to process that's tickling a bug; does it happen no matter what is in the queue when you start it up, or does it only happen for particular messages? Cheers, Nick From jase at SENSIS.COM Wed Jan 8 00:48:07 2003 From: jase at SENSIS.COM (Desai, Jason) Date: Thu Jan 12 21:16:53 2006 Subject: Exim and MS 4.11-1 Message-ID: > -----Original Message----- > From: Nick Phillips [mailto:nwp@LEMON-COMPUTING.COM] > Sent: Tuesday, January 07, 2003 7:26 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: [MAILSCANNER] Exim and MS 4.11-1 > > > On Wednesday, January 8, 2003, at 10:56 am, Desai, Jason wrote: > > > # /usr/local/MailScanner/bin/MailScanner > > /usr/local/MailScanner/etc/MailScanner.conf > > In Debugging mode, not forking... > > Not an ARRAY reference at > > /usr/local/MailScanner/lib/MailScanner/Exim.pm > > line 1082. > > Stopping now as you are debugging me. > > # Not an ARRAY reference at > > /usr/local/MailScanner/lib/MailScanner/Exim.pm > > line 1082.
> > > > After this run, the -D file from one of my messages in the in queue > > has been > > moved to the out queue, and the -H file is nowhere to be found. > > Odd. It may be something particular about the files you're trying to > process that's > tickling a bug; does it happen no matter what is in the queue when you > start it up, or > does it only happen for particular messages? It seems to be very consistent. With each run, there is one less message in the first batch. I have run it with as little as 4 messages in the in queue, with the same result. It almost seems like there were multiple instances of MailScanner running. Notice that I got my prompt back and then got another error message about the Exim.pm file. Is there anything I can do to help you debug this? Thanks! Jason Desai From jase at SENSIS.COM Wed Jan 8 00:54:54 2003 From: jase at SENSIS.COM (Desai, Jason) Date: Thu Jan 12 21:16:53 2006 Subject: Exim and MS 4.11-1 Message-ID: > It almost seems like there were multiple instances of > MailScanner running. > Notice that I got my prompt back and then got another error > message about > the Exim.pm file. Is there anything I can do to help you debug this? > Well, I think I figured out why there were multiple instances of MailScanner running - I had Max Children = 2. I would have thought that if Debug = yes, that it would not start multiple children. Anyways, even with Max Children = 1, I'm still getting the error about Exim.pm. Jason Desai From mdm at INTERNET-TOOLS.COM Wed Jan 8 02:17:10 2003 From: mdm at INTERNET-TOOLS.COM (mark david mcCreary) Date: Thu Jan 12 21:16:53 2006 Subject: MS 4, Exim 4 on Debian 3 Install Notes In-Reply-To: <843C3BF8-227F-11D7-948E-000393D6F5B0@lemon-computing.com> References: Message-ID: > >Eeeek! > >It's generally a really bad idea to install Perl modules from CPAN on a >Debian system. 
>If there is no package containing the CPAN module you need, then there >is a helper >somewhere (sorry, I can't remember what it's called) which will create >a Debian package >from a CPAN module with very little if any manual intervention. > >Anyway, you should find Debian has packages of all the modules relevant >to MailScanner. > Nick Thanks for that tip. It never occurred to me that straight CPAN modules might not work, and to date, I have not had any problems using this method. However, I will re-work this part to call in lots of Debian packages. Looks like there might be 30 or more packages. > >> Exim and Debian aspects of /etc/MailScanner/MailScanner.conf >> >> # User to run as (provided for Exim users) >> Run As User = mail >> >> # Group to run as (provided for Exim users) >> Run As Group = adm >> > >Why run as group adm? What's wrong with mail? > I'm trying to model existing Debian packages, and I think that's how it's done in the Debian 3 Exim 3.36 series. > > >So, after all that, what was the problem again? > Thanks for the multitude of tips. I will rework things and try again. I have things screwed up with regard to file permissions, and get this error message. Jan 6 18:26:15 wire MailScanner[5638]: Commercial virus checker failed with real error: Can't run commercial checker sophos ("/etc/MailScanner/wrapper/sophos-wrapper"): Permission denied at /usr/local/MailScanner/lib/MailScanner/SweepViruses.pm line 454. It could be the mail.adm ownership, or a few other areas like that. I'll see if it still happens after I re-work it. Also, is there a Debian way for the SpamAssassin package? The Woody package is SA 2.20.
Thanks again mark From nwp at LEMON-COMPUTING.COM Wed Jan 8 04:04:01 2003 From: nwp at LEMON-COMPUTING.COM (Nick Phillips) Date: Thu Jan 12 21:16:53 2006 Subject: MS 4, Exim 4 on Debian 3 Install Notes In-Reply-To: Message-ID: <3838AA90-22BE-11D7-948E-000393D6F5B0@lemon-computing.com> On Wednesday, January 8, 2003, at 03:17 pm, mark david mcCreary wrote: >> Anyway, you should find Debian has packages of all the modules >> relevant >> to MailScanner. > Thanks for that tip. It never occurred to me that straight CPAN modules > might not work, and to date, I have not had any problems using this > method. They'll work, so long as they don't get confused. But when it comes to managing updates, you'll be asking for trouble. > However, I will re-work this part to call in lots of Debian packages. > Looks like there might be 30 or more packages. I don't recall that many, but it's likely quite a few. >> Why run as group adm? What's wrong with mail? > I'm trying to model existing Debian packages, and I think that's how > it's > done in the Debian 3 Exim 3.36 series. Is it? I've never noticed if it is... >> So, after all that, what was the problem again? > I have things screwed up with regard to file permissions, and get this > error message. > I'll see if it still happens after I re-work it. OK... Cheers, Nick From jase at SENSIS.COM Wed Jan 8 04:39:14 2003 From: jase at SENSIS.COM (Desai, Jason) Date: Thu Jan 12 21:16:53 2006 Subject: Exim and MS 4.11-1 Message-ID: I've been able to get MailScanner to run without crashing if I comment out line 955 of Exim.pm # $Qfile .= BTreeString($metadata->{nonrcpts}); But it looks like the header file that gets created is not valid. Exim complains with delivering message 18W7ra-0000UY-00 (queue run pid 1985 fd 5) Format error in spool file 18W7ra-0000UY-00-H LOG: 0 MAIN Format error in spool file 18W7ra-0000UY-00-H: size=2351 I don't know if this information helps at all. I'm calling it a night for now.
If anyone has any ideas please let me know. Thanks! Jason Desai > -----Original Message----- > From: Nick Phillips [mailto:nwp@LEMON-COMPUTING.COM] > Sent: Tuesday, January 07, 2003 7:26 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: [MAILSCANNER] Exim and MS 4.11-1 > > > On Wednesday, January 8, 2003, at 10:56 am, Desai, Jason wrote: > > > # /usr/local/MailScanner/bin/MailScanner > > /usr/local/MailScanner/etc/MailScanner.conf > > In Debugging mode, not forking... > > Not an ARRAY reference at > > /usr/local/MailScanner/lib/MailScanner/Exim.pm > > line 1082. > > Stopping now as you are debugging me. > > # Not an ARRAY reference at > > /usr/local/MailScanner/lib/MailScanner/Exim.pm > > line 1082. > > > > After this run, the -D file from one of my messages in the in queue > > has been > > moved to the out queue, and the -H file is nowhere to be found. > > Odd. It may be something particular about the files you're trying to > process that's > tickling a bug; does it happen no matter what is in the queue when you > start it up, or > does it only happen for particular messages? > > > Cheers, > > > Nick > From nwp at LEMON-COMPUTING.COM Wed Jan 8 05:43:55 2003 From: nwp at LEMON-COMPUTING.COM (Nick Phillips) Date: Thu Jan 12 21:16:53 2006 Subject: Exim and MS 4.11-1 In-Reply-To: References: Message-ID: <20030108054355.GB1323@hoiho.nz.lemon-computing.com> On Tue, Jan 07, 2003 at 11:39:14PM -0500, Desai, Jason wrote: > I've been able to get MailScanner to run without crashing if I comment out > line 955 of Exim.pm > > # $Qfile .= BTreeString($metadata->{nonrcpts}); OK, thought it might be something to do with that (a largish chunk of code that had appeared to work first time)... > But it looks like the header file that gets created is not valid. It wouldn't be... > I don't know if this information helps at all. I'm calling it a night for > now. If anyone has any ideas please let me know. Thanks! It has; thanks. I'll have a look at it now. 
It would probably still be helpful if you could send me over a -D and -H file pair that will cause this. Cheers, Nick -- Nick Phillips -- nwp@lemon-computing.com You are not dead yet. But watch for further reports. From support at INVICTANET.CO.UK Wed Jan 8 07:59:40 2003 From: support at INVICTANET.CO.UK (InvictaNet Customer Support) Date: Thu Jan 12 21:16:53 2006 Subject: MS 4, Exim 4 on Debian 3 Install Notes In-Reply-To: Message-ID: Debian won't use CPAN modules? Why not call it Microsoft Linux then everyone would know it's non standards based. Martyn Routley ----------------------------------------------------------------- InvictaNet - The Internet in Plain English, Guaranteed http://www.invictanet.co.uk martyn@support.invictanet.co.uk phone: 08707 440180 fax: 08707 440181 Ask us about our online Antivirus and Junk mail scanning service ----------------------------------------------------------------- -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of mark david mcCreary Sent: 08 January 2003 02:17 To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: MS 4, Exim 4 on Debian 3 Install Notes > >Eeeek! > >It's generally a really bad idea to install Perl modules from CPAN on a >Debian system. >If there is no package containing the CPAN module you need, then there >is a helper >somewhere (sorry, I can't remember what it's called) which will create >a Debian package >from a CPAN module with very little if any manual intervention. > >Anyway, you should find Debian has packages of all the modules relevant >to MailScanner. > Nick Thanks for that tip. It never occurred to me that straight CPAN modules might not work, and to date, I have not had any problems using this method. However, I will re-work this part to call in lots of Debian packages. Looks like there might be 30 or more packages.
> >> Exim and Debian aspects of /etc/MailScanner/MailScanner.conf >> >> # User to run as (provided for Exim users) >> Run As User = mail >> >> # Group to run as (provided for Exim users) >> Run As Group = adm >> > >Why run as group adm? What's wrong with mail? > I'm trying to model existing Debian packages, and I think that's how it's done in the Debian 3 Exim 3.36 series. > > >So, after all that, what was the problem again? > Thanks for the multitude of tips. I will rework things and try again. I have things screwed up with regard to file permissions, and get this error message. Jan 6 18:26:15 wire MailScanner[5638]: Commercial virus checker failed with real error: Can't run commercial checker sophos ("/etc/MailScanner/wrapper/sophos-wrapper"): Permission denied at /usr/local/MailScanner/lib/MailScanner/SweepViruses.pm line 454. It could be the mail.adm ownership, or a few other areas like that. I'll see if it still happens after I re-work it. Also, is there a Debian way for the SpamAssassin package? The Woody package is SA 2.20. Thanks again mark ---------------------------------------------- This message has been scanned for viruses and dangerous content by the http://www.anti84787.com MailScanner, and is believed to be clean. From Kevin.Spicer at BMRB.CO.UK Wed Jan 8 08:18:13 2003 From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin) Date: Thu Jan 12 21:16:53 2006 Subject: FW: Centralized aliases Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0A32C07@pascal.priv.bmrb.co.uk> mailscanner@ > How are you managing users preferences for whitelists and > blacklists? > I have the same configuration as you but need to figure out > how to use > different preferences for each email account. To be honest I'm not, I haven't had any requests from users for this (partly because I haven't publicised the ability to do this).
We only intercept virus email (& blocked attachments) - for SPAM we only modify the subject & include the spamcheck header (we strip HTML on high score spams, to reduce the amount of pornographic spam) - spam doesn't seem to be a huge problem for us right now, I expect this will change as we increase the level of internet access within the company. For users who want special processing of 'SPAM' messages we have a document prepared which explains to them how to set up rules in Outlook. I suppose you could write a webmin/usermin module - this would probably not be too hard if your IT staff were updating the lists, but could be more tricky if you want to let users do it themselves (maybe set up winbind - from samba - to authenticate them against your domain?) From mailscanner at BARENDSE.TO Wed Jan 8 09:11:59 2003 From: mailscanner at BARENDSE.TO (Remco Barendse) Date: Thu Jan 12 21:16:53 2006 Subject: Whitelisting problem In-Reply-To: <5.2.0.9.2.20030107165515.05051d58@imap.ecs.soton.ac.uk> Message-ID: How does whitelisting on IP work? Do we need to use the same file and format as we do with domain names?? From: 194.109.9.99 yes On Tue, 7 Jan 2003, Julian Field wrote: > At 16:50 07/01/2003, you wrote: > > >IBM is a partner of ours so I have whitelisted ibm.com > > > >But now some spammer is forging both the envelope and header to look like > >it came from ibm.com > > > >The spammer appears to be creating random addresses ending in @ibm.com > > > >Is my only choice to remove ibm.com from the whitelist? > > If ibm.com only use a few outgoing mail servers, you could whitelist their > IP addresses instead. > -- > Julian Field > www.MailScanner.info > MailScanner thanks transtec Computers for their support > > -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
From nwp at LEMON-COMPUTING.COM Wed Jan 8 09:07:08 2003 From: nwp at LEMON-COMPUTING.COM (Nick Phillips) Date: Thu Jan 12 21:16:53 2006 Subject: Exim and MS 4.11-1 In-Reply-To: <20030108054355.GB1323@hoiho.nz.lemon-computing.com> References: <20030108054355.GB1323@hoiho.nz.lemon-computing.com> Message-ID: <20030108090708.GC1323@hoiho.nz.lemon-computing.com> On Wed, Jan 08, 2003 at 06:43:55PM +1300, Nick Phillips wrote: > > I don't know if this information helps at all. I'm calling it a night for > > now. If anyone has any ideas please let me know. Thanks! > > It has; thanks. I'll have a look at it now. It would probably still be helpful > if you could send me over a -D and -H file pair that will cause this. OK, I see what's happening. I think the problem will only appear when there are messages in mailscanner's incoming queue which have delivered recipients; if you can clear the queue of all partially-delivered messages, that should do the trick until and unless you create a message using the -bm and -t options with nonrecipients listed. In other words, in normal use, it ain't gonna happen. I'll test the fix now, too. Out of interest, what version of Perl are you using? Cheers, Nick -- Nick Phillips -- nwp@lemon-computing.com Be different: conform. From j.cormie at ABERTAY.AC.UK Wed Jan 8 09:27:54 2003 From: j.cormie at ABERTAY.AC.UK (Jason Cormie) Date: Thu Jan 12 21:16:53 2006 Subject: Exim Weirdness Message-ID: Just mailing to say that since I set up and ran the tidydb there have been no more errors :) -----Original Message----- From: Nick Phillips [mailto:nwp@LEMON-COMPUTING.COM] Sent: 07, January, 2003 10:53 To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Exim Weirdness On Tue, Jan 07, 2003 at 08:46:51AM -0000, Jason Cormie wrote: > Thanks Nick, > Somehow I lost that section of my own docs between pilot 1, pilot 2 > and > production :-( > > Will implement and see what happens.
> Just out of curiosity, what exactly does it do and what would have happened > without it? The problem is that Exim really isn't designed to not deliver anything. It's difficult to make the "incoming" Exim make no delivery attempts on any messages ever (pretty much impossible, in fact), and when it does make an attempt, it's difficult to get it to do nothing in a harmless way. The solution I've been recommending chooses to try to prevent delivery attempts by setting queue_only and not running cron jobs/queue runners with that configuration anyway. This should prevent delivery attempts being made for messages received by SMTP (as the queue_only setting should cause them to be just dumped into the queue), but some locally generated messages will still cause delivery attempts to be made (e.g. cron using the "-odi" option when it invokes what it thinks is sendmail). When delivery attempts are made for these (locally generated) messages, the director described in the docs should cause the messages to be deferred. The problem with this is that Exim counts a deferral as a failure as far as the retry database for the destination host is concerned. If one delivery attempt is made, then that causes an entry to be made in the retry database. This would be cleared if a successful delivery was ever made (but since we don't want any deliveries to be made, that won't happen). So, at that point the clock starts ticking. After your maximum configured retry time has passed, Exim may bounce new messages for that host without even making a delivery attempt (this depends a little on configuration). So, to sort it out, we just clear the retry database well within the maximum retry timeout. The maximum timeout is then never reached and Exim never gets to do its extra clever special efficient tricks. 
I'm a little worried to see so many addresses listed in your original mail (I wouldn't usually expect that many deliveries to be attempted), so would like to know what turns out to be the reason. Cheers, Nick -- Nick Phillips -- nwp@lemon-computing.com If you sow your wild oats, hope for a crop failure. From nwp at LEMON-COMPUTING.COM Wed Jan 8 09:27:07 2003 From: nwp at LEMON-COMPUTING.COM (Nick Phillips) Date: Thu Jan 12 21:16:53 2006 Subject: MS 4, Exim 4 on Debian 3 Install Notes In-Reply-To: References: Message-ID: <20030108092707.GE1323@hoiho.nz.lemon-computing.com> On Wed, Jan 08, 2003 at 07:59:40AM -0000, InvictaNet Customer Support wrote: > Debian won't use CPAN modules? Of course you *can* use modules direct from CPAN on a Debian system, just like you *can* choose to build sendmail from source on a Debian system (or any other linux system). It's just that in most cases you'd be mad to do that rather than using the packages that are available. > Why not call it Microsoft Linux then everyone would know it's non standards > based. Oh *do* behave... Debian generally takes standards compliance *at least* as seriously as any other Linux distribution out there. -- Nick Phillips -- nwp@lemon-computing.com Try to relax and enjoy the crisis. From nwp at LEMON-COMPUTING.COM Wed Jan 8 09:35:07 2003 From: nwp at LEMON-COMPUTING.COM (Nick Phillips) Date: Thu Jan 12 21:16:53 2006 Subject: Exim and MS 4.11-1 In-Reply-To: <20030108090708.GC1323@hoiho.nz.lemon-computing.com> References: <20030108054355.GB1323@hoiho.nz.lemon-computing.com> <20030108090708.GC1323@hoiho.nz.lemon-computing.com> Message-ID: <20030108093507.GF1323@hoiho.nz.lemon-computing.com> On Wed, Jan 08, 2003 at 10:07:08PM +1300, Nick Phillips wrote: > I'll test the fix now, too. 
Fix follows (will be in next release): Index: mailscanner/bin/MailScanner/Exim.pm =================================================================== RCS file: /var/cvs/mailscanner/mailscanner/bin/MailScanner/Exim.pm,v retrieving revision 1.21 retrieving revision 1.22 diff -r1.21 -r1.22 5c5 < # $Id: Exim.pm,v 1.21 2002/12/20 15:33:00 jkf Exp $ --- > # $Id: Exim.pm,v 1.22 2003/01/08 09:31:22 nwp Exp $ 44c44 < $VERSION = substr q$Revision: 1.21 $, 10; --- > $VERSION = substr q$Revision: 1.22 $, 10; 1082,1083c1082,1083 < $string .= (@{$treeref->{left}}?"Y":"N"); < $string .= (@{$treeref->{right}}?"Y":"N"); --- > $string .= (exists $treeref->{left}{data}?"Y":"N"); > $string .= (exists $treeref->{right}{data}?"Y":"N"); Cheers, Nick -- Nick Phillips -- nwp@lemon-computing.com Beware of a tall blond man with one black shoe. From a.phillips at DNMI.NO Wed Jan 8 09:42:31 2003 From: a.phillips at DNMI.NO (Adrian Phillips) Date: Thu Jan 12 21:16:53 2006 Subject: MS 4, Exim 4 on Debian 3 Install Notes In-Reply-To: References: Message-ID: <878yxw7zaw.fsf@freeze.oslo.dnmi.no> >>>>> "Mark" == mark david mcCreary writes: >> Eeeek! >> >> It's generally a really bad idea to install Perl modules from >> CPAN on a Debian system. If there is no package containing the >> CPAN module you need, then there is a helper somewhere (sorry, >> I can't remember what it's called) which will create a Debian >> package from a CPAN module with very little if any manual >> intervention. Its called dh-make-perl and yes CPAN modules do work nicely on Debian and other Linux systems BUT be careful. If you later install a Debian (or other Linux dist.) package after installing a CPAN module in /usr/local then the system will continue to use the old CPAN module Sincerely, Adrian Phillips -- Your mouse has moved. Windows NT must be restarted for the change to take effect. Reboot now? 
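Review bot: in the 1082,1083 hunk of Nick Phillips's Exim.pm 1.21 to 1.22 diff above, the new test `exists $treeref->{left}{data}` (and the same for `right`) autovivifies `$treeref->{left}` as an empty hash whenever that child is absent or undef, so building the "Y"/"N" flags modifies the tree being serialised. That is only harmless if every later walk of the tree also tests `{data}` rather than the child itself; guarding with `ref $treeref->{left} eq 'HASH' && exists $treeref->{left}{data}` avoids the side effect and also copes with a child that is not a hash ref. The removed `@{$treeref->{left}}` dereference is what produced "Not an ARRAY reference at ... Exim.pm line 1082" earlier in this thread, so a one-line comment on these two lines stating that children are hash refs keyed by `data` would help keep the array form from being reintroduced.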
[OK] From David.While at UCE.AC.UK Wed Jan 8 10:06:42 2003 From: David.While at UCE.AC.UK (David While) Date: Thu Jan 12 21:16:53 2006 Subject: spamassassin timeout Message-ID: I seem to recall a discussion on this in the past where MS was not giving SA enough time - having searched the archives I think the relevant post is: http://www.jiscmail.ac.uk/cgi-bin/wa.exe?A2=ind0210&L=mailscanner&P=R73136&I=-3&m=3466 The main issue is that MS gives SA 30 seconds before timing out. Unfortunately SA gives DNSBL lookups 30 seconds before it gives up so MS kills SA before its timed out and returned. My solution which seems to work was to increase the MS timeout of SA to 40. The post above gives a fuller solution which reduces the timeout that SA uses on the RBLs. ----------------------------------------------------------------- David While Technical Development Manager Faculty of Computing, Information & English University of Central England Tel: 0121 331 6211 From mailscanner at BARENDSE.TO Wed Jan 8 10:24:30 2003 From: mailscanner at BARENDSE.TO (Remco Barendse) Date: Thu Jan 12 21:16:53 2006 Subject: Spam blacklist? Message-ID: I have a rule list that will mark certain messages as spam even though there is no other reason to mark them as spam. This is working perfectly. I have noticed however that MailScanner will treat messages that are marked by a blacklist rule as low scoring spam? Would it be possible to change this to high scoring spam? After all you want to blacklist them. I allow low scoring spam messages to go through but high scoring stuff is forwarded to an alternate address. I would like to do the same for the blacklisted stuff. :) Remco -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
From butler at GLOBESERVER.COM Wed Jan 8 13:04:25 2003 From: butler at GLOBESERVER.COM (Philip Butler) Date: Thu Jan 12 21:16:53 2006 Subject: Upgrade from 4.10-1 to 4.11-1... Message-ID: Hi all, I upgraded from 4.10-1 to 4.11-1 yesterday and ran into a problem that others may have seen also. First off, the bin/mailscanner file seems to have been renamed to bin/MailScanner. This was easy to fix since I had my own check_mailscanner script that kicks things off with my own paths. Secondly, I had to modify the bin/MailScanner file (first line only) to have: -I/usr/local/mailscanner/lib instead of -I/opt/MailScanner/lib I install Mail Scanner in the /usr/local/mailscanner directory instead of the /opt/MailScanner path. QUESTION: Is there a way that MailScanner can be started with a custom -I directive without modifying Julian's distribution ?? I tried adding the -I... to the check_mailscanner script but that didn't seem to work. It's not a big deal to make this change, however, it makes for one more thing to do when Julian updates. I like seeing the frequent updates and just want to make it easier to get them going. Thanks, Phil Butler From jase at SENSIS.COM Wed Jan 8 14:25:58 2003 From: jase at SENSIS.COM (Desai, Jason) Date: Thu Jan 12 21:16:53 2006 Subject: Exim and MS 4.11-1 Message-ID: I did see directories in mailscanner's incoming queue while doing these tests. But I did clear it out and still saw the problem. I also cleared out Exim's incoming queue, and dropped a test message in there, and still saw the problem. Although a message did make it through once or twice, most of the time mailscanner crashed. Could this have anything to do with the fact that I am using fetchmail to retrieve mail, which delivers it to exim? I am using perl 5.6.1 (Debian Woody). Thanks! 
Jason Desai > -----Original Message----- > From: Nick Phillips [mailto:nwp@LEMON-COMPUTING.COM] > Sent: Wednesday, January 08, 2003 4:07 AM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: [MAILSCANNER] Exim and MS 4.11-1 > > > On Wed, Jan 08, 2003 at 06:43:55PM +1300, Nick Phillips wrote: > > > > I don't know if this information helps at all. I'm > calling it a night for > > > now. If anyone has any ideas please let me know. Thanks! > > > > It has; thanks. I'll have a look at it now. It would > probably still be helpful > > if you could send me over a -D and -H file pair that will > cause this. > > > OK, I see what's happening. > > I think the problem will only appear when there are messages > in mailscanner's > incoming queue which have delivered recipients; if you can clear the > queue of all partially-delivered messages, that should do the > trick until > and unless you create a message using the -bm and -t options > with nonrecipients > listed. In other words, in normal use, it ain't gonna happen. > > I'll test the fix now, too. > > Out of interest, what version of Perl are you using? > > > Cheers, > > > Nick > > -- > Nick Phillips -- nwp@lemon-computing.com > Be different: conform. > From mailscanner at BARENDSE.TO Wed Jan 8 14:42:52 2003 From: mailscanner at BARENDSE.TO (Remco Barendse) Date: Thu Jan 12 21:16:53 2006 Subject: Archiving e-mail ruleset Message-ID: I'm a bit lost here, I want to archive e-mail that certain users send so I created a ruleset. Now I'm not sure what the below means, where do I put the ruleset and where do I put the directory to archive mail? Is this the comma separated list or did I overlook something? # Space-separated list of email address and directory names where you want # a copy of all mail to be forwarded or stored. # # If you give this option a ruleset, you can control exactly whose mail # is archived or forwarded. 
If you do this, beware of the legal implications # as this could be deemed to be illegal interception unless the police have # asked you to do this. Archive Mail = /var/spool/MailScanner/archive -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From lbergman at wtxs.net Wed Jan 8 14:49:47 2003 From: lbergman at wtxs.net (Lewis Bergman) Date: Thu Jan 12 21:16:53 2006 Subject: Spam blacklist? In-Reply-To: References: Message-ID: <200301080849.47027.lbergman@wtxs.net> On Wednesday 08 January 2003 04:24 am, Remco Barendse wrote: > I have a rule list that will mark certain messages as spam even though > there is no other reason to mark them as spam. This is working perfectly. > > I have noticed however that MailScanner will treat messages that are > marked by a blacklist rule as low scoring spam? > > Would it be possible to change this to high scoring spam? After all you > want to blacklist them. I allow low scoring spam messages to go through > but high scoring stuff is forwarded to an alternate address. I would like > to do the same for the blacklisted stuff. Why not use SA to do the RBL checks and then assign them a score which will force them into the high score category using the spam.assassin.prefs.conf file? -- Lewis Bergman Texas Communications 4309 Maple St. Abilene, TX 79602-8044 915-695-6962 ext 115 From lbergman at wtxs.net Wed Jan 8 14:52:31 2003 From: lbergman at wtxs.net (Lewis Bergman) Date: Thu Jan 12 21:16:53 2006 Subject: Upgrade from 4.10-1 to 4.11-1... In-Reply-To: References: Message-ID: <200301080852.31877.lbergman@wtxs.net> On Wednesday 08 January 2003 07:04 am, Philip Butler wrote: > Hi all, > > I upgraded from 4.10-1 to 4.11-1 yesterday and ran into a problem that > others may have seen also. > > First off, the bin/mailscanner file seems to have been renamed to > bin/MailScanner. 
This was easy to fix since I had my own > check_mailscanner script that kicks things off with my own paths. > > Secondly, I had to modify the bin/MailScanner file (first line only) to > have: > > -I/usr/local/mailscanner/lib > > instead of > > -I/opt/MailScanner/lib > > I install Mail Scanner in the /usr/local/mailscanner directory instead > of the /opt/MailScanner path. > > QUESTION: Is there a way that MailScanner can be started with a custom > -I directive without modifying Julian's distribution ?? I tried adding > the -I... to the check_mailscanner script but that didn't seem to work. > > It's not a big deal to make this change, however, it makes for one more > thing to do when Julian updates. I like seeing the frequent updates > and just want to make it easier to get them going. What is wrong with the location and naming of Julian's stuff? Why not use it as it is designed rather than asking him to change it to fit your file layout? I can understand a feature request but file location is a pretty arbitrary thing. -- Lewis Bergman Texas Communications 4309 Maple St. Abilene, TX 79602-8044 915-695-6962 ext 115 From jase at SENSIS.COM Wed Jan 8 14:50:47 2003 From: jase at SENSIS.COM (Desai, Jason) Date: Thu Jan 12 21:16:53 2006 Subject: Exim and MS 4.11-1 Message-ID: This patch seems to fix the problem. Thank you very much! > -----Original Message----- > From: Nick Phillips [mailto:nwp@LEMON-COMPUTING.COM] > Sent: Wednesday, January 08, 2003 4:35 AM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: [MAILSCANNER] Exim and MS 4.11-1 > > > On Wed, Jan 08, 2003 at 10:07:08PM +1300, Nick Phillips wrote: > > > I'll test the fix now, too. 
> > Fix follows (will be in next release): > > Index: mailscanner/bin/MailScanner/Exim.pm > =================================================================== > RCS file: /var/cvs/mailscanner/mailscanner/bin/MailScanner/Exim.pm,v > retrieving revision 1.21 > retrieving revision 1.22 > diff -r1.21 -r1.22 > 5c5 > < # $Id: Exim.pm,v 1.21 2002/12/20 15:33:00 jkf Exp $ > --- > > # $Id: Exim.pm,v 1.22 2003/01/08 09:31:22 nwp Exp $ > 44c44 > < $VERSION = substr q$Revision: 1.21 $, 10; > --- > > $VERSION = substr q$Revision: 1.22 $, 10; > 1082,1083c1082,1083 > < $string .= (@{$treeref->{left}}?"Y":"N"); > < $string .= (@{$treeref->{right}}?"Y":"N"); > --- > > $string .= (exists $treeref->{left}{data}?"Y":"N"); > > $string .= (exists $treeref->{right}{data}?"Y":"N"); > > > > Cheers, > > > Nick > -- > Nick Phillips -- nwp@lemon-computing.com > Beware of a tall blond man with one black shoe. > From andrewh at CQG.COM Wed Jan 8 16:01:50 2003 From: andrewh at CQG.COM (Andrew M. Hoying) Date: Thu Jan 12 21:16:53 2006 Subject: OT: Dynamically updating /etc/mail/access Message-ID: <8A6DFB0865502242A29E25BDAEFBB9451ABE87@d2sexchtest.cqg.com> I implemented this and a few other things in a script and now we are blocking 80% of incoming spam without having to bother MailScanner or SpamAssassin with processing it. Spam Caught / Total Incoming E-mail: 444 / 3103 High Scoring Spam:177 Spam blocked by sendmail:1748 > -----Original Message----- > From: Ben C. O. Grimm [mailto:mailscanner-sub@WIREHUB.NET] > Sent: Tuesday, January 07, 2003 4:03 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: OT: Dynamically updating /etc/mail/access > > > On 7 Jan 2003 00:50:03 +0100, Stewart Lawler > > wrote: > > > this looks like a great solution - but what is the > performance impact? > > The relay machine i'm running mailscanner on at the moment > is rather old > > and might not cope with being given much more to do. 
:-)
>
> The only performance impact will be hashing the database when
> using the
> full list. Shouldn't be too much work though. You don't have
> to worry about
> the size of the resulting db; hash lookups are blazingly fast. Our
> access.db is >20 MB in size (we put a lot of extra
> information in it), and
> it gets called at least 2 times per second. I sleep well.
>
> --
> - Ben C. O. Grimm ----------------- Ben.Grimm@wirehub.net -
> - Wirehub! Internet Engineering - http://www.wirehub.net/ -
> - Private Ponderings ----------- http://www.bengrimm.net/ -
> - Wirehub! Internet ----------- part of easynet Group plc -
>

From thomas_duvally at BROWN.EDU Wed Jan 8 16:11:35 2003
From: thomas_duvally at BROWN.EDU (Thomas DuVally)
Date: Thu Jan 12 21:16:53 2006
Subject: Upgrade from 4.10-1 to 4.11-1...
In-Reply-To: <200301080852.31877.lbergman@wtxs.net>
References: <200301080852.31877.lbergman@wtxs.net>
Message-ID: <1042042294.4610.10.camel@croithine>

On Wed, 2003-01-08 at 09:52, Lewis Bergman wrote:
> What is wrong with the location and naming of Julian's stuff?
> Why not use it as it is designed rather than asking him to change it to fit
> your file layout? I can understand a feature request but file location is a
> pretty arbitrary thing.

While Julian has done a great job of setting up the directory tree, every site will have its own quirks. We use /usr/local as a mounted filesystem via NFS so we don't have to install stuff everywhere. I could put MS there, but it has problems with NFS and I wouldn't use NFS for ANYTHING critical. Also, we put MS on our SAN for the speed and for failover between two machines. For this we need them to have different paths than each other if we wanted to process any stuck mail from one system on the other.

For every reason you can think of to keep something standard, someone else can think up one for allowing the choice. I for one never had any problem changing the scripts. That's what's great about OSS, you can!
I always thought it was such a minor issue. I'm sure he has plenty of other things to work on. I'm sure someone out there could easily change it and submit a patch.

> --
> Lewis Bergman
> Texas Communications
> 4309 Maple St.
> Abilene, TX 79602-8044
> 915-695-6962 ext 115

--
Thomas J. DuVally
Lead Systems Prog.
CIS, Brown Univ.

From Declan.Grady at NUVOTEM.COM Wed Jan 8 16:58:55 2003
From: Declan.Grady at NUVOTEM.COM (Declan Grady)
Date: Thu Jan 12 21:16:53 2006
Subject: [OT] Laptop virus protection ?
Message-ID: <20030108165854.GB4993@nuvotem.com>

Hi,
Sorry for the Off Topic, but I can't think of a better place to ask this...

Being a happy mailscanner user, I was surprised to find the W32.Opaserv.Worm doing the rounds of the win98 lan machines until I tracked it down to one of the few laptops in use here.

I can only assume this laptop was used to dial an isp, and was infected while online, then when it physically got connected to the lan, it had bypassed all the security measures.

If this is the case, which is my only explanation, what do you folks use to avoid this situation happening ?

Is it as simple as individual anti-virus on each of the 5 laptops, and assume the user will keep it up to date ?

Thanks,
Declan

From Kevin.Spicer at BMRB.CO.UK Wed Jan 8 17:03:17 2003
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin)
Date: Thu Jan 12 21:16:53 2006
Subject: [OT] Laptop virus protection ?
Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0A32C10@pascal.priv.bmrb.co.uk>

We have virus protection on all machines which is updated automatically when connected to the network (Sophos). Simply scanning mail for viruses isn't enough to prevent them entering via other means... (web / floppy disks / CDR's etc.)

> -----Original Message-----
> From: Declan Grady [mailto:Declan.Grady@NUVOTEM.COM]
> Sent: 08 January 2003 16:59
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: [OT] Laptop virus protection ?
>
>
> Hi,
> Sorry for the Off Topic, but I can't think of a better place
> to ask this...
>
> Being a happy mailscanner user, I was surprised to find the
> W32.Opaserv.Worm
> doing the rounds of the win98 lan machines until I tracked it
> down to one of
> the few laptops in use here.
>
> I can only assume this laptop was used to dial an isp, and
> was infected while
> online, then when it physically got connected to the lan,
> it had bypassed all the security measures.
>
> If this is the case, which is my only explanation, what do
> you folks use to
> avoid this situation happening ?
>
> Is it as simple as individual anti-virus on each of the 5
> laptops, and
> assume the user will keep it up to date ?
>
> Thanks,
> Declan
>

From MHewryk at SYMCOR.COM Wed Jan 8 18:12:46 2003
From: MHewryk at SYMCOR.COM (Magda Hewryk)
Date: Thu Jan 12 21:16:53 2006
Subject: Attachments are not scanned
Message-ID:

Hi,

I'm trying to send the binary with the extension "exe" but for some reason MailScanner doesn't report it as a spam or an infected email. Nothing is put in the quarantine queue and I'm not getting any report....

My filename.rules.conf file is set up properly, it denies .exe and it is activated in MailScanner.conf.

What is wrong here?

Some configurations from my MailScanner.conf
=====================================
Virus Scanning = no
Filename Rules = /etc/MailScanner/filename.rules.conf
Quarantine Infections = yes
Deleted Bad Filename Message Report = /etc/MailScanner/reports/en/deleted.filename.message.txt
Stored Bad Filename Message Report = /etc/MailScanner/reports/en/stored.filename.message.txt

Some logs:
==========
# mail -v mhewryk < f-prot.exe

1.)
binary sent with .exe extension Jan 8 12:58:43 tonka MailScanner[11670]: New Batch: Forwarding 1 unscanned messages, 28449 bytes Jan 8 12:58:43 tonka MailScanner[11670]: Spam Checks: Starting Jan 8 12:58:43 tonka sendmail[11924]: h08Hwg39011924: to=mhewryk, ctladdr=root (0/0), delay=00:00:01, xdelay=00:00:01, mailer=relay, pri=30029, relay=localdomain.localhost. [127.0.0.1], dsn=2.0.0, stat=Sent (h08Hwg32011930 Message accepted for delivery) 2.) binary sent with .exe extension and SPAM subject line Jan 8 13:01:18 tonka MailScanner[11756]: New Batch: Forwarding 1 unscanned messages, 28488 bytes Jan 8 13:01:18 tonka MailScanner[11756]: Spam Checks: Starting Jan 8 13:01:58 tonka MailScanner[11756]: Message h08I1F32012337 from 127.0.0.1 (tonka.aberfoyle.com) is spam, SpamAssassin (score=5.6, required 5, BALANCE_FOR_LONG_20K, FREE_MONEY, NO_MX_FOR_FROM, SPAM_PHRASE_00_01, SUBJ_ALL_CAPS, SUBJ_FREE_CAP, SUB_FREE_OFFER, SUPERLONG_LINE, UPPERCASE_25_50) Jan 8 13:01:58 tonka MailScanner[11756]: Spam Checks: Found 1 spam messages Jan 8 13:01:58 tonka MailScanner[11756]: Spam Actions: message h08I1F32012337 actions are deliver Jan 8 13:01:58 tonka MailScanner[11756]: Unscanned: Delivered 1 messages Jan 8 13:01:59 tonka MailScanner[11756]: Virus and Content Scanning: Starting Jan 8 13:02:00 tonka sendmail[12502]: h08I1F32012337: to =, ctladdr= (0/0), delay=00:00:44, xdelay=00:00:00, mailer=local, pri=120367, dsn=2.0.0, stat=Sent Thanks, Magda Hewryk -------------------------------- Mid-Range Systems RSP: 905-273-1637 CELL: 416-948-4427 From mailscanner at ecs.soton.ac.uk Wed Jan 8 18:18:35 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:53 2006 Subject: MailScanner Online Store Message-ID: <5.2.0.9.2.20030108180249.06b0a890@imap.ecs.soton.ac.uk> I have just opened up an online store selling all sorts of MailScanner goodies. I am not making any huge profits or anything, it's there if you want it... 
Check it out at http://www.mailscanner.info/store -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From sevans at FOUNDATION.SDSU.EDU Wed Jan 8 19:13:53 2003 From: sevans at FOUNDATION.SDSU.EDU (Steve Evans) Date: Thu Jan 12 21:16:53 2006 Subject: MailScanner Online Store Message-ID: <6214C3F9233D764C9E7029396C355015682872@mail.foundation.sdsu.edu> What? No baby clothes? Steve Evans SDSU Foundation (619) 594-0653 -----Original Message----- From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] Sent: Wednesday, January 08, 2003 10:19 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: MailScanner Online Store I have just opened up an online store selling all sorts of MailScanner goodies. I am not making any huge profits or anything, it's there if you want it... Check it out at http://www.mailscanner.info/store -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From mbowman at UDCOM.COM Wed Jan 8 19:12:48 2003 From: mbowman at UDCOM.COM (Matthew Bowman) Date: Thu Jan 12 21:16:53 2006 Subject: MailScanner Online Store In-Reply-To: <6214C3F9233D764C9E7029396C355015682872@mail.foundation.sdsu.edu> Message-ID: What? No Beer Mat? lol Matthew K Bowman Systems Administrator, UDCom Steve Evans cc: Sent by: Subject: Re: MailScanner Online Store MailScanner mailing list 01/08/2003 02:13 PM Please respond to MailScanner mailing list What? No baby clothes? Steve Evans SDSU Foundation (619) 594-0653 -----Original Message----- From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] Sent: Wednesday, January 08, 2003 10:19 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: MailScanner Online Store I have just opened up an online store selling all sorts of MailScanner goodies. I am not making any huge profits or anything, it's there if you want it... 
Check it out at http://www.mailscanner.info/store -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From chicks at CHICKS.NET Wed Jan 8 19:29:51 2003 From: chicks at CHICKS.NET (Christopher Hicks) Date: Thu Jan 12 21:16:53 2006 Subject: MailScanner Online Store In-Reply-To: <6214C3F9233D764C9E7029396C355015682872@mail.foundation.sdsu.edu> Message-ID: On Wed, 8 Jan 2003, Steve Evans wrote: > What? No baby clothes? MailScanner prevents babies from spamming or spreading viruses. What will Julian think of next? -- "The first rule of Perl club is you do not talk about Perl club." -- Chip Salzenberg From MHewryk at SYMCOR.COM Wed Jan 8 20:01:36 2003 From: MHewryk at SYMCOR.COM (Magda Hewryk) Date: Thu Jan 12 21:16:54 2006 Subject: Attachments are not scanned - no help from anybody? Message-ID: Magda Hewryk cc: Sent by: Subject: Attachments are not scanned MailScanner mailing list 01/08/2003 01:12 PM Please respond to MailScanner mailing list Hi, I'm trying to send the binary with the extension "exe" but for some reason MailScanner doesn't report it as a spam or an infected email. Nothing is put is the quarantine queue and I'm not getting any report.... My filename.rules.conf file is set up properly, it denies .exe and it is activated in MailScanner.conf. What is wrong here? Some configurations from my MailScanner.conf ===================================== Virus Scanning = no Filename Rules = /etc/MailScanner/filename.rules.conf Quarantine Infections = yes Deleted Bad Filename Message Report = /etc/MailScanner/reports/en/deleted.filename.message.txt Stored Bad Filename Message Report = /etc/MailScanner/reports/en/stored.filename.message.txt Some logs: ========== # mail -v mhewryk < f-prot.exe 1.) 
binary sent with .exe extension Jan 8 12:58:43 tonka MailScanner[11670]: New Batch: Forwarding 1 unscanned messages, 28449 bytes Jan 8 12:58:43 tonka MailScanner[11670]: Spam Checks: Starting Jan 8 12:58:43 tonka sendmail[11924]: h08Hwg39011924: to=mhewryk, ctladdr=root (0/0), delay=00:00:01, xdelay=00:00:01, mailer=relay, pri=30029, relay=localdomain.localhost. [127.0.0.1], dsn=2.0.0, stat=Sent (h08Hwg32011930 Message accepted for delivery) 2.) binary sent with .exe extension and SPAM subject line Jan 8 13:01:18 tonka MailScanner[11756]: New Batch: Forwarding 1 unscanned messages, 28488 bytes Jan 8 13:01:18 tonka MailScanner[11756]: Spam Checks: Starting Jan 8 13:01:58 tonka MailScanner[11756]: Message h08I1F32012337 from 127.0.0.1 (tonka.aberfoyle.com) is spam, SpamAssassin (score=5.6, required 5, BALANCE_FOR_LONG_20K, FREE_MONEY, NO_MX_FOR_FROM, SPAM_PHRASE_00_01, SUBJ_ALL_CAPS, SUBJ_FREE_CAP, SUB_FREE_OFFER, SUPERLONG_LINE, UPPERCASE_25_50) Jan 8 13:01:58 tonka MailScanner[11756]: Spam Checks: Found 1 spam messages Jan 8 13:01:58 tonka MailScanner[11756]: Spam Actions: message h08I1F32012337 actions are deliver Jan 8 13:01:58 tonka MailScanner[11756]: Unscanned: Delivered 1 messages Jan 8 13:01:59 tonka MailScanner[11756]: Virus and Content Scanning: Starting Jan 8 13:02:00 tonka sendmail[12502]: h08I1F32012337: to =, ctladdr= (0/0), delay=00:00:44, xdelay=00:00:00, mailer=local, pri=120367, dsn=2.0.0, stat=Sent Thanks, Magda Hewryk -------------------------------- Mid-Range Systems RSP: 905-273-1637 CELL: 416-948-4427 From Kevin.Spicer at BMRB.CO.UK Wed Jan 8 20:10:47 2003 From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin) Date: Thu Jan 12 21:16:54 2006 Subject: Attachments are not scanned - no help from anybody? 
Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0A32C11@pascal.priv.bmrb.co.uk>

> Some configurations from my MailScanner.conf
> =====================================
> Virus Scanning = no
> Filename Rules = /etc/MailScanner/filename.rules.conf
> Quarantine Infections = yes
> Deleted Bad Filename Message Report =
> /etc/MailScanner/reports/en/deleted.filename.message.txt
> Stored Bad Filename Message Report =
> /etc/MailScanner/reports/en/stored.filename.message.txt
>

Virus Scanning = no turns off all processing of the messages. I think you want

Virus Scanning = yes
Virus Scanners = none

[The config files suggest you can turn off virus scanning by Virus Scanners = sophos - but I suspect that's an error, maybe it's fixed in 4.11?]

From MHewryk at SYMCOR.COM Wed Jan 8 20:54:44 2003
From: MHewryk at SYMCOR.COM (Magda Hewryk)
Date: Thu Jan 12 21:16:54 2006
Subject: Attachments are not scanned - still is not rejecting denied extensions like .exe
Message-ID:

Hi,

I've changed config file for Scanning and Scanner's but still MailScanner doesn't flag the email as "wrong attachment"

Virus Scanning = yes
Virus Scanners = none

# mail -v mhewryk -s "report No. 5" < f-prot.exe

Jan 8 15:48:46 tonka MailScanner[6561]: New Batch: Scanning 1 messages, 28455 bytes
Jan 8 15:48:48 tonka MailScanner[6561]: Spam Checks: Starting
Jan 8 15:49:02 tonka MailScanner[6561]: RBL Check timed out and was killed, consecutive failure 1 of 7
Jan 8 15:51:07 tonka MailScanner[6561]: Virus and Content Scanning: Starting
Jan 8 15:51:07 tonka MailScanner[6561]: Uninfected: Delivered 1 messages

Thanks,

Magda Hewryk
--------------------------------
Mid-Range Systems
RSP: 905-273-1637
CELL: 416-948-4427

"Spicer, Kevin" cc: Sent by: Subject: Re: Attachments are not scanned - no help from MailScanner anybody?
mailing list 01/08/2003 03:10 PM Please respond to MailScanner mailing list > Some configurations from my MailScanner.conf > ===================================== > Virus Scanning = no > Filename Rules = /etc/MailScanner/filename.rules.conf > Quarantine Infections = yes > Deleted Bad Filename Message Report = > /etc/MailScanner/reports/en/deleted.filename.message.txt > Stored Bad Filename Message Report = > /etc/MailScanner/reports/en/stored.filename.message.txt > Virus Scanning = no turns off all processing of the messages. I think you want Virus Scanning = yes Virus Scanners = none [The config files suggest you can turn off virus scanning by Virus Scanners = sophos - but I suspect that's an error, maybe its fixed in 4.11?] From mbowman at UDCOM.COM Wed Jan 8 21:06:28 2003 From: mbowman at UDCOM.COM (Matthew Bowman) Date: Thu Jan 12 21:16:54 2006 Subject: Attachments are not scanned - still is not rejecting denied extensions like .exe In-Reply-To: Message-ID: Hello Magda The server that you are running mail -v on - does that run MailScanner? I ran a similiar command to yours on my server running MailScanner and it sent it through embedded into the e-mail not as an attachment. I then sent an e-mail from a domain thats filtered through MailScanner with an attachment .exe and it removed the file from the e-mail ok. Regards, Matthew K Bowman Systems Administrator; Hostmaster; Miva Administrator Universal Digital Communications, Mansfield Ohio. Magda Hewryk cc: Sent by: Subject: Re: Attachments are not scanned - still is not rejecting denied extensions like MailScanner .exe mailing list 01/08/2003 03:54 PM Please respond to MailScanner mailing list Hi, I've changed config file for Scanning and Scanner's but still MailScanner doesn't flag the email as "wrong attachment" Virus Scanning = yes Virus Scanners = none # mail -v mhewryk -s "report No. 
5" < f-prot.exe Jan 8 15:48:46 tonka MailScanner[6561]: New Batch: Scanning 1 messages, 28455 bytes Jan 8 15:48:48 tonka MailScanner[6561]: Spam Checks: Starting Jan 8 15:49:02 tonka MailScanner[6561]: RBL Check timed out and was killed, consecutive failure 1 of 7 Jan 8 15:51:07 tonka MailScanner[6561]: Virus and Content Scanning: Starting Jan 8 15:51:07 tonka MailScanner[6561]: Uninfected: Delivered 1 messages Thanks, Magda Hewryk -------------------------------- Mid-Range Systems RSP: 905-273-1637 CELL: 416-948-4427 "Spicer, Kevin" cc: Sent by: Subject: Re: Attachments are not scanned - no help from MailScanner anybody? mailing list 01/08/2003 03:10 PM Please respond to MailScanner mailing list > Some configurations from my MailScanner.conf > ===================================== > Virus Scanning = no > Filename Rules = /etc/MailScanner/filename.rules.conf > Quarantine Infections = yes > Deleted Bad Filename Message Report = > /etc/MailScanner/reports/en/deleted.filename.message.txt > Stored Bad Filename Message Report = > /etc/MailScanner/reports/en/stored.filename.message.txt > Virus Scanning = no turns off all processing of the messages. I think you want Virus Scanning = yes Virus Scanners = none [The config files suggest you can turn off virus scanning by Virus Scanners = sophos - but I suspect that's an error, maybe its fixed in 4.11?] From Kevin.Spicer at BMRB.CO.UK Wed Jan 8 21:13:22 2003 From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin) Date: Thu Jan 12 21:16:54 2006 Subject: Attachments are not scanned - still is not rejecting denied extensions like .exe Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0A4ACFB@pascal.priv.bmrb.co.uk> > # mail -v mhewryk -s "report No. 5" < f-prot.exe I don't know what you get on your system, but I would guess you get what I do - an email full of binary junk in the body. 
Since this puts the contents of the exe file in the body of the mail, not encoded as an attachment mailscanner will not block it - because no attachment is present for it to block.

I'm not sure how/if you can send non-text attachments using the mail command - you can with pine (which I use when I'm not at the console) or flip to a GUI and use just about any GUI mail client.

From MHewryk at SYMCOR.COM Wed Jan 8 21:18:06 2003
From: MHewryk at SYMCOR.COM (Magda Hewryk)
Date: Thu Jan 12 21:16:54 2006
Subject: Attachments are not scanned - still is not rejecting denied extensions like .exe
Message-ID:

It makes sense, this file is not an attachment.

Thank you!

Magda Hewryk
--------------------------------
Mid-Range Systems
RSP: 905-273-1637
CELL: 416-948-4427

"Spicer, Kevin" cc: Sent by: Subject: Re: Attachments are not scanned - still is not MailScanner rejecting denied extensions like .exe mailing list 01/08/2003 04:13 PM Please respond to MailScanner mailing list

> # mail -v mhewryk -s "report No. 5" < f-prot.exe

I don't know what you get on your system, but I would guess you get what I do - an email full of binary junk in the body. Since this puts the contents of the exe file in the body of the mail, not encoded as an attachment mailscanner will not block it - because no attachment is present for it to block.

I'm not sure how/if you can send non-text attachments using the mail command - you can with pine (which I use when I'm not at the console) or flip to a GUI and use just about any GUI mail client.

From dwinkler at ALGORITHMICS.COM Wed Jan 8 21:21:49 2003
From: dwinkler at ALGORITHMICS.COM (Derek Winkler)
Date: Thu Jan 12 21:16:54 2006
Subject: Attachments are not scanned - still is not rejecting denied extensions like .exe
Message-ID: <06EE2C86D3DAD5119A6C0060943F3C970402C0CE@tormail1.algorithmics.com>

What you're doing doesn't attach the .exe file, it makes the .exe file the contents of the email.
uuencode is a pretty easy way of attaching files from the command line.

uuencode whatever.exe < whatever.exe | mail -s "Whatever" whoever@wherever.com

-----Original Message-----
From: Matthew Bowman [mailto:mbowman@udcom.com]
Sent: Wednesday, January 08, 2003 4:06 PM
To: MAILSCANNER@jiscmail.ac.uk
Subject: Re: Attachments are not scanned - still is not rejecting denied extensions like .exe

Hello Magda

The server that you are running mail -v on - does that run MailScanner?

I ran a similar command to yours on my server running MailScanner and it sent it through embedded into the e-mail not as an attachment. I then sent an e-mail from a domain that's filtered through MailScanner with an attachment .exe and it removed the file from the e-mail ok.

Regards,

Matthew K Bowman
Systems Administrator; Hostmaster; Miva Administrator
Universal Digital Communications, Mansfield Ohio.

Magda Hewryk cc: Sent by: Subject: Re: Attachments are not scanned - still is not rejecting denied extensions like MailScanner .exe mailing list 01/08/2003 03:54 PM Please respond to MailScanner mailing list

Hi,

I've changed config file for Scanning and Scanner's but still MailScanner doesn't flag the email as "wrong attachment"

Virus Scanning = yes
Virus Scanners = none

# mail -v mhewryk -s "report No. 5" < f-prot.exe

Jan 8 15:48:46 tonka MailScanner[6561]: New Batch: Scanning 1 messages, 28455 bytes
Jan 8 15:48:48 tonka MailScanner[6561]: Spam Checks: Starting
Jan 8 15:49:02 tonka MailScanner[6561]: RBL Check timed out and was killed, consecutive failure 1 of 7
Jan 8 15:51:07 tonka MailScanner[6561]: Virus and Content Scanning: Starting
Jan 8 15:51:07 tonka MailScanner[6561]: Uninfected: Delivered 1 messages

Thanks,

Magda Hewryk
--------------------------------
Mid-Range Systems
RSP: 905-273-1637
CELL: 416-948-4427

"Spicer, Kevin" cc: Sent by: Subject: Re: Attachments are not scanned - no help from MailScanner anybody?
mailing list 01/08/2003 03:10 PM Please respond to MailScanner mailing list > Some configurations from my MailScanner.conf > ===================================== > Virus Scanning = no > Filename Rules = /etc/MailScanner/filename.rules.conf > Quarantine Infections = yes > Deleted Bad Filename Message Report = > /etc/MailScanner/reports/en/deleted.filename.message.txt > Stored Bad Filename Message Report = > /etc/MailScanner/reports/en/stored.filename.message.txt > Virus Scanning = no turns off all processing of the messages. I think you want Virus Scanning = yes Virus Scanners = none [The config files suggest you can turn off virus scanning by Virus Scanners = sophos - but I suspect that's an error, maybe its fixed in 4.11?] -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030108/f1ca05d5/attachment.html From mailscanner at BARENDSE.TO Wed Jan 8 21:24:17 2003 From: mailscanner at BARENDSE.TO (Remco Barendse) Date: Thu Jan 12 21:16:54 2006 Subject: Spam blacklist? In-Reply-To: <200301080849.47027.lbergman@wtxs.net> Message-ID: Indeed, that is one possible solution. But not all of my boxes run spamassassin, particularly RedHat 6.2 is very difficult to get SA properly installed. Lots of things to upgrade and 90% of the spam problem is from or to a limited set of e-mail adresses on my boxes. But one would think that a blacklisted mail adress would be processed according to high scoring rules, otherwise there isn't much use in blacklisting them :) On Wed, 8 Jan 2003, Lewis Bergman wrote: > On Wednesday 08 January 2003 04:24 am, Remco Barendse wrote: > > I have a rule list that will mark certain messages as spam even though > > there is no other reason to mark them as spam. This is working perfectly. > > > > I have noticed however that MailScanner will treat messages that are > > marked by a blacklist rule as low scoring spam? 
> > > > Would it be possible to change this to high scoring spam? After all you > > want to blacklist them. I allow low scoring spam messages to go through > > but high scoring stuff is forwarded to an alternate address. I would like > > to do the same for the blacklisted stuff. > Why not use SA to do the RBL checks and then assign them a score which will > force them into the high score category using the spam.assassin.prefs.conf > file? > -- > Lewis Bergman > Texas Communications > 4309 Maple St. > Abilene, TX 79602-8044 > 915-695-6962 ext 115 > > -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From dwinkler at ALGORITHMICS.COM Wed Jan 8 21:28:04 2003 From: dwinkler at ALGORITHMICS.COM (Derek Winkler) Date: Thu Jan 12 21:16:54 2006 Subject: MailScanner Online Store Message-ID: <06EE2C86D3DAD5119A6C0060943F3C970402C0CF@tormail1.algorithmics.com> I betcha Julian is wearing the boxers right now. -----Original Message----- From: Julian Field [mailto:mailscanner@ecs.soton.ac.uk] Sent: Wednesday, January 08, 2003 1:19 PM To: MAILSCANNER@jiscmail.ac.uk Subject: MailScanner Online Store I have just opened up an online store selling all sorts of MailScanner goodies. I am not making any huge profits or anything, it's there if you want it... Check it out at http://www.mailscanner.info/store -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030108/f7e1aa8b/attachment.html From MHewryk at SYMCOR.COM Wed Jan 8 21:31:08 2003 From: MHewryk at SYMCOR.COM (Magda Hewryk) Date: Thu Jan 12 21:16:54 2006 Subject: Attachments are not scanned - still is not rejecting denied extensions like .exe Message-ID: Thank you, I'll do the same! 
Magda Hewryk -------------------------------- Mid-Range Systems RSP: 905-273-1637 CELL: 416-948-4427 Matthew Bowman cc: Sent by: Subject: Re: Attachments are not scanned - still is not MailScanner rejecting denied extensions like .exe mailing list 01/08/2003 04:06 PM Please respond to MailScanner mailing list Hello Magda The server that you are running mail -v on - does that run MailScanner? I ran a similiar command to yours on my server running MailScanner and it sent it through embedded into the e-mail not as an attachment. I then sent an e-mail from a domain thats filtered through MailScanner with an attachment .exe and it removed the file from the e-mail ok. Regards, Matthew K Bowman Systems Administrator; Hostmaster; Miva Administrator Universal Digital Communications, Mansfield Ohio. Magda Hewryk cc: Sent by: Subject: Re: Attachments are not scanned - still is not rejecting denied extensions like MailScanner .exe mailing list 01/08/2003 03:54 PM Please respond to MailScanner mailing list Hi, I've changed config file for Scanning and Scanner's but still MailScanner doesn't flag the email as "wrong attachment" Virus Scanning = yes Virus Scanners = none # mail -v mhewryk -s "report No. 5" < f-prot.exe Jan 8 15:48:46 tonka MailScanner[6561]: New Batch: Scanning 1 messages, 28455 bytes Jan 8 15:48:48 tonka MailScanner[6561]: Spam Checks: Starting Jan 8 15:49:02 tonka MailScanner[6561]: RBL Check timed out and was killed, consecutive failure 1 of 7 Jan 8 15:51:07 tonka MailScanner[6561]: Virus and Content Scanning: Starting Jan 8 15:51:07 tonka MailScanner[6561]: Uninfected: Delivered 1 messages Thanks, Magda Hewryk -------------------------------- Mid-Range Systems RSP: 905-273-1637 CELL: 416-948-4427 "Spicer, Kevin" cc: Sent by: Subject: Re: Attachments are not scanned - no help from MailScanner anybody? 
mailing list 01/08/2003 03:10 PM Please respond to MailScanner mailing list > Some configurations from my MailScanner.conf > ===================================== > Virus Scanning = no > Filename Rules = /etc/MailScanner/filename.rules.conf > Quarantine Infections = yes > Deleted Bad Filename Message Report = > /etc/MailScanner/reports/en/deleted.filename.message.txt > Stored Bad Filename Message Report = > /etc/MailScanner/reports/en/stored.filename.message.txt > Virus Scanning = no turns off all processing of the messages. I think you want Virus Scanning = yes Virus Scanners = none [The config files suggest you can turn off virus scanning by Virus Scanners = sophos - but I suspect that's an error, maybe its fixed in 4.11?] From mbowman at UDCOM.COM Wed Jan 8 21:35:11 2003 From: mbowman at UDCOM.COM (Matthew Bowman) Date: Thu Jan 12 21:16:54 2006 Subject: clamav Message-ID: Hi Is anyone using clamav with their MailScanner installation - if so, how good is it? Is there any reason why I should not get it. I'm running:- Redhat 7.3 sendmail 8.11.6-3 MailScanner 4.10-1 SpamAssassin 2.43 Matthew K Bowman Systems Administrator; Hostmaster; Miva Administrator Universal Digital Communications, Mansfield Ohio. From jase at SENSIS.COM Wed Jan 8 21:51:13 2003 From: jase at SENSIS.COM (Desai, Jason) Date: Thu Jan 12 21:16:54 2006 Subject: Exim and MS 4.11-1 Message-ID: > -----Original Message----- > From: Nick Phillips [mailto:nwp@LEMON-COMPUTING.COM] > Sent: Wednesday, January 08, 2003 4:15 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: [MAILSCANNER] Exim and MS 4.11-1 > > > On Thursday, January 9, 2003, at 03:25 am, Desai, Jason wrote: > > > I did see directories in mailscanner's incoming queue while > doing these > > tests. But I did clear it out and still saw the problem. I also > > cleared > > out Exim's incoming queue, and dropped a test message in there, and > > still > > saw the problem. 
Although a message did make it through once or > > twice, most > > of the time mailscanner crashed. > > > > Could this have anything to do with the fact that I am > using fetchmail > > to > > retrieve mail, which delivers it to exim? > > > > OK, something else which I wasn't expecting also causes nonrecipients > to be set in > the queue file; use of the system-wide message filter on the incoming > Exim. > > I'm not yet sure of exactly when this happens (i.e. does it > only happen > when a delivery > attempt is made?), but will be looking into it. > > > The diff I posted before should fix the crashing problem, but there is > another potential > problem with the system message filter causing messages to bypass > mailscanner. > > I *hope* that Exim does not run the message through the filter until a > delivery attempt is > made, in which case the solution is to avoid injecting messages with > the "-odi" or equivalent options (note that some crons do this as, it > appears, may netsaint/nagios). > > If this bothers you, you can simply remove the "message > filter" setting > from your "incoming" exim config. > > > > Cheers, > > > Nick My system filter is very simple. It just logs the email for me into a directory with the current date. The filter is: ###### if not first_delivery then finish endif unseen save /var/log/mail-save/${substr_0_10:${tod_log}}/ ###### So is the save what is causing the nonrecipients? The filter is not delivering any other email, so I don't think this will be a problem. This was set up this way before MailScanner had the ability to archive email. Maybe I'll have MailScanner do it now. The Nagios test message I gave you was sent from another server to my pop account. Then I used fetchmail to retrieve it, which I think is supposed to talk to the smtp server using tcp port 25 not calling sendmail or exim directly. With your fix, MailScanner has been running fine. Thanks for your help! 
Jason Desai From daniel at ZAJD.COM Wed Jan 8 22:31:00 2003 From: daniel at ZAJD.COM (Daniel Zajd) Date: Thu Jan 12 21:16:54 2006 Subject: OT: Dynamically updating /etc/mail/access In-Reply-To: <8A6DFB0865502242A29E25BDAEFBB9451ABE87@d2sexchtest.cqg.com> Message-ID: Is it possible to get a copy of your script to have as a base? > I implemented this and a few other things in a script and now we are > blocking 80% of incoming spam without having to bother MailScanner or > SpamAssassin with processing it. > > Spam Caught / Total Incoming E-mail: > 444 / 3103 > High Scoring Spam:177 > Spam blocked by sendmail:1748 > >> -----Original Message----- >> From: Ben C. O. Grimm [mailto:mailscanner-sub@WIREHUB.NET] >> Sent: Tuesday, January 07, 2003 4:03 PM >> To: MAILSCANNER@JISCMAIL.AC.UK >> Subject: Re: OT: Dynamically updating /etc/mail/access >> >> >> On 7 Jan 2003 00:50:03 +0100, Stewart Lawler >> >> wrote: >> >>> this looks like a great solution - but what is the >> performance impact? >>> The relay machine i'm running mailscanner on at the moment >> is rather old >>> and might not cope with being given much more to do. :-) >> >> The only performance impact will be hashing the database when >> using the >> full list. Shouldn't be too much work though. You don't have >> to worry about >> the size of the resulting db; hash lookups are blazingly fast. Our >> access.db is >20 MB in size (we put a lot of extra >> information in it), and >> it gets called at least 2 times per second. I sleep well. >> >> -- >> - Ben C. O. Grimm ----------------- Ben.Grimm@wirehub.net - >> - Wirehub! Internet Engineering - http://www.wirehub.net/ - >> - Private Ponderings ----------- http://www.bengrimm.net/ - >> - Wirehub! 
Internet ----------- part of easynet Group plc - >> > > From gavin at NETERGY.COM Wed Jan 8 22:32:18 2003 From: gavin at NETERGY.COM (Gavin Nelmes-Crocker) Date: Thu Jan 12 21:16:54 2006 Subject: clamav In-Reply-To: Message-ID: > Is anyone using clamav with their MailScanner installation - if so, how > good is it? Is there any reason why I should not get it. > > I'm running:- > > Redhat 7.3 > sendmail 8.11.6-3 > MailScanner 4.10-1 > SpamAssassin 2.43 > No reason not to use it except for the caveat that it still has an unsupported status with MailScanner code but saying that its running very well on our live system along with Sophos and F-prot so far it hasn't missed anything that the others have found - it was a bit flaky a while ago when we were running a test suite but we joined the clamav mailing list and soon saw others having similar problems and the virus database got cleaned up. I have an rpm for it for a Cobalt box should work on plain Red Hat as well but no promises. Regards Gavin -- This message has been scanned for viruses and dangerous content by the Netergy Virus Spam Defence, and is believed to be clean. For details on having your email scanned email nvsd@netergy.com From mailscanner at BARENDSE.TO Wed Jan 8 22:32:53 2003 From: mailscanner at BARENDSE.TO (Remco Barendse) Date: Thu Jan 12 21:16:54 2006 Subject: Bug when using rulesets for sender error reports? Message-ID: I tried a rule file to localize the error report according to the senders domain. I put the name of the rule file in MailScanner.conf but it doesn't work. When an error needs to be sent there are errors appearing in the maillog complaining about the last line of this ruleset. 
From: *@*.de /etc/MailScanner/reports/de/sender.error.report.txt
From: *@*.dk /etc/MailScanner/reports/dk/sender.error.report.txt
From: *@*.uk /etc/MailScanner/reports/en/sender.error.report.txt
From: *@*.es /etc/MailScanner/reports/es/sender.error.report.txt
From: *@*.fr /etc/MailScanner/reports/fr/sender.error.report.txt
From: *@*.it /etc/MailScanner/reports/it/sender.error.report.txt
From: *@*.nl /etc/MailScanner/reports/nl/sender.error.report.txt
From: *@*.br /etc/MailScanner/reports/pt_br/sender.error.report.txt
From: *@*.ro /etc/MailScanner/reports/ro/sender.error.report.txt
From: *@*.sk /etc/MailScanner/reports/sk/sender.error.report.txt
FromTo: default

I tried using default and the name of the English file, but still the errors in the maillog appear and no report is being sent.

Could it be that there is no default value set here??

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From dwinkler at ALGORITHMICS.COM Wed Jan 8 22:36:37 2003
From: dwinkler at ALGORITHMICS.COM (Derek Winkler)
Date: Thu Jan 12 21:16:54 2006
Subject: Bug when using rulesets for sender error reports?
Message-ID: <06EE2C86D3DAD5119A6C0060943F3C970402C0D1@tormail1.algorithmics.com>

Your last line should be:

FromTo: default /etc/MailScanner/reports/en/sender.error.report.txt

or whatever report you want.

-----Original Message-----
From: Remco Barendse [mailto:mailscanner@barendse.to]
Sent: Wednesday, January 08, 2003 5:33 PM
To: MAILSCANNER@jiscmail.ac.uk
Subject: Bug when using rulesets for sender error reports?

I tried a rule file to localize the error report according to the sender's domain. I put the name of the rule file in MailScanner.conf but it doesn't work. When an error needs to be sent there are errors appearing in the maillog complaining about the last line of this ruleset.
From: *@*.de /etc/MailScanner/reports/de/sender.error.report.txt
From: *@*.dk /etc/MailScanner/reports/dk/sender.error.report.txt
From: *@*.uk /etc/MailScanner/reports/en/sender.error.report.txt
From: *@*.es /etc/MailScanner/reports/es/sender.error.report.txt
From: *@*.fr /etc/MailScanner/reports/fr/sender.error.report.txt
From: *@*.it /etc/MailScanner/reports/it/sender.error.report.txt
From: *@*.nl /etc/MailScanner/reports/nl/sender.error.report.txt
From: *@*.br /etc/MailScanner/reports/pt_br/sender.error.report.txt
From: *@*.ro /etc/MailScanner/reports/ro/sender.error.report.txt
From: *@*.sk /etc/MailScanner/reports/sk/sender.error.report.txt
FromTo: default

I tried using default and the name of the English file, but still the errors in the maillog appear and no report is being sent.

Could it be that there is no default value set here??

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030108/fdf9760e/attachment.html

From andrewh at CQG.COM Wed Jan 8 22:40:32 2003
From: andrewh at CQG.COM (Andrew M.
Hoying)
Date: Thu Jan 12 21:16:54 2006
Subject: OT: Dynamically updating /etc/mail/access
Message-ID: <8A6DFB0865502242A29E25BDAEFBB9451ABE93@d2sexchtest.cqg.com>

Here is what I'm using basically, I run this hourly:

#!/bin/bash

# Should probably use mktemp here
cd /tmp
rm -rf accessdb
mkdir accessdb
cd accessdb

# access.manual contains entries that are maintained locally
cp /etc/mail/access.manual /tmp/accessdb

# download the latest spamlist update
wget -q http://basic.wirehub.nl/spamlist-extended.txt

# combine into temp access file
cat /tmp/accessdb/spamlist-extended.txt /tmp/accessdb/access.manual > /tmp/accessdb/access.tmp

# Hash new access file and add duplicate lines to a sed script
/usr/bin/makemap hash access < access.tmp 2>&1 |awk '{print $4}'|sort -n -r|sed 's/:/d/g' > /tmp/accessdb/script.sed

# Run sed script to remove dups and remove the lines
# which are in spamlist that you don't want
cat /tmp/accessdb/access.tmp|sed -f /tmp/accessdb/script.sed| \
  grep -v -i zmail.ru > /tmp/accessdb/access

# Rerun hash, output errors
# (stdout is redirected first so that 2>&1 sends the error text to errors.txt as well)
/usr/bin/makemap hash access < access > /tmp/accessdb/errors.txt 2>&1

# Verify that there were no errors. If there are, mail them.
x=$?
if [ $x -ne 0 ]
then
  echo "Makemap of new access.db failed with an exit code of "$x". Errors are `/bin/cat /tmp/accessdb/errors.txt`"| \
    mail -s "Makemap failed on `/bin/hostname`" youremail@domain.com > /dev/null
  exit $x
# If there aren't update the master access.db
else
  cp /tmp/accessdb/access /etc/mail/access
  cp /tmp/accessdb/access.db /etc/mail/access.db
fi
exit 0

> -----Original Message-----
> From: Daniel Zajd [mailto:daniel@ZAJD.COM]
> Sent: Wednesday, January 08, 2003 3:31 PM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: OT: Dynamically updating /etc/mail/access
>
>
> Is it possible to get a copy of your script to have as a base?
> > > I implemented this and a few other things in a script and now we are > > blocking 80% of incoming spam without having to bother > MailScanner or > > SpamAssassin with processing it. > > > > Spam Caught / Total Incoming E-mail: > > 444 / 3103 > > High Scoring Spam:177 > > Spam blocked by sendmail:1748 > > > >> -----Original Message----- > >> From: Ben C. O. Grimm [mailto:mailscanner-sub@WIREHUB.NET] > >> Sent: Tuesday, January 07, 2003 4:03 PM > >> To: MAILSCANNER@JISCMAIL.AC.UK > >> Subject: Re: OT: Dynamically updating /etc/mail/access > >> > >> > >> On 7 Jan 2003 00:50:03 +0100, Stewart Lawler > >> > >> wrote: > >> > >>> this looks like a great solution - but what is the > >> performance impact? > >>> The relay machine i'm running mailscanner on at the moment > >> is rather old > >>> and might not cope with being given much more to do. :-) > >> > >> The only performance impact will be hashing the database when > >> using the > >> full list. Shouldn't be too much work though. You don't have > >> to worry about > >> the size of the resulting db; hash lookups are blazingly fast. Our > >> access.db is >20 MB in size (we put a lot of extra > >> information in it), and > >> it gets called at least 2 times per second. I sleep well. > >> > >> -- > >> - Ben C. O. Grimm ----------------- Ben.Grimm@wirehub.net - > >> - Wirehub! Internet Engineering - http://www.wirehub.net/ - > >> - Private Ponderings ----------- http://www.bengrimm.net/ - > >> - Wirehub! Internet ----------- part of easynet Group plc - > >> > > > > > From nerijus at USERS.SOURCEFORGE.NET Wed Jan 8 23:49:55 2003 From: nerijus at USERS.SOURCEFORGE.NET (Nerijus Baliunas) Date: Thu Jan 12 21:16:54 2006 Subject: OT: Dynamically updating /etc/mail/access In-Reply-To: <8A6DFB0865502242A29E25BDAEFBB9451ABE93@d2sexchtest.cqg.com> References: <8A6DFB0865502242A29E25BDAEFBB9451ABE93@d2sexchtest.cqg.com> Message-ID: <200301082353.h08NrF8F005429@mx.ktv.lt> On Wed, 8 Jan 2003 15:40:32 -0700 "Andrew M. 
Hoying" wrote: > Here is what I'm using basically, I run this hourly: > > #!/bin/bash > > # Should probably use mktemp here > cd /tmp > rm -rf accessdb > mkdir accessdb > cd accessdb > > # access.manual contains entries that are maintained locally > cp /etc/mail/access.manual /tmp/accessdb > > # download the latest spamlist update > wget -q http://basic.wirehub.nl/spamlist-extended.txt They ask to switch to rsync btw: ### 4. All files are now available using rsync; please switch to rsync whenever possible; see http://basic.wirehub.nl/spamstats.html. Regards, Nerijus From dlovelace at HOTELS.COM Wed Jan 8 20:31:43 2003 From: dlovelace at HOTELS.COM (Dale Lovelace) Date: Thu Jan 12 21:16:54 2006 Subject: MailScanner Online Store Message-ID: <95DD6F026D9C5C459E262B9C385C478E5981F4@h-file04.180096hotel.com> One request... Could we get a golf shirt with the logo only on the front? Thanks, Dale -----Original Message----- From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] Sent: Wed 1/8/2003 12:18 PM To: MAILSCANNER@JISCMAIL.AC.UK Cc: Subject: MailScanner Online Store I have just opened up an online store selling all sorts of MailScanner goodies. I am not making any huge profits or anything, it's there if you want it... Check it out at http://www.mailscanner.info/store -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Wed Jan 8 23:29:40 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:54 2006 Subject: Upgrade from 4.10-1 to 4.11-1... In-Reply-To: <1042042294.4610.10.camel@croithine> References: <200301080852.31877.lbergman@wtxs.net> <200301080852.31877.lbergman@wtxs.net> Message-ID: <5.2.0.9.2.20030108232838.02a4c788@imap.ecs.soton.ac.uk> Once the autoconf stuff works on lots of OS's, MailScanner will ship with that so you can use a "configure" script to apply all these path changes to everywhere they are needed. 
At 16:11 08/01/2003, you wrote: >On Wed, 2003-01-08 at 09:52, Lewis Bergman wrote: > > What is wrong with the location and naming of Julian's stuff? > > Why not use it as it is designed rather than asking him to change it to fit > > your file layout? I can understand a feature request but file location is a > > pretty arbitrary thing. > >While Julian has done a great job of setting up the directory tree, >every site will have it's own quirks. > >We use /usr/local as a mounted filesystem via NFS so we don't have to >install stuff everywhere. I could put MS there, but it has problems >with NFS and I wouldn't use NFS for ANYTHING critical. > >Also, we put MS on our SAN for the speed and for failover between two >machine. For this we need them to have different paths then each other >if we wanted to process any stuck mail from one system on the other. > >For every reason you can think of to keep something standard, someone >else can think up one for allowing the choice. > >I for one never had any problem changing the scripts. That's what's >great about OSS, you can! I always thought it was such a minor issue. >I'm sure he has plenty of other things to work on. I'm sure someone out >there could easily change it and submit a patch. > > > > -- > > Lewis Bergman > > Texas Communications > > 4309 Maple St. > > Abilene, TX 79602-8044 > > 915-695-6962 ext 115 >-- >Thomas J. DuVally >Lead Systems Prog. >CIS, Brown Univ. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Wed Jan 8 23:36:43 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:54 2006 Subject: Attachments are not scanned In-Reply-To: Message-ID: <5.2.0.9.2.20030108233550.02cd8c98@imap.ecs.soton.ac.uk> At 18:12 08/01/2003, you wrote: >Hi, > >I'm trying to send the binary with the extension "exe" but for some reason >MailScanner doesn't report it as a spam or an infected email. 
>Nothing is put in the quarantine queue and I'm not getting any report....
>
>My filename.rules.conf file is set up properly, it denies .exe and it is
>activated in MailScanner.conf.
>What is wrong here?
>
>Some configurations from my MailScanner.conf
>=====================================
>Virus Scanning = no

Due to nasty historical reasons, "Virus Scanning = no" switches off the virus scanning *and* the attachment filename checking. Sorry about that.
What you need is
Virus Scanning = yes
Virus Scanners = none

>Filename Rules = /etc/MailScanner/filename.rules.conf
>Quarantine Infections = yes
>Deleted Bad Filename Message Report =
>/etc/MailScanner/reports/en/deleted.filename.message.txt
>Stored Bad Filename Message Report =
>/etc/MailScanner/reports/en/stored.filename.message.txt
>
>Some logs:
>==========
>
># mail -v mhewryk < f-prot.exe
>
>1.) binary sent with .exe extension
>Jan 8 12:58:43 tonka MailScanner[11670]: New Batch: Forwarding 1 unscanned
>messages, 28449 bytes
>Jan 8 12:58:43 tonka MailScanner[11670]: Spam Checks: Starting
>Jan 8 12:58:43 tonka sendmail[11924]: h08Hwg39011924: to=mhewryk,
>ctladdr=root (0/0), delay=00:00:01, xdelay=00:00:01, mailer=relay,
>pri=30029, relay=localdomain.localhost. [127.0.0.1], dsn=2.0.0, stat=Sent
>(h08Hwg32011930 Message accepted for delivery)
>
>2.)
binary sent with .exe extension and SPAM subject line >Jan 8 13:01:18 tonka MailScanner[11756]: New Batch: Forwarding 1 unscanned >messages, 28488 bytes >Jan 8 13:01:18 tonka MailScanner[11756]: Spam Checks: Starting >Jan 8 13:01:58 tonka MailScanner[11756]: Message h08I1F32012337 from >127.0.0.1 (tonka.aberfoyle.com) is spam, SpamAssassin (score=5.6, required >5, BALANCE_FOR_LONG_20K, FREE_MONEY, NO_MX_FOR_FROM, SPAM_PHRASE_00_01, >SUBJ_ALL_CAPS, SUBJ_FREE_CAP, SUB_FREE_OFFER, SUPERLONG_LINE, >UPPERCASE_25_50) >Jan 8 13:01:58 tonka MailScanner[11756]: Spam Checks: Found 1 spam >messages >Jan 8 13:01:58 tonka MailScanner[11756]: Spam Actions: message >h08I1F32012337 actions are deliver >Jan 8 13:01:58 tonka MailScanner[11756]: Unscanned: Delivered 1 messages >Jan 8 13:01:59 tonka MailScanner[11756]: Virus and Content Scanning: >Starting >Jan 8 13:02:00 tonka sendmail[12502]: h08I1F32012337: to >=, ctladdr= (0/0), >delay=00:00:44, xdelay=00:00:00, mailer=local, pri=120367, dsn=2.0.0, >stat=Sent > > >Thanks, > >Magda Hewryk >-------------------------------- >Mid-Range Systems >RSP: 905-273-1637 >CELL: 416-948-4427 -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Wed Jan 8 23:33:32 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:54 2006 Subject: Archiving e-mail ruleset In-Reply-To: Message-ID: <5.2.0.9.2.20030108233051.02028d78@imap.ecs.soton.ac.uk> At 14:42 08/01/2003, you wrote: >I'm a bit lost here, I want to archive e-mail that certain users send so I >created a ruleset. > >Now I'm not sure what the below means, where do I put the ruleset and >where do I put the directory to archive mail? Is this the comma separated >list or did I overlook something? > ># Space-separated list of email address and directory names where you want ># a copy of all mail to be forwarded or stored. 
>#
># If you give this option a ruleset, you can control exactly whose mail
># is archived or forwarded. If you do this, beware of the legal
>implications
># as this could be deemed to be illegal interception unless the police
>have
># asked you to do this.
>Archive Mail = /var/spool/MailScanner/archive

Set
Archive Mail = /etc/MailScanner/rules/archive.mail.rules
And then in that file put things like
From: user1@yourdomain.com /var/spool/MailScanner/archive/user1
From: user2@yourdomain.com /var/spool/MailScanner/archive/user2
From: *@yourdomain.com /var/spool/MailScanner/archive/otherusers
FromOrTo: default

So mail from user1 gets put in the user1 archive (ditto for user2). Mail from any other address in your domain gets put in the "otherusers" archive. No other mail is archived (which is why the default is blank).
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Wed Jan 8 23:53:00 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:54 2006
Subject: MailScanner Online Store
In-Reply-To: <6214C3F9233D764C9E7029396C355015682872@mail.foundation.sdsu.edu>
Message-ID: <5.2.0.9.2.20030108235234.01fe0750@imap.ecs.soton.ac.uk>

At 19:13 08/01/2003, you wrote:
>What? No baby clothes?

There's now a toddler hooded jacket :-)

>Steve Evans
>SDSU Foundation
>(619) 594-0653
>
>-----Original Message-----
>From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK]
>Sent: Wednesday, January 08, 2003 10:19 AM
>To: MAILSCANNER@JISCMAIL.AC.UK
>Subject: MailScanner Online Store
>
>
>I have just opened up an online store selling all sorts of MailScanner
>goodies. I am not making any huge profits or anything, it's there if you
>want it...
> >Check it out at http://www.mailscanner.info/store >-- >Julian Field >www.MailScanner.info >MailScanner thanks transtec Computers for their support -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Wed Jan 8 23:11:41 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:54 2006 Subject: spamassassin timeout In-Reply-To: Message-ID: <5.2.0.9.2.20030108230955.02cee468@imap.ecs.soton.ac.uk> At 10:06 08/01/2003, you wrote: >I seem to recall a discussion on this in the past where MS was not giving >SA enough time - having searched the archives I think the relevant post is: > >http://www.jiscmail.ac.uk/cgi-bin/wa.exe?A2=ind0210&L=mailscanner&P=R73136&I=-3&m=3466 > > >The main issue is that MS gives SA 30 seconds before timing out. >Unfortunately SA gives DNSBL lookups 30 seconds before it gives up so MS >kills SA before its timed out and returned. > >My solution which seems to work was to increase the MS timeout of SA to >40. The post above gives a fuller solution which reduces the timeout that >SA uses on the RBLs. What I will endeavour to add to the next version is an improvement to the SA timeout code. So if SA times out lots of times in a row it will remove SA's ability to do RBL lookups. If that fixes the timeouts then it will carry on like that. If SA still times out after some more attempts, then it will kill SA completely. All this state is reset when MailScanner next does its auto restart in a few hours time. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Thu Jan 9 00:10:03 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:54 2006 Subject: Spam blacklist? 
In-Reply-To: References: <200301080849.47027.lbergman@wtxs.net> Message-ID: <5.2.0.9.2.20030109000924.02cf5068@imap.ecs.soton.ac.uk> At 21:24 08/01/2003, you wrote: >Indeed, that is one possible solution. > >But not all of my boxes run spamassassin, particularly RedHat 6.2 is very >difficult to get SA properly installed. Lots of things to upgrade and 90% >of the spam problem is from or to a limited set of e-mail adresses on my >boxes. > >But one would think that a blacklisted mail adress would be processed >according to high scoring rules, otherwise there isn't much use in >blacklisting them :) My black/white-listing isn't really connected to the SpamAssassin scoring code. Maybe it should be. >On Wed, 8 Jan 2003, Lewis Bergman wrote: > > > On Wednesday 08 January 2003 04:24 am, Remco Barendse wrote: > > > I have a rule list that will mark certain messages as spam even though > > > there is no other reason to mark them as spam. This is working perfectly. > > > > > > I have noticed however that MailScanner will treat messages that are > > > marked by a blacklist rule as low scoring spam? > > > > > > Would it be possible to change this to high scoring spam? After all you > > > want to blacklist them. I allow low scoring spam messages to go through > > > but high scoring stuff is forwarded to an alternate address. I would like > > > to do the same for the blacklisted stuff. > > Why not use SA to do the RBL checks and then assign them a score which will > > force them into the high score category using the spam.assassin.prefs.conf > > file? > > -- > > Lewis Bergman > > Texas Communications > > 4309 Maple St. > > Abilene, TX 79602-8044 > > 915-695-6962 ext 115 > > > > > > >-- >This message has been scanned for viruses and >dangerous content by MailScanner, and is >believed to be clean. 
-- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Thu Jan 9 00:10:35 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:54 2006 Subject: MailScanner Online Store In-Reply-To: <06EE2C86D3DAD5119A6C0060943F3C970402C0CF@tormail1.algorith mics.com> Message-ID: <5.2.0.9.2.20030109001014.02cf9dd8@imap.ecs.soton.ac.uk> At 21:28 08/01/2003, you wrote: >I betcha Julian is wearing the boxers right now. Not yet... (shipping from the US always takes ages :-) >-----Original Message----- >From: Julian Field >[mailto:mailscanner@ecs.soton.ac.uk] >Sent: Wednesday, January 08, 2003 1:19 PM >To: MAILSCANNER@jiscmail.ac.uk >Subject: MailScanner Online Store > >I have just opened up an online store selling all sorts of MailScanner >goodies. >I am not making any huge profits or anything, it's there if you want it... > >Check it out at >http://www.mailscanner.info/store >-- >Julian Field >www.MailScanner.info >MailScanner thanks transtec Computers for their support -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030109/428eeab5/attachment.html From mailscanner at ecs.soton.ac.uk Wed Jan 8 23:05:23 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:54 2006 Subject: Whitelisting problem In-Reply-To: References: <5.2.0.9.2.20030107165515.05051d58@imap.ecs.soton.ac.uk> Message-ID: <5.2.0.9.2.20030108225714.02cf9ff0@imap.ecs.soton.ac.uk> At 09:11 08/01/2003, you wrote: >How does whitelisting on IP work? It spots the fact the pattern you are matching only contains digits and no letters. If so, it matches against the IP address where the SMTP connection is coming from. > Do we need to use the same file and >format as we do with domain names?? Yes. 
You can use patterns such as
1. Full IP addresses
   194.109.9.99
2. IP address prefixes
   194.109. would match 194.109.*.*
3. Regular expressions using IP addresses
   /194.109.(9|10|11|12)./ would match 194.109.9.* - 194.109.12.*

If you don't know much about regular expressions then type "man perlre" for a very detailed explanation.

>From: 194.109.9.99 yes
>
>
>On Tue, 7 Jan 2003, Julian Field wrote:
>
> > At 16:50 07/01/2003, you wrote:
> >
> > >IBM is a partner of ours so I have whitelisted ibm.com
> > >
> > >But now some spammer is forging both the envelope and header to look like
> > >it came from ibm.com
> > >
> > >The spammer appears to be creating random addresses ending in @ibm.com
> > >
> > >Is my only choice to remove ibm.com from the whitelist?
> >
> > If ibm.com only use a few outgoing mail servers, you could whitelist their
> > IP addresses instead.
> > --
> > Julian Field
> > www.MailScanner.info
> > MailScanner thanks transtec Computers for their support
> >
>
>
>
>
>--
>This message has been scanned for viruses and
>dangerous content by MailScanner, and is
>believed to be clean.

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Thu Jan 9 00:02:46 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:54 2006
Subject: MailScanner Online Store
In-Reply-To:
References: <6214C3F9233D764C9E7029396C355015682872@mail.foundation.sdsu.edu>
Message-ID: <5.2.0.9.2.20030109000233.02d0beb0@imap.ecs.soton.ac.uk>

At 19:12 08/01/2003, you wrote:
>What? No Beer Mat?

Consider it done...

>lol
>
>Matthew K Bowman
>Systems Administrator, UDCom
>
>
>
>
> Steve Evans
> MAILSCANNER@JISCMAIL.AC.UK
> .SDSU.EDU> cc:
> Sent by: Subject: Re: MailScanner
> Online Store
> MailScanner
> mailing list
> AIL.AC.UK>
>
>
> 01/08/2003 02:13
> PM
> Please respond to
> MailScanner
> mailing list
>
>
>
>
>
>What? No baby clothes?
> >Steve Evans >SDSU Foundation >(619) 594-0653 > >-----Original Message----- >From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] >Sent: Wednesday, January 08, 2003 10:19 AM >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: MailScanner Online Store > > >I have just opened up an online store selling all sorts of MailScanner >goodies. I am not making any huge profits or anything, it's there if you >want it... > >Check it out at http://www.mailscanner.info/store >-- >Julian Field >www.MailScanner.info >MailScanner thanks transtec Computers for their support -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From gerry at DORFAM.CA Thu Jan 9 00:44:21 2003 From: gerry at DORFAM.CA (Gerry Doris) Date: Thu Jan 12 21:16:54 2006 Subject: MailScanner Online Store In-Reply-To: <06EE2C86D3DAD5119A6C0060943F3C970402C0CF@tormail1.algorithmics.com> Message-ID: On Wed, 8 Jan 2003, Derek Winkler wrote: > I betcha Julian is wearing the boxers right now. > I suspect that his entire wardrobe has been selected from the new store. He's probably a walking advertisement for MailScanner...kind like those guys wearing sandwich boards only better. -- Gerry "The lyfe so short, the craft so long to learne" Chaucer From dlovelace at HOTELS.COM Thu Jan 9 00:53:52 2003 From: dlovelace at HOTELS.COM (Dale Lovelace) Date: Thu Jan 12 21:16:54 2006 Subject: clamav Message-ID: <95DD6F026D9C5C459E262B9C385C478E5981F6@h-file04.180096hotel.com> I am running it at hotels.com scanning about 40,000 mails per day (is everyone's mail volume down since Christmas?). I haven't seen any problems with it, but it definitely doesn't catch everything. Our Exchange administrators run Anti-Gen on the Exchange servers which still catch as many virii as I do with Clamav, after going through the MailScanner server. I am simply using it to offload some of the work the Exchange servers do... 
-----Original Message-----
From: Matthew Bowman [mailto:mbowman@UDCOM.COM]
Sent: Wed 1/8/2003 3:35 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Cc:
Subject: clamav

Hi

Is anyone using clamav with their MailScanner installation - if so, how
good is it? Is there any reason why I should not get it.

I'm running:-

Redhat 7.3
sendmail 8.11.6-3
MailScanner 4.10-1
SpamAssassin 2.43

Matthew K Bowman
Systems Administrator; Hostmaster; Miva Administrator
Universal Digital Communications, Mansfield Ohio.

From paul.hamilton at sme-ecom.co.uk Thu Jan 9 07:31:26 2003
From: paul.hamilton at sme-ecom.co.uk (Paul Hamilton)
Date: Thu Jan 12 21:16:54 2006
Subject: 'System Administrators' report.
Message-ID: <000501c2b7b1$1ebea460$fc32000a@4>

Hi All,

Has anybody experienced the same?

We have recently set up a ruleset so that specific users receive a copy of the
'System Administrators' report.
Within the 'Notices To' ruleset we have set the following:

FromTo: default             infection@sent-to-me.xxx
FromTo: *@users-domain.xxx  user@users-domain.xxx infection@sent-to-me.xxx

This in theory sends a copy on 'default' users to me and on the specified
user, one to them and one to me. This is working fine but where we specify
*@users-domain.xxx user@users-domain.xxx infection@sent-to-me.xxx the reports
are being duplicated so in effect we are generating 4 copies of the
'System Administrators' report, two to the specified user and two to me.

If we set the specified user to:

FromTo: *@users-domain.xxx  user@users-domain.xxx

only one copy is generated (the specified user's copy) but
infection@sent-to-me.xxx does not get a copy.

We obviously would like to eliminate the duplication. Any suggestions?

Many thanks in advance

Paul H
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030109/86b931c7/attachment.html

From Q.G.Campbell at NEWCASTLE.AC.UK Thu Jan 9 09:41:42 2003
From: Q.G.Campbell at NEWCASTLE.AC.UK (Quentin Campbell)
Date: Thu Jan 12 21:16:54 2006
Subject: Archiving e-mail ruleset
Message-ID:

> -----Original Message-----
> From: Julian Field [mailto:mailscanner@ecs.soton.ac.uk]
> Sent: 08 January 2003 23:34
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: Archiving e-mail ruleset
>
>
> At 14:42 08/01/2003, you wrote:
> >I'm a bit lost here, I want to archive e-mail that certain users send
> >so I created a ruleset.
> >
> >Now I'm not sure what the below means, where do I put the ruleset and
> >where do I put the directory to archive mail? Is this the comma
> >separated list or did I overlook something?
> >
> ># Space-separated list of email address and directory names where you want
> ># a copy of all mail to be forwarded or stored.
> >#
> ># If you give this option a ruleset, you can control exactly whose mail
> ># is archived or forwarded. If you do this, beware of the legal implications
> ># as this could be deemed to be illegal interception unless the police have
> ># asked you to do this.
> >Archive Mail = /var/spool/MailScanner/archive
>
> Set
> Archive Mail = /etc/MailScanner/rules/archive.mail.rules
> And then in that file put things like
> From:     user1@yourdomain.com  /var/spool/MailScanner/archive/user1
> From:     user2@yourdomain.com  /var/spool/MailScanner/archive/user2
> From:     *@yourdomain.com      /var/spool/MailScanner/archive/otherusers
> FromOrTo: default
>
> So mail from user1 gets put in the user1 archive (ditto for
> user2). Mail from any other address in your domain gets put
> in the "otherusers" archive. No other mail is archived (which
> is why the default is blank).
> --
> Julian Field
> www.MailScanner.info
> MailScanner thanks transtec Computers for their support
>

Directories specified in the Archive rules file must be created _before_
they are first used. The Archive facility does not create them for you.
MailScanner will object if it tries to archive a message and the specified
directory is not there.

Quentin
---
PHONE: +44 191 222 8209    Computing Service, University of Newcastle
FAX:   +44 191 222 8765    Newcastle upon Tyne, United Kingdom, NE1 7RU.
------------------------------------------------------------------------
"Any opinion expressed above is mine. The University can get its own."

From mailscanner at ecs.soton.ac.uk Thu Jan 9 09:46:01 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:54 2006
Subject: 'System Administrators' report.
In-Reply-To: <000501c2b7b1$1ebea460$fc32000a@4>
Message-ID: <5.2.0.9.2.20030109094419.029d2010@imap.ecs.soton.ac.uk>

At 07:31 09/01/2003, you wrote:
>Has anybody experienced the same?
>
>We have recently set up a ruleset so that specific users receive a copy of the
>'System Administrators' report.
>Within the 'Notices To' ruleset we have set the following:
>FromTo: default             infection@sent-to-me.xxx
>FromTo: *@users-domain.xxx  user@users-domain.xxx infection@sent-to-me.xxx
>
>This in theory sends a copy on 'default' users to me and on the specified
>user, one to them and one to me. This is working fine but where we specify
>*@users-domain.xxx user@users-domain.xxx infection@sent-to-me.xxx the reports
>are being duplicated so in effect we are generating 4 copies of the
>'System Administrators' report, two to the specified user and two to me.

I'll have to take a look at this one.

>If we set the specified user to:
>
>FromTo: *@users-domain.xxx  user@users-domain.xxx
>
>only one copy is generated (the specified user's copy) but
>infection@sent-to-me.xxx does not get a copy.

Which is correct.
It adds together all the lists in all the matching rules, but only uses the
"default" list if none of the rules matched.
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Thu Jan 9 09:42:58 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:54 2006
Subject: clamav
In-Reply-To: <95DD6F026D9C5C459E262B9C385C478E5981F6@h-file04.180096hotel.com>
Message-ID: <5.2.0.9.2.20030109094223.01eedd20@imap.ecs.soton.ac.uk>

Have you tried it with, perhaps, F-Prot or Sophos with a 30-day trial licence?

At 00:53 09/01/2003, you wrote:
> I am running it at hotels.com scanning about 40,000 mails per day (is
> everyone's mail volume down since Christmas?). I haven't seen any
> problems with it, but it definitely doesn't catch everything. Our
> Exchange administrators run Anti-Gen on the Exchange servers which still
> catch as many virii as I do with Clamav, after going through the
> MailScanner server. I am simply using it to offload some of the work the
> Exchange servers do...
>
>
>-----Original Message-----
>From: Matthew Bowman [mailto:mbowman@UDCOM.COM]
>Sent: Wed 1/8/2003 3:35 PM
>To: MAILSCANNER@JISCMAIL.AC.UK
>Cc:
>Subject: clamav
>Hi
>
>Is anyone using clamav with their MailScanner installation - if so, how
>good is it? Is there any reason why I should not get it.
>
>I'm running:-
>
>Redhat 7.3
>sendmail 8.11.6-3
>MailScanner 4.10-1
>SpamAssassin 2.43
>
>Matthew K Bowman
>Systems Administrator; Hostmaster; Miva Administrator
>Universal Digital Communications, Mansfield Ohio.
-- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Thu Jan 9 09:41:46 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:54 2006 Subject: MailScanner Online Store In-Reply-To: <95DD6F026D9C5C459E262B9C385C478E5981F4@h-file04.180096hote l.com> Message-ID: <5.2.0.9.2.20030109094105.02857398@imap.ecs.soton.ac.uk> At 20:31 08/01/2003, you wrote: > One request... Could we get a golf shirt with the logo only on the front? Done. With or without the back logo, it's your choice :) >-----Original Message----- >From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] >Sent: Wed 1/8/2003 12:18 PM >To: MAILSCANNER@JISCMAIL.AC.UK >Cc: >Subject: MailScanner Online Store >I have just opened up an online store selling all sorts of MailScanner >goodies. >I am not making any huge profits or anything, it's there if you want it... > >Check it out at http://www.mailscanner.info/store >-- >Julian Field >www.MailScanner.info >MailScanner thanks transtec Computers for their support -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From francis at CROSSEN.ORG Thu Jan 9 10:30:47 2003 From: francis at CROSSEN.ORG (Francis Crossen) Date: Thu Jan 12 21:16:54 2006 Subject: How about an announcement list...? Message-ID: <3E1D4F57.25996.12BFD4@localhost> What about it? This list is a bit too high volume for me to catch important announcements. Francis. From mailscanner at ecs.soton.ac.uk Thu Jan 9 10:51:08 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:54 2006 Subject: How about an announcement list...? In-Reply-To: <3E1D4F57.25996.12BFD4@localhost> Message-ID: <5.2.0.9.2.20030109105015.0286a9a0@imap.ecs.soton.ac.uk> At 10:30 09/01/2003, you wrote: >What about it? > >This list is a bit too high volume for me to catch important announcements. That's why I suggest you subscribe to the project page on www.freshmeat.net. 
To quote from the MailScanner home page: >"If you only want to hear announcements of new versions, then I suggest >you subscribe to the project at >FreshMeat." -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030109/80112e7d/attachment.html From andersan at LTKALMAR.SE Thu Jan 9 12:45:30 2003 From: andersan at LTKALMAR.SE (Anders Andersson, IT) Date: Thu Jan 12 21:16:54 2006 Subject: SV: [OT] Laptop virus protection ? Message-ID: <7B475DC5E9502B4D91EA73C283AE48D70263ED9C@lkl22.ltkalmar.se> > -----Ursprungligt meddelande----- > Fr?n: Declan Grady [mailto:Declan.Grady@NUVOTEM.COM] > Skickat: den 8 januari 2003 17:59 > Till: MAILSCANNER@JISCMAIL.AC.UK > ?mne: [OT] Laptop virus protection ? > > > Hi, > Sorry for the Off Topic, but I cant think of a better place > to ask this... > > Being a happy mailscanner user, I was surprised to find the > W32.Opaserv.Worm > doing the rounds of the win98 lan machines until I tracked it > down to one of > the few laptops in use here. > > I can only assume this laptop was used to dial an isp, and > was infected while > online, then when it physically got 0connected to the lan, > it had bypassed all the security measures. > > If this is the case, which is my only explanation, what do > you folks use to > avoid this situation happening ? > > Is its as simple as individual anti-virus on each of the 5 > laptops, and > assume the user will keep it up to date ? Never trust a single protection... users are to clever or stupid and catch get viruses from all places ie webb, floppy, cd's. I think especially with laptops you should aim to have a good client based AV-prog as well. Norton, NAI or something you like and consider safe. 
/Anders > > Thanks, > Declan > From dlovelace at HOTELS.COM Thu Jan 9 14:34:58 2003 From: dlovelace at HOTELS.COM (Dale Lovelace) Date: Thu Jan 12 21:16:54 2006 Subject: clamav Message-ID: <95DD6F026D9C5C459E262B9C385C478E5981F7@h-file04.180096hotel.com> No, I'm not particularly worried about catching virus, the Exchange guys are not getting rid of Anti-Gen, since it keeps users inside the office from sending virus to each other as well... I installed Clamav at first just to have the virus log messages for mailscanner-mrtg :-) I think I will keep it around now that I have it though, unless it breaks something... Dale -----Original Message----- From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] Sent: Thu 1/9/2003 3:42 AM To: MAILSCANNER@JISCMAIL.AC.UK Cc: Subject: Re: clamav Have you tried it with, perhaps, F-Prot or Sophos with a 30-day trial licence? At 00:53 09/01/2003, you wrote: > I am running it at hotels.com scanning about 40,000 mails per day (is > everyone's mail volume down since Christmas?). I haven't seen any > problems with it, but it definitely doesn't catch everything. Our > Exchange administrators run Anti-Gen on the Exchange servers which still > catch as many virii as I do with Clamav, after going through the > MailScanner server. I am simply using it to offload some of the work the > Exchange servers do... > > >-----Original Message----- >From: Matthew Bowman [mailto:mbowman@UDCOM.COM] >Sent: Wed 1/8/2003 3:35 PM >To: MAILSCANNER@JISCMAIL.AC.UK >Cc: >Subject: clamav >Hi > >Is anyone using clamav with their MailScanner installation - if so, how >good is it? Is there any reason why I should not get it. > >I'm running:- > >Redhat 7.3 >sendmail 8.11.6-3 >MailScanner 4.10-1 >SpamAssassin 2.43 > >Matthew K Bowman >Systems Administrator; Hostmaster; Miva Administrator >Universal Digital Communications, Mansfield Ohio. 
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Thu Jan 9 14:29:41 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:54 2006
Subject: mailscanner enhancement (patch)
In-Reply-To: <3E1D77AD.2E3D19C5@hkust.se>
Message-ID: <5.2.0.9.2.20030109142818.047412a0@imap.ecs.soton.ac.uk>

At 13:22 09/01/2003, you wrote:
>I've been searching *a lot* for a nice *nix mail scanning program
>that does not require mailer brain surgery, or is sensitive
>to heavy load, and MailScanner seems to fit the bill... Nice program! :-)
>I'm currently running it on 2 production sites, and it probably
>will be included in my standard toolbox if it behaves... :-)
>
>one tweak I made:
>
>I wanted to be able to adjust the queue scan frequency in order
>to batch process slightly less often than every 5 sec per daemon,
>
>(mail arrive maybe every 5-10 seconds at peak time, so basically
> every incoming mail spawned a new sendmail+anti-vir process,
> generating unnecessary load. )
>
>[that's about 2000 messages/day, for your stats]
>
>I also didn't want to decrease the sendmail queue (-q) frequency and
>use "queue" mode since that would cause it to process the outgoing
>mail queue too often.
>
>
>So I added a QueueScanInterval variable to get what I wanted.

Good idea. This will definitely help reduce overall load on quiet mail servers.

>Include it into the program if you want.

It will be in the next release. Many thanks for the contribution.
The entry to go into the MailScanner.conf file is this:

# How often (in seconds) should each process check the incoming mail
# queue for new messages? If you have a quiet mail server, you might
# want to increase this value so it causes less load on your server, at
# the cost of slightly increasing the time taken for an average message
# to be processed.
Queue Scan Interval = 5
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From sean at NISD.NET Thu Jan 9 14:40:06 2003
From: sean at NISD.NET (Sean Embry)
Date: Thu Jan 12 21:16:54 2006
Subject: SV: [OT] Laptop virus protection ?
Message-ID:

We've found that we still get e-mail borne viruses. The cause? People using
POP accounts at work from unprotected servers. Why doesn't the desktop AV stop
it? Because the users turn them off. *SIGH*

At least we aren't getting nearly so many now. Thanks Julian!

>>> andersan@LTKALMAR.SE 01/09/03 06:45AM >>>
> -----Original Message-----
> From: Declan Grady [mailto:Declan.Grady@NUVOTEM.COM]
> Sent: 8 January 2003 17:59
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: [OT] Laptop virus protection ?
>
>
> Hi,
> Sorry for the Off Topic, but I can't think of a better place
> to ask this...
>
> Being a happy mailscanner user, I was surprised to find the W32.Opaserv.Worm
> doing the rounds of the win98 lan machines until I tracked it down to one of
> the few laptops in use here.
>
> I can only assume this laptop was used to dial an isp, and was infected while
> online, then when it physically got connected to the lan,
> it had bypassed all the security measures.
>
> If this is the case, which is my only explanation, what do you folks use to
> avoid this situation happening ?
>
> Is it as simple as individual anti-virus on each of the 5 laptops, and
> assume the user will keep it up to date ?

Never trust a single protection... users are too clever or stupid and catch
viruses from all places, i.e. web, floppy, CDs. I think especially with laptops
you should aim to have a good client based AV-prog as well. Norton, NAI or
something you like and consider safe.

/Anders

>
> Thanks,
> Declan
>

From Denis.Beauchemin at USHERBROOKE.CA Thu Jan 9 14:47:36 2003
From: Denis.Beauchemin at USHERBROOKE.CA (Denis Beauchemin)
Date: Thu Jan 12 21:16:54 2006
Subject: 4.11 related error?
Message-ID: <1042123655.11190.20.camel@dbeauchemin.si.usherbrooke.ca>

Hello,

I installed MS 4.11 on one of my mail gateways and since then sendmail
is quite verbose about unknown users:

Jan 8 08:14:40 smtp2 sendmail[3642]: h08DEaU03241: SYSERR: putoutmsg (hermes-s.usherbrooke.ca.): error on output channel sending "550 5.1.1 ... User unknown": Bad file descriptor
Jan 8 08:18:27 smtp2 sendmail[4102]: h08DIQU04090: SYSERR: putoutmsg (mx.videotron.ca.): error on output channel sending "550 5.1.1 ... User unknown": Bad file descriptor

I get plenty of these errors on the console and in my logs. My other
server running 4.10 isn't that verbose. Both are RH 7.3 systems with
the same patch levels.

Any ideas what is causing this? I tried to remove the
-OPrivacyOptions=noetrn option in the startup file but it didn't stop
the messages.

Thanks again!

Denis
--
Denis Beauchemin, analyste
Université de Sherbrooke, S.T.I.
T: 819.821.8000x2252 F: 819.821.8045

From lele at PROFIM.FLORIDA.IT Thu Jan 9 15:49:54 2003
From: lele at PROFIM.FLORIDA.IT (Emanuele Salvador)
Date: Thu Jan 12 21:16:54 2006
Subject: Remember to separate fields...
Message-ID:

I'm currently on MS 4.11-1. After adding some lines to
filenames.rules.conf (deny \.exe.$some text, I see on my maillog the messages:

Possible syntax error on line <> of /etc/mailscanner/filename.rules.conf
Remeber to separate fields with tab characters!

That's exactly what I do! any help appreciated.

Regards,
Emanuele

I think that man has the most highly developed intelligence.
I think men get so intelligent that they're stupid.
- Don Van Vliet -

From mailscanner at BARENDSE.TO Thu Jan 9 16:08:06 2003
From: mailscanner at BARENDSE.TO (Remco Barendse)
Date: Thu Jan 12 21:16:54 2006
Subject: Orphaned, undelivered files in mqueue.in
Message-ID:

Ever since I upgraded to MailScanner 4.11-1 yesterday I have several
orphaned files that are piling up in mqueue.in

The only files sitting there are the df files, without any other files.
Also these messages have never been delivered to the intended recipient.

Any ideas??

Can I still get these df files delivered or extract them to make them
readable?

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From mailscanner at ecs.soton.ac.uk Thu Jan 9 16:20:16 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:54 2006
Subject: Remember to separate fields...
In-Reply-To:
Message-ID: <5.2.0.9.2.20030109161926.02b91fd8@imap.ecs.soton.ac.uk>

At 15:49 09/01/2003, you wrote:
>I'm currently on MS 4.11-1. After adding some lines to
>filenames.rules.conf (deny \.exe.$some
>text, I see on my maillog the messages:
>
>Possible syntax error on line <> of
>/etc/mailscanner/filename.rules.conf
>Remeber to separate fields with tab characters!

You have missed off the last field, which is the message that the users
get. You can't just leave that blank, it has to exist.
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Thu Jan 9 16:21:33 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:54 2006
Subject: Orphaned, undelivered files in mqueue.in
In-Reply-To:
Message-ID: <5.2.0.9.2.20030109162030.02a82cd0@imap.ecs.soton.ac.uk>

At 16:08 09/01/2003, you wrote:
>Ever since I upgraded to MailScanner 4.11-1 yesterday I have several
>orphaned files that are piling up in mqueue.in
>
>The only files sitting there are the df files, without any other files.
>Also these messages have never been delivered to the intended recipient.
>
>Any ideas??
>
>Can I still get these df files delivered or extract them to make them
>readable?

Check both your /var/spool/mqueue and your maillog to see if the message
ids have already been delivered (or at least placed in the outgoing queue).

I thought I had fixed this in 4.11, but obviously not well enough.
Do the times on the files correspond to times when you have done a
MailScanner "reload" or "restart"?
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From Denis.Beauchemin at USHERBROOKE.CA Thu Jan 9 16:31:19 2003
From: Denis.Beauchemin at USHERBROOKE.CA (Denis Beauchemin)
Date: Thu Jan 12 21:16:54 2006
Subject: MailScanner-MRTG problem
In-Reply-To: <1041946016.15742.5747.camel@dbeauchemin.si.usherbrooke.ca>
References: <1041946016.15742.5747.camel@dbeauchemin.si.usherbrooke.ca>
Message-ID: <1042129879.11187.33.camel@dbeauchemin.si.usherbrooke.ca>

I found my problem: mailscanner-mrtg was returning a number greater than
what would fit in a 32bit counter and MRTG uses 32bit counters (except
for some quite recent releases).

To correct it I changed from bytes to MBytes:

/etc/mrtg/mailscanner-mrtg.cfg:
Target[mailbytes]: `/usr/sbin/mailscanner-mrtg mailbytes`
Title[mailbytes]: Bytes of Mail Processed
Background[mailbytes]: #ffffff
PageTop[mailbytes]: MBytes of Mail Processed
WithPeak[mailbytes]: wmy
Directory[mailbytes]: mailbytes
MaxBytes[mailbytes]: 4096
AbsMax[mailbytes]: 8192
YLegend[mailbytes]: MBytes
ShortLegend[mailbytes]: Mbytes
Legend1[mailbytes]: Average MBytes
Legend2[mailbytes]:
Legend3[mailbytes]: Maximum MBytes
Legend4[mailbytes]:
LegendI[mailbytes]: :
LegendO[mailbytes]:

I also modified /usr/sbin/mailscanner-mrtg at the end of the MailBytes
function:

        close LOG;
        # Mod to convert in MB
        $Total /= 1024 * 1024;
        if ($debug) {
                Debug("Total", $Total);
                Debug("Leaving sub Mail");
        }
}

and deleted all my data in the mailbytes directory where MRTG puts its
logs and graphs.

Denis

On Tue 07/01/2003 at 08:26, Denis Beauchemin wrote:
> Hello,
>
> One of my graphs maxes out and I can't seem to do what is right to
> correct it:
>
> The text below the graph is:
> Max : 2146.1 M bytes Average : 801.5 M bytes Current : 112.7 M bytes
>
> The definition for it is:
> # grep mailbytes /etc/mrtg/mailscanner-mrtg.cfg
> Target[mailbytes]: `/usr/sbin/mailscanner-mrtg mailbytes`
> Title[mailbytes]: Bytes of Mail Processed
> Background[mailbytes]: #ffffff
> PageTop[mailbytes]: Bytes of Mail Processed
> WithPeak[mailbytes]: wmy
> Directory[mailbytes]: mailbytes
> MaxBytes[mailbytes]: 5000000000000
> AbsMax[mailbytes]: 100000000000000
> YLegend[mailbytes]: Bytes
> ShortLegend[mailbytes]: bytes
> Legend1[mailbytes]: Average Bytes
> Legend2[mailbytes]:
> Legend3[mailbytes]: Maximum Bytes
> Legend4[mailbytes]:
> LegendI[mailbytes]: :
> LegendO[mailbytes]:
>
> I'm using mailscanner-mrtg-0.04-2.noarch.rpm.
>
> Any ideas?
>
> Thanks!
>
> Denis
--
Denis Beauchemin, analyste
Université de Sherbrooke, S.T.I.
T: 819.821.8000x2252 F: 819.821.8045

From j.cormie at ABERTAY.AC.UK Thu Jan 9 16:55:40 2003
From: j.cormie at ABERTAY.AC.UK (Jason Cormie)
Date: Thu Jan 12 21:16:54 2006
Subject: Spamassasin timing Out
Message-ID:

Debian 3
Mailscanner 3.26
Exim 3.35
Spamassassin 2.43


Yes, I know this has been covered, but this afternoon my incoming queue
started growing without transferring anything to outgoing...

My RBLs are done by exim, so it can't be anything to do with that
'spamassasin timeout' is set to 60
'skip_rbl_checks' is set to 1

If I set 'Use Spamassassin' to no and restart mailscanner my mail gets
processed...

Any ideas?

Jason the Troubled

From mailscanner at BARENDSE.TO Thu Jan 9 17:17:30 2003
From: mailscanner at BARENDSE.TO (Remco Barendse) Date: Thu Jan 12 21:16:54 2006 Subject: Orphaned, undelivered files in mqueue.in In-Reply-To: <5.2.0.9.2.20030109162030.02a82cd0@imap.ecs.soton.ac.uk> Message-ID: This was the first thing I have checked. I took different parts of the numbers of these df files and grepped the maillog for it. Strangely enough I cannot find them. Also when browsing through the maillog and looking around the same date/time as these orphaned files in some cases there isn't any message whatsoever of mail being delivered / received. I have about 10 orphaned files in the mqueue.in, none in the outdir and they are all from yesterday and this morning. I know for sure that I didn't restart MailScanner last night or this morning. It's hardly possible that MailScanner would restart itself at exactly the same time as these 10 e-mails in 1,5 day? (This is a very low volume home server). On Thu, 9 Jan 2003, Julian Field wrote: > At 16:08 09/01/2003, you wrote: > >Ever since I upgraded to MailScanner 4.11-1 yesterday I have several > >orphaned files that are piling up in mqueue.in > > > >The only files sitting there are the df files, without any other files. > >Also these messages have never been delivered to the intended recipient. > > > >Any ideas?? > > > >Can I still get these df files delivered or extract them to make them > >readable? > > Check both your /var/spool/mqueue and your maillog to see if the message > ids have already been delivered (or at least placed in the outgoing queue). > > I thought I had fixed this in 4.11, but obviously not well enough. > > Do the times on the files correspond to times when you have done a > MailScanner "reload" or "restart"? > -- > Julian Field > www.MailScanner.info > MailScanner thanks transtec Computers for their support > > -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From Kevin.Spicer at BMRB.CO.UK Thu Jan 9 17:17:00 2003 
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin) Date: Thu Jan 12 21:16:54 2006 Subject: Spamassasin timing Out Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0A32C1A@pascal.priv.bmrb.co.uk> I had almost what seems like the same problem over the Xmas holidays. I turned off spamassassin's auto-whitelist functionality and it cleared the problem. I really don't know whether that was source of the problem or not - but you might like to try it! > -----Original Message----- > From: Jason Cormie [mailto:j.cormie@ABERTAY.AC.UK] > Sent: 09 January 2003 16:56 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: [MAILSCANNER] Spamassasin timing Out > > > Debian 3 > Mailscanner 3.26 > Exim 3.35 > Spamassassin 2.43 > > > Yes, I know this has been covered, but this afternoon my > incoming queue > started growing without transfering anything to outgoing... > > My RBLs are done by exim, so It can't be anything to do with that > 'spamassasin timeout' is set to 60 > 'skip_rbl_checks' is set to 1 > > If I set 'Use Spamassassin' to no and restart mailscanner my mail gets > processed... > > Any ideas? > > Jason the Troubled > From j.cormie at ABERTAY.AC.UK Thu Jan 9 17:24:15 2003 From: j.cormie at ABERTAY.AC.UK (Jason Cormie) Date: Thu Jan 12 21:16:54 2006 Subject: Spamassasin timing Out Message-ID: Sorry, auto whitelist is off already, I do have razor 1.20 installed as well, don't know if that could be causing a problem -----Original Message----- From: Spicer, Kevin [mailto:Kevin.Spicer@BMRB.CO.UK] Sent: 09, January, 2003 17:17 To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Spamassasin timing Out I had almost what seems like the same problem over the Xmas holidays. I turned off spamassassin's auto-whitelist functionality and it cleared the problem. I really don't know whether that was source of the problem or not - but you might like to try it! > -----Original Message----- 
> From: Jason Cormie [mailto:j.cormie@ABERTAY.AC.UK] > Sent: 09 January 2003 16:56 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: [MAILSCANNER] Spamassasin timing Out > > > Debian 3 > Mailscanner 3.26 > Exim 3.35 > Spamassassin 2.43 > > > Yes, I know this has been covered, but this afternoon my > incoming queue > started growing without transfering anything to outgoing... > > My RBLs are done by exim, so It can't be anything to do with that > 'spamassasin timeout' is set to 60 > 'skip_rbl_checks' is set to 1 > > If I set 'Use Spamassassin' to no and restart mailscanner my mail gets > processed... > > Any ideas? > > Jason the Troubled > From andrewh at CQG.COM Thu Jan 9 17:29:07 2003 
From: andrewh at CQG.COM (Andrew M. Hoying) Date: Thu Jan 12 21:16:54 2006 Subject: OT: Dynamically updating /etc/mail/access Message-ID: <8A6DFB0865502242A29E25BDAEFBB9451ABE9C@d2sexchtest.cqg.com> I'm including the spamassassin list in this because I think it is relevant there as well. Has anyone thought about starting some kind of distributed (like razor and dcc) or community (like spamassassin) based effort to build a near real time access list like this? Obviously this list doesn't catch everything. If there was a way to submit new items for the list to be reviewed and added by a large group of users, or automatically tested and added in some cases, I think it could be even more effective. Not that I'm unhappy with 70-80% of spam getting blocked by the current access list at my site, but more is always better. -- > http://basic.wirehub.nl/spamlist-usage.html > The spamlist (http://basic.wirehub.nl/spamlist-extended.txt, 3,5 MB) is > updated every hour. If you like, you can just use the domain names by > grepping "JUNK$" from http://basic.wirehub.nl/spamlist.txt. > -- > - Ben C. O. Grimm ----------------- Ben.Grimm@wirehub.net - > - Wirehub! Internet Engineering - http://www.wirehub.net/ - > - Private Ponderings ----------- http://www.bengrimm.net/ - > - Wirehub! Internet ----------- part of easynet Group plc - From mailscanner at ecs.soton.ac.uk Thu Jan 9 17:31:01 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:54 2006 Subject: Orphaned, undelivered files in mqueue.in In-Reply-To: References: <5.2.0.9.2.20030109162030.02a82cd0@imap.ecs.soton.ac.uk> Message-ID: <5.2.0.9.2.20030109172953.02a9c0d0@imap.ecs.soton.ac.uk> It is possible that you merely got them for non-MailScanner related problems, such as an SMTP client getting cut off half way through sending a message. Sorry if that sounds like I'm passing the buck... At 17:17 09/01/2003, you wrote: >This was the first thing I have checked. I took different parts of the >numbers of these df files and grepped the maillog for it. Strangely enough >I cannot find them. Also when browsing through the maillog and looking >around the same date/time as these orphaned files in some cases there >isn't any message whatsoever of mail being delivered / received. > >I have about 10 orphaned files in the mqueue.in, none in the outdir and >they are all from yesterday and this morning. I know for sure that I >didn't restart MailScanner last night or this morning. It's hardly >possible that MailScanner would restart itself at exactly the same time as >these 10 e-mails in 1,5 day? (This is a very low volume home server). > >On Thu, 9 Jan 2003, Julian Field wrote: > > > At 16:08 09/01/2003, you wrote: > > >Ever since I upgraded to MailScanner 4.11-1 yesterday I have several > > >orphaned files that are piling up in mqueue.in > > > > > >The only files sitting there are the df files, without any other files. > > >Also these messages have never been delivered to the intended recipient. > > > > > >Any ideas?? > > > > > >Can I still get these df files delivered or extract them to make them > > >readable? > > > > Check both your /var/spool/mqueue and your maillog to see if the message > > ids have already been delivered (or at least placed in the outgoing queue). > > > > I thought I had fixed this in 4.11, but obviously not well enough. 
> > > > Do the times on the files correspond to times when you have done a > > MailScanner "reload" or "restart"? > > -- > > Julian Field > > www.MailScanner.info > > MailScanner thanks transtec Computers for their support > > > > > > >-- >This message has been scanned for viruses and >dangerous content by MailScanner, and is >believed to be clean. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Thu Jan 9 17:31:38 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:54 2006 Subject: Spamassasin timing Out In-Reply-To: Message-ID: <5.2.0.9.2.20030109173119.02e2a590@imap.ecs.soton.ac.uk> At 16:55 09/01/2003, you wrote: >Debian 3 >Mailscanner 3.26 >Exim 3.35 >Spamassassin 2.43 > > >Yes, I know this has been covered, but this afternoon my incoming queue >started growing without transfering anything to outgoing... > >My RBLs are done by exim, so It can't be anything to do with that >'spamassasin timeout' is set to 60 >'skip_rbl_checks' is set to 1 > >If I set 'Use Spamassassin' to no and restart mailscanner my mail gets >processed... What does your maillog say about it? -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From j.cormie at ABERTAY.AC.UK Thu Jan 9 18:08:57 2003 
From: j.cormie at ABERTAY.AC.UK (Jason Cormie) Date: Thu Jan 12 21:16:54 2006 Subject: Spamassasin timing Out Message-ID: > What does your maillog say about it? When I restart mailscanner it comes up, sits at scanning first 100 messages then spamassassin times out mailscanner continues to run and eat processor and memory below is a segment of todays logs at 15:38 I started mailscanner up with spamassassin enabled at 16:35 I stopped it, waited a bit, started it without spamassassin Jan 9 15:38:21 uadspa01 mailscanner[13733]: MailScanner E-Mail Virus Scanner version 3.26-1 starting. Jan 9 15:38:21 uadspa01 mailscanner[13733]: Configuring mailscanner for Exim mailer... Jan 9 15:38:21 uadspa01 mailscanner[13733]: Using locktype = posix Jan 9 15:38:21 uadspa01 mailscanner[13733]: Creating hardcoded struct_flock subroutine for linux (Linux-type) Jan 9 15:38:21 uadspa01 mailscanner[13734]: ECS MailScanner setting GID to mail (8) Jan 9 15:38:21 uadspa01 mailscanner[13734]: ECS MailScanner setting UID to mail (8) Jan 9 15:38:31 uadspa01 mailscanner[13734]: Startup: found 3 messages waiting Jan 9 15:38:31 uadspa01 mailscanner[13734]: Scanning 3 messages, 15079 bytes Jan 9 15:39:12 uadspa01 mailscanner[13734]: Scanned 3 messages, 15079 bytes in 0 seconds Jan 9 15:39:12 uadspa01 mailscanner[13734]: Scanning 8 messages, 88547 bytes Jan 9 15:41:45 uadspa01 mailscanner[13734]: Scanned 8 messages, 88547 bytes in 0 seconds Jan 9 15:41:45 uadspa01 mailscanner[13734]: Scanning 28 messages, 395670 bytes Jan 9 15:48:54 uadspa01 mailscanner[13734]: Scanned 28 messages, 395670 bytes in 1 seconds Jan 9 15:48:55 uadspa01 mailscanner[13734]: Scanning 86 messages, 813639 bytes Jan 9 15:51:19 uadspa01 mailscanner[13734]: SpamAssassin timed out and was killed, consecutive failure 1 of 10 Jan 9 16:10:11 uadspa01 mailscanner[13734]: Scanned 86 messages, 813639 bytes in 5 seconds Jan 9 16:10:15 uadspa01 mailscanner[13734]: Scanning 100 messages, 830555 bytes Jan 9 16:13:55 uadspa01 
mailscanner[13734]: SpamAssassin timed out and was killed, consecutive failure 1 of 10 Jan 9 16:30:00 uadspa01 mailscanner[13734]: Scanned 100 messages, 830555 bytes in 7 seconds Jan 9 16:30:07 uadspa01 mailscanner[13734]: Scanning 100 messages, 1024265 bytes Jan 9 16:35:00 uadspa01 mailscanner[18520]: MailScanner E-Mail Virus Scanner version 3.26-1 starting. Jan 9 16:35:00 uadspa01 mailscanner[18520]: Configuring mailscanner for Exim mailer... Jan 9 16:35:00 uadspa01 mailscanner[18520]: Using locktype = posix Jan 9 16:35:00 uadspa01 mailscanner[18520]: Creating hardcoded struct_flock subroutine for linux (Linux-type) Jan 9 16:35:00 uadspa01 mailscanner[18521]: ECS MailScanner setting GID to mail (8) Jan 9 16:35:00 uadspa01 mailscanner[18521]: ECS MailScanner setting UID to mail (8) Jan 9 16:35:00 uadspa01 mailscanner[18521]: Startup: found 516 messages waiting Jan 9 16:35:00 uadspa01 mailscanner[18521]: Scanning 100 messages, 1024265 bytes Jan 9 16:35:07 uadspa01 mailscanner[18521]: Scanned 100 messages, 1024265 bytes in 7 seconds Jan 9 16:35:14 uadspa01 mailscanner[18521]: Scanning 100 messages, 1611938 bytes Jan 9 16:35:21 uadspa01 mailscanner[18521]: Scanned 100 messages, 1611938 bytes in 7 seconds Jan 9 16:35:25 uadspa01 mailscanner[18521]: Scanning 100 messages, 689528 bytes Jan 9 16:35:36 uadspa01 mailscanner[18521]: Detected Microsoft-specific exploits in 18WfHz-0004Et-00 Jan 9 16:35:37 uadspa01 mailscanner[18521]: Found 1 viruses in messages 18WfHz-0004Et-00 Jan 9 16:35:37 uadspa01 mailscanner[18521]: Scanned 100 messages, 689528 bytes in 11 seconds Jan 9 16:35:37 uadspa01 mailscanner[18521]: Saved entire message to /var/spool/mailscanner/quarantine/20030109/18WfHz-0004Et-00 Jan 9 16:35:38 uadspa01 mailscanner[18521]: Notified uadspa01@abertay.ac.uk about 1 infections Jan 9 16:35:42 uadspa01 mailscanner[18521]: Scanning 100 messages, 1291793 bytes Jan 9 16:35:53 uadspa01 mailscanner[18521]: Scanned 100 messages, 1291793 bytes in 11 seconds Jan 9 16:35:57 
uadspa01 mailscanner[18521]: Scanning 100 messages, 3287604 bytes Jan 9 16:36:05 uadspa01 mailscanner[18521]: Scanned 100 messages, 3287604 bytes in 8 seconds Jan 9 16:36:07 uadspa01 mailscanner[18521]: Scanning 33 messages, 772701 bytes Jan 9 16:36:08 uadspa01 mailscanner[18521]: Scanned 33 messages, 772701 bytes in 1 seconds Jan 9 16:36:19 uadspa01 mailscanner[18521]: Scanning 1 messages, 5277 bytes Jan 9 16:36:21 uadspa01 mailscanner[18521]: Scanned 1 messages, 5277 bytes in 2 seconds Jan 9 16:36:27 uadspa01 mailscanner[18521]: Scanning 1 messages, 4327 bytes Jan 9 16:36:27 uadspa01 mailscanner[18521]: Scanned 1 messages, 4327 bytes in 0 seconds Jan 9 16:36:32 uadspa01 mailscanner[18521]: Scanning 1 messages, 11562 bytes Jan 9 16:36:32 uadspa01 mailscanner[18521]: Scanned 1 messages, 11562 bytes in 0 seconds Jan 9 16:36:53 uadspa01 mailscanner[18521]: Scanning 1 messages, 2713 bytes Jan 9 16:36:55 uadspa01 mailscanner[18521]: Scanned 1 messages, 2713 bytes in 2 seconds Jan 9 16:37:10 uadspa01 mailscanner[18521]: Scanning 1 messages, 9386 bytes Jan 9 16:37:10 uadspa01 mailscanner[18521]: Scanned 1 messages, 9386 bytes in 0 seconds Jan 9 16:37:15 uadspa01 mailscanner[18521]: Scanning 1 messages, 3332 bytes Jan 9 16:37:15 uadspa01 mailscanner[18521]: Scanned 1 messages, 3332 bytes in 0 seconds Jan 9 16:37:20 uadspa01 mailscanner[18521]: Scanning 2 messages, 6956 bytes Jan 9 16:37:20 uadspa01 mailscanner[18521]: Scanned 2 messages, 6956 bytes in 0 seconds Jan 9 16:37:25 uadspa01 mailscanner[18521]: Scanning 4 messages, 16826 bytes Jan 9 16:37:26 uadspa01 mailscanner[18521]: Scanned 4 messages, 16826 bytes in 1 seconds Jan 9 16:37:31 uadspa01 mailscanner[18521]: Scanning 2 messages, 8660 bytes Jan 9 16:37:31 uadspa01 mailscanner[18521]: Scanned 2 messages, 8660 bytes in 0 seconds Jan 9 16:37:36 uadspa01 mailscanner[18521]: Scanning 4 messages, 35121 bytes Jan 9 16:37:36 uadspa01 mailscanner[18521]: Scanned 4 messages, 35121 bytes in 0 seconds Jan 9 16:37:42 uadspa01 
mailscanner[18521]: Scanning 3 messages, 14442 bytes Jan 9 16:37:42 uadspa01 mailscanner[18521]: Scanned 3 messages, 14442 bytes in 0 seconds Jan 9 16:37:47 uadspa01 mailscanner[18521]: Scanning 5 messages, 22115 bytes Jan 9 16:37:47 uadspa01 mailscanner[18521]: Scanned 5 messages, 22115 bytes in 0 seconds Jan 9 16:37:52 uadspa01 mailscanner[18521]: Scanning 1 messages, 3397 bytes Jan 9 16:37:52 uadspa01 mailscanner[18521]: Scanned 1 messages, 3397 bytes in 0 seconds Jan 9 16:37:57 uadspa01 mailscanner[18521]: Scanning 2 messages, 23587 bytes Jan 9 16:37:58 uadspa01 mailscanner[18521]: Scanned 2 messages, 23587 bytes in 1 seconds Jan 9 16:37:58 uadspa01 mailscanner[18521]: Scanning 1 messages, 2942 bytes Jan 9 16:37:58 uadspa01 mailscanner[18521]: Scanned 1 messages, 2942 bytes in 0 seconds Jan 9 16:38:03 uadspa01 mailscanner[18521]: Scanning 2 messages, 6947 bytes Jan 9 16:38:03 uadspa01 mailscanner[18521]: Scanned 2 messages, 6947 bytes in 0 seconds Jan 9 16:38:08 uadspa01 mailscanner[18521]: Scanning 3 messages, 12991 bytes Jan 9 16:38:09 uadspa01 mailscanner[18521]: Scanned 3 messages, 12991 bytes in 1 seconds Jan 9 16:38:14 uadspa01 mailscanner[18521]: Scanning 3 messages, 13782 bytes Jan 9 16:38:14 uadspa01 mailscanner[18521]: Scanned 3 messages, 13782 bytes in 0 seconds Jan 9 16:38:19 uadspa01 mailscanner[18521]: Scanning 3 messages, 15573 bytes Jan 9 16:38:20 uadspa01 mailscanner[18521]: Scanned 3 messages, 15573 bytes in 1 seconds Jan 9 16:38:25 uadspa01 mailscanner[18521]: Scanning 6 messages, 69217 bytes Jan 9 16:38:25 uadspa01 mailscanner[18521]: Scanned 6 messages, 69217 bytes in 0 seconds Jan 9 16:38:35 uadspa01 mailscanner[18521]: Scanning 5 messages, 20344 bytes Jan 9 16:38:35 uadspa01 mailscanner[18521]: Scanned 5 messages, 20344 bytes in 0 seconds Jan 9 16:38:35 uadspa01 mailscanner[18521]: Scanning 1 messages, 2157 bytes Jan 9 16:38:36 uadspa01 mailscanner[18521]: Scanned 1 messages, 2157 bytes in 0 seconds Jan 9 16:38:41 uadspa01 
mailscanner[18521]: Scanning 1 messages, 2157 bytes Jan 9 16:38:41 uadspa01 mailscanner[18521]: Scanned 1 messages, 2157 bytes in 0 seconds Jan 9 16:38:46 uadspa01 mailscanner[18521]: Scanning 4 messages, 17190 bytes Jan 9 16:38:46 uadspa01 mailscanner[18521]: Scanned 4 messages, 17190 bytes in 0 seconds Jan 9 16:38:46 uadspa01 mailscanner[18521]: Scanning 1 messages, 4451 bytes From andrewh at CQG.COM Thu Jan 9 18:13:44 2003 From: andrewh at CQG.COM (Andrew M. Hoying) Date: Thu Jan 12 21:16:54 2006 Subject: [SAtalk] RE: OT: Dynamically updating /etc/mail/access Message-ID: <8A6DFB0865502242A29E25BDAEFBB9451ABE9D@d2sexchtest.cqg.com> They don't get individual email addresses like this list does. And you can't tailor them for your environment. They are too bold, often, or not bold enough, in their blocking. Andrew > -----Original Message----- > From: Steve Thomas [mailto:sthomas@apexvoice.com] > Sent: Thursday, January 09, 2003 11:02 AM > To: Andrew M. Hoying; MailScanner mailing list > Cc: SpamAssassin Users' list > Subject: RE: [SAtalk] RE: OT: Dynamically updating /etc/mail/access > > > Isn't that the point of DNS RBLs? > > | -----Original Message----- > | 
From: spamassassin-talk-admin@lists.sourceforge.net > | [mailto:spamassassin-talk-admin@lists.sourceforge.net]On Behalf Of > | Andrew M. Hoying > | Sent: Thursday, January 09, 2003 9:29 AM > | To: MailScanner mailing list > | Cc: SpamAssassin Users' list > | Subject: [SAtalk] RE: OT: Dynamically updating /etc/mail/access > | > | > | I'm including the spamassassin list in this because I think it is > | relevant there as well. Has anyone thought about starting > some kind of > | distributed (like razor and dcc) or community (like > spamassassin) based > | effort to build a near real time access list like this? > Obviously this > | list doesn't catch everything. If there was a way to submit > new items > | for the list to be reviewed and added by a large group of users, or > | automatically tested and added in some cases, I think it > could be even > | more effective. Not that I'm unhappy with 70-80% of spam > getting blocked > | by the current access list at my site, but more is always better. > > From Kevin.Spicer at BMRB.CO.UK Thu Jan 9 18:36:05 2003 From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin) Date: Thu Jan 12 21:16:55 2006 Subject: Spamassasin timing Out Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0A4ACFC@pascal.priv.bmrb.co.uk> Thats not like the logs I was getting, so I imagine this is a different problem (mine was a sequence like the following... MailScanner starts, detects 1400 messages, says 'scanning 100 messages', 'Found 16 spam messages'- and just did this every 2 minutes!). It looks like your mailscanner is scanning messages(?) Have you checked the headers of the stuck messages to see if mailscanner has altered them? > -----Original Message----- 
> From: Jason Cormie [mailto:j.cormie@ABERTAY.AC.UK]
> Sent: 09 January 2003 18:09
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: Spamassasin timing Out
>
>
> > What does your maillog say about it?
>
> When I restart mailscanner it comes up, sits at scanning first 100 messages
> then spamassassin times out
>
> mailscanner continues to run and eat processor and memory
>
> below is a segment of todays logs
> at 15:38 I started mailscanner up with spamassassin enabled
> at 16:35 I stopped it, waited a bit, started it without spamassassin
>

From mailscanner at ecs.soton.ac.uk Thu Jan 9 18:54:59 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:55 2006
Subject: spamassassin timeout - patch
In-Reply-To: <5.2.0.9.2.20030108230955.02cee468@imap.ecs.soton.ac.uk>
References:
Message-ID: <5.2.0.9.2.20030109185119.02042e90@imap.ecs.soton.ac.uk>

At 23:11 08/01/2003, you wrote:
>What I will endeavour to add to the next version is an improvement to the
>SA timeout code. So if SA times out lots of times in a row it will remove
>SA's ability to do RBL lookups. If that fixes the timeouts then it will
>carry on like that. If SA still times out after some more attempts, then it
>will kill SA completely.
>
>All this state is reset when MailScanner next does its auto restart in a
>few hours time.

I have attached a patch to implement this. From the comment in the code,
which explains it:

If we get maxfailures consecutive timeouts, then disable the
SpamAssassin RBL checks in an attempt to get it working again.
If it continues to time out for another maxfailures consecutive
attempts, then disable it completely.

The factor of 2 involved in this saves having to have a configuration
variable that is very hard to explain unless you have seen it in action, at
which point you understand it anyway :-)

Please can someone try it out and let me know if it works okay?
Hopefully this will make SpamAssassin much more robust when an RBL goes down.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: SA.pm.patch
Type: application/octet-stream
Size: 2943 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030109/4c3ceecd/SA.pm.obj
-------------- next part --------------
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From mailscanner-sub at WIREHUB.NET Thu Jan 9 19:54:23 2003
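The two-stage fallback described in the message above, modelled as a small state machine. This is an added example in Python, not the attached SA.pm.patch or any MailScanner code: the class, method and field names are hypothetical, and the default of 10 is borrowed from the "consecutive failure 1 of 10" log line earlier in the thread. It assumes a successful run resets the consecutive count but does not re-enable RBL checks until the restart.

```python
from enum import Enum


class Mode(Enum):
    FULL = "SpamAssassin with RBL checks"
    NO_RBL = "SpamAssassin, RBL checks disabled"
    DISABLED = "SpamAssassin disabled"


class TimeoutFallback:
    """Hypothetical model of the fallback; not MailScanner's own code."""

    def __init__(self, max_failures=10):
        if max_failures < 1:
            raise ValueError("max_failures must be at least 1")
        self.max_failures = max_failures
        self.mode = Mode.FULL
        self.consecutive = 0   # consecutive timeouts in the current stage
        self.batches = 0       # batches seen so far
        self.unscored = 0      # batches delivered with no spam check at all
        self.events = []       # (batch number, text): what an operator should alert on

    def restart(self):
        """The periodic auto restart resets all fallback state."""
        self.mode = Mode.FULL
        self.consecutive = 0
        self.events.append((self.batches, "restart: back to " + Mode.FULL.value))

    def record(self, timed_out):
        """Record the outcome of one batch; return the mode for the next one."""
        self.batches += 1
        if self.mode is Mode.DISABLED:
            # SpamAssassin is no longer called, so mail passes unscored (fail-open).
            self.unscored += 1
            return self.mode
        if not timed_out:
            # Assumption: a success only breaks the run of consecutive failures;
            # a stage that was already dropped stays dropped until restart.
            self.consecutive = 0
            return self.mode
        self.consecutive += 1
        if self.consecutive >= self.max_failures:
            # First threshold drops the RBL lookups, the second drops SA itself,
            # which is the "factor of 2" with a single maxfailures setting.
            self.mode = Mode.NO_RBL if self.mode is Mode.FULL else Mode.DISABLED
            self.consecutive = 0
            self.events.append((self.batches, "degraded to " + self.mode.value))
        return self.mode


def replay(outcomes, max_failures=10):
    """Replay a constructed outcome string: 'T' timeout, '.' success, 'R' restart."""
    fallback = TimeoutFallback(max_failures)
    for ch in outcomes:
        if ch == "R":
            fallback.restart()
        elif ch == "T" or ch == ".":
            fallback.record(ch == "T")
        else:
            raise ValueError("unknown outcome %r" % ch)
    return fallback


if __name__ == "__main__":
    # Constructed sequence: an RBL outage, a partial recovery, then more timeouts.
    run = replay("TTT" + ".." + "TTT" + "...", max_failures=3)
    print(run.mode.value, "| unscored batches:", run.unscored)
    for batch, text in run.events:
        print("batch", batch, text)
```

The `events` and `unscored` fields mark the points worth monitoring: once the second threshold is crossed, every batch until the next restart is delivered without spam scoring.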
From: mailscanner-sub at WIREHUB.NET (Ben C. O. Grimm)
Date: Thu Jan 12 21:16:55 2006
Subject: OT: Dynamically updating /etc/mail/access
In-Reply-To:
References:
Message-ID:

On 9 Jan 2003 18:29:40 +0100, "Andrew M. Hoying" wrote:

> I'm including the spamassassin list in this because I think it is
> relevant there as well. Has anyone thought about starting some kind of
> distributed (like razor and dcc) or community (like spamassassin) based
> effort to build a near real time access list like this? Obviously this
> list doesn't catch everything. If there was a way to submit new items
> for the list to be reviewed and added by a large group of users, or
> automatically tested and added in some cases, I think it could be even
> more effective. Not that I'm unhappy with 70-80% of spam getting blocked
> by the current access list at my site, but more is always better.

We get about 50-100 spam samples every day (we don't need more, thanks ..)
and use them to update our lists. Please note that this list only handles
1/3 of our spam filters. The blackholes.wirehub.net DNSBL is just as
important.

Both databases have a degree of 'self-learning'. Hits on the address/domain
blocks find their way into the IP-based blockers (when a pattern emerges),
and new spamming domains from already listed IPs get added to the spamlist.

Any of the blockers will get you a nice result; combining them is the way
to go.

--
- Ben C. O. Grimm ----------------- Ben.Grimm@wirehub.net -
- Wirehub! Internet Engineering - http://www.wirehub.net/ -
- Private Ponderings ----------- http://www.bengrimm.net/ -
- Wirehub! Internet ----------- part of easynet Group plc -

From mailscanner-sub at WIREHUB.NET Thu Jan 9 20:13:29 2003
From: mailscanner-sub at WIREHUB.NET (Ben C. O. Grimm)
Date: Thu Jan 12 21:16:55 2006
Subject: Reviving an old idea about renaming forbidden extensions
In-Reply-To:
References:
Message-ID:

Almost a year ago (Jan 2002), I sent a mail to Julian with the following
suggestion:

>I would like to make the following suggestion with regards to
>'forbidden extensions'. There are currently two options: ban them if
>they're on the list, or allow them if they do not contain a virus.
>How about a third option: rename the file (if it does not contain a
>known virus, of course) to make it not immediately executable, for
>instance by replacing .ext with ~ext and adding an explanatory line
>like 'MailScanner changed filename.pif to filename~pif to prevent
>immediate execution; shortcuts to (&etc) are dangerous, so be very
>cautious about renaming the file and executing it.' Or something
>like that. Some people actually send virus-free files with .pif and
>.reg extension through our servers ... they're not too happy ..

I implemented the .exe restriction about three days ago, and the sun
doesn't shine anymore over here. I had to let it go, even though I'm fully
opposed to sending directly executable content through email. Lots of users
(mainly businesses in our case) were severely hindered by this restriction,
and even though I'm as BOFH as they come, frustrating clients' mailflow is
not on my priority list (well, not in the top 10 at the moment).

I do see the need to 'treat' extensions like 'exe' though, and adding the
'rewrite' option (and the proposed functionality) to the
filenames.rules.conf would be the best of both worlds. For example,
renaming an attachment from file.exe to file.~exe or file.exe~ (the latter
sounds easier, you can anchor to $) would a) show the original extension on
'platforms' that have a tendency to hide them (happily exploited by the
virus.jpg.scr type virus) b) leave the file untouched, but you have to
actively rename and execute it to run it. Of course, MailScanner will
include a warning and a short explanation as to why and how. Best of both
worlds, it seems. People get their files, and they can't say they weren't
informed about the risks.

Of course, the primary goal is to intercept new viruses that are not in the
DAT files yet (or at least to inform recipients of that possibility), but
maintaining the lowest level of impact regarding those who have to send
this kind of content using email. I may even start ordering MailScanner
goodies.

--
- Ben C. O. Grimm ----------------- Ben.Grimm@wirehub.net -
- Wirehub! Internet Engineering - http://www.wirehub.net/ -
- Private Ponderings ----------- http://www.bengrimm.net/ -
- Wirehub! Internet ----------- part of easynet Group plc -

From mailscanner at ecs.soton.ac.uk Thu Jan 9 20:20:19 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:55 2006 Subject: Reviving an old idea about renaming forbidden extensions In-Reply-To: References: Message-ID: <5.2.0.9.2.20030109201943.02869090@imap.ecs.soton.ac.uk> Good idea. I'll take a look, but no promises. At 20:13 09/01/2003, you wrote: >Almost a year ago (Jan 2002), I sent a mail to Julian with the following >suggestion: > > >I would like to make the following suggestion with regards to > >'forbidden extensions'. There are currently two options: ban them if > >they're on the list, or allow them if they do not contain a virus. > >How about a third option: rename the file (if it does not contain a > >known virus, of course) to make it not immediately executable, for > >instance by replacing .ext with ~ext and adding an explanatory line > >like 'MailScanner changed filename.pif to filename~pif to prevent > >immediate execution; shortcuts to (&etc) are dangerous, so be very > >cautious about renaming the file and executing it.' Or something > >like that. Some people actually send virus-free files with .pif and > >.reg extension through our servers ... they're not too happy .. > >I implemented the .exe restriction about three days ago, and the sun >doesn't shine anymore over here. I had to let it go, even though I'm fully >opposed to sending directly executable content through email. Lots of users >(mainly businesses in our case) were severely hindered by this restriction, >and even though I'm as BOFH as they come, frustrating clients' mailflow is >not on my priority list (well, not in the top 10 at the moment). > >I do see the need to 'treat' extensions like 'exe' though, and adding the >'rewrite' option (and the proposed functionality) to the >filenames.rules.conf would be the best of both worlds. 
For example, >renaming an attachment from file.exe to file.~exe or file.exe~ (the latter >sounds easier, you can anchor to $) would a) show the original extension on >'platforms' that have a tendency to hide them (happily exploited by the >virus.jpg.scr type virus) b) leave the file untouched, but you have to >actively rename and execute it to run it. Of course, MailScanner will >include a warning and a short explanation as to why and how. Best of both >worlds, it seems. People get their files, and they can't say they weren't >informed about the risks. > >Of course, the primary goal is to intercept new viruses that are not in the >DAT files yet (or at least to inform recipients of that possibility), but >maintaining the lowest level of impact regarding those who have to send >this kind of content using email. I may even start ordering MailScanner >goodies. > >-- >- Ben C. O. Grimm ----------------- Ben.Grimm@wirehub.net - >- Wirehub! Internet Engineering - http://www.wirehub.net/ - >- Private Ponderings ----------- http://www.bengrimm.net/ - >- Wirehub! Internet ----------- part of easynet Group plc - -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From mbowman at UDCOM.COM Thu Jan 9 20:20:27 2003 From: mbowman at UDCOM.COM (Matthew Bowman) Date: Thu Jan 12 21:16:55 2006 Subject: Reviving an old idea about renaming forbidden extensions In-Reply-To: Message-ID: On the same topic What about accepted filenames regardless of extensions. For example if we wanted to receive send and email that has the same filename attachment like projects.exe (archived zip) that contains documents, demos, presentations etc? Would it be possible to cater for that. Or simply if the domain is 'whitelisted', ignore filename.rules altogether? Matthew From mailscanner at BARENDSE.TO Thu Jan 9 20:27:34 2003 
From: mailscanner at BARENDSE.TO (Remco Barendse)
Date: Thu Jan 12 21:16:55 2006
Subject: Reviving an old idea about renaming forbidden extensions
In-Reply-To:
Message-ID:

Is whitelisting by domain really a good idea? If you want to whitelist a
domain it means you'll regularly receive mail from them. You would need to
trust all of the users in the foreign domain to not send/open any viruses
to your site!

And chances are that viruses come in from people you communicate with, not
from strangers.

On Thu, 9 Jan 2003, Matthew Bowman wrote:

> On the same topic
>
> What about accepted filenames regardless of extensions.
>
> For example if we wanted to receive send and email that has the same
> filename attachment like projects.exe (archived zip) that contains
> documents, demos, presentations etc? Would it be possible to cater for
> that. Or simply if the domain is 'whitelisted', ignore filename.rules
> altogether?
>
> Matthew
>

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From mailscanner-sub at WIREHUB.NET Thu Jan 9 20:31:33 2003
From: mailscanner-sub at WIREHUB.NET (Ben C. O. Grimm)
Date: Thu Jan 12 21:16:55 2006
Subject: OT: Dynamically updating /etc/mail/access
In-Reply-To:
References:
Message-ID:

On 8 Jan 2003 17:02:56 +0100, "Andrew M. Hoying" wrote:

> I implemented this and a few other things in a script and now we are
> blocking 80% of incoming spam without having to bother MailScanner or
> SpamAssassin with processing it.

By the way: you can add IP checking as well, by adding the LHS of
http://basic.wirehub.nl/blockedIPs.txt and a RHS of REJECT (or an error
message of your choice) to your access.db. That is how it used to work over
here before we moved IP blocking to a DNSBL.

Something like

  fetch -m http://basic.wirehub.nl/blockedIPs.txt
  awk '{print $1" REJECT"}' < blockedIPs.txt >> access (*)

and hashing it to an access.db is all you need, really.

(*) of course, '>' or '>>' depends on the order in which you create the
access file, and where you start adding stuff to it)

The file is not yet available through rsync, but making it available is not
too hard, of course.

--
- Ben C. O. Grimm ----------------- Ben.Grimm@wirehub.net -
- Wirehub! Internet Engineering - http://www.wirehub.net/ -
- Private Ponderings ----------- http://www.bengrimm.net/ -
- Wirehub! Internet ----------- part of easynet Group plc -

From mailscanner at BARENDSE.TO Thu Jan 9 20:36:19 2003
From: mailscanner at BARENDSE.TO (Remco Barendse) Date: Thu Jan 12 21:16:55 2006 Subject: Orphaned, undelivered files in mqueue.in In-Reply-To: <5.2.0.9.2.20030109172953.02a9c0d0@imap.ecs.soton.ac.uk> Message-ID: The thought crossed my mind, and it may not even be unlikely. I think I found the cause of the problem. The time stamp of the orphaned files is about the same as these messages in the maillog: Jan 9 21:20:15 raveon MailScanner[30971]: MailScanner child caught a SIGHUP Jan 9 21:20:15 raveon MailScanner[30946]: MailScanner child caught a SIGHUP Jan 9 21:20:25 raveon sendmail[31137]: alias database /etc/aliases rebuilt by root Jan 9 21:20:25 raveon sendmail[31137]: /etc/aliases: 66 aliases, longest 10 bytes, 658 bytes total Jan 9 21:20:25 raveon sendmail[31146]: starting daemon (8.12.5): SMTP Jan 9 21:20:25 raveon sendmail[31151]: starting daemon (8.12.5): queueing@00:15:00 Jan 9 21:20:26 raveon MailScanner[31162]: MailScanner Jan 9 21:20:27 raveon MailScanner[31162]: MailScanner E-Mail Virus Scanner version 4.11-1 starting... Jan 9 21:20:28 raveon MailScanner[31162]: Using locktype = flock But.... no reference to receiving any e-mail. I think sendmail is in the process of receiving the e-mail, which is not finished, hence no entry in the maillog and then MailScanner kills and restarts sendmail?? Or does the sighup mean that something has crashed? I seem to have an awful lot of those :( Every 5 minutes!!!! If the sender's connection isn't all that fast it is very well possible that the mail transfer indeed gets killed before transmission is completed. I never had this SIGHUP problem with 4.10? On Thu, 9 Jan 2003, Julian Field wrote: > It is possible that you merely got them for non-MailScanner related > problems, such as an SMTP client getting cut off half way through sending a > message. Sorry if that sounds like I'm passing the buck... > > At 17:17 09/01/2003, you wrote: > >This was the first thing I have checked. 
I took different parts of the > >numbers of these df files and grepped the maillog for it. Strangely enough > >I cannot find them. Also when browsing through the maillog and looking > >around the same date/time as these orphaned files in some cases there > >isn't any message whatsoever of mail being delivered / received. > > > >I have about 10 orphaned files in the mqueue.in, none in the outdir and > >they are all from yesterday and this morning. I know for sure that I > >didn't restart MailScanner last night or this morning. It's hardly > >possible that MailScanner would restart itself at exactly the same time as > >these 10 e-mails in 1,5 day? (This is a very low volume home server). > > > >On Thu, 9 Jan 2003, Julian Field wrote: > > > > > At 16:08 09/01/2003, you wrote: > > > >Ever since I upgraded to MailScanner 4.11-1 yesterday I have several > > > >orphaned files that are piling up in mqueue.in > > > > > > > >The only files sitting there are the df files, without any other files. > > > >Also these messages have never been delivered to the intended recipient. > > > > > > > >Any ideas?? > > > > > > > >Can I still get these df files delivered or extract them to make them > > > >readable? > > > > > > Check both your /var/spool/mqueue and your maillog to see if the message > > > ids have already been delivered (or at least placed in the outgoing queue). > > > > > > I thought I had fixed this in 4.11, but obviously not well enough. > > > > > > Do the times on the files correspond to times when you have done a > > > MailScanner "reload" or "restart"? > > > -- > > > Julian Field > > > www.MailScanner.info > > > MailScanner thanks transtec Computers for their support > > > > > > > > > > > >-- > >This message has been scanned for viruses and > >dangerous content by MailScanner, and is > >believed to be clean. 
> > -- > Julian Field > www.MailScanner.info > MailScanner thanks transtec Computers for their support > > -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From mbowman at UDCOM.COM Thu Jan 9 20:45:43 2003 
From: mbowman at UDCOM.COM (Matthew Bowman) Date: Thu Jan 12 21:16:55 2006 Subject: Reviving an old idea about renaming forbidden extensions In-Reply-To: Message-ID: >Is whitelisting by domain really a good idea? If you want to whitelist a >domain it means you'll regularly receive mail from them. It's my preference purely for ease of administration and it's less hassle. Our own domains are whitelisted (From:) and a couple of external ones e.g. travelocity.com, weather.com. There is a potential risk but I am keeping on top of all inbound and outbound e-mail to stop potential chaos. >You would need to trust all of the users in the foreign domain to not >send/open any viruses to your site! And chances are that viruses come in >from people you communicate with, not from strangers. All outbound e-mail is scanned with Symantec AV 8.0 for Lotus Notes since we are all on a Domino Server. Outbound attachments from our local domains with .exe extensions are rare, however from time to time some of our departments need to send out files with .exe extensions. Rather than changing the rule to Allow .exe, restarting MailScanner, having them send out the e-mail, change the rule, restart mailscanner every time I would be interested in having other 'options' within MailScanner to allow .exe's to go to certain email addresses with minimal intervention. Matthew Remco Barendse cc: Sent by: Subject: Re: Reviving an old idea about renaming forbidden extensions MailScanner mailing list 01/09/2003 03:27 PM Please respond to MailScanner mailing list Is whitelisting by domain really a good idea? If you want to whitelist a domain it means you'll regularly receive mail from them. You would need to trust all of the users in the foreign domain to not send/open any viruses to your site! And chances are that viruses come in from people you communicate with, not from strangers. On Thu, 9 Jan 2003, Matthew Bowman wrote: > On the same topic > > What about accepted filenames regardless of extensions. 
> > For example if we wanted to receive send and email that has the same > filename attachment like projects.exe (archived zip) that contains > documents, demos, presentations etc? Would it be possible to cater for > that. Or simply if the domain is 'whitelisted', ignore filename.rules > altogether? > > Matthew > -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From ivan at NUCCI.COM.BR Thu Jan 9 20:49:28 2003 
From: ivan at NUCCI.COM.BR (Ivan Mirisola) Date: Thu Jan 12 21:16:55 2006 Subject: clamav References: Message-ID: <3E1DE058.7010700@nucci.com.br> Hi List, It's always good news to hear about people using clamav. I am using it for a while with no problems. I use clamav-0.54-2, an RPM compilation built under the PLD distribution (www.pld.org.pl), on a Red-Hat compatible distribution called Conectiva Linux 8.0 (a Brazilian distributor). It should install just fine on any Red Hat System. I had tested clamav with a series of viruses I found on the net and it went pretty well - caught all of them. All except one I don't recall the name. But it was a mistake made on the virus database by the OpenAntiVirus Project people. Since then they fixed the database and clamav started to catch that virus. Anyway, the virus was an old one and it was not really spreading around. I don't use any other anti-virus software since it's not really an area I am responsible for. I think people should be well prepared not to get their systems infected as new viruses appear faster than their vaccines. I am not really worried about viruses anymore as MailScanner takes it to a next level of security. No more EXE or double extension files go through my system and viruses get stopped before the anti-virus system kicks in action. In fact, I don't see a real reason why this software should be treated as UNSUPPORTED by MailScanner. Anyone has any comments about this? Regards --- Ivan Gavin Nelmes-Crocker wrote: >>Is anyone using clamav with their MailScanner installation - if so, how >>good is it? Is there any reason why I should not get it. 
>> >>I'm running:- >> >>Redhat 7.3 >>sendmail 8.11.6-3 >>MailScanner 4.10-1 >>SpamAssassin 2.43 >> >> >> >No reason not to use it except for the caveat that it still has an >unsupported status with MailScanner code but saying that its running very >well on our live system along with Sophos and F-prot so far it hasn't missed >anything that the others have found - it was a bit flaky a while ago when we >were running a test suite but we joined the clamav mailing list and soon saw >others having similar problems and the virus database got cleaned up. > >I have an rpm for it for a Cobalt box should work on plain Red Hat as well >but no promises. > >Regards > >Gavin > > >-- >This message has been scanned for viruses and dangerous content >by the Netergy Virus Spam Defence, and is believed to be clean. >For details on having your email scanned email nvsd@netergy.com > > From mailscanner at BARENDSE.TO Thu Jan 9 21:10:06 2003 
From: mailscanner at BARENDSE.TO (Remco Barendse) Date: Thu Jan 12 21:16:55 2006 Subject: Orphaned, undelivered files in mqueue.in In-Reply-To: Message-ID: Oops! Correct that, I have checked my logs and it started on January 4th on 23:59 up until now. I didn't really change anything in the config/setup, only yesterday I upgraded to 4.11 and started tweaking some rulesets. The strange thing is that these SIGHUPS are logged *exactly* every 5 minutes, usually no more than 2 seconds off! Hmmmm, I haven't seen any SIGHUPS now for more than 15 minutes. Because the log mentions MailScanner *child* I raised my number of Max Children = setting in the MailScanner.conf file. My setting was 2, I changed it back to 5 again (I don't need 5 child processes running on a home server, together with SpamAssassin they are just munching up huge amounts of mem/cpu in case several messages arrive at the same time). Is there an internal check in MailScanner that checks on the child processes that may be bugged or hard coded for 5 child processes and kills the lot off if there's only 2 instances of MS running? On Thu, 9 Jan 2003, Remco Barendse wrote: > The thought crossed my mind, and it may not even be unlikely. I think I > found the cause of the problem. 
The time stamp of the orphaned files is > about the same as these messages in the maillog: > Jan 9 21:20:15 raveon MailScanner[30971]: MailScanner child caught a > SIGHUP > Jan 9 21:20:15 raveon MailScanner[30946]: MailScanner child caught a > SIGHUP > Jan 9 21:20:25 raveon sendmail[31137]: alias database /etc/aliases > rebuilt by root > Jan 9 21:20:25 raveon sendmail[31137]: /etc/aliases: 66 aliases, longest > 10 bytes, 658 bytes total > Jan 9 21:20:25 raveon sendmail[31146]: starting daemon (8.12.5): SMTP > Jan 9 21:20:25 raveon sendmail[31151]: starting daemon (8.12.5): > queueing@00:15:00 > Jan 9 21:20:26 raveon MailScanner[31162]: MailScanner > Jan 9 21:20:27 raveon MailScanner[31162]: MailScanner E-Mail Virus > Scanner version 4.11-1 starting... > Jan 9 21:20:28 raveon MailScanner[31162]: Using locktype = flock > > But.... no reference to receiving any e-mail. I think sendmail is in the > process of receiving the e-mail, which is not finished, hence no entry in > the maillog and then MailScanner kills and restarts sendmail?? > > Or does the sighup mean that something has crashed? I seem to have an > awful lot of those :( > > Every 5 minutes!!!! > > If the sender's connection isn't all that fast it is very well possible > that the mail transfer indeed gets killed before transmission is > completed. > > I never had this SIGHUP problem with 4.10? > > On Thu, 9 Jan 2003, Julian Field wrote: > > > It is possible that you merely got them for non-MailScanner related > > problems, such as an SMTP client getting cut off half way through sending a > > message. Sorry if that sounds like I'm passing the buck... > > > > At 17:17 09/01/2003, you wrote: > > >This was the first thing I have checked. I took different parts of the > > >numbers of these df files and grepped the maillog for it. Strangely enough > > >I cannot find them. 
Also when browsing through the maillog and looking > > >around the same date/time as these orphaned files in some cases there > > >isn't any message whatsoever of mail being delivered / received. > > > > > >I have about 10 orphaned files in the mqueue.in, none in the outdir and > > >they are all from yesterday and this morning. I know for sure that I > > >didn't restart MailScanner last night or this morning. It's hardly > > >possible that MailScanner would restart itself at exactly the same time as > > >these 10 e-mails in 1,5 day? (This is a very low volume home server). > > > > > >On Thu, 9 Jan 2003, Julian Field wrote: > > > > > > > At 16:08 09/01/2003, you wrote: > > > > >Ever since I upgraded to MailScanner 4.11-1 yesterday I have several > > > > >orphaned files that are piling up in mqueue.in > > > > > > > > > >The only files sitting there are the df files, without any other files. > > > > >Also these messages have never been delivered to the intended recipient. > > > > > > > > > >Any ideas?? > > > > > > > > > >Can I still get these df files delivered or extract them to make them > > > > >readable? > > > > > > > > Check both your /var/spool/mqueue and your maillog to see if the message > > > > ids have already been delivered (or at least placed in the outgoing queue). > > > > > > > > I thought I had fixed this in 4.11, but obviously not well enough. > > > > > > > > Do the times on the files correspond to times when you have done a > > > > MailScanner "reload" or "restart"? > > > > -- > > > > Julian Field > > > > www.MailScanner.info > > > > MailScanner thanks transtec Computers for their support > > > > > > > > > > > > > > > > >-- > > >This message has been scanned for viruses and > > >dangerous content by MailScanner, and is > > >believed to be clean. 
> > > > -- > > Julian Field > > www.MailScanner.info > > MailScanner thanks transtec Computers for their support > > > > > > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From mailscanner at ecs.soton.ac.uk Thu Jan 9 21:22:40 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:55 2006 Subject: clamav In-Reply-To: <3E1DE058.7010700@nucci.com.br> References: Message-ID: <5.2.0.9.2.20030109212057.02000238@imap.ecs.soton.ac.uk> At 20:49 09/01/2003, you wrote: >In fact, I don't see a real reason why this software should be treated >as UNSUPPORTED by MailScanner. >Anyone has any comments about this? The only reason for that state is that I haven't had a chance to install it and test it thoroughly. I hope to offload a bunch of my current work responsibilities to someone else fairly soon (next month or so) so I will have a bit more time to work on MailScanner. I just don't have the time at the moment :-( -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Thu Jan 9 21:10:48 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:55 2006 Subject: Reviving an old idea about renaming forbidden extensions In-Reply-To: References: Message-ID: <5.2.0.9.2.20030109210635.02020500@imap.ecs.soton.ac.uk> At 20:45 09/01/2003, you wrote: >Rather than changing the rule to Allow .exe, restarting MailScanner, having >them send out the e-mail, change the rule, >restart mailscanner every time I would be interested in having other >'options' within MailScanner to allow .exe's to >go to certain email addresses with minimal intervention. You can do that already with a ruleset. In MailScanner.conf, set Filename Rules = /etc/MailScanner/rules/filename.rules In filename.rules, set 
From:     user1@domain.com /etc/MailScanner/filename.rules.allow.conf
To:       user2@other.com  /etc/MailScanner/filename.rules.allow.conf
FromOrTo: default          /etc/MailScanner/filename.rules.conf

Then make the first line of filename.rules.allow.conf to be

allow \.exe$ - -

Then *.exe attachments from user1@domain.com or to user2@other.com will be
allowed, but not for any other addresses.

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Thu Jan 9 21:19:43 2003
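A simplified model of the per-address filename ruleset described in the message above, added here as an illustration (Python written for this archive, not MailScanner's own code). It assumes that the first matching line wins in both files, that matching is case-insensitive, that unmatched filenames are allowed, and that the allow file is a copy of the default file with the allow line placed first; the deny lines in the default file are constructed sample content.

```python
import re

# Constructed inputs modelled on the thread. The deny lines in the default
# rules file are assumed sample content, not MailScanner's shipped rules.
DEFAULT_RULES = "deny \\.exe$ - -\ndeny \\.pif$ - -\n"
FILES = {
    "/etc/MailScanner/rules/filename.rules": (
        "From: user1@domain.com /etc/MailScanner/filename.rules.allow.conf\n"
        "To: user2@other.com /etc/MailScanner/filename.rules.allow.conf\n"
        "FromOrTo: default /etc/MailScanner/filename.rules.conf\n"
    ),
    "/etc/MailScanner/filename.rules.conf": DEFAULT_RULES,
    # "allow" goes on the first line so it is seen before the deny lines.
    "/etc/MailScanner/filename.rules.allow.conf": "allow \\.exe$ - -\n" + DEFAULT_RULES,
}


def parse_ruleset(text):
    """Return (direction, address, rules_file) tuples in file order."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        direction, address, target = line.split(None, 2)
        entries.append((direction.rstrip(":").lower(), address.lower(), target.strip()))
    return entries


def select_rules_file(entries, sender, recipient):
    """Pick the rules file of the first ruleset line that matches the message."""
    sender, recipient = sender.lower(), recipient.lower()
    for direction, address, target in entries:
        if address == "default":
            return target
        if direction in ("from", "fromorto") and address == sender:
            return target
        if direction in ("to", "fromorto") and address == recipient:
            return target
    return None


def parse_filename_rules(text):
    """Return (action, compiled_regex) pairs; log and report fields are ignored."""
    rules = []
    for line in text.splitlines():
        fields = line.split(None, 3)
        if len(fields) < 2 or fields[0].startswith("#"):
            continue
        # Case-insensitive matching is an assumption of this model.
        rules.append((fields[0].lower(), re.compile(fields[1], re.IGNORECASE)))
    return rules


def check_filename(rules, filename):
    """First matching rule decides; a name that matches nothing is allowed."""
    for action, pattern in rules:
        if pattern.search(filename):
            return action
    return "allow"


def decide(sender, recipient, filename):
    """Resolve the rules file for this sender/recipient, then test the name."""
    entries = parse_ruleset(FILES["/etc/MailScanner/rules/filename.rules"])
    rules_file = select_rules_file(entries, sender, recipient)
    if rules_file is None:
        return "allow"
    return check_filename(parse_filename_rules(FILES[rules_file]), filename)


if __name__ == "__main__":
    for case in [
        ("user1@domain.com", "someone@example.org", "setup.exe"),
        ("stranger@example.net", "user2@other.com", "setup.exe"),
        ("stranger@example.net", "someone@example.org", "setup.exe"),
        ("user1@domain.com", "someone@example.org", "shortcut.pif"),
        ("stranger@example.net", "someone@example.org", "file.exe~"),
    ]:
        print(case, "->", decide(*case))
```

In this model the exception is scoped to the two listed addresses and to `.exe` only: the other deny lines still apply to them, and a name such as `file.exe~` no longer matches a pattern anchored with `$`.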
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:55 2006 Subject: Orphaned, undelivered files in mqueue.in In-Reply-To: References: <5.2.0.9.2.20030109172953.02a9c0d0@imap.ecs.soton.ac.uk> Message-ID: <5.2.0.9.2.20030109211244.02061460@imap.ecs.soton.ac.uk> At 20:36 09/01/2003, you wrote: >The thought crossed my mind, and it may not even be unlikely. I think I >found the cause of the problem. The time stamp of the orphaned files is >about the same as these messages in the maillog: >Jan 9 21:20:15 raveon MailScanner[30971]: MailScanner child caught a >SIGHUP >Jan 9 21:20:15 raveon MailScanner[30946]: MailScanner child caught a >SIGHUP >Jan 9 21:20:25 raveon sendmail[31137]: alias database /etc/aliases >rebuilt by root >Jan 9 21:20:25 raveon sendmail[31137]: /etc/aliases: 66 aliases, longest >10 bytes, 658 bytes total >Jan 9 21:20:25 raveon sendmail[31146]: starting daemon (8.12.5): SMTP >Jan 9 21:20:25 raveon sendmail[31151]: starting daemon (8.12.5): >queueing@00:15:00 >Jan 9 21:20:26 raveon MailScanner[31162]: MailScanner >Jan 9 21:20:27 raveon MailScanner[31162]: MailScanner E-Mail Virus >Scanner version 4.11-1 starting... >Jan 9 21:20:28 raveon MailScanner[31162]: Using locktype = flock > >But.... no reference to receiving any e-mail. I think sendmail is in the >process of receiving the e-mail, which is not finished, hence no entry in >the maillog and then MailScanner kills and restarts sendmail?? > >Or does the sighup mean that something has crashed? I seem to have an >awful lot of those :( > >Every 5 minutes!!!! There is nothing in the code that would cause a SIGHUP every 5 minutes, something external must be causing that. The only time the parent process sends a SIGHUP to the children is when it is terminated with a "kill" command. I carefully added code to 4.11 so that these orphaned files would not be left behind. Can you just double-check you really have 4.11 and not 4.10 fragments anywhere? 
4.11 has a "deletes pending" list which it will execute if the process is HUP-ed during a "delete message" operation. So this really shouldn't happen any more.... >If the sender's connection isn't all that fast it is very well possible >that the mail transfer indeed gets killed before transmission is >completed. > >I never had this SIGHUP problem with 4.10? > >On Thu, 9 Jan 2003, Julian Field wrote: > > > It is possible that you merely got them for non-MailScanner related > > problems, such as an SMTP client getting cut off half way through sending a > > message. Sorry if that sounds like I'm passing the buck... > > > > At 17:17 09/01/2003, you wrote: > > >This was the first thing I have checked. I took different parts of the > > >numbers of these df files and grepped the maillog for it. Strangely enough > > >I cannot find them. Also when browsing through the maillog and looking > > >around the same date/time as these orphaned files in some cases there > > >isn't any message whatsoever of mail being delivered / received. > > > > > >I have about 10 orphaned files in the mqueue.in, none in the outdir and > > >they are all from yesterday and this morning. I know for sure that I > > >didn't restart MailScanner last night or this morning. It's hardly > > >possible that MailScanner would restart itself at exactly the same time as > > >these 10 e-mails in 1,5 day? (This is a very low volume home server). > > > > > >On Thu, 9 Jan 2003, Julian Field wrote: > > > > > > > At 16:08 09/01/2003, you wrote: > > > > >Ever since I upgraded to MailScanner 4.11-1 yesterday I have several > > > > >orphaned files that are piling up in mqueue.in > > > > > > > > > >The only files sitting there are the df files, without any other > files. > > > > >Also these messages have never been delivered to the intended > recipient. > > > > > > > > > >Any ideas?? > > > > > > > > > >Can I still get these df files delivered or extract them to make them > > > > >readable? 
> > > > > > > > Check both your /var/spool/mqueue and your maillog to see if the > message > > > > ids have already been delivered (or at least placed in the outgoing > queue). > > > > > > > > I thought I had fixed this in 4.11, but obviously not well enough. > > > > > > > > Do the times on the files correspond to times when you have done a > > > > MailScanner "reload" or "restart"? > > > > -- > > > > Julian Field > > > > www.MailScanner.info > > > > MailScanner thanks transtec Computers for their support > > > > > > > > > > > > > > > > >-- > > >This message has been scanned for viruses and > > >dangerous content by MailScanner, and is > > >believed to be clean. > > > > -- > > Julian Field > > www.MailScanner.info > > MailScanner thanks transtec Computers for their support > > > > > > >-- >This message has been scanned for viruses and >dangerous content by MailScanner, and is >believed to be clean. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Thu Jan 9 21:24:46 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:55 2006 Subject: Orphaned, undelivered files in mqueue.in In-Reply-To: References: Message-ID: <5.2.0.9.2.20030109212331.029cfeb8@imap.ecs.soton.ac.uk> At 21:10 09/01/2003, you wrote: >Is there an internal check in MailScanner that checks on the child >processes that may be bugged or hard coded for 5 child processes and kills >the lot off if there's only 2 instances of MS running? No. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From Kevin.Spicer at BMRB.CO.UK Thu Jan 9 22:00:04 2003 
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin) Date: Thu Jan 12 21:16:55 2006 Subject: FW: Reviving an old idea about renaming forbidden extensions Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0A32C1C@pascal.priv.bmrb.co.uk> It might be less irritating to users (and easier to understand) to zip the file rather than obfuscate the filename (although obviously more CPU intensive). The option to add text to the message explaining what has been done and how dangerous it is to execute unsolicited files may also prove attractive. (Not for me though I just block 'em!) On Thu, 2003-01-09 at 20:20, Julian Field wrote: Good idea. I'll take a look, but no promises. At 20:13 09/01/2003, you wrote: >Almost a year ago (Jan 2002), I sent a mail to Julian with the following >suggestion: > > >I would like to make the following suggestion with regards to > >'forbidden extensions'. There are currently two options: ban them if > >they're on the list, or allow them if they do not contain a virus. > >How about a third option: rename the file (if it does not contain a > >known virus, of course) to make it not immediately executable, for > >instance by replacing .ext with ~ext and adding an explanatory line > >like 'MailScanner changed filename.pif to filename~pif to prevent > >immediate execution; shortcuts to (&etc) are dangerous, so be very > >cautious about renaming the file and executing it.' Or something > >like that. Some people actually send virus-free files with .pif and > >.reg extension through our servers ... they're not too happy .. > >I implemented the .exe restriction about three days ago, and the sun >doesn't shine anymore over here. I had to let it go, even though I'm fully >opposed to sending directly executable content through email. Lots of users >(mainly businesses in our case) were severely hindered by this restriction, >and even though I'm as BOFH as they come, frustrating clients' mailflow is >not on my priority list (well, not in the top 10 at the moment). 
> >I do see the need to 'treat' extensions like 'exe' though, and adding the >'rewrite' option (and the proposed functionality) to the >filenames.rules.conf would be the best of both worlds. For example, >renaming an attachment from file.exe to file.~exe or file.exe~ (the latter >sounds easier, you can anchor to $) would a) show the original extension on >'platforms' that have a tendency to hide them (happily exploited by the >virus.jpg.scr type virus) b) leave the file untouched, but you have to >actively rename and execute it to run it. Of course, MailScanner will >include a warning and a short explanation as to why and how. Best of both >worlds, it seems. People get their files, and they can't say they weren't >informed about the risks. > >Of course, the primary goal is to intercept new viruses that are not in the >DAT files yet (or at least to inform recipients of that possibility), but >maintaining the lowest level of impact regarding those who have to send >this kind of content using email. I may even start ordering MailScanner >goodies. > >-- >- Ben C. O. Grimm ----------------- Ben.Grimm@wirehub.net - >- Wirehub! Internet Engineering - http://www.wirehub.net/ - >- Private Ponderings ----------- http://www.bengrimm.net/ - >- Wirehub! Internet ----------- part of easynet Group plc - -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From mailscanner-sub at WIREHUB.NET Thu Jan 9 22:28:29 2003 
From: mailscanner-sub at WIREHUB.NET (Ben C. O. Grimm) Date: Thu Jan 12 21:16:55 2006 Subject: FW: Reviving an old idea about renaming forbidden extensions In-Reply-To: References: Message-ID: On 9 Jan 2003 23:02:04 +0100, "Spicer, Kevin" wrote: > It might be less irritating to users (and easier to understand) to zip > the file rather than obfuscate the filename Suggesting to people to zip those files proved counterproductive. Most people were already sending self-extracting archives and some of these archives are automatically produced and distributed (software updates, patches, stuff like that). The 'zip solution' simply does not apply in all cases. Suggesting it didn't get me anywhere. > The option to add text to the message explaining what has > been done and how dangerous it is to execute unsolicited files may also > prove attractive. That's the solution I'm aiming for. Renaming a file by simply stripping off an added character is probably more acceptable (and not too hard). While on the subject (, Julian): I mailed a file with the name file.exe~ (yes, with a trailing tilde). It still got rejected by the exe rule .. even though the file shouldn't match exe$ in the ruleset .. -- - Ben C. O. Grimm ----------------- Ben.Grimm@wirehub.net - - Wirehub! Internet Engineering - http://www.wirehub.net/ - - Private Ponderings ----------- http://www.bengrimm.net/ - - Wirehub! Internet ----------- part of easynet Group plc - From mailscanner at BARENDSE.TO Thu Jan 9 22:31:53 2003 
From: mailscanner at BARENDSE.TO (Remco Barendse) Date: Thu Jan 12 21:16:55 2006 Subject: Orphaned, undelivered files in mqueue.in In-Reply-To: <5.2.0.9.2.20030109211244.02061460@imap.ecs.soton.ac.uk> Message-ID: Yes, I really have only 4.11-1 running. Strangely enough, immediately after increasing the Max Children = setting back to 5 the problem disappeared and I had not had a single SIGHUP since! That is the only thing I changed and immediately solved the problem. On Thu, 9 Jan 2003, Julian Field wrote: > At 20:36 09/01/2003, you wrote: > >The thought crossed my mind, and it may not even be unlikely. I think I > >found the cause of the problem. The time stamp of the orphaned files is > >about the same as these messages in the maillog: > >Jan 9 21:20:15 raveon MailScanner[30971]: MailScanner child caught a > >SIGHUP > >Jan 9 21:20:15 raveon MailScanner[30946]: MailScanner child caught a > >SIGHUP > >Jan 9 21:20:25 raveon sendmail[31137]: alias database /etc/aliases > >rebuilt by root > >Jan 9 21:20:25 raveon sendmail[31137]: /etc/aliases: 66 aliases, longest > >10 bytes, 658 bytes total > >Jan 9 21:20:25 raveon sendmail[31146]: starting daemon (8.12.5): SMTP > >Jan 9 21:20:25 raveon sendmail[31151]: starting daemon (8.12.5): > >queueing@00:15:00 > >Jan 9 21:20:26 raveon MailScanner[31162]: MailScanner > >Jan 9 21:20:27 raveon MailScanner[31162]: MailScanner E-Mail Virus > >Scanner version 4.11-1 starting... > >Jan 9 21:20:28 raveon MailScanner[31162]: Using locktype = flock > > > >But.... no reference to receiving any e-mail. I think sendmail is in the > >process of receiving the e-mail, which is not finished, hence no entry in > >the maillog and then MailScanner kills and restarts sendmail?? > > > >Or does the sighup mean that something has crashed? I seem to have an > >awful lot of those :( > > > >Every 5 minutes!!!! > > There is nothing in the code that would cause a SIGHUP every 5 minutes, > something external must be causing that. 
The only time the parent process > sends a SIGHUP to the children is when it is terminated with a "kill" command. > > I carefully added code to 4.11 so that these orphaned files would not be > left behind. Can you just double-check you really have 4.11 and not 4.10 > fragments anywhere? 4.11 has a "deletes pending" list which it will execute > if the process is HUP-ed during a "delete message" operation. So this > really shouldn't happen any more.... > > >If the sender's connection isn't all that fast it is very well possible > >that the mail transfer indeed gets killed before transmission is > >completed. > > > >I never had this SIGHUP problem with 4.10? > > > >On Thu, 9 Jan 2003, Julian Field wrote: > > > > > It is possible that you merely got them for non-MailScanner related > > > problems, such as an SMTP client getting cut off half way through sending a > > > message. Sorry if that sounds like I'm passing the buck... > > > > > > At 17:17 09/01/2003, you wrote: > > > >This was the first thing I have checked. I took different parts of the > > > >numbers of these df files and grepped the maillog for it. Strangely enough > > > >I cannot find them. Also when browsing through the maillog and looking > > > >around the same date/time as these orphaned files in some cases there > > > >isn't any message whatsoever of mail being delivered / received. > > > > > > > >I have about 10 orphaned files in the mqueue.in, none in the outdir and > > > >they are all from yesterday and this morning. I know for sure that I > > > >didn't restart MailScanner last night or this morning. It's hardly > > > >possible that MailScanner would restart itself at exactly the same time as > > > >these 10 e-mails in 1,5 day? (This is a very low volume home server). 
> > > > > > > >On Thu, 9 Jan 2003, Julian Field wrote: > > > > > > > > > At 16:08 09/01/2003, you wrote: > > > > > >Ever since I upgraded to MailScanner 4.11-1 yesterday I have several > > > > > >orphaned files that are piling up in mqueue.in > > > > > > > > > > > >The only files sitting there are the df files, without any other > > files. > > > > > >Also these messages have never been delivered to the intended > > recipient. > > > > > > > > > > > >Any ideas?? > > > > > > > > > > > >Can I still get these df files delivered or extract them to make them > > > > > >readable? > > > > > > > > > > Check both your /var/spool/mqueue and your maillog to see if the > > message > > > > > ids have already been delivered (or at least placed in the outgoing > > queue). > > > > > > > > > > I thought I had fixed this in 4.11, but obviously not well enough. > > > > > > > > > > Do the times on the files correspond to times when you have done a > > > > > MailScanner "reload" or "restart"? > > > > > -- > > > > > Julian Field > > > > > www.MailScanner.info > > > > > MailScanner thanks transtec Computers for their support > > > > > > > > > > > > > > > > > > > > > >-- > > > >This message has been scanned for viruses and > > > >dangerous content by MailScanner, and is > > > >believed to be clean. > > > > > > -- > > > Julian Field > > > www.MailScanner.info > > > MailScanner thanks transtec Computers for their support > > > > > > > > > > > >-- > >This message has been scanned for viruses and > >dangerous content by MailScanner, and is > >believed to be clean. > > -- > Julian Field > www.MailScanner.info > MailScanner thanks transtec Computers for their support > > -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From Kevin.Spicer at BMRB.CO.UK Thu Jan 9 22:45:22 2003 
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin)
Date: Thu Jan 12 21:16:55 2006
Subject: FW: Reviving an old idea about renaming forbidden extensions
Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0A4ACFD@pascal.priv.bmrb.co.uk>

> > It might be less irritating to users (and easier to understand) to zip
> > the file rather than obfuscate the filename
>
> Suggesting to people to zip those files proved counterproductive. Most
> people were already sending self-extracting archives and some of these
> archives are automatically produced and distributed (software updates,
> patches, stuff like that). The 'zip solution' simply does not apply in all
> cases. Suggesting it didn't get me anywhere.

Sorry I think you thought I meant users should zip the files. I actually meant maybe MailScanner could have an option to zip offending files. Maybe along the lines of the existing spam actions you could have a series of 'blocked attachment actions' eg. obfuscate-filename, zip, deliver, delete etc. You'd probably want the ability to change this for different extensions so I guess this would be another field in filename.rules.conf?

Sorry if I wasn't clear enough.

From Kevin.Spicer at BMRB.CO.UK Thu Jan 9 23:05:26 2003
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin)
Date: Thu Jan 12 21:16:55 2006
Subject: clamav
Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0A32C1E@pascal.priv.bmrb.co.uk>

> At 20:49 09/01/2003, you wrote:
> >In fact, I don't see a real reason why this software should be treated
> >as UNSUPPORTED by MailScanner.
> >Anyone has any comments about this?

I've just added it to my home MailScanner (using fprot and clam now) using the Mandrake rpms (from Cooker). Seems to work fine, except I had to edit clamav-autoupdate and clamav-wrapper because it was installed in /usr rather than /usr/local by the rpm's. I'm hesitating to put it on my work box because I'd like to know if there are any other potential risks from changing the minimum code status on a production server. Frankly I'd be surprised if it caught anything Sophos didn't but you never know!

It would be nice if the virus reports indicated which virus scanner had identified the virus.

From mailscanner-sub at WIREHUB.NET Thu Jan 9 23:30:15 2003
From: mailscanner-sub at WIREHUB.NET (Ben C. O. Grimm)
Date: Thu Jan 12 21:16:55 2006
Subject: FW: Reviving an old idea about renaming forbidden extensions
In-Reply-To:
References:
Message-ID:

On 9 Jan 2003 23:47:13 +0100, "Spicer, Kevin" wrote:

> > > It might be less irritating to users (and easier to
> > > understand) to zip
> > > the file rather than obfuscate the filename
> > Suggesting to people to zip those files proved counterproductive.[..]
> Sorry I think you thought I meant users should zip the files.

Um, yes, I did ..

> I actually meant maybe MailScanner could have an option to zip offending files. Maybe along the lines of the existing spam actions you could have a series of 'blocked attachment actions' eg. obfuscate-filename, zip, deliver, delete etc. You'd probably want the ability to change this for different extensions so I guess this would be another field in filename.rules.conf?

Some people don't have any (de)compression software at all or don't understand the file format at all ... some companies may not want to buy 50 WinZip licenses .... So this may prove to be just as arbitrary as downright refusing the file. Just passing the file along with a small change to the filename and a short explanation may save cpu cycles (in the server and in the recipient's wetware).

--
- Ben C. O. Grimm ----------------- Ben.Grimm@wirehub.net -
- Wirehub! Internet Engineering - http://www.wirehub.net/ -
- Private Ponderings ----------- http://www.bengrimm.net/ -
- Wirehub! Internet ----------- part of easynet Group plc -

From adkinss at OHIO.EDU Fri Jan 10 07:26:04 2003
From: adkinss at OHIO.EDU (Scott Adkins) Date: Thu Jan 12 21:16:55 2006 Subject: Attempted delivery BATCH vs QUEUE Message-ID: <13370015.1042165564@IO> Okay, maybe I am a bit confused about how this works... But I changed our queues a bit tonight on the system and decided to change MailScanner back to "batch" mode. Basically, the configuration is as follows: Incoming Queue Dir = /var_spool/cyrus-fast Outgoing Queue Dir = /var_spool/cyrus-slow Incoming Work Dir = /var_spool/MailScanner/incoming Quarantine Dir = /var_spool/MailScanner/quarantine Sendmail = /usr/sbin/sendmail Deliver In Background = yes Delivery Method = batch When I had the Delivery Method set to "queue", it worked as I expected in that MailScanner would deposit the email into the "cyrus-slow" queue after the messages had been scanned, and my cron jobs would eventually come through and do the delivery themselves. Now, what I want instead is for MailScanner to try and deliver the message first and if it couldn't, then and only then deposit the message in the "cyrus-slow" queue. I still have the cron jobs, so the email will get delivered eventually. However, from what I can see in the logs and the behavior, MailScanner isn't doing any kind of delivery. All of the messages after being scanned are put into the "cyrus-slow" queue. I have sendmail configured to deliver to LMTP, and checking my cyrus logs shows that the lmtp server isn't even being contacted, meaning that sendmail isn't getting ran to do the delivery. The MailScanner logs show the following: Spam Checks: Found 38 spam messages Spam Actions: message h0A7PmYV932698 actions are deliver Spam Actions: message h0A7PVYV960562 actions are deliver Spam Actions: message h0A7P1YV544776 actions are deliver .... 
  Spam Actions: message h0A7PqYV947802 actions are deliver
  Spam Actions: message h0A7PpYV963580 actions are deliver
  Spam Actions: message h0A7PnYV958534 actions are deliver
  Unscanned: Delivered 60 messages
  Virus and Content Scanning: Starting
  New Batch: Found 129 messages waiting
  New Batch: Forwarding 100 unscanned messages, 782674 bytes
  Spam Checks: Starting

I am wondering about the "Unscanned: Delivered 60 messages" entry, and not sure what the "Forwarding 100 unscanned messages" is all about. Am I just confused about what "batch" mode is all about?

Scott
--
+-----------------------------------------------------------------------+
 Scott W. Adkins http://www.cns.ohiou.edu/~sadkins/
 UNIX Systems Engineer mailto:adkinss@ohio.edu
 ICQ 7626282 Work (740)593-9478 Fax (740)593-1944
+-----------------------------------------------------------------------+
 PGP Public Key available at http://www.cns.ohiou.edu/~sadkins/pgp/

From adkinss at OHIO.EDU Fri Jan 10 07:40:39 2003
From: adkinss at OHIO.EDU (Scott Adkins)
Date: Thu Jan 12 21:16:55 2006
Subject: Performance Enhancements
Message-ID: <14245584.1042166439@IO>

Okay, since we turned on MailScanner with Spam Assassin and Sophos, we have definitely seen high load come out of the server... It looks like the culprit is Spam Assassin. SA seems to take about 5 times as much CPU to process mail as what Sophos does (which is backwards from what I was expecting, actually).

The system we are running this on is a pretty decent system. It is a two member Compaq Alpha Tru64 5.1a cluster. One member is an ES40 with 4 EV6.7 667Mhz CPU's, 4GB CPU cache and 8GB memory. The other member is an Alpha 4100 with 4 EV5.6 600Mhz CPU's, 4GB CPU cache and 6GB memory. The first member is more than twice as powerful as the second member is.

This is our primary email system, and we regularly see 400-500k worth of emails go through the system on a daily basis. We support well over 60k users and typically have 1500+ concurrent IMAP/POP users logged onto the system. The system performs great under these conditions...

The idea was to run MailScanner and mail queue processing on one machine, and our Cyrus IMAP and IMSP servers, as well as everything else on the other machine. We still saw high loads coming from the MailScanner stuff. In fact, MailScanner literally drove our second member into the ground (poor thing).

I am interested in what other large sites have done to optimize the processing of spam and virus scanning. I currently run with 20 MailScanner processes, since we have 4 CPU's. From what I can tell, it pulls in 100 messages at a time to process in a large batch and then sends them on their way. Doing it this way shows that disk IO gets slammed, and when it does recover, the CPU gets slammed, and then it starts all over again. I am thinking that maybe processing smaller chunks of emails might even out the load a little and maybe make things run a bit better.

Another thought is with Spam Assassin.
I know it has the capability to run in daemon mode (spamd). Does MailScanner even support this? Does running spamd in daemon mode give you any performance advantage at all?

Anyways, I thought I would check to see what other people are doing...

Thanks!
Scott
--
+-----------------------------------------------------------------------+
 Scott W. Adkins http://www.cns.ohiou.edu/~sadkins/
 UNIX Systems Engineer mailto:adkinss@ohio.edu
 ICQ 7626282 Work (740)593-9478 Fax (740)593-1944
+-----------------------------------------------------------------------+
 PGP Public Key available at http://www.cns.ohiou.edu/~sadkins/pgp/

From mailscanner at BARENDSE.TO Fri Jan 10 08:17:50 2003
From: mailscanner at BARENDSE.TO (Remco Barendse)
Date: Thu Jan 12 21:16:55 2006
Subject: Performance Enhancements
In-Reply-To: <14245584.1042166439@IO>
Message-ID:

You are right in your suspicions about SpamAssassin. I have encountered the exact same problem on several boxes, when I disable SA there is almost no load on the server, when I enable SA the load goes through the roof!

A friend of mine only wanted spam scanning and not virus scanning and first tried MS/SA but backed away due to extremely high load figures. He is now using SA with sendmail's milter option with much better load figures. They have a relatively large volume server (hosting provider).

I suspect that this load is caused because milter runs the mail through SA as it arrives and rejects it before it even enters the server and MS runs SA on mail in batches. Maybe it is just too much for any server to have multiple instances of SA running at the same time?

On Fri, 10 Jan 2003, Scott Adkins wrote:

> Okay, since we turned on MailScanner with Spam Assassin and Sophos, we
> have definitely seen high load come out of the server... It looks like
> the culprit is Spam Assassin. SA seems to take about 5 times as much
> CPU to process mail as what Sophos does (which is backwards from what
> I was expecting, actually).
>
> The system we are running this on is a pretty decent system. It is a
> two member Compaq Alpha Tru64 5.1a cluster. One member is an ES40 with
> 4 EV6.7 667Mhz CPU's, 4GB CPU cache and 8GB memory. The other member
> is an Alpha 4100 with 4 EV5.6 600Mhz CPU's, 4GB CPU cache and 6GB memory.
> The first member is more than twice as powerful as the second member is.
>
> This is our primary email system, and we regularly see 400-500k worth of
> emails go through the system on a daily basis. We support well over 60k
> users and typically have 1500+ concurrent IMAP/POP users logged onto the
> system. The system performs great under these conditions...
> > The idea was to run MailScanner and mail queue processing on one machine, > and our Cyrus IMAP and IMSP servers, as well as everything else on the > other machine. We still saw high loads coming from the MailScanner stuff. > In fact, MailScanner literally drover our second member into the ground > (poor thing). > > I am interested in what other large sites have done to optimize the > processing of spam and virus scanning. I currently run with 20 MailScanner > processes, since we have 4 CPU's. From what I can tell, it pulls in 100 > messages at a time to process in a large batch and then sends them on their > way. Doing it this way shows that disk IO gets slammed, and when it does > recover, the CPU gets slammed, and then it starts all over again. I am > thinking that maybe processing smaller chunks of emails might even out the > load a little and maybe make things run a bit better. > > Another thought is with Spam Assassin. I know it has the capability to run > in daemon mode (spamd). Does MailScanner even support this? Does running > spamd in daemon mode give you any performance advantage at all? > > Anyways, I thought I would check to see what other people are doing... > > Thanks! > Scott > -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From P.G.M.Peters at civ.utwente.nl Fri Jan 10 09:29:23 2003 
From: P.G.M.Peters at civ.utwente.nl (Peter Peters) Date: Thu Jan 12 21:16:55 2006 Subject: Orphaned, undelivered files in mqueue.in In-Reply-To: References: <5.2.0.9.2.20030109211244.02061460@imap.ecs.soton.ac.uk> Message-ID: <6i4t1vcmfl5pja96m582gqpadsj96mlaqg@4ax.com> On Thu, 9 Jan 2003 23:31:53 +0100, you wrote: >Strangely enough, immediately after increasing the Max Children = setting >back to 5 the problem disappeared and I had not had a single SIGHUP since! > >That is the only thing I changed and immediately solved the problem. Try changing it back to 2 and check whether the SIGHUP's start reappearing again. -- Peter Peters senior netwerkbeheerder, Centrum voor Informatievoorziening, Universiteit Twente, Postbus 217, 7500 AE Enschede telefoon: +31 53 489 2301, fax:+31 53 489 2383, http://www.utwente.nl/civ From P.G.M.Peters at civ.utwente.nl Fri Jan 10 09:36:00 2003 
From: P.G.M.Peters at civ.utwente.nl (Peter Peters)
Date: Thu Jan 12 21:16:55 2006
Subject: FW: Reviving an old idea about renaming forbidden extensions
In-Reply-To: <1C94995A-242A-11D7-948E-000393D6F5B0@lemon-computing.com>
References: <5C0296D26910694BB9A9BBFC577E7AB0A4ACFD@pascal.priv.bmrb.co.uk> <1C94995A-242A-11D7-948E-000393D6F5B0@lemon-computing.com>
Message-ID:

On Fri, 10 Jan 2003 12:28:51 +1300, you wrote:

>If you were feeling particularly BOFH-like, you could zip them with a
>unique password, and provide a message id as a reference.
>Helpdesk/BOFH/whoever could then provide suitably clueful users with
>the password on request...

You could also use part of existing information (QueueID perhaps) as a password. That way you also teach users there is more information than just "Aan", "Van", "Onderwerp". And they know how to get to that information (Some clients tend to change the way to do that every release).

--
Peter Peters
senior netwerkbeheerder, Centrum voor Informatievoorziening, Universiteit Twente,
Postbus 217, 7500 AE Enschede
telefoon: +31 53 489 2301, fax:+31 53 489 2383, http://www.utwente.nl/civ

From j.cormie at ABERTAY.AC.UK Fri Jan 10 09:55:07 2003
From: j.cormie at ABERTAY.AC.UK (Jason Cormie)
Date: Thu Jan 12 21:16:55 2006
Subject: Spamassasin timing Out
Message-ID:

Strange but True...

Started up mailscanner this morning using Spamassassin... And now it works...

-----Original Message-----
From: Spicer, Kevin [mailto:Kevin.Spicer@BMRB.CO.UK]
Sent: 09, January, 2003 18:36
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Spamassasin timing Out

That's not like the logs I was getting, so I imagine this is a different problem (mine was a sequence like the following... MailScanner starts, detects 1400 messages, says 'scanning 100 messages', 'Found 16 spam messages'- and just did this every 2 minutes!). It looks like your mailscanner is scanning messages(?) Have you checked the headers of the stuck messages to see if mailscanner has altered them?

> -----Original Message-----
> From: Jason Cormie [mailto:j.cormie@ABERTAY.AC.UK] > Sent: 09 January 2003 18:09 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Spamassasin timing Out > > > > What does your maillog say about it? > > When I restart mailscanner it comes up, sits at scanning > first 100 messages > then spamassassin times out > > mailscanner continues to run and eat processor and memory > > below is a segment of todays logs > at 15:38 I started mailscanner up with spamassassin enabled > at 16:35 I stopped it, waited a bit, started it without spamassassin > > Jan 9 15:38:21 uadspa01 mailscanner[13733]: MailScanner E-Mail Virus > Scanner version 3.26-1 starting. > Jan 9 15:38:21 uadspa01 mailscanner[13733]: Configuring > mailscanner for > Exim mailer... > Jan 9 15:38:21 uadspa01 mailscanner[13733]: Using locktype = posix > Jan 9 15:38:21 uadspa01 mailscanner[13733]: Creating > hardcoded struct_flock > subroutine for linux (Linux-type) > Jan 9 15:38:21 uadspa01 mailscanner[13734]: ECS MailScanner > setting GID to > mail (8) > Jan 9 15:38:21 uadspa01 mailscanner[13734]: ECS MailScanner > setting UID to > mail (8) > Jan 9 15:38:31 uadspa01 mailscanner[13734]: Startup: found 3 messages > waiting > Jan 9 15:38:31 uadspa01 mailscanner[13734]: Scanning 3 > messages, 15079 > bytes > Jan 9 15:39:12 uadspa01 mailscanner[13734]: Scanned 3 > messages, 15079 bytes > in 0 seconds > Jan 9 15:39:12 uadspa01 mailscanner[13734]: Scanning 8 > messages, 88547 > bytes > Jan 9 15:41:45 uadspa01 mailscanner[13734]: Scanned 8 > messages, 88547 bytes > in 0 seconds > Jan 9 15:41:45 uadspa01 mailscanner[13734]: Scanning 28 > messages, 395670 > bytes > Jan 9 15:48:54 uadspa01 mailscanner[13734]: Scanned 28 > messages, 395670 > bytes in 1 seconds > Jan 9 15:48:55 uadspa01 mailscanner[13734]: Scanning 86 > messages, 813639 > bytes > Jan 9 15:51:19 uadspa01 mailscanner[13734]: SpamAssassin > timed out and was > killed, consecutive failure 1 of 10 > Jan 9 16:10:11 uadspa01 mailscanner[13734]: Scanned 86 > 
messages, 813639 > bytes in 5 seconds > Jan 9 16:10:15 uadspa01 mailscanner[13734]: Scanning 100 > messages, 830555 > bytes > Jan 9 16:13:55 uadspa01 mailscanner[13734]: SpamAssassin > timed out and was > killed, consecutive failure 1 of 10 > Jan 9 16:30:00 uadspa01 mailscanner[13734]: Scanned 100 > messages, 830555 > bytes in 7 seconds > Jan 9 16:30:07 uadspa01 mailscanner[13734]: Scanning 100 > messages, 1024265 > bytes > Jan 9 16:35:00 uadspa01 mailscanner[18520]: MailScanner E-Mail Virus > Scanner version 3.26-1 starting. > Jan 9 16:35:00 uadspa01 mailscanner[18520]: Configuring > mailscanner for > Exim mailer... > Jan 9 16:35:00 uadspa01 mailscanner[18520]: Using locktype = posix > Jan 9 16:35:00 uadspa01 mailscanner[18520]: Creating > hardcoded struct_flock > subroutine for linux (Linux-type) > Jan 9 16:35:00 uadspa01 mailscanner[18521]: ECS MailScanner > setting GID to > mail (8) > Jan 9 16:35:00 uadspa01 mailscanner[18521]: ECS MailScanner > setting UID to > mail (8) > Jan 9 16:35:00 uadspa01 mailscanner[18521]: Startup: found > 516 messages > waiting > Jan 9 16:35:00 uadspa01 mailscanner[18521]: Scanning 100 > messages, 1024265 > bytes > Jan 9 16:35:07 uadspa01 mailscanner[18521]: Scanned 100 > messages, 1024265 > bytes in 7 seconds > Jan 9 16:35:14 uadspa01 mailscanner[18521]: Scanning 100 > messages, 1611938 > bytes > Jan 9 16:35:21 uadspa01 mailscanner[18521]: Scanned 100 > messages, 1611938 > bytes in 7 seconds > Jan 9 16:35:25 uadspa01 mailscanner[18521]: Scanning 100 > messages, 689528 > bytes > Jan 9 16:35:36 uadspa01 mailscanner[18521]: Detected > Microsoft-specific > exploits in 18WfHz-0004Et-00 > Jan 9 16:35:37 uadspa01 mailscanner[18521]: Found 1 viruses > in messages > 18WfHz-0004Et-00 > Jan 9 16:35:37 uadspa01 mailscanner[18521]: Scanned 100 > messages, 689528 > bytes in 11 seconds > Jan 9 16:35:37 uadspa01 mailscanner[18521]: Saved entire message to > /var/spool/mailscanner/quarantine/20030109/18WfHz-0004Et-00 > Jan 9 16:35:38 uadspa01 
mailscanner[18521]: Notified > uadspa01@abertay.ac.uk > about 1 infections > Jan 9 16:35:42 uadspa01 mailscanner[18521]: Scanning 100 > messages, 1291793 > bytes > Jan 9 16:35:53 uadspa01 mailscanner[18521]: Scanned 100 > messages, 1291793 > bytes in 11 seconds > Jan 9 16:35:57 uadspa01 mailscanner[18521]: Scanning 100 > messages, 3287604 > bytes > Jan 9 16:36:05 uadspa01 mailscanner[18521]: Scanned 100 > messages, 3287604 > bytes in 8 seconds > Jan 9 16:36:07 uadspa01 mailscanner[18521]: Scanning 33 > messages, 772701 > bytes > Jan 9 16:36:08 uadspa01 mailscanner[18521]: Scanned 33 > messages, 772701 > bytes in 1 seconds > Jan 9 16:36:19 uadspa01 mailscanner[18521]: Scanning 1 > messages, 5277 bytes > > Jan 9 16:36:21 uadspa01 mailscanner[18521]: Scanned 1 > messages, 5277 bytes > in 2 seconds > Jan 9 16:36:27 uadspa01 mailscanner[18521]: Scanning 1 > messages, 4327 bytes > > Jan 9 16:36:27 uadspa01 mailscanner[18521]: Scanned 1 > messages, 4327 bytes > in 0 seconds > Jan 9 16:36:32 uadspa01 mailscanner[18521]: Scanning 1 > messages, 11562 > bytes > Jan 9 16:36:32 uadspa01 mailscanner[18521]: Scanned 1 > messages, 11562 bytes > in 0 seconds > Jan 9 16:36:53 uadspa01 mailscanner[18521]: Scanning 1 > messages, 2713 bytes > > Jan 9 16:36:55 uadspa01 mailscanner[18521]: Scanned 1 > messages, 2713 bytes > in 2 seconds > Jan 9 16:37:10 uadspa01 mailscanner[18521]: Scanning 1 > messages, 9386 bytes > > Jan 9 16:37:10 uadspa01 mailscanner[18521]: Scanned 1 > messages, 9386 bytes > in 0 seconds > Jan 9 16:37:15 uadspa01 mailscanner[18521]: Scanning 1 > messages, 3332 bytes > > Jan 9 16:37:15 uadspa01 mailscanner[18521]: Scanned 1 > messages, 3332 bytes > in 0 seconds > Jan 9 16:37:20 uadspa01 mailscanner[18521]: Scanning 2 > messages, 6956 bytes > > Jan 9 16:37:20 uadspa01 mailscanner[18521]: Scanned 2 > messages, 6956 bytes > in 0 seconds > Jan 9 16:37:25 uadspa01 mailscanner[18521]: Scanning 4 > messages, 16826 > bytes > Jan 9 16:37:26 uadspa01 mailscanner[18521]: 
Scanned 4 > messages, 16826 bytes > in 1 seconds > Jan 9 16:37:31 uadspa01 mailscanner[18521]: Scanning 2 > messages, 8660 bytes > > Jan 9 16:37:31 uadspa01 mailscanner[18521]: Scanned 2 > messages, 8660 bytes > in 0 seconds > Jan 9 16:37:36 uadspa01 mailscanner[18521]: Scanning 4 > messages, 35121 > bytes > Jan 9 16:37:36 uadspa01 mailscanner[18521]: Scanned 4 > messages, 35121 bytes > in 0 seconds > Jan 9 16:37:42 uadspa01 mailscanner[18521]: Scanning 3 > messages, 14442 > bytes > Jan 9 16:37:42 uadspa01 mailscanner[18521]: Scanned 3 > messages, 14442 bytes > in 0 seconds > Jan 9 16:37:47 uadspa01 mailscanner[18521]: Scanning 5 > messages, 22115 > bytes > Jan 9 16:37:47 uadspa01 mailscanner[18521]: Scanned 5 > messages, 22115 bytes > in 0 seconds > Jan 9 16:37:52 uadspa01 mailscanner[18521]: Scanning 1 > messages, 3397 bytes > > Jan 9 16:37:52 uadspa01 mailscanner[18521]: Scanned 1 > messages, 3397 bytes > in 0 seconds > Jan 9 16:37:57 uadspa01 mailscanner[18521]: Scanning 2 > messages, 23587 > bytes > Jan 9 16:37:58 uadspa01 mailscanner[18521]: Scanned 2 > messages, 23587 bytes > in 1 seconds > Jan 9 16:37:58 uadspa01 mailscanner[18521]: Scanning 1 > messages, 2942 bytes > > Jan 9 16:37:58 uadspa01 mailscanner[18521]: Scanned 1 > messages, 2942 bytes > in 0 seconds > Jan 9 16:38:03 uadspa01 mailscanner[18521]: Scanning 2 > messages, 6947 bytes > > Jan 9 16:38:03 uadspa01 mailscanner[18521]: Scanned 2 > messages, 6947 bytes > in 0 seconds > Jan 9 16:38:08 uadspa01 mailscanner[18521]: Scanning 3 > messages, 12991 > bytes > Jan 9 16:38:09 uadspa01 mailscanner[18521]: Scanned 3 > messages, 12991 bytes > in 1 seconds > Jan 9 16:38:14 uadspa01 mailscanner[18521]: Scanning 3 > messages, 13782 > bytes > Jan 9 16:38:14 uadspa01 mailscanner[18521]: Scanned 3 > messages, 13782 bytes > in 0 seconds > Jan 9 16:38:19 uadspa01 mailscanner[18521]: Scanning 3 > messages, 15573 > bytes > Jan 9 16:38:20 uadspa01 mailscanner[18521]: Scanned 3 > messages, 15573 bytes > in 1 seconds 
> Jan 9 16:38:25 uadspa01 mailscanner[18521]: Scanning 6 > messages, 69217 > bytes > Jan 9 16:38:25 uadspa01 mailscanner[18521]: Scanned 6 > messages, 69217 bytes > in 0 seconds > Jan 9 16:38:35 uadspa01 mailscanner[18521]: Scanning 5 > messages, 20344 > bytes > Jan 9 16:38:35 uadspa01 mailscanner[18521]: Scanned 5 > messages, 20344 bytes > in 0 seconds > Jan 9 16:38:35 uadspa01 mailscanner[18521]: Scanning 1 > messages, 2157 bytes > > Jan 9 16:38:36 uadspa01 mailscanner[18521]: Scanned 1 > messages, 2157 bytes > in 0 seconds > Jan 9 16:38:41 uadspa01 mailscanner[18521]: Scanning 1 > messages, 2157 bytes > > Jan 9 16:38:41 uadspa01 mailscanner[18521]: Scanned 1 > messages, 2157 bytes > in 0 seconds > Jan 9 16:38:46 uadspa01 mailscanner[18521]: Scanning 4 > messages, 17190 > bytes > Jan 9 16:38:46 uadspa01 mailscanner[18521]: Scanned 4 > messages, 17190 bytes > in 0 seconds > Jan 9 16:38:46 uadspa01 mailscanner[18521]: Scanning 1 > messages, 4451 bytes > From mailscanner at ecs.soton.ac.uk Fri Jan 10 09:21:10 2003 
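
Archive note on the "Spamassasin timing Out" thread above, added here as an example and not part of any poster's message or of MailScanner itself: in the quoted maillog the self-reported scan time ("in 5 seconds") is far smaller than the gap between the syslog timestamps of the matching "Scanning" and "Scanned" lines. The Python sketch below pairs those lines per PID, counts SpamAssassin timeouts inside each batch, and lists batches that never logged completion. The function name `analyse`, the year 2003 and the 30-second slack are assumptions of this example.

```python
import re
from datetime import datetime

MONTHS = {name: i for i, name in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}

# Syslog prefix as seen in the thread: "Jan 9 15:38:31 host mailscanner[pid]: text"
LINE_RE = re.compile(
    r"^(?P<mon>[A-Za-z]{3})\s+(?P<day>\d{1,2})\s+(?P<clock>\d\d:\d\d:\d\d)\s+\S+\s+"
    r"mailscanner\[(?P<pid>\d+)\]:\s+(?P<msg>.*)$", re.IGNORECASE)
START_RE = re.compile(r"Scanning (\d+) messages, (\d+) bytes")
END_RE = re.compile(r"Scanned (\d+) messages, (\d+) bytes in (\d+) seconds")
TIMEOUT_RE = re.compile(r"SpamAssassin timed out and was killed")

# Lines taken from the excerpt quoted in the thread, with the mail-client
# wrapping and "> " quote markers removed.
SAMPLE_LOG = """\
Jan 9 15:38:31 uadspa01 mailscanner[13734]: Scanning 3 messages, 15079 bytes
Jan 9 15:39:12 uadspa01 mailscanner[13734]: Scanned 3 messages, 15079 bytes in 0 seconds
Jan 9 15:48:55 uadspa01 mailscanner[13734]: Scanning 86 messages, 813639 bytes
Jan 9 15:51:19 uadspa01 mailscanner[13734]: SpamAssassin timed out and was killed, consecutive failure 1 of 10
Jan 9 16:10:11 uadspa01 mailscanner[13734]: Scanned 86 messages, 813639 bytes in 5 seconds
Jan 9 16:30:07 uadspa01 mailscanner[13734]: Scanning 100 messages, 1024265 bytes
Jan 9 16:35:00 uadspa01 mailscanner[18521]: Scanning 100 messages, 1024265 bytes
Jan 9 16:35:07 uadspa01 mailscanner[18521]: Scanned 100 messages, 1024265 bytes in 7 seconds
"""


def analyse(log_text, year=2003, slack=30):
    """Return (finished, unfinished) batches parsed from MailScanner syslog text.

    year:  syslog lines carry no year, so one is assumed (no rollover handling).
    slack: seconds by which wall-clock time may exceed the reported scan time
           before a batch is marked as stalled (assumed threshold).
    """
    open_batches, finished, unfinished = {}, [], []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        month = MONTHS.get(m["mon"].title())
        if month is None:
            continue
        hh, mm, ss = (int(x) for x in m["clock"].split(":"))
        ts = datetime(year, month, int(m["day"]), hh, mm, ss)
        pid, msg = int(m["pid"]), m["msg"]
        start, end = START_RE.match(msg), END_RE.match(msg)

        if start:
            # A second "Scanning" for the same PID means the earlier batch
            # never logged its completion.
            if pid in open_batches:
                unfinished.append(open_batches.pop(pid))
            open_batches[pid] = {
                "pid": pid, "start": ts, "sa_timeouts": 0,
                "messages": int(start.group(1)), "bytes": int(start.group(2)),
            }
        elif TIMEOUT_RE.match(msg):
            if pid in open_batches:
                open_batches[pid]["sa_timeouts"] += 1
        elif end:
            batch = open_batches.pop(pid, None)
            if batch is None:
                continue  # completion line without a visible start
            if (batch["messages"], batch["bytes"]) != (int(end.group(1)), int(end.group(2))):
                unfinished.append(batch)  # sizes differ: not the same batch
                continue
            wall = int((ts - batch["start"]).total_seconds())
            reported = int(end.group(3))
            batch.update(end=ts, wall_seconds=wall, reported_seconds=reported,
                         stalled=(wall - reported) > slack)
            finished.append(batch)

    # Anything still open when the log ends (e.g. the process was restarted).
    unfinished.extend(open_batches.values())
    return finished, unfinished


if __name__ == "__main__":
    done, hung = analyse(SAMPLE_LOG)
    for b in done:
        flag = "STALLED" if b["stalled"] else "ok"
        print(f"pid {b['pid']}: {b['messages']} msgs, reported {b['reported_seconds']}s, "
              f"wall {b['wall_seconds']}s, SA timeouts {b['sa_timeouts']} [{flag}]")
    for b in hung:
        print(f"pid {b['pid']}: batch of {b['messages']} msgs started {b['start']} never completed")
```
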
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:55 2006 Subject: Performance Enhancements In-Reply-To: <14245584.1042166439@IO> Message-ID: <5.2.0.9.2.20030110085438.04976de8@imap.ecs.soton.ac.uk> At 07:40 10/01/2003, you wrote: >I am interested in what other large sites have done to optimize the >processing of spam and virus scanning. I currently run with 20 MailScanner >processes, since we have 4 CPU's. From what I can tell, it pulls in 100 >messages at a time to process in a large batch and then sends them on their >way. Doing it this way shows that disk IO gets slammed, and when it does >recover, the CPU gets slammed, and then it starts all over again. I am >thinking that maybe processing smaller chunks of emails might even out the >load a little and maybe make things run a bit better. The idea was that the processes all start at different times, and should therefore be out of phase with each other. So while 1 process is doing lots of disk IO, another is doing lots of CPU, another is doing lots of network access. If you find them all running doing the same thing at the same time (so lots of processes are collecting new batches, then they all do SA together, then they all virus scan together, etc) then you are seeing a very strange symptom that I have seen on my dual-Xeon box here. I haven't the foggiest idea how it happens, there's nothing wrong with the code (I've had some computer science experts stare at it). But, I did find a way around it. If you put the incoming directory ("incoming", not "mqueue.in") in RAM using tmpfs, the problem disappears. >Another thought is with Spam Assassin. I know it has the capability to run >in daemon mode (spamd). Does MailScanner even support this? Does running >spamd in daemon mode give you any performance advantage at all? The spamd daemon merely provides a (narrow) route to the SpamAssassin code, which is all written in perl. 
MailScanner talks to the perl code directly, which is considerably faster than having to poke all the files down a socket to it. Using spamd would be slower. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Fri Jan 10 08:51:56 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:55 2006 Subject: Attempted delivery BATCH vs QUEUE In-Reply-To: <13370015.1042165564@IO> Message-ID: <5.2.0.9.2.20030110084906.02a07de0@imap.ecs.soton.ac.uk> The only difference between "queue" and "batch" is that, after putting the messages in the outgoing queue, "batch" tells sendmail to do a delivery attempt. "queue" just leaves them there for the sendmail queue runner process to find later. If you want to do something like put internal email into 1 queue and outgoing email into another queue, you can make the "Outgoing Queue Dir" a ruleset. You can also make "delivery method" a ruleset too, so you can do different actions on mail to/from different addresses. That *should* be enough for you to do what you want. I hope it is anyway :-) At 07:26 10/01/2003, you wrote: >Okay, maybe I am a bit confused about how this works... But I changed >our queues a bit tonight on the system and decided to change MailScanner >back to "batch" mode. Basically, the configuration is as follows: > > Incoming Queue Dir = /var_spool/cyrus-fast > Outgoing Queue Dir = /var_spool/cyrus-slow > Incoming Work Dir = /var_spool/MailScanner/incoming > Quarantine Dir = /var_spool/MailScanner/quarantine > Sendmail = /usr/sbin/sendmail > Deliver In Background = yes > Delivery Method = batch > >When I had the Delivery Method set to "queue", it worked as I expected in >that MailScanner would deposit the email into the "cyrus-slow" queue after >the messages had been scanned, and my cron jobs would eventually come through >and do the delivery themselves. > >Now, what I want instead is for MailScanner to try and deliver the message >first and if it couldn't, then and only then deposit the message in the >"cyrus-slow" queue. I still have the cron jobs, so the email will get >delivered eventually. > >However, from what I can see in the logs and the behavior, MailScanner isn't >doing any kind of delivery. 
All of the messages after being scanned are put >into the "cyrus-slow" queue. I have sendmail configured to deliver to LMTP, >and checking my cyrus logs shows that the lmtp server isn't even being >contacted, meaning that sendmail isn't getting ran to do the delivery. The >MailScanner logs show the following: > > Spam Checks: Found 38 spam messages > Spam Actions: message h0A7PmYV932698 actions are deliver > Spam Actions: message h0A7PVYV960562 actions are deliver > Spam Actions: message h0A7P1YV544776 actions are deliver > .... > Spam Actions: message h0A7PqYV947802 actions are deliver > Spam Actions: message h0A7PpYV963580 actions are deliver > Spam Actions: message h0A7PnYV958534 actions are deliver > Unscanned: Delivered 60 messages > Virus and Content Scanning: Starting > New Batch: Found 129 messages waiting > New Batch: Forwarding 100 unscanned messages, 782674 bytes > Spam Checks: Starting > >I am wondering about the "Unscanned: Delivered 60 messages" entry, and not >sure what the "Forwarding 100 unscanned messages" is all about. Am I just >confused about what "batch" mode is all about? > >Scott >-- >+-----------------------------------------------------------------------+ > Scott W. Adkins http://www.cns.ohiou.edu/~sadkins/ > UNIX Systems Engineer mailto:adkinss@ohio.edu > ICQ 7626282 Work (740)593-9478 Fax (740)593-1944 >+-----------------------------------------------------------------------+ > PGP Public Key available at > http://www.cns.ohiou.edu/~sadkins/pgp/ -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Fri Jan 10 09:24:42 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:55 2006
Subject: Performance Enhancements
In-Reply-To:
References: <14245584.1042166439@IO>
Message-ID: <5.2.0.9.2.20030110092133.02d1b170@imap.ecs.soton.ac.uk>

At 08:17 10/01/2003, you wrote:
>I suspect that this load is caused because milter runs the mail through
>SA as it arrives and rejects it before it even enters the server and MS
>runs SA on mail in batches. Maybe it is just too much for any server to
>have multiple instances of SA running at the same time?

SA is quite memory-hungry. You can always try reducing the number of child
processes to, say, 2 and see if that actually performs better than 5. My
guess at 5 was made on the basis of using all the RAM in a 512MB machine
with some sample test messages. I would not be at all surprised if it
wasn't the right figure for other systems.

Keep an eye on the overall load, as some systems (SPARC systems come to
mind) have a very high context-switching overhead, so the more
CPU-intensive jobs it is switching between, the slower it goes.

>On Fri, 10 Jan 2003, Scott Adkins wrote:
> > Okay, since we turned on MailScanner with Spam Assassin and Sophos, we
> > have definitely seen high load come out of the server... It looks like
> > the culprit is Spam Assassin. SA seems to take about 5 times as much
> > CPU to process mail as what Sophos does (which is backwards from what
> > I was expecting, actually).
> >
> > The system we are running this on is a pretty decent system. It is a
> > two member Compaq Alpha Tru64 5.1a cluster. One member is an ES40 with
> > 4 EV6.7 667Mhz CPU's, 4GB CPU cache and 8GB memory. The other member
> > is an Alpha 4100 with 4 EV5.6 600Mhz CPU's, 4GB CPU cache and 6GB memory.
> > The first member is more than twice as powerful as the second member is.
> >
> > This is our primary email system, and we regularly see 400-500k worth of
> > emails go through the system on a daily basis. We support well over 60k
> > users and typically have 1500+ concurrent IMAP/POP users logged onto the
> > system. The system performs great under these conditions...
> >
> > The idea was to run MailScanner and mail queue processing on one machine,
> > and our Cyrus IMAP and IMSP servers, as well as everything else on the
> > other machine. We still saw high loads coming from the MailScanner stuff.
> > In fact, MailScanner literally drove our second member into the ground
> > (poor thing).
> >
> > I am interested in what other large sites have done to optimize the
> > processing of spam and virus scanning. I currently run with 20 MailScanner
> > processes, since we have 4 CPU's. From what I can tell, it pulls in 100
> > messages at a time to process in a large batch and then sends them on their
> > way. Doing it this way shows that disk IO gets slammed, and when it does
> > recover, the CPU gets slammed, and then it starts all over again. I am
> > thinking that maybe processing smaller chunks of emails might even out the
> > load a little and maybe make things run a bit better.
> >
> > Another thought is with Spam Assassin. I know it has the capability to run
> > in daemon mode (spamd). Does MailScanner even support this? Does running
> > spamd in daemon mode give you any performance advantage at all?
> >
> > Anyways, I thought I would check to see what other people are doing...
> >
> > Thanks!
> > Scott
> >
> >
>--
>This message has been scanned for viruses and
>dangerous content by MailScanner, and is
>believed to be clean.

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Fri Jan 10 10:04:49 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:55 2006
Subject: Spamassasin timing Out
In-Reply-To:
Message-ID: <5.2.0.9.2.20030110100423.02adab68@imap.ecs.soton.ac.uk>

At 09:55 10/01/2003, you wrote:
>Strange but True...
>
>Started up mailscanner this morning using Spamassassin...
>
>And now it works...

Dodgy RBL's being used by SpamAssassin?

>-----Original Message-----
>From: Spicer, Kevin [mailto:Kevin.Spicer@BMRB.CO.UK]
>Sent: 09, January, 2003 18:36
>To: MAILSCANNER@JISCMAIL.AC.UK
>Subject: Re: Spamassasin timing Out
>
>
>That's not like the logs I was getting, so I imagine this is a different
>problem (mine was a sequence like the following... MailScanner starts,
>detects 1400 messages, says 'scanning 100 messages', 'Found 16 spam
>messages'- and just did this every 2 minutes!). It looks like your
>mailscanner is scanning messages(?) Have you checked the headers of the
>stuck messages to see if mailscanner has altered them?
>
> > -----Original Message-----
> > From: Jason Cormie [mailto:j.cormie@ABERTAY.AC.UK] > > Sent: 09 January 2003 18:09 > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: Re: Spamassasin timing Out > > > > > > > What does your maillog say about it? > > > > When I restart mailscanner it comes up, sits at scanning > > first 100 messages > > then spamassassin times out > > > > mailscanner continues to run and eat processor and memory > > > > below is a segment of todays logs > > at 15:38 I started mailscanner up with spamassassin enabled > > at 16:35 I stopped it, waited a bit, started it without spamassassin > > > > Jan 9 15:38:21 uadspa01 mailscanner[13733]: MailScanner E-Mail Virus > > Scanner version 3.26-1 starting. > > Jan 9 15:38:21 uadspa01 mailscanner[13733]: Configuring > > mailscanner for > > Exim mailer... > > Jan 9 15:38:21 uadspa01 mailscanner[13733]: Using locktype = posix > > Jan 9 15:38:21 uadspa01 mailscanner[13733]: Creating > > hardcoded struct_flock > > subroutine for linux (Linux-type) > > Jan 9 15:38:21 uadspa01 mailscanner[13734]: ECS MailScanner > > setting GID to > > mail (8) > > Jan 9 15:38:21 uadspa01 mailscanner[13734]: ECS MailScanner > > setting UID to > > mail (8) > > Jan 9 15:38:31 uadspa01 mailscanner[13734]: Startup: found 3 messages > > waiting > > Jan 9 15:38:31 uadspa01 mailscanner[13734]: Scanning 3 > > messages, 15079 > > bytes > > Jan 9 15:39:12 uadspa01 mailscanner[13734]: Scanned 3 > > messages, 15079 bytes > > in 0 seconds > > Jan 9 15:39:12 uadspa01 mailscanner[13734]: Scanning 8 > > messages, 88547 > > bytes > > Jan 9 15:41:45 uadspa01 mailscanner[13734]: Scanned 8 > > messages, 88547 bytes > > in 0 seconds > > Jan 9 15:41:45 uadspa01 mailscanner[13734]: Scanning 28 > > messages, 395670 > > bytes > > Jan 9 15:48:54 uadspa01 mailscanner[13734]: Scanned 28 > > messages, 395670 > > bytes in 1 seconds > > Jan 9 15:48:55 uadspa01 mailscanner[13734]: Scanning 86 > > messages, 813639 > > bytes > > Jan 9 15:51:19 uadspa01 mailscanner[13734]: SpamAssassin > > timed 
out and was > > killed, consecutive failure 1 of 10 > > Jan 9 16:10:11 uadspa01 mailscanner[13734]: Scanned 86 > > messages, 813639 > > bytes in 5 seconds > > Jan 9 16:10:15 uadspa01 mailscanner[13734]: Scanning 100 > > messages, 830555 > > bytes > > Jan 9 16:13:55 uadspa01 mailscanner[13734]: SpamAssassin > > timed out and was > > killed, consecutive failure 1 of 10 > > Jan 9 16:30:00 uadspa01 mailscanner[13734]: Scanned 100 > > messages, 830555 > > bytes in 7 seconds > > Jan 9 16:30:07 uadspa01 mailscanner[13734]: Scanning 100 > > messages, 1024265 > > bytes > > Jan 9 16:35:00 uadspa01 mailscanner[18520]: MailScanner E-Mail Virus > > Scanner version 3.26-1 starting. > > Jan 9 16:35:00 uadspa01 mailscanner[18520]: Configuring > > mailscanner for > > Exim mailer... > > Jan 9 16:35:00 uadspa01 mailscanner[18520]: Using locktype = posix > > Jan 9 16:35:00 uadspa01 mailscanner[18520]: Creating > > hardcoded struct_flock > > subroutine for linux (Linux-type) > > Jan 9 16:35:00 uadspa01 mailscanner[18521]: ECS MailScanner > > setting GID to > > mail (8) > > Jan 9 16:35:00 uadspa01 mailscanner[18521]: ECS MailScanner > > setting UID to > > mail (8) > > Jan 9 16:35:00 uadspa01 mailscanner[18521]: Startup: found > > 516 messages > > waiting > > Jan 9 16:35:00 uadspa01 mailscanner[18521]: Scanning 100 > > messages, 1024265 > > bytes > > Jan 9 16:35:07 uadspa01 mailscanner[18521]: Scanned 100 > > messages, 1024265 > > bytes in 7 seconds > > Jan 9 16:35:14 uadspa01 mailscanner[18521]: Scanning 100 > > messages, 1611938 > > bytes > > Jan 9 16:35:21 uadspa01 mailscanner[18521]: Scanned 100 > > messages, 1611938 > > bytes in 7 seconds > > Jan 9 16:35:25 uadspa01 mailscanner[18521]: Scanning 100 > > messages, 689528 > > bytes > > Jan 9 16:35:36 uadspa01 mailscanner[18521]: Detected > > Microsoft-specific > > exploits in 18WfHz-0004Et-00 > > Jan 9 16:35:37 uadspa01 mailscanner[18521]: Found 1 viruses > > in messages > > 18WfHz-0004Et-00 > > Jan 9 16:35:37 uadspa01 
mailscanner[18521]: Scanned 100 > > messages, 689528 > > bytes in 11 seconds > > Jan 9 16:35:37 uadspa01 mailscanner[18521]: Saved entire message to > > /var/spool/mailscanner/quarantine/20030109/18WfHz-0004Et-00 > > Jan 9 16:35:38 uadspa01 mailscanner[18521]: Notified > > uadspa01@abertay.ac.uk > > about 1 infections > > Jan 9 16:35:42 uadspa01 mailscanner[18521]: Scanning 100 > > messages, 1291793 > > bytes > > Jan 9 16:35:53 uadspa01 mailscanner[18521]: Scanned 100 > > messages, 1291793 > > bytes in 11 seconds > > Jan 9 16:35:57 uadspa01 mailscanner[18521]: Scanning 100 > > messages, 3287604 > > bytes > > Jan 9 16:36:05 uadspa01 mailscanner[18521]: Scanned 100 > > messages, 3287604 > > bytes in 8 seconds > > Jan 9 16:36:07 uadspa01 mailscanner[18521]: Scanning 33 > > messages, 772701 > > bytes > > Jan 9 16:36:08 uadspa01 mailscanner[18521]: Scanned 33 > > messages, 772701 > > bytes in 1 seconds > > Jan 9 16:36:19 uadspa01 mailscanner[18521]: Scanning 1 > > messages, 5277 bytes > > > > Jan 9 16:36:21 uadspa01 mailscanner[18521]: Scanned 1 > > messages, 5277 bytes > > in 2 seconds > > Jan 9 16:36:27 uadspa01 mailscanner[18521]: Scanning 1 > > messages, 4327 bytes > > > > Jan 9 16:36:27 uadspa01 mailscanner[18521]: Scanned 1 > > messages, 4327 bytes > > in 0 seconds > > Jan 9 16:36:32 uadspa01 mailscanner[18521]: Scanning 1 > > messages, 11562 > > bytes > > Jan 9 16:36:32 uadspa01 mailscanner[18521]: Scanned 1 > > messages, 11562 bytes > > in 0 seconds > > Jan 9 16:36:53 uadspa01 mailscanner[18521]: Scanning 1 > > messages, 2713 bytes > > > > Jan 9 16:36:55 uadspa01 mailscanner[18521]: Scanned 1 > > messages, 2713 bytes > > in 2 seconds > > Jan 9 16:37:10 uadspa01 mailscanner[18521]: Scanning 1 > > messages, 9386 bytes > > > > Jan 9 16:37:10 uadspa01 mailscanner[18521]: Scanned 1 > > messages, 9386 bytes > > in 0 seconds > > Jan 9 16:37:15 uadspa01 mailscanner[18521]: Scanning 1 > > messages, 3332 bytes > > > > Jan 9 16:37:15 uadspa01 mailscanner[18521]: Scanned 1 
> > messages, 3332 bytes > > in 0 seconds > > Jan 9 16:37:20 uadspa01 mailscanner[18521]: Scanning 2 > > messages, 6956 bytes > > > > Jan 9 16:37:20 uadspa01 mailscanner[18521]: Scanned 2 > > messages, 6956 bytes > > in 0 seconds > > Jan 9 16:37:25 uadspa01 mailscanner[18521]: Scanning 4 > > messages, 16826 > > bytes > > Jan 9 16:37:26 uadspa01 mailscanner[18521]: Scanned 4 > > messages, 16826 bytes > > in 1 seconds > > Jan 9 16:37:31 uadspa01 mailscanner[18521]: Scanning 2 > > messages, 8660 bytes > > > > Jan 9 16:37:31 uadspa01 mailscanner[18521]: Scanned 2 > > messages, 8660 bytes > > in 0 seconds > > Jan 9 16:37:36 uadspa01 mailscanner[18521]: Scanning 4 > > messages, 35121 > > bytes > > Jan 9 16:37:36 uadspa01 mailscanner[18521]: Scanned 4 > > messages, 35121 bytes > > in 0 seconds > > Jan 9 16:37:42 uadspa01 mailscanner[18521]: Scanning 3 > > messages, 14442 > > bytes > > Jan 9 16:37:42 uadspa01 mailscanner[18521]: Scanned 3 > > messages, 14442 bytes > > in 0 seconds > > Jan 9 16:37:47 uadspa01 mailscanner[18521]: Scanning 5 > > messages, 22115 > > bytes > > Jan 9 16:37:47 uadspa01 mailscanner[18521]: Scanned 5 > > messages, 22115 bytes > > in 0 seconds > > Jan 9 16:37:52 uadspa01 mailscanner[18521]: Scanning 1 > > messages, 3397 bytes > > > > Jan 9 16:37:52 uadspa01 mailscanner[18521]: Scanned 1 > > messages, 3397 bytes > > in 0 seconds > > Jan 9 16:37:57 uadspa01 mailscanner[18521]: Scanning 2 > > messages, 23587 > > bytes > > Jan 9 16:37:58 uadspa01 mailscanner[18521]: Scanned 2 > > messages, 23587 bytes > > in 1 seconds > > Jan 9 16:37:58 uadspa01 mailscanner[18521]: Scanning 1 > > messages, 2942 bytes > > > > Jan 9 16:37:58 uadspa01 mailscanner[18521]: Scanned 1 > > messages, 2942 bytes > > in 0 seconds > > Jan 9 16:38:03 uadspa01 mailscanner[18521]: Scanning 2 > > messages, 6947 bytes > > > > Jan 9 16:38:03 uadspa01 mailscanner[18521]: Scanned 2 > > messages, 6947 bytes > > in 0 seconds > > Jan 9 16:38:08 uadspa01 mailscanner[18521]: Scanning 3 > > 
messages, 12991 > > bytes > > Jan 9 16:38:09 uadspa01 mailscanner[18521]: Scanned 3 > > messages, 12991 bytes > > in 1 seconds > > Jan 9 16:38:14 uadspa01 mailscanner[18521]: Scanning 3 > > messages, 13782 > > bytes > > Jan 9 16:38:14 uadspa01 mailscanner[18521]: Scanned 3 > > messages, 13782 bytes > > in 0 seconds > > Jan 9 16:38:19 uadspa01 mailscanner[18521]: Scanning 3 > > messages, 15573 > > bytes > > Jan 9 16:38:20 uadspa01 mailscanner[18521]: Scanned 3 > > messages, 15573 bytes > > in 1 seconds > > Jan 9 16:38:25 uadspa01 mailscanner[18521]: Scanning 6 > > messages, 69217 > > bytes > > Jan 9 16:38:25 uadspa01 mailscanner[18521]: Scanned 6 > > messages, 69217 bytes > > in 0 seconds > > Jan 9 16:38:35 uadspa01 mailscanner[18521]: Scanning 5 > > messages, 20344 > > bytes > > Jan 9 16:38:35 uadspa01 mailscanner[18521]: Scanned 5 > > messages, 20344 bytes > > in 0 seconds > > Jan 9 16:38:35 uadspa01 mailscanner[18521]: Scanning 1 > > messages, 2157 bytes > > > > Jan 9 16:38:36 uadspa01 mailscanner[18521]: Scanned 1 > > messages, 2157 bytes > > in 0 seconds > > Jan 9 16:38:41 uadspa01 mailscanner[18521]: Scanning 1 > > messages, 2157 bytes > > > > Jan 9 16:38:41 uadspa01 mailscanner[18521]: Scanned 1 > > messages, 2157 bytes > > in 0 seconds > > Jan 9 16:38:46 uadspa01 mailscanner[18521]: Scanning 4 > > messages, 17190 > > bytes > > Jan 9 16:38:46 uadspa01 mailscanner[18521]: Scanned 4 > > messages, 17190 bytes > > in 0 seconds > > Jan 9 16:38:46 uadspa01 mailscanner[18521]: Scanning 1 > > messages, 4451 bytes > > -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From tony.johansson at SVENSKAKYRKAN.SE Fri Jan 10 10:19:08 2003 
From: tony.johansson at SVENSKAKYRKAN.SE (Tony Johansson)
Date: Thu Jan 12 21:16:55 2006
Subject: SV: Performance Enhancements
Message-ID: <3C4F5084EF16D4119CE700508B6B8B10058D0921@nt.svenskakyrkan.se>

>>Another thought is with Spam Assassin. I know it has the capability to run
>>in daemon mode (spamd). Does MailScanner even support this? Does running
>>spamd in daemon mode give you any performance advantage at all?

>The spamd daemon merely provides a (narrow) route to the SpamAssassin code,
>which is all written in perl. MailScanner talks to the perl code directly,
>which is considerably faster than having to poke all the files down a
>socket to it. Using spamd would be slower.

I see spamd running on my MailScanner boxes (default rpm install of
spamassassin)
I guess I could just "chkconfig spamassassin off" and MailScanner would run
just as well as before then?

regards,
Tony

From mailscanner at ecs.soton.ac.uk Fri Jan 10 10:19:42 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:55 2006
Subject: SV: Performance Enhancements
In-Reply-To: <3C4F5084EF16D4119CE700508B6B8B10058D0921@nt.svenskakyrkan.se>
Message-ID: <5.2.0.9.2.20030110101911.02da5e50@imap.ecs.soton.ac.uk>

At 10:19 10/01/2003, you wrote:
> >>Another thought is with Spam Assassin. I know it has the capability to
>run
> >>in daemon mode (spamd). Does MailScanner even support this? Does running
> >>spamd in daemon mode give you any performance advantage at all?
>
> >The spamd daemon merely provides a (narrow) route to the SpamAssassin code,
> >which is all written in perl. MailScanner talks to the perl code directly,
> >which is considerably faster than having to poke all the files down a
> >socket to it. Using spamd would be slower.
>
>I see spamd running on my MailScanner boxes (default rpm install of
>spamassassin)
>I guess I could just "chkconfig spamassassin off" and MailScanner would run
>just as well as before then?

Indeed. You don't need spamd running. You might want to do service
spamassassin stop as well.

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From j.cormie at ABERTAY.AC.UK Fri Jan 10 10:30:53 2003
From: j.cormie at ABERTAY.AC.UK (Jason Cormie)
Date: Thu Jan 12 21:16:55 2006
Subject: Spamassasin timing Out
Message-ID:

Only RBL I use is janets and that's on Exim
I'll see if I can dig up my installation notes...

vim /etc/mailscanner/mailscanner.conf
Host Name = Abertay Mailscanner 1
Virus Scanner = mcafee
Sweep = /etc/mailscanner/wrapper/mcafeewrapper
Attachment Warning Filename = alert.txt
Expand TNEF = no
Notify Senders = no
Local Postmaster = uadspa01@abertay.ac.uk
Still Deliver Quietly Deleted Viruses = no
Allow Iframe Tags = yes
SpamAssassin Auto Whitelist = no
Always Include SpamAssassin Report = yes
High SpamAssassin Score = 15
High Scoring Spam Action = delete
add a # in front of Spam List = ORDB-RBL, relays.ordb.org


vim /etc/mailscanner/spamassassin.prefs.conf
required_hits 10
skip_rbl_checks 1



-----Original Message-----
From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK]
Sent: 10, January, 2003 10:05
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Spamassasin timing Out


At 09:55 10/01/2003, you wrote:
>Strange but True...
>
>Started up mailscanner this morning using Spamassassin...
>
>And now it works...

Dodgy RBL's being used by SpamAssassin?

From paul at ESPMAIL.CO.UK Fri Jan 10 11:16:46 2003
From: paul at ESPMAIL.CO.UK (Paul Welsh)
Date: Thu Jan 12 21:16:55 2006
Subject: SpamCop vs Osirusoft
References: <5.2.0.9.2.20030110100423.02adab68@imap.ecs.soton.ac.uk>
Message-ID: <00e601c2b899$c3661730$6a0110ac@sbsplc.com>

I've been monitoring the hit rate of SpamCop and Osirusoft for the last
month. There were very few false hits. The trigger value I've used is 9
(Julian's recommendation) but I've given spamcop and osirusoft values of 7.

Here are the results for anyone who wants an idea of whether it's worth
paying for SpamCop. Naturally, there is overlap; some messages will appear
in both spamcop and osirusoft:

TOTAL                     2843
RCVD_IN_BL_SPAMCOP_NET    2247
RCVD_IN_OSIRUSOFT_COM     1595

I appreciate that Osirusoft's RBL seems to be having problems responding to
demand at the moment. That to me is another reason to go the SpamCop route.

From j.cormie at ABERTAY.AC.UK Fri Jan 10 11:17:38 2003
From: j.cormie at ABERTAY.AC.UK (Jason Cormie)
Date: Thu Jan 12 21:16:55 2006
Subject: Spamassasin timing Out
Message-ID:

Spoke too soon, mailq now lists 300 messages that have been sitting there
some for 40 minutes...
It looks like it just keeps scanning and scanning the same messages

It was working, honest :(

-----Original Message-----
From: Jason Cormie [mailto:j.cormie@ABERTAY.AC.UK]
Sent: 10, January, 2003 10:31
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Spamassasin timing Out


Only RBL I use is janets and that's on Exim
I'll see if I can dig up my installation notes...

vim /etc/mailscanner/mailscanner.conf
Host Name = Abertay Mailscanner 1
Virus Scanner = mcafee
Sweep = /etc/mailscanner/wrapper/mcafeewrapper
Attachment Warning Filename = alert.txt
Expand TNEF = no
Notify Senders = no
Local Postmaster = uadspa01@abertay.ac.uk
Still Deliver Quietly Deleted Viruses = no
Allow Iframe Tags = yes
SpamAssassin Auto Whitelist = no
Always Include SpamAssassin Report = yes
High SpamAssassin Score = 15
High Scoring Spam Action = delete
add a # in front of Spam List = ORDB-RBL, relays.ordb.org


vim /etc/mailscanner/spamassassin.prefs.conf
required_hits 10
skip_rbl_checks 1



-----Original Message-----
From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK]
Sent: 10, January, 2003 10:05
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Spamassasin timing Out


At 09:55 10/01/2003, you wrote:
>Strange but True...
>
>Started up mailscanner this morning using Spamassassin...
>
>And now it works...

Dodgy RBL's being used by SpamAssassin?

From mailscanner at ecs.soton.ac.uk Fri Jan 10 11:23:00 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:55 2006
Subject: Spamassasin timing Out
In-Reply-To:
Message-ID: <5.2.0.9.2.20030110112237.04c90860@imap.ecs.soton.ac.uk>

At 11:17 10/01/2003, you wrote:
>Spoke too soon, mailq now lists 300 messages that have been sitting there
>some for 40 minutes...
>It looks like it just keeps scanning and scanning the same messages

Anything in the logs?
If not, we'll have to do a bit of off-list debugging.

>It was working, honest :(
>
>-----Original Message-----
>From: Jason Cormie [mailto:j.cormie@ABERTAY.AC.UK]
>Sent: 10, January, 2003 10:31
>To: MAILSCANNER@JISCMAIL.AC.UK
>Subject: Re: Spamassasin timing Out
>
>
>Only RBL I use is janets and that's on Exim
>I'll see if I can dig up my installation notes...
>
>vim /etc/mailscanner/mailscanner.conf
>Host Name = Abertay Mailscanner 1
>Virus Scanner = mcafee
>Sweep = /etc/mailscanner/wrapper/mcafeewrapper
>Attachment Warning Filename = alert.txt
>Expand TNEF = no
>Notify Senders = no
>Local Postmaster = uadspa01@abertay.ac.uk
>Still Deliver Quietly Deleted Viruses = no
>Allow Iframe Tags = yes
>SpamAssassin Auto Whitelist = no
>Always Include SpamAssassin Report = yes
>High SpamAssassin Score = 15
>High Scoring Spam Action = delete
>add a # in front of Spam List = ORDB-RBL, relays.ordb.org
>
>
>vim /etc/mailscanner/spamassassin.prefs.conf
>required_hits 10
>skip_rbl_checks 1
>
>
>
>-----Original Message-----
>From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK]
>Sent: 10, January, 2003 10:05
>To: MAILSCANNER@JISCMAIL.AC.UK
>Subject: Re: Spamassasin timing Out
>
>
>At 09:55 10/01/2003, you wrote:
> >Strange but True...
> >
> >Started up mailscanner this morning using Spamassassin...
> >
> >And now it works...
>
>Dodgy RBL's being used by SpamAssassin?

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From j.cormie at ABERTAY.AC.UK Fri Jan 10 11:41:40 2003
From: j.cormie at ABERTAY.AC.UK (Jason Cormie)
Date: Thu Jan 12 21:16:55 2006
Subject: Spamassasin timing Out
Message-ID:

syslog below, nowt interesting

Just thought yesterday I ran these home-made commands to wipe out frozen and
bounces stuck in outgoing queue

exim -C/etc/exim/exim_outgoing.conf -Mrm $(mailq -C/etc/exim/exim_outgoing.conf | grep '<>' | cut -c11-27)
exim -C/etc/exim/exim_outgoing.conf -Mrm $(mailq -C/etc/exim/exim_outgoing.conf | grep '*** frozen' | cut -c11-27)

perhaps this may have had an effect?

Jan 10 10:12:49 uadspa01 mailscanner[4527]: Scanning 1 messages, 72747 bytes
Jan 10 10:12:49 uadspa01 mailscanner[4527]: Scanned 1 messages, 72747 bytes in 0 seconds
Jan 10 10:12:54 uadspa01 mailscanner[4527]: Scanning 2 messages, 10462 bytes
Jan 10 10:12:56 uadspa01 mailscanner[4527]: Scanned 2 messages, 10462 bytes in 1 seconds
Jan 10 10:13:11 uadspa01 mailscanner[4527]: Scanning 2 messages, 7242 bytes
Jan 10 10:13:31 uadspa01 mailscanner[4527]: Scanned 2 messages, 7242 bytes in 0 seconds
Jan 10 10:13:31 uadspa01 mailscanner[4527]: Scanning 1 messages, 4900 bytes
Jan 10 10:13:42 uadspa01 mailscanner[4527]: Scanned 1 messages, 4900 bytes in 1 seconds
Jan 10 10:13:42 uadspa01 mailscanner[4527]: Scanning 3 messages, 7407 bytes
Jan 10 10:14:12 uadspa01 mailscanner[4527]: Scanned 3 messages, 7407 bytes in 0 seconds
Jan 10 10:14:12 uadspa01 mailscanner[4527]: Scanning 5 messages, 62119 bytes
Jan 10 10:15:04 uadspa01 mailscanner[4527]: Scanned 5 messages, 62119 bytes in 0 seconds
Jan 10 10:15:04 uadspa01 mailscanner[4527]: Scanning 12 messages, 458227 bytes
Jan 10 10:16:57 uadspa01 mailscanner[4527]: Scanned 12 messages, 458227 bytes in 1 seconds
Jan 10 10:16:58 uadspa01 mailscanner[4527]: Scanning 24 messages, 185383 bytes
Jan 10 10:21:03 uadspa01 mailscanner[4527]: Scanned 24 messages, 185383 bytes in 2 seconds
Jan 10 10:21:03 uadspa01 mailscanner[4527]: Scanning 53 messages, 454720 bytes
Jan 10 10:23:01 uadspa01 /USR/SBIN/CRON[13362]: (mail) CMD ( if [ -x /usr/sbin/exim -a -f /etc/exim/exim.conf ]; then /usr/sbin/exim -q ; fi)
Jan 10 10:30:01 uadspa01 mailscanner[4527]: Scanned 53 messages, 454720 bytes in 3 seconds
Jan 10 10:30:03 uadspa01 mailscanner[4527]: Scanning 100 messages, 1769779 bytes
Jan 10 10:38:01 uadspa01 /USR/SBIN/CRON[14378]: (mail) CMD ( if [ -x /usr/sbin/exim -a -f /etc/exim/exim.conf ]; then /usr/sbin/exim -q ; fi)
Jan 10 10:46:26 uadspa01 mailscanner[4527]: Scanned 100 messages, 1769779 bytes in 7 seconds
Jan 10 10:46:33 uadspa01 mailscanner[4527]: Scanning 100 messages, 1097136 bytes
Jan 10 10:53:01 uadspa01 /USR/SBIN/CRON[15834]: (mail) CMD ( if [ -x /usr/sbin/exim -a -f /etc/exim/exim.conf ]; then /usr/sbin/exim -q ; fi)
Jan 10 11:00:01 uadspa01 /USR/SBIN/CRON[16467]: (root) CMD ([ -f $LOCKFILE ] && exit 0; run_mailscanner=0; if [ -f /etc/default/mailscanner ]; then . /etc/default/mailscanner; fi; [ $run_mailscanner = 0 ] && exit 0; trap "rm -f $LOCKFILE" EXIT; touch $LOCKFILE; /usr/sbin/check_mailscanner >/dev/null 2>&1; exit 0)
Jan 10 11:02:44 uadspa01 mailscanner[4527]: Scanned 100 messages, 1097136 bytes in 7 seconds
Jan 10 11:02:52 uadspa01 mailscanner[4527]: Scanning 100 messages, 814068 bytes
Jan 10 11:08:01 uadspa01 /USR/SBIN/CRON[17450]: (mail) CMD ( if [ -x /usr/sbin/exim -a -f /etc/exim/exim.conf ]; then /usr/sbin/exim -q ; fi)
Jan 10 11:19:34 uadspa01 mailscanner[4527]: Scanned 100 messages, 814068 bytes in 6 seconds
Jan 10 11:19:41 uadspa01 mailscanner[4527]: Scanning 100 messages, 2725204 bytes
Jan 10 11:23:01 uadspa01 /USR/SBIN/CRON[19029]: (mail) CMD ( if [ -x /usr/sbin/exim -a -f /etc/exim/exim.conf ]; then /usr/sbin/exim -q ; fi)

-----Original Message-----
From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK]
Sent: 10, January, 2003 11:23
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Spamassasin timing Out


At 11:17 10/01/2003, you wrote:
>Spoke too soon, mailq now lists 300 messages that have been sitting there
>some for 40 minutes...
>It looks like it just keeps scanning and scanning the same messages

Anything in the logs?
If not, we'll have to do a bit of off-list debugging.

>It was working, honest :(
>
>-----Original Message-----
>From: Jason Cormie [mailto:j.cormie@ABERTAY.AC.UK]
>Sent: 10, January, 2003 10:31
>To: MAILSCANNER@JISCMAIL.AC.UK
>Subject: Re: Spamassasin timing Out
>
>
>Only RBL I use is janets and that's on Exim
>I'll see if I can dig up my installation notes...
>
>vim /etc/mailscanner/mailscanner.conf
>Host Name = Abertay Mailscanner 1
>Virus Scanner = mcafee
>Sweep = /etc/mailscanner/wrapper/mcafeewrapper
>Attachment Warning Filename = alert.txt
>Expand TNEF = no
>Notify Senders = no
>Local Postmaster = uadspa01@abertay.ac.uk
>Still Deliver Quietly Deleted Viruses = no
>Allow Iframe Tags = yes
>SpamAssassin Auto Whitelist = no
>Always Include SpamAssassin Report = yes
>High SpamAssassin Score = 15
>High Scoring Spam Action = delete
>add a # in front of Spam List = ORDB-RBL, relays.ordb.org
>
>
>vim /etc/mailscanner/spamassassin.prefs.conf
>required_hits 10
>skip_rbl_checks 1
>
>
>
>-----Original Message-----
>From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK]
>Sent: 10, January, 2003 10:05
>To: MAILSCANNER@JISCMAIL.AC.UK
>Subject: Re: Spamassasin timing Out
>
>
>At 09:55 10/01/2003, you wrote:
> >Strange but True...
> >
> >Started up mailscanner this morning using Spamassassin...
> >
> >And now it works...
>
>Dodgy RBL's being used by SpamAssassin?

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From tony.johansson at SVENSKAKYRKAN.SE Fri Jan 10 12:25:12 2003
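Added example (not part of any poster's message and not MailScanner code): in the log excerpts quoted in this thread, the "Scanned ... in N seconds" figure stays at a few seconds while the timestamps of the matching "Scanning" and "Scanned" lines are many minutes apart. The sketch below pairs those lines per process and reports the gap; the function names, the 60-second slack and the year (syslog omits it) are assumptions.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Sample lines copied from the excerpts quoted in this thread, with the
# mail client's line wrapping undone.
SAMPLE_LOG = """\
Jan 9 15:41:45 uadspa01 mailscanner[13734]: Scanning 28 messages, 395670 bytes
Jan 9 15:48:54 uadspa01 mailscanner[13734]: Scanned 28 messages, 395670 bytes in 1 seconds
Jan 9 15:48:55 uadspa01 mailscanner[13734]: Scanning 86 messages, 813639 bytes
Jan 9 15:51:19 uadspa01 mailscanner[13734]: SpamAssassin timed out and was killed, consecutive failure 1 of 10
Jan 9 16:10:11 uadspa01 mailscanner[13734]: Scanned 86 messages, 813639 bytes in 5 seconds
Jan 9 16:30:07 uadspa01 mailscanner[13734]: Scanning 100 messages, 1024265 bytes
Jan 9 16:35:00 uadspa01 mailscanner[18521]: Scanning 100 messages, 1024265 bytes
Jan 9 16:35:07 uadspa01 mailscanner[18521]: Scanned 100 messages, 1024265 bytes in 7 seconds
Jan 10 10:30:03 uadspa01 mailscanner[4527]: Scanning 100 messages, 1769779 bytes
Jan 10 10:38:01 uadspa01 /USR/SBIN/CRON[14378]: (mail) CMD ( if [ -x /usr/sbin/exim -a -f /etc/exim/exim.conf ]; then /usr/sbin/exim -q ; fi)
Jan 10 10:46:26 uadspa01 mailscanner[4527]: Scanned 100 messages, 1769779 bytes in 7 seconds
Jan 10 11:19:41 uadspa01 mailscanner[4527]: Scanning 100 messages, 2725204 bytes
"""

LINE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<time>\d\d:\d\d:\d\d)\s+"
    r"\S+\s+mailscanner\[(?P<pid>\d+)\]:\s+(?P<msg>.*)$")
START = re.compile(r"Scanning (\d+) messages, (\d+) bytes$")
DONE = re.compile(r"Scanned (\d+) messages, (\d+) bytes in (\d+) seconds$")
TIMEOUT = re.compile(r"SpamAssassin timed out and was killed")


@dataclass
class Batch:
    pid: int
    start: datetime
    messages: int
    size: int
    end: Optional[datetime] = None     # None: no matching "Scanned" line seen
    reported_s: Optional[int] = None   # the "in N seconds" figure from the log
    sa_timeouts: int = 0

    @property
    def wall_s(self) -> Optional[int]:
        """Seconds between the 'Scanning' and 'Scanned' timestamps."""
        if self.end is None:
            return None
        return int((self.end - self.start).total_seconds())


def parse_batches(text: str, year: int = 2003) -> list:
    """Pair Scanning/Scanned lines per PID; the year is an assumption."""
    open_by_pid = {}
    batches = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # lines from other programs (cron, exim) are skipped
        ts = datetime.strptime(
            f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
        pid, msg = int(m["pid"]), m["msg"]
        if (s := START.match(msg)):
            batch = Batch(pid, ts, int(s[1]), int(s[2]))
            batches.append(batch)
            open_by_pid[pid] = batch  # any earlier open batch stays unfinished
        elif (d := DONE.match(msg)):
            batch = open_by_pid.pop(pid, None)
            if batch and (batch.messages, batch.size) == (int(d[1]), int(d[2])):
                batch.end, batch.reported_s = ts, int(d[3])
        elif TIMEOUT.search(msg) and pid in open_by_pid:
            open_by_pid[pid].sa_timeouts += 1
    return batches


def stalled(batches: list, slack_s: int = 60) -> list:
    """Batches that never completed, or whose wall-clock time exceeds the
    reported scan time by more than slack_s seconds. A batch still open at
    the end of the log may simply be in progress."""
    return [b for b in batches
            if b.end is None or b.wall_s - b.reported_s > slack_s]


if __name__ == "__main__":
    for b in stalled(parse_batches(SAMPLE_LOG)):
        state = "unfinished" if b.end is None else (
            f"wall {b.wall_s}s vs reported {b.reported_s}s")
        print(f"pid {b.pid} {b.start:%b %d %H:%M:%S} {b.messages} msgs: "
              f"{state}, SpamAssassin timeouts: {b.sa_timeouts}")
```
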
From: tony.johansson at SVENSKAKYRKAN.SE (Tony Johansson)
Date: Thu Jan 12 21:16:55 2006
Subject: Silent viruses rule file
Message-ID: <3C4F5084EF16D4119CE700508B6B8B10058D0922@nt.svenskakyrkan.se>

Hello,

I'm in the process of upgrading a MailScanner 3.25 system to 4.11

3.25 has a "viruses.to.delete.conf" file which is pretty straightforward,
one unique identifier per line.

I have problems converting this to a 4.11 rule file as I don't want to list
them all in MailScanner.conf

Has someone done this and is willing to share the rule file? (or rather the
correct syntax for the file)

regards,
Tony

From mailscanner at BARENDSE.TO Fri Jan 10 12:32:28 2003
From: mailscanner at BARENDSE.TO (Remco Barendse)
Date: Thu Jan 12 21:16:55 2006
Subject: Spam blacklist?
In-Reply-To: <5.2.0.9.2.20030109000924.02cf5068@imap.ecs.soton.ac.uk>
Message-ID:

Maybe it's possible to just give blacklisted mail the same treatment as
high scoring spam although some ppl do filtering at the client and may be
undesirable for them? The high scoring stuff isn't delivered at all here,
it's deleted.

Also we are seeing lots of Chinese spam. Complete rubbish mails without
even 1 legible character in it, only Chinese. Most of these aren't rated by
SpamAssassin, probably Chinese rules aren't implemented yet :)

Is there any other clever way to get rid of these mails? I can't filter out
all e-mails that contain some Chinese characters of some sort because we do
have some mail flow with China and their header when replying on our
e-mails will contain some Chinese characters.

I was thinking of a solution where all the characters in the body of an
e-mail are counted and if the number of Chinese characters exceeds a
certain percentage the mail would be marked as spam.

Anybody else bothered by this Chinese rubbish?

On Thu, 9 Jan 2003, Julian Field wrote:

> At 21:24 08/01/2003, you wrote:
> >Indeed, that is one possible solution.
> >
> >But not all of my boxes run spamassassin, particularly RedHat 6.2 is very
> >difficult to get SA properly installed. Lots of things to upgrade and 90%
> >of the spam problem is from or to a limited set of e-mail addresses on my
> >boxes.
> >
> >But one would think that a blacklisted mail address would be processed
> >according to high scoring rules, otherwise there isn't much use in
> >blacklisting them :)
>
> My black/white-listing isn't really connected to the SpamAssassin scoring
> code. Maybe it should be.
>
> >
> >On Wed, 8 Jan 2003, Lewis Bergman wrote:
> >
> > > On Wednesday 08 January 2003 04:24 am, Remco Barendse wrote:
> > > > I have a rule list that will mark certain messages as spam even though
> > > > there is no other reason to mark them as spam. This is working perfectly.
> > > >
> > > > I have noticed however that MailScanner will treat messages that are
> > > > marked by a blacklist rule as low scoring spam?
> > > >
> > > > Would it be possible to change this to high scoring spam? After all you
> > > > want to blacklist them. I allow low scoring spam messages to go through
> > > > but high scoring stuff is forwarded to an alternate address. I would like
> > > > to do the same for the blacklisted stuff.
> > > Why not use SA to do the RBL checks and then assign them a score which will
> > > force them into the high score category using the spam.assassin.prefs.conf
> > > file?
> > > --
> > > Lewis Bergman
> > > Texas Communications
> > > 4309 Maple St.
> > > Abilene, TX 79602-8044
> > > 915-695-6962 ext 115
> > >
> > >
> > >
>
> >--
> >This message has been scanned for viruses and
> >dangerous content by MailScanner, and is
> >believed to be clean.
>
> --
> Julian Field
> www.MailScanner.info
> MailScanner thanks transtec Computers for their support
>
>

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From Kevin.Spicer at BMRB.CO.UK Fri Jan 10 13:52:07 2003
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin)
Date: Thu Jan 12 21:16:55 2006
Subject: Spam blacklist?
Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0A32C1F@pascal.priv.bmrb.co.uk>

Spamassassin does have a rule for detecting spam in a foreign language
(haven't looked to see how it works!) - I've had some Asian spam recently &
I'm fairly sure the ones I looked at were tagged by this rule. Maybe this
rule is being triggered but there aren't enough other indicators to produce
a score above the threshold?

-----Original Message-----
From: Remco Barendse [mailto:mailscanner@BARENDSE.TO] Sent: Friday, January 10, 2003 12:32 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Spam blacklist? Maybe it's possible to just give blacklisted mail the same treatment as high scoring spam although some ppl do filtering at the client and may be undesirable for them? The high scoring stuff isn't delivered at all here, it's deleted. Also we are seeing lots of Chinese spam. Complete rubbish mails without even 1 legible character in it, only chinese. Most of these aren't rated by SpamAssassin, probably Chinese rules aren't implemented yet :) Is there any other clever way to get rid of these mails? I can't filter out all e-mails that contain some chinese characters of some sort because we do have some mail flow with china and their header when replying on our e-mails will contain some chinese characters. I was thinking of a solution where all the characters in the body of an e-mail are counted and if the number of chinese characters exceeds a certain percentage the mail would be marked as spam. Anybody else bothered by this chinese rubbish? On Thu, 9 Jan 2003, Julian Field wrote: > At 21:24 08/01/2003, you wrote: > >Indeed, that is one possible solution. > > > >But not all of my boxes run spamassassin, particularly RedHat 6.2 is very > >difficult to get SA properly installed. Lots of things to upgrade and 90% > >of the spam problem is from or to a limited set of e-mail adresses on my > >boxes. > > > >But one would think that a blacklisted mail adress would be processed > >according to high scoring rules, otherwise there isn't much use in > >blacklisting them :) > > My black/white-listing isn't really connected to the SpamAssassin scoring > code. Maybe it should be. > > > > >On Wed, 8 Jan 2003, Lewis Bergman wrote: > > > > > On Wednesday 08 January 2003 04:24 am, Remco Barendse wrote: > > > > I have a rule list that will mark certain messages as spam even though > > > > there is no other reason to mark them as spam. 
This is working perfectly. > > > > > > > > I have noticed however that MailScanner will treat messages that are > > > > marked by a blacklist rule as low scoring spam? > > > > > > > > Would it be possible to change this to high scoring spam? After all you > > > > want to blacklist them. I allow low scoring spam messages to go through > > > > but high scoring stuff is forwarded to an alternate address. I would like > > > > to do the same for the blacklisted stuff. > > > Why not use SA to do the RBL checks and then assign them a score which will > > > force them into the high score category using the spam.assassin.prefs.conf > > > file? > > > -- > > > Lewis Bergman > > > Texas Communications > > > 4309 Maple St. > > > Abilene, TX 79602-8044 > > > 915-695-6962 ext 115 > > > > > > > > > > > >-- > >This message has been scanned for viruses and > >dangerous content by MailScanner, and is > >believed to be clean. > > -- > Julian Field > www.MailScanner.info > MailScanner thanks transtec Computers for their support > > -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From mailscanner at ecs.soton.ac.uk Fri Jan 10 13:57:47 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:55 2006
Subject: Spam blacklist?
In-Reply-To:
References: <5.2.0.9.2.20030109000924.02cf5068@imap.ecs.soton.ac.uk>
Message-ID: <5.2.0.9.2.20030110135617.02b1d670@imap.ecs.soton.ac.uk>

At 12:32 10/01/2003, you wrote:
>I was thinking of a solution where all the characters in the body of an
>e-mail are counted and if the number of chinese characters exceeds a
>certain percentage the mail would be marked as spam.

How about a SpamAssassin rule that looks for several 8-bit (ie bit 7 is 1) characters in a row?
But you say you don't want to remove all chinese mail, only some of it. Difficult...
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Fri Jan 10 13:51:37 2003
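The two ideas from the "Spam blacklist?" exchange above (a percentage of Chinese characters in the body, and a run of 8-bit bytes) compared on the same input, as an added example that is not part of either post and is not MailScanner or SpamAssassin code. The 0.5 threshold, the Unicode blocks counted as Chinese, and both sample messages are constructed assumptions.

```python
import email
import re

# Assumption: these Unicode blocks stand in for "Chinese characters"
# (CJK Extension A, CJK Unified Ideographs, CJK punctuation, full-width forms).
CJK_BLOCKS = ((0x3400, 0x4DBF), (0x4E00, 0x9FFF), (0x3000, 0x303F), (0xFF00, 0xFFEF))

# Assumed value; the post only says "a certain percentage".
RATIO_THRESHOLD = 0.5


def text_parts(raw):
    """Yield (payload_bytes, charset) for each text/* part.

    Headers are never inspected, so a Chinese Subject: line on a
    legitimate reply does not count against the message.
    """
    msg = email.message_from_bytes(raw)
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            payload = part.get_payload(decode=True) or b""
            charset = part.get_content_charset() or "latin-1"
            yield (payload, charset)


def decode(payload, charset):
    """Decode a body part, tolerating bad bytes and unknown charset labels."""
    try:
        return payload.decode(charset, errors="replace")
    except LookupError:
        return payload.decode("latin-1")


def cjk_ratio(raw):
    """Fraction of non-whitespace body characters that fall in CJK_BLOCKS."""
    text = "".join(decode(p, cs) for p, cs in text_parts(raw))
    chars = [c for c in text if not c.isspace()]
    if not chars:
        return 0.0
    cjk = sum(1 for c in chars
              if any(lo <= ord(c) <= hi for lo, hi in CJK_BLOCKS))
    return cjk / len(chars)


def is_mostly_chinese(raw, threshold=RATIO_THRESHOLD):
    """The percentage test: flag only when the body is dominated by CJK text."""
    return cjk_ratio(raw) > threshold


def longest_8bit_run(raw):
    """The byte-run test: longest run of body bytes with bit 7 set."""
    runs = [len(m)
            for payload, _ in text_parts(raw)
            for m in re.findall(rb"[\x80-\xff]+", payload)]
    return max(runs, default=0)


# --- constructed sample messages (not taken from the list archive) ---
CHINESE = "\u4e2d\u6587\u5783\u573e\u90ae\u4ef6"  # six CJK characters

HEADERS = (b"Content-Type: text/plain; charset=utf-8\n"
           b"Content-Transfer-Encoding: 8bit\n\n")

# Body is nothing but Chinese text.
SPAM = (b"From: sender@example.invalid\nSubject: offer\n" + HEADERS
        + (CHINESE * 10).encode("utf-8") + b"\n")

# English reply from a correspondent in China: Chinese in the Subject
# header and a short Chinese sign-off in the body.
LEGIT = (b"From: partner@example.invalid\nSubject: Re: "
         + CHINESE.encode("utf-8") + b"\n" + HEADERS
         + b"Thanks for the quotation, we will ship on Monday.\n"
         + CHINESE.encode("utf-8") + b"\n")

if __name__ == "__main__":
    for name, raw in (("SPAM", SPAM), ("LEGIT", LEGIT)):
        print(name, round(cjk_ratio(raw), 3), is_mostly_chinese(raw),
              longest_8bit_run(raw))
```

On the constructed reply the byte-run test still sees 18 consecutive 8-bit bytes from the sign-off, while the percentage test stays well under the threshold, which is the difference between the two approaches for a site that has legitimate mail flow with China.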
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:55 2006 Subject: Spamassasin timing Out In-Reply-To: Message-ID: <5.2.0.9.2.20030110134828.02b25e88@imap.ecs.soton.ac.uk> At 11:41 10/01/2003, you wrote: >syslog below, nowt interesting >Just though yesterday I ran these home-made command to wipe out frozen and >bounces stuck in outgoing queue >exim -C/etc/exim/exim_outgoing.conf -Mrm $(mailq >-C/etc/exim/exim_outgoing.conf | grep '<>' | cut -c11-27) >exim -C/etc/exim/exim_outgoing.conf -Mrm $(mailq >-C/etc/exim/exim_outgoing.conf | grep '*** frozen' | cut -c11-27) >perhaps this may have had an effect? > >Jan 10 10:23:01 uadspa01 /USR/SBIN/CRON[13362]: (mail) CMD ( if [ -x >/usr/sbin/exim -a -f /etc/exim/exim.conf ]; then /usr/sbin/exim -q ; fi) That looks wrong. Surely you are trying to run the outgoing queue, not the mqueue.in? In that case you presumably need the "-C/etc/exim/exim_outgoing.conf" option in your cron job. It may well also be the cause of the number of messages in your incoming queue to go shooting upwards. From the fact that the PID is the same on all of these log entries, MailScanner is not crashing and restarting or anything like that. It really does think there are over 100 messages in the incoming queue. The number of bytes in each batch changes as well, so it is not rescanning exactly the same 100 messages over and over again. 
>Jan 10 10:30:01 uadspa01 mailscanner[4527]: Scanned 53 messages, 454720 >bytes in 3 seconds >Jan 10 10:30:03 uadspa01 mailscanner[4527]: Scanning 100 messages, 1769779 >bytes >Jan 10 10:38:01 uadspa01 /USR/SBIN/CRON[14378]: (mail) CMD ( if [ -x >/usr/sbin/exim -a -f /etc/exim/exim.conf ]; then /usr/sbin/exim -q ; fi) >Jan 10 10:46:26 uadspa01 mailscanner[4527]: Scanned 100 messages, 1769779 >bytes in 7 seconds >Jan 10 10:46:33 uadspa01 mailscanner[4527]: Scanning 100 messages, 1097136 >bytes >Jan 10 10:53:01 uadspa01 /USR/SBIN/CRON[15834]: (mail) CMD ( if [ -x >/usr/sbin/exim -a -f /etc/exim/exim.conf ]; then /usr/sbin/exim -q ; fi) >Jan 10 11:00:01 uadspa01 /USR/SBIN/CRON[16467]: (root) CMD ([ -f $LOCKFILE ] >&& exit 0; run_mailscanner=0; if [ -f /etc/default/mailscanner ]; then . >/etc/default/mailscanner; fi; [ $run_mailscanner = 0 ] && exit 0; trap "rm >-f $LOCKFILE" EXIT; touch $LOCKFILE; /usr/sbin/check_mailscanner >/dev/null >2>&1; exit 0) >Jan 10 11:02:44 uadspa01 mailscanner[4527]: Scanned 100 messages, 1097136 >bytes in 7 seconds >Jan 10 11:02:52 uadspa01 mailscanner[4527]: Scanning 100 messages, 814068 >bytes >Jan 10 11:08:01 uadspa01 /USR/SBIN/CRON[17450]: (mail) CMD ( if [ -x >/usr/sbin/exim -a -f /etc/exim/exim.conf ]; then /usr/sbin/exim -q ; fi) >Jan 10 11:19:34 uadspa01 mailscanner[4527]: Scanned 100 messages, 814068 >bytes in 6 seconds >Jan 10 11:19:41 uadspa01 mailscanner[4527]: Scanning 100 messages, 2725204 >bytes >Jan 10 11:23:01 uadspa01 /USR/SBIN/CRON[19029]: (mail) CMD ( if [ -x >/usr/sbin/exim -a -f /etc/exim/exim.conf ]; then /usr/sbin/exim -q ; fi) > >-----Original Message----- 
>From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] >Sent: 10, January, 2003 11:23 >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Re: Spamassasin timing Out > > >At 11:17 10/01/2003, you wrote: > >Spoke to soon, mailq now lists 300 messages that have been sitting their > >some for 40 minutes... > >It looks like it just keeps scanning and scanning the same messages > >Anything in the logs? >If not, we'll have to do a bit of off-list debugging. > > >It was working, honest :( > > > >-----Original Message----- > >From: Jason Cormie [mailto:j.cormie@ABERTAY.AC.UK] > >Sent: 10, January, 2003 10:31 > >To: MAILSCANNER@JISCMAIL.AC.UK > >Subject: Re: Spamassasin timing Out > > > > > >Only RBL I use is janets and thats on Exim > >I see if I can dig up my installation notes... > > > >vim /etc/mailscanner/mailscanner.conf > >Host Name = Abertay Mailscanner 1 > >Virus Scanner = mcafee > >Sweep = /etc/mailscanner/wrapper/mcafeewrapper > >Attachment Warning Filename = alert.txt > >Expand TNEF = no > >Notify Senders = no > >Local Postmaster = uadspa01@abertay.ac.uk > >Still Deliver Quietly Deleted Viruses = no > >Allow Iframe Tags = yes > >SpamAssassin Auto Whitelist = no > >Always Include SpamAssassin Report = yes > >High SpamAssassin Score = 15 > >High Scoring Spam Action = delete > >add a # in front of Spam List = ORDB-RBL, relays.ordb.org > > > > > >vim /etc/mailscanner/spamassassin.prefs.conf > >required_hits 10 > >skip_rbl_checks 1 > > > > > > > >-----Original Message----- 
> >From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] > >Sent: 10, January, 2003 10:05 > >To: MAILSCANNER@JISCMAIL.AC.UK > >Subject: Re: Spamassasin timing Out > > > > > >At 09:55 10/01/2003, you wrote: > > >Strange but True... > > > > > >Started up mailscanner this morning using Spamassassin... > > > > > >And now it works... > > > >Dodgy RBL's being used by SpamAssassin? > >-- >Julian Field >www.MailScanner.info >MailScanner thanks transtec Computers for their support -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Fri Jan 10 13:54:55 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:55 2006
Subject: Silent viruses rule file
In-Reply-To: <3C4F5084EF16D4119CE700508B6B8B10058D0922@nt.svenskakyrkan. se>
Message-ID: <5.2.0.9.2.20030110135202.02ba8a58@imap.ecs.soton.ac.uk>

At 12:25 10/01/2003, you wrote:
>Hello,
>
>I'm in the process of upgrading a MailScanner 3.25 system to 4.11
>
>3.25 has a "viruses.to.delete.conf" file which is pretty straightforward,
>one unique identifier per line.
>I have problems converting this to a 4.11 rule file as I don't want to list
>them all in MailScanner.conf
>
>Has someone done this and is willing to share the rule file? (or rather the
>correct syntax for the file)

It would just contain

FromOrTo: default Yaha BugBear Klez

or else

FromOrTo: *@* Yaha
FromOrTo: *@* BugBear
FromOrTo: *@* Klez
etc...

or else even

FromOrTo: *@* Yaha BugBear
FromOrTo: *@* Klez

But the first form will be slightly quicker as it can look them all up at once. There is no limit to the length of each line, so you can list dozens of viruses on each line if you want to.
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From mike at ZANKER.ORG Fri Jan 10 14:09:07 2003
From: mike at ZANKER.ORG (Mike Zanker) Date: Thu Jan 12 21:16:55 2006 Subject: IFrame and Object Codebase silent? Message-ID: <78375890.1042207747@mallard.open.ac.uk> Is it possible to "silence" these? I don't really want warnings sent to senders of spam which is where I see most of these. Thanks, Mike. From mailscanner at ecs.soton.ac.uk Fri Jan 10 14:33:40 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:55 2006 Subject: IFrame and Object Codebase silent? In-Reply-To: <78375890.1042207747@mallard.open.ac.uk> Message-ID: <5.2.0.9.2.20030110143058.04a4f1d0@imap.ecs.soton.ac.uk> At 14:09 10/01/2003, you wrote: >Is it possible to "silence" these? I don't really want warnings sent to >senders of spam which is where I see most of these. Try this: --- SweepContent.pm Sat Dec 28 22:49:56 2002 +++ /tmp/SweepContent.pm Fri Jan 10 15:47:54 2003 @@ -301,6 +301,7 @@ MailScanner::Config::LanguageValue($message, 'foundiframe') . "\n"; $message->{othertypes}{"$attach"} .= "v"; $message->{otherinfected}++; + $message->{silent} = 1; $counter++; } } @@ -317,6 +318,7 @@ MailScanner::Config::LanguageValue($message, 'foundobject') . "\n"; $message->{othertypes}{"$attach"} .= "v"; $message->{otherinfected}++; + $message->{silent} = 1; $counter++; } } -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From mike at ZANKER.ORG Fri Jan 10 14:54:56 2003 From: mike at ZANKER.ORG (Mike Zanker) Date: Thu Jan 12 21:16:55 2006 Subject: IFrame and Object Codebase silent? In-Reply-To: <5.2.0.9.2.20030110143058.04a4f1d0@imap.ecs.soton.ac.uk> References: <5.2.0.9.2.20030110143058.04a4f1d0@imap.ecs.soton.ac.uk> Message-ID: <81125125.1042210496@mallard.open.ac.uk> On 10 January 2003 14:33 +0000 Julian Field wrote: > Try this: > > --- SweepContent.pm Sat Dec 28 22:49:56 2002 [snip] Thanks - excellent service :) Mike. From j.cormie at ABERTAY.AC.UK Fri Jan 10 15:07:22 2003 
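Review bot: in the @@ -301 hunk of the SweepContent.pm patch above (the 'foundiframe' branch), `$message->{silent} = 1;` is assigned unconditionally, so the behaviour is hard-wired for every site that applies the patch, with no configuration switch and no comment saying why an iframe hit sets the flag. Suggest testing a configuration setting before the assignment and adding a one-line comment stating its purpose (suppressing the sender warning asked about in this thread).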
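Review bot: in the @@ -317 hunk of the SweepContent.pm patch above (the 'foundobject' branch), the new flag is set on `$message` as a whole, whereas the line two above it records the finding per attachment in `$message->{othertypes}{"$attach"}`. If the same message also carries another finding that should still produce a warning, a message-wide `silent = 1` may cover that one as well; worth checking how `silent` is consumed before relying on this, or scoping the flag to the attachment. The same added line appears in both branches, so a small shared helper would keep the two in step.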
From: j.cormie at ABERTAY.AC.UK (Jason Cormie) Date: Thu Jan 12 21:16:55 2006 Subject: Spamassasin timing Out Message-ID: The strange thing is that it had been working without a hitch since before Xmas :-( I have a duplicate box, built identically, which is still running fine, so I know I've messed up the other box somehow, just not sure how. -----Original Message----- 
From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] Sent: 10, January, 2003 13:52 To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Spamassasin timing Out At 11:41 10/01/2003, you wrote: >syslog below, nowt interesting >Just though yesterday I ran these home-made command to wipe out frozen and >bounces stuck in outgoing queue >exim -C/etc/exim/exim_outgoing.conf -Mrm $(mailq >-C/etc/exim/exim_outgoing.conf | grep '<>' | cut -c11-27) >exim -C/etc/exim/exim_outgoing.conf -Mrm $(mailq >-C/etc/exim/exim_outgoing.conf | grep '*** frozen' | cut -c11-27) >perhaps this may have had an effect? > >Jan 10 10:23:01 uadspa01 /USR/SBIN/CRON[13362]: (mail) CMD ( if [ -x >/usr/sbin/exim -a -f /etc/exim/exim.conf ]; then /usr/sbin/exim -q ; fi) That looks wrong. Surely you are trying to run the outgoing queue, not the mqueue.in? In that case you presumably need the "-C/etc/exim/exim_outgoing.conf" option in your cron job. It may well also be the cause of the number of messages in your incoming queue to go shooting upwards. From the fact that the PID is the same on all of these log entries, MailScanner is not crashing and restarting or anything like that. It really does think there are over 100 messages in the incoming queue. The number of bytes in each batch changes as well, so it is not rescanning exactly the same 100 messages over and over again. 
>Jan 10 10:30:01 uadspa01 mailscanner[4527]: Scanned 53 messages, 454720 >bytes in 3 seconds >Jan 10 10:30:03 uadspa01 mailscanner[4527]: Scanning 100 messages, 1769779 >bytes >Jan 10 10:38:01 uadspa01 /USR/SBIN/CRON[14378]: (mail) CMD ( if [ -x >/usr/sbin/exim -a -f /etc/exim/exim.conf ]; then /usr/sbin/exim -q ; fi) >Jan 10 10:46:26 uadspa01 mailscanner[4527]: Scanned 100 messages, 1769779 >bytes in 7 seconds >Jan 10 10:46:33 uadspa01 mailscanner[4527]: Scanning 100 messages, 1097136 >bytes >Jan 10 10:53:01 uadspa01 /USR/SBIN/CRON[15834]: (mail) CMD ( if [ -x >/usr/sbin/exim -a -f /etc/exim/exim.conf ]; then /usr/sbin/exim -q ; fi) >Jan 10 11:00:01 uadspa01 /USR/SBIN/CRON[16467]: (root) CMD ([ -f $LOCKFILE ] >&& exit 0; run_mailscanner=0; if [ -f /etc/default/mailscanner ]; then . >/etc/default/mailscanner; fi; [ $run_mailscanner = 0 ] && exit 0; trap "rm >-f $LOCKFILE" EXIT; touch $LOCKFILE; /usr/sbin/check_mailscanner >/dev/null >2>&1; exit 0) >Jan 10 11:02:44 uadspa01 mailscanner[4527]: Scanned 100 messages, 1097136 >bytes in 7 seconds >Jan 10 11:02:52 uadspa01 mailscanner[4527]: Scanning 100 messages, 814068 >bytes >Jan 10 11:08:01 uadspa01 /USR/SBIN/CRON[17450]: (mail) CMD ( if [ -x >/usr/sbin/exim -a -f /etc/exim/exim.conf ]; then /usr/sbin/exim -q ; fi) >Jan 10 11:19:34 uadspa01 mailscanner[4527]: Scanned 100 messages, 814068 >bytes in 6 seconds >Jan 10 11:19:41 uadspa01 mailscanner[4527]: Scanning 100 messages, 2725204 >bytes >Jan 10 11:23:01 uadspa01 /USR/SBIN/CRON[19029]: (mail) CMD ( if [ -x >/usr/sbin/exim -a -f /etc/exim/exim.conf ]; then /usr/sbin/exim -q ; fi) > >-----Original Message----- 
>From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] >Sent: 10, January, 2003 11:23 >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Re: Spamassasin timing Out > > >At 11:17 10/01/2003, you wrote: > >Spoke to soon, mailq now lists 300 messages that have been sitting their > >some for 40 minutes... > >It looks like it just keeps scanning and scanning the same messages > >Anything in the logs? >If not, we'll have to do a bit of off-list debugging. > > >It was working, honest :( > > > >-----Original Message----- > >From: Jason Cormie [mailto:j.cormie@ABERTAY.AC.UK] > >Sent: 10, January, 2003 10:31 > >To: MAILSCANNER@JISCMAIL.AC.UK > >Subject: Re: Spamassasin timing Out > > > > > >Only RBL I use is janets and thats on Exim > >I see if I can dig up my installation notes... > > > >vim /etc/mailscanner/mailscanner.conf > >Host Name = Abertay Mailscanner 1 > >Virus Scanner = mcafee > >Sweep = /etc/mailscanner/wrapper/mcafeewrapper > >Attachment Warning Filename = alert.txt > >Expand TNEF = no > >Notify Senders = no > >Local Postmaster = uadspa01@abertay.ac.uk > >Still Deliver Quietly Deleted Viruses = no > >Allow Iframe Tags = yes > >SpamAssassin Auto Whitelist = no > >Always Include SpamAssassin Report = yes > >High SpamAssassin Score = 15 > >High Scoring Spam Action = delete > >add a # in front of Spam List = ORDB-RBL, relays.ordb.org > > > > > >vim /etc/mailscanner/spamassassin.prefs.conf > >required_hits 10 > >skip_rbl_checks 1 > > > > > > > >-----Original Message----- 
> >From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] > >Sent: 10, January, 2003 10:05 > >To: MAILSCANNER@JISCMAIL.AC.UK > >Subject: Re: Spamassasin timing Out > > > > > >At 09:55 10/01/2003, you wrote: > > >Strange but True... > > > > > >Started up mailscanner this morning using Spamassassin... > > > > > >And now it works... > > > >Dodgy RBL's being used by SpamAssassin? > >-- >Julian Field >www.MailScanner.info >MailScanner thanks transtec Computers for their support -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From mailscanner at BARENDSE.TO Fri Jan 10 16:26:17 2003 
From: mailscanner at BARENDSE.TO (Remco Barendse)
Date: Thu Jan 12 21:16:55 2006
Subject: running html2text but still the e-mails are not completely clean?
Message-ID:

I am trying out the html2text feature.

When I look through a mail box I can see that not all html crap is removed. The filtered e-mails are about half the size before they went through the html2text filter but still there are loads of crap visible when looking at these mails in pine.

This problem mostly seems to occur when the sender is using M$ Word as their e-mail editor for Outlook, the rest is filtered out pretty nicely.

In pine loads of this chatter is visible:

@font-face { font-family: MS Mincho; } @font-face { font-family: @MS Mincho; } @page Section1 {size: 595.35pt 842.0pt; margin: 26.95pt 70.9pt 1.0in 70.9pt; mso-header-margin: .5in; mso-footer-margin: .5in; mso-paper-source: 0; } P.MsoNormal { FONT-SIZE: 12pt; MARGIN: 0in 0in 0pt; FONT-FAMILY: Arial; mso-style-parent: ""; mso-pagination: widow-orphan; mso-fareast-font-family: "MS Mincho"; mso-bidi-font-family: "Times New Roman"; mso-ansi-language: NL; mso-fareast-language: JA; mso-bidi-font-weight: bold } LI.MsoNormal { FONT-SIZE: 12pt; MARGIN: 0in 0in 0pt; FONT-FAMILY: Arial; mso-style-parent: ""; mso-pagination: widow-orphan; mso-fareast-font-family: "MS Mincho"; mso-bidi-font-family: "Times New Roman"; mso-ansi-language: NL; mso-fareast-language: JA;

Is this a bug in the filter?

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From mailscanner at ecs.soton.ac.uk Fri Jan 10 16:38:15 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:55 2006
Subject: running html2text but still the e-mails are not completely clean?
In-Reply-To:
Message-ID: <5.2.0.9.2.20030110162817.04c40b28@imap.ecs.soton.ac.uk>

At 16:26 10/01/2003, you wrote:
>I am trying out the html2text feature.
>
>When I look through a mail box I can see that not all html crap is
>removed. The filtered e-mails are about half the size before they went
>through the html2text filter but still there are loads of crap visible
>when looking at these mails in pine.
>
>This problem mostly seems to occur when the sender is using M$ Word as
>their e-mail editor for Outlook, the rest is filtered out pretty nicely.
>
>In pine loads of this chatter is visible:
>@font-face { font-family: MS Mincho; } @font-face { font-family: @MS
>Mincho; } @page Section1
>{size: 595.35pt 842.0pt; margin: 26.95pt 70.9pt 1.0in 70.9pt;
>mso-header-margin: .5in;
>mso-footer-margin: .5in; mso-paper-source: 0; } P.MsoNormal { FONT-SIZE:
>12pt; MARGIN: 0in 0in 0pt;
>FONT-FAMILY: Arial; mso-style-parent: ""; mso-pagination: widow-orphan;
>mso-fareast-font-family:
>"MS Mincho"; mso-bidi-font-family: "Times New Roman"; mso-ansi-language:
>NL; mso-fareast-language:
>JA; mso-bidi-font-weight: bold } LI.MsoNormal { FONT-SIZE: 12pt; MARGIN:
>0in 0in 0pt; FONT-FAMILY:
>Arial; mso-style-parent: ""; mso-pagination: widow-orphan;
>mso-fareast-font-family: "MS Mincho";
>mso-bidi-font-family: "Times New Roman"; mso-ansi-language: NL;
>mso-fareast-language: JA;
>
>Is this a bug in the filter?

It appears to be a problem with HTML-Parser not liking some versions of MSWord HTML. 3.26 is the latest version, which is what I distribute. I'm not sure there is very much I can immediately do about this unfortunately. I have just tried it with Office XP and the chatter you give above doesn't appear in the HTML file at all.
-- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From mailscanner at BARENDSE.TO Fri Jan 10 18:47:59 2003 From: mailscanner at BARENDSE.TO (Remco Barendse) Date: Thu Jan 12 21:16:55 2006 Subject: Orphaned, undelivered files in mqueue.in In-Reply-To: <6i4t1vcmfl5pja96m582gqpadsj96mlaqg@4ax.com> Message-ID: Ever since I changed the setting back to 5 child processes I haven't had 1 single SIGHUP since. I changed it back just 5 minutes ago to test it out and immediately after 5 minutes I saw a SIGHUP again in the maillog :( Will switch back to 5 cp's but there must be a bug somewhere related to this number. On Fri, 10 Jan 2003, Peter Peters wrote: > On Thu, 9 Jan 2003 23:31:53 +0100, you wrote: > > >Strangely enough, immediately after increasing the Max Children = setting > >back to 5 the problem disappeared and I had not had a single SIGHUP since! > > > >That is the only thing I changed and immediately solved the problem. > > Try changing it back to 2 and check whether the SIGHUP's start > reappearing again. > > -- > Peter Peters > senior netwerkbeheerder, Centrum voor Informatievoorziening, > Universiteit Twente, Postbus 217, 7500 AE Enschede > telefoon: +31 53 489 2301, fax:+31 53 489 2383, http://www.utwente.nl/civ > > -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From mailscanner at ecs.soton.ac.uk Fri Jan 10 18:54:39 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:55 2006 Subject: Orphaned, undelivered files in mqueue.in In-Reply-To: References: <6i4t1vcmfl5pja96m582gqpadsj96mlaqg@4ax.com> Message-ID: <5.2.0.9.2.20030110185333.02ab1770@imap.ecs.soton.ac.uk> The odd thing is that there are other people out there happily running with 2 or 3 processes, without any problem at all. Any chance of remote access to your server so I can take a look and try to find the problem for you? At 18:47 10/01/2003, you wrote: >Ever since I changed the setting back to 5 child processes I haven't had 1 >single SIGHUP since. I changed it back just 5 minutes ago to test it out >and immediately after 5 minutes I saw a SIGHUP again in the maillog :( > >Will switch back to 5 cp's but there must be a bug somewhere related to >this number. > >On Fri, 10 Jan 2003, Peter Peters wrote: > > > On Thu, 9 Jan 2003 23:31:53 +0100, you wrote: > > > > >Strangely enough, immediately after increasing the Max Children = setting > > >back to 5 the problem disappeared and I had not had a single SIGHUP since! > > > > > >That is the only thing I changed and immediately solved the problem. > > > > Try changing it back to 2 and check whether the SIGHUP's start > > reappearing again. > > > > -- > > Peter Peters > > senior netwerkbeheerder, Centrum voor Informatievoorziening, > > Universiteit Twente, Postbus 217, 7500 AE Enschede > > telefoon: +31 53 489 2301, fax:+31 53 489 2383, http://www.utwente.nl/civ > > > > > > >-- >This message has been scanned for viruses and >dangerous content by MailScanner, and is >believed to be clean. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From dlovelace at HOTELS.COM Fri Jan 10 18:58:17 2003 
From: dlovelace at HOTELS.COM (Dale Lovelace) Date: Thu Jan 12 21:16:55 2006 Subject: Orphaned, undelivered files in mqueue.in In-Reply-To: References: Message-ID: <1042225097.1722.1.camel@weatherwax.linux.hotels.com> Are you running mailscanner-mrtg? Check the "Restart Threshhold" in /etc/MailScanner/mailscanner-mrtg.conf if so.... Dale On Fri, 2003-01-10 at 12:47, Remco Barendse wrote: > Ever since I changed the setting back to 5 child processes I haven't had 1 > single SIGHUP since. I changed it back just 5 minutes ago to test it out > and immediately after 5 minutes I saw a SIGHUP again in the maillog :( > > Will switch back to 5 cp's but there must be a bug somewhere related to > this number. > > On Fri, 10 Jan 2003, Peter Peters wrote: > > > On Thu, 9 Jan 2003 23:31:53 +0100, you wrote: > > > > >Strangely enough, immediately after increasing the Max Children = setting > > >back to 5 the problem disappeared and I had not had a single SIGHUP since! > > > > > >That is the only thing I changed and immediately solved the problem. > > > > Try changing it back to 2 and check whether the SIGHUP's start > > reappearing again. > > > > -- > > Peter Peters > > senior netwerkbeheerder, Centrum voor Informatievoorziening, > > Universiteit Twente, Postbus 217, 7500 AE Enschede > > telefoon: +31 53 489 2301, fax:+31 53 489 2383, http://www.utwente.nl/civ > > > > > > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. From mailscanner at BARENDSE.TO Fri Jan 10 19:03:26 2003 
From: mailscanner at BARENDSE.TO (Remco Barendse) Date: Thu Jan 12 21:16:55 2006 Subject: Orphaned, undelivered files in mqueue.in In-Reply-To: <1042225097.1722.1.camel@weatherwax.linux.hotels.com> Message-ID: Indeed, I am running MailScanner-mrtg. That indeed looks like the problem! Would it be possible to fetch that number from the MailScanner.conf file instead of a separate file? On Fri, 10 Jan 2003, Dale Lovelace wrote: > Are you running mailscanner-mrtg? Check the "Restart Threshhold" in > /etc/MailScanner/mailscanner-mrtg.conf if so.... > > Dale > > On Fri, 2003-01-10 at 12:47, Remco Barendse wrote: > > Ever since I changed the setting back to 5 child processes I haven't had 1 > > single SIGHUP since. I changed it back just 5 minutes ago to test it out > > and immediately after 5 minutes I saw a SIGHUP again in the maillog :( > > > > Will switch back to 5 cp's but there must be a bug somewhere related to > > this number. > > > > On Fri, 10 Jan 2003, Peter Peters wrote: > > > > > On Thu, 9 Jan 2003 23:31:53 +0100, you wrote: > > > > > > >Strangely enough, immediately after increasing the Max Children = setting > > > >back to 5 the problem disappeared and I had not had a single SIGHUP since! > > > > > > > >That is the only thing I changed and immediately solved the problem. > > > > > > Try changing it back to 2 and check whether the SIGHUP's start > > > reappearing again. > > > > > > -- > > > Peter Peters > > > senior netwerkbeheerder, Centrum voor Informatievoorziening, > > > Universiteit Twente, Postbus 217, 7500 AE Enschede > > > telefoon: +31 53 489 2301, fax:+31 53 489 2383, http://www.utwente.nl/civ > > > > > > > > > > > > -- > > This message has been scanned for viruses and > > dangerous content by MailScanner, and is > > believed to be clean. > > -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From gerry at DORFAM.CA Fri Jan 10 20:03:04 2003 
From: gerry at DORFAM.CA (Gerry Doris)
Date: Thu Jan 12 21:16:55 2006
Subject: SV: Performance Enhancements
In-Reply-To: <5.2.0.9.2.20030110101911.02da5e50@imap.ecs.soton.ac.uk>
Message-ID:

On Fri, 10 Jan 2003, Julian Field wrote:

> >I see spamd running on my MailScanner boxes (default rpm install of
> >spamassassin)
> >I guess I could just "chkconfig spamassassin off" and MailScanner would run
> >just as well as before then?
>
> Indeed. You don't need spamd running. You might want to do
> service spamassassin stop
> as well.
> --
> Julian Field

Are you sure about this? Won't running

service spamassassin stop

turn off spamassassin not just spamd. I think you just want to make sure that you've stopped spamd not all of spamassassin...right?

--
Gerry

"The lyfe so short, the craft so long to learne" Chaucer

From mailscanner at ecs.soton.ac.uk Fri Jan 10 20:06:46 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:55 2006
Subject: SV: Performance Enhancements
In-Reply-To:
References: <5.2.0.9.2.20030110101911.02da5e50@imap.ecs.soton.ac.uk>
Message-ID: <5.2.0.9.2.20030110200453.02dadc48@imap.ecs.soton.ac.uk>

At 20:03 10/01/2003, you wrote:
>On Fri, 10 Jan 2003, Julian Field wrote:
>
> > >I see spamd running on my MailScanner boxes (default rpm install of
> > >spamassassin)
> > >I guess I could just "chkconfig spamassassin off" and MailScanner would run
> > >just as well as before then?
> >
> > Indeed. You don't need spamd running. You might want to do
> > service spamassassin stop
> > as well.
> > --
> > Julian Field
>
>Are you sure about this?

Yes.

> Won't running
>
>service spamassassin stop
>
>turn off spamassassin not just spamd. I think you just want to make sure
>that you've stopped spamd not all of spamassassin...right?

The core of SpamAssassin is just a function library, which MailScanner calls directly. All service spamassassin stop can do is stop spamd. There is no way of "turning off" SpamAssassin completely, because it is a function library which my code calls, not a background service provided by another process.
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From jjohanns at sewanee.edu Fri Jan 10 21:52:41 2003
From: jjohanns at sewanee.edu (jj)
Date: Thu Jan 12 21:16:55 2006
Subject: MailScanner_found_Cyrus_boundary_substring_problem_
In-Reply-To:
Message-ID:

Hello,

We are running version 4.11-1 of mailscanner on HP-UX 11.0 with sendmail 8.12.7, Qpopper and majordomo as our mailing list manager. When a Word file was sent as an attachment to a majordomo list it resulted in the following error: _MailScanner_found_Cyrus_boundary_substring_problem__ and the attachment was included in the message. When the same attachment is sent to individual users it is delivered normally. The sender uses Eudora on Windows 2000.

Does anyone know what the problem might be?

>--=====================_366438080==_.ALT-- > --__MailScanner_found_Cyrus_boundary_substring_problem__ Content-Type: application/msword; name="serials survey 1-03.doc"; x-mac-type="42494E41"; x-mac-creator="4D535744" Content-Transfer-Encoding: base64>Content-Disposition: attachment; filename="serials survey 1-03.doc" 0M8R4KGxGuEAAAAAAAAAAAAAAAAAAAAAPgADAP7/CQAGAAAAAAAAAAAAAAAB AAAAQwAAAAAAAAAAEAAARQAAAAEAAAD+////AAAAAEIAAAD///////////// etc.

Thanks
Johannes Johannsson

From mailscanner at BARENDSE.TO Fri Jan 10 16:26:17 2003
From: mailscanner at BARENDSE.TO (Remco Barendse)
Date: Thu Jan 12 21:16:56 2006
Subject: running html2text but still the e-mails are not completely clean?
Message-ID:

I am trying out the html2text feature.

When I look through a mail box I can see that not all html crap is removed. The filtered e-mails are about half the size before they went through the html2text filter but still there are loads of crap visible when looking at these mails in pine.

This problem mostly seems to occur when the sender is using M$ Word as their e-mail editor for Outlook, the rest is filtered out pretty nicely.

In pine loads of this chatter is visible:
@font-face { font-family: MS Mincho; } @font-face { font-family: @MS Mincho; } @page Section1 {size: 595.35pt 842.0pt; margin: 26.95pt 70.9pt 1.0in 70.9pt; mso-header-margin: .5in; mso-footer-margin: .5in; mso-paper-source: 0; } P.MsoNormal { FONT-SIZE: 12pt; MARGIN: 0in 0in 0pt; FONT-FAMILY: Arial; mso-style-parent: ""; mso-pagination: widow-orphan; mso-fareast-font-family: "MS Mincho"; mso-bidi-font-family: "Times New Roman"; mso-ansi-language: NL; mso-fareast-language: JA; mso-bidi-font-weight: bold } LI.MsoNormal { FONT-SIZE: 12pt; MARGIN: 0in 0in 0pt; FONT-FAMILY: Arial; mso-style-parent: ""; mso-pagination: widow-orphan; mso-fareast-font-family: "MS Mincho"; mso-bidi-font-family: "Times New Roman"; mso-ansi-language: NL; mso-fareast-language: JA;

Is this a bug in the filter?

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

This footnote also confirms that this email message has been swept by MIMEsweeper for the presence of computer viruses
***********************************************************************************

From mailscanner at ecs.soton.ac.uk Fri Jan 10 16:38:15 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:56 2006
Subject: running html2text but still the e-mails are not completely clean?
In-Reply-To:
Message-ID: <5.2.0.9.2.20030110162817.04c40b28@imap.ecs.soton.ac.uk>

At 16:26 10/01/2003, you wrote:
>I am trying out the html2text feature.
>
>When I look through a mail box I can see that not all html crap is
>removed. The filtered e-mails are about half the size before they went
>through the html2text filter but still there are loads of crap visible
>when looking at these mails in pine.
>
>This problem mostly seems to occur when the sender is using M$ Word as
>their e-mail editor for Outlook, the rest is filtered out pretty nicely.
>
>In pine loads of this chatter is visible:
>@font-face { font-family: MS Mincho; } @font-face { font-family: @MS
>Mincho; } @page Section1
>{size: 595.35pt 842.0pt; margin: 26.95pt 70.9pt 1.0in 70.9pt;
>mso-header-margin: .5in;
>mso-footer-margin: .5in; mso-paper-source: 0; } P.MsoNormal { FONT-SIZE:
>12pt; MARGIN: 0in 0in 0pt;
>FONT-FAMILY: Arial; mso-style-parent: ""; mso-pagination: widow-orphan;
>mso-fareast-font-family:
>"MS Mincho"; mso-bidi-font-family: "Times New Roman"; mso-ansi-language:
>NL; mso-fareast-language:
>JA; mso-bidi-font-weight: bold } LI.MsoNormal { FONT-SIZE: 12pt; MARGIN:
>0in 0in 0pt; FONT-FAMILY:
>Arial; mso-style-parent: ""; mso-pagination: widow-orphan;
>mso-fareast-font-family: "MS Mincho";
>mso-bidi-font-family: "Times New Roman"; mso-ansi-language: NL;
>mso-fareast-language: JA;
>
>Is this a bug in the filter?

It appears to be a problem with HTML-Parser not liking some versions of MSWord HTML. 3.26 is the latest version, which is what I distribute. I'm not sure there is very much I can immediately do about this unfortunately.

I have just tried it with Office XP and the chatter you give above doesn't appear in the HTML file at all.

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From dlovelace at HOTELS.COM Fri Jan 10 18:58:17 2003
From: dlovelace at HOTELS.COM (Dale Lovelace)
Date: Thu Jan 12 21:16:56 2006
Subject: Orphaned, undelivered files in mqueue.in
In-Reply-To:
References:
Message-ID: <1042225097.1722.1.camel@weatherwax.linux.hotels.com>

Are you running mailscanner-mrtg? Check the "Restart Threshhold" in
/etc/MailScanner/mailscanner-mrtg.conf if so....

Dale

On Fri, 2003-01-10 at 12:47, Remco Barendse wrote:
> Ever since I changed the setting back to 5 child processes I haven't had 1
> single SIGHUP since. I changed it back just 5 minutes ago to test it out
> and immediately after 5 minutes I saw a SIGHUP again in the maillog :(
>
> Will switch back to 5 cp's but there must be a bug somewhere related to
> this number.
>
> On Fri, 10 Jan 2003, Peter Peters wrote:
>
> > On Thu, 9 Jan 2003 23:31:53 +0100, you wrote:
> >
> > >Strangely enough, immediately after increasing the Max Children = setting
> > >back to 5 the problem disappeared and I had not had a single SIGHUP since!
> > >
> > >That is the only thing I changed and immediately solved the problem.
> >
> > Try changing it back to 2 and check whether the SIGHUP's start
> > reappearing again.
> >
> > --
> > Peter Peters
> > senior netwerkbeheerder, Centrum voor Informatievoorziening,
> > Universiteit Twente, Postbus 217, 7500 AE Enschede
> > telefoon: +31 53 489 2301, fax:+31 53 489 2383, http://www.utwente.nl/civ
> >
> >
>
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.

From mailscanner at BARENDSE.TO Fri Jan 10 18:47:59 2003
From: mailscanner at BARENDSE.TO (Remco Barendse)
Date: Thu Jan 12 21:16:56 2006
Subject: Orphaned, undelivered files in mqueue.in
In-Reply-To: <6i4t1vcmfl5pja96m582gqpadsj96mlaqg@4ax.com>
Message-ID:

Ever since I changed the setting back to 5 child processes I haven't had 1 single SIGHUP since. I changed it back just 5 minutes ago to test it out and immediately after 5 minutes I saw a SIGHUP again in the maillog :(

Will switch back to 5 cp's but there must be a bug somewhere related to this number.

On Fri, 10 Jan 2003, Peter Peters wrote:

> On Thu, 9 Jan 2003 23:31:53 +0100, you wrote:
>
> >Strangely enough, immediately after increasing the Max Children = setting
> >back to 5 the problem disappeared and I had not had a single SIGHUP since!
> >
> >That is the only thing I changed and immediately solved the problem.
>
> Try changing it back to 2 and check whether the SIGHUP's start
> reappearing again.
>
> --
> Peter Peters
> senior netwerkbeheerder, Centrum voor Informatievoorziening,
> Universiteit Twente, Postbus 217, 7500 AE Enschede
> telefoon: +31 53 489 2301, fax:+31 53 489 2383, http://www.utwente.nl/civ
>
>

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From mailscanner at BARENDSE.TO Fri Jan 10 19:03:26 2003
From: mailscanner at BARENDSE.TO (Remco Barendse)
Date: Thu Jan 12 21:16:56 2006
Subject: Orphaned, undelivered files in mqueue.in
In-Reply-To: <1042225097.1722.1.camel@weatherwax.linux.hotels.com>
Message-ID:

Indeed, I am running MailScanner-mrtg. That indeed looks like the problem!

Would it be possible to fetch that number from the MailScanner.conf file instead of a separate file?

On Fri, 10 Jan 2003, Dale Lovelace wrote:

> Are you running mailscanner-mrtg? Check the "Restart Threshhold" in
> /etc/MailScanner/mailscanner-mrtg.conf if so....
>
> Dale
>
> On Fri, 2003-01-10 at 12:47, Remco Barendse wrote:
> > Ever since I changed the setting back to 5 child processes I haven't had 1
> > single SIGHUP since. I changed it back just 5 minutes ago to test it out
> > and immediately after 5 minutes I saw a SIGHUP again in the maillog :(
> >
> > Will switch back to 5 cp's but there must be a bug somewhere related to
> > this number.
> >
> > On Fri, 10 Jan 2003, Peter Peters wrote:
> >
> > > On Thu, 9 Jan 2003 23:31:53 +0100, you wrote:
> > >
> > > >Strangely enough, immediately after increasing the Max Children = setting
> > > >back to 5 the problem disappeared and I had not had a single SIGHUP since!
> > > >
> > > >That is the only thing I changed and immediately solved the problem.
> > >
> > > Try changing it back to 2 and check whether the SIGHUP's start
> > > reappearing again.
> > >
> > > --
> > > Peter Peters
> > > senior netwerkbeheerder, Centrum voor Informatievoorziening,
> > > Universiteit Twente, Postbus 217, 7500 AE Enschede
> > > telefoon: +31 53 489 2301, fax:+31 53 489 2383, http://www.utwente.nl/civ
> > >
> > >
> >
> >
> > --
> > This message has been scanned for viruses and
> > dangerous content by MailScanner, and is
> > believed to be clean.
>
>

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From mailscanner at ecs.soton.ac.uk Fri Jan 10 18:54:39 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:56 2006
Subject: Orphaned, undelivered files in mqueue.in
In-Reply-To:
References: <6i4t1vcmfl5pja96m582gqpadsj96mlaqg@4ax.com>
Message-ID: <5.2.0.9.2.20030110185333.02ab1770@imap.ecs.soton.ac.uk>

The odd thing is that there are other people out there happily running with 2 or 3 processes, without any problem at all.

Any chance of remote access to your server so I can take a look and try to find the problem for you?

At 18:47 10/01/2003, you wrote:
>Ever since I changed the setting back to 5 child processes I haven't had 1
>single SIGHUP since. I changed it back just 5 minutes ago to test it out
>and immediately after 5 minutes I saw a SIGHUP again in the maillog :(
>
>Will switch back to 5 cp's but there must be a bug somewhere related to
>this number.
>
>On Fri, 10 Jan 2003, Peter Peters wrote:
>
> > On Thu, 9 Jan 2003 23:31:53 +0100, you wrote:
> >
> > >Strangely enough, immediately after increasing the Max Children = setting
> > >back to 5 the problem disappeared and I had not had a single SIGHUP since!
> > >
> > >That is the only thing I changed and immediately solved the problem.
> >
> > Try changing it back to 2 and check whether the SIGHUP's start
> > reappearing again.
> >
> > --
> > Peter Peters
> > senior netwerkbeheerder, Centrum voor Informatievoorziening,
> > Universiteit Twente, Postbus 217, 7500 AE Enschede
> > telefoon: +31 53 489 2301, fax:+31 53 489 2383, http://www.utwente.nl/civ
> >
> >
>
>
>--
>This message has been scanned for viruses and
>dangerous content by MailScanner, and is
>believed to be clean.

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support
From gerry at DORFAM.CA Fri Jan 10 20:03:04 2003
From: gerry at DORFAM.CA (Gerry Doris)
Date: Thu Jan 12 21:16:56 2006
Subject: SV: Performance Enhancements
In-Reply-To: <5.2.0.9.2.20030110101911.02da5e50@imap.ecs.soton.ac.uk>
Message-ID:

On Fri, 10 Jan 2003, Julian Field wrote:

> >I see spamd running on my MailScanner boxes (default rpm install of
> >spamassassin)
> >I guess I could just "chkconfig spamassassin off" and MailScanner would run
> >just as well as before then?
>
> Indeed. You don't need spamd running. You might want to do
> service spamassassin stop
> as well.
> --
> Julian Field

Are you sure about this? Won't running

service spamassassin stop

turn off spamassassin not just spamd. I think you just want to make sure
that you've stopped spamd not all of spamassassin...right?

--
Gerry

"The lyfe so short, the craft so long to learne" Chaucer

From mailscanner at ecs.soton.ac.uk Fri Jan 10 20:06:46 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:56 2006
Subject: SV: Performance Enhancements
In-Reply-To:
References: <5.2.0.9.2.20030110101911.02da5e50@imap.ecs.soton.ac.uk>
Message-ID: <5.2.0.9.2.20030110200453.02dadc48@imap.ecs.soton.ac.uk>

At 20:03 10/01/2003, you wrote:
>On Fri, 10 Jan 2003, Julian Field wrote:
>
> > >I see spamd running on my MailScanner boxes (default rpm install of
> > >spamassassin)
> > >I guess I could just "chkconfig spamassassin off" and MailScanner
> would run
> > >just as well as before then?
> >
> > Indeed. You don't need spamd running. You might want to do
> > service spamassassin stop
> > as well.
> > --
> > Julian Field
>
>Are you sure about this?

Yes.

> Won't running
>
>service spamassassin stop
>
>turn off spamassassin not just spamd. I think you just want to make sure
>that you've stopped spamd not all of spamassassin...right?

The core of SpamAssassin is just a function library, which MailScanner calls directly. All

service spamassassin stop

can do is stop spamd. There is no way of "turning off" SpamAssassin completely, because it is a function library which my code calls, not a background service provided by another process.

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Fri Jan 10 22:14:42 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:56 2006
Subject: MailScanner_found_Cyrus_boundary_substring_problem_
In-Reply-To:
References:
Message-ID: <5.2.0.9.2.20030110220655.02db5d10@imap.ecs.soton.ac.uk>

This is a result of a check used to defend against a bug in the Cyrus IMAP server which is exercised by some versions of Eudora.

You have a multipart/mixed with a multipart/alternative inside it, where the "mixed" MIME boundary is a substring of the "alternative" MIME boundary. So when MailScanner finds this situation, it changes the inner MIME boundary to be the string you saw.

However, I did test this and it worked just fine when I tested it... Are you using the latest MIME tools and so on?

It will only happen to messages created with Eudora which contain "styled" text (i.e. HTML) as well as plain text, and an attachment.

Is anyone else seeing this problem? Or could it be a majordomo problem? The fact that it doesn't occur in messages sent to individual users shows it must be at least mostly correct.

Can you send me (zipped up) the complete message sent to individual users, and the message sent out by majordomo, so I can compare them please?

At 21:52 10/01/2003, you wrote:
>Hello,
>
>We are running version 4.11-1 of mailscanner on HP-UX 11.0 with sendmail
>8.12.7, Qpopper and majordomo as our mailing list manager. When a Word file
>was sent as an attachment to a majordomo list it resulted in the following
>error: _MailScanner_found_Cyrus_boundary_substring_problem__
>and the attachment was included in the message. When the same attachment is
>sent to individual users it is delivered normally.
>The sender uses Eudora on Windows 2000.
>
>Does anyone know what the problem might be?
> > >--=====================_366438080==_.ALT-- > > >--__MailScanner_found_Cyrus_boundary_substring_problem__ >Content-Type: application/msword; name="serials survey 1-03.doc"; > x-mac-type="42494E41"; x-mac-creator="4D535744" >Content-Transfer-Encoding: base64>Content-Disposition: attachment; >filename="serials survey 1-03.doc" >0M8R4KGxGuEAAAAAAAAAAAAAAAAAAAAAPgADAP7/CQAGAAAAAAAAAAAAAAAB >AAAAQwAAAAAAAAAAEAAARQAAAAEAAAD+////AAAAAEIAAAD///////////// > >etc. > >Thanks >Johannes Johannsson -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From john.hanks at USU.EDU Sat Jan 11 00:49:30 2003 From: john.hanks at USU.EDU (John B. Hanks) Date: Thu Jan 12 21:16:56 2006 Subject: Cry for help. Message-ID: <5CA287DBA85BF649A45916B75FD20E0E1224F3@exchange01.blue.usu.edu> We are getting pounded by a (new?) virus that always sends from big@boss.com. Can someone tell me a quick and dirty way to start dropping all mail from this address? McAfee is not detecting it and I have added a block for .pif attachments, but would prefer to drop the mails altogether. Thanks jbh From mike at CAMAROSS.NET Sat Jan 11 01:05:56 2003 From: mike at CAMAROSS.NET (Mike Kercher) Date: Thu Jan 12 21:16:56 2006 Subject: Cry for help. In-Reply-To: <5CA287DBA85BF649A45916B75FD20E0E1224F3@exchange01.blue.usu.edu> Message-ID: <002401c2b90d$99911210$9901a8c0@home.middlefinger.net> Sophos has been detecting it all day today. -----Original Message----- 
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of John B. Hanks Sent: Friday, January 10, 2003 6:50 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Cry for help. We are getting pounded by a (new?) virus that always sends from big@boss.com. Can someone tell me a quick and dirty way to start dropping all mail from this address? McAfee is not detecting it and I have added a block for .pif attachments, but would prefer to drop the mails altogether. Thanks jbh From mailscanner-sub at WIREHUB.NET Sat Jan 11 01:05:22 2003 From: mailscanner-sub at WIREHUB.NET (Ben C. O. Grimm) Date: Thu Jan 12 21:16:56 2006 Subject: Cry for help. In-Reply-To: References: Message-ID: On 11 Jan 2003 01:54:23 +0100, "John B. Hanks" wrote: > We are getting pounded by a (new?) virus that always sends from > big@boss.com. Can someone tell me a quick and dirty way to start dropping > all mail from this address? McAfee is not detecting it and I have added a > block for .pif attachments, but would prefer to drop the mails altogether. We put this one in our access.db with a DISCARD (under Sendmail). Not sure what this .pif is yet, but we were blocking it anyway with the filename rule. DISCARD just saves a bit of extra work. -- - Ben C. O. Grimm ----------------- Ben.Grimm@wirehub.net - - Wirehub! Internet Engineering - http://www.wirehub.net/ - - Private Ponderings ----------- http://www.bengrimm.net/ - - Wirehub! Internet ----------- part of easynet Group plc - From john.hanks at USU.EDU Sat Jan 11 01:05:07 2003 From: john.hanks at USU.EDU (John B. Hanks) Date: Thu Jan 12 21:16:56 2006 Subject: Cry for help. Message-ID: <5CA287DBA85BF649A45916B75FD20E0E1224F4@exchange01.blue.usu.edu> Nevermind, I figured it out with /etc/mail/access and sendmail. No need to bother mailscanner with it. Thanks anyway for MailScanner being incredible. jbh > -----Original Message----- 
> From: John B. Hanks
> Sent: Friday, January 10, 2003 5:50 PM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Cry for help.
>
>
> We are getting pounded by a (new?) virus that always sends
> from big@boss.com. Can someone tell me a quick and dirty way
> to start dropping all mail from this address? McAfee is not
> detecting it and I have added a block for .pif attachments,
> but would prefer to drop the mails altogether.
>
> Thanks
>
> jbh
>

From mailscanner at BARENDSE.TO Sat Jan 11 10:53:55 2003
From: mailscanner at BARENDSE.TO (Remco Barendse)
Date: Thu Jan 12 21:16:56 2006
Subject: Cry for help.
In-Reply-To: <5CA287DBA85BF649A45916B75FD20E0E1224F3@exchange01.blue.usu.edu>
Message-ID:

Alternatively you could use the daily dats for mcafee. These are `beta', I only had a problem with them once, it was blocking one non-infected file but it's well worth the time gain :)

http://download.nai.com/products/mcafee-avert/daily_dats/DAILYDAT.ZIP

Probably you need to run a little rename command over the files in that ZIP because usually the filenames are in CAPS

Remco

On Fri, 10 Jan 2003, John B. Hanks wrote:

> We are getting pounded by a (new?) virus that always sends from
> big@boss.com. Can someone tell me a quick and dirty way to start dropping
> all mail from this address? McAfee is not detecting it and I have added a
> block for .pif attachments, but would prefer to drop the mails altogether.
>
> Thanks
>
> jbh
>

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From mailscanner at BARENDSE.TO Sat Jan 11 11:00:39 2003
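
Added example, not part of any list message and not MailScanner's own code: a Python sketch of the check Julian Field describes in the MailScanner_found_Cyrus_boundary_substring_problem_ thread above, which finds a nested multipart whose boundary contains an enclosing boundary and renames the inner one. The sample message is constructed; its outer boundary (the quoted inner boundary without ".ALT"), the numeric suffix for further renames, and the prefix-matching counter (a stand-in for a parser confused by the overlap, since the thread does not describe Cyrus's actual parsing) are assumptions.

```python
import email

# Replacement boundary quoted in the thread; %s takes a number only when
# more than one nested boundary has to be renamed (assumption of this sketch).
RENAMED = "__MailScanner_found_Cyrus_boundary_substring_problem%s__"

# Constructed sample: INNER is the boundary quoted in the thread,
# OUTER (the same string without ".ALT") is assumed.
OUTER = "=====================_366438080==_"
INNER = OUTER + ".ALT"
RAW = "\n".join([
    "From: sender@example.org",
    "To: list@example.org",
    "Subject: constructed test message",
    "MIME-Version: 1.0",
    f'Content-Type: multipart/mixed; boundary="{OUTER}"',
    "",
    f"--{OUTER}",
    f'Content-Type: multipart/alternative; boundary="{INNER}"',
    "",
    f"--{INNER}",
    "Content-Type: text/plain",
    "",
    "plain text body",
    f"--{INNER}",
    "Content-Type: text/html",
    "",
    "<html><body>styled body</body></html>",
    f"--{INNER}--",
    "",
    f"--{OUTER}",
    'Content-Type: application/msword; name="survey.doc"',
    "Content-Transfer-Encoding: base64",
    "",
    "AAAA",
    f"--{OUTER}--",
    "",
])


def boundary_conflicts(msg, ancestors=()):
    """Return (outer, inner) pairs where an enclosing boundary is a substring of a nested one."""
    found = []
    if not msg.is_multipart():
        return found
    own = msg.get_boundary()
    if own:
        found += [(outer, own) for outer in ancestors if outer in own]
        ancestors += (own,)
    for part in msg.get_payload():
        found += boundary_conflicts(part, ancestors)
    return found


def fix_boundaries(msg, ancestors=(), state=None):
    """Rename every nested boundary that contains an enclosing one; return the rename count."""
    state = {"renamed": 0} if state is None else state
    if not msg.is_multipart():
        return state["renamed"]
    own = msg.get_boundary()
    if own:
        if any(outer in own for outer in ancestors):
            own = RENAMED % (state["renamed"] or "")
            msg.set_boundary(own)  # the generator emits delimiters from this value
            state["renamed"] += 1
        ancestors += (own,)
    for part in msg.get_payload():
        fix_boundaries(part, ancestors, state)
    return state["renamed"]


def delimiter_lines(raw, boundary, prefix_match):
    """Count lines taken as delimiters of `boundary`, by prefix or by exact match."""
    marker = "--" + boundary
    lines = (line.rstrip() for line in raw.splitlines())
    if prefix_match:
        return sum(line.startswith(marker) for line in lines)
    return sum(line in (marker, marker + "--") for line in lines)


def demo():
    before = email.message_from_string(RAW)
    msg = email.message_from_string(RAW)
    renamed = fix_boundaries(msg)
    fixed = msg.as_string()
    after = email.message_from_string(fixed)
    return {
        "conflicts_before": boundary_conflicts(before),
        "prefix_hits_before": delimiter_lines(RAW, OUTER, True),
        "exact_hits_before": delimiter_lines(RAW, OUTER, False),
        "renamed": renamed,
        "conflicts_after": boundary_conflicts(after),
        "prefix_hits_after": delimiter_lines(fixed, OUTER, True),
        "inner_boundary_after": after.get_payload(0).get_boundary(),
        "types_after": [p.get_content_type() for p in after.walk()],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

Before the rename a prefix match on the outer boundary also hits the three inner delimiter lines; after it, prefix and exact matching agree and the part structure is unchanged.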
From: mailscanner at BARENDSE.TO (Remco Barendse) Date: Thu Jan 12 21:16:56 2006 Subject: Spam blacklist? In-Reply-To: <5.2.0.9.2.20030109000924.02cf5068@imap.ecs.soton.ac.uk> Message-ID: It's not really a problem, I just created another rule under low scoring spam actions where I put the same stuff as the spam blacklist rule. This does the job although if the blacklisted stuff would be treated as high scoring it would save an extra rule file. :) On Thu, 9 Jan 2003, Julian Field wrote: > At 21:24 08/01/2003, you wrote: > >Indeed, that is one possible solution. > > > >But not all of my boxes run spamassassin, particularly RedHat 6.2 is very > >difficult to get SA properly installed. Lots of things to upgrade and 90% > >of the spam problem is from or to a limited set of e-mail adresses on my > >boxes. > > > >But one would think that a blacklisted mail adress would be processed > >according to high scoring rules, otherwise there isn't much use in > >blacklisting them :) > > My black/white-listing isn't really connected to the SpamAssassin scoring > code. Maybe it should be. > > > > >On Wed, 8 Jan 2003, Lewis Bergman wrote: > > > > > On Wednesday 08 January 2003 04:24 am, Remco Barendse wrote: > > > > I have a rule list that will mark certain messages as spam even though > > > > there is no other reason to mark them as spam. This is working perfectly. > > > > > > > > I have noticed however that MailScanner will treat messages that are > > > > marked by a blacklist rule as low scoring spam? > > > > > > > > Would it be possible to change this to high scoring spam? After all you > > > > want to blacklist them. I allow low scoring spam messages to go through > > > > but high scoring stuff is forwarded to an alternate address. I would like > > > > to do the same for the blacklisted stuff. > > > Why not use SA to do the RBL checks and then assign them a score which will > > > force them into the high score category using the spam.assassin.prefs.conf > > > file? 
> > > --
> > > Lewis Bergman
> > > Texas Communications
> > > 4309 Maple St.
> > > Abilene, TX 79602-8044
> > > 915-695-6962 ext 115
> > >
> > >
> >
> >
> >--
> >This message has been scanned for viruses and
> >dangerous content by MailScanner, and is
> >believed to be clean.
>
> --
> Julian Field
> www.MailScanner.info
> MailScanner thanks transtec Computers for their support
>
>

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From Jan-Peter.Koopmann at SECEIDOS.DE Sat Jan 11 11:10:26 2003
From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann)
Date: Thu Jan 12 21:16:56 2006
Subject: AW: Cry for help.
Message-ID: <4E7026FF8A422749B1553FE508E0068007ECF3@message.intern.akctech.de>

Remco,

would you mind stopping this childish "Outlook sucks" business?

Thanks,
JP

-----Original Message-----
From: Remco Barendse [mailto:mailscanner@BARENDSE.TO]
Sent: Saturday, 11 January 2003 11:54
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Cry for help.

Alternatively you could use the daily dats for mcafee. These are `beta', I only had a problem with them once, it was blocking one non-infected file but it's well worth the time gain :)

http://download.nai.com/products/mcafee-avert/daily_dats/DAILYDAT.ZIP

Probably you need to run a little rename command over the files in that ZIP because usually the filenames are in CAPS

Remco

On Fri, 10 Jan 2003, John B. Hanks wrote:

> We are getting pounded by a (new?) virus that always sends from
> big@boss.com. Can someone tell me a quick and dirty way to start
> dropping all mail from this address? McAfee is not detecting it and I
> have added a block for .pif attachments, but would prefer to drop the
> mails altogether.
>
> Thanks
>
> jbh
>

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From mike at ZANKER.ORG Sat Jan 11 12:36:24 2003
From: mike at ZANKER.ORG (Mike Zanker) Date: Thu Jan 12 21:16:56 2006 Subject: AW: Cry for help. In-Reply-To: <4E7026FF8A422749B1553FE508E0068007ECF3@message.intern.akctech.de> References: <4E7026FF8A422749B1553FE508E0068007ECF3@message.intern.akcte ch.de> Message-ID: <148473433.1042288584@jemima.zanker.org> On 11 January 2003 12:10 +0100 Jan-Peter Koopmann wrote: > Remco, > > would you mind stopping this childish "Outlook sucks" business? Where did he say that? Mike. From brose at MED.WAYNE.EDU Sat Jan 11 15:21:44 2003 From: brose at MED.WAYNE.EDU (Rose, Bobby) Date: Thu Jan 12 21:16:56 2006 Subject: AW: Cry for help. Message-ID: It's in the header. X-message-flag. Outlook displays that marker in the message window so Outlook people would see it. It is rather childish for this... A professional mailing list. -----Original Message----- From: Mike Zanker [mailto:mike@ZANKER.ORG] Sent: Saturday, January 11, 2003 7:36 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: AW: Cry for help. On 11 January 2003 12:10 +0100 Jan-Peter Koopmann wrote: > Remco, > > would you mind stopping this childish "Outlook sucks" business? Where did he say that? Mike. From mailscanner at ecs.soton.ac.uk Sat Jan 11 17:43:46 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:56 2006 Subject: AW: Cry for help. In-Reply-To: Message-ID: <5.2.0.9.2.20030111174144.02af5b68@imap.ecs.soton.ac.uk> At 15:21 11/01/2003, you wrote: >It's in the header. X-message-flag. Outlook displays that marker in >the message window so Outlook people would see it. It is rather >childish for this... A professional mailing list. Now, now, let's call a halt to this thread. Putting things in X-headers is not worth anyone getting upset about. >-----Original Message----- 
>From: Mike Zanker [mailto:mike@ZANKER.ORG] >Sent: Saturday, January 11, 2003 7:36 AM >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Re: AW: Cry for help. > > >On 11 January 2003 12:10 +0100 Jan-Peter Koopmann > wrote: > > > Remco, > > > > would you mind stopping this childish "Outlook sucks" business? > >Where did he say that? > >Mike. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From funk.gabor at HUNETKFT.HU Sat Jan 11 23:26:46 2003 From: funk.gabor at HUNETKFT.HU (Funk Gabor) Date: Thu Jan 12 21:16:56 2006 Subject: Cry for help. - NAI-4242 is out. References: Message-ID: <003a01c2b9c8$e9d76380$2c8bded5@chello.hu> NAI 4242 is out. (incl. sobig detection) Currently download from ftp.nai.com didn't work for me, as I could only get 4241 from the ftp, but akamai worked. http://www.mcafeeb2b.com/naicommon/download/dats/find.asp G. From jscott at INFOCONEX.COM Sun Jan 12 00:07:05 2003 
From: jscott at INFOCONEX.COM (Jim Scott) Date: Thu Jan 12 21:16:56 2006 Subject: Cannot modify postmaster notify signature? Message-ID: <004301c2b9ce$8a83f320$2719a8c0@infoconex.com> Version: 4.11-1 OS: Redhat 7.x MTA: Sendmail Virus Software: F-PROT I have modified all the templates in the "en" directory replacing any of the notifications that have this -- MailScanner Email Virus Scanner www.mailscanner.info I have modified the default with my own signature. When a virus is detected it sends out notification to the sending user with the proper signature that I have created in the template. However the postmaster I specified which is me for now gets a message with the above signature. I have searched high and low and cannot seem to find the location that this is changed in. The following is the example of what I get sent to me. Notice the signature is the default. Anyone know were this can be changed for the notification email that is sent to the postmaster? <-- Begin Sample --> The following e-mail messages were found to have viruses in them: Sender: IP Address: 213.163.105.2 Recipient: d1cdvvpfsswu94@somedain.com Subject: You are so sweet MessageID: h0BJdKW29137 Report: /var/spool/MailScanner/incoming/27694/h0BJdKW29137/love.scr Infection: W32/Lentin.H@mm Windows Screensavers are often used to hide viruses (love.scr) -- MailScanner Email Virus Scanner www.mailscanner.info <-- End Sample --> Thanks Jim Scott From Kevin.Spicer at BMRB.CO.UK Sun Jan 12 00:48:45 2003 From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin) Date: Thu Jan 12 21:16:56 2006 Subject: Cannot modify postmaster notify signature? Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0A32C20@pascal.priv.bmrb.co.uk> Its hardcoded in MessageBatch.pm (in /usr/lib/MailScanner/MailScanner/ on my system) > -----Original Message----- 
> From: Jim Scott [mailto:jscott@INFOCONEX.COM] > Sent: 12 January 2003 00:07 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: [MAILSCANNER] Cannot modify postmaster notify signature? > > > Version: 4.11-1 > OS: Redhat 7.x > MTA: Sendmail > Virus Software: F-PROT > > I have modified all the templates in the "en" directory > replacing any of the > notifications that have this > > -- > MailScanner > Email Virus Scanner > www.mailscanner.info > > > I have modified the default with my own signature. When a > virus is detected it sends > out notification to the sending user with the proper > signature that I have created in > the template. However the postmaster I specified which is me > for now gets a message > with the above signature. I have searched high and low and > cannot seem to find the > location that this is changed in. > > The following is the example of what I get sent to me. Notice > the signature is the > default. Anyone know were this can be changed for the > notification email that is sent > to the postmaster? > > <-- Begin Sample --> > > The following e-mail messages were found to have viruses in them: > > Sender: > IP Address: 213.163.105.2 > Recipient: d1cdvvpfsswu94@somedain.com > Subject: You are so sweet > MessageID: h0BJdKW29137 > Report: > /var/spool/MailScanner/incoming/27694/h0BJdKW29137/love.scr > Infection: > W32/Lentin.H@mm > Windows Screensavers are often used to hide viruses (love.scr) > > > -- > MailScanner > Email Virus Scanner > www.mailscanner.info > > <-- End Sample --> > > Thanks > Jim Scott > From jscott at INFOCONEX.COM Sun Jan 12 00:56:27 2003 From: jscott at INFOCONEX.COM (Jim Scott) Date: Thu Jan 12 21:16:56 2006 Subject: Cannot modify postmaster notify signature? References: <5C0296D26910694BB9A9BBFC577E7AB0A32C20@pascal.priv.bmrb.co.uk> Message-ID: <008401c2b9d5$70045560$2719a8c0@infoconex.com> > -----Original Message----- 
> From: Jim Scott [mailto:jscott@INFOCONEX.COM] > Sent: 12 January 2003 00:07 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: [MAILSCANNER] Cannot modify postmaster notify signature? > > > Version: 4.11-1 > OS: Redhat 7.x > MTA: Sendmail > Virus Software: F-PROT > > I have modified all the templates in the "en" directory > replacing any of the > notifications that have this > > -- > MailScanner > Email Virus Scanner > www.mailscanner.info > > > I have modified the default with my own signature. When a > virus is detected it sends > out notification to the sending user with the proper > signature that I have created in > the template. However the postmaster I specified which is me > for now gets a message > with the above signature. I have searched high and low and > cannot seem to find the > location that this is changed in. > > The following is the example of what I get sent to me. Notice > the signature is the > default. Anyone know were this can be changed for the > notification email that is sent > to the postmaster? > > <-- Begin Sample --> > > The following e-mail messages were found to have viruses in them: > > Sender: > IP Address: 213.163.105.2 > Recipient: d1cdvvpfsswu94@somedain.com > Subject: You are so sweet > MessageID: h0BJdKW29137 > Report: > /var/spool/MailScanner/incoming/27694/h0BJdKW29137/love.scr > Infection: > W32/Lentin.H@mm > Windows Screensavers are often used to hide viruses (love.scr) > > > -- > MailScanner > Email Virus Scanner > www.mailscanner.info > > <-- End Sample --> > > Thanks > Jim Scott > >->---- Original Message ----- 
>>From: "Spicer, Kevin"
>>To:
>>Sent: Saturday, January 11, 2003 4:48 PM
>>Subject: Re: Cannot modify postmaster notify signature?
>>
>>
>>It's hardcoded in MessageBatch.pm (in /usr/lib/MailScanner/MailScanner/ on my system)

I modified that one already thinking the same thing. Still get the same signature.
Evidently even though it looks like that would fix it, it must be hardcoded somewhere
else.

Jim

From Kevin.Spicer at BMRB.CO.UK Sun Jan 12 01:28:24 2003
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin)
Date: Thu Jan 12 21:16:56 2006
Subject: Cannot modify postmaster notify signature?
Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0A4ACFE@pascal.priv.bmrb.co.uk>

> >>It's hardcoded in MessageBatch.pm (in
> /usr/lib/MailScanner/MailScanner/ on my
> system)
>
>
> I modified that one already thinking the same thing. Still
> get the same signature.
> Evidently even though it looks like that would fix it, it
> must be hardcoded somewhere
> else.
>
> Jim

I just tested that on my system and it definitely works (MS4.10)

Did you stop and restart mailscanner (just doing a reload isn't enough)?
Have you by any chance got two versions of MS installed in different directories and maybe changed the non-current one (long shot!)

The line I changed was...

    $notices{$postie} . "\n-- \nMailScanner\nEmail Virus Scanner\n" . "www.mailscanner.info\n";

which is line 587 in MessageBatch.pm in release 4.10

From P.G.M.Peters at civ.utwente.nl Sun Jan 12 12:44:32 2003
From: P.G.M.Peters at civ.utwente.nl (Peter Peters)
Date: Thu Jan 12 21:16:56 2006
Subject: AW: Cry for help.
In-Reply-To: <5.2.0.9.2.20030111174144.02af5b68@imap.ecs.soton.ac.uk>
References: <5.2.0.9.2.20030111174144.02af5b68@imap.ecs.soton.ac.uk>
Message-ID: <2no22v0gthlooki0elibfo4ornfmh3kdm3@4ax.com>

On Sat, 11 Jan 2003 17:43:46 +0000, you wrote:

>At 15:21 11/01/2003, you wrote:
>>It's in the header. X-message-flag. Outlook displays that marker in
>>the message window so Outlook people would see it. It is rather
>>childish for this... A professional mailing list.
>
>Now, now, let's call a halt to this thread.
>Putting things in X-headers is not worth anyone getting upset about.

But complaining about using AW: instead of Re: in the subject of replies is. That can (and will in a number of places) break threading.

--
Peter Peters
senior network administrator, Centrum voor Informatievoorziening,
Universiteit Twente, Postbus 217, 7500 AE Enschede
telephone: +31 53 489 2301, fax: +31 53 489 2383, http://www.utwente.nl/civ

From paul.hamilton at sme-ecom.co.uk Sun Jan 12 14:14:51 2003
From: paul.hamilton at sme-ecom.co.uk (Paul Hamilton)
Date: Thu Jan 12 21:16:56 2006
Subject: Setting up Black & Whitelists by domain
Message-ID: <000001c2ba44$f9961420$fc32000a@4>

Hi all,

Is anyone willing to share their Black & Whitelist rulesets for 'By Domain' config?

We have set up rulesets in the MailScanner.conf for Black & Whitelisting as follows:

    /opt/rules/blacklist.rules
    /opt/rules/whitelist.rules

Both have the default as:

    FromTo: default no

Further to this we have created the following directory:

    /opt/bydomain

Within this we have further directories which represent the individual domains we wish to allow control over their own Black & White lists, e.g. sme-ecom.co.uk. This directory then has its own blacklist & whitelist.rules files.

The problem we have is that every time we add to /opt/rules/blacklist.rules the following:

    FromTo: default no
    To: *@sme-ecom.co.uk /opt/bydomain/sme-ecom.co.uk/blacklist.rules

we get a syntax error in our logs as shown here:

    "Syntax error in line 2 of ruleset file /opt/rules/spam.blacklist.rules for keyword spamblacklist
    Jan 12 14:02:21 cobaltxxxx MailScanner[3589]: Aborting due to syntax errors in /opt/rules/spam.blacklist.rules.

The same happens when we try to set the Whitelist rules.

Could anyone guide us or point out the errors of our ways - can this be done?

Many thanks in advance.

Paul H.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030112/214e9b78/attachment.html

From Kevin.Spicer at BMRB.CO.UK Sun Jan 12 14:55:32 2003
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin)
Date: Thu Jan 12 21:16:56 2006
Subject: Setting up Black & Whitelists by domain
Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0A4ACFF@pascal.priv.bmrb.co.uk>

> The problem we have is that every time we add to /opt/rules/blacklist.rules the following:
>
> FromTo: default no
> To: *@sme-ecom.co.uk /opt/bydomain/sme-ecom.co.uk/blacklist.rules
>
> we get a syntax error in our logs as shown here:
>
> "Syntax error in line 2 of ruleset file /opt/rules/spam.blacklist.rules for keyword
> spamblacklist
> Jan 12 14:02:21 cobaltxxxx MailScanner[3589]: Aborting due to syntax errors in
> /opt/rules/spam.blacklist.rules.
>
> The same happens when we try to set the Whitelist rules.
>
> Could anyone guide us or point out the errors of our ways - can this be done?

You are trying to specify a ruleset as the result of a ruleset, whereas you should only specify a yes or no (or whatever the legal values are for that option in the config file).

I don't know any easy way of achieving what you want to do, if it's not possible to combine all the rules you want into a single ruleset. If you are running a version of MS since 4.03 and you know some perl you could get your hands dirty and write a custom function in CustomConfig.pm to handle this (see the top of the config file for details about how to call this function). I imagine it would be possible to achieve what you want like that.

From mailscanner at ecs.soton.ac.uk Sun Jan 12 15:35:59 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:56 2006
Subject: Setting up Black & Whitelists by domain
In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB0A4ACFF@pascal.priv.bmrb.co.uk>
Message-ID: <5.2.0.9.2.20030112151646.02531500@imap.ecs.soton.ac.uk>

At 14:55 12/01/2003, you wrote:
> > The problem we have is that every time we add to
> > /opt/rules/blacklist.rules the following:
> >
> > FromTo: default no
> > To: *@sme-ecom.co.uk /opt/bydomain/sme-ecom.co.uk/blacklist.rules
> >
> > we get a syntax error in our logs as shown here:
> >
> > "Syntax error in line 2 of ruleset file /opt/rules/spam.blacklist.rules
> > for keyword spamblacklist
> > Jan 12 14:02:21 cobaltxxxx MailScanner[3589]: Aborting due to syntax
> > errors in /opt/rules/spam.blacklist.rules.
> >
> > The same happens when we try to set the Whitelist rules.
> >
> > Could anyone guide us or point out the errors of our ways - can this
> > be done?
>
>You are trying to specify a ruleset as the result of a ruleset, whereas
>you should only specify a yes or no (or whatever the legal values are for
>that option in the config file).
>
>I don't know any easy way of achieving what you want to do, if it's not
>possible to combine all the rules you want into a single ruleset. If you
>are running a version of MS since 4.03 and you know some perl you could
>get your hands dirty and write a custom function in
>CustomConfig.pm to handle this (see the top of the config file for details
>about how to call this function). I imagine it would be possible to
>achieve what you want like that.

Just to confirm that you are quite right. I haven't yet come up with a way of having rulesets within rulesets, which is what this would need.

Currently you will have to write some custom function to do it for you. Shouldn't be too hard to do, especially if it's only a simple (but possibly long) ruleset for each domain. If each black/white-listed address is either a complete address or a domain name (so no "*" characters anywhere), then the end result will be very fast too.

Thinking further, we have a dir "/opt/bydomain" which contains 2 subdirectories, "blacklist" and "whitelist".
Each of those directories contains a file named after each domain. So for "example.com" there will be /opt/bydomain/whitelist/example.com and /opt/bydomain/blacklist/example.com.
Each of the example.com files can contain entries of the form
    user@address.spam.com
and
    address.spam.com
and that's all. Keeping it restricted to this makes life a lot easier later.

I'll get back to the list shortly about this, it's probably worth me writing an implementation of this as it is going to be a common requirement.

For a sample domain "example.com", there is a file "example.com.white" and "example.com.black".
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Sun Jan 12 16:33:21 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:56 2006
Subject: Setting up Black & Whitelists by domain
In-Reply-To: <5.2.0.9.2.20030112151646.02531500@imap.ecs.soton.ac.uk>
References: <5C0296D26910694BB9A9BBFC577E7AB0A4ACFF@pascal.priv.bmrb.co.uk>
Message-ID: <5.2.0.9.2.20030112162449.0269ec00@imap.ecs.soton.ac.uk>

Okay, I've moved the directories to be
    /etc/MailScanner/spam.bydomain/whitelist
and
    /etc/MailScanner/spam.bydomain/blacklist
but otherwise it is pretty much as I said in my previous posting (included at the bottom of this message).

The patch to CustomConfig.pm I have attached has *not* been tested. So give it a go and see if it works. If you know some perl, please find all the bugs and mail me the corrections :-)

If it works (or once it works after you have found all the bugs for me) then feel free to use it.

To use it, you will need to set these in your MailScanner.conf file:

    Is Definitely Not Spam = &ByDomainSpamWhitelist
    Is Definitely Spam = &ByDomainSpamBlacklist

At 15:35 12/01/2003, you wrote:
>Currently you will have to write some custom function to do it for you.
>Shouldn't be too hard to do, especially if it's only a simple (but possibly
>long) ruleset for each domain. If each black/white-listed address is either
>a complete address or a domain name (so no "*" characters anywhere), then
>the end result will be very fast too.
>
>Thinking further, we have a dir "/opt/bydomain" which contains 2
>subdirectories, "blacklist" and "whitelist".
>Each of those directories contains a file named after each domain. So for
>"example.com" there will be /opt/bydomain/whitelist/example.com and
>/opt/bydomain/blacklist/example.com.
>Each of the example.com files can contain entries of the form
>         user@address.spam.com
>and
>         address.spam.com
>and that's all. Keeping it restricted to this makes life a lot easier later.
>
>I'll get back to the list shortly about this, it's probably worth me
>writing an implementation of this as it is going to be a common requirement.
>--
>Julian Field
>www.MailScanner.info
>MailScanner thanks transtec Computers for their support

-------------- next part --------------
A non-text attachment was scrubbed...
Name: CustomConfig.pm.patch
Type: application/octet-stream
Size: 4028 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030112/24ff20e7/CustomConfig.pm.obj
-------------- next part --------------
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From paul.hamilton at sme-ecom.co.uk Sun Jan 12 19:39:47 2003
From: paul.hamilton at sme-ecom.co.uk (Paul Hamilton)
Date: Thu Jan 12 21:16:56 2006
Subject: FW: Setting up Black & Whitelists by domain
Message-ID: <000501c2ba72$5dbb76c0$fc32000a@4>

You Wrote:

>Each of those directories contains a file named after each domain. So for
>"example.com" there will be /opt/bydomain/whitelist/example.com and
>/opt/bydomain/blacklist/example.com.
>Each of the example.com files can contain entries of the form
>         user@address.spam.com
>and
>         address.spam.com
>and that's all. Keeping it restricted to this makes life a lot easier later.

****************************************************************************
Jules,

Thanks for this, will test and come back, just a couple of questions:

Can we still add the default function for each domain?
Do we still require 'FromTo:' i.e

So whitelist/example.com - would look like:

FromTo: default no
FromTo: user@address.spam.com yes
FromTo: address.spam.com yes

or should it be:

default no
user@address.spam.com yes
address.spam.com yes

Regards
Paul H.
****************************************************************************

>I'll get back to the list shortly about this, it's probably worth me
>writing an implementation of this as it is going to be a common requirement.
>--
>Julian Field
>www.MailScanner.info
>MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Sun Jan 12 19:46:14 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:56 2006
Subject: FW: Setting up Black & Whitelists by domain
In-Reply-To: <000501c2ba72$5dbb76c0$fc32000a@4>
Message-ID: <5.2.0.9.2.20030112194407.0207fe70@imap.ecs.soton.ac.uk>

At 19:39 12/01/2003, you wrote:
>You Wrote:
>
> >Each of those directories contains a file named after each domain. So for
> >"example.com" there will be /opt/bydomain/whitelist/example.com and
> >/opt/bydomain/blacklist/example.com.
> >Each of the example.com files can contain entries of the form
> >         user@address.spam.com
> >and
> >         address.spam.com
> >and that's all. Keeping it restricted to this makes life a lot easier
>later.
>
>****************************************************************************
>Jules,
>
>Thanks for this, will test and come back, just a couple of questions:
>
>Can we still add the default function for each domain?
>Do we still require 'FromTo:' i.e
>
>So whitelist/example.com - would look like:
>
>FromTo: default no
>FromTo: user@address.spam.com yes
>FromTo: address.spam.com yes
>
>or should it be:
>
>default no
>user@address.spam.com yes
>address.spam.com yes

It's even simpler than that:

user@address.spam.com
address.spam.com
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Sun Jan 12 20:00:10 2003
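The lookup described in this thread (one file per recipient domain, each entry a full address or a bare domain), as an added stand-alone Perl example; it is not the CustomConfig.pm.patch attached above and does not use MailScanner's internal API. The names safe_domain, load_list and sender_listed, the sample addresses, exact (not subdomain) matching of domain entries, and the validation of the recipient domain before it is used as a file name are assumptions of this example.

```perl
#!/usr/bin/perl
# Added example, not the patch from this thread.
use strict;
use warnings;
use File::Spec;
use File::Temp qw(tempdir);

# The recipient's domain becomes a file name, so accept only plain DNS
# names. The pattern allows no "/" and no empty label, so ".." and
# absolute paths can never reach the file system.
sub safe_domain {
    my ($domain) = @_;
    return undef unless defined $domain && length($domain) <= 253;
    $domain = lc $domain;
    my $label = qr/[a-z0-9](?:[a-z0-9-]*[a-z0-9])?/;
    return $domain =~ /\A$label(?:\.$label)*\z/ ? $domain : undef;
}

# Read one per-domain file into a hash. Each line is "user@domain" or
# "domain"; blank lines and anything with whitespace or "*" are skipped.
# A missing or unreadable file gives an empty list, so nothing is listed.
sub load_list {
    my ($file) = @_;
    my %entries;
    open(my $fh, '<', $file) or return \%entries;
    while (my $line = <$fh>) {
        $line =~ s/\A\s+|\s+\z//g;
        next if $line eq '' || $line =~ /[\s*]/;
        $entries{lc $line} = 1;
    }
    close $fh;
    return \%entries;
}

# Returns 1 if $sender is in the list kept for $recipient's domain, else 0.
# $listdir is the whitelist or the blacklist directory.
sub sender_listed {
    my ($listdir, $sender, $recipient) = @_;
    return 0 unless defined $sender && defined $recipient;
    return 0 unless $recipient =~ /\@([^\@\s]+)\z/;
    my $rcpt_domain = safe_domain($1);
    return 0 unless defined $rcpt_domain;
    return 0 unless lc($sender) =~ /\A[^\@\s]+\@([^\@\s]+)\z/;
    my $sender_domain = $1;
    my $list = load_list(File::Spec->catfile($listdir, $rcpt_domain));
    return ($list->{lc $sender} || $list->{$sender_domain}) ? 1 : 0;
}

# Constructed sample data. The temporary directory stands in for
# /etc/MailScanner/spam.bydomain.
my $base  = tempdir(CLEANUP => 1);
my %files = (
    'whitelist/example.com' => "friend\@partner.example\ntrusted.example\n",
    'blacklist/example.com' => "address.spam.com\n",
);
for my $kind (qw(whitelist blacklist)) {
    mkdir File::Spec->catdir($base, $kind) or die "mkdir $kind: $!";
}
for my $rel (sort keys %files) {
    my $path = File::Spec->catfile($base, split m{/}, $rel);
    open(my $out, '>', $path) or die "open $path: $!";
    print {$out} $files{$rel};
    close $out or die "close $path: $!";
}
my $white = File::Spec->catdir($base, 'whitelist');
my $black = File::Spec->catdir($base, 'blacklist');

# Each case: list directory, sender, recipient, expected result.
my @cases = (
    [$white, 'friend@partner.example', 'user@example.com',   1],  # full address entry
    [$white, 'other@partner.example',  'user@example.com',   0],  # only one user listed
    [$white, 'Anyone@Trusted.Example', 'user@example.com',   1],  # domain entry, any case
    [$black, 'x@address.spam.com',     'user@example.com',   1],  # blacklist domain entry
    [$white, 'friend@partner.example', 'user@other.example', 0],  # no file for the domain
    # Without safe_domain this name would resolve to the example.com file.
    [$white, 'friend@partner.example', 'user@../whitelist/example.com', 0],
);
for my $case (@cases) {
    my ($dir, $from, $to, $want) = @$case;
    my $got = sender_listed($dir, $from, $to);
    die "unexpected result for $from to $to\n" unless $got == $want;
    printf "%-24s to %-30s %s\n", $from, $to, $got ? 'listed' : 'not listed';
}
```

Because each file is loaded into a hash, a lookup costs two hash probes however long the list is, which is the speed benefit of keeping entries free of "*".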
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:56 2006
Subject: FW: Setting up Black & Whitelists by domain
In-Reply-To: <5.2.0.9.2.20030112194407.0207fe70@imap.ecs.soton.ac.uk>
References: <000501c2ba72$5dbb76c0$fc32000a@4>
Message-ID: <5.2.0.9.2.20030112195905.02b75e10@imap.ecs.soton.ac.uk>

At 19:46 12/01/2003, you wrote:
>At 19:39 12/01/2003, you wrote:
>>You Wrote:
>>
>> >Each of those directories contains a file named after each domain. So for
>> >"example.com" there will be /opt/bydomain/whitelist/example.com and
>> >/opt/bydomain/blacklist/example.com.
>> >Each of the example.com files can contain entries of the form
>> >         user@address.spam.com
>> >and
>> >         address.spam.com
>> >and that's all. Keeping it restricted to this makes life a lot easier
>>later.
>>
>>****************************************************************************
>>Jules,
>>
>>Thanks for this, will test and come back, just a couple of questions:
>>
>>Can we still add the default function for each domain?

No, my patch assumes that the default is no. If you need this to be "yes" for some reason, get back to me.
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From jscott at INFOCONEX.COM Mon Jan 13 04:37:46 2003
From: jscott at INFOCONEX.COM (Jim Scott)
Date: Thu Jan 12 21:16:56 2006
Subject: Redhat 7.x startup script?
Message-ID: <021a01c2babd$8743d4b0$1b19a8c0@jimlaptop>

I have been changing config files and restarting and assuming that the mailscanner service was stopping and starting. Turns out it was not. I have installed 4.11-1 from source on my box. Does someone have a script that works?

I have already tried the one listed on the website oldnews section and it does not stop the process. Just reports failed.

Any help appreciated.

Thanks
Jim

From jscott at INFOCONEX.COM Mon Jan 13 04:41:28 2003
From: jscott at INFOCONEX.COM (Jim Scott)
Date: Thu Jan 12 21:16:56 2006
Subject: Cannot modify postmaster notify signature?
References: <5C0296D26910694BB9A9BBFC577E7AB0A32C20@pascal.priv.bmrb.co.uk>
Message-ID: <022101c2babe$0a9eb140$1b19a8c0@jimlaptop>

Kevin, thanks. After you mentioned restarting I first discounted that as I had stopped and started it many times thinking the same thing. I then thought that since you made the same change and it worked that I must be doing something wrong. I stopped the service and then went to look and mailscanner was still running. Looks like the redhat startup script I am using starts the service fine, however stopping it does not work. Only shuts down the sendmail services.

Thanks for your help. If you have a script for redhat I would appreciate it. If not no big deal as I have posted the issue to the list.

After rebooting my machine the modification started working.

Jim

----- Original Message -----
From: "Spicer, Kevin"
To:
Sent: Saturday, January 11, 2003 4:48 PM
Subject: Re: Cannot modify postmaster notify signature?

It's hardcoded in MessageBatch.pm (in /usr/lib/MailScanner/MailScanner/ on my system)

> -----Original Message-----
From todd.williams at TFCCI.COM Mon Jan 13 04:52:46 2003
From: todd.williams at TFCCI.COM (Todd Williams)
Date: Thu Jan 12 21:16:56 2006
Subject: Couple of things for the next version
Message-ID: <200301130452.XAA09011@twister.tfcc.com>

Hi all,

Just an FYI, found a couple of minor issues...

In 4.11-1, there is a problem with the antivir-wrapper shell script, which makes your cron attempt to use the generic update script each time it runs -- at least it did on my system. Not a biggie, but may help save some confusion. The variable definitions were in perl style, which didn't work with #!/bin/sh. :)

Fix: (Your distribution may vary.) In /usr/lib/MailScanner/antivir-wrapper

#$PackageDir=/usr/lib/AntiVir
#$prog=antivir
PackageDir=/usr/lib/AntiVir
prog=antivir

Also, one other thing to note. The mcafee-autoupdate script requires the Net::FTP perl module to be installed. This isn't mentioned much of anywhere else, so arguably perhaps the MailScanner module should list this as a pre-requisite, especially if McAfee is to be used and autoupdated? It seems the McAfee script is the only autoupdate script requiring this, but it's important to note. Also, there is no "update failed" log entry generated or any other indication that the autoupdate failed.

Hope this helps someone.

Thanks,

Todd

From todd.williams at TFCCI.COM Mon Jan 13 04:59:34 2003
From: todd.williams at TFCCI.COM (Todd Williams)
Date: Thu Jan 12 21:16:56 2006
Subject: Redhat Startup Script issue?
Message-ID: <200301130459.XAA09272@twister.tfcc.com>

Hi folks,

It seems to me there is an issue with the init script on RedHat. When the init script (*/init.d/MailScanner) does pid=`pidofproc MailScanner` it finds itself running (the init script -- maybe NOT the MailScanner program!) This could give you a false positive to make you think the MailScanner is scanning messages, and it may not be running.

The init script's status and reload functions are affected -- it could find the init script and/or the MailScanner perl program running.

I'm not sure how the best way to get around this might be... Perhaps rename the init script? Julian, any thoughts?

Thanks,

Todd

From jscott at INFOCONEX.COM Mon Jan 13 05:04:52 2003
From: jscott at INFOCONEX.COM (Jim Scott)
Date: Thu Jan 12 21:16:56 2006
Subject: Redhat 7.x startup script?
References: <021a01c2babd$8743d4b0$1b19a8c0@jimlaptop>
Message-ID: <02b601c2bac1$4e603ea0$1b19a8c0@jimlaptop>

Found the problem. The startup script that I got refers to mailscanner in lowercase. The script is running as MailScanner

changing this:

    killproc mailscanner

to this:

    killproc MailScanner

Also updating in status area of script worked as well. Things now stop correctly and report status properly.

Jim

----- Original Message -----
From:
To:
Sent: Sunday, January 12, 2003 8:37 PM
Subject: Redhat 7.x startup script?

I have been changing config files and restarting and assuming that the mailscanner service was stopping and starting. Turns out it was not. I have installed 4.11-1 from source on my box. Does someone have a script that works?

I have already tried the one listed on the website oldnews section and it does not stop the process. Just reports failed.

Any help appreciated.

Thanks
Jim

From jscott at INFOCONEX.COM Mon Jan 13 05:11:10 2003
From: jscott at INFOCONEX.COM (Jim Scott)
Date: Thu Jan 12 21:16:56 2006
Subject: Redhat Startup Script issue?
References: <200301130459.XAA09272@twister.tfcc.com>
Message-ID: <02be01c2bac2$303d2310$1b19a8c0@jimlaptop>

I was never able to reliably get mailscanner to stop and start using the default name of mailscanner as the startup script. I renamed it mailscanner1 and it worked.

Jim

----- Original Message -----
From: "Todd Williams"
To:
Sent: Sunday, January 12, 2003 8:59 PM
Subject: Redhat Startup Script issue?

Hi folks,

It seems to me there is an issue with the init script on RedHat. When the init script (*/init.d/MailScanner) does pid=`pidofproc MailScanner` it finds itself running (the init script -- maybe NOT the MailScanner program!) This could give you a false positive to make you think the MailScanner is scanning messages, and it may not be running.

The init script's status and reload functions are affected -- it could find the init script and/or the MailScanner perl program running.

I'm not sure how the best way to get around this might be... Perhaps rename the init script? Julian, any thoughts?

Thanks,

Todd

From todd.williams at TFCCI.COM Mon Jan 13 05:39:05 2003
From: todd.williams at TFCCI.COM (Todd Williams)
Date: Thu Jan 12 21:16:56 2006
Subject: Question about "Full headers are" in virus report to postmaster
Message-ID: <200301130539.AAA11126@twister.tfcc.com>

Hello,

Running Redhat and MailScanner 4.11-1 and Sendmail 8.11.6. In testing, I'm seeing something odd in the "Full headers are" section in the postmaster virus report...

Full headers are
 Return-Path: <^Ag>

The message above shown in the Return-Path should actually read:
(LessThan)(Caret/Control?)(Capital A with ' accent mark)(GreaterThan)

Anybody seeing similar behavior? It could be Sendmail or who knows??

Thanks in advance!

Todd

From mike at CAMAROSS.NET Mon Jan 13 05:42:09 2003
From: mike at CAMAROSS.NET (Mike Kercher)
Date: Thu Jan 12 21:16:56 2006
Subject: Question about "Full headers are" in virus report to postmaster
In-Reply-To: <200301130539.AAA11126@twister.tfcc.com>
Message-ID: <00d801c2bac6$846d4600$9801a8c0@home.middlefinger.net>

I see ^g a lot...don't know what it means :)

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Todd Williams
Sent: Sunday, January 12, 2003 11:39 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Question about "Full headers are" in virus report to postmaster

Hello,

Running Redhat and MailScanner 4.11-1 and Sendmail 8.11.6. In testing, I'm seeing something odd in the "Full headers are" section in the postmaster virus report...

Full headers are
 Return-Path: <^Ag>

The message above shown in the Return-Path should actually read:
(LessThan)(Caret/Control?)(Capital A with ' accent mark)(GreaterThan)

Anybody seeing similar behavior? It could be Sendmail or who knows??

Thanks in advance!

Todd

From Kevin.Spicer at BMRB.CO.UK Mon Jan 13 08:09:00 2003
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin)
Date: Thu Jan 12 21:16:56 2006
Subject: Cannot modify postmaster notify signature?
Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0A32C23@pascal.priv.bmrb.co.uk>

> Thanks for your help. If you have a script for redhat I would
> appreciate it.
> If not no big deal as I have posted the issue to the list.
>

It looks like maybe you have an init script left over from 3.x - (if I remember 3.x's init script was mailscanner, whereas 4.x is MailScanner). See if you have a MailScanner in /etc/init.d - if so try

    chkconfig mailscanner off
    chkconfig --level 2345 MailScanner on

From paul at ESPMAIL.CO.UK Mon Jan 13 09:15:32 2003
From: paul at ESPMAIL.CO.UK (Paul Welsh)
Date: Thu Jan 12 21:16:56 2006
Subject: Does Lirva send from a genuine address?
References: <200301130452.XAA09011@twister.tfcc.com>
Message-ID: <008f01c2bae4$52e95b50$6a0110ac@sbsplc.com>

Just wondering whether Lirva is one of those viruses that sends itself using a bogus email address and therefore not worth notifying the sender about?

I have looked at the Symantec site (http://www.symantec.com/avcenter/venc/data/w32.lirva.a@mm.html) and at Frisk's site (http://www.f-prot.com/virusinfo/lirva_desc.html) and can't find anything to indicate this.

From G.Welter at ROCLEIDEN.NL Mon Jan 13 09:26:58 2003
From: G.Welter at ROCLEIDEN.NL (G Welter)
Date: Thu Jan 12 21:16:56 2006
Subject: Does Lirva send from a genuine address?
Message-ID:

Hi.

From the mcafee page you mentioned below:

The worm uses the default SMTP server of the infected computer, and then adds either the address of the sender or a randomly selected email address to the "From:" line of the email.

So it seems to me that the from address is bogus. So yes, it should be added to the silent viruses.

Gerben.

>>> paul@ESPMAIL.CO.UK 01/13/03 10:15AM >>>
Just wondering whether Lirva is one of those viruses that sends itself using a bogus email address and therefore not worth notifying the sender about?

I have looked at the Symantec site (http://www.symantec.com/avcenter/venc/data/w32.lirva.a@mm.html) and at Frisk's site (http://www.f-prot.com/virusinfo/lirva_desc.html) and can't find anything to indicate this.

From mailscanner at BARENDSE.TO Mon Jan 13 09:44:35 2003
From: mailscanner at BARENDSE.TO (Remco Barendse)
Date: Thu Jan 12 21:16:56 2006
Subject: Cry for help. - NAI-4242 is out.
In-Reply-To: <003a01c2b9c8$e9d76380$2c8bded5@chello.hu>
Message-ID:

Try the daily dats that McAfee release, I fetch these twice daily, McAfee found and stopped sobig only a few hours after the announcement was on their website.

http://download.nai.com/products/mcafee-avert/daily_dats/DAILYDAT.ZIP

On Sun, 12 Jan 2003, Funk Gabor wrote:

> NAI 4242 is out. (incl. sobig detection)
> Currently download from ftp.nai.com didn't work for me, as
> I could only get 4241 from the ftp, but akamai worked.
>
> http://www.mcafeeb2b.com/naicommon/download/dats/find.asp
>
>
> G.
>

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

From paul at ESPMAIL.CO.UK Mon Jan 13 10:11:39 2003
From: paul at ESPMAIL.CO.UK (Paul Welsh)
Date: Thu Jan 12 21:16:56 2006
Subject: Does Lirva send from a genuine address?
References:
Message-ID: <00c201c2baec$29c06cc0$6a0110ac@sbsplc.com>

----- Original Message -----
From: "G Welter"
To:
Sent: Monday, January 13, 2003 9:26 AM
Subject: Re: Does Lirva send from a genuine address?

> From the mcafee page you mentioned below:
>
> The worm uses the default SMTP server of the infected computer, and then adds either the address of the sender or a randomly selected email address to the "From:" line of the email.
>
> So it seems to me that the from address is bogus. So yes, it should be added to the silent viruses.
>

Sorry, half asleep - didn't notice that, even though I skimmed through the Symantec article.

From mailscanner at ecs.soton.ac.uk Mon Jan 13 10:18:12 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:56 2006
Subject: Redhat 7.x startup script?
In-Reply-To: <021a01c2babd$8743d4b0$1b19a8c0@jimlaptop>
Message-ID: <5.2.0.9.2.20030113101429.02a96240@imap.ecs.soton.ac.uk>

At 04:37 13/01/2003, you wrote:
>I have been changing config files and restarting and assuming that the
>mailscanner service was stopping and starting. Turns out it was not. I have
>installed 4.11-1 from source on my box. Does someone have a script that
>works?
>
>I have already tried the one listed on the website oldnews section and it
>does not stop the process. Just reports failed.

The correct script is included in the RPM. Out of interest, why not use the rpm? As it is all written in perl you wind up with a copy of the source anyway. Just curious...

I have attached a copy of the init.d script for you.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: MailScanner
Type: application/octet-stream
Size: 4031 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030113/f782ce6d/MailScanner.obj
-------------- next part --------------
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Mon Jan 13 10:19:53 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:56 2006
Subject: Couple of things for the next version
In-Reply-To: <200301130452.XAA09011@twister.tfcc.com>
Message-ID: <5.2.0.9.2.20030113101857.02ad5e58@imap.ecs.soton.ac.uk>

Both are good points. I have fixed the bug you point out in the antivir-wrapper script, and I will have a think to try to work out a method of detecting the problem in your second point.

At 04:52 13/01/2003, you wrote:
>Hi all,
>
>Just an FYI, found a couple of minor issues...
>
>In 4.11-1, there is a problem with the antivir-wrapper shell script, which
>makes your cron attempt to use the generic update script each time it runs
>-- at least it did on my system. Not a biggie, but may help save some
>confusion. The variable definitions were in perl style, which didn't work
>with #!/bin/sh. :)
>
>Fix: (Your distribution may vary.) In /usr/lib/MailScanner/antivir-wrapper
>
>#$PackageDir=/usr/lib/AntiVir
>#$prog=antivir
>PackageDir=/usr/lib/AntiVir
>prog=antivir
>
>Also, one other thing to note. The mcafee-autoupdate script requires
>the Net::FTP perl module to be installed. This isn't mentioned much of
>anywhere else, so arguably perhaps the MailScanner module should list this
>as a pre-requisite, especially if McAfee is to be used and
>autoupdated? It seems the McAfee script is the only autoupdate script
>requiring this, but it's important to note. Also, there is no "update
>failed" log entry generated or any other indication that the autoupdate failed.
>
>Hope this helps someone.
>
>Thanks,
>
>Todd

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Mon Jan 13 10:22:59 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:56 2006
Subject: Redhat Startup Script issue?
In-Reply-To: <200301130459.XAA09272@twister.tfcc.com>
Message-ID: <5.2.0.9.2.20030113102123.02adc488@imap.ecs.soton.ac.uk>

Is this not a problem with other init.d scripts as well? Do RedHat subtly make the init.d script names different from the process names in every case?

The shell pidofproc function should look for the PID file before actually studying the process table if I remember rightly. It's all in /etc/rc.d/init.d/functions.

At 04:59 13/01/2003, you wrote:
>Hi folks,
>
>It seems to me there is an issue with the init script on RedHat. When the
>init script (*/init.d/MailScanner) does pid=`pidofproc MailScanner`
>it finds itself running (the init script -- maybe NOT the MailScanner
>program!) This could give you a false positive to make you think the
>MailScanner is scanning messages, and it may not be running.
>
>The init script's status and reload functions are affected -- it could
>find the init script and/or the MailScanner perl program running.
>
>I'm not sure how the best way to get around this might be... Perhaps
>rename the init script? Julian, any thoughts?
>
>Thanks,
>
>Todd

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Mon Jan 13 10:24:40 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:56 2006 Subject: Question about "Full headers are" in virus report to postmaster In-Reply-To: <200301130539.AAA11126@twister.tfcc.com> Message-ID: <5.2.0.9.2.20030113102327.02ad8af8@imap.ecs.soton.ac.uk> At 05:39 13/01/2003, you wrote: >Hello, > >Running Redhat and MailScanner 4.11-1 and Sendmail 8.11.6. In testing, >I'm seeing something odd in the "Full headers are" section in the >postmaster virus report... > >Full headers are > Return-Path: <^Ag> Sendmail puts really bizarre content in that header. I have tried removing the ^A character before, but it doesn't actually help. And there's no docs on this, it should just contain the envelope sender address but doesn't appear to. >The message above shown in the Return-Path should actually read: >(LessThan)(Carat/Control?)(Capital A with ' accent mark)(GreaterThan) > >Anybody seeing similar behavior? It could be Sendmail or who knows?? > >Thanks in advance! > >Todd -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From jjohanns at SEWANEE.EDU Fri Jan 10 21:52:41 2003 
From: jjohanns at SEWANEE.EDU (jj) Date: Thu Jan 12 21:16:56 2006 Subject: MailScanner_found_Cyrus_boundary_substring_problem_ In-Reply-To: Message-ID: Hello, We are running version 4.11-1 of mailscanner on HP-UX 11.0 with sendmail 8.12.7, Qpopper and majordomo as our mailing list manager. When a Word file was sent as an attachment to a majordomo list it resulted in the following error: _MailScanner_found_Cyrus_boundary_substring_problem__ and the attachment was included in the message. When the same attachment is sent to individual users it is delivered normally. The sender uses Eudora on Windows 2000. Does anyone know what the problem might be? >--=====================_366438080==_.ALT-- > --__MailScanner_found_Cyrus_boundary_substring_problem__ Content-Type: application/msword; name="serials survey 1-03.doc"; x-mac-type="42494E41"; x-mac-creator="4D535744" Content-Transfer-Encoding: base64>Content-Disposition: attachment; filename="serials survey 1-03.doc" 0M8R4KGxGuEAAAAAAAAAAAAAAAAAAAAAPgADAP7/CQAGAAAAAAAAAAAAAAAB AAAAQwAAAAAAAAAAEAAARQAAAAEAAAD+////AAAAAEIAAAD///////////// etc. Thanks Johannes Johannsson . This footnote also confirms that this email message has been swept by MIMEsweeper for the presence of computer viruses *********************************************************************************** From mailscanner at ecs.soton.ac.uk Fri Jan 10 22:14:42 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:56 2006 Subject: MailScanner_found_Cyrus_boundary_substring_problem_ In-Reply-To: References: Message-ID: <5.2.0.9.2.20030110220655.02db5d10@imap.ecs.soton.ac.uk> This is a result of a check used to defend against a bug in the Cyrus IMAP server which is exercised by some versions of Eudora. You have a multipart/mixed with a multipart/alternative inside it, where the "mixed" MIME boundary is a substring of the "alternative" MIME boundary. So when MailScanner finds this situation, it changes the inner MIME boundary to be the string you saw. However, I did test this and it worked just fine when I tested it... Are you using the latest MIME tools and so on? It will only happen to messages created with Eudora which contain "styled" text (i.e. HTML) as well as plain text, and an attachment. Is anyone else seeing this problem? Or could it be a majordomo problem? The fact that it doesn't occur in messages sent to individual users shows it must be at least mostly correct. Can you send me (zipped up) the complete message sent to individual users, and the message sent out by majordomo, so I can compare them please? At 21:52 10/01/2003, you wrote: >Hello, > >We are running version 4.11-1 of mailscanner on HP-UX 11.0 with sendmail >8.12.7, Qpopper and majordomo as our mailing list manager. When a Word file >was sent as an attachment to a majordomo list it resulted in the following >error: _MailScanner_found_Cyrus_boundary_substring_problem__ >and the attachment was included in the message. When the same attachment is >sent to individual users it is delivered normally. >The sender uses Eudora on Windows 2000. > >Does anyone know what the problem might be? 
> > >--=====================_366438080==_.ALT-- > > >--__MailScanner_found_Cyrus_boundary_substring_problem__ >Content-Type: application/msword; name="serials survey 1-03.doc"; > x-mac-type="42494E41"; x-mac-creator="4D535744" >Content-Transfer-Encoding: base64>Content-Disposition: attachment; >filename="serials survey 1-03.doc" >0M8R4KGxGuEAAAAAAAAAAAAAAAAAAAAAPgADAP7/CQAGAAAAAAAAAAAAAAAB >AAAAQwAAAAAAAAAAEAAARQAAAAEAAAD+////AAAAAEIAAAD///////////// > >etc. > >Thanks >Johannes Johannsson -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From mailscanner-sub at WIREHUB.NET Sat Jan 11 01:05:22 2003
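The check described in Julian Field's reply above (an outer multipart boundary that is a substring of a nested one, repaired by renaming the inner boundary), as an added Python example; it is not MailScanner's own Perl code. The sample message is constructed, its outer boundary is an assumed value derived from the inner delimiter quoted in the thread, and the numbered suffix for any further renames is this example's own choice.

```python
import email

# Replacement boundary as it appears in the delimiter line quoted in the thread.
REPLACEMENT = "__MailScanner_found_Cyrus_boundary_substring_problem__"

# Constructed sample: multipart/mixed wrapping multipart/alternative plus an
# attachment. The outer boundary is an assumption (inner boundary minus ".ALT").
SAMPLE = """\
From: sender@example.org
To: list@example.org
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="=====================_366438080==_"

--=====================_366438080==_
Content-Type: multipart/alternative; boundary="=====================_366438080==_.ALT"

--=====================_366438080==_.ALT
Content-Type: text/plain; charset="us-ascii"

plain body

--=====================_366438080==_.ALT
Content-Type: text/html; charset="us-ascii"

<html><body>styled body</body></html>

--=====================_366438080==_.ALT--

--=====================_366438080==_
Content-Type: application/octet-stream; name="sample.bin"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="sample.bin"

Y29uc3RydWN0ZWQ=

--=====================_366438080==_--
"""


def parse(text):
    """Parse raw message text into an email.message.Message tree."""
    return email.message_from_string(text)


def boundary_conflicts(part, ancestors=()):
    """Return (outer, inner, part) for each nested multipart whose boundary
    contains an enclosing multipart's boundary as a proper substring."""
    found = []
    if not part.is_multipart():
        return found
    inner = None
    if part.get_content_maintype() == "multipart":
        inner = part.get_boundary()
    if inner:
        found += [(outer, inner, part) for outer in ancestors
                  if outer != inner and outer in inner]
        ancestors = ancestors + (inner,)
    # message/rfc822 containers are walked too; their contents still sit
    # lexically inside the enclosing boundaries.
    for child in part.get_payload():
        found += boundary_conflicts(child, ancestors)
    return found


def rename_conflicting_boundaries(msg):
    """Rename every conflicting inner boundary in place.
    Returns a list of (old_boundary, new_boundary)."""
    renamed, done = [], set()
    for _outer, inner, part in boundary_conflicts(msg):
        if id(part) in done:          # part conflicted with several ancestors
            continue
        done.add(id(part))
        n = len(renamed)
        # The counter goes before the trailing "__" so that no replacement is
        # itself a substring of another replacement.
        new = REPLACEMENT if n == 0 else REPLACEMENT[:-2] + "_%d__" % n
        part.set_boundary(new)
        renamed.append((inner, new))
    return renamed


def structure(msg):
    """Content types in tree order, to confirm no part was lost."""
    return [p.get_content_type() for p in msg.walk()]


if __name__ == "__main__":
    message = parse(SAMPLE)
    for outer, inner, _part in boundary_conflicts(message):
        print("outer %r is a substring of inner %r" % (outer, inner))
    print(rename_conflicting_boundaries(message))
    print(structure(parse(message.as_string())))
```
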
From: mailscanner-sub at WIREHUB.NET (Ben C. O. Grimm) Date: Thu Jan 12 21:16:56 2006 Subject: Cry for help. In-Reply-To: References: Message-ID: On 11 Jan 2003 01:54:23 +0100, "John B. Hanks" wrote: > We are getting pounded by a (new?) virus that always sends from > big@boss.com. Can someone tell me a quick and dirty way to start dropping > all mail from this address? McAfee is not detecting it and I have added a > block for .pif attachments, but would prefer to drop the mails altogether. We put this one in our access.db with a DISCARD (under Sendmail). Not sure what this .pif is yet, but we were blocking it anyway with the filename rule. DISCARD just saves a bit of extra work. -- - Ben C. O. Grimm ----------------- Ben.Grimm@wirehub.net - - Wirehub! Internet Engineering - http://www.wirehub.net/ - - Private Ponderings ----------- http://www.bengrimm.net/ - - Wirehub! Internet ----------- part of easynet Group plc - From john.hanks at USU.EDU Sat Jan 11 01:05:07 2003 From: john.hanks at USU.EDU (John B. Hanks) Date: Thu Jan 12 21:16:56 2006 Subject: Cry for help. Message-ID: <5CA287DBA85BF649A45916B75FD20E0E1224F4@exchange01.blue.usu.edu> Nevermind, I figured it out with /etc/mail/access and sendmail. No need to bother mailscanner with it. Thanks anyway for MailScanner being incredible. jbh > -----Original Message----- 
> From: John B. Hanks > Sent: Friday, January 10, 2003 5:50 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Cry for help. > > > We are getting pounded by a (new?) virus that always sends > from big@boss.com. Can someone tell me a quick and dirty way > to start dropping all mail from this address? McAfee is not > detecting it and I have added a block for .pif attachments, > but would prefer to drop the mails altogether. > > Thanks > > jbh > From john.hanks at USU.EDU Sat Jan 11 00:49:30 2003 From: john.hanks at USU.EDU (John B. Hanks) Date: Thu Jan 12 21:16:56 2006 Subject: Cry for help. Message-ID: <5CA287DBA85BF649A45916B75FD20E0E1224F3@exchange01.blue.usu.edu> We are getting pounded by a (new?) virus that always sends from big@boss.com. Can someone tell me a quick and dirty way to start dropping all mail from this address? McAfee is not detecting it and I have added a block for .pif attachments, but would prefer to drop the mails altogether. Thanks jbh From mailscanner at ecs.soton.ac.uk Mon Jan 13 11:12:01 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:56 2006 Subject: Does Lirva send from a genuine address? In-Reply-To: <00c201c2baec$29c06cc0$6a0110ac@sbsplc.com> References: Message-ID: <5.2.0.9.2.20030113111003.02acdbc0@imap.ecs.soton.ac.uk> At 10:11 13/01/2003, you wrote: >----- Original Message ----- >From: "G Welter" >To: >Sent: Monday, January 13, 2003 9:26 AM >Subject: Re: Does Lirva send from a genuine address? > > > >From the mcafee page you mentioned below: > > > > The worm uses the default SMTP server of the infected computer, and then >adds either the address of the sender or a randomly selected email address >to the "From:" line of the email. > > > > So it seems to me that the from address is bogus. So yes, it should be >added to the silent viruses. I can see us all slowly coming to the situation that we turn off sender warnings altogether some time in the next year or so. Trouble is, this is going to make the virus situation worse than ever as there will be (practically) no way of finding the infected machines spewing out these messages. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From smohan at VSNL.COM Mon Jan 13 11:10:33 2003 From: smohan at VSNL.COM (S Mohan) Date: Thu Jan 12 21:16:56 2006 Subject: Cry for help. In-Reply-To: <5CA287DBA85BF649A45916B75FD20E0E1224F3@exchange01.blue.usu.edu> Message-ID: Give this address in the /etc/access file for discard as under. < content of /etc/access> # Check the /usr/doc/sendmail-8.11.0/README.cf file for a description # of the format of this file. (search for access_db in that file) # The /usr/doc/sendmail-8.11.0/README.cf is part of the sendmail-doc # package. # # by default we allow relaying from localhost... localhost.localdomain RELAY localhost RELAY 127.0.0.1 RELAY offers@ REJECT big@boss.com DISCARD < end of content /etc/access> Mohan -----Original Message----- 
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of John B. Hanks Sent: 11 January 2003 06:20 To: MAILSCANNER@JISCMAIL.AC.UK Subject: Cry for help. We are getting pounded by a (new?) virus that always sends from big@boss.com. Can someone tell me a quick and dirty way to start dropping all mail from this address? McAfee is not detecting it and I have added a block for .pif attachments, but would prefer to drop the mails altogether. Thanks jbh From mike at ZANKER.ORG Sat Jan 11 12:36:24 2003
From: mike at ZANKER.ORG (Mike Zanker) Date: Thu Jan 12 21:16:56 2006 Subject: AW: Cry for help. In-Reply-To: <4E7026FF8A422749B1553FE508E0068007ECF3@message.intern.akctech.de> References: <4E7026FF8A422749B1553FE508E0068007ECF3@message.intern.akcte ch.de> Message-ID: <148473433.1042288584@jemima.zanker.org> On 11 January 2003 12:10 +0100 Jan-Peter Koopmann wrote: > Remco, > > would you mind stopping this childish "Outlook sucks" business? Where did he say that? Mike. From funk.gabor at HUNETKFT.HU Sat Jan 11 23:26:46 2003 From: funk.gabor at HUNETKFT.HU (Funk Gabor) Date: Thu Jan 12 21:16:56 2006 Subject: Cry for help. - NAI-4242 is out. References: Message-ID: <003a01c2b9c8$e9d76380$2c8bded5@chello.hu> NAI 4242 is out. (incl. sobig detection) Currently download from ftp.nai.com didn't work for me, as I could only get 4241 from the ftp, but akamai worked. http://www.mcafeeb2b.com/naicommon/download/dats/find.asp G. From jscott at INFOCONEX.COM Sun Jan 12 00:07:05 2003
From: jscott at INFOCONEX.COM (Jim Scott) Date: Thu Jan 12 21:16:56 2006 Subject: Cannot modify postmaster notify signature? Message-ID: <004301c2b9ce$8a83f320$2719a8c0@infoconex.com> Version: 4.11-1 OS: Redhat 7.x MTA: Sendmail Virus Software: F-PROT I have modified all the templates in the "en" directory replacing any of the notifications that have this -- MailScanner Email Virus Scanner www.mailscanner.info I have modified the default with my own signature. When a virus is detected it sends out notification to the sending user with the proper signature that I have created in the template. However the postmaster I specified which is me for now gets a message with the above signature. I have searched high and low and cannot seem to find the location that this is changed in. The following is the example of what I get sent to me. Notice the signature is the default. Anyone know where this can be changed for the notification email that is sent to the postmaster? <-- Begin Sample --> The following e-mail messages were found to have viruses in them: Sender: IP Address: 213.163.105.2 Recipient: d1cdvvpfsswu94@somedain.com Subject: You are so sweet MessageID: h0BJdKW29137 Report: /var/spool/MailScanner/incoming/27694/h0BJdKW29137/love.scr Infection: W32/Lentin.H@mm Windows Screensavers are often used to hide viruses (love.scr) -- MailScanner Email Virus Scanner www.mailscanner.info <-- End Sample --> Thanks Jim Scott From Jan-Peter.Koopmann at SECEIDOS.DE Sat Jan 11 11:10:26 2003
From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann) Date: Thu Jan 12 21:16:56 2006 Subject: AW: Cry for help. Message-ID: <4E7026FF8A422749B1553FE508E0068007ECF3@message.intern.akctech.de> Remco, would you mind stopping this childish "Outlook sucks" business? Thanks, JP -----Original Message----- From: Remco Barendse [mailto:mailscanner@BARENDSE.TO] Sent: Saturday, 11 January 2003 11:54 To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Cry for help. Alternatively you could use the daily dats for mcafee. These are `beta', I only had a problem with them once, it was blocking one non-infected file but it's well worth the time gain :) http://download.nai.com/products/mcafee-avert/daily_dats/DAILYDAT.ZIP Probably you need to run a little rename command over the files in that ZIP because usually the filenames are in CAPS Remco On Fri, 10 Jan 2003, John B. Hanks wrote: > We are getting pounded by a (new?) virus that always sends from > big@boss.com. Can someone tell me a quick and dirty way to start > dropping all mail from this address? McAfee is not detecting it and I > have added a block for .pif attachments, but would prefer to drop the > mails altogether. > > Thanks > > jbh > -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From Kevin.Spicer at BMRB.CO.UK Sun Jan 12 01:28:24 2003
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin) Date: Thu Jan 12 21:16:56 2006 Subject: Cannot modify postmaster notify signature? Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0A4ACFE@pascal.priv.bmrb.co.uk> > >>It's hardcoded in MessageBatch.pm (in > /usr/lib/MailScanner/MailScanner/ on my > system) > > > I modified that one already thinking the same thing. Still > get the same signature. > Evidently even though it looks like that would fix it, it > must be hardcoded somewhere > else. > > Jim I just tested that on my system and it definitely works (MS4.10) Did you stop and restart mailscanner (just doing a reload isn't enough)? Have you by any chance got two versions of MS installed in different directories and maybe changed the non-current one (long shot!) The line I changed was... $notices{$postie} . "\n-- \nMailScanner\nEmail Virus Scanner\n" . "www.mailscanner.info\n"; which is line 587 in MessageBatch.pm in release 4.10 From mailscanner at BARENDSE.TO Sat Jan 11 10:53:55 2003
From: mailscanner at BARENDSE.TO (Remco Barendse) Date: Thu Jan 12 21:16:56 2006 Subject: Cry for help. In-Reply-To: <5CA287DBA85BF649A45916B75FD20E0E1224F3@exchange01.blue.usu.edu> Message-ID: Alternatively you could use the daily dats for mcafee. These are `beta', I only had a problem with them once, it was blocking one non-infected file but it's well worth the time gain :) http://download.nai.com/products/mcafee-avert/daily_dats/DAILYDAT.ZIP Probably you need to run a little rename command over the files in that ZIP because usually the filenames are in CAPS Remco On Fri, 10 Jan 2003, John B. Hanks wrote: > We are getting pounded by a (new?) virus that always sends from > big@boss.com. Can someone tell me a quick and dirty way to start dropping > all mail from this address? McAfee is not detecting it and I have added a > block for .pif attachments, but would prefer to drop the mails altogether. > > Thanks > > jbh > -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From jscott at INFOCONEX.COM Sun Jan 12 00:56:27 2003 From: jscott at INFOCONEX.COM (Jim Scott) Date: Thu Jan 12 21:16:57 2006 Subject: Cannot modify postmaster notify signature? References: <5C0296D26910694BB9A9BBFC577E7AB0A32C20@pascal.priv.bmrb.co.uk> Message-ID: <008401c2b9d5$70045560$2719a8c0@infoconex.com> > -----Original Message----- 
> From: Jim Scott [mailto:jscott@INFOCONEX.COM] > Sent: 12 January 2003 00:07 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: [MAILSCANNER] Cannot modify postmaster notify signature? > > > Version: 4.11-1 > OS: Redhat 7.x > MTA: Sendmail > Virus Software: F-PROT > > I have modified all the templates in the "en" directory > replacing any of the > notifications that have this > > -- > MailScanner > Email Virus Scanner > www.mailscanner.info > > > I have modified the default with my own signature. When a > virus is detected it sends > out notification to the sending user with the proper > signature that I have created in > the template. However the postmaster I specified which is me > for now gets a message > with the above signature. I have searched high and low and > cannot seem to find the > location that this is changed in. > > The following is the example of what I get sent to me. Notice > the signature is the > default. Anyone know where this can be changed for the > notification email that is sent > to the postmaster? > > <-- Begin Sample --> > > The following e-mail messages were found to have viruses in them: > > Sender: > IP Address: 213.163.105.2 > Recipient: d1cdvvpfsswu94@somedain.com > Subject: You are so sweet > MessageID: h0BJdKW29137 > Report: > /var/spool/MailScanner/incoming/27694/h0BJdKW29137/love.scr > Infection: > W32/Lentin.H@mm > Windows Screensavers are often used to hide viruses (love.scr) > > > -- > MailScanner > Email Virus Scanner > www.mailscanner.info > > <-- End Sample --> > > Thanks > Jim Scott > >->---- Original Message ----- 
>>From: "Spicer, Kevin" >>To: >>Sent: Saturday, January 11, 2003 4:48 PM >>Subject: Re: Cannot modify postmaster notify signature? >> >> >>It's hardcoded in MessageBatch.pm (in /usr/lib/MailScanner/MailScanner/ on my system) I modified that one already thinking the same thing. Still get the same signature. Evidently even though it looks like that would fix it, it must be hardcoded somewhere else. Jim From Kevin.Spicer at BMRB.CO.UK Sun Jan 12 00:48:45 2003 From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin) Date: Thu Jan 12 21:16:57 2006 Subject: Cannot modify postmaster notify signature? Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0A32C20@pascal.priv.bmrb.co.uk> It's hardcoded in MessageBatch.pm (in /usr/lib/MailScanner/MailScanner/ on my system) > -----Original Message----- 
> From: Jim Scott [mailto:jscott@INFOCONEX.COM] > Sent: 12 January 2003 00:07 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: [MAILSCANNER] Cannot modify postmaster notify signature? > > > Version: 4.11-1 > OS: Redhat 7.x > MTA: Sendmail > Virus Software: F-PROT > > I have modified all the templates in the "en" directory > replacing any of the > notifications that have this > > -- > MailScanner > Email Virus Scanner > www.mailscanner.info > > > I have modified the default with my own signature. When a > virus is detected it sends > out notification to the sending user with the proper > signature that I have created in > the template. However the postmaster I specified which is me > for now gets a message > with the above signature. I have searched high and low and > cannot seem to find the > location that this is changed in. > > The following is the example of what I get sent to me. Notice > the signature is the > default. Anyone know where this can be changed for the > notification email that is sent > to the postmaster? > > <-- Begin Sample --> > > The following e-mail messages were found to have viruses in them: > > Sender: > IP Address: 213.163.105.2 > Recipient: d1cdvvpfsswu94@somedain.com > Subject: You are so sweet > MessageID: h0BJdKW29137 > Report: > /var/spool/MailScanner/incoming/27694/h0BJdKW29137/love.scr > Infection: > W32/Lentin.H@mm > Windows Screensavers are often used to hide viruses (love.scr) > > > -- > MailScanner > Email Virus Scanner > www.mailscanner.info > > <-- End Sample --> > > Thanks > Jim Scott > 
From mailscanner at ecs.soton.ac.uk Sat Jan 11 17:43:46 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:57 2006 Subject: AW: Cry for help. In-Reply-To: Message-ID: <5.2.0.9.2.20030111174144.02af5b68@imap.ecs.soton.ac.uk> At 15:21 11/01/2003, you wrote: >It's in the header. X-message-flag. Outlook displays that marker in >the message window so Outlook people would see it. It is rather >childish for this... A professional mailing list. Now, now, let's call a halt to this thread. Putting things in X-headers is not worth anyone getting upset about. >-----Original Message----- >From: Mike Zanker [mailto:mike@ZANKER.ORG] >Sent: Saturday, January 11, 2003 7:36 AM >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Re: AW: Cry for help. > > >On 11 January 2003 12:10 +0100 Jan-Peter Koopmann > wrote: > > > Remco, > > > > would you mind stopping this childish "Outlook sucks" business? > >Where did he say that? > >Mike. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From mailscanner at BARENDSE.TO Sat Jan 11 11:00:39 2003
From: mailscanner at BARENDSE.TO (Remco Barendse) Date: Thu Jan 12 21:16:57 2006 Subject: Spam blacklist? In-Reply-To: <5.2.0.9.2.20030109000924.02cf5068@imap.ecs.soton.ac.uk> Message-ID: It's not really a problem, I just created another rule under low scoring spam actions where I put the same stuff as the spam blacklist rule. This does the job although if the blacklisted stuff would be treated as high scoring it would save an extra rule file. :) On Thu, 9 Jan 2003, Julian Field wrote: > At 21:24 08/01/2003, you wrote: > >Indeed, that is one possible solution. > > > >But not all of my boxes run spamassassin, particularly RedHat 6.2 is very > >difficult to get SA properly installed. Lots of things to upgrade and 90% > >of the spam problem is from or to a limited set of e-mail addresses on my > >boxes. > > > >But one would think that a blacklisted mail address would be processed > >according to high scoring rules, otherwise there isn't much use in > >blacklisting them :) > > My black/white-listing isn't really connected to the SpamAssassin scoring > code. Maybe it should be. > > > > >On Wed, 8 Jan 2003, Lewis Bergman wrote: > > > > > On Wednesday 08 January 2003 04:24 am, Remco Barendse wrote: > > > > I have a rule list that will mark certain messages as spam even though > > > > there is no other reason to mark them as spam. This is working perfectly. > > > > > > > > I have noticed however that MailScanner will treat messages that are > > > > marked by a blacklist rule as low scoring spam? > > > > > > > > Would it be possible to change this to high scoring spam? After all you > > > > want to blacklist them. I allow low scoring spam messages to go through > > > > but high scoring stuff is forwarded to an alternate address. I would like > > > > to do the same for the blacklisted stuff. > > > Why not use SA to do the RBL checks and then assign them a score which will > > > force them into the high score category using the spam.assassin.prefs.conf > > > file? 
> > > -- > > > Lewis Bergman > > > Texas Communications > > > 4309 Maple St. > > > Abilene, TX 79602-8044 > > > 915-695-6962 ext 115 > > > > > > > > > > > >-- > >This message has been scanned for viruses and > >dangerous content by MailScanner, and is > >believed to be clean. > > -- > Julian Field > www.MailScanner.info > MailScanner thanks transtec Computers for their support > > -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From Richard.Lush at HP.COM Mon Jan 13 11:58:22 2003
From: Richard.Lush at HP.COM (Lush, Richard)
Date: Thu Jan 12 21:16:57 2006
Subject: Webmin module 0.01 BETA released
Message-ID:

Hi All,

I've just finished the BETA version of my webmin module and would like some volunteers to test it. Although it is beta I haven't trashed my system yet using it, although I do backup my mailscanner.conf just in case.

I'm not sure what people want from it so I do need your help in shaping what this is looking like. I'm new to cgi and perl so there are a few "features" which need ironing out. Here is a list of the ones I know about:

Maximum number of child forks not displaying
Currently no external rules sets can be viewed/edited
No lines which are #'d out can be edited (Any ideas anyone?)
Currently no help is available
Some of the file browsing buttons aren't working

Here is a link to the website: http://lushsoft.dyndns.org/mailscanner-webmin/index.html

Please note: This is written by me and as such all feedback comments etc should be sent to me and not Julian.

Regards,
Richard

Richard Lush
Consulting and Integration Security Practise Reading UK
Email richard.lush@hp.com
Mobile +44 (0) 7788 916941
Office +44 (0) 118 920 2349
Fax +44 (0) 118 920 4612

D I S C L A I M E R
The information contained in this communication is intended solely for use by the individual or entity to whom it is addressed. Use of this communication by others is prohibited. HP and / or Compaq is neither liable for the proper and complete transmission of the information contained in this communication nor for any delay in its receipt nor for any special, incidental or consequential damages of any nature whatsoever resulting from receipt or use of this communication. If you are not the intended recipient, you may not peruse, use, disseminate, distribute or copy this message. If you have received this message in error, please notify the sender immediately by email, facsimile or telephone and return or destroy the original message. Thank you.
From andersan at LTKALMAR.SE Mon Jan 13 12:08:40 2003 From: andersan at LTKALMAR.SE (Anders Andersson, IT) Date: Thu Jan 12 21:16:57 2006 Subject: Dejavue Message-ID: <7B475DC5E9502B4D91EA73C283AE48D70263EDA9@lkl22.ltkalmar.se> Hi Is it only me or are we all getting double or triple mail from the list? /Anders From David.Sullivan at BARNET.AC.UK Mon Jan 13 12:13:24 2003 From: David.Sullivan at BARNET.AC.UK (David Sullivan) Date: Thu Jan 12 21:16:57 2006 Subject: Dejavue In-Reply-To: <7B475DC5E9502B4D91EA73C283AE48D70263EDA9@lkl22.ltkalmar.se> Message-ID: <3E22AD7E.29771.143EA4D6@localhost> On 13 Jan 2003 at 13:08, Anders Andersson, IT wrote: > Hi > Is it only me or are we all getting double or triple mail from the > list? Yes, we've discussed this before. ... Sorry :) David. ============================================================== This communication may contain privileged or confidential information which is for the exclusive use of the intended recipient. If you are not the intended recipient, please note that you may not distribute or use this communication or the information it contains. If this e-mail has reached you in error, please delete it and any attachment. Internet communications are not secure and Barnet College does not accept legal responsibility for the content of this message. Any views or opinions expressed are those of the author and not necessarily those of Barnet College. Please note that Barnet College reserves the right to monitor the source/destinations of all incoming or outgoing e-mail communications. ============================================================== From Jan-Peter.Koopmann at SECEIDOS.DE Mon Jan 13 12:14:39 2003
From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann) Date: Thu Jan 12 21:16:57 2006 Subject: AW: Dejavue Message-ID: <4E7026FF8A422749B1553FE508E00680087534@message.intern.akctech.de> It is not only you... :-( Who? Why? This happened a few weeks ago. What was/is the cause? Thanks, JP -----Original Message----- From: Anders Andersson, IT [mailto:andersan@LTKALMAR.SE] Sent: Monday, 13 January 2003 13:09 To: MAILSCANNER@JISCMAIL.AC.UK Subject: Dejavue Hi Is it only me or are we all getting double or triple mail from the list? /Anders From mailscanner at ecs.soton.ac.uk Mon Jan 13 12:13:22 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:57 2006 Subject: Dejavue In-Reply-To: <7B475DC5E9502B4D91EA73C283AE48D70263EDA9@lkl22.ltkalmar.se > Message-ID: <5.2.0.9.2.20030113121255.03e5b348@imap.ecs.soton.ac.uk> At 12:08 13/01/2003, you wrote: >Hi >Is it only me or are we all getting double or triple mail from the list? My copy of Eudora doubles up (incoming) messages occasionally, but otherwise everything appears fine. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From mike at ZANKER.ORG Mon Jan 13 12:23:27 2003 From: mike at ZANKER.ORG (Mike Zanker) Date: Thu Jan 12 21:16:57 2006 Subject: Dejavue In-Reply-To: <7B475DC5E9502B4D91EA73C283AE48D70263EDA9@lkl22.ltkalmar.se> References: <7B475DC5E9502B4D91EA73C283AE48D70263EDA9@lkl22.ltkalmar.se> Message-ID: <11454796.1042460607@mallard.open.ac.uk> On 13 January 2003 13:08 +0100 "Anders Andersson, IT" wrote: > Is it only me or are we all getting double or triple mail from the > list? No, I'm getting lots of duplicates too. It's nottinghamcity.gov.uk's mail server playing up again. Mike. From andersan at LTKALMAR.SE Mon Jan 13 12:33:52 2003
From: andersan at LTKALMAR.SE (Anders Andersson, IT) Date: Thu Jan 12 21:16:57 2006 Subject: SV: Dejavue Message-ID: <7B475DC5E9502B4D91EA73C283AE48D70263EDAA@lkl22.ltkalmar.se> > -----Original Message----- > From: David Sullivan [mailto:David.Sullivan@BARNET.AC.UK] > Sent: 13 January 2003 13:13 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Dejavue > > > On 13 Jan 2003 at 13:08, Anders Andersson, IT wrote: > > > Hi > > Is it only me or are we all getting double or triple > mail from the > > list? > > Yes, we've discussed this before. I know it happened before but that was a long time ago, but for the moment it has stopped so I guess there is no worry then. Let's blame the boring weather... :) /Anders > > ... Sorry :) > > David. > > ============================================================== > This communication may contain privileged or confidential > information which > is for the exclusive use of the intended recipient. If you > are not the > intended recipient, please note that you may not distribute > or use this > communication or the information it contains. If this e-mail > has reached you > in error, please delete it and any attachment. > > Internet communications are not secure and Barnet College > does not accept > legal responsibility for the content of this message. Any > views or opinions > expressed are those of the author and not necessarily those > of Barnet College. > > Please note that Barnet College reserves the right to monitor the > source/destinations of all incoming or outgoing e-mail communications. > ============================================================== > From sintje at PANDORA.BE Mon Jan 13 12:30:43 2003
From: sintje at PANDORA.BE (Sander K. Naudts)
Date: Thu Jan 12 21:16:57 2006
Subject: problems installing mailscanner in debian
Message-ID: <200301131230.h0DCUkM29937@ori.rl.ac.uk>

I was trying to install mailscanner with debian (apt-get install mailscanner) but I got the following error:

Setting up mailscanner (3.13.2-4) ...
hostname: Unknown host
dpkg: error processing mailscanner (--configure):
 subprocess post-installation script returned error exit status 1
Errors were encountered while processing:
 mailscanner
E: Sub-process /usr/bin/dpkg returned an error code (1)

How can I fix this?

Sander

From j.figueira at zmail.pt Mon Jan 13 13:33:25 2003
From: j.figueira at zmail.pt (j. Figueira)
Date: Thu Jan 12 21:16:57 2006
Subject: Outgoing sendmail [FAILED]
Message-ID:

Hello,

I've recently installed MailScanner... The installation went very well. And everything seems to be running well except one thing. When I start sendmail, it starts all ok... After a while, when I make:

service MailScanner status

MailScanner: [ OK ]
incoming sendmail: [ OK ]
outgoing sendmail: [FAILED]

I am using RH7.2

I've already searched the list but I haven't found anything useful. Any tip can be useful.

Best regards
Figueira

From jaearick at COLBY.EDU Mon Jan 13 13:59:32 2003
From: jaearick at COLBY.EDU (Jeff A. Earickson)
Date: Thu Jan 12 21:16:57 2006
Subject: silent virii list
In-Reply-To: <5.2.0.9.2.20030113111003.02acdbc0@imap.ecs.soton.ac.uk>
References: <5.2.0.9.2.20030113111003.02acdbc0@imap.ecs.soton.ac.uk>
Message-ID:

Julian,

If/when it gets to the point where MailScanner does not send virus warnings to the masses, I would still like it to:

* send warnings to users when filenames.rules.conf is triggered. The sender usually did this action themselves, and they should be warned that their email got squashed.

* send virus and filenames.rules complaints to postmaster (Notices To), so that I can be aware of problem users in my own domain. I use procmail rulesets to shove klez and other virus complaints aside into their own mailboxes. Then I run a cron job to grep thru these files, looking for anybody in my own domain. This info is emailed to me periodically, so I can track down infections and fix them.

--- Jeff

On Mon, 13 Jan 2003, Julian Field wrote:

> Date: Mon, 13 Jan 2003 11:12:01 +0000
> From: Julian Field
> Reply-To: MailScanner mailing list
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: Does Lirva send from a genuine address?
>
> At 10:11 13/01/2003, you wrote:
> >----- Original Message -----
> >From: "G Welter" > >To: > >Sent: Monday, January 13, 2003 9:26 AM > >Subject: Re: Does Lirva send from a genuine address? > > > > > >From the mcafee page you mentioned below: > > > > > > The worm uses the default SMTP server of the infected computer, and then > >adds either the address of the sender or a randomly selected email address > >to the "From:" line of the email. > > > > > > So it seems to me that the from address is bogus. So yes, it should be > >added to the silent viruses. > > I can see us all slowly coming to the situation that we turn off sender > warnings altogether some time in the next year or so. Trouble is, this is > going to make the virus situation worse than ever as there will be > (practically) no way of finding the infected machines spewing out these > messages. > -- > Julian Field > www.MailScanner.info > MailScanner thanks transtec Computers for their support > From richard.siddall at ELIRION.NET Mon Jan 13 13:59:49 2003 
From: richard.siddall at ELIRION.NET (Richard Siddall) Date: Thu Jan 12 21:16:57 2006 Subject: Handling mass-mailing worms, was: Does Lirva send from a genuine address? In-Reply-To: <5.2.0.9.2.20030113111003.02acdbc0@imap.ecs.soton.ac.uk> References: <5.2.0.9.2.20030113111003.02acdbc0@imap.ecs.soton.ac.uk> Message-ID: <3E22C655.8060206@elirion.net> Julian Field wrote: > I can see us all slowly coming to the situation that we turn off sender > warnings altogether some time in the next year or so. Trouble is, this is > going to make the virus situation worse than ever as there will be > (practically) no way of finding the infected machines spewing out these > messages. I have noticed that viruses received from AOL include an X-Apparently-From: header, which presumably the AOL mail server is inserting when receiving mail from the SMTP server built into the virus. I haven't verified whether you can contact the owner of the infected machine using the email address in this header. On a side note, it's a pity the virus scanner manufacturers don't include information on how to handle the virus in the detection report. For mass-mailing viruses, the best approach may be to report the virus to a distributed intrusion service like Dshield or myNetWatchman. They can aggregate all the reports and contact the ISP's abuse department. (Unfortunately, this may be as close to the infected machine as you can get without the ISP's authentication records.) Regards, Richard Siddall From adkinss at OHIO.EDU Mon Jan 13 14:11:31 2003 
From: adkinss at OHIO.EDU (Scott Adkins)
Date: Thu Jan 12 21:16:57 2006
Subject: Cry for help.
In-Reply-To:
References:
Message-ID: <2758785153.1042449091@Callisto>

Incidentally, I actually added another address to our /etc/mail/access files as well... It appears that a lot of outbound mail was getting created (bounced emails) that were trying to go back to the "originating" site (which I am not even sure exists). As a consequence, the mail queues were backing up, since the connections to remote host were being refused :-)

Anyways, I put it in the access database and then removed all the emails from the mail queue, since they weren't doing us any good. This is what I have in our access database:

big@boss.com DISCARD
boss-polar.bossgame.com DISCARD

Scott

--On Monday, January 13, 2003 4:40 PM +0530 S Mohan wrote:

> Give this address in the /etc/access file for discard as under.
>
> < content of /etc/access>
># Check the /usr/doc/sendmail-8.11.0/README.cf file for a description
># of the format of this file. (search for access_db in that file)
># The /usr/doc/sendmail-8.11.0/README.cf is part of the sendmail-doc
># package.
>#
># by default we allow relaying from localhost...
> localhost.localdomain RELAY
> localhost RELAY
> 127.0.0.1 RELAY
> offers@ REJECT
> big@boss.com DISCARD
> < end of content /etc/access>
>
> Mohan
>
> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > Behalf Of John B. Hanks > Sent: 11 January 2003 06:20 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Cry for help. > > > We are getting pounded by a (new?) virus that always sends from > big@boss.com. Can someone tell me a quick and dirty way to start dropping > all mail from this address? McAfee is not detecting it and I have added a > block for .pif attachments, but would prefer to drop the mails altogether. > -- +-----------------------------------------------------------------------+ Scott W. Adkins http://www.cns.ohiou.edu/~sadkins/ UNIX Systems Engineer mailto:adkinss@ohio.edu ICQ 7626282 Work (740)593-9478 Fax (740)593-1944 +-----------------------------------------------------------------------+ PGP Public Key available at http://www.cns.ohiou.edu/~sadkins/pgp/ From sean at NISD.NET Mon Jan 13 15:09:43 2003
From: sean at NISD.NET (Sean Embry) Date: Thu Jan 12 21:16:57 2006 Subject: AOL: Menace to the 'net Message-ID: >Julian Field wrote: > >I have noticed that viruses received from AOL include an >X-Apparently-From: header, which presumably the AOL mail server is >inserting when receiving mail from the SMTP server built into the virus. > >I haven't verified whether you can contact the owner of the infected >machine using the email address in this header. > I've sent several e-mails to AOL requesting this information. I've not received ANY kind of answer at all, which doesn't really surprise me at all. I have sent e-mails to these addresses, and not gotten a bounce because the address is invalid. I get nothing at all, or "This user doesn't want to receive e-mail from your account." I've also not ever gotten anything from any of these users, but then again the e-mail I send concludes with "I am not allowed to assist you in this matter. If you are unsure how to proceed, please contact a friend and ask their advice." I had 207 Klez alerts from AOL accounts in my in box this morning (Sunday night to Monday morning). Some of the accounts have been reported as long as eight weeks ago, and most every day since. If I wouldn't get lynched, I'd start blocking AOL at MX'es I run. I've blocked ISP's for less in the past, and they are still on the block list. (Ignore a problem for a week, win a place in my block list after last warning.) If I suspected that AOL would start blocking my abuse reports, I'd start forwarding all these reports to them automagically. Sean From ellis at KAZAKCOMPOSITES.COM Mon Jan 13 17:06:40 2003 
From: ellis at KAZAKCOMPOSITES.COM (Steve Ellis) Date: Thu Jan 12 21:16:57 2006 Subject: Cry for help. In-Reply-To: <5CA287DBA85BF649A45916B75FD20E0E1224F3@exchange01.blue.usu.edu> Message-ID: <003701c2bb26$23f89440$6600a8c0@Orthanc> I'm curious as to what virus was being sent from the big@boss.com address. We received a few messages, but they were not detected as a virus by the virus software we are using with MailScanner. Anyone have a name for it? Steve Ellis Sr Engineer KaZaK Composites, Inc. 781.932.5665 -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of John B. Hanks Sent: Friday, January 10, 2003 7:50 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Cry for help. We are getting pounded by a (new?) virus that always sends from big@boss.com. Can someone tell me a quick and dirty way to start dropping all mail from this address? McAfee is not detecting it and I have added a block for .pif attachments, but would prefer to drop the mails altogether. Thanks jbh From jaearick at COLBY.EDU Mon Jan 13 17:18:55 2003 From: jaearick at COLBY.EDU (Jeff A. Earickson) Date: Thu Jan 12 21:16:57 2006 Subject: Cry for help. In-Reply-To: <003701c2bb26$23f89440$6600a8c0@Orthanc> References: <003701c2bb26$23f89440$6600a8c0@Orthanc> Message-ID: Sobig-A, in Sophos-speak. Other anti-virus makers may have other names for it. Just add "big@boss.com" to your sendmail access file to reject/discard these things. --- Jeff On Mon, 13 Jan 2003, Steve Ellis wrote: > Date: Mon, 13 Jan 2003 12:06:40 -0500
> From: Steve Ellis > Reply-To: MailScanner mailing list > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Cry for help. > > I'm curious as to what virus was being sent from the big@boss.com > address. We received a few messages, but they were not detected as a > virus by the virus software we are using with MailScanner. Anyone have a > name for it? > > Steve Ellis > Sr Engineer > KaZaK Composites, Inc. > 781.932.5665 > > -----Original Message----- > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On > Behalf Of John B. Hanks > Sent: Friday, January 10, 2003 7:50 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Cry for help. > > We are getting pounded by a (new?) virus that always sends from > big@boss.com. Can someone tell me a quick and dirty way to start > dropping > all mail from this address? McAfee is not detecting it and I have added > a > block for .pif attachments, but would prefer to drop the mails > altogether. > > Thanks > > jbh > From jethro.binks at STRATH.AC.UK Mon Jan 13 17:18:24 2003 From: jethro.binks at STRATH.AC.UK (Jethro R Binks) Date: Thu Jan 12 21:16:57 2006 Subject: Cry for help. In-Reply-To: <003701c2bb26$23f89440$6600a8c0@Orthanc> Message-ID: <20030113171818.D29803-100000@defjam.cc.strath.ac.uk> W32/Sobig@MM http://vil.mcafee.com/dispVirus.asp?virus_k=99950 On Mon, 13 Jan 2003, Steve Ellis wrote: > I'm curious as to what virus was being sent from the big@boss.com > address. We received a few messages, but they were not detected as a > virus by the virus software we are using with MailScanner. Anyone have a > name for it? > > Steve Ellis > Sr Engineer > KaZaK Composites, Inc. > 781.932.5665 > > -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On > Behalf Of John B. Hanks > Sent: Friday, January 10, 2003 7:50 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Cry for help. > > We are getting pounded by a (new?) virus that always sends from > big@boss.com. Can someone tell me a quick and dirty way to start > dropping > all mail from this address? McAfee is not detecting it and I have added > a > block for .pif attachments, but would prefer to drop the mails > altogether. > > Thanks > > jbh > . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Jethro R Binks Computing Officer, IT Services University Of Strathclyde, Glasgow, UK From mailscanner at ecs.soton.ac.uk Mon Jan 13 17:59:26 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:57 2006 Subject: problems installing mailscanner in debian In-Reply-To: <200301131230.h0DCUkM29937@ori.rl.ac.uk> Message-ID: <5.2.0.9.2.20030113175858.01a41d50@imap.ecs.soton.ac.uk> I have passed your problem onto my Debian expert (ie. Nick). Hopefully he will get back to you soon. At 12:30 13/01/2003, you wrote: >I was trying to install mailscanner with debian (apt-get install mailscanner >but I got the following error): > >Setting up mailscanner (3.13.2-4) ... >hostname: Unknown host >dpkg: error processing mailscanner (--configure): > subprocess post-installation script returned error exit status 1 >Errors were encountered while processing: > mailscanner >E: Sub-process /usr/bin/dpkg returned an error code (1) > >How can I fix this? > > >Sander -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Mon Jan 13 18:01:38 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:57 2006 Subject: silent virii list In-Reply-To: References: <5.2.0.9.2.20030113111003.02acdbc0@imap.ecs.soton.ac.uk> <5.2.0.9.2.20030113111003.02acdbc0@imap.ecs.soton.ac.uk> Message-ID: <5.2.0.9.2.20030113180022.02ae8ed8@imap.ecs.soton.ac.uk> Both good points. I won't do anything quite as simple as hard-coding "Warn Senders = no", I'll separate out the virus warnings from other warnings. But no need to do it quite yet, fortunately. At 13:59 13/01/2003, you wrote: >Julian, > > If/when it gets to the point where MailScanner does not send virus >warnings to the masses, I would still like it to: > >* send warnings to users when filenames.rules.conf is triggered. > The sender usually did this action themselves, and they should be > warned that their email got squashed. > >* send virus and filenames.rules complaints to postmaster (Notices To), > so that I can be aware of problem users in my own domain. I use > procmail rulesets to shove klez and other virus complaints aside > into their own mailboxes. Then I run a cron job to grep thru these > files, looking for anybody in my own domain. This info is emailed > to me periodically, so I can track down infections and fix them. > >--- Jeff > >On Mon, 13 Jan 2003, Julian Field wrote: > > > Date: Mon, 13 Jan 2003 11:12:01 +0000 > > From: Julian Field > > Reply-To: MailScanner mailing list > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: Re: Does Lirva send from a genuine address? > > > > At 10:11 13/01/2003, you wrote: > > >----- Original Message ----- 
> > >From: "G Welter" > > >To: > > >Sent: Monday, January 13, 2003 9:26 AM > > >Subject: Re: Does Lirva send from a genuine address? > > > > > > > >From the mcafee page you mentioned below: > > > > > > > > The worm uses the default SMTP server of the infected computer, and > then > > >adds either the address of the sender or a randomly selected email address > > >to the "From:" line of the email. > > > > > > > > So it seems to me that the from address is bogus. So yes, it should be > > >added to the silent viruses. > > > > I can see us all slowly coming to the situation that we turn off sender > > warnings altogether some time in the next year or so. Trouble is, this is > > going to make the virus situation worse than ever as there will be > > (practically) no way of finding the infected machines spewing out these > > messages. > > -- > > Julian Field > > www.MailScanner.info > > MailScanner thanks transtec Computers for their support > > -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From adkinss at OHIO.EDU Mon Jan 13 17:40:46 2003 
From: adkinss at OHIO.EDU (Scott Adkins) Date: Thu Jan 12 21:16:57 2006 Subject: Adding a mail header... Message-ID: <2771340086.1042461646@Callisto> Maybe I missed something, but it doesn't look like it is possible to add an arbitrary header to the emails in addition to the "Mail Header" and the "Spam Header" headers. I am interested in adding a header that contains a URL to a web page we maintain describing the spam checking and virus scanning we are now doing. Is there an easy way to do this that I might be missing? Thanks, Scott -- +-----------------------------------------------------------------------+ Scott W. Adkins http://www.cns.ohiou.edu/~sadkins/ UNIX Systems Engineer mailto:adkinss@ohio.edu ICQ 7626282 Work (740)593-9478 Fax (740)593-1944 +-----------------------------------------------------------------------+ PGP Public Key available at http://www.cns.ohiou.edu/~sadkins/pgp/ From mike at CAMAROSS.NET Mon Jan 13 18:51:15 2003 From: mike at CAMAROSS.NET (Mike Kercher) Date: Thu Jan 12 21:16:57 2006 Subject: Adding a mail header... In-Reply-To: <2771340086.1042461646@Callisto> Message-ID: <004601c2bb34$c0dfc860$9801a8c0@home.middlefinger.net> I do it with procmail -----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Scott Adkins Sent: Monday, January 13, 2003 11:41 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Adding a mail header... Maybe I missed something, but it doesn't look like it is possible to add an arbitrary header to the emails in addition to the "Mail Header" and the "Spam Header" headers. I am interested in adding a header that contains a URL to a web page we maintain describing the spam checking and virus scanning we are now doing. Is there an easy way to do this that I might be missing? Thanks, Scott -- +----------------------------------------------------------------------- + Scott W. Adkins http://www.cns.ohiou.edu/~sadkins/ UNIX Systems Engineer mailto:adkinss@ohio.edu ICQ 7626282 Work (740)593-9478 Fax (740)593-1944 +----------------------------------------------------------------------- + PGP Public Key available at http://www.cns.ohiou.edu/~sadkins/pgp/ From mailscanner at ecs.soton.ac.uk Mon Jan 13 18:53:43 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:57 2006
Subject: Adding a mail header...
In-Reply-To: <2771340086.1042461646@Callisto>
Message-ID: <5.2.0.9.2.20030113184729.01a916f0@imap.ecs.soton.ac.uk>

At 17:40 13/01/2003, you wrote:
>Maybe I missed something, but it doesn't look like it is possible to add
>an arbitrary header to the emails in addition to the "Mail Header" and the
>"Spam Header" headers. I am interested in adding a header that contains
>a URL to a web page we maintain describing the spam checking and virus
>scanning we are now doing. Is there an easy way to do this that I might
>be missing?

Best way is to get your MTA to do it for you. Apparently very easy in Exim, shouldn't be too taxing in sendmail either.

In sendmail you should be able to add this to your sendmail.cf file:

HX-Help-Available-At: http://www.your.domain.com/help

If you want to know how to do it in Exim, search the archives for the past couple of weeks, this was discussed recently.
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From todd.williams at TFCCI.COM Mon Jan 13 18:54:21 2003
From: todd.williams at TFCCI.COM (Todd Williams)
Date: Thu Jan 12 21:16:57 2006
Subject: RBL checking w/ MS and SA
In-Reply-To: <200212130924.gBD9Ona26846@ori.rl.ac.uk>
Message-ID: <002b01c2bb35$2f94d8e0$c802a8c0@toddntbox.tfcc.com>

Hi all,

There must be something I'm missing? The MailScanner's RBL lists in my setup seem as if all of them are not being checked. I normally get multiple RBL returns on most SPAM messages. I do have SpamAssassin enabled -- if I added lists to the MailScanner.conf and the spam.lists.conf files, I assumed the MailScanner either did RBL checking on its own or passed the RBL's on to SpamAssassin to be checked?

- Do I need to add the RBL checking to the spamassassin config to make it all happen and to check all of the RBLs I desire to use?

- Is the MailScanner spam.lists.conf file used if SpamAssassin is in play?

- Also one other question about the MailScanner.conf and the DNS blacklists, what is the difference between the "Spam List" configuration entry and the "Spam Domain List". I guess I don't see how the two actually interact. If SA is used, is it a moot point what's in this part of the config?

Just a little confused -- sorry.

Here are excerpts from my config files...

----------------------------
MailScanner.conf
----------------------------
# This is the name of the file that translates the names of the "Spam List"
# values to the real DNS names of the spam blacklists.
Spam List Definitions = /etc/MailScanner/spam.lists.conf
...
# Do you want to check messages to see if they are spam?
# This can also be the filename of a ruleset.
Spam Checks = yes

# This is the list of spam blacklists (RBLs) which you are using.
# See the "Spam List Definitions" file for more information about what
# you can put here.
# This can also be the filename of a ruleset.
#Spam List = ORDB-RBL Infinite-Monkeys # MAPS-RBL+ costs money (except .ac.uk)
Spam List = ORDB-RBL spamcop.net Infinite-Monkeys osirusoft.com WIREHUB-DNSBL OSIRUSOFT-SPEWS

# This is the list of spam domain blacklists which you are using
# (such as the "rfc-ignorant" domains). See the "Spam List Definitions"
# file for more information about what you can put here.
# This can also be the filename of a ruleset.
#Spam Domain List =
...
# Set the location of the SpamAssassin user_prefs file. If you want to
# stop SpamAssassin doing all the RBL checks again, then you can add
# "skip_rbl_checks = 1" to this prefs file.
SpamAssassin Prefs File = /etc/MailScanner/spam.assassin.prefs.conf
----------------------------
/MailScanner.conf
----------------------------
----------------------------
spam.assassin.prefs.conf
----------------------------
...
# By default, SpamAssassin will run RBL checks. If your ISP already
# does this, set this to 1.
#
# skip_rbl_checks 1
...
----------------------------
/spam.assassin.prefs.conf
----------------------------

Thanks for your time,

Todd

From mailscanner at ecs.soton.ac.uk Mon Jan 13 19:07:51 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:57 2006
Subject: RBL checking w/ MS and SA
In-Reply-To: <002b01c2bb35$2f94d8e0$c802a8c0@toddntbox.tfcc.com>
References: <200212130924.gBD9Ona26846@ori.rl.ac.uk>
Message-ID: <5.2.0.9.2.20030113185903.02ae2e60@imap.ecs.soton.ac.uk>

At 18:54 13/01/2003, you wrote:
>There must be something I'm missing? The MailScanner's RBL lists in my
>setup seem as if all of them are not being checked. I normally get multiple
>RBL returns on most SPAM messages. I do have SpamAssassin enabled -- if I
>added lists to the MailScanner.conf and the spam.lists.conf files, I assumed
>the MailScanner either did RBL checking on it's own or passed the RBL's on
>to SpamAssassin to be checked?

The RBL checking in MS and SA are separate. If the sender appears in any of
the "Spam Lists" or "Spam Domain Lists" in MS then they will be marked as
spam.
SA does its own RBL checking as well unless you set "skip_rbl_checks = 1"
in your spam.assassin.conf file. If SA gets a "hit" on any of the RBLs that
it checks, then a value is added to the overall SpamAssassin score.

>- Do I need to add the RBL checking to the spamassassin config to make it
>all happen and to check all of the RBLs I desire to use?

If you want "appearance in any RBL implies spam" then use MS to do it. If
you want it to add to the SA score, then let SA do it. There's not much
point doing the RBL checks twice, it just slows everything down.

>- Is the MailScanner spam.lists.conf file used if SpamAssassin is in play?

Yes. The MS spam lists and SA are separate.

>- Also one other question about the MailScanner.conf and the DNS blacklists,
>what is the difference between the "Spam List" configuration entry and the
>"Spam Domain List". I guess I don't see how the two actually interact. If
>SA is used, is it a moot point what's in this part of the config?

Most RBLs are done using the IP address of the SMTP server that sent you
the message. These are "Spam Lists".
But a few are done using the domain name instead. These are "Spam Domain
Lists".
Personally I don't use "Spam Domain Lists" at all, but some people do.

>Just a little confused -- sorry.

No problem. The whole MS/SA interaction can seem a little complicated at
first :-)

In your config below, you are doing some of the RBL checks twice, which
isn't optimal, but won't do any harm if your server can handle the load.
You can configure MS so that if it gets any "hits" on the "Spam Lists" then
it won't bother calling SA at all, as it will have already decided the
message is spam. You might try using that.

If you need any more help or explanation, do get in touch.

>Here are excerpts from my config files...
>----------------------------
>MailScanner.conf
>----------------------------
># This is the name of the file that translates the names of the "Spam List"
># values to the real DNS names of the spam blacklists.
>Spam List Definitions = /etc/MailScanner/spam.lists.conf
>...
># Do you want to check messages to see if they are spam?
># This can also be the filename of a ruleset.
>Spam Checks = yes
>
># This is the list of spam blacklists (RBLs) which you are using.
># See the "Spam List Definitions" file for more information about what
># you can put here.
># This can also be the filename of a ruleset.
>#Spam List = ORDB-RBL Infinite-Monkeys # MAPS-RBL+ costs money (except
>.ac.uk)
>Spam List = ORDB-RBL spamcop.net Infinite-Monkeys osirusoft.com
>WIREHUB-DNSBL OSIRUSOFT-SPEWS
>
># This is the list of spam domain blacklists which you are using
># (such as the "rfc-ignorant" domains). See the "Spam List Definitions"
># file for more information about what you can put here.
># This can also be the filename of a ruleset.
>#Spam Domain List =
>...
># Set the location of the SpamAssassin user_prefs file. If you want to
># stop SpamAssassin doing all the RBL checks again, then you can add
># "skip_rbl_checks = 1" to this prefs file.
>SpamAssassin Prefs File = /etc/MailScanner/spam.assassin.prefs.conf
>----------------------------
>/MailScanner.conf
>----------------------------
>----------------------------
>spam.assassin.prefs.conf
>----------------------------
>...
># By default, SpamAssassin will run RBL checks. If your ISP already
># does this, set this to 1.
>#
># skip_rbl_checks 1
>...
>----------------------------
>/spam.assassin.prefs.conf
>----------------------------
>
>Thanks for your time,
>
>Todd

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Mon Jan 13 21:12:13 2003
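Added example, not part of the archived messages and not MailScanner or SpamAssassin code: a sketch of the two lookup styles described in the "RBL checking w/ MS and SA" reply above (IP-based "Spam Lists" versus domain-based "Spam Domain Lists") and of the two verdict policies (any hit means spam, versus each hit adding to a score). The zone names under `.example`, the scores, the threshold and all function names are constructed assumptions.

```python
"""Added example: IP-based vs domain-based DNS blacklist lookups and verdicts."""
import ipaddress
import socket


def ip_query_name(relay_ip, zone):
    """'Spam List' style: reverse the IPv4 octets of the sending SMTP server."""
    octets = str(ipaddress.IPv4Address(relay_ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def domain_query_name(sender_domain, zone):
    """'Spam Domain List' style: the sender's domain is prepended unchanged."""
    return sender_domain.strip(".").lower() + "." + zone


def dns_resolver(name):
    """Live lookup: returns the A record as a string, or None on NXDOMAIN."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def is_listed(name, resolver):
    # Only answers in 127.0.0.0/8 count as a listing. A resolver that rewrites
    # NXDOMAIN into some other address must not turn every sender into a hit.
    answer = resolver(name)
    return answer is not None and answer.startswith("127.")


def any_hit_verdict(relay_ip, sender_domain, ip_zones, domain_zones, resolver):
    """Policy described for MailScanner in the reply: any listing marks spam."""
    hits = [z for z in ip_zones
            if is_listed(ip_query_name(relay_ip, z), resolver)]
    hits += [z for z in domain_zones
             if is_listed(domain_query_name(sender_domain, z), resolver)]
    return bool(hits), hits


def additive_verdict(relay_ip, zone_scores, content_score, required, resolver):
    """Policy described for SpamAssassin: each hit adds to the overall score."""
    total = content_score + sum(
        score for zone, score in zone_scores.items()
        if is_listed(ip_query_name(relay_ip, zone), resolver))
    return total >= required, total


# Constructed zone contents so the example runs offline.
CONSTRUCTED_ZONE_DATA = {
    "33.2.0.192.relays.dnsbl.example": "127.0.0.2",
    "nopostmaster.test.domains.dnsbl.example": "127.0.0.3",
}


def constructed_resolver(name):
    return CONSTRUCTED_ZONE_DATA.get(name)


if __name__ == "__main__":
    ip_zones = ["relays.dnsbl.example", "other.dnsbl.example"]
    # One listing is enough for the any-hit policy ...
    print(any_hit_verdict("192.0.2.33", "clean.test", ip_zones,
                          ["domains.dnsbl.example"], constructed_resolver))
    # ... but the same single listing may stay under the score threshold.
    print(additive_verdict("192.0.2.33",
                           {"relays.dnsbl.example": 2.0,
                            "other.dnsbl.example": 3.0},
                           1.5, 5.0, constructed_resolver))
```

Pass `dns_resolver` instead of `constructed_resolver` to query real zones; running both policies over the same zones repeats every lookup, which is the duplicated work the reply mentions.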
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:57 2006 Subject: problems installing mailscanner in debian In-Reply-To: <5.2.0.9.2.20030113175858.01a41d50@imap.ecs.soton.ac.uk> References: <200301131230.h0DCUkM29937@ori.rl.ac.uk> Message-ID: <5.2.0.9.2.20030113211148.02846b18@imap.ecs.soton.ac.uk> Nick says this: Fix whatever causes hostname to output "Unknown host" I guess... I haven't really looked at the scripts in the mailscanner 3 package, but I guess it's trying to use /bin/hostname to get the name to use in the config file and finding that hostname fails. Maybe check /etc/mailname and /etc/hosts? Failing that use the Debian BTS to report a bug (if it's possible for hostname to fail then the scripts need to handle it, I guess). At 17:59 13/01/2003, you wrote: >I have passed your problem onto my Debian expert (ie. Nick). Hopefully he >will get back to you soon. > >At 12:30 13/01/2003, you wrote: >>I was trying to install mailscanner with debian (apt-get install mailscanner >>but I got the following error): >> >>Setting up mailscanner (3.13.2-4) ... >>hostname: Unknown host >>dpkg: error processing mailscanner (--configure): >> subprocess post-installation script returned error exit status 1 >>Errors were encountered while processing: >> mailscanner >>E: Sub-process /usr/bin/dpkg returned an error code (1) >> >>How can I fix this? >> >> >>Sander > >-- >Julian Field >www.MailScanner.info >MailScanner thanks transtec Computers for their support -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From john.hanks at USU.EDU Mon Jan 13 20:50:15 2003 
From: john.hanks at USU.EDU (John B. Hanks)
Date: Thu Jan 12 21:16:57 2006
Subject: Forcing sendmail to use /etc/hosts before using DNS
Message-ID: <5CA287DBA85BF649A45916B75FD20E0E125761@exchange.usu.edu>

I am trying to get sendmail/mailscanner to do something that has me
questioning my understanding of the way this has been working. Here is what
I currently do to scan mail for a mail server.

My MailScanner machines are noturus.usu.edu and ameiurus.usu.edu.

If I want to scan mail for mail.dept.usu.edu, I go to that DNS record and
add

mail.dept.usu.edu in mx 10 noturus.usu.edu
mail.dept.usu.edu in mx 10 ameiurus.usu.edu

This has been working flawlessly for some time. I think what happens is mail
gets delivered to the MailScanner machines, they recognize themselves as MX
hosts and then forward the scanned mail to the A record for the target.

Now I need to do some magic for a server move. I have a host,
someserver.usu.edu, that wants mail scanned and delivered to another box
which will host mail but someserver.usu.edu still has other functions so it
need to keep this name in its a record. I thought I could accomplish this by
adding entries to /etc/hosts on the mailscanners like

172.17.1.33 someserver.usu.edu

So that when noturus or ameiurus looked up someserver.usu.edu they would use
the entry from the hosts file and unwittingly deliver mail to the new
server. But, sendmail seems intent on ignoring the /etc/hosts file. I have
changed /etc/resolv.conf, /etc/nsswitch.conf, /etc/host.conf and
/etc/mail/services.switch so that all these point to files first, then dns
but it still isn't working. The ping command works as expected, checking
/etc/hosts and using the IP address from the file. Can someone tell me if
what I want to do is possible and if so, how do I get sendmail to behave
this way? As we move more mailservers to use MailScanner this is going to
come up again and I need a way to solve it.

This is Redhat 7.3, MailScanner 4.11-1 and sendmail 8.11.6-15.

Thanks, jbh From brose at MED.WAYNE.EDU Mon Jan 13 21:30:21 2003 From: brose at MED.WAYNE.EDU (Rose, Bobby) Date: Thu Jan 12 21:16:57 2006 Subject: Webmin module 0.01 BETA released Message-ID: Looks good on Solaris. Here's a suggestions, in the places where you can set rule files or the reports add an option to manual edit them. As it times goes on, you could probably add a subpage for adding/removing rules to the rule files for those people who still mess up making them. You could probably reuse the edit code from the sendmail module such as the sendmail/edit_file.cgi. Also you missed the browse option for Spam Actions under What to do with Spam. Can't High Scoring Spam Action be a rule also? -----Original Message----- 
From: Lush, Richard [mailto:Richard.Lush@HP.COM] Sent: Monday, January 13, 2003 6:58 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Webmin module 0.01 BETA released Hi All, I've just finished the BETA version of my webmin module and would like some volunteers to test it. Although it is beta I haven't trashed my system yet using it, although I do backup my mailscanner.conf just in case. I'm not sure what people want from it so I do need your help in shaping what this looking like. I'm new to cgi and perl so there are a few "features" which need ironing out. Here is a list of the ones I know about: Maximum number of child forks not displaying Currently no external rules sets can be viewed/edited No lines which are #'d out can be edited (Any ideas anyone?) Currently no help is available Some of the file browsing buttons aren't working Here is a link to the website: http://lushsoft.dyndns.org/mailscanner-webmin/index.html Please note: This is written by me and as such all feedback comments etc should be sent to me and not Julian. Regards, Richard Richard Lush Consulting and Integration Security Practise Reading UK Email richard.lush@hp.com Mobile +44 (0) 7788 916941 Office +44 (0) 118 920 2349 Fax +44 (0) 118 920 4612 D I S C L A I M E R The information contained in this communication is intended solely for use by the individual or entity to whom it is addressed. Use of this communication by others is prohibited. HP and / or Compaq is neither liable for the proper and complete transmission of the information contained in this communication nor for any delay in its receipt nor for any special, incidental or consequential damages of any nature whatsoever resulting from receipt or use of this communication. If you are not the intended recipient, you may not peruse, use, disseminate, distribute or copy this message. If you have received this message in error, please notify the sender immediately by email, facsimile or telephone and return or destroy the original message. 
Thank you. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030113/fbb3a2a0/attachment.html From mailscanner at ecs.soton.ac.uk Mon Jan 13 21:35:51 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:57 2006 Subject: Webmin module 0.01 BETA released In-Reply-To: Message-ID: <5.2.0.9.2.20030113213516.02af3bf0@imap.ecs.soton.ac.uk> At 21:30 13/01/2003, you wrote: >Also you missed the browse option for Spam Actions under What to do with Spam. Do you mean "bounce"? >Can't High Scoring Spam Action be a rule also? It can, yes. > >-----Original Message----- 
>From: Lush, Richard [mailto:Richard.Lush@HP.COM] >Sent: Monday, January 13, 2003 6:58 AM >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Webmin module 0.01 BETA released > >Hi All, > >I've just finished the BETA version of my webmin module and would like >some volunteers to test it. Although it is beta I haven't trashed my >system yet using it, although I do backup my mailscanner.conf just in case. > >I'm not sure what people want from it so I do need your help in shaping >what this looking like. > >I'm new to cgi and perl so there are a few "features" which need ironing >out. Here is a list of the ones I know about: > >Maximum number of child forks not displaying >Currently no external rules sets can be viewed/edited >No lines which are #'d out can be edited (Any ideas anyone?) >Currently no help is available >Some of the file browsing buttons aren't working > >Here is a link to the website: >http://lushsoft.dyndns.org/mailscanner-webmin/index.html > > >Please note: This is written by me and as such all feedback comments etc >should be sent to me and not Julian. > >Regards, > >Richard > >Richard Lush > >Consulting and Integration >Security Practise >Reading UK >Email richard.lush@hp.com >Mobile +44 (0) 7788 916941 >Office +44 (0) 118 920 2349 >Fax +44 (0) 118 920 4612 >D I S C L A I M E R >The information contained in this communication is intended solely for use >by the individual or entity to whom it is addressed. Use of this >communication by others is prohibited. HP and / or Compaq is neither >liable for the proper and complete transmission of the information >contained in this communication nor for any delay in its receipt nor for >any special, incidental or consequential damages of any nature whatsoever >resulting from receipt or use of this communication. If you are not the >intended recipient, you may not peruse, use, disseminate, distribute or >copy this message. 
If you have received this message in error, please >notify the sender immediately by email, facsimile or telephone and return >or destroy the original message. Thank you. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030113/a565e181/attachment.html From mkettler at EVI-INC.COM Mon Jan 13 22:08:51 2003 
From: mkettler at EVI-INC.COM (Matt Kettler) Date: Thu Jan 12 21:16:57 2006 Subject: Forcing sendmail to use /etc/hosts before using DNS In-Reply-To: <5CA287DBA85BF649A45916B75FD20E0E125761@exchange.usu.edu> Message-ID: <5.1.1.6.0.20030113170448.018fbea0@192.168.50.2> This is a result of SMTP standards requirements, some discussion can be read here: http://www.linuxgazette.com/issue31/tag_maildns.html Really trying to deliver mail to a host without a valid MX record is a somewhat dangerous thing to do as far as "accidental open relay" bugs are concerned. More info is easily found on google: http://www.google.com/search?hl=en&ie=UTF-8&oe=UTF-8&q=sendmail+%2Fetc%2Fhosts&btnG=Google+Search At 01:50 PM 1/13/2003 -0700, John B. Hanks wrote: >I am trying to get sendmail/mailscanner to do something that has me >questioning my understanding of the way this has been working. Here is what >I currently do to scan mail for a mail server. > >My MailScanner machines are noturus.usu.edu and ameiurus.usu.edu. > >If I want to scan mail for mail.dept.usu.edu, I go to that DNS record and >add > >mail.dept.usu.edu in mx 10 noturus.usu.edu >mail.dept.usu.edu in mx 10 ameiurus.usu.edu > >This has been working flawlessly for some time. I think what happens is mail >gets delivered to the MailScanner machines, they recognize themselves as MX >hosts and then forward the scanned mail to the A record for the target. > >Now I need to do some magic for a server move. I have a host, >someserver.usu.edu, that wants mail scanned and delivered to another box >which will host mail but someserver.usu.edu still has other functions so it >need to keep this name in its a record. I thought I could accomplish this by >adding entries to /etc/hosts on the mailscanners like > >172.17.1.33 someserver.usu.edu > >So that when noturus or ameiurus looked up someserver.usu.edu they would use >the entry from the hosts file and unwittingly deliver mail to the new >server. 
But, sendmail seems intent on ignoring the /etc/hosts file. I have >changed /etc/resolv.conf, /etc/nsswitch.conf, /etc/host.conf and >/etc/mail/services.switch so that all these point to files first, then dns >but it still isn't working. The ping command works as expected, checking >/etc/hosts and using the IP address from the file. Can someone tell me if >what I want to do is possible and if so, how do I get sendmail to behave >this way? As we move more mailservers to use MailScanner this is going to >come up again and I need a way to solve it. > >This is Redhat 7.3, MailScanner 4.11-1 and sendmail 8.11.6-15. > >Thanks, > >jbh From robert at FENLANARENA.CO.UK Mon Jan 13 22:05:17 2003 From: robert at FENLANARENA.CO.UK (robert harpham) Date: Thu Jan 12 21:16:57 2006 Subject: starting mailscan on boot! Message-ID: <000901c2bb4f$dca904b0$0f01a8c0@kudos> hi i am wundering how you guys start mailscan up on boot? what script do u use? just wundering what the best way is and if i could have a copy so save me writting one out my self! also was wudnering what the best way is! thx robert -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030113/e560f351/attachment.html From mailscanner at ecs.soton.ac.uk Mon Jan 13 22:19:59 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:57 2006 Subject: starting mailscan on boot! In-Reply-To: <000901c2bb4f$dca904b0$0f01a8c0@kudos> Message-ID: <5.2.0.9.2.20030113221706.02ba8b20@imap.ecs.soton.ac.uk> At 22:05 13/01/2003, you wrote: >i am wundering how you guys start mailscan up on boot? what script do u use? >just wundering what the best way is and if i could have a copy so save me >writting one out my self! also was wudnering what the best way is! You need an init.d script, which you can base on the one used on your system to start sendmail. You need to start a sendmail -bd with all the relevant options as dictated by the MailScanner installation guide on the web site. You should also start a sendmail -q15m to run the outgoing queue. Then you should run check_mailscanner to actually start up MailScanner itself. What operating system and version are you using? What version of MailScanner are you using? How and where did you install MailScanner? -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030113/e70a1737/attachment.html From robert at FENLANARENA.CO.UK Mon Jan 13 22:53:00 2003 
From: robert at FENLANARENA.CO.UK (robert harpham) Date: Thu Jan 12 21:16:57 2006 Subject: starting mailscan on boot! References: <5.2.0.9.2.20030113221706.02ba8b20@imap.ecs.soton.ac.uk> Message-ID: <001d01c2bb56$8656eb20$0f01a8c0@kudos> hi thx for help this is what is in my sendmail init.d scrpt #daemon /usr/sbin/sendmail -bd -q1h daemon /usr/sbin/sendmail -bd -OPrivacyOptions=noetrn -ODeliveryMode=queueonly -OQueueDirectory=/var/spool/mqueue.in sendmail -q1h echo touch /var/lock/subsys/sendmail ;; i am using turbolinux 6.5 server and version of mail scanner is MailScanner-4.11-1.tar which is installed under /opt/MailScanner-4.11-1 thx robert ----- Original Message ----- From: Julian Field To: MAILSCANNER@JISCMAIL.AC.UK Sent: Monday, January 13, 2003 10:19 PM Subject: Re: starting mailscan on boot! At 22:05 13/01/2003, you wrote: i am wundering how you guys start mailscan up on boot? what script do u use? just wundering what the best way is and if i could have a copy so save me writting one out my self! also was wudnering what the best way is! You need an init.d script, which you can base on the one used on your system to start sendmail. You need to start a sendmail -bd with all the relevant options as dictated by the MailScanner installation guide on the web site. You should also start a sendmail -q15m to run the outgoing queue. Then you should run check_mailscanner to actually start up MailScanner itself. What operating system and version are you using? What version of MailScanner are you using? How and where did you install MailScanner? -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030113/db25f605/attachment.html From adkinss at OHIO.EDU Mon Jan 13 18:24:25 2003 
From: adkinss at OHIO.EDU (Scott Adkins) Date: Thu Jan 12 21:16:57 2006 Subject: Cry for help. In-Reply-To: <003701c2bb26$23f89440$6600a8c0@Orthanc> References: <003701c2bb26$23f89440$6600a8c0@Orthanc> Message-ID: <2773959292.1042464265@Callisto> --On Monday, January 13, 2003 12:06 PM -0500 Steve Ellis wrote: > I'm curious as to what virus was being sent from thebig@boss.com > address. We received a few messages, but they were not detected as a > virus by the virus software we are using with MailScanner. Anyone have a > name for it? Are you sure that the attachment was in there with the virus? I have seen a lot of copies of this email come through some mailing lists, but the attachments were stripped out of it. In some cases, Spam Assassin has scored it with 5.5, 5.4 and 3.2 fairly consistent, depending on the mail headers, and when the attachment is left in place, it would not get checked at all due to file size. Scott -- +-----------------------------------------------------------------------+ Scott W. Adkins http://www.cns.ohiou.edu/~sadkins/ UNIX Systems Engineer mailto:adkinss@ohio.edu ICQ 7626282 Work (740)593-9478 Fax (740)593-1944 +-----------------------------------------------------------------------+ PGP Public Key available at http://www.cns.ohiou.edu/~sadkins/pgp/ -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 231 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030113/c0e7541e/attachment.bin From alex at IALEX.NET Mon Jan 13 23:29:27 2003 
From: alex at IALEX.NET (Alex Short) Date: Thu Jan 12 21:16:57 2006 Subject: Feature Request. Message-ID: With this pesky big@boss.com wave of mail i'm sure some of us have noticed, i don't think the load is so much caused by handling the incoming mail and scan, but also sending it out, having it deferred and so on. Can it be added to log email addresses of people that send a virus, and perhaps logs that and only send one notification per person per day? Alex From adkinss at OHIO.EDU Mon Jan 13 22:05:57 2003 
From: adkinss at OHIO.EDU (Scott Adkins) Date: Thu Jan 12 21:16:57 2006 Subject: Adding a mail header... In-Reply-To: <5.2.0.9.2.20030113184729.01a916f0@imap.ecs.soton.ac.uk> References: <5.2.0.9.2.20030113184729.01a916f0@imap.ecs.soton.ac.uk> Message-ID: <2787250864.1042477557@Callisto> Okay, I don't agree with this solution. For starters, our mail queue system is split up into a bunch of queues. When mail comes into our main incoming queue, these messages are moved into other queues appropriate for their destinations. Some go to the cyrus queue, some go to the our edirectory queue, and the rest go to our outbound queue. We actually have more queues than this, but that is a bit off topic. MailScanner is setup to process messages coming into the cyrus queue before delivering them to LMTP. When server load gets really high, we sometimes have to shut off MailScanner altogether in order to get the mail processed in a timely manner. For example, we have processed about 50,000 messages (just counting the ones going to the cyrus queue, not the ones going elsewhere that are coming into our system) in the last 2 hours alone! So, what I would like is to have a line like the following added to emails that are touched by MailScanner: X-MailScanner-Information: If MailScanner gets shutdown, I don't want that header in the messages. I certainly don't want that header in emails that come into our server and go back out without ever touching MailScanner. I agree that in some cases, it should be the MTA's responsibility to add headers to emails, but not in all cases. I believe this is one of them. I would suggest in the next version to allow for such a header, maybe call the config option "Information Header:". 
Scott --On Monday, January 13, 2003 6:53 PM +0000 Julian Field wrote: > At 17:40 13/01/2003, you wrote: >> Maybe I missed something, but it doesn't look like it is possible to add >> an arbitrary header to the emails in addition to the "Mail Header" and >> the "Spam Header" headers. I am interested in adding a header that >> contains a URL to a web page we maintain describing the spam checking >> and virus scanning we are now doing. Is there an easy way to do this >> that I might be missing? > > Best way is to get your MTA to do it for you. Apparently very easy in > Exim, shouldn't be too taxing in sendmail either. > > In sendmail you should be able to add this to your sendmail.cf file: > HX-Help-Available-At: http://www.your.domain.com/help > > If you want to know how to do it in Exim, search the archives for the past > couple of weeks, this was discussed recently. > -- > Julian Field > www.MailScanner.info > MailScanner thanks transtec Computers for their support -- +-----------------------------------------------------------------------+ Scott W. Adkins http://www.cns.ohiou.edu/~sadkins/ UNIX Systems Engineer mailto:adkinss@ohio.edu ICQ 7626282 Work (740)593-9478 Fax (740)593-1944 +-----------------------------------------------------------------------+ PGP Public Key available at http://www.cns.ohiou.edu/~sadkins/pgp/ -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 231 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030113/3351c061/attachment.bin From mike at CAMAROSS.NET Mon Jan 13 23:22:27 2003 From: mike at CAMAROSS.NET (Mike Kercher) Date: Thu Jan 12 21:16:57 2006 Subject: Feature Request. In-Reply-To: Message-ID: <00af01c2bb5a$a377e6b0$9801a8c0@home.middlefinger.net> I'd rather pester the beejesus out of people too stupid to protect themselves! :) -----Original Message----- 
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Alex Short Sent: Monday, January 13, 2003 5:29 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Feature Request. With this pesky big@boss.com wave of mail i'm sure some of us have noticed, i don't think the load is so much caused by handling the incoming mail and scan, but also sending it out, having it deferred and so on. Can it be added to log email addresses of people that send a virus, and perhaps logs that and only send one notification per person per day? Alex From gerry at DORFAM.CA Tue Jan 14 01:15:54 2003 From: gerry at DORFAM.CA (Gerry Doris) Date: Thu Jan 12 21:16:57 2006 Subject: Cry for help. In-Reply-To: <2773959292.1042464265@Callisto> Message-ID: On Mon, 13 Jan 2003, Scott Adkins wrote: > --On Monday, January 13, 2003 12:06 PM -0500 Steve Ellis > wrote: > Are you sure that the attachment was in there with the virus? I have > seen a lot of copies of this email come through some mailing lists, but > the attachments were stripped out of it. In some cases, Spam Assassin > has scored it with 5.5, 5.4 and 3.2 fairly consistent, depending on > the mail headers, and when the attachment is left in place, it would > not get checked at all due to file size. > > Scott Well, MailScanner and F-Prot pulled out a big@boss.com message on my server this morning that had the W32/Sobig.A@mm virus. This thing came directly to me and not through a mail list. On the other hand I've had several big@boss.com messages from mailing lists that had the attachment stripped. It was 89924 bytes in size. I guess the lesson is that more and more mailing lists are using virus scanning. -- Gerry "The lyfe so short, the craft so long to learne" Chaucer From mike at CAMAROSS.NET Tue Jan 14 01:23:28 2003 
From: mike at CAMAROSS.NET (Mike Kercher) Date: Thu Jan 12 21:16:57 2006 Subject: Cry for help. In-Reply-To: <2773959292.1042464265@Callisto> Message-ID: <000801c2bb6b$8bb7d290$9801a8c0@home.middlefinger.net> SpamAssassin doesn't have anything to do with the virus scanning. Attachments are virus scanned regardless of size... -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Scott Adkins Sent: Monday, January 13, 2003 12:24 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Cry for help. --On Monday, January 13, 2003 12:06 PM -0500 Steve Ellis wrote: > I'm curious as to what virus was being sent from thebig@boss.com > address. We received a few messages, but they were not detected as a > virus by the virus software we are using with MailScanner. Anyone have > a name for it? Are you sure that the attachment was in there with the virus? I have seen a lot of copies of this email come through some mailing lists, but the attachments were stripped out of it. In some cases, Spam Assassin has scored it with 5.5, 5.4 and 3.2 fairly consistent, depending on the mail headers, and when the attachment is left in place, it would not get checked at all due to file size. Scott -- +----------------------------------------------------------------------- + Scott W. Adkins http://www.cns.ohiou.edu/~sadkins/ UNIX Systems Engineer mailto:adkinss@ohio.edu ICQ 7626282 Work (740)593-9478 Fax (740)593-1944 +----------------------------------------------------------------------- + PGP Public Key available at http://www.cns.ohiou.edu/~sadkins/pgp/ From adkinss at OHIO.EDU Tue Jan 14 03:46:07 2003 
From: adkinss at OHIO.EDU (Scott Adkins) Date: Thu Jan 12 21:16:57 2006 Subject: Cry for help. In-Reply-To: <000801c2bb6b$8bb7d290$9801a8c0@home.middlefinger.net> References: <000801c2bb6b$8bb7d290$9801a8c0@home.middlefinger.net> Message-ID: <7229625.1042497966@IO> Yes, and I probably slid off course just a little on my reply. What made me take notice of the stripped attachments was the fact that some of the emails were classified as spam and moved to my spam folder and others were not. The stripped attachments obviously brought the messages under the size threshold for spam checking, but is also means that there isn't any attachments to do virus scanning on... That was all I was wanting to say, I just didn't say it :) Scott --On Monday, January 13, 2003 7:23 PM -0600 Mike Kercher wrote: > SpamAssassin doesn't have anything to do with the virus scanning. > Attachments are virus scanned regardless of size... > > -----Original Message----- 
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On > Behalf Of Scott Adkins > Sent: Monday, January 13, 2003 12:24 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Cry for help. > > > --On Monday, January 13, 2003 12:06 PM -0500 Steve Ellis > wrote: > >> I'm curious as to what virus was being sent from thebig@boss.com >> address. We received a few messages, but they were not detected as a >> virus by the virus software we are using with MailScanner. Anyone have > >> a name for it? > > Are you sure that the attachment was in there with the virus? I have > seen a lot of copies of this email come through some mailing lists, but > the attachments were stripped out of it. In some cases, Spam Assassin > has scored it with 5.5, 5.4 and 3.2 fairly consistent, depending on the > mail headers, and when the attachment is left in place, it would not get > checked at all due to file size. > > Scott > -- > > +----------------------------------------------------------------------- > + > Scott W. Adkins http://www.cns.ohiou.edu/~sadkins/ > UNIX Systems Engineer mailto:adkinss@ohio.edu > ICQ 7626282 Work (740)593-9478 Fax (740)593-1944 > > +----------------------------------------------------------------------- > + > PGP Public Key available at http://www.cns.ohiou.edu/~sadkins/pgp/ -- +-----------------------------------------------------------------------+ Scott W. Adkins http://www.cns.ohiou.edu/~sadkins/ UNIX Systems Engineer mailto:adkinss@ohio.edu ICQ 7626282 Work (740)593-9478 Fax (740)593-1944 +-----------------------------------------------------------------------+ PGP Public Key available at http://www.cns.ohiou.edu/~sadkins/pgp/ -------------- next part -------------- A non-text attachment was scrubbed... 
Name: not available
Type: application/pgp-signature
Size: 231 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030113/a1b58b81/attachment.bin

From mailscanner at ecs.soton.ac.uk Tue Jan 14 08:56:55 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:57 2006
Subject: starting mailscan on boot!
In-Reply-To: <001d01c2bb56$8656eb20$0f01a8c0@kudos>
References: <5.2.0.9.2.20030113221706.02ba8b20@imap.ecs.soton.ac.uk>
Message-ID: <5.2.0.9.2.20030114085614.028fe380@imap.ecs.soton.ac.uk>

At 22:53 13/01/2003, you wrote:
>hi thx for help
>this is what is in my sendmail init.d scrpt
>#daemon /usr/sbin/sendmail -bd -q1h
>daemon /usr/sbin/sendmail -bd -OPrivacyOptions=noetrn
>-ODeliveryMode=queueonly -OQueueDirectory=/var/spool/mqueue.in
> sendmail -q1h
> echo
> touch /var/lock/subsys/sendmail
> ;;
>
>i am using turbolinux 6.5 server and version of mail scanner is
>MailScanner-4.11-1.tar which is installed under /opt/MailScanner-4.11-1

The other command you need is
/opt/MailScanner/bin/check_mailscanner
to start up MailScanner itself once the 2 sendmail processes are started.

You are very nearly there! :-)

>thx
>robert
>>----- Original Message -----
>>From: Julian Field
>>To: MAILSCANNER@JISCMAIL.AC.UK
>>Sent: Monday, January 13, 2003 10:19 PM
>>Subject: Re: starting mailscan on boot!
>>
>>At 22:05 13/01/2003, you wrote:
>>>i am wundering how you guys start mailscan up on boot? what script do u use?
>>>just wundering what the best way is and if i could have a copy so save
>>>me writting one out my self! also was wudnering what the best way is!
>>
>>You need an init.d script, which you can base on the one used on your
>>system to start sendmail. You need to start a sendmail -bd with all the
>>relevant options as dictated by the MailScanner installation guide on the
>>web site. You should also start a sendmail -q15m to run the outgoing
>>queue. Then you should run check_mailscanner to actually start up
>>MailScanner itself.
>>
>>What operating system and version are you using? What version of
>>MailScanner are you using? How and where did you install MailScanner?
>>--
>>Julian Field
>>www.MailScanner.info
>>MailScanner thanks transtec Computers for their support

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Tue Jan 14 09:00:45 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:57 2006 Subject: Feature Request. In-Reply-To: Message-ID: <5.2.0.9.2.20030114085857.04ccbae0@imap.ecs.soton.ac.uk> At 23:29 13/01/2003, you wrote: >With this pesky big@boss.com wave of mail i'm sure some of us have >noticed, i don't think the load is so much caused by handling the incoming >mail and scan, but also sending it out, having it deferred and so on. > >Can it be added to log email addresses of people that send a virus, and >perhaps logs that and only send one notification per person per day? If you quarantine the entire message when you find a virus, you can extract the sender info out of the message yourself in a nightly cron job and mail them all warnings. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From richard.lush at HP.COM Tue Jan 14 09:03:55 2003 
From: richard.lush at HP.COM (Richard Lush) Date: Thu Jan 12 21:16:57 2006 Subject: Webmin module 0.01 BETA released In-Reply-To: References: Message-ID: <1042535035.1412.7.camel@vader> Thanks for the comments, glad you like it so far :-) The plan is to add the ability to manually edit the files, I sort of have it working at the moment but not good enough to put into this release. Where there are multiple options for actions which are predefined, such as what to do with spam, I want to add these as check boxes - just need to work out how to do it. Not sure what you mean by browse option under what to do with spam, but I'll check it out. Anyway, thanks for the feedback so far. Richard On Mon, 2003-01-13 at 21:30, Rose, Bobby wrote: > Looks good on Solaris. Here's a suggestions, in the places where you > can set rule files or the reports add an option to manual edit them. > As it times goes on, you could probably add a subpage for > adding/removing rules to the rule files for those people who still > mess up making them. You could probably reuse the edit code from the > sendmail module such as the sendmail/edit_file.cgi. > > Also you missed the browse option for Spam Actions under What to do > with Spam. Can't High Scoring Spam Action be a rule also? > > -----Original Message----- 
> From: Lush, Richard [mailto:Richard.Lush@HP.COM] > Sent: Monday, January 13, 2003 6:58 AM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Webmin module 0.01 BETA released > > > Hi All, > > I've just finished the BETA version of my webmin module and > would like some volunteers to test it. Although it is beta I > haven't trashed my system yet using it, although I do backup > my mailscanner.conf just in case. > > I'm not sure what people want from it so I do need your help > in shaping what this looking like. > > I'm new to cgi and perl so there are a few "features" which > need ironing out. Here is a list of the ones I know about: > > Maximum number of child forks not displaying > Currently no external rules sets can be viewed/edited > No lines which are #'d out can be edited (Any ideas anyone?) > Currently no help is available > Some of the file browsing buttons aren't working > > Here is a link to the website: > http://lushsoft.dyndns.org/mailscanner-webmin/index.html > > Please note: This is written by me and as such all feedback > comments etc should be sent to me and not Julian. > > Regards, > > Richard > > Richard Lush > > Consulting and Integration > Security Practise > Reading UK > Email richard.lush@hp.com > Mobile +44 (0) 7788 916941 > Office +44 (0) 118 920 2349 > Fax +44 (0) 118 920 4612 > D I S C L A I M E R > The information contained in this communication is intended > solely for use by the individual or entity to whom it is > addressed. Use of this communication by others is prohibited. > HP and / or Compaq is neither liable for the proper and > complete transmission of the information contained in this > communication nor for any delay in its receipt nor for any > special, incidental or consequential damages of any nature > whatsoever resulting from receipt or use of this > communication. If you are not the intended recipient, you may > not peruse, use, disseminate, distribute or copy this message. 
> If you have received this message in error, please notify the > sender immediately by email, facsimile or telephone and return > or destroy the original message. Thank you. -- Richard Lush From mailscanner at ecs.soton.ac.uk Tue Jan 14 08:55:23 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:57 2006 Subject: Adding a mail header... In-Reply-To: <2787250864.1042477557@Callisto> References: <5.2.0.9.2.20030113184729.01a916f0@imap.ecs.soton.ac.uk> <5.2.0.9.2.20030113184729.01a916f0@imap.ecs.soton.ac.uk> Message-ID: <5.2.0.9.2.20030114085329.028fe678@imap.ecs.soton.ac.uk> At 22:05 13/01/2003, you wrote: >So, what I would like is to have a line like the following added to >emails that are touched by MailScanner: > > X-MailScanner-Information: Do you want this in messages which MailScanner was configured not to scan as well as those it did scan? Or do you want it only in messages which MailScanner was configured to scan? What does anyone else want? >If MailScanner gets shutdown, I don't want that header in the messages. >I certainly don't want that header in emails that come into our server >and go back out without ever touching MailScanner. > >I agree that in some cases, it should be the MTA's responsibility to add >headers to emails, but not in all cases. I believe this is one of them. >I would suggest in the next version to allow for such a header, maybe >call the config option "Information Header:". > >Scott > >--On Monday, January 13, 2003 6:53 PM +0000 Julian Field > wrote: > >>At 17:40 13/01/2003, you wrote: >>>Maybe I missed something, but it doesn't look like it is possible to add >>>an arbitrary header to the emails in addition to the "Mail Header" and >>>the "Spam Header" headers. I am interested in adding a header that >>>contains a URL to a web page we maintain describing the spam checking >>>and virus scanning we are now doing. Is there an easy way to do this >>>that I might be missing? >> >>Best way is to get your MTA to do it for you. Apparently very easy in >>Exim, shouldn't be too taxing in sendmail either. 
>> >>In sendmail you should be able to add this to your sendmail.cf file: >>HX-Help-Available-At: http://www.your.domain.com/help >> >>If you want to know how to do it in Exim, search the archives for the past >>couple of weeks, this was discussed recently. >>-- >>Julian Field >>www.MailScanner.info >>MailScanner thanks transtec Computers for their support > > >-- >+-----------------------------------------------------------------------+ > Scott W. Adkins http://www.cns.ohiou.edu/~sadkins/ > UNIX Systems Engineer mailto:adkinss@ohio.edu > ICQ 7626282 Work (740)593-9478 Fax (740)593-1944 >+-----------------------------------------------------------------------+ > PGP Public Key available at > http://www.cns.ohiou.edu/~sadkins/pgp/ -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From daniele.antoniazzi at ACCENT.IT Tue Jan 14 08:41:26 2003 From: daniele.antoniazzi at ACCENT.IT (Daniele Antoniazzi) Date: Thu Jan 12 21:16:57 2006 Subject: need help installing patches on perl module MIME::tools Message-ID: <3E23CD36.7090303@accent.it> Hi, I'm trying to install the prerequisites for MailScanner. I've not understood how to apply the 4 patches to install MIME::tools perl module. I've tried "patch" command but without success :-( I've another question, concerning perl version. The installation docs say MailScanner has been tested on perl 5.8. What about 5.6? Thanks in advance for your help Ciao Daniele From mailscanner at ecs.soton.ac.uk Tue Jan 14 10:12:20 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:57 2006
Subject: need help installing patches on perl module MIME::tools
In-Reply-To: <3E23CD36.7090303@accent.it>
Message-ID: <5.2.0.9.2.20030114101047.02954848@imap.ecs.soton.ac.uk>

At 08:41 14/01/2003, you wrote:
>I'm trying to install the prerequisites for MailScanner. I've not
>understood how to apply the 4 patches to install MIME::tools perl
>module. I've tried "patch" command but without success :-(

Get into the directory containing the unpacked mime-tools .tar.gz file, and do
    patch -p1 < mime-tools-patch.txt
If "-p1" doesn't work nicely, then try "-p0". Then do the same command for each of the other patch files.

>I've another question, concerning perl version. The installation docs
>say MailScanner has been tested on perl 5.8. What about 5.6?

Just needs 5.005 or later.
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From tony.johansson at SVENSKAKYRKAN.SE Tue Jan 14 10:37:40 2003
From: tony.johansson at SVENSKAKYRKAN.SE (Tony Johansson)
Date: Thu Jan 12 21:16:57 2006
Subject: Manage quarantine
Message-ID: <3C4F5084EF16D4119CE700508B6B8B10058D0932@nt.svenskakyrkan.se>

Hello,

How do you people manage your quarantines?

We will shortly tighten our policy which will result in many more items getting quarantined. What is the easiest way to view the quarantine and if needed release items for delivery?

regards, Tony

From howard at harper-adams.ac.uk Tue Jan 14 11:38:59 2003
From: howard at harper-adams.ac.uk (Howard Robinson) Date: Thu Jan 12 21:16:57 2006 Subject: Manage quarantine In-Reply-To: <3C4F5084EF16D4119CE700508B6B8B10058D0932@nt.svenskakyrkan.se> Message-ID: <200301141137.h0EBbM410024@blackhole.harper-adams.ac.uk> On 14 Jan 03, at 11:37, Tony Johansson wrote: Hello Tony et al, We have been running Mailscanner since July 2001. For a year we kept the quarantined files but only had a few requests to recover them and then they were usually uncleanable/unusable. In July this year we took the decision to delete quarantined file and so far no one has complained. If someone sends a denied file (but virus free file) and its needed the user has to request it to be zipped or renamed and sent again. Of course it also saves disk space and reduces backup time. > Hello, > > How do you people manage your quarantines? > > We will shortly tighten our policy which will result in many more items > getting quarantined. What is the easiest way to view the quarantine and if > needed relase items for delivery? > > regards, Tony Regards Howard Robinson (Senior Technical Development Officer) Harper Adams University College Edgmond Newport Shropshire TF10 8NB UK E-mail: hrobinson@harper-adams.ac.uk Tel. : +44(0)1952 820280 Via switchboard : +44(0)1952 815253 Direct line Fax. : +44(0)1952 814783 College Web site http://www.harper-adams.ac.uk From joan.bryan at KCL.AC.UK Tue Jan 14 12:20:47 2003 
From: joan.bryan at KCL.AC.UK (Joan Bryan) Date: Thu Jan 12 21:16:57 2006 Subject: Manage quarantine In-Reply-To: <200301141137.h0EBbM410024@blackhole.harper-adams.ac.uk> Message-ID: Hello We delete quarantine files over 30 days old with a cron job. We have decided against automated retrieval of quarantine files, because users often request to be sent actual infected files. When a new virus comes out the number of requests for infected files increases. For example, when Bugbear came out the virus-info account received 10 or so requests per day for a couple of weeks. The only case for automatic retrieval (in our case) would be restricted to IFRame and object codebase files. The requests for these amount to roughly 2 or 3 per week. (This is from a total of 240,000 average daily scanned messages and average 600 viruses per day) Joan Joan Bryan Information Systems King's College London 020 7848 2671 mailto:joan.bryan@kcl.ac.uk From Edward_Ortiz at SSA-SA.SEL.SONY.COM Tue Jan 14 13:36:25 2003 
From: Edward_Ortiz at SSA-SA.SEL.SONY.COM (Ed Ortiz)
Date: Thu Jan 12 21:16:57 2006
Subject: need help installing patches on perl module MIME::tools
Message-ID:

You may need to use the GNU version of patch, not the one provided with Solaris, if this is the OS you're using. After installing the GNU version use /usr/local/bin/patch and follow Julian's instructions.

Just my two cents, hope it helps.

Ed Ortiz.

>>> mailscanner@ECS.SOTON.AC.UK 1/14/03 4:12:20 AM >>>
At 08:41 14/01/2003, you wrote:
>I'm trying to install the prerequisites for MailScanner. I've not
>understood how to apply the 4 patches to install MIME::tools perl
>module. I've tried "patch" command but without success :-(

Get into the directory containing the unpacked mime-tools .tar.gz file, and do
    patch -p1 < mime-tools-patch.txt
If "-p1" doesn't work nicely, then try "-p0". Then do the same command for each of the other patch files.

>I've another question, concerning perl version. The installation docs
>say MailScanner has been tested on perl 5.8. What about 5.6?

Just needs 5.005 or later.
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From jaearick at COLBY.EDU Tue Jan 14 13:49:29 2003
From: jaearick at COLBY.EDU (Jeff A. Earickson) Date: Thu Jan 12 21:16:57 2006 Subject: Manage quarantine In-Reply-To: References: Message-ID: Hi, We have discarded infected emails since day one (April 2002 in our case). We also do not disinfect-then-deliver. The sender and postmaster are notified that the email was vaporized (the recipient is not), but that is it. The reason we do not either quarantine or deliver cleaned messages is privacy. Some virii grab a document at random and email it; cleaning and delivering that document violates the privacy of the user of the infected machine. Likewise, hanging onto the document via quarantine also violates the privacy of the victim. I've never had a complaint about "your system ate my email and I want it back." ----------------------------------- Jeff A. Earickson, Ph.D Senior UNIX Sysadmin and Email Guru Information Technology Services Colby College, 4214 Mayflower Hill, Waterville ME, 04901-8842 phone: 207-872-3659 (fax = 3076) ----------------------------------- From joe at QITC.CO.UK Tue Jan 14 14:56:47 2003 
From: joe at QITC.CO.UK (Joe Quinn)
Date: Thu Jan 12 21:16:57 2006
Subject: mail not being scanned after reboot althought MailScanner was running
References: <5.2.0.9.2.20030113221706.02ba8b20@imap.ecs.soton.ac.uk> <001d01c2bb56$8656eb20$0f01a8c0@kudos>
Message-ID: <02af01c2bbdd$296ed0d0$78720550@T20>

Hi,

I'm running version 4.11-1 on a RaQ3

Strange thing this morning, I noticed an email coming in from a source that would normally have been tagged as spam but wasn't.

I had a look at the header and sure enough, no indication that MailScanner had checked it???

I ran the top command and it showed MailScanner was running a few processes then tailed the maillog which showed mail coming in but no scan???

I traced the exact time the problem arose back to a reboot I did;

reboot system boot 2.2.16C32_III Sun Jan 12 23:28 (1+11:23)

prior to this all was OK but after this, no scanning.

I stopped MailScanner then started it again after checking it was definitely stopped;

[root@raq1 /root]# /etc/rc.d/init.d/MailScanner stop
Shutting down MailScanner daemons:
         MailScanner: ERROR!
         incoming sendmail: sendmail ok
         outgoing sendmail: sendmail ok
[root@raq1 /root]# ps -auxww | grep -i mail
root 439 0.0 0.0 1192 456 pts/0 S 10:53 0:00 grep -i mail
[root@raq1 /root]# ps -auxww | grep -i mail
[root@raq1 /root]# /etc/rc.d/init.d/MailScanner start

All is now OK and mail is definitely being scanned but what caused the problem, any ideas?

Joe Quinn, QITC Internet Solutions (joe@qitc.co.uk)
www.qitc.net

From Stephen.Dawes at GOV.CALGARY.AB.CA Tue Jan 14 15:02:15 2003
From: Stephen.Dawes at GOV.CALGARY.AB.CA (Dawes, Stephen)
Date: Thu Jan 12 21:16:57 2006
Subject: Upgrading MailScanner:
Message-ID:

I am not sure if I have made a mistake or not, and for that reason I am looking for confirmation one way or the other.

What I have done, is to download the latest version, 4.11, of MailScanner from the Web site. Then I ran the command

tar -xvf MailScanner
cd MailScanner
source install.sh

I am now second-guessing myself. I did not uninstall the previous version of MailScanner before running the install command. Is this going to cause problems? Does the install script have built-in smarts to detect a previous version of MailScanner and then do the appropriate upgrades?

I couldn't find anything about this in the documentation that comes with MailScanner, so if I missed it, or if it is not there, can a brief note be added to the documentation on upgrading procedures for future releases?

Thanks!

Stephen Dawes
The City of Calgary | Phone: (403) 268-5527
Web Business Office #8300 | Fax: (403) 268-6423
PO Box 2100 Postal Station M. | Email: Stephen.Dawes@calgary.ca
Calgary, Alberta, Canada. T2P 2M5 | Web: http://www.calgary.ca

FOIPP NOTIFICATION
This communication is intended ONLY for the use of the person or entity named above and may contain information that is confidential or legally privileged. If you are not the intended recipient named above or a person responsible for delivering messages or communications to the intended recipient, YOU ARE HEREBY NOTIFIED that any use, distribution, or copying of this communication or any of the information contained in it is strictly prohibited. If you have received this communication in error, please notify us immediately by telephone and then destroy or delete this communication, or return it to us by mail if requested by us. Thank you for your attention and co-operation.

From mike at CAMAROSS.NET Tue Jan 14 15:09:30 2003
From: mike at CAMAROSS.NET (Mike Kercher)
Date: Thu Jan 12 21:16:57 2006
Subject: Upgrading MailScanner:
In-Reply-To:
Message-ID: <004901c2bbde$f37a5650$9801a8c0@home.middlefinger.net>

You can rpm -Uvh mailscanner*.rpm

Then all you need to do is diff the MailScanner.conf and MailScanner.conf.rpmnew to find configuration changed that need to be made.

Mike

From JeremyE at BSA.CA.GOV Tue Jan 14 15:16:54 2003
From: JeremyE at BSA.CA.GOV (Jeremy Evans)
Date: Thu Jan 12 21:16:58 2006
Subject: Maximum Filename Length
Message-ID: <2739ECF7268CD0118F50080009DCC9F00156DB10@pebble.bsa.ca.gov>

I'm trying to write a rule in filename.rules.conf that will block all attachments over a certain number of characters (in this case, 100). However, I've been unsuccessful. I've tried

deny	.{100,}	Filename over 100 characters	Filename over 100 characters

and

deny	^.{100,}$	Filename over 100 characters	Filename over 100 characters

neither of which work (the e-mail just goes through normally). I'm not an expert at regular expressions, so maybe I just didn't write it properly. This entry is the first entry in the file, there are tabs between all of the fields, and I have rebooted the server between changes, but when I sent through an attachment with a filename over 100 characters, it goes through without being blocked. Other rules I have written work as expected. What should I do to get the functionality I want?

Jeremy Evans
Information Systems Analyst
California State Auditor
916-445-0255 phone
916-322-7801 fax

From mailscanner at ecs.soton.ac.uk Tue Jan 14 15:23:27 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:58 2006 Subject: mail not being scanned after reboot althought MailScanner was running In-Reply-To: <02af01c2bbdd$296ed0d0$78720550@T20> References: <5.2.0.9.2.20030113221706.02ba8b20@imap.ecs.soton.ac.uk> <001d01c2bb56$8656eb20$0f01a8c0@kudos> Message-ID: <5.2.0.9.2.20030114152242.050742e8@imap.ecs.soton.ac.uk> Check your init.d to ensure only MailScanner is being fired up, not the "sendmail" init.d script as well. chkconfig --list | grep -i mail should show that sendmail is off and MailScanner is on. At 14:56 14/01/2003, you wrote: >Hi, > >I'm running version 4.11-1 on a RaQ3 > >Strange thing this morning, I noticed an email coming in from a source that >would normally have been tagged as spam but wasn't. > >I had a look at the header and sure enough, no indication that MailScanner >had checked it??? > >I ran the top command and it showed MailScanner was running a few processes >then tailed the maillog which showed mail coming in but no scan??? > >I traced the exact time the problem arose back to a reboot I did; > >reboot system boot 2.2.16C32_III Sun Jan 12 23:28 (1+11:23) > >prior to this all was OK but after this, no scanning. > >I stopped MailScanner then started it again after checking it was definitely >stopped; > >[root@raq1 /root]# /etc/rc.d/init.d/MailScanner stop >Shutting down MailScanner daemons: > MailScanner: ERROR! > incoming sendmail: sendmail ok > outgoing sendmail: sendmail ok >[root@raq1 /root]# ps -auxww | grep -i mail >root 439 0.0 0.0 1192 456 pts/0 S 10:53 0:00 grep -i mail >[root@raq1 /root]# ps -auxww | grep -i mail >[root@raq1 /root]# /etc/rc.d/init.d/MailScanner start > >All is now OK and mail is definitely being scanned but what caused the >problem, any ideas? 
> >Joe Quinn, QITC Internet Solutions (joe@qitc.co.uk) >www.qitc.net -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From zabriskw at ITECH.NET Tue Jan 14 15:37:36 2003 From: zabriskw at ITECH.NET (Kris Zabriskie) Date: Thu Jan 12 21:16:58 2006 Subject: Spam Retrival Problem Message-ID: <002801c2bbe2$dd436620$0c02a8c0@itech.dom> I have a quick question. Back when we were using MailScanner 2.20 I was able to 'tail' my mail.log and retrieve spam based on the message ID from /var/spool/MailScanner/quarantine/date/messageid. Then I would simply copy it to /var/spool/mqueue.in and it would go through MailScanner again and be delivered (of course after I added the whitelist). Recently we upgraded to 4.11 and I noticed that the messages just sit in that directory. Is there a configuration error that I have made, or something I am missing. Any help would be appreciated. Thanks everyone! Kris Zabriskie Network Admin / Consultant I-Tech Inc. zabriskw@itech.net 717-657-3035 -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030114/862140be/attachment.html From mailscanner at ecs.soton.ac.uk Tue Jan 14 16:15:42 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:58 2006
Subject: Spam Retrival Problem
In-Reply-To: <002801c2bbe2$dd436620$0c02a8c0@itech.dom>
Message-ID: <5.2.0.9.2.20030114161445.0535d4c0@imap.ecs.soton.ac.uk>

At 15:37 14/01/2003, you wrote:
>I have a quick question. Back when we were using MailScanner 2.20 I was
>able to 'tail' my mail.log and retrieve spam based on the message ID from
>/var/spool/MailScanner/quarantine/date/messageid. Then I would simply
>copy it to /var/spool/mqueue.in and it would go through MailScanner again
>and be delivered (of course after I added the whitelist). Recently we
>upgraded to 4.11 and I noticed that the messages just sit in that
>directory. Is there a configuration error that I have made, or something
>I am missing. Any help would be appreciated. Thanks everyone!

You need the raw queue files in your quarantine, not the "1 file per message" format. Take a look in your MailScanner.conf file for
    Quarantine Whole Messages As Queue Files = no
and change it to "yes", then "reload" MailScanner.
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From adkinss at OHIO.EDU Tue Jan 14 14:55:22 2003
From: adkinss at OHIO.EDU (Scott Adkins) Date: Thu Jan 12 21:16:58 2006 Subject: Adding a mail header... In-Reply-To: <5.2.0.9.2.20030114085329.028fe678@imap.ecs.soton.ac.uk> References: <5.2.0.9.2.20030114085329.028fe678@imap.ecs.soton.ac.uk> Message-ID: <2847814731.1042538122@Callisto> --On Tuesday, January 14, 2003 8:55 AM +0000 Julian Field wrote: > At 22:05 13/01/2003, you wrote: >> So, what I would like is to have a line like the following added to >> emails that are touched by MailScanner: >> >> X-MailScanner-Information: > > Do you want this in messages which MailScanner was configured not to scan > as well as those it did scan? > Or do you want it only in messages which MailScanner was configured to > scan? > > What does anyone else want? My guess is that if MailScanner is doing any checks of any kind, that it should stick in the header. Even if we configured all the checks to be off (what, that would be Spam Checking, Spam Assassin, Virus Scanning, Filename Checking, Blacklist Lookups, anything else?), which means that MailScanner is just moving messages from the input queue to the output queue, that we should still have the header inserted. If we didn't want that, we could comment out the "Information Header" config option and be done with it. You know, I am surprised that you don't have an X-MailScanner-Version header line in there. :-) Anyways, I have been pleased with the ease of use for MailScanner, and feel I still have a lot to learn about it. We are still fighting a lot of performance issues on our server, and we are still tracking it down. The server supports about 2000 concurrent users logging in and checking their email, and doing mail processing with spam/virus checking turned on just throws the server over the edge. Of course, it doesn't help when we are delivering close to 50,000 emails in an hours worth of time either :-) Scott -- +-----------------------------------------------------------------------+ Scott W. 
Adkins http://www.cns.ohiou.edu/~sadkins/
UNIX Systems Engineer mailto:adkinss@ohio.edu
ICQ 7626282 Work (740)593-9478 Fax (740)593-1944
+-----------------------------------------------------------------------+
PGP Public Key available at http://www.cns.ohiou.edu/~sadkins/pgp/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 231 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030114/51cead41/attachment.bin

From joe at QITC.CO.UK Tue Jan 14 16:22:09 2003
From: joe at QITC.CO.UK (Joe Quinn)
Date: Thu Jan 12 21:16:58 2006
Subject: mail not being scanned after reboot althought MailScanner was running
References: <5.2.0.9.2.20030113221706.02ba8b20@imap.ecs.soton.ac.uk> <001d01c2bb56$8656eb20$0f01a8c0@kudos> <5.2.0.9.2.20030114152242.050742e8@imap.ecs.soton.ac.uk>
Message-ID: <002701c2bbe9$163bff40$2d30c3c1@T20>

Haven't a clue what this means :-)

[root@raq1 /root]# chkconfig --list | grep -i mail
sendmail        0:off   1:off   2:off   3:on    4:on    5:on    6:off
MailScanner     0:off   1:off   2:on    3:off   4:off   5:off   6:off
[root@raq1 /root]#

Can you advise please?

Joe Quinn, QITC Internet Solutions (joe@qitc.co.uk)
Cisco re-seller, Cobalt Sapphire Partner. www.qitc.net/stocklist
Web Site Hosting, Server Hosting, Co-location.
Tel: (UK) +44 776 737 1234

----- Original Message -----
From: "Julian Field" To: Sent: Tuesday, January 14, 2003 3:23 PM Subject: Re: mail not being scanned after reboot althought MailScanner was running Check your init.d to ensure only MailScanner is being fired up, not the "sendmail" init.d script as well. chkconfig --list | grep -i mail should show that sendmail is off and MailScanner is on. At 14:56 14/01/2003, you wrote: >Hi, > >I'm running version 4.11-1 on a RaQ3 > >Strange thing this morning, I noticed an email coming in from a source that >would normally have been tagged as spam but wasn't. > >I had a look at the header and sure enough, no indication that MailScanner >had checked it??? > >I ran the top command and it showed MailScanner was running a few processes >then tailed the maillog which showed mail coming in but no scan??? > >I traced the exact time the problem arose back to a reboot I did; > >reboot system boot 2.2.16C32_III Sun Jan 12 23:28 (1+11:23) > >prior to this all was OK but after this, no scanning. > >I stopped MailScanner then started it again after checking it was definitely >stopped; > >[root@raq1 /root]# /etc/rc.d/init.d/MailScanner stop >Shutting down MailScanner daemons: > MailScanner: ERROR! > incoming sendmail: sendmail ok > outgoing sendmail: sendmail ok >[root@raq1 /root]# ps -auxww | grep -i mail >root 439 0.0 0.0 1192 456 pts/0 S 10:53 0:00 grep -i mail >[root@raq1 /root]# ps -auxww | grep -i mail >[root@raq1 /root]# /etc/rc.d/init.d/MailScanner start > >All is now OK and mail is definitely being scanned but what caused the >problem, any ideas? > >Joe Quinn, QITC Internet Solutions (joe@qitc.co.uk) >www.qitc.net -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From kylist at SHCORP.COM Tue Jan 14 16:14:06 2003 
From: kylist at SHCORP.COM (Kurt Yoder) Date: Thu Jan 12 21:16:58 2006 Subject: spamassassin returning 255 hits Message-ID: <44413.10.10.1.71.1042560846.squirrel@webmailtest.shcorp.com> Hello list I've been using mailscanner for awhile, and having it check for spam using spamassassin. Recently I started noticing that spamassassin was frequently timing out and being killed, even though I have a 40 timeout and this has been sufficient for most mail before. Restarting spamd did not help, so I upgraded Spamassassin. Now mailscanner always says spamassassin is returning 255 hits and reports everything as spam. I run spamassassin in daemon mode and have checked test messages using the "spamc" spamassassin client. My test messages using spamc are scanned correctly and return a normal, non-255 number. So why does mailscanner always think spamassassin is returning 255? Software info: Debian Linux, woody Mailscanner 3.12.5 (old, but I'm afraid to upgrade it in case I break something) Spamassassin 2.20 (debian package 2.20-1woody) Sendmail 8.12.1 (debian package 8.12.1-5; modified to work correctly with mailscanner) -- Kurt Yoder Sport & Health network administrator From sean at NISD.NET Tue Jan 14 16:23:25 2003 From: sean at NISD.NET (Sean Embry) Date: Thu Jan 12 21:16:58 2006 Subject: AOL and virus infected users (OT) Message-ID: Has anyone else noticed that e-mail to AOL abuse isn't working? EG: E-mail a virus detection report, eight weeks later, still geting them from the same X-Apparently-From: address in the alert. Does anyone know if the X-Apparently-From: can be trusted at all? I notice that CompuServe (cs.com) does this, and one or two others that I can't think of off hand... From Kevin.Spicer at BMRB.CO.UK Tue Jan 14 16:24:35 2003 
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin)
Date: Thu Jan 12 21:16:58 2006
Subject: mail not being scanned after reboot althought MailScanner was running
Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0A32C37@pascal.priv.bmrb.co.uk>

chkconfig sendmail off

> -----Original Message-----
> From: Joe Quinn [mailto:joe@QITC.CO.UK]
> Sent: 14 January 2003 16:22
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: mail not being scanned after reboot althought MailScanner
> was running
>
>
> Haven't a clue what this means :-)
>
> [root@raq1 /root]# chkconfig --list | grep -i mail
> sendmail 0:off 1:off 2:off 3:on 4:on 5:on 6:off
> MailScanner 0:off 1:off 2:on 3:off 4:off 5:off 6:off
> [root@raq1 /root]#
>
> Can you advise please?
>
> Joe Quinn, QITC Internet Solutions (joe@qitc.co.uk)
> Cisco re-seller, Cobalt Sapphire Partner. www.qitc.net/stocklist
> Web Site Hosting, Server Hosting, Co-location.
> Tel: (UK) +44 776 737 1234
>
> ----- Original Message -----
From dwinkler at ALGORITHMICS.COM Tue Jan 14 16:27:48 2003
From: dwinkler at ALGORITHMICS.COM (Derek Winkler)
Date: Thu Jan 12 21:16:58 2006
Subject: mail not being scanned after reboot althought MailScanner was running
Message-ID: <06EE2C86D3DAD5119A6C0060943F3C970402C0EE@tormail1.algorithmics.com>

This is displaying services, run levels and whether the service is turned on
or off for that run level.

-----Original Message-----
From: Joe Quinn [mailto:joe@qitc.co.uk]
Sent: Tuesday, January 14, 2003 11:22 AM
To: MAILSCANNER@jiscmail.ac.uk
Subject: Re: mail not being scanned after reboot althought MailScanner was running

Haven't a clue what this means :-)

[root@raq1 /root]# chkconfig --list | grep -i mail
sendmail 0:off 1:off 2:off 3:on 4:on 5:on 6:off
MailScanner 0:off 1:off 2:on 3:off 4:off 5:off 6:off
[root@raq1 /root]#

Can you advise please?

Joe Quinn, QITC Internet Solutions (joe@qitc.co.uk)
Cisco re-seller, Cobalt Sapphire Partner. www.qitc.net/stocklist
Web Site Hosting, Server Hosting, Co-location.
Tel: (UK) +44 776 737 1234

----- Original Message -----
From Denis.Beauchemin at USHERBROOKE.CA Tue Jan 14 16:30:51 2003
From: Denis.Beauchemin at USHERBROOKE.CA (Denis Beauchemin)
Date: Thu Jan 12 21:16:58 2006
Subject: mail not being scanned after reboot althought MailScanner was running
In-Reply-To: <002701c2bbe9$163bff40$2d30c3c1@T20>
References: <5.2.0.9.2.20030113221706.02ba8b20@imap.ecs.soton.ac.uk> <001d01c2bb56$8656eb20$0f01a8c0@kudos> <5.2.0.9.2.20030114152242.050742e8@imap.ecs.soton.ac.uk> <002701c2bbe9$163bff40$2d30c3c1@T20>
Message-ID: <1042561851.30405.110.camel@dbeauchemin.si.usherbrooke.ca>

Depending on the run-level you use by default, starting MailScanner only
in level 2 may not be enough. Try also:
    chkconfig --level 2345 MailScanner on

Denis

PS: don't forget to turn sendmail off as noted by Kevin Spicer:
    chkconfig sendmail off

On Tue 14/01/2003 at 11:22, Joe Quinn wrote:
> Haven't a clue what this means :-)
>
> [root@raq1 /root]# chkconfig --list | grep -i mail
> sendmail 0:off 1:off 2:off 3:on 4:on 5:on 6:off
> MailScanner 0:off 1:off 2:on 3:off 4:off 5:off 6:off
> [root@raq1 /root]#
>
> Can you advise please?
>
> Joe Quinn, QITC Internet Solutions (joe@qitc.co.uk)
> Cisco re-seller, Cobalt Sapphire Partner. www.qitc.net/stocklist
> Web Site Hosting, Server Hosting, Co-location.
> Tel: (UK) +44 776 737 1234
>
> ----- Original Message -----
--
Denis Beauchemin, analyste
Université de Sherbrooke, S.T.I.
T: 819.821.8000x2252 F: 819.821.8045

From mailscanner at ecs.soton.ac.uk Tue Jan 14 16:40:48 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:58 2006
Subject: Maximum Filename Length
In-Reply-To: <2739ECF7268CD0118F50080009DCC9F00156DB10@pebble.bsa.ca.gov>
Message-ID: <5.2.0.9.2.20030114163846.053481b8@imap.ecs.soton.ac.uk>

I have found the problem.
To protect against nasty things in filenames, I munge the filenames to
"sanitise" them. Unfortunately, the filename checks are done on the new
names not the old ones. One of the checks it does is to chop off the
filename (but leave filename extensions) if the filename is very long. So
your long filename becomes a nice, safe, short filename before this check
is done.

I clearly need to fix this, just need to work out exactly how. Expect it to
be fixed in the next release.

At 15:16 14/01/2003, you wrote:
>I'm trying to write a rule in filename.rules.conf that will block all
>attachments over a certain number of characters (in this case, 100).
>However, I've been unsuccessful. I've tried
>
>deny .{100,} Filename over 100 characters Filename over 100 characters
>
>and
>
>deny ^.{100,}$ Filename over 100 characters Filename over 100
>characters
>
>neither of which work (the e-mail just goes through normally). I'm not an
>expert at regular expressions, so maybe I just didn't write it properly.
>This entry is the first entry in the file, there are tabs between all of the
>fields, and I have rebooted the server between changes, but I when I sent
>through an attachment with a filename over 100 characters, it goes through
>without being blocked. Other rules I have written work as expected.
>
>What should I do to get the functionality I want?
>
>Jeremy Evans
>Information Systems Analyst
>California State Auditor
>916-445-0255 phone
>916-322-7801 fax

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Tue Jan 14 16:44:13 2003
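The ordering problem described in the "Maximum Filename Length" reply above (rules evaluated against the shortened name instead of the name as received) can be reproduced in a few lines. This is an added illustration, not MailScanner code and not part of any message in this archive. The 40-character cut-off, the function names and the sample filename are assumptions, and the second ordering is only one possible arrangement, since the post does not say how the fix was made.

```shell
#!/bin/sh
# Added example, not MailScanner code: a length rule never fires when it is
# evaluated after the filename has already been shortened.
# MAX_STEM and all function names are assumptions made for this illustration.

MAX_STEM=40   # hypothetical cut-off applied by the sanitiser

# Shorten the part before the last dot and keep the extension, as the post
# describes the sanitising step.
sanitise_name() {
    name=$1
    case $name in
        *.*) stem=${name%.*}; ext=.${name##*.} ;;
        *)   stem=$name;      ext= ;;
    esac
    stem=$(printf '%s' "$stem" | cut -c1-"$MAX_STEM")
    printf '%s%s\n' "$stem" "$ext"
}

# The pattern from the question: deny any filename of 100 or more characters.
rule_denies() {
    printf '%s\n' "$1" | grep -Eq '.{100,}'
}

# Ordering described as the bug: sanitise first, then apply the rules.
verdict_checked_after_sanitise() {
    if rule_denies "$(sanitise_name "$1")"; then echo deny; else echo allow; fi
}

# One possible ordering that lets the rule work (an assumption): apply the
# rules to the name as received and use the sanitised name only for storage.
verdict_checked_on_original() {
    if rule_denies "$1"; then echo deny; else echo allow; fi
}

# Constructed sample: a 120-character stem followed by ".txt".
long_name() {
    printf '%0120d.txt\n' 0
}

n=$(long_name)
echo "rule checked after sanitising: $(verdict_checked_after_sanitise "$n")"
echo "rule checked on original name: $(verdict_checked_on_original "$n")"
```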
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:58 2006
Subject: mail not being scanned after reboot althought MailScanner was running
In-Reply-To: <02af01c2bbdd$296ed0d0$78720550@T20>
References: <5.2.0.9.2.20030113221706.02ba8b20@imap.ecs.soton.ac.uk> <001d01c2bb56$8656eb20$0f01a8c0@kudos>
Message-ID: <5.2.0.9.2.20030114164348.02850980@imap.ecs.soton.ac.uk>

Did you install it using the RPM distribution?
If so, did you read what it said at the very end of the installation process?

At 14:56 14/01/2003, you wrote:
>Hi,
>
>I'm running version 4.11-1 on a RaQ3
>
>Strange thing this morning, I noticed an email coming in from a source that
>would normally have been tagged as spam but wasn't.
>
>I had a look at the header and sure enough, no indication that MailScanner
>had checked it???
>
>I ran the top command and it showed MailScanner was running a few processes
>then tailed the maillog which showed mail coming in but no scan???
>
>I traced the exact time the problem arose back to a reboot I did;
>
>reboot system boot 2.2.16C32_III Sun Jan 12 23:28 (1+11:23)
>
>prior to this all was OK but after this, no scanning.
>
>I stopped MailScanner then started it again after checking it was definitely
>stopped;
>
>[root@raq1 /root]# /etc/rc.d/init.d/MailScanner stop
>Shutting down MailScanner daemons:
> MailScanner: ERROR!
> incoming sendmail: sendmail ok
> outgoing sendmail: sendmail ok
>[root@raq1 /root]# ps -auxww | grep -i mail
>root 439 0.0 0.0 1192 456 pts/0 S 10:53 0:00 grep -i mail
>[root@raq1 /root]# ps -auxww | grep -i mail
>[root@raq1 /root]# /etc/rc.d/init.d/MailScanner start
>
>All is now OK and mail is definitely being scanned but what caused the
>problem, any ideas?
>
>Joe Quinn, QITC Internet Solutions (joe@qitc.co.uk)
>www.qitc.net

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Tue Jan 14 16:43:03 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:58 2006
Subject: spamassassin returning 255 hits
In-Reply-To: <44413.10.10.1.71.1042560846.squirrel@webmailtest.shcorp.com>
Message-ID: <5.2.0.9.2.20030114164102.0291b8f0@imap.ecs.soton.ac.uk>

At 16:14 14/01/2003, you wrote:
>Hello list
>
>I've been using mailscanner for awhile, and having it check for spam using
>spamassassin. Recently I started noticing that spamassassin was frequently
>timing out and being killed, even though I have a 40 timeout and this has
>been sufficient for most mail before. Restarting spamd did not help, so I
>upgraded Spamassassin.

MailScanner does not use spamd, so there isn't really much point running that.
And, before you ask, it doesn't invoke the "spamassassin" script either.
In a version as old as 3.12-5, I make no guarantees about anything, sorry.

>Now mailscanner always says spamassassin is returning 255 hits and reports
>everything as spam. I run spamassassin in daemon mode and have checked
>test messages using the "spamc" spamassassin client. My test messages
>using spamc are scanned correctly and return a normal, non-255 number. So
>why does mailscanner always think spamassassin is returning 255?
>
>Software info:
>Debian Linux, woody
>Mailscanner 3.12.5 (old, but I'm afraid to upgrade it in case I break
>something)
>Spamassassin 2.20 (debian package 2.20-1woody)
>Sendmail 8.12.1 (debian package 8.12.1-5; modified to work correctly with
>mailscanner)
>
>--
>Kurt Yoder
>Sport & Health network administrator

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From E.H.Beekman at AMC.UVA.NL Tue Jan 14 16:49:13 2003
From: E.H.Beekman at AMC.UVA.NL (Ewald Beekman)
Date: Thu Jan 12 21:16:58 2006
Subject: Forcing sendmail to use /etc/hosts before using DNS
In-Reply-To: <5CA287DBA85BF649A45916B75FD20E0E125761@exchange.usu.edu>; from john.hanks@USU.EDU on Mon, Jan 13, 2003 at 01:50:15PM -0700
References: <5CA287DBA85BF649A45916B75FD20E0E125761@exchange.usu.edu>
Message-ID: <20030114174913.N14771@oink.amc.uva.nl>

Probably you can use the mailertable feature to accomplish this,
make sure the feature is enabled in sendmail.mc :
    FEATURE(`mailertable',`hash -o /etc/mail/mailertable.db')dnl
and create /etc/mail/mailertable with something like:
    someserver.usu.edu esmtp:[172.17.1.33]
do a makemap
    makemap -v hash mailertable < mailertable
and a kill -HUP of your sendmail process:
    kill -HUP `head -1 /var/run/sendmail.pid`

you can always check where sendmail is going to send stuff with the
-bv option:
    /usr/lib/sendmail -bv myuser@someserver.usu.edu

http://www.sendmail.org/~ca/email/doc8.12/cf/m4/features.html

have fun!
Ewald...

On Mon, Jan 13, 2003 at 01:50:15PM -0700, John B. Hanks wrote:
> I am trying to get sendmail/mailscanner to do something that has me
> questioning my understanding of the way this has been working. Here is what
> I currently do to scan mail for a mail server.
>
> My MailScanner machines are noturus.usu.edu and ameiurus.usu.edu.
>
> If I want to scan mail for mail.dept.usu.edu, I go to that DNS record and
> add
>
> mail.dept.usu.edu in mx 10 noturus.usu.edu
> mail.dept.usu.edu in mx 10 ameiurus.usu.edu
>
> This has been working flawlessly for some time. I think what happens is mail
> gets delivered to the MailScanner machines, they recognize themselves as MX
> hosts and then forward the scanned mail to the A record for the target.
>
> Now I need to do some magic for a server move. I have a host,
> someserver.usu.edu, that wants mail scanned and delivered to another box
> which will host mail but someserver.usu.edu still has other functions so it
> need to keep this name in its a record. I thought I could accomplish this by
> adding entries to /etc/hosts on the mailscanners like
>
> 172.17.1.33 someserver.usu.edu
>
> So that when noturus or ameiurus looked up someserver.usu.edu they would use
> the entry from the hosts file and unwittingly deliver mail to the new
> server. But, sendmail seems intent on ignoring the /etc/hosts file. I have
> changed /etc/resolv.conf, /etc/nsswitch.conf, /etc/host.conf and
> /etc/mail/services.switch so that all these point to files first, then dns
> but it still isn't working. The ping command works as expected, checking
> /etc/hosts and using the IP address from the file. Can someone tell me if
> what I want to do is possible and if so, how do I get sendmail to behave
> this way? As we move more mailservers to use MailScanner this is going to
> come up again and I need a way to solve it.
>
> This is Redhat 7.3, MailScanner 4.11-1 and sendmail 8.11.6-15.
>
> Thanks,
>
> jbh

--
Ewald Beekman, Security Engineer, Academic Medical Center,
dept. ADB/ICT Computer & Network Services, The Netherlands
## Your mind-mint is:
God help the troubadour who tries to be a star. The more that you
try to find success, the more that you will fail.
    -- Phil Ochs, on the Second System Effect

From joe at QITC.CO.UK Tue Jan 14 16:59:24 2003
From: joe at QITC.CO.UK (Joe Quinn)
Date: Thu Jan 12 21:16:58 2006
Subject: mail not being scanned after reboot althought MailScanner was running
References: <5.2.0.9.2.20030113221706.02ba8b20@imap.ecs.soton.ac.uk> <001d01c2bb56$8656eb20$0f01a8c0@kudos> <5.2.0.9.2.20030114164348.02850980@imap.ecs.soton.ac.uk>
Message-ID: <007c01c2bbee$4a9bf2e0$2d30c3c1@T20>

> Did you install it using the RPM distribution?

Yes

> If so, did you read what it said at the very end of the installation process?

Yes, that doesn't work on a RaQ, see my mail to the list of 6th Dec 02 :-)

Is there something we can do so that it runs as it should after a reboot
without any intervention?

Joe Quinn, QITC Internet Solutions (joe@qitc.co.uk)
Cisco re-seller, Cobalt Sapphire Partner. www.qitc.net/stocklist
Web Site Hosting, Server Hosting, Co-location.
Tel: (UK) +44 776 737 1234

----- Original Message -----
From jscott at INFOCONEX.COM Tue Jan 14 17:14:05 2003
From: jscott at INFOCONEX.COM (Jim Scott)
Date: Thu Jan 12 21:16:58 2006
Subject: Forcing sendmail to use /etc/hosts before using DNS
References: <5CA287DBA85BF649A45916B75FD20E0E125761@exchange.usu.edu> <20030114174913.N14771@oink.amc.uva.nl>
Message-ID: <089f01c2bbf0$57f95b60$2719a8c0@infoconex.com>

on the mailscanner servers put an entry like this in your
/etc/mail/mailertable

    someserver.usu.edu RELAY:whateverserver.usu.edu

Now any email that these two servers receive destined for
@someserver.usu.edu will be directed to the server whateverserver.usu.edu

make sure you take the entry out of the /etc/mail/local-host-names file and
remove the entry for someserver.usu.edu domain

Make sure you have something in the /etc/mail/local-host-names file on
whateverserver.usu.edu to tell it that it accepts email for the domain
someserver.usu.edu

of course you probably also need to add your MX records to point to your
mailscanner servers for this domain as well.

At least this is what I think you are trying to do ;-)

Email me privately if you need more help.

Jim

----- Original Message -----
From joe at QITC.CO.UK Tue Jan 14 18:13:22 2003
From: joe at QITC.CO.UK (Joe Quinn)
Date: Thu Jan 12 21:16:58 2006
Subject: mail not being scanned after reboot althought MailScanner was running
References: <5.2.0.9.2.20030113221706.02ba8b20@imap.ecs.soton.ac.uk> <001d01c2bb56$8656eb20$0f01a8c0@kudos> <5.2.0.9.2.20030114164348.02850980@imap.ecs.soton.ac.uk> <007c01c2bbee$4a9bf2e0$2d30c3c1@T20>
Message-ID: <00d701c2bbf8$a004fc40$2d30c3c1@T20>

All fixed now! :-)

Joe Quinn, QITC Internet Solutions (joe@qitc.co.uk)
Cisco re-seller, Cobalt Sapphire Partner. www.qitc.net/stocklist
Web Site Hosting, Server Hosting, Co-location.
Tel: (UK) +44 776 737 1234

From mike at CAMAROSS.NET Tue Jan 14 18:16:16 2003
From: mike at CAMAROSS.NET (Mike Kercher)
Date: Thu Jan 12 21:16:58 2006
Subject: mail not being scanned after reboot althought MailScanner was running
In-Reply-To: <00d701c2bbf8$a004fc40$2d30c3c1@T20>
Message-ID: <00d401c2bbf9$083950e0$9801a8c0@home.middlefinger.net>

Solution for anyone that might have the same problem in the future?

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Joe Quinn
Sent: Tuesday, January 14, 2003 12:13 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: mail not being scanned after reboot althought MailScanner was running

All fixed now! :-)

Joe Quinn, QITC Internet Solutions (joe@qitc.co.uk)
Cisco re-seller, Cobalt Sapphire Partner. www.qitc.net/stocklist
Web Site Hosting, Server Hosting, Co-location.
Tel: (UK) +44 776 737 1234

From sholland at SUMSYS.COM Tue Jan 14 18:10:34 2003
From: sholland at SUMSYS.COM (Stephen Holland)
Date: Thu Jan 12 21:16:58 2006
Subject: Document on How to
Message-ID: <5CA24BCF0A68504C8A3F2AA3E526F0150CC89A@ssitransfer2.summit.local>

Has anyone created a document on how to setup MailScanner on RedHat 7.3
with Spamassassin and Razor?

1) I have Sendmail running as an SMTP relay, but I was wondering how it
check the RBL's or how do I know it is working. Does it work with the
default install? I.e. "Spam List = ORDB-RBL Infinite-Monkeys # MAPS-RBL+
costs money (except .ac.uk)"

2) What do I need to do besides turn on Spamassassin in the
Mailscanner.conf file to get the heuristic spam scanning to work?

I know I have very basic question, but I have read and read and can not
seem to find a document on how to integrate everything.

Thank you much

Stephen
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030114/4b7fdae3/attachment.html

From joe at QITC.CO.UK Tue Jan 14 18:50:52 2003
From: joe at QITC.CO.UK (Joe Quinn)
Date: Thu Jan 12 21:16:58 2006
Subject: mail not being scanned after reboot althought MailScanner was running
References: <00d401c2bbf9$083950e0$9801a8c0@home.middlefinger.net>
Message-ID: <010901c2bbfd$dd113e50$2d30c3c1@T20>

> Solution for anyone that might have the same problem in the future?

As Julian suggested, at the bottom of the page titled;
"MailScanner Installation Guide - Linux RPM"

Sort of RTFM but adapted slightly for the RaQ :-)

    /etc/rc.d/init.d/sendmail stop
    chkconfig sendmail off
    chkconfig --level 2345 MailScanner on
    /etc/rc.d/init.d/MailScanner start

Cheers everyone and thanks for the input, learning all the time!

Joe
www.qitc.net

From mailscanner at ecs.soton.ac.uk Tue Jan 14 19:03:40 2003
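The runlevel mismatch this thread tracks down (the stock sendmail init script on in runlevels 3 to 5, MailScanner on only in runlevel 2) can be checked mechanically after an install or upgrade. The following is an added example, not part of any list message and not MailScanner's own code: a shell function that reads `chkconfig --list` output and reports each multi-user runlevel in which mail would be accepted without being scanned. The function names, the choice of runlevels 2-5 and the "after" listing are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit `chkconfig --list` output for runlevels in which the
# stock sendmail init script is on or the MailScanner init script is off.
# Function names and the runlevel set (2-5) are assumptions of this example.

audit_mail_runlevels() {
    # Reads chkconfig --list output on stdin and prints one finding per line.
    # Returns 0 when nothing is wrong, 1 when at least one finding is printed.
    awk '
        # Record on/off per runlevel for the two services of interest.
        $1 == "sendmail" || $1 == "MailScanner" {
            seen[$1] = 1
            for (i = 2; i <= NF; i++) {
                split($i, kv, ":")
                state[$1, kv[1]] = kv[2]
            }
        }
        END {
            bad = 0
            if (!("MailScanner" in seen)) {
                print "MailScanner: no init script registered"
                bad = 1
            }
            for (rl = 2; rl <= 5; rl++) {
                if (state["sendmail", rl] == "on") {
                    print "runlevel " rl ": sendmail init script is on"
                    bad = 1
                }
                if (("MailScanner" in seen) && state["MailScanner", rl] != "on") {
                    print "runlevel " rl ": MailScanner is off"
                    bad = 1
                }
            }
            exit bad
        }
    '
}

# Listing posted in the thread: the state that let mail through after reboot.
sample_before() {
    cat <<'EOF'
sendmail 0:off 1:off 2:off 3:on 4:on 5:on 6:off
MailScanner 0:off 1:off 2:on 3:off 4:off 5:off 6:off
EOF
}

# Constructed listing: the expected state after the four commands above.
sample_after() {
    cat <<'EOF'
sendmail 0:off 1:off 2:off 3:off 4:off 5:off 6:off
MailScanner 0:off 1:off 2:on 3:on 4:on 5:on 6:off
EOF
}

# Demo on the thread's listing. On a live host:
#   chkconfig --list | audit_mail_runlevels
sample_before | audit_mail_runlevels || true
```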
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:58 2006
Subject: Document on How to
In-Reply-To: <5CA24BCF0A68504C8A3F2AA3E526F0150CC89A@ssitransfer2.summit.local>
Message-ID: <5.2.0.9.2.20030114190058.00b038d8@imap.ecs.soton.ac.uk>

At 18:10 14/01/2003, you wrote:
>Has anyone created a document on how to setup MailScanner on RedHat 7.3
>with Spamassassin and Razor?

Basically, you unpack the MailScanner rpm tarball and run install.sh. Note
down the commands output at the end of the installation procedure so you
know how to enable it once you have SA installed. Then download and install
SpamAssassin. I don't use Razor myself (and never have) so I'll leave the
answer to that bit to others.

>1) I have Sendmail running as an SMTP relay, but I was wondering how
>it check the RBLs or how do I know it is working. Does it work with the
>default install? I.e. Spam List = ORDB-RBL Infinite-Monkeys # MAPS-RBL+
>costs money (except .ac.uk)

Yes.

>2) What do I need to do besides turn on Spamassassin in the
>Mailscanner.conf file to get the heuristic spam scanning to work?

Nothing.

>I know I have very basic question, but I have read and read and can not
>seem to find a document on how to integrate everything.

Everyone has to start somewhere :)

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From sholland at SUMSYS.COM Tue Jan 14 19:13:15 2003
From: sholland at SUMSYS.COM (Stephen Holland)
Date: Thu Jan 12 21:16:58 2006
Subject: Document on How to
Message-ID: <5CA24BCF0A68504C8A3F2AA3E526F0150C977D@ssitransfer2.summit.local>

Thank you for your kindness.

-----Original Message-----
From johannes at DSP.DE Tue Jan 14 19:24:32 2003
From: johannes at DSP.DE (Johannes)
Date: Thu Jan 12 21:16:58 2006
Subject: Installation on SuSe 7.1
Message-ID:

Hi, I just tried to install MailScanner on my SuSE 7.1 installation. Seems
to work fine as Mailscanner starts correct, but when it tries to start the
sendmail daemon I get Error Messages:

mail2:~ # rcMailScanner start
Initializing sendmail and MailScanner/usr/sbin/sendmail: illegal option -- A
startproc: exit status of /usr/sbin/sendmail: 64
/usr/sbin/sendmail: illegal option -- A
startproc: exit status of /usr/sbin/sendmail: 64
 done
mail2:~ #

But I have got 5 Instances of Mailscanner running after trying to start it:

19914 ? S 0:00 perl -
I/usr/lib/MailScanner /usr/sbin/MailScanner /et
19915 ? S 0:00 perl -
I/usr/lib/MailScanner /usr/sbin/MailScanner /et
19916 ? S 0:00 perl -
I/usr/lib/MailScanner /usr/sbin/MailScanner /et
19917 ? S 0:00 perl -
I/usr/lib/MailScanner /usr/sbin/MailScanner /et
19918 ? S 0:00 perl -
I/usr/lib/MailScanner /usr/sbin/MailScanner /et
19919 ? S 0:00 perl -
I/usr/lib/MailScanner /usr/sbin/MailScanner /et
19920 pts/0 R 0:00 ps ax
mail2:~ # check_MailScanner
MailScanner running with pid 19914 19915 19916 19917 19918 19919
mail2:~ #

Only the Sendmail daemon seems not to start...

What's wrong with my Installation? Any Suggestions?

I have the SuSE 8.0 RPM installed, any Problems with that on SuSE 7.1? Is
There a RPM for SuSE 7.1? I also tried the source RPM, without success...

Greets Johannes

From mailscanner at ecs.soton.ac.uk Tue Jan 14 19:39:15 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:58 2006
Subject: Installation on SuSe 7.1
In-Reply-To:
Message-ID: <5.2.0.9.2.20030114193717.02caf148@imap.ecs.soton.ac.uk>

The SuSE RPM only works with 8.x, not 7.1.
Take a look at /etc/init.d/MailScanner and remove sendmail command-line
options that it doesn't like.
I'm afraid I haven't got a 7.x machine to develop it on.

At 19:24 14/01/2003, you wrote:
>Hi, I just tried to install MailScanner on my SuSE 7.1 installation. Seems
>to work fine as Mailscanner starts correct, but when it tries to start the
>sendmail daemon I get Error Messages:
>
>mail2:~ # rcMailScanner start
>Initializing sendmail and MailScanner/usr/sbin/sendmail: illegal option -- A
>startproc: exit status of /usr/sbin/sendmail: 64
>/usr/sbin/sendmail: illegal option -- A
>startproc: exit status of /usr/sbin/sendmail: 64
> done
>mail2:~ #
>
>But I have got 5 Instances of Mailscanner running after trying to start it:
>
>
>19914 ? S 0:00 perl -
>I/usr/lib/MailScanner /usr/sbin/MailScanner /et
>19915 ? S 0:00 perl -
>I/usr/lib/MailScanner /usr/sbin/MailScanner /et
>19916 ? S 0:00 perl -
>I/usr/lib/MailScanner /usr/sbin/MailScanner /et
>19917 ? S 0:00 perl -
>I/usr/lib/MailScanner /usr/sbin/MailScanner /et
>19918 ? S 0:00 perl -
>I/usr/lib/MailScanner /usr/sbin/MailScanner /et
>19919 ? S 0:00 perl -
>I/usr/lib/MailScanner /usr/sbin/MailScanner /et
>19920 pts/0 R 0:00 ps ax
>mail2:~ # check_MailScanner
>MailScanner running with pid 19914 19915 19916 19917 19918 19919
>mail2:~ #
>
>Only the Sendmail daemon seems not to start...
>
>what's wrong with my Installation? Any Suggestions?
>
>I have the SuSE 8.0 RPM installed, any Problems with that on SuSE 7.1? Is
>There a RPM for SuSE 7.1? I also tried the source RPM, without success...
>
>Greets Johannes

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From mime at GMX.DE Tue Jan 14 20:16:04 2003
From: mime at GMX.DE (Michael Meyer)
Date: Thu Jan 12 21:16:58 2006
Subject: Installation on SuSe 7.1
In-Reply-To:
References:
Message-ID: <20030114201604.GC9798@mime.dyndns.org>

Johannes wrote:

> Hi, I just tried to install MailScanner on my SuSE 7.1 installation. Seems
> to work fine as Mailscanner starts correct, but when it tries to start the
> sendmail daemon I get Error Messages:
>
> mail2:~ # rcMailScanner start
> Initializing sendmail and MailScanner/usr/sbin/sendmail: illegal option -- A
> startproc: exit status of /usr/sbin/sendmail: 64
> /usr/sbin/sendmail: illegal option -- A
> startproc: exit status of /usr/sbin/sendmail: 64

remove any '-A' from '/etc/sysconfig/MailScanner' and from
'/etc/init.d/Mailscanner'.

then:

,-----[ /etc/init.d/Mailscanner ]
| if test "$SMTPD_LISTEN_REMOTE" != "yes" ; then
| SENDMAIL_IN_ARGS="-O DaemonPortOptions=Addr=127.0.0.1
| $SENDMAIL_IN_ARGS"
`-----|

change 'DaemonPortOptions=Addr=127.0.0.1' to whatever you needed. eg
to 'DaemonPortOptions=Addr=0.0.0.0'.

change msppid in '/etc/init.d/Mailscanner' to
'msppid=/var/run/sm-client.pid' or whatever, because there is no
'clientmqueue' in SuSE 7.1.

i hope i didn't forget something. that's _my_ way to get it work
under 7.1.

> But I have got 5 Instances of Mailscanner running after trying to start it:
[...]
> I/usr/lib/MailScanner /usr/sbin/MailScanner /et
> 19920 pts/0 R 0:00 ps ax
> mail2:~ # check_MailScanner
> MailScanner running with pid 19914 19915 19916 19917 19918 19919
>
> Only the Sendmail daemon seems not to start...
>
> what's wrong with my Installation? Any Suggestions?
>
> I have the SuSE 8.0 RPM installed, any Problems with that on SuSE 7.1? Is
> There a RPM for SuSE 7.1? I also tried the source RPM, without success...

there is no RPM for SuSE <8.0. there are a few differences between
SuSE <8.0 and <=8.0. but with a little bit of work it is possible to
get it work.

sorry for my bad english.

micha

From c.bates at COMNET.CO.NZ Tue Jan 14 21:11:06 2003
From: c.bates at COMNET.CO.NZ (Craig Bates)
Date: Thu Jan 12 21:16:58 2006
Subject: freeBSD problems continue
Message-ID: <200301151011.06326.c.bates@comnet.co.nz>

Hi all,

Good to see there is now a FreeBSD howto and better support:)

I have recently installed MailScanner 4.11-1 on two machines, one is a P4
with 1GB RAM, another is an older box with 128MB RAM.

I'm still having the problem of mailscanner processes dying as I described
late last year. I'm back from summer vacation and need to get this problem
fixed. The problem is on both machines and seems worse in MailScanner 4.11.
In the past I could just restart mailscanner every hour or so and then the
problem would go away. The new version sometimes complains on startup about
being unable to compile. A reboot fixes this problem.

The problem is purely time dependent, not volume dependent. The P4 doesn't
have any mail going through it and has the same problems as the older box
that processes large quantities of mail.

I'm running FreeBSD4.7 with Perl 5.00503, f-prot, Spam Assassin 2.43, razor
2.22.

I'm going to try turning off spam assassin and f-prot in the mailscanner conf
file and see if this makes any difference. The next thing would be to build
another box with only Mailscanner and see what happens.

Does anybody have any other ideas I could try?

Is it possible to have the mailscanner parent process write to the syslog if
it notices one of its children are missing or if it can't start a child?

Thanks
Craig

From mailscanner at ecs.soton.ac.uk Tue Jan 14 22:00:34 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:58 2006
Subject: freeBSD problems continue
In-Reply-To: <200301151011.06326.c.bates@comnet.co.nz>
Message-ID: <5.2.0.9.2.20030114215938.02991e88@imap.ecs.soton.ac.uk>

At 21:11 14/01/2003, you wrote:
>Hi all,
>
>Good to see there is now a FreeBSD howto and better support:)
>
>I have recently installed MailScanner 4.11-1 on two machines, one is a P4
>with
>1GB RAM, another is an older box with 128MB RAM.
>
>I'm still having the problem of mailscanner processes dying as I described
>late last year. I'm back from summer vacation and need to get this problem
>fixed. The problem is on both machines and seems worse in MailScanner 4.11.
>In the past I could just restart mailscanner every hour or so and then the
>problem would go away. The new version sometimes complains on startup about
>being unable to compile. A reboot fixes this problem.
>
>The problem is purely time dependent, not volume dependent. The P4 doesn't
>have any mail going through it and has the same problems as the older box
>that processes large quantities of mail.
>
>
>I'm running FreeBSD4.7 with Perl 5.00503, f-prot, Spam Assassin 2.43, razor
>2.22.
>
>I'm going to try turning off spam assassin and f-prot in the mailscanner conf
>file and see if this makes any difference. The next thing would be to build
>another box with only Mailscanner and see what happens.
>
>Does anybody have any other ideas I could try?

In the main MailScanner script, there are 3 consecutive calls to "close".
Comment them out and you might see an error on the console when it dies.
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Tue Jan 14 21:58:11 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:58 2006
Subject: Maximum Filename Length
In-Reply-To: <2739ECF7268CD0118F50080009DCC9F00156DB10@pebble.bsa.ca.gov >
Message-ID: <5.2.0.9.2.20030114215639.029450a8@imap.ecs.soton.ac.uk>

If you need a quick fix for this before I release the next version, I can
give you one now. Turned out to be a simpler fix than I thought (I like it
when it works like that :-)
Involves replacing 3 files.

At 15:16 14/01/2003, you wrote:
>I'm trying to write a rule in filename.rules.conf that will block all
>attachments over a certain number of characters (in this case, 100).
>However, I've been unsuccessful. I've tried
>
>deny .{100,} Filename over 100 characters Filename over 100 characters
>
>and
>
>deny ^.{100,}$ Filename over 100 characters Filename over 100
>characters
>
>neither of which work (the e-mail just goes through normally). I'm not an
>expert at regular expressions, so maybe I just didn't write it properly.
>This entry is the first entry in the file, there are tabs between all of the
>fields, and I have rebooted the server between changes, but when I sent
>through an attachment with a filename over 100 characters, it goes through
>without being blocked. Other rules I have written work as expected.
>
>What should I do to get the functionality I want?
>
>Jeremy Evans
>Information Systems Analyst
>California State Auditor
>916-445-0255 phone
>916-322-7801 fax

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From Kevin.Steil at JMFAMILY.COM Tue Jan 14 22:19:12 2003
From: Kevin.Steil at JMFAMILY.COM (Kevin Steil)
Date: Thu Jan 12 21:16:58 2006
Subject: unscribe
Message-ID:

Kevin Steil
Manager of Network Engineering
JM Famliy Enterprises, Inc.
954-596-3834

From admin at thenamegame.com Tue Jan 14 23:29:10 2003
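For the filename-length rule quoted in the "Maximum Filename Length" message above, here is an added example (not part of any post in this thread and not MailScanner code) for checking such rules outside MailScanner. It assumes four tab-separated fields per rule, case-insensitive matching and first-match-wins ordering; `parse_rules`, `check_filename`, `boundary_report` and the sample rules are constructed for illustration.

```python
import re
from typing import List, NamedTuple, Optional, Tuple


class Rule(NamedTuple):
    action: str          # "allow" or "deny"
    pattern: re.Pattern  # compiled filename regex
    log_text: str        # text written to the log
    user_text: str       # text shown in the report to the user


def parse_rules(text: str) -> Tuple[List[Rule], List[str]]:
    """Parse rule lines; return (rules, problems).

    Assumption: each rule is action, regex, log text, user text,
    separated by one or more tabs, as described in the post.
    """
    rules: List[Rule] = []
    problems: List[str] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = re.split(r"\t+", line)
        if len(fields) != 4:
            problems.append(
                f"line {lineno}: expected 4 tab-separated fields, got {len(fields)}"
            )
            continue
        action, regex, log_text, user_text = (f.strip() for f in fields)
        if action.lower() not in ("allow", "deny"):
            problems.append(f"line {lineno}: unknown action {action!r}")
            continue
        try:
            pattern = re.compile(regex, re.IGNORECASE)
        except re.error as exc:
            problems.append(f"line {lineno}: bad regex {regex!r}: {exc}")
            continue
        rules.append(Rule(action.lower(), pattern, log_text, user_text))
    return rules, problems


def check_filename(rules: List[Rule], filename: str) -> Tuple[str, Optional[Rule]]:
    """Return (verdict, matching rule). Assumption: first match wins,
    and a filename that matches no rule is allowed."""
    for rule in rules:
        if rule.pattern.search(filename):
            return rule.action, rule
    return "allow", None


# Constructed sample: the two rules from the post written with real tabs,
# plus the same rule typed with spaces to show how that is reported.
SAMPLE_RULES = (
    "# filename rules (constructed sample)\n"
    "deny\t.{100,}\tFilename over 100 characters\tFilename over 100 characters\n"
    "deny\t^.{100,}$\tFilename over 100 characters\tFilename over 100 characters\n"
    "deny .{100,} Filename over 100 characters Filename over 100 characters\n"
)


def boundary_report(rules_text: str = SAMPLE_RULES) -> dict:
    """Check names of 99, 100 and 150 characters against each rule alone."""
    rules, problems = parse_rules(rules_text)
    names = {n: "a" * (n - 4) + ".txt" for n in (99, 100, 150)}
    verdicts = {
        rule.pattern.pattern: {
            n: check_filename([rule], name)[0] for n, name in names.items()
        }
        for rule in rules
    }
    return {"verdicts": verdicts, "problems": problems}


if __name__ == "__main__":
    report = boundary_report()
    for regex, result in report["verdicts"].items():
        print(regex, result)
    for problem in report["problems"]:
        print("problem:", problem)
```

A rule that passes this check but still fails in production points away from the regular expression itself; the reply above describes the fix as replacing 3 files.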
From: admin at thenamegame.com (Michael Szabados)
Date: Thu Jan 12 21:16:58 2006
Subject: unsubscribe
Message-ID: <00bc01c2bc24$bd5e65c0$6501a8c0@thenamegame.com>

Michael Szabados

From cmiller at TIGERBYTE.COM Tue Jan 14 23:34:20 2003
From: cmiller at TIGERBYTE.COM (Clint Miller)
Date: Thu Jan 12 21:16:58 2006
Subject: whitelist problems
Message-ID: <200301141734.20993.cmiller@tigerbyte.com>

We have some people that don't want us to screen for junk mail. So
listed them in MailScanner's whitelist. Well if a SPAM comes through
and has one of the recipients in the whitelist then it delivers it
to everyone on the SPAM's recipient list. Any way around that? Maybe
a different place to list my customers that don't want their spam
screened?

Thanks!
--
Clint Miller

From smhickel at CHARTERMI.NET Wed Jan 15 00:59:50 2003
From: smhickel at CHARTERMI.NET (Steve Hickel)
Date: Thu Jan 12 21:16:58 2006
Subject: Whitelist seems not to work?
In-Reply-To: <5.2.0.9.2.20030114085329.028fe678@imap.ecs.soton.ac.uk>
References: <5.2.0.9.2.20030113184729.01a916f0@imap.ecs.soton.ac.uk>
 <5.2.0.9.2.20030113184729.01a916f0@imap.ecs.soton.ac.uk>
 <5.2.0.9.2.20030114085329.028fe678@imap.ecs.soton.ac.uk>
Message-ID: <1042592389.1843.4.camel@steve.hickel.info>

All,

I have set domains in my whitelist and they appear not to be allowed and
are still filtered. I double checked the mailscanner.conf for the
reference to the file and I put these changes in the whitelist.conf file
under rules. Any thoughts as to what I should be looking for?

Also, How do I restart mailscanner without having to reboot the linux
box? I did a restart once and Mailscanner didn't work until I
reinstalled it. Plus when I make changes to my .confs, do they get
overwritten on an update?

Thanks,

Steve

From zabriskw at ITECH.NET Wed Jan 15 01:49:27 2003
From: zabriskw at ITECH.NET (Kris Zabriskie)
Date: Thu Jan 12 21:16:58 2006
Subject: Whitelist seems not to work?
References: <5.2.0.9.2.20030113184729.01a916f0@imap.ecs.soton.ac.uk>
 <5.2.0.9.2.20030113184729.01a916f0@imap.ecs.soton.ac.uk>
 <5.2.0.9.2.20030114085329.028fe678@imap.ecs.soton.ac.uk>
 <1042592389.1843.4.camel@steve.hickel.info>
Message-ID: <000801c2bc38$56e872e0$0200a8c0@gottekno25>

Steve,
If you type ps ax | grep MailScanner it will show all the PIDS for
MailScanner. You should probably see roughly 5 instances running. Type
kill -9 pid and it will kill the MailScanner processes. Once you have
killed all of them, go to /opt/MailScanner/bin/check_mailscanner and it will
relaunch MailScanner.

What does your spam.whitelist.rules say?

----- Original Message -----
From: "Steve Hickel"
To:
Sent: Tuesday, January 14, 2003 7:59 PM
Subject: Re: Whitelist seems not to work?

From smhickel at CHARTERMI.NET Wed Jan 15 03:49:54 2003
From: smhickel at CHARTERMI.NET (Steve Hickel)
Date: Thu Jan 12 21:16:58 2006
Subject: Whitelist seems not to work?
In-Reply-To: <000801c2bc38$56e872e0$0200a8c0@gottekno25>
References: <5.2.0.9.2.20030113184729.01a916f0@imap.ecs.soton.ac.uk>
 <5.2.0.9.2.20030113184729.01a916f0@imap.ecs.soton.ac.uk>
 <5.2.0.9.2.20030114085329.028fe678@imap.ecs.soton.ac.uk>
 <1042592389.1843.4.camel@steve.hickel.info>
 <000801c2bc38$56e872e0$0200a8c0@gottekno25>
Message-ID: <1042602593.4717.5.camel@steve.hickel.info>

Thanks for the reply.

This is what I get when I do the ps ax thing:

1909 ? S 0:11 /usr/bin/perl -I/usr/lib/MailScanner /user/sbin/MailScanner
4853 ? Z 0:00 [MailScanner ]

check_mailscanner is in the /usr/sbin/ subdirectory

I can't get at my whitelist rules right now but we put in from:
*@computerworld.com and it doesn't let it through. It keeps capturing it
as spam. When I can get a copy of it, I will post it.

Thanks,

Steve

On Tue, 2003-01-14 at 20:49, Kris Zabriskie wrote:
> Steve,
> If you type ps ax | grep MailScanner it will show all the PIDS for
> MailScanner. You should probably see roughly 5 instances running. Type
> kill -9 pid and it will kill the MailScanner processes. Once you have
> killed all of them, go to /opt/MailScanner/bin/check_mailscanner and it will
> relaunch MailScanner.
>
> What does your spam.whitelist.rules say?
>
> ----- Original Message -----
> From: "Steve Hickel"
> To:
> Sent: Tuesday, January 14, 2003 7:59 PM
> Subject: Re: Whitelist seems not to work?
--
Steve Hickel

From David.While at UCE.AC.UK Wed Jan 15 08:43:09 2003
From: David.While at UCE.AC.UK (David While)
Date: Thu Jan 12 21:16:58 2006
Subject: Whitelist seems not to work?
Message-ID:

You don't say what OS you are using but if you use RedHat then to restart
MailScanner (assuming it's already running) simply do

service MailScanner reload

If it's not running then you can do

service MailScanner start

regarding your conf files - if you use the rpm to upgrade MailScanner then
your conf files will not be overwritten - the package will create the new
conf files with extension .rpmnew - you can then look for differences
between your existing and new files.

-----------------------------------------------------------------
David While
Technical Development Manager
Faculty of Computing, Information & English
University of Central England
Tel: 0121 331 6211

Steve Hickel
Sent by: MailScanner mailing list
15/01/2003 00:59
Please respond to MailScanner mailing list
cc:
Subject: Re: Whitelist seems not to work?

All,

I have set domains in my whitelist and they appear not to be allowed and
are still filtered. I double checked the mailscanner.conf for the
reference to the file and I put these changes in the whitelist.conf file
under rules. Any thoughts as to what I should be looking for?

Also, How do I restart mailscanner without having to reboot the linux
box? I did a restart once and Mailscanner didn't work until I
reinstalled it. Plus when I make changes to my .confs, do they get
overwritten on an update?

Thanks,

Steve
(See attached file: signature.asc)

From johannes at DSP.DE Wed Jan 15 09:00:20 2003
From: johannes at DSP.DE (Johannes)
Date: Thu Jan 12 21:16:58 2006
Subject: Installation on SuSe 7.1
Message-ID:

Hi micha,

thanks for your advice! But i've got some more Question...

>remove any '-A' from '/etc/sysconfig/MailScanner' and from
>'/etc/init.d/Mailscanner'.
>
>then:
>
>,-----[ /etc/init.d/Mailscanner ]
>| if test "$SMTPD_LISTEN_REMOTE" != "yes" ; then
>| SENDMAIL_IN_ARGS="-O DaemonPortOptions=Addr=127.0.0.1
>| $SENDMAIL_IN_ARGS"
>`-----|
>
>change 'DaemonPortOptions=Addr=127.0.0.1' to whatever you needed. eg
>to 'DaemonPortOptions=Addr=0.0.0.0'.

I'm not sure about that Option, what does it mean? Do i have to add the
IP-Address of the MailServer itself? Or is it a Dummy Address? If it is,
wouldn't be 127.0.0.1 be fine?

>
>change msppid in '/etc/init.d/Mailscanner' to
>'msppid=/var/run/sm-client.pid' or whatever, because there is no
>'clientmqueue' in SuSE 7.1.

Is that the way to figure out the Process ID of the Sendmail Daemon? I've
got two sendmail Files in /var/run, the one is sendmail.pid itself, the
other is sendmail/control.pid. I ain't got any sendmail client ID... So it's
probably the 'msppid=/var/run/sendmail.pid' I have to add, right?

>
>i hope i didn't forget something. that's _my_ way to get it work
>under 7.1.
>
>> I have the SuSE 8.0 RPM installed, any Problems with that on SuSE 7.1? Is
>> There a RPM for SuSE 7.1? I also tried the source RPM, without success...
>
>there is no RPM for SuSE <8.0. there are a few differences between
>SuSE <8.0 and <=8.0. but with a little bit of work it is possible to
>get it work.
>

I thought that it is something with the Configuration in SuSE >8 which is
different to SuSE<8... What a pity...

>sorry for my bad english.

Oh, that's OK, mine isn't any better... ;-))

>micha

johannes

From johannes at DSP.DE Wed Jan 15 09:12:08 2003
From: johannes at DSP.DE (No Name Available)
Date: Thu Jan 12 21:16:58 2006
Subject: Installation on SuSe 7.1
Message-ID:

Hmm, nearly knew it, but i gave it a try with the 8.0 rpm... :-)

But thanks for info, some more Question:

If removing the -A command-line Option in /etc/init.d/MailScanner is it
working right then? what does the A mean anyway? How does sendmail know how
which mailqueue to process?

As far as I understood sendmail is still getting the mail on port 25 but
isn't processing it to the local mailboxes or the internet, but putting it
in an extra mqueue. There mailscanner looks for incoming mails and is
processing these to the mailboxes or the internet after checking for spam
etc, right?

But where is this behavior configured?

Johannes

On Tue, 14 Jan 2003 19:39:15 +0000, Julian Field wrote:

>The SuSE RPM only works with 8.x, not 7.1.
>Take a look at /etc/init.d/MailScanner and remove sendmail command-line
>options that it doesn't like.
>I'm afraid I haven't got a 7.x machine to develop it on.
>
>At 19:24 14/01/2003, you wrote:
>>Hi, I just tried to install MailScanner on my SuSE 7.1 installation. Seems
>>to work fine as Mailscanner starts correct, but when it tries to start the
>>sendmail daemon I get Error Messages:
>>
>>mail2:~ # rcMailScanner start
>>Initializing sendmail and MailScanner/usr/sbin/sendmail: illegal option -- A
>>startproc: exit status of /usr/sbin/sendmail: 64
>>/usr/sbin/sendmail: illegal option -- A
>>startproc: exit status of /usr/sbin/sendmail: 64
>> done
>>mail2:~ #
>>
>>But I have got 5 Instances of Mailscanner running after trying to start it:
>>
>>
>>19914 ? S 0:00 perl -
>>I/usr/lib/MailScanner /usr/sbin/MailScanner /et
>>19915 ? S 0:00 perl -
>>I/usr/lib/MailScanner /usr/sbin/MailScanner /et
>>19916 ? S 0:00 perl -
>>I/usr/lib/MailScanner /usr/sbin/MailScanner /et
>>19917 ? S 0:00 perl -
>>I/usr/lib/MailScanner /usr/sbin/MailScanner /et
>>19918 ? S 0:00 perl -
>>I/usr/lib/MailScanner /usr/sbin/MailScanner /et
>>19919 ? S 0:00 perl -
>>I/usr/lib/MailScanner /usr/sbin/MailScanner /et
>>19920 pts/0 R 0:00 ps ax
>>mail2:~ # check_MailScanner
>>MailScanner running with pid 19914 19915 19916 19917 19918 19919
>>mail2:~ #
>>
>>Only the Sendmail daemon seems not to start...
>>
>>what's wrong with my Installation? Any Suggestions?
>>
>>I have the SuSE 8.0 RPM installed, any Problems with that on SuSE 7.1? Is
>>There a RPM for SuSE 7.1? I also tried the source RPM, without success...
>>
>>Greets Johannes
>
>--
>Julian Field
>www.MailScanner.info
>MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Wed Jan 15 10:02:38 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:58 2006
Subject: whitelist problems
In-Reply-To: <200301141734.20993.cmiller@tigerbyte.com>
Message-ID: <5.2.0.9.2.20030115095915.02902cd8@imap.ecs.soton.ac.uk>

At 23:34 14/01/2003, you wrote:
>We have some people that don't want us to screen for junk mail. So
>listed them in MailScanner's whitelist. Well if a SPAM comes through
>and has one of the recipients in the whitelist then it delivers it
>to everyone on the SPAM's recipient list. Any way around that? Maybe
>a different place to list my customers that don't want their spam
>screened?

In my experience very little spam has multiple recipients in 1 message
these days.

MailScanner doesn't split messages up into multiple copies of the same
message (I really don't like generating mail if at all possible). So if a
message is whitelisted for 1 recipient, then it is whitelisted for all
recipients of that message.

There isn't any easy way around this, other than to deliver their spam and
strip out the subject line tag with procmail once it has been delivered to
them. That's pretty simple though. You can still screen their mail for
spam, you just need to make it look like you didn't :-)
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Wed Jan 15 10:11:23 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:58 2006
Subject: Installation on SuSe 7.1
In-Reply-To:
Message-ID: <5.2.0.9.2.20030115100639.029527a0@imap.ecs.soton.ac.uk>

At 09:12 15/01/2003, you wrote:
>If removing the -A command-line Option in /etc/init.d/MailScanner is it
>working right then? what does the A mean anyway? How does sendmail know how
>which mailqueue to process?

Does SuSE 7.x have a sendmail version recent enough to support the
clientmqueue? If not, then it's nice and simple and the MailScanner tar
installation guide will help you set up the init.d script correctly.

Sounds like I need to setup a SuSE 7 box to get this sorted properly.

>As far as I understood sendmail is still getting the mail on port 25 but
>isn't processing it to the local mailboxes or the internet, but putting it
>in an extra mqueue. There mailscanner looks for incoming mails and is
>processing these to the mailboxes or the internet after checking for spam
>etc, right?

Once MailScanner has processed the messages, it doesn't deliver them
directly itself but just puts them in an outgoing queue (/var/spool/mqueue)
and tells sendmail they are awaiting delivery.

>But where is this behavior configured?

Take a look at
http://www.sng.ecs.soton.ac.uk/mailscanner/install/sendmail.shtml
as you might find it helps you understand what is needed.

>Johannes
>
>On Tue, 14 Jan 2003 19:39:15 +0000, Julian Field wrote:
>
> >The SuSE RPM only works with 8.x, not 7.1.
> >Take a look at /etc/init.d/MailScanner and remove sendmail command-line
> >options that it doesn't like.
> >I'm afraid I haven't got a 7.x machine to develop it on.
> >
> >At 19:24 14/01/2003, you wrote:
> >>Hi, I just tried to install MailScanner on my SuSE 7.1 installation. Seems
> >>to work fine as Mailscanner starts correct, but when it tries to start the
> >>sendmail daemon I get Error Messages:
> >>
> >>mail2:~ # rcMailScanner start
> >>Initializing sendmail and MailScanner/usr/sbin/sendmail: illegal option -- A
> >>startproc: exit status of /usr/sbin/sendmail: 64
> >>/usr/sbin/sendmail: illegal option -- A
> >>startproc: exit status of /usr/sbin/sendmail: 64
> >> done
> >>mail2:~ #
> >>
> >>But I have got 5 Instances of Mailscanner running after trying to start it:
> >>
> >>
> >>19914 ? S 0:00 perl -
> >>I/usr/lib/MailScanner /usr/sbin/MailScanner /et
> >>19915 ? S 0:00 perl -
> >>I/usr/lib/MailScanner /usr/sbin/MailScanner /et
> >>19916 ? S 0:00 perl -
> >>I/usr/lib/MailScanner /usr/sbin/MailScanner /et
> >>19917 ? S 0:00 perl -
> >>I/usr/lib/MailScanner /usr/sbin/MailScanner /et
> >>19918 ? S 0:00 perl -
> >>I/usr/lib/MailScanner /usr/sbin/MailScanner /et
> >>19919 ? S 0:00 perl -
> >>I/usr/lib/MailScanner /usr/sbin/MailScanner /et
> >>19920 pts/0 R 0:00 ps ax
> >>mail2:~ # check_MailScanner
> >>MailScanner running with pid 19914 19915 19916 19917 19918 19919
> >>mail2:~ #
> >>
> >>Only the Sendmail daemon seems not to start...
> >>
> >>what's wrong with my Installation? Any Suggestions?
> >>
> >>I have the SuSE 8.0 RPM installed, any Problems with that on SuSE 7.1? Is
> >>There a RPM for SuSE 7.1? I also tried the source RPM, without success...
> >>
> >>Greets Johannes
> >
> >--
> >Julian Field
> >www.MailScanner.info
> >MailScanner thanks transtec Computers for their support

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From mailscannerlist at TNJINFL.COM Wed Jan 15 11:46:49 2003
From: mailscannerlist at TNJINFL.COM (James Pifer)
Date: Thu Jan 12 21:16:58 2006
Subject: [OT] rsync script
Message-ID: <1042631210.20734.6.camel@tweety.tnjinfl.com>

Hope you don't mind a somewhat off topic question...

Can someone using rsync to transfer mrtg data to another machine share
their rsync script? I'm trying to write one but have never used rsync
before and having some trouble. I think it's close, but I'm missing
something.

I'm getting an error that says:
The remote path must start with a module name not a /

Not finding the correct way to do it on rsync's website, although I'm
sure I'm just not seeing it.

Any assistance is appreciated.

James

From s.kelly at ayrcoll.ac.uk Wed Jan 15 11:53:28 2003
From: s.kelly at ayrcoll.ac.uk (Shane Kelly)
Date: Thu Jan 12 21:16:58 2006
Subject: Suse 8.1 rpm install
Message-ID: <200301151153.28255.s.kelly@ayrcoll.ac.uk>

MailScanner 4-11.1 suse rpm
Suse Linux 8.1
Sendmail 8.12.6
perl 5.8.0
spamassassin not installed.

Notes: Suse was installed from scratch using manual install, minimum config
with sendmail added after successful install, as was gcc, binutils,make, patch
etc.

Instructions from
http://www.sng.ecs.soton.ac.uk/mailscanner/install/linux.shtml
were followed.

Mailscanner.conf and reports were edited to suit this site.

Results:
 Syntax error in MailScanner script file (line 67) - two semi-colons missing -
(add them yourself)

Use chkconfig -s sendmail off to turn off sendmail
Use chkconfig -s MailScanner on to turn on MailScanner
Use chkconfig -l to see if is on or off.

Hey Presto, one working email exchanger with av scanning.

Optional: comment out all references to SENDMAIL_CLIENT_ARGS in MailScanner
script, along with any references to $msppid (and the rc-status calls
immediately after them). This - http://www.sendmail.org/secure-install.html
will tell why (or why not) you should do this - basically if you do not have
users 'homed' on this server, then you can do this and it won't break
anything, (I think!) otherwise leave it standard.

Overall, as a long time user of MailScanner, (4-11.1 replaced 3-12.?) I think
Julian deserves a medal for his untiring efforts, his good humour
(MailScanner contains some of the politest error messages I have ever seen!),
his attention to detail and his responsiveness to user requests.

I have always advocated MailScanner against commercial programs, and with the
4 series and its configurability, I will continue to advocate its use on any
occasion that I can.

Thank you, Julian.

Regards,
Shane Kelly.
--
Network Infrastructure Manager
Ayr College
+44 (01292) 265184
===========================
Opinions expressed by me are mine.
Ayr College can get their own.
===========================

From mailscanner at ecs.soton.ac.uk Wed Jan 15 12:12:37 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:58 2006
Subject: Suse 8.1 rpm install
In-Reply-To: <200301151153.28255.s.kelly@ayrcoll.ac.uk>
Message-ID: <5.2.0.9.2.20030115121055.02e7b760@imap.ecs.soton.ac.uk>

At 11:53 15/01/2003, you wrote:
>MailScanner 4-11.1 suse rpm
>Suse Linux 8.1
>Sendmail 8.12.6
>perl 5.8.0
>spamassassin not installed.
>
>Notes: Suse was installed from scratch using manual install, minimum config
>with sendmail added after successful install, as was gcc, binutils,make, patch
>etc.
>
>Instructions from
>http://www.sng.ecs.soton.ac.uk/mailscanner/install/linux.shtml
>were followed.
>
>Mailscanner.conf and reports were edited to suit this site.
>
>Results:
> Syntax error in MailScanner script file (line 67) - two semi-colons
> missing -
>(add them yourself)

I've already fixed this for the next release :)

>Use chkconfig -s sendmail off to turn off sendmail
>Use chkconfig -s MailScanner on to turn on MailScanner
>Use chkconfig -l to see if is on or off.

Don't
         chkconfig sendmail off
         chkconfig MailScanner on
         chkconfig --list | grep
work as well though?

>Hey Presto, one working email exchanger with av scanning.
>
>Optional: comment out all references to SENDMAIL_CLIENT_ARGS in MailScanner
>script, along with any references to $msppid (and the rc-status calls
>immediately after them). This - http://www.sendmail.org/secure-install.html
>will tell why (or why not) you should do this - basically if you do not have
>users 'homed' on this server, then you can do this and it won't break
>anything, (I think!) otherwise leave it standard.
>
>
>Overall, as a long time user of MailScanner, (4-11.1 replaced 3-12.?) I think
>Julian deserves a medal for his untiring efforts, his good humour
>(MailScanner contains some of the politest error messages I have ever seen!),
>his attention to detail and his responsiveness to user requests.

Thanks!

>I have always advocated MailScanner against commercial programs, and with the
>4 series and its configurability, I will continue to advocate its use on any
>occasion that I can.
>
>Thank you, Julian.

It's a pleasure. Have you added a comment to the "guest book" on the web
site yet?
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From s.kelly at ayrcoll.ac.uk Wed Jan 15 12:47:37 2003
From: s.kelly at ayrcoll.ac.uk (Shane Kelly)
Date: Thu Jan 12 21:16:58 2006
Subject: Suse 8.1 rpm install
In-Reply-To: <5.2.0.9.2.20030115121055.02e7b760@imap.ecs.soton.ac.uk>
References: <5.2.0.9.2.20030115121055.02e7b760@imap.ecs.soton.ac.uk>
Message-ID: <200301151247.37152.s.kelly@ayrcoll.ac.uk>

On Wednesday 15 January 2003 12:12 pm, Julian Field wrote:
> At 11:53 15/01/2003, you wrote:
> >MailScanner 4-11.1 suse rpm
> >Suse Linux 8.1
> >Sendmail 8.12.6
> >perl 5.8.0
> >spamassassin not installed.

-- snip ---------

>
> I've already fixed this for the next release :)

Great - many thanks

>
> >Use chkconfig -s sendmail off to turn off sendmail
> >Use chkconfig -s MailScanner on to turn on MailScanner
> >Use chkconfig -l to see if is on or off.
>
> Don't
> chkconfig sendmail off
> chkconfig MailScanner on
> chkconfig --list | grep
> work as well though?

You are, of course correct - my typing at fault when I used them - I get that a lot :-/

>
> >Hey Presto, one working email exchanger with av scanning.
> >
> >Optional: comment out all references to SENDMAIL_CLIENT_ARGS in
> > MailScanner script, along with any references to $msppid (and the
> > rc-status calls immediately after them). This -
> > http://www.sendmail.org/secure-install.html will tell why (or why not)
> > you should do this - basically if you do not have users 'homed' on this
> > server, then you can do this and it won't break anything, (I think!)
> > otherwise leave it standard.
> >
> >
> >Overall, as a long time user of MailScanner, (4-11.1 replaced 3-12.?) I
> > think Julian deserves a medal for his untiring efforts, his good humour
> > (MailScanner contains some of the politest error messages I have ever
> > seen!), his attention to detail and his responsiveness to user requests.
>
> Thanks!

You are welcome.

> >I have always advocated MailScanner against commercial programs, and with
> > the 4 series and its configurability, I will continue to advocate its use
> > on any occasion that I can.
> >
> >Thank you, Julian.
>
> It's a pleasure.
> Have you added a comment to the "guest book" on the web site yet?

Done.

Regards,
Shane
--
Network Infrastructure Manager
Ayr College
+44 (01292) 265184
===========================
Opinions expressed by me are mine. Ayr College can get their own.
===========================

From mime at GMX.DE Wed Jan 15 12:39:35 2003
From: mime at GMX.DE (Michael Meyer)
Date: Thu Jan 12 21:16:58 2006
Subject: Installation on SuSe 7.1
In-Reply-To:
References:
Message-ID: <20030115123935.GA14093@mime.dyndns.org>

Johannes wrote:
> >change 'DaemonPortOptions=Addr=127.0.0.1' to whatever you needed. eg
> >to 'DaemonPortOptions=Addr=0.0.0.0'.
>
> I'm not sure about that Option, what does it mean? Do I have to add the
> IP-Address of the MailServer itself? Or is it a Dummy Address? If it is,
> wouldn't 127.0.0.1 be fine?

on which device(s) should sendmail listen. if you only need sendmail as a local daemon, 127.0.0.1 will be fine. if you like, you can change it to 0.0.0.0, which means that sendmail will listen on _all_ available devices.

> >change msppid in '/etc/init.d/Mailscanner' to
> >'msppid=/var/run/sm-client.pid' or whatever, because there is no
> >'clientmqueue' in SuSE 7.1.
>
> Is that the way to figure out the Process ID of the Sendmail Daemon? I've
> got two sendmail Files in /var/run, the one is sendmail.pid itself, the
> other is sendmail/control.pid. I ain't got any sendmail client ID... So
> it's probably the 'msppid=/var/run/sendmail.pid' I have to add, right?

no the PID is given by 'srvpid'. i think you can ignore 'msppid' without any problems.

> I thought that it is something with the Configuration in SuSE >8 which is
> different to SuSE<8... What a pity...

SuSE >=8.0 is going more LSB conform.

> >sorry for my bad english.
>
> Oh, that's OK, mine isn't any better... ;-))

as long as we understand us ... :)

micha

From Denis.Beauchemin at USHERBROOKE.CA Wed Jan 15 13:37:32 2003
From: Denis.Beauchemin at USHERBROOKE.CA (Denis Beauchemin)
Date: Thu Jan 12 21:16:58 2006
Subject: [OT] rsync script
In-Reply-To: <1042631210.20734.6.camel@tweety.tnjinfl.com>
References: <1042631210.20734.6.camel@tweety.tnjinfl.com>
Message-ID: <1042637852.30515.143.camel@dbeauchemin.si.usherbrooke.ca>

James,

On our Web server we fetch the MRTG data every 5 minutes this way:

from root's crontab:
2-59/5 * * * * su - mrtg -c "/usr/bin/rsync -az --exclude=index.html -e ssh machine1:/var/www/html/mailscanner-mrtg/* /home/www/www1/htdocs/mrtgstats/machine1"
2-59/5 * * * * su - mrtg -c "/usr/bin/rsync -az --exclude=index.html -e ssh machine2:/var/www/html/mailscanner-mrtg/* /home/www/www1/htdocs/mrtgstats/machine2"

You will probably have to adjust the paths. All systems must have an mrtg user and they have to trust one another for this SSH transfer to work. Exchange of public keys between the machines and the Web server is the way to go.

We do not transfer the index.html page because on the Web server the things are in different directories, so we built new index.html pages on the Web server and we don't want to overwrite them with the transfer.

Hope this helps.

Denis

On Wed 15/01/2003 at 06:46, James Pifer wrote:
> Hope you don't mind a somewhat off topic question...
>
> Can someone using rsync to transfer mrtg data to another machine share
> their rsync script? I'm trying to write one but have never used rsync
> before and having some trouble. I think it's close, but I'm missing
> something. I'm getting an error that says:
> The remote path must start with a module name not a /
>
> Not finding the correct way to do it on rsync's website, although I'm
> sure I'm just not seeing it.
>
> Any assistance is appreciated.
> James
--
Denis Beauchemin, analyst
Université de Sherbrooke, S.T.I.
T: 819.821.8000x2252 F: 819.821.8045

From mailscanner at ecs.soton.ac.uk Wed Jan 15 15:12:57 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:58 2006 Subject: Adding a mail header... In-Reply-To: <2847814731.1042538122@Callisto> References: <5.2.0.9.2.20030114085329.028fe678@imap.ecs.soton.ac.uk> <5.2.0.9.2.20030114085329.028fe678@imap.ecs.soton.ac.uk> Message-ID: <5.2.0.9.2.20030115151145.04ac33c8@imap.ecs.soton.ac.uk> At 14:55 14/01/2003, you wrote: >--On Tuesday, January 14, 2003 8:55 AM +0000 Julian Field > wrote: > >>At 22:05 13/01/2003, you wrote: >>>So, what I would like is to have a line like the following added to >>>emails that are touched by MailScanner: >>> >>> X-MailScanner-Information: >> >>Do you want this in messages which MailScanner was configured not to scan >>as well as those it did scan? >>Or do you want it only in messages which MailScanner was configured to >>scan? >> >>What does anyone else want? > >My guess is that if MailScanner is doing any checks of any kind, that it >should stick in the header. Even if we configured all the checks to be >off (what, that would be Spam Checking, Spam Assassin, Virus Scanning, >Filename Checking, Blacklist Lookups, anything else?), which means that >MailScanner is just moving messages from the input queue to the output >queue, that we should still have the header inserted. If we didn't want >that, we could comment out the "Information Header" config option and be >done with it. Done. Will be in the next version. It is simple to disable if you don't want it (after all, how many users actually see X- headers these days?). >You know, I am surprised that you don't have an X-MailScanner-Version >header line in there. :-) > >Anyways, I have been pleased with the ease of use for MailScanner, and >feel I still have a lot to learn about it. We are still fighting a lot >of performance issues on our server, and we are still tracking it down. 
>The server supports about 2000 concurrent users logging in and checking >their email, and doing mail processing with spam/virus checking turned >on just throws the server over the edge. Of course, it doesn't help >when we are delivering close to 50,000 emails in an hours worth of time >either :-) > >Scott >-- >+-----------------------------------------------------------------------+ > Scott W. Adkins http://www.cns.ohiou.edu/~sadkins/ > UNIX Systems Engineer mailto:adkinss@ohio.edu > ICQ 7626282 Work (740)593-9478 Fax (740)593-1944 >+-----------------------------------------------------------------------+ > PGP Public Key available at > http://www.cns.ohiou.edu/~sadkins/pgp/ -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Wed Jan 15 15:13:55 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:58 2006
Subject: Setting up Black & Whitelists by domain
In-Reply-To: <5.2.0.9.2.20030112162449.0269ec00@imap.ecs.soton.ac.uk>
References: <5.2.0.9.2.20030112151646.02531500@imap.ecs.soton.ac.uk> <5C0296D26910694BB9A9BBFC577E7AB0A4ACFF@pascal.priv.bmrb.co .uk>
Message-ID: <5.2.0.9.2.20030115151318.02ef52b8@imap.ecs.soton.ac.uk>

I have just fixed a couple of bugs, here's a re-release of CustomConfig.pm.

At 16:33 12/01/2003, you wrote:
>Okay, I've moved the directories to be
>        /etc/MailScanner/spam.bydomain/whitelist
>and
>        /etc/MailScanner/spam.bydomain/blacklist
>but otherwise it is pretty much as I said in my previous posting (included
>at the bottom of this message).
>
>The patch to CustomConfig.pm I have attached has *not* been tested. So give
>it a go and see if it works. If you know some perl, please find all the
>bugs and mail me the corrections :-)
>If it works (or once it works after you have found all the bugs for me)
>then feel free to use it.
>
>To use it, you will need to set these in your MailScanner.conf file:
>
>Is Definitely Not Spam = &ByDomainSpamWhitelist
>Is Definitely Spam = &ByDomainSpamBlacklist
>
>At 15:35 12/01/2003, you wrote:
>>Currently you will have to write some custom function to do it for you.
>>Shouldn't be too hard to do, especially if it's only a simple (but possibly
>>long) ruleset for each domain. If each black/white-listed address is either
>>a complete address or a domain name (so no "*" characters anywhere), then
>>the end result will be very fast too.
>>
>>Thinking further, we have a dir "/opt/bydomain" which contains 2
>>subdirectories, "blacklist" and "whitelist".
>>Each of those directories contains a file named after each domain. So for
>>"example.com" there will be /opt/bydomain/whitelist/example.com and
>>/opt/bydomain/blacklist/example.com.
>>Each of the example.com files can contain entries of the form
>>        user@address.spam.com
>>and
>>        address.spam.com
>>and that's all. Keeping it restricted to this makes life a lot easier later.
>>
>>I'll get back to the list shortly about this, it's probably worth me
>>writing an implementation of this as it is going to be a common requirement.
>>--
>>Julian Field
>>www.MailScanner.info
>>MailScanner thanks transtec Computers for their support
>
>
>--
>Julian Field
>www.MailScanner.info
>MailScanner thanks transtec Computers for their support

-------------- next part --------------
A non-text attachment was scrubbed...
Name: CustomConfig.zip
Type: application/zip
Size: 2967 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030115/9fc6c0cc/CustomConfig.zip
-------------- next part --------------
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From smhickel at CHARTERMI.NET Thu Jan 16 02:58:38 2003
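The per-domain list lookup described in Julian Field's message above, as an added example in Python; it is not the attached CustomConfig.pm and not part of any message in this archive. The function names, the exact-match rule for bare domains, and the validation of the recipient domain (which comes from the SMTP envelope and is used as a file name) are assumptions of this example, and the sample tree is constructed.

```python
"""Per-domain spam white/blacklist lookup (added illustration, not CustomConfig.pm)."""
import os
import re
import tempfile

# Layout from the message: <base>/whitelist/<recipient-domain> and
# <base>/blacklist/<recipient-domain>, one entry per line, either a full
# address (user@address.spam.com) or a bare domain (address.spam.com).
LIST_KINDS = ("whitelist", "blacklist")

# The recipient domain is untrusted envelope data that is about to become a
# file name, so accept nothing but dot-separated DNS labels.
_LABEL = r"[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?"
_DOMAIN_RE = re.compile(r"^(?=.{1,253}$)" + _LABEL + r"(\." + _LABEL + r")+$")


def safe_domain(domain):
    """Return the lower-cased domain, or None if it is unsafe as a file name."""
    d = domain.strip().rstrip(".").lower()
    return d if _DOMAIN_RE.match(d) else None


def split_address(addr):
    """Split 'user@domain' into (user, domain), lower-cased; None if malformed."""
    addr = addr.strip().strip("<>").lower()
    user, sep, domain = addr.rpartition("@")
    domain = safe_domain(domain) if sep else None
    if not user or domain is None:
        return None
    return user, domain


def load_entries(path):
    """Read one list file into a set, skipping blanks and wildcard entries."""
    entries = set()
    try:
        with open(path, encoding="ascii", errors="replace") as fh:
            for line in fh:
                entry = line.strip().lower()
                if entry and "*" not in entry:  # the format has no wildcards
                    entries.add(entry)
    except FileNotFoundError:
        pass  # no file for this recipient domain means an empty list
    return entries


def listed(base_dir, kind, sender, recipient):
    """True if `sender` is on the `kind` list kept for the recipient's domain."""
    if kind not in LIST_KINDS:
        raise ValueError("kind must be 'whitelist' or 'blacklist'")
    s = split_address(sender)
    r = split_address(recipient)
    if s is None or r is None:
        return False
    list_dir = os.path.realpath(os.path.join(base_dir, kind))
    path = os.path.realpath(os.path.join(list_dir, r[1]))
    # Defence in depth: the resolved file must sit directly inside list_dir,
    # which also rejects a symlink that points somewhere else.
    if os.path.dirname(path) != list_dir:
        return False
    entries = load_entries(path)
    # Full-address match first, then exact sender-domain match (assumption:
    # a bare domain entry does not cover its subdomains).
    return f"{s[0]}@{s[1]}" in entries or s[1] in entries


def build_demo_tree():
    """Create a constructed sample tree in a temp directory; return its path."""
    base = tempfile.mkdtemp(prefix="spam.bydomain.")
    for kind in LIST_KINDS:
        os.mkdir(os.path.join(base, kind))
    with open(os.path.join(base, "whitelist", "example.com"), "w") as fh:
        fh.write("newsletter@address.spam.com\npartner.example.net\n")
    with open(os.path.join(base, "blacklist", "example.com"), "w") as fh:
        fh.write("address.spam.com\n")
    return base


if __name__ == "__main__":
    base = build_demo_tree()
    for sender in ("newsletter@address.spam.com", "other@address.spam.com"):
        for kind in LIST_KINDS:
            print(kind, sender, listed(base, kind, sender, "user@example.com"))
```

Without the `safe_domain` check, a recipient domain containing `../` would make a whitelist query read a file outside the whitelist directory.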
From: smhickel at CHARTERMI.NET (Steve Hickel) Date: Thu Jan 12 21:16:58 2006 Subject: Whitelist seems not to work? In-Reply-To: References: Message-ID: <1042685917.3179.2.camel@steve.hickel.info> Redhat 7.3. I ran from my user login, doesn't work. Logged in as root didn't work. Do I need to be in a subdirectory? Which one. Thanks, Steve On Wed, 2003-01-15 at 03:43, David While wrote: > You don't say what OS you are using but if you use RedHat then to restart > MailScanner (assuming its already running) simply do > > service MailScanner reload > > If its not running then you can do > > service MailScanner start > > regarding your conf files - if you use the rpm to upgrade MailScanner then > your conf files will not be overwritten - the package will create the new > conf files with extension .rpmnew - you can then look for differences > between you existing and new files. > > ----------------------------------------------------------------- > David While > Technical Development Manager > Faculty of Computing, Information & English > University of Central England > Tel: 0121 331 6211 > > > > Steve Hickel > MI.NET> cc: > Sent by: Subject: Re: Whitelist seems not to work? > MailScanner > mailing list > MAIL.AC.UK> > > > 15/01/2003 00:59 > Please respond to > MailScanner > mailing list > > > > > > > > All, > > I have set domains in my whitelist and they appear not to be allowed and > are still filtered. I double > checked the mailscanner.conf for the reference to the file and I put these > changes in the whitelist.conf file under rules. > > Any thoughts as to what I should be looking for? > > Also, > > How do I restart mailscanner without having to reboot the linux box? I did > a restart once and Mailscanner didn't work until I reinstalled it. > Plus when I make changes to my .confs, do they get overwritten on an > update? 
> > Thanks, > > Steve > > > (See attached file: signature.asc) -- Steve Hickel -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: This is a digitally signed message part Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030115/57e39ee1/attachment.bin From andersjk at SOL-INVICTUS.ORG Thu Jan 16 11:35:02 2003 From: andersjk at SOL-INVICTUS.ORG (Kevin Anderson) Date: Thu Jan 12 21:16:58 2006 Subject: initial alias file Message-ID: Hi all, I just got MailScanner working with wonderfull results, it works great! Just one thing that does bother me tho, the initial mail coming in ignores the aliases file, it accepts all mail destined for our domain. Is there a way to have it look at the alias file and discard any mail that is not intended for a user in the domain and only scan real mail? thanks, kevin anderson -- @ _____________________________________________ chaos, panic and disorder... my job is done... From S.R.Patterson at SOTON.AC.UK Thu Jan 16 12:38:53 2003 From: S.R.Patterson at SOTON.AC.UK (Patterson S.R.) Date: Thu Jan 12 21:16:58 2006 Subject: initial alias file Message-ID: > -----Original Message----- 
> From: Kevin Anderson [mailto:andersjk@SOL-INVICTUS.ORG] > Sent: 16 January 2003 11:35 > > Hi all, > > I just got MailScanner working with wonderfull results, it > works great! Doesn't it just. Did you sign the guest book on www.mailscanner.info to that effect? :) Or perhaps buy a mug from the new MailScanner store at www.mailscanner.info/store? ;D > Just one thing that does bother me tho, the > initial mail coming in ignores the aliases file, it accepts > all mail destined for our domain. Is there a way to have it > look at the alias file and discard any mail that is not > intended for a user in the domain and only scan real mail? This is a Sendmail point of view, I don't know anything about Exim, but as I understand it the checks run like this: - Is the (envelope) mail from domain valid? - Is the recipient domain one of ours? At this point sendmail has decided that it will, in principle, handle the mail. What would normally happen then is sendmail would choose a delivery agent to handle the message and, for domains which are in class w (local domains) the delivery agent would be the local delivery agent. This has a flag in the mailer definition which tells sendmail that this mailer is a local mailer performing final delivery and so sendmail then checks that the user is a valid, local user. All of this happens (normally) in the parsing of the envelope before the email is received. I can only assume that because mailscanner runs sendmail in queue-only mode it defers the selection of a delivery agent (mailer) until the message is run from the queue. I could be wrong about all of that of course, it's been known :) I hit a similar problem here, we run a two-tier system. There are a set of mailscanner machines which are our mail relays - they accept all in and out-bound email. 
They then scan the message and make a routing decision for delivery - the message is either passed on to a departmental mail server, the Microsoft Exchange system or the Unix mail delivery servers. It was done in this way because in future we envisage the redirection of mail to occur at this point (rather than by use of forward files and/or to force certain groups of users' email to certain other places) through LDAP lookups on the user directory. However, until this is done this would normally mean that these relay servers are simply "dumb" scanning relays.

I wanted, for technical reasons (and because I also feel quite strongly that the border servers should be authoritative over what email it is valid to accept) to check if the recipient address is a valid local address at the point of mail acceptance. I put a bunch of rules into sendmail which perform NIS lookups on the alias map to resolve names to their base username form and then used another map to check if the user is local. In fact I have:

Kislocal user
Kisalias nis mail.aliases

Then in LOCAL_RULE_0 I have rules which use isalias to check the alias map and expand out to a username if applicable, and then this gets run through islocal to find out if the user is local - if they're not then they get dumped to the error mailer.

This also has the advantage that people *sending* mail as user@soton.ac.uk also have to be using a valid local username.

You have to be a bit careful, though - if NIS is down all of your aliases stop working and the mails start bouncing - I make sure I check that NIS is working properly first and if not I just accept the mail anyway!

If that all sounds exceedingly complex, then I'd just live with the problem if I were you!

Steve
--
Steven Patterson MSci OCP. Tel: +44 (0)2380 595810
Primary Information Services Support and Development
Information Systems Services, University of Southampton, UK.
Public PGP Key: http://www.bottleneck.org/pubkey.php

From jkha at HPLB.HPL.HP.COM Thu Jan 16 13:52:50 2003
From: jkha at HPLB.HPL.HP.COM (John Hawkes-Reed)
Date: Thu Jan 12 21:16:58 2006
Subject: Mailscanner + Obtuse SMTPD + Postfix
Message-ID: <3E26B932.6050805@hplb.hpl.hp.com>

Hello.

I'm speculatively prodding the internals of mailscanner 4.x with a view to making it work with Obtuse smtpd.

Largely because I have no wish to get involved with the internals of a working Postfix install, it seems vaguely sensible to employ a daemon that's designed to drop messages into a queue dir (Obtuse) and then use Mailscanner to scan/sanitise those messages before handing them off to the relevant MTA.

I'm more than likely missing something basic, but it seems to me that this approach may work for other MTAs with little code-friggery. The extra hassle involved is in setting up Obtuse in the first place and binding the existing MTA to a different (firewalled off?) port.

The real excitement is that mailscanner seems to be built on the concept of each message having a pair of datafiles and spoofing that could well be a two-cigarette problem.

(Of course, if Postfix support is happening Real Soon Now, I can go try something less, um, challenging instead...)

--
JH-R

From usergroups at THEARGONCOMPANY.COM Thu Jan 16 14:08:57 2003
From: usergroups at THEARGONCOMPANY.COM (Rishi Gangoly)
Date: Thu Jan 12 21:16:58 2006
Subject: MailScanner on Cobalt RaQ 550
References: <6C645222B0A8BC4FBFACD7606D4306A822FDEC@dzrz-ex-1.dzsh.landsh.de>
Message-ID: <031101c2bd68$cfe78420$1b02a8c0@theargoncompany.com>

Hi

I've been a happy user of mailscanner with f-prot on the Cobalt RaQ4 for the past one year.

I'm planning to upgrade to a Cobalt RaQ 550. Has anyone done so? If yes, any tips or advice to be passed on would be most welcome. ;-)

I'd like to avoid falling into any pits if possible. ;-)

Thanks in advance.

Regards
Rishi

From mailscanner at ecs.soton.ac.uk Thu Jan 16 14:43:09 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:58 2006 Subject: Mailscanner + Obtuse SMTPD + Postfix In-Reply-To: <3E26B932.6050805@hplb.hpl.hp.com> Message-ID: <5.2.0.9.2.20030116144247.07655ea0@imap.ecs.soton.ac.uk> It's going to be a little while before either Nick or I get around to Postfix support. At 13:52 16/01/2003, you wrote: >Hello. > >I'm speculatively prodding the internals of mailscanner 4.x with a view >to making it work with Obtuse smtpd. > >Largely because I have no wish to get involved with the internals of a >working Postfix install, it seems vaguely sensible to employ a daemon >that's designed to drop messages into a queue dir (Obtuse) and then use >Mailscanner to scan/sanitise those messages before handing them off to >the relevant MTA. > >I'm more than likely missing something basic, but it seems to me that >this approach may work for other MTAs with little code-friggery. The >extra hassle involved is in setting up Obtuse in the first place and >binding the existing MTA to a different (firewalled off?) port. > >The real excitement is that mailscanner seems to built on the concept of >each message having a pair of datafiles and spoofing that could well be >a two-cigarette problem. > >(Of course, if Postfix support is happening Real Soon Now, I can go try >something less, um, challenging instead...) > >-- >JH-R -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From jkha at HPLB.HPL.HP.COM Thu Jan 16 15:19:45 2003 
From: jkha at HPLB.HPL.HP.COM (John Hawkes-Reed)
Date: Thu Jan 12 21:16:58 2006
Subject: Mailscanner + Obtuse SMTPD + Postfix
References: <5.2.0.9.2.20030116144247.07655ea0@imap.ecs.soton.ac.uk>
Message-ID: <3E26CD91.8070801@hplb.hpl.hp.com>

Julian Field wrote:
> It's going to be a little while before either Nick or I get around to
> Postfix support.

Ok - It probably doesn't need saying that our current mailscanner rig is providing sterling service and I'm in no particular hurry to change it.

From steinkel at PA.NET Thu Jan 16 16:52:14 2003
From: steinkel at PA.NET (Leland J. Steinke)
Date: Thu Jan 12 21:16:59 2006
Subject: initial alias file
References:
Message-ID: <3E26E33E.50703@pa.net>

Patterson S.R. wrote:
>
> If that all sounds exceedingly complex, then I'd just live with the
> problem if I were you!
>

It was really quite easy for us to do with postfix running on the border email scanning gateways. We push a hash of valid email addresses out to the border every hour. Postfix verifies recipient addresses against this hash as it becomes aware of them. It tarpits invalid recipients (by a couple of seconds), so we have some protection against dictionary attacks.

When we initially tried to implement border mail gateways for filtering, without the valid email hash, the number of messages bouncing back and forth between our real mail server and the gateways caused them all to melt down. It was not at all pretty.

I suppose I should sign the guest book and give a rough average of emails processed!

Leland

From gavin at NETERGY.COM Thu Jan 16 17:43:30 2003
From: gavin at NETERGY.COM (Gavin Nelmes-Crocker) Date: Thu Jan 12 21:16:59 2006 Subject: MailScanner on Cobalt RaQ 550 In-Reply-To: <031101c2bd68$cfe78420$1b02a8c0@theargoncompany.com> Message-ID: > I've been a happy user of mailscanner with f-prot on the Cobalt > RaQ4 for the > past one year. > > I'm planning to upgrade to a Cobalt RaQ 550. Has anyone done so? > If yes, any > tips or advise to be passed on would be most welcome. ;-) > > I'd like to avoid falling into any pits if possible. ;-) Rishi, I haven't put mailscanner onto a RaQ550 yet but I have it running on a RaQ3,4 and Qube with no problems so I suspect it would be ok. I have new fixed rpms specifically for Cobalt with install scripts to install MailScanner and SpamAssassin if you are interested. I will test the install on a RaQ550 here first for you and let you know - I am supposed to be doing some pkgs for all the products but keep getting bogged down with other work Regards Gavin -- This message has been scanned for viruses and dangerous content by the Netergy Virus Spam Defence, and is believed to be clean. For details on having your email scanned email nvsd@netergy.com From c.bates at COMNET.CO.NZ Thu Jan 16 20:36:22 2003 
From: c.bates at COMNET.CO.NZ (Craig Bates)
Date: Thu Jan 12 21:16:59 2006
Subject: dying processes
Message-ID: <200301170936.22606.c.bates@comnet.co.nz>

Hi,

I decided to install MailScanner on RedHat80 as I was having problems with MailScanner processes dying on FreeBSD. I am now having exactly the same problem with RedHat80. This proves that the problem is independent of OS, sendmail version / compilation and perl version.

I find it very strange that nobody else seems to have this problem and I have it on 3 boxes!

Is there anybody on this list that has MailScanner working with spamassassin-2.43-3.i386.rpm, razor-agents-2.22.tar.gz, fp-linux-sb.rpm (f-prot)? One of these must be causing the problem as I'm sure MailScanner and RedHat8.0 is a very common installation that works!

Thanks,

Craig

From mailscanner at ecs.soton.ac.uk Thu Jan 16 21:42:12 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:59 2006
Subject: dying processes
In-Reply-To: <200301170936.22606.c.bates@comnet.co.nz>
Message-ID: <5.2.0.9.2.20030116214102.0260a8b8@imap.ecs.soton.ac.uk>

At 20:36 16/01/2003, you wrote:
>Hi,
>
>I decided to install MailScanner on RedHat80 as I was having problems with
>MailScanner processes dying on FreeBSD. I am now having exactly the same
>problem with RedHat80 This proves that the problem is independent of OS,
>sendmail version / compilation and perl version.
>
>I find it very strage that nobody else seems to have this problem and I have
>it on 3 boxes!
>
>Is there anybody on this list that has MailScanner working with
>spamassassin-2.43-3.i386.rpm, razor-agents-2.22.tar.gz, fp-linux-sb.rpm
>(f-prot)? One of these must be causing the problem as I'm sure MailScanner
>and RedHat8.0 is a very common installation that works!

What does your /var/log/maillog say about it? And where does the RPM of F-Prot install itself? The /usr/lib/MailScanner/f-prot* files assume /usr/local/f-prot at the moment.
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From dustin.baer at IHS.COM Thu Jan 16 21:52:05 2003
From: dustin.baer at IHS.COM (Dustin Baer)
Date: Thu Jan 12 21:16:59 2006
Subject: SpamActions store
Message-ID: <3E272985.A9443697@ihs.com>

Good day,

I have the following:

mailscanner.conf: Spam Actions = store

When spam is stored, there is no X-MailScanner-SpamCheck: or X-MailScanner-SpamScore: in the qf file. Is there a setting that I am missing that will add these two headers in the quarantined email?

Thanks,

Dustin

From mailscanner at ecs.soton.ac.uk Thu Jan 16 22:00:47 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:59 2006
Subject: SpamActions store
In-Reply-To: <3E272985.A9443697@ihs.com>
Message-ID: <5.2.0.9.2.20030116220017.0298ec28@imap.ecs.soton.ac.uk>

The headers are only added when the messages are delivered. They are quarantined before the headers are added.

At 21:52 16/01/2003, you wrote:
>Good day,
>
>I have the following:
>
>mailscanner.conf: Spam Actions = store
>
>When spam is stored, there is no X-MailScanner-SpamCheck: or
>X-MailScanner-SpamScore: in the qf file. Is there a setting that I am
>missing that will add these two headers in the quarantined email?
>
>Thanks,
>
>Dustin

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From c.bates at COMNET.CO.NZ Thu Jan 16 22:31:30 2003
From: c.bates at COMNET.CO.NZ (Craig Bates) Date: Thu Jan 12 21:16:59 2006 Subject: dying processes In-Reply-To: <5.2.0.9.2.20030116214102.0260a8b8@imap.ecs.soton.ac.uk> References: <5.2.0.9.2.20030116214102.0260a8b8@imap.ecs.soton.ac.uk> Message-ID: <200301171131.30323.c.bates@comnet.co.nz> Hi Julian, f-prot installs itself to /usr/local/f-prot, that is ok. maillog is full of timeouts, this redhat box is rather underpowered... but that is not the problem. it takes a few hours before processes start dying. I have disabled razor and am going to see if that makes any difference. Regards Craig On Friday 17 January 2003 10:42, you wrote: > At 20:36 16/01/2003, you wrote: > >Hi, > > > >I decided to install MailScanner on RedHat80 as I was having problems with > >MailScanner processes dying on FreeBSD. I am now having exactly the same > >problem with RedHat80 This proves that the problem is independent of OS, > >sendmail version / compilation and perl version. > > > >I find it very strage that nobody else seems to have this problem and I > > have it on 3 boxes! > > > >Is there anybody on this list that has MailScanner working with > >spamassassin-2.43-3.i386.rpm, razor-agents-2.22.tar.gz, fp-linux-sb.rpm > >(f-prot)? One of these must be causing the problem as I'm sure > > MailScanner and RedHat8.0 is a very common installation that works! > > What does your /var/log/maillog sat about it? And where does the RPM of > F-Prot install itself? The /usr/lib/MailScanner/f-prot* files assume > /usr/local/f-prot at the moment. From dlovelace at HOTELS.COM Thu Jan 16 22:34:29 2003 
From: dlovelace at HOTELS.COM (Dale Lovelace) Date: Thu Jan 12 21:16:59 2006 Subject: dying processes In-Reply-To: <200301170936.22606.c.bates@comnet.co.nz> References: <200301170936.22606.c.bates@comnet.co.nz> Message-ID: <20030116163429.78cd771f.dlovelace@hotels.com> I was having this same problem, but didn't investigate why very much, that is why I put the restart option in mailscanner-mrtg, whenever it detects mailscanner is below a certain number of processes it restarts it. Dale On Fri, 17 Jan 2003 09:36:22 +1300 Craig Bates wrote: > Hi, > > I decided to install MailScanner on RedHat80 as I was having problems with > MailScanner processes dying on FreeBSD. I am now having exactly the same > problem with RedHat80 This proves that the problem is independent of OS, > sendmail version / compilation and perl version. > > I find it very strage that nobody else seems to have this problem and I have > it on 3 boxes! > > Is there anybody on this list that has MailScanner working with > spamassassin-2.43-3.i386.rpm, razor-agents-2.22.tar.gz, fp-linux-sb.rpm > (f-prot)? One of these must be causing the problem as I'm sure MailScanner > and RedHat8.0 is a very common installation that works! > > Thanks, > > Craig -- Dale Lovelace System Administrator hotels.com (214) 361-7311 Ext. 1074 From j.cormie at ABERTAY.AC.UK Thu Jan 16 23:12:25 2003 From: j.cormie at ABERTAY.AC.UK (Jason Cormie) Date: Thu Jan 12 21:16:59 2006 Subject: Quarantine message Message-ID: <1042758751.2808.11.camel@belial.wormood.org.uk> Mailscanner v3.26(Debian/testing) Just noticed that in the message sent to recipients of blocked attachments the email says: /var/spool/mailscanner/quarantine/18blah-blah-00 instead of /var/spool/mailscanner/quarantine/20030116/18blah-blah-00 Not a really huge problem, but it would save a little raking about. Jason From billa at STERLING.NET Thu Jan 16 23:32:08 2003 
From: billa at STERLING.NET (Bill Anderson)
Date: Thu Jan 12 21:16:59 2006
Subject: Large number of unscanned messages
Message-ID:

I have a large number of messages that do not get scanned. I have verified that they are not whitelisted. Most of the spam gets caught, however some slip through without scanning. What could be causing this or what is the best way to diagnose the problem. Here is the log entry:

Jan 16 15:26:33 arwen MailScanner[27051]: New Batch: Forwarding 1 unscanned messages, 5099 bytes

Here is the header of an unscanned message:

Received: from arwen.sterling.net ([199.108.225.50]) by alder.keyknife.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2650.21)
        id YSS41YS8; Thu, 16 Jan 2003 12:00:14 -0800
Received: from mx11.royalsavings.com (mx11.royalsavings.com [207.176.24.83])
        by arwen.sterling.net (8.11.6/8.11.6) with ESMTP id h0GK0Bu08958
        for < ejl@keyknife.com >; Thu, 16 Jan 2003 12:00:11 -0800
Received: by mx11.royalsavings.com (Postfix, from userid 844)
        id A9EF51E85BE; Thu, 16 Jan 2003 12:37:21 -0500 (EST)
To: ejl@keyknife.com
From: "Credit Help" < advice@SmartDiscounts.net >
Reply-To: bounce@dm-direct.com
X-CampaignID: 00886
X-Recipient: ejl@keyknife.com
X-Intalius: ZWpsQGtleWtuaWZlLmNvbQ==
X-ListID: 12
X-Source: 50209
Subject: Advice on debt reduction
MIME-Version: 1.0
Content-type: multipart/alternative; boundary=boundary_23188.98657_31093158
Message-Id: < 20030116173721.A9EF51E85BE@mx11.royalsavings.com >
Date: Thu, 16 Jan 2003 12:37:21 -0500 (EST)
X-MailScanner: Not scanned: please contact your Internet E-Mail Service Provider for details

--boundary_23188.98657_31093158
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: quoted-printable
X-MIME-Autoconverted: from 8bit to quoted-printable by arwen.sterling.net id h0GK0Bu08958

From mailscanner at BARENDSE.TO Thu Jan 16 23:35:16 2003
From: mailscanner at BARENDSE.TO (Remco Barendse)
Date: Thu Jan 12 21:16:59 2006
Subject: Blacklisting / whitelisting feature request
Message-ID:

I'd like to make a suggestion for a feature in the black/whitelisting for spam.

From what I understand the current scheme only works on basis of the mail relay that the mail is coming from. mrspammer.com is sending his spam through somestupidprovider.com and therefore somestupidprovider.com should be blocked.

Is it possible to also have the entries in the bw lists checked against the proclaimed sender's email address?

We also get tons of spam from mailing lists that we never subscribed to, as in below maillog:

Jan 16 21:30:57 linuxgw sendmail[28157]: h0GKUtuq028157: from=, size=80662, class=0, nrcpts=1, msgid=<000401c2bd9a$8a8db070$6401a8c0@your5rlp3a9516>, proto=ESMTP, daemon=MTA, relay=albatross.mail.pas.earthlink.net [207.217.120.120]

It's possible to start tracking all the mailservers they use to send out their crap but the sender's domain is a valid and legitimate domain and e-mail address and it's always the same. If I could simply drop all e-mail from this domain without the need to bother and look for the relay? I don't think there'd be any negative side effects on this. Using an e-mail address in the To: field works like a charm.

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

From mailscanner at ecs.soton.ac.uk Thu Jan 16 23:42:04 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:59 2006 Subject: Large number of unscanned messages In-Reply-To: Message-ID: <5.2.0.9.2.20030116234142.02c8df68@imap.ecs.soton.ac.uk> In your MailScanner.conf file, what does the "Virus Scanning" option say? At 23:32 16/01/2003, you wrote: >I have a large number of messages that do not get scanned. I have verified >that they are not whitelisted. Most of the spam get's caught, however some >slip through without scanning. What could be causing this or what is the >best way to diagnose the problem. Here is the log entry: > >Jan 16 15:26:33 arwen MailScanner[27051]: New Batch: Forwarding 1 unscanned >messages, 5099 bytes > >Here is the header of an unscanned message: > >Received: from arwen.sterling.net ([199.108.225.50]) by alder.keyknife.com >with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2650.21) > id YSS41YS8; Thu, 16 Jan 2003 12:00:14 -0800 >Received: from mx11.royalsavings.com (mx11.royalsavings.com [207.176.24.83]) > by arwen.sterling.net (8.11.6/8.11.6) with ESMTP id h0GK0Bu08958 > for < ejl@keyknife.com >; Thu, 16 Jan 2003 >12:00:11 -0800 >Received: by mx11.royalsavings.com (Postfix, from userid 844) > id A9EF51E85BE; Thu, 16 Jan 2003 12:37:21 -0500 (EST) >To: ejl@keyknife.com 
>From: "Credit Help" < advice@SmartDiscounts.net > > >Reply-To: bounce@dm-direct.com >X-CampaignID: 00886 >X-Recipient: ejl@keyknife.com >X-Intalius: ZWpsQGtleWtuaWZlLmNvbQ== >X-ListID: 12 >X-Source: 50209 >Subject: Advice on debt reduction >MIME-Version: 1.0 >Content-type: multipart/alternative; boundary=boundary_23188.98657_31093158 >Message-Id: < 20030116173721.A9EF51E85BE@mx11.royalsavings.com > > >Date: Thu, 16 Jan 2003 12:37:21 -0500 (EST) >X-MailScanner: Not scanned: please contact your Internet E-Mail Service >Provider for details > >--boundary_23188.98657_31093158 >Content-Type: text/plain; charset=us-ascii >Content-Transfer-Encoding: quoted-printable >X-MIME-Autoconverted: from 8bit to quoted-printable by arwen.sterling.net id >h0GK0Bu08958 -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From billa at STERLING.NET Fri Jan 17 00:17:14 2003 From: billa at STERLING.NET (Bill Anderson) Date: Thu Jan 12 21:16:59 2006 Subject: Large number of unscanned messages In-Reply-To: <5.2.0.9.2.20030116234142.02c8df68@imap.ecs.soton.ac.uk> Message-ID: Virus Scanning = /etc/MailScanner/rules/strlg.virus.scanning.rules strlg.virus.scanning.rules FromorTo: default no To: motocow.com yes To: sterling.net yes To: sterlink.net yes To: sterlink.ws yes To: sterlink.org yes To: sterlink.tv yes To: sterlink.cc yes To: sterlink.info yes To: pacificlegal.com yes To: pacimaging.com yes To: countrysidechurch.com yes To: tualatinislandgreens.com yes To: bethanyvillage.com yes To: darkhorseconstruction.com yes To: lgprs.org yes To: lgprs.com yes To: lgprs.net yes To: newavenues.org yes To: coffmanteam.com yes To: coffmanexcavation.com yes > -----Original Message----- 
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > Behalf Of Julian Field > Sent: Thursday, January 16, 2003 3:42 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Large number of unscanned messages > > > In your MailScanner.conf file, what does the "Virus Scanning" option say? > > At 23:32 16/01/2003, you wrote: > >I have a large number of messages that do not get scanned. I > have verified > >that they are not whitelisted. Most of the spam get's caught, > however some > >slip through without scanning. What could be causing this or what is the > >best way to diagnose the problem. Here is the log entry: > > > >Jan 16 15:26:33 arwen MailScanner[27051]: New Batch: Forwarding > 1 unscanned > >messages, 5099 bytes > > > >Here is the header of an unscanned message: > > > >Received: from arwen.sterling.net ([199.108.225.50]) by > alder.keyknife.com > >with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2650.21) > > id YSS41YS8; Thu, 16 Jan 2003 12:00:14 -0800 > >Received: from mx11.royalsavings.com (mx11.royalsavings.com > [207.176.24.83]) > > by arwen.sterling.net (8.11.6/8.11.6) with ESMTP id h0GK0Bu08958 > > for < ejl@keyknife.com >; Thu, 16 Jan 2003 > >12:00:11 -0800 > >Received: by mx11.royalsavings.com (Postfix, from userid 844) > > id A9EF51E85BE; Thu, 16 Jan 2003 12:37:21 -0500 (EST) > >To: ejl@keyknife.com 
> >From: "Credit Help" < advice@SmartDiscounts.net > > > > >Reply-To: bounce@dm-direct.com > >X-CampaignID: 00886 > >X-Recipient: ejl@keyknife.com > >X-Intalius: ZWpsQGtleWtuaWZlLmNvbQ== > >X-ListID: 12 > >X-Source: 50209 > >Subject: Advice on debt reduction > >MIME-Version: 1.0 > >Content-type: multipart/alternative; > boundary=boundary_23188.98657_31093158 > >Message-Id: < 20030116173721.A9EF51E85BE@mx11.royalsavings.com > > > > >Date: Thu, 16 Jan 2003 12:37:21 -0500 (EST) > >X-MailScanner: Not scanned: please contact your Internet E-Mail Service > >Provider for details > > > >--boundary_23188.98657_31093158 > >Content-Type: text/plain; charset=us-ascii > >Content-Transfer-Encoding: quoted-printable > >X-MIME-Autoconverted: from 8bit to quoted-printable by > arwen.sterling.net id > >h0GK0Bu08958 > > -- > Julian Field > www.MailScanner.info > MailScanner thanks transtec Computers for their support > From c.bates at COMNET.CO.NZ Fri Jan 17 01:45:18 2003 
From: c.bates at COMNET.CO.NZ (Craig Bates)
Date: Thu Jan 12 21:16:59 2006
Subject: dying processes
In-Reply-To: <20030116163429.78cd771f.dlovelace@hotels.com>
References: <200301170936.22606.c.bates@comnet.co.nz> <20030116163429.78cd771f.dlovelace@hotels.com>
Message-ID: <200301171445.18521.c.bates@comnet.co.nz>

Dale,

Are you running Spam assassin & RAZOR? What OS and anti-virus are you running?

Anybody else having these problems????

Thanks,

Craig

On Friday 17 January 2003 11:34, you wrote:
> I was having this same problem, but didn't investigate why very much,
> that is why I put the restart option in mailscanner-mrtg, whenever it
> detects mailscanner is below a certain number of processes it restarts it.
>
> Dale
>
> On Fri, 17 Jan 2003 09:36:22 +1300
>
> Craig Bates wrote:
> > Hi,
> >
> > I decided to install MailScanner on RedHat80 as I was having problems
> > with MailScanner processes dying on FreeBSD. I am now having exactly the
> > same problem with RedHat80 This proves that the problem is independent
> > of OS, sendmail version / compilation and perl version.
> >
> > I find it very strange that nobody else seems to have this problem and I
> > have it on 3 boxes!
> >
> > Is there anybody on this list that has MailScanner working with
> > spamassassin-2.43-3.i386.rpm, razor-agents-2.22.tar.gz, fp-linux-sb.rpm
> > (f-prot)? One of these must be causing the problem as I'm sure
> > MailScanner and RedHat8.0 is a very common installation that works!
> >
> > Thanks,
> >
> > Craig

From mailscanner at ecs.soton.ac.uk Fri Jan 17 09:02:16 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:59 2006 Subject: Large number of unscanned messages In-Reply-To: References: <5.2.0.9.2.20030116234142.02c8df68@imap.ecs.soton.ac.uk> Message-ID: <5.2.0.9.2.20030117090136.0314f320@imap.ecs.soton.ac.uk> In which case only your named domains will be scanned. What are the envelope recipient addresses (in your maillog) on the unscanned messages? At 00:17 17/01/2003, you wrote: >Virus Scanning = /etc/MailScanner/rules/strlg.virus.scanning.rules > >strlg.virus.scanning.rules >FromorTo: default no >To: motocow.com yes >To: sterling.net yes >To: sterlink.net yes >To: sterlink.ws yes >To: sterlink.org yes >To: sterlink.tv yes >To: sterlink.cc yes >To: sterlink.info yes >To: pacificlegal.com yes >To: pacimaging.com yes >To: countrysidechurch.com yes >To: tualatinislandgreens.com yes >To: bethanyvillage.com yes >To: darkhorseconstruction.com yes >To: lgprs.org yes >To: lgprs.com yes >To: lgprs.net yes >To: newavenues.org yes >To: coffmanteam.com yes >To: coffmanexcavation.com yes > > > -----Original Message----- 
> > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > > Behalf Of Julian Field > > Sent: Thursday, January 16, 2003 3:42 PM > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: Re: Large number of unscanned messages > > > > > > In your MailScanner.conf file, what does the "Virus Scanning" option say? > > > > At 23:32 16/01/2003, you wrote: > > >I have a large number of messages that do not get scanned. I > > have verified > > >that they are not whitelisted. Most of the spam get's caught, > > however some > > >slip through without scanning. What could be causing this or what is the > > >best way to diagnose the problem. Here is the log entry: > > > > > >Jan 16 15:26:33 arwen MailScanner[27051]: New Batch: Forwarding > > 1 unscanned > > >messages, 5099 bytes > > > > > >Here is the header of an unscanned message: > > > > > >Received: from arwen.sterling.net ([199.108.225.50]) by > > alder.keyknife.com > > >with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2650.21) > > > id YSS41YS8; Thu, 16 Jan 2003 12:00:14 -0800 > > >Received: from mx11.royalsavings.com (mx11.royalsavings.com > > [207.176.24.83]) > > > by arwen.sterling.net (8.11.6/8.11.6) with ESMTP id h0GK0Bu08958 > > > for < ejl@keyknife.com >; Thu, 16 Jan 2003 > > >12:00:11 -0800 > > >Received: by mx11.royalsavings.com (Postfix, from userid 844) > > > id A9EF51E85BE; Thu, 16 Jan 2003 12:37:21 -0500 (EST) > > >To: ejl@keyknife.com 
> > >From: "Credit Help" < advice@SmartDiscounts.net > > > > > > >Reply-To: bounce@dm-direct.com > > >X-CampaignID: 00886 > > >X-Recipient: ejl@keyknife.com > > >X-Intalius: ZWpsQGtleWtuaWZlLmNvbQ== > > >X-ListID: 12 > > >X-Source: 50209 > > >Subject: Advice on debt reduction > > >MIME-Version: 1.0 > > >Content-type: multipart/alternative; > > boundary=boundary_23188.98657_31093158 > > >Message-Id: < 20030116173721.A9EF51E85BE@mx11.royalsavings.com > > > > > > >Date: Thu, 16 Jan 2003 12:37:21 -0500 (EST) > > >X-MailScanner: Not scanned: please contact your Internet E-Mail Service > > >Provider for details > > > > > >--boundary_23188.98657_31093158 > > >Content-Type: text/plain; charset=us-ascii > > >Content-Transfer-Encoding: quoted-printable > > >X-MIME-Autoconverted: from 8bit to quoted-printable by > > arwen.sterling.net id > > >h0GK0Bu08958 > > > > -- > > Julian Field > > www.MailScanner.info > > MailScanner thanks transtec Computers for their support > > -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From vanhorn at whidbey.com Fri Jan 17 10:32:39 2003 
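The rule file Bill posted starts with "FromorTo: default no", so, as Julian's reply says, only recipients in the named domains are scanned. The Python sketch below is an added example, not MailScanner's own code and not something posted to the list: it checks envelope recipients taken from sendmail "to=" log lines against that rule file. It assumes first-match-wins rules and that a bare domain means "*@domain"; the function names and the sample log lines are constructed for illustration, with the first line reusing the queue ID and recipient from the posted header.

```python
import re
from fnmatch import fnmatchcase

# The rule file as posted in the thread (strlg.virus.scanning.rules).
RULESET_TEXT = """\
FromorTo: default no
To: motocow.com yes
To: sterling.net yes
To: sterlink.net yes
To: sterlink.ws yes
To: sterlink.org yes
To: sterlink.tv yes
To: sterlink.cc yes
To: sterlink.info yes
To: pacificlegal.com yes
To: pacimaging.com yes
To: countrysidechurch.com yes
To: tualatinislandgreens.com yes
To: bethanyvillage.com yes
To: darkhorseconstruction.com yes
To: lgprs.org yes
To: lgprs.com yes
To: lgprs.net yes
To: newavenues.org yes
To: coffmanteam.com yes
To: coffmanexcavation.com yes
"""

# Constructed sendmail delivery log lines (sample data for this example).
SAMPLE_LOG = [
    "Jan 16 12:00:14 arwen sendmail[8960]: h0GK0Bu08958: "
    "to=<ejl@keyknife.com>, mailer=esmtp, stat=Sent",
    "Jan 16 12:01:02 arwen sendmail[8971]: h0GK1a008970: "
    "to=<bill@sterling.net>,<someone@example.org>, mailer=esmtp, stat=Sent",
    "Jan 16 12:02:40 arwen sendmail[8985]: h0GK2e008984: "
    "to=<Info@LGPRS.ORG>, mailer=esmtp, stat=Sent",
]

DIRECTIONS = {"from", "to", "fromorto", "fromandto"}
TO_FIELD = re.compile(r"sendmail\[\d+\]: (\w+): to=((?:<[^>]+>,?)+)")


def parse_ruleset(text):
    """Return (rules, default); rules keeps file order as (direction, pattern, value)."""
    rules, default = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        fields = line.split(None, 2)
        if len(fields) != 3:
            raise ValueError("malformed rule: %r" % raw)
        direction = fields[0].rstrip(":").lower()
        pattern, value = fields[1].lower(), fields[2].strip().lower()
        if direction not in DIRECTIONS:
            raise ValueError("unknown direction in rule: %r" % raw)
        if pattern == "default":
            default = value
            continue
        if "@" not in pattern:                   # assumption: bare domain = any user there
            pattern = "*@" + pattern
        rules.append((direction, pattern, value))
    return rules, default


def matches(pattern, address):
    """Case-insensitive wildcard match; subdomains do NOT match a bare domain here."""
    return bool(address) and fnmatchcase(address.lower(), pattern)


def decide(rules, default, sender, recipient):
    """First matching rule wins (assumption); otherwise the default applies."""
    for direction, pattern, value in rules:
        hit_from, hit_to = matches(pattern, sender), matches(pattern, recipient)
        hit = {"from": hit_from, "to": hit_to,
               "fromorto": hit_from or hit_to,
               "fromandto": hit_from and hit_to}[direction]
        if hit:
            return value
    return default


def unscanned_recipients(log_lines, rules, default):
    """List (queue_id, recipient) pairs whose rule decision is not 'yes'."""
    found = []
    for line in log_lines:
        m = TO_FIELD.search(line)
        if not m:
            continue
        queue_id, to_field = m.group(1), m.group(2)
        # A single to= field can carry several recipients: to=<a@x>,<b@y>
        for rcpt in re.findall(r"<([^>]+)>", to_field):
            if decide(rules, default, "", rcpt) != "yes":
                found.append((queue_id, rcpt))
    return found


if __name__ == "__main__":
    rules, default = parse_ruleset(RULESET_TEXT)
    for queue_id, rcpt in unscanned_recipients(SAMPLE_LOG, rules, default):
        print("%s: %s falls through to default '%s'" % (queue_id, rcpt, default))
```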
From: vanhorn at whidbey.com (G. Armour Van Horn)
Date: Thu Jan 12 21:16:59 2006
Subject: Confused operator, server down ...
References: <2093DBF9-2993-11D7-B1D9-000393D6F5B0@lemon-computing.com>
Message-ID: <3E27DBC7.CDF0EA5@whidbey.com>

Greetings,

I was having some problems with one of my servers, one of those where every time you think you have it solved, something else breaks as soon as your back is turned. (Or as soon as you go to bed.) Right now, the mail isn't moving at all.

This is RedHat 7.2, Sendmail 8.12.16, MailScanner 4.11-1. All of this was recently working, although most of it got upgraded during the thrashing around, and there's no telling what I might have stepped on along the way.

"service MailScanner restart" fires off two copies of sendmail, one for incoming and one for outgoing. Both appear in the "ps aux" looking like normal. One says "sendmail: accepting connections" and the other says "sendmail: Queue runner@00:05:00 for /var/spool/mqueue". There's precious little in /var/spool/mail, so Queue runner could be running just fine.

Everything in both sendmail.mc and submit.mc looks rational, although I don't have a copy from a week ago to compare with. Both are set to localhost, 127.0.0.1.

If I send a message outside the system from the command line it never gets there. Messages from outside aren't getting in, I just got a notice that a message I sent 24 hours ago hasn't been delivered, "Connection refused."

Telnet to port 25 from outside also gets "Connection refused."

Mail to root should be delivered to vanhorn, according to the aliases file, but messages from cron to root end up in /var/spool/mail/root, so the aliases.db isn't getting used, although there is no error on running newaliases.

Messages from the command line (sendmail vanhorn References: <2093DBF9-2993-11D7-B1D9-000393D6F5B0@lemon-computing.com> Message-ID: <5.2.0.9.2.20030117103205.02e87e28@imap.ecs.soton.ac.uk> At 10:32 17/01/2003, you wrote: >Greetings, > >I was having some problems with one of myservers, one of those where every >time you think you have it solved, something else breaks as soon as your back >is turned. (Or as soon as you go to bed.) Right now, the mail isn't moving at >all. > >This is RedHat 7.2, Sendmail 8.12.16, MailScanner 4.11-1. All of this was >recently working, although most of it got upgraded during the thrashing >around, and there's no telling what I might have stepped on along the way. > >"service MailScanner restart" fires off two copies of sendmail, one for >incoming and one for outgoing. Both appear in the "ps aux" looking like >normal. One says "sendmail: accepting connections" and the other says >"sendmail: Queue runner@00:05:00 for /var/spool/mqueue". There's precious >little in /var/spool/mail, so Queue runner could be running just fine. > >Everything in both sendmail.mc and submit.mc looks rational, although I don't >have a copy from a week ago to compare with. Both are set to localhost, >127.0.0.1. > >If I send a message outside the system from the command line it never gets >there. Messages from outside aren't getting in, I just got a notice that a >message I sent 24 hours ago hasn't been delivered, "Connection refused." > >Telnet to port 25 from outside also gets "Connection refused." That will be because you set the DaemonOptions to only listen on localhost, 127.0.0.1. >Mail to root should be delivered to vanhorn, according to the aliases file, >but messages from cron to root end up in /var/spool/mail/root, so the >aliases.db isn't getting used, although there is no error on running >newaliases. Do sendmail -bv root to see where sendmail will actually try to deliver the message. >Messages from the command line (sendmail vanhorn get delivered. 
Again, do a sendmail -bv vanhorn to see what sendmail thinks. >Mail that has been spooled for users (i.e., /var/spool/mail/vanhorn ) can be >retrieved with POP clients without problem. > >What am I missing? > >Van > > >-- >---------------------------------------------------------- >Sign up now for Quotes of the Day, a handful of quotations >on a theme delivered every morning. >Enlightenment! Daily, for free! >mailto:twisted@whidbey.com?subject=Subscribe_QOTD > >For web hosting and maintenance, >visit Van's home page: http://www.domainvanhorn.com/van/ >---------------------------------------------------------- -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From vanhorn at whidbey.com Fri Jan 17 11:19:31 2003 
From: vanhorn at whidbey.com (G. Armour Van Horn) Date: Thu Jan 12 21:16:59 2006 Subject: Confused operator, server down ... References: <2093DBF9-2993-11D7-B1D9-000393D6F5B0@lemon-computing.com> <5.2.0.9.2.20030117103205.02e87e28@imap.ecs.soton.ac.uk> Message-ID: <3E27E6C3.B20F7621@whidbey.com> Julian Field wrote: > >Everything in both sendmail.mc and submit.mc looks rational, although I don't > >have a copy from a week ago to compare with. Both are set to localhost, > >127.0.0.1. > > > >If I send a message outside the system from the command line it never gets > >there. Messages from outside aren't getting in, I just got a notice that a > >message I sent 24 hours ago hasn't been delivered, "Connection refused." > > > >Telnet to port 25 from outside also gets "Connection refused." > > That will be because you set the DaemonOptions to only listen on localhost, > 127.0.0.1. Okay, I guess I had it backwards. I thought the new trick was to have submit.mc/cf handle the outside world, with sendmail.mc/cf restricted to localhost. Now that I've got DaemonOptions set for the public address in sendmail.mc, /var/spool/mqueue.in is accumulating a lot of mail. Alas, /var/spool/mqueue isn't growing at all yet. Every five seconds (yes, I changed the default, it seemed harmless) I get this in maillog: Jan 17 03:09:34 verbose MailScanner[13023]: MailScanner Jan 17 03:09:34 verbose MailScanner[13023]: MailScanner E-Mail Virus Scanner version 4.11-1 starting... In top and ps I see frequent entries like this one from ps aux: root 13069 4.6 0.0 0 0 ? Z 03:10 0:00 [MailScanner ] > Do > sendmail -bv root > to see where sendmail will actually try to deliver the message. [root@verbose mail]# sendmail -bv vanhorn vanhorn... deliverable: mailer local, user vanhorn [root@verbose mail]# sendmail -bv root vanhorn... deliverable: mailer local, user vanhorn But as far as I can see it doesn't actually try to deliver anything. So I'm getting closer, but I'm not there yet. Any more places to check? 
Van -- ---------------------------------------------------------- Sign up now for Quotes of the Day, a handful of quotations on a theme delivered every morning. Enlightenment! Daily, for free! mailto:twisted@whidbey.com?subject=Subscribe_QOTD For web hosting and maintenance, visit Van's home page: http://www.domainvanhorn.com/van/ ---------------------------------------------------------- From mailscanner at ecs.soton.ac.uk Fri Jan 17 11:23:52 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:59 2006 Subject: Confused operator, server down ... In-Reply-To: <3E27E6C3.B20F7621@whidbey.com> References: <2093DBF9-2993-11D7-B1D9-000393D6F5B0@lemon-computing.com> <5.2.0.9.2.20030117103205.02e87e28@imap.ecs.soton.ac.uk> Message-ID: <5.2.0.9.2.20030117112328.02e9bce0@imap.ecs.soton.ac.uk> At 11:19 17/01/2003, you wrote: >Julian Field wrote: > > > >Everything in both sendmail.mc and submit.mc looks rational, although > I don't > > >have a copy from a week ago to compare with. Both are set to localhost, > > >127.0.0.1. > > > > > >If I send a message outside the system from the command line it never gets > > >there. Messages from outside aren't getting in, I just got a notice that a > > >message I sent 24 hours ago hasn't been delivered, "Connection refused." > > > > > >Telnet to port 25 from outside also gets "Connection refused." > > > > That will be because you set the DaemonOptions to only listen on localhost, > > 127.0.0.1. > >Okay, I guess I had it backwards. I thought the new trick was to have >submit.mc/cf >handle the outside world, with sendmail.mc/cf restricted to localhost. Now >that >I've got DaemonOptions set for the public address in sendmail.mc, >/var/spool/mqueue.in is accumulating a lot of mail. > >Alas, /var/spool/mqueue isn't growing at all yet. Every five seconds (yes, I >changed the default, it seemed harmless) I get this in maillog: > >Jan 17 03:09:34 verbose MailScanner[13023]: MailScanner >Jan 17 03:09:34 verbose MailScanner[13023]: MailScanner E-Mail Virus Scanner >version 4.11-1 starting... > >In top and ps I see frequent entries like this one from ps aux: >root 13069 4.6 0.0 0 0 ? Z 03:10 0:00 [MailScanner >] What else does your maillog say? It sounds like MailScanner isn't managing to start up. > > Do > > sendmail -bv root > > to see where sendmail will actually try to deliver the message. > >[root@verbose mail]# sendmail -bv vanhorn >vanhorn... 
deliverable: mailer local, user vanhorn >[root@verbose mail]# sendmail -bv root >vanhorn... deliverable: mailer local, user vanhorn > >But as far as I can see it doesn't actually try to deliver anything. > >So I'm getting closer, but I'm not there yet. Any more places to check? > >Van > >-- >---------------------------------------------------------- >Sign up now for Quotes of the Day, a handful of quotations >on a theme delivered every morning. >Enlightenment! Daily, for free! >mailto:twisted@whidbey.com?subject=Subscribe_QOTD > >For web hosting and maintenance, >visit Van's home page: http://www.domainvanhorn.com/van/ >---------------------------------------------------------- -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From joe at QITC.CO.UK Fri Jan 17 14:15:33 2003 
From: joe at QITC.CO.UK (Joe Quinn)
Date: Thu Jan 12 21:16:59 2006
Subject: Problem installing on a RaQ4
References: <5.2.0.9.2.20030116234142.02c8df68@imap.ecs.soton.ac.uk> <5.2.0.9.2.20030117090136.0314f320@imap.ecs.soton.ac.uk>
Message-ID: <00c701c2be32$e8741880$78720550@T20>

Hi,

I'm trying to do a fresh install on a new RaQ4 but have hit problems. I've done a few RaQ4's before and it was easy!

When I run the ./install.sh command I get;

Your copy of the Perl module ExtUtils::MakeMaker........
run this first.........../Update-MakeMaker.sh

but when I do that it still fails;

[root MailScanner-4.11-1]# ./Update-MakeMaker.sh
Can't locate object method "rel2abs" via package "File::Spec" at Makefile.PL line 55.
BEGIN failed--compilation aborted at Makefile.PL line 57.
make: *** No targets specified and no makefile found. Stop.
make: *** No rule to make target `install'. Stop.

Done. Please now run ./install.sh again.
[root MailScanner-4.11-1]#

so I ran ./install.sh again with the same results???

This time I read the FAQ and checked to ensure only one copy of perl was installed.

Any ideas?

Cheers,

Joe
www.qitc.net/

From mike at CAMAROSS.NET Fri Jan 17 14:23:41 2003
From: mike at CAMAROSS.NET (Mike Kercher)
Date: Thu Jan 12 21:16:59 2006
Subject: Problem installing on a RaQ4
In-Reply-To: <00c701c2be32$e8741880$78720550@T20>
Message-ID: <022401c2be34$09391d30$9801a8c0@home.middlefinger.net>

You might try downloading and installing File::Spec by hand and then try again:

http://search.cpan.org/CPAN/authors/id/R/RB/RBS/File-Spec-0.82.tar.gz

Mike

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Joe Quinn Sent: Friday, January 17, 2003 8:16 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Problem installing on a RaQ4 Hi, I'm trying to do a fresh install on a new RaQ4 but have hit problems. I've done a few RaQ4's before and it was easy! When I run the./install.sh command I get; Your copy of the Perl module ExtUtils::MakeMaker........ run this first.........../Update-MakeMaker.sh but when I do that it still fails; [root MailScanner-4.11-1]# ./Update-MakeMaker.sh Can't locate object method "rel2abs" via package "File::Spec" at Makefile.PL line 55. BEGIN failed--compilation aborted at Makefile.PL line 57. make: *** No targets specified and no makefile found. Stop. make: *** No rule to make target `install'. Stop. Done. Please now run ./install.sh again. [root MailScanner-4.11-1]# so I ran ./install.sh again with the same results??? This time I read the FAQ and checked to ensure only one copy of perl was installed. Any ideas? Cheers, Joe www.qitc.net/ From dlovelace at HOTELS.COM Fri Jan 17 14:22:48 2003 
From: dlovelace at HOTELS.COM (Dale Lovelace) Date: Thu Jan 12 21:16:59 2006 Subject: dying processes In-Reply-To: <200301171445.18521.c.bates@comnet.co.nz> References: <200301170936.22606.c.bates@comnet.co.nz> <20030116163429.78cd771f.dlovelace@hotels.com> <200301171445.18521.c.bates@comnet.co.nz> Message-ID: <20030117082248.5f3f7c2b.dlovelace@hotels.com> I am not running Razor. I have MailScanner 4.10, SpamAssassin 2.43 and ClamAv 0.54 on Red Hat 8.0. I would notice on my mailscanner-mrtg graphs that the number of MailScanner processes would drop from 20 to 3 sometimes, and stay there until I restarted MailScanner. I didn't look through the logs "real" hard, but my cursory examination didn't turn up anything. On Fri, 17 Jan 2003 14:45:18 +1300 Craig Bates wrote: > Dale, > > Are you runing Spam assassin & RAZOR? What OS and anti-virus are you running? > > Anybody else having these problems???? > > Thanks, > > Craig > > On Friday 17 January 2003 11:34, you wrote: > > I was having this same problem, but didn't investigate why very much, > > that is why I put the restart option in mailscanner-mrtg, whenever it > > detects mailscanner is below a certain number of processes it restarts it. > > > > Dale > > > > On Fri, 17 Jan 2003 09:36:22 +1300 > > > > Craig Bates wrote: > > > Hi, > > > > > > I decided to install MailScanner on RedHat80 as I was having problems > > > with MailScanner processes dying on FreeBSD. I am now having exactly the > > > same problem with RedHat80 This proves that the problem is independent > > > of OS, sendmail version / compilation and perl version. > > > > > > I find it very strage that nobody else seems to have this problem and I > > > have it on 3 boxes! > > > > > > Is there anybody on this list that has MailScanner working with > > > spamassassin-2.43-3.i386.rpm, razor-agents-2.22.tar.gz, fp-linux-sb.rpm > > > (f-prot)? 
One of these must be causing the problem as I'm sure
> > > MailScanner and RedHat8.0 is a very common installation that works!
> > >
> > > Thanks,
> > >
> > > Craig

--
Dale Lovelace
System Administrator
hotels.com
(214) 361-7311 Ext. 1074

From mailscanner at ecs.soton.ac.uk Fri Jan 17 15:09:38 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:16:59 2006
Subject: Problem installing on a RaQ4
In-Reply-To: <022401c2be34$09391d30$9801a8c0@home.middlefinger.net>
References: <00c701c2be32$e8741880$78720550@T20>
Message-ID: <5.2.0.9.2.20030117150343.02fa1610@imap.ecs.soton.ac.uk>

Unfortunately this can easily become a vicious circle, with a depending on b and d depending on a. If you find yourself caught like this, and the

perl Makefile.PL
make
make test
make install

won't work for File-Spec, then you will find the module is only 1 file (Spec.pm), and the commands above will give you a good idea of where to put it.

At 14:23 17/01/2003, you wrote:
>You might try downloading and installing File::Spec by hand and then try
>again:
>
>http://search.cpan.org/CPAN/authors/id/R/RB/RBS/File-Spec-0.82.tar.gz
>
>Mike
>
>
>-----Original Message-----
>From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On >Behalf Of Joe Quinn >Sent: Friday, January 17, 2003 8:16 AM >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Problem installing on a RaQ4 > > >Hi, > >I'm trying to do a fresh install on a new RaQ4 but have hit problems. >I've done a few RaQ4's before and it was easy! > >When I run the./install.sh command I get; > >Your copy of the Perl module ExtUtils::MakeMaker........ >run this first.........../Update-MakeMaker.sh > >but when I do that it still fails; > >[root MailScanner-4.11-1]# ./Update-MakeMaker.sh >Can't locate object method "rel2abs" via package "File::Spec" at >Makefile.PL line 55. BEGIN failed--compilation aborted at Makefile.PL >line 57. >make: *** No targets specified and no makefile found. Stop. >make: *** No rule to make target `install'. Stop. > >Done. Please now run ./install.sh again. >[root MailScanner-4.11-1]# > >so I ran ./install.sh again with the same results??? > >This time I read the FAQ and checked to ensure only one copy of perl was >installed. > >Any ideas? > >Cheers, > >Joe >www.qitc.net/ -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Fri Jan 17 15:16:01 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:59 2006 Subject: dying processes In-Reply-To: <20030117082248.5f3f7c2b.dlovelace@hotels.com> References: <200301171445.18521.c.bates@comnet.co.nz> <200301170936.22606.c.bates@comnet.co.nz> <20030116163429.78cd771f.dlovelace@hotels.com> <200301171445.18521.c.bates@comnet.co.nz> Message-ID: <5.2.0.9.2.20030117151504.06156760@imap.ecs.soton.ac.uk> It may sound silly, but have you done a "df -k" recently? I've been experiencing a similar problem myself with another user's server, and it took me a while to realise one of the filesystems had filled up. At 14:22 17/01/2003, you wrote: > I am not running Razor. I have MailScanner 4.10, SpamAssassin 2.43 and > ClamAv 0.54 on Red Hat 8.0. > > I would notice on my mailscanner-mrtg graphs that the number of > MailScanner processes would drop from 20 to 3 sometimes, and stay there > until I restarted MailScanner. I didn't look through the logs "real" > hard, but my cursory examination didn't turn up anything. > >On Fri, 17 Jan 2003 14:45:18 +1300 >Craig Bates wrote: > > > Dale, > > > > Are you runing Spam assassin & RAZOR? What OS and anti-virus are you > running? > > > > Anybody else having these problems???? > > > > Thanks, > > > > Craig > > > > On Friday 17 January 2003 11:34, you wrote: > > > I was having this same problem, but didn't investigate why very much, > > > that is why I put the restart option in mailscanner-mrtg, whenever it > > > detects mailscanner is below a certain number of processes it > restarts it. > > > > > > Dale > > > > > > On Fri, 17 Jan 2003 09:36:22 +1300 > > > > > > Craig Bates wrote: > > > > Hi, > > > > > > > > I decided to install MailScanner on RedHat80 as I was having problems > > > > with MailScanner processes dying on FreeBSD. I am now having > exactly the > > > > same problem with RedHat80 This proves that the problem is independent > > > > of OS, sendmail version / compilation and perl version. 
> > > > > > > > I find it very strage that nobody else seems to have this problem and I > > > > have it on 3 boxes! > > > > > > > > Is there anybody on this list that has MailScanner working with > > > > spamassassin-2.43-3.i386.rpm, razor-agents-2.22.tar.gz, fp-linux-sb.rpm > > > > (f-prot)? One of these must be causing the problem as I'm sure > > > > MailScanner and RedHat8.0 is a very common installation that works! > > > > > > > > Thanks, > > > > > > > > Craig > > >-- > Dale Lovelace > System Administrator > hotels.com > (214) 361-7311 Ext. 1074 -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From dlovelace at HOTELS.COM Fri Jan 17 15:24:18 2003 
From: dlovelace at HOTELS.COM (Dale Lovelace) Date: Thu Jan 12 21:16:59 2006 Subject: dying processes In-Reply-To: <5.2.0.9.2.20030117151504.06156760@imap.ecs.soton.ac.uk> References: <200301171445.18521.c.bates@comnet.co.nz> <200301170936.22606.c.bates@comnet.co.nz> <20030116163429.78cd771f.dlovelace@hotels.com> <200301171445.18521.c.bates@comnet.co.nz> <5.2.0.9.2.20030117151504.06156760@imap.ecs.soton.ac.uk> Message-ID: <20030117092418.22a64a7e.dlovelace@hotels.com>

[root@relay-01 root]# df -k
Filesystem           1K-blocks      Used Available Use% Mounted on
/dev/sda3              1004052    477680    475368  51% /
/dev/sda1               101089      9457     86413  10% /boot
none                    256964         0    256964   0% /dev/shm
/dev/sda2              1004052    303652    649396  32% /usr
/dev/sda6             32360788   1414992  29301948   5% /var

Nearly 30gig in /var, think I'm ok :-) Dale On Fri, 17 Jan 2003 15:16:01 +0000 Julian Field wrote: > It may sound silly, but have you done a "df -k" recently? I've been > experiencing a similar problem myself with another user's server, and it > took me a while to realise one of the filesystems had filled up. > > At 14:22 17/01/2003, you wrote: > > I am not running Razor. I have MailScanner 4.10, SpamAssassin 2.43 and > > ClamAv 0.54 on Red Hat 8.0. > > > > I would notice on my mailscanner-mrtg graphs that the number of > > MailScanner processes would drop from 20 to 3 sometimes, and stay there > > until I restarted MailScanner. I didn't look through the logs "real" > > hard, but my cursory examination didn't turn up anything. > > > >On Fri, 17 Jan 2003 14:45:18 +1300 > >Craig Bates wrote: > > > > > Dale, > > > > > > Are you running Spam assassin & RAZOR? What OS and anti-virus are you > > running? > > > > > > Anybody else having these problems????
> > > > > > Thanks, > > > > > > Craig > > > > > > On Friday 17 January 2003 11:34, you wrote: > > > > I was having this same problem, but didn't investigate why very much, > > > > that is why I put the restart option in mailscanner-mrtg, whenever it > > > > detects mailscanner is below a certain number of processes it > > restarts it. > > > > > > > > Dale > > > > > > > > On Fri, 17 Jan 2003 09:36:22 +1300 > > > > > > > > Craig Bates wrote: > > > > > Hi, > > > > > > > > > > I decided to install MailScanner on RedHat80 as I was having problems > > > > > with MailScanner processes dying on FreeBSD. I am now having > > exactly the > > > > > same problem with RedHat80 This proves that the problem is independent > > > > > of OS, sendmail version / compilation and perl version. > > > > > > > > > > I find it very strage that nobody else seems to have this problem and I > > > > > have it on 3 boxes! > > > > > > > > > > Is there anybody on this list that has MailScanner working with > > > > > spamassassin-2.43-3.i386.rpm, razor-agents-2.22.tar.gz, fp-linux-sb.rpm > > > > > (f-prot)? One of these must be causing the problem as I'm sure > > > > > MailScanner and RedHat8.0 is a very common installation that works! > > > > > > > > > > Thanks, > > > > > > > > > > Craig > > > > > >-- > > Dale Lovelace > > System Administrator > > hotels.com > > (214) 361-7311 Ext. 1074 > > -- > Julian Field > www.MailScanner.info > MailScanner thanks transtec Computers for their support -- Dale Lovelace System Administrator hotels.com (214) 361-7311 Ext. 1074 From billa at STERLING.NET Fri Jan 17 15:53:06 2003 
From: billa at STERLING.NET (Bill Anderson) Date: Thu Jan 12 21:16:59 2006 Subject: Large number of unscanned messages In-Reply-To: <5.2.0.9.2.20030117090136.0314f320@imap.ecs.soton.ac.uk> Message-ID: Ok, I think I got this figured out. The domain in question does not have virus scanning turned on (which is what I want), but does have SPAM scanning on. I went ahead and turned on ALL logging of spam messages and this is what I got. > X-MailScanner: Not scanned: please contact your Internet E-Mail Service > Provider for details > X-MailScanner-SpamCheck: not spam, SpamAssassin (score=3.2, required 5, > MIME_LONG_LINE_QP, NO_REAL_NAME, SALE, SPAM_PHRASE_05_08, > SUBJECT_IS_LIST) I assume the first X-MailScanner says not scanned, because the VIRUS scanning will never happen because I turned it off. The second line is what happened during the SPAM scan process. Since I did not have all logging of spam turned on, I never saw the X-MailScanner-SpamCheck message, because the SPAM never registered above my threshold. Thanks. > -----Original Message----- 
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On
> Behalf Of Julian Field
> Sent: Friday, January 17, 2003 1:02 AM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: Large number of unscanned messages
>
>
> In which case only your named domains will be scanned. What are the
> envelope recipient addresses (in your maillog) on the unscanned messages?
>
> At 00:17 17/01/2003, you wrote:
> >Virus Scanning = /etc/MailScanner/rules/strlg.virus.scanning.rules
> >
> >strlg.virus.scanning.rules
> >FromorTo: default no
> >To: motocow.com yes
> >To: sterling.net yes
> >To: sterlink.net yes
> >To: sterlink.ws yes
> >To: sterlink.org yes
> >To: sterlink.tv yes
> >To: sterlink.cc yes
> >To: sterlink.info yes
> >To: pacificlegal.com yes
> >To: pacimaging.com yes
> >To: countrysidechurch.com yes
> >To: tualatinislandgreens.com yes
> >To: bethanyvillage.com yes
> >To: darkhorseconstruction.com yes
> >To: lgprs.org yes
> >To: lgprs.com yes
> >To: lgprs.net yes
> >To: newavenues.org yes
> >To: coffmanteam.com yes
> >To: coffmanexcavation.com yes
> >
> > > -----Original Message-----
> > > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > > > Behalf Of Julian Field > > > Sent: Thursday, January 16, 2003 3:42 PM > > > To: MAILSCANNER@JISCMAIL.AC.UK > > > Subject: Re: Large number of unscanned messages > > > > > > > > > In your MailScanner.conf file, what does the "Virus Scanning" > option say? > > > > > > At 23:32 16/01/2003, you wrote: > > > >I have a large number of messages that do not get scanned. I > > > have verified > > > >that they are not whitelisted. Most of the spam get's caught, > > > however some > > > >slip through without scanning. What could be causing this > or what is the > > > >best way to diagnose the problem. Here is the log entry: > > > > > > > >Jan 16 15:26:33 arwen MailScanner[27051]: New Batch: Forwarding > > > 1 unscanned > > > >messages, 5099 bytes > > > > > > > >Here is the header of an unscanned message: > > > > > > > >Received: from arwen.sterling.net ([199.108.225.50]) by > > > alder.keyknife.com > > > >with SMTP (Microsoft Exchange Internet Mail Service Version > 5.5.2650.21) > > > > id YSS41YS8; Thu, 16 Jan 2003 12:00:14 -0800 > > > >Received: from mx11.royalsavings.com (mx11.royalsavings.com > > > [207.176.24.83]) > > > > by arwen.sterling.net (8.11.6/8.11.6) with ESMTP id h0GK0Bu08958 > > > > for < ejl@keyknife.com >; Thu, > 16 Jan 2003 > > > >12:00:11 -0800 > > > >Received: by mx11.royalsavings.com (Postfix, from userid 844) > > > > id A9EF51E85BE; Thu, 16 Jan 2003 12:37:21 -0500 (EST) > > > >To: ejl@keyknife.com 
> > > >From: "Credit Help" < advice@SmartDiscounts.net > > > > > > > > >Reply-To: bounce@dm-direct.com > > > >X-CampaignID: 00886 > > > >X-Recipient: ejl@keyknife.com > > > >X-Intalius: ZWpsQGtleWtuaWZlLmNvbQ== > > > >X-ListID: 12 > > > >X-Source: 50209 > > > >Subject: Advice on debt reduction > > > >MIME-Version: 1.0 > > > >Content-type: multipart/alternative; > > > boundary=boundary_23188.98657_31093158 > > > >Message-Id: < 20030116173721.A9EF51E85BE@mx11.royalsavings.com > > > > > > > > >Date: Thu, 16 Jan 2003 12:37:21 -0500 (EST) > > > >X-MailScanner: Not scanned: please contact your Internet > E-Mail Service > > > >Provider for details > > > > > > > >--boundary_23188.98657_31093158 > > > >Content-Type: text/plain; charset=us-ascii > > > >Content-Transfer-Encoding: quoted-printable > > > >X-MIME-Autoconverted: from 8bit to quoted-printable by > > > arwen.sterling.net id > > > >h0GK0Bu08958 > > > > > > -- > > > Julian Field > > > www.MailScanner.info > > > MailScanner thanks transtec Computers for their support > > > > > -- > Julian Field > www.MailScanner.info > MailScanner thanks transtec Computers for their support > From j.figueira at zmail.pt Fri Jan 17 16:17:14 2003 
From: j.figueira at zmail.pt (j. Figueira) Date: Thu Jan 12 21:16:59 2006 Subject: To Scan or not to scan outgoing e-mail. That is the question... Message-ID: Hello, As you all know, scanning messages uses a lot of resources... Although MailScanner handles it quite well, scanning for viruses is always a "heavy" task. I am thinking of "turning off" the outgoing mail scanning. Reasons: 1. I _try_to_ protect my network as much as possible. Although it's impossible to be 100% sure, from inside to outside, there shouldn't go any virus. 2. Why do I have to be checking e-mail for other persons? Each network (or person) should try to keep his machine(s) clean. If they scan their incoming e-mail we are making this job twice (because I scan outgoing e-mail) (I know it's never too much... but resources are limited). I know this isn't a very nice approach, and it's quite selfish, but I have to deal with an (almost) overloaded server... I would appreciate your opinion (and ideas on how to do this in MailScanner) Thank You Figueira From thomas_duvally at BROWN.EDU Fri Jan 17 18:40:04 2003 From: thomas_duvally at BROWN.EDU (Thomas DuVally) Date: Thu Jan 12 21:16:59 2006 Subject: Spam Score header help - please. Message-ID: <1042828804.28070.5.camel@croithine> If I have "Spam Score = yes" and "Always Include SpamAssassin Report = no", should all messages have a spam score in the header? If not, which ones would? I'm seeing them in mail that is tagged as spam, in some that are not tagged as spam, but not seeing them in most. I have no white-lists, every single message should be getting scanned for spam, but I don't know why the score seems sporadic. -- Thomas J. DuVally Lead Systems Prog. CIS, Brown Univ. From james at PCXPERIENCE.COM Fri Jan 17 20:17:47 2003
From: james at PCXPERIENCE.COM (James A. Pattie) Date: Thu Jan 12 21:16:59 2006 Subject: Kaspersky Virus Issues Message-ID: <3E2864EB.4050902@pcxperience.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hello, I have a user of DansGuardian Anti-Virus that is using Kaspersky anti-virus. He complained about really long scan times of > 100 seconds. When I looked into it, it appears that the kaspersky-wrapper script is running the kavscanner program, but it never returns or outputs anything. This is Kaspersky 3.0 build 136. I tracked it down to kaspersky needing to be in the /opt/AVP directory when calling kavscanner so that it could load it's definition files. Even then, it is taking around 9-13 seconds to scan small html files where f-prot does it in 0-1 seconds. I added a 'cd ${PackageDir}' before the exec line. Can anyone comment to verify if I have correctly resolved this and/or if a newer version of Kaspersky can be launched from anywhere and still get to it's virus definition files? Thank you, - -- James A. Pattie james@pcxperience.com Linux -- SysAdmin / Programmer Xperience, Inc. http://www.pcxperience.com/ http://www.xperienceinc.com/ GPG Key Available at http://www.pcxperience.com/gpgkeys/james.html -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQE+KGTqtUXjwPIRLVERAmHHAKDF+5E9KpanuQOzum1bfJVWXWxB4gCgrwY5 XKBISSZSn8W055CXq/YVRGY= =Nnpd -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From joe at QITC.CO.UK Fri Jan 17 23:57:56 2003 
From: joe at QITC.CO.UK (Joe Quinn) Date: Thu Jan 12 21:16:59 2006 Subject: Why is AntiVir being called? References: <3E2864EB.4050902@pcxperience.com> Message-ID: <036301c2be84$4eb1f080$de85e150@T20> Can't figure out why I'm getting this in my logs; /usr/lib/MailScanner/antivir-wrapper: =/usr/lib/AntiVir: No such file or directory /usr/lib/MailScanner/antivir-wrapper: =antivir: command not found/usr/lib/MailScanner/antivir-wrapper: =/usr/lib/AntiVir: No such file or directory I've managed to install the latest version on a RaQ4 including SpamAssassin with f-prot but the hourly update seems to be calling AntiVir. It's also doing f-prot but it's supposed to. Any ideas? Cheers, Joe Quinn www.qitc.net From todd.williams at TFCCI.COM Sat Jan 18 00:08:27 2003 
From: todd.williams at TFCCI.COM (Todd Williams) Date: Thu Jan 12 21:16:59 2006 Subject: Why is AntiVir being called? In-Reply-To: <036301c2be84$4eb1f080$de85e150@T20> from "Joe Quinn" at Jan 17, 2003 11:57:56 PM Message-ID: <200301180008.TAA06017@twister.tfcc.com>

One I can answer... There is a minor problem with two of the variable assignments in the script: /usr/lib/MailScanner/antivir-wrapper

Simply remove the leading "$" from the two statements in the script as follows...
------
$PackageDir=/usr/lib/AntiVir
$prog=antivir
------
so that they become:
------
PackageDir=/usr/lib/AntiVir
prog=antivir
------
This will fix the error, and AntiVir will no longer be called. Hope that helps, Todd

> > Can't figure out why I'm getting this in my logs; > > /usr/lib/MailScanner/antivir-wrapper: =/usr/lib/AntiVir: No such file or > directory > /usr/lib/MailScanner/antivir-wrapper: =antivir: command not > found/usr/lib/MailScanner/antivir-wrapper: =/usr/lib/AntiVir: No such file > or directory > > I've managed to install the latest version on a RaQ4 including SpamAssassin > with f-prot but the hourly update seems to be calling AntiVir. It's also > doing f-prot but it's supposed to. > > Any ideas? > > Cheers, > > Joe Quinn > www.qitc.net >
From cmiller at TIGERBYTE.COM Sat Jan 18 01:40:15 2003
From: cmiller at TIGERBYTE.COM (Clint Miller) Date: Thu Jan 12 21:16:59 2006 Subject: quarantine rotation Message-ID: <200301171940.15830.cmiller@tigerbyte.com> We are running mailscanner 4.11 with razor and SA and mcafee. We are catching about 40,000 spams / day and processing about 70k hams / day. We've only been running this configuration for a few weeks now so we're still tweaking. Our current issue is this: because we're accumulating 80k files in the quarantine each day it makes it difficult/impossible to do certain simple tasks like "ls" and "grep". Is there a way to tell mailscanner to rotate the quarantines more quickly than once per day? Should we just write something to rotate the quarantines ourselves? Thanks! -- Clint Miller From smohan at vsnl.com Sat Jan 18 02:33:21 2003 From: smohan at vsnl.com (S Mohan) Date: Thu Jan 12 21:16:59 2006 Subject: dying processes In-Reply-To: <5.2.0.9.2.20030117151504.06156760@imap.ecs.soton.ac.uk> Message-ID: <000001c2be99$f8967980$266041db@18yamuna> I had the same problem. I restart MailScanner regularly. As Julian pointed out, /var/spool/MailScanner did occupy a lot of space. I knocked off quarantine. I notice that the incoming directory has a whole lot of files. I think this is a temporary unpacking and repacking area, if I'm not wrong. Would it be prudent to cron a command like "find /var/spool/MailScanner/incoming -mtime +3 | xargs rm -f" on a daily basis? Maybe this can be part of standard install? Julian: Can clean up option of quarantine and temporary directory (in terms of no of hours or days) be part of the configuration in future releases? The cron job can be modified every time MailScanner starts. Mohan -----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Julian Field Sent: Friday, January 17, 2003 8:46 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: dying processes It may sound silly, but have you done a "df -k" recently? I've been experiencing a similar problem myself with another user's server, and it took me a while to realise one of the filesystems had filled up. At 14:22 17/01/2003, you wrote: > I am not running Razor. I have MailScanner 4.10, SpamAssassin 2.43 > and ClamAv 0.54 on Red Hat 8.0. > > I would notice on my mailscanner-mrtg graphs that the number of > MailScanner processes would drop from 20 to 3 sometimes, and stay > there until I restarted MailScanner. I didn't look through the logs > "real" hard, but my cursory examination didn't turn up anything. > >On Fri, 17 Jan 2003 14:45:18 +1300 >Craig Bates wrote: > > > Dale, > > > > Are you runing Spam assassin & RAZOR? What OS and anti-virus are > > you > running? > > > > Anybody else having these problems???? > > > > Thanks, > > > > Craig > > > > On Friday 17 January 2003 11:34, you wrote: > > > I was having this same problem, but didn't investigate why very > > > much, that is why I put the restart option in mailscanner-mrtg, > > > whenever it detects mailscanner is below a certain number of > > > processes it > restarts it. > > > > > > Dale > > > > > > On Fri, 17 Jan 2003 09:36:22 +1300 > > > > > > Craig Bates wrote: > > > > Hi, > > > > > > > > I decided to install MailScanner on RedHat80 as I was having > > > > problems with MailScanner processes dying on FreeBSD. I am now > > > > having > exactly the > > > > same problem with RedHat80 This proves that the problem is > > > > independent of OS, sendmail version / compilation and perl > > > > version. > > > > > > > > I find it very strage that nobody else seems to have this > > > > problem and I have it on 3 boxes! 
> > > > > > > > Is there anybody on this list that has MailScanner working with > > > > spamassassin-2.43-3.i386.rpm, razor-agents-2.22.tar.gz, fp-linux-sb.rpm > > > > (f-prot)? One of these must be causing the problem as I'm sure > > > > MailScanner and RedHat8.0 is a very common installation that > > > > works! > > > > > > > > Thanks, > > > > > > > > Craig > > >-- > Dale Lovelace > System Administrator > hotels.com > (214) 361-7311 Ext. 1074 -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support
From usergroups at THEARGONCOMPANY.COM Sat Jan 18 09:12:36 2003 From: usergroups at THEARGONCOMPANY.COM (Rishi Gangoly) Date: Thu Jan 12 21:16:59 2006 Subject: MailScanner on Cobalt RaQ 550 References: Message-ID: <018101c2bed1$be153b60$1b02a8c0@theargoncompany.com> > Rishi, I haven't put mailscanner onto a RaQ550 yet but I have it running on > a RaQ3,4 and Qube with no problems so I suspect it would be ok. I have new > fixed rpms specifically for Cobalt with install scripts to install > MailScanner and SpamAssassin if you are interested. > > I will test the install on a RaQ550 here first for you and let you know - I > am supposed to be doing some pkgs for all the products but keep getting > bogged down with other work > > Regards > > Gavin Hi Gavin, Thanks for responding. I guess I will try it out and see if I get stuck I'll ask for the pkg files. I'm planning to get two RaQ 550 servers. One to experiment with . ;-) Regards Rishi From joe at QITC.CO.UK Sat Jan 18 10:07:00 2003 From: joe at QITC.CO.UK (Joe Quinn) Date: Thu Jan 12 21:16:59 2006 Subject: Why is AntiVir being called? References: <200301180008.TAA06017@twister.tfcc.com> Message-ID: <001901c2bed9$586770f0$7580e150@T20> > There is a minor problem with two of the variable assignments in the script: > /usr/lib/MailScanner/antivir-wrapper > > Simply remove the leading "$" from the two statements in the script as follows... > ------ > $PackageDir=/usr/lib/AntiVir > $prog=antivir Thanks Todd, that worked. Any idea why it was there to start with? Joe www.qitc.net Tel: (UK) +44 776 737 1234 From mailscanner at ecs.soton.ac.uk Sat Jan 18 13:04:27 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:59 2006 Subject: Kaspersky Virus Issues In-Reply-To: <3E2864EB.4050902@pcxperience.com> Message-ID: <5.2.0.9.2.20030118130209.0200dbb8@imap.ecs.soton.ac.uk> I wouldn't be surprised at all that Kaspersky only works if called from 1 directory. It is the most oddly-written package I have seen in years. Who would have thought that someone could write a command-line virus scanner, where the location of the files to be scanned cannot be defined on the command-line? And instead of allowing config file options to be over-ridden on the command-line (like everyone else does), they do it in reverse. Weird... At 20:17 17/01/2003, you wrote: >-----BEGIN PGP SIGNED MESSAGE----- >Hash: SHA1 > >Hello, > > I have a user of DansGuardian Anti-Virus that is using Kaspersky >anti-virus. He complained about really long scan times of > 100 >seconds. When I looked into it, it appears that the kaspersky-wrapper >script is running the kavscanner program, but it never returns or >outputs anything. This is Kaspersky 3.0 build 136. > > I tracked it down to kaspersky needing to be in the /opt/AVP > directory >when calling kavscanner so that it could load it's definition files. >Even then, it is taking around 9-13 seconds to scan small html files >where f-prot does it in 0-1 seconds. I added a 'cd ${PackageDir}' >before the exec line. > > Can anyone comment to verify if I have correctly resolved this and/or >if a newer version of Kaspersky can be launched from anywhere and still >get to it's virus definition files? > > Thank you, >- -- >James A. Pattie >james@pcxperience.com > >Linux -- SysAdmin / Programmer >Xperience, Inc. 
>http://www.pcxperience.com/ >http://www.xperienceinc.com/ > >GPG Key Available at http://www.pcxperience.com/gpgkeys/james.html >-----BEGIN PGP SIGNATURE----- >Version: GnuPG v1.0.6 (GNU/Linux) >Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org > >iD8DBQE+KGTqtUXjwPIRLVERAmHHAKDF+5E9KpanuQOzum1bfJVWXWxB4gCgrwY5 >XKBISSZSn8W055CXq/YVRGY= >=Nnpd >-----END PGP SIGNATURE----- > > >-- >This message has been scanned for viruses and >dangerous content by MailScanner, and is >believed to be clean. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Sat Jan 18 13:00:43 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:59 2006 Subject: Spam Score header help - please. In-Reply-To: <1042828804.28070.5.camel@croithine> Message-ID: <5.2.0.9.2.20030118125834.026cfa70@imap.ecs.soton.ac.uk> There is an option Check SpamAssassin If On Spam List Check that is set to yes. The SpamScore won't appear unless SpamAssassin is called and it produces a score greater than 0. At 18:40 17/01/2003, you wrote: >If I have "Spam Score = yes" and "Always Include SpamAssassin Report = >no", should all messages have a spam score in the header? > >If not, which ones would? > >I'm seeing them is mail that is tagged as spam, in some that are not >tagged as spam, but not seeing them in most. > >I have no white-lists, every single message should be getting scanned >for spam, but I don't know why the score seems sporadic. > >-- >Thomas J. DuVally >Lead Systems Prog. >CIS, Brown Univ. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Sat Jan 18 13:06:19 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:59 2006 Subject: Why is AntiVir being called? In-Reply-To: <036301c2be84$4eb1f080$de85e150@T20> References: <3E2864EB.4050902@pcxperience.com> Message-ID: <5.2.0.9.2.20030118130441.029d2390@imap.ecs.soton.ac.uk>

There's a bug in the current antivir-wrapper script, sorry. I have fixed it for the next release. Edit /usr/lib/MailScanner/antivir-wrapper and change the lines that say

    $PackageDir=/usr/lib/AntiVir
    $prog=antivir

to

    PackageDir=/usr/lib/AntiVir
    prog=antivir

At 23:57 17/01/2003, you wrote: >Can't figure out why I'm getting this in my logs; > >/usr/lib/MailScanner/antivir-wrapper: =/usr/lib/AntiVir: No such file or >directory >/usr/lib/MailScanner/antivir-wrapper: =antivir: command not >found/usr/lib/MailScanner/antivir-wrapper: =/usr/lib/AntiVir: No such file >or directory > >I've managed to install the latest version on a RaQ4 including SpamAssassin >with f-prot but the hourly update seems to be calling AntiVir. It's also >doing f-prot but it's supposed to. > >Any ideas? > >Cheers, > >Joe Quinn >www.qitc.net -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support
From mailscanner at ecs.soton.ac.uk Sat Jan 18 13:08:02 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:16:59 2006 Subject: quarantine rotation In-Reply-To: <200301171940.15830.cmiller@tigerbyte.com> Message-ID: <5.2.0.9.2.20030118130705.029a66b8@imap.ecs.soton.ac.uk> At 01:40 18/01/2003, you wrote: >because we're accumulating 80k files in the quarantine each day it >makes it difficult/impossible to do certain simple tasks like "ls" >and "grep". > >Is there a way to tell mailscanner to rotate the quarantines more >quickly than once per day? Should we just write something to rotate >the quarantines ourselves? Not directly in MailScanner itself. You will need to write a little script to do it for you. Quite how you do it will depend on how easy it needs to be to recover a file from the quarantine. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Sat Jan 18 13:08:49 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:00 2006 Subject: Why is AntiVir being called? In-Reply-To: <001901c2bed9$586770f0$7580e150@T20> References: <200301180008.TAA06017@twister.tfcc.com> Message-ID: <5.2.0.9.2.20030118130815.027e85e8@imap.ecs.soton.ac.uk> At 10:07 18/01/2003, you wrote: > > There is a minor problem with two of the variable assignments in the >script: > > /usr/lib/MailScanner/antivir-wrapper > > > > Simply remove the leading "$" from the two statements in the script as >follows... > > ------ > > $PackageDir=/usr/lib/AntiVir > > $prog=antivir > >Thanks Todd, that worked. >Any idea why it was there to start with? Because my brain was writing a perl script while my fingers were writing a shell script :-) -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Sat Jan 18 13:18:29 2003 
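[Added example, not part of any message in this archive and not MailScanner code.] The antivir-wrapper thread above comes down to Perl-style `$name=value` lines in a shell script. This sketch shows what sh does with such a line and how to find and correct them; the function names and the sample wrapper are constructed for illustration, and only the two `$...` lines are taken from the thread.

```shell
#!/bin/sh
# Added example (not MailScanner code): detect Perl-style "$name=value" lines
# in a shell wrapper and show what sh does with them.

# A line that starts with "$name=" is not an assignment in sh. The shell
# expands $name (unset here, so empty) and runs what is left, "=value", as a
# command. That is the "=antivir: command not found" message in the log.
DOLLAR_ASSIGN_RE='^[[:space:]]*\$[A-Za-z_][A-Za-z0-9_]*='

# write_sample_wrapper FILE
# Constructed sample. Only the two "$..." lines are quoted in the thread; the
# other lines are made up to show that normal uses of "$" are not flagged.
write_sample_wrapper() {
    cat > "$1" <<'EOF'
#!/bin/sh
$PackageDir=/usr/lib/AntiVir
$prog=antivir
Scanner=$PackageDir/$prog
echo "$prog=ready"
EOF
}

# count_dollar_assign FILE: print the number of offending lines.
count_dollar_assign() {
    # grep -c exits 1 when the count is 0; the count is still printed.
    grep -cE "$DOLLAR_ASSIGN_RE" "$1" || true
}

# lint_dollar_assign FILE: print "LINE:text" per finding; return 1 if any.
lint_dollar_assign() {
    if grep -nE "$DOLLAR_ASSIGN_RE" "$1"; then
        return 1
    fi
    return 0
}

# fix_dollar_assign FILE: print the script with the leading "$" removed from
# such lines (the correction given in the thread). The input is not modified.
fix_dollar_assign() {
    sed -E 's/^([[:space:]]*)\$([A-Za-z_][A-Za-z0-9_]*=)/\1\2/' "$1"
}

# line_status LINE: run LINE in a fresh sh with PackageDir and prog unset and
# print the exit status. 127 means the shell looked for a command to run and
# found none.
line_status() {
    ( unset PackageDir prog; sh -c "$1" ) >/dev/null 2>&1 && rc=0 || rc=$?
    echo "$rc"
}

demo() {
    sample=$(mktemp) || return 1
    write_sample_wrapper "$sample"
    echo "findings:"
    lint_dollar_assign "$sample" || true
    echo "status of '\$prog=antivir': $(line_status '$prog=antivir')"
    echo "status of 'prog=antivir':  $(line_status 'prog=antivir')"
    echo "findings after fix: $(fix_dollar_assign "$sample" | grep -cE "$DOLLAR_ASSIGN_RE" || true)"
    rm -f "$sample"
}
demo
```

The pattern only looks at the start of a line, so text inside a here-document or a multi-line string can be reported as well; review the findings before applying the `sed` output.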
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:00 2006 Subject: dying processes In-Reply-To: <000001c2be99$f8967980$266041db@18yamuna> References: <5.2.0.9.2.20030117151504.06156760@imap.ecs.soton.ac.uk> Message-ID: <5.2.0.9.2.20030118130908.0271f9f0@imap.ecs.soton.ac.uk>

At 02:33 18/01/2003, you wrote:
>I had the same problem. I restart MailScanner regularly. As Julian
>pointed out, /var/spool/MailScanner did occupy a lot of space. I knocked
>off quarantine. I notice that the incoming directory has a whole lot of
>files. I think this is temporary unpacking and repacking area, if I'm
>not wrong.

You're right. The incoming directory is entirely temporary. If you have the RAM and want MailScanner to run faster, put your incoming directory on a tmpfs filesystem (/dev/shm on many Linuxes, /tmp on Solaris).

> Would it be prudent to cron a command like
>"find /var/spool/MailScanner/incoming -mtime +3 | xargs rm -f" on a daily
>basis.

You could do that. When MailScanner is shut down cleanly, it should clean up the incoming directory. If you "kill -9" it then it can't do that.

>Maybe this can be part of standard install?
>
>Julian:
>Can clean up option of quarantine and temporary directory (in terms of
>no of hours or days) be part of the configuration in future releases?
>The cron job can be modified every time MailScanner starts.

Each of the parallel processes only knows about its own incoming directory, this job is much better done by a cron job.

>Mohan
>
>-----Original Message-----
>From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On >Behalf Of Julian Field >Sent: Friday, January 17, 2003 8:46 PM >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Re: dying processes > > >It may sound silly, but have you done a "df -k" recently? I've been >experiencing a similar problem myself with another user's server, and it >took me a while to realise one of the filesystems had filled up. > >At 14:22 17/01/2003, you wrote: > > I am not running Razor. I have MailScanner 4.10, SpamAssassin 2.43 > > and ClamAv 0.54 on Red Hat 8.0. > > > > I would notice on my mailscanner-mrtg graphs that the number of > > MailScanner processes would drop from 20 to 3 sometimes, and stay > > there until I restarted MailScanner. I didn't look through the logs > > "real" hard, but my cursory examination didn't turn up anything. > > > >On Fri, 17 Jan 2003 14:45:18 +1300 > >Craig Bates wrote: > > > > > Dale, > > > > > > Are you runing Spam assassin & RAZOR? What OS and anti-virus are > > > you > > running? > > > > > > Anybody else having these problems???? > > > > > > Thanks, > > > > > > Craig > > > > > > On Friday 17 January 2003 11:34, you wrote: > > > > I was having this same problem, but didn't investigate why very > > > > much, that is why I put the restart option in mailscanner-mrtg, > > > > whenever it detects mailscanner is below a certain number of > > > > processes it > > restarts it. > > > > > > > > Dale > > > > > > > > On Fri, 17 Jan 2003 09:36:22 +1300 > > > > > > > > Craig Bates wrote: > > > > > Hi, > > > > > > > > > > I decided to install MailScanner on RedHat80 as I was having > > > > > problems with MailScanner processes dying on FreeBSD. I am now > > > > > having > > exactly the > > > > > same problem with RedHat80 This proves that the problem is > > > > > independent of OS, sendmail version / compilation and perl > > > > > version. > > > > > > > > > > I find it very strage that nobody else seems to have this > > > > > problem and I have it on 3 boxes! 
> > > > > > > > > > Is there anybody on this list that has MailScanner working with > > > > > spamassassin-2.43-3.i386.rpm, razor-agents-2.22.tar.gz, >fp-linux-sb.rpm > > > > > (f-prot)? One of these must be causing the problem as I'm sure > > > > > MailScanner and RedHat8.0 is a very common installation that > > > > > works! > > > > > > > > > > Thanks, > > > > > > > > > > Craig > > > > > >-- > > Dale Lovelace > > System Administrator > > hotels.com > > (214) 361-7311 Ext. 1074 > >-- >Julian Field >www.MailScanner.info >MailScanner thanks transtec Computers for their support -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From nerijus at USERS.SOURCEFORGE.NET Sat Jan 18 15:04:19 2003 
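The cron cleanup discussed in the message above, written defensively, as an added example (not part of the original posts and not MailScanner code). It assumes that file names in the incoming directory can be influenced by message content, so names are never subject to word-splitting; the function name prune_stale is hypothetical.

```shell
#!/bin/sh
# Added example (not MailScanner code): age-based cleanup of a spool
# work directory, written so it is safe to run as root from cron.
# Typical call, using the path quoted in the thread:
#   prune_stale /var/spool/MailScanner/incoming 3

# prune_stale DIR DAYS
#   Deletes regular files under DIR last modified more than DAYS days ago.
#   Returns find's status on a run, 2 if the arguments are refused.
prune_stale() {
    dir=$1
    days=$2

    # Refuse an empty, relative or root path: an unset variable in a cron
    # job must never turn into "find / ... rm".
    case $dir in
        /)  echo "prune_stale: refusing to clean /" >&2; return 2 ;;
        /*) ;;
        *)  echo "prune_stale: need an absolute directory path" >&2; return 2 ;;
    esac

    # DAYS must be a plain non-negative integer.
    case $days in
        ''|*[!0-9]*) echo "prune_stale: bad day count '$days'" >&2; return 2 ;;
    esac

    # The target must be a real directory, not a symlink planted in its place.
    if [ -L "$dir" ] || [ ! -d "$dir" ]; then
        echo "prune_stale: $dir is not a real directory" >&2
        return 2
    fi

    # -xdev     stay on this filesystem
    # -type f   regular files only; symlinks and directories are left alone
    # -mtime +N modified more than N days ago
    # -exec rm -f -- {} +  hands names to rm as arguments, so spaces,
    #           newlines or leading dashes in a name cannot change what
    #           gets deleted (unlike a plain "find | xargs rm" pipeline)
    find "$dir" -xdev -type f -mtime +"$days" -exec rm -f -- {} +
}
```

Run it only while the directory's owner tolerates files disappearing; a message that sits in a batch for longer than DAYS would otherwise lose its work files.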
From: nerijus at USERS.SOURCEFORGE.NET (Nerijus Baliunas)
Date: Thu Jan 12 21:17:00 2006
Subject: Kaspersky Virus Issues
In-Reply-To: <3E2864EB.4050902@pcxperience.com>
References: <3E2864EB.4050902@pcxperience.com>
Message-ID: <200301181504.h0IF4NW10893@ori.rl.ac.uk>

On Fri, 17 Jan 2003 14:17:47 -0600 "James A. Pattie" wrote:

> I have a user of DansGuardian Anti-Virus that is using Kaspersky
> anti-virus. He complained about really long scan times of > 100
> seconds. When I looked into it, it appears that the kaspersky-wrapper
> script is running the kavscanner program, but it never returns or
> outputs anything. This is Kaspersky 3.0 build 136.

I also use DansGuardian Anti-Virus with Kaspersky and have no such problems. I'd suggest upgrading to the latest Kaspersky (4.0.2.2 IIRC), as 3.0 build 136 is very old.

> I tracked it down to kaspersky needing to be in the /opt/AVP directory
> when calling kavscanner so that it could load its definition files.

It shouldn't need for me.

> Even then, it is taking around 9-13 seconds to scan small html files
> where f-prot does it in 0-1 seconds. I added a 'cd ${PackageDir}'
> before the exec line.
>
> Can anyone comment to verify if I have correctly resolved this and/or
> if a newer version of Kaspersky can be launched from anywhere and still
> get to its virus definition files?

Newer versions of Kaspersky can be launched from anywhere.

Regards,
Nerijus

From me at glennmeyer.com Sat Jan 18 15:38:30 2003
From: me at glennmeyer.com (Glenn Meyer)
Date: Thu Jan 12 21:17:00 2006
Subject: Clamav causes mail to hold in mqueue.in
Message-ID: <3E2974F6.5080907@glennmeyer.com>

My /var/spool/mqueue.in holds all messages when I set "Virus Scanners = clamav" in /etc/MailScanner/MailScanner.conf. If I set "Virus Scanners = none" and restart MailScanner, the mail flows well. Did I miss something somewhere in the Clam or MailScanner config? Thanks!

Red Hat 7.1
MailScanner 4.11-1
Clam 0.54

From Kevin.Spicer at BMRB.CO.UK Sat Jan 18 18:03:02 2003
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin)
Date: Thu Jan 12 21:17:00 2006
Subject: Clamav causes mail to hold in mqueue.in
Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0A4AD03@pascal.priv.bmrb.co.uk>

> My /var/spool/mqueue.in holds all messages when I set "Virus Scanners =
> clamav" in /etc/MailScanner/MailScanner.conf. If I set "Virus Scanners
> = none" and restart MailScanner, the mail flows well. Did I miss
> something somewhere in the Clam or MailScanner config? Thanks!
>
> Red Hat 7.1
> MailScanner 4.11-1
> Clam 0.54

Don't know if this is relevant to your situation but I had to do the following to get clamav to work with MailScanner.

I installed clamav from the Mandrake rpms which put clamscan and freshclam in /usr/bin instead of /usr/local/bin - this meant I had to edit the paths in /usr/lib/MailScanner/clamav-autoupdate and /usr/lib/MailScanner/clamav-wrapper.
I also had to change the 'Minimum Code Status' in MailScanner.conf to 'unsupported'

[If your experience with clam is okay you might like to let Julian know to encourage him to boost it up to supported status]

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000
_________________________________________________________________
This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business.

From cmiller at TIGERBYTE.COM Sun Jan 19 03:11:26 2003
From: cmiller at TIGERBYTE.COM (Clint Miller)
Date: Thu Jan 12 21:17:00 2006
Subject: orphaned files in mqueue.in on restart
Message-ID: <200301182111.26241.cmiller@tigerbyte.com>

Several weeks back (Mon, 30 Dec 2002 14:46:08 -0600) we inquired about files in the incoming mailscanner queue never being delivered. These files correspond exactly with when mailscanner is stopped and then started again. 4.11 was supposed to remedy this.

We have installed 4.11 and found this not to be the case.

Any hints how to proceed?
--
Clint Miller

From mailscanner at ecs.soton.ac.uk Sun Jan 19 12:28:09 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:00 2006
Subject: orphaned files in mqueue.in on restart
In-Reply-To: <200301182111.26241.cmiller@tigerbyte.com>
Message-ID: <5.2.0.9.2.20030119122612.0256e0f8@imap.ecs.soton.ac.uk>

If you look back through your mail logs, have the message ID's been delivered? You should find they have.

How exactly were you stopping MailScanner?
Are you using sendmail or Exim?
What filenames were being left behind?

At 03:11 19/01/2003, you wrote:
>Several weeks back (Mon, 30 Dec 2002 14:46:08 -0600) we inquired about
>files in the incoming mailscanner queue never being delivered. These
>files correspond exactly with when mailscanner is stopped and then
>started again. 4.11 was supposed to remedy this.
>
>We have installed 4.11 and found this not to be the case.
>
>Any hints how to proceed?
>--
>Clint Miller

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Sun Jan 19 12:36:59 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:00 2006
Subject: orphaned files in mqueue.in on restart
In-Reply-To: <200301182111.26241.cmiller@tigerbyte.com>
Message-ID: <5.2.0.9.2.20030119123503.02842d00@imap.ecs.soton.ac.uk>

There is a possibility that MailScanner is taking quite a while to do all its cleaning up, which on some systems may make the RedHat functions kill it "nastily" before it has finished its job.

In the /etc/rc.d/init.d/MailScanner script, there is a line in the "stop" section that says
        killproc MailScanner
Change that so it says
        killproc MailScanner -15
and see if that solves the problem.

At 03:11 19/01/2003, you wrote:
>Several weeks back (Mon, 30 Dec 2002 14:46:08 -0600) we inquired about
>files in the incoming mailscanner queue never being delivered. These
>files correspond exactly with when mailscanner is stopped and then
>started again. 4.11 was supposed to remedy this.
>
>We have installed 4.11 and found this not to be the case.
>
>Any hints how to proceed?
>--
>Clint Miller

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Sun Jan 19 16:28:01 2003
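The idea behind the killproc change in the message above, as an added example that is not MailScanner's or Red Hat's init code: send SIGTERM, give the process time to finish cleaning up, and fall back to SIGKILL only after a timeout. The function name stop_gracefully and the timeout values are assumptions.

```shell
#!/bin/sh
# Added example (not MailScanner's or Red Hat's init code).

# stop_gracefully PID [TIMEOUT]
#   Sends SIGTERM, then polls once a second for up to TIMEOUT seconds
#   (default 60, an assumed value) so the process can finish its cleanup.
#   Returns 0 if the process exited on its own,
#           1 if SIGKILL had to be sent (no cleanup will have run),
#           2 if the arguments are invalid or the process cannot be signalled.
stop_gracefully() {
    pid=$1
    timeout=${2:-60}

    # Only plain decimal numbers are accepted for PID and TIMEOUT.
    case $pid in ''|*[!0-9]*) return 2 ;; esac
    case $timeout in ''|*[!0-9]*) return 2 ;; esac

    # Signal 15: the process's own handler runs and may tidy its work files.
    kill -TERM "$pid" 2>/dev/null || return 2

    waited=0
    # kill -0 sends no signal; it only reports whether the PID still exists.
    while kill -0 "$pid" 2>/dev/null; do
        if [ "$waited" -ge "$timeout" ]; then
            # Last resort, equivalent to "kill -9": handlers cannot run, so
            # temporary files and queue entries may be left behind.
            echo "stop_gracefully: $pid still running after ${timeout}s, sending SIGKILL" >&2
            kill -KILL "$pid" 2>/dev/null
            return 1
        fi
        sleep 1
        waited=$((waited + 1))
    done
    return 0
}
```

A non-zero return is worth logging from the init script: status 1 means the forced kill happened and leftover files in the queue should be expected.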
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:00 2006 Subject: Kaspersky DaemonClient In-Reply-To: <20030119152000.EF7C76960F@mx.ktv.lt> References: <5.2.0.9.2.20021209162824.05dcf540@imap.ecs.soton.ac.uk> <5.2.0.9.2.20021209162824.05dcf540@imap.ecs.soton.ac.uk> Message-ID: <5.2.0.9.2.20030119162607.02905fb0@imap.ecs.soton.ac.uk> Sounds like the kav daemon is better than the other daemons I have tried. I will certainly consider adding it, many thanks for the patch. At 15:18 19/01/2003, you wrote: >On Mon, 9 Dec 2002 16:34:16 +0000 Julian Field > wrote: > > > >I am using Kaspersky with it's DaemonClient but as I understand there is > > >no support for DaemonClient. kavscanner and AvPDaemonClient produces > > >different outputs so SweepVirusess.pm can't parse the output?? > >Actually not so different as you'll see below. > > > >Due to high CPU load and long database loading time, I don't use > > >AvpLinux. Is there any method to use kaspersky other then Daemon which > > >take less CPU load and database loading time? > > > > I have tried various of the other daemon-based scanners, and always found > > them to actually be slower than the command-line ones in the only situation > > where it matters. > >You talk about situations where mailscanner processes a lot of messages, >but using daemon-based scanner is faster with low end server and a few >messages. Besides, DansGuardian Anti-Virus plugin uses mailscanner >scripts, and using daemon-based scanner in this case helps a lot - users >get their web pages much faster. That's because I adapted mailscanner >to work with kavdaemon clients. Please include it, even if as unsupported. > > > Once you have a high load, MailScanner will be handling large batches of > > messages at 1 go. > > > > If you use a daemon you have to send the location of every file to be > > scanned along a network socket to the daemon so it knows what to scan. 
If > >It's not true with kavdaemon clients - they can scan directories, even >recursively. > > > you use the command-line scanner, you have to just give it the starting > > directory and tell it to scan recursively. Agreed, you have to wait the > > startup time of the command-line scanner each time, but this is always > > outweighed by the overhead of having to send the full pathname of several > > hundred files along a network socket to the daemon. > > > > So while it may appear to be more efficient when scanning a few files at > > once, the only time it actually matters is when you are running out of > > server capacity and the message batches have grown very large. At this > > point, the command-line scanner is faster than the daemon. > > > > Which is why I don't support the daemons. You also have the reliability > > aspect that > > a) the daemon may crash, leaving you with a hung system, > > or > > b) the daemon may well leak resources, slowly degrading your system > over time. > >You can restart daemon periodically. > >Anyway, I understand your reasons, but please consider applying my patch - >it will be user's risk to enable it, and I won't have to >patch DansGuardian Anti-Virus >plugin every time a new version comes out... > >ProcessKavDaemonClientOutput is almost the same as ProcessKasperskyOutput, >the only differences are that it does not use $kaspersky_CurrentObject and >if ($line =~ / infected: /) >becomes >if ($line =~ /infected: /) > >I tested with latest kaspersky (4.0.2.2) and 2 clients - AvpDaemonClient from >/opt/AVP/DaemonClients/Sample and AvpTeamDream from >/opt/AVP/DaemonClients/Sample2. > >Could the OP (Murat Koc) test it? You will probably have to update to the >latest >Kaspersky, but it works with old licenses without problems. > >Regards, >Nerijus > -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Sun Jan 19 16:44:13 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:00 2006 Subject: Kaspersky DaemonClient In-Reply-To: <20030119152000.EF7C76960F@mx.ktv.lt> References: <5.2.0.9.2.20021209162824.05dcf540@imap.ecs.soton.ac.uk> <5.2.0.9.2.20021209162824.05dcf540@imap.ecs.soton.ac.uk> Message-ID: <5.2.0.9.2.20030119164310.0206dd78@imap.ecs.soton.ac.uk> I have added one thing to your wrapper script so that it is compatible with the global updater. 
@@ -44,6 +42,11 @@ #Scanner=AvpTeamDream ScanOptions="" + +if [ "x$1" = "x-IsItInstalled" ]; then + [ -x ${PackageDir}/$Scanner ] && exit 0 + exit 1 +fi exec ${PackageDir}/$Scanner $ScanOptions "$@" Everything else looks fine, and will be included in the next release. Thanks for the contribution! At 15:18 19/01/2003, you wrote: >On Mon, 9 Dec 2002 16:34:16 +0000 Julian Field > wrote: > > > >I am using Kaspersky with it's DaemonClient but as I understand there is > > >no support for DaemonClient. kavscanner and AvPDaemonClient produces > > >different outputs so SweepVirusess.pm can't parse the output?? > >Actually not so different as you'll see below. > > > >Due to high CPU load and long database loading time, I don't use > > >AvpLinux. Is there any method to use kaspersky other then Daemon which > > >take less CPU load and database loading time? > > > > I have tried various of the other daemon-based scanners, and always found > > them to actually be slower than the command-line ones in the only situation > > where it matters. > >You talk about situations where mailscanner processes a lot of messages, >but using daemon-based scanner is faster with low end server and a few >messages. Besides, DansGuardian Anti-Virus plugin uses mailscanner >scripts, and using daemon-based scanner in this case helps a lot - users >get their web pages much faster. That's because I adapted mailscanner >to work with kavdaemon clients. Please include it, even if as unsupported. > > > Once you have a high load, MailScanner will be handling large batches of > > messages at 1 go. > > > > If you use a daemon you have to send the location of every file to be > > scanned along a network socket to the daemon so it knows what to scan. If > >It's not true with kavdaemon clients - they can scan directories, even >recursively. > > > you use the command-line scanner, you have to just give it the starting > > directory and tell it to scan recursively. 
Agreed, you have to wait the > > startup time of the command-line scanner each time, but this is always > > outweighed by the overhead of having to send the full pathname of several > > hundred files along a network socket to the daemon. > > > > So while it may appear to be more efficient when scanning a few files at > > once, the only time it actually matters is when you are running out of > > server capacity and the message batches have grown very large. At this > > point, the command-line scanner is faster than the daemon. > > > > Which is why I don't support the daemons. You also have the reliability > > aspect that > > a) the daemon may crash, leaving you with a hung system, > > or > > b) the daemon may well leak resources, slowly degrading your system > over time. > >You can restart daemon periodically. > >Anyway, I understand your reasons, but please consider applying my patch - >it will be user's risk to enable it, and I won't have to >patch DansGuardian Anti-Virus >plugin every time a new version comes out... > >ProcessKavDaemonClientOutput is almost the same as ProcessKasperskyOutput, >the only differences are that it does not use $kaspersky_CurrentObject and >if ($line =~ / infected: /) >becomes >if ($line =~ /infected: /) > >I tested with latest kaspersky (4.0.2.2) and 2 clients - AvpDaemonClient from >/opt/AVP/DaemonClients/Sample and AvpTeamDream from >/opt/AVP/DaemonClients/Sample2. > >Could the OP (Murat Koc) test it? You will probably have to update to the >latest >Kaspersky, but it works with old licenses without problems. > >Regards, >Nerijus > -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From cmiller at TIGERBYTE.COM Sun Jan 19 18:00:51 2003 
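Review bot: In the -IsItInstalled branch added to the wrapper, the test `[ -x ${PackageDir}/$Scanner ]` leaves both variables unquoted and checks only the execute bit. If PackageDir and Scanner are empty or unset the operand collapses to `/`, a directory for which -x succeeds, so the wrapper would report the scanner as installed; a path containing whitespace breaks the test outright. Suggest `[ -f "${PackageDir}/$Scanner" ] && [ -x "${PackageDir}/$Scanner" ] && exit 0`, with the same quoting on the exec line that follows. The check also only shows that the client binary is present, not that the daemon it talks to is running, which is worth a comment in the script.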
From: cmiller at TIGERBYTE.COM (Clint Miller)
Date: Thu Jan 12 21:17:00 2006
Subject: orphaned files in mqueue.in on restart
In-Reply-To: <5.2.0.9.2.20030119123503.02842d00@imap.ecs.soton.ac.uk>
References: <5.2.0.9.2.20030119123503.02842d00@imap.ecs.soton.ac.uk>
Message-ID: <200301191200.51654.cmiller@tigerbyte.com>

That seems to work on all 3 of our servers. Thank you.

Just FYI for anyone who cares, we're running:

*) sendmail 8.11.6
*) MailScanner 4.11
*) SpamAssassin 2.43
*) Razor Agents 2.22
*) Razor Agents SDK 2.03
*) f-prot 3.12a

The largest server is processing 80k ham, 70k spam, and 200 viri per day.

On Sunday 19 January 2003 06:36, thus spake Julian Field:
> There is a possibility that MailScanner is taking quite a while to
> do all its cleaning up, which on some systems may make the RedHat
> functions kill it "nastily" before it has finished its job.
>
> In the /etc/rc.d/init.d/MailScanner script, there is a line in the
> "stop" section that says
>         killproc MailScanner
> Change that so it says
>         killproc MailScanner -15
> and see if that solves the problem.
>
> At 03:11 19/01/2003, you wrote:
> >Several weeks back (Mon, 30 Dec 2002 14:46:08 -0600) we inquired
> > about files in the incoming mailscanner queue never being
> > delivered. These files correspond exactly with when mailscanner
> > is stopped and then started again. 4.11 was supposed to remedy
> > this.
> >
> >We have installed 4.11 and found this not to be the case.
> >
> >Any hints how to proceed?

--
Clint Miller

From nerijus at USERS.SOURCEFORGE.NET Sun Jan 19 19:22:48 2003
From: nerijus at USERS.SOURCEFORGE.NET (Nerijus Baliunas)
Date: Thu Jan 12 21:17:00 2006
Subject: Kaspersky DaemonClient
In-Reply-To: <5.2.0.9.2.20030119164310.0206dd78@imap.ecs.soton.ac.uk>
References: <5.2.0.9.2.20021209162824.05dcf540@imap.ecs.soton.ac.uk><5.2.0.9.2.20021209162824.05dcf540@imap.ecs.soton.ac.uk> <5.2.0.9.2.20030119164310.0206dd78@imap.ecs.soton.ac.uk>
Message-ID: <20030119193000.D6B866937B@mx.ktv.lt>

On Sun, 19 Jan 2003 16:44:13 +0000 Julian Field wrote:

> I have added one thing to your wrapper script so that it is compatible with
> the global updater.

I didn't add it because there will probably never be kavdaemonclient-autoupdate script, as it would be the same as kaspersky-autoupdate - it would probably be a bad idea to update the same scanner twice in a row.

Regards,
Nerijus

From paul.hamilton at sme-ecom.co.uk Sun Jan 19 20:26:35 2003
From: paul.hamilton at sme-ecom.co.uk (Paul Hamilton)
Date: Thu Jan 12 21:17:00 2006
Subject: Setting up Ruleset
Message-ID: <000001c2bff9$109ece00$fc32000a@4>

Hi all,

We currently have the following set in MS.conf:

# Spam Detection and Spam Lists (DNS blocklists)
# ----------------------------------------------
#
# Do you want to check messages to see if they are spam?
# This can also be the filename of a ruleset.
Spam Checks = yes

We would like to limit DNS blocklist checking purely to our domains using Spamassassin. Therefore can someone confirm whether the above ruleset could reflect the same as our spamassassin.domains.to.scan ruleset and list only domains that require their mail to be checked against DNS blocklists - is this how this rule set is meant to work?

Thanks in advance

Paul H

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030119/393aea81/attachment.html

From brandonf at BFCONSULT.CO.ZA Mon Jan 20 07:55:23 2003
From: brandonf at BFCONSULT.CO.ZA (Brandon Friedman) Date: Thu Jan 12 21:17:00 2006 Subject: Sophos autoupdate error Message-ID: <000501c2c059$49fe9a80$e900a8c0@brandonnb> Hi Folks I keep receiving this error from my autoupdate script: /etc/cron.daily/Sophos.autoupdate: Lynx failed with error return 1 , Bad file descriptor at /usr/local/Sophos/bin/autoupdate line 83. Help ? -- Regards Brandon Friedman ADT South Africa E-mail: bfriedman@tycoint.com From Kevin.Spicer at BMRB.CO.UK Mon Jan 20 08:07:08 2003 
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin) Date: Thu Jan 12 21:17:00 2006 Subject: Sophos autoupdate error Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0A4AD04@pascal.priv.bmrb.co.uk> > Lynx failed with error return 1 > , Bad file descriptor at /usr/local/Sophos/bin/autoupdate line 83. > That error usually occurs when sophos-autoupdate fails to get a zipfile of IDE's from the web. If you're getting this every time the autoupdate is called then check... - Your Sophos version is up to date (they only supply IDE's for the last 3 monthly releases) - I'd recommend grabbing the latest off the web (you get three months life rather than two months from the CD releases) - You MailScanner machine can access the sophos web site (lynx http://www.sophos.co.uk ) I've occasionally had this happen intermittently due to things like proxy server being down, sophos's site being down or slow to respond etc. BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. From bfriedman at TYCOINT.COM Mon Jan 20 08:17:45 2003 
From: bfriedman at TYCOINT.COM (Brandon Friedman)
Date: Thu Jan 12 21:17:00 2006
Subject: Sophos autoupdate error
In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB0A4AD04@pascal.priv.bmrb.co.uk>
Message-ID: <000601c2c05b$3cf87cf0$e900a8c0@brandonnb>

I think it's probably because of the out-dated Sophos software. Is there an easy upgrade procedure?

Thanks for the help
--
Regards
Brandon Friedman
ADT South Africa
E-mail: bfriedman@tycoint.com

> -----Original Message-----
> From: MailScanner mailing list > [mailto:MAILSCANNER@jiscmail.ac.uk] On Behalf Of Spicer, Kevin > Sent: 20 January 2003 10:07 > To: MAILSCANNER@jiscmail.ac.uk > Subject: Re: Sophos autoupdate error > > > > Lynx failed with error return 1 > > , Bad file descriptor at /usr/local/Sophos/bin/autoupdate line 83. > > > That error usually occurs when sophos-autoupdate fails to get > a zipfile of IDE's from the web. If you're getting this > every time the autoupdate is called then check... > > - Your Sophos version is up to date (they only supply IDE's > for the last 3 monthly releases) - I'd recommend grabbing the > latest off the web (you get three months life rather than two > months from the CD releases) > - You MailScanner machine can access the sophos web site > (lynx http://www.sophos.co.uk ) > > I've occasionally had this happen intermittently due to > things like proxy server being down, sophos's site being down > or slow to respond etc. > > > > BMRB International > http://www.bmrb.co.uk > +44 (0)20 8566 5000 > _________________________________________________________________ > This message (and any attachment) is intended only for the > recipient and may contain confidential and/or privileged > material. If you have received this in error, please contact the > sender and delete this message immediately. Disclosure, copying > or other action taken in respect of this email or in > reliance on it is prohibited. BMRB International Limited > accepts no liability in relation to any personal emails, or > content of any email which does not directly relate to our > business. > From mailscanner at BARENDSE.TO Mon Jan 20 08:36:26 2003 
From: mailscanner at BARENDSE.TO (Remco Barendse)
Date: Thu Jan 12 21:17:00 2006
Subject: SpamAssassin rebuilding SRPM on RedHat 8.0?
Message-ID:

Is there anyone having any luck rebuilding the SpamAssassin SRPMS on a RedHat 8.0 box?

When I do
[root@raveon SpamAssassin]# rpmbuild --rebuild spamassassin-2.43-3.src.rpm
I get :
Installing spamassassin-2.43-3.src.rpm
Executing(%prep): /bin/sh -e /var/tmp/rpm-tmp.49198
+ umask 022
+ cd /usr/src/redhat/BUILD
+ LANG=C
+ export LANG
+ -q
/var/tmp/rpm-tmp.49198: line 23: -q: command not found
error: Bad exit status from /var/tmp/rpm-tmp.49198 (%prep)

When I remove the -q from the prep script and rebuild I get this error:
Processing files: perl-Mail-SpamAssassin-2.43-2
error: File not found by glob: /var/tmp/spamassassin-root/usr/share/man/man3/*

It's really strange, I think there must be more people out there using RedHat 8, and some of them must have installed SA? Or maybe they just used the tarball instead.

Ideas anyone?

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

From Kevin.Spicer at BMRB.CO.UK Mon Jan 20 08:50:29 2003
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin) Date: Thu Jan 12 21:17:00 2006 Subject: Sophos autoupdate error Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0A4AD05@pascal.priv.bmrb.co.uk> > > I thinks it's probably because of the out-dated Sophos software. Is > there an easy upgrade procedure? > > Grab the latest file from Sophos and follow the MailScanner installation instructions ( http://www.sng.ecs.soton.ac.uk/mailscanner/install/linux.shtml#Sophos ) BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. From Richard.Lush at HP.COM Mon Jan 20 09:57:50 2003 From: Richard.Lush at HP.COM (Lush, Richard) Date: Thu Jan 12 21:17:00 2006 Subject: Sophos autoupdate error Message-ID: This is happening because you have an old sophos engine. Download the latest and it will work. Remember the sophos engine only exist for three months. Hope this helps Richard -----Original Message----- From: Brandon Friedman [mailto:brandonf@BFCONSULT.CO.ZA] Sent: 20 January 2003 07:55 To: MAILSCANNER@JISCMAIL.AC.UK Subject: Sophos autoupdate error Hi Folks I keep receiving this error from my autoupdate script: /etc/cron.daily/Sophos.autoupdate: Lynx failed with error return 1 , Bad file descriptor at /usr/local/Sophos/bin/autoupdate line 83. Help ? -- Regards Brandon Friedman ADT South Africa E-mail: bfriedman@tycoint.com From Ulysees at ULYSEES.COM Mon Jan 20 10:20:46 2003 
From: Ulysees at ULYSEES.COM (Ulysees) Date: Thu Jan 12 21:17:00 2006 Subject: Sophos autoupdate error References: Message-ID: <000401c2c06d$99195e20$3201010a@nimitz> Anybody found a way of automating the update of the sophos engine ? In otherwords so as you don't have to do it yourself every time on every machine. Uly ----- Original Message ----- From: "Lush, Richard" To: Sent: Monday, January 20, 2003 9:57 AM Subject: Re: [MAILSCANNER] Sophos autoupdate error This is happening because you have an old sophos engine. Download the latest and it will work. Remember the sophos engine only exist for three months. Hope this helps Richard -----Original Message----- From: Brandon Friedman [mailto:brandonf@BFCONSULT.CO.ZA] Sent: 20 January 2003 07:55 To: MAILSCANNER@JISCMAIL.AC.UK Subject: Sophos autoupdate error Hi Folks I keep receiving this error from my autoupdate script: /etc/cron.daily/Sophos.autoupdate: Lynx failed with error return 1 , Bad file descriptor at /usr/local/Sophos/bin/autoupdate line 83. Help ? -- Regards Brandon Friedman ADT South Africa E-mail: bfriedman@tycoint.com From Richard.Lush at HP.COM Mon Jan 20 10:39:31 2003 From: Richard.Lush at HP.COM (Lush, Richard) Date: Thu Jan 12 21:17:00 2006 Subject: Sophos autoupdate error Message-ID: I did look into this, but the webpage seems to check that you have filled in your details before it will let you download. I haven't found a way to bypass this yet. If I do find a way round it I'll post the process. -----Original Message----- From: Ulysees [mailto:Ulysees@ULYSEES.COM] Sent: 20 January 2003 10:21 To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Sophos autoupdate error Anybody found a way of automating the update of the sophos engine ? In otherwords so as you don't have to do it yourself every time on every machine. Uly ----- Original Message ----- 
From: "Lush, Richard"
To:
Sent: Monday, January 20, 2003 9:57 AM
Subject: Re: [MAILSCANNER] Sophos autoupdate error

This is happening because you have an old sophos engine. Download the latest and it will work. Remember the sophos engine only exist for three months.

Hope this helps

Richard

-----Original Message-----
From: Brandon Friedman [mailto:brandonf@BFCONSULT.CO.ZA]
Sent: 20 January 2003 07:55
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Sophos autoupdate error

Hi Folks

I keep receiving this error from my autoupdate script:

/etc/cron.daily/Sophos.autoupdate:

Lynx failed with error return 1
, Bad file descriptor at /usr/local/Sophos/bin/autoupdate line 83.

Help ?
--
Regards
Brandon Friedman
ADT South Africa
E-mail: bfriedman@tycoint.com

From wayne at TELL.NET.AU Mon Jan 20 12:07:15 2003
From: wayne at TELL.NET.AU (Wayne Simes)
Date: Thu Jan 12 21:17:00 2006
Subject: Domains to scan config
Message-ID: <200301201207.h0KC7ECH032184@ernie.tell.net.au>

Hi

Could someone please indicate where I can edit the domains to scan/not to scan in version 4.11.1 ?

Thanks
Wayne

From smohan at VSNL.COM Mon Jan 20 12:25:27 2003
From: smohan at VSNL.COM (S Mohan)
Date: Thu Jan 12 21:17:00 2006
Subject: Domains to scan config
In-Reply-To: <200301201207.h0KC7ECH032184@ernie.tell.net.au>
Message-ID:

Create and use a rules file for the Domains to Scan declarative in MailScanner.conf file

Virus Scanning = /etc/MailScanner/rules/domains.scan.rules

To: *@domain1.com yes
To: *@domain2.com yes
To: default no

Mohan

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Wayne Simes
Sent: 20 January 2003 17:37
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Domains to scan config

Hi

Could someone please indicate where I can edit the domains to scan/not to scan in version 4.11.1 ?

Thanks
Wayne

From email-ian at POST1.COM Mon Jan 20 12:40:29 2003
From: email-ian at POST1.COM (eejs) Date: Thu Jan 12 21:17:00 2006 Subject: Sophos autoupdate error References: Message-ID: <3E2BEE3D.191975A7@post1.com> Hi all, try this link, http://downloads.sophos.com/dp/full/linux.intel.libc6.tar.Z hope the filename never changes. Kind regards, Ian "Lush, Richard" wrote: > > I did look into this, but the webpage seems to check that you have > filled in your details before it will let you download. I haven't found > a way to bypass this yet. If I do find a way round it I'll post the > process. > > -----Original Message----- > From: Ulysees [mailto:Ulysees@ULYSEES.COM] > Sent: 20 January 2003 10:21 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Sophos autoupdate error > > Anybody found a way of automating the update of the sophos engine ? > > In otherwords so as you don't have to do it yourself every time on every > machine. > > Uly > ----- Original Message ----- > From: "Lush, Richard" > To: > Sent: Monday, January 20, 2003 9:57 AM > Subject: Re: [MAILSCANNER] Sophos autoupdate error > > This is happening because you have an old sophos engine. Download the > latest and it will work. Remember the sophos engine only exist for > three months. > > Hope this helps > > Richard > > -----Original Message----- > From: Brandon Friedman [mailto:brandonf@BFCONSULT.CO.ZA] > Sent: 20 January 2003 07:55 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Sophos autoupdate error > > Hi Folks > > I keep receiving this error from my autoupdate script: > > /etc/cron.daily/Sophos.autoupdate: > > Lynx failed with error return 1 > , Bad file descriptor at /usr/local/Sophos/bin/autoupdate line 83. > > Help ? > -- > Regards > Brandon Friedman > ADT South Africa > E-mail: bfriedman@tycoint.com -- |\,/| ()-@@ , `--')/ Kind regards, Ju Seong From Stephane.Lentz at ANSF.ALCATEL.FR Mon Jan 20 12:57:39 2003 
From: Stephane.Lentz at ANSF.ALCATEL.FR (Stephane Lentz)
Date: Thu Jan 12 21:17:00 2006
Subject: SpamAssassin rebuilding SRPM on RedHat 8.0?
In-Reply-To:
References:
Message-ID: <20030120125739.GE32615@iww.netfr.alcatel.fr>

On Mon, Jan 20, 2003 at 09:36:26AM +0100, Remco Barendse wrote:
> Is there anyone having any luck rebuilding the SpamAssassin SRPMS on a
> RedHat 8.0 box?
>
> When I do
> [root@raveon SpamAssassin]# rpmbuild --rebuild spamassassin-2.43-3.src.rpm
> I get :
> Installing spamassassin-2.43-3.src.rpm
> Executing(%prep): /bin/sh -e /var/tmp/rpm-tmp.49198
> + umask 022
> + cd /usr/src/redhat/BUILD
> + LANG=C
> + export LANG
> + -q
> /var/tmp/rpm-tmp.49198: line 23: -q: command not found
> error: Bad exit status from /var/tmp/rpm-tmp.49198 (%prep)
>
> When I remove the -q from the prep script and rebuild I get this error:
> Processing files: perl-Mail-SpamAssassin-2.43-2
> error: File not found by glob:
> /var/tmp/spamassassin-root/usr/share/man/man3/*
>
> It's really strange, I think there must be more people out there using
> RedHat 8, and some of them must have installed SA? Or maybe they just
> used the tarball instead.
>
> Ideas anyone?
>

Ain't using RedHat but you could try RedHat SA src.rpm instead :
ftp://rpmfind.net/linux/rawhide/1.0/SRPMS/SRPMS/spamassassin-2.43-10.src.rpm
RPM .spec files differ a lot depending on the vendor and the release ....

SL/
---
Stephane Lentz / Alcanet International - Internet Services

From mailscannerlist at TNJINFL.COM Mon Jan 20 13:44:25 2003
From: mailscannerlist at TNJINFL.COM (James Pifer)
Date: Thu Jan 12 21:17:00 2006
Subject: Server dying problems
Message-ID: <1043070266.9509.11.camel@tweety.tnjinfl.com>

We're running MailScanner 4.10-1 and having a lot of problems with the server dying. I don't know what's causing the problems as suddenly it will just die. No errors in any of the logs, it just stops. We're running Redhat 7.3 on a Compaq DL370, 1gig RAM.

One thing we have noticed is that sometimes mailscanner tries to send a message back to the sender. I'm not sure what cases it tries to do this, but I think one example is the biggboss.com ones. These messages just build up in our queue because they can't be sent. Not sure if this is adding to our problems with the server. Maybe it's wasting a lot of time trying to send these?

I would like to turn this off. I see Notify Sender in the conf file, but not sure by the description if this is what I should turn off.

I know I have given very good information here, but if anyone has any suggestions I would appreciate it.

Thanks,
James

From mailscannerlist at TNJINFL.COM Mon Jan 20 13:48:37 2003
From: mailscannerlist at TNJINFL.COM (James Pifer)
Date: Thu Jan 12 21:17:00 2006
Subject: Server dying problems
In-Reply-To: <1043070266.9509.11.camel@tweety.tnjinfl.com>
References: <1043070266.9509.11.camel@tweety.tnjinfl.com>
Message-ID: <1043070517.9511.15.camel@tweety.tnjinfl.com>

That should have been have NOT given very good information....

James

On Mon, 2003-01-20 at 08:44, James Pifer wrote:
> We're running MailScanner 4.10-1 and having a lot of problems with the
> server dying. I don't know what's causing the problems as suddenly it
> will just die. No errors in any of the logs, it just stops. We're
> running Redhat 7.3 on a Compaq DL370, 1gig RAM.
>
> One thing we have noticed is that sometimes mailscanner tries to send a
> message back to the sender. I'm not sure what cases it tries to do this,
> but I think one example is the biggboss.com ones. These messages just
> build up in our queue because they can't be sent. Not sure if this is
> adding to our problems with the server. Maybe it's wasting a lot of time
> trying to send these?
>
> I would like to turn this off. I see Notify Sender in the conf file, but
> not sure by the description if this is what I should turn off.
>
> I know I have given very good information here, but if anyone has any
> suggestions I would appreciate it.
>
> Thanks,
> James

From R.A.Gardener at SHU.AC.UK Mon Jan 20 13:55:07 2003
From: R.A.Gardener at SHU.AC.UK (Ray Gardener)
Date: Thu Jan 12 21:17:00 2006
Subject: version 4, Exim and header rewrites.
Message-ID: <006801c2c08b$8ab21930$5a14348f@videoproducer>

Hi,

I upgraded from version 3 to version 4 of Mailscanner last week and found that the header rewrites configured in my Exim 3.36 configuration no longer worked.

Briefly we rewrite all internal addresses with an external form before passing the mail to the outside world.

e.g. r.a.gardener@shuexchangebox.shu.ac.uk becomes R.A.Gardener@shu.ac.uk

This rewrite stopped after upgrading to version 4. Upon just downgrading the installation to version 3 of Mailscanner the rewriting restarted.

Has anyone else seen this? (and of course, is there a fix?)

Regards,
Ray Gardener
CIS
Sheffield Hallam University
Howard Street
Sheffield
UK
S1 1WB
(44) 0114 225 4926

From mailscannerlist at TNJINFL.COM Mon Jan 20 14:30:40 2003
From: mailscannerlist at TNJINFL.COM (James Pifer)
Date: Thu Jan 12 21:17:00 2006
Subject: Server dying problems
In-Reply-To: <1043070517.9511.15.camel@tweety.tnjinfl.com>
References: <1043070266.9509.11.camel@tweety.tnjinfl.com> <1043070517.9511.15.camel@tweety.tnjinfl.com>
Message-ID: <1043073040.9512.18.camel@tweety.tnjinfl.com>

Think I might be way off base here. I talked to our Notes guy and he said that they are rejecting messages from certain domains and they send a message back saying that they were rejected for policy reasons. So I'm going to blacklist those domains on the MailScanner server instead and see if that helps.

Thanks,
James

On Mon, 2003-01-20 at 08:48, James Pifer wrote:
> That should have been have NOT given very good information....
>
> James
>
> On Mon, 2003-01-20 at 08:44, James Pifer wrote:
> > We're running MailScanner 4.10-1 and having a lot of problems with the
> > server dying. I don't know what's causing the problems as suddenly it
> > will just die. No errors in any of the logs, it just stops. We're
> > running Redhat 7.3 on a Compaq DL370, 1gig RAM.
> >
> > One thing we have noticed is that sometimes mailscanner tries to send a
> > message back to the sender. I'm not sure what cases it tries to do this,
> > but I think one example is the biggboss.com ones. These messages just
> > build up in our queue because they can't be sent. Not sure if this is
> > adding to our problems with the server. Maybe it's wasting a lot of time
> > trying to send these?
> >
> > I would like to turn this off. I see Notify Sender in the conf file, but
> > not sure by the description if this is what I should turn off.
> >
> > I know I have given very good information here, but if anyone has any
> > suggestions I would appreciate it.
> >
> > Thanks,
> > James

From baldguy33165 at YAHOO.COM Mon Jan 20 14:36:19 2003
From: baldguy33165 at YAHOO.COM (Juan Quesada)
Date: Thu Jan 12 21:17:00 2006
Subject: Server dying problems
In-Reply-To: <1043073040.9512.18.camel@tweety.tnjinfl.com>
Message-ID: <20030120143619.3303.qmail@web20801.mail.yahoo.com>

I'm surprised you are able to run Linux on Compaq servers.

Linux runs like crap on Compaqs, well, at least for me it has.

--- James Pifer wrote:
> Think I might be way off base here. I talked to our
> Notes guy and he
> said that they are rejecting messages from certain
> domains and they send
> a message back saying that they were rejected for
> policy reasons. So I'm
> going to blacklist those domains on the MailScanner
> server instead and
> see if that helps.
>
> Thanks,
> James
>
>
> On Mon, 2003-01-20 at 08:48, James Pifer wrote:
> > That should have been have NOT given very good
> information....
> >
> > James
> >
> > On Mon, 2003-01-20 at 08:44, James Pifer wrote:
> > > We're running MailScanner 4.10-1 and having a
> lot of problems with the
> > > server dying. I don't know what's causing the
> problems as suddenly it
> > > will just die. No errors in any of the logs, it
> just stops. We're
> > > running Redhat 7.3 on a Compaq DL370, 1gig RAM.
> > >
> > > One thing we have noticed is that sometimes
> mailscanner tries to send a
> > > message back to the sender. I'm not sure what
> cases it tries to do this,
> > > but I think one example is the biggboss.com
> ones. These messages just
> > > build up in our queue because they can't be
> sent. Not sure if this is
> > > adding to our problems with the server. Maybe
> it's wasting a lot of time
> > > trying to send these?
> > >
> > > I would like to turn this off. I see Notify
> Sender in the conf file, but
> > > not sure by the description if this is what I
> should turn off.
> > >
> > > I know I have given very good information here,
> but if anyone has any
> > > suggestions I would appreciate it.
> > >
> > > Thanks,
> > > James

From Declan.Grady at NUVOTEM.COM Mon Jan 20 14:46:54 2003
From: Declan.Grady at NUVOTEM.COM (Declan Grady)
Date: Thu Jan 12 21:17:00 2006
Subject: upgrading v3 to v4
Message-ID: <20030120144654.GA6481@nuvotem.com>

Hi,
Being a happy v3 user for quite a while now, I'm finally taking the plunge to step up to v4.

Are there any pitfalls to be aware of, or is upgrade now a nice easy process ?

I'm running:
redhat7.0
sendmail-8.12.3
mailscanner 3.23-3
f-prot (frisk)

Thanks for any suggestions,
--
Declan

From raymond at PROLOCATION.NET Mon Jan 20 14:56:34 2003
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:17:00 2006
Subject: Server dying problems
In-Reply-To: <1043075041.9512.26.camel@tweety.tnjinfl.com>
Message-ID:

Hi!

> We're going to set the server up on a beefed up desktop and see how it
> runs. I'm guessing it will be solid as a rock.
>
> Can I ask what Compaq Server models you used? I do have it running on a
> DL360 and it seems pretty solid. I've seen posts on Redhat's mailing
> list where people are running on Compaq without any problems.

Same here, runs fine, on the older Proliant 800's and a couple of DL360's.

Bye,
Raymond.

From andersan at ltkalmar.se Mon Jan 20 15:00:45 2003
From: andersan at ltkalmar.se (Anders Andersson, IT)
Date: Thu Jan 12 21:17:00 2006
Subject: Swedish translation update
Message-ID: <7B475DC5E9502B4D91EA73C283AE48D70263EDE2@lkl22.ltkalmar.se>

Hi

This is an update and fixed version for the Swedish report files. All files are saved in ISO-8859 since I found some client probs with utf-8 format. Languages.conf is also translated though I think it needs a check =)

Any comments or corrections are kindly received, we all make mistakes ;-)

Kind regards
/Anders

-------------- next part --------------
A non-text attachment was scrubbed...
Name: swedish.tar
Type: application/octet-stream
Size: 30720 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030120/e7ff91f3/swedish.obj

From mailscannerlist at TNJINFL.COM Mon Jan 20 15:04:00 2003
From: mailscannerlist at TNJINFL.COM (James Pifer)
Date: Thu Jan 12 21:17:00 2006
Subject: Server dying problems
In-Reply-To: <20030120143619.3303.qmail@web20801.mail.yahoo.com>
References: <20030120143619.3303.qmail@web20801.mail.yahoo.com>
Message-ID: <1043075041.9512.26.camel@tweety.tnjinfl.com>

I have had on and off problems with it. I still think the crux of my problems are Redhat <---> Compaq, but I have no real evidence right now.

We're going to set the server up on a beefed up desktop and see how it runs. I'm guessing it will be solid as a rock.

Can I ask what Compaq Server models you used? I do have it running on a DL360 and it seems pretty solid. I've seen posts on Redhat's mailing list where people are running on Compaq without any problems.

Thanks,
James

On Mon, 2003-01-20 at 09:36, Juan Quesada wrote:
> I'm surprised you are able to run Linux on Compaq
> servers.
>
> Linux runs like crap on Compaqs, well, at least for me
> it has.
> --- James Pifer wrote:
> > Think I might be way off base here. I talked to our
> > Notes guy and he
> > said that they are rejecting messages from certain
> > domains and they send
> > a message back saying that they were rejected for
> > policy reasons. So I'm
> > going to blacklist those domains on the MailScanner
> > server instead and
> > see if that helps.
> >
> > Thanks,
> > James
> >
> >
> > On Mon, 2003-01-20 at 08:48, James Pifer wrote:
> > > That should have been have NOT given very good
> > information....
> > >
> > > James
> > >
> > > On Mon, 2003-01-20 at 08:44, James Pifer wrote:
> > > > We're running MailScanner 4.10-1 and having a
> > lot of problems with the
> > > > server dying. I don't know what's causing the
> > problems as suddenly it
> > > > will just die. No errors in any of the logs, it
> > just stops. We're
> > > > running Redhat 7.3 on a Compaq DL370, 1gig RAM.
> > > >
> > > > One thing we have noticed is that sometimes
> > mailscanner tries to send a
> > > > message back to the sender. I'm not sure what
> > cases it tries to do this,
> > > > but I think one example is the biggboss.com
> > ones. These messages just
> > > > build up in our queue because they can't be
> > sent. Not sure if this is
> > > > adding to our problems with the server. Maybe
> > it's wasting a lot of time
> > > > trying to send these?
> > > >
> > > > I would like to turn this off. I see Notify
> > Sender in the conf file, but
> > > > not sure by the description if this is what I
> > should turn off.
> > > >
> > > > I know I have given very good information here,
> > but if anyone has any
> > > > suggestions I would appreciate it.
> > > >
> > > > Thanks,
> > > > James

From sholland at SUMSYS.COM Mon Jan 20 15:20:31 2003
From: sholland at SUMSYS.COM (Stephen Holland)
Date: Thu Jan 12 21:17:01 2006
Subject: Where is the option for:
Message-ID: <5CA24BCF0A68504C8A3F2AA3E526F0150CC8B1@ssitransfer2.summit.local>

I read in the archive that in version 2.6 there was an option to not send a virus report to the recipients. Where do I find that now? I might just be overlooking it in the MailScanner.conf file.

http://www.jiscmail.ac.uk/cgi-bin/wa.exe?A2=ind0201&L=mailscanner&P=R6998&I=-3

Thank you very much.

--Stephen

From E.H.Beekman at AMC.UVA.NL Mon Jan 20 15:17:24 2003
From: E.H.Beekman at AMC.UVA.NL (Ewald Beekman)
Date: Thu Jan 12 21:17:01 2006
Subject: Server dying problems
In-Reply-To: ; from raymond@PROLOCATION.NET on Mon, Jan 20, 2003 at 03:56:34PM +0100
References: <1043075041.9512.26.camel@tweety.tnjinfl.com>
Message-ID: <20030120161723.A15358@oink.amc.uva.nl>

We are running MailScanner on a couple of Compaq DL580G2's with RedHat 8.0. We had problems of the box stopping completely; this happened to be the gigabit Ethernet driver on a busy network. Redhat installs the tg3 by default (lsmod) for the BCM5701 (lspci) but you need to set it to the bcm5700 driver (in /etc/modules.conf).

Furthermore, after installing the Compaq management agents the machine was rebooting after a couple of days. We now switched off ASR in the BIOS and since then it didn't happen anymore.

Ewald...

On Mon, Jan 20, 2003 at 03:56:34PM +0100, Raymond Dijkxhoorn wrote:
> Hi!
>
> > We're going to set the server up on a beefed up desktop and see how it
> > runs. I'm guessing it will be solid as a rock.
> >
> > Can I ask what Compaq Server models you used? I do have it running on a
> > DL360 and it seems pretty solid. I've seen posts on Redhat's mailing
> > list where people are running on Compaq without any problems.
>
> Same here, runs fine, on the older Proliant 800's and a couple of DL360's.
>
> Bye,
> Raymond.

--
Ewald Beekman, Security Engineer, Academic Medical Center,
dept. ADB/ICT Computer & Network Services, The Netherlands
## Your mind-mint is:
There is no sin but ignorance.
-- Christopher Marlowe

From Richard.Lush at HP.COM Mon Jan 20 15:28:18 2003
From: Richard.Lush at HP.COM (Lush, Richard)
Date: Thu Jan 12 21:17:01 2006
Subject: Server dying problems
Message-ID:

I'm not biased at all but I've never had any problems running Linux on Compaq Kit. I've mainly run Redhat on them and with standard hardware configs it works fine. I have had problems running non-standard hardware but that goes for any system running Linux as finding drivers etc can be a pain.

I'm not promising anything but if you are having specific problems I can have a look internally for answers.

Richard
(pre-merger Compaq)

-----Original Message-----
From: Juan Quesada [mailto:baldguy33165@YAHOO.COM]
Sent: 20 January 2003 14:36
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Server dying problems

I'm surprised you are able to run Linux on Compaq servers.

Linux runs like crap on Compaqs, well, at least for me it has.

--- James Pifer wrote:
> Think I might be way off base here. I talked to our
> Notes guy and he
> said that they are rejecting messages from certain
> domains and they send
> a message back saying that they were rejected for
> policy reasons. So I'm
> going to blacklist those domains on the MailScanner
> server instead and
> see if that helps.
>
> Thanks,
> James
>
>
> On Mon, 2003-01-20 at 08:48, James Pifer wrote:
> > That should have been have NOT given very good
> information....
> >
> > James
> >
> > On Mon, 2003-01-20 at 08:44, James Pifer wrote:
> > > We're running MailScanner 4.10-1 and having a
> lot of problems with the
> > > server dying. I don't know what's causing the
> problems as suddenly it
> > > will just die. No errors in any of the logs, it
> just stops. We're
> > > running Redhat 7.3 on a Compaq DL370, 1gig RAM.
> > >
> > > One thing we have noticed is that sometimes
> mailscanner tries to send a
> > > message back to the sender. I'm not sure what
> cases it tries to do this,
> > > but I think one example is the biggboss.com
> ones. These messages just
> > > build up in our queue because they can't be
> sent. Not sure if this is
> > > adding to our problems with the server. Maybe
> it's wasting a lot of time
> > > trying to send these?
> > >
> > > I would like to turn this off. I see Notify
> Sender in the conf file, but
> > > not sure by the description if this is what I
> should turn off.
> > >
> > > I know I have given very good information here,
> but if anyone has any
> > > suggestions I would appreciate it.
> > >
> > > Thanks,
> > > James

From nerijus at USERS.SOURCEFORGE.NET Mon Jan 20 15:53:32 2003
From: nerijus at USERS.SOURCEFORGE.NET (Nerijus Baliunas)
Date: Thu Jan 12 21:17:01 2006
Subject: exe passed through
Message-ID: <200301201607.h0KG7GqQ005806@mx.ktv.lt>

Hello,

I am resending message with MIME boundaries quoted, as it seems it didn't pass to the list.

exe files are banned, but a few passed through Mailscanner (4.05):

Subject: Introduction on ADSL
MIME-Version: 1.0
Content-Type: multipart/alternative;
        "boundary=YyeUADgny7dwrMz860bV9280X9uvl31"

"--YyeUADgny7dwrMz860bV9280X9uvl31"
Content-Type: text/html;
Content-Transfer-Encoding: quoted-printable

"--YyeUADgny7dwrMz860bV9280X9uvl31"
Content-Type: audio/x-md; -- changed by me - it was x-midi
        name=ir .ex -- changed by me - it was exe
Content-Transfer-Encoding: base64
Content-ID:

UEUAAEwBBAC4jrc8AAAAAAAAAADgAA8BCwEGAADAAAAAkAgAAAAAAFiEAAAAEAAAANAAAAAA

Regards,
Nerijus

From andersan at LTKALMAR.SE Mon Jan 20 16:11:55 2003
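Added example, not part of the archived messages and not MailScanner's own code (MailScanner is written in Perl; this is Python): a filename-based check of the kind the post above relies on, run over a constructed message shaped like the one quoted there, where the part is declared as audio but named as an executable. The deny list, the sample message and every function name are assumptions made for illustration.

```python
import base64
import fnmatch
from email import message_from_string
from email.utils import collapse_rfc2231_value

# Hypothetical deny list standing in for a site's "no executables" filename rule.
DENY_PATTERNS = ["*.exe", "*.com", "*.scr", "*.pif", "*.bat"]

# Constructed sample: an audio/x-midi part whose name ends in .EXE. The payload
# is only the two bytes "MZ" followed by zero padding, not a real program.
SAMPLE = (
    "Subject: constructed sample\n"
    "MIME-Version: 1.0\n"
    'Content-Type: multipart/alternative; boundary="BOUNDARY-1"\n'
    "\n"
    "--BOUNDARY-1\n"
    "Content-Type: text/html\n"
    "Content-Transfer-Encoding: quoted-printable\n"
    "\n"
    "<html><body>hello</body></html>\n"
    "--BOUNDARY-1\n"
    'Content-Type: audio/x-midi; name="ir .EXE"\n'
    "Content-Transfer-Encoding: base64\n"
    "\n"
    "{payload}\n"
    "--BOUNDARY-1--\n"
).format(payload=base64.b64encode(b"MZ" + b"\x00" * 30).decode("ascii"))


def part_names(part):
    """Collect every name a part advertises, from both headers that carry one."""
    names = []
    for param, header in (("filename", "content-disposition"),
                          ("name", "content-type")):
        value = part.get_param(param, header=header)
        if value is not None:
            names.append(collapse_rfc2231_value(value))
    return names


def is_denied(name):
    """Match a name against the deny list, ignoring case and trailing dots/spaces."""
    # Windows drops trailing dots and spaces, so "x.exe. " still opens as x.exe.
    cleaned = name.strip().rstrip(". ").lower()
    return any(fnmatch.fnmatchcase(cleaned, pattern) for pattern in DENY_PATTERNS)


def scan(raw_message):
    """Return (name, declared_type, reason) findings for one raw message."""
    findings = []
    for part in message_from_string(raw_message).walk():
        if part.is_multipart():
            continue
        declared = part.get_content_type()
        names = part_names(part)
        # The name decides, whatever Content-Type the sender chose to declare.
        for name in names:
            if is_denied(name):
                findings.append((name, declared, "filename on deny list"))
        # Second opinion from the content itself: a DOS/Windows executable
        # header under a type that has no business carrying one.
        body = part.get_payload(decode=True) or b""
        if body[:2] == b"MZ" and not declared.startswith("application/"):
            findings.append((names[0] if names else "(unnamed)", declared,
                             "executable header under a non-application type"))
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```
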
From: andersan at LTKALMAR.SE (Anders Andersson, IT)
Date: Thu Jan 12 21:17:01 2006
Subject: SV: exe passed through
Message-ID: <7B475DC5E9502B4D91EA73C283AE48D70263EDE4@lkl22.ltkalmar.se>

Is it my mcafee/exchange that's stupid or did mailscanner miss something?

/Anders

-----Original Message-----
From: Nerijus Baliunas [mailto:nerijus@USERS.SOURCEFORGE.NET]
Sent: 20 January 2003 16:54
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: exe passed through

******** McAfee GroupShield for Microsoft Exchange **********
**********************************************************************

Alert generated on: måndag, januari 20, 2003 17:07:56 W. Europe Standard Time

The body of this message has been replaced as it contains the Exploit-MIME.gen.b virus.

Please consult your administrator for further help quoting your ticket number:
OB457_1043078876_LKL22_1

From nerijus at USERS.SOURCEFORGE.NET Mon Jan 20 16:22:51 2003
From: nerijus at USERS.SOURCEFORGE.NET (Nerijus Baliunas)
Date: Thu Jan 12 21:17:01 2006
Subject: SV: exe passed through
In-Reply-To: <7B475DC5E9502B4D91EA73C283AE48D70263EDE4@lkl22.ltkalmar.se>
References: <7B475DC5E9502B4D91EA73C283AE48D70263EDE4@lkl22.ltkalmar.se>
Message-ID: <200301201623.h0KGN5qQ000251@mx.ktv.lt>

On Mon, 20 Jan 2003 17:11:55 +0100 "Anders Andersson, IT" wrote:

> Is it my mcafee/exchange thats stupid or did mailscanner miss something?

The former... I quoted MIME boundaries and changed x-midi to x-md and "ir .exe" to "ir .ex" in the message. It shouldn't be caught.

Regards,
Nerijus

From mailscanner at ecs.soton.ac.uk Mon Jan 20 16:57:07 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:01 2006
Subject: upgrading v3 to v4
In-Reply-To: <20030120144654.GA6481@nuvotem.com>
Message-ID: <5.2.0.9.2.20030120165232.02614130@imap.ecs.soton.ac.uk>

At 14:46 20/01/2003, you wrote:
>Hi,
>Being a happy v3 user for quite a while now, I'm finally taking the plunge to
>step up to v4.
>
>Are there any pitfalls to be aware of, or is upgrade now a nice easy process
>?
>
>I'm running:
>redhat7.0
>sendmail-8.12.3
>mailscanner 3.23-3
>f-prot (frisk)
>
>Thanks for any suggestions,

Do *not* attempt to just use your existing mailscanner.conf. You need to customise MailScanner.conf from scratch to build an equivalent system.

If you used things like selectively scanning some domains, spam white/blacklists and things like that then read up on the "rules" files and the examples and docs in the /etc/MailScanner/rules directory.

Remove any daily cron jobs you have to do things like update f-prot. The new "global updater" will update every hour for you.

Just before you start the new one, make sure the old one is properly killed off. And make sure neither the new one nor the old one is running when you want to finally crank up the whole system. The new one might well be kicked into action (with a half-configured setup) by the hourly cron job that makes sure it is running. So it's a good idea to stop the incoming sendmail thoroughly so that you don't get any mail processed while you are setting it up.

Don't try to do it in a rush, it will probably take you a couple of hours or so. But don't worry, future upgrades will be a *much* quicker job.

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Mon Jan 20 17:13:17 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:01 2006
Subject: exe passed through
In-Reply-To: <200301201607.h0KG7GqQ005806@mx.ktv.lt>
Message-ID: <5.2.0.9.2.20030120171244.04a58ff8@imap.ecs.soton.ac.uk>

Please can you zip up the entire message, headers and all and mail it to me at mailscanner@ecs.soton.ac.uk.
Then I can take a look and see what it should have done with the message.

At 15:53 20/01/2003, you wrote:
>Hello,
>
>I am resending message with MIME boundaries quoted, as it seems
>it didn't pass to the list.
>
>exe files are banned, but a few passed through Mailscanner (4.05):
>
>Subject: Introduction on ADSL
>MIME-Version: 1.0
>Content-Type: multipart/alternative;
>        "boundary=YyeUADgny7dwrMz860bV9280X9uvl31"
>
>"--YyeUADgny7dwrMz860bV9280X9uvl31"
>Content-Type: text/html;
>Content-Transfer-Encoding: quoted-printable
>
>
>"--YyeUADgny7dwrMz860bV9280X9uvl31"
>Content-Type: audio/x-md; -- changed by me - it was x-midi
>        name=ir .ex -- changed by me - it was exe
>Content-Transfer-Encoding: base64
>Content-ID:
>
>UEUAAEwBBAC4jrc8AAAAAAAAAADgAA8BCwEGAADAAAAAkAgAAAAAAFiEAAAAEAAAANAAAAAA
>
>
>Regards,
>Nerijus

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Mon Jan 20 17:11:22 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:01 2006
Subject: Where is the option for:
In-Reply-To: <5CA24BCF0A68504C8A3F2AA3E526F0150CC8B1@ssitransfer2.summit.local>
Message-ID: <5.2.0.9.2.20030120171109.0272f700@imap.ecs.soton.ac.uk>

At 15:20 20/01/2003, you wrote:
>I read in the archive that in version 2.6 there was an option to not send
>a virus report to the recipients. Where do I find that now? I might just
>be over looking it in the MailScanner.conf file.

"Deliver Cleaned Messages"

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From jase at SENSIS.COM Mon Jan 20 18:01:27 2003
From: jase at SENSIS.COM (Desai, Jason)
Date: Thu Jan 12 21:17:01 2006
Subject: version 4, Exim and header rewrites.
Message-ID:

Try testing the exim re-writing rules with the following:

exim -C -brw EMAILADDRESS

and see how exim would rewrite EMAILADDRESS. I think you would only need to set up the re-writing in your outgoing exim config, but I'm not sure.

Jason

-----Original Message-----
From: Ray Gardener [mailto:R.A.Gardener@SHU.AC.UK]
Sent: Monday, January 20, 2003 8:55 AM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: [MAILSCANNER] version 4, Exim and header rewrites.

Hi,

I upgraded from version 3 to version 4 of Mailscanner last week and found that the header rewrites configured in my Exim 3.36 configuration no longer worked.

Briefly we rewrite all internal addresses with an external form before passing the mail to the outside world.

e.g. r.a.gardener@shuexchangebox.shu.ac.uk becomes R.A.Gardener@shu.ac.uk

This rewrite stopped after upgrading to version 4. Upon just downgrading the installation to version 3 of Mailscanner the rewriting restarted.

Has anyone else seen this? (and of course, is there a fix?)

Regards,
Ray Gardener
CIS
Sheffield Hallam University
Howard Street
Sheffield
UK
S1 1WB
(44) 0114 225 4926

From jase at SENSIS.COM Mon Jan 20 18:12:21 2003
From: jase at SENSIS.COM (Desai, Jason)
Date: Thu Jan 12 21:17:01 2006
Subject: Blank Subject in Notices to System Administrators (Exim)
Message-ID:

I am running MailScanner 4.11 + Exim patch from Nick, and I notice (pun intended) that all of my Notices to System Administrators have a blank Subject field. I have Notices Include Full Headers = yes, and I can see the real subject in the full headers below, but the summary before the Full headers just has a blank subject.

Here's an example:

The following e-mail messages were found to have viruses in them:

=====================================
    Sender:
IP Address: 199.105.164.4.22033
 Recipient: xxxx@sensis.com
   Subject:
 MessageID: 18ag8j-0004BD-00
    Report: /18ag8j-0004BD-00/Notes.exe Found the W32/Yaha.k virus !!!
Notes.exe contains Yaha.K
Executable DOS/Windows programs are dangerous in email (Notes.exe)

Full headers are
 Received: from smtpmail.sensis.com [199.105.164.4] (mail)
        by dimstar.syr.sensis.com with esmtp (Exim 3.35 #1 (Debian))
        id 18ag8j-0004BD-00; Mon, 20 Jan 2003 12:55:17 -0500
 Received: from bgp385601bgs.jersyc01.nj.comcast.net (smtpmail.sensis.com) [68.36.35.194]
        by smtpmail.sensis.com with smtp (Exim 3.12 #1 (Debian))
        id 18ag8h-0000F2-00; Mon, 20 Jan 2003 12:55:15 -0500
 From: Jonathan
 To: xxxx@sensis.com
 Subject: Things to note
 Date: Mon,20 Jan 2003 12:55:10 PM
 X-Mailer: Microsoft Outlook Express 5.50.4133.2400
 MIME-Version: 1.0
 Content-Type:multipart/mixed;
        boundary=#r0xx#
 Message-Id:
=====================================

Is anyone else having this problem? Obviously this is not a big deal since email is still getting scanned, and I do have the subject in the full headers. My guess is that this is Exim specific.

Thanks.

Jason

From mailscanner at ecs.soton.ac.uk Mon Jan 20 18:23:55 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:01 2006
Subject: Blank Subject in Notices to System Administrators (Exim)
In-Reply-To:
Message-ID: <5.2.0.9.2.20030120182231.02862a80@imap.ecs.soton.ac.uk>

Can you try this for me?

Edit /usr/lib/MailScanner/MailScanner/Exim.pm and change line 480 from
    if ("subject" eq lc $1) {
to
    if ("subject:" eq lc $1) {
(i.e. add a ':').

Then restart MailScanner and see if this fixes the problem.

At 18:12 20/01/2003, you wrote:
>I am running MailScanner 4.11 + Exim patch from Nick, and I notice (pun
>intended) that all of my Notices to System Administrators have a blank
>Subject field. I have Notices Include Full Headers = yes, and I can see the
>real subject in the full headers below, but the summary before the Full
>headers just has a blank subject.
>
>Here's an example:
>
>The following e-mail messages were found to have viruses in them:
>
>=====================================
>     Sender:
>IP Address: 199.105.164.4.22033
>  Recipient: xxxx@sensis.com
>    Subject:
>  MessageID: 18ag8j-0004BD-00
>     Report: /18ag8j-0004BD-00/Notes.exe Found the W32/Yaha.k virus
>!!!
>Notes.exe contains Yaha.K
>Executable DOS/Windows programs are dangerous in email (Notes.exe)
>
>Full headers are
>  Received: from smtpmail.sensis.com [199.105.164.4] (mail)
>         by dimstar.syr.sensis.com with esmtp (Exim 3.35 #1 (Debian))
>         id 18ag8j-0004BD-00; Mon, 20 Jan 2003 12:55:17 -0500
>  Received: from bgp385601bgs.jersyc01.nj.comcast.net (smtpmail.sensis.com)
>[68.36.35.194]
>         by smtpmail.sensis.com with smtp (Exim 3.12 #1 (Debian))
>         id 18ag8h-0000F2-00; Mon, 20 Jan 2003 12:55:15 -0500
>  From: Jonathan
>  To: xxxx@sensis.com
>  Subject: Things to note
>  Date: Mon,20 Jan 2003 12:55:10 PM
>  X-Mailer: Microsoft Outlook Express 5.50.4133.2400
>  MIME-Version: 1.0
>  Content-Type:multipart/mixed;
>         boundary=#r0xx#
>  Message-Id:
>=====================================
>
>Is anyone else having this problem? Obviously this is not a big deal since
>email is still getting scanned, and I do have the subject in the full
>headers. My guess is that this is Exim specific.
>
>Thanks.
>
>Jason

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From sholland at SUMSYS.COM Mon Jan 20 18:43:42 2003
From: sholland at SUMSYS.COM (Stephen Holland)
Date: Thu Jan 12 21:17:01 2006
Subject: Proper way to black list and whitelist
Message-ID: <5CA24BCF0A68504C8A3F2AA3E526F0150CC8B2@ssitransfer2.summit.local>

I have read how to black list in SA, MS and Sendmail. What is the best way to BL and WL domains? Like *@*.baddomain.com and *@baddomain.com

Edit the spam.assassin.prefs.conf and put a bunch of whitelist_from and blacklist_from entries.

Or create a white list and black list files and point MailScanner.conf to them. IE

Is Definitely Not Spam = /etc/MailScanner/rules/spam.whitelist.rules
Is Definitely Spam = /etc/MailScanner/rules/spam.blacklist.rules

MS 4.11-1
SA 2.43
RH 7.3
SM 8.12

From mbowman at UDCOM.COM Mon Jan 20 18:43:30 2003
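Added example, not part of the archived messages and not MailScanner's own code (MailScanner is written in Perl; this is Python): the blank Subject from the "Blank Subject in Notices to System Administrators (Exim)" thread above, and the effect of the one-character change suggested for Exim.pm, reproduced on a constructed header block. It assumes the field name is captured together with its trailing colon, which is what the suggested change implies; the header values and all function names are made up for illustration.

```python
import re

# Constructed header block modelled on the "Full headers" section quoted in
# the thread; hosts and addresses are placeholders.
RAW_HEADERS = (
    "Received: from relay.example.net [192.0.2.4]\n"
    "\tby scanner.example.net with esmtp id 18ag8j-0004BD-00\n"
    "From: Jonathan <jonathan@example.org>\n"
    "To: xxxx@example.net\n"
    "Subject: Things\n"
    " to note\n"
    "MIME-Version: 1.0\n"
)

# Assumption for this sketch: the pattern captures the field name *with* its colon.
FIELD = re.compile(r"^(\S+:)[ \t]*(.*)$")


def unfold(raw):
    """Join continuation lines (leading space or tab) onto their header."""
    headers = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and headers:
            headers[-1] += " " + line.strip()
        elif line:
            headers.append(line)
    return headers


def lookup(raw, wanted):
    """Return the value of the first header whose captured name equals `wanted`.

    A name that never matches is not an error: the caller just gets "".
    """
    for header in unfold(raw):
        match = FIELD.match(header)
        if match and match.group(1).lower() == wanted:
            return match.group(2)
    return ""


def notice_summary(raw, subject_key):
    """Build the short summary that precedes the full headers in a notice."""
    return {
        "Sender": lookup(raw, "from:"),
        "Recipient": lookup(raw, "to:"),
        "Subject": lookup(raw, subject_key),
    }


def lookup_normalised(raw, wanted):
    """Variant that strips the colon on both sides, so either spelling works."""
    key = wanted.rstrip(":").lower()
    for header in unfold(raw):
        match = FIELD.match(header)
        if match and match.group(1).rstrip(":").lower() == key:
            return match.group(2)
    return ""


if __name__ == "__main__":
    print(notice_summary(RAW_HEADERS, "subject"))    # comparison without the colon
    print(notice_summary(RAW_HEADERS, "subject:"))   # comparison with the colon
```
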
From: mbowman at UDCOM.COM (Matthew Bowman)
Date: Thu Jan 12 21:17:01 2006
Subject: Proper way to black list and whitelist
Message-ID:

I've found that using *@*.baddomain.com doesn't work very well and would like to know why and what alternatives we can use. Using the rules files on the other hand is a good idea. PITA domains are put in /etc/mail/access - which is my approach.

Matthew

Stephen Holland
Sent by: MailScanner mailing list
01/20/2003 01:43 PM
Please respond to MailScanner mailing list

To: MAILSCANNER@JISCMAIL.AC.UK
cc:
Subject: Proper way to black list and whitelist

I have read how to black list in SA, MS and Sendmail. What is the best way to BL and WL domains? Like *@*.baddomain.com and *@baddomain.com

Edit the spam.assassin.prefs.conf and put a bunch of whitelist_from and blacklist_from entries.

Or create a white list and black list files and point MailScanner.conf to them. IE

Is Definitely Not Spam = /etc/MailScanner/rules/spam.whitelist.rules
Is Definitely Spam = /etc/MailScanner/rules/spam.blacklist.rules

MS 4.11-1
SA 2.43
RH 7.3
SM 8.12

From nerijus at USERS.SOURCEFORGE.NET Mon Jan 20 18:59:01 2003
From: nerijus at USERS.SOURCEFORGE.NET (Nerijus Baliunas)
Date: Thu Jan 12 21:17:01 2006
Subject: exe passed through
In-Reply-To: <5.2.0.9.2.20030120171244.04a58ff8@imap.ecs.soton.ac.uk>
References: <5.2.0.9.2.20030120171244.04a58ff8@imap.ecs.soton.ac.uk>
Message-ID: <200301201900.h0KIxxqQ001147@mx.ktv.lt>

On Mon, 20 Jan 2003 17:13:17 +0000 Julian Field wrote:

> Please can you zip up the entire message, headers and all and mail it to me
> at mailscanner@ecs.soton.ac.uk.
> Then I can take a look and see what it should have done with the message.

I am very sorry, but yesterday after changing sendmail configuration I restarted it with old scripts. When I started it correctly with mailscanner, everything is OK.

Sorry,
Nerijus

From c.bates at COMNET.CO.NZ Mon Jan 20 19:24:14 2003
From: c.bates at COMNET.CO.NZ (Craig Bates)
Date: Thu Jan 12 21:17:01 2006
Subject: dying processes
In-Reply-To: <5.2.0.9.2.20030117151504.06156760@imap.ecs.soton.ac.uk>
References: <200301171445.18521.c.bates@comnet.co.nz> <5.2.0.9.2.20030117151504.06156760@imap.ecs.soton.ac.uk>
Message-ID: <200301210824.14568.c.bates@comnet.co.nz>

Hi Julian,

I have 23GB free on that partition.

So far we know that this problem has occurred on RedHat 8.0 and FreeBSD 4.7, perl 5.005 and perl 5.8.0, with and without Razor, with and without SpamAssassin enabled in MailScanner.conf, with F-prot and ClamAV.

Does anybody else have any other information?

Craig

On Saturday 18 January 2003 04:16, you wrote:
> It may sound silly, but have you done a "df -k" recently? I've been
> experiencing a similar problem myself with another user's server, and it
> took me a while to realise one of the filesystems had filled up.
>
> At 14:22 17/01/2003, you wrote:
> > I am not running Razor. I have MailScanner 4.10, SpamAssassin 2.43 and
> > ClamAv 0.54 on Red Hat 8.0.
> >
> > I would notice on my mailscanner-mrtg graphs that the number of
> > MailScanner processes would drop from 20 to 3 sometimes, and stay there
> > until I restarted MailScanner. I didn't look through the logs "real"
> > hard, but my cursory examination didn't turn up anything.
> >
> >On Fri, 17 Jan 2003 14:45:18 +1300
> >
> >Craig Bates wrote:
> > > Dale,
> > >
> > > Are you running Spam assassin & RAZOR? What OS and anti-virus are you running?
> > >
> > > Anybody else having these problems????
> > >
> > > Thanks,
> > >
> > > Craig
> > >
> > > On Friday 17 January 2003 11:34, you wrote:
> > > > I was having this same problem, but didn't investigate why very
> > > > much, that is why I put the restart option in mailscanner-mrtg,
> > > > whenever it detects mailscanner is below a certain number of
> > > > processes it
> > > > restarts it.
> > > >
> > > > Dale
> > > >
> > > > On Fri, 17 Jan 2003 09:36:22 +1300
> > > >
> > > > Craig Bates wrote:
> > > > > Hi,
> > > > >
> > > > > I decided to install MailScanner on RedHat80 as I was having
> > > > > problems with MailScanner processes dying on FreeBSD. I am now
> > > > > having exactly the
> > > > > same problem with RedHat80 This proves that the problem is
> > > > > independent of OS, sendmail version / compilation and perl version.
> > > > >
> > > > > I find it very strange that nobody else seems to have this problem
> > > > > and I have it on 3 boxes!
> > > > >
> > > > > Is there anybody on this list that has MailScanner working with
> > > > > spamassassin-2.43-3.i386.rpm, razor-agents-2.22.tar.gz,
> > > > > fp-linux-sb.rpm (f-prot)? One of these must be causing the
> > > > > problem as I'm sure MailScanner and RedHat8.0 is a very common
> > > > > installation that works!
> > > > >
> > > > > Thanks,
> > > > >
> > > > > Craig
> >
> >--
> > Dale Lovelace
> > System Administrator
> > hotels.com
> > (214) 361-7311 Ext. 1074

From mailscanner at ecs.soton.ac.uk Mon Jan 20 19:14:40 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:01 2006
Subject: Proper way to black list and whitelist
In-Reply-To:
Message-ID: <5.2.0.9.2.20030120191401.027faeb0@imap.ecs.soton.ac.uk>

At 18:43 20/01/2003, you wrote:
>I've found that using *@*.baddomain.com doesn't work very well and would
>like to know why and what alternatives we can use.

You will probably need to add *@baddomain.com as well.

> Using the rules files on the other hand is a good idea. PITA domains
> are put in /etc/mail/access - which is my approach.
>
>
>Matthew
>
>
>
>Stephen Holland
>Sent by: MailScanner mailing list
>
>01/20/2003 01:43 PM
>Please respond to MailScanner mailing list
>
> To: MAILSCANNER@JISCMAIL.AC.UK
> cc:
> Subject: Proper way to black list and whitelist
>
>
>I have read how to black list in SA, MS and Sendmail. What is the best
>way to BL and WL domains? Like
>*@*.baddomain.com and
>*@baddomain.com
>
>
>
>Edit the spam.assassin.prefs.conf and put a bunch of whitelist_from and
>blacklist_from entries. Or create a white list and black list files and
>point MailScanner.conf to them.
>
>IE
>Is Definitely Not Spam = /etc/MailScanner/rules/spam.whitelist.rules
>Is Definitely Spam = /etc/MailScanner/rules/spam.blacklist.rules
>
>
>
>MS 4.11-1
>SA 2.43
>RH 7.3
>SM 8.12
>

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030120/f44d4aa0/attachment.html

From c.bates at COMNET.CO.NZ Mon Jan 20 19:54:01 2003
From: c.bates at COMNET.CO.NZ (Craig Bates)
Date: Thu Jan 12 21:17:01 2006
Subject: Disinfection
Message-ID: <200301210854.01293.c.bates@comnet.co.nz>

I notice that spam messages that carry a virus are marked as disinfected and then are not detected as spam. I'm not sure if these messages are even going through spamassassin etc

Craig

From jase at SENSIS.COM Mon Jan 20 20:00:45 2003
From: jase at SENSIS.COM (Desai, Jason)
Date: Thu Jan 12 21:17:01 2006
Subject: Blank Subject in Notices to System Administrators (Exim)
Message-ID:

What great service ... that fixed the problem!

Thanks!

Jason

> -----Original Message-----
> From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK]
> Sent: Monday, January 20, 2003 1:24 PM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: [MAILSCANNER] Blank Subject in Notices to System
> Administrators (Exim)
>
>
> Can you try this for me?
> Edit /usr/lib/MailScanner/MailScanner/Exim.pm and change line 480 from
>
> if ("subject" eq lc $1) {
>
> to
>
> if ("subject:" eq lc $1) {
>
> (i.e. add a ':'). Then restart MailScanner and see if this
> fixes the problem.
>
> At 18:12 20/01/2003, you wrote:
> >I am running MailScanner 4.11 + Exim patch from Nick, and I notice (pun
> >intended) that all of my Notices to System Administrators have a blank
> >Subject field. I have Notices Include Full Headers = yes, and I can see the
> >real subject in the full headers below, but the summary before the Full
> >headers just has a blank subject.
> >
> >Here's an example:
> >
> >The following e-mail messages were found to have viruses in them:
> >
> >=====================================
> > Sender:
> >IP Address: 199.105.164.4.22033
> > Recipient: xxxx@sensis.com
> > Subject:
> > MessageID: 18ag8j-0004BD-00
> > Report: /18ag8j-0004BD-00/Notes.exe Found the W32/Yaha.k virus
> >!!!
> >Notes.exe contains Yaha.K
> >Executable DOS/Windows programs are dangerous in email (Notes.exe)
> >
> >Full headers are
> > Received: from smtpmail.sensis.com [199.105.164.4] (mail)
> > by dimstar.syr.sensis.com with esmtp (Exim 3.35 #1 (Debian))
> > id 18ag8j-0004BD-00; Mon, 20 Jan 2003 12:55:17 -0500
> > Received: from bgp385601bgs.jersyc01.nj.comcast.net (smtpmail.sensis.com)
> >[68.36.35.194]
> > by smtpmail.sensis.com with smtp (Exim 3.12 #1 (Debian))
> > id 18ag8h-0000F2-00; Mon, 20 Jan 2003 12:55:15 -0500
> > From: Jonathan
> > To: xxxx@sensis.com
> > Subject: Things to note
> > Date: Mon,20 Jan 2003 12:55:10 PM
> > X-Mailer: Microsoft Outlook Express 5.50.4133.2400
> > MIME-Version: 1.0
> > Content-Type:multipart/mixed;
> > boundary=#r0xx#
> > Message-Id:
> >=====================================
> >
> >Is anyone else having this problem? Obviously this is not a big deal since
> >email is still getting scanned, and I do have the subject in the full
> >headers. My guess is that this is Exim specific.
> >
> >Thanks.
> >
> >Jason
>
> --
> Julian Field
> www.MailScanner.info
> MailScanner thanks transtec Computers for their support
>

From hden at KCBBS.GEN.NZ Mon Jan 20 22:55:49 2003
From: hden at KCBBS.GEN.NZ (Hendrik den Hartog)
Date: Thu Jan 12 21:17:01 2006
Subject: Compaq Servers WAS: Server dying problems
In-Reply-To: ; from raymond@PROLOCATION.NET on Mon, Jan 20, 2003 at 03:56:34PM +0100
References: <1043075041.9512.26.camel@tweety.tnjinfl.com>
Message-ID: <20030121115549.A19487@mew.kcbbs.gen.nz>

On Mon, Jan 20, 2003 at 03:56:34PM +0100, Raymond Dijkxhoorn wrote:
> Hi!
>
> > We're going to set the server up on a beefed up desktop and see how it
> > runs. I'm guessing it will be solid as a rock.
> >
> > Can I ask what Compaq Server models you used? I do have it running on a
> > DL360 and it seems pretty solid. I've seen posts on Redhat's mailing
> > list where people are running on Compaq without any problems.

(Current) Compaq Servers are listed as fully compatible on RH's Hardware lists, the ML350 I'm currently setting up includes Linux in the list of OS's in Server Manager (NOT that I'm going to use Compaq's Server Manager).

I've had RH8 running on a ML310 P4 for 5 weeks no problems, and am about to build this up to replace a current Linux Box (Running MS and SA)

Glad to hear Linux Runs on the Proliant 800, I'm freeing one of these up soon and need to redesignate it.

Cheers!

From mike at CAMAROSS.NET Tue Jan 21 01:20:05 2003
From: mike at CAMAROSS.NET (Mike Kercher)
Date: Thu Jan 12 21:17:01 2006
Subject: Server dying problems
In-Reply-To: <20030120143619.3303.qmail@web20801.mail.yahoo.com>
Message-ID: <006201c2c0eb$3bbd1450$9901a8c0@home.middlefinger.net>

You've GOT to be kidding! Linux rocks on Compaq servers. I run Redhat on Proliant 1850's, 2500's, 6400's, 6500's and one ML type machine and not ONE of them has ever given me a problem. You may have some configuration problems that are not the fault of Compaq OR Linux.

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Juan Quesada
Sent: Monday, January 20, 2003 8:36 AM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Server dying problems

I'm surprised you are able to run Linux on Compaq servers. Linux runs like crap on Compaqs, well, at least for me it has.

--- James Pifer wrote:
> Think I might be way off base here. I talked to our Notes guy and he
> said that they are rejecting messages from certain domains and they send
> a message back saying that they were rejected for policy reasons. So I'm
> going to blacklist those domains on the MailScanner server instead and
> see if that helps.
>
> Thanks,
> James
>
>
> On Mon, 2003-01-20 at 08:48, James Pifer wrote:
> > That should have been have NOT given very good information....
> >
> > James
> >
> > On Mon, 2003-01-20 at 08:44, James Pifer wrote:
> > > We're running MailScanner 4.10-1 and having a lot of problems with the
> > > server dying. I don't know what's causing the problems as suddenly it
> > > will just die. No errors in any of the logs, it just stops. We're
> > > running Redhat 7.3 on a Compaq DL370, 1gig RAM.
> > >
> > > One thing we have noticed is that sometimes mailscanner tries to send a
> > > message back to the sender. I'm not sure what cases it tries to do this,
> > > but I think one example is the biggboss.com ones. These messages just
> > > build up in our queue because they can't be sent. Not sure if this is
> > > adding to our problems with the server. Maybe it's wasting a lot of time
> > > trying to send these?
> > >
> > > I would like to turn this off. I see Notify Sender in the conf file, but
> > > not sure by the description if this is what I should turn off.
> > >
> > > I know I have given very good information here, but if anyone has any
> > > suggestions I would appreciate it.
> > >
> > > Thanks,
> > > James

__________________________________________________
Do you Yahoo!?
Yahoo!
Mail Plus - Powerful. Affordable. Sign up now.
http://mailplus.yahoo.com

From steve at CGPSYSTEMS.COM Tue Jan 21 01:30:21 2003
From: steve at CGPSYSTEMS.COM (Steve Barr)
Date: Thu Jan 12 21:17:01 2006
Subject: Server dying problems
In-Reply-To: <006201c2c0eb$3bbd1450$9901a8c0@home.middlefinger.net>
Message-ID: <0bad01c2c0ec$aa3a5680$6e96a8c0@DELL>

> You've GOT to be kidding! Linux rocks on Compaq servers. I
> run Redhat on Proliant 1850's, 2500's, 6400's, 6500's and one
> ML type machine and not ONE of them has ever given me a

I agree. We have Debian Linux running on a DL360. It is great! It's been running since August without a single problem. Our previous mail/web server was a Compaq desktop machine. I'm almost embarrassed to say it was a free Celeron 266 with 256mb RAM. Uptime on it was 373 days!

Uptime would have been longer, but somebody (me), pulled the wrong power cord when moving devices to a new UPS... Doh!

Linux on Compaq can be very solid.

Steve Barr
Madison Local School District
Mansfield, OH

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. (MailScanner 4.11-1, 3.65)

From brichter at interaccess.com Tue Jan 21 03:48:41 2003
From: brichter at interaccess.com (brichter)
Date: Thu Jan 12 21:17:01 2006
Subject: Server dying problems
References: <0bad01c2c0ec$aa3a5680$6e96a8c0@DELL>
Message-ID: <002201c2c0ff$fda1d470$6500a8c0@internal.net>

I can confirm that also. I manage at least 10 DL360's with Redhat 7.1 and 7.3 distros at work. Knock on wood, have not had any issues. We have a lot of DL360's that blow their power supplies. So far all 2000 boxes though, none on the Linux side.

I have been using Mailscanner for about a month now with no issues on 2 sendmail boxes. (Around 40K messages a day one of them does, incoming only. The second box is secondary on MX so it only scans a few hundred a day) Also I am only using Mailscanner for it's ties into SpamAssassin. We already were using Trend Interscan for our virus scanning. (AFTER sendmail relay's internally)

Have not updated to the newest version of MailScanner yet.. Waiting to read through all my messages from the last few weeks from the mailing list to make sure there are no upgrade issues.

I just wanted to say MANY thanks to the Author of MailScanner! It's been rock solid for us so far.

----- Original Message -----
From: "Steve Barr"
To:
Sent: Monday, January 20, 2003 7:30 PM
Subject: Re: Server dying problems

> > You've GOT to be kidding! Linux rocks on Compaq servers. I
> > run Redhat on Proliant 1850's, 2500's, 6400's, 6500's and one
> > ML type machine and not ONE of them has ever given me a
>
> I agree. We have Debian Linux running on a DL360. It is great! It's
> been running since August without a single problem. Our previous
> mail/web server was a Compaq desktop machine. I'm almost embarrassed to
> say it was a free Celeron 266 with 256mb RAM. Uptime on it was 373
> days!
>
> Uptime would have been longer, but somebody (me), pulled the wrong power
> cord when moving devices to a new UPS... Doh!
>
> Linux on Compaq can be very solid.
>
> Steve Barr
> Madison Local School District
> Mansfield, OH
>
>
>
>
> --
> This message has been scanned for viruses and dangerous content by MailScanner,
> and is believed to be clean. (MailScanner 4.11-1, 3.65)

From jorgen at GIVERSEN.NET Tue Jan 21 07:54:32 2003
From: jorgen at GIVERSEN.NET (Jørgen Giversen)
Date: Thu Jan 12 21:17:01 2006
Subject: Blank Subject in Notices to System Administrators (Exim)
In-Reply-To: <5.2.0.9.2.20030120182231.02862a80@imap.ecs.soton.ac.uk>
References: <5.2.0.9.2.20030120182231.02862a80@imap.ecs.soton.ac.uk>
Message-ID: <3E2CFCB8.8030900@giversen.net>

Julian Field wrote:

> Can you try this for me?
> Edit /usr/lib/MailScanner/MailScanner/Exim.pm and change line 480 from
>
> if ("subject" eq lc $1) {
>
> to
>
> if ("subject:" eq lc $1) {
>
> (i.e. add a ':'). Then restart MailScanner and see if this fixes the
> problem.
>
> At 18:12 20/01/2003, you wrote:
>
>> I am running MailScanner 4.11 + Exim patch from Nick, and I notice (pun
>> intended) that all of my Notices to System Administrators have a blank
>> Subject field. I have Notices Include Full Headers = yes, and I can
>> see the
>> real subject in the full headers below, but the summary before the Full
>> headers just has a blank subject.
>>
>> Here's an example:
>>
>> The following e-mail messages were found to have viruses in them:
>>
>> =====================================
>> Sender:
>> IP Address: 199.105.164.4.22033
>> Recipient: xxxx@sensis.com
>> Subject:
>> MessageID: 18ag8j-0004BD-00
>> Report: /18ag8j-0004BD-00/Notes.exe Found the W32/Yaha.k
>> virus
>> !!!
>> Notes.exe contains Yaha.K
>> Executable DOS/Windows programs are dangerous in email (Notes.exe)
>>
>> Full headers are
>> Received: from smtpmail.sensis.com [199.105.164.4] (mail)
>> by dimstar.syr.sensis.com with esmtp (Exim 3.35 #1 (Debian))
>> id 18ag8j-0004BD-00; Mon, 20 Jan 2003 12:55:17 -0500
>> Received: from bgp385601bgs.jersyc01.nj.comcast.net
>> (smtpmail.sensis.com)
>> [68.36.35.194]
>> by smtpmail.sensis.com with smtp (Exim 3.12 #1 (Debian))
>> id 18ag8h-0000F2-00; Mon, 20 Jan 2003 12:55:15 -0500
>> From: Jonathan
>> To: xxxx@sensis.com
>> Subject: Things to note
>> Date: Mon,20 Jan 2003 12:55:10 PM
>> X-Mailer: Microsoft Outlook Express 5.50.4133.2400
>> MIME-Version: 1.0
>> Content-Type:multipart/mixed;
>> boundary=#r0xx#
>> Message-Id:
>> =====================================
>>
>> Is anyone else having this problem? Obviously this is not a big deal
>> since
>> email is still getting scanned, and I do have the subject in the full
>> headers. My guess is that this is Exim specific.
>>
>> Thanks.
>>
>> Jason
>
>
> --
> Julian Field
> www.MailScanner.info
> MailScanner thanks transtec Computers for their support
>

Well, I have discovered the same problem, and your solution works, thanks !!!

Best regards
Jørgen Giversen

From R.A.Gardener at SHU.AC.UK Tue Jan 21 09:07:30 2003
From: R.A.Gardener at SHU.AC.UK (Ray Gardener)
Date: Thu Jan 12 21:17:01 2006
Subject: version 4, Exim and header rewrites.
References:
Message-ID: <001701c2c12c$90234eb0$5a14348f@videoproducer>

Hi,

----- Original Message -----
From: Desai, Jason
To: MAILSCANNER@JISCMAIL.AC.UK
Sent: Monday, January 20, 2003 6:01 PM
Subject: Re: version 4, Exim and header rewrites.

>Try testing the exim re-writing rules with the following:
>exim -C -brw EMAILADDRESS

I tested using this method last week, the rewrite rules are OK and are the same that have worked successfully since Feb 2002 and happily with version 3 of Mailscanner.

>and see how exim would rewrite EMAILADDRESS.
>I think you would only need to set up the re-writing in your outgoing exim config, but I'm not sure.
>Jason

-----Original Message-----
From: Ray Gardener [mailto:R.A.Gardener@SHU.AC.UK]
Sent: Monday, January 20, 2003 8:55 AM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: [MAILSCANNER] version 4, Exim and header rewrites.

Hi,

I upgraded from version 3 to version 4 of Mailscanner last week and found that the header rewrites configured in my Exim 3.36 configuration no longer worked.

Briefly we rewrite all internal addresses with an external form before passing the mail to the outside world.

e.g. r.a.gardener@shuexchangebox.shu.ac.uk becomes R.A.Gardener@shu.ac.uk

This rewrite stopped after upgrading to version 4. Upon just downgrading the installation to version 3 of Mailscanner the rewriting restarted.

Has anyone else seen this? (and of course, is there a fix?)

Regards,

Ray Gardener
CIS
Sheffield Hallam University
Howard Street
Sheffield
UK
S1 1WB
(44) 0114 225 4926
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030121/d2a8fc88/attachment.html

From j.cormie at ABERTAY.AC.UK Tue Jan 21 10:14:05 2003
From: j.cormie at ABERTAY.AC.UK (Jason Cormie)
Date: Thu Jan 12 21:17:01 2006
Subject: Benefit of DNS caching?
Message-ID:

Is there any benefit in installing BIND on a MailScanner box for DNS caching of RBLs, without being subscribed for zone transfers?

Just a thought

Jason

From mailscanner at ecs.soton.ac.uk Tue Jan 21 11:48:04 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:01 2006
Subject: Benefit of DNS caching?
In-Reply-To:
Message-ID: <5.2.0.9.2.20030121114713.02c612e8@imap.ecs.soton.ac.uk>

At 10:14 21/01/2003, you wrote:
>Is there any benefit in installing BIND on a MailScanner box for DNS caching
>of RBLs, without being subscribed for zone transfers?

You really at least need fast access to a local DNS server. If you haven't got a DNS server very close by, then running a simple caching BIND on the MailScanner box itself would help.

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From mailscannerlist at TNJINFL.COM Tue Jan 21 12:33:20 2003
From: mailscannerlist at TNJINFL.COM (James Pifer)
Date: Thu Jan 12 21:17:01 2006
Subject: mailscanner-mrtg problem
Message-ID: <1043152400.9512.44.camel@tweety.tnjinfl.com>

Anyone seen this before with MailScanner-MRTG? On one system I'm getting these errors in emails sent from cron when mailscanner-mrtg runs.

Thanks,
James

> gd-png: fatal libpng error: Invalid filter type specified
> gd-png error: setjmp returns error condition
> gd-png: fatal libpng error: Invalid filter type specified
> gd-png error: setjmp returns error condition
> gd-png: fatal libpng error: Invalid filter type specified
> gd-png error: setjmp returns error condition
> gd-png: fatal libpng error: Invalid filter type specified
> gd-png error: setjmp returns error condition
> gd-png: fatal libpng error: Invalid filter type specified
> gd-png error: setjmp returns error condition
> gd-png: fatal libpng error: Invalid filter type specified
> gd-png error: setjmp returns error condition
> gd-png: fatal libpng error: Invalid filter type specified
> gd-png error: setjmp returns error condition
> gd-png: fatal libpng error: Invalid filter type specified
> gd-png error: setjmp returns error condition
> gd-png: fatal libpng error: Invalid filter type specified
> gd-png error: setjmp returns error condition
> gd-png: fatal libpng error: Invalid filter type specified
> gd-png error: setjmp returns error condition
> gd-png: fatal libpng error: Invalid filter type specified
> gd-png error: setjmp returns error condition
> gd-png: fatal libpng error: Invalid filter type specified
> gd-png error: setjmp returns error condition
> gd-png: fatal libpng error: Invalid filter type specified
> gd-png error: setjmp returns error condition
> gd-png: fatal libpng error: Invalid filter type specified
> gd-png error: setjmp returns error condition

On Fri, 2003-01-17 at 16:41, Dale Lovelace wrote:
>
> I got broken links on all of the graphs, perhaps your mailscanner-mrtg is not in the root of your webserver?
>
> On 17 Jan 2003 14:43:59 -0500
> James Pifer wrote:
>
> > Dave,
> >
> > What do you think? I saw you on for a little while. Sorry, I lost my
> > connection for a few minutes to the server. Were you able to tell
> > anything?
> >
> > Thanks,
> > James
> >
> > On Fri, 2003-01-17 at 09:33, Dale Lovelace wrote:
> > >
> > > Is the page publicly available where I could take a look? Which graphs are screwed up?
> > >
> > > Dale
> > >
> > > On 17 Jan 2003 09:05:09 -0500
> > > James Pifer wrote:
> > >
> > > > Dave,
> > > >
> > > > I've been using mailscanner-mrtg for my personal mail server and I love
> > > > it. I'm trying to now use it at my company and having a weird problem.
> > > > We have mailscanner running on Redhat 7.3 on Compaq hardware. I've tried
> > > > both mailscanner-mrtg version 3-6 and 2-1.
> > > >
> > > > The data is not getting created correctly. Some of it seems to be there,
> > > > but all the png files are screwed up. On my home system all the png
> > > > files are around 2-3K, while the server at work they are all around 75B.
> > > > Any ideas about what might be causing something like this?
> > > >
> > > > Thanks,
> > > > James
> > > > ps- if I should be emailing someone else or a mailing list, please
> > > > advise.
> > > >
> > >
> > > --
> > > Dale Lovelace
> > > System Administrator
> > > hotels.com
> > > (214) 361-7311 Ext. 1074
> > >
> >
>
> --
> Dale Lovelace
> System Administrator
> hotels.com
> (214) 361-7311 Ext. 1074

From Peter.Bates at LSHTM.AC.UK Tue Jan 21 15:09:20 2003
From: Peter.Bates at LSHTM.AC.UK (Peter Bates)
Date: Thu Jan 12 21:17:01 2006
Subject: Re-sending quarantined email
Message-ID:

Hello all...

I'm just undergoing a process of evaluating MailScanner (we currently use Postfix and AMaViS), and wondered if I could ask a quick question...

Apologies if this is a FAQ, but I did look through the Installation FAQ, and archives of this list for various likely solutions...

A user (one of my few 'test' users) was sent a message from a list (a 'jobs vacant' sort of list) that contained an IFRAME, or solely HTML based content.

Having not changed any of the settings relating to IFRAME, the HTML was stripped and the empty message sent on.

The user has now complained, and I've found the file in /var/spool/MailScanner/quarantine, but naturally it's just the HTML on it's own.

What's the easiest way of re-sending this file, so the user actually receives it?

And also, which setting obviously configures the 'stripping' of unwanted content rather than totally blocking the message and just informing the sender and administrator about the 'unwanted' content (in the case of any other malware/virii, I guess).

Thanks...

--------------------------------------------------------------------------------------------------->
Peter Bates, Systems Support Officer, Network Support Team.
London School of Hygiene & Tropical Medicine.
Telephone:0207-958 8353 / Fax: 0207- 636 9838

From mailscanner at ecs.soton.ac.uk Tue Jan 21 15:36:37 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:01 2006
Subject: Re-sending quarantined email
In-Reply-To:
Message-ID: <5.2.0.9.2.20030121153320.02c207f0@imap.ecs.soton.ac.uk>

At 15:09 21/01/2003, you wrote:
>A user (one of my few 'test' users) was sent a message from a list
>(a 'jobs vacant' sort of list) that contained an IFRAME, or solely HTML
>based content.
>
>Having not changed any of the settings relating to IFRAME, the HTML
>was stripped and the empty message sent on.
>
>The user has now complained, and I've found the file in
>/var/spool/MailScanner/quarantine,
>but naturally it's just the HTML on it's own.
>
>What's the easiest way of re-sending this file, so the user actually
>receives it?

If you set
Quarantine Whole Message = no
Quarantine Whole Messages As Queue Files = yes
then all you need to do is move the qf+df files into the outgoing mqueue, and they will get picked up and delivered.
If you have
Quarantine Whole Messages As Queue Files = no
then you can use "sendmail -t < input-message-file" to send the message to the original recipient.

>And also, which setting obviously configures the 'stripping' of unwanted
>content
>rather than totally blocking the message and just informing the sender and
>administrator
>about the 'unwanted' content (in the case of any other malware/virii, I
>guess).

There are
Convert Dangerous HTML To Text
and
Convert HTML To Text
options which will control this.

Of course these values can all be rulesets, so that you can apply different settings to different messages/domains/users/senders etc..

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From mailscannerlist at TNJINFL.COM Tue Jan 21 16:07:53 2003
From: mailscannerlist at TNJINFL.COM (James Pifer)
Date: Thu Jan 12 21:17:01 2006
Subject: *.united.com AND *@united.com - calrification
Message-ID: <1043165273.9509.53.camel@tweety.tnjinfl.com>

If I wanted all mail from united.com to be allowed would it be correct to whitelist both:
*.united.com
*@united.com

Whitelisting *united.com would not be generic enough right? Something like joe@myhomeunited.com would get through.

I did look at the EXAMPLES and README and just want to make sure I do it correctly.

Thanks,
James

From sylvain.phaneuf at IMSU.OXFORD.AC.UK Tue Jan 21 16:02:23 2003
From: sylvain.phaneuf at IMSU.OXFORD.AC.UK (Sylvain Phaneuf)
Date: Thu Jan 12 21:17:01 2006
Subject: order of scans
Message-ID:

I am still a newbie here, and I would like to apologise in advance if this has been covered somewhere.

Is there a way to organise the order in which the various scans occur on the system (MailScanner/SpamAssassin on RedHat)

I would like to reduce the number of notifications that some of our users get. For example we have a few users being pestered with the Snowhite and seven dwarf message, which is a virus, and the attachment is an exe file. We do not want to pass on this message, but because we have notifications on for both infected messages and blocked files, the end user still receives a message when the Snowhite message arrive. If there is a way MailScanner could be configured so that this kind of message do produce any notifications, some of our users would be quite happy,

Thanks in advance,

Sylvain

===========================================================
Sylvain Phaneuf --- Computing Manager | phone : +44 (0)1865 221323
Information Management Services Unit (Clinical School)
Oxford University | email : sylvain.phaneuf@imsu.ox.ac.uk
Room 3A25B John Radcliffe Hospital | fax : +44 (0) 1865 221322
Oxford OX3 9DU England
===========================================================

From RHerban at GRAMTEL.NET Tue Jan 21 16:08:43 2003
From: RHerban at GRAMTEL.NET (Randy Herban)
Date: Thu Jan 12 21:17:01 2006
Subject: order of scans
Message-ID:

There is an option in the MailScanner.conf about silent viruses. You should be able to enter snowwhite or something like into that option and it won't deliver a notice about it.
I'm not sure what method Julian is using to get the name of the virus so I can't say how to go about getting that.

Randy

-----Original Message-----
From: Sylvain Phaneuf [mailto:sylvain.phaneuf@IMSU.OXFORD.AC.UK]
Sent: Tuesday, January 21, 2003 11:02 AM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: order of scans

I am still a newbie here, and I would like to apologise in advance if this has been covered somewhere.

Is there a way to organise the order in which the various scans occur on the system (MailScanner/SpamAssassin on RedHat)

I would like to reduce the number of notifications that some of our users get. For example we have a few users being pestered with the Snowhite and seven dwarf message, which is a virus, and the attachment is an exe file. We do not want to pass on this message, but because we have notifications on for both infected messages and blocked files, the end user still receives a message when the Snowhite message arrive. If there is a way MailScanner could be configured so that this kind of message do produce any notifications, some of our users would be quite happy,

Thanks in advance,

Sylvain

===========================================================
Sylvain Phaneuf --- Computing Manager | phone : +44 (0)1865 221323
Information Management Services Unit (Clinical School)
Oxford University | email : sylvain.phaneuf@imsu.ox.ac.uk
Room 3A25B John Radcliffe Hospital | fax : +44 (0) 1865 221322
Oxford OX3 9DU England
===========================================================

From sylvain.phaneuf at IMSU.OXFORD.AC.UK Tue Jan 21 16:18:09 2003
From: sylvain.phaneuf at IMSU.OXFORD.AC.UK (Sylvain Phaneuf)
Date: Thu Jan 12 21:17:01 2006
Subject: order of scans
Message-ID:

That sounds promising... looking forward to hear from Julian...

>>> RHerban@GRAMTEL.NET 21/01/2003 16:08:43 >>>
There is an option in the MailScanner.conf about silent viruses. You should be able to enter snowwhite or something like into that option and it won't deliver a notice about it.
I'm not sure what method Julian is using to get the name of the virus so I can't say how to go about getting that.

Randy

-----Original Message-----
From: Sylvain Phaneuf [mailto:sylvain.phaneuf@IMSU.OXFORD.AC.UK]
Sent: Tuesday, January 21, 2003 11:02 AM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: order of scans

I am still a newbie here, and I would like to apologise in advance if this has been covered somewhere.

Is there a way to organise the order in which the various scans occur on the system (MailScanner/SpamAssassin on RedHat)

I would like to reduce the number of notifications that some of our users get. For example we have a few users being pestered with the Snowhite and seven dwarf message, which is a virus, and the attachment is an exe file. We do not want to pass on this message, but because we have notifications on for both infected messages and blocked files, the end user still receives a message when the Snowhite message arrive. If there is a way MailScanner could be configured so that this kind of message do produce any notifications, some of our users would be quite happy,

Thanks in advance,

Sylvain

===========================================================
Sylvain Phaneuf --- Computing Manager | phone : +44 (0)1865 221323
Information Management Services Unit (Clinical School)
Oxford University | email : sylvain.phaneuf@imsu.ox.ac.uk
Room 3A25B John Radcliffe Hospital | fax : +44 (0) 1865 221322
Oxford OX3 9DU England
===========================================================

From mailscanner at ecs.soton.ac.uk Tue Jan 21 16:15:22 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:01 2006
Subject: *.united.com AND *@united.com - calrification
In-Reply-To: <1043165273.9509.53.camel@tweety.tnjinfl.com>
Message-ID: <5.2.0.9.2.20030121161320.04adc348@imap.ecs.soton.ac.uk>

At 16:07 21/01/2003, you wrote:
>If I wanted all mail from united.com to be allowed would it be correct
>to whitelist both:
>*.united.com
>*@united.com
>
>Whitelisting *united.com would not be generic enough right? Something
>like joe@myhomeunited.com would get through.

The first line above would block anything@anywhere.united.com (but "anywhere" would have to be in the address). The second line above would block anything@united.com (i.e. with no "anywhere").

*.united.com == *@*.united.com

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From paul_houselander at BRISTOL-LEA.ORG.UK Tue Jan 21 16:29:46 2003
From: paul_houselander at BRISTOL-LEA.ORG.UK (Paul Houselander)
Date: Thu Jan 12 21:17:01 2006
Subject: order of scans
References:
Message-ID: <01be01c2c16a$4ff5d400$7b10140a@education.bcc.lan>

Take a look at

Silent Viruses =
Still Deliver Silent Viruses =

mailscanner.conf

As per the comments in mailscanner.conf

"# Strings listed here will be searched for in the output of the virus scanners."

So check what your virus scanner outputs and put the string in Silent Viruses

Cheers

Paul

----- Original Message -----
From: "Sylvain Phaneuf"
To:
Sent: Tuesday, January 21, 2003 4:18 PM
Subject: Re: order of scans

> That sounds promising... looking forward to hear from Julian...
>
> >>> RHerban@GRAMTEL.NET 21/01/2003 16:08:43 >>>
> There is an option in the MailScanner.conf about silent viruses. You should
> be able to enter snowwhite or something like it into that option and it won't
> deliver a notice about it.
> I'm not sure what method Julian is using to get the name of the virus so I
> can't say how to go about getting that.
>
> Randy
>
> -----Original Message-----
> From: Sylvain Phaneuf [mailto:sylvain.phaneuf@IMSU.OXFORD.AC.UK] > Sent: Tuesday, January 21, 2003 11:02 AM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: order of scans > > > I am still a newbie here, and I would like to apologise in advance if this > has been covered somewhere. > > Is there a way to organise the order in which the various scans occur on the > system (MailSvanner/SpamAssassin on RedHat) > > I would like to reduce the number of notifications that some of our users > get. For example we have a few users being pestered with the Snowhite and > seven dwarf message, which is a virus, and the attachement is an exe file. > We do not want to pass on this message, but because we have notifications on > for both infected messages and blocked files, the end user still receives a > message when the Snowhite message arrive. If there is a way MailScanner > could be configured so that this kind of message do produce any > notifications, some of our users would be quite happy, > > Thanks in advance, > > > Sylvain > > =========================================================== > Sylvain Phaneuf --- Computing Manager | phone : +44 (0)1865 221323 > Information Management Services Unit (Clinical School) > Oxford University | email : > sylvain.phaneuf@imsu.ox.ac.uk > Room 3A25B John Radcliffe Hospital | fax : +44 (0) 1865 221322 > Oxford OX3 9DU England > =========================================================== > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From R.A.Gardener at SHU.AC.UK Tue Jan 21 16:47:26 2003 
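The pattern semantics from the *.united.com reply earlier in this digest, as an added example that is not MailScanner's own matching code: it models the stated equivalence (*.united.com == *@*.united.com) with shell-style globbing and shows which constructed sender addresses each whitelist entry covers. That the same expansion applies to every pattern written without an "@" is an assumption, and all function names are hypothetical.

```python
from fnmatch import fnmatchcase


def normalise(pattern):
    # Per the reply above, "*.united.com" == "*@*.united.com". Assumption:
    # the same expansion applies to any pattern written without an "@".
    pattern = pattern.strip().lower()
    return pattern if "@" in pattern else "*@" + pattern


def matches(pattern, address):
    # Assumption: "*" matches any run of characters, including "." and nothing.
    return fnmatchcase(address.strip().lower(), normalise(pattern))


def coverage(patterns, addresses):
    """Map each address to the whitelist patterns that match it."""
    return {a: [p for p in patterns if matches(p, a)] for a in addresses}


def unintended(patterns, intended_domain, addresses):
    """Addresses the patterns let through although they are neither at
    intended_domain nor at one of its subdomains."""
    hits = []
    for a in addresses:
        domain = a.rsplit("@", 1)[-1].lower()
        inside = domain == intended_domain or domain.endswith("." + intended_domain)
        if not inside and any(matches(p, a) for p in patterns):
            hits.append(a)
    return hits


# Constructed sender addresses for the illustration.
SAMPLES = [
    "joe@united.com",              # bare domain
    "joe@mail.united.com",         # subdomain
    "joe@myhomeunited.com",        # look-alike domain from the question
    "joe@united.com.example.net",  # united.com used as a prefix only
]

if __name__ == "__main__":
    for addr, pats in coverage(["*.united.com", "*@united.com"], SAMPLES).items():
        print(f"{addr:30} {pats}")
    print("over-broad *united.com lets through:",
          unintended(["*united.com"], "united.com", SAMPLES))
```
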
From: R.A.Gardener at SHU.AC.UK (Ray Gardener)
Date: Thu Jan 12 21:17:01 2006
Subject: Version 4, Exim and header rewrites - patch required?
Message-ID: <00e601c2c16c$c77c5c40$5a14348f@videoproducer>

Hi,

I have examined the spool files produced by both version 3 and 4 of mailscanner and think that there may be a slight bug which is preventing the rewriting of certain header fields. Version 3, which works, specifies after the header length of these fields a character (F in the From: header, T in the To: header). Version 4 leaves out these letters. The exim specification suggests that these letters should be there, and inserting them in files produced by version 4 and forcing delivery gives me mail with the headers rewritten perfectly.

__________________________________________________________________________________________
An excerpt from section 56 of the Exim 3.3 specification is reproduced below

The flags at present contain only one bit, which is set for one_time addresses. It indicates that is the offset in the recipients list of the original parent of the address. The third number of the trio is for future expansion and is currently always zero. A blank line separates the envelope and status information from the headers which follow. A header may occupy several lines of the file, and to save effort when reading it in, each header is preceded by a number and an identifying character. The number is the number of characters in the header, including any embedded newlines and the terminating newline. The character is one of the following:

      header in which Exim has no special interest
  B   Bcc: header
  C   Cc: header
  F   From: header
  I   Message-id: header
  P   Received: header -- P for `postmark'
  R   Reply-To: header
  S   Sender: header
  T   To: header
  *   replaced or deleted header

Deleted or replaced (rewritten) headers remain in the spool

__________________________________________________________________________________________
Regards,

Ray Gardener
CIS
Sheffield Hallam University
Howard Street
Sheffield
UK
S1 1WB
(44) 0114 225 4926

----- Original Message -----
From: Ray Gardener
To: MailScanner mailing list
Sent: Monday, January 20, 2003 11:06 AM
Subject: Version 4, Exim and header rewrites

Hi,

I upgraded from version 3 to version 4 of Mailscanner last week and found that the header rewrites configured in my Exim 3.36 configuration no longer worked. Briefly we rewrite all internal addresses with an external form before passing the mail to the outside world.

e.g.

r.a.gardener@shuexchangebox.shu.ac.uk
becomes R.A.Gardener@shu.ac.uk

This rewrite stopped after upgrading to version 4. Upon just downgrading the installation to version 3 of Mailscanner the rewriting restarted. Has anyone else seen this? (and of course is there a fix?)

Regards,

Ray Gardener
CIS
Sheffield Hallam University
Howard Street
Sheffield
UK
S1 1WB
(44) 0114 225 4926

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030121/2bb01240/attachment.html

From mailscanner at ecs.soton.ac.uk Tue Jan 21 16:53:10 2003
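An added example (not code from this thread, from MailScanner or from Exim): a checker for the header part of a spool file as the quoted spec excerpt describes it, reporting headers whose identifying character does not match their name, which is the symptom reported above. The exact entry layout (decimal length, one identifying character, one space, then the header text), the function names and the sample headers are assumptions constructed for the illustration.

```python
import re

# Identifying characters listed in the spec excerpt quoted above.
EXPECTED = {b"bcc": "B", b"cc": "C", b"from": "F", b"message-id": "I",
            b"received": "P", b"reply-to": "R", b"sender": "S", b"to": "T"}

# Assumed layout of one entry: decimal length, one identifying character
# (a space when Exim has no special interest), one space, header text.
ENTRY = re.compile(rb"(\d+)(.) ", re.DOTALL)


def spool_entry(flag, header):
    """Build one entry for the constructed samples below."""
    return b"%03d%s %s" % (len(header), flag.encode(), header)


def parse_headers(section):
    """Return [(flag, header_bytes)] from the header part of a spool file."""
    entries, pos = [], 0
    while pos < len(section):
        m = ENTRY.match(section, pos)
        if m is None:
            raise ValueError(f"no length/flag prefix at offset {pos}")
        length = int(m.group(1))
        # The length covers embedded newlines and the terminating newline.
        text = section[m.end():m.end() + length]
        if len(text) != length or not text.endswith(b"\n"):
            raise ValueError(f"header at offset {pos} does not match its length")
        entries.append((m.group(2).decode("latin-1"), text))
        pos = m.end() + length
    return entries


def flag_mismatches(section):
    """List (header name, expected flag, flag found) for mis-tagged headers."""
    problems = []
    for flag, text in parse_headers(section):
        if flag == "*":  # replaced or deleted header that remains in the spool
            continue
        name = text.split(b":", 1)[0].strip()
        expected = EXPECTED.get(name.lower(), " ")
        if flag != expected:
            problems.append((name.decode("latin-1"), expected, flag))
    return problems


# Constructed headers (not taken from a real spool file).
HEADERS = [
    (b"Received: from mua.example by mx.example\n\tid 18aBcD-0000Ab-00\n", "P"),
    (b"From: sender@internal.example.org\n", "F"),
    (b"To: someone@example.net\n", "T"),
    (b"Subject: test\n", " "),
]
# Header section with every identifying character present.
WITH_FLAGS = b"".join(spool_entry(f, h) for h, f in HEADERS)
# Same headers with the F and T characters left blank, as reported above.
WITHOUT_FLAGS = b"".join(spool_entry(" " if f in "FT" else f, h) for h, f in HEADERS)

if __name__ == "__main__":
    print("all flags present:", flag_mismatches(WITH_FLAGS))
    print("F and T missing  :", flag_mismatches(WITHOUT_FLAGS))
```
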
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:01 2006 Subject: Version 4, Exim and header rewrites - patch required? In-Reply-To: <00e601c2c16c$c77c5c40$5a14348f@videoproducer> Message-ID: <5.2.0.9.2.20030121165218.04b99e68@imap.ecs.soton.ac.uk> The Exim code in Version 4 wasn't introduced until 4.10, so it is still fairly new. I will pass this problem onto Nick, and I am sure he will have a fix out very soon. At 16:47 21/01/2003, you wrote: >Hi, > >I have examined the spool files produced by both version 3 and 4 of >mailscanner and think that there may be a sight bug which is preventing >the rewriting of certain header fields. Version 3 which works, specifies >after the header length of these fields a character (F in the From: >header, T in the To: header). Version 4 leaves out these letters. The exim >specification suggest that these letters should be there and inserting >them in files produced by version 4 and forcing delivery gives me mail >with the headers rewritten perfectly. > >__________________________________________________________________________________________ >An excerpt from section 56 the Exim 3.3 specification is reproduced below > > >The flags at present contain only one bit, which is set for one_time >addresses. It indicates that is the offset in the >recipients list of the original parent of the address. The third number of >the trio is for future expansion and is currently always zero. A blank >line separates the envelope and status information from the headers which >follow. A header may occupy several lines of the file, and to save effort >when reading it in, each header is preceded by a number and an identifying >character. The number is the number of characters in the header, including >any embedded newlines and the terminating newline. The character is one of >the following: > header in which Exim has no special interest > B Bcc: header > C Cc: header > F 
From: header > I Message-id: header > P Received: header -- P for `postmark' > R Reply-To: header > S Sender: header > T To: header > * replaced or deleted header >Deleted or replaced (rewritten) headers remain in the spool > >__________________________________________________________________________________________ >Regards, > >Ray Gardener >CIS >Sheffield Hallam University >Howard Street >Sheffield >UK >S1 1WB >(44) 0114 225 4926 >----- Original Message ----- >From: Ray Gardener >To: MailScanner mailing list >Sent: Monday, January 20, 2003 11:06 AM >Subject: Version 4, Exim and header rewrites > >Hi, > >I upgraded from version 3 to version 4 of Mailscanner last week and found >that the header rewrites configured in my Exim 3.36 configuration no >longed worked. Briefly we rewrite all internal addresses with an external >form before passing the mail to the outside world. > >e.g. > >r.a.gardener@shuexchangebox.shu.ac.uk >becomes R.A.Gardener@shu.ac.uk > >This rewrite stopped after upgrading to version 4. Upon just downgrading >the installation to version 3 of Mailscanner the rewriting restarted. Has >anyone else seen this? (and of course is there a fix?) > >Regards, > >Ray Gardener >CIS >Sheffield Hallam University >Howard Street >Sheffield >UK >S1 1WB >(44) 0114 225 4926 -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030121/a6fee60b/attachment.html From viers at UNILIM.FR Tue Jan 21 17:08:53 2003 
From: viers at UNILIM.FR (Nicolas Viers - SCI)
Date: Thu Jan 12 21:17:01 2006
Subject: Defunct process
Message-ID: <5.0.2.1.2.20030121180438.027de908@pop.unilim.fr>

Hello,
I had seen this message in the archive list:
-------------------------------------------
This is a behaviour seen on a few operating system versions. It is entirely harmless and nothing to worry about. It doesn't affect your OS or MailScanner at all.

At 08:16 29/08/2002, you wrote:
>Hi all,
>I see a [mailscanner ] process that moves around to different PIDs.
>Mailscanner is still running the normal processes like
>
>21759 ? S 0:00 sendmail: accepting connections
>21764 ? S 0:00 /usr/sbin/sendmail -q1m
>21773 ? S 0:00 /usr/bin/perl /usr/local/MailScanner/bin/mailscanner /usr/local/MailScanner/etc/mailscanner.conf
>and below this:
>
>21868 ? Z 0:00 [mailscanner ]
>
--------------------------------------------

You said it is harmless; but my mailscanner always tries to start a child process and does not work anymore. The messages stay in the mqueue.in directory

I installed the 4.05 version again and it's ok

Thanks a lot for your answer

____________________________________________________________
Nicolas Viers | Service Commun Informatique
Mél: viers@unilim.fr | 123, avenue Albert Thomas
| 87060 Limoges cedex
Tel: 05-55-45-77-09 | Fax: 05-55-45-75-95
http://www.unilim.fr/sci
____________________________________________________________

From mailscanner at ecs.soton.ac.uk Tue Jan 21 17:09:38 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:01 2006 Subject: Defunct process In-Reply-To: <5.0.2.1.2.20030121180438.027de908@pop.unilim.fr> Message-ID: <5.2.0.9.2.20030121170929.02cfc508@imap.ecs.soton.ac.uk> Anything in the logs to show what happened? At 17:08 21/01/2003, you wrote: > Hello, >i had seen this message in the archive list: >------------------------------------------- >This is a behaviour seen on a few operating system versions. It is >entirely harmless and nothing to worry about. It doesn't affect your OS or >MailScanner at all. >At 08:16 29/08/2002, you wrote: > >Hi all, > >I see a [mailscanner ] process that moves around to different PIDs. > >Mailscanner is still running the normal processes like > > > >21759 ? S 0:00 sendmail: accepting connections > >21764 ? S 0:00 /usr/sbin/sendmail -q1m > >21773 ? S 0:00 /usr/bin/perl > /usr/local/MailScanner/bin/mailscanner >/usr/local/MailScanner/etc/mailsca > nn er.conf > >and below this: > > > >21868 ? Z 0:00 [mailscanner ] > >-------------------------------------------- > >You said it is harmless; but my mailscanner always try to start chil >process and >does not work anymore. The messages stay in the mqueue.in directory > >I install again the 4.05 version and it's ok > >Thanks a lot for your answer > > > >____________________________________________________________ > >Nicolas Viers | Service Commun Informatique >M?l: viers@unilim.fr | 123, avenue Albert Thomas > | 87060 Limoges cedex >Tel: 05-55-45-77-09 | Fax: 05-55-45-75-95 > http://www.unilim.fr/sci >____________________________________________________________ > -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From hostmaster at NEXNET.ES Tue Jan 21 18:07:15 2003 
From: hostmaster at NEXNET.ES (Jesus Garrote) Date: Thu Jan 12 21:17:01 2006 Subject: Option for notify senders does not work Message-ID: <4.3.2.7.0.20030121184622.00e14500@carrota.nexnet.es> Hi all, We are running "MailScanner-4.11-1" in one of our servers and all works fine, except to notify the people who sent us messages containing viruses or badly-named filenames. Looking in the " MailScanner.conf " file: Notify Senders = yes But no mail is sent to the mail senders. Cleaned mails, and correctly-named filenames are sent "ok" to the all recipients. Also local "postmaster" receives the notices. What are we doing wrong ? Thank you very much. Jesus From mailscanner at ecs.soton.ac.uk Tue Jan 21 18:24:18 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:01 2006 Subject: Option for notify senders does not work In-Reply-To: <4.3.2.7.0.20030121184622.00e14500@carrota.nexnet.es> Message-ID: <5.2.0.9.2.20030121182240.025886e0@imap.ecs.soton.ac.uk> Have you customised the sender reports at all? If you have damaged them, then they may not work any more. Feel free to mail yours (and your MailScanner.conf file) and I will take a look for you. At 18:07 21/01/2003, you wrote: >Hi all, > >We are running "MailScanner-4.11-1" in one of our servers and all works fine, >except to notify the people who sent us messages containing viruses or >badly-named filenames. > >Looking in the " MailScanner.conf " file: > > Notify Senders = yes > >But no mail is sent to the mail senders. > >Cleaned mails, and correctly-named filenames are sent "ok" to the all >recipients. >Also local "postmaster" receives the notices. > >What are we doing wrong ? > >Thank you very much. > > Jesus -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From hostmaster at NEXNET.ES Tue Jan 21 18:40:08 2003 
From: hostmaster at NEXNET.ES (Jesus Garrote) Date: Thu Jan 12 21:17:01 2006 Subject: Option for notify senders does not work (cont) In-Reply-To: <5.2.0.9.2.20030121182240.025886e0@imap.ecs.soton.ac.uk> References: <4.3.2.7.0.20030121184622.00e14500@carrota.nexnet.es> Message-ID: <4.3.2.7.0.20030121192714.00dc8b90@carrota.nexnet.es> Hi all, Julian, you are right: we are using customized reports (from the original "spanish" translations). Attached you can see our: - Mailscanner.conf - sender.filename.report.txt - sender.virus.report.txt files. The mailscanner program is installed under "/usr/local/servers/Antivirus/MailScanner-4.11-1" folder. Also we have the following "logical links": /usr/local/servers/Antivirus/MailScanner --> /usr/local/servers/Antivirus/MailScanner-4.11-1 /usr/local/servers/Antivirus/mailscanner --> /usr/local/servers/Antivirus/MailScanner-4.11-1 Any clue ?? Thanks in advance. Jesus -------------- next part -------------- A non-text attachment was scrubbed... Name: MailScanner.conf Type: application/octet-stream Size: 35558 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030121/ec7054a4/MailScanner.obj -------------- next part -------------- 
From: "MailScanner" <$localpostmaster> To: $from Subject: =?ISO-8859-1?Q?Atenci=F3n:_Virus_de_e-mail_detectados?= MIME-Version: 1.0 Content-type: text/plain; charset=ISO-8859-1 Content-transfer-encoding: Quoted-Printable X-MailScanner: generated Nuestro detector de virus ha sido activado por un mensaje enviado por Usted:- A: $to Tema: $subject Fecha: $date Uno o m=E1s de los anexos est=E1n en la lista de archivos no aceptados por este sitio y no ser=E1n entregados. Considere renombrar los archivos o comprimirlos en un archivo ".zip" para evitar esta restricci=F3n. El detector de virus dijo lo siguiente acerca del mensaje: Reporte: $report -- Dep. Sistemas Informacion - NexGrup Tel. (902) 28 46 21 Email informatica@nexgrup.es -------------- next part -------------- From: "MailScanner" <$localpostmaster> To: $from Subject: =?ISO-8859-1?Q?Atenci=F3n:_Virus_detectado_en_el_E-mail?= X-MailScanner: generated MIME-Version: 1.0 Content-type: text/plain; charset=ISO-8859-1 Content-transfer-encoding: Quoted-Printable Nuestro detector de virus ha sido activado por un mensaje enviado por Usted:- A: $to Tema: $subject Fecha: $date Las partes del mensaje que estaban infectadas no han sido enviadas. Este mensaje es s=F3lo para avisarle que su sistema puede tener un virus y deber=EDa verificarlo. El detector de virus dijo lo siguiente acerca del mensaje: Reporte: $report -- Dep. Sistemas Informacion - NexGrup Tel. (902) 28 46 21 Email informatica@nexgrup.es From mailscanner at ecs.soton.ac.uk Tue Jan 21 18:56:52 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:01 2006 Subject: Option for notify senders does not work (cont) In-Reply-To: <4.3.2.7.0.20030121192714.00dc8b90@carrota.nexnet.es> References: <5.2.0.9.2.20030121182240.025886e0@imap.ecs.soton.ac.uk> <4.3.2.7.0.20030121184622.00e14500@carrota.nexnet.es> Message-ID: <5.2.0.9.2.20030121185051.029c5e88@imap.ecs.soton.ac.uk> The first thing that strikes me is that your files are in DOS text file format, rather than Unix text file format. Pump them through dos2unix. The files provided with MailScanner are Unix text files. The different end-of-line sequences may be enough to stop sendmail/Exim handling them properly. At 18:40 21/01/2003, you wrote: >Hi all, > >Julian, you are right: we are using customized reports (from the original >"spanish" translations). > >Attached you can see our: > - Mailscanner.conf > - sender.filename.report.txt > - sender.virus.report.txt >files. > >The mailscanner program is installed under >"/usr/local/servers/Antivirus/MailScanner-4.11-1" folder. >Also we have the following "logical links": > > /usr/local/servers/Antivirus/MailScanner --> >/usr/local/servers/Antivirus/MailScanner-4.11-1 > /usr/local/servers/Antivirus/mailscanner --> >/usr/local/servers/Antivirus/MailScanner-4.11-1 > >Any clue ?? > >Thanks in advance. > > Jesus > > > -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From hostmaster at NEXNET.ES Tue Jan 21 19:03:48 2003 
From: hostmaster at NEXNET.ES (Jesus Garrote)
Date: Thu Jan 12 21:17:01 2006
Subject: Option for notify senders does not work (cont)
In-Reply-To: <5.2.0.9.2.20030121185051.029c5e88@imap.ecs.soton.ac.uk>
References: <4.3.2.7.0.20030121192714.00dc8b90@carrota.nexnet.es> <5.2.0.9.2.20030121182240.025886e0@imap.ecs.soton.ac.uk> <4.3.2.7.0.20030121184622.00e14500@carrota.nexnet.es>
Message-ID: <4.3.2.7.0.20030121195717.00dd3e20@carrota.nexnet.es>

Julian,

I have downloaded those files from our unix server to my windows-98 computer, where I wrote the email message sent to the mailing list.

This is the reason (I know) why the files are in DOS format, rather than the unix one.

;-)

Jesus

From mailscannerlist at TNJINFL.COM Tue Jan 21 21:37:03 2003
From: mailscannerlist at TNJINFL.COM (James Pifer)
Date: Thu Jan 12 21:17:01 2006
Subject: My problems continue - Please help ASAP
Message-ID: <1043185023.9510.92.camel@tweety.tnjinfl.com>

A new problem (could be related to my other problems) came up on the server we have running mailscanner. Mail was not being routed for some reason. The server was receiving mail, but it was all getting stuck in mqueue.in and/or mqueue.

I restarted MailScanner (4.10-1) and that didn't seem to do anything.

We still have a ton of messages in mqueue.in and quite a bit in mqueue as well. Should it still deliver everything? It's delivering mail but I can't figure out where it's picking it up from.

Has anyone seen this before? I downloaded the maillog and the only problem I see is a lot of timeouts while trying to check the RBL's. Currently I'm using ORDB-RBL and Infinite-Monkeys.

We had problems where our server just dies. Could these timeouts have anything to do with it?

I'm open to any suggestions.

Thanks,
James

From RHerban at GRAMTEL.NET Tue Jan 21 21:33:10 2003
From: RHerban at GRAMTEL.NET (Randy Herban)
Date: Thu Jan 12 21:17:01 2006
Subject: My problems continue - Please help ASAP
Message-ID:

If you are getting a bunch of timeouts to RBL's then it's probably a good idea to disable them for the time being.
When ORDB (I think) was having problems couple weeks ago mail backed up because spamassassin was timing out to RBLs.
Disabling the rbl checks solved the problem and let mail be delivered.

-Randy

-----Original Message-----
From: James Pifer [mailto:mailscannerlist@TNJINFL.COM]
Sent: Tuesday, January 21, 2003 4:37 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: My problems continue - Please help ASAP

A new problem (could be related to my other problems) came up on the server we have running mailscanner. Mail was not being routed for some reason. The server was receiving mail, but it was all getting stuck in mqueue.in and/or mqueue.

I restarted MailScanner (4.10-1) and that didn't seem to do anything.

We still have a ton of messages in mqueue.in and quite a bit in mqueue as well. Should it still deliver everything? It's delivering mail but I can't figure out where it's picking it up from.

Has anyone seen this before? I downloaded the maillog and the only problem I see is a lot of timeouts while trying to check the RBL's. Currently I'm using ORDB-RBL and Infinite-Monkeys.

We had problems where our server just dies. Could these timeouts have anything to do with it?

I'm open to any suggestions.

Thanks,
James

From mailscanner at ecs.soton.ac.uk Tue Jan 21 21:38:29 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:02 2006 Subject: My problems continue - Please help ASAP In-Reply-To: <1043185023.9510.92.camel@tweety.tnjinfl.com> Message-ID: <5.2.0.9.2.20030121213404.01ae27f0@imap.ecs.soton.ac.uk> At 21:37 21/01/2003, you wrote: >A new problem(could be related to my other problems) came up on the >server we have running mailscanner. Mail was not being routed for some >reason. The server was recieving mail, but it was all getting stuck in >mqueue.in and/or mqueue. > >I restarted MailScanner(4.10-1) and that didn't seem to do anything. > >We still have a ton of messages in mqeueu.in and quite a bit in mqueue >as well. Should it still deliver everything? It's delivering mail but I >can't figure out where it's picking it up from. > >Has anyone seen this before. I downloaded the maillog and the only >problem I see is a lot of timeouts while trying to check the RBL's. >Currently I'm using ORDB-RBL and Infinite-Monkeys. > >We had problems where our server just dies. Could these timeouts have >anything to do with it? > >I'm open to any suggestions. Start by switching off the spam checking. Make sure you only have 1 version of MailScanner running. Make sure you only have the sendmail processes running that are started as part of MailScanner. Be careful you don't have any running with both daemon options "-bd -q15m". Make sure all your hardware works. Make sure you haven't run out of disk space anywhere (do a "df -k" to check). Run "sendmail -q -v" and see what it prints out as it tries to deliver all the outgoing queue. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From mailscannerlist at TNJINFL.COM Tue Jan 21 21:52:18 2003 
From: mailscannerlist at TNJINFL.COM (James Pifer) Date: Thu Jan 12 21:17:02 2006 Subject: My problems continue - Please help ASAP In-Reply-To: References: Message-ID: <1043185939.9513.95.camel@tweety.tnjinfl.com> Couple dumb questions: - How do I disable them? (in case there are multiple places I should do it) Just remove them from MailScanner.conf? - Is this going to allow more spam to get through? Thanks, James On Tue, 2003-01-21 at 16:33, Randy Herban wrote: > If you are getting a bunch of timeouts to RBL's then its probably a good > idea to disable them for the time being. > When ORDB (I think) was having problems couple weeks ago mail backed up > because spamassassin was timing out to RBLs. > Disabling the rbl checks solved the problem and let mail be delivered. > > -Randy > > -----Original Message----- > From: James Pifer [mailto:mailscannerlist@TNJINFL.COM] > Sent: Tuesday, January 21, 2003 4:37 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: My problems continue - Please help ASAP > > > A new problem(could be related to my other problems) came up on the server > we have running mailscanner. Mail was not being routed for some reason. The > server was recieving mail, but it was all getting stuck in mqueue.in and/or > mqueue. > > I restarted MailScanner(4.10-1) and that didn't seem to do anything. > > We still have a ton of messages in mqeueu.in and quite a bit in mqueue as > well. Should it still deliver everything? It's delivering mail but I can't > figure out where it's picking it up from. > > Has anyone seen this before. I downloaded the maillog and the only problem I > see is a lot of timeouts while trying to check the RBL's. Currently I'm > using ORDB-RBL and Infinite-Monkeys. > > We had problems where our server just dies. Could these timeouts have > anything to do with it? > > I'm open to any suggestions. > > Thanks, > James From dwinkler at ALGORITHMICS.COM Tue Jan 21 21:51:50 2003 
From: dwinkler at ALGORITHMICS.COM (Derek Winkler) Date: Thu Jan 12 21:17:02 2006 Subject: Permissions on Quarantine Message-ID: <06EE2C86D3DAD5119A6C0060943F3C970402C10D@tormail1.algorithmics.com> Is there a way to change the permissions used to create directories/files in quarantine? Thanks, Derek Winkler Security Administrator Algorithmics Inc., Toronto Tel: (416) 217-4107 Fax: (416) 971-6263 www.algorithmics.com -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030121/5124c3f2/attachment.html From mailscanner at ecs.soton.ac.uk Tue Jan 21 21:52:21 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:02 2006 Subject: My problems continue - Please help ASAP In-Reply-To: <1043185939.9513.95.camel@tweety.tnjinfl.com> References: Message-ID: <5.2.0.9.2.20030121215115.02a81710@imap.ecs.soton.ac.uk> At 21:52 21/01/2003, you wrote: >Couple dumb questions: >- How do I disable them? (in case there are multiple places I should do >it) Just remove them from MailScanner.conf? Set the spam list setting to just be blank. >- Is this going to allow more spam to get through? Yes, temporarily. Just while we try to get it all working. >Thanks, >James > >On Tue, 2003-01-21 at 16:33, Randy Herban wrote: > > If you are getting a bunch of timeouts to RBL's then its probably a good > > idea to disable them for the time being. > > When ORDB (I think) was having problems couple weeks ago mail backed up > > because spamassassin was timing out to RBLs. > > Disabling the rbl checks solved the problem and let mail be delivered. > > > > -Randy > > > > -----Original Message----- 
> > From: James Pifer [mailto:mailscannerlist@TNJINFL.COM] > > Sent: Tuesday, January 21, 2003 4:37 PM > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: My problems continue - Please help ASAP > > > > > > A new problem(could be related to my other problems) came up on the server > > we have running mailscanner. Mail was not being routed for some reason. The > > server was recieving mail, but it was all getting stuck in mqueue.in and/or > > mqueue. > > > > I restarted MailScanner(4.10-1) and that didn't seem to do anything. > > > > We still have a ton of messages in mqeueu.in and quite a bit in mqueue as > > well. Should it still deliver everything? It's delivering mail but I can't > > figure out where it's picking it up from. > > > > Has anyone seen this before. I downloaded the maillog and the only > problem I > > see is a lot of timeouts while trying to check the RBL's. Currently I'm > > using ORDB-RBL and Infinite-Monkeys. > > > > We had problems where our server just dies. Could these timeouts have > > anything to do with it? > > > > I'm open to any suggestions. > > > > Thanks, > > James -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From mailscannerlist at TNJINFL.COM Tue Jan 21 22:02:46 2003 
From: mailscannerlist at TNJINFL.COM (James Pifer)
Date: Thu Jan 12 21:17:02 2006
Subject: My problems continue - Please help ASAP
In-Reply-To: <5.2.0.9.2.20030121213404.01ae27f0@imap.ecs.soton.ac.uk>
References: <5.2.0.9.2.20030121213404.01ae27f0@imap.ecs.soton.ac.uk>
Message-ID: <1043186566.9493.106.camel@tweety.tnjinfl.com>

It seems like it's catching up slowly. I haven't done a couple of these yet, but I wanted to respond.

Only one version of MailScanner has been installed
ps -ef | grep sendmail gives the output at the bottom.
I believe the hardware is ok
Plenty of disk space free
Haven't run sendmail -q -v yet. Should I run that while MailScanner is running, or stop MailScanner first, or leave MailScanner running, but spam turned off?

Thanks,
James

root@pcalaklx01 log]# ps -ef | grep sendmail
root 779 1 0 14:43 ? 00:00:00 sendmail: accepting connections
root 795 1 0 14:43 ? 00:00:00 /usr/sbin/sendmail -q15m
root 11945 1 0 15:44 ? 00:00:00 sendmail: ./h0LKWjO10074 [10.96.
root 11948 1 0 15:44 ? 00:00:00 sendmail: ./h0LKX4O10098: from q
root 11951 1 0 15:44 ? 00:00:00 sendmail: ./h0LKUcO09776: from q
root 11954 1 0 15:44 ? 00:00:00 sendmail: ./h0LKYqO10331 [10.96.
root 11957 1 0 15:44 ? 00:00:00 sendmail: ./h0LKaXO10640: from q
root 12297 1 0 15:45 ? 00:00:00 sendmail: ./h0LKK3D08065: from q
root 12300 1 0 15:45 ? 00:00:00 sendmail: ./h0LKNMO08578 [10.96.
root 12303 1 0 15:45 ? 00:00:00 sendmail: ./h0LKHlD07880 [10.96.
root 12306 1 0 15:45 ? 00:00:00 sendmail: ./h0LKL3D08224: from q
root 12309 1 0 15:45 ? 00:00:00 sendmail: ./h0LKK5D08067 [10.96.
root 12504 1 0 15:46 ? 00:00:00 sendmail: ./h0LKToO09599: from q
root 12507 1 0 15:46 ? 00:00:00 sendmail: ./h0LKPkO09049 [10.96.
root 12510 1 0 15:46 ? 00:00:00 sendmail: ./h0LKTuO09613 [10.96.
root 12513 1 0 15:46 ? 00:00:00 sendmail: ./h0LKQPO09134 [10.96.
root 12516 1 0 15:46 ? 00:00:00 sendmail: ./h0LKRYO09295 [10.96.
root 12530 779 0 15:46 ? 00:00:00 sendmail: server dfw7-1.relay.ma
root 12572 779 0 15:46 ? 00:00:00 sendmail: server ashd1-1.relay.m
root 12606 779 0 15:46 ? 00:00:00 sendmail: server La03mail24.powe
root 12635 779 0 15:46 ? 00:00:00 sendmail: server [64.152.200.111
root 12640 779 0 15:47 ? 00:00:00 sendmail: server offerchkmail11.
root 12755 1 0 15:47 ? 00:00:00 sendmail: ./h0LKc9O10871 [10.96.
root 12757 1 0 15:47 ? 00:00:00 sendmail: ./h0LKhi601017 [10.96.
root 12759 1 0 15:47 ? 00:00:00 sendmail: ./h0LKdIO11089: from q
root 12764 1 0 15:47 ? 00:00:00 sendmail: ./h0LKdNO11106: from q
root 12767 1 0 15:47 ? 00:00:00 sendmail: ./h0LKc4O10857: from q
root 12795 779 0 15:47 ? 00:00:00 sendmail: server chi6-1.relay.ma
root 12814 779 0 15:47 ? 00:00:00 sendmail: server members2.emailw
root 12815 779 0 15:47 ? 00:00:00 sendmail: server port-64-1956812
root 12820 12606 0 15:47 ? 00:00:00 sendmail: h0LLlV612820 La03mail2
root 12825 12572 0 15:47 ? 00:00:00 sendmail: h0LLlX612825 ashd1-1.r
root 12841 779 0 15:47 ? 00:00:00 sendmail: startup with [209.164.
root 12864 12815 0 15:47 ? 00:00:00 sendmail: h0LLlh612864 port-64-1
root 12866 779 0 15:47 ? 00:00:00 sendmail: startup with 12.5.161.
root 12875 12635 0 15:47 ? 00:00:00 sendmail: h0LLlk612875 [64.152.2
root 12878 779 0 15:47 ? 00:00:00 sendmail: startup with mail11.at
root 12880 779 0 15:47 ? 00:00:00 sendmail: server mail228.mb11.co
root 12882 779 0 15:47 ? 00:00:00 sendmail: server wic1.worldatama
root 12893 12880 0 15:47 ? 00:00:00 sendmail: h0LLlu612893 mail228.m
root 12894 12882 0 15:47 ? 00:00:00 sendmail: h0LLlu612894 wic1.worl
root 12896 735 0 15:47 pts/0 00:00:00 grep sendmail
You have new mail in /var/spool/mail/root
[root@pcalaklx01 log]#

On Tue, 2003-01-21 at 16:38, Julian Field wrote:
> At 21:37 21/01/2003, you wrote:
> >A new problem (could be related to my other problems) came up on the
> >server we have running mailscanner. Mail was not being routed for some
> >reason. The server was receiving mail, but it was all getting stuck in
> >mqueue.in and/or mqueue.
> > > >I restarted MailScanner(4.10-1) and that didn't seem to do anything. > > > >We still have a ton of messages in mqeueu.in and quite a bit in mqueue > >as well. Should it still deliver everything? It's delivering mail but I > >can't figure out where it's picking it up from. > > > >Has anyone seen this before. I downloaded the maillog and the only > >problem I see is a lot of timeouts while trying to check the RBL's. > >Currently I'm using ORDB-RBL and Infinite-Monkeys. > > > >We had problems where our server just dies. Could these timeouts have > >anything to do with it? > > > >I'm open to any suggestions. > > Start by switching off the spam checking. > Make sure you only have 1 version of MailScanner running. > Make sure you only have the sendmail processes running that are started as > part of MailScanner. Be careful you don't have any running with both daemon > options "-bd -q15m". > Make sure all your hardware works. > Make sure you haven't run out of disk space anywhere (do a "df -k" to check). > Run "sendmail -q -v" and see what it prints out as it tries to deliver all > the outgoing queue. > > -- > Julian Field > www.MailScanner.info > MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Tue Jan 21 22:12:33 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:02 2006
Subject: Permissions on Quarantine
In-Reply-To: <06EE2C86D3DAD5119A6C0060943F3C970402C10D@tormail1.algorithmics.com>
Message-ID: <5.2.0.9.2.20030121220904.02a75ec8@imap.ecs.soton.ac.uk>

At 21:51 21/01/2003, you wrote:
>Is there a way to change the permissions used to create directories/files
>in quarantine?

I intentionally use default permissions that are restrictive, as we don't
want to inadvertently give access to other users or programs.

In the main MailScanner script there is a "umask 0077" which you are free
to change if you don't like it.
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Tue Jan 21 22:14:46 2003
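Added example (not part of the original message and not MailScanner code): what the "umask 0077" mentioned in the quarantine-permissions reply above does to newly created directories and files, compared with two looser masks, plus a check that lists anything readable beyond the owner. The function names, the temporary directory and the entry names are all constructed for the demonstration.

```shell
#!/bin/sh
# Added example: effect of the process umask on quarantine-style entries.
# Nothing here touches a real quarantine; the tree is built under mktemp.

# make_entry BASE UMASK NAME
# Create BASE/NAME and one file inside it the way a daemon running with
# the given umask would (mkdir asks for 0777, file creation for 0666).
make_entry() {
    (
        umask "$2"
        mkdir "$1/$3" && : > "$1/$3/attachment.bin"
    )
}

# list_group_access DIR: entries with any group permission bit set.
list_group_access() {
    find "$1" \( -perm -0040 -o -perm -0020 -o -perm -0010 \) -print
}

# list_world_access DIR: entries with any "other" permission bit set.
list_world_access() {
    find "$1" \( -perm -0004 -o -perm -0002 -o -perm -0001 \) -print
}

# count_lines: number of lines on stdin, without padding.
count_lines() {
    wc -l | tr -d ' '
}

# demo_counts: build a throw-away tree with three umasks and print
# "<entries with group access> <entries with world access>".
demo_counts() {
    demo_base=$(mktemp -d) || return 1
    make_entry "$demo_base" 0077 msg-umask-0077   # dir 0700, file 0600
    make_entry "$demo_base" 0027 msg-umask-0027   # dir 0750, file 0640
    make_entry "$demo_base" 0022 msg-umask-0022   # dir 0755, file 0644
    demo_group=$(list_group_access "$demo_base" | count_lines)
    demo_world=$(list_world_access "$demo_base" | count_lines)
    rm -rf "$demo_base"
    echo "$demo_group $demo_world"
}

demo_counts
```

Pointing list_group_access or list_world_access at a real quarantine directory lists what a relaxed umask has already exposed.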
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:02 2006
Subject: My problems continue - Please help ASAP
In-Reply-To: <1043186566.9493.106.camel@tweety.tnjinfl.com>
References: <5.2.0.9.2.20030121213404.01ae27f0@imap.ecs.soton.ac.uk> <5.2.0.9.2.20030121213404.01ae27f0@imap.ecs.soton.ac.uk>
Message-ID: <5.2.0.9.2.20030121221332.02ab5ee8@imap.ecs.soton.ac.uk>

At 22:02 21/01/2003, you wrote:
>It seems like it's catching up slowly. I haven't done a couple of these
>yet, but I wanted to respond.
>
>Only one version of MailScanner has been installed
>ps -ef | grep sendmail gives the output at the bottom.
>I believe the hardware is ok
>Plenty of disk space free
>
>Haven't run sendmail -q -v yet. Should I run that while MailScanner is
>running, or stop MailScanner first, or leave MailScanner running, but
>spam turned off?

Shouldn't matter. Probably worth killing off the sendmail processes first
though, in case you have a version that won't run multiple simultaneous
queue runners.

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From mailscannerlist at TNJINFL.COM Wed Jan 22 00:30:23 2003
From: mailscannerlist at TNJINFL.COM (James Pifer)
Date: Thu Jan 12 21:17:02 2006
Subject: My problems continue - Please help ASAP
In-Reply-To: <5.2.0.9.2.20030121221332.02ab5ee8@imap.ecs.soton.ac.uk>
References: <5.2.0.9.2.20030121213404.01ae27f0@imap.ecs.soton.ac.uk> <5.2.0.9.2.20030121213404.01ae27f0@imap.ecs.soton.ac.uk> <5.2.0.9.2.20030121221332.02ab5ee8@imap.ecs.soton.ac.uk>
Message-ID: <1043195424.9493.113.camel@tweety.tnjinfl.com>

Julian,

I turned off RBL checking, Spam checking, and tried to run sendmail -q
-v both with MailScanner running and not running. I still have tons of
mail in both mqueue and mqueue.in that isn't getting delivered.

See attached txt file which is the output of running sendmail commands.

Thanks,
James

On Tue, 2003-01-21 at 17:14, Julian Field wrote:
> At 22:02 21/01/2003, you wrote:
> >It seems like it's catching up slowly. I haven't done a couple of these
> >yet, but I wanted to respond.
> >
> >Only one version of MailScanner has been installed
> >ps -ef | grep sendmail gives the output at the bottom.
> >I believe the hardware is ok
> >Plenty of disk space free
> >
> >Haven't run sendmail -q -v yet. Should I run that while MailScanner is
> >running, or stop MailScanner first, or leave MailScanner running, but
> >spam turned off?
>
> Shouldn't matter. Probably worth killing off the sendmail processes first
> though, in case you have a version that won't run multiple simultaneous
> queue runners.

-------------- next part --------------
Running /var/spool/mqueue/h0M0Ch601182 (sequence 1 of 5)
h0M0Ch601182: locked
Running /var/spool/mqueue/h0M0C0601031 (sequence 2 of 5)
h0M0C0601031: locked
Running /var/spool/mqueue/h0M0CT601126 (sequence 3 of 5)
... Connecting to [10.96.5.41] via esmtp...
220 pcalaklh01.pca.com ESMTP Service (Lotus Domino Release 5.0.11) ready at Tue, 21 Jan 2003 18:06:39 -0600
>>> EHLO pcalaklx01.packagingcorp.com
250-pcalaklh01.pca.com Hello pcalaklx01.packagingcorp.com ([63.67.43.164]), pleased to meet you
250-HELP
250-SIZE 10485760
250 PIPELINING
>>> MAIL From: SIZE=6001
250 perf-errors.1290.149416.34046527.501.0.4@b.list-email.net... Sender OK
>>> RCPT To:
250 sbatchelder@packagingcorp.com... Recipient OK
>>> DATA
354 Enter message, end with "." on a line by itself
>>> .
250 Message accepted for delivery
... Sent (Message accepted for delivery)
Running /var/spool/mqueue/h0M0Cr601211 (sequence 4 of 5)
Running /var/spool/mqueue/h0M0CK601111 (sequence 5 of 5)
h0M0CK601111: locked
Closing connection to [10.96.5.41]
>>> QUIT
221 pcalaklh01.pca.com SMTP Service closing transmission channel
[root@pcalaklx01 root]# sendmail -q -v
Running /var/spool/mqueue/h0M0CK601111 (sequence 1 of 1)
h0M0CK601111: locked
[root@pcalaklx01 root]# sendmail -q -v
Running /var/spool/mqueue/h0M0CK601111 (sequence 1 of 2)
h0M0CK601111: locked
Running /var/spool/mqueue/h0M0DF601251 (sequence 2 of 2)
h0M0DF601251: locked
[root@pcalaklx01 root]# sendmail -q -v
Running /var/spool/mqueue/h0M0CK601111 (sequence 1 of 2)
h0M0CK601111: locked
Running /var/spool/mqueue/h0M0DF601251 (sequence 2 of 2)
h0M0DF601251: locked
[root@pcalaklx01 root]# sendmail -q -v
Running /var/spool/mqueue/h0M0DK601261 (sequence 1 of 2)
^[[A... Connecting to [10.96.5.41] via esmtp...
220 pcalaklh01.pca.com ESMTP Service (Lotus Domino Release 5.0.11) ready at Tue, 21 Jan 2003 18:06:56 -0600
>>> EHLO pcalaklx01.packagingcorp.com
250-pcalaklh01.pca.com Hello pcalaklx01.packagingcorp.com ([63.67.43.164]), pleased to meet you
250-HELP
250-SIZE 10485760
250 PIPELINING
>>> MAIL From:<2-20582-packagingcorp.com?KBURNER@stderr.qualityemail.com> SIZE=6482
250 2-20582-packagingcorp.com?KBURNER@stderr.qualityemail.com... Sender OK
>>> RCPT To:
250 KBURNER@PACKAGINGCORP.COM... Recipient OK
>>> DATA
354 Enter message, end with "." on a line by itself
>>> .
250 Message accepted for delivery
... Sent (Message accepted for delivery)
Running /var/spool/mqueue/h0M0CK601111 (sequence 2 of 2)
h0M0CK601111: locked
Closing connection to [10.96.5.41]
>>> QUIT
221 pcalaklh01.pca.com SMTP Service closing transmission channel
[root@pcalaklx01 root]# service MailScanner stop
Shutting down MailScanner daemons:
MailScanner: [ OK ]
incoming sendmail: [ OK ]
outgoing sendmail: [ OK ]
[root@pcalaklx01 root]# sendmail -q -v
Running /var/spool/mqueue/h0M0Dq601308 (sequence 1 of 2)
... Connecting to [10.96.5.41] via esmtp...
220 pcalaklh01.pca.com ESMTP Service (Lotus Domino Release 5.0.11) ready at Tue, 21 Jan 2003 18:07:27 -0600
>>> EHLO pcalaklx01.packagingcorp.com
250-pcalaklh01.pca.com Hello pcalaklx01.packagingcorp.com ([63.67.43.164]), pleased to meet you
250-HELP
250-SIZE 10485760
250 PIPELINING
>>> MAIL From: SIZE=4846
250 b-71200235-1805_597532556@b.pxlg.com... Sender OK
>>> RCPT To:
250 ftansey@packagingcorp.com... Recipient OK
>>> DATA
354 Enter message, end with "." on a line by itself
>>> .
250 Message accepted for delivery
... Sent (Message accepted for delivery)
Running /var/spool/mqueue/h0M0CK601111 (sequence 2 of 2)
>>> RSET
250 Reset state
... Using cached ESMTP connection to [10.96.5.41] via esmtp...
>>> MAIL From: SIZE=15578
250 epabox@ameritech.net... Sender OK
>>> RCPT To:
250 kfeiter@packagingcorp.com... Recipient OK
>>> DATA
354 Enter message, end with "." on a line by itself
>>> .
250 Message accepted for delivery
... Sent (Message accepted for delivery)
Closing connection to [10.96.5.41]
>>> QUIT
221 pcalaklh01.pca.com SMTP Service closing transmission channel
[root@pcalaklx01 root]# sendmail -q -v
[root@pcalaklx01 root]# service MailScanner start
Starting MailScanner daemons:
incoming sendmail: [ OK ]
outgoing sendmail: [ OK ]
MailScanner: [ OK ]
[root@pcalaklx01 root]#
You have new mail in /var/spool/mail/root
[root@pcalaklx01 root]#

From mailscannerlist at TNJINFL.COM Wed Jan 22 00:35:09 2003
From: mailscannerlist at TNJINFL.COM (James Pifer)
Date: Thu Jan 12 21:17:02 2006
Subject: My problems continue - Please help ASAP
In-Reply-To: <5.2.0.9.2.20030121221332.02ab5ee8@imap.ecs.soton.ac.uk>
References: <5.2.0.9.2.20030121213404.01ae27f0@imap.ecs.soton.ac.uk> <5.2.0.9.2.20030121213404.01ae27f0@imap.ecs.soton.ac.uk> <5.2.0.9.2.20030121221332.02ab5ee8@imap.ecs.soton.ac.uk>
Message-ID: <1043195709.12250.117.camel@tweety.tnjinfl.com>

Sorry Julian. I was wrong. I was viewing those directories using webmin
and it wasn't refreshed. They did get cleared out.

I'm still not any closer to what has caused our problems though. Should
I re-enable spam checking and leave RBL's off? Any suggestions?

Thanks,
James

On Tue, 2003-01-21 at 17:14, Julian Field wrote:
> At 22:02 21/01/2003, you wrote:
> >It seems like it's catching up slowly. I haven't done a couple of these
> >yet, but I wanted to respond.
> >
> >Only one version of MailScanner has been installed
> >ps -ef | grep sendmail gives the output at the bottom.
> >I believe the hardware is ok
> >Plenty of disk space free
> >
> >Haven't run sendmail -q -v yet. Should I run that while MailScanner is
> >running, or stop MailScanner first, or leave MailScanner running, but
> >spam turned off?
>
> Shouldn't matter. Probably worth killing off the sendmail processes first
> though, in case you have a version that won't run multiple simultaneous
> queue runners.

From smhickel at CHARTERMI.NET Wed Jan 22 05:24:58 2003
From: smhickel at CHARTERMI.NET (Hickel, Stephen [gh372247])
Date: Thu Jan 12 21:17:02 2006
Subject: Benefit of DNS caching?
In-Reply-To: <5.2.0.9.2.20030121114713.02c612e8@imap.ecs.soton.ac.uk>
Message-ID:

I was reading documentation on a Pix box and how it does PAT, which may be
similar to other firewalls in this regard. It said it doesn't support DNS
caching servers in PAT mode. PAT means port address translation. Not sure
why this is or how it impacts my caching servers, except that is what it
said. Many people use PAT on their firewalls.

At 10:14 21/01/2003, you wrote:
>Is there any benefit in installing BIND on a MailScanner box for DNS caching
>of RBLs, without being subscribed for zone transfers?

You really at least need fast access to a local DNS server. If you haven't
got a DNS server very close by, then running a simple caching BIND on the
MailScanner box itself would help.
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From j.cormie at ABERTAY.AC.UK Wed Jan 22 09:25:20 2003
From: j.cormie at ABERTAY.AC.UK (Jason Cormie)
Date: Thu Jan 12 21:17:02 2006
Subject: Mcafee problem
Message-ID:

Every few days I get this when the cron job tries to update antivirus.
Next day it tries, it can usually update OK.

/etc/cron.daily/mcafee:

McAfee update failed: cannnot connect to ftp site, Invalid argument at /etc/cron.daily/mcafee line 93.
run-parts: /etc/cron.daily/mcafee exited with return code 1

Any thoughts?

Jason

From wayne at TELL.NET.AU Wed Jan 22 09:28:35 2003
From: wayne at TELL.NET.AU (Wayne)
Date: Thu Jan 12 21:17:02 2006
Subject: Domains to scan config
In-Reply-To:
References: <200301201207.h0KC7ECH032184@ernie.tell.net.au>
Message-ID: <5.1.1.6.1.20030122195753.00b2fc98@mail.tell.net.au>

Hi Mohan

Thanks for your suggestion. I haven't tried it yet, but will tomorrow.

Thanks

Wayne

At 05:55 PM 20/01/2003 +0530, you wrote:
>Create and use a rules file for the Domains to Scan declarative in
>MailScanner.conf file
>
>Virus Scanning = /etc/MailScanner/rules/domains.scan.rules
>
>
>To: *@domain1.com yes
>To: *@domain2.com yes
>To: default no
>
>
>Mohan
>-----Original Message-----
>From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On
>Behalf Of Wayne Simes
>Sent: 20 January 2003 17:37
>To: MAILSCANNER@JISCMAIL.AC.UK
>Subject: Domains to scan config
>
>
>Hi
>
>Could someone please indicate where I can edit the domains to scan/not to
>scan in version 4.11.1 ?
>
>
>
>Thanks
>
>Wayne

From wayne at TELL.NET.AU Wed Jan 22 09:35:22 2003
From: wayne at TELL.NET.AU (Wayne)
Date: Thu Jan 12 21:17:02 2006
Subject: Which Virus Scanner
Message-ID: <5.1.1.6.1.20030122195854.00b1dc50@mail.tell.net.au>

Hi All

Rather than me testing all of the virus scanners that MailScanner
supports, I thought it would be quicker to hear your opinions on which virus
scanner(s) you have found to be the easiest to install and keep fully
updated. I have tried Sophos, which works well, but updating the virus
engine is a bit of a pain.

What do you think ?

Also, are there any which are free and supported by MailScanner ?

Thanks

Wayne

From brian at PORTSMOUTH-COLLEGE.AC.UK Wed Jan 22 09:42:31 2003
From: brian at PORTSMOUTH-COLLEGE.AC.UK (Brian Chivers - ICT Support Officer Portsmouth College)
Date: Thu Jan 12 21:17:02 2006
Subject: Which Virus Scanner
References: <5.1.1.6.1.20030122195854.00b1dc50@mail.tell.net.au>
Message-ID: <002201c2c1fa$95e39520$65c8a8c0@portsmouthcollege.ac.uk>

We're a Sophos site. You only have to update the engine every other month,
and we use a simple script that replaces it from the CD we get each month;
it takes longer to open and close the CD than install the upgrade.

Brian Chivers
Portsmouth College

----- Original Message -----
From: "Wayne"
To:
Sent: Wednesday, January 22, 2003 9:35 AM
Subject: Which Virus Scanner

Hi All

Rather than me testing all of the virus scanners that MailScanner
supports, I thought it would be quicker to hear your opinions on which virus
scanner(s) you have found to be the easiest to install and keep fully
updated. I have tried Sophos, which works well, but updating the virus
engine is a bit of a pain.

What do you think ?

Also, are there any which are free and supported by MailScanner ?

Thanks

Wayne

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From howard at harper-adams.ac.uk Wed Jan 22 09:52:12 2003
From: howard at harper-adams.ac.uk (Howard Robinson)
Date: Thu Jan 12 21:17:02 2006
Subject: Which Virus Scanner
In-Reply-To: <5.1.1.6.1.20030122195854.00b1dc50@mail.tell.net.au>
Message-ID: <200301220949.h0M9ns402346@blackhole.harper-adams.ac.uk>

On 22 Jan 03, at 20:05, Wayne wrote:

Wayne

On Mailscanner front.
I am not an expert unix user but updating the Sophos engine on our linux
box every month or so hasn't caused me too much problem yet.
Using Julian's install program for the engine and the daily update works
fine.

And on the PC front.
We have a three year site agreement with Sophos having switched from
F-secure 18 months ago when updates of ides to the local pcs would not
work. The Sophos one does (generally) but with a few issues on
performance of MS2000 workstations.

> Hi All
>
> Rather than me testing all of the virus scanners that MailScanner
> supports, I thought it would be quicker to hear your opinions on which virus
> scanner(s) you have found to be the easiest to install and keep fully
> updated. I have tried Sophos, which works well, but updating the virus
> engine is a bit of a pain.
>
> What do you think ?
>
>
> Also, are there any which are free and supported by MailScanner ?
>
>
> Thanks
>
> Wayne

Regards
Howard Robinson (Senior Technical Development Officer)
Harper Adams University College
Edgmond
Newport
Shropshire
TF10 8NB
UK
E-mail: hrobinson@harper-adams.ac.uk
Tel. : +44(0)1952 820280 Via switchboard
     : +44(0)1952 815253 Direct line
Fax. : +44(0)1952 814783
College Web site http://www.harper-adams.ac.uk

From johannes at DSP.DE Wed Jan 22 09:52:45 2003
From: johannes at DSP.DE (No Name Available)
Date: Thu Jan 12 21:17:02 2006
Subject: Installation on SuSe 7.1
Message-ID:

Hi,

I've finally rewritten the MailScanner init script with advice from the
.tar installation guide, and now it seems to work on my SuSE 7.1.
If anybody finds any problem in the script, I would be glad to get some
hints... I'm not sure about the "process ID management", if it's OK like
this...

Thanks for help,
Greets Johannes

############################################################################
/etc/init.d/MailScanner
############################################################################
#!/bin/bash
#
# mailscanner   This shell script takes care of starting and stopping
#               MailScanner, and its associated copies of sendmail.
#
### BEGIN INIT INFO
# Provides:       MailScanner
# Required-Start: $syslog $remote_fs
# X-UnitedLinux-Should-Start: $time $network $named ypbind
# Required-Stop:  $syslog $remote_fs
# X-UnitedLinux-Should-Stop: $time $network $named ypbind
# Default-Start:  3 5
# Default-Stop:   0 1 2 6
# Short-Description: MailScanner and sendmail daemons
# Description:    Start sendmail and MailScanner to provide
#       SMTP service with virus, dangerous contents and spam scanning.
### END INIT INFO

# Check for missing binaries (stale symlinks should not happen)
MAILSCANNER_BIN=/usr/sbin/check_MailScanner
test -x $MAILSCANNER_BIN || exit 5
test -x /usr/sbin/sendmail || exit 5

# Site configuration, if present
test -s /etc/rc.config.d/sendmail.rc.config && \
      . /etc/rc.config.d/sendmail.rc.config

test -s /etc/sysconfig/MailScanner && \
      . /etc/sysconfig/MailScanner

# Defaults for anything the configuration files did not set
if test -z "$MAILSCANNER_WORKDIR" ; then
        MAILSCANNER_WORKDIR="/var/spool/MailScanner/incoming"
fi
if test -z "$MAILSCANNER_INQDIR" ; then
        MAILSCANNER_INQDIR="/var/spool/mqueue.in"
fi
if test -z "$SENDMAIL_IN_ARGS" ; then
        # JKF Need to add mqueue.in stuff here
        SENDMAIL_IN_ARGS="-bd -OPrivacyOptions=noetrn -ODeliveryMode=queueonly -OQueueDirectory=/var/spool/mqueue.in"
fi
#if test -z "$SENDMAIL_CLIENT_ARGS" ; then
#        SENDMAIL_CLIENT_ARGS="-L sendmail-client -Ac -q30m"
#fi
if test -z "$SENDMAIL_OUT_ARGS" ; then
        SENDMAIL_OUT_ARGS="-q5m -om"
fi
if test "$SMTPD_LISTEN_REMOTE" != "yes" ; then
        SENDMAIL_IN_ARGS="-O DaemonPortOptions=Addr=127.0.0.1 $SENDMAIL_IN_ARGS"
fi
# NOTE: this option is added unconditionally, also when the loopback-only
# option has just been added above.
SENDMAIL_IN_ARGS="-O DaemonPortOptions=Addr=0.0.0.0 $SENDMAIL_IN_ARGS"

# PID files: incoming sendmail, outgoing sendmail, MailScanner
srvpid=/var/run/sendmail.pid
srvoutpid=/var/run/sendmail-out.pid
mspid=/var/run/MailScanner.pid

. /etc/rc.status
rc_reset

case "$1" in
    startin)
        echo -n "Initializing incoming sendmail"
        startproc -p $srvpid /usr/sbin/sendmail $SENDMAIL_IN_ARGS
        rc_status
        ;;
    startout)
        echo -n "Initializing outgoing sendmail"
        startproc -p $srvoutpid /usr/sbin/sendmail $SENDMAIL_OUT_ARGS
        rc_status
        ;;
    start)
        echo -n "Initializing sendmail and MailScanner"
        startproc -p $srvpid /usr/sbin/sendmail $SENDMAIL_IN_ARGS
        rc_status
        startproc -f -p $srvoutpid /usr/sbin/sendmail $SENDMAIL_OUT_ARGS
        rc_status
        startproc -f -p $mspid /usr/sbin/check_MailScanner >/dev/null
        rc_status -v
        ;;
    stop)
        echo -n "Shutting down sendmail and MailScanner"
        killproc -p $srvpid -TERM /usr/sbin/sendmail
        rc_status
        echo -n "Shutting down SMTP port:"
        killproc -TERM /usr/sbin/sendmail || return=$rc_failed
        rc_status
#       killproc -p $srvoutpid -TERM /usr/sbin/sendmail
#       rc_status
        killproc -p $mspid -TERM /usr/sbin/MailScanner
        rc_status -v
        # Clear out all the old pid files
        rm -f $mspid
        # Clear out the old incoming dirs
        cd $MAILSCANNER_WORKDIR && ls | xargs /bin/rm -rf
        ;;
    try-restart)
        $0 stop && sleep 5 && $0 start
        rc_status
        ;;
    restart)
        $0 stop
        sleep 5
        $0 start
        rc_status
        ;;
    reload|force-reload)
        echo -n "Reload service sendmail"
        killproc -p $mspid -HUP /usr/sbin/MailScanner
        rc_status -v
        ;;
    status)
        echo -n "Checking for service sendmail: "
        checkproc -p $srvpid /usr/sbin/sendmail
        rc_status
        checkproc -p $srvoutpid /usr/sbin/sendmail
        rc_status
        checkproc -p $mspid /usr/sbin/MailScanner
        rc_status -v
        ;;
    probe)
        # The submit.cf check against $msppid is left out: $msppid is never
        # set in this script, and the sendmail client daemon is not started.
        test /etc/sendmail.cf -nt $srvpid \
          -o /etc/MailScanner/MailScanner.conf -nt $mspid && echo reload
        ;;
    *)
        echo "Usage: $0 {start|stop|status|try-restart|restart|force-reload|reload|probe|startin|startout}"
        exit 1
esac
rc_exit
############################################################################

############################################################################
/etc/MailScanner/MailScanner.conf
############################################################################
#
# with what parameters should the incoming sendmail be started?
# this is used to provide SMTP service and queue mail into
# /var/spool/mqueue.in, ready for scanning by MailScanner.
# normal sites use "-bd -om".
#
SENDMAIL_IN_ARGS="-bd -OPrivacyOptions=noetrn -ODeliveryMode=queueonly -OQueueDirectory=/var/spool/mqueue.in"

#
# with what parameters should the outgoing sendmail be started?
# this is used to deliver mail that has been scanned by MailScanner.
# normal sites use "-q30m -om".
#
SENDMAIL_OUT_ARGS="-q5m -om"

#
# where does MailScanner unpack messages for scanning?
# normal sites use "/var/spool/MailScanner/incoming".
#
MAILSCANNER_WORKDIR=/var/spool/MailScanner/incoming

#
# where does the incoming sendmail deposit messages, so that
# MailScanner can collect and scan them?
# normal sites use "/var/spool/mqueue.in".
#
MAILSCANNER_INQDIR=/var/spool/mqueue.in
############################################################################

From Kevin.Spicer at BMRB.CO.UK Wed Jan 22 10:13:47 2003
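The incoming sendmail arguments this thread depends on (-bd, PrivacyOptions=noetrn, queue-only delivery into a separate queue directory, and no -q on the listener) can be checked mechanically before an init script goes live. The shell functions below are an added example, not part of any post or of MailScanner; the function names and sample strings are constructed, and /var/spool/mqueue as the outgoing queue is an assumption based on the queue names mentioned in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): audit the argument string used to
# start the incoming sendmail that queues mail for MailScanner.
# Function names and sample strings are constructed for illustration.

# Print the last value given for sendmail long option $1 in argument
# string $2, accepting both "-OName=value" and "-O Name=value".
sendmail_opt() {
    _name=$1; _val=; _prev=
    set -f                          # split on whitespace, no globbing
    for _w in $2; do
        case $_w in
            -O"$_name"=*) _val=${_w#-O"$_name"=} ;;
            "$_name"=*)   if [ "$_prev" = "-O" ]; then _val=${_w#"$_name"=}; fi ;;
        esac
        _prev=$_w
    done
    set +f
    printf '%s\n' "$_val"
}

# Append one line to the list of findings.
_finding() { findings="${findings}$1
"; }

# Print one finding per line; return 0 only if every check passes.
# $1 = incoming sendmail arguments
# $2 = outgoing queue directory (assumed default: /var/spool/mqueue)
audit_incoming_args() {
    args=$1; outq=${2:-/var/spool/mqueue}; findings=
    has_bd=no; has_q=no
    set -f
    for w in $args; do
        case $w in
            -bd) has_bd=yes ;;
            -q*) has_q=yes ;;
            -)   _finding "stray '-' argument: an option was split, e.g. by line wrapping" ;;
        esac
    done
    set +f
    [ "$has_bd" = yes ] || _finding "-bd missing: this is not the SMTP listener"
    [ "$has_q" = no ] ||
        _finding "-q present: the thread warns against one sendmail with both -bd and -q"
    # PrivacyOptions is a comma-separated list; noetrn must be one member.
    case ",$(sendmail_opt PrivacyOptions "$args")," in
        *,noetrn,*) ;;
        *) _finding "PrivacyOptions does not include noetrn" ;;
    esac
    [ "$(sendmail_opt DeliveryMode "$args")" = queueonly ] ||
        _finding "DeliveryMode is not queueonly"
    qdir=$(sendmail_opt QueueDirectory "$args")
    if [ -z "$qdir" ]; then
        _finding "QueueDirectory not set on the command line"
    elif [ "$qdir" = "$outq" ]; then
        _finding "QueueDirectory is the outgoing queue $outq"
    fi
    printf '%s' "$findings"
    [ -z "$findings" ]
}

# Constructed samples: the intended arguments, a copy damaged by mail line
# wrapping ("-" separated from "OQueueDirectory"), and a plain listener
# that also runs the queue.
GOOD_ARGS="-bd -OPrivacyOptions=noetrn -ODeliveryMode=queueonly -OQueueDirectory=/var/spool/mqueue.in"
WRAPPED_ARGS="-bd -OPrivacyOptions=noetrn -ODeliveryMode=queueonly - OQueueDirectory=/var/spool/mqueue.in"
STOCK_ARGS="-bd -q15m"

for sample in "$GOOD_ARGS" "$WRAPPED_ARGS" "$STOCK_ARGS"; do
    echo "== $sample"
    audit_incoming_args "$sample" || echo "   (failed)"
done
```
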
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin)
Date: Thu Jan 12 21:17:02 2006
Subject: Which Virus Scanner
Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0A32C55@pascal.priv.bmrb.co.uk>

> You only have to update the engine every other month, and we use a simple
> script that replaces it from the CD we get each month, it takes longer to
> open and close the CD than install the upgrade.
>

If you use the version from the website you only need upgrade every three
months - the CD version is always a month old when you get it.

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000
_________________________________________________________________
This message (and any attachment) is intended only for the recipient and
may contain confidential and/or privileged material. If you have received
this in error, please contact the sender and delete this message
immediately. Disclosure, copying or other action taken in respect of this
email or in reliance on it is prohibited. BMRB International Limited
accepts no liability in relation to any personal emails, or content of any
email which does not directly relate to our business.

From Richard.Lush at HP.COM Wed Jan 22 10:29:05 2003
From: Richard.Lush at HP.COM (Lush, Richard)
Date: Thu Jan 12 21:17:02 2006
Subject: Which Virus Scanner
Message-ID:

Wayne,

I use sophos and f-prot as they are both "free" and work very well. Touch
wood I've never had a virus not captured at the MailScanner box and having
two scan engines gives you maximum flexibility and reliability and Sophos
is very up-to-date with ides coming out daily.

I have had first hand experience of the power of using two AV products.
Sophos update their engines monthly and only support previous engines for
three months. I didn't update the Sophos engine and in January the engine
was out of date, so no updates were downloaded. F-prot picked up a new
virus and Sophos didn't. I checked the logs and found the Sophos update
erroring as it couldn't find the updated ides on the server (it was looking
for 362 ides). I updated the engine and it started working again. If I
hadn't had f-prot as well the virus would have been sent to the Exchange
server and the local AV would have had to detect and remove it, which isn't
too much of an issue but I like stopping the viruses from getting to
Exchange first.

Anyway, hope this helps

Richard

-----Original Message-----
From: Wayne [mailto:wayne@TELL.NET.AU]
Sent: 22 January 2003 09:35
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Which Virus Scanner

Hi All

Rather than me testing all of the virus scanners that MailScanner
supports, I thought it would be quicker to hear your opinions on which virus
scanner(s) you have found to be the easiest to install and keep fully
updated. I have tried Sophos, which works well, but updating the virus
engine is a bit of a pain.

What do you think ?

Also, are there any which are free and supported by MailScanner ?

Thanks

Wayne

From R.A.Gardener at SHU.AC.UK Wed Jan 22 10:48:49 2003
From: R.A.Gardener at SHU.AC.UK (Ray Gardener)
Date: Thu Jan 12 21:17:02 2006
Subject: Version 4, Exim and header rewrites - patch required?
References:
Message-ID: <004501c2c203$e06ee690$5a14348f@videoproducer>

Hi Nick,

----- Original Message -----
From: "Nick Phillips"
To:
Sent: Tuesday, January 21, 2003 10:30 PM
Subject: Re: Version 4, Exim and header rewrites - patch required?

On Wednesday, January 22, 2003, at 05:47 am, Ray Gardener wrote:

> Hi,
>
> I have examined the spool files produced by both version 3 and 4 of
> mailscanner and think that there may be a slight bug which is
> preventing the rewriting of certain header fields. Version 3 which
> works, specifies after the header length of these fields a character
> (F in the From: header, T in the To: header). Version 4 leaves out
> these letters. The exim specification suggests that these letters
> should be there and inserting them in files produced by version 4 and
> forcing delivery gives me mail with the headers rewritten perfectly.
>

>>Interesting. They certainly *should* be there. Do you find that they go
>>missing with all
>>messages, or only ones which have been modified in any particular way
>>(i.e. that have
>>had spam headers added, or that have had content modified, or whatever)?

I originally did the test on just clean messages and we aren't currently
using the anti-spam stuff in mailscanner as I have that stuff configured in
Exim already. The only modification that should be done is the addition of
the mailscanner header indicating that the mail is clean. However I just
sent the eicar virus through and the headers in these aren't being
rewritten also. It may be significant that this file has the (faulty) to:
header duplicated.

>Do you add signatures to clean messages?

no

Regards,

Ray Gardener
CIS
Sheffield Hallam University
Howard Street
Sheffield
UK
S1 1WB
(44) 0114 225 4926

From mailscanner at ecs.soton.ac.uk Wed Jan 22 11:30:48 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:02 2006
Subject: Mcafee problem
In-Reply-To:
Message-ID: <5.2.0.9.2.20030122112949.0206c820@imap.ecs.soton.ac.uk>

Try moving the cron job so that it gets updated at a quieter time of night
each day.
The other alternative is to move it to cron.hourly so it just gets done
more often. That's what the new "global updater" does.

At 09:25 22/01/2003, you wrote:
>Every few days I get this when the cron job tries to update antivirus. Next
>day It tries it can usually update OK.
>
>/etc/cron.daily/mcafee:
>McAfee update failed: cannnot connect to ftp site, Invalid argument at
>/etc/cron.daily/mcafee line 93.
>run-parts: /etc/cron.daily/mcafee exited with return code 1
>
>Any thoughts?
>
>Jason

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Wed Jan 22 11:35:30 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:02 2006
Subject: Which Virus Scanner
In-Reply-To: <5.1.1.6.1.20030122195854.00b1dc50@mail.tell.net.au>
Message-ID: <5.2.0.9.2.20030122113104.02718cd8@imap.ecs.soton.ac.uk>

At 09:35 22/01/2003, you wrote:
>Rather than me testing all of the virus scanners that MailScanner supports,
>I thought it would be quicker to hear your opinions on which virus scanner(s)
>you have found to be the easiest to install and keep fully updated. I have
>tried Sophos, which works well, but updating the virus engine is a bit of a
>pain.

Note that I have no connection with any of the virus-scanner publishers.
These are purely my personal opinion having used a few of them.

In my view, Sophos is the best. You only have to update the engine once
every 2 or 3 months, and it's dead easy with my "Sophos.install" script.
F-Prot has a good reputation too.
Kaspersky is a bizarre piece of software (see some of my previous postings
about Kaspersky for more info).
F-Secure is a broken clone of F-Prot, the original is far better.

Take a look at
http://www.sng.ecs.soton.ac.uk/mailscanner/install/codestatus.shtml
to see what level of support I nominally give them. Don't read too much
into that, but it might help you.

>Also, are there any which are free and supported by MailScanner ?

ClamAV.
Also, for personal use only, F-Prot is free.

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Wed Jan 22 11:28:44 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:02 2006
Subject: My problems continue - Please help ASAP
In-Reply-To: <1043195709.12250.117.camel@tweety.tnjinfl.com>
References: <5.2.0.9.2.20030121221332.02ab5ee8@imap.ecs.soton.ac.uk>
 <5.2.0.9.2.20030121213404.01ae27f0@imap.ecs.soton.ac.uk>
 <5.2.0.9.2.20030121213404.01ae27f0@imap.ecs.soton.ac.uk>
 <5.2.0.9.2.20030121221332.02ab5ee8@imap.ecs.soton.ac.uk>
Message-ID: <5.2.0.9.2.20030122112707.02973748@imap.ecs.soton.ac.uk>

At 00:35 22/01/2003, you wrote:
>Sorry Julian. I was wrong. I was viewing those directories using webmin
>and it wasn't refreshed. They did get cleared out.

That solves most of it :-)

>I'm still not any closer to what has caused our problems though. Should
>i re-enable spam checking and leave RBL's off? Any suggestions?

Try running without the RBL's for a little while. If there are RBL timeout
problems, these will be mentioned in your maillog.

>Thanks,
>James
>
>On Tue, 2003-01-21 at 17:14, Julian Field wrote:
> > At 22:02 21/01/2003, you wrote:
> > >It seems like it's catching up slowly. I haven't done a couple of these
> > >yet, but I wanted to respond.
> > >
> > >Only one version of MailScanner has been installed
> > >ps -ef | grep sendmail gives the output at the bottom.
> > >I believe the hardware is ok
> > >Plenty of disk space free
> > >
> > >Haven't run sendmail -q -v yet. Should I run that while MailScanner is
> > >running, or stop MailScanner first, or leave MailScanner running, but
> > >spam turned off?
> >
> > Shouldn't matter. Probably worth killing off the sendmail processes first
> > though, in case you have a version that won't run multiple simultaneous
> > queue runners.
> >
> >
> > >Thanks,
> > >James
> > >
> > >root@pcalaklx01 log]# ps -ef | grep sendmail
> > >root 779 1 0 14:43 ? 00:00:00 sendmail: accepting connections
> > >root 795 1 0 14:43 ? 00:00:00 /usr/sbin/sendmail -q15m
> > >root 11945 1 0 15:44 ? 00:00:00 sendmail: ./h0LKWjO10074 [10.96.
> > >root 11948 1 0 15:44 ? 00:00:00 sendmail: ./h0LKX4O10098: from q
> > >root 11951 1 0 15:44 ? 00:00:00 sendmail: ./h0LKUcO09776: from q
> > >root 11954 1 0 15:44 ? 00:00:00 sendmail: ./h0LKYqO10331 [10.96.
> > >root 11957 1 0 15:44 ? 00:00:00 sendmail: ./h0LKaXO10640: from q
> > >root 12297 1 0 15:45 ? 00:00:00 sendmail: ./h0LKK3D08065: from q
> > >root 12300 1 0 15:45 ? 00:00:00 sendmail: ./h0LKNMO08578 [10.96.
> > >root 12303 1 0 15:45 ? 00:00:00 sendmail: ./h0LKHlD07880 [10.96.
> > >root 12306 1 0 15:45 ? 00:00:00 sendmail: ./h0LKL3D08224: from q
> > >root 12309 1 0 15:45 ? 00:00:00 sendmail: ./h0LKK5D08067 [10.96.
> > >root 12504 1 0 15:46 ? 00:00:00 sendmail: ./h0LKToO09599: from q
> > >root 12507 1 0 15:46 ? 00:00:00 sendmail: ./h0LKPkO09049 [10.96.
> > >root 12510 1 0 15:46 ? 00:00:00 sendmail: ./h0LKTuO09613 [10.96.
> > >root 12513 1 0 15:46 ? 00:00:00 sendmail: ./h0LKQPO09134 [10.96.
> > >root 12516 1 0 15:46 ? 00:00:00 sendmail: ./h0LKRYO09295 [10.96.
> > >root 12530 779 0 15:46 ? 00:00:00 sendmail: server dfw7-1.relay.ma
> > >root 12572 779 0 15:46 ? 00:00:00 sendmail: server ashd1-1.relay.m
> > >root 12606 779 0 15:46 ? 00:00:00 sendmail: server La03mail24.powe
> > >root 12635 779 0 15:46 ? 00:00:00 sendmail: server [64.152.200.111
> > >root 12640 779 0 15:47 ? 00:00:00 sendmail: server offerchkmail11.
> > >root 12755 1 0 15:47 ? 00:00:00 sendmail: ./h0LKc9O10871 [10.96.
> > >root 12757 1 0 15:47 ? 00:00:00 sendmail: ./h0LKhi601017 [10.96.
> > >root 12759 1 0 15:47 ? 00:00:00 sendmail: ./h0LKdIO11089: from q
> > >root 12764 1 0 15:47 ? 00:00:00 sendmail: ./h0LKdNO11106: from q
> > >root 12767 1 0 15:47 ? 00:00:00 sendmail: ./h0LKc4O10857: from q
> > >root 12795 779 0 15:47 ? 00:00:00 sendmail: server chi6-1.relay.ma
> > >root 12814 779 0 15:47 ? 00:00:00 sendmail: server members2.emailw
> > >root 12815 779 0 15:47 ? 00:00:00 sendmail: server port-64-1956812
> > >root 12820 12606 0 15:47 ? 00:00:00 sendmail: h0LLlV612820 La03mail2
> > >root 12825 12572 0 15:47 ? 00:00:00 sendmail: h0LLlX612825 ashd1-1.r
> > >root 12841 779 0 15:47 ? 00:00:00 sendmail: startup with [209.164.
> > >root 12864 12815 0 15:47 ? 00:00:00 sendmail: h0LLlh612864 port-64-1
> > >root 12866 779 0 15:47 ? 00:00:00 sendmail: startup with 12.5.161.
> > >root 12875 12635 0 15:47 ? 00:00:00 sendmail: h0LLlk612875 [64.152.2
> > >root 12878 779 0 15:47 ? 00:00:00 sendmail: startup with mail11.at
> > >root 12880 779 0 15:47 ? 00:00:00 sendmail: server mail228.mb11.co
> > >root 12882 779 0 15:47 ? 00:00:00 sendmail: server wic1.worldatama
> > >root 12893 12880 0 15:47 ? 00:00:00 sendmail: h0LLlu612893 mail228.m
> > >root 12894 12882 0 15:47 ? 00:00:00 sendmail: h0LLlu612894 wic1.worl
> > >root 12896 735 0 15:47 pts/0 00:00:00 grep sendmail
> > >You have new mail in /var/spool/mail/root
> > >[root@pcalaklx01 log]#
> > >
> > >
> > >On Tue, 2003-01-21 at 16:38, Julian Field wrote:
> > > > At 21:37 21/01/2003, you wrote:
> > > > >A new problem(could be related to my other problems) came up on the
> > > > >server we have running mailscanner. Mail was not being routed for some
> > > > >reason. The server was receiving mail, but it was all getting stuck in
> > > > >mqueue.in and/or mqueue.
> > > > >
> > > > >I restarted MailScanner(4.10-1) and that didn't seem to do anything.
> > > > >
> > > > >We still have a ton of messages in mqueue.in and quite a bit in mqueue
> > > > >as well. Should it still deliver everything? It's delivering mail but I
> > > > >can't figure out where it's picking it up from.
> > > > >
> > > > >Has anyone seen this before. I downloaded the maillog and the only
> > > > >problem I see is a lot of timeouts while trying to check the RBL's.
> > > > >Currently I'm using ORDB-RBL and Infinite-Monkeys.
> > > > >
> > > > >We had problems where our server just dies. Could these timeouts have
> > > > >anything to do with it?
> > > > >
> > > > >I'm open to any suggestions.
> > > >
> > > > Start by switching off the spam checking.
> > > > Make sure you only have 1 version of MailScanner running.
> > > > Make sure you only have the sendmail processes running that are started as
> > > > part of MailScanner. Be careful you don't have any running with both daemon
> > > > options "-bd -q15m".
> > > > Make sure all your hardware works.
> > > > Make sure you haven't run out of disk space anywhere (do a "df -k" to
> > > > check).
> > > > Run "sendmail -q -v" and see what it prints out as it tries to deliver all
> > > > the outgoing queue.
> > > >
> > > > --
> > > > Julian Field
> > > > www.MailScanner.info
> > > > MailScanner thanks transtec Computers for their support
> >
> > --
> > Julian Field
> > www.MailScanner.info
> > MailScanner thanks transtec Computers for their support

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From sylvain.phaneuf at IMSU.OXFORD.AC.UK Wed Jan 22 12:04:04 2003
From: sylvain.phaneuf at IMSU.OXFORD.AC.UK (Sylvain Phaneuf)
Date: Thu Jan 12 21:17:02 2006
Subject: order of scans
Message-ID:

Very useful. Thanks. I will try that now.

>>> paul_houselander@BRISTOL-LEA.ORG.UK 21/01/2003 16:29:46 >>>
Take a look at

Silent Viruses =
Still Deliver Silent Viruses =

mailscanner.conf

As per the comments in mailscanner.conf

"# Strings listed here will be searched for in the output of the virus
scanners."

So check what your virus scanner outputs and put the string in Silent
Viruses

Cheers

Paul
----- Original Message -----
From: "Sylvain Phaneuf"
To:
Sent: Tuesday, January 21, 2003 4:18 PM
Subject: Re: order of scans

> That sounds promising... looking forward to hear from Julian...
>
> >>> RHerban@GRAMTEL.NET 21/01/2003 16:08:43 >>>
> There is an option in the MailScanner.conf about silent viruses. You should
> be able to enter snowwhite or something like into that option and it won't
> deliver a notice about it.
> I'm not sure what method Julian is using to get the name of the virus so I
> can't say how to go about getting that.
>
> Randy
>
> -----Original Message-----
> From: Sylvain Phaneuf [mailto:sylvain.phaneuf@IMSU.OXFORD.AC.UK]
> Sent: Tuesday, January 21, 2003 11:02 AM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: order of scans
>
>
> I am still a newbie here, and I would like to apologise in advance if this
> has been covered somewhere.
>
> Is there a way to organise the order in which the various scans occur on the
> system (MailScanner/SpamAssassin on RedHat)
>
> I would like to reduce the number of notifications that some of our users
> get. For example we have a few users being pestered with the Snowhite and
> seven dwarf message, which is a virus, and the attachment is an exe file.
> We do not want to pass on this message, but because we have notifications on
> for both infected messages and blocked files, the end user still receives a
> message when the Snowhite message arrive. If there is a way MailScanner
> could be configured so that this kind of message do produce any
> notifications, some of our users would be quite happy,
>
> Thanks in advance,
>
>
> Sylvain
>
> ===========================================================
> Sylvain Phaneuf --- Computing Manager | phone : +44 (0)1865 221323
> Information Management Services Unit (Clinical School)
> Oxford University                     | email : sylvain.phaneuf@imsu.ox.ac.uk
> Room 3A25B John Radcliffe Hospital    | fax   : +44 (0) 1865 221322
> Oxford OX3 9DU England
> ===========================================================
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From sylvain.phaneuf at IMSU.OXFORD.AC.UK Wed Jan 22 12:26:00 2003
From: sylvain.phaneuf at IMSU.OXFORD.AC.UK (Sylvain Phaneuf)
Date: Thu Jan 12 21:17:02 2006
Subject: order of scans and rulesets
Message-ID:

One more question if I may. I see from mailscanner.conf that we can use a
ruleset for this Silent Viruses feature. Would the syntax of the file just
be a list of virus names, one per line?

i.e.:
Yaha-K
Avril-A
Avril-B
Hybris-B

Regarding these ruleset files, I am not 100% sure whether I can just use a
series of domains, names, etc or whether I need a full rule. For example
for a spam.blacklist.rules file, do I need

FromTo: default no
From: big@boss.com yes
To: user_a@server.co.uk yes

or just the following would be enough:

big@boss.com
user_a@server.co.uk

Thanks in advance,

Sylvain

>>> paul_houselander@BRISTOL-LEA.ORG.UK 21/01/2003 16:29:46 >>>
Take a look at

Silent Viruses =
Still Deliver Silent Viruses =

mailscanner.conf

As per the comments in mailscanner.conf

"# Strings listed here will be searched for in the output of the virus
scanners."

So check what your virus scanner outputs and put the string in Silent
Viruses

Cheers

Paul
----- Original Message -----
From: "Sylvain Phaneuf"
To:
Sent: Tuesday, January 21, 2003 4:18 PM
Subject: Re: order of scans

> That sounds promising... looking forward to hear from Julian...
>
> >>> RHerban@GRAMTEL.NET 21/01/2003 16:08:43 >>>
> There is an option in the MailScanner.conf about silent viruses. You should
> be able to enter snowwhite or something like into that option and it won't
> deliver a notice about it.
> I'm not sure what method Julian is using to get the name of the virus so I
> can't say how to go about getting that.
>
> Randy
>
> -----Original Message-----
> From: Sylvain Phaneuf [mailto:sylvain.phaneuf@IMSU.OXFORD.AC.UK]
> Sent: Tuesday, January 21, 2003 11:02 AM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: order of scans
>
>
> I am still a newbie here, and I would like to apologise in advance if this
> has been covered somewhere.
>
> Is there a way to organise the order in which the various scans occur on the
> system (MailScanner/SpamAssassin on RedHat)
>
> I would like to reduce the number of notifications that some of our users
> get. For example we have a few users being pestered with the Snowhite and
> seven dwarf message, which is a virus, and the attachment is an exe file.
> We do not want to pass on this message, but because we have notifications on
> for both infected messages and blocked files, the end user still receives a
> message when the Snowhite message arrive. If there is a way MailScanner
> could be configured so that this kind of message do produce any
> notifications, some of our users would be quite happy,
>
> Thanks in advance,
>
>
> Sylvain
>
> ===========================================================
> Sylvain Phaneuf --- Computing Manager | phone : +44 (0)1865 221323
> Information Management Services Unit (Clinical School)
> Oxford University                     | email : sylvain.phaneuf@imsu.ox.ac.uk
> Room 3A25B John Radcliffe Hospital    | fax   : +44 (0) 1865 221322
> Oxford OX3 9DU England
> ===========================================================
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From mailscanner at ecs.soton.ac.uk Wed Jan 22 12:35:48 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:02 2006
Subject: order of scans and rulesets
In-Reply-To:
Message-ID: <5.2.0.9.2.20030122123500.02c19338@imap.ecs.soton.ac.uk>

At 12:26 22/01/2003, you wrote:
>One more question if I may. I see from mailscanner.conf that we can use a
>ruleset for this Silent Viruses feature. Would the syntax of the file just
>be a list of virus names, one per line?
>
>i.e.:
>Yaha-K
>Avril-A
>Avril-B
>Hybris-B

No, it is just a space separated list of virus names.

>Regarding these ruleset files, I am not 100% sure whether I can just use a
>series of domains, names, etc or whether I need a full rule. For example
>for a spam.blacklist.rules file, do I need
>
>FromTo: default no
>From: big@boss.com yes
>To: user_a@server.co.uk yes
>
>or just the following would be enough:
>
>big@boss.com
>user_a@server.co.uk

You need to use proper rules.

>Thanks in advance,
>
>Sylvain
>
>
> >>> paul_houselander@BRISTOL-LEA.ORG.UK 21/01/2003 16:29:46 >>>
>Take a look at
>
>Silent Viruses =
>Still Deliver Silent Viruses =
>
>mailscanner.conf
>
>As per the comments in mailscanner.conf
>
>"# Strings listed here will be searched for in the output of the virus
>scanners."
>
>So check what your virus scanner outputs and put the string in Silent
>Viruses
>
>Cheers
>
>Paul
>----- Original Message -----
>From: "Sylvain Phaneuf"
>To:
>Sent: Tuesday, January 21, 2003 4:18 PM
>Subject: Re: order of scans
>
>
> > That sounds promising... looking forward to hear from Julian...
> >
> > >>> RHerban@GRAMTEL.NET 21/01/2003 16:08:43 >>>
> > There is an option in the MailScanner.conf about silent viruses. You should
> > be able to enter snowwhite or something like into that option and it won't
> > deliver a notice about it.
> > I'm not sure what method Julian is using to get the name of the virus so I
> > can't say how to go about getting that.
> >
> > Randy
> >
> > -----Original Message-----
> > From: Sylvain Phaneuf [mailto:sylvain.phaneuf@IMSU.OXFORD.AC.UK]
> > Sent: Tuesday, January 21, 2003 11:02 AM
> > To: MAILSCANNER@JISCMAIL.AC.UK
> > Subject: order of scans
> >
> >
> > I am still a newbie here, and I would like to apologise in advance if this
> > has been covered somewhere.
> >
> > Is there a way to organise the order in which the various scans occur on the
> > system (MailScanner/SpamAssassin on RedHat)
> >
> > I would like to reduce the number of notifications that some of our users
> > get. For example we have a few users being pestered with the Snowhite and
> > seven dwarf message, which is a virus, and the attachment is an exe file.
> > We do not want to pass on this message, but because we have notifications on
> > for both infected messages and blocked files, the end user still receives a
> > message when the Snowhite message arrive. If there is a way MailScanner
> > could be configured so that this kind of message do produce any
> > notifications, some of our users would be quite happy,
> >
> > Thanks in advance,
> >
> >
> > Sylvain
> >
> > ===========================================================
> > Sylvain Phaneuf --- Computing Manager | phone : +44 (0)1865 221323
> > Information Management Services Unit (Clinical School)
> > Oxford University                     | email : sylvain.phaneuf@imsu.ox.ac.uk
> > Room 3A25B John Radcliffe Hospital    | fax   : +44 (0) 1865 221322
> > Oxford OX3 9DU England
> > ===========================================================
> >
> > --
> > This message has been scanned for viruses and
> > dangerous content by MailScanner, and is
> > believed to be clean.
>
>
>--
>This message has been scanned for viruses and
>dangerous content by MailScanner, and is
>believed to be clean.

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From P.G.M.Peters at civ.utwente.nl Wed Jan 22 13:08:14 2003
From: P.G.M.Peters at civ.utwente.nl (Peter Peters)
Date: Thu Jan 12 21:17:02 2006
Subject: Option for notify senders does not work (cont)
In-Reply-To: <4.3.2.7.0.20030121195717.00dd3e20@carrota.nexnet.es>
References: <4.3.2.7.0.20030121192714.00dc8b90@carrota.nexnet.es>
 <5.2.0.9.2.20030121182240.025886e0@imap.ecs.soton.ac.uk>
 <4.3.2.7.0.20030121184622.00e14500@carrota.nexnet.es>
 <5.2.0.9.2.20030121185051.029c5e88@imap.ecs.soton.ac.uk>
 <4.3.2.7.0.20030121195717.00dd3e20@carrota.nexnet.es>
Message-ID: <7s5t2v4brvc5ra5266r4jdllovf0drtlmb@4ax.com>

On Tue, 21 Jan 2003 20:03:48 +0100, you wrote:

>I have downloaded those files from our unix server to my windows-98 computer,
>where I wrote the email message sent to the mailing list.

If you download or upload text files between dos and unix boxes be sure to
do it in ASCII (not binary) mode. The ftp-programs should correctly alter
the end-of-line sequences.

--
Peter Peters
senior network administrator, Centrum voor Informatievoorziening,
Universiteit Twente, Postbus 217, 7500 AE Enschede
telephone: +31 53 489 2301, fax: +31 53 489 2383, http://www.utwente.nl/civ

From Stephen.Dawes at GOV.CALGARY.AB.CA Wed Jan 22 14:37:48 2003
From: Stephen.Dawes at GOV.CALGARY.AB.CA (Dawes, Stephen)
Date: Thu Jan 12 21:17:02 2006
Subject: Which Virus Scanner
Message-ID:

Where are you finding Sophos for free? I am only able to find it for a cost.
Can you send the URL you used to get the free copy in your reply?

Stephen Dawes
The City of Calgary | Phone: (403) 268-5527
Web Business Office #8300 | Fax: (403) 268-6423
PO Box 2100 Postal Station M. | Email: Stephen.Dawes@calgary.ca
Calgary, Alberta, Canada. T2P 2M5 | Web: http://www.calgary.ca

FOIPP NOTIFICATION
This communication is intended ONLY for the use of the person or entity
named above and may contain information that is confidential or legally
privileged. If you are not the intended recipient named above or a person
responsible for delivering messages or communications to the intended
recipient, YOU ARE HEREBY NOTIFIED that any use, distribution, or copying of
this communication or any of the information contained in it is strictly
prohibited. If you have received this communication in error, please notify
us immediately by telephone and then destroy or delete this communication,
or return it to us by mail if requested by us. Thank you for your attention
and co-operation.

> -----Original Message-----
> From: Lush, Richard [mailto:Richard.Lush@HP.COM]
> Sent: 2003 January 22 3:29 AM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: Which Virus Scanner
>
>
> Wayne,
>
> I use sophos and f-prot as they are both "free" and work very well.
> Touch wood I've never had a virus not captured at the MailScanner box
> and having two scan engines gives you maximum flexibility and
> reliability and Sophos is very up-to-date with ides coming out daily.
>
> I have had first hand experience of the power of using two AV products.
> Sophos update their engines monthly and only support previous engines
> for three months. I didn't update the Sophos engine and in January the
> engine was out of date, so no updates were downloaded. F-prot picked up
> a new virus and Sophos didn't. I checked the logs and found the Sophos
> update erroring as it couldn't find the updated ides on the server (it
> was looking for 362 ides). I updated the engine and it started working
> again. If I hadn't had f-prot as well the virus would have been sent to
> the Exchange server and the local AV would have had to detect and remove
> it, which isn't too much of an issue but I like stopping the viruses
> from getting to Exchange first.
>
> Anyway, hope this helps
>
> Richard
>
>
> -----Original Message-----
> From: Wayne [mailto:wayne@TELL.NET.AU]
> Sent: 22 January 2003 09:35
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Which Virus Scanner
>
>
> Hi All
>
> Rather than me testing all of the virus scanners that MailScanner
> supports, I thought it would be quicker to hear your opinions on which
> virus scanner(s) you have found to be the easiest to install and keep
> fully updated. I have tried Sophos, which works well, but updating the
> virus engine is a bit of a pain.
>
> What do you think ?
>
>
> Also, are there any which are free and supported by MailScanner ?
>
>
> Thanks
>
> Wayne
>

From Denis.Beauchemin at USHERBROOKE.CA Wed Jan 22 15:02:46 2003
From: Denis.Beauchemin at USHERBROOKE.CA (Denis Beauchemin)
Date: Thu Jan 12 21:17:02 2006
Subject: Sophos first impressions
Message-ID: <1043247766.1219.41.camel@dbeauchemin.si.usherbrooke.ca>

Hello,

The current discussion on virus scanners made me want to try Sophos. So
I went to www.sophos.com and downloaded an evaluation version of their
antivirus software for Linux.

When the installation came I had to peek at sophos-autoupdate to see
that I needed to install it this way:
./install.sh -d /usr/local/Sophos -s ide -ni -v

I then ran sophos-autoupdate but it complained that it couldn't get the
version. I then realized that the autoupdate script looks into the lib
directory for its vdl files that I installed into the ide directory.

I modified sophos-autoupdate to point it to the right directory for the
vdl files and all worked OK.

I then tried to run it on some files in my quarantine directory and it
said that no files were infected:
/usr/lib/MailScanner/sophos-wrapper */*
SWEEP virus detection utility
Version 3.65, January 2003 [Linux/Intel]
Includes detection for 79017 viruses, trojans and worms
Copyright (c) 1989,2003 Sophos Plc, www.sophos.com

System time 09:36:31, System date 22 January 2003

Quick Sweeping

5 files swept in 0 seconds.
No viruses were discovered.
End of Sweep.

This is strange because McAfee says otherwise:
uvscan */*
/quarantaine/usherbrooke/20030122/h0M8vF827294/Love.scr Found the W32/Yaha.k virus !!!
/quarantaine/usherbrooke/20030122/h0M9XC832328/Best_Friend.scr Found the W32/Yaha.k virus !!!

Did I do something wrong with the installation? I also tried to unzip
Sophos.366_ides.zip in the ide directory but it still didn't find any
virus in my test files.

I tested some other files and Sophos seems to detect Yaha.e but not
yaha.k...
>>> Virus 'W32/Klez-H' found in file courrier/20030122/h0M6eL810031/height.scr
>>> Virus 'W32/Yaha-E' found in file courrier/20030122/h0M7DW814236/screensaverforu.scr

Is Sophos really good or is it lagging in virus definition?

Denis
--
Denis Beauchemin, analyst
Université de Sherbrooke, S.T.I.
T: 819.821.8000x2252 F: 819.821.8045

From j.cormie at ABERTAY.AC.UK Wed Jan 22 15:02:59 2003
From: j.cormie at ABERTAY.AC.UK (Jason Cormie)
Date: Thu Jan 12 21:17:02 2006
Subject: Mcafee problem
Message-ID:

Thanks Julian, I'll try that

-----Original Message-----
From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK]
Sent: 22, January, 2003 11:31
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Mcafee problem

Try moving the cron job so that it gets updated at a quieter time of night
each day. The other alternative is to move it to cron.hourly so it just
gets done more often. That's what the new "global updater" does.

At 09:25 22/01/2003, you wrote:
>Every few days I get this when the cron job tries to update antivirus. Next
>day It tries it can usually update OK.
>
>/etc/cron.daily/mcafee:
>McAfee update failed: cannnot connect to ftp site, Invalid argument at
>/etc/cron.daily/mcafee line 93.
>run-parts: /etc/cron.daily/mcafee exited with return code 1
>
>Any thoughts?
>
>Jason

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From Kevin.Spicer at BMRB.CO.UK Wed Jan 22 15:07:39 2003
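The cross-check Denis ran by hand in his "Sophos first impressions" post (the same quarantine files through Sophos and McAfee), as an added Python example that is not part of the thread or of MailScanner. The line formats follow the two outputs quoted in that post; the sample reports, directory names and function names are constructed, and the name normalisation is an assumption that only covers case and "." versus "-" differences.

```python
"""Report files that one virus scanner flags and the other misses."""
import re
from pathlib import PurePosixPath

# Sophos sweep:  >>> Virus 'W32/Yaha-E' found in file dir/msgid/name.scr
SOPHOS_RE = re.compile(r"^>>> Virus '(?P<virus>[^']+)' found in file (?P<path>.+?)\s*$")
# McAfee uvscan: "<path> Found the W32/Yaha.k virus !!!"; the verdict may also
# sit on the line after the path, so the path group is allowed to be empty.
MCAFEE_RE = re.compile(r"^(?P<path>.*?)\s*Found the (?P<virus>\S+) virus !!!\s*$")


def file_key(path):
    """Key a hit by '<message dir>/<file name>' so relative and absolute
    paths to the same quarantined file compare equal."""
    return "/".join(PurePosixPath(path.strip()).parts[-2:])


def normalise(name):
    """Assumption: only case and '.' vs '-' differ between vendors' names."""
    return name.strip().lower().replace(".", "-")


def parse_sophos(text):
    hits = {}
    for line in text.splitlines():
        m = SOPHOS_RE.match(line)
        if m:
            hits.setdefault(file_key(m["path"]), set()).add(normalise(m["virus"]))
    return hits


def parse_mcafee(text):
    hits, previous = {}, ""
    for line in text.splitlines():
        m = MCAFEE_RE.match(line)
        if m:
            path = m["path"].strip() or previous  # verdict on its own line
            if path:
                hits.setdefault(file_key(path), set()).add(normalise(m["virus"]))
        elif line.strip():
            previous = line.strip()
    return hits


def compare(sophos_text, mcafee_text):
    """Return which files each engine flagged, keyed by disagreement type."""
    sophos, mcafee = parse_sophos(sophos_text), parse_mcafee(mcafee_text)
    report = {"both": [], "only_sophos": [], "only_mcafee": [], "name_differs": []}
    for key in sorted(set(sophos) | set(mcafee)):
        if key not in mcafee:
            report["only_sophos"].append(key)
        elif key not in sophos:
            report["only_mcafee"].append(key)
        else:
            report["both"].append(key)
            if sophos[key] != mcafee[key]:
                report["name_differs"].append(key)
    return report


# Constructed sample reports for one quarantine tree (not real scan output).
SOPHOS_SAMPLE = """\
SWEEP virus detection utility
>>> Virus 'W32/Klez-H' found in file q/20030122/msgA/height.scr
>>> Virus 'W32/Yaha-E' found in file q/20030122/msgB/screensaverforu.scr
4 files swept in 0 seconds.
"""
MCAFEE_SAMPLE = """\
/var/q/20030122/msgA/height.scr
    Found the W32/Klez.h@MM virus !!!
/var/q/20030122/msgB/screensaverforu.scr Found the W32/Yaha.e virus !!!
/var/q/20030122/msgC/Love.scr
    Found the W32/Yaha.k virus !!!
"""

if __name__ == "__main__":
    for kind, files in compare(SOPHOS_SAMPLE, MCAFEE_SAMPLE).items():
        print(f"{kind}: {files}")
```

A non-empty `only_mcafee` or `only_sophos` list is the signal to check that engine's installation and definition files before trusting its "no viruses" result.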
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin)
Date: Thu Jan 12 21:17:02 2006
Subject: Sophos first impressions
Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0A32C56@pascal.priv.bmrb.co.uk>

>
> The current discussion on virus scanners made me want to try Sophos. So
> I went to www.sophos.com and downloaded an evaluation version of their
> antivirus software for Linux.
>
> When the installation came I had to peek at sophos-autoupdate to see
> that I needed to install it this way:
> ./install.sh -d /usr/local/Sophos -s ide -ni -v
>
> I then ran sophos-autoupdate but it complained that it couldn't get the
> version. I then realized that the autoupdate script looks into the lib
> directory for its vdl files that I installed into the ide directory.
>
> I modified sophos-autoupdate to point it to the right directory for the
> vdl files and all worked OK.

You don't need to modify anything but you should have installed Sophos
using the script supplied with MailScanner - undo the changes you made and
remove your existing Sophos install. Then follow the instructions here...
http://www.sng.ecs.soton.ac.uk/mailscanner/install/linux.shtml#sophos

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000
_________________________________________________________________
This message (and any attachment) is intended only for the recipient and
may contain confidential and/or privileged material. If you have received
this in error, please contact the sender and delete this message
immediately. Disclosure, copying or other action taken in respect of this
email or in reliance on it is prohibited. BMRB International Limited
accepts no liability in relation to any personal emails, or content of any
email which does not directly relate to our business.

From Richard.Lush at HP.COM Wed Jan 22 15:18:35 2003
From: Richard.Lush at HP.COM (Lush, Richard)
Date: Thu Jan 12 21:17:02 2006
Subject: Which Virus Scanner
Message-ID:

Sophos can be downloaded via this link
http://downloads.sophos.com/dp/full/linux.intel.libc6.tar.Z (courtesy of Ian
from a previous post). Or from
http://www.sophos.com/downloads/products/?type=eval fill out your info and
then you can download Sophos for Linux free (even though the link is for
eval, it is free to use).

From mbowman at UDCOM.COM Wed Jan 22 15:20:17 2003
From: mbowman at UDCOM.COM (Matthew Bowman)
Date: Thu Jan 12 21:17:02 2006
Subject: Which Virus Scanner
Message-ID:

The 30 day eval is free. The licensed linux version cost is either based on
number of mailboxes, domains and/or servers. Their prices are somewhat high
however we evaluated it and found that it was a very good product. At the
moment our clients have to make do with their local Norton/Symantec AV
software until we install a server side av solution.

Regards.

Matthew K Bowman
www.udcom.com

From Kevin.Spicer at BMRB.CO.UK Wed Jan 22 15:23:19 2003
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin)
Date: Thu Jan 12 21:17:02 2006
Subject: Which Virus Scanner
Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0A32C57@pascal.priv.bmrb.co.uk>

>
> Sophos can be downloaded via this link
> http://downloads.sophos.com/dp/full/linux.intel.libc6.tar.Z (courtesy of
> Ian from a previous post). Or from
> http://www.sophos.com/downloads/products/?type=eval fill out your info
> and then you can download Sophos for Linux free (even though the link is
> for eval, it is free to use).
>

It's not 'free' either as in beer or freedom. Sophos is a commercial
product and you require a license to use it. If you download it for
evaluation purposes you must comply with the terms of the evaluation
license (don't have them to hand right now). In any case if you want to use
it in your production MailScanner you need to buy a license - or you are
breaking the law. If you want free try clam-av (or fprot for personal use).

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000

From Stephen.Dawes at GOV.CALGARY.AB.CA Wed Jan 22 15:30:52 2003
From: Stephen.Dawes at GOV.CALGARY.AB.CA (Dawes, Stephen)
Date: Thu Jan 12 21:17:02 2006
Subject: Which Virus Scanner
Message-ID:

I am looking for something for home use. So, I will check out clam-av and
f-prot.
Does either product come in the rpm flavor or are they just tar-balls?

Stephen Dawes
The City of Calgary | Phone: (403) 268-5527
Web Business Office #8300 | Fax: (403) 268-6423
PO Box 2100 Postal Station M. | Email: Stephen.Dawes@calgary.ca
Calgary, Alberta, Canada. T2P 2M5 | Web: http://www.calgary.ca

From E.H.Beekman at AMC.UVA.NL Wed Jan 22 15:35:22 2003
From: E.H.Beekman at AMC.UVA.NL (Ewald Beekman)
Date: Thu Jan 12 21:17:02 2006
Subject: Could not check ... (corrupt)
Message-ID: <20030122163522.C335@oink.amc.uva.nl>

Saw this message a couple of times since we're running production,
most of the time it's because of DSN's which include the original
attachment sent (where the original message is one mime-part and
the original attachment is not a separate mime-part in the DSN
message because the mime boundaries are different).

But I also got it on a "correct" message:

MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="part1_181.15952dd4.2b5fd091_boundary"
..
--part1_181.15952dd4.2b5fd091_boundary
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: 7bit
...
--part1_181.15952dd4.2b5fd091_boundary
Content-Type: application/octet-stream; name="Notulen COB 13-01-03.doc"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="Notulen COB 13-01-03.doc"

0M8R4KGxGuEAAAAAAAAAAAAAAAAAAAAAPgADAP7/CQAGAAAAAAAAAAAAAAABAAAALAAAAAAA
etc.

Any ideas why it couldn't extract the attachment? I did it by hand using
perl -MMIME::Base64 -ne 'print decode_base64($_)' < file > x.doc
and that worked ok, and the document contained no viruses.
Could it be the spaces?

We are using mailscanner-4.11-1 on RedHat-8 with Sophos.

These are the logs:
Jan 22 11:47:08 MailScanner[10703]: Could not check ./h0MAl3er016081/Notulen COB 13-01-03.doc (corrupt)
Jan 22 11:47:09 MailScanner[10703]: Saved entire message to /var/spool/MailScanner/quarantine/20030122/h0MAl3er016081
Jan 22 11:47:09 MailScanner[10703]: Saved infected "Notulen COB 13-01-03.doc (corrupt)" to /var/spool/MailScanner/quarantine/20030122/h0MAl3er016081

thanx in advance,
Ewald...

--
Ewald Beekman, Security Engineer, Academic Medical Center,
dept. ADB/ICT Computer & Network Services, The Netherlands
## Your mind-mint is:
Don't you wish you had more energy... or less ambition?

From john.hanks at USU.EDU Wed Jan 22 15:29:43 2003
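The manual check Ewald describes in "Could not check ... (corrupt)" (decode the part outside MailScanner and look at what comes out), as an added Python example that is not part of the thread or of MailScanner. It parses a message of the same shape, decodes the attachment strictly, identifies it by its leading bytes and derives a space-free name for storing it; the sample messages, boundary name and function names are constructed for the illustration.

```python
"""Triage a quarantined message: does each attachment decode cleanly?"""
import base64
import binascii
import email
import re
from email import policy

OLE2_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # legacy .doc/.xls/.ppt header
KNOWN_MAGIC = {
    OLE2_MAGIC: "OLE2 compound file",
    b"PK\x03\x04": "ZIP container",
    b"MZ": "DOS/Windows executable",
}


def build_sample(b64_body):
    """Constructed message with the same layout as the one in the post."""
    return (
        "MIME-Version: 1.0\n"
        'Content-Type: multipart/mixed; boundary="part1_example_boundary"\n'
        "\n"
        "--part1_example_boundary\n"
        'Content-Type: text/plain; charset="US-ASCII"\n'
        "Content-Transfer-Encoding: 7bit\n"
        "\n"
        "Minutes attached.\n"
        "--part1_example_boundary\n"
        'Content-Type: application/octet-stream; name="Notulen COB 13-01-03.doc"\n'
        "Content-Transfer-Encoding: base64\n"
        'Content-Disposition: attachment; filename="Notulen COB 13-01-03.doc"\n'
        "\n" + b64_body + "\n--part1_example_boundary--\n"
    )


def safe_name(filename):
    """Drop any directory part and replace everything outside a conservative
    character set, so the name is safe to hand to wrapper scripts."""
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    cleaned = re.sub(r"[^A-Za-z0-9._-]", "_", base).lstrip(".")
    return cleaned or "attachment"


def identify(data):
    for magic, label in KNOWN_MAGIC.items():
        if data.startswith(magic):
            return label
    return "unknown"


def triage(raw_message):
    """Return one finding per named part of the message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    for part in msg.walk():
        filename = part.get_filename()
        if part.is_multipart() or filename is None:
            continue
        encoding = str(part.get("Content-Transfer-Encoding", "7bit")).strip().lower()
        strict_ok = None  # only meaningful for base64 parts
        if encoding == "base64":
            compact = "".join(part.get_payload(decode=False).split())
            try:
                # validate=True rejects stray characters and bad padding,
                # which lenient decoders silently skip over.
                data = base64.b64decode(compact, validate=True)
                strict_ok = True
            except binascii.Error:
                data = part.get_payload(decode=True) or b""
                strict_ok = False
        else:
            data = part.get_payload(decode=True) or b""
        findings.append({
            "filename": filename,
            "safe_name": safe_name(filename),
            "encoding": encoding,
            "strict_ok": strict_ok,
            "size": len(data),
            "kind": identify(data),
        })
    return findings


# Constructed payload: OLE2 magic followed by zero bytes, not a real document.
_GOOD_B64 = base64.encodebytes(OLE2_MAGIC + bytes(100)).decode("ascii")
GOOD_SAMPLE = build_sample(_GOOD_B64)
BROKEN_SAMPLE = build_sample(_GOOD_B64[:20] + "!" + _GOOD_B64[20:])

if __name__ == "__main__":
    for label, sample in (("good", GOOD_SAMPLE), ("broken", BROKEN_SAMPLE)):
        print(label, triage(sample))
```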
From: john.hanks at USU.EDU (John B. Hanks)
Date: Thu Jan 12 21:17:02 2006
Subject: Which Virus Scanner
Message-ID: <5CA287DBA85BF649A45916B75FD20E0E122545@exchange.usu.edu>

> http://www.sophos.com/downloads/products/?type=eval fill out
> your info and then you can download Sophos for Linux free
> (even though the link is for eval, it is free to use).

Are you absolutely certain about this? When we attempted to license Sophos
for use with MailScanner, our only option was to license it for every
machine that might receive scanned email on our campus or buy a site
license for all Sophos products for our campus.

I'd be interested to see Sophos documentation that says the Linux version
is free to use, especially if it applies to non-commercial or educational
sites. I'd like nothing more than to give McAfee the boot.

jbh

From Kevin.Spicer at BMRB.CO.UK Wed Jan 22 15:44:22 2003
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin)
Date: Thu Jan 12 21:17:02 2006
Subject: Which Virus Scanner
Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0A4AD09@pascal.priv.bmrb.co.uk>

> I am looking for something for home use. So, I will check out
> clam-av and f-prot.
> Does either product come in the rpm flavor or are they just tar-balls?

I'm using both at home with MailScanner 4.10. I think f-prot have rpms on
their site (it's been a while...), get clam from www.rpmfind.net [for
Mandrake you need clamav and libclamav]. The Mandrake rpms install clam in
/usr rather than /usr/local so you need to edit the paths in the two clam
scripts in /usr/lib/MailScanner. If using Clam you also need to change the
Minimum Code Status in MailScanner.conf to unsupported.

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000

From Denis.Beauchemin at USHERBROOKE.CA Wed Jan 22 15:46:28 2003
From: Denis.Beauchemin at USHERBROOKE.CA (Denis Beauchemin)
Date: Thu Jan 12 21:17:02 2006
Subject: Sophos first impressions
In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB0A32C56@pascal.priv.bmrb.co.uk>
References: <5C0296D26910694BB9A9BBFC577E7AB0A32C56@pascal.priv.bmrb.co.uk>
Message-ID: <1043250387.1227.44.camel@dbeauchemin.si.usherbrooke.ca>

Thanks Kevin,

After the installation as described in the documentation Sophos is now
detecting the same infected files as McAfee.

Denis
--
Denis Beauchemin, analyst
Université de Sherbrooke, S.T.I.
T: 819.821.8000x2252 F: 819.821.8045

From Stephen.Dawes at GOV.CALGARY.AB.CA Wed Jan 22 15:53:50 2003
From: Stephen.Dawes at GOV.CALGARY.AB.CA (Dawes, Stephen)
Date: Thu Jan 12 21:17:02 2006
Subject: Which Virus Scanner
Message-ID:

Thanks, I'll give it a try.

Not too clear on why you would want to change the Minimum Code Status
setting in MailScanner.conf to unsupported, but that is my lack of
MailScanner knowledge speaking out.

Stephen Dawes
The City of Calgary | Phone: (403) 268-5527
Web Business Office #8300 | Fax: (403) 268-6423
PO Box 2100 Postal Station M. | Email: Stephen.Dawes@calgary.ca
Calgary, Alberta, Canada. T2P 2M5 | Web: http://www.calgary.ca

From mbowman at UDCOM.COM Wed Jan 22 15:52:27 2003
From: mbowman at UDCOM.COM (Matthew Bowman) Date: Thu Jan 12 21:17:02 2006 Subject: Which Virus Scanner - Clamav? Message-ID: Hi I just downlowned the tarball and attempted to setup MailScanner.conf to use clam-av as the scanner Virus Scanners = clamav When I did a mailscanner restart I got the error FATAL: //www.sng.ecs.soton.ac.uk/mailscanner/install/codestatus.shtml What is the correct way of using clamav w/ mailscanner? Thanks Matthew K Bowman Systems Administrator; Hostmaster; Miva Administrator Universal Digital Communications, Mansfield Ohio. Tel: (419) 524-4330 Fax: (419) 522-4082 Cell: (419) 545-6376 Email: mbowman@udcom.com Web: http://www.udcom.com -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030122/538a66e3/attachment.html From Richard.Lush at HP.COM Wed Jan 22 15:58:59 2003 From: Richard.Lush at HP.COM (Lush, Richard) Date: Thu Jan 12 21:17:02 2006 Subject: Which Virus Scanner Message-ID: Sorry my mistake getting confused with f-prot which is free for personal use (I run MailScanner at home). Sophos is available for free eval of 30 days. In any case for commercial use I would always recommend buying the AV product. -----Original Message----- 
From: John B. Hanks [mailto:john.hanks@USU.EDU]
Sent: 22 January 2003 15:30
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Which Virus Scanner

> http://www.sophos.com/downloads/products/?type=eval fill out
> your info and then you can download Sophos for Linux free
> (even though the link is for eval, it is free to use).

Are you absolutely certain about this? When we attempted to license Sophos for use with MailScanner, our only option was to license it for every machine that might receive scanned email on our campus or buy a site license for all Sophos products for our campus.

I'd be interested to see Sophos documentation that says the Linux version is free to use, especially if it applies to non-commercial or educational sites. I'd like nothing more than to give McAfee the boot.

jbh

From Kevin.Spicer at BMRB.CO.UK Wed Jan 22 15:57:58 2003
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin)
Date: Thu Jan 12 21:17:02 2006
Subject: Which Virus Scanner
Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0A4AD0A@pascal.priv.bmrb.co.uk>

> Thanks, I'll give it a try.
>
> Not too clear on why you would want to change the Minimum Code
> Status setting in MailScanner.conf to unsupported, but that
> is my lack of MailScanner knowledge speaking out.
>

see http://www.sng.ecs.soton.ac.uk/mailscanner/install/codestatus.shtml (as this relates to virus scanners is at the bottom of that page)

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000

From Kevin.Spicer at BMRB.CO.UK Wed Jan 22 15:58:07 2003
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin)
Date: Thu Jan 12 21:17:02 2006
Subject: Which Virus Scanner - Clamav?
Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0A32C5B@pascal.priv.bmrb.co.uk>

I just downloaded the tarball and attempted to set up MailScanner.conf to use clam-av as the scanner

Virus Scanners = clamav

When I did a mailscanner restart I got the error

FATAL: //www.sng.ecs.soton.ac.uk/mailscanner/install/codestatus.shtml

What is the correct way of using clamav w/ mailscanner?

change Minimum Code Status = unsupported in MailScanner.conf

see... http://www.sng.ecs.soton.ac.uk/mailscanner/install/codestatus.shtml

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000

From Richard.Lush at HP.COM Wed Jan 22 16:11:25 2003
From: Richard.Lush at HP.COM (Lush, Richard)
Date: Thu Jan 12 21:17:02 2006
Subject: Beta Webmin Module feedback anyone?
Message-ID:

Hi All,

I'm just making the finishing touches to the next beta of the webmin module which I hope to have completed and release on Sunday. For those of you that have downloaded (I'm sure someone has) is there any feedback on problems seen, new feature requests etc.

The link again is http://lushsoft.dyndns.org/mailscanner-webmin

The new version will/does have the following fixed :

Maximum number of child forks now display
Help is now available
All file browsing buttons now work
Plus some other minor bugs

Cheers
Richard

Richard Lush
Consulting and Integration
Security Practise
Reading UK
Email richard.lush@hp.com
Mobile +44 (0) 7788 916941
Office +44 (0) 118 920 2349
Fax +44 (0) 118 920 4612

D I S C L A I M E R
The information contained in this communication is intended solely for use by the individual or entity to whom it is addressed. Use of this communication by others is prohibited. HP and / or Compaq is neither liable for the proper and complete transmission of the information contained in this communication nor for any delay in its receipt nor for any special, incidental or consequential damages of any nature whatsoever resulting from receipt or use of this communication. If you are not the intended recipient, you may not peruse, use, disseminate, distribute or copy this message. If you have received this message in error, please notify the sender immediately by email, facsimile or telephone and return or destroy the original message. Thank you.

From mailscanner at ecs.soton.ac.uk Wed Jan 22 16:21:03 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:02 2006
Subject: Could not check ... (corrupt)
In-Reply-To: <20030122163522.C335@oink.amc.uva.nl>
Message-ID: <5.2.0.9.2.20030122162034.0493ec50@imap.ecs.soton.ac.uk>

Please can you send me a copy of the entire original message so that I can see what is going on? Don't post it to the list, just directly to me.

Jules.

At 15:35 22/01/2003, you wrote:
>Saw this message a couple of times since we're running production,
>most of the time it's because of DSN's which include the original attachment
>sent (where the original message is one mime-part and the original attachment
>is not a separate mime-part in the DSN message because the mime boundaries
>are different).
>But I also got it on a "correct" message:
>
>MIME-Version: 1.0
>Content-Type: multipart/mixed; boundary="part1_181.15952dd4.2b5fd091_boundary"
>..
>--part1_181.15952dd4.2b5fd091_boundary
>Content-Type: text/plain; charset="US-ASCII"
>Content-Transfer-Encoding: 7bit
>...
>--part1_181.15952dd4.2b5fd091_boundary
>Content-Type: application/octet-stream; name="Notulen COB 13-01-03.doc"
>Content-Transfer-Encoding: base64
>Content-Disposition: attachment; filename="Notulen COB 13-01-03.doc"
>
>0M8R4KGxGuEAAAAAAAAAAAAAAAAAAAAAPgADAP7/CQAGAAAAAAAAAAAAAAABAAAALAAAAAAA
>etc.
>
>Any ideas why it couldn't extract the attachment? I did it by hand using
>perl -MMIME::Base64 -ne 'print decode_base64($_)' < file > x.doc
>and that worked ok, and the document contained no viruses.
>Could it be the spaces?
>
>We are using mailscanner-4.11-1 on RedHat-8 with Sophos.
>These are the logs:
>
>Jan 22 11:47:08 MailScanner[10703]: Could not check
>./h0MAl3er016081/Notulen COB 13-01-03.doc (corrupt)
>Jan 22 11:47:09 MailScanner[10703]: Saved entire message to
>/var/spool/MailScanner/quarantine/20030122/h0MAl3er016081
>Jan 22 11:47:09 MailScanner[10703]: Saved infected "Notulen COB
>13-01-03.doc (corrupt)" to
>/var/spool/MailScanner/quarantine/20030122/h0MAl3er016081
>
>thanx in advance,
>Ewald...
>
>
>--
>Ewald Beekman, Security Engineer, Academic Medical Center,
>dept. ADB/ICT Computer & Network Services, The Netherlands
>## Your mind-mint is:
>Don't you wish you had more energy... or less ambition?

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Wed Jan 22 16:17:09 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:02 2006
Subject: Which Virus Scanner
In-Reply-To: <5CA287DBA85BF649A45916B75FD20E0E122545@exchange.usu.edu>
Message-ID: <5.2.0.9.2.20030122161647.0498ef48@imap.ecs.soton.ac.uk>

At 15:29 22/01/2003, you wrote:
> > http://www.sophos.com/downloads/products/?type=eval fill out
> > your info and then you can download Sophos for Linux free
> > (even though the link is for eval, it is free to use).
>
>Are you absolutely certain about this? When we attempted to license Sophos
>for use with MailScanner, our only option was to license it for every
>machine that might receive scanned email on our campus or buy a site license
>for all Sophos products for our campus.

Sophos do extremely good discounts for education.

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From adkinss at OHIO.EDU Wed Jan 22 15:37:09 2003
From: adkinss at OHIO.EDU (Scott Adkins)
Date: Thu Jan 12 21:17:02 2006
Subject: Sophos first impressions
In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB0A32C56@pascal.priv.bmrb.co.uk>
References: <5C0296D26910694BB9A9BBFC577E7AB0A32C56@pascal.priv.bmrb.co.uk>
Message-ID: <3541514829.1043231829@Callisto>

I disagree with the answer that was given... I too have a similar problem, though, the autoupdate script seems to work fine for me... I can see new IDE files getting downloaded regularly.

The problem I experience, which is indicated below, is if I run the sweep program manually on the command line and try to scan several files that I know have viruses in them. Sweep comes back always indicating that there are no viruses in the files. However, sending the same files through email so that sweep can be run against them via MailScanner works just fine. I even went as far as taking the command line arguments that MailScanner uses to run sweep and did that myself, and it still doesn't help any. Maybe I need to set some environment variables or something... in any case, MailScanner obviously knows how to do the scanning better than I do :-)

One other thing to point out... If I put a bunch of viruses in the same directory and also include the various EICAR testing files, sweep does indeed report the EICAR files as containing the EICAR virus, but reports that none of the other files has any viruses.

Trussing the sweep process does show a couple things, such as that it is looking for the IDE files in a /usr/local/sav directory, but doesn't find them. I thought that maybe this was why it couldn't find any viruses. Symbolically linking /usr/local/sav to /usr/local/Sophos/sav did not help me any, so I am going to look at other options.

It is obvious from reading the Sophos documentation that the way they want it to be installed is nothing close to the way MailScanner wants it to be installed.
I haven't called Sophos about it yet, and I do know that they primarily use MailScanner for their testing of virus scanning in emails (they didn't even really know about MimeDefang at the time we talked to them last month, and said they would look into that one), so they probably know what is up with the above problems...

Scott

--On Wednesday, January 22, 2003 3:07 PM +0000 "Spicer, Kevin" wrote:

>>
>> The current discussion on virus scanners made me want to try
>> Sophos. So
>> I went to www.sophos.com and downloaded an evaluation version of their
>> antivirus software for Linux.
>>
>> When the installation came I had to peek at sophos-autoupdate to see
>> that I needed to install it this way:
>> ./install.sh -d /usr/local/Sophos -s ide -ni -v
>>
>> I then ran sophos-autoupdate but it complained that it
>> couldn't get the
>> version. I then realized that the autoupdate script looks
>> into the lib
>> directory for its vdl files that I installed into the ide directory.
>>
>> I modified sophos-autoupdate to point it to the right
>> directory for the
>> vdl files and all worked OK.
>
> You don't need to modify anything but you should have installed Sophos
> using the script supplied with MailScanner - undo the changes you made
> and remove your existing Sophos install. then follow the instructions
> here...
> http://www.sng.ecs.soton.ac.uk/mailscanner/install/linux.shtml#sophos
>
>
>
> BMRB International
> http://www.bmrb.co.uk
> +44 (0)20 8566 5000
> _________________________________________________________________
> This message (and any attachment) is intended only for the
> recipient and may contain confidential and/or privileged
> material. If you have received this in error, please contact the
> sender and delete this message immediately. Disclosure, copying
> or other action taken in respect of this email or in
> reliance on it is prohibited.
> BMRB International Limited
> accepts no liability in relation to any personal emails, or
> content of any email which does not directly relate to our
> business.

--
+-----------------------------------------------------------------------+
 Scott W. Adkins http://www.cns.ohiou.edu/~sadkins/
 UNIX Systems Engineer mailto:adkinss@ohio.edu
 ICQ 7626282 Work (740)593-9478 Fax (740)593-1944
+-----------------------------------------------------------------------+
 PGP Public Key available at http://www.cns.ohiou.edu/~sadkins/pgp/

From mbowman at UDCOM.COM Wed Jan 22 16:33:29 2003
From: mbowman at UDCOM.COM (Matthew Bowman)
Date: Thu Jan 12 21:17:02 2006
Subject: Which Virus Scanner - Clamav?
Message-ID:

Hi

Not sure if this was a suitable test but I downloaded the eicar_com.zip file. Sent it from my own domain to my work e-mail address. It quarantined the zip file. Sent me the alert.

Report: eicar_com.zip contains Eicar-Test-Signature

Should clamav have disinfected the file?

Can anyone send me a test with a virus to see if clamav cleans it up?

Thanks

Matthew K Bowman
Systems Administrator; Hostmaster; Miva Administrator
Universal Digital Communications, Mansfield Ohio.
Tel: (419) 524-4330
Fax: (419) 522-4082
Cell: (419) 545-6376
Email: mbowman@udcom.com
Web: http://www.udcom.com

From mailscanner at ecs.soton.ac.uk Wed Jan 22 16:49:59 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:02 2006
Subject: Which Virus Scanner - Clamav?
In-Reply-To:
Message-ID: <5.2.0.9.2.20030122164930.02bdecb8@imap.ecs.soton.ac.uk>

As far as I am aware, ClamAV does not disinfect at all. But MailScanner will still remove the infected attachments, so nothing nasty gets to the recipient.

At 16:33 22/01/2003, you wrote:
>Hi
>
>Not sure if this was a suitable test but I downloaded the eicar_com.zip
>file. Sent it from my own domain to my work e-mail address. It quarantined
>the zip file. Sent me the alert.
>
>Report: eicar_com.zip contains Eicar-Test-Signature
>
>Should clamav have disinfected the file?
>
>Can anyone send me a test with a virus to see if clamav cleans it up?
>
>Thanks
>
>Matthew K Bowman
>Systems Administrator; Hostmaster; Miva Administrator
>Universal Digital Communications, Mansfield Ohio.
>Tel: (419) 524-4330
>Fax: (419) 522-4082
>Cell: (419) 545-6376
>Email: mbowman@udcom.com
>Web: http://www.udcom.com

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Wed Jan 22 16:49:17 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:02 2006
Subject: Sophos first impressions
In-Reply-To: <3541514829.1043231829@Callisto>
References: <5C0296D26910694BB9A9BBFC577E7AB0A32C56@pascal.priv.bmrb.co.uk> <5C0296D26910694BB9A9BBFC577E7AB0A32C56@pascal.priv.bmrb.co.uk>
Message-ID: <5.2.0.9.2.20030122164527.04945560@imap.ecs.soton.ac.uk>

At 15:37 22/01/2003, you wrote:
>The problem I experience, which is indicated below, is if I run the sweep
>program manually on the command line and try to scan several files that I
>know have viruses in them. Sweep comes back always indicating that there
>are no viruses in the files. However, sending the same files through email
>so that sweep can be run against them via MailScanner works just fine. I
>even went as far as taking the command line arguments that MailScanner uses
>to run sweep and did that myself, and it still doesn't help any. Maybe I
>need to set some environment variables or something... in any case,
>MailScanner obviously knows how to do the scanning better than I do :-)

Try using "sophos-wrapper" instead of just "sweep" for starters. And also MailScanner adds a whole bunch of command-line arguments that make sure it checks everything.

>One other thing to point out... If I put a bunch of viruses in the same
>directory and also include the various EICAR testing files, sweep does
>indeed report the EICAR files as containing the EICAR virus, but reports
>that none of the other files has any viruses.

That's probably because it is not finding its virus data library files.

>It is obvious from reading the Sophos documentation that the way they
>want it to be installed is nothing close to the way MailScanner wants it
>to be installed.

Take a look at the sophos-wrapper script, and you will see what it sets up.

>I haven't called Sophos about it yet, and I do know
>that they primarily use MailScanner for their testing of virus scanning
>in emails

Do they now?
What about their new MailMonitor product? They became a lot less friendly to MailScanner after they launched MailMonitor, I don't think the bosses liked staff recommending their competition.

>--On Wednesday, January 22, 2003 3:07 PM +0000 "Spicer, Kevin"
> wrote:
>
>>>
>>>The current discussion on virus scanners made me want to try
>>>Sophos. So
>>>I went to www.sophos.com and downloaded an evaluation version of their
>>>antivirus software for Linux.
>>>
>>>When the installation came I had to peek at sophos-autoupdate to see
>>>that I needed to install it this way:
>>>./install.sh -d /usr/local/Sophos -s ide -ni -v
>>>
>>>I then ran sophos-autoupdate but it complained that it
>>>couldn't get the
>>>version. I then realized that the autoupdate script looks
>>>into the lib
>>>directory for its vdl files that I installed into the ide directory.
>>>
>>>I modified sophos-autoupdate to point it to the right
>>>directory for the
>>>vdl files and all worked OK.
>>
>>You don't need to modify anything but you should have installed Sophos
>>using the script supplied with MailScanner - undo the changes you made
>>and remove your existing Sophos install. then follow the instructions
>>here...
>>http://www.sng.ecs.soton.ac.uk/mailscanner/install/linux.shtml#sophos
>>
>>
>>
>>BMRB International
>>http://www.bmrb.co.uk
>>+44 (0)20 8566 5000
>>_________________________________________________________________
>>This message (and any attachment) is intended only for the
>>recipient and may contain confidential and/or privileged
>>material. If you have received this in error, please contact the
>>sender and delete this message immediately. Disclosure, copying
>>or other action taken in respect of this email or in
>>reliance on it is prohibited. BMRB International Limited
>>accepts no liability in relation to any personal emails, or
>>content of any email which does not directly relate to our
>>business.
>
>
>--
>+-----------------------------------------------------------------------+
> Scott W. Adkins http://www.cns.ohiou.edu/~sadkins/
> UNIX Systems Engineer mailto:adkinss@ohio.edu
> ICQ 7626282 Work (740)593-9478 Fax (740)593-1944
>+-----------------------------------------------------------------------+
> PGP Public Key available at
> http://www.cns.ohiou.edu/~sadkins/pgp/

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From mbowman at UDCOM.COM Wed Jan 22 16:57:00 2003
From: mbowman at UDCOM.COM (Matthew Bowman)
Date: Thu Jan 12 21:17:03 2006
Subject: Which Virus Scanner - Clamav?
Message-ID:

>As far as I am aware, ClamAV does not disinfect at all. But MailScanner
>will still remove the infected attachments, so nothing nasty gets to the
>recipient.

Yeah, I just noticed that. I just did a clamscan -R . --remove in my /var/spool/MailScanner/quarantine to remove all the infected files - that's adequate for my needs for the moment.

Do any of the other *free* packages have disinfection routines?

Thanks

Matthew K Bowman

From mailscanner at ecs.soton.ac.uk Wed Jan 22 17:00:17 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:03 2006
Subject: Which Virus Scanner - Clamav?
In-Reply-To:
Message-ID: <5.2.0.9.2.20030122165952.02c19d18@imap.ecs.soton.ac.uk>

At 16:57 22/01/2003, you wrote:
> >As far as I am aware, ClamAV does not disinfect at all. But MailScanner
> >will still remove the infected attachments, so nothing nasty gets to the
> >recipient.
>
>Yeah, I just noticed that. I just did a clamscan -R . --remove in my
>/var/spool/MailScanner/quarantine to remove all the infected files - that's
>adequate for my needs for the moment.
>
>Do any of the other *free* packages have disinfection routines?

There aren't any other totally free ones. All the commercial ones can disinfect macro viruses from documents.

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From chicks at CHICKS.NET Wed Jan 22 17:17:54 2003
From: chicks at CHICKS.NET (Christopher Hicks)
Date: Thu Jan 12 21:17:03 2006
Subject: Which Virus Scanner
In-Reply-To: <5.2.0.9.2.20030122161647.0498ef48@imap.ecs.soton.ac.uk>
Message-ID:

On Wed, 22 Jan 2003, Julian Field wrote:
> Sophos do extremely good discounts for education.

Even with the discounts f-prot is still cheaper. Sophos sounds great and I've encouraged several clients (a few of whom are schools) in that direction and none of them have found it practical to go that way even with the educational discounts.

--
"Never offend people with style when you can offend them with substance."
- Sam Brown

From mike at TECHINTER.COM Wed Jan 22 17:05:00 2003
From: mike at TECHINTER.COM (Mike Williams)
Date: Thu Jan 12 21:17:03 2006
Subject: Which Virus Scanner do I buy?
In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB0A4AD0A@pascal.priv.bmrb.co.uk>
Message-ID:

Hi,

I have been searching for a virus scanner that will work on a BSDi 4.0.1 box and came upon MailScanner. I got it installed and working but I still have to plug in the virus software. So far I've only found 2 that mention BSDi in their software products. They are Kaspersky and RAV. Problem is they have different products and I searched the mail archive to see which one I should get but still have no idea. RAV sells a product for Mail servers as well as a product for file servers. Kaspersky does this also. One for workstations one for servers and one for mail servers. Each are priced differently. What one should I get that will work with MailScanner?

Thanks.

Mike Williams
IWC Inc.
30 South Whitney St Suite 1
Grayslake, IL 60030
ph. 847-543-7309 x 14
fax 847-543-1828
Toll free 877-492-6381
http://www.iwc.net

From brian at PORTSMOUTH-COLLEGE.AC.UK Wed Jan 22 17:20:37 2003
From: brian at PORTSMOUTH-COLLEGE.AC.UK (Brian Chivers - ICT Support Officer Portsmouth College)
Date: Thu Jan 12 21:17:03 2006
Subject: Which Virus Scanner
References:
Message-ID: <016b01c2c23a$946a95a0$65c8a8c0@portsmouthcollege.ac.uk>

We pay about under £1000 for 500 workstations and our gateways, I don't think that's bad considering all the updates they do.

Brian

----- Original Message -----
From: "Christopher Hicks"
To:
Sent: Wednesday, January 22, 2003 5:17 PM
Subject: Re: Which Virus Scanner

On Wed, 22 Jan 2003, Julian Field wrote:
> Sophos do extremely good discounts for education.

Even with the discounts f-prot is still cheaper. Sophos sounds great and I've encouraged several clients (a few of whom are schools) in that direction and none of them have found it practical to go that way even with the educational discounts.

--
"Never offend people with style when you can offend them with substance."
- Sam Brown

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

From adkinss at OHIO.EDU Wed Jan 22 15:46:36 2003
From: adkinss at OHIO.EDU (Scott Adkins)
Date: Thu Jan 12 21:17:03 2006
Subject: Could not check ... (corrupt)
In-Reply-To: <20030122163522.C335@oink.amc.uva.nl>
References: <20030122163522.C335@oink.amc.uva.nl>
Message-ID: <3542082034.1043232396@Callisto>

Did you get a message similar to the following:

The original e-mail attachment "not named" was believed to be infected by a virus and has been replaced by this warning message.

At Fri Jan 17 13:15:11 2003 the virus scanner said:
External message bodies cannot be scanned and are removed

We are getting complaints that our virus scanning is removing perfectly valid attachments known not to have viruses in them. This will become a very hot topic if we don't figure it out soon and resolve it. I don't know if it is Sophos doing it or if it is MailScanner doing it. We are trying to get copies of these people's emails so that we can look at the warning message to find out if it is similar to the above.

If this is MailScanner, is there an option to turn it off? If for some reason an attachment can't be scanned, my inclination is to play it safe and deliver it normally, not nuke it into oblivion. We aren't doing quarantining here, and we have already received messages about the fact that these attachments are removed and we don't save them for later recovery. Our policy won't change, but I can understand their issues.

Scott

--On Wednesday, January 22, 2003 4:35 PM +0100 Ewald Beekman wrote:

> Saw this message a couple of times since we're running production,
> most of the time it's because of DSN's which include the original
> attachment sent (where the original message is one mime-part and the
> original attachment is not a separate mime-part in the DSN message because
> the mime boundaries are different).
> But I also got it on a "correct" message:
>
> MIME-Version: 1.0
> Content-Type: multipart/mixed;
> boundary="part1_181.15952dd4.2b5fd091_boundary" ...
> --part1_181.15952dd4.2b5fd091_boundary
> Content-Type: text/plain; charset="US-ASCII"
> Content-Transfer-Encoding: 7bit
> ....
> --part1_181.15952dd4.2b5fd091_boundary
> Content-Type: application/octet-stream; name="Notulen COB 13-01-03.doc"
> Content-Transfer-Encoding: base64
> Content-Disposition: attachment; filename="Notulen COB 13-01-03.doc"
>
> 0M8R4KGxGuEAAAAAAAAAAAAAAAAAAAAAPgADAP7/CQAGAAAAAAAAAAAAAAABAAAALAAAAAAA
> etc.
>
> Any ideas why it couldn't extract the attachment? I did it by hand using
> perl -MMIME::Base64 -ne 'print decode_base64($_)' < file > x.doc
> and that worked ok, and the document contained no viruses.
> Could it be the spaces?
>
> We are using mailscanner-4.11-1 on RedHat-8 with Sophos.
> These are the logs:
>
> Jan 22 11:47:08 MailScanner[10703]: Could not check
> ./h0MAl3er016081/Notulen COB 13-01-03.doc (corrupt) Jan 22 11:47:09
> MailScanner[10703]: Saved entire message to
> /var/spool/MailScanner/quarantine/20030122/h0MAl3er016081 Jan 22 11:47:09
> MailScanner[10703]: Saved infected "Notulen COB 13-01-03.doc (corrupt)" to
> /var/spool/MailScanner/quarantine/20030122/h0MAl3er016081
>
> thanx in advance,
> Ewald...
>
>
> --
> Ewald Beekman, Security Engineer, Academic Medical Center,
> dept. ADB/ICT Computer & Network Services, The Netherlands
>## Your mind-mint is:
> Don't you wish you had more energy... or less ambition?

--
+-----------------------------------------------------------------------+
 Scott W. Adkins http://www.cns.ohiou.edu/~sadkins/
 UNIX Systems Engineer mailto:adkinss@ohio.edu
 ICQ 7626282 Work (740)593-9478 Fax (740)593-1944
+-----------------------------------------------------------------------+
 PGP Public Key available at http://www.cns.ohiou.edu/~sadkins/pgp/

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 231 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030122/f914dd19/attachment.bin

From didier.belhomme at FUNDP.AC.BE Wed Jan 22 18:01:58 2003
From: didier.belhomme at FUNDP.AC.BE (Didier Belhomme)
Date: Thu Jan 12 21:17:03 2006
Subject: Sophos first impressions
In-Reply-To: <3541514829.1043231829@Callisto>
References: <5C0296D26910694BB9A9BBFC577E7AB0A32C56@pascal.priv.bmrb.co.uk> <5C0296D26910694BB9A9BBFC577E7AB0A32C56@pascal.priv.bmrb.co.uk>
Message-ID: <5.2.0.9.0.20030122190020.035ede40@pop.fundp.ac.be>

At 10:37 22/01/2003 -0500, you wrote:
>I disagree with the answer that was given... I too have a similar problem,
>though, the autoupdate script seems to work fine for me... I can see new
>IDE files getting downloaded regularly.
>
>The problem I experience, which is indicated below, is if I run the sweep
>program manually on the command line and try to scan several files that I
>know have viruses in them. Sweep comes back always indicating that there
>are no viruses in the files. However, sending the same files through email
>so that sweep can be run against them via MailScanner works just fine. I
>even went as far as taking the command line arguments that MailScanner uses
>to run sweep and did that myself, and it still doesn't help any. Maybe I
>need to set some environment variables or something... in any case,
>MailScanner obviously knows how to do the scanning better than I do :-)

By default, sweep does a "quick" sweep only on files with executable extensions. In order to catch many more viruses, try sweep -f -all . And you'll get many more viruses found.

Didier Belhomme
FUNDP - Service informatique universitaire - Support systèmes UNIX
Rue Grandgagnage, 21
B-5000 Namur
Tel : +32 81 725025
Fax: +32 81 725023
E-mail : didier.belhomme@fundp.ac.be

From didier.belhomme at FUNDP.AC.BE Wed Jan 22 18:09:54 2003
From: didier.belhomme at FUNDP.AC.BE (Didier Belhomme)
Date: Thu Jan 12 21:17:03 2006
Subject: Sophos first impressions
In-Reply-To: <5.2.0.9.2.20030122164527.04945560@imap.ecs.soton.ac.uk>
References: <3541514829.1043231829@Callisto> <5C0296D26910694BB9A9BBFC577E7AB0A32C56@pascal.priv.bmrb.co.uk> <5C0296D26910694BB9A9BBFC577E7AB0A32C56@pascal.priv.bmrb.co.uk>
Message-ID: <5.2.0.9.0.20030122190304.03643090@pop.fundp.ac.be>

At 16:49 22/01/2003 +0000, you wrote:
>>I haven't called Sophos about it yet, and I do know
>>that they primarily use MailScanner for their testing of virus scanning
>>in emails
>
>Do they now? What about their new MailMonitor product? They became a lot
>less friendly to MailScanner after they launched MailMonitor, I don't think
>the bosses liked staff recommending their competition.

Sad. We didn't choose MailMonitor since it was like a "black box", without any indication of how the product works internally. Moreover, but things could have changed by now, there was no anti-relay provision in the base product, which would require us to put a supplemental e-mail server for incoming mail.

Our setup now is quite stable now, running on 2 Sun Fire V100 servers (box @ 4000 EUR VAT included, with 3 years of Gold Support !) running Solaris 8 and processing about 14-15 thousand messages a day. We switched from McAfee to Sophos right yesterday, and the whole installation process took about 3 minutes to complete.

That's to say again that you did (and are still doing) a very nice job Julian ! I hope you'll not be doing the same thing with MailScanner than what happened to SpamAssassin (now bought by NAI I think).

Didier Belhomme
FUNDP - Service informatique universitaire - Support systèmes UNIX
Rue Grandgagnage, 21
B-5000 Namur
Tel : +32 81 725025
Fax: +32 81 725023
E-mail : didier.belhomme@fundp.ac.be

From adkinss at OHIO.EDU Wed Jan 22 18:13:13 2003
From: adkinss at OHIO.EDU (Scott Adkins) Date: Thu Jan 12 21:17:03 2006 Subject: Sophos first impressions In-Reply-To: <5.2.0.9.2.20030122164527.04945560@imap.ecs.soton.ac.uk> References: <5.2.0.9.2.20030122164527.04945560@imap.ecs.soton.ac.uk> Message-ID: <3550879424.1043241193@Callisto> --On Wednesday, January 22, 2003 4:49 PM +0000 Julian Field wrote: > Try using "sophos-wrapper" instead of just "sweep" for starters. And also > MailScanner adds a whole bunch of command-line arguments that make sure it > checks everything. I will give that a try... somebody else sent me a message about using "sophos-wrapper" as well... thanks for those who responded. As far as the command-line arguments go, I got them from MailScanner in the first place, so I know that wasn't the issue. But the wrapper sounds like a good thing to use. > That's probably because it is not finding its virus data library files. Right, which is why I thought I should try a default install of Sophos to see if it works. If I do that and then use "sophos-wrapper" to make it work with MailScanner then this sounds like a workable solution. >> I haven't called Sophos about it yet, and I do know >> that they primarily use MailScanner for their testing of virus scanning >> in emails > > Do they now? What about their new MailMonitor product? They became a lot > less friendly to MailScanner after they launched MailMonitor, I don't > think the bosses liked staff recommending their competition. Well, we talked to Sophos just before the year turned, as they were trying to sell it to us before the end of their fiscal year (and we did end up buying the license for it). We talked with them over a conference call with regards to setup, performance, etc. We were using MIMEDefang at the time, and they didn't appear to know what that product was. They said they would go look at it and see about supporting it officially or something like that (I think MIMEDefang already has support for Sophos). 
What they recommended for us to do was to use MailScanner instead. They said it was a pretty good performer and they were most familiar with it. That was the first time we had ever heard of MailScanner. We switched to it and have been running it since. As for MailMonitor, they didn't bring it up, and until today, have never heard of it. So, from that, you can draw your own conclusions :-) Thanks for the help, Scott -- +-----------------------------------------------------------------------+ Scott W. Adkins http://www.cns.ohiou.edu/~sadkins/ UNIX Systems Engineer mailto:adkinss@ohio.edu ICQ 7626282 Work (740)593-9478 Fax (740)593-1944 +-----------------------------------------------------------------------+ PGP Public Key available at http://www.cns.ohiou.edu/~sadkins/pgp/ From mailscanner at ecs.soton.ac.uk Wed Jan 22 19:10:18 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:03 2006 Subject: Sophos first impressions In-Reply-To: <5.2.0.9.0.20030122190304.03643090@pop.fundp.ac.be> References: <5.2.0.9.2.20030122164527.04945560@imap.ecs.soton.ac.uk> <3541514829.1043231829@Callisto> <5C0296D26910694BB9A9BBFC577E7AB0A32C56@pascal.priv.bmrb.co.uk> <5C0296D26910694BB9A9BBFC577E7AB0A32C56@pascal.priv.bmrb.co.uk> Message-ID: <5.2.0.9.2.20030122190510.0292de88@imap.ecs.soton.ac.uk> At 18:09 22/01/2003, you wrote: >That's to say again that you did (and are still doing) a very nice job >Julian ! Thanks. > I hope you'll not be doing the same thing with MailScanner than what > happened to SpamAssassin (now bought by NAI I think). I hope not. I don't rely on MailScanner for my income, and I'm not aiming to make my fortune from it, I just want to take over the world and make the Internet a safer place for everyone. Global Domination beats a fast car every time :-) -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Wed Jan 22 19:03:22 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:03 2006 Subject: Which Virus Scanner do I buy? In-Reply-To: References: <5C0296D26910694BB9A9BBFC577E7AB0A4AD0A@pascal.priv.bmrb.co.uk> Message-ID: <5.2.0.9.2.20030122185927.0294ee88@imap.ecs.soton.ac.uk> At 17:05 22/01/2003, you wrote: >I have been searching for a virus scanner that will work on a BSDi 4.0.1 box >and came upon MailScanner. I got it installed and working but I still have >to plug in the virus software. So far I've only found 2 that mention BSDi >in their software products. They are Kaspersky and RAV. Problem is they >have different products and I searched the mail archive to see which one I >should get but still have no idea. RAV sells a product for Mail servers as >well as a product for file servers. Kaspersky does this also. One for >workstations one for servers and one for mail servers. Each are priced >differently. What one should I get that will work with MailScanner? You want the command-line scanner that will just scan files. Normally the workstation version is what you want. I have just checked Kaspersky's website, and once you specify BSDi it only offers you a mail server scanner or a normal command-line scanner. It's the command-line one you want. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From steve at AVALON.DARTMOUTH.EDU Wed Jan 22 20:31:43 2003 
From: steve at AVALON.DARTMOUTH.EDU (Steve Campbell) Date: Thu Jan 12 21:17:03 2006 Subject: sendmail 8.12.7 squawking after MS 4.11-1 upgrade In-Reply-To: Your message of "Thu, 02 Jan 2003 17:54:25 GMT." <5.2.0.9.2.20030102175232.03a5ed70@imap.ecs.soton.ac.uk> Message-ID: <200301222031.h0MKVhRV018340@avalon.Dartmouth.EDU> Folks, Was there ever a definitive solution to this problem? I am running MailScanner-4.05-3 on a Tru64 system with sendmail 8.12.6, and I see the error. For example: sendmail[176424]: File descriptors missing on startup: stdout, stderr; Bad file number If, as someone suggested, there is a "leak" of file descriptors, then that is what should be fixed. Stephen Campbell Network Services Dartmouth College 6223 Berry-Baker Library Hanover, New Hampshire 03755 US > At 16:31 02/01/2003, you wrote: > >Gang, > > I upgraded from Mailscanner 4.10-1 to 4.11-1 this morning. > >Afterwards, sendmail 8.12.7 started complaining: > > > >[ID 702911 mail.warning] File descriptors > > missing on startup: stderr; Bad file number > > > >I've seen a pile 'o these this morning. I dropped back to 4.10-1 > >and sendmail shut up. I upgraded from 8.12.6 to 8.12.7 on Dec 31, > >so this may be a new feature/bug of sendmail. The complaint above > >comes out of sendmail's main() routine. A quick look at the > >sendmail code, and it looks like sendmail is checking that the stdio > >file descriptors are available, and complains if not. Maybe stderr > >is closed/gone in MS when a sendmail process gets launched in 4.11-1? > > MS 4.11 does indeed close all the stdout, stdin, stderr. This means that the > forking off the daemon works properly, so you can close an SSH session that > started MailScanner. > > If you look in /usr/sbin/MailScanner, you will find 3 consecutive "close(" > function calls. Try commenting them out and see what happens. I might need > to add some code to attempt to re-open them later, but I'm not 100% sure how > to do that yet. 
:-) > -- > Julian Field > www.MailScanner.info > MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Wed Jan 22 20:57:31 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:03 2006 Subject: sendmail 8.12.7 squawking after MS 4.11-1 upgrade In-Reply-To: <200301222031.h0MKVhRV018340@avalon.Dartmouth.EDU> References: Message-ID: <5.2.0.9.2.20030122205638.011dd0c8@imap.ecs.soton.ac.uk> At 20:31 22/01/2003, you wrote: >Folks, > >Was there ever a definitive solution to this problem? > >I am running MailScanner-4.05-3 on a Tru64 system with sendmail 8.12.6, and I >see the error. For example: > >sendmail[176424]: File descriptors missing on startup: stdout, stderr; Bad >file number In the main MailScanner script, there are 3 calls to close(). If you comment them out, does it fix the problem? >If, as someone suggested, there is a "leak" of file descriptors, then that is >what should be fixed. > >Stephen Campbell >Network Services >Dartmouth College >6223 Berry-Baker Library >Hanover, New Hampshire 03755 >US > > > At 16:31 02/01/2003, you wrote: > > >Gang, > > > I upgraded from Mailscanner 4.10-1 to 4.11-1 this morning. > > >Afterwards, sendmail 8.12.7 started complaining: > > > > > >[ID 702911 mail.warning] File descriptors > > > missing on startup: stderr; Bad file number > > > > > >I've seen a pile 'o these this morning. I dropped back to 4.10-1 > > >and sendmail shut up. I upgraded from 8.12.6 to 8.12.7 on Dec 31, > > >so this may be a new feature/bug of sendmail. The complaint above > > >comes out of sendmail's main() routine. A quick look at the > > >sendmail code, and it looks like sendmail is checking that the stdio > > >file descriptors are available, and complains if not. Maybe stderr > > >is closed/gone in MS when a sendmail process gets launched in 4.11-1? > > > > MS 4.11 does indeed close all the stdout, stdin, stderr. This means that the > > forking off the daemon works properly, so you can close an SSH session that > > started MailScanner. > > > > If you look in /usr/sbin/MailScanner, you will find 3 consecutive "close(" > > function calls. 
Try commenting them out and see what happens. I might need > > to add some code to attempt to re-open them later, but I'm not 100% sure how > > to do that yet. :-) > > -- > > Julian Field > > www.MailScanner.info > > MailScanner thanks transtec Computers for their support -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From wayne at TELL.NET.AU Wed Jan 22 21:38:24 2003 From: wayne at TELL.NET.AU (Wayne) Date: Thu Jan 12 21:17:03 2006 Subject: Which Virus Scanner In-Reply-To: <002201c2c1fa$95e39520$65c8a8c0@portsmouthcollege.ac.uk> References: <5.1.1.6.1.20030122195854.00b1dc50@mail.tell.net.au> Message-ID: <5.1.1.6.1.20030123080726.00b38620@mail.tell.net.au> Sounds ideal, any chance of sending me a copy of that script ? Wayne At 09:42 AM 22/01/2003 +0000, you wrote: >We're a sophos site. > >You only have to update the engine every other month, and we use a simple >script that replaces it from the CD we get each month, it takes longer to >open and close the CD than install the upgrade. > >Brian Chivers >Portsmouth College >----- Original Message ----- >From: "Wayne" >To: >Sent: Wednesday, January 22, 2003 9:35 AM >Subject: Which Virus Scanner > > >Hi All > >Rather than me testing all of the virus scanners that MailScanner supports, >I thought it would be quicker to hear your opinions on which virus scanner(s) >you have found to be the easiest to install and keep fully updated. I have >tried Sophos, which works well, but updating the virus engine is a bit of a >pain. > >What do you think ? > > >Also, are there any which are free and supported by MailScanner ? > > >Thanks > >Wayne > >-- >This message has been scanned for viruses and >dangerous content by MailScanner, and is >believed to be clean. > > > >-- >This message has been scanned for viruses and >dangerous content by MailScanner, and is >believed to be clean. From smohan at vsnl.com Thu Jan 23 00:49:42 2003 
From: smohan at vsnl.com (S Mohan) Date: Thu Jan 12 21:17:03 2006 Subject: Which Virus Scanner In-Reply-To: <5.1.1.6.1.20030122195854.00b1dc50@mail.tell.net.au> Message-ID: <000701c2c279$525579c0$ea6041db@18yamuna> I have created a cron job to run on 28th of every month. This downloads the latest engine and installs the same. Have called this sophos.update with 700 root owner Mohan -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Wayne Sent: Wednesday, January 22, 2003 3:05 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Which Virus Scanner Hi All Rather than me testing all of the virus scanners that MailScanner supports, I thought it would be quicker to hear your opinions on which virus scanner(s) you have found to be the easiest to install and keep fully updated. I have tried Sophos, which works well, but updating the virus engine is a bit of a pain. What do you think ? Also, are there any which are free and supported by MailScanner ? Thanks Wayne From wayne at TELL.NET.AU Thu Jan 23 08:26:39 2003 From: wayne at TELL.NET.AU (Wayne) Date: Thu Jan 12 21:17:03 2006 Subject: Sophos sweep script Message-ID: <5.1.1.6.1.20030123185330.00b38950@mail.tell.net.au> Hi All Does anyone have a script that I can use to run sweep to scan files on the drive and then email the out ? Thanks again. Wayne From smohan at VSNL.COM Thu Jan 23 08:51:43 2003 
From: smohan at VSNL.COM (S Mohan)
Date: Thu Jan 12 21:17:03 2006
Subject: Sophos sweep script
In-Reply-To: <5.1.1.6.1.20030123185330.00b38950@mail.tell.net.au>
Message-ID:

You can do it from commandline as under. Let us assume you want to scan files recursively under /data and mail them out to a@bc.com. Assuming Linux OS here with bash. On bash prompt give:

find /data -type f -print0 | xargs -0 -n 1 ./checkout.sh

#!/bin/bash
# checkout.sh: handles exactly one file per call (hence -n 1 above);
# -print0/-0 keep file names containing spaces in one piece.
sweep "$1"    # give all arguments necessary here to clean/ delete/ disinfect etc
# Mail the file only if it still exists after the scan.
[ -e "$1" ] && mutt -s "Scanned file - $1" -a "$1" -- a@bc.com < msgtxt

msgtxt should have the standard body of the message.

HTH
Mohan

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Wayne
Sent: 23 January 2003 13:57
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Sophos sweep script

Hi All

Does anyone have a script that I can use to run sweep to scan files on the drive and then email the out ?

Thanks again.
Wayne

From steve at AVALON.DARTMOUTH.EDU Thu Jan 23 12:24:40 2003
From: steve at AVALON.DARTMOUTH.EDU (Steve Campbell)
Date: Thu Jan 12 21:17:03 2006
Subject: sendmail 8.12.7 squawking after MS 4.11-1 upgrade
In-Reply-To: Your message of "Wed, 22 Jan 2003 20:57:31 GMT." <5.2.0.9.2.20030122205638.011dd0c8@imap.ecs.soton.ac.uk>
Message-ID: <200301231224.h0NCOeRV023197@avalon.Dartmouth.EDU>

I am seeing the problem running version 4.05-3. I cannot find three close() calls in /opt/bin/mailscanner. Can you tell me exactly which file to examine?

> At 20:31 22/01/2003, you wrote:
> >Folks,
> >
> >Was there ever a definitive solution to this problem?
> >
> >I am running MailScanner-4.05-3 on a Tru64 system with sendmail 8.12.6, and I
> >see the error. For example:
> >
> >sendmail[176424]: File descriptors missing on startup: stdout, stderr; Bad
> >file number
>
> In the main MailScanner script, there are 3 calls to close(). If you
> comment them out, does it fix the problem?

From mailscanner at ecs.soton.ac.uk Thu Jan 23 12:35:13 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:03 2006 Subject: sendmail 8.12.7 squawking after MS 4.11-1 upgrade In-Reply-To: <200301231224.h0NCOeRV023197@avalon.Dartmouth.EDU> References: Message-ID: <5.2.0.9.2.20030123123436.03d2c800@imap.ecs.soton.ac.uk> At 12:24 23/01/2003, you wrote: >I am seeing the problem running version 4.05-3. I cannot find three close() >calls in /opt/bin/mailscanner. Can you tell me exactly which file to examine? 4.05 didn't contain these close() calls, it appears. So this definitely shouldn't be causing a problem. Any evidence of anything nasty happening, or is sendmail just being noisy? > > At 20:31 22/01/2003, you wrote: > > >Folks, > > > > > >Was there ever a definitive solution to this problem? > > > > > >I am running MailScanner-4.05-3 on a Tru64 system with sendmail > 8.12.6, and I > > >see the error. For example: > > > > > >sendmail[176424]: File descriptors missing on startup: stdout, stderr; Bad > > >file number > > > > In the main MailScanner script, there are 3 calls to close(). If you > > comment them out, does it fix the problem? -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From Denis.Beauchemin at USHERBROOKE.CA Thu Jan 23 13:48:05 2003 
From: Denis.Beauchemin at USHERBROOKE.CA (Denis Beauchemin)
Date: Thu Jan 12 21:17:03 2006
Subject: Sophos issues
Message-ID: <1043329685.1227.115.camel@dbeauchemin.si.usherbrooke.ca>

Hello,

Yesterday I added Sophos to McAfee as my virus scanners in MS. I then noticed the following messages in my logs:

Jan 22 12:21:20 smtp2 MailScanner[10906]: Could not check ./h0MHL9O22471/StAR2001_2002Fleury et alH.rar/StAR2001_2002Fleury et alH.doc (format not supported)
Jan 22 12:21:20 smtp2 MailScanner[10906]: Could not check ./h0MHL9O22471/StAR2001_2002Fleury et alH.rar (corrupt)
Jan 22 12:21:20 smtp2 MailScanner[10906]: Virus Scanning: sophos found 2 infections
Jan 22 12:21:20 smtp2 MailScanner[10906]: Virus Scanning: Found 2 viruses
Jan 22 12:21:20 smtp2 MailScanner[10906]: Saved infected "StAR2001_2002Fleury et alH.rar (corrupt)" to /quarantaine/usherbrooke/20030122/h0MHL9O22471
Jan 22 12:21:20 smtp2 MailScanner[10906]: Saved infected "StAR2001_2002Fleury et alH.rar" to /quarantaine/usherbrooke/20030122/h0MHL9O22471
Jan 22 12:58:33 smtp2 MailScanner[10824]: Could not check ./h0MHwPO31882/Calendrier2003.pps (corrupt)
Jan 22 12:58:33 smtp2 MailScanner[10824]: Could not check ./h0MHwPO31882/Calendrier2003.pps (corrupt)
Jan 22 12:58:34 smtp2 MailScanner[10824]: Virus Scanning: sophos found 1 infections
Jan 22 12:58:34 smtp2 MailScanner[10824]: Virus Scanning: Found 1 viruses
Jan 22 12:58:34 smtp2 MailScanner[10824]: Saved infected "Calendrier2003.pps (corrupt)" to /quarantaine/hermes/20030122/h0MHwPO31882
Jan 22 16:26:55 smtp2 MailScanner[22132]: Could not check ./h0MLQmO04098/winmail.dat (corrupt)
Jan 22 16:26:55 smtp2 MailScanner[22132]: Virus Re-scanning: sophos found 1 infections
Jan 22 16:26:55 smtp2 MailScanner[22132]: Disinfection: Rescan found only 1 viruses

I checked my old logs and these messages had never appeared before I added Sophos so I'm pretty sure it is the culprit. McAfee didn't complain about those files.

I'm running version 4.11-1 on RH 7.3 with the external winmail.dat extractor.

The problem is annoying because the attachments were not transmitted to the users and even though MS informed them that they were quarantined in directory X, they are not there except for the RAR file. For the others, the directory is empty.

Until this issue is resolved I deactivated Sophos. Anyhow the Sophos quote I received was based on the number of users my mail gateways protect and was way too expensive for us.

Thanks again!

Denis
--
Denis Beauchemin, analyste
Université de Sherbrooke, S.T.I.
T: 819.821.8000x2252 F: 819.821.8045

From steve at AVALON.DARTMOUTH.EDU Thu Jan 23 14:10:24 2003
From: steve at AVALON.DARTMOUTH.EDU (Steve Campbell)
Date: Thu Jan 12 21:17:03 2006
Subject: sendmail 8.12.7 squawking after MS 4.11-1 upgrade
In-Reply-To: Your message of "Thu, 23 Jan 2003 12:35:13 GMT." <5.2.0.9.2.20030123123436.03d2c800@imap.ecs.soton.ac.uk>
Message-ID: <200301231410.h0NEAORV023891@avalon.Dartmouth.EDU>

> At 12:24 23/01/2003, you wrote:
> >I am seeing the problem running version 4.05-3. I cannot find three close()
> >calls in /opt/bin/mailscanner. Can you tell me exactly which file to examine?
>
> 4.05 didn't contain these close() calls, it appears. So this definitely
> shouldn't be causing a problem. Any evidence of anything nasty happening,
> or is sendmail just being noisy?

As far as I can tell from looking at the sendmail code, it just complains but continues processing, ie does not exit.

So in one sense we could ignore the message. But it is troubling that MailScanner seems to run normally for some time and the messages only begin later. This suggests that initially stdin, stdout, and stderr are open when sendmail is invoked, but later they are not. And this sounds like some kind of file descriptor leak.

Steve Campbell
Dartmouth College

From mailscanner at ecs.soton.ac.uk Thu Jan 23 14:28:01 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:03 2006 Subject: Sophos issues In-Reply-To: <1043329685.1227.115.camel@dbeauchemin.si.usherbrooke.ca> Message-ID: <5.2.0.9.2.20030123142635.03fef968@imap.ecs.soton.ac.uk> I have heard of other similar problems with RAR archives and Sophos in the last few days. Supposedly Sophos tech support are working on them. If you do a standard ("Sophos"'s standard) installation of their virus scanner, and use sweep to scan the RAR file, and it still produces the errors (which I believe it will), then you should log a fault call with Sophos tech support so that they work faster on fixing this problem. At 13:48 23/01/2003, you wrote: >Hello, > >Yesterday I added Sophos to McAfee as my virus scanners in MS. I then >noticed the following messages in my logs: >Jan 22 12:21:20 smtp2 MailScanner[10906]: Could not check >./h0MHL9O22471/StAR2001_2002Fleury et alH.rar/StAR2001_2002Fleury et >alH.doc (format not supported) >Jan 22 12:21:20 smtp2 MailScanner[10906]: Could not check >./h0MHL9O22471/StAR2001_2002Fleury et alH.rar (corrupt) >Jan 22 12:21:20 smtp2 MailScanner[10906]: Virus Scanning: sophos found 2 >infections >Jan 22 12:21:20 smtp2 MailScanner[10906]: Virus Scanning: Found 2 viruses >Jan 22 12:21:20 smtp2 MailScanner[10906]: Saved infected >"StAR2001_2002Fleury et alH.rar (corrupt)" to >/quarantaine/usherbrooke/20030122/h0MHL9O22471 >Jan 22 12:21:20 smtp2 MailScanner[10906]: Saved infected >"StAR2001_2002Fleury et alH.rar" to >/quarantaine/usherbrooke/20030122/h0MHL9O22471 >Jan 22 12:58:33 smtp2 MailScanner[10824]: Could not check >./h0MHwPO31882/Calendrier2003.pps (corrupt) >Jan 22 12:58:33 smtp2 MailScanner[10824]: Could not check >./h0MHwPO31882/Calendrier2003.pps (corrupt) >Jan 22 12:58:34 smtp2 MailScanner[10824]: Virus Scanning: sophos found 1 >infections >Jan 22 12:58:34 smtp2 MailScanner[10824]: Virus Scanning: Found 1 viruses >Jan 22 12:58:34 smtp2 MailScanner[10824]: Saved infected 
>"Calendrier2003.pps (corrupt)" to /quarantaine/hermes/20030122/h0MHwPO31882 >Jan 22 16:26:55 smtp2 MailScanner[22132]: Could not check >./h0MLQmO04098/winmail.dat (corrupt) >Jan 22 16:26:55 smtp2 MailScanner[22132]: Virus Re-scanning: sophos found >1 >infections >Jan 22 16:26:55 smtp2 MailScanner[22132]: Disinfection: Rescan found only >1 viruses > >I checked my old logs and these messages had never appeared before I >added Sophos so I'm pretty sure it is the culprit. McAfee didn't >complain about those files. > >I'm running version 4.11-1 on RH 7.3 with the external winmail.dat >extractor. > >The problem is annoying because the attachments were not transmitted to >the users and even though MS informed them that they were quarantined in >directory X, they are not there except for the RAR file. For the others, >the directory is empty. > >Until this issue is resolved I deactivated Sophos. Anyhow the Sophos >quote I received was based on the number of users my mail gateways >protect and was way too expensive for us. > >Thanks again! > >Denis >-- >Denis Beauchemin, analyste >Université de Sherbrooke, S.T.I. >T: 819.821.8000x2252 F: 819.821.8045 -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Thu Jan 23 14:29:38 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:03 2006 Subject: sendmail 8.12.7 squawking after MS 4.11-1 upgrade In-Reply-To: <200301231410.h0NEAORV023891@avalon.Dartmouth.EDU> References: Message-ID: <5.2.0.9.2.20030123142818.02c6d008@imap.ecs.soton.ac.uk> At 14:10 23/01/2003, you wrote: > > At 12:24 23/01/2003, you wrote: > > >I am seeing the problem running version 4.05-3. I cannot find three > close() > > >calls in /opt/bin/mailscanner. Can you tell me exactly which file to > examine? > > > > 4.05 didn't contain these close() calls, it appears. So this definitely > > shouldn't be causing a problem. Any evidence of anything nasty happening, > > or is sendmail just being noisy? > >As far as I can tell from looking at the sendmail code, it just complains >but continues processing, ie does not exit. > >So in one sense we could ignore the message. But it is troubling that >MailScanner seems to run normally for some time and the messages only >begin later. This suggests that initially stdin, stdout, and stderr are >open when sendmail is invoked, but later they are not. And this sounds >like some kind of file descriptor leak. I think it's actually caused by the file descriptor connections with the shell being broken when MailScanner re-execs itself every few hours (see "Restart Every" in MailScanner.conf). It's a "disconnection" and not a leak, really. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From jskala at JASONSKALA.COM Thu Jan 23 14:39:29 2003 
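The descriptor behaviour discussed in this thread, as an added example that is not part of any message here and is not MailScanner or sendmail code (all function names are hypothetical): a daemon that detaches with a bare close() on 0-2 leaves every program it later starts without stdio, which is the condition the quoted sendmail log line reports, while pointing 0-2 at /dev/null detaches just as well and keeps them valid. It is written in C because the behaviour belongs to the process's descriptor table, whichever language issues the close().

```c
/* Added example: stdio descriptors across a daemon's detach step.
   All function names are hypothetical; none of this is MailScanner
   or sendmail code. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

/* Bit n set means descriptor n (0 stdin, 1 stdout, 2 stderr) is not open. */
int missing_stdio_mask(void)
{
    struct stat st;
    int mask = 0;
    for (int fd = 0; fd <= 2; fd++)
        if (fstat(fd, &st) < 0 && errno == EBADF)
            mask |= 1 << fd;
    return mask;
}

/* Name the missing descriptors, e.g. mask 6 gives "stdout, stderr". */
const char *describe_mask(int mask, char *buf, size_t len)
{
    static const char *const names[] = { "stdin", "stdout", "stderr" };
    if (len == 0)
        return buf;
    buf[0] = '\0';
    for (int fd = 0; fd <= 2; fd++) {
        if (!(mask & (1 << fd)))
            continue;
        if (buf[0] != '\0')
            strncat(buf, ", ", len - strlen(buf) - 1);
        strncat(buf, names[fd], len - strlen(buf) - 1);
    }
    return buf;
}

/* Detach from the launching shell by pointing 0-2 at /dev/null, so that
   anything started later still inherits three valid descriptors. */
int reopen_stdio_on_devnull(void)
{
    int nullfd = open("/dev/null", O_RDWR);
    if (nullfd < 0)
        return -1;
    for (int fd = 0; fd <= 2; fd++)
        if (fd != nullfd && dup2(nullfd, fd) < 0)
            return -1;
    if (nullfd > 2)
        close(nullfd);
    return 0;
}

/* Child body: detach by a bare close() or by reopening, then report what
   a program started from this process would find on 0-2 (64 = error). */
static int detach_and_check(int reopen)
{
    if (reopen) {
        if (reopen_stdio_on_devnull() < 0)
            return 64;
    } else {
        close(0); close(1); close(2);
    }
    return missing_stdio_mask();
}

/* Child body: with only closed_fd missing, which number does the next
   open() receive? The kernel hands out the lowest free descriptor. */
static int open_after_close(int closed_fd)
{
    if (reopen_stdio_on_devnull() < 0)   /* start from a known-good 0-2 */
        return 64;
    close(closed_fd);
    int fd = open("/dev/null", O_WRONLY);
    return fd < 0 ? 64 : fd;
}

/* Run fn(arg) in a forked child so the caller's own stdio is untouched. */
static int in_child(int (*fn)(int), int arg)
{
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0)
        _exit(fn(arg));
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int stdio_mask_after_detach(int reopen) { return in_child(detach_and_check, reopen); }
int next_open_lands_on(int closed_fd)   { return in_child(open_after_close, closed_fd); }

int main(void)
{
    char buf[32];
    printf("bare close():  missing %s\n",
           describe_mask(stdio_mask_after_detach(0), buf, sizeof buf));
    printf("reopened:      missing mask %d\n", stdio_mask_after_detach(1));
    printf("stderr closed: next open() is fd %d\n", next_open_lands_on(2));
    return 0;
}
```

The last result is the reason the warning is worth acting on: with stderr closed, the next file a program opens becomes descriptor 2, and anything it later writes to stderr goes into that file.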
From: jskala at JASONSKALA.COM (Jason G Skala) Date: Thu Jan 12 21:17:03 2006 Subject: Scanner is marking mail as a virus when it isn't one! Message-ID: <33644.192.168.2.1.1043332769.squirrel@www.jasonskala.com> Every week my firewall program e-mails me a backup of the config file. Now the mailscanner is marking it as a virus, when in fact I know that it is not a virus. Is there anyway to add either the filename or the sender address so that it won't look at the file as a virus any longer? Is there anyway around this that I am missing? Any help would be great.. thanks. From mailscanner at ecs.soton.ac.uk Thu Jan 23 14:57:28 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:03 2006 Subject: Scanner is marking mail as a virus when it isn't one! In-Reply-To: <33644.192.168.2.1.1043332769.squirrel@www.jasonskala.com> Message-ID: <5.2.0.9.2.20030123145703.03f7b008@imap.ecs.soton.ac.uk> At 14:39 23/01/2003, you wrote: >Every week my firewall program e-mails me a backup of the config file. Now >the mailscanner is marking it as a virus, when in fact I know that it is >not a virus. Is there anyway to add either the filename or the sender >address so that it won't look at the file as a virus any longer? Add a rule to the top of /etc/MailScanner/filename.rules.conf that allows this filename. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From nerijus at USERS.SOURCEFORGE.NET Thu Jan 23 15:04:46 2003 
From: nerijus at USERS.SOURCEFORGE.NET (Nerijus Baliunas) Date: Thu Jan 12 21:17:03 2006 Subject: Scanner is marking mail as a virus when it isn't one! In-Reply-To: <33644.192.168.2.1.1043332769.squirrel@www.jasonskala.com> References: <33644.192.168.2.1.1043332769.squirrel@www.jasonskala.com> Message-ID: <200301231504.h0NF4kqR029823@mx.ktv.lt> On Thu, 23 Jan 2003 09:39:29 -0500 Jason G Skala wrote: > Every week my firewall program e-mails me a backup of the config file. Now > the mailscanner is marking it as a virus, when in fact I know that it is > not a virus. Is there anyway to add either the filename or the sender > address so that it won't look at the file as a virus any longer? Yes, you can use rulesets. Please look in archives, there were various examples posted a few days ago. Julian, I think such questions should be added to FAQ (if they are not there), or you'll soon be tired to answer the same questions again and again... Regards, Nerijus From murat.koc at frontsite.com.tr Thu Jan 23 15:39:59 2003 
From: murat.koc at frontsite.com.tr (Murat Koc) Date: Thu Jan 12 21:17:03 2006 Subject: Kaspersky DaemonClient In-Reply-To: <20030119152000.EF7C76960F@mx.ktv.lt> References: <5.2.0.9.2.20021209162824.05dcf540@imap.ecs.soton.ac.uk> <20030119152000.EF7C76960F@mx.ktv.lt> Message-ID: <1043336398.23170.30.camel@guru.frontsite.com.tr> Hi, Sorry for the late answer. > Could the OP (Murat Koc) test it? You will probably have to update to the latest > Kaspersky, but it works with old licenses without problems. I tried your patch today and it works well, thank you very much for the patch. But, it didn't say found by kavdaemonclient. Just FYI. customer wants to know which one detected the virus because we use 4 virus scanners. And Julian, some of our customers need to send partial messages (I don't know why and don't want to ask :)) so I think there should be an option for allowing to send partial messages. Then I won't be disabling the partial message check in SweepContent.pm :) Thanks again Julian for MailScanner and Nerijus for your patch. -- ----------------------------------------------------------------------------- Murat Koc mail:murat.koc@frontsite.com.tr Manager and IT Consultant frontsite Bilgi Teknolojisi A.S. tel: +90 212 222 68 42 - 63 fax: +90 212 222 68 35 ----------------------------------------------------------------------------- From Peter.Bates at LSHTM.AC.UK Thu Jan 23 15:24:06 2003 
From: Peter.Bates at LSHTM.AC.UK (Peter Bates) Date: Thu Jan 12 21:17:03 2006 Subject: Quick question about disinfection and Sophos updating... Message-ID: Hello all... I'm still getting my head around MailScanner, and looking through the different options... I have: Deliver Disinfected Files = no Quarantine Infections = yes Quarantine Whole Message = yes Quarantine Whole Messages As Queue Files = no Does this stop the delivery of infected emails and quarantine them, but as a single message that can be examined in the quarantine directory? I don't basically want to 'strip'/disinfected messages that appeared to have a virus, I'd rather they were just plain stopped, and the sender and admin informed. Also if I have: Allow IFrame Tags = no Allow Object Codebase Tags = no Convert Dangerous HTML To Text = yes Then messages with IFRAME and Object Codebase will be delivered, but 'sanitized'? Apologies for the confusion, but I thought I saw a message stopped the other day for containing 'Object Codebase' tags, despite the above. Secondly, about Sophos updating ... every now and again is it just a case of getting the os-type.tar.gz file to the server (e.g. from CD or downloaded from Sophos), and running Sophos.install again? ... ---------------------------------------------------------------------------------------------------> Peter Bates, Systems Support Officer, Network Support Team. London School of Hygiene & Tropical Medicine. Telephone:0207-958 8353 / Fax: 0207- 636 9838 From mailscanner at ecs.soton.ac.uk Thu Jan 23 16:24:37 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:03 2006 Subject: Quick question about disinfection and Sophos updating... In-Reply-To: Message-ID: <5.2.0.9.2.20030123162033.02cd2a60@imap.ecs.soton.ac.uk> At 15:24 23/01/2003, you wrote: >Hello all... > >I'm still getting my head around MailScanner, and looking >through the different options... > >I have: > >Deliver Disinfected Files = no >Quarantine Infections = yes >Quarantine Whole Message = yes >Quarantine Whole Messages As Queue Files = no > >Does this stop the delivery of infected emails and quarantine them, >but as a single message that can be examined in the quarantine directory? Yes. >I don't basically want to 'strip'/disinfected messages that appeared to have >a virus, I'd rather they were just plain stopped, and the sender and admin >informed. > >Also if I have: > >Allow IFrame Tags = no >Allow Object Codebase Tags = no >Convert Dangerous HTML To Text = yes > >Then messages with IFRAME and Object Codebase >will be delivered, but 'sanitized'? You need to allow them, but convert them. So you need >Allow IFrame Tags = yes >Allow Object Codebase Tags = yes >Convert Dangerous HTML To Text = yes >Apologies for the confusion, but I thought I saw a message >stopped the other day for containing 'Object Codebase' tags, despite the >above. > >Secondly, about Sophos updating ... every now and again is it just a case >of getting the os-type.tar.gz file to the server (e.g. from CD or downloaded >from Sophos), and running Sophos.install again? Yes, every 2 or 3 months will do. If you start to get strange errors from sophos-autoupdate, then your version has become too old and needs replacing. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Thu Jan 23 16:41:19 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:03 2006
Subject: Kaspersky DaemonClient
In-Reply-To: <1043336398.23170.30.camel@guru.frontsite.com.tr>
References: <20030119152000.EF7C76960F@mx.ktv.lt> <5.2.0.9.2.20021209162824.05dcf540@imap.ecs.soton.ac.uk> <20030119152000.EF7C76960F@mx.ktv.lt>
Message-ID: <5.2.0.9.2.20030123163911.03ceceb0@imap.ecs.soton.ac.uk>

At 15:39 23/01/2003, you wrote:
>I tried your patch today and it works well, thank you very much for the
>patch.

Great.

>But, it didn't say found by kavdaemonclient. Just FYI. customer wants to
>know which one is detected the virus because we use 4 virus scanners.

Will have to think about that one.

>And Julian, some of our customers needs send partial messages (I don't
>know why and don't want to ask :)) so I think there should be a option
>for allowing to send partial messages. Then I won't be disable partial
>message check in SweepContent.pm :)

In the next release there are 2 more new configuration options:
        Allow Partial Messages
        Allow External Message Bodies
Both are set to "no" by default. Use rulesets with them to just allow the
particular customers the abilities they want, while keeping everything safe
for everyone else.

>Thanks again Julian for MailScanner

My pleasure :-)
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From jkha at HPLB.HPL.HP.COM Thu Jan 23 17:03:57 2003
From: jkha at HPLB.HPL.HP.COM (John Hawkes-Reed)
Date: Thu Jan 12 21:17:03 2006
Subject: sendmail 8.12.7 squawking after MS 4.11-1 upgrade
References: <5.2.0.9.2.20030123123436.03d2c800@imap.ecs.soton.ac.uk>
Message-ID: <3E30207D.2010005@hplb.hpl.hp.com>

Julian Field wrote:
> At 12:24 23/01/2003, you wrote:
>
>> I am seeing the problem running version 4.05-3. I cannot find three
>> close()
>> calls in /opt/bin/mailscanner. Can you tell me exactly which file to
>> examine?
>
>
> 4.05 didn't contain these close() calls, it appears. So this definitely
> shouldn't be causing a problem. Any evidence of anything nasty happening,
> or is sendmail just being noisy?

I think I'd call randomly deleting body text 'nasty'.

(Mailscanner 4.11/sendmail 8.12.1/HP-UX 10.20)

Oh well, back to 3.x and a grovelling apology to the userbase...

From mailscanner at ecs.soton.ac.uk Thu Jan 23 17:06:35 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:03 2006
Subject: sendmail 8.12.7 squawking after MS 4.11-1 upgrade
In-Reply-To: <3E30207D.2010005@hplb.hpl.hp.com>
References: <5.2.0.9.2.20030123123436.03d2c800@imap.ecs.soton.ac.uk>
Message-ID: <5.2.0.9.2.20030123170337.099dc228@imap.ecs.soton.ac.uk>

At 17:03 23/01/2003, you wrote:
>Julian Field wrote:
>>At 12:24 23/01/2003, you wrote:
>>
>>>I am seeing the problem running version 4.05-3. I cannot find three
>>>close()
>>>calls in /opt/bin/mailscanner. Can you tell me exactly which file to
>>>examine?
>>
>>
>>4.05 didn't contain these close() calls, it appears. So this definitely
>>shouldn't be causing a problem. Any evidence of anything nasty happening,
>>or is sendmail just being noisy?
>
>I think I'd call randomly deleting body text 'nasty'.

This is the first time (in this thread) that you have mentioned that it is
definitely deleting body text. No-one else appears to have said (in this
thread) that it is deleting body text either.

Exactly what do you think is going on? Can you produce some evidence that
it is deleting body text?
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From Heinz.Knutzen at DZSH.DE Thu Jan 23 17:10:41 2003
From: Heinz.Knutzen at DZSH.DE (Knutzen, Heinz (DZ-SH))
Date: Thu Jan 12 21:17:03 2006
Subject: Some mails in outgoing queue don't get processed
Message-ID: <6C645222B0A8BC4FBFACD7606D4306A822FE1F@dzrz-ex-1.dzsh.landsh.de>

Hi,

since yesterday I have trouble with my sendmail/mailscanner setup:
Some mails remain in /var/spool/mqueue and don't get processed.
There are thousands of mails which get processed ok,
but I have about 70 mails with dates from yesterday to now
which stay in /var/spool/mqueue all the time.

When doing 'mailq', all 70 mails are shown.
But if I do a 'sendmail -v -q', only 1 or two recent mails are processed.
All of these qfiles have lines like

qfh0N1Ohvm007970:MDeferred: Connection refused by [10.48.242.10]
qfh0N6Okvm012640:MDeferred: Connection timed out with [10.107.64.10]

but currently there are now connection problems.
Restarting sendmail and removing /var/spool/mqueue/.hoststat/
doesn't help either.

Any ideas, how to get them delivered?

Version info:
mailscanner-4.05-3
sendmail-8.12.2-88

Best regards

-- Heinz Knutzen

Datenzentrale Schleswig-Holstein
Altenholzer Str. 10-14, 24161 Altenholz, Germany
http://www.dzsh.de/
mailto:heinz.knutzen@dzsh.de
Tel: +49.431.3295.6581 Fax: +49.431.3295.410

From mailscanner at ecs.soton.ac.uk Thu Jan 23 17:09:54 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:03 2006
Subject: Some mails in outgoing queue don't get processed
In-Reply-To: <6C645222B0A8BC4FBFACD7606D4306A822FE1F@dzrz-ex-1.dzsh.landsh.de>
Message-ID: <5.2.0.9.2.20030123170840.02e67ec0@imap.ecs.soton.ac.uk>

At 17:10 23/01/2003, you wrote:
>Hi,
>
>since yesterday I have trouble with my sendmail/mailscanner setup:
>Some mails remain in /var/spool/mqueue and don't get processed.
>There are thousands of mails which get processed ok,
>but I have about 70 mails with dates from yesterday to now
>which stay in /var/spool/mqueue all the time.
>
>When doing 'mailq', all 70 mails are shown.
>But if I do a 'sendmail -v -q', only 1 or two recent mails are processed.
>All of these qfiles have lines like
>
>qfh0N1Ohvm007970:MDeferred: Connection refused by [10.48.242.10]
>qfh0N6Okvm012640:MDeferred: Connection timed out with [10.107.64.10]
>
>but currently there are now connection problems.
>Restarting sendmail and removing /var/spool/mqueue/.hoststat/
>doesn't help either.
>
>Any ideas, how to get them delivered?

This is 100% a sendmail problem :-)

Have you tried (from your MailScanner host) typing "telnet 10.48.242.10 25"
and/or "telnet 10.107.64.10 25" to see if the connections really can't be made?

>Version info:
>mailscanner-4.05-3
>sendmail-8.12.2-88
>
>Best regards
>
>-- Heinz Knutzen
>
>Datenzentrale Schleswig-Holstein
>Altenholzer Str. 10-14, 24161 Altenholz, Germany
>http://www.dzsh.de/
>mailto:heinz.knutzen@dzsh.de
>Tel: +49.431.3295.6581 Fax: +49.431.3295.410

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From Heinz.Knutzen at DZSH.DE Thu Jan 23 17:17:03 2003
From: Heinz.Knutzen at DZSH.DE (Knutzen, Heinz (DZ-SH))
Date: Thu Jan 12 21:17:03 2006
Subject: Some mails in outgoing queue don't get processed
Message-ID: <6C645222B0A8BC4FBFACD7606D4306A8429E4B@dzrz-ex-1.dzsh.landsh.de>

> Have you tried (from your MailScanner host) typing "telnet
> 10.48.242.10 25"
> and/or "telnet 10.107.64.10 25" to see if the connections
> really can't be made?

Yes I have tried this recently and now again.
telnet to port 25 works.

Sure, it is a sendmail problem.
But I would like to ask anyway

Best regards

-- Heinz

From Heinz.Knutzen at DZSH.DE Thu Jan 23 17:20:16 2003
From: Heinz.Knutzen at DZSH.DE (Knutzen, Heinz (DZ-SH))
Date: Thu Jan 12 21:17:03 2006
Subject: Some mails in outgoing queue don't get processed
Message-ID: <6C645222B0A8BC4FBFACD7606D4306A8429E4C@dzrz-ex-1.dzsh.landsh.de>

And, if there would be a network problem,
doing a 'sendmail -v -q' would tell me about 70 tries
to deliver mail.
But my 'sendmail -v -q' say nothing,
although 70 mails are waiting.

From jkha at HPLB.HPL.HP.COM Thu Jan 23 17:27:06 2003
From: jkha at HPLB.HPL.HP.COM (John Hawkes-Reed)
Date: Thu Jan 12 21:17:03 2006
Subject: sendmail 8.12.7 squawking after MS 4.11-1 upgrade
References: <5.2.0.9.2.20030123123436.03d2c800@imap.ecs.soton.ac.uk> <5.2.0.9.2.20030123170337.099dc228@imap.ecs.soton.ac.uk>
Message-ID: <3E3025EA.30801@hplb.hpl.hp.com>

Julian Field wrote:
> At 17:03 23/01/2003, I wrote:

>> I think I'd call randomly deleting body text 'nasty'.
>
> This is the first time (in this thread) that you have mentioned that it is
> definitely deleting body text. No-one else appears to have said (in this
> thread) that it is deleting body text either.

(Un)lucky coincidence - I installed 4.11 today and was getting the
following in the log:

Jan 23 16:47:22 hplb Mailscanner: Virus and Content Scanning: Starting
Jan 23 16:47:22 hplb Mailscanner: New Batch: Found 2 messages waiting
Jan 23 16:47:22 hplb Mailscanner: New Batch: Scanning 1 messages, 4428 bytes
Jan 23 16:47:22 hplb sendmail[27333]: SYSERR(root): File descriptors missing on startup: stdout, stderr: Bad file number
Jan 23 16:47:22 hplb sendmail[27333]: NOQUEUE: 0: fl=0x0, mode=20666: CHR: dev=64/65539, ino=1680, nlink=1, u/gid=2/2, size=0
Jan 23 16:47:22 hplb sendmail[27333]: NOQUEUE: 1: fl=0x1, mode=20666: CHR: dev=64/65539, ino=1680, nlink=1, u/gid=2/2, size=0
Jan 23 16:47:22 hplb sendmail[27333]: NOQUEUE: 2: fl=0x1, mode=20666: CHR: dev=64/65539, ino=1680, nlink=1, u/gid=2/2, size=0
Jan 23 16:47:22 hplb sendmail[27333]: NOQUEUE: 3: fl=0x10001, mode=10666: FIFO: dev=64/65539, ino=1983, nlink=1, u/gid=0/0, size=2048

... So I had a poke through the list-archive and found this thread.

The rest of the log appeared to say that messages were being delivered
rather than dropped on the floor, so I didn't revert immediately.

> Exactly what do you think is going on? Can you produce some evidence that
> it is deleting body text?

[ Message excerpt follows ]

Date: Thu, 23 Jan 2003 16:45:18 -0000
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2653.19)
Content-Type: text/plain;
        charset="iso-8859-1"
X-MailScanner: Found to be clean

Error initialising detection engine - missing main virus data

ublin,
Edinburgh, Lisbon, London.

[ Rest of meeting request elided ]

I'll take a stab in the dark and guess that the one line is from Sophos.
It may well be that this is only going to happen when the AV code
attempts to report an internal error. (which should have gone to stderr?)

From billa at STERLING.NET Thu Jan 23 18:00:10 2003
From: billa at STERLING.NET (Bill Anderson)
Date: Thu Jan 12 21:17:03 2006
Subject: Console error messages...
Message-ID:

I just started getting the following errors this morning: Has anyone seen
this before?

We haven't got any child processes, which isn't right!, No child processes
at /usr/sbin/MailScanner line 191.
We have just tried to reap a process which wasn't one of ours!, No child
processes at /usr/sbin/MailScanner line 194.

From mailscanner at ecs.soton.ac.uk Thu Jan 23 18:20:35 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:03 2006
Subject: Console error messages...
In-Reply-To:
Message-ID: <5.2.0.9.2.20030123181954.027a99d0@imap.ecs.soton.ac.uk>

This is most commonly caused by syntax errors in your MailScanner.conf
file. Check your maillog for more information, it will hopefully tell you
why MailScanner cannot start properly.

At 18:00 23/01/2003, you wrote:
>I just started getting the following errors this morning: Has anyone seen
>this before?
>
>We haven't got any child processes, which isn't right!, No child processes
>at /usr/sbin/MailScanner line 191.
>We have just tried to reap a process which wasn't one of ours!, No child
>processes at /usr/sbin/MailScanner line 194.

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Thu Jan 23 18:19:43 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:03 2006
Subject: sendmail 8.12.7 squawking after MS 4.11-1 upgrade
In-Reply-To: <3E3025EA.30801@hplb.hpl.hp.com>
References: <5.2.0.9.2.20030123123436.03d2c800@imap.ecs.soton.ac.uk> <5.2.0.9.2.20030123170337.099dc228@imap.ecs.soton.ac.uk>
Message-ID: <5.2.0.9.2.20030123181646.025eab80@imap.ecs.soton.ac.uk>

At 17:27 23/01/2003, you wrote:
>Julian Field wrote:
>>At 17:03 23/01/2003, I wrote:
>
>>>I think I'd call randomly deleting body text 'nasty'.
>>
>>This is the first time (in this thread) that you have mentioned that it is
>>definitely deleting body text. No-one else appears to have said (in this
>>thread) that it is deleting body text either.
>
>(Un)lucky coincidence - I installed 4.11 today and was getting the
>following in the log:
>
>Jan 23 16:47:22 hplb Mailscanner: Virus and Content Scanning: Starting
>Jan 23 16:47:22 hplb Mailscanner: New Batch: Found 2 messages waiting
>Jan 23 16:47:22 hplb Mailscanner: New Batch: Scanning 1 messages, 4428 bytes
>Jan 23 16:47:22 hplb sendmail[27333]: SYSERR(root): File descriptors
>missing on startup: stdout, stderr: Bad file number
>Jan 23 16:47:22 hplb sendmail[27333]: NOQUEUE: 0: fl=0x0, mode=20666:
>CHR: dev=64/65539, ino=1680, nlink=1, u/gid=2/2, size=0
>Jan 23 16:47:22 hplb sendmail[27333]: NOQUEUE: 1: fl=0x1, mode=20666:
>CHR: dev=64/65539, ino=1680, nlink=1, u/gid=2/2, size=0
>Jan 23 16:47:22 hplb sendmail[27333]: NOQUEUE: 2: fl=0x1, mode=20666:
>CHR: dev=64/65539, ino=1680, nlink=1, u/gid=2/2, size=0
>Jan 23 16:47:22 hplb sendmail[27333]: NOQUEUE: 3: fl=0x10001,
>mode=10666: FIFO: dev=64/65539, ino=1983, nlink=1, u/gid=0/0, size=2048

This still only appears to happen on some OS's.
In 4.11 you can try commenting out the 3 close() calls in
/usr/sbin/MailScanner. I need to re-open these filehandles and tie them to
/dev/null to keep sendmail happy.

>... So I had a poke through the list-archive and found this thread.
>
>The rest of the log appeared to say that messages were being delivered
>rather than dropped on the floor, so I didn't revert immediately.
>
>>Exactly what do you think is going on? Can you produce some evidence that
>>it is deleting body text?
>
>[ Message excerpt follows ]
>
>Date: Thu, 23 Jan 2003 16:45:18 -0000
>MIME-Version: 1.0
>X-Mailer: Internet Mail Service (5.5.2653.19)
>Content-Type: text/plain;
>        charset="iso-8859-1"
>X-MailScanner: Found to be clean
>
>Error initialising detection engine - missing main virus data

That is Sophos failing to work properly. Did you install it using
Sophos.install?
Does
         /usr/lib/MailScanner/sophos-wrapper .
correctly scan the current directory?
(don't forget the "." on the end of the command above)

>ublin,
>Edinburgh, Lisbon, London.
>
>[ Rest of meeting request elided ]
>
>I'll take a stab in the dark and guess that the one line is from Sophos.
>It may well be that this is only going to happen when the AV code
>attempts to report an internal error. (which should have gone to stderr?)

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Thu Jan 23 18:16:04 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:03 2006
Subject: Some mails in outgoing queue don't get processed
In-Reply-To: <6C645222B0A8BC4FBFACD7606D4306A8429E4C@dzrz-ex-1.dzsh.landsh.de>
Message-ID: <5.2.0.9.2.20030123181508.025eace8@imap.ecs.soton.ac.uk>

At 17:20 23/01/2003, you wrote:
>And, if there would be a network problem,
>doing a 'sendmail -v -q' would tell me about 70 tries
>to deliver mail.
>But my 'sendmail -v -q' say nothing,
>although 70 mails are waiting.

Does it even show that it has thought about delivering them?
Sendmail has a limit on the number of queue runners it allows at any time,
so it might possibly do nothing whatsoever when you run another one.

> > -----Original Message-----
> > From: Knutzen, Heinz (DZ-SH) > > Sent: Thursday, January 23, 2003 6:17 PM > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: Re: Some mails in outgoing queue don't get processed > > > > > > > Have you tried (from your MailScanner host) typing "telnet > > > 10.48.242.10 25" > > > and/or "telnet 10.107.64.10 25" to see if the connections > > > really can't be made? > > > > Yes I have tried this recently and now again. > > telnet to port 25 works. > > > > Shure, it is a sendmail problem. > > But I would like to ask anyway > > > > Viele Gr??e > > > > -- Heinz > > > > > > > -----Original Message----- 
> > > From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] > > > Sent: Thursday, January 23, 2003 6:10 PM > > > To: MAILSCANNER@JISCMAIL.AC.UK > > > Subject: Re: Some mails in outgoing queue don't get processed > > > > > > > > > At 17:10 23/01/2003, you wrote: > > > >Hi, > > > > > > > >since yesterday I have trouble with my sendmail/mailscanner setup: > > > >Some mails remain in /var/spool/mqueue and don't get processed. > > > >There are thousands of mails which get processed ok, > > > >but I have about 70 mails with dates from yesterday to now > > > >which stay in /var/spool/mqueue all the time. > > > > > > > >When doing 'mailq', all 70 mails are shown. > > > >But if I do a 'sendmail -v -q', only 1 or two recent mails > > > are processed. > > > >All of these qfiles have lines like > > > > > > > >qfh0N1Ohvm007970:MDeferred: Connection refused by [10.48.242.10] > > > >qfh0N6Okvm012640:MDeferred: Connection timed out with > > [10.107.64.10] > > > > > > > >but currently there are now connection problems. > > > >Restarting sendmail and removing /var/spool/mqueue/.hoststat/ > > > >doesn't help either. > > > > > > > >Any ideas, how to get them delivered? > > > > > > This is 100% a sendmail problem :-) > > > > > > Have you tried (from your MailScanner host) typing "telnet > > > 10.48.242.10 25" > > > and/or "telnet 10.107.64.10 25" to see if the connections > > > really can't be made? > > > > > > > > > >Version info: > > > >mailscanner-4.05-3 > > > >sendmail-8.12.2-88 > > > > > > > >Viele Gr??e > > > > > > > >-- Heinz Knutzen > > > > > > > >Datenzentrale Schleswig-Holstein > > > >Altenholzer Str. 
10-14, 24161 Altenholz, Germany > > > >http://www.dzsh.de/ > > > >mailto:heinz.knutzen@dzsh.de > > > >Tel: +49.431.3295.6581 Fax: +49.431.3295.410 > > > > > > -- > > > Julian Field > > > www.MailScanner.info > > > MailScanner thanks transtec Computers for their support > > > > > > -- > > > Diese Mail wurde durch die Datenzentrale Schleswig-Holstein > > > maschinell auf Viren und gef?hrliche Inhalte untersucht. > > > > > > > > -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Thu Jan 23 18:48:47 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:03 2006 Subject: sendmail 8.12.7 squawking after MS 4.11-1 upgrade In-Reply-To: <3E3025EA.30801@hplb.hpl.hp.com> References: <5.2.0.9.2.20030123123436.03d2c800@imap.ecs.soton.ac.uk> <5.2.0.9.2.20030123170337.099dc228@imap.ecs.soton.ac.uk> Message-ID: <5.2.0.9.2.20030123184642.02508f68@imap.ecs.soton.ac.uk> I can't reproduce the problem myself, so I've to take an educated guess at how to solve it. Please can you try this patch to the main /usr/sbin/MailScanner script (or /opt/MailScanner/bin/MailScanner). Let me know if this helps. --- /usr/sbin/MailScanner Sun Jan 19 12:39:20 2003 +++ MailScanner Thu Jan 23 19:56:35 2003 @@ -37,6 +37,7 @@ require 5.005; use FileHandle; +use IO::Handle; use MailScanner::Config; use MailScanner::CustomConfig; use MailScanner::Lock; 
@@ -261,6 +262,16 @@ # If we are debugging, then just run once. # sub WorkForHours { + # Re-open the stdin, stdout and stderr file descriptors for + # sendmail's benefit. Should stop it squawking! + my($io0, $io1, $io2); + $io0 = new IO::Handle; + $io1 = new IO::Handle; + $io2 = new IO::Handle; + $io0->fdopen(fileno(STDIN), "r")); + $io1->fdopen(fileno(STDOUT),"w")); + $io2->fdopen(fileno(STDERR),"w")); + # Read the configuration file and start logging to syslog/stderr StartLogging($ConfFile); At 17:27 23/01/2003, you wrote: >Julian Field wrote: >>At 17:03 23/01/2003, I wrote: > >>>I think I'd call randomly deleting body text 'nasty'. >> >>This is the first time (in this thread) that you have mentioned that it is >>definitely deleting body text. No-one else appears to have said (in this >>thread) that it is deleting body text either. > >(Un)lucky coincidence - I installed 4.11 today and was getting the >following in the log: > >Jan 23 16:47:22 hplb Mailscanner: Virus and Content Scanning: Starting >Jan 23 16:47:22 hplb Mailscanner: New Batch: Found 2 messages waiting >Jan 23 16:47:22 hplb Mailscanner: New Batch: Scanning 1 messages, 4428 bytes >Jan 23 16:47:22 hplb sendmail[27333]: SYSERR(root): File descriptors >missing on startup: stdout, stderr: Bad file number >Jan 23 16:47:22 hplb sendmail[27333]: NOQUEUE: 0: fl=0x0, mode=20666: >CHR: dev=64/65539, ino=1680, nlink=1, u/gid=2/2, size=0 >Jan 23 16:47:22 hplb sendmail[27333]: NOQUEUE: 1: fl=0x1, mode=20666: >CHR: dev=64/65539, ino=1680, nlink=1, u/gid=2/2, size=0 >Jan 23 16:47:22 hplb sendmail[27333]: NOQUEUE: 2: fl=0x1, mode=20666: >CHR: dev=64/65539, ino=1680, nlink=1, u/gid=2/2, size=0 >Jan 23 16:47:22 hplb sendmail[27333]: NOQUEUE: 3: fl=0x10001, >mode=10666: FIFO: dev=64/65539, ino=1983, nlink=1, u/gid=0/0, size=2048 > >... So I had a poke through the list-archive and found this thread. 
> >The rest of the log appeared to say that messages were being delivered >rather than dropped on the floor, so I didn't revert immediately. > >>Exactly what do you think is going on? Can you produce some evidence that >>it is deleting body text? > >[ Message excerpt follows ] > >Date: Thu, 23 Jan 2003 16:45:18 -0000 >MIME-Version: 1.0 >X-Mailer: Internet Mail Service (5.5.2653.19) >Content-Type: text/plain; > charset="iso-8859-1" >X-MailScanner: Found to be clean > >Error initialising detection engine - missing main virus data > >ublin, >Edinburgh, Lisbon, London. > >[ Rest of meeting request elided ] > >I'll take a stab in the dark and guess that the one line is from Sophos. >It may well be that this is only going to happen when the AV code >attempts to report an internal error. (which should have gone to stderr?) -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From JeremyE at BSA.CA.GOV Thu Jan 23 19:12:51 2003 From: JeremyE at BSA.CA.GOV (Jeremy Evans) Date: Thu Jan 12 21:17:03 2006 Subject: sendmail 8.12.7 squawking after MS 4.11-1 upgrade Message-ID: <2739ECF7268CD0118F50080009DCC9F00156DB25@pebble.bsa.ca.gov> Shouldn't: + $io0->fdopen(fileno(STDIN), "r")); + $io1->fdopen(fileno(STDOUT),"w")); + $io2->fdopen(fileno(STDERR),"w")); be: + $io0->fdopen(fileno(STDIN), "r"); + $io1->fdopen(fileno(STDOUT),"w"); + $io2->fdopen(fileno(STDERR),"w"); in the patch? -----Original Message----- From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] Sent: Thursday, January 23, 2003 10:49 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: sendmail 8.12.7 squawking after MS 4.11-1 upgrade I can't reproduce the problem myself, so I've to take an educated guess at how to solve it. Please can you try this patch to the main /usr/sbin/MailScanner script (or /opt/MailScanner/bin/MailScanner). Let me know if this helps. --- /usr/sbin/MailScanner Sun Jan 19 12:39:20 2003 +++ MailScanner Thu Jan 23 19:56:35 2003 
@@ -37,6 +37,7 @@ require 5.005; use FileHandle; +use IO::Handle; use MailScanner::Config; use MailScanner::CustomConfig; use MailScanner::Lock; 
@@ -261,6 +262,16 @@ # If we are debugging, then just run once. # sub WorkForHours { + # Re-open the stdin, stdout and stderr file descriptors for + # sendmail's benefit. Should stop it squawking! + my($io0, $io1, $io2); + $io0 = new IO::Handle; + $io1 = new IO::Handle; + $io2 = new IO::Handle; + $io0->fdopen(fileno(STDIN), "r")); + $io1->fdopen(fileno(STDOUT),"w")); + $io2->fdopen(fileno(STDERR),"w")); + # Read the configuration file and start logging to syslog/stderr StartLogging($ConfFile); At 17:27 23/01/2003, you wrote: >Julian Field wrote: >>At 17:03 23/01/2003, I wrote: > >>>I think I'd call randomly deleting body text 'nasty'. >> >>This is the first time (in this thread) that you have mentioned that it is >>definitely deleting body text. No-one else appears to have said (in this >>thread) that it is deleting body text either. > >(Un)lucky coincidence - I installed 4.11 today and was getting the >following in the log: > >Jan 23 16:47:22 hplb Mailscanner: Virus and Content Scanning: Starting >Jan 23 16:47:22 hplb Mailscanner: New Batch: Found 2 messages waiting >Jan 23 16:47:22 hplb Mailscanner: New Batch: Scanning 1 messages, 4428 bytes >Jan 23 16:47:22 hplb sendmail[27333]: SYSERR(root): File descriptors >missing on startup: stdout, stderr: Bad file number >Jan 23 16:47:22 hplb sendmail[27333]: NOQUEUE: 0: fl=0x0, mode=20666: >CHR: dev=64/65539, ino=1680, nlink=1, u/gid=2/2, size=0 >Jan 23 16:47:22 hplb sendmail[27333]: NOQUEUE: 1: fl=0x1, mode=20666: >CHR: dev=64/65539, ino=1680, nlink=1, u/gid=2/2, size=0 >Jan 23 16:47:22 hplb sendmail[27333]: NOQUEUE: 2: fl=0x1, mode=20666: >CHR: dev=64/65539, ino=1680, nlink=1, u/gid=2/2, size=0 >Jan 23 16:47:22 hplb sendmail[27333]: NOQUEUE: 3: fl=0x10001, >mode=10666: FIFO: dev=64/65539, ino=1983, nlink=1, u/gid=0/0, size=2048 > >... So I had a poke through the list-archive and found this thread. 
> >The rest of the log appeared to say that messages were being delivered >rather than dropped on the floor, so I didn't revert immediately. > >>Exactly what do you think is going on? Can you produce some evidence that >>it is deleting body text? > >[ Message excerpt follows ] > >Date: Thu, 23 Jan 2003 16:45:18 -0000 >MIME-Version: 1.0 >X-Mailer: Internet Mail Service (5.5.2653.19) >Content-Type: text/plain; > charset="iso-8859-1" >X-MailScanner: Found to be clean > >Error initialising detection engine - missing main virus data > >ublin, >Edinburgh, Lisbon, London. > >[ Rest of meeting request elided ] > >I'll take a stab in the dark and guess that the one line is from Sophos. >It may well be that this is only going to happen when the AV code >attempts to report an internal error. (which should have gone to stderr?) -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Thu Jan 23 19:20:55 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:03 2006 Subject: sendmail 8.12.7 squawking after MS 4.11-1 upgrade In-Reply-To: <2739ECF7268CD0118F50080009DCC9F00156DB25@pebble.bsa.ca.gov > Message-ID: <5.2.0.9.2.20030123191833.024ec188@imap.ecs.soton.ac.uk> Oops, you're right of course. Must remember not to code with one hand while drinking wine with the other :-) Revised patch is below... At 19:12 23/01/2003, you wrote: >Shouldn't: > >+ $io0->fdopen(fileno(STDIN), "r")); >+ $io1->fdopen(fileno(STDOUT),"w")); >+ $io2->fdopen(fileno(STDERR),"w")); > >be: > >+ $io0->fdopen(fileno(STDIN), "r"); >+ $io1->fdopen(fileno(STDOUT),"w"); >+ $io2->fdopen(fileno(STDERR),"w"); > >in the patch? Revised patch is --- /usr/sbin/MailScanner Sun Jan 19 12:39:20 2003 +++ MailScanner Thu Jan 23 19:56:35 2003 @@ -37,6 +37,7 @@ require 5.005; use FileHandle; +use IO::Handle; use MailScanner::Config; use MailScanner::CustomConfig; use MailScanner::Lock; 
@@ -261,6 +262,16 @@ # If we are debugging, then just run once. # sub WorkForHours { + # Re-open the stdin, stdout and stderr file descriptors for + # sendmail's benefit. Should stop it squawking! + my($io0, $io1, $io2); + $io0 = new IO::Handle; + $io1 = new IO::Handle; + $io2 = new IO::Handle; + $io0->fdopen(fileno(STDIN), "r"); + $io1->fdopen(fileno(STDOUT),"w"); + $io2->fdopen(fileno(STDERR),"w"); + # Read the configuration file and start logging to syslog/stderr StartLogging($ConfFile); -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From JeremyE at BSA.CA.GOV Thu Jan 23 19:49:23 2003 From: JeremyE at BSA.CA.GOV (Jeremy Evans) Date: Thu Jan 12 21:17:03 2006 Subject: sendmail 8.12.7 squawking after MS 4.11-1 upgrade Message-ID: <2739ECF7268CD0118F50080009DCC9F00156DB26@pebble.bsa.ca.gov> Unfortunately, after applying the patch, I'm still getting the error: sendmail[30488]: File descriptors missing on startup: stderr; Bad file descriptor This is on an OpenBSD 3.2 box. I rebooted the machine beforehand, and still got the error when I sent a message. Then I killed MailScanner and sent a message, without getting an error (so it goes into mqueue.in without problems). When I restarted MailScanner, I got the error shortly thereafter (probably when it transfers the mail back to sendmail to send out). I haven't had a problem with mail being modified or deleted (except when it is supposed to, i.e. bad attachment filename), so the message is more of an annoyance than anything else. Still, it would be nice to get rid of it. Jeremy Evans Information Systems Analyst California State Auditor 916-445-0255 phone 916-322-7801 fax -----Original Message----- 
From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] Sent: Thursday, January 23, 2003 11:21 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: sendmail 8.12.7 squawking after MS 4.11-1 upgrade Oops, you're right of course. Must remember not to code with one hand while drinking wine with the other :-) Revised patch is below... At 19:12 23/01/2003, you wrote: >Shouldn't: > >+ $io0->fdopen(fileno(STDIN), "r")); >+ $io1->fdopen(fileno(STDOUT),"w")); >+ $io2->fdopen(fileno(STDERR),"w")); > >be: > >+ $io0->fdopen(fileno(STDIN), "r"); >+ $io1->fdopen(fileno(STDOUT),"w"); >+ $io2->fdopen(fileno(STDERR),"w"); > >in the patch? Revised patch is --- /usr/sbin/MailScanner Sun Jan 19 12:39:20 2003 +++ MailScanner Thu Jan 23 19:56:35 2003 @@ -37,6 +37,7 @@ require 5.005; use FileHandle; +use IO::Handle; use MailScanner::Config; use MailScanner::CustomConfig; use MailScanner::Lock; @@ -261,6 +262,16 @@ # If we are debugging, then just run once. # sub WorkForHours { + # Re-open the stdin, stdout and stderr file descriptors for + # sendmail's benefit. Should stop it squawking! + my($io0, $io1, $io2); + $io0 = new IO::Handle; + $io1 = new IO::Handle; + $io2 = new IO::Handle; + $io0->fdopen(fileno(STDIN), "r"); + $io1->fdopen(fileno(STDOUT),"w"); + $io2->fdopen(fileno(STDERR),"w"); + # Read the configuration file and start logging to syslog/stderr StartLogging($ConfFile); -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Thu Jan 23 19:59:57 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:03 2006 Subject: sendmail 8.12.7 squawking after MS 4.11-1 upgrade In-Reply-To: <2739ECF7268CD0118F50080009DCC9F00156DB26@pebble.bsa.ca.gov > Message-ID: <5.2.0.9.2.20030123195917.0296d890@imap.ecs.soton.ac.uk> At 19:49 23/01/2003, you wrote: >Unfortunately, after applying the patch, I'm still getting the error: > >sendmail[30488]: File descriptors missing on startup: stderr; Bad file >descriptor Does it still produce the errors about stdin and stdout as well? >This is on an OpenBSD 3.2 box. I rebooted the machine beforehand, and still >got the error when I sent a message. Then I killed MailScanner and sent a >message, without getting an error (so it goes into mqueue.in without >problems). When I restarted MailScanner, I got the error shortly thereafter >(probably when it transfers the mail back to sendmail to send out). I >haven't had a problem with mail being modified or deleted (except when it is >supposed to, i.e. bad attachment filename), so the message is more of an >annoyance than anything else. Still, it would be nice to get rid of it. > >Jeremy Evans >Information Systems Analyst >California State Auditor >916-445-0255 phone >916-322-7801 fax > > >-----Original Message----- 
>From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] >Sent: Thursday, January 23, 2003 11:21 AM >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Re: sendmail 8.12.7 squawking after MS 4.11-1 upgrade > > >Oops, you're right of course. >Must remember not to code with one hand while drinking wine with the other >:-) >Revised patch is below... > >At 19:12 23/01/2003, you wrote: > >Shouldn't: > > > >+ $io0->fdopen(fileno(STDIN), "r")); > >+ $io1->fdopen(fileno(STDOUT),"w")); > >+ $io2->fdopen(fileno(STDERR),"w")); > > > >be: > > > >+ $io0->fdopen(fileno(STDIN), "r"); > >+ $io1->fdopen(fileno(STDOUT),"w"); > >+ $io2->fdopen(fileno(STDERR),"w"); > > > >in the patch? > >Revised patch is > >--- /usr/sbin/MailScanner Sun Jan 19 12:39:20 2003 >+++ MailScanner Thu Jan 23 19:56:35 2003 >@@ -37,6 +37,7 @@ > require 5.005; > > use FileHandle; >+use IO::Handle; > use MailScanner::Config; > use MailScanner::CustomConfig; > use MailScanner::Lock; >@@ -261,6 +262,16 @@ > # If we are debugging, then just run once. > # > sub WorkForHours { >+ # Re-open the stdin, stdout and stderr file descriptors for >+ # sendmail's benefit. Should stop it squawking! >+ my($io0, $io1, $io2); >+ $io0 = new IO::Handle; >+ $io1 = new IO::Handle; >+ $io2 = new IO::Handle; >+ $io0->fdopen(fileno(STDIN), "r"); >+ $io1->fdopen(fileno(STDOUT),"w"); >+ $io2->fdopen(fileno(STDERR),"w"); >+ > # Read the configuration file and start logging to syslog/stderr > StartLogging($ConfFile); > >-- >Julian Field >www.MailScanner.info >MailScanner thanks transtec Computers for their support -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From JeremyE at BSA.CA.GOV Thu Jan 23 20:06:43 2003 
From: JeremyE at BSA.CA.GOV (Jeremy Evans) Date: Thu Jan 12 21:17:03 2006 Subject: sendmail 8.12.7 squawking after MS 4.11-1 upgrade Message-ID: <2739ECF7268CD0118F50080009DCC9F00235D2A4@pebble.bsa.ca.gov> Nope, I've only been getting the messages about stderr (same error both before and after the patch). -----Original Message----- From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] Sent: Thursday, January 23, 2003 12:00 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: sendmail 8.12.7 squawking after MS 4.11-1 upgrade At 19:49 23/01/2003, you wrote: >Unfortunately, after applying the patch, I'm still getting the error: > >sendmail[30488]: File descriptors missing on startup: stderr; Bad file >descriptor Does it still produce the errors about stdin and stdout as well? >This is on an OpenBSD 3.2 box. I rebooted the machine beforehand, and still >got the error when I sent a message. Then I killed MailScanner and sent a >message, without getting an error (so it goes into mqueue.in without >problems). When I restarted MailScanner, I got the error shortly thereafter >(probably when it transfers the mail back to sendmail to send out). I >haven't had a problem with mail being modified or deleted (except when it is >supposed to, i.e. bad attachment filename), so the message is more of an >annoyance than anything else. Still, it would be nice to get rid of it. > >Jeremy Evans >Information Systems Analyst >California State Auditor >916-445-0255 phone >916-322-7801 fax > > >-----Original Message----- 
>From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] >Sent: Thursday, January 23, 2003 11:21 AM >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Re: sendmail 8.12.7 squawking after MS 4.11-1 upgrade > > >Oops, you're right of course. >Must remember not to code with one hand while drinking wine with the other >:-) >Revised patch is below... > >At 19:12 23/01/2003, you wrote: > >Shouldn't: > > > >+ $io0->fdopen(fileno(STDIN), "r")); > >+ $io1->fdopen(fileno(STDOUT),"w")); > >+ $io2->fdopen(fileno(STDERR),"w")); > > > >be: > > > >+ $io0->fdopen(fileno(STDIN), "r"); > >+ $io1->fdopen(fileno(STDOUT),"w"); > >+ $io2->fdopen(fileno(STDERR),"w"); > > > >in the patch? > >Revised patch is > >--- /usr/sbin/MailScanner Sun Jan 19 12:39:20 2003 >+++ MailScanner Thu Jan 23 19:56:35 2003 >@@ -37,6 +37,7 @@ > require 5.005; > > use FileHandle; >+use IO::Handle; > use MailScanner::Config; > use MailScanner::CustomConfig; > use MailScanner::Lock; >@@ -261,6 +262,16 @@ > # If we are debugging, then just run once. > # > sub WorkForHours { >+ # Re-open the stdin, stdout and stderr file descriptors for >+ # sendmail's benefit. Should stop it squawking! >+ my($io0, $io1, $io2); >+ $io0 = new IO::Handle; >+ $io1 = new IO::Handle; >+ $io2 = new IO::Handle; >+ $io0->fdopen(fileno(STDIN), "r"); >+ $io1->fdopen(fileno(STDOUT),"w"); >+ $io2->fdopen(fileno(STDERR),"w"); >+ > # Read the configuration file and start logging to syslog/stderr > StartLogging($ConfFile); > >-- >Julian Field >www.MailScanner.info >MailScanner thanks transtec Computers for their support -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From Denis.Beauchemin at USHERBROOKE.CA Thu Jan 23 21:47:07 2003 
From: Denis.Beauchemin at USHERBROOKE.CA (Denis Beauchemin)
Date: Thu Jan 12 21:17:03 2006
Subject: Console error messages...
In-Reply-To:
References:
Message-ID: <1043358427.1219.756.camel@dbeauchemin.si.usherbrooke.ca>

Isn't it the problem that was solved in 4.11-1? I used to have those
messages but they disappeared with 4.11-1.

Denis

On Thu 23/01/2003 at 15:45, Bill Anderson wrote:
> I have pored over my Mailscanner.conf file and have not found anything.
> The file was changed yesterday, however, the error did not pop up until this
> morning. Mailscanner was restarted and it ran fine for about 30 minutes and
> then got the same error. I restarted it again and it has been running fine
> for the past 3 hours.
>
> Should I be checking somewhere else?
>
>
> > -----Original Message-----
> > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On
> > Behalf Of Julian Field
> > Sent: Thursday, January 23, 2003 10:21 AM
> > To: MAILSCANNER@JISCMAIL.AC.UK
> > Subject: Re: Console error messages...
> >
> >
> > This is most commonly caused by syntax errors in your MailScanner.conf
> > file. Check your maillog for more information, it will hopefully tell you
> > why MailScanner cannot start properly.
> >
> > At 18:00 23/01/2003, you wrote:
> > >I just started getting the following errors this morning: Has anyone seen
> > >this before?
> > >
> > >We haven't got any child processes, which isn't right!, No child processes
> > >at /usr/sbin/MailScanner line 191.
> > >We have just tried to reap a process which wasn't one of ours!, No child
> > >processes at /usr/sbin/MailScanner line 194.
> >
> > --
> > Julian Field
> > www.MailScanner.info
> > MailScanner thanks transtec Computers for their support
> >

--
Denis Beauchemin, analyst
Université de Sherbrooke, S.T.I.
T: 819.821.8000x2252 F: 819.821.8045

From mailscanner at ecs.soton.ac.uk Thu Jan 23 21:47:32 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:03 2006 Subject: sendmail 8.12.7 squawking after MS 4.11-1 upgrade In-Reply-To: <2739ECF7268CD0118F50080009DCC9F00235D2A4@pebble.bsa.ca.gov > Message-ID: <5.2.0.9.2.20030123214432.029eebc0@imap.ecs.soton.ac.uk> Right. I've built 8.12.7 and managed to reproduce the problem. I appear to have a solution, which closes the filehandles to break the connection with the tty, and re-opens them after all the daemonising has been done. Instead of the last patch, try applying this one: (and yes, I know it looks dead simple, but it has taken hours to get right :-) --- /usr/sbin/MailScanner Sun Jan 19 12:39:20 2003 +++ MailScanner Thu Jan 23 22:53:48 2003 @@ -37,6 +37,7 @@ require 5.005; use FileHandle; +use IO::Handle; use MailScanner::Config; use MailScanner::CustomConfig; use MailScanner::Lock; @@ -261,6 +262,12 @@ # If we are debugging, then just run once. # sub WorkForHours { + # Re-open the stdin, stdout and stderr file descriptors for + # sendmail's benefit. Should stop it squawking! + open(STDIN, "/dev/null"); + open(STDERR, ">/dev/null"); + # Read the configuration file and start logging to syslog/stderr StartLogging($ConfFile); At 20:06 23/01/2003, you wrote: >Nope, I've only been getting the messages about stderr (same error both >before and after the patch). > >-----Original Message----- 
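Review bot: The first hunk still adds "use IO::Handle;", but the WorkForHours hunk in this version no longer creates any IO::Handle objects and only calls the built-in open(). Drop the import unless something outside the visible lines needs it.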
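Review bot: The comment in the WorkForHours hunk names stdin, stdout and stderr, but the visible additions reopen only STDIN and STDERR, and the header "@@ -261,6 +262,12 @@" promises six added lines where five are shown, so a line appears to be missing from this copy. The STDIN open also carries no mode character, and neither open() result is checked. Confirm that STDOUT is reopened on /dev/null as well, give STDIN an explicit read mode, and test each call so that a failure is logged before sendmail is next invoked.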
>From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] >Sent: Thursday, January 23, 2003 12:00 PM >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Re: sendmail 8.12.7 squawking after MS 4.11-1 upgrade > > >At 19:49 23/01/2003, you wrote: > >Unfortunately, after applying the patch, I'm still getting the error: > > > >sendmail[30488]: File descriptors missing on startup: stderr; Bad file > >descriptor > >Does it still produce the errors about stdin and stdout as well? > > >This is on an OpenBSD 3.2 box. I rebooted the machine beforehand, and >still > >got the error when I sent a message. Then I killed MailScanner and sent a > >message, without getting an error (so it goes into mqueue.in without > >problems). When I restarted MailScanner, I got the error shortly >thereafter > >(probably when it transfers the mail back to sendmail to send out). I > >haven't had a problem with mail being modified or deleted (except when it >is > >supposed to, i.e. bad attachment filename), so the message is more of an > >annoyance than anything else. Still, it would be nice to get rid of it. > > > >Jeremy Evans > >Information Systems Analyst > >California State Auditor > >916-445-0255 phone > >916-322-7801 fax > > > > > >-----Original Message----- 
> >From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] > >Sent: Thursday, January 23, 2003 11:21 AM > >To: MAILSCANNER@JISCMAIL.AC.UK > >Subject: Re: sendmail 8.12.7 squawking after MS 4.11-1 upgrade > > > > > >Oops, you're right of course. > >Must remember not to code with one hand while drinking wine with the other > >:-) > >Revised patch is below... > > > >At 19:12 23/01/2003, you wrote: > > >Shouldn't: > > > > > >+ $io0->fdopen(fileno(STDIN), "r")); > > >+ $io1->fdopen(fileno(STDOUT),"w")); > > >+ $io2->fdopen(fileno(STDERR),"w")); > > > > > >be: > > > > > >+ $io0->fdopen(fileno(STDIN), "r"); > > >+ $io1->fdopen(fileno(STDOUT),"w"); > > >+ $io2->fdopen(fileno(STDERR),"w"); > > > > > >in the patch? > > > >Revised patch is > > > >--- /usr/sbin/MailScanner Sun Jan 19 12:39:20 2003 > >+++ MailScanner Thu Jan 23 19:56:35 2003 > >@@ -37,6 +37,7 @@ > > require 5.005; > > > > use FileHandle; > >+use IO::Handle; > > use MailScanner::Config; > > use MailScanner::CustomConfig; > > use MailScanner::Lock; > >@@ -261,6 +262,16 @@ > > # If we are debugging, then just run once. > > # > > sub WorkForHours { > >+ # Re-open the stdin, stdout and stderr file descriptors for > >+ # sendmail's benefit. Should stop it squawking! > >+ my($io0, $io1, $io2); > >+ $io0 = new IO::Handle; > >+ $io1 = new IO::Handle; > >+ $io2 = new IO::Handle; > >+ $io0->fdopen(fileno(STDIN), "r"); > >+ $io1->fdopen(fileno(STDOUT),"w"); > >+ $io2->fdopen(fileno(STDERR),"w"); > >+ > > # Read the configuration file and start logging to syslog/stderr > > StartLogging($ConfFile); > > > >-- > >Julian Field > >www.MailScanner.info > >MailScanner thanks transtec Computers for their support > >-- >Julian Field >www.MailScanner.info >MailScanner thanks transtec Computers for their support -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Thu Jan 23 22:07:51 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:03 2006
Subject: Console error messages...
In-Reply-To:
References: <5.2.0.9.2.20030123181954.027a99d0@imap.ecs.soton.ac.uk>
Message-ID: <5.2.0.9.2.20030123220708.02915820@imap.ecs.soton.ac.uk>

Take a good look at your maillog whenever it starts producing the error to
see if it contains any useful info.

At 20:45 23/01/2003, you wrote:
>I have pored over my Mailscanner.conf file and have not found anything.
>The file was changed yesterday, however, the error did not pop up until this
>morning. Mailscanner was restarted and it ran fine for about 30 minutes and
>then got the same error. I restarted it again and it has been running fine
>for the past 3 hours.
>
>Should I be checking somewhere else?
>
>
> > -----Original Message-----
> > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On
> > Behalf Of Julian Field
> > Sent: Thursday, January 23, 2003 10:21 AM
> > To: MAILSCANNER@JISCMAIL.AC.UK
> > Subject: Re: Console error messages...
> >
> >
> > This is most commonly caused by syntax errors in your MailScanner.conf
> > file. Check your maillog for more information, it will hopefully tell you
> > why MailScanner cannot start properly.
> >
> > At 18:00 23/01/2003, you wrote:
> > >I just started getting the following errors this morning: Has anyone seen
> > >this before?
> > >
> > >We haven't got any child processes, which isn't right!, No child processes
> > >at /usr/sbin/MailScanner line 191.
> > >We have just tried to reap a process which wasn't one of ours!, No child
> > >processes at /usr/sbin/MailScanner line 194.
> >
> > --
> > Julian Field
> > www.MailScanner.info
> > MailScanner thanks transtec Computers for their support
> >

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From JeremyE at BSA.CA.GOV Thu Jan 23 22:09:00 2003
From: JeremyE at BSA.CA.GOV (Jeremy Evans) Date: Thu Jan 12 21:17:03 2006 Subject: sendmail 8.12.7 squawking after MS 4.11-1 upgrade Message-ID: <2739ECF7268CD0118F50080009DCC9F00235D2A5@pebble.bsa.ca.gov> This new patch works on my OpenBSD 3.2 box (sendmail 8.12.6, MailScanner 4.11-1). No more annoying messages. Thank you very much. -----Original Message----- From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] Sent: Thursday, January 23, 2003 1:48 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: sendmail 8.12.7 squawking after MS 4.11-1 upgrade Right. I've built 8.12.7 and managed to reproduce the problem. I appear to have a solution, which closes the filehandles to break the connection with the tty, and re-opens them after all the daemonising has been done. Instead of the last patch, try applying this one: (and yes, I know it looks dead simple, but it has taken hours to get right :-) --- /usr/sbin/MailScanner Sun Jan 19 12:39:20 2003 +++ MailScanner Thu Jan 23 22:53:48 2003 @@ -37,6 +37,7 @@ require 5.005; use FileHandle; +use IO::Handle; use MailScanner::Config; use MailScanner::CustomConfig; use MailScanner::Lock; @@ -261,6 +262,12 @@ # If we are debugging, then just run once. # sub WorkForHours { + # Re-open the stdin, stdout and stderr file descriptors for + # sendmail's benefit. Should stop it squawking! + open(STDIN, "/dev/null"); + open(STDERR, ">/dev/null"); + # Read the configuration file and start logging to syslog/stderr StartLogging($ConfFile); At 20:06 23/01/2003, you wrote: >Nope, I've only been getting the messages about stderr (same error both >before and after the patch). > >-----Original Message----- 
>From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] >Sent: Thursday, January 23, 2003 12:00 PM >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Re: sendmail 8.12.7 squawking after MS 4.11-1 upgrade > > >At 19:49 23/01/2003, you wrote: > >Unfortunately, after applying the patch, I'm still getting the error: > > > >sendmail[30488]: File descriptors missing on startup: stderr; Bad file > >descriptor > >Does it still produce the errors about stdin and stdout as well? > > >This is on an OpenBSD 3.2 box. I rebooted the machine beforehand, and >still > >got the error when I sent a message. Then I killed MailScanner and sent a > >message, without getting an error (so it goes into mqueue.in without > >problems). When I restarted MailScanner, I got the error shortly >thereafter > >(probably when it transfers the mail back to sendmail to send out). I > >haven't had a problem with mail being modified or deleted (except when it >is > >supposed to, i.e. bad attachment filename), so the message is more of an > >annoyance than anything else. Still, it would be nice to get rid of it. > > > >Jeremy Evans > >Information Systems Analyst > >California State Auditor > >916-445-0255 phone > >916-322-7801 fax > > > > > >-----Original Message----- 
> >From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] > >Sent: Thursday, January 23, 2003 11:21 AM > >To: MAILSCANNER@JISCMAIL.AC.UK > >Subject: Re: sendmail 8.12.7 squawking after MS 4.11-1 upgrade > > > > > >Oops, you're right of course. > >Must remember not to code with one hand while drinking wine with the other > >:-) > >Revised patch is below... > > > >At 19:12 23/01/2003, you wrote: > > >Shouldn't: > > > > > >+ $io0->fdopen(fileno(STDIN), "r")); > > >+ $io1->fdopen(fileno(STDOUT),"w")); > > >+ $io2->fdopen(fileno(STDERR),"w")); > > > > > >be: > > > > > >+ $io0->fdopen(fileno(STDIN), "r"); > > >+ $io1->fdopen(fileno(STDOUT),"w"); > > >+ $io2->fdopen(fileno(STDERR),"w"); > > > > > >in the patch? > > > >Revised patch is > > > >--- /usr/sbin/MailScanner Sun Jan 19 12:39:20 2003 > >+++ MailScanner Thu Jan 23 19:56:35 2003 > >@@ -37,6 +37,7 @@ > > require 5.005; > > > > use FileHandle; > >+use IO::Handle; > > use MailScanner::Config; > > use MailScanner::CustomConfig; > > use MailScanner::Lock; > >@@ -261,6 +262,16 @@ > > # If we are debugging, then just run once. > > # > > sub WorkForHours { > >+ # Re-open the stdin, stdout and stderr file descriptors for > >+ # sendmail's benefit. Should stop it squawking! > >+ my($io0, $io1, $io2); > >+ $io0 = new IO::Handle; > >+ $io1 = new IO::Handle; > >+ $io2 = new IO::Handle; > >+ $io0->fdopen(fileno(STDIN), "r"); > >+ $io1->fdopen(fileno(STDOUT),"w"); > >+ $io2->fdopen(fileno(STDERR),"w"); > >+ > > # Read the configuration file and start logging to syslog/stderr > > StartLogging($ConfFile); > > > >-- > >Julian Field > >www.MailScanner.info > >MailScanner thanks transtec Computers for their support > >-- >Julian Field >www.MailScanner.info >MailScanner thanks transtec Computers for their support -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From joelc at CTCHOUSTON.COM Thu Jan 23 22:09:21 2003 
From: joelc at CTCHOUSTON.COM (Joel Colvin)
Date: Thu Jan 12 21:17:03 2006
Subject: Disable Filename checking
In-Reply-To:
Message-ID: <027701c2c32c$187eb690$9504140a@hewlett9por0s0>

If I wanted to completely disable all attachment filename checking should
I leave the config option blank, comment it out or change the rules file
to allow all files?

Joel

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Lush, Richard Sent: Wednesday, January 22, 2003 10:11 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Beta Webmin Module feedback anyone? Hi All, I'm just making the finishing touches to the next beta of the webmin module which I hope to have completed and release on Sunday. For those of you that have downloaded (I'm sure someone has) is there any feedback on problems seen, new feature requests etc. The link again is http://lushsoft.dyndns.org/mailscanner-webmin The new version will/does have the following fixed : Maximum number of child forks now display Help is now available All file browsing buttons now work Plus some other minor bugs Cheers Richard Richard Lush Consulting and Integration Security Practise Reading UK Email richard.lush@hp.com Mobile +44 (0) 7788 916941 Office +44 (0) 118 920 2349 Fax +44 (0) 118 920 4612 D I S C L A I M E R The information contained in this communication is intended solely for use by the individual or entity to whom it is addressed. Use of this communication by others is prohibited. HP and / or Compaq is neither liable for the proper and complete transmission of the information contained in this communication nor for any delay in its receipt nor for any special, incidental or consequential damages of any nature whatsoever resulting from receipt or use of this communication. If you are not the intended recipient, you may not peruse, use, disseminate, distribute or copy this message. If you have received this message in error, please notify the sender immediately by email, facsimile or telephone and return or destroy the original message. Thank you. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030123/ecfa175f/attachment.html From mailscanner at ecs.soton.ac.uk Thu Jan 23 22:17:48 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:03 2006
Subject: Disable Filename checking
In-Reply-To: <027701c2c32c$187eb690$9504140a@hewlett9por0s0>
References:
Message-ID: <5.2.0.9.2.20030123221647.02930d80@imap.ecs.soton.ac.uk>

At 22:09 23/01/2003, you wrote:
>If I wanted to completely disable all attachment filename checking should
>I leave the config option blank, comment it out or change the rules file
>to allow all files?

Easiest way is to add at the top of the filename.rules.conf file

allow	.*	-	-

(Don't forget to use TAB to separate the 4 fields).
Then "reload" MailScanner.

>
>
>Joel
>
>-----Original Message-----
>From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On >Behalf Of Lush, Richard >Sent: Wednesday, January 22, 2003 10:11 AM >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Beta Webmin Module feedback anyone? > > > >Hi All, > >I'm just making the finishing touches to the next beta of the webmin >module which I hope to have completed and release on Sunday. For those of >you that have downloaded (I'm sure someone has) is there any feedback on >problems seen, new feature requests etc. > >The link again is >http://lushsoft.dyndns.org/mailscanner-webmin > > >The new version will/does have the following fixed : > >Maximum number of child forks now display >Help is now available >All file browsing buttons now work >Plus some other minor bugs > >Cheers > >Richard > >Richard Lush > >Consulting and Integration >Security Practise >Reading UK >Email richard.lush@hp.com >Mobile +44 (0) 7788 916941 >Office +44 (0) 118 920 2349 >Fax +44 (0) 118 920 4612 >D I S C L A I M E R >The information contained in this communication is intended solely for use >by the individual or entity to whom it is addressed. Use of this >communication by others is prohibited. HP and / or Compaq is neither >liable for the proper and complete transmission of the information >contained in this communication nor for any delay in its receipt nor for >any special, incidental or consequential damages of any nature whatsoever >resulting from receipt or use of this communication. If you are not the >intended recipient, you may not peruse, use, disseminate, distribute or >copy this message. If you have received this message in error, please >notify the sender immediately by email, facsimile or telephone and return >or destroy the original message. Thank you. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030123/7c22c8cd/attachment.html From c.bates at COMNET.CO.NZ Thu Jan 23 23:10:05 2003 
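The "allow .* - -" line from the "Disable Filename checking" reply above switches off every filename check once it sits at the top of filename.rules.conf, and a rule typed with spaces instead of TABs is easy to overlook. As an added example (not MailScanner's code and not from the thread), this Python audit reports both conditions. It assumes first-match-wins ordering, "#" comment lines, allow/deny as the only actions, and Python's regex engine standing in for Perl's; the rule file and filenames are constructed.

```python
import re

ACTIONS = {"allow", "deny"}  # assumption: the only two actions in use

# Constructed sample rule file (not from any real site); "\t" is a TAB.
SAMPLE_RULES = (
    "# constructed sample\n"
    "allow\t.*\t-\t-\n"
    "deny\t\\.exe$\tExecutable attachment\tExecutables are not accepted\n"
    "deny    \\.scr$    Screensaver    Screensavers are not accepted\n"
)

# Constructed filenames used to decide whether a pattern matches everything.
PROBES = ["report.doc", "setup.exe", "a", "pretty park.exe", "x.tar.gz"]


def parse_rules(text):
    """Return (rules, findings); a finding is (line_number, code, detail)."""
    rules, findings = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # The reply stresses TAB separation, so spaces do not split fields.
        fields = re.split(r"\t+", line)
        if len(fields) != 4:
            findings.append((lineno, "fields",
                             "expected 4 TAB-separated fields, got {}".format(len(fields))))
            continue
        action, pattern, log_text, report_text = fields
        if action.lower() not in ACTIONS:
            findings.append((lineno, "action", "unknown action {!r}".format(action)))
            continue
        try:
            compiled = re.compile(pattern, re.IGNORECASE)
        except re.error as exc:
            findings.append((lineno, "regex", str(exc)))
            continue
        rules.append({"line": lineno, "action": action.lower(), "regex": compiled,
                      "log": log_text, "report": report_text})
    return rules, findings


def is_catch_all(regex):
    """True when the pattern matches every probe filename."""
    return all(regex.search(name) for name in PROBES)


def audit(text):
    """Report malformed lines and the first catch-all allow rule, sorted by line."""
    rules, findings = parse_rules(text)
    for index, rule in enumerate(rules):
        if rule["action"] == "allow" and is_catch_all(rule["regex"]):
            shadowed = [r["line"] for r in rules[index + 1:] if r["action"] == "deny"]
            findings.append((rule["line"], "allow-all",
                             "filename checking disabled; unreachable deny rules "
                             "on lines {}".format(shadowed or "none")))
            break  # nothing after the first catch-all is ever consulted
    return sorted(findings)


def verdict(text, filename):
    """First matching rule decides; no match means allow (assumption)."""
    rules, _ = parse_rules(text)
    for rule in rules:
        if rule["regex"].search(filename):
            return rule["action"], rule["line"]
    return "allow", None


if __name__ == "__main__":
    for lineno, code, detail in audit(SAMPLE_RULES):
        print("line {}: {}: {}".format(lineno, code, detail))
    print(verdict(SAMPLE_RULES, "setup.exe"))
```

Run it against a copy of the rule file after any change; an "allow-all" finding means every deny rule listed in it has stopped protecting the site.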
From: c.bates at COMNET.CO.NZ (Craig Bates)
Date: Thu Jan 12 21:17:03 2006
Subject: dying processes
In-Reply-To: <20030117082248.5f3f7c2b.dlovelace@hotels.com>
References: <200301170936.22606.c.bates@comnet.co.nz> <200301171445.18521.c.bates@comnet.co.nz> <20030117082248.5f3f7c2b.dlovelace@hotels.com>
Message-ID: <200301241210.05291.c.bates@comnet.co.nz>

I've re-installed RedHat8.0 using the RedHat supplied spamassassin (2.31) and
now MailScanner processes are not dying anymore! I was also using SpamAssassin
2.43 before. Now my only problem is that 2.31 does not seem to support RAZOR2,
only RAZOR.

On Saturday 18 January 2003 03:22, you wrote:
> I am not running Razor. I have MailScanner 4.10, SpamAssassin 2.43 and
> ClamAv 0.54 on Red Hat 8.0.
>
> I would notice on my mailscanner-mrtg graphs that the number of
> MailScanner processes would drop from 20 to 3 sometimes, and stay there
> until I restarted MailScanner. I didn't look through the logs "real" hard,
> but my cursory examination didn't turn up anything.
>
> On Fri, 17 Jan 2003 14:45:18 +1300
>
> Craig Bates wrote:
> > Dale,
> >
> > Are you running Spam assassin & RAZOR? What OS and anti-virus are you
> > running?
> >
> > Anybody else having these problems????
> >
> > Thanks,
> >
> > Craig
> >
> > On Friday 17 January 2003 11:34, you wrote:
> > > I was having this same problem, but didn't investigate why very much,
> > > that is why I put the restart option in mailscanner-mrtg, whenever it
> > > detects mailscanner is below a certain number of processes it restarts
> > > it.
> > >
> > > Dale
> > >
> > > On Fri, 17 Jan 2003 09:36:22 +1300
> > >
> > > Craig Bates wrote:
> > > > Hi,
> > > >
> > > > I decided to install MailScanner on RedHat80 as I was having problems
> > > > with MailScanner processes dying on FreeBSD. I am now having exactly
> > > > the same problem with RedHat80. This proves that the problem is
> > > > independent of OS, sendmail version / compilation and perl version.
> > > >
> > > > I find it very strange that nobody else seems to have this problem and
> > > > I have it on 3 boxes!
> > > >
> > > > Is there anybody on this list that has MailScanner working with
> > > > spamassassin-2.43-3.i386.rpm, razor-agents-2.22.tar.gz,
> > > > fp-linux-sb.rpm (f-prot)? One of these must be causing the problem
> > > > as I'm sure MailScanner and RedHat8.0 is a very common installation
> > > > that works!
> > > >
> > > > Thanks,
> > > >
> > > > Craig

From billa at STERLING.NET Thu Jan 23 23:59:24 2003
From: billa at STERLING.NET (Bill Anderson)
Date: Thu Jan 12 21:17:03 2006
Subject: Console error messages...
In-Reply-To: <5.2.0.9.2.20030123220708.02915820@imap.ecs.soton.ac.uk>
Message-ID:

I have scanned all through my logs and can't find any reference to the error
messages. Is there any particular string I should search for, ie. error
code or something from mailscanner?

> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On
> Behalf Of Julian Field
> Sent: Thursday, January 23, 2003 2:08 PM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: Console error messages...
>
>
> Take a good look at your maillog whenever it starts producing the error to
> see if it contains any useful info.
>
> At 20:45 23/01/2003, you wrote:
> >I have pored over my Mailscanner.conf file and have not found anything.
> >The file was changed yesterday, however, the error did not pop up until this
> >morning. Mailscanner was restarted and it ran fine for about 30 minutes and
> >then got the same error. I restarted it again and it has been running fine
> >for the past 3 hours.
> >
> >Should I be checking somewhere else?
> >
> >
> > > -----Original Message-----
> > > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On
> > > Behalf Of Julian Field
> > > Sent: Thursday, January 23, 2003 10:21 AM
> > > To: MAILSCANNER@JISCMAIL.AC.UK
> > > Subject: Re: Console error messages...
> > >
> > >
> > > This is most commonly caused by syntax errors in your MailScanner.conf
> > > file. Check your maillog for more information, it will hopefully tell you
> > > why MailScanner cannot start properly.
> > >
> > > At 18:00 23/01/2003, you wrote:
> > > >I just started getting the following errors this morning: Has anyone seen
> > > >this before?
> > > >
> > > >We haven't got any child processes, which isn't right!, No child processes
> > > >at /usr/sbin/MailScanner line 191.
> > > >We have just tried to reap a process which wasn't one of ours!, No child
> > > >processes at /usr/sbin/MailScanner line 194.
> > >
> > > --
> > > Julian Field
> > > www.MailScanner.info
> > > MailScanner thanks transtec Computers for their support
> > >
>
> --
> Julian Field
> www.MailScanner.info
> MailScanner thanks transtec Computers for their support
>

From mailscanner at ecs.soton.ac.uk Fri Jan 24 08:29:19 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:03 2006
Subject: Console error messages...
In-Reply-To:
References: <5.2.0.9.2.20030123220708.02915820@imap.ecs.soton.ac.uk>
Message-ID: <5.2.0.9.2.20030124082900.02b8dfa8@imap.ecs.soton.ac.uk>

At 23:59 23/01/2003, you wrote:
>I have scanned all through my logs and can't find any reference to the error
>messages. Is there any particular string I should search for, ie. error
>code or something from mailscanner?

Look for "syntax" or "Syntax" for starters.

> > -----Original Message-----
> > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On
> > Behalf Of Julian Field
> > Sent: Thursday, January 23, 2003 2:08 PM
> > To: MAILSCANNER@JISCMAIL.AC.UK
> > Subject: Re: Console error messages...
> >
> >
> > Take a good look at your maillog whenever it starts producing the error to
> > see if it contains any useful info.
> >
> > At 20:45 23/01/2003, you wrote:
> > >I have pored over my Mailscanner.conf file and have not found anything.
> > >The file was changed yesterday, however, the error did not pop up until this
> > >morning. Mailscanner was restarted and it ran fine for about 30 minutes and
> > >then got the same error. I restarted it again and it has been running fine
> > >for the past 3 hours.
> > >
> > >Should I be checking somewhere else?
> > >
> > >
> > > > -----Original Message-----
> > > > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On
> > > > Behalf Of Julian Field
> > > > Sent: Thursday, January 23, 2003 10:21 AM
> > > > To: MAILSCANNER@JISCMAIL.AC.UK
> > > > Subject: Re: Console error messages...
> > > >
> > > >
> > > > This is most commonly caused by syntax errors in your MailScanner.conf
> > > > file. Check your maillog for more information, it will hopefully tell you
> > > > why MailScanner cannot start properly.
> > > >
> > > > At 18:00 23/01/2003, you wrote:
> > > > >I just started getting the following errors this morning: Has anyone seen
> > > > >this before?
> > > > >
> > > > >We haven't got any child processes, which isn't right!, No child processes
> > > > >at /usr/sbin/MailScanner line 191.
> > > > >We have just tried to reap a process which wasn't one of ours!, No child
> > > > >processes at /usr/sbin/MailScanner line 194.
> > > >
> > > > --
> > > > Julian Field
> > > > www.MailScanner.info
> > > > MailScanner thanks transtec Computers for their support
> > > >
> >
> > --
> > Julian Field
> > www.MailScanner.info
> > MailScanner thanks transtec Computers for their support
> >

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From jkha at HPLB.HPL.HP.COM Fri Jan 24 09:14:27 2003
From: jkha at HPLB.HPL.HP.COM (John Hawkes-Reed)
Date: Thu Jan 12 21:17:03 2006
Subject: sendmail 8.12.7 squawking after MS 4.11-1 upgrade
References: <5.2.0.9.2.20030123123436.03d2c800@imap.ecs.soton.ac.uk> <5.2.0.9.2.20030123170337.099dc228@imap.ecs.soton.ac.uk> <5.2.0.9.2.20030123181646.025eab80@imap.ecs.soton.ac.uk>
Message-ID: <3E3103F3.4090607@hplb.hpl.hp.com>

Julian Field wrote:

[ ... ]

>> Jan 23 16:47:22 hplb sendmail[27333]: NOQUEUE: 3: fl=0x10001,
>> mode=10666: FIFO: dev=64/65539, ino=1983, nlink=1, u/gid=0/0, size=2048
>
>
> This still only appears to happen on some OS's. In 4.11 you can try
> commenting out the 3 close() calls in /usr/sbin/MailScanner. I need to
> re-open these filehandles and tie them to /dev/null to keep sendmail happy.

That it's probably a 10.20 feature surprises me not at all...

I'll be spending the rest of the day building a test-rig and trying to
duplicate, then fix the problem.

[ ... ]

> That is Sophos failing to work properly. Did you install it using
> Sophos.install? Does
> /usr/lib/MailScanner/sophos-wrapper .
> correctly scan the current directory? (don't forget the "." on the end of
> the command above)

The Sophos installation here pre-dates Mailscanner - it's rsynced from
another box and the ide path is different to the one expected by the
wrapper. (And 10.20 uses SHLIB_PATH rather than LD_LIBRARY_PATH)

sophos-wrapper worked once I'd fixed a typo, but I think I'd still prefer
it to report its problems to syslog rather than the 'help I'm a prisoner
in a toothpaste factory' approach above... :/

From jkha at HPLB.HPL.HP.COM Fri Jan 24 09:15:47 2003
From: jkha at HPLB.HPL.HP.COM (John Hawkes-Reed)
Date: Thu Jan 12 21:17:03 2006
Subject: sendmail 8.12.7 squawking after MS 4.11-1 upgrade
References: <5.2.0.9.2.20030123123436.03d2c800@imap.ecs.soton.ac.uk> <5.2.0.9.2.20030123170337.099dc228@imap.ecs.soton.ac.uk> <5.2.0.9.2.20030123184642.02508f68@imap.ecs.soton.ac.uk>
Message-ID: <3E310443.4050203@hplb.hpl.hp.com>

Julian Field wrote:
> I can't reproduce the problem myself, so I've to take an educated guess at
> how to solve it. Please can you try this patch to the main
> /usr/sbin/MailScanner script (or /opt/MailScanner/bin/MailScanner).
> Let me know if this helps.
>
> --- /usr/sbin/MailScanner Sun Jan 19 12:39:20 2003
[ ... ]

Thanks. Will do.

From Heinz.Knutzen at DZSH.DE Fri Jan 24 10:32:07 2003
From: Heinz.Knutzen at DZSH.DE (Knutzen, Heinz (DZ-SH))
Date: Thu Jan 12 21:17:04 2006
Subject: Solved: Some mails in outgoing queue don't get processed
Message-ID: <6C645222B0A8BC4FBFACD7606D4306A822FE21@dzrz-ex-1.dzsh.landsh.de>

I have solved my problem, it was my own fault:
I had played with our sendmail configuration and changed values for
confDELAY_LA, confQUEUE_LA, confREFUSE_LA to 0.
The sendmail documentation says for confDELAY_LA:
"Default is 0 which means no limit"

From Peter.Bates at LSHTM.AC.UK Fri Jan 24 11:44:21 2003
From: Peter.Bates at LSHTM.AC.UK (Peter Bates)
Date: Thu Jan 12 21:17:04 2006
Subject: Checking SpamAssassin activity?
Message-ID:

Hello all...

MS 4.11 (installed from RPM)
Sophos, McAfee scanners.
SpamAssassin-2.43.
Razor2 (2.20) and DCC (dccproc-1.1.19).

Two questions, mainly.

I have all the above, and see SA scoring some emails
(I have the threshold set to 8), doing RBL lookups and stuff (instead of
MS doing it itself), but does anyone know how to verify whether Razor or
DCC are actually being run or used at all???

And is the default option in MailScanner.conf
for 'SpamAssassin Auto Whitelist' set to 'no'
because it doesn't work in an environment with
a large volume of email?

Thanks... apologies for bridging the gap betwixt MailScanner and
SpamAssassin, but as MS is calling SA, it seems to be more of a question
about the former than the latter.

--------------------------------------------------------------------------------------------------->
Peter Bates, Systems Support Officer, Network Support Team.
London School of Hygiene & Tropical Medicine.
Telephone:0207-958 8353 / Fax: 0207- 636 9838

From mailscanner at ecs.soton.ac.uk Fri Jan 24 12:12:48 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:04 2006 Subject: Checking SpamAssassin activity? In-Reply-To: Message-ID: <5.2.0.9.2.20030124121150.02ba5e10@imap.ecs.soton.ac.uk> At 11:44 24/01/2003, you wrote: >MS 4.11 (installed from RPM) >Sophos, Mcaffee scanners. >SpamAssassin-2.43. >Razor2 (2.20) and DCC (dccproc-1.1.19). > >And is the default option in MailScanner.conf >for 'SpamAssassin Auto Whitelist' set to 'no' >because it doesn't work in an environment with >a large volume of email? There was a very careful analysis of the behaviour of this option done by someone on this list a month or two ago. The conclusion was that you are better off with this switched off. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From sveinn at SVEINNG.COM Fri Jan 24 12:37:45 2003 From: sveinn at SVEINNG.COM (Sveinn G. Gunnarsson) Date: Thu Jan 12 21:17:04 2006 Subject: F-Prot for AIX available ... and small change in output in upcoming version of F-Prot 4.x In-Reply-To: References: Message-ID: <200301241237.46243.sveinn@sveinng.com> Hi ya all !!! I just received the first beta of F-Prot for AIX yesterday, and got it running on one of my B50 running AIX 4.3.3 and MailScanner 4.11-1. I am running F-Prot and Sophos in parallel as scanners at the moment, and so far, F-prot has not missed 1 virus... For those of you interested in testing this new beta version for AIX, it can be downloaded from: http://www.f-prot.com/download/beta-test/ And Julian... They are changing the output once again ... So when people go to version 4, SweepViruses.pm must be changed like this: 539c539 < $fprot_InCruft=(-4); --- > $fprot_InCruft=(-3); Cheers all, and Julian... thx a million for your outstanding MailScanner !!! ---------------------------- Sveinn G. Gunnarsson AIX System Administrator - CATE Islandssimi hf. From R.A.Gardener at SHU.AC.UK Fri Jan 24 12:44:13 2003 
From: R.A.Gardener at SHU.AC.UK (Ray Gardener)
Date: Thu Jan 12 21:17:04 2006
Subject: Checking SpamAssassin activity?
References:
Message-ID: <00f201c2c3a6$4d789210$5a14348f@videoproducer>

----- Original Message -----
From: "Peter Bates"
To:
Sent: Friday, January 24, 2003 11:44 AM
Subject: Checking SpamAssassin activity?

>Two questions, mainly.
>I have all the above, and see SA scoring some emails
>(I have the threshold set to 8), doing RBL lookups and stuff (instead of
>MS doing it itself), but does anyone know how to verify whether Razor
>or DCC are actually being run or used at all???

The spamassassin distribution includes a test file, sample-spam.txt, which
is listed in Razor and the DCC.

Either run

spamassassin -t < /sample-spam.txt

or force the file through mailscanner by sending it as mail. The file
contains headers etc.

If DCC and RAZOR are working you will see reference to them in the
spamassassin analysis, e.g.

SPAM: DCC_CHECK (8.0 points) Listed in DCC, see http://rhyolite.com/anti-spam/dcc/
SPAM: RAZOR2_CHECK (7.8 points) Listed in Razor2, see http://razor.sf.net/

Regards
Ray

From mailscanner at ecs.soton.ac.uk Fri Jan 24 13:46:12 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:04 2006 Subject: small change in output in upcoming version of F-Prot 4.x In-Reply-To: <200301241237.46243.sveinn@sveinng.com> References: Message-ID: <5.2.0.9.2.20030124134430.02adb6d8@imap.ecs.soton.ac.uk> At 12:37 24/01/2003, you wrote: >And Julian... They are changing the output once again ... >So when people go to version 4, SweepViruses.pm must be changed like this: > >539c539 >< $fprot_InCruft=(-4); >--- > > $fprot_InCruft=(-3); Can you mail me the start of the output of something like cd /tmp /opt/MailScanner/lib/f-prot-wrapper -old -archive -dumb . with some viruses in files in /tmp. I need to be able to spot which version is running and make the code handle both versions. >Cheers all, >and Julian... thx a million for your outstanding MailScanner !!! Glad you like it! -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From campbell at CNPAPERS.COM Fri Jan 24 14:35:17 2003 
From: campbell at CNPAPERS.COM (Steve Campbell)
Date: Thu Jan 12 21:17:04 2006
Subject: Checking SpamAssassin activity?
Message-ID:

I had basically the same problem with some of the other RBLs. I never saw
in the header any indication that any RBL test was ever performed. I ran
all the tests for SA, indicating that they had passed proper operation, and
the logs only showed minimal timeouts (never more than one timeout
happening.) If I setup spam (as opposed to high spam) to be deleted,
instead of just passed through with the SA score, the files were in fact
deleted.

I eventually gave up and do not check any of these BLs anymore, as I could
not monitor what was really going on, since the mail either arrived or was
deleted.

All I wanted was to see if ORDB was catching anything and add that (either
the default or my modified ORDB SA score) to the spam score, thereby
allowing me to control what gets deleted with resulting total.

MS is a wonderful program. Mr. Field does a great job of answering all of
the requests sent to the list, as do others. But concerning my original
problem submitted to the list, I felt like a customer at a car dealer
service department - I just couldn't make anyone believe this was what
really was happening.

From mailscanner at ecs.soton.ac.uk Fri Jan 24 14:39:34 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:04 2006
Subject: Checking SpamAssassin activity?
In-Reply-To:
Message-ID: <5.2.0.9.2.20030124143506.02b9dd88@imap.ecs.soton.ac.uk>

At 14:35 24/01/2003, you wrote:
>I had basically the same problem with some of the other RBLs. I never saw
>in the header any indication that any RBL test was ever performed. I ran
>all the tests for SA, indicating that they had passed proper operation, and
>the logs only showed minimal timeouts (never more than one timeout
>happening.) If I setup spam (as opposed to high spam) to be deleted,
>instead of just passed through with the SA score, the files were in fact
>deleted.
>
>I eventually gave up and do not check any of these BLs anymore, as I could
>not monitor what was really going on, since the mail either arrived or was
>deleted.
>
>All I wanted was to see if ORDB was catching anything and add that (either
>the default or my modified ORDB SA score) to the spam score, thereby
>allowing me to control what gets deleted with resulting total.
>
>MS is a wonderful program. Mr. Field does a great job of answering all of
>the requests sent to the list, as do others. But concerning my original
>problem submitted to the list, I felt like a customer at a car dealer
>service department - I just couldn't make anyone believe this was what
>really was happening.

Okay, can you re-state the original (and current) problem, being very clear
to say exactly *what* is doing the RBL checking at each point (i.e. MS or SA).

The MS and SA rbl checks are totally separate. The SA ones contribute to
the SA score, which can cause either the "Spam Actions" or "High Scoring
Spam Actions" to be executed. The MS ones are just flags, and any of them
hitting will just cause the "Spam Actions" to be executed. The only time
you will get "High Scoring Spam Actions" is if you are doing SA even when
MS's rbl checks hit, and the SA score is over the "High Scoring" threshold
for SA.

Maybe if you could walk me through an example, it might be clearer. I must
be missing your point.
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From jkha at HPLB.HPL.HP.COM Fri Jan 24 15:40:11 2003
From: jkha at HPLB.HPL.HP.COM (John Hawkes-Reed)
Date: Thu Jan 12 21:17:04 2006
Subject: sendmail 8.12.7 squawking after MS 4.11-1 upgrade
References: <5.2.0.9.2.20030123214432.029eebc0@imap.ecs.soton.ac.uk>
Message-ID: <3E315E5B.4070201@hplb.hpl.hp.com>

Julian Field wrote:
> Right. I've built 8.12.7 and managed to reproduce the problem. I appear to
> have a solution, which closes the filehandles to break the connection with
> the tty, and re-opens them after all the daemonising has been done.
>
> Instead of the last patch, try applying this one: (and yes, I know it looks
> dead simple, but it has taken hours to get right :-)

[ ... ]

Ok. That certainly shuts sendmail up.

Of course the body-overwriting fault isn't showing up on the sacrificial
box - it's even alleging the messages are uninfected when sophos-wrapper's
completely broken... [ Sigh ]

From sveinn at SVEINNG.COM Fri Jan 24 17:14:13 2003
From: sveinn at SVEINNG.COM (Sveinn G. Gunnarsson)
Date: Thu Jan 12 21:17:04 2006
Subject: small change in output in upcoming version of F-Prot 4.x
In-Reply-To: <5.2.0.9.2.20030124134430.02adb6d8@imap.ecs.soton.ac.uk>
References: <5.2.0.9.2.20030124134430.02adb6d8@imap.ecs.soton.ac.uk>
Message-ID: <200301241714.13727.sveinn@sveinng.com>

>
> Can you mail me the start of the output of something like
> cd /tmp
> /opt/MailScanner/lib/f-prot-wrapper -old -archive -dumb .
> with some viruses in files in /tmp.
>
> I need to be able to spot which version is running and make the code handle
> both versions.

Sorry... been pretty busy today... but here it is...

root@vx-m:/cluster/mail/quarantine/20030124>/opt/MailScanner/lib/f-prot-wrapper -old -archive -dumb .
Virus scanning report - 24 January 2003 @ 17:15

F-PROT ANTIVIRUS
Program version: 4.0.0b1
Engine version: 3.12.8

VIRUS SIGNATURE FILES
SIGN.DEF created 18 January 2003
SIGN2.DEF created 20 January 2003
MACRO.DEF created 20 January 2003

Search: .
Action: Report only
Files: "Dumb" scan of all files
Switches: -ARCHIVE -OLD

/cluster/mail/quarantine/20030124/h0O0ARwO021738/funny.scr Infection: W32/Lentin.H@mm
/cluster/mail/quarantine/20030124/h0O0AnwO024098/love.scr Infection: W32/Lentin.H@mm
/cluster/mail/quarantine/20030124/h0O0B9wO024132/love.scr Infection: W32/Lentin.H@mm
/cluster/mail/quarantine/20030124/h0O0BJwO030710/funny.scr Infection: W32/Lentin.H@mm
/cluster/mail/quarantine/20030124/h0O0BVwO037270/Be_Happy.scr Infection: W32/Lentin.H@mm
/cluster/mail/quarantine/20030124/h0O0CrwO038500/setup.exe Infection: W32/Klez.H@mm
/cluster/mail/quarantine/20030124/h0O0DmwO048384/love.scr Infection: W32/Lentin.H@mm
/cluster/mail/quarantine/20030124/h0O0EOwO045570/hotmail_hack.exe Infection: W32/Lentin.H@mm
/cluster/mail/quarantine/20030124/h0O0J1wO042762/dfh0O0J1wO042762->content.scr Infection: W32/Klez.H@mm

From mailscanner at ecs.soton.ac.uk Fri Jan 24 17:27:54 2003
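The F-Prot 4 report posted above, parsed by its field markers rather than by counting header paragraphs, as an added example that is not part of the original post and is not MailScanner's own (Perl) parser. `Finding`, `Report`, `parse_report` and `scan_is_trustworthy` are hypothetical names, and reading `->` as "container -> archive member" is an assumption.

```python
import re
from typing import List, NamedTuple, Optional, Tuple


class Finding(NamedTuple):
    message_id: str        # queue directory the file was found in
    attachment: str        # file inside that directory
    member: Optional[str]  # part after "->" (assumed: member of an archive)
    virus: str


class Report(NamedTuple):
    version: Optional[Tuple[int, str]]  # (major, full string), None if no header seen
    findings: List[Finding]
    unparsed: List[str]                 # lines the parser did not recognise


VERSION_RE = re.compile(r"^program\s+version:\s*((\d+)\S*)", re.I)
# Header lines as they appear in the report posted in this thread.
HEADER_RE = re.compile(
    r"^(virus scanning report\b|f-prot antivirus$|engine version:|"
    r"virus signature files$|\S+\.DEF created |search:|action:|files:|switches:)",
    re.I,
)
# Greedy path: attachment names are chosen by the sender, so split on the
# LAST "Infection:" marker on the line, not the first.
INFECTION_RE = re.compile(r"^(?P<path>\S.*)\s+Infection:\s*(?P<virus>\S.*)$")

# Copied from the report above, shortened to three findings.
SAMPLE_REPORT = """\
Virus scanning report - 24 January 2003 @ 17:15

F-PROT ANTIVIRUS
Program version: 4.0.0b1
Engine version: 3.12.8

VIRUS SIGNATURE FILES
SIGN.DEF created 18 January 2003
SIGN2.DEF created 20 January 2003
MACRO.DEF created 20 January 2003

Search: .
Action: Report only
Files: "Dumb" scan of all files
Switches: -ARCHIVE -OLD

/cluster/mail/quarantine/20030124/h0O0ARwO021738/funny.scr Infection: W32/Lentin.H@mm
/cluster/mail/quarantine/20030124/h0O0CrwO038500/setup.exe Infection: W32/Klez.H@mm
/cluster/mail/quarantine/20030124/h0O0J1wO042762/dfh0O0J1wO042762->content.scr Infection: W32/Klez.H@mm
"""


def parse_report(text: str, base_dir: str) -> Report:
    """Parse scanner output; anything not understood is kept in `unparsed`."""
    prefix = base_dir.rstrip("/") + "/"
    version = None
    findings: List[Finding] = []
    unparsed: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue  # paragraph breaks carry no meaning here
        m = VERSION_RE.match(line)
        if m:
            version = (int(m.group(2)), m.group(1))
            continue
        if HEADER_RE.match(line):
            continue
        m = INFECTION_RE.match(line)
        path = m.group("path").strip() if m else ""
        if not path.startswith(prefix):
            unparsed.append(line)  # unknown line or file outside the scan dir
            continue
        message_id, slash, rest = path[len(prefix):].partition("/")
        if not slash or not rest:
            unparsed.append(line)
            continue
        attachment, arrow, member = rest.partition("->")
        findings.append(Finding(message_id, attachment,
                                member if arrow else None,
                                m.group("virus").strip()))
    return Report(version, findings, unparsed)


def scan_is_trustworthy(report: Report) -> bool:
    """Fail closed: "no findings" only counts as clean if the scanner header
    was seen and every line of output was understood."""
    return report.version is not None and not report.unparsed


if __name__ == "__main__":
    rep = parse_report(SAMPLE_REPORT, "/cluster/mail/quarantine/20030124")
    print(rep.version, len(rep.findings), scan_is_trustworthy(rep))
```

A caller that treats an untrustworthy report as a scan failure, rather than as "no infections", avoids passing mail as clean when the wrapper is broken or the output layout changes again.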
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:04 2006 Subject: small change in output in upcoming version of F-Prot 4.x In-Reply-To: <200301241714.13727.sveinn@sveinng.com> References: <5.2.0.9.2.20030124134430.02adb6d8@imap.ecs.soton.ac.uk> <5.2.0.9.2.20030124134430.02adb6d8@imap.ecs.soton.ac.uk> Message-ID: <5.2.0.9.2.20030124172650.06e90720@imap.ecs.soton.ac.uk> Thanks for that. Please can you check that this patch works okay with F-Prot 4 (and 3 if possible). --- /usr/lib/MailScanner/SweepViruses.pm Sun Jan 19 16:42:28 2003 +++ SweepViruses.pm Fri Jan 24 18:40:36 2003 
@@ -952,8 +952,15 @@ chomp $line; - # Lose cruft - return 0 if $fprot_InCruft > 0; + # Look for the "Program version: 4...." line which shows we are running + # version 4 and therefore have different headers at the start of the + # scan output. + if ($fprot_InCruft==2 && $line =~ /program\s+version:\s*4/i) { + $fprot_InCruft -= 1; + return 0; + } + return 0 if $fprot_InCruft > 0; # Return if we are still in headers + # One header paragraph has finished, count it if ($line eq "") { $fprot_InCruft += 1; return 0; At 17:14 24/01/2003, you wrote: > > > > Can you mail me the start of the output of something like > > cd /tmp > > /opt/MailScanner/lib/f-prot-wrapper -old -archive -dumb . > > with some viruses in files in /tmp. > > > > I need to be able to spot which version is running and make the code handle > > both versions. > > >Sorry... been pretty busy today... but here it is... > > > >root@vx-m:/cluster/mail/quarantine/20030124>/opt/MailScanner/lib/f-prot-wrapper > >-old -archive -dumb . >Virus scanning report - 24 January 2003 @ 17:15 > >F-PROT ANTIVIRUS >Program version: 4.0.0b1 >Engine version: 3.12.8 > >VIRUS SIGNATURE FILES >SIGN.DEF created 18 January 2003 >SIGN2.DEF created 20 January 2003 >MACRO.DEF created 20 January 2003 > >Search: . 
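Review bot: in the new `if`, the guard `$fprot_InCruft==2` is an unexplained literal, and as written the `-= 1` leaves the counter at 1, which still satisfies the unchanged `return 0 if $fprot_InCruft > 0` on every following line, before the blank-line count below it is ever reached. The initialiser quoted earlier in the thread is negative (`-4` / `-3`), so please confirm the sign of the value being compared and say in the comment which header paragraph it stands for. The match `/program\s+version:\s*4/i` also ties the new header layout to major version 4 only; capturing the number and comparing it numerically would keep a later release with the same headers from being counted as version 3.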
>Action: Report only >Files: "Dumb" scan of all files >Switches: -ARCHIVE -OLD > >/cluster/mail/quarantine/20030124/h0O0ARwO021738/funny.scr Infection: >W32/Lentin.H@mm >/cluster/mail/quarantine/20030124/h0O0AnwO024098/love.scr Infection: >W32/Lentin.H@mm >/cluster/mail/quarantine/20030124/h0O0B9wO024132/love.scr Infection: >W32/Lentin.H@mm >/cluster/mail/quarantine/20030124/h0O0BJwO030710/funny.scr Infection: >W32/Lentin.H@mm >/cluster/mail/quarantine/20030124/h0O0BVwO037270/Be_Happy.scr Infection: >W32/Lentin.H@mm >/cluster/mail/quarantine/20030124/h0O0CrwO038500/setup.exe Infection: >W32/Klez.H@mm >/cluster/mail/quarantine/20030124/h0O0DmwO048384/love.scr Infection: >W32/Lentin.H@mm >/cluster/mail/quarantine/20030124/h0O0EOwO045570/hotmail_hack.exe Infection: >W32/Lentin.H@mm >/cluster/mail/quarantine/20030124/h0O0J1wO042762/dfh0O0J1wO042762->content.scr > >Infection: W32/Klez.H@mm -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From claviola at AX.NET.BR Fri Jan 24 18:08:32 2003 From: claviola at AX.NET.BR (Carlos Laviola) Date: Thu Jan 12 21:17:04 2006 Subject: [LISTSERV@JISCMAIL.AC.UK: Rejected posting to MAILSCANNER@JISCMAIL.AC.UK] Message-ID: <20030124180831.GN2705@alternex.com.br> I have tried to post the message below. As you might have noticed, I am posting with claviola@ax.net.br instead of claviola@alternex.com.br. What's wrong? Thank you, Carlos. ----- Forwarded message from "L-Soft list server at JISCMAIL (1.8e)" ----- Date: Fri, 24 Jan 2003 17:36:18 +0000 To: claviola@ALTERNEX.COM.BR 
From: "L-Soft list server at JISCMAIL (1.8e)" Subject: Rejected posting to MAILSCANNER@JISCMAIL.AC.UK You are not authorized to send mail to the MAILSCANNER list from your claviola@ALTERNEX.COM.BR account. You might be authorized to send to the list from another of your accounts, or perhaps when using another mail program which generates slightly different addresses, but LISTSERV has no way to associate this other account or address with yours. If you need assistance or if you have any question regarding the policy of the MAILSCANNER list, please contact the list owners: MAILSCANNER-request@JISCMAIL.AC.UK. Date: Fri, 24 Jan 2003 11:38:02 -0200 To: mailscanner@jiscmail.ac.uk From: Carlos Laviola Subject: Strange error (format not supported?) User-Agent: Mutt/1.5.3i One of our clients has reported these weird error messages: Jan 24 11:24:14 vorlon MailScanner[15870]: Could not check ./h0ODNwBL008990/pdv230103.exe/SfxArchiveData/pdv.exe (format not supported) Jan 24 11:24:14 vorlon MailScanner[15870]: Could not check ./h0ODNwBL008990/pdv230103.exe/SfxArchiveData (corrupt) How do I disable these checks? I've already commented out "Filename Rules". Thank you, -- Carlos Laviola AlterNex S/A - (21) 2515-0500 ----- End forwarded message ----- -- Carlos Laviola AlterNex S/A - (21) 2515-0500 From mkettler at EVI-INC.COM Fri Jan 24 18:49:19 2003 
From: mkettler at EVI-INC.COM (Matt Kettler)
Date: Thu Jan 12 21:17:04 2006
Subject: Checking SpamAssassin activity?
In-Reply-To:
Message-ID: <5.1.1.6.0.20030124134155.00b7ca28@192.168.50.2>

Well, you can verify if SpamAssassin itself is using razor and/or dcc by
running:

spamassassin --lint -D (assuming 2.4x or higher)

and look at the debug output. You should see it calling razor and DCC in
there.

If you're using an ancient version of SA (2.3x or lower) do this instead:

spamassassin -D

>Hello all...
>
>MS 4.11 (installed from RPM)
>Sophos, McAfee scanners.
>SpamAssassin-2.43.
>Razor2 (2.20) and DCC (dccproc-1.1.19).
>
>Two questions, mainly.
>
>I have all the above, and see SA scoring some emails
>(I have the threshold set to 8), doing RBL lookups and stuff (instead of
>MS doing it itself), but does anyone know how to verify whether Razor or
>DCC are actually being run or used at all???
>
>And is the default option in MailScanner.conf
>for 'SpamAssassin Auto Whitelist' set to 'no'
>because it doesn't work in an environment with
>a large volume of email?
>
>Thanks... apologies for bridging the gap betwixt MailScanner and
>SpamAssassin, but as MS is calling SA, it seems to be more of a question
>about the former than the latter.
>
>
>
>--------------------------------------------------------------------------------------------------->
>Peter Bates, Systems Support Officer, Network Support Team.
>London School of Hygiene & Tropical Medicine.
>Telephone:0207-958 8353 / Fax: 0207- 636 9838

From billa at STERLING.NET Fri Jan 24 19:22:26 2003
From: billa at STERLING.NET (Bill Anderson) Date: Thu Jan 12 21:17:04 2006 Subject: Console error messages... In-Reply-To: <5.2.0.9.2.20030124082900.02b8dfa8@imap.ecs.soton.ac.uk> Message-ID: Nope, no luck searching on syntax. grep -i syntax /var/log/maillog I have not seen the error yet, it only happened twice for that one hour period. I have scoured through the logs and there is no record of it, only on the console. I will watch it and see if it happens again. Thanks for the patience. > -----Original Message----- > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > Behalf Of Julian Field > Sent: Friday, January 24, 2003 12:29 AM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Console error messages... > > > At 23:59 23/01/2003, you wrote: > >I have scanned all through my logs and can't find any reference > to the error > >messages. Is there any particular string I should search for, ie. error > >code or something from mailscanner? > > Look for "syntax" or "Syntax" for starters. > > > > > -----Original Message----- > > > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > > > Behalf Of Julian Field > > > Sent: Thursday, January 23, 2003 2:08 PM > > > To: MAILSCANNER@JISCMAIL.AC.UK > > > Subject: Re: Console error messages... > > > > > > > > > Take a good look at your maillog whenever it starts producing > the error to > > > see if it contains any useful info. > > > > > > At 20:45 23/01/2003, you wrote: > > > >I have poured over my Mailscanner.conf file and have not > found anything. > > > >The file was changed yesterday, however, the error did not pop > > > up until this > > > >morning. Mailscanner was restarted and it ran fine for about 30 > > > minutes and > > > >then got the same error. I restarted it again and it has been > > > running fine > > > >for the past 3 hours. > > > > > > > >Should I be checking somewhere else? > > > > > > > > > > > > > -----Original Message----- 
> > > > > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > > > > Behalf Of Julian Field > > > > Sent: Thursday, January 23, 2003 10:21 AM > > > > To: MAILSCANNER@JISCMAIL.AC.UK > > > > Subject: Re: Console error messages... > > > > > > > > > > > > This is most commonly caused by syntax errors in your MailScanner.conf > > > > file. Check your maillog for more information, it will > > hopefully tell you > > > > why MailScanner cannot start properly. > > > > > > > > At 18:00 23/01/2003, you wrote: > > > > >I just started getting the following errors this morning: Has > > > > anyone seen > > > > >this before? > > > > > > > > > >We haven't got any child processes, which isn't right!, No child > > > > processes > > > > >at /usr/sbin/MailScanner line 191. > > > > >We have just tried to reap a process which wasn't one of > > ours!, No child > > > > >processes at /usr/sbin/MailScanner line 194. > > > > > > > > -- > > > > Julian Field > > > > www.MailScanner.info > > > > MailScanner thanks transtec Computers for their support > > > > > > > > -- > > Julian Field > > www.MailScanner.info > > MailScanner thanks transtec Computers for their support > > -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From mbowman at UDCOM.COM Fri Jan 24 19:35:09 2003 
From: mbowman at UDCOM.COM (Matthew Bowman)
Date: Thu Jan 12 21:17:04 2006
Subject: Console error messages...
Message-ID:

Hi

RH 7.3 w/sendmail 8.11.6

My console messages get written to /var/log/maillog ok

/var/log/maillog.3:Jan 4 15:46:19 smithers spamd[628]: Failed to run header SpamAssassin tests, skipping some: syntax error at (eval 16) line 75, near ") ~" syntax error at (eval 16) line 81, near ") ~" syntax error at (eval 16) line 147, near ") ~" syntax error at (eval 16) line 150, near "} }"

I assume you have this too?

Syslog Facility = mail

in your MailScanner.conf ?

Matthew

From mailscanner at ecs.soton.ac.uk Fri Jan 24 19:42:38 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:04 2006
Subject: Console error messages...
In-Reply-To:
Message-ID: <5.2.0.9.2.20030124194149.02072398@imap.ecs.soton.ac.uk>

At 19:35 24/01/2003, you wrote:
>Hi
>
>RH 7.3 w/sendmail 8.11.6
>
>My console messages get written to /var/log/maillog ok
>
>/var/log/maillog.3:Jan 4 15:46:19 smithers spamd[628]: Failed to run
>header SpamAssassin tests, skipping some: syntax error
>at (eval 16) line 75, near ") ~" syntax error at (eval 16) line 81, near
>") ~" syntax error at (eval 16) line 147, near ") ~" syntax error at (eval
>16) line 150, near "} }"

But MailScanner doesn't use spamd... (it works faster than that)

>I assume you have this too?
>
>Syslog Facility = mail
>
>in your MailScanner.conf ?
>
>
>Matthew

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From mkettler at EVI-INC.COM Fri Jan 24 20:02:23 2003
From: mkettler at EVI-INC.COM (Matt Kettler)
Date: Thu Jan 12 21:17:04 2006
Subject: Console error messages...
In-Reply-To: <5.2.0.9.2.20030124194149.02072398@imap.ecs.soton.ac.uk>
References:
Message-ID: <5.1.1.6.0.20030124145106.01d57cc0@192.168.50.2>

Agreed, MS calls the SpamAssassin API directly and doesn't call spamc/spamd
or the command-line spamassassin.

Looks like he's also got some kind of procmail deal calling spamc/spamd.
Whoops.. probably don't want to run SA twice on your mail :)

In any event, those messages would imply that he's got typos, probably
small ones with bad side effects, in his spamassassin config. Typically
things like forgetting a / at the end of a regex does this.

My solution for keeping my ruleset clean and well checked is to symlink
root's /root/.spamassassin/user_prefs to the MailScanner
spam.assassin.prefs.conf file, this way I can always lint the same rules
MailScanner is using when I run spamassassin on the command line as the
root user.

I never, ever, edit a spamassassin config without linting it afterwards..
the silliest typos can make half your ruleset be ignored.

spamassassin --lint -LD

This should not complain about having to skip rules, if it does, check what
you just changed.

At 07:42 PM 1/24/2003 +0000, Julian Field wrote:
>>Hi
>>
>>RH 7.3 w/sendmail 8.11.6
>>
>>My console messages get written to /var/log/maillog ok
>>
>>/var/log/maillog.3:Jan 4 15:46:19 smithers spamd[628]: Failed to run
>>header SpamAssassin tests, skipping some: syntax error
>>at (eval 16) line 75, near ") ~" syntax error at (eval 16) line 81, near
>>") ~" syntax error at (eval 16) line 147, near ") ~" syntax error at
>>(eval 16) line 150, near "} }"
>
>But MailScanner doesn't use spamd... (it works faster than that)

From Peter.Bates at LSHTM.AC.UK Sat Jan 25 00:11:50 2003
From: Peter.Bates at LSHTM.AC.UK (Peter Bates)
Date: Thu Jan 12 21:17:04 2006
Subject: Checking SpamAssassin activity?
Message-ID:

Hello all...

> mkettler@EVI-INC.COM 01/24/03 18:46 PM >>>
>Well, you can verify if SpamAssassin itself is using razor and/or dcc
>by running:
>spamassassin --lint -D (assuming 2.4x or higher)
>and look at the debug output. You should see it calling razor and
>DCC in there.

Ahh, well that shows:

debug: DCC is not available: dccproc not found

... although 'which dccproc' shows
/usr/local/bin/dccproc, and it still doesn't work if I do
a symlink into /usr/bin ...

I appreciate this is nothing to do with MailScanner, but if anyone
can suggest a reason for this before I join the SA mailing list, I'd be
most grateful ;) ...

--------------------------------------------------------------------------------------------------->
Peter Bates, Systems Support Officer, Network Support Team.
London School of Hygiene & Tropical Medicine.
Telephone:0207-958 8353 / Fax: 0207- 636 9838

From Peter.Bates at LSHTM.AC.UK Sat Jan 25 00:50:09 2003
From: Peter.Bates at LSHTM.AC.UK (Peter Bates)
Date: Thu Jan 12 21:17:04 2006
Subject: Checking SpamAssassin activity?
Message-ID:

Well, to answer my own question...

> Peter.Bates@lshtm.ac.uk 01/25/03 00:15 AM >>>
>debug: DCC is not available: dccproc not found
>... although 'which dccproc' shows
>/usr/local/bin/dccproc, and it still doesn't work if I do
>a symlink into /usr/bin ...

I found setting 'dcc_path' to the location of the dccproc executable in
/etc/mail/spamassassin/local.cf (i.e. the local configuration) fixed this, e.g;

dcc_path /usr/local/bin/dccproc

The 'spamassassin --lint -D' and also doing
'sendmail -t < sample-spam.txt' to use the DCC and RAZOR listed email that
comes with SA to diagnose are both useful techniques learned from this
list...

Thanks as ever to all...

--------------------------------------------------------------------------------------------------->
Peter Bates, Systems Support Officer, Network Support Team.
London School of Hygiene & Tropical Medicine.
Telephone:0207-958 8353 / Fax: 0207- 636 9838

From mkettler at EVI-INC.COM Sat Jan 25 01:14:53 2003
From: mkettler at EVI-INC.COM (Matt Kettler)
Date: Thu Jan 12 21:17:04 2006
Subject: Checking SpamAssassin activity?
In-Reply-To:
Message-ID: <5.1.1.6.0.20030124200832.018d6860@192.168.50.2>

Yes, the dccproc deal is an issue with some versions of razor and perl.

What winds up happening is that certain versions of razor (2.20 and up?)
wind up munging (or, well, completely deleting) the executable path, but
the cause of the path getting whacked seems to be a bug in perl itself.

See

If you care for more detail see:

the razor-users posts under the subject "[Razor-users] [PATH] undefined
reference in razor-agents-2.22" circa 06 Dec 2002

and spamassassin-talk posts under the subject "[SAtalk] DCC" circa 10 Jan
2003

At 12:50 AM 1/25/2003 +0000, you wrote:
>Well, to answer my own question...
>
> > Peter.Bates@lshtm.ac.uk 01/25/03 00:15 AM >>>
>
> >debug: DCC is not available: dccproc not found
>
>I found setting 'dcc_path' to the location of the dccproc executable in
>/etc/mail/spamassassin/local.cf (i.e. the local configuration) fixed this, e.g;
>
>dcc_path /usr/local/bin/dccproc

From mike at CAMAROSS.NET Sun Jan 26 16:02:51 2003
From: mike at CAMAROSS.NET (Mike Kercher)
Date: Thu Jan 12 21:17:04 2006
Subject: Sophos Updates
In-Reply-To: <5.1.1.6.0.20030124200832.018d6860@192.168.50.2>
Message-ID: <016001c2c554$61d63c30$9801a8c0@home.middlefinger.net>

Has anyone automated the download of Sophos updates from their website?
I wrote a little shell script to download from my local repository,
extract and install them, but I still have to download the .tar.Z
manually by entering my username and password.

Mike

From jaearick at COLBY.EDU Sun Jan 26 16:04:22 2003
From: jaearick at COLBY.EDU (Jeff A. Earickson) Date: Thu Jan 12 21:17:04 2006 Subject: Sophos Updates In-Reply-To: <016001c2c554$61d63c30$9801a8c0@home.middlefinger.net> References: <016001c2c554$61d63c30$9801a8c0@home.middlefinger.net> Message-ID: That is what the sophos-autoupdate perl script in MailScanner's lib directory is for. ----------------------------------- Jeff A. Earickson, Ph.D Senior UNIX Sysadmin and Email Guru Information Technology Services Colby College, 4214 Mayflower Hill, Waterville ME, 04901-8842 phone: 207-872-3659 (fax = 3076) ----------------------------------- On Sun, 26 Jan 2003, Mike Kercher wrote: > Date: Sun, 26 Jan 2003 10:02:51 -0600 > From: Mike Kercher > Reply-To: MailScanner mailing list > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Sophos Updates > > Has anyone automated the download of Sophos updates from their website? > I wrote a little shell script to download from my local repository, > extract and install them, but I still have to download the .tar.Z > manually by entering my username and password. > > Mike > From mike at CAMAROSS.NET Sun Jan 26 16:10:05 2003 From: mike at CAMAROSS.NET (Mike Kercher) Date: Thu Jan 12 21:17:04 2006 Subject: Sophos Updates In-Reply-To: Message-ID: <016201c2c555$6419a710$9801a8c0@home.middlefinger.net> I'm not talking about IDE updates...I'm talking about releases...3.65, 3.66, etc. Mike -----Original Message----- 
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Jeff A. Earickson Sent: Sunday, January 26, 2003 10:04 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Sophos Updates That is what the sophos-autoupdate perl script in MailScanner's lib directory is for. ----------------------------------- Jeff A. Earickson, Ph.D Senior UNIX Sysadmin and Email Guru Information Technology Services Colby College, 4214 Mayflower Hill, Waterville ME, 04901-8842 phone: 207-872-3659 (fax = 3076) ----------------------------------- On Sun, 26 Jan 2003, Mike Kercher wrote: > Date: Sun, 26 Jan 2003 10:02:51 -0600 > From: Mike Kercher > Reply-To: MailScanner mailing list > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Sophos Updates > > Has anyone automated the download of Sophos updates from their > website? I wrote a little shell script to download from my local > repository, extract and install them, but I still have to download the > .tar.Z manually by entering my username and password. > > Mike > From jaearick at COLBY.EDU Sun Jan 26 16:15:42 2003 From: jaearick at COLBY.EDU (Jeff A. Earickson) Date: Thu Jan 12 21:17:04 2006 Subject: Sophos Updates In-Reply-To: <016201c2c555$6419a710$9801a8c0@home.middlefinger.net> References: <016201c2c555$6419a710$9801a8c0@home.middlefinger.net> Message-ID: Mike, Ok, I understand... I prefer to do this by hand (it only needs to be done every other month or two) because the risk of having an automated script screw up either your virus protection or MailScanner is too great. I wonder what happens to MailScanner if it is doing virus protection, using Sophos, and the Sophos directory gets nuked. Big email train wreck? --- Jeff On Sun, 26 Jan 2003, Mike Kercher wrote: > Date: Sun, 26 Jan 2003 10:10:05 -0600 
> From: Mike Kercher > Reply-To: MailScanner mailing list > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Sophos Updates > > I'm not talking about IDE updates...I'm talking about releases...3.65, > 3.66, etc. > > Mike > > > -----Original Message----- > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On > Behalf Of Jeff A. Earickson > Sent: Sunday, January 26, 2003 10:04 AM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Sophos Updates > > > That is what the sophos-autoupdate perl script in MailScanner's lib > directory is for. > > ----------------------------------- > Jeff A. Earickson, Ph.D > Senior UNIX Sysadmin and Email Guru > Information Technology Services > Colby College, 4214 Mayflower Hill, > Waterville ME, 04901-8842 > phone: 207-872-3659 (fax = 3076) > ----------------------------------- > > On Sun, 26 Jan 2003, Mike Kercher wrote: > > > Date: Sun, 26 Jan 2003 10:02:51 -0600 > > From: Mike Kercher > > Reply-To: MailScanner mailing list > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: Sophos Updates > > > > Has anyone automated the download of Sophos updates from their > > website? I wrote a little shell script to download from my local > > repository, extract and install them, but I still have to download the > > > .tar.Z manually by entering my username and password. > > > > Mike > > > From mike at CAMAROSS.NET Sun Jan 26 16:20:51 2003 From: mike at CAMAROSS.NET (Mike Kercher) Date: Thu Jan 12 21:17:04 2006 Subject: Sophos Updates In-Reply-To: Message-ID: <016e01c2c556$e5105f70$9801a8c0@home.middlefinger.net> Good point. Maybe what I'll do is just run my update script on all my boxes and download the update manually. Worst case, the same version gets reinstalled :) Mike -----Original Message----- 
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Jeff A. Earickson Sent: Sunday, January 26, 2003 10:16 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Sophos Updates Mike, Ok, I understand... I prefer to do this by hand (it only needs to be done every other month or two) because the risk of having an automated script screw up either your virus protection or MailScanner is too great. I wonder what happens to MailScanner if it is doing virus protection, using Sophos, and the Sophos directory gets nuked. Big email train wreck? --- Jeff On Sun, 26 Jan 2003, Mike Kercher wrote: > Date: Sun, 26 Jan 2003 10:10:05 -0600 > From: Mike Kercher > Reply-To: MailScanner mailing list > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Sophos Updates > > I'm not talking about IDE updates...I'm talking about releases...3.65, > 3.66, etc. > > Mike > > > -----Original Message----- > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On > Behalf Of Jeff A. Earickson > Sent: Sunday, January 26, 2003 10:04 AM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Sophos Updates > > > That is what the sophos-autoupdate perl script in MailScanner's lib > directory is for. > > ----------------------------------- > Jeff A. Earickson, Ph.D > Senior UNIX Sysadmin and Email Guru > Information Technology Services > Colby College, 4214 Mayflower Hill, > Waterville ME, 04901-8842 > phone: 207-872-3659 (fax = 3076) > ----------------------------------- > > On Sun, 26 Jan 2003, Mike Kercher wrote: > > > Date: Sun, 26 Jan 2003 10:02:51 -0600 
> > From: Mike Kercher > > Reply-To: MailScanner mailing list > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: Sophos Updates > > > > Has anyone automated the download of Sophos updates from their > > website? I wrote a little shell script to download from my local > > repository, extract and install them, but I still have to download > > the > > > .tar.Z manually by entering my username and password. > > > > Mike > > > From mailscanner at ecs.soton.ac.uk Sun Jan 26 17:27:34 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:04 2006 Subject: Sophos Updates In-Reply-To: <016e01c2c556$e5105f70$9801a8c0@home.middlefinger.net> References: Message-ID: <5.2.0.9.2.20030126165148.0277df00@imap.ecs.soton.ac.uk> It is possible to completely automate it. But I agree with Jeff's comments. With the current way it could be done, it would only take Sophos to re-organise their web site and it would break. It would also end up relying on a security slip-up made by Sophos, in order to be full automatic. The process can break in so many ways that I wouldn't feel safe using an automated script to do this. When you do a download and a "Sophos.install" by hand you can easily see that they worked. It only takes me 5 or 10 minutes every 3 months to update my 3 servers by hand. I wouldn't feel safe leaving it to a cron job :-) What you can easily do is add a monthly cron job which mails you the output of /usr/lib/MailScanner/sophos-wrapper -v | head -12 which will give you the release date of your current installation so you know when it needs to be updated. At 16:20 26/01/2003, you wrote: >Good point. Maybe what I'll do is just run my update script on all my >boxes and download the update manually. Worst case, the same version >gets reinstalled :) > >Mike > > >-----Original Message----- 
>From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On >Behalf Of Jeff A. Earickson >Sent: Sunday, January 26, 2003 10:16 AM >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Re: Sophos Updates > > >Mike, > Ok, I understand... I prefer to do this by hand (it only needs to be >done every other month or two) because the risk of having an automated >script screw up either your virus protection or MailScanner is too >great. I wonder what happens to MailScanner if it is doing virus >protection, using Sophos, and the Sophos directory gets nuked. Big email >train wreck? > >--- Jeff > >On Sun, 26 Jan 2003, Mike Kercher wrote: > > > Date: Sun, 26 Jan 2003 10:10:05 -0600 > > From: Mike Kercher > > Reply-To: MailScanner mailing list > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: Re: Sophos Updates > > > > I'm not talking about IDE updates...I'm talking about releases...3.65, > > > 3.66, etc. > > > > Mike > > > > > > -----Original Message----- > > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On > > Behalf Of Jeff A. Earickson > > Sent: Sunday, January 26, 2003 10:04 AM > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: Re: Sophos Updates > > > > > > That is what the sophos-autoupdate perl script in MailScanner's lib > > directory is for. > > > > ----------------------------------- > > Jeff A. Earickson, Ph.D > > Senior UNIX Sysadmin and Email Guru > > Information Technology Services > > Colby College, 4214 Mayflower Hill, > > Waterville ME, 04901-8842 > > phone: 207-872-3659 (fax = 3076) > > ----------------------------------- > > > > On Sun, 26 Jan 2003, Mike Kercher wrote: > > > > > Date: Sun, 26 Jan 2003 10:02:51 -0600 
> > > From: Mike Kercher > > > Reply-To: MailScanner mailing list > > > To: MAILSCANNER@JISCMAIL.AC.UK > > > Subject: Sophos Updates > > > > > > Has anyone automated the download of Sophos updates from their > > > website? I wrote a little shell script to download from my local > > > repository, extract and install them, but I still have to download > > > the > > > > > .tar.Z manually by entering my username and password. > > > > > > Mike > > > > > -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From dbird at SGHMS.AC.UK Sun Jan 26 18:45:48 2003 From: dbird at SGHMS.AC.UK (Daniel Bird) Date: Thu Jan 12 21:17:04 2006 Subject: SA local.cf and mailscanner Message-ID: <3E342CDC.1050005@sghms.ac.uk> Just a quick question or two. For a while now we've been using the SA-Exim patch to do Spam checks before letting MailScanner do its thing. My questions are: 1) Which would be of better performance, running the Spam check using the SA-Exim patch before MailScanner or letting MailScanner do it for me? and 2) If I move Spam checking to MailScanner, will it pick up the defaults from the system local.cf file for Spam Assassin? TIA Dan -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From mailscanner at ecs.soton.ac.uk Sun Jan 26 18:51:38 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:04 2006
Subject: SA local.cf and mailscanner
In-Reply-To: <3E342CDC.1050005@sghms.ac.uk>
Message-ID: <5.2.0.9.2.20030126184924.0277ad98@imap.ecs.soton.ac.uk>

At 18:45 26/01/2003, you wrote:
>Just a quick question or two.
>
>For a while now we've been using the SA-Exim patch to do Spam checks
>before letting MailScanner do its thing.
>
>My questions are:
>1) Which would be of better performance, running the Spam check using
>the SA-Exim patch before MailScanner or letting MailScanner do it for me?

Almost certainly by doing the SA checks with MailScanner, if the Exim patch is either using spamd/spamc or the "spamassassin" script. MailScanner talks directly to SA using its core Perl API.

>2) If I move Spam checking to MailScanner, will it pick up the defaults
>from the system local.cf file for Spam Assassin?

It should pick up the /etc/MailScanner/spam.assassin.conf file. Put your local rules and settings in there.
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From sveinn at SVEINNG.COM Mon Jan 27 11:42:45 2003
From: sveinn at SVEINNG.COM (Sveinn G. Gunnarsson)
Date: Thu Jan 12 21:17:04 2006
Subject: small change in output in upcoming version of F-Prot 4.x
In-Reply-To: <5.2.0.9.2.20030124172650.06e90720@imap.ecs.soton.ac.uk>
References: <5.2.0.9.2.20030124134430.02adb6d8@imap.ecs.soton.ac.uk> <5.2.0.9.2.20030124172650.06e90720@imap.ecs.soton.ac.uk>
Message-ID: <200301271142.45683.sveinn@sveinng.com>

> Thanks for that.
> Please can you check that this patch works okay with F-Prot 4 (and 3 if
> possible).

Hi Julian...

I tried your patch on the machine running the new F-Prot, but got the following parser errors...

[-----]
Jan 27 11:40:45 vx-m MailScanner[49110]: Search: .
Jan 27 11:40:45 vx-m MailScanner[49110]: Either you've found a bug in MailScanner's F-Prot output parser, or F-Prot's output format has changed! F-Prot said this "Search: .". Please mail the author of MailScanner
Jan 27 11:40:45 vx-m MailScanner[49110]: Action: Report only
Jan 27 11:40:45 vx-m MailScanner[49110]: Either you've found a bug in MailScanner's F-Prot output parser, or F-Prot's output format has changed! F-Prot said this "Action: Report only". Please mail the author of MailScanner
Jan 27 11:40:45 vx-m MailScanner[49110]: Files: "Dumb" scan of all files
Jan 27 11:40:45 vx-m MailScanner[49110]: Either you've found a bug in MailScanner's F-Prot output parser, or F-Prot's output format has changed! F-Prot said this "Files: "Dumb" scan of all files". Please mail the author of MailScanner
Jan 27 11:40:45 vx-m MailScanner[49110]: Switches: -ARCHIVE -OLD
Jan 27 11:40:45 vx-m MailScanner[49110]: Either you've found a bug in MailScanner's F-Prot output parser, or F-Prot's output format has changed! F-Prot said this "Switches: -ARCHIVE -OLD". Please mail the author of MailScanner
[-----]

----------------------------
Sveinn G. Gunnarsson
AIX System Administrator - CATE
Islandssimi hf.

From mailscanner at ecs.soton.ac.uk Mon Jan 27 13:49:57 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:04 2006
Subject: small change in output in upcoming version of F-Prot 4.x
In-Reply-To: <200301271142.45683.sveinn@sveinng.com>
References: <5.2.0.9.2.20030124172650.06e90720@imap.ecs.soton.ac.uk> <5.2.0.9.2.20030124134430.02adb6d8@imap.ecs.soton.ac.uk> <5.2.0.9.2.20030124172650.06e90720@imap.ecs.soton.ac.uk>
Message-ID: <5.2.0.9.2.20030127134852.04f54630@imap.ecs.soton.ac.uk>

At 11:42 27/01/2003, you wrote:
> > Thanks for that.
> > Please can you check that this patch works okay with F-Prot 4 (and 3 if
> > possible).
>
>Hi Julian...
>
>I tried your patch on the machine running the new F-Prot, but got the
>following
>parser errors...

Sorry, silly error on my part.

In line 958 of SweepViruses.pm you will currently find

    if ($fprot_InCruft==2 && $line =~ /program\s+version:\s*4/i) {

This should be changed to

    if ($fprot_InCruft==-2 && $line =~ /program\s+version:\s*4/i) {

(i.e. the "2" should become "-2").
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From adkinss at OHIO.EDU Mon Jan 27 14:12:35 2003
From: adkinss at OHIO.EDU (Scott Adkins)
Date: Thu Jan 12 21:17:04 2006
Subject: Sophos issues
In-Reply-To: <5.2.0.9.2.20030123142635.03fef968@imap.ecs.soton.ac.uk>
References: <5.2.0.9.2.20030123142635.03fef968@imap.ecs.soton.ac.uk>
Message-ID: <3968438162.1043658755@Callisto>

Skipped content of type multipart/mixed
-------------- next part --------------
A non-text attachment was scrubbed...
Name: MSL8192.sig
Type: application/pgp-signature
Size: 231 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030127/0f60c08b/MSL8192.bin

From adkinss at OHIO.EDU Mon Jan 27 15:51:24 2003
From: adkinss at OHIO.EDU (Scott Adkins) Date: Thu Jan 12 21:17:04 2006 Subject: Sophos issues In-Reply-To: <3968438162.1043658755@Callisto> References: <3968438162.1043658755@Callisto> Message-ID: <3974366747.1043664684@Callisto> I just spoke with Sophos about this issue. The person I spoke for tells me that this is definitely a MailScanner issue. The files are already "corrupt" by the time that Sophos sees it (basically, it can't see both the start of the file and the end of the file, is what I was told). I asked about the RAR archives, and she said that Sophos currently can't scan RAR version 3 archives, but that will be available in the next release. She suggested that I quarantine messages and release the files that get labeled corrupted, or in the case of the RAR files, maybe put the file extension on a whitelist, basically. Anyways, without the original files from these people, I can't verify for sure if the documents were already corrupted. I am still working that issue. How does MailScanner send files to Sophos? I assume it extracts the file in the attachment to a real file on the disk and then points Sophos to it, right? Are there cases where the whole file may not be written to disk for some reason? What would be really helpful, at this point, is a way for me to set an option to allow corrupted files to pass through MailScanner without being flagged as viruses and without being touched. The same goes for scanning of external MIME attachments (which is another thread). There should be an option to not flag those as viruses and to allow the messages to pass through untouched. Both of these issues are generated support calls for us right now. Thanks, Scott --On Monday, January 27, 2003 9:12 AM -0500 Scott Adkins wrote: > This problem seems to be even more widespread than that... Friday, I > somebody complained about an XLS document that was getting flagged as > a virus... 
They sent it multiple times and every time, it would get > to the other side flagged as a virus and the message would indicate > that it was corrupted. Today, I have a couple reports on PDF documets > doing the same thing. > > Looking at the PDF document on the destination side (after it gets > there and says it is corrupted), I get these error messags: > > Insufficient data for an image > > AND > > Unable to extract the embedded font "DOrchesterScriptMT". Some > characters may not display or print correctly. > > I am trying to get the original documents described above so I can do > a better check on them, but it all depends on them getting back to me. > > Ah... My grep on the syslog files just finished. Attached is the output > of what I found with regards to looking for corrupt documents that > MailScanner reports... > > So, is it correct to assume that Sophos is the one having problems with > this? The question that I have is whether or not the document was already > corrupted when Sophos got a hold of it, or if Sophos corrupted it when > trying to scan it... > > Scott > > --On Thursday, January 23, 2003 2:28 PM +0000 Julian Field > wrote: > >> I have heard of other similar problems with RAR archives and Sophos in >> the last few days. Supposedly Sophos tech support are working on them. >> >> If you do a standard ("Sophos"'s standard) installation of their virus >> scanner, and use sweep to scan the RAR file, and it still produces the >> errors (which I believe it will), then you should log a fault call with >> Sophos tech support so that they work faster on fixing this problem. >> >> At 13:48 23/01/2003, you wrote: >>> Hello, >>> >>> Yesterday I added Sophos to McAfee as my virus scanners in MS. 
I then >>> noticed the following messages in my logs: >>> Jan 22 12:21:20 smtp2 MailScanner[10906]: Could not check >>> ./h0MHL9O22471/StAR2001_2002Fleury et alH.rar/StAR2001_2002Fleury et >>> alH.doc (format not supported) >>> Jan 22 12:21:20 smtp2 MailScanner[10906]: Could not check >>> ./h0MHL9O22471/StAR2001_2002Fleury et alH.rar (corrupt) >>> Jan 22 12:21:20 smtp2 MailScanner[10906]: Virus Scanning: sophos found 2 >>> infections >>> Jan 22 12:21:20 smtp2 MailScanner[10906]: Virus Scanning: Found 2 >>> viruses Jan 22 12:21:20 smtp2 MailScanner[10906]: Saved infected >>> "StAR2001_2002Fleury et alH.rar (corrupt)" to >>> /quarantaine/usherbrooke/20030122/h0MHL9O22471 >>> Jan 22 12:21:20 smtp2 MailScanner[10906]: Saved infected >>> "StAR2001_2002Fleury et alH.rar" to >>> /quarantaine/usherbrooke/20030122/h0MHL9O22471 >>> Jan 22 12:58:33 smtp2 MailScanner[10824]: Could not check >>> ./h0MHwPO31882/Calendrier2003.pps (corrupt) >>> Jan 22 12:58:33 smtp2 MailScanner[10824]: Could not check >>> ./h0MHwPO31882/Calendrier2003.pps (corrupt) >>> Jan 22 12:58:34 smtp2 MailScanner[10824]: Virus Scanning: sophos found 1 >>> infections >>> Jan 22 12:58:34 smtp2 MailScanner[10824]: Virus Scanning: Found 1 >>> viruses Jan 22 12:58:34 smtp2 MailScanner[10824]: Saved infected >>> "Calendrier2003.pps (corrupt)" to >>> /quarantaine/hermes/20030122/h0MHwPO31882 Jan 22 16:26:55 smtp2 >>> MailScanner[22132]: Could not check >>> ./h0MLQmO04098/winmail.dat (corrupt) >>> Jan 22 16:26:55 smtp2 MailScanner[22132]: Virus Re-scanning: sophos >>> found 1 >>> infections >>> Jan 22 16:26:55 smtp2 MailScanner[22132]: Disinfection: Rescan found >>> only 1 viruses >>> >>> I checked my old logs and these messages had never appeared before I >>> added Sophos so I'm pretty sure it is the culprit. McAfee didn't >>> complain about those files. >>> >>> I'm running version 4.11-1 on RH 7.3 with the external winmail.dat >>> extractor. 
>>> >>> The problem is annoying because the attachments were not transmitted to >>> the users and even though MS informed them that they were quarantined in >>> directory X, they are not there except for the RAR file. For the others, >>> the directory is empty. >>> >>> Until this issue is resolved I deactivated Sophos. Anyhow the Sophos >>> quote I received was based on the number of users my mail gateways >>> protect and was way too expensive for us. >>> >>> Thanks again! >>> >>> Denis >>> -- >>> Denis Beauchemin, analyste >>> Universit? de Sherbrooke, S.T.I. >>> T: 819.821.8000x2252 F: 819.821.8045 >> >> -- >> Julian Field >> www.MailScanner.info >> MailScanner thanks transtec Computers for their support > > > -- > +-----------------------------------------------------------------------+ > Scott W. Adkins http://www.cns.ohiou.edu/~sadkins/ > UNIX Systems Engineer mailto:adkinss@ohio.edu > ICQ 7626282 Work (740)593-9478 Fax (740)593-1944 > +-----------------------------------------------------------------------+ > PGP Public Key available at http://www.cns.ohiou.edu/~sadkins/pgp/ -- +-----------------------------------------------------------------------+ Scott W. Adkins http://www.cns.ohiou.edu/~sadkins/ UNIX Systems Engineer mailto:adkinss@ohio.edu ICQ 7626282 Work (740)593-9478 Fax (740)593-1944 +-----------------------------------------------------------------------+ PGP Public Key available at http://www.cns.ohiou.edu/~sadkins/pgp/ -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 231 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030127/00c5f38c/attachment.bin From mailscanner at ecs.soton.ac.uk Mon Jan 27 16:34:44 2003 
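[Added example, not part of any post in this thread and not MailScanner's own code.] The log excerpt quoted above shows the scanner's "found N infections" count next to "Could not check ... (corrupt)" lines, so a first triage step is to check whether a batch's count is fully explained by unscannable files. The function names `triage` and `classify` are hypothetical, batches are grouped by MailScanner PID as an assumption about log ordering, and the last two sample lines are constructed for contrast.

```python
import re
from collections import defaultdict

# Reconstructed from the log excerpt quoted in this thread (mail line-wrapping
# undone). The last two lines (PID 30001) are constructed for contrast.
SAMPLE_LOG = """\
Jan 22 12:21:20 smtp2 MailScanner[10906]: Could not check ./h0MHL9O22471/StAR2001_2002Fleury et alH.rar/StAR2001_2002Fleury et alH.doc (format not supported)
Jan 22 12:21:20 smtp2 MailScanner[10906]: Could not check ./h0MHL9O22471/StAR2001_2002Fleury et alH.rar (corrupt)
Jan 22 12:21:20 smtp2 MailScanner[10906]: Virus Scanning: sophos found 2 infections
Jan 22 12:58:33 smtp2 MailScanner[10824]: Could not check ./h0MHwPO31882/Calendrier2003.pps (corrupt)
Jan 22 12:58:33 smtp2 MailScanner[10824]: Could not check ./h0MHwPO31882/Calendrier2003.pps (corrupt)
Jan 22 12:58:34 smtp2 MailScanner[10824]: Virus Scanning: sophos found 1 infections
Jan 22 16:26:55 smtp2 MailScanner[22132]: Could not check ./h0MLQmO04098/winmail.dat (corrupt)
Jan 22 16:26:55 smtp2 MailScanner[22132]: Virus Re-scanning: sophos found 1 infections
Jan 22 17:00:01 smtp2 MailScanner[30001]: Could not check ./hCONSTRUCTED01/report.pdf (corrupt)
Jan 22 17:00:01 smtp2 MailScanner[30001]: Virus Scanning: sophos found 2 infections
"""

# syslog prefix: "Mon DD HH:MM:SS host MailScanner[pid]: message"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\s"
    r"MailScanner\[(?P<pid>\d+)\]:\s(?P<msg>.*)$"
)
# "Could not check ./<queue id>/<path> (<reason>)"
UNSCANNABLE_RE = re.compile(
    r"^Could not check \./(?P<qid>[^/]+)/(?P<path>.+) \((?P<reason>[^()]+)\)$"
)
# "Virus Scanning: <scanner> found N infections" (also "Virus Re-scanning:")
COUNT_RE = re.compile(
    r"^Virus (?:Re-)?[Ss]canning: (?P<scanner>\w+) found (?P<n>\d+) infections?$"
)


def classify(reported, unscannable_count):
    """Label a batch by comparing the reported count with unscannable files."""
    if reported == 0:
        return "clean"
    if reported == unscannable_count:
        # Every report is accounted for by a file the scanner could not read.
        return "scan-errors-only"
    # Counts disagree: something other than a scan error was reported.
    return "needs-review"


def triage(log_text):
    """Return one record per scanner summary line, in log order."""
    pending = defaultdict(set)  # pid -> {(queue id, path, reason)}
    batches = []
    for raw in log_text.splitlines():
        line = LINE_RE.match(raw.strip())
        if not line:
            continue
        pid, msg = line["pid"], line["msg"]
        unscannable = UNSCANNABLE_RE.match(msg)
        if unscannable:
            # A set de-duplicates a file that is logged twice.
            pending[pid].add(
                (unscannable["qid"], unscannable["path"], unscannable["reason"])
            )
            continue
        count = COUNT_RE.match(msg)
        if count:
            files = sorted(pending.pop(pid, set()))
            reported = int(count["n"])
            batches.append({
                "time": line["ts"],
                "pid": pid,
                "scanner": count["scanner"],
                "reported": reported,
                "unscannable": files,
                "queue_ids": sorted({qid for qid, _, _ in files}),
                "verdict": classify(reported, len(files)),
            })
    return batches


if __name__ == "__main__":
    for batch in triage(SAMPLE_LOG):
        print(batch["time"], batch["pid"], batch["scanner"],
              batch["reported"], batch["verdict"], batch["queue_ids"])
```

A "scan-errors-only" verdict only says the counts match; the quarantined file still needs to be checked before it is released.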
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:04 2006 Subject: Sophos issues In-Reply-To: <3974366747.1043664684@Callisto> References: <3968438162.1043658755@Callisto> <3968438162.1043658755@Callisto> Message-ID: <5.2.0.9.2.20030127162836.0501d3a8@imap.ecs.soton.ac.uk> At 15:51 27/01/2003, you wrote: >I just spoke with Sophos about this issue. The person I spoke for tells >me that this is definitely a MailScanner issue. They are getting good at saying that. Shame they never actually tell me about it. > The files are already >"corrupt" by the time that Sophos sees it (basically, it can't see both >the start of the file and the end of the file, is what I was told). I >asked about the RAR archives, and she said that Sophos currently can't >scan RAR version 3 archives, but that will be available in the next >release. She suggested that I quarantine messages and release the files >that get labeled corrupted, or in the case of the RAR files, maybe put >the file extension on a whitelist, basically. When it finds a file is corrupt, MailScanner removes it, right? Is it happening often enough that you could archive all mail for a little while until it happens? If so, we can actually get a test case together to prove exactly what is happening to the message. Until I can get my hands on a test case, it is very difficult to work out what is happening. Are they suggesting that the file put into the quarantine is actually okay, but the file being scanned is not? That would be a neat trick... >Anyways, without the original files from these people, I can't verify >for sure if the documents were already corrupted. I am still working >that issue. How does MailScanner send files to Sophos? I assume it >extracts the file in the attachment to a real file on the disk and then >points Sophos to it, right? Correct. > Are there cases where the whole file may >not be written to disk for some reason? Other than you running out of disk space, no. 
>What would be really helpful, at this point, is a way for me to set an >option to allow corrupted files to pass through MailScanner without being >flagged as viruses and without being touched. The same goes for scanning >of external MIME attachments (which is another thread). There should be >an option to not flag those as viruses and to allow the messages to pass >through untouched. Both of these issues are generated support calls for >us right now. The "external bodies" switch will be in the next version. I'll have to take a look at how easy it would be to add a switch for the other bit. How come this is only happening with Sophos? No-one else is reporting any problems, only the people using Sophos. >Thanks, >Scott > >--On Monday, January 27, 2003 9:12 AM -0500 Scott Adkins > wrote: > >>This problem seems to be even more widespread than that... Friday, I >>somebody complained about an XLS document that was getting flagged as >>a virus... They sent it multiple times and every time, it would get >>to the other side flagged as a virus and the message would indicate >>that it was corrupted. Today, I have a couple reports on PDF documets >>doing the same thing. >> >>Looking at the PDF document on the destination side (after it gets >>there and says it is corrupted), I get these error messags: >> >> Insufficient data for an image >> >>AND >> >> Unable to extract the embedded font "DOrchesterScriptMT". Some >> characters may not display or print correctly. >> >>I am trying to get the original documents described above so I can do >>a better check on them, but it all depends on them getting back to me. >> >>Ah... My grep on the syslog files just finished. Attached is the output >>of what I found with regards to looking for corrupt documents that >>MailScanner reports... >> >>So, is it correct to assume that Sophos is the one having problems with >>this? 
The question that I have is whether or not the document was already >>corrupted when Sophos got a hold of it, or if Sophos corrupted it when >>trying to scan it... >> >>Scott >> >>--On Thursday, January 23, 2003 2:28 PM +0000 Julian Field >> wrote: >> >>>I have heard of other similar problems with RAR archives and Sophos in >>>the last few days. Supposedly Sophos tech support are working on them. >>> >>>If you do a standard ("Sophos"'s standard) installation of their virus >>>scanner, and use sweep to scan the RAR file, and it still produces the >>>errors (which I believe it will), then you should log a fault call with >>>Sophos tech support so that they work faster on fixing this problem. >>> >>>At 13:48 23/01/2003, you wrote: >>>>Hello, >>>> >>>>Yesterday I added Sophos to McAfee as my virus scanners in MS. I then >>>>noticed the following messages in my logs: >>>>Jan 22 12:21:20 smtp2 MailScanner[10906]: Could not check >>>>./h0MHL9O22471/StAR2001_2002Fleury et alH.rar/StAR2001_2002Fleury et >>>>alH.doc (format not supported) >>>>Jan 22 12:21:20 smtp2 MailScanner[10906]: Could not check >>>>./h0MHL9O22471/StAR2001_2002Fleury et alH.rar (corrupt) >>>>Jan 22 12:21:20 smtp2 MailScanner[10906]: Virus Scanning: sophos found 2 >>>>infections >>>>Jan 22 12:21:20 smtp2 MailScanner[10906]: Virus Scanning: Found 2 >>>>viruses Jan 22 12:21:20 smtp2 MailScanner[10906]: Saved infected >>>>"StAR2001_2002Fleury et alH.rar (corrupt)" to >>>>/quarantaine/usherbrooke/20030122/h0MHL9O22471 >>>>Jan 22 12:21:20 smtp2 MailScanner[10906]: Saved infected >>>>"StAR2001_2002Fleury et alH.rar" to >>>>/quarantaine/usherbrooke/20030122/h0MHL9O22471 >>>>Jan 22 12:58:33 smtp2 MailScanner[10824]: Could not check >>>>./h0MHwPO31882/Calendrier2003.pps (corrupt) >>>>Jan 22 12:58:33 smtp2 MailScanner[10824]: Could not check >>>>./h0MHwPO31882/Calendrier2003.pps (corrupt) >>>>Jan 22 12:58:34 smtp2 MailScanner[10824]: Virus Scanning: sophos found 1 >>>>infections >>>>Jan 22 12:58:34 smtp2 
MailScanner[10824]: Virus Scanning: Found 1 >>>>viruses Jan 22 12:58:34 smtp2 MailScanner[10824]: Saved infected >>>>"Calendrier2003.pps (corrupt)" to >>>>/quarantaine/hermes/20030122/h0MHwPO31882 Jan 22 16:26:55 smtp2 >>>>MailScanner[22132]: Could not check >>>>./h0MLQmO04098/winmail.dat (corrupt) >>>>Jan 22 16:26:55 smtp2 MailScanner[22132]: Virus Re-scanning: sophos >>>>found 1 >>>>infections >>>>Jan 22 16:26:55 smtp2 MailScanner[22132]: Disinfection: Rescan found >>>>only 1 viruses >>>> >>>>I checked my old logs and these messages had never appeared before I >>>>added Sophos so I'm pretty sure it is the culprit. McAfee didn't >>>>complain about those files. >>>> >>>>I'm running version 4.11-1 on RH 7.3 with the external winmail.dat >>>>extractor. >>>> >>>>The problem is annoying because the attachments were not transmitted to >>>>the users and even though MS informed them that they were quarantined in >>>>directory X, they are not there except for the RAR file. For the others, >>>>the directory is empty. >>>> >>>>Until this issue is resolved I deactivated Sophos. Anyhow the Sophos >>>>quote I received was based on the number of users my mail gateways >>>>protect and was way too expensive for us. >>>> >>>>Thanks again! >>>> >>>>Denis >>>>-- >>>>Denis Beauchemin, analyste >>>>Universit? de Sherbrooke, S.T.I. >>>>T: 819.821.8000x2252 F: 819.821.8045 >>> >>>-- >>>Julian Field >>>www.MailScanner.info >>>MailScanner thanks transtec Computers for their support >> >> >>-- >> +-----------------------------------------------------------------------+ >> Scott W. Adkins http://www.cns.ohiou.edu/~sadkins/ >> UNIX Systems Engineer mailto:adkinss@ohio.edu >> ICQ 7626282 Work (740)593-9478 Fax (740)593-1944 >> +-----------------------------------------------------------------------+ >> PGP Public Key available at http://www.cns.ohiou.edu/~sadkins/pgp/ > > >-- >+-----------------------------------------------------------------------+ > Scott W. 
Adkins http://www.cns.ohiou.edu/~sadkins/ > UNIX Systems Engineer mailto:adkinss@ohio.edu > ICQ 7626282 Work (740)593-9478 Fax (740)593-1944 >+-----------------------------------------------------------------------+ > PGP Public Key available at > http://www.cns.ohiou.edu/~sadkins/pgp/ -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From sevans at FOUNDATION.SDSU.EDU Mon Jan 27 16:54:51 2003 From: sevans at FOUNDATION.SDSU.EDU (Steve Evans) Date: Thu Jan 12 21:17:04 2006 Subject: Sophos-autoupdate error 16777215 Message-ID: <6214C3F9233D764C9E7029396C355015682937@mail.foundation.sdsu.edu> When I run Sophos-autoupdate I get the following output. Unzip failed with error return 16777215 , Bad file descriptor at ./sophos-autoupdate line 83. What's going on? Steve Evans SDSU Foundation (619) 594-0653 From mailscanner at ecs.soton.ac.uk Mon Jan 27 16:55:16 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:04 2006 Subject: Sophos-autoupdate error 16777215 In-Reply-To: <6214C3F9233D764C9E7029396C355015682937@mail.foundation.sds u.edu> Message-ID: <5.2.0.9.2.20030127165438.04ff3998@imap.ecs.soton.ac.uk> At 16:54 27/01/2003, you wrote: >When I run Sophos-autoupdate I get the following output. > >Unzip failed with error return 16777215 >, Bad file descriptor at ./sophos-autoupdate line 83. > > >What's going on? Perhaps your installed copy of Sophos has just got too old and so they aren't producing updates for it any more. Download and install the latest version from their website and try again. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From Denis.Beauchemin at USHERBROOKE.CA Mon Jan 27 16:59:56 2003 
From: Denis.Beauchemin at USHERBROOKE.CA (Denis Beauchemin)
Date: Thu Jan 12 21:17:04 2006
Subject: Sophos issues
In-Reply-To: <5.2.0.9.2.20030127162836.0501d3a8@imap.ecs.soton.ac.uk>
References: <3968438162.1043658755@Callisto> <3968438162.1043658755@Callisto> <5.2.0.9.2.20030127162836.0501d3a8@imap.ecs.soton.ac.uk>
Message-ID: <1043686796.12634.40.camel@dbeauchemin.si.usherbrooke.ca>

On Mon 27/01/2003 at 11:34, Julian Field wrote:

> How come this is only happening with Sophos? No-one else is reporting any
> problems, only the people using Sophos.

Julian, could this be a multi-scanner access issue? When I reported
this problem I was using McAfee, then Sophos to scan email:
Virus Scanners = mcafee sophos

Could the two virus scanners be doing tricks on one another? Are they
being run in parallel or back to back?

One user told me that an email with a PDF file attached reached him but
didn't make it to the mailbox of the other recipient of the same email
who got the corrupt file message. If this really happened, it is quite
strange...

Denis
--
Denis Beauchemin, analyste
Université de Sherbrooke, S.T.I.
T: 819.821.8000x2252 F: 819.821.8045

From mailscanner at ecs.soton.ac.uk Mon Jan 27 16:59:53 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:04 2006
Subject: Sophos issues
In-Reply-To: <1043686796.12634.40.camel@dbeauchemin.si.usherbrooke.ca>
References: <5.2.0.9.2.20030127162836.0501d3a8@imap.ecs.soton.ac.uk> <3968438162.1043658755@Callisto> <3968438162.1043658755@Callisto> <5.2.0.9.2.20030127162836.0501d3a8@imap.ecs.soton.ac.uk>
Message-ID: <5.2.0.9.2.20030127165850.05083808@imap.ecs.soton.ac.uk>

At 16:59 27/01/2003, you wrote:
>On Mon 27/01/2003 at 11:34, Julian Field wrote:
>
> > How come this is only happening with Sophos? No-one else is reporting any
> > problems, only the people using Sophos.
>
>Julian, could this be a multi-scanner access issue? When I reported
>this problem I was using McAfee, then Sophos to scan email:
>Virus Scanners = mcafee sophos
>
>Could the two virus scanners be doing tricks on one another? Are they
>being run in parallel or back to back?

They are run in sequence, over exactly the same files.

>One user told me that an email with a PDF file attached reached him but
>didn't make it to the mailbox of the other recipient of the same email
>who got the corrupt file message. If this really happened, it is quite
>strange...

So something screwed up the message for 1 recipient, but left it alone for
another recipient in the same domain? That's clever!

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From jaearick at COLBY.EDU Mon Jan 27 17:06:04 2003
From: jaearick at COLBY.EDU (Jeff A. Earickson)
Date: Thu Jan 12 21:17:04 2006
Subject: Sophos-autoupdate error 16777215
In-Reply-To: <5.2.0.9.2.20030127165438.04ff3998@imap.ecs.soton.ac.uk>
References: <5.2.0.9.2.20030127165438.04ff3998@imap.ecs.soton.ac.uk>
Message-ID:

Julian,
I got this message a lot this weekend, and my Sophos is up-to-date.
I think the Slammer worm just slowed down the internet enough to
cause lynx downloads to time out, and the script to fail. The script
started working again later for me, without any changes.

--- Jeff

On Mon, 27 Jan 2003, Julian Field wrote:

> Date: Mon, 27 Jan 2003 16:55:16 +0000
> From: Julian Field
> Reply-To: MailScanner mailing list
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: Sophos-autoupdate error 16777215
>
> At 16:54 27/01/2003, you wrote:
> >When I run Sophos-autoupdate I get the following output.
> >
> >Unzip failed with error return 16777215
> >, Bad file descriptor at ./sophos-autoupdate line 83.
> >
> >
> >What's going on?
>
> Perhaps your installed copy of Sophos has just got too old and so they
> aren't producing updates for it any more. Download and install the latest
> version from their website and try again.
> --
> Julian Field
> www.MailScanner.info
> MailScanner thanks transtec Computers for their support
>

From mailings at ULTIMATE-SYSTEMS.DE Mon Jan 27 17:02:10 2003
From: mailings at ULTIMATE-SYSTEMS.DE (Oliver Siegmar)
Date: Thu Jan 12 21:17:04 2006
Subject: Sophos, other AVs
Message-ID: <7261359.1043690530@[192.168.18.2]>

Hello,

I'd like to buy a sophos antivirus scanner for my server but sophos
told me that I have to buy at least ten licenses, but I only need
one :-)

Is there an avscanner that is as good as (or maybe better than) sophos?


Bye,
Oliver

--
Oliver Siegmar
www.xams.org
XAMS - The ultimate way for managing mailservers.

From Ulysees at ULYSEES.COM Mon Jan 27 17:14:00 2003
From: Ulysees at ULYSEES.COM (Ulysees)
Date: Thu Jan 12 21:17:04 2006
Subject: Sophos-autoupdate error 16777215
References: <5.2.0.9.2.20030127165438.04ff3998@imap.ecs.soton.ac.uk>
Message-ID: <000e01c2c627$f90a9640$0a010a0a@BUNGHOLIO>

Had a similar issue sunday between 7:00 & 14:30 gmt

Lynx failed with error return 1
, Bad file descriptor at /usr/local/Sophos/bin/autoupdate line 77.

Bit late in the day for Slammer but maybe the Sophos site was just
acting up.

Uly

----- Original Message -----
From: "Jeff A. Earickson"
To:
Sent: Monday, January 27, 2003 5:06 PM
Subject: Re: [MAILSCANNER] Sophos-autoupdate error 16777215

> Julian,
> I got this message a lot this weekend, and my Sophos is up-to-date.
> I think the Slammer worm just slowed down the internet enough to
> cause lynx downloads to time out, and the script to fail. The script
> started working again later for me, without any changes.
>
> --- Jeff
>
> On Mon, 27 Jan 2003, Julian Field wrote:
>
> > Date: Mon, 27 Jan 2003 16:55:16 +0000
> > From: Julian Field
> > Reply-To: MailScanner mailing list
> > To: MAILSCANNER@JISCMAIL.AC.UK
> > Subject: Re: Sophos-autoupdate error 16777215
> >
> > At 16:54 27/01/2003, you wrote:
> > >When I run Sophos-autoupdate I get the following output.
> > >
> > >Unzip failed with error return 16777215
> > >, Bad file descriptor at ./sophos-autoupdate line 83.
> > >
> > >
> > >What's going on?
> >
> > Perhaps your installed copy of Sophos has just got too old and so they
> > aren't producing updates for it any more. Download and install the latest
> > version from their website and try again.
> > --
> > Julian Field
> > www.MailScanner.info
> > MailScanner thanks transtec Computers for their support
> >
>

From paul.hamilton at sme-ecom.co.uk Mon Jan 27 17:25:58 2003
From: paul.hamilton at sme-ecom.co.uk (Paul Hamilton)
Date: Thu Jan 12 21:17:04 2006
Subject: Sophos Issues
Message-ID: <000001c2c629$28db1380$fc32000a@4>

If it is of any help we also have experienced a problem with one particular
user, who has corruptions on PDF's. We were sent two test messages from
them of which one corrupted and the other didn't.

To our knowledge the one that corrupted had originally been sent to them by
email, through our MS, they could open it without corruption but as soon as
it was forwarded on to us and one other the corruption occurred. The one
that didn't corrupt had not originally been sent to them by email through
our MS.

We run three scanners in conjunction with MS of which one is Sophos.

I have both copies if of use.

Paul H.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030127/ea34d776/attachment.html

From mike at ZANKER.ORG Mon Jan 27 17:28:43 2003
From: mike at ZANKER.ORG (Mike Zanker)
Date: Thu Jan 12 21:17:04 2006
Subject: Sophos-autoupdate error 16777215
In-Reply-To: <000e01c2c627$f90a9640$0a010a0a@BUNGHOLIO>
References: <5.2.0.9.2.20030127165438.04ff3998@imap.ecs.soton.ac.uk> <000e01c2c627$f90a9640$0a010a0a@BUNGHOLIO>
Message-ID: <339099078.1043688523@jemima.zanker.org>

On 27 January 2003 17:14 +0000 Ulysees wrote:

> Had a similar issue sunday between 7:00 & 14:30 gmt
>
> Lynx failed with error return 1
> , Bad file descriptor at /usr/local/Sophos/bin/autoupdate line 77.
>
> Bit late in the day for Slammer but maybe the Sophos site was just
> acting up.

Yes, their site was down until mid-afternoon GMT.

Mike.

From mailscanner at ecs.soton.ac.uk Mon Jan 27 18:09:13 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:04 2006
Subject: Sophos, other AVs
In-Reply-To: <7261359.1043690530@[192.168.18.2]>
Message-ID: <5.2.0.9.2.20030127180904.05124008@imap.ecs.soton.ac.uk>

F-Prot is pretty good, and very cheap.

At 17:02 27/01/2003, you wrote:
>Hello,
>
>I'd like to buy a sophos antivirus scanner for my server but sophos
>told me that I have to buy at least ten licenses, but I only need
>one :-)
>
>Is there an avscanner that is as good as (or maybe better than) sophos?
>
>
>Bye,
>Oliver
>
>--
>Oliver Siegmar
>www.xams.org
>XAMS - The ultimate way for managing mailservers.

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From mailings at ULTIMATE-SYSTEMS.DE Mon Jan 27 18:30:56 2003
From: mailings at ULTIMATE-SYSTEMS.DE (Oliver Siegmar)
Date: Thu Jan 12 21:17:04 2006
Subject: Sophos, other AVs
In-Reply-To: <5.2.0.9.2.20030127180904.05124008@imap.ecs.soton.ac.uk>
References: <5.2.0.9.2.20030127180904.05124008@imap.ecs.soton.ac.uk>
Message-ID: <12586656.1043695856@[192.168.18.2]>

--On Monday, 27 January 2003 18:09 +0000 Julian Field wrote:

> F-Prot is pretty good, and very cheap.

I used am*v*s with kaspersky before. But am*v*s is crappy and
kav seems to have a very stupid api but the price is just a
quarter of f-prot. Are there any chances for a good kav support
in mailscanner? Or would you totally discourage from kav?

--
Oliver Siegmar
www.xams.org
XAMS - The ultimate way for managing mailservers.

From adkinss at OHIO.EDU Mon Jan 27 17:59:58 2003
From: adkinss at OHIO.EDU (Scott Adkins)
Date: Thu Jan 12 21:17:04 2006
Subject: Sophos issues
In-Reply-To: <5.2.0.9.2.20030127162836.0501d3a8@imap.ecs.soton.ac.uk>
References: <5.2.0.9.2.20030127162836.0501d3a8@imap.ecs.soton.ac.uk>
Message-ID: <3982080358.1043672398@Callisto>

--On Monday, January 27, 2003 4:34 PM +0000 Julian Field wrote:

>> The files are already
>> "corrupt" by the time that Sophos sees it (basically, it can't see both
>> the start of the file and the end of the file, is what I was told). I
>> asked about the RAR archives, and she said that Sophos currently can't
>> scan RAR version 3 archives, but that will be available in the next
>> release. She suggested that I quarantine messages and release the files
>> that get labeled corrupted, or in the case of the RAR files, maybe put
>> the file extension on a whitelist, basically.
>
> When it finds a file is corrupt, MailScanner removes it, right?

Actually no... It looks like the attachments come through okay, though,
the files are indeed corrupted. I am still trying to get the original
files from the authors to see if they started that way or not... So, I
can't know for sure what happens, but the attachment doesn't appear to be
removed, just a warning message inserted into the body of the message
indicating that the file is corrupted.

> Is it happening often enough that you could archive all mail for a little
> while until it happens? If so, we can actually get a test case together
> to prove exactly what is happening to the message. Until I can get my
> hands on a test case, it is very difficult to work out what is happening.

I don't think so... We get several hundred emails going through our
system a minute... We have enough problems trying to stay afloat with
CPU load and (especially) disk I/O. When we turned on quarantining for
about a 10 hour time period, we had about 1.5GB of disk space consumed...
so, it makes me a bit afraid to do anything on our production server like
that :-)

> Are they suggesting that the file put into the quarantine is actually
> okay, but the file being scanned is not? That would be a neat trick...

That is a good point... My concern was with regards of a message coming
in that was fine and somehow MailScanner or Sophos was corrupting the
message and that was what got put into the attachment... but that seems
a bit less likely at this point, and I feel like the file is starting out
corrupt.

If I had to guess right now, Sophos is expecting documents to be exactly
compliant with those document standard formats (i.e. DOC files must follow
Microsoft Word Document format, PDF files follow Adobe PDF file formats
etc). There doesn't appear to be much room in the way of flexibility. I
have seen other programs, like Star Office, write their documents that are
mostly compliant, but not quite, and maybe those would be flagged by Sophos
as being corrupted. Anyways, those are guesses.

>> What would be really helpful, at this point, is a way for me to set an
>> option to allow corrupted files to pass through MailScanner without being
>> flagged as viruses and without being touched. The same goes for scanning
>> of external MIME attachments (which is another thread). There should be
>> an option to not flag those as viruses and to allow the messages to pass
>> through untouched. Both of these issues are generated support calls for
>> us right now.
>
> The "external bodies" switch will be in the next version. I'll have to
> take a look at how easy it would be to add a switch for the other bit.

Great! I will let the users know about this (the external bodies thing).

> How come this is only happening with Sophos? No-one else is reporting any
> problems, only the people using Sophos.

That is a good point... If I knew our system could support another virus
scanner, such as ClamV or something like that, I would put it on....
as is, we are now running without spam checking just so we can get some
benefit of MailScanner doing virus checking on messages... when we start
to fall behind in the mail queues, even that gets turned off. On average,
we get several hundred messages a minute. When we get spammed (usually by
our own university departments), we get way more than that :)

Scott
--
+-----------------------------------------------------------------------+
 Scott W. Adkins http://www.cns.ohiou.edu/~sadkins/
 UNIX Systems Engineer mailto:adkinss@ohio.edu
 ICQ 7626282 Work (740)593-9478 Fax (740)593-1944
+-----------------------------------------------------------------------+
 PGP Public Key available at http://www.cns.ohiou.edu/~sadkins/pgp/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 231 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030127/adae3551/attachment.bin

From sevans at FOUNDATION.SDSU.EDU Mon Jan 27 18:36:15 2003
From: sevans at FOUNDATION.SDSU.EDU (Steve Evans)
Date: Thu Jan 12 21:17:04 2006
Subject: Sophos-autoupdate error 16777215
Message-ID: <6214C3F9233D764C9E7029396C35501568293B@mail.foundation.sdsu.edu>

I installed it from the January CD. Also I've been having problems all
day so it appears that it is not a problem contacting the sophos site.

Steve Evans
SDSU Foundation
(619) 594-0653

-----Original Message-----
From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK]
Sent: Monday, January 27, 2003 8:55 AM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Sophos-autoupdate error 16777215

At 16:54 27/01/2003, you wrote:
>When I run Sophos-autoupdate I get the following output.
>
>Unzip failed with error return 16777215
>, Bad file descriptor at ./sophos-autoupdate line 83.
>
>
>What's going on?

Perhaps your installed copy of Sophos has just got too old and so they
aren't producing updates for it any more. Download and install the latest
version from their website and try again.

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From nerijus at USERS.SOURCEFORGE.NET Mon Jan 27 18:45:35 2003
From: nerijus at USERS.SOURCEFORGE.NET (Nerijus Baliunas)
Date: Thu Jan 12 21:17:04 2006
Subject: Sophos, other AVs
In-Reply-To: <12586656.1043695856@[192.168.18.2]>
References: <5.2.0.9.2.20030127180904.05124008@imap.ecs.soton.ac.uk> <12586656.1043695856@[192.168.18.2]>
Message-ID: <200301271845.h0RIjW0I003340@mx.ktv.lt>

On Mon, 27 Jan 2003 19:30:56 +0100 Oliver Siegmar wrote:

> I used am*v*s with kaspersky before. But am*v*s is crappy and
> kav seems to have a very stupid api but the price is just a
> quarter of f-prot. Are there any chances for a good kav support
> in mailscanner? Or would you totally discourage from kav?

It works quite normally, what's the problem? Even kavdaemon
should work in next MS version.

Regards,
Nerijus

From support at INVICTANET.CO.UK Mon Jan 27 18:47:16 2003
From: support at INVICTANET.CO.UK (InvictaNet Customer Support)
Date: Thu Jan 12 21:17:04 2006
Subject: Sophos-autoupdate error 16777215
In-Reply-To: <339099078.1043688523@jemima.zanker.org>
Message-ID:

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On
Behalf Of Mike Zanker
Sent: 27 January 2003 17:29
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Sophos-autoupdate error 16777215

On 27 January 2003 17:14 +0000 Ulysees wrote:

> Had a similar issue sunday between 7:00 & 14:30 gmt
>
> Lynx failed with error return 1
> , Bad file descriptor at /usr/local/Sophos/bin/autoupdate line 77.
>
> Bit late in the day for Slammer but maybe the Sophos site was just
> acting up.

Yes, their site was down until mid-afternoon GMT.

Mike.

Perhaps it runs on MS SQL????????

Martyn Routley
-----------------------------------------------------------------
InvictaNet - The Internet in Plain English, Guaranteed
http://www.invictanet.co.uk
martyn@support.invictanet.co.uk
phone: 08707 440180
fax: 08707 440181
Ask us about our online Antivirus and Junk mail scanning service
-----------------------------------------------------------------

From mailings at ULTIMATE-SYSTEMS.DE Mon Jan 27 18:56:08 2003
From: mailings at ULTIMATE-SYSTEMS.DE (Oliver Siegmar)
Date: Thu Jan 12 21:17:04 2006
Subject: Sophos, other AVs
In-Reply-To: <200301271845.h0RIjW0I003340@mx.ktv.lt>
References: <5.2.0.9.2.20030127180904.05124008@imap.ecs.soton.ac.uk> <12586656.1043695856@[192.168.18.2]> <200301271845.h0RIjW0I003340@mx.ktv.lt>
Message-ID: <14099125.1043697368@[192.168.18.2]>

--On Monday, 27 January 2003 20:45 +0200 Nerijus Baliunas wrote:

>> I used am*v*s with kaspersky before. But am*v*s is crappy and
>> kav seems to have a very stupid api but the price is just a
>> quarter of f-prot. Are there any chances for a good kav support
>> in mailscanner? Or would you totally discourage from kav?
>
> It works quite normally, what's the problem? Even kavdaemon
> should work in next MS version.

Oh, I didn't say that there is a problem. I just don't like
kaspersky's api to the kavdaemon. What's up with performance when
I just use the scanner? But I guess the API (the overhead) takes
more time than just launching the scanner (which is cached by the OS).

But why is kav-support in beta if it 'works quite normally'? :-)

From ryan at MARINOCRANE.COM Mon Jan 27 18:58:03 2003
From: ryan at MARINOCRANE.COM (Ryan Pitt)
Date: Thu Jan 12 21:17:04 2006
Subject: Syntax for Mail Archive and Monitoring Ruleset
Message-ID: <3E35813B.90805@marinocrane.com>

I have been searching around trying to find out what the syntax is for
the ruleset that allows me to get a copy of incoming and/or outgoing
emails from specific email addresses. The feature is called "Mail
archiving and monitoring".
I gather that this file can be called 'anything' as long as it is
specified in MailScanner.conf
Please could someone let me know how the entries are to be made in this
file.

Thank you
Ryan Pitt

From nerijus at USERS.SOURCEFORGE.NET Mon Jan 27 19:12:38 2003
From: nerijus at USERS.SOURCEFORGE.NET (Nerijus Baliunas)
Date: Thu Jan 12 21:17:04 2006
Subject: Sophos, other AVs
In-Reply-To: <14099125.1043697368@[192.168.18.2]>
References: <5.2.0.9.2.20030127180904.05124008@imap.ecs.soton.ac.uk> <12586656.1043695856@[192.168.18.2]> <200301271845.h0RIjW0I003340@mx.ktv.lt> <14099125.1043697368@[192.168.18.2]>
Message-ID: <200301271912.h0RJCi0I013500@mx.ktv.lt>

On Mon, 27 Jan 2003 19:56:08 +0100 Oliver Siegmar wrote:

> >> I used am*v*s with kaspersky before. But am*v*s is crappy and
> >> kav seems to have a very stupid api but the price is just a
> >> quarter of f-prot. Are there any chances for a good kav support
> >> in mailscanner? Or would you totally discourage from kav?
> >
> > It works quite normally, what's the problem? Even kavdaemon
> > should work in next MS version.
>
> Oh, I didn't say that there is a problem. I just don't like
> kaspersky's api to the kavdaemon. What's up with performance when

Why don't you like it?

> I just use the scanner? But I guess the API (the overhead) takes
> more time than just launching the scanner (which is cached by the OS).

On a not very loaded server kavdaemon client is faster than kavscanner.
Fast example:

kavscanner:
real 0m3.349s
user 0m2.600s
sys 0m0.109s

kavdaemonclient:
real 0m0.666s
user 0m0.018s
sys 0m0.008s

> But why is kav-support in beta if it 'works quite normally'? :-)

It is less tested than others.

Regards,
Nerijus

From mailings at ULTIMATE-SYSTEMS.DE Mon Jan 27 19:16:48 2003
From: mailings at ULTIMATE-SYSTEMS.DE (Oliver Siegmar)
Date: Thu Jan 12 21:17:04 2006
Subject: Sophos, other AVs
In-Reply-To: <200301271912.h0RJCi0I013500@mx.ktv.lt>
References: <5.2.0.9.2.20030127180904.05124008@imap.ecs.soton.ac.uk> <12586656.1043695856@[192.168.18.2]> <200301271845.h0RIjW0I003340@mx.ktv.lt> <14099125.1043697368@[192.168.18.2]> <200301271912.h0RJCi0I013500@mx.ktv.lt>
Message-ID: <15338625.1043698608@[192.168.18.2]>

--On Monday, 27 January 2003 21:12 +0200 Nerijus Baliunas wrote:

>> > It works quite normally, what's the problem? Even kavdaemon
>> > should work in next MS version.
>>
>> Oh, I didn't say that there is a problem. I just don't like
>> kaspersky's api to the kavdaemon. What's up with performance when
>
> Why don't you like it?

Had some trouble (e.g. segfaults) with it several months ago.
But you're right...I'll test it again.

From nerijus at USERS.SOURCEFORGE.NET Mon Jan 27 19:28:26 2003
From: nerijus at USERS.SOURCEFORGE.NET (Nerijus Baliunas)
Date: Thu Jan 12 21:17:04 2006
Subject: Sophos, other AVs
In-Reply-To: <15338625.1043698608@[192.168.18.2]>
References: <5.2.0.9.2.20030127180904.05124008@imap.ecs.soton.ac.uk> <12586656.1043695856@[192.168.18.2]> <200301271845.h0RIjW0I003340@mx.ktv.lt> <14099125.1043697368@[192.168.18.2]> <200301271912.h0RJCi0I013500@mx.ktv.lt> <15338625.1043698608@[192.168.18.2]>
Message-ID: <200301271929.h0RJTm0I014367@mx.ktv.lt>

On Mon, 27 Jan 2003 20:16:48 +0100 Oliver Siegmar wrote:

> >> > It works quite normally, what's the problem? Even kavdaemon
> >> > should work in next MS version.
> >>
> >> Oh, I didn't say that there is a problem. I just don't like
> >> kaspersky's api to the kavdaemon. What's up with performance when
> >
> > Why don't you like it?
>
> Had some trouble (e.g. segfaults) with it several months ago.
> But you're right...I'll test it again.

Yes, C++ sample /opt/AVP/DaemonClients/Sample2/AvpTeamDream segfaults
on RH 6.2 IIRC, but works on RH 8. But
/opt/AVP/DaemonClients/Sample/AvpDaemonClient works on both.

Regards,
Nerijus

From mailscanner at ecs.soton.ac.uk Mon Jan 27 20:05:53 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:04 2006
Subject: Syntax for Mail Archive and Monitoring Ruleset
In-Reply-To: <3E35813B.90805@marinocrane.com>
Message-ID: <5.2.0.9.2.20030127200345.02b38538@imap.ecs.soton.ac.uk>

At 18:58 27/01/2003, you wrote:
>I have been searching around trying to find out what the syntax is for
>the ruleset that allows me to get a copy of incoming and/or outgoing
>emails from specific email addresses. The feature is called "Mail
>archiving and monitoring".
>I gather that this file can be called 'anything' as long as it is
>specified in MailScanner.conf
>Please could someone let me know how the entries are to be made in this
>file.

From: user1@domain1.com /archive/domain1/user1
To: *@domain2.com /archive/domain2 user2@domain3.com user4@domain5.com
FromAndTo: *@domain6.com /archive/domain6/internalmail postmaster@domain7.com

Basically the value of each rule should be a list of directories and/or
email addresses.

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Mon Jan 27 20:00:50 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:04 2006
Subject: Sophos, other AVs
In-Reply-To: <14099125.1043697368@[192.168.18.2]>
References: <200301271845.h0RIjW0I003340@mx.ktv.lt> <5.2.0.9.2.20030127180904.05124008@imap.ecs.soton.ac.uk> <12586656.1043695856@[192.168.18.2]> <200301271845.h0RIjW0I003340@mx.ktv.lt>
Message-ID: <5.2.0.9.2.20030127195957.02752de0@imap.ecs.soton.ac.uk>

At 18:56 27/01/2003, you wrote:
>But why is kav-support in beta if it 'works quite normally'? :-)

I will probably push the support up to "supported" for the next release.
No-one seems to have reported any problems with it for a long time now.

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From joelc at CTCHOUSTON.COM Mon Jan 27 20:17:17 2003
From: joelc at CTCHOUSTON.COM (Joel Colvin)
Date: Thu Jan 12 21:17:05 2006
Subject: Mailscanner cron install files
In-Reply-To: <5.2.0.9.2.20030127195957.02752de0@imap.ecs.soton.ac.uk>
Message-ID: <003901c2c641$1e2350c0$9504140a@hewlett9por0s0>

Julian,

During install of MailScanner it installs a few files in the cron.daily
and cron.hourly directories. My vote would be to not install these
files but offer them as needed files similar to the way you end with a
message about activating the MailScanner service. I would prefer to be
able to install but not activate and during my last install on a new
server the cron files kicked off before I was ready with the rest of the
setup.

Joel

From nerijus at USERS.SOURCEFORGE.NET Mon Jan 27 20:45:56 2003
From: nerijus at USERS.SOURCEFORGE.NET (Nerijus Baliunas)
Date: Thu Jan 12 21:17:05 2006
Subject: Mailscanner cron install files
In-Reply-To: <003901c2c641$1e2350c0$9504140a@hewlett9por0s0>
References: <003901c2c641$1e2350c0$9504140a@hewlett9por0s0>
Message-ID: <200301272045.h0RKjs0I021149@mx.ktv.lt>

On Mon, 27 Jan 2003 14:17:17 -0600 Joel Colvin wrote:

> During install of MailScanner it installs a few files in the cron.daily
> and cron.hourly directories. My vote would be to not install these
> files but offer them as needed files similar to the way you end with a
> message about activating the MailScanner service. I would prefer to be
> able to install but not activate and during my last install on a new
> server the cron files kicked off before I was ready with the rest of the
> setup.

Hmm, /etc/cron.daily/clean.quarantine is disabled by default,
/etc/cron.hourly/update_virus_scanners just updates virus scanners.
check_MailScanner tries to run MailScanner, that's the problem?
It would be better to solve it somehow, but I'd still like these files
to be installed like they are now.

Regards,
Nerijus

From joelc at CTCHOUSTON.COM Mon Jan 27 20:54:49 2003
From: joelc at CTCHOUSTON.COM (Joel Colvin)
Date: Thu Jan 12 21:17:05 2006
Subject: Mailscanner cron install files
In-Reply-To: <200301272045.h0RKjs0I021149@mx.ktv.lt>
Message-ID: <003a01c2c646$58b25dd0$9504140a@hewlett9por0s0>

It was the check_MailScanner that got me. I know to check these now I'm
just stating my preference. It's not a big deal but I prefer to manually
install cron files since it runs everything as root.

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On
Behalf Of Nerijus Baliunas
Sent: Monday, January 27, 2003 2:46 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Mailscanner cron install files

On Mon, 27 Jan 2003 14:17:17 -0600 Joel Colvin wrote:

> During install of MailScanner it installs a few files in the cron.daily
> and cron.hourly directories. My vote would be to not install these
> files but offer them as needed files similar to the way you end with a
> message about activating the MailScanner service. I would prefer to be
> able to install but not activate and during my last install on a new
> server the cron files kicked off before I was ready with the rest of the
> setup.

Hmm, /etc/cron.daily/clean.quarantine is disabled by default,
/etc/cron.hourly/update_virus_scanners just updates virus scanners.
check_MailScanner tries to run MailScanner, that's the problem?
It would be better to solve it somehow, but I'd still like these files
to be installed like they are now.

Regards,
Nerijus

From paul.hamilton at sme-ecom.co.uk Mon Jan 27 21:01:34 2003
From: paul.hamilton at sme-ecom.co.uk (Paul Hamilton)
Date: Thu Jan 12 21:17:05 2006
Subject: JBDGMGR (Teddybear) Hoax
Message-ID: <000001c2c647$470b5d60$fc32000a@4>

Hi all,

We have seen as reported a resurgence in this nuisance hoax email.
In its most innocent guise, it's still catching some of our unsuspecting
users.

We know this is a bit off track but is anyone willing to share any sendmail
tricks (if there are any) that can block these emails.

If we remember rightly there was a 'Greetings' Hoax as well, if anybody has
anything on that as well it would be gratefully received.

Thanks in advance

Paul H.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030127/7e2258c0/attachment.html

From sean at NISD.NET Mon Jan 27 21:38:02 2003
From: sean at NISD.NET (Sean Embry)
Date: Thu Jan 12 21:17:05 2006
Subject: Differing locations for virus and spam
Message-ID:

I'm looking into how to change where in the file system mail gets dropped
depending on why it was snagged in the first place.

EG:
I want spam to go to ~/Spam/20030127/
and I want viruses to go to ~/quarantine/20030127/
and disallowed attachment files to go to ~/attachments/20030127/

Using MS 4.01-8 (And yes, I am planning an upgrade soon).

Where should I be looking?

Thanks!

From Kevin.Spicer at BMRB.CO.UK Mon Jan 27 21:39:29 2003
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin)
Date: Thu Jan 12 21:17:05 2006
Subject: JBDGMGR (Teddybear) Hoax
Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0A4AD0D@pascal.priv.bmrb.co.uk>

>We have seen as reported a resurgence in this nuisance hoax email.
>In its most innocent guise, it's still catching some of our unsuspecting
>users.

Same here, loads of them today!

>We know this is a bit off track but is anyone willing to share any sendmail
>tricks (if there are any) that can block these emails.

Spam Assassin seems to catch them, perhaps by tweaking the scores you could
give them a very high score and then set MS to delete high scoring spam
(setting the threshold high). My guess is that catching them with sendmail
would be tricky since they are sent by real users all the headers and even
the subject can change randomly.

Now if some perl guru could write a bit of code for MailScanner that picked
up the hoax rules from the scoring information mailscanner returned and let
us insert '{HOAX?}' rather than '{SPAM?}' for those emails that would be
special.... not the easiest though. [just thinking aloud]

>If we remember rightly there was a 'Greetings' Hoax as well, if anybody has
>anything on that as well it would be gratefully received.

The spam.assassin.prefs.conf distributed with mailscanner has SA rules for
that. Although they seem to have stopped since the website was removed.

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000
_________________________________________________________________
This message (and any attachment) is intended only for the
recipient and may contain confidential and/or privileged
material. If you have received this in error, please contact the
sender and delete this message immediately. Disclosure, copying
or other action taken in respect of this email or in
reliance on it is prohibited. BMRB International Limited
accepts no liability in relation to any personal emails, or
content of any email which does not directly relate to our
business.

From ryan at MARINOCRANE.COM Mon Jan 27 20:38:43 2003
From: ryan at MARINOCRANE.COM (Ryan Pitt)
Date: Thu Jan 12 21:17:05 2006
Subject: Syntax for Mail Archive and Monitoring Ruleset
References: <5.2.0.9.2.20030127200345.02b38538@imap.ecs.soton.ac.uk>
Message-ID: <3E3598D3.8010707@marinocrane.com>

An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030127/b4cd096c/attachment.html

From mailscanner at ecs.soton.ac.uk Mon Jan 27 21:53:31 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:05 2006
Subject: Syntax for Mail Archive and Monitoring Ruleset
In-Reply-To: <3E3598D3.8010707@marinocrane.com>
References: <5.2.0.9.2.20030127200345.02b38538@imap.ecs.soton.ac.uk>
Message-ID: <5.2.0.9.2.20030127215312.025e3ab0@imap.ecs.soton.ac.uk>

At 20:38 27/01/2003, you wrote:
>Thank you, that makes sense.
>I am having a tough time getting MailScanner.conf to accept the path to a
>file called archive.ruleset which I placed in /etc/MailScanner/rules
>When I add the entry:
>Archive Mail = /etc/MailScanner/rules/archive.ruleset
>to MailScanner.conf and restart mailscanner, the following error appears:
>Can't continue processing configuration file until these errors have been
>corrected. at /usr/lib/MailScanner/MailScanner/Config.pm line 693
>Any ideas?

Make it end in .rules

>Thanks again.
>Ryan Pitt
>
>
>Julian Field wrote:
>>At 18:58 27/01/2003, you wrote:
>>>I have been searching around trying to find out what the syntax is for
>>>the ruleset that allows me to get a copy of incoming and/or outgoing
>>>emails from specific email addresses. The feature is called "Mail
>>>archiving and monitoring".
>>>I gather that this file can be called 'anything' as long as it is
>>>specified in MailScanner.conf
>>>Please could someone let me know how the entries are to be made in this
>>>file.
>>
>>From: user1@domain1.com
>>/archive/domain1/user1
>>To: *@domain2.com /archive/domain2
>>user2@domain3.com
>>user4@domain5.com
>>FromAndTo: *@domain6.com /archive/domain6/internalmail
>>postmaster@domain7.com
>>
>>Basically the value of each rule should be a list of directories and/or
>>email addresses.
>>--
>>Julian Field
>>www.MailScanner.info
>>MailScanner thanks transtec Computers for their support

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From james at PCXPERIENCE.COM Tue Jan 28 00:06:41 2003
From: james at PCXPERIENCE.COM (James A. Pattie)
Date: Thu Jan 12 21:17:05 2006
Subject: Mailscanner cron install files
In-Reply-To: <200301272045.h0RKjs0I021149@mx.ktv.lt>
References: <003901c2c641$1e2350c0$9504140a@hewlett9por0s0> <200301272045.h0RKjs0I021149@mx.ktv.lt>
Message-ID: <3E35C991.80108@pcxperience.com>

Nerijus Baliunas wrote:
> On Mon, 27 Jan 2003 14:17:17 -0600 Joel Colvin wrote:
>
>
>>During install of MailScanner it installs a few files in the cron.daily
>>and cron.hourly directories. My vote would be to not install these
>>files but offer them as needed files similar to the way you end with a
>>message about activating the MailScanner service. I would prefer to be
>>able to install but not activate and during my last install on a new
>>server the cron files kicked off before I was ready with the rest of the
>>setup.
>
>
> Hmm, /etc/cron.daily/clean.quarantine is disabled by default,
> /etc/cron.hourly/update_virus_scanners just updates virus scanners.
> check_MailScanner tries to run MailScanner, that's the problem?
> It would be better to solve it somehow, but I'd still like these files
> to be installed like they are now.
>
> Regards,
> Nerijus
>

What if they were installed into /usr/lib/MailScanner/cron/{hourly,daily} and then you just make a symlink from them into /etc/cron.{hourly,daily} when you are ready to have them start up. This way they are always installed but it is up to the user to make sure they are used. We could provide a script that does the symlinking and tell the user to run it after they are done configuring their upgraded MailScanner install.

--
James A. Pattie
james@pcxperience.com
Linux -- SysAdmin / Programmer
Xperience, Inc.
http://www.pcxperience.com/
http://www.xperienceinc.com/
GPG Key Available at http://www.pcxperience.com/gpgkeys/james.html

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

From glynn at makati.techsquare.com Tue Jan 28 03:35:09 2003
From: glynn at makati.techsquare.com (Glynn S. Condez)
Date: Thu Jan 12 21:17:05 2006
Subject: Sophos eval version on production mailserver
Message-ID: <01d901c2c67e$42a9abf0$8201a8c0@proaccessph.com>

Hi All,

I'd like to know if it's ok if I use eval version of sophos on my production mailserver?

TIA

--- Glenn ---

From chris at HARVESTROAD.COM Tue Jan 28 08:47:44 2003
From: chris at HARVESTROAD.COM (Chris Waltham)
Date: Thu Jan 12 21:17:05 2006
Subject: How to *not* scan outgoing messages?
Message-ID: <5.2.0.9.2.20030128164010.039b8008@spinach.harvestroad.com>

Hi folks,

Reading the MailScanner FAQ, I notice Julian talking about scanning email leaving one's site (question 7, "There seem to be long delays". My question is, can I disable scanning (for spam and virii) of messages that are leaving our site?

I couldn't find anything in mailscanner.conf that strictly forbids scanning in either direction (i.e. incoming or outgoing), so if y'all could help me out that would be great!

Thanks,
Chris

--
Chris Waltham
Systems Administrator
HarvestRoad, Limited.
chris@harvestroad.com
phone: (08) 9338-3000

From Kevin.Spicer at BMRB.CO.UK Tue Jan 28 09:00:43 2003
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin)
Date: Thu Jan 12 21:17:05 2006
Subject: How to *not* scan outgoing messages?
Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0A4AD0E@pascal.priv.bmrb.co.uk>

>
> Reading the MailScanner FAQ, I notice Julian talking about scanning email
> leaving one's site (question 7, "There seem to be long delays". My question
> is, can I disable scanning (for spam and virii) of messages that are
> leaving our site?
>
> I couldn't find anything in mailscanner.conf that strictly forbids scanning
> in either direction (i.e. incoming or outgoing), so if y'all could help me
> out that would be great!

Try...

Virus Scanning = /etc/MailScanner/rules/virusscan.rules

in MailScanner.conf, then create /etc/MailScanner/rules/virusscan.rules with the following entries

From: default yes
From: *@yourdomain.tld no

(You can add multiple domains as extra lines)

OR.....

From: default yes
From: xxx.xxx.xxx.xxx no

Where xxx.xxx.xxx.xxx is the IP of an internal machine sending mail out through the mailscanner (IMHO this is better because you risk letting in mail with a spoofed sender in the first option)

OR.....

To: *@yourdomain.tld yes
To: default no

Which you choose largely depends on your site's setup and which is best for you - take your pick (see the README and EXAMPLES files in /etc/MailScanner/rules for more info)

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000

From mailscanner at ecs.soton.ac.uk Tue Jan 28 09:02:14 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:05 2006
Subject: How to *not* scan outgoing messages?
In-Reply-To: <5.2.0.9.2.20030128164010.039b8008@spinach.harvestroad.com>
Message-ID: <5.2.0.9.2.20030128090058.04748f10@imap.ecs.soton.ac.uk>

At 08:47 28/01/2003, you wrote:
>Hi folks,
>
>Reading the MailScanner FAQ, I notice Julian talking about scanning email
>leaving one's site (question 7, "There seem to be long delays". My question
>is, can I disable scanning (for spam and virii) of messages that are
>leaving our site?
>
>I couldn't find anything in mailscanner.conf that strictly forbids scanning
>in either direction (i.e. incoming or outgoing), so if y'all could help me
>out that would be great!

If your site is called "domain.com" then you can have

Virus Scanning = /etc/MailScanner/rules/virus.scanning.rules

and then in that file put

To: domain.com yes
FromOrTo: default no

Then any mail to your domain will be scanned, but that's all.

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Tue Jan 28 09:04:52 2003
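The four rulesets proposed in the "How to *not* scan outgoing messages?" thread, evaluated against four constructed messages to show which ones end up scanned. This is an added example, not MailScanner's own code: it assumes the first matching rule wins with `default` as the fallback, treats a bare domain as `*@domain`, writes the site domain as yourdomain.tld throughout, and uses 192.0.2.25 as a made-up stand-in for the internal relay IP.

```python
import fnmatch
import ipaddress
from collections import namedtuple

Message = namedtuple("Message", "sender recipient client_ip")
Rule = namedtuple("Rule", "direction pattern value")

# Rulesets from the thread. "yourdomain.tld" is the site's domain in all of
# them (one post wrote it as "domain.com"); 192.0.2.25 is a constructed
# stand-in for the "xxx.xxx.xxx.xxx" internal relay.
RULESETS = {
    "from-domain exempt": "From: default yes\nFrom: *@yourdomain.tld no",
    "from-ip exempt": "From: default yes\nFrom: 192.0.2.25 no",
    "to-domain only": "To: *@yourdomain.tld yes\nTo: default no",
    "to-domain, FromOrTo default": "To: yourdomain.tld yes\nFromOrTo: default no",
}

# Constructed traffic: (envelope sender, recipient, connecting IP).
MESSAGES = {
    "inbound": Message("alice@elsewhere.example", "bob@yourdomain.tld", "198.51.100.7"),
    "outbound": Message("bob@yourdomain.tld", "alice@elsewhere.example", "192.0.2.25"),
    "spoofed inbound": Message("ceo@yourdomain.tld", "bob@yourdomain.tld", "198.51.100.7"),
    "internal": Message("bob@yourdomain.tld", "carol@yourdomain.tld", "192.0.2.25"),
}


def parse_ruleset(text):
    """Parse 'Direction: pattern value' lines, skipping blanks and # comments."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        direction, pattern, value = line.split(None, 2)
        rules.append(Rule(direction.rstrip(":").lower(), pattern.lower(), value.lower()))
    return rules


def as_ip(text):
    """Return an ipaddress object, or None if the text is not an IP literal."""
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def side_matches(pattern, address, client_ip=None):
    """Match one side of a message; IP patterns only apply to the sending host."""
    ip = as_ip(pattern)
    if ip is not None:
        return client_ip is not None and ip == as_ip(client_ip)
    if "@" not in pattern:  # assumption: bare domain means *@domain
        pattern = "*@" + pattern
    return fnmatch.fnmatchcase(address.lower(), pattern)


def rule_matches(rule, msg):
    frm = side_matches(rule.pattern, msg.sender, msg.client_ip)
    to = side_matches(rule.pattern, msg.recipient)
    return {"from": frm, "to": to, "fromorto": frm or to, "fromandto": frm and to}[rule.direction]


def decide(rules, msg, fallback="yes"):
    """Assumed semantics: first matching rule wins; 'default' applies if none match."""
    default = fallback
    for rule in rules:
        if rule.pattern == "default":
            default = rule.value
        elif rule_matches(rule, msg):
            return rule.value
    return default


def scan_matrix():
    """Return {ruleset name: {message label: 'yes' or 'no'}} for every combination."""
    matrix = {}
    for name, text in RULESETS.items():
        rules = parse_ruleset(text)
        matrix[name] = {label: decide(rules, msg) for label, msg in MESSAGES.items()}
    return matrix


if __name__ == "__main__":
    for name, row in scan_matrix().items():
        print(f"{name:30}", "  ".join(f"{label}={verdict}" for label, verdict in row.items()))
```

Under these assumptions the sender-address exemption leaves the spoofed inbound message unscanned, while the IP-based and To:-based rulesets scan it. Only the To:-based rulesets also scan internal mail.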
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:05 2006
Subject: How to *not* scan outgoing messages?
In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB0A4AD0E@pascal.priv.bmrb.co.uk>
Message-ID: <5.2.0.9.2.20030128090355.04741d00@imap.ecs.soton.ac.uk>

At 09:00 28/01/2003, you wrote:
> >
> > Reading the MailScanner FAQ, I notice Julian talking about scanning email
> > leaving one's site (question 7, "There seem to be long delays". My question
> > is, can I disable scanning (for spam and virii) of messages that are
> > leaving our site?
> >
> > I couldn't find anything in mailscanner.conf that strictly forbids scanning
> > in either direction (i.e. incoming or outgoing), so if y'all could help me
> > out that would be great!
>
>
>Try...
>Virus Scanning = /etc/MailScanner/rules/virusscan.rules
>
>in MailScanner.conf, then create /etc/MailScanner/rules/virusscan.rules
>with the following entries
>
>
>From: default yes
>From: *@yourdomain.tld no

Problem with this is that it won't scan internal mail (i.e. mail which is From and To your domain).

>(You can add multiple domains as extra lines)
>
>OR.....
>
>From: default yes
>From: xxx.xxx.xxx.xxx no
>
>Where xxx.xxx.xxx.xxx is the IP of an internal machine sending mail out
>through the mailscanner (IMHO this is better because you risk letting in
>mail with a spoofed sender in the first option)

Agreed.

>OR.....
>To: *@yourdomain.tld yes
>To: default no
>
>Which you choose largely depends on your site's setup and which is best for
>you - take your pick (see the README and EXAMPLES files in
>/etc/MailScanner/rules for more info)
>
>
>
>BMRB International
>http://www.bmrb.co.uk
>+44 (0)20 8566 5000

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From Richard.Lush at HP.COM Tue Jan 28 09:36:19 2003
From: Richard.Lush at HP.COM (Lush, Richard)
Date: Thu Jan 12 21:17:05 2006
Subject: Sophos eval version on production mailserver
Message-ID:

Hi

You can do, but remember the terms of the evaluation period are 30 days after which you must purchase it to legally use it on a production server. (I couldn't find the T&C on the website but speaking to Sophos it is 30 days). The software will still function after 30 days but the engine is only valid for 3 months.

Hope this helps,
Richard

-----Original Message-----
From: Glynn S. Condez [mailto:glynn@MAKATI.TECHSQUARE.COM]
Sent: 28 January 2003 03:35
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Sophos eval version on production mailserver

Hi All,

I'd like to know if it's ok if I use eval version of sophos on my production mailserver?

TIA

--- Glenn ---

From mailscanner at ecs.soton.ac.uk Tue Jan 28 09:52:31 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:05 2006
Subject: Sophos issues
In-Reply-To: <3982080358.1043672398@Callisto>
References: <5.2.0.9.2.20030127162836.0501d3a8@imap.ecs.soton.ac.uk> <5.2.0.9.2.20030127162836.0501d3a8@imap.ecs.soton.ac.uk>
Message-ID: <5.2.0.9.2.20030128095136.0489bb48@imap.ecs.soton.ac.uk>

Can I suggest you upgrade to the latest 3.66 release of Sophos.
I have been sent a few files which 3.62 and other releases complain are corrupt.
3.66 happily scans them.

At 17:59 27/01/2003, you wrote:
>--On Monday, January 27, 2003 4:34 PM +0000 Julian Field
> wrote:
>
>>> The files are already
>>>"corrupt" by the time that Sophos sees it (basically, it can't see both
>>>the start of the file and the end of the file, is what I was told). I
>>>asked about the RAR archives, and she said that Sophos currently can't
>>>scan RAR version 3 archives, but that will be available in the next
>>>release. She suggested that I quarantine messages and release the files
>>>that get labeled corrupted, or in the case of the RAR files, maybe put
>>>the file extension on a whitelist, basically.
>>
>>When it finds a file is corrupt, MailScanner removes it, right?
>
>Actually no... It looks like the attachments come through okay, though,
>the files are indeed corrupted. I am still trying to get the original
>files from the authors to see if they started that way or not... So, I
>can't know for sure what happens, but the attachment doesn't appear to be
>removed, just a warning message inserted into the body of the message
>indicating that the file is corrupted.
>
>>Is it happening often enough that you could archive all mail for a little
>>while until it happens? If so, we can actually get a test case together
>>to prove exactly what is happening to the message. Until I can get my
>>hands on a test case, it is very difficult to work out what is happening.
>
>I don't think so... We get several hundred emails going through our system
>a minute... We have enough problems trying to stay afloat with CPU load and
>(especially) disk I/O. When we turned on quarantining for about a 10 hour
>time period, we had about 1.5GB of disk space consumed... so, it makes me
>a bit afraid to do anything on our production server like that :-)
>
>>Are they suggesting that the file put into the quarantine is actually
>>okay, but the file being scanned is not? That would be a neat trick...
>
>That is a good point... My concern was with regards of a message coming
>in that was fine and somehow MailScanner or Sophos was corrupting the
>message and that was what got put into the attachment... but that seems
>a bit less likely at this point, and I feel like the file is starting out
>corrupt. If I had to guess right now, Sophos is expecting documents to
>be exactly compliant with those document standard formats (i.e. DOC files
>must follow Microsoft Word Document format, PDF files follow Adobe PDF
>file formats etc). There doesn't appear to be much room in the way of
>flexibility. I have seen other programs, like Star Office, write their
>documents that are mostly compliant, but not quite, and maybe those would
>be flagged by Sophos as being corrupted. Anyways, those are guesses.
>
>>>What would be really helpful, at this point, is a way for me to set an
>>>option to allow corrupted files to pass through MailScanner without being
>>>flagged as viruses and without being touched. The same goes for scanning
>>>of external MIME attachments (which is another thread). There should be
>>>an option to not flag those as viruses and to allow the messages to pass
>>>through untouched. Both of these issues are generated support calls for
>>>us right now.
>>
>>The "external bodies" switch will be in the next version. I'll have to
>>take a look at how easy it would be to add a switch for the other bit.
>
>Great! I will let the users know about this (the external bodies thing).
>
>>How come this is only happening with Sophos? No-one else is reporting any
>>problems, only the people using Sophos.
>
>That is a good point... If I knew our system could support another virus
>scanner, such as ClamV or something like that, I would put it on.... as is,
>we are now running without spam checking just so we can get some benefit
>of MailScanner doing virus checking on messages... when we start to fall
>behind in the mail queues, even that gets turned off.
>
>On average, we get several hundred messages a minute. When we get spammed
>(usually by our own university departments), we get way more than that :)
>
>Scott
>--
>+-----------------------------------------------------------------------+
> Scott W. Adkins http://www.cns.ohiou.edu/~sadkins/
> UNIX Systems Engineer mailto:adkinss@ohio.edu
> ICQ 7626282 Work (740)593-9478 Fax (740)593-1944
>+-----------------------------------------------------------------------+
> PGP Public Key available at
> http://www.cns.ohiou.edu/~sadkins/pgp/

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From sveinn at SVEINNG.COM Tue Jan 28 11:05:00 2003
From: sveinn at SVEINNG.COM (Sveinn G. Gunnarsson)
Date: Thu Jan 12 21:17:05 2006
Subject: small change in output in upcoming version of F-Prot 4.x
In-Reply-To: <5.2.0.9.2.20030127134852.04f54630@imap.ecs.soton.ac.uk>
References: <5.2.0.9.2.20030124172650.06e90720@imap.ecs.soton.ac.uk> <5.2.0.9.2.20030127134852.04f54630@imap.ecs.soton.ac.uk>
Message-ID: <200301281105.01015.sveinn@sveinng.com>

Hi Julian...

> Sorry, silly error on my part. In line 958 of SweepViruses.pm you will
> currently find
> if ($fprot_InCruft==2 && $line =~ /program\s+version:\s*4/i) {
> This should be changed to
> if ($fprot_InCruft==-2 && $line =~ /program\s+version:\s*4/i) {
>
> (i.e. the "2" should become "-2").

This patch works perfectly, as far as I can see. I have tested it with F-Prot 3.x and 4.x without problems, and virus detection working properly.

Many thanx !!

----------------------------
Sveinn G. Gunnarsson
AIX System Administrator - CATE
Islandssimi hf.

From adkinss at OHIO.EDU Tue Jan 28 13:05:01 2003
From: adkinss at OHIO.EDU (Scott Adkins)
Date: Thu Jan 12 21:17:05 2006
Subject: Sophos issues
In-Reply-To: <5.2.0.9.2.20030128095136.0489bb48@imap.ecs.soton.ac.uk>
References: <5.2.0.9.2.20030128095136.0489bb48@imap.ecs.soton.ac.uk>
Message-ID: <4050781575.1043741101@Callisto>

Ah, okay... I will give that a try... I will let you know what happens...

Scott

--On Tuesday, January 28, 2003 9:52 AM +0000 Julian Field wrote:

> Can I suggest you upgrade to the latest 3.66 release of Sophos.
> I have been sent a few files which 3.62 and other releases complains are
> corrupt.
> 3.66 happily scans them.

--
+-----------------------------------------------------------------------+
 Scott W. Adkins http://www.cns.ohiou.edu/~sadkins/
 UNIX Systems Engineer mailto:adkinss@ohio.edu
 ICQ 7626282 Work (740)593-9478 Fax (740)593-1944
+-----------------------------------------------------------------------+
 PGP Public Key available at http://www.cns.ohiou.edu/~sadkins/pgp/

From adkinss at OHIO.EDU Tue Jan 28 16:45:38 2003
From: adkinss at OHIO.EDU (Scott Adkins)
Date: Thu Jan 12 21:17:05 2006
Subject: Sophos issues
In-Reply-To: <4050781575.1043741101@Callisto>
References: <4050781575.1043741101@Callisto>
Message-ID: <4064022034.1043754338@Callisto>

My initial testing with the new release is that it acts the same as the old release... But part of the problem is that the only files I currently have for testing are files that look like they are already corrupted. So, I don't know if the new version really fixes it or not. It is definitely the case that corrupted PDF and XLS files come out on the other end as being flagged {Virus?} and (corrupt), which is still not desired.

Scott

--On Tuesday, January 28, 2003 8:05 AM -0500 Scott Adkins wrote:

> Ah, okay... I will give that a try... I will let you know what happens...
>
> Scott
>
> --On Tuesday, January 28, 2003 9:52 AM +0000 Julian Field
> wrote:
>
>> Can I suggest you upgrade to the latest 3.66 release of Sophos.
>> I have been sent a few files which 3.62 and other releases complains are
>> corrupt.
>> 3.66 happily scans them.

--
+-----------------------------------------------------------------------+
 Scott W. Adkins http://www.cns.ohiou.edu/~sadkins/
 UNIX Systems Engineer mailto:adkinss@ohio.edu
 ICQ 7626282 Work (740)593-9478 Fax (740)593-1944
+-----------------------------------------------------------------------+
 PGP Public Key available at http://www.cns.ohiou.edu/~sadkins/pgp/

From Harish.Amin at DEG.STATE.WI.US Tue Jan 28 17:47:07 2003
From: Harish.Amin at DEG.STATE.WI.US (Amin, Harish)
Date: Thu Jan 12 21:17:05 2006
Subject: same msgid
Message-ID: <47F3EDACE4BC3A4594D0D7B504062BBD019C68A1@doamail04.doa.wistate.us>

I am having some duplicate messages problem on our list server

since Sunday we are having someone sending about 40 to 60 messages to entire list containing several members

here's my Maillog file
I noticed that all have same msgid=, size=1603, class=-60, nrcpts=3, msgid=, proto=ESMTP, daemon=MTA-IPv4, relay=mcda4-4-0-0-321.rback0.milw.wi.voyager.net [169.207.146.116] (may be forged)
syslog:Jan 27 14:43:52 badger sendmail[14934]: [ID 801593 mail.info] h0RKhpI14934: from=, size=1624, class=-60, nrcpts=3, msgid=, proto=ESMTP, daemon=MTA-IPv4, relay=mcda4-4-0-0-321.rback0.milw.wi.voyager.net [169.207.146.116] (may be forged)
syslog:Jan 27 14:45:57 badger sendmail[15016]: [ID 801593 mail.info] h0RKjtI15016: from=, size=1645, class=-60, nrcpts=3, msgid=, proto=ESMTP, daemon=MTA-IPv4, relay=mcda4-4-0-0-321.rback0.milw.wi.voyager.net [169.207.146.116] (may be forged)
syslog:Jan 27 14:47:52 badger sendmail[15108]: [ID 801593 mail.info] h0RKlpI15108: from=, size=1666, class=-60, nrcpts=3, msgid=, proto=ESMTP, daemon=MTA-IPv4, relay=mcda4-4-0-0-321.rback0.milw.wi.voyager.net [169.207.146.116] (may be forged)
syslog:Jan 27 14:49:54 badger sendmail[15206]: [ID 801593 mail.info] h0RKnrI15206: from=, size=1687, class=-60, nrcpts=3, msgid=, proto=ESMTP, daemon=MTA-IPv4, relay=mcda4-4-0-0-321.rback0.milw.wi.voyager.net [169.207.146.116] (may be forged)
syslog:Jan 27 14:51:50 badger sendmail[15289]: [ID 801593 mail.info] h0RKpnI15289: from=, size=1708, class=-60, nrcpts=3, msgid=, proto=ESMTP, daemon=MTA-IPv4, relay=mcda4-4-0-0-321.rback0.milw.wi.voyager.net [169.207.146.116] (may be forged)
syslog:Jan 27 14:53:53 badger sendmail[15364]: [ID 801593 mail.info] h0RKrqI15364: from=, size=1729, class=-60, nrcpts=3, msgid=, proto=ESMTP, daemon=MTA-IPv4, relay=mcda4-4-0-0-321.rback0.milw.wi.voyager.net [169.207.146.116] (may be forged)

From mailscanner at ecs.soton.ac.uk Tue Jan 28 18:51:52 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:05 2006 Subject: same msgid In-Reply-To: <47F3EDACE4BC3A4594D0D7B504062BBD019C68A1@doamail04.doa.wis tate.us> Message-ID: <5.2.0.9.2.20030128185120.024c7800@imap.ecs.soton.ac.uk> Are you sure that they are not being repeatedly sent to your server? That is the most common reason for this problem. At 17:47 28/01/2003, you wrote: >I am having some duplicate messages problem on out list server > >since Sunday we are having someone sending about 40 to 60 messages to entire >list containing several members > >here's my Mailllog file >I noticed that all have same msgid=Thanx for any help > >-----Original Message-----# grep mcda4-4-0-0-321.rback0.milw.wi.voyager.net >syslog* |more >syslog:Jan 27 14:41:51 badger sendmail[14858]: [ID 801593 mail.info] >h0RKfoI14858: from=, size=1603, > class=-60, nrcpts=3, msgid=, >proto=ESMTP, daemon=MTA-IPv4, relay=mcda4-4-0-0-321.rback0.mi >lw.wi.voyager.net [169.207.146.116] (may be forged) >syslog:Jan 27 14:43:52 badger sendmail[14934]: [ID 801593 mail.info] >h0RKhpI14934: from=, size=1624, > class=-60, nrcpts=3, msgid=, >proto=ESMTP, daemon=MTA-IPv4, relay=mcda4-4-0-0-321.rback0.mi >lw.wi.voyager.net [169.207.146.116] (may be forged) >syslog:Jan 27 14:45:57 badger sendmail[15016]: [ID 801593 mail.info] >h0RKjtI15016: from=, size=1645, > class=-60, nrcpts=3, msgid=, >proto=ESMTP, daemon=MTA-IPv4, relay=mcda4-4-0-0-321.rback0.mi >lw.wi.voyager.net [169.207.146.116] (may be forged) >syslog:Jan 27 14:47:52 badger sendmail[15108]: [ID 801593 mail.info] >h0RKlpI15108: from=, size=1666, > class=-60, nrcpts=3, msgid=, >proto=ESMTP, daemon=MTA-IPv4, relay=mcda4-4-0-0-321.rback0.mi >lw.wi.voyager.net [169.207.146.116] (may be forged) >syslog:Jan 27 14:49:54 badger sendmail[15206]: [ID 801593 mail.info] >h0RKnrI15206: from=, size=1687, > class=-60, nrcpts=3, msgid=, >proto=ESMTP, daemon=MTA-IPv4, relay=mcda4-4-0-0-321.rback0.mi >lw.wi.voyager.net [169.207.146.116] (may be 
forged) >syslog:Jan 27 14:51:50 badger sendmail[15289]: [ID 801593 mail.info] >h0RKpnI15289: from=, size=1708, > class=-60, nrcpts=3, msgid=, >proto=ESMTP, daemon=MTA-IPv4, relay=mcda4-4-0-0-321.rback0.mi >lw.wi.voyager.net [169.207.146.116] (may be forged) >syslog:Jan 27 14:53:53 badger sendmail[15364]: [ID 801593 mail.info] >h0RKrqI15364: from=, size=1729, > class=-60, nrcpts=3, msgid=, >proto=ESMTP, daemon=MTA-IPv4, relay=mcda4-4-0-0-321.rback0.mi >lw.wi.voyager.net [169.207.146.116] (may be forged) -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Tue Jan 28 18:49:36 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:05 2006 Subject: Sophos issues In-Reply-To: <4064022034.1043754338@Callisto> References: <4050781575.1043741101@Callisto> <4050781575.1043741101@Callisto> Message-ID: <5.2.0.9.2.20030128184744.01b26560@imap.ecs.soton.ac.uk> But I still haven't been sent any examples of a file in its corrupt+noncorrupt state. The curious thing is that the MIME parsing & regenerating code hasn't changed since I first wrote V4, and that code is functionally the same as that in V3. So why has this only just become a problem? My MIME code hasn't changed. At 16:45 28/01/2003, you wrote: >My initial testing with the new release is that it acts the same as the >old release... But part of the problem is that the only files I currently >have for testing are files that look like they are already corrupted. So, >I don't know if the new version really fixes it or not. It is definitely >the case that corrupted PDF and XLS files come out on the other end as >being flagged {Virus?} and (corrupt), which is still not desired. > >Scott > >--On Tuesday, January 28, 2003 8:05 AM -0500 Scott Adkins > wrote: > >>Ah, okay... I will give that a try... I will let you know what happens... >> >>Scott >> >>--On Tuesday, January 28, 2003 9:52 AM +0000 Julian Field >> wrote: >> >>>Can I suggest you upgrade to the latest 3.66 release of Sophos. >>>I have been sent a few files which 3.62 and other releases complains are >>>corrupt. >>>3.66 happily scans them. >>> >>>At 17:59 27/01/2003, you wrote: >>>>--On Monday, January 27, 2003 4:34 PM +0000 Julian Field >>>> wrote: >>>> >>>>>> The files are already >>>>>>"corrupt" by the time that Sophos sees it (basically, it can't see >>>>>>both the start of the file and the end of the file, is what I was >>>>>>told). I asked about the RAR archives, and she said that Sophos >>>>>>currently can't scan RAR version 3 archives, but that will be >>>>>>available in the next release. 
She suggested that I quarantine >>>>>>messages and release the files that get labeled corrupted, or in the >>>>>>case of the RAR files, maybe put the file extension on a whitelist, >>>>>>basically. >>>>> >>>>>When it finds a file is corrupt, MailScanner removes it, right? >>>> >>>>Actually no... It looks like the attachments come through okay, though, >>>>the files are indeed corrupted. I am still trying to get the original >>>>fines from the authors to see if they started that way or not... So, I >>>>can't know for sure what happens, but the attachment doesn't appear to >>>>be removed, just a warning message inserted into the body of the message >>>>indicating that the file is corrupted. >>>> >>>>>Is it happening often enough that you could archive all mail for a >>>>>little while until it happens? If so, we can actually get a test case >>>>>together to prove exactly what is happening to the message. Until I can >>>>>get my hands on a test case, it is very difficult to work out what is >>>>>happening. >>>> >>>>I don't think so... We get several hundred emails going through our >>>>system a minute... We have enough problems trying to stay afloat with >>>>CPU load and (especially) disk I/O. When we turned on quarantining for >>>>about a 10 hour time period, we had about 1.5GB of disk space >>>>consumed... so, it makes me a bit afraid to do anything on our >>>>production server like that :-) >>>> >>>>>Are they suggesting that the file put into the quarantine is actually >>>>>okay, but the file being scanned is not? That would be a neat trick... >>>> >>>>That is a good point... My concern was with regards of a message coming >>>>in that was fine and somehow MailScanner or Sophos was corrupting the >>>>message and that was what got put into the attachment... but that seems >>>>a bit less likely at this point, and I feel like the file is starting >>>>out corrupt. 
If I had to guess right now, Sophos is expecting >>>>documents to be exactly compliant with those document standard formats >>>>(i.e. DOC files must follow Microsoft Word Document format, PDF files >>>>follow Adobe PDF file formats etc). There doesn't appear to be much >>>>room in the way of flexibility. I have seen other programs, like Star >>>>Office, write their documents that are mostly compliant, but not quite, >>>>and maybe those would be flagged by Sophos as being corrupted. >>>>Anyways, those are guesses. >>>> >>>>>>What would be really helpful, at this point, is a way for me to set an >>>>>>option to allow corrupted files to pass through MailScanner without >>>>>>being flagged as viruses and without being touched. The same goes for >>>>>>scanning of external MIME attachments (which is another thread). >>>>>>There should be an option to not flag those as viruses and to allow >>>>>>the messages to pass through untouched. Both of these issues are >>>>>>generated support calls for us right now. >>>>> >>>>>The "external bodies" switch will be in the next version. I'll have to >>>>>take a look at how easy it would be to add a switch for the other bit. >>>> >>>>Great! I will let the users know about this (the external bodies >>>>thing). >>>> >>>>>How come this is only happening with Sophos? No-one else is reporting >>>>>any problems, only the people using Sophos. >>>> >>>>That is a good point... If I knew our system could support another virus >>>>scanner, such as ClamV or something like that, I would put it on.... as >>>>is, we are now running without spam checking just so we can get some >>>>benefit of MailScanner doing virus checking on messages... when we start >>>>to fall behind in the mail queues, even that gets turned off. >>>> >>>>On average, we get several hundred messages a minute. 
When we get >>>>spammed (usually by our own university departments), we get way more >>>>than that :) >>>> >>>>Scott >>>>-- >>>>+---------------------------------------------------------------------- >>>>-+ Scott W. Adkins http://www.cns.ohiou.edu/~sadkins/ >>>> UNIX Systems Engineer mailto:adkinss@ohio.edu ICQ >>>> 7626282 Work (740)593-9478 Fax (740)593-1944 >>>>+---------------------------------------------------------------------- >>>>-+ PGP Public Key available at >>>>http://www.cns.ohiou.edu/~sadkins/pgp/ >>> >>>-- >>>Julian Field >>>www.MailScanner.info >>>MailScanner thanks transtec Computers for their support >> >> >>-- >> +-----------------------------------------------------------------------+ >> Scott W. Adkins http://www.cns.ohiou.edu/~sadkins/ >> UNIX Systems Engineer mailto:adkinss@ohio.edu >> ICQ 7626282 Work (740)593-9478 Fax (740)593-1944 >> +-----------------------------------------------------------------------+ >> PGP Public Key available at http://www.cns.ohiou.edu/~sadkins/pgp/ > > >-- >+-----------------------------------------------------------------------+ > Scott W. Adkins http://www.cns.ohiou.edu/~sadkins/ > UNIX Systems Engineer mailto:adkinss@ohio.edu > ICQ 7626282 Work (740)593-9478 Fax (740)593-1944 >+-----------------------------------------------------------------------+ > PGP Public Key available at > http://www.cns.ohiou.edu/~sadkins/pgp/ -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Tue Jan 28 19:03:37 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:05 2006 Subject: Sophos issues In-Reply-To: <5.2.0.9.2.20030128184744.01b26560@imap.ecs.soton.ac.uk> References: <4064022034.1043754338@Callisto> <4050781575.1043741101@Callisto> <4050781575.1043741101@Callisto> Message-ID: <5.2.0.9.2.20030128190250.02624c70@imap.ecs.soton.ac.uk> One more thing, is this just being experienced by Sophos users? How about all you F-Prot users out there? At 18:49 28/01/2003, you wrote: >But I still haven't been sent any examples of a file in its >corrupt+noncorrupt state. >The curious thing is that the MIME parsing & regenerating code hasn't >changed since I first wrote V4, and that code is functionally the same as >that in V3. > >So why has this only just become a problem? My MIME code hasn't changed. > >At 16:45 28/01/2003, you wrote: >>My initial testing with the new release is that it acts the same as the >>old release... But part of the problem is that the only files I currently >>have for testing are files that look like they are already corrupted. So, >>I don't know if the new version really fixes it or not. It is definitely >>the case that corrupted PDF and XLS files come out on the other end as >>being flagged {Virus?} and (corrupt), which is still not desired. >> >>Scott >> >>--On Tuesday, January 28, 2003 8:05 AM -0500 Scott Adkins >> wrote: >> >>>Ah, okay... I will give that a try... I will let you know what happens... >>> >>>Scott >>> >>>--On Tuesday, January 28, 2003 9:52 AM +0000 Julian Field >>> wrote: >>> >>>>Can I suggest you upgrade to the latest 3.66 release of Sophos. >>>>I have been sent a few files which 3.62 and other releases complains are >>>>corrupt. >>>>3.66 happily scans them. 
>>>> >>>>At 17:59 27/01/2003, you wrote: >>>>>--On Monday, January 27, 2003 4:34 PM +0000 Julian Field >>>>> wrote: >>>>> >>>>>>> The files are already >>>>>>>"corrupt" by the time that Sophos sees it (basically, it can't see >>>>>>>both the start of the file and the end of the file, is what I was >>>>>>>told). I asked about the RAR archives, and she said that Sophos >>>>>>>currently can't scan RAR version 3 archives, but that will be >>>>>>>available in the next release. She suggested that I quarantine >>>>>>>messages and release the files that get labeled corrupted, or in the >>>>>>>case of the RAR files, maybe put the file extension on a whitelist, >>>>>>>basically. >>>>>> >>>>>>When it finds a file is corrupt, MailScanner removes it, right? >>>>> >>>>>Actually no... It looks like the attachments come through okay, though, >>>>>the files are indeed corrupted. I am still trying to get the original >>>>>fines from the authors to see if they started that way or not... So, I >>>>>can't know for sure what happens, but the attachment doesn't appear to >>>>>be removed, just a warning message inserted into the body of the message >>>>>indicating that the file is corrupted. >>>>> >>>>>>Is it happening often enough that you could archive all mail for a >>>>>>little while until it happens? If so, we can actually get a test case >>>>>>together to prove exactly what is happening to the message. Until I can >>>>>>get my hands on a test case, it is very difficult to work out what is >>>>>>happening. >>>>> >>>>>I don't think so... We get several hundred emails going through our >>>>>system a minute... We have enough problems trying to stay afloat with >>>>>CPU load and (especially) disk I/O. When we turned on quarantining for >>>>>about a 10 hour time period, we had about 1.5GB of disk space >>>>>consumed... 
so, it makes me a bit afraid to do anything on our >>>>>production server like that :-) >>>>> >>>>>>Are they suggesting that the file put into the quarantine is actually >>>>>>okay, but the file being scanned is not? That would be a neat trick... >>>>> >>>>>That is a good point... My concern was with regards of a message coming >>>>>in that was fine and somehow MailScanner or Sophos was corrupting the >>>>>message and that was what got put into the attachment... but that seems >>>>>a bit less likely at this point, and I feel like the file is starting >>>>>out corrupt. If I had to guess right now, Sophos is expecting >>>>>documents to be exactly compliant with those document standard formats >>>>>(i.e. DOC files must follow Microsoft Word Document format, PDF files >>>>>follow Adobe PDF file formats etc). There doesn't appear to be much >>>>>room in the way of flexibility. I have seen other programs, like Star >>>>>Office, write their documents that are mostly compliant, but not quite, >>>>>and maybe those would be flagged by Sophos as being corrupted. >>>>>Anyways, those are guesses. >>>>> >>>>>>>What would be really helpful, at this point, is a way for me to set an >>>>>>>option to allow corrupted files to pass through MailScanner without >>>>>>>being flagged as viruses and without being touched. The same goes for >>>>>>>scanning of external MIME attachments (which is another thread). >>>>>>>There should be an option to not flag those as viruses and to allow >>>>>>>the messages to pass through untouched. Both of these issues are >>>>>>>generated support calls for us right now. >>>>>> >>>>>>The "external bodies" switch will be in the next version. I'll have to >>>>>>take a look at how easy it would be to add a switch for the other bit. >>>>> >>>>>Great! I will let the users know about this (the external bodies >>>>>thing). >>>>> >>>>>>How come this is only happening with Sophos? No-one else is reporting >>>>>>any problems, only the people using Sophos. 
>>>>> >>>>>That is a good point... If I knew our system could support another virus >>>>>scanner, such as ClamV or something like that, I would put it on.... as >>>>>is, we are now running without spam checking just so we can get some >>>>>benefit of MailScanner doing virus checking on messages... when we start >>>>>to fall behind in the mail queues, even that gets turned off. >>>>> >>>>>On average, we get several hundred messages a minute. When we get >>>>>spammed (usually by our own university departments), we get way more >>>>>than that :) >>>>> >>>>>Scott >>>>>-- >>>>>+---------------------------------------------------------------------- >>>>>-+ Scott W. Adkins http://www.cns.ohiou.edu/~sadkins/ >>>>> UNIX Systems Engineer mailto:adkinss@ohio.edu ICQ >>>>> 7626282 Work (740)593-9478 Fax (740)593-1944 >>>>>+---------------------------------------------------------------------- >>>>>-+ PGP Public Key available at >>>>>http://www.cns.ohiou.edu/~sadkins/pgp/ >>>> >>>>-- >>>>Julian Field >>>>www.MailScanner.info >>>>MailScanner thanks transtec Computers for their support >>> >>> >>>-- >>> +-----------------------------------------------------------------------+ >>> Scott W. Adkins http://www.cns.ohiou.edu/~sadkins/ >>> UNIX Systems Engineer mailto:adkinss@ohio.edu >>> ICQ 7626282 Work (740)593-9478 Fax (740)593-1944 >>> +-----------------------------------------------------------------------+ >>> PGP Public Key available at http://www.cns.ohiou.edu/~sadkins/pgp/ >> >> >>-- >>+-----------------------------------------------------------------------+ >> Scott W. 
Adkins http://www.cns.ohiou.edu/~sadkins/
>> UNIX Systems Engineer mailto:adkinss@ohio.edu
>> ICQ 7626282 Work (740)593-9478 Fax (740)593-1944
>>+-----------------------------------------------------------------------+
>> PGP Public Key available at
>>http://www.cns.ohiou.edu/~sadkins/pgp/
>
>--
>Julian Field
>www.MailScanner.info
>MailScanner thanks transtec Computers for their support

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From Harish.Amin at DEG.STATE.WI.US Tue Jan 28 19:19:12 2003
From: Harish.Amin at DEG.STATE.WI.US (Amin, Harish)
Date: Thu Jan 12 21:17:05 2006
Subject: same msgid
Message-ID: <47F3EDACE4BC3A4594D0D7B504062BBD019C68A4@doamail04.doa.wistate.us>

Julian,
the sender (owner of the list denies) and found that someone is trying to forge him..
How do I make sure that they are being repeatedly sent? any hints

Thanx for your reply
Harish

-----Original Message-----
From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] Sent: Tuesday, January 28, 2003 12:52 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: same msgid Are you sure that they are not being repeatedly sent to your server? That is the most common reason for this problem. At 17:47 28/01/2003, you wrote: >I am having some duplicate messages problem on out list server > >since Sunday we are having someone sending about 40 to 60 messages to entire >list containing several members > >here's my Mailllog file >I noticed that all have same msgid=Thanx for any help > >-----Original Message-----# grep mcda4-4-0-0-321.rback0.milw.wi.voyager.net >syslog* |more >syslog:Jan 27 14:41:51 badger sendmail[14858]: [ID 801593 mail.info] >h0RKfoI14858: from=, size=1603, > class=-60, nrcpts=3, msgid=, >proto=ESMTP, daemon=MTA-IPv4, relay=mcda4-4-0-0-321.rback0.mi >lw.wi.voyager.net [169.207.146.116] (may be forged) >syslog:Jan 27 14:43:52 badger sendmail[14934]: [ID 801593 mail.info] >h0RKhpI14934: from=, size=1624, > class=-60, nrcpts=3, msgid=, >proto=ESMTP, daemon=MTA-IPv4, relay=mcda4-4-0-0-321.rback0.mi >lw.wi.voyager.net [169.207.146.116] (may be forged) >syslog:Jan 27 14:45:57 badger sendmail[15016]: [ID 801593 mail.info] >h0RKjtI15016: from=, size=1645, > class=-60, nrcpts=3, msgid=, >proto=ESMTP, daemon=MTA-IPv4, relay=mcda4-4-0-0-321.rback0.mi >lw.wi.voyager.net [169.207.146.116] (may be forged) >syslog:Jan 27 14:47:52 badger sendmail[15108]: [ID 801593 mail.info] >h0RKlpI15108: from=, size=1666, > class=-60, nrcpts=3, msgid=, >proto=ESMTP, daemon=MTA-IPv4, relay=mcda4-4-0-0-321.rback0.mi >lw.wi.voyager.net [169.207.146.116] (may be forged) >syslog:Jan 27 14:49:54 badger sendmail[15206]: [ID 801593 mail.info] >h0RKnrI15206: from=, size=1687, > class=-60, nrcpts=3, msgid=, >proto=ESMTP, daemon=MTA-IPv4, relay=mcda4-4-0-0-321.rback0.mi >lw.wi.voyager.net [169.207.146.116] (may be forged) >syslog:Jan 27 14:51:50 badger sendmail[15289]: [ID 801593 mail.info] >h0RKpnI15289: from=, 
size=1708, > class=-60, nrcpts=3, msgid=, >proto=ESMTP, daemon=MTA-IPv4, relay=mcda4-4-0-0-321.rback0.mi >lw.wi.voyager.net [169.207.146.116] (may be forged) >syslog:Jan 27 14:53:53 badger sendmail[15364]: [ID 801593 mail.info] >h0RKrqI15364: from=, size=1729, > class=-60, nrcpts=3, msgid=, >proto=ESMTP, daemon=MTA-IPv4, relay=mcda4-4-0-0-321.rback0.mi >lw.wi.voyager.net [169.207.146.116] (may be forged) -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Tue Jan 28 19:26:09 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:05 2006 Subject: same msgid In-Reply-To: <47F3EDACE4BC3A4594D0D7B504062BBD019C68A4@doamail04.doa.wis tate.us> Message-ID: <5.2.0.9.2.20030128192359.0240be80@imap.ecs.soton.ac.uk> At 19:19 28/01/2003, you wrote: >Julian, >the sender(owner of the list denies) and found that someone is trying to >forge him.. >How do I make sure that they are being repeatedly sent? any hints Check your maillog. You should have a maillog entry for every incoming message that is queued awaiting processing by MailScanner. You should have an entry with "stat=queued" for incoming messages and "stat=sent" for outgoing messages. >Thanx for your reply >Harish >-----Original Message----- 
>From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] >Sent: Tuesday, January 28, 2003 12:52 PM >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Re: same msgid > > >Are you sure that they are not being repeatedly sent to your server? That >is the most common reason for this problem. > >At 17:47 28/01/2003, you wrote: > >I am having some duplicate messages problem on out list server > > > >since Sunday we are having someone sending about 40 to 60 messages to >entire > >list containing several members > > > >here's my Mailllog file > >I noticed that all have same msgid= >Thanx for any help > > > >-----Original Message-----# grep mcda4-4-0-0-321.rback0.milw.wi.voyager.net > >syslog* |more > >syslog:Jan 27 14:41:51 badger sendmail[14858]: [ID 801593 mail.info] > >h0RKfoI14858: from=, size=1603, > > class=-60, nrcpts=3, msgid=, > >proto=ESMTP, daemon=MTA-IPv4, relay=mcda4-4-0-0-321.rback0.mi > >lw.wi.voyager.net [169.207.146.116] (may be forged) > >syslog:Jan 27 14:43:52 badger sendmail[14934]: [ID 801593 mail.info] > >h0RKhpI14934: from=, size=1624, > > class=-60, nrcpts=3, msgid=, > >proto=ESMTP, daemon=MTA-IPv4, relay=mcda4-4-0-0-321.rback0.mi > >lw.wi.voyager.net [169.207.146.116] (may be forged) > >syslog:Jan 27 14:45:57 badger sendmail[15016]: [ID 801593 mail.info] > >h0RKjtI15016: from=, size=1645, > > class=-60, nrcpts=3, msgid=, > >proto=ESMTP, daemon=MTA-IPv4, relay=mcda4-4-0-0-321.rback0.mi > >lw.wi.voyager.net [169.207.146.116] (may be forged) > >syslog:Jan 27 14:47:52 badger sendmail[15108]: [ID 801593 mail.info] > >h0RKlpI15108: from=, size=1666, > > class=-60, nrcpts=3, msgid=, > >proto=ESMTP, daemon=MTA-IPv4, relay=mcda4-4-0-0-321.rback0.mi > >lw.wi.voyager.net [169.207.146.116] (may be forged) > >syslog:Jan 27 14:49:54 badger sendmail[15206]: [ID 801593 mail.info] > >h0RKnrI15206: from=, size=1687, > > class=-60, nrcpts=3, msgid=, > >proto=ESMTP, daemon=MTA-IPv4, relay=mcda4-4-0-0-321.rback0.mi > >lw.wi.voyager.net [169.207.146.116] (may be forged) > 
>syslog:Jan 27 14:51:50 badger sendmail[15289]: [ID 801593 mail.info] > >h0RKpnI15289: from=, size=1708, > > class=-60, nrcpts=3, msgid=, > >proto=ESMTP, daemon=MTA-IPv4, relay=mcda4-4-0-0-321.rback0.mi > >lw.wi.voyager.net [169.207.146.116] (may be forged) > >syslog:Jan 27 14:53:53 badger sendmail[15364]: [ID 801593 mail.info] > >h0RKrqI15364: from=, size=1729, > > class=-60, nrcpts=3, msgid=, > >proto=ESMTP, daemon=MTA-IPv4, relay=mcda4-4-0-0-321.rback0.mi > >lw.wi.voyager.net [169.207.146.116] (may be forged) > >-- >Julian Field >www.MailScanner.info >MailScanner thanks transtec Computers for their support -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From gary.morgan at ASOLUTIONS.COM Tue Jan 28 20:47:44 2003 From: gary.morgan at ASOLUTIONS.COM (Gary Morgan) Date: Thu Jan 12 21:17:05 2006 Subject: mail generated locally doesn't get scanned Message-ID: I'm sure somebody has run into this before.... I've been running Mailscanner 1.11-1 for a few weeks now, and haven't had any problems yet. However, management wants me to implement an easy way for users to change their email passwords, turn on vacation and email forwarding as well as webmail. Easy 'nuff...Usermin supplies all those things. That's when I noticed that email generated on the email server, either by using Usermin's "Read Mail" interface or even by using the "mail" command from the prompt, does not get scanned. What do I need to do so that the messages created via webmail (running no the mailserver) get scanned? TIA, Gary Morgan From mailscanner at ecs.soton.ac.uk Tue Jan 28 21:00:35 2003 
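Added example for the "same msgid" thread above (not part of any list post): a Python script for the maillog check Julian Field describes, grouping sendmail from= entries by msgid to show whether one message was accepted repeatedly, each time under a new queue ID, and what stat= each queue ID reached. The log lines, hosts and addresses in SAMPLE_LOG are constructed, the function names are hypothetical, and it assumes sendmail writes one from= line per message it accepts.

```python
import re
from collections import defaultdict

# Constructed sample in sendmail maillog format. Hosts, addresses and msgids
# are made up (192.0.2.0/24 is a documentation range); the first line keeps
# the "syslog:" prefix that grep adds when it searches several files.
SAMPLE_LOG = """\
syslog:Jan 27 14:41:51 mail1 sendmail[14858]: [ID 801593 mail.info] h0RKfoI14858: from=<owner@example.org>, size=1603, class=-60, nrcpts=3, msgid=<dup-1@example.org>, proto=ESMTP, daemon=MTA-IPv4, relay=relay.example.net [192.0.2.10] (may be forged)
Jan 27 14:41:51 mail1 sendmail[14858]: h0RKfoI14858: to=<list@example.com>, delay=00:00:00, mailer=local, pri=31603, stat=queued
Jan 27 14:42:03 mail1 sendmail[14870]: h0RKfoI14858: to=<list@example.com>, delay=00:00:12, mailer=local, pri=31603, dsn=2.0.0, stat=Sent
Jan 27 14:43:52 mail1 sendmail[14934]: h0RKhpI14934: from=<owner@example.org>, size=1624, class=-60, nrcpts=3, msgid=<dup-1@example.org>, proto=ESMTP, daemon=MTA-IPv4, relay=relay.example.net [192.0.2.10] (may be forged)
Jan 27 14:43:52 mail1 sendmail[14934]: h0RKhpI14934: to=<list@example.com>, delay=00:00:00, mailer=local, pri=31624, stat=queued
Jan 27 14:45:57 mail1 sendmail[15016]: h0RKjtI15016: from=<owner@example.org>, size=1645, class=-60, nrcpts=3, msgid=<dup-1@example.org>, proto=ESMTP, daemon=MTA-IPv4, relay=relay.example.net [192.0.2.10] (may be forged)
Jan 27 14:45:57 mail1 sendmail[15016]: h0RKjtI15016: to=<list@example.com>, delay=00:00:00, mailer=local, pri=31645, stat=queued
Jan 27 15:02:10 mail1 sendmail[15500]: h0RL2AI15500: from=<other@example.org>, size=900, class=0, nrcpts=1, msgid=<single-7@example.org>, proto=ESMTP, daemon=MTA-IPv4, relay=mx.example.net [192.0.2.20]
Jan 27 15:02:10 mail1 sendmail[15500]: h0RL2AI15500: to=<user@example.com>, delay=00:00:00, mailer=local, pri=30900, stat=queued
"""

# timestamp, host, sendmail[pid]:, optional Solaris "[ID n facility.level]",
# queue ID, then the comma-separated key=value fields.
ENTRY = re.compile(
    r"(?P<ts>[A-Z][a-z]{2}\s+\d+\s[\d:]{8})\s+\S+\s+sendmail\[\d+\]:\s+"
    r"(?:\[ID \d+ \S+\]\s+)?(?P<qid>\w+):\s+(?P<fields>.*)$"
)


def parse_fields(text):
    """Split 'k=v, k=v' pairs; commas inside a value (to=<a>,<b>) are kept."""
    fields = {}
    for part in re.split(r",\s+(?=[a-z]+=)", text):
        key, sep, value = part.partition("=")
        if sep:
            fields[key] = value
    return fields


def analyse(log_text):
    """Return (receptions per msgid, stat= outcomes per queue ID)."""
    receptions = defaultdict(list)  # msgid -> [(timestamp, queue ID, relay)]
    outcomes = defaultdict(set)     # queue ID -> {"queued", "sent", ...}
    for line in log_text.splitlines():
        match = ENTRY.search(line)
        if not match:
            continue
        fields = parse_fields(match["fields"])
        if "from" in fields and "msgid" in fields:
            # One from= line is logged when the message is accepted.
            receptions[fields["msgid"]].append(
                (match["ts"], match["qid"], fields.get("relay", "?")))
        elif "to" in fields and "stat" in fields:
            # Keep only the first word: "Sent (ok ...)" -> "sent".
            word = (fields["stat"].split() or ["?"])[0].lower()
            outcomes[match["qid"]].add(word)
    return receptions, outcomes


def repeated_receptions(log_text):
    """msgids accepted under more than one queue ID, i.e. sent to us again."""
    receptions, outcomes = analyse(log_text)
    report = {}
    for msgid, seen in receptions.items():
        qids = sorted({qid for _, qid, _ in seen})
        if len(qids) < 2:
            continue
        report[msgid] = {
            "receptions": len(qids),
            "first": seen[0][0],
            "last": seen[-1][0],
            "relays": sorted({relay for _, _, relay in seen}),
            "outcomes": {qid: sorted(outcomes[qid]) for qid in qids},
        }
    return report


if __name__ == "__main__":
    for msgid, info in repeated_receptions(SAMPLE_LOG).items():
        print(f"{msgid}: received {info['receptions']} times "
              f"between {info['first']} and {info['last']}")
        for relay in info["relays"]:
            print(f"  relay: {relay}")
        for qid, stats in info["outcomes"].items():
            print(f"  {qid}: stat={','.join(stats) or 'none logged'}")
```

Several queue IDs for one msgid mean the message reached the server more than once, and the relay field shows which host handed it over each time.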
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:05 2006
Subject: mail generated locally doesn't get scanned
In-Reply-To:
Message-ID: <5.2.0.9.2.20030128205916.02525e08@imap.ecs.soton.ac.uk>

I assume you are running a fairly old version of sendmail. Upgrade to a recent version and it will pump all locally-generated mail through MailScanner as well.

The alternative is to configure your webmail system to talk SMTP to localhost rather than invoking sendmail directly.

At 20:47 28/01/2003, you wrote:
>I'm sure somebody has run into this before....
>
>I've been running Mailscanner 1.11-1 for a few weeks now, and haven't
>had any problems yet. However, management wants me to implement an easy
>way for users to change their email passwords, turn on vacation and
>email forwarding as well as webmail. Easy 'nuff...Usermin supplies all
>those things. That's when I noticed that email generated on the email
>server, either by using Usermin's "Read Mail" interface or even by using
>the "mail" command from the prompt, does not get scanned.
>
>What do I need to do so that the messages created via webmail (running
>on the mailserver) get scanned?
>
>
>TIA,
>
>Gary Morgan

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From gary.morgan at ASYNCHRONY.COM Tue Jan 28 21:11:26 2003
From: gary.morgan at ASYNCHRONY.COM (Gary Morgan)
Date: Thu Jan 12 21:17:05 2006
Subject: mail generated locally doesn't get scanned
In-Reply-To: <5.2.0.9.2.20030128205916.02525e08@imap.ecs.soton.ac.uk>
References: <5.2.0.9.2.20030128205916.02525e08@imap.ecs.soton.ac.uk>
Message-ID: <1043788286.4134.23.camel@windu.asynchrony.com>

I'm running sendmail version 8.11.6-15, do you consider this fairly old?

On Tue, 2003-01-28 at 15:00, Julian Field wrote:
> I assume you are running a fairly old version of sendmail. Upgrade to a
> recent version and it will pump all locally-generated mail through
> MailScanner as well.
>
> The alternative is to configure your webmail system to talk SMTP to
> localhost rather than invoking sendmail directly.
>
> At 20:47 28/01/2003, you wrote:
> >I'm sure somebody has run into this before....
> >
> >I've been running Mailscanner 1.11-1 for a few weeks now, and haven't
> >had any problems yet. However, management wants me to implement an easy
> >way for users to change their email passwords, turn on vacation and
> >email forwarding as well as webmail. Easy 'nuff...Usermin supplies all
> >those things. That's when I noticed that email generated on the email
> >server, either by using Usermin's "Read Mail" interface or even by using
> >the "mail" command from the prompt, does not get scanned.
> >
> >What do I need to do so that the messages created via webmail (running
> >on the mailserver) get scanned?
> >
> >
> >TIA,
> >
> >Gary Morgan
>
> --
> Julian Field
> www.MailScanner.info
> MailScanner thanks transtec Computers for their support

--
This message has been scanned for viruses and dangerous content by MailScanner at asynchrony.com, and is believed to be clean.

From Denis.Beauchemin at USHERBROOKE.CA Tue Jan 28 21:27:12 2003
From: Denis.Beauchemin at USHERBROOKE.CA (Denis Beauchemin)
Date: Thu Jan 12 21:17:05 2006
Subject: Sophos issues
In-Reply-To: <5.2.0.9.2.20030128095136.0489bb48@imap.ecs.soton.ac.uk>
References: <5.2.0.9.2.20030127162836.0501d3a8@imap.ecs.soton.ac.uk> <5.2.0.9.2.20030127162836.0501d3a8@imap.ecs.soton.ac.uk> <5.2.0.9.2.20030128095136.0489bb48@imap.ecs.soton.ac.uk>
Message-ID: <1043789232.12627.98.camel@dbeauchemin.si.usherbrooke.ca>

Julian,

I upgraded to 3.66 and asked a user to send me the test file that caused problems last week. Turns out the problem is still there!

He sent me a file with an XML extension (no trace of this one in filename.rules.conf) and put his own email address in cc:. I received the file OK and have been able to load it in Mozilla. He received an error message with the subject changed to include {VIRUS} and the following error message:

    Could not check winmail.dat (corrupt)

Strange thing: his message had no winmail.dat in it (there was none in the copy I received), just the S812.CHOIXET.XML file.

He also received a second message saying that his PC was probably infected and should be checked... again, the message included:

    Could not check winmail.dat (corrupt)

Any ideas what is going on?

Denis

On Tue 28/01/2003 at 04:52, Julian Field wrote:
> Can I suggest you upgrade to the latest 3.66 release of Sophos.
> I have been sent a few files which 3.62 and other releases complains are
> corrupt.
> 3.66 happily scans them.
>
> At 17:59 27/01/2003, you wrote:
> >--On Monday, January 27, 2003 4:34 PM +0000 Julian Field
> > wrote:
> >
> >>> The files are already
> >>>"corrupt" by the time that Sophos sees it (basically, it can't see both
> >>>the start of the file and the end of the file, is what I was told). I
> >>>asked about the RAR archives, and she said that Sophos currently can't
> >>>scan RAR version 3 archives, but that will be available in the next
> >>>release.
She suggested that I quarantine messages and release the files > >>>that get labeled corrupted, or in the case of the RAR files, maybe put > >>>the file extension on a whitelist, basically. > >> > >>When it finds a file is corrupt, MailScanner removes it, right? > > > >Actually no... It looks like the attachments come through okay, though, > >the files are indeed corrupted. I am still trying to get the original > >fines from the authors to see if they started that way or not... So, I > >can't know for sure what happens, but the attachment doesn't appear to be > >removed, just a warning message inserted into the body of the message > >indicating that the file is corrupted. > > > >>Is it happening often enough that you could archive all mail for a little > >>while until it happens? If so, we can actually get a test case together > >>to prove exactly what is happening to the message. Until I can get my > >>hands on a test case, it is very difficult to work out what is happening. > > > >I don't think so... We get several hundred emails going through our system > >a minute... We have enough problems trying to stay afloat with CPU load and > >(especially) disk I/O. When we turned on quarantining for about a 10 hour > >time period, we had about 1.5GB of disk space consumed... so, it makes me > >a bit afraid to do anything on our production server like that :-) > > > >>Are they suggesting that the file put into the quarantine is actually > >>okay, but the file being scanned is not? That would be a neat trick... > > > >That is a good point... My concern was with regards of a message coming > >in that was fine and somehow MailScanner or Sophos was corrupting the > >message and that was what got put into the attachment... but that seems > >a bit less likely at this point, and I feel like the file is starting out > >corrupt. If I had to guess right now, Sophos is expecting documents to > >be exactly compliant with those document standard formats (i.e. 
> >DOC files
> >must follow Microsoft Word Document format, PDF files follow Adobe PDF
> >file formats etc). There doesn't appear to be much room in the way of
> >flexibility. I have seen other programs, like Star Office, write their
> >documents that are mostly compliant, but not quite, and maybe those would
> >be flagged by Sophos as being corrupted. Anyways, those are guesses.
> >
> >>>What would be really helpful, at this point, is a way for me to set an
> >>>option to allow corrupted files to pass through MailScanner without being
> >>>flagged as viruses and without being touched. The same goes for scanning
> >>>of external MIME attachments (which is another thread). There should be
> >>>an option to not flag those as viruses and to allow the messages to pass
> >>>through untouched. Both of these issues are generated support calls for
> >>>us right now.
> >>
> >>The "external bodies" switch will be in the next version. I'll have to
> >>take a look at how easy it would be to add a switch for the other bit.
> >
> >Great! I will let the users know about this (the external bodies thing).
> >
> >>How come this is only happening with Sophos? No-one else is reporting any
> >>problems, only the people using Sophos.
> >
> >That is a good point... If I knew our system could support another virus
> >scanner, such as ClamV or something like that, I would put it on.... as is,
> >we are now running without spam checking just so we can get some benefit
> >of MailScanner doing virus checking on messages... when we start to fall
> >behind in the mail queues, even that gets turned off.
> >
> >On average, we get several hundred messages a minute. When we get spammed
> >(usually by our own university departments), we get way more than that :)
> >
> >Scott
> >--
> >+-----------------------------------------------------------------------+
> > Scott W.
> > Adkins http://www.cns.ohiou.edu/~sadkins/
> > UNIX Systems Engineer mailto:adkinss@ohio.edu
> > ICQ 7626282 Work (740)593-9478 Fax (740)593-1944
> >+-----------------------------------------------------------------------+
> > PGP Public Key available at
> > http://www.cns.ohiou.edu/~sadkins/pgp/
>
> --
> Julian Field
> www.MailScanner.info
> MailScanner thanks transtec Computers for their support
--
Denis Beauchemin, analyst
Université de Sherbrooke, S.T.I.
T: 819.821.8000x2252 F: 819.821.8045

From mailscanner at ecs.soton.ac.uk Tue Jan 28 21:33:18 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:05 2006
Subject: Sophos issues
In-Reply-To: <1043789232.12627.98.camel@dbeauchemin.si.usherbrooke.ca>
References: <5.2.0.9.2.20030128095136.0489bb48@imap.ecs.soton.ac.uk> <5.2.0.9.2.20030127162836.0501d3a8@imap.ecs.soton.ac.uk> <5.2.0.9.2.20030127162836.0501d3a8@imap.ecs.soton.ac.uk> <5.2.0.9.2.20030128095136.0489bb48@imap.ecs.soton.ac.uk>
Message-ID: <5.2.0.9.2.20030128213010.02760300@imap.ecs.soton.ac.uk>

If it gained a winmail.dat then an Exchange Server is involved somewhere en route, or else he was using Outlook with "Rich Text Format" enabled. Please can you try a route that does not involve any winmail.dat files. The version that came to you was perfectly intact, so that route is working (which I assume involved MailScanner somewhere).

At 21:27 28/01/2003, you wrote:
>Julian,
>
>I upgraded to 3.66 and asked a user to send me the test file that caused
>problems last week.
>
>Turns out the problem is still there! He sent me a file with an XML
>extension (no trace of this one in filename.rules.conf) and put his own
>email address in cc:.
>
>I received the file OK and have been able to load it in Mozilla.
>
>He received an error message with the subject changed to include {VIRUS}
>and the following error message:
>Could not check winmail.dat (corrupt)
>
>Strange thing: his message had no winmail.dat in it (there was none in
>the copy I received), just the S812.CHOIXET.XML file.
>
>He also received a second message saying that his PC was probably
>infected and should be checked... again, the message included:
>Could not check winmail.dat (corrupt)
>
>Any ideas what is going on?
>
>Denis
>
>On Tue 28/01/2003 at 04:52, Julian Field wrote:
> > Can I suggest you upgrade to the latest 3.66 release of Sophos.
> > I have been sent a few files which 3.62 and other releases complain are
> > corrupt.
> > 3.66 happily scans them.
> > > > At 17:59 27/01/2003, you wrote: > > >--On Monday, January 27, 2003 4:34 PM +0000 Julian Field > > > wrote: > > > > > >>> The files are already > > >>>"corrupt" by the time that Sophos sees it (basically, it can't see both > > >>>the start of the file and the end of the file, is what I was told). I > > >>>asked about the RAR archives, and she said that Sophos currently can't > > >>>scan RAR version 3 archives, but that will be available in the next > > >>>release. She suggested that I quarantine messages and release the files > > >>>that get labeled corrupted, or in the case of the RAR files, maybe put > > >>>the file extension on a whitelist, basically. > > >> > > >>When it finds a file is corrupt, MailScanner removes it, right? > > > > > >Actually no... It looks like the attachments come through okay, though, > > >the files are indeed corrupted. I am still trying to get the original > > >fines from the authors to see if they started that way or not... So, I > > >can't know for sure what happens, but the attachment doesn't appear to be > > >removed, just a warning message inserted into the body of the message > > >indicating that the file is corrupted. > > > > > >>Is it happening often enough that you could archive all mail for a little > > >>while until it happens? If so, we can actually get a test case together > > >>to prove exactly what is happening to the message. Until I can get my > > >>hands on a test case, it is very difficult to work out what is happening. > > > > > >I don't think so... We get several hundred emails going through our system > > >a minute... We have enough problems trying to stay afloat with CPU > load and > > >(especially) disk I/O. When we turned on quarantining for about a 10 hour > > >time period, we had about 1.5GB of disk space consumed... 
so, it makes me > > >a bit afraid to do anything on our production server like that :-) > > > > > >>Are they suggesting that the file put into the quarantine is actually > > >>okay, but the file being scanned is not? That would be a neat trick... > > > > > >That is a good point... My concern was with regards of a message coming > > >in that was fine and somehow MailScanner or Sophos was corrupting the > > >message and that was what got put into the attachment... but that seems > > >a bit less likely at this point, and I feel like the file is starting out > > >corrupt. If I had to guess right now, Sophos is expecting documents to > > >be exactly compliant with those document standard formats (i.e. DOC files > > >must follow Microsoft Word Document format, PDF files follow Adobe PDF > > >file formats etc). There doesn't appear to be much room in the way of > > >flexibility. I have seen other programs, like Star Office, write their > > >documents that are mostly compliant, but not quite, and maybe those would > > >be flagged by Sophos as being corrupted. Anyways, those are guesses. > > > > > >>>What would be really helpful, at this point, is a way for me to set an > > >>>option to allow corrupted files to pass through MailScanner without > being > > >>>flagged as viruses and without being touched. The same goes for > scanning > > >>>of external MIME attachments (which is another thread). There should be > > >>>an option to not flag those as viruses and to allow the messages to pass > > >>>through untouched. Both of these issues are generated support calls for > > >>>us right now. > > >> > > >>The "external bodies" switch will be in the next version. I'll have to > > >>take a look at how easy it would be to add a switch for the other bit. > > > > > >Great! I will let the users know about this (the external bodies thing). > > > > > >>How come this is only happening with Sophos? No-one else is reporting any > > >>problems, only the people using Sophos. 
> > >
> > >That is a good point... If I knew our system could support another virus
> > >scanner, such as ClamV or something like that, I would put it on.... as is,
> > >we are now running without spam checking just so we can get some benefit
> > >of MailScanner doing virus checking on messages... when we start to fall
> > >behind in the mail queues, even that gets turned off.
> > >
> > >On average, we get several hundred messages a minute. When we get spammed
> > >(usually by our own university departments), we get way more than that :)
> > >
> > >Scott
> > >--
> > >+-----------------------------------------------------------------------+
> > > Scott W. Adkins http://www.cns.ohiou.edu/~sadkins/
> > > UNIX Systems Engineer mailto:adkinss@ohio.edu
> > > ICQ 7626282 Work (740)593-9478 Fax (740)593-1944
> > >+-----------------------------------------------------------------------+
> > > PGP Public Key available at
> > > http://www.cns.ohiou.edu/~sadkins/pgp/
> >
> > --
> > Julian Field
> > www.MailScanner.info
> > MailScanner thanks transtec Computers for their support
>--
>Denis Beauchemin, analyst
>Université de Sherbrooke, S.T.I.
>T: 819.821.8000x2252 F: 819.821.8045

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Tue Jan 28 21:23:53 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:05 2006
Subject: mail generated locally doesn't get scanned
In-Reply-To: <1043788286.4134.23.camel@windu.asynchrony.com>
References: <5.2.0.9.2.20030128205916.02525e08@imap.ecs.soton.ac.uk> <5.2.0.9.2.20030128205916.02525e08@imap.ecs.soton.ac.uk>
Message-ID: <5.2.0.9.2.20030128212027.027dbf50@imap.ecs.soton.ac.uk>

At 21:11 28/01/2003, you wrote:
>I'm running sendmail version 8.11.6-15, do you consider this fairly old?

No. Your locally-generated mail should go via clientmqueue into mqueue.in. Worth checking that is what is actually happening.
Otherwise go for the smtp to localhost route. Any webmail worth using will be able to talk smtp to a mail server.

>On Tue, 2003-01-28 at 15:00, Julian Field wrote:
> > I assume you are running a fairly old version of sendmail. Upgrade to a
> > recent version and it will pump all locally-generated mail through
> > MailScanner as well.
> >
> > The alternative is to configure your webmail system to talk SMTP to
> > localhost rather than invoking sendmail directly.
> >
> > At 20:47 28/01/2003, you wrote:
> > >I'm sure somebody has run into this before....
> > >
> > >I've been running Mailscanner 1.11-1 for a few weeks now, and haven't
> > >had any problems yet. However, management wants me to implement an easy
> > >way for users to change their email passwords, turn on vacation and
> > >email forwarding as well as webmail. Easy 'nuff...Usermin supplies all
> > >those things. That's when I noticed that email generated on the email
> > >server, either by using Usermin's "Read Mail" interface or even by using
> > >the "mail" command from the prompt, does not get scanned.
> > >
> > >What do I need to do so that the messages created via webmail (running
> > >on the mailserver) get scanned?
> > >
> > >
> > >TIA,
> > >
> > >Gary Morgan
> >
> > --
> > Julian Field
> > www.MailScanner.info
> > MailScanner thanks transtec Computers for their support
> >
>--
>This message has been scanned for viruses and
>dangerous content by MailScanner at asynchrony.com,
>and is believed to be clean.

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From mbowman at UDCOM.COM Tue Jan 28 22:00:19 2003
From: mbowman at UDCOM.COM (Matthew Bowman)
Date: Thu Jan 12 21:17:05 2006
Subject: dodgy spam.actions ?
Message-ID:

Greetings

In my spam.actions.conf file, I have this rule

To: @vbcomm.net delete forward mbowman@udcom.com

I sent a SPAM e-mail to it from my yahoo account and here is where maillog said:

Jan 28 16:55:32 smithers MailScanner[3632]: Spam Actions: message h0SLtS403985 actions are forward,mbowman@udcom.com

Why didn't the e-mail get deleted or did it and maillog just reported the 2nd rule?

Thanks

Matthew K Bowman
Systems Administrator; Hostmaster; Miva Administrator
Universal Digital Communications, Mansfield Ohio.
Tel: (419) 524-4330
Fax: (419) 522-4082
Cell: (419) 545-6376
Email: mbowman@udcom.com
Web: http://www.udcom.com

--- Newcastle for the Premiership --
--- Howay the lads! ---

From mailscanner at ecs.soton.ac.uk Tue Jan 28 22:07:14 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:05 2006
Subject: dodgy spam.actions ?
In-Reply-To:
Message-ID: <5.2.0.9.2.20030128220614.027bfeb8@imap.ecs.soton.ac.uk>

If it deleted it, what would it forward?
It ignores the "delete" request as you over-rode it with a "forward" request. If you want it stored, say so. If you don't, it won't.

At 22:00 28/01/2003, you wrote:
>Greetings
>
>In my spam.actions.conf file, I have this rule
>
>To: @vbcomm.net delete forward mbowman@udcom.com
>
>I sent a SPAM e-mail to it from my yahoo account and here is where maillog
>said:
>
>Jan 28 16:55:32 smithers MailScanner[3632]: Spam Actions: message
>h0SLtS403985 actions are forward,mbowman@udcom.com
>
>Why didn't the e-mail get deleted or did it and maillog just reported the
>2nd rule?
>
>Thanks
>
>Matthew K Bowman
>Systems Administrator; Hostmaster; Miva Administrator
>Universal Digital Communications, Mansfield Ohio.
>Tel: (419) 524-4330
>Fax: (419) 522-4082
>Cell: (419) 545-6376
>Email: mbowman@udcom.com
>Web: http://www.udcom.com
>
>--- Newcastle for the Premiership --
>--- Howay the lads! ---

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From joelc at CTCHOUSTON.COM Tue Jan 28 22:16:12 2003
From: joelc at CTCHOUSTON.COM (Joel Colvin)
Date: Thu Jan 12 21:17:05 2006
Subject: Multiple sendmail queue directories
In-Reply-To: <3E35C991.80108@pcxperience.com>
Message-ID: <014601c2c71a$e1769f80$9504140a@hewlett9por0s0>

I have a mail server that uses multiple queue directories in sendmail. I'm trying to figure out how to get MailScanner to work with that. I see that the MailScanner.conf supports multiple queue directories. Is that all I need to change?

Joel

From billa at STERLING.NET Tue Jan 28 22:41:15 2003
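The override described in the "dodgy spam.actions ?" exchange above, as an added example that is not MailScanner's own code: a small Python lint that parses Spam Actions rule lines and reports when a "delete" is ignored because "forward" is also set. The second sample rule is constructed, the handling of "#" comment lines is an assumption, and only the behaviour stated in the thread is modelled.

```python
"""Lint for MailScanner "Spam Actions" ruleset lines (added example).

Models only what the thread states: a rule that lists both "delete" and
"forward <address>" has its "delete" ignored, so the message is forwarded.
"""

# Sample input: the first rule is the one quoted in the thread; the second
# is constructed here to show "store" kept alongside "forward".
SAMPLE_RULES = """\
To: @vbcomm.net delete forward mbowman@udcom.com
To: @example.org store forward abuse@example.org
"""


def parse_rule(line):
    """Split 'To: <pattern> <action> ...' into (direction, pattern, actions).

    Each action is a tuple: ("forward", address) or (name,).
    """
    tokens = line.split()
    if len(tokens) < 3:
        raise ValueError(f"rule needs direction, pattern and an action: {line!r}")
    direction, pattern, words = tokens[0], tokens[1], tokens[2:]
    actions = []
    i = 0
    while i < len(words):
        word = words[i].lower()
        if word == "forward":
            # "forward" consumes the next token as its destination address.
            if i + 1 >= len(words) or "@" not in words[i + 1]:
                raise ValueError(f"'forward' without an address: {line!r}")
            actions.append(("forward", words[i + 1]))
            i += 2
        else:
            actions.append((word,))
            i += 1
    return direction, pattern, actions


def effective_actions(actions):
    """Apply the override described in the thread: forward beats delete."""
    has_forward = any(action[0] == "forward" for action in actions)
    kept, warnings = [], []
    for action in actions:
        if action[0] == "delete" and has_forward:
            warnings.append("'delete' is ignored because 'forward' is also set")
            continue
        kept.append(action)
    return kept, warnings


def lint(text):
    """Return one finding per rule line: (line_no, pattern, kept, warnings)."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        # Assumption: blank lines and '#' comment lines carry no rule.
        if not line or line.startswith("#"):
            continue
        _direction, pattern, actions = parse_rule(line)
        kept, warnings = effective_actions(actions)
        findings.append((line_no, pattern, kept, warnings))
    return findings


if __name__ == "__main__":
    for line_no, pattern, kept, warnings in lint(SAMPLE_RULES):
        # Same comma-joined shape as the maillog line quoted in the thread.
        shown = ",".join(",".join(action) for action in kept)
        print(f"line {line_no}: {pattern}: actions are {shown}")
        for warning in warnings:
            print(f"  warning: {warning}")
```

Run against the rule from the thread, the lint reports only the forward action for @vbcomm.net, which matches the maillog entry Matthew quoted.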
From: billa at STERLING.NET (Bill Anderson)
Date: Thu Jan 12 21:17:05 2006
Subject: /bin/cat: : No such file or directory
Message-ID:

I posted a message awhile back to deal with a problem message that keeps popping up on my console. I was given a bunch of great ideas on where to look, however, I could never find the problem. Shortly thereafter, the messages went away (that was a little spooky).

However, the messages are back, but this time I found out where they are coming from. I get these messages whenever I use the "store" option for caught spam. I am not quarantineing (if there is such a word) any viruses, but I did turn "store" back on for some domains. Here is my Mailscanner.conf file:

Spam Actions = /etc/MailScanner/rules/strlg.spam.actions.rules

Here is my strlg.spam.actions.rules file:

To: domain.com bounce store
To: another.com bounce store

If I remove the "store" option, the messages go away. Oh yeah, here is what the message is:

/bin/cat: : No such file or directory

It seems every time I get the message, another message is dropped in the quarantine directory.

From mailscanner at ecs.soton.ac.uk Tue Jan 28 22:41:19 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:05 2006
Subject: Multiple sendmail queue directories
In-Reply-To: <014601c2c71a$e1769f80$9504140a@hewlett9por0s0>
References: <3E35C991.80108@pcxperience.com>
Message-ID: <5.2.0.9.2.20030128224001.027e6008@imap.ecs.soton.ac.uk>

At 22:16 28/01/2003, you wrote:
>I have a mail server that uses multiple queue directories in sendmail.
>I'm trying to figure out how to get MailScanner to work with that. I
>see that the MailScanner.conf supports multiple queue directories. Is
>that all I need to change?

It supports split queue directories on the incoming side, but only supports them on the outgoing side if you run 1 sendmail queue runner for each queue (e.g. 1 queue for local hosts, 1 for slow remote hosts). You can just merge the outgoing queue directories into one and it will work just fine.

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Tue Jan 28 22:47:23 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:05 2006
Subject: /bin/cat: : No such file or directory
In-Reply-To:
Message-ID: <5.2.0.9.2.20030128224714.02880ec8@imap.ecs.soton.ac.uk>

Are you using sendmail or Exim?

At 22:41 28/01/2003, you wrote:
>I posted a message awhile back to deal with a problem message that keeps
>popping up on my console. I was given a bunch of great ideas on where to
>look, however, I could never find the problem. Shortly thereafter, the
>messages went away (that was a little spooky).
>
>However, the messages are back, but this time I found out where they are
>coming from. I get these messages whenever I use the "store" option for
>caught spam. I am not quarantineing (if there is such a word) any viruses,
>but I did turn "store" back on for some domains. Here is my
>Mailscanner.conf file:
>
>Spam Actions = /etc/MailScanner/rules/strlg.spam.actions.rules
>
>Here is my strlg.spam.actions.rules file:
>
>To: domain.com bounce store
>To: another.com bounce store
>
>If I remove the "store" option, the messages go away. Oh yeah, here is what
>the message is:
>
>/bin/cat: : No such file or directory
>
>It seems every time I get the message, another message is dropped in the
>quarantine directory.

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From joelc at CTCHOUSTON.COM Tue Jan 28 23:17:16 2003
From: joelc at CTCHOUSTON.COM (Joel Colvin)
Date: Thu Jan 12 21:17:05 2006
Subject: Multiple sendmail queue directories
In-Reply-To: <5.2.0.9.2.20030128224001.027e6008@imap.ecs.soton.ac.uk>
Message-ID: <014c01c2c723$6978c360$9504140a@hewlett9por0s0>

I usually have 6000+ items in the queue directories and have been running separate queue runners to help get past the deferred messages and on to the others. Splitting the queue up helped me do that faster.

I see where I would need to change, in the init script, the StartOutSendmail function to add queue runners but I'm having trouble setting multiple queue dirs in MailScanner.conf. Outgoing Queue Dir suggests that I could use a ruleset but I'm having no luck there. I get syntax errors when I set a wildcard on the variable and when I put queue dirs in a separate file like this:

Outgoing Queue Dir = /etc/MailScanner/mqueue.out.list.conf

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Julian Field
Sent: Tuesday, January 28, 2003 4:41 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Multiple sendmail queue directories

At 22:16 28/01/2003, you wrote:
>I have a mail server that uses multiple queue directories in sendmail.
>I'm trying to figure out how to get MailScanner to work with that. I
>see that the MailScanner.conf supports multiple queue directories. Is
>that all I need to change?

It supports split queue directories on the incoming side, but only supports them on the outgoing side if you run 1 sendmail queue runner for each queue (e.g. 1 queue for local hosts, 1 for slow remote hosts). You can just merge the outgoing queue directories into one and it will work just fine.

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From billa at STERLING.NET Tue Jan 28 23:55:16 2003
From: billa at STERLING.NET (Bill Anderson)
Date: Thu Jan 12 21:17:05 2006
Subject: /bin/cat: : No such file or directory
In-Reply-To: <5.2.0.9.2.20030128224714.02880ec8@imap.ecs.soton.ac.uk>
Message-ID:

sendmail

> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On
> Behalf Of Julian Field
> Sent: Tuesday, January 28, 2003 2:47 PM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: /bin/cat: : No such file or directory
>
>
> Are you using sendmail or Exim?
>
> At 22:41 28/01/2003, you wrote:
> >I posted a message awhile back to deal with a problem message that keeps
> >popping up on my console. I was given a bunch of great ideas on where to
> >look, however, I could never find the problem. Shortly thereafter, the
> >messages went away (that was a little spooky).
> >
> >However, the messages are back, but this time I found out where they are
> >coming from. I get these messages whenever I use the "store" option for
> >caught spam. I am not quarantineing (if there is such a word) any viruses,
> >but I did turn "store" back on for some domains. Here is my
> >Mailscanner.conf file:
> >
> >Spam Actions = /etc/MailScanner/rules/strlg.spam.actions.rules
> >
> >Here is my strlg.spam.actions.rules file:
> >
> >To: domain.com bounce store
> >To: another.com bounce store
> >
> >If I remove the "store" option, the messages go away. Oh yeah, here is what
> >the message is:
> >
> >/bin/cat: : No such file or directory
> >
> >It seems every time I get the message, another message is dropped in the
> >quarantine directory.
>
> --
> Julian Field
> www.MailScanner.info
> MailScanner thanks transtec Computers for their support
>

From P.G.M.Peters at civ.utwente.nl Wed Jan 29 08:50:26 2003
From: P.G.M.Peters at civ.utwente.nl (Peter Peters)
Date: Thu Jan 12 21:17:05 2006
Subject: New installation on SuSe
Message-ID:

I just installed MS on a new system (running SuSe) and I noticed some "strange" things.

I run MS as user mail but the cron.hourly that updates the anti-virus packages runs as user root. So the lock-files in /tmp have permissions 644. I get the message "Cannot create /tmp/FProtBusy.lock, Permission denied" and it stops processing the queue. I had to manually change the permissions to 664 to have it working. Could "update.virus.scanners" be made to set these permissions?

When I first started MS it found AntiVir installed and it started updating that. So I configured MS to also use AntiVir. Of course I got the message about codestatus. It appears that AntiVir is installed automatically with SuSe. Has anybody used it with MS? I would eventually like to test it myself but I don't want to run into problems with other packages if I change "Minimum Code Status" to unsupported.

I would like to test the new system by copying files from the quarantine directory on the production server to the queue directory on the test server. Is this a good way to test the new system?

--
Peter Peters
senior network administrator
Centrum voor InformatieTechnology, Bibliotheek en Educatie
Universiteit Twente, Postbus 217, 7500 AE Enschede
telephone: +31 53 489 2301, fax:+31 53 489 2383, http://www.utwente.nl/civ

From andersan at LTKALMAR.SE Wed Jan 29 09:42:25 2003
From: andersan at LTKALMAR.SE (Anders Andersson, IT)
Date: Thu Jan 12 21:17:05 2006
Subject: SV: Sophos issues
Message-ID: <7B475DC5E9502B4D91EA73C283AE48D70263EE0D@lkl22.ltkalmar.se>

> -----Original Message-----
> From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK]
> Sent: 28 January 2003 20:04
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: Sophos issues
>
>
> One more thing, is this just being experienced by Sophos users?
> How about all you F-Prot users out there?

Running F-Prot and no problems at all
/Anders

>
> At 18:49 28/01/2003, you wrote:
> >But I still haven't been sent any examples of a file in its
> >corrupt+noncorrupt state.
> >The curious thing is that the MIME parsing & regenerating code hasn't
> >changed since I first wrote V4, and that code is functionally the same as
> >that in V3.
> >
> >So why has this only just become a problem? My MIME code hasn't changed.
> >
> >At 16:45 28/01/2003, you wrote:
> >>My initial testing with the new release is that it acts the same as the
> >>old release... But part of the problem is that the only files I currently
> >>have for testing are files that look like they are already corrupted. So,
> >>I don't know if the new version really fixes it or not. It is definitely
> >>the case that corrupted PDF and XLS files come out on the other end as
> >>being flagged {Virus?} and (corrupt), which is still not desired.
> >>
> >>Scott
> >>
> >>--On Tuesday, January 28, 2003 8:05 AM -0500 Scott Adkins
> >> wrote:
> >>
> >>>Ah, okay... I will give that a try... I will let you know what happens...
> >>>
> >>>Scott
> >>>
> >>>--On Tuesday, January 28, 2003 9:52 AM +0000 Julian Field
> >>> wrote:
> >>>
> >>>>Can I suggest you upgrade to the latest 3.66 release of Sophos.
> >>>>I have been sent a few files which 3.62 and other releases complain are
> >>>>corrupt.
> >>>>3.66 happily scans them.
> >>>> > >>>>At 17:59 27/01/2003, you wrote: > >>>>>--On Monday, January 27, 2003 4:34 PM +0000 Julian Field > >>>>> wrote: > >>>>> > >>>>>>> The files are already > >>>>>>>"corrupt" by the time that Sophos sees it (basically, > it can't see > >>>>>>>both the start of the file and the end of the file, is > what I was > >>>>>>>told). I asked about the RAR archives, and she said > that Sophos > >>>>>>>currently can't scan RAR version 3 archives, but that will be > >>>>>>>available in the next release. She suggested that I quarantine > >>>>>>>messages and release the files that get labeled > corrupted, or in the > >>>>>>>case of the RAR files, maybe put the file extension on > a whitelist, > >>>>>>>basically. > >>>>>> > >>>>>>When it finds a file is corrupt, MailScanner removes it, right? > >>>>> > >>>>>Actually no... It looks like the attachments come > through okay, though, > >>>>>the files are indeed corrupted. I am still trying to > get the original > >>>>>fines from the authors to see if they started that way > or not... So, I > >>>>>can't know for sure what happens, but the attachment > doesn't appear to > >>>>>be removed, just a warning message inserted into the > body of the message > >>>>>indicating that the file is corrupted. > >>>>> > >>>>>>Is it happening often enough that you could archive all > mail for a > >>>>>>little while until it happens? If so, we can actually > get a test case > >>>>>>together to prove exactly what is happening to the > message. Until I can > >>>>>>get my hands on a test case, it is very difficult to > work out what is > >>>>>>happening. > >>>>> > >>>>>I don't think so... We get several hundred emails going > through our > >>>>>system a minute... We have enough problems trying to > stay afloat with > >>>>>CPU load and (especially) disk I/O. When we turned on > quarantining for > >>>>>about a 10 hour time period, we had about 1.5GB of disk space > >>>>>consumed... 
so, it makes me a bit afraid to do anything on our > >>>>>production server like that :-) > >>>>> > >>>>>>Are they suggesting that the file put into the > quarantine is actually > >>>>>>okay, but the file being scanned is not? That would be > a neat trick... > >>>>> > >>>>>That is a good point... My concern was with regards of a > message coming > >>>>>in that was fine and somehow MailScanner or Sophos was > corrupting the > >>>>>message and that was what got put into the attachment... > but that seems > >>>>>a bit less likely at this point, and I feel like the > file is starting > >>>>>out corrupt. If I had to guess right now, Sophos is expecting > >>>>>documents to be exactly compliant with those document > standard formats > >>>>>(i.e. DOC files must follow Microsoft Word Document > format, PDF files > >>>>>follow Adobe PDF file formats etc). There doesn't > appear to be much > >>>>>room in the way of flexibility. I have seen other > programs, like Star > >>>>>Office, write their documents that are mostly compliant, > but not quite, > >>>>>and maybe those would be flagged by Sophos as being corrupted. > >>>>>Anyways, those are guesses. > >>>>> > >>>>>>>What would be really helpful, at this point, is a way > for me to set an > >>>>>>>option to allow corrupted files to pass through > MailScanner without > >>>>>>>being flagged as viruses and without being touched. > The same goes for > >>>>>>>scanning of external MIME attachments (which is > another thread). > >>>>>>>There should be an option to not flag those as viruses > and to allow > >>>>>>>the messages to pass through untouched. Both of these > issues are > >>>>>>>generated support calls for us right now. > >>>>>> > >>>>>>The "external bodies" switch will be in the next > version. I'll have to > >>>>>>take a look at how easy it would be to add a switch for > the other bit. > >>>>> > >>>>>Great! I will let the users know about this (the external bodies > >>>>>thing). 
> >>>>> > >>>>>>How come this is only happening with Sophos? No-one > else is reporting > >>>>>>any problems, only the people using Sophos. > >>>>> > >>>>>That is a good point... If I knew our system could > support another virus > >>>>>scanner, such as ClamV or something like that, I would > put it on.... as > >>>>>is, we are now running without spam checking just so we > can get some > >>>>>benefit of MailScanner doing virus checking on > messages... when we start > >>>>>to fall behind in the mail queues, even that gets turned off. > >>>>> > >>>>>On average, we get several hundred messages a minute. > When we get > >>>>>spammed (usually by our own university departments), we > get way more > >>>>>than that :) > >>>>> > >>>>>Scott > >>>>>-- > >>>>>+-------------------------------------------------------- > -------------- > >>>>>-+ Scott W. Adkins > http://www.cns.ohiou.edu/~sadkins/ > >>>>> UNIX Systems Engineer > mailto:adkinss@ohio.edu ICQ > >>>>> 7626282 Work (740)593-9478 Fax > (740)593-1944 > >>>>>+-------------------------------------------------------- > -------------- > >>>>>-+ PGP Public Key available at > >>>>>http://www.cns.ohiou.edu/~sadkins/pgp/ > >>>> > >>>>-- > >>>>Julian Field > >>>>www.MailScanner.info > >>>>MailScanner thanks transtec Computers for their support > >>> > >>> > >>>-- > >>> > +------------------------------------------------------------- > ----------+ > >>> Scott W. Adkins > http://www.cns.ohiou.edu/~sadkins/ > >>> UNIX Systems Engineer mailto:adkinss@ohio.edu > >>> ICQ 7626282 Work (740)593-9478 > Fax (740)593-1944 > >>> > +------------------------------------------------------------- > ----------+ > >>> PGP Public Key available at > http://www.cns.ohiou.edu/~sadkins/pgp/ > >> > >> > >>-- > >>+----------------------------------------------------------- > ------------+ > >> Scott W. 
Adkins > http://www.cns.ohiou.edu/~sadkins/ > >> UNIX Systems Engineer mailto:adkinss@ohio.edu > >> ICQ 7626282 Work (740)593-9478 Fax > (740)593-1944 > >>+----------------------------------------------------------- > ------------+ > >> PGP Public Key available at > >>http://www.cns.ohiou.edu/~sadkins/pgp/ > > > >-- > >Julian Field > >www.MailScanner.info > >MailScanner thanks transtec Computers for their support > > -- > Julian Field > www.MailScanner.info > MailScanner thanks transtec Computers for their support > From mailscanner at ecs.soton.ac.uk Wed Jan 29 10:45:44 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:05 2006
Subject: New installation on SuSe
In-Reply-To:
Message-ID: <5.2.0.9.2.20030129104318.02076330@imap.ecs.soton.ac.uk>

At 08:50 29/01/2003, you wrote:
>I just installed MS on a new system (running SuSe) and I noticed some
>"strange" things.
>
>I run MS as user mail but the cron.hourly that updates the anti-virus
>packages runs as user root. So the lock-files in /tmp have permissions
>644. I get the message "Cannot create /tmp/FProtBusy.lock, Permission
>denied" and it stops processing the queue. I had to manually change the
>permissions to 664 to have it working. Could "update.virus.scanners" be
>made to set these permissions?

Fixed.

>When I first started MS it found AntiVir installed and it started
>updating that. So I configured MS to also use AntiVir. Of course I got
>the message about codestatus. It appears that AntiVir is installed
>automatically with SuSe. Has anybody used it with MS? I would eventually
>like to test it myself but I don't want to run into problems with other
>packages if I change "Minimum Code Status" to unsupported.

The virus scanners are currently the only thing used by the "Code Status" setting. There are a few people out there who use AntiVir, but I've only heard from 5 or 6 people using it.

>I would like to test the new system by copying files from the quarantine
>directory on the production server to the queue directory on the test
>server. Is this a good way to test the new system?

As long as they are being quarantined as Queue Files then that should work fine. Remember to set the ownership to mail.mail when you copy them into the incoming queue, or nothing will happen.

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Wed Jan 29 10:32:24 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:05 2006 Subject: /bin/cat: : No such file or directory In-Reply-To: References: <5.2.0.9.2.20030128224714.02880ec8@imap.ecs.soton.ac.uk> Message-ID: <5.2.0.9.2.20030129103148.0205e078@imap.ecs.soton.ac.uk> Can you (off-list) please mail me your MailScanner.conf file. I need to be able to exactly reproduce your setup. At 23:55 28/01/2003, you wrote: >sendmail > > > -----Original Message----- 
> > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > > Behalf Of Julian Field > > Sent: Tuesday, January 28, 2003 2:47 PM > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: Re: /bin/cat: : No such file or directory > > > > > > Are you using sendmail or Exim? > > > > At 22:41 28/01/2003, you wrote: > > >I posted a message awhile back to deal with a problem message that keeps > > >popping up on my console. I was given a bunch of great ideas on where to > > >look, however, I could never find the problem. Shortly thereafter, the > > >messages went away (that was a little spooky). > > > > > >However, the messages are back, but this time I found out where they are > > >coming from. I get these messages whenever is use the "store" option for > > >caught spam. I am not quarantineing (if there is such a word) > > any viruses, > > >but I did turn "store" back on for some domains. Here is my > > >Mailscanner.conf file: > > > > > >Spam Actions = /etc/MailScanner/rules/strlg.spam.actions.rules > > > > > >Here is my strlg.spam.actions.rules file: > > > > > >To: domain.com bounce store > > >To: another.com bounce store > > > > > >If I remove the "store" option, the messages go away. Oh yeah, > > here is what > > >the message is: > > > > > >/bin/cat: : No such file or directory > > > > > >It seems everytime I get the message, another message is dropped in the > > >quarantine directory. > > > > -- > > Julian Field > > www.MailScanner.info > > MailScanner thanks transtec Computers for their support > > -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Wed Jan 29 10:30:52 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:05 2006 Subject: Multiple sendmail queue directories In-Reply-To: <014c01c2c723$6978c360$9504140a@hewlett9por0s0> References: <5.2.0.9.2.20030128224001.027e6008@imap.ecs.soton.ac.uk> Message-ID: <5.2.0.9.2.20030129102950.023be6d0@imap.ecs.soton.ac.uk> At 23:17 28/01/2003, you wrote: >I usually have 6000+ items in the queue directories and have been >running separate queue runners to help get past the deferred messages >and on to the others. Splitting the queue up helped me do that faster. > >I see where I would need to change, in the init script, the >StartOutSendmail function to add queue runners but I'm having trouble >setting multiple queue dirs in MailScanner.conf. > >Outgoing Queue Dir suggests that I could use a ruleset but I'm having no >luck there. I get syntax errors when I set a wildcard on the variable >and when I put queue dirs in a separate file like this: > >Outgoing Queue Dir = /etc/MailScanner/mqueue.out.list.conf Make the rules file end in ".rules". Detecting use of a rules file vs a directory name isn't trivial once you include links and devices. >-----Original Message----- 
>From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On >Behalf Of Julian Field >Sent: Tuesday, January 28, 2003 4:41 PM >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Re: Multiple sendmail queue directories > >At 22:16 28/01/2003, you wrote: > >I have a mail server that uses multiple queue directories in sendmail. > >I'm trying to figure out how to get MailScanner to work with that. I > >see that the MailScanner.conf supports multiple queue directories. Is > >that all I need to change? > >It supports split queue directories on the incoming side, but only >supports >them on the outgoing side if you run 1 sendmail queue runner for each >queue >(e.g. 1 queue for local hosts, 1 for slow remote hosts). >You can just merge the outgoing queue directories into one and it will >work >just fine. >-- >Julian Field >www.MailScanner.info >MailScanner thanks transtec Computers for their support -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From P.G.M.Peters at civ.utwente.nl Wed Jan 29 11:43:50 2003 
From: P.G.M.Peters at civ.utwente.nl (Peter Peters) Date: Thu Jan 12 21:17:05 2006 Subject: New installation on SuSe In-Reply-To: <5.2.0.9.2.20030129104318.02076330@imap.ecs.soton.ac.uk> References: <5.2.0.9.2.20030129104318.02076330@imap.ecs.soton.ac.uk> Message-ID: <9hff3vctf5dvha37j2srv5omu2k6vp56i9@4ax.com> On Wed, 29 Jan 2003 10:45:44 +0000, you wrote: >>I run MS as user mail but the cron.hourly that updates the anti-virus >>packages runs as user root. So the lock-files in /tmp have permissions >>644. I get the message "Cannot create /tmp/FProtBusy.lock, Permission >>denied" and it stops processing the queue. I had to manually change the >>permissions to 664 to have it working. Could "update.virus.scanners" be >>made to set these permissions. > >Fixed. You are the best. >>When I first started MS it found AntiVir installed and it started >>updating that. So I configured MS to also use AntiVir. Of course I got >>the message about codestatus. It appears that AntiVir is installed >>automatically with SuSe. Has anybody used it with MS? I would eventually >>like to test it myself but I don't want to run into problems with other >>packages if I change "Minimum Code Status" to unsupported. > >The virus scanners are currently the only thing used by the "Code Status" >setting. There are a few people out there who use AntiVir, but I've only >heard from 5 or 6 people using it. OK. I'll check whether I can test some stuff. >>I would like to test the new system by copying files from the quarantine >>directory on the production server to the queue directory on the test >>server. Is this a good way to test the new system? > >As long as they are being quarantined as Queue Files then that should work >fine. Remember to set the ownership to mail.mail when you copy them into >the incoming queue, or nothing will happen. I always use scp for this kind of thing and I do this as user mail. 
-- Peter Peters senior netwerkbeheerder Centrum voor InformatieTechnologie, Bibliotheek en Educatie Universiteit Twente, Postbus 217, 7500 AE Enschede telefoon: +31 53 489 2301, fax:+31 53 489 2383, http://www.utwente.nl/civ From Denis.Beauchemin at USHERBROOKE.CA Wed Jan 29 14:41:59 2003 From: Denis.Beauchemin at USHERBROOKE.CA (Denis Beauchemin) Date: Thu Jan 12 21:17:05 2006 Subject: Sophos issues In-Reply-To: <5.2.0.9.2.20030128213010.02760300@imap.ecs.soton.ac.uk> References: <5.2.0.9.2.20030128095136.0489bb48@imap.ecs.soton.ac.uk> <5.2.0.9.2.20030127162836.0501d3a8@imap.ecs.soton.ac.uk> <5.2.0.9.2.20030127162836.0501d3a8@imap.ecs.soton.ac.uk> <5.2.0.9.2.20030128095136.0489bb48@imap.ecs.soton.ac.uk> <5.2.0.9.2.20030128213010.02760300@imap.ecs.soton.ac.uk> Message-ID: <1043851318.12634.167.camel@dbeauchemin.si.usherbrooke.ca> Le mar 28/01/2003 ? 16:33, Julian Field a ?crit : > If it gained a winmail.dat then an Exchange Server is involved somewhere en > route, or else he was using Outlook with "Rich Text Format" enabled. None of the above are true. The message I received did not have any winmail.dat in it and was addresses to me AND to the sender. The headers clearly indicate that no Exchange server was used (smtp2 is my Linux MailScanner relay and courriel is my Cyrus-IMAP server): Return-Path: Received: from courriel.usherbrooke.ca ([unix socket]) by courriel.usherbrooke.ca (Cyrus v2.1.8) with LMTP; Tue, 28 Jan 2003 16:00:04 -0500 X-Sieve: CMU Sieve 2.2 Received: from smtp2.usherbrooke.ca (smtp2.usherb.ca [132.210.13.6]) by courriel.usherbrooke.ca (8.11.6/8.11.6) with ESMTP id h0SL03j18663 for ; Tue, 28 Jan 2003 16:00:03 -0500 Received: from STI106 ([132.210.180.18]) by smtp2.usherbrooke.ca (8.11.6/8.11.6) with ESMTP id h0SKxwK10556 for ; Tue, 28 Jan 2003 15:59:58 -0500 
From: =?iso-8859-1?Q?Andr=E9_Fredette?= To: "Denis Beauchemin" , "=?iso-8859-1?Q?Andr=E9_Fredette_\=28Andr=E9_Fredette\=29?=" Subject: TEST EXTRENTION ???.XML Date: Tue, 28 Jan 2003 15:59:57 -0500 Message-ID: <000c01c2c710$36dc8120$12b4d284@STI106> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="----=_NextPart_000_000D_01C2C6E6.4E067920" X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook, Build 10.0.4024 X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2800.1106 Importance: Normal X-MailScanner: Aucun code suspect =?ISO-8859-1?Q?d=E9tect=E9?= X-MailScanner-SpamCheck: n'est pas un polluriel, SpamAssassin (Courriel dXpassant la taille maximale) X-Evolution-Source: imap://bead2306@courriel.usherbrooke.ca/ ------=_NextPart_000_000D_01C2C6E6.4E067920 Content-Type: multipart/alternative; boundary="----=_NextPart_001_000E_01C2C6E6.4E08EA20" ... ------=_NextPart_001_000E_01C2C6E6.4E08EA20 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; CHARSET=iso-8859-1 ... ------=_NextPart_001_000E_01C2C6E6.4E08EA20 Content-Transfer-Encoding: quoted-printable Content-Type: text/html; CHARSET=iso-8859-1 ... ------=_NextPart_001_000E_01C2C6E6.4E08EA20-- ------=_NextPart_000_000D_01C2C6E6.4E067920 Content-Transfer-Encoding: quoted-printable Content-Disposition: attachment; filename="S812.CHOIXET.XML" Content-Type: text/xml; NAME=S812.CHOIXET.XML ... Here are the headers from the message he received: Return-Path: Received: from courriel.usherbrooke.ca ([unix socket]) by courriel.usherbrooke.ca (Cyrus v2.1.8) with LMTP; Tue, 28 Jan 2003 16:00:14 -0500 X-Sieve: CMU Sieve 2.2 Received: from smtp2.usherbrooke.ca (smtp2.usherb.ca [132.210.13.6]) by courriel.usherbrooke.ca (8.11.6/8.11.6) with ESMTP id h0SL0Ej18703 for ; Tue, 28 Jan 2003 16:00:14 -0500 Received: from STI106 ([132.210.180.18]) by smtp2.usherbrooke.ca (8.11.6/8.11.6) with ESMTP id h0SKxxK10558 for ; Tue, 28 Jan 2003 15:59:59 -0500 
From: =?iso-8859-1?Q?Andr=E9_Fredette?= To: "Denis Beauchemin" , "=?iso-8859-1?Q?Andr=E9_Fredette_\=28Andr=E9_Fredette\=29?=" Subject: {VIRUS} TEST EXTRENTION ???.XML Date: Tue, 28 Jan 2003 15:59:57 -0500 Message-ID: <001201c2c710$37727f90$12b4d284@STI106> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="----=_NextPart_000_0013_01C2C6E6.4E9C7790" X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook, Build 10.0.4024 X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2800.1106 Importance: Normal X-MS-TNEF-Correlator: 00000000FA556A646B57924283742D2D536E9DD624B02100 X-MailScanner: Code suspect =?ISO-8859-1?Q?d=E9tect=E9?= X-MailScanner-SpamCheck: n'est pas un polluriel, SpamAssassin (Courriel dXpassant la taille maximale) Now, can you find something out of this??? Denis > > Please can you try a route that does not involve any winmail.dat files. > > The version that came to you was perfectly intact, so that route is working > (which I assume involved MailScanner somewhere). > > At 21:27 28/01/2003, you wrote: > >Julian, > > > >I upgraded to 3.66 and asked a user to send me the test file that caused > >problems last week. > > > >Turns out the problem is still there! He sent me a file with an XML > >extension (no trace of this one in filename.rules.conf) and put his own > >email address in cc:. > > > >I received the file OK and have been able to load it in Mozilla. > > > >He received an error message with the subject changed to include {VIRUS} > >and the following error message: > >Could not check winmail.dat (corrupt) > > > >Strange thing: his message had no winmail.dat in it (there was none in > >the copy I received), just the S812.CHOIXET.XML file. > > > >He also received a second message saying that his PC was probably > >infected and should be checked... again, the message included: > >Could not check winmail.dat (corrupt) > > > >Any ideas what is going on? > > > >Denis > > -- Denis Beauchemin, analyste Universit? de Sherbrooke, S.T.I. 
T: 819.821.8000x2252 F: 819.821.8045 From Kevin.Spicer at BMRB.CO.UK Wed Jan 29 14:45:20 2003 From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin) Date: Thu Jan 12 21:17:05 2006 Subject: Sophos issues Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0A32CA5@pascal.priv.bmrb.co.uk> > None of the above are true. The message I received did not have any > winmail.dat in it and was addresses to me AND to the sender. The > headers clearly indicate that no Exchange server was used (smtp2 is my > Linux MailScanner relay and courriel is my Cyrus-IMAP server): > > Looks to me like the sender might be using exchange... > Received: from STI106 ^^^^^^ Their server? > X-MSMail-Priority: Normal > X-Mailer: Microsoft Outlook, Build 10.0.4024 They're certainly using Outlook! BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. From ragan_davis at COLSTATE.EDU Wed Jan 29 14:42:01 2003 
From: ragan_davis at COLSTATE.EDU (Mack Ragan) Date: Thu Jan 12 21:17:05 2006 Subject: Weird error in log after installing MailScanner Message-ID: Hi! I am getting this weird error in /var/log/messages since installing MailScanner 4.11-1. Also, MailScanner really hogs the cpu, and eventually the host runs out of memory and MailScanner dies (or is killed). Here's the error: Jan 29 09:40:47 lx2 kernel: Trying to vfree() nonexistent vm area (c88c6000) Jan 29 09:40:48 lx2 kernel: c4e65ea4 c03006c0 c03006c0 c03009c8 00000003 c7e92820 00000000 c4e64000 Jan 29 09:40:51 lx2 kernel: 0000000b c0119419 c7e92820 00000206 c7e92820 c011e026 c7e92820 c15322dc Jan 29 09:40:52 lx2 kernel: c4e64000 00000000 c4e65f30 0000000b c012438c 0000000b c0124574 0000000b Jan 29 09:40:53 lx2 kernel: Call Trace: [] mmput [kernel] 0x39 (0xc4e65ec8)) Jan 29 09:40:53 lx2 kernel: [] do_exit [kernel] 0xa6 (0xc4e65ed8)) Jan 29 09:40:54 lx2 kernel: [] sig_exit [kernel] 0xac (0xc4e65ef4)) Jan 29 09:40:54 lx2 kernel: [] dequeue_signal [kernel] 0x64 (0xc4e65efc)) Jan 29 09:40:54 lx2 kernel: [] do_signal [kernel] 0x1f7 (0xc4e65f14)) Jan 29 09:40:55 lx2 kernel: [] deliver_signal [kernel] 0x31 (0xc4e65f68)) Jan 29 09:40:55 lx2 kernel: [] do_general_protection [kernel] 0x0 (0xc4e65fa0)) Jan 29 09:40:55 lx2 kernel: [] force_sig [kernel] 0x1f (0xc4e65fa8)) Jan 29 09:40:55 lx2 kernel: [] do_general_protection [kernel] 0x0 (0xc4e65fb8)) Jan 29 09:40:55 lx2 kernel: [] signal_return [kernel] 0x14 (0xc4e65fc0)) Any thoughts as to why this is happening? Thanks! Mack From mailscanner at ecs.soton.ac.uk Wed Jan 29 15:01:19 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:05 2006 Subject: Weird error in log after installing MailScanner In-Reply-To: Message-ID: <5.2.0.9.2.20030129150039.05ac5df0@imap.ecs.soton.ac.uk> I would advise you upgrade to the latest glibc and kernel, this looks like a very fundamental library/CPU problem. Are you 100% your hardware is all working properly? At 14:42 29/01/2003, you wrote: >Hi! > >I am getting this weird error in /var/log/messages since installing >MailScanner 4.11-1. Also, MailScanner really hogs the cpu, and eventually >the host runs out of memory and MailScanner dies (or is killed). Here's >the error: > >Jan 29 09:40:47 lx2 kernel: Trying to vfree() nonexistent vm area (c88c6000) >Jan 29 09:40:48 lx2 kernel: c4e65ea4 c03006c0 c03006c0 c03009c8 00000003 >c7e92820 00000000 c4e64000 >Jan 29 09:40:51 lx2 kernel: 0000000b c0119419 c7e92820 00000206 >c7e92820 c011e026 c7e92820 c15322dc >Jan 29 09:40:52 lx2 kernel: c4e64000 00000000 c4e65f30 0000000b >c012438c 0000000b c0124574 0000000b >Jan 29 09:40:53 lx2 kernel: Call Trace: [] mmput [kernel] 0x39 >(0xc4e65ec8)) >Jan 29 09:40:53 lx2 kernel: [] do_exit [kernel] 0xa6 (0xc4e65ed8)) >Jan 29 09:40:54 lx2 kernel: [] sig_exit [kernel] 0xac >(0xc4e65ef4)) >Jan 29 09:40:54 lx2 kernel: [] dequeue_signal [kernel] 0x64 >(0xc4e65efc)) >Jan 29 09:40:54 lx2 kernel: [] do_signal [kernel] 0x1f7 >(0xc4e65f14)) >Jan 29 09:40:55 lx2 kernel: [] deliver_signal [kernel] 0x31 >(0xc4e65f68)) >Jan 29 09:40:55 lx2 kernel: [] do_general_protection [kernel] 0x0 >(0xc4e65fa0)) >Jan 29 09:40:55 lx2 kernel: [] force_sig [kernel] 0x1f >(0xc4e65fa8)) >Jan 29 09:40:55 lx2 kernel: [] do_general_protection [kernel] 0x0 >(0xc4e65fb8)) >Jan 29 09:40:55 lx2 kernel: [] signal_return [kernel] 0x14 >(0xc4e65fc0)) > >Any thoughts as to why this is happening? > >Thanks! 
>Mack -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From Denis.Beauchemin at USHERBROOKE.CA Wed Jan 29 15:14:53 2003 From: Denis.Beauchemin at USHERBROOKE.CA (Denis Beauchemin) Date: Thu Jan 12 21:17:05 2006 Subject: Sophos issues In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB0A32CA5@pascal.priv.bmrb.co.uk> References: <5C0296D26910694BB9A9BBFC577E7AB0A32CA5@pascal.priv.bmrb.co.uk> Message-ID: <1043853293.12634.171.camel@dbeauchemin.si.usherbrooke.ca> On Wed 29/01/2003 at 09:45, Spicer, Kevin wrote: > > None of the above are true. The message I received did not have any > > winmail.dat in it and was addressed to me AND to the sender. The > > headers clearly indicate that no Exchange server was used (smtp2 is my > > Linux MailScanner relay and courriel is my Cyrus-IMAP server): > > > > > Looks to me like the sender might be using exchange... > > Received: from STI106 > ^^^^^^ Their server? No. The sender's PC. > > X-MSMail-Priority: Normal > > X-Mailer: Microsoft Outlook, Build 10.0.4024 > > They're certainly using Outlook! I agree but this shouldn't be held against him. I'm positive there are no Exchange servers around. Denis -- Denis Beauchemin, analyste Université de Sherbrooke, S.T.I. T: 819.821.8000x2252 F: 819.821.8045 From didier.belhomme at FUNDP.AC.BE Wed Jan 29 15:34:58 2003 
From: didier.belhomme at FUNDP.AC.BE (Didier Belhomme) Date: Thu Jan 12 21:17:05 2006 Subject: Sophos issues In-Reply-To: <1043853293.12634.171.camel@dbeauchemin.si.usherbrooke.ca> References: <5C0296D26910694BB9A9BBFC577E7AB0A32CA5@pascal.priv.bmrb.co.uk> <5C0296D26910694BB9A9BBFC577E7AB0A32CA5@pascal.priv.bmrb.co.uk> Message-ID: <5.2.0.9.0.20030129163231.031828c0@pop.fundp.ac.be> At 10:14 29/01/2003 -0500, you wrote: >No. The sender's PC. > > > > X-MSMail-Priority: Normal > > > X-Mailer: Microsoft Outlook, Build 10.0.4024 > > > > They're certainly using Outlook! > >I agree but this shouldn't be held against him. The problem is perhaps that Outlook creates a winmail.dat attachment which is rejected by MS. If that's the case, did you find anything in the logs? I suspect the winmail.dat is rejected by MS because of a wrong return code from the Sophos sweep. >I'm positive there are no Exchange servers around. > >Denis >-- >Denis Beauchemin, analyste >Université de Sherbrooke, S.T.I. >T: 819.821.8000x2252 F: 819.821.8045 Didier Belhomme FUNDP - Service informatique universitaire - Support systèmes UNIX Rue Grandgagnage, 21 B-5000 Namur Tel : +32 81 725025 Fax: +32 81 725023 E-mail : didier.belhomme@fundp.ac.be From Denis.Beauchemin at USHERBROOKE.CA Wed Jan 29 16:04:47 2003 
From: Denis.Beauchemin at USHERBROOKE.CA (Denis Beauchemin) Date: Thu Jan 12 21:17:06 2006 Subject: Sophos issues In-Reply-To: <5.2.0.9.0.20030129163231.031828c0@pop.fundp.ac.be> References: <5C0296D26910694BB9A9BBFC577E7AB0A32CA5@pascal.priv.bmrb.co.uk> <5C0296D26910694BB9A9BBFC577E7AB0A32CA5@pascal.priv.bmrb.co.uk> <5.2.0.9.0.20030129163231.031828c0@pop.fundp.ac.be> Message-ID: <1043856287.12627.183.camel@dbeauchemin.si.usherbrooke.ca> On Wed 29/01/2003 at 10:34, Didier Belhomme wrote: > At 10:14 29/01/2003 -0500, you wrote: > >No. The sender's PC. > > > > > > X-MSMail-Priority: Normal > > > > X-Mailer: Microsoft Outlook, Build 10.0.4024 > > > > > > They're certainly using Outlook! > > > >I agree but this shouldn't be held against him. > > The problem is perhaps that Outlook creates a winmail.dat attachment which > is rejected by MS. If that's the case, did you find anything in the logs? I > suspect the winmail.dat is rejected by MS because of a wrong return code > from the Sophos sweep. Could Outlook be sending the message twice? Once in plain text for me and a second one for the sender in a winmail.dat? 
It looks like it in my maillog: Jan 28 15:59:59 smtp2 sendmail[10556]: h0SKxwK10556: from=, size=1096963, class=0, nrcpts=1, msgid=<000c01c2c710$36dc8120$12b4d28 4@STI106>, proto=ESMTP, daemon=MTA, relay=[132.210.180.18] Jan 28 15:59:59 smtp2 sendmail[10556]: h0SKxwK10556: to=, delay=00:00:01, mailer=relay, pri=1126963, stat=queued Jan 28 16:00:00 smtp2 sendmail[10558]: h0SKxxK10558: from=, size=1112905, class=0, nrcpts=1, msgid=<001201c2c710$37727f90$12b4d28 4@STI106>, proto=ESMTP, daemon=MTA, relay=[132.210.180.18] Jan 28 16:00:00 smtp2 sendmail[10558]: h0SKxxK10558: to=, delay=00:00:01, mailer=relay, pri=1142905, stat=queued This is confirmed by the 2 emails that don't have the same ID: Received: from STI106 ([132.210.180.18]) by smtp2.usherbrooke.ca (8.11.6/8.11.6) with ESMTP id h0SKxwK10556 for ; Tue, 28 Jan 2003 15:59:58 -0500 Received: from STI106 ([132.210.180.18]) by smtp2.usherbrooke.ca (8.11.6/8.11.6) with ESMTP id h0SKxxK10558 for ; Tue, 28 Jan 2003 15:59:59 -0500 What a stupid program! Denis -- Denis Beauchemin, analyste Universit? de Sherbrooke, S.T.I. T: 819.821.8000x2252 F: 819.821.8045 -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030129/935ff094/attachment.html From mailscanner at ecs.soton.ac.uk Wed Jan 29 16:24:59 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:06 2006 Subject: Sophos issues In-Reply-To: <1043856287.12627.183.camel@dbeauchemin.si.usherbrooke.ca> References: <5.2.0.9.0.20030129163231.031828c0@pop.fundp.ac.be> <5C0296D26910694BB9A9BBFC577E7AB0A32CA5@pascal.priv.bmrb.co.uk> <5C0296D26910694BB9A9BBFC577E7AB0A32CA5@pascal.priv.bmrb.co.uk> <5.2.0.9.0.20030129163231.031828c0@pop.fundp.ac.be> Message-ID: <5.2.0.9.2.20030129162329.06497008@imap.ecs.soton.ac.uk> At 16:04 29/01/2003, you wrote: >Le mer 29/01/2003 ? 10:34, Didier Belhomme a ?crit : >> >>At 10:14 29/01/2003 -0500, you wrote: >> >No. The sender's PC. >> > >> > > > X-MSMail-Priority: Normal >> > > > X-Mailer: Microsoft Outlook, Build 10.0.4024 >> > > >> > > They're certainly using Outlook! >> > >> >I agree but this shouldn't be held against him. >> >>The problem is perhaps that Outlook create a winmail.dat attachment which >>is rejected by MS. If it's the case, do you found something in the logs ? I >>suspect the winmail.dat to be rejected by MS because of wrong return code >>of the Sophos sweep. > >Could Outlook be sending the message twice? Once in plain text for me and >a second one for the sender in a winmail.dat? From what you have posted below, it certainly looks as if it is doing exactly that. "Curiouser and curiouser" cried Alice! 
(If that makes no sense, read Alice In Wonderland :-) >It looks like it in my maillog: >Jan 28 15:59:59 smtp2 sendmail[10556]: h0SKxwK10556: >from=, size=1096963, class=0, nrcpts=1, >msgid=<000c01c2c710$36dc8120$12b4d28 >4@STI106>, proto=ESMTP, daemon=MTA, relay=[132.210.180.18] >Jan 28 15:59:59 smtp2 sendmail[10556]: h0SKxwK10556: >to=, delay=00:00:01, mailer=relay, >pri=1126963, stat=queued >Jan 28 16:00:00 smtp2 sendmail[10558]: h0SKxxK10558: >from=, size=1112905, class=0, nrcpts=1, >msgid=<001201c2c710$37727f90$12b4d28 >4@STI106>, proto=ESMTP, daemon=MTA, relay=[132.210.180.18] >Jan 28 16:00:00 smtp2 sendmail[10558]: h0SKxxK10558: >to=, delay=00:00:01, mailer=relay, >pri=1142905, stat=queued >This is confirmed by the 2 emails that don't have the same ID: >Received: from STI106 ([132.210.180.18]) by smtp2.usherbrooke.ca > (8.11.6/8.11.6) with ESMTP id h0SKxwK10556 for > ; Tue, 28 Jan 2003 15:59:58 -0500 > >Received: from STI106 ([132.210.180.18]) > by smtp2.usherbrooke.ca (8.11.6/8.11.6) with ESMTP id h0SKxxK10558 > for ; Tue, 28 Jan 2003 15:59:59 -0500 > >What a stupid program! > >Denis > > > > >-- >Denis Beauchemin, analyste >Universit? de Sherbrooke, S.T.I. >T: 819.821.8000x2252 F: 819.821.8045 -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030129/007204a1/attachment.html From dustin.baer at IHS.COM Wed Jan 29 16:59:33 2003 
From: dustin.baer at IHS.COM (Dustin Baer) Date: Thu Jan 12 21:17:06 2006 Subject: Future release suggestion - Spam header Message-ID: <3E380875.D70E5467@ihs.com> Julian, A couple weeks ago I asked about how to turn on the SpamAssassin headers in quarantined spam. You said that the headers are added after all the checks and just before delivery to mqueue, so wouldn't show up in the quarantined qf file. I have a script that runs overnight to notify people of what was quarantined and send email in the following format: From: gslmAkiko bjwdnancey7@yahoo.com Date: Date: Tue, 28 Jan 2003 00:17:33 -0800 Subject: Your visa bill dtuxu REQUEST THIS EMAIL The "REQUEST THIS EMAIL" is a clickable link to a cgi page that will send the email along. It would be nice to include the X-MailScanner-SpamScore: in the header listings, which would mean including the MailScanner headers in quarantined/*/spam directories. Is this something you would consider for a future release of MailScanner? Thanks, Dustin -- Dustin Baer Unix Administrator/Postmaster Information Handling Services 15 Inverness Way East Englewood, CO 80112 303-397-2836 From mailscanner at ecs.soton.ac.uk Wed Jan 29 17:04:19 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:06 2006 Subject: Future release suggestion - Spam header In-Reply-To: <3E380875.D70E5467@ihs.com> Message-ID: <5.2.0.9.2.20030129170409.02754fa0@imap.ecs.soton.ac.uk> No promises, but I'll take a look at it. At 16:59 29/01/2003, you wrote: >Julian, > >A couple weeks ago I asked about how to turn on the SpamAssassin headers >in quarantined spam. You said that the headers are added after all the >checks and just before delivery to mqueue, so wouldn't show up in the >quarantined qf file. > >I have a script that runs overnight to notify people of what was >quarantined and send email in the following format: 
> >From: gslmAkiko bjwdnancey7@yahoo.com > Date: Date: Tue, 28 Jan 2003 00:17:33 -0800 > Subject: Your visa bill dtuxu > REQUEST THIS EMAIL > >The "REQUEST THIS EMAIL" is a clickable link to a cgi page that will >send the email along. > >It would be nice to include the X-MailScanner-SpamScore: in the header >listings, which would mean including the MailScanner headers in >quarantined/*/spam directories. > >Is this something you would consider for a future release of >MailScanner? > >Thanks, > >Dustin >-- >Dustin Baer >Unix Administrator/Postmaster >Information Handling Services >15 Inverness Way East >Englewood, CO 80112 >303-397-2836 -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From brian at KAOSTECH.COM Wed Jan 29 17:46:15 2003 From: brian at KAOSTECH.COM (Brian Peterson) Date: Thu Jan 12 21:17:06 2006 Subject: mqueue file permissions Message-ID: <20030129174221.M15373@kaostech.com> I've been seeing problems with the mqueue qf file modes when SpamAssassin is enabled, I've used both SpamAssassin 2.43 and 2.50. The qf files are being delivered to the mqueue directory mode 664 instead of 600 which sendmail then complains about bogus uid even though it's the permission. Has anyone seen this before? Jan 29 09:34:34 alpha sendmail[7657]: h0THY4D07651: bogus queue file, uid=0, mode=100664 Jan 29 09:34:34 alpha sendmail[7657]: h0THY4D07651: Losing ./qfh0THY4D07651: bogus file uid in mqueue -rw------- 1 root root 7 Jan 29 09:34 dfh0THY4D07651 -rw-rw-r-- 1 root root 894 Jan 29 09:34 Qfh0THY4D07651 Brian Peterson mailto:kaos@kaostech.com From mailscanner at ecs.soton.ac.uk Wed Jan 29 18:10:22 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:06 2006 Subject: mqueue file permissions In-Reply-To: <20030129174221.M15373@kaostech.com> Message-ID: <5.2.0.9.2.20030129180839.02a37e60@imap.ecs.soton.ac.uk> At 17:46 29/01/2003, you wrote: >I've been seeing problems with the mqueue qf file modes when SpamAssassin is >enabled, I've used both SpamAssassin 2.43 and 2.50. The qf files are being >delivered to the mqueue directory mode 664 instead of 600 which sendmail then >complains about bogus uid even though it's the permission. Has anyone seen >this before? I have moved the call to umask the other side of the daemonising code in case it wasn't being propagated to the child processes properly. If you want to try it for yourself, add a line saying umask 0077; near the top of the "WorkForHours" subroutine in the main /usr/sbin/MailScanner script. >Jan 29 09:34:34 alpha sendmail[7657]: h0THY4D07651: bogus queue file, uid=0, >mode=100664 >Jan 29 09:34:34 alpha sendmail[7657]: h0THY4D07651: Losing ./qfh0THY4D07651: >bogus file uid in mqueue > >-rw------- 1 root root 7 Jan 29 09:34 dfh0THY4D07651 >-rw-rw-r-- 1 root root 894 Jan 29 09:34 Qfh0THY4D07651 > > > >Brian Peterson >mailto:kaos@kaostech.com -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From hciss at HCIWS.COM Wed Jan 29 18:13:28 2003 
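The permission problem in the "mqueue file permissions" exchange above, as an added example that is not part of the original messages and is not MailScanner's code: it shows how the umask in force when a process is forked decides the mode of the queue files the child creates, and it audits a queue directory for files that are not the mode 600 the poster expected. The function names, the temporary directory and the file names are constructed for illustration.

```python
import os
import stat
import tempfile


def create_in_child(path, mask):
    """Set the umask, fork, and let the child create `path` asking for 0o666.

    Returns the permission bits the file ended up with. The child inherits
    the umask that was in force at fork() time, the same way a daemon's
    worker processes inherit whatever mask was set before they were started.
    """
    old = os.umask(mask)
    try:
        pid = os.fork()
        if pid == 0:  # child: create the file and leave immediately
            try:
                fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o666)
                os.close(fd)
                os._exit(0)
            except OSError:
                os._exit(1)
        _, status = os.waitpid(pid, 0)
        if status != 0:
            raise RuntimeError("child could not create %s" % path)
    finally:
        os.umask(old)  # restore the caller's umask
    return stat.S_IMODE(os.stat(path).st_mode)


def audit_queue(queue_dir, prefixes=("qf", "df", "Qf")):
    """Return [(name, mode)] for queue files with any group/other bits set.

    Mode 664, as in the log line quoted in the thread, is reported;
    mode 600 is not.
    """
    findings = []
    for name in sorted(os.listdir(queue_dir)):
        if not name.startswith(prefixes):
            continue
        st = os.lstat(os.path.join(queue_dir, name))
        if not stat.S_ISREG(st.st_mode):
            continue  # ignore directories, symlinks and devices
        mode = stat.S_IMODE(st.st_mode)
        if mode & 0o077:
            findings.append((name, oct(mode)))
    return findings


def demo():
    """Create two constructed queue files under different umasks and audit."""
    with tempfile.TemporaryDirectory() as queue:
        loose = create_in_child(os.path.join(queue, "qfCONSTRUCTED01"), 0o002)
        tight = create_in_child(os.path.join(queue, "qfCONSTRUCTED02"), 0o077)
        return loose, tight, audit_queue(queue)


if __name__ == "__main__":
    loose, tight, findings = demo()
    print("umask 002 ->", oct(loose))
    print("umask 077 ->", oct(tight))
    for name, mode in findings:
        print("needs attention:", name, mode)
```

Run against a real queue, `audit_queue("/var/spool/mqueue")` needs read access to that directory; the path is an assumption about the local sendmail layout.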
From: hciss at HCIWS.COM (Matt) Date: Thu Jan 12 21:17:06 2006 Subject: Announcements List Message-ID: <00bd01c2c7c2$1f9449f0$6401a8c0@matthew> Is there an announcements list for mailscanner? If so how do I un-subscribe from this one and get on it? Just too much traffic. Also, I am still running MS 3.x on my RAq 4i but it works fine and too scared to mess with it and risk hundreds of irate users. Perhaps if I ever upgrade the Raq to a Cpanel box I will update then. Anyone know an easy way to move several hundred users from a Raq to a Cpanel server? Cpanel worth a crud? Matt From mailscanner at ecs.soton.ac.uk Wed Jan 29 18:26:05 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:06 2006 Subject: Announcements List In-Reply-To: <00bd01c2c7c2$1f9449f0$6401a8c0@matthew> Message-ID: <5.2.0.9.2.20030129181920.02a11008@imap.ecs.soton.ac.uk> At 18:13 29/01/2003, you wrote: >Is there an announcements list for mailscanner? Read the home page www.mailscanner.info (in particular the bit about subscribing to the project at Freshmeat.net). > If so how do I un-subscribe >from this one and get on it? Follow the instructions for subscribing to this list, but send it the command "unsubscribe". > Just too much traffic. It is a bit busy, I agree. But it does result in very fast bugfixes among other things. It does take quite a bit of my time though, which may have to be something that changes in the near future as I'm reaching the limit of what I can do, so development time is suffering due to the support load. One of the ideas being floated at work is that I still do some support for free on the mailing list, but you may be able to buy a place nearer the front of the queue. >Also, I am still running MS 3.x on my RAq 4i but it works fine and too >scared to mess with it and risk hundreds of irate users. Perhaps if I ever >upgrade the Raq to a Cpanel box I will update then. Anyone know an easy way >to move several hundred users from a Raq to a Cpanel server? Cpanel worth a >crud? Never heard of Cpanel before. How much does the software cost? Then I might be able to package it the way Cpanel likes it, if no-one else can do it. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From jase at SENSIS.COM Wed Jan 29 18:35:55 2003 From: jase at SENSIS.COM (Desai, Jason) Date: Thu Jan 12 21:17:06 2006 Subject: /bin/cat: : No such file or directory Message-ID: Just a thought, but does the full directory path where you store spam contain any spaces or other strange characters? > -----Original Message----- 
> From: Bill Anderson [mailto:billa@STERLING.NET] > Sent: Tuesday, January 28, 2003 5:41 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: [MAILSCANNER] /bin/cat: : No such file or directory > > > I posted a message awhile back to deal with a problem message > that keeps > popping up on my console. I was given a bunch of great ideas > on where to > look, however, I could never find the problem. Shortly > thereafter, the > messages went away (that was a little spooky). > > However, the messages are back, but this time I found out > where they are > coming from. I get these messages whenever is use the > "store" option for > caught spam. I am not quarantineing (if there is such a > word) any viruses, > but I did turn "store" back on for some domains. Here is my > Mailscanner.conf file: > > Spam Actions = /etc/MailScanner/rules/strlg.spam.actions.rules > > Here is my strlg.spam.actions.rules file: > > To: domain.com bounce store > To: another.com bounce store > > If I remove the "store" option, the messages go away. Oh > yeah, here is what > the message is: > > /bin/cat: : No such file or directory > > It seems everytime I get the message, another message is > dropped in the > quarantine directory. > From henker at SHCOM.US Wed Jan 29 19:08:04 2003 From: henker at SHCOM.US (Steffan Henke) Date: Thu Jan 12 21:17:06 2006 Subject: Announcements List In-Reply-To: <5.2.0.9.2.20030129181920.02a11008@imap.ecs.soton.ac.uk> References: <5.2.0.9.2.20030129181920.02a11008@imap.ecs.soton.ac.uk> Message-ID: On Wed, 29 Jan 2003, Julian Field wrote: > Never heard of Cpanel before. How much does the software cost? Then I might > be able to package it the way Cpanel likes it, if no-one else can do it. cpanel is rather expensive, starting at $1400. http://www.cpanel.net/dist.htm Regards, Steffan From ragan_davis at COLSTATE.EDU Wed Jan 29 19:09:22 2003 
From: ragan_davis at COLSTATE.EDU (Mack Ragan) Date: Thu Jan 12 21:17:06 2006 Subject: Weird error in log after installing MailScanner Message-ID: Hi! I'm running the latest of both glibc and kernel for RH8 (that is, the latest stable that's available from RH). It would seem to me that if I had a hardware problem, and/or if I had a fundamental lib/cpu problem, then this problem would have manifested itself before MailScanner was introduced. It only happens when I run MailScanner. I can kill mailscanner and run only sendmail and the machine runs like a mclaren f1. As soon as I introduce mailscanner, the machine runs like a snail and then dies. Also, to further troubleshoot the problem, I installed RH8/sendmail/mailscanner/f-prot on a different box w/different hardware profile. Same result. Same messages in the log, and same "slow-down-to-a- stop" behavior. I love your product. It's been a godsend for us. I'd like to continue using it, but I can't if using it means that email stops being delivered. I'm gonna try to reinstall everything...maybe something got confused somewhere. I'll letcha know the result. If you have anyother suggestions please I'd like to hear them. Thanks! mack From mailscanner at ecs.soton.ac.uk Wed Jan 29 19:28:15 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:06 2006 Subject: Weird error in log after installing MailScanner In-Reply-To: Message-ID: <5.2.0.9.2.20030129192640.02b66d50@imap.ecs.soton.ac.uk> Loads of people (including me) run the same MailScanner setup as you, and have no problems. Have you tried successively switching off features to see if something (e.g. spam checking) causes the problem on your systems? At 19:09 29/01/2003, you wrote: >Hi! > >I'm running the latest of both glibc and kernel for RH8 (that is, the >latest stable that's available from RH). It would seem to me that if I had >a hardware problem, and/or if I had a fundamental lib/cpu problem, then >this problem would have manifested itself before MailScanner was >introduced. It only happens when I run MailScanner. I can kill >mailscanner and run only sendmail and the machine runs like a mclaren f1. >As soon as I introduce mailscanner, the machine runs like a snail and then >dies. Also, to further troubleshoot the problem, I installed >RH8/sendmail/mailscanner/f-prot on a different box w/different hardware >profile. Same result. Same messages in the log, and same "slow-down-to-a- >stop" behavior. I love your product. It's been a godsend for us. I'd >like to continue using it, but I can't if using it means that email stops >being delivered. I'm gonna try to reinstall everything...maybe something >got confused somewhere. I'll letcha know the result. If you have anyother >suggestions please I'd like to hear them. > >Thanks! >mack -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From mike at CAMAROSS.NET Wed Jan 29 19:37:08 2003 
From: mike at CAMAROSS.NET (Mike Kercher) Date: Thu Jan 12 21:17:06 2006 Subject: Announcements List In-Reply-To: <00bd01c2c7c2$1f9449f0$6401a8c0@matthew> Message-ID: <002a01c2c7cd$d05a5800$9801a8c0@home.middlefinger.net> Is there a reason you want to run on a Cpanel box? I recently migrated a client from a RaQ to a straight RH 7.3 box and it went very smoothly. Mike -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Matt Sent: Wednesday, January 29, 2003 12:13 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Announcements List Is there an announcements list for mailscanner? If so how do I un-subscribe from this one and get on it? Just to much traffic. Also, I am still running MS 3.x on my RAq 4i but it works fine and too scared to mess with it and risk hudreds of irrate users. Perhaps if I ever upgrade the Raq to a Cpanel box I will update then. Anyone know an easy way to move several hundred users from a Raq to a Cpanel server? Cpanel worth a crud? Matt From mike at CAMAROSS.NET Wed Jan 29 19:45:09 2003 From: mike at CAMAROSS.NET (Mike Kercher) Date: Thu Jan 12 21:17:06 2006 Subject: Weird error in log after installing MailScanner In-Reply-To: Message-ID: <002b01c2c7ce$ef51c8a0$9801a8c0@home.middlefinger.net> I saw lots of references to this on Google. Is your machine up2date? Kernel, vmalloc, etc? Are you loading any drivers that you don't need to such as sound? Mike -----Original Message----- 
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Mack Ragan
Sent: Wednesday, January 29, 2003 8:42 AM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Weird error in log after installing MailScanner

Hi!

I am getting this weird error in /var/log/messages since installing MailScanner 4.11-1. Also, MailScanner really hogs the cpu, and eventually the host runs out of memory and MailScanner dies (or is killed).

Here's the error:

Jan 29 09:40:47 lx2 kernel: Trying to vfree() nonexistent vm area (c88c6000)
Jan 29 09:40:48 lx2 kernel: c4e65ea4 c03006c0 c03006c0 c03009c8 00000003 c7e92820 00000000 c4e64000
Jan 29 09:40:51 lx2 kernel: 0000000b c0119419 c7e92820 00000206 c7e92820 c011e026 c7e92820 c15322dc
Jan 29 09:40:52 lx2 kernel: c4e64000 00000000 c4e65f30 0000000b c012438c 0000000b c0124574 0000000b
Jan 29 09:40:53 lx2 kernel: Call Trace: [] mmput [kernel] 0x39 (0xc4e65ec8))
Jan 29 09:40:53 lx2 kernel: [] do_exit [kernel] 0xa6 (0xc4e65ed8))
Jan 29 09:40:54 lx2 kernel: [] sig_exit [kernel] 0xac (0xc4e65ef4))
Jan 29 09:40:54 lx2 kernel: [] dequeue_signal [kernel] 0x64 (0xc4e65efc))
Jan 29 09:40:54 lx2 kernel: [] do_signal [kernel] 0x1f7 (0xc4e65f14))
Jan 29 09:40:55 lx2 kernel: [] deliver_signal [kernel] 0x31 (0xc4e65f68))
Jan 29 09:40:55 lx2 kernel: [] do_general_protection [kernel] 0x0 (0xc4e65fa0))
Jan 29 09:40:55 lx2 kernel: [] force_sig [kernel] 0x1f (0xc4e65fa8))
Jan 29 09:40:55 lx2 kernel: [] do_general_protection [kernel] 0x0 (0xc4e65fb8))
Jan 29 09:40:55 lx2 kernel: [] signal_return [kernel] 0x14 (0xc4e65fc0))

Any thoughts as to why this is happening?

Thanks!
Mack

From brose at MED.WAYNE.EDU Wed Jan 29 20:41:13 2003
From: brose at MED.WAYNE.EDU (Rose, Bobby)
Date: Thu Jan 12 21:17:06 2006
Subject: mqueue file permissions
Message-ID:

Weird... I just started having the exact same problem today at 12:50pm EST. Only change made was updating SA to the latest CVS of 2.50. Last update was about 4 weeks ago.

-----Original Message-----
From: Brian Peterson [mailto:brian@KAOSTECH.COM] Sent: Wednesday, January 29, 2003 12:46 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: mqueue file permissions I've been seeing problems with the mqueue qf file modes when SpamAssassin is enabled, I've used both SpamAssassin 2.43 and 2.50. The qf files are being delivered to the mqueue directory mode 664 instead of 600 which sendmail then complains about bogus uid even though it's the permission. Has anyone seen this before? Jan 29 09:34:34 alpha sendmail[7657]: h0THY4D07651: bogus queue file, uid=0, mode=100664 Jan 29 09:34:34 alpha sendmail[7657]: h0THY4D07651: Losing ./qfh0THY4D07651: bogus file uid in mqueue -rw------- 1 root root 7 Jan 29 09:34 dfh0THY4D07651 -rw-rw-r-- 1 root root 894 Jan 29 09:34 Qfh0THY4D07651 Brian Peterson mailto:kaos@kaostech.com From mailscanner at ecs.soton.ac.uk Wed Jan 29 20:46:09 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:06 2006 Subject: mqueue file permissions In-Reply-To: Message-ID: <5.2.0.9.2.20030129204307.033bce28@imap.ecs.soton.ac.uk> At 20:41 29/01/2003, you wrote: >Weird... I just started having the exact same problem today at 12:50pm >EST. Only change made was updating SA to the latest CVS of 2.50. Last >update was about 4 weeks ago. Fancy checking there are no "umask" calls in the SA code that weren't there before? The actual spam checking is done in a forked process, so umask calls in there won't have any effect. But if they have umask calls in places they shouldn't, it might be possible that they execute one in the main MS thread. If that is the case, I'm going to have to move the umask call again. Is my suggested earlier change working okay? (Adding "umask 0077;" near the top of WorkForHours() in the main /usr/sbin/MailScanner script). >-----Original Message----- 
>From: Brian Peterson [mailto:brian@KAOSTECH.COM] >Sent: Wednesday, January 29, 2003 12:46 PM >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: mqueue file permissions > > >I've been seeing problems with the mqueue qf file modes when >SpamAssassin is enabled, I've used both SpamAssassin 2.43 and 2.50. The >qf files are being delivered to the mqueue directory mode 664 instead of >600 which sendmail then complains about bogus uid even though it's the >permission. Has anyone seen this before? > >Jan 29 09:34:34 alpha sendmail[7657]: h0THY4D07651: bogus queue file, >uid=0, mode=100664 Jan 29 09:34:34 alpha sendmail[7657]: h0THY4D07651: >Losing ./qfh0THY4D07651: bogus file uid in mqueue > >-rw------- 1 root root 7 Jan 29 09:34 dfh0THY4D07651 >-rw-rw-r-- 1 root root 894 Jan 29 09:34 Qfh0THY4D07651 > > > >Brian Peterson >mailto:kaos@kaostech.com -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From ragan_davis at COLSTATE.EDU Wed Jan 29 20:49:31 2003 
From: ragan_davis at COLSTATE.EDU (Mack Ragan)
Date: Thu Jan 12 21:17:06 2006
Subject: Weird error in log after installing MailScanner
Message-ID:

Well, that's cool then. Since that's the case, I'm gonna try to switch off some of the features as you suggest and see if things improve. I'll keep u posted.

Also, another list member suggested that I make sure I was "up2date". Here's what an "up2date -l" outputs, which I'm assuming means that anything not listed is already "up2date"? Here's the output:

Name                Version   Rel
----------------------------------------------------------
cvs                 1.11.2    8
cyrus-sasl          2.1.10    1
cyrus-sasl-devel    2.1.10    1
cyrus-sasl-md5      2.1.10    1
cyrus-sasl-plain    2.1.10    1
dhclient            3.0pl1    15
krb5-devel          1.2.5     7
krb5-libs           1.2.5     7
libpng              1.2.2     8
libpng10            1.0.13    6
net-snmp            5.0.6     8.80.2
net-snmp-utils      5.0.6     8.80.2
vim-minimal         6.1       18.8x.1

You guys probably know better than I if anything here is essential to MailScanner. So, please advise if anything listed here should be installed. Note: the output shown is what's left AFTER updating everything that I thought was important, including the kernel. Please let me know if I missed something.

Thanks!
mack

From brose at MED.WAYNE.EDU Wed Jan 29 21:37:37 2003
From: brose at MED.WAYNE.EDU (Rose, Bobby)
Date: Thu Jan 12 21:17:06 2006
Subject: mqueue file permissions
Message-ID:

Adding umask above didn't fix. I checked the change log on SA and the only entry that mentions umask is

2003-01-19 04:25 felicity

  * lib/Mail/SpamAssassin/: BayesStore.pm, Conf.pm, DBBasedAddrList.pm, NoMailAudit.pm, PerMsgStatus.pm, Util.pm: Put umask around any open or tie commands. This will 1) let the *_mode options work as expected, and 2) keep some of our temp files more secure.

If I grep thru all the pm files I see some umasks set to 0 and some 077. The 077's are in their BayeStore.pm, NoMailAudit.pm and a UnixLocker.pm

So it looks like they are changing it. What a pain!

-----Original Message-----
From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] Sent: Wednesday, January 29, 2003 3:46 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: mqueue file permissions At 20:41 29/01/2003, you wrote: >Weird... I just started having the exact same problem today at 12:50pm >EST. Only change made was updating SA to the latest CVS of 2.50. Last >update was about 4 weeks ago. Fancy checking there are no "umask" calls in the SA code that weren't there before? The actual spam checking is done in a forked process, so umask calls in there won't have any effect. But if they have umask calls in places they shouldn't, it might be possible that they execute one in the main MS thread. If that is the case, I'm going to have to move the umask call again. Is my suggested earlier change working okay? (Adding "umask 0077;" near the top of WorkForHours() in the main /usr/sbin/MailScanner script). >-----Original Message----- >From: Brian Peterson [mailto:brian@KAOSTECH.COM] >Sent: Wednesday, January 29, 2003 12:46 PM >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: mqueue file permissions > > >I've been seeing problems with the mqueue qf file modes when >SpamAssassin is enabled, I've used both SpamAssassin 2.43 and 2.50. >The qf files are being delivered to the mqueue directory mode 664 >instead of 600 which sendmail then complains about bogus uid even >though it's the permission. Has anyone seen this before? > >Jan 29 09:34:34 alpha sendmail[7657]: h0THY4D07651: bogus queue file, >uid=0, mode=100664 Jan 29 09:34:34 alpha sendmail[7657]: h0THY4D07651: >Losing ./qfh0THY4D07651: bogus file uid in mqueue > >-rw------- 1 root root 7 Jan 29 09:34 dfh0THY4D07651 >-rw-rw-r-- 1 root root 894 Jan 29 09:34 Qfh0THY4D07651 > > > >Brian Peterson >mailto:kaos@kaostech.com -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From JeremyE at BSA.CA.GOV Wed Jan 29 21:52:26 2003 
From: JeremyE at BSA.CA.GOV (Jeremy Evans)
Date: Thu Jan 12 21:17:06 2006
Subject: Double File Extensions
Message-ID: <2739ECF7268CD0118F50080009DCC9F00235D2AC@pebble.bsa.ca.gov>

In the process of testing, I found that a double extension can get through if there is a space (or multiple spaces) between the first (fake) file extension and the second (actual) file extension. Since a space after the fake file extension will probably be just as invisible as the actual file extension, it could be a way to sneak past the filters while getting the same nefarious effect. I propose that by default the last line in filename.rules.conf be changed to:

deny \.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$ Found possible filename hiding Attempt to hide real filename extension

Jeremy Evans
Information Systems Analyst
California State Auditor
916-445-0255 phone
916-322-7801 fax

From mailscanner at ecs.soton.ac.uk Wed Jan 29 21:44:34 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:06 2006
Subject: SpamAssassin 2.50 news
Message-ID: <5.2.0.9.2.20030129214113.033e8de0@imap.ecs.soton.ac.uk>

For all the SpamAssassin users, here is a reply I just got on the SAtalk mailing list.

>On Wed, Jan 29, 2003 at 09:14:35PM +0000, Julian Field wrote:
> > I know this is probably a dangerous question, but is there yet any idea of
> > a very rough ETA for the next version of this wonderful package?
>
>Very rough: by end of Q1. Less, but still, rough: by end of February.
>
> > Just want to know whether I should start trying out CVS versions or just
> > wait a couple of weeks for the real release.
>
>The main code is pretty much done, but the stuff that's in progress are
>the scores.

So we've got a good 6 weeks (or thereabouts) to go before the new version of SA will be available and settled.

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Wed Jan 29 22:00:29 2003
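The rule proposed in the "Double File Extensions" message above, checked against constructed filenames. This is an added example, not code from MailScanner or from the list; the tab-separated field layout, the case-insensitive matching, first-match-wins evaluation and the baseline pattern without `\s*` are assumptions of this sketch.

```python
import re
from typing import Dict, List, NamedTuple, Optional, Tuple


class Rule(NamedTuple):
    action: str          # "allow" or "deny"
    pattern: re.Pattern  # compiled filename regex
    log_text: str        # text written to the log
    user_text: str       # text placed in the report to the user


def parse_rule(line: str) -> Rule:
    """Parse one rule line. Assumption: four tab-separated fields."""
    action, regex, log_text, user_text = line.rstrip("\n").split("\t")
    if action not in ("allow", "deny"):
        raise ValueError("unknown action: %r" % action)
    # Assumption: filenames are matched without regard to case.
    return Rule(action, re.compile(regex, re.IGNORECASE), log_text, user_text)


def first_match(rules: List[Rule], filename: str) -> Optional[Rule]:
    """Return the first rule whose pattern matches (assumed first-match-wins)."""
    for rule in rules:
        if rule.pattern.search(filename):
            return rule
    return None


def denied(rule_line: str, filename: str) -> bool:
    """True when the single rule in rule_line denies this filename."""
    hit = first_match([parse_rule(rule_line)], filename)
    return hit is not None and hit.action == "deny"


# Rule text as quoted in the message, with tabs between the four fields.
PROPOSED = ("deny\t" r"\.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$"
            "\tFound possible filename hiding"
            "\tAttempt to hide real filename extension")
# Baseline for comparison only: the same pattern with \s* taken out.
BASELINE = PROPOSED.replace(r"\s*", "")

# Constructed attachment names, not taken from real mail.
SAMPLES = [
    "invoice.pdf.exe",      # adjacent double extension
    "invoice.pdf .exe",     # one space between the extensions
    "invoice.pdf   .exe",   # several spaces between the extensions
    "invoice.pdf",          # single extension
    "archive.tar.gz",       # final extension is two characters, not three
    "notes.old.txt",        # harmless name that the rule also denies
]


def compare() -> Dict[str, Tuple[bool, bool]]:
    """Map each sample name to (denied by baseline, denied by proposed rule)."""
    return {name: (denied(BASELINE, name), denied(PROPOSED, name))
            for name in SAMPLES}


if __name__ == "__main__":
    for name, (old, new) in compare().items():
        print("%-22r baseline=%-5s proposed=%s" % (name, old, new))
```

The last sample shows the cost side of the rule: any name with two short dotted suffixes is denied, so sites that exchange such files need an earlier allow rule for them.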
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:06 2006 Subject: Double File Extensions In-Reply-To: <2739ECF7268CD0118F50080009DCC9F00235D2AC@pebble.bsa.ca.gov > Message-ID: <5.2.0.9.2.20030129220010.035c0ec0@imap.ecs.soton.ac.uk> At 21:52 29/01/2003, you wrote: >In the process of testing, I found that a double extension can get through >if there is a space (or multiple spaces) between the first (fake) file >extension and the second (actual) file extension. Since a space after the >fake file extension will probably be just as invisible as the actual file >extension, it could be a way to sneak past the filters while getting the >same nefarious effect. I propose that by default the last line in >filename.rules.conf be changed to: > >deny \.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$ Found possible filename >hiding Attempt to hide real filename extension Good idea. It will be in the next release. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Wed Jan 29 21:58:25 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:06 2006 Subject: mqueue file permissions In-Reply-To: Message-ID: <5.2.0.9.2.20030129215704.035ac008@imap.ecs.soton.ac.uk> As they might be changing the umask every time, I have moved the umask setting to much lower-level code, so that it gets done before every open file + lock it. --- /usr/lib/MailScanner/MailScanner/Lock.pm Sun Nov 24 12:06:15 2002 +++ Lock.pm Wed Jan 29 23:08:20 2003 
@@ -348,6 +348,9 @@ defined $rw or $rw = ((substr($fn,0,1) eq '>')?"w":"r"); $rw =~ /^[rs]/i or $rw = 'w'; + # Set umask every time as SpamAssassin might have reset it + umask 0077; + unless (open($fh, $fn)) { MailScanner::Log::InfoLog("Could not open file $fn: %s", $!) unless $quiet; See if that does the job. At 21:37 29/01/2003, you wrote: >Adding umask above didn't fix. I checked the change log on SA and the >only entry that mentions umask is > >2003-01-19 04:25 felicity > > * lib/Mail/SpamAssassin/: BayesStore.pm, Conf.pm, > DBBasedAddrList.pm, NoMailAudit.pm, PerMsgStatus.pm, Util.pm: >Put > umask around any open or tie commands. This will 1) let the >*_mode > options work as expected, and 2) keep some of our temp files >more > secure. > >If I grep thru all the pm files I see some umasks set to 0 and some 077. >The 077's are in their BayeStore.pm, NoMailAudit.pm and a UnixLocker.pm > > >So it looks like they are changing it. What a pain! > >-----Original Message----- >From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] >Sent: Wednesday, January 29, 2003 3:46 PM >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Re: mqueue file permissions > > >At 20:41 29/01/2003, you wrote: > >Weird... I just started having the exact same problem today at 12:50pm > >EST. Only change made was updating SA to the latest CVS of 2.50. Last > > >update was about 4 weeks ago. > >Fancy checking there are no "umask" calls in the SA code that weren't >there before? The actual spam checking is done in a forked process, so >umask calls in there won't have any effect. But if they have umask calls >in places they shouldn't, it might be possible that they execute one in >the main MS thread. If that is the case, I'm going to have to move the >umask call again. > >Is my suggested earlier change working okay? (Adding "umask 0077;" near >the top of WorkForHours() in the main /usr/sbin/MailScanner script). > > >-----Original Message----- 
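Review bot: the umask 0077 added just above open($fh, $fn) runs on every call, including when $rw is "r", and the previous mask is never restored, so the routine changes the process-wide mask as a side effect although only a create needs it. Consider capturing the old value (my $oldmask = umask 0077;) and restoring it once the open has returned, and say in the comment which files must end up mode 0600, since the comment only records that SpamAssassin might have reset the mask. Files created by code that does not pass through this routine still inherit whatever mask was set last, so that path needs its own check.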
> >From: Brian Peterson [mailto:brian@KAOSTECH.COM] > >Sent: Wednesday, January 29, 2003 12:46 PM > >To: MAILSCANNER@JISCMAIL.AC.UK > >Subject: mqueue file permissions > > > > > >I've been seeing problems with the mqueue qf file modes when > >SpamAssassin is enabled, I've used both SpamAssassin 2.43 and 2.50. > >The qf files are being delivered to the mqueue directory mode 664 > >instead of 600 which sendmail then complains about bogus uid even > >though it's the permission. Has anyone seen this before? > > > >Jan 29 09:34:34 alpha sendmail[7657]: h0THY4D07651: bogus queue file, > >uid=0, mode=100664 Jan 29 09:34:34 alpha sendmail[7657]: h0THY4D07651: > >Losing ./qfh0THY4D07651: bogus file uid in mqueue > > > >-rw------- 1 root root 7 Jan 29 09:34 dfh0THY4D07651 > >-rw-rw-r-- 1 root root 894 Jan 29 09:34 Qfh0THY4D07651 > > > > > > > >Brian Peterson > >mailto:kaos@kaostech.com > >-- >Julian Field >www.MailScanner.info >MailScanner thanks transtec Computers for their support -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From brose at MED.WAYNE.EDU Wed Jan 29 22:15:05 2003 From: brose at MED.WAYNE.EDU (Rose, Bobby) Date: Thu Jan 12 21:17:06 2006 Subject: mqueue file permissions Message-ID: Bingo I think that did it. SA is enabled and the mask is getting set correctly. -----Original Message----- From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] Sent: Wednesday, January 29, 2003 4:58 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: mqueue file permissions As they might be changing the umask every time, I have moved the umask setting to much lower-level code, so that it gets done before every open file + lock it. --- /usr/lib/MailScanner/MailScanner/Lock.pm Sun Nov 24 12:06:15 2002 +++ Lock.pm Wed Jan 29 23:08:20 2003 
@@ -348,6 +348,9 @@ defined $rw or $rw = ((substr($fn,0,1) eq '>')?"w":"r"); $rw =~ /^[rs]/i or $rw = 'w'; + # Set umask every time as SpamAssassin might have reset it + umask 0077; + unless (open($fh, $fn)) { MailScanner::Log::InfoLog("Could not open file $fn: %s", $!) unless $quiet; See if that does the job. At 21:37 29/01/2003, you wrote: >Adding umask above didn't fix. I checked the change log on SA and the >only entry that mentions umask is > >2003-01-19 04:25 felicity > > * lib/Mail/SpamAssassin/: BayesStore.pm, Conf.pm, > DBBasedAddrList.pm, NoMailAudit.pm, PerMsgStatus.pm, Util.pm: >Put > umask around any open or tie commands. This will 1) let the >*_mode > options work as expected, and 2) keep some of our temp files >more > secure. > >If I grep thru all the pm files I see some umasks set to 0 and some >077. The 077's are in their BayeStore.pm, NoMailAudit.pm and a >UnixLocker.pm > > >So it looks like they are changing it. What a pain! > >-----Original Message----- >From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] >Sent: Wednesday, January 29, 2003 3:46 PM >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Re: mqueue file permissions > > >Fancy checking there are no "umask" calls in the SA code that weren't >there before? The actual spam checking is done in a forked process, so >umask calls in there won't have any effect. But if they have umask >calls in places they shouldn't, it might be possible that they execute >one in the main MS thread. If that is the case, I'm going to have to >move the umask call again. > >Is my suggested earlier change working okay? (Adding "umask 0077;" near >the top of WorkForHours() in the main /usr/sbin/MailScanner script). > > >-----Original Message----- 
> >From: Brian Peterson [mailto:brian@KAOSTECH.COM] > >Sent: Wednesday, January 29, 2003 12:46 PM > >To: MAILSCANNER@JISCMAIL.AC.UK > >Subject: mqueue file permissions > > > > > >I've been seeing problems with the mqueue qf file modes when > >SpamAssassin is enabled, I've used both SpamAssassin 2.43 and 2.50. > >The qf files are being delivered to the mqueue directory mode 664 > >instead of 600 which sendmail then complains about bogus uid even > >though it's the permission. Has anyone seen this before? > > > >Jan 29 09:34:34 alpha sendmail[7657]: h0THY4D07651: bogus queue file, > >uid=0, mode=100664 Jan 29 09:34:34 alpha sendmail[7657]: > >h0THY4D07651: Losing ./qfh0THY4D07651: bogus file uid in mqueue > > > >-rw------- 1 root root 7 Jan 29 09:34 dfh0THY4D07651 > >-rw-rw-r-- 1 root root 894 Jan 29 09:34 Qfh0THY4D07651 > > > > > > > >Brian Peterson > >mailto:kaos@kaostech.com > >-- >Julian Field >www.MailScanner.info >MailScanner thanks transtec Computers for their support -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From hciss at HCIWS.COM Thu Jan 30 00:16:44 2003 
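The "mqueue file permissions" thread above depends on the umask being per-process state: a call made in a forked child leaves the parent alone, a call made in the main process changes the mode of every file created afterwards. The following added example (not MailScanner or SpamAssassin code; the function names, the 0002 mask and the owner-only acceptance check are constructed for illustration) reproduces the 664 versus 600 outcome, the reset-before-open fix, and an alternative that does not rely on the umask.

```python
import os
import stat
import tempfile

QUEUE_UMASK = 0o077  # the value used in the thread's fix


def library_call_that_resets_umask():
    """Hypothetical stand-in for library code that sets a umask and leaves it."""
    os.umask(0o002)


def create_mode(path):
    """Create path with a plain open-for-write and return its permission bits."""
    with open(path, "w") as fh:
        fh.write("queue data\n")
    return stat.S_IMODE(os.stat(path).st_mode)


def run_in_child(func):
    """Run func in a forked child and wait; the parent's umask is untouched."""
    pid = os.fork()
    if pid == 0:
        try:
            func()
        finally:
            os._exit(0)
    os.waitpid(pid, 0)


def open_private(path):
    """Same idea as the fix in the thread: set the umask right before the create."""
    os.umask(QUEUE_UMASK)
    return create_mode(path)


def open_private_explicit(path):
    """Alternative: request 0600 at creation and enforce it with fchmod."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    try:
        os.fchmod(fd, 0o600)
        os.write(fd, b"queue data\n")
    finally:
        os.close(fd)
    return stat.S_IMODE(os.stat(path).st_mode)


def queue_file_acceptable(mode):
    """Constructed check: accept only files with no group or other bits set."""
    return mode & 0o077 == 0


def demo():
    """Return the permission bits observed in each scenario."""
    results = {}
    saved = os.umask(QUEUE_UMASK)          # start as the queue runner would
    try:
        with tempfile.TemporaryDirectory() as d:
            results["baseline"] = create_mode(os.path.join(d, "qf1"))
            run_in_child(library_call_that_resets_umask)
            results["after_child_call"] = create_mode(os.path.join(d, "qf2"))
            library_call_that_resets_umask()   # same call, main process
            results["after_inprocess_call"] = create_mode(os.path.join(d, "qf3"))
            results["reset_before_open"] = open_private(os.path.join(d, "qf4"))
            library_call_that_resets_umask()
            results["explicit_mode"] = open_private_explicit(os.path.join(d, "qf5"))
    finally:
        os.umask(saved)                    # leave the caller's mask as found
    return results


if __name__ == "__main__":
    for scenario, mode in demo().items():
        print("%-22s %04o acceptable=%s"
              % (scenario, mode, queue_file_acceptable(mode)))
```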
From: hciss at HCIWS.COM (Matt)
Date: Thu Jan 12 21:17:06 2006
Subject: Announcements List OT
References: <002a01c2c7cd$d05a5800$9801a8c0@home.middlefinger.net>
Message-ID: <016701c2c7f4$e13fd600$6401a8c0@matthew>

We are a small wireless ISP and starting to host a few domains for some of our customers. I want something that is easier for the end user and us to run. I don't like being the only one that knows how to add DNS records and new domains to the raq. Also, adding updates to the Raq not approved by Cobalt seems risky at breaking the Gui. The reason I am not running 4.x yet. I think the Cpanel (www.cpanel.net) is just a very advanced webmin interface that runs on Linux. Is there anything else out there that works like the Cpanel or Raq GUI?

What would be really cool is if I could allow each domain decide by its siteadmin's GUI interface which blacklists and so on they wanted to use. Right now I just do this through sendmail.cf and cannot turn it off per user or domain.

Matt

> Is there a reason you want to run on a Cpanel box? I recently migrated
> a client from a RaQ to a straight RH 7.3 box and it went very smoothly.
>
> Mike

From mike at TECHINTER.COM Thu Jan 30 00:16:41 2003
From: mike at TECHINTER.COM (Mike Williams)
Date: Thu Jan 12 21:17:06 2006
Subject: MailScanner something wrong with new install
In-Reply-To:
Message-ID:

Have a new MailScanner install on RedHat 7.1 using the RPM. Everything seems to have installed correctly and MailScanner starts successfully but strangely when using ps to see the processes it lists each as defunct and then all of them go away except one and the pid on that one changes. The mqueue.in fills up and none of the messages are processed. The maillog is repeating that MailScanner is starting.... Message log says MailScanner started successfully.

I'm sure that I'm missing something but I can't see it. Any clues would be great.

Mike Williams
IWC Inc.
30 South Whitney St Suite 1
Grayslake, IL 60030
ph. 847-543-7309 x 14
fax 847-543-1828
Toll free 877-492-6381
http://www.iwc.net

From JeremyE at BSA.CA.GOV Thu Jan 30 00:49:19 2003
From: JeremyE at BSA.CA.GOV (Jeremy Evans) Date: Thu Jan 12 21:17:06 2006 Subject: SpamCheck is blank, SpamScore is absent Message-ID: <2739ECF7268CD0118F50080009DCC9F00235D2AD@pebble.bsa.ca.gov> I'm currently testing MailScanner 4.11-1 and all messages I send through it have a blank SpamCheck, and a missing SpamScore. I thought this had been discussed on the mailing list before, but I haven't been able to find it after some searching. The logs list "Spam Checks: Starting" and "Virus and Content Scanning: Starting", but never say that the message is spam even if I try pretty hard to add a lot of obvious spam phrases to the message. The spam.actions.rules files are set to deliver all spam, and the spam.whitelist.rules file is set to "FromTo: default no". The spam.assassin.prefs.conf file hasn't been modified. If anyone could post the answer again, I'd appreciate it. Thanks in advance. Jeremy Evans Information Systems Analyst California State Auditor 916-445-0255 phone 916-322-7801 fax -- Excerpt from header of message -- X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2800.1106 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106 X-BSA-MailScanner: Clean X-BSA-SpamCheck: This is a multi-part message in MIME format. 
------=_NextPart_000_010F_01C2C7B0.3D6388E0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable -- Excerpt from maillog -- Jan 29 09:06:31 riviera MailScanner[25974]: New Batch: Scanning 1 messages, 2735 bytes Jan 29 09:06:31 riviera MailScanner[25974]: Spam Checks: Starting Jan 29 09:06:31 riviera MailScanner[25974]: Virus and Content Scanning: Starting Jan 29 09:06:32 riviera MailScanner[25974]: Uninfected: Delivered 1 messages -- Excerpt from MailScanner.conf -- Mail Header = X-BSA-MailScanner: Spam Header = X-BSA-SpamCheck: Spam Score Header = X-BSA-SpamScore: Spam Score Character = s Clean Header Value = Clean Infected Header Value = Infected Disinfected Header Value = Disinfected Multiple Headers = append Hostname = the MailScanner Sign Messages Already Processed = no Sign Clean Messages = no Mark Infected Messages = yes Mark Unscanned Messages = no Deliver Cleaned Messages = yes Scanned Modify Subject = no # end Filename Subject Text = {Restricted-File-Attachment} Spam Modify Subject = yes Spam Subject Text = {Probably-Spam} High Scoring Spam Modify Subject = yes High Scoring Spam Subject Text = {Almost-Definitely-Spam} Spam Checks = no Is Definitely Not Spam = /opt/MailScanner/etc/rules/spam.whitelist.rules Is Definitely Spam = /opt/MailScanner/etc/rules/spam.blacklist.rules Use SpamAssassin = yes Max SpamAssassin Size = 50000 Required SpamAssassin Score = 5 High SpamAssassin Score = 10 SpamAssassin Auto Whitelist = no SpamAssassin Prefs File = /opt/MailScanner/etc/spam.assassin.prefs.conf SpamAssassin Timeout = 60 Max SpamAssassin Timeouts = 20 Check SpamAssassin If On Spam List = yes Always Include SpamAssassin Report = yes Spam Score = yes Spam Actions = /opt/MailScanner/etc/rules/spam.actions.rules High Scoring Spam Actions = /opt/MailScanner/etc/rules/spam.high.actions.rules Sender Spam Report = /opt/MailScanner/etc/reports/en/sender.spam.report.txt Sender Spam List Report = 
/opt/MailScanner/etc/reports/en/sender.spam.rbl.report.txt Sender SpamAssassin Report = /opt/MailScanner/etc/reports/en/sender.spam.sa.report.txt Syslog Facility = mail Log Spam = yes Log Permitted Filenames = yes Debug = no Deliver In Background = yes Delivery Method = batch Lockfile Dir = /tmp Minimum Code Status = supported From billa at STERLING.NET Thu Jan 30 01:03:01 2003 From: billa at STERLING.NET (Bill Anderson) Date: Thu Jan 12 21:17:06 2006 Subject: /bin/cat: : No such file or directory In-Reply-To: Message-ID: No spaces or strange characters. The spam is stored in the correct place as well. > -----Original Message----- > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > Behalf Of Desai, Jason > Sent: Wednesday, January 29, 2003 10:36 AM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: /bin/cat: : No such file or directory > > > Just a thought, but does the full directory path where you store spam > contain any spaces or other strange characters? > > > -----Original Message----- 
> > From: Bill Anderson [mailto:billa@STERLING.NET] > > Sent: Tuesday, January 28, 2003 5:41 PM > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: [MAILSCANNER] /bin/cat: : No such file or directory > > > > > > I posted a message awhile back to deal with a problem message > > that keeps > > popping up on my console. I was given a bunch of great ideas > > on where to > > look, however, I could never find the problem. Shortly > > thereafter, the > > messages went away (that was a little spooky). > > > > However, the messages are back, but this time I found out > > where they are > > coming from. I get these messages whenever is use the > > "store" option for > > caught spam. I am not quarantineing (if there is such a > > word) any viruses, > > but I did turn "store" back on for some domains. Here is my > > Mailscanner.conf file: > > > > Spam Actions = /etc/MailScanner/rules/strlg.spam.actions.rules > > > > Here is my strlg.spam.actions.rules file: > > > > To: domain.com bounce store > > To: another.com bounce store > > > > If I remove the "store" option, the messages go away. Oh > > yeah, here is what > > the message is: > > > > /bin/cat: : No such file or directory > > > > It seems everytime I get the message, another message is > > dropped in the > > quarantine directory. > > > From sevans at FOUNDATION.SDSU.EDU Thu Jan 30 03:31:27 2003 From: sevans at FOUNDATION.SDSU.EDU (Steve Evans) Date: Thu Jan 12 21:17:06 2006 Subject: SpamAssassin 2.50 news Message-ID: <6214C3F9233D764C9E7029396C35501568296B@mail.foundation.sdsu.edu> Have you looked into how the bayes filtering is going to work with MailScanner? My understanding is that bayes is designed to learn off a single user, and may not have desirable affects when the learning process uses your entire mail flow. Steve Evans SDSU Foundation (619) 594-0653 -----Original Message----- 
From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] Sent: Wednesday, January 29, 2003 1:45 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: SpamAssassin 2.50 news For all the SpamAssassin users, here is a reply I just got on the SAtalk mailing list. >On Wed, Jan 29, 2003 at 09:14:35PM +0000, Julian Field wrote: > > I know this is probably a dangerous question, but is there yet any > > idea of a very rough ETA for the next version of this wonderful > > package? > >Very rough: by end of Q1. Less, but still, rough: by end of Februrary. > > > Just want to know whether I should start trying out CVS versions or > > just wait a couple of weeks for the real release. > >The main code is pretty much done, but the stuff that's in progress are >the scores. So we've got a good 6 weeks (or thereabouts) to go before the new version of SA will be available and settled. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From brose at MED.WAYNE.EDU Thu Jan 30 03:59:37 2003 From: brose at MED.WAYNE.EDU (Rose, Bobby) Date: Thu Jan 12 21:17:06 2006 Subject: SpamAssassin 2.50 news Message-ID: Autolearning isn't in there yet. Even so it'll be a configurable option. -----Original Message----- From: Steve Evans [mailto:sevans@FOUNDATION.SDSU.EDU] Sent: Wednesday, January 29, 2003 10:31 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: SpamAssassin 2.50 news Have you looked into how the bayes filtering is going to work with MailScanner? My understanding is that bayes is designed to learn off a single user, and may not have desirable affects when the learning process uses your entire mail flow. Steve Evans SDSU Foundation (619) 594-0653 -----Original Message----- 
From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] Sent: Wednesday, January 29, 2003 1:45 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: SpamAssassin 2.50 news For all the SpamAssassin users, here is a reply I just got on the SAtalk mailing list. >On Wed, Jan 29, 2003 at 09:14:35PM +0000, Julian Field wrote: > > I know this is probably a dangerous question, but is there yet any > > idea of a very rough ETA for the next version of this wonderful > > package? > >Very rough: by end of Q1. Less, but still, rough: by end of Februrary. > > > Just want to know whether I should start trying out CVS versions or > > just wait a couple of weeks for the real release. > >The main code is pretty much done, but the stuff that's in progress are >the scores. So we've got a good 6 weeks (or thereabouts) to go before the new version of SA will be available and settled. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From Q.G.Campbell at NEWCASTLE.AC.UK Thu Jan 30 08:30:32 2003 From: Q.G.Campbell at NEWCASTLE.AC.UK (Quentin Campbell) Date: Thu Jan 12 21:17:06 2006 Subject: Spam.whitelist.rules file question Message-ID: <08AC2E825474534ABB2D6EDB643FC7F80F4CFD@bond.ncl.ac.uk> Yesterday morning I updated the spam.whitelist.rules file (on cheviot1) so that it now looks like: .... From: *.messagelabs.com yes 
From: default no However at 18:30 a message that should have been whitelisted was in fact tagged as spam. The envelope-from address in the tagged message is given in: Received: from mail9.messagelabs.com (mail9.messagelabs.com [194.205.110.133]) by cheviot1.ncl.ac.uk (8.10.1/8.10.1) with SMTP id h0TIU5k31581 for ; Wed, 29 Jan 2003 18:30:05 GMT Other whitelisted entries appear to be working OK so I am perplexed as to why this one was tagged. Quentin --- PHONE: +44 191 222 8209 Computing Service, University of Newcastle FAX: +44 191 222 8765 Newcastle upon Tyne, United Kingdom, NE1 7RU. ------------------------------------------------------------------------ "Any opinion expressed above is mine. The University can get its own." From mailscanner at ecs.soton.ac.uk Thu Jan 30 09:59:44 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:06 2006 Subject: SpamCheck is blank, SpamScore is absent In-Reply-To: <2739ECF7268CD0118F50080009DCC9F00235D2AD@pebble.bsa.ca.gov > Message-ID: <5.2.0.9.2.20030130095917.02576188@imap.ecs.soton.ac.uk> At 00:49 30/01/2003, you wrote: >I'm currently testing MailScanner 4.11-1 and all messages I send through it >have a blank SpamCheck, and a missing SpamScore. I thought this had been >discussed on the mailing list before, but I haven't been able to find it >after some searching. The logs list "Spam Checks: Starting" and "Virus and >Content Scanning: Starting", but never say that the message is spam even if >I try pretty hard to add a lot of obvious spam phrases to the message. The >spam.actions.rules files are set to deliver all spam, and the >spam.whitelist.rules file is set to "FromTo: default no". The >spam.assassin.prefs.conf file hasn't been modified. > >If anyone could post the answer again, I'd appreciate it. Thanks in >advance. You currently have spam checks switched off. Set Spam Checks = yes >Jeremy Evans >Information Systems Analyst >California State Auditor >916-445-0255 phone >916-322-7801 fax > > >-- Excerpt from header of message -- > >X-Priority: 3 >X-MSMail-Priority: Normal >X-Mailer: Microsoft Outlook Express 6.00.2800.1106 >X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106 >X-BSA-MailScanner: Clean >X-BSA-SpamCheck: > >This is a multi-part message in MIME format. 
> >------=_NextPart_000_010F_01C2C7B0.3D6388E0 >Content-Type: text/plain; > charset="iso-8859-1" >Content-Transfer-Encoding: quoted-printable > > >-- Excerpt from maillog -- > >Jan 29 09:06:31 riviera MailScanner[25974]: New Batch: Scanning 1 messages, >2735 bytes >Jan 29 09:06:31 riviera MailScanner[25974]: Spam Checks: Starting >Jan 29 09:06:31 riviera MailScanner[25974]: Virus and Content Scanning: >Starting >Jan 29 09:06:32 riviera MailScanner[25974]: Uninfected: Delivered 1 messages > > >-- Excerpt from MailScanner.conf -- > >Mail Header = X-BSA-MailScanner: >Spam Header = X-BSA-SpamCheck: >Spam Score Header = X-BSA-SpamScore: >Spam Score Character = s >Clean Header Value = Clean >Infected Header Value = Infected >Disinfected Header Value = Disinfected >Multiple Headers = append >Hostname = the MailScanner >Sign Messages Already Processed = no >Sign Clean Messages = no >Mark Infected Messages = yes >Mark Unscanned Messages = no >Deliver Cleaned Messages = yes >Scanned Modify Subject = no # end >Filename Subject Text = {Restricted-File-Attachment} >Spam Modify Subject = yes >Spam Subject Text = {Probably-Spam} >High Scoring Spam Modify Subject = yes >High Scoring Spam Subject Text = {Almost-Definitely-Spam} >Spam Checks = no >Is Definitely Not Spam = /opt/MailScanner/etc/rules/spam.whitelist.rules >Is Definitely Spam = /opt/MailScanner/etc/rules/spam.blacklist.rules >Use SpamAssassin = yes >Max SpamAssassin Size = 50000 >Required SpamAssassin Score = 5 >High SpamAssassin Score = 10 >SpamAssassin Auto Whitelist = no >SpamAssassin Prefs File = /opt/MailScanner/etc/spam.assassin.prefs.conf >SpamAssassin Timeout = 60 >Max SpamAssassin Timeouts = 20 >Check SpamAssassin If On Spam List = yes >Always Include SpamAssassin Report = yes >Spam Score = yes >Spam Actions = /opt/MailScanner/etc/rules/spam.actions.rules >High Scoring Spam Actions = >/opt/MailScanner/etc/rules/spam.high.actions.rules >Sender Spam Report = /opt/MailScanner/etc/reports/en/sender.spam.report.txt 
>Sender Spam List Report = >/opt/MailScanner/etc/reports/en/sender.spam.rbl.report.txt >Sender SpamAssassin Report = >/opt/MailScanner/etc/reports/en/sender.spam.sa.report.txt >Syslog Facility = mail >Log Spam = yes >Log Permitted Filenames = yes >Debug = no >Deliver In Background = yes >Delivery Method = batch >Lockfile Dir = /tmp >Minimum Code Status = supported -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Thu Jan 30 09:58:03 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:06 2006 Subject: Announcements List OT In-Reply-To: <016701c2c7f4$e13fd600$6401a8c0@matthew> References: <002a01c2c7cd$d05a5800$9801a8c0@home.middlefinger.net> Message-ID: <5.2.0.9.2.20030130095605.020516f8@imap.ecs.soton.ac.uk> At 00:16 30/01/2003, you wrote: >We are a small wireless ISP and starting to host a few domains for some of >our custommers. I want something that is easier for the end user and us to >run. I don't like being the only one that knows how to add DNS records and >new domains to the raq. Also, adding updates to the Raq not approved by >Cobalt seems risky at breaking the Gui. The reason I am not running 4.x >yet. I think the Cpanel (www.cpanel.net) is just a very advanced webmin >interface that runs on Linux. Is there anything else out there that works >like the Cpanel or Raq GUI? > >What would be really cool is if I could allow each domain decide by its >siteadmin's GUI interface which blacklists and so on they wanted to use. >Right now I just do this through sendmail.cf and cannot turn it off per user >or domain. You will get the "per domain or per user" control you want if you move to version 4. There is a webmin module on its way, there should be a new version out on 1st Feb. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Thu Jan 30 09:55:00 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:06 2006 Subject: MailScanner something wrong with new install In-Reply-To: References: Message-ID: <5.2.0.9.2.20030130095114.026c1918@imap.ecs.soton.ac.uk> Something is stopping it starting correctly. Sounds like the whole thing is dying when it tries to create the child processes. Have you installed SpamAssassin? I would suspect a) you don't have some module installed. Did the install.sh work properly or did it produce some errors? b) errors in your MailScanner.conf, though I would hope that would produce log messages Possible permissions problem. Are you using sendmail or Exim? At 00:16 30/01/2003, you wrote: >Have a new MailScanner install on RedHat 7.1 using the RPM. Everything >seems to have installed correctly and MailScanner starts successfully but >strangely when using ps to see the processes it lists each as defunct and >then all of them go away except one and the pid on that one changes. The >mqueue.in fills up and none of the messages are process. The maillog is >repeating that MailScanner is starting.... Message log says MailScanner >started successfully. I'm sure that I'm missing something but I can't see >it. Any clues would be great. > >Mike Williams >IWC Inc. >30 South Whitney St Suite 1 >Grayslake, IL 60030 >ph. 847-543-7309 x 14 >fax 847-543-1828 >Toll free 877-492-6381 >http://www.iwc.net -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Thu Jan 30 09:50:40 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:06 2006 Subject: /bin/cat: : No such file or directory In-Reply-To: References: Message-ID: <5.2.0.9.2.20030130094918.02637340@imap.ecs.soton.ac.uk> At 01:03 30/01/2003, you wrote: >No spaces or strange characters. The spam is stored in the correct place as >well. So everything is working, but you get this error? If you are asking for whole messages to be quarantined, all mail to be archived and spam to be stored, do all 3 features still work? What does your MailScanner.conf look like? > > -----Original Message----- > > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > > Behalf Of Desai, Jason > > Sent: Wednesday, January 29, 2003 10:36 AM > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: Re: /bin/cat: : No such file or directory > > > > > > Just a thought, but does the full directory path where you store spam > > contain any spaces or other strange characters? > > > > > -----Original Message----- 
> > > From: Bill Anderson [mailto:billa@STERLING.NET] > > > Sent: Tuesday, January 28, 2003 5:41 PM > > > To: MAILSCANNER@JISCMAIL.AC.UK > > > Subject: [MAILSCANNER] /bin/cat: : No such file or directory > > > > > > > > > I posted a message awhile back to deal with a problem message > > > that keeps > > > popping up on my console. I was given a bunch of great ideas > > > on where to > > > look, however, I could never find the problem. Shortly > > > thereafter, the > > > messages went away (that was a little spooky). > > > > > > However, the messages are back, but this time I found out > > > where they are > > > coming from. I get these messages whenever is use the > > > "store" option for > > > caught spam. I am not quarantineing (if there is such a > > > word) any viruses, > > > but I did turn "store" back on for some domains. Here is my > > > Mailscanner.conf file: > > > > > > Spam Actions = /etc/MailScanner/rules/strlg.spam.actions.rules > > > > > > Here is my strlg.spam.actions.rules file: > > > > > > To: domain.com bounce store > > > To: another.com bounce store > > > > > > If I remove the "store" option, the messages go away. Oh > > > yeah, here is what > > > the message is: > > > > > > /bin/cat: : No such file or directory > > > > > > It seems everytime I get the message, another message is > > > dropped in the > > > quarantine directory. > > > > > -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Thu Jan 30 10:03:13 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:06 2006 Subject: Spam.whitelist.rules file question In-Reply-To: <08AC2E825474534ABB2D6EDB643FC7F80F4CFD@bond.ncl.ac.uk> Message-ID: <5.2.0.9.2.20030130100035.020b5150@imap.ecs.soton.ac.uk> At 08:30 30/01/2003, you wrote: >Yesterday morning I updated the spam.whitelist.rules file (on cheviot1) >so that it now looks like: > > .... > From: *.messagelabs.com yes 
> From: default no So if the envelope sender address ends in ".messagelabs.com" then it is whitelisted. >However at 18:30 a message that should have been whitelisted was in fact >tagged as spam. The envelope-from address in the tagged message is given >in: > >Received: from mail9.messagelabs.com That's the name of the host, not the email address that sent the message to you. If you want to whitelist mail from specific IP addresses, then you need to whitelist those specific numeric IP's (or use a regular expression that covers them). > (mail9.messagelabs.com [194.205.110.133]) > by cheviot1.ncl.ac.uk (8.10.1/8.10.1) with SMTP id h0TIU5k31581 > for ; Wed, 29 Jan 2003 18:30:05 GMT > >Other whitelisted entries appear to be working OK so I am perplexed as >to why this one was tagged. > >Quentin >--- >PHONE: +44 191 222 8209 Computing Service, University of Newcastle >FAX: +44 191 222 8765 Newcastle upon Tyne, United Kingdom, NE1 7RU. >------------------------------------------------------------------------ >"Any opinion expressed above is mine. The University can get its own." -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From P.G.M.Peters at civ.utwente.nl Thu Jan 30 11:08:13 2003 From: P.G.M.Peters at civ.utwente.nl (Peter Peters) Date: Thu Jan 12 21:17:06 2006 Subject: Future release suggestion - Spam header In-Reply-To: <3E380875.D70E5467@ihs.com> References: <3E380875.D70E5467@ihs.com> Message-ID: <4p1i3vssig9l1hqbllcshcgest1sbv5m55@4ax.com> On Wed, 29 Jan 2003 09:59:33 -0700, you wrote: >I have a script that runs overnight to notify people of what was >quarantined and send email in the following format: 
> >From: gslmAkiko bjwdnancey7@yahoo.com > Date: Date: Tue, 28 Jan 2003 00:17:33 -0800 > Subject: Your visa bill dtuxu > REQUEST THIS EMAIL > >The "REQUEST THIS EMAIL" is a clickable link to a cgi page that will >send the email along. Could you share this script and/or your setup? I have had also questions about sending the e-mail along. In the past this occuried once a month at most, but since I also block IFrame's and the like I get a couple a week. It would be nice to have the ability for the users to request the e-mail. It would even be nicer if this link could be included in the message the user gets. -- Peter Peters senior netwerkbeheerder Centrum voor InformatieTechnologie, Bibliotheek en Educatie Universiteit Twente, Postbus 217, 7500 AE Enschede telefoon: +31 53 489 2301, fax:+31 53 489 2383, http://www.utwente.nl/civ From smhickel at CHARTERMI.NET Thu Jan 30 12:21:43 2003 From: smhickel at CHARTERMI.NET (Steve Hickel) Date: Thu Jan 12 21:17:06 2006 Subject: Spam.whitelist.rules file question In-Reply-To: <5.2.0.9.2.20030130100035.020b5150@imap.ecs.soton.ac.uk> References: <5.2.0.9.2.20030130100035.020b5150@imap.ecs.soton.ac.uk> Message-ID: <1043929302.1513.3.camel@steve.hickel.info> So you are saying that he needed to put 194.205.110.133 instead or in addition to? Steve On Thu, 2003-01-30 at 05:03, Julian Field wrote: > At 08:30 30/01/2003, you wrote: > >Yesterday morning I updated the spam.whitelist.rules file (on cheviot1) > >so that it now looks like: > > > > .... > > From: *.messagelabs.com yes 
> > From: default no > > So if the envelope sender address ends in ".messagelabs.com" then it is > whitelisted. > > >However at 18:30 a message that should have been whitelisted was in fact > >tagged as spam. The envelope-from address in the tagged message is given > >in: > > > >Received: from mail9.messagelabs.com > > That's the name of the host, not the email address that sent the message to > you. > > If you want to whitelist mail from specific IP addresses, then you need to > whitelist those specific numeric IP's (or use a regular expression that > covers them). > > > (mail9.messagelabs.com [194.205.110.133]) > > by cheviot1.ncl.ac.uk (8.10.1/8.10.1) with SMTP id h0TIU5k31581 > > for ; Wed, 29 Jan 2003 18:30:05 GMT > > > >Other whitelisted entries appear to be working OK so I am perplexed as > >to why this one was tagged. > > > >Quentin > >--- > >PHONE: +44 191 222 8209 Computing Service, University of Newcastle > >FAX: +44 191 222 8765 Newcastle upon Tyne, United Kingdom, NE1 7RU. > >------------------------------------------------------------------------ > >"Any opinion expressed above is mine. The University can get its own." > > -- > Julian Field > www.MailScanner.info > MailScanner thanks transtec Computers for their support -- Steve Hickel -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: This is a digitally signed message part Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030130/9fcc4b14/attachment.bin From mailscanner at ecs.soton.ac.uk Thu Jan 30 12:27:57 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:06 2006
Subject: Spam.whitelist.rules file question
In-Reply-To: <1043929302.1513.3.camel@steve.hickel.info>
References: <5.2.0.9.2.20030130100035.020b5150@imap.ecs.soton.ac.uk> <5.2.0.9.2.20030130100035.020b5150@imap.ecs.soton.ac.uk>
Message-ID: <5.2.0.9.2.20030130122129.04b7eff8@imap.ecs.soton.ac.uk>

At 12:21 30/01/2003, you wrote:
>So you are saying that he needed to put 194.205.110.133 instead or in
>addition to?

Instead.
Normally the thing in the rule is (a pattern matching) the email address. But if it doesn't contain any letters, it interprets it as (a pattern matching) the IP address. There currently isn't a way of matching the hostname by name, only by number.

I think that relying on the hostname is actually not very good, as you leave yourself open to simple DNS attacks. Say "nasty.com" own the IP address range 1.2.3.*. If they setup their DNS server so that the reverse record for 1.2.3.4 claims to be "mail.good.com" instead of "mail.nasty.com", then any mail from 1.2.3.4 will be treated by your server as being from "mail.good.com" instead of "something.nasty.com". To be sure this isn't happening to you, you have to do forward and reverse lookups and check they all match and are consistent with each other. This takes time to execute, and I haven't written it yet.

>Steve
>
>On Thu, 2003-01-30 at 05:03, Julian Field wrote:
> > At 08:30 30/01/2003, you wrote:
> > >Yesterday morning I updated the spam.whitelist.rules file (on cheviot1)
> > >so that it now looks like:
> > >
> > > ....
> > > From: *.messagelabs.com yes
> > > From: default no
> >
> > So if the envelope sender address ends in ".messagelabs.com" then it is
> > whitelisted.
> >
> > >However at 18:30 a message that should have been whitelisted was in fact
> > >tagged as spam. The envelope-from address in the tagged message is given
> > >in:
> > >
> > >Received: from mail9.messagelabs.com
> >
> > That's the name of the host, not the email address that sent the message to
> > you.
> >
> > If you want to whitelist mail from specific IP addresses, then you need to
> > whitelist those specific numeric IP's (or use a regular expression that
> > covers them).
> >
> > > (mail9.messagelabs.com [194.205.110.133])
> > > by cheviot1.ncl.ac.uk (8.10.1/8.10.1) with SMTP id h0TIU5k31581
> > > for ; Wed, 29 Jan 2003 18:30:05 GMT
> > >
> > >Other whitelisted entries appear to be working OK so I am perplexed as
> > >to why this one was tagged.
> > >
> > >Quentin
> > >---
> > >PHONE: +44 191 222 8209 Computing Service, University of Newcastle
> > >FAX: +44 191 222 8765 Newcastle upon Tyne, United Kingdom, NE1 7RU.
> > >------------------------------------------------------------------------
> > >"Any opinion expressed above is mine. The University can get its own."
> >
> > --
> > Julian Field
> > www.MailScanner.info
> > MailScanner thanks transtec Computers for their support
>--
>Steve Hickel

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From ragan_davis at COLSTATE.EDU Thu Jan 30 13:41:21 2003
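[Added example, not part of any list post and not MailScanner code.] The "forward and reverse lookups ... consistent with each other" check from the 12:27 Spam.whitelist.rules reply above, sketched in Python next to the PTR-only check it replaces. The function names and the lookup tables are constructed for illustration; the tables mirror the 1.2.3.4 / "mail.good.com" scenario and the mail9.messagelabs.com Received line from the thread.

```python
import ipaddress
import socket


def system_reverse(ip):
    """PTR lookup via the system resolver; returns a list of names (maybe empty)."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
    except (socket.herror, socket.gaierror):
        return []
    return [name] + list(aliases)


def system_forward(name):
    """A/AAAA lookup via the system resolver; returns a list of address strings."""
    try:
        return [info[4][0] for info in socket.getaddrinfo(name, None)]
    except socket.gaierror:
        return []


def norm_ip(text):
    """Parse an address for comparison; None if it is not a valid IP."""
    try:
        return ipaddress.ip_address(text.split("%")[0])
    except ValueError:
        return None


def suffix_ok(name, domain):
    """Match on a label boundary: 'good.com' matches 'mail.good.com' only."""
    suffix = domain.lstrip("*.").lower()
    name = name.rstrip(".").lower()
    return name == suffix or name.endswith("." + suffix)


def ptr_only_matches(ip, domain, reverse=system_reverse):
    """Weak check: trusts whatever the owner of the IP range put in the PTR."""
    return any(suffix_ok(name, domain) for name in reverse(ip))


def confirmed_hostnames(ip, reverse=system_reverse, forward=system_forward):
    """PTR names for `ip` whose own forward lookup maps back to `ip`."""
    target = norm_ip(ip)
    if target is None:
        raise ValueError("not an IP address: %r" % ip)
    confirmed = []
    for name in reverse(ip):
        name = name.rstrip(".").lower()
        if target in {norm_ip(a) for a in forward(name)}:
            confirmed.append(name)
    return confirmed


def host_matches(ip, domain, reverse=system_reverse, forward=system_forward):
    """Hardened check: only forward-confirmed names may satisfy the rule."""
    return any(suffix_ok(n, domain)
               for n in confirmed_hostnames(ip, reverse, forward))


# Constructed lookup tables so the example runs offline.
SAMPLE_PTR = {
    "1.2.3.4": ["mail.good.com"],                # PTR set by the range owner
    "194.205.110.133": ["mail9.messagelabs.com"],
    "198.51.100.7": ["mail.notmessagelabs.com"],  # constructed look-alike name
}
SAMPLE_A = {
    "mail.good.com": ["192.0.2.10"],             # constructed: the real host
    "mail9.messagelabs.com": ["194.205.110.133"],
    "mail.notmessagelabs.com": ["198.51.100.7"],
}


def sample_reverse(ip):
    return SAMPLE_PTR.get(ip, [])


def sample_forward(name):
    return SAMPLE_A.get(name, [])


if __name__ == "__main__":
    for ip, dom in [("1.2.3.4", "good.com"),
                    ("194.205.110.133", "*.messagelabs.com")]:
        print(ip, dom,
              "ptr-only:", ptr_only_matches(ip, dom, sample_reverse),
              "confirmed:", host_matches(ip, dom, sample_reverse, sample_forward))
```

Each confirmed match costs at least two DNS queries per connecting address, which is the execution-time cost the reply mentions.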
From: ragan_davis at COLSTATE.EDU (Mack Ragan)
Date: Thu Jan 12 21:17:06 2006
Subject: Weird error in log after installing MailScanner
Message-ID:

I turned off spam checking, and this seemed to help at first. But, after a while the load cranked back up and the result was the same. so, I turned virus scanning off, and nothing changed. I was wondering...I have gcc v3.2-7 installed. Do you think it would help to install v3.2.1 (which seems to be the current stable version available at gcc.gnu.org)? I'll admit, I'm just taking shots in the dark at this point. Please advise.

thanks,
mack

From mailscanner at ecs.soton.ac.uk Thu Jan 30 14:38:17 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:06 2006
Subject: Weird error in log after installing MailScanner
In-Reply-To:
Message-ID: <5.2.0.9.2.20030130143529.056de2f8@imap.ecs.soton.ac.uk>

At 13:41 30/01/2003, you wrote:
>I turned off spam checking, and this seemed to help at first. But, after a
>while the load cranked back up and the result was the same. so, I turned
>virus scanning off, and nothing changed. I was wondering...I have gcc v3.2-
>7 installed. Do you think it would help to install v3.2.1 (which seems to
>be the current stable version available at gcc.gnu.org)? I'll admit, I'm
>just taking shots in the dark at this point. Please advise.

I doubt that would help much. I still think it might be a DNS resolving problem. Is it doing lots of IO, lots of disk, lots of CPU or what? What does "nice top" produce? Have you got lots of processes trying to run, or are they all waiting on disk or net? You can use "top" and "sar" to work out what your machine is doing.

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From dustin.baer at IHS.COM Thu Jan 30 14:54:26 2003
From: dustin.baer at IHS.COM (Dustin Baer)
Date: Thu Jan 12 21:17:06 2006
Subject: spam quarantine not checked for virus?
Message-ID: <3E393CA2.35314294@ihs.com>

Good day,

I have a message that was quarantined by MailScanner due to SpamAssassin. It was later requested. Since it can't go back through MailScanner, lest it be quarantined as spam again, it was put directly into /var/spool/mqueue. It was caught later down the road by Norton AntiVirus on our Lotus Notes server.

If messages are caught by SpamAssassin and moved to quarantine/*/spam, are they also checked for viruses?

Thanks,
Dustin

--
Dustin Baer
Unix Administrator/Postmaster
Information Handling Services
15 Inverness Way East
Englewood, CO 80112
303-397-2836

From mailscanner at ecs.soton.ac.uk Thu Jan 30 15:01:58 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:06 2006
Subject: Security Alert: ban very long filenames
Message-ID: <5.2.0.9.2.20030130145737.02e6bc20@imap.ecs.soton.ac.uk>

There is a bug in some versions of some Microsoft e-mail packages that is being actively exploited. MessageLabs claim to have stopped over 3,000 copies of it last weekend.

It relies on very long filenames, making it very easy to block. I strongly advise you add a new rule to the top of your filename.rules.conf file. The line should look like

deny	.{150,}	Possible OE attack	Possible attack against Microsoft e-mail packages

Remember to separate the 4 "fields" on this line with tab characters and not just spaces.

You can read more about the attack at
http://www.messagelabs.com/viruseye/report.asp?id=130

This rule will be included in the next release of MailScanner, due out at the end of this week (1st Feb).

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From Harish.Amin at DEG.STATE.WI.US Thu Jan 30 15:05:52 2003
From: Harish.Amin at DEG.STATE.WI.US (Amin, Harish) Date: Thu Jan 12 21:17:06 2006 Subject: Is this normal?? lots of Found to be clean Message-ID: <47F3EDACE4BC3A4594D0D7B504062BBD019C68C6@doamail04.doa.wistate.us> MailScanner showing lots and lots of Found to be clean for a single message __________________________________________________________ H??Message-Id: < se354441.015@adngate.adn.uwrf.edu > H??X-Mailer: Novell GroupWise 5.5.4 H??Date: Mon, 27 Jan 2003 14:37:48 -0600 H??From: "Stanley Potts" < stanley.j.potts@uwrf.edu > H??Subject: April Flint Visit to the National Center.... H??Content-Type: text/plain; charset=US-ASCII H??Content-Disposition: inline H??X-Scanned-By: MIMEDefang 2.27 (www . roaringpenguin . com / mimedefang) H??X-MailScanner: Found to be clean, Found to be clean, Found to be clean, Found to be clean, Found to be clean, Found to be clean, Found to be clean, Found to be clean, Found to be clean, Found to be clean, Found to be clea n, Found to be clean, Found to be clean, Found to be clean, Found to be clean, Found to be clean, Found to be cl ean, Found to be clean, Found to be clean, Found to be clean, Found to be clean, Found to be clean, Found to be clean, Found to be clean, Found to be clean, Found to be clean, Found to be clean, Found to be clean, Found to b e clean, Found to be clean, Found to be clean, Found to be clean, Found to be clean, Found to be clean, Found to be clean, Found to be clean, Found to be clean, Found to be clean, Found to be clean, Found to be clean, Found to be clean, Found to be clean, Found to be clean, Found to be clean, Found to be clean, Found to be clean, Foun d to be clean, Found to be clean, Found to be clean H??Content-Transfer-Encoding: 8bit H??X-MIME-Autoconverted: from quoted-printable to 8bit by badger.state.wi.us id h0RKd4a14767 H??Status: U H??MIME-Version: 1.0 H??Sender: owner-comed@Badger.state.wi.us H??Precedence: bulk Harish Amin -------------- next part -------------- An HTML attachment was 
scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030130/cf9ef090/attachment.html From JeremyE at BSA.CA.GOV Thu Jan 30 15:10:13 2003 From: JeremyE at BSA.CA.GOV (Jeremy Evans) Date: Thu Jan 12 21:17:06 2006 Subject: SpamCheck is blank, SpamScore is absent Message-ID: <2739ECF7268CD0118F50080009DCC9F00235D2AE@pebble.bsa.ca.gov> Thanks. I thought that Spam Checks = no was just related to the DNS blocklists (which we don't use), since that is the section it is under. Everything is working now. -----Original Message----- 
From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] Sent: Thursday, January 30, 2003 2:00 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: SpamCheck is blank, SpamScore is absent At 00:49 30/01/2003, you wrote: >I'm currently testing MailScanner 4.11-1 and all messages I send through it >have a blank SpamCheck, and a missing SpamScore. I thought this had been >discussed on the mailing list before, but I haven't been able to find it >after some searching. The logs list "Spam Checks: Starting" and "Virus and >Content Scanning: Starting", but never say that the message is spam even if >I try pretty hard to add a lot of obvious spam phrases to the message. The >spam.actions.rules files are set to deliver all spam, and the >spam.whitelist.rules file is set to "FromTo: default no". The >spam.assassin.prefs.conf file hasn't been modified. > >If anyone could post the answer again, I'd appreciate it. Thanks in >advance. You currently have spam checks switched off. Set Spam Checks = yes >Jeremy Evans >Information Systems Analyst >California State Auditor >916-445-0255 phone >916-322-7801 fax > > >-- Excerpt from header of message -- > >X-Priority: 3 >X-MSMail-Priority: Normal >X-Mailer: Microsoft Outlook Express 6.00.2800.1106 >X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106 >X-BSA-MailScanner: Clean >X-BSA-SpamCheck: > >This is a multi-part message in MIME format. 
> >------=_NextPart_000_010F_01C2C7B0.3D6388E0 >Content-Type: text/plain; > charset="iso-8859-1" >Content-Transfer-Encoding: quoted-printable > > >-- Excerpt from maillog -- > >Jan 29 09:06:31 riviera MailScanner[25974]: New Batch: Scanning 1 messages, >2735 bytes >Jan 29 09:06:31 riviera MailScanner[25974]: Spam Checks: Starting >Jan 29 09:06:31 riviera MailScanner[25974]: Virus and Content Scanning: >Starting >Jan 29 09:06:32 riviera MailScanner[25974]: Uninfected: Delivered 1 messages > > >-- Excerpt from MailScanner.conf -- > >Mail Header = X-BSA-MailScanner: >Spam Header = X-BSA-SpamCheck: >Spam Score Header = X-BSA-SpamScore: >Spam Score Character = s >Clean Header Value = Clean >Infected Header Value = Infected >Disinfected Header Value = Disinfected >Multiple Headers = append >Hostname = the MailScanner >Sign Messages Already Processed = no >Sign Clean Messages = no >Mark Infected Messages = yes >Mark Unscanned Messages = no >Deliver Cleaned Messages = yes >Scanned Modify Subject = no # end >Filename Subject Text = {Restricted-File-Attachment} >Spam Modify Subject = yes >Spam Subject Text = {Probably-Spam} >High Scoring Spam Modify Subject = yes >High Scoring Spam Subject Text = {Almost-Definitely-Spam} >Spam Checks = no >Is Definitely Not Spam = /opt/MailScanner/etc/rules/spam.whitelist.rules >Is Definitely Spam = /opt/MailScanner/etc/rules/spam.blacklist.rules >Use SpamAssassin = yes >Max SpamAssassin Size = 50000 >Required SpamAssassin Score = 5 >High SpamAssassin Score = 10 >SpamAssassin Auto Whitelist = no >SpamAssassin Prefs File = /opt/MailScanner/etc/spam.assassin.prefs.conf >SpamAssassin Timeout = 60 >Max SpamAssassin Timeouts = 20 >Check SpamAssassin If On Spam List = yes >Always Include SpamAssassin Report = yes >Spam Score = yes >Spam Actions = /opt/MailScanner/etc/rules/spam.actions.rules >High Scoring Spam Actions = >/opt/MailScanner/etc/rules/spam.high.actions.rules >Sender Spam Report = /opt/MailScanner/etc/reports/en/sender.spam.report.txt 
>Sender Spam List Report = >/opt/MailScanner/etc/reports/en/sender.spam.rbl.report.txt >Sender SpamAssassin Report = >/opt/MailScanner/etc/reports/en/sender.spam.sa.report.txt >Syslog Facility = mail >Log Spam = yes >Log Permitted Filenames = yes >Debug = no >Deliver In Background = yes >Delivery Method = batch >Lockfile Dir = /tmp >Minimum Code Status = supported -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From David.Sullivan at BARNET.AC.UK Thu Jan 30 15:16:17 2003 
From: David.Sullivan at BARNET.AC.UK (David Sullivan) Date: Thu Jan 12 21:17:06 2006 Subject: Is this normal?? lots of Found to be clean In-Reply-To: <47F3EDACE4BC3A4594D0D7B504062BBD019C68C6@doamail04.doa.wistate.us> Message-ID: On 30 Jan 2003 at 9:05, Amin, Harish wrote: > MailScanner showing lots and lots of Found to be clean for a single > message Not really possible to tell given those headers but has the message got caught in a mailloop? If the message has gone through MailScanner a number of times and it's configured to append the header it would produce something like this. David. ============================================================== This communication may contain privileged or confidential information which is for the exclusive use of the intended recipient. If you are not the intended recipient, please note that you may not distribute or use this communication or the information it contains. If this e-mail has reached you in error, please delete it and any attachment. Internet communications are not secure and Barnet College does not accept legal responsibility for the content of this message. Any views or opinions expressed are those of the author and not necessarily those of Barnet College. Please note that Barnet College reserves the right to monitor the source/destinations of all incoming or outgoing e-mail communications. ============================================================== From Kevin.Spicer at BMRB.CO.UK Thu Jan 30 15:19:08 2003 
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin) Date: Thu Jan 12 21:17:06 2006 Subject: Double File Extensions Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0A32CAE@pascal.priv.bmrb.co.uk>

Julian,
I've just read the messagelabs article referred to in your post, "Security Alert, ban very long filenames" and I wondered, in light of that, where you think the rule contained in this following post (from earlier this week) should go? I'm toying with the idea of moving it above all the allow's

> >In the process of testing, I found that a double extension can get through
> >if there is a space (or multiple spaces) between the first (fake) file
> >extension and the second (actual) file extension. Since a space after the
> >fake file extension will probably be just as invisible as the actual file
> >extension, it could be a way to sneak past the filters while getting the
> >same nefarious effect. I propose that by default the last line in
> >filename.rules.conf be changed to:
> >
> >deny \.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$ Found possible filename hiding Attempt to hide real filename extension
>
> Good idea. It will be in the next release.
>
> --
> Julian Field
> www.MailScanner.info
> MailScanner thanks transtec Computers for their support
>

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000
From mailscanner at ecs.soton.ac.uk Thu Jan 30 15:20:15 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:06 2006 Subject: spam quarantine not checked for virus? In-Reply-To: <3E393CA2.35314294@ihs.com> Message-ID: <5.2.0.9.2.20030130151657.082fde98@imap.ecs.soton.ac.uk> At 14:54 30/01/2003, you wrote: >Good day, > >I have a message that was quarantined by MailScanner due to >SpamAssassin. It was later requested. Since it can't go back through >MailScanner, less it be quarantined as spam again, it was put directly >into /var/spool/mqueue. It was caught later down the road by Norton >AntiVirus on our Lotus Notes server. > >If messages are caught by SpamAssassin and moved to quarantine/*/spam, >are they also checked for viruses? The spam checking and quarantining is done first, before any of the virus checking. You could quite easily (and automatically) quarantine the message as a 1-file-per-message (rather than as raw queue files), invoke sendmail to cause the delivery and add localhost to your spam whitelist. Not ideal, I admit, but it would get you out of the hole. I might re-arrange the code at some point in the future so that the quarantining/archiving is done at the end, but I seem to remember that introduces problems of its own as well. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Thu Jan 30 15:21:34 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:06 2006 Subject: Is this normal?? lots of Found to be clean In-Reply-To: <47F3EDACE4BC3A4594D0D7B504062BBD019C68C6@doamail04.doa.wis tate.us> Message-ID: <5.2.0.9.2.20030130152034.0828b538@imap.ecs.soton.ac.uk> It is spinning your mail server. For some reason you are causing the message to be repeatedly submitted back to the server. Did the "Received" headers give any clue? At 15:05 30/01/2003, you wrote: >MailScanner showing lots and lots of Found to be clean for a single message > > >__________________________________________________________ > >H??Message-Id: ><se354441.015@adngate.adn.uwrf.edu> >H??X-Mailer: Novell GroupWise 5.5.4 >H??Date: Mon, 27 Jan 2003 14:37:48 -0600 >H??From: "Stanley Potts" ><stanley.j.potts@uwrf.edu> >H??Subject: April Flint Visit to the National Center.... >H??Content-Type: text/plain; charset=US-ASCII >H??Content-Disposition: inline >H??X-Scanned-By: MIMEDefang 2.27 (www . roaringpenguin . 
com / mimedefang) >H??X-MailScanner: Found to be clean, Found to be clean, Found to be clean, >Found to be clean, Found to be clean, > Found to be clean, Found to be clean, Found to be clean, Found to be > clean, Found to be clean, Found to be clea >n, Found to be clean, Found to be clean, Found to be clean, Found to be >clean, Found to be clean, Found to be cl >ean, Found to be clean, Found to be clean, Found to be clean, Found to be >clean, Found to be clean, Found to be >clean, Found to be clean, Found to be clean, Found to be clean, Found to >be clean, Found to be clean, Found to b >e clean, Found to be clean, Found to be clean, Found to be clean, Found to >be clean, Found to be clean, Found to > be clean, Found to be clean, Found to be clean, Found to be clean, Found > to be clean, Found to be clean, Found >to be clean, Found to be clean, Found to be clean, Found to be clean, >Found to be clean, Found to be clean, Foun >d to be clean, Found to be clean, Found to be clean >H??Content-Transfer-Encoding: 8bit >H??X-MIME-Autoconverted: from quoted-printable to 8bit by >badger.state.wi.us id h0RKd4a14767 >H??Status: U >H??MIME-Version: 1.0 >H??Sender: >owner-comed@Badger.state.wi.us >H??Precedence: bulk > >Harish Amin -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Thu Jan 30 15:25:13 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:06 2006 Subject: Double File Extensions In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB0A32CAE@pascal.priv.bmrb.co.uk> Message-ID: <5.2.0.9.2.20030130152447.05723298@imap.ecs.soton.ac.uk>

I have always put that one near the bottom as there is no point in denying *.jan.txt, *.feb.txt, etc.

At 15:19 30/01/2003, you wrote:
>Julian,
>I've just read the messagelabs article referred to in your post, "Security
>Alert, ban very long filenames" and I wondered, in light of that, where
>you think the rule contained in this following post (from earlier this
>week) should go? I'm toying with the idea of moving it above all the allow's
>
> > >In the process of testing, I found that a double extension can get through
> > >if there is a space (or multiple spaces) between the first (fake) file
> > >extension and the second (actual) file extension. Since a space after the
> > >fake file extension will probably be just as invisible as the actual file
> > >extension, it could be a way to sneak past the filters while getting the
> > >same nefarious effect. I propose that by default the last line in
> > >filename.rules.conf be changed to:
> > >
> > >deny \.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$ Found possible filename hiding Attempt to hide real filename extension
> >
> > Good idea. It will be in the next release.
> >
> > --
> > Julian Field
> > www.MailScanner.info
> > MailScanner thanks transtec Computers for their support
> >
>
>BMRB International
>http://www.bmrb.co.uk
>+44 (0)20 8566 5000

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support
From Harish.Amin at DEG.STATE.WI.US Thu Jan 30 15:32:42 2003
From: Harish.Amin at DEG.STATE.WI.US (Amin, Harish) Date: Thu Jan 12 21:17:06 2006 Subject: Is this normal?? lots of Found to be clean Message-ID: <47F3EDACE4BC3A4594D0D7B504062BBD019C68C7@doamail04.doa.wistate.us> Julian, WE were thinking that someone is repeatedly sending too many duplicate messagess so this has to do with the MailScanner ... Here's the received Headers Funny thing this is happening on only three of the majordomo lists of a single person. And its not having any problem on the other lists # more qfh0S28vd22602 V4 T1043719737 K1043720971 N2 P4430827 I0/0/90179 MDeferred: male.osceola.k12.wi.us.: Network is unreachable Fbn $_majordom@localhost Sowner-comed@Badger.state.wi.us Aowner-comed@badger.state.wi.us Cmajordom:1003:12:include:/usr/local/majordomo/lists/comed RPFD:orourkes@osceola.k12.wi.us H?P?Return-Path: H??Received: (from majordom@localhost) by badger.state.wi.us (8.11.6+Sun/8.11.6) id h0S28vd22602 for comed-list; Mon, 27 Jan 2003 20:08:57 -0600 (CST) H??Received: from mail2.Aging.gov (mcda4-4-0-0-321.rback0.milw.wi.voyager.net [169.207.146.116] (may be forged)) by badger.state.wi.us (8.11.6+Sun/8.11.6) with ESMTP id h0S28oI22590; Mon, 27 Jan 2003 20:08:51 -0600 (CST) H??Received: from MAIL2 (mail2.Aging.gov [127.0.0.1]) by mail2.Aging.gov with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2653.13) id DQ44N9WM; Mon, 27 Jan 2003 20:07:04 -0600 H??To: , , H??Message-Id: H??X-Mailer: Novell GroupWise 5.5.4 H??Date: Mon, 27 Jan 2003 14:37:48 -0600 H??From: "Stanley Potts" H??Subject: April Flint Visit to the National Center.... H??Content-Type: text/plain; charset=US-ASCII H??Content-Disposition: inline H??X-Scanned-By: MIMEDefang 2.27 (www . roaringpenguin . 
com / mimedefang) H??X-MailScanner: Found to be clean, Found to be clean, Found to be clean, Found to be clean, Found to be clean, Found to be clean, Found to be clean, Found to be clean, Found to be clean, Found to be clean, Found to be clea n, Found to be clean, Found to be clean, Found to be clean, Found to be clean, Found to be clean, Found to be cl ean, Found to be clean, Found to be clean, Found to be clean, Found to be clean, Found to be clean, Found to be clean, Found to be clean, Found to be clean, Found to be clean, Found to be clean, Found to be clean, Found to b e clean, Found to be clean, Found to be clean, Found to be clean, Found to be clean, Found to be clean, Found to be clean, Found to be clean, Found to be clean, Found to be clean, Found to be clean, Found to be clean, Found to be clean, Found to be clean, Found to be clean, Found to be clean, Found to be clean, Found to be clean, Foun d to be clean, Found to be clean, Found to be clean H??Content-Transfer-Encoding: 8bit H??X-MIME-Autoconverted: from quoted-printable to 8bit by badger.state.wi.us id h0RKd4a14767 H??Status: U H??MIME-Version: 1.0 H??Sender: owner-comed@Badger.state.wi.us H??Precedence: bulk -----Original Message----- 
From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] Sent: Thursday, January 30, 2003 9:22 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Is this normal?? lots of Found to be clean It is spinning your mail server. For some reason you are causing the message to be repeatedly submitted back to the server. Did the "Received" headers give any clue? At 15:05 30/01/2003, you wrote: >MailScanner showing lots and lots of Found to be clean for a single message > > >__________________________________________________________ > >H??Message-Id: ><se354441.015@adngate.adn.uwrf.ed u> >H??X-Mailer: Novell GroupWise 5.5.4 >H??Date: Mon, 27 Jan 2003 14:37:48 -0600 >H??From: "Stanley Potts" ><stanley.j.potts@uwrf.edu> >H??Subject: April Flint Visit to the National Center.... >H??Content-Type: text/plain; charset=US-ASCII >H??Content-Disposition: inline >H??X-Scanned-By: MIMEDefang 2.27 (www . roaringpenguin . com / mimedefang) >H??X-MailScanner: Found to be clean, Found to be clean, Found to be clean, >Found to be clean, Found to be clean, > Found to be clean, Found to be clean, Found to be clean, Found to be > clean, Found to be clean, Found to be clea >n, Found to be clean, Found to be clean, Found to be clean, Found to be >clean, Found to be clean, Found to be cl >ean, Found to be clean, Found to be clean, Found to be clean, Found to be >clean, Found to be clean, Found to be >clean, Found to be clean, Found to be clean, Found to be clean, Found to >be clean, Found to be clean, Found to b >e clean, Found to be clean, Found to be clean, Found to be clean, Found to >be clean, Found to be clean, Found to > be clean, Found to be clean, Found to be clean, Found to be clean, Found > to be clean, Found to be clean, Found >to be clean, Found to be clean, Found to be clean, Found to be clean, >Found to be clean, Found to be clean, Foun >d to be clean, Found to be clean, Found to be clean >H??Content-Transfer-Encoding: 8bit >H??X-MIME-Autoconverted: from quoted-printable to 8bit by 
>badger.state.wi.us id h0RKd4a14767 >H??Status: U >H??MIME-Version: 1.0 >H??Sender: >owner-comed@Badger.state.wi.us >H??Precedence: bulk > >Harish Amin -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From brose at MED.WAYNE.EDU Thu Jan 30 15:35:49 2003 From: brose at MED.WAYNE.EDU (Rose, Bobby) Date: Thu Jan 12 21:17:06 2006 Subject: Security Alert: ban very long filenames Message-ID: Is this the correct article? It sounds more like multiple extensions and not long filenames. -----Original Message----- From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] Sent: Thursday, January 30, 2003 10:02 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Security Alert: ban very long filenames There is a bug in some versions of some Microsoft e-mail packages that is being actively exploited. MessageLabs claim to have stopped over 3,000 copies of it last weekend. It relies on very long filenames, making it very easy to block. I strongly advise you add a new rule to the top of your filename.rules.conf file. The line should look like deny .{150,} Possible OE attack Possible attack against Microsoft e-mail packages Remember to separate the 4 "fields" on this line with tab characters and not just spaces. You can read more about the attack at http://www.messagelabs.com/viruseye/report.asp?id=130 This rule will be included in the next release of MailScanner, due out at the end of this week (1st Feb). -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From andersan at LTKALMAR.SE Thu Jan 30 15:35:38 2003 
From: andersan at LTKALMAR.SE (Anders Andersson, IT) Date: Thu Jan 12 21:17:06 2006 Subject: SV: Double File Extensions Message-ID: <7B475DC5E9502B4D91EA73C283AE48D70263EE18@lkl22.ltkalmar.se>

> -----Original Message-----
> From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK]
> Sent: 30 January 2003 16:25
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: Double File Extensions
>
>
> I have always put that one near the bottom as there is no point in denying
> *.jan.txt, *.feb.txt, etc..

Shouldn't this be default for most extensions.... I mean allowing i.e. name.name.doc etc. etc. I was supposed to have changed that to the default policy since users sometimes make mistakes and there is no point blocking those. Maybe you should consider that for all safe/normal files? I can't say if that will cause probs with name.vbs.doc on Windows computers... who knows how it will execute that, but hopefully not.

/Anders

>
> At 15:19 30/01/2003, you wrote:
> >Julian,
> >I've just read the messagelabs article referred to in your post, "Security
> >Alert, ban very long filenames" and I wondered, in light of that, where
> >you think the rule contained in this following post (from earlier this
> >week) should go? I'm toying with the idea of moving it above all the allow's
> >
> > > >In the process of testing, I found that a double extension can get through
> > > >if there is a space (or multiple spaces) between the first (fake) file
> > > >extension and the second (actual) file extension. Since a space after the
> > > >fake file extension will probably be just as invisible as the actual file
> > > >extension, it could be a way to sneak past the filters while getting the
> > > >same nefarious effect. I propose that by default the last line in
> > > >filename.rules.conf be changed to:
> > > >
> > > >deny \.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$ Found possible filename hiding Attempt to hide real filename extension
> > >
> > > Good idea. It will be in the next release.
> > >
> > > --
> > > Julian Field
> > > www.MailScanner.info
> > > MailScanner thanks transtec Computers for their support
> > >
> >
> >BMRB International
> >http://www.bmrb.co.uk
> >+44 (0)20 8566 5000
>
> --
> Julian Field
> www.MailScanner.info
> MailScanner thanks transtec Computers for their support
>
From dustin.baer at IHS.COM Thu Jan 30 16:06:43 2003
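The placement question in the "Double File Extensions" thread above, worked through as an added example (not MailScanner's own code). It assumes rules are tried top to bottom with the first match deciding, and that patterns match case-insensitively; the two allow rules, the no-`\s*` variant and the sample filenames are constructed for illustration.

```python
import re
from typing import Dict, List, NamedTuple, Optional, Tuple


class Rule(NamedTuple):
    action: str          # "allow" or "deny"
    pattern: re.Pattern  # compiled filename regex
    log_text: str        # text written to the log
    user_text: str       # text shown in the user report


def parse_rules(text: str) -> List[Rule]:
    """Parse filename.rules.conf-style lines: 4 fields separated by tabs."""
    rules = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        fields = [f.strip() for f in re.split(r"\t+", line.strip("\t"))]
        if len(fields) != 4:
            # A line separated "with just spaces" ends up here.
            raise ValueError(f"line {lineno}: expected 4 tab-separated "
                             f"fields, got {len(fields)}")
        action, regex, log_text, user_text = fields
        if action not in ("allow", "deny"):
            raise ValueError(f"line {lineno}: unknown action {action!r}")
        # Assumption: case-insensitive matching.
        rules.append(Rule(action, re.compile(regex, re.IGNORECASE),
                          log_text, user_text))
    return rules


def first_match(filename: str, rules: List[Rule]) -> Optional[Rule]:
    """Assumption: the first rule whose pattern matches decides."""
    for rule in rules:
        if rule.pattern.search(filename):
            return rule
    return None


def verdict(filename: str, rules: List[Rule]) -> str:
    rule = first_match(filename, rules)
    return rule.action if rule else "no-match"


def _line(action: str, regex: str, log_text: str, user_text: str) -> str:
    return "\t".join((action, regex, log_text, user_text))


# The two rules quoted in the thread.
LONG_NAME = _line("deny", r".{150,}", "Possible OE attack",
                  "Possible attack against Microsoft e-mail packages")
DOUBLE_EXT = _line("deny", r"\.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$",
                   "Found possible filename hiding",
                   "Attempt to hide real filename extension")
# Constructed: the same pattern without \s*, for comparison only.
NO_SPACE = _line("deny", r"\.[a-z][a-z0-9]{2,3}\.[a-z0-9]{3}$",
                 "Found possible filename hiding",
                 "Attempt to hide real filename extension")
# Constructed allow rules standing in for "all the allow's".
ALLOWS = [_line("allow", r"\.txt$", "-", "-"),
          _line("allow", r"\.jpg$", "-", "-")]

AT_BOTTOM = parse_rules("\n".join([LONG_NAME, *ALLOWS, DOUBLE_EXT]))
ABOVE_ALLOWS = parse_rules("\n".join([LONG_NAME, DOUBLE_EXT, *ALLOWS]))
WITHOUT_SPACES = parse_rules("\n".join([LONG_NAME, *ALLOWS, NO_SPACE]))

# Constructed sample filenames.
SAMPLES = ["report.jan.txt", "holiday.vbs.jpg",
           "holiday.jpg   .exe", "x" * 150 + ".txt"]


def compare(samples: List[str] = SAMPLES) -> Dict[str, Tuple[str, str]]:
    """Verdict per filename as (rule at bottom, rule above the allows)."""
    return {name: (verdict(name, AT_BOTTOM), verdict(name, ABOVE_ALLOWS))
            for name in samples}


if __name__ == "__main__":
    for name, (bottom, top) in compare().items():
        shown = name if len(name) < 40 else name[:20] + "..." + name[-8:]
        print(f"{shown:<34} bottom={bottom:<6} above-allows={top}")
```

Moving the double-extension rule above the allow rules catches a hidden extension in front of an allowed one, at the cost of also denying names like `report.jan.txt`.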
From: dustin.baer at IHS.COM (Dustin Baer) Date: Thu Jan 12 21:17:06 2006 Subject: spam quarantine not checked for virus? References: <5.2.0.9.2.20030130151657.082fde98@imap.ecs.soton.ac.uk> Message-ID: <3E394D93.886BBF68@ihs.com> Julian Field wrote: > > At 14:54 30/01/2003, you wrote: > >Good day, > > > >I have a message that was quarantined by MailScanner due to > >SpamAssassin. It was later requested. Since it can't go back through > >MailScanner, less it be quarantined as spam again, it was put directly > >into /var/spool/mqueue. It was caught later down the road by Norton > >AntiVirus on our Lotus Notes server. > > > >If messages are caught by SpamAssassin and moved to quarantine/*/spam, > >are they also checked for viruses? > > The spam checking and quarantining is done first, before any of the virus > checking. > > You could quite easily (and automatically) quarantine the message as a > 1-file-per-message (rather than as raw queue files), invoke sendmail to > cause the delivery and add localhost to your spam whitelist. Not ideal, I > admit, but it would get you out of the hole. I figured out how to get around it. The situation is that people request the quarantined spam and it automatically sent the qf/df files to mqueue. I modified the script to add another header and wrote a SpamAssassin rule to give that header a -100 score. Then the raw files are sent back through mqueue.in and completely scanned. Dustin -- Dustin Baer Unix Administrator/Postmaster Information Handling Services 15 Inverness Way East Englewood, CO 80112 303-397-2836 From dustin.baer at IHS.COM Thu Jan 30 17:10:42 2003 
From: dustin.baer at IHS.COM (Dustin Baer) Date: Thu Jan 12 21:17:06 2006 Subject: Future release suggestion - Spam header References: <3E380875.D70E5467@ihs.com> <4p1i3vssig9l1hqbllcshcgest1sbv5m55@4ax.com> Message-ID: <3E395C92.D551DF00@ihs.com> Whoops, sent this to Peter, instead of the list. Peter Peters wrote: > > On Wed, 29 Jan 2003 09:59:33 -0700, you wrote: > > >I have a script that runs overnight to notify people of what was > >quarantined and send email in the following format: 
> > > >From: gslmAkiko bjwdnancey7@yahoo.com > > Date: Date: Tue, 28 Jan 2003 00:17:33 -0800 > > Subject: Your visa bill dtuxu > > REQUEST THIS EMAIL > > > >The "REQUEST THIS EMAIL" is a clickable link to a cgi page that will > >send the email along. > > Could you share this script and/or your setup? The pertinent scripts are attached as a zip file. There are three ksh scripts and one perl/cgi script that all tie in together. I went through and commented them heavily, so hopefully you will understand what I have tried to do. I am using Sendmail, by the way. 1. spamAssassinNotify.ksh - This is the script that runs at 11:55 p.m. and will strip certain information from the headers and include them in the email. 2. spamAssassinRequest.cgi - used for the "REQUEST THIS EMAIL" link. 3. spamAssassinRequest.ksh - This script is tied to an email alias: sarequest:"|/usr/local/bin/spamAssassinRequest.ksh" 4. spamAssassinRequestCron.ksh - This is a cronjob that runs every 15 minutes checking to see if anyone has requested any quarantined spam email > It would even be nicer if this link could be included in the message the > user gets. If I understand you correctly, spamAssassinNotify.ksh does this in two ways. 1. A direct link to the perl/cgi script for people connected to our intranet, which will automatically send an email to the sarequest email alias. 2. A mailto: email link that will send an email to the sarequest email alias (which the spamAssassinRequest.cgi script does automatically). This is used by the people who aren't connected to our intranet. I haven't modified any of the text, so my company's name is scattered throughout. Obviously, feel free to do whatever you want to these scripts to make them fit your environment. If you have any questions, don't hesitate to ask. Hope these come in handy! 
> Peter Peters senior netwerkbeheerder > Centrum voor InformatieTechnologie, Bibliotheek en Educatie > Universiteit Twente, Postbus 217, 7500 AE Enschede > telefoon: +31 53 489 2301, fax:+31 53 489 2383, http://www.utwente.nl/civ Dustin -- Dustin Baer Unix Administrator/Postmaster Information Handling Services 15 Inverness Way East Englewood, CO 80112 303-397-2836 -------------- next part -------------- A non-text attachment was scrubbed... Name: sanotify.zip Type: application/zip Size: 6034 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030130/857c7fd3/sanotify.zip From Harish.Amin at DEG.STATE.WI.US Thu Jan 30 17:29:45 2003 From: Harish.Amin at DEG.STATE.WI.US (Amin, Harish) Date: Thu Jan 12 21:17:06 2006 Subject: Is this normal?? lots of Found to be clean Message-ID: <47F3EDACE4BC3A4594D0D7B504062BBD019C68C8@doamail04.doa.wistate.us> Any hints or solution to this problem -----Original Message----- 
From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] Sent: Thursday, January 30, 2003 9:22 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Is this normal?? lots of Found to be clean It is spinning your mail server. For some reason you are causing the message to be repeatedly submitted back to the server. Did the "Received" headers give any clue? At 15:05 30/01/2003, you wrote: >MailScanner showing lots and lots of Found to be clean for a single message > > >__________________________________________________________ > >H??Message-Id: ><se354441.015@adngate.adn.uwrf.ed u> >H??X-Mailer: Novell GroupWise 5.5.4 >H??Date: Mon, 27 Jan 2003 14:37:48 -0600 >H??From: "Stanley Potts" ><stanley.j.potts@uwrf.edu> >H??Subject: April Flint Visit to the National Center.... >H??Content-Type: text/plain; charset=US-ASCII >H??Content-Disposition: inline >H??X-Scanned-By: MIMEDefang 2.27 (www . roaringpenguin . com / mimedefang) >H??X-MailScanner: Found to be clean, Found to be clean, Found to be clean, >Found to be clean, Found to be clean, > Found to be clean, Found to be clean, Found to be clean, Found to be > clean, Found to be clean, Found to be clea >n, Found to be clean, Found to be clean, Found to be clean, Found to be >clean, Found to be clean, Found to be cl >ean, Found to be clean, Found to be clean, Found to be clean, Found to be >clean, Found to be clean, Found to be >clean, Found to be clean, Found to be clean, Found to be clean, Found to >be clean, Found to be clean, Found to b >e clean, Found to be clean, Found to be clean, Found to be clean, Found to >be clean, Found to be clean, Found to > be clean, Found to be clean, Found to be clean, Found to be clean, Found > to be clean, Found to be clean, Found >to be clean, Found to be clean, Found to be clean, Found to be clean, >Found to be clean, Found to be clean, Foun >d to be clean, Found to be clean, Found to be clean >H??Content-Transfer-Encoding: 8bit >H??X-MIME-Autoconverted: from quoted-printable to 8bit by 
>badger.state.wi.us id h0RKd4a14767 >H??Status: U >H??MIME-Version: 1.0 >H??Sender: >owner-comed@Badger.state.wi.us >H??Precedence: bulk > >Harish Amin -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From billa at STERLING.NET Thu Jan 30 22:12:04 2003 From: billa at STERLING.NET (Bill Anderson) Date: Thu Jan 12 21:17:06 2006 Subject: /bin/cat: : No such file or directory In-Reply-To: <5.2.0.9.2.20030130094918.02637340@imap.ecs.soton.ac.uk> Message-ID: Yes all three are working. When I turn off the "store" option for spam mail, the messages for away. > -----Original Message----- > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > Behalf Of Julian Field > Sent: Thursday, January 30, 2003 1:51 AM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: /bin/cat: : No such file or directory > > > At 01:03 30/01/2003, you wrote: > >No spaces or strange characters. The spam is stored in the > correct place as > >well. > > So everything is working, but you get this error? > If you are asking for whole messages to be quarantined, all mail to be > archived and spam to be stored, do all 3 features still work? > > What does your MailScanner.conf look like? > > > > > > -----Original Message----- > > > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > > > Behalf Of Desai, Jason > > > Sent: Wednesday, January 29, 2003 10:36 AM > > > To: MAILSCANNER@JISCMAIL.AC.UK > > > Subject: Re: /bin/cat: : No such file or directory > > > > > > > > > Just a thought, but does the full directory path where you store spam > > > contain any spaces or other strange characters? > > > > > > > -----Original Message----- 
> > > > From: Bill Anderson [mailto:billa@STERLING.NET] > > > > Sent: Tuesday, January 28, 2003 5:41 PM > > > > To: MAILSCANNER@JISCMAIL.AC.UK > > > > Subject: [MAILSCANNER] /bin/cat: : No such file or directory > > > > > > > > > > > > I posted a message awhile back to deal with a problem message > > > > that keeps > > > > popping up on my console. I was given a bunch of great ideas > > > > on where to > > > > look, however, I could never find the problem. Shortly > > > > thereafter, the > > > > messages went away (that was a little spooky). > > > > > > > > However, the messages are back, but this time I found out > > > > where they are > > > > coming from. I get these messages whenever is use the > > > > "store" option for > > > > caught spam. I am not quarantineing (if there is such a > > > > word) any viruses, > > > > but I did turn "store" back on for some domains. Here is my > > > > Mailscanner.conf file: > > > > > > > > Spam Actions = /etc/MailScanner/rules/strlg.spam.actions.rules > > > > > > > > Here is my strlg.spam.actions.rules file: > > > > > > > > To: domain.com bounce store > > > > To: another.com bounce store > > > > > > > > If I remove the "store" option, the messages go away. Oh > > > > yeah, here is what > > > > the message is: > > > > > > > > /bin/cat: : No such file or directory > > > > > > > > It seems everytime I get the message, another message is > > > > dropped in the > > > > quarantine directory. > > > > > > > > > -- > Julian Field > www.MailScanner.info > MailScanner thanks transtec Computers for their support > From smhickel at CHARTERMI.NET Fri Jan 31 01:35:46 2003 
From: smhickel at CHARTERMI.NET (Steve Hickel) Date: Thu Jan 12 21:17:06 2006 Subject: Spam.whitelist.rules file question In-Reply-To: <5.2.0.9.2.20030130122129.04b7eff8@imap.ecs.soton.ac.uk> References: <5.2.0.9.2.20030130100035.020b5150@imap.ecs.soton.ac.uk> <5.2.0.9.2.20030130100035.020b5150@imap.ecs.soton.ac.uk> <5.2.0.9.2.20030130122129.04b7eff8@imap.ecs.soton.ac.uk> Message-ID: <1043976945.1502.5.camel@steve.hickel.info> Thanks, Steve On Thu, 2003-01-30 at 07:27, Julian Field wrote: > At 12:21 30/01/2003, you wrote: > >So you are saying that he needed to put 194.205.110.133 instead or in > >addition to? > > Instead. > > Normally the thing in the rule is (a pattern matching) the email address. > But if it doesn't contain any letters, it interprets it as (a pattern > matching) the IP address. > > There currently isn't a way of matching the hostname by name, only by number. > > I think that relying on the hostname is actually not very good, as you > leave yourself open to simple DNS attacks. Say "nasty.com" own the IP > address range 1.2.3.*. If they setup their DNS server so that the reverse > record for 1.2.3.4 claims to be "mail.good.com" instead of > "mail.nasty.com", then any mail from 1.2.3.4 will be treated by your server > as being from "mail.good.com" instead of "something.nasty.com". > > To be sure this isn't happening to you, you have to do forward and reverse > lookups and check they all match and are consistent with each other. This > takes time to execute, and I haven't written it yet. > > > >Steve > > > >On Thu, 2003-01-30 at 05:03, Julian Field wrote: > > > At 08:30 30/01/2003, you wrote: > > > >Yesterday morning I updated the spam.whitelist.rules file (on cheviot1) > > > >so that it now looks like: > > > > > > > > .... > > > > From: *.messagelabs.com yes 
> > > > From: default no > > > > > > So if the envelope sender address ends in ".messagelabs.com" then it is > > > whitelisted. > > > > > > >However at 18:30 a message that should have been whitelisted was in fact > > > >tagged as spam. The envelope-from address in the tagged message is given > > > >in: > > > > > > > >Received: from mail9.messagelabs.com > > > > > > That's the name of the host, not the email address that sent the message to > > > you. > > > > > > If you want to whitelist mail from specific IP addresses, then you need to > > > whitelist those specific numeric IP's (or use a regular expression that > > > covers them). > > > > > > > (mail9.messagelabs.com [194.205.110.133]) > > > > by cheviot1.ncl.ac.uk (8.10.1/8.10.1) with SMTP id h0TIU5k31581 > > > > for ; Wed, 29 Jan 2003 18:30:05 GMT > > > > > > > >Other whitelisted entries appear to be working OK so I am perplexed as > > > >to why this one was tagged. > > > > > > > >Quentin > > > >--- > > > >PHONE: +44 191 222 8209 Computing Service, University of Newcastle > > > >FAX: +44 191 222 8765 Newcastle upon Tyne, United Kingdom, NE1 7RU. > > > >------------------------------------------------------------------------ > > > >"Any opinion expressed above is mine. The University can get its own." > > > > > > -- > > > Julian Field > > > www.MailScanner.info > > > MailScanner thanks transtec Computers for their support > >-- > >Steve Hickel > > -- > Julian Field > www.MailScanner.info > MailScanner thanks transtec Computers for their support -- Steve Hickel -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: This is a digitally signed message part Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030130/97e3d98b/attachment.bin From jrudd at UCSC.EDU Fri Jan 31 20:44:15 2003 
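The forward and reverse lookup check described in Julian Field's quoted reply in the whitelist thread above, as an added example (not MailScanner code; he notes there that he had not written it). The resolver functions are injectable so it runs offline; the DNS tables are constructed, with the `mail9.messagelabs.com` / `194.205.110.133` pair taken from the Received header in the thread and its forward record assumed to match.

```python
import fnmatch
import ipaddress
import socket
from typing import Callable, Iterable, List

Lookup = Callable[[str], List[str]]


def system_ptr(ip: str) -> List[str]:
    """Reverse lookup via the system resolver: names claimed for this IP."""
    try:
        name, aliases, _addrs = socket.gethostbyaddr(ip)
    except OSError:
        return []
    return [name, *aliases]


def system_forward(host: str) -> List[str]:
    """Forward lookup via the system resolver: addresses for this name."""
    try:
        infos = socket.getaddrinfo(host, None)
    except OSError:
        return []
    return sorted({info[4][0] for info in infos})


def ptr_only_match(ip: str, patterns: Iterable[str],
                   ptr_lookup: Lookup = system_ptr) -> bool:
    """The weak check: trusts whatever the reverse record claims."""
    names = [n.rstrip(".").lower() for n in ptr_lookup(ip)]
    return any(fnmatch.fnmatchcase(n, p.lower())
               for n in names for p in patterns)


def confirmed_hostnames(ip: str, ptr_lookup: Lookup = system_ptr,
                        forward_lookup: Lookup = system_forward) -> List[str]:
    """Names from the reverse record whose forward record leads back to ip."""
    want = ipaddress.ip_address(ip)
    confirmed = []
    for name in ptr_lookup(ip):
        name = name.rstrip(".").lower()
        addrs = set()
        for addr in forward_lookup(name):
            try:
                addrs.add(ipaddress.ip_address(addr))
            except ValueError:
                continue  # skip anything that is not a plain address
        if want in addrs:
            confirmed.append(name)
    return confirmed


def whitelisted_by_hostname(ip: str, patterns: Iterable[str],
                            ptr_lookup: Lookup = system_ptr,
                            forward_lookup: Lookup = system_forward) -> bool:
    """Hostname whitelist that only accepts forward-confirmed names."""
    patterns = list(patterns)
    names = confirmed_hostnames(ip, ptr_lookup, forward_lookup)
    return any(fnmatch.fnmatchcase(n, p.lower())
               for n in names for p in patterns)


# Constructed DNS data. 1.2.3.4 is the thread's "nasty.com" address whose
# reverse record claims mail.good.com; the real mail.good.com is given a
# constructed address (192.0.2.10) that does not point back to it.
FAKE_PTR = {
    "1.2.3.4": ["mail.good.com"],
    "194.205.110.133": ["mail9.messagelabs.com"],
}
FAKE_A = {
    "mail.good.com": ["192.0.2.10"],
    "mail9.messagelabs.com": ["194.205.110.133"],
}


def fake_ptr(ip: str) -> List[str]:
    return FAKE_PTR.get(ip, [])


def fake_forward(host: str) -> List[str]:
    return FAKE_A.get(host, [])


if __name__ == "__main__":
    for ip, pats in (("1.2.3.4", ["*.good.com"]),
                     ("194.205.110.133", ["*.messagelabs.com"])):
        print(ip,
              "ptr-only:", ptr_only_match(ip, pats, fake_ptr),
              "confirmed:", whitelisted_by_hostname(ip, pats, fake_ptr,
                                                    fake_forward))
```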
From: jrudd at UCSC.EDU (John Rudd) Date: Thu Jan 12 21:17:06 2006 Subject: mailscanner and spamd Message-ID: <200301312044.h0VKiFZ24866@kzin.ucsc.edu> Is there a way to speed up the spamassassin processing by using the compiled versions of spamassassin instead of the perl versions? Does it automatically use it if it's installed, or do you have to do something tricky, or does mailscanner never use it since mailscanner is written in perl? John From nerijus at USERS.SOURCEFORGE.NET Fri Jan 31 20:59:31 2003 From: nerijus at USERS.SOURCEFORGE.NET (Nerijus Baliunas) Date: Thu Jan 12 21:17:06 2006 Subject: mailscanner and spamd In-Reply-To: <200301312044.h0VKiFZ24866@kzin.ucsc.edu> References: <200301312044.h0VKiFZ24866@kzin.ucsc.edu> Message-ID: <200301312059.h0VKxiOx016081@mx.ktv.lt> On Fri, 31 Jan 2003 12:44:15 -0800 John Rudd wrote: > Is there a way to speed up the spamassassin processing by using the > compiled versions of spamassassin instead of the perl versions? Does > it automatically use it if it's installed, or do you have to do something > tricky, or does mailscanner never use it since mailscanner is written > in perl? Mailscanner calls SA's API directly, so using compiled version would not help. Look in the list archives, it was discussed recently. Regards, Nerijus From mailscanner at BARENDSE.TO Fri Jan 31 21:17:12 2003 
From: mailscanner at BARENDSE.TO (Remco Barendse)
Date: Thu Jan 12 21:17:06 2006
Subject: mailscanner-mrtg non growing and small bug?
Message-ID:

Does anybody know if it's possible to get mailscanner-mrtg to produce
non-growing stats?

I don't like the looks of these cumulative figures for all graphs. It is
neat for some (like spams and virii caught) but not so practical for
others (bytes of mail transferred) because it gets a bit harder to track
your server performance.

Would be nice if this could be changed or even a config file settable
parameter.

Also my "Server Ethernet Traffic Daily Graph" is not showing anything
sensible. The graph shows only full peaks to the roof or no traffic at
all. Think the graph is not adjusting the max scale to a max measured
value?

But it's a nifty package :)

Remco

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From dlovelace at HOTELS.COM Fri Jan 31 21:25:44 2003
From: dlovelace at HOTELS.COM (Dale Lovelace)
Date: Thu Jan 12 21:17:07 2006
Subject: mailscanner-mrtg non growing and small bug?
In-Reply-To:
References:
Message-ID: <20030131152544.112f2bff.dlovelace@hotels.com>

You should be able to remove the "gauge" option from the graph you would
like to see without the cumulative figures, but I haven't had any luck
doing it that way. Please tell me if you do.

I'm not sure about the "Server Ethernet Traffic Daily Graph", it was
contributed. It shows all kinds of activity on my boxes, but I am unsure
what the graphs mean :-)

As a side note, my company is transitioning to "cricket" instead of mrtg,
so soon I will have cricket rpm's and a mailscanner-cricket package :-)

On Fri, 31 Jan 2003 22:17:12 +0100 Remco Barendse wrote:

> Does anybody know if it's possible to get mailscanner-mrtg to produce
> non-growing stats?
>
> I don't like the looks of these cumulative figures for all graphs. It is
> neat for some (like spams and virii caught) but not so practical for
> others (bytes of mail transferred) because it gets a bit harder to track
> your server performance.
>
> Would be nice if this could be changed or even a config file settable
> parameter.
>
> Also my "Server Ethernet Traffic Daily Graph" is not showing anything
> sensible. The graph shows only full peaks to the roof or no traffic at
> all. Think the graph is not adjusting the max scale to a max measured
> value?
>
> But it's a nifty package :)
>
> Remco
>
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.

--
Dale Lovelace
System Administrator
hotels.com
(214) 361-7311 Ext. 1074

From jrudd at UCSC.EDU Fri Jan 31 21:53:54 2003
From: jrudd at UCSC.EDU (John Rudd)
Date: Thu Jan 12 21:17:07 2006
Subject: Performance Enhancements
References: <5.2.0.9.2.20030110085438.04976de8@imap.ecs.soton.ac.uk>
Message-ID: <3E3AF072.DA68D6EF@ucsc.edu>

Julian Field wrote:
>
> >Another thought is with Spam Assassin. I know it has the capability to run
> >in daemon mode (spamd). Does MailScanner even support this? Does running
> >spamd in daemon mode give you any performance advantage at all?
>
> The spamd daemon merely provides a (narrow) route to the SpamAssassin code,
> which is all written in perl. MailScanner talks to the perl code directly,
> which is considerably faster than having to poke all the files down a
> socket to it. Using spamd would be slower.
>

Have you done any load testing of the two approaches? In my own (brief)
tests, "time spamc < msg" is _much_ faster than "time spamassassin -t <
msg". This would seem to contradict the assertion about poking all the
files down a socket.

Though, it's my impression that what spamd gets you is not having to
re-start spam assassin for each message (ie. avoiding the perl start up
overhead), whereas mailscanner gets around this by being a persistent
perl program. So I can see where spamc/spamd might be better than
running the spamassassin cli tool, but not better than what mailscanner
already does. But I don't know for sure, and was hoping to find some
detailed answers.

From mailscanner at ecs.soton.ac.uk Fri Jan 31 20:55:22 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:07 2006
Subject: mailscanner and spamd
In-Reply-To: <200301312044.h0VKiFZ24866@kzin.ucsc.edu>
Message-ID: <5.2.0.9.2.20030131205231.027b1848@imap.ecs.soton.ac.uk>

At 20:44 31/01/2003, you wrote:
>Is there a way to speed up the spamassassin processing by using the
>compiled versions of spamassassin instead of the perl versions? Does
>it automatically use it if it's installed, or do you have to do something
>tricky, or does mailscanner never use it since mailscanner is written
>in perl?

The "compiled version of spamassassin" *is* the perl version. The only
difference is that it uses a client written in C to talk to the daemon, of
which the core is all written in Perl.

MailScanner uses the fastest way of talking to SpamAssassin, which is to
directly call its Perl API. The other ways of calling it (i.e. the
spamc/spamd client/daemon and the "spamassassin" script) are both
considerably slower. The guts of SpamAssassin is written in Perl.

There is no point installing the spamd daemon, MailScanner won't use it as
it is slower than calling it directly.

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Fri Jan 31 22:56:06 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:07 2006
Subject: Performance Enhancements
In-Reply-To: <3E3AF072.DA68D6EF@ucsc.edu>
References: <5.2.0.9.2.20030110085438.04976de8@imap.ecs.soton.ac.uk>
Message-ID: <5.2.0.9.2.20030131225231.027bbc90@imap.ecs.soton.ac.uk>

At 21:53 31/01/2003, you wrote:
>Julian Field wrote:
>
> >
> > >Another thought is with Spam Assassin. I know it has the capability to run
> > >in daemon mode (spamd). Does MailScanner even support this? Does running
> > >spamd in daemon mode give you any performance advantage at all?
> >
> > The spamd daemon merely provides a (narrow) route to the SpamAssassin code,
> > which is all written in perl. MailScanner talks to the perl code directly,
> > which is considerably faster than having to poke all the files down a
> > socket to it. Using spamd would be slower.
> >
>
>Have you done any load testing of the two approaches? In my own (brief)
>tests, "time spamc < msg" is _much_ faster than "time spamassassin -t <
>msg". This would seem to contradict the assertion about poking all the
>files down a socket.

Yes, using the "spamassassin" script is far slower, which is why I don't
use it.

SpamAssassin is a big function library. You can do 1 of 3 things:
1) call it via the spamassassin script, which requires recompiling all the
   perl for each message. This is the slowest.
2) call it via the spamd daemon. This saves recompiling the perl for each
   message, but requires you to push the entire message down a socket.
3) call the function library directly. This saves recompiling the perl for
   each message, and also has no bandwidth constraint for getting the
   message into SpamAssassin. This is by far the fastest method.

MailScanner uses approach number 3.

>Though, it's my impression that what spamd gets you is not having to
>re-start spam assassin for each message (ie. avoiding the perl start up
>overhead), whereas mailscanner gets around this by being a persistent
>perl program. So I can see where spamc/spamd might be better than
>running the spamassassin cli tool, but not better than what mailscanner
>already does. But I don't know for sure, and was hoping to find some
>detailed answers.

Hopefully the explanation above answers your question.

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From dbowen1 at MAC.COM Fri Jan 31 22:48:39 2003
From: dbowen1 at MAC.COM (Daniel Bowen)
Date: Thu Jan 12 21:17:07 2006
Subject: Not disinfecting detected viruses found by clamav!
Message-ID: <2393663.1044053319641.JavaMail.dbowen1@mac.com>

Hello,

I'm seeing the following message in the mail.log:

Jan 31 17:37:43 mail MailScanner[704]: New Batch: Scanning 1 messages, 1186 bytes
Jan 31 17:37:43 mail MailScanner[704]: Virus and Content Scanning: Starting
Jan 31 17:37:43 mail MailScanner[704]: /private/var/spool/MailScanner/incoming/704/./h0VMbdeN001832/test1: ClamAV-Test-Signature FOUND
Jan 31 17:37:43 mail MailScanner[704]: Virus Scanning: clamav found 1 infections
Jan 31 17:37:43 mail MailScanner[704]: Virus Scanning: Found 1 viruses
Jan 31 17:37:43 mail MailScanner[704]: Uninfected: Delivered 1 messages

yet the message arrives at its destination, complete with "cleaned"
signature, and the original virus containing attachment, as follows:

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
Mailscanner thanks transtec Computers for their support.

[clamAV test signature was here, but deleted for posting to the list]

Does anyone have any hints as to how to get the thing to disinfect???

Thanks,
Dan Bowen
Oak Ridge Schools
Oak Ridge, TN, USA

From dbowen1 at MAC.COM Fri Jan 31 22:55:16 2003
From: dbowen1 at MAC.COM (Daniel Bowen)
Date: Thu Jan 12 21:17:07 2006
Subject: MailScanner on Mac OS X 10.2 Jaguar
Message-ID: <1511673.1044053716800.JavaMail.dbowen1@mac.com>

Hello,

I would like to know if anyone else has installed, or has hints on
installing MailScanner on Mac OS X, in particular, 10.2 Jaguar. I have
gotten it to work, mostly, though the startup seems kludgy, just the cron
entry for check_mailscanner. I followed the instructions for BSD as best as
possible, though there is no rc.conf, so I'm not sure how much that will
impact things.

Also, how have people dealt with starting sendmail, having no rc.conf, its
entry in /System/Library/StartupItems/Sendmail/ is what I've edited, though
I'm not sure how well this will work out.

Has anyone made a startupitem out of MailScanner?

Also, I'm using clamav - though I can't say successfully, it all seems to be
talking to each other, though the viruses that are found aren't actually
disinfected. More on this in another post here.

Thanks,
Dan Bowen
Oak Ridge Schools
Oak Ridge, TN, USA

From nerijus at USERS.SOURCEFORGE.NET Fri Jan 31 23:11:50 2003
From: nerijus at USERS.SOURCEFORGE.NET (Nerijus Baliunas)
Date: Thu Jan 12 21:17:07 2006
Subject: MailScanner on Mac OS X 10.2 Jaguar
In-Reply-To: <1511673.1044053716800.JavaMail.dbowen1@mac.com>
References: <1511673.1044053716800.JavaMail.dbowen1@mac.com>
Message-ID: <200301312311.h0VNBfOx008392@mx.ktv.lt>

On Fri, 31 Jan 2003 17:55:16 -0500 Daniel Bowen wrote:

> Also, I'm using clamav - though I can't say successfully, it all seems to be talking to each other, though the viruses that are found aren't actually disinfected.

Clamav can't disinfect.

Regards,
Nerijus
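
Added example (not part of the list archive and not MailScanner code): the mail.log excerpt in Daniel Bowen's ClamAV post shows a scanner hit followed by the same batch being delivered as uninfected. The Python script below flags that pattern in a log, assuming the line formats are exactly those quoted in the post and that each MailScanner PID works on one batch at a time; the function and pattern names are made up for this example.

```python
import re

# Sample input: the six syslog lines quoted in the post, one per line.
SAMPLE_LOG = """\
Jan 31 17:37:43 mail MailScanner[704]: New Batch: Scanning 1 messages, 1186 bytes
Jan 31 17:37:43 mail MailScanner[704]: Virus and Content Scanning: Starting
Jan 31 17:37:43 mail MailScanner[704]: /private/var/spool/MailScanner/incoming/704/./h0VMbdeN001832/test1: ClamAV-Test-Signature FOUND
Jan 31 17:37:43 mail MailScanner[704]: Virus Scanning: clamav found 1 infections
Jan 31 17:37:43 mail MailScanner[704]: Virus Scanning: Found 1 viruses
Jan 31 17:37:43 mail MailScanner[704]: Uninfected: Delivered 1 messages
"""

LINE = re.compile(r"MailScanner\[(?P<pid>\d+)\]: (?P<msg>.*)$")
BATCH = re.compile(r"New Batch: Scanning (\d+) messages")
FOUND = re.compile(r"/incoming/\d+/\./(?P<id>[^/]+)/(?P<file>.+): (?P<sig>\S+) FOUND$")
VIRUSES = re.compile(r"Virus Scanning: Found (\d+) viruses")
CLEAN = re.compile(r"Uninfected: Delivered (\d+) messages")

def find_leaks(log_text):
    """Return batches where a hit was logged but too many messages went out as uninfected."""
    open_batches = {}  # pid -> state of the batch that child is working on (assumption)
    leaks = []
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # not a MailScanner line
        pid, msg = m["pid"], m["msg"]
        if (b := BATCH.match(msg)):
            open_batches[pid] = {"pid": pid, "messages": int(b[1]), "viruses": 0, "hits": []}
            continue
        batch = open_batches.get(pid)
        if batch is None:
            continue  # line seen before any "New Batch" for this pid
        if (f := FOUND.search(msg)):
            batch["hits"].append((f["id"], f["file"], f["sig"]))
        elif (v := VIRUSES.match(msg)):
            batch["viruses"] = int(v[1])
        elif (c := CLEAN.match(msg)):
            infected_ids = {h[0] for h in batch["hits"]}
            # Any hit means at least one message in the batch is not clean.
            min_infected = max(len(infected_ids), 1 if batch["viruses"] else 0)
            if min_infected and int(c[1]) > batch["messages"] - min_infected:
                leaks.append({**batch, "delivered_clean": int(c[1])})
    return leaks

if __name__ == "__main__":
    for leak in find_leaks(SAMPLE_LOG):
        print(f"pid {leak['pid']}: {leak['hits']} but {leak['delivered_clean']} delivered as uninfected")
```

Run against the excerpt from the post, it reports the batch handled by PID 704, where message h0VMbdeN001832 carried the test signature and was still counted as an uninfected delivery.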