From raymond at PROLOCATION.NET Tue Jul 1 00:22:48 2003
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:18:45 2006
Subject: reportword bug?
In-Reply-To: <002101c33f5b$8a05b6f0$9701020a@brianmay>
Message-ID:

Hi!

Read the archives, already fixed ...

On Mon, 30 Jun 2003, Brian May wrote:

> Sender: some lamer
> IP Address: 216.104.160.32
> Recipient: somelocal user
> Subject: Footer created at Sat Jun 28 10
> MessageID: h5UMRor22332
> Report: ClamAV: msg-18145-23.html contains Exploit.IFrame.HTML
> Found dangerous IFrame tag in HTML message
> $reportword: Nod32: ./h5UMRor22332/2003 - Win32/Klez.J worm
> ClamAV: 2003 contains Worm/Klez.H
> F-Secure: ./h5UMRor22332/2003: Infected: W32/Klez.H@mm [F-Prot]
> F-Secure: ./h5UMRor22332/2003: Infected: I-Worm.Klez.h [AVP]
>
> Not sure how the report word got there.. has there been a fix for this?
>

From mikew at CRUCIS.NET Tue Jul 1 01:39:44 2003
From: mikew at CRUCIS.NET (Mike Watson)
Date: Thu Jan 12 21:18:45 2006
Subject: newby fetchmail question
In-Reply-To: <200306301232.07382.ca@cwissy.co.uk>
References: <200306301232.07382.ca@cwissy.co.uk>
Message-ID: <200306301939.44982.mikew@crucis.net>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Monday 30 June 2003 06:32 am, you wrote:
> Hi,
>
> If I set up fetchmail on a server running mailscanner will the mails
> that it pulls in go through the mailscanner process or does it start
> a new sendmail process for delivery?

I can answer the first part. Yes, e-mails pulled via fetchmail go through MailScanner. I have a remote e-mail address and use fetchmail to pull the e-mails. I just tested it and the e-mails were processed by both MailScanner, Spamassassin and also by my virus scanner.
Mike W
- --
Registered Linux - 256979 NRA Life ARS: W0TMW
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQE/ANhQ5fq6h2uDDlQRAgcSAJ9Sey0Z5OIUou7yR6h/FQX0cOcUHQCfbhVI
P8tcM5FJqpaPPON5ivMyOFw=
=HacD
-----END PGP SIGNATURE-----

--
This message has been scanned for viruses and dangerous content by
F-Prot and MailScanner, and is believed to be clean.

From ashley at IMS.TELSTRA.COM.AU Tue Jul 1 03:25:32 2003
From: ashley at IMS.TELSTRA.COM.AU (Ash)
Date: Thu Jan 12 21:18:45 2006
Subject: Using HTML tags/code to obfuscate "bad" words
In-Reply-To: <5.2.1.1.2.20030630081331.058d7418@securemail.tulsaconnect.com>
References: <5.2.1.1.2.20030630081331.058d7418@securemail.tulsaconnect.com>
Message-ID: <3F00F11C.9000609@ims.telstra.com.au>

fixed at my site by upgrading to SA v2.60
no other config changes applied

ash

ISP List wrote:

> More and more I am seeing spammers use HTML codes to obfuscate
> notoriously "bad" words so as to confuse/get by SpamAssassin and such.
> For instance:
>
>

Make your balls and
> pen?s
> larger and get more satisfaction.
>
> Are others seeing this, and is there a rule in SpamAssassin I can tweak
> to give situations like this more weight?
>
> Thanks.
>
> -------------------------------------
> Mike Bacher / mike@sparklogic.com
> Use OptiGold ISP? Check out OptiSkin!
> http://www.sparklogic.com/optiskin/
> -------------------------------------

From mailscanner at CARLO65.DE Tue Jul 1 05:15:48 2003
From: mailscanner at CARLO65.DE (Roland Ehle)
Date: Thu Jan 12 21:18:45 2006
Subject: Quick translation request - German
In-Reply-To: <5.2.1.1.2.20030630215510.02533e60@imap.ecs.soton.ac.uk>
References: <5.2.1.1.2.20030630215510.02533e60@imap.ecs.soton.ac.uk>
Message-ID: <3F010AF4.8050403@carlo65.de>

Julian Field wrote:
> For the max-message-size checking, I need this translating into as many
> languages as possible:
>
> Message is too large

Nachricht ist zu gross

Regards,
Roland

From aschwalm at WEB.DE Tue Jul 1 07:22:09 2003
From: aschwalm at WEB.DE (Angela Schwalm)
Date: Thu Jan 12 21:18:45 2006
Subject: MailScanner issue with postfix
Message-ID: <200307010622.h616M5Q20318@mailgate5.cinetic.de>

MailScanner mailing list wrote on 30.06.03 17:22:47:
>
> But, do you have /var/spool/postfix and /var/spool/postfix.in created ?
> If so, once starting the Postfix processes, all sub-directories inside
> these directories should be created on the fly...
>
> Can you do a
> ls -l /var/spool
> ls -l /var/spool/postfix
> ls -l /var/spool/postfix.in
>

xxxx:/var/log # ls -l /var/spool
total 80
drwxr-xr-x 20 root root 4096 Jun 30 16:59 .
drwxr-xr-x 18 root root 4096 Jun 3 12:47 ..
drwxr-xr-x 5 root root 4096 Jun 25 12:29 MailScanner
drwx------ 2 at at 4096 Sep 20 2002 atjobs
drwx------ 2 at at 4096 Mar 23 2002 atspool
drwxrwx--- 2 mail mail 4096 May 22 10:16 clientmqueue
drwx------ 4 root root 4096 Sep 20 2002 cron
drwx------ 3 lp root 4096 Sep 20 2002 cups
drwxr-xr-x 2 dpbox localham 4096 Mar 21 2002 dpbox
drwxr-xr-x 2 fax uucp 4096 Mar 21 2002 fax
drwxr-xr-x 2 fnet uucp 4096 Mar 21 2002 fnet
lrwxrwxrwx 1 root root 7 Sep 20 2002 locks -> ../lock
drwxr-xr-x 2 lp lp 4096 Mar 21 2002 lpd
drwxrwxrwt 2 root root 4096 Jun 27 09:58 mail
drwx------ 3 root root 4096 May 22 10:16 mqueue
drwx------ 3 root root 4096 Jun 23 15:33 mqueue.in
drwxr-xr-x 15 root root 4096 Jun 30 17:22 postfix
drwxr-xr-x 14 root root 4096 Jun 30 16:59 postfix.in
drwxr-x--- 2 lp lp 4096 Mar 25 2002 samba
drwxr-xr-x 3 uucp uucp 4096 Sep 20 2002 uucp
drwxr-xr-x 4 65 nogroup 4096 Jun 12 17:02 vscan

xxxx:/var/log # ls -l /var/spool/postfix
total 60
drwxr-xr-x 15 root root 4096 Jun 30 17:22 .
drwxr-xr-x 20 root root 4096 Jun 30 16:59 ..
drwx------ 2 postfix root 4096 Jun 30 17:00 active
drwx------ 2 postfix root 4096 Jun 30 17:00 bounce
drwx------ 2 postfix root 4096 Jun 30 17:00 corrupt
drwx------ 2 postfix root 4096 Jun 30 17:00 defer
drwx------ 2 postfix root 4096 Jun 30 17:00 deferred
drwxr-xr-x 2 root root 4096 Jun 30 17:23 etc
drwx------ 2 postfix root 4096 Jun 30 17:00 flush
drwx------ 2 postfix root 4096 Jun 30 17:00 incoming
drwx-wx--- 2 postfix maildrop 4096 Jun 30 17:00 maildrop
drwxr-xr-x 2 root root 4096 Jun 30 17:00 pid
drwx------ 2 postfix root 4096 Jun 30 17:25 private
drwx--x--- 2 postfix maildrop 4096 Jun 30 17:25 public
drwx------ 2 postfix root 4096 Jun 30 17:00 saved

xxxx:/var/log # ls -l /var/spool/postfix.in
total 56
drwxr-xr-x 14 root root 4096 Jun 30 16:59 .
drwxr-xr-x 20 root root 4096 Jun 30 16:59 ..
drwx------ 2 postfix root 4096 Jul 1 08:24 active
drwx------ 2 postfix root 4096 Jun 30 16:59 bounce
drwx------ 2 postfix root 4096 Jun 30 16:59 corrupt
drwx------ 2 postfix root 4096 Jul 1 08:24 defer
drwx------ 3 postfix root 4096 Jun 30 17:04 deferred
drwx------ 2 postfix root 4096 Jun 30 17:04 flush
drwx------ 2 postfix root 4096 Jun 30 17:04 incoming
drwx-wx--- 2 postfix maildrop 4096 Jun 30 16:59 maildrop
drwxr-xr-x 2 root root 4096 Jun 30 17:04 pid
drwx------ 2 postfix root 4096 Jun 30 17:24 private
drwx--x--- 2 postfix maildrop 4096 Jun 30 17:24 public
drwx------ 2 postfix root 4096 Jun 30 16:59 saved

____________________________________________________________________________
Sign up for WEB.DE FreeMail now = protect 1 sq m of rainforest! Help out!
Use the serial test winner. http://user.web.de/Regenwald

From john at TRADOC.FR Tue Jul 1 07:38:47 2003
From: john at TRADOC.FR (John Wilcock)
Date: Thu Jan 12 21:18:45 2006
Subject: Quick translation request - French
In-Reply-To: <5.2.1.1.2.20030630215510.02533e60@imap.ecs.soton.ac.uk>
References: <5.2.1.1.2.20030630215510.02533e60@imap.ecs.soton.ac.uk>
Message-ID:

On Mon, 30 Jun 2003 21:55:50 +0100, Julian Field wrote:

> For the max-message-size checking, I need this translating into as many
> languages as possible:
>
> Message is too large

Taille de message trop grand.

John.
--
-- Over 2000 webcams from ski resorts around the world - http://www.snoweye.com/
-- Translate your technical documents and web pages - http://www.tradoc.fr/

From Q.G.Campbell at NEWCASTLE.AC.UK Tue Jul 1 07:40:49 2003
From: Q.G.Campbell at NEWCASTLE.AC.UK (Quentin Campbell)
Date: Thu Jan 12 21:18:45 2006
Subject: Sobig.{E,D,EML} not found by Sophos and McAfee
Message-ID: <52E50E4D595DDE4D861117A1FB62E79D82089E@bond.ncl.ac.uk>

I reported yesterday that McAfee was not always recognising the Sobig.E worm in messages. That problem appeared to fix itself after I restarted MailScanner.
However further monitoring of logs shows that it is Sophos now that is not always recognising Sobig variants. I have instances where Sophos has missed Sobig.E (in both .txt and .pif files), Sobig.EML (.txt file) and Sobig.D (.pif file). In all these cases McAfee has found the worms and I have not found a new instance of McAfee missing a virus.

What I cannot tell is whether there have been instances where _both_ scanners have missed a virus/worm at the same time. It is very worrying.

The times at which these exceptions have occurred are nowhere near the hourly updates of the DAT/IDE files.

Any suggestions as to how I can more systematically investigate what is going on?

Quentin
---
PHONE: +44 191 222 8209    Computing Service, University of Newcastle
FAX:   +44 191 222 8765    Newcastle upon Tyne, United Kingdom, NE1 7RU.
------------------------------------------------------------------------
"Any opinion expressed above is mine. The University can get its own."

From radislav.vrnata at porcela.cz Tue Jul 1 08:18:16 2003
From: radislav.vrnata at porcela.cz (Radislav Vrnata)
Date: Thu Jan 12 21:18:45 2006
Subject: Quick translation request
In-Reply-To: <5.2.1.1.2.20030630215510.02533e60@imap.ecs.soton.ac.uk>
Message-ID: <3F0151D8.25343.18A0C51C@localhost>

On 30 Jun 2003 at 21:55, Julian Field wrote:

> For the max-message-size checking, I need this translating into as many
> languages as possible:
>
> Message is too large

Hi,
Here is Czech version:
Zprava je prilis dlouha

Radislav.

>
> Thanks folks!
> --
> Julian Field
> www.MailScanner.info
> Professional Support Services at www.MailScanner.biz
> MailScanner thanks transtec Computers for their support
>

From rybar at DATALOCK.SK Tue Jul 1 08:46:08 2003
From: rybar at DATALOCK.SK (Patrik Rybar)
Date: Thu Jan 12 21:18:45 2006
Subject: Quick translation request
In-Reply-To: <5.2.1.1.2.20030630215510.02533e60@imap.ecs.soton.ac.uk>
References: <5.2.1.1.2.20030630215510.02533e60@imap.ecs.soton.ac.uk>
Message-ID: <3F013C40.4020302@datalock.sk>

Julian Field wrote:

> For the max-message-size checking, I need this translating into as many
> languages as possible:
>
> Message is too large
>
> Thanks folks!
> --
> Julian Field
> www.MailScanner.info
> Professional Support Services at www.MailScanner.biz
> MailScanner thanks transtec Computers for their support
>

Hi,

here is Slovak version

Sprava je prilis dlha

Patrik

From P.G.M.Peters at utwente.nl Tue Jul 1 08:55:34 2003
From: P.G.M.Peters at utwente.nl (Peter Peters)
Date: Thu Jan 12 21:18:46 2006
Subject: (Scrubbed) Re: filter by size of attachment
In-Reply-To:
References:
Message-ID:

On Mon, 30 Jun 2003 14:10:59 -0600, you wrote:

>Yes, but my MTA won't allow me to create a whitelist like MailScanner
>does that will bypass that message size limitation.

For the occasional situation I have put a limit in the definition for the local-delivery. And for exceptions I use another local delivery agent. But that only works on the final delivery host.
--
Peter Peters, senior network administrator
Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE)
Universiteit Twente, Postbus 217, 7500 AE Enschede
telephone: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/civ

From florusb at ASCIO.COM Tue Jul 1 09:09:39 2003
From: florusb at ASCIO.COM (Florus Both)
Date: Thu Jan 12 21:18:46 2006
Subject: Quick translation request - danish
Message-ID: <2F15A97500CFA0469C9BACC2041F8AC7043F7A15@aries.dk.speednames.com>

Beskeden er for stor

florus

-----Original Message-----
From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK]
Sent: 30 June 2003 22:56
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Quick translation request

For the max-message-size checking, I need this translating into as many
languages as possible:

Message is too large

Thanks folks!
--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Tue Jul 1 09:28:26 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:18:46 2006
Subject: Quick translation request
In-Reply-To: <3F013C40.4020302@datalock.sk>
References: <5.2.1.1.2.20030630215510.02533e60@imap.ecs.soton.ac.uk> <5.2.1.1.2.20030630215510.02533e60@imap.ecs.soton.ac.uk>
Message-ID: <5.2.0.9.2.20030701092739.041a5748@imap.ecs.soton.ac.uk>

You're doing really well folks. Just
Welsh
Hungarian
Italian
Brazilian Portuguese
Romanian
left to go.
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From florusb at ASCIO.COM Tue Jul 1 09:54:27 2003
From: florusb at ASCIO.COM (Florus Both)
Date: Thu Jan 12 21:18:46 2006
Subject: Quick translation request - Brazilian Portuguese
Message-ID: <2F15A97500CFA0469C9BACC2041F8AC7043F7A19@aries.dk.speednames.com>

A mensagem e muito longa.

Florus (by proxy of a colleague :))

-----Original Message-----
From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK]
Sent: 1 July 2003 10:28
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Quick translation request

You're doing really well folks. Just
Welsh
Hungarian
Italian
Brazilian Portuguese
Romanian
left to go.
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From f.rotondo at TESEO.IT Tue Jul 1 10:02:28 2003
From: f.rotondo at TESEO.IT (Francesco Rotondo)
Date: Thu Jan 12 21:18:46 2006
Subject: Quick translation request
References: <5.2.1.1.2.20030630215510.02533e60@imap.ecs.soton.ac.uk>
Message-ID: <00de01c33faf$7fdca860$0464a8c0@teseo.info>

> For the max-message-size checking, I need this translating into as many
> languages as possible:
>
> Message is too large
>
> Thanks folks!

Italian:

Il messaggio è troppo grande

Francesco

From m.sapsed at BANGOR.AC.UK Tue Jul 1 10:21:20 2003
From: m.sapsed at BANGOR.AC.UK (Martin Sapsed)
Date: Thu Jan 12 21:18:46 2006
Subject: Sobig.{E,D,EML} not found by Sophos and McAfee
References: <52E50E4D595DDE4D861117A1FB62E79D82089E@bond.ncl.ac.uk>
Message-ID: <3F015290.2000709@bangor.ac.uk>

Hi Quentin,

Quentin Campbell wrote:
> However further monitoring of logs shows that it is Sophos now that is
> not always recognising Sobig variants. I have instances where Sophos has
> missed Sobig.E (in both .txt and .pif files), Sobig.EML (.txt file) and
> Sobig.D (.pif file). In all these cases McAfee has found the worms and I
> have not found a new instance of McAfee missing a virus.

Assuming you quarantine these nasties, have you sent the ones Sophos has missed to them? If not, please would you??? They usually respond pretty quickly if they're missing stuff...

By the way, what's Sobig.EML and what harm can it do in a .txt file?

Cheers,

Martin

--
Martin Sapsed
Information Services            "Who do you say I am?"
University of Wales, Bangor     Jesus of Nazareth

From kfliong at WOFS.COM Tue Jul 1 10:24:25 2003
From: kfliong at WOFS.COM (kfliong)
Date: Thu Jan 12 21:18:46 2006
Subject: whitelist problem
In-Reply-To: <2F15A97500CFA0469C9BACC2041F8AC7043F7A15@aries.dk.speednames.com>
Message-ID: <5.2.1.1.0.20030701172234.025b9668@192.168.10.2>

Hi all,

I added some email accounts to mark them as definitely not spam. But I don't know why the mails do not go through. I can see from Mailwatch that it is shown as whitelisted. So, how come I still don't receive the mail? Anyone have any idea?

Thanks in advance.

From Kevin.Spicer at BMRB.CO.UK Tue Jul 1 10:36:16 2003
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin)
Date: Thu Jan 12 21:18:46 2006
Subject: whitelist problem
Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0EBF6B3@pascal.priv.bmrb.co.uk>

kfliong wrote:
> Hi all,
>
> I added some email accounts to mark them as definitely not spam. But I
> don't know why the mails do not go through. I can see from
> Mailwatch that it is shown as whitelisted. So, how come I still don't
> receive the mail? Anyone have any idea?
>
> Thanks in advance.

It would help if you were to post relevant parts of your configuration (such as your whitelist entries) and perhaps also an extract from your logs showing what happens when a mail is received to one of those addresses.

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000
_________________________________________________________________
This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business.

From Q.G.Campbell at NEWCASTLE.AC.UK Tue Jul 1 10:39:57 2003
From: Q.G.Campbell at NEWCASTLE.AC.UK (Quentin Campbell)
Date: Thu Jan 12 21:18:46 2006
Subject: Sobig.{E,D,EML} not found by Sophos and McAfee
Message-ID: <52E50E4D595DDE4D861117A1FB62E79D8208E7@bond.ncl.ac.uk>

> -----Original Message-----
> From: Martin Sapsed [mailto:m.sapsed@BANGOR.AC.UK]
> Sent: 01 July 2003 10:21
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: Sobig.{E,D,EML} not found by Sophos and McAfee
>
>
> Hi Quentin,
>
> Quentin Campbell wrote:
> > However further monitoring of logs shows that it is Sophos
> now that is
> > not always recognising Sobig variants. I have instances
> where Sophos
> > has missed Sobig.E (in both .txt and .pif files), Sobig.EML (.txt
> > file) and Sobig.D (.pif file). In all these cases McAfee
> has found the
> > worms and I have not found a new instance of McAfee missing a virus.
>
> Assuming you quarantine these nasties, have you sent the ones
> Sophos has missed to them? If not, please would you??? They
> usually respond pretty quickly if they're missing stuff...

We don't use quarantining at this site. But your suggestion is noted. :-)

> By the way, what's Sobig.EML and ...

Good question. I cannot find this virus at the NAI site yet it is McAfee that is recognising it! The notification I got says:

The following e-mail messages were found to have viruses in them:

Sender: auto.reply@compuserve.com
IP Address: 149.174.40.6
Recipient: xxx@newcastle.ac.uk
Subject: Undeliverable Message
MessageID: h611uKu05157
Report: /h611uKu05157/msg-32244-1482.txt Found the W32/Sobig.eml virus !!!

> ...what harm can it do in a .txt file?

That is not the point unless you are suggesting that is why Sophos does not recognise it? The issue for me is why one A-V scanner finds it but another doesn't.

Quentin

From aschwalm at WEB.DE Tue Jul 1 11:22:26 2003
From: aschwalm at WEB.DE (Angela Schwalm)
Date: Thu Jan 12 21:18:46 2006
Subject: MailScanner issue with postfix
Message-ID: <200307011022.h61AMQQ26985@mailgate5.cinetic.de>

> After doing
> mkdir /var/spool/postfix /var/spool/postfix.in
> did you set the ownership correctly?
> chown postfix /var/spool/postfix /var/spool/postfix.in
> chgrp postfix /var/spool/postfix /var/spool/postfix.in
> then
> postfix start
> postfix -C /etc/postfix.in start
> (it might need to be "-c" instead of "-C", I can't remember)

I did so. Now I got:

Jul 1 12:25:50 xxxx postfix/postfix-script: warning: not owned by root: /var/spool/postfix.in
Jul 1 12:25:54 xxxx postfix/postfix-script: starting the Postfix mail system
Jul 1 12:25:55 xxxx postfix/master[20411]: daemon started
Jul 1 12:26:15 xxxx postfix/postfix-script: warning: not owned by root: /var/spool/postfix.in
Jul 1 12:26:27 xxxx postfix/postfix-script: warning: not owned by root: /var/spool/postfix
Jul 1 12:26:31 xxxx postfix/postfix-script: starting the Postfix mail system
Jul 1 12:26:32 xxxx postfix/master[20507]: daemon started
Jul 1 12:26:38 xxxx postfix/postfix-script: warning: not owned by root: /var/spool/postfix
Jul 1 12:27:32 xxxx MailScanner[20575]: MailScanner E-Mail Virus Scanner version 4.21-9 starting...
Jul 1 12:27:41 xxxx MailScanner[20575]: Using locktype = flock
Jul 1 12:27:42 xxxx MailScanner[20587]: MailScanner E-Mail Virus Scanner version 4.21-9 starting...
Jul 1 12:27:51 xxxx MailScanner[20587]: Using locktype = flock
Jul 1 12:27:52 xxxx MailScanner[20590]: MailScanner E-Mail Virus Scanner version 4.21-9 starting...
Jul 1 12:28:00 xxxx MailScanner[20590]: Using locktype = flock
Jul 1 12:28:02 xxxx MailScanner[20592]: MailScanner E-Mail Virus Scanner version 4.21-9 starting...
Jul 1 12:28:18 xxxx MailScanner[20594]: MailScanner E-Mail Virus Scanner version 4.21-9 starting...
Jul 1 12:28:23 xxxx MailScanner[20592]: Using locktype = flock
Jul 1 12:28:36 xxxx MailScanner[20594]: Using locktype = flock

______________________________________________________________________________
UNICEF asks for donations for the children in Iraq! Donate to UNICEF
online here: https://spenden.web.de/unicef/special/?mc=021101

From mailscanner at ecs.soton.ac.uk Tue Jul 1 11:27:42 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:18:46 2006
Subject: MailScanner issue with postfix
In-Reply-To: <200307011022.h61AMQQ26985@mailgate5.cinetic.de>
Message-ID: <5.2.0.9.2.20030701112657.04127850@imap.ecs.soton.ac.uk>

At 11:22 01/07/2003, you wrote:
> > After doing
> > mkdir /var/spool/postfix /var/spool/postfix.in
> > did you set the ownership correctly?
> > chown postfix /var/spool/postfix /var/spool/postfix.in
> > chgrp postfix /var/spool/postfix /var/spool/postfix.in
> > then
> > postfix start
> > postfix -C /etc/postfix.in start
> > (it might need to be "-c" instead of "-C", I can't remember)
>
>I did so. Now I got:

Oops, sorry, my mistake. It obviously wants those 2 dirs owned by root and
not postfix. chown and chgrp them back to 0 then restart both Postfixes again.

>Jul 1 12:25:50 xxxx postfix/postfix-script: warning: not owned by root:
>/var/spool/postfix.in
>Jul 1 12:25:54 xxxx postfix/postfix-script: starting the Postfix mail system
>Jul 1 12:25:55 xxxx postfix/master[20411]: daemon started
>Jul 1 12:26:15 xxxx postfix/postfix-script: warning: not owned by root:
>/var/spool/postfix.in
>Jul 1 12:26:27 xxxx postfix/postfix-script: warning: not owned by root:
>/var/spool/postfix
>Jul 1 12:26:31 xxxx postfix/postfix-script: starting the Postfix mail system
>Jul 1 12:26:32 xxxx postfix/master[20507]: daemon started
>Jul 1 12:26:38 xxxx postfix/postfix-script: warning: not owned by root:
>/var/spool/postfix
>Jul 1 12:27:32 xxxx MailScanner[20575]: MailScanner E-Mail Virus Scanner
>version 4.21-9 starting...
>Jul 1 12:27:41 xxxx MailScanner[20575]: Using locktype = flock
>Jul 1 12:27:42 xxxx MailScanner[20587]: MailScanner E-Mail Virus Scanner
>version 4.21-9 starting...
>Jul 1 12:27:51 xxxx MailScanner[20587]: Using locktype = flock
>Jul 1 12:27:52 xxxx MailScanner[20590]: MailScanner E-Mail Virus Scanner
>version 4.21-9 starting...
>Jul 1 12:28:00 xxxx MailScanner[20590]: Using locktype = flock
>Jul 1 12:28:02 xxxx MailScanner[20592]: MailScanner E-Mail Virus Scanner
>version 4.21-9 starting...
>Jul 1 12:28:18 xxxx MailScanner[20594]: MailScanner E-Mail Virus Scanner
>version 4.21-9 starting...
>Jul 1 12:28:23 xxxx MailScanner[20592]: Using locktype = flock
>Jul 1 12:28:36 xxxx MailScanner[20594]: Using locktype = flock
>
>______________________________________________________________________________
>UNICEF asks for donations for the children in Iraq! Donate to UNICEF
>online here: https://spenden.web.de/unicef/special/?mc=021101

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Tue Jul 1 11:34:34 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:18:46 2006
Subject: MailScanner issue with postfix -- anyone?
In-Reply-To: <5.2.0.9.2.20030701112657.04127850@imap.ecs.soton.ac.uk>
References: <200307011022.h61AMQQ26985@mailgate5.cinetic.de>
Message-ID: <5.2.0.9.2.20030701113314.041055d8@imap.ecs.soton.ac.uk>

I have run out of ideas. Without remote access to the system there's not much more I can do for you, sorry.
Maybe someone else has some ideas why you are seeing the strange symptoms you have.

At 11:27 01/07/2003, you wrote:
>At 11:22 01/07/2003, you wrote:
>> > After doing
>> > mkdir /var/spool/postfix /var/spool/postfix.in
>> > did you set the ownership correctly?
>> > chown postfix /var/spool/postfix /var/spool/postfix.in
>> > chgrp postfix /var/spool/postfix /var/spool/postfix.in
>> > then
>> > postfix start
>> > postfix -C /etc/postfix.in start
>> > (it might need to be "-c" instead of "-C", I can't remember)
>>
>>I did so. Now I got:
>
>Oops, sorry, my mistake. It obviously wants those 2 dirs owned by root and
>not postfix. chown and chgrp them back to 0 then restart both Postfixes again.
>
>
>>Jul 1 12:25:50 xxxx postfix/postfix-script: warning: not owned by root:
>>/var/spool/postfix.in
>>Jul 1 12:25:54 xxxx postfix/postfix-script: starting the Postfix mail system
>>Jul 1 12:25:55 xxxx postfix/master[20411]: daemon started
>>Jul 1 12:26:15 xxxx postfix/postfix-script: warning: not owned by root:
>>/var/spool/postfix.in
>>Jul 1 12:26:27 xxxx postfix/postfix-script: warning: not owned by root:
>>/var/spool/postfix
>>Jul 1 12:26:31 xxxx postfix/postfix-script: starting the Postfix mail system
>>Jul 1 12:26:32 xxxx postfix/master[20507]: daemon started
>>Jul 1 12:26:38 xxxx postfix/postfix-script: warning: not owned by root:
>>/var/spool/postfix
>>Jul 1 12:27:32 xxxx MailScanner[20575]: MailScanner E-Mail Virus Scanner
>>version 4.21-9 starting...
>>Jul 1 12:27:41 xxxx MailScanner[20575]: Using locktype = flock
>>Jul 1 12:27:42 xxxx MailScanner[20587]: MailScanner E-Mail Virus Scanner
>>version 4.21-9 starting...
>>Jul 1 12:27:51 xxxx MailScanner[20587]: Using locktype = flock
>>Jul 1 12:27:52 xxxx MailScanner[20590]: MailScanner E-Mail Virus Scanner
>>version 4.21-9 starting...
>>Jul 1 12:28:00 xxxx MailScanner[20590]: Using locktype = flock
>>Jul 1 12:28:02 xxxx MailScanner[20592]: MailScanner E-Mail Virus Scanner
>>version 4.21-9 starting...
>>Jul 1 12:28:18 xxxx MailScanner[20594]: MailScanner E-Mail Virus Scanner
>>version 4.21-9 starting...
>>Jul 1 12:28:23 xxxx MailScanner[20592]: Using locktype = flock
>>Jul 1 12:28:36 xxxx MailScanner[20594]: Using locktype = flock
>>
>>______________________________________________________________________________
>>UNICEF asks for donations for the children in Iraq! Donate to UNICEF
>>online here: https://spenden.web.de/unicef/special/?mc=021101
>
>--
>Julian Field
>www.MailScanner.info
>MailScanner thanks transtec Computers for their support

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From maxsec at TOTALISE.CO.UK Tue Jul 1 11:53:46 2003
From: maxsec at TOTALISE.CO.UK (Martin Hepworth)
Date: Thu Jan 12 21:18:46 2006
Subject: MailScanner issue with postfix -- anyone?
In-Reply-To: <5.2.0.9.2.20030701113314.041055d8@imap.ecs.soton.ac.uk>
References: <200307011022.h61AMQQ26985@mailgate5.cinetic.de> <5.2.0.9.2.20030701113314.041055d8@imap.ecs.soton.ac.uk>
Message-ID: <3F01683A.2030505@totalise.co.uk>

Julian

yeah I got that well - just warning I ignore with no ill effect as far as I can see..

--
Martin

Julian Field wrote:
> I have run out of ideas. Without remote access to the system there's not
> much more I can do for you, sorry.
> Maybe someone else has some ideas why you are seeing the strange symptoms
> you have.
>
> At 11:27 01/07/2003, you wrote:
>
>> At 11:22 01/07/2003, you wrote:
>>
>>> > After doing
>>> > mkdir /var/spool/postfix /var/spool/postfix.in
>>> > did you set the ownership correctly?
>>> > chown postfix /var/spool/postfix /var/spool/postfix.in
>>> > chgrp postfix /var/spool/postfix /var/spool/postfix.in
>>> > then
>>> > postfix start
>>> > postfix -C /etc/postfix.in start
>>> > (it might need to be "-c" instead of "-C", I can't remember)
>>>
>>> I did so. Now I got:
>>
>>
>> Oops, sorry, my mistake. It obviously wants those 2 dirs owned by root
>> and
>> not postfix. chown and chgrp them back to 0 then restart both
>> Postfixes again.
>>
>>
>>> Jul 1 12:25:50 xxxx postfix/postfix-script: warning: not owned by root:
>>> /var/spool/postfix.in
>>> Jul 1 12:25:54 xxxx postfix/postfix-script: starting the Postfix
>>> mail system
>>> Jul 1 12:25:55 xxxx postfix/master[20411]: daemon started
>>> Jul 1 12:26:15 xxxx postfix/postfix-script: warning: not owned by root:
>>> /var/spool/postfix.in
>>> Jul 1 12:26:27 xxxx postfix/postfix-script: warning: not owned by root:
>>> /var/spool/postfix
>>> Jul 1 12:26:31 xxxx postfix/postfix-script: starting the Postfix
>>> mail system
>>> Jul 1 12:26:32 xxxx postfix/master[20507]: daemon started
>>> Jul 1 12:26:38 xxxx postfix/postfix-script: warning: not owned by root:
>>> /var/spool/postfix
>>> Jul 1 12:27:32 xxxx MailScanner[20575]: MailScanner E-Mail Virus
>>> Scanner
>>> version 4.21-9 starting...
>>> Jul 1 12:27:41 xxxx MailScanner[20575]: Using locktype = flock
>>> Jul 1 12:27:42 xxxx MailScanner[20587]: MailScanner E-Mail Virus
>>> Scanner
>>> version 4.21-9 starting...
>>> Jul 1 12:27:51 xxxx MailScanner[20587]: Using locktype = flock
>>> Jul 1 12:27:52 xxxx MailScanner[20590]: MailScanner E-Mail Virus
>>> Scanner
>>> version 4.21-9 starting...
>>> Jul 1 12:28:00 xxxx MailScanner[20590]: Using locktype = flock
>>> Jul 1 12:28:02 xxxx MailScanner[20592]: MailScanner E-Mail Virus
>>> Scanner
>>> version 4.21-9 starting...
>>> Jul 1 12:28:18 xxxx MailScanner[20594]: MailScanner E-Mail Virus
>>> Scanner
>>> version 4.21-9 starting...
>>> Jul 1 12:28:23 xxxx MailScanner[20592]: Using locktype = flock
>>> Jul 1 12:28:36 xxxx MailScanner[20594]: Using locktype = flock
>>>
>>> ______________________________________________________________________________
>>>
>>> UNICEF asks for donations for the children in Iraq! Donate to UNICEF
>>> online here: https://spenden.web.de/unicef/special/?mc=021101
>>
>>
>> --
>> Julian Field
>> www.MailScanner.info
>> MailScanner thanks transtec Computers for their support
>
>
> --
> Julian Field
> www.MailScanner.info
> MailScanner thanks transtec Computers for their support

From andersan at LTKALMAR.SE Tue Jul 1 12:15:59 2003
From: andersan at LTKALMAR.SE (Anders Andersson, IT)
Date: Thu Jan 12 21:18:46 2006
Subject: SV: eTrust Inoculate
Message-ID: <9F18B7DDBA88E544AB1F1995148916661CE637@lkl63.ltkalmar.se>

> -----Original Message-----
> From: Tony Johansson [mailto:tony.johansson@SVENSKAKYRKAN.SE]
> Sent: 11 June 2003 16:26
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: eTrust Inoculate
>
>
> I have problems getting eTrust inoculate to work with MailScanner.

Did you find any solution to this problem?

>
> Details:
>
> eTrust version: eTrust Antivirus for Linux (Build 1892) (from
> the eTrust AntiVirus version 7 CD)
> Os: Red Hat 7.3 with default sendmail
> MailScanner: 4.21-9
>
> Virus scanner in MailScanner.conf is set to f-prot and
> inoculate. F-prot finds viruses, inoculate does not and
> there's nothing in the maillog about inoculate.
>
> inoculate-wrapper DOES work however, see following output:
>
> "[root@localhost viruses]#
> /usr/lib/MailScanner/inoculate-wrapper .
File
> /tmp/viruses/./BUG.0LL is infected by virus:
> Win32/Bugbear.Worm File /tmp/viruses/./BUGBEAR.0OM is
> infected by virus: Win32/Bugbear.Worm File
> /tmp/viruses/./klez.0OM is infected by virus:
> Win32/Klez.H.Worm File /tmp/viruses/./sircam.0OM is infected
> by virus: Win32/SirCam.Worm
>
> Total Files Scanned: 8
> Total Viruses Found: 4
> Total Infected Files Found: 4
> Scan Mode: Secure
>
> *** End Of Summary *** "
>
>
> Version info and options of inocmd32:
>
> [root@localhost MailScanner]# inocmd32
>
> InoculateIT Engine version: 23.61.00 2003/04/08
> InoculateIT Signature version: virsig.da0 23.61.46 2003/06/10
>
> Usage:inocmd32 [ -options ] file|directory|drive ...
> -options:
> : ENG
> can be one of: Ino or Vet
> : MOD Scan mode
> can be one of: Secure or Reviewer
> (default Secure)
> : ACT Infected file action
> can be one of: Cure, Rename, Delete or Move
> : EXE Specified files
> (based on the 'Specified' extension list)
> : EXC Exclude files
> (based on the 'Exclude' extension list)
> : ARC Scan archive files
> : NEX Detect compressed files by content, not file extension
> : NOS No subdirectory traverse
> : FIL: Only scan files that match (shell
> wildcard)
> : SCA Special Cure Action (ACT must be set to Cure)
> can be one of: CB (Copy Before), DT
> (Delete Trojan),
> RF (Rename if cure fails) or MF (Move if cure fails)
> : MCA Macro Cure Action
> can be either: RA (remove all) or RI (remove
> infected)
> : SPM Special Mode
> can only be: H (heuristics)
> : SFI Stop at first infection in archive
> : SRF Skip regular file scanning of archives
> : LIS: Create scan report file
> : APP: Append scan report to file
> : UNI / is directory separator rather than switch introducer
> : VER Verbose mode
> : COU: Message every scanned files
> : COU Message every 1000 scanned files
> : SIG Display signature version numbers
> : SIG:

Display signature version numbers of > engine located in > : HEL or ? Display this help > file|directory|drive ...: Specify at least one file, > directory or drive > file|directory|to > scan > > > > regards, Tony > From m.sapsed at BANGOR.AC.UK Tue Jul 1 12:25:56 2003 From: m.sapsed at BANGOR.AC.UK (Martin Sapsed) Date: Thu Jan 12 21:18:46 2006 Subject: Sobig.{E,D,EML} not found by Sophos and McAfee References: <52E50E4D595DDE4D861117A1FB62E79D8208E7@bond.ncl.ac.uk> Message-ID: <3F016FC4.1000703@bangor.ac.uk> Quentin Campbell wrote: > We don't use quarantining at this site. But your suggestion is noted. > :-) Shame. I sent them some files which were quarantined because they had .pif on the end. Subsequently an ide was released which identified them as Bugbear-Dam - the broken variants. > Good question. I cannot find this virus at the NAI site yet it is McAfee > that is recognising it! The notification I got says: > > The following e-mail messages were found to have viruses in them: > > Sender: auto.reply@compuserve.com > IP Address: 149.174.40.6 > Recipient: xxx@newcastle.ac.uk > Subject: Undeliverable Message > MessageID: h611uKu05157 > Report: /h611uKu05157/msg-32244-1482.txt Found the > W32/Sobig.eml virus !!! > >>...what harm can it do in a .txt file? > > That is not the point unless you are suggesting that is why Sophos does > not recognise it? The issue for me is why one A-V scanner finds it but > another doesn't. I wonder if it is a version of Sobig, in a message packaged up as email attachment .eml file but then renamed as .txt? I don't know whether Sophos would find anything in that - haven't got one to hand to try! I'm more concerned about it missing instances of .D and .E unless they're like the Bugbear incident - damaged versions that aren't actually executable. It would still be nice to know though otherwise you assume the worst. 
(Incidentally we've picked up 732 copies of Sobig-E in the 5 days since the ide was released - 22% of our detections for the whole of June, but I digress...) Cheers, Martin -- Martin Sapsed Information Services "Who do you say I am?" University of Wales, Bangor Jesus of Nazareth From m.sapsed at BANGOR.AC.UK Tue Jul 1 12:30:18 2003 From: m.sapsed at BANGOR.AC.UK (Martin Sapsed) Date: Thu Jan 12 21:18:46 2006 Subject: Using HTML tags/code to obfuscate "bad" words References: <5.2.1.1.2.20030630081331.058d7418@securemail.tulsaconnect.com> <3F00F11C.9000609@ims.telstra.com.au> Message-ID: <3F0170CA.5080006@bangor.ac.uk> Ash wrote: > ISP List wrote: > >> More and more I am seeing spammers use HTML codes to obfuscate >> notoriously "bad" words so as to confuse/get by SpamAssassin and >> such. For instance: >> >>

Make your balls and >> pen?s >> larger and get more satisfaction.
>> >> Are others seeing this, and is there a rule in SpamAssassin I can >> tweak to give situations like this more weight? > > fixed at my site by upgrading to SA v2.60 no other config changes > applied This is the first time I've noticed 2.60 being mentioned here - it sounds like a desirable upgrade. Any other guinea pigs tried it and not had problems? (The 2.x0 versions have disagreed with MS before now...!) Cheers, Martin -- Martin Sapsed Information Services "Who do you say I am?" University of Wales, Bangor Jesus of Nazareth From Q.G.Campbell at NEWCASTLE.AC.UK Tue Jul 1 12:33:44 2003 From: Q.G.Campbell at NEWCASTLE.AC.UK (Quentin Campbell) Date: Thu Jan 12 21:18:46 2006 Subject: Sobig.{E,D,EML} not found by Sophos and McAfee - further info Message-ID: <52E50E4D595DDE4D861117A1FB62E79D820916@bond.ncl.ac.uk> > -----Original Message----- > From: Quentin Campbell [mailto:Q.G.Campbell@newcastle.ac.uk] > Sent: 01 July 2003 10:40 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Sobig.{E,D,EML} not found by Sophos and McAfee > [snip] > > By the way, what's Sobig.EML and ... > > Good question. I cannot find this virus at the NAI site yet > it is McAfee that is recognising it! The notification I got says: > > The following e-mail messages were found to have viruses in them: > > Sender: auto.reply@compuserve.com > IP Address: 149.174.40.6 > Recipient: xxx@newcastle.ac.uk > Subject: Undeliverable Message > MessageID: h611uKu05157 > Report: /h611uKu05157/msg-32244-1482.txt Found the > W32/Sobig.eml virus !!! > > > ...what harm can it do in a .txt file? > > That is not the point unless you are suggesting that is why > Sophos does not recognise it? The issue for me is why one A-V > scanner finds it but another doesn't. The one thing all these messages have in common are that they are bounce messages of one sort or another: o undeliverable message o failure notice o returned mail - nameserver error ... 
It appears that they retain some sort of "signature" text, probably harmless, that the McAfee scanner recognises but not the Sophos scanner. Does this sound plausible? Note that this applies to both "Sobig.e", "Sobig.d" and "Sobig.eml" (what ever that is). The latter suggests an alternative theory that it might be MailScanner wrongly picking up a string from the McAfee scanner or wrongly reporting a string that it has; that is, it reports as "Sobig.eml" a string that is something else? I will see if I can quarantine some of these messages. Quentin --- PHONE: +44 191 222 8209 Computing Service, University of Newcastle FAX: +44 191 222 8765 Newcastle upon Tyne, United Kingdom, NE1 7RU. ------------------------------------------------------------------------ "Any opinion expressed above is mine. The University can get its own." From aschwalm at WEB.DE Tue Jul 1 12:38:55 2003 From: aschwalm at WEB.DE (Angela Schwalm) Date: Thu Jan 12 21:18:46 2006 Subject: MailScanner issue with postfix Message-ID: <200307011138.h61BcsQ09846@mailgate5.cinetic.de> > > Oops, sorry, my mistake. It obviously wants those 2 dirs owned by root and > not postfix. chown and chgrp them back to 0 then restart both Postfixes again. > When I deleted /var/spool/postfix.in/deferred yesterday I got this message: Jun 30 16:59:49 xxxx MailScanner[15791]: Cannot cd to dir /var/spool/postfix.in/deferred to read messages, No such file or directory So that means MailScanner looks into the deferred directory. But why does it not recognize the mails in it? ____________________________________________________________________________ Nur bei WEB.DE Testsieger FreeMail testen und damit 1 qm Regenwald schuetzen. Jetzt anmelden und mithelfen! http://user.web.de/Regenwald From tony.johansson at SVENSKAKYRKAN.SE Tue Jul 1 12:55:20 2003 From: tony.johansson at SVENSKAKYRKAN.SE (Tony Johansson) Date: Thu Jan 12 21:18:46 2006 Subject: SV: eTrust Inoculate Message-ID: >Did you find any solution to this problem? > No. 
I've made the eTrust program package available to Julian who will have a look at it when he finds the time. Regards, Tony From HancockS at MORGANCO.COM Tue Jul 1 13:26:26 2003 From: HancockS at MORGANCO.COM (Hancock, Scott) Date: Thu Jan 12 21:18:46 2006 Subject: SV: eTrust Inoculate Message-ID: <3EA1A302A4978A4C970D2C63F327156ED54351@worc-mail2.int.morganco.com> Just a simple "me too". I'm also interested in using etrust as an f-prot replacement. CA gave me (via a coworker) the green light to use the workstation license with mailscanner. We already have their exchange product protecting the same mailboxes as mailscanner. I don't know if that was a factor in the decision. -Scott >-----Original Message----- >From: Tony Johansson [mailto:tony.johansson@SVENSKAKYRKAN.SE] >Sent: Tuesday, July 01, 2003 7:55 AM >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Re: SV: eTrust Inoculate > >>Did you find any solution to this problem? >> >No. I've made the eTrust program package available to Julian who will have >a look at it when he finds the time. > >Regards, Tony From slwatts at WINCKWORTHS.CO.UK Tue Jul 1 13:17:54 2003 From: slwatts at WINCKWORTHS.CO.UK (Samuel Luxford-Watts) Date: Thu Jan 12 21:18:46 2006 Subject: MailScanner Postfix and SuSE 8.1 Message-ID: Hi, Can someone help me please?! I have just installed a clean copy of SuSE 8.1, Postfix (1.1.11-110), Sophos, and MailScanner. I used the latest stable release from the Mailscanner website (Version 4.21-9 for SuSE Linux 8.0/8.1). I ran the installation script and followed through every step in the Using MailScanner with Postfix installation guide with no real problems except one - the guide refers to a utility called redhat-switchmail-nox which I do not have. 
Anyway When I try to run /etc/init.d/MailScanner start I get the following errors: Initializing sendmail and MailScannersendmail: invalid option -- O sendmail: fatal: usage: sendmail [options] sendmail: invalid option -- A sendmail: fatal: usage: sendmail [options] sendmail: invalid option -- A sendmail: fatal: usage: sendmail [options] failed I have had a look through the init.d script and it looks nothing like the updated one on the Mailscanner website. Also /etc/sysconfig/MailScanner has no MTA= line in it and I have not added one. It only has a number of SENDMAIL_*_ARGS options and the workdir directives. Is this right? Or do I need to add the MTA Line anyway? It doesn't seem to be used by the init.d/MailScanner script that was installed with the SuSE package. Has anyone got any ideas on how I can get this working? I guess I just need to tweak the sendmail options but do not know which ones should be used. Thanks in advance, Sam -----Original Message----- From: L-Soft list server at JISCMAIL (1.8e) [mailto:LISTSERV@JISCMAIL.AC.UK] Sent: 01 July 2003 13:00 To: Sam Luxford-Watts Subject: Welcome to MailScanner This list is for the discussion of the MailScanner e-mail virus and spam protector. It is also used for announcements of new releases. If you *only* want announcements of new releases, then you would do better to subscribe to the MailScanner project at http://www.freshmeat.net/projects/mailscanner. -- Jules www.mailscanner.info From m.sapsed at BANGOR.AC.UK Tue Jul 1 13:46:47 2003 From: m.sapsed at BANGOR.AC.UK (Martin Sapsed) Date: Thu Jan 12 21:18:46 2006 Subject: Quick translation request - welsh References: <5.2.1.1.2.20030630215510.02533e60@imap.ecs.soton.ac.uk> Message-ID: <3F0182B7.7020109@bangor.ac.uk> Julian Field wrote: > For the max-message-size checking, I need this translating into as many > languages as possible: > > Message is too large (With apologies for the delay...) 
Mae'r neges yn rhy fawr

Cheers,

Martin

--
Martin Sapsed
Information Services               "Who do you say I am?"
University of Wales, Bangor             Jesus of Nazareth

From dene at DATATECHIE.COM Tue Jul 1 14:17:24 2003
From: dene at DATATECHIE.COM (Dene Ulmschneider)
Date: Thu Jan 12 21:18:46 2006
Subject: No subject
Message-ID: <5.1.0.14.2.20030701091719.02bc0eb0@192.168.1.112>

Hello All-

I am not 100% sure that this is a MailScanner issue - but I never had this problem before installing MailScanner. I am running RHL 7.3 and MS 4.14-9. I am getting the following line in my logwatch on a daily basis. The most current logwatch from yesterday had this line in it 47 times.

h5UF1ou22960: timeout waiting for input from hormel.redhat.com during server cmd read

Does anyone know why it might be timing out so much and how I can stop it from happening?

Thanks for any help

Thank You

Dene Ulmschneider
Data Techie Inc.
-------------------------------------------------------------------------
office: 718.738.8859
cell: 646.996.2976
email: dene@datatechie.com
pager mail: denenow@datatechie.com
website: www.datatechie.com
-------------------------------------------------------------------------
"Data Techie - Always there to protect you!"

From raymond at PROLOCATION.NET Tue Jul 1 14:32:41 2003
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:18:46 2006
Subject: your mail
In-Reply-To: <5.1.0.14.2.20030701091719.02bc0eb0@192.168.1.112>
Message-ID:

Hi!

> h5UF1ou22960: timeout waiting for input from hormel.redhat.com during
> server cmd read
>
> Does anyone know why it might be timing out so much and how I can stop it
> from happening?

Network connection towards that server. Not much you can change on your end I am afraid.

Bye,
Raymond.
From David.While at UCE.AC.UK Tue Jul 1 14:32:05 2003 From: David.While at UCE.AC.UK (David While) Date: Thu Jan 12 21:18:46 2006 Subject: ANNOUNCE: mailstats V0.20 Message-ID: <107DE25EC0216C45AEF670016024245F6EE3@exchangea.staff.uce.ac.uk> For those using my script I have just released (finally!) version 0.20 The changes are: counting messages instead of recipients support for fsecure virus scanner support for determining the country from the IP address reporting when the anti virus database has been updated. Minor changes such as correcting the name of mcafee have aslo been included. NOTE: To use this version requires the installation of the GEOIP perl module and database. The details of where to get it from are available at the mailstats web site. This version can be downloaded from http://staff.cie.uce.ac.uk/~id001869/mailstats/ Note that the config file is called config.pl.new to avoid overwriting your existing file. You should check through to see if anything has changed. ----------------------------------------------------------------- David While Technical Development Manager Faculty of Computing, Information & English University of Central England Tel: 0121 331 6211 ----------------------------------------------------------------- -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030701/61dbf4f3/attachment.html From mailscanner at ecs.soton.ac.uk Tue Jul 1 14:18:05 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:18:46 2006 Subject: SV: eTrust Inoculate In-Reply-To: <3EA1A302A4978A4C970D2C63F327156ED54351@worc-mail2.int.morg anco.com> Message-ID: <5.2.0.9.2.20030701141403.042d2df0@imap.ecs.soton.ac.uk> Sorry I haven't had a chance to look at this. It's unlikely to happen before August now as I am going to have to live without bandwidth for most of July (on "holiday", whatever one of those is...). 
I guess it's a bit like being in hospital and hence not having a PC, but there again I had a laptop then and our local hospital has networked workstation rooms in it. This "holiday" thing is going to be a very strange experience :-) At 13:26 01/07/2003, you wrote: >Just a simple "me too". I'm also interested in using etrust as an >f-prot replacement. > >CA gave me (via a coworker) the green light to use the workstation >license with mailscanner. We already have their exchange product >protecting the same mailboxes as mailscanner. I don't know if that was >a factor in the decision. > >-Scott > > > >-----Original Message----- > >From: Tony Johansson [mailto:tony.johansson@SVENSKAKYRKAN.SE] > >Sent: Tuesday, July 01, 2003 7:55 AM > >To: MAILSCANNER@JISCMAIL.AC.UK > >Subject: Re: SV: eTrust Inoculate > > > >>Did you find any solution to this problem? > >> > >No. I've made the eTrust program package available to Julian who will >have > >a look at it when he finds the time. > > > >Regards, Tony -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Tue Jul 1 14:22:41 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:18:46 2006 Subject: MailScanner Postfix and SuSE 8.1 In-Reply-To: Message-ID: <5.2.0.9.2.20030701141910.04211df0@imap.ecs.soton.ac.uk> I need to do some more work on the SuSE init.d script so it is as clever as my RedHat one. 
In the mean time, look in the init.d script for code that starts with a line saying "startin)" and replace the following 3 sections with this:

     startin)
         echo -n "Initializing incoming Postfix"
         startproc -p $srvpid postfix -c /etc/postfix.in
         rc_status
         ;;
     startout)
         echo -n "Initializing outgoing Postfix"
         startproc -f -p $srvoutpid postfix -c /etc/postfix
         rc_status
         ;;
     start)
         echo -n "Initializing Postfix and MailScanner"
         startproc -p $srvpid postfix -c /etc/postfix.in
         rc_status
         startproc -f -p $srvoutpid postfix -c /etc/postfix
         rc_status
         startproc -f -p $mspid /usr/sbin/check_MailScanner >/dev/null
         rc_status -v
         rm -f /var/lock/subsys/MailScanner.off >/dev/null 2>&1
         ;;

At 13:17 01/07/2003, you wrote:
>Hi,
>
>Can someone help me please?!
>
>I have just installed a clean copy of SuSE 8.1, Postfix (1.1.11-110),
>Sophos, and MailScanner. I used the latest stable release from the
>Mailscanner website (Version 4.21-9 for SuSE Linux 8.0/8.1).
>
>I ran the installation script and followed through every step in the Using
>MailScanner with Postfix installation guide with no real problems except one
>- the guide refers to a utility called redhat-switchmail-nox which I do not
>have. Anyway When I try to run /etc/init.d/MailScanner start I get the
>following errors:
>Initializing sendmail and MailScannersendmail: invalid option -- O
>sendmail: fatal: usage: sendmail [options]
>sendmail: invalid option -- A
>sendmail: fatal: usage: sendmail [options]
>sendmail: invalid option -- A
>sendmail: fatal: usage: sendmail [options]
> failed
>I have had a look through the init.d script and it looks nothing like the
>updated one on the Mailscanner website. Also /etc/sysconfig/MailScanner has
>no MTA= line in it and I have not added one. It only has a number of
>SENDMAIL_*_ARGS options and the workdir directives. Is this right? Or do I
>need to add the MTA Line anyway? It doesn't seem to be used by the
>init.d/MailScanner script that was installed with the SuSE package.
>
>Has anyone got any ideas on how I can get this working? I guess I just need
>to tweak the sendmail options but do not know which ones should be used.
>
>Thanks in advance,
>
>Sam
>
>-----Original Message-----
>From: L-Soft list server at JISCMAIL (1.8e) [mailto:LISTSERV@JISCMAIL.AC.UK]
>
>Sent: 01 July 2003 13:00
>To: Sam Luxford-Watts
>Subject: Welcome to MailScanner
>
>
>This list is for the discussion of the MailScanner e-mail virus and spam
>protector. It is also used for announcements of new releases.
>
>If you *only* want announcements of new releases, then you would do better
>to subscribe to the MailScanner project at
>http://www.freshmeat.net/projects/mailscanner.
>
>--
>Jules
>www.mailscanner.info

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From andersan at LTKALMAR.SE Tue Jul 1 14:56:54 2003
From: andersan at LTKALMAR.SE (Anders Andersson, IT)
Date: Thu Jan 12 21:18:46 2006
Subject: SV: SV: eTrust Inoculate
Message-ID: <9F18B7DDBA88E544AB1F1995148916661CE639@lkl63.ltkalmar.se>

Hey, no rush for my sake... I got enough to do since we are soon moving to a new location. I just have to be satisfied with 2 scanners and let inoculate wait until you are back on track. I can use my time to open the perl books and cry ;)

Have a nice vacation

> -----Original message-----
> From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK]
> Sent: 1 July 2003 15:18
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: SV: eTrust Inoculate
>
>
> Sorry I haven't had a chance to look at this. It's unlikely
> to happen before August now as I am going to have to live
> without bandwidth for most of July (on "holiday", whatever
> one of those is...). I guess it's a bit like being in
> hospital and hence not having a PC, but there again I had a
> laptop then and our local hospital has networked workstation
> rooms in it.
This "holiday" thing is going to be a very > strange experience :-) > > At 13:26 01/07/2003, you wrote: > >Just a simple "me too". I'm also interested in using etrust as an > >f-prot replacement. > > > >CA gave me (via a coworker) the green light to use the workstation > >license with mailscanner. We already have their exchange product > >protecting the same mailboxes as mailscanner. I don't know > if that was > >a factor in the decision. > > > >-Scott > > > > > > >-----Original Message----- > > >From: Tony Johansson [mailto:tony.johansson@SVENSKAKYRKAN.SE] > > >Sent: Tuesday, July 01, 2003 7:55 AM > > >To: MAILSCANNER@JISCMAIL.AC.UK > > >Subject: Re: SV: eTrust Inoculate > > > > > >>Did you find any solution to this problem? > > >> > > >No. I've made the eTrust program package available to Julian who > >will have > > >a look at it when he finds the time. > > > > > >Regards, Tony > > -- > Julian Field > www.MailScanner.info > MailScanner thanks transtec Computers for their support > From slwatts at WINCKWORTHS.CO.UK Tue Jul 1 15:11:52 2003 From: slwatts at WINCKWORTHS.CO.UK (Samuel Luxford-Watts) Date: Thu Jan 12 21:18:46 2006 Subject: MailScanner Postfix and SuSE 8.1 Message-ID: Thanks - this works (after I made a few changes - shown below) but it reports: Initializing sendmail and MailScanner failed Even tho all the services appear to have been started fine. I did have to change the startproc lines to include the full path to postfix and use start Eg. Startproc -f -p $srvoutpid /usr/sbin/postfix -c /etc/postfix start I am trying to go through and create a proper init.d script now. I don't really know much about this but will post it when I get it working fully! Thanks, Sam -----Original Message----- From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] Sent: 01 July 2003 14:23 To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: MailScanner Postfix and SuSE 8.1 I need to do some more work on the SuSE init.d script so it is as clever as my RedHat one. 
In the mean time, look in the init.d script for code that starts with a line saying "startin)" and replace the following 3 sections with this: startin) echo -n "Initializing incoming Postfix" startproc -p $srvpid postfix -c /etc/postfix.in rc_status ;; startout) echo -n "Initializing outgoing Postfix" startproc -f -p $srvoutpid postfix -c /etc/postfix rc_status ;; start) echo -n "Initializing Postfix and MailScanner" startproc -p $srvpid postfix -c /etc/postfix.in rc_status startproc -f -p $srvoutpid postfix -c /etc/postfix rc_status startproc -f -p $mspid /usr/sbin/check_MailScanner >/dev/null rc_status -v rm -f /var/lock/subsys/MailScanner.off >/dev/null 2>&1 ;; At 13:17 01/07/2003, you wrote: >Hi, > >Can someone help me please?! > >I have just installed a clean copy of SuSE 8.1, Postfix (1.1.11-110), >Sophos, and MailScanner. I used the latest stable release from the >Mailscanner website (Version 4.21-9 for SuSE Linux 8.0/8.1). > >I ran the installation script and followed through every step in the >Using MailScanner with Postfix installation guide with no real problems >except one >- the guide refers to a utility called redhat-switchmail-nox which I do not >have. Anyway When I try to run /etc/init.d/MailScanner start I get the >following errors: >Initializing sendmail and MailScannersendmail: invalid option -- O >sendmail: fatal: usage: sendmail [options] >sendmail: invalid option -- A >sendmail: fatal: usage: sendmail [options] >sendmail: invalid option -- A >sendmail: fatal: usage: sendmail [options] > failed >I have had a look through the init.d script and it looks nothing like the >updated one on the Mailscanner website. Also /etc/sysconfig/MailScanner has >no MTA= line in it and I have not added one. It only has a number of >SENDMAIL_*_ARGS options and the workdir directives. Is this right? Or do I >need to add the MTA Line anyway? It doesn't seem to be used by the >init.d/MailScanner script that was installed with the SuSE package. 
> >Has anyone got any ideas on how I can get this working? I guess I just >need to tweak the sendmail options but do not know which ones should be >used. > >Thanks in advance, > >Sam > >-----Original Message----- >From: L-Soft list server at JISCMAIL (1.8e) >[mailto:LISTSERV@JISCMAIL.AC.UK] > >Sent: 01 July 2003 13:00 >To: Sam Luxford-Watts >Subject: Welcome to MailScanner > > >This list is for the discussion of the MailScanner e-mail virus and >spam protector. It is also used for announcements of new releases. > >If you *only* want announcements of new releases, then you would do >better to subscribe to the MailScanner project at >http://www.freshmeat.net/projects/mailscanner. > >-- >Jules >www.mailscanner.info -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From Kevin.Spicer at BMRB.CO.UK Tue Jul 1 15:34:14 2003 From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin) Date: Thu Jan 12 21:18:46 2006 Subject: mailscanner timeout on virus updates...? Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0EBF6B9@pascal.priv.bmrb.co.uk> I've just seen this happen too, caused me a big backlog. I've disabled Clam for the time being (its not my only scanner), but some kind of timeout would be really helpful. -----Original Message----- From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] Sent: 30 June 2003 19:15 To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: mailscanner timeout on virus updates...? At 19:04 30/06/2003, you wrote: Is there a way to set mailscanner to timeout when it's waiting on the virus update script(s)? My installation of MailScanner and ClamAV was stuck and just queueing messages again today, because the ClamAV update program was hung for some reason. I've sent a message to that list to see if there's a solution, but I was also wondering if there's a way to set a timeout value for MailScanner if the virus update script doesn't complete in a certain amount of time. 
Maybe even send an email to root or something to let them know that the script timed out... It won't make it into the July release, but I could knock up a sample autoupdate script that wraps the update in a timeout. This is probably best placed in the global updater actually. Let me think on that, and the best way to do it... -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030701/513c9718/attachment.html From mailscanner at ecs.soton.ac.uk Tue Jul 1 15:36:46 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:18:46 2006 Subject: MailScanner Postfix and SuSE 8.1 In-Reply-To: Message-ID: <5.2.0.9.2.20030701153534.040d90d0@imap.ecs.soton.ac.uk> At 15:11 01/07/2003, you wrote: >Thanks - this works (after I made a few changes - shown below) but it >reports: > >Initializing sendmail and MailScanner >failed > >Even tho all the services appear to have been started fine. In which case delete the line that prints the "failed" :-) >I did have to change the startproc lines to include the full path to postfix >and use start > >Eg. 
> >Startproc -f -p $srvoutpid /usr/sbin/postfix -c /etc/postfix start > >I am trying to go through and create a proper init.d script now. I don't >really know much about this but will post it when I get it working fully! Yes, it was only a quick and dirty hack. When I get some time alone with my SuSE box (has dead CPU fan right now) I will do some more work on it. Need to try with SuSE 8.2 as well (which someone here kindly bought me). >Thanks, > >Sam > >-----Original Message----- >From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] >Sent: 01 July 2003 14:23 >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Re: MailScanner Postfix and SuSE 8.1 > > >I need to do some more work on the SuSE init.d script so it is as clever as >my RedHat one. > >In the mean time, look in the init.d script for code that starts with a line >saying "startin)" and replace the following 3 sections with this: > > startin) > echo -n "Initializing incoming Postfix" > startproc -p $srvpid postfix -c /etc/postfix.in > rc_status > ;; > startout) > echo -n "Initializing outgoing Postfix" > startproc -f -p $srvoutpid postfix -c /etc/postfix > rc_status > ;; > start) > echo -n "Initializing Postfix and MailScanner" > startproc -p $srvpid postfix -c /etc/postfix.in > rc_status > startproc -f -p $srvoutpid postfix -c /etc/postfix > rc_status > startproc -f -p $mspid /usr/sbin/check_MailScanner >/dev/null > rc_status -v > rm -f /var/lock/subsys/MailScanner.off >/dev/null 2>&1 > ;; > >At 13:17 01/07/2003, you wrote: > >Hi, > > > >Can someone help me please?! > > > >I have just installed a clean copy of SuSE 8.1, Postfix (1.1.11-110), > >Sophos, and MailScanner. I used the latest stable release from the > >Mailscanner website (Version 4.21-9 for SuSE Linux 8.0/8.1). 
> > > >I ran the installation script and followed through every step in the > >Using MailScanner with Postfix installation guide with no real problems > >except one > >- the guide refers to a utility called redhat-switchmail-nox which I do not > >have. Anyway When I try to run /etc/init.d/MailScanner start I get the > >following errors: > >Initializing sendmail and MailScannersendmail: invalid option -- O > >sendmail: fatal: usage: sendmail [options] > >sendmail: invalid option -- A > >sendmail: fatal: usage: sendmail [options] > >sendmail: invalid option -- A > >sendmail: fatal: usage: sendmail [options] > > >failed > >I have had a look through the init.d script and it looks nothing like the > >updated one on the Mailscanner website. Also /etc/sysconfig/MailScanner has > >no MTA= line in it and I have not added one. It only has a number of > >SENDMAIL_*_ARGS options and the workdir directives. Is this right? Or do I > >need to add the MTA Line anyway? It doesn't seem to be used by the > >init.d/MailScanner script that was installed with the SuSE package. > > > >Has anyone got any ideas on how I can get this working? I guess I just > >need to tweak the sendmail options but do not know which ones should be > >used. > > > >Thanks in advance, > > > >Sam > > > >-----Original Message----- > >From: L-Soft list server at JISCMAIL (1.8e) > >[mailto:LISTSERV@JISCMAIL.AC.UK] > > > >Sent: 01 July 2003 13:00 > >To: Sam Luxford-Watts > >Subject: Welcome to MailScanner > > > > > >This list is for the discussion of the MailScanner e-mail virus and > >spam protector. It is also used for announcements of new releases. > > > >If you *only* want announcements of new releases, then you would do > >better to subscribe to the MailScanner project at > >http://www.freshmeat.net/projects/mailscanner. 
> >
> >--
> >Jules
> >www.mailscanner.info
>
>--
>Julian Field
>www.MailScanner.info
>MailScanner thanks transtec Computers for their support

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From aschwalm at WEB.DE Tue Jul 1 16:10:38 2003
From: aschwalm at WEB.DE (Angela Schwalm)
Date: Thu Jan 12 21:18:46 2006
Subject: MailScanner issue with postfix
Message-ID:

Here are all configurations. I hope anybody can see why it does not work.

/etc/postfix.in/main.cf:

soft_bounce = yes
queue_directory = /var/spool/postfix.in
command_directory = /usr/sbin
daemon_directory = /usr/lib/postfix
sendmail_path = /usr/sbin/sendmail
mailq_path = /usr/bin/mailq
newaliases_path = /usr/sbin/sendmail
mail_owner = postfix
mail_name = Postfix on SuSE Linux 8.0 (i386)
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
sender_canonical_maps = hash:/etc/postfix/sender_canonical
canonical_maps = hash:/etc/postfix/canonical
virtual_maps = hash:/etc/postfix/virtual
relocated_maps = hash:/etc/postfix/relocated
transport_maps = hash:/etc/postfix/transport
local_recipient_maps =
debug_peer_level = 2
debugger_command =
         PATH=/usr/bin:/usr/X11R6/bin
         xxgdb $daemon_directory/$process_name $process_id & sleep 5
setgid_group = maildrop
defer_transports = smtp local virtual relay
disable_dns_lookups = no

/etc/postfix.in/master.cf:

# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (50)
# ==========================================================================
smtp      inet  n       -       y       -       -       smtpd
pickup    unix  n       -       y       60      1       pickup
cleanup   unix  n       -       y       -       0       cleanup
qmgr      unix  n       -       y       300     1       qmgr
rewrite   unix  -       -       y       -       -       trivial-rewrite
bounce    unix  -       -       y       -       0       bounce
defer     unix  -       -       y       -       0       bounce
flush     unix  n       -       y       1000?   0       flush
smtp      unix  -       -       y       -       -       smtp
showq     unix  n       -       y       -       -       showq
error     unix  -       -       y       -       -       error
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       y       -       -       lmtp
tlsmgr    fifo  -       -       n       300     1       tlsmgr
cyrus     unix  -       n       n       -       -       pipe
  flags=R user=cyrus argv=/usr/lib/cyrus/bin/deliver -e -m ${extension} ${user}
uucp      unix  -       n       n       -       -       pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
ifmail    unix  -       n       n       -       -       pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -       n       n       -       -       pipe
  flags=Fq. user=foo argv=/usr/local/sbin/bsmtp -f $sender $nexthop $recipient
procmail  unix  -       n       n       -       -       pipe
  flags=R user=cyrus argv=/usr/bin/procmail -t -m USER=${user} EXT=${extension} /etc/procmailrc

/etc/postfix/master.cf:

# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (50)
# ==========================================================================
#smtp     inet  n       -       n       -       -       smtpd
pickup    unix  n       -       y       60      1       pickup
cleanup   unix  n       -       y       -       0       cleanup
qmgr      unix  n       -       y       300     1       qmgr
rewrite   unix  -       -       y       -       -       trivial-rewrite
bounce    unix  -       -       y       -       0       bounce
defer     unix  -       -       y       -       0       bounce
flush     unix  n       -       y       1000?   0       flush
#smtp     unix  -       -       y       -       -       smtp
showq     unix  n       -       y       -       -       showq
error     unix  -       -       y       -       -       error
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       y       -       -       lmtp
tlsmgr    fifo  -       -       n       300     1       tlsmgr
cyrus     unix  -       n       n       -       -       pipe
  flags=R user=cyrus argv=/usr/lib/cyrus/bin/deliver -e -m ${extension} ${user}
uucp      unix  -       n       n       -       -       pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
ifmail    unix  -       n       n       -       -       pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -       n       n       -       -       pipe
  flags=Fq. user=foo argv=/usr/local/sbin/bsmtp -f $sender $nexthop $recipient
procmail  unix  -       n       n       -       -       pipe
  flags=R user=cyrus argv=/usr/bin/procmail -t -m USER=${user} EXT=${extension} /etc/procmailrc

/etc/postfix/main.cf:

soft_bounce = yes
queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/lib/postfix
mail_spool_directory = /var/mail
sendmail_path = /usr/sbin/sendmail
mailq_path = /usr/bin/mailq
newaliases_path = /usr/sbin/sendmail
mail_owner = postfix
default_privs = nobody
mail_name = Postfix on SuSE Linux 8.0 (i386)
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
sender_canonical_maps = hash:/etc/postfix/sender_canonical
canonical_maps = hash:/etc/postfix/canonical
virtual_maps = hash:/etc/postfix/virtual
relocated_maps = hash:/etc/postfix/relocated
transport_maps = hash:/etc/postfix/transport
local_recipient_maps =
debug_peer_level = 2
debugger_command =
         PATH=/usr/bin:/usr/X11R6/bin
         xxgdb $daemon_directory/$process_name $process_id & sleep 5
setgid_group = maildrop
masquerade_exceptions = root
masquerade_domains =
defer_transports =
disable_dns_lookups = no
relayhost =

/etc/MailScanner/MailScanner.conf:

Max Children = 5
Run As User = postfix
Run As Group = postfix
Queue Scan Interval = 5
Incoming Queue Dir = /var/spool/postfix.in/deferred
Outgoing Queue Dir = /var/spool/postfix/incoming
Incoming Work Dir = /var/spool/MailScanner/incoming
Quarantine Dir = /var/spool/MailScanner/quarantine
PID file = /var/run/MailScanner.pid
Restart Every = 14400
MTA = postifx
Sendmail = /usr/sbin/sendmail
Sendmail2 = /usr/sbin/sendmail

If this is correct, perhaps it's an owner-problem?
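A cross-check of the three kinds of file posted in the message above, as an added example (not part of the original post and not MailScanner code): it parses MailScanner.conf and both main.cf files and reports settings that disagree with each other. The list of accepted MTA names and the two-instance layout (the incoming instance holds mail in deferred/, MailScanner hands scanned mail to the outgoing instance's incoming/) are assumptions taken from the posted values; the function names are hypothetical.

```python
import difflib
import re

# Assumption: the MTA names a MailScanner of this era accepts.
KNOWN_MTAS = ("sendmail", "exim", "postfix", "zmailer")

# Values excerpted from the files in the post above.
MAILSCANNER_CONF = """\
Run As User = postfix
Run As Group = postfix
Incoming Queue Dir = /var/spool/postfix.in/deferred
Outgoing Queue Dir = /var/spool/postfix/incoming
MTA = postifx
"""
INCOMING_MAIN_CF = """\
queue_directory = /var/spool/postfix.in
mail_owner = postfix
defer_transports = smtp local virtual relay
"""
OUTGOING_MAIN_CF = """\
queue_directory = /var/spool/postfix
mail_owner = postfix
default_privs = nobody
defer_transports =
"""


def parse_postfix_main(text):
    """Parse main.cf: 'name = value', '#' comments, indented continuation lines."""
    params, last = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and last is not None:
            # A line starting with whitespace continues the previous parameter.
            params[last] = (params[last] + " " + raw.strip()).strip()
            continue
        m = re.match(r"([A-Za-z0-9_]+)\s*=\s*(.*)$", raw)
        if m:
            last = m.group(1)
            params[last] = m.group(2).strip()
    return params


def parse_mailscanner_conf(text):
    """Parse MailScanner.conf; option names are compared without case or spaces."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        name, value = line.split("=", 1)
        opts[re.sub(r"\s+", "", name).lower()] = value.strip()
    return opts


def check(ms_text, incoming_main_text, outgoing_main_text):
    """Return a list of human-readable findings; an empty list means consistent."""
    ms = parse_mailscanner_conf(ms_text)
    inc = parse_postfix_main(incoming_main_text)
    out = parse_postfix_main(outgoing_main_text)
    findings = []

    mta = ms.get("mta", "")
    if mta.lower() not in KNOWN_MTAS:
        guess = difflib.get_close_matches(mta.lower(), KNOWN_MTAS, n=1)
        hint = f" (did you mean '{guess[0]}'?)" if guess else ""
        findings.append(f"MTA: unknown value '{mta}'{hint}")

    # MailScanner must read where the incoming instance parks mail and
    # write where the outgoing instance picks mail up.
    for opt, label, params, sub in (
        ("incomingqueuedir", "Incoming Queue Dir", inc, "deferred"),
        ("outgoingqueuedir", "Outgoing Queue Dir", out, "incoming"),
    ):
        want = params.get("queue_directory", "").rstrip("/") + "/" + sub
        have = ms.get(opt, "").rstrip("/")
        if have != want:
            findings.append(f"{label}: '{have}' should be '{want}'")

    if not inc.get("defer_transports"):
        findings.append("incoming main.cf: defer_transports is empty, "
                        "mail would be delivered without being scanned")
    if out.get("defer_transports"):
        findings.append("outgoing main.cf: defer_transports is set, "
                        "scanned mail would stay queued")

    # Queue files are owned by mail_owner; MailScanner has to run as that user.
    user = ms.get("runasuser", "")
    for name, params in (("incoming", inc), ("outgoing", out)):
        owner = params.get("mail_owner", "postfix")  # Postfix default
        if user != owner:
            findings.append(f"Run As User: '{user}' is not the {name} "
                            f"instance's mail_owner '{owner}'")
    return findings


if __name__ == "__main__":
    for finding in check(MAILSCANNER_CONF, INCOMING_MAIN_CF, OUTGOING_MAIN_CF):
        print(finding)
```

On the posted values the only finding is the `MTA` line; the queue directories and the run-as user agree across the three files.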
From rgrignon at INPHACT.COM Tue Jul 1 16:37:35 2003 From: rgrignon at INPHACT.COM (rgrignon@INPHACT.COM) Date: Thu Jan 12 21:18:46 2006 Subject: Long delay in sending mail Message-ID: We are running postfix 2.0.12 and MailScanner 4.21-9 I am noticing for the most part that mail is queued and delivered right away, however, about 5-6 times a day the queue builds up and does not send. It looks like it will eventually send within 15min, however, I am curious to know what is causing MailScanner (or postfix) to eventually send the mail. Is there some sort of cron job or a setting that I could adjust to force the mail to be delivered in the event that the system hangs like it is currently doing? Thanks, Rob From rzewnickie at RFA.ORG Tue Jul 1 16:45:56 2003 From: rzewnickie at RFA.ORG (Eric Dantan Rzewnicki) Date: Thu Jan 12 21:18:46 2006 Subject: filter by size of attachment In-Reply-To: <3F005BBA.A1AE40FC@ihs.com> References: <3F005BBA.A1AE40FC@ihs.com> Message-ID: <20030701154556.GB32558@rfa.org> On Mon 30/06/2003 09:48:10, Dustin Baer wrote: > Alan Fiebig wrote: > > > > Greetings! > > > > I know that MailScanner can block/remove file attachments based upon the name of the attachment, but does anyone know of a method to block/remove an attachment(s) based upon size? Many of my dialup account customers have major problems in downloading emails that are over 2 meg in size; some have their client lockup, other think it locked up due to the time involved in the transfer and just abort. > > > > I would therefore like to use MailScanner to also block or remove attachments that are over a given size, say 2 meg. > > > > All help is apreciated! > > > > -Alan > > Doesn't your MTA do this? > > Sendmail - > O MaxMessageSize=[BYTE SIZE] > > The MTA won't remove the attachment, but it will most certainly not let > it in. 
> Or the same in postfix: message_size_limit = [BYTE SIZE] > Dustin > > -- > Dustin Baer > Unix Administrator/Postmaster > Information Handling Services > 15 Inverness Way East > Englewood, CO 80112 > 303-397-2836 From cparker at SWATGEAR.COM Tue Jul 1 17:06:23 2003 From: cparker at SWATGEAR.COM (Chris W. Parker) Date: Thu Jan 12 21:18:46 2006 Subject: MailScanner feature request Message-ID: <001BD19C96E6E64E8750D72C2EA0ECEE1AE0ED@ati-ex-01.ati.local> Julian, I would like to see a command for MailScanner similar to 'iptables --list'. This command would show you, depending on the option(s) you passed to it, the configurations of the different files MailScanner reads upon load. For example I could do this: # mailscanner --lookup f This would get me a print out of the file extension configuration that MailScanner currently had in memory. Of course I would also be able to pass different flags aside from "f" to get other configurations. i.e. white/blacklist, MailScanner.conf, etc. My .02 Chris. From Kevin.Spicer at BMRB.CO.UK Tue Jul 1 17:12:21 2003 From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin) Date: Thu Jan 12 21:18:46 2006 Subject: MailScanner feature request Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0EBF6BF@pascal.priv.bmrb.co.uk> > For example I could do this: > > # mailscanner --lookup f > I don't understand why you would need this, isn't cat /etc/MailScanner/filename.rules.conf enough? Its not like MailScanner can be reconfigured on the command line like iptables is (unless Julian has sneaked in another new feature there too!). BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. 
Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. From mailscanner at ecs.soton.ac.uk Tue Jul 1 17:40:27 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:18:46 2006 Subject: MailScanner feature request In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB0EBF6BF@pascal.priv.bmrb.co .uk> Message-ID: <5.2.1.1.2.20030701173608.02669ec8@imap.ecs.soton.ac.uk> At 17:12 01/07/2003, you wrote: > > For example I could do this: > > > > # mailscanner --lookup f > > >I don't understand why you would need this, isn't cat >/etc/MailScanner/filename.rules.conf enough? Its not like MailScanner can >be reconfigured on the command line like iptables is (unless Julian has >sneaked in another new feature there too!). No I haven't. All the iptables commands are just handy ways of editing the filtering tables stored in the kernel. So asking the status and current settings is easy, you just ask the kernel what it thinks. There is no way in MailScanner of asking the running processes what state they have stored. To do so I would have to fork off a thread in each process to sit and listen for status requests, which would probably also have to listen on a control port. This opens it up to loads of nasty network attacks, requires a huge amount of code and doesn't really provide you with much more than you can get from cat-ing the configuration files. For things like rulesets, you would only be able to see the compiled version of the rules anyway, which most "normal people" can't understand anyway. Hopefully that explains why I'm not overly keen on this idea. All ideas are very welcome though! 
Some of the ones I don't like happen anyway :-) -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support From cparker at SWATGEAR.COM Tue Jul 1 17:43:21 2003 From: cparker at SWATGEAR.COM (Chris W. Parker) Date: Thu Jan 12 21:18:46 2006 Subject: MailScanner feature request Message-ID: <001BD19C96E6E64E8750D72C2EA0ECEE1AE0EE@ati-ex-01.ati.local> Spicer, Kevin wrote: > > For example I could do this: > > > > # mailscanner --lookup f > > > I don't understand why you would need this, isn't cat > /etc/MailScanner/filename.rules.conf enough? What you see in the file isn't necessarily what MailScanner is actually using. Let me ammend my post with this: Julian, if you had a priority list of features to add to MailScanner using a range of 1 to 5, 1 being least important and 5 being most important, make this a 1. ;) Chris. From cparker at SWATGEAR.COM Tue Jul 1 17:47:00 2003 From: cparker at SWATGEAR.COM (Chris W. Parker) Date: Thu Jan 12 21:18:46 2006 Subject: MailScanner feature request Message-ID: <001BD19C96E6E64E8750D72C2EA0ECEE2B7CD9@ati-ex-01.ati.local> Julian Field wrote: > There is no way in MailScanner of asking the running processes what > state they have stored. To do so I would have to fork off a thread in > each process to sit and listen for status requests, which would > probably also have to listen on a control port. I see. Well that makes perfect sense. > This opens it up to loads of nasty network attacks, requires a huge > amount of code and doesn't really provide you with much more than you > can get from cat-ing the configuration files. For things like > rulesets, you would only be able to see the compiled version of the > rules anyway, which most "normal people" can't understand anyway. I had no idea such effort was involved, I thought it would be as easy as how you describe it with iptables. Chris. 
From mailscanner at ecs.soton.ac.uk Tue Jul 1 18:01:13 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:18:46 2006 Subject: MailScanner feature request In-Reply-To: <001BD19C96E6E64E8750D72C2EA0ECEE2B7CD9@ati-ex-01.ati.local > Message-ID: <5.2.1.1.2.20030701175339.03a4b718@imap.ecs.soton.ac.uk> At 17:47 01/07/2003, you wrote: >Julian Field wrote: > > This opens it up to loads of nasty network attacks, requires a huge > > amount of code and doesn't really provide you with much more than you > > can get from cat-ing the configuration files. For things like > > rulesets, you would only be able to see the compiled version of the > > rules anyway, which most "normal people" can't understand anyway. > >I had no idea such effort was involved, I thought it would be as easy as >how you describe it with iptables. As soon as you listen on a port, you are dealing with the outside world which is a very nasty place. This is one of the major reasons MailScanner doesn't get involved with SMTP service or message delivery. Even iptables has to do some of this, but I bet you could kill it if you sent it nasty enough instructions. Not many apps are 100% bullet-proof. It is very easy to do it very badly, and very hard to do it 100% right. Look at all the vulnerabilities that are discovered in applications everyday. So far (touch wood) MailScanner has only appeared in Bugtraq twice. Both occasions were for vulnerabilities that I discovered first (and documented) and there were never any reports of either of these ever being exploited by anyone. I let everyone else do the hard stuff :-) One of the standard tests I do on undergraduate courseworks that process input from the user is to feed the Linux kernel to it and see if their code handles it neatly. 
--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

From lists at STHOMAS.NET Tue Jul 1 18:11:05 2003
From: lists at STHOMAS.NET (Steve Thomas)
Date: Thu Jan 12 21:18:46 2006
Subject: your mail
In-Reply-To: ; from raymond@PROLOCATION.NET on Tue, Jul 01, 2003 at 03:32:41PM +0200
References: <5.1.0.14.2.20030701091719.02bc0eb0@192.168.1.112>
Message-ID: <20030701101105.A31278@sthomas.net>

On Tue, Jul 01, 2003 at 03:32:41PM +0200, Raymond Dijkxhoorn is rumored to have said:
>
> > h5UF1ou22960: timeout waiting for input from hormel.redhat.com during
> > server cmd read
>
> Network connection towards that server. Not much you can change on your end
> I am afraid.

You can edit the logwatch script so these get filtered out of your reports.
I've done that with a couple of them, most notably the sendmail script.

--
Steve Thomas
----------------------------------------------------------
"...subatomic matter in a particle accelerator that exists for only a few
microseconds seems to exhibit more uptime than the RIAA's website."
  -- Andrew Orlowski TheRegister.co.uk

From slwatts at WINCKWORTHS.CO.UK Tue Jul 1 18:18:38 2003
From: slwatts at WINCKWORTHS.CO.UK (Samuel Luxford-Watts)
Date: Thu Jan 12 21:18:46 2006
Subject: MailScanner Postfix and SuSE 8.1
Message-ID:

Ok - I kinda got a script that works ok. I am fumbling round in the dark a
little as this is beyond my basic scripting abilities.

Start startin startout, stop stopin stopout and status all work. The problem
is if you do a start, then say a stopin and then status it returns the wrong
status - all are up when they are clearly not.

I hope you can get your fan fixed soon!!!

Anyway - hope it's of use as a starting point......

Sam

Begin /etc/init.d/MailScanner
-----------------------------
#!/bin/bash
#
# mailscanner   This shell script takes care of starting and stopping
#               MailScanner, and its associated copies of sendmail.
#
### BEGIN INIT INFO
# Provides:       MailScanner
# Required-Start: $syslog $remote_fs
# X-UnitedLinux-Should-Start: $time $network $named ypbind
# Required-Stop:  $syslog $remote_fs
# X-UnitedLinux-Should-Stop: $time $network $named ypbind
# Default-Start:  3 5
# Default-Stop:   0 1 2 6
# Short-Description: MailScanner and sendmail daemons
# Description:    Start sendmail and MailScanner to provide
#                 SMTP service with virus, dangerous contents and spam scanning.
### END INIT INFO

# Check for missing binaries (stale symlinks should not happen)
MAILSCANNER_BIN=/usr/sbin/MailScanner
#srvpid=/var/run/postfix-in.pid
#srvoutpid=/var/run/postfix-out.pid
mspid=/var/run/MailScanner.pid
srvinpid=/var/spool/postfix.in/pid/master.pid
srvoutpid=/var/spool/postfix/pid/master.pid
POSTFIX_BIN=/usr/sbin/postfix
POSTFIX_IN=/etc/postfix.in
POSTFIX_OUT=/etc/postfix
MASTER_BIN=/usr/lib/postfix/master

# Determine the base and follow a runlevel link name.
base=${0##*/}
link=${base#*[SK][0-9][0-9]}

test -x $POSTFIX_BIN || exit 5
test -x $MASTER_BIN || exit 5

. /etc/rc.status
rc_reset

case "$1" in
    startin)
        rc_reset
        echo -n "Initialising incoming mail process (postfix):"
        $POSTFIX_BIN -c $POSTFIX_IN start > /dev/null 2>&1
        # Remember status and be verbose
        rc_status -v
        # No "postfix flush" on the incoming instance: its mail waits in
        # deferred/ for MailScanner (defer_transports in its main.cf), and a
        # flush asks Postfix to attempt delivery of everything in that queue.
        ;;
    startout)
        rc_reset
        echo -n "Initialising outgoing mail process (postfix):"
        $POSTFIX_BIN -c $POSTFIX_OUT start > /dev/null 2>&1
        # Remember status and be verbose
        rc_status -v
        (
            i=60
            # waiting for qmgr
            while [ -z "$(pidof qmgr)" -a $i -gt 0 ]; do
                i=$(( $i - 1 ))
                sleep 1
            done
            # Flush the outgoing instance (this line pointed at $POSTFIX_IN)
            $POSTFIX_BIN -c $POSTFIX_OUT flush
        ) > /dev/null 2>&1 &
        ;;
    start)
        $0 startin
        sleep 5
        $0 startout
        rc_reset
        echo -n "Starting MailScanner:"
        /usr/sbin/check_MailScanner >/dev/null
        rc_status -v
        rm -f /var/lock/subsys/MailScanner.off >/dev/null 2>&1
        ;;
    stopin)
        rc_reset
        echo -n "Shutting down Incoming Mail Process (postfix):"
        /sbin/killproc -p $srvinpid -TERM $MASTER_BIN
        rc_status -v
        ;;
    stopout)
        rc_reset
        echo -n "Shutting down Outgoing Mail Process (postfix):"
        /sbin/killproc -p $srvoutpid -TERM $MASTER_BIN
        rc_status -v
        ;;
    stop)
        $0 stopin
        sleep 5
        $0 stopout
        rc_reset
        echo -n "Shutting down MailScanner:"
        killproc -p $mspid -TERM /usr/sbin/MailScanner
        rc_status -v
        # Clear out all the old pid files
        rm -f $mspid
        # Clear out the old incoming dirs.
        # MAILSCANNER_WORKDIR is not set anywhere in this script; without the
        # guard, "cd" with no argument lands in $HOME and the rm runs there.
        if [ -n "$MAILSCANNER_WORKDIR" ] && cd "$MAILSCANNER_WORKDIR"; then
            ls | egrep '^[0123456789]+$' | xargs /bin/rm -rf 2>/dev/null
        fi
        touch /var/lock/subsys/MailScanner.off >/dev/null 2>&1
        ;;
    try-restart)
        $0 stop && sleep 5 && $0 start
        rc_status
        ;;
    restart)
        $0 stop
        sleep 5
        $0 start
        rc_status
        ;;
    reload|force-reload)
        echo -n "Reload service MailScanner"
        killproc -p $mspid -HUP /usr/sbin/MailScanner
        rc_status -v
        ;;
    status)
        echo -n "Checking for incoming Mail process (postfix): "
        checkproc -p $srvinpid $MASTER_BIN
        rc_status -v
        rc_reset
        echo -n "Checking for outgoing Mail process (postfix): "
        checkproc -p $srvoutpid $MASTER_BIN
        rc_status -v
        rc_reset
        echo -n "Checking for MailScanner: "
        checkproc -p $mspid $MAILSCANNER_BIN
        rc_status -v
        ;;
    probe)
        # The sendmail.cf and submit.cf tests compared against $srvpid and
        # $msppid, which this script never defines; only MailScanner.conf is
        # checked here.
        test /etc/MailScanner/MailScanner.conf -nt $mspid && echo reload
        ;;
    *)
        echo "Usage: $0 {start|stop|status|try-restart|restart|force-reload|reload|probe|startin|startout|stopin|stopout}"
        exit 1
esac
rc_exit
---------------------------
End

-----Original Message-----
From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK]
Sent: 01 July 2003 14:23
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: MailScanner Postfix and SuSE 8.1

I need to do some more work on the SuSE init.d script so it is as clever as
my RedHat one.

In the mean time, look in the init.d script for code that starts with a line
saying "startin)" and replace the following 3 sections with this:

    startin)
        echo -n "Initializing incoming Postfix"
        startproc -p $srvpid postfix -c /etc/postfix.in
        rc_status
        ;;
    startout)
        echo -n "Initializing outgoing Postfix"
        startproc -f -p $srvoutpid postfix -c /etc/postfix
        rc_status
        ;;
    start)
        echo -n "Initializing Postfix and MailScanner"
        startproc -p $srvpid postfix -c /etc/postfix.in
        rc_status
        startproc -f -p $srvoutpid postfix -c /etc/postfix
        rc_status
        startproc -f -p $mspid /usr/sbin/check_MailScanner >/dev/null
        rc_status -v
        rm -f /var/lock/subsys/MailScanner.off >/dev/null 2>&1
        ;;

At 13:17 01/07/2003, you wrote:
>Hi,
>
>Can someone help me please?!
>
>I have just installed a clean copy of SuSE 8.1, Postfix (1.1.11-110),
>Sophos, and MailScanner. I used the latest stable release from the
>Mailscanner website (Version 4.21-9 for SuSE Linux 8.0/8.1).
>
>I ran the installation script and followed through every step in the
>Using MailScanner with Postfix installation guide with no real problems
>except one
>- the guide refers to a utility called redhat-switchmail-nox which I do not
>have.
Anyway When I try to run /etc/init.d/MailScanner start I get the >following errors: >Initializing sendmail and MailScannersendmail: invalid option -- O >sendmail: fatal: usage: sendmail [options] >sendmail: invalid option -- A >sendmail: fatal: usage: sendmail [options] >sendmail: invalid option -- A >sendmail: fatal: usage: sendmail [options] > failed >I have had a look through the init.d script and it looks nothing like the >updated one on the Mailscanner website. Also /etc/sysconfig/MailScanner has >no MTA= line in it and I have not added one. It only has a number of >SENDMAIL_*_ARGS options and the workdir directives. Is this right? Or do I >need to add the MTA Line anyway? It doesn't seem to be used by the >init.d/MailScanner script that was installed with the SuSE package. > >Has anyone got any ideas on how I can get this working? I guess I just >need to tweak the sendmail options but do not know which ones should be >used. > >Thanks in advance, > >Sam > >-----Original Message----- >From: L-Soft list server at JISCMAIL (1.8e) >[mailto:LISTSERV@JISCMAIL.AC.UK] > >Sent: 01 July 2003 13:00 >To: Sam Luxford-Watts >Subject: Welcome to MailScanner > > >This list is for the discussion of the MailScanner e-mail virus and >spam protector. It is also used for announcements of new releases. > >If you *only* want announcements of new releases, then you would do >better to subscribe to the MailScanner project at >http://www.freshmeat.net/projects/mailscanner. 
>
>--
>Jules
>www.mailscanner.info

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From splee at PLEXIO.COM Tue Jul 1 18:19:31 2003
From: splee at PLEXIO.COM (Stephen Lee)
Date: Thu Jan 12 21:18:46 2006
Subject: Quick translation request - Brazilian Portuguese
In-Reply-To: <2F15A97500CFA0469C9BACC2041F8AC7043F7A19@aries.dk.speednames.com>
References: <2F15A97500CFA0469C9BACC2041F8AC7043F7A19@aries.dk.speednames.com>
Message-ID: <1057079971.24162.142.camel@ralph.plexio.private>

Here's another Brazilian Portuguese version (by proxy as well):

Esta mensagem excede o espaço disponível.

Stephen

On Tue, 2003-07-01 at 01:54, Florus Both wrote:
> A mensagem e muito longa.
>
> Florus (by proxy of a colleague :))
>
> -----Original Message-----
> From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK]
> Sent: 1. juli 2003 10:28
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: Quick translation request
>
>
> You're doing really well folks.
>
> Just
>
> Welsh
> Hungarian
> Italian
> Brazilian Portuguese
> Romanian
>
> left to go.
> --
> Julian Field
> www.MailScanner.info
> MailScanner thanks transtec Computers for their support

From jim at ENTROPHY-FREE.NET Tue Jul 1 18:09:25 2003
From: jim at ENTROPHY-FREE.NET (Jim Levie)
Date: Thu Jan 12 21:18:46 2006
Subject: Sobig.{E,D,EML} not found by Sophos and McAfee
In-Reply-To: <52E50E4D595DDE4D861117A1FB62E79D82089E@bond.ncl.ac.uk>
References: <52E50E4D595DDE4D861117A1FB62E79D82089E@bond.ncl.ac.uk>
Message-ID: <1057079365.4524.6.camel@wilowisp.dynetics.com>

On Tue, 2003-07-01 at 01:40, Quentin Campbell wrote:
> I reported yesterday that McAfee was not always recognising the Sobig.E
> worm in messages. That problem appeared to fix itself after I restarted
> MailScanner.
>
> However further monitoring of logs shows that it is Sophos now that is
> not always recognising Sobig variants.
> I have instances where Sophos has
> missed Sobig.E (in both .txt and .pif files), Sobig.EML (.txt file) and
> Sobig.D (.pif file). In all these cases McAfee has found the worms and I
> have not found a new instance of McAfee missing a virus.
>

I'm seeing something similar in that Sophos with the latest IDE's isn't
catching some variants of SoBig that arrived over the weekend and this
morning. McAfee is detecting them, so far. The virus isn't reaching my users,
at least currently, because they are all in a disguised zip file and I have a
filename rule that disallows '.zi'.

--
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
The instructions said to use Windows 98 or better, so I installed RedHat
Jim Levie email:jim@entrophy-free.net

From mailscanner at ecs.soton.ac.uk Tue Jul 1 18:34:46 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:18:46 2006
Subject: ANNOUNCE: Version 4.22-4 released
Message-ID: <5.2.1.1.2.20030701182840.02590538@imap.ecs.soton.ac.uk>

G'day!

I have just posted the new stable release 4.22-4 on the website.

Major new features this time are
- filetype detection regardless of filename, allowing you to allow/deny
  files of different type.
- control over HTML forms in email messages, which have been used recently
  to try to extract passwords and credit card details from unwitting users.
- control over the maximum size of any message, so you can limit the size
  of messages for dial-up users for example.

Download it from www.mailscanner.info as usual.
All comments to me or the list.

The full ChangeLog is this:

* New Features and Improvements *
- Added support for checking file content types regardless of their filename.
  This uses the "file" command to work out the types of different files.
  New additions to MailScanner.conf are "file command", "file timeout",
  "filetype rules" (which work just like filename rules) and
  "log permitted filetypes".
- Added "Allow Form Tags" configuration option to ban HTML forms from email.
  Requires almost no additional CPU load and is useful protection.
- Added "Maximum Message Size" configuration option to limit the size of
  messages for certain users. Handy for dialup users to save their download
  phone bills. Obviously it works with a ruleset.
- "Spam Actions", "High Scoring Spam Actions" and "Non Spam Actions" are now
  set up so that the first matching rule will be used, rather than the sum
  of all the matching rules. This means you can have 1 setting for a domain,
  but before that have a rule for an individual user that over-rides the
  domain setting.
- MailScanner.conf file can now include "%name% = value" definition lines.
  These "%name%" variables can then be used later in the MailScanner.conf
  file and the rulesets, where they will be substituted with the appropriate
  "value". This greatly eases switching languages.
- Sophos.install script improved to make new versions work with sophossavi.
- f-prot-autoupdate script improved to handle new F-Prot version 4.
- Added bitdefender-autoupdate script from Alessandro Bianchi.
- Added "default" overall black- and white-lists to per-domain
  black/whitelist code in CustomConfig.pm.
- Added code to CustomConfig.pm to implement internal-only accounts that
  cannot send mail to external addresses.
- Improved comments in MailScanner.conf for "Max Children" setting.
- Added (commented out) instruction to not use Bayesian stats engine in
  MailScanner, with a comment about its need.

* Fixes *
- "channel error" detection bug in ZMailer support fixed.
- All sender.* reports now have To: From: and Subject: in English to keep
  sendmail and e-mail applications happy.
- "$reportword" appearing in Postmaster notices fixed.
- Added call to get logging working properly in clamav-autoupdate.
- RBLs are converted to lower-case when read from MailScanner.conf.
- Fix in signing clean messages containing single uuencoded attachments
  that are then read using certain versions of Outlook 97.
- MailScanner does not support Postfix without hashed queues. This situation
  is detected and reported if it is found. By default in all recent releases
  of Postfix (both 1.x and 2.x) hashed queues are enabled, so just don't
  disable them.

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

From miguelk at KONSULTEX.COM.BR Tue Jul 1 18:45:57 2003
From: miguelk at KONSULTEX.COM.BR (Miguel Koren O'Brien de Lacy)
Date: Thu Jan 12 21:18:46 2006
Subject: Quick translation request - Brazilian Portuguese
References: <2F15A97500CFA0469C9BACC2041F8AC7043F7A19@aries.dk.speednames.com> <1057079971.24162.142.camel@ralph.plexio.private>
Message-ID: <3F01C8D5.5090603@konsultex.com.br>

I'm in Brazil and I speak Portuguese but what I don't know is if we're
translating selected phrases or a whole system (I did not follow the
translation thread). If it's just this phrase I favor Stephen's
formulation and if you want to keep it shorter you can use:

A mensagem excede o espaço disponível

Miguel

Stephen Lee wrote:

>Here's another Brazilian Portuguese version (by proxy as well):
>
>Esta mensagem excede o espaço disponível.
>
>
>Stephen
>
>On Tue, 2003-07-01 at 01:54, Florus Both wrote:
>
>
>>A mensagem e muito longa.
>>
>>Florus (by proxy of a colleague :))
>>
>>-----Original Message-----
>>From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK]
>>Sent: 1. juli 2003 10:28
>>To: MAILSCANNER@JISCMAIL.AC.UK
>>Subject: Re: Quick translation request
>>
>>
>>You're doing really well folks.
>>
>>Just
>>
>>Welsh
>>Hungarian
>>Italian
>>Brazilian Portuguese
>>Romanian
>>
>>left to go.
>>-- >>Julian Field >>www.MailScanner.info >>MailScanner thanks transtec Computers for their support >> >> From rgrignon at INPHACT.COM Tue Jul 1 18:45:23 2003 From: rgrignon at INPHACT.COM (rgrignon@INPHACT.COM) Date: Thu Jan 12 21:18:46 2006 Subject: Long delay in sending mail Message-ID: I've noticed that the delays consistently happen between the top of the hour and last for 15minutes other than that the mail is delivered in realtime... Any ideas? Thanks, Rob -----Original Message----- From: Grignon, Robert Sent: Tuesday, July 01, 2003 10:38 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Long delay in sending mail We are running postfix 2.0.12 and MailScanner 4.21-9 I am noticing for the most part that mail is queued and delivered right away, however, about 5-6 times a day the queue builds up and does not send. It looks like it will eventually send within 15min, however, I am curious to know what is causing MailScanner (or postfix) to eventually send the mail. Is there some sort of cron job or a setting that I could adjust to force the mail to be delivered in the event that the system hangs like it is currently doing? Thanks, Rob From mailscanner at ecs.soton.ac.uk Tue Jul 1 18:51:16 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:18:46 2006 Subject: Quick translation request - Brazilian Portuguese In-Reply-To: <3F01C8D5.5090603@konsultex.com.br> References: <2F15A97500CFA0469C9BACC2041F8AC7043F7A19@aries.dk.speednames.com> <1057079971.24162.142.camel@ralph.plexio.private> Message-ID: <5.2.1.1.2.20030701184936.03aba610@imap.ecs.soton.ac.uk> Why is it always the Spanish and Portuguese who can never agree on the translation? I guess it's the difference in dialects between Europe and South America. Maybe I should create a Red-neck and Geordie translation too? :) Anyone know any Scots Gaelic? 
At 18:45 01/07/2003, you wrote:
>I'm in Brazil and I speak Portuguese but what I don't know is if we're
>translating selected phrases or a whole system (I did not follow the
>translation thread). If it's just this phrase I favor Stephen's
>formulation and if you want to keep it shorter you can use:
>
>A mensagem excede o espaço disponível
>
>Miguel
>
>Stephen Lee wrote:
>
>>Here's another Brazilian Portuguese version (by proxy as well):
>>
>>Esta mensagem excede o espaço disponível.
>>
>>
>>Stephen
>>
>>On Tue, 2003-07-01 at 01:54, Florus Both wrote:
>>
>>
>>>A mensagem e muito longa.
>>>
>>>Florus (by proxy of a colleague :))
>>>
>>>-----Original Message-----
>>>From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK]
>>>Sent: 1. juli 2003 10:28
>>>To: MAILSCANNER@JISCMAIL.AC.UK
>>>Subject: Re: Quick translation request
>>>
>>>
>>>You're doing really well folks.
>>>
>>>Just
>>>
>>>Welsh
>>>Hungarian
>>>Italian
>>>Brazilian Portuguese
>>>Romanian
>>>
>>>left to go.
>>>--
>>>Julian Field
>>>www.MailScanner.info
>>>MailScanner thanks transtec Computers for their support
>>>
>

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

From mailscanner at LISTS.COM.AR Tue Jul 1 19:20:59 2003
From: mailscanner at LISTS.COM.AR (Mariano Absatz)
Date: Thu Jan 12 21:18:46 2006
Subject: Quick translation request - Brazilian Portuguese
In-Reply-To: <3F01C8D5.5090603@konsultex.com.br>
Message-ID: <3F01A6DB.20777.5256507@localhost>

Miguel,

AFAIK, it doesn't refer to a message for which there's no available space,
but one for whose length you have policied that you don't want it...

That is, your current translation, translates back into English like:

"The message exceeds available space"

when we just want:

"The message is too large"

(e.g. 'cause I don't want large messages, regardless of "available space")...
On 1 Jul 2003 at 14:45, Miguel Koren O'Brien de Lacy wrote: > I'm in Brazil and I speak Portuguese but what I don't know is if we're > translating selected phrases or a whole system (I did not follow the > translation thread). If it's just this phrase I favor Stephen's > formulation and if you want to keep it shorter you can use: > > A mensagem excede o espaço disponível > > Miguel > > Stephen Lee wrote: > > >Here's another Brazilian Portuguese version (by proxy as well): > > > >Esta mensagem excede o espaço disponível. > > > > > >Stephen > > > >On Tue, 2003-07-01 at 01:54, Florus Both wrote: > > > > > >>A mensagem e muito longa. > >> > >>Florus (by proxy of a colleague :)) > >> > >>-----Original Message----- > >>From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] > >>Sent: 1. juli 2003 10:28 > >>To: MAILSCANNER@JISCMAIL.AC.UK > >>Subject: Re: Quick translation request > >> > >> > >>You're doing really well folks. > >> > >>Just > >> > >>Welsh > >>Hungarian > >>Italian > >>Brazilian Portuguese > >>Romanian > >> > >>left to go. > >>-- > >>Julian Field > >>www.MailScanner.info > >>MailScanner thanks transtec Computers for their support > >> > >> -- Mariano Absatz El Baby ---------------------------------------------------------- When I want your opinion, I'll give it to you. From mailscanner at LISTS.COM.AR Tue Jul 1 19:20:57 2003 From: mailscanner at LISTS.COM.AR (Mariano Absatz) Date: Thu Jan 12 21:18:46 2006 Subject: Quick translation request - Brazilian Portuguese In-Reply-To: <5.2.1.1.2.20030701184936.03aba610@imap.ecs.soton.ac.uk> References: <3F01C8D5.5090603@konsultex.com.br> Message-ID: <3F01A6D9.313.5255DC1@localhost> On 1 Jul 2003 at 18:51, Julian Field wrote: > Why is it always the Spanish and Portuguese who can never agree on the > translation? I guess it's the difference in dialects between Europe and > South America. 
In the case of Portuguese (though I don't speak, I understand a lot), I know the Brazilian Portuguese is _quite_ different from that spoken in Portugal... I don't know about the few places in Africa (former Portuguese colonies). Regarding Spanish, afaik, the language is spoken in more countries than any others (not by more people, I guess that is Chinese), and there are wild differences between Spain, southern South America, northern South America, Central America and Mexico... even down here (in the South Cone) Chilean people speak quite differently from Argentinian and Uruguayan people, not only from an accent point of view, but the words themselves... The first shot at translating MailScanner into Spanish was done by Luis Peromarta (from Spain) and myself (from Argentina), after a brief discussion about the local-neutrality of it... > Maybe I should create a Red-neck and Geordie translation too? :) > > Anyone know any Scots Gaelic? > > At 18:45 01/07/2003, you wrote: > >I'm in Brazil and I speak Portuguese but what I don't know is if we're > >translating selected phrases or a whole system (I did not follow the > >translation thread). If it's just this phrase I favor Stephen's > >formulation and if you want to keep it shorter you can use: > > > >A mensagem excede o espaço disponível > > > >Miguel > > > >Stephen Lee wrote: > > > >>Here's another Brazilian Portuguese version (by proxy as well): > >> > >>Esta mensagem excede o espaço disponível. > >> > >> > >>Stephen > >> > >>On Tue, 2003-07-01 at 01:54, Florus Both wrote: > >> > >> > >>>A mensagem e muito longa. > >>> > >>>Florus (by proxy of a colleague :)) > >>> > >>>-----Original Message----- > >>>From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] > >>>Sent: 1. juli 2003 10:28 > >>>To: MAILSCANNER@JISCMAIL.AC.UK > >>>Subject: Re: Quick translation request > >>> > >>> > >>>You're doing really well folks. 
> >>> > >>>Just > >>> > >>>Welsh > >>>Hungarian > >>>Italian > >>>Brazilian Portuguese > >>>Romanian > >>> > >>>left to go. > >>>-- > >>>Julian Field > >>>www.MailScanner.info > >>>MailScanner thanks transtec Computers for their support > >>> > > > > -- > Julian Field > www.MailScanner.info > Professional Support Services at www.MailScanner.biz > MailScanner thanks transtec Computers for their support -- Mariano Absatz El Baby ---------------------------------------------------------- Errors have been made. Others will be blamed. From benny.butler at nexusitg.com Tue Jul 1 19:25:19 2003 From: benny.butler at nexusitg.com (Benny Butler) Date: Thu Jan 12 21:18:46 2006 Subject: Quick translation request - Brazilian Portuguese In-Reply-To: <5.2.1.1.2.20030701184936.03aba610@imap.ecs.soton.ac.uk> Message-ID: <011d01c33ffe$23c7b700$c805a8c0@maxima> Let me know if you need any help on that redneck translation... I can certinaly help since I speak the lower alabama dialect. _______________ Benny Butler Nexus ITG Office: 251-473-4756 Cell: 251-610-4002 www.nexusitg.com > -----Original Message----- > From: MailScanner mailing list > [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Julian Field > Sent: Tuesday, July 01, 2003 12:51 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Quick translation request - Brazilian Portuguese > > > Why is it always the Spanish and Portuguese who can never > agree on the > translation? I guess it's the difference in dialects between > Europe and > South America. > Maybe I should create a Red-neck and Geordie translation too? :) > > Anyone know any Scots Gaelic? > > At 18:45 01/07/2003, you wrote: > >I'm in Brazil and I speak Portuguese but what I don't know > is if we're > >translating selected phrases or a whole system (I did not follow the > >translation thread). 
If it's just this phrase I favor Stephen's > >formulation and if you want to keep it shorter you can use: > > > >A mensagem excede o espaço disponível > > > >Miguel > > > >Stephen Lee wrote: > > > >>Here's another Brazilian Portuguese version (by proxy as well): > >> > >>Esta mensagem excede o espaço disponível. > >> > >> > >>Stephen > >> > >>On Tue, 2003-07-01 at 01:54, Florus Both wrote: > >> > >> > >>>A mensagem e muito longa. > >>> > >>>Florus (by proxy of a colleague :)) > >>> > >>>-----Original Message----- > >>>From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] > >>>Sent: 1. juli 2003 10:28 > >>>To: MAILSCANNER@JISCMAIL.AC.UK > >>>Subject: Re: Quick translation request > >>> > >>> > >>>You're doing really well folks. > >>> > >>>Just > >>> > >>>Welsh > >>>Hungarian > >>>Italian > >>>Brazilian Portuguese > >>>Romanian > >>> > >>>left to go. > >>>-- > >>>Julian Field > >>>www.MailScanner.info > >>>MailScanner thanks transtec Computers for their support > >>> > > > > -- > Julian Field > www.MailScanner.info > Professional Support Services at www.MailScanner.biz > MailScanner thanks transtec Computers for their support > From mailscanner at LISTS.COM.AR Tue Jul 1 19:49:27 2003 From: mailscanner at LISTS.COM.AR (Mariano Absatz) Date: Thu Jan 12 21:18:46 2006 Subject: mcafee-autoupdate patch -- Tony Finch r-u-there? Message-ID: <3F01AD87.6057.53F7638@localhost> Hi, I use a slightly modified mcafee-autoupdate script that, when presented with a "-v" option in the command line, spits some output (to stdout) including a timestamp when it starts and when it ends, regardless of the fact that it found a new .dat file or not. Although everyone would hate having a mail message from cron every time the command is run, some of us, like to redirect the output of the command into a log file and eventually check how's everything going, even when there's nothing new. 
I recall seeing at least someone else asking for this, so I'm enclosing this patch to current version (from MailScanner 4.22-4). The patched version modifies (increases) the output when a "-v" option is presented, but doesn't modify anything if the option is not given. Tony, would you care to incorporate it (or suggest a modification, maybe another different command line option)? Regards. *** mcafee-autoupdate.ORI Tue Jul 1 15:36:56 2003 --- mcafee-autoupdate Tue Jul 1 15:38:54 2003 *************** *** 27,32 **** --- 27,40 ---- PATH=$LIBDIR:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin export PATH + # keep cron quiet by default + case $1 in + -v) + echo -n START: + date +" %Y:%m:%d-%H:%M:%S" + echo $0 starting... + esac + # version number pattern MATCH="[0-9][0-9][0-9][0-9]" *************** *** 57,62 **** --- 65,72 ---- # keep cron quiet by default case $1 in -v) echo Already have "$VERSION" + echo -n END: + date +" %Y:%m:%d-%H:%M:%S" esac exit fi *************** *** 128,133 **** echo echo Completed OK ! ! # done --- 138,147 ---- echo echo Completed OK ! case $1 in ! -v) ! echo -n END: ! date +" %Y:%m:%d-%H:%M:%S" ! esac ! # done -- Mariano Absatz El Baby ---------------------------------------------------------- Computers are only human. From evertjan at VANRAMSELAAR.NL Tue Jul 1 19:53:38 2003 From: evertjan at VANRAMSELAAR.NL (Evert Jan van Ramselaar) Date: Thu Jan 12 21:18:46 2006 Subject: ANNOUNCE: Version 4.22-4 released In-Reply-To: <5.2.1.1.2.20030701182840.02590538@imap.ecs.soton.ac.uk> References: <5.2.1.1.2.20030701182840.02590538@imap.ecs.soton.ac.uk> Message-ID: <3F01D8B2.5010700@vanramselaar.nl> Julian Field wrote: > G'day! Howdy! ;p > I have just posted the new stable release 4.22-4 on the website. I have just downloaded the RPM version and installed it. No problems so far. Great job again Julian! Keep up the good work! 
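Review bot: in the first hunk of the mcafee-autoupdate patch above (the block added after "export PATH"), "echo -n START:" is not portable across /bin/sh implementations, some of which print the literal "-n", so the START line in the log can come out malformed depending on the shell cron uses. A single date call with the label inside the format string, or printf for the label, avoids that. In the same block "case $1 in" and "echo $0 starting..." leave $1 and $0 unquoted, and the stamp uses colons between the date fields (%Y:%m:%d); quoting both variables and using %Y-%m-%d would make the log lines easier to sort and parse.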
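Review bot: in the second and third hunks of the mcafee-autoupdate patch above, the END stamp is written only at the two places the patch touches (next to "Already have" before the exit, and after "Completed OK"), so any other exit path in the script leaves a START line with no matching END in the log. If the log is meant to show whether each virus-definition update ran to completion, set the END stamp once with a trap on exit next to the START block, and log the exit status with it. That also removes the case/-v/date block that is now repeated three times; a small function called from each place would do the same if a trap is not wanted.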
-- Evert Jan van Ramselaar Van Ramselaar Info Tech From mike at ZANKER.ORG Tue Jul 1 19:53:49 2003 From: mike at ZANKER.ORG (Mike Zanker) Date: Thu Jan 12 21:18:46 2006 Subject: Quick translation request - Brazilian Portuguese In-Reply-To: <5.2.1.1.2.20030701184936.03aba610@imap.ecs.soton.ac.uk> References: <2F15A97500CFA0469C9BACC2041F8AC7043F7A19@aries.dk.speednames .com> <1057079971.24162.142.camel@ralph.plexio.private> <5.2.1.1.2.20030701184936.03aba610@imap.ecs.soton.ac.uk> Message-ID: <82489500.1057089229@jemima.zanker.org> On 01 July 2003 18:51 +0100 Julian Field wrote: > Why is it always the Spanish and Portuguese who can never agree on > the translation? I guess it's the difference in dialects between > Europe and South America. Maybe I should create a Red-neck and > Geordie translation too? :) How about Klingon? If it's good enough for Google... :) Mike. From marco at MUW.EDU Tue Jul 1 20:36:27 2003 From: marco at MUW.EDU (Marco Obaid) Date: Thu Jan 12 21:18:46 2006 Subject: ANNOUNCE: Version 4.22-4 released In-Reply-To: <5.2.1.1.2.20030701182840.02590538@imap.ecs.soton.ac.uk> References: <5.2.1.1.2.20030701182840.02590538@imap.ecs.soton.ac.uk> Message-ID: <1057088187.3f01e2bb340af@webmail.MUW.Edu> Great job as usual !!! Is there an easy way to upgrade MailScanner on FreeBSD? Marco _________________________________________________________________ This mail is sent through MUW Webmail: http://www.MUW.Edu/webmail For the latest MUW Events, visit http://www.MUW.Edu/calendar From james at PCXPERIENCE.COM Tue Jul 1 20:28:21 2003 From: james at PCXPERIENCE.COM (James A. Pattie) Date: Thu Jan 12 21:18:47 2006 Subject: ClamAV autoupdate patch Message-ID: <3F01E0D5.8010901@pcxperience.com> Skipped content of type multipart/mixed-------------- next part -------------- A non-text attachment was scrubbed... 
Name: not available Type: application/pgp-signature Size: 252 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030701/d93e3e97/attachment.bin From mailscanner at ecs.soton.ac.uk Tue Jul 1 20:29:36 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:18:47 2006 Subject: ANNOUNCE: Version 4.22-4 released In-Reply-To: <1057088187.3f01e2bb340af@webmail.MUW.Edu> References: <5.2.1.1.2.20030701182840.02590538@imap.ecs.soton.ac.uk> <5.2.1.1.2.20030701182840.02590538@imap.ecs.soton.ac.uk> Message-ID: <5.2.1.1.2.20030701202837.03b41a58@imap.ecs.soton.ac.uk> At 20:36 01/07/2003, you wrote: >Great job as usual !!! > >Is there an easy way to upgrade MailScanner on FreeBSD? The hard work can be done by the upgrade_MailScanner_conf script. This will propagate your customisations and comments, and insert sensible default values for new features and settings. -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Tue Jul 1 20:03:16 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:18:47 2006 Subject: Quick translation request - Brazilian Portuguese In-Reply-To: <82489500.1057089229@jemima.zanker.org> References: <5.2.1.1.2.20030701184936.03aba610@imap.ecs.soton.ac.uk> <2F15A97500CFA0469C9BACC2041F8AC7043F7A19@aries.dk.speednames .com> <1057079971.24162.142.camel@ralph.plexio.private> <5.2.1.1.2.20030701184936.03aba610@imap.ecs.soton.ac.uk> Message-ID: <5.2.1.1.2.20030701200249.03b28d90@imap.ecs.soton.ac.uk> At 19:53 01/07/2003, you wrote: >On 01 July 2003 18:51 +0100 Julian Field >wrote: > >>Why is it always the Spanish and Portuguese who can never agree on >>the translation? I guess it's the difference in dialects between >>Europe and South America. Maybe I should create a Red-neck and >>Geordie translation too? :) > >How about Klingon? 
If it's good enough for Google... :) Absolutely! Anyone know the ISO 2-letter country/planet code for Klingon? -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Tue Jul 1 20:56:45 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:18:47 2006 Subject: ANNOUNCE: Version 4.22-4 released In-Reply-To: <1057088187.3f01e2bb340af@webmail.MUW.Edu> References: <5.2.1.1.2.20030701182840.02590538@imap.ecs.soton.ac.uk> <5.2.1.1.2.20030701182840.02590538@imap.ecs.soton.ac.uk> Message-ID: <5.2.1.1.2.20030701205507.03ab1068@imap.ecs.soton.ac.uk> I hate it when the list goes this quiet just after a release.... From kevins at BMRB.CO.UK Tue Jul 1 21:01:04 2003 From: kevins at BMRB.CO.UK (Kevin Spicer) Date: Thu Jan 12 21:18:47 2006 Subject: Quick translation request - Brazilian Portuguese In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB001175BF3@pascal.priv.bmrb.co.uk> References: <5C0296D26910694BB9A9BBFC577E7AB001175BF3@pascal.priv.bmrb.co.uk> Message-ID: <1057089664.11108.46.camel@bach.kevinspicer.co.uk> >Absolutely! Anyone know the ISO 2-letter country/planet code for >Klingon? Thats daft, theres not a two letter code for Klingon. There is however a three letter code - well its a three letter code (art) for 'invented languages' [What! Klingons aren't real?!] which then has the name of the language appended i.e. art-klingon. Theres also art-elvish and art-newspeak. ( stolen from http://www.helical-library.net/desk/hg_lang.html ) BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. 
Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. From denis at CROOMBS.ORG Tue Jul 1 21:02:56 2003 From: denis at CROOMBS.ORG (Denis Croombs) Date: Thu Jan 12 21:18:47 2006 Subject: ANNOUNCE: Version 4.22-4 released References: <5.2.1.1.2.20030701182840.02590538@imap.ecs.soton.ac.uk> <5.2.1.1.2.20030701182840.02590538@imap.ecs.soton.ac.uk> <5.2.1.1.2.20030701205507.03ab1068@imap.ecs.soton.ac.uk> Message-ID: <008801c3400b$c431c5c0$85b8fea9@Laptop> Well I have now upgraded to the new version from rpm and it works perfect, great job Julian Many thanks www.just-servers.co.uk ----- Original Message ----- From: "Julian Field" To: Sent: Tuesday, July 01, 2003 8:56 PM Subject: Re: ANNOUNCE: Version 4.22-4 released > I hate it when the list goes this quiet just after a release.... From marco at MUW.EDU Tue Jul 1 21:21:01 2003 From: marco at MUW.EDU (Marco Obaid) Date: Thu Jan 12 21:18:47 2006 Subject: ANNOUNCE: Version 4.22-4 released In-Reply-To: <5.2.1.1.2.20030701205507.03ab1068@imap.ecs.soton.ac.uk> References: <5.2.1.1.2.20030701182840.02590538@imap.ecs.soton.ac.uk> <5.2.1.1.2.20030701182840.02590538@imap.ecs.soton.ac.uk> <5.2.1.1.2.20030701205507.03ab1068@imap.ecs.soton.ac.uk> Message-ID: <1057090861.3f01ed2d50a72@webmail.MUW.Edu> Hi Julian, > I hate it when the list goes this quiet just after a release.... Be careful of what you wish for :) There is enough of us out there that can keep you busy :) I think most of us are busy updating to the new release ... 
Thank you for all you do Marco _________________________________________________________________ This mail is sent through MUW Webmail: http://www.MUW.Edu/webmail For the latest MUW Events, visit http://www.MUW.Edu/calendar From mailscanner at ecs.soton.ac.uk Tue Jul 1 21:15:02 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:18:47 2006 Subject: ANNOUNCE: Version 4.22-4 released In-Reply-To: <1057090861.3f01ed2d50a72@webmail.MUW.Edu> References: <5.2.1.1.2.20030701205507.03ab1068@imap.ecs.soton.ac.uk> <5.2.1.1.2.20030701182840.02590538@imap.ecs.soton.ac.uk> <5.2.1.1.2.20030701182840.02590538@imap.ecs.soton.ac.uk> <5.2.1.1.2.20030701205507.03ab1068@imap.ecs.soton.ac.uk> Message-ID: <5.2.1.1.2.20030701211339.03d0e008@imap.ecs.soton.ac.uk> At 21:21 01/07/2003, you wrote: >Hi Julian, > > > I hate it when the list goes this quiet just after a release.... > >There is enough of us out there that can keep you busy :) That's why I hate it when you're not. I get used to the normal state of affairs :) >Thank you for all you do My pleasure. -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support From randyf at SIBERNET.COM Tue Jul 1 21:12:23 2003 From: randyf at SIBERNET.COM (Randy Fishel) Date: Thu Jan 12 21:18:47 2006 Subject: MailScanner feature request In-Reply-To: <5.2.1.1.2.20030701175339.03a4b718@imap.ecs.soton.ac.uk> Message-ID: Pardon me if this has previously been requested, as there is a significant volume of MailScanner e-mail, and I don't necessarily read it all (and I didn't search before making this request). I would like to see the silent virus list actually go the other way and provide the equivalent of a non-silent notification list. Most of the newer viruses are doing e-mail harvesting and don't really come from the specified sender. So every time a new virus pattern is defined, I need to add this to the silent list. 
I personally would prefer that the default action would to have the message NOT sent to the sender, and have the choice to send it to the recipient (the latter already exists, but I would need to add the pattern to the silent list to get the former). Maybe a configuration option would be to turn the silent virus list into a notification white list, or provide a different list (the presence of which might disable the current mechanism). Thoughts/Opinions? rf From miguelk at KONSULTEX.COM.BR Tue Jul 1 21:21:46 2003 From: miguelk at KONSULTEX.COM.BR (Miguel Koren O'Brien de Lacy) Date: Thu Jan 12 21:18:47 2006 Subject: Quick translation request - Brazilian Portuguese References: <5.2.1.1.2.20030701184936.03aba610@imap.ecs.soton.ac.uk> <2F15A97500CFA0469C9BACC2041F8AC7043F7A19@aries.dk.speednames .com> <1057079971.24162.142.camel@ralph.plexio.private> <5.2.1.1.2.20030701184936.03aba610@imap.ecs.soton.ac.uk> <5.2.1.1.2.20030701200249.03b28d90@imap.ecs.soton.ac.uk> Message-ID: <3F01ED5A.8060502@konsultex.com.br> Julian; It's "%&.^#" planet.country code ;-) Miguel P.S. Should we stop this thread by now? Julian Field wrote: > At 19:53 01/07/2003, you wrote: > >> On 01 July 2003 18:51 +0100 Julian Field >> wrote: >> >>> Why is it always the Spanish and Portuguese who can never agree on >>> the translation? I guess it's the difference in dialects between >>> Europe and South America. Maybe I should create a Red-neck and >>> Geordie translation too? :) >> >> >> How about Klingon? If it's good enough for Google... :) > > > Absolutely! Anyone know the ISO 2-letter country/planet code for Klingon? 
> -- > Julian Field > www.MailScanner.info > Professional Support Services at www.MailScanner.biz > MailScanner thanks transtec Computers for their support From Antony at SOFT-SOLUTIONS.CO.UK Tue Jul 1 21:54:57 2003 From: Antony at SOFT-SOLUTIONS.CO.UK (Antony Stone) Date: Thu Jan 12 21:18:47 2006 Subject: MailScanner feature request In-Reply-To: <5.2.1.1.2.20030701175339.03a4b718@imap.ecs.soton.ac.uk> References: <5.2.1.1.2.20030701175339.03a4b718@imap.ecs.soton.ac.uk> Message-ID: <200307012055.h61Kt2709329@Primary.Networker.test> On Tuesday 01 July 2003 6:01 pm, Julian Field wrote: > One of the standard tests I do on undergraduate courseworks that process > input from the user is to feed the Linux kernel to it and see if their code > handles it neatly. Is that source code, or compiled !? Antony. -- 90% of network problems are routing problems. 9 of the remaining 10% are routing problems in the other direction. The remaining 1% might be something else, but check the routing anyway. From mailscanner at ecs.soton.ac.uk Tue Jul 1 21:57:47 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:18:47 2006 Subject: MailScanner feature request In-Reply-To: <200307012055.h61Kt2709329@Primary.Networker.test> References: <5.2.1.1.2.20030701175339.03a4b718@imap.ecs.soton.ac.uk> <5.2.1.1.2.20030701175339.03a4b718@imap.ecs.soton.ac.uk> Message-ID: <5.2.1.1.2.20030701215619.03a5b670@imap.ecs.soton.ac.uk> At 21:54 01/07/2003, you wrote: >On Tuesday 01 July 2003 6:01 pm, Julian Field wrote: > > > One of the standard tests I do on undergraduate courseworks that process > > input from the user is to feed the Linux kernel to it and see if their code > > handles it neatly. > >Is that source code, or compiled !? Oh, compiled. It's effectively a known large amount of /dev/random. 
-- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support From Antony at SOFT-SOLUTIONS.CO.UK Tue Jul 1 22:02:24 2003 From: Antony at SOFT-SOLUTIONS.CO.UK (Antony Stone) Date: Thu Jan 12 21:18:47 2006 Subject: MailScanner feature request In-Reply-To: <5.2.1.1.2.20030701215619.03a5b670@imap.ecs.soton.ac.uk> References: <5.2.1.1.2.20030701175339.03a4b718@imap.ecs.soton.ac.uk> <5.2.1.1.2.20030701215619.03a5b670@imap.ecs.soton.ac.uk> Message-ID: <200307012102.h61L2S709988@Primary.Networker.test> On Tuesday 01 July 2003 9:57 pm, Julian Field wrote: > At 21:54 01/07/2003, you wrote: > >On Tuesday 01 July 2003 6:01 pm, Julian Field wrote: > > > One of the standard tests I do on undergraduate courseworks that > > > process input from the user is to feed the Linux kernel to it and see > > > if their code handles it neatly. > > > >Is that source code, or compiled !? > > Oh, compiled. It's effectively a known large amount of /dev/random. I'm not sure that Mr Torvalds would like to hear it described like that :) Antony -- Behind the counter a boy with a shaven head stared vacantly into space, a dozen spikes of microsoft protruding from the socket behind his ear. - William Gibson, Neuromancer (1984) From rogerdv at SOFTHOME.NET Tue Jul 1 19:27:32 2003 From: rogerdv at SOFTHOME.NET (Roger D. Vargas) Date: Thu Jan 12 21:18:47 2006 Subject: Quick translation request - Brazilian Portuguese In-Reply-To: <3F01A6D9.313.5255DC1@localhost> References: <3F01C8D5.5090603@konsultex.com.br> <3F01A6D9.313.5255DC1@localhost> Message-ID: <200307011427.32787.rogerdv@softhome.net> On Tuesday, 1 July 2003 02:20 PM, wrote: > Regarding Spanish, afaik, the language is spoken in more countries than any > others (not by more people, I guess that is Chinese), and there are wild chinese mandarin (there are several chinese dialects) > > > Maybe I should create a Red-neck and Geordie translation too? 
:) > > Anyone know any Scots Gaelic? Why not quenya? So elven people can use it too. -- Roger D. Vargas ICQ: 117641572 Linux user: 180787 * Whether you think you can or you think you can't, you are right * Henry Ford From jaearick at COLBY.EDU Tue Jul 1 21:56:30 2003 From: jaearick at COLBY.EDU (Jeff A. Earickson) Date: Thu Jan 12 21:18:47 2006 Subject: ANNOUNCE: Version 4.22-4 released In-Reply-To: <5.2.1.1.2.20030701205507.03ab1068@imap.ecs.soton.ac.uk> References: <5.2.1.1.2.20030701182840.02590538@imap.ecs.soton.ac.uk> <5.2.1.1.2.20030701182840.02590538@imap.ecs.soton.ac.uk> <5.2.1.1.2.20030701205507.03ab1068@imap.ecs.soton.ac.uk> Message-ID: Julian, All of us Yanks are getting set to celebrate our Independence from you guys this week. We don't want to upgrade software right before the holiday and break anything (even though we all know that your upgrades go flawlessly). --- Jeff On Tue, 1 Jul 2003, Julian Field wrote: > Date: Tue, 1 Jul 2003 20:56:45 +0100 > From: Julian Field > Reply-To: MailScanner mailing list > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: ANNOUNCE: Version 4.22-4 released > > I hate it when the list goes this quiet just after a release.... > From dh at UPTIME.AT Tue Jul 1 22:52:44 2003 From: dh at UPTIME.AT (David) Date: Thu Jan 12 21:18:47 2006 Subject: Quick translation request - Brazilian Portuguese In-Reply-To: <200307011427.32787.rogerdv@softhome.net> Message-ID: <5835AAE0-AC0E-11D7-BCA5-000393920D6C@uptime.at> On Tuesday, July 1, 2003, at 08:27, Roger D. Vargas wrote: > On Tuesday, 1 July 2003 02:20 PM, wrote: >> Regarding Spanish, afaik, the language is spoken in more countries >> than any >> others (not by more people, I guess that is Chinese), and there are >> wild > chinese mandarin (there are several chinese dialects) (learned Chinese at University) and just to give you a number, there are over 3500 known Chinese dialects.. so imagine that plus the ones not found yet... 
-d -
"Imagination is more important than knowledge." - Albert Einstein -------------- next part -------------- A non-text attachment was scrubbed... Name: PGP.sig Type: application/pgp-signature Size: 186 bytes Desc: This is a digitally signed message part Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030701/424ade18/PGP.bin From oliver at LINUX-KERNEL.AT Tue Jul 1 22:53:44 2003 From: oliver at LINUX-KERNEL.AT (Oliver Pitzeier) Date: Thu Jan 12 21:18:47 2006 Subject: ANNOUNCE: Version 4.22-4 released In-Reply-To: <5.2.1.1.2.20030701205507.03ab1068@imap.ecs.soton.ac.uk> Message-ID: <000101c3401b$3ee9cbf0$0f11a8c0@pitzeier.priv.at> > I hate it when the list goes this quiet just after a release.... You name it! --- Great Job! For me it works perfect; Even migrating my SQL black-/whitelist functions in CustomConfig.pm was no problem to reintegrate... -Oliver From mailscanner at LISTS.COM.AR Tue Jul 1 22:54:35 2003 From: mailscanner at LISTS.COM.AR (Mariano Absatz) Date: Thu Jan 12 21:18:47 2006 Subject: ANNOUNCE: Version 4.22-4 released In-Reply-To: References: <5.2.1.1.2.20030701205507.03ab1068@imap.ecs.soton.ac.uk> Message-ID: <3F01D8EB.5573.5E8F4F8@localhost> So all of us Argentinians won't be upgrading next week since on July 9th we celebrate _our_ independence from them Spaniards :-) On 1 Jul 2003 at 16:56, Jeff A. Earickson wrote: > Julian, > All of us Yanks are getting set to celebrate our Independence from > you guys this week. We don't want to upgrade software right before the > holiday and break anything (even though we all know that your upgrades > go flawlessly). > > --- Jeff > -- Mariano Absatz El Baby ---------------------------------------------------------- Did anyone see my lost carrier? 
From mike at ZANKER.ORG Tue Jul 1 23:16:01 2003 From: mike at ZANKER.ORG (Mike Zanker) Date: Thu Jan 12 21:18:47 2006 Subject: ANNOUNCE: Version 4.22-4 released In-Reply-To: <5.2.1.1.2.20030701182840.02590538@imap.ecs.soton.ac.uk> References: <5.2.1.1.2.20030701182840.02590538@imap.ecs.soton.ac.uk> Message-ID: <94621062.1057101361@jemima.zanker.org> On 01 July 2003 18:34 +0100 Julian Field wrote: > I have just posted the new stable release 4.22-4 on the website. Seeing as CustomConfig.pm has changed I guess it's a good idea for MailWatch users to hold off until Steve comes up with a new patch? Mike. From joelc at CTCHOUSTON.COM Tue Jul 1 23:33:33 2003 From: joelc at CTCHOUSTON.COM (Joel Colvin) Date: Thu Jan 12 21:18:47 2006 Subject: Silently drop FORM tags Message-ID: <019a01c34020$ce416830$5703010a@jclaptop> Can I silently deal with form tags just like IFrame tags by adding it to the Silent Viruses? Silent Viruses = HTML-IFrame HTML-Form Joel From raymond at PROLOCATION.NET Tue Jul 1 23:40:50 2003 From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:18:47 2006 Subject: Silently drop FORM tags In-Reply-To: <019a01c34020$ce416830$5703010a@jclaptop> Message-ID: Hi! > Can I silently deal with form tags just like IFrame tags by adding it to the > Silent Viruses? > > Silent Viruses = HTML-IFrame HTML-Form Dont think so, its not a virus ... Most likely different part of code. Bye, Raymond. From raymond at PROLOCATION.NET Wed Jul 2 00:11:18 2003 From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:18:47 2006 Subject: ANNOUNCE: Version 4.22-4 released In-Reply-To: <5.2.1.1.2.20030701182840.02590538@imap.ecs.soton.ac.uk> Message-ID: Hi! > - control over HTML forms in email messages, which have been used recently > to try to extract passwords and credit card details from unwitting users. 
Works fine: The following e-mail messages were found to have viruses in them: Sender: info@managersonline.nl IP Address: 212.79.242.217 Recipient: m.xraax@bxaax-it.cox Subject: Managersonline.nl Nieuws 2 juli 2003 MessageID: h61MuJVP031406 Report: Found a form in HTML message The only thing is that a LOT of mails contain them, legit ones :) So I turned it back on on my boxes. ... > - control over the maximum size of any message, so you can limit the size > of messages for dial-up users for example. Nice one! So far running fine on two of my boxes, testing the FILE ruleset now... Thanks again Julian! Bye, Raymond. From mailscanner at ecs.soton.ac.uk Wed Jul 2 00:47:23 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:18:47 2006 Subject: ANNOUNCE: Version 4.22-4 released In-Reply-To: <94621062.1057101361@jemima.zanker.org> References: <5.2.1.1.2.20030701182840.02590538@imap.ecs.soton.ac.uk> <5.2.1.1.2.20030701182840.02590538@imap.ecs.soton.ac.uk> Message-ID: <5.2.1.1.2.20030702004637.0240a1d0@imap.ecs.soton.ac.uk> At 23:16 01/07/2003, you wrote: >On 01 July 2003 18:34 +0100 Julian Field >wrote: > >>I have just posted the new stable release 4.22-4 on the website. > >Seeing as CustomConfig.pm has changed I guess it's a good idea for >MailWatch users to hold off until Steve comes up with a new patch? Out of interest, had you previously edited your CustomConfig.pm? If so, did it overwrite your CustomConfig.pm or add CustomConfig.pm.rpmnew? 
-- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Wed Jul 2 00:55:24 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:18:47 2006 Subject: Silently drop FORM tags In-Reply-To: <019a01c34020$ce416830$5703010a@jclaptop> Message-ID: <5.2.1.1.2.20030702004923.0263aea8@imap.ecs.soton.ac.uk> At 23:33 01/07/2003, you wrote: >Can I silently deal with form tags just like IFrame tags by adding it to the >Silent Viruses? > >Silent Viruses = HTML-IFrame HTML-Form Yes, that's exactly how to do it. Sorry, I forgot to add that to the docs for the "Silent Viruses" option. The wording and functionality of the "Silent Viruses" option needs some work. 1) It needs to be renamed so it clearly includes special keywords like HTML-IFrame 2) It needs to be turned into a whitelist or a blacklist of some sort, as there are ever diminishing reasons for actually bothering to warn the senders of anything. However, I'm a bit loathed to spend much time on it, as we will soon reach the situation where no-one warns senders of anything as all the viruses in circulation fake From addresses. -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support From raymond at PROLOCATION.NET Wed Jul 2 01:00:11 2003 From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:18:47 2006 Subject: Silently drop FORM tags In-Reply-To: <5.2.1.1.2.20030702004923.0263aea8@imap.ecs.soton.ac.uk> Message-ID: Hi! > >Can I silently deal with form tags just like IFrame tags by adding it to the > >Silent Viruses? > > > >Silent Viruses = HTML-IFrame HTML-Form > > Yes, that's exactly how to do it. > Sorry, I forgot to add that to the docs for the "Silent Viruses" option. Grin, i just noticed in the config also. 
:=)

> However, I'm a bit loath to spend much time on it, as we will soon reach
> the situation where no-one warns senders of anything as all the viruses in
> circulation fake From addresses.

I have some others in my silent list I noticed, perhaps handy for others
to share:

Silent Viruses = Klez Yaha Bugbear Lentin Sobig Hybris Sircam Holar Ganda

Bye,
Raymond.

From newsletters at PCSITES.COM Wed Jul 2 03:15:25 2003
From: newsletters at PCSITES.COM (Richard Ahlquist)
Date: Thu Jan 12 21:18:47 2006
Subject: Quick translation request - Brazilian Portuguese
In-Reply-To: <5.2.1.1.2.20030701184936.03aba610@imap.ecs.soton.ac.uk>
Message-ID: <01ad01c3403f$cce84fc0$5a01a8c0@rhome>

Being in Georgia I feel free to offer the Red-neck version;

Dat dere email thingy's too beeg!

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On
Behalf Of Julian Field
Sent: Tuesday, July 01, 2003 1:51 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Quick translation request - Brazilian Portuguese

Why is it always the Spanish and Portuguese who can never agree on the
translation? I guess it's the difference in dialects between Europe and
South America.

Maybe I should create a Red-neck and Geordie translation too? :)
Anyone know any Scots Gaelic?

At 18:45 01/07/2003, you wrote:
>I'm in Brazil and I speak Portuguese but what I don't know is if we're
>translating selected phrases or a whole system (I did not follow the
>translation thread). If it's just this phrase I favor Stephen's
>formulation and if you want to keep it shorter you can use:
>
>A mensagem excede o espaço disponível
>
>Miguel
>
>Stephen Lee wrote:
>
>>Here's another Brazilian Portuguese version (by proxy as well):
>>
>>Esta mensagem excede o espaço disponível.
>>
>>
>>Stephen
>>
>>On Tue, 2003-07-01 at 01:54, Florus Both wrote:
>>
>>
>>>A mensagem e muito longa.
>>>
>>>Florus (by proxy of a colleague :))
>>>
>>>-----Original Message-----
>>>From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK]
>>>Sent: 1. juli 2003 10:28
>>>To: MAILSCANNER@JISCMAIL.AC.UK
>>>Subject: Re: Quick translation request
>>>
>>>
>>>You're doing really well folks.
>>>
>>>Just
>>>
>>>Welsh
>>>Hungarian
>>>Italian
>>>Brazilian Portuguese
>>>Romanian
>>>
>>>left to go.
>>>--
>>>Julian Field
>>>www.MailScanner.info
>>>MailScanner thanks transtec Computers for their support
>>>
>

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

From smhickel at CHARTERMI.NET Wed Jul 2 03:23:20 2003
From: smhickel at CHARTERMI.NET (Steve Hickel)
Date: Thu Jan 12 21:18:47 2006
Subject: User Unknown
Message-ID: <200307020223.h622NKV20510@chartermi.net>

Roland,

Problem turned out to be the domain in the route had two dots in the
domain name. Old eyes made it tough to spot.

Thanks,
Steve


Steve Hickel wrote ..
> Roland,
>
> In the SMTP part of IIS MGR I went to access and put in the domain gearresearch.com
> in the allow domain for relays.
>
> It wasn't there before.
>
> Now it is saying the following (don't forget it is in descending order):
>
>
> Jun 30 16:37:49 Neptune - Msg h5UKbj43003771: to=scott@gearresearch.com,
> delay=00:00:04, xdelay=00:00:00, mailer=esmtp, pri=121936, relay=192.168.1.15.
> [192.168.1.15], dsn=2.0.0, stat=Sent ( 792B741CF2C0154599608BC5F7505AC11CCD30@luna.korehicom.com
> Queued mail for
> delivery)
> Jun 30 16:37:49 Neptune - Msg Uninfected: Delivered 1 messages
> Jun 30 16:37:48 Neptune - MailScanner Virus and Content Scanning: Starting
> Jun 30 16:37:48 Neptune - Msg h5UJdAEp001067: to=1-659023-gearresearch.com?rick@stderr.emailpartners.com,
> delay=00:58:37, xdelay=00:01:00, mailer=esmtp, pri=753620, relay=stdin-01.emailpartners.com.
> [65.247.177.9], dsn=4.0.0, stat=Deferred: Connection timed out with
> stdin-01.emailpartners.com.
> Jun 30 16:37:46 Neptune - MailScanner New Batch: Scanning 1 messages, 3102
> bytes
> Jun 30 16:37:46 Neptune - Msg h5UKbj43003771: to=scott@gearresearch.com,
> delay=00:00:01, mailer=esmtp, pri=31936, stat=queued
> Jun 30 16:37:46 Neptune 2607 Msg h5UKbj43003771: from=Steve@KoreHiCom.com,
> size=2607, class=0, nrcpts=1, msgid=792B741CF2C0154599608BC5F7505AC11CCD30@luna.korehicom.com,
> proto=ESMTP, daemon=MTA, relay=[192.168.1.15]
> Jun 30 16:37:45 Neptune - Msg h5UKbd43003723: to=scott@gearresearch.com,
> delay=00:00:06, xdelay=00:00:00, mailer=esmtp, pri=121521, relay=192.168.1.15.
> [192.168.1.15], dsn=2.0.0, stat=Sent ( 792B741CF2C0154599608BC5F7505AC11CCD30@luna.korehicom.com
> Queued mail for
> delivery)
>
>
> Roland Ehle wrote ..
> > Hi Steve,
> >
> > Steve Hickel wrote:
> > > No matter what I do I can't get my exchange box to accept the below:
> > > Any thoughts?
> > > h5UK7843002574: h5UK7Gao002611: DSN: User unknown
> > > Jun 30 16:07:16 Neptune - Msg h5UK7843002574: to=scott@gearresearch.com,
> > delay=00:00:07, xdelay=00:00:00, mailer=esmtp, pri=120961, relay=192.168.1.15.
> > [192.168.1.15], dsn=5.1.1, stat=User unknown
> > > Jun 30 16:07:16 Neptune - Msg Uninfected: Delivered 1 messages
> >
> > did you configure your exchange-box to accept mails for the domain
> > gearresearch.com? Does the alias scott exist?
> >
> > Regards,
> > Roland

From ryanb at AACRAO.ORG Wed Jul 2 04:02:28 2003
From: ryanb at AACRAO.ORG (Ryan Bingham)
Date: Thu Jan 12 21:18:47 2006
Subject: ANNOUNCE: Version 4.22-4 released
References: <5.2.1.1.2.20030701205507.03ab1068@imap.ecs.soton.ac.uk>
 <5.2.1.1.2.20030701182840.02590538@imap.ecs.soton.ac.uk>
 <5.2.1.1.2.20030701182840.02590538@imap.ecs.soton.ac.uk>
 <5.2.1.1.2.20030701205507.03ab1068@imap.ecs.soton.ac.uk>
 <5.2.1.1.2.20030701211339.03d0e008@imap.ecs.soton.ac.uk>
Message-ID: <006301c34046$5fadcd20$f8240340@kh06s9>

Hi Julian,

Upgraded here without a hitch. You are truly amazing!
So far it looks like everything is working great. Thanks again for the
filetype filter!

Hope you have a good trip in Canada (even if you will be without broadband).
We all need to chip in and buy Julian a wireless neural shunt. :-)

Thanks again!

Ryan

----- Original Message -----
From: "Julian Field"
To:
Sent: Tuesday, July 01, 2003 4:15 PM
Subject: Re: ANNOUNCE: Version 4.22-4 released

At 21:21 01/07/2003, you wrote:
>Hi Julian,
>
> > I hate it when the list goes this quiet just after a release....
>
>There is enough of us out there that can keep you busy :)

That's why I hate it when you're not. I get used to the normal state of
affairs :)

>Thank you for all you do

My pleasure.
--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

From mike at CAMAROSS.NET Wed Jul 2 04:43:19 2003
From: mike at CAMAROSS.NET (Mike Kercher)
Date: Thu Jan 12 21:18:47 2006
Subject: ANNOUNCE: Version 4.22-4 released
In-Reply-To: <006301c34046$5fadcd20$f8240340@kh06s9>
Message-ID: <000501c3404c$14e2b5c0$9c01a8c0@home.middlefinger.net>

So we've now graduated from kidneys to neural implants? I'll throw in a
kid! :)

Mike

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On
Behalf Of Ryan Bingham
Sent: Tuesday, July 01, 2003 10:02 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: ANNOUNCE: Version 4.22-4 released

Hi Julian,

Upgraded here without a hitch. You are truly amazing!
So far it looks like everything is working great. Thanks again for the
filetype filter!

Hope you have a good trip in Canada (even if you will be without broadband).
We all need to chip in and buy Julian a wireless neural shunt. :-)

Thanks again!
Ryan

----- Original Message -----
From: "Julian Field"
To:
Sent: Tuesday, July 01, 2003 4:15 PM
Subject: Re: ANNOUNCE: Version 4.22-4 released

At 21:21 01/07/2003, you wrote:
>Hi Julian,
>
> > I hate it when the list goes this quiet just after a release....
>
>There is enough of us out there that can keep you busy :)

That's why I hate it when you're not. I get used to the normal state of
affairs :)

>Thank you for all you do

My pleasure.
--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

From benny.butler at NEXUSITG.COM Wed Jul 2 04:48:31 2003
From: benny.butler at NEXUSITG.COM (Benny Butler)
Date: Thu Jan 12 21:18:47 2006
Subject: Quick translation request - Brazilian Portuguese
In-Reply-To: <01ad01c3403f$cce84fc0$5a01a8c0@rhome>
Message-ID: <000b01c3404c$cf30a630$4c3b3f44@bluebird>

Sounds like there's as many versions of redneck as there is Spanish.
Heck, I'm going to feed my language files through the dialectizer so I
can get Swiss Chef, Porky and Jive (Jive is my favorite)

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On
Behalf Of Richard Ahlquist
Sent: Tuesday, July 01, 2003 9:15 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Quick translation request - Brazilian Portuguese

Being in Georgia I feel free to offer the Red-neck version;

Dat dere email thingy's too beeg!

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On
Behalf Of Julian Field
Sent: Tuesday, July 01, 2003 1:51 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Quick translation request - Brazilian Portuguese

Why is it always the Spanish and Portuguese who can never agree on the
translation? I guess it's the difference in dialects between Europe and
South America.

Maybe I should create a Red-neck and Geordie translation too? :)
Anyone know any Scots Gaelic?
At 18:45 01/07/2003, you wrote:
>I'm in Brazil and I speak Portuguese but what I don't know is if we're
>translating selected phrases or a whole system (I did not follow the
>translation thread). If it's just this phrase I favor Stephen's
>formulation and if you want to keep it shorter you can use:
>
>A mensagem excede o espaço disponível
>
>Miguel
>
>Stephen Lee wrote:
>
>>Here's another Brazilian Portuguese version (by proxy as well):
>>
>>Esta mensagem excede o espaço disponível.
>>
>>
>>Stephen
>>
>>On Tue, 2003-07-01 at 01:54, Florus Both wrote:
>>
>>
>>>A mensagem e muito longa.
>>>
>>>Florus (by proxy of a colleague :))
>>>
>>>-----Original Message-----
>>>From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK]
>>>Sent: 1. juli 2003 10:28
>>>To: MAILSCANNER@JISCMAIL.AC.UK
>>>Subject: Re: Quick translation request
>>>
>>>
>>>You're doing really well folks.
>>>
>>>Just
>>>
>>>Welsh
>>>Hungarian
>>>Italian
>>>Brazilian Portuguese
>>>Romanian
>>>
>>>left to go.
>>>--
>>>Julian Field
>>>www.MailScanner.info
>>>MailScanner thanks transtec Computers for their support
>>>
>

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

From splee at PLEXIO.COM Wed Jul 2 06:25:48 2003
From: splee at PLEXIO.COM (Stephen Lee)
Date: Thu Jan 12 21:18:47 2006
Subject: Quick translation request - Brazilian Portuguese
In-Reply-To: <5835AAE0-AC0E-11D7-BCA5-000393920D6C@uptime.at>
References: <5835AAE0-AC0E-11D7-BCA5-000393920D6C@uptime.at>
Message-ID: <1057123547.24159.160.camel@ralph.plexio.private>

On Tue, 2003-07-01 at 14:52, David wrote:
> On Tuesday, July 1, 2003, at 08:27, Roger D.
Vargas wrote:
>
> > On Tuesday, July 1, 2003 02:20 PM, wrote:
> >> Regarding Spanish, afaik, the language is spoken in more countries
> >> than any
> >> others (not by more people, I guess that is Chinese), and there are
> >> wild
> > chinese mandarin (there are several chinese dialects)
> (learned Chinese at University)
> and just to give you a number, there are over 3500 known Chinese
> dialects.. so imagine that plus the ones not found yet...

Sure there are 3500 spoken dialects but only a few (2-3) written
variations and most Chinese can read the bulk of those written forms. I
presume Julian was looking for written and not phonetic translations ;-)

Stephen

From evertjan at VANRAMSELAAR.NL Wed Jul 2 06:54:46 2003
From: evertjan at VANRAMSELAAR.NL (Evert Jan van Ramselaar)
Date: Thu Jan 12 21:18:47 2006
Subject: ANNOUNCE: Version 4.22-4 released
In-Reply-To: <5.2.1.1.2.20030702004637.0240a1d0@imap.ecs.soton.ac.uk>
References: <5.2.1.1.2.20030701182840.02590538@imap.ecs.soton.ac.uk>
 <5.2.1.1.2.20030701182840.02590538@imap.ecs.soton.ac.uk>
 <5.2.1.1.2.20030702004637.0240a1d0@imap.ecs.soton.ac.uk>
Message-ID: <30520.194.151.195.222.1057125286.squirrel@mail.vanramselaar.nl>

Julian Field said:

>>>I have just posted the new stable release 4.22-4 on the website.

>>Seeing as CustomConfig.pm has changed I guess it's a good idea for
>>MailWatch users to hold off until Steve comes up with a new patch?

Hehe, good one! I forgot all about the changes I made to this file when
deploying MailWatch. Nothing broken with upgrading MailScanner though,
because:

> Out of interest, had you previously edited your CustomConfig.pm?
> If so, did it overwrite your CustomConfig.pm or add
> CustomConfig.pm.rpmnew?

It did not touch the altered CustomConfig.pm and added a
CustomConfig.pm.rpmnew like I think it should.

I have not diffed the old and new files yet, so I do not know what the
impact of using the "old" MailWatch version of CustomConfig.pm is.
So far so good, because both MailScanner and MailWatch are still working
fine.

--
Evert Jan van Ramselaar
Van Ramselaar Info Tech

From mike at ZANKER.ORG Wed Jul 2 07:28:07 2003
From: mike at ZANKER.ORG (Mike Zanker)
Date: Thu Jan 12 21:18:47 2006
Subject: ANNOUNCE: Version 4.22-4 released
In-Reply-To: <30520.194.151.195.222.1057125286.squirrel@mail.vanramselaar.nl>
References: <5.2.1.1.2.20030701182840.02590538@imap.ecs.soton.ac.uk>
 <5.2.1.1.2.20030701182840.02590538@imap.ecs.soton.ac.uk>
 <5.2.1.1.2.20030702004637.0240a1d0@imap.ecs.soton.ac.uk>
 <30520.194.151.195.222.1057125286.squirrel@mail.vanramselaar.nl>
Message-ID: <124146906.1057130887@jemima.zanker.org>

On 02 July 2003 07:54 +0200 Evert Jan van Ramselaar wrote:

> Hehe, good one! I forgot all about the changes I made to this file
> when deploying MailWatch. Nothing broken with upgrading MailScanner
> though, because:
>
> It did not touch the altered CustomConfig.pm and added a
> CustomConfig.pm.rpmnew like I think it should.

Yes, I thought it would do this but didn't know what the outcome of using
the older, patched CustomConfig.pm with 4.22 would be.

> I have not diffed the old and new files yet, so I do not know what the
> impact of using the "old" MailWatch version of CustomConfig.pm is. So
> far so good, because both MailScanner and MailWatch are still working
> fine.

Good to know. 4.21-8 is working fine here so I'll hold off a bit longer,
just in case.

Mike.

From JEN at AH.DK Wed Jul 2 08:30:13 2003
From: JEN at AH.DK (Jan Elmqvist Nielsen)
Date: Thu Jan 12 21:18:47 2006
Subject: Only 1.3 score by spamassassin
Message-ID:

How did this mail only get 1.3 by spamassassin?
I am using mailscanner 4.21-9 and spamassassin 2.55

Jan Elmqvist Nielsen
-------------- next part --------------
An embedded message was scrubbed...
From: "Normand Noble"
Subject: =?ISO-8859-1?B?SSBrbm93IGFsbCBh?=bout you
Date: Wed, 02 Jul 2003 03:21:44 -0100
Size: 2818
Url: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030702/7d8d7278/attachment.mht

From Kevin.Spicer at BMRB.CO.UK Wed Jul 2 08:46:49 2003
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin)
Date: Thu Jan 12 21:18:47 2006
Subject: ANNOUNCE: Version 4.22-4 released
Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0EBF6C1@pascal.priv.bmrb.co.uk>

> - control over HTML forms in email messages, which have been used
>> recently to try to extract passwords and credit card details from
>> unwitting users.
>

Am I correct in thinking that setting

Allow Form Tags = yes

and

Convert Dangerous HTML To Text = yes

will strip the form tags from these emails whilst still allowing the
emails to be delivered?


BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000
_________________________________________________________________
This message (and any attachment) is intended only for the
recipient and may contain confidential and/or privileged
material. If you have received this in error, please contact the
sender and delete this message immediately. Disclosure, copying
or other action taken in respect of this email or in
reliance on it is prohibited. BMRB International Limited
accepts no liability in relation to any personal emails, or
content of any email which does not directly relate to our
business.

From evertjan at VANRAMSELAAR.NL Wed Jul 2 08:54:43 2003
From: evertjan at VANRAMSELAAR.NL (Evert Jan van Ramselaar)
Date: Thu Jan 12 21:18:47 2006
Subject: Only 1.3 score by spamassassin
In-Reply-To:
References:
Message-ID: <39872.194.151.195.222.1057132483.squirrel@mail.vanramselaar.nl>

Jan Elmqvist Nielsen said:
> How did this mail only get 1.3 by spamassassin?
> I am using mailscanner 4.21-9 and spamassassin 2.55

MailScanner has nothing to do with SpamAssassin scoring. It just uses the
results. Talk about SA scoring belongs on the SA mailing list.
--
Evert Jan van Ramselaar
Van Ramselaar Info Tech

From JEN at AH.DK Wed Jul 2 09:04:00 2003
From: JEN at AH.DK (Jan Elmqvist Nielsen)
Date: Thu Jan 12 21:18:47 2006
Subject: Vedr.: Re: Only 1.3 score by spamassassin
Message-ID:

I have also posted to spamassassin list.

I can see that:
Expand Your Penis up to 20% Thicker

is in html this:
Expand Your Pen5t669is up to 20% Thicker

A little bit scary..


>>> evertjan@VANRAMSELAAR.NL 02-07-2003 09:54:43 >>>
Jan Elmqvist Nielsen said:
> How did this mail only get 1.3 by spamassassin?
> I am using mailscanner 4.21-9 and spamassassin 2.55

MailScanner has nothing to do with SpamAssassin scoring. It just uses the
results. Talk about SA scoring belongs on the SA mailing list.

--
Evert Jan van Ramselaar
Van Ramselaar Info Tech

From mailscanner at BARENDSE.TO Wed Jul 2 09:19:37 2003
From: mailscanner at BARENDSE.TO (Remco Barendse)
Date: Thu Jan 12 21:18:47 2006
Subject: Feature request X-MailScanner-SpamCheck:
Message-ID:

Don't know if this is an easy thing to do but I have a suggestion.

Currently when mail passes several MailScanner servers all the
X-headers are appended.

For debugging reasons I think it would be practical if every report could
also include the host name or ip addr. of the host that generated the
report.

I would like to know and check why two identical boxes generate different
scores but it's hard to see which header is from which host!

X-MailScanner-SpamCheck: not spam, SpamAssassin (score=3, required 6,
        FAILURE_NOTICE_1 -0.30, FROM_NO_LOWER 2.20, INVALID_DATE 0.59,
        RCVD_IN_UNCONFIRMED_DSBL 0.51), not spam (whitelisted),
        SpamAssassin (score=1.6, required 5, FAILURE_NOTICE_1 -0.30,
        INVALID_DATE 0.59, NO_REAL_NAME 0.82, RCVD_IN_UNCONFIRMED_DSBL 0.51)

Thanks!
Remco

From mailscanner at BARENDSE.TO Wed Jul 2 09:31:49 2003
From: mailscanner at BARENDSE.TO (Remco Barendse)
Date: Thu Jan 12 21:18:47 2006
Subject: SpamAssassin -D??
Message-ID:

I would like to see why DCC isn't working with SpamAssassin so I tried
running it in debug mode.

I tried :
spamassassin -D /usr/share/doc/spamassassin-2.55/sample-spam.txt

which just makes spamassassin hang forever and display no output
whatsoever. This is a RedHat 8.0 box with SpamAssassin 2.55-2

Ideas anyone?

Thanks!
Remco

From Q.G.Campbell at NEWCASTLE.AC.UK Wed Jul 2 09:58:41 2003
From: Q.G.Campbell at NEWCASTLE.AC.UK (Quentin Campbell)
Date: Thu Jan 12 21:18:47 2006
Subject: MailScanner + Sophos: a serious bug?
Message-ID: <52E50E4D595DDE4D861117A1FB62E79DBFFBD0@bond.ncl.ac.uk>

Re. my earlier messages about Sophos sometimes missing Sobig variants in
messages.

I switched on quarantining of virus containing messages and believe I
can now see what is going on. In fact the problem is not just limited to
Sobig (the most common infection at present) but to Yaha.G as well and
most probably all other viruses.

It seems that Sophos will not recognise viruses, including at least
Yaha.G and all variants of Sobig, when the message being scanned is a
bounce/error return message which contains the whole of the original
message, including the zipped attachment with the virus/worm in it.

At this site McAfee but not Sophos recognises the virus in such a
message.

Two questions:

1. Is this a problem with MailScanner's parsing of messages or with the
A-V product it calls and to which it passes the message contents?

2. How serious is it if such a message is delivered intact?

I would like to understand the problem and its possible consequences a
bit better before I forward some example messages to Sophos.

Quentin
---
PHONE: +44 191 222 8209    Computing Service, University of Newcastle
FAX:   +44 191 222 8765    Newcastle upon Tyne, United Kingdom, NE1 7RU.
------------------------------------------------------------------------
"Any opinion expressed above is mine. The University can get its own."
> -----Original Message-----
> From: Quentin Campbell [mailto:Q.G.Campbell@NEWCASTLE.AC.UK]
> Sent: 01 July 2003 12:34
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: Sobig.{E,D,EML} not found by Sophos and McAfee -
> further info
>
>
> > -----Original Message-----
> > From: Quentin Campbell [mailto:Q.G.Campbell@newcastle.ac.uk]
> > Sent: 01 July 2003 10:40
> > To: MAILSCANNER@JISCMAIL.AC.UK
> > Subject: Re: Sobig.{E,D,EML} not found by Sophos and McAfee
> > > [snip]
> > > By the way, what's Sobig.EML and ...
> >
> > Good question. I cannot find this virus at the NAI site yet
> > it is McAfee that is recognising it! The notification I got says:
> >
> > The following e-mail messages were found to have viruses in them:
> >
> > Sender: auto.reply@compuserve.com
> > IP Address: 149.174.40.6
> > Recipient: xxx@newcastle.ac.uk
> > Subject: Undeliverable Message
> > MessageID: h611uKu05157
> > Report: /h611uKu05157/msg-32244-1482.txt Found the
> > W32/Sobig.eml virus !!!
> >
> > > ...what harm can it do in a .txt file?
> >
> > That is not the point unless you are suggesting that is why
> > Sophos does not recognise it? The issue for me is why one A-V
> > scanner finds it but another doesn't.
>
> The one thing all these messages have in common are that they
> are bounce messages of one sort or another:
>
> o undeliverable message
> o failure notice
> o returned mail - nameserver error ...
>
> It appears that they retain some sort of "signature" text,
> probably harmless, that the McAfee scanner recognises but not
> the Sophos scanner. Does this sound plausible?
>
> Note that this applies to both "Sobig.e", "Sobig.d" and
> "Sobig.eml" (what ever that is).
>
> The latter suggests an alternative theory that it might be
> MailScanner wrongly picking up a string from the McAfee
> scanner or wrongly reporting a string that it has; that is,
> it reports as "Sobig.eml" a string that is something else?
>
> I will see if I can quarantine some of these messages.
>
> Quentin
> ---
> PHONE: +44 191 222 8209 Computing Service, University of Newcastle
> FAX: +44 191 222 8765 Newcastle upon Tyne, United
> Kingdom, NE1 7RU.
> --------------------------------------------------------------
> ----------
> "Any opinion expressed above is mine. The University can get
> its own."
>
>
>

From m.sapsed at BANGOR.AC.UK Wed Jul 2 10:09:25 2003
From: m.sapsed at BANGOR.AC.UK (Martin Sapsed)
Date: Thu Jan 12 21:18:47 2006
Subject: MailScanner feature request
References:
Message-ID: <3F02A145.1030906@bangor.ac.uk>

randyf@sibernet.com wrote:
> I would like to see the silent virus list actually go the other way and
> provide the equivalent of a non-silent notification list. Most of the
> newer viruses are doing e-mail harvesting and don't really come from the
> specified sender. So every time a new virus pattern defined, I need to
> add this to the silent list.
>
> I personally would prefer that the default action would to have the
> message NOT sent to the sender, and have the choice to send it to the
> recipient (the latter already exists, but I would need to add the pattern
> to the silent list to get the former).
>
> Maybe a configuration option would be to turn the silent virus list into
> a notification white list, or provide a different list (the presence of
> which might disable the current mechanism).

but (as things stand) my Silent list has 8 entries for worm families but
Sophos detects about 82000 viruses or something. I like the fact that if
someone with old (or no) anti-virus software attaches a word document
with any macro virus in it to an e-mail, they'll get a "heads-up" to get
their act together, or if someone sends in a joke or trojan binary to a
friend, they'll get a warning that we don't want those here.

My guess is that a lot of the "new" worms which appear will just be new
variants of existing ones, and adding an extra entry to the line isn't
hard...
I guess an option (off by default) to switch things around for those who
want it wouldn't hurt, but I (personally) wouldn't like to lose the
current facility...

Just my tuppenny worth though...

Cheers,

Martin

--
Martin Sapsed
Information Services "Who do you say I am?"
University of Wales, Bangor Jesus of Nazareth

From m.sapsed at BANGOR.AC.UK Wed Jul 2 10:23:08 2003
From: m.sapsed at BANGOR.AC.UK (Martin Sapsed)
Date: Thu Jan 12 21:18:47 2006
Subject: Silently drop FORM tags
References:
Message-ID: <3F02A47C.1070809@bangor.ac.uk>

Raymond Dijkxhoorn wrote:
>>However, I'm a bit loath to spend much time on it, as we will soon reach
>>the situation where no-one warns senders of anything as all the viruses in
>>circulation fake From addresses.

See my disagreement on the other thread...

> Silent Viruses = Klez Yaha Bugbear Lentin Sobig Hybris Sircam Holar Ganda

I don't think Sircam forges does it?

Didn't think Hybris gave anything to send a warning to? Julian, what
does MailScanner use - the entry in Sender: in the reports? If that's
blank, does it do anything?

Wasn't aware of Holar or Ganda and what's Lentin?

I currently have (for Sophos)

Silent Viruses = Klez Yaha Bugbear Braid WinEvar Fizzer Palyh Sobig

Cheers,

Martin

--
Martin Sapsed
Information Services "Who do you say I am?"
University of Wales, Bangor Jesus of Nazareth

From m.sapsed at BANGOR.AC.UK Wed Jul 2 10:24:45 2003
From: m.sapsed at BANGOR.AC.UK (Martin Sapsed)
Date: Thu Jan 12 21:18:47 2006
Subject: Sobig.{E,D,EML} not found by Sophos and McAfee
References: <52E50E4D595DDE4D861117A1FB62E79D82089E@bond.ncl.ac.uk>
 <1057079365.4524.6.camel@wilowisp.dynetics.com>
Message-ID: <3F02A4DD.3090504@bangor.ac.uk>

Jim Levie wrote:
> I'm seeing something similar in that Sophos with the latest IDE's isn't
> catching some variants of SoBig that arrived over the weekend and this
> morning. McAfee is detecting them, so far.
The virus isn't reaching my
> users, at least currently, because they are all in a disguised zip file
> and I have a filename rule that disallows '.zi'.

Have you quarantined any and if so, have you sent them to Sophos for
analysis?

Cheers,

Martin

--
Martin Sapsed
Information Services "Who do you say I am?"
University of Wales, Bangor Jesus of Nazareth

From dot at DOTAT.AT Wed Jul 2 11:01:49 2003
From: dot at DOTAT.AT (Tony Finch)
Date: Thu Jan 12 21:18:47 2006
Subject: MailScanner feature request
In-Reply-To:
References: <5.2.1.1.2.20030701175339.03a4b718@imap.ecs.soton.ac.uk>
Message-ID:

Randy Fishel wrote:
>
> I personally would prefer that the default action would to have the
>message NOT sent to the sender, and have the choice to send it to the
>recipient (the latter already exists, but I would need to add the pattern
>to the silent list to get the former).

I also don't think that sender notifications are a good idea. In my
MailScanner.conf I have Notify Senders = no, and in the text of the
recipient virus notifications I tell them to inform the sender of the
problem only if they are sure the message is otherwise legitimate.
I've also altered the sender reports so that they get sent to me, in
case of misconfiguration.

Tony.
--
f.a.n.finch http://dotat.at/
SELSEY BILL TO LYME REGIS: WEST OR NORTHWEST 3 OR 4. ISOLATED SHOWERS.
MODERATE OR GOOD. SLIGHT.

From Kevin.Spicer at BMRB.CO.UK Wed Jul 2 11:14:19 2003
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin)
Date: Thu Jan 12 21:18:47 2006
Subject: MailScanner feature request
Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0EBF6C5@pascal.priv.bmrb.co.uk>

> I also don't think that sender notifications are a good idea. In my
> MailScanner.conf I have Notify Senders = no, and in the text of the
> recipient virus notifications I tell them to inform the sender of the
> problem only if they are sure the message is otherwise legitimate.
> I've also altered the sender reports so that they get sent to me, in
> case of misconfiguration.

FWIW I've just configured mine as a ruleset so that only local senders
get notified.


BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000
_________________________________________________________________
This message (and any attachment) is intended only for the
recipient and may contain confidential and/or privileged
material. If you have received this in error, please contact the
sender and delete this message immediately. Disclosure, copying
or other action taken in respect of this email or in
reliance on it is prohibited. BMRB International Limited
accepts no liability in relation to any personal emails, or
content of any email which does not directly relate to our
business.

From rogerdv at SOFTHOME.NET Wed Jul 2 11:54:35 2003
From: rogerdv at SOFTHOME.NET (Roger D. Vargas)
Date: Thu Jan 12 21:18:47 2006
Subject: Quick translation request - Brazilian Portuguese
In-Reply-To: <5835AAE0-AC0E-11D7-BCA5-000393920D6C@uptime.at>
References: <5835AAE0-AC0E-11D7-BCA5-000393920D6C@uptime.at>
Message-ID: <200307020654.35500.rogerdv@softhome.net>

On Tuesday, July 1, 2003 05:52 PM, wrote:
> On Tuesday, July 1, 2003, at 08:27, Roger D. Vargas wrote:
> > On Tuesday, July 1, 2003 02:20 PM, wrote:
> >> Regarding Spanish, afaik, the language is spoken in more countries
> >> than any
> >> others (not by more people, I guess that is Chinese), and there are
> >> wild
> >
> > chinese mandarin (there are several chinese dialects)
>
> (learned Chinese at University)
> and just to give you a number, there are over 3500 known Chinese
> dialects.. so imagine that plus the ones not found yet...
>

That is an awesome number. I had to deal with 2-3 (mandarin, cantonese)
in my kung fu training, never imagined there were so many chinese
languages.

--
Roger D.
Vargas
ICQ: 117641572
Linux user: 180787
* Whether you think you can, or you think you can't, you're right *
Henry Ford

From mailscanner at ecs.soton.ac.uk Wed Jul 2 11:37:30 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:18:47 2006
Subject: SpamAssassin -D??
In-Reply-To:
Message-ID: <5.2.0.9.2.20030702113649.05c34b18@imap.ecs.soton.ac.uk>

Check you have told SpamAssassin where to find dccproc (read
Mail::SpamAssassin::Conf man page).
Also have you got iptables or anything like that potentially blocking the
replies from dcc?

At 09:31 02/07/2003, you wrote:
>I would like to see why DCC isn't working with SpamAssassin so I tried
>running it in debug mode.
>
>I tried :
>spamassassin -D /usr/share/doc/spamassassin-2.55/sample-spam.txt
>
>
>which just makes spamassassin hang forever and display no output
>whatsoever. This is a RedHat 8.0 box with SpamAssassin 2.55-2
>
>Ideas anyone?
>
>Thanks!
>Remco

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Wed Jul 2 11:26:44 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:18:47 2006
Subject: ANNOUNCE: Version 4.22-4 released
In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB0EBF6C1@pascal.priv.bmrb.co.uk>
Message-ID: <5.2.0.9.2.20030702112313.03f64918@imap.ecs.soton.ac.uk>

At 08:46 02/07/2003, you wrote:
> > - control over HTML forms in email messages, which have been used
> >> recently to try to extract passwords and credit card details from
> >> unwitting users.
> >
>
>Am I correct in thinking that setting
>
>Allow Form Tags = yes
>
>and
>
>Convert Dangerous HTML To Text = yes
>
>will strip the form tags from these emails whilst still allowing the
>emails to be delivered?

Should do, yes.
-- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Wed Jul 2 11:41:28 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:18:47 2006 Subject: Silently drop FORM tags In-Reply-To: <3F02A47C.1070809@bangor.ac.uk> References: Message-ID: <5.2.0.9.2.20030702113817.03ff8110@imap.ecs.soton.ac.uk> At 10:23 02/07/2003, you wrote: >Didn't think Hybris gave anything to send a warning to? Julian, what >does MailScanner use - the entry in Sender: in the reports? If that's >blank, does it do anything? It uses the envelope sender address which is not always shown in the message headers. If the envelope sender is blank, then I seem to remember it throws away the sender warning. >Silent Viruses = Klez Yaha Bugbear Braid WinEvar Fizzer Palyh Sobig Raymond and I are working out a system whereby you can automatically keep this list up to date as new viruses of this type appear, but you will still be able to customise the list as well. Watch this space... -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Wed Jul 2 11:34:26 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:18:47 2006 Subject: Vedr.: Re: Only 1.3 score by spamassassin In-Reply-To: Message-ID: <5.2.0.9.2.20030702113412.041b6bd8@imap.ecs.soton.ac.uk> At 09:04 02/07/2003, you wrote: >I have also posted to spamassassin list. > >I can see that: >Expand Your Penis up to 20% Thicker > >is in html this: >Expand Your Pen5t669is up to 20% Thicker I believe SpamAssassin 2.60 will address this problem. >A little bit scarey.. > > >>> evertjan@VANRAMSELAAR.NL 02-07-2003 09:54:43 >>> >Jan Elmqvist Nielsen said: > > How did this mail only get 1.3 by spamassassin? > > I am using mailscanner 4.21-9 and spamassassin 2.55 > >MailScanner has nothing to do with SpamAssassin scoring. It just uses the >results. 
Talk about SA scoring belongs on the SA mailinglist. > >-- > Evert Jan van Ramselaar > Van Ramselaar Info Tech -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Wed Jul 2 11:36:22 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:18:47 2006 Subject: Feature request X-MailScanner-SpamCheck: In-Reply-To: Message-ID: <5.2.0.9.2.20030702113509.05c386a8@imap.ecs.soton.ac.uk> At 09:19 02/07/2003, you wrote: >Don't know if this is an easy thing to do but I have a suggestion. > >Currently when mail passes several MailScanner servers all the >X-headers are appended. > >For debugging reasons I think it would be practical if ever report could >also include the host name or ip addr. of the host that generated the >report. If you customise the headers in the MailScanner.conf then this isn't a problem. Put an acronym of your site name in the header name. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Wed Jul 2 11:29:42 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:18:47 2006 Subject: MailScanner + Sophos: a serious bug? In-Reply-To: <52E50E4D595DDE4D861117A1FB62E79DBFFBD0@bond.ncl.ac.uk> Message-ID: <5.2.0.9.2.20030702112915.03d1fc68@imap.ecs.soton.ac.uk> Can you (in a password-protected zip) send me an example or two so I can see exactly what you mean. At 09:58 02/07/2003, you wrote: >Re. my earlier messages about Sophos sometimes missing Sobig variants in >messages. > >I switched on quarantining of virus containing messages and believe I >can now see what is going on. In fact the problem is not just limited to >Sobig (the most common infection at present) but to Yaha.G as well and >most probably all other viruses. 
> >It seems that Sophos will not recognise viruses, including at least >Yaha.G and all variants of Sobig, when the message being scanned is a >bounce/error return message which contains the whole of the original >message, including the zipped attachment with the virus/worm in it. > >At this site McAfee but not Sophos recognises the virus in such a >message. > >Two questions: > >1. Is this a problem with MailScanner's parsing of messages or with the >A-V product it calls and to which it passes the message contents? > >2. How serious is it if such a message is delivered intact? > >I would like to understand the problem and its possible consequences a >bit better before I forward some example messages to Sophos. > >Quentin >--- >PHONE: +44 191 222 8209 Computing Service, University of Newcastle >FAX: +44 191 222 8765 Newcastle upon Tyne, United Kingdom, NE1 7RU. >------------------------------------------------------------------------ >"Any opinion expressed above is mine. The University can get its own." > > > -----Original Message----- > > From: Quentin Campbell [mailto:Q.G.Campbell@NEWCASTLE.AC.UK] > > Sent: 01 July 2003 12:34 > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: Re: Sobig.{E,D,EML} not found by Sophos and McAfee - > > further info > > > > > > > -----Original Message----- > > > From: Quentin Campbell [mailto:Q.G.Campbell@newcastle.ac.uk] > > > Sent: 01 July 2003 10:40 > > > To: MAILSCANNER@JISCMAIL.AC.UK > > > Subject: Re: Sobig.{E,D,EML} not found by Sophos and McAfee > > > > > [snip] > > > > By the way, what's Sobig.EML and ... > > > > > > Good question. I cannot find this virus at the NAI site yet > > > it is McAfee that is recognising it! 
The notification I got says: > > > > > > The following e-mail messages were found to have viruses in them: > > > > > > Sender: auto.reply@compuserve.com > > > IP Address: 149.174.40.6 > > > Recipient: xxx@newcastle.ac.uk > > > Subject: Undeliverable Message > > > MessageID: h611uKu05157 > > > Report: /h611uKu05157/msg-32244-1482.txt Found the > > > W32/Sobig.eml virus !!! > > > > > > > ...what harm can it do in a .txt file? > > > > > > That is not the point unless you are suggesting that is why > > > Sophos does not recognise it? The issue for me is why one A-V > > > scanner finds it but another doesn't. > > > > The one thing all these messages have in common are that they > > are bounce messages of one sort or another: > > > > o undeliverable message > > o failure notice > > o returned mail - nameserver error ... > > > > It appears that they retain some sort of "signature" text, > > probably harmless, that the McAfee scanner recognises but not > > the Sophos scanner. Does this sound plausible? > > > > Note that this applies to both "Sobig.e", "Sobig.d" and > > "Sobig.eml" (what ever that is). > > > > The latter suggests an alternative theory that it might be > > MailScanner wrongly picking up a string from the McAfee > > scanner or wrongly reporting a string that it has; that is, > > it reports as "Sobig.eml" a string that is something else? > > > > I will see if I can quarantine some of these messages. > > > > Quentin > > --- > > PHONE: +44 191 222 8209 Computing Service, University of Newcastle > > FAX: +44 191 222 8765 Newcastle upon Tyne, United > > Kingdom, NE1 7RU. > > -------------------------------------------------------------- > > ---------- > > "Any opinion expressed above is mine. The University can get > > its own." 
> > > > > > -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From David.While at UCE.AC.UK Wed Jul 2 12:09:12 2003 From: David.While at UCE.AC.UK (David While) Date: Thu Jan 12 21:18:47 2006 Subject: Bayes learning Message-ID: <107DE25EC0216C45AEF670016024245F6EE8@exchangea.staff.uce.ac.uk> Skipped content of type multipart/alternative-------------- next part -------------- A non-text attachment was scrubbed... Name: bayes-learn.pl Type: application/octet-stream Size: 1606 bytes Desc: bayes-learn.pl Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030702/eb9f0d5c/bayes-learn.obj From mailscanner at ecs.soton.ac.uk Wed Jul 2 11:33:53 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:18:47 2006 Subject: Only 1.3 score by spamassassin In-Reply-To: Message-ID: <5.2.0.9.2.20030702113147.03fde370@imap.ecs.soton.ac.uk> Enquiries of this sort and suggestions for extra traps in SpamAssassin really belong on the SAtalk mailing list run by the SpamAssassin developers. We can't really help you here, except to say that it is obviously a very well constructed spam message. At 08:30 02/07/2003, you wrote: >How did this mail only get 1.3 by spamassassin? 
> >I am using mailscanner 4.21-9 and spamassassin 2.55 > >Jan Elmqvist Nielsen >Received: from ns.ah.dk > (ns2.ah.dk [80.209.17.32]) > by ahpost.ah.dk; Wed, 02 Jul 2003 06:23:02 +0200 >Received: from ns3.ah.dk (ns3.ah.dk [80.209.17.33]) > by ns.ah.dk (8.11.6/8.11.6) with ESMTP id h624UiD31893 > for ; Wed, 2 Jul 2003 06:30:44 +0200 >Received: (from root@localhost) > by ns3.ah.dk (8.11.6/8.11.6) id h624YFR00858 > for dof@sofi.ah.dk.KAV; Wed, 2 Jul 2003 06:34:15 +0200 >Received: (from root@localhost) > by ns3.ah.dk (8.11.6/8.11.6) id h624YEj00848 > for dof@ah.dk.KAV; Wed, 2 Jul 2003 06:34:14 +0200 >Received: from openconnect.ch (h0010a40e4183.ne.client2.attbi.com >[66.31.163.55]) > by ns3.ah.dk (8.11.6/8.11.6) with ESMTP id h624YDp00840 > for ; Wed, 2 Jul 2003 06:34:13 +0200 >Subject: I know all about you >User-Agent: Mozilla/5.048 (X11; U; FreeBSD i386; U; NT4.0; en-us) >Gecko/25250101 >X-Accept-Language: en >MIME-Version: 1.0 >Message-ID: <3F025DD8.0EC9CBA8@mecanica.upm.es> >Date: Wed, 02 Jul 2003 03:21:44 -0100 >From: "Normand Noble" >To: dof@ah.dk >Content-Type: text/html >X-MailScanner-Information: Please contact the ISP for more information >X-MailScanner: Found to be clean >X-MailScanner-SpamCheck: ikke spam, SpamAssassin (bed?mmelse=1.3, p?kr?vet 3, > HTML_50_60 0.55, HTML_FONT_BIG 0.27, HTML_FONT_COLOR_RED 0.10, > HTML_MESSAGE 0.10, HTML_RELAYING_FRAME 0.27, MIME_HTML_ONLY 0.10, > USER_AGENT_MOZILLA_UA 0.00, X_ACCEPT_LANG -0.10) >X-MailScanner-SpamScore: s >Content-Transfer-Encoding: 8bit > >NEVER AGAIN BE EMBARRASSED ABOUT YOUR SIZE > >VPlb2mr-RX has helped over 700,000 men worldwide >Some benefits include: >* Gain up to 3 Full Inches in Length >* Expand Your Pen5t669is up to 20% Thicker >* Stop Premature Ejacuvhfi7lation! >* Produce Stronger, Rock Hard Eretdxcrctions >* 100% Safe To Take, With NO Side Effxgjshects >* Fast Priority Shipping Worldwide >* Doctor Approved and Recomoy7tymended >* No Pumps! No Surgery! No Exnylrrercises! 
> > >Don't wait another day, >More Info here! >* 100% Money Back Guaranw725hteed > >Remove me from the list -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030702/7c92817a/attachment.html From raymond at PROLOCATION.NET Wed Jul 2 11:44:24 2003 From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:18:47 2006 Subject: Silently drop FORM tags In-Reply-To: <3F02A47C.1070809@bangor.ac.uk> Message-ID: Hi! > Didn't think Hybris gave anything to send a warning to? Julian, what > does MailScanner use - the entry in Sender: in the reports? If that's > blank, does it do anything? > > Wasn't aware of Holar or Ganda and what's Lentin? Lentin is a different name for Klez. I am scanning with both F-prot and ClamAV so i need the two names ... Bye, Raymond. From howard at harper-adams.ac.uk Wed Jul 2 12:38:56 2003 From: howard at harper-adams.ac.uk (Howard Robinson) Date: Thu Jan 12 21:18:47 2006 Subject: Re installing Spamassassin. In-Reply-To: <5.2.0.9.2.20030411095712.0293a500@imap.ecs.soton.ac.uk> References: <041601c30007$00714460$3900a8c0@Daniel> Message-ID: <200307021137.h62Bbb3l005433@blackhole.harper-adams.ac.uk> On 11 Apr 03, at 9:58, Julian Field wrote: Hello List I am installing SpamAssassin 2.55 using the instructions mailed to the list some time ago (see below). I got as far as Makefile.PL and that ran with no errors. Its the next bit that is confusing me - the make make test make install. What does this mean? Is it literally running make then make test then make install? If so do these commands have to be run directly after running Makefile.PL ? Thanks. 
> rpm -e perl-Mail-SpamAssassin > Then download the .tar.gz file > tar xzf Mail-SpamAssassin-2.53.tar.gz > cd Mail-SpamAssassin-2.53 > perl Makefile.PL > Then make sure you have the pre-requisites installed (the previous command > will warn you if you don't) make make test make install > Regards Howard Robinson (Senior Technical Development Officer) Harper Adams University College Edgmond Newport Shropshire TF10 8NB UK E-mail: hrobinson@harper-adams.ac.uk Tel. : +44(0)1952 820280 Via switchboard : +44(0)1952 815253 Direct line Fax. : +44(0)1952 814783 College Web site http://www.harper-adams.ac.uk From Kevin.Spicer at BMRB.CO.UK Wed Jul 2 12:44:29 2003 From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin) Date: Thu Jan 12 21:18:47 2006 Subject: Re installing Spamassassin. Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0EBF6C9@pascal.priv.bmrb.co.uk> Howard Robinson wrote: > On 11 Apr 03, at 9:58, Julian Field wrote: > Hello List > I am installing SpamAssassin 2.55 using the instructions mailed to > the list some time ago (see below). > I got as far as Makefile.PL and that ran with no errors. > Its the next bit that is confusing me - the make make test make > install. What does this mean? Is it literally running make > then make test > then make install? Yes and in that order BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. 
From Q.G.Campbell at NEWCASTLE.AC.UK Wed Jul 2 12:49:17 2003 From: Q.G.Campbell at NEWCASTLE.AC.UK (Quentin Campbell) Date: Thu Jan 12 21:18:47 2006 Subject: MailScanner + Sophos: a serious bug? Message-ID: <52E50E4D595DDE4D861117A1FB62E79DBFFC20@bond.ncl.ac.uk> > -----Original Message----- > From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] > Sent: 02 July 2003 11:30 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: MailScanner + Sophos: a serious bug? > > > Can you (in a password-protected zip) send me an example or > two so I can see exactly what you mean. > Julian Done. Three example messages have been sent to your mailscanner@ecs.soton.ac.uk address. Quentin --- PHONE: +44 191 222 8209 Computing Service, University of Newcastle FAX: +44 191 222 8765 Newcastle upon Tyne, United Kingdom, NE1 7RU. ------------------------------------------------------------------------ "Any opinion expressed above is mine. The University can get its own." From Denis.Beauchemin at USHERBROOKE.CA Wed Jul 2 14:02:46 2003 From: Denis.Beauchemin at USHERBROOKE.CA (Denis Beauchemin) Date: Thu Jan 12 21:18:47 2006 Subject: McAfee Auto Update In-Reply-To: <1057002309.3340.10.camel@dbeauchemin.sti.usherbrooke.ca> References: <5.2.1.1.2.20030630203049.0259aae8@imap.ecs.soton.ac.uk> <1057002309.3340.10.camel@dbeauchemin.sti.usherbrooke.ca> Message-ID: <1057150966.2835.15.camel@dbeauchemin.sti.usherbrooke.ca> I keep telling everybody that whenever my McAfee DAT files are updated I get an email. It is true but it is because I asked it to... 
For people who would be interested, here is how I do it in root's crontab:

# McAfee update
17,47 * * * * /usr/lib/MailScanner/mcafee-autoupdate 2>&1 | /usr/local/bin/post-cron-results "$(uname -n) : MAJ McAfee" me@USherbrooke.ca

The /usr/local/bin/post-cron-results script looks like this (I just did a quick translation to English):

#!/bin/bash
#
# Script sending text received on stdin by email to all recipients listed
# on the command line (separated by spaces). Subject of the message is the
# first parameter on the command line.
#
# Denis Beauchemin, 20001011.

# Check the arguments before reading stdin.
if [[ $# -lt 2 ]]; then
    echo "Error! Wrong number of parameters for ${0##*/}" >&2
    echo "Use: ${0##*/} \"Subject of the message\" destination [ destination ]" >&2
    exit 1
fi

sujet="$1"
shift

# mktemp creates the file under an unpredictable name; a fixed
# /tmp/poste-resultats.$$ path can be pre-created or symlinked by another
# local user before root's cron job writes to it.
tmpfile=$(mktemp /tmp/poste-resultats.XXXXXX) || exit 1
trap 'rm -f "$tmpfile"' EXIT

/bin/cat - > "$tmpfile"

# Send mail only if the command feeding this script produced output.
# "$@" keeps every recipient as a separate argument.
if [[ -s "$tmpfile" ]]; then
    /bin/mail -s "$sujet" "$@" < "$tmpfile"
fi

Basically, this script (which works just fine on all my Red Hat boxes) won't send you any email if the command feeding it input doesn't produce any. Useful in cron files because you otherwise always get an email (or never get any if you redirect everything to /dev/null).

So it looks like I am still paranoid and am still looking for updates twice every hour! ;-)

Denis

On Mon 30/06/2003 at 15:45, Denis Beauchemin wrote:
> Wouldn't it be risky to not update as soon as an updated DAT file is
> released?
>
> Maybe I'm paranoid but before your cron.hourly script I used to call my
> own autoupdate script every 30 minutes!
>
> Denis
>
> On Mon 30/06/2003 at 15:31, Julian Field wrote:
> > Wouldn't it just be easier to move update_virus_scanners from the
> > cron.hourly directory to the cron.daily directory?
> >
> > At 20:24 30/06/2003, you wrote:
> > >Hello Julian,
> > >
> > >I have MailScanner installed on my Linux working with McAfee only.
> > >
> > >To avoid auto-update to run every hour, I've disabled the script
> > >update_virus_scanners on my cron.hourly and create a call to
> > >mcafee-autoupdate script on my crontab file to run every day at 01:00am.
> > >I've been checking every day and there seems to be no problem on the
> > >mcafee-autoupdate script.
> > >I just want to confirm if you see any problem with that configuration.
> > >
> > >Thanks.
> > >
> > >
> > >
> > >Rodrigo Scarano
> > >Target Sistemas
> > >http://www.targetsis.com.br/
> > >rscarano@targetsis.com.br
> >
> > --
> > Julian Field
> > www.MailScanner.info
> > Professional Support Services at www.MailScanner.biz
> > MailScanner thanks transtec Computers for their support
--
Denis Beauchemin, analyst
Université de Sherbrooke, S.T.I.
T: 819.821.8000x2252 F: 819.821.8045

From dot at DOTAT.AT Wed Jul 2 14:24:13 2003
From: dot at DOTAT.AT (Tony Finch)
Date: Thu Jan 12 21:18:47 2006
Subject: RES: McAfee Auto Update
In-Reply-To:
References: <5.2.1.1.2.20030630203049.0259aae8@imap.ecs.soton.ac.uk> <006801c33f42$01280fe0$6900000a@targetsis.com.br>
Message-ID:

Julian Field wrote:
>
>The update_virus_scanners script bins all the output as not many people
>want a mail message from cron every hour of every day. It's a fairly simple
>script, so you can always edit it and remove the redirection to /dev/null
>if you like.

The alternate mcafee autoupdate script is silent when it finds out that no dat file update is needed, otherwise it produces informative output (or an error message). So if you run it from cron you'll only be emailed when something interesting happens.

Tony.
--
f.a.n.finch http://dotat.at/
DOGGER: NORTH OR NORTHWEST 5 TO 7 DECREASING 4 OR 5. RAIN AT TIMES. MODERATE OR GOOD.
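
Added example (not part of any poster's message or of the MailScanner distribution): the messages above describe cron jobs that either discard all updater output or mail it only when there is some. The wrapper below goes one step further and also reports a non-zero exit status and the absence of a recent success, so an updater that fails silently is still noticed. The state-file path, the wrapper's install path, the 120-minute limit and the assumption that the updater exits non-zero on failure are all illustrative.

```bash
#!/bin/bash
# Added example: cron wrapper for a virus-signature updater.
# Assumption: the updater exits non-zero when it fails.

# run_update STATE_FILE CMD [ARGS...]
# Runs CMD with stdout and stderr captured. Stays silent when CMD succeeds
# without output; otherwise prints a short report (cron mails whatever a job
# prints). Records the time of the last success by touching STATE_FILE.
# Returns CMD's exit status.
run_update() {
    local state_file="$1"
    shift
    local out status
    # The && / || form keeps a failing CMD from aborting under "set -e".
    out=$("$@" 2>&1) && status=0 || status=$?
    if [ "$status" -eq 0 ]; then
        touch "$state_file"
    fi
    if [ -n "$out" ] || [ "$status" -ne 0 ]; then
        printf 'command: %s\nexit status: %d\n%s\n' "$*" "$status" "$out"
    fi
    return "$status"
}

# update_is_stale STATE_FILE MAX_MINUTES
# Returns 0 (stale) when STATE_FILE is missing or was last touched more than
# MAX_MINUTES ago, 1 when a success was recorded recently.
update_is_stale() {
    local state_file="$1" max_minutes="$2"
    [ -f "$state_file" ] || return 0
    [ -z "$(find "$state_file" -mmin "-$max_minutes" -print)" ]
}

# Script mode: wrapper STATE_FILE MAX_MINUTES CMD [ARGS...]
# Hypothetical crontab entry (wrapper and state-file paths are made up):
# 17,47 * * * * /usr/local/bin/update-wrapper /var/run/mcafee.ok 120 /usr/lib/MailScanner/mcafee-autoupdate
if [ "$#" -ge 3 ]; then
    state_file="$1"
    max_minutes="$2"
    shift 2
    run_update "$state_file" "$@" || true
    if update_is_stale "$state_file" "$max_minutes"; then
        echo "WARNING: no successful update in the last $max_minutes minutes"
    fi
fi
```

Because the state file records the last successful run rather than the last DAT change, an updater that correctly reports "nothing to do" still counts as healthy.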
From gerry at dorfam.ca Wed Jul 2 15:13:48 2003
From: gerry at dorfam.ca (Gerry Doris)
Date: Thu Jan 12 21:18:47 2006
Subject: Mail Delivery Hung
Message-ID: <17834.129.80.22.133.1057155228.squirrel@tiger.dorfam.ca>

Yesterday about 7:00am EST all mail delivery hung. The mail was being saved to mqueue.in but not moved out. I restarted MailScanner several times but that didn't fix it. When restarted the logs would say that MailScanner had found 320 messages waiting and was starting to scan them...then nothing.

I finally just rebooted the system. That fixed it.

This same thing happened about 10 days ago. I've checked all the logs but haven't noticed anything out of the ordinary.

I thought I noticed comments about checks for ClamAV updates sometimes hanging the delivery process??? Could this be the cause? I have both F-Prot and ClamAV installed.

Gerry

From mailscanner at BARENDSE.TO Wed Jul 2 15:14:32 2003
From: mailscanner at BARENDSE.TO (Remco Barendse)
Date: Thu Jan 12 21:18:48 2006
Subject: DSN: Return receipt ??
Message-ID:

I noticed something strange, I use the archive feature to archive all incoming and outgoing e-mail.

In the maillog I noticed a remark about a DSN: Return receipt.

What does the line from maillog mean? Any return receipt did not appear in the mailbox for archived outgoing mail. I use sendmail rules to discard read receipt messages but in this case there is nothing in the maillog that this message or reply was discarded.

Jul 2 15:34:56 linuxgw sendmail[12278]: h62DYuBB012278: from=, size=14109, class=0, nrcpts=1, msgid=<0D563AFDB4B9354E90B235773067ADB009BD1B@meidc01.xxx.local>, proto=ESMTP, daemon=MTA, relay=xxxx [10.1.0.20]
Jul 2 15:34:58 linuxgw sendmail[12285]: h62DYuBB012278: to=jorge, delay=00:00:02, xdelay=00:00:00, mailer=local, pri=121417, dsn=2.0.0, stat=Sent
Jul 2 15:34:58 linuxgw sendmail[12285]: h62DYuBB012278: h62DYwMP012285: DSN: Return receipt

From mailscanner at ecs.soton.ac.uk Wed Jul 2 14:53:15 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:18:48 2006
Subject: RES: McAfee Auto Update
In-Reply-To:
References: <5.2.1.1.2.20030630203049.0259aae8@imap.ecs.soton.ac.uk> <006801c33f42$01280fe0$6900000a@targetsis.com.br>
Message-ID: <5.2.0.9.2.20030702145235.04531fa0@imap.ecs.soton.ac.uk>

At 14:24 02/07/2003, you wrote:
>Julian Field wrote:
> >
> >The update_virus_scanners script bins all the output as not many people
> >want a mail message from cron every hour of every day. It's a fairly simple
> >script, so you can always edit it and remove the redirection to /dev/null
> >if you like.
>
>The alternate mcafee autoupdate script is silent when it finds out that
>no dat file update is needed, otherwise it produces informative output
>(or an error message). So if you run it from cron you'll only be emailed
>when something interesting happens.

Note that Tony's "alternate" script is now the standard one you get in the distribution. It was much cleverer than mine, so I dropped my version.
-- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From Denis.Beauchemin at USHERBROOKE.CA Wed Jul 2 15:25:13 2003 From: Denis.Beauchemin at USHERBROOKE.CA (Denis Beauchemin) Date: Thu Jan 12 21:18:48 2006 Subject: Quick translation request - French In-Reply-To: References: <5.2.1.1.2.20030630215510.02533e60@imap.ecs.soton.ac.uk> Message-ID: <1057155913.2835.20.camel@dbeauchemin.sti.usherbrooke.ca> Julian, I guess not only Brazilians disagree on translations... 8-) I would rather say: Taille du message trop grande I know it must be too late for the current release but yesterday was our national Holiday and I only read your request this morning. Denis Le mar 01/07/2003 ? 02:38, John Wilcock a ?crit : > On Mon, 30 Jun 2003 21:55:50 +0100, Julian Field wrote: > > For the max-message-size checking, I need this translating into as many > > languages as possible: > > > > Message is too large > > Taille de message trop grand. > > John. -- Denis Beauchemin, analyste Universit?de Sherbrooke, S.T.I. T: 819.821.8000x2252 F: 819.821.8045 From jim at ENTROPHY-FREE.NET Wed Jul 2 15:13:11 2003 From: jim at ENTROPHY-FREE.NET (Jim Levie) Date: Thu Jan 12 21:18:48 2006 Subject: Sobig.{E,D,EML} not found by Sophos and McAfee In-Reply-To: <3F02A4DD.3090504@bangor.ac.uk> References: <52E50E4D595DDE4D861117A1FB62E79D82089E@bond.ncl.ac.uk> <1057079365.4524.6.camel@wilowisp.dynetics.com> <3F02A4DD.3090504@bangor.ac.uk> Message-ID: <1057155191.30546.5.camel@chaos.entrophy-free.net> On Wed, 2003-07-02 at 04:24, Martin Sapsed wrote: > Jim Levie wrote: > > I'm seeing something similar in that Sophos with the latest IDE's isn't > > catching some variants of SoBig that arrived over the weekend and this > > morning. McAfee is detecting them, so far. The virus isn't reaching my > > users, at least currently, because they are all in a disguised zip file > > and I have a filename rule that disallows '.zi'. 
> > Have you quarantined any and if so, have you sent them to Sophos for > analysis? > Yes I have sent them to Sophos. -- The instructions said to use Windows 98 or better, so I installed RedHat. From jim at ENTROPHY-FREE.NET Wed Jul 2 15:12:26 2003 From: jim at ENTROPHY-FREE.NET (Jim Levie) Date: Thu Jan 12 21:18:48 2006 Subject: MailScanner + Sophos: a serious bug? In-Reply-To: <52E50E4D595DDE4D861117A1FB62E79DBFFBD0@bond.ncl.ac.uk> References: <52E50E4D595DDE4D861117A1FB62E79DBFFBD0@bond.ncl.ac.uk> Message-ID: <1057155146.30546.3.camel@chaos.entrophy-free.net> On Wed, 2003-07-02 at 03:58, Quentin Campbell wrote: > Re. my earlier messages about Sophos sometimes missing Sobig variants in > messages. > > I switched on quarantining of virus containing messages and believe I > can now see what is going on. In fact the problem is not just limited to > Sobig (the most common infection at present) but to Yaha.G as well and > most probably all other viruses. > > It seems that Sophos will not recognise viruses, including at least > Yaha.G and all variants of Sobig, when the message being scanned is a > bounce/error return message which contains the whole of the original > message, including the zipped attachment with the virus/worm in it. > > At this site McAfee but not Sophos recognises the virus in such a > message. > Have you tried scanning the zip file or its contents with Sophos? I'm finding that Sophos, with the latest IDE's, isn't detecting the virus when scanning the zip file or the pif file that contains Sobig. -- The instructions said to use Windows 98 or better, so I installed RedHat. From andersan at LTKALMAR.SE Wed Jul 2 15:27:04 2003 From: andersan at LTKALMAR.SE (Anders Andersson, IT) Date: Thu Jan 12 21:18:48 2006 Subject: OT: RH9 updated perl-TimeDate..... Message-ID: <9F18B7DDBA88E544AB1F1995148916661CE63D@lkl63.ltkalmar.se> HI probably not something to wurry about but how will mailscanner handle updates from RH. 
Guess I could exclude perl* in config but thought that someone prolly could tell me what to do or just not wurry Up2date upgraded perl-TimeDate to 1.1301-5 /Anders From m.sapsed at BANGOR.AC.UK Wed Jul 2 16:19:02 2003 From: m.sapsed at BANGOR.AC.UK (Martin Sapsed) Date: Thu Jan 12 21:18:48 2006 Subject: ANNOUNCE: Version 4.22-4 released References: <5.2.1.1.2.20030701182840.02590538@imap.ecs.soton.ac.uk> Message-ID: <3F02F7E6.1000003@bangor.ac.uk> Julian Field wrote: > G'day! > > I have just posted the new stable release 4.22-4 on the website. Somewhere between 4.14 and the new version the report of viruses found by Sophos changed from stuff like Report: >>> Virus 'W32/Yaha-E' found in file ./h62FAd4X004564/goldfish.gif.pif to stuff like Adroddiad/Report: q216309.exe was infected by W32/Gibe-A Can someone remind me why this was please? (Means I've got to hack my script that works out my stats! :-( ) Cheers, Martin -- Martin Sapsed Information Services "Who do you say I am?" University of Wales, Bangor Jesus of Nazareth From steve.freegard at LBSLTD.CO.UK Wed Jul 2 16:29:20 2003 From: steve.freegard at LBSLTD.CO.UK (Steve Freegard) Date: Thu Jan 12 21:18:48 2006 Subject: ANNOUNCE: Version 4.22-4 released Message-ID: <67D9E7698329D411936E00508B6590B9027739E0@neelix.lbsltd.co.uk> Martin, Have you switched to Sophos-SAVI?? - if so, the output is different. Regards, Steve -----Original Message----- From: Martin Sapsed [mailto:m.sapsed@BANGOR.AC.UK] Sent: 02 July 2003 16:19 To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: ANNOUNCE: Version 4.22-4 released Julian Field wrote: > G'day! > > I have just posted the new stable release 4.22-4 on the website. Somewhere between 4.14 and the new version the report of viruses found by Sophos changed from stuff like Report: >>> Virus 'W32/Yaha-E' found in file ./h62FAd4X004564/goldfish.gif.pif to stuff like Adroddiad/Report: q216309.exe was infected by W32/Gibe-A Can someone remind me why this was please? 
(Means I've got to hack my script that works out my stats! :-( ) Cheers, Martin -- Martin Sapsed Information Services "Who do you say I am?" University of Wales, Bangor Jesus of Nazareth -- This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the sender and delete the message from your mailbox. This footnote also confirms that this email message has been swept by MailScanner (www.mailscanner.info) for the presence of computer viruses. From Antony at SOFT-SOLUTIONS.CO.UK Wed Jul 2 16:33:22 2003 From: Antony at SOFT-SOLUTIONS.CO.UK (Antony Stone) Date: Thu Jan 12 21:18:48 2006 Subject: Silent viruses are silent in logs as well? Message-ID: <200307021534.h62FYTf14221@Beryl.Rockstone.co.uk> Hi all (and Julian in particular :) ) Looking through my syslog files today I found something I think is strange, and I'm not sure whether it qualifies as a bug or a feature of MailScanner :) I use Clam (+ others) for antivirus scanning, and it says "FOUND" whenever a virus is detected. I grepped my syslog messages file for "FOUND" and got 27 entries for today. Then I grepped for the MailScanner message "Virus Scanning: Found" and got 2 responses (both found only 1 virus). It turns out the 2 occurrences of "Virus Scanning: Found 1 viruses" were for viruses which aren't in my "Silent" list - all the other Clam messages were for Sobig, which is listed as silent. Is it correct that a silent virus isn't even reported as Found in the syslogs? I think I'd prefer it if my syslogs told me everything my server had found, even if it doesn't try to bounce back to the (false) sender... Regards, Antony. -- Perfection in design is achieved not when there is nothing left to add, but rather when there is nothing left to take away. 
- Antoine de Saint-Exupery From mailscanner at ecs.soton.ac.uk Wed Jul 2 16:10:03 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:18:48 2006 Subject: OT: RH9 updated perl-TimeDate..... In-Reply-To: <9F18B7DDBA88E544AB1F1995148916661CE63D@lkl63.ltkalmar.se> Message-ID: <5.2.0.9.2.20030702160932.0416dc58@imap.ecs.soton.ac.uk> I haven't come across any nasty happening there except for the glibc upgrade a couple of months ago which stopped various bits of the init.d script from shutting down the processes properly. At 15:27 02/07/2003, you wrote: >HI >probably not something to wurry about but how will mailscanner handle >updates from RH. Guess I could exclude perl* in config but thought that >someone prolly could tell me what to do or just not wurry >Up2date upgraded perl-TimeDate to 1.1301-5 > >/Anders -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Wed Jul 2 16:36:02 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:18:48 2006 Subject: ANNOUNCE: Version 4.22-4 released In-Reply-To: <3F02F7E6.1000003@bangor.ac.uk> References: <5.2.1.1.2.20030701182840.02590538@imap.ecs.soton.ac.uk> Message-ID: <5.2.0.9.2.20030702163456.063864d8@imap.ecs.soton.ac.uk> At 16:19 02/07/2003, you wrote: >Julian Field wrote: >>G'day! >> >>I have just posted the new stable release 4.22-4 on the website. > >Somewhere between 4.14 and the new version the report of viruses found >by Sophos changed from stuff like > >Report: >>> Virus 'W32/Yaha-E' found in file >./h62FAd4X004564/goldfish.gif.pif > >to stuff like > >Adroddiad/Report: q216309.exe was infected by W32/Gibe-A > >Can someone remind me why this was please? (Means I've got to hack my >script that works out my stats! :-( ) Are you using sophossavi instead of sophos now? In which case, it's effectively a different scanner. 
I wrote the output format of sophossavi to be as simple as possible and easy to understand. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From raymond at PROLOCATION.NET Wed Jul 2 16:39:33 2003 From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:18:48 2006 Subject: Silent viruses are silent in logs as well? In-Reply-To: <200307021534.h62FYTf14221@Beryl.Rockstone.co.uk> Message-ID: Hi! > Is it correct that a silent virus isn't even reported as Found in the syslogs? > > I think I'd prefer it if my syslogs told me everything my server had found, > even if it doesn't try to bounce back to the (false) sender... I have this: Jul 2 17:37:49 vmx10 MailScanner[12118]: /var/spool/MailScanner/incoming/12118/h62FbA90013905/your_details.zip->details.pif Infection: W32/Sobig.E@mm Jul 2 17:37:49 vmx10 MailScanner[12118]: Virus Scanning: F-Prot found virus W32/Sobig.E@mm And as you know, i posted my silent list yesterday, this is in my silent list also. So no, i dont think its not reporting those. In my case it certainly is.... Bye, Raymond. From andersan at LTKALMAR.SE Wed Jul 2 16:44:03 2003 From: andersan at LTKALMAR.SE (Anders Andersson, IT) Date: Thu Jan 12 21:18:48 2006 Subject: SV: OT: RH9 updated perl-TimeDate..... Message-ID: <9F18B7DDBA88E544AB1F1995148916661CE63F@lkl63.ltkalmar.se> > -----Ursprungligt meddelande----- > Fr?n: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] > I haven't come across any nasty happening there except for > the glibc upgrade a couple of months ago which stopped > various bits of the init.d script from shutting down the > processes properly. Oki, I wont bother unless anything brakes then :) > > At 15:27 02/07/2003, you wrote: > >HI > >probably not something to wurry about but how will > mailscanner handle > >updates from RH. 
Guess I could exclude perl* in config but > thought that > >someone prolly could tell me what to do or just not wurry Up2date > >upgraded perl-TimeDate to 1.1301-5 > > > >/Anders > > -- > Julian Field > www.MailScanner.info > MailScanner thanks transtec Computers for their support > From Antony at SOFT-SOLUTIONS.CO.UK Wed Jul 2 16:47:23 2003 From: Antony at SOFT-SOLUTIONS.CO.UK (Antony Stone) Date: Thu Jan 12 21:18:48 2006 Subject: Silent viruses are silent in logs as well? In-Reply-To: References: Message-ID: <200307021548.h62FmVf16169@Beryl.Rockstone.co.uk> On Wednesday 02 July 2003 4:39 pm, Raymond Dijkxhoorn wrote: > Hi! > > > Is it correct that a silent virus isn't even reported as Found in the > > syslogs? > > > > I think I'd prefer it if my syslogs told me everything my server had > > found, even if it doesn't try to bounce back to the (false) sender... > > I have this: > > Jul 2 17:37:49 vmx10 MailScanner[12118]: > /var/spool/MailScanner/incoming/12118/h62FbA90013905/your_details.zip->deta >ils.pif Infection: W32/Sobig.E@mm > Jul 2 17:37:49 vmx10 MailScanner[12118]: Virus Scanning: F-Prot found > virus W32/Sobig.E@mm > > And as you know, i posted my silent list yesterday, this is in my silent > list also. So no, i dont think its not reporting those. In my case it > certainly is.... Well, almost... I think if you look for a virus which isn't on your silent list, you will *also* find in the syslog file an entry, after all the antivirus engines have said they found something, saying: Virus Scanning: Found 1 viruses The reason I'm interested in this is that this message only appears once for each mail which is scanned and found to contain a virus - the others (naming the particular antivirus engine which identified the infection) can appear multiple times per message, depending on how many antivirus engines you use, and also vary a bit in syntax between the different engines. 
I'm trying to get a consistent way to track the effectiveness of the
antivirus checking system, which will work across several servers which use
different vendors' antivirus engines (but which all use MailScanner).

Antony.

--
How I want a drink, alcoholic of course, after the heavy chapters involving
quantum mechanics.

 - 3.14159265358979

From sw at INTERNETX.DE Wed Jul 2 16:38:04 2003
From: sw at INTERNETX.DE (Sebastian Wiesinger)
Date: Thu Jan 12 21:18:48 2006
Subject: DSN: Return receipt ??
In-Reply-To:
References:
Message-ID: <20030702153804.GA15524@internetx.de>

* Remco Barendse [2003-07-02 16:15]:
> In the maillog I noticed a remark about a DSN: Return receipt.
>
> What does the line from maillog mean? Any return receipt did not appear in
> the mailbox for archived outgoing mail.

If a user adds a "Return-Receipt-To: " header to his/her mail, sendmail
will deliver a receipt upon successful delivery of the mail. You can
deactivate this feature with the following option in your sendmail.mc:

define(`confPRIVACY_FLAGS', `noreceipts')dnl

From the sendmail operation guide:

#v+
public          Allow open access
needmailhelo    Insist on HELO or EHLO command before MAIL
needexpnhelo    Insist on HELO or EHLO command before EXPN
noexpn          Disallow EXPN entirely, implies noverb.
needvrfyhelo    Insist on HELO or EHLO command before VRFY
novrfy          Disallow VRFY entirely
noetrn          Disallow ETRN entirely
noverb          Disallow VERB entirely
restrictmailq   Restrict mailq command
restrictqrun    Restrict -q command line flag
restrictexpand  Restrict -bv and -v command line flags
noreceipts      Don't return success DSNs20
nobodyreturn    Don't return the body of a message with DSNs
goaway          Disallow essentially all SMTP status queries
authwarnings    Put X-Authentication-Warning: headers in messages
                and log warnings
#v-

I prefer the following line:

define(`confPRIVACY_FLAGS', `goaway,noreceipts,restrictqrun,restrictexpand')dnl

> I use sendmail rules to discard read receipt messages but in this case
> there is nothing in the maillog that this message or reply was discarded.

I don't know what rules you use for discarding, but the configuration
option above is the right way to deactivate the DSN2.x.x messages.

For more info about the privacy options, see the sendmail installation
and operation guide (op/op.txt.gz).

--
InterNetX GmbH
Sebastian Wiesinger
System Administration

eMail: sw@internetx.de

From mailscanner at ecs.soton.ac.uk Wed Jul 2 17:27:00 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:18:48 2006
Subject: Silent viruses are silent in logs as well?
In-Reply-To: <200307021548.h62FmVf16169@Beryl.Rockstone.co.uk>
References:
Message-ID: <5.2.0.9.2.20030702172611.03ffb2f8@imap.ecs.soton.ac.uk>

At 16:47 02/07/2003, you wrote:
>I'm trying to get a consistent way to track the effectiveness of the
>antivirus checking system, which will work across several servers which use
>different vendors' antivirus engines (but which all use MailScanner).

Look for the syslog entries that are actually the output from each virus
scanner. They are usually easy to find. Don't rely on any other stats, the
actual virus scanner reports will tell you everything that it finds.
-- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From jase at SENSIS.COM Wed Jul 2 17:31:34 2003 From: jase at SENSIS.COM (Desai, Jason) Date: Thu Jan 12 21:18:48 2006 Subject: SpamAssassin -D?? Message-ID: I think you need to use sample-spam.txt as input with a "<" like this: spamassassin -D < /usr/share/doc/spamassassin-2.55/sample-spam.txt Jason > -----Original Message----- > From: Remco Barendse [mailto:mailscanner@BARENDSE.TO] > Sent: Wednesday, July 02, 2003 4:32 AM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: [MAILSCANNER] SpamAssassin -D?? > > > I would like to see why DCC isn't working with SpamAssassin so I tried > running it in debug mode. > > I tried : > spamassassin -D /usr/share/doc/spamassassin-2.55/sample-spam.txt > > > which just makes spamassassin to hang forever and display no output > whatsoever. This is a RedHat 8.0 box with SpamAssassin 2.55-2 > > Ideas anyone? > > Thanks! > Remco > From Antony at SOFT-SOLUTIONS.CO.UK Wed Jul 2 17:40:14 2003 From: Antony at SOFT-SOLUTIONS.CO.UK (Antony Stone) Date: Thu Jan 12 21:18:48 2006 Subject: Silent viruses are silent in logs as well? In-Reply-To: <5.2.0.9.2.20030702172611.03ffb2f8@imap.ecs.soton.ac.uk> References: <5.2.0.9.2.20030702172611.03ffb2f8@imap.ecs.soton.ac.uk> Message-ID: <200307021641.h62GfMf23116@Beryl.Rockstone.co.uk> On Wednesday 02 July 2003 5:27 pm, Julian Field wrote: > At 16:47 02/07/2003, you wrote: > >I'm trying to get a consistent way to track the effectiveness of the > >antivirus checking system, which will work across several servers which > > use different vendors' antivirus engines (but which all use MailScanner). > > Look for the syslog entries that are actually the output from each virus > scanner. They are usually easy to find. Don't rely on any other stats, the > actual virus scanner reports will tell you everything that it finds. 
Unfortunately that means a variable number of reports per infected email (eg one virus might be picked up by one antivirus engine, another might be picked up by another, or by both, etc). This makes it difficult to get a reliable number of "how many emails containing viruses did we block today?" Just out of interest, have I made an accurate diagnosis that viruses which are not on the Silent list will result in the "Virus Scanning: Found n viruses", and viruses which are on the list will not, or is the rule more complicated than this? Antony. -- In science, one tries to tell people in such a way as to be understood by everyone something that no-one ever knew before. In poetry, it is the exact opposite. - Paul Dirac From m.sapsed at BANGOR.AC.UK Wed Jul 2 18:02:26 2003 From: m.sapsed at BANGOR.AC.UK (Martin Sapsed) Date: Thu Jan 12 21:18:48 2006 Subject: ANNOUNCE: Version 4.22-4 released References: <5.2.1.1.2.20030701182840.02590538@imap.ecs.soton.ac.uk> <5.2.0.9.2.20030702163456.063864d8@imap.ecs.soton.ac.uk> Message-ID: <3F031022.2090909@bangor.ac.uk> Julian Field wrote: > At 16:19 02/07/2003, you wrote: >> Somewhere between 4.14 and the new version the report of viruses found >> by Sophos changed from stuff like >> >> Report: >>> Virus 'W32/Yaha-E' found in file >> ./h62FAd4X004564/goldfish.gif.pif >> >> to stuff like >> >> Adroddiad/Report: q216309.exe was infected by W32/Gibe-A >> >> Can someone remind me why this was please? (Means I've got to hack my >> script that works out my stats! :-( ) > > Are you using sophossavi instead of sophos now? In which case, it's > effectively a different scanner. > I wrote the output format of sophossavi to be as simple as possible and > easy to understand. DOH! Thanks to Steve F and Julian (Steve first with a reply by a short head!) I am using sophossavi on the box I test things out on but still using ordinary Sophos on the production mail hubs, from which I get most of the reports. 
Is the concensus still that SophosSAVI is sound (on Solaris) and worth switching to? Cheers, Martin -- Martin Sapsed Information Services "Who do you say I am?" University of Wales, Bangor Jesus of Nazareth From nicholas_esborn at AFFYMETRIX.COM Wed Jul 2 18:07:44 2003 From: nicholas_esborn at AFFYMETRIX.COM (Nicholas Esborn) Date: Thu Jan 12 21:18:48 2006 Subject: Collection of all MailScanner contrib software? Message-ID: <20030702170744.GA1587@affymetrix.com> Hello, I was wondering if there was any definitive location to find all the various contributed monitoring and log analysis tools? I looked on the MailScanner page, but only found mailscanner-mrtg. Thanks -nick -- Nicholas Esborn Affymetrix, Inc. 510/428.8505 Every message PGP signed Include the word URGENT in your Subject to page me -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 187 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030702/a39a3282/attachment.bin From dh at UPTIME.AT Wed Jul 2 18:11:52 2003 From: dh at UPTIME.AT (David) Date: Thu Jan 12 21:18:48 2006 Subject: ANNOUNCE: Version 4.22-4 released In-Reply-To: <3F031022.2090909@bangor.ac.uk> Message-ID: <467569AB-ACB0-11D7-94B4-000393920D6C@uptime.at> On Mittwoch, Juli 2, 2003, at 07:02 Uhr, Martin Sapsed wrote: > > I am using sophossavi on the box I test things out on but still using > ordinary Sophos on the production mail hubs, from which I get most of > the reports. > > Is the concensus still that SophosSAVI is sound (on Solaris) and worth > switching to? > Well I can only speak for Alphas + Linux. Then it sometimes bombs out and shows rather weird behaviour. 
I have not had time yet to track it down ;) -----BEGIN GEEK CODE BLOCK----- Version: 3.12 GCC d+ s: a-- C+ UB++++ P+ L++ E--- W N+ o+++ K w-- O M+ V++ PS PE Y++ PGP++++ t+ 5 X- R+ tv-- b++++ DI D+ G e++++ h+ r++ y++ ------END GEEK CODE BLOCK------ -------------- next part -------------- A non-text attachment was scrubbed... Name: PGP.sig Type: application/pgp-signature Size: 186 bytes Desc: This is a digitally signed message part Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030702/9d011430/PGP.bin From nwp at LEMON-COMPUTING.COM Wed Jul 2 12:23:51 2003 From: nwp at LEMON-COMPUTING.COM (Nick Phillips) Date: Thu Jan 12 21:18:48 2006 Subject: Long delay in sending mail In-Reply-To: References: Message-ID: <20030702112351.GJ29971@hoiho.nz.lemon-computing.com> On Tue, Jul 01, 2003 at 12:45:23PM -0500, rgrignon@INPHACT.COM wrote: > I've noticed that the delays consistently happen between the top of the hour > and last for 15minutes other than that the mail is delivered in realtime... Hmmm... if you change the update cron job to run at quarter past the hour, does the delay move with it? 15 minutes sounds like about the right amount of time for a TCP connection to time out. If that's happening during the update, mailscanner will not be processing for 15 minutes while the update is waiting to time out. Cheers, Nick -- Nick Phillips -- nwp@lemon-computing.com What happened last night can happen again. From Jan-Peter.Koopmann at SECEIDOS.DE Wed Jul 2 18:16:16 2003 From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann) Date: Thu Jan 12 21:18:48 2006 Subject: ANNOUNCE: Version 4.22-4 released Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi Marco, > Is there an easy way to upgrade MailScanner on FreeBSD? I hope I will have the new port ready tomorrow evening. The port will use Julians config-file upgrade-script automaticall. Regards, JP PS: I have no clue how long it will take the FreeBSD port maintainers to commit the port. 
It will be downloadable at the usual place though. -----BEGIN PGP SIGNATURE----- Version: PGP 8.0.2 iQA/AwUBPwMTVcljry2L+pqYEQLcMwCfSuNQxByoxVdFnZ2UCzlG6rZ46gsAoNv6 OYtoFdGSJvYjUlZlGUkdXKck =wEEp -----END PGP SIGNATURE----- From mailscanner at BARENDSE.TO Wed Jul 2 18:35:05 2003 From: mailscanner at BARENDSE.TO (Remco Barendse) Date: Thu Jan 12 21:18:48 2006 Subject: DSN: Return receipt ?? In-Reply-To: <20030702153804.GA15524@internetx.de> Message-ID: This is great, this is what I've been looking for for a long time :) :) Will this also block the read/not read messages? The problem I had was that I'm using Exchange as the mail server, this linux box is only relaying mail to/from the internet <-> exchange server. Will the sendmail setting also work in this case where M$ Exchange is gererating these annoying status messages that can't be disabled? On Wed, 2 Jul 2003, Sebastian Wiesinger wrote: > * Remco Barendse [2003-07-02 16:15]: > > In the maillog I noticed a remark about a DSN: Return receipt. > > > > What does the line from maillog mean? Any return receipt did not appear in > > the mailbox for archived outgoing mail. > > If a user adds a "Return-Receipt-To: " header to his/her > mail, sendmail will deliver an receipt upon successful delivery of the > mail. You can deactivate this feature with the following option in > your sendmail.mc: > > define(`confPRIVACY_FLAGS', `noreceipts')dnl > > >From the sendmail operation guide: > #v+ > public Allow open access > needmailhelo Insist on HELO or EHLO command before MAIL > needexpnhelo Insist on HELO or EHLO command before EXPN > noexpn Disallow EXPN entirely, implies noverb. 
> needvrfyhelo Insist on HELO or EHLO command before VRFY > novrfy Disallow VRFY entirely > noetrn Disallow ETRN entirely > noverb Disallow VERB entirely > restrictmailq Restrict mailq command > restrictqrun Restrict -q command line flag > restrictexpand Restrict -bv and -v command line flags > noreceipts Don't return success DSNs20 > nobodyreturn Don't return the body of a message with DSNs > goaway Disallow essentially all SMTP status queries > authwarnings Put X-Authentication-Warning: headers in messages > and log warnings > #v- > > I prefer the following line: > > define(`confPRIVACY_FLAGS', `goaway,noreceipts,restrictqrun,restrictexpand')dnl > > > I use sendmail rules to discard read receipt messages but in this case > > there is nothing in the maillog that this message or reply was discarded. > > I don't know what rules you use for discarding, but the configuration > option above is the right way to deactivate the DSN2.x.x messages. > > For more info about the privacy options, see the sendmail installation > and operation guide (op/op.txt.gz). > > -- > InterNetX GmbH > Sebastian Wiesinger > System Administration > > eMail: sw@internetx.de > From mailscanner at ecs.soton.ac.uk Wed Jul 2 19:19:16 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:18:48 2006 Subject: Collection of all MailScanner contrib software? In-Reply-To: <20030702170744.GA1587@affymetrix.com> Message-ID: <5.2.1.1.2.20030702191810.02402cc0@imap.ecs.soton.ac.uk> If everyone who has developed or is developing contrib software for it contacts me with a brief description and a link, I will build a web page listing them all. At 18:07 02/07/2003, you wrote: >Hello, > >I was wondering if there was any definitive location to find all the >various contributed monitoring and log analysis tools? I looked on >the MailScanner page, but only found mailscanner-mrtg. > >Thanks > >-nick > >-- >Nicholas Esborn >Affymetrix, Inc. 
> >510/428.8505 > >Every message PGP signed > >Include the word URGENT in your Subject to page me -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support From mailscanner at BARENDSE.TO Wed Jul 2 19:38:30 2003 From: mailscanner at BARENDSE.TO (Remco Barendse) Date: Thu Jan 12 21:18:48 2006 Subject: SpamAssassin -D?? In-Reply-To: Message-ID: Oops! That's a *VERY* dumb mistake I made, thanks for your input :) Works like a charm now. On Wed, 2 Jul 2003, Desai, Jason wrote: > I think you need to use sample-spam.txt as input with a "<" like this: > > spamassassin -D < /usr/share/doc/spamassassin-2.55/sample-spam.txt > > Jason > > > -----Original Message----- > > From: Remco Barendse [mailto:mailscanner@BARENDSE.TO] > > Sent: Wednesday, July 02, 2003 4:32 AM > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: [MAILSCANNER] SpamAssassin -D?? > > > > > > I would like to see why DCC isn't working with SpamAssassin so I tried > > running it in debug mode. > > > > I tried : > > spamassassin -D /usr/share/doc/spamassassin-2.55/sample-spam.txt > > > > > > which just makes spamassassin to hang forever and display no output > > whatsoever. This is a RedHat 8.0 box with SpamAssassin 2.55-2 > > > > Ideas anyone? > > > > Thanks! > > Remco > > > From mbowman at UDCOM.COM Wed Jul 2 19:38:19 2003 From: mbowman at UDCOM.COM (Matthew Bowman) Date: Thu Jan 12 21:18:48 2006 Subject: Error in maillog after upgrade Message-ID: Hello Just upgraded MailScanner to 4.22-4 and SpamAssassin to 2.55 on a RH 7.3 box My /var/log/maillog reports Jul 2 14:35:35 smithers MailScanner[28385]: Looked up unknown string spamassassin in language translation file /etc/MailScanner/reports/en/languages.conf Any ideas why? 
Thanks

---
Matthew K Bowman
Systems Administrator, UDCom

From dot at DOTAT.AT Wed Jul 2 19:32:30 2003
From: dot at DOTAT.AT (Tony Finch)
Date: Thu Jan 12 21:18:48 2006
Subject: mcafee-autoupdate patch -- Tony Finch r-u-there?
In-Reply-To:
Message-ID:

Mariano Absatz wrote:
>
>Tony, would you care to incorporate it (or suggest a modification, maybe
>another different command line option)?

I wasn't particularly keen on the feature since it can be implemented
with a trivial shell script -- you could even fit it in the crontab
itself. But anyway, I was bored this afternoon, so I did some polishing
of my script...

Tony.
--
f.a.n.finch http://dotat.at/
FAIR ISLE FAEROES: NORTHERLY 4 OR 5, OCCASIONALLY 6 IN EAST FAIR ISLE.
OCCASIONAL DRIZZLE. MODERATE OR GOOD.

#!/bin/sh -e
#
# Update the McAfee data files.
#
# $Cambridge: hermes/build/bin/uvscan-update,v 1.24 2003/07/02 18:25:47 fanf2 Exp $

# This is the directory where the uvscan binary is (NOT a symlink to
# the binary), which is where it looks for its dat files. You may run
# uvscan via a symlink to this place (e.g. from /usr/local/bin/uvscan)
# and it will still look for the dat files here. If uvscan's library
# dependencies can be found in a standard place (e.g. /usr/local/lib)
# then you don't need a wrapper script to set LD_LIBRARY_PATH before
# running it.
#
# The dat files are installed in a subdirectory named according to
# their version number, with symlinks from this directory into the
# subdirectory. The links are updated without locking on the
# assumption that this is sufficiently unlikely to cause a problem.
#
LIBDIR=/opt/uvscan

FTPDIR=ftp://ftp.csx.cam.ac.uk/pub/software/antivirus/datfiles/4.x
#FTPDIR=ftp://ftpeur.nai.com/pub/antivirus/datfiles/4.x

# ensure the path is plausible
PATH=$LIBDIR:/usr/local/bin:/usr/bin:/bin
export PATH

# handle the command line
OPTS="$*"
option () {
    case $OPTS in
    -*$1*)  eval $2=yes
    esac
}
case $OPTS in
[!-]*|*[!-frtv]*)
    echo "usage: $0 [-frtv]"
    echo " -f force update"
    echo " -r show README"
    echo " -t timestamp output"
    echo " -v verbose"
    exit 1
    ;;
esac
option f FORCE
option r README
option t TIME
option v VERBOSE

case $FORCE in
yes)    VERBOSE=yes
esac

# wrapper functions for echo etc.
timestamp () {
    case $TIME in
    yes)    date "+%Y-%m-%d %H:%M:%S "
    esac
}
say () {
    case $VERBOSE in
    yes)    echo "`timestamp`$*"
    esac
}
run () {
    say "> $*"
    "$@"
}

say Starting $0

# version number pattern
MATCH="[0-9][0-9][0-9][0-9]"

# work out latest dat version
cd $LIBDIR
CMD="wget --passive-ftp $FTPDIR/update.ini 2>update.err"
say "> $CMD"
if eval "$CMD"
then    VERSION=`cat update.ini | sed "/^DATVersion=\($MATCH\).$/!d;s//\1/;q"`
else    cat update.err
        VERSION=UNKNOWN
fi
run rm -f update.*

DATDIR=$LIBDIR/$VERSION
FILE=dat-$VERSION.tar

badversion () {
    VERBOSE=yes
    say "Failed to get McAfee datfile update from $FTPDIR"
    say "FTP version number \"$VERSION\" $*"
    run exit 1
}

# check the format of the version number
case $VERSION in
$MATCH) : ok
        ;;
*)      badversion does not match "$MATCH"
        ;;
esac

# already got it?
if [ -d $DATDIR ]
then
    case $FORCE in
    yes)    say Forced removal of $DATDIR
            run rm -rf $DATDIR
            ;;
    *)      say Already have "$VERSION"
            run exit 0
            ;;
    esac
fi

# work out installed dat version
run cd $LIBDIR
if ls -d $MATCH >/dev/null 2>&1
then    INSTALLED=`ls -d $MATCH | tail -1`
else    # no installed version so get whatever is available
        INSTALLED=0000
fi

# check new version is actually newer
if [ $VERSION -lt $INSTALLED ]
then    badversion older than installed "$INSTALLED"
fi

VERBOSE=yes
say Installed dat file is "$INSTALLED"
say Latest dat file is "$VERSION"

# fetch and extract dat files
run mkdir $DATDIR
run cd $DATDIR
run wget --passive-ftp --progress=dot:mega $FTPDIR/$FILE
run tar xvf $FILE

# verify the contents
fail () {
    trap EXIT
    echo "$OUT"
    say Test run failed -- removing bad McAfee data files
    run rm -rf $DATDIR
    run exit 1
}
trap fail EXIT
CMD="uvscan --dat $DATDIR --version 2>&1"
say "> $CMD"
# eval so that the 2>&1 stored in $CMD is applied as a redirection
# (as for the wget command above) instead of being passed as an argument
OUT=`eval "$CMD"`
case "$OUT" in
*"Missing or invalid DAT"* | \
*"Data file not found"* | \
*"Removal datafile clean.dat not found"* | \
*"Unable to remove viruses"* )
    fail
    ;;
esac
trap EXIT
echo "$OUT"
say Update OK

run cd $DATDIR

# show information on this update?
case $README in
yes)    run sed 's/[[:cntrl:]]//g
            1,/^NEW VIRUSES DETECTED/d
            /^UNDERSTANDING VIRUS NAMES/,$d
            s/^/# /' readme.txt
esac

# remove some crap
run rm -f *.diz *.exe *.ini *.lst *.tar *.txt

# change the current dat file links
for file in *.dat
do      run rm -f ../$file
        run ln -s $VERSION/$file ..
done

say Completed OK
run exit 0

# done

From Cleveland at MAIL.WINNEFOX.ORG Wed Jul 2 19:47:32 2003
From: Cleveland at MAIL.WINNEFOX.ORG (Jody Cleveland)
Date: Thu Jan 12 21:18:48 2006
Subject: Announce: MailWatch for MailScanner 0.2 (was MailScanner-Con sole )
Message-ID: <84CFA712F666B44A94CE6BE116BAF4B0B4EB4B@mail.winnefox.org>

Hello,

I'm just finishing up the installation of this, and in your install file, I
noticed:

I only use SophosSAVI and ClamAV as virus scanners, so if you have a
different set-up, you will need to change the VIRUS_REGEX constant to match
the output of your scanner.

I use f-prot. Anyone know what I need to change?

--
Jody Cleveland
(cleveland@mail.winnefox.org)

-----Original Message-----
From: Steve Freegard [mailto:steve.freegard@LBSLTD.CO.UK]
Sent: Monday, June 16, 2003 12:10 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Announce: MailWatch for MailScanner 0.2 (was MailScanner-Console )

Hi All,

I've just uploaded a new version to http://www.smf.f2s.com/mailscanner/ -
see the Change Log for the details.

From raymond at PROLOCATION.NET Wed Jul 2 19:57:09 2003
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:18:48 2006
Subject: Error in maillog after upgrade
In-Reply-To:
Message-ID:

Hi!

> Jul 2 14:35:35 smithers MailScanner[28385]: Looked up unknown string
> spamassassin in language translation file
> /etc/MailScanner/reports/en/languages.conf

Do you have a .rpmnew version in that dir also perhaps ?

Bye,
Raymond.
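Added example (not part of any post in this archive and not MailScanner code): the "Silent viruses are silent in logs as well?" thread above asks how to count infected messages per day when every engine logs its own lines. This Python example de-duplicates the per-file scanner lines by queue ID, so the count does not depend on the "Virus Scanning: Found n viruses" summary line. The log lines are constructed from the F-Prot and Sophos formats quoted in the thread; the syslog prefix on the Sophos lines, the queue ID `h63EXAMPLE00001` and all function names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: syslog lines modelled on the F-Prot and Sophos per-file
# formats quoted in the thread. Queue ID h63EXAMPLE00001 is made up.
SAMPLE_LOG = """\
Jul  2 17:37:49 vmx10 MailScanner[12118]: /var/spool/MailScanner/incoming/12118/h62FbA90013905/your_details.zip->details.pif Infection: W32/Sobig.E@mm
Jul  2 17:37:49 vmx10 MailScanner[12118]: Virus Scanning: F-Prot found virus W32/Sobig.E@mm
Jul  2 17:37:50 vmx10 MailScanner[12118]: >>> Virus 'W32/Sobig-E' found in file ./h62FbA90013905/your_details.zip
Jul  2 17:40:02 vmx10 MailScanner[12118]: >>> Virus 'W32/Yaha-E' found in file ./h62FAd4X004564/goldfish.gif.pif
Jul  2 17:40:02 vmx10 MailScanner[12118]: Virus Scanning: Found 1 viruses
Jul  3 09:15:11 vmx10 MailScanner[12130]: /var/spool/MailScanner/incoming/12130/h63EXAMPLE00001/a.zip->a.pif Infection: W32/Sobig.E@mm
Jul  3 09:15:11 vmx10 MailScanner[12130]: /var/spool/MailScanner/incoming/12130/h63EXAMPLE00001/b.zip->b.pif Infection: W32/Sobig.E@mm
"""

# Syslog prefix: "Mon DD HH:MM:SS host MailScanner[pid]: <scanner output>"
SYSLOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+\d\d:\d\d:\d\d\s+\S+\s+"
    r"MailScanner\[\d+\]:\s+(?P<msg>.*)$"
)

# Per-file scanner output, one pattern per engine. Only the two formats quoted
# in the thread are covered; any other engine needs its own entry here.
ENGINE_PATTERNS = {
    "f-prot": re.compile(r"^(?P<path>\S+)\s+Infection:\s+(?P<virus>\S+)"),
    "sophos": re.compile(r"^>>> Virus '(?P<virus>[^']+)' found in file (?P<path>\S+)"),
}

# Assumption: the queue ID is the directory holding the unpacked message,
# either "./<qid>/..." or ".../incoming/<pid>/<qid>/...", as in both samples.
QUEUE_ID_RE = re.compile(r"(?:^\./|/incoming/\d+/)(?P<qid>[^/]+)/")


def parse_line(line):
    """Return (day, queue_id, engine, virus) for a per-file detection, else None."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    for engine, pattern in ENGINE_PATTERNS.items():
        hit = pattern.match(m.group("msg"))
        if not hit:
            continue
        qid = QUEUE_ID_RE.search(hit.group("path"))
        if qid:
            day = (m.group("mon"), int(m.group("day")))
            return day, qid.group("qid"), engine, hit.group("virus")
    return None  # summary lines ("Virus Scanning: ...") and other noise


def detections_by_message(lines):
    """Map day -> queue ID -> set of (engine, virus) reported for that message."""
    result = defaultdict(lambda: defaultdict(set))
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            day, qid, engine, virus = parsed
            result[day][qid].add((engine, virus))
    return result


def infected_messages_per_day(lines):
    """One count per message, however many engines or attachments matched."""
    return {day: len(msgs) for day, msgs in detections_by_message(lines).items()}


def messages_caught_per_engine(lines):
    """Distinct messages flagged by each engine, for comparing engines."""
    caught = defaultdict(set)
    for day, msgs in detections_by_message(lines).items():
        for qid, hits in msgs.items():
            for engine, _virus in hits:
                caught[engine].add((day, qid))
    return {engine: len(ids) for engine, ids in caught.items()}


if __name__ == "__main__":
    sample = SAMPLE_LOG.splitlines()
    for day, count in sorted(infected_messages_per_day(sample).items()):
        print("%s %2d: %d infected message(s)" % (day[0], day[1], count))
    print(messages_caught_per_engine(sample))
```

Because engines name the same virus differently, the count is keyed on the queue ID alone and the virus names are kept only as detail per message.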
From kevins at BMRB.CO.UK Wed Jul 2 19:58:27 2003 From: kevins at BMRB.CO.UK (Kevin Spicer) Date: Thu Jan 12 21:18:48 2006 Subject: Error in maillog after upgrade In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB001175C4A@pascal.priv.bmrb.co.uk> References: <5C0296D26910694BB9A9BBFC577E7AB001175C4A@pascal.priv.bmrb.co.uk> Message-ID: <1057172311.29590.8.camel@bach.kevinspicer.co.uk> >Jul 2 14:35:35 smithers MailScanner[28385]: Looked up unknown string >spamassassin in language translation file >/etc/MailScanner/reports/en/languages.conf >Any ideas why? You don't happen to have a languages.conf.rpmnew file kicking about do you? BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. From mbowman at UDCOM.COM Wed Jul 2 19:57:14 2003 From: mbowman at UDCOM.COM (Matthew Bowman) Date: Thu Jan 12 21:18:48 2006 Subject: Error in maillog after upgrade Message-ID: No, I renamed the .rpmnew to languages.conf before I restarted MailScanner However having stopped MailScanner again and did a killall on any rogue processes and restarted MailScanner cleanly (again) it is now working. Thanks anyway. Matthew Raymond Dijkxhoorn Sent by: MailScanner mailing list 07/02/2003 02:57 PM Please respond to MailScanner mailing list To: MAILSCANNER@JISCMAIL.AC.UK cc: Subject: Re: Error in maillog after upgrade Hi! 
> Jul 2 14:35:35 smithers MailScanner[28385]: Looked up unknown string > spamassassin in language translation file > /etc/MailScanner/reports/en/languages.conf Do you have a .rpmnew version in that dir also perhaps ? Bye, Raymond. From mailscanner at LISTS.COM.AR Wed Jul 2 22:08:23 2003 From: mailscanner at LISTS.COM.AR (Mariano Absatz) Date: Thu Jan 12 21:18:48 2006 Subject: mcafee-autoupdate patch -- Tony Finch r-u-there? In-Reply-To: References: Message-ID: <3F031F97.28102.AE51868@localhost> COOL, TONY!!! It is like asking if you could add a cassette player to my car-stereo and getting a full CD-Changer :-D I love "-r"... I think I'm going "-vtr", and I'll be able to report since when a customer is protected from worm X. BTW, I see you use ftp://ftp.csx.cam.ac.uk/pub/software/antivirus/datfiles/4.x and Julian seems to prefer ftp://ftpeur.nai.com/pub/antivirus/datfiles/4.x The former seems to be more British, whereas the latter looks more European :-) Now, being in SouthAmerica and topologicaly much closer from the USA than from Europe or the UK, which site do you recommend for updates? Thanx a lot! El 2 Jul 2003 a las 19:32, Tony Finch escribi?: > Mariano Absatz wrote: > > > >Tony, would you care to incorporate it (or suggest a modification, maybe > >another different command line option)? > > I wasn't particularly keen on the feature since it can be implemented > with a trivial shell script -- you could even fit it in the crontab > itself. But anyway, I was bored this afternoon, so I did some polishing > of my script... > > Tony. -- Mariano Absatz El Baby ---------------------------------------------------------- Sarcasm is just one more service we offer. From Kevin_Miller at CI.JUNEAU.AK.US Wed Jul 2 22:14:56 2003 From: Kevin_Miller at CI.JUNEAU.AK.US (Kevin Miller) Date: Thu Jan 12 21:18:48 2006 Subject: DSN: Return receipt ?? 
Message-ID: <08146035CA49D6119A36009027AC822A0264E464@CITY-EXCH-NTS>

>-----Original Message-----
>From: Remco Barendse [mailto:mailscanner@BARENDSE.TO]
>
>This is great, this is what I've been looking for for a long time :) :)
>
>Will this also block the read/not read messages?
>
>The problem I had was that I'm using Exchange as the mail server, this
>linux box is only relaying mail to/from the internet <->
>exchange server.
>
>Will the sendmail setting also work in this case where M$ Exchange is
>generating these annoying status messages that can't be disabled?

Go into the IMS configuration area in Exchange Administrator, select the Internet Mail tab, then Advanced Options. You can disable Out of Office responses and Automatic Responses to the Internet. Hopefully the latter will put the kiebosh on what you're looking to kiebosh. I squelch the out of office replies, but not the Automatic responses. I'll be interested to see how that works for you. Might want to turn those off myself...

...Kevin
-------------------
Kevin Miller Registered Linux User No: 307357
CBJ MIS Dept. Network Systems Administrator, Mail Administrator
155 South Seward Street ph: (907) 586-0242
Juneau, Alaska 99801 fax: (907 586-4500

From dot at DOTAT.AT Wed Jul 2 23:04:43 2003
From: dot at DOTAT.AT (Tony Finch)
Date: Thu Jan 12 21:18:48 2006
Subject: mcafee-autoupdate patch -- Tony Finch r-u-there?
In-Reply-To:
References:
Message-ID:

Mariano Absatz wrote:
>
>BTW, I see you use
>ftp://ftp.csx.cam.ac.uk/pub/software/antivirus/datfiles/4.x and Julian seems
>to prefer ftp://ftpeur.nai.com/pub/antivirus/datfiles/4.x
>
>The former seems to be more British, whereas the latter looks more European :-)

Well, I use the former because it's about 10 feet away from my servers. The latter URL is more official -- I should perhaps have done a little editing before sending the script out.

>Now, being in SouthAmerica and topologically much closer from the USA than
>from Europe or the UK, which site do you recommend for updates?

Probably ftp.nai.com or ftpeur.nai.com, depending on how busy the servers are and the state of the network between them and you.

Tony.
--
f.a.n.finch http://dotat.at/
CROMARTY: NORTHWEST 5 OR 6, OCCASIONALLY 4 IN WEST. OCCASIONAL RAIN. MODERATE OR GOOD.

From Kevin_Miller at CI.JUNEAU.AK.US Wed Jul 2 23:33:58 2003
From: Kevin_Miller at CI.JUNEAU.AK.US (Kevin Miller)
Date: Thu Jan 12 21:18:48 2006
Subject: MailScanner 101, take two.
Message-ID: <08146035CA49D6119A36009027AC822A0264E468@CITY-EXCH-NTS>

A couple months ago, I set up MailScanner and we're currently using it quite successfully. In the process however, I did a lot of headscratching and typically (for me anyway) with new projects I can't see the forest for the trees when I begin. Consequently, I don't think I have the critter installed as optimally as I might. Since it's in production, I can't really tinker too much.

But all's not lost. I grabbed a currently unused Dell 450, and am building a secondary mail server with it. I've also been reading the mailing list for the past month and a half or so, which has been an eye opener!

Last time I had a time constraint to get something up and running. This time I can relax, take a deep breath, and go about the process in an orderly manner. So, here's the particulars: I'm running on SuSE 8.0 with sendmail. The SuSE updates have been applied, but it's basically a vanilla box at the moment. I'll be loading the current stable versions of:

MailScanner
Spamassassin
Webmin
MailScanner-mrtg or mailstats (or both) Probably go to mailstats.
Antivirus

Starting with MailScanner, which is the better way to go, rpm or tar? I'm usually a bit leery of rpms on SuSE as they're often written for Redhat, and do things a bit differently on SuSE (or is it SuSE does things a bit differently ), thus I end up doing a tarball anyway. But they're great when they work. So, how does the rpm pan out on SuSE 8.0/sendmail?

If rpm is the way to go, I presume the perl patches are included (previous emails to this list indicated that was the case).

Does the rpm load spamassassin as part of its processing or do I have to load that after the fact (or before)? I don't see it referenced in the instructions for either the tarball or the rpm though I see there's a page about it at http://www.sng.ecs.soton.ac.uk/mailscanner/install/spamassassin.shtml. This references 2.6 - I'll be going with 2.55 and leave the bleeding edge to others. Are there any significant differences if I follow those instructions with the 2.55 version?

If it's not loaded/installed by the MailScanner scripts, should I install it before or after MailScanner?

The last go-round, I think I did the tarballs, including installing spamassassin from a tarball. When I was trying to get Razor2 going, I downloaded some perl stuff from CPAN which either the spamassassin site or the Razor site said I needed, which made my system sort of grumpy. Said modules weren't installed that were, or version errors or some such. It's been several weeks since I've been able to play w/it, so I can't remember the specifics. Instead, I just wiped the machine, and reinstalled and figured it was better to do it right rather than try to fix what I probably hosed last time. Thus this tome.

For the antivirus I got a copy of F-Prot, but then they changed the license. Aargh. A grand more to do the same thing. So I'm looking at a different antivirus solution now, probably RAV. I don't mind paying for support/updates and I thought the original $300 F-prot cost was quite reasonable, but the new scheme isn't exactly competitive. Does RAV auto update both the signatures and the program? I want something I can put in and ignore until it's time to send 'em another check in a year. A friend is using Sophos, and he says he has to put in a new user license quarterly or some such. Life's too short for that. All the docs seem to refer to installing Sophos as a step however. Can I presume that I can substitute whatever flavor of antivirus there and *not* have to install Sophos?

Some of these probably seem like dumb questions to a bunch of you, but they're not particularly clear to us folks that are a bit newer to the joys of Linux. Your patience and indulgence are appreciated. I'll probably have more a couple of steps into the process.

TIA. I don't usually reply to replies for past requests for help, as I don't want to clutter the list so I'll say in advance that I appreciate the help...

...Kevin
-------------------
Kevin Miller Registered Linux User No: 307357
CBJ MIS Dept. Network Systems Administrator, Mail Administrator
155 South Seward Street ph: (907) 586-0242
Juneau, Alaska 99801 fax: (907 586-4500

From raymond at PROLOCATION.NET Wed Jul 2 23:39:31 2003
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:18:48 2006
Subject: MailScanner 101, take two.
In-Reply-To: <08146035CA49D6119A36009027AC822A0264E468@CITY-EXCH-NTS>
Message-ID:

Hi!

> For the antivirus I got a copy of F-Prot, but then they changed the license.
> Aargh. A grand more to do the same thing. So I'm looking at a different
> antivirus solution now, probably RAV. I don't mind paying for
> support/updates and I thought the original $300 F-prot cost was quite
> reasonable, but the new scheme isn't exactly competitive. Does RAV auto
> update both the signatures and the program? I want something I can put in

RAV is bought by Micro$oft and development is stopped on that one, i am not sure if you even can buy new ones, i think not (*nix)

You could also try kasperski ...

Bye,
Raymond.

From Kevin_Miller at CI.JUNEAU.AK.US Wed Jul 2 23:53:23 2003
From: Kevin_Miller at CI.JUNEAU.AK.US (Kevin Miller)
Date: Thu Jan 12 21:18:48 2006
Subject: MailScanner 101, take two.
Message-ID: <08146035CA49D6119A36009027AC822A0264E469@CITY-EXCH-NTS>

Doh - you're right.
Was just reading that a week or two ago and spaced it right out. Thanks. I'll take a look at Kasperski, et. al...

...Kevin
-------------------
Kevin Miller Registered Linux User No: 307357
CBJ MIS Dept. Network Systems Administrator, Mail Administrator
155 South Seward Street ph: (907) 586-0242
Juneau, Alaska 99801 fax: (907 586-4500

>-----Original Message-----
>From: Raymond Dijkxhoorn [mailto:raymond@PROLOCATION.NET]
>Sent: Wednesday, July 02, 2003 2:40 PM
>To: MAILSCANNER@JISCMAIL.AC.UK
>Subject: Re: MailScanner 101, take two.
>
>
>Hi!
>
>> For the antivirus I got a copy of F-Prot, but then they changed the license.
>> Aargh. A grand more to do the same thing. So I'm looking at a different
>> antivirus solution now, probably RAV. I don't mind paying for
>> support/updates and I thought the original $300 F-prot cost was quite
>> reasonable, but the new scheme isn't exactly competitive. Does RAV auto
>> update both the signatures and the program? I want something I can put in
>
>RAV is bought by Micro$oft and development is stopped on that one, i am
>not sure if you even can buy new ones, i think not (*nix)
>
>You could also try kasperski ...
>
>Bye,
>Raymond.
>

From rscarano at targetsis.com.br Wed Jul 2 23:54:47 2003
From: rscarano at targetsis.com.br (Rodrigo Scarano)
Date: Thu Jan 12 21:18:48 2006
Subject: Cron e-mail
Message-ID: <000401c340ec$f19f14e0$6900000a@targetsis.com.br>

Hello all
I've added a command on my update_virus_scanners script (called on the cron.hourly directory) to redirect the output of the ${UPDATER} to a file:
....
 #echo Updating $NAME
 logger -p mail.info -t update.virus.scanners Updating $NAME
 ${UPDATER} >>/usr/local/uvscan/updnai.log 2>&1
...

Today I had a dat update (McAfee - 4275) and I didn't receive a mail (root) of cron telling me that the update was done ( and I know it was because I've seen it on my updnai.log file).

Anybody knows what I have to do to receive this e-mail ???

Tks for any help.

Rodrigo Scarano
Target Sistemas
http://www.targetsis.com.br/
rscarano@targetsis.com.br

From sanjay.patel at REXWIRE.COM Thu Jul 3 00:09:59 2003
From: sanjay.patel at REXWIRE.COM (Sanjay Patel)
Date: Thu Jan 12 21:18:48 2006
Subject: MailScanner 101, take two.
In-Reply-To: <08146035CA49D6119A36009027AC822A0264E469@CITY-EXCH-NTS>
Message-ID: <007901c340ef$101726e0$6f01a8c0@Laptop1>

Panda is cheap very cheap. Config can be a bitch but you get what you pay for. As a product it updates well and they are always a step ahead.

-SKP

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Kevin Miller
Sent: Wednesday, July 02, 2003 6:53 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: MailScanner 101, take two.

Doh - you're right. Was just reading that a week or two ago and spaced it right out. Thanks. I'll take a look at Kasperski, et. al...

...Kevin
-------------------
Kevin Miller Registered Linux User No: 307357
CBJ MIS Dept. Network Systems Administrator, Mail Administrator
155 South Seward Street ph: (907) 586-0242
Juneau, Alaska 99801 fax: (907 586-4500

>-----Original Message-----
>From: Raymond Dijkxhoorn [mailto:raymond@PROLOCATION.NET]
>Sent: Wednesday, July 02, 2003 2:40 PM
>To: MAILSCANNER@JISCMAIL.AC.UK
>Subject: Re: MailScanner 101, take two.
>
>
>Hi!
>
>> For the antivirus I got a copy of F-Prot, but then they changed the license.
>> Aargh. A grand more to do the same thing. So I'm looking at a different
>> antivirus solution now, probably RAV. I don't mind paying for
>> support/updates and I thought the original $300 F-prot cost was quite
>> reasonable, but the new scheme isn't exactly competitive. Does RAV auto
>> update both the signatures and the program? I want something I can put in
>
>RAV is bought by Micro$oft and development is stopped on that one, i am
>not sure if you even can buy new ones, i think not (*nix)
>
>You could also try kasperski ...
>
>Bye,
>Raymond.
>

From newsletters at PCSITES.COM Thu Jul 3 03:33:37 2003
From: newsletters at PCSITES.COM (Richard Ahlquist)
Date: Thu Jan 12 21:18:48 2006
Subject: Announce: MailWatch for MailScanner 0.2 (was MailScanner-Con sole )
In-Reply-To: <84CFA712F666B44A94CE6BE116BAF4B0B4EB4B@mail.winnefox.org>
Message-ID: <009a01c3410b$87a99730$5f01a8c0@MINE>

This is what I use with f-prot;

define(VIRUS_REGEX, '/(.+) Infection: (\S+)/');

Works well.

Good Luck!
Richard

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Jody Cleveland
Sent: Wednesday, July 02, 2003 2:48 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Announce: MailWatch for MailScanner 0.2 (was MailScanner-Con sole )

Hello,

I'm just finishing up the installation of this, and in your install file, I noticed:
I only use SophosSAVI and ClamAV as virus scanners, so if you have a different set-up, you will need to change the VIRUS_REGEX constant to match the output of your scanner.

I use f-prot. Anyone know what I need to change?

--
Jody Cleveland
(cleveland@mail.winnefox.org)

-----Original Message-----
From: Steve Freegard [mailto:steve.freegard@LBSLTD.CO.UK]
Sent: Monday, June 16, 2003 12:10 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Announce: MailWatch for MailScanner 0.2 (was MailScanner-Console )

Hi All,

I've just uploaded a new version to http://www.smf.f2s.com/mailscanner/ - see the Change Log for the details.

From kevins at BMRB.CO.UK Thu Jul 3 08:11:21 2003
From: kevins at BMRB.CO.UK (Kevin Spicer)
Date: Thu Jan 12 21:18:48 2006
Subject: MailScanner 101, take two.
In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB001175C53@pascal.priv.bmrb.co.uk>
References: <5C0296D26910694BB9A9BBFC577E7AB001175C53@pascal.priv.bmrb.co.uk>
Message-ID: <1057216282.18491.9.camel@bach.kevinspicer.co.uk>

>Does the rpm load spamassassin as part of its processing or do I have to
>load that after the fact (or before)?

You have to do it yourself later

>Are there any significant differences if I follow those
>instructions with the 2.55 version?

No

>If it's not loaded/installed by the MailScanner scripts, should I install it
>before or after MailScanner?

Doesn't matter just set Use SpamAssassin = yes once you've got it.

>The last go-round, I think I did the tarballs, including installing
>spamassassin from a tarball. When I was trying to get Razor2 going, I
>downloaded some perl stuff from CPAN which either the spamassassin site or
>the Razor site said I needed, which made my system sort of grumpy.

Don't use CPAN on an rpm based machine - it's a bad idea. The razor2-sdk package (from razor's site) should provide what you need.

This worked fine for me on Mandrake
MailScanner rpm
SpamAssassin tar.gz
razor2 & razor2sdk rpms
pyzor (tar I think)
dcc (tar)

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000
_________________________________________________________________
This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business.

From mailscanner at BARENDSE.TO Thu Jul 3 09:06:42 2003
From: mailscanner at BARENDSE.TO (Remco Barendse)
Date: Thu Jan 12 21:18:48 2006
Subject: DSN: Return receipt ??
In-Reply-To: <08146035CA49D6119A36009027AC822A0264E464@CITY-EXCH-NTS>
Message-ID:

Tried that already, i think (suspect!) that the only thing that that tab kills are the messages : "Your message has been successfully delivered to" for most (certainly not all, see the status reply because of which I started this thread) messages.
There is absolutely no way to disable read/not read messages, at least not when your clients on Exchange are running Outlook 2000. Outlook XP supposedly has an option to disable this 'feature'.

I even tried installing Microgarden Outlook Tools for Outlook 2000 but this only helped for about half of the messages received, for the other half Outlook was still happily reporting which e-mail went where and who read it.

This is why I chose to kill the messages off based on subject headers. Even if the client could disable it I don't want to rely on my users to disable this feature to prevent leaking any information. I don't want anybody to know when my users read their e-mail, it's kind of embarrassing if a secretary says someone is out of office but they get a read receipt message a couple of minutes later on an e-mail they sent.

I just checked my maillog after setting the options

define(`confPRIVACY_FLAGS', `authwarnings,goaway,noreceipts,restrictqrun,restrictexpand')dnl

in my sendmail.mc but I still see read/not read messages being discarded.

I hope that this line in sendmail.mc does kill the last of the annoying successfully delivered/could not be delivered to messages.

On Wed, 2 Jul 2003, Kevin Miller wrote:

> >-----Original Message-----
> >From: Remco Barendse [mailto:mailscanner@BARENDSE.TO]
> >
> >This is great, this is what I've been looking for for a long time :) :)
> >
> >Will this also block the read/not read messages?
> >
> >The problem I had was that I'm using Exchange as the mail server, this
> >linux box is only relaying mail to/from the internet <->
> >exchange server.
> >
> >Will the sendmail setting also work in this case where M$ Exchange is
> >generating these annoying status messages that can't be disabled?
>
> Go into the IMS configuration area in Exchange Administrator, select the
> Internet Mail tab, then Advanced Options. You can disable Out of Office
> responses and Automatic Responses to the Internet. Hopefully the latter will
> put the kiebosh on what you're looking to kiebosh. I squelch the out of
> office replies, but not the Automatic responses. I'll be interested to see
> how that works for you. Might want to turn those off myself...
>
> ...Kevin
> -------------------
> Kevin Miller Registered Linux User No: 307357
> CBJ MIS Dept. Network Systems Administrator, Mail Administrator
> 155 South Seward Street ph: (907) 586-0242
> Juneau, Alaska 99801 fax: (907 586-4500
>

From howard at harper-adams.ac.uk Thu Jul 3 10:37:17 2003
From: howard at harper-adams.ac.uk (Howard Robinson)
Date: Thu Jan 12 21:18:48 2006
Subject: Doh! Question
Message-ID: <200307030936.h639a38M002508@blackhole.harper-adams.ac.uk>

Dear list

Thanks for the help over the last couple of days. I now have SpamAssassin running. So a Doh Question.
What command do I use to find out the version of SpamAssassin running? (Okay I know it's 2.55 now but I have a short memory!)
I was installed the 'approved' way.

Thanks

Regards
Howard Robinson (Senior Technical Development Officer)
Harper Adams University College
Edgmond
Newport
Shropshire
TF10 8NB
UK
E-mail: hrobinson@harper-adams.ac.uk
Tel. : +44(0)1952 820280 Via switchboard
     : +44(0)1952 815253 Direct line
Fax. : +44(0)1952 814783
College Web site http://www.harper-adams.ac.uk

From raymond at PROLOCATION.NET Thu Jul 3 10:57:10 2003
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:18:48 2006
Subject: Doh! Question
In-Reply-To: <200307030936.h639a38M002508@blackhole.harper-adams.ac.uk>
Message-ID:

hi!

> What command do I use to find out the version of SpamAssassin
> running? (Okay I know it's 2.55 now but I have a short memory!)
> I was installed the 'approved' way.
> Thanks

spamassassin -v

Bye,
Raymond.
From ron at SPAWAR.NAVY.MIL Thu Jul 3 11:01:32 2003
From: ron at SPAWAR.NAVY.MIL (Ron Broersma)
Date: Thu Jan 12 21:18:48 2006
Subject: ANNOUNCE: Version 4.22-4 released
In-Reply-To: <5.2.1.1.2.20030701182840.02590538@imap.ecs.soton.ac.uk>
References: <5.2.1.1.2.20030701182840.02590538@imap.ecs.soton.ac.uk>
Message-ID: <3F03FEFC.7080106@spawar.navy.mil>

Strange, RBL checks stopped happening. Turning on some debug revealed that none of the entries in the Spam Lists file (spam.lists.conf) were being found due to case mismatch. Changing everything in spam.lists.conf to lower case fixed the problem and RBL checks are happening again for me.

My guess is that the following has something to do with this...
> * Fixes *
> - RBLs are converted to lower-case when read from MailScanner.conf.

Other than that, the new version looks great. Thanks for the continued support of an awesome product.

--Ron

Julian Field wrote:

> G'day!
>
> I have just posted the new stable release 4.22-4 on the website.
>
> Major new features this time are
> - filetype detection regardless of filename, allowing you to allow/deny
>   files of different type.
> - control over HTML forms in email messages, which have been used recently
>   to try to extract passwords and credit card details from unwitting users.
> - control over the maximum size of any message, so you can limit the size
>   of messages for dial-up users for example.
>
> Download it from www.mailscanner.info as usual.
>
> All comments to me or the list.
>
> The full ChangeLog is this:
> * New Features and Improvements *
> - Added support for checking file content types regardless of their filename.
>   This uses the "file" command to work out the types of different files.
>   New additions to MailScanner.conf are "file command", "file timeout",
>   "filetype rules" (which work just like filename rules) and "log permitted
>   filetypes".
> - Added "Allow Form Tags" configuration option to ban HTML forms from email.
>   Requires almost no additional CPU load and is useful protection.
> - Added "Maximum Message Size" configuration option to limit the size of
>   messages for certain users. Handy for dialup users to save their download
>   phone bills. Obviously it works with a ruleset.
> - "Spam Actions", "High Scoring Spam Actions" and "Non Spam Actions" are now
>   set up so that the first matching rule will be used, rather than the sum of
>   all the matching rules. This means you can have 1 setting for a domain, but
>   before that have a rule for an individual user that over-rides the domain
>   setting.
> - MailScanner.conf file can now include "%name% = value" definition lines.
>   These "%name%" variables can then be used later in the MailScanner.conf
>   file and the rulesets, where they will be substituted with the appropriate
>   "value". This greatly eases switching languages.
> - Sophos.install script improved to make new versions work with sophossavi.
> - f-prot-autoupdate script improved to handle new F-Prot version 4.
> - Added bitdefender-autoupdate script from Alessandro Bianchi.
> - Added "default" overall black- and white-lists to per-domain black/whitelist
>   code in CustomConfig.pm.
> - Added code to CustomConfig.pm to implement internal-only accounts that
>   cannot send mail to external addresses.
> - Improved comments in MailScanner.conf for "Max Children" setting.
> - Added (commented out) instruction to not use Bayesian stats engine in
>   MailScanner, with a comment about its need.
>
> * Fixes *
> - "channel error" detection bug in ZMailer support fixed.
> - All sender.* reports now have To: From: and Subject: in English to keep
>   sendmail and e-mail applications happy.
> - "$reportword" appearing in Postmaster notices fixed.
> - Added call to get logging working properly in clamav-autoupdate.
> - RBLs are converted to lower-case when read from MailScanner.conf.
> - Fix in signing clean messages containing single uuencoded attachments that
>   are then read using certain versions of Outlook 97.
> - MailScanner does not support Postfix without hashed queues. This situation
>   is detected and reported if it is found.
>   By default in all recent releases of Postfix (both 1.x and 2.x) hashed
>   queues are enabled, so just don't disable them.
> --
> Julian Field
> www.MailScanner.info
> Professional Support Services at www.MailScanner.biz
> MailScanner thanks transtec Computers for their support

From raymond at PROLOCATION.NET Thu Jul 3 11:10:05 2003
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:18:48 2006
Subject: ANNOUNCE: Version 4.22-4 released
In-Reply-To: <3F03FEFC.7080106@spawar.navy.mil>
Message-ID:

Hi!

> Strange, RBL checks stopped happening. Turning on some debug revealed
> that none of the entries in the Spam Lists file (spam.lists.conf) were
> being found due to case mismatch. Changing everything in
> spam.lists.conf to lower case fixed the problem and RBL checks are
> happening again for me.
>
> My guess is that the following has something to do with this...
> > * Fixes *
> > - RBLs are converted to lower-case when read from MailScanner.conf.
>

Yes, i can confirm this, i upgraded and since that no matches were made on the Easynet lists i use, after changing to lowercase in the spam.lists.conf they are coming in again straight away.

Julian, time for a quick fix i guess :))

Bye,
Raymond.

From mailscanner at ecs.soton.ac.uk Thu Jul 3 11:40:58 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:18:48 2006
Subject: Cron e-mail
In-Reply-To: <000401c340ec$f19f14e0$6900000a@targetsis.com.br>
Message-ID: <5.2.0.9.2.20030703114014.04721d08@imap.ecs.soton.ac.uk>

If you take a look in the update_virus_scanners script, you will find it redirects all output from each -autoupdate script to /dev/null.
Just uncomment the end of the line that calls the -autoupdate scripts and you should start seeing some output.

At 23:54 02/07/2003, you wrote:
>Hello all
>I've added a command on my update_virus_scanners script (called on the
>cron.hourly directory) to redirect the output of the ${UPDATER} to a file:
>....
> #echo Updating $NAME
> logger -p mail.info -t update.virus.scanners Updating $NAME
> ${UPDATER} >>/usr/local/uvscan/updnai.log 2>&1
>...
>
>Today I had a dat update (McAfee - 4275) and I didn't receive a mail (root)
>of cron telling me that the update was done ( and I know it was because I've
>seen it on my updnai.log file).
>
>Anybody knows what I have to do to receive this e-mail ???
>
>Tks for any help.
>
>
>Rodrigo Scarano
>Target Sistemas
>http://www.targetsis.com.br/
>rscarano@targetsis.com.br

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Thu Jul 3 11:38:09 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:18:48 2006
Subject: MailScanner 101, take two.
In-Reply-To: <08146035CA49D6119A36009027AC822A0264E468@CITY-EXCH-NTS>
Message-ID: <5.2.0.9.2.20030703113125.0459b7b8@imap.ecs.soton.ac.uk>

At 23:33 02/07/2003, you wrote:
>Last time I had a time constraint to get something up and running. This
>time I can relax, take a deep breath, and go about the process in an orderly
>manner. So, here's the particulars: I'm running on SuSE 8.0 with sendmail.
>The SuSE updates have been applied, but it's basically a vanilla box at the
>moment. I'll be loading the current stable versions of:
>
>MailScanner
>Spamassassin
>Webmin
>MailScanner-mrtg or mailstats (or both) Probably go to mailstats.
>Antivirus
>
>Starting with MailScanner, which is the better way to go, rpm or tar?

rpm. The SuSE one, not the RedHat one.

> I'm
>usually a bit leery of rpms on SuSE as they're often written for Redhat, and
>do things a bit differently on SuSE (or is it SuSE does things a bit
>differently ), thus I end up doing a tarball anyway. But they're great
>when they work. So, how does the rpm pan out on SuSE 8.0/sendmail?

I haven't tested the RPM on SuSE 8.0, only 8.1. But I've only heard anyone having any problems with it once, and they were using 7.x which is quite a lot different from 8.x. So you should be okay.

>If rpm is the way to go, I presume the perl patches are included (previous
>emails to this list indicated that was the case).

Yes.

>Does the rpm load spamassassin as part of its processing or do I have to
>load that after the fact (or before)?

Do it separately. And don't use the RPM of SpamAssassin. Either download it and build from source or use CPAN to install it. To build it by hand, unpack the .tar.gz archive, "cd" into it and do this:

        perl Makefile.PL
        make
        make test
        make install

>I don't see it referenced in the instructions for either the tarball or the
>rpm though I see there's a page about it at
>http://www.sng.ecs.soton.ac.uk/mailscanner/install/spamassassin.shtml. This
>references 2.6 - I'll be going with 2.55 and leave the bleeding edge to
>others. Are there any significant differences if I follow those
>instructions with the 2.55 version?

2.55 will be just fine. I don't run 2.60 myself on production systems.

>If it's not loaded/installed by the MailScanner scripts, should I install it
>before or after MailScanner?

Doesn't matter. Just set "Use SpamAssassin = yes" in /etc/MailScanner/MailScanner.conf.

>The last go-round, I think I did the tarballs, including installing
>spamassassin from a tarball. When I was trying to get Razor2 going, I
>downloaded some perl stuff from CPAN which either the spamassassin site or
>the Razor site said I needed, which made my system sort of grumpy. Said
>modules weren't installed that were, or version errors or some such. It's
>been several weeks since I've been able to play w/it, so I can't remember
>the specifics. Instead, I just wiped the machine, and reinstalled and
>figured it was better to do it right rather than try to fix what I probably
>hosed last time. Thus this tome.

Don't install Perl modules from RPM packages, unless they are provided by SuSE themselves for 8.0. Different versions of Perl want things installed in different places, and 3rd-party providers of RPM's cannot know what version of Perl you are running and therefore cannot always install them in the right place. This is why I distribute MailScanner as a bunch of SRPM's (source RPMs) which are automatically rebuilt specifically for your system during the installation process.

>For the antivirus I got a copy of F-Prot, but then they changed the license.
>Aargh. A grand more to do the same thing. So I'm looking at a different
>antivirus solution now, probably RAV. I don't mind paying for
>support/updates and I thought the original $300 F-prot cost was quite
>reasonable, but the new scheme isn't exactly competitive. Does RAV auto
>update both the signatures and the program? I want something I can put in
>and ignore until it's time to send 'em another check in a year. A friend is
>using Sophos, and he says he has to put in a new user license quarterly or
>some such. Life's too short for that. All the docs seem to refer to
>installing Sophos as a step however. Can I presume that I can substitute
>whatever flavor of antivirus there and *not* have to install Sophos?

Yes. Just set "Virus Scanners = f-prot" or whatever is appropriate for your scanner, in /etc/MailScanner/MailScanner.conf.
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Thu Jul 3 12:16:30 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:18:48 2006
Subject: ANNOUNCE: Version 4.22-5 released
In-Reply-To:
References: <3F03FEFC.7080106@spawar.navy.mil>
Message-ID: <5.2.0.9.2.20030703121416.04eca5a0@imap.ecs.soton.ac.uk>

I have fixed the bug below, and I think it warrants another release as this will have stopped everyone's RBL lists from working unless you convert them all to lower-case.

The only other changes are
- improve the efficiency of the filetype checking
- add Tony Finch's improved mcafee-autoupdate script

Download from the usual place at www.mailscanner.info

Sorry folks :-(

At 11:10 03/07/2003, you wrote:
>Hi!
>
> > Strange, RBL checks stopped happening. Turning on some debug revealed
> > that none of the entries in the Spam Lists file (spam.lists.conf) were
> > being found due to case mismatch. Changing everything in
> > spam.lists.conf to lower case fixed the problem and RBL checks are
> > happening again for me.
> >
> > My guess is that the following has something to do with this...
> > > * Fixes *
> > > - RBLs are converted to lower-case when read from MailScanner.conf.
> >
>
>Yes, i can confirm this, i upgraded and since that no matches were made on
>the Easynet lists i use, after changing to lowercase in the
>spam.lists.conf they are coming in again straight away.
>
>Julian, time for a quick fix i guess :))
>
>Bye,
>Raymond.

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Thu Jul 3 11:29:25 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:18:48 2006
Subject: Doh! Question
In-Reply-To:
References: <200307030936.h639a38M002508@blackhole.harper-adams.ac.uk>
Message-ID: <5.2.0.9.2.20030703112837.04f16bf8@imap.ecs.soton.ac.uk>

At 10:57 03/07/2003, you wrote:
>hi!
>
> > What command do I use to find out the version of SpamAssassin
> > running? (Okay I know it's 2.55 now but I have a short memory!)
> > I was installed the 'approved' way.
> > Thanks
>
>spamassassin -v

Or if you can't find the "spamassassin" script for some reason:

        perl -MMail::SpamAssassin -e 'print $Mail::SpamAssassin::VERSION;'

should do it too.

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From m.sapsed at BANGOR.AC.UK Thu Jul 3 12:32:43 2003
From: m.sapsed at BANGOR.AC.UK (Martin Sapsed)
Date: Thu Jan 12 21:18:48 2006
Subject: Doh! Question
References: <200307030936.h639a38M002508@blackhole.harper-adams.ac.uk>
Message-ID: <3F04145B.7090604@bangor.ac.uk>

Howard Robinson wrote:
> What command do I use to find out the version of SpamAssassin
> running? (Okay I know it's 2.55 now but I have a short memory!)
> I was installed the 'approved' way.

Rather than spamassassin -v as suggested by Raymond, I prefer the solution that someone else posted which checks what version perl sees - it's not inconceivable (depending on paths etc) to get 2 different answers. Save this

#! /usr/bin/perl
use Mail::SpamAssassin;
print $Mail::SpamAssassin::VERSION . "\n";

to a file, make it executable and run it.

Cheers,

Martin

--
Martin Sapsed
Information Services "Who do you say I am?"
University of Wales, Bangor Jesus of Nazareth

From howard at harper-adams.ac.uk Thu Jul 3 12:38:38 2003
From: howard at harper-adams.ac.uk (Howard Robinson)
Date: Thu Jan 12 21:18:48 2006
Subject: Doh! Question
In-Reply-To: <3F04145B.7090604@bangor.ac.uk>
Message-ID: <200307031137.h63BbX29007735@blackhole.harper-adams.ac.uk>

On 3 Jul 03, at 12:32, Martin Sapsed wrote:

I'll try the other option.
For the record it is spamassassin -V not -v on 2.55.
Thanks again Raymond, Martin, Julian et al.

> Howard Robinson wrote:
> > What command do I use to find out the version of SpamAssassin
> > running? (Okay I know it's 2.55 now but I have a short memory!)
> > I was installed the 'approved' way.
>
> Rather than spamassassin -v as suggested by Raymond, I prefer the
> solution that someone else posted which checks what version perl sees -
> it's not inconceivable (depending on paths etc) to get 2 different
> answers. Save this
>
> #! /usr/bin/perl
> use Mail::SpamAssassin;
> print $Mail::SpamAssassin::VERSION . "\n";
>
> to a file, make it executable and run it.
>
> Cheers,
>
> Martin
>
> --
> Martin Sapsed
> Information Services "Who do you say I am?"
> University of Wales, Bangor Jesus of Nazareth

Regards
Howard Robinson (Senior Technical Development Officer)
Harper Adams University College
Edgmond
Newport
Shropshire
TF10 8NB
UK
E-mail: hrobinson@harper-adams.ac.uk
Tel. : +44(0)1952 820280 Via switchboard
     : +44(0)1952 815253 Direct line
Fax. : +44(0)1952 814783
College Web site http://www.harper-adams.ac.uk

From mailscanner at BARENDSE.TO Thu Jul 3 13:05:35 2003
From: mailscanner at BARENDSE.TO (Remco Barendse)
Date: Thu Jan 12 21:18:48 2006
Subject: directory containing all the reports in all the languages
Message-ID:

Just noticed this new option in the MailScanner.conf file:

# Set the directory containing all the reports in all the languages
%report-dir% = /etc/MailScanner/reports/en

Shouldn't this be set to : /etc/MailScanner/reports as default?

Or is this the option for the default language directory if no specific language is defined for a top level domain??
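
Added example (not part of any message in this archive and not MailScanner's own code): a Python check for the failure Ron Broersma reports in the 4.22-4 thread above, where list names lower-cased on reading MailScanner.conf no longer match mixed-case names in spam.lists.conf, so RBL checks stop without an error. The "Spam List" setting name, the two-column layout of spam.lists.conf, and every sample name and zone are assumptions constructed for illustration.

```python
"""Audit RBL names in MailScanner.conf against spam.lists.conf (added example)."""

# Constructed sample inputs; names and zones are placeholders, not real lists.
# Assumption: the setting is "Spam List = name name ..." (space-separated).
SAMPLE_MAILSCANNER_CONF = """\
# constructed sample
Spam List = EXAMPLE-RBL Example-Proxies lowercase-list missing-list
"""

# Assumption: each definition line is "<name> <DNS zone>"; "#" starts a comment.
SAMPLE_SPAM_LISTS_CONF = """\
# constructed sample
EXAMPLE-RBL       rbl.example.invalid.
Example-Proxies   proxies.example.invalid.
lowercase-list    lc.example.invalid.
"""


def _strip_comment(line):
    return line.split("#", 1)[0].strip()


def parse_setting(conf_text, key="Spam List"):
    """Return the names configured for `key` (key matched ignoring case and spaces)."""
    want = key.lower().replace(" ", "")
    for raw in conf_text.splitlines():
        line = _strip_comment(raw)
        if "=" not in line:
            continue
        name, value = line.split("=", 1)
        if name.lower().replace(" ", "") == want:
            return value.split()
    return []


def parse_definitions(lists_text):
    """Map list name -> DNS zone, keeping the case used in the definitions file."""
    defs = {}
    for raw in lists_text.splitlines():
        parts = _strip_comment(raw).split()
        if len(parts) >= 2:
            defs[parts[0]] = parts[1]
    return defs


def audit(conf_text, lists_text, lowercase_config=True):
    """Classify configured names the way a case-sensitive lookup would see them.

    lowercase_config=True models the situation described in the thread:
    names are lower-cased when read from MailScanner.conf and then looked
    up verbatim in the definitions file.
    """
    defs = parse_definitions(lists_text)
    folded = {}
    for name in defs:
        folded.setdefault(name.lower(), name)
    result = {"ok": [], "case_mismatch": [], "undefined": []}
    for configured in parse_setting(conf_text):
        lookup = configured.lower() if lowercase_config else configured
        if lookup in defs:
            result["ok"].append(configured)
        elif configured.lower() in folded:
            # Defined, but only under a differently-cased name: the check is
            # silently skipped rather than reported as an error.
            result["case_mismatch"].append((lookup, folded[configured.lower()]))
        else:
            result["undefined"].append(configured)
    return result


def ambiguous_definitions(lists_text):
    """Definition names that differ only by case (unsafe to fold to lower case)."""
    seen = {}
    for name in parse_definitions(lists_text):
        seen.setdefault(name.lower(), []).append(name)
    return {k: v for k, v in seen.items() if len(v) > 1}


if __name__ == "__main__":
    report = audit(SAMPLE_MAILSCANNER_CONF, SAMPLE_SPAM_LISTS_CONF)
    for looked_up, defined in report["case_mismatch"]:
        print(f"WARNING: '{looked_up}' will not match definition '{defined}'")
    for name in report["undefined"]:
        print(f"ERROR: '{name}' is not defined in spam.lists.conf")
    print("ambiguous:", ambiguous_definitions(SAMPLE_SPAM_LISTS_CONF))
```

Run before and after an upgrade: any entry under case_mismatch is an RBL that would drop out of use without a log line pointing at the cause.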

From ron at SPAWAR.NAVY.MIL Thu Jul 3 13:10:54 2003
From: ron at SPAWAR.NAVY.MIL (Ron Broersma)
Date: Thu Jan 12 21:18:49 2006
Subject: ANNOUNCE: Version 4.22-5 released
In-Reply-To: <5.2.0.9.2.20030703121416.04eca5a0@imap.ecs.soton.ac.uk>
References: <3F03FEFC.7080106@spawar.navy.mil> <5.2.0.9.2.20030703121416.04eca5a0@imap.ecs.soton.ac.uk>
Message-ID: <3F041D4E.1020306@spawar.navy.mil>

Julian,

Thanks for the quick fix. RBL checking is working again without the
other file hacks.

You might want to check that mcafee-autoupdate script. I had to remove
all the embedded /r characters (every line) before it would work without
complaint. Also had to set LIBDIR and FTPDIR back to the defaults where
they were before.

--Ron

Julian Field wrote:
> I have fixed the bug below, and I think it warrants another release as this
> will have stopped everyone's RBL lists from working unless you convert them
> all to lower-case.
>
> The only other changes are
> - improve the efficiency of the filetype checking
> - add Tony Finch's improved mcafee-autoupdate script
>
> Download from the usual place at www.mailscanner.info
>
> Sorry folks :-(
>
> At 11:10 03/07/2003, you wrote:
>
>> Hi!
>>
>> > Strange, RBL checks stopped happening. Turning on some debug revealed
>> > that none of the entries in the Spam Lists file (spam.lists.conf) were
>> > being found due to case mismatch. Changing everything in
>> > spam.lists.conf to lower case fixed the problem and RBL checks are
>> > happening again for me.
>> >
>> > My guess is that the following has something to do with this...
>> > > * Fixes *
>> > > - RBLs are converted to lower-case when read from MailScanner.conf.
>> >
>>
>> Yes, i can confirm this, i upgraded and since that no matches were
>> made on
>> the Easynet lists i use, after changing to lowercase in the
>> spam.lists.conf they are coming in again straight away.
>>
>> Julian, time for a quick fix i guess :))
>>
>> Bye,
>> Raymond.
>
>
> --
> Julian Field
> www.MailScanner.info
> MailScanner thanks transtec Computers for their support

From mailscanner at ELKNET.NET Thu Jul 3 15:15:27 2003
From: mailscanner at ELKNET.NET (Alan Fiebig)
Date: Thu Jan 12 21:18:49 2006
Subject: Spam reports
Message-ID: <200307031316.h63DGdS14689@ori.rl.ac.uk>

I've scanned the list archives, but could not find an answer to my
question, so I'll post it here. Thanks in advance to all help provided.

In the two reports:
    sender.spam.report.txt
    sender.spam.sa.report.txt

That get sent to an alleged spammer as a result of a bounce spam action
that had a SA score above the threshold, is there any means to include the
SA report in the message body? I'd like the emailed report to include a
typical report like:
    SpamCheck: spam, SpamAssassin (score=9.4, required 5,
    CLICK_BELOW 0.10, HTML_80_90 0.54, HTML_FONT_BIG 0.27,
    HTML_FONT_COLOR_BLUE 0.10, HTML_FONT_COLOR_RED 0.10,
    HTML_MESSAGE 0.10, IMPOTENCE 2.90, MIME_HTML_ONLY 0.10,
    MSGID_GOOD_EXCHANGE -0.38, OBFUSCATING_COMMENT 2.60,
    PENIS_ENLARGE 1.39, PENIS_ENLARGE2 1.29, REMOVE_PAGE 0.27)

I thought including the '$spamreport' in the body of the report template
would do the trick, but all I'm seeing is:
    "spam, SpamAssassin" in the report where the variable was placed, the
    actual triggers and scores are missing.

Thanks!

From Denis.Beauchemin at USHERBROOKE.CA Thu Jul 3 14:30:44 2003
From: Denis.Beauchemin at USHERBROOKE.CA (Denis Beauchemin)
Date: Thu Jan 12 21:18:49 2006
Subject: mcafee-autoupdate patch -- Tony Finch r-u-there?
In-Reply-To:
References:
Message-ID: <1057239044.2846.6.camel@dbeauchemin.sti.usherbrooke.ca>

On Wed 02/07/2003 at 18:04, Tony Finch wrote:
> >Now, being in SouthAmerica and topologically much closer from the USA than
> >from Europe or the UK, which site do you recommend for updates?
>
> Probably ftp.nai.com or ftpeur.nai.com, depending on how busy the servers
> are and the state of the network between them and you.
>

I just checked and...
# host ftp.nai.com
ftp.nai.com has address 216.49.88.143
# host ftpeur.nai.com
ftpeur.nai.com is an alias for ftp.nai.com.
ftp.nai.com has address 216.49.88.143

They're both the same!!!

Denis
--
Denis Beauchemin, analyst
Université de Sherbrooke, S.T.I.
T: 819.821.8000x2252 F: 819.821.8045

From slwatts at WINCKWORTHS.CO.UK Thu Jul 3 15:25:03 2003
From: slwatts at WINCKWORTHS.CO.UK (Samuel Luxford-Watts)
Date: Thu Jan 12 21:18:49 2006
Subject: postfix + Mailscanner probs
Message-ID:

Hi All,

This is probably a REALLY dumb question, but at the moment I cannot see
why this is happening.....

I followed through all the instructions for getting suse, postfix and
mailscanner running. All seemed to work fine, but I couldn't figure out
why mailscanner wasn't stripping viruses from attachments. In the end I
stopped all the services, then ran

postfix -c /etc/postfix.in start

This to my mind should only start the inbound mail process, so the server
receives emails and stores them in /var/spool/postfix.in. Well on my
server it's actually forwarding the mail as well.

I have checked for the defer_transports line and that is present and
correct in /etc/postfix.in/main.cf.

The only thing I can think of is that I have altered
/etc/postfix/transports to read:

dest.test smtp:[192.168.25.95]

where dest.test is my internal test mail domain and the ip address is of
our test exchange server.

my /etc/postfix.in/main.cf file is still pointing to /etc/postfix various
files.

I am trying to configure an email gateway which is listed as a primary MX
host for our domain, filters and strips viruses/spam and forwards those
emails to our exchange server.

if I do not add this line to transport then I get a mail loop error
because the mailscanner server thinks it's the best MX host for dest.test.

Any help would be great,

Thanks,

Sam
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030703/c0795640/attachment.html

From rscarano at targetsis.com.br Thu Jul 3 15:34:29 2003
From: rscarano at targetsis.com.br (Rodrigo Scarano)
Date: Thu Jan 12 21:18:49 2006
Subject: RES: Cron e-mail
In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB0EBF6D9@pascal.priv.bmrb.co.uk>
Message-ID: <002f01c34170$36b54da0$6900000a@targetsis.com.br>

Kevin,

Thanks again and sorry to send the reply directly for you...

Rodrigo Scarano
Target Sistemas
http://www.targetsis.com.br/
rscarano@targetsis.com.br

-----Original Message-----
From: Spicer, Kevin [mailto:Kevin.Spicer@bmrb.co.uk]
Sent: Thursday, 3 July 2003 11:21
To: rscarano@targetsis.com.br
Subject: RE: Cron e-mail

Rodrigo Scarano wrote:
> Thanks Kevin.
>
> I don't know if I understood. If I use the original update
> update_virus_scanner script with the line:
> ...
> ${UPDATER} >/dev/null 2>&1
> ...
>
> I will receive an e-mail when the update will be done ???
>

No, change it to

${UPDATER}

and you'll get mailed any output whenever it runs (no output=no mail).
Maybe you'll get mail every time, maybe only when something goes wrong
(depends on the specific update script). Some updaters (like f-prot's for
example) take a flag which makes them silent except on error (check their
docs).

Please email the list in future.

Regards,
Kevin

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000
_________________________________________________________________
This message (and any attachment) is intended only for the recipient and
may contain confidential and/or privileged material. If you have received
this in error, please contact the sender and delete this message
immediately. Disclosure, copying or other action taken in respect of this
email or in reliance on it is prohibited. BMRB International Limited
accepts no liability in relation to any personal emails, or content of any
email which does not directly relate to our business.
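
As the reply quoted above explains, cron mails whatever a job prints, so ">/dev/null 2>&1" hides a failed signature update along with the routine noise. The wrapper below is an added example (not from the thread and not part of MailScanner) that stays silent on success and prints the captured output only when the updater fails; run_quiet and the two stand-in updater functions are hypothetical names.

```shell
#!/bin/sh
# run_quiet CMD [ARGS...]
# Run a command with stdout and stderr captured in a temporary file.
#   success: print nothing, so cron sends no mail
#   failure: print the exit status and the captured output, so cron
#            mails it, and return the command's own exit status
run_quiet() {
    log=$(mktemp "${TMPDIR:-/tmp}/run_quiet.XXXXXX") || return 1
    # The && / || form keeps this safe when the caller uses "set -e".
    "$@" >"$log" 2>&1 && status=0 || status=$?
    if [ "$status" -ne 0 ]; then
        echo "FAILED (exit $status): $*"
        cat "$log"
    fi
    rm -f "$log"
    return "$status"
}

# Constructed stand-ins for a virus-scanner updater (not real updaters).
fake_updater_ok() {
    echo "signatures up to date"
    return 0
}

fake_updater_fail() {
    echo "cannot reach mirror" >&2
    return 3
}

# In an update script, the line
#     ${UPDATER} >/dev/null 2>&1
# would become
#     run_quiet ${UPDATER}
```
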

From Cleveland at MAIL.WINNEFOX.ORG Thu Jul 3 15:52:18 2003
From: Cleveland at MAIL.WINNEFOX.ORG (Jody Cleveland)
Date: Thu Jan 12 21:18:49 2006
Subject: Announce: MailWatch for MailScanner 0.2 (was MailScanner-Con sole )
Message-ID: <84CFA712F666B44A94CE6BE116BAF4B0B4EB58@mail.winnefox.org>

> This is what I use with f-prot;
>
> define(VIRUS_REGEX, '/(.+) Infection: (\S+)/');
>
> Works well.

Thanks! Works for me as well.

I noticed on the Other page, there is a link under Tools for Sophos
Status. Do you know of a way to make the same thing for f-prot status?

Jody

From mailscanner at BARENDSE.TO Thu Jul 3 15:53:29 2003
From: mailscanner at BARENDSE.TO (Remco Barendse)
Date: Thu Jan 12 21:18:49 2006
Subject: ANNOUNCE: Version 4.22-5 released
In-Reply-To: <3F041D4E.1020306@spawar.navy.mil>
Message-ID:

Have just checked but still the spam black whitelists aren't properly
lowered?

I still need to make duplicate entries for some domains because different
servers on the other side display the sender domain in different casing.

I still have to make two entries to whitelist for example:

From: @domain.com yes
From: @DOMAIN.com yes

Thought that the domain part for the black/whitelist would be made case
insensitive?

On Thu, 3 Jul 2003, Ron Broersma wrote:

> Julian,
>
> Thanks for the quick fix. RBL checking is working again without the
> other file hacks.
>
> You might want to check that mcafee-autoupdate script. I had to remove
> all the embedded /r characters (every line) before it would work without
> complaint. Also had to set LIBDIR and FTPDIR back to the defaults where
> they were before.
>
> --Ron
>
> Julian Field wrote:
> > I have fixed the bug below, and I think it warrants another release as this
> > will have stopped everyone's RBL lists from working unless you convert them
> > all to lower-case.
> >
> > The only other changes are
> > - improve the efficiency of the filetype checking
> > - add Tony Finch's improved mcafee-autoupdate script
> >
> > Download from the usual place at www.mailscanner.info
> >
> > Sorry folks :-(
> >
> > At 11:10 03/07/2003, you wrote:
> >
> >> Hi!
> >>
> >> > Strange, RBL checks stopped happening. Turning on some debug revealed
> >> > that none of the entries in the Spam Lists file (spam.lists.conf) were
> >> > being found due to case mismatch. Changing everything in
> >> > spam.lists.conf to lower case fixed the problem and RBL checks are
> >> > happening again for me.
> >> >
> >> > My guess is that the following has something to do with this...
> >> > > * Fixes *
> >> > > - RBLs are converted to lower-case when read from MailScanner.conf.
> >> >
> >>
> >> Yes, i can confirm this, i upgraded and since that no matches were
> >> made on
> >> the Easynet lists i use, after changing to lowercase in the
> >> spam.lists.conf they are coming in again straight away.
> >>
> >> Julian, time for a quick fix i guess :))
> >>
> >> Bye,
> >> Raymond.
> >
> >
> > --
> > Julian Field
> > www.MailScanner.info
> > MailScanner thanks transtec Computers for their support
>

From slwatts at WINCKWORTHS.CO.UK Thu Jul 3 16:23:12 2003
From: slwatts at WINCKWORTHS.CO.UK (Samuel Luxford-Watts)
Date: Thu Jan 12 21:18:49 2006
Subject: postfix + Mailscanner probs - sorted
Message-ID:

sorry guys - I guess I am getting tired. I found the problem and can't
believe it's taken me so long to spot it.

/etc/postfix.in/main.cf had an extra defer_transports line at the end of
the file which was blank.

All sorted now!

Sam

-----Original Message-----
From: Samuel Luxford-Watts [mailto:slwatts@WINCKWORTHS.CO.UK]
Sent: 03 July 2003 15:25
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: postfix + Mailscanner probs

Hi All,

This is probably a REALLY dumb question, but at the moment I cannot see
why this is happening.....

I followed through all the instructions for getting suse, postfix and
mailscanner running. All seemed to work fine, but I couldn't figure out
why mailscanner wasn't stripping viruses from attachments. In the end I
stopped all the services, then ran

postfix -c /etc/postfix.in start

This to my mind should only start the inbound mail process, so the server
receives emails and stores them in /var/spool/postfix.in. Well on my
server it's actually forwarding the mail as well.

I have checked for the defer_transports line and that is present and
correct in /etc/postfix.in/main.cf.

The only thing I can think of is that I have altered
/etc/postfix/transports to read:

dest.test smtp:[192.168.25.95]

where dest.test is my internal test mail domain and the ip address is of
our test exchange server.

my /etc/postfix.in/main.cf file is still pointing to /etc/postfix various
files.

I am trying to configure an email gateway which is listed as a primary MX
host for our domain, filters and strips viruses/spam and forwards those
emails to our exchange server.

if I do not add this line to transport then I get a mail loop error
because the mailscanner server thinks it's the best MX host for dest.test.

Any help would be great,

Thanks,

Sam
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030703/f8ec6e2e/attachment.html

From mailscanner at ecs.soton.ac.uk Thu Jul 3 16:32:35 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:18:49 2006
Subject: Spam reports
In-Reply-To: <200307031316.h63DGdS14689@ori.rl.ac.uk>
Message-ID: <5.2.0.9.2.20030703163133.04484380@imap.ecs.soton.ac.uk>

Currently the short answer is "no".
Drop me a line near the end of July and I'll try to write something for you
for the next release. No point mailing me now about it as I'll forget by
the time I come back from Canada.

At 15:15 03/07/2003, you wrote:
>I've scanned the list archives, but could not find an answer to my
>question, so I'll post it here. Thanks in advance to all help provided.
>
>In the two reports:
>    sender.spam.report.txt
>    sender.spam.sa.report.txt
>
>That get sent to an alleged spammer as a result of a bounce spam action
>that had a SA score above the threshold, is there any means to include the
>SA report in the message body? I'd like the emailed report to include a
>typical report like:
>    SpamCheck: spam, SpamAssassin (score=9.4, required 5,
>    CLICK_BELOW 0.10, HTML_80_90 0.54, HTML_FONT_BIG 0.27,
>    HTML_FONT_COLOR_BLUE 0.10, HTML_FONT_COLOR_RED 0.10,
>    HTML_MESSAGE 0.10, IMPOTENCE 2.90, MIME_HTML_ONLY 0.10,
>    MSGID_GOOD_EXCHANGE -0.38, OBFUSCATING_COMMENT 2.60,
>    PENIS_ENLARGE 1.39, PENIS_ENLARGE2 1.29, REMOVE_PAGE 0.27)
>
>I thought including the '$spamreport' in the body of the report template
>would do the trick, but all I'm seeing is:
>    "spam, SpamAssassin" in the report where the variable was placed, the
>    actual triggers and scores are missing.
>
>Thanks!

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Thu Jul 3 16:25:19 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:18:49 2006
Subject: directory containing all the reports in all the languages
In-Reply-To:
Message-ID: <5.2.0.9.2.20030703162442.05147f98@imap.ecs.soton.ac.uk>

No, because the default setting for each of the reports is
%report-dir%/deleted.filename.message.txt
for example, so the %report-dir% should contain the language code as well.

At 13:05 03/07/2003, you wrote:
>Just noticed this new option in the MailScanner.conf file:
>
># Set the directory containing all the reports in all the languages
>%report-dir% = /etc/MailScanner/reports/en
>
>
>Shouldn't this be set to :
>/etc/MailScanner/reports
>as default?
>
>Or is this the option for the default language directory if no specific
>language is defined for a top level domain??

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Thu Jul 3 16:26:23 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:18:49 2006
Subject: ANNOUNCE: Version 4.22-5 released
In-Reply-To:
References: <3F041D4E.1020306@spawar.navy.mil>
Message-ID: <5.2.0.9.2.20030703162556.0448de70@imap.ecs.soton.ac.uk>

At 15:53 03/07/2003, you wrote:
>Have just checked but still the spam black whitelists aren't properly
>lowered?
>
>I still need to make duplicate entries for some domains because different
>servers on the other side display the sender domain in different casing.
>
>I still have to make two entries to whitelist for example:
>
>From: @domain.com yes
>From: @DOMAIN.com yes
>
>Thought that the domain part for the black/whitelist would be made case
>insensitive?

I can't figure this one out, as the check is made case-insensitive in at 3
different ways already. :-(

>On Thu, 3 Jul 2003, Ron Broersma wrote:
>
> > Julian,
> >
> > Thanks for the quick fix. RBL checking is working again without the
> > other file hacks.
> >
> > You might want to check that mcafee-autoupdate script. I had to remove
> > all the embedded /r characters (every line) before it would work without
> > complaint. Also had to set LIBDIR and FTPDIR back to the defaults where
> > they were before.
> >
> > --Ron
> >
> > Julian Field wrote:
> > > I have fixed the bug below, and I think it warrants another release as this
> > > will have stopped everyone's RBL lists from working unless you convert them
> > > all to lower-case.
> > >
> > > The only other changes are
> > > - improve the efficiency of the filetype checking
> > > - add Tony Finch's improved mcafee-autoupdate script
> > >
> > > Download from the usual place at www.mailscanner.info
> > >
> > > Sorry folks :-(
> > >
> > > At 11:10 03/07/2003, you wrote:
> > >
> > >> Hi!
> > >>
> > >> > Strange, RBL checks stopped happening. Turning on some debug revealed
> > >> > that none of the entries in the Spam Lists file (spam.lists.conf) were
> > >> > being found due to case mismatch. Changing everything in
> > >> > spam.lists.conf to lower case fixed the problem and RBL checks are
> > >> > happening again for me.
> > >> >
> > >> > My guess is that the following has something to do with this...
> > >> > > * Fixes *
> > >> > > - RBLs are converted to lower-case when read from MailScanner.conf.
> > >> >
> > >>
> > >> Yes, i can confirm this, i upgraded and since that no matches were
> > >> made on
> > >> the Easynet lists i use, after changing to lowercase in the
> > >> spam.lists.conf they are coming in again straight away.
> > >>
> > >> Julian, time for a quick fix i guess :))
> > >>
> > >> Bye,
> > >> Raymond.
> > >
> > >
> > > --
> > > Julian Field
> > > www.MailScanner.info
> > > MailScanner thanks transtec Computers for their support
> >

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From P.G.M.Peters at utwente.nl Thu Jul 3 16:59:20 2003
From: P.G.M.Peters at utwente.nl (Peter Peters)
Date: Thu Jan 12 21:18:49 2006
Subject: MailScanner presentation
Message-ID: <1jk8gv4sa2od4mrv1sinhtsjoss0s7eia7@4ax.com>

Julian,

You told you have held a presentation at a JANET meeting. At the end of
September a meeting of European SCIRT's (TF-CSIRT) is held in Amsterdam.
Could you be persuaded to come and have a presentation on that meeting?

--
Peter Peters, senior network administrator
Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE)
Universiteit Twente, Postbus 217, 7500 AE Enschede
telephone: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/civ

From P.G.M.Peters at utwente.nl Thu Jul 3 17:01:21 2003
From: P.G.M.Peters at utwente.nl (Peter Peters)
Date: Thu Jan 12 21:18:49 2006
Subject: MailScanner presentation
In-Reply-To: <1jk8gv4sa2od4mrv1sinhtsjoss0s7eia7@4ax.com>
References: <1jk8gv4sa2od4mrv1sinhtsjoss0s7eia7@4ax.com>
Message-ID:

Oops. This should go to Julian directly but I copied the wrong address.
Mailscanner in both local parts is confusing.

On Thu, 3 Jul 2003 17:59:20 +0200, I wrote:

>You told you have held a presentation at a JANET meeting. At the end of
>September a meeting of European SCIRT's (TF-CSIRT) is held in Amsterdam.

CSIRT's

--
Peter Peters, senior network administrator
Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE)
Universiteit Twente, Postbus 217, 7500 AE Enschede
telephone: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/civ

From raymond at PROLOCATION.NET Thu Jul 3 17:04:23 2003
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:18:49 2006
Subject: MailScanner presentation
In-Reply-To:
Message-ID:

Hi!

> Oops. This should go to Julian directly but I copied the wrong address.
> Mailscanner in both local parts is confusing.
>
> On Thu, 3 Jul 2003 17:59:20 +0200, I wrote:
>
> >You told you have held a presentation at a JANET meeting. At the end of
> >September a meeting of European SCIRT's (TF-CSIRT) is held in Amsterdam.

=)

Julian, if you can come over i will buy you a couple of Beers :) I most
likely will join the TF-CSIRT meeting also.

Bye,
Raymond.
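
The postfix.in fault reported as sorted earlier in this archive (an extra, blank defer_transports line at the end of /etc/postfix.in/main.cf) had the effect it did because Postfix remembers only the last definition of a parameter in main.cf. The check below is an added example, not code from the thread or from MailScanner: it lists every parameter defined more than once together with the value that takes effect. The function names and the sample file, including its defer_transports value, are constructed for illustration.

```shell
#!/bin/sh
# dup_params FILE
# Print one line per main.cf parameter that is defined more than once:
#     name<TAB>number of definitions<TAB>effective (last) value
# main.cf rules applied: blank lines and lines whose first non-blank
# character is "#" are ignored; a line starting with whitespace
# continues the previous parameter; the last definition wins.
dup_params() {
    awk '
        function flush() {
            if (name == "") return
            if (!(name in count)) order[++n] = name
            count[name]++
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            value[name] = val
            name = ""
        }
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        /^[ \t]/ {
            # continuation of the parameter currently being read
            sub(/^[ \t]+/, "")
            if (name != "") val = val " " $0
            next
        }
        {
            flush()
            eq = index($0, "=")
            if (eq == 0) next
            name = substr($0, 1, eq - 1)
            gsub(/[ \t]+/, "", name)
            val = substr($0, eq + 1)
        }
        END {
            flush()
            for (i = 1; i <= n; i++) {
                p = order[i]
                if (count[p] > 1) {
                    v = value[p]
                    if (v == "") v = "(empty)"
                    printf "%s\t%d\t%s\n", p, count[p], v
                }
            }
        }
    ' "$1"
}

# Constructed sample in the shape of the file described in the thread:
# the intended setting near the top, a stray blank one at the end.
sample_main_cf() {
    cat <<'EOF'
# constructed sample, not a real configuration
queue_directory = /var/spool/postfix.in
defer_transports = smtp local
    virtual relay
mydestination = dest.test
# stray line left at the end of the file
defer_transports =
EOF
}
```

On a live system, postconf -c /etc/postfix.in -n prints the settings Postfix actually uses, which gives the same answer for a single parameter.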

From ka at PACIFIC.NET Thu Jul 3 17:12:16 2003
From: ka at PACIFIC.NET (Ken Anderson)
Date: Thu Jan 12 21:18:49 2006
Subject: CustomConfig.pm questions
Message-ID: <3F0455E0.7050003@pacific.net>

Hello,

I am working with CustomConfig.pm, setting up per-user configs, and have
a couple questions.

When I reload MailScanner, I don't see an indication in the log that the
rulesets were reloaded, so I'm assuming they are not?

If not, I'll need to 'restart' rather than 'reload' MailScanner. :-(

Is there a way modify MailScanner to call InitBy.... functions in
CustomConfig.pm upon reload?

Thanks,
Ken A.
Pacific.Net

From Kevin_Miller at CI.JUNEAU.AK.US Thu Jul 3 16:42:55 2003
From: Kevin_Miller at CI.JUNEAU.AK.US (Kevin Miller)
Date: Thu Jan 12 21:18:49 2006
Subject: DSN: Return receipt ??
Message-ID: <08146035CA49D6119A36009027AC822A0264E46E@CITY-EXCH-NTS>

Ah - after chewing on your reply for a couple minutes I think you hit the
nail on the head. It's the client that's doing it, not Exchange. We're
using Exchange 5.5 & LookOut 2000, so we're a bit behind you version wise,
but I just checked my client and turned off automatic processing of
requests & responses on arrival. It would make sense that the client is
where the reply would generate from, not the server as the server may not
know when the message is actually read - just when it's retrieved.

So I guess egress filtering on auto-replies is the only practical option
unless you force all users to use a stock client profile where the
auto-replies have been disabled. Not sure if the best place to filter is
in Sendmail or MailScanner - too new to both to make an intelligent guess,
but maybe others here can chime in...

...Kevin
-------------------
Kevin Miller                Registered Linux User No: 307357
CBJ MIS Dept.
Network Systems Administrator, Mail Administrator
155 South Seward Street     ph: (907) 586-0242
Juneau, Alaska 99801        fax: (907) 586-4500

>-----Original Message-----
>From: Remco Barendse [mailto:mailscanner@barendse.to]
>Sent: Thursday, July 03, 2003 12:07 AM
>To: MailScanner mailing list
>Cc: Kevin Miller
>Subject: Re: DSN: Return receipt ??
>
>
>Tried that already, i think (suspect!) that the only thing
>that that tab
>kills are the messages : "Your message has been successfully
>delivered to"
>for most (certainly not all, see the status reply because of which I
>started this thread) messages.
>
>There is absolutely no way to disable read/not read messages,
>at least not
>when your clients on Exchange are running Outlook 2000. Outlook XP
>supposedly has an option to disable this 'feature'. I even tried
>installing Microgarden Outlook Tools for Outlook 2000 but this
>only helped
>for about half of the messages received, for the other half
>Outlook was
>still happily reporting which e-mail went where and who read it.
>
>This is why I chose to kill the messages of based on subject
>headers. Even
>if the client could disable it I don't want to rely on my
>users to disable
>this feature to prevent leaking any information. I don't want
>anybody to
>know when my users read their e-mail, it's kind of embarrassing if a
>secretary says someone is out of office but they get a read
>receipt message
>a couple of minutes later on an e-mail they sent.
>
>I just checked my maillog after setting the options
>define(`confPRIVACY_FLAGS',
>`authwarnings,goaway,noreceipts,restrictqrun,restrictexpand')dnl
>
>in my sendmail.mc but I still see read/not read messages being
>discarded.
>
>I hope that this line in sendmail.mc does kill the last of the
>annoying
>successfully delivered/could not be delivered to messages.

From mailscanner at ecs.soton.ac.uk Thu Jul 3 17:37:52 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:18:49 2006
Subject: CustomConfig.pm questions
In-Reply-To: <3F0455E0.7050003@pacific.net>
Message-ID: <5.2.1.1.2.20030703173621.01fad590@imap.ecs.soton.ac.uk>

At 17:12 03/07/2003, you wrote:
>Hello,
>
>I am working with CustomConfig.pm, setting up per-user configs, and have
>a couple questions.
>
>When I reload MailScanner, I don't see an indication in the log that the
>rulesets were reloaded, so I'm assuming they are not?
>
>If not, I'll need to 'restart' rather than 'reload' MailScanner. :-(

You need to "restart" as the changing code in CustomConfig.pm has to be
recompiled.

>Is there a way modify MailScanner to call InitBy.... functions in
>CustomConfig.pm upon reload?

Ok, see your point. Let me take a quick look at this.
--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Thu Jul 3 17:40:18 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:18:49 2006
Subject: CustomConfig.pm questions
In-Reply-To: <3F0455E0.7050003@pacific.net>
Message-ID: <5.2.1.1.2.20030703173951.039a89e8@imap.ecs.soton.ac.uk>

At 17:12 03/07/2003, you wrote:
>Hello,
>
>I am working with CustomConfig.pm, setting up per-user configs, and have
>a couple questions.
>
>When I reload MailScanner, I don't see an indication in the log that the
>rulesets were reloaded, so I'm assuming they are not?
>
>If not, I'll need to 'restart' rather than 'reload' MailScanner. :-(
>
>Is there a way modify MailScanner to call InitBy.... functions in
>CustomConfig.pm upon reload?

According to the code I just looked at, it should call the Init functions
even when you do a "reload".
--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

From ka at PACIFIC.NET Thu Jul 3 18:11:37 2003
From: ka at PACIFIC.NET (Ken Anderson)
Date: Thu Jan 12 21:18:49 2006
Subject: CustomConfig.pm questions
In-Reply-To: <5.2.1.1.2.20030703173951.039a89e8@imap.ecs.soton.ac.uk>
References: <5.2.1.1.2.20030703173951.039a89e8@imap.ecs.soton.ac.uk>
Message-ID: <3F0463C9.7080907@pacific.net>

Ah, yes, I do see the log entries! Not sure how I missed them before, but
they ARE there!

host# /sbin/service MailScanner reload
Reloading MailScanner workers:
MailScanner: [ OK ]

Jul 3 10:05:02 mailfilter MailScanner[23313]: Read blacklist for 1 emails

Thanks,
Ken A.
Pacific.Net

Julian Field wrote:
> At 17:12 03/07/2003, you wrote:
>
>> Hello,
>>
>> I am working with CustomConfig.pm, setting up per-user configs, and have
>> a couple questions.
>>
>> When I reload MailScanner, I don't see an indication in the log that the
>> rulesets were reloaded, so I'm assuming they are not?
>>
>> If not, I'll need to 'restart' rather than 'reload' MailScanner. :-(
>>
>> Is there a way modify MailScanner to call InitBy.... functions in
>> CustomConfig.pm upon reload?
>
>
> According to the code I just looked at, it should call the Init functions
> even when you do a "reload".
> --
> Julian Field
> www.MailScanner.info
> Professional Support Services at www.MailScanner.biz
> MailScanner thanks transtec Computers for their support
>
>

From peter at UCGBOOK.COM Thu Jul 3 18:21:10 2003
From: peter at UCGBOOK.COM (Peter Bonivart)
Date: Thu Jan 12 21:18:49 2006
Subject: MailScanner 101, take two.
In-Reply-To: <08146035CA49D6119A36009027AC822A0264E468@CITY-EXCH-NTS>
References: <08146035CA49D6119A36009027AC822A0264E468@CITY-EXCH-NTS>
Message-ID: <3F046606.3070408@ucgbook.com>

For AV you could always use ClamAV that is completely free.
Recent posts on the list has it that CA eTrust is legit to run with a $28
workstation license. That might also be interesting.

ClamAV scans faster than F-Prot in my tests. It's also covered by
MailScanner's signature-updating script but you should update the program
from time to time. But you can forget about the check instead! :)

Check this for more info:

http://www.sng.ecs.soton.ac.uk/mailscanner/install/OS-virus-scan-web.htm

/Peter Bonivart

--Unix lovers do it in the Sun

Kevin Miller wrote:

> For the antivirus I got a copy of F-Prot, but then they changed the license.
> Aargh. A grand more to do the same thing. So I'm looking at a different
> antivirus solution now, probably RAV. I don't mind paying for
> support/updates and I thought the original $300 F-prot cost was quite
> reasonable, but the new scheme isn't exactly competitive. Does RAV auto
> update both the signatures and the program? I want something I can put in
> and ignore until it's time to send 'em another check in a year. A friend is
> using Sophos, and he says he has to put in a new user license quarterly or
> some such. Life's too short for that. All the docs seem to refer to
> installing Sophos as a step however. Can I presume that I can substitute
> whatever flavor of antivirus there and *not* have to install Sophos?

From paul.hamilton at sme-ecom.co.uk Thu Jul 3 18:47:54 2003
From: paul.hamilton at sme-ecom.co.uk (Paul Hamilton)
Date: Thu Jan 12 21:18:49 2006
Subject: Banning Character Sets
Message-ID: <000801c3418b$3dce5da0$fc32000a@4>

Hi All,

We have seen a useful feature in GFI's Spam Filter Software.
They provide the client with the ability to ban character sets.
Is it possible to do this with Spamassassin by domain?
or as a feature request could the Blacklist functionality be extended
to ban specific character sets per domain?

As an example a client of ours is able to ban all emails containing any
Chinese characters, they stop in the region of 250 emails a day at their
Exchange server this way. They come from multiple sources so adding to the
SA Blacklist is not desirable to the client.

Thanks in advance

Paul H

From Kevin_Miller at CI.JUNEAU.AK.US Thu Jul 3 19:09:15 2003
From: Kevin_Miller at CI.JUNEAU.AK.US (Kevin Miller)
Date: Thu Jan 12 21:18:49 2006
Subject: MailScanner 101, take two.
Message-ID: <08146035CA49D6119A36009027AC822A0264E472@CITY-EXCH-NTS>

Thanks. Earlier posts (month or two ago I think) indicated that they
weren't the quickest off the line with updates, but one or two posts isn't
a very big statistical sample! So, how satisfied have you ClamAV users
been with the pattern updates? Do they come in in a timely fashion?

TIA...

...Kevin
-------------------
Kevin Miller                Registered Linux User No: 307357
CBJ MIS Dept.               Network Systems Administrator, Mail Administrator
155 South Seward Street     ph: (907) 586-0242
Juneau, Alaska 99801        fax: (907) 586-4500

>-----Original Message-----
>From: Peter Bonivart [mailto:peter@UCGBOOK.COM]
>Sent: Thursday, July 03, 2003 9:21 AM
>To: MAILSCANNER@JISCMAIL.AC.UK
>Subject: Re: MailScanner 101, take two.
>
>
>For AV you could always use ClamAV that is completely free.
>Recent posts
>on the list has it that CA eTrust is legit to run with a $28
>workstation
>license. That might also be interesting.
>
>ClamAV scans faster than F-Prot in my tests. It's also covered by
>MailScanners signature-updating script but you should update
>the program
>from time to time. But you can forget about the check instead! :)
>
>Check this for more info:
>
>http://www.sng.ecs.soton.ac.uk/mailscanner/install/OS-virus-sca
>n-web.htm
>
>/Peter Bonivart
>
>--Unix lovers do it in the Sun
>
>Kevin Miller wrote:
>
>> For the antivirus I got a copy of F-Prot, but then they
>changed the license.
>> Aargh. A grand more to do the same thing.
So I'm looking
>at a different
>> antivirus solution now, probably RAV. I don't mind paying for
>> support/updates and I thought the original $300 F-prot cost was quite
>> reasonable, but the new scheme isn't exactly competitive.
>Does RAV auto
>> update both the signatures and the program? I want
>something I can put in
>> and ignore until it's time to send 'em another check in a
>year. A friend is
>> using Sophos, and he says he has to put in a new user
>license quarterly or
>> some such. Life's too short for that. All the docs seem to refer to
>> installing Sophos as a step however. Can I presume that I
>can substitute
>> whatever flavor of antivirus there and *not* have to install Sophos?
>

From kevins at BMRB.CO.UK Thu Jul 3 19:34:25 2003
From: kevins at BMRB.CO.UK (Kevin Spicer)
Date: Thu Jan 12 21:18:49 2006
Subject: MailScanner 101, take two.
In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB001175C7A@pascal.priv.bmrb.co.uk>
References: <5C0296D26910694BB9A9BBFC577E7AB001175C7A@pascal.priv.bmrb.co.uk>
Message-ID: <1057257268.26826.16.camel@bach.kevinspicer.co.uk>

> So, how satisfied have you ClamAV users been
> with the pattern updates? Do they come in in a timely fashion?

I'm not sure you need a big statistical sample to determine that their
updates aren't as timely as they could be (You would need a big sample to
determine that their updates are good however).

In my experience Clam has some good features but also some serious
limitations...

Can't disinfect files (not such a big problem with the current crop of
viruses which don't actually infect current files)

Updates are not as swift as many commercial vendors. Most of the recent
fast-spreading viruses I've seen picked up by Sophos hours or even days
before clam (although I did see one variant that was caught by clam before
Sophos).
I saw somewhere (their mailing list/site I think) that they aim to update their definitions several times a week (I like mine updated several times a day - whenever a new virus appears)

Their site hasn't been the most reliable, but there are more mirrors now and the latest versions automatically use the mirrors. Several of us experienced problems over the last few days with clam updates failing and completely stopping MailScanner.

I believe I've said this before, and I'll probably say it again, Clam is useful as a second virus scanner (for insurance should the first pack up) but at the moment you should still use a commercial solution.

As an aside, it's interesting how Clam gets its definitions: there is a tool in the clam distribution for generating signatures which relies on it being fed a known infected file; it then feeds portions of the file into a commercial virus scanner until it finds the exact portion of the file that generates a hit on the commercial scanner. The definition is then generated from this portion. I don't know if they do any other virus research, but this did strike me as perhaps a little cheeky (although I would guess the commercial vendors probably monitor each other's definitions quite closely).

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000
_________________________________________________________________
This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business.
From kevins at BMRB.CO.UK Thu Jul 3 19:49:57 2003 From: kevins at BMRB.CO.UK (Kevin Spicer) Date: Thu Jan 12 21:18:49 2006 Subject: Banning Character Sets In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB001175C79@pascal.priv.bmrb.co.uk> References: <5C0296D26910694BB9A9BBFC577E7AB001175C79@pascal.priv.bmrb.co.uk> Message-ID: <1057258197.26824.23.camel@bach.kevinspicer.co.uk> >We have seen a useful feature in GFI's Spam Filter Software. >They provide the client with the ability to ban character sets. >Is it possible to do this with Spamassassin by domain? >or as a feature request could the Blacklist functionality be extended >to ban specific character sets per domain? Its possible to configure SA to add a score based on character set and/ or language (ok_locales and ok_languages in spam.assassin.prefs.conf - check the Spamassassin docs http://www.spamassassin.org/doc/Mail_SpamAssassin_Conf.html ) Its not clear from the MailScanner.conf file whether you can make the setting for SpamAssassin Prefs File a ruleset or not, but if you could thatb would do what you want. BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. From Cleveland at MAIL.WINNEFOX.ORG Thu Jul 3 19:51:24 2003 From: Cleveland at MAIL.WINNEFOX.ORG (Jody Cleveland) Date: Thu Jan 12 21:18:49 2006 Subject: Why won't my mail forward? 
Message-ID: <84CFA712F666B44A94CE6BE116BAF4B0B4EB66@mail.winnefox.org> Hello, I'm trying to setup a redhat server that takes all incoming mail and then forwards it on to an exchange server. I've got sendmail setup, MailScanner, and spamassassin, and I am able to send mail out. My problem is, it's not getting mail and forwarding it on. I've got the mx record setup properly. My question is, does Sendmail automatically listen on all IP addresses? Is there something else I should be looking at? -- Jody Cleveland (cleveland@mail.winnefox.org) From mbowman at UDCOM.COM Thu Jul 3 19:53:25 2003 From: mbowman at UDCOM.COM (Matthew Bowman) Date: Thu Jan 12 21:18:49 2006 Subject: Why won't my mail forward? Message-ID: Jody, Have you setup your /etc/mail//mailertable ? For example anyolddomain.tld esmtp:[mail.anynewdomain.tld] --- Matthew K Bowman Systems Administrator, UDCom Jody Cleveland Sent by: MailScanner mailing list 07/03/2003 02:51 PM Please respond to MailScanner mailing list To: MAILSCANNER@JISCMAIL.AC.UK cc: Subject: Why won't my mail forward? Hello, I'm trying to setup a redhat server that takes all incoming mail and then forwards it on to an exchange server. I've got sendmail setup, MailScanner, and spamassassin, and I am able to send mail out. My problem is, it's not getting mail and forwarding it on. I've got the mx record setup properly. My question is, does Sendmail automatically listen on all IP addresses? Is there something else I should be looking at? -- Jody Cleveland (cleveland@mail.winnefox.org) From kevins at BMRB.CO.UK Thu Jul 3 19:57:05 2003 From: kevins at BMRB.CO.UK (Kevin Spicer) Date: Thu Jan 12 21:18:49 2006 Subject: Why won't my mail forward? In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB001175C7D@pascal.priv.bmrb.co.uk> References: <5C0296D26910694BB9A9BBFC577E7AB001175C7D@pascal.priv.bmrb.co.uk> Message-ID: <1057258625.26826.28.camel@bach.kevinspicer.co.uk> > My question is, does Sendmail automatically > listen on all IP addresses? 

netstat -l | grep smtp

should give you this....

tcp 0 0 *:smtp *:* LISTEN

Which means it's okay, but if you get this...

tcp 0 0 localhost:smtp *:* LISTEN

or something similar then it's only listening on the loopback interface

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000

From mbowman at UDCOM.COM Thu Jul 3 20:01:30 2003
From: mbowman at UDCOM.COM (Matthew Bowman)
Date: Thu Jan 12 21:18:49 2006
Subject: Message Size
Message-ID:

I also think it would be a better idea to have more specific subjects

E.g. {SPAM? - FORM TAG}, {VIRUS? - REJECTED FILE TYPE}, {VIRUS? - INFECTED E-MAIL}

That sort of thing

Matthew

Alan Fiebig
Sent by: MailScanner mailing list
07/03/2003 03:53 PM
Please respond to MailScanner mailing list
To: MAILSCANNER@JISCMAIL.AC.UK
cc:
Subject: Message Size

First, I don't want to sound ungrateful, I really do appreciate the new feature to filter on total message size.

However, when a message is over the set size, MailScanner tags the subject line with the {Virus} tag, and the report message to the recipient is the virus removal message. Likewise, the report back to the sender appears to be the 'Sender Error Report'.

These messages are a bit misleading. If the 'Maximum Message Size' filter doesn't warrant having its own tag, report to recipient, and report to sender, could you perhaps have that trigger use the 'Bad filename' report, 'Sender Bad Filename' report, and 'Filename Subject Text' tag instead?
Those make a bit more sense. Thanks! -Alan From mike at CAMAROSS.NET Thu Jul 3 20:11:54 2003 From: mike at CAMAROSS.NET (Mike Kercher) Date: Thu Jan 12 21:18:49 2006 Subject: Why won't my mail forward? In-Reply-To: Message-ID: <00b501c34196$f78a6d50$9c01a8c0@home.middlefinger.net> Additionally, you need to add your domain to /etc/mail/relay-domains Make sure you run 'make' in the /etc/mail directory after modifying the mailertable. Also, see if you can telnet to port 25 of your redhat box from another workstation. By default, sendmail is set to listen on 127.0.0.1 only. Take a look at /etc/mail/sendmail.mc Mike -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Matthew Bowman Sent: Thursday, July 03, 2003 1:53 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Why won't my mail forward? Jody, Have you setup your /etc/mail//mailertable ? For example anyolddomain.tld esmtp:[mail.anynewdomain.tld] --- Matthew K Bowman Systems Administrator, UDCom Jody Cleveland Sent by: MailScanner mailing list 07/03/2003 02:51 PM Please respond to MailScanner mailing list To: MAILSCANNER@JISCMAIL.AC.UK cc: Subject: Why won't my mail forward? Hello, I'm trying to setup a redhat server that takes all incoming mail and then forwards it on to an exchange server. I've got sendmail setup, MailScanner, and spamassassin, and I am able to send mail out. My problem is, it's not getting mail and forwarding it on. I've got the mx record setup properly. My question is, does Sendmail automatically listen on all IP addresses? Is there something else I should be looking at? -- Jody Cleveland (cleveland@mail.winnefox.org) From mailscanner at ELKNET.NET Thu Jul 3 20:53:08 2003 From: mailscanner at ELKNET.NET (Alan Fiebig) Date: Thu Jan 12 21:18:49 2006 Subject: Message Size Message-ID: <200307031858.h63IwgS01221@ori.rl.ac.uk> First, I don't want to sound ungrateful, I really do appreciate the new feature to filter on total message size. 
However, when a message is over the set size, MailScanner tags the subject line with the {Virus} tag, and the report message to the recipient is the virus removal message. Likewise, the report back to the sender appears to be the 'Sender Error Report'.

These messages are a bit misleading. If the 'Maximum Message Size' filter doesn't warrant having its own tag, report to recipient, and report to sender, could you perhaps have that trigger use the 'Bad filename' report, 'Sender Bad Filename' report, and 'Filename Subject Text' tag instead? Those make a bit more sense.

Thanks!

-Alan

From kevins at BMRB.CO.UK Thu Jul 3 20:12:04 2003
From: kevins at BMRB.CO.UK (Kevin Spicer)
Date: Thu Jan 12 21:18:49 2006
Subject: Why won't my mail forward?
In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB001175C81@pascal.priv.bmrb.co.uk>
References: <5C0296D26910694BB9A9BBFC577E7AB001175C81@pascal.priv.bmrb.co.uk>
Message-ID: <1057259525.26824.32.camel@bach.kevinspicer.co.uk>

On Thu, 2003-07-03 at 20:03, Jody Cleveland wrote:
> netstat -l | grep smtp
>I get this:
>tcp 0 0 wals.lib.wi.us:smtp *:* LISTEN
>Which is correct, but mail still isn't going through.
>Jody

Just to double check, do...

netstat -ln | grep 25

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000
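
The listener check discussed in this thread, as an added example that is not part of any poster's message: it reads `netstat -l` / `netstat -ln` output and reports whether the SMTP listener is bound to every interface, to loopback only, or to one address, while ignoring the unix-socket lines that a bare `grep 25` also matches. The function names are hypothetical, and the sample lines are constructed from output quoted elsewhere in the thread.

```shell
#!/bin/sh
# classify_smtp_listener: read netstat -l / netstat -ln output on stdin and
# print one verdict per TCP listener on the SMTP port:
#   all        bound to the wildcard address (reachable on every interface)
#   loopback   bound to localhost only; remote hosts cannot connect
#   addr:<x>   bound to one specific address or hostname
# Prints "none" when no TCP listener on port 25/smtp is present.
classify_smtp_listener() {
    awk '
        # Only TCP sockets in LISTEN state. This drops unix-domain sockets
        # whose inode number or path merely contains "25".
        $1 ~ /^tcp/ && $NF == "LISTEN" {
            local_addr = $4
            # The port is whatever follows the last colon, which also
            # handles IPv6 forms such as ":::25" and "::1:25".
            n = split(local_addr, parts, ":")
            port = parts[n]
            if (port != "25" && port != "smtp") next
            host = substr(local_addr, 1, length(local_addr) - length(port) - 1)
            if (host == "*" || host == "0.0.0.0" || host == "::")
                print "all"
            else if (host == "localhost" || host ~ /^127\./ || host == "::1")
                print "loopback"
            else
                print "addr:" host
            found = 1
        }
        END { if (!found) print "none" }
    '
}

# Constructed sample: the "netstat -ln | grep 25" output quoted in the thread.
# The unix lines matched grep only because "25" appears in the inode or path.
sample_netstat_ln() {
    cat <<'EOF'
tcp 0 0 199.242.176.174:25 0.0.0.0:* LISTEN
unix 2 [ ACC ] STREAM LISTENING 61125 /tmp/orbit-cleveland/linc-17aa-0-3848c04ca4212
unix 2 [ ACC ] STREAM LISTENING 61169 /tmp/orbit-cleveland/linc-17ae-0-8d63eec325c8
EOF
}

# Constructed sample: the two "netstat -l | grep smtp" cases from the thread.
sample_netstat_wildcard() { printf '%s\n' 'tcp 0 0 *:smtp *:* LISTEN'; }
sample_netstat_loopback() { printf '%s\n' 'tcp 0 0 localhost:smtp *:* LISTEN'; }

sample_netstat_ln | classify_smtp_listener
```

A verdict of `loopback` means the MTA cannot receive mail from other hosts at all; `addr:` or `all` means the daemon side is fine and the next thing to check is what sits between the listener and the sender.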

From Cleveland at MAIL.WINNEFOX.ORG Thu Jul 3 20:15:06 2003
From: Cleveland at MAIL.WINNEFOX.ORG (Jody Cleveland)
Date: Thu Jan 12 21:18:49 2006
Subject: Why won't my mail forward?
Message-ID: <84CFA712F666B44A94CE6BE116BAF4B0B4EB69@mail.winnefox.org>

> Just to double check, do...
>
> netstat -ln | grep 25

tcp 0 0 199.242.176.174:25 0.0.0.0:* LISTEN
unix 2 [ ACC ] STREAM LISTENING 61125 /tmp/orbit-cleveland/linc-17aa-0-3848c04ca4212
unix 2 [ ACC ] STREAM LISTENING 61169 /tmp/orbit-cleveland/linc-17ae-0-8d63eec325c8

From mailscanner at BARENDSE.TO Thu Jul 3 20:14:57 2003
From: mailscanner at BARENDSE.TO (Remco Barendse)
Date: Thu Jan 12 21:18:49 2006
Subject: DSN: Return receipt ??
In-Reply-To: <08146035CA49D6119A36009027AC822A0264E46E@CITY-EXCH-NTS>
Message-ID:

If your users are on Outlook 2000 too there is no way to disable the DSN messages (both read/unread and successfully delivered etc). It's only possible to do this in Outlook 2000 if you are using it in 'internet mode' where it is simply popping mail from the exchange server and sending via smtp. If you are using Workgroup mode (or whatever it's called) then the option to disable DSN is not available.

This caused me several headaches. MicroGarden Outlook Tools (free app, google is your friend) was only filtering half the crap. I think Julian had a look at the annoying, privacy invading, DSN messages from Exchange/Outlook but it never made it into MailScanner itself.

Anyways the read receipts can be efficiently killed off using sendmail rules although this also blocks incoming DSN messages if you are using them. I can post the sendmail rules to filter the crap if interested. The successfully delivered stuff can be killed from within Exchange (at least in 99% of the cases) using the tick box in the earlier mail.

On Thu, 3 Jul 2003, Kevin Miller wrote:

> Ah - after chewing on your reply for a couple minutes I think you hit the
> nail on the head. It's the client that's doing it, not Exchange.
We're > using Exange 5.5 & LookOut 2000, so we're a bit behind you version wise, but > I just checked my client and turned off automatic processing of requests & > responses on arrival. It would make sense that the client is where the > reply would generate from, not the server as the server may not know when > the message is actually read - just when it's retrieved. > > So I guess egress filtering on auto-replies is the only practical option > unless you force all users to use a stock client profile where the > auto-replies have been disabled. Not sure if the best place to filter is in > Sendmail or MailScanner - to new to both to make an intelligent guess, but > maybe others here can chime in... > > ...Kevin > ------------------- > Kevin Miller Registered Linux User No: 307357 > CBJ MIS Dept. Network Systems Administrator, Mail > Administrator > 155 South Seward Street ph: (907) 586-0242 > Juneau, Alaska 99801 fax: (907 586-4500 > > > >-----Original Message----- > >From: Remco Barendse [mailto:mailscanner@barendse.to] > >Sent: Thursday, July 03, 2003 12:07 AM > >To: MailScanner mailing list > >Cc: Kevin Miller > >Subject: Re: DSN: Return receipt ?? > > > > > >Tried that already, i think (suspect!) that the only thing > >that that tab > >kills are the messages : "Your message has been successfully > >delivered to" > >for most (certainly not all, see the status reply because of which I > >started this thread) messages. > > > >There is absolutely no way to disable read/not read messages, > >at least not > >when your clients on Exchange are running Outlook 2000. Outlook XP > >supposedly has an option to disable this 'feature'. I even tried > >installing Microgarden Outlook Tools for Outlook 2000 but this > >only helped > >for about half of the messages received, for the other half > >Outlook was > >still happily reporting which e-mail went where and who read it. > > > >This is why I chose to kill the messages of based on subject > >headers. 
Even > >if the client could disable it I don't want to rely on my > >users to disable > >this feature to prevent leaking any information. I don't want > >anybody to > >know when my users read their e-mail, it's kind of embarrasing if a > >scretary says someone is out of office but they get a read > >receipt message > >a couple of minutes later on an e-mail they sent. > > > >I just checked my maillog after setting the options > >define(`confPRIVACY_FLAGS', > >`authwarnings,goaway,noreceipts,restrictqrun,restrictexpand')dnl > > > >in my sendmail.mc but I still see read/not read messages being > >discarded. > > > >I hope that this line in sendmail.mc does kill the last of the > >annoying > >successfully delivered/could not be delivered to messages. > From Cleveland at MAIL.WINNEFOX.ORG Thu Jul 3 20:19:10 2003 From: Cleveland at MAIL.WINNEFOX.ORG (Jody Cleveland) Date: Thu Jan 12 21:18:49 2006 Subject: Why won't my mail forward? Message-ID: <84CFA712F666B44A94CE6BE116BAF4B0B4EB6A@mail.winnefox.org> > Additionally, you need to add your domain to /etc/mail/relay-domains > > Make sure you run 'make' in the /etc/mail directory after > modifying the mailertable. I had done that all ready. > Also, see if you can telnet to port 25 of your redhat box > from another workstation. I did that, and this is what came up: 220 wals.lib.wi.us ESMTP Sendmail 8.12.8/8.12.8; Thu, 3 Jul 2003 14:17:46 -0500 Jody From kevins at BMRB.CO.UK Thu Jul 3 20:21:21 2003 From: kevins at BMRB.CO.UK (Kevin Spicer) Date: Thu Jan 12 21:18:49 2006 Subject: Why won't my mail forward? In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB001175C85@pascal.priv.bmrb.co.uk> References: <5C0296D26910694BB9A9BBFC577E7AB001175C85@pascal.priv.bmrb.co.uk> Message-ID: <1057260081.26826.36.camel@bach.kevinspicer.co.uk> On Thu, 2003-07-03 at 20:15, Jody Cleveland wrote: > Just to double check, do... > > netstat -ln | grep 25 >tcp 0 0 199.242.176.174:25 0.0.0.0:* >LISTEN Yeah, thats correct (assuming thats your public IP). 
Is there a firewall in the way, or have you got iptables misconfigured (see if theres any iptables logs relating to port 25 in /var/log/messages) As Mike suggested try connecting to port 25 remotely using telnet. BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. From mailscanner at ecs.soton.ac.uk Thu Jul 3 20:17:47 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:18:49 2006 Subject: Message Size In-Reply-To: <200307031858.h63IwgS01221@ori.rl.ac.uk> Message-ID: <5.2.1.1.2.20030703201407.03c9f8e0@imap.ecs.soton.ac.uk> At 20:53 03/07/2003, you wrote: >First, I don't want to sound ungrateful, I really do appreciate the new >feature to filter on total message size. > >However, when a message is over the set size, MailScanner tags the subject >line with the {Virus} tag, and the report message to the receipient is the >virus removal message. Likewise, the report back to the sender appears to >be the 'Sender Error Report'. > >These messages are a bit misleading. If the 'Maximum Message Size' filter >doesn't warrant having its own tag, report to receipient, and report to >sender, could you perhaps have that trigger use the 'Bad filename' report, >'Sender Bad Filename' report, and 'Filename Subject Text' tag instead? >Those make a bit more sense. Can you double check that you don't get the bad filename report please? It adds the same type of report to the message as the filename checks. 
To prove the point, the filename checks do this:

    MailScanner::Log::InfoLog("Filename Checks: %s (%s)", $logtext, $attach);
    $message->{namereports}{$safename} .= "$usertext ($safename)\n";
    $message->{nametypes}{$safename} .= "f";
    $counter++;
    $message->{nameinfected}++;

while the filetype checks do this:

    MailScanner::Log::InfoLog("Filetype Checks: %s (%s)", $logtext, $attach);
    $message->{namereports}{$safename} .= "$usertext ($safename)\n";
    $message->{nametypes}{$safename} .= "f";
    $counter++;
    $message->{nameinfected}++;

You may notice a slight similarity in the code...
--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

From mike at CAMAROSS.NET Thu Jul 3 20:21:44 2003
From: mike at CAMAROSS.NET (Mike Kercher)
Date: Thu Jan 12 21:18:49 2006
Subject: Why won't my mail forward?
In-Reply-To: <84CFA712F666B44A94CE6BE116BAF4B0B4EB6A@mail.winnefox.org>
Message-ID: <00b901c34198$5758d5e0$9c01a8c0@home.middlefinger.net>

Looks like there is a firewall in the way as I am not able to connect to your IP port 25. What you should do is set the primary MX to be the IP of your sendmail server and then it will forward all mail (based on the mailertable entry) to your exchange server.

Mike

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Jody Cleveland
Sent: Thursday, July 03, 2003 2:19 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Why won't my mail forward?

> Additionally, you need to add your domain to /etc/mail/relay-domains
>
> Make sure you run 'make' in the /etc/mail directory after modifying
> the mailertable.

I had done that already.

> Also, see if you can telnet to port 25 of your redhat box from another
> workstation.

I did that, and this is what came up: 220 wals.lib.wi.us ESMTP Sendmail 8.12.8/8.12.8; Thu, 3 Jul 2003 14:17:46 -0500 Jody From richard.lush at NTLWORLD.COM Thu Jul 3 20:28:08 2003 From: richard.lush at NTLWORLD.COM (Richard Lush) Date: Thu Jan 12 21:18:49 2006 Subject: Why won't my mail forward? Message-ID: <8C4A83966C27354C928048C4A1620EF88F18@lando.rebel.com> Jody, Is the mail getting bounced back from exchange or is it just not getting there? Richard -----Original Message----- From: Jody Cleveland [mailto:Cleveland@MAIL.WINNEFOX.ORG] Sent: 03 July 2003 19:51 To: MAILSCANNER@JISCMAIL.AC.UK Hello, I'm trying to setup a redhat server that takes all incoming mail and then forwards it on to an exchange server. I've got sendmail setup, MailScanner, and spamassassin, and I am able to send mail out. My problem is, it's not getting mail and forwarding it on. I've got the mx record setup properly. My question is, does Sendmail automatically listen on all IP addresses? Is there something else I should be looking at? -- Jody Cleveland (cleveland@mail.winnefox.org) From Cleveland at MAIL.WINNEFOX.ORG Thu Jul 3 20:30:27 2003 From: Cleveland at MAIL.WINNEFOX.ORG (Jody Cleveland) Date: Thu Jan 12 21:18:49 2006 Subject: Why won't my mail forward? Message-ID: <84CFA712F666B44A94CE6BE116BAF4B0B4EB6E@mail.winnefox.org> > Is the mail getting bounced back from exchange or is it just > not getting there? It gets lost into oblivion. I don't get any bounced messages back, and the message never reaches the destination. Jody From mike at CAMAROSS.NET Thu Jul 3 20:37:59 2003 From: mike at CAMAROSS.NET (Mike Kercher) Date: Thu Jan 12 21:18:49 2006 Subject: Why won't my mail forward? In-Reply-To: <84CFA712F666B44A94CE6BE116BAF4B0B4EB6E@mail.winnefox.org> Message-ID: <00bd01c3419a$9c094c90$9c01a8c0@home.middlefinger.net> What happens if you run 'mailq' on the sendmail server? 
Mike -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Jody Cleveland Sent: Thursday, July 03, 2003 2:30 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Why won't my mail forward? > Is the mail getting bounced back from exchange or is it just not > getting there? It gets lost into oblivion. I don't get any bounced messages back, and the message never reaches the destination. Jody From Cleveland at MAIL.WINNEFOX.ORG Thu Jul 3 20:42:39 2003 From: Cleveland at MAIL.WINNEFOX.ORG (Jody Cleveland) Date: Thu Jan 12 21:18:50 2006 Subject: Why won't my mail forward? Message-ID: <84CFA712F666B44A94CE6BE116BAF4B0B4EB70@mail.winnefox.org> > What happens if you run 'mailq' on the sendmail server? /var/spool/mqueue is empty Total requests: 0 Also, I had the network admin open port 25 on that machine, but still no go. Jody From kevins at BMRB.CO.UK Thu Jul 3 20:43:03 2003 From: kevins at BMRB.CO.UK (Kevin Spicer) Date: Thu Jan 12 21:18:50 2006 Subject: Why won't my mail forward? In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB001175C8C@pascal.priv.bmrb.co.uk> References: <5C0296D26910694BB9A9BBFC577E7AB001175C8C@pascal.priv.bmrb.co.uk> Message-ID: <1057261386.29329.1.camel@bach.kevinspicer.co.uk> >It gets lost into oblivion. I don't get any bounced messages back, and >the message never reaches the destination. So it gets accepted? Is there anything in mqueue.in or mqueue? What does it say in the maillog? BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. 
BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. From mike at CAMAROSS.NET Thu Jul 3 20:45:07 2003 From: mike at CAMAROSS.NET (Mike Kercher) Date: Thu Jan 12 21:18:50 2006 Subject: Why won't my mail forward? In-Reply-To: <84CFA712F666B44A94CE6BE116BAF4B0B4EB70@mail.winnefox.org> Message-ID: <00bf01c3419b$9b74df50$9c01a8c0@home.middlefinger.net> I am able to connect now, but this doesn't look like a normal sendmail response: telnet 199.242.176.174 25 Trying 199.242.176.174... Connected to 199.242.176.174 (199.242.176.174). Escape character is '^]'. 220 *********************************2******2***************200************0*00 Mike -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Jody Cleveland Sent: Thursday, July 03, 2003 2:43 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Why won't my mail forward? > What happens if you run 'mailq' on the sendmail server? /var/spool/mqueue is empty Total requests: 0 Also, I had the network admin open port 25 on that machine, but still no go. Jody From Cleveland at MAIL.WINNEFOX.ORG Thu Jul 3 20:53:00 2003 From: Cleveland at MAIL.WINNEFOX.ORG (Jody Cleveland) Date: Thu Jan 12 21:18:50 2006 Subject: Why won't my mail forward? Message-ID: <84CFA712F666B44A94CE6BE116BAF4B0B4EB71@mail.winnefox.org> > So it gets accepted? Seems to. > Is there anything in mqueue.in or mqueue? No. > What does it say in the maillog? A lot of mailscanner stuff about starting, and f-prot updating. 
Also, this quite a bit:

Jul 3 14:28:43 mystique sendmail[8501]: h63JHkEd008501: [172.30.2.136] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Jul 3 14:38:53 mystique sendmail[8518]: h63JciEd008518: [172.30.2.136] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Jul 3 14:44:48 mystique sendmail[8526]: h63JgfEd008526: [172.30.2.136] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Jul 3 14:45:04 mystique sendmail[8531]: h63Jj0Ed008531: [172.30.2.136] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA

172.30.2.136 is my machine's IP address. What exactly does that message mean?

Jody

From mikea at MIKEA.ATH.CX Thu Jul 3 20:53:37 2003
From: mikea at MIKEA.ATH.CX (mikea)
Date: Thu Jan 12 21:18:50 2006
Subject: Why won't my mail forward?
In-Reply-To: <00bf01c3419b$9b74df50$9c01a8c0@home.middlefinger.net>; from mike@CAMAROSS.NET on Thu, Jul 03, 2003 at 02:45:07PM -0500
References: <84CFA712F666B44A94CE6BE116BAF4B0B4EB70@mail.winnefox.org> <00bf01c3419b$9b74df50$9c01a8c0@home.middlefinger.net>
Message-ID: <20030703145337.B98124@mikea.ath.cx>

On Thu, Jul 03, 2003 at 02:45:07PM -0500, Mike Kercher wrote:
> I am able to connect now, but this doesn't look like a normal sendmail
> response:
>
> telnet 199.242.176.174 25
> Trying 199.242.176.174...
> Connected to 199.242.176.174 (199.242.176.174).
> Escape character is '^]'.
> 220
> *********************************2******2***************200************0*00

That looks like one of those inexpensive hardware "home firewalls" that had some firmware bugs discussed *VERY* heavily a year or two back. You might Google on that string.

--
Mike Andrews
mikea@mikea.ath.cx
Tired old sysadmin since 1964

From kevins at BMRB.CO.UK Thu Jul 3 20:54:12 2003
From: kevins at BMRB.CO.UK (Kevin Spicer)
Date: Thu Jan 12 21:18:50 2006
Subject: Why won't my mail forward?
In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB001175C90@pascal.priv.bmrb.co.uk>
References: <5C0296D26910694BB9A9BBFC577E7AB001175C90@pascal.priv.bmrb.co.uk>
Message-ID: <1057262053.29328.4.camel@bach.kevinspicer.co.uk>

>telnet 199.242.176.174 25
>Trying 199.242.176.174...
>Connected to 199.242.176.174 (199.242.176.174).
>Escape character is '^]'.
>220
>********************2******2***************200************0*00

Well it speaks SMTP, but if that's an attempt to obfuscate the banner be aware that breaks an RFC, you must give the hostname.

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000

From Cleveland at MAIL.WINNEFOX.ORG Thu Jul 3 20:56:33 2003
From: Cleveland at MAIL.WINNEFOX.ORG (Jody Cleveland)
Date: Thu Jan 12 21:18:50 2006
Subject: Why won't my mail forward?
Message-ID: <84CFA712F666B44A94CE6BE116BAF4B0B4EB74@mail.winnefox.org>

> That looks like one of those inexpensive hardware "home
> firewalls" that had some firmware bugs discussed *VERY*
> heavily a year or two back. You might Google on that string.

Actually, it's a PIX firewall. And, from what I understand, it was very expensive. It is about 3 years old though. We're hoping to get a linux firewall in place soon.

Jody

From mikea at MIKEA.ATH.CX Thu Jul 3 20:56:28 2003
From: mikea at MIKEA.ATH.CX (mikea)
Date: Thu Jan 12 21:18:50 2006
Subject: Why won't my mail forward?
In-Reply-To: <84CFA712F666B44A94CE6BE116BAF4B0B4EB71@mail.winnefox.org>; from Cleveland@MAIL.WINNEFOX.ORG on Thu, Jul 03, 2003 at 02:53:00PM -0500 References: <84CFA712F666B44A94CE6BE116BAF4B0B4EB71@mail.winnefox.org> Message-ID: <20030703145628.C98124@mikea.ath.cx> On Thu, Jul 03, 2003 at 02:53:00PM -0500, Jody Cleveland wrote: > > So it gets accepted? > > Seems to. > > > Is there anything in mqueue.in or mqueue? > > No. > > > What does it say in the maillog? > > A lot of mailscanner stuff about starting, and f-prot updating. Also, > this quite a bit: > Jul 3 14:28:43 mystique sendmail[8501]: h63JHkEd008501: [172.30.2.136] > did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA > Jul 3 14:38:53 mystique sendmail[8518]: h63JciEd008518: [172.30.2.136] > did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA > Jul 3 14:44:48 mystique sendmail[8526]: h63JgfEd008526: [172.30.2.136] > did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA > Jul 3 14:45:04 mystique sendmail[8531]: h63Jj0Ed008531: [172.30.2.136] > did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA > > 172.30.2.136 is my machine's IP address. What exactly does that message > mean? That something connected, and disconnected without issuing any of the MAIL, EXPN, VRFY, or ETRN commands. That, coupled with my (too vague, darn it!) memories of problems with a firewall that responded like that, make me wonder if the hardware or firmware is getting in the way. -- Mike Andrews mikea@mikea.ath.cx Tired old sysadmin since 1964 From mikea at MIKEA.ATH.CX Thu Jul 3 20:57:27 2003 From: mikea at MIKEA.ATH.CX (mikea) Date: Thu Jan 12 21:18:50 2006 Subject: Why won't my mail forward? 
In-Reply-To: <84CFA712F666B44A94CE6BE116BAF4B0B4EB74@mail.winnefox.org>; from Cleveland@MAIL.WINNEFOX.ORG on Thu, Jul 03, 2003 at 02:56:33PM -0500
References: <84CFA712F666B44A94CE6BE116BAF4B0B4EB74@mail.winnefox.org>
Message-ID: <20030703145727.D98124@mikea.ath.cx>

On Thu, Jul 03, 2003 at 02:56:33PM -0500, Jody Cleveland wrote:
> > That looks like one of those inexpensive hardware "home
> > firewalls" that had some firmware bugs discussed *VERY*
> > heavily a year or two back. You might Google on that string.
>
> Actually, it's a PIX firewall. And, from what I understand, it was very
> expensive. It is about 3 years old though. We're hoping to get a linux
> firewall in place soon.

That's It! THAT'S **IT**!

Check for firmware upgrades, and google for problems with PIX firewalls.

--
Mike Andrews
mikea@mikea.ath.cx
Tired old sysadmin since 1964

From Cleveland at MAIL.WINNEFOX.ORG Thu Jul 3 21:00:36 2003
From: Cleveland at MAIL.WINNEFOX.ORG (Jody Cleveland)
Date: Thu Jan 12 21:18:50 2006
Subject: Why won't my mail forward?
Message-ID: <84CFA712F666B44A94CE6BE116BAF4B0B4EB77@mail.winnefox.org>

> That's It! THAT'S **IT**!
>
> Check for firmware upgrades, and google for problems with PIX
> firewalls.

See, the thing is, I've got another redhat 8 box right next to this one, and it's working fine. I've mirrored all the settings with sendmail and mailscanner and the firewall, but there must be something else I'm missing...

--
Jody Cleveland
(cleveland@mail.winnefox.org)

From richard.lush at NTLWORLD.COM Thu Jul 3 21:00:21 2003
From: richard.lush at NTLWORLD.COM (Richard Lush)
Date: Thu Jan 12 21:18:50 2006
Subject: Why won't my mail forward?
Message-ID: <8C4A83966C27354C928048C4A1620EF88F19@lando.rebel.com>

Is the firewall between the sendmail box and the Exchange server? (sorry if that has already been answered).
Richard

-----Original Message-----
From: mikea [mailto:mikea@MIKEA.ATH.CX]
Sent: 03 July 2003 20:57
To: MAILSCANNER@JISCMAIL.AC.UK

On Thu, Jul 03, 2003 at 02:56:33PM -0500, Jody Cleveland wrote:
> > That looks like one of those inexpensive hardware "home firewalls"
> > that had some firmware bugs discussed *VERY* heavily a year or two
> > back. You might Google on that string.
>
> Actually, it's a PIX firewall. And, from what I understand, it was
> very expensive. It is about 3 years old though. We're hoping to get a
> linux firewall in place soon.

That's It! THAT'S **IT**!

Check for firmware upgrades, and google for problems with PIX firewalls.

--
Mike Andrews
mikea@mikea.ath.cx
Tired old sysadmin since 1964

From richard.lush at NTLWORLD.COM Thu Jul 3 21:01:09 2003
From: richard.lush at NTLWORLD.COM (Richard Lush)
Date: Thu Jan 12 21:18:50 2006
Subject: Why won't my mail forward?
Message-ID: <8C4A83966C27354C928048C4A1620EF8C074@lando.rebel.com>

Check the following:

1. SMTP Configuration on the exchange server - i.e. The Recipients Policy is configured for all external SMTP addresses which it handles.
2. DNS MX records
3. I've setup /etc/mail/access with the internal SMTP domains (not sure if this is needed though)
4. check the mailertable
5. Check that you can telnet to the exchange server's SMTP connection

Short of those things not sure what else to check.

Richard

-----Original Message-----
From: Jody Cleveland [mailto:Cleveland@MAIL.WINNEFOX.ORG]
Sent: 03 July 2003 20:30
To: MAILSCANNER@JISCMAIL.AC.UK

> Is the mail getting bounced back from exchange or is it just not
> getting there?

It gets lost into oblivion. I don't get any bounced messages back, and the message never reaches the destination.

Jody

From Cleveland at MAIL.WINNEFOX.ORG Thu Jul 3 21:01:38 2003
From: Cleveland at MAIL.WINNEFOX.ORG (Jody Cleveland)
Date: Thu Jan 12 21:18:50 2006
Subject: Why won't my mail forward?
Message-ID: <84CFA712F666B44A94CE6BE116BAF4B0B4EB78@mail.winnefox.org>

> Well it speaks SMTP, but if that's an attempt to obfuscate the
> banner be aware that breaks an rfc, you must give the hostname.

I'm afraid I don't understand.

Jody

From mike at CAMAROSS.NET Thu Jul 3 20:58:56 2003
From: mike at CAMAROSS.NET (Mike Kercher)
Date: Thu Jan 12 21:18:50 2006
Subject: Why won't my mail forward?
In-Reply-To: <84CFA712F666B44A94CE6BE116BAF4B0B4EB77@mail.winnefox.org>
Message-ID: <00c501c3419d$892d63b0$9c01a8c0@home.middlefinger.net>

What is the IP of that other RH box?

Mike

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Jody Cleveland
Sent: Thursday, July 03, 2003 3:01 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Why won't my mail forward?

> That's It! THAT'S **IT**!
>
> Check for firmware upgrades, and google for problems with PIX
> firewalls.

See, the thing is, I've got another redhat 8 box right next to this one, and it's working fine. I've mirrored all the settings with sendmail and mailscanner and the firewall, but there must be something else I'm missing...

--
Jody Cleveland
(cleveland@mail.winnefox.org)

From kevins at BMRB.CO.UK Thu Jul 3 21:02:18 2003
From: kevins at BMRB.CO.UK (Kevin Spicer)
Date: Thu Jan 12 21:18:50 2006
Subject: Why won't my mail forward?
In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB001175C91@pascal.priv.bmrb.co.uk>
References: <5C0296D26910694BB9A9BBFC577E7AB001175C91@pascal.priv.bmrb.co.uk>
Message-ID: <1057262538.29329.6.camel@bach.kevinspicer.co.uk>

>Jul 3 14:45:04 mystique sendmail[8531]: h63Jj0Ed008531: [172.30.2.136]
>did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
>172.30.2.136 is my machine's IP address. What exactly does that message
>mean?
That's probably you connecting with telnet, then aborting

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000

From Cleveland at MAIL.WINNEFOX.ORG Thu Jul 3 21:02:50 2003
From: Cleveland at MAIL.WINNEFOX.ORG (Jody Cleveland)
Date: Thu Jan 12 21:18:50 2006
Subject: Why won't my mail forward?
Message-ID: <84CFA712F666B44A94CE6BE116BAF4B0B4EB79@mail.winnefox.org>

> Is the firewall between the sendmail box and the Exchange
> server? (sorry if that has already been answered).

I'm great with pc's, but not as much when it comes to the networking side of it. That said, all internal pc's, including servers, are inside the firewall.

Jody

From Cleveland at MAIL.WINNEFOX.ORG Thu Jul 3 21:03:35 2003
From: Cleveland at MAIL.WINNEFOX.ORG (Jody Cleveland)
Date: Thu Jan 12 21:18:50 2006
Subject: Why won't my mail forward?
Message-ID: <84CFA712F666B44A94CE6BE116BAF4B0B4EB7A@mail.winnefox.org>

> What is the IP of that other RH box?

199.242.176.169

Jody

From mike at CAMAROSS.NET Thu Jul 3 21:03:03 2003
From: mike at CAMAROSS.NET (Mike Kercher)
Date: Thu Jan 12 21:18:50 2006
Subject: Why won't my mail forward?
In-Reply-To: <84CFA712F666B44A94CE6BE116BAF4B0B4EB7A@mail.winnefox.org>
Message-ID: <00c601c3419e$1c9cc460$9c01a8c0@home.middlefinger.net>

I'm getting the same banner:

telnet 199.242.176.169 25
Trying 199.242.176.169...
Connected to 199.242.176.169 (199.242.176.169).
Escape character is '^]'.
220 *************************************2******2***************200*****0******0
*00

Here's what I get when I connect to one of mine:

telnet 207.189.28.75 25
Trying 207.189.28.75...
Connected to 207.189.28.75.
Escape character is '^]'.
220 redline.camaross.net ESMTP Sendmail 8.11.6/8.11.6; Thu, 3 Jul 2003 15:17:41 -0500

I'd look at the firewall as suggested earlier.

Mike

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Jody Cleveland
Sent: Thursday, July 03, 2003 3:04 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Why won't my mail forward?

> What is the IP of that other RH box?

199.242.176.169

Jody

From kevins at BMRB.CO.UK Thu Jul 3 21:09:44 2003
From: kevins at BMRB.CO.UK (Kevin Spicer)
Date: Thu Jan 12 21:18:50 2006
Subject: Why won't my mail forward?
In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB001175C9E@pascal.priv.bmrb.co.uk>
References: <5C0296D26910694BB9A9BBFC577E7AB001175C9E@pascal.priv.bmrb.co.uk>
Message-ID: <1057262985.29327.11.camel@bach.kevinspicer.co.uk>

Jody,

I've just sent a mail to you at that machine using telnet (speaking smtp), here's the transaction (my IP obscured). Apart from the odd banner all seemed well, perhaps you could grep your mail log for h63K3HEd008666 and post the result...

Trying 199.242.176.174...
Connected to 199.242.176.174 (199.242.176.174).
Escape character is '^]'.
220 *********************************2******2***************200*****0******0*00
helo bach.kevinspicer.co.uk
250 wals.lib.wi.us Hello 213-152-53-60.dsl.eclipse.net.uk [213.152.53.60], pleased to meet you
mail from:kevin@kevinspicer.co.uk
250 2.1.0 kevin@kevinspicer.co.uk... Sender ok
rcpt to:cleveland@mail.winnefox.org
250 2.1.5 cleveland@mail.winnefox.org... Recipient ok
data
354 Enter mail, end with "." on a line by itself
Hello Jody, Kevin from the MailScanner list here, sending you a test message
.
250 2.0.0 h63K3HEd008666 Message accepted for delivery
quit
221 2.0.0 wals.lib.wi.us closing connection
Connection closed by foreign host.

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000

From mailscanner at ELKNET.NET Thu Jul 3 22:04:19 2003
From: mailscanner at ELKNET.NET (Alan Fiebig)
Date: Thu Jan 12 21:18:50 2006
Subject: Message Size
Message-ID: <200307032009.h63K9rS14552@ori.rl.ac.uk>

Julian,

The sender of the oversized message is receiving the 'sender.error.report.txt' message, not the 'sender.filename.report.txt'.

Here is a copy of one I received when I tested the feature. Note that it's the report about not being able to fully analyse the message, yet the '$report' variable at the bottom clearly shows it was the size filter that snagged it.

##################################################################
Subject: Warning: Your E-mail to training@elknet.net was rejected
X-ElkNetMailScrubber: generated

Our virus detector failed to completely analyse a message you sent:-

To: training@elknet.net
Subject: second large test
Date: Thu Jul 3 13:40:45 2003

Any parts of the message that could not be analysed will not have been delivered.

If you are using Microsoft Outlook, we strongly recommend you change your outgoing message format from "Rich Text" to "HTML" or "Plain Text".
The virus detector said this about the message:
Report: Message is too large

--
ElkNet Postmaster
ElkNet E-Mail Scrubbing Service
##################################################################

MailScanner then removes the entire message, and sends the 'deleted.virus.message.txt' to the recipient, with a new attachment that contains an explanation regarding the removal of the attachment. The subject of this message has been modified with the {virus} tag.

Hope that helps!

-Alan

>Can you double check that you don't get the bad filename report please? It
>adds the same type of report to the message as the filename checks.
>
>To prove the point, the filename checks do this:
>    MailScanner::Log::InfoLog("Filename Checks: %s (%s)",
>                              $logtext, $attach);
>    $message->{namereports}{$safename} .= "$usertext ($safename)\n";
>    $message->{nametypes}{$safename} .= "f";
>    $counter++;
>    $message->{nameinfected}++;
>while the filetype checks do this:
>    MailScanner::Log::InfoLog("Filetype Checks: %s (%s)",
>                              $logtext, $attach);
>    $message->{namereports}{$safename} .= "$usertext ($safename)\n";
>    $message->{nametypes}{$safename} .= "f";
>    $counter++;
>    $message->{nameinfected}++;
>
>You may notice a slight similarity in the code...
>--
>Julian Field
>www.MailScanner.info
>Professional Support Services at www.MailScanner.biz
>MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Thu Jul 3 21:10:38 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:18:50 2006
Subject: OT Re: Why won't my mail forward?
In-Reply-To: <84CFA712F666B44A94CE6BE116BAF4B0B4EB7A@mail.winnefox.org>
Message-ID: <5.2.1.1.2.20030703210915.03cd73f8@imap.ecs.soton.ac.uk>

This is really rather OT, and there have been 30 messages I have seen in this thread so far.

Any chance a few of you could take the investigation off-list please, and just post to the list once you've got it sorted or you all run out of ideas and need some extra input from others?
At 21:03 03/07/2003, you wrote:
> > What is the IP of that other RH box?
>
>199.242.176.169
>
>Jody

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

From Cleveland at MAIL.WINNEFOX.ORG Thu Jul 3 21:13:15 2003
From: Cleveland at MAIL.WINNEFOX.ORG (Jody Cleveland)
Date: Thu Jan 12 21:18:50 2006
Subject: Why won't my mail forward?
Message-ID: <84CFA712F666B44A94CE6BE116BAF4B0B4EB7D@mail.winnefox.org>

> perhaps you could grep your mail log for h63K3HEd008666 and post the result...

Jul 3 15:05:12 mystique MailScanner[8392]: Spam Checks: Starting
Jul 3 15:05:12 mystique MailScanner[8392]: Virus and Content Scanning: Starting
Jul 3 15:05:12 mystique MailScanner[8392]: Uninfected: Delivered 1 messages
Jul 3 15:05:13 mystique sendmail[8683]: h63K3HEd008666: to=cleveland@mail.winnefox.org, delay=00:00:53, xdelay=00:00:01, mailer=esmtp, pri=120077, relay=mail.winnefox.org. [199.242.176.171], dsn=2.0.0, stat=Sent (OK)

After you sent that, I tried with my yahoo account. I noticed it sent right after yours. So, they are now being caught by MailScanner. However, they are not being forwarded to the exchange server. Well, yours did, but the two I did, did not.

Jody

From mike at CAMAROSS.NET Thu Jul 3 21:10:55 2003
From: mike at CAMAROSS.NET (Mike Kercher)
Date: Thu Jan 12 21:18:50 2006
Subject: OT Re: Why won't my mail forward?
In-Reply-To: <5.2.1.1.2.20030703210915.03cd73f8@imap.ecs.soton.ac.uk>
Message-ID: <00c701c3419f$3620f180$9c01a8c0@home.middlefinger.net>

Julian,

Seems like we run into this from time to time. What would be the odds you could setup an OT mailing list? I can do it on one of my servers if you want. Then people that want to subscribe and assist people with OT issues can stay in the loop and lend a hand where needed.
Mike

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Julian Field
Sent: Thursday, July 03, 2003 3:11 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: OT Re: Why won't my mail forward?

This is really rather OT, and there have been 30 messages I have seen in this thread so far.

Any chance a few of you could take the investigation off-list please, and just post to the list once you've got it sorted or you all run out of ideas and need some extra input from others?

At 21:03 03/07/2003, you wrote:
> > What is the IP of that other RH box?
>
>199.242.176.169
>
>Jody

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

From chicks at CHICKS.NET Thu Jul 3 20:16:12 2003
From: chicks at CHICKS.NET (Christopher Hicks)
Date: Thu Jan 12 21:18:50 2006
Subject: mailing list for OT stuff
In-Reply-To: <00c701c3419f$3620f180$9c01a8c0@home.middlefinger.net>
Message-ID:

On Thu, 3 Jul 2003, Mike Kercher wrote:
> Seems like we run into this from time to time. What would be the odds
> you could setup an OT mailing list? I can do it on one of my servers if
> you want. Then people that want to subscribe and assist people with OT
> issues can stay in the loop and lend a hand where needed.

Oh please call it mailscanner-wizards!

--
The death of democracy is not likely to be an assassination from ambush. It will be a slow extinction from apathy, indifference, and undernourishment. -Robert Maynard Hutchins, educator (1899-1977)

From JFalgout at CO.JEFFERSON.CO.US Thu Jul 3 21:17:04 2003
From: JFalgout at CO.JEFFERSON.CO.US (Jeff Falgout)
Date: Thu Jan 12 21:18:50 2006
Subject: How can I exclude exe attachment from single email address
Message-ID:

Just moved MailScanner into production today * WOOHOO!!

But ...
I'm blocking .exe's using filename.rules.conf, but we have to deal with another company that insists on sending an *IMPORTANT* file as an exe attachment.

Is there a way to allow .exe only from that email address?

Thanks.

Jeff

From mailscanner at ELKNET.NET Thu Jul 3 22:14:38 2003
From: mailscanner at ELKNET.NET (Alan Fiebig)
Date: Thu Jan 12 21:18:50 2006
Subject: MailScanner log entries
Message-ID: <200307032020.h63KKCS16235@ori.rl.ac.uk>

What can I look for in the maillog to see if MailScanner is rejecting messages based on rbl scores?

I have disabled rbl checking in spamassassin and enabled them in MailScanner, but don't see any evidence that they are working.

All mail coming into my network is received by a qmail server. This qmail server then forwards the mail on to my MailScanner server.

Normally, I run rblsmtpd on the qmail server which checks 6 or 7 different rbl sites. This works perfectly, and I can see many rejections per minute in the qmail logs, so I know I'm receiving mail from sites that should be rejected.

So, on MailScanner, I entered the same list of rbl sites into 'spam.lists.conf' file:

############################################################
dorkslayers orbs.dorkslayers.com.
reynolds rmst.bl.reynolds.net.au.
spamsites spamsites.relays.osirusoft.com.
dnsrbl spam.dnsrbl.net.
flowgoaway flowgoaway.com.
njabl dnsbl.njabl.org.
spamhaus sbl.spamhaus.org.
spamcop bl.spamcop.net.
############################################################

and then I entered them into the 'spam list' space separated:

dorkslayers reynolds spamsites dnsrbl flowgoaway njabl spamhaus spamcop

I set the 'Spam Lists To Reach High Score' to '1' so it should work just like my qmail server for testing purposes.

Then I shut down the rbl checking on the qmail server so that it would accept all messages, but in examining the MailScanner logs, I don't see any evidence that it's rejecting anything based on rbl checks.
a) What text should I be looking for in the logs to see rbl rejections
b) Is there a way to see if MailScanner has experienced timeouts on any of the rbl sites I entered?
c) Is there a way to see if MailScanner has disabled any of my rbl checks due to hitting the max number of timeouts?

Thanks!

From peter at UCGBOOK.COM Thu Jul 3 21:20:13 2003
From: peter at UCGBOOK.COM (Peter Bonivart)
Date: Thu Jan 12 21:18:50 2006
Subject: How can I exclude exe attachment from single email address
In-Reply-To:
References:
Message-ID: <3F048FFD.9040605@ucgbook.com>

You should look into rulesets but you could also tell them to send it in a zip :)

/Peter Bonivart

--Unix lovers do it in the Sun

Jeff Falgout wrote:

> Just moved MailScanner into production today * WOOHOO!!
>
> But ...
>
> I'm blocking .exe's using filename.rules.conf, but we have to deal with another company that insists on sending an *IMPORTANT* file as an exe attachment.
>
> Is there a way to allow .exe only from that email address?
>
> Thanks.
>
> Jeff
>

From mailscanner at ecs.soton.ac.uk Thu Jul 3 21:23:55 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:18:50 2006
Subject: OT Re: Why won't my mail forward?
In-Reply-To: <00c701c3419f$3620f180$9c01a8c0@home.middlefinger.net>
References: <5.2.1.1.2.20030703210915.03cd73f8@imap.ecs.soton.ac.uk>
Message-ID: <5.2.1.1.2.20030703211902.03cc99d0@imap.ecs.soton.ac.uk>

It's only ever happened 3 or 4 times. I'm not convinced many people would read a list which doesn't have an aim except for being about everything except MailScanner.

I believe this is still the right place for occasional OT discussions, and I don't think anyone minds (they don't complain to me anyway). Between us we have collected together a large number of very experienced and helpful mail admins, and I don't want to break that up at all as it is a major part of MailScanner's success. The list just needs the odd nudge once in a while, which is part of my job as list owner.
At 21:10 03/07/2003, you wrote:
>Seems like we run into this from time to time. What would be the odds you
>could setup an OT mailing list? I can do it on one of my servers if you
>want. Then people that want to subscribe and assist people with OT issues
>can stay in the loop and lend a hand where needed.
>
>-----Original Message-----
>From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf
>Of Julian Field
>Sent: Thursday, July 03, 2003 3:11 PM
>To: MAILSCANNER@JISCMAIL.AC.UK
>Subject: OT Re: Why won't my mail forward?
>
>
>This is really rather OT, and there have been 30 messages I have seen in
>this thread so far.
>
>Any chance a few of you could take the investigation off-list please, and
>just post to the list once you've got it sorted or you all run out of ideas
>and need some extra input from others?
>
>At 21:03 03/07/2003, you wrote:
> > > What is the IP of that other RH box?
> >
> >199.242.176.169
> >
> >Jody
>
>--
>Julian Field
>www.MailScanner.info
>Professional Support Services at www.MailScanner.biz MailScanner thanks
>transtec Computers for their support

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Thu Jul 3 21:26:47 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:18:50 2006
Subject: MailScanner log entries
In-Reply-To: <200307032020.h63KKCS16235@ori.rl.ac.uk>
Message-ID: <5.2.1.1.2.20030703212519.03c7bce8@imap.ecs.soton.ac.uk>

Think about what you are doing.

Outside world ---> qmail server ---> MailScanner server

Qmail is getting messages from all over the world, including places that are listed in various RBLs.
But your MailScanner server is only getting mail from your qmail server, which presumably isn't in any RBLs. So it won't report any.
At 22:14 03/07/2003, you wrote:
>What can I look for in the maillog to see if MailScanner is rejecting
>messages based on rbl scores?
>
>I have disabled rbl checking in spamassassin and enabled them in
>MailScanner, but don't see any evidence that they are working.
>
>All mail coming into my network is received by a qmail server. This qmail
>server then forwards the mail on to my MailScanner server.
>
>Normally, I run rblsmtpd on the qmail server which checks 6 or 7 different
>rbl sites. This works perfectly, and I can see many rejections per minute
>in the qmail logs, so I know I'm receiving mail from sites that should be
>rejected.
>
>So, on MailScanner, I entered the same list of rbl sites into
>'spam.lists.conf' file:
>
>############################################################
>dorkslayers orbs.dorkslayers.com.
>reynolds rmst.bl.reynolds.net.au.
>spamsites spamsites.relays.osirusoft.com.
>dnsrbl spam.dnsrbl.net.
>flowgoaway flowgoaway.com.
>njabl dnsbl.njabl.org.
>spamhaus sbl.spamhaus.org.
>spamcop bl.spamcop.net.
>############################################################
>
>and then I entered them into the 'spam list' space separated:
>
> dorkslayers reynolds spamsites dnsrbl flowgoaway njabl spamhaus spamcop
>
>
>I set the 'Spam Lists To Reach High Score' to '1' so it should work just
>like my qmail server for testing purposes.
>
>Then I shut down the rbl checking on the qmail server so that it would
>accept all messages, but in examining the MailScanner logs, I don't see
>any evidence that it's rejecting anything based on rbl checks.
>
>a) What text should I be looking for in the logs to see rbl rejections
>b) Is there a way to see if MailScanner has experienced timeouts on any of
>the rbl sites I entered?
>c) Is there a way to see if MailScanner has disabled any of my rbl checks
>due to hitting the max number of timeouts?
>
>Thanks!
--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

From richard.lush at NTLWORLD.COM Thu Jul 3 21:29:41 2003
From: richard.lush at NTLWORLD.COM (Richard Lush)
Date: Thu Jan 12 21:18:50 2006
Subject: Why won't my mail forward?
Message-ID: <8C4A83966C27354C928048C4A1620EF88F1C@lando.rebel.com>

Can you telnet from the redhat box to the SMTP port on the Exchange Server ok?

-----Original Message-----
From: Jody Cleveland [mailto:Cleveland@MAIL.WINNEFOX.ORG]
Sent: 03 July 2003 21:03
To: MAILSCANNER@JISCMAIL.AC.UK

> Is the firewall between the sendmail box and the Exchange server?
> (sorry if that has already been answered).

I'm great with pc's, but not as much when it comes to the networking side of it. That said, all internal pc's, including servers, are inside the firewall.

Jody

From zen23003 at ZEN.CO.UK Thu Jul 3 21:49:52 2003
From: zen23003 at ZEN.CO.UK (Paul)
Date: Thu Jan 12 21:18:50 2006
Subject: MailScanner log entries
References: <5.2.1.1.2.20030703212519.03c7bce8@imap.ecs.soton.ac.uk>
Message-ID: <005801c341a4$a754cb60$0100000a@lan>

Worth adding too that SpamAssassin, however, digs deeper and checks (I believe) all the hosts that have handled the incoming messages, so disabling it has a big effect.

----- Original Message -----
From: "Julian Field"
To:
Sent: 03 July 2003 21:26
Subject: Re: MailScanner log entries

> Think about what you are doing.
>
> Outside world ---> qmail server ---> MailScanner server
>
> Qmail is getting messages from all over the world, including places that
> are listed in various RBLs.
> But your MailScanner server is only getting mail from your qmail server,
> which presumably isn't in any RBLs. So it won't report any.
>
> At 22:14 03/07/2003, you wrote:
> >What can I look for in the maillog to see if MailScanner is rejecting
> >messages based on rbl scores?
> >
> >I have disabled rbl checking in spamassassin and enabled them in
> >MailScanner, but don't see any evidence that they are working.
> >
> >All mail coming into my network is received by a qmail server. This qmail
> >server then forwards the mail on to my MailScanner server.
> >

From JFalgout at CO.JEFFERSON.CO.US Thu Jul 3 21:50:10 2003
From: JFalgout at CO.JEFFERSON.CO.US (Jeff Falgout)
Date: Thu Jan 12 21:18:50 2006
Subject: How can I exclude exe attachment from single email address
Message-ID:

Been down that road . . .lost that argument.

Yes, rule sets. . . Can you allow only a single type of attachment, or do you just turn off virus scanning for that email address?

Amazing how frustration impairs your vision.

>>> peter@UCGBOOK.COM 7/3/2003 2:20:13 PM >>>
You should look into rulesets but you could also tell them to send it in a zip :)

/Peter Bonivart

--Unix lovers do it in the Sun

Jeff Falgout wrote:

> Just moved MailScanner into production today * WOOHOO!!
>
> But ...
>
> I'm blocking .exe's using filename.rules.conf, but we have to deal with another company that insists on sending an *IMPORTANT* file as an exe attachment.
>
> Is there a way to allow .exe only from that email address?
>
> Thanks.
>
> Jeff
>

From mailscanner at ecs.soton.ac.uk Thu Jul 3 21:57:41 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:18:50 2006
Subject: MailScanner log entries
In-Reply-To: <005801c341a4$a754cb60$0100000a@lan>
References: <5.2.1.1.2.20030703212519.03c7bce8@imap.ecs.soton.ac.uk>
Message-ID: <5.2.1.1.2.20030703215714.020b05b8@imap.ecs.soton.ac.uk>

I don't believe the headers as much as SpamAssassin does :-)

At 21:49 03/07/2003, you wrote:
>Worth adding too that SpamAssassin, however, digs deeper and checks (I
>believe) all the hosts that have handled the incoming messages, so
>disabling it has a big effect.
>
>----- Original Message -----
>From: "Julian Field"
>To:
>Sent: 03 July 2003 21:26
>Subject: Re: MailScanner log entries
>
>
> > Think about what you are doing.
> >
> > Outside world ---> qmail server ---> MailScanner server
> >
> > Qmail is getting messages from all over the world, including places
>that
> > are listed in various RBLs.
> > But your MailScanner server is only getting mail from your qmail
>server,
> > which presumably isn't in any RBLs. So it won't report any.
> >
> > At 22:14 03/07/2003, you wrote:
> > >What can I look for in the maillog to see if MailScanner is rejecting
> > >messages based on rbl scores?
> > >
> > >I have disabled rbl checking in spamassassin and enabled them in
> > >MailScanner, but don't see any evidence that they are working.
> > >
> > >All mail coming into my network is received by a qmail server. This
>qmail
> > >server then forwards the mail on to my MailScanner server.
> > >

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

From kevins at BMRB.CO.UK Thu Jul 3 22:01:03 2003
From: kevins at BMRB.CO.UK (Kevin Spicer)
Date: Thu Jan 12 21:18:50 2006
Subject: How can I exclude exe attachment from single email address
In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB001175CAD@pascal.priv.bmrb.co.uk>
References: <5C0296D26910694BB9A9BBFC577E7AB001175CAD@pascal.priv.bmrb.co.uk>
Message-ID: <1057266064.29327.39.camel@bach.kevinspicer.co.uk>

On Thu, 2003-07-03 at 21:50, Jeff Falgout wrote:

Been down that road . . .lost that argument.

Yes, rule sets. . . Can you allow only a single type of attachment, or do you just turn off virus scanning for that email address?
Filename Rules=/etc/MailScanner/rules/filename.rules.rules

in that file

From: fussy@ss.who.must.send.exes /etc/MailScanner/filename.rules.exeok
From: default /etc/MailScanner/filename.rules.conf

Copy filename.rules.conf to filename.rules.exeok and change the deny next to exe to allow.

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000

From mailscanner at ecs.soton.ac.uk Thu Jul 3 22:06:07 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:18:50 2006
Subject: How can I exclude exe attachment from single email address
In-Reply-To:
Message-ID: <5.2.1.1.2.20030703220014.03c87eb0@imap.ecs.soton.ac.uk>

At 21:17 03/07/2003, you wrote:
>Just moved MailScanner into production today * WOOHOO!!
>
>But ...
>
>I'm blocking .exe's using filename.rules.conf, but we have to deal with
>another company that insists on sending an *IMPORTANT* file as an exe
>attachment.
>
>Is there a way to allow .exe only from that email address?

Copy filename.rules.conf to filename.special.rules.conf.
Edit filename.special.rules.conf and add a rule to the top of it along the lines of
allow \.exe$ - -
(separate those 4 sections with tab characters, not spaces).
Then construct a ruleset in /etc/MailScanner/rules/filename.rules that looks like this:
From: awkward@bugger.com /etc/MailScanner/filename.special.rules.conf
FromOrTo: default /etc/MailScanner/filename.rules.conf

Edit /etc/MailScanner/MailScanner.conf so it uses it
Filename Rules = /etc/MailScanner/rules/filename.rules

Then reload or restart MailScanner.

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

From JFalgout at CO.JEFFERSON.CO.US Thu Jul 3 22:10:31 2003
From: JFalgout at CO.JEFFERSON.CO.US (Jeff Falgout)
Date: Thu Jan 12 21:18:50 2006
Subject: How can I exclude exe attachment from single email address
Message-ID:

Beautiful * Thank you very much!!

>>> mailscanner@ECS.SOTON.AC.UK 7/3/2003 3:06:07 PM >>>
At 21:17 03/07/2003, you wrote:
>Just moved MailScanner into production today * WOOHOO!!
>
>But ...
>
>I'm blocking .exe's using filename.rules.conf, but we have to deal with
>another company that insists on sending an *IMPORTANT* file as an exe
>attachment.
>
>Is there a way to allow .exe only from that email address?

Copy filename.rules.conf to filename.special.rules.conf.
Edit filename.special.rules.conf and add a rule to the top of it along the lines of
allow \.exe$ - -
(separate those 4 sections with tab characters, not spaces).

Then construct a ruleset in /etc/MailScanner/rules/filename.rules that looks like this:
From: awkward@bugger.com /etc/MailScanner/filename.special.rules.conf
FromOrTo: default /etc/MailScanner/filename.rules.conf

Edit /etc/MailScanner/MailScanner.conf so it uses it
Filename Rules = /etc/MailScanner/rules/filename.rules

Then reload or restart MailScanner.
--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Thu Jul 3 22:14:45 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:18:50 2006
Subject: OT Re: Why won't my mail forward?
In-Reply-To: <00d001c341a4$ee5e5f30$9c01a8c0@home.middlefinger.net>
References: <5.2.1.1.2.20030703211902.03cc99d0@imap.ecs.soton.ac.uk>
Message-ID: <5.2.1.1.2.20030703220721.020dbeb8@imap.ecs.soton.ac.uk>

What I think would be the best idea (and may well be what you are already
thinking) is to announce, when needed, that a thread is being moved to the
OT list until it is resolved or further assistance from the main list is
required, at which point it is moved back to the main list.

So it becomes an ad hoc discussion forum that is used when needed, but
questions still start life on the main list. They are only moved when it is
obvious there is going to need to be a lot of OT discussion to resolve the
issues. That way no-one needs to regularly read the OT list unless they
want to partake in a particular discussion that has been moved there. I
mostly want to avoid people having to regularly read anything other than
the main list.

It would be really good if you could set up the mailing list software with
a filter that recognised messages whose subject doesn't start with "Re:"
(or any reasonable translations of that). It could then reply to the sender
that new discussions should not start there, as no-one may be reading it at
the time.

At 21:51 03/07/2003, you wrote:
>Would you be opposed to me creating a list for OT discussions and announcing
>it to the list? The reason is that people like this Jody Cleveland could
>benefit from input from many people and we could keep it from cluttering the
>mail list.
>
>Mike
>
>
>-----Original Message-----
>From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf
>Of Julian Field
>Sent: Thursday, July 03, 2003 3:24 PM
>To: MAILSCANNER@JISCMAIL.AC.UK
>Subject: Re: OT Re: Why won't my mail forward?
>
>
>It's only ever happened 3 or 4 times. I'm not convinced many people would
>read a list which doesn't have an aim except for being about everything
>except MailScanner.
>
>I believe this is still the right place for occasional OT discussions, and I
>don't think anyone minds (they don't complain to me anyway). Between us we
>have collected together a large number of very experienced and helpful mail
>admins, and I don't want to break that up at all as it is a major part of
>MailScanner's success. The list just needs the odd nudge once in a while,
>which is part of my job as list owner.
>
>At 21:10 03/07/2003, you wrote:
> >Seems like we run into this from time to time. What would be the odds
> >you could setup an OT mailing list? I can do it on one of my servers
> >if you want. Then people that want to subscribe and assist people with
> >OT issues can stay in the loop and lend a hand where needed.
> >
> >-----Original Message-----
> >From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On
> >Behalf Of Julian Field
> >Sent: Thursday, July 03, 2003 3:11 PM
> >To: MAILSCANNER@JISCMAIL.AC.UK
> >Subject: OT Re: Why won't my mail forward?
> >
> >
> >This is really rather OT, and there have been 30 messages I have seen
> >in this thread so far.
> >
> >Any chance a few of you could take the investigation off-list please,
> >and just post to the list once you've got it sorted or you all run out
> >of ideas and need some extra input from others?
> >
> >At 21:03 03/07/2003, you wrote:
> > > > What is the IP of that other RH box?
> > >
> > >199.242.176.169
> > >
> > >Jody
> >
> >--
> >Julian Field
> >www.MailScanner.info
> >Professional Support Services at www.MailScanner.biz MailScanner thanks
> >transtec Computers for their support
>
>--
>Julian Field
>www.MailScanner.info
>Professional Support Services at www.MailScanner.biz MailScanner thanks
>transtec Computers for their support

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

From andersan at LTKALMAR.SE Thu Jul 3 22:19:33 2003
From: andersan at LTKALMAR.SE (Anders Andersson, IT)
Date: Thu Jan 12 21:18:50 2006
Subject: SV: Why won't my mail forward?
Message-ID: <9F18B7DDBA88E544AB1F1995148916661CE643@lkl63.ltkalmar.se>

Hmm, did a fast read so I might have missed it....
2 short questions....
Can you telnet from RH to exchange and exchange to RH?
You said you can receive mail from internet but not send from exchange....
Have you changed where exchange sends outgoing mail?

-----Original Message-----
From: Jody Cleveland [mailto:Cleveland@MAIL.WINNEFOX.ORG]
Sent: 3 July 2003 22:01
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Why won't my mail forward?

> That's It! THAT'S **IT**!
>
> Check for firmware upgrades, and google for problems with PIX
> firewalls.

See, the thing is, I've got another redhat 8 box right next to this one,
and it's working fine. I've mirrored all the settings with sendmail and
mailscanner and the firewall, but there must be something else I'm
missing...
--
Jody Cleveland
(cleveland@mail.winnefox.org)

From ka at PACIFIC.NET Thu Jul 3 22:24:01 2003
From: ka at PACIFIC.NET (Ken Anderson)
Date: Thu Jan 12 21:18:50 2006
Subject: How can I exclude exe attachment from single email address
In-Reply-To: <1057266064.29327.39.camel@bach.kevinspicer.co.uk>
References: <5C0296D26910694BB9A9BBFC577E7AB001175CAD@pascal.priv.bmrb.co.uk> <1057266064.29327.39.camel@bach.kevinspicer.co.uk>
Message-ID: <3F049EF1.1040404@pacific.net>

I didn't know you could nest rulesets like that!

So instead of something like this:
Required SpamAssassin Score = 5

I could use this:
Required SpamAssassin Score = /etc/MailScanner/spam.threshold.rules

Then in spam.threshold.rules:

# a custom function that talks to mysql for some users,
# letting users tweak their settings to their hearts content.
To: boss@somedomain_that_pays_more.com &ByLowSAScore
To: peon@somedomain_that_pays_more.com &ByLowSAScore
To: lacky@somedomain_that_pays_more.com &ByLowSAScore
To: *@somedomain_that_pays_more.com &ByLowSAScore

# a normal user
To: default /etc/MailScanner/spam.defaultthreshold.rules

I like it!

Ken
Pacific.Net


Kevin Spicer wrote:

> On Thu, 2003-07-03 at 21:50, Jeff Falgout wrote:
>
> Been down that road . . .lost that argument.
>
> Yes, rule sets. . .
>
> Can you allow only a single type of attachment, or do you just turn off
> virus scanning for that email address?
>
> Filename Rules=/etc/MailScanner/rules/filename.rules.rules
>
> in that file
>
> From: fussy@ss.who.must.send.exes /etc/MailScanner/filename.rules.exeok
> From: default /etc/MailScanner/filename.rules.conf
>
>
> Copy filename.rules.conf to filename.rules.exeok and change the deny
> next to exe to allow.
>
>
>
>
> BMRB International
> http://www.bmrb.co.uk
> +44 (0)20 8566 5000
> _________________________________________________________________
> This message (and any attachment) is intended only for the
> recipient and may contain confidential and/or privileged
> material.
If you have received this in error, please contact the
> sender and delete this message immediately. Disclosure, copying
> or other action taken in respect of this email or in
> reliance on it is prohibited. BMRB International Limited
> accepts no liability in relation to any personal emails, or
> content of any email which does not directly relate to our
> business.
>
>

From kevins at BMRB.CO.UK Thu Jul 3 22:31:54 2003
From: kevins at BMRB.CO.UK (Kevin Spicer)
Date: Thu Jan 12 21:18:50 2006
Subject: SV: Why won't my mail forward?
In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB001175CB3@pascal.priv.bmrb.co.uk>
References: <5C0296D26910694BB9A9BBFC577E7AB001175CB3@pascal.priv.bmrb.co.uk>
Message-ID: <1057267914.29329.52.camel@bach.kevinspicer.co.uk>

>On Thu, 2003-07-03 at 22:19, Anders Andersson, IT wrote:
>Have you changed where exchange sends outgoing mail?

I think we can close this thread now, we've taken the discussion off
list and, I think, found the problem [the machine thinks its name is the
same as the domain name, and so was treating mail for the domain as
local and passing to procmail, rather than forwarding to the exchange
box]

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000
_________________________________________________________________
This message (and any attachment) is intended only for the
recipient and may contain confidential and/or privileged
material. If you have received this in error, please contact the
sender and delete this message immediately. Disclosure, copying
or other action taken in respect of this email or in
reliance on it is prohibited. BMRB International Limited
accepts no liability in relation to any personal emails, or
content of any email which does not directly relate to our
business.

From forrie at FORRIE.COM Thu Jul 3 22:34:05 2003
From: forrie at FORRIE.COM (Forrest Aldrich)
Date: Thu Jan 12 21:18:51 2006
Subject: BogoFilter, SpamBayes, etc...
In-Reply-To: <3F049EF1.1040404@pacific.net>
References: <1057266064.29327.39.camel@bach.kevinspicer.co.uk> <5C0296D26910694BB9A9BBFC577E7AB001175CAD@pascal.priv.bmrb.co.uk> <1057266064.29327.39.camel@bach.kevinspicer.co.uk>
Message-ID: <5.2.1.1.2.20030703173321.02f1a8d0@192.168.1.1>

Has anyone experience using BogoFilter or SpamBayes with MailFilter...

I'm curious about performance comparisons to SpamAssassin, etc.


Forrest

From mailscanner at ecs.soton.ac.uk Thu Jul 3 22:43:45 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:18:51 2006
Subject: How can I exclude exe attachment from single email address
In-Reply-To: <3F049EF1.1040404@pacific.net>
References: <1057266064.29327.39.camel@bach.kevinspicer.co.uk> <5C0296D26910694BB9A9BBFC577E7AB001175CAD@pascal.priv.bmrb.co.uk> <1057266064.29327.39.camel@bach.kevinspicer.co.uk>
Message-ID: <5.2.1.1.2.20030703223538.020ddbb0@imap.ecs.soton.ac.uk>

At 22:24 03/07/2003, you wrote:
>I didn't know you could nest rulesets like that!

No, you can't. In the filename.rules.conf example, you are using a ruleset
to create a list of allow/deny patterns for the filename. You aren't using
a ruleset to create a ruleset.

By the way, an alternative to my previous solution is to create a
filename.allowexe.conf just containing a single rule
allow \.exe$ - -
and then make the filename.rules ruleset concatenate filename.allowexe.conf
and the original filename.rules.conf file using 2 rules like this:
From: awkward@bugger.com /etc/MailScanner/filename.allowexe.conf /etc/MailScanner/filename.rules.conf
FromOrTo: default /etc/MailScanner/filename.rules.conf

In the resulting filename allow/deny patterns applied to
awkward@bugger.com, the first rule will allow *.exe which will over-ride
the "deny \.exe$" restriction later in the supplied filename.rules.conf.
>So instead of something like this:
>Required SpamAssassin Score = 5
>
>I could use this:
>Required SpamAssassin Score = /etc/MailScanner/spam.threshold.rules
>
>Then in spam.threshold.rules:
>
># a custom function that talks to mysql for some users,
># letting users tweak their settings to their hearts content.
>To: boss@somedomain_that_pays_more.com &ByLowSAScore
>To: peon@somedomain_that_pays_more.com &ByLowSAScore
>To: lacky@somedomain_that_pays_more.com &ByLowSAScore
>To: *@somedomain_that_pays_more.com &ByLowSAScore
>
># a normal user
>To: default /etc/MailScanner/spam.defaultthreshold.rules
>
>I like it!
>
>Ken
>Pacific.Net
>
>
>Kevin Spicer wrote:
>
>>On Thu, 2003-07-03 at 21:50, Jeff Falgout wrote:
>>
>>Been down that road . . .lost that argument.
>>
>>Yes, rule sets. . .
>>
>>Can you allow only a single type of attachment, or do you just turn off
>>virus scanning for that email address?
>>
>>Filename Rules=/etc/MailScanner/rules/filename.rules.rules
>>
>>in that file
>>
>>From: fussy@ss.who.must.send.exes /etc/MailScanner/filename.rules.exeok
>>From: default /etc/MailScanner/filename.rules.conf
>>
>>
>>Copy filename.rules.conf to filename.rules.exeok and change the deny
>>next to exe to allow.
>>
>>
>>
>>
>>BMRB International
>>http://www.bmrb.co.uk
>>+44 (0)20 8566 5000
>>_________________________________________________________________
>>This message (and any attachment) is intended only for the
>>recipient and may contain confidential and/or privileged
>>material. If you have received this in error, please contact the
>>sender and delete this message immediately. Disclosure, copying
>>or other action taken in respect of this email or in
>>reliance on it is prohibited. BMRB International Limited
>>accepts no liability in relation to any personal emails, or
>>content of any email which does not directly relate to our
>>business.
>>

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

From raymond at PROLOCATION.NET Thu Jul 3 22:54:58 2003
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:18:51 2006
Subject: Why won't my mail forward?
In-Reply-To: <84CFA712F666B44A94CE6BE116BAF4B0B4EB66@mail.winnefox.org>
Message-ID:

Hi!

> MailScanner, and spamassassin, and I am able to send mail out. My
> problem is, it's not getting mail and forwarding it on. I've got the mx
> record setup properly. My question is, does Sendmail automatically
> listen on all IP addresses? Is there something else I should be looking
> at?

Use the mailertable for that. Point the MXes to your sendmail box and use
the mailertable to forward it to your exchange machine.

Bye,
Raymond.

From raymond at PROLOCATION.NET Thu Jul 3 22:55:55 2003
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:18:51 2006
Subject: Message Size
In-Reply-To: <200307031858.h63IwgS01221@ori.rl.ac.uk>
Message-ID:

Hi!

> First, I don't want to sound ungrateful, I really do appreciate the new
> feature to filter on total message size.
>
> However, when a message is over the set size, MailScanner tags the
> subject line with the {Virus} tag, and the report message to the
> recipient is the virus removal message. Likewise, the report back to
> the sender appears to be the 'Sender Error Report'.

Sounds like we need a new template there :)

Bye,
Raymond.

From steve.douglas at SBIINCORPORATED.COM Thu Jul 3 22:53:46 2003
From: steve.douglas at SBIINCORPORATED.COM (Steve Douglas)
Date: Thu Jan 12 21:18:51 2006
Subject: Unsolicited commercial email rejected
Message-ID: <3963522F0E71474CB14C0FF54A6914F701115118@mail.gardenbotanika.com>

Maybe I'm missing something, but I can not seem to find where I can turn
this feature off. I thought I did, but guess I was not too successful.
Any suggestions are appreciated. Thanx.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030703/107875df/attachment.html

From mike at CAMAROSS.NET Thu Jul 3 22:56:10 2003
From: mike at CAMAROSS.NET (Mike Kercher)
Date: Thu Jan 12 21:18:51 2006
Subject: Unsolicited commercial email rejected
In-Reply-To: <3963522F0E71474CB14C0FF54A6914F701115118@mail.gardenbotanika.com>
Message-ID: <00e101c341ad$e9dcdfa0$9c01a8c0@home.middlefinger.net>

That looks like you have a Spam Action = bounce in your MailScanner.conf

Mike

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Steve Douglas
Sent: Thursday, July 03, 2003 4:54 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Unsolicited commercial email rejected

Maybe I'm missing something, but I can not seem to find where I can turn
this feature off. I thought I did, but guess I was not too successful.
Any suggestions are appreciated. Thanx.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030703/e6e08e60/attachment.html

From raymond at PROLOCATION.NET Thu Jul 3 23:01:15 2003
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:18:51 2006
Subject: Why won't my mail forward?
In-Reply-To: <20030703145727.D98124@mikea.ath.cx>
Message-ID:

Hi!

> > Actually, it's a PIX firewall. And, from what I understand, it was very
> > expensive. It is about 3 years old though. We're hoping to get a linux
> > firewall in place soon.
>
> That's It! THAT'S **IT**!
>
> Check for firmware upgrades, and google for problems with PIX
> firewalls.

What OS is that PIX running? (version) I might have some leads there. I am
used to admin PIXes :)

Bye,
Raymond.
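
Added example, not part of any list message and not MailScanner's own code: a small Python model of the filename check Julian Field describes in the exe-attachment thread above, where the pattern files named on a ruleset line are concatenated and the first pattern that matches a filename decides. The file contents, the helper names and the treatment of an unmatched filename as allowed are assumptions made for the illustration.

```python
import re
from fnmatch import fnmatchcase


def conf(*rows):
    """Build a pattern file: four tab-separated fields per line."""
    return "".join("\t".join(row) + "\n" for row in rows)


# Constructed sample contents for the file names used in the thread.
FILES = {
    "/etc/MailScanner/filename.rules.conf": conf(
        ("deny", r"pretty\s+park\.exe$", "Pretty Park", "Pretty Park virus"),
        ("deny", r"\.scr$", "Screensaver", "Screensavers are blocked"),
        ("deny", r"\.exe$", "Executable", "Executables are blocked"),
    ),
    "/etc/MailScanner/filename.allowexe.conf": conf(("allow", r"\.exe$", "-", "-")),
}

# The two-rule ruleset from the message: two files concatenated for one sender.
RULESET = """\
From:     awkward@bugger.com /etc/MailScanner/filename.allowexe.conf /etc/MailScanner/filename.rules.conf
FromOrTo: default            /etc/MailScanner/filename.rules.conf
"""


def parse_ruleset(text):
    """Return (direction, address pattern, [pattern files]) per ruleset line."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            direction, pattern, *files = line.split()
            rules.append((direction.rstrip(":").lower(), pattern.lower(), files))
    return rules


def files_for(rules, sender, recipient):
    """Pattern files for one message; the default applies only if nothing else matches."""
    default, matched = [], []
    for direction, pattern, files in rules:
        if pattern == "default":
            default = files
            continue
        addresses = {"from": [sender], "to": [recipient],
                     "fromorto": [sender, recipient]}.get(direction, [])
        if any(fnmatchcase(addr.lower(), pattern) for addr in addresses):
            matched.append(files)
    if len(matched) > 1:
        # How results from several matching lines are ordered is not modelled.
        raise ValueError("several ruleset lines match; combined order not modelled")
    return matched[0] if matched else default


def load_patterns(paths, files=FILES):
    """Concatenate the pattern files in the order the ruleset line lists them."""
    patterns = []
    for path in paths:
        for line in files[path].splitlines():
            if not line.strip() or line.lstrip().startswith("#"):
                continue
            fields = re.split(r"\t+", line.strip())
            if len(fields) != 4:  # e.g. the fields were separated with spaces
                raise ValueError(f"{path}: need 4 tab-separated fields: {line!r}")
            patterns.append((fields[0].lower(), re.compile(fields[1], re.I), path))
    return patterns


def verdict(filename, patterns):
    """First matching pattern decides (assumption: no match means allow)."""
    for action, regex, source in patterns:
        if regex.search(filename):
            return action, source
    return "allow", None


def check(sender, recipient, filename):
    """Resolve the ruleset for one message and judge one attachment name."""
    paths = files_for(parse_ruleset(RULESET), sender, recipient)
    return verdict(filename, load_patterns(paths))[0]


if __name__ == "__main__":
    for sender, name in [("awkward@bugger.com", "setup.exe"),
                         ("awkward@bugger.com", "holiday.scr"),
                         ("awkward@bugger.com", "pretty park.exe"),
                         ("someone@example.net", "setup.exe")]:
        print(f"{sender:22} {name:18} {check(sender, 'user@example.org', name)}")
```

In this model the prepended allow also wins over the more specific deny for "pretty park.exe", so the exempted sender skips every .exe rule in the stock file while the .scr rule still applies to them.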
From raymond at PROLOCATION.NET Thu Jul 3 23:05:32 2003
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:18:51 2006
Subject: How can I exclude exe attachment from single email address
In-Reply-To:
Message-ID:

Hi!

> I'm blocking .exe's using filename.rules.conf, but we have to deal with another company that insists on sending an *IMPORTANT* file as an exe attachment.
>
> Is there a way to allow .exe only from that email address?

Rulesets ... create a different ruleset and point to ANOTHER
filename.rules conf...

Bye,
Raymond.

From raymond at PROLOCATION.NET Thu Jul 3 23:11:46 2003
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:18:51 2006
Subject: How can I exclude exe attachment from single email address
In-Reply-To: <5.2.1.1.2.20030703220014.03c87eb0@imap.ecs.soton.ac.uk>
Message-ID:

Hi!

> Then construct a ruleset in /etc/MailScanner/rules/filename.rules that
> looks like this:
> From: awkward@bugger.com /etc/MailScanner/filename.special.rules.conf
> FromOrTo: default /etc/MailScanner/filename.rules.conf
>
> Edit /etc/MailScanner/MailScanner.conf so it uses it
> Filename Rules = /etc/MailScanner/rules/filename.rules

Is there a simple way to DISABLE filename rules for a domain or sender?
I tried to set it empty for some domains, or to 'no' but that didn't work :)

Any way how to do that, besides an 'empty' filename.empty.rules or
something?

Bye,
Raymond.

From mailscanner at ELKNET.NET Thu Jul 3 23:31:14 2003
From: mailscanner at ELKNET.NET (Alan Fiebig)
Date: Thu Jan 12 21:18:51 2006
Subject: MailScanner log entries
Message-ID: <200307032136.h63LamS01639@ori.rl.ac.uk>

I've been at this too long... 8-10 hours a day for the last 4 days,
installing, learning, tweaking, customizing, testing, updating a mail
filtering system... has caused my brain to melt down.

Sorry about that WAY STUPID question. I really am not normally that brain
dead.

-Alan

>Think about what you are doing.
>
>Outside world ---> qmail server ---> MailScanner server
>
>Qmail is getting messages from all over the world, including places that
>are listed in various RBLs.
>But your MailScanner server is only getting mail from your qmail server,
>which presumably isn't in any RBLs. So it won't report any.

From ryanb at AACRAO.ORG Thu Jul 3 23:16:36 2003
From: ryanb at AACRAO.ORG (Ryan Bingham)
Date: Thu Jan 12 21:18:51 2006
Subject: Why won't my mail forward?
References:
Message-ID: <003901c341b0$c4f22940$f8240340@kh06s9>

My goodness! I stepped away from my email for a couple hours and this
thread went crazy!! :-)

Ryan

----- Original Message -----
From: "Raymond Dijkxhoorn"
To:
Sent: Thursday, July 03, 2003 6:01 PM
Subject: Re: Why won't my mail forward?

Hi!

> > Actually, it's a PIX firewall. And, from what I understand, it was very
> > expensive. It is about 3 years old though. We're hoping to get a linux
> > firewall in place soon.
>
> That's It! THAT'S **IT**!
>
> Check for firmware upgrades, and google for problems with PIX
> firewalls.

What OS is that PIX running ? (version) i might have some leads there. I am
used to admin PIXes :)

Bye,
Raymond.

From ryanb at AACRAO.ORG Thu Jul 3 23:22:17 2003
From: ryanb at AACRAO.ORG (Ryan Bingham)
Date: Thu Jan 12 21:18:51 2006
Subject: OT Re: Why won't my mail forward?
References: <00c701c3419f$3620f180$9c01a8c0@home.middlefinger.net>
Message-ID: <007801c341b1$906cc490$f8240340@kh06s9>

I would also be willing to host such a list. I think it's great that
people on here are so willing to help. Definitely something to encourage.

Ryan

----- Original Message -----
From: "Mike Kercher"
To:
Sent: Thursday, July 03, 2003 4:10 PM
Subject: Re: OT Re: Why won't my mail forward?

Julian,

Seems like we run into this from time to time. What would be the odds you
could setup an OT mailing list? I can do it on one of my servers if you
want.
Then people that want to subscribe and assist people with OT issues can
stay in the loop and lend a hand where needed.

Mike

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Julian Field
Sent: Thursday, July 03, 2003 3:11 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: OT Re: Why won't my mail forward?

This is really rather OT, and there have been 30 messages I have seen in
this thread so far.

Any chance a few of you could take the investigation off-list please, and
just post to the list once you've got it sorted or you all run out of
ideas and need some extra input from others?

At 21:03 03/07/2003, you wrote:
> > What is the IP of that other RH box?
>
>199.242.176.169
>
>Jody

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

From mike at CAMAROSS.NET Thu Jul 3 23:30:01 2003
From: mike at CAMAROSS.NET (Mike Kercher)
Date: Thu Jan 12 21:18:51 2006
Subject: OT Re: Why won't my mail forward?
In-Reply-To: <007801c341b1$906cc490$f8240340@kh06s9>
Message-ID: <000001c341b2$a467dc40$9c01a8c0@home.middlefinger.net>

I've created such a list. Waiting on Julian to bless it now :)

Mike

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Ryan Bingham
Sent: Thursday, July 03, 2003 5:22 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: OT Re: Why won't my mail forward?

I would also be willing to host such a list. I think it's great that
people on here are so willing to help. Definitely something to encourage.

Ryan

----- Original Message -----
From: "Mike Kercher"
To:
Sent: Thursday, July 03, 2003 4:10 PM
Subject: Re: OT Re: Why won't my mail forward?

Julian,

Seems like we run into this from time to time. What would be the odds you
could setup an OT mailing list? I can do it on one of my servers if you
want.
Then people that want to subscribe and assist people with OT issues can
stay in the loop and lend a hand where needed.

Mike

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Julian Field
Sent: Thursday, July 03, 2003 3:11 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: OT Re: Why won't my mail forward?

This is really rather OT, and there have been 30 messages I have seen in
this thread so far.

Any chance a few of you could take the investigation off-list please, and
just post to the list once you've got it sorted or you all run out of
ideas and need some extra input from others?

At 21:03 03/07/2003, you wrote:
> > What is the IP of that other RH box?
>
>199.242.176.169
>
>Jody

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

From JeremyE at BSA.CA.GOV Fri Jul 4 00:04:41 2003
From: JeremyE at BSA.CA.GOV (Jeremy Evans)
Date: Thu Jan 12 21:18:51 2006
Subject: Rulesets: Match first or match last?
Message-ID: <1A91F0B5CDA2D7119000080009DCFDBC1BCD83@pebble.bsa.ca.gov>

I thought rulesets were supposed to use the first entry that matches, but
I'm doing some testing now and that doesn't seem to be the case. If I use
this ruleset:

        # filename.rules
        # This file lists which e-mails are scanned for nasty filenames
        From: jeremye@bsa.ca.gov /opt/MailScanner/etc/filename.rules.conf
        From: *@bsa.ca.gov /opt/MailScanner/etc/filename.allowall.conf
        FromTo: default /opt/MailScanner/etc/filename.rules.conf

and send an e-mail from jeremye@bsa.ca.gov with an attached file blocked in
filename.rules.conf, it comes through without any problems.
If I use this ruleset:

        # filename.rules
        # This file lists which e-mails are scanned for nasty filenames
        From: *@bsa.ca.gov /opt/MailScanner/etc/filename.allowall.conf
        From: jeremye@bsa.ca.gov /opt/MailScanner/etc/filename.rules.conf
        FromTo: default /opt/MailScanner/etc/filename.rules.conf

the attachment is stripped from the file. Are the rulesets supposed to use
the first entry that matches, or the last one?

Jeremy Evans
Information Systems Analyst
California State Auditor
916-445-0255 phone
916-322-7801 fax

From symedeot at YAHOO.FR Fri Jul 4 08:31:21 2003
From: symedeot at YAHOO.FR (Sylvain MEDEOT)
Date: Thu Jan 12 21:18:51 2006
Subject: MailScanner issue with postfix
Message-ID:

Hi,

You don't mention which Postfix version you are using.
From my experience, versions of Postfix prior to postfix-1.1.11 won't work
with MailScanner.

One thing that should be missing in your files is :
hash_queue_depth = 1
hash_queue_names = incoming deferred active bounce flush
in both /etc/postfix/main.cf and /etc/postfix.in/main.cf

Then you have to stop Postfix and run :
postfix -c /etc/postfix.in check
postfix -c /etc/postfix check

On my system, before running postfix, I drop these two directories then I
did a mkdir /var/spool/postfix /var/spool/postfix.in

By doing so, you made to have not flat directories (they are not compatible
with MailScanner, recent versions of Postfix are OK).
After doing this on my server, MailScanner starts working fine for some
minutes then I had some mails lost (they were going into postfix/corrupted)
and finally the server crashes with the following logs :

Jun 30 15:32:20 intranet postfix/qmgr[4599]: warning: 1081F5B855: envelope records out of order
Jun 30 15:32:20 intranet postfix/qmgr[4599]: warning: corrupt file queue active id 1081F5B855
Jun 30 15:32:25 intranet postfix/qmgr[4599]: warning: 927DA5B859: envelope records out of order
Jun 30 15:32:25 intranet postfix/qmgr[4599]: warning: corrupt file queue active id 927DA5B859
Jun 30 15:33:20 intranet MailScanner[4636]: Corrupt queue output file
Jun 30 15:33:20 intranet postfix/qmgr[4599]: warning: BEF445B861: envelope records out of order
Jun 30 15:33:20 intranet postfix/qmgr[4599]: warning: corrupt file queue active id BEF445B861
Jun 30 15:35:34 intranet postfix/qmgr[4599]: warning: 2B65C5B871: envelope records out of order
Jun 30 15:35:34 intranet postfix/qmgr[4599]: warning: corrupt file queue active id 2B65C5B871

Following Julian's suggestion, I decided to upgrade my current postfix to
one of the versions he tested (postfix-1.1.11).
I got the sources and compile it. Very easy...
I then did a copy of my postfix cf files and run a make upgrade.
After doing this, I had to make some minor changes to main.cf since some
keywords changed between the two versions.
Before running postfix, I drop /var/spool/postfix /var/spool/postfix.in
and then I did a mkdir /var/spool/postfix /var/spool/postfix.in
Then I run postfix alone to see if everything was fine. It was.
Finally, I did again the whole process of copying /etc/postfix to
/etc/postfix.in and all process described in MailScanner installation
guide.

And, now, everything is fine and reliable...

Most problems can be solved by having a look to /var/log/mail

Hope that can help somebody...
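
Added example, not from the post and not Postfix or MailScanner code: a Python check for the two things the message above relies on, that both Postfix instances carry the queue-hashing settings it lists and that the mail log shows no queue-corruption warnings. The main.cf excerpts are constructed, the log lines are taken from the post, and the function names are illustrative.

```python
import re

# Values given in the post; both Postfix instances are expected to carry them.
REQUIRED = {
    "hash_queue_depth": "1",
    "hash_queue_names": "incoming deferred active bounce flush",
}

# Constructed main.cf excerpts: one instance set up as in the post, one not.
CONFIGS = {
    "/etc/postfix/main.cf": (
        "queue_directory = /var/spool/postfix\n"
        "hash_queue_depth = 1\n"
        "hash_queue_names = incoming deferred active\n"
        "    bounce flush\n"
    ),
    "/etc/postfix.in/main.cf": (
        "queue_directory = /var/spool/postfix.in\n"
        "# hash_queue_depth = 1\n"
        "hash_queue_depth = 2\n"
    ),
}

# Log lines quoted in the post.
LOG = """\
Jun 30 15:32:20 intranet postfix/qmgr[4599]: warning: 1081F5B855: envelope records out of order
Jun 30 15:32:20 intranet postfix/qmgr[4599]: warning: corrupt file queue active id 1081F5B855
Jun 30 15:32:25 intranet postfix/qmgr[4599]: warning: 927DA5B859: envelope records out of order
Jun 30 15:32:25 intranet postfix/qmgr[4599]: warning: corrupt file queue active id 927DA5B859
Jun 30 15:33:20 intranet MailScanner[4636]: Corrupt queue output file
Jun 30 15:33:20 intranet postfix/qmgr[4599]: warning: BEF445B861: envelope records out of order
Jun 30 15:33:20 intranet postfix/qmgr[4599]: warning: corrupt file queue active id BEF445B861
"""

OUT_OF_ORDER = re.compile(
    r"postfix/qmgr\[\d+\]: warning: ([0-9A-F]+): envelope records out of order")
CORRUPT = re.compile(
    r"postfix/qmgr\[\d+\]: warning: corrupt file queue (\w+) id ([0-9A-F]+)")
MS_CORRUPT = re.compile(r"MailScanner\[\d+\]: Corrupt queue output file")


def parse_main_cf(text):
    """Parse main.cf text: '#' lines are comments, a line that starts with
    whitespace continues the previous parameter, the last definition wins."""
    params, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and current is not None:
            params[current] += " " + raw.strip()
            continue
        name, sep, value = raw.partition("=")
        current = name.strip() if sep else None
        if current:
            params[current] = value.strip()
    return params


def setting_problems(configs):
    """Return (path, parameter, value found) for every setting that differs
    from the values in the post; a missing parameter is reported as None."""
    problems = []
    for path, text in configs.items():
        params = parse_main_cf(text)
        for name, wanted in REQUIRED.items():
            found = params.get(name)
            tokens = set(re.split(r"[,\s]+", found.strip())) if found else set()
            if tokens != set(wanted.split()):
                problems.append((path, name, found))
    return problems


def corruption_summary(log_text):
    """Collect the queue IDs Postfix flagged, grouped by queue, and count
    MailScanner's own corrupt-output reports."""
    corrupt, out_of_order, mailscanner = {}, set(), 0
    for line in log_text.splitlines():
        hit = CORRUPT.search(line)
        if hit:
            corrupt.setdefault(hit.group(1), []).append(hit.group(2))
            continue
        hit = OUT_OF_ORDER.search(line)
        if hit:
            out_of_order.add(hit.group(1))
        elif MS_CORRUPT.search(line):
            mailscanner += 1
    return {"corrupt": corrupt, "out_of_order": sorted(out_of_order),
            "mailscanner": mailscanner}


if __name__ == "__main__":
    for problem in setting_problems(CONFIGS):
        print("setting differs from the post:", problem)
    print(corruption_summary(LOG))
```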
From David.While at UCE.AC.UK Fri Jul 4 08:51:55 2003
From: David.While at UCE.AC.UK (David While)
Date: Thu Jan 12 21:18:51 2006
Subject: MailScanner 101, take two.
Message-ID: <107DE25EC0216C45AEF670016024245F64416F@exchangea.staff.uce.ac.uk>

They updated the DB twice yesterday (3 July). I guess the update frequency
is determined by the virus writers - you only update the signatures when a
new virus outbreak occurs.

David While

-----Original Message-----
From: Kevin Miller [mailto:Kevin_Miller@CI.JUNEAU.AK.US]
Sent: Thu 03/07/2003 19:09
To: MAILSCANNER@JISCMAIL.AC.UK
Cc:
Subject: Re: MailScanner 101, take two.

Thanks. Earlier posts (month or two ago I think) indicated that they
weren't the quickest off the line with updates, but one or two posts isn't
a very big statistical sample!

So, how satisfied have you ClamAV users been with the pattern updates? Do
they come in in a timely fashion?

TIA...

...Kevin
-------------------
Kevin Miller                Registered Linux User No: 307357
CBJ MIS Dept.               Network Systems Administrator, Mail Administrator
155 South Seward Street     ph: (907) 586-0242
Juneau, Alaska 99801        fax: (907 586-4500

>-----Original Message-----
>From: Peter Bonivart [mailto:peter@UCGBOOK.COM]
>Sent: Thursday, July 03, 2003 9:21 AM
>To: MAILSCANNER@JISCMAIL.AC.UK
>Subject: Re: MailScanner 101, take two.
>
>
>For AV you could always use ClamAV that is completely free.
>Recent posts
>on the list has it that CA eTrust is legit to run with a $28
>workstation
>license. That might also be interesting.
>
>ClamAV scans faster than F-Prot in my tests. It's also covered by
>MailScanners signature-updating script but you should update
>the program
>from time to time. But you can forget about the check instead! :)
>
>Check this for more info:
>
>http://www.sng.ecs.soton.ac.uk/mailscanner/install/OS-virus-sca
>n-web.htm
>
>/Peter Bonivart
>
>--Unix lovers do it in the Sun
>
>Kevin Miller wrote:
>
>> For the antivirus I got a copy of F-Prot, but then they
>changed the license.
>> Aargh. A grand more to do the same thing. So I'm looking
>at a different
>> antivirus solution now, probably RAV. I don't mind paying for
>> support/updates and I thought the original $300 F-prot cost was quite
>> reasonable, but the new scheme isn't exactly competitive.
>Does RAV auto
>> update both the signatures and the program? I want
>something I can put in
>> and ignore until it's time to send 'em another check in a
>year. A friend is
>> using Sophos, and he says he has to put in a new user
>license quarterly or
>> some such. Life's too short for that. All the docs seem to refer to
>> installing Sophos as a step however. Can I presume that I
>can substitute
>> whatever flavor of antivirus there and *not* have to install Sophos?
>

From P.G.M.Peters at utwente.nl Fri Jul 4 08:59:39 2003
From: P.G.M.Peters at utwente.nl (Peter Peters)
Date: Thu Jan 12 21:18:51 2006
Subject: MailScanner replacements
Message-ID: <7qcagv8e61u2a143eggps35fe26q9r917f@4ax.com>

Sometimes other (not as good as) MailScanner replacements pop up. A few
days ago (yes, I'm behind on my e-mail) my boss forwarded me an e-mail
from/about Vircom/Sieve. Anybody any experience with this? It looks as if
it does the same as MailScanner only they claim they have something called
Sieve that is something "new". And it is updated through information
gathered at 15 ISP's.

--
Peter Peters, senior network administrator
Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE)
Universiteit Twente, Postbus 217, 7500 AE Enschede
telephone: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/civ

From mailscanner at ecs.soton.ac.uk Fri Jul 4 09:28:14 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:18:51 2006
Subject: How can I exclude exe attachment from single email address
In-Reply-To:
References: <5.2.1.1.2.20030703220014.03c87eb0@imap.ecs.soton.ac.uk>
Message-ID: <5.2.0.9.2.20030704092730.0452fbc8@imap.ecs.soton.ac.uk>

At 23:11 03/07/2003, you wrote:
>Hi!
>
> > Then construct a ruleset in /etc/MailScanner/rules/filename.rules that
> > looks like this:
>
> > From: awkward@bugger.com /etc/MailScanner/filename.special.rules.conf
> > FromOrTo: default /etc/MailScanner/filename.rules.conf
> >
> > Edit /etc/MailScanner/MailScanner.conf so it uses it
> > Filename Rules = /etc/MailScanner/rules/filename.rules
>
>Is there a simple way to DISABLE filename rules for a domain or sender ?
>I tried to set it empty for some domains, or to 'no' but that didnt work

Use a filename.special.rules.conf that starts with
allow . - -
That rule will match every filename and allow it.
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Fri Jul 4 09:31:38 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:18:51 2006
Subject: Rulesets: Match first or match last?
In-Reply-To: <1A91F0B5CDA2D7119000080009DCFDBC1BCD83@pebble.bsa.ca.gov>
Message-ID: <5.2.0.9.2.20030704093001.044ea140@imap.ecs.soton.ac.uk>

The Filename Rules option concatenates all the matching rule results
together, then uses that as the set of allow/deny rules for the attachment
filenames. It only uses the "default" setting if none of the other rules
match.

At 00:04 04/07/2003, you wrote:
>I thought rulesets were supposed to use the first entry that matches, but
>I'm doing some testing now and that doesn't seem to be the case. If I use
>this ruleset:
>
> # filename.rules
> # This file lists which e-mails are scanned for nasty filenames
> From: jeremye@bsa.ca.gov
>/opt/MailScanner/etc/filename.rules.conf
> From: *@bsa.ca.gov
>/opt/MailScanner/etc/filename.allowall.conf
> FromTo: default
>/opt/MailScanner/etc/filename.rules.conf
>
>and send an e-mail from jeremye@bsa.ca.gov with an attached file blocked in
>filename.rules.conf, it comes through without any problems.
If I use this >ruleset: > > # filename.rules > # This file lists which e-mails are scanned for nasty filenames > From: *@bsa.ca.gov >/opt/MailScanner/etc/filename.allowall.conf > From: jeremye@bsa.ca.gov >/opt/MailScanner/etc/filename.rules.conf > FromTo: default >/opt/MailScanner/etc/filename.rules.conf > >the attachment is stripped from the file. Are the rulesets supposed to use >the first entry that matches, or the last one? > >Jeremy Evans >Information Systems Analyst >California State Auditor >916-445-0255 phone >916-322-7801 fax -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Fri Jul 4 09:29:30 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:18:51 2006 Subject: OT Re: Why won't my mail forward? In-Reply-To: <000001c341b2$a467dc40$9c01a8c0@home.middlefinger.net> References: <007801c341b1$906cc490$f8240340@kh06s9> Message-ID: <5.2.0.9.2.20030704092832.045554c8@imap.ecs.soton.ac.uk> Consider it blessed :-) I suggest that whenever a thread is moved to the OT list then a single "Going OT" posting goes to the main list, with subscription and posting details about the OT list so that people can follow it. At 23:30 03/07/2003, you wrote: >I've created such a list. Waiting on Julian to bless it now :) > >Mike > > >-----Original Message----- >From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf >Of Ryan Bingham >Sent: Thursday, July 03, 2003 5:22 PM >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Re: OT Re: Why won't my mail forward? > > >I would also be willing to host such a list. I think it's great that people >on here are so willing to help. Definitely something to encourage. > >Ryan > >----- Original Message ----- >From: "Mike Kercher" >To: >Sent: Thursday, July 03, 2003 4:10 PM >Subject: Re: OT Re: Why won't my mail forward? > > >Julian, > >Seems like we run into this from time to time. 
What would be the odds you >could setup an OT mailing list? I can do it on one of my servers if you >want. Then people that want to subscribe and assist people with OT issues >can stay in the loop and lend a hand where needed. > >Mike > > >-----Original Message----- >From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf >Of Julian Field >Sent: Thursday, July 03, 2003 3:11 PM >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: OT Re: Why won't my mail forward? > > >This is really rather OT, and there have been 30 messages I have seen in >this thread so far. > >Any chance a few of you could take the investigation off-list please, and >just post to the list once you've got it sorted or you all run out of ideas >and need some extra input from others? > >At 21:03 03/07/2003, you wrote: > > > What is the IP of that other RH box? > > > >199.242.176.169 > > > >Jody > >-- >Julian Field >www.MailScanner.info >Professional Support Services at www.MailScanner.biz MailScanner thanks >transtec Computers for their support -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From dean.plant at ROKE.CO.UK Fri Jul 4 10:16:10 2003 From: dean.plant at ROKE.CO.UK (Plant, Dean) Date: Thu Jan 12 21:18:51 2006 Subject: Using sa-learn to add ham mail to the spamassassin database Message-ID: I am using MailScanner 4.21-9 on Redhat 8 with spamassassin 2.55, dcc and razor2. MailScanner is used as our external relay with all internal mail handled by exchange/outlook. For low scoring spam I am using the "attachment deliver" spam actions. My question is regarding false positives of low scoring spam and the best way to teach spamassassin with sa-learn. I had asked users to drag and drop incorrectly identified spam mail into a public folder but after the spam is delivered the spam mail is changed to have the subject line {spam?} with the original header information and the original mail is the attachment but the header info has been removed. 
So using this mail with sa-learn will not give the correct results. Can anyone advise the best way to get the original mail with all the header info back onto the MailScanner server. Thanks in advance. Dean Plant. -- Registered Office: Roke Manor Research Ltd, Siemens House, Oldbury, Bracknell, Berkshire. RG12 8FZ The information contained in this e-mail and any attachments is confidential to Roke Manor Research Ltd and must not be passed to any third party without permission. This communication is for information only and shall not create or change any contractual relationship. From Antony at SOFT-SOLUTIONS.CO.UK Fri Jul 4 10:33:02 2003 From: Antony at SOFT-SOLUTIONS.CO.UK (Antony Stone) Date: Thu Jan 12 21:18:51 2006 Subject: Using sa-learn to add ham mail to the spamassassin database In-Reply-To: References: Message-ID: <200307040934.h649Yfg19989@agate.rockstone.co.uk> On Friday 04 July 2003 10:16 am, Plant, Dean wrote: > I am using MailScanner 4.21-9 on Redhat 8 with spamassassin 2.55, dcc and > razor2. MailScanner is used as our external relay with all internal mail > handled by exchange/outlook. > > For low scoring spam I am using the "attachment deliver" spam actions. > > My question is regarding false positives of low scoring spam and the best > way to teach spamassassin with sa-learn. > > I had asked users to drag and drop incorrectly identified spam mail into a > public folder but after the spam is delivered the spam mail is changed to > have the subject line {spam?} with the original header information and the > original mail is the attachment but the header info has been removed. So > using this mail with sa-learn will not give the correct results. > > Can anyone advise the best way to get the original mail with all the header > info back onto the MailScanner server. 
You could change the actions for low-scoring spam to include 'quarantine', and then use a script to pick the message ID out of the false-positives which users drag and drop into the public folder, match that with the filenames of the quarantined messages, and there you have the original false-positive message with no changes? Regards, Antony. -- What is this talk of software 'release' ? Our software evolves and matures until it becomes capable of escape, leaving a bloody trail of designers and quality assurance people in its wake. From mailscanner at BARENDSE.TO Fri Jul 4 10:33:16 2003 From: mailscanner at BARENDSE.TO (Remco Barendse) Date: Thu Jan 12 21:18:51 2006 Subject: Allow Form Tags ?? Message-ID: Since the upgrade to the latest version of MailScanner I seem to be getting some legitimate messages from customers that use HTML Form Tags which are now being blocked. Rather than opening up everything to these form tags wouldn't it be possible to convert the form tags to a 'normal' html message thereby 'cleaning' the message of any unwanted crap? From raymond at PROLOCATION.NET Fri Jul 4 10:41:59 2003 From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:18:51 2006 Subject: How can I exclude exe attachment from single email address In-Reply-To: <5.2.0.9.2.20030704092730.0452fbc8@imap.ecs.soton.ac.uk> Message-ID: Hi! > >Is there a simple way to DISABLE filename rules for a domain or sender ? > >I tried to set it empty for some domains, or to 'no' but that didnt work > Use a filename.special.rules.conf that starts with > allow . - - > > That rule will match every filename and allow it. That i have now, but would it be possible to just let that empty in the config ? Or a switch to disable filename rules ? I would prefer that. Bye, Raymond. From mailscanner at ecs.soton.ac.uk Fri Jul 4 11:00:27 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:18:51 2006 Subject: Allow Form Tags ?? 
In-Reply-To: Message-ID: <5.2.0.9.2.20030704110012.05114138@imap.ecs.soton.ac.uk> At 10:33 04/07/2003, you wrote: >Since the upgrade to the latest version of MailScanner I seem to be >getting some legitimate messages from customers that use HTML Form Tags >which are now being blocked. > >Rather than opening up everything to these form tags wouldn't it be >possible to convert the form tags to a 'normal' html message >thereby 'cleaning' the message of any unwanted crap? Allow the Form tags but set "Strip Dangerous HTML". -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Fri Jul 4 11:01:29 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:18:51 2006 Subject: How can I exclude exe attachment from single email address In-Reply-To: References: <5.2.0.9.2.20030704092730.0452fbc8@imap.ecs.soton.ac.uk> Message-ID: <5.2.0.9.2.20030704110054.03d926e0@imap.ecs.soton.ac.uk> At 10:41 04/07/2003, you wrote: >Hi! > > > >Is there a simple way to DISABLE filename rules for a domain or sender ? > > >I tried to set it empty for some domains, or to 'no' but that didnt work > > > Use a filename.special.rules.conf that starts with > > allow . - - > > > > That rule will match every filename and allow it. > >That i have now, but would it be possible to just let that empty in the >config ? Probably, yes. It allows filenames by default. I haven't tried it myself but I think it should work. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From raymond at PROLOCATION.NET Fri Jul 4 11:10:06 2003 From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:18:51 2006 Subject: How can I exclude exe attachment from single email address In-Reply-To: <5.2.0.9.2.20030704110054.03d926e0@imap.ecs.soton.ac.uk> Message-ID: Hi! > >That i have now, but would it be possible to just let that empty in the > >config ? > Probably, yes. 
It allows filenames by default. I haven't tried it myself
> but I think it should work.

Won't work, I tried that already :)

But would be nice to have that as an addition. Or a config option where
you simply, same as for spam and virus scanning tell:

Use filename rules = no

Bye,
Raymond.

From m.sapsed at BANGOR.AC.UK Fri Jul 4 12:07:52 2003
From: m.sapsed at BANGOR.AC.UK (Martin Sapsed)
Date: Thu Jan 12 21:18:51 2006
Subject: directory containing all the reports in all the languages
References: <5.2.0.9.2.20030703162442.05147f98@imap.ecs.soton.ac.uk>
Message-ID: <3F056008.2030708@bangor.ac.uk>

Julian Field wrote:
> No, because the default setting for each of the reports is
> %report-dir%/deleted.filename.message.txt
> for example, so the %report-dir% should contain the language code as well.
>
> At 13:05 03/07/2003, you wrote:
>
>> Just noticed this new option in the MailScanner.conf file:
>>
>> # Set the directory containing all the reports in all the languages
>> %report-dir% = /etc/MailScanner/reports/en
>>
>>
>> Shouldn't this be set to :
>> /etc/MailScanner/reports
>> as default?
>>
>> Or is this the option for the default language directory if no specific
>> language is defined for a top level domain??
>
>
> --
> Julian Field
> www.MailScanner.info
> MailScanner thanks transtec Computers for their support

--
Cheers,

Martin

--
Martin Sapsed
Information Services          "Who do you say I am?"
University of Wales, Bangor   Jesus of Nazareth

From m.sapsed at BANGOR.AC.UK Fri Jul 4 12:09:59 2003
From: m.sapsed at BANGOR.AC.UK (Martin Sapsed)
Date: Thu Jan 12 21:18:51 2006
Subject: directory containing all the reports in all the languages
References: <5.2.0.9.2.20030703162442.05147f98@imap.ecs.soton.ac.uk>
Message-ID: <3F056087.8090609@bangor.ac.uk>

Apologies for the previous unhelpful message - keyboard playing up!

Julian Field wrote:
> No, because the default setting for each of the reports is
> %report-dir%/deleted.filename.message.txt
> for example, so the %report-dir% should contain the language code as well.

Would

# Set the directory containing all the reports in the required language

be better wording then?

Cheers,

Martin

--
Martin Sapsed
Information Services          "Who do you say I am?"
University of Wales, Bangor   Jesus of Nazareth

From mailscanner at ecs.soton.ac.uk Fri Jul 4 12:13:05 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:18:51 2006
Subject: directory containing all the reports in all the languages
In-Reply-To: <3F056087.8090609@bangor.ac.uk>
References: <5.2.0.9.2.20030703162442.05147f98@imap.ecs.soton.ac.uk>
Message-ID: <5.2.0.9.2.20030704121301.03d643f8@imap.ecs.soton.ac.uk>

Fixed.

At 12:09 04/07/2003, you wrote:
>Apologies for the previous unhelpful message - keyboard playing up!
>
>Julian Field wrote:
>>No, because the default setting for each of the reports is
>> %report-dir%/deleted.filename.message.txt
>>for example, so the %report-dir% should contain the language code as well.
>
>Would
>
># Set the directory containing all the reports in the required language
>
>be better wording then?
>
>Cheers,
>
>Martin
>
>--
>Martin Sapsed
>Information Services          "Who do you say I am?"
>University of Wales, Bangor   Jesus of Nazareth

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From hb at dfs.dk Fri Jul 4 14:09:09 2003
From: hb at dfs.dk (Henrik Bro)
Date: Thu Jan 12 21:18:51 2006
Subject: Antivirus License?
In-Reply-To: <5.2.0.9.2.20030704121301.03d643f8@imap.ecs.soton.ac.uk>
Message-ID: <001b01c3422d$74f942c0$2f11a550@henrik>

Does anyone know if any of the commercial AV products have a free solution
for non-commercial / non-profit use? (I know Trend Micro has vscan)

Or have a license where I buy a server-license and do not have to pay per
mailbox?

Best regards,
Henrik

From mailscanner at LISTS.COM.AR Fri Jul 4 14:23:29 2003
From: mailscanner at LISTS.COM.AR (Mariano Absatz)
Date: Thu Jan 12 21:18:51 2006
Subject: MailScanner replacements
In-Reply-To: <7qcagv8e61u2a143eggps35fe26q9r917f@4ax.com>
Message-ID: <3F0555A1.9166.13885315@localhost>

I just browsed over vircom's site... they have something called Anti-SPAM
Gate (http://www.vircom.com/Enterprise/Solutions/antispamgate/) without a lot
of info about it...

AFAICS, it uses Sieve for filtering... Sieve is a relatively new standard
language for mail filtering... it is being incorporated on some mail clients
and server as a filtering language so users can write scripts based on
message properties or contents and filter every incoming message... IIRC, you
can accept, bounce, drop, copy/move to a certain folder based on things
inside the message.

The only open source server I recall using it is CMU's cyrus imap server...
incidentally, I think the language was developed by people at CMU :-)

I also recall a couple of mail clients using it... I think recent versions of
Cyrusoft Mulberry (payware) use it for locally filtering.

Now, Sieve is a fine language for filtering, but, in itself, it's nothing
else... It is interesting that, being standard, once you learn to filter in
Sieve, you can carry your scripts from client to server, or test in the
client, then copy to server, etc...

I don't recall it can do fancy things as scoring, de-html, etc... For what I
see in vircom site, the advantage of Sieve is that you, as a paying customer
can contribute to vircom so other paying customers take advantage of your
experience... I don't think it is nowhere near what spamassassin, razor, dcc
do... openly and for free :-)

On 4 Jul 2003 at 9:59, Peter Peters wrote:

> Sometimes other (not as good as) MailScanner replacements pop up. A few
> days ago (yes, I'm behind on my e-mail) my boss forwarded me an e-mail
> from/about Vircom/Sieve. Anybody any experience with this?
> > It looks as if it does the same as MailScanner only they claim the have > something called Sieve that is something "new". And it is update trough > information gathered at 15 ISP's. > > -- > Peter Peters, senior netwerkbeheerder > Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE) > Universiteit Twente, Postbus 217, 7500 AE Enschede > telefoon: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/civ -- Mariano Absatz El Baby ---------------------------------------------------------- The use of COBOL cripples the mind; its teaching should, therefore, be regarded as a criminal offense. -- E. W. Dijkstra From mailscanner at ecs.soton.ac.uk Fri Jul 4 14:43:31 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:18:51 2006 Subject: MailScanner replacements In-Reply-To: <3F0555A1.9166.13885315@localhost> References: <7qcagv8e61u2a143eggps35fe26q9r917f@4ax.com> Message-ID: <5.2.0.9.2.20030704143536.04680650@imap.ecs.soton.ac.uk> Let's all play "spot the snake oil". "Its unique multi-layered approach stops all spammer attacks". Yeah, right. "24/7 Sieve script auto-updates" Ooh, great, all your spam are belong to us. I wonder how long it will be before the spammers start polluting their database of scripts. You have to submit 50 lines of script, which they claim they will check, before you get to be a "member of the coalition". Must be a bit like finding weapons of mass destruction :-) People like Razor use far more sophisticated anti-pollution mechanisms based on dynamic evaluations of the history of your spam submissions compared against other people's submissions. Call a cynical old git if you like... At 14:23 04/07/2003, you wrote: >I just browsed over vircom's site... they have something called Anti-SPAM >Gate (http://www.vircom.com/Enterprise/Solutions/antispamgate/) without a lot >of info about it... > >AFAICS, it uses Sieve for filtering... Sieve is a relatively new standard >language for mail filtering... 
it is being incorporated on some mail clients >and server as a filtering language so users can write scripts based on >message properties or contents and filter every incoming message... IIRC, you >can accept, bounce, drop, copy/move to a certain folder based on things >inside the message. > >The only open source server I recall using it is CMU's cyrus imap server... >incidentally, I think the language was developed by people at CMU :-) > >I also recall a couple of mail clients using it... I think recent versions of >Cyrusoft Mulberry (payware) use it for locally filtering. > >Now, Sieve is a fine language for filtering, but, in itself, it's nothing >else... It is interesting that, being standard, once you learn to filter in >Sieve, you can carry your scripts from client to server, or test in the >client, then copy to server, etc... > >I don't recall it can do fancy things as scoring, de-html, etc... For what I >see in vircom site, the advantage of Sieve is that you, as a paying customer >can contribute to vircom so other paying customers take advantage of your >experience... I don't think it is nowhere near what spamassassin, razor, dcc >do... openly and for free :-) > >El 4 Jul 2003 a las 9:59, Peter Peters escribi?: > > > Sometimes other (not as good as) MailScanner replacements pop up. A few > > days ago (yes, I'm behind on my e-mail) my boss forwarded me an e-mail > > from/about Vircom/Sieve. Anybody any experience with this? > > > > It looks as if it does the same as MailScanner only they claim the have > > something called Sieve that is something "new". And it is update trough > > information gathered at 15 ISP's. 
> > > > -- > > Peter Peters, senior netwerkbeheerder > > Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE) > > Universiteit Twente, Postbus 217, 7500 AE Enschede > > telefoon: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/civ > > >-- >Mariano Absatz >El Baby >---------------------------------------------------------- >The use of COBOL cripples the mind; its teaching should, >therefore, be regarded as a criminal offense. > -- E. W. Dijkstra -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From sevans at FOUNDATION.SDSU.EDU Fri Jul 4 15:09:50 2003 From: sevans at FOUNDATION.SDSU.EDU (Steve Evans) Date: Thu Jan 12 21:18:51 2006 Subject: MailScanner replacements Message-ID: <95B481BA6D181A4685081D263BF9A13A45B2@mail.foundation.sdsu.edu> >> Must be a bit like finding weapons of mass destruction :-) Easy, you saw what happened to the Dixie Chicks ;-) Steve Evans SDSU Foundation (619) 594-0653 -----Original Message----- From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] Sent: Friday, July 04, 2003 6:44 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: MailScanner replacements Let's all play "spot the snake oil". "Its unique multi-layered approach stops all spammer attacks". Yeah, right. "24/7 Sieve script auto-updates" Ooh, great, all your spam are belong to us. I wonder how long it will be before the spammers start polluting their database of scripts. You have to submit 50 lines of script, which they claim they will check, before you get to be a "member of the coalition". Must be a bit like finding weapons of mass destruction :-) People like Razor use far more sophisticated anti-pollution mechanisms based on dynamic evaluations of the history of your spam submissions compared against other people's submissions. Call a cynical old git if you like... At 14:23 04/07/2003, you wrote: >I just browsed over vircom's site... 
they have something called >Anti-SPAM Gate >(http://www.vircom.com/Enterprise/Solutions/antispamgate/) without a lot of info about it... > >AFAICS, it uses Sieve for filtering... Sieve is a relatively new >standard language for mail filtering... it is being incorporated on >some mail clients and server as a filtering language so users can write >scripts based on message properties or contents and filter every >incoming message... IIRC, you can accept, bounce, drop, copy/move to a >certain folder based on things inside the message. > >The only open source server I recall using it is CMU's cyrus imap server... >incidentally, I think the language was developed by people at CMU :-) > >I also recall a couple of mail clients using it... I think recent >versions of Cyrusoft Mulberry (payware) use it for locally filtering. > >Now, Sieve is a fine language for filtering, but, in itself, it's >nothing else... It is interesting that, being standard, once you learn >to filter in Sieve, you can carry your scripts from client to server, >or test in the client, then copy to server, etc... > >I don't recall it can do fancy things as scoring, de-html, etc... For >what I see in vircom site, the advantage of Sieve is that you, as a >paying customer can contribute to vircom so other paying customers take >advantage of your experience... I don't think it is nowhere near what >spamassassin, razor, dcc do... openly and for free :-) > >El 4 Jul 2003 a las 9:59, Peter Peters escribi?: > > > Sometimes other (not as good as) MailScanner replacements pop up. A > > few days ago (yes, I'm behind on my e-mail) my boss forwarded me an > > e-mail from/about Vircom/Sieve. Anybody any experience with this? > > > > It looks as if it does the same as MailScanner only they claim the > > have something called Sieve that is something "new". And it is > > update trough information gathered at 15 ISP's. 
> > > > -- > > Peter Peters, senior netwerkbeheerder Dienst Informatietechnologie, > > Bibliotheek en Educatie (ITBE) Universiteit Twente, Postbus 217, > > 7500 AE Enschede > > telefoon: 053 - 489 2301, fax: 053 - 489 2383, > > http://www.utwente.nl/civ > > >-- >Mariano Absatz >El Baby >---------------------------------------------------------- >The use of COBOL cripples the mind; its teaching should, therefore, be >regarded as a criminal offense. > -- E. W. Dijkstra -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From miguelk at KONSULTEX.COM.BR Fri Jul 4 15:29:21 2003 From: miguelk at KONSULTEX.COM.BR (Miguel Koren O'Brien de Lacy) Date: Thu Jan 12 21:18:51 2006 Subject: Antivirus License? References: <001b01c3422d$74f942c0$2f11a550@henrik> Message-ID: <3F058F41.8080900@konsultex.com.br> Henrik; As far as I know this is free for private use: http://www.hbedv.com/download/download.htm You can also check out: http://www.openantivirus.org/ To see if you can come up with some more inspiration about 'per server'. []s Miguel Henrik Bro wrote: >Does anyone know if any of the commercial AV products have a free solution >for non-commercial / non-profit use? (I know Trend Micro has vscan) > >Or have a license where I buy a server-license and do not have to pay per. >Mailbox? > >Best regards, >Henrik > > From mailscanner at LISTS.COM.AR Fri Jul 4 15:30:11 2003 From: mailscanner at LISTS.COM.AR (Mariano Absatz) Date: Thu Jan 12 21:18:51 2006 Subject: Rulesets: Match first or match last? In-Reply-To: <5.2.0.9.2.20030704093001.044ea140@imap.ecs.soton.ac.uk> References: <1A91F0B5CDA2D7119000080009DCFDBC1BCD83@pebble.bsa.ca.gov> Message-ID: <3F056543.12872.13C56412@localhost> Yes, but what Jeremy shows is that in the first example the first (non-default) rule should have applied but the second one did (supposedly both matched)... Now that I see that the actual From: in Jeremy's message is JeremyE@BSA.CA.GOV I wonder... 
are you upcasing or lowcasing e-mail addresses before matching rules?... This is kind of PITA, since domain names are case insensitive by definition, but the case sensitivity of the local part is a harder issue... RFC 2821 (SMTP) says (sect.2.4, page 14): [...] The local-part of a mailbox MUST BE treated as case sensitive. Therefore, SMTP implementations MUST take care to preserve the case of mailbox local-parts. Mailbox domains are not case sensitive. In particular, for some hosts the user "smith" is different from the user "Smith". However, exploiting the case sensitivity of mailbox local-parts impedes interoperability and is discouraged. So we shouldn't change the localpart (the part before the "@"), but then, most mail servers treat it as case-insensitive. In any case, if we decide that we should lowcase the addresses before doing any comparisons inside MailScanner, we should preserve the _original_ envelope SMTP from and to addresses and use that whenever delivering/copying the message for delivering it... I think this is what is being done today, but I don't remember... El 4 Jul 2003 a las 9:31, Julian Field escribi?: > The Filename Rules option concatenates all the matching rule results > together, then uses that as the set of allow/deny rules for the attachment > filenames. > > It only uses the "default" setting if none of the other rules match. > > > At 00:04 04/07/2003, you wrote: > >I thought rulesets were supposed to use the first entry that matches, but > >I'm doing some testing now and that doesn't seem to be the case. 
If I use > >this ruleset: > > > > # filename.rules > > # This file lists which e-mails are scanned for nasty filenames > > From: jeremye@bsa.ca.gov > >/opt/MailScanner/etc/filename.rules.conf > > From: *@bsa.ca.gov > >/opt/MailScanner/etc/filename.allowall.conf > > FromTo: default > >/opt/MailScanner/etc/filename.rules.conf > > > >and send an e-mail from jeremye@bsa.ca.gov with an attached file blocked in > >filename.rules.conf, it comes through without any problems. If I use this > >ruleset: > > > > # filename.rules > > # This file lists which e-mails are scanned for nasty filenames > > From: *@bsa.ca.gov > >/opt/MailScanner/etc/filename.allowall.conf > > From: jeremye@bsa.ca.gov > >/opt/MailScanner/etc/filename.rules.conf > > FromTo: default > >/opt/MailScanner/etc/filename.rules.conf > > > >the attachment is stripped from the file. Are the rulesets supposed to use > >the first entry that matches, or the last one? > > > >Jeremy Evans > >Information Systems Analyst > >California State Auditor > >916-445-0255 phone > >916-322-7801 fax > > -- > Julian Field > www.MailScanner.info > MailScanner thanks transtec Computers for their support -- Mariano Absatz El Baby ---------------------------------------------------------- I started out with nothing & still have most of it left. From mike at CAMAROSS.NET Fri Jul 4 15:34:19 2003 From: mike at CAMAROSS.NET (Mike Kercher) Date: Thu Jan 12 21:18:51 2006 Subject: MailScanner replacements In-Reply-To: <7qcagv8e61u2a143eggps35fe26q9r917f@4ax.com> Message-ID: <002d01c34239$5b7047c0$9c01a8c0@home.middlefinger.net> Sieve is not new to my knowledge. I have a server running SuSE Openexchange 4 in my office. This box uses postfix and Cyrus-IMAP (among other packages). Sieve is part of Cyrus and is a filtering tool. On the SuSE box, it is used to organize mail upon arrival into specific folders based on rules configured by the users. Much like procmail. 
SuSE also puts SpamAssassin on these systems, but I disable it and still use MS/SA on another MX and forward using mailertable. Mike -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Peter Peters Sent: Friday, July 04, 2003 3:00 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: MailScanner replacements Sometimes other (not as good as) MailScanner replacements pop up. A few days ago (yes, I'm behind on my e-mail) my boss forwarded me an e-mail from/about Vircom/Sieve. Anybody any experience with this? It looks as if it does the same as MailScanner only they claim the have something called Sieve that is something "new". And it is update trough information gathered at 15 ISP's. -- Peter Peters, senior netwerkbeheerder Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE) Universiteit Twente, Postbus 217, 7500 AE Enschede telefoon: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/civ From mike at CAMAROSS.NET Fri Jul 4 15:47:48 2003 From: mike at CAMAROSS.NET (Mike Kercher) Date: Thu Jan 12 21:18:51 2006 Subject: ANNOUNCE: OT Mailing List Message-ID: <002e01c3423b$3d8313d0$9c01a8c0@home.middlefinger.net> I have created a mailing list for OT discussions. Per Julian's recommendation, new threads should not be created on this list. This is where threads deems OT for the main list should be moved for further group discussion and assistance. Once a resolution is found, it is requested that the solution be posted back to the main MailScanner mailing list so it will show up in the archives and everyone will share the knowledge. Per Christopher Hicks' request, the list has been aptly names MailScanner-Wizards. You can subscribe/manage here: http://CamaroSS.net/mailman/admin/mailscanner-wizards Please contact me with any questions, suggestions or concerns. 

Mike

From Kevin.Spicer at BMRB.CO.UK Fri Jul 4 15:54:57 2003
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin)
Date: Thu Jan 12 21:18:51 2006
Subject: ANNOUNCE: OT Mailing List
Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0EBF6E2@pascal.priv.bmrb.co.uk>

> Per Christopher Hicks' request, the list has been aptly named
> MailScanner-Wizards.
>
> You can subscribe/manage here:
>
> http://CamaroSS.net/mailman/admin/mailscanner-wizards
>
> Please contact me with any questions, suggestions or concerns.

Mike, that link points to an admin login only.

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000
_________________________________________________________________
This message (and any attachment) is intended only for the recipient
and may contain confidential and/or privileged material. If you have
received this in error, please contact the sender and delete this
message immediately. Disclosure, copying or other action taken in
respect of this email or in reliance on it is prohibited. BMRB
International Limited accepts no liability in relation to any personal
emails, or content of any email which does not directly relate to our
business.

From David.While at UCE.AC.UK Fri Jul 4 16:00:40 2003
From: David.While at UCE.AC.UK (David While)
Date: Thu Jan 12 21:18:51 2006
Subject: ANNOUNCE: OT Mailing List
Message-ID: <107DE25EC0216C45AEF670016024245F6EEC@exchangea.staff.uce.ac.uk>

Think it should be:

http://CamaroSS.net/mailman/listinfo/mailscanner-wizards

-----------------------------------------------------------------
David While
Technical Development Manager
Faculty of Computing, Information & English
University of Central England
Tel: 0121 331 6211
-----------------------------------------------------------------

-----Original Message-----
From: Spicer, Kevin [mailto:Kevin.Spicer@BMRB.CO.UK]
Sent: 04 July 2003 15:55
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: ANNOUNCE: OT Mailing List

> Per Christopher Hicks' request, the list has been aptly named
> MailScanner-Wizards.
>
> You can subscribe/manage here:
>
> http://CamaroSS.net/mailman/admin/mailscanner-wizards
>
> Please contact me with any questions, suggestions or concerns.

Mike, that link points to an admin login only.

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000
_________________________________________________________________
This message (and any attachment) is intended only for the recipient
and may contain confidential and/or privileged material. If you have
received this in error, please contact the sender and delete this
message immediately. Disclosure, copying or other action taken in
respect of this email or in reliance on it is prohibited. BMRB
International Limited accepts no liability in relation to any personal
emails, or content of any email which does not directly relate to our
business.
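
The Filename Rules behaviour from the "Rulesets: Match first or match last?" thread earlier in this archive, as an added model that is not part of any poster's message and is not MailScanner's own code. It assumes constructed contents for the two rule files, in-order concatenation of the matching files, and two hypothetical switches (`policy`, `ignore_case`) for the questions the thread leaves open; `user@example.org` and `setup.exe` are constructed test values.

```python
import re
from fnmatch import fnmatchcase

# Constructed stand-ins for the two rule files named in the thread, reduced to
# (action, filename regex) pairs in the style of the "allow . - -" line.
RULE_FILES = {
    "/opt/MailScanner/etc/filename.rules.conf": [("deny", r"\.exe$")],
    "/opt/MailScanner/etc/filename.allowall.conf": [("allow", r".")],
}

# Jeremy's two orderings ("FromTo:" written as "FromOrTo:", as in Julian's example).
RULESET_A = """
# filename.rules
From:     jeremye@bsa.ca.gov  /opt/MailScanner/etc/filename.rules.conf
From:     *@bsa.ca.gov        /opt/MailScanner/etc/filename.allowall.conf
FromOrTo: default             /opt/MailScanner/etc/filename.rules.conf
"""
RULESET_B = """
# filename.rules
From:     *@bsa.ca.gov        /opt/MailScanner/etc/filename.allowall.conf
From:     jeremye@bsa.ca.gov  /opt/MailScanner/etc/filename.rules.conf
FromOrTo: default             /opt/MailScanner/etc/filename.rules.conf
"""


def parse_ruleset(text):
    """Return [(direction, address pattern, rule file)] for each non-comment line."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            direction, pattern, value = line.split(None, 2)
            rules.append((direction.rstrip(":").lower(), pattern, value.strip()))
    return rules


def address_matches(pattern, address, ignore_case):
    """Shell-style wildcard match of one address against one ruleset pattern."""
    if ignore_case:  # assumption: the thread does not settle how case is handled
        pattern, address = pattern.lower(), address.lower()
    return fnmatchcase(address, pattern)


def matching_rule_files(rules, sender, recipient, ignore_case=True):
    """All rule files whose address pattern matches, in ruleset order;
    the "default" entries only if nothing else matched (as Julian describes)."""
    matched, default = [], []
    for direction, pattern, rule_file in rules:
        if pattern.lower() == "default":
            default.append(rule_file)
            continue
        addresses = {"from": [sender], "to": [recipient]}.get(
            direction, [sender, recipient])
        if any(address_matches(pattern, a, ignore_case) for a in addresses):
            matched.append(rule_file)
    return matched or default


def decide(rule_files, filename, policy):
    """Concatenate the rule files in order, then let the first or the last
    matching entry decide (policy is "first" or "last", a modelling switch)."""
    entries = [entry for rule_file in rule_files for entry in RULE_FILES[rule_file]]
    hits = [action for action, regex in entries if re.search(regex, filename, re.I)]
    if not hits:
        return "allow"  # no entry matches: filenames are allowed by default
    return hits[0] if policy == "first" else hits[-1]


def evaluate(ruleset, sender, recipient, filename, policy, ignore_case=True):
    """Verdict ("allow" or "deny") for one attachment filename."""
    files = matching_rule_files(parse_ruleset(ruleset), sender, recipient, ignore_case)
    return decide(files, filename, policy)


if __name__ == "__main__":
    for name, ruleset in (("A", RULESET_A), ("B", RULESET_B)):
        for policy in ("first", "last"):
            verdict = evaluate(ruleset, "jeremye@bsa.ca.gov", "user@example.org",
                               "setup.exe", policy)
            print(f"ruleset {name}, {policy} matching entry wins: {verdict}")
    # Mariano's question: with case-sensitive matching the mixed-case sender
    # matches neither From: line, so only the default rule file applies.
    print("case-sensitive, JeremyE@BSA.CA.GOV:",
          evaluate(RULESET_A, "JeremyE@BSA.CA.GOV", "user@example.org",
                   "setup.exe", "first", ignore_case=False))
```

In this model the results Jeremy reported (attachment delivered under the first ordering, stripped under the second) correspond to the `last` policy. Whichever an installed version does, a broad allow-all file that matches the same sender as a restrictive one makes the verdict depend on line order, so send a blocked filename through both orderings before relying on a ruleset.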
From marco at MUW.EDU Fri Jul 4 16:48:43 2003
From: marco at MUW.EDU (Marco Obaid)
Date: Thu Jan 12 21:18:51 2006
Subject: MailScanner replacements
In-Reply-To: <5.2.0.9.2.20030704143536.04680650@imap.ecs.soton.ac.uk>
References: <7qcagv8e61u2a143eggps35fe26q9r917f@4ax.com> <5.2.0.9.2.20030704143536.04680650@imap.ecs.soton.ac.uk>
Message-ID: <1057333723.3f05a1db017f7@webmail.MUW.Edu>

Hi,

> Let's all play "spot the snake oil".
> Call a cynical old git if you like...

I second that Julian !!!

For years I have played around with different technologies to combat the rising problem with spam/viruses. I can truly testify that MailScanner is far more superior to any product out there, commercial or not.

I love the fact that it is flexible and not dependent *only* on one method or technology. I love the fact that it is relatively easy to install. I love the fact that it supports a wide variety of Antivirus products and Antispam technologies and techniques.

Most importantly, the type of support we get from Julian and all the people on this list is far superior than any commercial support, period. I remember an incident when SA 2.50 had issues with locking. At the same time, I had an issue with a commercial product that we use here, we pay this company thousands of dollars annually for "support". I posted a message on the MailScanner mailing list and it took Julian less time to fix the problem with SA than me getting through the annoying recorded messages to talk to a support engineer to fix my other issue with the product that we pay lots of $$$ for support.

Factors like the above are crucial when evaluating and comparing products. Julian provides a world-class consulting for all of us that to me is unmatchable. Great job Julian !!!

Marco _________________________________________________________________ This mail is sent through MUW Webmail: http://www.MUW.Edu/webmail For the latest MUW Events, visit http://www.MUW.Edu/calendar From mailscanner at ecs.soton.ac.uk Fri Jul 4 16:54:19 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:18:51 2006 Subject: MailScanner replacements In-Reply-To: <1057333723.3f05a1db017f7@webmail.MUW.Edu> References: <5.2.0.9.2.20030704143536.04680650@imap.ecs.soton.ac.uk> <7qcagv8e61u2a143eggps35fe26q9r917f@4ax.com> <5.2.0.9.2.20030704143536.04680650@imap.ecs.soton.ac.uk> Message-ID: <5.2.0.9.2.20030704165402.04471960@imap.ecs.soton.ac.uk> At 16:48 04/07/2003, you wrote: >Hi, > > > Let's all play "spot the snake oil". > > Call a cynical old git if you like... > >I second that Julian !!! > >For years I have played around with different technologies to combat the >rising >problem with spam/viruses. I can truely testify that MailScanner is far more >superior to any product out there, commercial or not. > >I love the fact that it is flexible and not dependent *only* on one method or >technology. I love the fact that it is relatively easy to install. I love the >fact that it supports a wide variety of Antivirus products and Antispam >technologies and techniques. > >Most importantly, the type of support we get from Julian and all the people on >this list is far superior than any commericial support, period. I remember an >incident when SA 2.50 had issues with locking. At the same time, I had an >issue >with a commercial product that we use here, we pay this company thousands of >dollars annually for "support". I posted a message on the MailScanner mailing >list and it took Julian less time to fix the problem with SA than me getting >through the annoying recorded messages to talk to a support engineer to fix my >other issue with the product that we pay lots of $$$ for support. 
> >Facotors like the above are crucial when evaluating and comparing products. >Julian provides a world-class consulting for all of us that to me is >unmatchable. Great job Julian !!! Aw, shucks.... :) -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From mike at CAMAROSS.NET Fri Jul 4 17:19:00 2003 From: mike at CAMAROSS.NET (Mike Kercher) Date: Thu Jan 12 21:18:51 2006 Subject: ANNOUNCE: OT Mailing List In-Reply-To: <107DE25EC0216C45AEF670016024245F6EEC@exchangea.staff.uce.ac.uk> Message-ID: <002f01c34247$fb465e70$9c01a8c0@home.middlefinger.net> Yep...my bad :) I'll go get some coffee now! -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of David While Sent: Friday, July 04, 2003 10:01 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: ANNOUNCE: OT Mailing List Think it should be: http://CamaroSS.net/mailman/listinfo/mailscanner-wizards ----------------------------------------------------------------- David While Technical Development Manager Faculty of Computing, Information & English University of Central England Tel: 0121 331 6211 ----------------------------------------------------------------- -----Original Message----- From: Spicer, Kevin [mailto:Kevin.Spicer@BMRB.CO.UK] Sent: 04 July 2003 15:55 To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: ANNOUNCE: OT Mailing List > Per Christopher Hicks' request, the list has been aptly names > MailScanner-Wizards. > > You can subscribe/manage here: > > http://CamaroSS.net/mailman/admin/mailscanner-wizards > > Please contact me with any questions, suggestions or concerns. Mike, that link points to an admin login only. BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. 
If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business.

From gerry at DORFAM.CA Fri Jul 4 20:22:07 2003
From: gerry at DORFAM.CA (Gerry Doris)
Date: Thu Jan 12 21:18:51 2006
Subject: Modified ClamAV Updater
Message-ID:

I and some others have experienced MailScanner freezes as a result of hangs when ClamAV virus files are being updated. The latest one for me occurred on June 29 at 7:00am EST.

From my log files it appears that when the clamav-autoupdate script is called and the ClamAV site doesn't respond then a lock file is left open preventing MailScanner from performing any virus scans. In any case, mail continues to roll into mqueue.in but is not processed by MailScanner. MailScanner knows how many messages are in the queue and says that it's starting virus scanning...and that's all!

I've modified the existing clamav-autoupdate script to include a timeout that hopefully will correct this.

I am not by any means a programmer so please have a look at this and see if it does what I think it should! I don't believe there's been any further hangs at the ClamAV site so I don't know if it fixes the problem or not?

--
Gerry

"The lyfe so short, the craft so long to learne" Chaucer
-------------- next part --------------
#!/usr/bin/perl

use Sys::Syslog;

# If you have a web proxy or cache server, put its value in the next line
# in the syntax "full.host.name:port".
$HTTPproxy = "";

$LogFile = "/tmp/ClamAV.update.log";
$ClamUpdateCommand = "/usr/local/bin/freshclam";
$LockFile = "/tmp/ClamAVBusy.lock";
$TIMEOUT = 10; #Timeout in sec's

# flock() operation constants
$LOCK_SH = 1;
$LOCK_EX = 2;
$LOCK_NB = 4;
$LOCK_UN = 8;

eval { Sys::Syslog::setlogsock('unix'); }; # This may fail!
Sys::Syslog::openlog("ClamAV-autoupdate", 'pid, nowait', 'mail');

$SIG{ALRM} = sub { die "timeout" }; # Setup alarm

# Run the update under an alarm so a hung freshclam cannot hold the lock
# forever. Note: the die() in the ALRM handler only aborts this script's
# wait; a freshclam process already started by system() is not signalled.
eval {
  alarm("$TIMEOUT"); #Update timeout in $TIMEOUT sec's
  if (-x $ClamUpdateCommand) {
    &LockClamAV();
    $Command = "$ClamUpdateCommand --quiet -l $LogFile";
    $Command .= " --http-proxy $HTTPproxy" if $HTTPproxy;
    $retval=system($Command)>>8;
  }
  alarm(0); #Turn off alarm
};

if ($@) {
  if ($@ =~ /timeout/) {
    # Timed out: release the lock so virus scanning can resume, then log it
    &UnlockClamAV();
    Sys::Syslog::syslog('err', "ClamAV updater timed out");
    Sys::Syslog::closelog();
    exit 0;
  } else {
    die; # Any other error: re-raise it ($@ is propagated)
  }
}

&UnlockClamAV();

# Log the result according to freshclam's exit status
if ($retval == 0 ) {
  Sys::Syslog::syslog('info', "ClamAV updated");
} elsif ($retval == 1 ) {
  Sys::Syslog::syslog('info', "ClamAV did not need updating");
} else {
  Sys::Syslog::syslog('err', "ClamAV updater failed");
}

Sys::Syslog::closelog();
exit 0;

# Take an exclusive lock on the lock file and record who holds it
sub LockClamAV {
  open(LOCK, ">$LockFile") or return;
  flock(LOCK, $LOCK_EX);
  print LOCK "Locked for updating ClamAV definitions by $$\n";
}

# Remove the lock file and release the lock
sub UnlockClamAV {
  print LOCK "Unlocked after updating ClamAV definitions by $$\n";
  unlink $LockFile;
  flock(LOCK, $LOCK_UN);
  close LOCK;
}

From nathan at TCPNETWORKS.NET Fri Jul 4 20:26:06 2003
From: nathan at TCPNETWORKS.NET (Nathan Johanson)
Date: Thu Jan 12 21:18:51 2006
Subject: Advanced SpamAssassin Settings
Message-ID:

Hello,

I'm getting ready to upgrade to 4.22-5 from 4.14-9 and I had a few questions about the "new" Advanced SpamAssassin Settings.

Before these options were implemented, I added the following lines to spam.assassin.prefs.conf in order to change the location of the bayes database.

bayes_path /var/spool/spamassassin/bayes
bayes_file_mode 0644

It looks like this setting is now deprecated in favor of

SpamAssassin User State Dir =

I'm assuming I can safely comment out the former settings in spam.assassin.prefs.conf and define the following in MailScanner.conf to get the same effect?

SpamAssassin User State Dir = /var/spool/spamassassin/bayes

Correct?
Or if I leave the new "SpamAssassin User State Dir" value empty, will MailScanner continue to use my bayes settings in spam.assassin.prefs.conf? If I'm using a vanilla SpamAssassin installation, I'm assuming the rest of the Advanced SpamAssassin Settings (such as "SpamAssassin Local Rules Dir" and "SpamAssassin Default Rules Dir") can be left alone. These two options are used only if you prefer not to use /etc/MailScanner/spam.assassin.prefs.conf for some reason? Right? I'm guess I'm a little confused by the difference between these two configuration options. Also, the MailScanner FAQ suggested setting the bayes_file_mode to 0644 (my current setting), but other places suggest it should be 0600. Does it matter? Thanks in advance! Sincerely, Nathan Johanson Email: nathan@tcpnetworks.net From kevins at BMRB.CO.UK Fri Jul 4 20:40:15 2003 From: kevins at BMRB.CO.UK (Kevin Spicer) Date: Thu Jan 12 21:18:51 2006 Subject: Modified ClamAV Updater In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB001175CE1@pascal.priv.bmrb.co.uk> References: <5C0296D26910694BB9A9BBFC577E7AB001175CE1@pascal.priv.bmrb.co.uk> Message-ID: <1057347615.29329.64.camel@bach.kevinspicer.co.uk> >I am not by any means a programmer so please have a look at this and see >if it does what I think it should! I don't believe there's been any >further hangs at the ClamAV site so I don't know if it fixes the >problem >or not? Gerry, thats a good idea - did you mean to attach the file? ;) I'd be curious to know which version of Clam others were using when they had problems. In was using the snapshot 20030403. I've since upgraded to the snapshot from 20030625 (which is a few days after the 0.60 release) because I noticed the following in its changelog... * freshclam: fixed a typo - missing 2 in "nodb" in (should be "nodb2") in one clause. That was causing a strange behaviour in some situations. Patch by Damien Curtain . Don't know if that was at all relevent to the problems we had. 
BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. From hunter at userfriendly.net Fri Jul 4 20:45:47 2003 From: hunter at userfriendly.net (Michael Weiner) Date: Thu Jan 12 21:18:51 2006 Subject: Modified ClamAV Updater In-Reply-To: References: Message-ID: <1057347946.3603.7.camel@nomad.userfriendly.net> Thank you Gerry for your most recent post. This issue has been puzzling me for sometime now, and i unfortunately havent really had the time to "dig" into it like you have. I for one appreciate your letting the list know, as i too use clam (and like it) and have been having issues with MS when it goes to scan for virii. I posted a question to the list sometime ago, but got no response. Thank you for your answer. Michael Weiner -- On Fri, 2003-07-04 at 15:22, Gerry Doris wrote: > I and some others have experienced MailScanner freezes as a result of > hangs when ClamAV virus files are being updated. The latest one for me > occurrd on June 29 at 7:00am EST. > > >From my log files it appears that when the clamav-autoupdate script is > called and the ClamAV site doesn't respond then a lock file is left open > preventing MailScanner from performing any virus scans. In any case, mail > continues to roll into mqueue.in but is not processed by MailScanner. > MailScanner knows how many messages are in the queue and says that it's > starting virus scanning...and that's all! 
> > I've modified the existing clamav-autoupdate script to include a timeout > that hopefully will correct this. > > I am not by any means a programmer so please have a look at this and see > if it does what I think it should! I don't believe there's been any > further hangs at the ClamAV site so I don't know if it fixes the problem > or not? > > -- > Gerry > > "The lyfe so short, the craft so long to learne" Chaucer -- Michael B. Weiner, Linux+, Linux+ SME Systems Administrator/Partner The UserFriendly Network (UFN) -- Linux Registered User #94900 Have you been counted? http://counter.li.org -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: This is a digitally signed message part Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030704/75eeee51/attachment.bin From gerry at DORFAM.CA Fri Jul 4 21:27:08 2003 From: gerry at DORFAM.CA (Gerry Doris) Date: Thu Jan 12 21:18:51 2006 Subject: Modified ClamAV Updater In-Reply-To: <1057347615.29329.64.camel@bach.kevinspicer.co.uk> Message-ID: On Fri, 4 Jul 2003, Kevin Spicer wrote: > >I am not by any means a programmer so please have a look at this and > see > >if it does what I think it should! I don't believe there's been any > >further hangs at the ClamAV site so I don't know if it fixes the > >problem > >or not? > > Gerry, thats a good idea - did you mean to attach the file? ;) > > I'd be curious to know which version of Clam others were using when they > had problems. In was using the snapshot 20030403. I've since upgraded > to the snapshot from 20030625 (which is a few days after the 0.60 > release) because I noticed the following in its changelog... > > * freshclam: fixed a typo - missing 2 in "nodb" in (should be "nodb2") > in > one clause. That was causing a strange behaviour in some > situations. Patch by Damien Curtain . > > Don't know if that was at all relevent to the problems we had. 
Uh, I did attach the file. At least if showed up on my message back from the list??? Where did you find the snapshoot number? I just checked the changelog for the version I have and the last listed problem was June 21 and it doesn't mention the problem that you listed as fixed. I'm going to download and install whatever version they have now on their system. -- Gerry "The lyfe so short, the craft so long to learne" Chaucer From kevins at BMRB.CO.UK Fri Jul 4 22:28:42 2003 From: kevins at BMRB.CO.UK (Kevin Spicer) Date: Thu Jan 12 21:18:51 2006 Subject: Modified ClamAV Updater In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB001175CE5@pascal.priv.bmrb.co.uk> References: <5C0296D26910694BB9A9BBFC577E7AB001175CE5@pascal.priv.bmrb.co.uk> Message-ID: <1057354122.29328.77.camel@bach.kevinspicer.co.uk> >Uh, I did attach the file. At least if showed up on my message back >from >the list??? My sincere apologies, I've just been bitten by the unfathomable stupidity of exchange again. [I'm reading mail off an exchange server using IMAP through Evolution, for reasons best known to itself the exchange server converted your plain text email to html, but only if fetched via IMAP, and screwed up the mime type, managing to conceal the attachement entirely. Its in the message source but due to the screwy mime doesn't appear otherwise - weird eh] >Where did you find the snapshoot number? I just checked the changelog >for >the version I have and the last listed problem was June 21 and it >doesn't >mention the problem that you listed as fixed. I'm going to download >and >install whatever version they have now on their system. from the snapshots link on their home page. BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. 
If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. From gerry at DORFAM.CA Fri Jul 4 22:45:51 2003 From: gerry at DORFAM.CA (Gerry Doris) Date: Thu Jan 12 21:18:51 2006 Subject: Modified ClamAV Updater In-Reply-To: <1057354122.29328.77.camel@bach.kevinspicer.co.uk> Message-ID: On Fri, 4 Jul 2003, Kevin Spicer wrote: > >Where did you find the snapshoot number? I just checked the changelog > >for > >the version I have and the last listed problem was June 21 and it > >doesn't > >mention the problem that you listed as fixed. I'm going to download > >and > >install whatever version they have now on their system. > > from the snapshots link on their home page. Ah, yes I see that now. I was looking through the directory where I had untared the package. For what it's worth I was using the stable 0.60 release that came out on 6/21 when I experienced the hang. I have now downloaded and install the updated snapshot release 20030625. -- Gerry "The lyfe so short, the craft so long to learne" Chaucer From becher at WEB.LU Sat Jul 5 13:26:55 2003 From: becher at WEB.LU (Schiltz Luc) Date: Thu Jan 12 21:18:51 2006 Subject: Custom Over quota Message-ID: Hi, does anybody know if there is a workaround with MailScanner to customize "over quota" messages handled by sendmail ? e.g. 
that mails which pass MailScanner and where the box is over quota get a personalized over quota message which is sent by MailScanner

or any idea how to customize this directly in sendmail as I'm looking for days now in order to find an answer

many many thanks

Schiltz Luc

From raymond at PROLOCATION.NET Sat Jul 5 13:46:49 2003
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:18:51 2006
Subject: Custom Over quota
In-Reply-To:
Message-ID:

Hi!

> does anybody know if there is a workaround with MailScanner to
> customize "over quota" messages handled by sendmail ? e.g. that
> mails which pass MailScanner and where the box is over quota get
> a personalized over quota message which is sent by MailScanner
> or any idea how to customize this directly in sendmail as I'm looking
> for days now in order to find an answer

This is not a mailscanner issue. Mailscanner does not even know when a user is over quota.

Within redhat, and i guess on other distributions also there is a file called warnquota.conf (normally in /etc) that you can use to customise the mails that get sent out.

Bye,
Raymond.

From becher at WEB.LU Sun Jul 6 20:24:18 2003
From: becher at WEB.LU (Schiltz Luc)
Date: Thu Jan 12 21:18:51 2006
Subject: 1. Custom Over quota (2)
In-Reply-To: <200307052301.BAA01398@germaine.webtechnologies.lu>
Message-ID:

Hi,

yes on a standard System but in this case it is a Sun/Cobalt RaQXTR Server

any more idea ? there is no warnquota.conf

many thanks

Luc

From ryanb at AACRAO.ORG Mon Jul 7 03:14:03 2003
From: ryanb at AACRAO.ORG (Ryan Bingham)
Date: Thu Jan 12 21:18:51 2006
Subject: 1. Custom Over quota (2)
References:
Message-ID: <001201c3442d$70052bb0$f8240340@kh06s9>

Is something going on with the list? This is the only message I've received all day.

Ryan

----- Original Message -----
From: "Schiltz Luc"
To:
Sent: Sunday, July 06, 2003 3:24 PM
Subject: 1. Custom Over quota (2)

Hi,

yes on a standard System but in this case it is a Sun/Cobalt RaQXTR Server

any more idea ? there is no warnquota.conf

many thanks

Luc

From danieltan at shopnsave.com.sg Mon Jul 7 04:12:47 2003
From: danieltan at shopnsave.com.sg (Daniel Tan)
Date: Thu Jan 12 21:18:51 2006
Subject: long file names and virus
Message-ID: <002d01c34435$a57b9100$3900a8c0@Daniel>

Hi,

how do i prevent mailscanner from blocking emails with long file names? i need certain emails to pass through according to their long file names or subject names.... another thing...i have f-prot scanning my emails...it was able to detect an email with the fortnight virus but certain emails with that virus is still passing through to other users? why is this so? is there a leak somewhere?

Regards,
Daniel Tan
67469188 Ext.665
DID: 68430665
MIS Department
Shop N Save Pte Ltd
: danieltan@shopnsave.com.sg

[This e-mail is confidential and may also be privileged. If you are not the intended recipient, please delete it and notify us immediately; you should not copy or use it for any purpose, nor disclose its contents to any other person. Thank you.]

From raymond at PROLOCATION.NET Mon Jul 7 07:33:51 2003
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:18:51 2006
Subject: long file names and virus
In-Reply-To: <002d01c34435$a57b9100$3900a8c0@Daniel>
Message-ID:

Hi!

> how do i prevent mailscanner from blocking emails with long file names?
> i need certain emails to pass through according to their long file names or
> subject names.... another thing...i have f-prot scanning my emails...it was

Look in the filename.rules

> able to detect an email with the fortnight virus but certain emails with
> that virus is still passing through to other users? why is this so? is there
> a leak somewhere?

Contact your vendor.

Bye,
Raymond.
From manearter at YAHOO.COM Mon Jul 7 10:53:38 2003 From: manearter at YAHOO.COM (Goga Lee) Date: Thu Jan 12 21:18:52 2006 Subject: Which Filter To Use Message-ID: <20030707095338.39002.qmail@web80602.mail.yahoo.com> All mail filters: 1) MailScanner 2) SpamAssassin & 3) Procmail Seems to be good enough, can anyone advise and suggest the best spam/virus filter of all? Thanks. GogaLee --------------------------------- Do you Yahoo!? SBC Yahoo! DSL - Now only $29.95 per month! -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030707/9bc9bf4f/attachment.html From Kevin.Spicer at BMRB.CO.UK Mon Jul 7 11:23:53 2003 From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin) Date: Thu Jan 12 21:18:52 2006 Subject: Which Filter To Use Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0A4ADB8@pascal.priv.bmrb.co.uk> err. MaiScanner. Did you really expect any other answer on this list? ;) Seriously they all do different things. Procmail provides a means of calling external programs, and of filtering mail into different folders etc. based on regular expressions. It doesn't do any virus/ spam filtering but can call external programs (like SpamAssassin & virus scanners). SpamAssassin provides very good spam filtering based on known spam characteristics and statistical filtering (Bayes) - but doesn't have any anti-virus capability. MailScanner provides an interface to an external virus scanner (or scanners), can integrate spamassassin (very easily!), has its own filename and filetype filters, can filter out certain known exploits, can query RBL lists, etc, etc (RTFWP!) Its also easy to install, and works out the box (i.e. sensible defaults). If you're a tweaker theres an almost limitless number of tweaks you can do, especially given the flexibilty of rulesets and the 'custom config' functions. In short, MailScanner rocks. 
-----Original Message-----
From: Goga Lee [mailto:manearter@YAHOO.COM]
Sent: 07 July 2003 10:54
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Which Filter To Use

All mail filters:
1) MailScanner
2) SpamAssassin &
3) Procmail
Seems to be good enough, can anyone advise and suggest the best spam/virus filter of all?

Thanks.
GogaLee

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030707/024a3c32/attachment.html

From Heinz.Knutzen at DZSH.DE Mon Jul 7 12:01:27 2003
From: Heinz.Knutzen at DZSH.DE (Knutzen, Heinz (DZ-SH))
Date: Thu Jan 12 21:18:52 2006
Subject: enhanced /etc/init.d/MailScanner for SuSE rpm
Message-ID: <6C645222B0A8BC4FBFACD7606D4306A822FF21@dzrz-ex-1.dzsh>

I successfully use MailScanner-4.22-5.suse.tar.gz on a system running SuSE 8.2.

There is a small problem with the "reload" option of the /etc/init.d/MailScanner script:

Currently it calls

killproc -p $mspid -HUP /usr/sbin/MailScanner

This sends a HUP to the parent process which is silently ignored, i.e. "reload" currently does NOTHING.

This should be changed to send HUP signals to all children:

killproc -G -p $mspid -HUP /usr/sbin/MailScanner

From 'man killproc':

-G  Sends the signal to all session followers (children) of the identified process.

Best regards
--
Heinz

From donovan at HUFFDATASYSTEMS.COM Mon Jul 7 12:51:33 2003
From: donovan at HUFFDATASYSTEMS.COM (Donovan Huff | HUFF DATA SYSTEMS)
Date: Thu Jan 12 21:18:52 2006
Subject: CPanel: EXIM + SA + MailScanner, anyone?
Message-ID: <00d801c3447e$1d97c6c0$6f109a3f@x27>

I have a box that uses CPanel and am wondering if anyone has configured a CPanel + EXIM + SA + MailScanner setup? I have MailScanner working on another box (not CPanel), just would like to chat with someone that has set it up already. Please reply on or off list if you like.

Regards,

Donovan Huff
Owner/Operator
HUFF DATA SYSTEMS
donovan@huffdatasystems.com
http://www.huffdatasystems.com/
(361) 781-0631
------------------------------------------------------
Web Hosting Starting at $5.00/mo
http://www.huffdatasystems.com/
------------------------------------------------------
Internet Access Just About Anywhere
http://UnlimitedCheapInternet.com/
------------------------------------------------------

From howard at harper-adams.ac.uk Mon Jul 7 12:54:15 2003
From: howard at harper-adams.ac.uk (Howard Robinson)
Date: Thu Jan 12 21:18:52 2006
Subject: Maillog entry
Message-ID: <200307071152.h67Bqj7W004374@blackhole.harper-adams.ac.uk>

Hello

The following appears a 527 number of times in a 2mb Maillog file. I appreciate it refers to sendmail but what is it telling me? Is it a problem with sendmail or the email it's trying to process. Stuff is coming in and out as normal or at least looks to be. Number in Brackets changes each time by the look of it.

Extract from Maillog begins

Jul 6 04:03:31 blackhole sendmail[4864]: STARTTLS: ClientCertFile missing
Jul 6 04:03:31 blackhole sendmail[4864]: STARTTLS: ClientKeyFile missing
Jul 6 04:03:31 blackhole sendmail[4864]: STARTTLS: ClientCACertPath missing
Jul 6 04:03:31 blackhole sendmail[4864]: STARTTLS: ClientCACertFile missing
Jul 6 04:03:31 blackhole sendmail[4864]: STARTTLS=client, init=1

extract ends

Thanks

Regards

Howard Robinson (Senior Technical Development Officer)
Harper Adams University College
Edgmond
Newport
Shropshire
TF10 8NB
UK
E-mail: hrobinson@harper-adams.ac.uk
Tel. : +44(0)1952 820280 Via switchboard
     : +44(0)1952 815253 Direct line
Fax. : +44(0)1952 814783
College Web site http://www.harper-adams.ac.uk

From john at TRADOC.FR Mon Jul 7 13:04:14 2003
From: john at TRADOC.FR (John Wilcock)
Date: Thu Jan 12 21:18:52 2006
Subject: razor log in postfix deferred directory?
Message-ID:

I've recently added razor2 to my system - seems to be working fine, headers show that it is being called by spamassassin and is detecting spam.

However, I also note that it is creating a log file in /var/spool/postfix.in/deferred/razor-agent.log (which is flagged every time the incoming postfix is reloaded).

I suspect that this is due to razor not reading its config file from /root/.razor/ when called by spamassassin, but I can't work out where it wants the config file to be. The razor manpages talk about /etc/razor/ which did not exist on my system, but putting the files there didn't help.

Postfix is running chrooted (redhat 9 setup) - I've even tried copying the config files to /var/spool/postfix.in/etc/razor/ to no avail. Any ideas, anyone?

John.

-- -- Over 2000 webcams from ski resorts around the world - http://www.snoweye.com/ -- Translate your technical documents and web pages - http://www.tradoc.fr/ From Kevin.Spicer at BMRB.CO.UK Mon Jul 7 13:06:08 2003 From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin) Date: Thu Jan 12 21:18:52 2006 Subject: Maillog entry Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0A4ADBA@pascal.priv.bmrb.co.uk> > Extract from Maillog begins > Jul 6 04:03:31 blackhole sendmail[4864]: > STARTTLS: ClientCertFile missing > Jul 6 04:03:31 blackhole sendmail[4864]: > STARTTLS: ClientKeyFile missing > Jul 6 04:03:31 blackhole sendmail[4864]: > STARTTLS: ClientCACertPath missing > Jul 6 04:03:31 blackhole sendmail[4864]: > STARTTLS: ClientCACertFile missing > Jul 6 04:03:31 blackhole sendmail[4864]: > STARTTLS=client, init=1 > extract ends > I'd guess its telling you that sendmail has been configured to use support SSL/TLS, but none of the necessary supporting files (i.e. the Certificate, key and Certificate authority certs) are present. Look for STARTTLS in /usr/share/sendmail-cf/README (may be elsewhere on your system). BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. From henker at SHCOM.US Mon Jul 7 13:04:10 2003 From: henker at SHCOM.US (Steffan Henke) Date: Thu Jan 12 21:18:52 2006 Subject: CPanel: EXIM + SA + MailScanner, anyone? 
In-Reply-To: <00d801c3447e$1d97c6c0$6f109a3f@x27> References: <00d801c3447e$1d97c6c0$6f109a3f@x27> Message-ID: On Mon, 7 Jul 2003, Donovan Huff | HUFF DATA SYSTEMS wrote: > I have a box that uses CPanel and am wondering if anyone has configured a CPanel + EXIM + SA + MailScanner setup? I have > MailScanner working on another box (not CPanel), just would like to chat with someone that has set it up already. Please reply on > or of list if you like. You may want to have a look at this thread: http://forum.rackshack.net/showthread.php?s=&threadid=23819 Please note that I have absolutely nothing to do with this and am not involved with it in any way. So far, I haven't deployed MailScanner on any cpanel box yet. Nonetheless, cpanel has SpamAssassin integration, users can enable it if they want to. I just fear that every time you run a cpanel upgrade, all your exim modifications will be overwritten. Regards, Steffan From Kevin.Spicer at BMRB.CO.UK Mon Jul 7 13:12:23 2003 From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin) Date: Thu Jan 12 21:18:52 2006 Subject: razor log in postfix deferred directory? Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0EBF6E9@pascal.priv.bmrb.co.uk> > Postfix is running chrooted (redhat 9 setup) - I've even tried copying > the config files to /var/spool/postfix.in/etc/razor/ to no avail. Any > ideas, anyone? > I'd imagine it would be ~postfix/.razor/ (assuming that postfix is the user MailScanner runs as). Have you looked in the razor-agents.log file to see if theres any clues in there? BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. 
BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. From john at TRADOC.FR Mon Jul 7 13:19:55 2003 From: john at TRADOC.FR (John Wilcock) Date: Thu Jan 12 21:18:52 2006 Subject: razor log in postfix deferred directory? In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB0EBF6E9@pascal.priv.bmrb.co.uk> References: <5C0296D26910694BB9A9BBFC577E7AB0EBF6E9@pascal.priv.bmrb.co.uk> Message-ID: On Mon, 7 Jul 2003 13:12:23 +0100, Spicer, Kevin wrote: > I'd imagine it would be ~postfix/.razor/ > (assuming that postfix is the user MailScanner runs as). Have you looked in the razor-agents.log file to see if theres any clues in there? Yes, MailScanner runs as postfix. I've just tried putting the files in /var/spool/postfix.in/.razor/ and reloading - still no change. There's no useful information in the log file unfortunately. John. -- -- Over 2000 webcams from ski resorts around the world - http://www.snoweye.com/ -- Translate your technical documents and web pages - http://www.tradoc.fr/ From Kevin.Spicer at BMRB.CO.UK Mon Jul 7 13:25:21 2003 From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin) Date: Thu Jan 12 21:18:52 2006 Subject: razor log in postfix deferred directory? Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0EBF6EA@pascal.priv.bmrb.co.uk> John Wilcock wrote: > On Mon, 7 Jul 2003 13:12:23 +0100, Spicer, Kevin wrote: >> I'd imagine it would be ~postfix/.razor/ >> (assuming that postfix is the user MailScanner runs as). > Have you looked in the razor-agents.log file to see if theres any > clues in there? > > Yes, MailScanner runs as postfix. I've just tried putting the files in > /var/spool/postfix.in/.razor/ and reloading - still no change. There's > no useful information in the log file unfortunately. > > John. Are you sure that /var/spool/postfix.in is the home directory for the postfix user. 
I'm not running mailscanner with postfix but all the postfix systems I can access have /var/spool/postfix as the home. (maybe grep it out of /etc/passwd). Maybe razor is fussy about permissions or ownership, did you chown all the files? BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. From john at TRADOC.FR Mon Jul 7 13:38:39 2003 From: john at TRADOC.FR (John Wilcock) Date: Thu Jan 12 21:18:52 2006 Subject: razor log in postfix deferred directory? In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB0EBF6EA@pascal.priv.bmrb.co.uk> References: <5C0296D26910694BB9A9BBFC577E7AB0EBF6EA@pascal.priv.bmrb.co.uk> Message-ID: On Mon, 7 Jul 2003 13:25:21 +0100, Spicer, Kevin wrote: > John Wilcock wrote: > > Yes, MailScanner runs as postfix. I've just tried putting the files in > > /var/spool/postfix.in/.razor/ and reloading - still no change. There's > > no useful information in the log file unfortunately. > > Are you sure that /var/spool/postfix.in is the home directory for the > postfix user. I'm not running mailscanner with postfix but all the > postfix systems I can access have /var/spool/postfix as the home. > (maybe grep it out of /etc/passwd). Maybe razor is fussy about > permissions or ownership, did you chown all the files? Thanks - /var/spool/postfix/.razor was indeed what was needed, and chowning everything helped too. John. 
-- -- Over 2000 webcams from ski resorts around the world - http://www.snoweye.com/ -- Translate your technical documents and web pages - http://www.tradoc.fr/ From gerry at dorfam.ca Mon Jul 7 15:16:30 2003 From: gerry at dorfam.ca (Gerry Doris) Date: Thu Jan 12 21:18:52 2006 Subject: Julain on Vacation? Message-ID: <63155.129.80.22.133.1057587390.squirrel@tiger.dorfam.ca> Has Julian left on his vacation yet? I believe he said he was going to be gone all month without access to the list...I wonder if he'll survive? Gerry From Heinz.Knutzen at DZSH.DE Mon Jul 7 15:19:51 2003 From: Heinz.Knutzen at DZSH.DE (Knutzen, Heinz (DZ-SH)) Date: Thu Jan 12 21:18:52 2006 Subject: bug in rule handling of filename rules Message-ID: <6C645222B0A8BC4FBFACD7606D4306A822FF23@dzrz-ex-1.dzsh> There is a bug / problem in rule handling of filename rules. When multiple rules apply to a single message, then ALL filename rule files of all matching rules are concatenated in a RANDOM order. I expected that only the FIRST filename rule would be used or that at least the original order would be preserved if all filename rules are used. This problem occurs in 4.05-3 as well as 4.22-5. You will find a simple patch below. Example: MailScanner.conf: Filename Rules = %rules-dir%/filename.rules filename.rules: to master@test.de /etc/MailScanner/filename-any.rules.conf to *@test.de /etc/MailScanner/filename-secure.rules.conf filename-any.rules.conf: allow . - - filename-secure.rules.conf: allow \.txt$ - - allow \.rtf$ - - allow \.doc$ - - allow \.pdf$ - - allow \.xls$ - - allow \.vcf$ - - allow \.msg$ - - allow \.html?$ - - deny . forbidden by rule forbidden by rule For this example I always thought, only filename rules from filename-any.rules.conf would be applied to messages to master@test.de. But MailScanner did reject e.g. *.zip files to master@test.de. This problem occurred in real life with a real customer. When looking at the source code I found in 1. 
ConfigDefs.pl: [All,File] #FilenameRules /etc/MailScanner/filename.rules.conf FilenameRules i.e. MailScanner reads ALL values it finds for a given message. 2. Config.pm: sub Value { ... # It's an all-matches rule ... map { $matches{$_} = 1; } (split(" ",$value)) ... $results = join(" ", keys %matches); ... } i.e. result values are returned in a random order, since they are read from a hash whereby the original order is lost. I solved this problem by simply changing the "category" of FilenameRules in ConfigDefs.pl from "all-matches" to "first-match". In fact, I changed this for all "File" rules which are FilenameRules and FiletypeRules. To preserve similar problems I would propose to change "sub Value" in Config.pm such that the original order of values remains unchanged. Patch ----- *** ConfigDefs.pl.orig Thu Jul 3 17:37:02 2003 --- ConfigDefs.pl Mon Jul 7 15:14:58 2003 *************** *** 316,322 **** SpamStars 0 no 0 yes 1 UseSpamAssassin 0 no 0 yes 1 ! [All,File] #FilenameRules /etc/MailScanner/filename.rules.conf FilenameRules FiletypeRules --- 316,322 ---- SpamStars 0 no 0 yes 1 UseSpamAssassin 0 no 0 yes 1 ! [First,File] #FilenameRules /etc/MailScanner/filename.rules.conf FilenameRules FiletypeRules Best regards -- Heinz Knutzen Datenzentrale Schleswig-Holstein Altenholzer Str. 10-14, 24161 Altenholz, Germany http://www.dzsh.de/ mailto:heinz.knutzen@dzsh.de Tel: +49.431.3295.6581 Fax: +49.431.3295.410 From ryanb at AACRAO.ORG Mon Jul 7 15:30:38 2003 From: ryanb at AACRAO.ORG (Ryan Bingham) Date: Thu Jan 12 21:18:52 2006 Subject: bug in rule handling of filename rules In-Reply-To: <6C645222B0A8BC4FBFACD7606D4306A822FF23@dzrz-ex-1.dzsh> References: <6C645222B0A8BC4FBFACD7606D4306A822FF23@dzrz-ex-1.dzsh> Message-ID: <3F09840E.7030101@aacrao.org> Knutzen, Heinz (DZ-SH) wrote: > There is a problem in rule handling of filename rules. 
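Review bot: in the ConfigDefs.pl hunk posted by Heinz Knutzen above, replacing the `[All,File]` header with `[First,File]` switches every option listed under it, so FiletypeRules changes behaviour together with FilenameRules, and an existing ruleset that depends on several matching rule files being combined will now silently use only the first match. The unordered `join(" ", keys %matches)` in Config.pm that the message identifies as the cause of the random order is not touched by this patch, so any option left in an all-matches category still loses its order. Suggest either fixing the ordering in sub Value or making first-match a per-site choice, and adding a comment beside the `#FilenameRules` default line so the new semantics are documented.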
> When multiple rules apply to a single message, > then ALL filename rule files of all matching rules > are concatenated in a RANDOM order. I don't think it's a bug. This topic was brought up on the list last week and this was Julian's reply: On July 4, Julian wrote: > The Filename Rules option concatenates all the matching rule results > together, then uses that as the set of allow/deny rules for the attachment > filenames. > > It only uses the "default" setting if none of the other rules match Ryan From Heinz.Knutzen at DZSH.DE Mon Jul 7 15:58:57 2003 From: Heinz.Knutzen at DZSH.DE (Knutzen, Heinz (DZ-SH)) Date: Thu Jan 12 21:18:52 2006 Subject: bug in rule handling of filename rules Message-ID: <6C645222B0A8BC4FBFACD7606D4306A822FF25@dzrz-ex-1.dzsh> OK, Julian described the current implementation. But I think a "first-match" behaviour of filename rules would be much more useful and less surprising than the current "all-matches" behaviour. If it's not a bug I would request a feature to make this configurable. Best regards -- Heinz > -----Original Message----- > From: Ryan Bingham [mailto:ryanb@AACRAO.ORG] > Sent: Monday, July 07, 2003 4:31 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: bug in rule handling of filename rules > > > Knutzen, Heinz (DZ-SH) wrote: > > > There is a problem in rule handling of filename rules. > > When multiple rules apply to a single message, > > then ALL filename rule files of all matching rules > > are concatenated in a RANDOM order. > > I don't think it's a bug. This topic was brought up on the list last > week and this was Julian's reply: > > On July 4, Julian wrote: > > > The Filename Rules option concatenates all the matching > rule results > > together, then uses that as the set of allow/deny rules for the > attachment > > filenames. 
> > > > It only uses the "default" setting if none of the other rules match > > Ryan > > -- > This mail was automatically scanned for viruses and dangerous content by > Datenzentrale Schleswig-Holstein. > > From SJCJonker at SJC.NL Mon Jul 7 16:00:23 2003 From: SJCJonker at SJC.NL (Stijn Jonker) Date: Thu Jan 12 21:18:52 2006 Subject: Which Filter To Use In-Reply-To: <20030707095338.39002.qmail@web80602.mail.yahoo.com> References: <20030707095338.39002.qmail@web80602.mail.yahoo.com> Message-ID: Hmm, Is this meant to be funny ;-)) What about all three? First of all MailScanner with SpamAssassin included, with of course razor2 && dcc. Secondly a nice long procmailrc, which among other things filters all medium level spam to a separate mailbox ;-))... And if you really want to get a good opinion on the MAILSCANNER mailing list what about rephrasing your question a bit more specific. On Mon, 7 Jul 2003, Goga Lee wrote: > All mail filters: > > 1) MailScanner > 2) SpamAssassin & > 3) Procmail -- Met Vriendelijke groet/Yours Sincerely Stijn Jonker 
From dgeorgiades at POWERENG.COM Mon Jul 7 16:08:02 2003 From: dgeorgiades at POWERENG.COM (Derrick Georgiades) Date: Thu Jan 12 21:18:52 2006 Subject: File locking / directory problem Message-ID: I am receiving the following messages on all emails in my maillog: Jul 7 08:01:20 mx.mydomain.com MailScanner[19668]: Cannot create + lock headers file /queue/MailScanner/incoming/19668/h67E1I79019675.header, Also I am getting these errors to my system messages log: Jul 7 06:56:57 mx.mydomain.com /usr/lib/nfs/lockd[193]: [ID 396295 daemon.error] t_accept( file descriptor 5/transport tcp) TLI error 7 Jul 7 08:05:16 mx.mydomain.com MailScanner[19986]: Cannot mkdir /queue/MailScanner/incoming/19986/h67E4g7K019935, No such file or directory I am running MS ver 3.22-14 on Solaris 9. MS has been running great for months until now. The only change to the server prior to this error was that another NIC interface was brought online. If I su to my smmsp user that sendmail and mailscanner runs as I can create files and directories in the incoming queue for MS. It doesn't appear to be a permissions issue. Does anyone know what an error 7 is for the lockd daemon? Strangely I can still pass mail, but these errors seem like it shouldn't. Any help would be greatly appreciated. Thanks Derrick Georgiades POWER Engineers, Inc. From Kevin.Spicer at BMRB.CO.UK Mon Jul 7 16:48:32 2003 From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin) Date: Thu Jan 12 21:18:52 2006 Subject: File locking / directory problem Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0A4ADBB@pascal.priv.bmrb.co.uk> > I am running MS ver 3.22-14 on Solaris 9. You really should get round to upgrading that, the latest versions are so much better. I'd hazard a guess that the MailScanner problem may not be related to the lockd problem as they occurred over an hour apart. BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 From Kevin_Miller at CI.JUNEAU.AK.US Mon Jul 7 17:29:33 2003 From: Kevin_Miller at CI.JUNEAU.AK.US (Kevin Miller) Date: Thu Jan 12 21:18:52 2006 Subject: Whitelist not working... 
Message-ID: <08146035CA49D6119A36009027AC822A0264E485@CITY-EXCH-NTS> What address does the whitelist use to permit ham through? This is a snippet from my whitelist: /etc/MailScanner/rules/spam.whitelist.rules From: *@alaskaair.com yes FromOrTo: default no so I should be allowing mail from alaskaair.com through, but it's getting forwarded to the quarantine account. Here's the headers from one of them: ============================================================================ =========== Received: from mis-mxg-lnx.ci.juneau.ak.us ([199.58.55.24]) by city-exch-nts.ci.juneau.ak.us with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2653.13) id 33XHQDJK; Mon, 7 Jul 2003 07:16:57 -0800 Received: from airemote3.aif1.com (airemote3.aif1.com [208.45.250.253]) by mis-mxg-lnx.ci.juneau.ak.us (8.12.3/8.12.3/SuSE Linux 0.6) with SMTP id h67FFrwu020123 for ; Mon, 7 Jul 2003 07:16:50 -0800 Message-Id: <200307071516.h67FFrwu020123@mis-mxg-lnx.ci.juneau.ak.us> Received: from aiappprd1 (localhost) by aiappprd1.adinfonitum.com (LSMTP for Windows NT v1.1b) with SMTP id <0.00040C88@aiappprd1.adinfonitum.com>; 6 Jul 2003 20:51:40 -0700 To: someone@ci.juneau.ak.us From: "alaskaair.com Newsletter" Date: Mon, 07 Jul 2003 08:01:00 -0800 Subject: {Spam?} Fly 3, Get 1 Free and Online Reservations Change Reply-To: alaskaair@mailserv.directserv.com Keywords: JOB_ID=1606|EMAIL_ID=01503413|GUID=17EDCD807EC711D5B66900D0B77540BD X-JOB_ID: 1606 X-GUID: 17EDCD807EC711D5B66900D0B77540BD X-PARTY_ID: 00040089 X-EMAIL_ADDRESS_ID: 01503413 MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="_----=_NextPart_000_001__21409945_61783.93" X-MailScanner-Information: For more information see www . mailscanner . 
info X-CBJ-MailScanner: Found to be clean X-CBJ-MailScanner-SpamCheck: spam, SpamAssassin (score=7.2, required 5, CLICK_BELOW, DEAR_SOMETHING, HTML_40_50, HTML_LINK_CLICK_HERE, HTML_WEB_BUGS, MIME_BOUND_NEXTPART, MIME_DEFICIENT_QP, MSG_ID_ADDED_BY_MTA_2, NORMAL_HTTP_TO_IP) X-CBJ-MailScanner-SpamScore: sssssss ============================================================================ =========== The from line says alaskaair.com, but the reply to is mailserv.directserv.com, and the sending host was actually aiappprd1.adinfonitum.com (although the sendmail headers indicated it connected as airemote3.aif1.com) so what domain do I want to whitelist? I'm leaning toward airemote3.aif1.com, but am concerned that next month they'll be routed via airemote2.aif1.com or some other such nonsense. Can I put an entry like this in the whitelist: From: *@*.airemote1.com yes Other whitelists are working as advertised. TIA... ...Kevin ------------------- Kevin Miller Registered Linux User No: 307357 CBJ MIS Dept. Network Systems Administrator, Mail Administrator 155 South Seward Street ph: (907) 586-0242 Juneau, Alaska 99801 fax: (907 586-4500 From Antony at SOFT-SOLUTIONS.CO.UK Mon Jul 7 17:39:29 2003 From: Antony at SOFT-SOLUTIONS.CO.UK (Antony Stone) Date: Thu Jan 12 21:18:52 2006 Subject: Whitelist not working... In-Reply-To: <08146035CA49D6119A36009027AC822A0264E485@CITY-EXCH-NTS> References: <08146035CA49D6119A36009027AC822A0264E485@CITY-EXCH-NTS> Message-ID: <200307071639.h67GdXK27260@Primary.networker.test> On Monday 07 July 2003 5:29 pm, Kevin Miller wrote: > What address does the whitelist use to permit ham through? > > This is a snippet from my whitelist: > /etc/MailScanner/rules/spam.whitelist.rules > From: *@alaskaair.com yes > FromOrTo: default no > > so I should be allowing mail from alaskaair.com through, but it's getting > forwarded to the quarantine account. 
Here's the headers from one of them: (headers snipped) > The from line says alaskaair.com, but the reply to is > mailserv.directserv.com, and the sending host was actually > aiappprd1.adinfonitum.com (although the sendmail headers indicated it > connected as airemote3.aif1.com) so what domain do I want to whitelist? MailScanner goes by the envelope addresses in the SMTP connection (MAIL FROM: and RCPT TO:), not by anything in the headers of the email itself. You need to find out what the sending server says after MAIL FROM: and then use that in your whitelist. Regards, Antony. -- How I want a drink, alcoholic of course, after the heavy chapters involving quantum mechanics. - 3.14159265358979 From kevins at BMRB.CO.UK Mon Jul 7 17:56:28 2003 From: kevins at BMRB.CO.UK (Kevin Spicer) Date: Thu Jan 12 21:18:52 2006 Subject: Whitelist not working... In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB001175D02@pascal.priv.bmrb.co.uk> References: <5C0296D26910694BB9A9BBFC577E7AB001175D02@pascal.priv.bmrb.co.uk> Message-ID: <1057596992.26531.1.camel@bach.kevinspicer.co.uk> >You need to find out what the sending server says after MAIL FROM: and >then >use that in your whitelist. You may well be able to find this by grepping your mail logs for the sendmail messageid BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. 
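The log lookup suggested in the replies above, as an added example that is not part of any poster's message or of MailScanner: it pulls the envelope sender (`from=`) and the connecting relay out of sendmail log lines and tests whitelist patterns against the envelope sender instead of the `From:` header. The log lines are constructed (the envelope address and the second message are placeholders), and `whitelist_decision` is a simplified glob match assumed for illustration, not MailScanner's ruleset code.

```python
import fnmatch
import re

# Constructed sample in sendmail's syslog format. The queue ID, Message-Id and
# relay host of the first message are the ones quoted in the thread; its
# envelope sender is a placeholder, since the thread never shows the real
# MAIL FROM value. The second message is entirely made up (a bounce).
SAMPLE_LOG = "\n".join([
    "Jul  7 07:16:50 mis-mxg-lnx sendmail[20123]: h67FFrwu020123: "
    "from=<bounce-01503413@mailer.example>, size=18231, class=0, nrcpts=1, "
    "msgid=<200307071516.h67FFrwu020123@mis-mxg-lnx.ci.juneau.ak.us>, "
    "proto=SMTP, daemon=MTA, relay=airemote3.aif1.com [208.45.250.253]",
    "Jul  7 07:16:57 mis-mxg-lnx sendmail[20140]: h67FFrwu020123: "
    "to=<someone@ci.juneau.ak.us>, delay=00:00:07, mailer=esmtp, stat=Sent",
    "Jul  7 07:17:02 mis-mxg-lnx sendmail[20155]: h67FGxwu020150: "
    "from=<>, size=2101, class=0, nrcpts=1, proto=SMTP, daemon=MTA, "
    "relay=mx.other.example [192.0.2.10]",
])

LINE_RE = re.compile(r"sendmail\[\d+\]: (?P<qid>[A-Za-z0-9]+): (?P<fields>.*)$")
# sendmail logs the envelope sender as from=<addr>; locally submitted mail may
# appear without angle brackets, and a bounce has the null sender from=<>.
FROM_RE = re.compile(r"(?:^|, )from=(?:<(?P<angle>[^>]*)>|(?P<bare>[^,]+))")
RELAY_RE = re.compile(r"(?:^|, )relay=(?P<relay>[^,]+)")
MSGID_RE = re.compile(r"(?:^|, )msgid=<(?P<msgid>[^>]*)>")


def envelope_senders(log_text):
    """Map queue ID -> envelope sender, relay and Message-Id from 'from=' lines."""
    result = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        fields = m.group("fields")
        f = FROM_RE.search(fields)
        if not f:
            continue  # "to=" delivery lines carry no envelope sender
        sender = f.group("angle") if f.group("angle") is not None else f.group("bare")
        relay = RELAY_RE.search(fields)
        msgid = MSGID_RE.search(fields)
        result[m.group("qid")] = {
            "sender": sender.strip().lower(),
            "relay": relay.group("relay").strip() if relay else None,
            "msgid": msgid.group("msgid") if msgid else None,
        }
    return result


def queue_id_for_msgid(log_text, msgid):
    """Find the queue ID whose 'from=' line logged this Message-Id (no brackets)."""
    for qid, rec in envelope_senders(log_text).items():
        if rec["msgid"] == msgid:
            return qid
    return None


def whitelist_decision(rules, envelope_sender, default="no"):
    """First matching (pattern, value) pair wins; simplified glob matching."""
    addr = envelope_sender.lower()
    for pattern, value in rules:
        if fnmatch.fnmatchcase(addr, pattern.lower()):
            return value
    return default


if __name__ == "__main__":
    rules = [("*@alaskaair.com", "yes")]  # the rule from the question
    for qid, rec in envelope_senders(SAMPLE_LOG).items():
        shown = rec["sender"] or "<> (null sender)"
        print(qid, shown, "relay:", rec["relay"],
              "whitelisted:", whitelist_decision(rules, rec["sender"]))
```

The `relay=` value is the connecting host, not an address, so it is reported separately and never fed to the address patterns.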
From Kevin_Miller at CI.JUNEAU.AK.US Mon Jul 7 18:27:30 2003 From: Kevin_Miller at CI.JUNEAU.AK.US (Kevin Miller) Date: Thu Jan 12 21:18:52 2006 Subject: Whitelist not working... Message-ID: <08146035CA49D6119A36009027AC822A0264E487@CITY-EXCH-NTS> >-----Original Message----- > >MailScanner goes by the envelope addresses in the SMTP >connection (MAIL FROM: >and RCPT TO:), not by anything in the headers of the email itself. > >You need to find out what the sending server says after MAIL >FROM: and then use that in your whitelist. Thanks Anthony, et. al., The sendmail log shows it connected as airemote3.aif1.com, so I'll add that & see what happens. Still not sure if I can wildcard the domain, but if the host doesn't change from month to month I guess it doesn't matter... ...Kevin ------------------- Kevin Miller Registered Linux User No: 307357 CBJ MIS Dept. Network Systems Administrator, Mail Administrator 155 South Seward Street ph: (907) 586-0242 Juneau, Alaska 99801 fax: (907 586-4500 From Antony at SOFT-SOLUTIONS.CO.UK Mon Jul 7 18:37:35 2003 From: Antony at SOFT-SOLUTIONS.CO.UK (Antony Stone) Date: Thu Jan 12 21:18:52 2006 Subject: Whitelist not working... In-Reply-To: <08146035CA49D6119A36009027AC822A0264E487@CITY-EXCH-NTS> References: <08146035CA49D6119A36009027AC822A0264E487@CITY-EXCH-NTS> Message-ID: <200307071737.h67HbdK00864@Primary.networker.test> On Monday 07 July 2003 6:27 pm, Kevin Miller wrote: > Thanks Antony, et. al., > > The sendmail log shows it connected as airemote3.aif1.com, so I'll add that > & see what happens. Still not sure if I can wildcard the domain, but if > the host doesn't change from month to month I guess it doesn't matter... I would *guess* that if they connected as airemote3.aif1.com this time, you should expect to get mails from airemote1.aif1.com and airemote2.aif1.com as well (assuming they're all outgoing mailservers...) 
I just did a quick dig at their nameserver, and they don't have a 0 and they don't have a 4, so these are the only machines you should need to think about... I could be completely wrong, and the particular newsletters you're interested in might always come from the same machine, but a match of airemote?.aif1.com might be what you want.... Regards, Antony. -- In science, one tries to tell people in such a way as to be understood by everyone something that no-one ever knew before. In poetry, it is the exact opposite. - Paul Dirac From webmaster at ORBITEL.COM Tue Jul 8 07:14:45 2003 From: webmaster at ORBITEL.COM (Orbitel Webmaster) Date: Thu Jan 12 21:18:52 2006 Subject: Sophos Installation issues w/ mailscanner Message-ID: <200307071743.MAA31854@mail.int.orbitel.com> History: I just installed the current version of mailscanner and sophos 3.71. Sophos was installed by running /usr/sbin/Sophos.install. Sophos installs fine and the script does not complain about any errors except an unzipping the update files failed bad file descriptor error. Problem: When I run /usr/lib/MailScanner/sohpos-wrapper test file I receive Error initializing detection engine - missing main virus data Additionally, when I run sophos-update I receive: Unzipping the new Sophos IDE files failed. This may well be because your Sophos installation is too old. Please install the latest release of SophosUnzip failed with error return 16777215 , Bad file descriptor at ./sophos-autoupdate line 94. I can, however, get sophos-wrapper to run by commenting out the EXPORT sav_ide line. The files appear to be linked correctly. I added the necessary library paths to /etc/ld.so.conf and added the paths to /etc/profile per the installation scripts instructions. Sweep runs fine on its own. Thank you! 
Hopefully some of the following helps: [root@webmail MailScanner]# ls -l /usr/local/Sophos/ total 12 drwxr-xr-x 2 root root 4096 Jul 8 01:00 bin drwxr-xr-x 2 root root 4096 Jul 8 01:00 lib drwxr-xr-x 4 root root 4096 Jul 7 23:57 man [root@webmail MailScanner]# ls -l /usr/local/Sophos/bin total 128 -rwxr-xr-x 1 root root 123084 Jul 8 01:00 sweep [root@webmail MailScanner]# ls -l /usr/local/Sophos/lib total 5676 lrwxrwxrwx 1 root root 12 Jul 8 01:00 libsavi.so -> libsavi.so.3 lrwxrwxrwx 1 root root 21 Jul 8 01:00 libsavi.so.2 - > libsavi.so.3.2.05.034 lrwxrwxrwx 1 root root 21 Jul 8 01:00 libsavi.so.3 - > libsavi.so.3.2.05.034 -r-xr-xr-x 1 bin bin 1002996 Jul 8 01:00 libsavi.so.3.2.05.034 -rw-r--r-- 1 bin bin 443637 Jul 8 01:00 vdl01.vdb -rw-r--r-- 1 bin bin 401446 Jul 8 01:00 vdl02.vdb -rw-r--r-- 1 bin bin 389383 Jul 8 01:00 vdl03.vdb -rw-r--r-- 1 bin bin 439542 Jul 8 01:00 vdl04.vdb -rw-r--r-- 1 bin bin 459468 Jul 8 01:00 vdl05.vdb -rw-r--r-- 1 bin bin 376402 Jul 8 01:00 vdl06.vdb -rw-r--r-- 1 bin bin 374881 Jul 8 01:00 vdl07.vdb -rw-r--r-- 1 bin bin 344925 Jul 8 01:00 vdl08.vdb -rw-r--r-- 1 bin bin 258931 Jul 8 01:00 vdl09.vdb -rw-r--r-- 1 bin bin 370090 Jul 8 01:00 vdl10.vdb -rw-r--r-- 1 bin bin 474813 Jul 8 01:00 vdl11.vdb -rw-r--r-- 1 bin bin 392158 Jul 8 01:00 vdl-3.71.dat lrwxrwxrwx 1 root root 12 Jul 8 01:00 vdl.dat -> vdl-3.71.dat [root@webmail MailScanner]# ls -l /usr/lib/MailScanner/ total 144 -rwxr-xr-x 1 root root 3693 Jul 1 12:14 sophos- autoupdate -r-xr-xr-x 1 root root 1504 Jul 8 01:04 sophos-wrapper [root@webmail MailScanner]# cat /usr/lib/MailScanner/sophos-wrapper # # JKF Wrapper Sophos programs with the correct LD_LIBRARY_PATH # Modified for solaris by CJG # Then tweaked for heron by JKF again PackageDir=/usr/local/Sophos prog=sweep # `basename $0` SAV_IDE=$PackageDir/ide LD_LIBRARY_PATH=$PackageDir/lib export SAV_IDE export LD_LIBRARY_PATH if [ "x$1" = "x-IsItInstalled" ]; then [ -x ${PackageDir}/bin/$prog ] && exit 0 exit 1 fi exec 
${PackageDir}/bin/$prog "$@" [root@webmail MailScanner]# [root@webmail MailScanner]# /usr/lib/MailScanner/sophos-wrapper Error initialising detection engine - missing main virus data [root@webmail MailScanner]# /usr/lib/MailScanner/sophos-autoupdate Unzipping the new Sophos IDE files failed. This may well be because your Sophos installation is too old. Please install the latest release of SophosUnzip failed with error return 16777215 , Bad file descriptor at /usr/lib/MailScanner/sophos-autoupdate line 94. [root@webmail MailScanner]# cat /etc/ld.so.conf /usr/kerberos/lib /usr/X11R6/lib /usr/local/Sophos/lib [root@webmail MailScanner]# cat /etc/profile | grep Soph PATH=/usr/local/Sophos/bin:$PATH [root@webmail MailScanner]# It's a redhat linux box. > From dh at UPTIME.AT Mon Jul 7 18:58:24 2003 From: dh at UPTIME.AT (David) Date: Thu Jan 12 21:18:52 2006 Subject: Sophos Installation issues w/ mailscanner In-Reply-To: <200307071743.MAA31854@mail.int.orbitel.com> Message-ID: <9A703FFC-B0A4-11D7-85FE-000393920D6C@uptime.at> On Tuesday, July 8, 2003, at 08:14, Orbitel Webmaster wrote: > History: I just installed the current version of mailscanner and > sophos 3.71. Sophos was installed by > running /usr/sbin/Sophos.install. Sophos installs fine and the > script does not complain about any errors except an unzipping the > update files failed bad file descriptor error. > > Problem: When I run /usr/lib/MailScanner/sohpos-wrapper test file I > receive Error initializing detection engine - missing main virus data > > Is unzip installed? -d > -- nee amata wo mitsukete soshite midoto wasrezu domma mi mumega itakutemo soba mi iru mo zutto...zutto...zutto 
From webmaster at ORBITEL.COM Tue Jul 8 07:36:50 2003 From: webmaster at ORBITEL.COM (Orbitel Webmaster) Date: Thu Jan 12 21:18:52 2006 Subject: Sophos Installation issues w/ mailscanner Message-ID: <200307071805.NAA32396@mail.int.orbitel.com> Thank you, that was the problem. Initially unzip wasn't installed so I went ahead and installed it but mistakenly placed it in /usr/local/bin. It appears the script calls it from /usr/bin so I moved it to that location. Perhaps a check should be added to the Sophos.install script to check for unzip around the same time it checks for your path statements. Thank you David! -------- Original Message -------- ==> From: David ==> Date: Mon, 7 Jul 2003 19:58:24 0200 On Tuesday, July 8, 2003, at 08:14, Orbitel Webmaster wrote: > History: I just installed the current version of mailscanner and > sophos 3.71. Sophos was installed by > running /usr/sbin/Sophos.install. Sophos installs fine and the > script does not complain about any errors except an unzipping the > update files failed bad file descriptor error. > > Problem: When I run /usr/lib/MailScanner/sohpos-wrapper test file I > receive Error initializing detection engine - missing main virus data > > Is unzip installed? -d > -- nee amata wo mitsukete soshite midoto wasrezu domma mi mumega itakutemo soba mi iru mo zutto...zutto...zutto From lance at WARE.NET Mon Jul 7 20:46:40 2003 From: lance at WARE.NET (Lance Ware) Date: Thu Jan 12 21:18:52 2006 Subject: Problems with F-Prot and Silent Virus Deletion Message-ID: <9F214F8D10934845A3664A21425C79FC754CCC@dhcp5.ware.net> Hi Folks, My silent virus deletion doesn't seem to be working. I've tried a variety of config in MailScanner.conf, but still no luck. 
Here's what F-Prot is showing the Virus as (I've tried W32/Sobig.E@mm, Sobig.E, W32/Sobig.E and others in the config).

Jul 7 12:41:06 antispam MailScanner[10971]: Virus Scanning: F-Prot found virus W32/Sobig.E@mm

Any tips?

Thanks,

Lance

From lance at WARE.NET Mon Jul 7 20:48:05 2003
From: lance at WARE.NET (Lance Ware)
Date: Thu Jan 12 21:18:52 2006
Subject: Problems with F-Prot and Silent Virus Deletion
Message-ID: <9F214F8D10934845A3664A21425C79FC754CCD@dhcp5.ware.net>

Disregard - somehow I had still deliver turned on.

Sorry for the noise.

-----Original Message-----
From: Lance Ware
Sent: Monday, July 07, 2003 12:47 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Problems with F-Prot and Silent Virus Deletion

Hi Folks,

My silent virus deletion doesn't seem to be working. I've tried a variety of config in MailScanner.conf, but still no luck.

Here's what F-Prot is showing the Virus as (I've tried W32/Sobig.E@mm, Sobig.E, W32/Sobig.E and others in the config).

Jul 7 12:41:06 antispam MailScanner[10971]: Virus Scanning: F-Prot found virus W32/Sobig.E@mm

Any tips?

Thanks,

Lance

From raymond at PROLOCATION.NET Mon Jul 7 20:54:12 2003
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:18:52 2006
Subject: Problems with F-Prot and Silent Virus Deletion
In-Reply-To: <9F214F8D10934845A3664A21425C79FC754CCC@dhcp5.ware.net>
Message-ID:

Hi!

> Here's what F-Prot is showing the Virus as (I've tried W32/Sobig.E@mm,
> Sobig.E, W32/Sobig.E and others in the config).
>
> Jul 7 12:41:06 antispam MailScanner[10971]: Virus Scanning: F-Prot
> found virus W32/Sobig.E@mm

F-prot will ALWAYS warn you about the virus, the part that's silent is the delivery! If you properly add it in your config it will not send the mail to the rcpt and send no warning to the sender either.

So what you describe above sounds normal to me. Check your maillog if there's any delivery ...

Bye,
Raymond.

From raymond at PROLOCATION.NET Mon Jul 7 20:55:28 2003
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:18:52 2006
Subject: Problems with F-Prot and Silent Virus Deletion
In-Reply-To: <9F214F8D10934845A3664A21425C79FC754CCD@dhcp5.ware.net>
Message-ID:

Hi!

> Disregard - somehow I had still deliver turned on.
> Sorry for the noise.

=)

> Here's what F-Prot is showing the Virus as (I've tried W32/Sobig.E@mm,
> Sobig.E, W32/Sobig.E and others in the config).

This can be matched by just adding: Sobig

Bye,
Raymond.

From jaearick at COLBY.EDU Mon Jul 7 21:06:08 2003
From: jaearick at COLBY.EDU (Jeff A. Earickson)
Date: Thu Jan 12 21:18:52 2006
Subject: Spam Actions attachment mode and bayes learn
Message-ID:

Gang,

I just upgraded from 4.21-9 to 4.22-5, and in the process I changed from "Spam Actions = deliver" to "Spam Actions = attachment". Will this break my bayes learning on collected spam? It seems like it would at first thought, or (worse) train the bayes engine to view any attachment as spam!! Yikes! Any thoughts on the interaction between this spam action and the bayes learning engine?

Has Julian fled the jurisdiction yet? Time to call the Mounties for help?

--- Jeff Earickson

From raymond at PROLOCATION.NET Mon Jul 7 21:10:49 2003
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:18:52 2006
Subject: Spam Actions attachment mode and bayes learn
In-Reply-To:
Message-ID:

Hi!

> I just upgraded from 4.21-9 to 4.22-5, and in the process I changed
> from "Spam Actions = deliver" to "Spam Actions = attachment".
Will
> this break my bayes learning on collected spam? It seems like it
> would at first thought, or (worse) train the bayes engine to view any
> attachment as spam!! Yikes! Any thoughts on the interaction between
> this spam action and the bayes learning engine?

Don't think so, it's only the method that changed, as far as I can see you don't change anything in the rest of the process. Or did you use the new settings for SA perhaps so your bayesdb is located elsewhere now ?

Bye,
Raymond.

From kevins at BMRB.CO.UK Mon Jul 7 21:33:36 2003
From: kevins at BMRB.CO.UK (Kevin Spicer)
Date: Thu Jan 12 21:18:52 2006
Subject: Spam Actions attachment mode and bayes learn
In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB001175D0D@pascal.priv.bmrb.co.uk>
References: <5C0296D26910694BB9A9BBFC577E7AB001175D0D@pascal.priv.bmrb.co.uk>
Message-ID: <1057610017.26531.20.camel@bach.kevinspicer.co.uk>

> I just upgraded from 4.21-9 to 4.22-5, and in the process I changed
>from "Spam Actions = deliver" to "Spam Actions = attachment".

You need to set

Spam Actions = attachment deliver

or the message will be turned into an attachment but not delivered (I found that out the hard way)

> Will this break my bayes learning on collected spam?

If you're talking about the 'auto' Bayes learning which takes place during the spamassassin spam the answer is no. MailScanner can't know the message is spam until it's done the spam checks, therefore the conversion to an attachment must take place later in the processing.

If you're talking about feeding false positives back into the system (maybe through a falsespam mailbox or something similar) the answer is maybe. Problem is that sa-learn uses the messageid to unlearn wrongly learned spam, Julian has managed to preserve the messageid, so...

If the message was high enough scoring for Bayes to auto-learn it then it will just relearn the tokens identified previously from the messageid, but...
If the message was not learned previously (moderate scoring spam, which most false positives will be) then it will need to tokenise it and may get misled by the attachment.

At least that's how I think it works! (my understanding based on SA docs rather than the actual code)

The good news is that there is a script to extract an rfc822 attachment from a message. I'm using it in a procmail recipe which extracts the attachment from the mail and stores it in a file ready for my sa-learn cron job (which has to run as the mailscanner user not the user who owns the falsespam mailbox). That script can be found here... http://jmason.org/software/scripts/extract-rfc822-attachment.txt

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000
_________________________________________________________________
This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business.

From webmaster at ORBITEL.COM Tue Jul 8 10:10:28 2003
From: webmaster at ORBITEL.COM (Orbitel Webmaster)
Date: Thu Jan 12 21:18:52 2006
Subject: Mailscanner server becoming unresponsive, high disk activitity
Message-ID: <200307072038.PAA03432@mail.int.orbitel.com>

If I start mailscanner on my server it freezes the whole box within 2 hours. When it freezes disk activity goes non-stop until I hit the reset key.

This is without load, or a very small load, going through mailscanner. If I turn off the mailscanner service the problem disappears.

Any advice?
From mikea at MIKEA.ATH.CX Mon Jul 7 21:42:32 2003
From: mikea at MIKEA.ATH.CX (mikea)
Date: Thu Jan 12 21:18:52 2006
Subject: Mailscanner server becoming unresponsive, high disk activitity
In-Reply-To: <200307072038.PAA03432@mail.int.orbitel.com>; from webmaster@ORBITEL.COM on Tue, Jul 08, 2003 at 04:10:28AM -0500
References: <200307072038.PAA03432@mail.int.orbitel.com>
Message-ID: <20030707154232.B16559@mikea.ath.cx>

On Tue, Jul 08, 2003 at 04:10:28AM -0500, Orbitel Webmaster wrote:
> If I start mailscanner on my server it freezes the whole box within 2
> hours. When it freezes disk activity goes non-stop until I hit the
> reset key.
>
> This is without load, or a very small load, going through
> mailscanner. If I turn off the mailscanner service the problem
> disappears.
>
> Any advice?

How much Ram?
How much swap?
What OS?
What speed CPU?

It *sounds* as though you're running on a box with about 25% to 50% of the RAM it needs. I know all about that; that's why I went from a 200MHz box with 64 MBytes to a 433MHz box with 384 MBytes. Now I don't see swapping at all.

--
Mike Andrews
mikea@mikea.ath.cx
Tired old sysadmin since 1964

From raymond at PROLOCATION.NET Mon Jul 7 21:44:04 2003
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:18:52 2006
Subject: Mailscanner server becoming unresponsive, high disk activitity
In-Reply-To: <200307072038.PAA03432@mail.int.orbitel.com>
Message-ID:

Hi!

> If I start mailscanner on my server it freezes the whole box within 2
> hours. When it freezes disk activity goes non-stop until I hit the
> reset key.
>
> This is without load, or a very small load, going through
> mailscanner. If I turn off the mailscanner service the problem
> disappears.

What amount of RAM do you have in the box ? Please give us some more details. Is your system using any swap at that moment ? What OS are you running anyway ?

Type: free

To show your RAM usage, and paste also the output of 'top'

Bye,
Raymond.
From webmaster at ORBITEL.COM Tue Jul 8 10:22:48 2003
From: webmaster at ORBITEL.COM (Orbitel Webmaster)
Date: Thu Jan 12 21:18:52 2006
Subject: Mailscanner server becoming unresponsive, high disk activitity
Message-ID: <200307072050.PAA03683@mail.int.orbitel.com>

-------- Original Message --------

==> From: mikea
==> Date: Mon, 7 Jul 2003 15:42:32 -0500

On Tue, Jul 08, 2003 at 04:10:28AM -0500, Orbitel Webmaster wrote:
> If I start mailscanner on my server it freezes the whole box within 2
> hours. When it freezes disk activity goes non-stop until I hit the
> reset key.
>
> This is without load, or a very small load, going through
> mailscanner. If I turn off the mailscanner service the problem
> disappears.
>
> Any advice?

How much Ram?
128
How much swap?
64 meg partition -- but it's not allocated and that's too little. This is most likely the problem. I'll dump a gig of ram in the machine (it's pc133 and just laying around anyways) and fix the swap problem.
What OS? redhat 8.0? 7.2?
What speed CPU?
p-3 700

thank you -- I feel embarrassed.

It *sounds* as though you're running on a box with about 25% to 50% of the RAM it needs. I know all about that; that's why I went from a 200MHz box with 64 MBytes to a 433MHz box with 384 MBytes. Now I don't see swapping at all.
--
Mike Andrews
mikea@mikea.ath.cx
Tired old sysadmin since 1964

From mikea at MIKEA.ATH.CX Mon Jul 7 21:55:34 2003
From: mikea at MIKEA.ATH.CX (mikea)
Date: Thu Jan 12 21:18:52 2006
Subject: Mailscanner server becoming unresponsive, high disk activitity
In-Reply-To: <200307072050.PAA03683@mail.int.orbitel.com>; from webmaster@ORBITEL.COM on Tue, Jul 08, 2003 at 04:22:48AM -0500
References: <200307072050.PAA03683@mail.int.orbitel.com>
Message-ID: <20030707155534.A16673@mikea.ath.cx>

On Tue, Jul 08, 2003 at 04:22:48AM -0500, Orbitel Webmaster wrote:
> -------- Original Message --------
>
> ==> From: mikea
> ==> Date: Mon, 7 Jul 2003 15:42:32 -0500
>
> On Tue, Jul 08, 2003 at 04:10:28AM -0500, Orbitel Webmaster wrote:
> > If I start mailscanner on my server it freezes the whole box within 2
> > hours. When it freezes disk activity goes non-stop until I hit the
> > reset key.
> > This is without load, or a very small load, going
> through
> mailscanner. If I turn off the mailscanner service the
> problem
> disappears.
>
> Any advice?
>
> How much Ram?
> 128
> How much swap?
> 64 meg partition -- but it's not allocated and that's too little.
> This is most likely the problem. I'll dump a gig of ram in the machine
> (it's pc133 and just laying around anyways) and fix the swap problem.
> What OS? redhat 8.0? 7.2?
> What speed CPU?
> p-3 700
>
> thank you -- I feel embarrassed.

Well, as I wrote in my initial response, I started off with a really runty box, which came off the to-surplus pallet. It sort-of-worked for a while, but then the load just got to be too much. It appears that I'm not alone.

It's the RAM that's the key here; a 200 MHz or so PeeCee should be able to keep up with my load (about 5K mails/day inbound), though not necessarily with any other site's load.

--
Mike Andrews
mikea@mikea.ath.cx
Tired old sysadmin since 1964

From cparker at SWATGEAR.COM Mon Jul 7 22:10:48 2003
From: cparker at SWATGEAR.COM (Chris W. Parker)
Date: Thu Jan 12 21:18:52 2006
Subject: Mailscanner server becoming unresponsive, high disk activitity
Message-ID: <001BD19C96E6E64E8750D72C2EA0ECEE1AE103@ati-ex-01.ati.local>

Orbitel Webmaster wrote:

> This is without load, or a very small load, going through
> mailscanner. If I turn off the mailscanner service the problem
> disappears.
>
> Any advice?

Try reducing the child processes from the default of 5 to 1 or 2. I had this same problem (although a little less severe than you describe it) and my problem went away without any hardware mods once I reduced the child processes.

The child processes setting can be found in /etc/MailScanner/MailScanner.conf

The child processes is determined by how many mails you receive in one day and how much ram you have. If you receive a low amount of mails like us (700-800 inbound/day) you'd probably do fine with 1 child process (like me). Even if you have lots of ram (I only have 64) there's no need to add child processes since they will never get used. You'll only waste memory because some of the child processes will just be sitting around waiting for mail to process but they'll never get any.

On the other hand if you have a high mail count you'll need more child processes. BUT if you have a low amount of ram with a high amount of mail you'll definitely need to upgrade your ram because the extra child process required to process all the mail will not work properly because of the lack of sufficient ram. (I think the average usage is about 20megs per child process.)

More Mail = More Child Processes
More Ram != More Child Processes

hth,
Chris.

p.s. extra ram is always good though.

From kenny at manjar.freeserve.co.uk Tue Jul 8 06:56:49 2003
From: kenny at manjar.freeserve.co.uk (Kenny)
Date: Thu Jan 12 21:18:52 2006
Subject: Newbie - rules files
Message-ID: <002301c34515$b9766640$0f7068d5@pc1>

Hi
I am trying to set up a rules files for the inline signatures.
I have separated the three fields by a tab eg.
From: @mydomain.com yes

What I am finding is the first line of the file always works but MailScanner appears to be ignoring all other lines.

Any help would be appreciated....

From Kevin.Spicer at BMRB.CO.UK Tue Jul 8 09:03:55 2003
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin)
Date: Thu Jan 12 21:18:52 2006
Subject: FW: Newbie - rules files
Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0EBF6F1@pascal.priv.bmrb.co.uk>

Can you post exactly which MailScanner.conf options you're trying to use a ruleset for and a longer example of what's in your ruleset

-----Original Message-----
From: Kenny [mailto:kenny@manjar.freeserve.co.uk]
Sent: 08 July 2003 06:57
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Newbie - rules files

Hi
I am trying to set up a rules files for the inline signatures.
I have separated the three fields by a tab eg.

From: @mydomain.com yes

What I am finding is the first line of the file always works but MailScanner appears to be ignoring all other lines.

Any help would be appreciated....

From Kevin.Spicer at BMRB.CO.UK Tue Jul 8 09:13:43 2003
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin)
Date: Thu Jan 12 21:18:52 2006
Subject: Heads up - serious vulnerability in 'unzip'
Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0A4ADBC@pascal.priv.bmrb.co.uk>

There's a problem with unzip. Looks like it could be serious for anyone running MailScanner as root where the virus scanner uses external unzip (such as Clam). Patches are available.

(from http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0282 )

Directory traversal vulnerability in UnZip 5.50 allows attackers to overwrite arbitrary files via invalid characters between two . (dot) characters, which are filtered and result in a ".." sequence.

From howard at harper-adams.ac.uk Tue Jul 8 09:40:27 2003
From: howard at harper-adams.ac.uk (Howard Robinson)
Date: Thu Jan 12 21:18:52 2006
Subject: Spam Actions attachment mode and bayes learn
In-Reply-To: <1057610017.26531.20.camel@bach.kevinspicer.co.uk>
References: <5C0296D26910694BB9A9BBFC577E7AB001175D0D@pascal.priv.bmrb.co.uk>
Message-ID: <200307080838.h688cqJi028477@blackhole.harper-adams.ac.uk>

On 7 Jul 03, at 21:33, Kevin Spicer wrote:

Thanks for this timely correction Kevin.
I had literally just decided to change spam actions as well and had restarted Mailscanner to send Spam as attachments. A quick edit, a restart and less head scratching.

> > I just upgraded from 4.21-9 to 4.22-5, and in the process I changed
> >from "Spam Actions = deliver" to "Spam Actions = attachment".
>
> You need to set
>
> Spam Actions = attachment deliver
>
> or the message will be turned into an attachment but not delivered (I
> found that out the hard way)
>

Regards

Howard Robinson (Senior Technical Development Officer)
Harper Adams University College
Edgmond
Newport
Shropshire
TF10 8NB
UK
E-mail: hrobinson@harper-adams.ac.uk
Tel. : +44(0)1952 820280 Via switchboard
     : +44(0)1952 815253 Direct line
Fax. : +44(0)1952 814783
College Web site http://www.harper-adams.ac.uk

From howard at harper-adams.ac.uk Tue Jul 8 13:00:02 2003
From: howard at harper-adams.ac.uk (Howard Robinson)
Date: Thu Jan 12 21:18:52 2006
Subject: Whitelist/Blacklist
Message-ID: <200307081158.h68BwjJk004209@blackhole.harper-adams.ac.uk>

Hello,

Sorry this is another Doh Question!

I have been reading the archive on Whitelists and blacklists and am now totally confused. Looking at the Archive it seems that I could let things through without any virus checks or let spam through if it is in a white list and block it regardless if it is in a blacklist.

I have two staff members - one receives monthly exe attachments for amendment/updates to software from a known sender. A second receives an HTML format email, again monthly, from a database search engine. I have set MailScanner to convert html to text but in this case it is more or less unreadable.

What I need to do is set mailscanner so that it checks everything but in the first case doesn't stop the exe file from the known address and in the second case doesn't convert the html to text again from a known address.

Can this be done?
Regards

Howard Robinson (Senior Technical Development Officer)
Harper Adams University College
Edgmond
Newport
Shropshire
TF10 8NB
UK
E-mail: hrobinson@harper-adams.ac.uk
Tel. : +44(0)1952 820280 Via switchboard
     : +44(0)1952 815253 Direct line
Fax. : +44(0)1952 814783
College Web site http://www.harper-adams.ac.uk

From dustin.baer at IHS.COM Tue Jul 8 13:57:31 2003
From: dustin.baer at IHS.COM (Dustin Baer)
Date: Thu Jan 12 21:18:52 2006
Subject: Newbie - rules files
References: <002301c34515$b9766640$0f7068d5@pc1>
Message-ID: <3F0ABFBB.74292B2B@ihs.com>

> Kenny wrote:
>
> Hi
> I am trying to set up a rules files for the inline signatures.
> I have separated the three fields by a tab eg.
>
> From: @mydomain.com yes
>
> What I am finding is the first line of the file always works but
> MailScanner appears to be ignoring all other lines.
>
> Any help would be appreciated....

What about:

From: *@mydomain.com yes

Dustin
--
Dustin Baer
Unix Administrator/Postmaster
Information Handling Services
15 Inverness Way East
Englewood, CO 80112
303-397-2836

From andersan at LTKALMAR.SE Tue Jul 8 15:00:56 2003
From: andersan at LTKALMAR.SE (Anders Andersson, IT)
Date: Thu Jan 12 21:18:52 2006
Subject: Noticed missing text in mailscanner.conf after upgrade
Message-ID: <9F18B7DDBA88E544AB1F1995148916661CE64D@lkl63.ltkalmar.se>

Hi

Not a big thing but thought I should let you know.

Did an upgrade and ran the upgrade_mailscanner_conf... everything ran ok except spam was converted to attachment.

Checked MailScanner.conf but there was nothing about it.
Seems like the upgrade_mailscanner_conf missed to add that text in the conf file.
The funny thing is that it continues to deliver them as attachment even if the conf-file just says deliver.... any clues on that?
/Anders

From raymond at PROLOCATION.NET Tue Jul 8 15:06:50 2003
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:18:52 2006
Subject: Noticed missing text in mailscanner.conf after upgrade
In-Reply-To: <9F18B7DDBA88E544AB1F1995148916661CE64D@lkl63.ltkalmar.se>
Message-ID:

Hi!

> Checked MailScanner.conf but there was nothing about it.
> Seems like the upgrade_mailscanner_conf missed to add that text in the conf
> file.
> The funny thing is that it continues to deliver them as attachment even if
> the conf-file just says deliver.... any clues on that?

It only adds new config parts, it doesn't update the text part of currently existing ones.

Bye,
Raymond.

From andersan at LTKALMAR.SE Tue Jul 8 15:08:38 2003
From: andersan at LTKALMAR.SE (Anders Andersson, IT)
Date: Thu Jan 12 21:18:52 2006
Subject: SV: Noticed missing text in mailscanner.conf after upgrade
Message-ID: <9F18B7DDBA88E544AB1F1995148916661CE64E@lkl63.ltkalmar.se>

> From: Raymond Dijkxhoorn [mailto:raymond@PROLOCATION.NET]
> Sent: 8 July 2003 16:07
> > Checked MailScanner.conf but there was nothing about it. Seems like
> > the upgrade_mailscanner_conf missed to add that text in the
> conf file.
> >
> > The funny thing is that it continues to deliver them as
> attachment even
> > if the conf-file just says deliver.... any clues on that?
>
> It only adds new config parts, it doesn't update the text part
> of currently existing ones.

But that doesn't explain that it converts spam to attachment????

>
> Bye,
> Raymond.
>

From dgeorgiades at POWERENG.COM Tue Jul 8 15:37:21 2003
From: dgeorgiades at POWERENG.COM (Derrick Georgiades)
Date: Thu Jan 12 21:18:52 2006
Subject: File locking / directory problem
Message-ID:

My queue directories are not NFS mounted. My server had been running for 90 days without a reboot, during that time I must have changed something. I also started to get errors that MIME\body.pm couldn't parse emails.
Luckily in my case we have redundant servers in case of a problem like this. I think I will just blow my MS and SpamAssassin away and start over on that system. I have older versions of both anyway.

Thanks for the responses.

Derrick Georgiades

-----Original Message-----
From: Nick Phillips [mailto:nwp@LEMON-COMPUTING.COM]
Sent: Tuesday, July 08, 2003 4:17 AM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: File locking / directory problem

On Mon, Jul 07, 2003 at 09:08:02AM -0600, Derrick Georgiades wrote:

> It doesn't appear to be a permissions issue. Does anyone know what an error
> 7 is for the lockd daemon? Strangely I can still pass mail, but these
> errors seem like it shouldn't. Any help would be greatly appreciated.

Are your spool dirs NFS-mounted? Sendmail generally uses flock (as does mailscanner when working with sendmail), which is not NFS-safe...

Cheers,

Nick

--
Nick Phillips -- nwp@lemon-computing.com
You never know how many friends you have until you rent a house on the beach.

From Antony at SOFT-SOLUTIONS.CO.UK Tue Jul 8 16:48:05 2003
From: Antony at SOFT-SOLUTIONS.CO.UK (Antony Stone)
Date: Thu Jan 12 21:18:52 2006
Subject: Newbie - rules files
In-Reply-To: <3F0ABFBB.74292B2B@ihs.com>
References: <002301c34515$b9766640$0f7068d5@pc1> <3F0ABFBB.74292B2B@ihs.com>
Message-ID: <200307081548.h68Fm9K08824@Primary.networker.test>

On Tuesday 08 July 2003 1:57 pm, Dustin Baer wrote:

> > Kenny wrote:
> >
> > Hi
> > I am trying to set up a rules files for the inline signatures.
> > I have separated the three fields by a tab eg.
> >
> > From: @mydomain.com yes
> >
> > What I am finding is the first line of the file always works but
> > MailScanner appears to be ignoring all other lines.
> >
> > Any help would be appreciated....
>
> What about:
>
> From: *@mydomain.com yes

I believe the * here is redundant.
The second field is a regular expression for matching against the sender's address, so unless you put a ^ at the beginning to anchor the @ as the first character, @mydomain.com will match exactly the same things as *@mydomain.com.

Admittedly the second version might be a little easier to read and see what it does, but there is no functional difference for MailScanner.

Antony.

--
What is this talk of software 'release' ?
Our software evolves and matures until it becomes capable of escape, leaving a bloody trail of designers and quality assurance people in its wake.

From Kevin.Spicer at BMRB.CO.UK Tue Jul 8 16:53:08 2003
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin)
Date: Thu Jan 12 21:18:52 2006
Subject: How to use spamassassin on a per user basis with a third party e-mail server setup?
Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0EBF6FF@pascal.priv.bmrb.co.uk>

> Can someone point me in the right direction -- documentation or
> otherwise? The closest I have found is spamassassin's userpref's
> file on their website.
>

If you're using SA through MailScanner you can achieve this with rulesets, take a read through the MailScanner.conf file and the files in /etc/MailScanner/rules (or the equivalent directory on your system)
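
The UnZip advisory (CAN-2003-0282) quoted earlier in this archive describes a name filter whose output becomes a ".." sequence. As an added example (not code from UnZip, MailScanner or any poster), the Python below shows why a scanner that unpacks archives should filter member names first and then verify that the resolved path stays inside its work directory; the filter, the work directory and the archive contents are constructed assumptions.

```python
import io
import posixpath
import zipfile

# Constructed work directory for the example (not a path from the thread).
WORK_DIR = "/var/tmp/scan-work/msg0001"


def filter_name(name: str) -> str:
    """Drop non-printable characters from a member name.

    Assumed stand-in for the kind of name filter the advisory describes.
    """
    return "".join(ch for ch in name if ch.isprintable())


def flawed_pipeline(name: str):
    """Check for '..' first, filter afterwards: the order that fails."""
    if ".." in name.split("/"):
        return None                      # rejected
    return filter_name(name)             # filtering can re-create '..'


def safe_target(dest: str, name: str):
    """Filter first, then require the resolved path to stay under dest.

    Returns the absolute target path, or None when the member is refused.
    """
    cleaned = filter_name(name).replace("\\", "/")
    if not cleaned or cleaned.startswith("/"):
        return None
    root = posixpath.normpath(dest)
    target = posixpath.normpath(posixpath.join(root, cleaned))
    if target == root or posixpath.commonpath([root, target]) != root:
        return None
    return target


def audit_archive(data: bytes, dest: str = WORK_DIR):
    """Split archive members into (accepted, rejected) without extracting."""
    accepted, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            target = safe_target(dest, info.filename)
            if target is None:
                rejected.append(info.filename)
            else:
                accepted.append((info.filename, target))
    return accepted, rejected


def build_sample_archive() -> bytes:
    """Constructed test archive: one ordinary member, and one with a control
    character between the dots of each leading path component."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "hello")
        zf.writestr(".\x01./.\x01./outside.txt", "placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    ok, refused = audit_archive(build_sample_archive())
    for name, target in ok:
        print("accept", repr(name), "->", target)
    for name in refused:
        print("refuse", repr(name))
```

Running the scanner as an unprivileged user, as the advisory message suggests by singling out root installs, limits what a missed case can overwrite.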
From Antony at SOFT-SOLUTIONS.CO.UK Tue Jul 8 16:55:39 2003
From: Antony at SOFT-SOLUTIONS.CO.UK (Antony Stone)
Date: Thu Jan 12 21:18:52 2006
Subject: How to use spamassassin on a per user basis with a third party e-mail server setup?
In-Reply-To: <200307081545.KAA27336@mail.int.orbitel.com>
References: <200307081545.KAA27336@mail.int.orbitel.com>
Message-ID: <200307081555.h68FthK09560@Primary.networker.test>

On Wednesday 09 July 2003 5:17 am, Orbitel Webmaster wrote:

> What have you found as the easiest way to enable/disable spamassassin
> for individual e-mail addresses? Our mailscanner server is being
> utilized in a third party e-mail server environment (relay) therefore
> there cannot be individual user accounts and spamassassin preference
> files.
>
> I would like the ability to either disable tagging, enable tagging,
> or enable auto spam deletion on a per e-mail address basis. I would
> like all settings to default to off. Additionally, all users will
> receive e-mail virus scanning.
>
> Can someone point me in the right direction -- documentation or
> otherwise? The closest I have found is spamassassin's userpref's
> file on their website.

Ignore SpamAssassin's internal settings - you'll find MailScanner overrides most of them anyway (eg it does its own subject line mangling, header insertions, and body alterations...)

What you need are rulesets for things like:

(High Scoring) Spam Modify Subject
(High Scoring) Spam Subject Text
Use SpamAssassin
Required SpamAssassin Score
High SpamAssassin Score

etc...

Antony

--
I can resist everything but temptation, I can tolerate everything but intolerance, and I can survive everything but death.

From slwatts at WINCKWORTHS.CO.UK Tue Jul 8 16:58:00 2003
From: slwatts at WINCKWORTHS.CO.UK (Samuel Luxford-Watts)
Date: Thu Jan 12 21:18:52 2006
Subject: Mailscanner + Postfix
Message-ID:

Hi All,

Just been thinking about my test installation of postfix + MailScanner on Suse 8.1.
At the moment it is all working great after following the instructions on the mailscanner website. Thanks Guys!

However this configuration is based on having postfix processes - one for receiving and one sending with Mailscanner sat in the middle moving files (messages) back and forth.

I am only a new person at this but on the face of it there would appear to be two ways that may be better at doing this but I am not at all sure if they would work with MailScanner.

1 is to use the 'content_filter=' directive in /etc/postfix/main.cf. I would guess that this is a NO but thought I would ask!!

2. Would it be possible to adapt the process used for anomy as detailed on: http://advosys.ca/papers/postfix-filtering.html ? .....creating a filter script to move the files/invoke mailscanner and define this script as a new service in /etc/postfix/master.cf?

Or is the two process solution the best?

Sam

From steve.douglas at SBIINCORPORATED.COM Tue Jul 8 17:32:18 2003
From: steve.douglas at SBIINCORPORATED.COM (Steve Douglas)
Date: Thu Jan 12 21:18:52 2006
Subject: HTML in Text Body
Message-ID: <3963522F0E71474CB14C0FF54A6914F70111514A@mail.gardenbotanika.com>

The only options I am using for "SPAM Actions" is store and forward (email address). The "high scoring spam actions" is set to only store. Originally I had the striphtml configured. Since this time I have gone back to the removal of the striphtml option, yet it appears I get a few stragglers each day that are stripped. Is there another location that I need to turn the HTML stripping off?

Thanks.

From steve.douglas at SBIINCORPORATED.COM Tue Jul 8 17:34:57 2003
From: steve.douglas at SBIINCORPORATED.COM (Steve Douglas)
Date: Thu Jan 12 21:18:52 2006
Subject: HTML in Text Body
Message-ID: <3963522F0E71474CB14C0FF54A6914F70111514B@mail.gardenbotanika.com>

I found the solution. Thanks.

From harish.amin at DEG.STATE.WI.US Tue Jul 8 18:10:30 2003
From: harish.amin at DEG.STATE.WI.US (Harish Amin)
Date: Thu Jan 12 21:18:52 2006
Subject: How to disable a mail to a user before scanning
Message-ID:

I receive about 50 messages to an unknown user on my SMTP server and I as a postmaster receive all the messages back

I tried the rules

# more spam.actions.rules
To: webmaster@www.dpi.state.wi.us delete
# more spam.blacklist.rules
#To: /^$/ yes
To: webmaster@www.dpi.state.wi.us yes

But I still keep getting it

The original message was received at Tue, 8 Jul 2003 12:08:05 -0500 (CDT)
from doagw01.doa.state.wi.us [165.189.88.161]

----- The following addresses had permanent fatal errors -----
<'webmaster@www.dpi.state.wi.us>
(reason: 553 5.3.5 system config error)

----- Transcript of session follows -----
553 5.3.5 www.dpi.state.wi.us. config error: mail loops back to me (MX problem?)
554 5.3.5 Local configuration error

Am I doing something wrong here...

I am running MailScanner E-Mail Virus Scanner version 4.22-4 on Sun Solaris running sendmail

Any Help will be appreciated

From mike at CAMAROSS.NET Tue Jul 8 18:10:18 2003
From: mike at CAMAROSS.NET (Mike Kercher)
Date: Thu Jan 12 21:18:52 2006
Subject: How to disable a mail to a user before scanning
In-Reply-To:
Message-ID: <001901c34573$cf261180$9c01a8c0@home.middlefinger.net>

Why not add an entry to /etc/mail/virtusertable and /dev/null it?
Mike -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Harish Amin Sent: Tuesday, July 08, 2003 12:11 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: How to disable a mail to a user before scanning I receive about 50 messages to a unknown user on my SMTP server and I as a postmaster receive all the messages back I tried the rules # more spam.actions.rules To: webmaster@www.dpi.state.wi.us delete # more spam.blacklist.rules #To: /^$/ yes To: webmaster@www.dpi.state.wi.us yes But I still keep getting it The original message was received at Tue, 8 Jul 2003 12:08:05 -0500 (CDT) from doagw01.doa.state.wi.us [165.189.88.161] ----- The following addresses had permanent fatal errors ----- <'webmaster@www.dpi.state.wi.us> (reason: 553 5.3.5 system config error) ----- Transcript of session follows ----- 553 5.3.5 www.dpi.state.wi.us. config error: mail loops back to me (MX problem?) 554 5.3.5 Local configuration error AM I doing something wrong here... 
I am running MailScanner E-Mail Virus Scanner version 4.22-4 on SUn Solaris running sendmail Any Help will be appreciated From Harish.Amin at DEG.STATE.WI.US Tue Jul 8 18:13:29 2003 From: Harish.Amin at DEG.STATE.WI.US (Amin, Harish) Date: Thu Jan 12 21:18:52 2006 Subject: R Rulesets( How to disable a mail to a user before scanning) Message-ID: <47F3EDACE4BC3A4594D0D7B504062BBD03733E70@doamail04.doa.wistate.us> I receive about 50 messages to a unknown user on my SMTP server and I as a postmaster receive all the messages back I tried the rules # more spam.actions.rules To: webmaster@www.dpi.state.wi.us delete # more spam.blacklist.rules #To: /^$/ yes To: webmaster@www.dpi.state.wi.us yes But I still keep getting it The original message was received at Tue, 8 Jul 2003 12:08:05 -0500 (CDT) from doagw01.doa.state.wi.us [165.189.88.161] ----- The following addresses had permanent fatal errors ----- <'webmaster@www.dpi.state.wi.us> (reason: 553 5.3.5 system config error) ----- Transcript of session follows ----- 553 5.3.5 www.dpi.state.wi.us. config error: mail loops back to me (MX problem?) 554 5.3.5 Local configuration error AM I doing something wrong here... I am running MailScanner E-Mail Virus Scanner version 4.22-4 on SUn Solaris running sendmail Any Help will be appreciated Thanx Harish From mike at CAMAROSS.NET Tue Jul 8 18:16:23 2003 From: mike at CAMAROSS.NET (Mike Kercher) Date: Thu Jan 12 21:18:52 2006 Subject: R Rulesets( How to disable a mail to a user before scanning) In-Reply-To: <47F3EDACE4BC3A4594D0D7B504062BBD03733E70@doamail04.doa.wistate.us> Message-ID: <001e01c34574$a8c96680$9c01a8c0@home.middlefinger.net> Ahhh...your mail server is not configured to accept mail for www.dpi.state.wi.us Try adding that FQDN to your local delivery domains. I'm not sure where this is done on Solaris. 
Mike -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Amin, Harish Sent: Tuesday, July 08, 2003 12:13 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: R Rulesets( How to disable a mail to a user before scanning) I receive about 50 messages to a unknown user on my SMTP server and I as a postmaster receive all the messages back I tried the rules # more spam.actions.rules To: webmaster@www.dpi.state.wi.us delete # more spam.blacklist.rules #To: /^$/ yes To: webmaster@www.dpi.state.wi.us yes But I still keep getting it The original message was received at Tue, 8 Jul 2003 12:08:05 -0500 (CDT) from doagw01.doa.state.wi.us [165.189.88.161] ----- The following addresses had permanent fatal errors ----- <'webmaster@www.dpi.state.wi.us> (reason: 553 5.3.5 system config error) ----- Transcript of session follows ----- 553 5.3.5 www.dpi.state.wi.us. config error: mail loops back to me (MX problem?) 554 5.3.5 Local configuration error AM I doing something wrong here... I am running MailScanner E-Mail Virus Scanner version 4.22-4 on SUn Solaris running sendmail Any Help will be appreciated Thanx Harish From raymond at PROLOCATION.NET Tue Jul 8 19:00:17 2003 From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:18:52 2006 Subject: How to disable a mail to a user before scanning In-Reply-To: Message-ID: Hi! > To: webmaster@www.dpi.state.wi.us yes > ----- The following addresses had permanent fatal errors ----- > <'webmaster@www.dpi.state.wi.us> > (reason: 553 5.3.5 system config error) I noticed a slightly diffrent address, the one in your mail has a 'webmaster and you block webmaster Perhaps its just a typo, if not it might be your solution. You could also let your mailer block *@www.bha in the access files. Bye, Raymond. 
From forrie at FORRIE.COM Tue Jul 8 19:15:28 2003 From: forrie at FORRIE.COM (Forrest Aldrich) Date: Thu Jan 12 21:18:52 2006 Subject: SpamAssassin Milter In-Reply-To: References: Message-ID: <5.2.1.1.2.20030708141420.02f7ce90@192.168.1.1> Hi, Wondering if others have experience with using MailScanner with Spamassassin Milter. I've been testing it (CVS code) and it seems to be working well, but I'm curious about optimizing how it works with MailScanner (if that's possible, since MailScanner isn't using Milter). Thanks.. From raymond at PROLOCATION.NET Tue Jul 8 19:18:41 2003 From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:18:52 2006 Subject: F-prot auto updates ... In-Reply-To: <5.2.1.1.2.20030708141420.02f7ce90@192.168.1.1> Message-ID: Hi! I just noticed the f-prot update sites (both ftp.f-prot.com and updates.f-prot.com are mega slow. The link towards their network seems just fine, low responses there. But when logging into their machines all hangs. If tested this from 4 networks, usa and europe based. It kept my auto update hanging so i disabled that for now. Other people experiencing the same ? bye, Raymond. From mbowman at UDCOM.COM Tue Jul 8 19:19:35 2003 From: mbowman at UDCOM.COM (Matthew Bowman) Date: Thu Jan 12 21:18:52 2006 Subject: F-prot auto updates ... Message-ID: Yes its slow from here too (Mansfield, Ohio) Matthew Raymond Dijkxhoorn Sent by: MailScanner mailing list 07/08/2003 02:18 PM Please respond to MailScanner mailing list To: MAILSCANNER@JISCMAIL.AC.UK cc: Subject: F-prot auto updates ... Hi! I just noticed the f-prot update sites (both ftp.f-prot.com and updates.f-prot.com are mega slow. The link towards their network seems just fine, low responses there. But when logging into their machines all hangs. If tested this from 4 networks, usa and europe based. It kept my auto update hanging so i disabled that for now. Other people experiencing the same ? bye, Raymond. 
From raymond at PROLOCATION.NET Tue Jul 8 19:23:37 2003 From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:18:52 2006 Subject: F-prot auto updates ... In-Reply-To: Message-ID: Hi! > Yes its slow from here too (Mansfield, Ohio) > Other people experiencing the same ? Ok, thanks. Then i know its not just me :) Other people might want to disable the auto update script also, since during the update mail will crop up and a update took 40 minutes here when i let it complete. Gives a nice backlog on processing :) Bye, Raymond. From Kevin_Miller at CI.JUNEAU.AK.US Tue Jul 8 19:01:35 2003 From: Kevin_Miller at CI.JUNEAU.AK.US (Kevin Miller) Date: Thu Jan 12 21:18:53 2006 Subject: Sophos Antivirus... Message-ID: <08146035CA49D6119A36009027AC822A0264E496@CITY-EXCH-NTS> I'm still muddling over what antivirus to go with on my secondary server. (F-prot is on my current server, but got to expensive!) I set up a spreadsheet and grabbed the AV products web page on the MailScanner site and am trying to get a "global view" of the diffenent products strengths & weaknesses. I'm looking at each one by one, and am on the Sophos web site, but have a couple questions about it: Approximate cost? Didn't see that listed anywhere, though might have missed it. It seems that they put out a new "version" monthly, or as needed. The MailScanner script (or at least the instructions on the MS web page for a tarball install) indicate that a daily cron job can be used to update the critter. I have the impression though, that I'd still have to do a monthly install of the new IDE files. Is that correct? Can it be set up so that it takes care of itself for the duration of the license (i.e., a year or more)? In the event of an outbreak I don't mind doing a manual pull, but I don't want to make it a habit every month. As always, thanks much. More questions sure to follow... ...Kevin ------------------- Kevin Miller Registered Linux User No: 307357 CBJ MIS Dept. 
Network Systems Administrator, Mail Administrator
155 South Seward Street ph: (907) 586-0242
Juneau, Alaska 99801 fax: (907 586-4500

From zabriskw at ITECH.NET Tue Jul 8 19:50:21 2003
From: zabriskw at ITECH.NET (Kris Zabriskie)
Date: Thu Jan 12 21:18:53 2006
Subject: Bayesian Scanning
Message-ID: <003c01c34581$c88e69e0$0c02a8c0@itech.dom>

I am having one heck of a time getting Bayesian scanning to work properly. I am having several problems.

The first problem is with the Bayesian scanning itself. I have been using the script below in a cron job, but have had several problems with it:

#!/bin/sh

SPAM=/var/spool/mail/spam
NOTSPAM=/var/spool/mail/notspam
TOTAL=.cumulative
LOGFILE=/var/log/learn.spam.log
PREFS=/usr/local/MailScanner/etc/spam.assassin.prefs.conf
SALEARN=/usr/local/MailScanner/bin/sa-learn

date >> $LOGFILE

if [ -f $SPAM ]; then
  BOX=${SPAM}.processing
  mv $SPAM $BOX
  sleep 5 # Wait for writing current message to complete
  $SALEARN --prefs-file=$PREFS --spam --mbox $BOX >> $LOGFILE 2>&1
  cat $BOX >> ${SPAM}${TOTAL}
  echo >> ${SPAM}${TOTAL}
  rm -f $BOX
fi

if [ -f $NOTSPAM ]; then
  BOX=${NOTSPAM}.processing
  mv $NOTSPAM $BOX
  sleep 5 # Wait for writing current message to complete
  $SALEARN --prefs-file=$PREFS --ham --mbox $BOX >> $LOGFILE 2>&1
  cat $BOX >> ${NOTSPAM}${TOTAL}
  echo >> ${NOTSPAM}${TOTAL}
  rm -f $BOX
fi

Now.. the problem I see with this is.. it is moving the spam@domain.com and notspam@domain.com mailboxes, and they are not being recreated. Has anyone else experienced this problem? I tried adding these lines and it worked, but caused the following errors to be reported:

touch $SPAM
chown spam $SPAM

and vice versa for $NOTSPAM

This is causing the processes to be killed however.

The other problem is when I attempt to run the Bayesian clean up script this is the error I get:

Failed to create default user preference file //.spamassassin/user_prefs
............................................................................
............................................................................ ...........................................................bayes expire_old_tokens: Out of memory during "large" request for 1052672 bytes, total sbrk() is 133331264 bytes at /usr/local/lib/perl5/site_perl/5.6.1/Mail/SpamAssassin/BayesStore.pm line 390. Has anyone experienced these problems before? Any help would be greatly appreciated. Thanks! From kevins at BMRB.CO.UK Tue Jul 8 19:56:33 2003 From: kevins at BMRB.CO.UK (Kevin Spicer) Date: Thu Jan 12 21:18:53 2006 Subject: Sophos Antivirus... In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB001175D32@pascal.priv.bmrb.co.uk> References: <5C0296D26910694BB9A9BBFC577E7AB001175D32@pascal.priv.bmrb.co.uk> Message-ID: <1057690603.23991.3.camel@bach.kevinspicer.co.uk> >Approximate cost? Didn't see that listed anywhere, though might have >missed it. If you're looking to save money Sophos won't be your choice! >It seems that they put out a new "version" monthly, or as needed. The >MailScanner script (or at least the instructions on the MS web page for >a >tarball install) indicate that a daily cron job can be used to update >the >critter. I have the impression though, that I'd still have to do a >monthly >install of the new IDE files. Is that correct? MailScanner does hourly updates of all definitions, but Sophos release a new engine every three months, theres a script somewhere on the MS site to automate this too. BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. 
BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. From kevins at BMRB.CO.UK Tue Jul 8 20:00:13 2003 From: kevins at BMRB.CO.UK (Kevin Spicer) Date: Thu Jan 12 21:18:53 2006 Subject: Bayesian Scanning In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB001175D33@pascal.priv.bmrb.co.uk> References: <5C0296D26910694BB9A9BBFC577E7AB001175D33@pascal.priv.bmrb.co.uk> Message-ID: <1057690814.23991.7.camel@bach.kevinspicer.co.uk> > Failed to create default user preference file //.spamassassin/user_prefs At a guess you're either running the script as a user other than the mailscanner user, or the mailscanner user is not root and does not have a proper home directory. The mailboxes will be recreated when they next recieve any mail. BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. From zabriskw at ITECH.NET Tue Jul 8 20:02:37 2003 From: zabriskw at ITECH.NET (Kris Zabriskie) Date: Thu Jan 12 21:18:53 2006 Subject: Bayesian Scanning References: <5C0296D26910694BB9A9BBFC577E7AB001175D33@pascal.priv.bmrb.co.uk> <1057690814.23991.7.camel@bach.kevinspicer.co.uk> Message-ID: <000601c34583$7fba3d50$0c02a8c0@itech.dom> Bayesian was being run as root as well as MailScanner. I was not aware that the mailboxes were recreated when new mail was received. Thanks! I really appreciate your help! 
----- Original Message ----- From: "Kevin Spicer" To: Sent: Tuesday, July 08, 2003 3:00 PM Subject: Re: Bayesian Scanning > > Failed to create default user preference file > //.spamassassin/user_prefs > > At a guess you're either running the script as a user other than the > mailscanner user, or the mailscanner user is not root and does not have > a proper home directory. > > The mailboxes will be recreated when they next recieve any mail. > > > > > BMRB International > http://www.bmrb.co.uk > +44 (0)20 8566 5000 > _________________________________________________________________ > This message (and any attachment) is intended only for the > recipient and may contain confidential and/or privileged > material. If you have received this in error, please contact the > sender and delete this message immediately. Disclosure, copying > or other action taken in respect of this email or in > reliance on it is prohibited. BMRB International Limited > accepts no liability in relation to any personal emails, or > content of any email which does not directly relate to our > business. > From mailscanner at BARENDSE.TO Tue Jul 8 20:20:25 2003 From: mailscanner at BARENDSE.TO (Remco Barendse) Date: Thu Jan 12 21:18:53 2006 Subject: R Rulesets( How to disable a mail to a user before scanning) In-Reply-To: <47F3EDACE4BC3A4594D0D7B504062BBD03733E70@doamail04.doa.wistate.us> Message-ID: I have the same problem. For some reason mail sent to webmaster@ or postmaster@ never ever gets deleted. It is marked as spam, but a spam action to delete it never works it seems. 
I haven't tried it yet but maybe a solution to that is create an alias in your /etc/aliases getlost: /dev/null and make the spam action for the webmaster@whatever forward getlost On Tue, 8 Jul 2003, Amin, Harish wrote: > I receive about 50 messages to a unknown user on my SMTP server > and I as a postmaster receive all the messages back > I tried the rules > > # more spam.actions.rules > To: webmaster@www.dpi.state.wi.us delete > > > # more spam.blacklist.rules > #To: /^$/ yes > To: webmaster@www.dpi.state.wi.us yes > > But I still keep getting it > > > > The original message was received at Tue, 8 Jul 2003 12:08:05 -0500 (CDT) > from doagw01.doa.state.wi.us [165.189.88.161] > > ----- The following addresses had permanent fatal errors ----- > <'webmaster@www.dpi.state.wi.us> > (reason: 553 5.3.5 system config error) > > ----- Transcript of session follows ----- > 553 5.3.5 www.dpi.state.wi.us. config error: mail loops back to me (MX > problem?) > 554 5.3.5 Local configuration error > > AM I doing something wrong here... > I am running MailScanner E-Mail Virus Scanner version 4.22-4 on SUn Solaris > running sendmail > Any Help will be appreciated > Thanx > Harish > From kevins at BMRB.CO.UK Tue Jul 8 20:38:47 2003 From: kevins at BMRB.CO.UK (Kevin Spicer) Date: Thu Jan 12 21:18:53 2006 Subject: R Rulesets( How to disable a mail to a user before scanning) In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB001175D37@pascal.priv.bmrb.co.uk> References: <5C0296D26910694BB9A9BBFC577E7AB001175D37@pascal.priv.bmrb.co.uk> Message-ID: <1057693128.23991.11.camel@bach.kevinspicer.co.uk> On Tue, 2003-07-08 at 20:20, Remco Barendse wrote: >For some reason mail sent to webmaster@ or postmaster@ never ever gets >deleted. It is marked as spam, but a spam action to delete it never >works it seems. Maybe you have aliases for webmaster & postmaster (perhaps onto root) in /etc/aliases. 
Sendmail (IIRC) applies these aliases on receipt, so by the time the message gets to MailScanner its envelope is root@yourserver.yourdomain.com (you'll still get webmaster in the headers) BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. From mike at CAMAROSS.NET Tue Jul 8 20:38:14 2003 From: mike at CAMAROSS.NET (Mike Kercher) Date: Thu Jan 12 21:18:53 2006 Subject: R Rulesets( How to disable a mail to a user before scanning) In-Reply-To: <1057693128.23991.11.camel@bach.kevinspicer.co.uk> Message-ID: <005e01c34588$797d27e0$9c01a8c0@home.middlefinger.net> I still say this problem needs to be resolved first: ----- Transcript of session follows ----- 553 5.3.5 www.dpi.state.wi.us. config error: mail loops back to me (MX problem?) 554 5.3.5 Local configuration error On Redhat systems, adding www.dpi.state.wi.us to /etc/mail/local-host-names and a restart of the MailScanner service should fix it. Mike -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Kevin Spicer Sent: Tuesday, July 08, 2003 2:39 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: R Rulesets( How to disable a mail to a user before scanning) On Tue, 2003-07-08 at 20:20, Remco Barendse wrote: >For some reason mail sent to webmaster@ or postmaster@ never ever gets >deleted. It is marked as spam, but a spam action to delete it never >works it seems. 
Maybe you have aliases for webmaster & postmaster (perhaps onto root) in /etc/aliases. Sendmail (IIRC) applies these aliases on receipt, so by the time the message gets to MailScanner its envelope is root@yourserver.yourdomain.com (you'll still get webmaster in the headers) BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. From nwp at LEMON-COMPUTING.COM Tue Jul 8 11:18:36 2003 From: nwp at LEMON-COMPUTING.COM (Nick Phillips) Date: Thu Jan 12 21:18:53 2006 Subject: Whitelist not working... In-Reply-To: <08146035CA49D6119A36009027AC822A0264E487@CITY-EXCH-NTS> References: <08146035CA49D6119A36009027AC822A0264E487@CITY-EXCH-NTS> Message-ID: <20030708101835.GL29047@hoiho.nz.lemon-computing.com> On Mon, Jul 07, 2003 at 09:27:30AM -0800, Kevin Miller wrote: > The sendmail log shows it connected as airemote3.aif1.com, so I'll add that > & see what happens. Still not sure if I can wildcard the domain, but if the > host doesn't change from month to month I guess it doesn't matter... Remember that it's not the host that's connecting that you're after, but the domain that that host claims the mail is from... I wasn't quite sure which you were referring to above. Cheers, Nick -- Nick Phillips -- nwp@lemon-computing.com You can create your own opportunities this week. Blackmail a senior executive. 
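The points made in the "R Rulesets" thread and in Nick Phillips's whitelist reply, as an added illustration that is not part of any message above and is not MailScanner's own code: a ruleset entry is compared with the envelope address the scanner actually receives, so a stray leading apostrophe, an alias expanded on receipt, or a host name used where a sender address is expected all leave the rule unmatched. The matcher is a simplified first-match model that assumes only literal, `*` wildcard, `/regex/` and `default` patterns with case-insensitive comparison; the `default` lines, the alias table, `mail.example.org` and the sender addresses are constructed sample values.

```python
import re

# Rule quoted in the thread (spam.actions.rules) plus a constructed default line.
SPAM_ACTIONS = """\
To:       webmaster@www.dpi.state.wi.us  delete
FromOrTo: default                        deliver
"""

# Constructed whitelist: the domain comes from the host named in the thread.
WHITELIST = """\
From:     *@aif1.com  yes
FromOrTo: default     no
"""


def parse_ruleset(text):
    """Return [(direction, pattern, value)] for every non-comment line."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        direction, pattern, value = line.split(None, 2)
        rules.append((direction.rstrip(":").lower(), pattern, value.strip()))
    return rules


def pattern_matches(pattern, address):
    """Simplified matcher (assumption): default, /regex/, or literal with *."""
    if pattern.lower() == "default":
        return True
    if len(pattern) > 1 and pattern.startswith("/") and pattern.endswith("/"):
        return re.search(pattern[1:-1], address, re.IGNORECASE) is not None
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, address, re.IGNORECASE) is not None


def lookup(rules, sender, recipient):
    """First matching rule wins; None when no rule matches."""
    for direction, pattern, value in rules:
        hit_from = pattern_matches(pattern, sender)
        hit_to = pattern_matches(pattern, recipient)
        if ((direction == "from" and hit_from)
                or (direction == "to" and hit_to)
                or (direction == "fromorto" and (hit_from or hit_to))
                or (direction == "fromandto" and hit_from and hit_to)):
            return value
    return None


def expand_alias(recipient, aliases, local_host):
    """Model of alias expansion happening before the scanner sees the mail."""
    local_part = recipient.split("@", 1)[0].lower()
    if local_part in aliases:
        return f"{aliases[local_part]}@{local_host}"
    return recipient


def why_no_match(rules, sender, envelope_rcpt, header_rcpt):
    """Compare the result the rule author expected with the actual one."""
    expected = lookup(rules, sender, header_rcpt)
    actual = lookup(rules, sender, envelope_rcpt)
    if expected == actual:
        return "rule applies as expected"
    cleaned = envelope_rcpt.strip(" <>'\"")
    if lookup(rules, sender, cleaned) == expected:
        return "stray quote or bracket in the envelope address"
    return "envelope recipient differs from the header address (alias?)"


if __name__ == "__main__":
    rules = parse_ruleset(SPAM_ACTIONS)
    sender = "someone@example.com"              # constructed
    header = "webmaster@www.dpi.state.wi.us"    # address used in the rule
    bounced = "'webmaster@www.dpi.state.wi.us"  # address shown in the bounce
    aliased = expand_alias(header, {"webmaster": "root"}, "mail.example.org")
    for rcpt in (header, bounced, aliased):
        print(rcpt, "->", lookup(rules, sender, rcpt), "|",
              why_no_match(rules, sender, rcpt, header))
    wl = parse_ruleset(WHITELIST)
    for claimed in ("reports@aif1.com", "airemote3.aif1.com"):
        print(claimed, "->", lookup(wl, claimed, "user@example.org"))
```
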
From nwp at LEMON-COMPUTING.COM Tue Jul 8 11:16:44 2003 From: nwp at LEMON-COMPUTING.COM (Nick Phillips) Date: Thu Jan 12 21:18:53 2006 Subject: File locking / directory problem In-Reply-To: References: Message-ID: <20030708101644.GK29047@hoiho.nz.lemon-computing.com> On Mon, Jul 07, 2003 at 09:08:02AM -0600, Derrick Georgiades wrote: > It doesn't appear to be a permissions issue. Does anyone know what an error > 7 is for the lockd daemon? Strangely I can still pass mail, but these > errors seem like it shouldn't. Any help would be greatly appreciated. Are your spool dirs NFS-mounted? Sendmail generally uses flock (as does mailscanner when working with sendmail), which is not NFS-safe... Cheers, Nick -- Nick Phillips -- nwp@lemon-computing.com You never know how many friends you have until you rent a house on the beach. From webmaster at ORBITEL.COM Wed Jul 9 05:17:51 2003 From: webmaster at ORBITEL.COM (Orbitel Webmaster) Date: Thu Jan 12 21:18:53 2006 Subject: How to use spamassassin on a per user basis with a third party e-mail server setup? Message-ID: <200307081545.KAA27336@mail.int.orbitel.com> What have you found as the easiest way to enable/disable spamassassin for individual e-mail addresses? Our mailscanner server is being utilized in a third party e-mail server enviroment (relay) therefore there cannot be individual user accounts and spamassassin preference files. I would like the ability to either disable tagging, enable tagging, or enable auto spam deletion on a per e-mail address basis. I would like all settings to default to off. Additionally, all users will receive e-mail virus scanning. Can someone point me in the right direction -- documentation or otherwise? The closest I have found is spamassassin's userpref's file on their website. Thanks! From forrie at FORRIE.COM Tue Jul 8 21:11:49 2003 From: forrie at FORRIE.COM (Forrest Aldrich) Date: Thu Jan 12 21:18:53 2006 Subject: Automatic Archiving of attachements...... 
In-Reply-To: <5.2.1.1.2.20030708141420.02f7ce90@192.168.1.1> References: Message-ID: <5.2.1.1.2.20030708161027.02f84238@192.168.1.1> Another way one might be able to trick *.pif attachments and the like (provided they're not outright prohibited) are by automatically placing attachments into a *.zip file or something similar. AOL does this with attachments, and I'm not sure how one would do this -- it would certainly be a performance hit. From adkinss at OHIO.EDU Tue Jul 8 21:36:10 2003 From: adkinss at OHIO.EDU (Scott Adkins) Date: Thu Jan 12 21:18:53 2006 Subject: Sophos Antivirus... In-Reply-To: <1057690603.23991.3.camel@bach.kevinspicer.co.uk> References: <5C0296D26910694BB9A9BBFC577E7AB001175D32@pascal.priv.bmrb.co.uk> <1057690603.23991.3.camel@bach.kevinspicer.co.uk> Message-ID: <2181725665.1057682170@Callisto> --On Tuesday, July 08, 2003 7:56 PM +0100 Kevin Spicer wrote: >> Approximate cost? Didn't see that listed anywhere, though might have >> missed it. > > If you're looking to save money Sophos won't be your choice! > >> It seems that they put out a new "version" monthly, or as needed. The >> MailScanner script (or at least the instructions on the MS web page for >> a >> tarball install) indicate that a daily cron job can be used to update >> the >> critter. I have the impression though, that I'd still have to do a >> monthly >> install of the new IDE files. Is that correct? > > MailScanner does hourly updates of all definitions, but Sophos release a > new engine every three months, theres a script somewhere on the MS site > to automate this too. Actually, Sophos updates their engine every month (though, they could do it more often in cases of emergencies, but I haven't seen that happen). You are only required to update your engine every three months, as the auto-update process won't work after that. It is a good idea to update the engine as often as possible, but realistically, most people do it on the three month schedule. 
As for the auto-update process for the IDEs, we watch the mailbox that receives their mailings that new IDEs have been put up on the web page. Basically, when the mailbox file changes, an auto-update process kicks off. It has come in handy in a couple instances, such as the Sobig-E virus. As soon as the update process downloaded the IDE for it, we were getting notifications that the virus was being caught... I am sure a few made it to some user's mailboxes before they made an IDE for it. Scott -- +-----------------------------------------------------------------------+ Scott W. Adkins http://www.cns.ohiou.edu/~sadkins/ UNIX Systems Engineer mailto:adkinss@ohio.edu ICQ 7626282 Work (740)593-9478 Fax (740)593-1944 +-----------------------------------------------------------------------+ PGP Public Key available at http://www.cns.ohiou.edu/~sadkins/pgp/ -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 231 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030708/c7ddafe6/attachment.bin From mbowman at UDCOM.COM Tue Jul 8 21:56:55 2003 From: mbowman at UDCOM.COM (Matthew Bowman) Date: Thu Jan 12 21:18:53 2006 Subject: score=0/spamc errors Message-ID: Hi I have had a client call me today about a problem whereby an e-mail doesn't get scored.. In the headers it says SCORE=0 but I cannot find any trace of this in the maillog. 
However I do see the mail be routed as follows:

Jul 8 12:42:21 smithers sendmail[21543]: h68GgK621543: from=<1zbygm6VcbmPdijo463wtpZP7mIjEe@5948.bounce.e-i1.com>, size=1568, class=0, nrcpts=1, msgid=<1zbygdxMTSdGUZafvxunkgQGyd9a5V@1zbygQk9GFQ3HMNSikhaXTD3lQwNsI>, proto=SMTP, daemon=MTA, relay=b7.e-i1.com [63.251.54.87]
Jul 8 12:42:21 smithers sendmail[21543]: h68GgK621543: to=, delay=00:00:01, mailer=smtp, pri=31568, stat=queued
Jul 8 12:42:22 smithers sendmail[21551]: h68GgK621543: to=, delay=00:00:02, xdelay=00:00:00, mailer=smtp, pri=121568, relay=grcmail1.gormanrupp.com. [63.173.204.4], dsn=2.0.0, stat=Sent (Message accepted for delivery)

No indication of Spam Checking...

Maillog has also reported this

Jul 8 16:54:53 smithers spamc[1410]: connect() to spamd at 127.0.0.1 failed, retrying (1/3): Connection refused
Jul 8 16:54:54 smithers spamc[1410]: connect() to spamd at 127.0.0.1 failed, retrying (2/3): Connection refused
Jul 8 16:54:55 smithers spamc[1410]: connect() to spamd at 127.0.0.1 failed, retrying (3/3): Connection refused
Jul 8 16:54:56 smithers spamc[1410]: connection attempt to spamd aborted after 3 retries

Are these linked? or separate issues?

Problems started to happen after the upgrade to MS 4.22-4 and SA 2.55

Any help would be appreciated

Thank you

Matthew Bowman
UDCom

From lists at STHOMAS.NET Tue Jul 8 22:04:24 2003
From: lists at STHOMAS.NET (Steve Thomas)
Date: Thu Jan 12 21:18:53 2006
Subject: Sophos Antivirus...
In-Reply-To: <2181725665.1057682170@Callisto>; from adkinss@OHIO.EDU on Tue, Jul 08, 2003 at 04:36:10PM -0400
References: <5C0296D26910694BB9A9BBFC577E7AB001175D32@pascal.priv.bmrb.co.uk> <1057690603.23991.3.camel@bach.kevinspicer.co.uk> <2181725665.1057682170@Callisto>
Message-ID: <20030708140424.A7799@sthomas.net>

On Tue, Jul 08, 2003 at 04:36:10PM -0400, Scott Adkins is rumored to have said:
>
> Basically, when the mailbox file changes, an auto-update process kicks
> off.
It has come in handy in a couple instances, such as the Sobig-E I have a utility that automates the downloading of the IDEs when the e-mail is received. It extracts the URL out of the message and downloads the IDE file. It's used by setting up an alias in sendmail which feeds the message to the program. Here's the URL for those interested: http://www.sthomas.net/perl/scripts/sidefire.php -- "One of the symptoms of an approaching nervous breakdown is the belief that one's work is terribly important." - Bertrand Russell (1872-1970) From combslm at APPSTATE.EDU Tue Jul 8 22:08:19 2003 From: combslm at APPSTATE.EDU (Laramie Combs) Date: Thu Jan 12 21:18:53 2006 Subject: score=0/spamc errors References: Message-ID: <001c01c34595$0f3374e0$1e140a98@somana> I have never seen a score of exactly 0 from spamassassin. Mailscanner should not have to connect to spamd for its scanning - it just uses the spamassassin program for scanning and scoring. Spamd probably got started running with your upgrade to the SA 2.55. Are you seeing other mail messages getting scores from MailScanner? -Laramie Combs Network Analyst Appalachian State ----- Original Message ----- From: "Matthew Bowman" To: Sent: Tuesday, July 08, 2003 4:56 PM Subject: score=0/spamc errors > Hi > > I have had a client call me today about a problem whereby an e-mail > doesn't get scored.. > > In the headers it says SCORE=0 but I cannot find any trace of this in the > maillog. 
> > However I do see the mail be routed as follows: > > Jul 8 12:42:21 smithers sendmail[21543]: h68GgK621543: > from=<1zbygm6VcbmPdijo463wtpZP7mIjEe@5948.bounce.e-i1.com>, size=1568, > class=0, nrcpts=1, > msgid=<1zbygdxMTSdGUZafvxunkgQGyd9a5V@1zbygQk9GFQ3HMNSikhaXTD3lQwNsI>, > proto=SMTP, daemon=MTA, relay=b7.e-i1.com [63.251.54.87] > Jul 8 12:42:21 smithers sendmail[21543]: h68GgK621543: > to=, delay=00:00:01, mailer=smtp, pri=31568, > stat=queued > Jul 8 12:42:22 smithers sendmail[21551]: h68GgK621543: > to=, delay=00:00:02, xdelay=00:00:00, mailer=smtp, > pri=121568, relay=grcmail1.gormanrupp.com. [63.173.204.4], dsn=2.0.0, > stat=Sent (Message accepted for delivery) > > No indication of Spam Checking... > > Maillog has also reported this > > Jul 8 16:54:53 smithers spamc[1410]: connect() to spamd at 127.0.0.1 > failed, retrying (1/3): Connection refused > Jul 8 16:54:54 smithers spamc[1410]: connect() to spamd at 127.0.0.1 > failed, retrying (2/3): Connection refused > Jul 8 16:54:55 smithers spamc[1410]: connect() to spamd at 127.0.0.1 > failed, retrying (3/3): Connection refused > Jul 8 16:54:56 smithers spamc[1410]: connection attempt to spamd aborted > after 3 retries > > Are these linked? or seperate issues? > > Problems started to happen after the upgrade to MS 4.22-4 and SA 2.55 > > Any help would be appreciated > > Thank you > > Matthew Bowman > UDCom > From mikea at MIKEA.ATH.CX Tue Jul 8 22:17:02 2003 From: mikea at MIKEA.ATH.CX (mikea) Date: Thu Jan 12 21:18:53 2006 Subject: score=0/spamc errors In-Reply-To: ; from mbowman@UDCOM.COM on Tue, Jul 08, 2003 at 04:56:55PM -0400 References: Message-ID: <20030708161702.A22183@mikea.ath.cx> On Tue, Jul 08, 2003 at 04:56:55PM -0400, Matthew Bowman wrote: > Hi > > I have had a client call me today about a problem whereby an e-mail > doesn't get scored.. > > In the headers it says SCORE=0 but I cannot find any trace of this in the > maillog. 
> > However I do see the mail be routed as follows: > > Jul 8 12:42:21 smithers sendmail[21543]: h68GgK621543: > from=<1zbygm6VcbmPdijo463wtpZP7mIjEe@5948.bounce.e-i1.com>, size=1568, > class=0, nrcpts=1, > msgid=<1zbygdxMTSdGUZafvxunkgQGyd9a5V@1zbygQk9GFQ3HMNSikhaXTD3lQwNsI>, > proto=SMTP, daemon=MTA, relay=b7.e-i1.com [63.251.54.87] > Jul 8 12:42:21 smithers sendmail[21543]: h68GgK621543: > to=, delay=00:00:01, mailer=smtp, pri=31568, > stat=queued > Jul 8 12:42:22 smithers sendmail[21551]: h68GgK621543: > to=, delay=00:00:02, xdelay=00:00:00, mailer=smtp, > pri=121568, relay=grcmail1.gormanrupp.com. [63.173.204.4], dsn=2.0.0, > stat=Sent (Message accepted for delivery) > > No indication of Spam Checking... > > Maillog has also reported this > > Jul 8 16:54:53 smithers spamc[1410]: connect() to spamd at 127.0.0.1 > failed, retrying (1/3): Connection refused > Jul 8 16:54:54 smithers spamc[1410]: connect() to spamd at 127.0.0.1 > failed, retrying (2/3): Connection refused > Jul 8 16:54:55 smithers spamc[1410]: connect() to spamd at 127.0.0.1 > failed, retrying (3/3): Connection refused > Jul 8 16:54:56 smithers spamc[1410]: connection attempt to spamd aborted > after 3 retries > > Are these linked? or seperate issues? > > Problems started to happen after the upgrade to MS 4.22-4 and SA 2.55 > > Any help would be appreciated If you're running MailScanner, and MailScanner is running SpamAssassin directly, then I don't understand why spamc and/or spamd would be involved in any way at all. Would you mind explaining just how things are installed, and who does what, and with which, and to whom? Then we'll all have a somewhat better understanding of what's going on. Output from `ps awux | grep -i mail`, or its Linux equivalent, would be useful, too. -- Mike Andrews mikea@mikea.ath.cx Tired old sysadmin since 1964 From kevins at BMRB.CO.UK Tue Jul 8 22:28:19 2003 From: kevins at BMRB.CO.UK (Kevin Spicer) Date: Thu Jan 12 21:18:53 2006 Subject: Sophos Antivirus... 
In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB001175D3B@pascal.priv.bmrb.co.uk> References: <5C0296D26910694BB9A9BBFC577E7AB001175D3B@pascal.priv.bmrb.co.uk> Message-ID: <1057699700.23991.17.camel@bach.kevinspicer.co.uk> > Actually, Sophos updates their engine every month Agreed, I meant to say that you only need to upgrade every three months, doh! > > As for the auto-update process for the IDEs, we watch the mailbox that > receives their mailings that new IDEs have been put up on the web page. > Basically, when the mailbox file changes, an auto-update process kicks > off. I've found that the ides usually appear a while before the email alerts, whenever I've checked (which to be fair isn't often) I've already got the ides from the hourly update by the time the email arrives. I guess they don't wait to write the analysis and send the email before publishing the ides. BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. From moliveri at UTI.COM Tue Jul 8 22:32:20 2003 From: moliveri at UTI.COM (Mike Oliveri) Date: Thu Jan 12 21:18:53 2006 Subject: Quick AV question Message-ID: <5.2.0.9.0.20030708162609.00a7b4e0@mail211.pair.com> Hi folks, I'm working on getting MailScanner up and running and have a quick question. The sysadmin I'm replacing had AMaViS (http://www.amavis.org/) antivirus running on the mail server in the past. 
I noticed it's not listed on the AV chart at http://www.sng.ecs.soton.ac.uk/mailscanner/install/OS-virus-scan-web.htm. Has anyone out there used MailScanner with AMaViS, and/or can anyone think of any reason I shouldn't be able to? Thanks! Take care, Mike Oliveri www.mikeoliveri.com From mbowman at UDCOM.COM Tue Jul 8 22:42:31 2003 From: mbowman at UDCOM.COM (Matthew Bowman) Date: Thu Jan 12 21:18:53 2006 Subject: score=0/spamc errors Message-ID: Hi Redhat 7.3 running on a Dell Poweredge with Dual 1Ghz Processors and 1GB of Ram sendmail 8.11.6 - fully patched I upgraded from MailScanner 4-13.3 to 4.22.4 and all I did was update the .conf and .rule files to what I previously had. I downloaded SA 2.55 and compiled from source. I am seeing e-mail getting scored with SpamAssassin but occassionally it doesn't even check for e-mail to a domain for spam. An example of the problem I've been looking at An email is sent from 1zbygm6VcbmPdijo463wtpZP7mIjEe@5948.bounce.e-i1.com to gary1@gormanrupp.com MX 5 for gormanrupp.com points to 63.173.207.13 (smithers) the e-mail is checked by mailscanner and via mailertable is forwarded onto the client's Lotus mail server In the 'document properties' under X-MailScanner-SpamCheck it says SCORE=0, REQUIRED=4 Naturally I am baffled by this problem. The MX 10 server which we provide does not have MS or SA installed so I'm ruling that out. Output from ps command root 24497 0.0 0.3 7264 3596 ? S May18 4:59 /usr/bin/perl /us r/bin/mrtg /etc/mrtg/mailscanner-mrtg.cfg root 22189 0.0 0.2 5568 2072 ? S 15:45 0:02 sendmail: accepti ng connections root 22194 0.0 0.1 4696 1760 ? S 15:45 0:00 /usr/sbin/sendmai l -q15m root 22212 0.0 0.8 10200 8780 ? S 15:45 0:00 /usr/bin/perl -I/ usr/lib/MailScanner /usr/sbin/MailScanner /etc/MailS root 22213 0.5 2.0 22524 20692 ? S 15:45 0:40 /usr/bin/perl -I/ usr/lib/MailScanner /usr/sbin/MailScanner /etc/MailS root 22232 0.6 2.0 23108 21272 ? 
S 15:45 0:43 /usr/bin/perl -I/ usr/lib/MailScanner /usr/sbin/MailScanner /etc/MailS root 22258 0.5 2.0 22436 20612 ? S 15:45 0:41 /usr/bin/perl -I/ usr/lib/MailScanner /usr/sbin/MailScanner /etc/MailS root 22280 0.6 2.0 22740 20900 ? S 15:45 0:43 /usr/bin/perl -I/ usr/lib/MailScanner /usr/sbin/MailScanner /etc/MailS root 22292 0.5 2.0 23092 21236 ? S 15:45 0:37 /usr/bin/perl -I/ usr/lib/MailScanner /usr/sbin/MailScanner /etc/MailS root 23665 0.0 0.2 5972 2532 ? S 15:53 0:00 sendmail: server [61.173.41.30] child wait root 23928 0.0 0.2 6316 2628 ? S 15:54 0:00 sendmail: ./h68Js Wr23928 [61.173.41.30]: DATA root 25368 0.0 0.2 5968 2532 ? S 16:01 0:00 sendmail: server madison.punchstock.com [216.165.175.102] (may be for root 25372 0.0 0.2 6312 2628 ? S 16:01 0:00 sendmail: ./h68K1 qr25372 madison.punchstock.com [216.165.175.102] (ma root 814 0.0 0.2 5968 2532 ? S 16:52 0:00 sendmail: server mail10.hollywoodspecials.net [216.39.88.106] cmd rea root 7307 0.0 0.2 5032 2196 ? S 17:40 0:00 sendmail: ./h68Le er07297 xwing.aoltw.net.: user open root 7432 0.4 0.2 5968 2540 ? S 17:41 0:00 sendmail: server mail.directoptions.com [216.196.234.46] child wait root 7435 0.0 0.2 5584 2168 ? S 17:41 0:00 sendmail: startup with bay0-smtp07.bay0.hotmail.com root 7438 2.0 0.2 6312 2628 ? S 17:41 0:00 sendmail: ./h68Lf sr07438 mail.directoptions.com [216.196.234.46]: DAT root 7448 0.0 0.0 1740 596 pts/2 S Thanks for the input so far Matthew mikea cc: Sent by: Subject: Re: score=0/spamc errors MailScanner mailing list 07/08/2003 05:17 PM Please respond to MailScanner mailing list On Tue, Jul 08, 2003 at 04:56:55PM -0400, Matthew Bowman wrote: > Hi > > I have had a client call me today about a problem whereby an e-mail > doesn't get scored.. > > In the headers it says SCORE=0 but I cannot find any trace of this in the > maillog. 
> > However I do see the mail be routed as follows: > > Jul 8 12:42:21 smithers sendmail[21543]: h68GgK621543: > from=<1zbygm6VcbmPdijo463wtpZP7mIjEe@5948.bounce.e-i1.com>, size=1568, > class=0, nrcpts=1, > msgid=<1zbygdxMTSdGUZafvxunkgQGyd9a5V@1zbygQk9GFQ3HMNSikhaXTD3lQwNsI>, > proto=SMTP, daemon=MTA, relay=b7.e-i1.com [63.251.54.87] > Jul 8 12:42:21 smithers sendmail[21543]: h68GgK621543: > to=, delay=00:00:01, mailer=smtp, pri=31568, > stat=queued > Jul 8 12:42:22 smithers sendmail[21551]: h68GgK621543: > to=, delay=00:00:02, xdelay=00:00:00, mailer=smtp, > pri=121568, relay=grcmail1.gormanrupp.com. [63.173.204.4], dsn=2.0.0, > stat=Sent (Message accepted for delivery) > > No indication of Spam Checking... > > Maillog has also reported this > > Jul 8 16:54:53 smithers spamc[1410]: connect() to spamd at 127.0.0.1 > failed, retrying (1/3): Connection refused > Jul 8 16:54:54 smithers spamc[1410]: connect() to spamd at 127.0.0.1 > failed, retrying (2/3): Connection refused > Jul 8 16:54:55 smithers spamc[1410]: connect() to spamd at 127.0.0.1 > failed, retrying (3/3): Connection refused > Jul 8 16:54:56 smithers spamc[1410]: connection attempt to spamd aborted > after 3 retries > > Are these linked? or seperate issues? > > Problems started to happen after the upgrade to MS 4.22-4 and SA 2.55 > > Any help would be appreciated If you're running MailScanner, and MailScanner is running SpamAssassin directly, then I don't understand why spamc and/or spamd would be involved in any way at all. Would you mind explaining just how things are installed, and who does what, and with which, and to whom? Then we'll all have a somewhat better understanding of what's going on. Output from `ps awux | grep -i mail`, or its Linux equivalent, would be useful, too. 
-- Mike Andrews mikea@mikea.ath.cx Tired old sysadmin since 1964 From lists at STHOMAS.NET Tue Jul 8 22:50:59 2003 From: lists at STHOMAS.NET (Steve Thomas) Date: Thu Jan 12 21:18:53 2006 Subject: Quick AV question Message-ID: <20030708145059.B9279@sthomas.net> On Tue, Jul 08, 2003 at 04:32:20PM -0500, Mike Oliveri is rumored to have said: > > Has anyone out there used MailScanner with AMaViS, and/or can anyone think > of any reason I shouldn't be able to? Thanks! MailScanner and Amavis perform roughly the same function - both use external virus scanners to check incoming messages, but MS adds antispam capabilities. I used to use amavis, but replaced it with MS some time ago. Better software, antispam and there aren't sixteen zillion branches to try and decide between/keep uptodate. -- "Knowledge speaks, but wisdom listens." - Jimi Hendrix From mikew at CRUCIS.NET Tue Jul 8 22:45:50 2003 From: mikew at CRUCIS.NET (Mike Watson) Date: Thu Jan 12 21:18:53 2006 Subject: Heads up - serious vulnerability in 'unzip' In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB0A4ADBC@pascal.priv.bmrb.co.uk> References: <5C0296D26910694BB9A9BBFC577E7AB0A4ADBC@pascal.priv.bmrb.co.uk> Message-ID: <200307081645.53709.mikew@crucis.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Tuesday 08 July 2003 03:13 am, you wrote: > Theres a problem with unzip. Looks like it could be serious for > anyone running MailScanner as root where the virus scanner uses > external unzip (such as Clam). Patches are available. > > (from http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0282 ) > > Directory traversal vulnerability in UnZip 5.50 allows attackers to > overwrite arbitrary files via invalid characters between two . (dot) > characters, which are filtered and result in a ".." sequence. > > > > > > BMRB International > http://www.bmrb.co.uk > +44 (0)20 8566 5000 Snipped Red Hat has already released a fix for unzip for RH8 & 9. Earlier versions too I think. 
Mike W
- --
Registered Linux - 256979 NRA Life ARS: W0TMW
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQE/CzuR5fq6h2uDDlQRAgsDAJ4scKkrGmWGrEbFC1TIbTVa5qq6LwCgoRhO
GxWmORq0if5GEe/XsTqe8/Q=
=KMyp
-----END PGP SIGNATURE-----

From richard_cipher at YAHOO.COM Tue Jul 8 23:02:56 2003
From: richard_cipher at YAHOO.COM (Evert Ford)
Date: Thu Jan 12 21:18:53 2006
Subject: Quick AV question
In-Reply-To: <5.2.0.9.0.20030708162609.00a7b4e0@mail211.pair.com>
Message-ID:

Yes. Amavis is actually, at least to my understanding, an e-mail scanner
that calls an anti-virus piece of software, such as Kaspersky, or F-prot, or
Sophos. It can also be used to scan e-mails for spam. Sounds just like
MailScanner! In fact, it fulfills the same role as MailScanner in the
marketplace, only it is much tougher to install and set up and have working.
MailScanner is more stable and robust. Once I switched from Amavis to
MailScanner, I've had very few problems.

Evert
Computer Guy
Westone Laboratories.

---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.483 / Virus Database: 279 - Release Date: 5/19/03

From moliveri at UTI.COM Tue Jul 8 23:05:00 2003
From: moliveri at UTI.COM (Mike Oliveri)
Date: Thu Jan 12 21:18:53 2006
Subject: Quick AV question
In-Reply-To: <20030708145059.B9279@sthomas.net>
Message-ID: <5.2.0.9.0.20030708170416.00a7b4e0@pop3.uti.com>

Ah, wasn't aware of that. This is the first I've run into AMaViS. Guess
I'll dig a little further and see what amavis is really doing... Thanks!

Take care,
Mike

At 02:50 PM 7/8/2003 -0700, you wrote:
>On Tue, Jul 08, 2003 at 04:32:20PM -0500, Mike Oliveri is rumored to have
>said:
> >
> > Has anyone out there used MailScanner with AMaViS, and/or can anyone think
> > of any reason I shouldn't be able to? Thanks!
> >MailScanner and Amavis perform roughly the same function - both use >external virus scanners to check incoming messages, but MS adds antispam >capabilities. I used to use amavis, but replaced it with MS some time ago. >Better software, antispam and there aren't sixteen zillion branches to try >and decide between/keep uptodate. > >-- >"Knowledge speaks, but wisdom listens." >- Jimi Hendrix From esandquist at IHMS.NET Tue Jul 8 23:38:34 2003 From: esandquist at IHMS.NET (Eric Sandquist) Date: Thu Jan 12 21:18:53 2006 Subject: Service in Tarbal?? In-Reply-To: <3EF9E978.12665.15063A9@localhost> Message-ID: I have an installation of MailScanner on a Mandrake 8.2 server. I have installed from a tarbal and not the rpm. I am using postfix 2.0.10, clamav, and spamassassin. All is working well right now... However, I recently made changes to the filename.rules.conf to stop the SoBig.E virus and now need to restart the service. The problem is what files need to be installed to run MailScanner as a server? There is no obvious instructions for building the file /etc/rc.d/init.d/MailScanner or /etc/sysconfig/MailScanner... I know that these are part of the RPM, but how do I construct them otherwise? Eric From raymond at PROLOCATION.NET Tue Jul 8 23:48:24 2003 From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:18:53 2006 Subject: Service in Tarbal?? In-Reply-To: Message-ID: Hi! > The problem is what files need to be installed to run MailScanner as a > server? There is no obvious instructions for building the file > /etc/rc.d/init.d/MailScanner or /etc/sysconfig/MailScanner... > > I know that these are part of the RPM, but how do I construct them > otherwise? Just grab them from within the RPM, thats really the easiest way to get them. Or you really want to invent the wheel twice ? Bye, Raymond. From kevins at BMRB.CO.UK Wed Jul 9 00:05:59 2003 From: kevins at BMRB.CO.UK (Kevin Spicer) Date: Thu Jan 12 21:18:53 2006 Subject: Service in Tarbal?? 
In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB001175D47@pascal.priv.bmrb.co.uk> References: <5C0296D26910694BB9A9BBFC577E7AB001175D47@pascal.priv.bmrb.co.uk> Message-ID: <1057705560.23990.28.camel@bach.kevinspicer.co.uk> >On Tue, 2003-07-08 at 23:38, Eric Sandquist wrote: >I have an installation of MailScanner on a Mandrake 8.2 server. I have >installed from a tarbal and not the rpm. I also use MailScanner on Mandrake - you might like to know (for the future) that the rpm install works just fine, but you have to run it with the nodeps flag (i.e. ./install.sh nodeps ). All the dependencies are part of the default perl install anyway or installed by the MailScanner install script. BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. From mark at TIPPINGMAR.COM Wed Jul 9 01:38:59 2003 From: mark at TIPPINGMAR.COM (Mark Nienberg) Date: Thu Jan 12 21:18:53 2006 Subject: Sophos Antivirus... In-Reply-To: <08146035CA49D6119A36009027AC822A0264E496@CITY-EXCH-NTS> Message-ID: <3F0B01B3.5892.4ECC605B@localhost> On 8 Jul 2003 at 10:01, Kevin Miller wrote: > It seems that they put out a new "version" monthly, or as needed. The > MailScanner script (or at least the instructions on the MS web page for a > tarball install) indicate that a daily cron job can be used to update the > critter. I have the impression though, that I'd still have to do a monthly > install of the new IDE files. Is that correct? 
Can it be set up so that it > takes care of itself for the duration of the license (i.e., a year or more)? > In the event of an outbreak I don't mind doing a manual pull, but I don't > want to make it a habit every month. > The monthly (or at least once every 3 months) update is the engine, not the IDE files. But Julian's installation script downloads fresh IDEs after it installs the engine. A shell script to automate the monthly update is available here: http://www.sng.ecs.soton.ac.uk/mailscanner/downloads.shtml or here: http://www.tippingmar.com/majorsophos/ -- Mark W. Nienberg, SE Tipping Mar + associates 1906 Shattuck Ave, Berkeley, CA 94704 visit our website at http://www.tippingmar.com From shawn at ADVANCEDMANAGED.COM Wed Jul 9 02:14:08 2003 From: shawn at ADVANCEDMANAGED.COM (shawn) Date: Thu Jan 12 21:18:53 2006 Subject: locks fcntl flocks Message-ID: <01d701c345b7$65f01370$3cced7c0@pong> I installed a new MailScanner(4.22-5) server Friday with SA (2.55), DCC and Razor. Antivirus is being handled by f-prot and rav. Everything seems to be working fine under a light load -about 100 emails have gone thru since friday. I decided to stress test by sending 200 emails thru as fast as possible ? took 1 ? minutes for server to receive them. I checked logs and found lots of these errors. Sendmail is version 8.11.6 on RH 7.1. 
lots of these Jul 7 02:12:39 testsystem MailScanner[22304]: Failed to lock + References: Message-ID:

If you use "FEATURE(`blacklist_recipients')" in your "sendmail.mc" macro
configuration then you can add entries to the access.db map for local users,
hosts in your domains, or addresses in your domain which should not receive
mail:

badlocaluser                   550 Mailbox disabled for this username
host.mydomain.com              550 That host does not accept mail
user@otherhost.mydomain.com    550 Mailbox disabled for this recipient

This would prevent a recipient of badlocaluser@mydomain.com, any user at
host.mydomain.com, and the single address user@otherhost.mydomain.com from
receiving mail.

Hope that helps!

--Tim

---
Timothy M. Lyons, CISSP
lyons at digitalvoodoo.org

--
This message has been scanned for viruses and dangerous content and is
believed to be clean.
--

From mike at CAMAROSS.NET Wed Jul 9 03:21:28 2003
From: mike at CAMAROSS.NET (Mike Kercher)
Date: Thu Jan 12 21:18:53 2006
Subject: How to disable a mail to a user before scanning
In-Reply-To:
Message-ID: <001201c345c0$ce2cb660$9c01a8c0@home.middlefinger.net>

I'll bet if you make your machine accept mail for the FQDN, add the
virtusertable entry to /dev/null and use a ruleset to exclude scanning of
mail to the specified account, you will be happy with the results. The mail
would be accepted by sendmail, MailScanner would bypass scanning (based on
the ruleset) and the LDA would write the email to /dev/null...never to be
seen again.

Mike

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of S Mohan
Sent: Wednesday, July 09, 2003 8:45 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: How to disable a mail to a user before scanning

I thought this happens at delivery and not receipt end - virtusertable
lookup. Am I wrong? If so, the mail will be scanned and then the local
delivery agent would bounce it.
Mohan -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Mike Kercher Sent: Tuesday, July 08, 2003 10:40 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: How to disable a mail to a user before scanning Why not add an entry to /etc/mail/virtusertable and /dev/null it? Mike -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Harish Amin Sent: Tuesday, July 08, 2003 12:11 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: How to disable a mail to a user before scanning I receive about 50 messages to a unknown user on my SMTP server and I as a postmaster receive all the messages back I tried the rules # more spam.actions.rules To: webmaster@www.dpi.state.wi.us delete # more spam.blacklist.rules #To: /^$/ yes To: webmaster@www.dpi.state.wi.us yes But I still keep getting it The original message was received at Tue, 8 Jul 2003 12:08:05 -0500 (CDT) from doagw01.doa.state.wi.us [165.189.88.161] ----- The following addresses had permanent fatal errors ----- <'webmaster@www.dpi.state.wi.us> (reason: 553 5.3.5 system config error) ----- Transcript of session follows ----- 553 5.3.5 www.dpi.state.wi.us. config error: mail loops back to me (MX problem?) 554 5.3.5 Local configuration error AM I doing something wrong here... I am running MailScanner E-Mail Virus Scanner version 4.22-4 on SUn Solaris running sendmail Any Help will be appreciated From paul at CS.UKY.EDU Wed Jul 9 03:39:25 2003 From: paul at CS.UKY.EDU (Paul Linton) Date: Thu Jan 12 21:18:53 2006 Subject: MailScanner not removing virus even though it was found? Message-ID: <20030709023925.GA12072@bud.cs.uky.edu> I have a brand new install of MailScanner/Spamassassin/McAfee. Most seems to be working fine, with the exception of virus removal. MailScanner calls McAfee and sees the virus, but then happily sends the message on, virus and all, no warning to the recipient, etc. Did I miss something in the .conf file? 
Here is a snippet of syslog: Jul 8 22:32:50 xxx MailScanner[22175]: New Batch: Scanning 1 messages, 113172 bytes Jul 8 22:32:51 xxx MailScanner[22175]: Virus and Content Scanning: Starting Jul 8 22:32:52 xxx MailScanner[22175]: McAfee said "/xxx/incoming/22175/h692WlJP022178/your_details.zi" Jul 8 22:32:52 xxx MailScanner[22175]: McAfee said " Found the W32/Sobig.e@MM virus !!!" Jul 8 22:32:52 xxx MailScanner[22175]: /xxx/22175/h692WlJP022178/your_details.zi Found the W32/Sobig.e@MM virus !!! Jul 8 22:32:52 xxx MailScanner[22175]: Virus Scanning: McAfee found 1 infections Jul 8 22:32:52 xxx MailScanner[22175]: Virus Scanning: Found 1 viruses Jul 8 22:32:52 xxx MailScanner[22175]: Uninfected: Delivered 1 messages Thanks for any pointers. - Paul -- Paul Linton Systems Programmer paul@cs.uky.edu UofK Department of Computer Science (859) 257-3962 From esandquist at IHMS.NET Wed Jul 9 05:00:30 2003 From: esandquist at IHMS.NET (Eric Sandquist) Date: Thu Jan 12 21:18:53 2006 Subject: Service in Tarbal?? In-Reply-To: <1057705560.23990.28.camel@bach.kevinspicer.co.uk> Message-ID: Any idea what the effect will be of installing the RPM over the top of the tarbal? It is currently residing at /opt/MailScanner... I have the latest and greatest RPM and would love to ruin, I mean run it... :) Eric -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Kevin Spicer Sent: Tuesday, July 08, 2003 6:06 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Service in Tarbal?? >On Tue, 2003-07-08 at 23:38, Eric Sandquist wrote: >I have an installation of MailScanner on a Mandrake 8.2 server. I have >installed from a tarbal and not the rpm. I also use MailScanner on Mandrake - you might like to know (for the future) that the rpm install works just fine, but you have to run it with the nodeps flag (i.e. ./install.sh nodeps ). All the dependencies are part of the default perl install anyway or installed by the MailScanner install script. 
BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000

From raymond at PROLOCATION.NET Wed Jul 9 07:38:59 2003
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:18:53 2006
Subject: MailScanner not removing virus even though it was found?
In-Reply-To: <20030709023925.GA12072@bud.cs.uky.edu>
Message-ID:

Hi!

> seems to be working fine, with the exception of virus removal. MailScanner
> calls McAfee and sees the virus, but then happily sends the message on, virus
> and all, no warning to the recipient, etc. Did I miss something in the .conf
> file?
>
> Here is a snippet of syslog:
> Jul 8 22:32:50 xxx MailScanner[22175]: New Batch: Scanning 1 messages, 113172 bytes
> Jul 8 22:32:51 xxx MailScanner[22175]: Virus and Content Scanning: Starting
> Jul 8 22:32:52 xxx MailScanner[22175]: McAfee said "/xxx/incoming/22175/h692WlJP022178/your_details.zi"
> Jul 8 22:32:52 xxx MailScanner[22175]: McAfee said " Found the W32/Sobig.e@MM virus !!!"
> Jul 8 22:32:52 xxx MailScanner[22175]: /xxx/22175/h692WlJP022178/your_details.zi Found the W32/Sobig.e@MM virus !!!
> Jul 8 22:32:52 xxx MailScanner[22175]: Virus Scanning: McAfee found 1 infections

It might be interesting to see your virus settings.

Deliver Disinfected Files = ?
Silent Viruses = ?
Still Deliver Silent Viruses = ?

etc. etc.

Bye,
Raymond.
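The syslog excerpt in this thread shows one batch in which a virus was found and the whole batch was still logged as delivered uninfected. The following Python check is an added example, not part of the original posts and not MailScanner's own code; it flags such batches in a maillog. It assumes that the "New Batch", "Found N viruses" and "Uninfected: Delivered" lines of one worker PID describe the same batch, and the batches for PIDs 22180 and 22190 in the sample are constructed.

```python
import re
from collections import namedtuple

# First batch (PID 22175): lines as posted in the thread (host masked as "xxx").
# Batches for PIDs 22180 and 22190 are constructed to show healthy cases.
SAMPLE_LOG = """\
Jul 8 22:32:50 xxx MailScanner[22175]: New Batch: Scanning 1 messages, 113172 bytes
Jul 8 22:32:51 xxx MailScanner[22175]: Virus and Content Scanning: Starting
Jul 8 22:32:52 xxx MailScanner[22175]: McAfee said " Found the W32/Sobig.e@MM virus !!!"
Jul 8 22:32:52 xxx MailScanner[22175]: Virus Scanning: McAfee found 1 infections
Jul 8 22:32:52 xxx MailScanner[22175]: Virus Scanning: Found 1 viruses
Jul 8 22:32:52 xxx MailScanner[22175]: Uninfected: Delivered 1 messages
Jul 8 22:40:01 xxx MailScanner[22180]: New Batch: Scanning 3 messages, 40211 bytes
Jul 8 22:40:01 xxx MailScanner[22190]: New Batch: Scanning 2 messages, 9120 bytes
Jul 8 22:40:03 xxx MailScanner[22180]: Virus Scanning: Found 1 viruses
Jul 8 22:40:03 xxx MailScanner[22190]: Uninfected: Delivered 2 messages
Jul 8 22:40:04 xxx MailScanner[22180]: Uninfected: Delivered 2 messages
"""

# Syslog prefix: timestamp, host, MailScanner[pid]: message
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]+)\s+\S+\s+MailScanner\[(?P<pid>\d+)\]:\s+(?P<msg>.*)$"
)
BATCH_RE = re.compile(r"^New Batch: Scanning (\d+) messages")
FOUND_RE = re.compile(r"^Virus Scanning: Found (\d+) viruses")
CLEAN_RE = re.compile(r"^Uninfected: Delivered (\d+) messages")

Finding = namedtuple("Finding", "pid timestamp batch_size viruses delivered_clean")


def find_infected_deliveries(lines):
    """Return batches where viruses were found but every message was still
    delivered as uninfected.

    "Found N viruses" counts viruses, not messages, so N > 0 only proves that
    at least one message in the batch was infected. The batch is therefore
    flagged only when the uninfected deliveries account for the whole batch.
    """
    batches = {}   # per-worker state, keyed by PID (workers log interleaved)
    findings = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        pid, msg = m.group("pid"), m.group("msg")

        started = BATCH_RE.match(msg)
        if started:
            batches[pid] = {"size": int(started.group(1)), "viruses": 0,
                            "clean": 0, "flagged": False}
            continue

        batch = batches.get(pid)
        if batch is None:
            # Batch began before the start of this log: size unknown, skip.
            continue

        found = FOUND_RE.match(msg)
        if found:
            batch["viruses"] = int(found.group(1))
            continue

        clean = CLEAN_RE.match(msg)
        if clean:
            batch["clean"] += int(clean.group(1))
            if (batch["viruses"] > 0 and batch["clean"] >= batch["size"]
                    and not batch["flagged"]):
                batch["flagged"] = True
                findings.append(Finding(pid, m.group("ts"), batch["size"],
                                        batch["viruses"], batch["clean"]))
    return findings


if __name__ == "__main__":
    for f in find_infected_deliveries(SAMPLE_LOG.splitlines()):
        print("PID %s at %s: %d virus(es) found, but %d of %d messages "
              "delivered as uninfected" % (f.pid, f.timestamp, f.viruses,
                                           f.delivered_clean, f.batch_size))
```

A hit means the scanner detected something and the delivery accounting does not reflect it, which is the point at which to review the virus-handling settings asked about above.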
From Kevin.Spicer at BMRB.CO.UK Wed Jul 9 08:37:21 2003
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin)
Date: Thu Jan 12 21:18:53 2006
Subject: How to disable a mail to a user before scanning
Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0EBF700@pascal.priv.bmrb.co.uk>

S Mohan wrote:
> I thought this happens at delivery and not receipt end - virtusertable
> lookup. Am I wrong? If so, the mail will be scanned and then the local
> delivery agent would bounce it.

I handle cases like these by adding them to the access database...

To:user@domain.com REJECT

They never get as far as MailScanner then.

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000

From mailscanner at BARENDSE.TO Wed Jul 9 09:13:51 2003
From: mailscanner at BARENDSE.TO (Remco Barendse)
Date: Thu Jan 12 21:18:53 2006
Subject: DSN: Return receipt ??
In-Reply-To: <20030702153804.GA15524@internetx.de>
Message-ID:

I have something which I can't quite figure out:

I use the following to kill all the read/not read messages with sendmail
through the following lines in sendmail.mc:

LOCAL_RULESETS
F{SSJunk} /etc/mail/ssjunk.txt
F{DiscardSubs} /etc/mail/discardsubs.txt
HSubject: $>Check_Subject
SCheck_Subject
R$* $={SSJunk} $*	$#error $: NMJUNKSUB
R$* NMJUNKSUB $*	$#error $: "553 Rejected"
R$* $={DiscardSubs} $*	$#discard

This is what's in discardsubs.txt

read:
not.read:
gelezen:
niet.gelezen:
leído:
no.leído:

Still some read/not read messages are getting through.
When I look at the copies in normal view in pine the subject line is this: Subject: Read: FW: Entrega de which should comply with the sendmail rule to get discarded (but isn't). I suspect this maybe because of M$ Exchange doing something funny with the read receipt messages (they are generated by Exchange, not Outlook according to the signature of the message). When doing full header view the subject looks like this: Subject: =?iso-8859-1?Q?Read=3A_FW=3A_Entrega_de If the funny subject is indeed the problem is there any way to filter these weird messages out too?? The option in the message below (goaway) doesn't do anything in my case, I think sendmail will refuse to send out DSN messages but all the users are connected to an Exchange server and the behaviour of Exchange is not affected by this option (apparently the mails themselves aren't cleaned of any DSN parts either). Any help greatly appreciated! Remco On Wed, 2 Jul 2003, Sebastian Wiesinger wrote: > * Remco Barendse [2003-07-02 16:15]: > > In the maillog I noticed a remark about a DSN: Return receipt. > > > > What does the line from maillog mean? Any return receipt did not appear in > > the mailbox for archived outgoing mail. > > If a user adds a "Return-Receipt-To: " header to his/her > mail, sendmail will deliver an receipt upon successful delivery of the > mail. You can deactivate this feature with the following option in > your sendmail.mc: > > define(`confPRIVACY_FLAGS', `noreceipts')dnl > > >From the sendmail operation guide: > #v+ > public Allow open access > needmailhelo Insist on HELO or EHLO command before MAIL > needexpnhelo Insist on HELO or EHLO command before EXPN > noexpn Disallow EXPN entirely, implies noverb. 
> needvrfyhelo Insist on HELO or EHLO command before VRFY > novrfy Disallow VRFY entirely > noetrn Disallow ETRN entirely > noverb Disallow VERB entirely > restrictmailq Restrict mailq command > restrictqrun Restrict -q command line flag > restrictexpand Restrict -bv and -v command line flags > noreceipts Don't return success DSNs20 > nobodyreturn Don't return the body of a message with DSNs > goaway Disallow essentially all SMTP status queries > authwarnings Put X-Authentication-Warning: headers in messages > and log warnings > #v- > > I prefer the following line: > > define(`confPRIVACY_FLAGS', `goaway,noreceipts,restrictqrun,restrictexpand')dnl > > > I use sendmail rules to discard read receipt messages but in this case > > there is nothing in the maillog that this message or reply was discarded. > > I don't know what rules you use for discarding, but the configuration > option above is the right way to deactivate the DSN2.x.x messages. > > For more info about the privacy options, see the sendmail installation > and operation guide (op/op.txt.gz). > > -- > InterNetX GmbH > Sebastian Wiesinger > System Administration > > eMail: sw@internetx.de > From P.G.M.Peters at utwente.nl Wed Jul 9 09:18:37 2003 From: P.G.M.Peters at utwente.nl (Peter Peters) Date: Thu Jan 12 21:18:53 2006 Subject: F-prot auto updates ... In-Reply-To: References: Message-ID: <7ijngvslb1f6h7m80bvun904v3dqsso1cf@4ax.com> On Tue, 8 Jul 2003 20:23:37 +0200, you wrote: >> Yes its slow from here too (Mansfield, Ohio) > >> Other people experiencing the same ? > >Ok, thanks. Then i know its not just me :) > >Other people might want to disable the auto update script also, since >during the update mail will crop up and a update took 40 minutes here when >i let it complete. Gives a nice backlog on processing :) I only noticed a backlog yesterday 20:00 (GMT +2). Checking my log I can't see anything strange at that time. 
I do see an entry "Jul 7 19:02:13 netlx014 F-Prot autoupdate[7265]: F-Prot successfully updated." So it took just over 2 minutes to update my systems. Going back in my logs I noticed it normally takes 10 to 15 seconds to update F-Prot. But I don't think 2 minutes is that much of a problem when I update F-Prot. -- Peter Peters, senior netwerkbeheerder Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE) Universiteit Twente, Postbus 217, 7500 AE Enschede telefoon: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/civ From Declan.Grady at NUVOTEM.COM Wed Jul 9 10:33:51 2003 From: Declan.Grady at NUVOTEM.COM (Declan Grady) Date: Thu Jan 12 21:18:53 2006 Subject: [OT] Bounced rejection notices Message-ID: <1057743230.1192.10.camel@declan> Hi, Most, if not all, of the "UCE Rejected" notices that mailscanner sends out in response to incoming spam mails are bounced, as undeliverable. Is there an easy way around this, or is it generally safe to delete the spam (or even high-scoring spam) instead of rejecting it ? My only concern is that if I dont reject it to the sender, then ther is a chance that a false-positive will fall into a blackhole. My mail volume is quite small, so its more of an annoyance than a problem really. Any suggestions ? Thanks, Declan From AndreaC at GOTECH.IT Wed Jul 9 11:08:53 2003 From: AndreaC at GOTECH.IT (Andrea Cogliati) Date: Thu Jan 12 21:18:53 2006 Subject: MS Performance Message-ID: <463F0AFA3E2CEA4E807EC569C019E739140BBD@atlantis.gtub.corp> Guys, we did several stress tests on our MS gateway and these are the results. System description: Single Intel Pentium 4 1.8 GHz 128 MB RAM 40 GB single IDE disk MS 4.22-5 SpamAssassin 2.55 AV: McAfee and ClamAV With this system we are able to process about 100 messages/minute. We had to lower the number of MS children processes to 3, as with the default of 5 we got a lot of swapping (each MS process uses about 20MB of memory) and performance severely degraded. 
Increasing the number of messages per process to 75 also improved the overall performance a little bit. Does this make any sense? Can I improve the performances tuning the system configuration? TIA, Andrea From maxsec at TOTALISE.CO.UK Wed Jul 9 11:28:17 2003 From: maxsec at TOTALISE.CO.UK (Martin Hepworth) Date: Thu Jan 12 21:18:53 2006 Subject: MS Performance In-Reply-To: <463F0AFA3E2CEA4E807EC569C019E739140BBD@atlantis.gtub.corp> References: <463F0AFA3E2CEA4E807EC569C019E739140BBD@atlantis.gtub.corp> Message-ID: <3F0BEE41.3010301@totalise.co.uk> Andrea RAM, add more RAM. 128MB is kinda low, esp a you can get 512MB ram for < 50 UK pounds (~75 Euro I guess) -- Martin Andrea Cogliati wrote: > Guys, > > we did several stress tests on our MS gateway and these are the results. > > System description: > > Single Intel Pentium 4 1.8 GHz > 128 MB RAM > 40 GB single IDE disk > MS 4.22-5 > SpamAssassin 2.55 > AV: McAfee and ClamAV > > With this system we are able to process about 100 messages/minute. > > We had to lower the number of MS children processes to 3, as with the > default > of 5 we got a lot of swapping (each MS process uses about 20MB of > memory) and > performance severely degraded. Increasing the number of messages per > process > to 75 also improved the overall performance a little bit. > > Does this make any sense? Can I improve the performances tuning the > system > configuration? > > TIA, > > Andrea From raymond at PROLOCATION.NET Wed Jul 9 12:38:19 2003 From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:18:53 2006 Subject: F-prot auto updates ... In-Reply-To: <7ijngvslb1f6h7m80bvun904v3dqsso1cf@4ax.com> Message-ID: Hi! > >Ok, thanks. Then i know its not just me :) > I only noticed a backlog yesterday 20:00 (GMT +2). > > Checking my log I can't see anything strange at that time. I do see an > entry "Jul 7 19:02:13 netlx014 F-Prot autoupdate[7265]: F-Prot > successfully updated." So it took just over 2 minutes to update my > systems. 
> > Going back in my logs I noticed it normally takes 10 to 15 seconds to > update F-Prot. But I don't think 2 minutes is that much of a problem > when I update F-Prot. A little later this was fixed. Most likely due to network or system problems @f-prot. It was also depending on what machine in their load balanced cluster you were ending. So i guess one or two boxes that would not do the right things :) All seems fixed now indeed btw. Bye, Raymond. From mbowman at UDCOM.COM Wed Jul 9 13:17:36 2003 From: mbowman at UDCOM.COM (Matthew Bowman) Date: Thu Jan 12 21:18:53 2006 Subject: score=0/spamc errors -- continued Message-ID: If a domain was in the auto whitlelist, would the score be set to 0 ? Is there any tool that can be used to view the autowhitelist.db file to check for domains and addresses? Thanks Matthew ----- Forwarded by Matthew K Bowman/udc on 07/09/2003 08:18 AM ----- Matthew Bowman Sent by: MailScanner mailing list 07/08/2003 05:42 PM Please respond to MailScanner mailing list To: MAILSCANNER@JISCMAIL.AC.UK cc: Subject: Re: score=0/spamc errors Hi Redhat 7.3 running on a Dell Poweredge with Dual 1Ghz Processors and 1GB of Ram sendmail 8.11.6 - fully patched I upgraded from MailScanner 4-13.3 to 4.22.4 and all I did was update the .conf and .rule files to what I previously had. I downloaded SA 2.55 and compiled from source. I am seeing e-mail getting scored with SpamAssassin but occassionally it doesn't even check for e-mail to a domain for spam. An example of the problem I've been looking at An email is sent from 1zbygm6VcbmPdijo463wtpZP7mIjEe@5948.bounce.e-i1.com to gary1@gormanrupp.com MX 5 for gormanrupp.com points to 63.173.207.13 (smithers) the e-mail is checked by mailscanner and via mailertable is forwarded onto the client's Lotus mail server In the 'document properties' under X-MailScanner-SpamCheck it says SCORE=0, REQUIRED=4 Naturally I am baffled by this problem. 
The MX 10 server which we provide does not have MS or SA installed so I'm ruling that out. Output from ps command root 24497 0.0 0.3 7264 3596 ? S May18 4:59 /usr/bin/perl /us r/bin/mrtg /etc/mrtg/mailscanner-mrtg.cfg root 22189 0.0 0.2 5568 2072 ? S 15:45 0:02 sendmail: accepti ng connections root 22194 0.0 0.1 4696 1760 ? S 15:45 0:00 /usr/sbin/sendmai l -q15m root 22212 0.0 0.8 10200 8780 ? S 15:45 0:00 /usr/bin/perl -I/ usr/lib/MailScanner /usr/sbin/MailScanner /etc/MailS root 22213 0.5 2.0 22524 20692 ? S 15:45 0:40 /usr/bin/perl -I/ usr/lib/MailScanner /usr/sbin/MailScanner /etc/MailS root 22232 0.6 2.0 23108 21272 ? S 15:45 0:43 /usr/bin/perl -I/ usr/lib/MailScanner /usr/sbin/MailScanner /etc/MailS root 22258 0.5 2.0 22436 20612 ? S 15:45 0:41 /usr/bin/perl -I/ usr/lib/MailScanner /usr/sbin/MailScanner /etc/MailS root 22280 0.6 2.0 22740 20900 ? S 15:45 0:43 /usr/bin/perl -I/ usr/lib/MailScanner /usr/sbin/MailScanner /etc/MailS root 22292 0.5 2.0 23092 21236 ? S 15:45 0:37 /usr/bin/perl -I/ usr/lib/MailScanner /usr/sbin/MailScanner /etc/MailS root 23665 0.0 0.2 5972 2532 ? S 15:53 0:00 sendmail: server [61.173.41.30] child wait root 23928 0.0 0.2 6316 2628 ? S 15:54 0:00 sendmail: ./h68Js Wr23928 [61.173.41.30]: DATA root 25368 0.0 0.2 5968 2532 ? S 16:01 0:00 sendmail: server madison.punchstock.com [216.165.175.102] (may be for root 25372 0.0 0.2 6312 2628 ? S 16:01 0:00 sendmail: ./h68K1 qr25372 madison.punchstock.com [216.165.175.102] (ma root 814 0.0 0.2 5968 2532 ? S 16:52 0:00 sendmail: server mail10.hollywoodspecials.net [216.39.88.106] cmd rea root 7307 0.0 0.2 5032 2196 ? S 17:40 0:00 sendmail: ./h68Le er07297 xwing.aoltw.net.: user open root 7432 0.4 0.2 5968 2540 ? S 17:41 0:00 sendmail: server mail.directoptions.com [216.196.234.46] child wait root 7435 0.0 0.2 5584 2168 ? S 17:41 0:00 sendmail: startup with bay0-smtp07.bay0.hotmail.com root 7438 2.0 0.2 6312 2628 ? 
S 17:41 0:00 sendmail: ./h68Lf sr07438 mail.directoptions.com [216.196.234.46]: DAT root 7448 0.0 0.0 1740 596 pts/2 S Thanks for the input so far Matthew mikea cc: Sent by: Subject: Re: score=0/spamc errors MailScanner mailing list 07/08/2003 05:17 PM Please respond to MailScanner mailing list On Tue, Jul 08, 2003 at 04:56:55PM -0400, Matthew Bowman wrote: > Hi > > I have had a client call me today about a problem whereby an e-mail > doesn't get scored.. > > In the headers it says SCORE=0 but I cannot find any trace of this in the > maillog. > > However I do see the mail be routed as follows: > > Jul 8 12:42:21 smithers sendmail[21543]: h68GgK621543: > from=<1zbygm6VcbmPdijo463wtpZP7mIjEe@5948.bounce.e-i1.com>, size=1568, > class=0, nrcpts=1, > msgid=<1zbygdxMTSdGUZafvxunkgQGyd9a5V@1zbygQk9GFQ3HMNSikhaXTD3lQwNsI>, > proto=SMTP, daemon=MTA, relay=b7.e-i1.com [63.251.54.87] > Jul 8 12:42:21 smithers sendmail[21543]: h68GgK621543: > to=, delay=00:00:01, mailer=smtp, pri=31568, > stat=queued > Jul 8 12:42:22 smithers sendmail[21551]: h68GgK621543: > to=, delay=00:00:02, xdelay=00:00:00, mailer=smtp, > pri=121568, relay=grcmail1.gormanrupp.com. [63.173.204.4], dsn=2.0.0, > stat=Sent (Message accepted for delivery) > > No indication of Spam Checking... > > Maillog has also reported this > > Jul 8 16:54:53 smithers spamc[1410]: connect() to spamd at 127.0.0.1 > failed, retrying (1/3): Connection refused > Jul 8 16:54:54 smithers spamc[1410]: connect() to spamd at 127.0.0.1 > failed, retrying (2/3): Connection refused > Jul 8 16:54:55 smithers spamc[1410]: connect() to spamd at 127.0.0.1 > failed, retrying (3/3): Connection refused > Jul 8 16:54:56 smithers spamc[1410]: connection attempt to spamd aborted > after 3 retries > > Are these linked? or seperate issues? 
> > Problems started to happen after the upgrade to MS 4.22-4 and SA 2.55 > > Any help would be appreciated If you're running MailScanner, and MailScanner is running SpamAssassin directly, then I don't understand why spamc and/or spamd would be involved in any way at all. Would you mind explaining just how things are installed, and who does what, and with which, and to whom? Then we'll all have a somewhat better understanding of what's going on. Output from `ps awux | grep -i mail`, or its Linux equivalent, would be useful, too. -- Mike Andrews mikea@mikea.ath.cx Tired old sysadmin since 1964 From andersan at LTKALMAR.SE Wed Jul 9 13:29:50 2003 From: andersan at LTKALMAR.SE (Anders Andersson, IT) Date: Thu Jan 12 21:18:53 2006 Subject: Spam being converted to attachment Message-ID: <9F18B7DDBA88E544AB1F1995148916661CE653@lkl63.ltkalmar.se> Hi All spams are being converted to attachment even if setting in MailScanner.conf is Spam Actions = striphtml deliver High Scoring Spam Actions = striphtml deliver Non Spam Actions = deliver I cant figure this one out, its not a big deal now, but I think the users will be confused when they get back after vacation.... what can I have missed? /Anders From dean.plant at ROKE.CO.UK Wed Jul 9 13:32:43 2003 From: dean.plant at ROKE.CO.UK (Plant, Dean) Date: Thu Jan 12 21:18:53 2006 Subject: F-prot auto updates ... Message-ID: Raymond Dijkxhoorn wrote: > Hi! > >>> Ok, thanks. Then i know its not just me :) > >> I only noticed a backlog yesterday 20:00 (GMT +2). >> >> Checking my log I can't see anything strange at that time. I do see >> an entry "Jul 7 19:02:13 netlx014 F-Prot autoupdate[7265]: F-Prot >> successfully updated." So it took just over 2 minutes to update my >> systems. >> >> Going back in my logs I noticed it normally takes 10 to 15 seconds to >> update F-Prot. But I don't think 2 minutes is that much of a problem >> when I update F-Prot. > > A little later this was fixed. 
Most likely due to network or system > problems @f-prot. It was also depending on what machine in their load > balanced cluster you were ending. So i guess one or two boxes that > would not do the right things :) > > All seems fixed now indeed btw. > > Bye, > Raymond. Should there not be an timeout built into the update process to ensure this does not happen? Dean Plant -- Registered Office: Roke Manor Research Ltd, Siemens House, Oldbury, Bracknell, Berkshire. RG12 8FZ The information contained in this e-mail and any attachments is confidential to Roke Manor Research Ltd and must not be passed to any third party without permission. This communication is for information only and shall not create or change any contractual relationship. From paul at CS.UKY.EDU Wed Jul 9 14:05:03 2003 From: paul at CS.UKY.EDU (Paul Linton) Date: Thu Jan 12 21:18:53 2006 Subject: MailScanner not removing virus even though it was found? In-Reply-To: References: <20030709023925.GA12072@bud.cs.uky.edu> Message-ID: <20030709130503.GA20280@bud.cs.uky.edu> On Wed, Jul 09, 2003 at 08:38:59AM +0200, Raymond Dijkxhoorn wrote: > > seems to be working fine, with the exception of virus removal. MailScanner > > calls McAfee and sees the virus, but then happily sends the message on, virus > > and all, no warning to the recipient, etc. Did I miss something in the .conf > It might be interesting to see your virus settings. > > Deliver Disinfected Files = ? > Silent Viruses = ? > Still Deliver Silent Viruses = ? 
Here is some of the configurations, if this helps: % grep -v "^#" MailScanner.conf | egrep "Virus|Deliver" Deliver Unparsable TNEF = no Virus Scanning = yes Virus Scanners = mcafee Virus Scanner Timeout = 300 Deliver Disinfected Files = yes Silent Viruses = HTML-IFrame Klez Yaha-E Bugbear Braid-A WinEvar Palyh Sobig Fizzer Still Deliver Silent Viruses = yes Deleted Virus Message Report = %report-dir%/deleted.virus.message.txt Stored Virus Message Report = %report-dir%/stored.virus.message.txt Sender Virus Report = %report-dir%/sender.virus.report.txt Deliver Cleaned Messages = yes Virus Modify Subject = yes Virus Subject Text = {Virus?} Attachment Warning Filename = VirusWarning.txt Virus Scanner Definitions = %etc-dir%/virus.scanners.conf Deliver In Background = yes Delivery Method = batch Thanks for any help/pointers! - Paul -- Paul Linton Systems Programmer paul@cs.uky.edu UofK Department of Computer Science (859) 257-3962 From miguel.montoya at CALIDAD.TELETULUA.COM.CO Wed Jul 9 14:12:34 2003 From: miguel.montoya at CALIDAD.TELETULUA.COM.CO (Miguel Fernando Montoya Martinez) Date: Thu Jan 12 21:18:53 2006 Subject: unsuscribe Message-ID: -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030709/1b0f3ba2/attachment.html From mike at CAMAROSS.NET Wed Jul 9 14:23:43 2003 From: mike at CAMAROSS.NET (Mike Kercher) Date: Thu Jan 12 21:18:53 2006 Subject: [OT] Bounced rejection notices In-Reply-To: <1057743230.1192.10.camel@declan> Message-ID: <000e01c3461d$529d6af0$9c01a8c0@home.middlefinger.net> Depends on your score thresholds. I mark spam at 5.8, high scoring spam is 6.9 Spam gets the striphtml, deliver action High Scoring Spam is deleted. It is a rare occasion that a legit email scores a 6.9 and I've had no complaints from my users. 
Mike -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Declan Grady Sent: Wednesday, July 09, 2003 4:34 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: [OT] Bounced rejection notices Hi, Most, if not all, of the "UCE Rejected" notices that mailscanner sends out in response to incoming spam mails are bounced, as undeliverable. Is there an easy way around this, or is it generally safe to delete the spam (or even high-scoring spam) instead of rejecting it ? My only concern is that if I dont reject it to the sender, then ther is a chance that a false-positive will fall into a blackhole. My mail volume is quite small, so its more of an annoyance than a problem really. Any suggestions ? Thanks, Declan From mike at CAMAROSS.NET Wed Jul 9 14:37:01 2003 From: mike at CAMAROSS.NET (Mike Kercher) Date: Thu Jan 12 21:18:53 2006 Subject: MailScanner not removing virus even though it was found? In-Reply-To: <20030709130503.GA20280@bud.cs.uky.edu> Message-ID: <001101c3461f$2d91b480$9c01a8c0@home.middlefinger.net> The only thing that catches my eye is that you have: Silent Viruses = defined twice. I set my Silent Viruses = none in my config file because I want to know when a virus is found. I also have Still Deliver Silent Viruses = yes Mike -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Paul Linton Sent: Wednesday, July 09, 2003 8:05 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: MailScanner not removing virus even though it was found? On Wed, Jul 09, 2003 at 08:38:59AM +0200, Raymond Dijkxhoorn wrote: > > seems to be working fine, with the exception of virus removal. > > MailScanner calls McAfee and sees the virus, but then happily sends > > the message on, virus and all, no warning to the recipient, etc. > > Did I miss something in the .conf > It might be interesting to see your virus settings. > > Deliver Disinfected Files = ? > Silent Viruses = ? 
> Still Deliver Silent Viruses = ? Here is some of the configurations, if this helps: % grep -v "^#" MailScanner.conf | egrep "Virus|Deliver" Deliver Unparsable TNEF = no Virus Scanning = yes Virus Scanners = mcafee Virus Scanner Timeout = 300 Deliver Disinfected Files = yes Silent Viruses = HTML-IFrame Klez Yaha-E Bugbear Braid-A WinEvar Palyh Sobig Fizzer Still Deliver Silent Viruses = yes Deleted Virus Message Report = %report-dir%/deleted.virus.message.txt Stored Virus Message Report = %report-dir%/stored.virus.message.txt Sender Virus Report = %report-dir%/sender.virus.report.txt Deliver Cleaned Messages = yes Virus Modify Subject = yes Virus Subject Text = {Virus?} Attachment Warning Filename = VirusWarning.txt Virus Scanner Definitions = %etc-dir%/virus.scanners.conf Deliver In Background = yes Delivery Method = batch Thanks for any help/pointers! - Paul -- Paul Linton Systems Programmer paul@cs.uky.edu UofK Department of Computer Science (859) 257-3962 From mike at CAMAROSS.NET Wed Jul 9 14:43:35 2003 From: mike at CAMAROSS.NET (Mike Kercher) Date: Thu Jan 12 21:18:53 2006 Subject: MS Performance In-Reply-To: <3F0BEE41.3010301@totalise.co.uk> Message-ID: <001201c34620$18e34070$9c01a8c0@home.middlefinger.net> Agreed. You might also consider moving your incoming to a tmpfs: /bin/mount -t tmpfs tmpfs /var/spool/MailScanner/incoming yields tmpfs on /var/spool/MailScanner/incoming type tmpfs (rw) Do this only after adding RAM to your system though! Mike -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Martin Hepworth Sent: Wednesday, July 09, 2003 5:28 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: MS Performance Andrea RAM, add more RAM. 128MB is kinda low, esp a you can get 512MB ram for < 50 UK pounds (~75 Euro I guess) -- Martin Andrea Cogliati wrote: > Guys, > > we did several stress tests on our MS gateway and these are the > results. 
> > System description: > > Single Intel Pentium 4 1.8 GHz > 128 MB RAM > 40 GB single IDE disk > MS 4.22-5 > SpamAssassin 2.55 > AV: McAfee and ClamAV > > With this system we are able to process about 100 messages/minute. > > We had to lower the number of MS children processes to 3, as with the > default of 5 we got a lot of swapping (each MS process uses about 20MB > of > memory) and > performance severely degraded. Increasing the number of messages per > process to 75 also improved the overall performance a little bit. > > Does this make any sense? Can I improve the performances tuning the > system configuration? > > TIA, > > Andrea From paul at CS.UKY.EDU Wed Jul 9 14:50:47 2003 From: paul at CS.UKY.EDU (Paul Linton) Date: Thu Jan 12 21:18:53 2006 Subject: MailScanner not removing virus even though it was found? In-Reply-To: <001101c3461f$2d91b480$9c01a8c0@home.middlefinger.net> References: <20030709130503.GA20280@bud.cs.uky.edu> <001101c3461f$2d91b480$9c01a8c0@home.middlefinger.net> Message-ID: <20030709135047.GA20608@bud.cs.uky.edu> Hmmm, I doubled checked and did not find it twice. In the off change that this was causing a problem, I did change it to 'none': % grep -v "^#" MailScanner.conf | grep -i virus Virus Scanning = yes Virus Scanners = mcafee Virus Scanner Timeout = 300 Silent Viruses = none Still Deliver Silent Viruses = yes Deleted Virus Message Report = %report-dir%/deleted.virus.message.txt Stored Virus Message Report = %report-dir%/stored.virus.message.txt Sender Virus Report = %report-dir%/sender.virus.report.txt Virus Modify Subject = yes Virus Subject Text = {Virus?} Attachment Warning Filename = VirusWarning.txt Virus Scanner Definitions = %etc-dir%/virus.scanners.conf Same effect. Thanks - I'll keep looking. Doing a 'debug' one-time run didn't show anything else. I'm hesitant to start adding debug statements in all the perl modules. 
- Paul On Wed, Jul 09, 2003 at 08:37:01AM -0500, Mike Kercher wrote: > The only thing that catches my eye is that you have: > > Silent Viruses = > > defined twice. I set my Silent Viruses = none in my config file because I > want to know when a virus is found. I also have > > Still Deliver Silent Viruses = yes > > Mike > > > -----Original Message----- > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf > Of Paul Linton > Sent: Wednesday, July 09, 2003 8:05 AM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: MailScanner not removing virus even though it was found? > > > On Wed, Jul 09, 2003 at 08:38:59AM +0200, Raymond Dijkxhoorn wrote: > > > seems to be working fine, with the exception of virus removal. > > > MailScanner calls McAfee and sees the virus, but then happily sends > > > the message on, virus and all, no warning to the recipient, etc. > > > Did I miss something in the .conf > > It might be interesting to see your virus settings. > > > > Deliver Disinfected Files = ? > > Silent Viruses = ? > > Still Deliver Silent Viruses = ? > > Here is some of the configurations, if this helps: > > % grep -v "^#" MailScanner.conf | egrep "Virus|Deliver" > Deliver Unparsable TNEF = no > Virus Scanning = yes > Virus Scanners = mcafee > Virus Scanner Timeout = 300 > Deliver Disinfected Files = yes > Silent Viruses = HTML-IFrame Klez Yaha-E Bugbear Braid-A WinEvar Palyh Sobig > Fizzer Still Deliver Silent Viruses = yes > Deleted Virus Message Report = %report-dir%/deleted.virus.message.txt > Stored Virus Message Report = %report-dir%/stored.virus.message.txt > Sender Virus Report = %report-dir%/sender.virus.report.txt > Deliver Cleaned Messages = yes > Virus Modify Subject = yes > Virus Subject Text = {Virus?} > Attachment Warning Filename = VirusWarning.txt > Virus Scanner Definitions = %etc-dir%/virus.scanners.conf Deliver In > Background = yes Delivery Method = batch > > Thanks for any help/pointers! 
> > - Paul > > -- > Paul Linton Systems Programmer paul@cs.uky.edu > UofK Department of Computer Science (859) 257-3962 -- Paul Linton Systems Programmer paul@cs.uky.edu UofK Department of Computer Science (859) 257-3962 From dene at DATATECHIE.COM Wed Jul 9 14:54:30 2003 From: dene at DATATECHIE.COM (Dene Ulmschneider) Date: Thu Jan 12 21:18:53 2006 Subject: User specific "Spam Actions" Message-ID: <5.1.0.14.2.20030709094950.00bc1b68@192.168.1.112> Hello all- I am running RHL 7.3 and MS version 4.14-9 and Sendmail. I am trying to setup user specific "Spam Actions" and could use a little help. I know that the spam action setting can point to a file with rule sets in it but I am not clear on the format of the file. Can anyone help me out with the format of the file? If a user wants to delete spam and high spam - what should the file look like? Does anyone have a sample file that they can forward to give me a better idea on how to set this up?? Thank You Dene Ulmschneider Data Techie Inc. ------------------------------------------------------------------------- office: 718.738.8859 cell: 646.996.2976 email: dene@datatechie.com pager mail: denenow@datatechie.com website: www.datatechie.com ------------------------------------------------------------------------- "Data Techie - Always there to protect you!" -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030709/9edc1412/attachment.html From mbowman at UDCOM.COM Wed Jul 9 14:54:43 2003 From: mbowman at UDCOM.COM (Matthew Bowman) Date: Thu Jan 12 21:18:53 2006 Subject: User specific "Spam Actions" Message-ID: Example spam.actions.conf To: postmaster@abc.com striphtml forward abc@abc.com To: *@abc.com delete From: *@boss.com delete From: *@china.com delete From: *@computingworld.com delete From: *@crucialoffers.com delete From: *@dataillusions.com delete From: *@deal-seeker.com delete Although I am wonderng if the * is necessary ? Matthew Dene Ulmschneider Sent by: MailScanner mailing list 07/09/2003 09:54 AM Please respond to MailScanner mailing list To: MAILSCANNER@JISCMAIL.AC.UK cc: Subject: User specific "Spam Actions" Hello all- I am running RHL 7.3 and MS version 4.14-9 and Sendmail. I am trying to setup user specific "Spam Actions" and could use a little help. I know that the spam action setting can point to a file with rule sets in it but I am not clear on the format of the file. Can anyone help me out with the format of the file? If a user wants to delete spam and high spam - what should the file look like? Does anyone have a sample file that they can forward to give me a better idea on how to set this up?? Thank You Dene Ulmschneider Data Techie Inc. ------------------------------------------------------------------------- office: 718.738.8859 cell: 646.996.2976 email: dene@datatechie.com pager mail: denenow@datatechie.com website: www.datatechie.com ------------------------------------------------------------------------- "Data Techie - Always there to protect you!" 
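
The ruleset format shown in the message above, as an added example that is not part of the original posts and is not MailScanner's own code: a small Python model that parses "Direction: pattern action" lines, resolves the action for one sender/recipient pair, and flags rules that can never fire because an earlier rule already covers them. It assumes first-match-wins evaluation and that `*` is the only wildcard; the final `FromOrTo: default deliver` line and the example.net/example.org addresses are constructed for the example.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# The first four rules are taken from the message above; the final default
# rule is constructed for this example.
SAMPLE_RULES = """\
# Direction  pattern              action
To:          postmaster@abc.com   striphtml forward abc@abc.com
To:          *@abc.com            delete
From:        *@boss.com           delete
From:        *@china.com          delete
FromOrTo:    default              deliver
"""

DIRECTIONS = {"from", "to", "fromorto"}


class Rule(NamedTuple):
    lineno: int
    direction: str  # "from", "to" or "fromorto"
    pattern: str    # lower-cased address glob, or "default"
    action: str     # everything after the pattern, whitespace-normalised


def parse_ruleset(text: str) -> List[Rule]:
    """Parse 'Direction: pattern action...' lines; skip blanks and # comments."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 2)
        if len(fields) != 3:
            raise ValueError(f"line {lineno}: expected 'Direction: pattern action'")
        direction = fields[0].rstrip(":").lower()
        if direction not in DIRECTIONS:
            raise ValueError(f"line {lineno}: unknown direction {fields[0]!r}")
        action = " ".join(fields[2].split())
        rules.append(Rule(lineno, direction, fields[1].lower(), action))
    return rules


def glob_match(pattern: str, text: str) -> bool:
    """Match text against a pattern in which '*' is the only wildcard."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, text) is not None


def rule_matches(rule: Rule, sender: str, recipient: str) -> bool:
    if rule.pattern == "default":
        return True
    candidates = {"from": [sender], "to": [recipient],
                  "fromorto": [sender, recipient]}[rule.direction]
    return any(glob_match(rule.pattern, addr.lower()) for addr in candidates)


def resolve(rules: List[Rule], sender: str, recipient: str) -> Optional[Rule]:
    """Return the first rule that matches (assumed first-match-wins)."""
    for rule in rules:
        if rule_matches(rule, sender, recipient):
            return rule
    return None


def covers(earlier: Rule, later: Rule) -> bool:
    """True if every message matching `later` already matches `earlier`."""
    if earlier.direction != later.direction and earlier.direction != "fromorto":
        return False
    if earlier.pattern == "default":
        return True
    if later.pattern == "default":
        return False
    # Matching the later pattern as a literal string is a sound test: its
    # '*' characters can only be absorbed by a '*' in the earlier pattern.
    return glob_match(earlier.pattern, later.pattern)


def find_shadowed(rules: List[Rule]) -> List[Tuple[int, int]]:
    """Return (shadowed_line, shadowing_line) pairs for unreachable rules."""
    shadowed = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, later):
                shadowed.append((later.lineno, earlier.lineno))
                break
    return shadowed


if __name__ == "__main__":
    rules = parse_ruleset(SAMPLE_RULES)
    for sender, rcpt in [("x@example.net", "postmaster@abc.com"),
                         ("x@example.net", "sales@abc.com"),
                         ("a@example.net", "b@example.org")]:
        hit = resolve(rules, sender, rcpt)
        print(f"{sender} -> {rcpt}: line {hit.lineno}: {hit.action}")
    print("shadowed rules:", find_shadowed(rules))
```

Under these assumptions the order of the two `To:` lines matters: with `*@abc.com` listed first, the postmaster rule is reported as shadowed and spam addressed to postmaster is deleted rather than forwarded.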
From P.G.M.Peters at utwente.nl Wed Jul 9 15:09:11 2003 From: P.G.M.Peters at utwente.nl (Peter Peters) Date: Thu Jan 12 21:18:53 2006 Subject: [OT] Bounced rejection notices In-Reply-To: <000e01c3461d$529d6af0$9c01a8c0@home.middlefinger.net> References: <1057743230.1192.10.camel@declan> <000e01c3461d$529d6af0$9c01a8c0@home.middlefinger.net> Message-ID: <2f8ogvs8s8ine9gmte82ib13mk48l0cson@4ax.com> On Wed, 9 Jul 2003 08:23:43 -0500, you wrote: >Depends on your score thresholds. > >I mark spam at 5.8, high scoring spam is 6.9 > >Spam gets the striphtml, deliver action > >High Scoring Spam is deleted. > >It is a rare occasion that a legit email scores a 6.9 and I've had no >complaints from my users. I get complaints about spam with the original spam included. And ofcourse that message is also claimed as beeing spam. -- Peter Peters, senior netwerkbeheerder Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE) Universiteit Twente, Postbus 217, 7500 AE Enschede telefoon: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/civ From P.G.M.Peters at utwente.nl Wed Jul 9 15:07:54 2003 From: P.G.M.Peters at utwente.nl (Peter Peters) Date: Thu Jan 12 21:18:53 2006 Subject: MailScanner not removing virus even though it was found? In-Reply-To: <001101c3461f$2d91b480$9c01a8c0@home.middlefinger.net> References: <20030709130503.GA20280@bud.cs.uky.edu> <001101c3461f$2d91b480$9c01a8c0@home.middlefinger.net> Message-ID: On Wed, 9 Jul 2003 08:37:01 -0500, you wrote: >The only thing that catches my eye is that you have: > >Silent Viruses = > >defined twice. I set my Silent Viruses = none in my config file because I >want to know when a virus is found. I also have I didn't see that line twice. >Still Deliver Silent Viruses = yes If you define silent viruses and still deliver them, you will be notified. But if your don't define silent viruses the (forged) sender gets the message he sent a virus (which isn't true). 
>-----Original Message----- >Here is some of the configurations, if this helps: > >% grep -v "^#" MailScanner.conf | egrep "Virus|Deliver" >Deliver Unparsable TNEF = no >Virus Scanning = yes >Virus Scanners = mcafee >Virus Scanner Timeout = 300 >Deliver Disinfected Files = yes >Silent Viruses = HTML-IFrame Klez Yaha-E Bugbear Braid-A WinEvar Palyh Sobig >Fizzer Still Deliver Silent Viruses = yes ??? something went wrong with your reply? >Deleted Virus Message Report = %report-dir%/deleted.virus.message.txt >Stored Virus Message Report = %report-dir%/stored.virus.message.txt >Sender Virus Report = %report-dir%/sender.virus.report.txt >Deliver Cleaned Messages = yes >Virus Modify Subject = yes >Virus Subject Text = {Virus?} >Attachment Warning Filename = VirusWarning.txt >Virus Scanner Definitions = %etc-dir%/virus.scanners.conf Deliver In >Background = yes Delivery Method = batch Perhaps your mailclient played tricks on you. -- Peter Peters, senior netwerkbeheerder Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE) Universiteit Twente, Postbus 217, 7500 AE Enschede telefoon: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/civ From steve.freegard at LBSLTD.CO.UK Wed Jul 9 15:24:31 2003 From: steve.freegard at LBSLTD.CO.UK (Steve Freegard) Date: Thu Jan 12 21:18:53 2006 Subject: MS Performance Message-ID: <67D9E7698329D411936E00508B6590B902773A10@neelix.lbsltd.co.uk> Mike, Quick question I've been meaning to ask on the list for a while: What's a reasonable amount of memory to have on a MailScanner box to take advantage of tmpfs??, and how much of a difference does it make?? - I've got two Proliant DL360's, one with 512Mb RAM and the other with 1Gb RAM both just running MailScanner, Sophos, Clam and MailWatch on RedHat 9. Obviously 1Gb's probably enough, but what about the machine with 512Mb?? 
- what happens if I end up with a queue full of largeish mails - will it just swap like crazy and is there any chance of loosing mail by doing this if the server runs out of memory?? Kind regards, Steve -- Steve Freegard Systems Manager Littlehampton Book Services Ltd. -----Original Message----- From: Mike Kercher [mailto:mike@CAMAROSS.NET] Sent: 09 July 2003 14:44 To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: MS Performance Agreed. You might also consider moving your incoming to a tmpfs: /bin/mount -t tmpfs tmpfs /var/spool/MailScanner/incoming yields tmpfs on /var/spool/MailScanner/incoming type tmpfs (rw) Do this only after adding RAM to your system though! Mike -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Martin Hepworth Sent: Wednesday, July 09, 2003 5:28 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: MS Performance Andrea RAM, add more RAM. 128MB is kinda low, esp a you can get 512MB ram for < 50 UK pounds (~75 Euro I guess) -- Martin Andrea Cogliati wrote: > Guys, > > we did several stress tests on our MS gateway and these are the > results. > > System description: > > Single Intel Pentium 4 1.8 GHz > 128 MB RAM > 40 GB single IDE disk > MS 4.22-5 > SpamAssassin 2.55 > AV: McAfee and ClamAV > > With this system we are able to process about 100 messages/minute. > > We had to lower the number of MS children processes to 3, as with the > default of 5 we got a lot of swapping (each MS process uses about 20MB > of > memory) and > performance severely degraded. Increasing the number of messages per > process to 75 also improved the overall performance a little bit. > > Does this make any sense? Can I improve the performances tuning the > system configuration? > > TIA, > > Andrea -- This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. 
If you have received this email in error please notify the sender and delete the message from your mailbox. This footnote also confirms that this email message has been swept by MailScanner (www.mailscanner.info) for the presence of computer viruses. From raymond at PROLOCATION.NET Wed Jul 9 15:32:31 2003 From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:18:53 2006 Subject: MS Performance In-Reply-To: <67D9E7698329D411936E00508B6590B902773A10@neelix.lbsltd.co.uk> Message-ID: Hi! > Obviously 1Gb's probably enough, but what about the machine with 512Mb?? - > what happens if I end up with a queue full of largeish mails - will it just > swap like crazy and is there any chance of loosing mail by doing this if the > server runs out of memory?? Thats depending on your mail load. I have boxes with 2 gig ram using most of it for MailScanner ... RAM is cheap anyway so the more the better. Bye, Raymond. From AndreaC at GOTECH.IT Wed Jul 9 15:56:12 2003 From: AndreaC at GOTECH.IT (Andrea Cogliati) Date: Thu Jan 12 21:18:53 2006 Subject: MS Performance Message-ID: <463F0AFA3E2CEA4E807EC569C019E739140BBE@atlantis.gtub.corp> Mike Kercher wrote: > Agreed. You might also consider moving your incoming to a tmpfs: > > /bin/mount -t tmpfs tmpfs /var/spool/MailScanner/incoming [...] >-----Original Message----- >From: [...] Martin Hepworth [...] > RAM, add more RAM. 128MB is kinda low, esp a you can get 512MB ram for < 50 UK > pounds (~75 Euro I guess) >Andrea Cogliati wrote: >> Guys, >> >> we did several stress tests on our MS gateway and these are the >> results. >> >> System description: >> >> Single Intel Pentium 4 1.8 GHz >> 128 MB RAM >> 40 GB single IDE disk >> MS 4.22-5 >> SpamAssassin 2.55 >> AV: McAfee and ClamAV >> >> With this system we are able to process about 100 messages/minute. 
>> >> We had to lower the number of MS children processes to 3, as with the >> default of 5 we got a lot of swapping (each MS process uses about 20MB >> of >> memory) and >> performance severely degraded. Increasing the number of messages per >> process to 75 also improved the overall performance a little bit. >> >> Does this make any sense? Can I improve the performances tuning the >> system configuration? >> >> TIA, >> >> Andrea Mike and Martin, Tried that but it doesn't seem to help. I've put another 128 MB of RAM to a total of 256MB. With or without tmpfs I can get a maximum of 1.72 scanned messages per second (103 msg/min). It seems to be a limit of the CPU and not of the RAM. Could someone confirm or confute this? Andrea From dene at DATATECHIE.COM Wed Jul 9 15:57:00 2003 From: dene at DATATECHIE.COM (Dene Ulmschneider) Date: Thu Jan 12 21:18:53 2006 Subject: User specific "Spam Actions" In-Reply-To: Message-ID: <5.1.0.14.2.20030709105201.00bc1c90@192.168.1.112> OK - let's say that there are 2 users called joe@domain.com and jane@domain.com. What if Joe wants to delete mail form abccorp.com and jane wants to accept it? Is that possible and if so - how could that be accomplished? Also, my original questions was more towards setting that spam action rule for the "SPAM" and "HIGH SPAM" which is determined by the spam count. In the MailScanner.conf file - there are settings for spam and high spam and what should be done with them (but it is a site wide setting). Is it possible for Joe to deliver spam and delete high spam while jane can delete all emails that are scored and spam and high spam (probable spam and definite spam)? >Thank You > >Dene Ulmschneider >Data Techie Inc. 
>------------------------------------------------------------------------- >office: 718.738.8859 >cell: 646.996.2976 >email: dene@datatechie.com >pager mail: denenow@datatechie.com >website: www.datatechie.com >------------------------------------------------------------------------- >"Data Techie - Always there to protect you!" At 09:54 AM 7/9/2003 -0400, you wrote: >Example spam.actions.conf > >To: postmaster@abc.com striphtml forward abc@abc.com >To: *@abc.com delete >From: *@boss.com delete >From: *@china.com delete >From: *@computingworld.com delete >From: *@crucialoffers.com delete >From: *@dataillusions.com delete >From: *@deal-seeker.com delete > >Although I am wonderng if the * is necessary ? > >Matthew > > > > > >Dene Ulmschneider >Sent by: MailScanner mailing list >07/09/2003 09:54 AM >Please respond to MailScanner mailing list > > > To: MAILSCANNER@JISCMAIL.AC.UK > cc: > Subject: User specific "Spam Actions" > > >Hello all- > >I am running RHL 7.3 and MS version 4.14-9 and Sendmail. > >I am trying to setup user specific "Spam Actions" and could use a little >help. I know that the spam action setting can point to a file with rule >sets in it but I am not clear on the format of the file. > >Can anyone help me out with the format of the file? If a user wants to >delete spam and high spam - what should the file look like? > >Does anyone have a sample file that they can forward to give me a better >idea on how to set this up?? -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030709/d6ab7a7a/attachment.html From dean.plant at ROKE.CO.UK Wed Jul 9 16:11:26 2003 From: dean.plant at ROKE.CO.UK (Plant, Dean) Date: Thu Jan 12 21:18:53 2006 Subject: MS Performance Message-ID: Andrea Cogliati wrote: > Mike Kercher wrote: > >> Agreed. You might also consider moving your incoming to a tmpfs: >> >> /bin/mount -t tmpfs tmpfs /var/spool/MailScanner/incoming > > [...] 
> >> -----Original Message----- >> From: [...] Martin Hepworth > > [...] > >> RAM, add more RAM. 128MB is kinda low, esp a you can get 512MB ram >> for < 50 UK pounds (~75 Euro I guess) > >> Andrea Cogliati wrote: > >>> Guys, >>> >>> we did several stress tests on our MS gateway and these are the >>> results. >>> >>> System description: >>> >>> Single Intel Pentium 4 1.8 GHz >>> 128 MB RAM >>> 40 GB single IDE disk >>> MS 4.22-5 >>> SpamAssassin 2.55 >>> AV: McAfee and ClamAV >>> >>> With this system we are able to process about 100 messages/minute. >>> >>> We had to lower the number of MS children processes to 3, as with >>> the default of 5 we got a lot of swapping (each MS process uses >>> about 20MB of memory) and >>> performance severely degraded. Increasing the number of messages per >>> process to 75 also improved the overall performance a little bit. >>> >>> Does this make any sense? Can I improve the performances tuning the >>> system configuration? >>> >>> TIA, >>> >>> Andrea > > Mike and Martin, > > Tried that but it doesn't seem to help. I've put another 128 MB of RAM > to a total > of 256MB. With or without tmpfs I can get a maximum of 1.72 scanned > messages > per second (103 msg/min). It seems to be a limit of the CPU and not of > the RAM. > Could someone confirm or confute this? > > Andrea Im running a Pentium 3 700Mhz + 256MB ram on RH 8.0 sendmail/f-prot with spamassassin 2.55, dcc and razor on a ext3 filesystem. Mailscanner processed 13.1K messages in 1 day. And a significant amount of that was during working hours. (See pic) -- Registered Office: Roke Manor Research Ltd, Siemens House, Oldbury, Bracknell, Berkshire. RG12 8FZ The information contained in this e-mail and any attachments is confidential to Roke Manor Research Ltd and must not be passed to any third party without permission. This communication is for information only and shall not create or change any contractual relationship. 
-------------- next part -------------- A non-text attachment was scrubbed... Name: mail-week.png Type: application/octet-stream Size: 3003 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030709/20c63a8a/mail-week.obj From richard_cipher at yahoo.com Wed Jul 9 16:07:04 2003 From: richard_cipher at yahoo.com (Evert Ford) Date: Thu Jan 12 21:18:54 2006 Subject: MS Performance In-Reply-To: <463F0AFA3E2CEA4E807EC569C019E739140BBE@atlantis.gtub.corp> Message-ID: I sometimes have a burst of 300-400 messages on Monday Morning. It takes about a minute to process them, but only because of the way I have fetchmail set to deal with latency on the server I download from. I have more issues with latency on the remote server than I do with problems with MailScanner. Might this be your issue? I have an Intel Celeron 933Mhz running Redhat Linux 7.2 with 256 Meg of RAM with MailScanner, F-Prot, Sendmail, and SpamAssassin. Current versions on everything except F-prot(just haven't bothered to update). Evert Ford Computer Guy Westone Laboratories -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Andrea Cogliati Sent: Wednesday, July 09, 2003 8:56 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: MS Performance Mike Kercher wrote: > Agreed. You might also consider moving your incoming to a tmpfs: > > /bin/mount -t tmpfs tmpfs /var/spool/MailScanner/incoming [...] >-----Original Message----- >From: [...] Martin Hepworth [...] > RAM, add more RAM. 128MB is kinda low, esp a you can get 512MB ram for < 50 UK > pounds (~75 Euro I guess) >Andrea Cogliati wrote: >> Guys, >> >> we did several stress tests on our MS gateway and these are the >> results. >> >> System description: >> >> Single Intel Pentium 4 1.8 GHz >> 128 MB RAM >> 40 GB single IDE disk >> MS 4.22-5 >> SpamAssassin 2.55 >> AV: McAfee and ClamAV >> >> With this system we are able to process about 100 messages/minute. 
>> >> We had to lower the number of MS children processes to 3, as with the >> default of 5 we got a lot of swapping (each MS process uses about 20MB >> of >> memory) and >> performance severely degraded. Increasing the number of messages per >> process to 75 also improved the overall performance a little bit. >> >> Does this make any sense? Can I improve the performances tuning the >> system configuration? >> >> TIA, >> >> Andrea Mike and Martin, Tried that but it doesn't seem to help. I've put another 128 MB of RAM to a total of 256MB. With or without tmpfs I can get a maximum of 1.72 scanned messages per second (103 msg/min). It seems to be a limit of the CPU and not of the RAM. Could someone confirm or confute this? Andrea --- Incoming mail is certified Virus Free. Checked by AVG anti-virus system (http://www.grisoft.com). Version: 6.0.483 / Virus Database: 279 - Release Date: 5/19/03 --- Outgoing mail is certified Virus Free. Checked by AVG anti-virus system (http://www.grisoft.com). Version: 6.0.483 / Virus Database: 279 - Release Date: 5/19/03 From mdlaney at morehouse.edu Wed Jul 9 16:22:58 2003 From: mdlaney at morehouse.edu (Matt Laney) Date: Thu Jan 12 21:18:54 2006 Subject: MS Performance In-Reply-To: <463F0AFA3E2CEA4E807EC569C019E739140BBE@atlantis.gtub.corp> from "Andrea Cogliati" at Jul 09, 2003 04:56:12 PM Message-ID: <200307091522.LAA20603@earl.morehouse.edu> Andrea, > Tried that [tmpfs] but it doesn't seem to help. I've put another 128 MB > of RAM to a total of 256MB. With or without tmpfs I can get a maximum of > 1.72 scanned messages per second (103 msg/min). It seems to be a limit > of the CPU and not of the RAM. > > Could someone confirm or confute this? How are you measuring performance? Is 'top' of any help in showing whether things are processor bound or memory bound or otherwise? 
I get similar performance on a dual Pentium 3 550Mhz with 1G RAM, slow SCSI disks, no tmpfs, sophos, with spam checks on...or at least I think I do, if the logs provide a decent measure. Here's a fragment from mine: Jul 5 21:38:43 ...: New Batch: Scanning 22 messages, 75339 bytes Jul 5 21:38:43 ...: Spam Checks: Starting Jul 5 21:38:57 ...: Virus and Content Scanning: Starting Jul 5 21:38:58 ...: Uninfected: Delivered 22 messages It seems that the spam scans are taking roughly forever (with all that DNS activity, I'm not surprised) while the virus scans are moving very quickly...if the logs are to be believed on matters of timing. According to 'top', my load averages are kinda low, like .50 most of the time. MailScanner never shows up as eating more than 10% of the accounted-for CPU time. Smells like network lag on the RBLs to me... -Matt -- Matt Laney, mdlaney@morehouse.edu Network and Unix Systems Engineer Morehouse College --- Atlanta, GA From tsevy at EPX.COM Wed Jul 9 16:34:41 2003 From: tsevy at EPX.COM (Tom Sevy) Date: Thu Jan 12 21:18:54 2006 Subject: MailScanner + Procmail? Message-ID: <006701c3462f$9d5f1f90$bc0aa8c0@epx.com> Does anyone have MailScanner + Procmail running on the same system? I would like, for just one single local user, to run procmail so I can sort mail into folders. Will this work? Any gotchas? I have never run procmail so I don't yet know anything about it other than that it is there.... From ka at PACIFIC.NET Wed Jul 9 16:25:34 2003 From: ka at PACIFIC.NET (Ken Anderson) Date: Thu Jan 12 21:18:54 2006 Subject: How to use spamassassin on a per user basis with a third party e-mail server setup? In-Reply-To: <200307081545.KAA27336@mail.int.orbitel.com> References: <200307081545.KAA27336@mail.int.orbitel.com> Message-ID: <3F0C33EE.4060007@pacific.net> We have a similar relay setup. We've just implemented whitelist/blacklist per user rules, and per user "spam action" rules (attachment,deliver or just deliver). 
We have not exposed the control to users yet though, since improper rules will cause undesired side effects. For example, since the mailservers are configured to allow up to x number of recipients per message and MailScanner only looks at the TO envelope sender, rules made by one user will affect other users. 99% of the time it's just a spam dictionary attack that is affected by this. Anyone know of a way around this issue? The rules are stored in mysql for easy webifying, and a perl script generates the rule files for MailScanner if the db is changed. A simple db with (id, rule_owner, rule_type, rule_operation, rule_value) works for any rule type, though some fields may be left empty for some rule types. See CustomConfig.pm for an example (see 'ByDomain' rules). This can be easily modified to 'ByEmail..' rules, so that whitelist/blacklist rules are read from (for example) "/etc/MailScanner/spam.user/whitelist/user@domain.com" files. In MS.conf, you specify "Is Definitely Not Spam = &ByEmailWhitelist" Spam Action rules are handled as a normal ruleset. Spam Action = /etc/MailScanner/rules/spam.action.rules In spam.action.rules, you have things like this: To: someuser@somedomain.com deliver To: domain.net attachment,deliver To: spamdeath@nospam.net delete Ken Pacific.Net Orbitel Webmaster wrote: > What have you found as the easiest way to enable/disable spamassassin > for individual e-mail addresses? Our mailscanner server is being > utilized in a third party e-mail server enviroment (relay) therefore > there cannot be individual user accounts and spamassassin preference > files. > > I would like the ability to either disable tagging, enable tagging, > or enable auto spam deletion on a per e-mail address basis. I would > like all settings to default to off. Additionally, all users will > receive e-mail virus scanning. > > Can someone point me in the right direction -- documentation or > otherwise? 
The closest I have found is spamassassin's userpref's > file on their website. > > Thanks! > > From ka at PACIFIC.NET Wed Jul 9 16:42:13 2003 From: ka at PACIFIC.NET (Ken Anderson) Date: Thu Jan 12 21:18:54 2006 Subject: MS Performance In-Reply-To: <200307091522.LAA20603@earl.morehouse.edu> References: <200307091522.LAA20603@earl.morehouse.edu> Message-ID: <3F0C37D5.4090108@pacific.net> You might try turning off the rbl checks in SA. see /etc/mail/spamassassin/local.cf Some rbl lookups take too long if dns is slow or connectivity is not perfect. Ken Matt Laney wrote: > Andrea, > > >>Tried that [tmpfs] but it doesn't seem to help. I've put another 128 MB >>of RAM to a total of 256MB. With or without tmpfs I can get a maximum of >>1.72 scanned messages per second (103 msg/min). It seems to be a limit >>of the CPU and not of the RAM. >> >>Could someone confirm or confute this? > > > > How are you measuring performance? Is 'top' of any help in showing > whether things are processor bound or memory bound or otherwise? > > > I get similar performance on a dual Pentium 3 550Mhz with 1G RAM, slow > SCSI disks, no tmpfs, sophos, with spam checks on...or at least I think > I do, if the logs provide a decent measure. Here's a fragment from mine: > > Jul 5 21:38:43 ...: New Batch: Scanning 22 messages, 75339 bytes > Jul 5 21:38:43 ...: Spam Checks: Starting > Jul 5 21:38:57 ...: Virus and Content Scanning: Starting > Jul 5 21:38:58 ...: Uninfected: Delivered 22 messages > > It seems that the spam scans are taking roughly forever (with all that > DNS activity, I'm not surprised) while the virus scans are moving very > quickly...if the logs are to be believed on matters of timing. > > > According to 'top', my load averages are kinda low, like .50 most of > the time. MailScanner never shows up as eating more than 10% of the > accounted-for CPU time. > > Smells like network lag on the RBLs to me... 
> > > -Matt > > > -- > Matt Laney, mdlaney@morehouse.edu > Network and Unix Systems Engineer > Morehouse College --- Atlanta, GA > > From Kevin.Spicer at BMRB.CO.UK Wed Jul 9 16:42:09 2003 From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin) Date: Thu Jan 12 21:18:54 2006 Subject: MailScanner + Procmail? Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0EBF704@pascal.priv.bmrb.co.uk> Tom Sevy wrote: > Does anyone have MailScanner + Procmail running on the same system? > > I would like, for just one single local user, to run procmail so I > can sort mail into folders. > > Will this work? Yes, the processes happen in this order.
sendmail receives incoming mail
MailScanner processes mail
sendmail called by MailScanner to deliver mail
procmail called by sendmail to handle local delivery
BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. From gerry at dorfam.ca Wed Jul 9 17:01:59 2003 From: gerry at dorfam.ca (Gerry Doris) Date: Thu Jan 12 21:18:54 2006 Subject: F-prot auto updates ... In-Reply-To: References: Message-ID: <61977.129.80.22.143.1057766519.squirrel@tiger.dorfam.ca> > Raymond Dijkxhoorn wrote: >> Hi! >> >>>> Ok, thanks. Then I know it's not just me :) >> >>> I only noticed a backlog yesterday 20:00 (GMT +2). >>> >>> Checking my log I can't see anything strange at that time. I do see >>> an entry "Jul 7 19:02:13 netlx014 F-Prot autoupdate[7265]: F-Prot >>> successfully updated."
So it took just over 2 minutes to update my >>> systems. >>> >>> Going back in my logs I noticed it normally takes 10 to 15 seconds to >>> update F-Prot. But I don't think 2 minutes is that much of a problem >>> when I update F-Prot. >> >> A little later this was fixed. Most likely due to network or system >> problems @f-prot. It was also depending on what machine in their load >> balanced cluster you were ending. So i guess one or two boxes that >> would not do the right things :) >> >> All seems fixed now indeed btw. >> >> Bye, >> Raymond. > > Should there not be an timeout built into the update process to ensure > this does not happen? > > Dean Plant I just looked at the /usr/lib/MailScanner/f-prot-autoupdate script and I believe there is a built in timeout. Julian is using wget to download the f-prot files and is allowing 3 tries. If the download isn't successful he calls a bailout routine and exits. If the timeout is too much then I suppose the easiest way to reduce it would be to lower/remove the retries. Gerry From AndreaC at GOTECH.IT Wed Jul 9 16:48:20 2003 From: AndreaC at GOTECH.IT (Andrea Cogliati) Date: Thu Jan 12 21:18:54 2006 Subject: MS Performance Message-ID: <463F0AFA3E2CEA4E807EC569C019E739140BBF@atlantis.gtub.corp> Matt, >> Tried that [tmpfs] but it doesn't seem to help. I've put another 128 >> MB of RAM to a total of 256MB. With or without tmpfs I can get a >> maximum of 1.72 scanned messages per second (103 msg/min). It seems to >> be a limit of the CPU and not of the RAM. >> >> Could someone confirm or confute this? > How are you measuring performance? Is 'top' of any help in showing > whether things are processor bound or memory bound or otherwise? I simpy stop MailScanner, put a lot of mail messages (2.000, generated by postal) in mqueue.in, then start MailScanner and watch when mqueue.in is empty. 'top' shows high system load (over 7) and CPU usage (roughly 75% user and 25% system). 
Memory used is always below memory available and no swap is used. It seems CPU bound to me. Andrea From raymond at PROLOCATION.NET Wed Jul 9 18:15:23 2003 From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:18:54 2006 Subject: MS Performance In-Reply-To: Message-ID: Hi! > > Tried that but it doesn't seem to help. I've put another 128 MB of RAM > > of 256MB. With or without tmpfs I can get a maximum of 1.72 scanned > > per second (103 msg/min). It seems to be a limit of the CPU and not of > > Could someone confirm or confute this? > Im running a Pentium 3 700Mhz + 256MB ram on RH 8.0 sendmail/f-prot with > spamassassin 2.55, dcc and razor on a ext3 filesystem. Mailscanner processed > 13.1K messages in 1 day. And a significant amount of that was during working > hours. (See pic) I am processing around 600.000 messages on two dual xeon machines, daily, with peaks to 800.000-1.000.000 daily. I think MS is doing just fine :) Most of the time its a matter of the test setup also that is limiting the figures. Also some tweaking on the machines wont harm... Bye, Raymond. From raymond at PROLOCATION.NET Wed Jul 9 18:12:13 2003 From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:18:54 2006 Subject: MS Performance In-Reply-To: <463F0AFA3E2CEA4E807EC569C019E739140BBE@atlantis.gtub.corp> Message-ID: Hi! > Tried that but it doesn't seem to help. I've put another 128 MB of RAM > of 256MB. With or without tmpfs I can get a maximum of 1.72 scanned > per second (103 msg/min). It seems to be a limit of the CPU and not of > Could someone confirm or confute this? May i ask how you test this ? How many machines you use for sending for example ? Bye, Raymond. From raymond at PROLOCATION.NET Wed Jul 9 18:45:07 2003 From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:18:54 2006 Subject: F-prot auto updates ... In-Reply-To: <61977.129.80.22.143.1057766519.squirrel@tiger.dorfam.ca> Message-ID: Hi! 
> > Should there not be an timeout built into the update process to ensure > > this does not happen? > I just looked at the /usr/lib/MailScanner/f-prot-autoupdate script and I > believe there is a built in timeout. Julian is using wget to download the > f-prot files and is allowing 3 tries. If the download isn't successful he > calls a bailout routine and exits. > > If the timeout is too much then I suppose the easiest way to reduce it > would be to lower/remove the retries. The timout is 3 tries, but there was a 'ok' connection, it was just damn slow :) So it took some time to complete. Like .001 kbps ... Bye, Raymond. From raymond at PROLOCATION.NET Wed Jul 9 18:55:15 2003 From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:18:54 2006 Subject: MS Performance In-Reply-To: <3F0C37D5.4090108@pacific.net> Message-ID: Hi! > You might try turning off the rbl checks in SA. > see /etc/mail/spamassassin/local.cf > Some rbl lookups take too long if dns is slow or connectivity is not > perfect. Running a local caching DNS on the box itself might also help in that case... Bye, Raymond. From smohan at VSNL.COM Thu Jul 10 02:44:50 2003 From: smohan at VSNL.COM (S Mohan) Date: Thu Jan 12 21:18:54 2006 Subject: How to disable a mail to a user before scanning In-Reply-To: <001901c34573$cf261180$9c01a8c0@home.middlefinger.net> Message-ID: I thought this happens at delivery and not receipt end - virtusertable lookup. Am I wrong? If so, the mail will be scanned and then the local delivery agent would bounce it. Mohan -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Mike Kercher Sent: Tuesday, July 08, 2003 10:40 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: How to disable a mail to a user before scanning Why not add an entry to /etc/mail/virtusertable and /dev/null it? 
Mike -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Harish Amin Sent: Tuesday, July 08, 2003 12:11 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: How to disable a mail to a user before scanning I receive about 50 messages to a unknown user on my SMTP server and I as a postmaster receive all the messages back I tried the rules # more spam.actions.rules To: webmaster@www.dpi.state.wi.us delete # more spam.blacklist.rules #To: /^$/ yes To: webmaster@www.dpi.state.wi.us yes But I still keep getting it The original message was received at Tue, 8 Jul 2003 12:08:05 -0500 (CDT) from doagw01.doa.state.wi.us [165.189.88.161] ----- The following addresses had permanent fatal errors ----- <'webmaster@www.dpi.state.wi.us> (reason: 553 5.3.5 system config error) ----- Transcript of session follows ----- 553 5.3.5 www.dpi.state.wi.us. config error: mail loops back to me (MX problem?) 554 5.3.5 Local configuration error AM I doing something wrong here... I am running MailScanner E-Mail Virus Scanner version 4.22-4 on SUn Solaris running sendmail Any Help will be appreciated From smohan at VSNL.COM Thu Jul 10 02:48:06 2003 From: smohan at VSNL.COM (S Mohan) Date: Thu Jan 12 21:18:54 2006 Subject: Quick AV question In-Reply-To: Message-ID: Amavis, as per standard set up, does scanning for inbound and not outbound too. Further, it lacks the flexibility offered by the rulesets feature of MS and spamassassin integration. Mohan -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Evert Ford Sent: Wednesday, July 09, 2003 3:33 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Quick AV question Yes. Amavis is actually, at least to my understand, an e-mail scanner, that calls an anti-virus piece of software, such as Kapersky, or F-prot, or Sophos. It can also be used to scan e-mails for spam. Sounds just like MailScanner! 
In fact, it fulfills the same role as MailScanner in the marketplace, only it is much tougher to install and set up and have working. MailScanner is more stable and robust. Once I switched from Amavis to MailScanner, I've had very few problems. Evert Computer Guy Westone Laboratories. --- Outgoing mail is certified Virus Free. Checked by AVG anti-virus system (http://www.grisoft.com). Version: 6.0.483 / Virus Database: 279 - Release Date: 5/19/03 From raymond at PROLOCATION.NET Wed Jul 9 18:59:01 2003 From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:18:54 2006 Subject: MS Performance In-Reply-To: <463F0AFA3E2CEA4E807EC569C019E739140BBF@atlantis.gtub.corp> Message-ID: Hi! > > How are you measuring performance? Is 'top' of any help in showing > > whether things are processor bound or memory bound or otherwise? > I simply stop MailScanner, put a lot of mail messages (2.000, generated > by postal) > in mqueue.in, then start MailScanner and watch when mqueue.in is empty. That's no real test. You mostly measure disk io. A real live server has a LOT of connections normally (tcp) and also uses your ram as a filecache. If you just beam in those messages from multiple targets it will most likely show up different results. > 'top' shows high system load (over 7) and CPU usage (roughly 75% user > system). Memory used is always below memory available and no swap is > used. It seems CPU bound to me. No, I don't think so, I am almost sure it's io bound, not CPU. But I might be wrong :) Bye, Raymond.
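Added example (not part of any list message, and not MailScanner code): the log fragment Matt Laney posted earlier in this thread can be turned into per-phase timings, which shows whether a batch spends its time in the spam checks or in the virus scan. The host name, the "MailScanner[pid]" tag and the second child's lines are constructed assumptions, since the post elides them as "...".

```python
"""Per-phase timing of MailScanner batches from syslog lines (added example)."""
import re
from datetime import datetime

# Constructed sample. The four messages of child 1234's first batch are the
# ones quoted in the thread; host, process tag and child 1240 are made up.
SAMPLE_LOG = """\
Jul  5 21:38:43 mailhost MailScanner[1234]: New Batch: Scanning 22 messages, 75339 bytes
Jul  5 21:38:43 mailhost MailScanner[1234]: Spam Checks: Starting
Jul  5 21:38:50 mailhost MailScanner[1240]: New Batch: Scanning 10 messages, 40960 bytes
Jul  5 21:38:50 mailhost MailScanner[1240]: Spam Checks: Starting
Jul  5 21:38:56 mailhost MailScanner[1240]: Virus and Content Scanning: Starting
Jul  5 21:38:57 mailhost MailScanner[1234]: Virus and Content Scanning: Starting
Jul  5 21:38:58 mailhost MailScanner[1234]: Uninfected: Delivered 22 messages
Jul  5 21:38:59 mailhost MailScanner[1240]: Uninfected: Delivered 10 messages
Jul  5 21:39:02 mailhost MailScanner[1234]: New Batch: Scanning 3 messages, 9120 bytes
Jul  5 21:39:02 mailhost MailScanner[1234]: Spam Checks: Starting
"""

# Assumed line layout: "<Mon> <day> <time> <host> MailScanner[<pid>]: <text>"
LINE_RE = re.compile(
    r"^(?P<stamp>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ "
    r"MailScanner\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
NEW_BATCH_RE = re.compile(r"New Batch: Scanning (\d+) messages, (\d+) bytes")


def parse_stamp(stamp, year):
    # Syslog timestamps carry no year, so the caller has to supply one.
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")


def finish(batch):
    # A phase that never logged its start (e.g. spam checks off) counts as 0 s.
    virus = batch.get("virus", batch["end"])
    spam = batch.get("spam", virus)
    return {
        "pid": batch["pid"],
        "messages": batch["messages"],
        "bytes": batch["bytes"],
        "spam_seconds": (virus - spam).total_seconds(),
        "virus_seconds": (batch["end"] - virus).total_seconds(),
        "total_seconds": (batch["end"] - batch["start"]).total_seconds(),
    }


def batch_timings(log_text, year=2003):
    """Return one timing record per completed batch, in order of completion.

    Children log concurrently, so batches are tracked per PID. A batch that
    has not yet logged its delivery line is left out rather than guessed at.
    """
    open_batches = {}
    done = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a MailScanner line
        pid, msg = m["pid"], m["msg"]
        when = parse_stamp(m["stamp"], year)
        new = NEW_BATCH_RE.match(msg)
        if new:
            # Overwrites any unfinished batch of the same child.
            open_batches[pid] = {"pid": pid, "messages": int(new[1]),
                                 "bytes": int(new[2]), "start": when}
        elif pid in open_batches:
            batch = open_batches[pid]
            if msg.startswith("Spam Checks: Starting"):
                batch["spam"] = when
            elif msg.startswith("Virus and Content Scanning: Starting"):
                batch["virus"] = when
            elif msg.startswith("Uninfected: Delivered"):
                batch["end"] = when
                done.append(finish(open_batches.pop(pid)))
    return done


def summarise(batches):
    """Aggregate over batches: where the time goes and the cost per message."""
    total = sum(b["total_seconds"] for b in batches)
    spam = sum(b["spam_seconds"] for b in batches)
    messages = sum(b["messages"] for b in batches)
    return {
        "messages": messages,
        "spam_share": spam / total if total else 0.0,
        "seconds_per_message": total / messages if messages else 0.0,
    }


if __name__ == "__main__":
    for record in batch_timings(SAMPLE_LOG):
        print(record)
    print(summarise(batch_timings(SAMPLE_LOG)))
```

Syslog timestamps have one-second resolution, so short phases round to 0 or 1 second; the figures are only meaningful summed over many batches.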
From thomas_duvally at BROWN.EDU Wed Jul 9 18:57:26 2003 From: thomas_duvally at BROWN.EDU (Thomas DuVally) Date: Thu Jan 12 21:18:54 2006 Subject: MS Performance In-Reply-To: <463F0AFA3E2CEA4E807EC569C019E739140BBF@atlantis.gtub.corp> References: <463F0AFA3E2CEA4E807EC569C019E739140BBF@atlantis.gtub.corp> Message-ID: <1057773445.684.29.camel@croithine> On Wed, 2003-07-09 at 11:48, Andrea Cogliati wrote: > I simpy stop MailScanner, put a lot of mail messages (2.000, generated > by postal) > in mqueue.in, then start MailScanner and watch when mqueue.in is empty. > > 'top' shows high system load (over 7) and CPU usage (roughly 75% user > and 25% > system). Memory used is always below memory available and no swap is > used. > It seems CPU bound to me. I've just upgraded one of my servers from 4-10 to 4-20-3. One of the things I noticed is that the size in mem of MailScanner has almost double! Is this reasonable? I've got most of the stuff that causes delays off (RBLS) but its slower and doesn't clear out the queues nearly as fast. I have a set of scripts that tell me how many messages are sitting in each area (incoming, mqueue.in, mqueue, and old queues). 4-10 is MUCH faster. -- Thomas J. DuVally Lead Systems Prog. CIS, Brown Univ. http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x15F233F6 From joelc at CTCHOUSTON.COM Wed Jul 9 19:49:23 2003 From: joelc at CTCHOUSTON.COM (Joel Colvin) Date: Thu Jan 12 21:18:54 2006 Subject: MS Performance In-Reply-To: <463F0AFA3E2CEA4E807EC569C019E739140BBE@atlantis.gtub.corp> Message-ID: <002001c3464a$d1d928e0$6400a8c0@jclaptop> I measure performance by watching the sendmail delay field. If you look at the final delivery of the message, the delay field shows total time from first receipt until delivered locally or to another server. Consequently, delay time shows total time to process through MS, SA and any Virus checks. I only look at messages delivered to my own mail server and ignore outbound mail. 
I have several MS servers, some doing virus checks and some not and I chart the Average Delay time. (See attached .bmp) I am alerted when the average time to process goes over a threshold. On the system with the included chart, I get alerts when the average time exceeds 45 seconds. From this chart, you can see that I run about 7 seconds per message. I size a system based on this number and the peak messages per second that I anticipate. My largest system peaks at about 1.5 messages per second and has an average delay time of 9 seconds. Watching this time, total memory and CPU performance is how I finally solved my performance problems of two months ago. Knowing your peak messages per second is critical to sizing some of the batch variables in MS. Joel P.S. I generate this data with a heavily modified version of David While's Mailstats. -------------- next part -------------- A non-text attachment was scrubbed... Name: delay.bmp Type: image/bmp Size: 60478 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030709/34bbf1e2/delay.bmp From thomas_duvally at BROWN.EDU Wed Jul 9 20:11:24 2003 From: thomas_duvally at BROWN.EDU (Thomas DuVally) Date: Thu Jan 12 21:18:54 2006 Subject: MS Performance In-Reply-To: <002001c3464a$d1d928e0$6400a8c0@jclaptop> References: <002001c3464a$d1d928e0$6400a8c0@jclaptop> Message-ID: <1057777883.685.32.camel@croithine> On Wed, 2003-07-09 at 14:49, Joel Colvin wrote: > P.S. I generate this data with a heavily modified version of David While's > Mailstats. Could you send me or post a copy of that? I'd love to get those kinda stats for my systems! -- Thomas J. DuVally Lead Systems Prog. CIS, Brown Univ. http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x15F233F6 From mike at CAMAROSS.NET Wed Jul 9 19:35:58 2003 From: mike at CAMAROSS.NET (Mike Kercher) Date: Thu Jan 12 21:18:54 2006 Subject: MailScanner not removing virus even though it was found? 
In-Reply-To: <20030709135047.GA20608@bud.cs.uky.edu> Message-ID: <002d01c34648$f12a59a0$9c01a8c0@home.middlefinger.net> I am pasting what was in the email I replied to: Here is some of the configurations, if this helps: Probably what happened is a line got wrapped and I misread it :) Mike % grep -v "^#" MailScanner.conf | egrep "Virus|Deliver" Deliver Unparsable TNEF = no Virus Scanning = yes Virus Scanners = mcafee Virus Scanner Timeout = 300 Deliver Disinfected Files = yes Silent Viruses = HTML-IFrame Klez Yaha-E Bugbear Braid-A WinEvar Palyh Sobig Fizzer Still Deliver Silent Viruses = yes Deleted Virus Message Report = %report-dir%/deleted.virus.message.txt Stored Virus Message Report = %report-dir%/stored.virus.message.txt -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Paul Linton Sent: Wednesday, July 09, 2003 8:51 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: MailScanner not removing virus even though it was found? Hmmm, I doubled checked and did not find it twice. In the off change that this was causing a problem, I did change it to 'none': % grep -v "^#" MailScanner.conf | grep -i virus Virus Scanning = yes Virus Scanners = mcafee Virus Scanner Timeout = 300 Silent Viruses = none Still Deliver Silent Viruses = yes Deleted Virus Message Report = %report-dir%/deleted.virus.message.txt Stored Virus Message Report = %report-dir%/stored.virus.message.txt Sender Virus Report = %report-dir%/sender.virus.report.txt Virus Modify Subject = yes Virus Subject Text = {Virus?} Attachment Warning Filename = VirusWarning.txt Virus Scanner Definitions = %etc-dir%/virus.scanners.conf Same effect. Thanks - I'll keep looking. Doing a 'debug' one-time run didn't show anything else. I'm hesitant to start adding debug statements in all the perl modules. - Paul On Wed, Jul 09, 2003 at 08:37:01AM -0500, Mike Kercher wrote: > The only thing that catches my eye is that you have: > > Silent Viruses = > > defined twice. 
I set my Silent Viruses = none in my config file > because I want to know when a virus is found. I also have > > Still Deliver Silent Viruses = yes > > Mike > > > -----Original Message----- > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On > Behalf Of Paul Linton > Sent: Wednesday, July 09, 2003 8:05 AM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: MailScanner not removing virus even though it was found? > > > On Wed, Jul 09, 2003 at 08:38:59AM +0200, Raymond Dijkxhoorn wrote: > > > seems to be working fine, with the exception of virus removal. > > > MailScanner calls McAfee and sees the virus, but then happily > > > sends the message on, virus and all, no warning to the recipient, > > > etc. Did I miss something in the .conf > > It might be interesting to see your virus settings. > > > > Deliver Disinfected Files = ? > > Silent Viruses = ? > > Still Deliver Silent Viruses = ? > > Here is some of the configurations, if this helps: > > % grep -v "^#" MailScanner.conf | egrep "Virus|Deliver" Deliver > Unparsable TNEF = no Virus Scanning = yes > Virus Scanners = mcafee > Virus Scanner Timeout = 300 > Deliver Disinfected Files = yes > Silent Viruses = HTML-IFrame Klez Yaha-E Bugbear Braid-A WinEvar Palyh Sobig > Fizzer Still Deliver Silent Viruses = yes > Deleted Virus Message Report = %report-dir%/deleted.virus.message.txt > Stored Virus Message Report = %report-dir%/stored.virus.message.txt > Sender Virus Report = %report-dir%/sender.virus.report.txt > Deliver Cleaned Messages = yes > Virus Modify Subject = yes > Virus Subject Text = {Virus?} > Attachment Warning Filename = VirusWarning.txt > Virus Scanner Definitions = %etc-dir%/virus.scanners.conf Deliver In > Background = yes Delivery Method = batch > > Thanks for any help/pointers! 
>
> - Paul
>
> --
> Paul Linton Systems Programmer paul@cs.uky.edu
> UofK Department of Computer Science (859) 257-3962

--
Paul Linton Systems Programmer paul@cs.uky.edu
UofK Department of Computer Science (859) 257-3962

From Kevin_Miller at CI.JUNEAU.AK.US Wed Jul 9 22:15:38 2003
From: Kevin_Miller at CI.JUNEAU.AK.US (Kevin Miller)
Date: Thu Jan 12 21:18:54 2006
Subject: Starting problems on SuSE 8.1
Message-ID: <08146035CA49D6119A36009027AC822A0264E4B2@CITY-EXCH-NTS>

>-----Original Message-----
>From: Roland Ehle [mailto:mailscanner@CARLO65.DE]
>Sent: Sunday, June 15, 2003 1:16 AM
>To: MAILSCANNER@JISCMAIL.AC.UK
>Subject: Starting problems on SuSE 8.1
>
>
>Hi,
>
>since I migrated from SuSE 7.3 to SuSE 8.1 I have problems
>with starting
>MailScanner.
>
>I start MailScanner 4.21-9 with "rcMailScanner start" and I
>get "failed"
>on standard out, but MailScanner seems to be working fine.
>Same is, when
>MailScanner is started at boot.

Sorry for the lack of timeliness of the response - maybe someone else
answered it already or maybe it's a different problem, but I had the same
issue in 8.0.

It turns out that in the script there is a call to a return code status
utility script along the lines of:

    . /etc/rc.status
    rc_reset

which expands the rc.status script into the current environment, then sets
the r.c to (I think) null. As the script trundles through its processing,
in the start section, it starts sendmail and MailScanner, then checks the
return code. Sendmail is a program, so it returns a valid r.c. but
check_MailScanner is a script, which I think has its own environment and
it apparently doesn't know about the parent environment. Thus, the program
starts just fine, but the return code fails as it's not passed back to the
calling script.
I modified mine as below - you can see I just remmed out the last
rc_status check:

    start)
        echo -n "Initializing Sendmail with In_Args"
        startproc -p $srvpid /usr/sbin/sendmail $SENDMAIL_IN_ARGS
        rc_status -v
        echo -n "Initializing Sendmail with Client_Args"
        startproc -f -p $msppid /usr/sbin/sendmail $SENDMAIL_CLIENT_ARGS
        rc_status -v
        echo -n "Initializing Sendmail with Out_Args"
        startproc -f -p $srvoutpid /usr/sbin/sendmail $SENDMAIL_OUT_ARGS
        rc_status -v
        echo "Initializing MailScanner via check_MailScanner"
        startproc -f -p $mspid /usr/sbin/check_MailScanner > /dev/null
        # rc_status -v
        ;;

To ensure that MailScanner is actually started it's easy enough to run ps
afterwards if in doubt. It's never failed to start for me though.

I did spend a few days trying to track this one down - plumb boggled me
for a bit, until I threw it out to my local Linux Users Group...

HTH...

...Kevin
-------------------
Kevin Miller                Registered Linux User No: 307357
CBJ MIS Dept.               Network Systems Administrator, Mail Administrator
155 South Seward Street     ph: (907) 586-0242
Juneau, Alaska 99801        fax: (907 586-4500
>

From wpc4 at DODGETHIS.ORG Wed Jul 9 22:36:28 2003
From: wpc4 at DODGETHIS.ORG (William Curley)
Date: Thu Jan 12 21:18:54 2006
Subject: Stop/Reload MailScanner
Message-ID: <1057786588.c4210b87f1f3d@mail.cynical.us>

I am trying to figure out the process to stop MailScanner and to also
reload the configuration. Looking back through list archives I see
references to an init.d script, I do not see that in the
MailScanner-4.22-5.tar.gz package. I have also looked over the website and
have not seen this. Is this available elsewhere or have the steps to
restart MailScanner since changed?

Thanks

William Curley
Dodgethis Services
http://www.dodgethis.org

From raymond at PROLOCATION.NET Wed Jul 9 22:56:22 2003
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:18:54 2006
Subject: Stop/Reload MailScanner
In-Reply-To: <1057786588.c4210b87f1f3d@mail.cynical.us>
Message-ID:

Hi!
> I am trying to figure out the process to stop MailScanner and to also reload the
> configuration. Looking back through list archives I see references to an init.d
> script, I do not see that in the MailScanner-4.22-5.tar.gz package. I have also
> looked over the website and have not seen this. Is this available elsewhere or
> have the steps to restart MailScanner since changed? Thanks

This was mentioned a few days ago also. Please look inside the RPM distro.

Bye,
Raymond.

From Steve at swaney.com Thu Jul 10 00:54:36 2003
From: Steve at swaney.com (Stephen Swaney)
Date: Thu Jan 12 21:18:54 2006
Subject: Stopping all notifications to users
In-Reply-To: <08146035CA49D6119A36009027AC822A0264E4B2@CITY-EXCH-NTS>
References: <08146035CA49D6119A36009027AC822A0264E4B2@CITY-EXCH-NTS>
Message-ID: <1057794875.14648.2.camel@speedy>

Is there any easy way to stop all virus notifications to recipients but
still send the notifications to postmaster?

Thanks in advance,

Steve

Steve Swaney
Steve@Swaney.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030709/0acbec95/attachment.html

From Antony at SOFT-SOLUTIONS.CO.UK Thu Jul 10 01:01:06 2003
From: Antony at SOFT-SOLUTIONS.CO.UK (Antony Stone)
Date: Thu Jan 12 21:18:54 2006
Subject: Stopping all notifications to users
In-Reply-To: <1057794875.14648.2.camel@speedy>
References: <08146035CA49D6119A36009027AC822A0264E4B2@CITY-EXCH-NTS> <1057794875.14648.2.camel@speedy>
Message-ID: <200307100003.h6A033g23412@agate.rockstone.co.uk>

On Thursday 10 July 2003 12:54 am, Stephen Swaney wrote:

> Is there any easy way to stop all virus notifications to recipients but
> still send the notifications to postmaster?

Send Notices = yes
Notices To = Postmaster@Your.Domain.Com
Deliver Disinfected Files = no

Regards,

Antony

--
Windows: just another pane in the glass.
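Joel Colvin's "MS Performance" post earlier in this digest measures a MailScanner box from the delay= field that sendmail logs on final delivery, counting only mail delivered to his own server and alerting above 45 seconds. The following Python is an added example, not Joel's modified Mailstats and not part of any message here; the log lines, host names, the own_relays parameter and the Little's-law in-flight estimate are assumptions of the example.

```python
import re
from collections import Counter

# Constructed sendmail delivery log lines (hosts, queue IDs and addresses
# are invented for this example).
SAMPLE_LOG = """\
Jul  9 14:00:01 mx1 sendmail[2101]: h69J01aa002101: to=<alice@example.com>, delay=00:00:07, xdelay=00:00:01, mailer=local, pri=30512, dsn=2.0.0, stat=Sent
Jul  9 14:00:09 mx1 sendmail[2102]: h69J02aa002102: to=<bob@example.com>, delay=00:00:09, xdelay=00:00:02, mailer=esmtp, pri=31044, relay=mailstore.example.com. [192.0.2.10], dsn=2.0.0, stat=Sent (ok)
Jul  9 14:00:30 mx1 sendmail[2103]: h69J03aa002103: to=<carol@example.net>, delay=00:00:05, xdelay=00:00:03, mailer=esmtp, pri=30210, relay=mx.example.net. [198.51.100.7], dsn=2.0.0, stat=Sent (ok)
Jul  9 14:00:41 mx1 sendmail[2104]: h69J04aa002104: to=<dave@example.com>, delay=00:04:10, xdelay=00:00:00, mailer=local, pri=120455, dsn=4.0.0, stat=Deferred: local mailer (/usr/bin/procmail) exited with EX_TEMPFAIL
Jul  9 14:01:15 mx1 sendmail[2105]: h69J05aa002105: to=<erin@example.com>, delay=00:01:32, xdelay=00:00:01, mailer=local, pri=30988, dsn=2.0.0, stat=Sent
Jul  9 14:01:20 mx1 sendmail[2106]: h69J06aa002106: from=<x@example.org>, size=1821, class=0, nrcpts=1, proto=ESMTP, relay=[203.0.113.5]
"""

# \b keeps "xdelay=" (time of the last delivery attempt only) from matching.
# sendmail prints delays as hh:mm:ss, or d+hh:mm:ss once they pass a day.
DELAY_RE = re.compile(r"\bdelay=(?:(\d+)\+)?(\d+):(\d\d):(\d\d)")
MAILER_RE = re.compile(r"\bmailer=(\w+)")
RELAY_RE = re.compile(r"\brelay=([^\s,\[]+)")


def parse_delay(line):
    """Return the delay= value of a sendmail log line in seconds, or None."""
    m = DELAY_RE.search(line)
    if not m:
        return None
    days, hours, minutes, seconds = (int(g or 0) for g in m.groups())
    return ((days * 24 + hours) * 60 + minutes) * 60 + seconds


def inbound_deliveries(lines, own_relays=()):
    """Yield (minute_bucket, delay_seconds) for completed inbound deliveries.

    Inbound means mailer=local, or a relay listed in own_relays (assumption:
    the scanner forwards to an internal mail store). Outbound mail, deferred
    attempts and from= lines are ignored, as in the post.
    """
    own = {r.rstrip(".").lower() for r in own_relays}
    for line in lines:
        if "stat=Sent" not in line:
            continue  # not a final, successful delivery
        delay = parse_delay(line)
        mailer = MAILER_RE.search(line)
        if delay is None or mailer is None:
            continue
        relay = RELAY_RE.search(line)
        relay_host = relay.group(1).rstrip(".").lower() if relay else ""
        if mailer.group(1) == "local" or relay_host in own:
            # Syslog timestamps are fixed width; the first 12 characters
            # ("Mmm dd hh:mm") identify the minute.
            yield line[:12], delay


def summarize(lines, own_relays=(), alert_seconds=45):
    """Average delay, peak rate and alert flag for inbound deliveries."""
    deliveries = list(inbound_deliveries(lines, own_relays))
    if not deliveries:
        return {"count": 0, "avg_delay": 0.0, "peak_rate": 0.0,
                "in_flight": 0.0, "alert": False}
    per_minute = Counter(bucket for bucket, _ in deliveries)
    avg = sum(delay for _, delay in deliveries) / len(deliveries)
    peak_rate = max(per_minute.values()) / 60.0  # messages per second
    return {
        "count": len(deliveries),
        "avg_delay": avg,
        "peak_rate": peak_rate,
        # Little's law: messages in the system = arrival rate x time in system.
        "in_flight": peak_rate * avg,
        "alert": avg > alert_seconds,
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG.splitlines(),
                    own_relays=["mailstore.example.com"]))
```

With the figures quoted in the post (1.5 messages per second at a 9 second average delay), the same product gives about 13.5 messages in the system at peak.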
From danieltan at shopnsave.com.sg Thu Jul 10 05:06:48 2003 From: danieltan at shopnsave.com.sg (Daniel Tan) Date: Thu Jan 12 21:18:54 2006 Subject: postmaster not getting any email reports? Message-ID: <001f01c34698$b06fdc00$3900a8c0@Daniel> hi, postmaster not receiving email after virus detected? previously was working fine... check mailscanner.conf file and send notices to sys admin is yes Regards, Daniel Tan 67469188 Ext.665 DID: 68430665 MIS Department Shop N Save Pte Ltd : danieltan@shopnsave.com.sg [This e-mail is confidential and may also be privileged. If you are not the intended recipient, please delete it and notify us immediately; you should not copy or use it for any purpose, nor disclose its contents to any other person. Thank you.] From David.While at UCE.AC.UK Thu Jul 10 08:34:58 2003 From: David.While at UCE.AC.UK (David While) Date: Thu Jan 12 21:18:54 2006 Subject: MS Performance Message-ID: <107DE25EC0216C45AEF670016024245F6EEE@exchangea.staff.uce.ac.uk> Could you let me have a copy - I will look at incorporating into the main version. Seems useful to me. ----------------------------------------------------------------- David While Technical Development Manager Faculty of Computing, Information & English University of Central England Tel: 0121 331 6211 ----------------------------------------------------------------- -----Original Message----- From: Joel Colvin [mailto:joelc@CTCHOUSTON.COM] Sent: 09 July 2003 19:49 To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: MS Performance I measure performance by watching the sendmail delay field. If you look at the final delivery of the message, the delay field shows total time from first receipt until delivered locally or to another server. Consequently, delay time shows total time to process through MS, SA and any Virus checks. I only look at messages delivered to my own mail server and ignore outbound mail. I have several MS servers, some doing virus checks and some not and I chart the Average Delay time. 
(See attached .bmp) I am alerted when the average time to process goes over
a threshold. On the system with the included chart, I get alerts when the
average time exceeds 45 seconds. From this chart, you can see that I run
about 7 seconds per message. I size a system based on this number and the
peak messages per second that I anticipate. My largest system peaks at
about 1.5 messages per second and has an average delay time of 9 seconds.
Watching this time, total memory and CPU performance is how I finally
solved my performance problems of two months ago. Knowing your peak
messages per second is critical to sizing some of the batch variables in
MS.

Joel

P.S. I generate this data with a heavily modified version of David While's
Mailstats.

From giampiero.raschetti at POPSO.IT Thu Jul 10 13:35:42 2003
From: giampiero.raschetti at POPSO.IT (Giampiero Raschetti)
Date: Thu Jan 12 21:18:54 2006
Subject: MailScanner not removing virus even though it was found?
Message-ID:

I have just upgraded to the latest mailscan 4.22-5 from 4.13-x and I'm
registering exactly the same problem:

Jul 10 12:40:33 neutrino MailScanner[26052]: New Batch: Scanning 1 messages, 101382 bytes
Jul 10 12:40:34 neutrino MailScanner[26052]: Virus and Content Scanning: Starting
Jul 10 12:40:34 neutrino MailScanner[26052]: McAfee said "/home1/spool/MailScanner/incoming/26052/h6AAeWE00411/sirc-virus.zip/SIRC32-VIRUS.EXE"
Jul 10 12:40:34 neutrino MailScanner[26052]: McAfee said " Found the W32/SirCam@MM virus !!!"
Jul 10 12:40:34 neutrino MailScanner[26052]: /home1/spool/MailScanner/incoming/26052/h6AAeWE00411/sirc-virus.zip/SIRC32-VIRUS.EXE Found the W32/SirCam@MM virus !!!
Jul 10 12:40:34 neutrino MailScanner[26052]: Virus Scanning: McAfee found 1 infections
Jul 10 12:40:34 neutrino MailScanner[26052]: Virus Scanning: Found 1 viruses
Jul 10 12:40:34 neutrino MailScanner[26052]: Uninfected: Delivered 1 messages

In the configuration file there are absolutely no changes from the default
parameters.
MailScan 4.22-5 has been installed from RPM package and it is working using
McAfee antivirus. Every other functionality works fine.

Need to investigate more deeply on this quest.

GR

From TGFurnish at HERFF-JONES.COM Thu Jul 10 14:48:08 2003
From: TGFurnish at HERFF-JONES.COM (Furnish, Trever G)
Date: Thu Jan 12 21:18:54 2006
Subject: MailScanner 101, take two.
Message-ID: <8FFC76593085ED4A80D3601BC41EFCDF0C070D@inex1.herffjones.hj-int>

>-----Original Message-----
>From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK]
>Sent: Thursday, July 03, 2003 5:38 AM
>To: MAILSCANNER@JISCMAIL.AC.UK
>Subject: Re: MailScanner 101, take two.
>
>
>Do it separately. And don't use the RPM of SpamAssassin.
>Either download it
>and build from source or use CPAN to install it. To build it by hand,
>unpack the .tar.gz archive, "cd" into it and do this:
>    perl Makefile.PL
>    make
>    make test
>    make install

Note though that 'make test' for spamassassin will fail if the system's
network ports are sufficiently locked down by iptables/ipchains. It hangs
for a long time. If that happens to you, try turning off ipchains/iptables
while you run make test, then turn it on again when you're done.

>Yes. Just set "Virus Scanners = f-prot" or whatever is
>appropriate for your
>scanner, in /etc/MailScanner/MailScanner.conf.

And if, like me, your first thought upon seeing that was "well how do I
know it's 'f-prot' instead of 'F-Prot' or 'fprot'", then it's worth noting
that the list of virus scanners is in the virus.scanners.conf file (which
for me is in /etc/MailScanner).

HTH,
Trever

From David.While at UCE.AC.UK Thu Jul 10 15:23:57 2003
From: David.While at UCE.AC.UK (David While)
Date: Thu Jan 12 21:18:54 2006
Subject: MS Performance --> mailstats
Message-ID: <107DE25EC0216C45AEF670016024245F6EEF@exchangea.staff.uce.ac.uk>

I think you are referring to the mailstats that comes with sendmail - my
mailstats is actually mailstats.pl a Perl script which does produce graphs
etc.
See http://staff.cie.uce.ac.uk/~id001869/mailstats/ ----------------------------------------------------------------- David While Technical Development Manager Faculty of Computing, Information & English University of Central England Tel: 0121 331 6211 ----------------------------------------------------------------- -----Original Message----- From: Tom Sevy [mailto:tom.sevy@intercept.net] Sent: 10 July 2003 15:10 To: 'David.While@UCE.AC.UK' Subject: RE: MS Performance --> mailstats I found mailstats in my rh9 already installed. Is there a package or anything available to produce graphs from the mailstats output? I am running mrtg-mailscanner now.... -----Original Message----- From: David While [mailto:David.While@UCE.AC.UK] Sent: Thursday, July 10, 2003 3:35 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: MS Performance Could you let me have a copy - I will look at incorporating into the main version. Seems useful to me. ----------------------------------------------------------------- David While Technical Development Manager Faculty of Computing, Information & English University of Central England Tel: 0121 331 6211 ----------------------------------------------------------------- -----Original Message----- From: Joel Colvin [mailto:joelc@CTCHOUSTON.COM] Sent: 09 July 2003 19:49 To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: MS Performance I measure performance by watching the sendmail delay field. If you look at the final delivery of the message, the delay field shows total time from first receipt until delivered locally or to another server. Consequently, delay time shows total time to process through MS, SA and any Virus checks. I only look at messages delivered to my own mail server and ignore outbound mail. I have several MS servers, some doing virus checks and some not and I chart the Average Delay time. (See attached .bmp) I am alerted when the average time to process goes over a threshold. 
On the system with the included chart, I get alerts when the average time exceeds 45 seconds. From this chart, you can see that I run about 7 seconds per message. I size a system based on this number and the peak messages per second that I anticipate. My largest system peaks at about 1.5 messages per second and has an average delay time of 9 seconds. Watching this time, total memory and CPU performance is how I finally solved my performance problems of two months ago. Knowing your peak messages per second is critical to sizing some of the batch variables in MS. Joel P.S. I generate this data with a heavily modified version of David While's Mailstats. From P.G.M.Peters at utwente.nl Thu Jul 10 15:25:54 2003 From: P.G.M.Peters at utwente.nl (Peter Peters) Date: Thu Jan 12 21:18:54 2006 Subject: MailScanner not removing virus even though it was found? In-Reply-To: References: Message-ID: <8otqgvsj3coi6vrle49lgrp61ev4du4a8g@4ax.com> On Thu, 10 Jul 2003 13:35:42 +0100, you wrote: >I'have just upgraded to the latest mailscan 4.22-5 from 4.13-x and >I'm registering exatly the same problem: > >Jul 10 12:40:34 neutrino MailScanner[26052]: McAfee said >"/home1/spool/MailScanner/incoming/26052/h6AAeWE00411/sirc-virus.zip/SIRC32-VIRUS.EXE" > >Jul 10 12:40:34 neutrino MailScanner[26052]: McAfee said " Found the >W32/SirCam@MM virus !!!" >Jul 10 12:40:34 neutrino MailScanner[26052]: >/home1/spool/MailScanner/incoming/26052/h6AAeWE00411/sirc-virus.zip/SIRC32-VIRUS.EXE > Found the W32/SirCam@MM virus !!! As far as I understand it MS starts the virusscanner to check whether a virus is detected. If at least one message in a batch has a virus MS starts the virusscanner with the clean option. Perhaps McAfee doesn't act (anymore) on that option. 
-- Peter Peters, senior netwerkbeheerder Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE) Universiteit Twente, Postbus 217, 7500 AE Enschede telefoon: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/civ From richard at HELPPLC.COM Thu Jul 10 15:37:06 2003 From: richard at HELPPLC.COM (Richard Sidlin) Date: Thu Jan 12 21:18:54 2006 Subject: Chinese Emails Message-ID: <002d01c346f0$bff13fe0$1a00000a@rich> I put a message up a couple of weeks ago but I am still having a problem with emails being received in what looks like Chinese. I added a few lines on language settings in the spam assassin conf file that someone suggested but that hasn't cured it. It's really only coming in on one email address but my customer is getting very agitated about it! Anyone help please? BTW, it's coming from all sorts of addresses and domains. Richard Sidlin -- This message has been scanned for viruses and dangerous content by the Help Internet Virus Spam Defence, and is believed to be clean. For details on having your email scanned email support@helpinternet.co.uk From Kevin.Spicer at BMRB.CO.UK Thu Jul 10 15:43:51 2003 From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin) Date: Thu Jan 12 21:18:54 2006 Subject: Chinese Emails Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0EBF709@pascal.priv.bmrb.co.uk> Richard Sidlin wrote: > I put a message up a couple of weeks ago but I am still having a > problem with emails being received in what looks like Chinese. I > added a few lines on language settings in the spam assassin conf file > that someone suggested but that hasn't cured it. It's really only > coming in on one email address but my customer is getting very > agitated about it! Anyone help please? BTW, it's coming from all > sorts of addresses and domains. I've just checked the archive and the example you posted previously had not been scanned by MailScanner, could you post some example headers where MailScanner has scanned it please. 
If MailScanner isn't scanning any of them you need to work out why (maybe you have a mis-configured ruleset somewhere?). Preferably post headers for a representative message and grep your maillog for the messageid and post the lines you find. BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. From gerry at dorfam.ca Thu Jul 10 15:45:15 2003 From: gerry at dorfam.ca (Gerry Doris) Date: Thu Jan 12 21:18:54 2006 Subject: Chinese Emails In-Reply-To: <002d01c346f0$bff13fe0$1a00000a@rich> References: <002d01c346f0$bff13fe0$1a00000a@rich> Message-ID: <12913.129.80.22.133.1057848315.squirrel@tiger.dorfam.ca> > I put a message up a couple of weeks ago but I am still having a problem > with emails being received in what looks like Chinese. I added a few > lines on language settings in the spam assassin conf file that someone > suggested but that hasn't cured it. It's really only coming in on one > email address but my customer is getting very agitated about it! Anyone > help please? BTW, it's coming from all sorts of addresses and domains. > > > Richard Sidlin Have you checked the headers for "charset=some_character_set"? If they arrive with Big-5, Korean, etc you can easily screen for them. 
Gerry From joelc at CTCHOUSTON.COM Thu Jul 10 15:44:53 2003 From: joelc at CTCHOUSTON.COM (Joel Colvin) Date: Thu Jan 12 21:18:54 2006 Subject: MS Performance In-Reply-To: <107DE25EC0216C45AEF670016024245F6EEE@exchangea.staff.uce.ac.uk> Message-ID: <005c01c346f1$d3517720$6400a8c0@jclaptop> David, I'll send you a copy and explain my changes. I probably won't have time for a couple days but I'll send it and you can decide if any of my mods are worth adding. Joel -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of David While Sent: Thursday, July 10, 2003 2:35 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: MS Performance Could you let me have a copy - I will look at incorporating into the main version. Seems useful to me. ----------------------------------------------------------------- David While Technical Development Manager Faculty of Computing, Information & English University of Central England Tel: 0121 331 6211 ----------------------------------------------------------------- -----Original Message----- From: Joel Colvin [mailto:joelc@CTCHOUSTON.COM] Sent: 09 July 2003 19:49 To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: MS Performance I measure performance by watching the sendmail delay field. If you look at the final delivery of the message, the delay field shows total time from first receipt until delivered locally or to another server. Consequently, delay time shows total time to process through MS, SA and any Virus checks. I only look at messages delivered to my own mail server and ignore outbound mail. I have several MS servers, some doing virus checks and some not and I chart the Average Delay time. (See attached .bmp) I am alerted when the average time to process goes over a threshold. On the system with the included chart, I get alerts when the average time exceeds 45 seconds. From this chart, you can see that I run about 7 seconds per message. 
I size a system based on this number and the peak messages per second that I anticipate. My largest system peaks at about 1.5 messages per second and has an average delay time of 9 seconds. Watching this time, total memory and CPU performance is how I finally solved my performance problems of two months ago. Knowing your peak messages per second is critical to sizing some of the batch variables in MS. Joel P.S. I generate this data with a heavily modified version of David While's Mailstats. From richard at HELPPLC.COM Thu Jul 10 16:24:29 2003 From: richard at HELPPLC.COM (Richard Sidlin) Date: Thu Jan 12 21:18:54 2006 Subject: Chinese Emails In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB0EBF709@pascal.priv.bmrb.co.uk> Message-ID: <002f01c346f7$5f80f860$1a00000a@rich> >Subject: Re: Chinese Emails > > >Richard Sidlin wrote: >> I put a message up a couple of weeks ago but I am still having a >> problem with emails being received in what looks like >Chinese. I added >> a few lines on language settings in the spam assassin conf file that >> someone suggested but that hasn't cured it. It's really only >coming in >> on one email address but my customer is getting very agitated about >> it! Anyone help please? BTW, it's coming from all sorts of addresses >> and domains. > > >I've just checked the archive and the example you posted >previously had not been scanned by MailScanner, could you post >some example headers where MailScanner has scanned it please. >If MailScanner isn't scanning any of them you need to work out >why (maybe you have a mis-configured ruleset somewhere?). >Preferably post headers for a representative message and grep >your maillog for the messageid and post the lines you find. > Headers of an example: Return-Path: Received: from hero ([210.21.34.186]) by hosting.helpplc.co.uk (8.10.2/8.10.2) with SMTP id h6A2ObS03588 for ; Thu, 10 Jul 2003 03:24:38 +0100 Message-Id: <200307100224.h6A2ObS03588@ns.helpplc.co.uk> Date: Thu, 10 Jul 03 10:25:45 ???????????? 
From: "??????????????????????????????"
Reply-To: "??????????????????????????????"
To: info@xxxxxx.co.uk
Subject: ????????????????????????????????????????????
MIME-Version: 1.0
Content-type: multipart/mixed; boundary="----=_NextPart_000_006C_0DF30091.29D901B4"
X-MailScanner-Information: Provided by Help Internet - 01707 897111
X-MailScanner: Found to be clean
X-UIDL: L_G"!e>H!!cRS"!1@I!!

--
This message has been scanned for viruses and dangerous content by the
Help Internet Virus Spam Defence, and is believed to be clean. For details
on having your email scanned email support@helpinternet.co.uk

From hzhu at wesleyan.edu Thu Jul 10 16:17:15 2003
From: hzhu at wesleyan.edu (Hong Zhu)
Date: Thu Jan 12 21:18:54 2006
Subject: Too many open files + Cannot create + lock headers file
Message-ID:

Hi All,

We installed mailscanner 4.21-9 on a Solaris 8 system, I updated max file
descriptor to be unlimited in "/opt/MailScanner/bin/check_mailscanner"

from:
    ulimit -n 2000 >/dev/null 2>&1
to:
    ulimit -n unlimited >/dev/null 2>&1

I terminated old MailScanner processes, then ran "check_mailscanner", but
I still saw following errors in the log:

MailScanner[14033]: Could not open file >/var/spool/MailScanner/incoming/14033/h6AEnFre013009.header: Too many open files
MailScanner[14033]: Cannot create + lock headers file /var/spool/MailScanner/incoming/14033/h6AEnFre013009.header,

Is there anything else that I need to update?

Your quick response is highly appreciated,

many thanks,

hong

From Kevin.Spicer at BMRB.CO.UK Thu Jul 10 16:33:12 2003
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin)
Date: Thu Jan 12 21:18:54 2006
Subject: Chinese Emails
Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0EBF70A@pascal.priv.bmrb.co.uk>

> X-MailScanner-Information: Provided by Help Internet - 01707 897111
> X-MailScanner: Found to be clean X-UIDL: L_G"!e>H!!cRS"!1@I!!
Okay, so it is being scanned - if you change

Always Include SpamAssassin Report = no

to

Always Include SpamAssassin Report = yes

in MailScanner.conf the headers should then tell you what score SA is
giving it and why.

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000
_________________________________________________________________
This message (and any attachment) is intended only for the recipient and
may contain confidential and/or privileged material. If you have received
this in error, please contact the sender and delete this message
immediately. Disclosure, copying or other action taken in respect of this
email or in reliance on it is prohibited. BMRB International Limited
accepts no liability in relation to any personal emails, or content of any
email which does not directly relate to our business.

From TGFurnish at HERFF-JONES.COM Thu Jul 10 16:43:17 2003
From: TGFurnish at HERFF-JONES.COM (Furnish, Trever G)
Date: Thu Jan 12 21:18:54 2006
Subject: really easy Q for someone: what is sendmail's -Ac option?
Message-ID: <8FFC76593085ED4A80D3601BC41EFCDF0C028C@inex1.herffjones.hj-int>

Ok, I've always just accepted -Ac as an option for sendmail, but for
whatever reason today I wanted to verify that it does what I think it does
- but I can't find it documented. :-( Then again I've always hated trying
to find documentation for sendmail so maybe it's just me.

Could someone enlighten me as to the meaning of the -Ac option to
sendmail? Is it "aliases check"?

-t.

From mikea at MIKEA.ATH.CX Thu Jul 10 16:44:58 2003
From: mikea at MIKEA.ATH.CX (mikea)
Date: Thu Jan 12 21:18:54 2006
Subject: really easy Q for someone: what is sendmail's -Ac option?
In-Reply-To: <8FFC76593085ED4A80D3601BC41EFCDF0C028C@inex1.herffjones.hj-int>; from TGFurnish@HERFF-JONES.COM on Thu, Jul 10, 2003 at 10:43:17AM -0500
References: <8FFC76593085ED4A80D3601BC41EFCDF0C028C@inex1.herffjones.hj-int>
Message-ID: <20030710104458.A32005@mikea.ath.cx>

On Thu, Jul 10, 2003 at 10:43:17AM -0500, Furnish, Trever G wrote:
> Ok, I've always just accepted -Ac as an option for sendmail, but for
> whatever reason today I wanted to verify that it does what I think it does -
> but I can't find it documented. :-( Then again I've always hated trying to
> find documentation for sendmail so maybe it's just me.
>
> Could someone enlighten me as to the meaning of the -Ac option to sendmail?
> Is it "aliases check"?

: $man sendmail
:
: ...
:      -Ac    Use submit.cf even if the operation mode does not
:             indicate an initial mail submission.
: ...

--
Mike Andrews
mikea@mikea.ath.cx
Tired old sysadmin since 1964

From Kevin.Spicer at BMRB.CO.UK Thu Jul 10 16:47:54 2003
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin)
Date: Thu Jan 12 21:18:54 2006
Subject: really easy Q for someone: what is sendmail's -Ac option?
Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0EBF70B@pascal.priv.bmrb.co.uk>

Furnish, Trever G wrote:
> Ok, I've always just accepted -Ac as an option for sendmail, but for
> whatever reason today I wanted to verify that it does what I think it
> does - but I can't find it documented. :-( Then again I've always
> hated trying to find documentation for sendmail so maybe it's just me.

man sendmail

     -Ac    Use submit.cf even if the operation mode does not indicate an
            initial mail submission.

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000
_________________________________________________________________
This message (and any attachment) is intended only for the recipient and
may contain confidential and/or privileged material. If you have received
this in error, please contact the sender and delete this message immediately.
Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. From richard_cipher at YAHOO.COM Thu Jul 10 17:11:15 2003 From: richard_cipher at YAHOO.COM (Evert Ford) Date: Thu Jan 12 21:18:54 2006 Subject: Chinese Emails In-Reply-To: <002d01c346f0$bff13fe0$1a00000a@rich> Message-ID: Are you using SpamAssassin with MailScanner? SpamAssassin has a score for 'MIME_CHARSET_FARAWAY' of 2.45 (at least in my version). You might consider upping this value in spam.assassin.prefs.conf (e.g. 'score MIME_CHARSET_FARAWAY 3' or even higher if that doesn't do it) Evert Ford Information Analyst Westone Laboratories http://www.westone.com -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Richard Sidlin Sent: Thursday, July 10, 2003 8:37 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Chinese Emails I put a message up a couple of weeks ago but I am still having a problem with emails being received in what looks like Chinese. I added a few lines on language settings in the spam assassin conf file that someone suggested but that hasn't cured it. It's really only coming in on one email address but my customer is getting very agitated about it! Anyone help please? BTW, it's coming from all sorts of addresses and domains. Richard Sidlin -- This message has been scanned for viruses and dangerous content by the Help Internet Virus Spam Defence, and is believed to be clean. For details on having your email scanned email support@helpinternet.co.uk --- Incoming mail is certified Virus Free. Checked by AVG anti-virus system (http://www.grisoft.com). Version: 6.0.483 / Virus Database: 279 - Release Date: 5/19/03 --- Outgoing mail is certified Virus Free. Checked by AVG anti-virus system (http://www.grisoft.com). 
Version: 6.0.483 / Virus Database: 279 - Release Date: 5/19/03 From TGFurnish at HERFF-JONES.COM Thu Jul 10 17:19:19 2003 From: TGFurnish at HERFF-JONES.COM (Furnish, Trever G) Date: Thu Jan 12 21:18:54 2006 Subject: really easy Q for someone: what is sendmail's -Ac option? Message-ID: <8FFC76593085ED4A80D3601BC41EFCDF0C028E@inex1.herffjones.hj-int> Thanks, Kevin and Mike. My sendmail man page is missing that info. :-( Guess I'll grab the latest version from sendmail.org for comparison. >-----Original Message----- >From: Spicer, Kevin [mailto:Kevin.Spicer@BMRB.CO.UK] >Sent: Thursday, July 10, 2003 10:48 AM >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Re: really easy Q for someone: what is sendmail's -Ac option? > > >Furnish, Trever G wrote: >> Ok, I've always just accepted -Ac as an option for sendmail, but for >> whatever reason today I wanted to verify that it does what I think it >> does - but I can't find it documented. :-( Then again I've always >> hated trying to find documentation for sendmail so maybe >it's just me. > >man sendmail > > > -Ac Use submit.cf even if the operation mode does not >indicate an > initial mail submission. > > > > > >BMRB International >http://www.bmrb.co.uk >+44 (0)20 8566 5000 >_________________________________________________________________ >This message (and any attachment) is intended only for the >recipient and may contain confidential and/or privileged >material. If you have received this in error, please contact the >sender and delete this message immediately. Disclosure, copying >or other action taken in respect of this email or in >reliance on it is prohibited. BMRB International Limited >accepts no liability in relation to any personal emails, or >content of any email which does not directly relate to our >business. > From m.sapsed at BANGOR.AC.UK Thu Jul 10 17:24:32 2003 From: m.sapsed at BANGOR.AC.UK (Martin Sapsed) Date: Thu Jan 12 21:18:54 2006 Subject: MailScanner + Procmail? 
References: <006701c3462f$9d5f1f90$bc0aa8c0@epx.com>
Message-ID: <3F0D9340.7010604@bangor.ac.uk>

Tom Sevy wrote:
> Does anyone have MailScanner + Procmail running on the same system?
>
> I would like, for just one single local user, to run procmail so I can sort
> mail into folders.
>
> Will this work?
>
> Any gotchas? I have never run procmail so I don't yet know anything about
> it other than that it is there....

As Kevin has suggested you can either have sendmail use procmail as a delivery agent or (I guess?) you could put a call to procmail in a .forward file if you only want one person using it rather than everyone?

Nothing really to do with MailScanner though.

Cheers,

Martin

--
Martin Sapsed
Information Services "Who do you say I am?"
University of Wales, Bangor Jesus of Nazareth

From lvargas at CFT.COM.MX Thu Jul 10 19:17:18 2003
From: lvargas at CFT.COM.MX (Luis Amado Vargas)
Date: Thu Jan 12 21:18:54 2006
Subject: MailScanner in Raq4
Message-ID: <000001c3470f$85eab960$0402a8c0@ATILVARGAS>

I've serious problem with MailScanner, i followed the installation instruction line by line for Cobalt Raq4, i first install f-prot, then MailScanner and then SpamAssassin, and only have a problem with chkconfig command.

I check the status for MailScanner

[root /]# /etc/rc.d/init.d/MailScanner status
Checking MailScanner daemons:
MailScanner: ok
incoming sendmail: ok
outgoing sendmail: ok

In the maillog appears this

Jul 9 14:18:34 ns5 MailScanner[18086]: MailScanner E-Mail Virus Scanner version 4.21-9 starting...
Jul 9 14:18:34 ns5 MailScanner[18086]: SpamAssassin installation could not be found

If i try to send infected mail or any mail and .... the MailScanner is not working , not send and receive any mail

any commentary on the matter

Please Urgent !!!

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030710/4c36b9f5/attachment.html

From michele at BLACKNIGHTSOLUTIONS.COM Thu Jul 10 17:35:28 2003
From: michele at BLACKNIGHTSOLUTIONS.COM (Michele Neylon:: Blacknight Solutions)
Date: Thu Jan 12 21:18:54 2006
Subject: MailScanner in Raq4
In-Reply-To: <000001c3470f$85eab960$0402a8c0@ATILVARGAS>
Message-ID: <200307101634.h6AGYXA06115@camelot.blacknightsolutions.com>

How did you install SpamAssassin?
RAQs can be a real pain, as their version of Perl (unless you've upgraded it) is rather old...

Mr. Michele Neylon
Blacknight Solutions
http://www.blacknightsolutions.com
Spam and virus scanning available
#########################################################
This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance to it is prohibited.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030710/c239d40a/attachment.html

From wpc4 at DODGETHIS.ORG Thu Jul 10 17:38:27 2003
From: wpc4 at DODGETHIS.ORG (William Curley)
Date: Thu Jan 12 21:18:54 2006
Subject: Postfix & Mailscanner
Message-ID: <1057855107.7a5141f7dba78@mail.cynical.us>

The documentation for configuring postfix with mailscanner appears to be a little bit sparse. It states that postfix must be chrooted but doesn't explain which services in master.cf need to be chrooted. I didn't set any of the services to chroot and it appears to be working fine, I just want to verify it isn't going to implode by me not doing something correctly.

From damian at WORKGROUPSOLUTIONS.COM Thu Jul 10 17:40:53 2003
From: damian at WORKGROUPSOLUTIONS.COM (Damian Mendoza)
Date: Thu Jan 12 21:18:54 2006
Subject: MailScanner delivering SPAM messages
Message-ID:

Hi,

I'm starting to see messages that are marked as SPAM being delivered by MailScanner - (version 4.12-2.) This only happens occasionally - The majority of SPAM messages are not delivered, just deleted which is defined in spam.actions.rules file.

Any ideas?

Maillog File = Problem Message ID = h6A04Q9G032454

Jul 9 17:03:59 spamgate MailScanner[25750]: Spam Checks: Starting
Jul 9 17:04:00 spamgate MailScanner[25750]: Message h6A03u9F032449 from 198.188.250.254 (g.ss01.net) to svusd.k12.ca.us is spam, SpamAssassin (score=4.9, required 4, BAYES_10, DCC_CHECK, EXCUSE_1, REMOVE_PAGE)
Jul 9 17:04:00 spamgate MailScanner[25750]: Spam Checks: Found 1 spam messages
Jul 9 17:04:00 spamgate MailScanner[25750]: Spam Actions: message h6A03u9F032449 actions are delete
Jul 9 17:04:00 spamgate MailScanner[25750]: Virus and Content Scanning: Starting
Jul 9 17:04:27 spamgate sendmail[32454]: h6A04Q9F032454: from=, size=2207, class=0, nrcpts=1, msgid=<2730416505.01380945810856@kroc.com>, proto=ESMTP, daemon=MTA, relay=gateway.svusd.k12.ca.us [198.188.250.254]
Jul 9 17:04:27 spamgate sendmail[32454]: h6A04Q9F032454: to=, delay=00:00:00, mailer=esmtp, pri=30531, stat=queued
Jul 9 17:04:27 spamgate sendmail[32454]: h6A04Q9G032454: from=, size=6546, class=0, nrcpts=1, msgid=<1057795388.2242@64.119.200.139.impro6.com>, proto=ESMTP, daemon=MTA, relay=gateway.svusd.k12.ca.us [198.188.250.254]
Jul 9 17:04:27 spamgate sendmail[32454]: h6A04Q9G032454: to=, delay=00:00:00, mailer=esmtp, pri=30487, stat=queued
Jul 9 17:04:29 spamgate MailScanner[26052]: New Batch: Forwarding 2 unscanned messages, 9748 bytes
Jul 9 17:04:29 spamgate MailScanner[26052]: Spam Checks: Starting
Jul 9 17:04:30 spamgate MailScanner[26052]: Message h6A04Q9G032454 from 198.188.250.254 (para3ds.com) to svusd.k12.ca.us is spam, SpamAssassin (score=15.8, required 4, BAYES_80, DCC_CHECK, EXCUSE_1, EXCUSE_19, EXCUSE_3, HIDE_WIN_STATUS, HTML_70_80, HTML_IMAGE_ONLY_06, HTML_TAG_EXISTS_TBODY, HTML_WEB_BUGS, MIME_HEADER_CTYPE_ONLY, MIME_HTML_ONLY, NORMAL_HTTP_TO_IP, OFFER, OFFERS_ETC, RECEIVE_OFFER)
Jul 9 17:04:31 spamgate MailScanner[26052]: Spam Checks: Found 1 spam messages
Jul 9 17:04:31 spamgate MailScanner[26052]: Spam Actions: message h6A04Q9G032454 actions are delete
Jul 9 17:04:31 spamgate MailScanner[26052]: Unscanned: Delivered 1 messages
Jul 9 17:04:31 spamgate MailScanner[26052]: Virus and Content Scanning: Starting
Jul 9 17:04:32 spamgate sendmail[32466]: h6A04Q9F032454: to=, delay=00:00:05, xdelay=00:00:01, mailer=esmtp, pri=120531, relay=[10.1.254.3] [10.1.254.3], dsn=2.0.0, stat=Sent ( <2730416505.01380945810856@kroc.com> Queued mail for delivery)

Header Information = Message ID = h6A04Q9F032454 (No SPAM header information included - not sure why)

Microsoft Mail Internet Headers Version 2.0
Received: from spamgate.spamgate.us ([198.188.250.11]) by doexchange.svusd.net with Microsoft SMTPSVC(5.0.2195.5329);
	Wed, 9 Jul 2003 17:04:36 -0700
Received: from svusd.k12.ca.us (gateway.svusd.k12.ca.us [198.188.250.254])
	by spamgate.spamgate.us (8.12.5/8.12.5) with ESMTP id h6A04Q9F032454
	for >; Wed, 9 Jul 2003 17:04:27 -0700
Received: from 24.203.227.247 ([24.203.227.247]) by gateway.svusd.k12.ca.us with SMTP id <119056>; Wed, 9 Jul 2003 14:04:29 -1000
Date: Thu, 10 Jul 2003 14:34:01 GMT
From: Vballoons Gballota >
To: chuw@svusd.k12.ca.us
X-Priority: 3 (Normal)
Message-ID: <2730416505.01380945810856@kroc.com >
Subject: Young gays (C76M6ZQUON below)
MIME-Version: 1.0
Content-type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Accept-Language: en-us, en
X-Mailer: Gnus v5.7/Emacs 20.17
X-Priority: 3 (Normal)
Return-Path: swims-blew@kroc.com
X-OriginalArrivalTime: 10 Jul 2003 00:04:36.0100 (UTC) FILETIME=[D9394440:01C34676]

Workgroup Solutions
20532 El Toro Rd,
Suite 107
Mission Viejo, CA 92692
949 586-2200

Developers of SpamGate - MXTreme - Stop SPAM at the Gateway with the MXTreme Appliance
Stop SPAM today at the Gateway!
PacketShaper - Bandwidth Management for your network
Centurion Guard - Write protect your desktop computers

From mikea at MIKEA.ATH.CX Thu Jul 10 17:42:46 2003
From: mikea at MIKEA.ATH.CX (mikea)
Date: Thu Jan 12 21:18:54 2006
Subject: MailScanner in Raq4
In-Reply-To: <000001c3470f$85eab960$0402a8c0@ATILVARGAS>; from lvargas@CFT.COM.MX on Thu, Jul 10, 2003 at 11:17:18AM -0700
References: <000001c3470f$85eab960$0402a8c0@ATILVARGAS>
Message-ID: <20030710114246.A32318@mikea.ath.cx>

On Thu, Jul 10, 2003 at 11:17:18AM -0700, Luis Amado Vargas wrote:
> I've serious problem with MailScanner, i followed the installation
> instruction line by line for Cobalt Raq4, i first install f-prot, then
> MailScanner and then SpamAssassin, and only have a problem with chkconfig
> command.
>
> I check the status for MailScanner
>
> [root /]# /etc/rc.d/init.d/MailScanner status
> Checking MailScanner daemons:
> MailScanner: ok
> incoming sendmail: ok
> outgoing sendmail: ok
>
> In the maillog appears this
>
> Jul 9 14:18:34 ns5 MailScanner[18086]: MailScanner E-Mail Virus Scanner
> version 4.21-9 starting...
> Jul 9 14:18:34 ns5 MailScanner[18086]: SpamAssassin installation could
> not be found
> If i try to send infected mail or any mail and .... the MailScanner
> is not working , not send and receive any mail
>
> any commentary on the matter
>
> Please Urgent !!!

I expect it *is*. Probably all your inbound mail is being locked up in the Raq. I've been there, and it's unpleasant.

First, you need to find your SpamAssassin installation. Try `locate SpamAssassin` or `find /usr -name "*ssassin*"` -- without the quotes, of course.

Then you need to tell MailScanner where to look, in /opt/MailScanner/etc/MailScanner.Conf. The variable to set is "SpamAssassin Install Prefix".

If `find /usr -name "*ssassin*"` fails, then try `find / -name "*ssassin*"`, but keep in mind that this will search everything that is currently mounted on that machine, including all remotely-mounted (SAMBA, NFS, etc.) filesystems. That can be expensive.

If this still fails and you haven't found the problem, then please reply to the list.

¡Buena suerte!

--
Mike Andrews
mikea@mikea.ath.cx
Tired old sysadmin since 1964

From lvargas at CFT.COM.MX Thu Jul 10 19:56:30 2003
From: lvargas at CFT.COM.MX (Luis Amado Vargas)
Date: Thu Jan 12 21:18:54 2006
Subject: MailScanner in Raq4
In-Reply-To: <200307101634.h6AGYXA06115@camelot.blacknightsolutions.com>
Message-ID: <001001c34714$fc7a0900$0402a8c0@ATILVARGAS>

I followed the instruction of this page

http://www.qitc.net/support/mailscanner/#To%20stop/start%20MailScanner

any comment will thank it

Luis Amado Vargas Vargas
Technical Support Engineer.
Alta Tecnologia en Internet.
Tel.: (01 442) 2384518

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Michele Neylon:: Blacknight Solutions
Sent: Thursday, July 10, 2003 09:35 a.m.
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: MailScanner in Raq4

How did you install Spam Assasin?
RAQs can be a real pain, as their version of Perl (unless you've upgraded it) is rather old...

Mr. Michele Neylon
Blacknight Solutions
http://www.blacknightsolutions.com
Spam and virus scanning available
_____
This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030710/27a7b641/attachment.html From richard at HELPPLC.COM Thu Jul 10 18:11:48 2003 From: richard at HELPPLC.COM (Richard Sidlin) Date: Thu Jan 12 21:18:54 2006 Subject: Chinese Emails In-Reply-To: Message-ID: <000901c34706$5bdb9940$0b01a8c0@rich> I don't see that at all in that conf file. Richard > > >Are you using SpamAssassin with MailScanner? > >SpamAssassin has a score for 'MIME_CHARSET_FARAWAY' of 2.45 >(at least in my version). You might consider upping this value >in spam.assassin.prefs.conf (e.g. 'score MIME_CHARSET_FARAWAY >3' or even higher if that doesn't do it) > >Evert Ford >Information Analyst >Westone Laboratories >http://www.westone.com > > > > >I put a message up a couple of weeks ago but I am still having >a problem with emails being received in what looks like >Chinese. I added a few lines on language settings in the spam >assassin conf file that someone suggested but that hasn't >cured it. It's really only coming in on one email address but >my customer is getting very agitated about it! Anyone help >please? BTW, it's coming from all sorts of addresses and domains. > > >Richard Sidlin > > > -- This message has been scanned for viruses and dangerous content by the Help Internet Virus Spam Defence, and is believed to be clean. For details on having your email scanned email support@helpinternet.co.uk From moliveri at UTI.COM Thu Jul 10 18:13:43 2003 From: moliveri at UTI.COM (Mike Oliveri) Date: Thu Jan 12 21:18:54 2006 Subject: Quick Exim question Message-ID: <5.2.0.9.0.20030710120657.00a7ab30@mail211.pair.com> Okay, I've got everything configured and ready to go, and I'm just about ready to start MailScanner. However, I'm running Exim with a split spool directory due to our server load. 
Because my current config is only running with one config file, I only have one spool directory: /var/spool/exim/input/*

The new config files will have an input directory of /var/spool/exim.in/input/*, but of course they do not exist yet. The MailScanner Exim configure page says I should create all the subdirectories of ../input before running MailScanner. Is it possible to just do the following:

mv /var/spool/exim/input /var/spool/exim.in/input
mkdir /var/spool/exim/input

Or will that cause problems? The second line to create the directory refers to the spool directory for the outgoing Exim config file. I figure this will also preserve all the mail currently in the queue and the new processes/config files will still get it all delivered.

Make sense? Just wanted to see if anyone experienced this before I accidentally hose my system.

Thanks!

Take care,
Mike Oliveri
Systems Administrator
UTI Systems, Inc.

From ka at PACIFIC.NET Thu Jul 10 18:29:26 2003
From: ka at PACIFIC.NET (Ken Anderson)
Date: Thu Jan 12 21:18:54 2006
Subject: User specific "Spam Actions"
In-Reply-To: <200307101511.KAA30556@mail.int.orbitel.com>
References: <200307101511.KAA30556@mail.int.orbitel.com>
Message-ID: <3F0DA276.4080803@pacific.net>

or, if that doesn't fit your needs, see previous thread:
"How to use spamassassin on a per user basis with a third party e-mail server setup?"

Ken

Orbitel Webmaster wrote:
> Take a look at the files in /etc/MailScanner/rules
>
> In a nutshell go to the line you want to vary per user in
> mailscanner.conf. Instead of putting its value in put
> in "/etc/MailScanner/rules/rulefilenameyourwant.rules"
>
> Then use emacs/vi/pico to edit that file name. I do my user specific
> spam actions based on destination e-mail address. In my case, this
> file is used to determine whether the spam check is enabled or not.
> In this case, if they are user1 or user2 spam checking is enabled.
> Everyone else, default, has it off. Hope that helps.
>
> #syntax e-mail yes/no/or any other option depending on the
> #mailscanner.conf line
> To: user1@domain.com yes
> To: user2@domain.com yes
> FromOrTo: default no
>
>
>
> -------- Original Message --------
>
> ==> From: Dene Ulmschneider
> ==> Date: Wed, 9 Jul 2003 09:54:30 -0400
>
> Hello all-
>
> I am running RHL 7.3 and MS version 4.14-9 and Sendmail.
>
> I am trying to setup user specific "Spam Actions" and could use a
> little help. I know that the spam action setting can point to a file
> with rule sets in it but I am not clear on the format of the file.
>
> Can anyone help me out with the format of the file? If a user wants
> to delete spam and high spam - what should the file look like?
>
> Does anyone have a sample file that they can forward to give me a
> better idea on how to set this up??
>
> Thank You
>
> Dene Ulmschneider Data Techie Inc.
> -----------------------------------
> -------------------------------------- office: 718.738.8859
> cell: 646.996.2976 email: dene@datatechie.com
> pager mail: denenow@datatechie.com website:
> www.datatechie.com
> ---------------------------------------------------
> ---------------------- "Data Techie - Always there to protect you!"
>
>

From kevins at BMRB.CO.UK Thu Jul 10 18:29:31 2003
From: kevins at BMRB.CO.UK (Kevin Spicer)
Date: Thu Jan 12 21:18:54 2006
Subject: Chinese Emails
In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB001175D9C@pascal.priv.bmrb.co.uk>
References: <5C0296D26910694BB9A9BBFC577E7AB001175D9C@pascal.priv.bmrb.co.uk>
Message-ID: <1057858171.29126.3.camel@bach.kevinspicer.co.uk>

On Thu, 2003-07-10 at 18:11, Richard Sidlin wrote:

    I don't see that at all in that conf file.

You'll need to add it, the spam.assassin.prefs.conf file only contains a subset of the available directives.

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000
_________________________________________________________________
This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business.

From richard at HELPPLC.COM Thu Jul 10 18:35:21 2003
From: richard at HELPPLC.COM (Richard Sidlin)
Date: Thu Jan 12 21:18:54 2006
Subject: Chinese Emails
In-Reply-To: <1057858171.29126.3.camel@bach.kevinspicer.co.uk>
Message-ID: <000a01c34709$a7d6dd20$0b01a8c0@rich>

>Subject: Re: Chinese Emails
>
>
>On Thu, 2003-07-10 at 18:11, Richard Sidlin wrote:
>
>I don't see that at all in that conf file.
>
>
>You'll need to add it, the spam.assassin.prefs.conf file only
>contains a subset of the available directives.
>

So just add this at the end?

score MIME_CHARSET_FARAWAY 3

--
This message has been scanned for viruses and dangerous content by the Help Internet Virus Spam Defence, and is believed to be clean. For details on having your email scanned email support@helpinternet.co.uk

From richard_cipher at YAHOO.COM Thu Jul 10 18:34:07 2003
From: richard_cipher at YAHOO.COM (Evert Ford)
Date: Thu Jan 12 21:18:54 2006
Subject: Chinese Emails
In-Reply-To: <000901c34706$5bdb9940$0b01a8c0@rich>
Message-ID:

It's not in there until you add it.

spam.assassin.prefs.conf is a file where you can add customized settings that change the way spamassassin behaves. If you add custom scores to this file, SpamAssassin will use the custom scores instead of its default scores.

For this to help you

1. You have to have SpamAssassin installed
2. In MailScanner.conf set 'Use SpamAssassin = yes'
3. On some systems, you may have to tell MailScanner where spamassassin is located.
4. in spam.assassin.prefs.conf add a line to change the default value of MIME_CHARSET_FARAWAY
   for example
       score MIME_CHARSET_FARAWAY 3.45
5. re-start MailScanner
   for example
       service MailScanner reload

Setting custom scores too high can trigger false positives in spamassassin. But in your case, unless you had users expecting and wanting e-mail in Chinese, you probably don't need to worry about that.

I don't know that this will help you, but it might. :-)

Evert Ford
Information Analyst
Westone Laboratories
http://www.westone.com

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Richard Sidlin
Sent: Thursday, July 10, 2003 11:12 AM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Chinese Emails

I don't see that at all in that conf file.

Richard

>
>
>Are you using SpamAssassin with MailScanner?
>
>SpamAssassin has a score for 'MIME_CHARSET_FARAWAY' of 2.45
>(at least in my version). You might consider upping this value
>in spam.assassin.prefs.conf (e.g. 'score MIME_CHARSET_FARAWAY
>3' or even higher if that doesn't do it)
>
>Evert Ford
>Information Analyst
>Westone Laboratories
>http://www.westone.com
>
>
>
>
>I put a message up a couple of weeks ago but I am still having
>a problem with emails being received in what looks like
>Chinese. I added a few lines on language settings in the spam
>assassin conf file that someone suggested but that hasn't
>cured it. It's really only coming in on one email address but
>my customer is getting very agitated about it! Anyone help
>please? BTW, it's coming from all sorts of addresses and domains.
>
>
>Richard Sidlin
>
>
>

--
This message has been scanned for viruses and dangerous content by the Help Internet Virus Spam Defence, and is believed to be clean. For details on having your email scanned email support@helpinternet.co.uk

---
Incoming mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com). Version: 6.0.483 / Virus Database: 279 - Release Date: 5/19/03 --- Outgoing mail is certified Virus Free. Checked by AVG anti-virus system (http://www.grisoft.com). Version: 6.0.483 / Virus Database: 279 - Release Date: 5/19/03 From kevins at BMRB.CO.UK Thu Jul 10 18:39:49 2003 From: kevins at BMRB.CO.UK (Kevin Spicer) Date: Thu Jan 12 21:18:54 2006 Subject: Chinese Emails In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB001175DA0@pascal.priv.bmrb.co.uk> References: <5C0296D26910694BB9A9BBFC577E7AB001175DA0@pascal.priv.bmrb.co.uk> Message-ID: <1057858790.29126.7.camel@bach.kevinspicer.co.uk> So just add this at the end? score MIME_CHARSET_FARAWAY 3 Yes, but you should first activate Always Include SpamAssassin Report = yes so that you can see whether that rule is in fact being triggered by these emails, and decide what to change the score to. There may be other scores you want to tweak too. BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. From richard at HELPPLC.COM Thu Jul 10 18:47:28 2003 From: richard at HELPPLC.COM (Richard Sidlin) Date: Thu Jan 12 21:18:54 2006 Subject: Chinese Emails In-Reply-To: <1057858790.29126.7.camel@bach.kevinspicer.co.uk> Message-ID: <000b01c3470b$57c58280$0b01a8c0@rich> >So just add this at the end? 
>
>score MIME_CHARSET_FARAWAY 3
>
>Yes, but you should first activate
>
>Always Include SpamAssassin Report = yes
>
>so that you can see whether that rule is in fact being
>triggered by these emails, and decide what to change the score
>to. There may be other scores you want to tweak too.
>

Thanks. Done that. I'll keep an eye on it.

--
This message has been scanned for viruses and dangerous content by the Help Internet Virus Spam Defence, and is believed to be clean. For details on having your email scanned email support@helpinternet.co.uk

From paul at CS.UKY.EDU Thu Jul 10 18:54:12 2003
From: paul at CS.UKY.EDU (Paul Linton)
Date: Thu Jan 12 21:18:54 2006
Subject: Symantec AntiVirus Command Line Scanner
In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB0EBF69E@pascal.priv.bmrb.co.uk>
References: <5C0296D26910694BB9A9BBFC577E7AB0EBF69E@pascal.priv.bmrb.co.uk>
Message-ID: <20030710175412.GA32608@bud.cs.uky.edu>

On Fri, Jun 27, 2003 at 09:59:00AM +0100, Spicer, Kevin wrote:
> I see that symantec now do a command line scanner for linux
> http://enterprisesecurity.symantec.com/products/products.cfm?ProductID=65
> has anyone tried this or got it working with MailScanner?

I am running an older version of the engine, and it seems fine. I know that someone else on campus here had issues with shared libraries. I'm running slackware 9.0/kernel 2.4.21 and slackware 8.0/kernel 2.4.18 with

% uvscan --version
Virus Scan for Linux v4.16.0
Copyright (c) 1992-2001 Networks Associates Technology Inc. All rights reserved.
(408) 988-3832 LICENSED COPY - Nov 13 2001

Scan engine v4.1.60 for Linux.
Virus data file v4276 created Jul 09 2003

% ldd `which uvscan`
        liblnxfv.so.4 => /usr/local/lib/liblnxfv.so.4 (0x40015000)
        libstdc++.so.2.8 => /usr/i386-slackware-linux/lib/libstdc++.so.2.8 (0x401ff000)
        libm.so.6 => /lib/libm.so.6 (0x40240000)
        libc.so.6 => /lib/libc.so.6 (0x40263000)
        /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)

Our (recently installed) mailserver with Mailscanner is running the Solaris version. I have been doing filesystem scans with the linux one though.

- Paul

--
Paul Linton Systems Programmer paul@cs.uky.edu
UofK Department of Computer Science (859) 257-3962

From mike at CAMAROSS.NET Thu Jul 10 19:01:39 2003
From: mike at CAMAROSS.NET (Mike Kercher)
Date: Thu Jan 12 21:18:54 2006
Subject: Chinese Emails
In-Reply-To: <000b01c3470b$57c58280$0b01a8c0@rich>
Message-ID: <007f01c3470d$5036a010$9c01a8c0@home.middlefinger.net>

Don't forget to reload MailScanner so it will read the new configuration!

Mike

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Richard Sidlin
Sent: Thursday, July 10, 2003 12:47 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Chinese Emails

>So just add this at the end?
>
>score MIME_CHARSET_FARAWAY 3
>
>Yes, but you should first activate
>
>Always Include SpamAssassin Report = yes
>
>so that you can see whether that rule is in fact being triggered by
>these emails, and decide what to change the score to. There may be
>other scores you want to tweak too.
>

Thanks. Done that. I'll keep an eye on it.

--
This message has been scanned for viruses and dangerous content by the Help Internet Virus Spam Defence, and is believed to be clean. For details on having your email scanned email support@helpinternet.co.uk

From paul at CS.UKY.EDU Thu Jul 10 19:12:44 2003
From: paul at CS.UKY.EDU (Paul Linton)
Date: Thu Jan 12 21:18:55 2006
Subject: MailScanner not removing virus even though it was found?
In-Reply-To: <20030709023925.GA12072@bud.cs.uky.edu>
References: <20030709023925.GA12072@bud.cs.uky.edu>
Message-ID: <20030710181244.GB32608@bud.cs.uky.edu>

Solved.

It was simply a matter of trusting the documentation. I had read, and ignored, the note about McAfee and symbolic links. So my /var/spool/MailScanner/incoming option was really somewhere else. Since McAfee was running fine and seeing viruses I didn't think this was an issue. After a LOT of debugging I tracked it down to the following line(s):

SweepViruses.pm: lines 976-978

    # McAfee prints the whole path as opposed to
    # ./messages/part so make it the same
    $lastline =~ s/$BaseDir//;

Since I will be trying to keep my .conf files fairly consistent across domains I would like to change that line to be more forgiving. If anyone is interested drop me a line and maybe we can convince someone to incorporate the change.

- Paul

On Tue, Jul 08, 2003 at 10:39:25PM -0400, Paul Linton wrote:
> I have a brand new install of MailScanner/Spamassassin/McAfee. Most
> seems to be working fine, with the exception of virus removal. MailScanner
> calls McAfee and sees the virus, but then happily sends the message on, virus
> and all, no warning to the recipient, etc. Did I miss something in the .conf
> file?

--
Paul Linton Systems Programmer paul@cs.uky.edu
UofK Department of Computer Science (859) 257-3962

From moliveri at UTI.COM Thu Jul 10 19:35:41 2003
From: moliveri at UTI.COM (Mike Oliveri)
Date: Thu Jan 12 21:18:55 2006
Subject: One more Exim scanner
Message-ID: <5.2.0.9.0.20030710133226.00a7ab30@mail211.pair.com>

Whoops, one more thing for Exim:

The MailScanner startup options in rc.local on FreeBSD refer to the MailScanner incoming mail spool as being /var/spool/mqueue.in

Should that actually be the incoming Exim queue at /var/spool/exim.in/input/*? Or are these supposed to be two separate queues?

Thanks!

Take care, Mike Oliveri From TGFurnish at HERFF-JONES.COM Thu Jul 10 22:00:36 2003 From: TGFurnish at HERFF-JONES.COM (Furnish, Trever G) Date: Thu Jan 12 21:18:55 2006 Subject: How can I get some spam? Message-ID: <8FFC76593085ED4A80D3601BC41EFCDF0C0291@inex1.herffjones.hj-int> :-) Seriously - I need to test a mailscanner subdomain so I need some spam. :-) I've clicked a few unsubscribe links (modified to reflect the filter testing domain), but now I'm out of spam, so any suggestions (specifics, not general concepts - got a link?) would be appreciated. Address that wants spam: tgfurnish@public.herff-jones.com -- Trever From kevins at BMRB.CO.UK Thu Jul 10 22:11:56 2003 From: kevins at BMRB.CO.UK (Kevin Spicer) Date: Thu Jan 12 21:18:55 2006 Subject: How can I get some spam? In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB001175DA8@pascal.priv.bmrb.co.uk> References: <5C0296D26910694BB9A9BBFC577E7AB001175DA8@pascal.priv.bmrb.co.uk> Message-ID: <1057871516.29126.12.camel@bach.kevinspicer.co.uk> On Thu, 2003-07-10 at 22:00, Furnish, Trever G wrote: Address that wants spam: tgfurnish@public.herff-jones.com Posting on usenet (Google Groups) worked well for me (unfortunately!) BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. From dwinkler at ALGORITHMICS.COM Thu Jul 10 22:12:24 2003 From: dwinkler at ALGORITHMICS.COM (Derek Winkler) Date: Thu Jan 12 21:18:55 2006 Subject: How can I get some spam? 
Message-ID: <06EE2C86D3DAD5119A6C0060943F3C97055E7088@tormail1.algorithmics.com>

Spamassassin provides some test spam on their site.

Just deliver to yourself with sendmail from command line.

-----Original Message-----
From: Furnish, Trever G [mailto:TGFurnish@herff-jones.com]
Sent: Thursday, July 10, 2003 5:01 PM
To: MAILSCANNER@jiscmail.ac.uk
Subject: How can I get some spam?

:-) Seriously - I need to test a mailscanner subdomain so I need some spam.
:-)

I've clicked a few unsubscribe links (modified to reflect the filter testing
domain), but now I'm out of spam, so any suggestions (specifics, not general
concepts - got a link?) would be appreciated.

Address that wants spam: tgfurnish@public.herff-jones.com

--
Trever

From mikea at MIKEA.ATH.CX Thu Jul 10 22:26:52 2003
From: mikea at MIKEA.ATH.CX (mikea)
Date: Thu Jan 12 21:18:55 2006
Subject: How can I get some spam?
In-Reply-To: <06EE2C86D3DAD5119A6C0060943F3C97055E7088@tormail1.algorithmics.com>; from dwinkler@ALGORITHMICS.COM on Thu, Jul 10, 2003 at 05:12:24PM -0400
References: <06EE2C86D3DAD5119A6C0060943F3C97055E7088@tormail1.algorithmics.com>
Message-ID: <20030710162652.A34019@mikea.ath.cx>

On Thu, Jul 10, 2003 at 05:12:24PM -0400, Derek Winkler wrote:
> Spamassassin provides some test spam on their site.
>
> Just deliver to yourself with sendmail from command line.
>
> -----Original Message-----
> From: Furnish, Trever G [mailto:TGFurnish@herff-jones.com]
> Sent: Thursday, July 10, 2003 5:01 PM
> To: MAILSCANNER@jiscmail.ac.uk
> Subject: How can I get some spam?
>
>
> :-) Seriously - I need to test a mailscanner subdomain so I need some spam.
> :-)
>
> I've clicked a few unsubscribe links (modified to reflect the filter testing
> domain), but now I'm out of spam, so any suggestions (specifics, not general
> concepts - got a link?) would be appreciated.
>
> Address that wants spam: tgfurnish@public.herff-jones.com

Want 13506473 bytes (and growing) of guaranteed-to-be-spam? That's
1806 (and counting) separate pieces. I can gzip it up and ship it
to anyone who wants it. Not, mind you, that there's a spam shortage.
It gzips down to a tidy 4193099 bytes.

--
Mike Andrews
mikea@mikea.ath.cx
Tired old sysadmin since 1964

From michele at BLACKNIGHTSOLUTIONS.COM Thu Jul 10 22:56:49 2003
From: michele at BLACKNIGHTSOLUTIONS.COM (Michele Neylon:: Blacknight Solutions)
Date: Thu Jan 12 21:18:55 2006
Subject: How can I get some spam?
In-Reply-To: <20030710162652.A34019@mikea.ath.cx>
Message-ID: <200307102155.h6ALtrA17903@camelot.blacknightsolutions.com>

> Want 13506473 bytes (and growing) of guaranteed-to-be-spam? That's
> 1806 (and counting) separate pieces. I can gzip it up and
> ship it to anyone who wants it. Not, mind you, that there's a
> spam shortage.
> It gzips down to a tidy 4193099 bytes.

ROFL

This must be the only mailing list where people swap spam and virii and
compare their quality :-)

To test some SPAM and virus logging we used a few junk email addresses with
a dialup ISP and used fetchmail to pass them through the system. The scary
thing was that over 95% of the mail from one account was spam and virii!!

M

#########################################################
This message (and any attachment) is intended only for the
recipient and may contain confidential and/or privileged
material. If you have received this in error, please contact the
sender and delete this message immediately. Disclosure, copying
or other action taken in respect of this email or in
reliance to it is prohibited.

From TGFurnish at HERFF-JONES.COM Thu Jul 10 22:57:54 2003
From: TGFurnish at HERFF-JONES.COM (Furnish, Trever G)
Date: Thu Jan 12 21:18:55 2006
Subject: How can I get some spam?
Message-ID: <8FFC76593085ED4A80D3601BC41EFCDF0C0712@inex1.herffjones.hj-int>

>-----Original Message-----
>From: mikea [mailto:mikea@MIKEA.ATH.CX]
>Sent: Thursday, July 10, 2003 4:27 PM
>To: MAILSCANNER@JISCMAIL.AC.UK
>Subject: Re: How can I get some spam?
>
>Want 13506473 bytes (and growing) of guaranteed-to-be-spam? That's
>1806 (and counting) separate pieces. I can gzip it up and ship it
>to anyone who wants it. Not, mind you, that there's a spam shortage.
>It gzips down to a tidy 4193099 bytes.

Well, yes, thanks, but I'm also hoping to test rbl lookups and I'm thinking
that would be difficult if I'm sending the spam myself. Still though, if
you don't mind sending a gzipped version, then go ahead - most appreciated.
:-)

And thanks to the others who've already passed on spam without mentioning it
on the list as well.

-t.

From wpc4 at DODGETHIS.ORG Thu Jul 10 23:00:20 2003
From: wpc4 at DODGETHIS.ORG (William Curley)
Date: Thu Jan 12 21:18:55 2006
Subject: How can I get some spam? {Scanned}
In-Reply-To: <200307102155.h6ALtrA17903@camelot.blacknightsolutions.com>
References: <200307102155.h6ALtrA17903@camelot.blacknightsolutions.com>
Message-ID: <1057874420.a529bfbd4624c@mail.cynical.us>

For a test Virus email you can head to
http://www.eicar.org/anti_virus_test_file.htm Industry has organized a fake
virus file that is detected by virus scanners.

Quoting "Michele Neylon:: Blacknight Solutions" :

> > Want 13506473 bytes (and growing) of guaranteed-to-be-spam? That's
> > 1806 (and counting) separate pieces. I can gzip it up and
> > ship it to anyone who wants it. Not, mind you, that there's a
> > spam shortage.
> > It gzips down to a tidy 4193099 bytes.
>
> ROFL
>
> This must be the only mailing list where people swap spam and virii and
> compare their quality :-)
>
> To test some SPAM and virus logging we used a few junk email addresses with
> a dialup ISP and used fetchmail to pass them through the system. The scary
> thing was that over 95% of the mail from one account was spam and virii!!
>
> M
>
>
> #########################################################
> This message (and any attachment) is intended only for the
> recipient and may contain confidential and/or privileged
> material. If you have received this in error, please contact the
> sender and delete this message immediately. Disclosure, copying
> or other action taken in respect of this email or in
> reliance to it is prohibited.
>

From mikea at MIKEA.ATH.CX Thu Jul 10 23:26:59 2003
From: mikea at MIKEA.ATH.CX (mikea)
Date: Thu Jan 12 21:18:55 2006
Subject: How can I get some spam?
In-Reply-To: <200307102155.h6ALtrA17903@camelot.blacknightsolutions.com>; from michele@BLACKNIGHTSOLUTIONS.COM on Thu, Jul 10, 2003 at 11:56:49PM +0200
References: <20030710162652.A34019@mikea.ath.cx> <200307102155.h6ALtrA17903@camelot.blacknightsolutions.com>
Message-ID: <20030710172659.B34446@mikea.ath.cx>

On Thu, Jul 10, 2003 at 11:56:49PM +0200, Michele Neylon:: Blacknight Solutions wrote:
> > Want 13506473 bytes (and growing) of guaranteed-to-be-spam? That's
> > 1806 (and counting) separate pieces. I can gzip it up and
> > ship it to anyone who wants it. Not, mind you, that there's a
> > spam shortage.
> > It gzips down to a tidy 4193099 bytes.
>
> ROFL
>
> This must be the only mailing list where people swap spam and virii and
> compare their quality :-)

Erm ... no, actually. But I can't discuss the other list, because it
mostly is composed of mail and system administrators from large
companies and corporations.

For that matter, if I were to send just three days spam from my day
job, it would be close to 50 megabytes unzipped. But I think it's
better not to do that. And I can send something like 20 megabytes of
worm traffic, but again I think it's better not to.

> To test some SPAM and virus logging we used a few junk email addresses with
> a dialup ISP and used fetchmail to pass them through the system. The scary
> thing was that over 95% of the mail from one account was spam and virii!!

No surprise there; there's a vanishingly-small probability that it was
*not* infected by a worm -- probably one of the recent generation, such
as SoBig.

--
Mike Andrews
mikea@mikea.ath.cx
Tired old sysadmin since 1964

From christopher.albert at MCGILL.CA Thu Jul 10 22:29:00 2003
From: christopher.albert at MCGILL.CA (Christopher Albert)
Date: Thu Jan 12 21:18:55 2006
Subject: How can I get some spam?
In-Reply-To: <06EE2C86D3DAD5119A6C0060943F3C97055E7088@tormail1.algorithmics.com>
References: <06EE2C86D3DAD5119A6C0060943F3C97055E7088@tormail1.algorithmics.com>
Message-ID: <3F0DDA9C.9080807@mcgill.ca>

> :-) Seriously - I need to test a mailscanner subdomain so I need some
> spam.
> :-)
>
> I've clicked a few unsubscribe links (modified to reflect the filter
> testing
> domain), but now I'm out of spam, so any suggestions (specifics, not
> general
> concepts - got a link?) would be appreciated.
>
> Address that wants spam: tgfurnish@public.herff-jones.com
>
> --
> Trever
>

There is:
http://www.spamarchive.org/

with 1.3Gs of spam in ftp archives (>225K emails).

Chris

From cparker at SWATGEAR.COM Thu Jul 10 23:34:08 2003
From: cparker at SWATGEAR.COM (Chris W. Parker)
Date: Thu Jan 12 21:18:55 2006
Subject: How can I get some spam?
Message-ID: <001BD19C96E6E64E8750D72C2EA0ECEE2B7D36@ati-ex-01.ati.local>

Christopher Albert wrote:
> > :-) Seriously - I need to test a mailscanner subdomain so I need
> > some spam. :-)
>
> There is:
> http://www.spamarchive.org/
>
> with 1.3Gs of spam in ftp archives (>225K emails).

Hmm.. cool resource.

Chris.

p.s. please trim your email kthxbye!

From mkettler at EVI-INC.COM Thu Jul 10 23:33:40 2003
From: mkettler at EVI-INC.COM (Matt Kettler)
Date: Thu Jan 12 21:18:55 2006
Subject: How can I get some spam?
In-Reply-To: <1057874420.a529bfbd4624c@mail.cynical.us>
References: <200307102155.h6ALtrA17903@camelot.blacknightsolutions.com> <200307102155.h6ALtrA17903@camelot.blacknightsolutions.com>
Message-ID: <5.2.1.1.0.20030710182934.01c1bbf8@xanadu.evi-inc.com>

At 03:00 PM 7/10/2003 -0700, you wrote:
>For a test Virus email you can head to
>http://www.eicar.org/anti_virus_test_file.htm Industry has organized a fake
>virus file that is detected by virus scanners.

On a similar note SpamAssassin has a GTUBE (generic test for unsolicited
bulk email) which is a rule which adds +100 to an email. It's a great way
to do a quick check to ensure that SA is running and will actually tag
email. It's not a comprehensive check, but it certainly answers the
question of "is this thing on?" very quickly.

Simply draft an email with the following string in the body, convert all
the lower-case letters to upper-case, and run it through spamassassin:

xjs*C4JDBQADN1.NSBN3*2IDNEN*gtube-standard-ANTI-UBE-TEST-EMAIL*C.34X

Since I did not want this email to trigger the test rule, I converted the
first 3 characters and the "gtube-standard" part to lower-case. If you want
to make it work, all the letters need to be upper-case as the rule is case
sensitive.

From mikea at MIKEA.ATH.CX Thu Jul 10 23:39:48 2003
From: mikea at MIKEA.ATH.CX (mikea)
Date: Thu Jan 12 21:18:55 2006
Subject: How can I get some spam?
In-Reply-To: <5.2.1.1.0.20030710182934.01c1bbf8@xanadu.evi-inc.com>; from mkettler@EVI-INC.COM on Thu, Jul 10, 2003 at 06:33:40PM -0400
References: <200307102155.h6ALtrA17903@camelot.blacknightsolutions.com> <200307102155.h6ALtrA17903@camelot.blacknightsolutions.com> <1057874420.a529bfbd4624c@mail.cynical.us> <5.2.1.1.0.20030710182934.01c1bbf8@xanadu.evi-inc.com>
Message-ID: <20030710173948.B34631@mikea.ath.cx>

On Thu, Jul 10, 2003 at 06:33:40PM -0400, Matt Kettler wrote:
> At 03:00 PM 7/10/2003 -0700, you wrote:
> >For a test Virus email you can head to
> >http://www.eicar.org/anti_virus_test_file.htm Industry has organized a fake
> >virus file that is detected by virus scanners.
>
>
> On a similar note SpamAssassin has a GTUBE (generic test for unsolicited
> bulk email) which is a rule which adds +100 to an email. It's a great way
> to do a quick check to ensure that SA is running and will actually tag
> email. It's not a comprehensive check, but it certainly answers the
> question of "is this thing on?" very quickly.

Looks like it adds +1000. That's *impressive*!

--
Mike Andrews
mikea@mikea.ath.cx
Tired old sysadmin since 1964

From webmaster at ORBITEL.COM Fri Jul 11 04:44:10 2003
From: webmaster at ORBITEL.COM (Orbitel Webmaster)
Date: Thu Jan 12 21:18:55 2006
Subject: User specific "Spam Actions"
Message-ID: <200307101511.KAA30556@mail.int.orbitel.com>

Take a look at the files in /etc/MailScanner/rules

In a nutshell go to the line you want to vary per user in
mailscanner.conf. Instead of putting its value in put in
"/etc/MailScanner/rules/rulefilenameyourwant.rules"

Then use emacs/vi/pico to edit that file name.

I do my user specific spam actions based on destination e-mail address.
In my case, this file is used to determine whether the spam check is
enabled or not. In this case, if they are user1 or user2 spam checking
is enabled. Everyone else, default, has it off.

Hope that helps.
#syntax e-mail yes/no/or any other option depending on the
#mailscanner.conf line
To:        user1@domain.com  yes
To:        user2@domain.com  yes
FromOrTo:  default           no

-------- Original Message --------
==> From: Dene Ulmschneider
==> Date: Wed, 9 Jul 2003 09:54:30 -0400

Hello all-

I am running RHL 7.3 and MS version 4.14-9 and Sendmail. I am trying to
setup user specific "Spam Actions" and could use a little help. I know
that the spam action setting can point to a file with rule sets in it
but I am not clear on the format of the file. Can anyone help me out
with the format of the file? If a user wants to delete spam and high
spam - what should the file look like? Does anyone have a sample file
that they can forward to give me a better idea on how to set this up??

Thank You

Dene Ulmschneider
Data Techie Inc.
----------------------------------- --------------------------------------
office: 718.738.8859
cell: 646.996.2976
email: dene@datatechie.com
pager mail: denenow@datatechie.com
website: www.datatechie.com
--------------------------------------------------- ----------------------
"Data Techie - Always there to protect you!"

From webmaster at ORBITEL.COM Fri Jul 11 10:43:44 2003
From: webmaster at ORBITEL.COM (Orbitel Webmaster)
Date: Thu Jan 12 21:18:55 2006
Subject: How can I get some spam?
Message-ID: <200307102111.QAA00830@mail.int.orbitel.com>

Take a piece of spam off another e-mail account (IE: Hotmail) and
forward it to the target account. I've sent you one you can re-use and
recycle.

-------- Original Message --------
==> From: "Furnish, Trever G"
==> Date: Thu, 10 Jul 2003 16:00:36 -0500

:-) Seriously - I need to test a mailscanner subdomain so I need some spam.
:-)

I've clicked a few unsubscribe links (modified to reflect the filter testing
domain), but now I'm out of spam, so any suggestions (specifics, not general
concepts - got a link?) would be appreciated.
Address that wants spam: tgfurnish@public.herff-jones.com

--
Trever

From mike at CAMAROSS.NET Thu Jul 10 23:40:02 2003
From: mike at CAMAROSS.NET (Mike Kercher)
Date: Thu Jan 12 21:18:55 2006
Subject: How can I get some spam?
In-Reply-To: <8FFC76593085ED4A80D3601BC41EFCDF0C0291@inex1.herffjones.hj-int>
Message-ID: <008f01c34734$337a2420$9c01a8c0@home.middlefinger.net>

I'll make that email address the forward action on my High Scoring Spam on a
couple of machines. If you want this, tell me when to turn it off :)

Mike

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf
Of Furnish, Trever G
Sent: Thursday, July 10, 2003 4:01 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: How can I get some spam?

:-) Seriously - I need to test a mailscanner subdomain so I need some spam.
:-)

I've clicked a few unsubscribe links (modified to reflect the filter testing
domain), but now I'm out of spam, so any suggestions (specifics, not general
concepts - got a link?) would be appreciated.

Address that wants spam: tgfurnish@public.herff-jones.com

--
Trever

From TGFurnish at HERFF-JONES.COM Fri Jul 11 00:19:49 2003
From: TGFurnish at HERFF-JONES.COM (Furnish, Trever G)
Date: Thu Jan 12 21:18:55 2006
Subject: Where do I start debugging?
Message-ID: <8FFC76593085ED4A80D3601BC41EFCDF0C0714@inex1.herffjones.hj-int>

Ok, so now I have some spam coming to my filtering domain, but mailscanner
is behaving unexpectedly and I'm not sure where to look in order to figure
out why. I have Log Spam = yes and logging is showing up in syslog, but I'm
hoping there's more logging going somewhere else I'm not aware of.

I've discovered (by reversing my work in order till everything worked
again) that these two statements in MailScanner.conf cause it to do bad
things - messages seem to disappear into the void. Perhaps I should mention
that this is version 4.21-9. Any suggestions?
Spam Actions = attachment
High Scoring Spam Actions = attachment

If I change those back to the default (deliver), then I successfully get
message subjects tagged as spam, but I'd prefer to have MailScanner
repackage the messages as attachments.

When I have the actions set to 'attachment', sometimes I even get the syslog
message that says "actions are attachment". Usually I just get "Spam
Checks: Starting" and "Virus and Content Scanning: Starting", followed by
"Uninfected: Delivered" and then sendmail's log entry stating it delivered
the message.

Most troubling is that even though sendmail logs an entry stating it handed
off the message, the message doesn't arrive. Not even sure how that could
be related to mailscanner...

-t.

From TGFurnish at HERFF-JONES.COM Fri Jul 11 00:24:45 2003
From: TGFurnish at HERFF-JONES.COM (Furnish, Trever G)
Date: Thu Jan 12 21:18:55 2006
Subject: How can I get some spam?
Message-ID: <8FFC76593085ED4A80D3601BC41EFCDF0C029B@inex1.herffjones.hj-int>

LOL - Turn it off now? UNCLE!!! Talk about "ask and ye shall receive"!!!
I've gotten enough. :-) Thanks, all.

Now if only I hadn't posted to all those usenet groups already. :-)

>-----Original Message-----
>From: Mike Kercher [mailto:mike@CAMAROSS.NET]
>Sent: Thursday, July 10, 2003 5:40 PM
>To: MAILSCANNER@JISCMAIL.AC.UK
>Subject: Re: How can I get some spam?
>
>
>I'll make that email address the forward action on my High
>Scoring Spam on a
>couple of machines. If you want this, tell me when to turn it off :)
>
>Mike
>
>
>-----Original Message-----
>From: MailScanner mailing list
>[mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf
>Of Furnish, Trever G
>Sent: Thursday, July 10, 2003 4:01 PM
>To: MAILSCANNER@JISCMAIL.AC.UK
>Subject: How can I get some spam?
>
>
>:-) Seriously - I need to test a mailscanner subdomain so I
>need some spam.
>:-)
>
>I've clicked a few unsubscribe links (modified to reflect the
>filter testing
>domain), but now I'm out of spam, so any suggestions
>(specifics, not general
>concepts - got a link?) would be appreciated.
>
>Address that wants spam: tgfurnish@public.herff-jones.com
>
>--
>Trever
>

From gerry at DORFAM.CA Fri Jul 11 00:28:37 2003
From: gerry at DORFAM.CA (Gerry Doris)
Date: Thu Jan 12 21:18:55 2006
Subject: Virus Update Scripts with Timeouts
Message-ID:

I use both F-Prot and ClamAV with MailScanner. There are scripts for each
of these virus scanners which by default are run hourly to check for new
virus definition files. Unfortunately, if the script is unable to
complete then MailScanner will cease processing mail until the problem is
corrected. Mail still is received but nothing is scanned and processed
for delivery.

I have modified the two update scripts to add a timeout (default=15sec).
If the script has not completed the connection to the download site before
the timeout the script is aborted and MailScanner is given back control.

I posted the ClamAV script about a week ago. Nothing has really changed
in this version other than I cleaned up my coding (I'm a long ways from
being a programmer!). I added the timeout code in the F-Prot script and
fixed a problem in the original BailOut sub code that prevented logging
status to the syslog.

If you choose to use these scripts they need to be placed in the
/usr/lib/MailScanner directory. I suggest you backup the original scripts
in case you want to go back to them.
--
Gerry

"The lyfe so short, the craft so long to learne" Chaucer
-------------- next part --------------
#!/usr/bin/perl

#
# MailScanner - SMTP E-Mail Virus Scanner
# Copyright (C) 2002 Julian Field
#
# $Id: f-prot-autoupdate,v 1.3.2.5 2003/06/07 17:55:00 jkf Exp $
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
#
# The author, Julian Field, can be contacted by email at
# Jules@JulianField.net
# or by paper mail at
# Julian Field
# Dept of Electronics & Computer Science
# University of Southampton
# Southampton
# SO17 1BJ
# United Kingdom
#

$SIG{ALRM} = sub { die "timeout" }; # Setup alarm call

use Sys::Syslog;
use IO::File;

# Stop syslogd from needing external access (or -r)
eval { Sys::Syslog::setlogsock('unix'); };

####################################
#
# You can set your HTTP proxy server / web-cache here if you want to,
# otherwise you will have to set it in the environment or wget's
# startup file.
# If you don't want to specify it here, comment out the next line.
#
#$HttpProxy = 'www-cache.soton.ac.uk:3128';
#$FtpProxy = '';
#
####################################

$FProtRoot = "/usr/local/f-prot";
# N.B. TempDir DIRECTORY WILL BE CLEARED so
# you *really* don't want to share it with
# anything else.
$TempDir = "$FProtRoot/tmp";
$DefDir = $FProtRoot;
#$FallbackServer = 'http://updates.f-prot.com/files/';
$FallbackServer = 'ftp://ftp.f-prot.com/pub/';

$LockFile = "/tmp/FProtBusy.lock";

$LOCK_SH = 1;
$LOCK_EX = 2;
$LOCK_NB = 4;
$LOCK_UN = 8;

$cron = 0;
$quiet = 0;
$updated = 0;
$FProtIsLocked = 0;
$HaveDownloadedSign = 0;

$TmpFile = "tmp-web";
$HttpReturn = 10;

$TIMEOUT = 10; #Default Timeout in sec's

#
# Check command-line parameters
#
foreach (@ARGV) {
  if (/cron/i) {
    $cron = 1;
  } elsif (/quiet/i) {
    $quiet = 1;
  } else {
    BailOut("Invalid command-line option \"$_\"");
  }
}

# If they have specified an http/ftp proxy server / web-cache, then use it
$ENV{'http_proxy'} = $HttpProxy if $HttpProxy;
$ENV{'ftp_proxy'} = $FtpProxy if $FtpProxy;

#
# Check if TempDir exists and is a directory
#
stat($TempDir);
if (-e _) {
  BailOut("$TempDir needs to be a directory") if ! -d _;
} else {
  mkdir $TempDir, 0700
    or BailOut("Could not create $TempDir directory, $!");
}

# Check file permissions of TempDir are correct
chmod 0700, $TempDir
  or BailOut("Could not set perms of $TempDir. Check you own it");

CleanTempDir(); # Clean up the contents of TempDir

#
# Check we can find all the external programs we need
#
for $program (qw/cp grep head wget unzip/) {
  $result = system("$program --version < /dev/null > /dev/null 2>&1");
  # system() returns the wait status, so the shell's "command not found"
  # exit code (127) is in the high byte.
  BailOut("Could not find $program on your path. Please install it " .
          "or fix your path") if ($result>>8)==127;
}

#
# Download update information from the update server
#
eval {
  alarm("$TIMEOUT"); #Set timeout in $TIMEOUT sec's
  $result = system("wget --output-document=$TempDir/$TmpFile --tries=3 " .
                   "'http://updates.f-prot.com/cgi-bin/check-updates?" .
                   "protocol=1&run_as=check_updates' > /dev/null 2>&1");
  alarm(0); #Turn off alarm
};
BailOut("F-Prot updater timed out. ") if $@ =~ /timeout/ ;
BailOut("wget command failed. You need the latest version installed, $!")
  if ($result>>8)==127;
BailOut("Updates download from http://updates.f-prot.com failed. Suspect server could not be reached, $!")
  if $result!=0;

# Get HTTP return value from checking for updates
open(TEMPFILE, "$TempDir/$TmpFile")
  or BailOut("Could not read temp file $TmpFile, $!");
$HttpReturn = <TEMPFILE>; # First line of the reply is the status code
chomp $HttpReturn;
$HttpReturn =~ s/\s*$//g;

if ($HttpReturn!=2) {
  BailOut("Invalid parameters used in http URL, exiting, $!")
    if $HttpReturn==3;
  BailOut("Invalid protocol used in http URL, exiting, $!")
    if $HttpReturn==4;
  BailOut("Server error on remote machine, exiting, $!")
    if $HttpReturn==5;
  BailOut("Unknown error while downloading update information, " .
          "do you need to specify your HTTP/FTP proxy / web-cache at " .
          "the top of this script? Exiting, $!");
}

#
# Read the file once to pull out the ftp URL of the update server
#
while(<TEMPFILE>) {
  chomp;
  next unless s/^S://;
  # Delete trailing newlines and stuff like that
  s/\s*$//g;
  $Server = $_;
}
close(TEMPFILE);
print STDERR "FTP address for retrieving files is $Server\n"
  unless $quiet || $cron;

#
# Lock out all other users of F-Prot until update is complete.
#
&LockFProt();

#
# Now read and compare checksums of the files on the update server and
# the local def files.
#
open(TEMPFILE, "$TempDir/$TmpFile");
while(<TEMPFILE>) {
  chomp;
  s/\s*$//g; # Delete trailing whitespace (^M and such like)
  next unless /^C/;
  next unless /DEF=/;
  s/^[^:]*://; # Delete everything up to and including ":"
  ($FileToCheck, $RemoteChecksum) = split(/=/, $_, 2);
  $FileChecksum = Checksum("$DefDir/$FileToCheck");
  BailOut("$FProtRoot/checksum was not found. It should be in your " .
          "F-Prot package, $!") if $FileChecksum==127;

  # Current file different from remote file?
  if ($FileChecksum ne $RemoteChecksum) {
    print STDERR "F-Prot signature file update script\n"
      unless $updated || $quiet;
    print STDERR "There is a new version of $FileToCheck, starting download.\n"
      unless $quiet;
    $updated = 1;
    # Download it from the server
    DownloadFile($Server, $FileToCheck);
    # Check we downloaded the file we wanted
    $FileChecksum = Checksum("$TempDir/$FileToCheck");
    if ($FileChecksum eq $RemoteChecksum) {
      # Copy file from temp dir to f-prot dir.
      # List form of system() runs cp without a shell, so the file name
      # taken from the server's reply is never parsed by /bin/sh.
      system("cp", "$TempDir/$FileToCheck", $FProtRoot);
      print STDERR "Updated $FileToCheck.\n" unless $quiet;
    } else {
      # If not, then try fallback server instead
      DownloadFile($FallbackServer, $FileToCheck);
      # If that fails too, then error
      $FileChecksum = Checksum("$TempDir/$FileToCheck");
      if ($FileChecksum eq $RemoteChecksum) {
        # Copy file from temp dir to f-prot dir (no shell, as above)
        system("cp", "$TempDir/$FileToCheck", $FProtRoot);
        print STDERR "Updated $FileToCheck from fallback server.\n"
          unless $quiet;
      } else {
        BailOut("Could not find correct version of $FileToCheck, exiting, $!");
      }
    }
  } else {
    print STDERR "File $FileToCheck is already up to date.\n"
      unless $quiet || $cron;
  }
}

if ($updated) {
  print STDERR "Update completed.\n" unless $quiet;
} else {
  print STDERR "Nothing to be done.\n" unless $cron;
}

# Clean up and exit.
CleanTempDir();
&UnlockFProt();
Sys::Syslog::openlog("F-Prot autoupdate", 'pid, nowait', 'mail');
Sys::Syslog::syslog('info', $updated?"F-Prot successfully updated.":"F-Prot did not need updating.");
Sys::Syslog::closelog();
exit 0;

#########################################################################

#
# Clean up the contents of TempDir
#
sub CleanTempDir {
  opendir(TEMPDIR, $TempDir)
    or BailOut("Could not read directory $TempDir, $!");
  foreach (readdir(TEMPDIR)) {
    next if /^\.\.?$/; # Skip . and ..
    unlink "$TempDir/$_";
  }
  closedir(TEMPDIR);
}

# Find the checksum of a given filename
sub Checksum {
  my($Filename) = @_;
  my($FileChecksum, $Result);

  # Catch case where file does not exist
  return 0 unless -f $Filename;

  if (-x "$FProtRoot/checksum") {
    $FileChecksum = `$FProtRoot/checksum $Filename 0`;
    $Result = $?;
    chomp $FileChecksum;
    $FileChecksum =~ s/^[^=]*=//; # Chop off up to and including "="
    # $? is a wait status; the exit code is in the high byte
    BailOut("$FProtRoot/checksum was not found. It should be in your " .
            "F-Prot package, $!") if ($Result>>8)==127;
    BailOut("Unknown fatal error calling \"checksum\", exiting, $!")
      if $Result;
    return $FileChecksum;
  } else {
    return create_compare_string_for_defs($Filename);
  }
}

# Perl code for new version of checksum
sub create_compare_string_for_defs {
  my ($filename) = @_;
  if (my $file = new IO::File $filename) {
    my $buff = '';
    return undef if ($file->read($buff, 32) != 32);

    # Get file size
    my @fstat = $file->stat();
    my $fsize = $fstat[7];

    $file->close();

    return uc( unpack('H*', $buff) . sprintf("%8.8X", $fsize) );
  }
  return undef;
}

sub DownloadFile {
  my($host, $file) = @_;
  my($result);

  if ($file =~ /^SIGN/) {
    if (!$HaveDownloadedSign) {
      $HaveDownloadedSign = 1;
      chdir $TempDir;
      Fetch($host, 'fp-def.zip');
      print STDERR "Download completed.\n" unless $quiet;
      $result = system("unzip -o fp-def.zip </dev/null >/dev/null 2>&1");
      BailOut("Fatal error while unzipping fp-def.zip, $!") if ($result>>8);
    }
  } else {
    chdir $TempDir;
    Fetch($host, 'macrdef2.zip');
    print STDERR "Download completed.\n" unless $quiet;
    $result = system("unzip -o macrdef2.zip </dev/null >/dev/null 2>&1");
    BailOut("Fatal error while unzipping macrdef2.zip, $!") if ($result>>8);
  }
}

sub Fetch {
  my($ip, $filename) = @_;
  my($r);

  eval {
    alarm("$TIMEOUT"); #Alarm timeout in $TIMEOUT sec's
    $r = system("wget --passive-ftp --tries=3 $ip$filename > /dev/null 2>&1");
    alarm(0); #No timeout - turn off alarm
  };
  BailOut("F-Prot updater timed out. ") if $@ =~ /timeout/ ;
  if ($r>>8) {
    # Download failed so try fallback server
    BailOut("Download of $ip$filename failed, exiting, $!")
      if $ip eq $FallbackServer;
    Fetch($FallbackServer, $filename);
  }
}

sub BailOut {
  &UnlockFProt();
  Sys::Syslog::openlog("F-Prot autoupdate", 'pid, nowait', 'mail');
  Sys::Syslog::syslog('err', @_);
  Sys::Syslog::closelog();
  warn "@_\n";
  chdir $FProtRoot or die "Cannot cd $FProtRoot, $!";
  exit 1;
}

sub LockFProt {
  open(LOCK, ">$LockFile") or return;
  flock(LOCK, $LOCK_EX);
  print LOCK "Locked for updating F-Prot virus files by $$\n";
  $FProtIsLocked = 1;
}

sub UnlockFProt {
  return unless $FProtIsLocked;
  print LOCK "Unlocked after updating F-Prot virus files by $$\n";
  unlink $LockFile;
  flock(LOCK, $LOCK_UN);
  close LOCK;
}
-------------- next part --------------
#!/usr/bin/perl

use Sys::Syslog;

# If you have a web proxy or cache server, put its value in the next line
# in the syntax "full.host.name:port".
$HTTPproxy = "";

$LogFile = "/tmp/ClamAV.update.log";

$ClamUpdateCommand = "/usr/local/bin/freshclam";

$LockFile = "/tmp/ClamAVBusy.lock";

$TIMEOUT = 10; #Timeout in sec's

$LOCK_SH = 1;
$LOCK_EX = 2;
$LOCK_NB = 4;
$LOCK_UN = 8;

eval { Sys::Syslog::setlogsock('unix'); }; # This may fail!
Sys::Syslog::openlog("ClamAV-autoupdate", 'pid, nowait', 'mail');

$SIG{ALRM} = sub { die "timeout" }; # Setup alarm

eval {
  alarm("$TIMEOUT"); #Update timeout in $TIMEOUT sec's
  if (-x $ClamUpdateCommand) {
    &LockClamAV();
    $Command = "$ClamUpdateCommand --quiet -l $LogFile";
    $Command .= " --http-proxy $HTTPproxy" if $HTTPproxy;
    $retval=system($Command)>>8;
  }
  alarm(0); #Turn off alarm
};

if ($@ =~ /timeout/) {
  &UnlockClamAV();
  Sys::Syslog::syslog('err', "ClamAV updater timed out");
  Sys::Syslog::closelog();
  exit 0;
}

&UnlockClamAV();
if ($retval == 0 ) {
  Sys::Syslog::syslog('info', "ClamAV updated");
} elsif ($retval == 1 ) {
  Sys::Syslog::syslog('info', "ClamAV did not need updating");
} else {
  Sys::Syslog::syslog('err', "ClamAV updater failed");
}

Sys::Syslog::closelog();
exit 0;

sub LockClamAV {
  open(LOCK, ">$LockFile") or return;
  flock(LOCK, $LOCK_EX);
  print LOCK "Locked for updating ClamAV definitions by $$\n";
}

sub UnlockClamAV {
  print LOCK "Unlocked after updating ClamAV definitions by $$\n";
  unlink $LockFile;
  flock(LOCK, $LOCK_UN);
  close LOCK;
}

From kevins at BMRB.CO.UK Fri Jul 11 00:29:44 2003
From: kevins at BMRB.CO.UK (Kevin Spicer)
Date: Thu Jan 12 21:18:55 2006
Subject: Where do I start debugging?
In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB001175DB6@pascal.priv.bmrb.co.uk>
References: <5C0296D26910694BB9A9BBFC577E7AB001175DB6@pascal.priv.bmrb.co.uk>
Message-ID: <1057879784.4582.15.camel@bach.kevinspicer.co.uk>

    Spam Actions = attachment
    High Scoring Spam Actions = attachment

It's not clear in the docs, but you also need to specify the deliver
action, i.e.

Spam Actions = attachment deliver
High Scoring Spam Actions = attachment deliver

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000
_________________________________________________________________
This message (and any attachment) is intended only for the
recipient and may contain confidential and/or privileged material.
If you have received this in error, please contact the
sender and delete this message immediately. Disclosure, copying
or other action taken in respect of this email or in
reliance on it is prohibited. BMRB International Limited
accepts no liability in relation to any personal emails, or
content of any email which does not directly relate to our
business.

From raymond at PROLOCATION.NET Fri Jul 11 00:30:30 2003
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:18:55 2006
Subject: Virus Update Scripts with Timeouts
In-Reply-To:
Message-ID:

Julian,

> I use both F-Prot and ClamAV with MailScanner. There are scripts for each
> of these virus scanners which by default are run hourly to check for new
> virus definition files. Unfortunately, if the script is unable to
> complete then MailScanner will cease processing mail until the problem is
> corrected. Mail still is received but nothing is scanned and processed
> for delivery.
>
> I have modified the two update scripts to add a timeout (default=15sec).
> If the script has not completed the connection to the download site before
> the timeout the script is aborted and MailScanner is given back control.

Once you get back, could you adopt this for the other update scripts also ?

Bye,
Raymond.

From TGFurnish at HERFF-JONES.COM Fri Jul 11 00:31:02 2003
From: TGFurnish at HERFF-JONES.COM (Furnish, Trever G)
Date: Thu Jan 12 21:18:55 2006
Subject: Does this mean something's broken?
Message-ID: <8FFC76593085ED4A80D3601BC41EFCDF0C029C@inex1.herffjones.hj-int>

Um, can I safely assume that the following headers should not appear
together on a message, especially one that isn't marked as spam?

X-MailScanner: Found to be clean, Found to be clean
X-MailScanner-SpamCheck: spam, spamcop.net,
        SpamAssassin (score=7.791, required 5.8, BAYES_99 3.01[...snip...]

I'm referring to the fact that the X-MailScanner header says "clean, clean"
even though the spamcheck header says "score=7.791, required 5.8".
If the score is higher than "required", doesn't that mean it's spam?

-t.

From TGFurnish at HERFF-JONES.COM Fri Jul 11 00:37:31 2003
From: TGFurnish at HERFF-JONES.COM (Furnish, Trever G)
Date: Thu Jan 12 21:18:55 2006
Subject: Where do I start debugging?
Message-ID: <8FFC76593085ED4A80D3601BC41EFCDF0C029D@inex1.herffjones.hj-int>

D'OH!!! Thanks. :-)

>-----Original Message-----
>From: Kevin Spicer [mailto:kevins@BMRB.CO.UK]
>Sent: Thursday, July 10, 2003 6:30 PM
>To: MAILSCANNER@JISCMAIL.AC.UK
>Subject: Re: Where do I start debugging?
>
>
>Spam Actions = attachment
>High Scoring Spam Actions = attachment
>
>It's not clear in the docs, but you also need to specify the deliver
>action, i.e.
>
>Spam Actions = attachment deliver
>High Scoring Spam Actions = attachment deliver
>
>
>
>
>BMRB International
>http://www.bmrb.co.uk
>+44 (0)20 8566 5000
>_________________________________________________________________
>This message (and any attachment) is intended only for the
>recipient and may contain confidential and/or privileged
>material. If you have received this in error, please contact the
>sender and delete this message immediately. Disclosure, copying
>or other action taken in respect of this email or in
>reliance on it is prohibited. BMRB International Limited
>accepts no liability in relation to any personal emails, or
>content of any email which does not directly relate to our
>business.
>

From kevins at BMRB.CO.UK Fri Jul 11 00:41:00 2003
From: kevins at BMRB.CO.UK (Kevin Spicer)
Date: Thu Jan 12 21:18:55 2006
Subject: Does this mean something's broken?
In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB001175DBB@pascal.priv.bmrb.co.uk>
References: <5C0296D26910694BB9A9BBFC577E7AB001175DBB@pascal.priv.bmrb.co.uk>
Message-ID: <1057880460.4582.20.camel@bach.kevinspicer.co.uk>

I'm referring to the fact that the X-MailScanner header says "clean,
clean" even though the spamcheck header says "score=7.791, required 5.8".

Found to be clean really means no virus (or virus like exploits etc.)
found, nothing to do with spam. The fact it says 'Found to be clean'
twice suggests it has been through two mailscanners, it may well be that
the spam header was added by the first MailScanner (not yours) and that
one is not configured to add Spam to the subject. IIRC 5.8 isn't the
default score, so unless you've tweaked yours to this then it wasn't
added by you.

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000
_________________________________________________________________
This message (and any attachment) is intended only for the
recipient and may contain confidential and/or privileged
material. If you have received this in error, please contact the
sender and delete this message immediately. Disclosure, copying
or other action taken in respect of this email or in
reliance on it is prohibited. BMRB International Limited
accepts no liability in relation to any personal emails, or
content of any email which does not directly relate to our
business.

From richard_cipher at YAHOO.COM Fri Jul 11 00:40:55 2003
From: richard_cipher at YAHOO.COM (Evert Ford)
Date: Thu Jan 12 21:18:55 2006
Subject: Does this mean something's broken?
In-Reply-To: <8FFC76593085ED4A80D3601BC41EFCDF0C029C@inex1.herffjones.hj-int>
Message-ID:

"Found to be clean" means that it's not infected with a virus.

Evert Ford
Information Analyst
Westone Laboratories
http://www.westone.com

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On
Behalf Of Furnish, Trever G
Sent: Thursday, July 10, 2003 5:31 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Does this mean something's broken?

Um, can I safely assume that the following headers should not appear
together on a message, especially one that isn't marked as spam?

X-MailScanner: Found to be clean, Found to be clean
X-MailScanner-SpamCheck: spam, spamcop.net,
        SpamAssassin (score=7.791, required 5.8, BAYES_99 3.01[...snip...]

I'm referring to the fact that the X-MailScanner header says "clean, clean"
even though the spamcheck header says "score=7.791, required 5.8".

If the score is higher than "required", doesn't that mean it's spam?

-t.

---
Incoming mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.483 / Virus Database: 279 - Release Date: 5/19/03

---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.483 / Virus Database: 279 - Release Date: 5/19/03

From mike at CAMAROSS.NET Fri Jul 11 00:38:48 2003
From: mike at CAMAROSS.NET (Mike Kercher)
Date: Thu Jan 12 21:18:55 2006
Subject: Does this mean something's broken?
In-Reply-To: <8FFC76593085ED4A80D3601BC41EFCDF0C029C@inex1.herffjones.hj-int>
Message-ID: <009301c3473c$6a666090$9c01a8c0@home.middlefinger.net>

What are your Spam Actions = and Sign Messages Already Processed =
values set to?

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On
Behalf Of Furnish, Trever G
Sent: Thursday, July 10, 2003 6:31 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Does this mean something's broken?

Um, can I safely assume that the following headers should not appear
together on a message, especially one that isn't marked as spam?

X-MailScanner: Found to be clean, Found to be clean
X-MailScanner-SpamCheck: spam, spamcop.net,
        SpamAssassin (score=7.791, required 5.8, BAYES_99 3.01[...snip...]

I'm referring to the fact that the X-MailScanner header says "clean, clean"
even though the spamcheck header says "score=7.791, required 5.8".

If the score is higher than "required", doesn't that mean it's spam?

-t.

From mikea at MIKEA.ATH.CX Fri Jul 11 00:42:08 2003
From: mikea at MIKEA.ATH.CX (mikea)
Date: Thu Jan 12 21:18:55 2006
Subject: Where do I start debugging?
In-Reply-To: <8FFC76593085ED4A80D3601BC41EFCDF0C0714@inex1.herffjones.hj-int>; from TGFurnish@HERFF-JONES.COM on Thu, Jul 10, 2003 at 06:19:49PM -0500
References: <8FFC76593085ED4A80D3601BC41EFCDF0C0714@inex1.herffjones.hj-int>
Message-ID: <20030710184208.A34916@mikea.ath.cx>

On Thu, Jul 10, 2003 at 06:19:49PM -0500, Furnish, Trever G wrote:
> Ok, so now I have some spam coming to my filtering domain, but mailscanner
> is behaving unexpectedly and I'm not sure where to look in order to figure
> out why.
>
> I have Log Spam = yes and logging is showing up in syslog, but I'm hoping
> there's more logging going somewhere else I'm not aware of.
>
> I've discovered (by reversing my work in order till everything worked
> again) that these two statements in MailScanner.conf cause it to do bad
> things - messages seem to disappear into the void. Perhaps I should mention
> that this is version 4.21-9.
>
> Any suggestions?
>
> Spam Actions = attachment
> High Scoring Spam Actions = attachment

This was discussed earlier this week; you need to use "attachment
deliver" to have the spam turned into an attachment *and* delivered.

> If I change those back to the default (deliver), then I successfully get
> message subjects tagged as spam, but I'd prefer to have MailScanner
> repackage the messages as attachments.
>
> When I have the actions set to 'attachment', sometimes I even get the syslog
> message that says "actions are attachment". Usually I just get "Spam
> Checks: Starting" and "Virus and Content Scanning: Starting", followed by
> "Uninfected: Delivered" and then sendmail's log entry stating it delivered
> the message.
>
> Most troubling is that even though sendmail logs an entry stating it handed
> off the message, the message doesn't arrive. Not even sure how that could
> be related to mailscanner...

Which of the two sendmails? The inbound sendmail or the outbound one?
How about a set of maillog lines showing complete processing of a
piece of E-mail, from A to Z?

--
Mike Andrews
mikea@mikea.ath.cx
Tired old sysadmin since 1964

From TGFurnish at HERFF-JONES.COM Fri Jul 11 00:43:18 2003
From: TGFurnish at HERFF-JONES.COM (Furnish, Trever G)
Date: Thu Jan 12 21:18:55 2006
Subject: Does this mean something's broken?
Message-ID: <8FFC76593085ED4A80D3601BC41EFCDF0C029E@inex1.herffjones.hj-int>

>-----Original Message-----
>From: Kevin Spicer [mailto:kevins@BMRB.CO.UK]
>Sent: Thursday, July 10, 2003 6:41 PM
>To: MAILSCANNER@JISCMAIL.AC.UK
>Subject: Re: Does this mean something's broken?
>
>
>I'm referring to the fact that the X-MailScanner header says "clean,
>clean"
>even though the spamcheck header says "score=7.791, required 5.8".
>
>Found to be clean really means no virus (or virus like exploits etc.)
>found, nothing to do with spam. The fact it says 'Found to be clean'
>twice suggests it has been through two mailscanners, it may
>well be that
>the spam header was added by the first MailScanner (not yours) and that
>one is not configured to add Spam to the subject. IIRC 5.8 isn't the
>default score, so unless you've tweaked yours to this then it wasn't
>added by you.

Ah - that explains it then. Someone from the list redirecting some spam
they've already caught. I wondered about the 5.8 but I'd never have
realized that was the reason it was different.

Thanks again, Mr. Spicer.

--
Trever

From mike at CAMAROSS.NET Fri Jul 11 00:40:43 2003
From: mike at CAMAROSS.NET (Mike Kercher)
Date: Thu Jan 12 21:18:55 2006
Subject: How can I get some spam?
In-Reply-To: <8FFC76593085ED4A80D3601BC41EFCDF0C029B@inex1.herffjones.hj-int>
Message-ID: <009401c3473c$adf9b960$9c01a8c0@home.middlefinger.net>

I turned mine off :)

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On
Behalf Of Furnish, Trever G
Sent: Thursday, July 10, 2003 6:25 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: How can I get some spam?

LOL - Turn it off now? UNCLE!!! Talk about "ask and ye shall
receive"!!! I've gotten enough.
:-)

Thanks, all. Now if only I hadn't posted to all those usenet groups
already. :-)

>-----Original Message-----
>From: Mike Kercher [mailto:mike@CAMAROSS.NET]
>Sent: Thursday, July 10, 2003 5:40 PM
>To: MAILSCANNER@JISCMAIL.AC.UK
>Subject: Re: How can I get some spam?
>
>
>I'll make that email address the forward action on my High Scoring Spam
>on a couple of machines. If you want this, tell me when to turn it off
>:)
>
>Mike
>
>
>-----Original Message-----
>From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On
>Behalf Of Furnish, Trever G
>Sent: Thursday, July 10, 2003 4:01 PM
>To: MAILSCANNER@JISCMAIL.AC.UK
>Subject: How can I get some spam?
>
>
>:-) Seriously - I need to test a mailscanner subdomain so I need some
>spam.
>:-)
>
>I've clicked a few unsubscribe links (modified to reflect the filter
>testing domain), but now I'm out of spam, so any suggestions
>(specifics, not general
>concepts - got a link?) would be appreciated.
>
>Address that wants spam: tgfurnish@public.herff-jones.com
>
>--
>Trever
>

From TGFurnish at HERFF-JONES.COM Fri Jul 11 00:52:34 2003
From: TGFurnish at HERFF-JONES.COM (Furnish, Trever G)
Date: Thu Jan 12 21:18:55 2006
Subject: Where do I start debugging?
Message-ID: <8FFC76593085ED4A80D3601BC41EFCDF0C0715@inex1.herffjones.hj-int>

>-----Original Message-----
>From: mikea [mailto:mikea@MIKEA.ATH.CX]
>Sent: Thursday, July 10, 2003 6:42 PM
>To: MAILSCANNER@JISCMAIL.AC.UK
>Subject: Re: Where do I start debugging?
>
>> Most troubling is that even though sendmail logs an entry
>> stating it handed
>> off the message, the message doesn't arrive. Not even sure
>> how that could
>> be related to mailscanner...
>
>Which of the two sendmails? The inbound sendmail or the outbound one?
>How about a set of maillog lines showing complete processing of a
>piece of E-mail, from A to Z?
>
>Mike Andrews

Thanks - once I added deliver to the end of the actions, it's passing
messages through again.
Guess I should have done more than just skim the old messages looking
for this one.

I'm still a tad confused by the log entry made by sendmail though that
claims the message was delivered to the next mx server, but I'm going to
attribute that to confusion on my part and pretend it didn't happen
unless I bump into it again.

--
Trever

From cparker at SWATGEAR.COM Fri Jul 11 01:32:06 2003
From: cparker at SWATGEAR.COM (Chris W. Parker)
Date: Thu Jan 12 21:18:55 2006
Subject: anyone noticing a rise in spam?
Message-ID: <001BD19C96E6E64E8750D72C2EA0ECEE2B7D3A@ati-ex-01.ati.local>

Hello,

My boss said to me today "I've noticed that since you put in that spam
filter [about 2 months ago] we've [himself and at least one other
employee] been getting a lot more spam. Most of it gets marked as spam
but there is definitely an increase. Can you find out why?"

Well my immediate reaction is that it's just coincidence and there's no
other reason for it. But I thought I would survey the list and see if
anyone else has any other ideas.

Our email addresses (except for maybe mine) are not plastered on the
internet anymore than they used to be.

Any/all ideas welcome.

Thanks,
Chris.

From forrie at FORRIE.COM Fri Jul 11 01:48:30 2003
From: forrie at FORRIE.COM (Forrest Aldrich)
Date: Thu Jan 12 21:18:55 2006
Subject: anyone noticing a rise in spam?
In-Reply-To: <001BD19C96E6E64E8750D72C2EA0ECEE2B7D3A@ati-ex-01.ati.local >
Message-ID: <5.2.1.1.2.20030710204530.0312ce80@192.168.1.1>

SPAM is generally on the rise. CNN had a commentary about it recently,
about how it's increasing. I've noticed it here, too.

A friend of mine mentioned that some of the more sophisticated spammers
have been hijacking IP space and AS numbers. For example, 9.0.0.0/8
belongs to IBM and is NEVER on a public network (so you can safely filter
that out), and some of the dot.gone companies have seen their IP space
hijacked. It's getting to be quite a mess.

Speaking of which, anyone here see that infamous G-2 Resumes spam? It's
by someone in a nearby city (Framingham, MA -- and rayprotech.com).

FWIW, I've been running spamass-milter with a rejection level of 10 (SA
score) and it's done wonders.

Forrest

At 08:32 PM 7/10/2003, Chris W. Parker wrote:
>Hello,
>
>My boss said to me today "I've noticed that since you put in that spam
>filter [about 2 months ago] we've [himself and at least one other
>employee] been getting a lot more spam. Most of it gets marked as spam but
>there is definitely an increase. Can you find out why?"
>
>Well my immediate reaction is that it's just coincidence and there's no
>other reason for it. But I thought I would survey the list and see if
>anyone else has any other ideas.
>
>Our email addresses (except for maybe mine) are not plastered on the
>internet anymore than they used to be.
>
>Any/all ideas welcome.
>
>
>Thanks,
>Chris.

From mikea at MIKEA.ATH.CX Fri Jul 11 01:52:17 2003
From: mikea at MIKEA.ATH.CX (mikea)
Date: Thu Jan 12 21:18:55 2006
Subject: anyone noticing a rise in spam?
In-Reply-To: <001BD19C96E6E64E8750D72C2EA0ECEE2B7D3A@ati-ex-01.ati.local>; from cparker@SWATGEAR.COM on Thu, Jul 10, 2003 at 05:32:06PM -0700
References: <001BD19C96E6E64E8750D72C2EA0ECEE2B7D3A@ati-ex-01.ati.local>
Message-ID: <20030710195217.A35733@mikea.ath.cx>

On Thu, Jul 10, 2003 at 05:32:06PM -0700, Chris W. Parker wrote:
> Hello,

> My boss said to me today "I've noticed that since you put in that
> spam filter [about 2 months ago] we've [himself and at least one other
> employee] been getting a lot more spam. Most of it gets marked as spam
> but there is definitely an increase. Can you find out why?"

> Well my immediate reaction is that it's just coincidence and there's
> no other reason for it. But I thought I would survey the list and see
> if anyone else has any other ideas.

> Our email addresses (except for maybe mine) are not plastered on the
> internet anymore than they used to be.

> Any/all ideas welcome.

See, among others, for some graphs. The story of Nadine also is of
considerable interest, as it shows how addresses get passed around.

--
Mike Andrews
mikea@mikea.ath.cx
Tired old sysadmin since 1964

From raymond at PROLOCATION.NET Fri Jul 11 01:54:07 2003
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:18:55 2006
Subject: anyone noticing a rise in spam?
In-Reply-To: <5.2.1.1.2.20030710204530.0312ce80@192.168.1.1>
Message-ID:

Hi!

> A friend of mine mentioned that some of the more sophisticated spammers
> have been hijacking IP space and AS numbers. For example, 9.0.0.0/8
> belongs to IBM and is NEVER on a public network (so you can safely filter
> that out), and some of the dot.gone companies have seen their IP space
> hijacked. It's getting to be quite a mess.

On NANOG, one of the lists that network admins use there has been a lot of
talk about hijacked AS numbers and IP ranges. It's not only that particular
block you mention, but much more ... It's a pain.

Bye,
Raymond.

From danieltan at shopnsave.com.sg Fri Jul 11 03:50:47 2003
From: danieltan at shopnsave.com.sg (Daniel Tan)
Date: Thu Jan 12 21:18:55 2006
Subject: mail not moving in mqueue.in
Message-ID: <00af01c34757$3bafa700$3900a8c0@Daniel>

hi,
recently had a major problem with my mail server and had to reinstall
everything from scratch again.
been working till late last night and now i brought the server back to my
office and mailscanner seems unable to process the emails in mqueue.in

permissions....
drwxr-x--- 2 root mail 8192 Jul 11 10:36 mqueue
drwxr-x--- 2 root mail 8192 Jul 11 10:45 mqueue.in

any idea why?

i am using mailscanner-4.22-5 and spamassassin-2.53-1 with f-prot as the
virus scanner

Regards,
Daniel Tan
67469188 Ext.665
DID: 68430665
MIS Department
Shop N Save Pte Ltd
: danieltan@shopnsave.com.sg

[This e-mail is confidential and may also be privileged.
If you are not the intended recipient, please delete it and notify us
immediately; you should not copy or use it for any purpose, nor disclose
its contents to any other person. Thank you.]

From tony.johansson at SVENSKAKYRKAN.SE Fri Jul 11 07:43:38 2003
From: tony.johansson at SVENSKAKYRKAN.SE (Tony Johansson)
Date: Thu Jan 12 21:18:55 2006
Subject: MS Performance
Message-ID:

>I am processing around 600.000 messages on two dual xeon machines, daily,
>with peaks to 800.000-1.000.000 daily. I think MS is doing just fine :)
>
>Most of the time it's a matter of the test setup also that is limiting the
>figures. Also some tweaking on the machines won't harm...
>
>Bye,
>Raymond.

What MTA are you using? I recall an earlier post by Julian where he tested
exim vs sendmail on one of his test machines, getting 3 times the
throughput with exim.
I'm interested in what kind of performance people are getting with sendmail
and MS. I'm about to design a system built on redhat and sendmail which
will handle lots of relaying (500k-1mil email daily approx)

I'd rather use sendmail but if the performance gain with exim really is 3
to 1 that might be the road we have to take.

regards,
Tony

From giampiero.raschetti at POPSO.IT Fri Jul 11 08:04:18 2003
From: giampiero.raschetti at POPSO.IT (Giampiero Raschetti)
Date: Thu Jan 12 21:18:55 2006
Subject: MailScanner not removing virus even though it was found?
In-Reply-To: <20030710181244.GB32608@bud.cs.uky.edu>
References: <20030709023925.GA12072@bud.cs.uky.edu> <20030710181244.GB32608@bud.cs.uky.edu>
Message-ID: <3F0E6172.8090709@popso.it>

Thanks to your work now it works here too.

I had read the warning line about McAfee but I didn't understand if the
links referred to were those where the program resides or those it was
working on.
Anyway till last running release it had always worked with the link
active without any problem.... so why not now ?

Anyway, I have now changed this in MailScanner.conf

# Set where to unpack incoming messages before scanning them
Incoming Work Dir = /home1/spool/MailScanner/incoming

And it works great !!
Thanks again Paul.

Giampiero

Paul Linton wrote:
> Solved. It was simply a matter of trusting the documentation. I had
> read, and ignored, the note about McAfee and symbolic links. So my
> /var/spool/MailScanner/incoming option was really somewhere else. Since
> McAfee was running fine and seeing viruses I didn't think this was an issue.
>
> After a LOT of debugging I tracked it down to the following line(s):
>
> SweepViruses.pm: lines 976-978
>
>         # McAfee prints the whole path as opposed to
>         # ./messages/part so make it the same
>         $lastline =~ s/$BaseDir//;
>
> Since I will be trying to keep my .conf files fairly consistent across
> domains I would like to change that line to be more forgiving. If anyone
> is interested drop me a line and maybe we can convince someone to incorporate
> the change.
>
> - Paul
>
> On Tue, Jul 08, 2003 at 10:39:25PM -0400, Paul Linton wrote:
>
>>I have a brand new install of MailScanner/Spamassassin/McAfee. Most
>>seems to be working fine, with the exception of virus removal. MailScanner
>>calls McAfee and sees the virus, but then happily sends the message on, virus
>>and all, no warning to the recipient, etc. Did I miss something in the .conf
>>file?
>
> --
> Paul Linton Systems Programmer paul@cs.uky.edu
> UofK Department of Computer Science (859) 257-3962

--
Best Regards
__________________________________________________
|o Banca Popolare di Sondrio o|
|o Sistemi Innovativi o|
|o Ing.Giampiero Raschetti o|
|o tel: +39-0342-528876 _ _ _o|
|o http://www.popso.it _ _ _ _ / `-' `-' `.
|o _ _ _ _ _ / `-' `-' `-' `-' `-' `-' `-' `-' `-' `-'

From raymond at PROLOCATION.NET Fri Jul 11 08:06:04 2003
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:18:55 2006
Subject: mail not moving in mqueue.in
In-Reply-To: <00af01c34757$3bafa700$3900a8c0@Daniel>
Message-ID:

Hi!

> permissions....
> drwxr-x--- 2 root mail 8192 Jul 11 10:36 mqueue
> drwxr-x--- 2 root mail 8192 Jul 11 10:45 mqueue.in
>
> any idea why?

How about posting some logs ?

Bye,
Raymond.

From raymond at PROLOCATION.NET Fri Jul 11 08:07:51 2003
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:18:55 2006
Subject: MS Performance
In-Reply-To:
Message-ID:

Hi!

> >I am processing around 600.000 messages on two dual xeon machines, daily,
> >with peaks to 800.000-1.000.000 daily. I think MS is doing just fine :)
> >
> >Most of the time it's a matter of the test setup also that is limiting the
> >figures. Also some tweaking on the machines won't harm...

> I'm interested in what kind of performance people are getting with sendmail
> and MS. I'm about to design a system built on redhat and sendmail which
> will handle lots of relaying (500k-1mil email daily approx)

This is sendmail.

> I'd rather use sendmail but if the performance gain with exim really is 3
> to 1 that might be the road we have to take.

No, tests that i did showed sendmail is able to do about the same, but you
have to tweak sendmail a little for that.

Bye,
Raymond.

From raymond at PROLOCATION.NET Fri Jul 11 08:54:05 2003
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:18:55 2006
Subject: New f-prot minor update
Message-ID:

Hi!

Got linux/MD5SUMS 380 1
Got linux/fp-linux-ws-4.1.1-1.i386.rpm.md5 63 0
Got linux/fp-linux-ws-4.1.1.tar.gz.md5 59 1
Got linux/fp-linux-ws.deb.md5 50 0
Got linux/fp-linux-ws.rpm.md5 50 0
Got linux/fp-linux-ws.tar.gz.md5 53 1
Got linux/fp-linux-ws_4.1.1-1_i386.deb.md5 63 0
Got linux/fp-linux-ws-4.1.1-1.i386.rpm 2095581 7
Got linux/fp-linux-ws-4.1.1.tar.gz 2105643 6
Got linux/fp-linux-ws_4.1.1-1_i386.deb 2091780 6

Seems to work just fine.

Bye,
Raymond.

From andersan at LTKALMAR.SE Fri Jul 11 09:47:37 2003
From: andersan at LTKALMAR.SE (Anders Andersson, IT)
Date: Thu Jan 12 21:18:55 2006
Subject: Regarding striphtml....
Message-ID: <9F18B7DDBA88E544AB1F1995148916661CE65B@lkl63.ltkalmar.se>

Hi

Just got a mail from microsoft technet and the have been stripped from
html.
When I look at the header it says

X-MailScanner-SpamCheck: ej spam, "not spam"
        SpamAssassin (Meddelande större än maximal test storlek) "bigger than maximal test size"

If it's not spam, doesn't that mean that it shouldn't do a "striphtml",
or could it be because the size was too big?
I guess the solution should be to whitelist microsoft mail then?

/Anders

From Kevin.Spicer at BMRB.CO.UK Fri Jul 11 09:51:34 2003
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin)
Date: Thu Jan 12 21:18:55 2006
Subject: Regarding striphtml....
Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0EBF70E@pascal.priv.bmrb.co.uk>

> If it's not spam, doesn't that mean that it shouldn't do a "striphtml",
> or could it be because the size was too big?
> I guess the solution should be to whitelist microsoft mail then?
>

Maybe you are stripping html if it finds iframe/ object-codebase or form
content? (the convert dangerous html to text option)

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000
_________________________________________________________________
This message (and any attachment) is intended only for the
recipient and may contain confidential and/or privileged
material.
If you have received this in error, please contact the
sender and delete this message immediately. Disclosure, copying
or other action taken in respect of this email or in
reliance on it is prohibited. BMRB International Limited
accepts no liability in relation to any personal emails, or
content of any email which does not directly relate to our
business.

From andersan at LTKALMAR.SE Fri Jul 11 09:55:16 2003
From: andersan at LTKALMAR.SE (Anders Andersson, IT)
Date: Thu Jan 12 21:18:55 2006
Subject: SV: Regarding striphtml....
Message-ID: <9F18B7DDBA88E544AB1F1995148916661CE65C@lkl63.ltkalmar.se>

> -----Original Message-----
> From: Spicer, Kevin [mailto:Kevin.Spicer@BMRB.CO.UK]
> Sent: 11 July 2003 10:52
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: Regarding striphtml....
>
>
> > If it's not spam, doesn't that mean that it shouldn't do a "striphtml" or
> > could it be because the size was too big. I guess the
> solution should
> > be to whitelist microsoft mail then?
> >
> Maybe you are stripping html if it finds iframe/
> object-codebase or form content? (the convert dangerous html
> to text option)

Thanks, checked config and

Convert Dangerous HTML To Text = yes

Damn, I was hoping not to have to start using rules to keep it as simple
as possible but I guess I might have to go there...

Thanks again

From maxsec at TOTALISE.CO.UK Fri Jul 11 09:57:35 2003
From: maxsec at TOTALISE.CO.UK (Martin Hepworth)
Date: Thu Jan 12 21:18:55 2006
Subject: anyone noticing a rise in spam?
In-Reply-To: <001BD19C96E6E64E8750D72C2EA0ECEE2B7D3A@ati-ex-01.ati.local>
References: <001BD19C96E6E64E8750D72C2EA0ECEE2B7D3A@ati-ex-01.ati.local>
Message-ID: <3F0E7BFF.10004@totalise.co.uk>

Chris W. Parker wrote:
> Hello,
>
> My boss said to me today "I've noticed that since you put in that spam filter [about 2 months ago] we've [himself and at least one other employee] been getting a lot more spam. Most of it gets marked as spam but there is definitely an increase. Can you find out why?"
>
> Well my immediate reaction is that it's just coincidence and there's no other reason for it. But I thought I would survey the list and see if anyone else has any other ideas.
>
> Our email addresses (except for maybe mine) are not plastered on the internet anymore than they used to be.
>
> Any/all ideas welcome.
>
>
> Thanks,
> Chris.

Chris

Yes, it's gone up rapidly over the last 6 months.

two years ago we had 250 users on email and around 2,500 emails per week
last year we had 200 users on email and around 7,000 emails per week
now we have 150 users on email and 24,000 emails per week. (85% of which
is spam).

yes the average number of emails per user is rising, but mostly I be
eating spam this year! The increase is almost purely spam.

--
martin (at home)

From P.G.M.Peters at utwente.nl Fri Jul 11 10:15:52 2003
From: P.G.M.Peters at utwente.nl (Peter Peters)
Date: Thu Jan 12 21:18:55 2006
Subject: How can I get some spam?
In-Reply-To: <8FFC76593085ED4A80D3601BC41EFCDF0C0712@inex1.herffjones.hj-int>
References: <8FFC76593085ED4A80D3601BC41EFCDF0C0712@inex1.herffjones.hj-int>
Message-ID:

On Thu, 10 Jul 2003 16:57:54 -0500, you wrote:

>Well, yes, thanks, but I'm also hoping to test rbl lookups and I'm thinking
>that would be difficult if I'm sending the spam myself.

Use xx.countries.nerd.dk as your rbl. It lists all IPv4 addresses.

--
Peter Peters, senior netwerkbeheerder
Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE)
Universiteit Twente, Postbus 217, 7500 AE Enschede
telefoon: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/civ

From dot at DOTAT.AT Fri Jul 11 10:59:04 2003
From: dot at DOTAT.AT (Tony Finch)
Date: Thu Jan 12 21:18:55 2006
Subject: Quick Exim question
In-Reply-To:
Message-ID:

Mike Oliveri wrote:
>
>Because my current config is only running with one config file, I only have
>one spool directory: /var/spool/exim/input/* The new config files will
>have an input directory of /var/spool/exim.in/input/*, but of course they
>do not exist yet. The MailScanner Exim configure page says I should create
>all the subdirectories of ../input before running MailScanner.

MailScanner's much happier if all the directories it needs exist before it
starts. There's not much point in taking shortcuts. My Exim setup script
does

        for exim in exim exim.in
        do
                for split in \
                        a b c d e f g h i j k l m \
                        n o p q r s t u v w x y z \
                        A B C D E F G H I J K L M \
                        N O P Q R S T U V W X Y Z \
                        0 1 2 3 4 5 6 7 8 9
                do
                        run mkdir -p /var/spool/$exim/input/$split
                done
                run chown -R exim:exim /var/spool/$exim
                run chmod -R 0750 /var/spool/$exim
        done

Tony.
--
f.a.n.finch http://dotat.at/
ST DAVIDS HEAD TO COLWYN BAY, INCLUDING ST GEORGES CHANNEL: WEST 4 LOCALLY 5,
VEERING NORTHWEST TO WEST 2 OR 3 LOCALLY 4. ISOLATED SHOWERS IN THE NORTH
OTHERWISE MAINLY FAIR. MAINLY GOOD. SLIGHT TO MODERATE.

From john at TRADOC.FR Fri Jul 11 12:26:08 2003
From: john at TRADOC.FR (John Wilcock)
Date: Thu Jan 12 21:18:55 2006
Subject: Virus Update Scripts with Timeouts
In-Reply-To:
References:
Message-ID: <2h7tgv47fou2pstqnigrap4ujd7n7tmgrt@tradoc.fr>

On Thu, 10 Jul 2003 19:28:37 -0400, Gerry Doris wrote:
> I have modified the two update scripts to add a timeout (default=15sec).
> If the script has not completed the connection to the download site before
> the timeout the script is aborted and MailScanner is given back control.

I've tried these new scripts here on a redhat 9 box - they work fine
if called directly from a shell prompt, but for some reason don't log
the usual updated / does not need updating information to the syslog
when called from Julian's cron.hourly script. Any ideas?

John.
--
-- Over 2000 webcams from ski resorts around the world - http://www.snoweye.com/
-- Translate your technical documents and web pages - http://www.tradoc.fr/

From myr at HTW-SAARLAND.DE Fri Jul 11 12:46:34 2003
From: myr at HTW-SAARLAND.DE (Margit Meyer)
Date: Thu Jan 12 21:18:55 2006
Subject: Notify sender and postmaster
Message-ID:

Hi all,

I'm using MailScanner 4.22-5 and I want to notify senders and postmaster
if a virus is sent or caught. I made the following settings:

Notify Senders = yes
Send Notices = yes
Notices From = MailScanner
Notices To = postmaster@htw-saarland.de
Local Postmaster = postmaster@htw-saarland.de
%report-dir% = /opt/MailScanner/etc/reports/de
Sender Virus Report = %report-dir%/sender.virus.report.txt

But there are neither notifies to the senders nor to postmaster. No error
messages about not being able to send notifications appear in the syslog.
But the rest works fine :-))

What could be wrong?

Regards
Margit

From gerry at DORFAM.CA Fri Jul 11 13:36:54 2003
From: gerry at DORFAM.CA (Gerry Doris)
Date: Thu Jan 12 21:18:55 2006
Subject: Virus Update Scripts with Timeouts
In-Reply-To: <2h7tgv47fou2pstqnigrap4ujd7n7tmgrt@tradoc.fr>
Message-ID:

On Fri, 11 Jul 2003, John Wilcock wrote:

> On Thu, 10 Jul 2003 19:28:37 -0400, Gerry Doris wrote:
> > I have modified the two update scripts to add a timeout (default=15sec).
> > If the script has not completed the connection to the download site before
> > the timeout the script is aborted and MailScanner is given back control.
>
> I've tried these new scripts here on a redhat 9 box - they work fine
> if called directly from a shell prompt, but for some reason don't log
> the usual updated / does not need updating information to the syslog
> when called from Julian's cron.hourly script. Any ideas?
>
> John.

I'm using a Redhat 7.3 box and don't have RH 9 to test with.

When I run "update_virus_scanners" from the command line I see the correct
logging in /var/log/maillog. It also works correctly when run from the
cron.hourly script.

Perhaps someone with a RH 9 box can try them and let us know if it works
for them.

--
Gerry

"The lyfe so short, the craft so long to learne" Chaucer

From P.G.M.Peters at utwente.nl Fri Jul 11 13:43:11 2003
From: P.G.M.Peters at utwente.nl (Peter Peters)
Date: Thu Jan 12 21:18:55 2006
Subject: Notify sender and postmaster
In-Reply-To:
References:
Message-ID: <64ctgvgpgfa0ri26ckvrkti8knuasg1c90@4ax.com>

On Fri, 11 Jul 2003 12:46:34 +0100, you wrote:

>Notify Senders = yes
>Send Notices = yes
>Notices From = MailScanner
                ^^^^^^ No domain?
>Notices To = postmaster@htw-saarland.de
>Local Postmaster = postmaster@htw-saarland.de
>%report-dir% = /opt/MailScanner/etc/reports/de
>Sender Virus Report = %report-dir%/sender.virus.report.txt
>
>But there are neither notifies to the senders nor to postmaster. No error
>messages about not being able to send notifications appear in the syslog.

I have had this in another situation (not MS related) where the
mailserver did not accept the from-address because he knew it didn't
exist. Neither could he return a bounce because the address did not
exist.

--
Peter Peters, senior network administrator
Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE)
Universiteit Twente, Postbus 217, 7500 AE Enschede
telephone: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/civ

From combs at magnet.fsu.edu Fri Jul 11 14:58:13 2003
From: combs at magnet.fsu.edu (Tom Combs)
Date: Thu Jan 12 21:18:55 2006
Subject: Allow multiple filename extensions?
Message-ID: <200307111358.h6BDwDM8028514@osprey.magnet.fsu.edu>

Hello,

I'm not clear on the need for denying multiple filename extensions.
It seems if an attachment contained a virus, it would be checked by
the virus scanner and either caught or cleared regardless of the
extension. Does having multiple filename extensions somehow
circumvent this process?

I'm considering dropping this ruleset:

deny \.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$ Found possible filename hiding Attempt to hide real filename extension

Is this a mistake?

Thanks for the help!

--Tom Combs

--
Tom Combs                                   E-mail: combs@magnet.fsu.edu
National High Magnetic Field Laboratory     Phone: (850) 644-1657
1800 E. Paul Dirac Drive
Tallahassee, FL 32310

From mikea at MIKEA.ATH.CX Fri Jul 11 15:09:12 2003
From: mikea at MIKEA.ATH.CX (mikea)
Date: Thu Jan 12 21:18:55 2006
Subject: Allow multiple filename extensions?
In-Reply-To: <200307111358.h6BDwDM8028514@osprey.magnet.fsu.edu>; from combs@magnet.fsu.edu on Fri, Jul 11, 2003 at 09:58:13AM -0400
References: <200307111358.h6BDwDM8028514@osprey.magnet.fsu.edu>
Message-ID: <20030711090912.A38157@mikea.ath.cx>

On Fri, Jul 11, 2003 at 09:58:13AM -0400, Tom Combs wrote:
> Hello,
>
> I'm not clear on the need for denying multiple filename extensions.
> It seems if an attachment contained a virus, it would be checked by
> the virus scanner and either caught or cleared regardless of the
> extension. Does having multiple filename extensions somehow
> circumvent this process?
>
> I'm considering dropping this ruleset:
>
> deny \.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$ Found possible filename hiding
> Attempt to hide real filename extension
>
>
> Is this a mistake?

I had to drop it at the day job, where we have lots of people sending in
files with names like IH35.Moore.C03-192045.wpd. Each piece of that
filename has meaning, and it's much less inconvenient to accept the mild
risk of passing multicomponent filenames than it is to force the users to
adhere to 8.3 names -- if I could even try to do so. I know from 25 years
here that any attempt to force that would be doomed to spectacular failure.

But each installation is different, and others may differ with either or
both of us.

--
Mike Andrews
mikea@mikea.ath.cx
Tired old sysadmin since 1964

From howard at harper-adams.ac.uk Fri Jul 11 15:21:20 2003
From: howard at harper-adams.ac.uk (Howard Robinson)
Date: Thu Jan 12 21:18:55 2006
Subject: Allow multiple filename extensions?
In-Reply-To: <20030711090912.A38157@mikea.ath.cx>
References: <200307111358.h6BDwDM8028514@osprey.magnet.fsu.edu>; from combs@magnet.fsu.edu on Fri, Jul 11, 2003 at 09:58:13AM -0400
Message-ID: <200307111419.h6BEJqUr010191@blackhole.harper-adams.ac.uk>

On 11 Jul 03, at 9:09, mikea wrote:

Hello
I block all > single extensions and exe etc.
If users can't use sensible names that's their problem. A little
education can help and those that don't/won't understand are the
very ones that may run something nasty.
It would be better if the hide known extensions in windows was
removed so that the true filename was always shown.

> On Fri, Jul 11, 2003 at 09:58:13AM -0400, Tom Combs wrote:
> > Hello,
> >
> > I'm not clear on the need for denying multiple filename extensions. It
> > seems if an attachment contained a virus, it would be checked by the
> > virus scanner and either caught or cleared regardless of the
> > extension. Does having multiple filename extensions somehow
> > circumvent this process?
> > > > I'm considering dropping this ruleset: > > > > deny \.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$ Found possible filename > > hiding > > Attempt to hide real filename extension > > > > > > Is this a mistake? > > I had to drop it at the day job, where we have lots of people sending in > files with names like IH35.Moore.C03-192045.wpd. Each piece of that > filename has meaning, and it's much less inconvenient to accept the mild > risk of passing multocomponent filenames than it is to force the users to > adhere to 8.3 names -- if I could even try to do so. I know from 25 years > here that any attempt to force that would be doomed to spectacular > failure. > > But each installation is different, and others may differ with either or > both of us. > > -- > Mike Andrews > mikea@mikea.ath.cx > Tired old sysadmin since 1964 Regards Howard Robinson (Senior Technical Development Officer) Harper Adams University College Edgmond Newport Shropshire TF10 8NB UK E-mail: hrobinson@harper-adams.ac.uk Tel. : +44(0)1952 820280 Via switchboard : +44(0)1952 815253 Direct line Fax. : +44(0)1952 814783 College Web site http://www.harper-adams.ac.uk From Antony at SOFT-SOLUTIONS.CO.UK Fri Jul 11 15:21:45 2003 From: Antony at SOFT-SOLUTIONS.CO.UK (Antony Stone) Date: Thu Jan 12 21:18:55 2006 Subject: Allow multiple filename extensions? In-Reply-To: <200307111358.h6BDwDM8028514@osprey.magnet.fsu.edu> References: <200307111358.h6BDwDM8028514@osprey.magnet.fsu.edu> Message-ID: <200307111421.h6BELoW02305@Beryl.Rockstone.co.uk> On Friday 11 July 2003 2:58 pm, Tom Combs wrote: > Hello, > > I'm not clear on the need for denying multiple filename extensions. > It seems if an attachment contained a virus, it would be checked by > the virus scanner and either caught or cleared regardless of the > extension. Does having multiply filename extensions somehow > circumvent this process? 
> > I'm considering dropping this ruleset: > > deny \.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$ Found possible filename > hiding Attempt to hide real filename extension > > Is this a mistake? I have removed this rule from my systems - I am happy simply to block the explicit final extensions which I know can be dangerous. I look at it this way: 1. If the final extension is on my 'blocked' list, the email gets blocked and I don't care if there was a double extension. 2. If the final extension is not on my 'blocked' list, then allow the email, because it's not going to do anything dangerous on a Windoze machine which acts on that final extension anyway. If anyone knows of a reason why this could be a dangerous policy, please tell me :) Regards, Antony. -- G- GIT/E d- s+:--(-) a+ C++++$ UL++++$ P+(---)>++ L+++(++++)$ !E W(-) N(-) o? w-- O !M V+++(--) !PS !PE Y+ PGP+> t- tv@ b+++ DI++ D--- e++>+++ h++ r@? 5? !X- !R K--? From Peter.Bates at LSHTM.AC.UK Fri Jul 11 15:27:22 2003 From: Peter.Bates at LSHTM.AC.UK (Peter Bates) Date: Thu Jan 12 21:18:55 2006 Subject: Mailscanner + Postfix Message-ID: Hello all... Bit slow to reply on this one, been a bit distracted... >I am only a new person at this but on the face of it there would appear >to be two ways that my be better at doing this but I am not at all sure if >they would work with MailScanner. >1 is to use the 'content_filter=' directive in /etc/postfix/main.cf. I would >guess that this is a NO but thought I would ask!! Yes. This is is a NO ;) The Postfix content_filter explicitly works on the basis that the 'filter' re-injects mail into Postfix using SMTP. If you really want to do this, Amavis does it, but compared to MailScanner, Amavis is... well. >2. Would it be possible to adapt the process used for anomy as detailed >on: >http://advosys.ca/papers/postfix-filtering.html ? .....creating a filter >script to move the files/invoke mailscanner and define this script as a >new service in /etc/postfix/master.cf? 
This looks to be the way that old versions of Amavis used to work,
before it became a horrendous SMTP-server emulating (badly) monster.
It doesn't really differ tremendously from the content_filter method.

I'm running a solitary instance of Postfix method in production,
suggested by another member of the list.

I have header_checks defined in main.cf:

header_checks = pcre:/etc/postfix/header_checks

And then, in there I have:

/^Received:.*by .*\.lshtm.ac.uk \(Postfix\)/ HOLD

As a result of this, any mail being relayed through the system (which
results in a 'Received:' header being added), gets 'held' which puts the
mail in:

/var/spool/postfix/hold

so I have

Incoming Queue Dir = /var/spool/postfix/hold

in MailScanner.conf.

Outgoing is as normal:

Outgoing Queue Dir = /var/spool/postfix/incoming

... and this works.

Locally generated messages (like cron reports) from the box itself bypass
this whole thing, but my box is a gateway with no local users.

I had to adopt this method because I was using address verification, and
the method that employs deferring the queues doesn't work too nicely with
this (the address checks get deferred). This problem is fixed in newer
versions of Postfix (you can specify the 'verify' service as having a
different transport), but I'm still happier only running one version of
Postfix.

The main weirdness with similar methods and things like Amavis is ending
up with essentially two 'chains' of activity in a log, where a message is
received, and then re-injected after scanning. With the above, log
analysis is now a lot easier.

...

--------------------------------------------------------------------------------------------------->
Peter Bates, Systems Support Officer, Network Support Team.
London School of Hygiene & Tropical Medicine.
Telephone:0207-958 8353 / Fax: 0207- 636 9838 From mdunder at GE.UCL.AC.UK Fri Jul 11 15:33:04 2003 From: mdunder at GE.UCL.AC.UK (Mike Dunderdale) Date: Thu Jan 12 21:18:55 2006 Subject: Allow multiple filename extensions? In-Reply-To: <200307111421.h6BELoW02305@Beryl.Rockstone.co.uk> References: <200307111358.h6BDwDM8028514@osprey.magnet.fsu.edu> <200307111421.h6BELoW02305@Beryl.Rockstone.co.uk> Message-ID: The reason that the double extensions are disallowed is because it's a known method of trying to fool users, in particular Outlook Express, into running programs. Certain windows programs only show the first of the two extensions, thus fooling the user into thinking that they're opening one sort of file (eg a document .doc) instead of opening a nasty script (.vbs) That's the sort of attack which may not be a virus per se, but will still do nasty things to your users computer. Hence the double extension rule. I'd just encourage your users to put it all into a correctly named zip file - bypassing this kind of check and reducing bandwidth into the bargain. M. On Fri, 11 Jul 2003, Antony Stone wrote: > On Friday 11 July 2003 2:58 pm, Tom Combs wrote: > > > Hello, > > > > I'm not clear on the need for denying multiple filename extensions. > > It seems if an attachment contained a virus, it would be checked by > > the virus scanner and either caught or cleared regardless of the > > extension. Does having multiply filename extensions somehow > > circumvent this process? > > > > I'm considering dropping this ruleset: > > > > deny \.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$ Found possible filename > > hiding Attempt to hide real filename extension > > > > Is this a mistake? > > I have removed this rule from my systems - I am happy simply to block the > explicit final extensions which I know can be dangerous. > > I look at it this way: > > 1. If the final extension is on my 'blocked' list, the email gets blocked and > I don't care if there was a double extension. > > 2. 
If the final extension is not on my 'blocked' list, then allow the email, > because it's not going to do anything dangerous on a Windoze machine which > acts on that final extension anyway. > > If anyone knows of a reason why this could be a dangerous policy, please tell > me :) > > Regards, > > Antony. > > -- > > G- GIT/E d- s+:--(-) a+ C++++$ UL++++$ P+(---)>++ L+++(++++)$ !E W(-) N(-) o? > w-- O !M V+++(--) !PS !PE Y+ PGP+> t- tv@ b+++ DI++ D--- e++>+++ h++ r@? 5? > !X- !R K--? > ------------------------------------------------------------------------- Mike Dunderdale | tel: ++44 20 7679 2756 IT Systems Manager, Geomatic Engineering | fax: ++44 20 7380 0453 mike.dunderdale@ge.ucl.ac.uk | mob: ++44 7939 455 245 From Antony at SOFT-SOLUTIONS.CO.UK Fri Jul 11 15:35:00 2003 From: Antony at SOFT-SOLUTIONS.CO.UK (Antony Stone) Date: Thu Jan 12 21:18:55 2006 Subject: Allow multiple filename extensions? In-Reply-To: <200307111419.h6BEJqUr010191@blackhole.harper-adams.ac.uk> References: <200307111358.h6BDwDM8028514@osprey.magnet.fsu.edu> <200307111419.h6BEJqUr010191@blackhole.harper-adams.ac.uk> Message-ID: <200307111435.h6BEZ5W04953@Beryl.Rockstone.co.uk> On Friday 11 July 2003 3:21 pm, Howard Robinson wrote: > On 11 Jul 03, at 9:09, mikea wrote: > Hello > I block all > single extensions and exe etc. > If users can't use sensible names that's their problem. I disagree with this. I think that multiple extensions on filenames are perfectly sensible (eg Forecast.aug.xls, or kernel.tar.bz2) and should not be discouraged. It is only the CP/M - Dos - Windows mentality that places such emphasis on the last three letters and a dot at the end of a filename which causes any confusion - Unix people have been using multiple extensions for years with no problems. > A little > education can help and those that don't/won't understand are the > very ones that may run something nasty. 
Surely they can only run something nasty if the *final* extension is one of exe, com, bat, pif, scr etc - and those are the ones which you (hopefully) block anyway using the other rules? > It would be better is if the hide known extensions in windows was > removed so that the true filename was always shown. I agree :)) However, let's stick to a reasonable objective please :) Regards, Antony. -- If you think you see a Heffalump in a trap, make sure it isn't really a Bear with an empty honey jar stuck on his head. From Antony at SOFT-SOLUTIONS.CO.UK Fri Jul 11 15:38:34 2003 From: Antony at SOFT-SOLUTIONS.CO.UK (Antony Stone) Date: Thu Jan 12 21:18:55 2006 Subject: Allow multiple filename extensions? In-Reply-To: References: <200307111358.h6BDwDM8028514@osprey.magnet.fsu.edu> <200307111421.h6BELoW02305@Beryl.Rockstone.co.uk> Message-ID: <200307111438.h6BEcdW05508@Beryl.Rockstone.co.uk> On Friday 11 July 2003 3:33 pm, Mike Dunderdale wrote: > The reason that the double extensions are disallowed is because it's a > known method of trying to fool users, in particular Outlook Express, into > running programs. Certain windows programs only show the first of the two > extensions, thus fooling the user into thinking that they're opening one > sort of file (eg a document .doc) instead of opening a nasty script (.vbs) Oh, I understand the reason for the rule, yes, but my point is that it's only the *final* extension (which may be hidden from the end user, but gets examined by MailScanner) which determines whether it really is dangerous or not. Eg: an attachment document.doc.scr should get blocked because it ends in .scr, agreed, but an attachment forecast.aug.xls should not be blocked, because there's nothing wrong with .xls files. In either case there's no need to examine more than the final extension. Regards, Antony. -- Abandon hope, all ye who enter here. You'll feel much better about things once you do. 
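
Added example (not part of any list post, and not MailScanner's own code): the rule under discussion and the final-extension-only policy, evaluated over filenames named in this thread. It assumes rules are tried in order with the first match deciding, that matching ignores case, and that unmatched names are allowed; the safe-extension list and the name report.doc.vbs are constructed for illustration.

```python
import re

# The double-extension rule quoted in the thread, verbatim.
DOUBLE_EXT = r"\.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$"
# Final extensions named in the thread as dangerous: exe, com, bat, pif, scr.
DANGEROUS_FINAL = r"\.(exe|com|bat|pif|scr)$"
# Assumption: a site-chosen list of known-safe final extensions.
SAFE_FINAL = r"\.(doc|pdf|xls|wpd|bz2)$"

DENY_FINAL = ("deny", DANGEROUS_FINAL, "dangerous final extension")
DENY_DOUBLE = ("deny", DOUBLE_EXT, "possible filename hiding")
ALLOW_SAFE = ("allow", SAFE_FINAL, "known-safe final extension")


def build(*rules):
    """Compile (action, pattern, label) triples, case-insensitive (assumed)."""
    return [(action, re.compile(pattern, re.IGNORECASE), label)
            for action, pattern, label in rules]


# Three rule orderings argued for in the thread.
POLICIES = {
    # Explicit blocklist followed by the double-extension rule.
    "with_double_rule": build(DENY_FINAL, DENY_DOUBLE),
    # Double-extension rule commented out; only the final extension counts.
    "final_only": build(DENY_FINAL),
    # Known-safe final extensions allowed above the double-extension rule.
    "safe_list_first": build(DENY_FINAL, ALLOW_SAFE, DENY_DOUBLE),
}


def evaluate(rules, filename):
    """Return (action, label) of the first matching rule; default is allow."""
    for action, regex, label in rules:
        if regex.search(filename):
            return action, label
    return "allow", "no rule matched"


# Filenames taken from the thread, plus one constructed name.
SAMPLES = [
    "document.doc.scr",
    "info.txt.exe",
    "Forecast.aug.xls",
    "kernel.tar.bz2",
    # Middle components longer than four characters fall outside {2,3},
    # so the double-extension rule does not fire on this name.
    "IH35.Moore.C03-192045.wpd",
    # Constructed: .vbs is mentioned in the thread but is not on the
    # five-extension blocklist above.
    "report.doc.vbs",
]


def compare(filenames=SAMPLES):
    """Map each filename to the verdict every policy gives it."""
    return {name: {policy: evaluate(rules, name)[0]
                   for policy, rules in POLICIES.items()}
            for name in filenames}


def disagreements(filenames=SAMPLES):
    """Filenames on which the policies do not all reach the same verdict."""
    table = compare(filenames)
    return [name for name in filenames if len(set(table[name].values())) > 1]


if __name__ == "__main__":
    for name, verdicts in compare().items():
        print(f"{name:28} {verdicts}")
    print("policies disagree on:", disagreements())
```

The three names the policies disagree on are the trade-off argued in this thread: two false positives when the rule is kept, and one script extension absent from the blocklist when it is dropped.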
From mikea at MIKEA.ATH.CX Fri Jul 11 15:42:34 2003 From: mikea at MIKEA.ATH.CX (mikea) Date: Thu Jan 12 21:18:55 2006 Subject: Allow multiple filename extensions? In-Reply-To: <200307111435.h6BEZ5W04953@Beryl.Rockstone.co.uk>; from Antony@SOFT-SOLUTIONS.CO.UK on Fri, Jul 11, 2003 at 03:35:00PM +0100 References: <200307111358.h6BDwDM8028514@osprey.magnet.fsu.edu> <200307111419.h6BEJqUr010191@blackhole.harper-adams.ac.uk> <200307111435.h6BEZ5W04953@Beryl.Rockstone.co.uk> Message-ID: <20030711094234.A38308@mikea.ath.cx> On Fri, Jul 11, 2003 at 03:35:00PM +0100, Antony Stone wrote: > On Friday 11 July 2003 3:21 pm, Howard Robinson wrote: > > > On 11 Jul 03, at 9:09, mikea wrote: > > Hello > > I block all > single extensions and exe etc. > > If users can't use sensible names that's their problem. Actually I did *not* write that; someone else wrote it in response to my post to the list. I'm not about to impose my definition of "sensible names" on my user community. We provide a computing, file storage, and file transfer utility service, and not some procrustean bed into which we force all the users by stretching the short ones and trimming the long ones. It's there so that they can get *their* work done, and where we don't have to get in the way, we have no business getting in the way. Again, your shop may be different. Those are the rules for *my* shop. I wrote them over a period of 25 years. -- Mike Andrews mikea@mikea.ath.cx Tired old sysadmin since 1964 From dot at DOTAT.AT Fri Jul 11 15:32:56 2003 From: dot at DOTAT.AT (Tony Finch) Date: Thu Jan 12 21:18:55 2006 Subject: Allow multiple filename extensions? In-Reply-To: Message-ID: Tom Combs wrote: > > I'm not clear on the need for denying multiple filename extensions. > It seems if an attachment contained a virus, it would be checked by > the virus scanner and either caught or cleared regardless of the > extension. Does having multiply filename extensions somehow > circumvent this process? 
It's aimed more at social engineering attacks, or as a backup protection
strategy for the time between a virus getting out and the scanner database
being updated. The problem is that Windows often hides a file's extension
which means names like info.txt.exe might fool users.

To reduce the number of false positives I've added more known-safe file
extensions to the list, e.g. .doc, .pdf, etc.

Tony.
--
f.a.n.finch http://dotat.at/
FISHER: WEST VEERING NORTHWEST 4 OR 5, INCREASING 6. SHOWERS. GOOD.

From lvargas at CFT.COM.MX Fri Jul 11 17:45:10 2003
From: lvargas at CFT.COM.MX (Luis Amado Vargas)
Date: Thu Jan 12 21:18:55 2006
Subject: Uninstall Mailscanner
Message-ID: <000d01c347cb$cdf19280$0402a8c0@ATILVARGAS>

How to uninstall mailscanner from Raq4.

Thks.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030711/ff53e021/attachment.html

From mikea at MIKEA.ATH.CX Fri Jul 11 15:51:28 2003
From: mikea at MIKEA.ATH.CX (mikea)
Date: Thu Jan 12 21:18:55 2006
Subject: Uninstall Mailscanner
In-Reply-To: <000d01c347cb$cdf19280$0402a8c0@ATILVARGAS>; from lvargas@CFT.COM.MX on Fri, Jul 11, 2003 at 09:45:10AM -0700
References: <000d01c347cb$cdf19280$0402a8c0@ATILVARGAS>
Message-ID: <20030711095128.B38308@mikea.ath.cx>

On Fri, Jul 11, 2003 at 09:45:10AM -0700, Luis Amado Vargas wrote:
> How to uninstall mailscanner from Raq4.

1. Put your sendmail (or other MTA) configuration back the way it was;
2. undo any changes you made to the boot-time startup scripts
   (/etc/init.d or whatever);
3. stop all MailScanner and MTA instances;
4. start your MTA the way you used to do it;
5. remove the directory that MailScanner installed to
   (/opt/MailScanner on my systems).

I may have missed something. In any event, reverse the actions you took
to install MailScanner; use the MailScanner install documentation to see
what needs to be undone and how.

What went wrong that you're uninstalling?
-- Mike Andrews mikea@mikea.ath.cx Tired old sysadmin since 1964 From moliveri at uti.com Fri Jul 11 16:03:39 2003 From: moliveri at uti.com (Mike Oliveri) Date: Thu Jan 12 21:18:55 2006 Subject: Quick Exim question References: Message-ID: <008701c347bd$9c8c5760$2a35f8cc@poseidon> I've got a currently-working Exim configuration; would I just go ahead and run the Exim setup script again to populate a new exim.in spool directory? Of course, that's assuming I can find the Exim setup script the last admin used... I'm still rather new to Exim and I'm running 3.36 on FreeBSD. I did fire up MailScanner yesterday after moving everything to that exim.in directory and ended up with an error message after all. Outlook Express simply reported refused connections, but Pine said it was unable to create /var/spool/exim.in. I assume it's related to the above directory problems, as the permissions on exim and exim.in match. Would simply eliminating the split spool functionality avoid this problem altogether? Take care, Mike Oliveri Systems Administrator UTI Systems, Inc. moliveri@uti.com 815-941-4555 ----- Original Message ----- From: "Tony Finch" To: Sent: Friday, July 11, 2003 4:59 AM Subject: Re: Quick Exim question > Mike Oliveri wrote: > > > >Because my current config is only running with one config file, I only have > >one spool directory: /var/spool/exim/input/* The new config files will > >have an input directory of /var/spool/exim.in/input/*, but of course they > >do not exist yet. The MailScanner Exim configure page says I should create > >all the subdirectories of ../input before running MailScanner. > > MailScanner's much happier if all the directories it needs exist before it > starts. There's not much point in taking shortcuts. 
My Exim setup script does > > for exim in exim exim.in > do > for split in \ > a b c d e f g h i j k l m \ > n o p q r s t u v w x y z \ > A B C D E F G H I J K L M \ > N O P Q R S T U V W X Y Z \ > 0 1 2 3 4 5 6 7 8 9 > do > run mkdir -p /var/spool/$exim/input/$split > done > run chown -R exim:exim /var/spool/$exim > run chmod -R 0750 /var/spool/$exim > done > > Tony. > -- > f.a.n.finch http://dotat.at/ > ST DAVIDS HEAD TO COLWYN BAY, INCLUDING ST GEORGES CHANNEL: WEST 4 LOCALLY 5, > VEERING NORTHWEST TO WEST 2 OR 3 LOCALLY 4. ISOLATED SHOWERS IN THE NORTH > OTHERWISE MAINLY FAIR. MAINLY GOOD. SLIGHT TO MODERATE. > > From JFalgout at CO.JEFFERSON.CO.US Fri Jul 11 16:26:34 2003 From: JFalgout at CO.JEFFERSON.CO.US (Jeff Falgout) Date: Thu Jan 12 21:18:55 2006 Subject: Allow multiple filename extensions? Message-ID: >>> Tom Combs 7/11/2003 7:58:13 AM >>> >Hello, > > I'm not clear on the need for denying multiple filename extensions. > It seems if an attachment contained a virus, it would be checked by > the virus scanner and either caught or cleared regardless of the > extension. Does having multiply filename extensions somehow > circumvent this process? > > I'm considering dropping this ruleset: > >deny \.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$ Found possible filename hiding Attempt to hide real filename extension Would the proper way to allow double extensions be to change the "deny" to "allow" or comment out the line? Jeff From ryanb at AACRAO.ORG Fri Jul 11 16:29:32 2003 From: ryanb at AACRAO.ORG (Bingham, Ryan) Date: Thu Jan 12 21:18:55 2006 Subject: Allow multiple filename extensions? Message-ID: Don't forget a lot of these problematic attachments can now be handled with the new Filetype rule, so I don't think the multiple extension rule is as critical anymore. 
Ryan

From jstuart at EDENPR.K12.MN.US Fri Jul 11 16:41:47 2003
From: jstuart at EDENPR.K12.MN.US (Joe Stuart)
Date: Thu Jan 12 21:18:55 2006
Subject: Upgrade spamassassin
Message-ID:

I am going to upgrade spamassassin from 2.41 to current and was
wondering if it is necessary to remove the 2.41 files first? They were
not installed from rpm.

thanks

From Antony at SOFT-SOLUTIONS.CO.UK Fri Jul 11 16:41:32 2003
From: Antony at SOFT-SOLUTIONS.CO.UK (Antony Stone)
Date: Thu Jan 12 21:18:55 2006
Subject: Allow multiple filename extensions?
In-Reply-To:
References:
Message-ID: <200307111541.h6BFfcW20439@Beryl.Rockstone.co.uk>

On Friday 11 July 2003 4:26 pm, Jeff Falgout wrote:

> > I'm considering dropping this ruleset:
> >
> > deny \.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$ Found possible
> > filename hiding Attempt to hide real filename extension
>
> Would the proper way to allow double extensions be to change the "deny"
> to "allow" or comment out the line?
>
> Jeff

I simply commented out the line - I don't want MailScanner to even consider
the idea of double extensions - positively or negatively.

Regards,

Antony.

--
Most people have more than the average number of legs.

From dwinkler at ALGORITHMICS.COM Fri Jul 11 16:44:51 2003
From: dwinkler at ALGORITHMICS.COM (Derek Winkler)
Date: Thu Jan 12 21:18:56 2006
Subject: Allow multiple filename extensions?
Message-ID: <06EE2C86D3DAD5119A6C0060943F3C97055E7089@tormail1.algorithmics.com>

Comment out.

If you change it to allow, it will allow anything with a double extension.

I added some extensions that should be allowed whether doubled or not above
this rule and left it as deny.

I've really been trying to talk everyone into a list of extensions to allow
and deny everything else.

-----Original Message-----
From: Jeff Falgout [mailto:JFalgout@co.jefferson.co.us]
Sent: Friday, July 11, 2003 11:27 AM
To: MAILSCANNER@jiscmail.ac.uk
Subject: Re: Allow multiple filename extensions?
>>> Tom Combs 7/11/2003 7:58:13 AM >>> >Hello, > > I'm not clear on the need for denying multiple filename extensions. > It seems if an attachment contained a virus, it would be checked by > the virus scanner and either caught or cleared regardless of the > extension. Does having multiply filename extensions somehow > circumvent this process? > > I'm considering dropping this ruleset: > >deny \.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$ Found possible filename hiding Attempt to hide real filename extension Would the proper way to allow double extensions be to change the "deny" to "allow" or comment out the line? Jeff -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030711/995af1d6/attachment.html From wpc4 at DODGETHIS.ORG Fri Jul 11 16:55:09 2003 From: wpc4 at DODGETHIS.ORG (William Curley) Date: Thu Jan 12 21:18:56 2006 Subject: Upgrade spamassassin {Scanned} In-Reply-To: References: Message-ID: <1057938909.8db8a6136ed93@mail.cynical.us> If you are upgrading from a tar file, there should be no problem upgrading from previous versions. There should be an UPGRADE File or maybe some text in the INSTALL file. I personally have never had problems upgrading. Quoting Joe Stuart : > I am going to uopgrade spamassassin from 2.41 to current and was > wondering if it is neccessary to remove the 2.41 files first? They where > not installed from rpm. > > thanks > From mkettler at EVI-INC.COM Fri Jul 11 17:52:46 2003 From: mkettler at EVI-INC.COM (Matt Kettler) Date: Thu Jan 12 21:18:56 2006 Subject: Upgrade spamassassin In-Reply-To: <1057938909.8db8a6136ed93@mail.cynical.us> References: Message-ID: <5.2.1.1.0.20030711124724.01e74ff0@xanadu.evi-inc.com> At 08:55 AM 7/11/2003 -0700, William Curley wrote: >If you are upgrading from a tar file, there should be no problem upgrading >from >previous versions. There should be an UPGRADE File or maybe some text in the >INSTALL file. 
I personally have never had problems upgrading. It should go just fine.. however, be aware that if you (improperly) edited files in /usr/share/spamassassin, they will be obliterated by the upgrade process. (the installer does a rm -f on this directory). Move any customizations to /etc/mail/spamassassin/local.cf or MailScanner's spam.assassin.prefs.conf. There have only been two occasions where I've had upgrade problems: The first was when I had made a subdirectory under /usr/share/spamassassin for some backups. The install failed because it couldn't clean out /usr/share/spamassassin. The second was when I upgraded via CPAN and I had a buggy version of CPAN that tried to install a whole new copy of perl in /usr/local/*. I wound up with two copies of SA and two copies of perl. That was a mess to clean up.. From jstuart at EDENPR.K12.MN.US Fri Jul 11 18:24:17 2003 From: jstuart at EDENPR.K12.MN.US (Joe Stuart) Date: Thu Jan 12 21:18:56 2006 Subject: Upgrade spamassassin Message-ID: Ok I did the upgrade and it seemed to go smooth, but now when I test it it's not marking anything with spam. I'm testing it with obviuos spam stuff that scored 6-8 points before is now only scoring maybe 2. I have no idea what is wrong. any help is appreciated. Thanks >>> mkettler@EVI-INC.COM 07/11/03 11:52AM >>> At 08:55 AM 7/11/2003 -0700, William Curley wrote: >If you are upgrading from a tar file, there should be no problem upgrading >from >previous versions. There should be an UPGRADE File or maybe some text in the >INSTALL file. I personally have never had problems upgrading. It should go just fine.. however, be aware that if you (improperly) edited files in /usr/share/spamassassin, they will be obliterated by the upgrade process. (the installer does a rm -f on this directory). Move any customizations to /etc/mail/spamassassin/local.cf or MailScanner's spam.assassin.prefs.conf. 
There have only been two occasions where I've had upgrade problems: The first was when I had made a subdirectory under /usr/share/spamassassin for some backups. The install failed because it couldn't clean out /usr/share/spamassassin. The second was when I upgraded via CPAN and I had a buggy version of CPAN that tried to install a whole new copy of perl in /usr/local/*. I wound up with two copies of SA and two copies of perl. That was a mess to clean up.. From damian at WORKGROUPSOLUTIONS.COM Fri Jul 11 18:59:32 2003 From: damian at WORKGROUPSOLUTIONS.COM (Damian Mendoza) Date: Thu Jan 12 21:18:56 2006 Subject: Spamassassin timed out Message-ID: Hi, Any ideas why I receive SpamAssassin timed out errors? It occurs every day and I have not been able resolve why it happens. I've removed RBLs from MailScanner.conf. I'm using DCC and Razor. I have multiple T1 connections to the Internet dedicated just for SMTP messages - about 6500 messages a day. Jul 11 10:38:38 spamgate MailScanner[21117]: SpamAssassin timed out and was killed, consecutive failure 4 of 20 Jul 11 10:38:43 spamgate MailScanner[20984]: SpamAssassin timed out and was killed, consecutive failure 4 of 20 Jul 11 10:38:52 spamgate MailScanner[21233]: SpamAssassin timed out and was killed, consecutive failure 3 of 20 Jul 11 10:39:20 spamgate MailScanner[21117]: SpamAssassin timed out and was killed, consecutive failure 5 of 20 Jul 11 10:39:24 spamgate MailScanner[20884]: SpamAssassin timed out and was killed, consecutive failure 4 of 20 Usually the consecutive failure remains less than 8. Should I worry about these errors? Thanks, Damian From mkettler at EVI-INC.COM Fri Jul 11 19:14:29 2003 From: mkettler at EVI-INC.COM (Matt Kettler) Date: Thu Jan 12 21:18:56 2006 Subject: Spamassassin timed out In-Reply-To: Message-ID: <5.2.1.1.0.20030711140924.019a29f8@xanadu.evi-inc.com> At 10:59 AM 7/11/2003 -0700, Damian Mendoza wrote: >Any ideas why I receive SpamAssassin timed out errors? 
It occurs every day
>and I have not been able resolve why it happens. I've removed RBLs from
>MailScanner.conf. I'm using DCC and Razor. I have multiple T1 connections
>to the Internet dedicated just for SMTP messages - about 6500 messages a day.
>
>Jul 11 10:38:38 spamgate MailScanner[21117]: SpamAssassin timed out and
>was killed, consecutive failure 4 of 20
>Jul 11 10:38:43 spamgate MailScanner[20984]: SpamAssassin timed out and
>was killed, consecutive failure 4 of 20
>Jul 11 10:38:52 spamgate MailScanner[21233]: SpamAssassin timed out and
>was killed, consecutive failure 3 of 20
>Jul 11 10:39:20 spamgate MailScanner[21117]: SpamAssassin timed out and
>was killed, consecutive failure 5 of 20
>Jul 11 10:39:24 spamgate MailScanner[20884]: SpamAssassin timed out and
>was killed, consecutive failure 4 of 20
>
>Usually the consecutive failure remains less than 8. Should I worry about
>these errors?

Yes you should worry about it. SA is likely calling an RBL that is dead and timing out.

What version of SA are you using? If not a current version, VISI and ORBS both seem to be down and should have zeroed scores. Add the following to /etc/mail/spamassassin/local.cf. VISI was removed from the ruleset somewhere around 2.54, but ORBS is currently only removed in the CVS versions:

score RCVD_IN_VISI 0
score RCVD_IN_ORBS 0

What is your spamassassin timeout set to in mailscanner.conf? What is your rbl_timeout set to in spamassassin (note: this is not a mailscanner.conf setting)?

If both are 30, you should set the RBL timeout in SA to something smaller?
I'd suggest the following change to /etc/mail/spamassassin/local.cf to reduce the impact of RBL outages:

rbl_timeout 10

From mkettler at EVI-INC.COM Fri Jul 11 19:15:34 2003
From: mkettler at EVI-INC.COM (Matt Kettler)
Date: Thu Jan 12 21:18:56 2006
Subject: Upgrade spamassassin
In-Reply-To:
Message-ID: <5.2.1.1.0.20030711141458.01a32210@xanadu.evi-inc.com>

At 12:24 PM 7/11/2003 -0500, Joe Stuart wrote:
>Ok I did the upgrade and it seemed to go smooth, but now when I test it
>it's not marking anything with spam. I'm testing it with obvious spam
>stuff that scored 6-8 points before is now only scoring maybe 2. I have
>no idea what is wrong. any help is appreciated.
>
>Thanks

Send yourself a GTUBE email.

See my post yesterday under the subject "Re: How can I get some spam?"

From jstuart at EDENPR.K12.MN.US Fri Jul 11 19:27:47 2003
From: jstuart at EDENPR.K12.MN.US (Joe Stuart)
Date: Thu Jan 12 21:18:56 2006
Subject: Upgrade spamassassin
Message-ID:

thanks, it worked. The weird thing is that I have old spam that I'm sending to myself

>>> mkettler@EVI-INC.COM 07/11/03 01:15PM >>>
At 12:24 PM 7/11/2003 -0500, Joe Stuart wrote:
>Ok I did the upgrade and it seemed to go smooth, but now when I test it
>it's not marking anything with spam. I'm testing it with obvious spam
>stuff that scored 6-8 points before is now only scoring maybe 2. I have
>no idea what is wrong. any help is appreciated.
>
>Thanks

Send yourself a GTUBE email.

See my post yesterday under the subject "Re: How can I get some spam?"

From jstuart at EDENPR.K12.MN.US Fri Jul 11 19:30:50 2003
From: jstuart at EDENPR.K12.MN.US (Joe Stuart)
Date: Thu Jan 12 21:18:56 2006
Subject: Upgrade spamassassin
Message-ID:

sorry accidentally sent that last one.

>>> jstuart@EDENPR.K12.MN.US 07/11/03 01:27PM >>>
thanks, it worked.
The weird thing is that I have old spam that I'm sending to myself >>> mkettler@EVI-INC.COM 07/11/03 01:15PM >>> At 12:24 PM 7/11/2003 -0500, Joe Stuart wrote: >Ok I did the upgrade and it seemed to go smooth, but now when I test it >it's not marking anything with spam. I'm testing it with obviuos spam >stuff that scored 6-8 points before is now only scoring maybe 2. I have >no idea what is wrong. any help is appreciated. > >Thanks Send yourself a GTUBE email. See my post yesterday under the subject "Re: How can I get some spam?" From emcc-mailscanner at CTCNET.COM Fri Jul 11 19:25:36 2003 From: emcc-mailscanner at CTCNET.COM (Eric McClelland) Date: Thu Jan 12 21:18:56 2006 Subject: Mysterious MailScanner hangs Message-ID: Hi All, I have a sporadic problem where MailScanner mysteriously stops picking up inbound MTA spool files. A 'service MailScanner restart' temporarily clears the problem for the most part (inbound MTA queue, normally 0-10, still hovers between 30-95 afterwards). When the problem occurs, there is invariably one MailScanner process taking >90% of the CPU (load usually 1-3), and the problem persists until I intervene (i.e. MailScanner does not kill and restart itself periodically as it normally does). I've poked around the MTA and MailScanner queues, but noticed nothing amiss with any of the messages (except that some appear never to get processed), nor do any log entries provide a clue. At this point I'm trying to decide the next step in troubleshooting; setting "Debug = yes" in MailScanner.conf merely stops the scanning again, but I see no output. Then again I haven't found much documentation on debugging so perhaps I'm not looking in the right place. My current setup: 6 servers in a DNS round-robin under one hostname (i.e. one hostname mapping to six different machine IP addresses). 
CPU: Pentium III / 733 MHz RAM: Two (512MB each), One (256MB), Three (128 MB) Distribution: RedHat 7.3, up2date'd periodically MailScanner: 4.20-3 All six servers run MailScanner + Postfix + McAfee; no spam checking at this time. The hardware setup is certainly not ideal, especially where I'm using IDE drives; I have access to suboptimal hardware, but a lot of it. It's actually easier for me to throw a whole box into the mix than to get a single DIMM > 128MB. For the most part, the quantity-over-quality strategy has worked fine, and I've seen this problem occur on all the boxes - again sporadically - so I don't think the issue is hardware. Sheer load does not appear to be the issue, either: a 'service MailScanner restart' will result in an inbound MTA queue being whittled from several thousand messages to under 100 in minutes. We did ramp up a lot of traffic on these servers on Monday, but the problem did not appear until Tuesday evening / Wednesday morning. FWIW we originally saw similar symptoms several weeks ago, back when we ran ClamAV in conjunction with McAfee, but we discovered that the clamav-autoupdate was hanging; killing that script caused MailScanner to wake up with no need for a restart. I removed clamav from the Virus Scanners list at that time (I've since seen some postings about this in the list archives). When this problem occurs now, I see no update scripts running. Any suggestions would be appreciated. Hopefully I've provided enough info without being long-winded. :) Cheers, --Eric From lists at STHOMAS.NET Fri Jul 11 19:45:33 2003 From: lists at STHOMAS.NET (Steve Thomas) Date: Thu Jan 12 21:18:56 2006 Subject: Spamassassin timed out In-Reply-To: ; from damian@WORKGROUPSOLUTIONS.COM on Fri, Jul 11, 2003 at 10:59:32AM -0700 References: Message-ID: <20030711114532.A24576@sthomas.net> On Fri, Jul 11, 2003 at 10:59:32AM -0700, Damian Mendoza is rumored to have said: > > Any ideas why I receive SpamAssassin timed out errors? 
It occurs every day and
> I have not been able resolve why it happens. I've removed RBLs from
> MailScanner.conf. I'm using DCC and Razor. I have multiple T1 connections to
> the Internet dedicated just for SMTP messages - about 6500 messages a day.

First, some background. I call SA (spamc/d) from procmail, not MS, and I use a semi-regularly updated CVS version of SA.

I was seeing similar problems. I figured it was a dead RBL or something, so I disabled all DNS, razor, RBL, dcc, etc. checks with no improvement. At that point, I turned on SA debugging and waited for a message to come through unscanned - it didn't take long...

It turned out to be the bayes database. When SA was running, it was finding my bayes db and was trying to convert it from "version 0" to "version 2". It was doing this for each message and would usually take almost two full minutes to do. Procmail would forget about it before it completed and "rescue" the message, delivering it unfiltered.

I deleted (renamed, actually) the bayes_* files in ~/.spamassassin/ and let them start rebuilding from scratch. Haven't seen a single spam hit my inbox since...

Since I don't use SA with MS, I can't comment on whether or not this might be your problem, but it might be worth checking out.

HTH,
St-

--
"I love Mickey Mouse more than any woman I have ever known."
- Walt Disney (1901-1966)

From zabriskw at ITECH.NET Fri Jul 11 19:44:55 2003
From: zabriskw at ITECH.NET (Kris Zabriskie)
Date: Thu Jan 12 21:18:56 2006
Subject: Mysterious MailScanner hangs
References:
Message-ID: <003a01c347dc$85d14ed0$0c02a8c0@itech.dom>

Eric,

I just skimmed through your message quickly. We had a VERY similar problem. What we do now (and it works) is in crontab we do this:

0,5,10,15,20,25,30,35,40,45,50,55 * * * * [ -x /usr/bin/resms ] && /usr/bin/resms >/dev/null 2>&1

resms is simply a script that kills all processes of MailScanner and then runs the ./bin/check_mailscanner binary.

Hope that helps...
and again, I apologize if this has nothing to do with your problem, I just skimmed. Kris Zabriskie Network Admin / Consultant I-Tech Inc. zabriskw@itech.net 717-657-3035 ----- Original Message ----- From: "Eric McClelland" To: Sent: Friday, July 11, 2003 2:25 PM Subject: Mysterious MailScanner hangs > Hi All, > > I have a sporadic problem where MailScanner mysteriously stops picking up inbound MTA spool files. A 'service MailScanner restart' temporarily clears the problem for the most part (inbound MTA queue, normally 0-10, still hovers between 30-95 afterwards). When the problem occurs, there is invariably one MailScanner process taking >90% of the CPU (load usually 1-3), and the problem persists until I intervene (i.e. MailScanner does not kill and restart itself periodically as it normally does). I've poked around the MTA and MailScanner queues, but noticed nothing amiss with any of the messages (except that some appear never to get processed), nor do any log entries provide a clue. > > At this point I'm trying to decide the next step in troubleshooting; setting "Debug = yes" in MailScanner.conf merely stops the scanning again, but I see no output. Then again I haven't found much documentation on debugging so perhaps I'm not looking in the right place. > > My current setup: > 6 servers in a DNS round-robin under one hostname (i.e. one hostname mapping to six different machine IP addresses). > CPU: Pentium III / 733 MHz > RAM: Two (512MB each), One (256MB), Three (128 MB) > Distribution: RedHat 7.3, up2date'd periodically > MailScanner: 4.20-3 > All six servers run MailScanner + Postfix + McAfee; no spam checking at this time. > > The hardware setup is certainly not ideal, especially where I'm using IDE drives; I have access to suboptimal hardware, but a lot of it. It's actually easier for me to throw a whole box into the mix than to get a single DIMM > 128MB. 
For the most part, the quantity-over-quality strategy has worked fine, and I've seen this problem occur on all the boxes - again sporadically - so I don't think the issue is hardware. > > Sheer load does not appear to be the issue, either: a 'service MailScanner restart' will result in an inbound MTA queue being whittled from several thousand messages to under 100 in minutes. We did ramp up a lot of traffic on these servers on Monday, but the problem did not appear until Tuesday evening / Wednesday morning. > > FWIW we originally saw similar symptoms several weeks ago, back when we ran ClamAV in conjunction with McAfee, but we discovered that the clamav-autoupdate was hanging; killing that script caused MailScanner to wake up with no need for a restart. I removed clamav from the Virus Scanners list at that time (I've since seen some postings about this in the list archives). When this problem occurs now, I see no update scripts running. > > Any suggestions would be appreciated. Hopefully I've provided enough info without being long-winded. :) > > Cheers, > --Eric > From damian at WORKGROUPSOLUTIONS.COM Fri Jul 11 21:00:12 2003 From: damian at WORKGROUPSOLUTIONS.COM (Damian Mendoza) Date: Thu Jan 12 21:18:56 2006 Subject: Spamassassin timed out Message-ID: Steve, Thanks for the feedback - I'll look into rebuilding the bayes database. I did not think of bayes being a possible suspect to the problem. Regards, Damian -----Original Message----- From: Steve Thomas [mailto:lists@STHOMAS.NET] Sent: Friday, July 11, 2003 11:46 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Spamassassin timed out On Fri, Jul 11, 2003 at 10:59:32AM -0700, Damian Mendoza is rumored to have said: > > Any ideas why I receive SpamAssassin timed out errors? It occurs every day and > I have not been able resolve why it happens. I've removed RBLs from > MailScanner.conf. I'm using DCC and Razor. 
I have multiple T1 connections to > the Internet dedicated just for SMTP messages - about 6500 messages a day. First, some background. I call SA (spamc/d) from procmail, not MS, and I use a semi-regularly updated CVS version of SA. I was seeing similar problems. I figured it was a dead RBL or something, so I disabled all DNS, razor, RBL, dcc, etc. checks with no improvement. At that point, I turned on SA debugging and waited for a message to come through unscanned - it didn't take long... It turned out to be the bayes database. When SA was running, it was finding my bayes db and was trying to convert it from "version 0" to "version 2". It was doing this for each message and would usually take almost two full minutes to do. Procmail would forget about it before it completed and "rescue" the message, delivering it unfiltered. I deleted (renamed, actually) the bayes_* files in ~/.spamassassin/ and let them start rebuilding from scratch. Haven't seen a single spam hit my inbox since... Since I don't use SA with MS, I can't comment on whether or not this might be your problem, but it might be worth checking out. HTH, St- -- "I love Mickey Mouse more than any woman I have ever known." - Walt Disney (1901-1966) From mkettler at EVI-INC.COM Fri Jul 11 21:06:26 2003 From: mkettler at EVI-INC.COM (Matt Kettler) Date: Thu Jan 12 21:18:56 2006 Subject: Upgrade spamassassin In-Reply-To: Message-ID: <5.2.1.1.0.20030711155757.017ff190@xanadu.evi-inc.com> At 01:27 PM 7/11/2003 -0500, Joe Stuart wrote: >thanks, it worked. The weird thing is that I have old spam that I'm >sending to myself There's a few reasons that sending yourself old spam may cause a negative hit. 1) by sending the message to yourself, you've changed the message headers. 
This removes a large quantity of information that SA uses to look for "invalid" patterns commonly present in spam, such as date fields that contain a non-existent timezone, and replaces them with legitimate headers, which can greatly reduce their score.

2) in general I've found the 2.5x ruleset to be slightly weaker than past versions, but this weakness is greatly made up for by the awesome power of the bayes engine. Once you get bayes trained 2.5x works considerably better, and more to the point, it's harder for spammers to tune their emails to avoid it (because everyone has a different training).

3) Also how old is "old"? In general the current version of SA is tuned to catch current trends in spam. Since the behavior of spammers (and legitimate mailers) changes over time, the current version of SA might not catch all historical spam. But that's ok, because you really want SA to catch the spam you get today. How well it catches spam you got a year ago isn't very important.

From penguin at DHCP.NET Sat Jul 12 00:17:34 2003
From: penguin at DHCP.NET (penguin)
Date: Thu Jan 12 21:18:56 2006
Subject: Some spam getting through for some odd reason
Message-ID: <000001c34802$9f0efd40$0200a8c0@penguin>

Heya,

I occasionally seem to get a spam E-mail that gets through without being checked properly. If I manually pipe it through SpamAssassin, it scores unusually high (39.90!). Even so, both of my spam 'actions' are set to 'delete' in the MailScanner configuration file.

Also, the E-mail lacks the MailScanner and SpamAssassin headers altogether..? Oddly, I don't see it in my mail.log either.

Any ideas, suggestions?

-- Arnim

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
From kevins at BMRB.CO.UK Sat Jul 12 00:28:26 2003
From: kevins at BMRB.CO.UK (Kevin Spicer)
Date: Thu Jan 12 21:18:56 2006
Subject: Some spam getting through for some odd reason
In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB001175DF7@pascal.priv.bmrb.co.uk>
References: <5C0296D26910694BB9A9BBFC577E7AB001175DF7@pascal.priv.bmrb.co.uk>
Message-ID: <1057966110.4398.7.camel@bach.kevinspicer.co.uk>

> Also, the E-mail lacks the MailScanner and SpamAssassin
>headers
>altogether..? Oddly, I don't see it in my mail.log either.
>Any ideas, suggestions?

Do the received headers show it passing through your mailscanner server? What are you looking for in your maillog? (I find messageid best) Could you post some headers please...

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000
_________________________________________________________________
This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business.

From raymond at PROLOCATION.NET Sat Jul 12 09:18:36 2003
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:18:56 2006
Subject: MS Performance
In-Reply-To: <20030712052218.GF11320@hoiho.nz.lemon-computing.com>
Message-ID:

Hi!

> > No, tests that i did showed sendmail is able to do about the same, but you
> > have to tweak sendmail a little for that.
> Well if you're going to start tweaking, you should be tweaking exim too :-P
> Biased? I suppose I am, yes...

I do have a large setup with EXIM running also. Little larger than the sendmail setup. I don't see much difference there, really.
The only nice thing is the throttling EXIM can do, that's a thing i miss with sendmail.

It's always biased, but i run both myself...

Bye,
Raymond.

From Janssen at RZ.UNI-FRANKFURT.DE Sat Jul 12 14:40:12 2003
From: Janssen at RZ.UNI-FRANKFURT.DE (Michael Janssen)
Date: Thu Jan 12 21:18:56 2006
Subject: Mysterious MailScanner hangs
In-Reply-To:
References:
Message-ID:

On Fri, 11 Jul 2003, Eric McClelland wrote:

> Hi All,
>
> I have a sporadic problem where MailScanner mysteriously stops picking
> up inbound MTA spool files. A 'service MailScanner restart' temporarily
> clears the problem for the most part (inbound MTA queue, normally 0-10,
> still hovers between 30-95 afterwards). When the problem occurs, there
> is invariably one MailScanner process taking >90% of the CPU (load
> usually 1-3), and the problem persists until I intervene (i.e.
> MailScanner does not kill and restart itself periodically as it normally
> does). I've poked around the MTA and MailScanner queues, but noticed
> nothing amiss with any of the messages (except that some appear never to
> get processed), nor do any log entries provide a clue.

[I work with exim but nevertheless]

In which state the MS-process hangs? E.G. the last logline *for this pid* might be "Virus and Content Scanning: Starting". This *might* indicate a problem while scanning (but there is a default 300sec timeout for the scanner). Is there a scanner process? More likely it indicates a problem with MS-postfix (especially with "Deliver in Background = no" or "Delivery Method" on some values).

The really good thing is, that you can inspect the hanging MS-process with "strace": "strace -p [process-pid]" will plug into the running process and shows all the system calls it does. On our system this is often "wait4([pid of a exim-process], " for hanged or delayed MS-processes. "wait4" means the process is (possibly innocently) waiting for another process to complete.
This information can also be seen via some output formats of "ps" providing the waitchannel abbrv "WCHAN":

ps -C MailScanner o pid,wchan # with GNU-ps

Note that "strace" can damage running processes in rare cases - you will need to check after stracing that the process has survived.

As already said, I work with exim but last logline and strace should give some important informations to solve this problem.

Michael

From oliverbp at EPOST.DE Sun Jul 13 01:24:26 2003
From: oliverbp at EPOST.DE (Oliver Pawellek)
Date: Thu Jan 12 21:18:56 2006
Subject: MailScanner + SuSE Linux 8.2
Message-ID:

Would anyone have a MailScanner shell script that works under SuSE Linux 8.2?

The supplied MailScanner script for SuSE Linux 8.0/8.1 appears to only partially work under SuSE Linux 8.2, which produces: "Initializing sendmail and MailScanner = failed". The script seems to start sendmail fine on localhost:smtp and appears to scan emails that are sent to and from local email accounts, it does however fail to start sendmail listening on Port 25 for incoming mail from the internet.

- Oliver

From damian at WORKGROUPSOLUTIONS.COM Sun Jul 13 19:48:38 2003
From: damian at WORKGROUPSOLUTIONS.COM (Damian Mendoza)
Date: Thu Jan 12 21:18:56 2006
Subject: Some spam getting through for some odd reason
Message-ID:

Hi,

I have seen the same problem many times as well. I can see the scores in the maillog file as being tagged as spam, I also see it being deleted in maillog and then I see it being delivered to the recipient in the maillog. The end-user receives the SPAM message - no spam header information included. It was a message sent to multiple recipients, however none of them are whitelisted.

Regards,
Damian

-----Original Message-----
From: penguin [mailto:penguin@DHCP.NET]
Sent: Friday, July 11, 2003 4:18 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Some spam getting through for some odd reason

Heya,

I occasionally seem to get a spam E-mail that gets through without being checked properly.
If I manually pipe it through SpamAssassin, it scores unusually high (39.90!). Even so, both of my spam 'actions' are set to 'delete' in the MailScanner configuration file. Also, the E-mail lacks the MailScanner and SpamAssassin headers altogether..? Oddly, I don't see it in my mail.log either. Any ideas, suggestions? -- Arnim -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From damian at WORKGROUPSOLUTIONS.COM Sun Jul 13 20:30:41 2003 From: damian at WORKGROUPSOLUTIONS.COM (Damian Mendoza) Date: Thu Jan 12 21:18:56 2006 Subject: Some spam getting through for some odd reason Message-ID: The following is an example of a SPAM message being delivered to an end user when the action is delete. You can see the message was delivered to the end user without the SPAM header information. Message ID "h6A04Q9F032454" Maillog file: Jul 9 17:04:27 spamgate sendmail[32454]: h6A04Q9F032454: from=, size=2207, class=0, nrcpts=1, msgid=<2730416505.01380945810856@kroc.com>, proto=ESMTP, daemon=MTA, relay=gateway.svusd.k12.ca.us [198.188.250.254] Jul 9 17:04:27 spamgate sendmail[32454]: h6A04Q9F032454: to=, delay=00:00:00, mailer=esmtp, pri=30531, stat=queued Jul 9 17:04:27 spamgate sendmail[32454]: h6A04Q9G032454: from=, size=6546, class=0, nrcpts=1, msgid=<1057795388.2242@64.119.200.139.impro6.com>, proto=ESMTP, daemon=MTA, relay=gateway.svusd.k12.ca.us [198.188.250.254] Jul 9 17:04:27 spamgate sendmail[32454]: h6A04Q9G032454: to=, delay=00:00:00, mailer=esmtp, pri=30487, stat=queued Jul 9 17:04:29 spamgate MailScanner[26052]: New Batch: Forwarding 2 unscanned messages, 9748 bytes Jul 9 17:04:29 spamgate MailScanner[26052]: Spam Checks: Starting Jul 9 17:04:30 spamgate MailScanner[26052]: Message h6A04Q9G032454 from 198.188.250.254 (para3ds.com) to svusd.k12.ca.us is spam, SpamAssassin (score=15.8, required 4, BAYES_80, DCC_CHECK, EXCUSE_1, EXCUSE_19, EXCUSE_3, HIDE_WIN_STATUS, HTML_70_80, HTML_IMAGE_ONLY_06, 
HTML_TAG_EXISTS_TBODY, HTML_WEB_BUGS, MIME_HEADER_CTYPE_ONLY, MIME_HTML_ONLY, NORMAL_HTTP_TO_IP, OFFER, OFFERS_ETC, RECEIVE_OFFER) Jul 9 17:04:31 spamgate MailScanner[26052]: Spam Checks: Found 1 spam messages Jul 9 17:04:31 spamgate MailScanner[26052]: Spam Actions: message h6A04Q9G032454 actions are delete Jul 9 17:04:31 spamgate MailScanner[26052]: Unscanned: Delivered 1 messages Jul 9 17:04:31 spamgate MailScanner[26052]: Virus and Content Scanning: Starting Jul 9 17:04:32 spamgate sendmail[32466]: h6A04Q9F032454: to=, delay=00:00:05, xdelay=00:00:01, mailer=esmtp, pri=120531, relay=[10.1.254.3] [10.1.254.3], dsn=2.0.0, stat=Sent ( <2730416505.01380945810856@kroc.com> Queued mail for delivery) Header Information from Message: by spamgate.spamgate.us (8.12.5/8.12.5) with ESMTP id h6A04Q9F032454 for ; Wed, 9 Jul 2003 17:04:27 -0700 Received: from 24.203.227.247 ([24.203.227.247]) by gateway.svusd.k12.ca.us with SMTP id <119056>; Wed, 9 Jul 2003 14:04:29 -1000 Date: Thu, 10 Jul 2003 14:34:01 GMT From: Vballoons Gballota To: chuw@svusd.k12.ca.us X-Priority: 3 (Normal) Message-ID: <2730416505.01380945810856@kroc.com> Subject: Young gays (C76M6ZQUON below) MIME-Version: 1.0 Content-type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Accept-Language: en-us, en X-Mailer: Gnus v5.7/Emacs 20.17 X-Priority: 3 (Normal) Return-Path: swims-blew@kroc.com X-OriginalArrivalTime: 10 Jul 2003 00:04:36.0100 (UTC) FILETIME=[D9394440:01C34676] Any ideas? Thanks, Damian -----Original Message----- From: penguin [mailto:penguin@DHCP.NET] Sent: Friday, July 11, 2003 4:18 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Some spam getting through for some odd reason Heya, I occasionally seem to get a spam E-mail that gets through without being checked properly. If I manually pipe it through SpamAssassin, it scores unusually high (39.90!). Even so, both of my spam 'actions' are set to 'delete' in the MailScanner configuration file. 
Also, the E-mail lacks the MailScanner and SpamAssassin headers altogether..? Oddly, I don't see it in my mail.log either.

Any ideas, suggestions?

-- Arnim

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

From kevins at BMRB.CO.UK Sun Jul 13 20:44:36 2003
From: kevins at BMRB.CO.UK (Kevin Spicer)
Date: Thu Jan 12 21:18:56 2006
Subject: Some spam getting through for some odd reason
In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB001175E02@pascal.priv.bmrb.co.uk>
References: <5C0296D26910694BB9A9BBFC577E7AB001175E02@pascal.priv.bmrb.co.uk>
Message-ID: <1058125481.13291.3.camel@bach.kevinspicer.co.uk>

It's clear that MS/SA aren't even looking at the message, (the spam check in your log was for a different message). Have you got any rulesets defined anywhere? (Particularly for either Virus Scanning or Spam Checks)

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000
_________________________________________________________________
This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business.

From damian at WORKGROUPSOLUTIONS.COM Sun Jul 13 21:35:02 2003
From: damian at WORKGROUPSOLUTIONS.COM (Damian Mendoza)
Date: Thu Jan 12 21:18:56 2006
Subject: Some spam getting through for some odd reason
Message-ID:

You are correct as it does not match. The spam check should be for [32466] I believe. No rulesets that I can think of other than whitelist and blacklists. We receive about 6,000 mail messages a day - most are being tagged correctly.
The few that are being reported have been like this problem.

Jul 9 17:04:32 spamgate sendmail[32466]: h6A04Q9F032454: to=, delay=00:00:05, xdelay=00:00:01, mailer=esmtp, pri=120531, relay=[10.1.254.3] [10.1.254.3], dsn=2.0.0, stat=Sent ( <2730416505.01380945810856@kroc.com> Queued mail for delivery)

Thanks,
Damian

-----Original Message-----
From: Kevin Spicer [mailto:kevins@BMRB.CO.UK]
Sent: Sunday, July 13, 2003 12:45 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Some spam getting through for some odd reason

It's clear that MS/SA aren't even looking at the message, (the spam check in your log was for a different message). Have you got any rulesets defined anywhere? (Particularly for either Virus Scanning or Spam Checks)

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000
_________________________________________________________________
This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business.

From kevins at BMRB.CO.UK Sun Jul 13 22:13:00 2003
From: kevins at BMRB.CO.UK (Kevin Spicer)
Date: Thu Jan 12 21:18:56 2006
Subject: Some spam getting through for some odd reason
In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB001175E04@pascal.priv.bmrb.co.uk>
References: <5C0296D26910694BB9A9BBFC577E7AB001175E04@pascal.priv.bmrb.co.uk>
Message-ID: <1058130781.13291.27.camel@bach.kevinspicer.co.uk>

>On Sun, 2003-07-13 at 21:35, Damian Mendoza wrote:
>You are correct as it does not match. The spam check should be for
>[32466] I believe.

I'm not sure that we are clear what's going on.
I've split your supplied log up to show the progress of the message incorrectly delivered (h6A04Q9F032454) and ignoring the other correctly processed message (h6A04Q9G032454) (note the single character difference - G not F)

MESSAGE h6A04Q9F032454 (incorrectly delivered without scanning)

Jul 9 17:04:27 spamgate sendmail[32454]: h6A04Q9F032454: from=, size=2207, class=0, nrcpts=1, msgid=<2730416505.01380945810856@kroc.com>, proto=ESMTP, daemon=MTA, relay=gateway.svusd.k12.ca.us [198.188.250.254]

Jul 9 17:04:27 spamgate sendmail[32454]: h6A04Q9F032454: to=, delay=00:00:00, mailer=esmtp, pri=30531, stat=queued

Jul 9 17:04:31 spamgate MailScanner[26052]: Unscanned: Delivered 1 messages

Jul 9 17:04:32 spamgate sendmail[32466]: h6A04Q9F032454: to=, delay=00:00:05, xdelay=00:00:01, mailer=esmtp, pri=120531, relay=[10.1.254.3] [10.1.254.3], dsn=2.0.0, stat=Sent ( <2730416505.01380945810856@kroc.com> Queued mail for delivery)

There must be a reason why MS is ignoring these messages. It looks like the sender forged the server HELO to use a name in your domain (the name and IP don't resolve to each other). If you are whitelisting based on domain, or have virus checking turned off for some mail (maybe 'outgoing'?) then this may explain the behaviour.

Could you post your various rulesets and the values for 'Virus Scanning' and 'Spam Checks' from MailScanner.conf?

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000
_________________________________________________________________
This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business.
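[Added example, not part of the original thread and not MailScanner's own code: the manual split of the maillog by sendmail queue ID described in the message above, done mechanically. The log lines are constructed on the model of the ones quoted in the thread; the function names, the addresses, the 192.0.2.x relays and the ID hEXAMPLE000001 are assumptions made for illustration. Because MailScanner's batch lines carry no queue ID, a delivered ID that MailScanner never names is only a candidate for review, not proof of a bypass.]

```python
import re

# Constructed sample modelled on the thread's log format. The queue IDs
# h6A04Q9F032454 and h6A04Q9G032454 are the two discussed in the thread;
# hEXAMPLE000001, the addresses and the 192.0.2.x relays are made up.
SAMPLE_LOG = """\
Jul  9 17:04:27 spamgate sendmail[32454]: h6A04Q9F032454: from=<a@example.com>, size=2207, nrcpts=1, relay=gw.example.net [192.0.2.254]
Jul  9 17:04:27 spamgate sendmail[32454]: h6A04Q9F032454: to=<u@example.org>, delay=00:00:00, mailer=esmtp, stat=queued
Jul  9 17:04:27 spamgate sendmail[32454]: h6A04Q9G032454: from=<b@example.com>, size=6546, nrcpts=1, relay=gw.example.net [192.0.2.254]
Jul  9 17:04:27 spamgate sendmail[32454]: h6A04Q9G032454: to=<u@example.org>, delay=00:00:00, mailer=esmtp, stat=queued
Jul  9 17:04:28 spamgate sendmail[32455]: hEXAMPLE000001: from=<c@example.com>, size=3100, nrcpts=1, relay=gw.example.net [192.0.2.254]
Jul  9 17:04:29 spamgate MailScanner[26052]: New Batch: Forwarding 2 unscanned messages, 9748 bytes
Jul  9 17:04:30 spamgate MailScanner[26052]: Message h6A04Q9G032454 from 192.0.2.254 (example.com) to example.org is spam, SpamAssassin (score=15.8, required 4, BAYES_80)
Jul  9 17:04:30 spamgate MailScanner[26052]: Message hEXAMPLE000001 from 192.0.2.254 (example.com) to example.org is spam, SpamAssassin (score=9.1, required 4, BAYES_80)
Jul  9 17:04:31 spamgate MailScanner[26052]: Spam Actions: message h6A04Q9G032454 actions are delete
Jul  9 17:04:31 spamgate MailScanner[26052]: Spam Actions: message hEXAMPLE000001 actions are delete
Jul  9 17:04:31 spamgate MailScanner[26052]: Unscanned: Delivered 1 messages
Jul  9 17:04:32 spamgate sendmail[32466]: h6A04Q9F032454: to=<u@example.org>, delay=00:00:05, mailer=esmtp, relay=[192.0.2.3], dsn=2.0.0, stat=Sent (Queued mail for delivery)
Jul  9 17:04:33 spamgate sendmail[32467]: hEXAMPLE000001: to=<u@example.org>, delay=00:00:05, mailer=esmtp, relay=[192.0.2.3], dsn=2.0.0, stat=Sent (Queued mail for delivery)
"""

# "Mon DD HH:MM:SS host program[pid]: message"
SYSLOG = re.compile(r"^\w{3}\s+\d+\s[\d:]{8}\s\S+\s(\w+)\[\d+\]:\s(.*)$")
# sendmail lines start with the queue ID, then from=... or to=...
SENDMAIL = re.compile(r"^(\w{8,}): (from|to)=")
STAT = re.compile(r"\bstat=(\w+)")
# The only two MailScanner line shapes in the thread that name a queue ID.
MS_SPAM = re.compile(r"^Message (\S+) from .* is spam\b")
MS_ACTION = re.compile(r"^Spam Actions: message (\S+) actions are (.+)$")


def _new_record():
    return {"accepted": False, "delivered": False,
            "ms_spam": False, "ms_actions": []}


def correlate(log_text):
    """Group log events by queue ID, in order of first appearance."""
    records = {}
    for line in log_text.splitlines():
        m = SYSLOG.match(line)
        if not m:
            continue
        program, message = m.groups()
        if program == "sendmail":
            sm = SENDMAIL.match(message)
            if not sm:
                continue
            rec = records.setdefault(sm.group(1), _new_record())
            stat = STAT.search(message)
            if sm.group(2) == "from":
                rec["accepted"] = True
            elif stat and stat.group(1) == "Sent":
                rec["delivered"] = True
        elif program == "MailScanner":
            spam = MS_SPAM.match(message)
            action = MS_ACTION.match(message)
            if spam:
                records.setdefault(spam.group(1), _new_record())["ms_spam"] = True
            elif action:
                rec = records.setdefault(action.group(1), _new_record())
                # Assumption: several actions would be whitespace-separated.
                rec["ms_actions"] = action.group(2).split()
    return records


def findings(records):
    """Return (queue_id, reason) pairs for deliveries that need a look."""
    out = []
    for qid, rec in records.items():
        if not rec["delivered"]:
            continue
        if "delete" in rec["ms_actions"]:
            out.append((qid, "delivered despite a logged delete action"))
        elif not rec["ms_spam"] and not rec["ms_actions"]:
            out.append((qid, "delivered with no MailScanner line naming it"))
    return out


if __name__ == "__main__":
    for qid, reason in findings(correlate(SAMPLE_LOG)):
        print(qid, "-", reason)
```

[Keying on the queue ID rather than the process ID is what keeps the F and G messages apart here, since both were accepted by the same sendmail process.]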
From norman at NORMAN.COM.BR Mon Jul 14 02:20:03 2003
From: norman at NORMAN.COM.BR (Norman Schmidt Jr)
Date: Thu Jan 12 21:18:56 2006
Subject: Strange (non working) behaviour 4.22-4
Message-ID:

Some days ago I installed a sendmail 8.12.9 + mailscanner 4.22-4. The setup worked flawlessly for two days, scanning and blocking viruses and blocking attachments as configured in filename and filetype.rules.conf. Everything was running fine and smoothly. On Saturday, after some "MailScanner child dying of old age" and restarting messages - and absolutely NO modifications on any config file - Mailscanner stopped scanning and blocking files, and it's now just forwarding unscanned messages. Everything goes in: viruses, files blocked by rules, etc:

MailScanner[1122]: New Batch: Forwarding 1 unscanned messages, 8465 bytes
MailScanner[1122]: Unscanned: Delivered 1 messages

I really don't have a clue about what happened. Everything looks fine. Can someone help me pointing where I can start looking for something wrong? Thanks in advance, Norman

From mailscanner at BARENDSE.TO Mon Jul 14 08:20:33 2003
From: mailscanner at BARENDSE.TO (Remco Barendse)
Date: Thu Jan 12 21:18:56 2006
Subject: filename rules
Message-ID:

I just received an e-mail message with an attachment.

I have .url blocked in my filename rules, the attachment was named something.url. and was let through.

Outlook blocked access to it but I think the trailing dot let it through. Is there a way to filter a trailing dot too?

From Kevin.Spicer at BMRB.CO.UK Mon Jul 14 08:39:16 2003
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin)
Date: Thu Jan 12 21:18:56 2006
Subject: filename rules
Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0EBF719@pascal.priv.bmrb.co.uk>

Remco Barendse wrote:
> I just received an e-mail message with an attachment.
>
> I have .url blocked in my filename rules, the attachment was named
> something.url. and was let through.
>
> Outlook blocked access to it but I think the trailing dot let it
> through. Is there a way to filter a trailing dot too?

I think adding a rule near the top of filename.rules.conf like this

deny	\.$	Trailing dot in Filename	Trailing dots are not permitted in filenames

should do the trick (note those are tabs between the fields).

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000

From Kevin.Spicer at BMRB.CO.UK Mon Jul 14 08:42:55 2003
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin)
Date: Thu Jan 12 21:18:56 2006
Subject: Strange (non working) behaviour 4.22-4
Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0EBF71A@pascal.priv.bmrb.co.uk>

> I really don't have a clue about what happened. Everything looks fine.
> Can someone help me pointing where I can start looking for something
> wrong? Thanks in advance,

Sounds like you might have a sendmail process running which is bypassing mailscanner, try (assuming RedHat like syntax)

service MailScanner stop
service sendmail stop
chkconfig sendmail --level 2345 off
ps -elf | grep sendmail
[Now kill all sendmail processes & ps again to check they are dead]
service MailScanner start

If that doesn't work could you post some of your maillog so we can see what's happening.

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000

From yusri at TMNET.COM.MY Mon Jul 14 09:25:49 2003
From: yusri at TMNET.COM.MY (Mohd Yusri Mahadi)
Date: Thu Jan 12 21:18:56 2006
Subject: mailscanner didn't pickup mail in /var/spool/mqueue.in
Message-ID:

Hi,

I've installed MailScanner-4.21-9 with sendmail. But it seems that mailscanner didn't pick up email from /var/spool/mqueue.in. Pls help.

From Antony at SOFT-SOLUTIONS.CO.UK Mon Jul 14 09:40:31 2003
From: Antony at SOFT-SOLUTIONS.CO.UK (Antony Stone)
Date: Thu Jan 12 21:18:56 2006
Subject: mailscanner didn't pickup mail in /var/spool/mqueue.in
In-Reply-To:
References:
Message-ID: <200307140842.h6E8gdg26082@agate.rockstone.co.uk>

On Monday 14 July 2003 9:25 am, Mohd Yusri Mahadi wrote:
> Hi,
>
> I've installed MailScanner-4.21-9 with sendmail. But seem that mailscanner
> didn't pick-up email from /var/spool/mqueue.in.

What do you have "Incoming Queue Dir" set to in MailScanner.conf?

Antony.

--
If at first you don't succeed, destroy all the evidence that you tried.

From kfliong at WOFS.COM Mon Jul 14 10:40:10 2003
From: kfliong at WOFS.COM (kfliong)
Date: Thu Jan 12 21:18:56 2006
Subject: emails with No Message Collected
In-Reply-To:
Message-ID: <5.2.1.1.0.20030714173600.02670a60@192.168.10.2>

Hi,

I have this problem where some of the outgoing mails are received as <<< No Message Collected >>>.

All the contents including attachments are ripped and only left with this message "<<< No Message Collected >>>".

I am not sure if this is related to Mailscanner or any of the settings in it that I have implemented. This is truly strange. So far, I can't find any pattern that can lead me to diagnose this problem. The sender, recipient, subject, contents are random.

I would appreciate any help or suggestions. Thanks in advance.

From Kevin.Spicer at BMRB.CO.UK Mon Jul 14 10:57:37 2003
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin)
Date: Thu Jan 12 21:18:56 2006
Subject: emails with No Message Collected
Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0A4ADCB@pascal.priv.bmrb.co.uk>

kfliong wrote:
> Hi,
>
> I have this problem where some of the outgoing mails are received as
> <<< No Message Collected >>>.
>
> All the contents including attachments are ripped and only left with
> this message "<<< No Message Collected >>>".

That's a sendmail error - probably you have a sendmail process which is trying to process the incoming queue, which leads to a race condition between mailscanner and sendmail. Sometimes MailScanner gets the message, sometimes sendmail gets the message, sometimes mailscanner gets the message, sometimes there's a draw, mailscanner gets the message - sendmail only gets the headers - but sendmail delivers first, therefore the second (full) copy (from MailScanner) is discarded as a duplicate (same messageid). You can verify if this is the case by grepping your maillogs for affected message ids.

When this happened to me it was caused by an exchange server issuing ETRN's - make sure your MailScanner init script is starting sendmail with the noetrn option.

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000
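
Returning to the "filename rules" exchange earlier in this digest (the something.url. attachment and the suggested trailing-dot rule): the following added example, which is not MailScanner's code and not from either poster, evaluates a rule file before and after the fix and shows why the tab separators matter. It assumes four tab-separated fields per rule, top-to-bottom evaluation where the first match decides, and case-insensitive matching; the `\.url$` rule is a constructed stand-in for the poster's own .url rule.

```python
"""Evaluate filename.rules.conf-style rules against attachment names."""
import re
from typing import List, NamedTuple, Tuple


class Rule(NamedTuple):
    action: str          # "allow" or "deny"
    pattern: "re.Pattern"
    log_text: str        # text written to the log
    user_text: str       # text shown to the user


def rule_line(*fields: str) -> str:
    """Join the fields of one rule with tabs, as the rule file requires."""
    return "\t".join(fields)


# Constructed stand-in for the existing ".url" rule mentioned in the thread.
URL_RULE = rule_line("deny", r"\.url$", "Internet shortcut",
                     "Internet shortcuts are not permitted")
# The rule suggested in the reply, field for field.
DOT_RULE = rule_line("deny", r"\.$", "Trailing dot in Filename",
                     "Trailing dots are not permitted in filenames")

RULES_BEFORE = URL_RULE
RULES_AFTER = "\n".join([DOT_RULE, URL_RULE])  # new rule placed near the top


def parse_rules(text: str) -> List[Rule]:
    """Parse rule lines; reject lines whose fields are not tab-separated."""
    rules = []
    for number, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        fields = [f for f in line.strip().split("\t") if f]
        if len(fields) != 4:
            raise ValueError(
                f"line {number}: expected 4 tab-separated fields, got {len(fields)}"
            )
        action = fields[0].lower()
        if action not in ("allow", "deny"):
            raise ValueError(f"line {number}: unknown action {fields[0]!r}")
        # Assumption: patterns are matched case-insensitively.
        rules.append(Rule(action, re.compile(fields[1], re.IGNORECASE),
                          fields[2], fields[3]))
    return rules


def check(rules: List[Rule], filename: str) -> Tuple[str, str]:
    """Return (action, log text) of the first matching rule; allow otherwise."""
    for rule in rules:
        if rule.pattern.search(filename):
            return rule.action, rule.log_text
    return "allow", "no rule matched"


if __name__ == "__main__":
    for label, text in (("before", RULES_BEFORE), ("after", RULES_AFTER)):
        rules = parse_rules(text)
        for name in ("something.url", "something.url.", "report.pdf"):
            print(label, repr(name), check(rules, name))
```

`\.url$` is anchored at the end of the name, so the extra dot alone is enough to stop it matching; the `\.$` rule closes that gap regardless of the extension in front of the dot.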
From richard at HELPPLC.COM Mon Jul 14 11:50:29 2003
From: richard at HELPPLC.COM (Richard Sidlin)
Date: Thu Jan 12 21:18:56 2006
Subject: Chinese Emails
In-Reply-To: <1057858790.29126.7.camel@bach.kevinspicer.co.uk>
Message-ID: <001201c349f5$c108a410$0b01a8c0@rich>

Here's one that got through. Any thoughts?

Return-Path:
Received: from hotmail.com ([211.147.233.7]) by hosting.helpplc.co.uk (8.10.2/8.10.2) with ESMTP id h6BG4j513185 for ; Fri, 11 Jul 2003 17:04:46 +0100
Date: Fri, 11 Jul 2003 17:04:46 +0100
Message-Id: <200307111604.h6BG4j513185@ns.helpplc.co.uk>
From: "me2@hotmail.com"
Subject: =?GB2312?B?08PI/bfW1tOjrL2owaLX1Ly6tcR3ZWLT79L0wcTM7LrNtee7sLvh0unPtc2z? =
X-MailScanner-Information: Provided by Help Internet - 01707 897111
X-MailScanner: Found to be clean
X-MailScanner-SpamCheck: not spam, SpamAssassin (score=5.7, required 6, BAYES_20, CHARSET_FARAWAY_HEADERS, FORGED_HOTMAIL_RCVD, HTML_10_20, HTML_CHARSET_FARAWAY, HTML_TITLE_UNTITLED, UNDESIRED_LANGUAGE_BODY)
X-MailScanner-SpamScore: sssss
X-UIDL: 3NU!!M%-!!K$f"!G3&!!
Message: =?GB2312?B?o6zD4rfRz8LU2Mq508M=?=
To: info@xxxx.co.uk
Content-Type: text/html;charset="GB2312"
Reply-To: me2@hotmail.com
Date: Sat, 12 Jul 2003 00:06:09 +0800
X-Priority: 3
X-Mailer: Microsoft Outlook Express 6.00.2600.0000

Untitled Document


>-----Original Message-----
>From: MailScanner mailing list
>[mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Kevin Spicer
>Sent: 10 July 2003 18:40
>To: MAILSCANNER@JISCMAIL.AC.UK
>Subject: Re: Chinese Emails
>
>
>So just add this at the end?
>
>score MIME_CHARSET_FARAWAY 3
>
>Yes, but you should first activate
>
>Always Include SpamAssassin Report = yes
>
>so that you can see whether that rule is in fact being
>triggered by these emails, and decide what to change the score
>to. There may be other scores you want to tweak too.
>
>
>BMRB International
>http://www.bmrb.co.uk
>+44 (0)20 8566 5000
>

--
This message has been scanned for viruses and dangerous content by the Help Internet Virus Spam Defence, and is believed to be clean. For details on having your email scanned email support@helpinternet.co.uk

From Kevin.Spicer at BMRB.CO.UK Mon Jul 14 11:59:24 2003
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin)
Date: Thu Jan 12 21:18:56 2006
Subject: Chinese Emails
Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0EBF721@pascal.priv.bmrb.co.uk>

Richard Sidlin wrote:
> Here's one that got through. Any thoughts?

Your threshold is quite conservative!

Maybe increase the scores for each of these (say by 0.3 or 0.4) I don't know what the current scores are so you'll have to look them up!
CHARSET_FARAWAY_HEADERS
HTML_CHARSET_FARAWAY
UNDESIRED_LANGUAGE_BODY

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000

From richard at HELPPLC.COM Mon Jul 14 12:09:26 2003
From: richard at HELPPLC.COM (Richard Sidlin)
Date: Thu Jan 12 21:18:56 2006
Subject: Chinese Emails
In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB0EBF721@pascal.priv.bmrb.co.uk>
Message-ID: <001b01c349f8$673fb010$0b01a8c0@rich>

The only manual entry I have in spam.assassin.prefs.conf is:

Score MIME_CHARSET_FARAWAY 3

Should I add some others under this and can you be specific please!

Richard

>-----Original Message-----
>From: MailScanner mailing list
>[mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Spicer, Kevin
>Sent: 14 July 2003 11:59
>To: MAILSCANNER@JISCMAIL.AC.UK
>Subject: Re: Chinese Emails
>
>
>Richard Sidlin wrote:
>> Here's one that got through. Any thoughts?
>
>Your threshold is quite conservative!
>
>Maybe increase the scores for each of these (say by 0.3 or
>0.4) I don't know what the current scores are so you'll have
>to look them up! CHARSET_FARAWAY_HEADERS HTML_CHARSET_FARAWAY
>UNDESIRED_LANGUAGE_BODY
>
>
>BMRB International
>http://www.bmrb.co.uk
>+44 (0)20 8566 5000
>

From mailscanner at BARENDSE.TO Mon Jul 14 12:15:03 2003
From: mailscanner at BARENDSE.TO (Remco Barendse)
Date: Thu Jan 12 21:18:56 2006
Subject: Chinese Emails
In-Reply-To: <001b01c349f8$673fb010$0b01a8c0@rich>
Message-ID:

and also increase the scores for the other items:
CHARSET_FARAWAY_HEADERS HTML_CHARSET_FARAWAY

Installing DCC also helps a lot, I now only get 1-2 mails per week for all my users that slip through!

On Mon, 14 Jul 2003, Richard Sidlin wrote:

> The only manual entry I have in spam.assassin.prefs.conf is:
>
> Score MIME_CHARSET_FARAWAY 3
>
> Should I add some others under this and can you be specific please!
>
>
> Richard
>
> >-----Original Message-----
> >From: MailScanner mailing list
> >[mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Spicer, Kevin
> >Sent: 14 July 2003 11:59
> >To: MAILSCANNER@JISCMAIL.AC.UK
> >Subject: Re: Chinese Emails
> >
> >
> >Richard Sidlin wrote:
> >> Here's one that got through. Any thoughts?
> >
> >Your threshold is quite conservative!
> >
> >Maybe increase the scores for each of these (say by 0.3 or
> >0.4) I don't know what the current scores are so you'll have
> >to look them up! CHARSET_FARAWAY_HEADERS HTML_CHARSET_FARAWAY
> >UNDESIRED_LANGUAGE_BODY
> >
> >
> >BMRB International
> >http://www.bmrb.co.uk
> >+44 (0)20 8566 5000
> >
>

From Kevin.Spicer at BMRB.CO.UK Mon Jul 14 12:18:46 2003
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin)
Date: Thu Jan 12 21:18:56 2006
Subject: Chinese Emails
Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0EBF724@pascal.priv.bmrb.co.uk>

Richard Sidlin wrote:
> The only manual entry I have in spam.assassin.prefs.conf is:
>
> Score MIME_CHARSET_FARAWAY 3
>
> Should I add some others under this and can you be specific please!

Yes. Look up the current scores for each of the following (if they are not in spam.assassin.prefs.conf grep for them in the files in /usr/share/spamassassin) then add a line for each to spam.assassin.prefs.conf, adding 0.3 to the score in each case. I can't tell you what the scores should be because it depends which ruleset you are using.
CHARSET_FARAWAY
CHARSET_FARAWAY_HEADERS
HTML_CHARSET_FARAWAY
MIME_CHARSET_FARAWAY
UNDESIRED_LANGUAGE_BODY

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000

From richard at HELPPLC.COM Mon Jul 14 12:22:36 2003
From: richard at HELPPLC.COM (Richard Sidlin)
Date: Thu Jan 12 21:18:56 2006
Subject: Chinese Emails
In-Reply-To:
Message-ID: <002201c349fa$3d98edb0$0b01a8c0@rich>

I have the following setting:

Score DCC_CHECK 0.0

Do I need to change the score on this?

Richard

>-----Original Message-----
>From: MailScanner mailing list
>[mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Remco Barendse
>Sent: 14 July 2003 12:15
>To: MAILSCANNER@JISCMAIL.AC.UK
>Subject: Re: Chinese Emails
>
>
>and also increase the scores for the other items:
>CHARSET_FARAWAY_HEADERS HTML_CHARSET_FARAWAY
>
>Installing DCC also helps a lot, I now only get 1-2 mails per
>week for all my users that slip through!
>
>On Mon, 14 Jul 2003, Richard Sidlin wrote:
>
>> The only manual entry I have in spam.assassin.prefs.conf is:
>>
>> Score MIME_CHARSET_FARAWAY 3
>>
>> Should I add some others under this and can you be specific please!
>>
>>
>> Richard
>>
>> >-----Original Message-----
>> >From: MailScanner mailing list
>> >[mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Spicer, Kevin
>> >Sent: 14 July 2003 11:59
>> >To: MAILSCANNER@JISCMAIL.AC.UK
>> >Subject: Re: Chinese Emails
>> >
>> >
>> >Richard Sidlin wrote:
>> >> Here's one that got through. Any thoughts?
>> >
>> >Your threshold is quite conservative!
>> >
>> >Maybe increase the scores for each of these (say by 0.3 or
>> >0.4) I don't know what the current scores are so you'll have to look
>> >them up! CHARSET_FARAWAY_HEADERS HTML_CHARSET_FARAWAY
>> >UNDESIRED_LANGUAGE_BODY
>> >
>> >
>> >BMRB International
>> >http://www.bmrb.co.uk
>> >+44 (0)20 8566 5000
>> >
>>
>

From Kevin.Spicer at BMRB.CO.UK Mon Jul 14 12:24:53 2003
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin)
Date: Thu Jan 12 21:18:56 2006
Subject: Chinese Emails
Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0EBF726@pascal.priv.bmrb.co.uk>

Richard Sidlin wrote:
> I have the following setting:
>
> Score DCC_CHECK 0.0
>
> Do I need to change the score on this?
>
> Richard
>

Only if you have installed DCC

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000

From tony.johansson at SVENSKAKYRKAN.SE Mon Jul 14 13:02:47 2003
From: tony.johansson at SVENSKAKYRKAN.SE (Tony Johansson)
Date: Thu Jan 12 21:18:56 2006
Subject: Messages per user survey
Message-ID:

Hello,

I'm interested in knowing how many messages your users send/receive per day on average. (external traffic)

I have some fairly low-volume users. The grand total is no more than 1.5 incoming messages and about 1.1 outgoing per day for a total of 14.000 users.

I ask because I've seen some pretty weird quotes saying that the average email user gets 24 and sends 11 (or so) messages per day. Would be interesting with some real live figures from this list as a reference.

regards, Tony

From denis at CROOMBS.ORG Mon Jul 14 13:11:13 2003
From: denis at CROOMBS.ORG (Denis Croombs)
Date: Thu Jan 12 21:18:56 2006
Subject: Messages per user survey
References:
Message-ID: <00b401c34a01$05d05d30$85b8fea9@Laptop>

Hi

I have a number of servers & 1 of these handles between 1500 to 2500 received emails per day & 20 to 100 emails sent per day, this server has 10 users.

Denis
www.just-servers.co.uk

----- Original Message -----
From: "Tony Johansson"
To:
Sent: Monday, July 14, 2003 1:02 PM
Subject: Messages per user survey

> Hello,
>
> I'm interested in knowing how many messages your users send/receive per day
> on average. (external traffic)
>
> I have some fairly low-volume users. The grand total is no more than 1.5
> incoming messages and about 1.1 outgoing per day for a total of 14.000
> users.
>
> I ask because I've seen some pretty weird quotes saying that the average
> email user gets 24 and send 11 (or so) messages per day. Would be
> interesting with some real live figures from this list as a reference.
>
>
> regards, Tony

From myr at HTW-SAARLAND.DE Mon Jul 14 13:49:22 2003
From: myr at HTW-SAARLAND.DE (Margit Meyer)
Date: Thu Jan 12 21:18:56 2006
Subject: Notify sender and postmaster
Message-ID:

>
>>Notify Senders = yes
>>Send Notices = yes
>>Notices From = MailScanner
> ^^^^^^ No domain?
>
>I have had this in another situation (not MS related) where the
>mailserver did not accept the from-address because he knew it didn't
>exist. Neither could he return a bounce because the address did not
>exist.
>
>--
>Peter Peters, senior network administrator
>Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE)
>Universiteit Twente, Postbus 217, 7500 AE Enschede
>telephone: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/civ

I added our domain and created the account MailScanner - but it didn't help.

Regards
Margit

From Thomas.Ehweiner at T-SYSTEMS.COM Mon Jul 14 16:30:55 2003
From: Thomas.Ehweiner at T-SYSTEMS.COM (Thomas Ehweiner)
Date: Thu Jan 12 21:18:56 2006
Subject: AW: Strange (non working) behaviour 4.22-4
Message-ID: <698647D9732ED84290AB276EC481B64301EEB0@U8SM7.gppng01.telekom.de>

Same behaviour for me. But MS has never worked before. Every message is unscanned.

Jul 14 17:00:54 192.168.10.52 MailScanner[5913]: MailScanner E-Mail Virus Scanner version 4.22-5 starting...
Jul 14 17:00:55 192.168.10.52 MailScanner[5913]: Using locktype = flock
Jul 14 17:01:00 192.168.10.52 MailScanner[5913]: New Batch: Forwarding 1 unscanned messages, 5652 bytes
Jul 14 17:01:00 192.168.10.52 MailScanner[5913]: Spam Checks: Starting
Jul 14 17:01:00 192.168.10.52 MailScanner[5913]: Unscanned: Delivered 1 messages
Jul 14 17:01:00 192.168.10.52 MailScanner[5913]: Virus and Content Scanning: Starting

No whitelisting for sender domain/IP. No blacklist. SA-Test ("spamassassin -t < sample-spam.txt > spam.out") is ok.

SA 2.55
MS 4.22-5
Solaris 8
perl 5.8

in mailscanner.conf:

Mark Infected Messages = yes
Mark Unscanned Messages = yes
Deliver Cleaned Messages = yes
Detailed Spam Report = yes
Include Scores In SpamAssassin Report = yes

sendmail-in runs as smmsp, sendmail-out as root. Use MS only for spam checking (Virus Scanning = no).

Any help would be appreciated.

Norman, Thomas

> -----Original Message-----
> From: Norman Schmidt Jr [mailto:norman@NORMAN.COM.BR]
> Sent: Monday, 14 July 2003 03:20
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Strange (non working) behaviour 4.22-4
>
>
> Some days ago I installed a sendmail 8.12.9 + mailscanner 4.22-4. The
> setup worked flawlessly for two days, scanning and blocking viruses and
> blocking attachments as configured in filename and
> filetype.rules.conf. Everything was running fine and smoothly. On
> Saturday, after some "MailScanner child dying of old age" and
> restarting messages - and absolutely NO modifications on any config
> file - Mailscanner stopped to scan and block files, and its now just
> forwarding unscanned messages. Everything goes in: viruses, files
> blocked by rules, etc:
>
> MailScanner[1122]: New Batch: Forwarding 1 unscanned messages, 8465
> bytes
> MailScanner[1122]: Unscanned: Delivered 1 messages
>
> I really don't have a clue about what happened. Everything looks fine.
> Can someone help me pointing where I can start looking for something
> wrong? Thanks in advance, Norman
>

From Kevin.Spicer at BMRB.CO.UK Mon Jul 14 16:45:54 2003
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin)
Date: Thu Jan 12 21:18:56 2006
Subject: Strange (non working) behaviour 4.22-4
Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0EBF72D@pascal.priv.bmrb.co.uk>

> (Virus Scanning = no)

That turns off all processing, including spam checks! It is misnamed, but there's a historical reason for that. You need to set Virus Scanning=yes and Virus Scanners=no, you'll probably want to disable the other virus related content checks too (read the comments in MailScanner.conf).

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000

From Thomas.Ehweiner at T-SYSTEMS.COM Mon Jul 14 17:29:48 2003
From: Thomas.Ehweiner at T-SYSTEMS.COM (Thomas Ehweiner)
Date: Thu Jan 12 21:18:56 2006
Subject: AW: Strange (non working) behaviour 4.22-4
Message-ID: <698647D9732ED84290AB276EC481B64301EEB1@U8SM7.gppng01.telekom.de>

Kevin, you're right! It works.

Another issue is, Mailscanner complains about logging.

In Debug-mode:
--------------------
Starting MailScanner...
In Debugging mode, not forking...
unix passed to setlogsock, but path not available at /opt/MailScanner/lib/MailScanner/Log.pm line 62
debug: Score set 0 chosen.
debug: running in taint mode? no
-----------------

I'm using syslog-ng 1.6 with this source "source local { sun-streams("/dev/log" door("/etc/.syslog_door")); internal();" facility is local4 (to /var/log/scanmail) - and it works! Should I pay attention to the error message above?

Thomas

> -----Original Message-----
> From: Spicer, Kevin [mailto:Kevin.Spicer@BMRB.CO.UK]
> Sent: Monday, 14 July 2003 17:46
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: Strange (non working) behaviour 4.22-4
>
>
> > (Virus Scanning = no)
>
> That turns off all processing, including spam checks! It is
> misnamed, but there's a historical reason for that. You need
> to set Virus Scanning=yes and Virus Scanners=no,
> you'll probably want to disable the other virus related
> content checks too (read the comments in MailScanner.conf).
>
>
> BMRB International
> http://www.bmrb.co.uk
> +44 (0)20 8566 5000
>

From ka at PACIFIC.NET Mon Jul 14 17:30:11 2003
From: ka at PACIFIC.NET (Ken Anderson)
Date: Thu Jan 12 21:18:56 2006
Subject: MS Performance
In-Reply-To:
References:
Message-ID: <3F12DA93.4060804@pacific.net>

We relay about 500k emails a day through 2 MS machines running redhat & sendmail.
Both machines are dual Xeon/1gb RAM/SCSI, RAID1
About 45% of the total incoming mail is spam, half of which is deleted.

With the exception of the following, it's a default rpm install:
Max Children = 15
Log Spam = yes (since we need the logs for stats.)
MS Spam Action is "attachment, deliver".

If one rbl goes down or is slow, we found that we very quickly had a backlog of 20k messages, so we've turned off rbl checks in SA. Adjusting the timeouts for rbl checks may be a better solution.

We've made a few other tweaks to the default MS settings, but I don't think they are related to performance.

The load average when the machines are sharing the mail load is usually about 3-4, rising to about 10-15 when one machine handles the full load by itself.

Everything seems to fit into memory, there is no swapping to disk, and the average delay for a message being relayed is < 1 minute.

A possible bottleneck is syslog, since both sendmail & MS are very busy adding log entries to the maillog, though I haven't done any testing to see if this is really a problem.

Another bottleneck is the way 'user unknowns' are handled. Currently, because mail is relayed through the MS boxes, the MS boxes don't know if the user exists at the domain or not. So MS spends time scanning mail that is destined for a user that doesn't exist. Next Sendmail tries to deliver it and it is rejected by the destination mailserver. Then sendmail tries to bounce it back to an address that usually doesn't exist, or a mailserver that is not accepting connections or can't be resolved. Using re-mqueue to re-queue outgoing mail is helpful with this problem.

Ken A.

Tony Johansson wrote:
>>I am processing around 600.000 messages on two dual xeon machines, daily,
>>with peaks to 800.000-1.000.000 daily. I think MS is doing just fine :)
>>
>>Most of the time it's a matter of the test setup also that is limiting the
>>figures. Also some tweaking on the machines won't harm...
>>
>>Bye,
>>Raymond.
>
>
> What MTA are you using? I recall an earlier post by Julian where he tested
> exim vs sendmail on one of his test machines, getting 3 times the
> throughput with exim.
>
> I'm interested in what kind of performance people are getting with sendmail
> and MS. I'm about to design a system built on redhat and sendmail which
> will handle lots of relaying (500k-1mil email daily approx)
>
> I'd rather use sendmail but if the performance gain with exim really is 3
> to 1 that might be the road we have to take.
>
> regards, Tony
>
>

From lists at STHOMAS.NET Mon Jul 14 17:50:47 2003
From: lists at STHOMAS.NET (Steve Thomas)
Date: Thu Jan 12 21:18:56 2006
Subject: FW: qmail smtp-auth bug allows open relay
Message-ID: <20030714095047.A13086@sthomas.net>

Heads up to all qmail users out there...

----- Forwarded message from John Brown -----

Date: Mon, 14 Jul 2003 10:34:00 -0600
From: John Brown <.....@chagresventures.com>
To: nanog@merit.edu
Subject: qmail smtp-auth bug allows open relay

seems that there are installs of the smtp-auth patch to qmail that accept anything as a user name and password and thus allow you to connect.

http://marc.theaimsgroup.com/?l=qmail&m=105452174430616&w=2

is one URL that talks about this.

There has been an increase in what appears to be qmail based open-relays over the last 5 days. Each of these servers pass the normal suite of open-relay tests.

Spammers are scanning for SMTP-AUTH and STARTTLS based mail servers that may be misconfigured. Then using them to send out their trash.

Some early docs on setting up qmail based smtp-auth systems had the config info incorrect. This leads to /usr/bin/true being used as the password checker. :(

From an operational perspective, I suspect we will see more SMTP scans

The basic test (see URL above) should get incorporated into various open-relay testing scripts.

cheers

john brown
chagres technologies, inc

----- End forwarded message -----

--
"All truth passes through three stages. First, it is ridiculed. Second, it is violently opposed. Third, it is accepted as being self-evident."
- Arthur Schopenhauer (1788-1860) From tsevy at EPX.COM Mon Jul 14 17:54:51 2003 From: tsevy at EPX.COM (Tom Sevy) Date: Thu Jan 12 21:18:56 2006 Subject: MS Performance Message-ID: <006101c34a28$a4727e60$bc0aa8c0@epx.com> Don't know what you use for Firewalling, but I have taken the top invalid recipients and created a rule in our Firewalls to reject email to them. ----- Original Message ----- From: "Ken Anderson" To: Sent: Monday, July 14, 2003 12:30 PM Subject: Re: MS Performance We relay about 500k emails a day through 2 MS machines running redhat & sendmail. Both machines are dual Xeon/1gb RAM/SCSI, RAID1 About 45% of the total incoming mail is spam, half of which is deleted. With the exception of the following, it's a default rpm install: Max Children = 15 Log Spam = yes (since we need the logs for stats.) MS Spam Action is "attachment, deliver". If one rbl goes down or is slow, we found that we very quickly had a backlog of 20k messages, so we've turned off rbl checks in SA. Adjusting the timeouts for rbl checks may be a better solution. We've made a few other tweaks to the default MS settings, but I don't think they are related to performance. The load average when the machines are sharing the mail load is usually about 3-4, rising to about 10-15 when one machine handles the full load by itself. Everything seems to fit into memory, there is no swapping to disk, and the average delay for a message being relayed is < 1 minute. A possible bottleneck is syslog, since both sendmail & MS are very busy adding log entries to the maillog, though I haven't done any testing to see if this is really a problem. Another bottleneck is the way 'user unknowns' are handled. Currently, because mail is relayed through the MS boxes, the MS boxes don't know if the user exists at the domain or not. So MS spends time scanning mail that is destined for a user that doesn't exist. Next Sendmail tries to deliver it and it is rejected by the destination mailserver. 
Then sendmail tries to bounce it back to an address that usually doesn't
exist, or a mailserver that is not accepting connections or can't be
resolved. Using re-mqueue to re-queue outgoing mail is helpful with this
problem.

Ken A.


Tony Johansson wrote:
>>I am processing around 600.000 messages on two dual xeon machines, daily,
>>with peaks to 800.000-1.000.000 daily. I think MS is doing just fine :)
>>
>>Most of the time it's a matter of the test setup also that is limiting the
>>figures. Also some tweaking on the machines won't harm...
>>
>>Bye,
>>Raymond.
>
>
> What MTA are you using? I recall an earlier post by Julian where he tested
> exim vs sendmail on one of his test machines, getting 3 times the
> throughput with exim.
>
> I'm interested in what kind of performance people are getting with sendmail
> and MS. I'm about to design a system built on redhat and sendmail which
> will handle lots of relaying (500k-1mil email daily approx)
>
> I'd rather use sendmail but if the performance gain with exim really is 3
> to 1 that might be the road we have to take.
>
> regards, Tony
>
>
From norman at NORMAN.COM.BR Mon Jul 14 18:01:45 2003
From: norman at NORMAN.COM.BR (Norman Schmidt Jr)
Date: Thu Jan 12 21:18:56 2006
Subject: Strange (non working) behaviour 4.22-4
References: <5C0296D26910694BB9A9BBFC577E7AB0EBF71A@pascal.priv.bmrb.co.uk>
Message-ID: <3F12E1F9.4070501@norman.com.br>

Hi Folks,

At first, thanks to everybody who replied to my post!

For the record, I found the problem: Friday I was playing with the webmin mailscanner module (http://lushsoft.dyndns.org/mailscanner-webmin/) in that server. Although I hadn't saved any configuration change using that webmin module - installing it just to check how its interface looks - it seems that the first thing the module did was change the "Virus Scanning" MailScanner.conf directive to "no", without any warning. As it was supposed to be, new child processes were reborning forwarding everything.
As this is such a blatantly obvious problem and I am subject to all Murphy's laws, I simply didn't see it in my three or four previous .conf file checks. A fifth check after a cup of coffee and a (thanks Matt!)

grep -v ^# MailScanner.conf

hit the spot.

Again, thanks everybody!

Norman

Spicer, Kevin wrote:

>>I really don't have a clue about what happened. Everything looks fine.
>>Can someone help me pointing where I can start looking for something
>>wrong? Thanks in advance,
>
>
> Sounds like you might have a sendmail process running which is bypassing mailscanner, try (assuming RedHat like syntax)
>
> service MailScanner stop
> service sendmail stop
> chkconfig sendmail --level 2345 off
>
> ps -elf | grep sendmail
> [Now kill all sendmail processes & ps again to check they are dead]
>
> service MailScanner start
>
> If that doesn't work could you post some of your maillog so we can see what's happening.
>
>
>
> BMRB International
> http://www.bmrb.co.uk
> +44 (0)20 8566 5000
> _________________________________________________________________
> This message (and any attachment) is intended only for the
> recipient and may contain confidential and/or privileged
> material. If you have received this in error, please contact the
> sender and delete this message immediately. Disclosure, copying
> or other action taken in respect of this email or in
> reliance on it is prohibited. BMRB International Limited
> accepts no liability in relation to any personal emails, or
> content of any email which does not directly relate to our
> business.
>
>
From vanhorn at whidbey.com Mon Jul 14 18:53:59 2003
From: vanhorn at whidbey.com (G. Armour Van Horn)
Date: Thu Jan 12 21:18:56 2006
Subject: Smooth upgrade to 4.22-5
References: <5.2.1.1.2.20030606191640.02586da8@imap.ecs.soton.ac.uk> <5.2.1.1.2.20030606180831.03cf99a0@imap.ecs.soton.ac.uk> <5.2.1.1.2.20030606180831.03cf99a0@imap.ecs.soton.ac.uk> <5.2.1.1.2.20030606191640.02586da8@imap.ecs.soton.ac.uk> <5.2.1.1.2.20030608145043.03927510@imap.ecs.soton.ac.uk>
Message-ID: <3F12EE37.66408831@whidbey.com>

Julian,

I just reved my system to 4.22-5 (from 4.14-9, also reved SA from 2.53 to 2.55) with no problems at all. (Well, I did have to include ignore-perl, but that's a known artifact of something that you and I went through last year, but I didn't have to force anything else.)

When I restarted the service I checked to make sure all my processes were running, and was stunned to find that I had two Queue runners serving /var/spool/clientmqueue, one from last month, and one from the restart.

Yippee!!! I no longer have to remember to manually start that queue after a system restart.

Van

--
----------------------------------------------------------
Sign up now for Quotes of the Day, a handful of quotations
on a theme delivered every morning.
Enlightenment! Daily, for free!
mailto:twisted@whidbey.com?subject=Subscribe_QOTD

For web hosting and maintenance,
visit Van's home page: http://www.domainvanhorn.com/van/
----------------------------------------------------------
From chris at FRACTALWEB.COM Mon Jul 14 18:54:10 2003
From: chris at FRACTALWEB.COM (Chris Yuzik)
Date: Thu Jan 12 21:18:56 2006
Subject: strange glitch results in lost mail
Message-ID: <038a01c34a30$edcff3a0$1501a8c0@pandora>

Hi everyone,

I have SpamAssassin and MailScanner running on my RedHat 7.3 machine. The server is running Ensim WEBppliance PRO 3.5.10. The server hosts about a dozen domains. I run sendmail and procmail.

Almost everything works great. Almost.

Mail from the outside world works as expected, gets scanned and scored and so forth.
I've got SA's threshold set to 5 and am running DCC and Razor...in the two days I tested it over the weekend, it correctly identified 99%+ of spam.

My big problem is that sometimes mail from within the server never arrives...never bounces...just goes to a black hole. I'll list some examples so it makes more sense:

1) let's pretend that domain1.com and domain2.com are hosted on my server. external1.com is not hosted on my server.
2) steve@domain1.com and john@domain1.com can both send to and receive email from susan@external1.com just fine. dave@domain2.com and scott@domain2.com can also send to and receive email from susan@external1.com too. Internal to the outside world works.
3) steve@domain1.com can not email john@domain1.com and vice-versa. Internal to internal is not working.
4) it gets stranger. dave@domain2.com can send email to scott@domain2.com, but not the other way around. If scott replies to dave's message, then dave never gets the reply.

As I said before, the message doesn't bounce or anything...it just goes into a black hole and is never seen again.

When I installed MailScanner, the documentation said I was supposed to do the following (which is what I did):

1) "service sendmail stop"
2) "service MailScanner start"

In an attempt to troubleshoot the problem, I tried the following:

1) "service MailScanner stop"
2) "service sendmail start"
3) "service MailScanner start"

Now everyone can email everyone else: internal<-> internal and internal<->external just fine. Unfortunately, now nothing gets processed through spamassassin.

How do I go about fixing this? Please help.

Regards,
Chris Yuzik
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030714/30263958/attachment.html
From damian at WORKGROUPSOLUTIONS.COM Mon Jul 14 19:15:29 2003
From: damian at WORKGROUPSOLUTIONS.COM (Damian Mendoza)
Date: Thu Jan 12 21:18:56 2006
Subject: Some spam getting through for some odd reason
Message-ID:

Kevin,

Thanks for the feedback - I now believe that the message was scanned, but did not score high enough to be displayed as SPAM in my logs or the header of the message. It was a strange message with a lot of misspelled words.

Regards,

Damian

-----Original Message-----
From: Kevin Spicer [mailto:kevins@BMRB.CO.UK]
Sent: Sunday, July 13, 2003 2:13 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Some spam getting through for some odd reason

>On Sun, 2003-07-13 at 21:35, Damian Mendoza wrote:
>You are correct as it does not match. The spam check should be for
>[32466] I believe.

I'm not sure that we are clear what's going on. I've split your supplied log up to show the progress of the message incorrectly delivered (h6A04Q9F032454) and ignoring the other correctly processed message (h6A04Q9G032454) (note the single character difference - G not F)

MESSAGE h6A04Q9F032454 (incorrectly delivered without scanning)

Jul 9 17:04:27 spamgate sendmail[32454]: h6A04Q9F032454: from=, size=2207, class=0, nrcpts=1, msgid=<2730416505.01380945810856@kroc.com>, proto=ESMTP, daemon=MTA, relay=gateway.svusd.k12.ca.us [198.188.250.254]
Jul 9 17:04:27 spamgate sendmail[32454]: h6A04Q9F032454: to=, delay=00:00:00, mailer=esmtp, pri=30531, stat=queued
Jul 9 17:04:31 spamgate MailScanner[26052]: Unscanned: Delivered 1 messages
Jul 9 17:04:32 spamgate sendmail[32466]: h6A04Q9F032454: to=, delay=00:00:05, xdelay=00:00:01, mailer=esmtp, pri=120531, relay=[10.1.254.3] [10.1.254.3], dsn=2.0.0, stat=Sent ( <2730416505.01380945810856@kroc.com> Queued mail for delivery)

There must be a reason why MS is ignoring these messages.
It looks like the sender forged the server HELO to use a name in your domain (the name and IP don't resolve to each other). If you are whitelisting based on domain, or have virus checking turned off for some mail (maybe 'outgoing'?) then this may explain the behaviour. Could you post your various rulesets and the values for 'Virus Scanning' and 'Spam Checks' from MailScanner.conf?

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000
_________________________________________________________________
This message (and any attachment) is intended only for the
recipient and may contain confidential and/or privileged
material. If you have received this in error, please contact the
sender and delete this message immediately. Disclosure, copying
or other action taken in respect of this email or in
reliance on it is prohibited. BMRB International Limited
accepts no liability in relation to any personal emails, or
content of any email which does not directly relate to our
business.
From mikea at MIKEA.ATH.CX Mon Jul 14 19:22:36 2003
From: mikea at MIKEA.ATH.CX (mikea)
Date: Thu Jan 12 21:18:56 2006
Subject: Some spam getting through for some odd reason
In-Reply-To: ; from damian@WORKGROUPSOLUTIONS.COM on Mon, Jul 14, 2003 at 11:15:29AM -0700
References:
Message-ID: <20030714132236.A63832@mikea.ath.cx>

On Mon, Jul 14, 2003 at 11:15:29AM -0700, Damian Mendoza wrote:
> Kevin,
>
> Thanks for the feedback - I now believe that the message was scanned, but did not score high enough to be displayed as SPAM in my logs or the header of the message. It was a strange message with a lot of misspelled words.

I see that a lot now. "L337" spellings, with lots of s/l/1/, s/E/3/, s/O/0/, s/o/0/, s/A/4/, and the like. Once you have enough ham and spam to get Bayesian classification working, SA finds that stuff very handily.

The "L337" alphabet, as near as I've been able to figure it out:

abcdefghijk1mn0pqrs7uvwxyz
4BCD3FGHIJKLMN0PQRSTUVWXYZ

Additions will be useful.
--
Mike Andrews
mikea@mikea.ath.cx
Tired old sysadmin since 1964
From nejc.skoberne at guest.arnes.si Mon Jul 14 19:27:19 2003
From: nejc.skoberne at guest.arnes.si (Nejc Skoberne)
Date: Thu Jan 12 21:18:56 2006
Subject: Some spam getting through for some odd reason
In-Reply-To: <20030714132236.A63832@mikea.ath.cx>
References: <20030714132236.A63832@mikea.ath.cx>
Message-ID: <111901813.20030714202719@guest.arnes.si>

Hi.

> The "L337" alphabet, as near as I've been able to figure it out:
> abcdefghijk1mn0pqrs7uvwxyz
> 4BCD3FGHIJKLMN0PQRSTUVWXYZ
> Additions will be useful.

I think this is not "exact science". I mean there are many l33t0 interpretations. In some cases 1 means i, not l. Also, s is 5, v is sometimes \/, etc.

--
Nejc Skoberne
Grajska 5
SI-5220 Tolmin
E-mail: nejc.skoberne@guest.arnes.si
From richard_cipher at YAHOO.COM Mon Jul 14 19:36:46 2003
From: richard_cipher at YAHOO.COM (Evert Ford)
Date: Thu Jan 12 21:18:56 2006
Subject: strange glitch results in lost mail
In-Reply-To: <038a01c34a30$edcff3a0$1501a8c0@pandora>
Message-ID:

since you aren't having any mail delivery problems when you start sendmail outside of MailScanner, I'd suggest looking at your whitelist rules and blacklist rules, and next I'd suggest looking for a configuration error in MailScanner.conf. I had a similar problem until I whitelisted the internal domains I manage.

in MailScanner.conf, look at the following settings (just for starters):

MTA = sendmail
and
Sendmail = /usr/sbin/sendmail

if you are using a standard install path on Redhat 7.3 for sendmail

also, are you seeing any errors in your maillog on the e-mails that aren't delivered?
Evert Ford Information Analyst Westone Laboratories http://www.westone.com -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Chris Yuzik Sent: Monday, July 14, 2003 11:54 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: strange glitch results in lost mail Hi everyone, I have SpamAssassin and MailScanner running on my RedHat 7.3 machine. The server is running Ensim WEBppliance PRO 3.5.10. The server hosts about a dozen domains. I run sendmail and procmail. Almost everything works great. Almost. Mail from the outside world works as expected, gets scanned and scored and so forth. I've got SA's threshold set to 5 and am running DCC and Razor...in the two days I tested it over the weekend, it correctly identified 99%+ of spam. My big problem is that sometimes mail from within the server never arrives...never bounces...just goes to a black hole. I'll list some examples so it makes more sense: 1) let's pretend that domain1.com and domain2.com are hosted on my server. external1.com is not hosted on my server. 2) steve@domain1.com and john@domain1.com can both sent to and receive email from susan@external1.com just fine. dave@domain2.com and scott@domain2.com can also sent to and receive email from susan@external1.com to. Internal to the outside world works. 3) steve@domain1.com can not email john@domain1.com and vice-versa. Internal to internal is not working. 4) it gets stranger. dave@domain2.com can send email to scott@domain2.com, but not the other way around. If scott replies to dave's message, then dave never gets the reply. As I said before, the message doesn't bounce or anything...it just goes into a black hole and is never seen again. 
When I installed MailScanner, the documentation said I was supposed to do the following (which is what I did):

1) "service sendmail stop"
2) "service MailScanner start"

In an attempt to troubleshoot the problem, I tried the following:

1) "service MailScanner stop"
2) "service sendmail start"
3) "service MailScanner start"

Now everyone can email everyone else: internal<-> internal and internal<->external just fine. Unfortunately, now nothing gets processed through spamassassin.

How do I go about fixing this? Please help.

Regards,
Chris Yuzik

---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.483 / Virus Database: 279 - Release Date: 5/19/03
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030714/e1ee6843/attachment.html
From ka at PACIFIC.NET Mon Jul 14 21:07:38 2003
From: ka at PACIFIC.NET (Ken Anderson)
Date: Thu Jan 12 21:18:56 2006
Subject: MS Performance
In-Reply-To: <006101c34a28$a4727e60$bc0aa8c0@epx.com>
References: <006101c34a28$a4727e60$bc0aa8c0@epx.com>
Message-ID: <3F130D8A.2030206@pacific.net>

We're using iptables on the MS machines; I'm not sure how to use iptables to do this (or it is possible?). What are you using for a firewall?

Adding the top invalid recipients to /etc/mail/access should help similarly, as long as sendmail.cf was compiled with:

FEATURE(`access_db', `hash -T /etc/mail/access')dnl

and

FEATURE(`blacklist_recipients')

Thanks for the idea,
Ken A.

Tom Sevy wrote:
> Don't know what you use for Firewalling, but I have taken the top invalid
> recipients and created a rule in our Firewalls to reject email to them.
>
> ----- Original Message -----
> From: "Ken Anderson"
> To:
> Sent: Monday, July 14, 2003 12:30 PM
> Subject: Re: MS Performance
>
>
> We relay about 500k emails a day through 2 MS machines running redhat &
> sendmail.
Both machines are dual Xeon/1gb RAM/SCSI, RAID1 > About 45% of the total incoming mail is spam, half of which is deleted. > > With the exception of the following, it's a default rpm install: > Max Children = 15 > Log Spam = yes (since we need the logs for stats.) > MS Spam Action is "attachment, deliver". > If one rbl goes down or is slow, we found that we very quickly had a > backlog of 20k messages, so we've turned off rbl checks in SA. Adjusting > the timeouts for rbl checks may be a better solution. > > We've made a few other tweaks to the default MS settings, but I don't > think they are related to performance. > > The load average when the machines are sharing the mail load is usually > about 3-4, rising to about 10-15 when one machine handles the full load > by itself. Everything seems to fit into memory, there is no swapping to > disk, and the average delay for a message being relayed is < 1 minute. > > A possible bottleneck is syslog, since both sendmail & MS are very busy > adding log entries to the maillog, though I haven't done any testing to > see if this is really a problem. > > Another bottleneck is the way 'user unknowns' are handled. Currently, > because mail is relayed through the MS boxes, the MS boxes don't know if > the user exists at the domain or not. So MS spends time scanning mail > that is destined for a user that doesn't exist. Next Sendmail tries to > deliver it and it is rejected by the destination mailserver. Then > sendmail tries to bounce it back to an address that usually doesn't > exist, or a mailserver that is not accepting connections or can't be > resolved. Using re-mqueue to re-queue outgoing mail is helpful with this > problem. > > Ken A. > > > Tony Johansson wrote: > >>>I am processing around 600.000 messages on two dual xeon machines, daily, >>>with peaks to 800.000-1.000.000 daily. I think MS is doing just fine :) >>> >>>Most of the time its a matter of the test setup also that is limiting the >>>figures. 
Also some tweaking on the machines wont harm... >>> >>>Bye, >>>Raymond. >> >> >>What MTA are you using? I recall an earlier post by Julian where he tested >>exim vs sendmail on one of his test machines, getting 3 times the >>throughput with exim. >> >>I'm interested in what kind of performance people are getting with > > sendmail > >>and MS. I'm about to design a system built on redhat and sendmail which >>will handle lots of relaying (500k-1mil email daily approx) >> >>I'd rather use sendmail but if the performance gain with exim really is 3 >>to 1 that might be the road we haveto take. >> >>regards, Tony >> >> > > > > From kevins at BMRB.CO.UK Mon Jul 14 21:16:07 2003 From: kevins at BMRB.CO.UK (Kevin Spicer) Date: Thu Jan 12 21:18:56 2006 Subject: MS Performance In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB001175E25@pascal.priv.bmrb.co.uk> References: <5C0296D26910694BB9A9BBFC577E7AB001175E25@pascal.priv.bmrb.co.uk> Message-ID: <1058213771.17104.9.camel@bach.kevinspicer.co.uk> >Adding the top invalid recipients to /etc/mail/access should help Thats how I do it - knocked my spam down by a third simply by adding a couple of dozen ex-employees into the access database! I'd be interested to know what firewall product does this, and how (although I'd take some persuading to get me away from the notion that which emails to accept is a decision for the MTA, and in larger organizations that means the mail administrator not the firewall administrator). I hope it blocks the mail by sending the appropriate SMTP responses, not just blocking the packets outright (I'm thinking sending MTA tries primary, secondary, and tertiary MX's repeatedly for 5 days - not very efficient). BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. 
If you have received this in error, please contact the
sender and delete this message immediately. Disclosure, copying
or other action taken in respect of this email or in
reliance on it is prohibited. BMRB International Limited
accepts no liability in relation to any personal emails, or
content of any email which does not directly relate to our
business.
From marco at MUW.EDU Mon Jul 14 21:55:00 2003
From: marco at MUW.EDU (Marco Obaid)
Date: Thu Jan 12 21:18:56 2006
Subject: MS Performance
In-Reply-To: <1058213771.17104.9.camel@bach.kevinspicer.co.uk>
References: <5C0296D26910694BB9A9BBFC577E7AB001175E25@pascal.priv.bmrb.co.uk> <1058213771.17104.9.camel@bach.kevinspicer.co.uk>
Message-ID: <1058216100.3f1318a47c856@webmail.MUW.Edu>

Hi everyone,

There is a good document on Python's website that you can look at here:

http://www.python.org/cgi-bin/faqw-mm.py?req=show&file=faq04.011.htp

While it relates to Mailman, I found it useful !!!

I cut down on load spikes by denying mail at the MTA level. Also, mounting /var/spool/MailScanner/incoming into RAM. Finally, spreading the load on multiple scsi disks ---> made the world of difference for my site. Specifically, spreading spool and syslog logs on different physical fast scsi drives.

Marco

_________________________________________________________________
This mail is sent through MUW Webmail: http://www.MUW.Edu/webmail
For the latest MUW Events, visit http://www.MUW.Edu/calendar
From chris at FRACTALWEB.COM Mon Jul 14 21:50:02 2003
From: chris at FRACTALWEB.COM (Chris Yuzik)
Date: Thu Jan 12 21:18:56 2006
Subject: strange glitch results in lost mail
References:
Message-ID: <002001c34a49$7f7f67f0$6501a8c0@pandora>

Hi Evert,

Everything in my MailScanner.conf file looks ok from what I can tell. MTA and Sendmail are as you show, and sendmail is in /usr/bin/sendmail.

I haven't noticed anything particularly strange in the /var/log/maillog file...but I'm not sure what I'm supposed to look for either. Any hints?
I have added a crontab for /usr/lib/opcenter/virtualhosting/MailQueueCleaner and set it to run every 5 minutes. Not sure if this will help anything or not. I read somewhere that it might help, but certainly won't hurt anything. Where exactly do you whitelist the internal domains? Is that in "/etc/MailScanner/spam.whitelist.rules"? I don't have this file on my system and am not sure what format to use. Could you give me a couple of examples, or point me to the right place in the docs for this? Thanks. Chris Yuzik ----- Original Message ----- From: Evert Ford To: MAILSCANNER@JISCMAIL.AC.UK Sent: Monday, July 14, 2003 11:36 AM Subject: Re: strange glitch results in lost mail since you aren't having any mail delivery problems when you start sendmail outside of MailScanner, I'd suggest looking at your whitelist rules and blacklist rules, and next I'd suggest looking for a configuration error in MailScanner.conf. I had a similar problem until I whitelisted the internal domains I manage. in MailScanner.conf, look at the following settings(just for starters): MTA = sendmail and Sendmail = /usr/sbin/sendmail if you are using a standard install path on Redhat 7.3 for sendmail also, are you seeing any errors in your maillog on the e-mails that aren'd delivered? Evert Ford Information Analyst Westone Laboratories http://www.westone.com -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Chris Yuzik Sent: Monday, July 14, 2003 11:54 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: strange glitch results in lost mail Hi everyone, I have SpamAssassin and MailScanner running on my RedHat 7.3 machine. The server is running Ensim WEBppliance PRO 3.5.10. The server hosts about a dozen domains. I run sendmail and procmail. Almost everything works great. Almost. Mail from the outside world works as expected, gets scanned and scored and so forth. 
I've got SA's threshold set to 5 and am running DCC and Razor...in the two days I tested it over the weekend, it correctly identified 99%+ of spam. My big problem is that sometimes mail from within the server never arrives...never bounces...just goes to a black hole. I'll list some examples so it makes more sense: 1) let's pretend that domain1.com and domain2.com are hosted on my server. external1.com is not hosted on my server. 2) steve@domain1.com and john@domain1.com can both sent to and receive email from susan@external1.com just fine. dave@domain2.com and scott@domain2.com can also sent to and receive email from susan@external1.com to. Internal to the outside world works. 3) steve@domain1.com can not email john@domain1.com and vice-versa. Internal to internal is not working. 4) it gets stranger. dave@domain2.com can send email to scott@domain2.com, but not the other way around. If scott replies to dave's message, then dave never gets the reply. As I said before, the message doesn't bounce or anything...it just goes into a black hole and is never seen again. When I installed MailScanner, the documentation said I was supposed to do the following (which is what I did): 1) "service sendmail stop" 2) "service MailScanner start" In an attempt to troubleshoot the problem, I tried the following: 1) "service MailScanner stop" 2) "service sendmail start" 3) "service MailScanner start" Now everyone can email everyone else: internal<-> internal and internal<->external just fine. Unfortunately, now nothing gets processed through spamassassin. How do I go about fixing this? Please help. Regards, Chris Yuzik -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030714/a4fda270/attachment.html
From mikea at MIKEA.ATH.CX Mon Jul 14 22:02:20 2003
From: mikea at MIKEA.ATH.CX (mikea)
Date: Thu Jan 12 21:18:56 2006
Subject: strange glitch results in lost mail
In-Reply-To: <002001c34a49$7f7f67f0$6501a8c0@pandora>; from chris@FRACTALWEB.COM on Mon, Jul 14, 2003 at 01:50:02PM -0700
References: <002001c34a49$7f7f67f0$6501a8c0@pandora>
Message-ID: <20030714160220.A64716@mikea.ath.cx>

On Mon, Jul 14, 2003 at 01:50:02PM -0700, Chris Yuzik wrote:
> Hi Evert,
> Everything in my MailScanner.conf file looks ok from what I can tell. MTA and Sendmail are as you show, and sendmail is in /usr/bin/sendmail.
> I haven't noticed anything particularly strange in the
> /var/log/maillog file...but I'm not sure what I'm supposed to look for
> either. Any hints?

Mail that comes in through the input Sendmail, but never gets picked up by the output Sendmail, for one. You could have a quick look through the /var/spool/mqueue.in directory tree for stuff that should have been processed, too.

> Where exactly do you whitelist the internal domains? Is that in
> "/etc/MailScanner/spam.whitelist.rules"? I don't have this file on my
> system and am not sure what format to use. Could you give me a couple
> of examples, or point me to the right place in the docs for this?

Try /opt/MailScanner/etc/rules. Mine has the following files in it:

EXAMPLES
README
spam.whitelist.rules

and spam.whitelist.rules looks like this:

# This is where you can build a Spam WhiteList
# Addresses matching in here, with the value
# "yes" will never be marked as spam.
From:	152.78.	yes
#From:	130.246.	yes
FromOrTo:	default	no
From:	westernunion.com	yes
From:	*@*.state.ok.us	yes
From:	*@*.mil	yes
From:	*@*.gov	yes

NOTE: The whitespace between the pairs of columns is Tab characters.
--
Mike Andrews
mikea@mikea.ath.cx
Tired old sysadmin since 1964
From richard_cipher at YAHOO.COM Mon Jul 14 22:10:11 2003
From: richard_cipher at YAHOO.COM (Evert Ford)
Date: Thu Jan 12 21:18:56 2006
Subject: strange glitch results in lost mail
In-Reply-To: <002001c34a49$7f7f67f0$6501a8c0@pandora>
Message-ID:

if you have a standard install of MailScanner you should have the file /etc/MailScanner/rules/spam.whitelist.rules . It is called from MailScanner via:

Is Definitely Not Spam = /etc/MailScanner/rules/spam.whitelist.rules .

An example of a rule that would whitelist anything going to an internal domain:

To: *@myinternaldomain.com yes

If you wanted to whitelist inbound mail to a specific user, you would do something like:

To: joe@myinternaldomain.com yes

In the rules directory there is an excellent README and EXAMPLES file that helps explain how to do this, by the way

Evert Ford
Information Analyst
Westone Laboratories
http://www.westone.com

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Chris Yuzik
Sent: Monday, July 14, 2003 2:50 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: strange glitch results in lost mail

Hi Evert,

Everything in my MailScanner.conf file looks ok from what I can tell. MTA and Sendmail are as you show, and sendmail is in /usr/bin/sendmail.

I haven't noticed anything particularly strange in the /var/log/maillog file...but I'm not sure what I'm supposed to look for either. Any hints?

I have added a crontab for /usr/lib/opcenter/virtualhosting/MailQueueCleaner and set it to run every 5 minutes. Not sure if this will help anything or not. I read somewhere that it might help, but certainly won't hurt anything.

Where exactly do you whitelist the internal domains? Is that in "/etc/MailScanner/spam.whitelist.rules"? I don't have this file on my system and am not sure what format to use. Could you give me a couple of examples, or point me to the right place in the docs for this?

Thanks.
Chris Yuzik

----- Original Message -----
From: Evert Ford
To: MAILSCANNER@JISCMAIL.AC.UK
Sent: Monday, July 14, 2003 11:36 AM
Subject: Re: strange glitch results in lost mail

since you aren't having any mail delivery problems when you start sendmail outside of MailScanner, I'd suggest looking at your whitelist rules and blacklist rules, and next I'd suggest looking for a configuration error in MailScanner.conf. I had a similar problem until I whitelisted the internal domains I manage.

in MailScanner.conf, look at the following settings (just for starters):

MTA = sendmail
and
Sendmail = /usr/sbin/sendmail

if you are using a standard install path on Redhat 7.3 for sendmail

also, are you seeing any errors in your maillog on the e-mails that aren't delivered?

Evert Ford
Information Analyst
Westone Laboratories
http://www.westone.com

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Chris Yuzik
Sent: Monday, July 14, 2003 11:54 AM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: strange glitch results in lost mail

Hi everyone,

I have SpamAssassin and MailScanner running on my RedHat 7.3 machine. The server is running Ensim WEBppliance PRO 3.5.10. The server hosts about a dozen domains. I run sendmail and procmail. Almost everything works great. Almost.

Mail from the outside world works as expected, gets scanned and scored and so forth. I've got SA's threshold set to 5 and am running DCC and Razor...in the two days I tested it over the weekend, it correctly identified 99%+ of spam.

My big problem is that sometimes mail from within the server never arrives...never bounces...just goes to a black hole. I'll list some examples so it makes more sense:

1) let's pretend that domain1.com and domain2.com are hosted on my server. external1.com is not hosted on my server.

2) steve@domain1.com and john@domain1.com can both send to and receive email from susan@external1.com just fine.
dave@domain2.com and scott@domain2.com can also send to and receive email from susan@external1.com too. Internal to the outside world works.

3) steve@domain1.com can not email john@domain1.com and vice-versa. Internal to internal is not working.

4) it gets stranger. dave@domain2.com can send email to scott@domain2.com, but not the other way around. If scott replies to dave's message, then dave never gets the reply.

As I said before, the message doesn't bounce or anything...it just goes into a black hole and is never seen again.

When I installed MailScanner, the documentation said I was supposed to do the following (which is what I did):

1) "service sendmail stop"
2) "service MailScanner start"

In an attempt to troubleshoot the problem, I tried the following:

1) "service MailScanner stop"
2) "service sendmail start"
3) "service MailScanner start"

Now everyone can email everyone else: internal<->internal and internal<->external just fine. Unfortunately, now nothing gets processed through spamassassin.

How do I go about fixing this? Please help.

Regards,
Chris Yuzik

---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.483 / Virus Database: 279 - Release Date: 5/19/03

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030714/21da225a/attachment.html

From marco at MUW.EDU Mon Jul 14 22:20:08 2003
From: marco at MUW.EDU (Marco Obaid)
Date: Thu Jan 12 21:18:57 2006
Subject: strange glitch results in lost mail
In-Reply-To: <002001c34a49$7f7f67f0$6501a8c0@pandora>
References: <002001c34a49$7f7f67f0$6501a8c0@pandora>
Message-ID: <1058217608.3f131e88e56cd@webmail.MUW.Edu>

Hi,

> Where exactly do you whitelist the internal domains? Is that in
> "/etc/MailScanner/spam.whitelist.rules"? I don't have this file on my system
> and am not sure what format to use.
Could you give me a couple of examples,
> or point me to the right place in the docs for this?

Look into /etc/MailScanner/rules directory and you should find spam.whitelist.rules file. Here is an example:

# This is where you can build a Spam WhiteList
# Addresses matching in here, with the value
# "yes" will never be marked as spam.
From:       152.78.          yes  # whitelists mail from a network
From:       user@*           yes  # whitelists any mail coming from user
FromAndTo:  localhost        yes  # whitelists from and to localhost
From:       10.10.10.15      yes  # whitelists mail from a host
To:         host.domain.tld  yes  # whitelists mail TO a host
FromOrTo:   default          no   # Default is to check spam

Make sure you change this line in MailScanner.conf (if not already set):

Is Definitely Not Spam = /etc/MailScanner/rules/spam.whitelist.rules

Hope this helps

Marco

_________________________________________________________________
This mail is sent through MUW Webmail: http://www.MUW.Edu/webmail
For the latest MUW Events, visit http://www.MUW.Edu/calendar

From penguin at DHCP.NET Mon Jul 14 22:49:07 2003
From: penguin at DHCP.NET (penguin)
Date: Thu Jan 12 21:18:57 2006
Subject: tar.gz upgrade question
Message-ID: <000001c34a51$c39abbd0$0200a8c0@penguin>

Hiya,

Has anyone seen an upgrade script for the tar.gz installation of MailScanner? I have Gentoo and I don't use the RPM of MailScanner, so I was wondering if someone had developed or considered developing a nice .sh script that would perform the updates required in an RPM-like fashion. If not, I'm willing to give it a go and/or work with someone in making a script that does that.

A. Eijkhoudt

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
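The spam.whitelist.rules format quoted in the replies above, evaluated in code. This is an added example, not part of any post and not MailScanner's own code: the matcher is a simplified model that assumes the first matching rule wins, that `default` applies when nothing else matches, and that numeric patterns are tested against the connecting IP. It shows which kinds of message each rule shape posted in the thread exempts from spam checks, including a `To:` rule that exempts all inbound mail for a domain whoever sent it.

```python
"""Simplified evaluator for MailScanner-style spam whitelist rulesets.

Added example; the matching model is an assumption, not MailScanner code.
"""
import fnmatch
import re

DIRECTIONS = ("from", "to", "fromorto", "fromandto")
IP_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){0,3}\.?$")

# Constructed ruleset reusing rule shapes posted in the thread (tab-separated).
SAMPLE_RULES = (
    "# Addresses matching in here, with the value yes, skip spam checks\n"
    "From:\t152.78.\tyes\n"
    "To:\t*@myinternaldomain.com\tyes\n"
    "From:\t*@*.gov\tyes\n"
    "FromOrTo:\tdefault\tno\n"
)


def parse_ruleset(text):
    """Return (rules, default, warnings); rules are (direction, pattern, bool)."""
    rules, default, warnings = [], False, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        fields = line.split()                    # tabs or spaces
        if len(fields) != 3 or not fields[0].endswith(":"):
            warnings.append("line %d: expected 'Direction: pattern value'" % lineno)
            continue
        direction, pattern, value = (f.lower() for f in fields)
        direction = direction[:-1]
        if direction not in DIRECTIONS or value not in ("yes", "no"):
            warnings.append("line %d: unknown direction or value" % lineno)
            continue
        if pattern == "default":
            default = value == "yes"             # fallback, wherever it appears
        else:
            rules.append((direction, pattern, value == "yes"))
    return rules, default, warnings


def is_ip_pattern(pattern):
    return bool(IP_RE.match(pattern))


def matches(pattern, address, client_ip):
    """Match one pattern against an address or, for numeric patterns, the IP."""
    if is_ip_pattern(pattern):
        if client_ip is None:
            return False
        if pattern.endswith("."):                # network prefix such as 152.78.
            return client_ip.startswith(pattern)
        return client_ip == pattern              # single host
    address = address.lower()
    if "@" in pattern:                           # glob such as *@*.gov or user@*
        return fnmatch.fnmatchcase(address, pattern)
    return address.rpartition("@")[2] == pattern  # bare domain


def skips_spam_checks(rules, default, sender, recipient, client_ip):
    """Return (whitelisted, deciding rule) for one sender/recipient pair."""
    for direction, pattern, value in rules:
        from_hit = matches(pattern, sender, client_ip)
        to_hit = matches(pattern, recipient, None)
        hit = {"from": from_hit, "to": to_hit,
               "fromorto": from_hit or to_hit,
               "fromandto": from_hit and to_hit}[direction]
        if hit:
            return value, "%s: %s" % (direction, pattern)
    return default, "default"


def address_only_whitelists(rules):
    """List 'yes' rules decided by an address alone rather than a connecting IP."""
    return [(d, p) for d, p, v in rules if v and not is_ip_pattern(p)]
```

`address_only_whitelists` is the audit view: every rule it returns turns spam checking off on the strength of an address string, so those entries deserve the closest review when a ruleset like the ones above is built.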
From nwp at LEMON-COMPUTING.COM Sat Jul 12 06:22:18 2003
From: nwp at LEMON-COMPUTING.COM (Nick Phillips)
Date: Thu Jan 12 21:18:57 2006
Subject: MS Performance
In-Reply-To:
References:
Message-ID: <20030712052218.GF11320@hoiho.nz.lemon-computing.com>

On Fri, Jul 11, 2003 at 09:07:51AM +0200, Raymond Dijkxhoorn wrote:
> No, tests that i did showed sendmail is able to do about the same, but you
> have to tweak sendmail a little for that.

Well if you're going to start tweaking, you should be tweaking exim too :-P

Biased? I suppose I am, yes...

Cheers,
Nick

--
Nick Phillips -- nwp@lemon-computing.com
Caution: Keep out of reach of children.

From nwp at LEMON-COMPUTING.COM Sat Jul 12 06:12:20 2003
From: nwp at LEMON-COMPUTING.COM (Nick Phillips)
Date: Thu Jan 12 21:18:57 2006
Subject: MailScanner not removing virus even though it was found?
In-Reply-To: <3F0E6172.8090709@popso.it>
References: <20030709023925.GA12072@bud.cs.uky.edu> <20030710181244.GB32608@bud.cs.uky.edu> <3F0E6172.8090709@popso.it>
Message-ID: <20030712051220.GD11320@hoiho.nz.lemon-computing.com>

On Fri, Jul 11, 2003 at 09:04:18AM +0200, Giampiero Raschetti wrote:
> I had read the warning line about McAfee but I didn't understand if the
> links
> referred where those where the program reside or those where it was working
> on.
> Anyway now I had changed this in MailScanner.conf
> # Set where to unpack incoming messages before scanning them
> Incoming Work Dir = /home1/spool/MailScanner/incoming

This is the path which was being referred to; search the list archives for details -- I can't remember the exact problem when this was not the 'real' path (was it something like McAfee reporting the entire real path to the file, and confusing MailScanner?...)

> >Since I will be trying to keep my .conf files fairly consistent across
> >domains I would like to change that line to be more forgiving. If anyone
> >is interested drop me a line and maybe we can convince someone to
> >incorporate
> >the change.
What exactly is "the change"?

Cheers,
Nick

--
Nick Phillips -- nwp@lemon-computing.com
Truth will out this morning. (Which may really mess things up.)

From nwp at LEMON-COMPUTING.COM Sat Jul 12 06:18:44 2003
From: nwp at LEMON-COMPUTING.COM (Nick Phillips)
Date: Thu Jan 12 21:18:57 2006
Subject: MS Performance
In-Reply-To: <67D9E7698329D411936E00508B6590B902773A10@neelix.lbsltd.co.uk>
References: <67D9E7698329D411936E00508B6590B902773A10@neelix.lbsltd.co.uk>
Message-ID: <20030712051844.GE11320@hoiho.nz.lemon-computing.com>

On Wed, Jul 09, 2003 at 03:24:31PM +0100, Steve Freegard wrote:
> Obviously 1Gb's probably enough, but what about the machine with 512Mb?? -
> what happens if I end up with a queue full of largeish mails - will it just
> swap like crazy and is there any chance of losing mail by doing this if the
> server runs out of memory??

Messages aren't removed from the incoming queue until they are believed to be safely copied/linked in to the outgoing queue. So, no matter what crashes, you should never lose mail. This of course assumes that we are successful in judging when a mail has been successfully transferred to the outgoing queue :-/

Cheers,
Nick

--
Nick Phillips -- nwp@lemon-computing.com
You will wish you hadn't.

From nwp at LEMON-COMPUTING.COM Sat Jul 12 06:03:16 2003
From: nwp at LEMON-COMPUTING.COM (Nick Phillips)
Date: Thu Jan 12 21:18:57 2006
Subject: One more Exim scanner
In-Reply-To: <5.2.0.9.0.20030710133226.00a7ab30@mail211.pair.com>
References: <5.2.0.9.0.20030710133226.00a7ab30@mail211.pair.com>
Message-ID: <20030712050316.GB11320@hoiho.nz.lemon-computing.com>

On Thu, Jul 10, 2003 at 01:35:41PM -0500, Mike Oliveri wrote:
> Whoops, one more thing for Exim:
>
> The MailScanner startup options in rc.local on FreeBSD refer to the
> MailScanner incoming mail spool as being /var/spool/mqueue.in
>
> Should that actually be the incoming Exim queue at
> /var/spool/exim.in/input/*? Or are these supposed to be two separate queues?
It refers to the spool directory at the same level that the exim config file does -- /var/spool/. The 'input', 'db' and 'msglog' subdirectories are all part of the same spool, and exim does not provide any way to configure weird uses of them at that level. As far as config files are concerned, you should not be looking any deeper than /var/spool/.

Cheers,
Nick

--
Nick Phillips -- nwp@lemon-computing.com
You can rent this space for only $5 a week.

From nwp at LEMON-COMPUTING.COM Sat Jul 12 06:06:08 2003
From: nwp at LEMON-COMPUTING.COM (Nick Phillips)
Date: Thu Jan 12 21:18:57 2006
Subject: MailScanner delivering SPAM messages
In-Reply-To:
References:
Message-ID: <20030712050608.GC11320@hoiho.nz.lemon-computing.com>

On Thu, Jul 10, 2003 at 09:40:53AM -0700, Damian Mendoza wrote:
> Hi,
>
> I'm starting to see messages that are marked as SPAM being delivered by MailScanner - (version 4.12-2.) This only happens occasionally - The majority of SPAM messages are not delivered, just deleted which is defined in spam.actions.rules file.
>
> Any ideas?

This would usually happen when the message has multiple recipients, at least one of which is configured to have spam delivered. Since mailscanner does as little as possible to the messages themselves, they must either be delivered to all recipients or to none -- so in this case they would be delivered to all.

If that's not what's happening here, *shrug*...

Cheers,
Nick

--
Nick Phillips -- nwp@lemon-computing.com
It may or may not be worthwhile, but it still has to be done.
From chris at FRACTALWEB.COM Mon Jul 14 22:58:49 2003
From: chris at FRACTALWEB.COM (Chris Yuzik)
Date: Thu Jan 12 21:18:57 2006
Subject: strange glitch results in lost mail
References: <002001c34a49$7f7f67f0$6501a8c0@pandora> <20030714160220.A64716@mikea.ath.cx>
Message-ID: <001e01c34a53$1b857d20$6501a8c0@pandora>

I've set up the whitelist rules to include *@fractalweb.com and my other domains that are hosted on the server, and specified the complete path to the whitelist file in MailScanner.conf.

I then stopped sendmail and started the Mailscanner service.

I then sent a test email from cyuzik@fractalweb.com to chris@fractalweb.com; the message never did arrive. Here are (what I believe to be) the relevant portions of the maillog file.

Jul 14 14:29:00 ns1 sendmail[23636]: h6ELSxo23636: to=, delay=00:00:00, mailer=virthostmail, pri=141805, stat=queued
Jul 14 14:29:02 ns1 MailScanner[23606]: New Batch: Scanning 1 messages, 4376 bytes
Jul 14 14:29:03 ns1 MailScanner[23606]: Spam Checks: Starting
Jul 14 14:29:03 ns1 MailScanner[23606]: Virus and Content Scanning: Starting
Jul 14 14:29:03 ns1 MailScanner[23606]: Uninfected: Delivered 1 messages
Jul 14 14:29:03 ns1 virthostmail[23646]: Chrooting to /home/virtual/site2/fst
Jul 14 14:29:03 ns1 sendmail[23644]: h6ELSxo23636: to=, delay=00:00:03, xdelay=00:00:00, mailer=virthostmail, pri=231805, relay=fractalweb.com, dsn=2.0.0, stat=Sent (h6ELT3m23648 Message accepted for delivery)
Jul 14 14:29:03 ns1 sendmail[23649]: h6ELT3m23648: to=, delay=00:00:00, xdelay=00:00:00, mailer=local, pri=139143, dsn=2.0.0, stat=Sent

There is nothing in /var/spool/mail.

HOWEVER...(and now we're getting somewhere)...there are a ton of files sitting in /home/virtual/fractalweb.com. According to the dates and times of these oddly named files, this looks like it could be the lost mail. It looks like the mail is being delivered to the wrong directory. AHA!!!

In fact, each of my virtual directories has a bunch of these suspicious looking mail files.
So, it looks like sendmail or procmail or whatever program is transferring the messages to the right mailbox isn't getting it quite right. Instead of putting my mail into /home/virtual/fractalweb.com, it should be putting it into "/home/virtual/fractalweb.com/var/spool/mail/mqueue", right? Or am I wrong here?

My thoughts are now this: all I need to do is figure out what file is doing the job of xferring the messages, find its configuration file, and tweak something. I don't know where to start though, so I need help. Help! :-)

ps - this is more fun than most games...kinda reminds me of the old Zork games.

From jscott at INFOCONEX.COM Mon Jul 14 23:57:59 2003
From: jscott at INFOCONEX.COM (Jim Scott)
Date: Thu Jan 12 21:18:57 2006
Subject: OT: Zipping all email attachments
Message-ID: <02a401c34a5b$62e52690$1302a8c0@jimplat>

Not sure this is a topic for the MailScanner list.

We would like to zip all incoming email attachments over a certain size or possibly just everything that comes in as an attachment place in a zip file.

Can anyone give me some direction to accomplishing this.

Thanks
Jim

From mike at CAMAROSS.NET Tue Jul 15 01:24:38 2003
From: mike at CAMAROSS.NET (Mike Kercher)
Date: Thu Jan 12 21:18:57 2006
Subject: tar.gz upgrade question
In-Reply-To: <000001c34a51$c39abbd0$0200a8c0@penguin>
Message-ID: <004e01c34a67$7aa7f3a0$9c01a8c0@home.middlefinger.net>

You may need to adjust paths because I use the rpm distro.

[root@genesis rules]# cat /usr/sbin/upgrade_MailScanner_conf
#!/usr/bin/perl
#
# MailScanner - SMTP E-Mail Virus Scanner
# Copyright (C) 2002 Julian Field
#
# $Id: upgrade_MailScanner_conf,v 1.1.2.5 2003/03/10 19:42:37 jkf Exp $
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
#
# The author, Julian Field, can be contacted by email at
# Jules@JulianField.net
# or by paper mail at
# Julian Field
# Dept of Electronics & Computer Science
# University of Southampton
# Southampton
# SO17 1BJ
# United Kingdom
#
#
# This script will output the contents of a new MailScanner.conf file based
# on an old MailScanner.conf file and a default copy of the new file.
# It is designed for upgrading MailScanner.conf files from one release of
# version 4 to another release of version 4. It will not help with the upgrade
# from version 3 or earlier to version 4, you still have to do that by hand.
#

use FileHandle;
use strict;

sub Usage {
  print STDERR < MailScanner.new
    mv MailScanner.conf MailScanner.old
    mv MailScanner.new MailScanner.conf

If you are using the tar distribution so that the old version is in
/opt/MailScanner and the new one is in /opt/MailScanner.new then:
    cd /opt/MailScanner.new/etc
    ../bin/upgrade_MailScanner_conf /opt/MailScanner/etc/MailScanner.conf /opt/MailScanner.new/etc/MailScanner.conf > MailScanner.new
    mv MailScanner.conf MailScanner.old
    mv MailScanner.new MailScanner.conf
EOU
  exit 1;
}

sub Afterwards {
  print STDERR "\nOnce you have checked that MailScanner.new contains what\n";
  print STDERR "you want, you can then save your old one and move the new\n";
  print STDERR "one into place, using commands like these:\n";
  print STDERR " mv -f MailScanner.conf MailScanner.old\n";
  print STDERR " mv -f MailScanner.new MailScanner.conf\n";
}

my $oldfname = shift;
my $newfname = shift;

Usage() unless $oldfname && $newfname && -f $oldfname && -f $newfname;

# Read in the old file to get all their current settings
my $oldfh = new FileHandle;
$oldfh->open($oldfname)
  or die "Cannot read old MailScanner.conf file $oldfname, $!";

my($key, $value, $origkey, $origline, %oldsettings, $ReadOldValue, %oldkeys);
my(%oldcomments, $comments);
$ReadOldValue = 0;
$comments = "";
while(<$oldfh>) {
  chomp;
  $origline = $_;
  s/#.*$//;
  s/^\s+//;
  s/\s+$//;
  ($comments .= "$origline\n"),next if /^$/;

  undef $origkey;
  undef $key;
  undef $value;
  /^(.*?)\s*=/; # \s*(.*)$/;
  $origkey = $1;
  $origline =~ /=\s*(.*)$/;
  $value = $1;
  $key = lc($origkey);
  $key =~ s/[^a-z0-9]//g; # Leave numbers and letters only

  $oldsettings{$key} = $value;
  $oldkeys{$key} = $origkey;
  $oldcomments{$key} = $comments;
  $comments = "";
  $ReadOldValue++;
}
$oldfh->close();

# Read in the new file to get all the default settings and new key names
my $newfh = new FileHandle;
$newfh->open($newfname)
  or die "Cannot read new default MailScanner.conf file $newfname, $!";

my($defaultvalue, $UsedOldValue,
   $UsedDefaultValue);
$UsedOldValue = 0;
$UsedDefaultValue = 0;
$comments = "";
while(<$newfh>) {
  chomp;
  $origline = $_;
  s/#.*$//;
  s/^\s+//;
  s/\s+$//;
  ($comments .= "$origline\n"),next if /^$/;

  undef $origkey;
  undef $key;
  undef $defaultvalue;
  /^(.*?)\s*=/; # \s*(.*)$/;
  $origkey = $1;
  /=\s*(.*)$/;
  $defaultvalue = $1;
  $key = lc($origkey);
  $key =~ s/[^a-z0-9]//g; # Leave numbers and letters only

  if (exists $oldsettings{$key}) {
    # They previously had a setting for this parameter
    print $oldcomments{$key};
    print "$origkey = $oldsettings{$key}\n";
    delete $oldsettings{$key};
    $comments = "";
    $UsedOldValue++;
  } else {
    # they are using the new default value for this parameter
    print $comments;
    print "$origline\n";
    print STDERR "Added new: $origline\n";
    sleep(2);
    $comments = "";
    $UsedDefaultValue++;
  }
}
$newfh->close();

while (($key, $value) = each %oldsettings) {
  print STDERR "Removed old: $oldkeys{$key} = $value\n";
  sleep(2);
}

print STDERR < MailScanner.conf.new
then you should do
    diff MailScanner.conf.rpmnew MailScanner.conf.new
and check for any differences in values you have not changed yourself.

EOL

sleep(5);

Afterwards();

exit 0;

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of penguin
Sent: Monday, July 14, 2003 4:49 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: tar.gz upgrade question

Hiya,

Has anyone seen an upgrade script for the tar.gz installation of MailScanner? I have Gentoo and I don't use the RPM of MailScanner, so I was wondering if someone had developed or considered developing a nice .sh script that would perform the updates required in an RPM-like fashion. If not, I'm willing to give it a go and/or work with someone in making a script that does that.

A. Eijkhoudt

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
From melilela at TIME.NET.MY Tue Jul 15 02:49:41 2003
From: melilela at TIME.NET.MY (Ramli Mohd)
Date: Thu Jan 12 21:18:57 2006
Subject: Need Some Help
In-Reply-To: <004e01c34a67$7aa7f3a0$9c01a8c0@home.middlefinger.net>
Message-ID:

I already upgraded from MailScanner 4.13 to MailScanner 4.22-5

I got this in the log file

Jul 15 09:45:32 pop MailScanner[4479]: Looked up unknown string spamassassin in language translation file /etc/MailScanner/reports/en/languages.conf

What does it mean? How do I solve this problem?

Thank You

From mike at CAMAROSS.NET Tue Jul 15 03:04:48 2003
From: mike at CAMAROSS.NET (Mike Kercher)
Date: Thu Jan 12 21:18:57 2006
Subject: Need Some Help
In-Reply-To:
Message-ID: <006a01c34a75$78dcc830$9c01a8c0@home.middlefinger.net>

You probably didn't rename /etc/MailScanner/reports/en/languages.conf.rpmnew to /etc/MailScanner/reports/en/languages.conf

Mike

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Ramli Mohd
Sent: Monday, July 14, 2003 8:50 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Need Some Help

I already upgraded from MailScanner 4.13 to MailScanner 4.22-5

I got this in the log file

Jul 15 09:45:32 pop MailScanner[4479]: Looked up unknown string spamassassin in language translation file /etc/MailScanner/reports/en/languages.conf

What does it mean? How do I solve this problem?
Thank You

From mikea at MIKEA.ATH.CX Tue Jul 15 03:11:59 2003
From: mikea at MIKEA.ATH.CX (mikea)
Date: Thu Jan 12 21:18:57 2006
Subject: Need Some Help
In-Reply-To: <006a01c34a75$78dcc830$9c01a8c0@home.middlefinger.net>; from mike@CAMAROSS.NET on Mon, Jul 14, 2003 at 09:04:48PM -0500
References: <006a01c34a75$78dcc830$9c01a8c0@home.middlefinger.net>
Message-ID: <20030714211159.A66087@mikea.ath.cx>

On Mon, Jul 14, 2003 at 09:04:48PM -0500, Mike Kercher wrote:
> You probably didn't rename /etc/MailScanner/reports/en/languages.conf.rpmnew
> to /etc/MailScanner/reports/en/languages.conf

I got it, too -- on a FreeBSD box, building MailScanner from a tar.gz distribution. That doesn't provide a .rpmnew file to rename, and does provide languages.conf.

--
Mike Andrews mikea@mikea.ath.cx
Tired old sysadmin since 1964

From mike at CAMAROSS.NET Tue Jul 15 03:50:08 2003
From: mike at CAMAROSS.NET (Mike Kercher)
Date: Thu Jan 12 21:18:57 2006
Subject: Need Some Help
In-Reply-To: <20030714211159.A66087@mikea.ath.cx>
Message-ID: <006b01c34a7b$ce3cf4c0$9c01a8c0@home.middlefinger.net>

Here's mine:

cat /etc/MailScanner/reports/en/languages.conf
#
# This file contains all the word, phrases and sentences that are output
# to a user by MailScanner. They are all here so that you can translate
# them into your language.
# You should only edit what is on the right of each "=".
# If you set the "Language Strings" option in MailScanner.conf to be a
# ruleset (or even a function!) then you can output responses in different
# languages to different users and customers.
#

# Used in spam header
Blacklisted = blacklisted
Whitelisted = whitelisted
NotSpam = not spam
Spam = spam

# used when creating VirusWarning.txt
TheEntireMessage = the entire message
NotNamed = not named

# used for sysadmin notifications
NoticeSubject = Warning: E-mail viruses detected
FullHeadersAre = Full headers are

# used for delivering truly disinfected attachments
Disinfected = Disinfected

# used for virus report in unparsable messages
CantAnalyze = Could not analyze message

# used for virus report in unparsable TNEF messages
BadTNEF = Could not parse Outlook Rich Text attachment

# used for creating sysadmin notifications
NoticeHeading = The following e-mail messages were found to have viruses in them

# used when SpamAssassin has timed out too often
SADisabled = Disabled due to %d consecutive timeouts

# used when message size exceeds configured SpamAssassin max message size
SATooLarge = Message larger than max testing size

# used when trying to use SpamAssassin on a bad message with no headers
SANoHeaders = Message had no headers

# used when creating SpamAssassin results header
score = score
required = required
SATimedOut = timed out

# used when creating reports for messages with dangerous content
PartialMessage = Fragmented messages cannot be scanned and are removed
FoundIFrame = Found dangerous IFrame tag in HTML message
FoundObject = Found dangerous Object Codebase tag in HTML message
ExternalBody = External message bodies cannot be scanned and are removed
EudoraLongMIME = Eudora long-MIME-boundary attack

# used when detecting denial-of-service attacks
DOSAttack = Denial of Service attack in message!

# used when detecting+blocking (un)encrypted messages
encrypted = Message was encrypted
unencrypted = Message was not encrypted

# used in spam reports
SpamAssassin = SpamAssassin

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of mikea
Sent: Monday, July 14, 2003 9:12 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Need Some Help

On Mon, Jul 14, 2003 at 09:04:48PM -0500, Mike Kercher wrote:
> You probably didn't rename
> /etc/MailScanner/reports/en/languages.conf.rpmnew
> to /etc/MailScanner/reports/en/languages.conf

I got it, too -- on a FreeBSD box, building MailScanner from a tar.gz distribution. That doesn't provide a .rpmnew file to rename, and does provide languages.conf.

--
Mike Andrews mikea@mikea.ath.cx
Tired old sysadmin since 1964

From chris at FRACTALWEB.COM Tue Jul 15 04:14:56 2003
From: chris at FRACTALWEB.COM (Chris Yuzik)
Date: Thu Jan 12 21:18:57 2006
Subject: outbound mail gets stuck when MailScanner running
Message-ID: <001201c34a7f$44bc77d0$6501a8c0@pandora>

I've done extensive testing and now understand what's going on...but I don't know how to fix it.

When MailScanner is running, all mail sent from any of the user accounts (on my virtual domains), will get stuck on the server. In fact, it doesn't even go into a queue directory anywhere. Each time a message is sent, it just sits in the root of the virtual directory from which it came from.

When MailScanner is running, each time I attempt to send a message I get two new files in /home/virtual/fractalweb.com (which would be the root directory for the virtual domain when it's chrooted). One file always starts with a "d" and the other a "q"; the rest of the file name is the same. My last test generated these:

-rw------- 1 root root 3 Jul 14 19:54 dfh6F2sot32240
-rw------- 1 root root 1040 Jul 14 19:54 qfh6F2sot32240

If I copy these files to (the real) /var/spool/mqueue and type "sendmail -q" then they're actually sent out.
Otherwise, they just sit there and collect dust.

Incoming mail from the outside (my server) world works great.

My guess is there is some sort of config file somewhere that needs a good tweak. Problem is...I'm stuck again and I need help. "Help please." :-)

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030714/425322a9/attachment.html

From yusri at TM.NET.MY Tue Jul 15 06:27:35 2003
From: yusri at TM.NET.MY (Yusri Mahadi)
Date: Thu Jan 12 21:18:57 2006
Subject: mailscanner didn't pickup mail in /var/spool/mqueue.in
Message-ID:

Hi,

Here are some config in MailScanner.conf

Incoming Queue Dir = /var/spool/mqueue.in

# Set location of outgoing mail queue.
# This can also be the filename of a ruleset.
Outgoing Queue Dir = /var/spool/mqueue

# Set where to unpack incoming messages before scanning them
Incoming Work Dir = /var/spool/MailScanner/incoming

# Set where to store infected and message attachments (if they are kept)
# This can also be the filename of a ruleset.
Quarantine Dir = /var/spool/MailScanner/quarantine

On Mon, 14 Jul 2003 09:40:31 +0100, Antony Stone wrote:

>On Monday 14 July 2003 9:25 am, Mohd Yusri Mahadi wrote:
>
>> Hi,
>>
>> I've installed MailScanner-4.21-9 with sendmail. But seem that mailscanner
>> didn't pick-up email from /var/spool/mqueue.in.
>
>What do you have "Incoming Queue Dir" set to in MailScanner.conf?
>
>Antony.
>
>--
>
>If at first you don't succeed, destroy all the evidence that you tried.

From danieltan at shopnsave.com.sg Tue Jul 15 08:11:45 2003
From: danieltan at shopnsave.com.sg (Daniel Tan)
Date: Thu Jan 12 21:18:57 2006
Subject: outbound mail gets stuck when MailScanner running
References: <001201c34a7f$44bc77d0$6501a8c0@pandora>
Message-ID: <005d01c34aa0$5f5f26c0$3900a8c0@Daniel>

I am not an expert but I think you can try not switching on mailscanner and try only with sendmail....

service MailScanner off
service sendmail off (just to make sure)
service sendmail on

try sending mails again with mailscanner...see if it gets through....if yes, switch on mailscanner and then check the log file..very helpful...

----- Original Message -----
From: Chris Yuzik
To: MAILSCANNER@JISCMAIL.AC.UK
Sent: Tuesday, July 15, 2003 11:14 AM
Subject: outbound mail gets stuck when MailScanner running

I've done extensive testing and now understand what's going on...but I don't know how to fix it.

When MailScanner is running, all mail sent from any of the user accounts (on my virtual domains), will get stuck on the server. In fact, it doesn't even go into a queue directory anywhere. Each time a message is sent, it just sits in the root of the virtual directory from which it came from.

When MailScanner is running, each time I attempt to send a message I get two new files in /home/virtual/fractalweb.com (which would be the root directory for the virtual domain when it's chrooted). One file always starts with a "d" and the other a "q"; the rest of the file name is the same. My last test generated these:

-rw------- 1 root root 3 Jul 14 19:54 dfh6F2sot32240
-rw------- 1 root root 1040 Jul 14 19:54 qfh6F2sot32240

If I copy these files to (the real) /var/spool/mqueue and type "sendmail -q" then they're actually sent out. Otherwise, they just sit there and collect dust.

Incoming mail from the outside (my server) world works great.

My guess is there is some sort of config file somewhere that needs a good tweak. Problem is...I'm stuck again and I need help. "Help please." :-)

--
This message has been scanned for viruses and dangerous content by Email Virus Scanner, and is believed to be clean.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030715/724d3a91/attachment.html

From penguin at DHCP.NET Tue Jul 15 08:12:22 2003
From: penguin at DHCP.NET (penguin)
Date: Thu Jan 12 21:18:57 2006
Subject: tar.gz upgrade question
In-Reply-To: <004e01c34a67$7aa7f3a0$9c01a8c0@home.middlefinger.net>
Message-ID: <000401c34aa0$72e26bd0$0200a8c0@penguin>

Hello Mike,

Thanks for the script, but this isn't quite what I meant. I'm more curious about an all-in-one script that will perform -all- updates for MailScanner, including replacing the changed binaries and replacing/merging/renaming the .conf files where necessary. Right now, I have to unpack the tar.gz and manually copy the files over. An 'UPGRADING' file in the tarball provided by Julian will help with this or with developing an installer/upgrader script.

--
Arnim

> -----Original Message-----
> From: MailScanner mailing list
> [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Mike Kercher
> Sent: Tuesday, 15 July, 2003 02:25
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: tar.gz upgrade question
>
>
> You may need to adjust paths because I use the rpm distro.
>
> [root@genesis rules]# cat /usr/sbin/upgrade_MailScanner_conf
> #!/usr/bin/perl

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

From tony.johansson at SVENSKAKYRKAN.SE Tue Jul 15 08:20:29 2003
From: tony.johansson at SVENSKAKYRKAN.SE (Tony Johansson)
Date: Thu Jan 12 21:18:57 2006
Subject: MS Performance
Message-ID:

On Mon, 14 Jul 2003 09:30:11 -0700, Ken Anderson wrote:

>A possible bottleneck is syslog, since both sendmail & MS are very busy
>adding log entries to the maillog, though I haven't done any testing to
>see if this is really a problem.
>

Have you tried turning off fsync on the maillogs?
>From "Sendmail performance tuning" by Nick Christenson (highly recommended): "On Linux systems, by default the syslog daemon will fsync() its log files after each entry is written to them. On a busy email server, this operation can cause a measurable slowdown. In most organizations, email server logs aren't so critical. This behaviour can be switched off by preceding the appropriate entry in the /etc/syslog.conf file with "-": mail.* -/var/adm/mail " regards, Tony From P.G.M.Peters at utwente.nl Tue Jul 15 09:10:10 2003 From: P.G.M.Peters at utwente.nl (Peter Peters) Date: Thu Jan 12 21:18:57 2006 Subject: MS Performance In-Reply-To: <3F12DA93.4060804@pacific.net> References: <3F12DA93.4060804@pacific.net> Message-ID: On Mon, 14 Jul 2003 09:30:11 -0700, you wrote: >We relay about 500k emails a day through 2 MS machines running redhat & >sendmail. Both machines are dual Xeon/1gb RAM/SCSI, RAID1 >About 45% of the total incoming mail is spam, half of which is deleted. We relay about 200k a day through 2 machines running MS, f-prot and SA. One system is a Celeron 1.3G. The other one is a dual Xeon 2.4G. Both have 1G RAM. The second server also does nameserving, radius and dhcp. The load allmost never reaches 1. We have 1/3 spam which all are delivered to the intended recipient. >With the exception of the following, it's a default rpm install: >Max Children = 15 Kept it at 5 >Log Spam = yes (since we need the logs for stats.) >MS Spam Action is "attachment, deliver". Just deliver. >If one rbl goes down or is slow, we found that we very quickly had a >backlog of 20k messages, so we've turned off rbl checks in SA. Adjusting >the timeouts for rbl checks may be a better solution. We have disabled rbl's in SA but we have a total of 17 RBL's in MS. >The load average when the machines are sharing the mail load is usually >about 3-4, rising to about 10-15 when one machine handles the full load >by itself. 
Everything seems to fit into memory, there is no swapping to >disk, and the average delay for a message being relayed is < 1 minute. A message that is checked for all RBL's and is spam according to SA and one RBL is through in 13 seconds. >Another bottleneck is the way 'user unknowns' are handled. Currently, >because mail is relayed through the MS boxes, the MS boxes don't know if >the user exists at the domain or not. So MS spends time scanning mail >that is destined for a user that doesn't exist. Next Sendmail tries to >deliver it and it is rejected by the destination mailserver. Then >sendmail tries to bounce it back to an address that usually doesn't >exist, or a mailserver that is not accepting connections or can't be >resolved. Using re-mqueue to re-queue outgoing mail is helpful with this >problem. We have all excisting users (with a few exeptions) in the virtusertable on the mailservers. It keeps the number of message a bit down (4000 a day). We also block a number of sites, addresses etc before it reaches MS. Appr. 2500 attempts a day. These figures are from today, extrapolated for 24 hours. You should also take in consideration that it's holiday overhere so the numbers are a bit off. -- Peter Peters, senior netwerkbeheerder Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE) Universiteit Twente, Postbus 217, 7500 AE Enschede telefoon: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/civ From Kevin.Spicer at BMRB.CO.UK Tue Jul 15 09:12:37 2003 From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin) Date: Thu Jan 12 21:18:57 2006 Subject: outbound mail gets stuck when MailScanner running Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0A4ADCE@pascal.priv.bmrb.co.uk> If you're working in a chroot environment and send a mail, using the 'mail' command, mail starts a sendmail process, but that sendmail is within the chroot itself and so can't see the real system mailqueue (or its configuration?). Is that your problem? 
You could try using pine (or similar) configured to send mail to localhost:25 rather than invoking sendmail directly. You could even hijack the mail command in the chroot environment and replace it with smtpclient ( http://www.engelschall.com/sw/smtpclient/)

-----Original Message-----
From: Chris Yuzik [mailto:chris@FRACTALWEB.COM]
Sent: 15 July 2003 04:15
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: outbound mail gets stuck when MailScanner running

I've done extensive testing and now understand what's going on...but I don't know how to fix it.

When MailScanner is running, all mail sent from any of the user accounts (on my virtual domains), will get stuck on the server. In fact, it doesn't even go into a queue directory anywhere. Each time a message is sent, it just sits in the root of the virtual directory from which it came from.

When MailScanner is running, each time I attempt to send a message I get two new files in /home/virtual/fractalweb.com (which would be the root directory for the virtual domain when it's chrooted). One file always starts with a "d" and the other a "q"; the rest of the file name is the same. My last test generated these:

-rw------- 1 root root 3 Jul 14 19:54 dfh6F2sot32240
-rw------- 1 root root 1040 Jul 14 19:54 qfh6F2sot32240

If I copy these files to (the real) /var/spool/mqueue and type "sendmail -q" then they're actually sent out. Otherwise, they just sit there and collect dust.

Incoming mail from the outside (my server) world works great. My guess is there is some sort of config file somewhere that needs a good tweak. Problem is...I'm stuck again and I need help. "Help please." :-)

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000
_________________________________________________________________
This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately.
Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030715/44ed52b4/attachment.html

From Kevin.Spicer at BMRB.CO.UK Tue Jul 15 09:17:50 2003
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin)
Date: Thu Jan 12 21:18:57 2006
Subject: outbound mail gets stuck when MailScanner running
Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0EBF730@pascal.priv.bmrb.co.uk>

Replying to myself! Having now read other messages in the thread (maillog entries) I now realise I'm talking ****, please ignore me!

-----Original Message-----
From: Spicer, Kevin
Sent: 15 July 2003 09:13
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: outbound mail gets stuck when MailScanner running

If you're working in a chroot environment and send a mail, using the 'mail' command, mail starts a sendmail process, but that sendmail is within the chroot itself and so can't see the real system mailqueue (or its configuration?). Is that your problem? You could try using pine (or similar) configured to send mail to localhost:25 rather than invoking sendmail directly. You could even hijack the mail command in the chroot environment and replace it with smtpclient ( http://www.engelschall.com/sw/smtpclient/)

-----Original Message-----
From: Chris Yuzik [mailto:chris@FRACTALWEB.COM]
Sent: 15 July 2003 04:15
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: outbound mail gets stuck when MailScanner running

I've done extensive testing and now understand what's going on...but I don't know how to fix it.

When MailScanner is running, all mail sent from any of the user accounts (on my virtual domains), will get stuck on the server. In fact, it doesn't even go into a queue directory anywhere.
Each time a message is sent, it just sits in the root of the virtual directory from which it came from.

When MailScanner is running, each time I attempt to send a message I get two new files in /home/virtual/fractalweb.com (which would be the root directory for the virtual domain when it's chrooted). One file always starts with a "d" and the other a "q"; the rest of the file name is the same. My last test generated these:

-rw------- 1 root root 3 Jul 14 19:54 dfh6F2sot32240
-rw------- 1 root root 1040 Jul 14 19:54 qfh6F2sot32240

If I copy these files to (the real) /var/spool/mqueue and type "sendmail -q" then they're actually sent out. Otherwise, they just sit there and collect dust.

Incoming mail from the outside (my server) world works great. My guess is there is some sort of config file somewhere that needs a good tweak. Problem is...I'm stuck again and I need help. "Help please." :-)

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030715/5da376df/attachment.html

From kfliong at WOFS.COM Tue Jul 15 10:46:28 2003
From: kfliong at WOFS.COM (kfliong)
Date: Thu Jan 12 21:18:57 2006
Subject: emails with No Message Collected
In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB0A4ADCB@pascal.priv.bmrb.co .uk>
Message-ID: <5.2.1.1.0.20030715174610.026b7e70@192.168.10.2>

<<< No Message Collected >>>

From mailscanner at jiscmail.ac.uk Tue Jul 15 13:30:16 2003
From: mailscanner at jiscmail.ac.uk (mailscanner)
Date: Thu Jan 12 21:18:57 2006
Subject: {Virus?} A very funny website
Message-ID:

Warning: This message has had one or more attachments removed
Warning: (demo.scr, msg-926457-59.html).
Warning: Please read the "VirusWarning.txt" attachment(s) for more information.

-------------- next part --------------
This is a message from the MailScanner E-Mail Virus Protection Service
----------------------------------------------------------------------
The original e-mail attachment "msg-926457-59.html" was believed to be infected by a virus and has been replaced by this warning message.

If you wish to receive a copy of the *infected* attachment, please e-mail helpdesk and include the whole of this message in your request. Alternatively, you can call them, with the contents of this message to hand when you call.

At Tue Jul 15 08:30:56 2003 the virus scanner said:
Found dangerous IFrame tag in HTML message

Note to Help Desk: Look on the MailScanner in /d/MailScanner/quarantine/20030715 (message 19cOwh-003x6q-00).
--
Postmaster
Mailscanner thanks transtec Computers for their support
-------------- next part --------------
This is a message from the MailScanner E-Mail Virus Protection Service
----------------------------------------------------------------------
The original e-mail attachment "demo.scr" was believed to be infected by a virus and has been replaced by this warning message.

If you wish to receive a copy of the *infected* attachment, please e-mail helpdesk and include the whole of this message in your request. Alternatively, you can call them, with the contents of this message to hand when you call.

At Tue Jul 15 08:30:56 2003 the virus scanner said:
>>> Virus 'W32/Klez-H' found in file demo.scr
Windows Screensavers are often used to hide viruses (demo.scr)

Note to Help Desk: Look on the MailScanner in /d/MailScanner/quarantine/20030715 (message 19cOwh-003x6q-00).
--
Postmaster
Mailscanner thanks transtec Computers for their support
-------------- next part --------------
Content-Type: application/octet-stream; name=notifiers[1].jpg
Content-Transfer-Encoding: base64
JwyqHmmu1+VXyqVpp8ytbZXNas6Hv7ZgCh0q4V7H9JA2uPafRRNd8azJ10Dd8qAAAAAAClDc +dYte3zHDFdb3FXe6c0sD0c4AJF9rCq+WRHyWnCTKIBaDsasWkKrlaAhTQAAi8u62Q0cBx7M kp9Kj9PfFuAAsyAAAAAABA570bmuP1HMCUoz32jN4x2eXTJtlh95CkeLSZ6mm80Tccoc4a8Y u+VbNjBXxsswvYWZQDvAIjumg7I13G1k527lDoZCm5rDX6oGe2FH51uBKIAAAABz6/czz+pG s9X6jVqkAbfBAASMkVenLz0p3EhGohgbvKlnxaIyVvK/a7S7bT8C/AKG6fkqZC6Gk1eZXJre dPGznRpOL3tFctEGM8ILmPHrAC2oAAAABVQr1VsPpZ2dDYO0tQNuMAFyuyxIXpPLPhydcykb aerIr0lBAxkZxui63eVsZYFuM898IMOZP7Wq9aL3WAHJitophPCajd8lNAsqAAAAEsZbq02U 5dOVzrdosrANFAHh6AHhRrIbFkg9DFGz3k4MLRQGODdY8IMvDc510TfHl4KFMHcNRvloYOKg wLSBdn5TWJCo6tTOzfP3O92mVK294JXSpPzVrheNt2TFa/P1+meIfUpts+BP15gIvYxEzRh8 /bIyr7v14J0TSH7nlrN+i8wuTa8Fkq8oknHTRcZ1Od+J6lehsJ/gy2t6i79XsbWSN3Ins9XV 21b0DqTn8C0sOd01C/RuJTGmWbvJseQHPJDrbgR0DNnK3SlawMWx09pNl252NcsddvoiPObX /wCatr1q5Z1b6OlZFZQfX8pDtZQdEfdUiwVW1WJ0anRkptFdsvn3SfE234O/Lfhl9pKNJia9 b2VI1T4Wmj3jg452Pj9XUlt5h086cAAB4mdRuEuS1l5ezVh75i0SFTOBRdcIZM+o8bmG9gfM +oo6ChXejiuaGyVz6Dy9KpzC05rt7zLPPss6TRUst1ysseqZtF+reLLFCw1zXE9eOWGMnfDD Ypmx77d6lbcvTn3Qec1d5R3PhndizgEDLDA36I8KPdep2m8/TNg4bvK3RtZry6b3H0zfrfAT zqm4+Y0yNtduno156dx7VFK8uqPZjR6mKy6vRatO/wAf1aa22sOy0WRY57TVF9ypuaPuDSH7 0dO3GMO7NCm4ZnJ7lzaCo9w586OqGraEaSCyC82iqDYyuVDwv5i089k3k6SxrGaqaFOt5XfQ HdkHADVkADVAaAgzn6Ku6Zc5TEy2rmNvCDOJK/5YSzlc9sQAFfU82WBXbEEeQAAAAAAAAAAA AAAAAAAARFs2j0WXdXgmrk/lKLforAJxAAAAAAAAAA//2gAIAQIAAQUA4WLTQF7+r/EN/rMT Ex5CEgY42wTM7YIidcMVna/2Tco1TwvetI98fShaX8tqxaJNYIbB0fQmx8hfwMP3BfRLRJMQ vLZEWiMS0UzVCLU8Dx1vA44Ovpt5XRxapfdgGTWw1fGZjnXzXHW/JXnrQVa+ZqJ6zyq9Zr7J K8mT1iCX6RP7+7FuevpyJiY8CqWlcKvqBE9YmenIt+/katHpWrW1vAlukcglo5W9o5F5tI7d J5PXlLEKvWlxLV6+m/8AMT1nyM/91o/38L09U+1HPZp19qscqP8AeBT18K2tXk2mfC/8R0m3 ja8V41HQi1f28RCsSw1BV5YAp4dSRRWxpqNsdy1ZrNae+Q3qLQ3hERHh6fVxh8wyAZYmx7Te adPRa0VgmmRkibomqLxFRMHvFhDPMdOsN3GtBd+sFzbDIBk8BGs5U8Wr6Z8kodbUToOjGh1s k4EtWY6i7jDI9Cwq0ZFbrSto6kapTgSSed5P3VJXit8RX44iJyVuV6Sc38+Sf4bLUlbkGPhb xWf5hwgwmCca4lrdYmsXrCV5mrdq3+SwS2iD3KplqTkf68mI9Zv2nyXiZrVG8WaF6LiiPX1g 
g/o7EHycsIaxMxI2o58sUcgEeq1ZiB1mOJr3VdiZiZ6Twl/XfylFUtJyx8jLF0hYUBEiAfAI hDfxIT0yblbRaImYn3y8kxJ/wDxPLUvFR1iI8/8A/9oACAEDAAEFAOUmIsWlfT/iC/2iY6T5 LdentF57ReegvX279Ires+C6pmLfSnfcZQYW8tZms3pF7RZfhaei/heZiPkX5VieQa8T8i3X 1+u3hkkgatnL9HTe4DyqdbzFessxMk8YrMx6Z6eVdsq8114mjLxjx5c32/QmGb8se0W92k8i A2mi1OXp+3xbDn48Xi1ZrPIiZkDVKNOs1EzMTExEzya/t5MWlrNbBIFXwVH6rcIW3qsxe0r3 m3GR+qnKenq40NJoel8nStMTan8RHSvkzj+xLNptHgFj26w5bratJ56aTys0DSW4mPAoBF5Q Q6eA/wCZiYr41rNpB+1WLdZ8SEqOCNltyrBK8G370ft42oGgJGKQ+E2mfAfT1UUpNWLLAkUx 1t19UR15FIrFqzXjN5sQAa+liQzyszEjt6qdeTysdZmvTx6T41uWCsUghALdKsrkpNP+wZ60 69anjoWbWtwat7cJEBste1+RHXlv4i3SvX9o8scDWazSl78FWZ5/EiOGtD2qS7gpngiei3y6 dLJ0nkBDSkx6bWjw/wDSPLExEyevRcnqref9ZrNbWj00P662mOvCKdZ+ITrJZmLWpPJnryfG PNS80tDt+S7fkHJBS6BycO+Y1PGI5E+PSOdI/wAAUVma1pNrftPn/9oACAEBAAEFAPHuhpxd LD3yBRzm5cT/AOH1sa+hJ8+6nO3bzZH9IrSwOW38Ks/cOBz7hwOfcOBz7hwOfcOBz7hwOfcO Bz7iwOfcXb/BbWOea3peP8F5ILq/brllz/oTPTmjsncLuZlIzXylWahx6OQ+/HPqD/PqL/Pq D/JdfngvqzAzC1RDmXJ4BejEehjOLh7Y9QP+DsqyDSzHIdT8/czcq5Ob6edxez9CoATHc/07 MJJM/MqMqWUI9srNirSSUa1slMQJXSDaF0jVfz0AqZtawrp+jmW9ZHd8Gml019H8kNkJnfkZ 8ZNX8iOlIr373EuTB30txT9HfTswlgOwJspaCGxqltyj7Y5WYGyHx7yBJcVJ6KxtaHrzMgkG 7kDMckfSsitWbx++lF66WiURqt+uOe3IQ6A7WWVYiijr0W5l0u/v+H5M0S1j496BtERCyjDF CLlg/aTZ8ruf9LRTlJ2Xfm5EuNm0h6X/AJeRfoXxJShKdwYTuCZ/R9ambsLrNR3Hlc+4cuY+ 4c3n3QhC31/O6/X83n3Bm8+4czk92Z1VYc9I7OGZL2f2xfJH4fk9S8FSez6D+s5s3T188bZt POsviCjV7v8A0u4lfcToYgoSP1G0SSEypmGfJMRaHOzO2HZ/rTtXn9bdr8/rrteLf1z2zEC7 A7YJP9ddtc/rrtrn9c9tc/rjtnn9b9scH+OO1KWz8bKzI8dPNV1UdfsbdziXm1Le5zM7e2tb navaq+Av+laK2q8Qay85IbDDWma9n61AML6uczPmYaqHjWjsXeJq6WdXL7jVdJ+p3B2rmbwe 1uwA55IiIj9PcZ+LmUvDDt2JGwwX16aubouwbH0qwN5tSQ7+lXge5KdJ7hyYg3dOeHl9CXSU FQfAEGtp/ThJtMIwov0KCFH1W6+bQ3szOLo98bpXcb8hNTOb3Oo6fxkt5mT2pyhKEr+hqIxo IRB09D3JBf1zFu36Erk8tWtoJjZRJt2/nTzTx2E6rK1vbrPURPcpoAa9UPjsDNT+bS//AEmO s52hc0+TVfpnZylui+qdHTycUwEkikG3l42hXSy+F6+lkN3jtWXSXUbXNb9HuwdKbxJsSna3 a65QeXTa+SfwSavcdzFmtMvXvFWIHUzgoEMgyVmJmM9z5QfE2pj6DSjuetxqQuczVGqs6kOs 
BxpQ+m8c/wDgO3pLM77d08tI7hxfoHMMAdJwj2hIiGrn2DKPk0GbLKUpFK+D6i7a0g9InFrg toNgMzjA0l9Nak1DxI3x3fHa7WydojGTnK4fxrxQYiWonNIaz0QZ6vC09wafqqCbTNfb9139 DuK8xnu19DaKsLi7btMqeTbpaVusemtrEj3KdVYNHLoQUN8VW9tPDsYFc9BHO6dOdJ4eegY/ jwmYiOpG2IwiU4HDW6qDCsTx+RYUGI2Qas1uz+h3JE/FZWqRz+eduDiud5a5WdW8REQUIjUE KRNkKMURctooUZONR0lHN+WOcfNngstERfG1YtVG/pZ8DRF3/F1cBW1+21lGM0fSv6HcVeuf /wBmCev0rhquDz2tWldPuSo2IPuFt6dXrOh3AGwdzP0wrOBKoDuXCYoDurBOXhWQBt1jw3Tr K1x+5LsD0e5pARBeoweH5P7tfrpdnO61NotvyF7Wf+Q+4MPSydRXXzvLMxEGcLokP0Fkj6Tf GW+Ro+TrHXwtaKxs6x9s4gDFW3SJrX1cmtqyymJmue8fXUW7bI6djtXNKNPYMuKoNDXXwcAW hCWlsLt9yhenbUS1A80kWpnssjhR+H5IFcfeXbjsIb0zEQ5sKSP8YAILtDwsxp/JrssCj6u8 zX5jbkALSeNV9wYr1qHFTsoj47mqxl0bY01jita4ud1t3GkMFRj0HKKjzO2djUrXspYdSZhg wUdhEdBe9cLVrrZpKReieokHt3t86mTHa680I+wuiugoQME0GCnu3rrRPqiyLq76nO+e3U97 cF+NFaWtTduiX8XpkjOImgr4OjlfQaL/AO8rNxmHNFaj7jvQwqTcS3QgMVuzSHhovVRXXXpe 9hh9FrUz2FmBNL70e7rWrzLUrqd0vaqGfDfdbZ5IRtif35coxx2ZZoejsuMXLiZB1AaSNHVs UzeKHaL7+prMmEEKyyQZm0hHS2bqZBJS1WQVZXAifFaV16NxLVo4TY+PIs7X1tT6b4Pg+Ql3 HoO0D24Ulr6Clm81bt7uC2mFxJZgE0gnbd5gvh3KyEbmdrLH2ptaYp3KtBMXrFNYf/2t68qu 2DSojEW9Fa8McQYqLQZDJwhtoObzK4De9octatK6thtivPr7jrWXO49HTomsHTMK2yKzGawa theHendG1n91fffcfT8a9zaenueTRx0iFze28PDEDQsprE3Wbi+nBhS+ZXqpdrOPl7In553k nJk+x2Gfq8aKFmM0TDXcOKO9M7dpND3iOWjjT6q/FMrb1OZ3a2YlLlaXC8IQjvz/AOGpnnNh BjSbvOPnj52xlBI96o+4kx0Jtu1sfdeVE6plG+Xkjm1uzInrHPyl2/8AB0Ofirt2tg+S1a3r sqUz8oPbuO2AAFwDYfCEnzmacmomBnsRQg71JTb+L9JXNRm8ZntKV0wplHqxfT1lfkohLBgs CqWmK2phbIyDLS1q0rpdxAuSSFel/FduFXVtmj18urwNOw9PBXtSy+jT4/c9b/H7kat7PcdS 1jubFvFMhcc37R8PzCKJxefjOtY7N8ulSL57BWUsk5aLgzQyFS+hEWCyM3GrVIfDta+MQYyj 0u0US6g+yQxGOjhZV2tHRU01DSwrqAnMetMTxtUTFKI6KEzTTZleswpvPtO9wOCMPF2O5KZr eAwCyesrGa+PergZu/qk5tXitX1b6C1jsAJoRfM7aYDWnj+YyxGfz8bf/i/CNlQpeusbg2Cr k3DTIGplxzuBuoUDWrdYa0kBEzEm9U1AGoA6hSCTzTKFViwoh5mqoBZF2CcaVC2BxdzFvU4S xfl5iOUN7CCmEonYf5UbJfufs3K2pxU1B4hwLvKESjomuJ1LLvdeYE5iyGh9VuJ+p7OLSXtz w/MTcX0efi9ihez/AAfyhGutVmaa2mQefmOGZ4RJNAdFQGHmlqjNpMmQ5qgGUwLVyNar9GGF 
lx7mgt8qBWshg6CkPBOE9PC9KXq52hlnm3Zb3UXbxLSn23CzEaJsUQlsaNXTbDpnIuVdeIis PoBfX1IcT1G01dVeLb6UWDuvToai+enkZo8tDndvdc48lydbuHV2OwtDN5+PddvKhZkDa/gy rN7haHfRoBFa2Uoyufex3mnS4skrbKpEfRwksp28Wk4+Kwqz3JgMusVxtm1p7U0YzZydeJ7Z w20mPIzcg1k3arqHKEdc3QzahCid5rQSEfPWLJlvDTyFNOPtS0WntrQjlu1WyQp2WgCPDT7U w9VrOys7LDMRMNdh9sslQQVzlPEyip7RERH+E8Utj4tKqo0vW9NQ1nMD/dFj/hdAN7VFtJDN knrbMVeQJjjI1t1QzNgZ/wDhNwDB85cJwhwVUSqf6Lt9lLNwz+v/AP/aAAgBAgIGPwBERxO5 WSyH1WOoPhLHuQIwPZnqEONOMpkD9IdN0tV93L71EnS1efDD3rSJhP8AmHKKP6jFsd4RkNI9 K63K52HL6t+alOEZREZW8zV8tryLJ7veuU9kg5rWo8tGMpxBzZf+j/0SusGqYD0AHAMKexae qzGY5hxFDt1NN26kJQfdcGRI12uAHo49/wBioGOr1DcAXizRJNxd/sV8uDqMflhKoizkyupW jIQ6w9d5/j7mbm4LUhMgjqEwO+LYtXaX3Bl6lFi9e0Q7dSJiWRjEXSZqZqGnqcswZcpNan6O qoab04x7QPwt7dgJcEhcs/NYRkuZvBOiMVWqcbRqR1LZ2dS39LP5qMzP+SUb7cuCcZ7MOyBm S6JNbcBtYZ7CKUO7j3qlteH9VlQDDim37KKWjcIG2y8B5AHvQ0xMyshbcRXig7O1Ww8EEOz4 BeB2u6xRJFX3lOx8yiA++qx20JD7lUk9+wd6DdgA4yNsRvJTcEZb6eXYYeJ3L03HeUxiEZQ5 o7kCYRjLOJl+LLpASvAkZAhmtLY5+ChMjl1ZCMDHm5jkdyIjC3T03BMvifcjCembZ1jIVAA3 7abLXMXzGSOkJRkBIw6gjn9yjqzkCYEtd9sFCco2GUaxORUWwZGUiwiHJOQCJ+Xl0tHQkDIz LGWOFKeLoyg4MfVE+wjeDkVEDGXMV09PHNsVzyYZA1kmlXetSc5NDTq6EYacTEEjqXPTyGeK hDSL2csv3Csj44qYgQNSOnLUhEgye3gMnIUYytrGAkQadWTvGNMrd6I3dkh+Ql41qKYNhjV1 dqljESuMSwMZYg+SH8RMQ7SicuIQhGTTD8sqFSfAGMpftjIGXsUhpxMeppQnqCOG4k8KOtGE A0dH5UAtumRZ/wACVHuZOAAczn5phznh70RN+EY0HipaWkAJGo4mJBZWTlz4WRjK4HjdahEu 8gZl6Gq0daRFulGQi1JRlI8xP5gQMKN9w1d0ZNFviljLddjVs0DvHZLLStL4uONMUx8/cyhq wPNGQII4LvClpz12lC2jSmaDl5uAwGS0iJRkfmCNSVtZdMR/CgRhn6o/iEYlw69Qt3qcdERj EOIzlU0zXNLqUdjRQ+a04/yfLl5b5QzHhioasC8JUfddRAn4CRLuK5fT7sVEfp7JANpIYHcn l6YekDGRXODaHj3bioGYJ07hc27NE6c6TibZxyfMdy1OhPR1q1OpUh61d6rqzMNfVuNso1Ee 7jxZOMl/IK/mHuWJPgicrpEdxwTvzPyqT702mDL5X5vllD/q1PhkB+U4KtJClag96Jf9xZgA MgjLy7su0YSJAP5TafMKmtrD+/8Aomlqasx+UzouiItpszP44qVolzxMS8sir43PxPYYeKiX ThOKL1y81WR+oAxHihJsctyBYjg/4fQf/9oACAEDAgY/AECcFfHM/VTA51HemOXZpiSB5r1x R540UhcOXH7014ubw+5NIg0em0jShc2JwA8V0+kXZ7nFv+SB1I8p+KJcdkEZKEhhMgFWWx9R 
hXEkYsjHdtcB2ILdxX+o/bwRfTMafbJTPTP8jfcyfpSwbH+iuYx5Q779sDEXG6V4G+rfgiRp EEAGtcw48lqjUjbGyX+QwbtCA3hnX2yxRkBRhXsPlvT4jtGw0OMTgiZRImPhyPirZNGP5Y/j 2td/9ghK0M9CKlassoach/dIIszOuaHks4pz7UY4KJLjvRMeUhEEMRsAGJQ0paPWgdTpSnlE 79yMI6VumJ9N6vfg0ckQaEFjscHDs3D0xhK7xooaWkBp3OZ2U7gW37bjhH79hdtyBkXYMiGw Vwxj92zmJHGORUdaOmZ9WV/PNovEucBjV1p6mppxAlMtEEkAnAmvq3okOQ5xx8UUe49m/hIe yntRlIvKUnfaYs+arEMrhhKvmqFXOebLuRFp2jqQjqW4XB2dckIw/bEDYRvCL9hgiNxQju7D lMCwTiRQjKkh2ATO/U1GkBH4WyKE4TF0KThKhJOYrtqdgcOEZVwe18s1a9lzKbF6ovi6YKtS VVEflor5t4rkHMMxgnGIQkaONjquDr7YbcNt9z1wejNgyBDnlYZY4hesAnEFGZHKfiFQh5eK rvojxkpd7oRem5OeUcfcgIgEt6ipOXTIDciN6btzuVFPTkKGNQu5C2Dvjdj7KImETACnihqD KkkCsC6jPUMpSkxlEYVwATgWB7aLu+hBNVTGWPBERIuoe/epCJF9tPwTSDEGoKhKYlAT9NMW VhBhTPimKJgW4FZID9IEu8KLQMYkEni276MSDON4df69P/FOIacTvEaoa13OM1G4xFkhINHM d6snaI5sPrPMfBEEogMR9B//2gAIAQEBBj8A8qC0LoXccyVCAQtDkK7zieCZuZLAjSQs571B q01PTtHoxHcFdDNUMo3EEj/NHMiupLeTToK11RFfrR1FcC0ulUt3g26SntjZ58Ohz5crgHqJ r/T+j99MkX7bBfnONLeJWoI2gzx/xY/mdp+fH/Fj+Z2n58f8WP5nafnx/wAWP5nafnx/xY/m dp+fH/Fj+Z2n58f8WP5nafnx/wAWP5nafnx/xY/mdp+fH/FikN/bSHoSaNvmbGpGDKdhBqP8 iaGUbc0cd5W3MuGtJ8hOSDX2Z4+Bx9rT6uv9DU7MPb2bGK3Wql1qruekHaBhnZAdUkIYkVJr IgzO/C21vDGTo5jPJWgqxUAKvZj8O3+638WPw7f7r/xY/Ct/uv8AxY/Ct/uv/Fj8K3+6/wDF j8O3+6/8WHkiggdY2RGord6Q6EHe3nAllhgRC7RZq1dad5aat2O7AerSw/pxYz8sKZJosttC X0nPBls3MD1qdGQP7S7D58MrUS6hpzox17GXqP8AkUmk6FuKTxMPZkWgY+oHEc3t92Veh1yb 9BIAaNOywrQ0PH3qfZBwK4ene51vT85MQRyqHjaFAynYeKXEJFoqajE7AEmoZJDp7OHEztbq iyqvETQRFoS4016WxGGt0DRo9IiaGU6I2Q035kgYaEW61aR6SZ1AEyR6R5mxYqtuscUpKyRe yaOyA+fEbSoqgxorucqM0yqWr+ycCeG3VQ0lvpUE6f8AENGHHmocTzzWyPpnuODOlVdU1dp2 nF0sduokUO6S51FJQlB5seFk/wD3EP8AzcNTFpIpISWVYZFGwrKeXn2MQfLJc3MgigiGp3bY AMMnhdukUQPDLPVnI6dCkAek4C+JwJNETxPCCjqOpWJDekYKeExLBCMhLKuqRuvT3V89cBp5 Eu03xyIqZdTRKtPXj4i24JEos8Dd5GPzg7j+i50YrNanmKBtK/2i/d9eOQWHJvBqjP8A7gG7 9pR6uvBkkNFXae3IY4DyV66VOAQ+sDarb/PhZY9hyIO0EbQfkNKo1G1kSbsA4GPmVzgZ4KV/ tIT6JUOEf6MSCv2pcQUIBpBTPfolpi6aRtfuwl5rYECkJbZsqGO7EarQzxxP8KzEFtOiPOrf 
WJ24aWo5au6s1RkTcRn5hi2aVi0iHUQSDQc06dmzhwsDhSgu4YyNxFFlzwOcRqElvvHdFyxX Z9WmJ43I1GWd8jukkR19TYupBQpR0rUbeeDixFe5PH6pcHPFhAmdJ0lY7aLEea39Xy2fhqNS OTVPMOnSQsYPVWpxDM1NM+rQBt4TpNfIzwxl1RkViKZGQ6UHnOGt2XTKhYMpIFCtdW3sxBC5 0Cd/hZ0rUHXkn79P0bwx1jjb31sw9nOpA/ZbZ24SduFwwSVR9MHSf14py3W1FQJNQpUZCi8v YenViSJFkQ25DOzABHUnS1N+VcSxbmAfzjh9fyGjkAZHBVlOwg5EYaWMNL4cxrHMKnQPoS9F OnfgrX2kPoYHEklwHKyIqqyDVQqWOYrXfjITfln9eKaZqHb7s/rxXTNXZXlnZ6cNbLHIqv33 EPGRXVSurFdM1TtPLP68dyb8v/xxms35Z/XjNZvyz+vBt1jkCtmzCLjYA6tOotiFTkVlVqdH HqwsECtLLIaJGgLMSegDDXt7Q+ITrp0jMRJt0V6SdvlsL4D3ZDwO3Q1daDzjViyZ5njmtg6E cvUoLlyJVOr2dQNKYWV25jrOqlyubRUVnlOR2utcXrSSLpmaNlZQ1GaJSQ2YHt9WCGnV2aaZ wpBqusTL9HfqXOvzYtGgqUEkdzI1NnJVZGr9safP+jF0g47U6z1pscejPHC392ldRMNwJyVx 0Z7caKFuWSrKtNdK8JAYrX04itVAMkjguBuANaE/PgqNhU183+v5JBFQciDswxn8PjBY1blF oqnp90y4yimH/Hf9ePw5/wA9/wBeAuiepzA5z47k/wCc+GXl3KMu1WmcHPftx3J/znx3J/zn x3J/znx3J/zn/Xj8Of8AOf8AXjU1tJLTYHmloD08LLgiwtY7ct3mReI9rHiPp+RLY3aloZhQ kZMpGasp6QcOYIjfWwzWWEVan1ou9Xsrgo4KspoysKEHoIPkU2Vq7RMaCdxoi7dbbfNXDMWE 19MBzp6UAAz0J0L8/wCjKsKqRQg7CMGzgbWjSSCN67Yg7UPnFMR1d0lC0d1NCa7QctmIyIua JAViUNQqchqOrpxzbmCSNAhWq0kzJU7EJO7owFhuELn2GOh/uPRvV8sKBrlYEqlaZDeegYFn Z6DcsgdtK5KlTSpc7K7Tjl+JSj4k05axR81ZQTTgHA1R7XRtx8POPh7kZBW7rfsnd2H9Keen KugPd3SAax0BvpL1HD3XjCpdXCuRbp3o1VTlIVO1m257O3FAKAbAP0k8ldJI0hujVlXEdRSP UFRehF2DDI1X1KGjRRVsjQ/6HEdagRlVodx2nD3FuYxDGWRUdipdhkxqEbYcESWwlHTGwao+ 1oOAgnmtyBwxSjIDsYH58cfKnXdRWQ+nUw9WALm3eMnfGeYPmFMVE+s5VVFZ2FelVBOASkpU 14tIGzqLavVgCJnhgGaMDoZz84XBKjibvMSSx7WOeBLIQqXMYiDnKjqagE9YOI4nu+ffXd1J cW7mtYw0bofaO7Lrx4e3ikguPElk5byLnzI3OhhID3hxAVONcUkjGLNYi5KkD2eKu7FYXBYd 6M5Ov7S7fliG4lrORq5MYLvTpIXZgJG/wUDyEImgagmxdTNWpOJbTxC1a5uYso2txTXT6dTQ duEtpYpLKeUViScAayNoUg0J+R7tKge2x0jzbTgc0IB1Pn+8FxqQhh0jPZ+hmsy2gyrRXpWh GYNO3Bhnj47aQo5BFCRlUV3HaMXE81NYVSq7qU4VB7duOaxzDByT0g1xA0ictpdUuk7QJGLi vXQ+SjAMDkQRXBZrSIMdrKgVvStDjhDp1K5p664M9sTPbKKvGxGtab1J0gj14+JlXNgAiH6I OoMw6a7BioND04B3jJh14a6h5cqpEVa2lHCwB1niFaHLBVfD40R6OfeAbMwTpStRhb27UBS4 
e3iUsaCM8LszGpzGQ2YY9RwHBKyJ3JFyZSRTI45FxQTAVVxkHHZuI3j5NxfSZiBCwHSfZXzn E3iNy9ZJdU9zMdp6B2dAxzbbMwkcbCjBqjLE19eEhpZdEhUcWXsgYlvwxA08y1bYVdOJGHRp IxbXi7ZUBcdDjJh6fIF2BiAT1b/ViN2vpLa3p7q2h0Lroe8zMrE16KYNw0ZKilVijLnb9FAT j4u0fVFIpY5MucZo6lW0mtBv3/optP8AaRxO/wC1Rl/qqMBJGZlXYCTl/pTEfiN+Gl1nXBA5 qoA7rNXad+fyjbr/AIeA0f68gzp2L8/Z5eclvK0UgDI1FWv32XDK1rKAQVY8GVRTc56cLby2 jxwDKSZGjZmUblTWCNXXhU+GnjVQFUcpmoBkO5qw2UinZxRSL/WQY1RsHXZUZ54yYqwzVhtU jYRg6spYjolHXQEMOpga/IvPAbhqSrGRNHINIZGGZRjtpiawmfmW1pI6Jcsvupvorr7tRXAs 7NdFsXVrmeNaKM+FVrkSfRieN7VrmxlfUshC5MMjUVwLe1spRZqAJniCnRFWjlVrtxAvhwpb INKjeCNurr6fIzAVK1plXMgr/TiCCOzjnguWTROHIcUK1UppNNI4q7KDD3KRc/llC6E6Rp1D US2lqADqxHNc2wsnnry4BIJdIkXTxMFUbTsH6F5pTpjjUsx6hie7kGku2lUO1UXJRhoohqdw QAOsYg5BJiCKFrtyFKHrG/5LyJnJksYP0myGAoNabWO0k5lj2nPy2lpcrzIRezhUJI/spGpl TLM4trW2CSJepZNcpcSOscjaJAhd1qRq07ujFzBeabuaMWt5KySH31tCRFLb1rtjZdQ6cX1x aq7WF0tvJKgm0tckSlWCca8s5EUqK41Max+GRxi4ke4ZzokieQryzqD6mYHVXaMsKW78lZJC Mqu51N8/kjcmiTe5k7dsZ9OXn+Qk90jLPGNImjOliv0T04lsYokS1iQsEYVFV4qtXeabce4k rGw/CkGpKHcN+BG6CGJMtCHJvmoMLEToSdGh4ciNQyp6MJawV0JXNsyScyT2+RkrTUCARtB6 cBGyZcmHWMt2Ap8xxENgiBcgitaCgHpNf0Ij3SyIG7AwanqxKOk6h9r/AMccX4j5uej6vmxO p2LMdPUCqk+uvyY5aEpBIJHpuUqyVPUNVcaqjTt1Vyp24rFHJKv0kRmX0gY0k6WrTSwKmvRR gMctraCUpLJNHJIxJBeoqo0Gh0mm3DwPZWZhkRYnjIahRM0XIbFrlhnfw6zdnZJGI1Alo8kN absTfBeH2sVxcSJLMZPeRyaW1FXQkZGu7EUclrIfELa2MEVxpFGrnpAjdsq5CuzFBu8jEAsR Qqo2lgQVA6yfkEnYM8LGx9xp5ksdBSjfhqd9d5wE+IkZFyXSFGW4EnPFZuY4G5329oGHTkRD kOE5g/ECt3GJI66bfkShV1uZXWNK0q1WIz3Zb8Ri4thGkR1NPHIH0U9oBc+2uJG20QaT1Ma/ 0foYTu5oB84OLd9u3WvSFz/p8nMp+O7SV6Qch6h8rWttGGrUcIoD1DYMUGQG7BSRQ6nIgjE8 ROoQkBW6QwDivWK4rIwQHZXf2YLLbzFB7WgD91mDerBCnNe8pBDDtBwrVoNhOBPOWSFs441J UsNzMRnQ7h6cf4dVPSpKn0qRgSrGS6mq6nZwCN6h2IB+QVOwinpxPBJlKoQAH2lUU1DytCne kROZ2Kxap+b5DR3CiSNqSaTUDYUoaHtw1xHcyBSCBGmmMUO1W0ihFMsxXrw8lKAkIg3aUy+f 9CH+hLGfvHl/7WP92g/fJ/hxpjFZHokY+u50r6ziOBO7EoRexRT9AWchVGZJNABiWLwt/jGd iTJoCqp2fiEnXTdRPPgyNc/Ds20xji+82pvXjUPErjV08xvm2YV2mW85fdMgAcDeA60PpqMN 
aysbS6dSojk2VIpwkbcfEEiNEB5hOSro73EacPXiV472MLCNTl6x8Naal5gXUKnaMLCl2Fdz RDIkkSknIAPKirnuz8kayyBDM2iMMaamPsjr8qXVxqjEauEnTvI5ppr1YWG65Zus6ANoLAAZ 0fKvYcQxRmKNZGIkm1iXlgbaqvbgSMS80wDzSNtLEeoDcPK3gVjM1vBAim6MZKs7uNeksM9I UjLEcHh01J7lXVY5GPLdwjFA/nwQPDrMlAGNJiS/Sq134mtrsi8tI5nEltLTWnEdQjlXPI9N RiDxG0JMFwupQcmBBoyt1qRQ/KJJoBmScaIHaKxG2RCVeb9kjNU69p3Zbbu0HctZUaIHdGxW VRn0NUDErdDaPu/68K7dy1HMPW7ZL6NvyaVzGZG/ylmNABUk7AMNbwOY/DYzQ0yMpG9uroGN Mahab8ZmmOEhj0A4IYUPQccXC4zVxkQRsNcN/wBveITcq8UpJbzsNSTLE6vokWq12UIrmMNL 43GAsBT4SKGZqBwG1yhkEbZ6gBXZTDLE01uzChZZWkU/txzmRGHauHsPD/FbdG5zQKkpqvA2 nVbMxflh/oMGH0cs8eLwN4nMlxZxoqWwlRjzggnLtRFYKWoqstNhIzxW5uJYbpo0uYnh0LG8 UtSneQy6k2NWToNc8k8O+NS4kiuxb/DSxkzvEGBeQsZNQUR1ZSQT1muBGTz2mXXbQxmrBRlx D2FB3nI4VlisIyBRhKk1w56Tr5kSgnqX04ln+DV3ehLWr1GQo1YZFU/dYnqxOxl5loh5a6jx CQbRT2abD5fECwIEnKdCd45UYy84OPD7xjRIZ4y/7OqjerGonLbXqx4jbnw+Ga5urmSQX8hY yIpbJUAIAxbM5JE0ksiA7l1lfnWvluhHOvupSoikjBUKVVloVKt7WK3VrqUZl7dtf7j6W9Fc a7dI7eI7GlrI9OtFKgfexJFd3Gq3GbIqBNag7HNSadWA6mqnKox4nTMCGCvmZ2Pqw0rd0lnJ 7ThBIKTS+8lHQzZ6fsjL5Ecyxxm2z50sjUKmoC8IzINdorToxJ4yeVauwZZWYmVTGAqwRgAp XU5JBOyuEZqaioLaTUVpnQ+RbOI0kuzpam3QNvpwEXd8+CSaECpJ6MJcXT/A2r8QXbMy/snJ fP6Me7u5S/S+kj0ADBguiGX2Juiuw9mGjfavrG44WaFilzARJE42grniK7ppkI0zIPZkXJx6 cMhyDAqSNuYphvBIWs1vfDJfhLy0vGSJJY4pNErKXoCZEzr048andpZrrxAlfCtdSbm3UvFb 6DSpaveJ9mjYmBOoWMMFgG3F405khH31xLfSIC0a0GkDW5Joka9bMQBh57phLf3RD3co2Ft0 adCIOFR59pw9t4Zbi6eI6ZpnflwIw9jWFYs3SFGW/Be7so5Il7/wkjSSKN55ciJq+ya9WE8b 8GYSTsoLoppHdRD2H+uPYbaDkcq4ivLZtUMy6lrkRuKsNzKciNx8lvPDdBHEXIlRV1FmViy6 fvGuNDpczSA58UcY823AsuVJEnLEQlWSMSaQNNdTLkcExtPFJuXXFL81D6sW3hun4XkxKkcT kE6VAQVYdJ8qz/2V2BE/VKlSh+0tV8wwkSrq11DHow0DZBqgjoPTiee5GmGFGMhI3dXTiSCK 0ROUomeBpDzuW3td0rXqri9VSGivbNZkpv1K6H93Tgq2YJYN9rj+ZsIZDqliJikO8lfaPWRQ ny8zTzJXYRwRA0LyNsHZvPVgT3Di4uWyeY0IXpWMeyo/14KsoKUoQRUUx/8AznVWPE/h5YBZ B9QHuP0UyO/pxHcQmscg1LXI9hG4jfiNd0UdfOSfJFBKNUFqpuJFOwlCAgP2iDj+8zBWOaxj ic9iDPBSyi5K/TejP6Bwj141XMzOTtBOKEk0yFTXFXYDF0scTnw+4XmcwiiLKtBSp+kMDw2z 
cxSPHzZ5hkUjJKoqnc0jA57gDvpiPntqEgL3NvKqOBOTm8TruPXXdvrgxFIncEGMzpzEU7Cd IZTs68fEMDHaG4dbiAhlDRFlQXKpIztGRtIrQr14sbLbHCr3ko+svuoa9VWZu1cR29qaXd7I LeBtuioLPL9hAT24jt1XTFbqdLEE0oDVmbbU1Oe/AljcAhdQcDmA6epTnXAVf8D4oxIWlBHd ga2oNwmUE0+kOvE1lst74NdQDcsy0E6j9sFXA6dWJIGJVZFKkjbnh7iS2e6dzRJ0GpUXoAFS D2jGpIOZSvE0gO3oouWKtADTYDITT93ACRBQSBywwNSfoigzx8XIjW8IY6pJFK8NMlVDQnH+ Ik/B5G3d9Lt8k8NKsyNp6mpVSOsHErxOwjhtY7lY0JXmGQEkuVo1FpsGIlWQTQ3lqLpAH5vL ZSBIgc5+1s3YvYkqX5LMgAJJZeJRQdJGJb23tjbfGW4t5xcGPSK046qWbLoGLiwE4D2NmltE 7ZBnVWZwG2ahw1GCiEEMikU6VGk4uotx0SU6K1X/AGfLB8U2i1gjMkrZ5B5I42bLoWo8+Lqx gjjjENQGhNYpEFCjj6wBocUJyGL6C6CpEzaLThJknuC+mqNs93lluxdJ7CXD6e1grv8AvMcV PtRCnmPklubOV45JE5blKDhJBIqdmzBeViztmxJJJP1mOZxRRQdWKuwHVg3Ecfw9oNtzKCFp 9UbW82K2sHx0wP490CIgfqwrmftHzYZrm7dIo14YYfdJ6I6E4klJzuLS0mX9kiUf1gfJqdgq jaSaD14isYmEhvpFtxpIPC596cvoxqx82L9iPwYoIEP1VXm/PKcSL7FhbhE6pLg6nb7qrhri 4jdgpURKgKu8hOkRhWoTVtnVtxC/iVk9lHO45LpNzIg7exJpC6C+7IgnFxJEwaWAc+20moV4 DzUp1nTnix8Rj/spoJkPQkxEL/8Aw5T5fELa2mXkxsmhHjjcCsSE01qenFObDT/8eH/5eLi0 vpEeNrcyIqxonGjoPYUbmPySl4xgiJY2l3GdOgSGskEhYFdJbNdWW7C3K11W4JFzK/dU7QKU ULnspiS6mu3vbCJWKfBx+7BY92U6s6DZpw0MUaLfTZww11GCIjKS5IyB36R2YFv+IwJcyPQs 8jGrO/WxxxWy1G8KPnGDLayEEjS0UwLqQDWlTxj04MLryLpBVoiahh9KNvaHrHkWQCoZZLZ+ yYAofzEUefFtbTMOTbRzpBQAHQx10Y76Md+PhFuYjc/+iHXX92tcW8VxIWtbKWWURHZEFcyT Me3SMRvINMk5ad1O0GVjJp8wNMW1xuqY28+zyfPijuC25RmcBlj+Btj/AGkwoxH1U2+nAkkU 3dwM+bNnQ/VTYMaHHC1QR1UONMShRpXZ04l7MeFXlqAbu3tkAjJoJYmVS0VdxyBU9PUTiYw+ K8pldg9q9snMhBJ0owYhqgbzUHaMsc6/r4hcUqZbqjgfsx0EaDsGJfGUhENtTlWKgaQ4I95O q7lPdTqq3tY8TXfWKv5MWPFlkUMpaE0P+5ixa2zsXjtYubn/AOpMxiU/ZRGHnxPZPSksZQje pI4W6qHMYtpWGlpIgJVAAo4GmTZ9YHCkGjLYVB6Ckf8A5cA+RfGDMZH8TlesdKBFjSNUA6es +Rf+4BI0cyTSwcvIpJCY184Ic7er5JVgGU5EHMEYurrw8PBLFGWjjiaiFtg902pPVhPE7maW cSIJmdpNCCq1LERBBljRboqRnMaRka+111xyFV57imrkwrqYA7C2wKO041TWMqRjayskhH2E NfRgEjUjiqnYaHHPj/FtW5ikbwveX7S1GFkU1VwGU9Rzxdm7cxwLEzPIASU0jUGAG8EVGGl8 PgSynuVpdXIdTIa98QoGITUd+3HwzNHFGJOaHLojD6I1d6oOeqtcFbl4LmKZ0F5PAB8TJGDm 
raOF679lR14+BWL3en8WtOMKsmnRTZpYZ4kQd9RqTtGeFfYw4WHWMFG2HoyxIPEYgbe4I5N2 41GFhlSp2Ka5nAkjYOjZhlNQR2jBdyFVRUscgBgw2oaagIUoK7cmfsGwdOHuLdCYlbltLJVE UrlpzGonqUHEavcRpDcCocRt582cU+7iC18QjRLYIqQ3sDF4iFAX3gPEnbmOk4MsBEV/EpNr cilQ1Mlb6SMe8v8ATQ4mm5ZJeGQPCe8siBg0bU3q4IxE0ZBRkUqRsIIypjXsS9t1I63hZkc+ iRMTqcluoIXHWVLxt6OHGptkttGy/wDCkcP/AMwYieM1W5t5InpvMLLIh82thgSnu67iQHpU zSMD6MQQnJp7WOMds1EH9fy2MvtJc6R00aNif6vksSBQs0xbrPOkHzD5V0pNAYnqfsnF1DGh ksrxNQUHigkmpqAB2xsWrlsxJM/chQuR1KK4V5fx5/fXDby75/ujIY4EqBvJpig4X+icPvU5 f0YsWbaYI6/dGGjkUPG4KurCoIORBGGi8PZUhWOsylFkEcleFdTZ8S7q5U68APPH1lLeMN6X L/Nic3KF76OQmCOUB5CmyMwqBQ6qbhkcFpJDFPIJ5IuXGQpmYIUjkklBQoqLmV6MQzshQyor lGFCNQrQjHNAPwlydu5X6MZZg7MFJVDDpwf+n3k1un0EY6c/qmox/fbuWcZVV24cvqigwHjq JLplUNvAZuWh+yp1YewhkltoLKsXh1tCCaOoGio1L32zZ/PizWYe8UjX1VBNMQ+GpZrcSSxm eSWSURBV4uFNXDsTftOWJLmz1BoJLaaGTUamC4ZQ0TKTSigMAN2VNmDdAUsPEnC3HRFdGipJ 1LL3W+tT6RxNa3ag/CRsfD2c6VkVRwQM+5k2D6S5ipriynvkSCaKUcqWJmeOSKYaJF1MqaWQ 6Hz2gZb6Wfi+xbdjDdH6MU1BqPUsiqezENzbEC9tCWjDZK1RSSJjuDjfuNDibxSW3lt1sbd4 4EmXSz3ExAooqdQGkCoyNcJZJnPyUtlHTI4EfrdseF+FJnrngQAbdFv74+qLy+Gw73mkf7ig f7fk8O/4/wD+xL5ZILMNdzQsUlWICisu1WZyqinbjJYrVTvYmV/QuhfXhYL0g6zSK4A0qx+g w9lujpwtjHUyXfDJT2YR+Ix7RwjrOI7KMe5gZZrttw08UUPaTxHq7cPCAXluOFVG5QauzHcK ZdZywzxmqslVI6CKj1YMqniBPD2YqMiMCNDSWdlhir9OQ6F+fEcKdyJQi9iigw7RsULFVaUe wrGjP5hhDajTGa0B2kgkEk51JO/HdqcNOEEki0WOOoDMzEKqA9ZOI5vE9EnKYSRWyCsauNjs W7zDduHke3nXVG4oerrGNE6mayPcuANnU3QcVRgerf5Kk0xby97kyRK2kVJCyiNiB+znh/EZ kWeaNSymNQWIUVGe1uoYZp7O3NtqoYSXEmmuypqpPmxazSzt4cwWsblNVY24zCykijKWNO3F 9PZg/Duhitic6xWqGJG+0wZsPBOokt7hCrqdhVhh/BfFR8QGUiCZwPfwjef/AHErRvvb8XH/ AG74qOa1tSPWe88e2GZT9KnrBxJ4N4pSRwmksw4Z4jwiWnWMnG445QEs9kMre4iVpHRd0UyK Cx07A1M9+eIp7hJI7C0YSlplMZllX8MKjgNoQ8RJGZphX/8Ao/DONidjTkcC/YUlj10xNeUr DYR8qM7ubNRm86xgff8AL4dZg5wwvKw/3rBR/wAvyW0ampt5Jo26iZGl+Zx5fiYo1M47ynhE gH11zVuhhgtZ3JbRk9tdDUyH6JdeIevE6XEPJZWSOd6c5Ejk/tQAM9mVRtwLe2ItGlqoluGN 1dSIhI1nTwIMiBqNMLHCrSyvUrAD7yaTaWZj072OWGHj9g3/AFG5qVWJXkCxpQhFZaDSlfTn 
twfDJxKkCmlnLcqV1K1fdFjvXd0jDKoqjZrXBkkqcwAqirMzGgCjecVWdEkidTG+pTplQhly rtruwY5VEV3EAZYwaqQfbQ71PqwXuZUij3tIwUelsK//AG/Jp0EtdNGoMMmY4UU0BelTqXH/ AFH/AKsq2WnXzREBRfOxz3UptxJN4zM1WbXYNcUVIxmNLaaKJKbz5sB4ZFkQ7GQhh6vKUdQy sKMpFQQenBe3L2chzrEeH7jVHoweX4lw7tUefqbDS3sr/CamWO416EYI5jJk0xOY6kZVNKb8 R3FusfJQakgMrvGX06eZUx1OW6tN+I7S7gNx7NqtqyvIyVOlOU5RuAcNRXCz3/8A28tpLL/e FcMJnQlqI0sEY0gsQTw6qY8PgVXXw+4kobwjSH1LqWOMGjUfZq9GJvDLeFik7EQMq0jSOY+8 qRkvLqxA35UwAMgMgMGGWqkEPFKuTxuO66HpHr2HLFjJcxGO5LNavMikwzJpaZHVs9JBQ8DZ ip2jPChmKSIdUM0ZAkifpWvrByOOWYBeoO7LAyKSPrRzMuk9jEYpKF8Ph9qSRlklp9SNKxg9 ZY9mG8N8GT4ieJSWUHUAzHvTP0s3nJxHaIxdlq0sp2ySudUjntY7N2zyR2NmFfxC4FVLkaI1 J0hmr07sSh1fxC/Ue9cOCoUZd6oQLnuwjG2laIRI0ssXvFDkcYJAyocXNlHGtxYBhcTlnSOS MsNJZNZAfJBw4jubdxJDKoZHGwg+UXFuwiukFA/ssPoSDevzbsSrMoic2458TkZaGIrU5FTr yOJU8GuZIopW1yQWcSyrq2Eo5UqnpxKzRsIZRq5lxIJLjXlkStRo6q5YF0kQuoQgRI9elk3t pVqKdWW+uCs3hkzKcmBQkfusa4Aa0ulA2DTNQejCk2dzKy92qzGhOWVcVtPCREfpuI48/Oxb 1Y+Mu5F5gRo0hiqVAYqzFmYAseEbsR31pSaRF0PBIaZA1DRE5Kenpxo+CkB6SUC/e1Y0CVDK bj4k2lfdV0aO9Tve10V9ONJsZSdmWkj72qmJb26UW5kTQluhrWpqXl08NcqD5MskSGSREZkR drMASFHbiG2NtdOYo1QsYW4iooSe3DNbLf2MVCZkhgJTSMzpV1YIetcC4sbK5dZlB+IMTM8g 3FpHOtvPi6vZGmtYptMIgZUV2ijX6VCyAs7bDh7daQ8tQYHUAcp4842UfVIGIpmFDIiuR0Fg D5YueXSSAkxSRsVZSwo3Ua9YwSviU4XcCkJPp5eODxQgfWhBPqkXBWbxLWrAggQAGh2952ws bzyyW6kEW6hIUJH0uSisfT5fi72AvNpCFg7rULsyVgMcmwt0t0Pe0jian0mNWbznBBFQciDj mm1MJOZWJii+Zdg82I7O0TlwQghFqTtJY5npJ+QrTwpKydwuoYivRXFAKDoH+Rw2UT8r4hZH eUULBI9IKpqqKnWM8fBEEfAMYCxBoyrxIwO+qkV68B0NVYAqekHFzLaPyjPA4VmFStQVbIe0 PnxbIsjyQ3D8gxOdWlgjOHVjxexQj/Q/5ljuYhWa1YyKo9pSNLx/aXZ10xc0LTRySBkdKFSD FGMjXETF6rGDGXbL8NinF6MT2XO0mRrqNWAJC1llCnFvPAlIYIyS5laFhdFdDjgVm92CR58L Ld+JM0a0/u6AEN+28gJp2Af5lkSCRYyKNIHbQrRjN0Z89II34MBZOKIhJbZxLGH1PmpT9ro3 YllvtKFpKlTNTi0JqDKj6RxDtw8UdGthJcFWh95GQ0upKNHqGQJHVi4umkZYTGsUsDsGLShi VkZQTpIjoM8z/kH/2T== From ka at PACIFIC.NET Tue Jul 15 14:31:36 2003 From: ka at PACIFIC.NET (Ken Anderson) Date: Thu Jan 12 21:18:57 2006 Subject: MS Performance 
In-Reply-To: References: Message-ID: <3F140238.60405@pacific.net> Tony Johansson wrote: > On Mon, 14 Jul 2003 09:30:11 -0700, Ken Anderson wrote: > > > >>A possible bottleneck is syslog, since both sendmail & MS are very busy >>adding log entries to the maillog, though I haven't done any testing to >>see if this is really a problem. >> > > Have you tried turning off fsync on the maillogs? > >>From "Sendmail performance tuning" by Nick Christenson (highly recommended): > "On Linux systems, by default the syslog daemon will fsync() its log files > after each entry is written to them. On a busy email server, this operation > can cause a measurable slowdown. In most organizations, email server logs > aren't so critical. This behaviour can be switched off by preceding the > appropriate entry in the /etc/syslog.conf file with "-": > mail.* -/var/adm/mail " LA dropped from 2.7 to 1.3 with just that modification to syslog.conf. Seems I should pick up that book! Thanks, Ken A. > > regards, Tony > > From rherban at HYPERVINE.NET Tue Jul 15 14:35:22 2003 From: rherban at HYPERVINE.NET (Randy Herban) Date: Thu Jan 12 21:18:57 2006 Subject: MS Performance Message-ID: <00FD7F04EA248947B8FBB971044379DB80BD@corpserv1.hvcorp.hypervine.net> > -----Original Message----- > From: Ken Anderson [mailto:ka@PACIFIC.NET] > Sent: Tuesday, July 15, 2003 8:32 AM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: MS Performance > > > Tony Johansson wrote: > > > On Mon, 14 Jul 2003 09:30:11 -0700, Ken Anderson > > wrote: > > > > > > > >>A possible bottleneck is syslog, since both sendmail & MS are very > >>busy adding log entries to the maillog, though I haven't done any > >>testing to see if this is really a problem. > >> > > > > Have you tried turning off fsync on the maillogs? > > > >>From "Sendmail performance tuning" by Nick Christenson (highly > >>recommended): > > "On Linux systems, by default the syslog daemon will > fsync() its log > > files after each entry is written to them. 
On a busy email server, > > this operation can cause a measurable slowdown. In most > organizations, > > email server logs aren't so critical. This behaviour can be > switched > > off by preceding the appropriate entry in the > /etc/syslog.conf file with "-": > > mail.* -/var/adm/mail " > > > LA dropped from 2.7 to 1.3 with just that modification to > syslog.conf. Seems I should pick up that book! Thanks, > > Ken A. > > > > > regards, Tony > > > > > Another thing to consider if you have enough servers or enough logs to warrant it is using a central syslog server. Helps keep the burden off your mail servers and keeps all the logs in one place, easier for searching through for problems and/or running any of the stats programs that have been produced by this list. From P.G.M.Peters at utwente.nl Tue Jul 15 14:49:45 2003 From: P.G.M.Peters at utwente.nl (Peter Peters) Date: Thu Jan 12 21:18:57 2006 Subject: MS Performance In-Reply-To: <00FD7F04EA248947B8FBB971044379DB80BD@corpserv1.hvcorp.hypervine.net> References: <00FD7F04EA248947B8FBB971044379DB80BD@corpserv1.hvcorp.hypervine.net> Message-ID: On Tue, 15 Jul 2003 08:35:22 -0500, you wrote: >Another thing to consider if you have enough servers or enough logs to >warrant it is using a central syslog server. Helps keep the burden off >your mail servers and keeps all the logs in one place, easier for >searching through for problems and/or running any of the stats programs >that have been produced by this list. I would suggest at least two syslog servers. When one has problems you don't lose possibly important loglines. And you can even have routers, switches etc log to those servers.
-- Peter Peters, senior network administrator Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE) Universiteit Twente, Postbus 217, 7500 AE Enschede telephone: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/civ From richard_cipher at YAHOO.COM Tue Jul 15 15:35:32 2003 From: richard_cipher at YAHOO.COM (Evert Ford) Date: Thu Jan 12 21:18:57 2006 Subject: outbound mail gets stuck when MailScanner running Message-ID: Chris, In MailScanner.conf there is a variable with the default setting Incoming Queue Dir = /var/spool/mqueue.in Just above it in the comments, it shows one of the options being the name of a file containing a list of directory names. You might try this. An example: in MailScanner.conf: Incoming Queue Dir = /etc/MailScanner/mqueue.in.rules in mqueue.in.rules: myinternaldomain1.com/var/spool/mqueue.in myinternaldomain2.com/var/spool/mqueue.in and so on... You would, of course, have to actually make these directories before doing this, stop sendmail from running external to MailScanner, and start MailScanner. Other than this (which occurred to me while taking a shower this morning :-)), I'm fresh out of ideas. Evert Ford Information Analyst Westone Laboratories http://www.westone.com --- Outgoing mail is certified Virus Free. Checked by AVG anti-virus system (http://www.grisoft.com). Version: 6.0.483 / Virus Database: 279 - Release Date: 5/19/03 From mike at UNIXSECURITY.ORG Tue Jul 15 15:48:27 2003 From: mike at UNIXSECURITY.ORG (Mike Wallis) Date: Thu Jan 12 21:18:57 2006 Subject: RH9 and SophosSAVI Message-ID: <3F14143B.8000008@unixsecurity.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 I upgraded my mail server from RH 7.3 to RH9 yesterday and then proceeded to spend several hours trying to figure out why MS was no longer working. I completely uninstalled and reinstalled Perl and everything MS related, but finally tracked it down to SophosSAVI.
Apparently the SAVI module doesn't like something on my RH9 system, since every time it's called, it simply produces the following unhelpful error message: Jul 14 21:43:27 deep-thought root: Process did not exit cleanly, returned 0 with signal 11 I finally gave up fighting with it and changed the virus scanner back to sophos, but I'd like to be able to use sophossavi again. Anybody seen anything like this, or have any ideas? - -- Mike Wallis -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1-nr1 (Windows XP) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQE/FBQ7Xes7jE7XvgsRAv2bAKC69sk1yPg3dDLiDCtUGgV+hjYd5QCffBVi 5fChp1T/Jrg4QWcTeRWmLVY= =1R9K -----END PGP SIGNATURE----- From steve.freegard at LBSLTD.CO.UK Tue Jul 15 16:02:03 2003 From: steve.freegard at LBSLTD.CO.UK (Steve Freegard) Date: Thu Jan 12 21:18:57 2006 Subject: RH9 and SophosSAVI Message-ID: <67D9E7698329D411936E00508B6590B902773A24@neelix.lbsltd.co.uk> Mike, I'm using RH9 with SophosSAVI, and I did have a few troubles to begin with - check to make sure you haven't got the file /etc/sav.conf on your system - if you have, delete it, and SophosSAVI should start working. Also check that you're running the latest version of MailScanner as Julian has made numerous improvements to the handling of SophosSAVI. Hope this helps. Kind regards, Steve -- Steve Freegard Systems Manager Littlehampton Book Services Ltd. -----Original Message----- From: Mike Wallis [mailto:mike@UNIXSECURITY.ORG] Sent: 15 July 2003 15:48 To: MAILSCANNER@JISCMAIL.AC.UK Subject: RH9 and SophosSAVI -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 I upgraded my mail server from RH 7.3 to RH9 yesterday and then proceeded to spend several hours trying to figure out why MS was no longer working. I completely uninstalled and reinstalled Perl and everything MS related, but finally tracked it down to SophosSAVI.
Apparently the SAVI module doesn't like something on my RH9 system, since every time it's called, it simply produces the following unhelpful error message: Jul 14 21:43:27 deep-thought root: Process did not exit cleanly, returned 0 with signal 11 I finally gave up fighting with it and changed the virus scanner back to sophos, but I'd like to be able to use sophossavi again. Anybody seen anything like this, or have any ideas? - -- Mike Wallis -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1-nr1 (Windows XP) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQE/FBQ7Xes7jE7XvgsRAv2bAKC69sk1yPg3dDLiDCtUGgV+hjYd5QCffBVi 5fChp1T/Jrg4QWcTeRWmLVY= =1R9K -----END PGP SIGNATURE----- -- This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the sender and delete the message from your mailbox. This footnote also confirms that this email message has been swept by MailScanner (www.mailscanner.info) for the presence of computer viruses. From ap at HPI.COM Tue Jul 15 20:36:12 2003 From: ap at HPI.COM (Adam Polkosnik) Date: Thu Jan 12 21:18:57 2006 Subject: Eicar signature in the subject line Message-ID: <3F1457AC.2050701@hpi.com> Just as I was updating my mail system and started to do some testing I've noticed that an e-mail with eicar signature in the subject line was able to pass through (without any problem) my mailserver equipped with Mailscanner and ClamAv. Would anyone like to comment on this one? -- Best regards, Adam Polkosnik 718.768.8800 x245 IT Dept HPI International, Inc.
From mkettler at EVI-INC.COM Tue Jul 15 21:29:14 2003 From: mkettler at EVI-INC.COM (Matt Kettler) Date: Thu Jan 12 21:18:57 2006 Subject: Eicar signature in the subject line In-Reply-To: <3F1457AC.2050701@hpi.com> Message-ID: <5.2.1.1.0.20030715162735.01b80ea8@xanadu.evi-inc.com> At 03:36 PM 7/15/2003 -0400, Adam Polkosnik wrote: >Just as I was updating my mail system and started to do some testing >I've noticed that an e-mail with eicar signature in the subject line was >able to pass through (without any problem) my mailserver equipped with >Mailscanner and ClamAv. >Would anyone like to comment on this one? My comment "Yeah, it works as it should, so what's the issue?" From ap at HPI.COM Wed Jul 16 02:44:28 2003 From: ap at HPI.COM (Adam Polkosnik) Date: Thu Jan 12 21:18:57 2006 Subject: Eicar signature in the subject line In-Reply-To: <5.2.1.1.0.20030715162735.01b80ea8@xanadu.evi-inc.com> References: <5.2.1.1.0.20030715162735.01b80ea8@xanadu.evi-inc.com> Message-ID: <3F14ADFC.8020103@hpi.com> Matt Kettler wrote: > At 03:36 PM 7/15/2003 -0400, Adam Polkosnik wrote: > >> Just as I was updating my mail system and started to do some testing >> I've noticed that an e-mail with eicar signature in the subject line was >> able to pass through (without any problem) my mailserver equipped with >> Mailscanner and ClamAv. >> Would anyone like to comment on this one? > > > My comment "Yeah, it works as it should, so what's the issue?" > Are you trying to say that by design the Subject line is excluded from being scanned? From wpc4 at DODGETHIS.ORG Wed Jul 16 02:47:38 2003 From: wpc4 at DODGETHIS.ORG (William Curley) Date: Thu Jan 12 21:18:57 2006 Subject: Eicar signature in the subject line {Scanned} References: <5.2.1.1.0.20030715162735.01b80ea8@xanadu.evi-inc.com> <3F14ADFC.8020103@hpi.com> Message-ID: <000701c34b3c$3d4b4590$0600a8c0@dejour> Appears to be, I'm running latest mailscanner with postfix 2.0.13 with f-prot 4.1.1 and it doesn't detect the subject line. 
Thinking about it there is little reason for it to. You can't get a virus from only the subject line so why should it scan it? ----- Original Message ----- From: "Adam Polkosnik" To: Sent: Tuesday, July 15, 2003 6:44 PM Subject: Re: Eicar signature in the subject line {Scanned} > Matt Kettler wrote: > > > At 03:36 PM 7/15/2003 -0400, Adam Polkosnik wrote: > > > >> Just as I was updating my mail system and started to do some testing > >> I've noticed that an e-mail with eicar signature in the subject line was > >> able to pass through (without any problem) my mailserver equipped with > >> Mailscanner and ClamAv. > >> Would anyone like to comment on this one? > > > > > > My comment "Yeah, it works as it should, so what's the issue?" > > > Are you trying to say that by design the Subject line is excluded from > being scanned? > From kfliong at WOFS.COM Wed Jul 16 03:23:20 2003 From: kfliong at WOFS.COM (kfliong) Date: Thu Jan 12 21:18:57 2006 Subject: emails with No Message Collected In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB0A4ADCB@pascal.priv.bmrb.co.uk> Message-ID: <5.2.1.1.0.20030716102245.02663600@192.168.10.2> I have checked and my "noetrn" command is in the init script. So, what else could be the reason? Thanks in advance. At 10:57 AM 7/14/2003 +0100, you wrote: >kfliong wrote: > > Hi, > > > > I have this problem where some of the outgoing mails are received as > > <<< No Message Collected >>>. > > > > All the contents including attachments are ripped and only left with > > this message "<<< No Message Collected >>>". > >That's a sendmail error - probably you have a sendmail process which is >trying to process the incoming queue, which leads to a race condition >between mailscanner and sendmail.
Sometimes MailScanner gets the message, >sometimes sendmail gets the message, sometimes mailscanner gets the >message, sometimes there's a draw, mailscanner gets the message - sendmail >only gets the headers - but sendmail delivers first, therefore the second >(full) copy (from MailScanner) is discarded as a duplicate (same >messageid). You can verify if this is the case by grepping your maillogs >for affected message ids. When this happened to me it was caused by an >exchange server issuing ETRN's - make sure your MailScanner init script is >starting sendmail with the noetrn option. > > > >BMRB International >http://www.bmrb.co.uk >+44 (0)20 8566 5000 >_________________________________________________________________ >This message (and any attachment) is intended only for the >recipient and may contain confidential and/or privileged >material. If you have received this in error, please contact the >sender and delete this message immediately. Disclosure, copying >or other action taken in respect of this email or in >reliance on it is prohibited. BMRB International Limited >accepts no liability in relation to any personal emails, or >content of any email which does not directly relate to our >business. From batucker at ICNET.NET Wed Jul 16 04:38:20 2003 From: batucker at ICNET.NET (Brady A. Tucker) Date: Thu Jan 12 21:18:57 2006 Subject: A Few Messages are 'whitelisted' even with auto-whitelist off Message-ID: I have some messages getting through that say they are whitelisted, though they are not. I'm not sure when this started as I'm just now looking for them specifically, I've done updates as they have come out (Except for MS 4.22-5) on both SA and Mailscanner, Any suggestions ? Specifics : -MailScanner 4.22-4, SA 2.5.5, RH 9, sendmail 8.12.8 -Doesn't happen with very many addresses, but with ~65,000 messages a day....
-I have 'SpamAssassin Auto Whitelist = no' set in MailScanner.conf -I do use spam.whitelist.rules, not excessively (30 or so entries), and the address to which this was sent (me) has no 'To' or 'FromorTo' lines, nor does the address it was received from have any entries... -I'm betting there is another whitelist setting I'm missing in SA ? Can't find anything, even though this is not an SA list, any suggestions are appreciated MailScanner headers : X-MailScanner: Found to be clean X-MailScanner-SpamCheck: not spam (whitelisted), spamassassin (score=18.4, required 5, BAYES_60, CLICK_BELOW, DATE_IN_FUTURE_12_24, HG_HORMONE, HTML_40_50, HTML_IMAGE_ONLY_06, HTML_LINK_CLICK_HERE, HTML_WEB_BUGS, MIME_HTML_ONLY, MSG_ID_ADDED_BY_MTA_SHORT, RCVD_IN_BL_SPAMCOP_NET, RCVD_IN_DSBL, USERPASS) Brady A. Tucker Internet Complete! inc. http://www.icnet.net From damian at WORKGROUPSOLUTIONS.COM Wed Jul 16 06:27:24 2003 From: damian at WORKGROUPSOLUTIONS.COM (Damian Mendoza) Date: Thu Jan 12 21:18:57 2006 Subject: A Few Messages are 'whitelisted' even with auto-whitelist off Message-ID: Brady, I have the exact same problem with messages being "whitelisted" when they should not be. Others have reported the problem as well. I have not been able to resolve it yet, though I keep trying new ideas. Regards, Damian -----Original Message----- From: Brady A. Tucker [mailto:batucker@ICNET.NET] Sent: Tuesday, July 15, 2003 8:38 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: A Few Messages are 'whitelisted' even with auto-whitelist off I have some messages getting through that say they are whitelisted, though they are not. I'm not sure when this started as I'm just now looking for them specifically, I've done updates as they have come out (Except for MS 4.22-5) on both SA and Mailscanner, Any suggestions ? Specifics : -MailScanner 4.22-4, SA 2.5.5, RH 9, sendmail 8.12.8 -Doesn't happen with very many addresses, but with ~65,000 messages a day....
-I have 'SpamAssassin Auto Whitelist = no' set in MailScanner.conf -I do use spam.whitelist.rules, not excessively (30 or so entries), and the address to which this was sent (me) has no 'To' or 'FromorTo' lines, nor does the address it was received from have any entries... -I'm betting there is another whitelist setting I'm missing in SA ? Can't find anything, even though this is not an SA list, any suggestions are appreciated MailScanner headers : X-MailScanner: Found to be clean X-MailScanner-SpamCheck: not spam (whitelisted), spamassassin (score=18.4, required 5, BAYES_60, CLICK_BELOW, DATE_IN_FUTURE_12_24, HG_HORMONE, HTML_40_50, HTML_IMAGE_ONLY_06, HTML_LINK_CLICK_HERE, HTML_WEB_BUGS, MIME_HTML_ONLY, MSG_ID_ADDED_BY_MTA_SHORT, RCVD_IN_BL_SPAMCOP_NET, RCVD_IN_DSBL, USERPASS) Brady A. Tucker Internet Complete! inc. http://www.icnet.net From danieltan at shopnsave.com.sg Wed Jul 16 07:11:11 2003 From: danieltan at shopnsave.com.sg (Daniel Tan) Date: Thu Jan 12 21:18:57 2006 Subject: local.cf or spamassassin.prefs.conf? Message-ID: <004401c34b61$0e432c20$3900a8c0@Daniel> Hi all, I am trying to create my own rules to prohibit spam mails. The 20_porn.cf file in /usr/share/spamassassin advises not to edit that file, so currently I have 2 entries in spamassassin.prefs.conf in /etc/MailScanner to do the job nicely for me. But the 20_porn.cf file advises to put my local rules in /etc/mail/spamassassin...tried that but did not work whereas putting the same rules in spamassassin.prefs.conf works! I am thinking of using local.cf file as it is empty whereas spamassassin.prefs.conf file has some settings already in there... Regards, Daniel Tan 67469188 Ext.665 DID: 68430665 MIS Department Shop N Save Pte Ltd : danieltan@shopnsave.com.sg [This e-mail is confidential and may also be privileged. If you are not the intended recipient, please delete it and notify us immediately; you should not copy or use it for any purpose, nor disclose its contents to any other person. Thank you.]
-- This message has been scanned for viruses and dangerous content by Email Virus Scanner, and is believed to be clean. From john at TRADOC.FR Wed Jul 16 07:31:31 2003 From: john at TRADOC.FR (John Wilcock) Date: Thu Jan 12 21:18:57 2006 Subject: A Few Messages are 'whitelisted' even with auto-whitelist off In-Reply-To: References: Message-ID: On Tue, 15 Jul 2003 22:38:20 -0500, Brady A. Tucker wrote: > -I'm betting there is another whitelist setting I'm missing in SA ? Can't > find anything, even though this is not an SA list, any suggestions are > appreciated Could it be the default whitelists in /usr/share/spamassassin/60_whitelist.cf ? John. -- -- Over 2000 webcams from ski resorts around the world - http://www.snoweye.com/ -- Translate your technical documents and web pages - http://www.tradoc.fr/ From kevins at BMRB.CO.UK Wed Jul 16 07:32:55 2003 From: kevins at BMRB.CO.UK (Kevin Spicer) Date: Thu Jan 12 21:18:57 2006 Subject: A Few Messages are 'whitelisted' even with auto-whitelist off In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB001175E48@pascal.priv.bmrb.co.uk> References: <5C0296D26910694BB9A9BBFC577E7AB001175E48@pascal.priv.bmrb.co.uk> Message-ID: <1058337183.15737.6.camel@bach.kevinspicer.co.uk> On Wed, 2003-07-16 at 04:38, Brady A. Tucker wrote: >I have some messages getting through that say they are whitelisted, >though >they are not. I'm not sure when this started as I'm just now looking >for Have you whitelisted your own domains (by name)? - many spammers use your own address as the envelope from address (this doesn't appear in the headers, but may be in your maillog). Note that the whitelist in the header you posted is a MailScanner whitelist (spam.whitelist.rules) not a SpamAssassin whitelist (which would give it a negative score). If you have whitelisted your domains by name change spam.whitelist.rules to whitelist your domain's mail servers by IP instead (alternatively whitelist your entire IP range if that's easier).
BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. From kevins at BMRB.CO.UK Wed Jul 16 07:34:47 2003 From: kevins at BMRB.CO.UK (Kevin Spicer) Date: Thu Jan 12 21:18:57 2006 Subject: A Few Messages are 'whitelisted' even with auto-whitelist off In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB001175E4B@pascal.priv.bmrb.co.uk> References: <5C0296D26910694BB9A9BBFC577E7AB001175E4B@pascal.priv.bmrb.co.uk> Message-ID: <1058337287.13524.9.camel@bach.kevinspicer.co.uk> >On Wed, 2003-07-16 at 07:31, John Wilcock wrote: >On Tue, 15 Jul 2003 22:38:20 -0500, Brady A. Tucker wrote: >> -I'm betting there is another whitelist setting I'm missing in SA ? Can't >> fine anything, even though this is not an SA list, any suggestions are >> appreciated >Could it be the default whitelists in >/usr/share/spamassassin/60_whitelist.cf ? No, because the headers posted showed that it was the mailscanner whitelist and not a spamassassin whitelist (which would give a negative score). BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. 
BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. From kevins at BMRB.CO.UK Wed Jul 16 07:43:38 2003 From: kevins at BMRB.CO.UK (Kevin Spicer) Date: Thu Jan 12 21:18:57 2006 Subject: emails with No Message Collected In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB001175E47@pascal.priv.bmrb.co.uk> References: <5C0296D26910694BB9A9BBFC577E7AB001175E47@pascal.priv.bmrb.co.uk> Message-ID: <1058337818.13524.19.camel@bach.kevinspicer.co.uk> On Wed, 2003-07-16 at 03:23, kfliong wrote: I have checked and my "noetrn" command is in the init script. So, what else could be the reason? Maybe a locking problem? Check that sendmail and MS are using the same lock type (and that none of your mail spools are on NFS shares). You can find sendmail's lock type as described below (from sendmail's site)... "You can determine which locking system is used by sendmail from the output of: sendmail -bt -d0.10 < /dev/null | grep HASFLOCK If HASFLOCK is in the output, your system is using flock() for locking. Otherwise, it is using fcntl() for locking. " fcntl() is called 'posix' in MS, check that 'Lock Type' in MS.conf is set to the correct type (or commented out if sendmail is using flock()). Failing that - have you checked for anything unusual in the maillog? BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business.
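The lock-type comparison described in the message above, scripted as an added example that is not part of the original thread. It reads saved output of `sendmail -bt -d0.10 < /dev/null` and a MailScanner configuration file and applies the rule as stated there; the function names, the abbreviated sample inputs and the configuration file path in the comments are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: compare sendmail's queue-file locking with MailScanner's
# "Lock Type" setting, using the rule given in the message above.
#
# Real use (configuration path assumed):
#   sendmail -bt -d0.10 < /dev/null > /tmp/sendmail-debug.txt
#   check_locking /tmp/sendmail-debug.txt /etc/MailScanner/MailScanner.conf

# Read the sendmail debug output on stdin.
# HASFLOCK present -> flock(); absent -> fcntl(), which MailScanner calls "posix".
sendmail_lock_type() {
    if grep -q 'HASFLOCK'; then
        echo flock
    else
        echo posix
    fi
}

# Read MailScanner.conf on stdin and print the active "Lock Type" value,
# or "unset" when the line is commented out, missing or left empty.
mailscanner_lock_type() {
    value=$(sed -n 's/^[[:space:]]*Lock Type[[:space:]]*=[[:space:]]*\([A-Za-z]*\).*$/\1/p' \
        | tail -n 1 | tr '[:upper:]' '[:lower:]')
    echo "${value:-unset}"
}

# check_locking SENDMAIL_DEBUG_FILE MAILSCANNER_CONF_FILE
# Prints a one-line verdict; returns 0 when the two agree, 1 otherwise.
# A commented-out Lock Type is accepted only when sendmail uses flock(),
# as the message above states.
check_locking() {
    sm=$(sendmail_lock_type < "$1")
    ms=$(mailscanner_lock_type < "$2")
    case "$sm:$ms" in
        flock:flock|flock:unset|posix:posix)
            echo "OK: sendmail=$sm MailScanner=$ms"
            return 0 ;;
        *)
            echo "MISMATCH: sendmail=$sm MailScanner=$ms"
            return 1 ;;
    esac
}

# Constructed sample inputs (abbreviated, not captured from a real host).
write_samples() {
    dir=$1
    cat > "$dir/sendmail-flock.txt" <<'EOF'
Version 8.12.8
 Compiled with: DNSMAP LOG MATCHGECOS MIME7TO8 MIME8TO7 NAMED_BIND NETINET
    OS Defines: HASFCHOWN HASFCHMOD HASFLOCK HASGETUSERSHELL HASINITGROUPS
EOF
    cat > "$dir/sendmail-fcntl.txt" <<'EOF'
Version 8.12.8
 Compiled with: DNSMAP LOG MATCHGECOS MIME7TO8 MIME8TO7 NAMED_BIND NETINET
    OS Defines: HASFCHOWN HASFCHMOD HASGETUSERSHELL HASINITGROUPS
EOF
    printf '%s\n' 'Incoming Queue Dir = /var/spool/mqueue.in' \
        'Lock Type = flock' > "$dir/ms-flock.conf"
    printf '%s\n' 'Incoming Queue Dir = /var/spool/mqueue.in' \
        '#Lock Type = posix' > "$dir/ms-unset.conf"
}

# Demonstration on the constructed samples: one agreeing pair, one mismatch.
tmp=$(mktemp -d)
write_samples "$tmp"
check_locking "$tmp/sendmail-flock.txt" "$tmp/ms-flock.conf" || true
check_locking "$tmp/sendmail-fcntl.txt" "$tmp/ms-flock.conf" || true
rm -rf "$tmp"
```

A mismatch verdict means the two programs lock queue files with different mechanisms, so neither sees the other's lock on a file that is still being written.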
From Thomas.Ehweiner at T-SYSTEMS.COM Wed Jul 16 07:42:27 2003 From: Thomas.Ehweiner at T-SYSTEMS.COM (Thomas Ehweiner) Date: Thu Jan 12 21:18:57 2006 Subject: AW: emails with No Message Collected Message-ID: <698647D9732ED84290AB276EC481B64301EEB4@u8sm7.gppng01.telekom.de> Do you have "timeout waiting for input from during message collect" in your logs? If yes, mtu/mss size is too big for some servers. Thomas > -----Original Message----- > From: kfliong [mailto:kfliong@WOFS.COM] > Sent: Monday, 14 July 2003 11:40 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: emails with No Message Collected > > > Hi, > > I have this problem where some of the outgoing mails are > received as <<< No Message Collected >>>. > > All the contents including attachments are ripped and only > left with this message "<<< No Message Collected >>>". > > I am not sure if this is related to Mailscanner or any of the > settings in it that I have implemented. This is truly strange. > So far, I can't find any pattern that can lead me to diagnose > this problem. The sender, recipient, subject, contents are random. > > I would appreciate any help or suggestions. Thanks in advance. > From kfliong at WOFS.COM Wed Jul 16 08:43:33 2003 From: kfliong at WOFS.COM (kfliong) Date: Thu Jan 12 21:18:57 2006 Subject: emails with No Message Collected In-Reply-To: <1058337818.13524.19.camel@bach.kevinspicer.co.uk> References: <5C0296D26910694BB9A9BBFC577E7AB001175E47@pascal.priv.bmrb.co.uk> <5C0296D26910694BB9A9BBFC577E7AB001175E47@pascal.priv.bmrb.co.uk> Message-ID: <5.2.1.1.0.20030716151522.02674a98@192.168.10.2> I have checked and both sendmail and MS are using flock. I see this in MS.conf file - Lock Type = flock So, both are flock type. Here is a short list of what I get when I tail maillog.
MTP, daemon=MTA, relay=215.Red-80-36-94.pooles.rima-tde.net [80.36.94.215] Jul 16 15:38:00 ensim sendmail[12706]: h6GJbnV12706: to=, delay=00:00:07, mailer=virthostmail, pri=32201, stat=queued Jul 16 15:38:01 ensim MailScanner[12047]: New Batch: Found 2 messages waiting Jul 16 15:38:01 ensim MailScanner[12047]: New Batch: Scanning 1 messages, 2762 bytes Jul 16 15:38:01 ensim MailScanner[12098]: Spam Checks: Found 1 spam messages Jul 16 15:38:01 ensim sendmail[12765]: h6GJc1l12765: from=<>, size=999, class=0, nrcpts=1, msgid=<200307161938.h6GJc1l12765@ensim.wofsproperties.com>, relay=root@localhost Jul 16 15:38:01 ensim MailScanner[12098]: Virus and Content Scanning: Starting Jul 16 15:38:03 ensim sendmail[12768]: h6GJc1l12765: to=mariawantsu@compuserve.com, delay=00:00:02, xdelay=00:00:02, mailer=esmtp, pri=30999, relay=mx2.compuserve.com. [149.174.40.8], dsn=2.0.0, stat=Sent (h6G7hpAR016440 Message accepted for delivery) Jul 16 15:38:05 ensim MailScanner[12047]: Spam Checks: Found 1 spam messages Jul 16 15:38:05 ensim sendmail[12775]: h6GJc5912775: from=<>, size=937, class=0, nrcpts=1, msgid=<200307161938.h6GJc5912775@ensim.wofsproperties.com>, relay=root@localhost Jul 16 15:38:05 ensim MailScanner[12047]: Virus and Content Scanning: Starting Jul 16 15:38:06 ensim sendmail[12778]: h6GJc5912775: to=mariawantsu@yahoo.com, delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=30937, relay=mx2.mail.yahoo.com. 
[64.156.215.5], dsn=5.0.0, stat=Service unavailable Jul 16 15:38:06 ensim sendmail[12778]: h6GJc5912775: h6GJc6812778: postmaster notify: Service unavailable Jul 16 15:38:06 ensim sendmail[12778]: h6GJc6812778: to=root, delay=00:00:00, xdelay=00:00:00, mailer=local, pri=31037, dsn=2.0.0, stat=Sent Jul 16 15:38:23 ensim sendmail[12815]: h6GJcNh12815: from=apache, size=832, class=0, nrcpts=1, msgid=<200307161938.h6GJcNh12815@ensim.wofsproperties.com>, relay=apache@localhost Jul 16 15:38:25 ensim sendmail[12818]: h6GJcNh12815: to=izancj@hotmail.com, ctladdr=apache (48/48), delay=00:00:02, xdelay=00:00:02, mailer=esmtp, pri=30832, relay=mx4.hotmail.com. [65.54.254.151], dsn=2.0.0, stat=Sent ( <200307161938.h6GJcNh12815@ensim.wofsproperties.com> Queued mail for delivery) Well, I am not sure if this is correct, but how come some mails are being handled by MailScanner and some by sendmail? Thanks in advance. At 07:43 AM 7/16/2003 +0100, you wrote: >On Wed, 2003-07-16 at 03:23, kfliong wrote: > >I have checked and my "noetrn" command is in the init script. So, what >else >could be the reason? > >Maybe a locking problem? Check that sendmail and MS are using the same >lock type (and that none of your mail spools are on NFS shares). You >can find sendmail's lock type as described below (from sendmail's site)... > > >"You can determine which locking system is used by sendmail from the >output of: > > sendmail -bt -d0.10 < /dev/null | grep HASFLOCK > >If HASFLOCK is in the output, your system is using flock() for locking. >Otherwise, it is using fcntl() for locking. " > >fcntl() is called 'posix' in MS, check that 'Lock Type' in MS.conf is >set to the correct type (or commented out if sendmail is using flock()). > >Failing that - have you checked for anything unusual in the maillog?
> > > > > >BMRB International >http://www.bmrb.co.uk >+44 (0)20 8566 5000 >_________________________________________________________________ >This message (and any attachment) is intended only for the >recipient and may contain confidential and/or privileged >material. If you have received this in error, please contact the >sender and delete this message immediately. Disclosure, copying >or other action taken in respect of this email or in >reliance on it is prohibited. BMRB International Limited >accepts no liability in relation to any personal emails, or >content of any email which does not directly relate to our >business. From m.sapsed at BANGOR.AC.UK Wed Jul 16 09:02:10 2003 From: m.sapsed at BANGOR.AC.UK (Martin Sapsed) Date: Thu Jan 12 21:18:57 2006 Subject: Eicar signature in the subject line References: <5.2.1.1.0.20030715162735.01b80ea8@xanadu.evi-inc.com> <3F14ADFC.8020103@hpi.com> Message-ID: <3F150682.9040000@bangor.ac.uk> Adam Polkosnik wrote: > Matt Kettler wrote: > >> At 03:36 PM 7/15/2003 -0400, Adam Polkosnik wrote: >> >>> Just as I was updating my mail system and started to do some testing >>> I've noticed that an e-mail with eicar signature in the subject line was >>> able to pass through (without any problem) my mailserver equipped with >>> Mailscanner and ClamAv. >>> Would anyone like to comment on this one? >> >> My comment "Yeah, it works as it should, so what's the issue?" >> > Are you trying to say that by design the Subject line is excluded from > being scanned? Yes, as are the rest of the headers. What would be the point of scanning it? I'm not aware of any way for the contents of the Subject line to be executed (better put a "yet" in there!). As far as I can remember the MyParty "issue" was the only reason MailScanner started checking the body of messages. In general, attachments (including bits of HTML) are the main things to worry about. Cheers, Martin -- Martin Sapsed Information Services "Who do you say I am?" 
University of Wales, Bangor Jesus of Nazareth From m.sapsed at BANGOR.AC.UK Wed Jul 16 09:06:08 2003 From: m.sapsed at BANGOR.AC.UK (Martin Sapsed) Date: Thu Jan 12 21:18:57 2006 Subject: local.cf or spamassassin.prefs.conf? References: <004401c34b61$0e432c20$3900a8c0@Daniel> Message-ID: <3F150770.5080903@bangor.ac.uk> Daniel Tan wrote: > i am trying to create my own rules to prohibit spam mails. As > 20_porn.cf file in /usr/share/spamassassin advice not to edit that file. so > currently i have 2 entries in spamassassin.prefs.conf in /etc/MailScanner > to do the job nicely for me. But 20_porn.cf file advice to put my local > rules in /etc/mail/spamassassin...tried that but did not work whereas > putting the same rules in spamassassin.prefs.conf works! i am thinking of > using local.cf file as it is empty whereas spamassassin.prefs.conf file has > some settings already in there... Received wisdom on the list is to make local.cf a symbolic link to spamassassin.prefs.conf - that way, any alterations affect both MailScanner's use of SpamAssassin and use of spamassassin on its own. > [This e-mail is confidential and may also be privileged. If you are not the > intended recipient, please delete it and notify us immediately; you should > not copy or use it for any purpose, nor disclose its contents to any other > person. Thank you.] [This disclaimer is ludicrous when attached to e-mails to a list. According to it, I shouldn't have read it, replied to it or copied any of it to the list!] ;-) Cheers, Martin -- Martin Sapsed Information Services "Who do you say I am?" 
University of Wales, Bangor Jesus of Nazareth From john at TRADOC.FR Wed Jul 16 10:10:20 2003 From: john at TRADOC.FR (John Wilcock) Date: Thu Jan 12 21:18:57 2006 Subject: Virus Update Scripts with Timeouts In-Reply-To: <2h7tgv47fou2pstqnigrap4ujd7n7tmgrt@tradoc.fr> References: <2h7tgv47fou2pstqnigrap4ujd7n7tmgrt@tradoc.fr> Message-ID: <9a5ahv0brr7sf47ed4ucren4erlotmu5g0@tradoc.fr> On Fri, 11 Jul 2003 13:26:08 +0200, I wrote: > I've tried these new scripts here on a redhat 9 box - they work fine > if called directly from a shell prompt, but for some reason don't log > the usual updated / does not need updating information to the syslog > when called from Julian's cron.hourly script. Any ideas? Suddenly had a flash of inspiration - I'd forgotten to dos2unix these scripts when transferring them from the Windows box on which I receive mail. I don't fully understand why they worked anyway when called directly from shell, but still... they work correctly now no matter how I call them. John. -- -- Over 2000 webcams from ski resorts around the world - http://www.snoweye.com/ -- Translate your technical documents and web pages - http://www.tradoc.fr/ From michele at BLACKNIGHTSOLUTIONS.COM Wed Jul 16 10:39:58 2003 From: michele at BLACKNIGHTSOLUTIONS.COM (Michele Neylon :: Blacknight Solutions) Date: Thu Jan 12 21:18:57 2006 Subject: Blacklisted e-mails not deleted??? In-Reply-To: References: Message-ID: <2098.213.140.31.171.1058348398.squirrel@www.blacknightsolutions.com> > I have a domain on spam blacklist, and in spam actions the same domain > is marked with action delete. > > Their crap still gets delivered however. Is there a bug in > mailscanner-4.22-5? > > Thanks! Why don't you block in via Sendmail -- Mr. 
Michele Neylon Blacknight Solutions http://www.blacknightsolutions.com/ Shell hosting now available ######################################################### This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance to it is prohibited. From mailscanner at BARENDSE.TO Wed Jul 16 10:33:31 2003 From: mailscanner at BARENDSE.TO (Remco Barendse) Date: Thu Jan 12 21:18:57 2006 Subject: Blacklisted e-mails not deleted??? Message-ID: I have a domain on spam blacklist, and in spam actions the same domain is marked with action delete. Their crap still gets delivered however. Is there a bug in mailscanner-4.22-5? Thanks! From Kevin.Spicer at BMRB.CO.UK Wed Jul 16 10:48:34 2003 From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin) Date: Thu Jan 12 21:18:57 2006 Subject: Blacklisted e-mails not deleted??? Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0EBF739@pascal.priv.bmrb.co.uk> Michele Neylon :: Blacknight Solutions wrote: >> I have a domain on spam blacklist, and in spam actions the same >> domain is marked with action delete. >> >> Their crap still gets delivered however. Is there a bug in >> mailscanner-4.22-5? Maybe they are using a different domain in the envelope than the one they are using in the headers? Does the domain show up in your maillog? BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. 
BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. From mailscanner at BARENDSE.TO Wed Jul 16 12:40:17 2003 From: mailscanner at BARENDSE.TO (Remco Barendse) Date: Thu Jan 12 21:18:57 2006 Subject: Blacklisted e-mails not deleted??? In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB0EBF739@pascal.priv.bmrb.co.uk> Message-ID: They do show up in the maillog without any remarks. This is the header as viewed in pine: Return-Path: Received: from gw.xxx.xx (gw.xxx.xxx [1.1.1.1]) by l.xxxx (8.12.8/8.12.8) with ESMTP id h6G9SCos011122 for ; Wed, 16 Jul 2003 11:28:12 +0200 Received: from diseno3. (dsl-200-67-178-168.prodigy.net.mx [200.67.178.168]) by gw.xxx.xxx (8.12.9/8.12.9) with SMTP id h6G9HFR5027587 for ; Wed, 16 Jul 2003 11:27:44 +0200 x-esmtp: 0 0 1 Message-ID: <9493103-22003731662334624@diseno3> From: "QuimiNews" This is what it says in maillog: Jul 16 11:20:13 l sendmail[10506]: h6G9KDos010506: from=, size=17915, class=0, nrcpts=1, msgid=< 4506104-2200373165220452@diseno3>, proto=ESMTP, daemon=MTA, relay= I think maybe that one action in MailScanner cancels the other. New Batch: Scanning 1 messages, 18332 bytes Spam Checks: Found 1 spam messages Virus and Content Scanning: Starting Content Checks: Detected HTML-specific exploits in h6G9KDos010506 Content Checks: Found 1 problems Content Checks: Detected and will convert HTML message to plain text in h6G9KDos010 Uninfected: Delivered 1 messages It seems as if the message has passed through html cleansing, MailScanner forgets to apply the spam delivery rule?? Or maybe the html cleaning does an auto deliver?? On Wed, 16 Jul 2003, Spicer, Kevin wrote: > Michele Neylon :: Blacknight Solutions wrote: > >> I have a domain on spam blacklist, and in spam actions the same > >> domain is marked with action delete. > >> > >> Their crap still gets delivered however. Is there a bug in > >> mailscanner-4.22-5? 
> Maybe they are using a different domain in the envelope than the one they are using in the headers? Does the domain show up in your maillog? > > > > BMRB International > http://www.bmrb.co.uk > +44 (0)20 8566 5000 > _________________________________________________________________ > This message (and any attachment) is intended only for the > recipient and may contain confidential and/or privileged > material. If you have received this in error, please contact the > sender and delete this message immediately. Disclosure, copying > or other action taken in respect of this email or in > reliance on it is prohibited. BMRB International Limited > accepts no liability in relation to any personal emails, or > content of any email which does not directly relate to our > business. > From zabriskw at ITECH.NET Wed Jul 16 13:10:37 2003 From: zabriskw at ITECH.NET (Kris Zabriskie) Date: Thu Jan 12 21:18:57 2006 Subject: A Few Messages are 'whitelisted' even with auto-whitelist off References: Message-ID: <001101c34b93$4498dbd0$0c02a8c0@itech.dom> Brady, I have been trying for a couple of months now, and I can not solve the problem either. If you find a solution could you please post it to the Mailing list, because I know several people are having the same problem. Thanks! ----- Original Message ----- From: "Brady A. Tucker" To: Sent: Tuesday, July 15, 2003 11:38 PM Subject: A Few Messages are 'whitelisted' even with auto-whitelist off > I have some messages getting through that say they are whitelisted, though > they are not. I'm not sure when this started as I'm just now looking for > them specifically, I've done updates as they have come out (Except for MS > 4.22-5) on both SA and Mailscanner, Any suggestions ? > > Specifics : > -MailScanner 4.22-4, SA 2.5.5, RH 9, sendmail 8.12.8 > -Doesn't happen with very many addresses, but with ~65,000 messages a > day.... 
> -I have 'SpamAssassin Auto Whitelist = no' set in MailScanner.conf > -I do use spam.whitelist.rules, not excessively (30 or so entries), and > the address to which this was sent (me) has no 'To' or 'FromorTo' lines, > nor does the address it was received from have any entries... > > -I'm betting there is another whitelist setting I'm missing in SA ? Can't > fine anything, even though this is not an SA list, any suggestions are > appreciated > > > MailScanner headers : > > X-MailScanner: Found to be clean > X-MailScanner-SpamCheck: not spam (whitelisted), spamassassin (score=18.4, > required 5, BAYES_60, CLICK_BELOW, DATE_IN_FUTURE_12_24, HG_HORMONE, > HTML_40_50, HTML_IMAGE_ONLY_06, HTML_LINK_CLICK_HERE, HTML_WEB_BUGS, > MIME_HTML_ONLY, MSG_ID_ADDED_BY_MTA_SHORT, RCVD_IN_BL_SPAMCOP_NET, > RCVD_IN_DSBL, USERPASS) > > > Brady A. Tucker > Internet Complete! inc. > http://www.icnet.net > From steve.douglas at SBIINCORPORATED.COM Wed Jul 16 13:52:02 2003 From: steve.douglas at SBIINCORPORATED.COM (Steve Douglas) Date: Thu Jan 12 21:18:57 2006 Subject: Block whole address Message-ID: <3963522F0E71474CB14C0FF54A6914F7011151DC@mail.gardenbotanika.com> Skipped content of type multipart/alternative-------------- next part -------------- A non-text attachment was scrubbed... Name: Steve Douglas.vcf Type: application/octet-stream Size: 380 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030716/90e81680/SteveDouglas.obj From Kevin.Spicer at BMRB.CO.UK Wed Jul 16 14:05:19 2003 From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin) Date: Thu Jan 12 21:18:57 2006 Subject: Block whole address Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0EBF73E@pascal.priv.bmrb.co.uk> You're probably better off doing that at the MTA (e.g. in sendmail's access database). 
-----Original Message----- From: Steve Douglas [mailto:steve.douglas@SBIINCORPORATED.COM] Sent: 16 July 2003 13:52 To: MAILSCANNER@JISCMAIL.AC.UK Subject: Block whole address Is there a way to block an entire address from entering an email server using MailScanner? BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030716/2bc45e9c/attachment.html From mailscanner at ecs.soton.ac.uk Wed Jul 16 14:30:39 2003 From: mailscanner at ecs.soton.ac.uk (mailscanner) Date: Thu Jan 12 21:18:57 2006 Subject: {Virus?} Re:look,my beautiful girl friend Message-ID: Warning: This message has had one or more attachments removed Warning: (click.bat, msg-1771660-28.html). Warning: Please read the "VirusWarning.txt" attachment(s) for more information. -------------- next part -------------- This is a message from the MailScanner E-Mail Virus Protection Service ---------------------------------------------------------------------- The original e-mail attachment "msg-1771660-28.html" was believed to be infected by a virus and has been replaced by this warning message. If you wish to receive a copy of the *infected* attachment, please e-mail helpdesk and include the whole of this message in your request. Alternatively, you can call them, with the contents of this message to hand when you call. 
At Wed Jul 16 09:31:16 2003 the virus scanner said: Found dangerous IFrame tag in HTML message Note to Help Desk: Look on the MailScanner in /d/MailScanner/quarantine/20030716 (message 19cmMh-004KOX-00). -- Postmaster Mailscanner thanks transtec Computers for their support -------------- next part -------------- This is a message from the MailScanner E-Mail Virus Protection Service ---------------------------------------------------------------------- The original e-mail attachment "click.bat" was believed to be infected by a virus and has been replaced by this warning message. If you wish to receive a copy of the *infected* attachment, please e-mail helpdesk and include the whole of this message in your request. Alternatively, you can call them, with the contents of this message to hand when you call. At Wed Jul 16 09:31:17 2003 the virus scanner said: >>> Virus 'W32/Klez-H' found in file click.bat Batch files are often mailicious (click.bat) Note to Help Desk: Look on the MailScanner in /d/MailScanner/quarantine/20030716 (message 19cmMh-004KOX-00). 
-- Postmaster Mailscanner thanks transtec Computers for their support -------------- next part -------------- Content-Type: application/octet-stream; name=misc[1].htm Content-Transfer-Encoding: base64 Content-ID:
From gerry at dorfam.ca Wed Jul 16 14:50:27 2003 From: gerry at dorfam.ca (Gerry Doris) Date: Thu Jan 12 21:18:57 2006 Subject: Virus Update Scripts with Timeouts In-Reply-To: <9a5ahv0brr7sf47ed4ucren4erlotmu5g0@tradoc.fr> References: <2h7tgv47fou2pstqnigrap4ujd7n7tmgrt@tradoc.fr> <9a5ahv0brr7sf47ed4ucren4erlotmu5g0@tradoc.fr> Message-ID: <64695.129.80.22.133.1058363427.squirrel@tiger.dorfam.ca> > On Fri, 11 Jul 2003 13:26:08 +0200, I wrote: >> I've tried these new scripts here on a redhat 9 box - they work fine >> if called directly from a shell prompt, but for some reason don't log >> the usual updated / does not need updating information to the syslog >> when called from Julian's cron.hourly script. Any ideas? > > Suddenly had a flash of inspiration - I'd forgotten to dos2unix these > scripts when transferring them from the Windows box on which I receive > mail. I don't fully understand why they worked anyway when called > directly from shell, but still... they work correctly now no matter > how I call them. > > John. > Great! No one else complained and I wasn't able to reproduce the error. Thanks for getting back. 
Gerry From robbyv at DISASTER.COM Wed Jul 16 15:00:45 2003 From: robbyv at DISASTER.COM (Rob V) Date: Thu Jan 12 21:18:57 2006 Subject: forged From: In-Reply-To: <64695.129.80.22.133.1058363427.squirrel@tiger.dorfam.ca> References: <9a5ahv0brr7sf47ed4ucren4erlotmu5g0@tradoc.fr> <2h7tgv47fou2pstqnigrap4ujd7n7tmgrt@tradoc.fr> <9a5ahv0brr7sf47ed4ucren4erlotmu5g0@tradoc.fr> Message-ID: <5.2.1.1.2.20030716095822.01de4578@mailhost.disaster.com> Has anyone got a way to block or detect a forged From: address? I am getting spam sent to us with forged From (they are putting that the mail is from someone at our domain). Since we do not scan our own domain these messages are getting in no problem. Any help or suggestions would be appreciated. From zabriskw at ITECH.NET Wed Jul 16 15:03:10 2003 From: zabriskw at ITECH.NET (Kris Zabriskie) Date: Thu Jan 12 21:18:58 2006 Subject: forged From: References: <9a5ahv0brr7sf47ed4ucren4erlotmu5g0@tradoc.fr> <2h7tgv47fou2pstqnigrap4ujd7n7tmgrt@tradoc.fr> <9a5ahv0brr7sf47ed4ucren4erlotmu5g0@tradoc.fr> <5.2.1.1.2.20030716095822.01de4578@mailhost.disaster.com> Message-ID: <001601c34ba2$fe71ec90$0c02a8c0@itech.dom> We got slammed recently with the same problem. The best advice I can give you is to do some research on the check_* feature in sendmail, if you are using sendmail. ----- Original Message ----- From: "Rob V" To: Sent: Wednesday, July 16, 2003 10:00 AM Subject: forged From: > Has Anyone got a way to block or detect a forged From: address. > I am getting spam sent to us with forged From (they are putting that the > mail is from someone at our domain) > Since we do not scan our own domain these messages are getting in no problem. > Any help or suggested would be appreciated. 
> From Kevin.Spicer at BMRB.CO.UK Wed Jul 16 15:08:17 2003 From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin) Date: Thu Jan 12 21:18:58 2006 Subject: forged From: Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0EBF73F@pascal.priv.bmrb.co.uk> Rob V wrote: > Has Anyone got a way to block or detect a forged From: address. > I am getting spam sent to us with forged From (they are putting that > the mail is from someone at our domain) > Since we do not scan our own domain these messages are getting in no > problem. Any help or suggested would be appreciated. You should not whitelist your own domains by their domain name, instead you should whitelist trusted internal servers by IP, or your IP address blocks. BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. From steve.douglas at SBIINCORPORATED.COM Wed Jul 16 15:10:28 2003 From: steve.douglas at SBIINCORPORATED.COM (Steve Douglas) Date: Thu Jan 12 21:18:58 2006 Subject: Block whole address Message-ID: <3963522F0E71474CB14C0FF54A6914F7011151ED@mail.gardenbotanika.com> Awesome. Never thought of that. Thanks for the suggestion! SD :-) -----Original Message----- From: Spicer, Kevin [mailto:Kevin.Spicer@BMRB.CO.UK] Sent: Wednesday, July 16, 2003 8:05 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Block whole address You're probably better off doing that at the MTA (e.g. in sendmail's access database). 
-----Original Message----- From: Steve Douglas [mailto:steve.douglas@SBIINCORPORATED.COM] Sent: 16 July 2003 13:52 To: MAILSCANNER@JISCMAIL.AC.UK Subject: Block whole address Is there a way to block an entire address from entering an email server using MailScanner? BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accept no liability in relation to any personal emails, or content of any email which does not directly relate to our business. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030716/748710b7/attachment.html From chris at TRUDEAU.ORG Wed Jul 16 16:21:53 2003 From: chris at TRUDEAU.ORG (Chris-Personal) Date: Thu Jan 12 21:18:58 2006 Subject: Fw: Rejected posting to MAILSCANNER@JISCMAIL.AC.UK Message-ID: <011301c34bad$fd064da0$5702010a@mscore.trusecure.net> uhhhh.... This is the address i signed up with...did I do something wrong in my subscription process? THX CT ----- Original Message ----- From: "L-Soft list server at JISCMAIL (1.8e)" To: "Chris Trudeau" Sent: Wednesday, July 16, 2003 9:53 AM Subject: Rejected posting to MAILSCANNER@JISCMAIL.AC.UK > You are not authorized to send mail to the MAILSCANNER list from your > ctrudeau@BELLSOUTH.NET account. You might be authorized to send to the list > from another of your accounts, or perhaps when using another mail program which > generates slightly different addresses, but LISTSERV has no way to associate > this other account or address with yours. 
If you need assistance or if you have > any question regarding the policy of the MAILSCANNER list, please contact the > list owners: MAILSCANNER-request@JISCMAIL.AC.UK. > -------------- next part -------------- An embedded message was scrubbed... From: "Chris-Bellsouth" Subject: problems starting Date: Wed, 16 Jul 2003 09:33:21 -0400 Size: 3755 Url: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030716/a8b7989d/problemsstarting.eml From ka at PACIFIC.NET Wed Jul 16 16:30:21 2003 From: ka at PACIFIC.NET (Ken Anderson) Date: Thu Jan 12 21:18:58 2006 Subject: mailscanner only sees the envelope TO Message-ID: <3F156F8D.20505@pacific.net> MailScanner only looks at the envelope TO address, so if your mail server allows messages to have 100 recipients, you have 99 users who can't control what they perceive to be their own email filtering. :-( What is the best way to handle this issue? So far, we've limited the MaxRecipients in sendmail.cf to 10. Users don't send mail out through our MailScanner boxes, so this works reasonably well, since less than 1% of incoming mail is actually addressed to more than 1 user. Thanks for any ideas, Ken A. From mkettler at EVI-INC.COM Wed Jul 16 16:47:58 2003 From: mkettler at EVI-INC.COM (Matt Kettler) Date: Thu Jan 12 21:18:58 2006 Subject: mailscanner only sees the envelope TO In-Reply-To: <3F156F8D.20505@pacific.net> Message-ID: <5.2.1.1.0.20030716114104.014fb008@xanadu.evi-inc.com> At 08:30 AM 7/16/2003 -0700, Ken Anderson wrote: >MailScanner only looks at the envelope TO address, so if your mail >server allows messages to have 100 recipients, you have 99 users who >can't control what they perceive to be their own email filtering. :-( > >What is the best way to handle this issue? > >So far, we've limited the MaxRecipients in sendmail.cf to 10. >Users don't send mail out through our MailScanner boxes, so this works >reasonably well, since less than 1% of incoming mail is actually >addressed to more than 1 user. 
Unfortunately, since there's only one message at the transport layer, only one action can be taken. It's either whitelisted or not. SpamAssassin (a tool used by MailScanner) suffers from the same basic issue whenever it's called at the transport layer. It looks at the body "To:" header (along with some others), and must whitelist if any of the addresses are whitelist addresses. It's unfortunately impossible to magically make one message into many at the MTA layer. It's an inherent drawback. Of course, you can switch to using tools that scan at the point of delivery instead of transport, however those wind up scanning a message once per recipient, instead of once, which increases overhead. It's kind of a trade-off between flexibility and efficiency. (Those who call SA from the MDA can force per-user preference files by using spamc -u with the name of the actual recipient.) From Steve at swaney.com Wed Jul 16 17:09:27 2003 From: Steve at swaney.com (Stephen Swaney) Date: Thu Jan 12 21:18:58 2006 Subject: mailscanner only sees the envelope TO In-Reply-To: <5.2.1.1.0.20030716114104.014fb008@xanadu.evi-inc.com> References: <5.2.1.1.0.20030716114104.014fb008@xanadu.evi-inc.com> Message-ID: <1058371767.22504.9.camel@speedy> What about a MailScanner option that passes delivery of messages to multiple recipients to another program, i.e. procmail? Steve Steve Swaney Steve@Swaney.com On Wed, 2003-07-16 at 11:47, Matt Kettler wrote: > At 08:30 AM 7/16/2003 -0700, Ken Anderson wrote: > >MailScanner only looks at the envelope TO address, so if your mail > >server allows messages to have 100 recipients, you have 99 users who > >can't control what they perceive to be their own email filtering. :-( > > > >What is the best way to handle this issue? > > > >So far, we've limited the MaxRecipients in sendmail.cf to 10. 
> >Users don't send mail out through our MailScanner boxes, so this works > >reasonably well, since less than 1% of incoming mail is actually > >addressed to more than 1 user. > > Unfortunately, since there's only one message at the transport layer, only > one action can be taken. It's either whitelisted or not. > > SpamAssassin (a tool used by MailScanner) suffers from the same basic issue > whenever it's called at the transport layer. It looks at the body "To:" > header (along with some others), and must whitelist if any of the addresses > are whitelist addresses. > > It's unfortunately impossible to magically make one message into many at > the MTA layer.. It's an inherent drawback. > > Of course, you can switch to using tools that scan at the point of delivery > instead of transport, however those wind up scanning a message once per > recipient, instead of once, which increases overhead. It's kind of a > trade-off between flexibility and efficiency. > > (Those who call SA from the MDA can force per-user preference files by > using spamc -u with the name of the actual recipient.) -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030716/7c5f3dd1/attachment.html From robbyv at DISASTER.COM Wed Jul 16 17:12:11 2003 From: robbyv at DISASTER.COM (Rob V) Date: Thu Jan 12 21:18:58 2006 Subject: forged From: In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB0EBF73F@pascal.priv.bmrb.co .uk> Message-ID: <5.2.1.1.2.20030716121105.01e8a498@mailhost.disaster.com> Can I add that in my scan.rules ? like From: 192.168.198. no will that no scan all of 192.168.198 or do I have to add it differently ? At 03:08 PM 7/16/2003 +0100, you wrote: >Rob V wrote: > > Has Anyone got a way to block or detect a forged From: address. 
> > I am getting spam sent to us with forged From (they are putting that > > the mail is from someone at our domain) > > Since we do not scan our own domain these messages are getting in no > > problem. Any help or suggested would be appreciated. > >You should not whitelist your own domains by their domain name, instead >you should whitelist trusted internal servers by IP, or your IP address blocks. > > > >BMRB International >http://www.bmrb.co.uk >+44 (0)20 8566 5000 >_________________________________________________________________ >This message (and any attachment) is intended only for the >recipient and may contain confidential and/or privileged >material. If you have received this in error, please contact the >sender and delete this message immediately. Disclosure, copying >or other action taken in respect of this email or in >reliance on it is prohibited. BMRB International Limited >accepts no liability in relation to any personal emails, or >content of any email which does not directly relate to our >business. Rob Vicchiullo robv@disaster.com http://www.disaster.com (518) 218-0900 From richard_cipher at YAHOO.COM Wed Jul 16 17:23:58 2003 From: richard_cipher at YAHOO.COM (Evert Ford) Date: Thu Jan 12 21:18:58 2006 Subject: mailscanner only sees the envelope TO In-Reply-To: <3F156F8D.20505@pacific.net> Message-ID: To me this sounds more like the job of the MTA(Sendmail or Exim, for example) or the MDA(procmail), since only one is received, but 100 are delivered. I don't know much about other MTA's, but Sendmail can do filtering through changes to sendmail.cf and its access file(aptly named access), and procmail through .procmailrc. 

Evert Ford
Information Analyst
Westone Laboratories
http://www.westone.com

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Ken Anderson
Sent: Wednesday, July 16, 2003 9:30 AM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: mailscanner only sees the envelope TO

MailScanner only looks at the envelope TO address, so if your mail
server allows messages to have 100 recipients, you have 99 users who
can't control what they perceive to be their own email filtering. :-(

What is the best way to handle this issue?

So far, we've limited the MaxRecipients in sendmail.cf to 10.
Users don't send mail out through our MailScanner boxes, so this works
reasonably well, since less than 1% of incoming mail is actually
addressed to more than 1 user.

Thanks for any ideas,
Ken A.

From kevins at BMRB.CO.UK Wed Jul 16 17:49:19 2003
From: kevins at BMRB.CO.UK (Kevin Spicer)
Date: Thu Jan 12 21:18:58 2006
Subject: forged From:
In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB001175E63@pascal.priv.bmrb.co.uk>
References: <5C0296D26910694BB9A9BBFC577E7AB001175E63@pascal.priv.bmrb.co.uk>
Message-ID: <1058374162.8235.0.camel@bach.kevinspicer.co.uk>

On Wed, 2003-07-16 at 17:12, Rob V wrote:

    Can I add that in my scan.rules ?
    like
    From: 192.168.198. no
    will that no scan all of 192.168.198

That should work fine.

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000

From ka at PACIFIC.NET Wed Jul 16 17:56:27 2003
From: ka at PACIFIC.NET (Ken Anderson)
Date: Thu Jan 12 21:18:58 2006
Subject: mailscanner only sees the envelope TO
In-Reply-To: <1058371767.22504.9.camel@speedy>
References: <5.2.1.1.0.20030716114104.014fb008@xanadu.evi-inc.com> <1058371767.22504.9.camel@speedy>
Message-ID: <3F1583BB.3090606@pacific.net>

I've looked at options for using a pop3 proxy with SA, but there's
nothing very mature in this area yet. See Prometo project at sourceforge
if you are interested. But, I'd like to stay with MS because of its
additional capabilities, and do this with per user configs for virtual
users (no accounts on the system means no procmail or spamc -u).

I've also wondered about forcing sendmail to break apart a message by
putting another mailserver out front that accepted up to 20 recipients
per message, but did no filtering. It would just relay to the MS boxes
that would only accept 1 recip per message. Wouldn't the sending
mailserver break the messages up into bits for you, or am I
misunderstanding mail delivery?

from sendmail.org:
MaxRecipientsPerMessage - If set, allow no more than the specified
number of recipients in an SMTP envelope. Further recipients receive a
452 error code (i.e., they are deferred for the next delivery attempt).

Thanks,
Ken A.

Stephen Swaney wrote:
> What about a MailScanner option that passes delivery of messages to
> multiple recipients to another program, i.e. procmail?
>
> Steve
> Steve Swaney
> Steve@Swaney.com
>
> On Wed, 2003-07-16 at 11:47, Matt Kettler wrote:
>
>
>>At 08:30 AM 7/16/2003 -0700, Ken Anderson wrote:
>>
>>>MailScanner only looks at the envelope TO address, so if your mail
>>>server allows messages to have 100 recipients, you have 99 users who
>>>can't control what they perceive to be their own email filtering. :-(
>>>
>>>What is the best way to handle this issue?
>>>
>>>So far, we've limited the MaxRecipients in sendmail.cf to 10.
>>>Users don't send mail out through our MailScanner boxes, so this works
>>>reasonably well, since less than 1% of incoming mail is actually
>>>addressed to more than 1 user.
>>
>>Unfortunately, since there's only one message at the transport layer, only
>>one action can be taken. It's either whitelisted or not.
>>
>>SpamAssassin (a tool used by MailScanner) suffers from the same basic issue
>>whenever it's called at the transport layer. It looks at the body "To:"
>>header (along with some others), and must whitelist if any of the addresses
>>are whitelist addresses.
>>
>>It's unfortunately impossible to magically make one message into many at
>>the MTA layer.. It's an inherent drawback.
>>
>>Of course, you can switch to using tools that scan at the point of delivery
>>instead of transport, however those wind up scanning a message once per
>>recipient, instead of once, which increases overhead. It's kind of a
>>trade-off between flexibility and efficiency.
>>
>>(Those who call SA from the MDA can force per-user preference files by
>>using spamc -u with the name of the actual recipient.)
>
>
>
>

From mkettler at EVI-INC.COM Wed Jul 16 18:48:16 2003
From: mkettler at EVI-INC.COM (Matt Kettler)
Date: Thu Jan 12 21:18:58 2006
Subject: mailscanner only sees the envelope TO
In-Reply-To: <1058371767.22504.9.camel@speedy>
References: <5.2.1.1.0.20030716114104.014fb008@xanadu.evi-inc.com> <5.2.1.1.0.20030716114104.014fb008@xanadu.evi-inc.com>
Message-ID: <5.2.1.1.0.20030716134542.01e4d3b0@xanadu.evi-inc.com>

At 12:09 PM 7/16/2003 -0400, Stephen Swaney wrote:
>What about a MailScanner option that passes delivery of messages to
>multiple recipients to another program, i.e. procmail?
>
>Steve

At that point, why use spam-scanning via MailScanner at all? Why not just
use procmail to call SA for everything?

By passing a subset of the messages to procmail, you've lost any benefits
of using MS to call SA.

From mkettler at EVI-INC.COM Wed Jul 16 18:57:32 2003
From: mkettler at EVI-INC.COM (Matt Kettler)
Date: Thu Jan 12 21:18:58 2006
Subject: Eicar signature in the subject line
In-Reply-To: <3F14ADFC.8020103@hpi.com>
References: <5.2.1.1.0.20030715162735.01b80ea8@xanadu.evi-inc.com> <5.2.1.1.0.20030715162735.01b80ea8@xanadu.evi-inc.com>
Message-ID: <5.2.1.1.0.20030716135527.01e511a8@xanadu.evi-inc.com>

At 09:44 PM 7/15/2003 -0400, you wrote:
>Are you trying to say that by design the Subject line is excluded from
>being scanned?

I'm trying to ponder why on earth the subject line would ever be
scanned for viruses at all.

Client exploits maybe, but viruses, I don't see the point.
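
Added example (not part of any list post, and not MailScanner's own code): a simplified Python model of a first-match sender ruleset, showing why the "forged From:" thread above advises whitelisting trusted servers by IP rather than your own domain by name. The three-field rule syntax is reduced to what appears in the thread; example.com, the sample addresses and the 203.0.113.25 / 198.51.100.9 relays are constructed.

```python
"""Simplified first-match whitelist evaluation (illustrative model only)."""
from fnmatch import fnmatchcase

# Constructed rulesets. example.com stands in for "our domain";
# 192.168.198. is the internal address block mentioned in the thread.
WHITELIST_BY_DOMAIN = """
From:      *@example.com   yes
FromOrTo:  default         no
"""
WHITELIST_BY_IP = """
From:      192.168.198.    yes
FromOrTo:  default         no
"""

# Constructed SMTP transactions: envelope sender, recipients, connecting relay.
MESSAGES = {
    "internal": {"mail_from": "alice@example.com",
                 "rcpt_to": ["bob@example.com"], "client_ip": "192.168.198.7"},
    "forged":   {"mail_from": "alice@example.com",   # sender claims our domain
                 "rcpt_to": ["bob@example.com"], "client_ip": "203.0.113.25"},
    "external": {"mail_from": "carol@example.org",
                 "rcpt_to": ["bob@example.com"], "client_ip": "198.51.100.9"},
}


def parse_ruleset(text):
    """Return a list of (direction, pattern, value) tuples, in file order."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        direction, pattern, value = line.split(None, 2)
        rules.append((direction.rstrip(":").lower(), pattern.lower(),
                      value.strip().lower()))
    return rules


def ip_prefix_match(pattern, client_ip):
    """Match whole octets, so '192.168.19' does not match 192.168.198.x."""
    want = [octet for octet in pattern.split(".") if octet]
    return client_ip.split(".")[:len(want)] == want


def pattern_match(pattern, address, client_ip=None):
    if pattern == "default":
        return True
    if pattern.replace(".", "").isdigit():        # numeric pattern: an IP prefix
        return client_ip is not None and ip_prefix_match(pattern, client_ip)
    if "@" not in pattern:                        # bare domain: any user there
        pattern = "*@" + pattern
    return fnmatchcase(address.lower(), pattern)


def first_match(rules, msg):
    """Value of the first rule that matches the message; 'no' if none does."""
    for direction, pattern, value in rules:
        from_hit = pattern_match(pattern, msg["mail_from"], msg["client_ip"])
        to_hit = any(pattern_match(pattern, rcpt) for rcpt in msg["rcpt_to"])
        if ((direction == "from" and from_hit)
                or (direction == "to" and to_hit)
                or (direction == "fromorto" and (from_hit or to_hit))):
            return value
    return "no"


def evaluate(ruleset_text):
    """Map each sample message name to True if the ruleset whitelists it."""
    rules = parse_ruleset(ruleset_text)
    return {name: first_match(rules, msg) == "yes"
            for name, msg in MESSAGES.items()}


if __name__ == "__main__":
    print("by domain:", evaluate(WHITELIST_BY_DOMAIN))
    print("by IP:    ", evaluate(WHITELIST_BY_IP))
```

The sender address is supplied by whoever connects, so the domain rule exempts the forged message from spam checks; the relay's IP address is not under the sender's control, so the IP rule exempts only mail that really came from the internal block.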

From Steve at swaney.com Wed Jul 16 19:00:47 2003
From: Steve at swaney.com (Stephen Swaney)
Date: Thu Jan 12 21:18:58 2006
Subject: mailscanner only sees the envelope TO
In-Reply-To: <5.2.1.1.0.20030716134542.01e4d3b0@xanadu.evi-inc.com>
References: <5.2.1.1.0.20030716114104.014fb008@xanadu.evi-inc.com> <5.2.1.1.0.20030716114104.014fb008@xanadu.evi-inc.com> <5.2.1.1.0.20030716134542.01e4d3b0@xanadu.evi-inc.com>
Message-ID: <1058378447.22259.19.camel@speedy>

On Wed, 2003-07-16 at 13:48, Matt Kettler wrote:

> At 12:09 PM 7/16/2003 -0400, Stephen Swaney wrote:
> >What about a MailScanner option that passes delivery of messages to
> >multiple recipients to another program, i.e. procmail?
> >
> >Steve
>
> At that point, why use spam-scanning via MailScanner at all? Why not just
> use procmail to call SA for everything?
>

Absolutely right and silly of me not to think of it.

> By passing a subset of the messages to procmail, you've lost any benefits
> of using MS to call SA.

Right again and that is the way I used to use SpamAssassin. Don't want
to go there again!

Am I right in thinking that a message to multiple recipients is not
"split into separate messages" until the local delivery agent is
called? If so, might it be possible to write another delivery agent that
is only called if the message has multiple recipients. This new delivery
agent would simply deliver the individual (split) messages to the
incoming MailScanner directory.

Steve
Steve@Swaney.com

From billa at STERLING.NET Wed Jul 16 20:36:33 2003
From: billa at STERLING.NET (Bill Anderson)
Date: Thu Jan 12 21:18:58 2006
Subject: Whitelist via DNSBL
Message-ID: <015701c34bd1$903c8800$0a010a0a@dirt>

Does mailscanner have the ability to use a whitelist via a DNSBL / DNS Query.
I am looking at implementing TCATS whitelist which is a DNS Query.

Thanks.

From kl571 at YAHOO.COM Wed Jul 16 20:40:47 2003
From: kl571 at YAHOO.COM (Kenny Liu)
Date: Thu Jan 12 21:18:58 2006
Subject: bayes_journal file size
Message-ID: <20030716194047.91859.qmail@web41303.mail.yahoo.com>

- Solaris 8
- MailScanner-4.21-9
- Perl 5.8
- Sendmail 8.12.9
- Spamassassin 2.55

I've been running mailscanner on our mail gateway for
about 9 days and have been pleased with its
functionality. The mail gateway handles about 15K
incoming email of which 33% appear to be spam. I
wanted to know how I can safely control the size of
the bayes_journal file in the /.spamassassin
directory. It just seems to grow and grow. Is there
a setting that I can adjust to put a cap on this
bayes_journal file?

bash-2.03# ls -l
total 279852
-rw-------   1 root     other    140768200 Jul 16 15:23 bayes_journal
-rw-------   1 root     other         3419 Jul 16 15:23 bayes_msgcount
-rw-------   1 root     root        335872 Jul 16 15:20 bayes_seen
-rw-------   1 root     root       2605056 Jul 16 15:20 bayes_toks
-rw-r--r--   1 root     other         1218 Jul  8 15:24 user_prefs

Thanks,
Ken

From kevins at BMRB.CO.UK Wed Jul 16 21:16:16 2003
From: kevins at BMRB.CO.UK (Kevin Spicer)
Date: Thu Jan 12 21:18:58 2006
Subject: bayes_journal file size
In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB001175E6B@pascal.priv.bmrb.co.uk>
References: <5C0296D26910694BB9A9BBFC577E7AB001175E6B@pascal.priv.bmrb.co.uk>
Message-ID: <1058386576.8235.13.camel@bach.kevinspicer.co.uk>

>Is there
>a setting that I can adjust to put a cap on this
>bayes_journal file?

You should run sa-learn --rebuild periodically. The other largish file
is the bayes_toks file which will initially tend to grow quite quickly,
as the Bayes engine learns new tokens. Over time this rate of growth
will slow, and IIRC tokens which have not been used for a while are
removed (not sure on that).

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000

From tyler at BELOIT.EDU Wed Jul 16 21:34:32 2003
From: tyler at BELOIT.EDU (Tim Tyler)
Date: Thu Jan 12 21:18:58 2006
Subject: Sophos issue?
Message-ID: <5.2.0.9.0.20030716145443.01714b78@beloit.edu>

I am in the process of trying to upgrade from mailscanner 2.6 to the latest
4.x version. I am a bit confused in the virus configuration section. We
use Sophos. I believe it's simply the Sophossavi license since we only use
it for email purposes. I have sophos installed in /usr/local/sav with the
sweep binary in /usr/local/bin and the libraries in /usr/local/lib. I
noticed there is a install.sophos script in mailscanner/bin. I presume
that is for the full sophos package and not sophos savi, correct? The old
configuration used to have a direct path for the sweep binary. How do I
make sure that it can find the sweep binary now?

Note:
If I use sophossavi, it doesn't process the messages. I get the following
errors in syslog:
Jul 16 15:07:37 backt MailScanner[27962]: MailScanner E-Mail Virus Scanner version 4.22-5 starting...
Jul 16 15:07:46 backt root: Process did not exit cleanly, returned 2 with signal 0

Somehow, I don't think it's finding the sophos binary, "sweep".

Note: the spam side with spamassassin seems to be working fine.

Tim Tyler
Network Engineer - Beloit College
tyler@beloit.edu

From Steve at swaney.com Wed Jul 16 21:59:52 2003
From: Steve at swaney.com (Stephen Swaney)
Date: Thu Jan 12 21:18:58 2006
Subject: Sophos issue?
In-Reply-To: <5.2.0.9.0.20030716145443.01714b78@beloit.edu>
References: <5.2.0.9.0.20030716145443.01714b78@beloit.edu>
Message-ID: <1058389192.22506.36.camel@speedy>

Tim,

This has been covered before but I'll check the FAQ and add it if it's
missing.

Julian has well scripted the Sophos installation and you need to use his
scripts:

cd to wherever you un-tarred the Sophos files:

    cd /sav-install

then run

    /usr/sbin/Sophos.install

This script does it all!

Then make sure that the SAVI-Perl module is correctly installed:

http://www.sng.ecs.soton.ac.uk/mailscanner/install/SAVI.shtml

Then change your MailScanner.conf file:

Virus Scanners = sophossavi

The update_virus scanners script will also be installed by the new
MailScanner

Note there is no need to run spamd with this setup.

Steve
Steve@Swaney.com

On Wed, 2003-07-16 at 16:34, Tim Tyler wrote:

> I am in the process of trying to upgrade from mailscanner 2.6 to the latest
> 4.x version. I am a bit confused in the virus configuration section. We
> use Sophos. I believe it's simply the Sophossavi license since we only use
> it for email purposes. I have sophos installed in /usr/local/sav with the
> sweep binary in /usr/local/bin and the libraries in /usr/local/lib. I
> noticed there is a install.sophos script in mailscanner/bin. I presume
> that is for the full sophos package and not sophos savi, correct? The old
> configuration used to have a direct path for the sweep binary. How do I
> make sure that it can find the sweep binary now?
> Note:
> If I use sophossavi, it doesn't process the messages. I get the following
> errors in syslog:
> Jul 16 15:07:37 backt MailScanner[27962]: MailScanner E-Mail Virus Scanner
> version 4.22-5 starting...
> Jul 16 15:07:46 backt root: Process did not exit cleanly, returned 2 with
> signal 0
>
> Somehow, I don't think it's finding the sophos binary, "sweep".
>
> Note: the spam side with spamassassin seems to be working fine.
>
>
>
> Tim Tyler
> Network Engineer - Beloit College
> tyler@beloit.edu

From ka at PACIFIC.NET Wed Jul 16 22:50:51 2003
From: ka at PACIFIC.NET (Ken Anderson)
Date: Thu Jan 12 21:18:58 2006
Subject: mailscanner only sees the envelope TO
In-Reply-To: <1058378447.22259.19.camel@speedy>
References: <5.2.1.1.0.20030716114104.014fb008@xanadu.evi-inc.com> <5.2.1.1.0.20030716114104.014fb008@xanadu.evi-inc.com> <5.2.1.1.0.20030716134542.01e4d3b0@xanadu.evi-inc.com> <1058378447.22259.19.camel@speedy>
Message-ID: <3F15C8BB.5030003@pacific.net>

Stephen Swaney wrote:
> On Wed, 2003-07-16 at 13:48, Matt Kettler wrote:
>
>
>>At 12:09 PM 7/16/2003 -0400, Stephen Swaney wrote:
>>
>>>What about a MailScanner option that passes delivery of messages to
>>>multiple recipients to another program, i.e. procmail?
>>>
>>>Steve
>>
>>At that point, why use spam-scanning via MailScanner at all? Why not just
>>use procmail to call SA for everything?
>>
>
>
> Absolutely right and silly of me not to think of it.
>
>
>>By passing a subset of the messages to procmail, you've lost any benefits
>>of using MS to call SA.
>
>
> Right again and that is the way I used to use SpamAssassin. Don't want
> to go there again!
>
> Am I right in thinking that a message to multiple recipients is not
> "split into separate messages" until the local delivery agent is
> called? If so, might it be possible to write another delivery agent that
> is only called if the message has multiple recipients.
> This new delivery
> agent would simply deliver the individual (split) messages to the
> incoming MailScanner directory.

This seems ideal. If sendmail could be made to put all messages in the
incoming MS queue if they have 1 recipient, and all messages with > 1
recipient in another queue. Then you could use perl/other mail tools to
split/clone the messages with >1 recip and then move them back to the MS
incoming queue.

Another option:
Looking at sendmail/TUNING:
------ snip ---------
Before 8.12 sendmail delivers an e-mail sequentially to all its
recipients. For mailing lists or large aliases the overall delivery
time can be substantial...
Some mailing list software therefore "split" up e-mails into smaller
pieces with fewer recipients. Sendmail 8.12 can do this itself, either
across queue groups or within a queue directory... The latter is
controlled by the 'r=' field of a queue group declaration.
...
So for this queue each envelope will have at most 5 recipients.
You can apply this to the main queue:
QUEUE_GROUP(`mqueue', `P=/var/spool/mqueue, F=f, r=5, R=8, I=2m')dnl
-------- snip ---------

Or
QUEUE_GROUP(`mqueue', `P=/var/spool/mqueue, F=f, r=5, R=8, I=2m')dnl
for 1 recip per message.

This could be used to split all messages with multiple recipients into
messages with 1 recipient, right?
Mail could then be queued up properly for MS with 1 recip per message
max, so all per-user rules never affected other users.

Anyone tried this?

Thanks,
Ken A.

> Steve
> Steve@Swaney.com
>

From kevins at BMRB.CO.UK Wed Jul 16 22:49:26 2003
From: kevins at BMRB.CO.UK (Kevin Spicer)
Date: Thu Jan 12 21:18:58 2006
Subject: Sophos issue?
In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB001175E6D@pascal.priv.bmrb.co.uk>
References: <5C0296D26910694BB9A9BBFC577E7AB001175E6D@pascal.priv.bmrb.co.uk>
Message-ID: <1058392167.8235.20.camel@bach.kevinspicer.co.uk>

Set the scanner to 'sophos' if you have just installed Sophos - this
will then call the Sweep binary.

If you find that the startup time for sweep is bogging your mail server
down you can install the savi perl module (as described on the
MailScanner website), this is a perl API that allows one to use the
Sophos C libraries without having to run sweep. Under this circumstance
you should change virus scanners to sophossavi.

The Sophos C libraries come with the command line scanner and there is no
additional license, although you do have to install the perl module
(which is not distributed by Sophos themselves).

Unless you have performance issues it's easier to stick with regular
Sophos.

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000

From steve.douglas at SBIINCORPORATED.COM Wed Jul 16 22:52:04 2003
From: steve.douglas at SBIINCORPORATED.COM (Steve Douglas)
Date: Thu Jan 12 21:18:58 2006
Subject: False-positives
Message-ID: <3963522F0E71474CB14C0FF54A6914F701115206@mail.gardenbotanika.com>

I have the "SPAM lists to reach high score" setting set to 5. My server
only gets about 2000 messages a day, yet I have about 100 or so messages
that were originally identified as SPAM. Is there something I need to do
here? I have white listed these messages by their network IDs to prevent
this in the future, but the false-positives are reflected as an important
area of concern by my management due to the fact a lot of this information
is directly tied to the company's revenue.

Any suggestions are appreciated. Thank you!!!

From lindsay at pa.net Wed Jul 16 23:00:17 2003
From: lindsay at pa.net (Lindsay Snider)
Date: Thu Jan 12 21:18:58 2006
Subject: False-positives
In-Reply-To: <3963522F0E71474CB14C0FF54A6914F701115206@mail.gardenbotanika.com>
References: <3963522F0E71474CB14C0FF54A6914F701115206@mail.gardenbotanika.com>
Message-ID: <200307161800.17241.lindsay@pa.net>

On Wednesday 16 July 2003 17:52, you wrote:
> I have the "SPAM lists to reach high score" setting set to 5. My server

I would suggest picking a larger number than 5. We have ours set to 7 and
see little to no false positives. If you want to be really safe, maybe try
10.

> only gets about 2000 messages a day, yet I have about 100 or so messages
> that were originally identified as SPAM. Is there something I need to do
> here? I have white listed these messages by their network IDs to prevent
> this in the future, but the false-positives are reflected as an important
> area of concern by my management due to the fact a lot of this information is
> directly tied to the company's revenue.
>
> Any suggestions are appreciated. Thank you!!!

From Steve at swaney.com Wed Jul 16 23:47:22 2003
From: Steve at swaney.com (Stephen Swaney)
Date: Thu Jan 12 21:18:58 2006
Subject: mailscanner only sees the envelope TO
In-Reply-To: <3F15C8BB.5030003@pacific.net>
References: <5.2.1.1.0.20030716114104.014fb008@xanadu.evi-inc.com> <5.2.1.1.0.20030716114104.014fb008@xanadu.evi-inc.com> <5.2.1.1.0.20030716134542.01e4d3b0@xanadu.evi-inc.com> <1058378447.22259.19.camel@speedy> <3F15C8BB.5030003@pacific.net>
Message-ID: <1058395642.22259.60.camel@speedy>

From batucker at ICNET.NET Thu Jul 17 01:04:05 2003
From: batucker at ICNET.NET (Brady A. Tucker)
Date: Thu Jan 12 21:18:58 2006
Subject: A Few Messages are 'whitelisted' even with auto-whitelist off
In-Reply-To: <1058337183.15737.6.camel@bach.kevinspicer.co.uk>
Message-ID:

Kevin,

I have not whitelisted my own domains/virtual domains in their entirety..
only those individual users (gluttons) that wish to receive their full and
unfiltered share of SPAM, and a few mailing lists.

However, I did in fact find a resolution for what was causing it, I had
'FROM:' whitelisted my own address at some point for some reason, so when
the return/to address was faked with my own, and whitelisted address, it
was of course accepted/delivered as whitelisted.

Thanks for helping to point this out in a round-about way. I had completely
forgotten that I had whitelisted my own address, I have NO idea why I did
this, so perhaps this will help the other people having difficulties with
this as well.

Brady A. Tucker
Internet Complete! inc.
http://www.icnet.net

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Kevin Spicer
Sent: Wednesday, July 16, 2003 1:33 AM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: A Few Messages are 'whitelisted' even with auto-whitelist off

On Wed, 2003-07-16 at 04:38, Brady A. Tucker wrote:
>I have some messages getting through that say they are whitelisted,
>though
>they are not. I'm not sure when this started as I'm just now looking
>for

Have you whitelisted your own domains (by name)? - many spammers use your
own address as the envelope from address (this doesn't appear in the
headers, but may be in your maillog).
Note that the whitelist in the header you posted is a MailScanner
whitelist (spam.whitelist.rules) not a SpamAssassin whitelist (which
would give it a negative score). If you have whitelisted your domains
by name change spam.whitelist.rules to whitelist your domain's mail
servers by IP instead (alternatively whitelist your entire IP range if
that's easier).

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000

From m.sapsed at BANGOR.AC.UK Thu Jul 17 09:16:00 2003
From: m.sapsed at BANGOR.AC.UK (Martin Sapsed)
Date: Thu Jan 12 21:18:58 2006
Subject: False-positives
References: <3963522F0E71474CB14C0FF54A6914F701115206@mail.gardenbotanika.com>
Message-ID: <3F165B40.30607@bangor.ac.uk>

Steve Douglas wrote:
> I have the "SPAM lists to reach high score" setting set to 5. My server
> only gets about 2000 messages a day, yet I have about 100 or so messages
> that were originally identified as SPAM. Is there something I need to
> do here? I have white listed these messages by their network IDs to
> prevent this in the future, but the false-positives are reflected as an
> important area of concern by my management due to the fact a lot of this
> information is directly tied to the company's revenue.

If I understand you correctly, 100 or so out of 2000 messages per day
are marked as spam when they shouldn't be?

You haven't said which version of SpamAssassin you're using - that has a
big effect on the scores you get.
If you look at the SpamCheck header and
there's a high-value category listed consistently among the
wrongly-marked messages you could lower that score in
MailScanner/etc/spam.assassin.prefs.conf perhaps? If your correctly
marked spam is consistently coming in with higher scores, then just
raise the threshold.

Cheers,

Martin

--
Martin Sapsed
Information Services               "Who do you say I am?"
University of Wales, Bangor             Jesus of Nazareth

From mdunder at GE.UCL.AC.UK Thu Jul 17 09:21:10 2003
From: mdunder at GE.UCL.AC.UK (Mike Dunderdale)
Date: Thu Jan 12 21:18:58 2006
Subject: Block whole address
In-Reply-To:
References:
Message-ID:

If you're going to do the access thing, I suggest the following:

have a set of lines allowing your domain and connecting mail servers to
connect

connect:your.mail.servers               RELAY
connect:127.0.0.1                       RELAY
connect:your.domain.IP                  RELAY
connect:your.transferring.mail.server   RELAY

Add a line allowing abuse@yourdomain.com through even from spammers

To:abuse@               SPAMFRIEND

Add locally allowed email addresses:

From:im@notaspammer.com OK

And then add the domains/spammers to be dropped:

From:spamdomain.com     ERROR:"550 SPAM suspected. Falsely accused should \
                        email abuse@yourdomains.com"

Hope this helps.

M

On Fri, 18 Jul 2003, S Mohan wrote:

> If you are using sendmail, use the access feature to block the address.
> /etc/mail/access file needs to be edited and the address followed by reject
> or drop in capitals should be given in a line.
>
> Mohan
> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On
> Behalf Of Steve Douglas
> Sent: Wednesday, July 16, 2003 6:22 PM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Block whole address
>
>
> Is there a way to block an entire address from entering an email server
> using MailScanner?
>
>
>
>
>
>
>
>
>
>

-------------------------------------------------------------------------
Mike Dunderdale                          | tel: ++44 20 7679 2756
IT Systems Manager, Geomatic Engineering | fax: ++44 20 7380 0453
mike.dunderdale@ge.ucl.ac.uk             | mob: ++44 7939 455 245

From m.sapsed at BANGOR.AC.UK Thu Jul 17 09:22:39 2003
From: m.sapsed at BANGOR.AC.UK (Martin Sapsed)
Date: Thu Jan 12 21:18:58 2006
Subject: Sophos issue?
References: <5C0296D26910694BB9A9BBFC577E7AB001175E6D@pascal.priv.bmrb.co.uk> <1058392167.8235.20.camel@bach.kevinspicer.co.uk>
Message-ID: <3F165CCF.2080307@bangor.ac.uk>

Kevin Spicer wrote:
> Set the scanner to 'sophos' if you have just installed Sophos - this
> will then call the Sweep binary.
>
> If you find that the startup time for sweep is bogging your mail server
> down you can install the savi perl module (as described on the
> MailScanner website), this is a perl API that allows one to use the
> Sophos C libraries without having to run sweep. Under this circumstance
> you should change virus scanners to sophossavi.
>
> The Sophos C libraries come with the command line scanner and there is no
> additional license, although you do have to install the perl module
> (which is not distributed by Sophos themselves).
>
> Unless you have performance issues it's easier to stick with regular
> Sophos.

The only thing I'd add to Kevin's answer is that you should use the
supplied Sophos.install script to do the install in the way MailScanner
likes it. (I confess that I alter the script slightly because I wanted
intercheck available but that's just me!) If you want to use the command
line scanner to check something then call sweep via the sophos-wrapper
rather than directly.

Cheers,

Martin

--
Martin Sapsed
Information Services               "Who do you say I am?"
University of Wales, Bangor             Jesus of Nazareth

From dean.plant at ROKE.CO.UK Thu Jul 17 10:02:53 2003
From: dean.plant at ROKE.CO.UK (Plant, Dean)
Date: Thu Jan 12 21:18:58 2006
Subject: forged From:
Message-ID:

Instead of whitelisting, would it be better to use a ruleset for enabling
spamchecks only for your domain? Then a forged From: would not be missed.

ie.

Spam Checks = /etc/MailScanner/rules/spam.check.rules

To:        *@your.domain.com   yes
FromOrTo:  default             no

Dean Plant

-----Original Message-----
From: Spicer, Kevin [mailto:Kevin.Spicer@BMRB.CO.UK]
Sent: 16 July 2003 15:08
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: forged From:

Rob V wrote:
> Has Anyone got a way to block or detect a forged From: address.
> I am getting spam sent to us with forged From (they are putting that
> the mail is from someone at our domain)
> Since we do not scan our own domain these messages are getting in no
> problem. Any help or suggestions would be appreciated.

You should not whitelist your own domains by their domain name, instead
you should whitelist trusted internal servers by IP, or your IP address
blocks.

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000

--
Registered Office: Roke Manor Research Ltd, Siemens House, Oldbury, Bracknell,
Berkshire. RG12 8FZ

The information contained in this e-mail and any attachments is confidential to
Roke Manor Research Ltd and must not be passed to any third party without
permission.
This communication is for information only and shall not create or
change any contractual relationship.

From Steve at swaney.com Thu Jul 17 12:43:31 2003
From: Steve at swaney.com (Stephen Swaney)
Date: Thu Jan 12 21:18:58 2006
Subject: White-Black-listing Email to multiple recipients
In-Reply-To:
References:
Message-ID: <1058442210.22498.106.camel@speedy>

From mailscannerlist at TNJINFL.COM Thu Jul 17 13:49:41 2003
From: mailscannerlist at TNJINFL.COM (James Pifer)
Date: Thu Jan 12 21:18:58 2006
Subject: MailScanner/Sendmail + Mailman?
Message-ID: <1058446180.18388.26.camel@tweety.tnjinfl.com>

Anyone running Mailman on the same server that is running MailScanner
with Sendmail?

The Mailman readme wants you to configure the sendmail.cf and make some
changes. I don't want to mess up my functioning MailScanner server.

Anyone doing this? Anyone have any suggestions for making Mailman work
in this situation? Right now it doesn't seem to deliver mail.

Thanks,
James

From Steve at swaney.com Thu Jul 17 13:55:49 2003
From: Steve at swaney.com (Stephen Swaney)
Date: Thu Jan 12 21:18:58 2006
Subject: MailScanner/Sendmail + Mailman?
In-Reply-To: <1058446180.18388.26.camel@tweety.tnjinfl.com>
References: <1058446180.18388.26.camel@tweety.tnjinfl.com>
Message-ID: <1058446549.1570.7.camel@speedy>

I'm running Mailman on two systems, Red Hat 7 and red Hat 8, that are
also running MailScanner and SpamAssassin. Quite nice because my lists
get NO spam.

No Problems.

Steve
Steve@Swaney.com

On Thu, 2003-07-17 at 08:49, James Pifer wrote:

> Anyone running Mailman on the same server that is running MailScanner
> with Sendmail?
>
> The Mailman readme wants you to configure the sendmail.cf and make some
> changes. I don't want to mess up my functioning MailScanner server.
>
> Anyone doing this? Anyone have any suggestions for making Mailman work
> in this situation? Right now it doesn't seem to deliver mail.
>
> Thanks,
> James

From David.While at UCE.AC.UK Thu Jul 17 13:52:53 2003
From: David.While at UCE.AC.UK (David While)
Date: Thu Jan 12 21:18:58 2006
Subject: MailScanner/Sendmail + Mailman?
Message-ID: <107DE25EC0216C45AEF670016024245F6EFA@exchangea.staff.uce.ac.uk>

Yep - I am running Mailman on the same server as sendmail and MailScanner and have no problems. The only changes I made were to the sendmail alias files to provide the mailman aliases. This has no effect on MailScanner.

-----------------------------------------------------------------
David While
Technical Development Manager
Faculty of Computing, Information & English
University of Central England
Tel: 0121 331 6211
-----------------------------------------------------------------

-----Original Message-----
From: James Pifer [mailto:mailscannerlist@TNJINFL.COM]
Sent: 17 July 2003 13:50
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: MailScanner/Sendmail + Mailman?

Anyone running Mailman on the same server that is running MailScanner with Sendmail?

The Mailman readme wants you to configure the sendmail.cf and make some changes. I don't want to mess up my functioning MailScanner server.

Anyone doing this? Anyone have any suggestions for making Mailman work in this situation? Right now it doesn't seem to deliver mail.

Thanks,
James

From mdlaney at morehouse.edu Thu Jul 17 14:00:06 2003
From: mdlaney at morehouse.edu (Matt Laney)
Date: Thu Jan 12 21:18:58 2006
Subject: MailScanner/Sendmail + Mailman?
In-Reply-To: <1058446180.18388.26.camel@tweety.tnjinfl.com> from "James Pifer" at Jul 17, 2003 08:49:41 AM Message-ID: <200307171300.JAA31594@earl.morehouse.edu> > Anyone running Mailman on the same server that is running MailScanner > with Sendmail? Yep: MailScanner 4.22-5, sendmail 8.12.something, GNU Mailman 2.0.something. Works great. > The Mailman readme wants you to configure the sendmail.cf and make some > changes. I don't want to mess up my functioning MailScanner server. I ran through the Mailman docs just now and didn't see any required changes to sendmail.cf, rather a couple aliases to enter and a smrsh change ( cd /usr/adm/sm.bin && ln -s /home/mailman/mail/wrapper . ). What did it ask you to do? (Perhaps I have an old version that doesn't require whatever this is.) > Right now it doesn't seem to deliver mail. Can you tell from your sendmail logs or from the mailman data/ and qfiles/ and logs/ directories how far along the delivery process is going? Is the mail getting to mailman? If so, is it being sent out (by the cron job, qrunner, I believe)? -Matt -- Matt Laney, mdlaney@morehouse.edu Network and Unix Systems Engineer Morehouse College --- Atlanta, GA From wmcdonald at ORCTEL.CO.UK Thu Jul 17 14:09:42 2003 From: wmcdonald at ORCTEL.CO.UK (Will Mc Donald) Date: Thu Jan 12 21:18:58 2006 Subject: Restarting the MailScanner process. Message-ID: <0a1601c34c64$b315d960$cb3ca8c0@orctel.internal> Guys, hopefully a quickie here. I've just modified my MailScanner.conf to look at a rule to allow HTML
tags FromOrTo just one specific address. We're running MailScanner-4.22-4 from the tarball distribution and I just wanted to know what's the quickest, safest way to restart to reread that config? Can I just kill -1 the PPID? Or do I kill the process and its children then run check_mailscanner again? Cheers, Will. From David.While at UCE.AC.UK Thu Jul 17 14:09:48 2003 From: David.While at UCE.AC.UK (David While) Date: Thu Jan 12 21:18:58 2006 Subject: Restarting the MailScanner process. Message-ID: <107DE25EC0216C45AEF670016024245F6EFB@exchangea.staff.uce.ac.uk> If you are running RedHat try service MailScanner reload ----------------------------------------------------------------- David While Technical Development Manager Faculty of Computing, Information & English University of Central England Tel: 0121 331 6211 ----------------------------------------------------------------- -----Original Message----- From: Will Mc Donald [mailto:wmcdonald@ORCTEL.CO.UK] Sent: 17 July 2003 14:10 To: MAILSCANNER@JISCMAIL.AC.UK Subject: Restarting the MailScanner process. Guys, hopefully a quickie here. I've just modified my MailScanner.conf to look at a rule to allow HTML tags FromOrTo just one specific address. We're running MailScanner-4.22-4 from the tarball distribution and I just wanted to know what's the quickest, safest way to restart to reread that config? Can I just kill -1 the PPID? Or do I kill the process and its children then run check_mailscanner again? Cheers, Will. From zabriskw at ITECH.NET Thu Jul 17 14:11:41 2003 From: zabriskw at ITECH.NET (Kris Zabriskie) Date: Thu Jan 12 21:18:58 2006 Subject: Restarting the MailScanner process. References: <0a1601c34c64$b315d960$cb3ca8c0@orctel.internal> Message-ID: <000401c34c64$f6dcc550$0c02a8c0@itech.dom> I have always killed all the processes (kill -9), and then used check_mailscanner to kick it back off again. ----- Original Message ----- 
From: "Will Mc Donald"
To:
Sent: Thursday, July 17, 2003 9:09 AM
Subject: Restarting the MailScanner process.

> Guys,
>
> hopefully a quickie here. I've just modified my MailScanner.conf to look at a rule to allow HTML tags FromOrTo just one specific address.
>
> We're running MailScanner-4.22-4 from the tarball distribution and I just wanted to know what's the quickest, safest way to restart to reread that config? Can I just kill -1 the PPID? Or do I kill the process and its children then run check_mailscanner again?
>
> Cheers,
>
> Will.
>

From Kevin.Spicer at BMRB.CO.UK Thu Jul 17 14:16:44 2003
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin)
Date: Thu Jan 12 21:18:58 2006
Subject: Restarting the MailScanner process.
Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0EBF74B@pascal.priv.bmrb.co.uk>

When I do service MailScanner reload, I see in the logs...

MailScanner child caught a SIGHUP

So I would suggest that sending all the MailScanner processes a SIGHUP should do the job.

BMRB International
http://www.bmrb.co.uk +44 (0)20 8566 5000

From wmcdonald at ORCTEL.CO.UK Thu Jul 17 14:18:28 2003
From: wmcdonald at ORCTEL.CO.UK (Will Mc Donald)
Date: Thu Jan 12 21:18:58 2006
Subject: Restarting the MailScanner process.
References: <107DE25EC0216C45AEF670016024245F6EFB@exchangea.staff.uce.ac.uk>
Message-ID: <0a5101c34c65$fd1f4a40$cb3ca8c0@orctel.internal>

I think that probably only works for the RPM install since all it does (AFAIA) is:

/etc/rc.d/init.d/$service restart

And there's no $service for MailScanner since it's a tarball install.

Cheers anyway though.

Will.

----- Original Message -----
From: "David While"

> If you are running RedHat try
>
> service MailScanner reload
>
> -----Original Message-----
> From: Will Mc Donald [mailto:wmcdonald@ORCTEL.CO.UK]
>
> I just wanted to know what's the quickest, safest way to restart to reread that config?

From mailscanner at BARENDSE.TO Thu Jul 17 14:49:45 2003
From: mailscanner at BARENDSE.TO (Remco Barendse)
Date: Thu Jan 12 21:18:58 2006
Subject: DSN: Return receipt ??
In-Reply-To: <20030702153804.GA15524@internetx.de>
Message-ID:

I have something which I can't quite figure out:

I use the following to kill all the read/not read messages with sendmail through the following lines in sendmail.mc:

LOCAL_RULESETS
F{SSJunk} /etc/mail/ssjunk.txt
F{DiscardSubs} /etc/mail/discardsubs.txt

HSubject: $>Check_Subject

SCheck_Subject
R$* $={SSJunk} $*	$#error $: NMJUNKSUB
R$* NMJUNKSUB $*	$#error $: "553 Rejected"
R$* $={DiscardSubs} $*	$#discard

This is what's in discardsubs.txt

read:
not.read:
gelezen:
niet.gelezen:
le?do:
no.le?do:

Still some read/not read messages are getting through. When I look at the copies in normal view in pine the subject line is this:

Subject: Read: FW: Entrega de

which should comply with the sendmail rule to get discarded (but isn't).

I suspect this maybe because of M$ Exchange doing something funny with the read receipt messages (they are generated by Exchange, not Outlook according to the signature of the message).

When doing full header view the subject looks like this:

Subject: =?iso-8859-1?Q?Read=3A_FW=3A_Entrega_de

If the funny subject is indeed the problem is there any way to filter these weird messages out too??

The option in the message below (goaway) doesn't do anything in my case, I think sendmail will refuse to send out DSN messages but all the users are connected to an Exchange server and the behaviour of Exchange is not affected by this option (apparently the mails themselves aren't cleaned of any DSN parts either).

Any help greatly appreciated!

Remco

On Wed, 2 Jul 2003, Sebastian Wiesinger wrote:

> * Remco Barendse [2003-07-02 16:15]:
> > In the maillog I noticed a remark about a DSN: Return receipt.
> >
> > What does the line from maillog mean? Any return receipt did not appear in
> > the mailbox for archived outgoing mail.
>
> If a user adds a "Return-Receipt-To: " header to his/her
> mail, sendmail will deliver a receipt upon successful delivery of the
> mail. You can deactivate this feature with the following option in
> your sendmail.mc:
>
> define(`confPRIVACY_FLAGS', `noreceipts')dnl
>
> From the sendmail operation guide:
> #v+
> public          Allow open access
> needmailhelo    Insist on HELO or EHLO command before MAIL
> needexpnhelo    Insist on HELO or EHLO command before EXPN
> noexpn          Disallow EXPN entirely, implies noverb.
> needvrfyhelo    Insist on HELO or EHLO command before VRFY
> novrfy          Disallow VRFY entirely
> noetrn          Disallow ETRN entirely
> noverb          Disallow VERB entirely
> restrictmailq   Restrict mailq command
> restrictqrun    Restrict -q command line flag
> restrictexpand  Restrict -bv and -v command line flags
> noreceipts      Don't return success DSNs20
> nobodyreturn    Don't return the body of a message with DSNs
> goaway          Disallow essentially all SMTP status queries
> authwarnings    Put X-Authentication-Warning: headers in messages
>                 and log warnings
> #v-
>
> I prefer the following line:
>
> define(`confPRIVACY_FLAGS', `goaway,noreceipts,restrictqrun,restrictexpand')dnl
>
> > I use sendmail rules to discard read receipt messages but in this case
> > there is nothing in the maillog that this message or reply was discarded.
>
> I don't know what rules you use for discarding, but the configuration
> option above is the right way to deactivate the DSN2.x.x messages.
>
> For more info about the privacy options, see the sendmail installation
> and operation guide (op/op.txt.gz).
>
> --
> InterNetX GmbH
> Sebastian Wiesinger
> System Administration
>
> eMail: sw@internetx.de
>

From mailscannerlist at TNJINFL.COM Thu Jul 17 15:05:02 2003
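The mismatch described in Remco Barendse's post above (a plain-text rule never sees "Read:" inside an RFC 2047 encoded Subject), shown as an added example that is not part of any list message: the header is decoded before the read-receipt prefixes are matched. The sample subjects are constructed, the prefix match is anchored at the start of the subject, and reading the "." in the discardsubs.txt entries as a space is an assumption.

```python
"""Added example: decode RFC 2047 Subject headers before matching
read-receipt prefixes. All sample subjects below are constructed."""
from email.errors import HeaderParseError
from email.header import decode_header, make_header

# Prefixes taken from the discardsubs.txt entries quoted in the post.
# Assumption: the "." in "not.read:" / "niet.gelezen:" stands for a space.
DISCARD_PREFIXES = ("read:", "not read:", "gelezen:", "niet gelezen:")


def decode_subject(raw):
    """Return the Subject as readable text, decoding any encoded-words."""
    unfolded = " ".join(raw.split())  # undo header folding (CRLF + space)
    try:
        return str(make_header(decode_header(unfolded)))
    except (HeaderParseError, LookupError, UnicodeDecodeError):
        # Malformed encoded-word or unknown charset: keep the raw text.
        return unfolded


def is_receipt_raw(raw):
    """Naive check against the header exactly as it travels on the wire."""
    return raw.strip().lower().startswith(DISCARD_PREFIXES)


def is_receipt_decoded(raw):
    """Same prefix check, applied after RFC 2047 decoding."""
    return decode_subject(raw).strip().lower().startswith(DISCARD_PREFIXES)


# Constructed sample subjects (not taken from real mail).
SAMPLES = [
    "Read: FW: Informe",                          # plain ASCII
    "=?iso-8859-1?Q?Read=3A_FW=3A_Informe?=",     # Q-encoded, as Exchange sends
    "=?utf-8?B?UmVhZDogdGVzdA==?=",               # base64-encoded "Read: test"
    "=?iso-8859-1?Q?Niet_gelezen=3A?=\r\n =?iso-8859-1?Q?_Offerte?=",  # folded
    "=?iso-8859-1?Q?Reading_list?=",              # encoded, but not a receipt
    "Quarterly report",                           # ordinary mail
]


def classify(samples):
    """Return (decoded subject, raw hit, decoded hit) for each sample."""
    return [
        (decode_subject(s), is_receipt_raw(s), is_receipt_decoded(s))
        for s in samples
    ]


if __name__ == "__main__":
    for decoded, raw_hit, decoded_hit in classify(SAMPLES):
        print(f"{decoded!r:32} raw={raw_hit!s:5} decoded={decoded_hit}")
```

Only the first sample is caught by the raw check; the three encoded receipts are caught only after decoding.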
From: mailscannerlist at TNJINFL.COM (James Pifer) Date: Thu Jan 12 21:18:58 2006 Subject: MailScanner/Sendmail + Mailman? In-Reply-To: <200307171300.JAA31594@earl.morehouse.edu> References: <200307171300.JAA31594@earl.morehouse.edu> Message-ID: <1058450701.18388.39.camel@tweety.tnjinfl.com> Well, first I tried the Mailman RPM that comes with Redhat and had trouble with the Admin pages not saving changes. The Mailman list said to uninstall the RPM and download the newer non-rpm install. The README.SENDMAIL says to look at mm-handler.readme, and that's where it talks about modifying the cf file. I don't think you really need to after taking another look. One thing it did say you "must" do was to modify the mailertable and add an entry like(their example): listtest.uchicago.edu mailman:listtest.uchicago.edu Did you have to modify the mailertable? I looked at the files you suggested and found a few things. Under data/qfiles there was a file that said I should have some stuff in /etc/aliases, so I added those entries as it suggested. I can see what appears to be the outgoing messages stuck in /qfiles/virgin. I see nothing in /var/log/messages related to my mailman list. I didn't see anything about changing the wrapper stuff. Maybe that's what I'm missing? Honestly not sure I understand what you said here: smrsh change (cd /usr/adm/sm.bin && ln -s /home/mailman/mail/wrapper. ). Would I type that line exactly as you show in the ()? Thanks for your help. James On Thu, 2003-07-17 at 09:00, Matt Laney wrote: > > Anyone running Mailman on the same server that is running MailScanner > > with Sendmail? > > Yep: MailScanner 4.22-5, sendmail 8.12.something, GNU Mailman > 2.0.something. Works great. > > > > The Mailman readme wants you to configure the sendmail.cf and make some > > changes. I don't want to mess up my functioning MailScanner server. 
> > I ran through the Mailman docs just now and didn't see any required > changes to sendmail.cf, rather a couple aliases to enter and a smrsh > change ( cd /usr/adm/sm.bin && ln -s /home/mailman/mail/wrapper . ). > > What did it ask you to do? (Perhaps I have an old version that doesn't > require whatever this is.) > > > > Right now it doesn't seem to deliver mail. > > Can you tell from your sendmail logs or from the mailman data/ and qfiles/ > and logs/ directories how far along the delivery process is going? > Is the mail getting to mailman? If so, is it being sent out (by the > cron job, qrunner, I believe)? > > > -Matt > > > -- > Matt Laney, mdlaney@morehouse.edu > Network and Unix Systems Engineer > Morehouse College --- Atlanta, GA From mdlaney at morehouse.edu Thu Jul 17 15:30:19 2003 
From: mdlaney at morehouse.edu (Matt Laney) Date: Thu Jan 12 21:18:58 2006 Subject: MailScanner/Sendmail + Mailman? In-Reply-To: <1058450701.18388.39.camel@tweety.tnjinfl.com> from "James Pifer" at Jul 17, 2003 10:05:02 AM Message-ID: <200307171430.KAA31790@earl.morehouse.edu> James, > The README.SENDMAIL says to look at mm-handler.readme... Ah--that's if you're using mm-handler as your local delivery agent for mailman. I'm not, and I happen to know nothing about it. If you're also not using mm-handler, then the stuff you stuck in the sendmail aliases file should help. (Make sure to rebuild that with 'newaliases'.) > Did you have to modify the mailertable? No, but I run my list processor on the same domain as the rest of my stuff. That is, I didn't add a subdomain just for Mailman. In my experience, adding extra mailertable entries for your own domains doesn't really hurt, so I'd suggest trying it and, if you find later that something else might have made it work, undo it to see if it's necessary. > I can see what appears to be the outgoing messages stuck in > /qfiles/virgin. Sounds like the qrunner process isn't running. Check the Mailman documentation for some stuff to run from cron periodically. You can run it by hand, too, just to see if that's what's causing the problem. > I see nothing in /var/log/messages related to my mailman list. I'd expect mail.log or sendmail.log to be more helpful: that will show if the mail was delivered to your Mailman setup or not. For example: Jul 16 08:58:02 mybox sendmail[1242]: h6klaj025495: to="|/home/mailman/mail/wrapper post big-list-l", ctladdr= (51/0), delay=00:00:04, xdelay=00:00:01, mailer=prog, pri=120787, dsn=2.0.0, stat=Sent This is where sendmail dropped a message on Mailman. If that part is happening, the problem isn't in the aliases and probably is in Mailman. > I didn't see anything about changing the wrapper stuff. Maybe that's > what I'm missing? 
Honestly not sure I understand what you said here: > smrsh change (cd /usr/adm/sm.bin && ln -s /home/mailman/mail/wrapper. ). > Would I type that line exactly as you show in the ()? Yep. That's if you're using sendmail's restricted shell (smrsh): it needs symlinks in its directory, which might not be the one I mentioned, before it'll run your wrapper program. Sendmail will gripe fairly loudly in the logs if that's not configured right, though. If this doesn't help, let's take the conversation off the list for a bit since it's pretty off-topic. We can come back to present the solution. -Matt -- Matt Laney, mdlaney@morehouse.edu Network and Unix Systems Engineer Morehouse College --- Atlanta, GA From mikea at MIKEA.ATH.CX Thu Jul 17 16:16:16 2003 From: mikea at MIKEA.ATH.CX (mikea) Date: Thu Jan 12 21:18:58 2006 Subject: storing spam and ham as mbox files Message-ID: <20030717101616.A80801@mikea.ath.cx> Is there a way to store ham and spam as mbox files, or just to concatenate all the ham to one file and all the spam to another? I know about Non Spam Actions, High Scoring Spam Actions, and Spam Actions, but these (at least in the MailScanner version I have) just store to directories in the quarantine subtree, and then only as queue files. I'd *love* to be able to store them as mbox files, so that I could just run mutt against them to see what had been caught overnight, and it would mean that I didn't have to forward spam to my Lotus Notes mailbox. The Lotus Notes admin would be happy about that, too, I can assure you. -- Mike Andrews mikea@mikea.ath.cx Tired old sysadmin since 1964 From Kevin.Spicer at BMRB.CO.UK Thu Jul 17 16:20:15 2003 
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin)
Date: Thu Jan 12 21:18:58 2006
Subject: storing spam and ham as mbox files
Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0EBF750@pascal.priv.bmrb.co.uk>

> Is there a way to store ham and spam as mbox files, or just to
> concatenate all the ham to one file and all the spam to another?
>

Can't you just use the forward action to forward the mails to a mailbox on the local machine?

BMRB International
http://www.bmrb.co.uk +44 (0)20 8566 5000

From ka at PACIFIC.NET Thu Jul 17 16:23:31 2003
From: ka at PACIFIC.NET (Ken Anderson)
Date: Thu Jan 12 21:18:58 2006
Subject: mailscanner only sees the envelope TO - solved
In-Reply-To: <1058395642.22259.60.camel@speedy>
References: <5.2.1.1.0.20030716114104.014fb008@xanadu.evi-inc.com> <5.2.1.1.0.20030716114104.014fb008@xanadu.evi-inc.com> <5.2.1.1.0.20030716134542.01e4d3b0@xanadu.evi-inc.com> <1058378447.22259.19.camel@speedy> <3F15C8BB.5030003@pacific.net> <1058395642.22259.60.camel@speedy>
Message-ID: <3F16BF73.8020401@pacific.net>

I have incoming sendmail splitting multiple recipient messages into multiple messages, so MailScanner and SA only see 1 recip per message.

Here's what I did. If any sendmail gurus out there think this is a bad idea, please let me know what a mess I've made of things :-)

1) Start the incoming sendmail with a different config file.
Changes to /etc/rc.d/init.d/MailScanner (from rpm install on redhat)
make this change to the incoming sendmail command line:

------ snip -------
$SENDMAIL -bd -OPrivacyOptions=noetrn \
  -ODeliveryMode=queueonly \
  -OQueueDirectory=$INQDIR \
  -OPidFile=$INPID \
  -C/etc/mail/sendmail_in.cf
-------- snip --------

2) Make changes to the new sendmail config:

cp /etc/mail/sendmail.cf /etc/mail/sendmail_in.cf

In sendmail_in.cf, add the following:
The comment header "QUEUE GROUP DEFINITIONS" should be there already. Just add the single line under it.

------- snip --------
############################
# QUEUE GROUP DEFINITIONS #
############################
Qmqueue, P=/var/spool/mqueue.in, F=f, r=1, R=8, I=2m
------- snip --------

AND, just above the "Ruleset 3" comment header, add the following:
(not sure if both lines are required or not...)
--------- snip --------
# LOCAL_RULESETS
Squeuegroup
R$* @ $*	$# mqueue
R$*	$# mqueue

############################################
### Ruleset 3 -- Name Canonicalization ###
############################################
--------- snip ----------

Restart sendmail, and things like this start showing up in the log when messages with multiple recipients come in:

Jul 17 08:14:31 host sendmail[7183]: h6HFDop8007183: split: maxrcpts=1, rcpts=3, count=2, ids=h6HFDop9007183; h6HFDopA007183

So now mailscanner only sees 1 recip per message and rulesets only apply to the user they are supposed to apply to. Cool, huh?

Thanks for all the suggestions!

Ken A
Pacific.Net

Stephen Swaney wrote:

> Excellent thought. Certainly the MTA is the right place to accomplish
> this if it can do the job. More below.
>
> On Wed, 2003-07-16 at 17:50, Ken Anderson wrote:
>
>>Stephen Swaney wrote:
>>
>>>On Wed, 2003-07-16 at 13:48, Matt Kettler wrote:
>>>
>>>>At 12:09 PM 7/16/2003 -0400, Stephen Swaney wrote:
>>>>
>>>>>What about a MailScanner option that passes delivery of messages to
>>>>>multiple to a recipients to another program, i.e. procmail?
>>>>>
>>>>>Steve
>>>>
>>>>At that point, why use spam-scanning via MailScanner at all? Why not just
>>>>use procmail to call SA for everything?.
>>>>
>>>
>>>Absolutely right and silly of me not to think of it.
>>>
>>>>By passing a subset of the messages to procmail, you've lost any benefits
>>>>of using MS to call SA.
>>>
>>>Right again and that is the way I used to use SpamAssassin. Don't want
>>>to go there again!
>>>
>>>Am I right in thinking that a message to multiple recipients is not
>>>"split into separate messages" until the local delivery agent is
>>>called? If so, might it be possible to write another delivery agent that
>>>is only called if the message has multiple recipients. This new delivery
>>>agent would simply deliver the individual (split) messages to the
>>>incoming MailScanner directory.
>> >>This seems ideal. If sendmail could be made to put all messages in the >>incoming MS queue if they have 1 recipient, and all messages with > 1 >>recipient in another queue. Then you could use perl/other mail tools to >>split/clone the messages with >1 recip and then move them back to the MS >>incoming queue. > > > > >>Another option: >> >>Looking at sendmail/TUNING: >>------ snip --------- >> >>Before 8.12 sendmail delivers an e-mail sequentially to all its >>recipients. For mailing lists or large aliases the overall delivery >>time can be substantial... Some mailing list software therefore "split" >>up e-mails into smaller pieces with fewer recipients. Sendmail 8.12 can >>do this itself, either across queue groups or within a queue >>directory... The latter is controlled by the 'r=' field of a queue group >>declaration. >>... So for this queue each envelope will have at most 5 recipients. >>You can apply this to the main queue: >>QUEUE_GROUP(`mqueue', `P=/var/spool/mqueue, F=f, r=5, R=8, I=2m')dnl >> > > > Very good catch. It if nothing else it pointed me to the sendmail tuning > file :) > > >>-------- snip --------- >> >>Or QUEUE_GROUP(`mqueue', `P=/var/spool/mqueue, F=f, r=5, R=8, I=2m')dnl >>for 1 recip per message. >> > > > I'm having a hard time finding the documentation for the F=f & I=2m > flags. Also wouldn't this operate on only emails with more the 5 > recipients (r=5), splitting the message into multiple messages, each > with 5 recipients? Since I believe "R=" the number of queue runners and > we wouldn't want any want "real" delivery (just MailScanner) picking up > the messages, might something like: > > > QUEUE_GROUP(`multimqueue', `P=/var/spool/mqueue.in, F=f, r=1, R=0')dnl > > > Work? Would this split the messages and leave them where MailScanner > would normally pick them up? 
> > Since you would want this behavior only of the instance of sendmail that > that processing incoming mail, that instance of sendmail might best call > a separate sendmail.cf file. > > Any comments or suggestions appreciated. > > > >>This could be used to split all messages with multiple recipients into >>messages with 1 recipient, right? Mail could then be queued up properly >>for MS with 1 recip per message max, so all per-user rules never >>affected other users. Anyone tried this? >> >>Thanks, >> >>Ken A. >> >> >> >>>Steve >>>Steve@Swaney.com >>> > > From billa at STERLING.NET Thu Jul 17 16:23:34 2003 From: billa at STERLING.NET (Bill Anderson) Date: Thu Jan 12 21:18:58 2006 Subject: DNSBL Whitelist Message-ID: <043101c34c77$6392a540$0a010a0a@dirt> I asked this question earlier, however from the lack of response, I assume I posed the question unclearly. In the MailScanner.conf file there is a section to use blacklist by using ORDB, MAPS, etc... # This is the list of spam blacklists (RBLs) which you are using. # See the "Spam List Definitions" file for more information about what # you can put here. # This can also be the filename of a ruleset. Spam List = ORDB-RBL Infinite-Monkeys # MAPS-RBL+ costs money (except .ac.uk) Is there a way to do the same thing, however make the response a whitelist. There is a service out there called TCATS, that provides a whitelist of good IP's as well as a black list. I would like to use the whitelist to reduce false positives, but have not found a way to integrate it with MailScanner. Here is the the link to TCATS: http://www.the-carrot-and-the-stick.com/How_To/index.php?VIEW=direct_query From andersjk at SOL-INVICTUS.ORG Thu Jul 17 16:29:17 2003 
From: andersjk at SOL-INVICTUS.ORG (Kevin Anderson)
Date: Thu Jan 12 21:18:58 2006
Subject: storing spam and ham as mbox files
In-Reply-To: <20030717101616.A80801@mikea.ath.cx>
Message-ID:

on my linux box i create a user spam, installed pine then forward all spam mail to that, then in the morning sort thru it to see if any real mail was caught, or for automation use bounce and delete the spam, of course any NDR's will come back with error messages which is no fun then setup procmail with this:

:0 B
*Unsolicited commercial email rejected
/dev/null

:0
* ^From.*
! user@domain.com

user@domain.com is then the replacement postmaster.

thanks,
kevin

On Thu, 17 Jul 2003, mikea wrote:

> Is there a way to store ham and spam as mbox files, or just to
> concatenate all the ham to one file and all the spam to another?
>
> I know about Non Spam Actions, High Scoring Spam Actions, and Spam
> Actions, but these (at least in the MailScanner version I have) just
> store to directories in the quarantine subtree, and then only as
> queue files.
>
> I'd *love* to be able to store them as mbox files, so that I could
> just run mutt against them to see what had been caught overnight, and
> it would mean that I didn't have to forward spam to my Lotus Notes
> mailbox.
>
> The Lotus Notes admin would be happy about that, too, I can assure
> you.
>
> --
> Mike Andrews
> mikea@mikea.ath.cx
> Tired old sysadmin since 1964
>

--
@ _____________________________________________
chaos, panic and disorder... my job is done...

From mikea at MIKEA.ATH.CX Thu Jul 17 16:31:52 2003
From: mikea at MIKEA.ATH.CX (mikea) Date: Thu Jan 12 21:18:58 2006 Subject: storing spam and ham as mbox files In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB0EBF750@pascal.priv.bmrb.co.uk>; from Kevin.Spicer@BMRB.CO.UK on Thu, Jul 17, 2003 at 04:20:15PM +0100 References: <5C0296D26910694BB9A9BBFC577E7AB0EBF750@pascal.priv.bmrb.co.uk> Message-ID: <20030717103152.A81002@mikea.ath.cx> On Thu, Jul 17, 2003 at 04:20:15PM +0100, Spicer, Kevin wrote: > > Is there a way to store ham and spam as mbox files, or just to > > concatenate all the ham to one file and all the spam to another? > Can't you just use the forward action to forward the mails to a mailbox on the local machine? I'll give it a try. Nope. The "forward" action requires an address of the form something@domain, and just supplying an address local to the machine without the "@domain" part fails. Unfortunately for me, the MX for our "inside" network is a Lotus Notes server which is set to not relay anywhere. I can't get that changed, and it is ... well, "unpleasant" is a very short way out along that axis, and my situation lies considerably farther out. Any ideas will be enthusiastically examined, and probably will be given The Old School Try. -- Mike Andrews mikea@mikea.ath.cx Tired old sysadmin since 1964 From Kevin.Spicer at BMRB.CO.UK Thu Jul 17 16:36:41 2003 
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin)
Date: Thu Jan 12 21:18:58 2006
Subject: storing spam and ham as mbox files
Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0EBF751@pascal.priv.bmrb.co.uk>

>
> Nope.
>
> The "forward" action requires an address of the form something@domain,
> and just supplying an address local to the machine without the
> "@domain" part fails.
>

You should be able to do yourname@yourmailserver.yourdomain.com, or possibly yourname@localhost.

BMRB International
http://www.bmrb.co.uk +44 (0)20 8566 5000

From mikea at MIKEA.ATH.CX Thu Jul 17 16:47:13 2003
From: mikea at MIKEA.ATH.CX (mikea) Date: Thu Jan 12 21:18:58 2006 Subject: storing spam and ham as mbox files In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB0EBF751@pascal.priv.bmrb.co.uk>; from Kevin.Spicer@BMRB.CO.UK on Thu, Jul 17, 2003 at 04:36:41PM +0100 References: <5C0296D26910694BB9A9BBFC577E7AB0EBF751@pascal.priv.bmrb.co.uk> Message-ID: <20030717104713.A81139@mikea.ath.cx> On Thu, Jul 17, 2003 at 04:36:41PM +0100, Spicer, Kevin wrote: > > > > > > Nope. > > > > The "forward" action requires an address of the form something@domain, > > and just supplying an address local to the machine without the > > "@domain" part fails. > > > You should be able to do yourname@yourmailserver.yourdomain.com, or possibly yourname@localhost. No; I tried that. The MX won't relay back to this machine, or indeed to any other machine; stuff goes to the MX (Lotus Notes) and thence to Dave Null if addressed to the MX. Decidedly Unpleasant. I'll plead with the Notes admin, but I really expect to get nowhere fast. -- Mike Andrews mikea@mikea.ath.cx Tired old sysadmin since 1964 From denis at IMSLTD.COM Thu Jul 17 16:40:25 2003 From: denis at IMSLTD.COM (Denis Croombs) Date: Thu Jan 12 21:18:58 2006 Subject: storing spam and ham as mbox files References: <5C0296D26910694BB9A9BBFC577E7AB0EBF751@pascal.priv.bmrb.co.uk> <20030717104713.A81139@mikea.ath.cx> Message-ID: <013c01c34c79$c178a950$9601a8c0@cel1700> Try root@localhost denis www.just-server.co.uk ----- Original Message ----- 
From: "mikea" To: Sent: Thursday, July 17, 2003 4:47 PM Subject: Re: storing spam and ham as mbox files > On Thu, Jul 17, 2003 at 04:36:41PM +0100, Spicer, Kevin wrote: > > > > > > > > > Nope. > > > > > > The "forward" action requires an address of the form something@domain, > > > and just supplying an address local to the machine without the > > > "@domain" part fails. > > > > > You should be able to do yourname@yourmailserver.yourdomain.com, or possibly yourname@localhost. > > No; I tried that. The MX won't relay back to this machine, or indeed > to any other machine; stuff goes to the MX (Lotus Notes) and thence > to Dave Null if addressed to the MX. > > Decidedly Unpleasant. > > I'll plead with the Notes admin, but I really expect to get nowhere > fast. > > -- > Mike Andrews > mikea@mikea.ath.cx > Tired old sysadmin since 1964 --- Outgoing mail is certified Virus Free. Checked by AVG anti-virus system (http://www.grisoft.com). Version: 6.0.501 / Virus Database: 299 - Release Date: 14/07/2003 From Kevin.Spicer at BMRB.CO.UK Thu Jul 17 16:55:58 2003 
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin)
Date: Thu Jan 12 21:18:58 2006
Subject: storing spam and ham as mbox files
Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0EBF752@pascal.priv.bmrb.co.uk>

> No; I tried that. The MX won't relay back to this machine, or indeed
> to any other machine; stuff goes to the MX (Lotus Notes) and thence
> to Dave Null if addressed to the MX.
>

But it should never leave the machine if addressed to localhost (presuming you're using sendmail) - it should be passed to procmail for local delivery. Unless that is you have configured your box with a smarthost (but then presumably you wouldn't be scanning outgoing mail in that case?)

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000
_________________________________________________________________
This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business.

From mikea at MIKEA.ATH.CX Thu Jul 17 17:06:40 2003
From: mikea at MIKEA.ATH.CX (mikea)
Date: Thu Jan 12 21:18:58 2006
Subject: storing spam and ham as mbox files
In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB0EBF752@pascal.priv.bmrb.co.uk>; from Kevin.Spicer@BMRB.CO.UK on Thu, Jul 17, 2003 at 04:55:58PM +0100
References: <5C0296D26910694BB9A9BBFC577E7AB0EBF752@pascal.priv.bmrb.co.uk>
Message-ID: <20030717110640.A81383@mikea.ath.cx>

On Thu, Jul 17, 2003 at 04:55:58PM +0100, Spicer, Kevin wrote:
> > No; I tried that. The MX won't relay back to this machine, or indeed
> > to any other machine; stuff goes to the MX (Lotus Notes) and thence
> > to Dave Null if addressed to the MX.
> >
> But it should never leave the machine if addressed to localhost
> (presuming you're using sendmail) - it should be passed to procmail
> for local delivery. Unless that is you have configured your box with a
> smarthost (but then presumably you wouldn't be scanning outgoing mail
> in that case?)

Sendmail is configured with the Lotus server as a smarthost, for reasons related to the overall (ugly) setup of the firewall and Lotus server, and to management paranoia^Wconcerns. All mail that comes into this box goes to the Notes server, I can't do anything about it now. Before I retired and came back as a contract peon, I was #2 in the IT division and *still* couldn't do anything about it; I tried. Now I have absolutely zero stroke.

So, within the "all mail inbound to this box will definitely go to the Notes server and stay there" constraint, what can I do to preserve ham and spam on the MailScanner box as something other than queuefiles?

--
Mike Andrews
mikea@mikea.ath.cx
Tired old sysadmin since 1964

From mikea at MIKEA.ATH.CX Thu Jul 17 17:12:58 2003
From: mikea at MIKEA.ATH.CX (mikea)
Date: Thu Jan 12 21:18:58 2006
Subject: storing spam and ham as mbox files
In-Reply-To: <3F16C852.5050307@sumark.com>; from rismiller@SUMARK.COM on Thu, Jul 17, 2003 at 12:01:22PM -0400
References: <20030717101616.A80801@mikea.ath.cx> <3F16C852.5050307@sumark.com>
Message-ID: <20030717111258.B81383@mikea.ath.cx>

On Thu, Jul 17, 2003 at 12:01:22PM -0400, Chad Rismiller wrote:
> mikea wrote:
> > Is there a way to store ham and spam as mbox files, or just to
> > concatenate all the ham to one file and all the spam to another?
> >
> > I know about Non Spam Actions, High Scoring Spam Actions, and Spam
> > Actions, but these (at least in the MailScanner version I have) just
> > store to directories in the quarantine subtree, and then only as
> > queue files.
>
> If you quarantine your spam, then just run df2mbox located in the
> MailScanner/bin directory. This will turn all your qf and df files into
> mbox files. I run mine like this:
>
> df2mbox /var/spool/MailScanner/quarantine/*

Thanks! I was unaware of that utility!

--
Mike Andrews
mikea@mikea.ath.cx
Tired old sysadmin since 1964

From rismiller at SUMARK.COM Thu Jul 17 17:01:22 2003
From: rismiller at SUMARK.COM (Chad Rismiller)
Date: Thu Jan 12 21:18:58 2006
Subject: storing spam and ham as mbox files
In-Reply-To: <20030717101616.A80801@mikea.ath.cx>
References: <20030717101616.A80801@mikea.ath.cx>
Message-ID: <3F16C852.5050307@sumark.com>

mikea wrote:
> Is there a way to store ham and spam as mbox files, or just to
> concatenate all the ham to one file and all the spam to another?
>
> I know about Non Spam Actions, High Scoring Spam Actions, and Spam
> Actions, but these (at least in the MailScanner version I have) just
> store to directories in the quarantine subtree, and then only as
> queue files.

If you quarantine your spam, then just run df2mbox located in the MailScanner/bin directory. This will turn all your qf and df files into mbox files. I run mine like this:

df2mbox /var/spool/MailScanner/quarantine/*

Chad

From steve.freegard at LBSLTD.CO.UK Thu Jul 17 17:16:28 2003
From: steve.freegard at LBSLTD.CO.UK (Steve Freegard)
Date: Thu Jan 12 21:18:58 2006
Subject: storing spam and ham as mbox files
Message-ID: <67D9E7698329D411936E00508B6590B902773A2D@neelix.lbsltd.co.uk>

Mike,

I've been playing with the MailScanner quarantine actions quite a bit recently with a view to putting 'Quarantine Manager' screens into MailWatch.

I know this isn't exactly what you want - but you could set:

Spam/High Scoring Spam Actions = store
Quarantine Whole Message = yes
Quarantine Whole Messages As Queue Files = no

in MailScanner.conf - then you'll have all the files in /var/spool/MailScanner/quarantine//(not-spam|spam)/ stored as files in message/rfc822 format that you can parse with awk/perl to do what you want with it.

Alternatively there may be a util around out there somewhere to munge a load of rfc822 files into mbox format...

Just an idea while I was watching this thread....

Kind regards,
Steve.
--
Steve Freegard
Systems Manager
Littlehampton Book Services Ltd.

-----Original Message-----
From: mikea [mailto:mikea@MIKEA.ATH.CX] Sent: 17 July 2003 16:32 To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: storing spam and ham as mbox files On Thu, Jul 17, 2003 at 04:20:15PM +0100, Spicer, Kevin wrote: > > Is there a way to store ham and spam as mbox files, or just to > > concatenate all the ham to one file and all the spam to another? > Can't you just use the forward action to forward the mails to a mailbox on the local machine? I'll give it a try. Nope. The "forward" action requires an address of the form something@domain, and just supplying an address local to the machine without the "@domain" part fails. Unfortunately for me, the MX for our "inside" network is a Lotus Notes server which is set to not relay anywhere. I can't get that changed, and it is ... well, "unpleasant" is a very short way out along that axis, and my situation lies considerably farther out. Any ideas will be enthusiastically examined, and probably will be given The Old School Try. -- Mike Andrews mikea@mikea.ath.cx Tired old sysadmin since 1964 -- This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the sender and delete the message from your mailbox. This footnote also confirms that this email message has been swept by MailScanner (www.mailscanner.info) for the presence of computer viruses. From tyler at beloit.edu Thu Jul 17 17:44:09 2003 
From: tyler at beloit.edu (Tim Tyler) Date: Thu Jan 12 21:18:58 2006 Subject: Sophos issue? Message-ID: <200307171644.h6HGi9p37282@beloit.edu> Ok, I have 10's of thousands of messages that go out in a day on my student server. I think it would be to my advantage to have the savi perl module installed. The steps were going fine until I got to step 6 of the Perl SAVI Module instructions: Create a link so that "-lsavi" works: [ -e /usr/local/Sophos/lib/libsavi.so.2 ] && ln -sf libsavi.so.2 /usr/local/Sophos/lib/libsavi.so [ -e /usr/local/Sophos/lib/libsavi.so.3 ] && ln -sf libsavi.so.3 /usr/local/Sophos/lib/libsavi.so I don't quite understand this step. I am running on an AIX5.1 system. I don't have any libsavi.so* files laying around anywhere. Should I? Should I skip this step? Am I missing libraries that I should have from Sophos? Note: the sophos/lib directory has libsavi.a and vdl.* files. Can someone clarify this step better to me? -thanks! Tim > Set the scanner to 'sophos' if you have just installed > Sophos - this will then call the Sweep binary. > > If you find that the startup time for sweep is bogging > your mail server down you can install the savi perl module > (as described on the MailScanner website), this is a perl > API that allows one to use the Sophos C libraries without > having to run sweep. Under this circumstance you should > change virus scanners to sophossavi. > > The Sophos C libraries come with the command line scanner > and there is n additional license, although you do have to > install the perl module (which is not distributed by > Sophos themselves). > > Unless you have performance issues its easier to stick > with regular Sophos. > > > > > > > > BMRB International > http://www.bmrb.co.uk > +44 (0)20 8566 5000 > __________________________________________________________ > _______ This message (and any attachment) is intended only > for the recipient and may contain confidential and/or > privileged material. 
If you have received this in error, > please contact the sender and delete this message > immediately. Disclosure, copying or other action taken in > respect of this email or in reliance on it is prohibited. > BMRB International Limited accepts no liability in > relation to any personal emails, or content of any email > which does not directly relate to our business. > Tim Tyler Network Engineer From vosburgh at DALSEMI.COM Thu Jul 17 17:54:04 2003 From: vosburgh at DALSEMI.COM (David Vosburgh) Date: Thu Jan 12 21:18:59 2006 Subject: storing spam and ham as mbox files References: <5C0296D26910694BB9A9BBFC577E7AB0EBF751@pascal.priv.bmrb.co.uk> <20030717104713.A81139@mikea.ath.cx> Message-ID: <3F16D4AC.2090100@dalsemi.com> is this what you're looking for: High Scoring Spam Actions = forward spam-archive-highscore@MS-server.your-domain.com and then create an alias in /etc/mail/aliases that points to a local file: spam-archive-highscore: /blah/blah/blah/spam-archive-highscore and then read them with pine. dave mikea wrote: >On Thu, Jul 17, 2003 at 04:36:41PM +0100, Spicer, Kevin wrote: > > >>> >>> >>>Nope. >>> >>>The "forward" action requires an address of the form something@domain, >>>and just supplying an address local to the machine without the >>>"@domain" part fails. >>> >>> >>> >>You should be able to do yourname@yourmailserver.yourdomain.com, or possibly yourname@localhost. >> >> > >No; I tried that. The MX won't relay back to this machine, or indeed >to any other machine; stuff goes to the MX (Lotus Notes) and thence >to Dave Null if addressed to the MX. > >Decidedly Unpleasant. > >I'll plead with the Notes admin, but I really expect to get nowhere >fast. > >-- >Mike Andrews >mikea@mikea.ath.cx >Tired old sysadmin since 1964 > > > From kevins at BMRB.CO.UK Thu Jul 17 18:47:52 2003 
From: kevins at BMRB.CO.UK (Kevin Spicer) Date: Thu Jan 12 21:18:59 2006 Subject: [Fwd: Re: Sophos issue?] Message-ID: <1058464072.6514.10.camel@bach.kevinspicer.co.uk> Sorry, I meant to post this to the list... > From: Kevin Spicer > To: tyler@beloit.edu > Subject: Re: Sophos issue? > Date: 17 Jul 2003 18:39:41 +0100 > > I don't quite understand this step. I am running on an > AIX5.1 system. I don't have any libsavi.so* files laying > around anywhere. Should I? Should I skip this step? Am I > missing libraries that I should have from Sophos? Note: the > sophos/lib directory has libsavi.a and vdl.* files. Can > someone clarify this step better to me? -thanks! > > You can't skip the step, however it doesn't look good as a .a file is a > static library, not a shared library like a .so file. So it looks like > Sophos on AIX is statically linked. > > Maybe you could build the savi module statically linked - but this means > you'll have to rebuild it every time you do an upgrade of Sophos to the > latest version, you may well decide that isn't worth it. BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. From mailscanner at LISTS.COM.AR Thu Jul 17 19:20:56 2003 
From: mailscanner at LISTS.COM.AR (Mariano Absatz) Date: Thu Jan 12 21:18:59 2006 Subject: mcafee-autoupdate not executable Message-ID: <3F16BED8.8981.107DC89D@localhost> Hi Julian, a small one for your homecoming... The mcafee-autoupdate script inside the 4.22-5 tarball is not executable... would you "chmod +x " it, please? TIA -- Mariano Absatz El Baby ---------------------------------------------------------- Build a system that even a fool can use, and only a fool will use it. From Steve at swaney.com Thu Jul 17 19:24:35 2003 From: Steve at swaney.com (Stephen Swaney) Date: Thu Jan 12 21:18:59 2006 Subject: [Fwd: Re: Sophos issue?] In-Reply-To: <1058464072.6514.10.camel@bach.kevinspicer.co.uk> References: <1058464072.6514.10.camel@bach.kevinspicer.co.uk> Message-ID: <1058466275.1333.27.camel@speedy> Did you use /usr/sbin/Sophos.install to install Sophos? I posted a response to a similar problem on the faq-o-matic yesterday. Try using Julian's script to install Sophos. Steve Steve@Swaney.com On Thu, 2003-07-17 at 13:47, Kevin Spicer wrote: > Sorry, I meant to post this to the list... 
> > > From: Kevin Spicer > > To: tyler@beloit.edu > > Subject: Re: Sophos issue? > > Date: 17 Jul 2003 18:39:41 +0100 > > > > I don't quite understand this step. I am running on an > > AIX5.1 system. I don't have any libsavi.so* files laying > > around anywhere. Should I? Should I skip this step? Am I > > missing libraries that I should have from Sophos? Note: the > > sophos/lib directory has libsavi.a and vdl.* files. Can > > someone clarify this step better to me? -thanks! > > > > You can't skip the step, however it doesn't look good as a .a file is a > > static library, not a shared library like a .so file. So it looks like > > Sophos on AIX is statically linked. > > > > Maybe you could build the savi module statically linked - but this means > > you'll have to rebuild it every time you do an upgrade of Sophos to the > > latest version, you may well decide that isn't worth it. > > > > > > BMRB International > http://www.bmrb.co.uk > +44 (0)20 8566 5000 > _________________________________________________________________ > This message (and any attachment) is intended only for the > recipient and may contain confidential and/or privileged > material. If you have received this in error, please contact the > sender and delete this message immediately. Disclosure, copying > or other action taken in respect of this email or in > reliance on it is prohibited. BMRB International Limited > accepts no liability in relation to any personal emails, or > content of any email which does not directly relate to our > business. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030717/c3aecf67/attachment.html From emcc-mailscanner at CTCNET.COM Thu Jul 17 19:47:22 2003 
From: emcc-mailscanner at CTCNET.COM (Eric McClelland)
Date: Thu Jan 12 21:18:59 2006
Subject: Mysterious MailScanner hangs
In-Reply-To:
Message-ID:

Well I feel a little silly because I somehow overlooked something in syslog:

Jul 13 04:04:15 Iris MailScanner[10213]: Batch: Found invalid queue file for message 8BEE88EABD

Doing some research on this message I discovered this issue had been raised back in May:

http://www.jiscmail.ac.uk/cgi-bin/wa.exe?A2=ind0305&L=mailscanner&P=R22003&I=-1

...only I hadn't looked back that far in the archives. I installed MailScanner 4.22-5 and the problem disappeared.

Thanks for the responses.

Cheers,
--Eric

From vboulytchev at COINFOTECH.COM Thu Jul 17 20:23:38 2003
From: vboulytchev at COINFOTECH.COM (Boulytchev, Vasiliy)
Date: Thu Jan 12 21:18:59 2006
Subject: subscribe
Message-ID: <1958DE295D9656499ECAAD3642822DE0033F6B@willow.office.coinfotech.com>

Vasiliy Boulytchev
Colorado Information Technologies Inc.
(719) 473-2800 x15

From vboulytchev at COINFOTECH.COM Thu Jul 17 20:36:18 2003
From: vboulytchev at COINFOTECH.COM (Boulytchev, Vasiliy)
Date: Thu Jan 12 21:18:59 2006
Subject: .bad files .....
Message-ID: <1958DE295D9656499ECAAD3642822DE0033F6E@willow.office.coinfotech.com>

Ladies and Gents,

I have an issue with mailscanner putting .bad files in /var/Communigate/Submitted/

I have looked at most of MailScanner's code...... I don't see the point where that is being added, so I am thinking it's something else.

PLEASE HELP!!!!!!!!!!!!!!!!!!!!!!!

Vasiliy Boulytchev
Colorado Information Technologies Inc.
(719) 473-2800 x15

From chris at FRACTALWEB.COM Thu Jul 17 20:36:05 2003
From: chris at FRACTALWEB.COM (Chris Yuzik)
Date: Thu Jan 12 21:18:59 2006
Subject: attach spam doesn't work
Message-ID: <018401c34c9a$aa455190$1501a8c0@pandora>

Hi,

I tried setting up my MailScanner.conf file to do attachments for spam, but then all mail stopped coming in.

I had: Spam Actions = attachment

But then no spam came in...it just got eaten by the server. As soon as I changed it back to:
Spam Actions = deliver

Then the spam started flowing again. Now, much as I would like to see all spam go away...I don't think this is a safe option and is certainly not what I intended.

Also, I was using one of my email addresses to test the spam filtering and labelling and have sent the "gtube" string several times. Now I can't seem to send any email from that address anymore. I do have "auto-whitelist=yes". Any thoughts?

Thanks,
Chris

From Steve at swaney.com Thu Jul 17 20:44:22 2003
From: Steve at swaney.com (Stephen Swaney)
Date: Thu Jan 12 21:18:59 2006
Subject: attach spam doesn't work
In-Reply-To: <018401c34c9a$aa455190$1501a8c0@pandora>
References: <018401c34c9a$aa455190$1501a8c0@pandora>
Message-ID: <1058471062.1338.97.camel@speedy>

Try:

Spam Actions = attachment deliver

This has been covered in the list a few times before.

Steve
Steve@Swaney.com

On Thu, 2003-07-17 at 15:36, Chris Yuzik wrote:
> Hi,
>
> I tried setting up my MailScanner.conf file to do attachments for
> spam, but then all mail stopped coming in.
>
> I had: Spam Actions = attachment
>
> But then no spam came in...it just got eaten by the server. As soon as
> I changed it back to:
> Spam Actions = deliver
>
> Then the spam started flowing again. Now, much as I would like to see
> all spam go away...I don't think this is a safe option and is
> certainly not what I intended.
>
> Also, I was using one of my email addresses to test the spam filtering
> and labelling and have sent the "gtube" string several times. Now I
> can't seem to send any email from that address anymore. I do have
> "auto-whitelist=yes". Any thoughts?
>
> Thanks,
> Chris
>

From mike at CAMAROSS.NET Thu Jul 17 21:32:54 2003
From: mike at CAMAROSS.NET (Mike Kercher)
Date: Thu Jan 12 21:18:59 2006
Subject: MailScanner/Sendmail + Mailman?
In-Reply-To: <1058446180.18388.26.camel@tweety.tnjinfl.com>
Message-ID: <003a01c34ca2$9a539e10$9c01a8c0@home.middlefinger.net>

I run MM 2.1.2 on the same box as MailScanner without any problems.

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of James Pifer Sent: Thursday, July 17, 2003 7:50 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: MailScanner/Sendmail + Mailman? Anyone running Mailman on the same server that is running MailScanner with Sendmail? The Mailman readme wants you to configure the sendmail.cf and make some changes. I don't want to mess up my functioning MailScanner server. Anyone doing this? Anyone have any suggestions for making Mailman work in this situation? Right now it doesn't seem to deliver mail. Thanks, James From steve.douglas at SBIINCORPORATED.COM Thu Jul 17 21:39:38 2003 From: steve.douglas at SBIINCORPORATED.COM (Steve Douglas) Date: Thu Jan 12 21:18:59 2006 Subject: False-positives Message-ID: <3963522F0E71474CB14C0FF54A6914F70111522B@mail.gardenbotanika.com> The system has version 2.55 of SPAMAssassin. I did raise the score to seven from five and that appears to have reduced it significantly. Thanks for the suggestion. SD :-) > -----Original Message----- 
> From: Martin Sapsed [mailto:m.sapsed@BANGOR.AC.UK] > Sent: Thursday, July 17, 2003 3:16 AM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: False-positives > > Steve Douglas wrote: > > I have the "SPAM lists to reach high score" setting set to 5. My server > > only gets about 2000 messages a day, yet I have about 100 or so messages > > that were originally identified as SPAM. Is there something I need to > > do here? I have white listed these messages by their network IDs to > > prevent this in the future, but the false-positives are reflected as an > > important area of concern by my management due the fact alot of this > > information is directly tied to the company's revenue. > > If I understand you correctly, 100 or so out of 2000 messages per day > are marked as spam when they shouldn't be? > > You haven't said which version of SpamAssassin you're using - that has a > big effect on the scores you get. If you look at the SpamCheck header > and there's a high-value category listed consistently among the wrongly- > marked messages you could lower that score in > MailScanner/etc/spam.assassin.prefs.conf perhaps? > > If your correctly marked spam is consistently coming in with higher > scores, then just raise the threshold. > > Cheers, > > Martin > > -- > Martin Sapsed > Information Services "Who do you say I am?" > University of Wales, Bangor Jesus of Nazareth From steve.douglas at SBIINCORPORATED.COM Thu Jul 17 21:40:49 2003 From: steve.douglas at SBIINCORPORATED.COM (Steve Douglas) Date: Thu Jan 12 21:18:59 2006 Subject: DNSBL Whitelist Message-ID: <3963522F0E71474CB14C0FF54A6914F70111522C@mail.gardenbotanika.com> Why not just raise your SPAMAssassin score higher. SD :-) > -----Original Message----- 
> From: Bill Anderson [mailto:billa@STERLING.NET] > Sent: Thursday, July 17, 2003 10:24 AM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: DNSBL Whitelist > > I asked this question earlier, however from the lack of response, I assume > I > posed the question unclearly. > > In the MailScanner.conf file there is a section to use blacklist by using > ORDB, MAPS, etc... > > # This is the list of spam blacklists (RBLs) which you are using. > # See the "Spam List Definitions" file for more information about what > # you can put here. > # This can also be the filename of a ruleset. > Spam List = ORDB-RBL Infinite-Monkeys # MAPS-RBL+ costs money (except > .ac.uk) > > Is there a way to do the same thing, however make the response a > whitelist. > There is a service out there called TCATS, that provides a whitelist of > good > IP's as well as a black list. I would like to use the whitelist to reduce > false positives, but have not found a way to integrate it with > MailScanner. > > Here is the the link to TCATS: > > http://www.the-carrot-and-the-stick.com/How_To/index.php?VIEW=direct_query From kevins at BMRB.CO.UK Thu Jul 17 22:11:09 2003 
From: kevins at BMRB.CO.UK (Kevin Spicer)
Date: Thu Jan 12 21:18:59 2006
Subject: DNSBL Whitelist
In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB001175E8C@pascal.priv.bmrb.co.uk>
References: <5C0296D26910694BB9A9BBFC577E7AB001175E8C@pascal.priv.bmrb.co.uk>
Message-ID: <1058476269.6514.20.camel@bach.kevinspicer.co.uk>

On Thu, 2003-07-17 at 16:23, Bill Anderson wrote:

>Is there a way to do the same thing, however make the response a
>whitelist.
>There is a service out there called TCATS, that provides a whitelist of
>good
>IP's as well as a black list. I would like to use the whitelist to
>reduce
>false positives, but have not found a way to integrate it with
>MailScanner.

I don't believe there's currently any way of doing this with MailScanner, however if you use SpamAssassin to do the RBL checks you can do it.

I _think_ it's done by adding something like the following to spam.assassin.prefs.conf

header RCVD_IN_TCATS rbleval:check_rbl('relay',
'accept.the-carrot-and-the-stick.com.')

describe RCVD_IN_TCATS Listed in TCATS see
http://www.the-carrot-and-the-stick.com/

tflags RCVD_IN_TCATS net nice

score RCVD_IN_TCATS -10

[NOTE: the first two pairs of lines are single lines which my mail client has wrapped] You can set the score to what you like (but it should be negative).

I basically nicked the above from the way spamassassin handles the bondedsender.org whitelist.

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000

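The rule from the message above, worked through as an added example (not part of the original post, and not SpamAssassin's own code): the Python below rejoins the two mail-wrapped lines, checks the rule for consistency, forms the standard reversed-octet DNS list query for a relay address, and shows what a -10 whitelist hit does to a message score. The relay addresses, the 12.5 content score and the set standing in for DNS answers are constructed for illustration.

```python
import ipaddress
import re

DIRECTIVES = ("header", "describe", "tflags", "score")

# Constructed sample: the rule as it arrived by mail, with the header and
# describe lines each broken in two by the sender's mail client.
WRAPPED = """\
header RCVD_IN_TCATS rbleval:check_rbl('relay',
'accept.the-carrot-and-the-stick.com.')
describe RCVD_IN_TCATS Listed in TCATS see
http://www.the-carrot-and-the-stick.com/
tflags RCVD_IN_TCATS net nice
score RCVD_IN_TCATS -10
"""


def unwrap(text):
    """Rejoin continuation lines: anything that does not start with a directive."""
    out = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.split()[0] in DIRECTIVES:
            out.append(line)
        elif out:
            out[-1] += " " + line
        else:
            raise ValueError(f"continuation with nothing before it: {line!r}")
    return out


def parse_rules(lines):
    """Group 'directive NAME value' lines into {NAME: {directive: value}}."""
    rules = {}
    for line in lines:
        parts = line.split(None, 2)
        if len(parts) != 3 or parts[0] not in DIRECTIVES:
            raise ValueError(f"not a complete rule line: {line!r}")
        rules.setdefault(parts[1], {})[parts[0]] = parts[2]
    return rules


def zone_of(header_value):
    """Extract the DNS zone from rbleval:check_rbl('set', 'zone.')."""
    m = re.search(r"check_rbl\(\s*'[^']*'\s*,\s*'([^']+)'\s*\)", header_value)
    return m.group(1) if m else None


def lint(rules):
    """Consistency checks chosen for this example; empty list means no problems."""
    problems = []
    for name, rule in sorted(rules.items()):
        missing = [d for d in DIRECTIVES if d not in rule]
        if missing:
            problems.append(f"{name}: missing {', '.join(missing)}")
            continue
        if zone_of(rule["header"]) is None:
            problems.append(f"{name}: no zone found in header test")
        nice = "nice" in rule["tflags"].split()
        if nice != (float(rule["score"]) < 0):
            problems.append(f"{name}: 'nice' flag and score sign disagree")
    return problems


def query_name(relay_ip, zone):
    """Standard DNS list convention: reversed IPv4 octets prepended to the zone."""
    octets = str(ipaddress.IPv4Address(relay_ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone.rstrip(".") + "."


def final_score(content_score, relay_ip, rule, listed):
    """Apply the rule; 'listed' stands in for DNS (names that return an A record)."""
    hit = query_name(relay_ip, zone_of(rule["header"])) in listed
    return content_score + (float(rule["score"]) if hit else 0.0), hit


if __name__ == "__main__":
    rules = parse_rules(unwrap(WRAPPED))
    print(lint(rules) or "rule set OK")
    rule = rules["RCVD_IN_TCATS"]
    listed = {query_name("192.0.2.25", zone_of(rule["header"]))}  # constructed
    for ip in ("192.0.2.25", "198.51.100.7"):
        print(ip, final_score(12.5, ip, rule, listed))
```

Against an assumed required score of 5, a message scoring 12.5 on content falls to 2.5 once its relay is listed, so with a score this large the whitelist's own vetting decides what gets through.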
From vboulytchev at COINFOTECH.COM Thu Jul 17 22:14:29 2003
From: vboulytchev at COINFOTECH.COM (Boulytchev, Vasiliy)
Date: Thu Jan 12 21:18:59 2006
Subject: .bad files continued
Message-ID: <1958DE295D9656499ECAAD3642822DE0033F75@willow.office.coinfotech.com>

Ladies and Gents,

cgp2ms is adding RPFD to the recipients line. Why it's doing that, I have no clue. Another thing that is bizarre, is I have a few domains working with no problems, it's just this one......... It does have a route rule in Communigate, but how would that affect anything...................... If I take those stupid RPFD: out from those .bad files, and copy them to .sub, communigate pushes the files.

Any Suggestions?

Vasiliy Boulytchev
Colorado Information Technologies Inc.
(719) 473-2800 x15

From billa at STERLING.NET Thu Jul 17 22:41:24 2003
From: billa at STERLING.NET (Bill Anderson)
Date: Thu Jan 12 21:18:59 2006
Subject: DNSBL Whitelist
References: <5C0296D26910694BB9A9BBFC577E7AB001175E8C@pascal.priv.bmrb.co.uk> <1058476269.6514.20.camel@bach.kevinspicer.co.uk>
Message-ID: <048401c34cac$2bfb4800$0a010a0a@dirt>

Thanks, I will give it a go.

----- Original Message -----
From: "Kevin Spicer" To: Sent: Thursday, July 17, 2003 2:11 PM Subject: Re: DNSBL Whitelist > On Thu, 2003-07-17 at 16:23, Bill Anderson wrote: > > >Is there a way to do the same thing, however make the response a > >whitelist. > >There is a service out there called TCATS, that provides a whitelist of > >good > >IP's as well as a black list. I would like to use the whitelist to > >reduce > >false positives, but have not found a way to integrate it with > >MailScanner. > > I don't believe theres currently any way of doing this with MailScanner, > however if you use SpamAssassin to do the RBL checks you can do it. > > I _think_ its done by adding something like the following to > spam.assassin.prefs.conf > > header RCVD_IN_TCATS rbleval:check_rbl('relay', > 'accept.the-carrot-and-the-stick.com.') > > describe RCVD_IN_TCATS Listed in TCATS see > http://www.the-carrot-and-the-stick.com/ > > tflags RCVD_IN_TCATS net nice > > score RCVD_IN_TCATS -10 > > [NOTE: the first two pairs of lines are single lines which my mail > client has wrapped] You can set the score to what you like (but it > should be negative). > > I basically nicked the above from the way spamassassin handles the > bondedsender.org whitelist. > > > > > > > BMRB International > http://www.bmrb.co.uk > +44 (0)20 8566 5000 > _________________________________________________________________ > This message (and any attachment) is intended only for the > recipient and may contain confidential and/or privileged > material. If you have received this in error, please contact the > sender and delete this message immediately. Disclosure, copying > or other action taken in respect of this email or in > reliance on it is prohibited. BMRB International Limited > accepts no liability in relation to any personal emails, or > content of any email which does not directly relate to our > business. > From smohan at VSNL.COM Fri Jul 18 05:27:11 2003 
From: smohan at VSNL.COM (S Mohan) Date: Thu Jan 12 21:18:59 2006 Subject: Block whole address In-Reply-To: <3963522F0E71474CB14C0FF54A6914F7011151DC@mail.gardenbotanika.com> Message-ID: If you are using sendmail, use the access feature to block the address. /etc/mail/access file needs to be edited and the address followed by reject or drop in capitals should be given in a line. Mohan -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Steve Douglas Sent: Wednesday, July 16, 2003 6:22 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Block whole address Is there a way to block an entire address from entering an email server using MailScanner? -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030718/06c8cc1e/attachment.html From smohan at VSNL.COM Fri Jul 18 06:06:26 2003 From: smohan at VSNL.COM (S Mohan) Date: Thu Jan 12 21:18:59 2006 Subject: forged From: In-Reply-To: <1058374162.8235.0.camel@bach.kevinspicer.co.uk> Message-ID: Outgoing mails i.e. to ther domains also will not be scanned then, is it not? Mohan -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Kevin Spicer Sent: Wednesday, July 16, 2003 10:19 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: forged From: On Wed, 2003-07-16 at 17:12, Rob V wrote: Can I add that in my scan.rules ? like 
From: 192.168.198. no will that no scan all of 192.168.198 That should work fine. BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. From smohan at VSNL.COM Fri Jul 18 06:06:24 2003 From: smohan at VSNL.COM (S Mohan) Date: Thu Jan 12 21:18:59 2006 Subject: forged From: In-Reply-To: <5.2.1.1.2.20030716121105.01e8a498@mailhost.disaster.com> Message-ID: The rule should actually be From: IP and to:*@domain.com. I do not think we can do this in the rules right now. Could be looked at as a feature enhancement. Current we have FromTo(meaning From billa at STERLING.NET Thu Jul 17 22:41:51 2003 From: billa at STERLING.NET (Bill Anderson) Date: Thu Jan 12 21:18:59 2006 Subject: DNSBL Whitelist References: <3963522F0E71474CB14C0FF54A6914F70111522C@mail.gardenbotanika.com> Message-ID: <048901c34cac$3bd5f770$0a010a0a@dirt> I tried that, but to much spam got through. ----- Original Message ----- From: "Steve Douglas" To: Sent: Thursday, July 17, 2003 1:40 PM Subject: Re: DNSBL Whitelist > Why not just raise your SPAMAssassin score higher. > > SD > :-) > > > > -----Original Message----- 
> > From: Bill Anderson [mailto:billa@STERLING.NET] > > Sent: Thursday, July 17, 2003 10:24 AM > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: DNSBL Whitelist > > > > I asked this question earlier, however from the lack of response, I assume > > I > > posed the question unclearly. > > > > In the MailScanner.conf file there is a section to use blacklist by using > > ORDB, MAPS, etc... > > > > # This is the list of spam blacklists (RBLs) which you are using. > > # See the "Spam List Definitions" file for more information about what > > # you can put here. > > # This can also be the filename of a ruleset. > > Spam List = ORDB-RBL Infinite-Monkeys # MAPS-RBL+ costs money (except > > .ac.uk) > > > > Is there a way to do the same thing, however make the response a > > whitelist. > > There is a service out there called TCATS, that provides a whitelist of > > good > > IP's as well as a black list. I would like to use the whitelist to reduce > > false positives, but have not found a way to integrate it with > > MailScanner. > > > > Here is the the link to TCATS: > > > > http://www.the-carrot-and-the-stick.com/How_To/index.php?VIEW=direct_query > From kevins at BMRB.CO.UK Thu Jul 17 22:42:06 2003 
From: kevins at BMRB.CO.UK (Kevin Spicer) Date: Thu Jan 12 21:18:59 2006 Subject: .bad files continued In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB001175EA5@pascal.priv.bmrb.co.uk> References: <5C0296D26910694BB9A9BBFC577E7AB001175EA5@pascal.priv.bmrb.co.uk> Message-ID: <1058478127.6635.25.camel@bach.kevinspicer.co.uk> On Thu, 2003-07-17 at 22:14, Boulytchev, Vasiliy wrote: >Ladies and Gents, > cgp2ms is adding RPFD to the recipients line. Why its doing that, >I have no clue. Another thing that is bazaar, is I have a few domains >working with no problems, its just this one......... It does have a > route rule in Communigate, but how would that affect >anything...................... If I take those stupid RPFD: out from >those .bad files, and copy them to .sub, communigate pushes the files. Perhaps you should try a mailing list for communicate users? This doesn't sound like any symptom I've seen anyone report on this list - so its probably a Communigate issue. You could try ruling out MailScanner by taking it out of the mix temporarily. BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. From chris at FRACTALWEB.COM Thu Jul 17 23:38:49 2003 
From: chris at FRACTALWEB.COM (Chris Yuzik) Date: Thu Jan 12 21:18:59 2006 Subject: outbound mail stuck ... in wrong directory Message-ID: <009c01c34cb4$3150a9a0$1501a8c0@pandora> Hi everyone, Just when I approach "spam nirvana" I keep hitting speedbumps.Thanks to this list, you guys keep helping me get over them. Thanks. I have RedHat 7.3 with multiple virtual domains set up. Incoming mail works great...and Mailscanner is catching virtually all the spam that arrives at the system. Sendmail and Procmail are handling mail. I have 1 remaining problem (so far): When MailScanner is running, outbound mail is getting placed in the incorrect directory on the hard disk. Specifically, the outbound mail should (I think) be going into /var/spool/mqueue, but it's going to /home/virtual/site2/fst/ instead...and there's nothing to move it from there to the outbound queue. What's the fix for this? ...I'm pulling out what little hair I have. Thanks, Chris PS - I asked a similar question a couple of days ago...but most of my incoming mail got shredded. If you answered it before...please re-answer. Thanks. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030717/6767c097/attachment.html From P.G.M.Peters at utwente.nl Fri Jul 18 10:43:51 2003 
From: P.G.M.Peters at utwente.nl (Peter Peters) Date: Thu Jan 12 21:18:59 2006 Subject: mailscanner only sees the envelope TO - solved In-Reply-To: <3F16BF73.8020401@pacific.net> References: <5.2.1.1.0.20030716114104.014fb008@xanadu.evi-inc.com> <5.2.1.1.0.20030716114104.014fb008@xanadu.evi-inc.com> <5.2.1.1.0.20030716134542.01e4d3b0@xanadu.evi-inc.com> <1058378447.22259.19.camel@speedy> <3F15C8BB.5030003@pacific.net> <1058395642.22259.60.camel@speedy> <3F16BF73.8020401@pacific.net> Message-ID: On Thu, 17 Jul 2003 08:23:31 -0700, you wrote: >Here's what I did. If any sendmail gurus out there thing this is a bad >idea, please let me know what a mess I've made of things :-) It looks good. >Restart sendmail, and things like this start showing up in the log when >messages with multiple recipients come in: > >Jul 17 08:14:31 host sendmail[7183]: h6HFDop8007183: split: maxrcpts=1, >rcpts=3, count=2, ids=h6HFDop9007183; h6HFDopA007183 I use queue-ID's to track messages through our systems. I presume this logline appears next to the from=/to= lines from the incoming sendmail. After that the messages is processed by MS. Could you confirm that the new queue-ID's are used in de MS loglines. I presume that sendmail handles it correctly when he delivers the three messages after the scanning. -- Peter Peters, senior netwerkbeheerder Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE) Universiteit Twente, Postbus 217, 7500 AE Enschede telefoon: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/civ From SJCJonker at SJC.NL Fri Jul 18 12:00:57 2003 
From: SJCJonker at SJC.NL (Stijn Jonker) Date: Thu Jan 12 21:18:59 2006 Subject: MailScanner/Sendmail + Mailman? In-Reply-To: <200307171430.KAA31790@earl.morehouse.edu> References: <200307171430.KAA31790@earl.morehouse.edu> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hello, Just in short, if you want to use mm-handler, with sendmail, MS, SA etc etc etc. Some of my comments when implementing it. I think it is only reasonable to do if you use 1 specific subdomain to handle the list. Don't forget the: VIRTUSER_DOMAIN in the sendmail.mc it took me 2 days to figure out why it wasn't working, only to see i missed this entry. Attached is my sendmail.mc, anonymized, and with comments for the mm-handler setup. Remove the comments to make it an m4. Oh, and don't add the list.* hostnames to the local-host-names (The Fw macro.) in mailertable do: list.domain-1.com mailman:list.domain-1.com etc And it should work. Good luck. P.S. In regards to configing sendmail, the ora bat book is your best friend. If you need info, you can find it in there, if it doesn't work, it makes nice sounds when landing on the floor/chair/door or you collegue ;-)) On Thu, 17 Jul 2003, Matt Laney wrote: > James, > > > The README.SENDMAIL says to look at mm-handler.readme... > > Ah--that's if you're using mm-handler as your local delivery agent > for mailman. I'm not, and I happen to know nothing about it. <> > > Did you have to modify the mailertable? > > No, but I run my list processor on the same domain as the rest of > my stuff. That is, I didn't add a subdomain just for Mailman. 
In <> - -- Met Vriendelijke groet/Yours Sincerely Stijn Jonker -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2 (GNU/Linux) iD8DBQE/F9NvjU9r45tKnOARAoCHAKDSZmpC5uzp2u8c7Xj16zEJUp4NOQCfcsKr qjt4tCBUS5pYt1dhSq38mng= =BC6h -----END PGP SIGNATURE----- -------------- next part -------------- divert(-1) include(`/usr/share/sendmail-cf/m4/cf.m4')dnl VERSIONID(`ph-dmz-01 config')dnl OSTYPE(`linux')dnl define(`confDEF_USER_ID',`8:12')dnl undefine(`UUCP_RELAY')dnl undefine(`BITNET_RELAY')dnl define(`confTO_CONNECT', `1m')dnl define(`confTRY_NULL_MX_LIST',true)dnl define(`confDONT_PROBE_INTERFACES',true)dnl define(`PROCMAIL_MAILER_PATH',`/usr/bin/procmail')dnl define(`ALIAS_FILE', `/etc/aliases')dnl define(`STATUS_FILE', `/var/log/sendmail.st')dnl define(`UUCP_MAILER_MAX', `2000000')dnl define(`confUSERDB_SPEC', `/etc/mail/userdb.db')dnl define(`confPRIVACY_FLAGS', `authwarnings,novrfy,noexpn,restrictqrun')dnl define(`confAUTH_OPTIONS', `A')dnl define(`confTO_QUEUEWARN', `4h')dnl define(`confTO_QUEUERETURN', `5d')dnl define(`confTO_IDENT',`0')dnl define(`confQUEUE_LA', `12')dnl define(`confREFUSE_LA', `18')dnl # # This server doens't have any local accounts # the following 4 setting makes sure it will # (hopefully) never deliver locally # # define(`MAIL_HUB', `smtp-final.XXXX')dnl define(`LUSER_RELAY', `smtp-final.XXXX')dnl define(`LOCAL_RELAY', `smtp-final.XXXX')dnl define(`SMART_HOST', `smtp-out.XXXX') dnl define(`confMAX_MESSAGE_SIZE',15000000)dnl define(`confMAX_HOP',30)dnl define(`confUSE_ERRORS_TO',true)dnl define(`confCOPY_ERRORS_TO',Postmaster)dnl define(`confDOUBLE_BOUNCE_ADDRESS',`postmaster')dnl dnl dnl By default, sendmail applies virtusertable mapping, if at all, for dnl all interfaces for which it accepts mail -- i.e., all domains in dnl $=w. Mm-handler relies on your having a single domain (hostname) dnl that serves only lists, with no users. To avoid potential namespace dnl conflicts, you need not to have this list domain included in $=w. 
dnl As a result, virtuser mapping does not apply for the Mailman dnl list domain. However, you can pre-empt this rule by defining dnl $={VirtHost}: if there are domains in this class, they will be dnl mapped before $=w is mapped. dnl dnl VIRTUSER_DOMAIN() defines this class. dnl # # Like said in the email this is important # VIRTUSER_DOMAIN(`list.domain-1.com list.domain-2.com list.domain-3.com') FEATURE(`no_default_msa',`dnl')dnl FEATURE(`smrsh',`/usr/sbin/smrsh')dnl FEATURE(`mailertable',`hash -o /etc/mail/mailertable')dnl FEATURE(`virtusertable',`hash -o /etc/mail/virtusertable')dnl FEATURE(redirect)dnl FEATURE(always_add_domain)dnl FEATURE(use_cw_file)dnl FEATURE(use_ct_file)dnl FEATURE(local_procmail)dnl FEATURE(`access_db')dnl FEATURE(`blacklist_recipients')dnl EXPOSED_USER(`root bin daemon adm lp sync shutdown halt mail news uucp operator games gopher ftp nobody xfs gdm rpc mailnull postfix named apache')dnl MAILER(`smtp')dnl MAILER(`procmail')dnl dnl dnl Our Mailman-specific local mailer. dnl MAILER_DEFINITIONS #################################### ### New Mailer specifications ### #################################### ## Special flags! See ## http://www.sendmail.org/~ca/email/doc8.10/op-sh-5.html#sh-5.4 ## Note especially the absence of the "m" and "n" flags. THIS IS ## IMPORTANT: mm-handler assumes this behavior to avoid having to know ## too much about address parsing and other RFC-2822 mail details. Mmailman, P=/etc/mail/mm-handler, F=rDFMhlqSu, U=mailman:mailman, S=EnvFromL, R=EnvToL/HdrToL, A=mm-handler $h $u From dustin.baer at IHS.COM Fri Jul 18 14:16:47 2003 
From: dustin.baer at IHS.COM (Dustin Baer)
Date: Thu Jan 12 21:18:59 2006
Subject: not reading spam.assassin.prefs.conf
Message-ID: <3F17F33F.CD0C6B74@ihs.com>

I am searching through the archives also, but thought I would send a message here, also.

Solaris 9
Sendmail 8.12.9
MailScanner 4.13-3

Yesterday, I upgraded SpamAssassin from 2.43 to 2.55 using perl -MCPAN. Now, my spam.assassin.prefs.conf file does not seem to be working.

Any suggestions on where to start?

Thanks for any leads...

Dustin
--
Dustin Baer
Unix Administrator/Postmaster
Information Handling Services
15 Inverness Way East
Englewood, CO 80112
303-397-2836

From ka at PACIFIC.NET Fri Jul 18 14:30:18 2003
From: ka at PACIFIC.NET (Ken Anderson)
Date: Thu Jan 12 21:18:59 2006
Subject: mailscanner only sees the envelope TO - solved
In-Reply-To:
References: <5.2.1.1.0.20030716114104.014fb008@xanadu.evi-inc.com>
 <5.2.1.1.0.20030716114104.014fb008@xanadu.evi-inc.com>
 <5.2.1.1.0.20030716134542.01e4d3b0@xanadu.evi-inc.com>
 <1058378447.22259.19.camel@speedy>
 <3F15C8BB.5030003@pacific.net>
 <1058395642.22259.60.camel@speedy>
 <3F16BF73.8020401@pacific.net>
Message-ID: <3F17F66A.1050607@pacific.net>

Peter Peters wrote:
> On Thu, 17 Jul 2003 08:23:31 -0700, you wrote:
>
>
>>Here's what I did. If any sendmail gurus out there think this is a bad
>>idea, please let me know what a mess I've made of things :-)
>
>
> It looks good.
>
>
>>Restart sendmail, and things like this start showing up in the log when
>>messages with multiple recipients come in:
>>
>>Jul 17 08:14:31 host sendmail[7183]: h6HFDop8007183: split: maxrcpts=1,
>>rcpts=3, count=2, ids=h6HFDop9007183; h6HFDopA007183
>
>
> I use queue-ID's to track messages through our systems. I presume this
> logline appears next to the from=/to= lines from the incoming sendmail.

Yes, the first TO gets the original message id, and the new split messages get the ids listed above as ids=xxxxx;xxxxx, so it's possible to track them.

> After that the message is processed by MS. Could you confirm that the
> new queue-ID's are used in the MS loglines. I presume that sendmail
> handles it correctly when he delivers the three messages after the
> scanning.

Yes, we put about 500k messages through it yesterday. Sendmail splits the message before it puts the clones of the message into the mqueue.in queue that is used by MailScanner as input. Each message has a unique message id. The total number of messages that your system will then process, and the load on mailscanner will increase a bit, but MS sees these as individual messages having the ids that sendmail assigns in the split log line.
Note: I wouldn't do this on a system that accepted messages with 100 recipients per message, since the load would skyrocket if a spammer sent more than a few such messages to your system at a time. I'm not sure how things like 'BadRecipient Throttle' work in combination with Queue Groups, but it might help in such cases.

Ken

> --
> Peter Peters, senior network administrator
> Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE)
> Universiteit Twente, Postbus 217, 7500 AE Enschede
> telephone: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/civ
>
>

From richard_cipher at yahoo.com Fri Jul 18 15:29:33 2003
From: richard_cipher at yahoo.com (Evert Ford)
Date: Thu Jan 12 21:18:59 2006
Subject: not reading spam.assassin.prefs.conf
In-Reply-To: <3F17F33F.CD0C6B74@ihs.com>
Message-ID:

did you upgrade using the rpm or the tarball?

if you used the rpm, uninstall it using

rpm -e spamassassin

download and unpack the tarball, something like:

tar zxvf /path/to/Mail-SpamAssassin-2.55.tar.gz

navigate to the directory spamassassin is residing in, then:

perl Makefile.PL
make
make test
make install

then reload MailScanner. It should work fine at this point.

Evert Ford
Information Analyst
http://www.westone.com

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Dustin Baer Sent: Friday, July 18, 2003 7:17 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: not reading spam.assassin.prefs.conf I am searching throught the archives also, but thought I would send a message here, also. Solaris 9 Sendmail 8.12.9 MailScanner 4.13-3 Yesterday, I upgraded SpamAssassin from 2.43 to 2.55 using perl -MCPAN. Now, my spam.assassin.prefs.conf file does not seem to be working. Any suggestions on where to start? Thanks for any leads... Dustin -- Dustin Baer Unix Administrator/Postmaster Information Handling Services 15 Inverness Way East Englewood, CO 80112 303-397-2836 --- Incoming mail is certified Virus Free. Checked by AVG anti-virus system (http://www.grisoft.com). Version: 6.0.483 / Virus Database: 279 - Release Date: 5/19/03 --- Outgoing mail is certified Virus Free. Checked by AVG anti-virus system (http://www.grisoft.com). Version: 6.0.483 / Virus Database: 279 - Release Date: 5/19/03 From richard_cipher at YAHOO.COM Fri Jul 18 15:35:13 2003 From: richard_cipher at YAHOO.COM (Evert Ford) Date: Thu Jan 12 21:18:59 2006 Subject: not reading spam.assassin.prefs.conf In-Reply-To: <3F17F33F.CD0C6B74@ihs.com> Message-ID: sorry...stupid response...i just re-read your message......i would try downloading the tarball and trying it that way instead of MCPAN....i've never had a problem on my system that way Evert -----Original Message----- 
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Dustin Baer Sent: Friday, July 18, 2003 7:17 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: not reading spam.assassin.prefs.conf I am searching throught the archives also, but thought I would send a message here, also. Solaris 9 Sendmail 8.12.9 MailScanner 4.13-3 Yesterday, I upgraded SpamAssassin from 2.43 to 2.55 using perl -MCPAN. Now, my spam.assassin.prefs.conf file does not seem to be working. Any suggestions on where to start? Thanks for any leads... Dustin -- Dustin Baer Unix Administrator/Postmaster Information Handling Services 15 Inverness Way East Englewood, CO 80112 303-397-2836 --- Incoming mail is certified Virus Free. Checked by AVG anti-virus system (http://www.grisoft.com). Version: 6.0.483 / Virus Database: 279 - Release Date: 5/19/03 --- Outgoing mail is certified Virus Free. Checked by AVG anti-virus system (http://www.grisoft.com). Version: 6.0.483 / Virus Database: 279 - Release Date: 5/19/03 From P.G.M.Peters at utwente.nl Fri Jul 18 16:16:01 2003 
From: P.G.M.Peters at utwente.nl (Peter Peters) Date: Thu Jan 12 21:18:59 2006 Subject: mailscanner only sees the envelope TO - solved In-Reply-To: <3F17F66A.1050607@pacific.net> References: <5.2.1.1.0.20030716114104.014fb008@xanadu.evi-inc.com> <5.2.1.1.0.20030716114104.014fb008@xanadu.evi-inc.com> <5.2.1.1.0.20030716134542.01e4d3b0@xanadu.evi-inc.com> <1058378447.22259.19.camel@speedy> <3F15C8BB.5030003@pacific.net> <1058395642.22259.60.camel@speedy> <3F16BF73.8020401@pacific.net> <3F17F66A.1050607@pacific.net> Message-ID: <5k3ghvge6hqsopkcd1chjmep5ommlbdo4r@4ax.com> On Fri, 18 Jul 2003 06:30:18 -0700, you wrote: >> After that the messages is processed by MS. Could you confirm that the >> new queue-ID's are used in de MS loglines. I presume that sendmail >> handles it correctly when he delivers the three messages after the >> scanning. > >Yes, we put about 500k messages through it yesterday. Sendmail splits >the message before it puts the clones of the message into the mqueue.in >queue that is used by MailScanner as input. Each message has a unique >message id. The total number of messages that your system will then >process, and the load on mailscanner will increase a bit, but MS sees >these as individual messages having the ids that sendmail assigns in the >split log line. I know sendmail puts "for " in the received header when there is only one recipient. Does this mean the "for" clause is now also in the received headers of the "first" sendmail? -- Peter Peters, senior netwerkbeheerder Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE) Universiteit Twente, Postbus 217, 7500 AE Enschede telefoon: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/civ From dustin.baer at IHS.COM Fri Jul 18 16:16:20 2003 
From: dustin.baer at IHS.COM (Dustin Baer) Date: Thu Jan 12 21:18:59 2006 Subject: not reading spam.assassin.prefs.conf References: Message-ID: <3F180F44.DBE878CD@ihs.com> Evert Ford wrote: > > sorry...stupid response...i just re-read your message......i would try > downloading the tarball and trying it that way instead of MCPAN....i've > never had a problem on my system that way > > Evert No, not a stupid response. I am glad someone even responded. I thought of this, also and am in the process of doing that. The very strange thing is that I upgraded with MCPAN on both our test and our production mail server and things worked fine on the test server. I will post whether this works or not. Thanks! -- Dustin Baer Unix Administrator/Postmaster Information Handling Services 15 Inverness Way East Englewood, CO 80112 303-397-2836 From ka at PACIFIC.NET Fri Jul 18 17:00:43 2003 
From: ka at PACIFIC.NET (Ken Anderson)
Date: Thu Jan 12 21:18:59 2006
Subject: mailscanner only sees the envelope TO - solved
In-Reply-To: <5k3ghvge6hqsopkcd1chjmep5ommlbdo4r@4ax.com>
References: <5.2.1.1.0.20030716114104.014fb008@xanadu.evi-inc.com>
 <5.2.1.1.0.20030716114104.014fb008@xanadu.evi-inc.com>
 <5.2.1.1.0.20030716134542.01e4d3b0@xanadu.evi-inc.com>
 <1058378447.22259.19.camel@speedy>
 <3F15C8BB.5030003@pacific.net>
 <1058395642.22259.60.camel@speedy>
 <3F16BF73.8020401@pacific.net>
 <3F17F66A.1050607@pacific.net>
 <5k3ghvge6hqsopkcd1chjmep5ommlbdo4r@4ax.com>
Message-ID: <3F1819AB.1040605@pacific.net>

Peter Peters wrote:
> On Fri, 18 Jul 2003 06:30:18 -0700, you wrote:
>
>
>>>After that the message is processed by MS. Could you confirm that the
>>>new queue-ID's are used in the MS loglines. I presume that sendmail
>>>handles it correctly when he delivers the three messages after the
>>>scanning.
>>
>>Yes, we put about 500k messages through it yesterday. Sendmail splits
>>the message before it puts the clones of the message into the mqueue.in
>>queue that is used by MailScanner as input. Each message has a unique
>>message id. The total number of messages that your system will then
>>process, and the load on mailscanner will increase a bit, but MS sees
>>these as individual messages having the ids that sendmail assigns in the
>>split log line.
>
>
> I know sendmail puts "for " in the received header when there is only
> one recipient. Does this mean the "for" clause is now also in the
> received headers of the "first" sendmail?

We have 2 MS boxes that scan and then relay to our mail hub. What happens is interesting: The first TO in the original msg gets the "for " line. After the message is split, scanned and delivered as separate messages to the mail hub, ALL of the messages get the "for " line added by the mail hub, since they appear to our mail hub as separate messages with 1 recip each.
This means that the "for " line can't be depended on to tell you who the message was really originally addressed to. However, the original message will have 2 "for " lines, so it's still possible to tell if a message is an original or a clone so to speak. You don't really lose anything, since the "other" recipients of a message never had the "to " information anyway. The message header of each of the split messages contains the original message id from before the split, and NOT the new queue.in id assigned and logged by sendmail, so you can trace using that just as you could before.

Ken

> --
> Peter Peters, senior network administrator
> Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE)
> Universiteit Twente, Postbus 217, 7500 AE Enschede
> telephone: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/civ
>
>

From ka at PACIFIC.NET Fri Jul 18 17:04:30 2003
From: ka at PACIFIC.NET (Ken Anderson)
Date: Thu Jan 12 21:18:59 2006
Subject: not reading spam.assassin.prefs.conf
In-Reply-To: <3F17F33F.CD0C6B74@ihs.com>
References: <3F17F33F.CD0C6B74@ihs.com>
Message-ID: <3F181A8E.3010506@pacific.net>

SA also looks at /etc/spamassassin/local.cf
Not sure what you mean by "does not seem to be working", but this file may affect how spam.assassin.prefs.conf is used. I don't know in what order they are read/applied though.

Ken A.

Dustin Baer wrote:
> I am searching through the archives also, but thought I would send a
> message here, also.
>
> Solaris 9
> Sendmail 8.12.9
> MailScanner 4.13-3
>
> Yesterday, I upgraded SpamAssassin from 2.43 to 2.55 using perl -MCPAN.
> Now, my spam.assassin.prefs.conf file does not seem to be working.
>
> Any suggestions on where to start?
>
> Thanks for any leads...
>
> Dustin
> --
> Dustin Baer
> Unix Administrator/Postmaster
> Information Handling Services
> 15 Inverness Way East
> Englewood, CO 80112
> 303-397-2836
>
>

From ka at PACIFIC.NET Fri Jul 18 17:08:48 2003
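Tracing a split message through the logs, as discussed in the "mailscanner only sees the envelope TO" messages above: the Python below is an added example, not code from any of the posters. It uses the `split:` line quoted in the thread; the from=/to= lines, the addresses and the function names are constructed for the illustration.

```python
import re

# The "split:" line is the one quoted in the thread. The from=/to= lines and
# all addresses are constructed for this example.
LOG = """\
Jul 17 08:14:30 host sendmail[7183]: h6HFDop8007183: from=<sender@example.net>, size=2048, nrcpts=3
Jul 17 08:14:31 host sendmail[7183]: h6HFDop8007183: split: maxrcpts=1, rcpts=3, count=2, ids=h6HFDop9007183; h6HFDopA007183
Jul 17 08:14:40 host sendmail[7201]: h6HFDop8007183: to=<a@example.org>, stat=Sent
Jul 17 08:14:41 host sendmail[7202]: h6HFDop9007183: to=<b@example.org>, stat=Sent
Jul 17 08:14:41 host sendmail[7203]: h6HFDopA007183: to=<c@example.org>, stat=Sent
Jul 17 08:15:02 host sendmail[7300]: h6HFEaa1007300: to=<d@example.org>, stat=Sent
""".splitlines()

LINE_RE = re.compile(r"sendmail\[\d+\]: (?P<qid>\w+): (?P<rest>.*)$")
SPLIT_RE = re.compile(r"split: maxrcpts=(\d+), rcpts=(\d+), count=(\d+), ids=(.+)$")
TO_RE = re.compile(r"\bto=<([^>]+)>")


def split_parents(lines):
    """Map each queue ID created by a split (and the original) to the original ID."""
    parent = {}
    for line in lines:
        m = LINE_RE.search(line)
        s = SPLIT_RE.match(m["rest"]) if m else None
        if not s:
            continue
        children = [c.strip() for c in s.group(4).split(";") if c.strip()]
        # count= is the number of new IDs; a mismatch means a truncated log line.
        if len(children) != int(s.group(3)):
            raise ValueError("count= does not match ids= in: " + line)
        parent[m["qid"]] = m["qid"]
        for child in children:
            parent[child] = m["qid"]
    return parent


def trace(lines, qid):
    """Every log line belonging to the message that qid is part of."""
    parent = split_parents(lines)
    root = parent.get(qid, qid)
    hits = []
    for line in lines:
        m = LINE_RE.search(line)
        if m and parent.get(m["qid"], m["qid"]) == root:
            hits.append(line)
    return hits


def recipients(lines, qid):
    """All to= addresses delivered under any queue ID of the same message."""
    found = []
    for line in trace(lines, qid):
        found.extend(TO_RE.findall(line))
    return sorted(found)


if __name__ == "__main__":
    for entry in trace(LOG, "h6HFDopA007183"):
        print(entry)
    print(recipients(LOG, "h6HFDop9007183"))
```

Starting from any one of the three queue IDs gives the same set of lines, which is what makes the split traceable during an investigation.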
From: ka at PACIFIC.NET (Ken Anderson) Date: Thu Jan 12 21:18:59 2006 Subject: is the list going crazy or is it me? Message-ID: <3F181B90.8050809@pacific.net> I've sent 3 emails to the list today, and 2 times have received this warning email back: > Your message is being returned to you unprocessed because it appears to have > already been distributed to the MAILSCANNER list. That is, a message with > identical text (but possibly with different mail headers) has been posted to > the list recently, either by you or by someone else. If you have a good reason > to resend this message to the list (for instance because you have been notified > of a hardware failure with loss of data), please alter the text of the message > in some way and resend it to the list. Note that altering the "Subject:" line > or adding blank lines at the top or bottom of the message is not sufficient; > you should instead add a sentence or two at the top explaining why you are > resending the message, so that the other subscribers understand why they are > getting two copies of the same message. I only sent one copy of each email, and messages are being posted to the list AFAIK. Ken From dustin.baer at IHS.COM Fri Jul 18 17:09:33 2003 
From: dustin.baer at IHS.COM (Dustin Baer) Date: Thu Jan 12 21:18:59 2006 Subject: not reading spam.assassin.prefs.conf References: <3F17F33F.CD0C6B74@ihs.com> <3F181A8E.3010506@pacific.net> Message-ID: <3F181BBD.78DB0EED@ihs.com> Ken Anderson wrote: > > SA also looks at /etc/spamassassin/local.cf > Not sure what you mean by "does not seem to be working", but this file > may affect how spam.assassin.prefs.conf is used. I don't know in what > order they are read/applied though. > Ken A. Thanks Ken, "does not seem to be working" means that my customized scoring is not working. I don't have an /etc/spamassassin directory. The manual (perl Makefile.PL, etc.) upgrade didn't work, either, so I will keep trying. Thanks for the input. Dustin From richard_cipher at YAHOO.COM Fri Jul 18 17:12:03 2003 From: richard_cipher at YAHOO.COM (Evert Ford) Date: Thu Jan 12 21:18:59 2006 Subject: is the list going crazy or is it me? In-Reply-To: <3F181B90.8050809@pacific.net> Message-ID: I've had the same happen. It appears to be a problem. Evert Ford Information Analyst Westone Laboratories http://www.westone.com -----Original Message----- 
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Ken Anderson Sent: Friday, July 18, 2003 10:09 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: is the list going crazy or is it me? I've sent 3 emails to the list today, and 2 times have received this warning email back: > Your message is being returned to you unprocessed because it appears to have > already been distributed to the MAILSCANNER list. That is, a message with > identical text (but possibly with different mail headers) has been posted to > the list recently, either by you or by someone else. If you have a good reason > to resend this message to the list (for instance because you have been notified > of a hardware failure with loss of data), please alter the text of the message > in some way and resend it to the list. Note that altering the "Subject:" line > or adding blank lines at the top or bottom of the message is not sufficient; > you should instead add a sentence or two at the top explaining why you are > resending the message, so that the other subscribers understand why they are > getting two copies of the same message. I only sent one copy of each email, and messages are being posted to the list AFAIK. Ken --- Incoming mail is certified Virus Free. Checked by AVG anti-virus system (http://www.grisoft.com). Version: 6.0.483 / Virus Database: 279 - Release Date: 5/19/03 --- Outgoing mail is certified Virus Free. Checked by AVG anti-virus system (http://www.grisoft.com). Version: 6.0.483 / Virus Database: 279 - Release Date: 5/19/03 From dustin.baer at IHS.COM Fri Jul 18 17:10:09 2003 
From: dustin.baer at IHS.COM (Dustin Baer)
Date: Thu Jan 12 21:18:59 2006
Subject: is the list going crazy or is it me?
References: <3F181B90.8050809@pacific.net>
Message-ID: <3F181BE1.BCB6BF3F@ihs.com>

Ken Anderson wrote:
>
> I've sent 3 emails to the list today, and 2 times have received this
> warning email back:
>
> > ...
>
> I only sent one copy of each email, and messages are being posted to the
> list AFAIK.
>
> Ken

Same here!

Dustin
--
Dustin Baer
Unix Administrator/Postmaster
Information Handling Services
15 Inverness Way East
Englewood, CO 80112
303-397-2836

From mkettler at EVI-INC.COM Fri Jul 18 18:00:05 2003
From: mkettler at EVI-INC.COM (Matt Kettler)
Date: Thu Jan 12 21:18:59 2006
Subject: not reading spam.assassin.prefs.conf
In-Reply-To: <3F181BBD.78DB0EED@ihs.com>
References: <3F17F33F.CD0C6B74@ihs.com> <3F181A8E.3010506@pacific.net>
Message-ID: <5.2.1.1.0.20030718125727.0199d880@xanadu.evi-inc.com>

At 10:09 AM 7/18/2003 -0600, Dustin Baer wrote:
>Thanks Ken,
>
>"does not seem to be working" means that my customized scoring is not
>working.
>
>I don't have an /etc/spamassassin directory.
>
>The manual (perl Makefile.PL, etc.) upgrade didn't work, either, so I
>will keep trying.
>
>Thanks for the input.

As a suggestion, I usually copy or ln -s my spam.assassin.prefs.conf to /root/.spamassassin/user_prefs and then run spamassassin --lint to check my config files for bugs and typos.

There are several commands in the configfile syntax that have changed for 2.5x. In theory these should be irrelevant on a MailScanner setup as they are almost all related to the report format and html stripping, which MailScanner does on its own.

From dustin.baer at IHS.COM Fri Jul 18 18:02:38 2003
From: dustin.baer at IHS.COM (Dustin Baer)
Date: Thu Jan 12 21:18:59 2006
Subject: not reading spam.assassin.prefs.conf - DUH!
References: <3F17F33F.CD0C6B74@ihs.com>
Message-ID: <3F18282E.947D90CF@ihs.com>

Dustin Baer wrote:
>
> I am searching through the archives also, but thought I would send a
> message here, also.
>
> Solaris 9
> Sendmail 8.12.9
> MailScanner 4.13-3
>
> Yesterday, I upgraded SpamAssassin from 2.43 to 2.55 using perl -MCPAN.
> Now, my spam.assassin.prefs.conf file does not seem to be working.
>
> Any suggestions on where to start?
>
> Thanks for any leads...

NOTHING to do with SpamAssassin. I edited my spam.assassin.prefs.conf file and instead of using a pipe (|) to separate keywords to catch in the subject line, I used a slash (/):

header IHS_SUBJECT_JUNK_2 Subject =~ /STEPHANIE/URGENT/

That obviously broke the Perl.

THANK YOU to everyone who responded and also to those who looked into this and didn't respond.

I will crawl back into my hole, now.

Dustin
--
Dustin Baer
Unix Administrator/Postmaster
Information Handling Services
15 Inverness Way East
Englewood, CO 80112
303-397-2836

From mkettler at EVI-INC.COM Fri Jul 18 18:30:00 2003
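A narrow pre-deployment check for the delimiter mistake described in the message above, as an added example that is not part of the original post or of SpamAssassin. It only understands `/`-delimited `header` rules, and apart from the rule quoted in the message every rule name and value in the sample is constructed; `spamassassin --lint`, mentioned earlier in the thread, remains the full check.

```python
import re

# "header NAME Field =~ /pattern/flags" lines as written in a prefs file.
RULE_RE = re.compile(r"^\s*header\s+(\S+)\s+(\S+)\s+(=~|!~)\s+(.*?)\s*$")
# After the closing '/', only regex flags and an optional [if-unset: ...] may follow.
TAIL_RE = re.compile(r"[a-z]*(\s+\[if-unset:.*\])?")

# Constructed prefs fragment. Line 2 is the rule from the message above;
# the other rule names and the score are made up for this example.
SAMPLE_PREFS = r"""# constructed prefs fragment
header IHS_SUBJECT_JUNK_2 Subject =~ /STEPHANIE/URGENT/
score IHS_SUBJECT_JUNK_2 5.0
header EXAMPLE_FIXED Subject =~ /STEPHANIE|URGENT/
header EXAMPLE_URL Subject =~ /http:\/\/example\.test/i
"""


def unescaped_slashes(text):
    """Indexes of '/' characters that are not escaped with a backslash."""
    found, i = [], 0
    while i < len(text):
        if text[i] == "\\":
            i += 2  # skip the backslash and the character it escapes
            continue
        if text[i] == "/":
            found.append(i)
        i += 1
    return found


def lint_header_rule(line):
    """Return a list of problems for one header rule; an empty list means it parsed."""
    m = RULE_RE.match(line)
    if not m:
        return ["not a 'header NAME Field =~ /regex/' line"]
    name, expr = m.group(1), m.group(4)
    if not expr.startswith("/"):
        return [name + ": only /-delimited patterns are checked here"]
    slashes = unescaped_slashes(expr)
    if len(slashes) < 2:
        return [name + ": pattern has no closing '/'"]
    # Perl ends the pattern at the first unescaped '/' after the opening one,
    # so anything left over must be flags, not more pattern text.
    close = slashes[1]
    tail = expr[close + 1:]
    if not TAIL_RE.fullmatch(tail):
        return [name + ": pattern ends at " + repr(expr[:close + 1])
                + ", leftover text " + repr(tail)
                + "; separate alternatives with '|' or escape the slash"]
    return []


def lint_prefs(text):
    """Lint every 'header' rule in a prefs file; returns {line_number: [problems]}."""
    report = {}
    for number, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("header "):
            problems = lint_header_rule(line)
            if problems:
                report[number] = problems
    return report


if __name__ == "__main__":
    for number, problems in lint_prefs(SAMPLE_PREFS).items():
        print(number, problems)
```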
From: mkettler at EVI-INC.COM (Matt Kettler)
Date: Thu Jan 12 21:18:59 2006
Subject: is the list going crazy or is it me? - found source of problem to be COINFOTECH.COM
In-Reply-To:
References: <3F181B90.8050809@pacific.net>
Message-ID: <5.2.1.1.0.20030718132213.01a0cb10@xanadu.evi-inc.com>

At 10:12 AM 7/18/2003 -0600, you wrote:
>I've had the same happen. It appears to be a problem.
>
>Evert Ford
>Information Analyst
>Westone Laboratories
>http://www.westone.com

If you look at the headers in the rejected messages it's a broken mailserver that's looping messages back to the list, presumably by delivering based on the To: address instead of the envelope (a common mistake to make in custom scripts).

See:

Received: from mailsvc.com (iowa.coinfotech.com [209.12.32.105])
        by ori.rl.ac.uk (8.11.1/8.11.1) with ESMTP id h6IH1uS14042
        for ; Fri, 18 Jul 2003 18:01:57 +0100
Received: by mailsvc.com (CommuniGate Pro PIPE 4.0.6)
        with PIPE id 12184636; Fri, 18 Jul 2003 10:57:08 -0600
Received: from smtp.jiscmail.ac.uk ([130.246.192.48] verified)
        by mailsvc.com (CommuniGate Pro SMTP 4.0.6)
        with ESMTP id 12184630 for xxxxx@COINFOTECH.COM;
        Fri, 18 Jul 2003 10:57:03 -0600

(I censored the subscriber's address for politeness, although it can be readily figured out by the recipients of the bounces)

From shawn at ADVANCEDMANAGED.COM Fri Jul 18 19:07:43 2003
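The loop diagnosed in the message above, as an added Python example that is not part of the original post: it contrasts delivery by SMTP envelope with delivery by the To: header, and shows a check a list server could run on the Received chain to spot a message coming back. The hosts, addresses, function names and the accept/reject policy are all constructed placeholders, not the systems named in the thread.

```python
import email
import re
from email.utils import getaddresses

LIST_ADDR = "list@lists.example.org"

# Constructed message shaped like the headers quoted in the thread: it left
# the list, reached a subscriber's server, and was sent back to the list.
LOOPED = """\
Received: from mail.subscriber.example (mail.subscriber.example [192.0.2.20])
\tby mx.lists.example.org (MTA) with ESMTP id AAA111
\tfor <list@lists.example.org>; Fri, 18 Jul 2003 18:01:57 +0100
Received: by mail.subscriber.example (local pipe) id BBB222;
\tFri, 18 Jul 2003 10:57:08 -0600
Received: from out.lists.example.org ([192.0.2.10])
\tby mail.subscriber.example (MTA) with ESMTP id CCC333
\tfor <user@subscriber.example>; Fri, 18 Jul 2003 10:57:03 -0600
From: poster@poster.example.net
To: list@lists.example.org
Subject: test posting

body
"""

# Constructed first-time posting that has never been through the list.
FRESH = """\
Received: from poster.example.net ([198.51.100.7])
\tby mx.lists.example.org (MTA) with ESMTP id DDD444;
\tFri, 18 Jul 2003 09:00:00 +0100
From: poster@poster.example.net
To: list@lists.example.org
Subject: new posting

body
"""

HOP_RE = re.compile(r"\s*(?:from\s+(\S+).*?)?\bby\s+(\S+)", re.S | re.I)


def parse(text):
    return email.message_from_string(text)


def hops(msg):
    """(from_host, by_host) for each Received header, newest first."""
    out = []
    for value in msg.get_all("Received", []):
        m = HOP_RE.match(value)
        if m:
            out.append(((m.group(1) or "").lower(), m.group(2).lower()))
    return out


def delivery_targets(envelope_rcpts, msg, trust_headers):
    """Recipients a delivery script would use.

    trust_headers=True models the mistake described in the thread:
    routing on To:/Cc: instead of the SMTP envelope (RCPT TO).
    """
    if trust_headers:
        fields = msg.get_all("To", []) + msg.get_all("Cc", [])
        return sorted({addr.lower() for _, addr in getaddresses(fields) if addr})
    return sorted(addr.lower() for addr in envelope_rcpts)


def in_domain(host, domain):
    return host == domain or host.endswith("." + domain)


def already_left_list(msg, list_domain):
    """True if some hop shows a list host handing the message to an outside host."""
    return any(in_domain(frm, list_domain) and not in_domain(by, list_domain)
               for frm, by in hops(msg))


def check_submission(msg, envelope_rcpts, list_addr):
    """Assumed list-server policy: refuse postings the list has already sent out."""
    list_domain = list_addr.split("@", 1)[1]
    to_list = list_addr in [r.lower() for r in envelope_rcpts]
    if to_list and already_left_list(msg, list_domain):
        return "reject: loop, message was already distributed by this list"
    return "accept"


if __name__ == "__main__":
    looped = parse(LOOPED)
    print(delivery_targets(["user@subscriber.example"], looped, trust_headers=True))
    print(delivery_targets(["user@subscriber.example"], looped, trust_headers=False))
    print(check_submission(looped, [LIST_ADDR], LIST_ADDR))
```

The header-based result is the list address rather than the subscriber, which is exactly how each distributed copy ends up posted again.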
From: shawn at ADVANCEDMANAGED.COM (shawn)
Date: Thu Jan 12 21:18:59 2006
Subject: bayes autolearn
Message-ID: <00b401c34d57$7c3de330$3cced7c0@pong>

If your mailscanner installation is just a relay, with the email
addresses not local, is it wise to use bayes with the db built only with
autolearn? Having outlook users use resend to a spam/notspam address is
not an option.

Also are mailscanner whitelisted items still put thru spamassassin for
autolearning?

Tia

shawn

From vboulytchev at COINFOTECH.COM Fri Jul 18 19:19:37 2003
From: vboulytchev at COINFOTECH.COM (Boulytchev, Vasiliy)
Date: Thu Jan 12 21:18:59 2006
Subject: Bcc not going through
Message-ID: <1958DE295D9656499ECAAD3642822DE0033F8D@willow.office.coinfotech.com>

Ladies and Gents,
        I use Communigate Pro for my email server. I see when the
/Submitted/ directory has a .bad file, the recipients field is set to
"Undisclosed". When I push an email with someone with BCC field filled
out, email disappears.

        Any suggestions?

Vasiliy Boulytchev
Colorado Information Technologies Inc.
(719) 473-2800 x15

From evertjan at VANRAMSELAAR.NL Fri Jul 18 19:25:48 2003
From: evertjan at VANRAMSELAAR.NL (Evert Jan van Ramselaar) Date: Thu Jan 12 21:18:59 2006 Subject: Bcc not going through In-Reply-To: <1958DE295D9656499ECAAD3642822DE0033F8D@willow.office.coinfotech.com> References: <1958DE295D9656499ECAAD3642822DE0033F8D@willow.office.coinfotech.com> Message-ID: <3F183BAC.2070908@vanramselaar.nl> Boulytchev, Vasiliy wrote: > Ladies and Gents, > I use Communigate Pro for my email server. I see when the > /Submitted/ directory has a .bad file, the recipients field is set to > "Undisclosed". When I push an email with someone with BCC field filled > out, email disapears. This list is NOT about Communigate, but about MailScanner. AFAIK MailScanner does not support Communigate. See www.mailscanner.info for more about MailScanner. Btw, please turn off HTML when sending mail to mailinglists. -- Evert Jan van Ramselaar Van Ramselaar Info Tech From evertjan at VANRAMSELAAR.NL Fri Jul 18 19:31:23 2003 From: evertjan at VANRAMSELAAR.NL (Evert Jan van Ramselaar) Date: Thu Jan 12 21:18:59 2006 Subject: Bcc not going through In-Reply-To: <1958DE295D9656499ECAAD3642822DE0033F8D@willow.office.coinfotech.com> References: <1958DE295D9656499ECAAD3642822DE0033F8D@willow.office.coinfotech.com> Message-ID: <3F183CFB.9070508@vanramselaar.nl> Boulytchev, Vasiliy wrote: > Ladies and Gents, > I use Communigate Pro for my email server. I see when the > /Submitted/ directory has a .bad file, the recipients field is set to > "Undisclosed". When I push an email with someone with BCC field filled > out, email disapears. And PLEASE fix your mailserver!! It is resending all messages from this list back to this same list, resulting in error messages to the original sender! And PLEASE fix it NOW! -- Evert Jan van Ramselaar Van Ramselaar Info Tech From kevins at BMRB.CO.UK Fri Jul 18 19:39:18 2003 
From: kevins at BMRB.CO.UK (Kevin Spicer) Date: Thu Jan 12 21:18:59 2006 Subject: Bcc not going through In-Reply-To: <3F183CFB.9070508@vanramselaar.nl> References: <1958DE295D9656499ECAAD3642822DE0033F8D@willow.office.coinfotech.com> <3F183CFB.9070508@vanramselaar.nl> Message-ID: <1058553559.4382.15.camel@bach.kevinspicer.co.uk> > And PLEASE fix your mailserver!! It is resending all messages from this > list back to this same list, resulting in error messages to the original > sender! > > And PLEASE fix it NOW! > Or at least have the courtesy to unsubscribe until you have fixed it (you could always re-subscribe with a hotmail account or similar) BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. From mailscanner at ELKNET.NET Fri Jul 18 21:57:50 2003 
From: mailscanner at ELKNET.NET (Alan Fiebig)
Date: Thu Jan 12 21:18:59 2006
Subject: From = to
Message-ID: <200307182058.h6IKw1S08416@ori.rl.ac.uk>

I searched the archives, but didn't find an answer, so I'm trying here.
Thanks in advance for any help :)

We see a number of spams coming in where the 'From:' address has been
set by the spammer to be the same as the 'To:' address. When MS detects
these, a bounce message typically consisting of the 'Sender Spamassassin
Report', it sends the bounce message to the spam's 'From:' address. As
the 'From:' was forged to be the same as the intended recipient of the
spam, it's that poor recipient who gets the bounce message.

They quickly in turn email us screaming "I didn't send out that spam,
especially not to myself!"

So, what I'm looking for is some means of bypassing the 'bounce' action
anytime the 'From:' or the 'Reply to:' is the same as the 'To:' address.

Any ideas?

-Alan

From kevins at BMRB.CO.UK Fri Jul 18 22:12:58 2003
From: kevins at BMRB.CO.UK (Kevin Spicer)
Date: Thu Jan 12 21:18:59 2006
Subject: From = to
In-Reply-To: <200307182058.h6IKw1S08416@ori.rl.ac.uk>
References: <200307182058.h6IKw1S08416@ori.rl.ac.uk>
Message-ID: <1058562779.5559.18.camel@bach.kevinspicer.co.uk>

> So, what I'm looking for is some means of bypassing the 'bounce' action anytime the 'From:' or the 'Reply to:' is the same as the 'To:' address.
>
> Any ideas?
>

Can't you just make spam actions a ruleset along the lines of...

From:           *@yourdomain.com        delete
FromorTo:       default                 bounce

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000

From mkettler at EVI-INC.COM Fri Jul 18 22:38:54 2003
From: mkettler at EVI-INC.COM (Matt Kettler)
Date: Thu Jan 12 21:18:59 2006
Subject: From = to
In-Reply-To: <200307182058.h6IKw1S08416@ori.rl.ac.uk>
Message-ID: <5.2.1.1.0.20030718172953.01850750@xanadu.evi-inc.com>

At 03:57 PM 7/18/2003 -0500, Alan Fiebig wrote:
>So, what I'm looking for is some means of bypassing the 'bounce' action
>anytime the 'From:' or the 'Reply to:' is the same as the 'To:' address.
>
>Any ideas?

(note: the following is my opinion, but it's at least one that comes
from a fairly well thought-out perspective).

My suggestion would be to not use bounce at all. The way it's done in
MailScanner (which is really the best that MS can do) is pretty much
hopelessly broken and abuses other networks.

99.99% of spam has a forged From: address, so bouncing these messages
increases the severity of joe-jobs. The only useful function it provides
is in the case of a false positive, the sender is notified. However, if
your false-positive rate is reasonable, at least 99% of your bounce
messages are just going to some poor guy that got joe-jobbed.

That's a "more harm than good" situation by a ratio of approximately
100:1.

silent deletion isn't exactly a good idea either, but at least it isn't
dumping your spam problems back onto another network.

I'd say best practice is to tag-only or quarantine for hand review.
Bouncing with MS is just a bad idea that is only attractive to those who
like to litter in other people's yards.

From mailscanner at LISTS.COM.AR Fri Jul 18 22:43:04 2003
From: mailscanner at LISTS.COM.AR (Mariano Absatz)
Date: Thu Jan 12 21:18:59 2006
Subject: ZMailer + MailScanner
Message-ID: <3F183FB8.30554.165D49C7@localhost>

Hi there,

a guy who works with me wrote the initial code that allowed MailScanner
to work along with ZMailer. I maintain it and wrote the simple
instructions in:
http://www.sng.ecs.soton.ac.uk/mailscanner/install/zmailer.shtml

As I said there, I didn't have a proper init.d script... in fact, I
never had installed either ZMailer or MailScanner from RPM... I'm
usually more comfortable compiling my most critical pieces of software,
and my mail server, certainly is critical.

However I could argue that if you're running ZMailer, then "you should
know" and if you just want to plain run a MailScanner, you'll be more
comfortable using either Sendmail or Postfix, I just got a hand on a
spare old pentium with redhat in it and I installed ZMailer from rpm
using the closest to an official ZMailer rpm, which is the one developed
by Xosé Vázquez, found at
http://rpmfind.net/linux/RPM/contrib/libc6/i386/zmailer-2.99.55-5.i386.html

Then I installed the latest MailScanner 4.22-5 RPM following the
instructions.

Finally, I modified the necessary files in both so they work together.

I'm attaching 3 files:

modify-zmailer.sh:
    is a script to create the /var/spool/postoffice-incoming hierarchy,
    with the proper subdirectories and permissions.

ZMailer-2.99.55-5.rpm-MailScanner.patch:
    is a small patch that modifies the main ZMailer configuration file,
    /etc/zmailer/zmailer.conf so that smtpserver works in that new
    hierarchy.

MailScanner-4.22-5.rpm-ZMailer.patch:
    is a patch that modifies the following files:
        /etc/rc.d/init.d/MailScanner
        /etc/sysconfig/MailScanner
        /etc/MailScanner/MailScanner.conf
    so that MailScanner works with ZMailer.

You have to be root to make this:

0) Install ZMailer and MailScanner from the rpm's.

1) stop ZMailer if it's running, and disable its startup script (as you
   do with Sendmail previous to run MailScanner):
        service zmailer stop
        chkconfig zmailer off

2) run the included shell script:
        ./modify-zmailer.sh
   This will check that you're root, will ask for confirmation, and
   then, it'll create a bunch of directories... it's a simple script, I
   used "-v" in most commands so you can see what's being done.

3) Patch ZMailer:
        cd /
        patch -p0 < /path/to/ZMailer-2.99.55-5.rpm-MailScanner.patch

4) Patch MailScanner:
        cd /
        patch -p0 < /path/to/MailScanner-4.22-5.rpm-ZMailer.patch

5) Enable and start MailScanner. This will also start ZMailer:
        chkconfig --add MailScanner
        chkconfig MailScanner on
        service MailScanner start

voilà!

--
Mariano Absatz
El Baby
----------------------------------------------------------
I write all my critical routines in assembler, and my comedy routines in
FORTRAN.
    -- Anonymous

-------------- next part --------------
A non-text attachment was scrubbed...
Name: modify-zmailer.sh
Type: application/octet-stream
Size: 1067 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030718/147a4287/modify-zmailer.obj
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ZMailer-2.99.55-5.rpm-MailScanner.patch
Type: application/octet-stream
Size: 624 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030718/147a4287/ZMailer-2.99.55-5.rpm-MailScanner.obj
-------------- next part --------------
A non-text attachment was scrubbed...
Name: MailScanner-4.22-5.rpm-ZMailer.patch
Type: application/octet-stream
Size: 9247 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030718/147a4287/MailScanner-4.22-5.rpm-ZMailer.obj

From mailscanner at LISTS.COM.AR Fri Jul 18 23:06:25 2003
From: mailscanner at LISTS.COM.AR (Mariano Absatz) Date: Thu Jan 12 21:18:59 2006 Subject: MailScanner startup script standalone Message-ID: <3F184531.9360.1672ACCC@localhost> Hi, in case someone is interested, based on some old MailScanner startup script, I modified it so that it only cares about MailScanner itself and not about the MTA. In fact, this is the way I prefer to handle it, I have a separate startup script for ZMailer and this one for MailScanner. Whenever both are related services and mail won't be delivered if both aren't running, I can start and stop both of them independently and nothing brakes... only mail can accumulate in one or another queue. When something goes wrong, I like the ability to stop only a part and watch the queues by hand. In fact, with the standard zmailer script (the zmailer command, not the startup script) I can independently start or stop the different daemons... MailScanner would be a fourth daemon in here, with its own startup script. The script is quite simple and works nicely in redhat, I don't know about other flavors of linux, but it should be easier to adapt than the standard MailScanner startup script, since it's smaller. Enjoy it! -- Mariano Absatz El Baby ---------------------------------------------------------- Everyone must believe in something. I believe I'll have another drink. -- W.C. Fields -------------- next part -------------- A non-text attachment was scrubbed... Name: MailScanner Type: application/octet-stream Size: 3522 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030718/99544a04/MailScanner.obj From mailscanner at LISTS.COM.AR Fri Jul 18 23:27:55 2003 
From: mailscanner at LISTS.COM.AR (Mariano Absatz) Date: Thu Jan 12 21:19:00 2006 Subject: scripts & patches for download Message-ID: <3F184A3B.23580.16865C27@localhost> Hi, I know, my Pegasus mail client has too much personality for adding some text attachments... I uploaded all the patches and scripts I sent so you can download them from the web... The patches and script for using ZMailer and MailScanner from rpm's are in http://baby.com.ar/MailScanner/ZMailer.rpm.patches/ The standalone startup script (so you can start it independently from the MTA) is in http://baby.com.ar/MailScanner/StandAloneStartupScript/MailScanner Finally, Julian, when you're back, would you replace the /etc/rc.d/init.d/MailScanner and /etc/sysconfig/MailScanner files in the rpm with the ones at http://baby.com.ar/MailScanner/ModifiedFilesForMailScannerDistribution/ ? This would incorporate ZMailer into the rpm distribution. I'll modify the web page at http://www.sng.ecs.soton.ac.uk/mailscanner/install/zmailer.shtml and post it so you can upgrade that too. Have a nice weekend! -- Mariano Absatz El Baby ---------------------------------------------------------- What is a "free" gift ? Aren't all gifts free? From so-mlist-alias at ALL-ABOUT-SHIFT.COM Sat Jul 19 13:58:05 2003 
From: so-mlist-alias at ALL-ABOUT-SHIFT.COM (Soeren Gerlach)
Date: Thu Jan 12 21:19:00 2006
Subject: Fw: bayes autolearn
Message-ID: <009601c34df5$6c2fbce0$6301010a@vaiosan>

I do have the same setup (two mail servers configured via MX as relays)
and I do the following with quite remarkable results:

 * Quarantine "high score spam" messages
 * Collect them once a day from the two relays to another consolidation
   server
 * There use the "sa-learn" from S.A.
 * Additionally I feed the mails back to the razor network
 * copy back the resulting database to the two relays (MailScanner must
   be stopped while copying back because of file locks)

With now some 5.000+ Spam messages it increases the overall "yield"
quite good. The problem with autolearn is that the "ham" portion of the
mail is only useful on a single user basis (there're some articles about
this issue on the net) because of the often individual dictionaries a
user's mail have, while the spam portion on the other hand isn't.

regards,
Soeren Gerlach

----- Original Message -----
From: "shawn"
To:
Sent: Friday, July 18, 2003 8:07 PM
Subject: bayes autolearn

> If your mailscanner installation is just a relay, with the email
> addresses not local, is it wise to use bayes with the db built only with
> autolearn? Having outlook users use resend to a spam/notspam address is
> not an option.
>
>
>
> Also are mailscanner whitelisted items still put thru spamassassin for
> autolearning?
>
>
>
> Tia
>
> shawn

From mailscanner at ELKNET.NET Sat Jul 19 23:06:13 2003
From: mailscanner at ELKNET.NET (Alan Fiebig)
Date: Thu Jan 12 21:19:00 2006
Subject: From = to
Message-ID:

Well, this idea is certainly a start. But it would end up in MS blindly
deleting any spams sent by my customers to my customers.

Thanks!

>> So, what I'm looking for is some means of bypassing the 'bounce' action anytime the 'From:' or the 'Reply to:' is the same as the 'To:' address.
>>
>> Any ideas?
>>
>Can't you just make spam actions a ruleset along the lines of...
>
>From: *@yourdomain.com delete
>FromorTo: default bounce

From mailscanner at ELKNET.NET Sat Jul 19 23:04:57 2003
From: mailscanner at ELKNET.NET (Alan Fiebig)
Date: Thu Jan 12 21:19:00 2006
Subject: From = to
Message-ID:

I can't hand examine 66,000+ quarantined spams per day.

I also can't afford to blindly delete. Far too many potential instances
have already arisen where a customer 'Wanted' the spam, and only knew it
was being filtered because the bounce went to the sender, who notified
the recipient.

We deal with about a dozen complaints per day from those that receive
the bounce messages and want to resolve the issues. Sometimes we
whitelist them, sometimes our customer opts-out of our filters,
sometimes the sender adjusts their message. So the bounces ARE working
and necessary for me.

Tag only is also worthless for the vast majority of my customers. They
would have no idea what to do with the tag, they would simply be getting
all the spam like always. Setting client filters to sort or delete based
upon a tag is beyond them.

Thanks for the reply though.

>My suggestion would be to not use bounce at all. The way it's done in
>MailScanner (which is really the best that MS can do) is pretty much
>hopelessly broken and abuses other networks.
>
>99.99% of spam has a forged From: address, so bouncing these messages
>increases the severity of joe-jobs. The only useful function it provides is
>in the case of a false positive, the sender is notified. However, if your
>false-positive rate is reasonable, at least 99% of your bounce messages are
>just going to some poor guy that got joe-jobbed.
>
>That's a "more harm than good" situation by a ratio of approximately 100:1.
>
>silent deletion isn't exactly a good idea either, but it's at least it
>isn't dumping your spam problems back onto another network.
>
>I'd say best practice is to tag-only or quarantine for hand review.
>Bouncing with MS is just a bad idea that is only attractive to those who
>like to litter in other people's yards.

From Antony at SOFT-SOLUTIONS.CO.UK Sat Jul 19 22:45:20 2003
From: Antony at SOFT-SOLUTIONS.CO.UK (Antony Stone) Date: Thu Jan 12 21:19:00 2006 Subject: From = to In-Reply-To: <200307182058.h6IKw1S08416@ori.rl.ac.uk> References: <200307182058.h6IKw1S08416@ori.rl.ac.uk> Message-ID: <200307192145.h6JLjPi12710@Primary.networker.test> On Friday 18 July 2003 9:57 pm, Alan Fiebig wrote: > We see a number of spams coming in where the 'From:' address has been set > by the spammer to be the same as the 'To:' address. When MS detects these, > a bounce message typically consisting of the 'Sender Spamassassin Report', > it sends the bounce message to the spam's 'From:' address. As the 'From:' > was forged to be the same as the intended recepient of the spam, its that > poor recepient who gets the bounce message. > > They quickly in turn email us screaming "I didn't send out that spam, > especially not to myself!" > > So, what I'm looking for is some means of bypassing the 'bounce' action > anytime the 'From:' or the 'Rely to:' is the same as the 'To:' address. > > Any ideas? Is there any mileage in creating yourself a SpamAssassin rule which picks up on From=To, and assigning it a high enough score that it reaches your MailScanner High Spam Score, which you can then delete? Antony. -- The truth is rarely pure, and never simple. - Oscar Wilde From kevins at BMRB.CO.UK Sat Jul 19 23:10:45 2003 
From: kevins at BMRB.CO.UK (Kevin Spicer) Date: Thu Jan 12 21:19:00 2006 Subject: From = to In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB001175EC9@pascal.priv.bmrb.co.uk> References: <5C0296D26910694BB9A9BBFC577E7AB001175EC9@pascal.priv.bmrb.co.uk> Message-ID: <1058652649.15041.7.camel@bach.kevinspicer.co.uk> On Sat, 2003-07-19 at 23:06, Alan Fiebig wrote: Well, this idea is certainly a start. But it would end up in MS blindly deleting any spams sent by my customers to my customers. Presumably you mean false positives, since I can't imagine you'd be particularly keen on your customers spamming anyone through your server. A suggestion (not knowing your setup this may or may not be a good one!), set up a ruleset so that only incoming mail (external to your network) is checked for spam [you would need to do this by IP range not domain] and also apply the ruleset I suggested previously. This would also improve performance on outgoing mail. Failing that, get your hands dirty with a little perl and write a custom config module (in CustomConfig.pm) which checks if the From and To addresses are identical [or better, whether it comes from a local domain but an IP external to your network] and use this for spam actions. BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. From Antony at SOFT-SOLUTIONS.CO.UK Sun Jul 20 00:08:11 2003 
From: Antony at SOFT-SOLUTIONS.CO.UK (Antony Stone)
Date: Thu Jan 12 21:19:00 2006
Subject: From = to
In-Reply-To: <200307192145.h6JLjPi12710@Primary.networker.test>
References: <200307182058.h6IKw1S08416@ori.rl.ac.uk> <200307192145.h6JLjPi12710@Primary.networker.test>
Message-ID: <200307192308.h6JN8Go22533@Primary.networker.test>

On Saturday 19 July 2003 10:45 pm, Antony Stone wrote:

> Is there any mileage in creating yourself a SpamAssassin rule which picks
> up on From=To, and assigning it a high enough score that it reaches your
> MailScanner High Spam Score, which you can then delete?

This seemed like a neat opportunity to write my first SpamAssassin rule,
so I thought I'd give it a try. I came up with this:

In the file /usr/lib/perl5/site_perl/Mail/SpamAssassin/EvalTests.pm
there is already a function called check_for_from_to_same (which is
badly named, because it explicitly does *not* match the from and to
addresses being identical - only if they are 'similar'....)

Using this as a template, I created a new function:

sub check_for_from_to_identical {
  my ($self) = @_;

  # address part only of the From: and To: headers
  my $addr_from = $self->get('From:addr');
  my $addr_to = $self->get('To:addr');

  # drop any whitespace before comparing
  $addr_from =~ s/\s+//g;
  $addr_to =~ s/\s+//g;

  return 1 if ($addr_from eq $addr_to);
  return 0;
}

I then added three lines to /opt/MailScanner/etc/spam.assassin.prefs.conf:

header FROM_AND_TO_IDENTICAL eval:check_for_from_to_identical()
describe FROM_AND_TO_IDENTICAL From and To are the same address
score FROM_AND_TO_IDENTICAL 20

The only thing which bothers me slightly about this idea is that I think
I see some emails from genuine mailing lists which set the from and to
addresses to the same thing - I disapprove of that, but it would lead to
some false positives if the mailing lists aren't whitelisted....

Anyway, have fun,

Antony.

--

It is also possible that putting the birds in a laboratory setting
inadvertently renders them relatively incompetent.

 - Daniel C Dennett

From jrudd at UCSC.EDU Sun Jul 20 06:43:59 2003
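Added example (not Antony Stone's, Kevin Spicer's or MailScanner's code): the decision this thread is circling, written out in Python so the cases can be compared side by side. It combines the From = To comparison with Kevin Spicer's "local domain but external IP" test. The action labels 'bounce' and 'store' are chosen for this sketch, all addresses and networks are constructed, and holding suspect mail instead of deleting it is an assumption made here because of the mailing-list false positives mentioned above.

```python
import ipaddress
from email.utils import parseaddr


def bare(addr_header):
    """'Some Name <User@Example.COM>' -> 'user@example.com' ('' if none)."""
    return parseaddr(addr_header or "")[1].strip().lower()


def spam_action(from_hdr, to_hdr, client_ip, local_domains, local_nets,
                default="bounce", suspect="store"):
    """Pick the action for a message already classified as spam.

    Returns (action, reason). A bounce is only chosen when nothing
    suggests that the From: address was forged:
      * From: equals To:            -> the recipient would get the bounce
      * From: claims a local domain
        but the client is external  -> a local user would get the bounce
      * no parsable From: address   -> nowhere sensible to bounce to
    """
    sender, rcpt = bare(from_hdr), bare(to_hdr)
    if not sender:
        return suspect, "no usable From address"
    if sender == rcpt:
        return suspect, "From equals To"

    ip = ipaddress.ip_address(client_ip)
    external = not any(ip in ipaddress.ip_network(net) for net in local_nets)
    domain = sender.rpartition("@")[2]
    if domain in local_domains and external:
        return suspect, "local From domain, external client IP"

    return default, "no forgery indicator"


# Constructed site data and messages (documentation address ranges).
LOCAL_DOMAINS = {"example.com"}
LOCAL_NETS = ["192.0.2.0/24"]

CASES = [
    # (From:, To:, connecting client IP)
    ("Alice <alice@example.com>", "ALICE@example.com", "203.0.113.9"),
    ("bob@example.com", "alice@example.com", "203.0.113.9"),
    ("bob@example.com", "alice@example.com", "192.0.2.10"),
    ("sales@example.org", "alice@example.com", "203.0.113.9"),
    ("", "alice@example.com", "203.0.113.9"),
]

if __name__ == "__main__":
    for frm, to, ip in CASES:
        action, reason = spam_action(frm, to, ip, LOCAL_DOMAINS, LOCAL_NETS)
        print("%-28s %-20s %-12s -> %s (%s)" % (frm, to, ip, action, reason))
```

The fourth case still bounces: a forged From: at someone else's domain cannot be told apart from a real one by these header tests.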
From: jrudd at UCSC.EDU (John Rudd) Date: Thu Jan 12 21:19:00 2006 Subject: .bad files continued In-Reply-To: <1058478127.6635.25.camel@bach.kevinspicer.co.uk> Message-ID: <295D16EA-BA75-11D7-873F-003065F939FE@ucsc.edu> On Thursday, Jul 17, 2003, at 14:42 US/Pacific, Kevin Spicer wrote: > On Thu, 2003-07-17 at 22:14, Boulytchev, Vasiliy wrote: >> Ladies and Gents, >> cgp2ms is adding RPFD to the recipients line. Why its doing that, >> I have no clue. Another thing that is bazaar, is I have a few domains >> working with no problems, its just this one......... It does have a >> route rule in Communigate, but how would that affect >> anything...................... If I take those stupid RPFD: out from >> those .bad files, and copy them to .sub, communigate pushes the files. > > Perhaps you should try a mailing list for communicate users? This > doesn't sound like any symptom I've seen anyone report on this list - > so > its probably a Communigate issue. You could try ruling out MailScanner > by taking it out of the mix temporarily. > > It's related to the glue scripts I wrote between CommuniGate Pro and MailScanner. IIRC, it's caused when MailScanner is generating its own messages. I have a fix for it that I'm putting out in the next couple days. From tony.johansson at SVENSKAKYRKAN.SE Sun Jul 20 19:32:32 2003 
From: tony.johansson at SVENSKAKYRKAN.SE (Tony Johansson) Date: Thu Jan 12 21:19:00 2006 Subject: Fw: bayes autolearn Message-ID: On Sat, 19 Jul 2003 14:58:05 +0200, Soeren Gerlach wrote: >I do have the same setup (two mail servers configured via MX as relays) and >I do the following with quite remarkable results: > > * Quanrantine "high score spam" messages > * Collect them once a day from the two relays to another consolidation >server > * There use the "sa-learn" from S.A. > * Additionally I feed the mails back to the razor network > * copy back the resulting database to the two relays (MailScanner must be >stopped while copying back because of file locks) > >With now some 5.000+ Spam messages it increases the overall "yield" quite >good. The problem with autolearn that the "ham" portion of the mail is only >usefull one a single user basis (there're some articels about this issue on >the net) because of the often individual dictionaries a user's mail have, >while the spam portion on the other hand isn't. > >regards, >Soeren Gerlach How much ham do you use when training? From so-mlist-alias at ALL-ABOUT-SHIFT.COM Sun Jul 20 21:27:09 2003 
From: so-mlist-alias at ALL-ABOUT-SHIFT.COM (Soeren Gerlach) Date: Thu Jan 12 21:19:00 2006 Subject: Fw: bayes autolearn References: Message-ID: <000801c34efd$50882d20$6301010a@vaiosan> > On Sat, 19 Jul 2003 14:58:05 +0200, Soeren Gerlach ABOUT-SHIFT.COM> wrote: > > >I do have the same setup (two mail servers configured via MX as relays) and > >I do the following with quite remarkable results: > > > > * Quanrantine "high score spam" messages > > * Collect them once a day from the two relays to another consolidation > >server > > * There use the "sa-learn" from S.A. > > * Additionally I feed the mails back to the razor network > > * copy back the resulting database to the two relays (MailScanner must be > >stopped while copying back because of file locks) > > > >With now some 5.000+ Spam messages it increases the overall "yield" quite > >good. The problem with autolearn that the "ham" portion of the mail is only > >usefull one a single user basis (there're some articels about this issue on > >the net) because of the often individual dictionaries a user's mail have, > >while the spam portion on the other hand isn't. > > > >regards, > >Soeren Gerlach > > How much ham do you use when training? > From http://www.spamassassin.org/doc/sa-learn.html > "It's also worth noting that training with a very small quantity of ham, > will produce atrocious results. You should aim to train with at least the > same amount (or more if possible!) of ham data than spam" I use no ham at all, spam only works quite well. regards, Soeren From kfliong at WOFS.COM Mon Jul 21 03:25:46 2003 
From: kfliong at WOFS.COM (kfliong)
Date: Thu Jan 12 21:19:00 2006
Subject: emails with No Message Collected
In-Reply-To: <5.2.1.1.0.20030716151522.02674a98@192.168.10.2>
References: <1058337818.13524.19.camel@bach.kevinspicer.co.uk> <5C0296D26910694BB9A9BBFC577E7AB001175E47@pascal.priv.bmrb.co.uk> <5C0296D26910694BB9A9BBFC577E7AB001175E47@pascal.priv.bmrb.co.uk>
Message-ID: <5.2.1.1.0.20030721102324.027057c8@192.168.10.2>

I have no idea why sendmail is interfering with the mails. Could someone
please tell me how I could go about to find out the problem?

Would re-installing MailScanner help? And if I re-install MailScanner,
do I need to remove the old version first? What about MailWatch 0.2? Do
I need to do something with that as well?

Thanks in advance.

At 03:43 PM 7/16/2003 +0800, you wrote:
>I have check and both sendmail and MS is using flock.
>
>I see this in MS.conf file - Lock Type = flock
>
>So, both is flock type.
>
>Here is a short list of what i get when it tail maillog.
>
>MTP, daemon=MTA, relay=215.Red-80-36-94.pooles.rima-tde.net [80.36.94.215]
>Jul 16 15:38:00 ensim sendmail[12706]: h6GJbnV12706: to=,
>delay=00:00:07, mailer=virthostmail, pri=32201, stat=queued
>Jul 16 15:38:01 ensim MailScanner[12047]: New Batch: Found 2 messages waiting
>Jul 16 15:38:01 ensim MailScanner[12047]: New Batch: Scanning 1 messages,
>2762 bytes
>Jul 16 15:38:01 ensim MailScanner[12098]: Spam Checks: Found 1 spam messages
>Jul 16 15:38:01 ensim sendmail[12765]: h6GJc1l12765: from=<>, size=999,
>class=0, nrcpts=1,
>msgid=<200307161938.h6GJc1l12765@ensim.wofsproperties.com>,
>relay=root@localhost
>Jul 16 15:38:01 ensim MailScanner[12098]: Virus and Content Scanning: Starting
>Jul 16 15:38:03 ensim sendmail[12768]: h6GJc1l12765:
>to=mariawantsu@compuserve.com, delay=00:00:02, xdelay=00:00:02,
>mailer=esmtp, pri=30999, relay=mx2.compuserve.com. [149.174.40.8],
>dsn=2.0.0, stat=Sent (h6G7hpAR016440 Message accepted for delivery)
>Jul 16 15:38:05 ensim MailScanner[12047]: Spam Checks: Found 1 spam messages
>Jul 16 15:38:05 ensim sendmail[12775]: h6GJc5912775: from=<>, size=937,
>class=0, nrcpts=1,
>msgid=<200307161938.h6GJc5912775@ensim.wofsproperties.com>,
>relay=root@localhost
>Jul 16 15:38:05 ensim MailScanner[12047]: Virus and Content Scanning: Starting
>Jul 16 15:38:06 ensim sendmail[12778]: h6GJc5912775:
>to=mariawantsu@yahoo.com, delay=00:00:01, xdelay=00:00:01, mailer=esmtp,
>pri=30937, relay=mx2.mail.yahoo.com. [64.156.215.5], dsn=5.0.0,
>stat=Service unavailable
>Jul 16 15:38:06 ensim sendmail[12778]: h6GJc5912775: h6GJc6812778:
>postmaster notify: Service unavailable
>Jul 16 15:38:06 ensim sendmail[12778]: h6GJc6812778: to=root,
>delay=00:00:00, xdelay=00:00:00, mailer=local, pri=31037, dsn=2.0.0, stat=Sent
>Jul 16 15:38:23 ensim sendmail[12815]: h6GJcNh12815: from=apache, size=832,
>class=0, nrcpts=1,
>msgid=<200307161938.h6GJcNh12815@ensim.wofsproperties.com>,
>relay=apache@localhost
>Jul 16 15:38:25 ensim sendmail[12818]: h6GJcNh12815: to=izancj@hotmail.com,
>ctladdr=apache (48/48), delay=00:00:02, xdelay=00:00:02, mailer=esmtp,
>pri=30832, relay=mx4.hotmail.com. [65.54.254.151], dsn=2.0.0, stat=Sent (
><200307161938.h6GJcNh12815@ensim.wofsproperties.com> Queued mail for delivery)
>
>Well, I am not sure if this is correct, but how come some mails are being
>handled by MailScanner and some by sendmail?
>
>Thanks in advance.
>
>At 07:43 AM 7/16/2003 +0100, you wrote:
>>On Wed, 2003-07-16 at 03:23, kfliong wrote:
>>
>>I have checked and my "noetrn" command is in the init script. So, what
>>else
>>could be the reason?
>>
>>Maybe a locking problem? Check that sendmail and MS are using the same
>>lock type (and that none of your mail spools are on NFS shares). You
>>can find sendmails lock type as described below (from sendmails site)...
>>
>>
>>"You can determine which locking system is used by sendmail from the
>>output of:
>>
>>     sendmail -bt -d0.10 < /dev/null | grep HASFLOCK
>>
>>If HASFLOCK is in the output, your system is using flock() for locking.
>>Otherwise, it is using fcntl() for locking. "
>>
>>fcntl() is called 'posix' in MS, check that 'Lock Type' in MS.conf is
>>set to the correct type (or commented out if sendmail is using flock()).
>>
>>Failing that - have you checked for anything unusual in the maillog?
>>
>>
>>
>>
>>
>>BMRB International
>>http://www.bmrb.co.uk
>>+44 (0)20 8566 5000

From kevins at BMRB.CO.UK Mon Jul 21 05:25:07 2003
From: kevins at BMRB.CO.UK (Kevin Spicer)
Date: Thu Jan 12 21:19:00 2006
Subject: emails with No Message Collected
In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB001175ED1@pascal.priv.bmrb.co.uk>
References: <5C0296D26910694BB9A9BBFC577E7AB001175ED1@pascal.priv.bmrb.co.uk>
Message-ID: <1058761507.12045.14.camel@bach.kevinspicer.co.uk>

On Mon, 2003-07-21 at 03:25, kfliong wrote:
>Could someone
>please tell me how I could go about to find out the problem?

Could you please identify an affected message, look for the sendmail
message ID in its headers and then grep the maillog for the message ID
and post what you find (previously you tailed the maillog, it wasn't
clear whether that showed anything happening that shouldn't have).

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000

From P.G.M.Peters at utwente.nl Mon Jul 21 10:39:42 2003
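The grep that Kevin Spicer asks for above, as an added Python example that is not part of the original thread: it collects every sendmail line for one queue ID and also follows the "postmaster notify" link to the bounce that sendmail generates under a new ID, which a plain grep on the first ID misses. The log lines are constructed in the format of the maillog excerpt quoted earlier in the thread; the host names, addresses and function names are assumptions.

```python
import re

# One syslog line: timestamp, host, program[pid]: message
LINE_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ '
    r'(?P<prog>[\w.-]+)\[\d+\]: (?P<msg>.*)$')
# A sendmail queue ID followed by ": " (heuristic: 8+ alphanumerics)
QID_RE = re.compile(r'^(?P<qid>[A-Za-z0-9]{8,}): (?P<rest>.*)$')
FROM_RE = re.compile(r'from=(.*?), \w+=')
TO_RE = re.compile(r'to=(.*?), \w+=.*?(?:\bdsn=([\d.]+), )?stat=(.*)$')

# Constructed sample, modelled on the excerpt quoted in the thread.
SAMPLE_MAILLOG = """\
Jul 16 15:38:05 mx1 MailScanner[12047]: Spam Checks: Found 1 spam messages
Jul 16 15:38:05 mx1 sendmail[12775]: h6GJc5912775: from=<>, size=937, class=0, nrcpts=1, msgid=<200307161938.h6GJc5912775@mx1.example.org>, relay=root@localhost
Jul 16 15:38:06 mx1 sendmail[12778]: h6GJc5912775: to=user@example.net, delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=30937, relay=mx.example.net. [192.0.2.25], dsn=5.0.0, stat=Service unavailable
Jul 16 15:38:06 mx1 sendmail[12778]: h6GJc5912775: h6GJc6812778: postmaster notify: Service unavailable
Jul 16 15:38:06 mx1 sendmail[12778]: h6GJc6812778: to=root, delay=00:00:00, xdelay=00:00:00, mailer=local, pri=31037, dsn=2.0.0, stat=Sent
Jul 16 15:38:23 mx1 sendmail[12815]: h6GJcNh12815: from=apache, size=832, class=0, nrcpts=1, msgid=<200307161938.h6GJcNh12815@mx1.example.org>, relay=apache@localhost
"""


def sendmail_entries(log_text):
    """Return (timestamp, queue_id, rest) for every sendmail line with an ID."""
    entries = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m['prog'] != 'sendmail':
            continue  # MailScanner lines carry no queue ID in this format
        q = QID_RE.match(m['msg'])
        if q:
            entries.append((m['ts'], q['qid'], q['rest']))
    return entries


def trace(log_text, start_qid):
    """Summarise start_qid and every queue ID sendmail derived from it."""
    entries = sendmail_entries(log_text)
    wanted, parent = {start_qid}, {}
    grew = True
    while grew:  # repeat until no new linked IDs turn up
        grew = False
        for _ts, qid, rest in entries:
            link = QID_RE.match(rest)  # "oldid: newid: postmaster notify: ..."
            if qid in wanted and link and link['qid'] not in wanted:
                wanted.add(link['qid'])
                parent[link['qid']] = qid
                grew = True
    report = {}
    for ts, qid, rest in entries:
        if qid not in wanted:
            continue
        rec = report.setdefault(
            qid, {'parent': parent.get(qid), 'from': None, 'deliveries': []})
        m = FROM_RE.match(rest)
        if m:
            rec['from'] = m[1]
        m = TO_RE.match(rest)
        if m:
            rec['deliveries'].append((ts, m[1], m[2], m[3]))
    return report


def undelivered(report):
    """Delivery attempts whose DSN code is missing or not 2.x.x."""
    return [(qid, to, stat)
            for qid, rec in report.items()
            for _ts, to, dsn, stat in rec['deliveries']
            if not (dsn or '').startswith('2')]


if __name__ == '__main__':
    result = trace(SAMPLE_MAILLOG, 'h6GJc5912775')
    for qid, rec in result.items():
        print(qid, rec)
    print('not delivered:', undelivered(result))
```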
From: P.G.M.Peters at utwente.nl (Peter Peters)
Date: Thu Jan 12 21:19:00 2006
Subject: is the list going crazy or is it me?
In-Reply-To: <3F181B90.8050809@pacific.net>
References: <3F181B90.8050809@pacific.net>
Message-ID:

On Fri, 18 Jul 2003 09:08:48 -0700, you wrote:

>> Your message is being returned to you unprocessed because it appears to have
>> already been distributed to the MAILSCANNER list. That is, a message with
>> identical text (but possibly with different mail headers) has been posted to
>> the list recently, either by you or by someone else. If you have a good reason
>> to resend this message to the list (for instance because you have been notified
>> of a hardware failure with loss of data), please alter the text of the message
>> in some way and resend it to the list. Note that altering the "Subject:" line
>> or adding blank lines at the top or bottom of the message is not sufficient;
>> you should instead add a sentence or two at the top explaining why you are
>> resending the message, so that the other subscribers understand why they are
>> getting two copies of the same message.
>
>I only sent one copy of each email, and messages are being posted to the
>list AFAIK.

In my case I get a message stating that my address is not on the
subscribers list and the message will not be processed. But my e-mail
gets distributed.

--
Peter Peters, senior network administrator
Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE)
Universiteit Twente, Postbus 217, 7500 AE Enschede
telephone: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/civ

From davidj at IMPOL.NET Mon Jul 21 12:11:37 2003
From: davidj at IMPOL.NET (David Jacobson)
Date: Thu Jan 12 21:19:00 2006
Subject: Fw: MailScanner + Exim spooler - processing, but not delivering mails.
Message-ID:

Skipped content of type multipart/alternative
-------------- next part --------------
A non-text attachment was scrubbed...
Name: configure
Type: application/octet-stream
Size: 22644 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030721/047f2cbc/configure.obj
-------------- next part --------------
A non-text attachment was scrubbed...
Name: MailScanner.conf
Type: application/octet-stream
Size: 48193 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030721/047f2cbc/MailScanner.obj
-------------- next part --------------
A non-text attachment was scrubbed...
Name: MailScanner-init.d
Type: application/octet-stream
Size: 7887 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030721/047f2cbc/MailScanner-init.obj
-------------- next part --------------
A non-text attachment was scrubbed...
Name: MailScanner-sysconfig
Type: application/octet-stream
Size: 1003 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030721/047f2cbc/MailScanner-sysconfig.obj
-------------- next part --------------
A non-text attachment was scrubbed...
Name: maillog
Type: application/octet-stream
Size: 20148 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030721/047f2cbc/maillog.obj
-------------- next part --------------
A non-text attachment was scrubbed...
Name: mainlog
Type: application/octet-stream
Size: 3186 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030721/047f2cbc/mainlog.obj

From davidj at IMPOL.NET Mon Jul 21 13:23:18 2003
From: davidj at IMPOL.NET (David Jacobson)
Date: Thu Jan 12 21:19:00 2006
Subject: Fw: MailScanner + Exim spooler - processing, but not delivering mails.
In-Reply-To: <20030721114359.GC30668@hoiho.nz.lemon-computing.com>
Message-ID:

Hi,

Thanks for your prompt reply.

I used to have split incoming and outgoing directories, however since
nothing was working, to attempt to resolve the problem I made it not
split the directories.

However, yes, there are indeed two exim processes running.

PS OUTPUT
-------------------
  PID TTY      STAT   TIME COMMAND
    1 ?        S      0:04 init
    2 ?        SW     0:00 [keventd]
    3 ?        SWN    0:00 [ksoftirqd_CPU0]
    8 ?        SW     0:00 [bdflush]
    4 ?        SW     0:00 [kswapd]
    5 ?        SW     0:00 [kscand/DMA]
    6 ?        SW     0:00 [kscand/Normal]
    7 ?        SW     0:00 [kscand/HighMem]
    9 ?        SW     0:00 [kupdated]
   10 ?        SW     0:00 [mdrecoveryd]
   14 ?        SW     0:00 [kjournald]
   72 ?        SW     0:00 [khubd]
  279 ?        SW     0:00 [kjournald]
  280 ?        SW     0:00 [kjournald]
  281 ?        SW     0:00 [kjournald]
  595 ?        S      0:00 syslogd -m 0
  599 ?        S      0:00 klogd -x
  617 ?        S      0:00 portmap
  636 ?        S      0:00 rpc.statd
  732 ?        S      0:00 /usr/sbin/sshd
  747 ?        S      0:00 xinetd -stayalive -pidfile /var/run/xinetd.pid
  789 ?        S      0:00 gpm -t ps/2 -m /dev/mouse
  798 ?        S      0:00 crond
  820 ?        S      0:00 /usr/sbin/atd
  832 ?        S      0:00 /usr/bin/perl /usr/libexec/webmin/miniserv.pl /etc/webmin/miniserv.conf
  835 tty1     S      0:00 /sbin/mingetty tty1
  836 tty2     S      0:00 /sbin/mingetty tty2
  837 tty3     S      0:00 /sbin/mingetty tty3
  838 tty4     S      0:00 /sbin/mingetty tty4
  839 tty5     S      0:00 /sbin/mingetty tty5
  840 tty6     S      0:00 /sbin/mingetty tty6
  907 ?        S      0:01 /usr/sbin/sshd
  909 pts/0    S      0:01 -bash
 1732 ?        S      0:00 /usr/exim/bin/exim -C /usr/exim/configure -q15m
 1750 ?        S      0:00 /usr/bin/perl -I/usr/lib/MailScanner /usr/sbin/MailScanner /etc/MailScanner/MailScanner.conf
 1751 ?        S      0:01 /usr/bin/perl -I/usr/lib/MailScanner /usr/sbin/MailScanner /etc/MailScanner/MailScanner.conf
 1756 ?        S      0:01 /usr/bin/perl -I/usr/lib/MailScanner /usr/sbin/MailScanner /etc/MailScanner/MailScanner.conf
 1758 ?        S      0:01 /usr/bin/perl -I/usr/lib/MailScanner /usr/sbin/MailScanner /etc/MailScanner/MailScanner.conf
 1764 ?        S      0:01 /usr/bin/perl -I/usr/lib/MailScanner /usr/sbin/MailScanner /etc/MailScanner/MailScanner.conf
 1765 ?        S      0:01 /usr/bin/perl -I/usr/lib/MailScanner /usr/sbin/MailScanner /etc/MailScanner/MailScanner.conf
 1729 ?        S      0:00 /usr/exim/bin/exim -C /usr/exim/configure -bd -odq -DSPOOL=/var/spool/exim
 2075 ?        Z      0:00 [exim ]
 2076 pts/0    R      0:00 ps ax

Kind regards,

David Jacobson
System Architect
Imperial Online - The Imperial Connection
Switchboard (+27) 11 723-8000
Helpdesk (+27) 11 723-8181
Mobile (+27) 83 235-0760
Facsimile (+27) 11 454 1236
Email davidj@impol.net
www.imperialonline.co.za / www.imperialtoday.co.za

Confidentiality Notice: This communication and the information it
contains are intended for the person(s) or organisation(s) named above
and for no other person(s) or organisation(s). The content of this
communication may be confidential, legally privileged and protected.
Unauthorised use, copying or disclosure of any part of this
communication may be unlawful.

Nick Phillips
Sent by: MailScanner mailing list
07/21/2003 01:43 PM
Please respond to MailScanner mailing list
To MAILSCANNER@JISCMAIL.AC.UK
cc
Subject Re: Fw: MailScanner + Exim spooler - processing, but not delivering mails.

On Mon, Jul 21, 2003 at 01:11:37PM +0200, David Jacobson wrote:
> To whom it may concern,
>
> OS : Linux
> Distribution: Redhat 9
> Kernel: 2.4.20-18.9
> MTA: Exim 4.20
> MailScanner: 4.22-5 (RPM)
>
> Mail should work like this
> -------------------------------------
>
> Hits our spooler (MailScanner), it should scan the message then deliver it
> to the real mail servers where the
> mail boxes reside.
>
> Problem: Mail comes in - I see it in queue for 1 second, it then says it's
> scanned and delivered and the message
> does not get delivered even though the files are out the queue.
>
> I am using one spool directory...

You do actually have two exim processes, don't you? With separate spool
directories (one each)?

Cheers,

Nick

--
Nick Phillips -- nwp@lemon-computing.com
You will soon forget this.

From mailscanner at ELKNET.NET Mon Jul 21 14:11:58 2003
From: mailscanner at ELKNET.NET (Alan Fiebig)
Date: Thu Jan 12 21:19:00 2006
Subject: From = to
Message-ID: <200307211312.h6LDC0S21092@ori.rl.ac.uk>

Excellent! Thank you!

>On Saturday 19 July 2003 10:45 pm, Antony Stone wrote:
>
>> Is there any mileage in creating yourself a SpamAssassin rule which picks
>> up on From=To, and assigning it a high enough score that it reaches your
>> MailScanner High Spam Score, which you can then delete?
>
>This seemed like a neat opportunity to write my first SpamAssassin rule, so I
>thought I'd give it a try.
>
>I came up with this:
>
>In the file /usr/lib/perl5/site_perl/Mail/SpamAssassin/EvalTests.pm there is
>already a function called check_for_from_to_same (which is badly named,
>because it explicitly does *not* match the from and to addresses being
>identical - only if they are 'similar'....)
>
>Using this as a template, I created a new function:
>
>sub check_for_from_to_identical {
>  my ($self) = @_;
>
>  my $addr_from = $self->get('From:addr');
>  my $addr_to = $self->get('To:addr');
>  $addr_from =~ s/\s+//g;
>  $addr_to =~ s/\s+//g;
>  return 1 if ($addr_from eq $addr_to);
>  return 0;
>}
>
>I then added three lines to /opt/MailScanner/etc/spam.assassin.prefs.conf:
>
>header FROM_AND_TO_IDENTICAL eval:check_for_from_to_identical()
>describe FROM_AND_TO_IDENTICAL From and To are the same address
>score FROM_AND_TO_IDENTICAL 20
>
>The only thing which bothers me slightly about this idea is that I think I
>see some emails from genuine mailing lists which set the from and to
>addresses to the same thing - I disapprove of that, but it would lead to some
>false positives if the mailing lists aren't whitelisted....
>
>Anyway, have fun,
>
>Antony.
>
>--
>
>It is also possible that putting the birds in a laboratory setting
>inadvertently renders them relatively incompetent.
>
> - Daniel C Dennett

From steve.douglas at SBIINCORPORATED.COM Mon Jul 21 15:23:55 2003
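The From=To comparison from the rule quoted above, as an added stand-alone Python model that is not part of the original post and is not SpamAssassin code. It goes beyond the quoted Perl in two ways: addresses are compared case-insensitively with display names stripped, and a List-Id allowlist covers the mailing-list false positive the post worries about. The sample messages, the allowlist mechanism and all function names are assumptions.

```python
import re
from email import message_from_string
from email.utils import getaddresses

RULE_NAME = "FROM_AND_TO_IDENTICAL"  # rule name used in the quoted post


def _addrs(msg, header):
    """Bare addresses from every occurrence of a header, lower-cased.

    Lower-casing the local part is an assumption made here; it is
    technically case-sensitive but almost never treated that way.
    """
    pairs = getaddresses(msg.get_all(header, []))
    return {addr.strip().lower() for _name, addr in pairs if addr.strip()}


def _list_id(msg):
    """The identifier inside <...> of a List-Id header, or None."""
    m = re.search(r"<([^>]+)>", msg.get("List-Id", ""))
    return m.group(1).strip().lower() if m else None


def classify(raw_message, trusted_list_ids=frozenset()):
    """Return 'hit', 'allowlisted' or 'miss' for one raw message.

    'hit' means the set of From addresses equals the set of To
    addresses, i.e. the message claims to be sent by its only recipient.
    """
    msg = message_from_string(raw_message)
    senders, recipients = _addrs(msg, "From"), _addrs(msg, "To")
    if not senders or senders != recipients:
        return "miss"
    if _list_id(msg) in trusted_list_ids:
        return "allowlisted"
    return "hit"


# Constructed sample messages (headers only matter here).
SAMPLES = {
    "forged_self": (
        "From: user@example.org\nTo: user@example.org\n"
        "Subject: hi\n\nbody\n"),
    "display_name_and_case": (
        'From: "Some One" <User@Example.ORG>\nTo: user@example.org\n'
        "Subject: hi\n\nbody\n"),
    "mailing_list": (
        "From: announce@lists.example.net\nTo: announce@lists.example.net\n"
        "List-Id: Announcements <announce.lists.example.net>\n"
        "Subject: news\n\nbody\n"),
    "ordinary": (
        "From: alice@example.org\nTo: bob@example.org\n"
        "Subject: hi\n\nbody\n"),
}

TRUSTED = frozenset({"announce.lists.example.net"})

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:24} {RULE_NAME}: {classify(raw, TRUSTED)}")
```

The second sample is one the quoted Perl comparison would not match, because `eq` is case-sensitive.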
From: steve.douglas at SBIINCORPORATED.COM (Steve Douglas) Date: Thu Jan 12 21:19:00 2006 Subject: bayes_journal file size Message-ID: <3963522F0E71474CB14C0FF54A6914F701115254@mail.gardenbotanika.com> I have incorporated MS with SpamAssassin, but I can not locate where this bayes database exists. Am I missing something? I would like to at minimum check the size of my database and autolearn if necessary. Thanks. SD :-) > -----Original Message----- > From: Kevin Spicer [mailto:kevins@BMRB.CO.UK] > Sent: Wednesday, July 16, 2003 3:16 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: bayes_journal file size > > >Is there > >a setting that I can adjust to put a cap on this > >bayes_journal file? > > You should run sa-learn --rebuild periodically. > > The other largish file is the bayes_toks file which will initially tend > to grow quite quickly, as the Bayes engine learns new tokens. Over time > this rate of growth will slow, and IIRC tokens which have not been used > for a while are removed (not sure on that). > > > > > > BMRB International > http://www.bmrb.co.uk > +44 (0)20 8566 5000 > _________________________________________________________________ > This message (and any attachment) is intended only for the > recipient and may contain confidential and/or privileged > material. If you have received this in error, please contact the > sender and delete this message immediately. Disclosure, copying > or other action taken in respect of this email or in > reliance on it is prohibited. BMRB International Limited > accepts no liability in relation to any personal emails, or > content of any email which does not directly relate to our > business. From wpc4 at DODGETHIS.ORG Mon Jul 21 15:27:36 2003 
From: wpc4 at DODGETHIS.ORG (William Curley) Date: Thu Jan 12 21:19:00 2006 Subject: bayes_journal file size References: <3963522F0E71474CB14C0FF54A6914F701115254@mail.gardenbotanika.com> Message-ID: <004301c34f94$3c4e1490$0600a8c0@dejour> Unless mailscanner does it differently the bayes_* files are stored under ~/.spamassassin ----- Original Message ----- From: "Steve Douglas" To: Sent: Monday, July 21, 2003 7:23 AM Subject: Re: bayes_journal file size > I have incorporated MS with SpamAssassin, but I can not locate where this > bayes database exists. Am I missing something? I would like to at minimum > check the size of my database and autolearn if necessary. Thanks. > > SD > :-) > > > > -----Original Message----- 
> > From: Kevin Spicer [mailto:kevins@BMRB.CO.UK] > > Sent: Wednesday, July 16, 2003 3:16 PM > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: Re: bayes_journal file size > > > > >Is there > > >a setting that I can adjust to put a cap on this > > >bayes_journal file? > > > > You should run sa-learn --rebuild periodically. > > > > The other largish file is the bayes_toks file which will initially tend > > to grow quite quickly, as the Bayes engine learns new tokens. Over time > > this rate of growth will slow, and IIRC tokens which have not been used > > for a while are removed (not sure on that). > > > > > > > > > > > > BMRB International > > http://www.bmrb.co.uk > > +44 (0)20 8566 5000 > > _________________________________________________________________ > > This message (and any attachment) is intended only for the > > recipient and may contain confidential and/or privileged > > material. If you have received this in error, please contact the > > sender and delete this message immediately. Disclosure, copying > > or other action taken in respect of this email or in > > reliance on it is prohibited. BMRB International Limited > > accepts no liability in relation to any personal emails, or > > content of any email which does not directly relate to our > > business. > From TGFurnish at HERFF-JONES.COM Mon Jul 21 15:29:44 2003 From: TGFurnish at HERFF-JONES.COM (Furnish, Trever G) Date: Thu Jan 12 21:19:00 2006 Subject: bayes_journal file size Message-ID: <8FFC76593085ED4A80D3601BC41EFCDF0C02E5@inex1.herffjones.hj-int> If you don't know, then it's probably in some user's .spamassassin directory (typically root's). You probably want to look at the config file /etc/MailScanner/spam.assassin.prefs.conf and ponder this setting: bayes_path /var/spool/spamassassin/bayes >-----Original Message----- 
>From: Steve Douglas [mailto:steve.douglas@SBIINCORPORATED.COM] >Sent: Monday, July 21, 2003 9:24 AM >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Re: bayes_journal file size > > >I have incorporated MS with SpamAssassin, but I can not locate >where this >bayes database exists. Am I missing something? I would like >to at minimum >check the size of my database and autolearn if necessary. Thanks. > >SD >:-) > > >> -----Original Message----- >> From: Kevin Spicer [mailto:kevins@BMRB.CO.UK] >> Sent: Wednesday, July 16, 2003 3:16 PM >> To: MAILSCANNER@JISCMAIL.AC.UK >> Subject: Re: bayes_journal file size >> >> >Is there >> >a setting that I can adjust to put a cap on this >> >bayes_journal file? >> >> You should run sa-learn --rebuild periodically. >> >> The other largish file is the bayes_toks file which will >initially tend >> to grow quite quickly, as the Bayes engine learns new >tokens. Over time >> this rate of growth will slow, and IIRC tokens which have >not been used >> for a while are removed (not sure on that). >> >> >> >> >> >> BMRB International >> http://www.bmrb.co.uk >> +44 (0)20 8566 5000 >> _________________________________________________________________ >> This message (and any attachment) is intended only for the >> recipient and may contain confidential and/or privileged >> material. If you have received this in error, please contact the >> sender and delete this message immediately. Disclosure, copying >> or other action taken in respect of this email or in >> reliance on it is prohibited. BMRB International Limited >> accepts no liability in relation to any personal emails, or >> content of any email which does not directly relate to our >> business. > From steve.douglas at SBIINCORPORATED.COM Mon Jul 21 15:29:56 2003 
From: steve.douglas at SBIINCORPORATED.COM (Steve Douglas) Date: Thu Jan 12 21:19:00 2006 Subject: bayes_journal file size Message-ID: <3963522F0E71474CB14C0FF54A6914F701115255@mail.gardenbotanika.com> I am not a Linux guru by any stretch, but does ~/.spamassassin imply the root? SD :-) > -----Original Message----- > From: William Curley [mailto:wpc4@DODGETHIS.ORG] > Sent: Monday, July 21, 2003 9:28 AM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: bayes_journal file size > > Unless mailscanner does it differently the bayes_* files are stored under > ~/.spamassassin > > ----- Original Message ----- > From: "Steve Douglas" > To: > Sent: Monday, July 21, 2003 7:23 AM > Subject: Re: bayes_journal file size > > > > I have incorporated MS with SpamAssassin, but I can not locate where > this > > bayes database exists. Am I missing something? I would like to at > minimum > > check the size of my database and autolearn if necessary. Thanks. > > > > SD > > :-) > > > > > > > -----Original Message----- 
> > > From: Kevin Spicer [mailto:kevins@BMRB.CO.UK] > > > Sent: Wednesday, July 16, 2003 3:16 PM > > > To: MAILSCANNER@JISCMAIL.AC.UK > > > Subject: Re: bayes_journal file size > > > > > > >Is there > > > >a setting that I can adjust to put a cap on this > > > >bayes_journal file? > > > > > > You should run sa-learn --rebuild periodically. > > > > > > The other largish file is the bayes_toks file which will initially > tend > > > to grow quite quickly, as the Bayes engine learns new tokens. Over > time > > > this rate of growth will slow, and IIRC tokens which have not been > used > > > for a while are removed (not sure on that). > > > > > > > > > > > > > > > > > > BMRB International > > > http://www.bmrb.co.uk > > > +44 (0)20 8566 5000 > > > _________________________________________________________________ > > > This message (and any attachment) is intended only for the > > > recipient and may contain confidential and/or privileged > > > material. If you have received this in error, please contact the > > > sender and delete this message immediately. Disclosure, copying > > > or other action taken in respect of this email or in > > > reliance on it is prohibited. BMRB International Limited > > > accepts no liability in relation to any personal emails, or > > > content of any email which does not directly relate to our > > > business. > > From TGFurnish at HERFF-JONES.COM Mon Jul 21 15:31:32 2003 From: TGFurnish at HERFF-JONES.COM (Furnish, Trever G) Date: Thu Jan 12 21:19:00 2006 Subject: bayes_journal file size Message-ID: <8FFC76593085ED4A80D3601BC41EFCDF0C02E6@inex1.herffjones.hj-int> "~" is "current user's home directory", so if you're logged in as root, then ~/.spamassassin is the .spamassassin directory under root's home directory. >-----Original Message----- 
>From: Steve Douglas [mailto:steve.douglas@SBIINCORPORATED.COM] >Sent: Monday, July 21, 2003 9:30 AM >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Re: bayes_journal file size > > >I am not a Linux guru by any stretch, but does ~/.spamassassin >imply the >root? > >SD >:-) > > >> -----Original Message----- >> From: William Curley [mailto:wpc4@DODGETHIS.ORG] >> Sent: Monday, July 21, 2003 9:28 AM >> To: MAILSCANNER@JISCMAIL.AC.UK >> Subject: Re: bayes_journal file size >> >> Unless mailscanner does it differently the bayes_* files are >stored under >> ~/.spamassassin >> >> ----- Original Message ----- >> From: "Steve Douglas" >> To: >> Sent: Monday, July 21, 2003 7:23 AM >> Subject: Re: bayes_journal file size >> >> >> > I have incorporated MS with SpamAssassin, but I can not >locate where >> this >> > bayes database exists. Am I missing something? I would like to at >> minimum >> > check the size of my database and autolearn if necessary. Thanks. >> > >> > SD >> > :-) >> > >> > >> > > -----Original Message----- 
>> > > From: Kevin Spicer [mailto:kevins@BMRB.CO.UK] >> > > Sent: Wednesday, July 16, 2003 3:16 PM >> > > To: MAILSCANNER@JISCMAIL.AC.UK >> > > Subject: Re: bayes_journal file size >> > > >> > > >Is there >> > > >a setting that I can adjust to put a cap on this >> > > >bayes_journal file? >> > > >> > > You should run sa-learn --rebuild periodically. >> > > >> > > The other largish file is the bayes_toks file which will >initially >> tend >> > > to grow quite quickly, as the Bayes engine learns new >tokens. Over >> time >> > > this rate of growth will slow, and IIRC tokens which >have not been >> used >> > > for a while are removed (not sure on that). >> > > >> > > >> > > >> > > >> > > >> > > BMRB International >> > > http://www.bmrb.co.uk >> > > +44 (0)20 8566 5000 >> > > _________________________________________________________________ >> > > This message (and any attachment) is intended only for the >> > > recipient and may contain confidential and/or privileged >> > > material. If you have received this in error, please contact the >> > > sender and delete this message immediately. Disclosure, copying >> > > or other action taken in respect of this email or in >> > > reliance on it is prohibited. BMRB International Limited >> > > accepts no liability in relation to any personal emails, or >> > > content of any email which does not directly relate to our >> > > business. >> > > From mailscanner at LISTS.COM.AR Mon Jul 21 15:38:58 2003 
From: mailscanner at LISTS.COM.AR (Mariano Absatz)
Date: Thu Jan 12 21:19:00 2006
Subject: scripts & patches for download
In-Reply-To: <3F184A3B.23580.16865C27@localhost>
Message-ID: <3F1BD0D2.13151.244C4EE3@localhost>

As promised, here's the updated installation instructions for
MailScanner+ZMailer:
http://baby.com.ar/MailScanner/ModifiedFilesForMailScannerDistribution/doc/install/zmailer.shtml

When Julian comes back, we'll see if he uploads this update, as well as
some of the modifications to the startup script, so it is easier to do
MailScanner+ZMailer via RPM.

On 18 Jul 2003 at 19:27, Mariano Absatz wrote:

> Hi,
>
> I know, my Pegasus mail client has too much personality for adding some text
> attachments...
>
> I uploaded all the patches and scripts I sent so you can download them from
> the web...
>
> The patches and script for using ZMailer and MailScanner from rpm's are in
> http://baby.com.ar/MailScanner/ZMailer.rpm.patches/
>
> The standalone startup script (so you can start it independently from the
> MTA) is in
> http://baby.com.ar/MailScanner/StandAloneStartupScript/MailScanner
>
> Finally, Julian, when you're back, would you replace the
> /etc/rc.d/init.d/MailScanner and /etc/sysconfig/MailScanner files in the rpm
> with the ones at
> http://baby.com.ar/MailScanner/ModifiedFilesForMailScannerDistribution/ ?
>
> This would incorporate ZMailer into the rpm distribution.
>
> I'll modify the web page at
> http://www.sng.ecs.soton.ac.uk/mailscanner/install/zmailer.shtml
> and post it so you can upgrade that too.
>
> Have a nice weekend!
>

--
Mariano Absatz
El Baby
----------------------------------------------------------
I am not afraid of death, I just don't want to be there when it happens.
    -- Woody Allen

From steve.douglas at SBIINCORPORATED.COM Mon Jul 21 15:44:37 2003
From: steve.douglas at SBIINCORPORATED.COM (Steve Douglas) Date: Thu Jan 12 21:19:00 2006 Subject: bayes_journal file size Message-ID: <3963522F0E71474CB14C0FF54A6914F701115256@mail.gardenbotanika.com> Thank you. Apparently I am not using bayes. I looked through the MailScanner Config file and the keyword bayes is nowhere to be found. However, I do have SpamAssassin on my gateway. I am using the following config: Fprot 4.1.0 SpamAssassin 2.55 MS 4.21-9 SendMail Perl SD :-) > -----Original Message----- > From: Furnish, Trever G [mailto:TGFurnish@HERFF-JONES.COM] > Sent: Monday, July 21, 2003 9:32 AM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: bayes_journal file size > > "~" is "current user's home directory", so if you're logged in as root, > then > ~/.spamassassin is the .spamassassin directory under root's home > directory. > > >-----Original Message----- > >From: Steve Douglas [mailto:steve.douglas@SBIINCORPORATED.COM] > >Sent: Monday, July 21, 2003 9:30 AM > >To: MAILSCANNER@JISCMAIL.AC.UK > >Subject: Re: bayes_journal file size > > > > > >I am not a Linux guru by any stretch, but does ~/.spamassassin > >imply the > >root? > > > >SD > >:-) > > > > > >> -----Original Message----- > >> From: William Curley [mailto:wpc4@DODGETHIS.ORG] > >> Sent: Monday, July 21, 2003 9:28 AM > >> To: MAILSCANNER@JISCMAIL.AC.UK > >> Subject: Re: bayes_journal file size > >> > >> Unless mailscanner does it differently the bayes_* files are > >stored under > >> ~/.spamassassin > >> > >> ----- Original Message ----- > >> From: "Steve Douglas" > >> To: > >> Sent: Monday, July 21, 2003 7:23 AM > >> Subject: Re: bayes_journal file size > >> > >> > >> > I have incorporated MS with SpamAssassin, but I can not > >locate where > >> this > >> > bayes database exists. Am I missing something? I would like to at > >> minimum > >> > check the size of my database and autolearn if necessary. Thanks. > >> > > >> > SD > >> > :-) > >> > > >> > > >> > > -----Original Message----- 
> >> > > From: Kevin Spicer [mailto:kevins@BMRB.CO.UK] > >> > > Sent: Wednesday, July 16, 2003 3:16 PM > >> > > To: MAILSCANNER@JISCMAIL.AC.UK > >> > > Subject: Re: bayes_journal file size > >> > > > >> > > >Is there > >> > > >a setting that I can adjust to put a cap on this > >> > > >bayes_journal file? > >> > > > >> > > You should run sa-learn --rebuild periodically. > >> > > > >> > > The other largish file is the bayes_toks file which will > >initially > >> tend > >> > > to grow quite quickly, as the Bayes engine learns new > >tokens. Over > >> time > >> > > this rate of growth will slow, and IIRC tokens which > >have not been > >> used > >> > > for a while are removed (not sure on that). > >> > > > >> > > > >> > > > >> > > > >> > > > >> > > BMRB International > >> > > http://www.bmrb.co.uk > >> > > +44 (0)20 8566 5000 > >> > > _________________________________________________________________ > >> > > This message (and any attachment) is intended only for the > >> > > recipient and may contain confidential and/or privileged > >> > > material. If you have received this in error, please contact the > >> > > sender and delete this message immediately. Disclosure, copying > >> > > or other action taken in respect of this email or in > >> > > reliance on it is prohibited. BMRB International Limited > >> > > accepts no liability in relation to any personal emails, or > >> > > content of any email which does not directly relate to our > >> > > business. > >> > > > From P.G.M.Peters at utwente.nl Mon Jul 21 15:44:58 2003 
From: P.G.M.Peters at utwente.nl (Peter Peters)
Date: Thu Jan 12 21:19:00 2006
Subject: bayes_journal file size
In-Reply-To: <8FFC76593085ED4A80D3601BC41EFCDF0C02E6@inex1.herffjones.hj-int>
References: <8FFC76593085ED4A80D3601BC41EFCDF0C02E6@inex1.herffjones.hj-int>
Message-ID:

On Mon, 21 Jul 2003 09:31:32 -0500, you wrote:

>"~" is "current user's home directory", so if you're logged in as root, then
>~/.spamassassin is the .spamassassin directory under root's home directory.

It doesn't refer to the user you are logged in as but to the user MS is
running as. Yes, usually root but to be safe something else.

--
Peter Peters, senior network administrator
Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE)
Universiteit Twente, Postbus 217, 7500 AE Enschede
telephone: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/civ

From dot at DOTAT.AT Mon Jul 21 15:36:55 2003
From: dot at DOTAT.AT (Tony Finch)
Date: Thu Jan 12 21:19:00 2006
Subject: Fw: MailScanner + Exim spooler - processing, but not delivering mails.
In-Reply-To:
References: <20030721114359.GC30668@hoiho.nz.lemon-computing.com>
Message-ID:

David Jacobson wrote:
>
> 1732 ? S 0:00 /usr/exim/bin/exim -C /usr/exim/configure -q15m
> 1729 ? S 0:00 /usr/exim/bin/exim -C /usr/exim/configure -bd -odq -DSPOOL=/var/spool/exim

Both of your exims are using the same spool directory, which is wrong.
You have the same mistake in your MailScanner.conf.

Is the Exim documentation insufficiently clear? I wrote it so I have
some interest in making sure it's straightforward.

Tony.
--
f.a.n.finch http://dotat.at/
SOUTHEAST ICELAND: VARIABLE OR SOUTHEASTERLY 3 OR LESS. RAIN OR DRIZZLE AT
TIMES. MODERATE WITH FOG PATCHES.

From nwp at LEMON-COMPUTING.COM Sat Jul 19 16:15:17 2003
From: nwp at LEMON-COMPUTING.COM (Nick Phillips) Date: Thu Jan 12 21:19:00 2006 Subject: DNSBL Whitelist In-Reply-To: <043101c34c77$6392a540$0a010a0a@dirt> References: <043101c34c77$6392a540$0a010a0a@dirt> Message-ID: <20030719151517.GB17686@hoiho.nz.lemon-computing.com> On Thu, Jul 17, 2003 at 08:23:34AM -0700, Bill Anderson wrote: > I asked this question earlier, however from the lack of response, I assume I > posed the question unclearly. Nope, just that: 1) It seems like a good idea; 2) Julian's not around to release anything at the moment, even if it did happen to get written somehow. Cheers, Nick -- Nick Phillips -- nwp@lemon-computing.com Bonus fortune cookie: buy 10 get 1 FREE! From nwp at LEMON-COMPUTING.COM Sat Jul 19 16:18:07 2003 From: nwp at LEMON-COMPUTING.COM (Nick Phillips) Date: Thu Jan 12 21:19:00 2006 Subject: Restarting the MailScanner process. In-Reply-To: <0a1601c34c64$b315d960$cb3ca8c0@orctel.internal> References: <0a1601c34c64$b315d960$cb3ca8c0@orctel.internal> Message-ID: <20030719151807.GC17686@hoiho.nz.lemon-computing.com> On Thu, Jul 17, 2003 at 02:09:42PM +0100, Will Mc Donald wrote: > Guys, > > hopefully a quickie here. I've just modified my MailScanner.conf to look at a rule to allow HTML tags FromOrTo just one specific address. > > We're running MailScanner-4.22-4 from the tarball distribution and I just wanted to know what's the quickest, safest way to restart to reread that config? Can I just kill -1 the PPID? Or do I kill the process and its children then run check_mailscanner again? Why not try the former? It should work... Cheers, Nick -- Nick Phillips -- nwp@lemon-computing.com Perfect day for scrubbing the floor and other exciting things. From nwp at LEMON-COMPUTING.COM Mon Jul 21 12:43:59 2003 
From: nwp at LEMON-COMPUTING.COM (Nick Phillips) Date: Thu Jan 12 21:19:00 2006 Subject: Fw: MailScanner + Exim spooler - processing, but not delivering mails. In-Reply-To: References: Message-ID: <20030721114359.GC30668@hoiho.nz.lemon-computing.com> On Mon, Jul 21, 2003 at 01:11:37PM +0200, David Jacobson wrote: > To whom it may concern, > > OS : Linux > Distribution: Redhat 9 > Kernel: 2.4.20-18.9 > MTA: Exim 4.20 > MailScanner: 4.22-5 (RPM) > > Mail should work like this > ------------------------------------- > > Hits our spooler (MailScanner), it should scan the message then deliver it > to the real mail servers where the > mail boxes reside. > > Problem: Mail comes in - I see it in queue for 1 second, it then says it's > scanned and delivered and the message > does not get delivered even though the files are out the queue. > > I am using one spool directory... You do actually have two exim processes, don't you? With separate spool directories (one each)? Cheers, Nick -- Nick Phillips -- nwp@lemon-computing.com You will soon forget this. From steve.douglas at SBIINCORPORATED.COM Mon Jul 21 15:49:55 2003 From: steve.douglas at SBIINCORPORATED.COM (Steve Douglas) Date: Thu Jan 12 21:19:00 2006 Subject: bayes_journal file size Message-ID: <3963522F0E71474CB14C0FF54A6914F701115257@mail.gardenbotanika.com> Thank you. I did locate the bayes_journal finally. Mine is in no way too big. I am at 10.3 mb. So I would presume my SPAM gateway is not passing anywhere near as much as traffic compared to others I have read about. Even though this is the case, is still a good ideas to perform the auto-learn feature every now and then? If so, should I stop MailScanner prior to performing this? Thanks for the feedback! SD :-) > -----Original Message----- 
> From: Peter Peters [mailto:P.G.M.Peters@utwente.nl] > Sent: Monday, July 21, 2003 9:45 AM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: bayes_journal file size > > On Mon, 21 Jul 2003 09:31:32 -0500, you wrote: > > >"~" is "current user's home directory", so if you're logged in as root, > then > >~/.spamassassin is the .spamassassin directory under root's home > directory. > > It doesn't refer to the user you are logged into but to the user MS is > running as. Yes, usually root but to be save something else. > > -- > Peter Peters, senior netwerkbeheerder > Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE) > Universiteit Twente, Postbus 217, 7500 AE Enschede > telefoon: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/civ From P.Delaney at RL.AC.UK Mon Jul 21 16:06:10 2003 From: P.Delaney at RL.AC.UK (Delaney, P (Pam)) Date: Thu Jan 12 21:19:00 2006 Subject: Test - please ignore Message-ID: <350DC7048372D31197F200902773DF4C01EBE6F0@exchange11.rl.ac.uk> Test for duplication Pam Pamela Delaney JISCmail Helpline Manager 01235 445344 mailto:p.delaney@rl.ac.uk From HancockS at MORGANCO.COM Mon Jul 21 17:07:43 2003 From: HancockS at MORGANCO.COM (Hancock, Scott) Date: Thu Jan 12 21:19:00 2006 Subject: Panda Software Command line update script from Panda support. Message-ID: <3EA1A302A4978A4C970D2C63F327156E012EEFB8@worc-mail2.int.morganco.com> Skipped content of type multipart/alternative-------------- next part -------------- A non-text attachment was scrubbed... Name: pavcl_update_script.tgz Type: application/x-compressed Size: 2319 bytes Desc: pavcl_update_script.tgz Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030721/cbf9fe17/pavcl_update_script.bin From vboulytchev at COINFOTECH.COM Mon Jul 21 17:23:34 2003 
From: vboulytchev at COINFOTECH.COM (Boulytchev, Vasiliy)
Date: Thu Jan 12 21:19:00 2006
Subject: .bad files continued
Message-ID: <1958DE295D9656499ECAAD3642822DE0033FAC@willow.office.coinfotech.com>

sweeeeeet,

Would you CC me on the fix? Also I am noticing, that emails get a .bad when I have a BCC. The problem below I resolved by doing the following in cgp2ms

    foreach $to (@rcpt) {
        # print the recipient list
        print QF "RPFD:$to\n";
    }

(just take out RPFD:) and no more .bads :)))))))))))

The BCC issue is different. I see that /opt/Mailscanner/lib/Mailscanner/Sendmail.pm is searching for $RFound, $SFound, $IPFound.

Thanks for looking into this!!!!!!!!!!!!!!!!!!!!!!!!

Vasiliy Boulytchev
Colorado Information Technologies Inc.
(719) 473-2800 x15

-----Original Message-----
From: John Rudd [mailto:jrudd@UCSC.EDU] Sent: Saturday, July 19, 2003 11:44 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: .bad files continued On Thursday, Jul 17, 2003, at 14:42 US/Pacific, Kevin Spicer wrote: > On Thu, 2003-07-17 at 22:14, Boulytchev, Vasiliy wrote: >> Ladies and Gents, >> cgp2ms is adding RPFD to the recipients line. Why its doing that, >> I have no clue. Another thing that is bazaar, is I have a few domains >> working with no problems, its just this one......... It does have a >> route rule in Communigate, but how would that affect >> anything...................... If I take those stupid RPFD: out from >> those .bad files, and copy them to .sub, communigate pushes the files. > > Perhaps you should try a mailing list for communicate users? This > doesn't sound like any symptom I've seen anyone report on this list - > so > its probably a Communigate issue. You could try ruling out MailScanner > by taking it out of the mix temporarily. > > It's related to the glue scripts I wrote between CommuniGate Pro and MailScanner. IIRC, it's caused when MailScanner is generating its own messages. I have a fix for it that I'm putting out in the next couple days. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030721/0c0f87b0/attachment.html From vboulytchev at COINFOTECH.COM Mon Jul 21 17:27:14 2003 
From: vboulytchev at COINFOTECH.COM (Boulytchev, Vasiliy)
Date: Thu Jan 12 21:19:00 2006
Subject: Restarting the MailScanner process.
Message-ID: <1958DE295D9656499ECAAD3642822DE0033FAD@willow.office.coinfotech.com>

Here is a way you can quickly kill Mailscanner.

1.) Copy check_mailscanner (I hope I'm right on the filename) to kill_mailscanner.

2.) Change to reflect this:

    else
      if [ "x$1" != "x-q" ]; then
        echo MailScanner running with pid $pid
        kill $pid
      fi

3.) Run check_mailscanner.

I hope I'm making sense to you guys, if not email me back.

Vasiliy Boulytchev
Colorado Information Technologies Inc.
(719) 473-2800 x15

-----Original Message-----
From: Nick Phillips [mailto:nwp@LEMON-COMPUTING.COM]
Sent: Saturday, July 19, 2003 9:18 AM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Restarting the MailScanner process.

On Thu, Jul 17, 2003 at 02:09:42PM +0100, Will Mc Donald wrote:
> Guys,
>
> hopefully a quickie here. I've just modified my MailScanner.conf to look at a rule to allow HTML tags FromOrTo just one specific address.
>
> We're running MailScanner-4.22-4 from the tarball distribution and I just wanted to know what's the quickest, safest way to restart to reread that config? Can I just kill -1 the PPID? Or do I kill the process and its children then run check_mailscanner again?

Why not try the former? It should work...

Cheers,

Nick
--
Nick Phillips -- nwp@lemon-computing.com
Perfect day for scrubbing the floor and other exciting things.

From michele at BLACKNIGHTSOLUTIONS.COM Mon Jul 21 19:04:20 2003
From: michele at BLACKNIGHTSOLUTIONS.COM (Michele Neylon:: Blacknight Solutions) Date: Thu Jan 12 21:19:00 2006 Subject: Panda Software Command line update script from Panda support. In-Reply-To: <3EA1A302A4978A4C970D2C63F327156E012EEFB8@worc-mail2.int.morganco.com> Message-ID: <200307211803.h6LI3Aw22615@camelot.blacknightsolutions.com> So how did you manage to get a reply from them? What was your trick? (Thanks for the script!!) ######################################################### This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance to it is prohibited. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030721/9fbbb269/attachment.html From HancockS at MORGANCO.COM Mon Jul 21 21:00:51 2003 From: HancockS at MORGANCO.COM (Hancock, Scott) Date: Thu Jan 12 21:19:01 2006 Subject: Panda Software Command line update script from Panda support. Message-ID: <3EA1A302A4978A4C970D2C63F327156ED54388@worc-mail2.int.morganco.com> I was ready for a fight that never came. I did threaten to cancel payment in the subject of my initial email. I didn't see Julian's post until after I bought the software (in a bit of haste I might add). I'm really not qualified to write or mess with the MailScanner wrapper. I'm hoping some one could post an updated wrapper based on the tech support script. An English version would be a bonus too. If I remember the wrapper is necessary to pause the mailscanner while the sig files download and update. -Scott -----Original Message----- 
From: Michele Neylon:: Blacknight Solutions [mailto:michele@BLACKNIGHTSOLUTIONS.COM]
Sent: Monday, July 21, 2003 2:04 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Panda Software Command line update script from Panda support.

So how did you manage to get a reply from them? What was your trick?
(Thanks for the script!!)

_____

This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited.

From kwang at UCALGARY.CA Mon Jul 21 21:57:05 2003
From: kwang at UCALGARY.CA (Kai Wang)
Date: Thu Jan 12 21:19:01 2006
Subject: check Spam rules before install them
Message-ID: <3F1C53A1.7040307@ucalgary.ca>

Hi All,

We just had a problem yesterday. We have 4 machines running MailScanner. We synchronize the spam rules among them. One of our administrators made a syntax error in the spam rules and it was installed to the four machines. All of a sudden, the 4 machines' MailScanner processes became defunct. It took me a while to figure the problem out. Could we have a syntax checker later to prevent this from happening?

Jul 20 17:13:16 XXXX MailScanner[5632]: Syntax error in first field in line 3000 of ruleset /etc/MailScanner/rules/spam.blacklist.rules
Jul 20 17:13:16 XXXX MailScanner[5632]: Aborting due to syntax errors in /etc/MailScanner/rules/spam.blacklist.rules.

Kai Wang

From mkettler at EVI-INC.COM Mon Jul 21 22:11:17 2003
From: mkettler at EVI-INC.COM (Matt Kettler) Date: Thu Jan 12 21:19:01 2006 Subject: check Spam rules before install them In-Reply-To: <3F1C53A1.7040307@ucalgary.ca> Message-ID: <5.2.1.1.0.20030721171035.0192f978@xanadu.evi-inc.com> At 02:57 PM 7/21/2003 -0600, Kai Wang wrote: >Jul 20 17:13:16 XXXX MailScanner[5632]: Syntax error in first field in >line 3000 of ruleset /etc/MailScanner/rules/spam.blacklist.r >ules >Jul 20 17:13:16 XXXX MailScanner[5632]: Aborting due to syntax errors in >/etc/MailScanner/rules/spam.blacklist.rules. Whoops, apparently I didn't read far enough.. Those really are MailScanner rules.. my bad. More coffee for me. From mkettler at EVI-INC.COM Mon Jul 21 22:10:07 2003 From: mkettler at EVI-INC.COM (Matt Kettler) Date: Thu Jan 12 21:19:01 2006 Subject: check Spam rules before install them In-Reply-To: <3F1C53A1.7040307@ucalgary.ca> Message-ID: <5.2.1.1.0.20030721170802.01921be8@xanadu.evi-inc.com> At 02:57 PM 7/21/2003 -0600, Kai Wang wrote: >We just had a problem yesterday. We have 4 machines running MailScanner. >We synchronize the spam rules among them. One of our administrator made >a syntax error in the spam rules and it was installed to the four machines. >All in the sudden, the 4 machines' MailScanner processes became defunct. >It took me a while to figure the problem out. Could we have a syntax checker >later to prevent this from happening? I assume by "spam rule" you mean a SpamAssassin rule. If so, this is really a SA issue, not a MailScanner issue. However SpamAssassin has had a built-in syntax checker since 2.4x, you just need to bother to use it. spamassassin --lint From jrudd at UCSC.EDU Mon Jul 21 23:37:12 2003 
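One way to catch the mistake from the "check Spam rules before install them" thread before a ruleset is copied to the other machines, as an added example (not MailScanner's own parser and not code from the thread). It assumes the three-field `Direction: pattern value` layout with the direction keywords From, To, FromOrTo, FromAndTo and Virus; the function names and the sample rules are constructed for illustration.

```python
import os
import tempfile

# Assumption: ruleset lines have the form "Direction: pattern value", where
# Direction is one of these keywords (case-insensitive, colon optional).
DIRECTIONS = {"from", "to", "fromorto", "fromandto", "virus"}


def lint_ruleset(text):
    """Return [(line_number, problem), ...]; an empty list means clean."""
    problems = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and whole-line comments carry no rule
        fields = line.split(None, 2)
        direction = fields[0].rstrip(":").lower()
        if direction not in DIRECTIONS:
            problems.append((lineno, "first field %r is not a direction" % fields[0]))
            continue
        if len(fields) < 3:
            problems.append((lineno, "expected direction, pattern and value"))
            continue
        pattern = fields[1]
        if pattern.startswith("/") and (len(pattern) < 2 or not pattern.endswith("/")):
            problems.append((lineno, "regular-expression pattern lacks closing '/'"))
    return problems


def install_if_clean(candidate_text, live_path):
    """Replace live_path only when the candidate lints clean.

    The candidate is written beside the live file and renamed over it, so a
    scanner reading the ruleset never sees a half-written file.
    """
    problems = lint_ruleset(candidate_text)
    if problems:
        return problems  # live ruleset left exactly as it was
    tmp_path = live_path + ".new"
    with open(tmp_path, "w", encoding="utf-8") as handle:
        handle.write(candidate_text)
    os.replace(tmp_path, live_path)
    return []


# Constructed sample rulesets (not taken from the thread).
GOOD_RULES = """\
# spam blacklist
From:     spammer@example.com   yes
From:     *@bulk.example.net    yes
FromOrTo: default               no
"""

BAD_RULES = """\
# spam blacklist
From:     spammer@example.com   yes
Form:     *@bulk.example.net    yes
From:     /\\.example\\.org$     yes
FromOrTo: default
"""


def demo():
    """Install GOOD_RULES, then try BAD_RULES, in a scratch directory."""
    with tempfile.TemporaryDirectory() as scratch:
        live = os.path.join(scratch, "spam.blacklist.rules")
        first = install_if_clean(GOOD_RULES, live)
        second = install_if_clean(BAD_RULES, live)
        with open(live, encoding="utf-8") as handle:
            still_live = handle.read()
    return first, second, still_live


if __name__ == "__main__":
    _, rejected, _ = demo()
    for lineno, problem in rejected:
        print("line %d: %s" % (lineno, problem))
```

Run on the machine where the ruleset is edited, a check like this keeps a typo from reaching every scanner at once; a rejected candidate leaves the previously installed file in place.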
From: jrudd at UCSC.EDU (John Rudd) Date: Thu Jan 12 21:19:01 2006 Subject: CommuniGate Pro - MailScanner update Message-ID: <3F1C6B18.87206DFE@ucsc.edu> I have made an update to my scripts for using MailScanner with CommuniGate Pro. I have also updated the text of the CommuniGate Pro rule instructions (the Execute rule no longer needs the [RETPATH] nor [RCPT] options). This should change the problem some people noticed with ".bad" files showing up in the CommuniGate Pro Queue directory, due to "RPFD:" being prepended to sender's addresses. This shouldn't happen any more. You can get the new scripts and information from: http://people.ucsc.edu/~jrudd/MailScanner If you have any questions, or notice any new bugs, please let me know. (And be sure to edit your path to perl in the first line of each script; it changed in the downloads because my testing platform changed from Solaris to Linux) John Rudd (ps: one person has mentioned that they see some messages being cross delivered, but I haven't had anyone else mention this problem to me, nor have I seen it on my own servers; if you do see such a behavior, please let me know right away, and try to give me plenty of context information) From Q.G.Campbell at NEWCASTLE.AC.UK Tue Jul 22 09:00:43 2003 
From: Q.G.Campbell at NEWCASTLE.AC.UK (Quentin Campbell)
Date: Thu Jan 12 21:19:01 2006
Subject: Attachment vs Striphtml for tagged messages
Message-ID: <52E50E4D595DDE4D861117A1FB62E79DC00695@bond.ncl.ac.uk>

We are running with the latest MailScanner (and SpamAssassin) releases and are evaluating with a small group of users the use of the "attachment" option for messages tagged as spam. The rest of our users see the "striphtml" behaviour.

We expected that only spam messages with an HTML body would have the original body moved into an attachment while spam messages with a non-HTML body would be left as they were.

We are finding that _most_ tagged spam messages, even when they appear to have no HTML, have the message body moved to an attachment.

A few tagged messages however do not have the body moved into an attachment but these messages appear to be no different to some that do have the body moved into an attachment.

What criteria decides which tagged message has its body moved unchanged into an attachment (and the body replaced with a warning text) and which has its body left as received?

What we really want is for the attachment option to do:

    if [ message body is HTML or dangerous ]
    then
        move body unchanged into an attachment
    else
        # all text-only messages should get here...
        leave message body as received
    fi

This means that any text-only message that is wrongly tagged as spam will still be readable without having to open an attachment.

As a BTW we note that the "attachment" option works well with Outlook, Pine, Pegasus, etc, but in the case of Eudora the attachment is opened automatically when the message body is read. This is precisely the opposite of what is wanted. It may well be a configurable behaviour on Eudora but we haven't found the option yet!

Quentin
---
PHONE: +44 191 222 8209    Computing Service, University of Newcastle
FAX: +44 191 222 8765    Newcastle upon Tyne, United Kingdom, NE1 7RU.
------------------------------------------------------------------------ "Any opinion expressed above is mine. The University can get its own." From zen23003 at ZEN.CO.UK Tue Jul 22 09:55:37 2003 From: zen23003 at ZEN.CO.UK (Paul) Date: Thu Jan 12 21:19:01 2006 Subject: Change request - prohibited vs infected Message-ID: <026601c3502f$055cf910$6a0110ac@sbsplc.com> Various file types are listed in filetype.rules.conf. The problem I have is that these files trigger a virus warning message when in fact these are simply prohibited file types. So too, the message header gets "X-MailScanner: Found to be infected" inserted into it. The same is true of prohibited file names (as specified in filename.rules.conf). What brought this to my attention was the default ban on movie files in filetype.rules.conf . These, unlike .pif, .scr and .exe etc are rarely infected. What I'd like to have is the ability to specify a different value for "X-MailScanner:" for prohibited file types and names, eg, "Prohibited file type" and "Prohibited file name". From sylvain.phaneuf at IMSU.OXFORD.AC.UK Tue Jul 22 10:08:48 2003 From: sylvain.phaneuf at IMSU.OXFORD.AC.UK (Sylvain Phaneuf) Date: Thu Jan 12 21:19:01 2006 Subject: silent viruses Message-ID: Hi, Reading some old posts, I saw that some people have very few entries in their Silent Viruses line in MailScanner.conf I am probably wrong here, so please tell meif I need all the entries like Yaha-A Yaha-B Yaha-C Yaha-D Yaha-E Yaha-J or would simply Yaha would do? Thanks in advance, Sylvain =========================================================== Sylvain Phaneuf --- Computing Manager | phone : +44 (0)1865 221323 Information Management Services Unit - Medical Sciences Division Oxford University | email : sylvain.phaneuf@imsu.ox.ac.uk Room 3A25B John Radcliffe Hospital | fax : +44 (0) 1865 221322 Oxford OX3 9DU England =========================================================== From sylvain.phaneuf at IMSU.OXFORD.AC.UK Tue Jul 22 10:18:47 2003 
From: sylvain.phaneuf at IMSU.OXFORD.AC.UK (Sylvain Phaneuf) Date: Thu Jan 12 21:19:01 2006 Subject: blocking messages with tags Message-ID: Hi everyone, I have upgraded MS to 4.22-5 last week, and selected to block messages containing form tags. I am quite puzzled to see how many messages we have stopped because of that. It seems that a lot of genuine mail is coming with those form tags, e.g. from medical /scientific abstract services. I haven't got a clue how dangerous can these forms be. Should I continue stopping these messages? I noticed that a few services seem to know that their messages are likely to be stopped, they have the following line in plain text at the top of the message: ""If you cannot view this email, please copy and paste the following link into your browser: http://master.emedicine.com/email/radio23.html"" Thanks in advance for sharing your opinions. Sylvain =========================================================== Sylvain Phaneuf --- Computing Manager | phone : +44 (0)1865 221323 Information Management Services Unit - Medical Sciences Division Oxford University | email : sylvain.phaneuf@imsu.ox.ac.uk Room 3A25B John Radcliffe Hospital | fax : +44 (0) 1865 221322 Oxford OX3 9DU England =========================================================== From dot at DOTAT.AT Tue Jul 22 10:16:58 2003 
From: dot at DOTAT.AT (Tony Finch)
Date: Thu Jan 12 21:19:01 2006
Subject: silent viruses
In-Reply-To:
Message-ID:

Sylvain Phaneuf wrote:
>
>I am probably wrong here, so please tell me if I need all the entries
>like
>Yaha-A Yaha-B Yaha-C Yaha-D Yaha-E Yaha-J
>or would simply Yaha would do?

Just Yaha will do since MailScanner matches it against any substring in the virus scanner's report.

I use McAfee, and my Silent Viruses list is Badtrans Braid Bugbear Colevo Fizzer Ganda Gibe Hybris Klez Korvar Lirva Lovgate Magistr Nimda Sircam Sobig Yaha.

I have a note about aliases for viruses: Palyh=Sobig WinEvar=Korvar

Tony.
--
f.a.n.finch http://dotat.at/
LYME REGIS TO LANDS END INCLUDING THE ISLES OF SCILLY: WEST TO SOUTHWEST 3 OR 4, INCREASING SOUTHWEST 4 OR 5 PERHAPS 6 LATER IN THE WEST. ISOLATED SHOWERS, CHIEFLY IN THE AFTERNOON, OTHERWISE MAINLY FAIR BUT SOME RAIN ON WEDNESDAY. GOOD OCCASIONALLY MODERATE BECOMING GENERALLY MODERATE LATER. SLIGHT TO MODERATE BUILDING MODERATE IN THE WEST.

From joan.bryan at KCL.AC.UK Tue Jul 22 10:32:53 2003
From: joan.bryan at KCL.AC.UK (Joan Bryan)
Date: Thu Jan 12 21:19:01 2006
Subject: silent viruses
In-Reply-To:
References:
Message-ID:

Sylvain

On Tue, 22 Jul 2003 10:08:48 +0100 Sylvain Phaneuf wrote:

> Hi,
>
> Reading some old posts, I saw that some people have very few entries
> in their Silent Viruses line in MailScanner.conf
>
> I am probably wrong here, so please tell me if I need all the entries
> like
> Yaha-A Yaha-B Yaha-C Yaha-D Yaha-E Yaha-J
> or would simply Yaha would do?
>

Yaha will do. Here is my list of Silent viruses, but be aware some are named differently by different anti virus vendors.

Silent Viruses = Bugbear Braid Elkern Fizzer Ganda Holar Klez Korvar Livra Pate PornDial Sobig WinEvar Yaha

Joan

From raymond at PROLOCATION.NET Tue Jul 22 11:03:57 2003
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:19:01 2006 Subject: silent viruses In-Reply-To: Message-ID: Hi! > Yaha-A Yaha-B Yaha-C Yaha-D Yaha-E Yaha-J > or would simply Yaha would do? It will match the string, so Yaha would catch all of the above. Bye, Raymond. From dot at DOTAT.AT Tue Jul 22 10:57:23 2003 From: dot at DOTAT.AT (Tony Finch) Date: Thu Jan 12 21:19:01 2006 Subject: silent viruses In-Reply-To: References: Message-ID: Joan Bryan wrote: > >Silent Viruses = Bugbear Braid Elkern Fizzer Ganda Holar Klez Korvar Livra Pate >PornDial Sobig WinEvar Yaha I'm interested that you've included Pate and PornDial which aren't mass-mailing worms -- and Pate in particular can be disinfected. Elkern turns up with Klez but isn't itself a mass-mailing worm, so listing Klez should deal with it. Tony. -- f.a.n.finch http://dotat.at/ LOUGH FOYLE TO CARLINGFORD LOUGH: SOUTHWEST TO WEST 3 OR 4 LOCALLY 4 OR 5, BACKING SOUTH TO SOUTHEAST 4 OR 5 LOCALLY 6. ISOLATED SHOWERS, CHIEFLY IN THE AFTERNOON, RAIN TONIGHT AND ON WEDNESDAY MORNING. GOOD OCCASIONALLY MODERATE BECOMING GENERALLY MODERATE LATER. SLIGHT TO MODERATE. From sylvain.phaneuf at IMSU.OXFORD.AC.UK Tue Jul 22 11:09:48 2003 From: sylvain.phaneuf at IMSU.OXFORD.AC.UK (Sylvain Phaneuf) Date: Thu Jan 12 21:19:01 2006 Subject: silent viruses Message-ID: Thanks all for the info. My list contains more now but is shorter... Sylvain >>> raymond@PROLOCATION.NET 22/07/2003 11:03:57 >>> Hi! > Yaha-A Yaha-B Yaha-C Yaha-D Yaha-E Yaha-J > or would simply Yaha would do? It will match the string, so Yaha would catch all of the above. Bye, Raymond. From Q.G.Campbell at NEWCASTLE.AC.UK Tue Jul 22 11:53:41 2003 From: Q.G.Campbell at NEWCASTLE.AC.UK (Quentin Campbell) Date: Thu Jan 12 21:19:01 2006 Subject: blocking messages with tags Message-ID: <74BC2BBF06470148911E64E2B48FE139049923@pinewood.ncl.ac.uk> > -----Original Message----- 
> From: Sylvain Phaneuf [mailto:sylvain.phaneuf@IMSU.OXFORD.AC.UK] > Sent: 22 July 2003 10:19 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: blocking messages with tags > > > Hi everyone, > > I have upgraded MS to 4.22-5 last week, and selected to block > messages containing form tags. I am quite puzzled to see how > many messages we have stopped because of that. It seems that > a lot of genuine mail is coming with those form tags, e.g. > from medical /scientific abstract services. > > I haven't got a clue how dangerous can these forms be. Should > I continue stopping these messages? I noticed that a few > services seem to know that their messages are likely to be > stopped, they have the following line in plain text at the > top of the message: ""If you cannot view this email, please > copy and paste the following link into your browser: > http://master.emedicine.com/email/radio23.html> "" > Sylvain This site receives 1,000+ messages per day containing form tags, most of it in spam. However we had to switch forms blocking off because it was causing so many problems for recipients of genuine list traffic from professional sources such as academic news letters, alerting services, etc. In addition I discovered that our Admissions 0ffice sends out applications to Post Graduate enquirers as "forms" in e-mail. However it should be possible to use a ruleset to exempt local outgoing traffic from the block. Forms can be used in scams to harvest personal information from unsuspecting recipients. If the form is presented immediately the e-mail is opened then it is considered preferable to trying to encourage the recipient to click on a link in an e-mail. Quentin --- PHONE: +44 191 222 8209 Computing Service, University of Newcastle FAX: +44 191 222 8765 Newcastle upon Tyne, United Kingdom, NE1 7RU. ------------------------------------------------------------------------ "Any opinion expressed above is mine. The University can get its own." 
From joan.bryan at KCL.AC.UK Tue Jul 22 12:02:13 2003 From: joan.bryan at KCL.AC.UK (Joan Bryan) Date: Thu Jan 12 21:19:01 2006 Subject: silent viruses In-Reply-To: References: Message-ID: Tony On Tue, 22 Jul 2003 10:57:23 +0100 Tony Finch wrote: > Joan Bryan wrote: > > > >Silent Viruses = Bugbear Braid Elkern Fizzer Ganda Holar Klez Korvar Livra Pate > >PornDial Sobig WinEvar Yaha > > I'm interested that you've included Pate and PornDial which aren't mass-mailing > worms -- and Pate in particular can be disinfected. Elkern turns up with Klez > but isn't itself a mass-mailing worm, so listing Klez should deal with it. Pate was spoofing the address of support@microsoft.com so we didn't want to send out replies to this. We were being spammed a lot with PordDialer and we did not want to reply to this hence the reason for adding it to the silent viruses list. Joan From ctrudeau at BELLSOUTH.NET Tue Jul 22 12:26:16 2003 
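The substring matching and the alias note discussed in the "silent viruses" thread above, as an added example (not MailScanner's code). It assumes a case-insensitive substring test of each configured name against each line of scanner output; the report lines, the function names and the notify decision are constructed for illustration, while the name list and aliases are the ones posted in the thread.

```python
# Assumption: a name is "silent" for a message when it occurs anywhere,
# ignoring case, in any line of the virus scanner's report.

TONY_SETTING = ("Silent Viruses = Badtrans Braid Bugbear Colevo Fizzer Ganda "
                "Gibe Hybris Klez Korvar Lirva Lovgate Magistr Nimda Sircam "
                "Sobig Yaha")

# Vendor aliases as noted in the thread: alias -> name already on the list.
ALIASES = {"Palyh": "Sobig", "WinEvar": "Korvar"}

# Constructed report lines, one list per message.
REPORT_YAHA = ["ScannerA: ./msg1/setup.scr infected: W32/Yaha-E@mm"]
REPORT_PALYH = ["ScannerB: ./msg2/movie.pif infected: W32/Palyh-A"]
REPORT_MACRO = ["ScannerA: ./msg3/report.doc infected: WM97/Example-Macro"]


def parse_silent(setting):
    """Split a 'Silent Viruses = A B C' line (or a bare value) into names."""
    value = setting.split("=", 1)[1] if "=" in setting else setting
    return value.split()


def expand_aliases(names, aliases):
    """Append each alias whose canonical name is listed but which is not."""
    expanded = list(names)
    have = {name.lower() for name in names}
    for alias, canonical in aliases.items():
        if canonical.lower() in have and alias.lower() not in have:
            expanded.append(alias)
            have.add(alias.lower())
    return expanded


def silent_hits(report_lines, names):
    """Return {name: [report lines containing it]} for every name that hit."""
    hits = {}
    for line in report_lines:
        lowered = line.lower()
        for name in names:
            if name.lower() in lowered:
                hits.setdefault(name, []).append(line)
    return hits


def should_notify_sender(report_lines, names):
    """Example policy: warn the sender only when no silent name matched."""
    return not silent_hits(report_lines, names)


if __name__ == "__main__":
    listed = parse_silent(TONY_SETTING)
    for label, report in (("Yaha-E", REPORT_YAHA), ("Palyh-A", REPORT_PALYH)):
        print(label, "notify sender:", should_notify_sender(report, listed))
    widened = expand_aliases(listed, ALIASES)
    print("Palyh-A after aliases:", should_notify_sender(REPORT_PALYH, widened))
```

The Palyh case shows why the alias note matters: a family name only suppresses sender warnings for scanners that report the worm under that name, so a scanner that calls it Palyh needs that name on the list as well.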
From: ctrudeau at BELLSOUTH.NET (Chris Trudeau) Date: Thu Jan 12 21:19:01 2006 Subject: InfoSecurity show Message-ID: On Tue, 29 Apr 2003 21:52:47 +0100, Julian Field wrote: >At 21:42 29/04/2003, you wrote: >>FWIW The main argument I hear for moving to a commercial product is the >>'content filtering' that some of the commercial products claim to do. >>The main reasons for this being HR & legal related (not just porn but >>also profanity, and prevention of information leakage - quite how that >>could be achieved with any degree or certainty). I know all about the >>striphtml action, but that alone isn't seen as being enough. The other >>'essential requirement' of a content filtering is detailed reporting. > >General content filtering (be it for reporting or replacement) is one of my >next big things to implement. Then writing a simple keyword-spotter will be >dead easy. > >As for the detailed reporting, that will come with a keyword-spotting >content filter. Just wondering...has any progress been made on this? My need is really more focused toward being able to FULLY stop PROFANE language inbound or outbound for several domains...so a rules based approach makes my life VERY easy. Thanks for great software all! CT From ctrudeau at BELLSOUTH.NET Tue Jul 22 12:33:11 2003 From: ctrudeau at BELLSOUTH.NET (Chris Trudeau) Date: Thu Jan 12 21:19:01 2006 Subject: SA rules? Message-ID: All, probably answered in the past...but am unable to find search paramters that return anything of value...probably just me...here goes. I was wondering if the spam.assassin.prefs.conf can be a rules file that points to seperate spamassassin configurations based on FromOrTo directives....the reason I'm asking is that this would allow completely seperate SA rules per domain if I wanted to host several domains... THNX CT From denis at CROOMBS.ORG Tue Jul 22 13:21:28 2003 
From: denis at CROOMBS.ORG (Denis Croombs) Date: Thu Jan 12 21:19:01 2006 Subject: Rejected e-mail Any Clues ? Message-ID: <004401c3504b$c73fc3c0$85b8fea9@Laptop> An e-mail was rejected by 1 of my servers currently running MailScanner (latest version) and SpamAssassin 2.55 on a redhat 7.3 system with Sendmail, The returned e-mail is:- -----Original Message----- From: Info Avenue Internet Services [mailto:postmaster@InfoAve.Net] Sent: Monday, July 21, 2003 5:16 AM To: spw0082@xxxxxx.com Subject: Delivery Notification: Delivery has failed This report relates to a message you sent with the following header fields: Message-id: Date: Mon, 21 Jul 2003 06:15:49 -0400 
From: Steve spw0082@xxxxxx.com To: Julie julie@yyyyyy.com Subject: Meeting Your message cannot be delivered to the following recipients: Recipient address: julie@yyyyyy.com Reason: Server rejected MAIL FROM address. Diagnostic code: smtp;550 5.7.1 Access denied Remote system: dns;mail.yyyyyy.com (TCP|165.166.0.28|58988|217.199.181.62|25) Action: failed Status: 5.0.0 (Server rejected MAIL FROM address.) Original-recipient: rfc822;julie@yyyyyy.com Final-recipient: rfc822;julie@yyyyyy.com Remote-MTA: dns;mail.yyyyyy.com (TCP|165.166.0.28|58988|217.199.181.62|25) Diagnostic-code: smtp;550 5.7.1 Access denied **************End of returned message***************** In my sendmail (maillog) I have the following which are the only entries relating to the incoming domain & this e-mail address:- Jul 21 10:47:03 ns sendmail[22305]: h6L9l3322305: ruleset=check_relay, arg1=smtp03.infoave.net, arg2=165.166.0.28, relay=smtp03.infoave.net [165.166.0.28], reject=550 5.7.1 Access denied Jul 21 10:47:04 ns sendmail[22305]: NOQUEUE: smtp03.infoave.net [165.166.0.28] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA Jul 21 16:46:41 ns sendmail[5948]: h6LFke305948: from=, size=70816, class=0, nrcpts=1, msgid=, delay=00:00:00, mailer=virthostmail, pri=100816, stat=queued Jul 21 16:46:42 ns MailScanner[31907]: New Batch: Scanning 1 messages, 71369 bytes Jul 21 16:46:42 ns MailScanner[31907]: Spam Checks: Starting Jul 21 16:46:44 ns MailScanner[31907]: Virus and Content Scanning: Starting Jul 21 16:46:44 ns MailScanner[31907]: Uninfected: Delivered 1 messages Jul 21 16:46:44 ns virthostmail[5956]: Chrooting to /home/virtual/site3/fst Jul 21 16:46:44 ns sendmail[5958]: h6LFkiO05958: from=, size=71279, class=0, nrcpts=1, msgid=, delay=00:00:03, xdelay=00:00:00, mailer=virthostmail, pri=190816, relay=yyyyyy.com, dsn=2.0.0, stat=Sent (h6LFkiO05958 Message accepted for delivery) Jul 21 16:46:44 ns sendmail[5959]: h6LFkiO05958: to=, delay=00:00:00, xdelay=00:00:00, mailer=local, 
pri=100014, dsn=2.0.0, stat=Sent All clues very welcome Denis From rscarano at targetsis.com.br Tue Jul 22 13:49:41 2003 
From: rscarano at targetsis.com.br (Rodrigo Scarano)
Date: Thu Jan 12 21:19:01 2006
Subject: RES: blocking messages with tags
In-Reply-To:
Message-ID: <000001c3504f$bac1b000$6900000a@targetsis.com.br>

Sylvain,

I use Allow IFrame Tags = yes and Allow Object Codebase Tags = yes, but the line Convert Dangerous HTML To Text is set to yes. I guess I'm secure with this.

Regards,

Rodrigo Scarano
Target Sistemas
http://www.targetsis.com.br/
rscarano@targetsis.com.br

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On behalf of Sylvain Phaneuf
Sent: Tuesday, 22 July 2003 06:19
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: blocking messages with tags

Hi everyone,

I have upgraded MS to 4.22-5 last week, and selected to block messages containing form tags. I am quite puzzled to see how many messages we have stopped because of that. It seems that a lot of genuine mail is coming with those form tags, e.g. from medical /scientific abstract services.

I haven't got a clue how dangerous can these forms be. Should I continue stopping these messages? I noticed that a few services seem to know that their messages are likely to be stopped, they have the following line in plain text at the top of the message: ""If you cannot view this email, please copy and paste the following link into your browser: http://master.emedicine.com/email/radio23.html""

Thanks in advance for sharing your opinions.

Sylvain

===========================================================
Sylvain Phaneuf --- Computing Manager | phone : +44 (0)1865 221323
Information Management Services Unit - Medical Sciences Division
Oxford University | email : sylvain.phaneuf@imsu.ox.ac.uk
Room 3A25B John Radcliffe Hospital | fax : +44 (0) 1865 221322
Oxford OX3 9DU England
===========================================================

From mikea at MIKEA.ATH.CX Tue Jul 22 14:08:52 2003
From: mikea at MIKEA.ATH.CX (mikea)
Date: Thu Jan 12 21:19:01 2006
Subject: Rejected e-mail Any Clues ?
In-Reply-To: <004401c3504b$c73fc3c0$85b8fea9@Laptop>; from denis@CROOMBS.ORG on Tue, Jul 22, 2003 at 01:21:28PM +0100
References: <004401c3504b$c73fc3c0$85b8fea9@Laptop>
Message-ID: <20030722080852.A12935@mikea.ath.cx>

On Tue, Jul 22, 2003 at 01:21:28PM +0100, Denis Croombs wrote:
> An e-mail was rejected by 1 of my servers currently running MailScanner
> (latest version) and SpamAssassin 2.55 on a redhat 7.3 system with Sendmail,
>
> The returned e-mail is:-
>
> -----Original Message-----
> From: Info Avenue Internet Services [mailto:postmaster@InfoAve.Net]
> Sent: Monday, July 21, 2003 5:16 AM
> To: spw0082@xxxxxx.com
> Subject: Delivery Notification: Delivery has failed
>
>
> This report relates to a message you sent with the following header fields:
>
> Message-id:
>
> AAAAiwmE/lx1vUuurCT2KKM2VAEAAAAA@xxxxxx.com>
> Date: Mon, 21 Jul 2003 06:15:49 -0400
> From: Steve spw0082@xxxxxx.com
> To: Julie julie@yyyyyy.com
> Subject: Meeting
>
> Your message cannot be delivered to the following recipients:
>
> Recipient address: julie@yyyyyy.com
> Reason: Server rejected MAIL FROM address.
> Diagnostic code: smtp;550 5.7.1 Access denied
> Remote system: dns;mail.yyyyyy.com
> (TCP|165.166.0.28|58988|217.199.181.62|25)
>
> Action: failed
> Status: 5.0.0 (Server rejected MAIL FROM address.)
> Original-recipient: rfc822;julie@yyyyyy.com
> Final-recipient: rfc822;julie@yyyyyy.com
> Remote-MTA: dns;mail.yyyyyy.com (TCP|165.166.0.28|58988|217.199.181.62|25)
> Diagnostic-code: smtp;550 5.7.1 Access denied
>
> **************End of returned message*****************
>
> In my sendmail (maillog) I have the following which are the only entries
> relating to the incoming domain & this e-mail address:-
>
> Jul 21 10:47:03 ns sendmail[22305]: h6L9l3322305: ruleset=check_relay,
> arg1=smtp03.infoave.net, arg2=165.166.0.28, relay=smtp03.infoave.net
> [165.166.0.28], reject=550 5.7.1 Access denied
> Jul 21 10:47:04 ns sendmail[22305]: NOQUEUE: smtp03.infoave.net
> [165.166.0.28] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA

[snip]

This looks *very* much like mail service being denied because of an
entry in the /etc/mail/access.db database. The maillog lines above
are pretty much diagnostic for that.

Here is a similar log line pair for rejection of an SMTP connection
because of an access.db entry here:

Jul 15 08:16:42 mikea sendmail[67639]: h6FDGSS8067639:
from=, size=4398, class=0, nrcpts=1,
msgid=<7t--$9-3$1$x0y$r$$n$weh$6@9gx.6.fih>, proto=SMTP,
daemon=MTA, relay=MG097004084.user.veloxzone.com.br [200.97.4.84]
Jul 15 14:47:10 mikea sendmail[69568]: ruleset=check_relay,
arg1=MG020198.user.veloxzone.com.br, arg2=200.165.20.198,
relay=MG020198.user.veloxzone.com.br [200.165.20.198],
reject=550 5.7.1:Comite Gestor da Internet no Brasil
not permitted to do SMTP here.

--
Mike Andrews
mikea@mikea.ath.cx
Tired old sysadmin since 1964

From rscarano at targetsis.com.br Tue Jul 22 14:09:09 2003
From: rscarano at targetsis.com.br (Rodrigo Scarano)
Date: Thu Jan 12 21:19:01 2006
Subject: Delete Old McAfee Dats
Message-ID: <000101c35052$7118d8e0$6900000a@targetsis.com.br>

Hello all

I use MS with McAfee and I have a simple question.
The auto-update-script creates a new directory for the new dat (when it
finds one on ftp) and keeps the old dats for backup. I think I can delete
these old dat directories with some frequency. Is that correct ???

Regards,

Rodrigo Scarano
Target Sistemas
http://www.targetsis.com.br/
rscarano@targetsis.com.br

From jaearick at COLBY.EDU Tue Jul 22 14:14:56 2003
From: jaearick at COLBY.EDU (Jeff A. Earickson)
Date: Thu Jan 12 21:19:01 2006
Subject: extra garbage in Mailscanner syslog lines
Message-ID:

Hi,

Does anybody else see numbers or other garbage in their syslog
output from MailScanner? Example:

Jul 22 09:02:12 basalt <22>MailScanner[20750]: Spam Checks: Starting
                       ^^^^

I'm using MS 4.22-5 on a Solaris 9 system. I moved our email from
a Solaris 8 system this weekend, that box didn't have the extra
numbers in the syslog output (same version of MS). Any clue how
to clean this up?

--- Jeff Earickson

From denis at CROOMBS.ORG Tue Jul 22 14:25:14 2003
From: denis at CROOMBS.ORG (Denis Croombs)
Date: Thu Jan 12 21:19:01 2006
Subject: Rejected e-mail Any Clues ?
References: <004401c3504b$c73fc3c0$85b8fea9@Laptop> <20030722080852.A12935@mikea.ath.cx>
Message-ID: <006801c35054$afd7db60$85b8fea9@Laptop>

Hi Mike

Thanks for that, I had checked that, and neither the ISP nor the xxxxxx.com
domain is listed for rejection.

Denis

----- Original Message -----
From: "mikea"
To:
Sent: Tuesday, July 22, 2003 2:08 PM
Subject: Re: Rejected e-mail Any Clues ?

> On Tue, Jul 22, 2003 at 01:21:28PM +0100, Denis Croombs wrote:
> > An e-mail was rejected by 1 of my servers currently running MailScanner
> > (latest version) and SpamAssassin 2.55 on a redhat 7.3 system with Sendmail,
> >
> > The returned e-mail is:-
> >
> > -----Original Message-----
> > From: Info Avenue Internet Services [mailto:postmaster@InfoAve.Net]
> > Sent: Monday, July 21, 2003 5:16 AM
> > To: spw0082@xxxxxx.com
> > Subject: Delivery Notification: Delivery has failed
> >
> >
> > This report relates to a message you sent with the following header fields:
> >
> > Message-id:
> >
> > > AAAAiwmE/lx1vUuurCT2KKM2VAEAAAAA@xxxxxx.com>
> > Date: Mon, 21 Jul 2003 06:15:49 -0400
> > From: Steve spw0082@xxxxxx.com
> > To: Julie julie@yyyyyy.com
> > Subject: Meeting
> >
> > Your message cannot be delivered to the following recipients:
> >
> > Recipient address: julie@yyyyyy.com
> > Reason: Server rejected MAIL FROM address.
> > Diagnostic code: smtp;550 5.7.1 Access denied
> > Remote system: dns;mail.yyyyyy.com
> > (TCP|165.166.0.28|58988|217.199.181.62|25)
> >
> > Action: failed
> > Status: 5.0.0 (Server rejected MAIL FROM address.)
> > Original-recipient: rfc822;julie@yyyyyy.com
> > Final-recipient: rfc822;julie@yyyyyy.com
> > Remote-MTA: dns;mail.yyyyyy.com (TCP|165.166.0.28|58988|217.199.181.62|25)
> > Diagnostic-code: smtp;550 5.7.1 Access denied
> >
> > **************End of returned message*****************
> >
> > In my sendmail (maillog) I have the following which are the only entries
> > relating to the incoming domain & this e-mail address:-
> >
> > Jul 21 10:47:03 ns sendmail[22305]: h6L9l3322305: ruleset=check_relay,
> > arg1=smtp03.infoave.net, arg2=165.166.0.28, relay=smtp03.infoave.net
> > [165.166.0.28], reject=550 5.7.1 Access denied
> > Jul 21 10:47:04 ns sendmail[22305]: NOQUEUE: smtp03.infoave.net
> > [165.166.0.28] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
>
> [snip]
>
> This looks *very* much like mail service being denied because of an
> entry in the /etc/mail/access.db database. The maillog lines above
> are pretty much diagnostic for that.
>
> Here is a similar log line pair for rejection of an SMTP connection
> because of an access.db entry here:
>
> Jul 15 08:16:42 mikea sendmail[67639]: h6FDGSS8067639:
> from=, size=4398, class=0, nrcpts=1,
> msgid=<7t--$9-3$1$x0y$r$$n$weh$6@9gx.6.fih>, proto=SMTP,
> daemon=MTA, relay=MG097004084.user.veloxzone.com.br [200.97.4.84]
> Jul 15 14:47:10 mikea sendmail[69568]: ruleset=check_relay,
> arg1=MG020198.user.veloxzone.com.br, arg2=200.165.20.198,
> relay=MG020198.user.veloxzone.com.br [200.165.20.198],
> reject=550 5.7.1:Comite Gestor da Internet no Brasil
> not permitted to do SMTP here.
>
> --
> Mike Andrews
> mikea@mikea.ath.cx
> Tired old sysadmin since 1964

From mailscanner at LISTS.COM.AR Tue Jul 22 14:27:28 2003
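An added example, not part of any post in this thread: a Python sketch that pulls `ruleset=check_relay` rejections like the ones quoted above out of a sendmail maillog and lists the access-map entries that could have matched the rejected relay. The key expansion (octet-boundary network prefixes, parent domains, optional `Connect:` tag) and the plain-text access source it reads are assumptions about the local sendmail setup; the function names and the sample access entries are hypothetical.

```python
import re

# Constructed sample: maillog entries quoted in this thread, joined back onto
# single lines the way syslog writes them.
SAMPLE_MAILLOG = """\
Jul 21 10:47:03 ns sendmail[22305]: h6L9l3322305: ruleset=check_relay, arg1=smtp03.infoave.net, arg2=165.166.0.28, relay=smtp03.infoave.net [165.166.0.28], reject=550 5.7.1 Access denied
Jul 21 10:47:04 ns sendmail[22305]: NOQUEUE: smtp03.infoave.net [165.166.0.28] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Jul 15 14:47:10 mikea sendmail[69568]: ruleset=check_relay, arg1=MG020198.user.veloxzone.com.br, arg2=200.165.20.198, relay=MG020198.user.veloxzone.com.br [200.165.20.198], reject=550 5.7.1:Comite Gestor da Internet no Brasil not permitted to do SMTP here.
"""

# Constructed access-map source (hypothetical entries, not taken from the thread).
SAMPLE_ACCESS = """\
# constructed entries for the demo
localhost.localdomain   RELAY
Connect:165.166         REJECT
From:infoave.net        OK
spammer.example         550 Go away
"""

_PREFIX = r"^\w{3}\s+\d+ [\d:]+ (?P<loghost>\S+) sendmail\[(?P<pid>\d+)\]: "
# The queue id before "ruleset=" is optional: one of the quoted lines lacks it.
REJECT_RE = re.compile(
    _PREFIX + r"(?:(?P<qid>\S+): )?ruleset=check_relay, arg1=(?P<host>[^,]+), "
    r"arg2=(?P<ip>[^,]+), relay=.*?, reject=(?P<reason>.*)$")
GAVE_UP_RE = re.compile(_PREFIX + r"NOQUEUE: .* did not issue MAIL/EXPN/VRFY/ETRN")


def parse_rejections(log_text):
    """One dict per check_relay rejection; client_gave_up is set when the same
    sendmail process then logged that the client never sent MAIL."""
    rejections, by_proc = [], {}
    for line in log_text.splitlines():
        m = REJECT_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["client_gave_up"] = False
            rejections.append(rec)
            by_proc[(rec["loghost"], rec["pid"])] = rec
            continue
        m = GAVE_UP_RE.match(line)
        if m and (m.group("loghost"), m.group("pid")) in by_proc:
            by_proc[(m.group("loghost"), m.group("pid"))]["client_gave_up"] = True
    return rejections


def candidate_keys(host, ip):
    """Access-map keys that could cover this relay (assumed matching rules):
    the full IPv4 address, each shorter octet prefix, the host name and each
    parent domain."""
    keys = [ip]
    octets = ip.split(".")
    if len(octets) == 4 and all(o.isdigit() for o in octets):
        keys += [".".join(octets[:n]) for n in (3, 2, 1)]
    labels = host.lower().split(".")
    keys += [".".join(labels[i:]) for i in range(len(labels))]
    return keys


def matching_access_entries(access_text, host, ip):
    """Return (line number, key, action) for entries whose key, bare or tagged
    Connect:, is one of the candidate keys. Entries tagged From: or To: are
    skipped because they do not apply at connection time."""
    wanted = set(candidate_keys(host, ip))
    hits = []
    for lineno, line in enumerate(access_text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0]
        action = parts[1] if len(parts) > 1 else ""
        bare = key[len("connect:"):] if key.lower().startswith("connect:") else key
        if bare.lower() in wanted:
            hits.append((lineno, key, action))
    return hits


if __name__ == "__main__":
    for rej in parse_rejections(SAMPLE_MAILLOG):
        print(rej["ip"], rej["host"], "->", rej["reason"])
        for hit in matching_access_entries(SAMPLE_ACCESS, rej["host"], rej["ip"]):
            print("   access line %d: %s %s" % hit)
```

Run against the plain-text source of the access map, this shows network-prefix entries that a search for the sender's domain name alone would miss.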
From: mailscanner at LISTS.COM.AR (Mariano Absatz)
Date: Thu Jan 12 21:19:01 2006
Subject: Panda Software Command line update script from Panda support.
In-Reply-To: <3EA1A302A4978A4C970D2C63F327156ED54388@worc-mail2.int.morganco.com>
Message-ID: <3F1D1190.9059.293147B0@localhost>

Well... AFAIK, Julian is on vacation, I just translated the script...

I didn't test it, since I don't have PAV; however, the only thing I did was to
eliminate the Spanish strings (it tried to detect if your locale language was
Spanish and use Spanish strings, otherwise, it would use English strings), and
also changed the comments and variable and function names so it is clearer.

The script is somehow poor, but I think Julian or someone else could elaborate
on it... e.g. wget could be searched for with "which", and there is lots of
other stuff to enhance...

I'm attaching the modified script... the config file was already in English.

On 21 Jul 2003 at 16:00, Hancock, Scott wrote:

> I was ready for a fight that never came. I did threaten to cancel
> payment in the subject of my initial email.
> I didn't see Julian's post until after I bought the software (in
> a bit of haste I might add).
> I'm really not qualified to write or mess with the MailScanner wrapper.
> I'm hoping some one could post an updated wrapper based on the tech
> support script. An English version would be a bonus too.
>
> If I remember the wrapper is necessary to pause the mailscanner while
> the sig files download and update.
>
> -Scott
>
>
> -----Original Message-----
> From: Michele Neylon:: Blacknight Solutions
> [mailto:michele@BLACKNIGHTSOLUTIONS.COM]
> Sent: Monday, July 21, 2003 2:04 PM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: Panda Software Command line update script from Panda
> support.
>
> So how did you manage to get a reply from them? What was your trick?
>
> (Thanks for the script!!)
> _____
>
> This message (and any attachment) is intended only for the recipient and
> may contain confidential and/or privileged material. If you have
> received this in error, please contact the sender and delete this
> message immediately. Disclosure, copying or other action taken in
> respect of this email or in reliance on it is prohibited.
>

--
Mariano Absatz
El Baby
----------------------------------------------------------
When I want your opinion, I'll give it to you.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: pavcl_update.sh
Type: application/octet-stream
Size: 6019 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030722/7ed7f270/pavcl_update.obj

From ka at PACIFIC.NET Tue Jul 22 14:37:48 2003
From: ka at PACIFIC.NET (Ken Anderson)
Date: Thu Jan 12 21:19:01 2006
Subject: SA rules?
In-Reply-To:
References:
Message-ID: <3F1D3E2C.1070006@pacific.net>

Chris Trudeau wrote:
> All,
>
> probably answered in the past...but am unable to find search parameters that
> return anything of value...probably just me...here goes.
>
> I was wondering if the spam.assassin.prefs.conf can be a rules file that
> points to separate spamassassin configurations based on FromOrTo
> directives....the reason I'm asking is that this would allow completely
> separate SA rules per domain if I wanted to host several domains...

See CustomConfig.pm for an example of how to implement per-domain
whitelist and blacklist rules. Note that this doesn't give you
completely separate SA rules per domain, just separate white/blacklist
per-domain.

Ken A.

> THNX
> CT
>
>

From SJCJonker at SJC.NL Tue Jul 22 14:53:55 2003
From: SJCJonker at SJC.NL (Stijn Jonker)
Date: Thu Jan 12 21:19:01 2006
Subject: Attachment vs Striphtml for tagged messages
In-Reply-To: <52E50E4D595DDE4D861117A1FB62E79DC00695@bond.ncl.ac.uk>
References: <52E50E4D595DDE4D861117A1FB62E79DC00695@bond.ncl.ac.uk>
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Quentin,

I see nobody replied yet, I only have a partial answer.
See my comments inline.

On Tue, 22 Jul 2003, Quentin Campbell wrote:

> We are running with the latest MailScanner (and SpamAssassin) releases
> and are evaluating with a small group of users the use of the
> "attachment" option for messages tagged as spam. The rest of our users
> see the "striphtml" behaviour.
>
> We expected that only spam messages with an HTML body would have the
> original body moved into an attachment while spam messages with a
> non-HTML body would be left as they were.

As far as I know this is as designed, next to protection against "web bugs"
/ images with a unique identifier etc, etc. It also protects the users against
trash and sexist talk etc etc.

Imho a good move, but of course your mileage may vary.

> We are finding that _most_ tagged spam messages, even when they appear
> to have no HTML, have the message body moved to an attachment. A few
> tagged messages however do not have the body moved into an attachment
> but these messages appear to be no different to some that do have the
> body moved into an attachment.

As MailScanner doesn't copy messages if they have multiple recipients it
takes only one rule on what action to take. (I seem to remember it's the
first rule, but I'm not sure.) You might want to check the messages where
the body isn't an attachment if they were sent to multiple recipients on
SMTP level. (So not only the body).

> What criteria decides which tagged message has its body moved unchanged
> into an attachment (and the body replaced with a warning text) and which
> has its body left as received?
>

See my reasons above, but I'm not Julian ;-))

>
> As a BTW we note that the "attachment" option works well with Outlook,
> Pine, Pegasus, etc, but in the case of Eudora the attachment is opened
> automatically when the message body is read. This is precisely the
> opposite of what is wanted. It may well be a configurable behaviour on
> Eudora but we haven't found the option yet!

Maybe you can help me here, I can't seem to get pine to leave the attached
message as is, it displays the attachment here after the MailScanner
notice. What option did you use to disable the behaviour to display the
message inline?

Hope it helps.

- --
Met Vriendelijke groet/Yours Sincerely
Stijn Jonker
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)

iD8DBQE/HUIAjU9r45tKnOARAjkpAJ0SWUPfwMgrsNEXgl0spYc3CH8WDQCg1lGn
b/FvcbCk0oLirThLcF5TzhA=
=n+aZ
-----END PGP SIGNATURE-----

From mailscanner at LISTS.COM.AR Tue Jul 22 14:59:37 2003
From: mailscanner at LISTS.COM.AR (Mariano Absatz)
Date: Thu Jan 12 21:19:01 2006
Subject: Delete Old McAfee Dats
In-Reply-To: <000101c35052$7118d8e0$6900000a@targetsis.com.br>
Message-ID: <3F1D1919.15385.294EB86D@localhost>

Yes, you can delete the old dat directories.

There's no "frequency" to do this, you should do it when you're sure the newer
dat has no problems.

I think of two different schemes:

1) You could delete the old directory(ies) after 2 or 3 days passed from the
   last update if nothing went wrong (every now and then there can be updates
   that are broken, though they're usually followed by a newer update fixing
   it).

2) You could manage to keep, for instance, the current dat directory plus one
   or two old ones, regardless of time.

On 22 Jul 2003 at 10:09, Rodrigo Scarano wrote:

> Hello all
> I use MS with McAfee and I have a simple question.
> The auto-update-script creates a new directory for the new dat (when it's
> find one on ftp) and keep the old dats for backup. I thing I can delete with
> some frequency this old Dat directories. Is thar correct ???
>
> Regards,
>
> Rodrigo Scarano
> Target Sistemas
> http://www.targetsis.com.br/
> rscarano@targetsis.com.br

--
Mariano Absatz
El Baby
----------------------------------------------------------
Never underestimate the bandwidth of a station wagon full of tapes
hurtling down the highway.
    -- Andrew S. Tanenbaum - Computer Networks

From rscarano at targetsis.com.br Tue Jul 22 15:11:07 2003
From: rscarano at targetsis.com.br (Rodrigo Scarano)
Date: Thu Jan 12 21:19:01 2006
Subject: RES: Delete Old McAfee Dats
In-Reply-To: <3F1D1919.15385.294EB86D@localhost>
Message-ID: <000a01c3505b$1935ad20$6900000a@targetsis.com.br>

Txs Mariano, I will follow your suggestions... ;-).

Regards,

Rodrigo Scarano
Target Sistemas
http://www.targetsis.com.br/
rscarano@targetsis.com.br

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Mariano Absatz
Sent: Tuesday, 22 July 2003 11:00
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Delete Old McAfee Dats

Yes, you can delete the old dat directories.

There's no "frequency" to do this, you should do it when you're sure the newer
dat has no problems.

I think of two different schemes:

1) You could delete the old directory(ies) after 2 or 3 days passed from the
   last update if nothing went wrong (every now and then there can be updates
   that are broken, though they're usually followed by a newer update fixing
   it).

2) You could manage to keep, for instance, the current dat directory plus one
   or two old ones, regardless of time.

On 22 Jul 2003 at 10:09, Rodrigo Scarano wrote:

> Hello all
> I use MS with McAfee and I have a simple question.
> The auto-update-script creates a new directory for the new dat (when it's
> find one on ftp) and keep the old dats for backup. I thing I can delete with
> some frequency this old Dat directories. Is thar correct ???
>
> Regards,
>
> Rodrigo Scarano
> Target Sistemas
> http://www.targetsis.com.br/
> rscarano@targetsis.com.br

--
Mariano Absatz
El Baby
----------------------------------------------------------
Never underestimate the bandwidth of a station wagon full of tapes
hurtling down the highway.
    -- Andrew S. Tanenbaum - Computer Networks

From mbowman at UDCOM.COM Tue Jul 22 15:12:05 2003
From: mbowman at UDCOM.COM (Matthew Bowman)
Date: Thu Jan 12 21:19:01 2006
Subject: Threshold ruleset syntax
Message-ID:

Hi

What is the syntax for the Threshold ruleset ?

To: domain1.tld 4
To: domain2.tld 5
To: default 6

?

Please advise.

Thanks
Matthew

From zabriskw at ITECH.NET Tue Jul 22 15:19:51 2003
From: zabriskw at ITECH.NET (Kris Zabriskie)
Date: Thu Jan 12 21:19:01 2006
Subject: Whitelisted
Message-ID: <000701c3505c$509521f0$0c02a8c0@itech.dom>

I know this has come up several times on the MailScanner mailing list, but I
have not seen a clear cut answer on why this happens and I know several
people are having the same problem. Our spam has gone through the roof
recently. A good portion of it is spam, that SpamAssassin has identified as
spam, but in the header it says "not spam (whitelisted)". OK. Obviously
somewhere it says, that this e-mail address is ok. So I continue to look
around. No mention of the address in spam.whitelist.rules for
mailscanner. So it must be SA! I go over to 60_whitelist.conf. The
address is not in there, in fact I delete all of the addresses. I then
jump over to the MailScanner conf, and take a look in there to make sure I
am not using SA for whitelisting. In the MailScanner conf it says:

SpamAssassin Auto Whitelist = no

I have NO idea what is going on here! Below is just an example of one that
got through.

This is everything from mail.log pertaining to the example message:

Jul 22 09:11:08 mustang sendmail[385422]: h6MDB1OS385422: from=<7hd29nsrepo@springfieldrealty.com>, size=2700, class=0, nrcpts=17, msgid=, proto=SMTP, daemon=MTA, relay=_Crystal@c66.110.164-221.clta.globetrotter.net [66.110.164.221]
Jul 22 09:11:12 mustang sendmail[387950]: h6MDB1OS385422: to=,,,,,support,,,,,,,,,,,< bbani@itech.net>, delay=00:00:11, xdelay=00:00:01, mailer=local, pri=600558, dsn=2.0.0, stat=Sent

This is the header of the email:

X-Priority: 3
X-MSMail-Priority: Normal
X-MailScanner-Information: Please contact the ISP for more information
X-MailScanner: Found to be clean
X-MailScanner-SpamCheck: not spam (whitelisted), SpamAssassin (score=8.2,
        required 5, BANG_GUARANTEE, CLICK_BELOW_CAPS, HTML_70_80,
        HTML_FONT_BIG, HTML_LINK_CLICK_CAPS, HTML_LINK_CLICK_HERE,
        HTML_MESSAGE, MIME_HTML_ONLY, MISSING_MIMEOLD,
        MISSING_OUTLOOK_NAME, OBFUSCATING_COMMENT, PENIS_ENLARGE2)

Any help would be greatly appreciated. I am trying to stop little kids from
getting bombarded with Penis Enlargement e-mails.

Thanks in advance.

Kris Zabriskie
Network Admin / Consultant
I-Tech Inc.
zabriskw@itech.net
717-657-3035

From srhitch at MECHENG1.UWATERLOO.CA Tue Jul 22 15:17:19 2003
From: srhitch at MECHENG1.UWATERLOO.CA (Steve Hitchman)
Date: Thu Jan 12 21:19:01 2006
Subject: SA only scores 0
In-Reply-To: <3F1D3E2C.1070006@pacific.net>
Message-ID: <001401c3505b$f65fb7e0$202e6181@NEXUS.UWATERLOO.CA>

Hello all,

I have recently upgraded from ver3.x to ver4.22 (Sophos/Solaris 7). Seems
to be working great! I have not been running SpamAssassin in the past. I
installed SA 2.60. Within MS I get nothing but "SpamAssassin (score=0,
required 5)" on all messages including spam that detects as spam when
piped to "spamassassin".

Regards,

Steve Hitchman
University of Waterloo
Dept of Mechanical Engineering
Ontario, Canada

From Steve at swaney.com Tue Jul 22 16:33:25 2003
From: Steve at swaney.com (Stephen Swaney)
Date: Thu Jan 12 21:19:01 2006
Subject: SA only scores 0
In-Reply-To: <001401c3505b$f65fb7e0$202e6181@NEXUS.UWATERLOO.CA>
References: <001401c3505b$f65fb7e0$202e6181@NEXUS.UWATERLOO.CA>
Message-ID: <1058888004.3386.27.camel@speedy>

Steve,

Have you set:

Use SpamAssassin = yes

in MailScanner.conf?

Also I believe that SpamAssassin 2.60 is still pre-release. Still it
should work.

Steve
Steve@swaney.com

On Tue, 2003-07-22 at 10:17, Steve Hitchman wrote:

> Hello all,
>
> I have recently upgraded from ver3.x to ver4.22(Sophos/Solaris 7). Seems
> to be working great! I have not been running Spamassassin in the past. I
> installed SA 2.60. Within MS I get nothing but "SpamAssassin (score=0,
> required 5)" on all messages including spam that detects as spam when
> piped to "spamassassin".
>
> Regards,
>
> Steve Hitchman
> University of Waterloo
> Dept of Mechanical Engineering
> Ontario, Canada

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030722/796f2260/attachment.html

From srhitch at MECHENG1.UWATERLOO.CA Tue Jul 22 16:54:59 2003
From: srhitch at MECHENG1.UWATERLOO.CA (Steve Hitchman)
Date: Thu Jan 12 21:19:01 2006
Subject: SA only scores 0
In-Reply-To: <1058888004.3386.27.camel@speedy>
Message-ID: <003b01c35069$9b270640$202e6181@NEXUS.UWATERLOO.CA>

Yes. I have set Use SpamAssassin=yes.

The "SpamAssassin (score=0,required 5)" message shows up in the header of
all delivered mail. Does that not mean the MS has used or attempted to use
SA?

Steve Hitchman
University of Waterloo
Dept of Mechanical Engineering

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Stephen Swaney
Sent: July 22, 2003 11:33 AM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: SA only scores 0

Steve,

Have you set:

Use SpamAssassin = yes

in MailScanner.conf?

Also I believe that SpamAssassin 2.60 is still pre-release. Still it
should work.

Steve
Steve@swaney.com

On Tue, 2003-07-22 at 10:17, Steve Hitchman wrote:

Hello all,

I have recently upgraded from ver3.x to ver4.22(Sophos/Solaris 7). Seems
to be working great! I have not been running Spamassassin in the past. I
installed SA 2.60. Within MS I get nothing but "SpamAssassin (score=0,
required 5)" on all messages including spam that detects as spam when
piped to "spamassassin".

Regards,

Steve Hitchman
University of Waterloo
Dept of Mechanical Engineering
Ontario, Canada

From tchamtieh at YAHOO.COM Tue Jul 22 16:57:10 2003
From: tchamtieh at YAHOO.COM (Thomas Chamtieh)
Date: Thu Jan 12 21:19:01 2006
Subject: SA only scores 0
In-Reply-To: <003b01c35069$9b270640$202e6181@NEXUS.UWATERLOO.CA>
Message-ID: <20030722155710.48223.qmail@web13208.mail.yahoo.com>

I've had the same problem. I un-installed SpamAssassin completely including
the tools and all then re-installed it again. All worked perfect after that.

-Thomas

Steve Hitchman wrote:

Yes. I have set Use SpamAssassin=yes.

The "SpamAssassin (score=0,required 5)" message shows up in the header of
all delivered mail. Does that not mean the MS has used or attempted to use
SA?

Steve Hitchman
University of Waterloo
Dept of Mechanical Engineering

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Stephen Swaney
Sent: July 22, 2003 11:33 AM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: SA only scores 0

Steve,

Have you set:

Use SpamAssassin = yes

in MailScanner.conf?

Also I believe that SpamAssassin 2.60 is still pre-release. Still it
should work.

Steve
Steve@swaney.com

On Tue, 2003-07-22 at 10:17, Steve Hitchman wrote:

Hello all,

I have recently upgraded from ver3.x to ver4.22(Sophos/Solaris 7). Seems
to be working great! I have not been running Spamassassin in the past. I
installed SA 2.60. Within MS I get nothing but "SpamAssassin (score=0,
required 5)" on all messages including spam that detects as spam when
piped to "spamassassin".

Regards,

Steve Hitchman
University of Waterloo
Dept of Mechanical Engineering
Ontario, Canada

---------------------------------
Do you Yahoo!?
Yahoo! SiteBuilder - Free, easy-to-use web site design software

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030722/0c76262b/attachment.html

From mkettler at EVI-INC.COM Tue Jul 22 17:13:10 2003
From: mkettler at EVI-INC.COM (Matt Kettler)
Date: Thu Jan 12 21:19:01 2006
Subject: SA only scores 0
In-Reply-To: <1058888004.3386.27.camel@speedy>
References: <001401c3505b$f65fb7e0$202e6181@NEXUS.UWATERLOO.CA> <001401c3505b$f65fb7e0$202e6181@NEXUS.UWATERLOO.CA>
Message-ID: <5.2.1.1.0.20030722121004.01893460@xanadu.evi-inc.com>

At 11:33 AM 7/22/2003 -0400, Stephen Swaney wrote:
>Also I believe that SpamAssassin 2.60 is still pre-release. Still it
>should work.

Yes, 2.60 is most definitely NOT a released version. Since MailScanner uses
the direct API, I'd advise against playing with CVS versions of
spamassassin on production boxes.

Steve, try upgrading your 2.60 to today's version, see if it fixes the
problem... it changes daily and is sometimes unstable for short periods of
time. (And yes, the SA website does warn you that 2.60 is currently a CVS
devel version that may be unstable.)

If you want a stable release version, 2.55 is current.

From mkettler at EVI-INC.COM Tue Jul 22 17:15:52 2003
From: mkettler at EVI-INC.COM (Matt Kettler)
Date: Thu Jan 12 21:19:01 2006
Subject: Whitelisted
In-Reply-To: <000701c3505c$509521f0$0c02a8c0@itech.dom>
Message-ID: <5.2.1.1.0.20030722121437.01887368@xanadu.evi-inc.com>

At 10:19 AM 7/22/2003 -0400, Kris Zabriskie wrote:
>I know this has come up several times on the MailScanner mailing list, but I
>have not seen a clear cut answer on why this happens and I know several
>people are having the same problem. Our spam has gone through the roof
>recently. A good portion of it is spam, that SpamAssassin has identified as
>spam, but in the header it says "not spam (whitelisted)". OK. Obviously
>somewhere it says, that this e-mail address is ok. So I continue to look
>around. No mention of the address in spam.whitelist.rules for
>mailscanner. So it must be SA! I go over to 60_whitelist.conf. The
>address is not in there, in fact I delete all of the addresses. I then
>jump over to the MailScanner conf, and take a look in there to make sure I
>am not using SA for whitelisting. In the MailScanner conf it says:
>SpamAssassin Auto Whitelist = no

The "not spam (whitelisted)" is a MailScanner whitelisting, not a
SpamAssassin whitelisting. Check your mailscanner config.

SA will indicate whitelists by rules that modify the score, and not any
other way.

From rherban at HYPERVINE.NET Tue Jul 22 17:43:18 2003
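An added example, not part of any post in this thread: a Python sketch that reads the `X-MailScanner-SpamCheck` header format quoted above, flags messages marked "whitelisted" although SpamAssassin scored them at or over the threshold, and collects the sender and relay values to search for in the MailScanner whitelist rules. The header name is the one shown in the thread; the function names and both sample messages are constructed for the demo.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample built from the header and log values quoted in this
# thread; the Received line and the shortened rule list are made up.
FLAGGED = """\
Return-Path: <7hd29nsrepo@springfieldrealty.com>
Received: from c66.110.164-221.clta.globetrotter.net ([66.110.164.221])
\tby mustang with SMTP id h6MDB1OS385422
X-MailScanner: Found to be clean
X-MailScanner-SpamCheck: not spam (whitelisted), SpamAssassin (score=8.2,
\trequired 5, BANG_GUARANTEE, HTML_MESSAGE, MIME_HTML_ONLY)
Subject: constructed sample

body
"""

# Constructed sample for the "score=0" report also quoted in the thread.
UNSCORED = "X-MailScanner-SpamCheck: SpamAssassin (score=0, required 5)\n\nbody\n"

SPAMCHECK_RE = re.compile(
    r"^(?:(?P<verdict>.*?),\s*)?SpamAssassin \(score=(?P<score>-?[\d.]+),\s*"
    r"required (?P<required>-?[\d.]+)(?:,\s*(?P<rules>.*?))?\)\s*$")
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_spamcheck(value):
    """Split a SpamCheck header value into verdict, score, threshold and the
    SpamAssassin rule names. Returns None if the value has another shape."""
    flat = " ".join(value.split())          # undo header folding
    m = SPAMCHECK_RE.match(flat)
    if not m:
        return None
    verdict = (m.group("verdict") or "").strip()
    score, required = float(m.group("score")), float(m.group("required"))
    rules = [r.strip() for r in (m.group("rules") or "").split(",") if r.strip()]
    whitelisted = "whitelisted" in verdict.lower()
    return {
        "verdict": verdict,
        "whitelisted": whitelisted,
        "score": score,
        "required": required,
        "rules": rules,
        # The case from the thread: MailScanner's whitelist overrode a score
        # that SpamAssassin alone would have treated as spam.
        "overridden": whitelisted and score >= required,
    }


def triage(raw_message, header="X-MailScanner-SpamCheck"):
    """Parse one message and add the values a whitelist rule could have
    matched: envelope sender, its domain, and every relay IP in Received."""
    msg = message_from_string(raw_message)
    check = parse_spamcheck(msg.get(header, ""))
    if check is None:
        return None
    sender = parseaddr(msg.get("Return-Path") or msg.get("From", ""))[1].lower()
    values = []
    if sender:
        values += [sender, sender.rsplit("@", 1)[-1]]
    for received in msg.get_all("Received", []):
        values += IP_RE.findall(received)
    check["whitelist_lookup_values"] = list(dict.fromkeys(values))
    return check


if __name__ == "__main__":
    result = triage(FLAGGED)
    if result["overridden"]:
        print("whitelisted despite score %.1f >= %.1f" %
              (result["score"], result["required"]))
        print("search the whitelist rules for:", result["whitelist_lookup_values"])
```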
From: rherban at HYPERVINE.NET (Randy Herban)
Date: Thu Jan 12 21:19:01 2006
Subject: User Verification
Message-ID: <00FD7F04EA248947B8FBB971044379DB110644@corpserv1.hvcorp.hypervine.net>

I have a question about how versatile mailscanner/spamassassin might be
to do user verification.

I've been thinking about it for a while and my mentality was to have
mailscanner do the verification, if the user doesn't exist, delete the
mail and proceed onto the next, bypassing the rest of the checks as we
won't be delivering this mail anyway.
This has a nasty side as legit mail to a user who was just deleted
wouldn't get bounced back.

My next thought was to use a spamassassin type scoring to it. For each
nonexistent user we add a score of 1. If there are that many to push it
over the high spam score then it will get deleted but single messages
(bouncebacks) would go under the radar and get delivered fine.

I know that I would be able to write this into mailscanner itself (being
as it's a perl script) but not sure if it's possible to tie it into the
spamassassin scoring.

Does anyone with more knowledge have any input that might assist me?

Thanks
Randy

From damian at WORKGROUPSOLUTIONS.COM Tue Jul 22 17:43:48 2003
From: damian at WORKGROUPSOLUTIONS.COM (Damian Mendoza)
Date: Thu Jan 12 21:19:01 2006
Subject: Whitelisted
Message-ID:

Matt,

If you find the resolution, please let me know. It's been killing me at
one of my accounts - the CEO hates getting SPAM and he is the one that
keeps getting the "whitelisted" SPAM.

Regards,

Damian

-----Original Message-----
From: Matt Kettler [mailto:mkettler@EVI-INC.COM]
Sent: Tuesday, July 22, 2003 9:16 AM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Whitelisted

At 10:19 AM 7/22/2003 -0400, Kris Zabriskie wrote:
>I know this has come up several times on the MailScanner mailing list, but I
>have not seen a clear cut answer on why this happends and I know several
>people are having the same problem. Our spam has gone through the roof
>recently. A good portion of it is spam, that SpamAssassin has identified as
>spam, but in the header it says "not spam (whitelisted)". OK. Obviously
>somewhere it says, that this e-mail address is ok. So I continue to look
>around. No mentionment of the address in spam.whitelist.rules for
>mailscanner. So it must be SA! I go over to 60_whitelist.conf. The
>address is not in there, in fact I delete all of the addresses. I then,
>jump over to the MailScanner conf, and take a look in there to make sure I
>am not using SA for whitelisting. In the MailScanner conf it says:
>SpamAssassin Auto Whitelist = no

The "not spam (whitelisted)" is a MailScanner whitelisting, not a
SpamAssassin whitelisting. Check your mailscanner config.

SA will indicate whitelists by rules that modify the score, and not any
other way.

From Steve at swaney.com Tue Jul 22 17:54:21 2003
From: Steve at swaney.com (Stephen Swaney)
Date: Thu Jan 12 21:19:01 2006
Subject: User Verification
In-Reply-To: <00FD7F04EA248947B8FBB971044379DB110644@corpserv1.hvcorp.hypervine.net>
References: <00FD7F04EA248947B8FBB971044379DB110644@corpserv1.hvcorp.hypervine.net>
Message-ID: <1058892861.3386.38.camel@speedy>

Randy,

A lot easier (and better) to do this in the MTA. A sendmail example
would be to use the virtusertable feature.

Enable sendmail to use the virtusertable feature, then create the
virtual user table with entries similar to:

joe@yourdomain.com      joe@yourdomain1.com
jim@yourdomain.com      jim@yourdomain.com
sally@yourdomain.com    sally@yourdomain.com
@yourdomain.com         error:nouser No such user here

A fuller explanation can be found at:

http://naughty.monkey.org/openbsd/archive/misc/0204/msg00846.html

On Tue, 2003-07-22 at 12:43, Randy Herban wrote:

> I have a question about how versitile mailscanner/spamassassin might be
> to do user verification.
>
> I've been thinkin about it for a while and my mentality was to have
> mailscanner do the verification, if the user doesn't exist, delete the
> mail and proceed onto the next, bypassing the rest of the checks as we
> won't be delivering this mail anyway.
> This has a nasty side as legit mail to a user who was just deleted
> wouldn't get bounced back.
>
> My next thought was to use a spamassassin type scoring to it. For each
> nonexistent user we add a score of 1. If there are that many to push it
> over the high spam score then it will get deleted but single messages
> (boucebacks) would go under the radar and get delivered fine.
>
> I know that I would be able to write this into mailscanner itself (being
> as it's a perl script) but not sure if it's possible to tie it into the
> spamassassin scoring.
>
> Does anyone with more knowledge have any input that might assist me?
>
> Thanks
> Randy

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030722/86afc59b/attachment.html

From mkettler at EVI-INC.COM Tue Jul 22 17:57:19 2003
From: mkettler at EVI-INC.COM (Matt Kettler)
Date: Thu Jan 12 21:19:01 2006
Subject: Whitelisted
In-Reply-To:
Message-ID: <5.2.1.1.0.20030722125412.018882c8@xanadu.evi-inc.com>

At 09:43 AM 7/22/2003 -0700, Damian Mendoza wrote:
>If you find the resolution, please let me know. It's been killing me at
>one of my accounts - the CEO hates getting SPAM and he is the one that
>keeps getting the "whitelisted" SPAM.

I can't find the resolution to a problem I don't have.

My offhanded guess is you've got a mailscanner "accept spam from"
statement that covers a secondary MX.

But this is a problem with your configuration, so you're going to have to
look at the message headers of the whitelisted messages, and at your
mailscanner.conf and figure out why they are matching.

From zabriskw at ITECH.NET Tue Jul 22 17:59:47 2003
From: zabriskw at ITECH.NET (Kris Zabriskie)
Date: Thu Jan 12 21:19:01 2006
Subject: Whitelisted
References: <5.2.1.1.0.20030722121437.01887368@xanadu.evi-inc.com>
Message-ID: <001601c35072$a89b26e0$0c02a8c0@itech.dom>

Matt,

Thank you for the reply. I have just looked at my MailScanner.conf file
again, and I do not see anything in there, that would allow for these
messages to be whitelisted. The only thing I can think of, is if the
spammers were forging the e-mail envelope address as something that I have
whitelisted (only 3 domains). However, that would be apparent in the
mail.log for sendmail, and that is not appearing to be the case at all. I
am absolutely clueless about why these are being whitelisted. I will post
mailscanner.conf and spam.whitelist.rules if that would help at all, but I
don't want to clutter the mailing list if that isn't going to help.

Thanks again for your help!

----- Original Message -----
From: "Matt Kettler" To: Sent: Tuesday, July 22, 2003 12:15 PM Subject: Re: Whitelisted > At 10:19 AM 7/22/2003 -0400, Kris Zabriskie wrote: > >I know this has come up several times on the MailScanner mailing list, but I > >have not seen a clear cut answer on why this happends and I know several > >people are having the same problem. Our spam has gone through the roof > >recently. A good portion of it is spam, that SpamAssassin has identified as > >spam, but in the header it says "not spam (whitelisted)". OK. Obviously > >somewhere it says, that this e-mail address is ok. So I continue to look > >around. No mentionment of the address in spam.whitelist.rules for > >mailscanner. So it must be SA! I go over to 60_whitelist.conf. The > >address is not in there, in fact I delete all of the addresses. I then, > >jump over to the MailScanner conf, and take a look in there to make sure I > >am not using SA for whitelisting. In the MailScanner conf it says: > >SpamAssassin Auto Whitelist = no > > The "not spam (whitelisted)" is a MailScanner whitelisting, not a > SpamAssassin whitelisting. Check your mailscanner config. > > SA will indicate whitelists by rules that modify the score, and not any > other way. > From steve.douglas at SBIINCORPORATED.COM Tue Jul 22 18:14:35 2003 From: steve.douglas at SBIINCORPORATED.COM (Steve Douglas) Date: Thu Jan 12 21:19:01 2006 Subject: Whitelisted Message-ID: <3963522F0E71474CB14C0FF54A6914F7011152C4@mail.gardenbotanika.com> I pretty well have given up on trying to figure out this too. I have numerous address in my spam.whitelist.rules and they just get plain ignored. This statement is invoked by the "Is Definitely Not Spam" statement in the MS conf file. SD :-) > -----Original Message----- 
> From: Kris Zabriskie [mailto:zabriskw@ITECH.NET] > Sent: Tuesday, July 22, 2003 9:20 AM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Whitelisted > > I know this has come up several times on the MailScanner mailing list, but > I > have not seen a clear cut answer on why this happends and I know several > people are having the same problem. Our spam has gone through the roof > recently. A good portion of it is spam, that SpamAssassin has identified > as > spam, but in the header it says "not spam (whitelisted)". OK. Obviously > somewhere it says, that this e-mail address is ok. So I continue to look > around. No mentionment of the address in spam.whitelist.rules for > mailscanner. So it must be SA! I go over to 60_whitelist.conf. The > address is not in there, in fact I delete all of the addresses. I then, > jump over to the MailScanner conf, and take a look in there to make sure I > am not using SA for whitelisting. In the MailScanner conf it says: > SpamAssassin Auto Whitelist = no > > I have NO idea what is going on here! Below is just an example of one > that > got through. 
> > This is everything from mail.log pertaining to the example message: > > Jul 22 09:11:08 mustang sendmail[385422]: h6MDB1OS385422: > from=<7hd29nsrepo@springfieldrealty.com>, size=2700, class=0, nrcpts=17, > msgid=, proto=SMTP, > daemon=MTA, > relay=_Crystal@c66.110.164-221.clta.globetrotter.net [66.110.164.221] > Jul 22 09:11:12 mustang sendmail[387950]: h6MDB1OS385422: > to=,,, ne > t>,,support,,, pi > mp@itech.net>,,,, rr > ier@itech.net>,,, > ,< > bbani@itech.net>, delay=00:00:11, xdelay=00:00:01, mailer=local, > pri=600558, > dsn=2.0.0, stat=Sent > > This is the header of the email: > > X-Priority: 3 > X-MSMail-Priority: Normal > X-MailScanner-Information: Please contact the ISP for more information > X-MailScanner: Found to be clean > X-MailScanner-SpamCheck: not spam (whitelisted), SpamAssassin (score=8.2, > required 5, BANG_GUARANTEE, CLICK_BELOW_CAPS, HTML_70_80, HTML_FONT_BIG, > HTML_LINK_CLICK_CAPS, HTML_LINK_CLICK_HERE, HTML_MESSAGE, MIME_HTML_ONLY, > MISSING_MIMEOLD, MISSING_OUTLOOK_NAME, OBFUSCATING_COMMENT, > PENIS_ENLARGE2) > > Any help would be greatly appreciated. I am trying to stop little kids > from > getting bombarded with Penis Enlargement e-mails. Thanks in advance. > > > Kris Zabriskie > Network Admin / Consultant > I-Tech Inc. > zabriskw@itech.net > 717-657-3035 From zabriskw at ITECH.NET Tue Jul 22 18:19:51 2003 From: zabriskw at ITECH.NET (Kris Zabriskie) Date: Thu Jan 12 21:19:01 2006 Subject: Whitelisted References: <3963522F0E71474CB14C0FF54A6914F7011152C4@mail.gardenbotanika.com> Message-ID: <000501c35075$75e0d350$0c02a8c0@itech.dom> If this continues, I think I am going to have to change products, which I really do not want to do. ----- Original Message ----- 
From: "Steve Douglas" To: Sent: Tuesday, July 22, 2003 1:14 PM Subject: Re: Whitelisted > I pretty well have given up on trying to figure out this too. I have > numerous address in my spam.whitelist.rules and they just get plain ignored. > This statement is invoked by the "Is Definitely Not Spam" statement in the > MS conf file. > > SD > :-) > > > > -----Original Message----- 
> > From: Kris Zabriskie [mailto:zabriskw@ITECH.NET] > > Sent: Tuesday, July 22, 2003 9:20 AM > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: Whitelisted > > > > I know this has come up several times on the MailScanner mailing list, but > > I > > have not seen a clear cut answer on why this happends and I know several > > people are having the same problem. Our spam has gone through the roof > > recently. A good portion of it is spam, that SpamAssassin has identified > > as > > spam, but in the header it says "not spam (whitelisted)". OK. Obviously > > somewhere it says, that this e-mail address is ok. So I continue to look > > around. No mentionment of the address in spam.whitelist.rules for > > mailscanner. So it must be SA! I go over to 60_whitelist.conf. The > > address is not in there, in fact I delete all of the addresses. I then, > > jump over to the MailScanner conf, and take a look in there to make sure I > > am not using SA for whitelisting. In the MailScanner conf it says: > > SpamAssassin Auto Whitelist = no > > > > I have NO idea what is going on here! Below is just an example of one > > that > > got through. 
> > > > This is everything from mail.log pertaining to the example message: > > > > Jul 22 09:11:08 mustang sendmail[385422]: h6MDB1OS385422: > > from=<7hd29nsrepo@springfieldrealty.com>, size=2700, class=0, nrcpts=17, > > msgid=, proto=SMTP, > > daemon=MTA, > > relay=_Crystal@c66.110.164-221.clta.globetrotter.net [66.110.164.221] > > Jul 22 09:11:12 mustang sendmail[387950]: h6MDB1OS385422: > > to=,,, > ne > > t>,,support,,, > pi > > mp@itech.net>,,,, > rr > > ier@itech.net>,,, > > ,< > > bbani@itech.net>, delay=00:00:11, xdelay=00:00:01, mailer=local, > > pri=600558, > > dsn=2.0.0, stat=Sent > > > > This is the header of the email: > > > > X-Priority: 3 > > X-MSMail-Priority: Normal > > X-MailScanner-Information: Please contact the ISP for more information > > X-MailScanner: Found to be clean > > X-MailScanner-SpamCheck: not spam (whitelisted), SpamAssassin (score=8.2, > > required 5, BANG_GUARANTEE, CLICK_BELOW_CAPS, HTML_70_80, HTML_FONT_BIG, > > HTML_LINK_CLICK_CAPS, HTML_LINK_CLICK_HERE, HTML_MESSAGE, MIME_HTML_ONLY, > > MISSING_MIMEOLD, MISSING_OUTLOOK_NAME, OBFUSCATING_COMMENT, > > PENIS_ENLARGE2) > > > > Any help would be greatly appreciated. I am trying to stop little kids > > from > > getting bombarded with Penis Enlargement e-mails. Thanks in advance. > > > > > > Kris Zabriskie > > Network Admin / Consultant > > I-Tech Inc. > > zabriskw@itech.net > > 717-657-3035 > From ka at PACIFIC.NET Tue Jul 22 18:29:20 2003 
From: ka at PACIFIC.NET (Ken Anderson) Date: Thu Jan 12 21:19:01 2006 Subject: Whitelisted In-Reply-To: <000501c35075$75e0d350$0c02a8c0@itech.dom> References: <3963522F0E71474CB14C0FF54A6914F7011152C4@mail.gardenbotanika.com> <000501c35075$75e0d350$0c02a8c0@itech.dom> Message-ID: <3F1D7470.6040000@pacific.net> Can't help you without information. Post your whitelist rules, post your maillogs & msg headers for the messages that were mysteriously whitelisted. Try running mailscanner in debug mode? (I have never tried this, so I can't really help here) Ken A. Kris Zabriskie wrote: > If this continues, I think I am going to have to change products, which I > really do not want to do. > > > ----- Original Message ----- > From: "Steve Douglas" > To: > Sent: Tuesday, July 22, 2003 1:14 PM > Subject: Re: Whitelisted > > > >>I pretty well have given up on trying to figure out this too. I have >>numerous address in my spam.whitelist.rules and they just get plain > > ignored. > >>This statement is invoked by the "Is Definitely Not Spam" statement in the >>MS conf file. >> >>SD >>:-) >> >> >> >>>-----Original Message----- 
>>>From: Kris Zabriskie [mailto:zabriskw@ITECH.NET] >>>Sent: Tuesday, July 22, 2003 9:20 AM >>>To: MAILSCANNER@JISCMAIL.AC.UK >>>Subject: Whitelisted >>> >>>I know this has come up several times on the MailScanner mailing list, > > but > >>>I >>>have not seen a clear cut answer on why this happends and I know several >>>people are having the same problem. Our spam has gone through the roof >>>recently. A good portion of it is spam, that SpamAssassin has > > identified > >>>as >>>spam, but in the header it says "not spam (whitelisted)". OK. > > Obviously > >>>somewhere it says, that this e-mail address is ok. So I continue to > > look > >>>around. No mentionment of the address in spam.whitelist.rules for >>>mailscanner. So it must be SA! I go over to 60_whitelist.conf. The >>>address is not in there, in fact I delete all of the addresses. I then, >>>jump over to the MailScanner conf, and take a look in there to make sure > > I > >>>am not using SA for whitelisting. In the MailScanner conf it says: >>>SpamAssassin Auto Whitelist = no >>> >>>I have NO idea what is going on here! Below is just an example of one >>>that >>>got through. 
>>> >>>This is everything from mail.log pertaining to the example message: >>> >>>Jul 22 09:11:08 mustang sendmail[385422]: h6MDB1OS385422: >>>from=<7hd29nsrepo@springfieldrealty.com>, size=2700, class=0, nrcpts=17, >>>msgid=, proto=SMTP, >>>daemon=MTA, >>>relay=_Crystal@c66.110.164-221.clta.globetrotter.net [66.110.164.221] >>>Jul 22 09:11:12 mustang sendmail[387950]: h6MDB1OS385422: >>> > > to=,,, >>>ne >>> > > t>,,support,,, >>>pi >>> > > mp@itech.net>,,,, >>>rr >>> > > ier@itech.net>,,, > >>>,< >>>bbani@itech.net>, delay=00:00:11, xdelay=00:00:01, mailer=local, >>>pri=600558, >>>dsn=2.0.0, stat=Sent >>> >>>This is the header of the email: >>> >>>X-Priority: 3 >>>X-MSMail-Priority: Normal >>>X-MailScanner-Information: Please contact the ISP for more information >>>X-MailScanner: Found to be clean >>>X-MailScanner-SpamCheck: not spam (whitelisted), SpamAssassin > > (score=8.2, > >>>required 5, BANG_GUARANTEE, CLICK_BELOW_CAPS, HTML_70_80, HTML_FONT_BIG, >>>HTML_LINK_CLICK_CAPS, HTML_LINK_CLICK_HERE, HTML_MESSAGE, > > MIME_HTML_ONLY, > >>>MISSING_MIMEOLD, MISSING_OUTLOOK_NAME, OBFUSCATING_COMMENT, >>>PENIS_ENLARGE2) >>> >>>Any help would be greatly appreciated. I am trying to stop little kids >>>from >>>getting bombarded with Penis Enlargement e-mails. Thanks in advance. >>> >>> >>>Kris Zabriskie >>>Network Admin / Consultant >>>I-Tech Inc. >>>zabriskw@itech.net >>>717-657-3035 >> > > From zabriskw at ITECH.NET Tue Jul 22 18:42:01 2003 
From: zabriskw at ITECH.NET (Kris Zabriskie) Date: Thu Jan 12 21:19:01 2006 Subject: Whitelisted References: <3963522F0E71474CB14C0FF54A6914F7011152C4@mail.gardenbotanika.com> <000501c35075$75e0d350$0c02a8c0@itech.dom> <3F1D7470.6040000@pacific.net> Message-ID: <000901c35078$8efbcc70$0c02a8c0@itech.dom> Here is everything: Contents: mail.log is the sendmail mail.log (ONLY information pertaining to the message in question) mail.header is the header of the e-mail spam.whitelist.rules is exactly what it says MailScanner.conf is exactly what it is =) Any help will greatly be appreciated!!! Thanks again to everyone for their help, and patience! ----- Original Message ----- From: "Ken Anderson" To: Sent: Tuesday, July 22, 2003 1:29 PM Subject: Re: Whitelisted > Can't help you without information. Post your whitelist rules, post your > maillogs & msg headers for the messages that were mysteriously > whitelisted. Try running mailscanner in debug mode? (I have never tried > this, so I can't really help here) > Ken A. > > > Kris Zabriskie wrote: > > > If this continues, I think I am going to have to change products, which I > > really do not want to do. > > > > > > ----- Original Message ----- > > From: "Steve Douglas" > > To: > > Sent: Tuesday, July 22, 2003 1:14 PM > > Subject: Re: Whitelisted > > > > > > > >>I pretty well have given up on trying to figure out this too. I have > >>numerous address in my spam.whitelist.rules and they just get plain > > > > ignored. > > > >>This statement is invoked by the "Is Definitely Not Spam" statement in the > >>MS conf file. > >> > >>SD > >>:-) > >> > >> > >> > >>>-----Original Message----- 
> >>>From: Kris Zabriskie [mailto:zabriskw@ITECH.NET] > >>>Sent: Tuesday, July 22, 2003 9:20 AM > >>>To: MAILSCANNER@JISCMAIL.AC.UK > >>>Subject: Whitelisted > >>> > >>>I know this has come up several times on the MailScanner mailing list, > > > > but > > > >>>I > >>>have not seen a clear cut answer on why this happends and I know several > >>>people are having the same problem. Our spam has gone through the roof > >>>recently. A good portion of it is spam, that SpamAssassin has > > > > identified > > > >>>as > >>>spam, but in the header it says "not spam (whitelisted)". OK. > > > > Obviously > > > >>>somewhere it says, that this e-mail address is ok. So I continue to > > > > look > > > >>>around. No mentionment of the address in spam.whitelist.rules for > >>>mailscanner. So it must be SA! I go over to 60_whitelist.conf. The > >>>address is not in there, in fact I delete all of the addresses. I then, > >>>jump over to the MailScanner conf, and take a look in there to make sure > > > > I > > > >>>am not using SA for whitelisting. In the MailScanner conf it says: > >>>SpamAssassin Auto Whitelist = no > >>> > >>>I have NO idea what is going on here! Below is just an example of one > >>>that > >>>got through. 
> >>> > >>>This is everything from mail.log pertaining to the example message: > >>> > >>>Jul 22 09:11:08 mustang sendmail[385422]: h6MDB1OS385422: > >>>from=<7hd29nsrepo@springfieldrealty.com>, size=2700, class=0, nrcpts=17, > >>>msgid=, proto=SMTP, > >>>daemon=MTA, > >>>relay=_Crystal@c66.110.164-221.clta.globetrotter.net [66.110.164.221] > >>>Jul 22 09:11:12 mustang sendmail[387950]: h6MDB1OS385422: > >>> > > > > to=,,, > > >>>ne > >>> > > > > t>,,support,,, > > >>>pi > >>> > > > > mp@itech.net>,,,, > > >>>rr > >>> > > > > ier@itech.net>,,, > > > >>>,< > >>>bbani@itech.net>, delay=00:00:11, xdelay=00:00:01, mailer=local, > >>>pri=600558, > >>>dsn=2.0.0, stat=Sent > >>> > >>>This is the header of the email: > >>> > >>>X-Priority: 3 > >>>X-MSMail-Priority: Normal > >>>X-MailScanner-Information: Please contact the ISP for more information > >>>X-MailScanner: Found to be clean > >>>X-MailScanner-SpamCheck: not spam (whitelisted), SpamAssassin > > > > (score=8.2, > > > >>>required 5, BANG_GUARANTEE, CLICK_BELOW_CAPS, HTML_70_80, HTML_FONT_BIG, > >>>HTML_LINK_CLICK_CAPS, HTML_LINK_CLICK_HERE, HTML_MESSAGE, > > > > MIME_HTML_ONLY, > > > >>>MISSING_MIMEOLD, MISSING_OUTLOOK_NAME, OBFUSCATING_COMMENT, > >>>PENIS_ENLARGE2) > >>> > >>>Any help would be greatly appreciated. I am trying to stop little kids > >>>from > >>>getting bombarded with Penis Enlargement e-mails. Thanks in advance. > >>> > >>> > >>>Kris Zabriskie > >>>Network Admin / Consultant > >>>I-Tech Inc. > >>>zabriskw@itech.net > >>>717-657-3035 > >> > > > > > -------------- next part -------------- A non-text attachment was scrubbed... Name: MailScanner.conf Type: application/octet-stream Size: 43011 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030722/f5cb8328/MailScanner.obj -------------- next part -------------- A non-text attachment was scrubbed... 
Name: spam.whitelist.rules Type: application/octet-stream Size: 2248 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030722/f5cb8328/spam.whitelist.obj -------------- next part -------------- A non-text attachment was scrubbed... Name: mail.header Type: application/octet-stream Size: 1352 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030722/f5cb8328/mail.obj -------------- next part -------------- A non-text attachment was scrubbed... Name: mail.log Type: application/octet-stream Size: 737 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030722/f5cb8328/mail-0001.obj From dustin.baer at IHS.COM Tue Jul 22 18:51:27 2003 From: dustin.baer at IHS.COM (Dustin Baer) Date: Thu Jan 12 21:19:01 2006 Subject: Whitelisted References: <3963522F0E71474CB14C0FF54A6914F7011152C4@mail.gardenbotanika.com> <000501c35075$75e0d350$0c02a8c0@itech.dom> <3F1D7470.6040000@pacific.net> <000901c35078$8efbcc70$0c02a8c0@itech.dom> Message-ID: <3F1D799F.58B5B272@ihs.com> Kris Zabriskie wrote: > > Here is everything: > > Contents: > mail.log is the sendmail mail.log (ONLY information pertaining to the > message in question) > mail.header is the header of the e-mail > spam.whitelist.rules is exactly what it says > MailScanner.conf is exactly what it is =) Check this entry in spam.whitelist.rules: "To: blshu@itech.net yes # for her daily drool" Check this entry in the mail logs: to=...,... Hope you don't have to change products now. Dustin -- Dustin Baer Unix Administrator/Postmaster Information Handling Services 15 Inverness Way East Englewood, CO 80112 303-397-2836 From zabriskw at ITECH.NET Tue Jul 22 18:54:47 2003 
From: zabriskw at ITECH.NET (Kris Zabriskie) Date: Thu Jan 12 21:19:01 2006 Subject: Whitelisted References: <3963522F0E71474CB14C0FF54A6914F7011152C4@mail.gardenbotanika.com> <000501c35075$75e0d350$0c02a8c0@itech.dom> <3F1D7470.6040000@pacific.net> <000901c35078$8efbcc70$0c02a8c0@itech.dom> <3F1D799F.58B5B272@ihs.com> Message-ID: <001e01c3507a$576d02e0$0c02a8c0@itech.dom> Dustin, Maybe that is where my misunderstanding is. I thought, that would turn off spam filtering for that user only. Does that say anything addressed to that user and anyone else, will go through? ----- Original Message ----- From: "Dustin Baer" To: Sent: Tuesday, July 22, 2003 1:51 PM Subject: Re: Whitelisted > Kris Zabriskie wrote: > > > > Here is everything: > > > > Contents: > > mail.log is the sendmail mail.log (ONLY information pertaining to the > > message in question) > > mail.header is the header of the e-mail > > spam.whitelist.rules is exactly what it says > > MailScanner.conf is exactly what it is =) > > > Check this entry in spam.whitelist.rules: "To: > blshu@itech.net yes # for her daily drool" > > Check this entry in the mail logs: to=...,... > > Hope you don't have to change products now. > > Dustin > -- > Dustin Baer > Unix Administrator/Postmaster > Information Handling Services > 15 Inverness Way East > Englewood, CO 80112 > 303-397-2836 > From mbowman at UDCOM.COM Tue Jul 22 18:57:35 2003 
From: mbowman at UDCOM.COM (Matthew Bowman)
Date: Thu Jan 12 21:19:02 2006
Subject: Whitelisted
Message-ID:

Kris,

No.. That means that anything tagged as SPAM will not get tagged as SPAM
for that user and all e-mail (save for viruses) is delivered as normal.

If you want to disable spam scanning for a user, you need to use the
following option (see my example below)

# Do you want to check messages to see if they are spam?
# This can also be the filename of a ruleset.
Spam Checks = /etc/MailScanner/rules/spam.check.rules

FromOrTo: mbowman@udcom.com no

HTH
Matthew

Kris Zabriskie
Sent by: MailScanner mailing list
07/22/2003 01:54 PM
Please respond to MailScanner mailing list
To: MAILSCANNER@JISCMAIL.AC.UK
cc:
Subject: Re: Whitelisted

Dustin,
Maybe that is where my misunderstanding is. I thought, that would turn off
spam filtering for that user only. Does that say anything addressed to that
user and anyone else, will go through?

----- Original Message -----
From: "Dustin Baer"
To:
Sent: Tuesday, July 22, 2003 1:51 PM
Subject: Re: Whitelisted

> Kris Zabriskie wrote:
> >
> > Here is everything:
> >
> > Contents:
> > mail.log is the sendmail mail.log (ONLY information pertaining to the
> > message in question)
> > mail.header is the header of the e-mail
> > spam.whitelist.rules is exactly what it says
> > MailScanner.conf is exactly what it is =)
>
>
> Check this entry in spam.whitelist.rules: "To:
> blshu@itech.net yes # for her daily drool"
>
> Check this entry in the mail logs: to=...,...
>
> Hope you don't have to change products now.
>
> Dustin
> --
> Dustin Baer
> Unix Administrator/Postmaster
> Information Handling Services
> 15 Inverness Way East
> Englewood, CO 80112
> 303-397-2836
>

From dustin.baer at IHS.COM Tue Jul 22 19:00:52 2003
From: dustin.baer at IHS.COM (Dustin Baer)
Date: Thu Jan 12 21:19:02 2006
Subject: Whitelisted
References: <3963522F0E71474CB14C0FF54A6914F7011152C4@mail.gardenbotanika.com> <000501c35075$75e0d350$0c02a8c0@itech.dom> <3F1D7470.6040000@pacific.net> <000901c35078$8efbcc70$0c02a8c0@itech.dom> <3F1D799F.58B5B272@ihs.com> <001e01c3507a$576d02e0$0c02a8c0@itech.dom>
Message-ID: <3F1D7BD4.31F8CD58@ihs.com>

Kris Zabriskie wrote:
>
> Dustin,
> Maybe that is where my misunderstanding is. I thought, that would turn off
> spam filtering for that user only. Does that say anything addressed to that
> user and anyone else, will go through?

Hi Kris,

As far as I understand MailScanner's whitelisting, if one recipient is
in the whitelist, all recipients receive the message. I have run into
your situation also, and refuse to whitelist recipient names here, if I
see that they receive a high volume of spam. I don't want other people
getting spam, just because they want their name whitelisted.

I am sure someone will correct me, if I have mis-stated how MailScanner
operates its whitelist.

Good luck with your CEO!

Dustin

>
> ----- Original Message -----
> From: "Dustin Baer" > To: > Sent: Tuesday, July 22, 2003 1:51 PM > Subject: Re: Whitelisted > > > Kris Zabriskie wrote: > > > > > > Here is everything: > > > > > > Contents: > > > mail.log is the sendmail mail.log (ONLY information pertaining to the > > > message in question) > > > mail.header is the header of the e-mail > > > spam.whitelist.rules is exactly what it says > > > MailScanner.conf is exactly what it is =) > > > > > > Check this entry in spam.whitelist.rules: "To: > > blshu@itech.net yes # for her daily drool" > > > > Check this entry in the mail logs: to=...,... > > > > Hope you don't have to change products now. > > > > Dustin > > -- > > Dustin Baer > > Unix Administrator/Postmaster > > Information Handling Services > > 15 Inverness Way East > > Englewood, CO 80112 > > 303-397-2836 From ka at PACIFIC.NET Tue Jul 22 19:16:53 2003 
From: ka at PACIFIC.NET (Ken Anderson) Date: Thu Jan 12 21:19:02 2006 Subject: Whitelisted In-Reply-To: <3F1D7BD4.31F8CD58@ihs.com> References: <3963522F0E71474CB14C0FF54A6914F7011152C4@mail.gardenbotanika.com> <000501c35075$75e0d350$0c02a8c0@itech.dom> <3F1D7470.6040000@pacific.net> <000901c35078$8efbcc70$0c02a8c0@itech.dom> <3F1D799F.58B5B272@ihs.com> <001e01c3507a$576d02e0$0c02a8c0@itech.dom> <3F1D7BD4.31F8CD58@ihs.com> Message-ID: <3F1D7F95.20908@pacific.net> See the previous thread on "mailscanner only sees the envelope TO - solved" for a solution to this problem. Ken Dustin Baer wrote: > Kris Zabriskie wrote: > >>Dustin, >>Maybe that is where my misunderstanding is. I thought, that would turn off >>spam filtering for that user only. Does that say anything addressed to that >>user and anyone else, will go through? > > > Hi Kris, > > As far as I understand MailScanner's whitelisting, if one recipient is > in the whitelist, all recipients receive the message. I have run into > your situation also, and refuse to whitelist recipient names here, if I > see that they receive a high volume of spam. I don't want other people > getting spam, just because they want their name whitelisted. > > I am sure someone will correct me, if I have mis-stated how MailScanner > operates its whitelist. > > Good luck with your CEO! > > Dustin > > > > > >>----- Original Message ----- 
>>From: "Dustin Baer" >>To: >>Sent: Tuesday, July 22, 2003 1:51 PM >>Subject: Re: Whitelisted >> >> >>>Kris Zabriskie wrote: >>> >>>>Here is everything: >>>> >>>>Contents: >>>>mail.log is the sendmail mail.log (ONLY information pertaining to the >>>>message in question) >>>>mail.header is the header of the e-mail >>>>spam.whitelist.rules is exactly what it says >>>>MailScanner.conf is exactly what it is =) >>> >>> >>>Check this entry in spam.whitelist.rules: "To: >>>blshu@itech.net yes # for her daily drool" >>> >>>Check this entry in the mail logs: to=...,... >>> >>>Hope you don't have to change products now. >>> >>>Dustin >>>-- >>>Dustin Baer >>>Unix Administrator/Postmaster >>>Information Handling Services >>>15 Inverness Way East >>>Englewood, CO 80112 >>>303-397-2836 > > > From dustin.baer at IHS.COM Tue Jul 22 19:28:33 2003 From: dustin.baer at IHS.COM (Dustin Baer) Date: Thu Jan 12 21:19:02 2006 Subject: Whitelisted References: Message-ID: <3F1D8251.2D82251F@ihs.com> Matthew Bowman wrote: > > If you want to disable spam scanning for a user, you need to use the > following option (see my example below) > > # Do you want to check messages to see if they are spam? > # This can also be the filename of a ruleset. > Spam Checks = /etc/MailScanner/rules/spam.check.rules > > FromOrTo: mbowman@udcom.com no I just put the following entry in my SpamChecks.rules file: FromOrTo: devnull@ihs.com no And sent devnull@ihs.com and dustin.baer@ihs.com a spam filled email. I received the email and no spam checking was done. After taking the above entry out of SpamChecks.rules and resending the email, the message was properly quarantined. It seems to me that your example is acting the same way as whitelisting an email address. Did I misunderstand you? Dustin -- Dustin Baer Unix Administrator/Postmaster Information Handling Services 15 Inverness Way East Englewood, CO 80112 303-397-2836 From thomas_duvally at BROWN.EDU Tue Jul 22 19:35:22 2003 
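The side effect discussed in the "Whitelisted" thread above (a "To:" whitelist entry for one recipient exempting every recipient of the same message) can be checked for offline. The following is an added Python example, not part of any list message and not MailScanner's own code; it models only From:, To: and FromOrTo: rules with first-match-wins evaluation, which is an assumption, and the ruleset, addresses and message ids are constructed.

```python
"""Model of the recipient-whitelist side effect described in the thread.

Simplified on purpose: only From:, To: and FromOrTo: rules, address
patterns with '*' wildcards or 'default', first matching rule wins.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase

# Constructed ruleset in the "Direction: pattern value" layout quoted in the thread.
SAMPLE_RULES = """\
# constructed sample, not a real site's file
From:      *@partner.example    yes
To:        alice@example.org    yes   # one user asked for no filtering
FromOrTo:  default              no
"""

# Constructed envelopes: (message id, envelope sender, all envelope recipients).
SAMPLE_MESSAGES = [
    ("MSG-1", "bulk@sender.example",
     ["alice@example.org", "bob@example.org", "carol@example.org"]),
    ("MSG-2", "news@partner.example", ["bob@example.org"]),
    ("MSG-3", "bulk@sender.example", ["bob@example.org"]),
    ("MSG-4", "bulk@sender.example", ["alice@example.org"]),
]


@dataclass(frozen=True)
class Rule:
    lineno: int
    direction: str   # "from", "to" or "fromorto"
    pattern: str
    whitelist: bool  # True when the rule's value is "yes"


def parse_rules(text):
    """Parse ruleset text into Rule objects, skipping comments and blank lines."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 3:
            raise ValueError(f"line {lineno}: expected 'Direction: pattern value'")
        direction = parts[0].rstrip(":").lower()
        value = parts[2].lower()
        if direction not in ("from", "to", "fromorto") or value not in ("yes", "no"):
            raise ValueError(f"line {lineno}: unsupported rule {line!r}")
        rules.append(Rule(lineno, direction, parts[1].lower(), value == "yes"))
    return rules


def _matching(pattern, addresses):
    """Return the addresses that the pattern matches ('default' matches all)."""
    if pattern == "default":
        return list(addresses)
    return [a for a in addresses if fnmatchcase(a.lower(), pattern)]


def evaluate(rules, sender, recipients):
    """Return (rule, collateral) for the first matching rule, else (None, []).

    collateral lists recipients who matched no pattern themselves but inherit
    a "yes" verdict because the rule fired on another recipient of the message.
    """
    for rule in rules:
        sender_hit = rule.direction != "to" and _matching(rule.pattern, [sender])
        rcpt_hits = _matching(rule.pattern, recipients) if rule.direction != "from" else []
        if not (sender_hit or rcpt_hits):
            continue
        collateral = []
        if rule.whitelist and not sender_hit:
            collateral = [r for r in recipients if r not in rcpt_hits]
        return rule, collateral
    return None, []


def audit(rules, messages):
    """List (message id, rule line, collateral recipients) for affected messages."""
    findings = []
    for msg_id, sender, recipients in messages:
        rule, collateral = evaluate(rules, sender, recipients)
        if collateral:
            findings.append((msg_id, rule.lineno, collateral))
    return findings


def recipient_side_whitelists(rules):
    """Static check: "yes" rules that can fire on a single recipient address."""
    return [r for r in rules
            if r.whitelist and r.direction != "from" and r.pattern != "default"]


if __name__ == "__main__":
    parsed = parse_rules(SAMPLE_RULES)
    for msg_id, lineno, collateral in audit(parsed, SAMPLE_MESSAGES):
        print(f"{msg_id}: whitelisted by rule on line {lineno}; "
              f"also exempted: {', '.join(collateral)}")
```

Feeding it the recipient lists from the sendmail `to=` log entries for a message marked "not spam (whitelisted)" shows which rule line was responsible.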
From: thomas_duvally at BROWN.EDU (Thomas DuVally)
Date: Thu Jan 12 21:19:02 2006
Subject: Vexing problem
Message-ID: <1058898921.1282.38.camel@croithine>

I recently upgraded both SA (2.55) and MS (4-20.3). I am running it in
parallel to one of the older versions (2.43/4-10). I process about
70-100k per system per day. Each machine is otherwise identical and
getting the same number and types of messages (equally weighted MX).
Every day around peak time the upgraded system starts to get backed up.
The incoming queue goes from a normal 2-4 message count up to 1000+.
Restarting MS will begin clearing this out.

Question: Is there a possible memory issue with either MS or SA I should
be aware of? I've got it trimmed down pretty good with no bayes or RBLS
and only incoming messages content checked.

Specs:
Solaris 9
UltraSparc III+ 2 CPU
4G mem
Perl 5.8

If I can't figure this out I may have to downgrade.

--
Thomas J. DuVally
Lead Systems Prog.
CIS, Brown Univ.
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x15F233F6

From TGFurnish at HERFF-JONES.COM Tue Jul 22 19:37:06 2003
From: TGFurnish at HERFF-JONES.COM (Furnish, Trever G)
Date: Thu Jan 12 21:19:02 2006
Subject: moving the bayes files?
Message-ID: <8FFC76593085ED4A80D3601BC41EFCDF0C0306@inex1.herffjones.hj-int>

I suppose I'm taking a rather haphazard approach to learning mailscanner,
but I've recently realized spamassassin *may* be storing bayesian
filtering-related files under /root/.spamassassin on my system, which isn't
a good long-term situation for me, so I stopped mailscanner, uncommented
the following lines in /etc/MailScanner/spam.assassin.prefs.conf, and
restarted MailScanner:

auto_whitelist_path /var/spool/spamassassin/auto-whitelist
auto_whitelist_file_mode 0600
bayes_path /var/spool/spamassassin/bayes
bayes_file_mode 0600

That didn't seem to work (for moving the files) -- The
/var/spool/spamassassin directory did not get created and MailScanner died
quietly.

So...I ran the mailscanner init script with 'stop' as an arg, then did a
mkdir /var/spool/spamassassin, then restarted mailscanner. Now it doesn't
die, but it also doesn't create files under /var/spool/spamassassin.

What else do I need to do in order to get that working? I'm not even sure
the bayesian stuff was working to begin with.

In case it helps, here's the output of spamassassin -D --lint 2>&1 - any
suggestions would be appreciated.

debug: Score set 0 chosen.
debug: running in taint mode?
no
debug: ignore: using a test message to lint rules
debug: using "/usr/share/spamassassin" for default rules dir
debug: using "/etc/mail/spamassassin" for site rules dir
debug: using "/root/.spamassassin" for user state dir
debug: using "/root/.spamassassin/user_prefs" for user prefs file
debug: using "/root/.spamassassin" for user state dir
debug: bayes: 22042 tie-ing to DB file R/O /root/.spamassassin/bayes_toks
debug: bayes: 22042 tie-ing to DB file R/O /root/.spamassassin/bayes_seen
debug: debug: Only 5 spam(s) in Bayes DB < 200
debug: bayes: 22042 untie-ing
debug: bayes: 22042 untie-ing db_toks
debug: bayes: 22042 untie-ing db_seen
debug: Score set 1 chosen.
debug: Initialising learner
debug: using "/root/.spamassassin" for user state dir
debug: bayes: 22042 tie-ing to DB file R/O /root/.spamassassin/bayes_toks
debug: bayes: 22042 tie-ing to DB file R/O /root/.spamassassin/bayes_seen
debug: debug: Only 5 spam(s) in Bayes DB < 200
debug: bayes: 22042 untie-ing
debug: bayes: 22042 untie-ing db_toks
debug: bayes: 22042 untie-ing db_seen
debug: is Net::DNS::Resolver available? yes
debug: trying (3) amazon.com...
debug: looking up MX for 'amazon.com'
debug: MX for 'amazon.com' exists? 1
debug: MX lookup of amazon.com succeeded => Dns available (set dns_available to hardcode)
debug: is DNS available?
1 debug: running header regexp tests; score so far=0 debug: running body-text per-line regexp tests; score so far=1.9 debug: running raw-body-text per-line regexp tests; score so far=1.9 debug: running uri tests; score so far=1.9 debug: uri tests: Done uriRE debug: running full-text regexp tests; score so far=1.9 debug: Razor2 is not available debug: Current PATH is: /usr/kerberos/sbin:/usr/kerberos/bin:/usr/local/sbin:/us r/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/X11R6/bin:/root/bin debug: DCC is not available: dccproc not found debug: Pyzor is not available: pyzor not found debug: all '*To' addrs: debug: all '*From' addrs: ignore@compiling.spamassassin.taint.org debug: running meta tests; score so far=2.4 debug: is spam? score=2.4 required=5 tests=DATE_MISSING,MISSING_HEADERS,NO_REAL_ NAME debug: bayes: 22042 untie-ing From raymond at PROLOCATION.NET Tue Jul 22 19:46:05 2003 From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:19:02 2006 Subject: Vexing problem In-Reply-To: <1058898921.1282.38.camel@croithine> Message-ID: Hi! > Restarting MS will begin clearing this out. > > Question: Is there a possible memory issue with eith MS or SA I should > be aware of? I've got it trimmed down pretty good with no bayes or RBLS > and only incoming messages content checked. I have a simmilar thing without SA running. After a few days two of m yservers, both RH9 seem to slow down, sounds like a memmory leak somewhere. the strange thing is that on a less busy (identical) system all seems just fine. Bye, Raymond. From thomas_duvally at BROWN.EDU Tue Jul 22 20:09:05 2003 
From: thomas_duvally at BROWN.EDU (Thomas DuVally)
Date: Thu Jan 12 21:19:02 2006
Subject: Vexing problem
In-Reply-To:
References:
Message-ID: <1058900944.1278.44.camel@croithine>

On Tue, 2003-07-22 at 14:46, Raymond Dijkxhoorn wrote:
> I have a similar thing without SA running. After a few days two of my
> servers, both RH9 seem to slow down, sounds like a memory leak
> somewhere. the strange thing is that on a less busy (identical) system all
> seems just fine.

Yup, during the off-peak times (not 11am-3pm) everything is smooth (load is low, delay is small, queues are almost empty). At some point each weekday, some critical mass must be getting reached and blockage occurs. The older versions don't seem to care. Hmmmm....

--
Thomas J. DuVally
Lead Systems Prog.
CIS, Brown Univ.
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x15F233F6

From m.sapsed at BANGOR.AC.UK Tue Jul 22 21:11:29 2003
From: m.sapsed at BANGOR.AC.UK (Martin Sapsed)
Date: Thu Jan 12 21:19:02 2006
Subject: Whitelisted
References: <3963522F0E71474CB14C0FF54A6914F7011152C4@mail.gardenbotanika.com> <000501c35075$75e0d350$0c02a8c0@itech.dom> <3F1D7470.6040000@pacific.net> <000901c35078$8efbcc70$0c02a8c0@itech.dom> <3F1D799F.58B5B272@ihs.com> <001e01c3507a$576d02e0$0c02a8c0@itech.dom>
Message-ID: <3F1D9A71.4060509@bangor.ac.uk>

Kris et al,

Kris Zabriskie wrote:
> Maybe that is where my misunderstanding is. I thought, that would turn off
> spam filtering for that user only. Does that say anything addressed to that
> user and anyone else, will go through?

As other people have said, MailScanner treats each message in one way only, no matter how many recipients.

Can I ask what you're trying to achieve by whitelisting all those internal people? Wouldn't it be simpler to let MailScanner/SpamAssassin mark the messages as they see fit using subject alterations and then let the users choose what/how to filter using either the subject line or spam score header. People who don't want to see the spam can filter it, people who do leave it alone. I believe that would get you to where you want to be although via a slightly different route?

Cheers,

Martin

--
Martin Sapsed
Information Services               "Who do you say I am?"
University of Wales, Bangor             Jesus of Nazareth

From jase at SENSIS.COM Tue Jul 22 21:16:51 2003
From: jase at SENSIS.COM (Desai, Jason)
Date: Thu Jan 12 21:19:02 2006
Subject: ClamAV 0.60 problems - ProcessClamAVOutput: unrecognized line
Message-ID:

Hello. I just upgraded to MailScanner 4.22-5 and ClamAV to 0.60. I've noticed a few entries in my mail.log file such as:

Jul 21 15:06:47 hostname MailScanner[26628]: /var/spool/MailScanner/incoming/26628/./19efzB-0002a1-00/RS3 Rev 14.zip: Files number limit exceeded.
Jul 21 15:06:47 hostname MailScanner[26628]: ProcessClamAVOutput: unrecognised line "/var/spool/MailScanner/incoming/26628/./19efzB-0002a1-00/RS3 Rev 14.zip: Files number limit exceeded.". Please contact the authors!
Jul 21 15:06:47 hostname MailScanner[26628]: extracting: CODE/RDI-68K/Load/LoadAsm.bat
Jul 21 15:06:47 hostname MailScanner[26628]: ProcessClamAVOutput: unrecognised line " extracting: CODE/RDI-68K/Load/LoadAsm.bat ". Please contact the authors!
Jul 21 15:06:47 hostname MailScanner[26628]: extracting: CODE/RDI-68K/Main/MainCc.bat
Jul 21 15:06:47 hostname MailScanner[26628]: ProcessClamAVOutput: unrecognised line " extracting: CODE/RDI-68K/Main/MainCc.bat ". Please contact the authors!
Jul 21 15:06:47 hostname MailScanner[26628]: extracting: CODE/RDI-68K/Main/MainMap.bat
Jul 21 15:06:47 hostname MailScanner[26628]: ProcessClamAVOutput: unrecognised line " extracting: CODE/RDI-68K/Main/MainMap.bat ". Please contact the authors!
Jul 21 15:06:47 hostname MailScanner[26628]: extracting: CODE/RDI-68K/RDISTART/RdiAsm.bat
Jul 21 15:06:47 hostname MailScanner[26628]: ProcessClamAVOutput: unrecognised line " extracting: CODE/RDI-68K/RDISTART/RdiAsm.bat ". Please contact the authors!
Jul 21 15:06:48 hostname MailScanner[26628]: extracting: CODE/RStatusDecodeDLL/TestDriver/test.bcv
Jul 21 15:06:48 hostname MailScanner[26628]: ProcessClamAVOutput: unrecognised line " extracting: CODE/RStatusDecodeDLL/TestDriver/test.bcv ". Please contact the authors!
Jul 21 15:06:48 hostname MailScanner[26628]: extracting: CODE/SensorDataDLL/res/SensorDataDLL.rc2
Jul 21 15:06:48 hostname MailScanner[26628]: ProcessClamAVOutput: unrecognised line " extracting: CODE/SensorDataDLL/res/SensorDataDLL.rc2 ". Please contact the authors!

and

Jul 21 19:28:28 hostname MailScanner[25439]: /var/spool/MailScanner/incoming/25439/./19ek4w-0001fC-00/FAT_07_18.zip: File size limit exceeded.
Jul 21 19:28:28 hostname MailScanner[25439]: ProcessClamAVOutput: unrecognised line "/var/spool/MailScanner/incoming/25439/./19ek4w-0001fC-00/FAT_07_18.zip: File size limit exceeded.". Please contact the authors!

I am thinking that this has to do with the new version of ClamAV. I found some options for clamscan to disable some of these limits, and put them in clamav-wrapper. Specifically, I set

ScanOptions="--max-files=0 --max-space=0 --max-recursion=0"

Questions:

* Has anyone else come across this?
* Since MailScanner already has timeouts for virus scanning, would you think it is safe to run this way?
* If yes, should this be the default? (I'm not sure if versions < 0.60 support this - maybe put some comments in the clamav-wrapper script?)
* Is "unrecognised" British for "unrecognized" or is it just misspelled?

Thanks.

Jason

From mkettler at EVI-INC.COM Tue Jul 22 21:16:21 2003
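An added example, not MailScanner's own ProcessClamAVOutput code: one way a wrapper could handle the scanner output lines quoted in the post above, treating a limit-exceeded line as "not fully scanned" rather than as unrecognised noise or as clean. The function names, the verdict labels and the two constructed `OK`/`FOUND` sample lines are assumptions made for the illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Classify one line of scanner output.
# Returns (kind, file, detail); kind is noise, limit, infected, clean or unknown.
sub classify_line {
    my ($line) = @_;
    $line =~ s/\s+\z//;                                  # trailing blanks/newline
    return ('noise') if $line =~ /^\s*$/;
    return ('noise') if $line =~ /^\s*extracting:\s/;    # unpacker chatter
    # "<file>: Files number limit exceeded." / "<file>: File size limit exceeded."
    return ('limit', $1, $2)
        if $line =~ /^(.+): (Files? (?:number|size) limit exceeded)\.$/;
    return ('infected', $1, $2) if $line =~ /^(.+): (\S+) FOUND$/;
    return ('clean', $1)        if $line =~ /^(.+): OK$/;
    return ('unknown', undef, $line);
}

# Fold all lines for one message into a single verdict. Anything the scanner
# could not finish (limit hit) or that we cannot parse is NOT reported as clean.
sub verdict {
    my (@lines) = @_;
    my (%count, @reasons);
    for my $line (@lines) {
        my ($kind, $file, $detail) = classify_line($line);
        $count{$kind}++;
        push @reasons, "$kind ($detail)"
            if $kind =~ /^(?:limit|infected|unknown)$/;
    }
    my $result = $count{infected}                     ? 'infected'
               : ($count{limit} || $count{unknown})   ? 'unscanned'
               :                                        'clean';
    return ($result, @reasons);
}

# First batch: output lines taken from the log excerpt in the post.
# The other two batches are constructed samples.
my @batches = (
    [ 'RS3 Rev 14.zip (lines from the post)' => [
        '/var/spool/MailScanner/incoming/26628/./19efzB-0002a1-00/RS3 Rev 14.zip: Files number limit exceeded.',
        ' extracting: CODE/RDI-68K/Load/LoadAsm.bat ',
        ' extracting: CODE/RDI-68K/Main/MainCc.bat ',
    ] ],
    [ 'constructed: clean message'    => [ './msgid/body.txt: OK' ] ],
    [ 'constructed: infected message' => [ './msgid/sample.exe: Example.Signature FOUND' ] ],
);

for my $batch (@batches) {
    my ($name, $lines) = @$batch;
    my ($result, @reasons) = verdict(@$lines);
    print "$name => $result\n";
    print "    $_\n" for @reasons;
}
```

Handling the limit lines explicitly lets clamscan's archive limits stay in place, which is the alternative to setting them to 0 as in the post.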
From: mkettler at EVI-INC.COM (Matt Kettler)
Date: Thu Jan 12 21:19:02 2006
Subject: Whitelisted
In-Reply-To: <3F1D7BD4.31F8CD58@ihs.com>
References: <3963522F0E71474CB14C0FF54A6914F7011152C4@mail.gardenbotanika.com> <000501c35075$75e0d350$0c02a8c0@itech.dom> <3F1D7470.6040000@pacific.net> <000901c35078$8efbcc70$0c02a8c0@itech.dom> <3F1D799F.58B5B272@ihs.com> <001e01c3507a$576d02e0$0c02a8c0@itech.dom>
Message-ID: <5.2.1.1.0.20030722153627.01471d00@xanadu.evi-inc.com>

At 12:00 PM 7/22/2003 -0600, Dustin Baer wrote:
> > Dustin,
> > Maybe that is where my misunderstanding is. I thought, that would turn off
> > spam filtering for that user only. Does that say anything addressed to that
> > user and anyone else, will go through?
>
>Hi Kris,
>
>As far as I understand MailScanner's whitelisting, if one recipient is
>in the whitelist, all recipients receive the message. I have run into
>your situation also, and refuse to whitelist recipient names here, if I
>see that they receive a high volume of spam. I don't want other people
>getting spam, just because they want their name whitelisted.
>
>I am sure someone will correct me, if I have mis-stated how MailScanner
>operates its whitelist.

That is correct. And this "problem" is a fundamental limit of running at the MTA layer. It's not a bug, or a mistake, it's a design tradeoff between flexibility and efficiency.

Mailscanner runs at the MTA layer, not the MDA layer, so there is not one copy of the message per user when MS sees it.. there's just one message with many recipients. Thus MailScanner can only whitelist that one message, or not whitelist it. There is no such thing as "well, later when you go to deliver this, give these guys this copy, and that guy this other version". It's one message, and they'll all get the same message, all MailScanner can do is edit it.

Running at the MTA layer is much more efficient, because you only scan the message once, but it inherently has limits on "per user" customization. The MTA layer is the ideal spot to do virus scanning, because you rarely want user-specific behaviors for virus scanning. However doing spam scanning at the MTA layer is somewhat limiting if you've got users that need "exceptions".

Personally I deal with it by creating custom SpamAssassin rules instead of whitelists. This gives me the ability to target specific kinds of messages, rather than specific sources or destinations. If I have to do a whitelist, I try to make it a "fromto" type whitelist where it winds up narrowly defined. I never use To: type whitelists, and I avoid simple From: whitelists as well.

From dwinkler at ALGORITHMICS.COM Tue Jul 22 21:19:43 2003
From: dwinkler at ALGORITHMICS.COM (Derek Winkler)
Date: Thu Jan 12 21:19:02 2006
Subject: Whitelisted
Message-ID: <06EE2C86D3DAD5119A6C0060943F3C97055E70A2@tormail1.algorithmics.com>

See earlier thread on splitting messages with multiple recipients into messages with one recipient each as a workaround.

-----Original Message-----
From: Matt Kettler [mailto:mkettler@EVI-INC.COM]
Sent: Tuesday, July 22, 2003 4:16 PM
To: MAILSCANNER@jiscmail.ac.uk
Subject: Re: Whitelisted

At 12:00 PM 7/22/2003 -0600, Dustin Baer wrote:
> > Dustin,
> > Maybe that is where my misunderstanding is. I thought, that would turn off
> > spam filtering for that user only. Does that say anything addressed to that
> > user and anyone else, will go through?
>
>Hi Kris,
>
>As far as I understand MailScanner's whitelisting, if one recipient is
>in the whitelist, all recipients receive the message. I have run into
>your situation also, and refuse to whitelist recipient names here, if I
>see that they receive a high volume of spam. I don't want other people
>getting spam, just because they want their name whitelisted.
>
>I am sure someone will correct me, if I have mis-stated how MailScanner
>operates its whitelist.

That is correct. And this "problem" is a fundamental limit of running at the MTA layer. It's not a bug, or a mistake, it's a design tradeoff between flexibility and efficiency.

Mailscanner runs at the MTA layer, not the MDA layer, so there is not one copy of the message per user when MS sees it.. there's just one message with many recipients. Thus MailScanner can only whitelist that one message, or not whitelist it. There is no such thing as "well, later when you go to deliver this, give these guys this copy, and that guy this other version". It's one message, and they'll all get the same message, all MailScanner can do is edit it.

Running at the MTA layer is much more efficient, because you only scan the message once, but it inherently has limits on "per user" customization. The MTA layer is the ideal spot to do virus scanning, because you rarely want user-specific behaviors for virus scanning. However doing spam scanning at the MTA layer is somewhat limiting if you've got users that need "exceptions".

Personally I deal with it by creating custom SpamAssassin rules instead of whitelists. This gives me the ability to target specific kinds of messages, rather than specific sources or destinations. If I have to do a whitelist, I try to make it a "fromto" type whitelist where it winds up narrowly defined. I never use To: type whitelists, and I avoid simple From: whitelists as well.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030722/e7a79321/attachment.html

From Steve at swaney.com Tue Jul 22 21:38:09 2003
From: Steve at swaney.com (Stephen Swaney)
Date: Thu Jan 12 21:19:02 2006
Subject: Whitelisted
In-Reply-To: <06EE2C86D3DAD5119A6C0060943F3C97055E70A2@tormail1.algorithmics.com>
References: <06EE2C86D3DAD5119A6C0060943F3C97055E70A2@tormail1.algorithmics.com>
Message-ID: <1058906289.29144.14.camel@speedy>

Actually I placed Ken A, Pacific.Net's excellent solution for this in the MailScanner FAQ.

http://www.sng.ecs.soton.ac.uk/mailscanner/serve/cache/169.html

How easy can it get.

Steve

Steve Swaney
steve@swaney.com

On Tue, 2003-07-22 at 16:19, Derek Winkler wrote:
> See earlier thread on splitting messages with multiple recipients into
> messages with one recipient each as a workaround.
>
> -----Original Message-----
> From: Matt Kettler [mailto:mkettler@EVI-INC.COM]
> Sent: Tuesday, July 22, 2003 4:16 PM
> To: MAILSCANNER@jiscmail.ac.uk
> Subject: Re: Whitelisted
>
>
> At 12:00 PM 7/22/2003 -0600, Dustin Baer wrote:
> > > Dustin,
> > > Maybe that is where my misunderstanding is. I thought, that would turn off
> > > spam filtering for that user only. Does that say anything addressed to that
> > > user and anyone else, will go through?
> >
> >Hi Kris,
> >
> >As far as I understand MailScanner's whitelisting, if one recipient is
> >in the whitelist, all recipients receive the message. I have run into
> >your situation also, and refuse to whitelist recipient names here, if I
> >see that they receive a high volume of spam. I don't want other people
> >getting spam, just because they want their name whitelisted.
> >
> >I am sure someone will correct me, if I have mis-stated how MailScanner
> >operates its whitelist.
>
> That is correct. And this "problem" is a fundamental limit of running at
> the MTA layer. It's not a bug, or a mistake, it's a design tradeoff between
> flexibility and efficiency.
>
> Mailscanner runs at the MTA layer, not the MDA layer, so there is not one
> copy of the message per user when MS sees it.. there's just one message
> with many recipients. Thus MailScanner can only whitelist that one message,
> or not whitelist it. There is no such thing as "well, later when you go to
> deliver this, give these guys this copy, and that guy this other version".
> It's one message, and they'll all get the same message, all MailScanner can
> do is edit it.
>
> Running at the MTA layer is much more efficient, because you only scan the
> message once, but it inherently has limits on "per user" customization. The
> MTA layer is the ideal spot to do virus scanning, because you rarely want
> user-specific behaviors for virus scanning. However doing spam scanning at
> the MTA layer is somewhat limiting if you've got users that need
> "exceptions".
>
> Personally I deal with it by creating custom SpamAssassin rules instead of
> whitelists. This gives me the ability to target specific kinds of messages,
> rather than specific sources or destinations. If I have to do a whitelist,
> I try to make it a "fromto" type whitelist where it winds up narrowly
> defined. I never use To: type whitelists, and I avoid simple From:
> whitelists as well.
>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030722/05c8b0ec/attachment.html

From miguelk at KONSULTEX.COM.BR Tue Jul 22 21:46:56 2003
From: miguelk at KONSULTEX.COM.BR (Miguel Koren O'Brien de Lacy)
Date: Thu Jan 12 21:19:02 2006
Subject: ClamAV 0.60 problems - ProcessClamAVOutput: unrecognized line
References:
Message-ID: <3F1DA2C0.4090904@konsultex.com.br>

Jason;

I have these versions on 2 servers (RH7.3) with the default values and it works fine for me.

Miguel

Desai, Jason wrote:

>Hello. I just upgraded to MailScanner 4.22-5 and ClamAV to 0.60. I've
>noticed a few entries in my mail.log file such as:
>
>Jul 21 15:06:47 hostname MailScanner[26628]:
>/var/spool/MailScanner/incoming/26628/./19efzB-0002a1-00/RS3 Rev 14.zip:
>Files number limit exceeded.
>Jul 21 15:06:47 hostname MailScanner[26628]: ProcessClamAVOutput:
>unrecognised line
>"/var/spool/MailScanner/incoming/26628/./19efzB-0002a1-00/RS3 Rev 14.zip:
>Files number limit exceeded.". Please contact the authors!
>Jul 21 15:06:47 hostname MailScanner[26628]: extracting:
>CODE/RDI-68K/Load/LoadAsm.bat
>Jul 21 15:06:47 hostname MailScanner[26628]: ProcessClamAVOutput:
>unrecognised line " extracting: CODE/RDI-68K/Load/LoadAsm.bat ". Please
>contact the authors!
>Jul 21 15:06:47 hostname MailScanner[26628]: extracting:
>CODE/RDI-68K/Main/MainCc.bat
>Jul 21 15:06:47 hostname MailScanner[26628]: ProcessClamAVOutput:
>unrecognised line " extracting: CODE/RDI-68K/Main/MainCc.bat ". Please
>contact the authors!
>Jul 21 15:06:47 hostname MailScanner[26628]: extracting:
>CODE/RDI-68K/Main/MainMap.bat
>Jul 21 15:06:47 hostname MailScanner[26628]: ProcessClamAVOutput:
>unrecognised line " extracting: CODE/RDI-68K/Main/MainMap.bat ". Please
>contact the authors!
>Jul 21 15:06:47 hostname MailScanner[26628]: extracting:
>CODE/RDI-68K/RDISTART/RdiAsm.bat
>Jul 21 15:06:47 hostname MailScanner[26628]: ProcessClamAVOutput:
>unrecognised line " extracting: CODE/RDI-68K/RDISTART/RdiAsm.bat ". Please
>contact the authors!
>Jul 21 15:06:48 hostname MailScanner[26628]: extracting:
>CODE/RStatusDecodeDLL/TestDriver/test.bcv
>Jul 21 15:06:48 hostname MailScanner[26628]: ProcessClamAVOutput:
>unrecognised line " extracting: CODE/RStatusDecodeDLL/TestDriver/test.bcv ".
>Please contact the authors!
>Jul 21 15:06:48 hostname MailScanner[26628]: extracting:
>CODE/SensorDataDLL/res/SensorDataDLL.rc2
>Jul 21 15:06:48 hostname MailScanner[26628]: ProcessClamAVOutput:
>unrecognised line " extracting: CODE/SensorDataDLL/res/SensorDataDLL.rc2 ".
>Please contact the authors!
>
>and
>
>Jul 21 19:28:28 hostname MailScanner[25439]:
>/var/spool/MailScanner/incoming/25439/./19ek4w-0001fC-00/FAT_07_18.zip: File
>size limit exceeded.
>Jul 21 19:28:28 hostname MailScanner[25439]: ProcessClamAVOutput:
>unrecognised line
>"/var/spool/MailScanner/incoming/25439/./19ek4w-0001fC-00/FAT_07_18.zip:
>File size limit exceeded.". Please contact the authors!
>
>I am thinking that this has to do with the new version of ClamAV. I found
>some options for clamscan to disable some of these limits, and put them in
>clamav-wrapper. Specifically, I set
>
>ScanOptions="--max-files=0 --max-space=0 --max-recursion=0"
>
>Questions:
>
>* Has anyone else come across this?
>* Since MailScanner already has timeouts for virus scanning, would you
>think it is safe to run this way?
>* If yes, should this be the default? (I'm not sure if versions < 0.60
>support this - maybe put some comments in the clamav-wrapper script?)
>* Is "unrecognised" British for "unrecognized" or is it just misspelled?
>
>Thanks.
>
>Jason
>
>

From vboulytchev at COINFOTECH.COM Tue Jul 22 21:58:18 2003
From: vboulytchev at COINFOTECH.COM (Boulytchev, Vasiliy)
Date: Thu Jan 12 21:19:02 2006
Subject: CommuniGate Pro - MailScanner update
Message-ID: <1958DE295D9656499ECAAD3642822DE0033FCF@willow.office.coinfotech.com>

John,

We greatly appreciate your prompt updates. As my testing goes, I will keep you posted.

THANKS!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

Vasiliy Boulytchev
Colorado Information Technologies Inc.
(719) 473-2800 x15

-----Original Message-----
From: John Rudd [mailto:jrudd@UCSC.EDU]
Sent: Monday, July 21, 2003 4:37 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: CommuniGate Pro - MailScanner update

I have made an update to my scripts for using MailScanner with CommuniGate Pro. I have also updated the text of the CommuniGate Pro rule instructions (the Execute rule no longer needs the [RETPATH] nor [RCPT] options).

This should change the problem some people noticed with ".bad" files showing up in the CommuniGate Pro Queue directory, due to "RPFD:" being prepended to sender's addresses. This shouldn't happen any more.

You can get the new scripts and information from:

http://people.ucsc.edu/~jrudd/MailScanner

If you have any questions, or notice any new bugs, please let me know.

(And be sure to edit your path to perl in the first line of each script; it changed in the downloads because my testing platform changed from Solaris to Linux)

John Rudd

(ps: one person has mentioned that they see some messages being cross delivered, but I haven't had anyone else mention this problem to me, nor have I seen it on my own servers; if you do see such a behavior, please let me know right away, and try to give me plenty of context information)

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030722/a2545451/attachment.html

From Denis.Beauchemin at USHERBROOKE.CA Tue Jul 22 21:32:58 2003
From: Denis.Beauchemin at USHERBROOKE.CA (Denis Beauchemin)
Date: Thu Jan 12 21:19:02 2006
Subject: How to setup a tmpfs on a RH system
Message-ID: <1058905978.3137.37.camel@dbeauchemin.sti.usherbrooke.ca>

Hi,

I would like to experiment with a tmpfs and MS but am at a loss as to how to create one on a RH 7.3 system.

I searched my man pages and this list's archives to no avail.

Also which directories should I put on it for best performance and reliability?

Thanks again!

Denis
--
Denis Beauchemin, analyste
Université de Sherbrooke, S.T.I.
T: 819.821.8000x2252 F: 819.821.8045

From jrudd at UCSC.EDU Tue Jul 22 22:02:03 2003
From: jrudd at UCSC.EDU (John Rudd)
Date: Thu Jan 12 21:19:02 2006
Subject: PIPE module, mailscanner and cgp2ms/ms2cgp
In-Reply-To:
Message-ID:

(Mailscanner list: There was another bug reported in the CGP<->MailScanner scripts, and I've tracked it down and released a new version today)

I found the problem. It wasn't what I expected it to be (what I described earlier). I'm putting up a second update.

(the problem was this: I had written ms2cgp to accept multiple sendmail jobs at once, as it should, but had not cleared/reset all of the variables in the loop (specifically, the one I had not reset was $rcpt; not sure how that one escaped me), but the bug hadn't shown up because none of my test servers is being used heavily enough to have multiple jobs come through in one pass (and we won't be going to production with CGP until September); I'm guessing no one else is having a heavy enough load to see it, either, because so far you're the only person to report it)

(by the way, thank you for your patience, and for helping me track it down)

The web page has the fixed version of the script now.

For the individual script: http://people.ucsc.edu/~jrudd/MailScanner/ms2cgp

Or, if you just want the actual fix: In the ms2cgp script I released yesterday, lines 46 and 47 are:

> $msg = "/tmp/ms2cgp.$$.msg"; # the tempfile we'll give to CGP
>

Change them to this (which will now be lines 46-48, because you're inserting a new line between the above two lines):

> $msg = "/tmp/ms2cgp.$$.msg"; # the tempfile we'll give to CGP
> $rcpt = "";
>

The whole site: http://people.ucsc.edu/~jrudd/MailScanner

If anyone sees any new bugs, please let me know, and I'll get right on them.

John

On Tuesday, Jul 22, 2003, at 12:58 US/Pacific, NTIN Page Guy wrote:

>
> Hello John,
>
> We are running Redhat Linux 8.1
>
> This doesn't happen for every message. I have noticed the messages
> that it does occur on appear to have been delivered at the exact same
> time, down to the second.
>
> Tuesday, July 22, 2003, you wrote:
>
>
>
> JR> What platform are you using?
>
> JR> The mesg id comes from the process ID of the cgp2ms script that was
> JR> invoked for that message. I could make it longer, to encode a time
> JR> string, but it really shouldn't be rolling over in a time frame that
> JR> would matter. This makes me wonder what's happening that gives you the
> JR> same process ID every time cgp2ms gets run.
>
>
> JR> On Tuesday, Jul 22, 2003, at 10:45 US/Pacific, NTIN Page Guy wrote:
>
>>>
>>> Hello John,
>>>
>>> Now, I have a new problem. I've sent you an email about this, I hope
>>> you don't mind.
>>>
>>> People are getting other people's emails, For example
>>>
>>> Let's say the server receives an email to test1
>>>
>>> It executes sendmail
>>>
>>> /opt/CommuniGate/sendmail -i test1@mydomain.com < /tmp/ms2cgp.5741.msg
>>>
>>> then quickly thereafter it gets a message for test2
>>>
>>> it then executes sendmail like this
>>>
>>> /opt/CommuniGate/sendmail -i test1@mydomain.com test2@mydomain.com < /tmp/ms2cgp.5741.msg
>>>
>>> then quickly thereafter it gets a message for test3
>>>
>>> /opt/CommuniGate/sendmail -i test1@mydomain.com test2@mydomain.com test3@mydomain.com < /tmp/ms2cgp.5741.msg
>>>
>>>
>>> I don't know why it's doing this other than to speculate that whatever is
>>> passing the id number to ms2cgp is giving it the same id number it did
>>> last message, rather than changing.
>>>
>>> Tuesday, July 22, 2003, you wrote:
>>>
>>>
>>>
>>> JR> Are you still having this problem after my update yesterday?
>>>
>>> JR> I posted the message to both this list and to the mailscanner list
>>> JR> yesterday afternoon.
>>>
>>>
>>> JR> On Tuesday, Jul 22, 2003, at 08:39 US/Pacific, NTIN Page Guy wrote:
>>>
>>>>>
>>>>> Hello CGatePro,
>>>>>
>>>>> PIPE module, mailscanner and cgp2ms/ms2cgp
>>>>>
>>>>> I'm having a rather unusual problem with the above working together.
>>>>>
>>>>> Here is the problem as I understand it.
>>>>>
>>>>> Using ms2cgp as it came, it uses the legacy sendmail support to PIPE
>>>>> the messages back into Communigate, sendmail adds the following line
>>>>> which makes the message undeliverable
>>>>>
>>>>>> Envelope-To: RPFD:rbaldwin@ntin.net
>>>>>
>>>>> Communigate responds that the message has no valid to field, and
>>>>> renames the file to with a .bad extension.
>>>>>
>>>>>
>>>>> Best regards,
>>>>> Robert B, NTIN mailto:pages@ntin.net
>>>>>
>>>>>
>>>>> #############################################################
>>>>> This message is sent to you because you are subscribed to
>>>>> the mailing list .
>>>>> To unsubscribe, E-mail to:
>>>>> To switch to the DIGEST mode, E-mail to
>>>>>
>>>>> To switch to the INDEX mode, E-mail to
>>>>>
>>>>> Send administrative queries to
>>>
>>>
>>> Best regards,
>>> Robert B, NTIN mailto:pages@ntin.net
>
>
> Best regards,
> Robert B, NTIN mailto:pages@ntin.net

From mailscanner at LISTS.COM.AR Tue Jul 22 22:03:27 2003
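An added example, not the ms2cgp script itself: a minimal reconstruction of the bug John Rudd describes in the message above, where `$rcpt` is not reset between jobs handled in one pass, so each later job inherits the earlier recipients and mail is cross-delivered. Only the `$msg` and `$rcpt = "";` lines and the sendmail command shape come from the thread; the loop, the job list and the helper names are assumptions, and the commands are built as strings, not executed.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample: three jobs arriving in one pass, one recipient each,
# mirroring the test1/test2/test3 report in the thread.
my @jobs = (
    { rcpts => ['test1@mydomain.com'] },
    { rcpts => ['test2@mydomain.com'] },
    { rcpts => ['test3@mydomain.com'] },
);

# Build the sendmail command line for every job in the pass.
# $reset_per_job = 0 reproduces the reported behaviour,
# $reset_per_job = 1 applies the one-line fix from the post.
sub build_commands {
    my ($reset_per_job, @jobs) = @_;
    my ($msg, @commands);
    my $rcpt = "";
    for my $job (@jobs) {
        $msg  = "/tmp/ms2cgp.$$.msg";    # the tempfile we'll give to CGP
        $rcpt = "" if $reset_per_job;    # the fix: clear state for each job
        $rcpt .= " $_" for @{ $job->{rcpts} };
        push @commands, {
            job  => $job,
            rcpt => $rcpt,
            cmd  => "/opt/CommuniGate/sendmail -i$rcpt < $msg",
        };
    }
    return @commands;
}

# Recipients on the command line that the job never asked for.
sub leaked_recipients {
    my ($entry) = @_;
    my %intended = map { $_ => 1 } @{ $entry->{job}{rcpts} };
    return grep { !$intended{$_} } split ' ', $entry->{rcpt};
}

for my $reset (0, 1) {
    print $reset ? "with \$rcpt reset per job:\n"
                 : "without reset (behaviour reported in the thread):\n";
    for my $entry (build_commands($reset, @jobs)) {
        my @leak = leaked_recipients($entry);
        print "  $entry->{cmd}\n";
        print "    -> also delivered to: @leak\n" if @leak;
    }
}
```

A check like `leaked_recipients` run against a multi-job batch is the regression test that the low-load test servers described in the post never exercised.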
From: mailscanner at LISTS.COM.AR (Mariano Absatz) Date: Thu Jan 12 21:19:02 2006 Subject: ClamAV 0.60 problems - ProcessClamAVOutput: unrecognized line In-Reply-To: <3F1DA2C0.4090904@konsultex.com.br> Message-ID: <3F1D7C6F.16598.2AD2C3D4@localhost> I don't use CLAM-AV, but IIRC, it uses the external unzip utility for .zip files and maybe you two are using different versions (and they yeld different output)... what does rpm -q unzip yeld? If the output changed, I guess you'll have to wait for Julian to return... unless someone is able to come up with a patch before... El 22 Jul 2003 a las 17:46, Miguel Koren O'Brien de Lacy escribi?: > Jason; > > I have these versions on 2 servers (RH7.3) with the default values and > it works fine form me. > > Miguel > > Desai, Jason wrote: > > >Hello. I just upgraded to MailScanner 4.22-5 and ClamAV to 0.60. I've > >noticed a few entries in my mail.log file such as: > > > >Jul 21 15:06:47 hostname MailScanner[26628]: > >/var/spool/MailScanner/incoming/26628/./19efzB-0002a1-00/RS3 Rev 14.zip: > >Files number limit exceeded. > >Jul 21 15:06:47 hostname MailScanner[26628]: ProcessClamAVOutput: > >unrecognised line > >"/var/spool/MailScanner/incoming/26628/./19efzB-0002a1-00/RS3 Rev 14.zip: > >Files number limit exceeded.". Please contact the authors! > >Jul 21 15:06:47 hostname MailScanner[26628]: extracting: > >CODE/RDI-68K/Load/LoadAsm.bat > >Jul 21 15:06:47 hostname MailScanner[26628]: ProcessClamAVOutput: > >unrecognised line " extracting: CODE/RDI-68K/Load/LoadAsm.bat ". Please > >contact the authors! > >Jul 21 15:06:47 hostname MailScanner[26628]: extracting: > >CODE/RDI-68K/Main/MainCc.bat > >Jul 21 15:06:47 hostname MailScanner[26628]: ProcessClamAVOutput: > >unrecognised line " extracting: CODE/RDI-68K/Main/MainCc.bat ". Please > >contact the authors! 
> >Jul 21 15:06:47 hostname MailScanner[26628]: extracting: > >CODE/RDI-68K/Main/MainMap.bat > >Jul 21 15:06:47 hostname MailScanner[26628]: ProcessClamAVOutput: > >unrecognised line " extracting: CODE/RDI-68K/Main/MainMap.bat ". Please > >contact the authors! > >Jul 21 15:06:47 hostname MailScanner[26628]: extracting: > >CODE/RDI-68K/RDISTART/RdiAsm.bat > >Jul 21 15:06:47 hostname MailScanner[26628]: ProcessClamAVOutput: > >unrecognised line " extracting: CODE/RDI-68K/RDISTART/RdiAsm.bat ". Please > >contact the authors! > >Jul 21 15:06:48 hostname MailScanner[26628]: extracting: > >CODE/RStatusDecodeDLL/TestDriver/test.bcv > >Jul 21 15:06:48 hostname MailScanner[26628]: ProcessClamAVOutput: > >unrecognised line " extracting: CODE/RStatusDecodeDLL/TestDriver/test.bcv ". > >Please contact the authors! > >Jul 21 15:06:48 hostname MailScanner[26628]: extracting: > >CODE/SensorDataDLL/res/SensorDataDLL.rc2 > >Jul 21 15:06:48 hostname MailScanner[26628]: ProcessClamAVOutput: > >unrecognised line " extracting: CODE/SensorDataDLL/res/SensorDataDLL.rc2 ". > >Please contact the authors! > > > >and > > > >Jul 21 19:28:28 hostname MailScanner[25439]: > >/var/spool/MailScanner/incoming/25439/./19ek4w-0001fC-00/FAT_07_18.zip: File > >size limit exceeded. > >Jul 21 19:28:28 hostname MailScanner[25439]: ProcessClamAVOutput: > >unrecognised line > >"/var/spool/MailScanner/incoming/25439/./19ek4w-0001fC-00/FAT_07_18.zip: > >File size limit exceeded.". Please contact the authors! > > > >I am thinking that this has to do with the new version of ClamAV. I found > >some options for clamscan to disable some of these limits, and put them in > >clamav-wrapper. Specifically, I set > > > >ScanOptions="--max-files=0 --max-space=0 --max-recursion=0" > > > >Questions: > > > >* Has anyone else come across this? > >* Since MailScanner already has timeouts for virus scanning, would you > >think it is safe to run this way? > >* If yes, should this be the default? 
(I'm not sure if versions < 0.60
> >support this - maybe put some comments in the clamav-wrapper script?)
> >* Is "unrecognised" British for "unrecognized" or is it just misspelled?
> >
> >Thanks.
> >
> >Jason
> >

--
Mariano Absatz
El Baby
----------------------------------------------------------
The best cure for insomnia is to get a lot of sleep.
  -- W.C. Fields

From raymond at PROLOCATION.NET Tue Jul 22 22:04:37 2003
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:19:02 2006
Subject: How to setup a tmpfs on a RH system
In-Reply-To: <1058905978.3137.37.camel@dbeauchemin.sti.usherbrooke.ca>
Message-ID:

Hi!

> I would like to experiment with a tmpfs and MS but am at a loss as to
> how to create one on a RH 7.3 system.
>
> I searched my man pages and this list's archives to no avail.
>
> Also which directories should I put on it for best performance and
> reliability?

If you use it 'default' it will take half of your available ram. You can
tune this by adding a size statement in your fstab.

Like this:

none /var/spool/MailScanner/incoming/ tmpfs size=512m 0 0

Bye,
Raymond.

From jase at SENSIS.COM Tue Jul 22 22:31:04 2003
From: jase at SENSIS.COM (Desai, Jason)
Date: Thu Jan 12 21:19:02 2006
Subject: ClamAV 0.60 problems - ProcessClamAVOutput: unrecognized line
Message-ID:

Thanks for the response. I'm running Debian. Unzip version 5.50-1woody1.
But I'm pretty sure this is a ClamAV issue, since the man page talks about
the options I put in clamav-wrapper. And since those changes, I've not seen
the error any more.

I also saved out the offending file and ran clamav-wrapper on it both with
and without my ScanOptions. Without them, I get the output that MailScanner
does not recognize. And I think that it does not completely scan the file.
With them, it scans the file fine.

Jason

>
> I don't use CLAM-AV, but IIRC, it uses the external unzip
> utility for .zip
> files and maybe you two are using different versions (and
> they yield different
> output)...
>
> what does
> rpm -q unzip
> yield?
>
> If the output changed, I guess you'll have to wait for Julian
> to return...
> unless someone is able to come up with a patch before...
>
> On 22 Jul 2003 at 17:46, Miguel Koren O'Brien de Lacy wrote:
>
> > Jason;
> >
> > I have these versions on 2 servers (RH7.3) with the default
> values and
> > it works fine for me.
> >
> > Miguel
> >
> > Desai, Jason wrote:
> >
> > >Hello. I just upgraded to MailScanner 4.22-5 and ClamAV
> to 0.60. I've
> > >noticed a few entries in my mail.log file such as:
> > >
> > >Jul 21 15:06:47 hostname MailScanner[26628]:
> >
> >/var/spool/MailScanner/incoming/26628/./19efzB-0002a1-00/RS3
> Rev 14.zip:
> > >Files number limit exceeded.
> > >Jul 21 15:06:47 hostname MailScanner[26628]: ProcessClamAVOutput:
> > >unrecognised line
> >
> >"/var/spool/MailScanner/incoming/26628/./19efzB-0002a1-00/RS3
> Rev 14.zip:
> > >Files number limit exceeded.". Please contact the authors!
> > >Jul 21 15:06:47 hostname MailScanner[26628]: extracting: > > >CODE/RDI-68K/Load/LoadAsm.bat > > >Jul 21 15:06:47 hostname MailScanner[26628]: ProcessClamAVOutput: > > >unrecognised line " extracting: > CODE/RDI-68K/Load/LoadAsm.bat ". Please > > >contact the authors! > > >Jul 21 15:06:47 hostname MailScanner[26628]: extracting: > > >CODE/RDI-68K/Main/MainCc.bat > > >Jul 21 15:06:47 hostname MailScanner[26628]: ProcessClamAVOutput: > > >unrecognised line " extracting: > CODE/RDI-68K/Main/MainCc.bat ". Please > > >contact the authors! > > >Jul 21 15:06:47 hostname MailScanner[26628]: extracting: > > >CODE/RDI-68K/Main/MainMap.bat > > >Jul 21 15:06:47 hostname MailScanner[26628]: ProcessClamAVOutput: > > >unrecognised line " extracting: > CODE/RDI-68K/Main/MainMap.bat ". Please > > >contact the authors! > > >Jul 21 15:06:47 hostname MailScanner[26628]: extracting: > > >CODE/RDI-68K/RDISTART/RdiAsm.bat > > >Jul 21 15:06:47 hostname MailScanner[26628]: ProcessClamAVOutput: > > >unrecognised line " extracting: > CODE/RDI-68K/RDISTART/RdiAsm.bat ". Please > > >contact the authors! > > >Jul 21 15:06:48 hostname MailScanner[26628]: extracting: > > >CODE/RStatusDecodeDLL/TestDriver/test.bcv > > >Jul 21 15:06:48 hostname MailScanner[26628]: ProcessClamAVOutput: > > >unrecognised line " extracting: > CODE/RStatusDecodeDLL/TestDriver/test.bcv ". > > >Please contact the authors! > > >Jul 21 15:06:48 hostname MailScanner[26628]: extracting: > > >CODE/SensorDataDLL/res/SensorDataDLL.rc2 > > >Jul 21 15:06:48 hostname MailScanner[26628]: ProcessClamAVOutput: > > >unrecognised line " extracting: > CODE/SensorDataDLL/res/SensorDataDLL.rc2 ". > > >Please contact the authors! > > > > > >and > > > > > >Jul 21 19:28:28 hostname MailScanner[25439]: > > > >/var/spool/MailScanner/incoming/25439/./19ek4w-0001fC-00/FAT_ > 07_18.zip: File > > >size limit exceeded. 
> > >Jul 21 19:28:28 hostname MailScanner[25439]: ProcessClamAVOutput: > > >unrecognised line > > > >"/var/spool/MailScanner/incoming/25439/./19ek4w-0001fC-00/FAT > _07_18.zip: > > >File size limit exceeded.". Please contact the authors! > > > > > >I am thinking that this has to do with the new version of > ClamAV. I found > > >some options for clamscan to disable some of these limits, > and put them in > > >clamav-wrapper. Specifically, I set > > > > > >ScanOptions="--max-files=0 --max-space=0 --max-recursion=0" > > > > > >Questions: > > > > > >* Has anyone else come across this? > > >* Since MailScanner already has timeouts for virus > scanning, would you > > >think it is safe to run this way? > > >* If yes, should this be the default? (I'm not sure if > versions < 0.60 > > >support this - maybe put some comments in the > clamav-wrapper script?) > > >* Is "unrecognised" British for "unrecognized" or is it > just misspelled? > > > > > >Thanks. > > > > > >Jason > > > > > > > > > -- > Mariano Absatz > El Baby > ---------------------------------------------------------- > The best cure for insomnia is to get a lot of sleep. > -- W.C. Fields > From vboulytchev at COINFOTECH.COM Tue Jul 22 22:56:08 2003 
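Added example (not part of any list message, and not MailScanner's or ClamAV's code): the exchange above turns on scanner output the parser does not recognise and on a file that was not completely scanned, so this Python sketch classifies the lines quoted in the thread and treats a "limit exceeded" result as unscanned rather than clean. The function names, the fail-closed release policy, and the OK, FOUND and third-message sample lines are assumptions made for the illustration.

```python
import re

# Constructed sample. The two "limit exceeded" lines and the "extracting:"
# line are copied from the log quoted in the thread; the OK and FOUND lines,
# the third message id and the last line are constructed for illustration.
SAMPLE = """\
/var/spool/MailScanner/incoming/26628/./19efzB-0002a1-00/RS3 Rev 14.zip: Files number limit exceeded.
 extracting: CODE/RDI-68K/Load/LoadAsm.bat
/var/spool/MailScanner/incoming/25439/./19ek4w-0001fC-00/FAT_07_18.zip: File size limit exceeded.
/var/spool/MailScanner/incoming/26628/./19efzB-0002a1-00/msg-1.txt: OK
/var/spool/MailScanner/incoming/26628/./19efzB-0002a1-00/note.pif: Worm.Example FOUND
/var/spool/MailScanner/incoming/26628/./19exMP-0000aB-00/hello.txt: OK
something the parser has never seen
"""

# Progress chatter from the external unzip utility, not a scan verdict.
NOISE_PREFIXES = ("extracting:", "inflating:")

# Higher number wins when several lines refer to the same message.
SEVERITY = {"clean": 0, "unknown": 1, "unscanned": 2, "infected": 3}

# .../incoming/<pid>/./<message id>/<attachment name>
PATH_RE = re.compile(r"/incoming/\d+/(?:\./)?(?P<msgid>[^/]+)/(?P<name>.+)$")


def classify_line(line):
    """Return (verdict, path, detail) for one scanner output line, or None."""
    text = line.strip()
    if not text:
        return None
    if text.startswith(NOISE_PREFIXES):
        return ("noise", None, text)
    # Split on the LAST ": " so file names containing spaces or colons survive.
    path, sep, msg = text.rpartition(": ")
    if not sep or not path.startswith("/"):
        return ("unknown", None, text)
    if msg == "OK":
        return ("clean", path, msg)
    if msg.endswith(" FOUND"):
        return ("infected", path, msg[: -len(" FOUND")])
    if msg.endswith("limit exceeded."):
        # The scanner gave up on this file: it is NOT known to be clean.
        return ("unscanned", path, msg)
    return ("unknown", path, msg)


def summarise(output):
    """Map each message id to its worst verdict; collect unattributable lines."""
    per_message, unparsed = {}, []
    for line in output.splitlines():
        result = classify_line(line)
        if result is None or result[0] == "noise":
            continue
        verdict, path, _detail = result
        match = PATH_RE.search(path) if path else None
        if match is None:
            unparsed.append(line.strip())
            continue
        msgid = match.group("msgid")
        if SEVERITY[verdict] >= SEVERITY[per_message.get(msgid, "clean")]:
            per_message[msgid] = verdict
    return per_message, unparsed


def releasable(per_message, unparsed):
    """Fail closed: release only clean messages, and none if output was unparsed."""
    if unparsed:
        return []
    return sorted(m for m, v in per_message.items() if v == "clean")


if __name__ == "__main__":
    verdicts, leftovers = summarise(SAMPLE)
    print(verdicts, leftovers, releasable(verdicts, leftovers))
```

With the limits set to 0 as in the thread, the scanner no longer stops early, so bounding the time and disk space spent on a single archive is left to whatever calls it.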
From: vboulytchev at COINFOTECH.COM (Boulytchev, Vasiliy)
Date: Thu Jan 12 21:19:02 2006
Subject: CommuniGate Pro - MailScanner update
Message-ID: <1958DE295D9656499ECAAD3642822DE0033FDA@willow.office.coinfotech.com>

Yet another .bad :))))))))))))))))))))

Here is the qf-blah file

V4
T1058909914
K0
N0
P150900
HFrom: (Automatic Reply mailbox for testing)
HDate: Tue, 22 Jul 2003 15:38:33 -0600
HMessage-ID:
HX-Autogenerated: Reply
HTo: "vasiliy boulytchev"
HSubject: Re:
HIn-Reply-To: <003601c3509a$4af6f4b0$3700000a@office.coinfotech.com>

autoreply@mailsvc.com is just a mailbox on Communigate Mail Server to
autoreply to the message for testing purposes.

How about messages from Daemons on Listservers?

Here is a copy of a good qf-blah

V4
T1058910524
K0
N0
P150900
$_
S
RPFD:
HReceived: from [209.12.32.66] (HELO willow.office.coinfotech.com)
  by mailsvc.com (CommuniGate Pro SMTP 4.0.6)
  with ESMTP id 12399741 for virus@boulytcheva.com; Tue, 22 Jul 2003 15:48:43 -0600
HMIME-Version: 1.0
HContent-Type: multipart/alternative;
        boundary="----_=_NextPart_001_01C3509B.93B4BFAB"
Hcontent-class: urn:content-classes:message
HX-MimeOLE: Produced By Microsoft Exchange V6.0.6249.0
HSubject:
HDate: Tue, 22 Jul 2003 15:52:42 -0600
HMessage-ID: <1958DE295D9656499ECAAD3642822DE0033FD7@willow.office.coinfotech.com>
HX-MS-Has-Attach:
HX-MS-TNEF-Correlator:
HThread-Index: AcNQm5OBeCvE5aXeTmW62LdyGyY1eQ==
HFrom: "Boulytchev, Vasiliy"
HTo: "vasiliy boulytchev"

Vasiliy Boulytchev
Colorado Information Technologies Inc.
(719) 473-2800 x15

-----Original Message-----
From: John Rudd [mailto:jrudd@UCSC.EDU] Sent: Monday, July 21, 2003 4:37 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: CommuniGate Pro - MailScanner update I have made an update to my scripts for using MailScanner with CommuniGate Pro. I have also updated the text of the CommuniGate Pro rule instructions (the Execute rule no longer needs the [RETPATH] nor [RCPT] options). This should change the problem some people noticed with ".bad" files showing up in the CommuniGate Pro Queue directory, due to "RPFD:" being prepended to sender's addresses. This shouldn't happen any more. You can get the new scripts and information from: http://people.ucsc.edu/~jrudd/MailScanner If you have any questions, or notice any new bugs, please let me know. (And be sure to edit your path to perl in the first line of each script; it changed in the downloads because my testing platform changed from Solaris to Linux) John Rudd (ps: one person has mentioned that they see some messages being cross delivered, but I haven't had anyone else mention this problem to me, nor have I seen it on my own servers; if you do see such a behavior, please let me know right away, and try to give me plenty of context information) -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030722/aded9378/attachment.html From TGFurnish at HERFF-JONES.COM Tue Jul 22 23:10:44 2003 
From: TGFurnish at HERFF-JONES.COM (Furnish, Trever G)
Date: Thu Jan 12 21:19:02 2006
Subject: moving the bayes files?
Message-ID: <8FFC76593085ED4A80D3601BC41EFCDF0C030E@inex1.herffjones.hj-int>

Replying to my own question, it looks like these files are only created
periodically, so once I made the config change and restarted MailScanner,
the files didn't immediately appear. Instead they appeared quite a few hours
later, after 30 or so messages had been run through the system.

My thanks to "Matt", who shall remain otherwise nameless because he's
list-"shy". :-)

--
Trever

>-----Original Message-----
>From: Furnish, Trever G [mailto:TGFurnish@HERFF-JONES.COM] >Sent: Tuesday, July 22, 2003 1:37 PM >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: moving the bayes files? > > >I suppose I'm taking a rather haphazard approach to learning >mailscanner, >but I've recently realized spamassassin *may* be storing bayesian >filtering-related files under /root/.spamassassin on my >system, which isn't >a good long-term situation for me, so I stopped mailscanner, >uncommented the >following lines in /etc/MailScanner/spam.assassin.prefs.conf, >and restarted >MailScanner: > >auto_whitelist_path /var/spool/spamassassin/auto-whitelist >auto_whitelist_file_mode 0600 >bayes_path /var/spool/spamassassin/bayes >bayes_file_mode 0600 > >That didn't seem to work (for moving the files) -- The >/var/spool/spamassassin directory did not get created and >MailScanner died >quietly. > >So...I ran the mailscanner init script with 'stop' as an arg, >then did a >mkdir /var/spool/spamassassin, then restarted mailscanner. >Now it doesn't >die, but it also doesn't create files under >/var/spool/spamassassin. What >else do I need to do in order to get that working? I'm not >even sure the >bayesian stuff was working to begin with. > >In case it helps, here's the output of spamassassin -D --lint >2>&1 - any >suggestions would be appreciated. > >debug: Score set 0 chosen. >debug: running in taint mode? 
no >debug: ignore: using a test message to lint rules >debug: using "/usr/share/spamassassin" for default rules dir >debug: using "/etc/mail/spamassassin" for site rules dir >debug: using "/root/.spamassassin" for user state dir >debug: using "/root/.spamassassin/user_prefs" for user prefs file >debug: using "/root/.spamassassin" for user state dir >debug: bayes: 22042 tie-ing to DB file R/O >/root/.spamassassin/bayes_toks >debug: bayes: 22042 tie-ing to DB file R/O >/root/.spamassassin/bayes_seen >debug: debug: Only 5 spam(s) in Bayes DB < 200 >debug: bayes: 22042 untie-ing >debug: bayes: 22042 untie-ing db_toks >debug: bayes: 22042 untie-ing db_seen >debug: Score set 1 chosen. >debug: Initialising learner >debug: using "/root/.spamassassin" for user state dir >debug: bayes: 22042 tie-ing to DB file R/O >/root/.spamassassin/bayes_toks >debug: bayes: 22042 tie-ing to DB file R/O >/root/.spamassassin/bayes_seen >debug: debug: Only 5 spam(s) in Bayes DB < 200 >debug: bayes: 22042 untie-ing >debug: bayes: 22042 untie-ing db_toks >debug: bayes: 22042 untie-ing db_seen >debug: is Net::DNS::Resolver available? yes >debug: trying (3) amazon.com... >debug: looking up MX for 'amazon.com' >debug: MX for 'amazon.com' exists? 1 >debug: MX lookup of amazon.com succeeded => Dns available (set >dns_available >to >hardcode) >debug: is DNS available? 
1 >debug: running header regexp tests; score so far=0 >debug: running body-text per-line regexp tests; score so far=1.9 >debug: running raw-body-text per-line regexp tests; score so far=1.9 >debug: running uri tests; score so far=1.9 >debug: uri tests: Done uriRE >debug: running full-text regexp tests; score so far=1.9 >debug: Razor2 is not available >debug: Current PATH is: >/usr/kerberos/sbin:/usr/kerberos/bin:/usr/local/sbin:/us >r/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/X11R6/bin:/root/bin >debug: DCC is not available: dccproc not found >debug: Pyzor is not available: pyzor not found >debug: all '*To' addrs: >debug: all '*From' addrs: ignore@compiling.spamassassin.taint.org >debug: running meta tests; score so far=2.4 >debug: is spam? score=2.4 required=5 >tests=DATE_MISSING,MISSING_HEADERS,NO_REAL_ >NAME >debug: bayes: 22042 untie-ing > From jrudd at UCSC.EDU Tue Jul 22 23:20:29 2003 
From: jrudd at UCSC.EDU (John Rudd) Date: Thu Jan 12 21:19:02 2006 Subject: CommuniGate Pro - MailScanner update In-Reply-To: <1958DE295D9656499ECAAD3642822DE0033FDA@willow.office.coinfotech.com> Message-ID: How was that bad message generated? It would appear that it was generated without any recipients (hence the lack of lines that start RPFD:, the sendmail queue file line indicating each recipient). Is it being generated by CommuniGate Pro's rules? or something else? On Tuesday, Jul 22, 2003, at 14:56 US/Pacific, Boulytchev, Vasiliy wrote: > Yet another .bad :)))))))))))))))))))) > ? > Here is the qf-blah file > ? > V4 > T1058909914 > K0 > N0 > P150900 > HFrom: (Automatic Reply mailbox for testing) > HDate: Tue, 22 Jul 2003 15:38:33 -0600 > HMessage-ID: > HX-Autogenerated: Reply > HTo: "vasiliy boulytchev" > HSubject: Re: > HIn-Reply-To: <003601c3509a$4af6f4b0$3700000a@office.coinfotech.com> > autoreply@mailsvc.com? is just a mailbox on Communigate Mail Server to > autoreply to the message for testing purposes. > ? > ? > How about messages from Daemons on Listservers? > ? > Here is a copy of a good qf-blah > ? > V4 > T1058910524 > K0 > N0 > P150900 > $_ > S > RPFD: > HReceived: from [209.12.32.66] (HELO willow.office.coinfotech.com) > ? by mailsvc.com (CommuniGate Pro SMTP 4.0.6) > ? with ESMTP id 12399741 for virus@boulytcheva.com; Tue, 22 Jul 2003 > 15:48:43 -0600 > HMIME-Version: 1.0 > HContent-Type: multipart/alternative; > ??????? boundary="----_=_NextPart_001_01C3509B.93B4BFAB" > Hcontent-class: urn:content-classes:message > HX-MimeOLE: Produced By Microsoft Exchange V6.0.6249.0 > HSubject: > HDate: Tue, 22 Jul 2003 15:52:42 -0600 > HMessage-ID: > <1958DE295D9656499ECAAD3642822DE0033FD7@willow.office.coinfotech.com> > HX-MS-Has-Attach: > HX-MS-TNEF-Correlator: > HThread-Index: AcNQm5OBeCvE5aXeTmW62LdyGyY1eQ== > HFrom: "Boulytchev, Vasiliy" > HTo: "vasiliy boulytchev" > ? > ? > > Vasiliy Boulytchev > > Colorado Information Technologies Inc. 
> > (719) 473-2800 x15 > > > > ? > > ? > > > -----Original Message----- > From: John Rudd [mailto:jrudd@UCSC.EDU] > Sent: Monday, July 21, 2003 4:37 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: CommuniGate Pro - MailScanner update > > I have made an update to my scripts for using MailScanner with > CommuniGate Pro.? I have also updated the text of the CommuniGate Pro > rule instructions (the Execute rule no longer needs the [RETPATH] nor > [RCPT] options). > > This should change the problem some people noticed with ".bad" files > showing up in the CommuniGate Pro Queue directory, due to "RPFD:" being > prepended to sender's addresses.? This shouldn't happen any more. > > > You can get the new scripts and information from: > > http://people.ucsc.edu/~jrudd/MailScanner > > > If you have any questions, or notice any new bugs, please let me know. > > (And be sure to edit your path to perl in the first line of each > script; > it changed in the downloads because my testing platform changed from > Solaris to Linux) > > > John Rudd > > > (ps: one person has mentioned that they see some messages being cross > delivered, but I haven't had anyone else mention this problem to me, > nor > have I seen it on my own servers; if you do see such a behavior, please > let me know right away, and try to give me plenty of context > information) > From vboulytchev at COINFOTECH.COM Tue Jul 22 23:37:48 2003 
From: vboulytchev at COINFOTECH.COM (Boulytchev, Vasiliy)
Date: Thu Jan 12 21:19:02 2006
Subject: CommuniGate Pro - MailScanner update
Message-ID: <1958DE295D9656499ECAAD3642822DE0033FE1@willow.office.coinfotech.com>

John,
     Your guess was correct. It is an autoreply rule on account
"autoreply" on "mailsvc.com" domain, in CommunigatePro. By the way, you can
cross the other errors off the list. I have tested BCC, RPFD: and all, the
fix worked great that you released earlier. So we just have one left,
hopefully.

THANKS!!!!!!!!!!!!!!!!!!!!!

Vasiliy Boulytchev
Colorado Information Technologies Inc.
(719) 473-2800 x15

-----Original Message-----
From: John Rudd [mailto:jrudd@UCSC.EDU] Sent: Tuesday, July 22, 2003 4:20 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: CommuniGate Pro - MailScanner update How was that bad message generated? It would appear that it was generated without any recipients (hence the lack of lines that start RPFD:, the sendmail queue file line indicating each recipient). Is it being generated by CommuniGate Pro's rules? or something else? On Tuesday, Jul 22, 2003, at 14:56 US/Pacific, Boulytchev, Vasiliy wrote: > Yet another .bad :)))))))))))))))))))) > > Here is the qf-blah file > > V4 > T1058909914 > K0 > N0 > P150900 > HFrom: (Automatic Reply mailbox for testing) > HDate: Tue, 22 Jul 2003 15:38:33 -0600 > HMessage-ID: > HX-Autogenerated: Reply > HTo: "vasiliy boulytchev" > HSubject: Re: > HIn-Reply-To: <003601c3509a$4af6f4b0$3700000a@office.coinfotech.com> > autoreply@mailsvc.com is just a mailbox on Communigate Mail Server to > autoreply to the message for testing purposes. > > > How about messages from Daemons on Listservers? > > Here is a copy of a good qf-blah > > V4 > T1058910524 > K0 > N0 > P150900 > $_ > S > RPFD: > HReceived: from [209.12.32.66] (HELO willow.office.coinfotech.com) > by mailsvc.com (CommuniGate Pro SMTP 4.0.6) > with ESMTP id 12399741 for virus@boulytcheva.com; Tue, 22 Jul 2003 > 15:48:43 -0600 > HMIME-Version: 1.0 > HContent-Type: multipart/alternative; > boundary="----_=_NextPart_001_01C3509B.93B4BFAB" > Hcontent-class: urn:content-classes:message > HX-MimeOLE: Produced By Microsoft Exchange V6.0.6249.0 > HSubject: > HDate: Tue, 22 Jul 2003 15:52:42 -0600 > HMessage-ID: > <1958DE295D9656499ECAAD3642822DE0033FD7@willow.office.coinfotech.com> > HX-MS-Has-Attach: > HX-MS-TNEF-Correlator: > HThread-Index: AcNQm5OBeCvE5aXeTmW62LdyGyY1eQ== > HFrom: "Boulytchev, Vasiliy" > HTo: "vasiliy boulytchev" > > > > Vasiliy Boulytchev > > Colorado Information Technologies Inc. > > (719) 473-2800 x15 > > > > > > > > > -----Original Message----- 
> From: John Rudd [mailto:jrudd@UCSC.EDU] > Sent: Monday, July 21, 2003 4:37 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: CommuniGate Pro - MailScanner update > > I have made an update to my scripts for using MailScanner with > CommuniGate Pro. I have also updated the text of the CommuniGate Pro > rule instructions (the Execute rule no longer needs the [RETPATH] nor > [RCPT] options). > > This should change the problem some people noticed with ".bad" files > showing up in the CommuniGate Pro Queue directory, due to "RPFD:" being > prepended to sender's addresses. This shouldn't happen any more. > > > You can get the new scripts and information from: > > http://people.ucsc.edu/~jrudd/MailScanner > > > If you have any questions, or notice any new bugs, please let me know. > > (And be sure to edit your path to perl in the first line of each > script; > it changed in the downloads because my testing platform changed from > Solaris to Linux) > > > John Rudd > > > (ps: one person has mentioned that they see some messages being cross > delivered, but I haven't had anyone else mention this problem to me, > nor > have I seen it on my own servers; if you do see such a behavior, please > let me know right away, and try to give me plenty of context > information) > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030722/84bd3732/attachment.html From dot at DOTAT.AT Tue Jul 22 23:44:56 2003 
From: dot at DOTAT.AT (Tony Finch)
Date: Thu Jan 12 21:19:02 2006
Subject: Vexing problem
In-Reply-To:
Message-ID:

Thomas DuVally wrote:
>
>Everyday around peak time the upgraded system starts to get backed up.
>The incoming queue goes from a normal 2-4 message count up to 1000+.
>Restarting MS will begin clearing this out.

What are your MailScanner concurrency, batch size, and maximum age settings?

Tony.
--
f.a.n.finch http://dotat.at/
ROCKALL: SOUTHERLY VEERING WESTERLY 5 TO 7. OCCASIONAL RAIN. MODERATE OR GOOD.

From raymond at PROLOCATION.NET Tue Jul 22 23:58:24 2003
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:19:02 2006
Subject: Vexing problem
In-Reply-To:
Message-ID:

Hi!

> >Everyday around peak time the upgraded system starts to get backed up.
> >The incoming queue goes from a normal 2-4 message count up to 1000+.
> >Restarting MS will begin clearing this out.
>
> What are your MailScanner concurrency, batch size, and maximum age settings?

On two of my boxes:

Max Children = 16
Restart Every = 14400
Max Unscanned Bytes Per Scan = 100000000
Max Unsafe Bytes Per Scan = 50000000
Max Unscanned Messages Per Scan = 100
Max Unsafe Messages Per Scan = 100

Bye,
Raymond.

From raymond at PROLOCATION.NET Wed Jul 23 00:20:22 2003
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:19:02 2006
Subject: Vexing problem
In-Reply-To: <53B63D16-BC98-11D7-88FC-000393920D6C@uptime.at>
Message-ID:

Hi!

> > On two of my boxes:
> >
> > Max Children = 16
> Geeze, does that run on a Sun Fire ? ;)

No, a Dual Xeon 2.8. I played around with the children and this is what ran
best. I would not recommend running it on a SUN, tested it on a V880 but uh
well ... let's say the Intel box performed much better $/mails per second.

Bye,
Raymond.

From dh at UPTIME.AT Wed Jul 23 00:00:45 2003
From: dh at UPTIME.AT (David)
Date: Thu Jan 12 21:19:02 2006
Subject: Vexing problem
In-Reply-To:
Message-ID: <53B63D16-BC98-11D7-88FC-000393920D6C@uptime.at>

On Wednesday, July 23, 2003, at 12:58, Raymond Dijkxhoorn wrote:

> Hi!
>
>>> Everyday around peak time the upgraded system starts to get backed
>>> up.
>>> The incoming queue goes from a normal 2-4 message count up to 1000+.
>>> Restarting MS will begin clearing this out.
>>
>> What are your MailScanner concurrency, batch size, and maximum age
>> settings?
>
> On two of my boxes:
>
> Max Children = 16

Geeze, does that run on a Sun Fire ? ;)

-d

--
nee amata wo mitsukete soshite midoto wasrezu domma mi mumega itakutemo soba mi iru mo zutto...zutto...zutto

-------------- next part --------------
A non-text attachment was scrubbed...
Name: PGP.sig
Type: application/pgp-signature
Size: 186 bytes
Desc: This is a digitally signed message part
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030723/c7983f2c/PGP.bin

From jrudd at UCSC.EDU Wed Jul 23 01:40:01 2003
From: jrudd at UCSC.EDU (John Rudd)
Date: Thu Jan 12 21:19:02 2006
Subject: _THIRD_ CommuniGate Pro - MailScanner update
In-Reply-To: <1958DE295D9656499ECAAD3642822DE0033FE1@willow.office.coinfotech.com>
Message-ID: <31DD5E64-BCA6-11D7-A34A-003065F939FE@ucsc.edu>

Well, there's two problems:

1) when you disabled that check in the mailscanner code (that I said you
shouldn't do), it caused mailscanner to accept messages that aren't valid,
and then pass them on to communigate pro, which then makes .bad files out of
them. If you hadn't done that to mailscanner, they would be being built up
in the /var/spool/mqueue.in directory for mailscanner, and mail scanner
would be putting messages into your syslog. You should re-enable the default
mailscanner code.

2) my cgp2ms script depended upon receiving a "Received:" header before
printing out certain qf file variables ($_ the relay host, which it extracts
from the Received header; S the sender; and the RPFD lines, the recipients).
The problem is that for localhost senders, such as messages created by
CommuniGate Pro's rules, it never triggered this because there are no
Received headers at all, creating a message with no relay, no sender, and no
recipients.

I've re-worked my logic in the cgp2ms script so that when it moves from the
headers to the body, if it still hasn't printed those variables, it does so
(using localhost for the relay). I also re-wrote the regexp logic for
extracting the relay host from the Received header (it worked for some
received headers, that have both the hostname and the ip addr, but not for
received headers which only list the relay's ip addr; I fixed that).

So, my third update release in 2 days. Hopefully that fixes everything :-)

I also re-formatted my update announcements at the top of the page.

http://people.ucsc.edu/~jrudd/MailScanner

John

On Tuesday, Jul 22, 2003, at 15:37 US/Pacific, Boulytchev, Vasiliy wrote:

> John,
>      Your guess was correct.
It is an autoreply rule on account > "autoreply" on "mailsvc.com" domain, in CommunigatePro.? By the way, > You can cross the other errors off the list.? I have tested BCC, RPFD: > and all, the fix worked great that you release earlier.? So we just > have one left, hopefully. > ? > THANKS!!!!!!!!!!!!!!!!!!!!! > ? > ? > ? > > Vasiliy Boulytchev > > Colorado Information Technologies Inc. > > (719) 473-2800 x15 > > > > ? > > ? > > > -----Original Message----- 
> From: John Rudd [mailto:jrudd@UCSC.EDU] > Sent: Tuesday, July 22, 2003 4:20 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: CommuniGate Pro - MailScanner update > > How was that bad message generated?? It would appear that it was > generated without any recipients (hence the lack of lines that start > RPFD:, the sendmail queue file line indicating each recipient).? Is it > being generated by CommuniGate Pro's rules? or something else? > > On Tuesday, Jul 22, 2003, at 14:56 US/Pacific, Boulytchev, Vasiliy > wrote: > > > Yet another .bad :)))))))))))))))))))) > > ? > > Here is the qf-blah file > > ? > > V4 > > T1058909914 > > K0 > > N0 > > P150900 > > HFrom: (Automatic Reply mailbox for testing) > > HDate: Tue, 22 Jul 2003 15:38:33 -0600 > > HMessage-ID: > > HX-Autogenerated: Reply > > HTo: "vasiliy boulytchev" > > HSubject: Re: > > HIn-Reply-To: <003601c3509a$4af6f4b0$3700000a@office.coinfotech.com> > > autoreply@mailsvc.com? is just a mailbox on Communigate Mail Server > to > > autoreply to the message for testing purposes. > > ? > > ? > > How about messages from Daemons on Listservers? > > ? > > Here is a copy of a good qf-blah > > ? > > V4 > > T1058910524 > > K0 > > N0 > > P150900 > > $_ > > S > > RPFD: > > HReceived: from [209.12.32.66] (HELO willow.office.coinfotech.com) > > ? by mailsvc.com (CommuniGate Pro SMTP 4.0.6) > > ? with ESMTP id 12399741 for virus@boulytcheva.com; Tue, 22 Jul 2003 > > 15:48:43 -0600 > > HMIME-Version: 1.0 > > HContent-Type: multipart/alternative; > > ??????? boundary="----_=_NextPart_001_01C3509B.93B4BFAB" > > Hcontent-class: urn:content-classes:message > > HX-MimeOLE: Produced By Microsoft Exchange V6.0.6249.0 > > HSubject: > > HDate: Tue, 22 Jul 2003 15:52:42 -0600 > > HMessage-ID: > > <1958DE295D9656499ECAAD3642822DE0033FD7@willow.office.coinfotech.com> > > HX-MS-Has-Attach: > > HX-MS-TNEF-Correlator: > > HThread-Index: AcNQm5OBeCvE5aXeTmW62LdyGyY1eQ== > > HFrom: "Boulytchev, Vasiliy" > > HTo: "vasiliy boulytchev" > > ? > > ? 
> > > > Vasiliy Boulytchev > > > > Colorado Information Technologies Inc. > > > > (719) 473-2800 x15 > > > > > > > > ? > > > > ? > > > > > > -----Original Message----- > > From: John Rudd [mailto:jrudd@UCSC.EDU] > > Sent: Monday, July 21, 2003 4:37 PM > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: CommuniGate Pro - MailScanner update > > > > I have made an update to my scripts for using MailScanner with > > CommuniGate Pro.? I have also updated the text of the CommuniGate Pro > > rule instructions (the Execute rule no longer needs the [RETPATH] nor > > [RCPT] options). > > > > This should change the problem some people noticed with ".bad" files > > showing up in the CommuniGate Pro Queue directory, due to "RPFD:" > being > > prepended to sender's addresses.? This shouldn't happen any more. > > > > > > You can get the new scripts and information from: > > > > http://people.ucsc.edu/~jrudd/MailScanner > > > > > > If you have any questions, or notice any new bugs, please let me > know. > > > > (And be sure to edit your path to perl in the first line of each > > script; > > it changed in the downloads because my testing platform changed from > > Solaris to Linux) > > > > > > John Rudd > > > > > > (ps: one person has mentioned that they see some messages being cross > > delivered, but I haven't had anyone else mention this problem to me, > > nor > > have I seen it on my own servers; if you do see such a behavior, > please > > let me know right away, and try to give me plenty of context > > information) > > > From Janssen at RZ.UNI-FRANKFURT.DE Wed Jul 23 02:35:11 2003 
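Added example (not John Rudd's cgp2ms script, which is not shown in this thread): a Python sketch of the logic his message describes, printing the envelope lines when the first Received header is seen and falling back to "localhost" at the end of the headers when there was none, plus the kind of validity check his point 1 says should stay enabled. The function names, the relay regular expression, the `S<...>` and `RPFD:<...>` address formatting, and the sample messages (documentation addresses) are assumptions made for the illustration.

```python
import re

# Relay token after "Received: from": either a bracketed IP literal (headers
# that list only the relay's address) or a host name (headers that list both).
RELAY_RE = re.compile(r"^Received:\s+from\s+(\[[0-9A-Fa-f.:]+\]|[^\s()]+)", re.I)

# Constructed message shaped like the autoreply in the thread: no Received header.
AUTOREPLY_MSG = (
    "From: autoreply@example.org (Automatic Reply mailbox for testing)\n"
    "Date: Tue, 22 Jul 2003 15:38:33 -0600\n"
    "X-Autogenerated: Reply\n"
    "Subject: Re:\n"
    "\n"
    "body text\n"
)

# Constructed message shaped like the good one: IP-only relay, folded header.
RELAYED_MSG = (
    "Received: from [192.0.2.66] (HELO mail.example.org)\n"
    "  by mx.example.net (CommuniGate Pro SMTP 4.0.6)\n"
    "  with ESMTP id 12399741; Tue, 22 Jul 2003 15:48:43 -0600\n"
    "Subject: test\n"
    "\n"
    "body text\n"
)


def relay_from_received(header):
    """Return the relay named in a Received header, or None for other headers."""
    match = RELAY_RE.match(header)
    return match.group(1) if match else None


def build_qf(sender, recipients, raw_message, timestamp, priority=150900):
    """Build sendmail-style qf lines for one message (headers only, no body)."""
    qf = ["V4", "T%d" % timestamp, "K0", "N0", "P%d" % priority]
    envelope_done = False

    def envelope(relay):
        lines = ["$_" + relay, "S<%s>" % sender]
        lines += ["RPFD:<%s>" % rcpt for rcpt in recipients]
        return lines

    for line in raw_message.splitlines():
        if line == "":                 # blank line: headers are finished
            break
        if line[0] in " \t":           # folded continuation of the previous header
            qf.append(line)
            continue
        if not envelope_done:
            relay = relay_from_received(line)
            if relay:                  # first Received header: emit envelope first
                qf += envelope(relay)
                envelope_done = True
        qf.append("H" + line)

    if not envelope_done:              # locally generated mail: no Received at all
        qf += envelope("localhost")
    return qf


def qf_problems(qf_lines):
    """Name the envelope items a qf file lacks; an empty list means it is usable."""
    required = (("$_", "relay"), ("S", "sender"), ("R", "recipient"))
    return [name for prefix, name in required
            if not any(line.startswith(prefix) for line in qf_lines)]


if __name__ == "__main__":
    for msg in (AUTOREPLY_MSG, RELAYED_MSG):
        qf = build_qf("autoreply@example.org", ["user@example.org"], msg, 1058909914)
        print("\n".join(qf), "\nproblems:", qf_problems(qf), "\n")
```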
From: Janssen at RZ.UNI-FRANKFURT.DE (Michael Janssen)
Date: Thu Jan 12 21:19:02 2006
Subject: Vexing problem
In-Reply-To: <1058898921.1282.38.camel@croithine>
References: <1058898921.1282.38.camel@croithine>
Message-ID:

On Tue, 22 Jul 2003, Thomas DuVally wrote:

> I recently upgraded both SA (2.55) and MS (4-20.3). I am running it in
> parallel to one of the older versions (2.43/4-10).
>
> I process about 70-100k per system per day. Each machine is otherwise
> identical and getting the same number and types of messages (equally
> weighted MX)
>
> Everyday around peak time the upgraded system starts to get backed up.
> The incoming queue goes from a normal 2-4 message count up to 1000+.
>
> Restarting MS will begin clearing this out.
>
> Question: Is there a possible memory issue with either MS or SA I should
> be aware of? I've got it trimmed down pretty good with no bayes or RBLS
> and only incoming messages content checked.

Have you got reasons to suspect a memory problem? 16 MS workers should
consume up to 550MB (I count 33MB resident set size RSS given by "top" per
worker). This should be fine with 4GB (your sendmail(?)/ virus-scanner/ SA
can't take all the rest).

Is the machine swapping (while it's mostly no problem at all when the machine
has swapped out some never used data it's of course a problem if the machine
is actually freeing and claiming swap-space)?

What are the MS-Processes doing? Standing still (last logentry is what? WCHAN
and %CPU? strace-output (In the hope Solaris has all this kind of information
I'm familiar to from our linux systems)?) or running too slow?

It's a bit hard to track this for 16 workers. Probably with help of a filter
script, that sets the loglines for different pids to different colors (uhm 16
readable colors on console...).

Anyway, in case the processes are "just" slow it would be interesting if the
TIME and CTIME (Cumulative TIME - as far as I know only provided by top ("S"
key) of the Processes differs much.
By the way: I've just generated a fresh report for our system (MS 4.22-5):
http://www.rz.uni-frankfurt.de/~janssenm/logstats/daily/07.23.marcy.html
and Batchperformance/ Time/Batch (computing how much time was needed to work
on one batch) shows a very suspicious pattern with low scan-times and high -
well, not high in a critical sense but the pattern is there and it is
correlated with the "dying of old age" Messages in the logs.

I can't remember to see such a pattern before and I really don't like it,
cause one might suspect, that MS would take more and more time without the
periodically-restart mechanism (which is by now regarded as a hyper secure
guard against possibly not actual problems). We have upgraded from v4.12 last
week and switched to sophossavi.... Nice, I'd love to investigate that deeper.

Michael

>
> Specs: Solaris 9
> UltraSparc III+
> 2 CPU
> 4G mem
> Perl 5.8
>
> If I can't figure this out I may have to downgrade.
> --
> Thomas J. DuVally
> Lead Systems Prog.
> CIS, Brown Univ.
>
> http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x15F233F6
>

From greyhair at GREYHAIR.NET Wed Jul 23 04:21:25 2003
From: greyhair at GREYHAIR.NET (Greyhair)
Date: Thu Jan 12 21:19:02 2006
Subject: ClamAV 0.60 problems - ProcessClamAVOutput: unrecognized line
References:
Message-ID: <000f01c350c9$839bcbe0$6245a8c0@laptop>

What version of ClamAV are you using (0.60 as posted??).

Try a snapshot after "Wed Jun 25 03:07:10 CEST 2003" (read change log first
and choose wisely).

I have had zero problems after changing to the snapshot. But I do not get
but 300+ emails a day so I'm a light load from what I have read.....

Hope that helps.

----- Original Message -----
From: "Desai, Jason" To: Sent: Tuesday, July 22, 2003 3:16 PM Subject: ClamAV 0.60 problems - ProcessClamAVOutput: unrecognized line > Hello. I just upgraded to MailScanner 4.22-5 and ClamAV to 0.60. I've > noticed a few entries in my mail.log file such as: > > Jul 21 15:06:47 hostname MailScanner[26628]: > /var/spool/MailScanner/incoming/26628/./19efzB-0002a1-00/RS3 Rev 14.zip: > Files number limit exceeded. > Jul 21 15:06:47 hostname MailScanner[26628]: ProcessClamAVOutput: > unrecognised line > "/var/spool/MailScanner/incoming/26628/./19efzB-0002a1-00/RS3 Rev 14.zip: > Files number limit exceeded.". Please contact the authors! > Jul 21 15:06:47 hostname MailScanner[26628]: extracting: > CODE/RDI-68K/Load/LoadAsm.bat > Jul 21 15:06:47 hostname MailScanner[26628]: ProcessClamAVOutput: > unrecognised line " extracting: CODE/RDI-68K/Load/LoadAsm.bat ". Please > contact the authors! > Jul 21 15:06:47 hostname MailScanner[26628]: extracting: > CODE/RDI-68K/Main/MainCc.bat > Jul 21 15:06:47 hostname MailScanner[26628]: ProcessClamAVOutput: > unrecognised line " extracting: CODE/RDI-68K/Main/MainCc.bat ". Please > contact the authors! > Jul 21 15:06:47 hostname MailScanner[26628]: extracting: > CODE/RDI-68K/Main/MainMap.bat > Jul 21 15:06:47 hostname MailScanner[26628]: ProcessClamAVOutput: > unrecognised line " extracting: CODE/RDI-68K/Main/MainMap.bat ". Please > contact the authors! > Jul 21 15:06:47 hostname MailScanner[26628]: extracting: > CODE/RDI-68K/RDISTART/RdiAsm.bat > Jul 21 15:06:47 hostname MailScanner[26628]: ProcessClamAVOutput: > unrecognised line " extracting: CODE/RDI-68K/RDISTART/RdiAsm.bat ". Please > contact the authors! > Jul 21 15:06:48 hostname MailScanner[26628]: extracting: > CODE/RStatusDecodeDLL/TestDriver/test.bcv > Jul 21 15:06:48 hostname MailScanner[26628]: ProcessClamAVOutput: > unrecognised line " extracting: CODE/RStatusDecodeDLL/TestDriver/test.bcv ". > Please contact the authors! 
> Jul 21 15:06:48 hostname MailScanner[26628]: extracting: > CODE/SensorDataDLL/res/SensorDataDLL.rc2 > Jul 21 15:06:48 hostname MailScanner[26628]: ProcessClamAVOutput: > unrecognised line " extracting: CODE/SensorDataDLL/res/SensorDataDLL.rc2 ". > Please contact the authors! > > and > > Jul 21 19:28:28 hostname MailScanner[25439]: > /var/spool/MailScanner/incoming/25439/./19ek4w-0001fC-00/FAT_07_18.zip: File > size limit exceeded. > Jul 21 19:28:28 hostname MailScanner[25439]: ProcessClamAVOutput: > unrecognised line > "/var/spool/MailScanner/incoming/25439/./19ek4w-0001fC-00/FAT_07_18.zip: > File size limit exceeded.". Please contact the authors! > > I am thinking that this has to do with the new version of ClamAV. I found > some options for clamscan to disable some of these limits, and put them in > clamav-wrapper. Specifically, I set > > ScanOptions="--max-files=0 --max-space=0 --max-recursion=0" > > Questions: > > * Has anyone else come across this? > * Since MailScanner already has timeouts for virus scanning, would you > think it is safe to run this way? > * If yes, should this be the default? (I'm not sure if versions < 0.60 > support this - maybe put some comments in the clamav-wrapper script?) > * Is "unrecognised" British for "unrecognized" or is it just misspelled? > > Thanks. > > Jason > From raymond at PROLOCATION.NET Wed Jul 23 07:10:30 2003 
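One way a scanner wrapper could classify the clamscan lines quoted in the message above, added here as an example (it is not MailScanner's ProcessClamAVOutput code): a limit-exceeded result is recorded as "not fully scanned" rather than treated as clean or unrecognised, and anything unmatched is kept for an operator. The `OK`/`FOUND` sample lines, the `EXAMPLE-*` message ids and all function names are assumptions.

```python
import re

# Constructed sample. Lines 1-3 follow the shapes quoted in the message above;
# the "OK"/"FOUND" lines and the EXAMPLE-* message ids are constructed.
SAMPLE = """\
/var/spool/MailScanner/incoming/26628/./19efzB-0002a1-00/RS3 Rev 14.zip: Files number limit exceeded.
 extracting: CODE/RDI-68K/Load/LoadAsm.bat
/var/spool/MailScanner/incoming/25439/./19ek4w-0001fC-00/FAT_07_18.zip: File size limit exceeded.
/var/spool/MailScanner/incoming/26628/./19efzB-0002a1-00/msg-1.txt: OK
/var/spool/MailScanner/incoming/26628/./EXAMPLE-0000aa-00/sample.exe: Example.Test.Signature FOUND
/var/spool/MailScanner/incoming/26628/./EXAMPLE-0000bb-00/note.txt: OK
"""

# <incoming dir>/<worker pid>/./<message id>/<file inside the message>
PATH_RE = re.compile(r"^/var/spool/MailScanner/incoming/\d+/\./([^/]+)/.+$")
# Assumption: every scan-limit result ends in "limit exceeded", as on the page.
LIMIT_RE = re.compile(r"[A-Za-z ]+ limit exceeded\.?")
RANK = {"clean": 0, "unscanned": 1, "infected": 2}


def classify(line):
    """Return (kind, message_id, detail) for one line of scanner output."""
    s = line.strip()
    if not s or s.startswith("extracting:"):
        return ("noise", None, s)           # unpacker chatter, carries no verdict
    # File names may contain spaces and colons, so split on the LAST ": ".
    path, sep, result = s.rpartition(": ")
    m = PATH_RE.match(path) if sep else None
    if not m:
        return ("unknown", None, s)
    msgid = m.group(1)
    if result.endswith(" FOUND"):
        return ("infected", msgid, result[: -len(" FOUND")])
    if result == "OK":
        return ("clean", msgid, "")
    if LIMIT_RE.fullmatch(result):
        return ("limit", msgid, result)     # archive was not fully examined
    return ("unknown", msgid, s)


def verdicts(text):
    """Fold per-file results into one verdict per message, worst result wins."""
    result, unknown = {}, []
    for line in text.splitlines():
        kind, msgid, detail = classify(line)
        if kind == "noise":
            continue
        if kind == "unknown":
            unknown.append(detail)          # keep for the operator
            if msgid is None:
                continue
            state = "unscanned"             # fail closed on an unparsed result
        elif kind == "limit":
            state = "unscanned"
        else:
            state = kind
        prev = result.get(msgid, "clean")
        result[msgid] = max(prev, state, key=RANK.get)
    return result, unknown


if __name__ == "__main__":
    per_message, leftovers = verdicts(SAMPLE)
    for msgid, state in per_message.items():
        print(msgid, state)
    print("unrecognised:", leftovers)
```

With the limits left on, the policy question becomes what to do with an "unscanned" message (deliver, tag or quarantine) instead of whether to remove the limits.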
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:19:02 2006
Subject: Vexing problem
In-Reply-To:
Message-ID:

Hi!

> > Question: Is there a possible memory issue with either MS or SA I should
> > be aware of? I've got it trimmed down pretty good with no bayes or RBLS
> > and only incoming messages content checked.
> Have you got reasons to suspect a memory problem? 16 MS workers should
> consume up to 550MB (I count 33MB resident set size RSS given by "top" per
> worker). This should be fine with 4GB (your sendmail(?)/ virus-scanner/ SA
> can't take all the rest). Is the machine swapping (while it's mostly no
> problem at all when the machine has swapped out some never used data it's
> of course a problem if the machine is actually freeing and claiming
> swap-space)?

I have 2 GIG RAM inside and no, it's not swapping :) It just slows down after some time. I'll upgrade kernels later on today to see if that's an issue.

> What are the MS-Processes doing? Standing still (last logentry is what?
> WCHAN and %CPU? strace-output (In the hope Solaris has all this kind of
> information I'm familiar with from our linux systems)?) or running too slow?

It's Linux on my two boxes :)

...

> one might suspect, that MS would take more and more time without the
> periodically-restart mechanism (which is by now regarded as a hyper secure
> guard against possibly not actual problems). We have upgraded from v4.12
> last week and switched to sophossavi.... Nice, I'd love to investigate
> that deeper.

Perhaps once Julian gets back he could have a look. But perhaps the kernel upgrade already fixes it, I'll check.

Bye,
Raymond.

From Antony at SOFT-SOLUTIONS.CO.UK Wed Jul 23 12:16:54 2003
From: Antony at SOFT-SOLUTIONS.CO.UK (Antony Stone)
Date: Thu Jan 12 21:19:02 2006
Subject: Message larger than max testing size
Message-ID: <200307231117.h6NBHN904424@agate.rockstone.co.uk>

Hi.

MailScanner has a setting Max SpamAssassin Size, which avoids doing SA checks on very large messages.

However, the size appears to apply to the entire incoming email, not just to the text part of it which would be checked by SA.

For example, I just received a spam mail which is 177684 bytes in size, however it has two GIF attachments, one 115 kbytes in size and the other 9249 bytes (sorry for the slight mix of units, but that's how my mail client reports them to me). The actual text of the message is only 27 lines (not excessively long, either), but it didn't get SA scanned because the entire mail was too big.

Could this be changed so that the size limit applies to the body of the email itself, without attachments, rather than the whole thing with images etc included?

Regards,

Antony.

--
If at first you don't succeed, destroy all the evidence that you tried.

From thomas_duvally at BROWN.EDU Wed Jul 23 13:53:09 2003
From: thomas_duvally at BROWN.EDU (Thomas DuVally)
Date: Thu Jan 12 21:19:02 2006
Subject: Vexing problem
In-Reply-To:
References:
Message-ID: <1058964788.5726.5.camel@croithine>

On Tue, 2003-07-22 at 18:44, Tony Finch wrote:
> Thomas DuVally wrote:
> >
> >Every day around peak time the upgraded system starts to get backed up.
> >The incoming queue goes from a normal 2-4 message count up to 1000+.
> >Restarting MS will begin clearing this out.
>
> What are your MailScanner concurrency, batch size, and maximum age settings?
>

Max Children = 10
Max Unsafe Messages Per Scan = 50
Queue Scan Interval = 5

--
Thomas J. DuVally
Lead Systems Prog.
CIS, Brown Univ.

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x15F233F6

From thomas_duvally at BROWN.EDU Wed Jul 23 13:55:48 2003
From: thomas_duvally at BROWN.EDU (Thomas DuVally)
Date: Thu Jan 12 21:19:02 2006
Subject: Vexing problem
In-Reply-To: <53B63D16-BC98-11D7-88FC-000393920D6C@uptime.at>
References: <53B63D16-BC98-11D7-88FC-000393920D6C@uptime.at>
Message-ID: <1058964948.5735.9.camel@croithine>

On Tue, 2003-07-22 at 19:00, David wrote:
> On Wednesday, July 23, 2003, at 12:58, Raymond Dijkxhoorn wrote:
>
> > Hi!
> >
> >>> Every day around peak time the upgraded system starts to get backed
> >>> up.
> >>> The incoming queue goes from a normal 2-4 message count up to 1000+.
> >>> Restarting MS will begin clearing this out.
> >>
> >> What are your MailScanner concurrency, batch size, and maximum age
> >> settings?
> >
> > On two of my boxes:
> >
> > Max Children = 16
> Geeze, does that run on a Sun Fire ? ;)
>

I think you're confusing Raymond's responses with my initial question and specs.

> -d
>
> -- nee amata wo mitsukete soshite midoto wasrezu
> domma mi mumega itakutemo soba mi iru mo
> zutto...zutto...zutto

--
Thomas J. DuVally
Lead Systems Prog.
CIS, Brown Univ.

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x15F233F6

From thomas_duvally at BROWN.EDU Wed Jul 23 14:07:32 2003
From: thomas_duvally at BROWN.EDU (Thomas DuVally)
Date: Thu Jan 12 21:19:02 2006
Subject: Vexing problem
In-Reply-To:
References: <1058898921.1282.38.camel@croithine>
Message-ID: <1058965651.5737.20.camel@croithine>

On Tue, 2003-07-22 at 21:35, Michael Janssen wrote:
> Have you got reasons to suspect a memory problem? 16 MS workers should
> consume up to 550MB (I count 33MB resident set size RSS given by "top" per
> worker). This should be fine with 4GB (your sendmail(?)/ virus-scanner/ SA
> can't take all the rest). Is the machine swapping (while it's mostly no
> problem at all when the machine has swapped out some never used data it's
> of course a problem if the machine is actually freeing and claiming
> swap-space)?
>

Swapping doesn't seem to be a problem. There always seems to be at least 2gig free available. Sure, some stuff has swapped out, but that's just cruft, I think. And about 23MB RES per, but multiply that by 10-15 workers and I only get about 230-350MB, not exactly taxing 4gig

> What are the MS-Processes doing? Standing still (last logentry is what?
> WCHAN and %CPU? strace-output (In the hope Solaris has all this kind of
> information I'm familiar with from our linux systems)?) or running too slow?
>

I'll have to dig a little.

> It's a bit hard to track this for 16 workers. Probably with help of a
> filter script, that sets the loglines for different pids to different
> colors (uhm 16 readable colors on console...). Anyway, in case the
> processes are "just" slow it would be interesting if the TIME and
> CTIME (Cumulative TIME - as far as I know only provided by top ("S"
> key) of the Processes differs much.
>

This gives me a better point to dig deeper and some ideas to get better stats. BTW, that 16 number is from Raymond's responses, not mine. I'm running 10 and seen it go up to 15. (should that be happening, I've never been sure. I just assumed it was automagically creating what it needed above the initial 10.
If so, shouldn't it be labeled "Min Children"?)

>
> By the way: I've just generated a fresh report for our system (MS 4.22-5):
> http://www.rz.uni-frankfurt.de/~janssenm/logstats/daily/07.23.marcy.html
>
> and Batchperformance/ Time/Batch (computing how much time was needed to
> work on one batch) shows a very suspicious pattern with low scan-times and
> high - well, not high in a critical sense but the pattern is there and it
> is correlated with the "dying of old age" Messages in the logs. I can't
> remember seeing such a pattern before and I really don't like it, cause
> one might suspect, that MS would take more and more time without the
> periodically-restart mechanism (which is by now regarded as a hyper secure
> guard against possibly not actual problems). We have upgraded from v4.12
> last week and switched to sophossavi.... Nice, I'd love to investigate
> that deeper.
>
>
> Michael

--
Thomas J. DuVally
Lead Systems Prog.
CIS, Brown Univ.

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x15F233F6

From Denis.Beauchemin at USHERBROOKE.CA Wed Jul 23 14:12:47 2003
From: Denis.Beauchemin at USHERBROOKE.CA (Denis Beauchemin)
Date: Thu Jan 12 21:19:02 2006
Subject: How to setup a tmpfs on a RH system
In-Reply-To:
References:
Message-ID: <1058965967.3137.49.camel@dbeauchemin.sti.usherbrooke.ca>

Looks quite simple and works well.

Now, how much RAM should I allocate for this directory? If I allocate only 256MB to it and it needs more, what will happen? Will I lose mail?

I started monitoring this directory's size this morning and my 2 systems have already used more than 256MB on occasions (I watch it every 5 seconds).

Thanks again!

Denis

On Tue 22/07/2003 at 17:04, Raymond Dijkxhoorn wrote:
> Hi!
>
> > I would like to experiment with a tmpfs and MS but am at a loss as to
> > how to create one on a RH 7.3 system.
> >
> > I searched my man pages and this list's archives to no avail.
> >
> > Also which directories should I put on it for best performance and
> > reliability?
>
> If you use it 'default' it will take half of your available ram. You can
> tune this by adding a size statement in your fstab.
>
> Like this:
>
> none /var/spool/MailScanner/incoming/ tmpfs size=512m 0 0
>
> Bye,
> Raymond.

--
Denis Beauchemin, analyste
Université de Sherbrooke, S.T.I.
T: 819.821.8000x2252 F: 819.821.8045

From dot at DOTAT.AT Wed Jul 23 14:00:05 2003
From: dot at DOTAT.AT (Tony Finch) Date: Thu Jan 12 21:19:02 2006 Subject: Message larger than max testing size In-Reply-To: Message-ID: Antony Stone wrote: > >Could this be changed so that the size limit applies to the body of the email >itself, without attachments, rather than the whole thing with images etc >included? I've patched MailScanner to SpamAssassinate only the first N bytes of a message, according to the Max SpamAssassin Size, rather than not scan large messages at all. This is closer to what my users want, and it seems there are some large spams around, and it means I can get away with a smaller setting and therefore less SA CPU usage. --- EximDiskStore.pm 13 May 2003 17:44:43 -0000 1.13 +++ EximDiskStore.pm 21 Jul 2003 18:05:01 -0000 1.14 @@ -321,8 +321,8 @@ # Passed a ref to the array. sub ReadBody { my $this = shift; - my($body) = @_; - + my($body,$max) = @_; + my $size = 0; my $dh = $this->{indhandle}; seek($dh, 0, 0); # Rewind the file @@ -330,10 +330,11 @@ my $line = <$dh>; # FIXME: check that id is correct here - while(<$dh>) { + while(defined <$dh> and $size < $max) { # End of line characters are already there, so don't add them #push @{$body}, $_ . "\n"; push @{$body}, $_; + $size += length $_; } } --- PFDiskStore.pm 4 Jul 2003 18:08:28 -0000 1.1.1.3 +++ PFDiskStore.pm 21 Jul 2003 18:05:01 -0000 1.2 @@ -381,14 +382,16 @@ # Passed a ref to the array. sub ReadBody { my $this = shift; - my($body) = @_; + my($body,$max) = @_; + my $size = 0; my $b= Body->new( $this->{hdpath} ); if ($b) { $b->Start(); my $line; - while(defined($line = $b->Next())) { + while(defined($line = $b->Next()) and $size < $max) { push @{$body}, $line . "\n"; + $size += length $line + 1; } $b->Done(); } --- SA.pm 4 Jul 2003 20:03:18 -0000 1.18 +++ SA.pm 21 Jul 2003 18:05:01 -0000 1.19 
@@ -161,10 +161,7 @@ # Do the SpamAssassin checks on the passed in message sub Checks { my $message = shift; - - my($dfhandle); - my($dfilename, $dfile, $dsize, @WholeMessage, $SAResult, $SAHitList); - my($HighScoring, $SAScore); + my(@WholeMessage, $SAResult, $SAHitList, $HighScoring, $SAScore); # Bail out and fake a miss if too many consecutive SA checks failed my $maxfailures = MailScanner::Config::Value('maxspamassassintimeouts'); @@ -196,9 +193,13 @@ # LEOH 26/03/2003 We do not always have dpath file, so we ask to # the store module the size # $dsize = (stat($message->{store}{dpath}))[7]; - $dsize = $message->{store}->dsize(); - return (-1,0, MailScanner::Config::LanguageValue($message,'satoolarge'), 0) - if $dsize > MailScanner::Config::Value('maxspamassassinsize'); + #$dsize = $message->{store}->dsize(); + #$dmax = MailScanner::Config::Value('maxspamassassinsize'); + #return (-1,0, MailScanner::Config::LanguageValue($message,'satoolarge'), 0) + # if $dsize > MailScanner::Config::Value('maxspamassassinsize'); + #MailScanner::Log::InfoLog("Truncating large message %s for SpamAssassin", + # $message->{id}) + # if $dsize > $dmax and MailScanner::Config::Value('logspam'); # Construct the array of lines of the header and body of the message # JKF 30/1/2002 Don't chop off the line endings. Thanks to Andreas Piper @@ -212,7 +213,8 @@ return (-1,0, MailScanner::Config::LanguageValue($message, 'sanoheaders'), 0) unless @WholeMessage; push(@WholeMessage, "\n"); - $message->{store}->ReadBody(\@WholeMessage); + $message->{store}->ReadBody(\@WholeMessage, + MailScanner::Config::Value('maxspamassassinsize')); #print STDERR "Whole message is this:\n"; #print STDERR "----------------------\n"; --- SMDiskStore.pm 4 Jul 2003 19:13:31 -0000 1.13 +++ SMDiskStore.pm 21 Jul 2003 18:05:01 -0000 1.14 
@@ -286,15 +286,17 @@ # Passed a ref to the array. sub ReadBody { my $this = shift; - my($body) = @_; - my($dh) = $this->{indhandle}; + my($body,$max) = @_; + my $size = 0; + my $dh = $this->{indhandle}; seek($dh, 0, 0); # Rewind the file - while(<$dh>) { + while(defined <$dh> and $size < $max) { # End of line characters are already there, so don't add them #push @{$body}, $_ . "\n"; push @{$body}, $_; + $size += length $_; } } --- ZMDiskStore.pm 4 Jul 2003 18:08:28 -0000 1.1.1.3 +++ ZMDiskStore.pm 21 Jul 2003 18:05:01 -0000 1.2 @@ -291,13 +292,15 @@ #REVISO LEOH sub ReadBody { my $this = shift; - my($body) = @_; + my($body,$max) = @_; + my $size = 0; my $b= Body->new( $this->{hdpath} ); $b->Start(); my $line; - while( $line= $b->Next() ) { + while(defined($line = $b->Next()) and $size < $max) { push @{$body}, $line; + $size += length $line; } $b->Done(); } Tony. -- f.a.n.finch http://dotat.at/ ST DAVIDS HEAD TO COLWYN BAY, INCLUDING ST GEORGES CHANNEL: SOUTH TO SOUTHEAST 5 OR 6 LOCALLY 4 VEERING SOUTHWEST TO WEST 4 OR 5, LATER EASING WEST 4 LOCALLY 3. OUTBREAKS OF RAIN AT FIRST, FOLLOWED BY SCATTERED SHOWERS THEN MAINLY FAIR. MODERATE BECOMING MAINLY GOOD LATER. SLIGHT TO MODERATE BUILDING MODERATE TO ROUGH IN THE WEST. From phil at NXTEK.NET Wed Jul 23 14:16:03 2003 From: phil at NXTEK.NET (Phil Iovino) Date: Thu Jan 12 21:19:02 2006 Subject: blocking messages with tags In-Reply-To: <000001c3504f$bac1b000$6900000a@targetsis.com.br> Message-ID: <02d301c3511c$92268d00$a6f83544@cc109252A> Is there a way to strip/remove the actual tag instead of blocking the entire message or converting it to text? > -----Original Message----- 
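Review bot: In the EximDiskStore.pm ReadBody hunk of Tony Finch's patch above (and the identical loop in the SMDiskStore.pm hunk), `while(defined <$dh> and $size < $max)` no longer assigns the line to `$_`, because Perl only makes that implicit assignment when `<$dh>` is the whole loop condition. Each line read is thrown away, and `push @{$body}, $_` and `$size += length $_` then work on whatever `$_` held before the loop, so the body content is lost and the size cap never advances. Suggest `while(defined($_ = <$dh>) and $size < $max)`, or reading into a lexical `$line` as the PFDiskStore.pm and ZMDiskStore.pm hunks do. Separately, `my($body,$max) = @_;` gives `$max` no default, so any caller that still passes one argument gets an empty body; treating an undefined `$max` as "no limit" would keep the old behaviour for such callers.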
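Review bot: In the PFDiskStore.pm hunk of the same patch, `$size += length $line + 1;` parses as `length($line + 1)`, since `length` is a named unary operator and binds more loosely than `+`. The counter therefore grows by the length of a number, not by the length of the line, and the `$size < $max` test ends up limiting roughly by line count instead of bytes. Suggest `$size += length($line) + 1;`.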
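Review bot: In the SA.pm hunk at `@@ -196,9 +193,13 @@` of the same patch, the old `satoolarge` check and the new "Truncating large message" InfoLog are both left commented out, and the commented lines refer to `$dsize` and `$dmax`, which the first SA.pm hunk no longer declares. As posted, truncation is silent. Either delete the dead lines, or declare the two variables and enable the log call so an operator can tell which messages SpamAssassin saw only in part.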
> From: MailScanner mailing list
> [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Rodrigo Scarano
> Sent: Tuesday, July 22, 2003 7:50 AM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: RES: blocking messages with tags
>
>
> Sylvain,
> I use Allow IFrame Tags = yes and Allow Object Codebase Tags = yes, but the
> line Convert Dangerous HTML To Text is set to yes. I guess I'm secure with
> this.
>
> Regards,
>
>
>
> Rodrigo Scarano
> Target Sistemas
> http://www.targetsis.com.br/
> rscarano@targetsis.com.br
>
>
> -----Original Message-----
> From: MailScanner mailing list
> [mailto:MAILSCANNER@JISCMAIL.AC.UK] On behalf of Sylvain Phaneuf
> Sent: Tuesday, 22 July 2003 06:19
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: blocking messages with tags
>
> Hi everyone,
>
> I have upgraded MS to 4.22-5 last week, and selected to block messages
> containing form tags. I am quite puzzled to see how many messages we
> have stopped because of that. It seems that a lot of genuine mail is
> coming with those form tags, e.g. from medical /scientific abstract
> services.
>
> I haven't got a clue how dangerous can these forms be. Should I
> continue stopping these messages? I noticed that a few services seem to
> know that their messages are likely to be stopped, they have the
> following line in plain text at the top of the message:
> ""If you cannot view this email, please copy and paste the following
> link into your browser:
> http://master.emedicine.com/email/radio23.html> ""
>
>
> Thanks in advance for sharing your opinions.
> > > > Sylvain > > > =========================================================== > Sylvain Phaneuf --- Computing Manager | phone : +44 (0)1865 221323 > Information Management Services Unit - Medical Sciences Division > Oxford University | email : > sylvain.phaneuf@imsu.ox.ac.uk > Room 3A25B John Radcliffe Hospital | fax : +44 (0) 1865 221322 > Oxford OX3 9DU England > =========================================================== > From mkettler at EVI-INC.COM Wed Jul 23 15:01:18 2003 From: mkettler at EVI-INC.COM (Matt Kettler) Date: Thu Jan 12 21:19:02 2006 Subject: Message larger than max testing size In-Reply-To: <200307231117.h6NBHN904424@agate.rockstone.co.uk> Message-ID: <5.2.1.1.0.20030723100039.015b9408@xanadu.evi-inc.com> At 12:16 PM 7/23/2003 +0100, Antony Stone wrote: >MailScanner has a setting Max SpamAssassin Size, which avoids doing SA checks >on very large messages. > >However, the size appears to apply to the entire incoming email, not just to >the text part of it which would be checked by SA. SA doesn't just check the "text part".. SA gets the whole message, completely un-decoded. From Antony at SOFT-SOLUTIONS.CO.UK Wed Jul 23 15:16:35 2003 
From: Antony at SOFT-SOLUTIONS.CO.UK (Antony Stone) Date: Thu Jan 12 21:19:02 2006 Subject: Message larger than max testing size In-Reply-To: <5.2.1.1.0.20030723100039.015b9408@xanadu.evi-inc.com> References: <5.2.1.1.0.20030723100039.015b9408@xanadu.evi-inc.com> Message-ID: <200307231417.h6NEH6904515@agate.rockstone.co.uk> On Wednesday 23 July 2003 3:01 pm, Matt Kettler wrote: > At 12:16 PM 7/23/2003 +0100, Antony Stone wrote: > >MailScanner has a setting Max SpamAssassin Size, which avoids doing SA > > checks on very large messages. > > > >However, the size appears to apply to the entire incoming email, not just > > to the text part of it which would be checked by SA. > > SA doesn't just check the "text part".. SA gets the whole message, > completely un-decoded. Hmm. Sounds like a slightly strange way to do it. What's the point of SpamAssassin-scanning a GIF image? Antony. -- Anything that improbable is effectively impossible. - Murray Gell-Mann, Nobel Prizewinner in Physics From TGFurnish at HERFF-JONES.COM Wed Jul 23 15:10:54 2003 From: TGFurnish at HERFF-JONES.COM (Furnish, Trever G) Date: Thu Jan 12 21:19:02 2006 Subject: Rejected e-mail Any Clues ? Message-ID: <8FFC76593085ED4A80D3601BC41EFCDF0C0735@inex1.herffjones.hj-int> The rejection is happening at the inbound sendmail layer, not in MailScanner. Are you using anything for sendmail access control besides the access database (ORDB?)? Made any changes to your hosts file, /etc/nsswitch.conf, or /etc/resolv.conf files recently? It seems to me I bumped into exactly the same message recently but I can't remember what the issue ended up being. Seems like it was a goofy mistake on my part... Sorry, hope it helps. >-----Original Message----- 
>From: Denis Croombs [mailto:denis@CROOMBS.ORG] >Sent: Tuesday, July 22, 2003 7:21 AM >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Rejected e-mail Any Clues ? > > >An e-mail was rejected by 1 of my servers currently running MailScanner >(latest version) and SpamAssassin 2.55 on a redhat 7.3 system >with Sendmail, > >The returned e-mail is:- > >-----Original Message----- >From: Info Avenue Internet Services [mailto:postmaster@InfoAve.Net] >Sent: Monday, July 21, 2003 5:16 AM >To: spw0082@xxxxxx.com >Subject: Delivery Notification: Delivery has failed > > >This report relates to a message you sent with the following >header fields: > > Message-id: > >ar04dEsKAAAAQ >AAAAiwmE/lx1vUuurCT2KKM2VAEAAAAA@xxxxxx.com> > Date: Mon, 21 Jul 2003 06:15:49 -0400 
> From: Steve spw0082@xxxxxx.com > To: Julie julie@yyyyyy.com > Subject: Meeting > >Your message cannot be delivered to the following recipients: > > Recipient address: julie@yyyyyy.com > Reason: Server rejected MAIL FROM address. > Diagnostic code: smtp;550 5.7.1 Access denied > Remote system: dns;mail.yyyyyy.com >(TCP|165.166.0.28|58988|217.199.181.62|25) > >Action: failed >Status: 5.0.0 (Server rejected MAIL FROM address.) >Original-recipient: rfc822;julie@yyyyyy.com >Final-recipient: rfc822;julie@yyyyyy.com >Remote-MTA: dns;mail.yyyyyy.com >(TCP|165.166.0.28|58988|217.199.181.62|25) >Diagnostic-code: smtp;550 5.7.1 Access denied > >**************End of returned message***************** > >In my sendmail (maillog) I have the following which are the >only entries >relating to the incoming domain & this e-mail address:- > >Jul 21 10:47:03 ns sendmail[22305]: h6L9l3322305: ruleset=check_relay, >arg1=smtp03.infoave.net, arg2=165.166.0.28, relay=smtp03.infoave.net >[165.166.0.28], reject=550 5.7.1 Access denied >Jul 21 10:47:04 ns sendmail[22305]: NOQUEUE: smtp03.infoave.net >[165.166.0.28] did not issue MAIL/EXPN/VRFY/ETRN during >connection to MTA > >Jul 21 16:46:41 ns sendmail[5948]: h6LFke305948: >from=, >size=70816, class=0, nrcpts=1, >msgid=E+JQwjar04dEs >KAAAAQAAAAGwBd8juOXkax2uIkOJdP, proto=ESMTP, daemon=MTA, >relay=smtp01.infoave.net [165.166.0.26] >Jul 21 16:46:41 ns sendmail[5948]: h6LFke305948: to=, >delay=00:00:00, mailer=virthostmail, pri=100816, stat=queued >Jul 21 16:46:42 ns MailScanner[31907]: New Batch: Scanning 1 >messages, 71369 >bytes >Jul 21 16:46:42 ns MailScanner[31907]: Spam Checks: Starting >Jul 21 16:46:44 ns MailScanner[31907]: Virus and Content >Scanning: Starting >Jul 21 16:46:44 ns MailScanner[31907]: Uninfected: Delivered 1 messages >Jul 21 16:46:44 ns virthostmail[5956]: Chrooting to >/home/virtual/site3/fst >Jul 21 16:46:44 ns sendmail[5958]: h6LFkiO05958: >from=, >size=71279, class=0, nrcpts=1, >msgid=E+JQwjar04dEs 
>KAAAAQAAAAGwBd8juOXkax2uIkOJdP, proto=ESMTP, relay=root@localhost >Jul 21 16:46:44 ns sendmail[5954]: h6LFke305948: to=, >delay=00:00:03, xdelay=00:00:00, mailer=virthostmail, pri=190816, >relay=yyyyyy.com, dsn=2.0.0, stat=Sent (h6LFkiO05958 Message >accepted for >delivery) >Jul 21 16:46:44 ns sendmail[5959]: h6LFkiO05958: to=, >delay=00:00:00, xdelay=00:00:00, mailer=local, pri=100014, dsn=2.0.0, >stat=Sent > >All clues very welcome > >Denis > From jrudd at UCSC.EDU Wed Jul 23 15:28:11 2003 
From: jrudd at UCSC.EDU (John Rudd)
Date: Thu Jan 12 21:19:02 2006
Subject: Message larger than max testing size
In-Reply-To: <200307231417.h6NEH6904515@agate.rockstone.co.uk>
Message-ID:

On Wednesday, Jul 23, 2003, at 07:16 US/Pacific, Antony Stone wrote:

>
> On Wednesday 23 July 2003 3:01 pm, Matt Kettler wrote:
>
>> At 12:16 PM 7/23/2003 +0100, Antony Stone wrote:
>>> MailScanner has a setting Max SpamAssassin Size, which avoids doing SA
>>> checks on very large messages.
>>>
>>> However, the size appears to apply to the entire incoming email, not just
>>> to the text part of it which would be checked by SA.
>>
>> SA doesn't just check the "text part".. SA gets the whole message,
>> completely un-decoded.
>
> Hmm. Sounds like a slightly strange way to do it. What's the point of
> SpamAssassin-scanning a GIF image?
>

If you send it just the mime segments, it won't catch any tell-tale signs in the headers. Or even some signs that are in the mime-encoding headers/separators. Therefore, you send it the entire message, still encoded, and it looks at every little piece of the message. I don't think any of SA's rules cover the encoded content of a GIF image, but if you don't send it EVERYTHING, it'll miss important things that it wouldn't get if you just sent it the content of certain segments.

Though, it might be an interesting exercise to see if you can re-do some of the SA structure so that you run multiple checks: do a headers only check, a mime separators check, a check for each non-binary segment's content, and then work in the whitelist/blacklist info based upon the sender and receiver. That would make it easier to avoid spending time on binary segments, but I bet it would make a bunch of things more complex and tricky than they need to be. Might be interesting to see if it actually improves anything though. You should propose it on the SA-talk list and see what they say. :-)

From dean.plant at ROKE.CO.UK Wed Jul 23 16:27:45 2003
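The split John Rudd sketches above (message headers, MIME part headers and the content of non-binary parts, with binary payloads left out), as an added example that is not SpamAssassin or MailScanner code. The sample message, the 90,000-byte limit and the function names are assumptions; the sample is built to resemble the spam Antony Stone describes, with 27 lines of text and a large GIF part.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

ASSUMED_LIMIT = 90_000  # hypothetical size limit in bytes, not a MailScanner default


def build_sample() -> bytes:
    """Constructed message: 27 short text lines plus one large binary part."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "constructed sample"
    msg.set_content("short text line\n" * 27)
    # Placeholder bytes with a GIF signature; base64 inflates them on the wire.
    msg.add_attachment(b"GIF89a" + bytes(115_000), maintype="image",
                       subtype="gif", filename="picture.gif")
    return msg.as_bytes()


def text_view(raw: bytes) -> str:
    """Keep every header block and every text/* body; drop binary bodies.

    The top-level headers and each part's MIME headers survive, so checks
    that look at headers or part declarations still have their input.
    """
    msg = message_from_bytes(raw, policy=policy.default)
    chunks = []
    for part in msg.walk():
        chunks.append("".join(f"{name}: {value}\n" for name, value in part.items()))
        if not part.is_multipart() and part.get_content_maintype() == "text":
            chunks.append(part.get_content())
    return "\n".join(chunks)


def compare(raw: bytes, limit: int = ASSUMED_LIMIT) -> dict:
    """Apply the same size limit to the whole message and to the text view."""
    view = text_view(raw).encode("utf-8")
    return {
        "whole": len(raw),
        "whole_over_limit": len(raw) > limit,
        "text_view": len(view),
        "text_view_over_limit": len(view) > limit,
    }


if __name__ == "__main__":
    print(compare(build_sample()))
```

A limit measured on the whole message skips this sample entirely, while the same limit measured on the reduced view leaves it well inside the scanning budget.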
From: dean.plant at ROKE.CO.UK (Plant, Dean) Date: Thu Jan 12 21:19:02 2006 Subject: Mailscanner corrupting pdf files Message-ID: RH 8.0 Mailscanner 4.21-9 Spamassassin/dcc/razor2 F-prot 4.1.1 A quick description of our mail setup, internal windoze exchange 5.5 server with outlook 2000 clients. All incoming and outgoing mail is relayed through a Mailscanner server. I am having a problem with pdf files corrupting when passing through the Mailscanner. If a mail with a pdf attachment is sent from one of our clients, MS exchange encodes the message as either base64 or quoted-printable format. All messages that are encoded as base64 pass through the MailScanner correctly. Quoted-printable format mails have the attachment corrupted. Turning off virus checks on Mailscanner allows the quoted-printable mails to pass through without corruption, so I assume it has something to do with: 1. Perl Mime::tools - Is this decoding / encoding the attachment correctly? 2. MS Exchange - Why encode some pdf's as base64 and some as quoted-printable 3. Different versions/creators of pdf files. Has anyone else suffered from this problem or does anyone have a suggestion as a fix. Thanks Dean Plant -- Registered Office: Roke Manor Research Ltd, Siemens House, Oldbury, Bracknell, Berkshire. RG12 8FZ The information contained in this e-mail and any attachments is confidential to Roke Manor Research Ltd and must not be passed to any third party without permission. This communication is for information only and shall not create or change any contractual relationship. From nejc.skoberne at guest.arnes.si Wed Jul 23 16:46:34 2003 
From: nejc.skoberne at guest.arnes.si (Nejc Skoberne)
Date: Thu Jan 12 21:19:02 2006
Subject: MS & AvMailGate
Message-ID: <318685377.20030723174634@guest.arnes.si>

Hi.

AvMailGate (Antivir's) provides its own SMTP server, but I would like to use Postfix+(MailScanner+AvMailGate+SpamAssassin). Does anyone have experience on this one? Does the "antivir" program, which comes with AvMailGate, work like a command line scanner, and does MS support it?

TIA, best regards.

--
Nejc Skoberne
Grajska 5
SI-5220 Tolmin
E-mail: nejc.skoberne@guest.arnes.si

From vboulytchev at COINFOTECH.COM Wed Jul 23 17:07:25 2003
From: vboulytchev at COINFOTECH.COM (Boulytchev, Vasiliy)
Date: Thu Jan 12 21:19:02 2006
Subject: _THIRD_ CommuniGate Pro - MailScanner update
Message-ID: <1958DE295D9656499ECAAD3642822DE0033FE8@willow.office.coinfotech.com>

Greetings again. Recap on the latest:

1.) It's working.
2.) no more .bad files.
3.) it's working, working, working.

I am so happy to get my servers off cgpav and sophie, I am dancing in circles. I would like to thank everyone in MailScanner / CommuniGatePRO community for their support. Thanks guys.

Vasiliy Boulytchev
Colorado Information Technologies Inc.
(719) 473-2800 x15

-----Original Message-----
From: John Rudd [mailto:jrudd@UCSC.EDU] Sent: Tuesday, July 22, 2003 6:40 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: _THIRD_ CommuniGate Pro - MailScanner update Well, there's two problems: 1) when you disabled that check in the mailscanner code (that I said you shouldn't do), it caused mailscanner to accept messages that aren't valid, and then pass them on to communigate pro, which then makes .bad files out of them. If you hadn't done that to mailscanner, they would be being built up in the /var/spool/mqueue.in directory for mailscanner, and mail scanner would be putting messages into your syslog. You should re-enable the default mailscanner code. 2) my cgp2ms script depended upon receiving a "Received:" header before printing out certain qf file variables ($_ the relay host, which it extracts from the Received header; S the sender; and the RPFD lines, the recipients). The problem is that for localhost senders, such as messages created by CommuniGate Pro's rules, it never triggered this because there are no Received headers at all, creating a message with no relay, no sender, and no recipients. I've re-worked my logic in the cgp2ms script so that when it moves from the headers to the body, if it still hasn't printed those variables, it does so (using localhost for the relay). I also re-wrote the regexp logic for extracting the relay host from the Received header (it worked for some received headers, that have both the hostname and the ip addr, but not for received headers which only list the relay's ip addr; I fixed that). So, my third update release in 2 days. Hopefully that fixes everything :-) I also re-formatted my update announcements at the top of the page. http://people.ucsc.edu/~jrudd/MailScanner John On Tuesday, Jul 22, 2003, at 15:37 US/Pacific, Boulytchev, Vasiliy wrote: > John, > Your guess was correct. It is an autoreply rule on account > "autoreply" on "mailsvc.com" domain, in CommunigatePro. By the way, > You can cross the other errors off the list. 
I have tested BCC, RPFD: > and all, the fix worked great that you release earlier. So we just > have one left, hopefully. > > THANKS!!!!!!!!!!!!!!!!!!!!! > > > > > Vasiliy Boulytchev > > Colorado Information Technologies Inc. > > (719) 473-2800 x15 > > > > > > > > > -----Original Message----- 
> From: John Rudd [mailto:jrudd@UCSC.EDU] > Sent: Tuesday, July 22, 2003 4:20 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: CommuniGate Pro - MailScanner update > > How was that bad message generated? It would appear that it was > generated without any recipients (hence the lack of lines that start > RPFD:, the sendmail queue file line indicating each recipient). Is it > being generated by CommuniGate Pro's rules? or something else? > > On Tuesday, Jul 22, 2003, at 14:56 US/Pacific, Boulytchev, Vasiliy > wrote: > > > Yet another .bad :)))))))))))))))))))) > > > > Here is the qf-blah file > > > > V4 > > T1058909914 > > K0 > > N0 > > P150900 > > HFrom: (Automatic Reply mailbox for testing) > > HDate: Tue, 22 Jul 2003 15:38:33 -0600 > > HMessage-ID: > > HX-Autogenerated: Reply > > HTo: "vasiliy boulytchev" > > HSubject: Re: > > HIn-Reply-To: <003601c3509a$4af6f4b0$3700000a@office.coinfotech.com> > > autoreply@mailsvc.com is just a mailbox on Communigate Mail Server > to > > autoreply to the message for testing purposes. > > > > > > How about messages from Daemons on Listservers? 
> > > > Here is a copy of a good qf-blah > > > > V4 > > T1058910524 > > K0 > > N0 > > P150900 > > $_ > > S > > RPFD: > > HReceived: from [209.12.32.66] (HELO willow.office.coinfotech.com) > > by mailsvc.com (CommuniGate Pro SMTP 4.0.6) > > with ESMTP id 12399741 for virus@boulytcheva.com; Tue, 22 Jul 2003 > > 15:48:43 -0600 > > HMIME-Version: 1.0 > > HContent-Type: multipart/alternative; > > boundary="----_=_NextPart_001_01C3509B.93B4BFAB" > > Hcontent-class: urn:content-classes:message > > HX-MimeOLE: Produced By Microsoft Exchange V6.0.6249.0 > > HSubject: > > HDate: Tue, 22 Jul 2003 15:52:42 -0600 > > HMessage-ID: > > <1958DE295D9656499ECAAD3642822DE0033FD7@willow.office.coinfotech.com> > > HX-MS-Has-Attach: > > HX-MS-TNEF-Correlator: > > HThread-Index: AcNQm5OBeCvE5aXeTmW62LdyGyY1eQ== > > HFrom: "Boulytchev, Vasiliy" > > HTo: "vasiliy boulytchev" > > > > > > > > Vasiliy Boulytchev > > > > Colorado Information Technologies Inc. > > > > (719) 473-2800 x15 > > > > > > > > > > > > > > > > > > -----Original Message----- 
> > From: John Rudd [mailto:jrudd@UCSC.EDU] > > Sent: Monday, July 21, 2003 4:37 PM > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: CommuniGate Pro - MailScanner update > > > > I have made an update to my scripts for using MailScanner with > > CommuniGate Pro. I have also updated the text of the CommuniGate Pro > > rule instructions (the Execute rule no longer needs the [RETPATH] nor > > [RCPT] options). > > > > This should change the problem some people noticed with ".bad" files > > showing up in the CommuniGate Pro Queue directory, due to "RPFD:" > being > > prepended to sender's addresses. This shouldn't happen any more. > > > > > > You can get the new scripts and information from: > > > > http://people.ucsc.edu/~jrudd/MailScanner > > > > > > If you have any questions, or notice any new bugs, please let me > know. > > > > (And be sure to edit your path to perl in the first line of each > > script; > > it changed in the downloads because my testing platform changed from > > Solaris to Linux) > > > > > > John Rudd > > > > > > (ps: one person has mentioned that they see some messages being cross > > delivered, but I haven't had anyone else mention this problem to me, > > nor > > have I seen it on my own servers; if you do see such a behavior, > please > > let me know right away, and try to give me plenty of context > > information) > > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030723/fae12dba/attachment.html From Steve at swaney.com Wed Jul 23 17:36:25 2003 
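The failure discussed in this thread, a qf file that reaches MailScanner with no "$_", "S" or "R" record, or with recipient flags glued onto the sender, can be checked for directly. This is an added example, not John Rudd's cgp2ms code: the function name and the sample queue files are constructed for illustration, and the record layout assumed is the V4 one quoted in the messages above.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Inspect the text of a sendmail V4 qf (queue control) file and return a
# list of problems. Records checked:
#   $_  relay the message was received from
#   S   envelope sender (the address itself may be empty, e.g. S<>)
#   R   envelope recipient, written as R<flags>:<address>, e.g. RPFD:<a@b>
sub qf_problems {
    my ($text) = @_;
    my (%seen, @problems);

    for my $line (split /\r?\n/, $text) {
        if ($line =~ /^\$_\s*\S/) {
            $seen{relay} = 1;
        }
        elsif ($line =~ /^S(.*)/) {
            my $sender = $1;
            $seen{sender} = 1;
            # Heuristic: "RPFD:" style flags belong on R records only.
            push @problems, 'sender record carries recipient flags'
                if $sender =~ /^[A-Z]+:/;
        }
        elsif ($line =~ /^R[A-Z]*:\s*\S/) {
            $seen{recipient} = 1;
        }
        # H (header) records and their indented continuation lines are
        # ignored: they say nothing about the envelope.
    }
    push @problems, 'no $_ (relay) record'    unless $seen{relay};
    push @problems, 'no S (sender) record'    unless $seen{sender};
    push @problems, 'no R (recipient) record' unless $seen{recipient};
    return @problems;
}

# Constructed sample queue files (addresses and hosts are placeholders).
my %samples = (
    'relayed message' => <<'QF',
V4
T1058910524
K0
N0
P150900
$_mail.example.org [192.0.2.10]
S<sender@example.org>
RPFD:<rcpt@example.net>
HReceived: from [192.0.2.10] (HELO mail.example.org)
	by mx.example.net with ESMTP; Tue, 22 Jul 2003 15:48:43 -0600
HSubject: test
QF
    'local autoreply' => <<'QF',
V4
T1058909914
K0
N0
P150900
HFrom: autoreply@example.net
HX-Autogenerated: Reply
HSubject: Re: test
QF
    'prefixed sender' => <<'QF',
V4
T1058910600
$_mail.example.org [192.0.2.10]
SRPFD:<sender@example.org>
RPFD:<rcpt@example.net>
HSubject: test
QF
);

for my $name (sort keys %samples) {
    my @problems = qf_problems($samples{$name});
    printf "%-18s %s\n", $name, @problems ? join('; ', @problems) : 'ok';
}
```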
From: Steve at swaney.com (Stephen Swaney) Date: Thu Jan 12 21:19:02 2006 Subject: Mailscanner corrupting pdf files In-Reply-To: References: Message-ID: <1058978185.29144.49.camel@speedy> Check the MailScanner email list archives searching for "pdf corrupt" in the Archives. Might be something of use. Steve Swaney Steve@Swaney.com On Wed, 2003-07-23 at 11:27, Plant, Dean wrote: > RH 8.0 > Mailscanner 4.21-9 > Spamassassin/dcc/razor2 > F-prot 4.1.1 > > > A quick description of our mail setup, internal windoze exchange 5.5 server > with outlook 2000 clients. All incoming and outgoing mail is relayed through > a Mailscanner server. > > I am having a problem with pdf files corrupting when passing through the > Mailscanner. If a mail with a pdf attachment is sent from one of our > clients, MS exchange encodes the message as either base64 or > quoted-printable format. All messages that are encoded as base64 pass > through the MailScanner correctly. Quoted-printable format mails have the > attachment corrupted. Turning off virus checks on Mailscanner allows the > quoted-printable mails to pass through without corruption, so I assume it > has something to do with: > > 1. Perl Mime::tools - Is this decoding / encoding the attachment correctly? > 2. MS Exchange - Why encode some pdf's as base64 and some as > quoted-printable > 3. Different versions/creators of pdf files. > > Has anyone else suffered from this problem or does anyone have a suggestion > as a fix. > > > Thanks > > Dean Plant > > -- > Registered Office: Roke Manor Research Ltd, Siemens House, Oldbury, Bracknell, > Berkshire. RG12 8FZ > > The information contained in this e-mail and any attachments is confidential to > Roke Manor Research Ltd and must not be passed to any third party without > permission. This communication is for information only and shall not create or > change any contractual relationship. -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030723/b1162c6b/attachment.html From nejc.skoberne at guest.arnes.si Wed Jul 23 17:39:54 2003 From: nejc.skoberne at guest.arnes.si (Nejc Skoberne) Date: Thu Jan 12 21:19:02 2006 Subject: MS & AvMailGate In-Reply-To: <1058977266.29144.36.camel@speedy> References: <318685377.20030723174634@guest.arnes.si> <1058977266.29144.36.camel@speedy> Message-ID: <1156636533.20030723183954@guest.arnes.si> Hi. > AntiVir appears to be supported: > http://www.fsl.com/VirusScanners.htm That appears to be "Antivir" not "AvMailGate". If I understand correctly, Antivir is a command line scanner, whilst AvMailGate is a SMTP server which uses this scanner. AvMailGate provides "antivir" program as well, but it seems that AvMailGate's licence file doesn't work with "antivir" program alone ("Program running in DEMO mode."). I guess "antivir" program runs in full-featured mode only if it is called from AvMailGate SMTP server. Not good. Thanks anyway. -- Nejc Skoberne Grajska 5 SI-5220 Tolmin E-mail: nejc.skoberne@guest.arnes.si From mhewryk at SYMCOR.COM Wed Jul 23 18:59:55 2003 
From: mhewryk at SYMCOR.COM (Magda Hewryk)
Date: Thu Jan 12 21:19:02 2006
Subject: Permission on the quarantine directories
Message-ID:

Hi,

I'm trying to work on permissions in the quarantine directory.

The idea is that Operations can log on to the mail gateway and retrieve the requested attachments if needed.

However, by default the permissions on directories in the quarantine directory are set as 700.

How can I manipulate the permissions to set the default to 770 root:smmsp the moment they are created? I can then throw Ops people into the smmsp group and this way not only root would have the ability to retrieve attachments.

Any help? Can this be accomplished?

Regards,
Magda

drwx------ 17 root root 4096 Jul 23 13:38 20030723:

drwx------ 2 root root 4096 Jul 23 06:39 h6NAd0o4013812
drwx------ 2 root root 4096 Jul 23 07:28 h6NBSto4018142
drwx------ 2 root root 4096 Jul 23 08:50 h6NCopo4026618
drwx------ 2 root root 4096 Jul 23 08:53 h6NCrko4027160
drwx------ 2 root root 4096 Jul 23 09:30 h6NDUeo4030994
drwx------ 2 root root 4096 Jul 23 09:45 h6NDixo4032760
drwx------ 2 root root 4096 Jul 23 10:05 h6NE5so4002634
drwx------ 2 root root 4096 Jul 23 10:34 h6NEWMo4005780
drwx------ 2 root root 4096 Jul 23 11:04 h6NF4Xo4009478
drwx------ 2 root root 4096 Jul 23 11:10 h6NFAko4010119
drwx------ 2 root root 4096 Jul 23 11:37 h6NFbYo4013516
drwx------ 2 root root 4096 Jul 23 13:38 h6NHclo4026919

From nejc.skoberne at guest.arnes.si Wed Jul 23 19:00:49 2003
From: nejc.skoberne at guest.arnes.si (Nejc Skoberne) Date: Thu Jan 12 21:19:03 2006 Subject: MS with AntiVir Message-ID: <170102410.20030723200049@guest.arnes.si> Hi. root@Octopussy:~# antivir virus.exe AntiVir / Linux Version 2.0.7-41 Copyright (C) 1994-2003 by H+BEDV Datentechnik GmbH. All rights reserved. Loading /usr/lib/AntiVir/antivir.vdf ... AntiVir is running in DEMO mode. VDF version: 6.20.0.46 created 23 Jul 2003 virus.exe Date: 23.07.2003 Time: 19:56:44 Size: 70 ALERT: [Eicar-Test-Signatur virus] virus.exe <<< Contains code of the Eicar-Test-Signatur virus ----- scan results ----- directories: 0 files: 1 alerts: 1 repaired: 0 deleted: 0 renamed: 0 scan time: 00:00:01 ------------------------ Thank you for using AntiVir. ----------------------------------------------------------- As you can see, antivir correctly detects the virus "virus.exe". If I attach this very file to a message and send it over Postfix+MS, it passes through. MailScanner.conf contains this: Virus Scanners = antivir If I put clamav there everything works fine. But why does AntiVir not work? Because of the "DEMO" mode? -- Nejc Skoberne Grajska 5 SI-5220 Tolmin E-mail: nejc.skoberne@guest.arnes.si From santialf at DNS.UCNET.COM.MX Wed Jul 23 19:11:12 2003 
From: santialf at DNS.UCNET.COM.MX (Alfredo Santillan Ramos) Date: Thu Jan 12 21:19:03 2006 Subject: init script for Solaris Message-ID: Hello, Does anyone have an init script for MailScanner and sendmail 8.12.x for Solaris 8 that would mind to share?. I have looked up into the init script for red hat from the mailscanner site and this is the manual way we start-up the duo: # /opt/MailScanner/bin/check_mailscanner # /usr/local/sbin/sendmail -L sm-mta -bd -OPrivacyOptions=noetrn -ODeliveryMode=queueonly -OQueueDirectory=/var/spool/mqueue.in -OPidFile=/var/run/sendmail.in.pid # /usr/local/sbin/sendmail -L sm-msp-queue -Ac -q15m # /usr/local/sbin/sendmail -L sm-mta -q15m -OPidFile=/var/run/sendmail.out.pid I appreciate your comments. Regards, J. Alfredo S. From m.sapsed at BANGOR.AC.UK Wed Jul 23 19:16:32 2003 
From: m.sapsed at BANGOR.AC.UK (Martin Sapsed) Date: Thu Jan 12 21:19:03 2006 Subject: Mailscanner corrupting pdf files References: Message-ID: <3F1ED100.5040607@bangor.ac.uk> Plant, Dean wrote: > I am having a problem with pdf files corrupting when passing through the > Mailscanner. If a mail with a pdf attachment is sent from one of our > clients, MS exchange encodes the message as either base64 or > quoted-printable format. All messages that are encoded as base64 pass > through the MailScanner correctly. Quoted-printable format mails have the > attachment corrupted. Turning off virus checks on Mailscanner allows the > quoted-printable mails to pass through without corruption, so I assume it > has something to do with: > > 1. Perl Mime::tools - Is this decoding / encoding the attachment correctly? > 2. MS Exchange - Why encode some pdf's as base64 and some as > quoted-printable > 3. Different versions/creators of pdf files. > > Has anyone else suffered from this problem or does anyone have a suggestion > as a fix. I would say that PDF's ought to be encoded base64 everytime. I also wouldn't have thought that a PDF could survive being sent as Quoted-printable? After a quick search on Google RFC 1521 states "The Quoted-Printable encoding is intended to represent data that largely consists of octets that correspond to printable characters in the ASCII character set." and by my reckoning your average PDF file doesn't fit that description! I also didn't think that MailScanner altered content of messages unless it was told to because of some condition being met (striphtml or something like that). The virus scanner should just be presented with a copy of the attachment and asked if it's ok or not. I don't think that the attachment is removed and then reattached in some way. When you say you can turn scanning off and the quoted-printable PDFs go through ok, is this (at least one of) the same q-p PDFs which gets corrupted? Not much help really am I?? 
;-) Cheers, Martin -- Martin Sapsed Information Services "Who do you say I am?" University of Wales, Bangor Jesus of Nazareth From ka at PACIFIC.NET Wed Jul 23 19:17:47 2003 
From: ka at PACIFIC.NET (Ken Anderson) Date: Thu Jan 12 21:19:03 2006 Subject: Permission on the quarantine directories In-Reply-To: References: Message-ID: <3F1ED14B.7050201@pacific.net> A good job for sudo. Just put a line in /etc/sudoers file: user ALL = NOPASSWD: /usr/local/bin/letgo.pl Then a user named 'user' can run the command letgo.pl as root. letgo.pl just puts the qf* and df* files back into the outgoing queue. This also allows you to webify the thing and have apache (using suexec to be safer) handle the operation from this machine (or another machine over ssh). You can also specify a group name for sudo - see "man sudoers" Ken A. Magda Hewryk wrote: > Hi, > > I'm trying to work on permissions in the quarantine directory. > > The idea is that Operations can log on to mail gateway and retrieve the > requested attachments if needed. > > However, by default the permissions on directories in quarantine directory > are set as 700. > > How can I manipulate with permissions to set the default to 770 root:smmsp > the moment they are created? I can then through Ops people to the smmsp > group and this way not only root would have the ability to retrieve > attachments. > > Any help? Can this be accomplished? 
> > Regards, > Magda > > drwx------ 17 root root 4096 Jul 23 13:38 20030723: > > > drwx------ 2 root root 4096 Jul 23 06:39 h6NAd0o4013812 > drwx------ 2 root root 4096 Jul 23 07:28 h6NBSto4018142 > drwx------ 2 root root 4096 Jul 23 08:50 h6NCopo4026618 > drwx------ 2 root root 4096 Jul 23 08:53 h6NCrko4027160 > drwx------ 2 root root 4096 Jul 23 09:30 h6NDUeo4030994 > drwx------ 2 root root 4096 Jul 23 09:45 h6NDixo4032760 > drwx------ 2 root root 4096 Jul 23 10:05 h6NE5so4002634 > drwx------ 2 root root 4096 Jul 23 10:34 h6NEWMo4005780 > drwx------ 2 root root 4096 Jul 23 11:04 h6NF4Xo4009478 > drwx------ 2 root root 4096 Jul 23 11:10 h6NFAko4010119 > drwx------ 2 root root 4096 Jul 23 11:37 h6NFbYo4013516 > drwx------ 2 root root 4096 Jul 23 13:38 h6NHclo4026919 > > From ctrudeau at BELLSOUTH.NET Wed Jul 23 19:28:15 2003 From: ctrudeau at BELLSOUTH.NET (Chris-Bellsouth) Date: Thu Jan 12 21:19:03 2006 Subject: Permission on the quarantine directories References: <3F1ED14B.7050201@pacific.net> Message-ID: <020401c35148$2f015ee0$5702010a@mscore.trusecure.net> > A good job for sudo. > Just put a line in /etc/sudoers file: > user ALL = NOPASSWD: /usr/local/bin/letgo.pl > Then a user named 'user' can run the command letgo.pl as root. > letgo.pl just puts the qf* and df* files back into the outgoing queue. > This also allows you to webify the thing and have apache (using suexec > to be safer) handle the operation from this machine (or another machine > over ssh). This is good stuff...now where can one find this storied "letgo.pl" Or would one have to write it themselves? CT From dgeorgiades at POWERENG.COM Wed Jul 23 19:58:50 2003 From: dgeorgiades at POWERENG.COM (Derrick Georgiades) Date: Thu Jan 12 21:19:03 2006 Subject: init script for Solaris Message-ID: These work on Solaris 9, should work fine for 8. Derrick Georgiades -----Original Message----- 
From: Alfredo Santillan Ramos [mailto:santialf@DNS.UCNET.COM.MX]
Sent: Wednesday, July 23, 2003 12:11 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: init script for Solaris

Hello,

Does anyone have an init script for MailScanner and sendmail 8.12.x for Solaris 8 that would mind to share? I have looked up into the init script for red hat from the mailscanner site and this is the manual way we start-up the duo:

# /opt/MailScanner/bin/check_mailscanner
# /usr/local/sbin/sendmail -L sm-mta -bd -OPrivacyOptions=noetrn -ODeliveryMode=queueonly -OQueueDirectory=/var/spool/mqueue.in -OPidFile=/var/run/sendmail.in.pid
# /usr/local/sbin/sendmail -L sm-msp-queue -Ac -q15m
# /usr/local/sbin/sendmail -L sm-mta -q15m -OPidFile=/var/run/sendmail.out.pid

I appreciate your comments.

Regards,

J. Alfredo S.

-------------- next part --------------
#!/sbin/sh
#
#
process=MailScanner
virusdir="/opt/MailScanner/bin"
config="/opt/MailScanner/etc/MailScanner.conf"
SERVER_PID_FILE="/queue/MailScanner/var/MailScanner.pid"
PID_CHECK=`/usr/bin/ps -e -o pid -o args | /usr/bin/fgrep $virusdir/$process | /usr/bin/grep -v grep | /usr/bin/sed -e 's/^ *//' -e 's/ .*//'`

case "$1" in
'restart')
    $0 stop
    $0 start
    ;;
'start')
    if [ "$PID_CHECK" = "" ]; then
        PATH=${virusdir}:$PATH
        echo Starting virus scanner...
        $process $config
    else
        echo Running with pid $PID_CHECK
    fi
    ;;
'stop')
    [ -f $SERVER_PID_FILE ] && kill `head -1 $SERVER_PID_FILE`
    /usr/bin/pkill -x MailScanner
    ;;
*)
    echo "Usage: $0 { start | stop | restart }"
    exit 1
    ;;
esac
exit 0
-------------- next part --------------
#!/sbin/sh
#
# Copyright (c) 1992 - 2001 by Sun Microsystems, Inc.
# All rights reserved.
#
#ident "@(#)sendmail 1.19 01/12/05 SMI"

ERRMSG1='WARNING: /var/mail is NFS-mounted without setting actimeo=0,'
ERRMSG2='this can cause mailbox locking and access problems.'
SERVER_PID_FILE="/var/run/sendmail.pid"
CLIENT_PID_FILE="/queue/sendmailqueue.pid"
DEFAULT_FILE="/etc/default/sendmail"
ALIASES_FILE="/etc/mail/aliases"

check_queue_interval_syntax()
{
    default="15m"
    if [ $# -lt 1 ]; then
        answer=$default
        return
    fi
    if echo $1 | egrep '^([0-9]*[1-9][0-9]*[smhdw])+$' >/dev/null 2>&1; then
        answer=$1
    else
        answer=$default
    fi
}

case "$1" in
'start')
    if [ -f /usr/lib/sendmail -a -f /etc/mail/sendmail.cf ]; then
        if [ ! -d /queue/mqueue ]; then
            /usr/bin/mkdir -m 0750 /queue/mqueue
            /usr/bin/chown root:bin /queue/mqueue
        fi
        if [ ! -f $ALIASES_FILE.db ] && [ ! -f $ALIASES_FILE.dir ] \
            && [ ! -f $ALIASES_FILE.pag ]; then
            /usr/sbin/newaliases
        fi
        MODE="-bd"
        OPTIONS="-ODeliveryMode=queueonly -OQueueDirectory=/queue/mqueue.in"
        [ -f $DEFAULT_FILE ] && . $DEFAULT_FILE
        #
        # * MODE should be "-bd" or null (MODE= or MODE="") or
        #   left alone. Anything else and you're on your own.
        # * QUEUEOPTION should be "p" or null (as above).
        # * [CLIENT]QUEUEINTERVAL should be set to some legal value;
        #   sanity checks are done below.
        # * [CLIENT]OPTIONS are catch-alls; set with care.
        #
        if [ -n "$QUEUEOPTION" -a "$QUEUEOPTION" != "p" ]; then
            QUEUEOPTION=""
        fi
        if [ -z "$QUEUEOPTION" -o -n "$QUEUEINTERVAL" ]; then
            check_queue_interval_syntax $QUEUEINTERVAL
            QUEUEINTERVAL=$answer
        fi
        check_queue_interval_syntax $CLIENTQUEUEINTERVAL
        CLIENTQUEUEINTERVAL=$answer
        /usr/lib/sendmail $MODE $OPTIONS &
        /usr/lib/sendmail -q$QUEUEINTERVAL $CLIENTOPTIONS -OPidFile=$CLIENT_PID_FILE &
        #
        # ETRN_HOSTS should be of the form
        # "s1:c1.1,c1.2 s2:c2.1 s3:c3.1,c3.2,c3.3"
        # i.e., white-space separated groups of server:client where
        # client can be one or more comma-separated names; N.B. that
        # the :client part is optional; see etrn(1M) for details.
        # server is the name of the server to prod; a mail queue run
        # is requested for each client name. This is comparable to
        # running "/usr/lib/sendmail -qRclient" on the host server.
        #
        # See RFC 1985 for more information.
        #
        for i in $ETRN_HOSTS; do
            SERVER=`echo $i | /usr/bin/sed -e 's/:.*$//'`
            CLIENTS=`echo $i | /usr/bin/sed -n -e 's/,/ /g' \
                -e '/:/s/^.*://p'`
            /usr/sbin/etrn $SERVER $CLIENTS >/dev/null 2>&1 &
        done
    fi
    if /usr/bin/nawk 'BEGIN{s = 1}
        $2 == "/var/mail" && $3 == "nfs" && $4 !~ /actimeo=0/ &&
        $4 !~ /noac/{s = 0} END{exit s}' /etc/mnttab; then
        /usr/bin/logger -p mail.crit "$ERRMSG1"
        /usr/bin/logger -p mail.crit "$ERRMSG2"
    fi
    ;;
'stop')
    [ -f $SERVER_PID_FILE ] && kill `head -1 $SERVER_PID_FILE`
    if [ -f $CLIENT_PID_FILE ]; then
        kill `head -1 $CLIENT_PID_FILE`
        rm -f $CLIENT_PID_FILE
    fi
    /usr/bin/pkill -x -u 0 sendmail
    ;;
*)
    echo "Usage: $0 { start | stop }"
    exit 1
    ;;
esac
exit 0

From ka at PACIFIC.NET Wed Jul 23 21:31:05 2003
From: ka at PACIFIC.NET (Ken Anderson)
Date: Thu Jan 12 21:19:03 2006
Subject: Permission on the quarantine directories
In-Reply-To: <020401c35148$2f015ee0$5702010a@mscore.trusecure.net>
References: <3F1ED14B.7050201@pacific.net> <020401c35148$2f015ee0$5702010a@mscore.trusecure.net>
Message-ID: <3F1EF089.9090108@pacific.net>

Chris-Bellsouth wrote:
>>A good job for sudo.
>>Just put a line in /etc/sudoers file:
>>user ALL = NOPASSWD: /usr/local/bin/letgo.pl
>>Then a user named 'user' can run the command letgo.pl as root.
>>letgo.pl just puts the qf* and df* files back into the outgoing queue.
>>This also allows you to webify the thing and have apache (using suexec
>>to be safer) handle the operation from this machine (or another machine
>>over ssh).
>
>
> This is good stuff...now where can one find this storied "letgo.pl" Or
> would one have to write it themselves?
>
> CT
>
>

Nothing fancy...

------------- snip ----------
#!/usr/bin/perl
#
# the fullpath can be obtained
# from the email sent to the customer
# based on reports/en/stored.filename.message.txt
# using $quarantinedir/$datenumber/$id
#
use strict;
use warnings;

die "Usage: $0 [full path to msgid directory]\n" if ($#ARGV < 0);
my $fullpath = $ARGV[0];

# \A and \z anchor the whole argument, so a trailing newline is rejected
# before the path is interpolated into the shell command below.
if ($fullpath !~ /\A\/var\/spool\/MailScanner\/quarantine\/\d\d\d\d\d\d\d\d\/[a-zA-Z0-9]+\z/) {
    print "Bad Input\n";
}
else {    # path looks okay
    my $res = system("cp $fullpath/qf* $fullpath/df* /var/spool/mqueue/");
    if ($res != 0) {
        print "No such message found\n";
    }
    else {
        print "$fullpath has been released from quarantine\n";
    }
}
------- snip ---------
(note email client wraps long lines)

Ken

From raymond at PROLOCATION.NET Wed Jul 23 22:27:04 2003
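A script run as root through a NOPASSWD sudoers entry is the whole trust boundary between the operator and the mail queue, so its argument handling is worth tightening. The following is an added example, not Ken Anderson's script: a variant that takes the date and message id separately, never calls a shell, refuses symlinked paths, and copies df files before qf files. The function name and the temporary demo tree are constructed; the message id is one from the directory listing earlier in the thread.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Cwd        qw(realpath);
use File::Copy qw(copy);
use File::Path qw(make_path);
use File::Temp qw(tempdir);

# Copy one quarantined message's df* and qf* files into the outgoing queue.
# Returns the number of files copied; dies with a short reason otherwise.
sub release_message {
    my ($quarantine_root, $queue_dir, $date, $id) = @_;

    # \A and \z anchor the whole string; a trailing newline is rejected,
    # which a pattern ending in $ would let through.
    die "bad date\n"       unless defined $date && $date =~ /\A\d{8}\z/;
    die "bad message id\n" unless defined $id   && $id   =~ /\A[A-Za-z0-9]+\z/;

    my $root = realpath($quarantine_root);
    die "no quarantine root\n" unless defined $root && -d $root;
    die "no such message\n"    unless -d "$root/$date/$id";

    # If resolving symlinks changes the path, something in the tree points
    # elsewhere; refuse rather than copy from an unexpected location.
    my $dir = realpath("$root/$date/$id");
    die "path escapes quarantine\n"
        unless defined $dir && $dir eq "$root/$date/$id";

    opendir(my $dh, $dir) or die "cannot read message directory: $!\n";
    my @names = grep { /\A[dq]f[A-Za-z0-9]+\z/ && -f "$dir/$_" && !-l "$dir/$_" }
                readdir $dh;
    closedir $dh;

    my @df = sort grep { /\Adf/ } @names;
    my @qf = sort grep { /\Aqf/ } @names;
    die "message is incomplete\n" unless @df && @qf;

    # Data files first; control files are written under a tf name and then
    # renamed, so a queue runner never sees a qf file without its df file.
    for my $name (@df) {
        copy("$dir/$name", "$queue_dir/$name") or die "copy $name failed: $!\n";
    }
    for my $name (@qf) {
        (my $tmp = $name) =~ s/\Aqf/tf/;
        copy("$dir/$name", "$queue_dir/$tmp")       or die "copy $name failed: $!\n";
        rename("$queue_dir/$tmp", "$queue_dir/$name") or die "rename $name failed: $!\n";
    }
    return scalar(@df) + scalar(@qf);
}

# Demonstration on a constructed quarantine tree in a temporary directory.
my $base  = tempdir(CLEANUP => 1);
my $quar  = "$base/quarantine";
my $queue = "$base/mqueue";
make_path("$quar/20030723/h6NAd0o4013812", $queue);
for my $file (qw(qfh6NAd0o4013812 dfh6NAd0o4013812)) {
    open(my $fh, '>', "$quar/20030723/h6NAd0o4013812/$file") or die "$file: $!\n";
    print {$fh} "constructed sample\n";
    close $fh;
}

for my $case (['20030723', 'h6NAd0o4013812'],      # valid
              ['20030723', "h6NAd0o4013812\n"],    # trailing newline
              ['20030723', '../../etc'],           # traversal attempt
              ['20030724', 'h6NAd0o4013812']) {    # no such date directory
    my ($date, $id) = @$case;
    my $count = eval { release_message($quar, $queue, $date, $id) };
    my $error = $@;
    chomp $error;
    (my $shown = $id) =~ s/\n/\\n/g;
    printf "%-9s %-18s %s\n", $date, $shown,
        defined $count ? "released $count files" : "refused: $error";
}

opendir(my $qh, $queue) or die "cannot read queue: $!\n";
print "queue now holds: ", join(' ', sort grep { !/\A\./ } readdir $qh), "\n";
closedir $qh;
```

In a real deployment the two directory arguments would be fixed constants inside the script rather than parameters, leaving the date and id as the only caller-controlled input.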
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:19:03 2006 Subject: MS with AntiVir In-Reply-To: <170102410.20030723200049@guest.arnes.si> Message-ID: Hi! > VDF version: 6.20.0.46 created 23 Jul 2003 > > virus.exe > Date: 23.07.2003 Time: 19:56:44 Size: 70 > ALERT: [Eicar-Test-Signatur virus] virus.exe <<< Contains code of the > Eicar-Test-Signatur virus > work? Because of the "DEMO" mode? Most likely the output changed ? Bye, Raymond. From sanjay.patel at REXWIRE.COM Thu Jul 24 00:48:42 2003 From: sanjay.patel at REXWIRE.COM (Sanjay K. Patel) Date: Thu Jan 12 21:19:03 2006 Subject: More spam after spamassain upgrade Message-ID: <003901c35174$f645c690$6f01a8c0@Laptop1> We are seeing more spam getting through after upgrading spam assassin to the latest version. Even the buy Norton cheap spam is getting through. All the spam scores below our threshold of 5. Have the spammers got smarter or do we need to fine tune something? SKP From m.sapsed at BANGOR.AC.UK Thu Jul 24 12:22:46 2003 
From: m.sapsed at BANGOR.AC.UK (Martin Sapsed) Date: Thu Jan 12 21:19:03 2006 Subject: More spam after spamassain upgrade References: <003901c35174$f645c690$6f01a8c0@Laptop1> Message-ID: <3F1FC186.7060302@bangor.ac.uk> Sanjay K. Patel wrote: > We are seeing more spam getting through after upgrading spam assassin to the > latest version. Even the buy Norton cheap spam is getting through. All the > spam scores below our threshold of 5. > > Have the spammers got smarter or do we need to fine tune something? Can you post the headers for e.g. a "buy Norton cheap" message which got through - the categories SA lists might help us to advise you. Which version do you mean by "the latest version"? What platform? What version of MailScanner etc etc I'm using a copy of 2.60 from a little while ago along with DCC (with it's score raised) and virtually nothing gets passed that. Cheers Martin -- Martin Sapsed Information Services "Who do you say I am?" University of Wales, Bangor Jesus of Nazareth From nejc.skoberne at guest.arnes.si Thu Jul 24 12:41:41 2003 From: nejc.skoberne at guest.arnes.si (Nejc Skoberne) Date: Thu Jan 12 21:19:03 2006 Subject: MS with AntiVir In-Reply-To: References: Message-ID: <1435484784.20030724134141@guest.arnes.si> Hi. >> work? Because of the "DEMO" mode? > Most likely the output changed ? Can I fix it by myself? I checked antivir-wrapper but this is not the right place to fix this, right? -- Nejc Skoberne Grajska 5 SI-5220 Tolmin E-mail: nejc.skoberne@guest.arnes.si From Antony at SOFT-SOLUTIONS.CO.UK Thu Jul 24 13:12:32 2003 
From: Antony at SOFT-SOLUTIONS.CO.UK (Antony Stone) Date: Thu Jan 12 21:19:03 2006 Subject: MS with AntiVir In-Reply-To: <1435484784.20030724134141@guest.arnes.si> References: <1435484784.20030724134141@guest.arnes.si> Message-ID: <200307241213.h6OCD5905076@agate.rockstone.co.uk> On Thursday 24 July 2003 12:41 pm, Nejc Skoberne wrote: > Hi. > > >> work? Because of the "DEMO" mode? > > > > Most likely the output changed ? > > Can I fix it by myself? I checked antivir-wrapper but this is not the > right place to fix this, right? Why not get yourself a private non-commercial licence - it's free, and of course you're not using a demo product for commercial purposes anyway, are you :) ? Antony. -- This is not a rehearsal. This is Real Life. From nejc.skoberne at guest.arnes.si Thu Jul 24 13:20:11 2003 From: nejc.skoberne at guest.arnes.si (Nejc Skoberne) Date: Thu Jan 12 21:19:03 2006 Subject: MS with AntiVir In-Reply-To: <200307241213.h6OCD5905076@agate.rockstone.co.uk> References: <1435484784.20030724134141@guest.arnes.si> <200307241213.h6OCD5905076@agate.rockstone.co.uk> Message-ID: <866364121.20030724142011@guest.arnes.si> Hi. > Why not get yourself a private non-commercial licence - it's free, and of > course you're not using a demo product for commercial purposes anyway, are > you :) ? We bought licences some time ago. I was quite satisfied with avgated daemon, but Postfix+MS is better. So we plan to change antivirus software vendor. In the meanwhile, I would like to use the DEMO version (although we actually bought the licence for scanning 25 mailboxes - so noone can sue me - I am just scanning my mailboxes with software I bought - I don't really care if it says "DEMO" when I am running it, since I don't do system scans with antivir). -- Nejc Skoberne Grajska 5 SI-5220 Tolmin E-mail: nejc.skoberne@guest.arnes.si From Antony at SOFT-SOLUTIONS.CO.UK Thu Jul 24 13:28:57 2003 
From: Antony at SOFT-SOLUTIONS.CO.UK (Antony Stone) Date: Thu Jan 12 21:19:03 2006 Subject: MS with AntiVir In-Reply-To: <866364121.20030724142011@guest.arnes.si> References: <200307241213.h6OCD5905076@agate.rockstone.co.uk> <866364121.20030724142011@guest.arnes.si> Message-ID: <200307241229.h6OCTV905085@agate.rockstone.co.uk> On Thursday 24 July 2003 1:20 pm, Nejc Skoberne wrote: > Hi. > > > Why not get yourself a private non-commercial licence - it's free, and of > > course you're not using a demo product for commercial purposes anyway, > > are you :) ? > > We bought licences some time ago. I was quite satisfied with avgated > daemon, but Postfix+MS is better. So we plan to change antivirus > software vendor. In the meanwhile, I would like to use the DEMO version > (although we actually bought the licence for scanning 25 mailboxes - > so noone can sue me - I am just scanning my mailboxes with software I > bought - I don't really care if it says "DEMO" when I am running it, > since I don't do system scans with antivir). But if MS does mind that it says "DEMO" then I would think the easiest solution to the problem is to put one of your licences onto the machine you're testing with, and then MS won't complain any more. Regards, Antony. -- 90% of network problems are routing problems. 9 of the remaining 10% are routing problems in the other direction. The remaining 1% might be something else, but check the routing anyway. From maxsec at TOTALISE.CO.UK Thu Jul 24 13:32:19 2003 
From: maxsec at TOTALISE.CO.UK (Martin Hepworth) Date: Thu Jan 12 21:19:03 2006 Subject: sql logging problem Message-ID: <3F1FD1D3.5010009@totalise.co.uk> Hi all well back on task getting MS going and helping Steve with the mailwatch frontend. Got everything going on a FreeBSD 4.8 box, but when I enable the SQLlogging feature I get the following error in the maillog: Jul 24 13:17:46 soloman MailScanner[61873]: Cannot insert row: MySQL server has gone away mail gets delivered etc, but I obviously get no logs.. any pointers as to where to look? -- Martin From nejc.skoberne at guest.arnes.si Thu Jul 24 13:38:50 2003 From: nejc.skoberne at guest.arnes.si (Nejc Skoberne) Date: Thu Jan 12 21:19:03 2006 Subject: MS with AntiVir In-Reply-To: <200307241229.h6OCTV905085@agate.rockstone.co.uk> References: <200307241213.h6OCD5905076@agate.rockstone.co.uk> <866364121.20030724142011@guest.arnes.si> <200307241229.h6OCTV905085@agate.rockstone.co.uk> Message-ID: <45221420.20030724143850@guest.arnes.si> Hi. > But if MS does mind that it says "DEMO" then I would think the easiest > solution to the problem is to put one of your licences onto the machine > you're testing with, and then MS won't complain any more. MS doesn't say anything. "Antivir" says "DEMO". MS works like everything is fine (but viruses are not blocked). -- Nejc Skoberne Grajska 5 SI-5220 Tolmin E-mail: nejc.skoberne@guest.arnes.si From mikea at MIKEA.ATH.CX Thu Jul 24 13:40:35 2003 
From: mikea at MIKEA.ATH.CX (mikea) Date: Thu Jan 12 21:19:03 2006 Subject: sql logging problem In-Reply-To: <3F1FD1D3.5010009@totalise.co.uk>; from maxsec@TOTALISE.CO.UK on Thu, Jul 24, 2003 at 01:32:19PM +0100 References: <3F1FD1D3.5010009@totalise.co.uk> Message-ID: <20030724074035.B25528@mikea.ath.cx> On Thu, Jul 24, 2003 at 01:32:19PM +0100, Martin Hepworth wrote: > Hi all > > well back on task getting MS going and helping Steve with the mailwatch > frontend. > > Got everything going on a FreeBSD 4.8 box, but when I enable the > SQLlogging feature I get the following error in the maillog: > > Jul 24 13:17:46 soloman MailScanner[61873]: Cannot insert row: MySQL > server has gone away > > > mail gets delivered etc, but I obviously get no logs.. > > any pointers as to where to look? It's hard to say much about this without knowing your setup. Have a look at your config to see where it thinks the SQL server should be, and see if there's something running there that is listening for SQL queries. On my test MySQL box here at work, the server listens on TCP port 3306, but you or your database troops may have changed that on your server. -- Mike Andrews mikea@mikea.ath.cx Tired old sysadmin since 1964 From maxsec at TOTALISE.CO.UK Thu Jul 24 13:50:48 2003 
From: maxsec at TOTALISE.CO.UK (Martin Hepworth) Date: Thu Jan 12 21:19:03 2006 Subject: sql logging problem In-Reply-To: <20030724074035.B25528@mikea.ath.cx> References: <3F1FD1D3.5010009@totalise.co.uk> <20030724074035.B25528@mikea.ath.cx> Message-ID: <3F1FD628.4050509@totalise.co.uk> mikea wrote: > On Thu, Jul 24, 2003 at 01:32:19PM +0100, Martin Hepworth wrote: > >>Hi all >> >>well back on task getting MS going and helping Steve with the mailwatch >>frontend. >> >>Got everything going on a FreeBSD 4.8 box, but when I enable the >>SQLlogging feature I get the following error in the maillog: >> >>Jul 24 13:17:46 soloman MailScanner[61873]: Cannot insert row: MySQL >>server has gone away >> >> >>mail gets delivered etc, but I obviously get no logs.. >> >>any pointers as to where to look? > > > It's hard to say much about this without knowing your setup. Have a > look at your config to see where it thinks the SQL server should be, > and see if there's something running there that is listening for > SQL queries. On my test MySQL box here at work, the server listens > on TCP port 3306, but you or your database troops may have changed > that on your server. > Mike it connects OK (had errors when the passwd was wrong for example), but when it its trying to insert to row it barfs out.. -- martin From s.kelly at ayrcoll.ac.uk Thu Jul 24 14:24:32 2003 
From: s.kelly at ayrcoll.ac.uk (Shane Kelly)
Date: Thu Jan 12 21:19:03 2006
Subject: sql logging problem
In-Reply-To: <3F1FD1D3.5010009@totalise.co.uk>
References: <3F1FD1D3.5010009@totalise.co.uk>
Message-ID: <200307241424.33042.s.kelly@ayrcoll.ac.uk>

Hi

On Thursday 24 July 2003 1:32 pm, Martin Hepworth wrote:
> Hi all
>
> well back on task getting MS going and helping Steve with the mailwatch
> frontend.
>
> Got everything going on a FreeBSD 4.8 box, but when I enable the
> SQLlogging feature I get the following error in the maillog:
>
> Jul 24 13:17:46 soloman MailScanner[61873]: Cannot insert row: MySQL
> server has gone away
>
>
> mail gets delivered etc, but I obviously get no logs..
>
> any pointers as to where to look?
>
> --
> Martin

Just a thought ... Does the connecting user have the update/write
privilege on the database/table?

Regards,
Shane.

--
Shane Kelly
Network Infrastructure Manager
01292 293577 (Direct line)

WindowError:010 Reserved for future mistakes

From maxsec at TOTALISE.CO.UK Thu Jul 24 14:57:36 2003
From: maxsec at TOTALISE.CO.UK (Martin Hepworth)
Date: Thu Jan 12 21:19:03 2006
Subject: sql logging problem
In-Reply-To: <3F1FD1D3.5010009@totalise.co.uk>
References: <3F1FD1D3.5010009@totalise.co.uk>
Message-ID: <3F1FE5D0.5060601@totalise.co.uk>

Hmm the plot thickens....

If I use the values as given, there are 'empty' or null values being put
in the string. When I use this syntax on a manual insert mysql complains
about syntax error. However if I fill in these values to be the default
then it's fine and the insert happens...
eg

insert into maillog values ( '2003-07-24 14:40:57', 'h6ODerXL062460',
1066, 'martinh@soloman.solid-state-logic.com',
'martinh@solid-state-logic.com', 'test9', '127.0.0.1', , 0, 0, , , 0, 0,
, 0, 0, 0, , 'soloman.solid-state-logic.com');

doesn't work..

insert into maillog values ( '2003-07-24 14:40:57', 'h6ODerXL062460',
1066, 'martinh@soloman.solid-state-logic.com',
'martinh@solid-state-logic.com', 'test9', '127.0.0.1',0 , 0, 0,0 ,0 , 0,
0,0 , 0, 0, 0,0 , 'soloman.solid-state-logic.com');

does work..

mysql is version 4.0.13

time to hit the manuals..

--
Martin

From steve.douglas at SBIINCORPORATED.COM Thu Jul 24 15:52:53 2003
From: steve.douglas at SBIINCORPORATED.COM (Steve Douglas)
Date: Thu Jan 12 21:19:03 2006
Subject: Whitelisted
Message-ID: <3963522F0E71474CB14C0FF54A6914F70142FA69@mail.gardenbotanika.com>

I am even more confused. As my eyes glaze over.

-----Original Message-----
From: Stephen Swaney [mailto:Steve@swaney.com]
Sent: Tuesday, July 22, 2003 3:38 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Whitelisted

Actually I placed Ken A, Pacific.Net's excellent solution for this in the
MailScanner FAQ.

http://www.sng.ecs.soton.ac.uk/mailscanner/serve/cache/169.html

How easy can it get.

Steve
Steve Swaney
steve@swaney.com

On Tue, 2003-07-22 at 16:19, Derek Winkler wrote:

See earlier thread on splitting messages with multiple recipients into
messages with one recipient each as a workaround.

-----Original Message-----
From: Matt Kettler [mailto:mkettler@EVI-INC.COM]
Sent: Tuesday, July 22, 2003 4:16 PM
To: MAILSCANNER@jiscmail.ac.uk
Subject: Re: Whitelisted

At 12:00 PM 7/22/2003 -0600, Dustin Baer wrote:
> > Dustin,
> > Maybe that is where my misunderstanding is. I thought, that would turn off
> > spam filtering for that user only. Does that say anything addressed to that
> > user and anyone else, will go through?
>
>Hi Kris,
>
>As far as I understand MailScanner's whitelisting, if one recipient is
>in the whitelist, all recipients receive the message. I have run into
>your situation also, and refuse to whitelist recipient names here, if I
>see that they receive a high volume of spam. I don't want other people
>getting spam, just because they want their name whitelisted.
>
>I am sure someone will correct me, if I have mis-stated how MailScanner
>operates its whitelist.

That is correct. And this "problem" is a fundamental limit of running at
the MTA layer. It's not a bug, or a mistake, it's a design tradeoff between
flexibility and efficiency.

Mailscanner runs at the MTA layer, not the MDA layer, so there is not one
copy of the message per user when MS sees it.. there's just one message
with many recipients. Thus MailScanner can only whitelist that one message,
or not whitelist it. There is no such thing as "well, later when you go to
deliver this, give these guys this copy, and that guy this other version".
It's one message, and they'll all get the same message, all MailScanner can
do is edit it.

Running at the MTA layer is much more efficient, because you only scan the
message once, but it inherently has limits on "per user" customization. The
MTA layer is the ideal spot to do virus scanning, because you rarely want
user-specific behaviors for virus scanning. However doing spam scanning at
the MTA layer is somewhat limiting if you've got users that need
"exceptions".

Personally I deal with it by creating custom SpamAssassin rules instead of
whitelists.
This gives me the ability to target specific kinds of messages,
rather than specific sources or destinations. If I have to do a whitelist,
I try to make it a "fromto" type whitelist where it winds up narrowly
defined. I never use To: type whitelists, and I avoid simple From:
whitelists as well.

From richard_cipher at YAHOO.COM Thu Jul 24 16:01:57 2003
From: richard_cipher at YAHOO.COM (Evert Ford)
Date: Thu Jan 12 21:19:03 2006
Subject: sql logging problem
In-Reply-To: <3F1FE5D0.5060601@totalise.co.uk>
Message-ID:

I use the same version of MySQL you do and have worked with it quite a bit.

What always works for me when I have a null value is NULL (and this is what
the manual recommends, btw).

to modify your insert with this:

insert into maillog values ( '2003-07-24 14:40:57', 'h6ODerXL062460',
1066, 'martinh@soloman.solid-state-logic.com',
'martinh@solid-state-logic.com', 'test9', '127.0.0.1', NULL, 0, 0, NULL,
NULL, 0, 0,
NULL, 0, 0, 0, NULL, 'soloman.solid-state-logic.com');

In MySQL NULL is not equal to either the empty string ("") or 0. and logic
testing proves this.

I hope this helps,

Evert Ford
Information Analyst
Westone Laboratories
http://www.westone.com

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Martin Hepworth
Sent: Thursday, July 24, 2003 7:58 AM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: sql logging problem

Hmm the plot thickens....

If I use the values as given, there are 'empty' or null values being put
in the string. When I use this syntax on a manual insert mysql complains
about syntax error. However if I fill in these values to be the default
then it's fine and the insert happens...
eg

insert into maillog values ( '2003-07-24 14:40:57', 'h6ODerXL062460',
1066, 'martinh@soloman.solid-state-logic.com',
'martinh@solid-state-logic.com', 'test9', '127.0.0.1', , 0, 0, , , 0, 0,
, 0, 0, 0, , 'soloman.solid-state-logic.com');

doesn't work..

insert into maillog values ( '2003-07-24 14:40:57', 'h6ODerXL062460',
1066, 'martinh@soloman.solid-state-logic.com',
'martinh@solid-state-logic.com', 'test9', '127.0.0.1',0 , 0, 0,0 ,0 , 0,
0,0 , 0, 0, 0,0 , 'soloman.solid-state-logic.com');

does work..

mysql is version 4.0.13

time to hit the manuals..

--
Martin

From ka at PACIFIC.NET Thu Jul 24 16:25:25 2003
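The failing and working INSERT statements from the "sql logging problem" thread above, reproduced as an added example (this is not MailScanner's SQL logging code, which is Perl). Python's built-in sqlite3 stands in for MySQL and the column names are assumptions. Pasting values into the SQL text produces the ", ," gaps, while bound parameters send a missing value as NULL and also survive an apostrophe in a sender-controlled field; Perl DBI placeholders bind undef as NULL in the same way.

```python
import sqlite3

# Hypothetical column names: the thread only shows that the table takes 20 values.
COLUMNS = (["logged_at", "msg_id", "size", "from_address", "to_address",
            "subject", "clientip"]
           + ["field%d" % n for n in range(8, 20)]
           + ["hostname"])

# The row from the thread; None marks the positions that were empty in the
# INSERT that "doesn't work".
ROW_WITH_GAPS = ['2003-07-24 14:40:57', 'h6ODerXL062460', 1066,
                 'martinh@soloman.solid-state-logic.com',
                 'martinh@solid-state-logic.com', 'test9', '127.0.0.1',
                 None, 0, 0, None, None, 0, 0, None, 0, 0, 0, None,
                 'soloman.solid-state-logic.com']

# Constructed variant: same row, but the subject contains an apostrophe.
ROW_WITH_QUOTE = list(ROW_WITH_GAPS)
ROW_WITH_QUOTE[5] = "it's a test"


def open_log_db():
    """In-memory stand-in for the maillog table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE maillog (%s)" % ", ".join(COLUMNS))
    return conn


def interpolated_sql(values):
    """Build the statement by pasting values into the SQL text.

    A missing value becomes an empty string, which is how the ', ,'
    gaps in the failing statement arise.
    """
    parts = []
    for value in values:
        if value is None:
            parts.append("")
        elif isinstance(value, (int, float)):
            parts.append(str(value))
        else:
            parts.append("'%s'" % value)
    return "insert into maillog values (%s)" % ", ".join(parts)


def insert_interpolated(conn, values):
    """Return True if the pasted-together statement was accepted."""
    try:
        conn.execute(interpolated_sql(values))
        return True
    except sqlite3.Error:
        return False


def insert_bound(conn, values):
    """Insert with one placeholder per column; None is sent as NULL."""
    placeholders = ", ".join("?" for _ in COLUMNS)
    conn.execute("insert into maillog values (%s)" % placeholders, values)
    return True


if __name__ == "__main__":
    db = open_log_db()
    print(interpolated_sql(ROW_WITH_GAPS))
    for name, row in (("gaps", ROW_WITH_GAPS), ("apostrophe", ROW_WITH_QUOTE)):
        print(name, "interpolated ok:", insert_interpolated(db, row))
        print(name, "bound ok:", insert_bound(db, row))
    print(db.execute("SELECT subject, field8, field9 FROM maillog").fetchall())
```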
From: ka at PACIFIC.NET (Ken Anderson)
Date: Thu Jan 12 21:19:03 2006
Subject: Whitelisted
In-Reply-To: <3963522F0E71474CB14C0FF54A6914F70142FA69@mail.gardenbotanika.com>
References: <3963522F0E71474CB14C0FF54A6914F70142FA69@mail.gardenbotanika.com>
Message-ID: <3F1FFA65.7030807@pacific.net>

Okay, mail travels in envelopes with a TO and a FROM, just like postal
mail, right?

Mail is opened by the mailserver and delivered to the TO on the envelope
and to the other TO,CC,BCC recipients. The problem is that this delivery
process doesn't happen until the server writes it to the user's mail
spool. This doesn't happen until _after_ MailScanner/SA have looked at
the message.

The result is that a whitelist will affect ALL recipients of a message
that has multiple recipients if the first envelope TO address matches
the whitelist. 95% of the mail we see to multiple recipients is spam. :-(

The only way around this using MailScanner is to use sendmail to split
the message when it first arrives into multiple messages with only 1
recipient each.

MailScanner/SA will then see each recipient's copy of the message
separately, so whitelists will be applied as they were intended. The FAQ
entry explains how to do this (though the linebreaks were lost in the
html faq, so it's a bit hard to read). Basically, you just run the
incoming sendmail process with a very slightly modified config file, and
sendmail takes care of splitting the incoming mail into single recipient
messages. Note that this increases the load on your system too, since
each message with x recipients will be split into x messages that
MailScanner processes separately.

FAQ entry:
http://www.sng.ecs.soton.ac.uk/mailscanner/serve/cache/169.html

Ken A.
Pacific.Net

Steve Douglas wrote:
> I am even more confused. As my eyes glaze over.
>
>
>
> -----Original Message-----
> From: Stephen Swaney [mailto:Steve@swaney.com]
> Sent: Tuesday, July 22, 2003 3:38 PM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: Whitelisted
>
>
>
> Actually I placed Ken A, Pacific.Net's excellent solution for this in the
> MailScanner FAQ.
>
>
> http://www.sng.ecs.soton.ac.uk/mailscanner/serve/cache/169.html
>
>
> How easy can it get.
>
> Steve
> Steve Swaney
> steve@swaney.com
>
> On Tue, 2003-07-22 at 16:19, Derek Winkler wrote:
>
> See earlier thread on splitting messages with multiple recipients into
> messages with one recipient each as a workaround.
>
> -----Original Message-----
> From: Matt Kettler [mailto:mkettler@EVI-INC.COM]
> Sent: Tuesday, July 22, 2003 4:16 PM
> To: MAILSCANNER@jiscmail.ac.uk
> Subject: Re: Whitelisted
>
>
> At 12:00 PM 7/22/2003 -0600, Dustin Baer wrote:
>
>>>Dustin,
>>>Maybe that is where my misunderstanding is. I thought, that would turn off
>>>spam filtering for that user only. Does that say anything addressed to that
>>>user and anyone else, will go through?
>>
>>Hi Kris,
>>
>>As far as I understand MailScanner's whitelisting, if one recipient is
>>in the whitelist, all recipients receive the message. I have run into
>>your situation also, and refuse to whitelist recipient names here, if I
>>see that they receive a high volume of spam. I don't want other people
>>getting spam, just because they want their name whitelisted.
>>
>>I am sure someone will correct me, if I have mis-stated how MailScanner
>>operates its whitelist.
>
>
> That is correct. And this "problem" is a fundamental limit of running at
> the MTA layer. It's not a bug, or a mistake, it's a design tradeoff between
> flexibility and efficiency.
>
> Mailscanner runs at the MTA layer, not the MDA layer, so there is not one
> copy of the message per user when MS sees it.. there's just one message
> with many recipients. Thus MailScanner can only whitelist that one message,
> or not whitelist it. There is no such thing as "well, later when you go to
> deliver this, give these guys this copy, and that guy this other version".
> It's one message, and they'll all get the same message, all MailScanner can
> do is edit it.
>
> Running at the MTA layer is much more efficient, because you only scan the
> message once, but it inherently has limits on "per user" customization. The
> MTA layer is the ideal spot to do virus scanning, because you rarely want
> user-specific behaviors for virus scanning. However doing spam scanning at
> the MTA layer is somewhat limiting if you've got users that need
> "exceptions".
>
> Personally I deal with it by creating custom SpamAssassin rules instead of
> whitelists. This gives me the ability to target specific kinds of messages,
> rather than specific sources or destinations. If I have to do a whitelist,
> I try to make it a "fromto" type whitelist where it winds up narrowly
> defined. I never use To: type whitelists, and I avoid simple From:
> whitelists as well.
>
>

From maxsec at TOTALISE.CO.UK Thu Jul 24 16:24:19 2003
From: maxsec at TOTALISE.CO.UK (Martin Hepworth)
Date: Thu Jan 12 21:19:03 2006
Subject: sql logging problem
In-Reply-To:
References:
Message-ID: <3F1FFA23.5010709@totalise.co.uk>

Evert

Still means I have to have the SQLlogging code to test say, insert this
value or NULL.

any perl dudes out there with some help?

--
Martin

Evert Ford wrote:
> I use the same version of MySQL you do and have worked with it quite a bit.
>
> What always works for me when I have a null value is NULL(and this is what
> the manual recommends, btw).
>
> to modify your insert with this:
>
> insert into maillog values ( '2003-07-24 14:40:57', 'h6ODerXL062460',
> 1066, 'martinh@soloman.solid-state-logic.com',
> 'martinh@solid-state-logic.com', 'test9', '127.0.0.1', NULL, 0, 0, NULL,
> NULL, 0, 0,
> NULL, 0, 0, 0, NULL, 'soloman.solid-state-logic.com');
>
> In MySQL NULL is not equal to either the empty string ("") or 0. and logic
> testing proves this.
>
> I hope this helps,
>
> Evert Ford
> Information Analyst
> Westone Laboratories
> http://www.westone.com
>
> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On
> Behalf Of Martin Hepworth
> Sent: Thursday, July 24, 2003 7:58 AM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: sql logging problem
>
>
> Hmm the plot thickens....
>
> If I use the values as given, there are 'empty' or null values being put
> in the string. When I use this syntax on a manual insert mysql complains
> about syntax error. However if I fill in these values to be the default
> then it's fine and the insert happens...
> eg
>
> insert into maillog values ( '2003-07-24 14:40:57', 'h6ODerXL062460',
> 1066, 'martinh@soloman.solid-state-logic.com',
> 'martinh@solid-state-logic.com', 'test9', '127.0.0.1', , 0, 0, , , 0, 0,
> , 0, 0, 0, , 'soloman.solid-state-logic.com');
>
> doesn't work..
>
> insert into maillog values ( '2003-07-24 14:40:57', 'h6ODerXL062460',
> 1066, 'martinh@soloman.solid-state-logic.com',
> 'martinh@solid-state-logic.com', 'test9', '127.0.0.1',0 , 0, 0,0 ,0 , 0,
> 0,0 , 0, 0, 0,0 , 'soloman.solid-state-logic.com');
>
>
> does work..
>
>
> mysql is version 4.0.13
>
> time to hit the manuals..
>
>
> --
> Martin

From gerry at dorfam.ca Thu Jul 24 16:28:22 2003
From: gerry at dorfam.ca (Gerry Doris)
Date: Thu Jan 12 21:19:03 2006
Subject: osirusoft going crazy???
Message-ID: <31759.129.80.22.143.1059060502.squirrel@tiger.dorfam.ca>

Is it just me or has osirusoft RBL checks started going crazy? I'm
suddenly seeing lots of innocent messages being flagged by this RBL as
spam.

Gerry

From sanjay.patel at REXWIRE.COM Thu Jul 24 16:38:35 2003
From: sanjay.patel at REXWIRE.COM (Sanjay K. Patel)
Date: Thu Jan 12 21:19:03 2006
Subject: More spam after spamassain upgrade
In-Reply-To: <3F1FC186.7060302@bangor.ac.uk>
Message-ID: <007d01c351f9$a6033340$6f01a8c0@Laptop1>

Thanks for the response,
Here are the headers. I am using version 2.52

SpamCheck: not spam, SpamAssassin (score=0.4, required 5,
        FOR_JUST_SOME_AMT 0.18, HTML_50_60 0.10, HTML_FONT_BIG 0.22,
        HTML_FONT_COLOR_BLUE 0.10, HTML_FONT_COLOR_GRAY 0.10,
        HTML_FONT_COLOR_RED 0.10, HTML_WEB_BUGS 0.10,
        ORIGINAL_MESSAGE -0.50)

This was the normal buy Norton junk. It should have scored higher.

SKP

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Martin Sapsed
Sent: Thursday, July 24, 2003 7:23 AM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: More spam after spamassain upgrade

Sanjay K. Patel wrote:
> We are seeing more spam getting through after upgrading spam assassin to the
> latest version. Even the buy Norton cheap spam is getting through. All the
> spam scores below our threshold of 5.
>
> Have the spammers got smarter or do we need to fine tune something?

Can you post the headers for e.g. a "buy Norton cheap" message which got
through - the categories SA lists might help us to advise you. Which
version do you mean by "the latest version"? What platform? What version
of MailScanner etc etc

I'm using a copy of 2.60 from a little while ago along with DCC (with
its score raised) and virtually nothing gets past that.

Cheers

Martin

--
Martin Sapsed
Information Services                    "Who do you say I am?"
University of Wales, Bangor             Jesus of Nazareth

From ka at PACIFIC.NET Thu Jul 24 16:42:07 2003
From: ka at PACIFIC.NET (Ken Anderson)
Date: Thu Jan 12 21:19:03 2006
Subject: osirusoft going crazy???
In-Reply-To: <31759.129.80.22.143.1059060502.squirrel@tiger.dorfam.ca>
References: <31759.129.80.22.143.1059060502.squirrel@tiger.dorfam.ca>
Message-ID: <3F1FFE4F.4050906@pacific.net>

I checked current incoming mail with:
tail -f maillog | grep RCVD_IN_OSIRUSOFT
All I see is spam.

OSIRUSOFT only scores .86 in SA since it does have some false positives
now and then.
Are they all from one domain?

If you are using MS for rbl checks, you might need to increase the
"Spam Lists To Reach High Score" setting.

Ken

Gerry Doris wrote:
> Is it just me or has osirusoft RBL checks started going crazy? I'm
> suddenly seeing lots of innocent messages being flagged by this RBL as
> spam.
>
> Gerry
>
>

From steve.douglas at SBIINCORPORATED.COM Thu Jul 24 16:53:08 2003
From: steve.douglas at SBIINCORPORATED.COM (Steve Douglas)
Date: Thu Jan 12 21:19:03 2006
Subject: Whitelisted Revisted
Message-ID: <3963522F0E71474CB14C0FF54A6914F70142FA6E@mail.gardenbotanika.com>

I am still trying to get a handle on this. The recommendation below seems
to completely override the whitelist.rules. Can someone clarify the
difference between the suggestion below and the whitelist.rules and
blacklist.rules files.

Thank you.

SD :-)

> -----Original Message-----
> From: Matthew Bowman [mailto:mbowman@UDCOM.COM]
> Sent: Tuesday, July 22, 2003 12:58 PM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: Whitelisted
>
> Kris,
>
> No.. That means that anything tagged as SPAM will not get tagged as SPAM
> for that user and all e-mail (save for viruses) is delivered as normal.
>
> If you want to disable spam scanning for a user, you need to use the
> following option (see my example below)
>
> # Do you want to check messages to see if they are spam?
> # This can also be the filename of a ruleset.
> Spam Checks = /etc/MailScanner/rules/spam.check.rules
>
> FromOrTo: mbowman@udcom.com no
>
> HTH
>
> Matthew
>
>
> Kris Zabriskie
> Sent by: MailScanner mailing list
> 07/22/2003 01:54 PM
> Please respond to MailScanner mailing list
>
>
> To: MAILSCANNER@JISCMAIL.AC.UK
> cc:
> Subject: Re: Whitelisted
>
>
> Dustin,
> Maybe that is where my misunderstanding is. I thought, that would turn off
> spam filtering for that user only. Does that say anything addressed to that
> user and anyone else, will go through?
>
>
> ----- Original Message -----
> From: "Dustin Baer"
> To:
> Sent: Tuesday, July 22, 2003 1:51 PM
> Subject: Re: Whitelisted
>
>
> > Kris Zabriskie wrote:
> > >
> > > Here is everything:
> > >
> > > Contents:
> > > mail.log is the sendmail mail.log (ONLY information pertaining to the
> > > message in question)
> > > mail.header is the header of the e-mail
> > > spam.whitelist.rules is exactly what it says
> > > MailScanner.conf is exactly what it is =)
> > >
> >
> > Check this entry in spam.whitelist.rules: "To:
> > blshu@itech.net yes # for her daily drool"
> >
> > Check this entry in the mail logs: to=...,...
> >
> > Hope you don't have to change products now.
> >
> > Dustin
> > --
> > Dustin Baer
> > Unix Administrator/Postmaster
> > Information Handling Services
> > 15 Inverness Way East
> > Englewood, CO 80112
> > 303-397-2836
> >

From dean.plant at ROKE.CO.UK Thu Jul 24 17:01:26 2003
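A small model of the whitelist behaviour discussed in the "Whitelisted" thread above, added here as an illustration (it is not MailScanner code). It assumes one verdict per message, taken from the first rule that matches the sender or any envelope recipient, as Dustin Baer and Matt Kettler describe; the "To:" rule is the one quoted in the thread, while the default rule and the other addresses are constructed.

```python
from dataclasses import dataclass

# Constructed ruleset; only the "To:" rule is taken from the thread.
RULESET = """\
# spam.whitelist.rules (sample)
To:        blshu@itech.net   yes   # for her daily drool
FromOrTo:  default           no
"""


@dataclass
class Envelope:
    sender: str
    recipients: list


# Constructed message: one whitelisted recipient plus two who are not.
SPAM = Envelope("bulk@sender.example",
                ["blshu@itech.net", "alice@example.com", "bob@example.com"])


def parse_rules(text):
    """Parse 'Direction: pattern yes|no' lines, ignoring comments."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        direction, pattern, value = line.split()
        rules.append((direction.rstrip(":").lower(), pattern.lower(),
                      value.lower() == "yes"))
    return rules


def is_whitelisted(rules, env):
    """One verdict for the whole envelope (simplified model).

    The first rule that matches the sender or ANY recipient decides,
    because at the MTA layer there is only one copy of the message.
    """
    recipients = [r.lower() for r in env.recipients]
    for direction, pattern, value in rules:
        if pattern == "default":
            return value
        if direction in ("from", "fromorto") and env.sender.lower() == pattern:
            return value
        if direction in ("to", "fromorto") and pattern in recipients:
            return value
    return False


def split_per_recipient(env):
    """What the sendmail queue-group split achieves: one envelope per recipient."""
    return [Envelope(env.sender, [rcpt]) for rcpt in env.recipients]


def process(rules, envelopes):
    """Return (number of scans, {recipient: 'unfiltered' or 'spam-checked'})."""
    outcome = {}
    for env in envelopes:
        verdict = "unfiltered" if is_whitelisted(rules, env) else "spam-checked"
        for rcpt in env.recipients:
            outcome[rcpt] = verdict
    return len(envelopes), outcome


if __name__ == "__main__":
    rules = parse_rules(RULESET)
    print("one envelope :", process(rules, [SPAM]))
    print("split        :", process(rules, split_per_recipient(SPAM)))
```

With a single envelope all three recipients receive the message unfiltered after one scan; after splitting, only blshu@itech.net does, at the cost of three scans.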
From: dean.plant at ROKE.CO.UK (Plant, Dean)
Date: Thu Jan 12 21:19:03 2006
Subject: Mailscanner corrupting pdf files
Message-ID:

Martin Sapsed wrote:
> Plant, Dean wrote:
>> I am having a problem with pdf files corrupting when passing through
>> the Mailscanner. If a mail with a pdf attachment is sent from one of
>> our clients, MS exchange encodes the message as either base64 or
>> quoted-printable format. All messages that are encoded as base64 pass
>> through the MailScanner correctly. Quoted-printable format mails
>> have the attachment corrupted. Turning off virus checks on
>> Mailscanner allows the quoted-printable mails to pass through
>> without corruption, so I assume it has something to do with:
>>
>> 1. Perl Mime::tools - Is this decoding / encoding the attachment
>> correctly?
>> 2. MS Exchange - Why encode some pdf's as base64 and some as
>> quoted-printable
>> 3. Different versions/creators of pdf files.
>>
>> Has anyone else suffered from this problem or does anyone have a
>> suggestion as a fix.
>
> I would say that PDF's ought to be encoded base64 every time. I also
> wouldn't have thought that a PDF could survive being sent as
> Quoted-printable?
>
> After a quick search on Google RFC 1521 states "The Quoted-Printable
> encoding is intended to represent data that largely consists of octets
> that correspond to printable characters in the ASCII character set."
> and by my reckoning your average PDF file doesn't fit that
> description!
>
> I also didn't think that MailScanner altered content of messages
> unless it was told to because of some condition being met (striphtml
> or something like that). The virus scanner should just be presented
> with a copy of the attachment and asked if it's ok or not. I don't
> think that the attachment is removed and then reattached in some way.
>
> When you say you can turn scanning off and the quoted-printable PDFs
> go through ok, is this (at least one of) the same q-p PDFs which gets
> corrupted?
>
> Not much help really am I?? ;-)
>
> Cheers,
>
> Martin

Thanks for the reply.

I have a little more time to look at this and you're correct about the
virus scanning not being at fault. I forgot to mention that the Mailscanner
adds a disclaimer, turning off the disclaimer stops the corruption of the
pdf.

I found the below link which talks about a similar problem with mimedefang /
Exchange & MIME::Tools.

http://lists.roaringpenguin.com/pipermail/mimedefang/2003-June/005988.html

Does anyone know if this could happen within mailscanner?

Thanks

Dean.

From steve.douglas at SBIINCORPORATED.COM Thu Jul 24 17:09:37 2003
From: steve.douglas at SBIINCORPORATED.COM (Steve Douglas)
Date: Thu Jan 12 21:19:03 2006
Subject: Whitelisted
Message-ID: <3963522F0E71474CB14C0FF54A6914F70142FA70@mail.gardenbotanika.com>

Thank you for the clarification. That is pretty slick.

I have had a couple of "higher-ups" in my company express concern over how
I can be absolutely certain that legitimate email from legitimate senders
is not overlooked. At this point, I think they are to go into the
spam.checks.rules file. Otherwise, I will have some explaining to do down
the road.

I am going to review your suggestion in the FAQ. That is pretty slick.

SD :-)

> -----Original Message-----
> From: Ken Anderson [mailto:ka@PACIFIC.NET]
> Sent: Thursday, July 24, 2003 10:25 AM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: Whitelisted
>
> Okay, mail travels in envelopes with a TO and a FROM, just like postal
> mail, right?
>
> Mail is opened by the mailserver and delivered to the TO on the envelope
> and to the other TO,CC,BCC recipients. The problem is that this delivery
> process doesn't happen until the server writes it to the users mail
> spool. This doesn't happen until _after_ MailScanner/SA have looked at
> the message.
>
> The result is that a whitelist will affect ALL recipients of a message
> that has multiple recipients if the first envelope TO address matches
> the whitelist. 95% of the mail we see to multiple recipients is spam. :-(
>
> The only way around this using MailScanner is to use sendmail to split
> the message when it first arrives into multiple messages with only 1
> recipient each.
>
> MailScanner/SA will then see each recipient's copy of the message
> separately, so whitelists will be applied as they were intended. The FAQ
> entry explains how to do this (though the linebreaks were lost in the
> html faq, so it's a bit hard to read). Basically, you just run the
> incoming sendmail process with a very slightly modified config file, and
> sendmail takes care of splitting the incoming mail into single recipient
> messages. Note that this increases the load on your system too, since
> each message with x recipients will be split into x messages that
> MailScanner processes separately.
>
> FAQ entry:
> http://www.sng.ecs.soton.ac.uk/mailscanner/serve/cache/169.html
>
> Ken A.
> Pacific.Net
>
>
>
>
> Steve Douglas wrote:
>
> > I am even more confused. As my eyes glaze over.
> >
> >
> >
> > -----Original Message-----
> > From: Stephen Swaney [mailto:Steve@swaney.com]
> > Sent: Tuesday, July 22, 2003 3:38 PM
> > To: MAILSCANNER@JISCMAIL.AC.UK
> > Subject: Re: Whitelisted
> >
> >
> >
> > Actually I placed Ken A, Pacific.Net's excellent solution for this in the
> > MailScanner FAQ.
> >
> >
> > http://www.sng.ecs.soton.ac.uk/mailscanner/serve/cache/169.html
> >
> >
> > How easy can it get.
> >
> > Steve
> > Steve Swaney
> > steve@swaney.com
> >
> > On Tue, 2003-07-22 at 16:19, Derek Winkler wrote:
> >
> > See earlier thread on splitting messages with multiple recipients into
> > messages with one recipient each as a workaround.
> >
> > -----Original Message-----
> > From: Matt Kettler [mailto:mkettler@EVI-INC.COM]
> > Sent: Tuesday, July 22, 2003 4:16 PM
> > To: MAILSCANNER@jiscmail.ac.uk
> > Subject: Re: Whitelisted
> >
> >
> > At 12:00 PM 7/22/2003 -0600, Dustin Baer wrote:
> >
> >>>Dustin,
> >>>Maybe that is where my misunderstanding is. I thought, that would turn off
> >>>spam filtering for that user only. Does that say anything addressed to that
> >>>user and anyone else, will go through?
> >>
> >>Hi Kris,
> >>
> >>As far as I understand MailScanner's whitelisting, if one recipient is
> >>in the whitelist, all recipients receive the message. I have run into
> >>your situation also, and refuse to whitelist recipient names here, if I
> >>see that they receive a high volume of spam. I don't want other people
> >>getting spam, just because they want their name whitelisted.
> >>
> >>I am sure someone will correct me, if I have mis-stated how MailScanner
> >>operates its whitelist.
> >
> >
> > That is correct. And this "problem" is a fundamental limit of running at
> > the MTA layer. It's not a bug, or a mistake, it's a design tradeoff between
> > flexibility and efficiency.
> >
> > Mailscanner runs at the MTA layer, not the MDA layer, so there is not one
> > copy of the message per user when MS sees it.. there's just one message
> > with many recipients. Thus MailScanner can only whitelist that one message,
> > or not whitelist it. There is no such thing as "well, later when you go to
> > deliver this, give these guys this copy, and that guy this other version".
> > It's one message, and they'll all get the same message, all MailScanner can
> > do is edit it.
> >
> > Running at the MTA layer is much more efficient, because you only scan the
> > message once, but it inherently has limits on "per user" customization. The
> > MTA layer is the ideal spot to do virus scanning, because you rarely want
> > user-specific behaviors for virus scanning.
> > However doing spam scanning at
> > the MTA layer is somewhat limiting if you've got users that need
> > "exceptions".
> >
> > Personally I deal with it by creating custom SpamAssassin rules instead of
> > whitelists. This gives me the ability to target specific kinds of messages,
> > rather than specific sources or destinations. If I have to do a whitelist,
> > I try to make it a "fromto" type whitelist where it winds up narrowly
> > defined. I never use To: type whitelists, and I avoid simple From:
> > whitelists as well.
> >
> >

From gerry at dorfam.ca Thu Jul 24 17:14:12 2003
From: gerry at dorfam.ca (Gerry Doris)
Date: Thu Jan 12 21:19:03 2006
Subject: osirusoft going crazy???
In-Reply-To: <3F1FFE4F.4050906@pacific.net>
References: <31759.129.80.22.143.1059060502.squirrel@tiger.dorfam.ca> <3F1FFE4F.4050906@pacific.net>
Message-ID: <36974.129.80.22.133.1059063252.squirrel@tiger.dorfam.ca>

> I checked current incoming mail with:
> tail -f maillog | grep RCVD_IN_OSIRUSOFT
> All I see is spam.
>
> OSIRUSOFT only scores .86 in SA since it does have some false positives
> now and then.
> Are they all from one domain?
>
> If you are using MS for rbl checks, you might need to increase the
> "Spam Lists To Reach High Score" setting.
>
> Ken

Thanks. I'd increased the scoring for some RBL's including osirusoft so
the best thing for me looks like dropping osirusoft back to the default so
I don't get so many false positives.

Gerry

From Steve at swaney.com Thu Jul 24 17:19:59 2003
From: Steve at swaney.com (Stephen Swaney)
Date: Thu Jan 12 21:19:03 2006
Subject: More spam after spamassain upgrade
In-Reply-To: <007d01c351f9$a6033340$6f01a8c0@Laptop1>
References: <007d01c351f9$a6033340$6f01a8c0@Laptop1>
Message-ID: <1059063599.29144.230.camel@speedy>

Sanjay,

I believe that you should be at version 2.55 of SpamAssassin. This should
make a difference.

Steve
Steve Swaney
Steve@Swaney.com

On Thu, 2003-07-24 at 11:38, Sanjay K. Patel wrote:
> Thanks for the response,
> Here are the headers. I am using version 2.52
>
> SpamCheck: not spam, SpamAssassin (score=0.4, required 5,
>         FOR_JUST_SOME_AMT 0.18, HTML_50_60 0.10, HTML_FONT_BIG 0.22,
>         HTML_FONT_COLOR_BLUE 0.10, HTML_FONT_COLOR_GRAY 0.10,
>         HTML_FONT_COLOR_RED 0.10, HTML_WEB_BUGS 0.10,
>         ORIGINAL_MESSAGE -0.50)
>
> This was the normal buy Norton junk. It should have scored higher.
>
> SKP
>
> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf
> Of Martin Sapsed
> Sent: Thursday, July 24, 2003 7:23 AM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: More spam after spamassain upgrade
>
>
> Sanjay K. Patel wrote:
> > We are seeing more spam getting through after upgrading spam assassin to the
> > latest version. Even the buy Norton cheap spam is getting through. All the
> > spam scores below our threshold of 5.
> >
> > Have the spammers got smarter or do we need to fine tune something?
>
> Can you post the headers for e.g. a "buy Norton cheap" message which got
> through - the categories SA lists might help us to advise you. Which
> version do you mean by "the latest version"? What platform? What version
> of MailScanner etc etc
>
> I'm using a copy of 2.60 from a little while ago along with DCC (with
> its score raised) and virtually nothing gets past that.
>
> Cheers
>
> Martin
>
> --
> Martin Sapsed
> Information Services                    "Who do you say I am?"
> University of Wales, Bangor             Jesus of Nazareth

From Steve at swaney.com Thu Jul 24 17:31:23 2003
From: Steve at swaney.com (Stephen Swaney)
Date: Thu Jan 12 21:19:03 2006
Subject: Whitelisted
In-Reply-To: <3963522F0E71474CB14C0FF54A6914F70142FA69@mail.gardenbotanika.com>
References: <3963522F0E71474CB14C0FF54A6914F70142FA69@mail.gardenbotanika.com>
Message-ID: <1059064283.29144.238.camel@speedy>

Sorry for the bad formatting in the FAQ. Here is a repeat with hopefully
better, more understandable formatting

----------------------------------

I have incoming sendmail splitting multiple recipient messages into
multiple messages, so MailScanner and SA only see 1 recip per message.
Here's what I did. If any sendmail gurus out there think this is a bad
idea, please let me know what a mess I've made of things :-)

1) Start the incoming sendmail with a different config file.

Changes to /etc/rc.d/init.d/MailScanner (from rpm install on redhat)
make this change to the incoming sendmail command line:

------ snip -------
$SENDMAIL -bd -OPrivacyOptions=noetrn \
    -ODeliveryMode=queueonly \
    -OQueueDirectory=$INQDIR \
    -OPidFile=$INPID \
    -C/etc/mail/sendmail_in.cf
-------- snip --------

2) Make changes to the new sendmail config:

cp /etc/mail/sendmail.cf /etc/mail/sendmail_in.cf

In sendmail_in.cf, add the following:
The comment header "QUEUE GROUP DEFINITIONS" should be there already.
Just add the single line under it.

------- snip --------
############################
# QUEUE GROUP DEFINITIONS #
############################
Qmqueue, P=/var/spool/mqueue.in, F=f, r=1, R=8, I=2m
------- snip --------

AND, just above the "Ruleset 3" comment header, add the following:
(not sure if both lines are required or not...)
--------- snip --------
# LOCAL_RULESETS
Squeuegroup
R$* @ $* $# mqueue
R$* $# mqueue

############################################
### Ruleset 3 -- Name Canonicalization ###
############################################
--------- snip ----------

Restart sendmail, and things like this start showing up in the log when
messages with multiple recipients come in:

Jul 17 08:14:31 host sendmail[7183]: h6HFDop8007183: split: maxrcpts=1, rcpts=3, count=2, ids=h6HFDop9007183; h6HFDopA007183

So now MailScanner only sees 1 recipient per message and rulesets only
apply to the user they are supposed to apply to. Cool, huh?

Thanks for all the suggestions!

Ken A
Pacific.Net

-----------------------------------------------

Steve
Steve@Swaney.com

On Thu, 2003-07-24 at 10:52, Steve Douglas wrote:
> I am even more confused. As my eyes glaze over.
>
> -----Original Message-----
> From: Stephen Swaney [mailto:Steve@swaney.com]
> Sent: Tuesday, July 22, 2003 3:38 PM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: Whitelisted
>
> Actually I placed Ken A, Pacific.Net's excellent solution for this in
> the MailScanner FAQ.
>
> http://www.sng.ecs.soton.ac.uk/mailscanner/serve/cache/169.html
>
> How easy can it get.
>
> Steve
> Steve Swaney
> steve@swaney.com
>
> On Tue, 2003-07-22 at 16:19, Derek Winkler wrote:
>
> See earlier thread on splitting messages with multiple recipients into
> messages with one recipient each as a workaround.
>
> -----Original Message-----
> From: Matt Kettler [mailto:mkettler@EVI-INC.COM] > Sent: Tuesday, July 22, 2003 4:16 PM > To: MAILSCANNER@jiscmail.ac.uk > Subject: Re: Whitelisted > > > At 12:00 PM 7/22/2003 -0600, Dustin Baer wrote: > > > Dustin, > > > Maybe that is where my misunderstanding is. I thought, that would > turn off > > > spam filtering for that user only. Does that say anything > addressed to > > that > > > user and anyone else, will go through? > > > >Hi Kris, > > > >As far as I understand MailScanner's whitelisting, if one recipient > is > >in the whitelist, all recipients receive the message. I have run > into > >your situation also, and refuse to whitelist recipient names here, if > I > >see that they receive a high volume of spam. I don't want other > people > >getting spam, just because they want their name whitelisted. > > > >I am sure someone will correct me, if I have mis-stated how > MailScanner > >operates its whitelist. > > That is correct. And this "problem" is a fundamental limit of running > at > the MTA layer. It's not a bug, or a mistake, it's a design tradeoff > between > flexibility and efficiency. > > Mailscanner runs at the MTA layer, not the MDA layer, so there is not > one > copy of the message per user when MS sees it.. there's just one > message > with many recipients. Thus MailScanner can only whitelist that one > message, > or not whitelist it. There is no such thing as "well, later when you > go to > deliver this, give these guys this copy, and that guy this other > version". > It's one message, and they'll all get the same message, all > MailScanner can > do is edit it. > > Running at the MTA layer is much more efficient, because you only scan > the > message once, but it inherently has limits on "per user" > customization. The > MTA layer is the ideal spot to do virus scanning, because you rarely > want > user-specific behaviors for virus scanning. 
However doing spam > scanning at > the MTA layer is somewhat limiting if you've got users that need > "exceptions". > > Personally I deal with it by creating custom SpamAssassin rules > instead of > whitelists. This gives me the ability to target specific kinds of > messages, > rather than specific sources or destinations. If I have to do a > whitelist, > I try to make it a "fromto" type whitelist where it winds up narrowly > defined. I never use To: type whitelists, and I avoid simple From: > whitelists as well. > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030724/db718a11/attachment.html From mailscanner_question at COMCAST.NET Thu Jul 24 18:17:28 2003 From: mailscanner_question at COMCAST.NET (Dave Wood) Date: Thu Jan 12 21:19:03 2006 Subject: need help with mailscanner and spamassassin Message-ID: <3F2014A8.7080400@comcast.net> RedHat 9 MailScanner 4.22-5 SpamAssassin 2.55 I've installed SpamAssassin and MailScanner and I've configured MailScanner to use SpamAssassin. When I start MailScanner, however, /var/log/maillog fills with: MailScanner[3625]: SpamAssassin installation could not be found As a result of this, MailScanner never starts up properly and messages queue up and are not delivered. Messages are delivered properly if I change MailScanner.conf to not use spamassassin. I can run spamassassin -D --lint as root and it appears to be configured properly and run fine. MailScanner also runs as root just as a system service. Does anybody have any idea what would cause this or how I can make MailScanner recognize SpamAssassin? Thanks, Dave From raymond at PROLOCATION.NET Thu Jul 24 18:34:10 2003 
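Added example (not part of any message in this thread, and not sendmail or MailScanner project code): a check for the recipient-splitting setup described in the "Whitelisted" message above. It reads a maillog and lists messages that were accepted with more than one recipient but logged no complete `split:` entry, which are the messages MailScanner would still see with several recipients and where a recipient whitelist entry would apply to everyone on the envelope. Apart from the `split:` line quoted in that message, the log sample is constructed; the syslog field layout, the `nrcpts=` field of the `from=` entries, and the rule that a complete split logs `count = rcpts - 1` are assumptions.

```shell
#!/bin/sh
# Constructed maillog sample. Only the "split:" entry is the line quoted in
# the thread; the other entries, addresses and queue ids are made up.
SAMPLE_LOG='Jul 17 08:14:30 host sendmail[7183]: h6HFDop8007183: from=<a@example.org>, size=2048, class=0, nrcpts=3, msgid=<1@example.org>, proto=ESMTP, daemon=MTA, relay=mx.example.org [192.0.2.10]
Jul 17 08:14:31 host sendmail[7183]: h6HFDop8007183: split: maxrcpts=1, rcpts=3, count=2, ids=h6HFDop9007183; h6HFDopA007183
Jul 17 08:15:02 host sendmail[7190]: h6HFF2p8007190: from=<b@example.org>, size=900, class=0, nrcpts=1, msgid=<2@example.org>, proto=ESMTP, daemon=MTA, relay=mx.example.org [192.0.2.10]
Jul 17 08:16:40 host sendmail[7201]: h6HFGep8007201: from=<c@example.org>, size=5120, class=0, nrcpts=4, msgid=<3@example.org>, proto=ESMTP, daemon=MTA, relay=mx.example.net [192.0.2.20]'

# Reads a maillog on stdin and prints "<queue-id> <nrcpts>" for every message
# accepted with more than one recipient that has no complete split entry.
# Assumptions: syslog layout "Mon DD HH:MM:SS host sendmail[pid]: qid: ...",
# and a complete split to one recipient per envelope logs maxrcpts=1 and
# count = rcpts - 1 (as in the quoted line: rcpts=3, count=2).
unsplit_multi_rcpt() {
  awk '
    # Numeric value of "key=<digits>" when preceded by a space or comma,
    # so that "rcpts" does not match inside "maxrcpts" or "nrcpts".
    function num(key,   n) {
      if (!match($0, "[ ,]" key "=[0-9]+")) return -1
      n = length(key) + 2
      return substr($0, RSTART + n, RLENGTH - n) + 0
    }
    $5 ~ /^sendmail\[[0-9]+\]:$/ && $6 ~ /:$/ {
      qid = substr($6, 1, length($6) - 1)
      if ($7 == "split:") {
        if (num("maxrcpts") == 1 && num("count") == num("rcpts") - 1)
          split_ok[qid] = 1
      } else if ($7 ~ /^from=/ && num("nrcpts") > 1 && !(qid in nrcpts)) {
        nrcpts[qid] = num("nrcpts")
        order[++k] = qid
      }
    }
    END {
      # Evaluate at the end so the order of from= and split: lines is irrelevant.
      for (i = 1; i <= k; i++)
        if (!(order[i] in split_ok)) print order[i], nrcpts[order[i]]
    }'
}

# Stand-alone run on the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | unsplit_multi_rcpt
```

An empty result means every multi-recipient message in the log was split before MailScanner saw it.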
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:19:03 2006
Subject: need help with mailscanner and spamassassin
In-Reply-To: <3F2014A8.7080400@comcast.net>
Message-ID:

Hi!

> I can run spamassassin -D --lint as root and it appears to be configured
> properly and run fine. MailScanner also runs as root just as a system
> service.
>
> Does anybody have any idea what would cause this or how I can make
> MailScanner recognize SpamAssassin?

How many perl instances do you have on your system ? And how did you
install SA ?

Bye,
Raymond.

From Denis.Beauchemin at USHERBROOKE.CA Thu Jul 24 18:43:51 2003
From: Denis.Beauchemin at USHERBROOKE.CA (Denis Beauchemin)
Date: Thu Jan 12 21:19:03 2006
Subject: tmpfs size recommendations
Message-ID: <1059068631.13875.3.camel@dbeauchemin.sti.usherbrooke.ca>

Hello,

How much RAM should I allocate to a tmpfs for
/var/spool/MailScanner/incoming/ considering in about 1 day monitoring I
saw sizes up to 10GB for that directory.

Would I gain anything with a 512MB tmpfs? What would happen if MS
needed more than 512MB?

Thanks!

--
Denis Beauchemin, analyste
Université de Sherbrooke, S.T.I.
T: 819.821.8000x2252 F: 819.821.8045

From raymond at PROLOCATION.NET Thu Jul 24 18:47:17 2003
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:19:03 2006
Subject: tmpfs size recommendations
In-Reply-To: <1059068631.13875.3.camel@dbeauchemin.sti.usherbrooke.ca>
Message-ID:

Hi!

> How much RAM should I allocate to a tmpfs for
> /var/spool/MailScanner/incoming/ considering in about 1 day monitoring I
> saw sizes up to 10GB for that directory.
>
> Would I gain anything with a 512MB tmpfs? What would happen if MS
> needed more than 512MB?

I would say go for 512, I monitor my tmpfs in size and have never seen it
bigger than let's say 8-10% of that 512. It's only stored very shortly in RAM
usually. Most of the time it's just using 1-2%.

By default it takes 50% of your available RAM btw.

Bye,
Raymond.

From marco at MUW.EDU Thu Jul 24 19:05:04 2003
From: marco at MUW.EDU (Marco Obaid)
Date: Thu Jan 12 21:19:03 2006
Subject: tmpfs size recommendations
In-Reply-To: <1059068631.13875.3.camel@dbeauchemin.sti.usherbrooke.ca>
References: <1059068631.13875.3.camel@dbeauchemin.sti.usherbrooke.ca>
Message-ID: <1059069904.3f201fd032b08@webmail.MUW.Edu>

Hi,

> How much RAM should I allocate to a tmpfs for
> /var/spool/MailScanner/incoming/ considering in about 1 day monitoring I
> saw sizes up to 10GB for that directory.

There is a post about this by Julian, somewhere in the archives. Basically,
tmpfs auto-adjusts as needed. You don't have to specify the size.

Also, make sure you have the appropriate entry in /etc/fstab so it will mount
upon rebooting your system.

Marco

_________________________________________________________________
This mail is sent through MUW Webmail: http://www.MUW.Edu/webmail
For the latest MUW Events, visit http://www.MUW.Edu/calendar

From marco at MUW.EDU Thu Jul 24 19:09:39 2003
From: marco at MUW.EDU (Marco Obaid)
Date: Thu Jan 12 21:19:03 2006
Subject: tmpfs size recommendations
In-Reply-To: <5.2.0.9.2.20030611161343.044c36d0@imap.ecs.soton.ac.uk>
References: <002f01c33021$2d001520$5b426480@ad.geog.utoronto.ca>
 <06EE2C86D3DAD5119A6C0060943F3C97055E7000@tormail1.algorithmics.com>
 <002f01c33021$2d001520$5b426480@ad.geog.utoronto.ca>
 <5.2.0.9.2.20030611161343.044c36d0@imap.ecs.soton.ac.uk>
Message-ID: <1059070179.3f2020e3bb8ae@webmail.MUW.Edu>

Hi,

Below is Julian's response to similar question:

Quoting Julian Field :

> Use tmpfs and not ramfs and you don't need to worry about it, the OS will
> expand and contract it dynamically for you.
> mount -t tmpfs tmpfs /var/spool/MailScanner/incoming
> (but obviously put the relevant info into your /etc/fstab so it gets
> mounted at boot-time).

Marco

_________________________________________________________________
This mail is sent through MUW Webmail: http://www.MUW.Edu/webmail
For the latest MUW Events, visit http://www.MUW.Edu/calendar

From mailscanner_question at COMCAST.NET Thu Jul 24 18:56:36 2003
From: mailscanner_question at COMCAST.NET (Dave Wood) Date: Thu Jan 12 21:19:03 2006 Subject: need help with mailscanner and spamassassin In-Reply-To: References: Message-ID: <3F201DD4.2080006@comcast.net> I installed SA from a RPM (spamassassin-2.55-1.7.3.i386.rpm and spamassassin-tools-2.55-1.7.3.i386.rpm) I'm afraid I don't understand your perl question, or how to answer it. If you're referring to how many versions of perl are on the machine, then I don't know how to determine that. I can tell you that this is a clean RH9 install and cyrus-imap, razor, spamassassin, and mailscanner are the only things I've installed. If I run "locate perl", it appears that only perl 5.8.0 is installed. -- dave Raymond Dijkxhoorn wrote: >Hi! > > > >>I can run spamassassin -D --lint as root and it appears to be configured >>properly and run fine. MailScanner also runs as root just as a system >>service. >> >>Does anybody have any idea what would cause this or how I can make >>MailScanner recognize SpamAssassin? >> >> > >How many perl instances do you have on your system ? And how did you >install SA ? > >Bye, >Raymond. > > > From raymond at PROLOCATION.NET Thu Jul 24 19:00:11 2003 
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:19:03 2006
Subject: need help with mailscanner and spamassassin
In-Reply-To: <3F201DD4.2080006@comcast.net>
Message-ID:

Hi!

> I installed SA from a RPM (spamassassin-2.55-1.7.3.i386.rpm and
> spamassassin-tools-2.55-1.7.3.i386.rpm)

It was told on the list a couple of times that that might cause problems,
I guess that's the case here.

Please install SA via MCPAN ....

> I'm afraid I don't understand your perl question, or how to answer it.
> If you're referring to how many versions of perl are on the machine,
> then I don't know how to determine that. I can tell you that this is a
> clean RH9 install and cyrus-imap, razor, spamassassin, and mailscanner
> are the only things I've installed. If I run "locate perl", it appears
> that only perl 5.8.0 is installed.

Ok, fair enough.

Please deinstall SA (rpm -e) and install it via MCPAN ...

perl -MCPAN -e shell
install Mail::SpamAssassin

Bye,
Raymond.

From dot at DOTAT.AT Thu Jul 24 18:53:24 2003
From: dot at DOTAT.AT (Tony Finch)
Date: Thu Jan 12 21:19:03 2006
Subject: need help with mailscanner and spamassassin
In-Reply-To:
Message-ID:

Dave Wood wrote:
>
>Does anybody have any idea what would cause this or how I can make
>MailScanner recognize SpamAssassin?

Try adjusting the SpamAssassin Install Prefix option.

Tony.
--
f.a.n.finch http://dotat.at/
HEBRIDES BAILEY: WEST OR SOUTHWEST, BECOMING CYCLONIC FOR A TIME, 4 OR 5,
OCCASIONALLY 6. RAIN OR SHOWERS. MODERATE OR GOOD.

From marco at MUW.EDU Thu Jul 24 19:20:35 2003
From: marco at MUW.EDU (Marco Obaid) Date: Thu Jan 12 21:19:03 2006 Subject: need help with mailscanner and spamassassin In-Reply-To: <3F201DD4.2080006@comcast.net> References: <3F201DD4.2080006@comcast.net> Message-ID: <1059070835.3f20237387913@webmail.MUW.Edu> Hi Dave, > I installed SA from a RPM (spamassassin-2.55-1.7.3.i386.rpm and > spamassassin-tools-2.55-1.7.3.i386.rpm) Looking at your e-mail, I don't see that you installed perl-Mail-SpamAssassin- 2.55-1.7.3.i386.rpm ... If not, that could be your problem. The RPM install of SpamAssassin requires these 3 RPMS: perl-Mail-SpamAssassin-2.55-1.7.3.i386.rpm spamassassin-2.55-1.7.3.i386.rpm spamassassin-tools-2.55-1.7.3.i386.rpm) Marco _________________________________________________________________ This mail is sent through MUW Webmail: http://www.MUW.Edu/webmail For the latest MUW Events, visit http://www.MUW.Edu/calendar From mailscanner_question at COMCAST.NET Thu Jul 24 19:05:45 2003 
From: mailscanner_question at COMCAST.NET (Dave Wood) Date: Thu Jan 12 21:19:03 2006 Subject: need help with mailscanner and spamassassin In-Reply-To: <1059070835.3f20237387913@webmail.MUW.Edu> References: <3F201DD4.2080006@comcast.net> <1059070835.3f20237387913@webmail.MUW.Edu> Message-ID: <3F201FF9.9020500@comcast.net> You're right, I didn't mention it, but I did install it. Good catch, but that's not my problem. Thanks though! -- dave Marco Obaid wrote: >Hi Dave, > > > >>I installed SA from a RPM (spamassassin-2.55-1.7.3.i386.rpm and >>spamassassin-tools-2.55-1.7.3.i386.rpm) >> >> > >Looking at your e-mail, I don't see that you installed perl-Mail-SpamAssassin- >2.55-1.7.3.i386.rpm ... If not, that could be your problem. The RPM install of >SpamAssassin requires these 3 RPMS: > >perl-Mail-SpamAssassin-2.55-1.7.3.i386.rpm >spamassassin-2.55-1.7.3.i386.rpm >spamassassin-tools-2.55-1.7.3.i386.rpm) > > >Marco > > >_________________________________________________________________ >This mail is sent through MUW Webmail: http://www.MUW.Edu/webmail >For the latest MUW Events, visit http://www.MUW.Edu/calendar > > > From marco at MUW.EDU Thu Jul 24 19:24:30 2003 From: marco at MUW.EDU (Marco Obaid) Date: Thu Jan 12 21:19:03 2006 Subject: need help with mailscanner and spamassassin In-Reply-To: <3F201FF9.9020500@comcast.net> References: <3F201DD4.2080006@comcast.net> <1059070835.3f20237387913@webmail.MUW.Edu> <3F201FF9.9020500@comcast.net> Message-ID: <1059071070.3f20245ec58e6@webmail.MUW.Edu> Hi Dave, > You're right, I didn't mention it, but I did install it. Good catch, > but that's not my problem. Definitely try Raymond's recommendation !!! * Uninstall the RPMS * Install SA via MCPAN Good luck, Marco _________________________________________________________________ This mail is sent through MUW Webmail: http://www.MUW.Edu/webmail For the latest MUW Events, visit http://www.MUW.Edu/calendar From Steve at swaney.com Thu Jul 24 19:14:23 2003 
From: Steve at swaney.com (Stephen Swaney) Date: Thu Jan 12 21:19:03 2006 Subject: need help with mailscanner and spamassassin In-Reply-To: References: Message-ID: <1059070462.29144.336.camel@speedy> I agree with Raymond's comments and am one of the people that has been bitten by the rpm install. I've also been bitten by the MCPAN install. There are a number of CPAN sites that do NOT have the latest version of SpamAssassin available. Just last week I inadvertently installed 2.53 by mistake. I did catch the error when 2.53 rolled by during the install but I should have paid more attention to the warning message about the mirror site being over 90 days out of date. Be warned. I rectified the error by downloading the 2.55 version of Mail::SpamAssassin from www.cpan.org and installed from that. It appears to be exactly the install as the MCPAN method but the files that are compiled and installed are the latest versions. Hope this helps. Steve Steve@Swaney.com On Thu, 2003-07-24 at 14:00, Raymond Dijkxhoorn wrote: > Hi! > > > I installed SA from a RPM (spamassassin-2.55-1.7.3.i386.rpm and > > spamassassin-tools-2.55-1.7.3.i386.rpm) > > It was told on the list a couple of times that that might cause problems, > i guess thats the case here. > > Please install SA vie MCPAN .... > > > I'm afraid I don't understand your perl question, or how to answer it. > > If you're referring to how many versions of perl are on the machine, > > then I don't know how to determine that. I can tell you that this is a > > clean RH9 install and cyrus-imap, razor, spamassassin, and mailscanner > > are the only things I've installed. If I run "locate perl", it appears > > that only perl 5.8.0 is installed. > > Ok, fair enough. > > Please deinstall SA (rpm -e) and install it via MCPAN ... > > perl -MCPAN -e shell > install Mail::SpamAssassin > > Bye, > Raymond. -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030724/70b0f67d/attachment.html From mailscanner_question at COMCAST.NET Thu Jul 24 19:13:46 2003 
From: mailscanner_question at COMCAST.NET (Dave Wood)
Date: Thu Jan 12 21:19:03 2006
Subject: need help with mailscanner and spamassassin
In-Reply-To:
References:
Message-ID: <3F2021DA.9080405@comcast.net>

Okay, I'm not out of the woods yet, when I try to install SA via MCPAN,
I get:

CPAN.pm: Going to build J/JM/JMASON/Mail-SpamAssassin-2.55.tar.gz

Checking if your kit is complete...
Looks good

Warning: I could not locate your pod2man program. Please make sure,
your pod2man program is in your PATH before you execute 'make'

Writing Makefile for Mail::SpamAssassin
Run Razor v2 tests (these may fail due to network problems)? (y/n) [n] y
Makefile:92: *** missing separator. Stop.
/usr/bin/make -- NOT OK
Running make test
Can't test without successful make
Running make install
make had returned bad status, install seems impossible

Is the lack of pod2man the problem here? If so, should I try to install
it via RPM or MCPAN (and what would be the correct command for that)?

-- dave

Raymond Dijkxhoorn wrote:

>Hi!
>
>>I installed SA from a RPM (spamassassin-2.55-1.7.3.i386.rpm and
>>spamassassin-tools-2.55-1.7.3.i386.rpm)
>>
>
>It was told on the list a couple of times that that might cause problems,
>I guess that's the case here.
>
>Please install SA via MCPAN ....
>
>>I'm afraid I don't understand your perl question, or how to answer it.
>> If you're referring to how many versions of perl are on the machine,
>>then I don't know how to determine that. I can tell you that this is a
>>clean RH9 install and cyrus-imap, razor, spamassassin, and mailscanner
>>are the only things I've installed. If I run "locate perl", it appears
>>that only perl 5.8.0 is installed.
>>
>
>Ok, fair enough.
>
>Please deinstall SA (rpm -e) and install it via MCPAN ...
>
>perl -MCPAN -e shell
>install Mail::SpamAssassin
>
>Bye,
>Raymond.
>

From marco at MUW.EDU Thu Jul 24 19:31:55 2003
From: marco at MUW.EDU (Marco Obaid)
Date: Thu Jan 12 21:19:03 2006
Subject: need help with mailscanner and spamassassin
In-Reply-To: <3F201FF9.9020500@comcast.net>
References: <3F201DD4.2080006@comcast.net>
 <1059070835.3f20237387913@webmail.MUW.Edu>
 <3F201FF9.9020500@comcast.net>
Message-ID: <1059071515.3f20261b6892e@webmail.MUW.Edu>

Dave,

If this is a clean RH9 system and you are not aware of the problems with UTF-8
language settings, review this FAQ before you begin the SA install via MCPAN:

http://www.sng.ecs.soton.ac.uk/mailscanner/serve/cache/121.html

Otherwise, you may run into some weird error messages.

Marco

_________________________________________________________________
This mail is sent through MUW Webmail: http://www.MUW.Edu/webmail
For the latest MUW Events, visit http://www.MUW.Edu/calendar

From mailscanner_question at COMCAST.NET Thu Jul 24 19:15:28 2003
From: mailscanner_question at COMCAST.NET (Dave Wood)
Date: Thu Jan 12 21:19:03 2006
Subject: need help with mailscanner and spamassassin
In-Reply-To:
References:
Message-ID: <3F202240.3020303@comcast.net>

Adjust it to what? And how would I do that (see below that I had
previously installed via RPM)

-- dave

Tony Finch wrote:

>Dave Wood wrote:
>
>>Does anybody have any idea what would cause this or how I can make
>>MailScanner recognize SpamAssassin?
>>
>
>Try adjusting the SpamAssassin Install Prefix option.
>
>Tony.
>--
>f.a.n.finch http://dotat.at/
>HEBRIDES BAILEY: WEST OR SOUTHWEST, BECOMING CYCLONIC FOR A TIME, 4 OR 5,
>OCCASIONALLY 6. RAIN OR SHOWERS. MODERATE OR GOOD.
>

From raymond at PROLOCATION.NET Thu Jul 24 19:16:23 2003
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:19:03 2006
Subject: need help with mailscanner and spamassassin
In-Reply-To: <3F2021DA.9080405@comcast.net>
Message-ID:

Hi!

> Warning: I could not locate your pod2man program. Please make sure,
> your pod2man program is in your PATH before you execute 'make'
>
> Writing Makefile for Mail::SpamAssassin
> Run Razor v2 tests (these may fail due to network problems)? (y/n) [n] y
> Makefile:92: *** missing separator. Stop.

Fix your language settings.

> Is the lack of pod2man the problem here? If so, should I try to install
> it via RPM or MCPAN (and what would be the correct command for that)?

No!

Edit /etc/sysconfig/i18n

And make it look like:

LANG="en_US"
SUPPORTED="en_US.UTF-8:en_US:en"
SYSFONT="latarcyrheb-sun16"

Bye,
Raymond.

From Denis.Beauchemin at USHERBROOKE.CA Thu Jul 24 19:28:27 2003
From: Denis.Beauchemin at USHERBROOKE.CA (Denis Beauchemin)
Date: Thu Jan 12 21:19:03 2006
Subject: need help with mailscanner and spamassassin
In-Reply-To: <3F2021DA.9080405@comcast.net>
References: <3F2021DA.9080405@comcast.net>
Message-ID: <1059071307.13875.7.camel@dbeauchemin.sti.usherbrooke.ca>

Dave,

Perhaps the following install guide will guide you through it:
http://www.sng.ecs.soton.ac.uk/mailscanner/install/spamassassin.shtml

Denis

On Thu 24/07/2003 at 14:13, Dave Wood wrote:
> Okay, I'm not out of the woods yet, when I try to install SA via MCPAN,
> I get:
>
> CPAN.pm: Going to build J/JM/JMASON/Mail-SpamAssassin-2.55.tar.gz
>
> Checking if your kit is complete...
> Looks good
>
> Warning: I could not locate your pod2man program. Please make sure,
> your pod2man program is in your PATH before you execute 'make'
>
> Writing Makefile for Mail::SpamAssassin
> Run Razor v2 tests (these may fail due to network problems)? (y/n) [n] y
> Makefile:92: *** missing separator. Stop.
> /usr/bin/make -- NOT OK
> Running make test
> Can't test without successful make
> Running make install
> make had returned bad status, install seems impossible
>
> Is the lack of pod2man the problem here? If so, should I try to install
> it via RPM or MCPAN (and what would be the correct command for that)?
>
> -- dave
>
> Raymond Dijkxhoorn wrote:
>
> >Hi!
> >
> >>I installed SA from a RPM (spamassassin-2.55-1.7.3.i386.rpm and
> >>spamassassin-tools-2.55-1.7.3.i386.rpm)
> >>
> >
> >It was told on the list a couple of times that that might cause problems,
> >I guess that's the case here.
> >
> >Please install SA via MCPAN ....
> >
> >>I'm afraid I don't understand your perl question, or how to answer it.
> >> If you're referring to how many versions of perl are on the machine,
> >>then I don't know how to determine that.
I can tell you that this is a
> >>clean RH9 install and cyrus-imap, razor, spamassassin, and mailscanner
> >>are the only things I've installed. If I run "locate perl", it appears
> >>that only perl 5.8.0 is installed.
> >>
> >
> >Ok, fair enough.
> >
> >Please deinstall SA (rpm -e) and install it via MCPAN ...
> >
> >perl -MCPAN -e shell
> >install Mail::SpamAssassin
> >
> >Bye,
> >Raymond.
> >

--
Denis Beauchemin, analyste
Université de Sherbrooke, S.T.I.
T: 819.821.8000x2252 F: 819.821.8045

From rzewnickie at RFA.ORG Thu Jul 24 19:41:33 2003
From: rzewnickie at RFA.ORG (Eric Dantan Rzewnicki) Date: Thu Jan 12 21:19:03 2006 Subject: Whitelisted In-Reply-To: <3F1FFA65.7030807@pacific.net> References: <3963522F0E71474CB14C0FF54A6914F70142FA69@mail.gardenbotanika.com> <3F1FFA65.7030807@pacific.net> Message-ID: <20030724184132.GF8775@rfa.org> On Thu 24/07/2003 08:25:25, Ken Anderson wrote: > Okay, mail travels in envelopes with a TO and a FROM, just like postal > mail, right? > > Mail is opened by the mailserver and delivered to the TO on the envelope > and to the other TO,CC,BCC recipients. The problem is that this delivery > process doesn't happen until the server writes it to the users mail > spool. This doesn't happen until _after_ MailScanner/SA have looked at > the message. > > The result is that a whitelist will affect ALL recipients of a message > that has multiple recipients if the first envelope TO address matches > the whitelist. 95% of the mail we see to multiple recipients is spam. :-( > > The only way around this using MailScanner is to use sendmail to split > the message when it first arrives into multiple messages with only 1 > recipient each. Does anyone know if it is possible to do something similar with postfix? I'm guessing it's not for the same reason Postfix sends duplicate mails when a user is a recipient both individually and as a member of an alias... http://www.postfix.org/faq.html#duplicate > > MailScanner/SA will then see each recipient's copy of the message > separately, so whitelists will be applied as they were intended. The FAQ > entry explains how to do this (though the linebreaks were lost in the > html faq, so it's a bit hard to read). Basically, you just run the > incoming sendmail process with a very slightly modified config file, and > sendmail takes care of splitting the incoming mail into single recipient > messages. 
Note that this increases the load on your system too, since > each message with x recipients will be split into x messages that > MailScanner processes separately. > > FAQ entry: > http://www.sng.ecs.soton.ac.uk/mailscanner/serve/cache/169.html > > Ken A. > Pacific.Net > > > > > Steve Douglas wrote: > > >I am even more confused. As my eyes glaze over. > > > > > > > >-----Original Message----- > >From: Stephen Swaney [mailto:Steve@swaney.com] > >Sent: Tuesday, July 22, 2003 3:38 PM > >To: MAILSCANNER@JISCMAIL.AC.UK > >Subject: Re: Whitelisted > > > > > > > >Actually I placed Ken A, Pacific.Net's excellent solution for this in the > >MailScanner FAQ. > > > > > >http://www.sng.ecs.soton.ac.uk/mailscanner/serve/cache/169.html > > > > > >How easy can it get. > > > >Steve > >Steve Swaney > >steve@swaney.com > > > >On Tue, 2003-07-22 at 16:19, Derek Winkler wrote: > > > >See earlier thread on splitting messages with multiple recipients into > >messages with one recipient each as a workaround. > > > >-----Original Message----- 
> >From: Matt Kettler [ > >mailto:mkettler@EVI-INC.COM] > >Sent: Tuesday, July 22, 2003 4:16 PM > >To: MAILSCANNER@jiscmail.ac.uk > >Subject: Re: Whitelisted > > > > > >At 12:00 PM 7/22/2003 -0600, Dustin Baer wrote: > > > >>>Dustin, > >>>Maybe that is where my misunderstanding is. I thought, that would turn > > > >off > > > >>>spam filtering for that user only. Does that say anything addressed to > >> > >>that > >> > >>>user and anyone else, will go through? > >> > >>Hi Kris, > >> > >>As far as I understand MailScanner's whitelisting, if one recipient is > >>in the whitelist, all recipients receive the message. I have run into > >>your situation also, and refuse to whitelist recipient names here, if I > >>see that they receive a high volume of spam. I don't want other people > >>getting spam, just because they want their name whitelisted. > >> > >>I am sure someone will correct me, if I have mis-stated how MailScanner > >>operates its whitelist. > > > > > >That is correct. And this "problem" is a fundamental limit of running at > >the MTA layer. It's not a bug, or a mistake, it's a design tradeoff between > >flexibility and efficiency. > > > >Mailscanner runs at the MTA layer, not the MDA layer, so there is not one > >copy of the message per user when MS sees it.. there's just one message > >with many recipients. Thus MailScanner can only whitelist that one message, > >or not whitelist it. There is no such thing as "well, later when you go to > >deliver this, give these guys this copy, and that guy this other version". > >It's one message, and they'll all get the same message, all MailScanner can > >do is edit it. > > > >Running at the MTA layer is much more efficient, because you only scan the > >message once, but it inherently has limits on "per user" customization. The > >MTA layer is the ideal spot to do virus scanning, because you rarely want > >user-specific behaviors for virus scanning. 
However doing spam scanning at > >the MTA layer is somewhat limiting if you've got users that need > >"exceptions". > > > >Personally I deal with it by creating custom SpamAssassin rules instead of > >whitelists. This gives me the ability to target specific kinds of messages, > >rather than specific sources or destinations. If I have to do a whitelist, > >I try to make it a "fromto" type whitelist where it winds up narrowly > >defined. I never use To: type whitelists, and I avoid simple From: > >whitelists as well. > > > > From jrudd at UCSC.EDU Thu Jul 24 19:52:44 2003 From: jrudd at UCSC.EDU (John Rudd) Date: Thu Jan 12 21:19:03 2006 Subject: tmpfs size recommendations References: <002f01c33021$2d001520$5b426480@ad.geog.utoronto.ca> <06EE2C86D3DAD5119A6C0060943F3C97055E7000@tormail1.algorithmics.com> <002f01c33021$2d001520$5b426480@ad.geog.utoronto.ca> <5.2.0.9.2.20030611161343.044c36d0@imap.ecs.soton.ac.uk> <1059070179.3f2020e3bb8ae@webmail.MUW.Edu> Message-ID: <3F202AFC.7B36810C@ucsc.edu> Marco Obaid wrote: > > Hi, > > Below is Julian's response to similar question: > > Quoting Julian Field : > > > Use tmpfs and not ramfs and you don't need to worry about it, the OS will > > expand and contract it dynamically for you. > > mount -t tmpfs tmpfs /var/spool/MailScanner/incoming > > (but obviously put the relevant info into your /etc/fstab so it gets > > mounted at boot-time). > Though, it's a good idea to put a ceiling on the tmpfs (Solaris lets you do that, don't know about other OSes), in case some runaway process starts dumping stuff into that tmpfs (which will then affect your memory footprint for general processing). So, I think the question becomes "what's a good tmpfs ceiling?" From thomas_duvally at BROWN.EDU Thu Jul 24 19:52:36 2003 
From: thomas_duvally at BROWN.EDU (Thomas DuVally)
Date: Thu Jan 12 21:19:03 2006
Subject: Vexing problem
In-Reply-To: <1058964948.5735.9.camel@croithine>
References: <53B63D16-BC98-11D7-88FC-000393920D6C@uptime.at> <1058964948.5735.9.camel@croithine>
Message-ID: <1059072756.10225.10.camel@croithine>

On Wed, 2003-07-23 at 08:55, Thomas DuVally wrote:
> On Tue, 2003-07-22 at 19:00, David wrote:
> > On Mittwoch, Juli 23, 2003, at 12:58 Uhr, Raymond Dijkxhoorn wrote:
> >
> > > Hi!
> > >
> > >>> Everyday around peak time the upgraded system starts to get backed
> > >>> up.
> > >>> The incoming queue goes from a normal 2-4 message count up to 1000+.
> > >>> Restarting MS will begin clearing this out.
> > >>

I have been able to partially fix this issue. I have set the:

Restart Every = 3600

This has helped a lot. I any resource problems can't seem to wait the default 4 hours, so 1 hour will have to do. Not that I like the idea, but it works.

--
Thomas J. DuVally
Lead Systems Prog.
CIS, Brown Univ.
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x15F233F6

From marco at MUW.EDU Thu Jul 24 20:16:47 2003
From: marco at MUW.EDU (Marco Obaid)
Date: Thu Jan 12 21:19:03 2006
Subject: tmpfs size recommendations
In-Reply-To: <3F202AFC.7B36810C@ucsc.edu>
References: <002f01c33021$2d001520$5b426480@ad.geog.utoronto.ca> <06EE2C86D3DAD5119A6C0060943F3C97055E7000@tormail1.algorithmics.com> <002f01c33021$2d001520$5b426480@ad.geog.utoronto.ca> <5.2.0.9.2.20030611161343.044c36d0@imap.ecs.soton.ac.uk> <1059070179.3f2020e3bb8ae@webmail.MUW.Edu> <3F202AFC.7B36810C@ucsc.edu>
Message-ID: <1059074207.3f20309f21863@webmail.MUW.Edu>

Hi,

> Though, it's a good idea to put a ceiling on the tmpfs (Solaris lets you
> do that, don't know about other OSes), in case some runaway process
> starts dumping stuff into that tmpfs (which will then affect your memory
> footprint for general processing). So, I think the question becomes
> "what's a good tmpfs ceiling?"

The maximum size is half of the physical RAM. However, the half is not allocated at startup, it is used as needed, allocated out of the spare RAM that is used for IO buffers and disk cache.

I have always been told that there is not normally any reason to specify any mount options for tmpfs at all. It's best to leave the OS to manage it all for you.

Marco

_________________________________________________________________
This mail is sent through MUW Webmail: http://www.MUW.Edu/webmail
For the latest MUW Events, visit http://www.MUW.Edu/calendar

From Antony at SOFT-SOLUTIONS.CO.UK Thu Jul 24 20:00:40 2003
From: Antony at SOFT-SOLUTIONS.CO.UK (Antony Stone)
Date: Thu Jan 12 21:19:03 2006
Subject: Vexing problem
In-Reply-To: <1059072756.10225.10.camel@croithine>
References: <53B63D16-BC98-11D7-88FC-000393920D6C@uptime.at> <1058964948.5735.9.camel@croithine> <1059072756.10225.10.camel@croithine>
Message-ID: <200307241901.h6OJ1G905252@agate.rockstone.co.uk>

On Thursday 24 July 2003 7:52 pm, Thomas DuVally wrote:

> On Wed, 2003-07-23 at 08:55, Thomas DuVally wrote:
> > On Tue, 2003-07-22 at 19:00, David wrote:
> > > On Mittwoch, Juli 23, 2003, at 12:58 Uhr, Raymond Dijkxhoorn wrote:
> > > > Hi!
> > > >
> > > >>> Everyday around peak time the upgraded system starts to get backed
> > > >>> up.
> > > >>> The incoming queue goes from a normal 2-4 message count up to
> > > >>> 1000+. Restarting MS will begin clearing this out.
>
> I have been able to partial fix this issue. I have set the:
> Restart Every = 3600
>
> This has helped a lot. I any resource problems can't seem to wait the
> default 4 hours, so 1 hour will have to do. Not that I like the idea,
> but it works.

I'm not sure I understand what is wrong with setting 'Restart Every' to a fairly low value like this? Once an hour seems perfectly acceptable to me - is there any reason why performance should suffer with a setting this low, for example?

I agree that it shouldn't really be needed, but I don't see a reason not to do it.

Antony.

--
Behind the counter a boy with a shaven head stared vacantly into space, a dozen spikes of microsoft protruding from the socket behind his ear.
- William Gibson, Neuromancer (1984)

From raymond at PROLOCATION.NET Thu Jul 24 20:03:18 2003
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:19:03 2006
Subject: Vexing problem
In-Reply-To: <200307241901.h6OJ1G905252@agate.rockstone.co.uk>
Message-ID:

Hi!

> I'm not sure I understand what is wrong with setting 'Restart Every' to a
> fairly low value like this? Once an hour seems perfectly acceptable to me -
> is there any reason why performance should suffer with a setting this low,
> for example?
>
> I agree that it shouldn't really be needed, but I don't see a reason not to
> do it.

When MS is starting it will cost some resources. On a busy box you most likely want to avoid this, unless needed.

On my box it seems upgrading to the last RH9 kernel helps. I'll know for sure in a couple of days however.

Bye,
Raymond.

From mailscanner_question at COMCAST.NET Thu Jul 24 20:48:46 2003
From: mailscanner_question at COMCAST.NET (Dave Wood)
Date: Thu Jan 12 21:19:03 2006
Subject: need help with mailscanner and spamassassin
In-Reply-To:
References:
Message-ID: <3F20381E.8050908@comcast.net>

I wanted to thank everybody for their help, and sneak in one last question. Installing from Perl with the language fix worked, and I am receiving spam-scanned mail.

Finally, although I know it's not directly in the realm of this board, can anybody explain how to properly configure SA to use Razor (which I installed before SA)? Do I need to do anything?

I have a line in my spam.assassin.prefs.conf file with:
score RAZOR2_CHECK 0.0 4.0 0.0 0.880
This is just something I copied from the local.cf that was installed with the SA RPM. But somebody else had told me to use
score RAZOR2_CHECK 6
which seems to fit in more with the syntax specified in the comments of the file (and I know I can adjust the weight for that).

I saw the doc on the MS FAQ about updating the bayes engine, which I will do, I just wanted to be sure if Razor was actually being used properly.

Thanks again everybody for all your help, I'm looking forward to (mostly) spam-free days!

-- dave

From mailscanner_question at COMCAST.NET Thu Jul 24 21:35:38 2003
From: mailscanner_question at COMCAST.NET (Dave Wood)
Date: Thu Jan 12 21:19:03 2006
Subject: need help with mailscanner and spamassassin
In-Reply-To: <3F20381E.8050908@comcast.net>
References: <3F20381E.8050908@comcast.net>
Message-ID: <3F20431A.8090106@comcast.net>

Nevermind, I found this wonderful little document:
http://useast.spamassassin.org/tests.html

-- dave

Dave Wood wrote:

> I wanted to thank everybody for their help, and sneak in one last
> question. Installing from Perl with the language fix worked, and I am
> receiving spam-scanned mail.
>
> Finally, although I know it's not directly in the realm of this board,
> can anybody explain how to properly configure SA to use Razor (which I
> installed before SA)? Do I need to do anything?
>
> I have a line in my spam.assassin.prefs.conf file with:
> score RAZOR2_CHECK 0.0 4.0 0.0 0.880
> This is just something I copied from the local.cf that was installed
> with the SA RPM. But somebody else had told me to use
> score RAZOR2_CHECK 6
> which seems to fit in more with the syntax specified in the comments of
> the file (and I know I can adjust the weight for that).
>
> I saw the doc on the MS FAQ about updating the bayes engine, which I
> will do, I just wanted to be sure if Razor was actually being used
> properly.
>
> Thanks again everybody for all your help, I'm looking forward to
> (mostly) spam-free days!
>
> -- dave
>

From jrudd at UCSC.EDU Thu Jul 24 22:41:35 2003
From: jrudd at UCSC.EDU (John Rudd) Date: Thu Jan 12 21:19:03 2006 Subject: More spam after spamassain upgrade References: <007d01c351f9$a6033340$6f01a8c0@Laptop1> <1059063599.29144.230.camel@speedy> Message-ID: <3F20528F.9136982A@ucsc.edu> I'm seeing a similar problem. My production machines are running v 2.43 with MailScanner 4.11-1, and got these scores: X-UCSC-CATS-MailScanner-SpamCheck: spam, SpamAssassin (score=9.3, required 8, BIG_FONT, CLICK_BELOW, CLICK_HERE_LINK, CTYPE_JUST_HTML, FORGED_RCVD_FOUND, HEADER_8BITS, HTML_70_90, HTML_FONT_COLOR_GRAY, HTML_FONT_COLOR_UNSAFE, HTML_FONT_COLOR_YELLOW, LINES_OF_YELLING, MISSING_MIMEOLE, MSG_ID_ADDED_BY_MTA_2, PRIORITY_NO_NAME, SPAM_PHRASE_05_08, TO_LOCALPART_EQ_REAL, X_AUTH_WARNING) The same message, running through SpamAssassin 2.55 and MailScanner-4.22-5 gives these scores (I'm in the process of upgrading right now, so my test machines are running these newer versions): X-UCSC-KZIN-MailScanner-SpamCheck: not spam, SpamAssassin (score=3.6, required 5, CLICK_BELOW 0.10, HEADER_8BITS 1.18, HTML_70_80 0.51, HTML_FONT_BIG 0.27, HTML_FONT_COLOR_GRAY 0.10, HTML_FONT_COLOR_UNSAFE 0.10, HTML_LINK_CLICK_HERE 0.10, HTML_MESSAGE 0.10, MIME_HTML_ONLY 0.10, MISSING_MIMEOLE 0.50, MSG_ID_ADDED_BY_MTA_2 0.40, PRIORITY_NO_NAME 0.46, X_AUTH_WARNING -0.40) The current Spam Assassin looks like it has assigned 0's to the LINES_OF_YELLING scores, for example. (the spam in question, for those scores, was a gold and silver investment blurb) I wonder if it has something to do with which SA options mailscanner is assuming (bayes, etc.), which might not be selecting the best possible score sets. > Stephen Swaney wrote: > > Sanjay, > > I believe that you should be at version 2.55 of SpamAssassin. This > should make a difference. > > Steve > Steve Swaney > Steve@Swaney.com > > On Thu, 2003-07-24 at 11:38, Sanjay K. Patel wrote: > > > Thanks for the response, > > Here are the headers. 
I am using version 2.52 > > > > SpamCheck: not spam, SpamAssassin (score=0.4, required 5, > > FOR_JUST_SOME_AMT 0.18, HTML_50_60 0.10, HTML_FONT_BIG 0.22, > > HTML_FONT_COLOR_BLUE 0.10, HTML_FONT_COLOR_GRAY 0.10, > > HTML_FONT_COLOR_RED 0.10, HTML_WEB_BUGS 0.10, > > ORIGINAL_MESSAGE -0.50) > > > > This was the normal buy Norton junk. It should have scored higher. > > > > SKP > > > > -----Original Message----- > > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf > > Of Martin Sapsed > > Sent: Thursday, July 24, 2003 7:23 AM > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: Re: More spam after spamassain upgrade > > > > > > Sanjay K. Patel wrote: > > > We are seeing more spam getting through after upgrading spam assassin to > > the > > > latest version. Even the buy Norton cheap spam is getting through. All the > > > spam scores below our threshold of 5. > > > > > > Have the spammers got smarter or do we need to fine tune something? > > > > Can you post the headers for e.g. a "buy Norton cheap" message which got > > through - the categories SA lists might help us to advise you. Which > > version do you mean by "the latest version"? What platform? What version > > of MailScanner etc etc > > > > I'm using a copy of 2.60 from a little while ago along with DCC (with > > it's score raised) and virtually nothing gets passed that. > > > > Cheers > > > > Martin > > > > -- > > Martin Sapsed > > Information Services "Who do you say I am?" > > University of Wales, Bangor Jesus of Nazareth > > From TGFurnish at HERFF-JONES.COM Thu Jul 24 22:45:33 2003 From: TGFurnish at HERFF-JONES.COM (Furnish, Trever G) Date: Thu Jan 12 21:19:03 2006 Subject: Change request - prohibited vs infected Message-ID: <8FFC76593085ED4A80D3601BC41EFCDF8E1A25@inex1.herffjones.hj-int> Um, ditto. :-) >-----Original Message----- 
>From: Paul [mailto:zen23003@ZEN.CO.UK] >Sent: Tuesday, July 22, 2003 3:56 AM >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Change request - prohibited vs infected > > >Various file types are listed in filetype.rules.conf. The >problem I have is >that these files trigger a virus warning message when in fact these are >simply prohibited file types. So too, the message header gets >"X-MailScanner: Found to be infected" inserted into it. > >The same is true of prohibited file names (as specified in >filename.rules.conf). > >What brought this to my attention was the default ban on movie files in >filetype.rules.conf . These, unlike .pif, .scr and .exe etc are rarely >infected. > >What I'd like to have is the ability to specify a different value for >"X-MailScanner:" for prohibited file types and names, eg, >"Prohibited file >type" and "Prohibited file name". > From Steve at swaney.com Thu Jul 24 22:49:16 2003 
From: Steve at swaney.com (Stephen Swaney)
Date: Thu Jan 12 21:19:04 2006
Subject: Sendmail - Multiple recipient and white-black listing
In-Reply-To: <3963522F0E71474CB14C0FF54A6914F70142FA69@mail.gardenbotanika.com>
References: <3963522F0E71474CB14C0FF54A6914F70142FA69@mail.gardenbotanika.com>
Message-ID: <1059083356.29144.411.camel@speedy>

I've found more detailed directions on implementing Sendmail Extended Queue Groups, the sendmail feature you need to break email to multiple recipients up into messages to individual recipients. This allows MailScanner to apply individual user preferences to each recipient of the message, not only the first recipient.

The better reference:

http://www.murty.net/qgrpx/

NOTE: this reference implies that this "Feature" is only available in sendmail versions 8.12.x. but this may apply only to the implementation of the queuegroupx.m4 macro. I don't know if this means that the "snip" directions in the faq-o-matic will not work with sendmail versions earlier than 8.12. Any sendmail experts who can comment on this - please do.

These directions allow you to implement this feature by using the m4 macros to generate the sendmail.cf file which is my preferred way to build the sendmail.cf file. (no snip cut paste and hurt yourself) .

I need to get this implemented in the next week and will try and post a full description to the faq-o-matic as soon as I have it tested.

Steve
Steve@Swaney.com

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030724/f7a26ef7/attachment.html

From raymond at PROLOCATION.NET Thu Jul 24 23:02:31 2003
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:19:04 2006
Subject: Whitelisted
In-Reply-To: <1059064283.29144.238.camel@speedy>
Message-ID:

Hi!

> Here's what I did. If any sendmail gurus out there think this is a bad
> idea, please let me know what a mess I've made of things :-)
>
> 1) Start the incoming sendmail with a different config file.
> Changes to /etc/rc.d/init.d/MailScanner (from rpm install on redhat)
> make this change to the incoming sendmail command line:

Uhm, what does the user 'see' ?

If I send in a mail, to 5 users, he sees just one or ?
If he now replies ? He only replies to the sender, and not to the 4 others, since those are stripped, or am I missing something here ?

I think you will break more than you win here.

Bye,
Raymond.

From Steve at swaney.com Thu Jul 24 23:05:12 2003
From: Steve at swaney.com (Stephen Swaney) Date: Thu Jan 12 21:19:04 2006 Subject: More spam after spamassain upgrade In-Reply-To: <3F20528F.9136982A@ucsc.edu> References: <007d01c351f9$a6033340$6f01a8c0@Laptop1> <1059063599.29144.230.camel@speedy> <3F20528F.9136982A@ucsc.edu> Message-ID: <1059084311.29144.425.camel@speedy> This will not be too helpful in solving your problems but it does show that spam detection is working on some systems. We're running MailScanner SpamAssassin 2.55 and MailScanner-4.22-5 on a Red Hat Enterprise 2.1 system that is a spampot. It gets NOTHING but spam. We have fed a lot of the spam to the Bayesian filter and this has improved our detection rate a bit. The spam threshold is set to 5 and High Spam is set to 10. A quick look at 1/2 days stats: Processed: 5052 24.6Mb Spam: 5022 99.4% High Scoring Spam: 2737 54.2% Looks like it's missing .6% of today's junk. Another interesting static is the average size of a Spam message is 4.869 KB Steve Steve@Swaney.com On Thu, 2003-07-24 at 17:41, John Rudd wrote: > I'm seeing a similar problem. 
My production machines are running v 2.43 > with MailScanner 4.11-1, and got these scores: > > X-UCSC-CATS-MailScanner-SpamCheck: spam, SpamAssassin (score=9.3, > required 8, > BIG_FONT, CLICK_BELOW, CLICK_HERE_LINK, CTYPE_JUST_HTML, > FORGED_RCVD_FOUND, HEADER_8BITS, HTML_70_90, > HTML_FONT_COLOR_GRAY, > HTML_FONT_COLOR_UNSAFE, HTML_FONT_COLOR_YELLOW, > LINES_OF_YELLING, > MISSING_MIMEOLE, MSG_ID_ADDED_BY_MTA_2, PRIORITY_NO_NAME, > SPAM_PHRASE_05_08, TO_LOCALPART_EQ_REAL, X_AUTH_WARNING) > > > The same message, running through SpamAssassin 2.55 and > MailScanner-4.22-5 gives these scores (I'm in the process of upgrading > right now, so my test machines are running these newer versions): > > X-UCSC-KZIN-MailScanner-SpamCheck: not spam, SpamAssassin (score=3.6, > required 5, CLICK_BELOW 0.10, HEADER_8BITS 1.18, HTML_70_80 > 0.51, > HTML_FONT_BIG 0.27, HTML_FONT_COLOR_GRAY 0.10, > HTML_FONT_COLOR_UNSAFE 0.10, HTML_LINK_CLICK_HERE 0.10, > HTML_MESSAGE 0.10, MIME_HTML_ONLY 0.10, MISSING_MIMEOLE 0.50, > MSG_ID_ADDED_BY_MTA_2 0.40, PRIORITY_NO_NAME 0.46, > X_AUTH_WARNING -0.40) > > > The current Spam Assassin looks like it has assigned 0's to the > LINES_OF_YELLING scores, for example. > > (the spam in question, for those scores, was a gold and silver > investment blurb) > > I wonder if it has something to do with which SA options mailscanner is > assuming (bayes, etc.), which might not be selecting the best possible > score sets. > > > > Stephen Swaney wrote: > > > > Sanjay, > > > > I believe that you should be at version 2.55 of SpamAssassin. This > > should make a difference. > > > > Steve > > Steve Swaney > > Steve@Swaney.com > > > > On Thu, 2003-07-24 at 11:38, Sanjay K. Patel wrote: > > > > > Thanks for the response, > > > Here are the headers. 
I am using version 2.52 > > > > > > SpamCheck: not spam, SpamAssassin (score=0.4, required 5, > > > FOR_JUST_SOME_AMT 0.18, HTML_50_60 0.10, HTML_FONT_BIG 0.22, > > > HTML_FONT_COLOR_BLUE 0.10, HTML_FONT_COLOR_GRAY 0.10, > > > HTML_FONT_COLOR_RED 0.10, HTML_WEB_BUGS 0.10, > > > ORIGINAL_MESSAGE -0.50) > > > > > > This was the normal buy Norton junk. It should have scored higher. > > > > > > SKP > > > > > > -----Original Message----- > > > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf > > > Of Martin Sapsed > > > Sent: Thursday, July 24, 2003 7:23 AM > > > To: MAILSCANNER@JISCMAIL.AC.UK > > > Subject: Re: More spam after spamassain upgrade > > > > > > > > > Sanjay K. Patel wrote: > > > > We are seeing more spam getting through after upgrading spam assassin to > > > the > > > > latest version. Even the buy Norton cheap spam is getting through. All the > > > > spam scores below our threshold of 5. > > > > > > > > Have the spammers got smarter or do we need to fine tune something? > > > > > > Can you post the headers for e.g. a "buy Norton cheap" message which got > > > through - the categories SA lists might help us to advise you. Which > > > version do you mean by "the latest version"? What platform? What version > > > of MailScanner etc etc > > > > > > I'm using a copy of 2.60 from a little while ago along with DCC (with > > > it's score raised) and virtually nothing gets passed that. > > > > > > Cheers > > > > > > Martin > > > > > > -- > > > Martin Sapsed > > > Information Services "Who do you say I am?" > > > University of Wales, Bangor Jesus of Nazareth > > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030724/5a2e2f8f/attachment.html From ka at PACIFIC.NET Thu Jul 24 23:15:42 2003 
From: ka at PACIFIC.NET (Ken Anderson)
Date: Thu Jan 12 21:19:04 2006
Subject: Whitelisted
In-Reply-To:
References:
Message-ID: <3F205A8E.2070104@pacific.net>

Raymond Dijkxhoorn wrote:
> Hi!
>
>
>>Here's what I did. If any sendmail gurus out there think this is a bad
>>idea, please let me know what a mess I've made of things :-)
>>
>>1) Start the incoming sendmail with a different config file.
>>Changes to /etc/rc.d/init.d/MailScanner (from rpm install on redhat)
>>make this change to the incoming sendmail command line:
>
>
> Uhm, what does the user 'see' ?
>
> If I send in a mail, to 5 users, he sees just one or ?
> If he now replies ? He only replies to the sender, and not to the 4
> others, since those are stripped, or am I missing something here ?
>
> I think you will break more than you win here.
>
> Bye,
> Raymond.
>
>

No you don't lose anything from the header. It's cloned for all copies of the message.

Ken

From raymond at PROLOCATION.NET Thu Jul 24 23:18:18 2003
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:19:04 2006
Subject: Whitelisted
In-Reply-To: <3F205A8E.2070104@pacific.net>
Message-ID:

Hi!

> > If he now replies ? He only replies to the sender, and not to the 4
> > others, since those are stripped, or am I missing something here ?
> >
> > I think you will break more than you win here.

> No you don't lose anything from the header. It's cloned for all copies
> of the message.

Could you draw this for me ? If you clone all the headers you deliver 5 times when you have a machine as relay or ? I guess this only works for local delivery ?

Bye,
Raymond.

From jase at SENSIS.COM Thu Jul 24 23:18:28 2003
From: jase at SENSIS.COM (Desai, Jason)
Date: Thu Jan 12 21:19:04 2006
Subject: More spam after spamassain upgrade
Message-ID:

I think that SpamAssassin has four sets of scores:

* Local
* Net
* Bayes
* Bayes + Net

So I highly recommend using DCC and Razor2, especially if you are doing rbl lookups in SpamAssassin, since many tests in Net and Bayes + Net score lower than Local or Bayes.

Jason

> -----Original Message-----
> From: John Rudd [mailto:jrudd@UCSC.EDU] > Sent: Thursday, July 24, 2003 5:42 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: [MAILSCANNER] More spam after spamassain upgrade > > > I'm seeing a similar problem. My production machines are > running v 2.43 > with MailScanner 4.11-1, and got these scores: > > X-UCSC-CATS-MailScanner-SpamCheck: spam, SpamAssassin (score=9.3, > required 8, > BIG_FONT, CLICK_BELOW, CLICK_HERE_LINK, CTYPE_JUST_HTML, > FORGED_RCVD_FOUND, HEADER_8BITS, HTML_70_90, > HTML_FONT_COLOR_GRAY, > HTML_FONT_COLOR_UNSAFE, HTML_FONT_COLOR_YELLOW, > LINES_OF_YELLING, > MISSING_MIMEOLE, MSG_ID_ADDED_BY_MTA_2, PRIORITY_NO_NAME, > SPAM_PHRASE_05_08, TO_LOCALPART_EQ_REAL, X_AUTH_WARNING) > > > The same message, running through SpamAssassin 2.55 and > MailScanner-4.22-5 gives these scores (I'm in the process of upgrading > right now, so my test machines are running these newer versions): > > X-UCSC-KZIN-MailScanner-SpamCheck: not spam, SpamAssassin (score=3.6, > required 5, CLICK_BELOW 0.10, HEADER_8BITS 1.18, HTML_70_80 > 0.51, > HTML_FONT_BIG 0.27, HTML_FONT_COLOR_GRAY 0.10, > HTML_FONT_COLOR_UNSAFE 0.10, HTML_LINK_CLICK_HERE 0.10, > HTML_MESSAGE 0.10, MIME_HTML_ONLY 0.10, MISSING_MIMEOLE 0.50, > MSG_ID_ADDED_BY_MTA_2 0.40, PRIORITY_NO_NAME 0.46, > X_AUTH_WARNING -0.40) > > > The current Spam Assassin looks like it has assigned 0's to the > LINES_OF_YELLING scores, for example. > > (the spam in question, for those scores, was a gold and silver > investment blurb) > > I wonder if it has something to do with which SA options > mailscanner is > assuming (bayes, etc.), which might not be selecting the best possible > score sets. > > > > Stephen Swaney wrote: > > > > Sanjay, > > > > I believe that you should be at version 2.55 of SpamAssassin. This > > should make a difference. > > > > Steve > > Steve Swaney > > Steve@Swaney.com > > > > On Thu, 2003-07-24 at 11:38, Sanjay K. Patel wrote: > > > > > Thanks for the response, > > > Here are the headers. 
I am using version 2.52 > > > > > > SpamCheck: not spam, SpamAssassin (score=0.4, required 5, > > > FOR_JUST_SOME_AMT 0.18, HTML_50_60 0.10, > HTML_FONT_BIG 0.22, > > > HTML_FONT_COLOR_BLUE 0.10, HTML_FONT_COLOR_GRAY 0.10, > > > HTML_FONT_COLOR_RED 0.10, HTML_WEB_BUGS 0.10, > > > ORIGINAL_MESSAGE -0.50) > > > > > > This was the normal buy Norton junk. It should have scored higher. > > > > > > SKP > > > > > > -----Original Message----- > > > From: MailScanner mailing list > [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf > > > Of Martin Sapsed > > > Sent: Thursday, July 24, 2003 7:23 AM > > > To: MAILSCANNER@JISCMAIL.AC.UK > > > Subject: Re: More spam after spamassain upgrade > > > > > > > > > Sanjay K. Patel wrote: > > > > We are seeing more spam getting through after upgrading > spam assassin to > > > the > > > > latest version. Even the buy Norton cheap spam is > getting through. All the > > > > spam scores below our threshold of 5. > > > > > > > > Have the spammers got smarter or do we need to fine > tune something? > > > > > > Can you post the headers for e.g. a "buy Norton cheap" > message which got > > > through - the categories SA lists might help us to advise > you. Which > > > version do you mean by "the latest version"? What > platform? What version > > > of MailScanner etc etc > > > > > > I'm using a copy of 2.60 from a little while ago along > with DCC (with > > > it's score raised) and virtually nothing gets passed that. > > > > > > Cheers > > > > > > Martin > > > > > > -- > > > Martin Sapsed > > > Information Services "Who do you say I am?" > > > University of Wales, Bangor Jesus of Nazareth > > > > From TGFurnish at HERFF-JONES.COM Thu Jul 24 23:44:56 2003 
From: TGFurnish at HERFF-JONES.COM (Furnish, Trever G)
Date: Thu Jan 12 21:19:04 2006
Subject: What do you monitor and alert on for your mailscanner system?
Message-ID: <8FFC76593085ED4A80D3601BC41EFCDF0C073B@inex1.herffjones.hj-int>

I am wondering what the group generally monitors in order to detect problems with a mailscanner relay (ie things that should cause an alert to be sent to an admin).

My system is probably a bit more isolated than most - my deployment (currently only testing) will *only* be intended for inbound mail filtering, no outbound delivery (not even for "no such user" bounces, if I can prevent it), so my list may not make sense in situations that handle outbound mail, but here are the conditions I'm planning to alert on so far - have I missed anything you monitor on your system?

Failure conditions to alert on:
- Abnormally large inbound or outbound mailq.
- Deferred messages in the outbound mailq. (I deliver only to an internal server over a lan link.)
- Deferred messages in the inbound mailq. (Not sure that even is possible.)
- Old messages in the inbound or outbound mailqs (ie they haven't been accessed or modified in a while)
- MailScanner process count (too high or too low)
- Inbound sendmail process count.
- Outbound sendmail queue runner (not sure how to differentiate in vs out yet though)
- System unreachable via ping, smtp, http, or ssh (or whatever other methods are appropriate for your system)
- Low disk space.
- High swap usage.
- High load average (especially anything nearing sendmail's deferral load average).
- High process count.
- Dmesg errors (sends the dmesg output from the box to a monitoring device).
- High filtering percentages (ie 100% spam).
- Low filtering percentages (ie 10% spam).
- Round trip of test messages - ie send a message to a bounceback address and expect it to return within X minutes. Could also check to be sure a mailscanner header was found in the return message.

Any suggestions for other things I could check?
If it breaks, I want to know *before* anyone else does. :-) From jrudd at UCSC.EDU Fri Jul 25 00:08:33 2003 From: jrudd at UCSC.EDU (John Rudd) Date: Thu Jan 12 21:19:04 2006 Subject: More spam after spamassain upgrade In-Reply-To: Message-ID: Given our configuration, it makes more sense for me to be try to remember how to specify that it should use the Local rule set and not the others, and then see which MailScanner is using. We don't do any net checks, and I'm not planning to set up Bayes for these machines just yet. If MS is defaulting to one of the other rule sets, then that may very well account for the issue I'm seeing. On Thursday, Jul 24, 2003, at 15:18 US/Pacific, Desai, Jason wrote: > > I think that SpamAssassin has for sets of scores: > > * Local > * Net > * Bayes > * Bayes + Net > > So I highly recomend using DCC and Razor2, especially if you are doing > rbl > lookups in SpamAssassin, since many tests in Net and Bayes + Net score > lower > than Local or Bayes. > > Jason > >> -----Original Message----- 
>> From: John Rudd [mailto:jrudd@UCSC.EDU] >> Sent: Thursday, July 24, 2003 5:42 PM >> To: MAILSCANNER@JISCMAIL.AC.UK >> Subject: Re: [MAILSCANNER] More spam after spamassain upgrade >> >> >> I'm seeing a similar problem. My production machines are >> running v 2.43 >> with MailScanner 4.11-1, and got these scores: >> >> X-UCSC-CATS-MailScanner-SpamCheck: spam, SpamAssassin (score=9.3, >> required 8, >> BIG_FONT, CLICK_BELOW, CLICK_HERE_LINK, CTYPE_JUST_HTML, >> FORGED_RCVD_FOUND, HEADER_8BITS, HTML_70_90, >> HTML_FONT_COLOR_GRAY, >> HTML_FONT_COLOR_UNSAFE, HTML_FONT_COLOR_YELLOW, >> LINES_OF_YELLING, >> MISSING_MIMEOLE, MSG_ID_ADDED_BY_MTA_2, PRIORITY_NO_NAME, >> SPAM_PHRASE_05_08, TO_LOCALPART_EQ_REAL, X_AUTH_WARNING) >> >> >> The same message, running through SpamAssassin 2.55 and >> MailScanner-4.22-5 gives these scores (I'm in the process of upgrading >> right now, so my test machines are running these newer versions): >> >> X-UCSC-KZIN-MailScanner-SpamCheck: not spam, SpamAssassin (score=3.6, >> required 5, CLICK_BELOW 0.10, HEADER_8BITS 1.18, HTML_70_80 >> 0.51, >> HTML_FONT_BIG 0.27, HTML_FONT_COLOR_GRAY 0.10, >> HTML_FONT_COLOR_UNSAFE 0.10, HTML_LINK_CLICK_HERE 0.10, >> HTML_MESSAGE 0.10, MIME_HTML_ONLY 0.10, MISSING_MIMEOLE 0.50, >> MSG_ID_ADDED_BY_MTA_2 0.40, PRIORITY_NO_NAME 0.46, >> X_AUTH_WARNING -0.40) >> >> >> The current Spam Assassin looks like it has assigned 0's to the >> LINES_OF_YELLING scores, for example. >> >> (the spam in question, for those scores, was a gold and silver >> investment blurb) >> >> I wonder if it has something to do with which SA options >> mailscanner is >> assuming (bayes, etc.), which might not be selecting the best possible >> score sets. >> >> >>> Stephen Swaney wrote: >>> >>> Sanjay, >>> >>> I believe that you should be at version 2.55 of SpamAssassin. This >>> should make a difference. >>> >>> Steve >>> Steve Swaney >>> Steve@Swaney.com >>> >>> On Thu, 2003-07-24 at 11:38, Sanjay K. 
Patel wrote: >>> >>>> Thanks for the response, >>>> Here are the headers. I am using version 2.52 >>>> >>>> SpamCheck: not spam, SpamAssassin (score=0.4, required 5, >>>> FOR_JUST_SOME_AMT 0.18, HTML_50_60 0.10, >> HTML_FONT_BIG 0.22, >>>> HTML_FONT_COLOR_BLUE 0.10, HTML_FONT_COLOR_GRAY 0.10, >>>> HTML_FONT_COLOR_RED 0.10, HTML_WEB_BUGS 0.10, >>>> ORIGINAL_MESSAGE -0.50) >>>> >>>> This was the normal buy Norton junk. It should have scored higher. >>>> >>>> SKP >>>> >>>> -----Original Message----- >>>> From: MailScanner mailing list >> [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf >>>> Of Martin Sapsed >>>> Sent: Thursday, July 24, 2003 7:23 AM >>>> To: MAILSCANNER@JISCMAIL.AC.UK >>>> Subject: Re: More spam after spamassain upgrade >>>> >>>> >>>> Sanjay K. Patel wrote: >>>>> We are seeing more spam getting through after upgrading >> spam assassin to >>>> the >>>>> latest version. Even the buy Norton cheap spam is >> getting through. All the >>>>> spam scores below our threshold of 5. >>>>> >>>>> Have the spammers got smarter or do we need to fine >> tune something? >>>> >>>> Can you post the headers for e.g. a "buy Norton cheap" >> message which got >>>> through - the categories SA lists might help us to advise >> you. Which >>>> version do you mean by "the latest version"? What >> platform? What version >>>> of MailScanner etc etc >>>> >>>> I'm using a copy of 2.60 from a little while ago along >> with DCC (with >>>> it's score raised) and virtually nothing gets passed that. >>>> >>>> Cheers >>>> >>>> Martin >>>> >>>> -- >>>> Martin Sapsed >>>> Information Services "Who do you say I am?" >>>> University of Wales, Bangor Jesus of Nazareth >>>> >> From mkettler at EVI-INC.COM Fri Jul 25 00:16:14 2003 
From: mkettler at EVI-INC.COM (Matt Kettler)
Date: Thu Jan 12 21:19:04 2006
Subject: More spam after spamassain upgrade
In-Reply-To: <007d01c351f9$a6033340$6f01a8c0@Laptop1>
References: <3F1FC186.7060302@bangor.ac.uk>
Message-ID: <5.2.1.1.0.20030724190341.01abbe50@xanadu.evi-inc.com>

At 11:38 AM 7/24/2003 -0400, Sanjay K. Patel wrote:
>Here are the headers. I am using version 2.52

OUCH..Do not under any condition use Spamassassin versions 2.50-2.53 for production purposes if you are concerned about false negatives.

The scoresets in these versions are VERY easily abused by spammers for self whitelisting. This is an EXTREMELY well known and easily exploited problem, and is the whole reason 2.54 got a new scoreset. It is the infamous bug 1589 that causes it. The effects of this bug were reported on the SA-talk list at least 3 times a day during the period while it was being fixed.

http://bugzilla.spamassassin.org/show_bug.cgi?id=1589

Now, the example message you posted isn't suffering from this problem, but you really are begging for false negatives by running 2.52.

It's also pretty well known that the ruleset in the 2.5x family is considerably weaker than the later part of the 2.4x family. But the ruleset weaknesses are largely made up for by the power of bayes, and are mostly a result of the developers focusing on getting bayes added instead of new rules while writing 2.50.

If you're going to use 2.5x, train your bayes DB, it helps a lot.

From michael at ERG.ABDN.AC.UK Fri Jul 25 00:30:35 2003
From: michael at ERG.ABDN.AC.UK (Michael Forrest)
Date: Thu Jan 12 21:19:04 2006
Subject: Client's IP in the sender messages
Message-ID: <000001c3523b$98ff1d70$276b7ad5@enterprise>

Hi all,

I was wondering if it would be possible to include the client's IP address in say the sender.spam.sa.report.txt

A wee snippet from the file would be :-

   To: $to
   Date: $date
   Subject: $subject
   Originating IP: $clientip

I had a wee peek through the code and found a variable called $clientip, although it doesn't appear to do what I thought it did. All I want is to include the ip address of where the message originated.

Anyone got any thoughts?

Michael.

From shawn at ADVANCEDMANAGED.COM Fri Jul 25 00:45:40 2003
From: shawn at ADVANCEDMANAGED.COM (Shawn)
Date: Thu Jan 12 21:19:04 2006
Subject: more white/black list ?s
In-Reply-To: <000001c3523b$98ff1d70$276b7ad5@enterprise>
Message-ID: <001e01c3523d$b092cfc0$0f00010a@station>

Thanks for the help so far, this list has been great.

I am looking at mailscanner white\black listing now. I want both global and user specific lists. My servers are just relays. So if I implement byemail white/black lists in MailScanner and then use spam.assassin.prefs.conf for globals this looks like it will do what I want. Is there a better way?

Looks like I'll have to implement the breaking up of recipients also.

Thanks,
shawn

From santialf at DNS.UCNET.COM.MX Fri Jul 25 00:46:41 2003
From: santialf at DNS.UCNET.COM.MX (J. Alfredo Santillán Ramos)
Date: Thu Jan 12 21:19:04 2006
Subject: init script for Solaris
In-Reply-To:
References:
Message-ID: <1059090401.3f206fe10b4cc@correo.ucnet.com.mx>

Quoting Derrick Georgiades :

> These work on Solaris 9, should work fine for 8.

Derrick, thank you very much for sharing your scripts.

Regards,

---
J. Santillán R.

From mkettler at EVI-INC.COM Fri Jul 25 01:38:08 2003
From: mkettler at EVI-INC.COM (Matt Kettler)
Date: Thu Jan 12 21:19:04 2006
Subject: Client's IP in the sender messages
In-Reply-To: <000001c3523b$98ff1d70$276b7ad5@enterprise>
Message-ID: <5.2.1.1.0.20030724203225.01522cf0@xanadu.evi-inc.com>

At 12:30 AM 7/25/2003 +0100, Michael Forrest wrote:
>address in say the sender.spam.sa.report.txt
>
>A wee snippet from the file would be :-
>
> To: $to
> Date: $date
> Subject: $subject
> Originating IP: $clientip
>
>I had a wee peek through the code and found a variable called $clientip,
>although it doesn't appear to do what I thought it did. All I want is to
>include the ip address of where the message originated.
>
>Anyone got any thoughts?

Hmm, could you clarify your expectations? Reliably determining the originating IP of a spam message isn't possible. The only thing you can reliably determine is who dropped it off at your MX. Is that what you were looking for?

From ka at PACIFIC.NET Fri Jul 25 02:21:04 2003
From: ka at PACIFIC.NET (Ken Anderson)
Date: Thu Jan 12 21:19:04 2006
Subject: Whitelisted
In-Reply-To:
References:
Message-ID: <3F208600.7080606@pacific.net>

I can tell you that it works quite well for relays, since that's how we use it for 600k messages a day and yes of course it increases the load on your server(s) since you have duplicate(x) deliveries. Keep in mind that queue groups are a sendmail feature, this isn't a hack, so you can expect that the coders of sendmail did a good job testing and polishing the way the queue groups feature works. I'd advise you to test it yourself and see if it meets your needs.

Ken A.

Raymond Dijkxhoorn wrote:
> Hi!
>
>
>>>If he now replies ? He only replies to the sender, and not to the 4
>>>others, since those are stripped, or am i missing something here ?
>>>
>>>I think you will break more than you win here.
>
>
>>No you don't lose anything from the header. It's cloned for all copies
>>of the message.
>
>
> Could you draw this for me ? If you clone all the headers you deliver 5
> times when you have a machine as relay or ? I guess this only works for
> local delivery ?
>
> Bye,
> Raymond.
>
>

From michael at ERG.ABDN.AC.UK Fri Jul 25 08:16:32 2003
From: michael at ERG.ABDN.AC.UK (Michael Forrest)
Date: Thu Jan 12 21:19:04 2006
Subject: Re Client's IP in the sender messages
Message-ID: <000a01c3527c$adb2bba0$3c00000a@enterprise>

>>address in say the sender.spam.sa.report.txt
>>
>>A wee snippet from the file would be :-
>>
>> To: $to
>> Date: $date
>> Subject: $subject
>> Originating IP: $clientip
>>
>>I had a wee peek through the code and found a variable called $clientip,
>>although it doesn't appear to do what I thought it did. All I want is to
>>include the ip address of where the message originated.
>>
>>Anyone got any thoughts?

At 20:38 24/7/2003, Matt Kettler wrote:
>Hmm, could you clarify your expectations? Reliably determining the
>originating IP of a spam message isn't possible. The only thing you can
>reliably determine is who dropped it off at your MX. Is that what you were
>looking for?

Yeah that would be sufficient. The problem I am facing at the moment, is that spammers are spoofing our addresses. My boss received a message from our mailserver saying that he had sent spam to someone else within our domain and via our bounce,delete (our mailserver deleted it due to a high spamassassin score and he received a bounce msg back). So if the message had an ip address in it, to say that client 139.133.207.102 dropped the message off to the mailserver, then the confusion over who sent the message would be reduced. He actually thought for a while that he had sent it himself, then got all hot and bothered thinking that someone was using his email addy....the story gets stranger as it goes on :-)

Anyway, does anyone have any ideas of how to include that ip address in the sender reports?

Thanks,
Michael.

From Jan-Peter.Koopmann at SECEIDOS.DE Fri Jul 25 09:18:40 2003
From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann)
Date: Thu Jan 12 21:19:04 2006
Subject: ClamAV autoupdate Question
Message-ID:

Hi,

when I am doing a clamav-autoupdate here is what I get:

ERROR: Can't connect to port 80 of host clamav.elektrapro.com
ERROR: Connection with clamav.elektrapro.com failed.
ERROR: Can't write to file /usr/local/share/clamav/mirror !

The databases seem to have updated though (at least the viruses.db2 has). One of the mirrors worked.
Two questions though:

1. Is it correct that only viruses.db2 gets updated (date Jul 25 02:00 while viruses.db is still Jul 18 15:22 and is a lot smaller)?
2. Why the error message?

Any ideas?

Thanks,
JP

From Antony at SOFT-SOLUTIONS.CO.UK Fri Jul 25 09:26:09 2003
From: Antony at SOFT-SOLUTIONS.CO.UK (Antony Stone)
Date: Thu Jan 12 21:19:04 2006
Subject: ClamAV autoupdate Question
In-Reply-To:
References:
Message-ID: <200307250826.h6P8Qk905509@agate.rockstone.co.uk>

On Friday 25 July 2003 9:18 am, Jan-Peter Koopmann wrote:

> Hi,
>
> when I am doing a clamav-autoupdate here is what I get:
>
> ERROR: Can't connect to port 80 of host clamav.elektrapro.com
> ERROR: Connection with clamav.elektrapro.com failed.
> ERROR: Can't write to file /usr/local/share/clamav/mirror !
>
> The databases seem to have updated though (at least the viruses.db2
> has). One of the mirrors worked.
> Two questions though:
>
> 1. Is it correct that only viruses.db2 gets updated (date Jul 25 02:00
> while viruses.db is still Jul 18 15:22 and is a lot smaller)?

Viruses.db2 does get updated more often than viruses.db, but viruses.db is the bigger file.

My system currently holds:

viruses.db 1222321 bytes July 8 02:31
viruses.db2 28222 bytes July 25 02:30

> 2. Why the error message?

1. Can your machine connect to anywhere on port 80? Do you have some firewalling in place perhaps?

2. Can you connect from some other machine using a web browser to http://clamav.elektrapro.com ?

The site is occasionally down, and the current version/s of clamav use a file /usr/local/share/clamav/mirrors.txt to specify alternative download locations.

Antony.

--
Anyone that's normal doesn't really achieve much.
 - Mark Blair, Australian rocket engineer

From m.sapsed at BANGOR.AC.UK Fri Jul 25 10:01:08 2003
From: m.sapsed at BANGOR.AC.UK (Martin Sapsed)
Date: Thu Jan 12 21:19:04 2006
Subject: More spam after spamassain upgrade
References: <007d01c351f9$a6033340$6f01a8c0@Laptop1>
Message-ID: <3F20F1D4.5000606@bangor.ac.uk>

Sanjay K. Patel wrote:
> Thanks for the response,
> Here are the headers. I am using version 2.52
>
> SpamCheck: not spam, SpamAssassin (score=0.4, required 5,
> FOR_JUST_SOME_AMT 0.18, HTML_50_60 0.10, HTML_FONT_BIG 0.22,
> HTML_FONT_COLOR_BLUE 0.10, HTML_FONT_COLOR_GRAY 0.10,
> HTML_FONT_COLOR_RED 0.10, HTML_WEB_BUGS 0.10,
> ORIGINAL_MESSAGE -0.50)
>
> This was the normal buy Norton junk. It should have scored higher.

I think you'll have gathered by now that 2.52 is far from the "latest version". I've found 2.60 (still not released) to be solid so far and very good at spotting spam, especially when combined with DCC which was a breeze to install (I've upped the DCC score though from the default.) We didn't work out a sensible way of training Bayes and found it was reducing the spam score far too often!

Cheers,

Martin

--
Martin Sapsed
Information Services               "Who do you say I am?"
University of Wales, Bangor             Jesus of Nazareth

From m.sapsed at BANGOR.AC.UK Fri Jul 25 10:08:34 2003
From: m.sapsed at BANGOR.AC.UK (Martin Sapsed)
Date: Thu Jan 12 21:19:04 2006
Subject: Mailscanner corrupting pdf files
References:
Message-ID: <3F20F392.9010408@bangor.ac.uk>

Plant, Dean wrote:
> I have a little more time to look at this and you're correct about the
> virus scanning not being at fault. I forgot to mention that the
> Mailscanner adds a disclaimer, turning off the disclaimer stops the
> corruption of the pdf.
>
> I found the below link which talks about a similar problem with
> mimedefang / Exchange & MIME::Tools.
>
> http://lists.roaringpenguin.com/pipermail/mimedefang/2003-June/005988.html
>
> Does anyone know if this could happen within mailscanner?

That sounds more plausible. I don't quite know how the disclaimer is added but it is feasible that the process of doing that is causing the problem. Patching Exchange to behave properly (i.e. base64'ing PDF's) seems the most sensible route, although I realise that there is a lot of experience in adapting Unix programs to cater for the weirdness of Bill-ware! ;-)

Am I right in thinking Julian's back next week? He will understand what's going on here...

Cheers,

Martin

--
Martin Sapsed
Information Services               "Who do you say I am?"
University of Wales, Bangor             Jesus of Nazareth

From Jan-Peter.Koopmann at SECEIDOS.DE Fri Jul 25 10:09:42 2003
From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann)
Date: Thu Jan 12 21:19:04 2006
Subject: ClamAV autoupdate Question
Message-ID:

Hi,

> Viruses.db2 does get updated more often than viruses.db, but
> viruses.db is the bigger file.
>
> My system currently holds:
>
> viruses.db 1222321 bytes July 8 02:31
> viruses.db2 28222 bytes July 25 02:30

-rw-r--r-- 1 clamav clamav 1222321 Jul 18 15:22 viruses.db
-rw-r--r-- 1 clamav clamav 28222 Jul 25 02:00 viruses.db2

Looks ok.

> 1. Can your machine connect to anywhere on port 80? Do you have some
> firewalling in place perhaps?

Nope. Connectivity is ok. I suspect that the site is down. That part of the error message does not trouble me. It's the

ERROR: Can't write to file /usr/local/share/clamav/mirror

that causes headaches.

Regards,
JP

From m.sapsed at BANGOR.AC.UK Fri Jul 25 10:32:00 2003
From: m.sapsed at BANGOR.AC.UK (Martin Sapsed)
Date: Thu Jan 12 21:19:04 2006
Subject: more white/black list ?s
References: <001e01c3523d$b092cfc0$0f00010a@station>
Message-ID: <3F20F910.2060507@bangor.ac.uk>

Shawn wrote:
> Thanks for the help so far, this list has been great.
>
> I am looking at mailscanner white\black listing now. I want both global
> and user specific lists. My servers are just relays. So if I implement
> byemail white/black lists in MailScanner and then use
> spam.assassin.prefs.conf for globals this looks like it will do what I
> want. Is there a better way?
>
> Looks like I'll have to implement the breaking up of recipients also.

I guess it depends on what options you want to use when you find spam. Personally I think the simplest is to score it all, tag it at 2 levels (striphtml on the higher one) and then give the user tools to deal with it as they want. I guess if you want to look at bouncing or deleting or stuff like that then you may need to break things up...

Cheers,

Martin

--
Martin Sapsed
Information Services               "Who do you say I am?"
University of Wales, Bangor             Jesus of Nazareth

From ctrudeau at BELLSOUTH.NET Fri Jul 25 11:04:41 2003
From: ctrudeau at BELLSOUTH.NET (Chris Trudeau)
Date: Thu Jan 12 21:19:04 2006
Subject: Just sops processing
References: <001e01c3523d$b092cfc0$0f00010a@station> <3F20F910.2060507@bangor.ac.uk>
Message-ID: <00c401c35294$2a633cd0$23c8a8c0@SERV>

---Ok all,

My test mailscanner application continues to just die...for no reason...

All I see in the logs is postfix continue to spool messages into the postfix.in queue...and they sit there...I can't pinpoint a timeframe or sequence of events...but maillog indicates that MailScanner simply just stops processing mail...

I log into the test server and check processes with a "ps -ef | grep MailScanner" and the processes are all there, but there will be 20-50 messages sitting in queues....stopping and restarting is no good...I have to

killall MailScanner

WAIT for the defunct processes to die...

then run: check_MailScanner

Once this happens, it purges queues and runs fine for another "n" amount of time...

Running MailScanner-4.22-1 with SA, Razor and DCC...all works unbelievably well (I would compare the accuracy against any application available) BUT...it keeps bailing on me...ideas are welcome!

CT
Nazareth

From Q.G.Campbell at NEWCASTLE.AC.UK Fri Jul 25 11:46:35 2003
From: Q.G.Campbell at NEWCASTLE.AC.UK (Quentin Campbell)
Date: Thu Jan 12 21:19:04 2006
Subject: Mailscanner corrupting pdf files
Message-ID: <74BC2BBF06470148911E64E2B48FE139049938@pinewood.ncl.ac.uk>

> -----Original Message-----
> From: Martin Sapsed [mailto:m.sapsed@BANGOR.AC.UK]
> Sent: 25 July 2003 10:09
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: Mailscanner corrupting pdf files
>
>
> Plant, Dean wrote:
> > I have a little more time to look at this and you're correct about the
> > virus scanning not being at fault. I forgot to mention that the
> > Mailscanner adds a disclaimer, turning off the disclaimer stops the
> > corruption of the pdf.
> >
> > I found the below link which talks about a similar problem with
> > mimedefang / Exchange & MIME::Tools.
> >
> > http://lists.roaringpenguin.com/pipermail/mimedefang/2003-June/005988.html
> >
> > Does anyone know if this could happen within mailscanner?

That sounds more plausible. I don't quite know how the disclaimer is added but it is feasible that the process of doing that is causing the problem. Patching Exchange to behave properly (i.e. base64'ing PDF's) seems the most sensible route, although I realise that there is a lot of experience in adapting Unix programs to cater for the weirdness of Bill-ware! ;-)

Martin

I was about to post to the list about the PDF problem. We are running MS 4.22-5 with SA 2.55 and users are suffering some serious problems sending/receiving PDF files. The problem seems to have started with SA 4.22-5.

The problem is even apparent with a local sender who is using Pine on a Unix system. Zipping the PDF file appears to make no difference. It thus appears that it is within MS or one of the modules that is processing the PDF file that the problem occurs.

Quentin
---
PHONE: +44 191 222 8209    Computing Service, University of Newcastle
FAX:   +44 191 222 8765    Newcastle upon Tyne, United Kingdom, NE1 7RU.
------------------------------------------------------------------------
"Any opinion expressed above is mine. The University can get its own."

From dot at DOTAT.AT Fri Jul 25 14:53:06 2003
From: dot at DOTAT.AT (Tony Finch)
Date: Thu Jan 12 21:19:04 2006
Subject: Current Cambridge patchset [LONG]
Message-ID:

I've made a number of modifications to MailScanner in order to suit it better to our requirements at Cambridge. I think most of them are generally useful, so I'm posting them here for your interest (since Julian is still on holiday).

The changes are as follows (by file)...

EXAMPLES, README, Config.pm:

I've added a new kind of rule: a "soft" rule, which gives you a bit more flexibility in the behaviour you can get using rulesets. We want all incoming email to be scanned, except for certain domains which have opted out of our central scanning service because they want to run their own. This is fine, but what do you do if a message is sent to two addresses, one opted out, one not? We've decided to err on the side of safety, and scan. However rulesets are first-match-wins, so have to be ordered from the specific to the general, which means that it would err on the side of the opt-out. By making the opted-out rule soft, other addresses on the message can be tested against later rules to give us the behaviour we want.

I've added a special-case match for bounces (messages with an empty return path), equivalent to /^$/ but more readable.

Default rules are handled slightly differently: as before they match bounces, but * and *@* only match addresses which contain an @ which does not include bounces. Default rules must now be last in the ruleset, or be soft.

EximDiskStore.pm, PFDiskStore.pm, SMDiskStore.pm, ZMDiskStore.pm, SA.pm, Message.pm:

Instead of not scanning large messages, SpamAssassin scans only the first part of messages up to the Max SpamAssassin Size configuration.

SA.pm now tells Message.pm if it has not scanned the message for some reason, so that Message.pm can put the Unscanned Header Value in the Spam Header instead of leaving it blank if you are Always Including the SpamAssassin Report.
I've also changed the SpamAssassin report so that the required=N clause is not added if N is zero. This is because we don't filter spam centrally, and MailScanner's threshold in the Spam Header was confusing users because it had nothing to do with the threshold they had configured on their own filters.

I've added a Log Non Spam option so that the SpamAssassin results of every message can be logged.

I've also changed the From: header of messages carrying disinfected attachments to be the same as the from address of the original message, to encourage users to follow our policy of chasing up virus problems with the infected person rather than with us, and for better bounce and autoresponse behaviour.

ConfigDefs.pm MessageBatch.pm Exim.pm SweepContent.pm SweepOther.pm:

I've changed MessageBatch.pm to log the number of High Scoring messages as well as regular spam. This is for stats accumulation, especially if the Required SpamAssassin Score is zero. MessageBatch.pm also has a hand in ensuring that "Not Scanned" is put in the Spam Header if the message isn't scanned.

Log HTML Form Tags and Log Object Codebase Tags options, to go with the existing Log IFrame Tags option. I've changed these options to work even when the corresponding tags are permitted, so that you can gauge how much pain would be caused by disallowing them.

There's now a Log Message IDs option to make it easier to track what MailScanner has done to each message it handles. I've also changed a few existing log messages to include the message-ID. I think the coverage of this option is still a bit patchy; in particular the other MTA-specific modules need support.

Tony.
--
f.a.n.finch http://dotat.at/
SHANNON: WEST 5 OR 6 DECREASING 4. RAIN THEN SHOWERS. MODERATE OR POOR BECOMING GOOD.

--- etc/rules/EXAMPLES 25 Mar 2003 18:32:39 -0000 1.1.1.3 +++ etc/rules/EXAMPLES 24 Jul 2003 18:13:02 -0000 1.2 
@@ -55,5 +55,13 @@ To: @def.com postmaster@me.com bill@def.com FromOrTo: default postmaster@me.com +6. Virus scan all but a few domains; if a message is to more than one + domain, err on the side of scanning + + Set "Virus Scanning = /opt/MailScanner/etc/rules/virus.scanning.rules". + SoftTo: opt-out-1.com no + SoftTo: opt-out-2.com no + To: default yes + I will add more ideas as I think of them. All suggestions for clever tricks are most welcome! --- etc/rules/README 3 Mar 2003 04:34:23 -0000 1.1.1.3 +++ etc/rules/README 24 Jul 2003 18:13:02 -0000 1.2 @@ -31,6 +31,13 @@ This specifies the whether the rule should be matched against the sender's address (or IP address), or the recipient's address. + The direction can also include the word "soft". Usually the value + of a ruleset is the value of the first rule that matches. If the + rule is soft, then MailScanner continues to look for a rule that + matches one of the remaining addresses (excluding the one that + matched the soft rule). If only soft rules match, then the value + of the ruleset is the value of the last soft rule that matched. + 2. The pattern describes what messages should match this rule. Some examples are: user@sub.domain.com # Individual address @@ -45,8 +52,9 @@ # Perl regular expression /^192\.168\.1[4567]\./ # Any SMTP client IP address in the networks # 192.168.14 - 192.168.17 - *@* # Default value default # Default value + bounce # bounce messages + *@* # non-bounce messages You should be able to do just about anything with that. 3. The result value is what you could have put in the entry in the main --- lib/perl5/MailScanner/Config.pm 4 Jul 2003 18:08:27 -0000 1.1.1.7 +++ lib/perl5/MailScanner/Config.pm 24 Jul 2003 18:01:21 -0000 1.11 
@@ -62,7 +63,7 @@ my(%StaticScalars, %ScannerCmds, %SpamLists); my(%KeywordCategory, %FilenameRules, %FiletypeRules); my(%LanguageStrings); -my(%RuleScalars, %Defaults, $DefaultRegexp); +my(%RuleScalars, %Defaults); my(%CustomFunctions); my(%PercentVars); # For putting substituted variables in all settings @@ -74,10 +75,6 @@ %CustomFunctions = (); # These are names of user-written functions -# This is what the RuleToRegexp function produces when given -# either "*@*" or "default". -$DefaultRegexp = '^.*\@.*\.?$'; - # Need to read in a filename/ruleset whose value is the location of # filename.rules.conf files. Check every rule of every ruleset in # turn, stopping with the result of the first rule that matches. @@ -127,7 +124,8 @@ my($category, $rulelist, $rule); my($direction, $iporaddr, $regexp, $value); - my($to, %matches, @addresses, $misses); + my($to, %matches, $misses, $return); + my(%rcpts, $from, $clientip); $category = $KeywordCategory{$name}; $rulelist = $RuleScalars{$name}; @@ -142,6 +140,12 @@ # It's a first-match rule # + $from = $msg->{from}; + %rcpts = map { $_ => '' } @{$msg->{to}}; + $clientip = $msg->{clientip}; + + $return = $Defaults{$name}; + #print STDERR "$name first-match rule\n"; # If there is no ruleset either, then return the default 
@@ -155,26 +159,44 @@ # It's a text address-based rule if ($direction =~ /b/) { # Match against all the To addresses and the From address + # (not just the ones that are left after matching soft rules). $misses = 0; $misses++ unless $msg->{from} =~ /$regexp/i; foreach $to (@{$msg->{to}}) { $misses++,last unless $to =~ /$regexp/i; } - return $value if $misses == 0; + #return $value if $misses == 0; + if ($misses == 0) { + return $value unless $direction =~ /s/; + $return = $value; + undef $from; + %rcpts = (); + } } else { # Match against any of From and/or To addresses if ($direction =~ /f/) { # Match against the From address #print STDERR "From " . $msg->{from} . " against $regexp\n"; - return $value if $msg->{from} =~ /$regexp/i; + #return $value if $msg->{from} =~ /$regexp/i; + if (defined $from and $from =~ /$regexp/i) { + return $value unless $direction =~ /s/; + $return = $value; + undef $from; + } #print STDERR "Miss\n"; } if ($direction =~ /t/) { # Match against every To address - foreach $to (@{$msg->{to}}) { + #foreach $to (@{$msg->{to}}) { + foreach $to (keys %rcpts) { #print STDERR "To " . $to . " against $regexp\n"; #print STDERR "Resulting value would be $value\n"; - return $value if $to =~ /$regexp/i; + #return $value if $to =~ /$regexp/i; + if ($to =~ /$regexp/i) { + return $value unless $direction =~ /s/; + $return = $value; + delete $rcpts{$to}; + } #print STDERR "Miss\n"; } } 
@@ -185,20 +207,20 @@ if ($direction =~ /f/) { # Match against the SMTP Client IP address #print STDERR "Matching IP " . $msg->{clientip} . " against $regexp\n"; - return $value if $msg->{clientip} =~ /$regexp/; - } - if ($direction =~ /[tb]/) { - # Don't know the target IP address - MailScanner::Log::WarnLog("Config Error: Cannot match against " . - " destination IP address when resolving configuration option " . - " \"%s\"", $name); + #return $value if $msg->{clientip} =~ /$regexp/; + if (defined $clientip and $clientip =~ /$regexp/i) { + return $value unless $direction =~ /s/; + $return = $value; + undef $clientip; + } } } } # Nothing matched, so return the default value #print STDERR "Nothing matched, so returning default value: " . # $Defaults{$name} . "\n"; - return $Defaults{$name}; + #return $Defaults{$name}; + return $return; } else { @@ -1165,32 +1189,25 @@ return ('t',$rule); } - # If it is "default" or "*", then make it *@* - if ($rule eq 'default' || $rule eq '*') { - $rule = '*@*'; - } - # If it doesn't contain @ - if ($rule !~ /@/) { - if ($rule =~ /^\*/) { - # If it starts with *, then make it *@*.domain.com - $rule = '*@' . $rule; - } else { - # If it doesn't contain a *, then make it *@domain.com - $rule = '*@' . $rule; - } + if ($rule eq 'default') { + # match anything + $rule = '*'; + } elsif ($rule eq 'bounce') { + # bounces have an empty return path + $rule = ''; + } elsif ($rule !~ /\@/) { + # If it has no @ then match any local part in the domain + $rule = '*@' . $rule; } # Prepend * if leading @ $rule = '*' . $rule if $rule =~ /^\@/; # Append * if traiing @ $rule = $rule . '*' if $rule =~ /\@$/; - # Now it's got an @ sign and something both sides of it # Change . into \., @ into \@, * into .* $rule =~ s/\@/\\@/g; $rule =~ s/\./\\./g; $rule =~ s/\*/.*/g; - # and tack on the optional "." at the end - $rule .= '\.?'; # and tack on the start+end anchors $rule = '^' . $rule . '$'; ('t',$rule); 
@@ -1250,6 +1267,9 @@ # Syntax check and shorten fromto $fromto = ''; + # fanf: soft rules may be overriden by later rules that match a + # different address (i.e. one not matched by the soft rule) + $fromto = 's' if $direction =~ /soft/i; if ($direction =~ /and/i) { $fromto = 'b'; # b = both from AND to at the same time } else { @@ -1267,6 +1287,17 @@ # Pass it the keyword so it can set the default value if there is one. ($ruletype, $regexp) = RuleToRegexp($rule); + if ($fromto =~ /[tb]/ and lc $rule eq 'bounce') { + MailScanner::Log::WarnLog("Config Error: Bounces cannot match " . + "against destination addresses in line %d of ruleset %s", + $linecounter, $rulesfilename); + } + if ($fromto =~ /[tb]/ and $ruletype eq 'd') { + MailScanner::Log::WarnLog("Config Error: Cannot match against " . + "destination IP address in line %d of ruleset %s", + $linecounter, $rulesfilename); + } + # Syntax check the value #print STDERR "Config: $keyword has rule value " . $File{$keyword} . # " = " . $values{$value} . "\n"; @@ -1281,13 +1312,15 @@ if (defined $internalvalue || $rulesettype eq 'other') { # Update the default value if this is it #print STDERR "Ruleset: Is \"$regexp\" the default rule?\n"; - if ($regexp eq $DefaultRegexp) { + # fanf: this is now acheived by the user putting the default + # rule last or by making it soft + #if ($regexp eq $DefaultRegexp) { # Don't store it in the main ruleset as it will always match, # whereas we want it to be used only if nothing else matches. #print STDERR "Ruleset: Storing Defaults($keyword) = $internalvalue\n"; - $Defaults{$keyword} = $internalvalue; - next; - } + #$Defaults{$keyword} = $internalvalue; + #next; + #} # It is a valid value, so use it and store it my $record = join("\0", $fromto, $ruletype, $regexp, $internalvalue); push @{$RuleScalars{$keyword}}, $record; --- lib/perl5/MailScanner/EximDiskStore.pm 13 May 2003 17:32:25 -0000 1.1.1.5 +++ lib/perl5/MailScanner/EximDiskStore.pm 21 Jul 2003 18:05:01 -0000 1.14 
@@ -320,8 +321,8 @@ # Passed a ref to the array. sub ReadBody { my $this = shift; - my($body) = @_; - + my($body,$max) = @_; + my $size = 0; my $dh = $this->{indhandle}; seek($dh, 0, 0); # Rewind the file @@ -329,10 +330,11 @@ my $line = <$dh>; # FIXME: check that id is correct here - while(<$dh>) { + while(defined <$dh> and $size < $max) { # End of line characters are already there, so don't add them #push @{$body}, $_ . "\n"; push @{$body}, $_; + $size += length $_; } } --- lib/perl5/MailScanner/PFDiskStore.pm 4 Jul 2003 18:08:28 -0000 1.1.1.3 +++ lib/perl5/MailScanner/PFDiskStore.pm 21 Jul 2003 18:05:01 -0000 1.2 @@ -381,14 +382,16 @@ # Passed a ref to the array. sub ReadBody { my $this = shift; - my($body) = @_; + my($body,$max) = @_; + my $size = 0; my $b= Body->new( $this->{hdpath} ); if ($b) { $b->Start(); my $line; - while(defined($line = $b->Next())) { + while(defined($line = $b->Next()) and $size < $max) { push @{$body}, $line . "\n"; + $size += length $line + 1; } $b->Done(); } --- lib/perl5/MailScanner/SMDiskStore.pm 4 Jul 2003 18:08:28 -0000 1.1.1.7 +++ lib/perl5/MailScanner/SMDiskStore.pm 21 Jul 2003 18:05:01 -0000 1.14 @@ -285,15 +286,17 @@ # Passed a ref to the array. sub ReadBody { my $this = shift; - my($body) = @_; - my($dh) = $this->{indhandle}; + my($body,$max) = @_; + my $size = 0; + my $dh = $this->{indhandle}; seek($dh, 0, 0); # Rewind the file - while(<$dh>) { + while(defined <$dh> and $size < $max) { # End of line characters are already there, so don't add them #push @{$body}, $_ . "\n"; push @{$body}, $_; + $size += length $_; } } --- lib/perl5/MailScanner/ZMDiskStore.pm 4 Jul 2003 18:08:28 -0000 1.1.1.3 +++ lib/perl5/MailScanner/ZMDiskStore.pm 21 Jul 2003 18:05:01 -0000 1.2 
@@ -291,13 +292,15 @@ #REVISO LEOH sub ReadBody { my $this = shift; - my($body) = @_; + my($body,$max) = @_; + my $size = 0; my $b= Body->new( $this->{hdpath} ); $b->Start(); my $line; - while( $line= $b->Next() ) { + while(defined($line = $b->Next()) and $size < $max) { push @{$body}, $line; + $size += length $line; } $b->Done(); } --- lib/perl5/MailScanner/SA.pm 4 Jul 2003 18:08:28 -0000 1.1.1.9 +++ lib/perl5/MailScanner/SA.pm 21 Jul 2003 18:05:01 -0000 1.19 @@ -160,10 +161,7 @@ # Do the SpamAssassin checks on the passed in message sub Checks { my $message = shift; - - my($dfhandle); - my($dfilename, $dfile, $dsize, @WholeMessage, $SAResult, $SAHitList); - my($HighScoring, $SAScore); + my(@WholeMessage, $SAResult, $SAHitList, $HighScoring, $SAScore); # Bail out and fake a miss if too many consecutive SA checks failed my $maxfailures = MailScanner::Config::Value('maxspamassassintimeouts'); @@ -174,7 +172,7 @@ # attempts, then disable it completely. if ($maxfailures>0) { if ($safailures>=2*$maxfailures) { - return (0,0, + return (-1,0, sprintf(MailScanner::Config::LanguageValue($message,'sadisabled'), 2*$maxfailures), 0); } elsif ($safailures>$maxfailures) { 
@@ -195,9 +193,13 @@ # LEOH 26/03/2003 We do not always have dpath file, so we ask to # the store module the size # $dsize = (stat($message->{store}{dpath}))[7]; - $dsize = $message->{store}->dsize(); - return (0,0, MailScanner::Config::LanguageValue($message,'satoolarge'), 0) - if $dsize > MailScanner::Config::Value('maxspamassassinsize'); + #$dsize = $message->{store}->dsize(); + #$dmax = MailScanner::Config::Value('maxspamassassinsize'); + #return (-1,0, MailScanner::Config::LanguageValue($message,'satoolarge'), 0) + # if $dsize > MailScanner::Config::Value('maxspamassassinsize'); + #MailScanner::Log::InfoLog("Truncating large message %s for SpamAssassin", + # $message->{id}) + # if $dsize > $dmax and MailScanner::Config::Value('logspam'); # Construct the array of lines of the header and body of the message # JKF 30/1/2002 Don't chop off the line endings. Thanks to Andreas Piper @@ -208,10 +210,11 @@ #} @WholeMessage = $global::MS->{mta}->OriginalMsgHeaders($message, "\n"); #print STDERR "Headers are : " . join(', ', @WholeMessage) . "\n"; - return (0,0, MailScanner::Config::LanguageValue($message, 'sanoheaders'), 0) + return (-1,0, MailScanner::Config::LanguageValue($message, 'sanoheaders'), 0) unless @WholeMessage; push(@WholeMessage, "\n"); - $message->{store}->ReadBody(\@WholeMessage); + $message->{store}->ReadBody(\@WholeMessage, + MailScanner::Config::Value('maxspamassassinsize')); #print STDERR "Whole message is this:\n"; #print STDERR "----------------------\n"; 
@@ -319,9 +322,9 @@ # Construct the hit-list including the score we got. $SAReqHits = MailScanner::Config::Value('reqspamassassinscore',$Message)+0.0; $SAHitList = MailScanner::Config::LanguageValue($Message, 'score') . '=' . - ($SAHits+0.0) . ', ' . + ($SAHits+0.0) . ($SAReqHits ? ', ' . MailScanner::Config::LanguageValue($Message, 'required') .' ' . - $SAReqHits . ($SAHitList?", $SAHitList":''); + $SAReqHits : '') . ($SAHitList?", $SAHitList":''); # Note to self: I only close the KID in the parent, not in the child. --- lib/perl5/MailScanner/Message.pm 4 Jul 2003 18:08:28 -0000 1.1.1.7 +++ lib/perl5/MailScanner/Message.pm 8 Jul 2003 16:49:49 -0000 1.17 @@ -81,7 +82,7 @@ # $isrblspam set by IsSpam # $ishigh set by IsSpam # $sascore set by IsSpam -# $spamreport set by IsSpam +# $spamreport set by MessageBatch::SpamChecks and IsSpam # $deleted set by delivery functions # $headerspath set by WriterHeaderFile # file is read-only # $cantparse set by Explode @@ -257,6 +258,7 @@ my $RBLsaysspam = 0; my $rblcounter = 0; my $LogSpam = MailScanner::Config::Value('logspam'); + my $LogNonSpam = MailScanner::Config::Value('lognonspam'); my $LocalSpamText = MailScanner::Config::LanguageValue($this, 'spam'); # Construct a pretty list of all the unique domain names for logging @@ -269,12 +271,11 @@ # $spamwhitelisted set by IsSpam # $isspam set by IsSpam # $ishigh set by IsSpam - # $spamreport set by IsSpam + # $spamreport set by MessageBatch::SpamChecks and updated here $this->{spamwhitelisted} = 0; $this->{isspam} = 0; $this->{ishigh} = 0; - $this->{spamreport} = ""; $this->{sascore} = 0; ## If it's a blacklisted address, don't bother doing any checks at all 
@@ -366,10 +367,17 @@ my $SAHighScoring = 0; my $saheader = ""; my $sascore = 0; + my $scanned = 1; ($SAsaysspam, $SAHighScoring, $saheader, $sascore) = MailScanner::SA::Checks($this); $this->{sascore} = $sascore; # Save the actual figure for use later... + # not scanned after all? + if ($SAsaysspam < 0) { + $scanned = 0; + $SAsaysspam = 0; + } + # Fix the return values $SAsaysspam = 0 unless $saheader; # Solve bug with empty SAreports $saheader =~ s/\s+$//g if $saheader; # Solve bug with trailing space @@ -385,8 +393,11 @@ $this->{issaspam} = $SAsaysspam; } - # If it's spam... - if ($this->{isspam}) { + # it didn't scan the message after all? + if (not $scanned) { + $spamheader = MailScanner::Config::Value('unscannedheader', $this) + . ", $saheader"; + } elsif ($this->{isspam}) { #print STDERR "It is spam\nInclude SA = $includesaheader\n"; #print STDERR "SAHeader = $saheader\n"; $spamheader = $rblspamheader; @@ -421,7 +432,7 @@ } # Do the spam logging here so we can log high-scoring spam too - if ($LogSpam && $this->{isspam}) { + if (($LogSpam && $this->{isspam}) || $LogNonSpam) { my $ReportText = $spamheader; $ReportText =~ s/\s+/ /sg; MailScanner::Log::InfoLog("Message %s from %s (%s) to %s is %s", @@ -2098,7 +2109,7 @@ # Create the top-level MIME entity, just the headers $top = MIME::Entity->build(Type => 'multipart/mixed', - From => "MailScanner <$localpostmaster>", + From => $from, To => $to, Subject => $newsubject, 'X-Mailer' => 'MailScanner', --- lib/perl5/MailScanner/ConfigDefs.pl 4 Jul 2003 18:08:27 -0000 1.1.1.7 +++ lib/perl5/MailScanner/ConfigDefs.pl 10 Jul 2003 15:00:41 -0000 1.12 @@ -85,6 +86,8 @@ lastlookup = alwayslookeduplast listsascores = includescoresinspamassassinreport logfacility = syslogfacility +logformtags = loghtmlformtags +logobjecttags = logobjectcodebasetags maxdirtybytes = maxunsafebytesperscan maxdirtymessages = maxunsafemessagesperscan maxmessagesize = maximummessagesize 
@@ -140,6 +143,8 @@ debugspamassassin 0 no 0 yes 1 deliverinbackground 1 no 0 yes 1 logspam 1 no 0 yes 1 +lognonspam 0 no 0 yes 1 +logmessageids 0 no 0 yes 1 expandtnef 1 no 0 yes 1 showscanner 0 no 0 yes 1 spamassassinautowhitelist 1 no 0 yes 1 @@ -223,6 +228,8 @@ ListSAScores 0 no 0 yes 1 #LoadSpamAssassin 0 no 0 yes 1 LogIFrameTags 0 no 0 yes 1 +LogFormTags 0 no 0 yes 1 +LogObjectTags 0 no 0 yes 1 LogPermittedFilenames 0 no 0 yes 1 LogPermittedFiletypes 0 no 0 yes 1 MultipleHeaders append append append replace replace add add --- lib/perl5/MailScanner/MessageBatch.pm 4 Jul 2003 18:08:28 -0000 1.1.1.6 +++ lib/perl5/MailScanner/MessageBatch.pm 22 Jul 2003 09:45:04 -0000 1.11 @@ -140,6 +141,7 @@ my($id, $message); my $counter = 0; + my $highcount = 0; #print STDERR "Starting spam checks\n"; @@ -148,10 +150,16 @@ while(($id, $message) = each %{$this->{messages}}) { next if $message->{deleted}; + + # set default value in case we always add a spam report header + $message->{spamreport} = + MailScanner::Config::Value('unscannedheader', $this); + next unless MailScanner::Config::Value('spamchecks', $message); #print STDERR "Spam checks for $id\n"; $counter += $message->IsSpam(); + $highcount += $message->{ishigh}; if (!MailScanner::Config::Value('spamdetail', $message)) { $message->{spamreport} = MailScanner::Config::LanguageValue($message, @@ -161,6 +169,8 @@ } MailScanner::Log::InfoLog("Spam Checks: Found $counter spam messages") if $counter>0; + MailScanner::Log::InfoLog("Spam Checks: Found $highcount high-scoring spam messages") + if $highcount>0; #print STDERR "$counter messages were spam\n"; } 
@@ -231,9 +241,13 @@ # or the HTML stripping. if ($message->{bodymodified}) { $message->DeliverModifiedBody('unscannedheader'); + MailScanner::Log::InfoLog("Delivered modified message $id") + if MailScanner::Config::Value('logmessageids'); } else { $OutQ = MailScanner::Config::Value('outqueuedir', $message); $message->DeliverUnscanned($OutQ); + MailScanner::Log::InfoLog("Delivered unscanned message $id") + if MailScanner::Config::Value('logmessageids'); } $message->{deleted} = 1; # This marks it for purging from disk push @messages, $message; @@ -274,12 +288,12 @@ MailScanner::Log::InfoLog("Virus Scanning: Found %d viruses", $viruses+0) if defined $viruses && $viruses>0; - #MailScanner::Log::InfoLog("Other Checks: Starting"); + MailScanner::Log::InfoLog("Other Checks: Starting"); my $others = MailScanner::SweepOther::ScanBatch($this, 'scan'); MailScanner::Log::InfoLog("Other Checks: Found %d problems", $others+0) if defined $others && $others>0; - #MailScanner::Log::InfoLog("Content Checks: Starting"); + MailScanner::Log::InfoLog("Content Checks: Starting"); my $content = MailScanner::SweepContent::ScanBatch($this, 'scan'); MailScanner::Log::InfoLog("Content Checks: Found %d problems", $content+0) if defined $content && $content>0; @@ -465,6 +479,8 @@ next if $message->{infected}; #print STDERR "Delivering uninfected message $id\n"; $message->DeliverUninfected(); + MailScanner::Log::InfoLog("Delivered uninfected message $id") + if MailScanner::Config::Value('logmessageids'); $message->{deleted} = 1; push @messages, $message; } 
@@ -531,6 +547,11 @@ $message->DeliverCleaned(); #print STDERR "Deleting silent-infected message " . $message->{id} . "\n"; push @messages, $message; + MailScanner::Log::InfoLog("Delivering message $id with silent virus") + if MailScanner::Config::Value('logmessageids'); + } else { + MailScanner::Log::InfoLog("DISCARDED message $id with silent virus") + if MailScanner::Config::Value('logmessageids'); } $message->{deleted} = 1; $message->{stillwarn} = 1; --- lib/perl5/MailScanner/Exim.pm 4 Jul 2003 18:08:28 -0000 1.1.1.8 +++ lib/perl5/MailScanner/Exim.pm 8 Jul 2003 16:25:12 -0000 1.20 @@ -1320,6 +1321,8 @@ $HitLimit4 = 1 if $DirtyBytes>=$MaxDirtyB; $newmessage->WriteHeaderFile(); # Write the file of headers + MailScanner::Log::InfoLog("New Message: $id to be scanned") + if MailScanner::Config::Value('logmessageids'); } else { $newmessage->NeedsScanning(0); $CleanMsgs++; @@ -1329,6 +1332,8 @@ $HitLimit2 = 1 if $CleanBytes>=$MaxCleanB; $newmessage->WriteHeaderFile(); # Write the file of headers + MailScanner::Log::InfoLog("New Message: $id to be forwarded") + if MailScanner::Config::Value('logmessageids'); } } --- lib/perl5/MailScanner/SweepContent.pm 4 Jul 2003 18:08:28 -0000 1.1.1.4 +++ lib/perl5/MailScanner/SweepContent.pm 22 Jul 2003 13:56:28 -0000 1.7 @@ -75,7 +76,7 @@ # Can play with the MIME headers of a message using $mime. my($id,$message,$ent,$partialcount,$allowiframes,$allowobjects,$allowforms); - my($stripdangerous, $counter, $stripcounter); + my($logiframes,$logobjects,$logforms,$stripdangerous,$counter,$stripcounter); $counter = 0; $stripcounter = 0; # No. of messages we need to strip HTML from @@ -114,7 +115,7 @@ } # Search for Microsoft-specific attacks - # Disallow both by default. Allow them only if all addresses agree. + # Disallow by default. Allow them only if all addresses agree. $allowiframes = 0; $allowobjects = 0; $allowforms = 0; 
@@ -124,10 +125,15 @@ if MailScanner::Config::Value('allowobjecttags', $message) =~ /^[1\s]+$/; $allowforms = 1 if MailScanner::Config::Value('allowformtags', $message) =~ /^[1\s]+$/; + # Log if any address requires that. + $logiframes = MailScanner::Config::Value('logiframetags', $message); + $logobjects = MailScanner::Config::Value('logobjecttags', $message); + $logforms = MailScanner::Config::Value('logformtags', $message); $stripdangerous = MailScanner::Config::Value('stripdangeroustags',$message); # Shortcut the check completely if they want to allow everything - # and are not converting nasty tags to text - if (!($allowiframes && $allowforms && $allowobjects && !$stripdangerous) && + # and are not converting nasty tags to text or logging + if (!($allowiframes && $allowforms && $allowobjects && !$stripdangerous + && !$logiframes && !$logobjects && !$logforms) && FindHTMLExploits($message, $id, $ent, $allowiframes, $allowobjects, $allowforms, $stripdangerous)) { $counter++; @@ -356,10 +362,10 @@ } } if ($formfound) { - ## Log the
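Review bot: In the two ReadBody variants that read from `$this->{indhandle}` (the hunk at -329,10 and SMDiskStore.pm at -285,15), `while(defined <$dh> and $size < $max)` no longer assigns the line to `$_`. Perl only makes the implicit `$_` assignment when the readline is the entire while condition, so each line is read and discarded, and `push @{$body}, $_` and `length $_` work on whatever `$_` held before the loop. Read into a lexical instead, for example `while($size < $max and defined(my $line = <$dh>))`, and push `$line`; testing the size first also avoids consuming one extra line at the cutoff.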
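Review bot: In the PFDiskStore.pm (-381,14) and ZMDiskStore.pm (-291,13) ReadBody hunks, and equally in the other two variants, `my($body,$max) = @_;` gives `$max` no default. A caller that still passes only the array ref gets `$max` undefined, `$size < $max` is false on the first test, and the body comes back empty. Treat an undefined or zero `$max` as "no limit", or state in the "Passed a ref to the array" comment that the second argument is mandatory. The size accounting also differs between the two: PFDiskStore counts `length $line + 1` for the newline it appends, ZMDiskStore counts `length $line` and appends nothing, which deserves a comment saying it is intended.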
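Review bot: The `return (-1,0, ...)` changes in SA.pm `Checks` (the sadisabled path at -174,7 and the sanoheaders path at -208,10) turn the first return value, which Message.pm receives as `$SAsaysspam`, into a three-state value where -1 means "not scanned", and nothing above `sub Checks` documents that. Message.pm is patched to test `$SAsaysspam < 0`, but any other caller that tests the value for truth will read -1 as spam. Document the return convention in the comment above the sub, or return the scanned state as a separate list element.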
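Review bot: The -195,9 hunk in SA.pm disables the satoolarge size check by commenting it out, and the replacement "Truncating large message" log call is commented out as well, so a message larger than maxspamassassinsize is now cut short by ReadBody with no trace in the log. Anything past the limit is never shown to SpamAssassin, which is worth one InfoLog line per truncated message. Delete the dead lines rather than keeping them as comments: as written they use `$dsize`, whose declaration was removed in the -160,10 hunk, and `$dmax`, which is not declared anywhere in the visible code.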
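Review bot: In the -385,8 hunk of Message.pm the new `if (not $scanned)` branch is tested before `elsif ($this->{isspam})`, so a message already marked as spam by the RBL checks loses its `$rblspamheader` report whenever SpamAssassin bailed out, and is given the unscanned header instead. Test `$this->{isspam}` first, or append the unscanned text to the existing header rather than replacing it.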
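Review bot: The -2098,7 hunk in Message.pm replaces the fixed `From => "MailScanner <$localpostmaster>"` with `From => $from`, but no assignment to `$from` appears in the hunk or its context. Include the line that sets it in the patch, and say whether it can ever be empty or taken from the scanned message, since it becomes the From header of a message MailScanner builds itself.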
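Review bot: In the -148,10 hunk of MessageBatch.pm the default report is fetched with `MailScanner::Config::Value('unscannedheader', $this)`, where `$this` is the batch, while every other lookup in the same loop passes `$message`. If the setting is meant to be resolved per message like its neighbours, pass `$message`. A short comment should also explain why the default is assigned before the `spamchecks` test, now that Message.pm no longer resets `$this->{spamreport}` to the empty string.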
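Review bot: The new logmessageids calls in MessageBatch.pm (-231,9, -465,6, -531,6) and Exim.pm (-1320,6, -1329,6) interpolate `$id` into the first argument of InfoLog, for example `InfoLog("Delivered unscanned message $id")`, while the neighbouring calls pass a printf-style format with separate arguments (`"Virus Scanning: Found %d viruses", $viruses+0`). Pass the id as an argument, `InfoLog("Delivered unscanned message %s", $id)`, so that a `%` in an id can never be read as a format directive. In the -531,6 hunk also confirm that `$id` is the right variable, since the surrounding code refers to `$message->{id}`.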
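Review bot: In the -124,10 hunk of SweepContent.pm the three log settings are used as plain booleans (`!$logiframes` and so on), whereas the allow settings just above are matched with `=~ /^[1\s]+$/`, which implies Config::Value returns one value per recipient in a single string. If the log settings come back in the same form, a value such as "0 0" is true in Perl and the shortcut is never taken. Matching for a 1, e.g. `=~ /1/`, would fit the "Log if any address requires that" comment. The new flags are not passed to FindHTMLExploits in this hunk, so confirm that it looks them up itself.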