From craig at STRONG-BOX.NET Sat Mar 1 00:23:36 2003
From: craig at STRONG-BOX.NET (Craig Pratt)
Date: Thu Jan 12 21:17:20 2006
Subject: Problems with two different MIME attachment types
Message-ID: <0AE825F4-4B7C-11D7-882D-000393B9390A@strong-box.net>

Hi all,

Thanks for the great software and community support!

I recently upgraded to MS 4.12-2 (via RH RPM), and updated the
dependent Perl mods. After installation, I tested the new version
against the e-mail virus scanning script in Nessus.

Out of the 5 test messages, 3 were tagged by MS as viruses (by the
filename rules), and 2 got through to my mail client - even when both
the filename rules and RAV antivirus should have tagged the "eicar.com"
test attachment.

Could I get a couple volunteers to verify? You'll just receive 5 test
e-mails generated by the NASL script, each with a 68-byte EICAR test
file ("eicar.com") attached in different forms.

I'll post details in a follow-up, if the problem repros.

If you're interested in the hacked NASL script - which allows you to
run this test stand-alone using the nasl command line - let me know and
I'll forward it along.

Thanks,

Craig Pratt
craig@strong-box.net

--
This message checked for dangerous content by MailScanner on StrongBox.

From mailscanner at ecs.soton.ac.uk Sat Mar 1 11:41:33 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:21 2006
Subject: Problems with two different MIME attachment types
In-Reply-To: <0AE825F4-4B7C-11D7-882D-000393B9390A@strong-box.net>
Message-ID: <5.2.0.9.2.20030301113941.03050d50@imap.ecs.soton.ac.uk>

Just to let everyone know, he has sent the test messages to me and I'm
going to try to work out what they have done to get these through.
Worth noting that so far (fingers crossed) no exploits have been written
that do this trick, and MailScanner is certainly not the only one to
suffer from this. I will get it corrected as soon as I can.
At 00:23 01/03/2003, you wrote:
>Hi all,
>
>Thanks for the great software and community support!
>
>I recently upgraded to MS 4.12-2 (via RH RPM), and updated the
>dependent Perl mods. After installation, I tested the new version
>against the e-mail virus scanning script in Nessus.
>
>Out of the 5 test messages, 3 were tagged by MS as viruses (by the
>filename rules), and 2 got through to my mail client - even when both
>the filename rules and RAV antivirus should have tagged the "eicar.com"
>test attachment.
>
>Could I get a couple volunteers to verify? You'll just receive 5 test
>e-mails generated by the NASL script, each with a 68-byte EICAR test
>file ("eicar.com") attached in different forms.
>
>I'll post details in a follow-up, if the problem repros.
>
>If you're interested in the hacked NASL script - which allows you to
>run this test stand-alone using the nasl command line - let me know and
>I'll forward it along.
>
>Thanks,
>
>Craig Pratt
>craig@strong-box.net
>
>
>--
>This message checked for dangerous content by MailScanner on StrongBox.

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Sat Mar 1 12:12:13 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:21 2006
Subject: ANNOUNCE: Version 4.13-1 released
Message-ID: <5.2.0.9.2.20030301115845.030b1f50@imap.ecs.soton.ac.uk>

Hi folks!

I have just released the latest version 4.13-1.

Highlights this month include
- Script to automate upgrade of MailScanner.conf files
- Option to ignore some Sophos error messages when scanning files
- Option and Custom Function added to enable SQL logging
- Options to block encrypted (or unencrypted) messages
- Customisation of system administrator notices improved
- Improved check_mailscanner script
- Improved stripping of HTML to plain text
- New Nod32 and Kaspersky updaters. F-Prot updater improved

Download it all as usual from www.mailscanner.info.
The full ChangeLog is this:

* New Features and Improvements *
- Written script to automate upgrade of MailScanner.conf files.
- Added "Notices From" configuration option to change the user-visible part of the "From" address in the system administrator notices.
- Added "Allowed Sophos Error Messages" configuration option to ignore messages containing error messages from Sophos Anti-Virus.
- Added "Always Looked Up Last" configuration option for use with a Custom Function that does things at the end of message-processing such as logging extra information to a file and/or an SQL database.
- Added "Block Encrypted Messages" configuration option for use with a ruleset to ensure your employees are not covertly talking to your competitors.
- Added "Block Unencrypted Messages" configuration option for use with a ruleset to ensure that all sensitive mail is always encrypted.
- Improvements to check_mailscanner for most OS's except Linux.
- Improved check_MailScanner script to have "-q" (quiet) option, and changed cron job to use it rather than always ignore all output.
- Added check to ensure user's home directory exists and is writable to protect against SpamAssassin startup failing quietly.
- Improved stripping HTML to plain-text to ensure links have a whitespace immediately after them to ease the job of email clients.
- Improved RPM to detect upgrades and inform users about upgrade_MailScanner_conf script.
- Improved F-Prot autoupdater to not block MailScanner if first contact to update server locks up.
- Added Nod32 autoupdater.
- Added Kaspersky autoupdater with workaround for their script bugs.
- Increased "Minimum Code Status" for various scanners.
- Improved rulesets to allow optional '.' on the end of addresses.
- Per-domain/per-user spam black+white listing Custom Functions now support IP addresses as well as email addresses and email domains.
- Improved docs and rules EXAMPLES a bit after suggestions from users.
- Upgraded external TNEF decoder program to latest version 1.1.4.
- Added logging of child processes dying of old age.

* Fixes *
- Fix to permissions and not over-writing /etc/sysconfig/MailScanner when upgrading MailScanner RPM.
- Fix to "nodeps" switch in install.sh.
- Fix to sophos-autoupdate to use "warning" syslog priority, not "warn".
- Fixed filename checking of attachments within winmail.dat TNEF files.
- Changed RAV support to ravav instead of ravlin8 to circumvent GTK+.
- Fixed RAV support as it appears to dislike having no stdin.
- Improved configuration file reader to allow upper+lower case values.
- Fixed "$file" instead of "$filename" errors in Danish reports.

Any problems, give me a shout as usual :-)

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From raymond at PROLOCATION.NET Sat Mar 1 12:49:40 2003
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:17:21 2006
Subject: ANNOUNCE: Version 4.13-1 released
In-Reply-To: <5.2.0.9.2.20030301115845.030b1f50@imap.ecs.soton.ac.uk>
Message-ID:

Hi Julian,

I found some mistakes in the NL language files:

unencrypted = Message was not encrypted

Should be:

unencrypted = Bericht was niet encrypted

And:

encrypted = Message was encrypted

Should be:

encrypted = Bericht was encrypted

Bye,
Raymond.

From raymond at PROLOCATION.NET Sat Mar 1 13:04:26 2003
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:17:21 2006
Subject: ANNOUNCE: Version 4.13-1 released
In-Reply-To: <5.2.0.9.2.20030301115845.030b1f50@imap.ecs.soton.ac.uk>
Message-ID:

Hi!

> - Improved check_mailscanner script

Uhm:

[root@master cron.hourly]# ./check_MailScanner
MailScanner running with pid 14922 14923 14939 14943 14953 14960

It's nice it reports now the pids, but I get a message hourly after
upgrading from cron, I only would like to have output when it's NOT running
ok. :) I don't want to have a mail hourly like this, was ok before :)

Bye,
Raymond.
From raymond at PROLOCATION.NET Sat Mar 1 13:06:03 2003
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:17:21 2006
Subject: ANNOUNCE: Version 4.13-1 released
In-Reply-To:
Message-ID:

Hi!

> [root@master cron.hourly]# ./check_MailScanner
> MailScanner running with pid 14922 14923 14939 14943 14953 14960

I guess you forgot to remove the # in the distribution files...

/usr/sbin/check_MailScanner -q # >/dev/null 2>&1

Should be:

/usr/sbin/check_MailScanner -q >/dev/null 2>&1

Bye,
Raymond

From mailscanner at ecs.soton.ac.uk Sat Mar 1 13:14:58 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:21 2006
Subject: ANNOUNCE: Version 4.13-1 released
In-Reply-To:
References:
Message-ID: <5.2.0.9.2.20030301131431.02224808@imap.ecs.soton.ac.uk>

At 13:06 01/03/2003, you wrote:
>Hi!
>
> > [root@master cron.hourly]# ./check_MailScanner
> > MailScanner running with pid 14922 14923 14939 14943 14953 14960
>
>I guess you forgot to remove the # in the distribution files...
>
>/usr/sbin/check_MailScanner -q # >/dev/null 2>&1
>
>Should be:
>
>/usr/sbin/check_MailScanner -q >/dev/null 2>&1

The -q should stop it outputting the list of pids.

>Bye,
>Raymond

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Sat Mar 1 13:14:04 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:21 2006
Subject: ANNOUNCE: Version 4.13-1 released
In-Reply-To:
References: <5.2.0.9.2.20030301115845.030b1f50@imap.ecs.soton.ac.uk>
Message-ID: <5.2.0.9.2.20030301131308.021ece60@imap.ecs.soton.ac.uk>

At 13:04 01/03/2003, you wrote:
>Hi!
>
> > - Improved check_mailscanner script
>
>Uhm:
>
>[root@master cron.hourly]# ./check_MailScanner
>MailScanner running with pid 14922 14923 14939 14943 14953 14960

Run check_mailscanner -q

>It's nice it reports now the pids, but I get a message hourly after
>upgrading from cron, I only would like to have output when it's NOT running
>ok. :) I don't want to have a mail hourly like this, was ok before :)

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From raymond at PROLOCATION.NET Sat Mar 1 13:38:09 2003
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:17:21 2006
Subject: ANNOUNCE: Version 4.13-1 released
In-Reply-To: <5.2.0.9.2.20030301131431.02224808@imap.ecs.soton.ac.uk>
Message-ID:

Hi!

> >I guess you forgot to remove the # in the distribution files...
> >/usr/sbin/check_MailScanner -q # >/dev/null 2>&1
> >Should be:
> >/usr/sbin/check_MailScanner -q >/dev/null 2>&1
>
> The -q should stop it outputting the list of pids.

It should, but it doesn't :)

[root@master cron.hourly]# /usr/sbin/check_MailScanner -q
MailScanner running with pid 17601 17606 17631 17651 17652 17653

Bye,
Raymond.

From mailscanner at ecs.soton.ac.uk Sat Mar 1 13:51:54 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:21 2006
Subject: ANNOUNCE: Version 4.13-1 released
In-Reply-To:
References: <5.2.0.9.2.20030301131431.02224808@imap.ecs.soton.ac.uk>
Message-ID: <5.2.0.9.2.20030301134923.02222910@imap.ecs.soton.ac.uk>

At 13:38 01/03/2003, you wrote:
>Hi!
>
> > >I guess you forgot to remove the # in the distribution files...
> > >/usr/sbin/check_MailScanner -q # >/dev/null 2>&1
> > >Should be:
> > >/usr/sbin/check_MailScanner -q >/dev/null 2>&1
> >
> > The -q should stop it outputting the list of pids.
>
>It should, but it doesn't :)

Try 4.13-2, sorry about that. To save you upgrading, I have attached the
script to this message.
>[root@master cron.hourly]# /usr/sbin/check_MailScanner -q
>MailScanner running with pid 17601 17606 17631 17651 17652 17653
>
>Bye,
>Raymond.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: check_MailScanner
Type: application/octet-stream
Size: 3453 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030301/ef2dbb77/check_MailScanner.obj
-------------- next part --------------

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From raymond at PROLOCATION.NET Sat Mar 1 14:09:02 2003
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:17:21 2006
Subject: ANNOUNCE: Version 4.13-1 released
In-Reply-To: <5.2.0.9.2.20030301134923.02222910@imap.ecs.soton.ac.uk>
Message-ID:

Julian,

> >It should, but it doesn't :)
>
> Try 4.13-2, sorry about that. To save you upgrading, I have attached the
> script to this message.

[root@master cron.hourly]# ./check_MailScanner
Starting MailScanner...
/usr/sbin/check_MailScanner: cd: /opt/MailScanner/bin: No such file or directory
/usr/sbin/check_MailScanner: MailScanner: command not found

It's having paths that don't match my (default) config paths.

I noticed the nl language was already updated in the -2, thanx for quick
adding, the check script however needs some work :)

Default for the configs should point to /etc/MailScanner in the RPM ones.
Both lines are pointing to files in /opt

Let's go for the 4.13-3 :))

Thanks,
Raymond.

From gerry at DORFAM.CA Sat Mar 1 14:16:09 2003
From: gerry at DORFAM.CA (Gerry Doris)
Date: Thu Jan 12 21:17:21 2006
Subject: Support Question
Message-ID:

After going back and reading your messages I believe I may have
misinterpreted how you intend to setup your pay for support mailing list.

I had originally thought you intended to eliminate this free mailing list
and only provide the pay for support mailing list.
In actual fact you
intend to keep this list and add the pay for support list...correct?

--
Gerry

"The lyfe so short, the craft so long to learne" Chaucer

From mike at ZANKER.ORG Sat Mar 1 14:27:52 2003
From: mike at ZANKER.ORG (Mike Zanker)
Date: Thu Jan 12 21:17:21 2006
Subject: ANNOUNCE: Version 4.13-1 released
In-Reply-To:
References:
Message-ID: <451930531.1046528872@jemima.zanker.org>

On 01 March 2003 14:38 +0100 Raymond Dijkxhoorn wrote:

> [root@master cron.hourly]# /usr/sbin/check_MailScanner -q
> MailScanner running with pid 17601 17606 17631 17651 17652 17653

Yes, I noticed that too. Also, /etc/cron.hourly/check_MailScanner is
not even the same as /usr/sbin/check_MailScanner.

Confused,

Mike.

From raymond at PROLOCATION.NET Sat Mar 1 14:32:58 2003
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:17:21 2006
Subject: ANNOUNCE: Version 4.13-1 released
In-Reply-To: <451930531.1046528872@jemima.zanker.org>
Message-ID:

Hi Mike,

> > MailScanner running with pid 17601 17606 17631 17651 17652 17653
> Yes, I noticed that too. Also, /etc/cron.hourly/check_MailScanner is
> not even the same as /usr/sbin/check_MailScanner.

The script in cron.hourly is simply pointing towards the scripts in
/usr/sbin. That's normal. I installed -2 but that one is not ok either,
the script has hardcoded paths inside that should be changed for the rpm
install at least.

Change this:

msbindir=/usr/sbin
config=/etc/MailScanner/MailScanner.conf

And it should work like advertised, the the 4.13-2 installed.

I guess Julian will announce a 4.13-3 shortly :)

Bye,
Raymond.

From marco at MUW.EDU Sat Mar 1 14:43:43 2003
From: marco at MUW.EDU (Marco Obaid)
Date: Thu Jan 12 21:17:21 2006
Subject: ANNOUNCE: Version 4.13-1 released
In-Reply-To:
References:
Message-ID: <1046529823.3e60c71f1c4da@webmail.MUW.Edu>

> [root@master cron.hourly]# ./check_MailScanner
> Starting MailScanner...
> /usr/sbin/check_MailScanner: cd: /opt/MailScanner/bin: No such file or
> directory
> /usr/sbin/check_MailScanner: MailScanner: command not found

I ran into the same thing. I think it is an error in check_mailscanner.
I edited /usr/sbin/check_mailscanner to this:

process=Mailscanner
msbindir=/usr/sbin
config=/etc/MailScanner/MailScanner.conf

Now things are working for me with 4.13-2

Marco

_________________________________________________________________
This mail is sent through MUW Webmail: http://www.MUW.Edu/webmail
For the latest MUW Events, visit http://www.MUW.Edu/calendar

From mike at ZANKER.ORG Sat Mar 1 14:38:38 2003
From: mike at ZANKER.ORG (Mike Zanker)
Date: Thu Jan 12 21:17:21 2006
Subject: ANNOUNCE: Version 4.13-1 released
In-Reply-To:
References:
Message-ID: <452576890.1046529518@jemima.zanker.org>

On 01 March 2003 15:32 +0100 Raymond Dijkxhoorn wrote:

> The script in cron.hourly is simply pointing towards the scripts in
> /usr/sbin.

D'oh - I noticed that almost as soon as I posted!

> Change this:
>
> msbindir=/usr/sbin
> config=/etc/MailScanner/MailScanner.conf
>
> And it should work like advertised, the the 4.13-2 installed.

Yes, already done that thanks...

Mike.

From mailscanner at ecs.soton.ac.uk Sat Mar 1 14:43:20 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:21 2006
Subject: ANNOUNCE: Version 4.13-1 released
In-Reply-To: <1046529823.3e60c71f1c4da@webmail.MUW.Edu>
References:
Message-ID: <5.2.0.9.2.20030301144202.024fdec0@imap.ecs.soton.ac.uk>

Sorry for the packaging problem. I have just done a clean installation of
4.13-3 and it appears to work now.

At 14:43 01/03/2003, you wrote:
> > [root@master cron.hourly]# ./check_MailScanner
> > Starting MailScanner...
> > /usr/sbin/check_MailScanner: cd: /opt/MailScanner/bin: No such file or
> > directory
> > /usr/sbin/check_MailScanner: MailScanner: command not found
>
>I ran into the same thing. I think it is an error in check_mailscanner.
>I edited /usr/sbin/check_mailscanner to this:
>
>process=Mailscanner
>msbindir=/usr/sbin
>config=/etc/MailScanner/MailScanner.conf
>
>Now things are working for me with 4.13-2
>
>Marco
>
>
>_________________________________________________________________
>This mail is sent through MUW Webmail: http://www.MUW.Edu/webmail
>For the latest MUW Events, visit http://www.MUW.Edu/calendar

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Sat Mar 1 14:47:14 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:21 2006
Subject: Support Question
In-Reply-To:
Message-ID: <5.2.0.9.2.20030301144342.0253ceb8@imap.ecs.soton.ac.uk>

At 14:16 01/03/2003, you wrote:
>After going back and reading your messages I believe I may have
>misinterpreted how you intend to setup your pay for support mailing list.
>
>I had originally thought you intended to eliminate this free mailing list
>and only provide the pay for support mailing list. In actual fact you
>intend to keep this list and add the pay for support list...correct?

Correct. But you won't see much of me on the free list other than for bug
fixes and announcements. My aim is to provide better support on the paid
list than I currently do on the free list. Annual support offerings will,
among other things, include membership of the paid list.
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From tjc at ecs.soton.ac.uk Sat Mar 1 15:27:54 2003
From: tjc at ecs.soton.ac.uk (Tim Chown)
Date: Thu Jan 12 21:17:21 2006
Subject: canadian mirror
In-Reply-To: <5.2.0.9.2.20030228172803.0271deb0@imap.ecs.soton.ac.uk>
References: <5.2.0.9.2.20030228171016.024c3010@imap.ecs.soton.ac.uk>
 <5.2.0.9.2.20030228171016.024c3010@imap.ecs.soton.ac.uk>
 <5.2.0.9.2.20030228172803.0271deb0@imap.ecs.soton.ac.uk>
Message-ID: <20030301152754.GN5776@login.ecs.soton.ac.uk>

On Fri, Feb 28, 2003 at 05:35:01PM +0000, Julian Field wrote:
>
> I am leaving mailscanner.info where it is (certainly for now, it might get
> moved eventually). There are political reasons for leaving it on our main
> dept web server as it gets the dept some subtle advertising and obviously
> associates MailScanner with our dept, which the management like (and I am
> quite happy about too).

Glad to hear it ;-)

Historically MailScanner came out of a JISC-funded project that the
University of Southampton had, through which we realised a) the excessive
price of Windows-based scanners (per-seat is so nasty) and b) the lack of
Unix-based alternatives (one commercial, plus an early amavis, for example).

Having determined that, and with Jules' enthusiasm and dedication, the rest
is history :) By bringing in a paid support system we both allow Jules to
get a reward for his work, and also people to get better support if they
wish to pay for it (if enough do, the MailScanner team can be expanded...).

The key aspect of "commercialisation" is that the code will remain free,
and support (self-help) free.

The .info domain was one of a few .info's we grabbed when they were enabled
a while back; I guess no one else bid for it, or we got lucky. Not sure
who's on mailscanner.com, looks like someone in LA...

Jules will also of course still be giving some free advice, e.g. there's a
MailScanner BoF at Networkshop UK in April in York.
Tim

From mike at ZANKER.ORG Sat Mar 1 16:21:45 2003
From: mike at ZANKER.ORG (Mike Zanker)
Date: Thu Jan 12 21:17:21 2006
Subject: canadian mirror
In-Reply-To: <20030301152754.GN5776@login.ecs.soton.ac.uk>
References: <5.2.0.9.2.20030228171016.024c3010@imap.ecs.soton.ac.uk>
Message-ID: <458764375.1046535705@jemima.zanker.org>
 <5.2.0.9.2.20030228171016.024c3010@imap.ecs.soton.ac.uk>
 <5.2.0.9.2.20030228172803.0271deb0@imap.ecs.soton.ac.uk>
 <20030301152754.GN5776@login.ecs.soton.ac.uk>
X-Mailer: Mulberry/3.0.2 (Win32)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
X-Mallard-MailScanner: Found to be clean

On 01 March 2003 15:27 +0000 Tim Chown wrote:

> Jules will also of course still be giving some free advice, e.g.
> there's a MailScanner BoF at Networkshop UK in April in York.

Yes, probably see you there...

Mike.

From dot at DOTAT.AT Sat Mar 1 16:14:10 2003
From: dot at DOTAT.AT (Tony Finch)
Date: Thu Jan 12 21:17:21 2006
Subject: Mailscanner and Exim with "split_spool_directory = true"
In-Reply-To:
References: <5.2.0.9.2.20030228135517.03b59b60@imap.ecs.soton.ac.uk>
 <3E5F6762.6020700@marinocrane.com>
 <5.2.0.9.2.20030228135517.03b59b60@imap.ecs.soton.ac.uk>
 <20030228151933.GA30294@peerlessmfg.com>
Message-ID:

Julian Field wrote:
>At 15:19 28/02/2003, you wrote:
>>Is it possible to use mailscanner with exim when split_spool_directory
>>is set to true. I have not had any success with this option while using
>>mailscanner.
>
>No it isn't I'm afraid. Sorry about that.

I haven't got around to investigating this properly, but I have a couple
of thoughts on the matter. You ought to be able to have a split spool
directory on the smtp listener by using a configuration like
        Incoming Queue Dir = /var/spool/exim.in/input/*
but there isn't much point in this because the incoming spool dir
should always be small.
split_spool is much more important for the
outgoing Exim because it's doing all the retries, and because of its
support for turning the option on and off with messages already in the
spool, it may be possible to make MailScanner just leave the messages
in /var/spool/exim/input and rely on Exim to move them into the correct
subdirectory.

BTW I'm using Exim with MailScanner with only one Exim configuration file
by using a trick, as follows. In the Exim configuration file put
        SPOOL = /var/spool/exim
        spool_directory = SPOOL
i.e. use a macro to define the spool directory. Then you invoke the SMTP
listening exim with a command-line macro definition to override the one
in the configuration file, and -odq to turn off immediate delivery:
        exim -bd -odq -DSPOOL=/var/spool/exim.in
and the outgoing/queue-running exim with an extra option to make it
create a pid file which it won't do by default (because it has no -bd):
        exim -q15m -oP /var/spool/exim/exim-daemon.pid
The Sendmail and Sendmail2 options in MailScanner can then be the same
and without command line options. Unlike the recommended configuration
this means that locally-generated email will bypass MailScanner, which
should be OK if you don't have users on the machine.

Tony.
--
f.a.n.finch http://dotat.at/
THE WASH TO NORTH FORELAND: SOUTHWEST BACKING SOUTHEAST 3 OR 4 OCCASIONALLY 5,
BUT LATER VEERING SOUTH OR SOUTHWEST. RAIN FOR A TIME. MODERATE OR GOOD.
MAINLY SLIGHT, BUT LOCALLY MODERATE AT FIRST.

From dot at DOTAT.AT Sat Mar 1 16:18:38 2003
From: dot at DOTAT.AT (Tony Finch)
Date: Thu Jan 12 21:17:21 2006
Subject: ANNOUNCE: Version 4.13-1 released
In-Reply-To:
Message-ID:

Julian Field wrote:
>
>- Improved rulesets to allow optional '.' on the end of addresses.

Hmm. That's a syntax error that should be rejected by the MTA...

Tony.
--
f.a.n.finch http://dotat.at/
FISHER GERMAN BIGHT: SOUTHWEST 4 IN SOUTHWEST GERMAN BIGHT AT TIMES, OTHERWISE
SOUTHEAST 5 TO 7, OCCASIONALLY GALE 8 IN FISHER. RAIN OR SLEET.
MODERATE OR POOR.

From mailscanner at ecs.soton.ac.uk Sat Mar 1 16:38:47 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:21 2006
Subject: ANNOUNCE: Version 4.13-1 released
In-Reply-To:
References:
Message-ID: <5.2.0.9.2.20030301163733.02286eb8@imap.ecs.soton.ac.uk>

At 16:18 01/03/2003, you wrote:
>Julian Field wrote:
> >
> >- Improved rulesets to allow optional '.' on the end of addresses.
>
>Hmm. That's a syntax error that should be rejected by the MTA...

Disagree here. As a DNS domain name,
         spammer.com.
is just as valid as
         spammer.com
I always thought the same applied to mail addresses.

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Sat Mar 1 16:36:52 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:21 2006
Subject: Mailscanner and Exim with "split_spool_directory = true"
In-Reply-To:
References: <5.2.0.9.2.20030228135517.03b59b60@imap.ecs.soton.ac.uk>
 <3E5F6762.6020700@marinocrane.com>
 <5.2.0.9.2.20030228135517.03b59b60@imap.ecs.soton.ac.uk>
 <20030228151933.GA30294@peerlessmfg.com>
Message-ID: <5.2.0.9.2.20030301163416.0225ae40@imap.ecs.soton.ac.uk>

At 16:14 01/03/2003, you wrote:
>Julian Field wrote:
> >At 15:19 28/02/2003, you wrote:
> >>Is it possible to use mailscanner with exim when split_spool_directory
> >>is set to true. I have not had any success with this option while using
> >>mailscanner.
> >
> >No it isn't I'm afraid. Sorry about that.
>
>I haven't got around to investigating this properly, but I have a couple
>of thoughts on the matter. You ought to be able to have a split spool
>directory on the smtp listener by using a configuration like
>        Incoming Queue Dir = /var/spool/exim.in/input/*
>but there isn't much point in this because the incoming spool dir
>should always be small.
>split_spool is much more important for the
>outgoing Exim because it's doing all the retries, and because of its
>support for turning the option on and off with messages already in the
>spool, it may be possible to make MailScanner just leave the messages
>in /var/spool/exim/input and rely on Exim to move them into the correct
>subdirectory.

What you can currently do to split your outgoing spool dir up into several
is to use a ruleset to calculate "Outgoing Queue Dir" so that, for example,
internal messages get 1 queue while external (leaving your site) messages
go in another queue. You run a queue-runner Exim process for each of your
outgoing queues. I have seen this done with sendmail to quite good effect.
Gets you speed on internal messages separate from the potentially large
queue of mail leaving your site bound for other (slow) SMTP servers.

>BTW I'm using Exim with MailScanner with only one Exim configuration file
>by using a trick, as follows. In the Exim configuration file put
>        SPOOL = /var/spool/exim
>        spool_directory = SPOOL
>i.e. use a macro to define the spool directory. Then you invoke the SMTP
>listening exim with a command-line macro definition to override the one
>in the configuration file, and -odq to turn off immediate delivery:
>        exim -bd -odq -DSPOOL=/var/spool/exim.in
>and the outgoing/queue-running exim with an extra option to make it
>create a pid file which it won't do by default (because it has no -bd):
>        exim -q15m -oP /var/spool/exim/exim-daemon.pid
>The Sendmail and Sendmail2 options in MailScanner can then be the same
>and without command line options. Unlike the recommended configuration
>this means that locally-generated email will bypass MailScanner, which
>should be OK if you don't have users on the machine.
>
>Tony.
>--
>f.a.n.finch http://dotat.at/
>THE WASH TO NORTH FORELAND: SOUTHWEST BACKING SOUTHEAST 3 OR 4 OCCASIONALLY 5,
>BUT LATER VEERING SOUTH OR SOUTHWEST. RAIN FOR A TIME. MODERATE OR GOOD.
>MAINLY SLIGHT, BUT LOCALLY MODERATE AT FIRST.

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From dot at DOTAT.AT Sat Mar 1 16:30:17 2003
From: dot at DOTAT.AT (Tony Finch)
Date: Thu Jan 12 21:17:21 2006
Subject: FAQ-O-Matic available
In-Reply-To:
Message-ID:

I have tried to register with this but it never sends the validation email.

Tony.
--
f.a.n.finch http://dotat.at/
LANDS END TO ST DAVIDS HEAD INCLUDING THE BRISTOL CHANNEL: SOUTHWEST 4 OR 5
VEERING WEST 4 FOR A TIME. SHOWERS THEN MAINLY FAIR. MAINLY GOOD. ROUGH.

From urgent at mailscanner.info Sat Mar 1 16:42:40 2003
From: urgent at mailscanner.info (urgent@mailscanner.info)
Date: Thu Jan 12 21:17:21 2006
Subject: Automated reply from urgent@www.mailscanner.biz
Message-ID: <200303011642.h21Gge332532@mailscanner.biz>

This has been sent to our support staff by SMS.
If you didn't put your telephone number and name at the start of the
message, please re-send it.
Please email the full details of your fault to support@mailscanner.biz.

From MAILER-DAEMON at mailscanner.info Sat Mar 1 16:42:40 2003
From: MAILER-DAEMON at mailscanner.info (Mail Delivery Subsystem)
Date: Thu Jan 12 21:17:21 2006
Subject: Returned mail: see transcript for details
Message-ID: <200303011642.h21Ggd232526@mailscanner.biz>

The original message was received at Sat, 1 Mar 2003 16:42:36 GMT
from raven.ecs.soton.ac.uk [152.78.70.1]

----- The following addresses had permanent fatal errors -----
urgent-list
    (reason: 550 5.1.1 User unknown)
    (expanded from: )

----- Transcript of session follows -----
550 5.1.1 urgent-list... User unknown
-------------- next part --------------
Skipped content of type message/delivery-status
-------------- next part --------------
An embedded message was scrubbed...
From: Julian Field
Subject: Test 2
Date: Sat, 01 Mar 2003 16:42:30 +0000
Size: 1231
Url: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030301/0cd04a6d/attachment.mht

From dot at DOTAT.AT Sat Mar 1 16:48:50 2003
From: dot at DOTAT.AT (Tony Finch)
Date: Thu Jan 12 21:17:21 2006
Subject: ANNOUNCE: Version 4.13-1 released
In-Reply-To:
References:
Message-ID:

Julian Field wrote:
>At 16:18 01/03/2003, you wrote:
>>Julian Field wrote:
>> >
>> >- Improved rulesets to allow optional '.' on the end of addresses.
>>
>>Hmm. That's a syntax error that should be rejected by the MTA...
>
>Disagree here. As a DNS domain name,
>         spammer.com.
>is just as valid as
>         spammer.com
>I always thought the same applied to mail addresses.

It's one of the peculiar differences between the two :-)

RFC 2821:
      Domain = (sub-domain 1*("." sub-domain)) / address-literal
      sub-domain = Let-dig [Ldh-str]
      Let-dig = ALPHA / DIGIT
      Ldh-str = *( ALPHA / DIGIT / "-" ) Let-dig
RFC 2822:
      domain = dot-atom / domain-literal / obs-domain
      dot-atom = [CFWS] dot-atom-text [CFWS]
      dot-atom-text = 1*atext *("." 1*atext)
      atom = [CFWS] 1*atext [CFWS]

The same is true for local parts too, which is slightly more surprising:

RFC 2821:
      Local-part = Dot-string / Quoted-string
      Dot-string = Atom *("." Atom)
      Atom = 1*atext
RFC 2822:
      local-part = dot-atom / quoted-string / obs-local-part

Tony.
--
f.a.n.finch http://dotat.at/
SELSEY BILL TO LYME REGIS: SOUTHWEST 5 VEERING WEST OR NORTHWEST 3 OR 4.
SHOWERS. MAINLY GOOD. MODERATE LOCALLY ROUGH AT FIRST.

From hh at HACKHAWK.NET Sat Mar 1 17:12:16 2003
From: hh at HACKHAWK.NET (Hack Hawk)
Date: Thu Jan 12 21:17:21 2006
Subject: septic tank emails
In-Reply-To: <06EE2C86D3DAD5119A6C0060943F3C970402C1A3@tormail1.algorith mics.com>
Message-ID: <5.1.0.14.0.20030301090753.043f06f0@mail.nightsource.com>

I got the same email, and put the following in my local.cf to increase the
score for similar email to the septic tank email.
If I knew perl syntax better I'd replace the 30 with a wild card number of zero through 100 or something. Maybe someone could offer something better for that rule?

------------------------------------------------------------------------
body LOCAL_FREE430 /\bfree for 30 days\b/i
describe LOCAL_FREE430 Talks about something free for 30 days
body LOCAL_EXCLUDE_SELF /\bexlude yourself\b/i
describe LOCAL_EXCLUDE_SELF Talks about excluding yourself

score LOCAL_FREE430 1.000
score LOCAL_EXCLUDE_SELF 1.000
------------------------------------------------------------------------

Thanks
- hawk

At 07:51 AM 02/28/2003, Derek Winkler wrote:
>Use a SpamAssassin local rule to increase the score:
>
>body LOCAL_ISS /septic tank/i
>describe LOCAL_ISS "Body contains septic tank"
>score LOCAL_ISS 5
>
>I put these in /etc/mail/spamassassin/local.cf
>
>There should be a way to do subject, I just didn't have an example handy.
>
>-----Original Message-----
>From: Matthew Bowman [mailto:mbowman@udcom.com]
>Sent: Friday, February 28, 2003 10:31 AM
>To: MAILSCANNER@jiscmail.ac.uk
>Subject: septic tank emails
>
>Greetings
>
>We are being bombarded with septic tank emails and they are not being
>flagged as spam as the score is so low. What is the best way to blacklist
>these
>type of emails ? (I'd rather do it on subject not domain).
>
>Thanks
>
>Matthew.
>
>-----
>
>Headers:
>
>Field Name: X_MailScanner_SpamCheck
>Data Type: Text List
>Data Length: 239 bytes
>Seq Num: 1
>Dup Item ID: 0
>Field Flags:
>
>"not spam, SpamAssassin (score=1.7, required 4.8, BIG_FONT,
>CTYPE_JUST_HTML, SPAM_PHRASE_00_01, TO_ADDRESS_EQ_REAL), not spam,
>SpamAssassin (score=1.7, required 4.8, AWL, BIG_FONT, CTYPE_JUST_HTML,
>SPAM_PHRASE_00_01, TO_ADDRESS_EQ_REAL)"
>
>Field Name: X_Real_Return_Path
>Data Type: Text List
>Data Length: 29 bytes
>Seq Num: 1
>Dup Item ID: 0
>Field Flags:
>
>"yy55frs@fsd.paknet.com.pk"
>
>Field Name: SendTo
>Data Type: Text List
>Data Length: 53 bytes
>Seq Num: 1
>Dup Item ID: 0
>Field Flags: SUMMARY
>
>""tiwcrpumn@lgh.lg.co.kr" "
>
>Field Name: Body
>Data Type: MIME Part
>Data Length: 447 bytes
>Seq Num: 1
>Dup Item ID: 0
>Field Flags: SIGN SEAL
>
>"Content-Type: text/html
>
>Fuck Saddam Hussein
>
>href="http://www.kososo.com/cl5/spc/free_trial.html">Do
>you have a
>Septic
>Tank?
>
>href="http://www.kososo.com/cl5/spc/free_trial.html">Free
>and Important
>
>Information.
>
>"

From mailscanner at ecs.soton.ac.uk Sat Mar 1 17:24:28 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:21 2006
Subject: septic tank emails
In-Reply-To: <5.1.0.14.0.20030301090753.043f06f0@mail.nightsource.com>
References: <06EE2C86D3DAD5119A6C0060943F3C970402C1A3@tormail1.algorith mics.com>
Message-ID: <5.2.0.9.2.20030301172342.02894e60@imap.ecs.soton.ac.uk>

At 17:12 01/03/2003, you wrote:
>I got the same email, and put the following in my local.cf to increase the
>score for similar email to the septic tank email. If I knew perl syntax
>better I'd replace the 30 with a wild card number of zero through 100 or
>something. Maybe someone could offer something better for that rule?

Replace 30 with \d+ which means "1 or more digits".

>------------------------------------------------------------------------
>body LOCAL_FREE430 /\bfree for 30 days\b/i
>describe LOCAL_FREE430 Talks about something free for 30 days
>body LOCAL_EXCLUDE_SELF /\bexlude yourself\b/i
>describe LOCAL_EXCLUDE_SELF Talks about excluding yourself
>
>score LOCAL_FREE430 1.000
>score LOCAL_EXCLUDE_SELF 1.000
>------------------------------------------------------------------------
>
>Thanks
>- hawk
>
>At 07:51 AM 02/28/2003, Derek Winkler wrote:
>
>>Use a SpamAssassin local rule to increase the score:
>>
>>body LOCAL_ISS /septic tank/i
>>describe LOCAL_ISS "Body contains septic tank"
>>score LOCAL_ISS 5
>>
>>I put these in /etc/mail/spamassassin/local.cf
>>
>>There should be a way to do subject, I just didn't have an example handy.
>>
>>-----Original Message-----
>>From: Matthew Bowman [mailto:mbowman@udcom.com]
>>Sent: Friday, February 28, 2003 10:31 AM
>>To: MAILSCANNER@jiscmail.ac.uk
>>Subject: septic tank emails
>>
>>Greetings
>>
>>We are being bombarded with septic tank emails and they are not being
>>flagged as spam as the score is so low. What is the best way to blacklist
>>these
>>type of emails ? (I'd rather do it on subject not domain).
>>
>>Thanks
>>
>>Matthew.
>>
>>-----
>>
>>Headers:
>>
>>Field Name: X_MailScanner_SpamCheck
>>Data Type: Text List
>>Data Length: 239 bytes
>>Seq Num: 1
>>Dup Item ID: 0
>>Field Flags:
>>
>>"not spam, SpamAssassin (score=1.7, required 4.8, BIG_FONT,
>>CTYPE_JUST_HTML, SPAM_PHRASE_00_01, TO_ADDRESS_EQ_REAL), not spam,
>>SpamAssassin (score=1.7, required 4.8, AWL, BIG_FONT, CTYPE_JUST_HTML,
>>SPAM_PHRASE_00_01, TO_ADDRESS_EQ_REAL)"
>>
>>Field Name: X_Real_Return_Path
>>Data Type: Text List
>>Data Length: 29 bytes
>>Seq Num: 1
>>Dup Item ID: 0
>>Field Flags:
>>
>>"yy55frs@fsd.paknet.com.pk"
>>
>>Field Name: SendTo
>>Data Type: Text List
>>Data Length: 53 bytes
>>Seq Num: 1
>>Dup Item ID: 0
>>Field Flags: SUMMARY
>>
>>""tiwcrpumn@lgh.lg.co.kr" "
>>
>>Field Name: Body
>>Data Type: MIME Part
>>Data Length: 447 bytes
>>Seq Num: 1
>>Dup Item ID: 0
>>Field Flags: SIGN SEAL
>>
>>"Content-Type: text/html
>>
>>Fuck Saddam Hussein
>>
>>href="http://www.kososo.com/cl5/spc/free_trial.html">Do
>>you have a
>>Septic
>>Tank?
>>
>>href="http://www.kososo.com/cl5/spc/free_trial.html">Free
>>and Important
>>
>>Information.
>>
>>"

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

From ms at MLSIS.CO.UK Sat Mar 1 19:05:03 2003
From: ms at MLSIS.CO.UK (Matt Lowe)
Date: Thu Jan 12 21:17:21 2006
Subject: postfix compatability?
Message-ID: <1046545503.1887.20.camel@luggage>

Hi I'm new to this mailing list, but after searching the archives all I could find was a mention of this in the possible future.

Is there any way to integrate mailscanner and postfix yet? without using sendmail/exim?

I'm running postfix on my router/mail server, and do not want to have to try and config sendmail and postfix on one machine (if this is even possible!).

Thanks

Matt Lowe

From raymond at PROLOCATION.NET Sat Mar 1 19:19:08 2003
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:17:21 2006
Subject: postfix compatability?
In-Reply-To: <1046545503.1887.20.camel@luggage>
Message-ID:

Hi!

> Is there any way to integrate mailscanner and postfix yet? without
> using sendmail/exim?
>
> I'm running postfix on my router/mail server, and do not want to have to
> try and config sendmail and postfix on one machine (if this is even
> possible!).

Currently that's the only way to do it yes. No postfix support at the moment.

Bye,
Raymond.

From mailscanner at ecs.soton.ac.uk Sat Mar 1 19:21:46 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:21 2006
Subject: postfix compatability?
In-Reply-To: <1046545503.1887.20.camel@luggage>
Message-ID: <5.2.0.9.2.20030301192035.023d6a30@imap.ecs.soton.ac.uk>

At 19:05 01/03/2003, you wrote:
>Hi I'm new to this mailing list, but after searching the archives all I
>could find was a mention of this in the possible future.
>
>Is there any way to integrate mailscanner and postfix yet? without
>using sendmail/exim?

Someone has some patches somewhere that might integrate the two. Postfix support is our next planned major feature.

>I'm running postfix on my router/mail server, and do not want to have to
>try and config sendmail and postfix on one machine (if this is even
>possible!).

Got a spare machine to run MailScanner+Exim/sendmail on?
--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

From ms at MLSIS.CO.UK Sat Mar 1 19:54:35 2003
From: ms at MLSIS.CO.UK (Matt Lowe)
Date: Thu Jan 12 21:17:21 2006
Subject: postfix compatability?
Message-ID: <1046548476.1887.32.camel@luggage>

On Sat, 2003-03-01 at 19:21, Julian Field wrote:
> At 19:05 01/03/2003, you wrote:
> >Hi I'm new to this mailing list, but after searching the archives all I
> >could find was a mention of this in the possible future.
> >
> >Is there any way to integrate mailscanner and postfix yet? without
> >using sendmail/exim?
>
> Someone has some patches somewhere that might integrate the two. Postfix
> support is our next planned major feature.

Anyone any idea where these patches might be?

Any news on when postfix integration might be out?

>
> >I'm running postfix on my router/mail server, and do not want to have to
> >try and config sendmail and postfix on one machine (if this is even
> >possible!).
>
> Got a spare machine to run MailScanner+Exim/sendmail on?

I could run it on my main server, but if I could set up sendmail/exim then
I'd probably use that, I'm using postfix 'cause my router software
pre-configs it for me, I'm having enough probs getting the server to run
smoothly, and without any maintenance requirements :)
Have tried setting up sendmail in the past and got nowhere with it :(
I know exim is meant to be easier, but unless I can find a tutorial that
gives me 'press this key, press that key' then it's going to take me a
long time to get it up and running :(

> --
> Julian Field
> www.MailScanner.info
> Professional Support Services at www.MailScanner.biz
> MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Sat Mar 1 20:01:38 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:21 2006
Subject: postfix compatability?
In-Reply-To: <1046548476.1887.32.camel@luggage>
Message-ID: <5.2.0.9.2.20030301195904.0273ae10@imap.ecs.soton.ac.uk>

At 19:54 01/03/2003, you wrote:
>On Sat, 2003-03-01 at 19:21, Julian Field wrote:
> > At 19:05 01/03/2003, you wrote:
> > >Hi I'm new to this mailing list, but after searching the archives all I
> > >could find was a mention of this in the possible future.
> > >
> > >Is there any way to integrate mailscanner and postfix yet? without
> > >using sendmail/exim?
> >
> > Someone has some patches somewhere that might integrate the two. Postfix
> > support is our next planned major feature.
>
>Anyone any idea where these patches might be?
>
>Any news on when postfix integration might be out?
>
> >
> > >I'm running postfix on my router/mail server, and do not want to have to
> > >try and config sendmail and postfix on one machine (if this is even
> > >possible!).
> >
> > Got a spare machine to run MailScanner+Exim/sendmail on?
>I could run it on my main server, but if I could set up sendmail/exim then
>I'd probably use that, I'm using postfix 'cause my router software
>pre-configs it for me, I'm having enough probs getting the server to run
>smoothly, and without any maintenance requirements :)
>Have tried setting up sendmail in the past and got nowhere with it :(
>I know exim is meant to be easier, but unless I can find a tutorial that
>gives me 'press this key, press that key' then it's going to take me a
>long time to get it up and running :(

Exim is *fairly* easy to configure. I can probably give you some help if you need it. Get Exim built first, then I guess we need to set it up so that it listens on port 25, with postfix listening on port 26. You will have to get postfix listening on port 26 yourself, I don't know how to do that. The aim is to run Exim on port 25, with its output going into postfix via port 26 (which isn't normally used).
--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

From jrudd at UCSC.EDU Sat Mar 1 21:18:28 2003
From: jrudd at UCSC.EDU (John Rudd)
Date: Thu Jan 12 21:17:21 2006
Subject: FREQ: Rule _Program_
Message-ID: <200303012118.h21LISp29476@kzin.ucsc.edu>

Would it be possible to, instead of having huge static rule files that cover, say, 20,000 different recipient accounts, have a program which will dynamically generate the same response? Basically, the option would be that you'd tell mailscanner.conf that instead of looking in a rule file for the answer, you should run a certain program and it will generate the answer on the fly.

I'm not sure about the exact right implementation details (put a pipe symbol at the end of the file name, to indicate that this is a program instead of a file? or have it be something expressed in the rule file? etc.), but I think it might help with managing large sites where you want each user to have the ability to set their own options. Otherwise, I can see mailscanner becoming bloated with multiple 20,000 line rule files.

The program would probably want to know various things, so maybe it would want to be told who the recipients are, who the sender is, and maybe a few other details. Not sure about that side of things.

From mailscanner at ecs.soton.ac.uk Sat Mar 1 22:07:37 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:21 2006
Subject: FREQ: Rule _Program_
In-Reply-To: <200303012118.h21LISp29476@kzin.ucsc.edu>
Message-ID: <5.2.0.9.2.20030301220618.022a5d50@imap.ecs.soton.ac.uk>

Read CustomConfig.pm. In there, you will find documentation about how to write your own plugins, and examples covering per-domain whitelists/blacklists and SQL logging of activity.

At 21:18 01/03/2003, you wrote:
>Would it be possible to, instead of having huge static rule files that
>cover, say, 20,000 different recipient accounts, have a program which
>will dynamically generate the same response? Basically, the option
>would be that you'd tell mailscanner.conf that instead of looking in
>a rule file for the answer, you should run a certain program and it
>will generate the answer on the fly.
>
>
>I'm not sure about the exact right implementation details (put a pipe
>symbol at the end of the file name, to indicate that this is a program
>instead of a file? or have it be something expressed in the rule file?
>etc.), but I think it might help with managing large sites where you
>want each user to have the ability to set their own options. Otherwise,
>I can see mailscanner becoming bloated with multiple 20,000 line rule
>files.
>
>
>The program would probably want to know various things, so maybe it
>would want to be told who the recipients are, who the sender is,
>and maybe a few other details. Not sure about that side of things.

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

From mike at UNIXSECURITY.ORG Sat Mar 1 23:41:46 2003
From: mike at UNIXSECURITY.ORG (Mike Wallis)
Date: Thu Jan 12 21:17:21 2006
Subject: Sopos Upgrade Issues
Message-ID: <3E61453A.3030409@unixsecurity.org>

I upgraded Sophos to v3.67 today, and am now getting errors when Mailscanner is trying to scan mail:
Error initialising detection engine - missing part of virus data
Error initialising detection engine - missing part of virus data
etc, etc...

It appears that Sophos has updated their virus data format:
"The new version of Sophos Anti-Virus can read virus data from a number of small files, rather than from a single, large file. Future monthly updates of Sophos Anti-Virus will involve replacing only those virus data files that have been updated."

Is this something new that will be patched, or have I not been paying attention and need to finally upgrade Mailscanner to the current version so this will start working again?

--
Mike Wallis

From mike at CAMAROSS.NET Sat Mar 1 23:54:18 2003
From: mike at CAMAROSS.NET (Mike Kercher)
Date: Thu Jan 12 21:17:21 2006
Subject: Sopos Upgrade Issues
In-Reply-To: <3E61453A.3030409@unixsecurity.org>
Message-ID: <001d01c2e04d$dfd7a330$6a01a8c0@home.middlefinger.net>

What version of MS are you running? I just upgraded to 4.13-3 today from 4.11-x, but my Sophos has been running fine with 3.67

Mike

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Mike Wallis
Sent: Saturday, March 01, 2003 5:42 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Sopos Upgrade Issues

I upgraded Sophos to v3.67 today, and am now getting errors when Mailscanner is trying to scan mail:
Error initialising detection engine - missing part of virus data
Error initialising detection engine - missing part of virus data
etc, etc...

It appears that Sophos has updated their virus data format:
"The new version of Sophos Anti-Virus can read virus data from a number of small files, rather than from a single, large file. Future monthly updates of Sophos Anti-Virus will involve replacing only those virus data files that have been updated."

Is this something new that will be patched, or have I not been paying attention and need to finally upgrade Mailscanner to the current version so this will start working again?

--
Mike Wallis

From Janssen at RZ.UNI-FRANKFURT.DE Sun Mar 2 00:35:39 2003
From: Janssen at RZ.UNI-FRANKFURT.DE (Michael Janssen)
Date: Thu Jan 12 21:17:21 2006
Subject: Sopos Upgrade Issues
In-Reply-To: <3E61453A.3030409@unixsecurity.org>
Message-ID:

On Sat, 1 Mar 2003, Mike Wallis wrote:

> I upgraded Sophos to v3.67 today, and am now getting errors when
> Mailscanner is trying to scan mail:
> Error initialising detection engine - missing part of virus data
> Error initialising detection engine - missing part of virus data
> etc, etc...

You will also get this error (nice topic for the faq - but I haven't got the 3.67) when starting sophos directly (but use "sophoswrapper" provided by MS-package: it will start Sophos with correct environment settings)

Until now the best advice was to reinstall Sophos completely (delete directory and install). But did you then get the complete vdl-data?

If concerned, you might try to remove and relink the vdl-link (and to any file working as a "part" of the virus data) and move the vdl-file away and back and silly things like that ;-) Sophos sweep can stumble about very sophisticated things in combination with the links used to target the vdl data and Sophos needs no apparent reason for this behaviour (I have once strace'd the sweep process and it claims files as missing which were readable by any other program...).

A simple update might result in a non-functional installation. Testing with sophoswrapper is crucial.

Michael

>
> It appears that Sophos has updated their virus data format:
> "The new version of Sophos Anti-Virus can read virus data from a number
> of small files, rather than from a single, large file. Future monthly
> updates of Sophos Anti-Virus will involve replacing only those virus
> data files that have been updated."
>

From mike at UNIXSECURITY.ORG Sun Mar 2 00:41:05 2003
From: mike at UNIXSECURITY.ORG (Mike Wallis)
Date: Thu Jan 12 21:17:21 2006
Subject: Sopos Upgrade Issues
In-Reply-To: <001d01c2e04d$dfd7a330$6a01a8c0@home.middlefinger.net>
References: <001d01c2e04d$dfd7a330$6a01a8c0@home.middlefinger.net>
Message-ID: <3E615321.2090004@unixsecurity.org>

Mike Kercher wrote:
|What version of MS are you running? I just upgraded to 4.13-3 today from
|4.11-x, but my Sophos has been running fine with 3.67

3.x, but to be honest, I don't recall the exact version, which isn't a good sign. But it's been long enough that upgrading to 4.13-3 seemed like a good idea.

After the upgrade, I'm not seeing the errors from Sophos any longer.

--
Mike Wallis

From Janssen at RZ.UNI-FRANKFURT.DE Sun Mar 2 01:25:06 2003
From: Janssen at RZ.UNI-FRANKFURT.DE (Michael Janssen)
Date: Thu Jan 12 21:17:21 2006
Subject: Sopos Upgrade Issues
In-Reply-To: <3E615321.2090004@unixsecurity.org>
Message-ID:

On Sat, 1 Mar 2003, Mike Wallis wrote:

[missing virus data error]
> After the upgrade, I'm not seeing the errors from Sophos any longer.

Hey! Julian did figure out how to catch this nasty Sophos output, didn't he? Sophos writes directly to /dev/tty, therefore it was tricky.

I suggest you check manually if Sophos is now doing the job (unless it depends on the settings of the sophoswrapper script this error is not associated with MailScanner and an upgrade of MailScanner can't *solve* the problem (unless Julian has programmed a routine that silently repairs a broken Sophos installation. But that would be short to silently log in and fix any problem manually ;-)

cheers
Michael

>
> --
> Mike Wallis
>

From mailscanner at ecs.soton.ac.uk Sun Mar 2 10:49:54 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:21 2006
Subject: Sopos Upgrade Issues
In-Reply-To:
References: <3E615321.2090004@unixsecurity.org>
Message-ID: <5.2.0.9.2.20030302104601.02048d80@imap.ecs.soton.ac.uk>

Sophos have slowly changed over to the new file structure in their scanner. As a result you need a recent sophos-autoupdate. You don't necessarily have to upgrade your entire MailScanner installation, you just need the new sophos-autoupdate and the new Sophos.install.

My Sophos.install does make an attempt at removing any Sophos code that was installed using their installation script, so that their libraries don't get in the way. And when testing it, you have to run sophos-wrapper and not directly run sweep, in order to set up the environment for it properly.

One of my main objections to their layout was that they put the IDE files in with all the code, whereas when updating automatically it makes more sense to keep them in a separate directory which can be completely replaced with a new directory *if* the update succeeds. I don't want to leave a half-working copy of Sophos if something goes wrong.

At 01:25 02/03/2003, you wrote:
>On Sat, 1 Mar 2003, Mike Wallis wrote:
>
>[missing virus data error]
> > After the upgrade, I'm not seeing the errors from Sophos any longer.
>
>Hey! Julian did figure out how to catch this nasty Sophos output, didn't
>he? Sophos writes directly to /dev/tty, therefore it was tricky.
>
>I suggest you check manually if Sophos is now doing the job (unless it
>depends on the settings of the sophoswrapper script this error is not
>associated with MailScanner and an upgrade of MailScanner can't *solve*
>the problem (unless Julian has programmed a routine that silently
>repairs a broken Sophos installation. But that would be short to silently
>log in and fix any problem manually ;-)
>
>cheers
>Michael
>
> >
> > --
> > Mike Wallis
> >

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

From Peter.Bates at LSHTM.AC.UK Sun Mar 2 11:31:59 2003
From: Peter.Bates at LSHTM.AC.UK (Peter Bates)
Date: Thu Jan 12 21:17:21 2006
Subject: postfix compatability?
Message-ID:

Hello all...

> mailscanner@ECS.SOTON.AC.UK 03/01/03 20:02 PM >>>
>Exim is *fairly* easy to configure. I can probably give you some
>help if you need it. Get Exim built first, then I guess we need to
>set it up so that it listens on port 25, with postfix listening on
>port 26. You will have to get postfix listening on port 26
>yourself, I don't know how to do that.

Running Postfix still as I am, I can say the answer is in Postfix's 'master.cf' (this controls the transports, where main.cf controls most other things).

There is a line in master.cf saying:

smtp inet n - y - - smtpd

where 'smtp' is the name in /etc/services:

smtp 25/tcp mail

... you could either change 25 to 26 in /etc/services and probably break various things on your system, add a reference to 'smtp-new' in /etc/services, or just change 'smtp' to '26' in the line from master.cf

Clear as mud!

If I was a bit more savvy I'd like to help adding Postfix support to MailScanner, but at the moment it looks like I'll be switching my favourite MTA (at the moment) to Exim (which may of course then become my favourite MTA!)...

--------------------------------------------------------------------------------------------------->
Peter Bates, Systems Support Officer, Network Support Team.
London School of Hygiene & Tropical Medicine.
Telephone:0207-958 8353 / Fax: 0207- 636 9838

From Richard.Lush at HP.COM Sun Mar 2 10:23:01 2003
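The port split discussed in the "postfix compatability?" thread (scanning MTA on port 25, Postfix moved to port 26), as an added configuration example that is not from any of the posters or from the MailScanner project. It reuses the master.cf field values quoted in the thread; the loopback binding, the Exim router and transport names (to_postfix, postfix_smtp) and the existence of a local_domains domain list are assumptions, and the Exim part shows only the final hand-off to Postfix, not a full MailScanner queue setup.

```conf
# ---------------- /etc/postfix/master.cf ----------------
#
# Before (the line quoted in the thread): Postfix owns the public SMTP port.
#   smtp          inet  n  -  y  -  -  smtpd
#
# Weak variant of the change: a bare port number listens on every
# interface, so any host that can reach port 26 can hand mail to Postfix
# without it ever passing through the scanner on port 25.
#   26            inet  n  -  y  -  -  smtpd
#
# Tighter variant (assumption: Exim and Postfix run on the same machine):
# accept on loopback only, so the scanning MTA is the only way in.
127.0.0.1:26      inet  n  -  y  -  -  smtpd

# ---------------- Exim 4 configuration, delivering side ----------------
# Router and transport names are hypothetical. Exim comments must sit on
# their own lines; text after an option value would become part of it.

# In the routers section: send mail for our domains to the local Postfix.
# "self = send" tells Exim that routing to this host is intended and not
# a mail loop.
to_postfix:
  driver = manualroute
  domains = +local_domains
  transport = postfix_smtp
  route_list = * 127.0.0.1
  self = send

# In the transports section: speak SMTP to port 26 instead of 25.
postfix_smtp:
  driver = smtp
  port = 26
  allow_localhost
```

After reloading both daemons, confirm from another host that port 26 refuses connections while port 25 still answers; a packet-filter rule for port 26 is a sensible second layer.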
From: Richard.Lush at HP.COM (Lush, Richard)
Date: Thu Jan 12 21:17:21 2006
Subject: Webmin module -0.4 Beta - Released
Message-ID:

Hi All,

Just to let you know that the webmin module supporting MailScanner 4.13 has been released.

It can be downloaded from http://lushsoft.dyndns.org/mailscanner-webmin

I'm always looking for feedback on what you think or what you want added so please mail me and let me know.

Cheers all,

Richard

Richard Lush
Consulting and Integration
Security Practice
Reading
UK
Email richard.lush@hp.com
Mobile +44 (0) 7788 916941
Office +44 (0) 118 920 2349
Fax +44 (0) 118 920 4612

D I S C L A I M E R
The information contained in this communication is intended solely for use by the individual or entity to whom it is addressed. Use of this communication by others is prohibited. HP is neither liable for the proper and complete transmission of the information contained in this communication nor for any delay in its receipt nor for any special, incidental or consequential damages of any nature whatsoever resulting from receipt or use of this communication. If you are not the intended recipient, you may not peruse, use, disseminate, distribute or copy this message. If you have received this message in error, please notify the sender immediately by email, facsimile or telephone and return or destroy the original message. Thank you.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030302/9b6ebe02/attachment.html

From marco at MUW.EDU Sun Mar 2 15:04:51 2003
From: marco at MUW.EDU (Marco Obaid)
Date: Thu Jan 12 21:17:21 2006
Subject: High Scoring Spam
In-Reply-To: <3E4D1295.2050002@accent.it>
References: <002801c2d43e$4ec74be0$be46460a@hazelwood.k12.mo.us> <3E4D1295.2050002@accent.it>
Message-ID: <1046617491.3e621d93b46a3@webmail.MUW.Edu>

Hello all,

What is the logic behind "High Scoring Spam Actions = deliver" ? If a message scores > 5 and I am telling MailScanner to Spam Actions = store. Why would I have to tell it again what to do with High Scoring Spam?

I have read the notes in Mailscanner.conf and it just did not click yet :) Maybe I am thinking too much about it or I have a mental block right now.

Marco

_________________________________________________________________
This mail is sent through MUW Webmail: http://www.MUW.Edu/webmail
For the latest MUW Events, visit http://www.MUW.Edu/calendar

From sevans at FOUNDATION.SDSU.EDU Sun Mar 2 15:26:39 2003
From: sevans at FOUNDATION.SDSU.EDU (Steve Evans)
Date: Thu Jan 12 21:17:21 2006
Subject: High Scoring Spam
Message-ID:

For example spam is set to a score of 5, high scoring spam is set to 10. Maybe you want to only tag regular spam (between 5 and 9.9) because it's kind of grey and you don't want any false positives. But anything over 10 you consider to be a definite. So you automatically delete that (or store it).

Steve Evans
SDSU Foundation
(619) 594-0653

-----Original Message-----
From: Marco Obaid [mailto:marco@MUW.EDU]
Sent: Sunday, March 02, 2003 7:05 AM
To: MAILSCANNER@JISCMAIL.AC.UK

Hello all,

What is the logic behind "High Scoring Spam Actions = deliver" ? If a message scores > 5 and I am telling MailScanner to Spam Actions = store. Why would I have to tell it again what to do with High Scoring Spam?

I have read the notes in Mailscanner.conf and it just did not click yet :) Maybe I am thinking too much about it or I have a mental block right now.

Marco

_________________________________________________________________
This mail is sent through MUW Webmail: http://www.MUW.Edu/webmail
For the latest MUW Events, visit http://www.MUW.Edu/calendar

From mailscanner at HRSERVERS.COM Sun Mar 2 16:05:32 2003
From: mailscanner at HRSERVERS.COM (SUBSCRIBE MAILSCANNER Anonymous)
Date: Thu Jan 12 21:17:21 2006
Subject: Spamassassin 2.50 & MailScanner 4.13-3 Problems
Message-ID:

Spamassassin 2.50 & MailScanner 4.13-3 Problems...

Well let's see to start with our server specs are...
RH Linux 7.2
Ensim Webppliance 3.16-1
Sendmail
MailScanner 4.13-3
Spamassassin 2.50

Running mailscanner with spamassassin on would put an extreme load on the server with the mailscanner processes using up 17-25% cpu. I also tried this with mailscanner 4.12-2 and had the same result. Apparently somewhere along the way there is either a major problem with spamassassin 2.50 or mailscanner when using spamassassin.

However the spamassassin patch on your site (http://mailscanner.info) did correct this problem (load dropped to nearly nothing) but I wonder while using that is that going to hinder spamassassin's functionality? Also is this going to be fixed in a future version?

From raymond at PROLOCATION.NET Sun Mar 2 16:19:59 2003
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:17:21 2006
Subject: Spamassassin 2.50 & MailScanner 4.13-3 Problems
In-Reply-To:
Message-ID:

Hi!

> However the spamassassin patch on your site (http://mailscanner.info) did
> correct this problem (load dropped to nearly nothing) but I wonder while
> using that is that going to hinder spamassassin's functionality? Also is
> this going to be fixed in a future version?

Should you not be asking this on the Spamassassin's list ? It's a problem with that piece of software. They have to fix it :)

Bye,
Raymond.

From mailscanner at ecs.soton.ac.uk Sun Mar 2 16:27:57 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:21 2006
Subject: Spamassassin 2.50 & MailScanner 4.13-3 Problems
In-Reply-To:
Message-ID: <5.2.0.9.2.20030302162525.02ecce60@imap.ecs.soton.ac.uk>

At 16:05 02/03/2003, you wrote:
>Spamassassin 2.50 & MailScanner 4.13-3 Problems...
>
>Well let's see to start with our server specs are...
>RH Linux 7.2
>Ensim Webppliance 3.16-1
>Sendmail
>MailScanner 4.13-3
>Spamassassin 2.50
>
>Running mailscanner with spamassassin on would put an extreme load on the
>server with the mailscanner processes using up 17-25% cpu. I also tried
>this with mailscanner 4.12-2 and had the same result. Apparently somewhere
>along the way there is either a major problem with spamassassin 2.50
>or mailscanner when using spamassassin.
>
>However the spamassassin patch on your site (http://mailscanner.info) did
>correct this problem (load dropped to nearly nothing) but I wonder while
>using that is that going to hinder spamassassin's functionality? Also is
>this going to be fixed in a future version?

The "chews up all your CPU time" problem was caused by a fault that was making SpamAssassin lock solid. They weren't closing a database properly at the end of processing a message. My patch just makes it close the database properly.

The patch does not damage functionality of SpamAssassin or MailScanner in any way.

It should be fixed by the SpamAssassin authors in 2.51, at which point my patch won't be needed any more.
--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

From Kevin.Spicer at BMRB.CO.UK Sun Mar 2 16:47:25 2003
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin)
Date: Thu Jan 12 21:17:21 2006
Subject: Sneaky Spammers...?
Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0A4AD3F@pascal.priv.bmrb.co.uk>

I don't know whether this is a new ploy, or just one I haven't noticed before as I've got rather better reporting in place now (and one of the mails in question landed in my inbox!)...

Like (I guess) many sites our primary MX is our border mailscanner (actually it's also our secondary as it has addresses on two internet connections) and our ISP provides two fallback mailservers, which in the event of failure queue up mail and forward on to our MailScanner when it comes back up. I've just noticed that some enterprising spammer seems to have decided it's a good idea to send mail directly to these servers and let them forward on to our primary MX. I'm fairly sure that this is what is happening, as a quick grep of our maillogs suggests that only spam is being received from the backup MXs (suggesting that the primary MX was in fact available throughout).

I noticed also that mailstats.pl lists the two fallback servers as no.1 and no.3 on the list of 'blocked' IPs (fortunately I turned blocking off when I installed it). This could have serious consequences for anyone who is using this, or other scripts, to block spam relays, as should their primary MX (MailScanner) - or its internet connection - go down the secondary MX would then accept mail which it would be prevented from delivering once the primary MX came back up! [David, this is why I've copied you on this, as I'm not sure if you're currently on the MS list]

It's debatable whether scripts that block based on IPs logged by MailScanner need to account for this or whether MS should refrain from logging the IP of hosts that are fallback MXs for the domain(s)(?)
I did notice that the MS spam log entry suggests that the IP of our fallback MXs belongs to the domain of the spammer's (forged) address rather than reflecting its reverse DNS name - which is also misleading.

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000
_________________________________________________________________
This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business.

From mike at CAMAROSS.NET Sun Mar 2 16:59:51 2003
From: mike at CAMAROSS.NET (Mike Kercher)
Date: Thu Jan 12 21:17:21 2006
Subject: Sneaky Spammers...?
In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB0A4AD3F@pascal.priv.bmrb.co.uk>
Message-ID: <002c01c2e0dd$24c3ef50$6a01a8c0@home.middlefinger.net>

It looks to me like mail is rejected at the MTA by DNS blacklists. The spam is then routed to the backup MX and it seems that when mail hits the secondary MX (even though the originating server was blacklisted), the backup allows the spam in because it is only spooling for the domain (for some reason). I may have this explanation all screwed because I just woke up, but I see this all the time as I do backup MX for lots of domains where the primary is also running MS/SA/DNSBL's.

From Kevin.Spicer at BMRB.CO.UK Sun Mar 2 17:05:51 2003
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin)
Date: Thu Jan 12 21:17:21 2006
Subject: Sneaky Spammers...?
Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0A4AD40@pascal.priv.bmrb.co.uk>

> It looks to me like mail is rejected at the MTA by DNS blacklists. The spam
> is then routed to the backup MX and it seems that when mail hits the
> secondary MX (even though the originating server was blacklisted), the
> backup allows the spam in because it is only spooling for the domain (for
> some reason). I may have this explanation all screwed because I just woke
> up, but I see this all the time as I do backup MX for lots of domains where
> the primary is also running MS/SA/DNSBL's.
>

No I think this is a deliberate ploy because...

1) I haven't got any blacklisting turned on (although the way things are going I may review this soon!)
2) Mails are coming via both backup MX's - if it was as you suggest then surely they would only be coming via the higher priority one?

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000

From Kevin.Spicer at BMRB.CO.UK Sun Mar 2 17:16:48 2003
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin)
Date: Thu Jan 12 21:17:21 2006
Subject: Bug??
Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0A4AD41@pascal.priv.bmrb.co.uk>

I don't know if this is a bug or just something I don't like much(!)

I just noticed that when Sophos fails to update I don't get a mail (as I did with previous versions). Looking into this, sophos_autoupdate logs the fact to syslog and prints to stderr (which when run by cron should then end up in an email to root, which ends up in my inbox), however update_virus_scanners calls sophos_autoupdate like this

    ${UPDATER} >/dev/null 2>&1

Which discards the message! I've changed this to...

    ${UPDATER}

which appears to have solved the problem.

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000

From mike at ZANKER.ORG Sun Mar 2 17:40:32 2003
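Added example (not part of any list message and not MailScanner's own script): what cron would mail for the redirection quoted in the "Bug??" message, for the call with no redirection, and for a wrapper that stays quiet on success but replays the output on failure. `fake_updater` and all function names are hypothetical stand-ins, and its two messages are constructed.

```shell
#!/bin/sh
# Hypothetical stand-in for a virus-data updater: progress goes to stdout,
# the failure notice to stderr, and the exit status reports the outcome.
fake_updater() {
    echo "checking for new virus data"
    if [ "$1" = "fail" ]; then
        echo "updater stub: update failed" >&2
        return 1
    fi
    return 0
}

# cron mails whatever a job writes to stdout or stderr, so merge both
# streams to see what would land in root's mailbox.
cron_sees() {
    "$@" 2>&1
}

# Redirection quoted in the message: both streams are thrown away,
# so a failed update produces no mail at all.
run_silenced() {
    fake_updater "$1" >/dev/null 2>&1
}

# No redirection: failures are mailed, and so is every successful run.
run_unredirected() {
    fake_updater "$1"
}

# Wrapper pattern added here: buffer the output, replay it only on a
# non-zero exit, and hand the exit status back to the caller.
run_report_on_failure() {
    out=$(fake_updater "$1" 2>&1) && status=0 || status=$?
    if [ "$status" -ne 0 ]; then
        printf '%s\n' "$out"
    fi
    return "$status"
}

# Show what cron would capture for each form, on success and on failure.
for form in run_silenced run_unredirected run_report_on_failure; do
    for mode in ok fail; do
        mail=$(cron_sees "$form" "$mode") || true
        printf '%-22s %-4s -> [%s]\n' "$form" "$mode" "$mail"
    done
done
```

The third form only works if the updater exits non-zero when it fails, which the stub does by construction.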
From: mike at ZANKER.ORG (Mike Zanker)
Date: Thu Jan 12 21:17:21 2006
Subject: Sneaky Spammers...?
In-Reply-To: <002c01c2e0dd$24c3ef50$6a01a8c0@home.middlefinger.net>
References: <002c01c2e0dd$24c3ef50$6a01a8c0@home.middlefinger.net>
Message-ID: <549891093.1046626832@jemima.zanker.org>

On 02 March 2003 10:59 -0600 Mike Kercher wrote:

> It looks to me like mail is rejected at the MTA by DNS blacklists.
> The spam is then routed to the backup MX and it seems that when mail
> hits the secondary MX (even though the originating server was
> blacklisted), the backup allows the spam in because it is only
> spooling for the domain (for some reason).

No, it's deliberate - spammers have been using secondary or even tertiary MX hosts for months now. Some of the spamming software available does this automatically now.

My secondary MX also got blocked by mailstats.pl. I've left blocking enabled but fixed mailstats.pl so that it skips my secondary MX.

Mike.

From ms at MLSIS.CO.UK Sun Mar 2 20:48:53 2003
From: ms at MLSIS.CO.UK (Matt Lowe)
Date: Thu Jan 12 21:17:21 2006
Subject: postfix compatability
Message-ID: <1046638133.1886.47.camel@luggage>

Hi,

How far away is postfix compat? Would a donation help in this progress? If so how much?

I know mailscanner is GPL but a lot of programmers can't dedicate all their time to a project due to work/cash/time constraints.

Just an idea, I have a company that MIGHT be willing to pay (and still keep it all GPLed).

From mailscanner at ecs.soton.ac.uk Sun Mar 2 22:57:04 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:21 2006
Subject: New version of RAV - readme!
Message-ID: <5.2.0.9.2.20030302225323.0300c128@imap.ecs.soton.ac.uk>

There is a new version of RAV available. However, it has some slightly odd requirements and will need the rav-wrapper from 4.13 in order to work properly.

So if you have upgraded your copy of RAV recently, please check to see if it is working as you may need to upgrade to 4.13.

The upgrade is a 5 minute job, especially with my upgrade_MailScanner_conf script to do the awkward bit for you. You should upgrade the "tnef" RPM as well as the "mailscanner" RPM as that is updated also.

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

From paul at ESPMAIL.CO.UK Sun Mar 2 23:24:09 2003
From: paul at ESPMAIL.CO.UK (Paul Welsh)
Date: Thu Jan 12 21:17:21 2006
Subject: Sneaky Spammers...?
References: <002c01c2e0dd$24c3ef50$6a01a8c0@home.middlefinger.net> <549891093.1046626832@jemima.zanker.org>
Message-ID: <004601c2e112$d7b94760$fde030d5@espmail>

----- Original Message -----
From: "Mike Zanker"
To:
Sent: 02 March 2003 17:40
Subject: Re: Sneaky Spammers...?

> No, it's deliberate - spammers have been using secondary or even
> tertiary MX hosts for months now. Some of the spamming software
> available does this automatically now.

Yes, I agree. That's why I like SpamAssassin, because it goes further than checking just the last hop with RBLs. If your secondary MX belongs to your ISP (who tend not to use RBLs) then blocking using simple RBLs on your primary MX does you no good at all.

From David.While at UCE.AC.UK Mon Mar 3 10:25:16 2003
From: David.While at UCE.AC.UK (David While)
Date: Thu Jan 12 21:17:22 2006
Subject: Sneaky Spammers...?
Message-ID:

I have added whitelist functionality to mailstats.pl to allow you to add the IP addresses of servers that you don't want added to the access file. This will allow you to add the IP addresses of your secondary MX hosts so that they don't get blocked.

It can be downloaded as usual from http://staff.cie.uce.ac.uk/~dwhile/mailstats/

-----------------------------------------------------------------
David While
Technical Development Manager
Faculty of Computing, Information & English
University of Central England
Tel: 0121 331 6211

From steve.freegard at LBSLTD.CO.UK Mon Mar 3 11:37:04 2003
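Added example (not mailstats.pl and not code from any poster): the effect discussed in the "Sneaky Spammers...?" thread, worked through in shell and awk on constructed data. Per-relay spam counts feed a block list, the fallback MX hosts cross the threshold because they forward spam that was sent straight to them, and a whitelist keeps them out. The log layout, the function names and the addresses (documentation ranges) are assumptions made for the example.

```shell
#!/bin/sh
# Constructed sample data in a simplified syslog-style layout; real
# MailScanner log lines look different and vary by version.
sample_log() {
cat <<'EOF'
Mar  2 09:10:01 mx1 scanner[811]: msg h2291A01 from 203.0.113.25 verdict=spam
Mar  2 09:12:44 mx1 scanner[811]: msg h2292B02 from 192.0.2.10 verdict=spam
Mar  2 09:15:09 mx1 scanner[811]: msg h2293C03 from 198.51.100.7 verdict=clean
Mar  2 09:20:31 mx1 scanner[811]: msg h2294D04 from 192.0.2.10 verdict=spam
Mar  2 09:21:02 mx1 scanner[811]: msg h2295E05 from 203.0.113.25 verdict=spam
Mar  2 09:33:17 mx1 scanner[811]: msg h2296F06 from 192.0.2.11 verdict=spam
Mar  2 09:40:55 mx1 scanner[811]: msg h2297G07 from 192.0.2.10 verdict=spam
Mar  2 09:41:10 mx1 scanner[811]: msg h2298H08 from 198.51.100.7 verdict=clean
Mar  2 09:52:48 mx1 scanner[811]: msg h2299I09 from 203.0.113.25 verdict=spam
Mar  2 10:03:26 mx1 scanner[811]: msg h229AJ10 from 192.0.2.11 verdict=spam
Mar  2 10:07:59 mx1 scanner[811]: msg h229BK11 from 198.51.100.7 verdict=spam
EOF
}

# Constructed whitelist: the two fallback MX hosts of the example site.
write_sample_whitelist() {
cat > "$1" <<'EOF'
# fallback MX hosts run by the ISP
192.0.2.10
192.0.2.11   # second fallback
EOF
}

# stdin: log lines. stdout: "ip total spam" per relaying host, sorted.
relay_counts() {
    awk '{
        ip = ""; verdict = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "from" && i < NF) ip = $(i + 1)
            if ($i ~ /^verdict=/) verdict = substr($i, 9)
        }
        if (ip == "" || verdict == "") next
        total[ip]++
        if (verdict == "spam") spam[ip]++
    }
    END { for (ip in total) printf "%s %d %d\n", ip, total[ip], spam[ip] }' |
        LC_ALL=C sort
}

# classify MIN_SPAM WHITELIST_FILE: stdin is relay_counts output.
# stdout: "action ip total spam", action = ok | block | skip-whitelisted.
classify() {
    awk -v min="$1" -v wlfile="$2" '
    BEGIN {
        while (wlfile != "" && (getline line < wlfile) > 0) {
            sub(/#.*/, "", line)          # drop comments
            gsub(/[ \t\r]/, "", line)     # drop whitespace
            if (line != "") allow[line] = 1
        }
    }
    {
        if ($3 + 0 < min + 0)  action = "ok"
        else if ($1 in allow)  action = "skip-whitelisted"
        else                   action = "block"
        print action, $1, $2, $3
    }'
}

# Addresses that would be written to the block list.
blocked_ips() {
    classify "$1" "$2" | awk '$1 == "block" { print $2 }'
}

# Whitelisted relays that handed over nothing but spam: the sign that
# senders are targeting the fallback MX hosts directly.
spam_only_backups() {
    classify 1 "$1" | awk '$1 == "skip-whitelisted" && $3 == $4 { print $2 }'
}

wl=$(mktemp)
write_sample_whitelist "$wl"
echo "blocked without whitelist:"; sample_log | relay_counts | blocked_ips 2 /dev/null
echo "blocked with whitelist:";    sample_log | relay_counts | blocked_ips 2 "$wl"
echo "fallback MXs relaying only spam:"; sample_log | relay_counts | spam_only_backups "$wl"
rm -f "$wl"
```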
From: steve.freegard at LBSLTD.CO.UK (Steve Freegard)
Date: Thu Jan 12 21:17:22 2006
Subject: SpamAssassin 2.50 Bayes + MailScanner
Message-ID: <67D9E7698329D411936E00508B6590B902793242@neelix.lbsltd.co.uk>

Hello,

Has anyone successfully managed to get SpamAssassin to auto learn e-mail processed via MailScanner???

I've received about 1200 e-mails that have been processed with 2.50 although when I run 'check_bayes_db' as root, it only reports that it has seen two messages which were the 'sample-spam.txt' and 'sample-nonspam.txt' test files that I ran through SA when I upgraded.

I've tried putting 'auto_learn 1' into spam.assassin.prefs.conf - I've also tried to change the bayes db path by putting 'bayes_path /etc/MailScanner/bayes' into the prefs file - after restarting MailScanner, the only file that gets created is 'bayes_toks.db' which is an empty file.

Anyone else had this problem??

Thanks,

Steve

--
Steve Freegard
Systems Manager
Littlehampton Book Services Ltd.
Tel: +44 (0)1903 82 8594
Fax: +44 (0)1903 82 8620

**********************************************************************
This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager.

This footnote also confirms that this email message has been swept by MIMEsweeper for the presence of computer viruses.

www.lbsltd.co.uk
**********************************************************************

From mike at ZANKER.ORG Mon Mar 3 11:38:17 2003
From: mike at ZANKER.ORG (Mike Zanker)
Date: Thu Jan 12 21:17:22 2006
Subject: Sneaky Spammers...?
In-Reply-To:
References:
Message-ID: <2313390.1046691497@mallard.open.ac.uk>

On 03 March 2003 10:25 +0000 David While wrote:

> I have added whitelist functionality to mailstats.pl to allow you to
> add the IP addresses of servers that you don't want added to the
> access file. This will allow you to add the IP addresses of your
> secondary MX hosts so that they don't get blocked.

Marvellous - thanks David.

Mike.

From c_chow at REX-GARMENTS.COM.HK Mon Mar 3 11:32:55 2003
From: c_chow at REX-GARMENTS.COM.HK (Chris Chow)
Date: Thu Jan 12 21:17:22 2006
Subject: Newbie to Mailscanner
Message-ID:

Dear all,

I am interested in using Mailscanner software to protect our email system. We are using Red Hat 7.3 and sendmail. I think using RPM to install this software will not be difficult. I am just a bit confused about the concept of this software.

Mailscanner scans incoming emails for viruses; where does it get the virus pattern files? We are using Trend server protect for another server (win 2000), does it mean I copy the pattern from this server, or do we copy the pattern from our desktop? I don't suppose there are virus patterns that are free to download?

Secondly, if I need to subscribe to an anti-virus software vendor to get the pattern, maybe I can install that software for virus protection on the server. I think Trend have a linux version of anti-virus software called InterScan Messaging Security Suite to handle this task.

I am sorry for listing this simple/basic question, I did search the listing but couldn't find the answer.

Chris Chow

From Kevin.Spicer at BMRB.CO.UK Mon Mar 3 11:49:29 2003
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin)
Date: Thu Jan 12 21:17:22 2006
Subject: Newbie to Mailscanner
Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0A4AD46@pascal.priv.bmrb.co.uk>

> Mailscanner scan incoming emails for virus, where does it get the virus
> pattern files.

You need to install a virus scanner (probably a commercial one like sophos or f-prot)

> We are using Trend server protect for another server (win 2000), does it
> mean I copy the pattern from this server, or do we copy the pattern from
> our desktop? I don't suppose there are virus pattern that is free to
> download?

There are - try clamav, but I'd recommend using a commercial scanner too to get maximum protection (especially against new viruses)

> Secondly if I need to subscribe to anti-virus software vendor to get the
> pattern, maybe I can install that software for virus protection on
> server. I think Trend have linux version of anti-virus software called
> InterScan Messaging Security Suite to handle this task.

I believe the Trend scanner can be used with MailScanner (although it currently has an 'unsupported' code status, see http://www.sng.ecs.soton.ac.uk/mailscanner/install/codestatus.shtml)

> I am sorry for listing this simple/basic question, I did search the
> listing but couldn't find the answer.

Have a good read of the website www.mailscanner.info - all the above info is there

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000

From raymond at PROLOCATION.NET Mon Mar 3 11:55:28 2003
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:17:22 2006
Subject: Newbie to Mailscanner
In-Reply-To:
Message-ID:

Hi!

> Mailscanner scan incoming emails for virus, where does it get the virus
> pattern files. We are using Trend server protect for another server (win
> 2000), does it mean I copy the pattern from this server, or do we copy
> the pattern from our desktop? I don't suppose there are virus pattern
> that is free to download?

Mailscanner is the framework, you need to install a virus scanner also. f-prot is free for non commercial use.

> Secondly if I need to subscribe to anti-virus software vendor to get the
> pattern, maybe I can install that software for virus protection on
> server. I think Trend have linux version of anti-virus software called
> InterScan Messaging Security Suite to handle this task.

Yes you can, and you can also automate the update process.

Bye,
Raymond.

From mailscanner at ecs.soton.ac.uk Mon Mar 3 12:23:06 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:22 2006
Subject: SpamAssassin 2.50 Bayes + MailScanner
In-Reply-To: <67D9E7698329D411936E00508B6590B902793242@neelix.lbsltd.co.uk>
Message-ID: <5.2.0.9.2.20030303121936.03e1c338@imap.ecs.soton.ac.uk>

I had this problem when I initially installed 2.50 for the first time. What had happened was the "make install" of SA2.50 hadn't actually installed all the files for some reason.

Check your /usr/share/spamassassin has some files in it that mention bayes in their filename,

    ls /usr/share/spamassassin/*bayes*

and that there are some bayes files in /usr/lib/perl5 (or wherever the root of your perl lib installation is).

    find /usr/lib/perl5 -name '*bayes*' -print

I ended up doing the "make install" again to watch carefully what happened, and this time it put all the right files in place. It was working then, and I wanted to go home, so I didn't ever investigate it further.

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From dot at DOTAT.AT Mon Mar 3 13:08:27 2003
From: dot at DOTAT.AT (Tony Finch)
Date: Thu Jan 12 21:17:22 2006
Subject: Mailscanner and Exim with "split_spool_directory = true"
In-Reply-To:
References: <5.2.0.9.2.20030228135517.03b59b60@imap.ecs.soton.ac.uk> <3E5F6762.6020700@marinocrane.com> <5.2.0.9.2.20030228135517.03b59b60@imap.ecs.soton.ac.uk> <20030228151933.GA30294@peerlessmfg.com>
Message-ID:

Tony Finch wrote:
>
>I haven't got around to investigating this properly, but I have a couple
>of thoughts on the matter. You ought to be able to have a split spool
>directory on the smtp listener by using a configuration like
> Incoming Queue Dir = /var/spool/exim.in/input/*
>but there isn't much point in this because the incoming spool dir
>should always be small. split_spool is much more important for the
>outgoing Exim because it's doing all the retries, and because of its
>support for turning the option on and off with messages already in the
>spool, it may be possible to make MailScanner just leave the messages
>in /var/spool/exim/input and rely on Exim to move them into the correct
>subdirectory.

Unfortunately Exim doesn't move messages in the queue, and just relies on the natural turnover of messages when turning split_spool_directory on and off to do the work of getting all messages into the right place. So although this setup works, it has no benefit.

Tony.
--
f.a.n.finch http://dotat.at/
LANDS END TO ST DAVIDS HEAD INCLUDING THE BRISTOL CHANNEL: SOUTHEAST 4 OR 5 INCREASING 6 LOCALLY 7 VEERING WEST 5 THEN BACKING SOUTHWEST 4 OR 5 LATER. RAIN OR DRIZZLE. MODERATE LOCALLY POOR LATER. MODERATE OR ROUGH.

From dml at UNB.CA Mon Mar 3 13:40:25 2003
From: dml at UNB.CA (David Lancaster)
Date: Thu Jan 12 21:17:22 2006
Subject: septic tank emails
In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB0EBF427@pascal.priv.bmrb.co.uk>
Message-ID:

Looks like nottinghamcity.gov.uk is having Mail Server problems again... Only one so far, but perhaps nottinghamcity should consider replacing their broken mail system?

D.

Received: from mailserv2.unb.ca (mailserv2.unb.ca [131.202.3.56]) by sol.sun.csd.unb.ca (8.11.4/8.11.4) with ESMTP id h217vnM07818 for ; Sat, 1 Mar 2003 03:57:50 -0400 (AST)
Received: from smtp.jiscmail.ac.uk (smtp.jiscmail.ac.uk [130.246.192.48]) by mailserv2.unb.ca (8.12.6/8.12.6) with ESMTP id h217vjKY030095 for ; Sat, 1 Mar 2003 03:57:47 -0400
Received: from LISTSERV.JISCMAIL.AC.UK (jiscmail.ac.uk) by smtp.jiscmail.ac.uk (LSMTP for Windows NT v1.1b) with SMTP id <0.00327397@smtp.jiscmail.ac.uk>; Sat, 1 Mar 2003 7:57:45 +0000
Received: from JISCMAIL.AC.UK by JISCMAIL.AC.UK (LISTSERV-TCP/IP release 1.8e) with spool id 18961031 for MAILSCANNER@JISCMAIL.AC.UK; Sat, 1 Mar 2003 07:57:44 +0000
Received: from 130.246.192.52 by JISCMAIL.AC.UK (SMTPL release 1.0h) with TCP; Sat, 1 Mar 2003 07:57:44 GMT
Received: from insmtp23.bt.net (insmtp23.bt.net [217.35.209.183]) by ori.rl.ac.uk (8.11.1/8.11.1) with ESMTP id h217vhS04214 for ; Sat, 1 Mar 2003 07:57:43 GMT
Received: from [194.72.158.100] (helo=[192.168.1.2]) by insmtp23.bt.net with esmtp (Exim 3.36 #1) id 18p1p1-0006d5-00 for MAILSCANNER@jiscmail.ac.uk; Sat, 01 Mar 2003 07:54:15 +0000
Received: from smtp.jiscmail.ac.uk (unverified) by cohen (Content Technologies SMTPRS 4.3.6) with SMTP id for ; Fri, 28 Feb 2003 15:53:30 +0000
Received: from LISTSERV.JISCMAIL.AC.UK (jiscmail.ac.uk) by smtp.jiscmail.ac.uk (LSMTP for Windows NT v1.1b) with SMTP id <7.000000BB@smtp.jiscmail.ac.uk>; Fri, 28 Feb 2003 15:59:13 +0000
Received: from JISCMAIL.AC.UK by JISCMAIL.AC.UK (LISTSERV-TCP/IP release 1.8e) with spool id 18936642 for MAILSCANNER@JISCMAIL.AC.UK; Fri, 28 Feb 2003 15:59:12 +0000
Received: from 130.246.192.52 by JISCMAIL.AC.UK (SMTPL release 1.0h) with TCP ; Fri, 28 Feb 2003 15:59:12 GMT

On Fri, 28 Feb 2003, Spicer, Kevin wrote:

> > Use a SpamAssassin local rule to increase the score:
> > body LOCAL_ISS /septic tank/i
> > describe LOCAL_ISS "Body contains septic tank"
> > score LOCAL_ISS 5
> > I put these in /etc/mail/spamassassin/local.cf
> > There should be a way to do subject, I just didn't have an example handy.
> Lifted straight from the MailScanner home page...
> header FRIEND_GREETINGS Subject =~ /you have an E-Card from/i
> describe FRIEND_GREETINGS Nasty E-card from FriendGreetings.com
> score FRIEND_GREETINGS 100.0
>

--
===========================================================
David Lancaster
ITS ESS
447-3212

From sean at NISD.NET Mon Mar 3 14:33:26 2003
From: sean at NISD.NET (Sean Embry)
Date: Thu Jan 12 21:17:22 2006
Subject: Sneaky Spammers...?
Message-ID:

>>> Kevin.Spicer@BMRB.CO.UK 03/02/03 10:47AM >>>
> I don't know whether this is a new ploy, or just one I haven't noticed before as I've got rather better reporting in place now (and one of the mails in
> question landed in my inbox!)...

It's not all that new. I've been seeing this for a while. It's being discussed on News.Admin.Net-Abuse-Email.

> Like (I guess) many sites our primary MX is our border mailscanner (actually it's also our secondary as it has addresses on two internet connections) and
> our ISP provides two fallback mailservers, which in the event of failure queue up mail and forward on to our MailScanner when it comes back up. I've just
> noticed that some enterprising spammer seems to have decided it's a good idea to send mail directly to these servers and let them forward on to our
> primary MX. I'm fairly sure that this is what is happening, as a quick grep of our maillogs suggests that only spam is being received from the backup MXs
> (suggesting that the primary MX was in fact available throughout).

This is likely. Spammers have tried to use higher priority mail servers because:

1. They are likely to be less critical in rejecting spam
2. Mail admins frequently forget to update local blocks on all MX's.
3. The servers are normally less loaded and can therefore take greater amounts of spam in less time.

snip

I'm thinking of making the higher priority mail exchangers refuse (with a 4xx) e-mail for the primary if the primary looks to be up. Since only spammers won't queue mail this should affect only spammers. Legitimate e-mail will go to the lowest priority MX, or it's broken anyway.

About the only MTA I've seen that will try to use a higher priority MX with the lowest is up and accepting is Exchange Server, and not all of them do that. I don't know why some do, and some don't.

Sean

From steve.freegard at LBSLTD.CO.UK Mon Mar 3 14:58:18 2003
From: steve.freegard at LBSLTD.CO.UK (Steve Freegard) Date: Thu Jan 12 21:17:22 2006 Subject: SpamAssassin 2.50 Bayes + MailScanner Message-ID: <67D9E7698329D411936E00508B6590B902793250@neelix.lbsltd.co.uk> Hi Julian, Thanks for the reply. I've had a look for the files, and I've re-run 'make install' - still not working though. Here's all the files I've got: [root@trip root]# find / -name '*[Bb]ayes*' -print /usr/lib/perl5/site_perl/5.6.1/Mail/SpamAssassin/Bayes.pm /usr/lib/perl5/site_perl/5.6.1/Mail/SpamAssassin/BayesStore.pm /usr/share/spamassassin/23_bayes.cf /usr/man/man3/Mail::SpamAssassin::Bayes.3pm /etc/MailScanner/bayes_toks.db /root/Mail-SpamAssassin-2.50/rules/23_bayes.cf /root/Mail-SpamAssassin-2.50/tools/check_bayes_db /root/Mail-SpamAssassin-2.50/tools/trim_bayes_db /root/Mail-SpamAssassin-2.50/lib/Mail/SpamAssassin/BayesStore.pm /root/Mail-SpamAssassin-2.50/lib/Mail/SpamAssassin/Bayes.pm /root/Mail-SpamAssassin-2.50/blib/lib/Mail/SpamAssassin/Bayes.pm /root/Mail-SpamAssassin-2.50/blib/lib/Mail/SpamAssassin/BayesStore.pm /root/Mail-SpamAssassin-2.50/blib/man3/Mail::SpamAssassin::Bayes.3pm /root/.spamassassin/bayes_toks /root/.spamassassin/bayes_seen /root/.spamassassin/bayes_msgcount /root/.spamassassin/bayes_toks.db /home/smf/.spamassassin/bayes_toks /home/smf/.spamassassin/bayes_seen /home/smf/.spamassassin/bayes_msgcount This is on RedHat 7.3 with Perl 5.6.1. The spam.assassin.prefs.conf currently has 'bayes_path /etc/MailScanner/bayes' in it - the /root|smf/.spammassassin/bayes* files only have the two test messages in them... As this seems to be more SA related rather than MailScanner - I'll post the same question to the sa-talk list and see what happens... Thanks, Steve. -----Original Message----- 
From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK]
Sent: 03 March 2003 12:23
To: MAILSCANNER@jiscmail.ac.uk
Subject: Re: SpamAssassin 2.50 Bayes + MailScanner

I had this problem when I initially installed 2.50 for the first time. What had happened was the "make install" of SA2.50 hadn't actually installed all the files for some reason.

Check your /usr/share/spamassassin has some files in it that mention bayes in their filename,
    ls /usr/share/spamassassin/*bayes*
and that there are some bayes files in /usr/lib/perl5 (or wherever the root of your perl lib installation is).
    find /usr/lib/perl5 -name '*bayes*' -print

I ended up doing the "make install" again to watch carefully what happened, and this time it put all the right files in place. It was working then, and I wanted to go home, so I didn't ever investigate it further.

At 11:37 03/03/2003, you wrote:
>Hello,
>
>Has anyone successfully managed to get SpamAssassin to auto learn e-mail
>processed via MailScanner???
>
>I've received about 1200 e-mails that have been processed with 2.50
>although when I run 'check_bayes_db' as root, it only reports that it has
>seen two messages which were the 'sample-spam.txt' and
>'sample-nonspam.txt' test files that I ran through SA when I upgraded.
>
>I've tried putting 'auto_learn 1' into spam.assassin.prefs.conf - I've
>also tried to change the bayes db path by putting 'bayes_path
>/etc/MailScanner/bayes' into the prefs file - after restarting
>MailScanner, the only file that gets created is 'bayes_toks.db' which is
>an empty file.
>
>Anyone else had this problem??
>
>Thanks,
>
>
>Steve
>
>--
>Steve Freegard
>Systems Manager
>Littlehampton Book Services Ltd.
>Tel: +44 (0)1903 82 8594
>Fax: +44 (0)1903 82 8620
>
>
>
>**********************************************************************
>This email and any files transmitted with it are confidential and
>intended solely for the use of the individual or entity to whom they
>are addressed. If you have received this email in error please notify
>the system manager.
>
>This footnote also confirms that this email message has been swept by
>MIMEsweeper for the presence of computer viruses.
>
>www.lbsltd.co.uk
>**********************************************************************

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

**********************************************************************
This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please notify
the system manager.

This footnote also confirms that this email message has been swept by
MIMEsweeper for the presence of computer viruses.

www.lbsltd.co.uk
**********************************************************************

From dustin.baer at IHS.COM Mon Mar 3 15:22:07 2003
From: dustin.baer at IHS.COM (Dustin Baer)
Date: Thu Jan 12 21:17:22 2006
Subject: Email Security and Virus Testing site
References: <3E5E5E0C.8060305@marinocrane.com>
Message-ID: <3E63731F.794C042@ihs.com>

Ryan Pitt wrote:
>
> Hi Everyone,
>
> I am looking for a few suggested sites that offer email virus tests.

http://www.gfi.com/emailsecuritytest

From logwatch at GETNET.CZ Mon Mar 3 15:37:31 2003
From: logwatch at GETNET.CZ (Michal Kminek)
Date: Thu Jan 12 21:17:22 2006
Subject: Attachments - packed files
Message-ID: <200303031537.h23FbVA02717@mail.getnet.cz>

Hi everyone,

I want to just make sure that MailScanner doesn't unpack attachments with a corresponding external program. Why am I asking? Some antivirus scanners aren't perfect and I want to unpack all the compressed attachments for them and then let them scan the unpacked files. Has anybody written such hack or his own antivirus wrapper?

Thank you

Michal Kminek

From Peter.Bates at LSHTM.AC.UK Mon Mar 3 16:53:30 2003
From: Peter.Bates at LSHTM.AC.UK (Peter Bates)
Date: Thu Jan 12 21:17:22 2006
Subject: X-MailScanner message...
Message-ID:

Hello all...

I upgraded to 4.13-3 today, and also used Julian's magic configuration upgrade script.

During this, I must have uncommented:

Information Header = X-MailScanner-Information:

Now I see:

>X-MailScanner-Information: Please contact the ISP for more information
>X-MailScanner: Found to be clean

on a message, which was spam, but not caught by SA.

What does the 'please contact the ISP for more information' actually mean?

Thanks...

--------------------------------------------------------------------------------------------------->
Peter Bates, Systems Support Officer, Network Support Team.
London School of Hygiene & Tropical Medicine.
Telephone:0207-958 8353 / Fax: 0207- 636 9838

From mailscanner at ecs.soton.ac.uk Mon Mar 3 17:01:00 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:22 2006
Subject: Attachments - packed files
In-Reply-To: <200303031537.h23FbVA02717@mail.getnet.cz>
Message-ID: <5.2.0.9.2.20030303165938.03e39e28@imap.ecs.soton.ac.uk>

At 15:37 03/03/2003, you wrote:
> I want to just make sure that MailScanner doesn't unpack
>attachments with a corresponding external program. Why am I asking?
>Some antivirus scanners aren't perfect and I want to unpack all the
>compressed attachments for them and then let them scan the unpacked
>files. Has anybody written such hack or his own antivirus wrapper?

All the decent anti-virus programs unpack every common archive format already. If your scanning engine doesn't unpack archives, then I suggest you buy a better one :-)
You are quite correct, MailScanner doesn't unpack archives (as it doesn't need to).
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From kwang at UCALGARY.CA Mon Mar 3 17:35:10 2003
From: kwang at UCALGARY.CA (Kai Wang)
Date: Thu Jan 12 21:17:22 2006
Subject: confusing spam rules
Message-ID: <3E63924E.42025919@ucalgary.ca>

Hello,

We plan to use MailScanner to tag the spam messages. After a few tests, I found the spam rules in MailScanner are very confusing.

In /etc/MailScanner/MailScanner.conf:
----------------------------------------------------------------------------
Is Definitely Not Spam = /etc/MailScanner/rules/spam.whitelist.rules
Is Definitely Spam = /etc/MailScanner/rules/spam.blacklist.rules

1) Domain name does not match but ip address matches

I configured a host name in /etc/MailScanner/rules/spam.blacklist.rules and sent a message from the machine, the message did not match the rule. Then I replaced the hostname with its IP address and sent the same message again from the same machine, it matched the spam rule.

cat /etc/MailScanner/rules/spam.whitelist.rules
FromTo: default no

cat /etc/MailScanner/rules/spam.blacklist.rules
From: /lms5.acs.ucalgary.ca/ yes
FromTo: default no

2) wildcard(*) sometimes works, sometimes not

The black list rule "To: fs50*@ucalgary.ca yes" does not match a message to fs501@ucalgary.ca. But the black list rule "From: fs50*@ucalgary.ca yes" matches a message from fs501@ucalgary.ca.

Thanks
Kai Wang

From mailscanner at ecs.soton.ac.uk Mon Mar 3 17:07:19 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:22 2006
Subject: X-MailScanner message...
In-Reply-To:
Message-ID: <5.2.0.9.2.20030303170621.02d9e330@imap.ecs.soton.ac.uk>

At 16:53 03/03/2003, you wrote:
>Hello all...
>
>I upgraded to 4.13-3 today, and also used Julian's magic configuration
>upgrade script.
>
>During this, I must have uncommented:
>
>Information Header = X-MailScanner-Information:
>
>Now I see:
>
> >X-MailScanner-Information: Please contact the ISP for more information
> >X-MailScanner: Found to be clean
>
>on a message, which was spam, but not caught by SA.
>
>What does the 'please contact the ISP for more information' actually mean?

Not much. It is intended that you configure it to say whatever you like (or make it blank so it disappears altogether). It is added to all mail that goes through MailScanner, whether it is scanned or not.

Feel free to advertise MailScanner in the text :-)
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From logwatch at GETNET.CZ Mon Mar 3 17:47:13 2003
From: logwatch at GETNET.CZ (Michal Kminek)
Date: Thu Jan 12 21:17:22 2006
Subject: Attachments - packed files
Message-ID: <200303031747.h23HlDQ04148@mail.getnet.cz>

Julian Field wrote ..
> At 15:37 03/03/2003, you wrote:
> > I want to just make sure that MailScanner doesn't unpack
> >attachments with a corresponding external program. Why am I asking?
> >Some antivirus scanners aren't perfect and I want to unpack all the
> >compressed attachments for them and then let them scan the unpacked
> >files. Has anybody written such hack or his own antivirus wrapper?
>
> All the decent anti-virus programs unpack every common archive format
> already. If your scanning engine doesn't unpack archives, then I suggest
> you buy a better one :-)
> You are quite correct, MailScanner doesn't unpack archives (as it doesn't
> need to).
> --
> Julian Field
> www.MailScanner.info
> MailScanner thanks transtec Computers for their support

To be honest, even those decent antivirus programs aren't perfect. The majority of the programs are black boxes, you just believe that it works. MailScanner is a nice program and maybe it would be nice to have a separate layer for unpacking, where you can control for example the nesting depth and prevent various DoS attacks. Then you just keep the unpacking utilities up-to-date. I'm surprised that nobody has attempted to program such thing.

Regards,
Michal Kminek

From matthew.richard at COCC.COM Mon Mar 3 17:48:45 2003
From: matthew.richard at COCC.COM (Richard, Matt)
Date: Thu Jan 12 21:17:22 2006
Subject: FW: [RHSA-2003:073-06] Updated sendmail packages fix critical security issues
Message-ID:

For those who have not already seen the advisory. It appears to affect sendmail on many different platforms.

Matt Richard

-----Original Message-----
From: bugzilla@redhat.com [mailto:bugzilla@redhat.com]
Sent: Monday, March 03, 2003 12:05 PM
To: redhat-watch-list@redhat.com; redhat-announce-list@redhat.com
Subject: [RHSA-2003:073-06] Updated sendmail packages fix critical security issues

---------------------------------------------------------------------
Red Hat, Inc. Red Hat Security Advisory

Synopsis: Updated sendmail packages fix critical security issues
Advisory ID: RHSA-2003:073-06
Issue date: 2003-02-07
Updated on: 2003-03-03
Product: Red Hat Linux
Keywords: sendmail smrsh security bug
Cross references:
Obsoletes: RHSA-2002:106
CVE Names: CAN-2002-1337
---------------------------------------------------------------------

1. Topic:

Updated Sendmail packages are available to fix a vulnerability that may allow remote attackers to gain root privileges by sending a carefully crafted message.

These packages also fix a security bug if sendmail is configured to use smrsh.

2. Relevant releases/architectures:

Red Hat Linux 6.2 - i386
Red Hat Linux 7.0 - i386
Red Hat Linux 7.1 - i386
Red Hat Linux 7.2 - i386, ia64
Red Hat Linux 7.3 - i386
Red Hat Linux 8.0 - i386

3. Problem description:

Sendmail is a widely used Mail Transport Agent (MTA) which is included in all Red Hat Linux distributions.

During a code audit of Sendmail by ISS, a critical vulnerability was uncovered that affects unpatched versions of Sendmail prior to version 8.12.8. A remote attacker can send a carefully crafted email message which, when processed by sendmail, causes arbitrary code to be executed as root.

We are advised that a proof-of-concept exploit is known to exist, but is not believed to be in the wild.

Since this is a message-based vulnerability, MTAs other than Sendmail may pass on the carefully crafted message. This means that unpatched versions of Sendmail inside a network could still be at risk even if they do not accept external connections directly.

In addition, the restricted shell (SMRSH) in Sendmail allows attackers to bypass the intended restrictions of smrsh by inserting additional commands after "||" sequences or "/" characters, which are not properly filtered or verified. A successful attack would allow an attacker who has a local account on a system which has explicitly enabled smrsh to execute arbitrary binaries as themselves by utilizing their .forward file.

All users are advised to update to these erratum packages. For Red Hat Linux 8.0 we have included Sendmail version 8.12.8 which is not vulnerable to these issues. For all other distributions we have included a backported patch which corrects these vulnerabilities.

Red Hat would like to thank Eric Allman for his assistance with this vulnerability.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those RPMs which are currently installed will be updated. Those RPMs which are not installed but included in the list will not be updated. Note that you can also use wildcards (*.rpm) if your current directory *only* contains the desired RPMs.

Please note that this update is also available via Red Hat Network. Many people find this an easier way to apply updates. To use Red Hat Network, launch the Red Hat Update Agent with the following command:

up2date

This will start an interactive process that will result in the appropriate RPMs being upgraded on your system.

5.
RPMs required: Red Hat Linux 6.2: SRPMS: ftp://updates.redhat.com/6.2/en/os/SRPMS/sendmail-8.11.6-1.62.2.src.rpm i386: ftp://updates.redhat.com/6.2/en/os/i386/sendmail-8.11.6-1.62.2.i386.rpm ftp://updates.redhat.com/6.2/en/os/i386/sendmail-cf-8.11.6-1.62.2.i386.rpm ftp://updates.redhat.com/6.2/en/os/i386/sendmail-doc-8.11.6-1.62.2.i386.rpm Red Hat Linux 7.0: SRPMS: ftp://updates.redhat.com/7.0/en/os/SRPMS/sendmail-8.11.6-23.70.src.rpm i386: ftp://updates.redhat.com/7.0/en/os/i386/sendmail-8.11.6-23.70.i386.rpm ftp://updates.redhat.com/7.0/en/os/i386/sendmail-cf-8.11.6-23.70.i386.rpm ftp://updates.redhat.com/7.0/en/os/i386/sendmail-devel-8.11.6-23.70.i386.rpm ftp://updates.redhat.com/7.0/en/os/i386/sendmail-doc-8.11.6-23.70.i386.rpm Red Hat Linux 7.1: SRPMS: ftp://updates.redhat.com/7.1/en/os/SRPMS/sendmail-8.11.6-23.71.src.rpm i386: ftp://updates.redhat.com/7.1/en/os/i386/sendmail-8.11.6-23.71.i386.rpm ftp://updates.redhat.com/7.1/en/os/i386/sendmail-cf-8.11.6-23.71.i386.rpm ftp://updates.redhat.com/7.1/en/os/i386/sendmail-devel-8.11.6-23.71.i386.rpm ftp://updates.redhat.com/7.1/en/os/i386/sendmail-doc-8.11.6-23.71.i386.rpm Red Hat Linux 7.2: SRPMS: ftp://updates.redhat.com/7.2/en/os/SRPMS/sendmail-8.11.6-23.72.src.rpm i386: ftp://updates.redhat.com/7.2/en/os/i386/sendmail-8.11.6-23.72.i386.rpm ftp://updates.redhat.com/7.2/en/os/i386/sendmail-cf-8.11.6-23.72.i386.rpm ftp://updates.redhat.com/7.2/en/os/i386/sendmail-devel-8.11.6-23.72.i386.rpm ftp://updates.redhat.com/7.2/en/os/i386/sendmail-doc-8.11.6-23.72.i386.rpm ia64: ftp://updates.redhat.com/7.2/en/os/ia64/sendmail-8.11.6-23.72.ia64.rpm ftp://updates.redhat.com/7.2/en/os/ia64/sendmail-cf-8.11.6-23.72.ia64.rpm ftp://updates.redhat.com/7.2/en/os/ia64/sendmail-devel-8.11.6-23.72.ia64.rpm ftp://updates.redhat.com/7.2/en/os/ia64/sendmail-doc-8.11.6-23.72.ia64.rpm Red Hat Linux 7.3: SRPMS: ftp://updates.redhat.com/7.3/en/os/SRPMS/sendmail-8.11.6-23.73.src.rpm i386: 
ftp://updates.redhat.com/7.3/en/os/i386/sendmail-8.11.6-23.73.i386.rpm ftp://updates.redhat.com/7.3/en/os/i386/sendmail-cf-8.11.6-23.73.i386.rpm ftp://updates.redhat.com/7.3/en/os/i386/sendmail-devel-8.11.6-23.73.i386.rpm ftp://updates.redhat.com/7.3/en/os/i386/sendmail-doc-8.11.6-23.73.i386.rpm Red Hat Linux 8.0: SRPMS: ftp://updates.redhat.com/8.0/en/os/SRPMS/sendmail-8.12.8-1.80.src.rpm i386: ftp://updates.redhat.com/8.0/en/os/i386/sendmail-8.12.8-1.80.i386.rpm ftp://updates.redhat.com/8.0/en/os/i386/sendmail-cf-8.12.8-1.80.i386.rpm ftp://updates.redhat.com/8.0/en/os/i386/sendmail-devel-8.12.8-1.80.i386.rpm ftp://updates.redhat.com/8.0/en/os/i386/sendmail-doc-8.12.8-1.80.i386.rpm 6. Verification:
These packages are GPG signed by Red Hat, Inc. for security. Our key is available at http://www.redhat.com/about/contact/pgpkey.html You can verify each package with the following command: rpm --checksig -v If you only wish to verify that each package has not been corrupted or tampered with, examine only the md5sum with the following command: md5sum 7.
References:
http://www.cert.org/advisories/CA-2003-07.html
http://marc.theaimsgroup.com/?l=bugtraq&m=103350914307274
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1337

8. Contact:

The Red Hat security contact is . More contact details at http://www.redhat.com/solutions/security/news/contact.html

Copyright 2003 Red Hat, Inc.

From nathan at TCPNETWORKS.NET Mon Mar 3 18:17:00 2003
From: nathan at TCPNETWORKS.NET (Nathan Johanson)
Date: Thu Jan 12 21:17:22 2006
Subject: [RHSA-2003:073-06] Updated sendmail packages fix critical security issues
Message-ID:

Thanks for the post! That was timely.

--
Sincerely,

Nathan Johanson
Email: nathan@tcpnetworks.net

-----Original Message-----
From: Richard, Matt [mailto:matthew.richard@COCC.COM]
Sent: Monday, March 03, 2003 9:49 AM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: FW: [RHSA-2003:073-06] Updated sendmail packages fix critical security issues

For those who have not already seen the advisory. It appears to affect sendmail on many different platforms.

Matt Richard

-----Original Message-----
From: bugzilla@redhat.com [mailto:bugzilla@redhat.com]
Sent: Monday, March 03, 2003 12:05 PM
To: redhat-watch-list@redhat.com; redhat-announce-list@redhat.com
Subject: [RHSA-2003:073-06] Updated sendmail packages fix critical security issues

From mailscanner at LISTS.COM.AR Mon Mar 3 18:36:39 2003
From: mailscanner at LISTS.COM.AR (Mariano Absatz)
Date: Thu Jan 12 21:17:22 2006
Subject: [RHSA-2003:073-06] Updated sendmail packages fix critical security issues
In-Reply-To:
Message-ID: <3E637687.12743.582F272B@localhost>

As Matt said, it not only affects RedHat (or Linux, for that matter):
http://www.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=21950
http://www.cert.org/advisories/CA-2003-07.html

See http://sendmail.org/8.12.8.html for new version/patches

It seems that, after 5 or 6 years (not counting last year's trojan distro) sendmail security bugs are back in action... :-(

On 3 Mar 2003 at 10:17, Nathan Johanson wrote:

> Thanks for the post! That was timely.
>
> --
> Sincerely,
>
> Nathan Johanson
> Email: nathan@tcpnetworks.net
>
>
> -----Original Message-----
> From: Richard, Matt [mailto:matthew.richard@COCC.COM]
> Sent: Monday, March 03, 2003 9:49 AM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: FW: [RHSA-2003:073-06] Updated sendmail packages fix critical
> security issues
>
>
> For those who have not already seen the advisory. It appears to affect
> sendmail on many different platforms.
>
> Matt Richard
>
> -----Original Message-----
> From: bugzilla@redhat.com [mailto:bugzilla@redhat.com] > Sent: Monday, March 03, 2003 12:05 PM > To: redhat-watch-list@redhat.com; redhat-announce-list@redhat.com > Subject: [RHSA-2003:073-06] Updated sendmail packages fix critical > security > issues > > > --------------------------------------------------------------------- > Red Hat, Inc. Red Hat Security Advisory > > Synopsis: Updated sendmail packages fix critical security > issues > Advisory ID: RHSA-2003:073-06 > Issue date: 2003-02-07 > Updated on: 2003-03-03 > Product: Red Hat Linux > Keywords: sendmail smrsh security bug > Cross references: > Obsoletes: RHSA-2002:106 > CVE Names: CAN-2002-1337 > --------------------------------------------------------------------- > > 1. Topic: > > Updated Sendmail packages are available to fix a vulnerability that > may allow remote attackers to gain root privileges by sending a > carefully crafted message. > > These packages also fix a security bug if sendmail is configured to use > smrsh. > > 2. Relevant releases/architectures: > > Red Hat Linux 6.2 - i386 > Red Hat Linux 7.0 - i386 > Red Hat Linux 7.1 - i386 > Red Hat Linux 7.2 - i386, ia64 > Red Hat Linux 7.3 - i386 > Red Hat Linux 8.0 - i386 > > 3. Problem description: > > Sendmail is a widely used Mail Transport Agent (MTA) which is included > in all Red Hat Linux distributions. > > During a code audit of Sendmail by ISS, a critical vulnerability was > uncovered that affects unpatched versions of Sendmail prior to version > 8.12.8. A remote attacker can send a carefully crafted email message > which, when processed by sendmail, causes arbitrary code to be > executed as root. > > We are advised that a proof-of-concept exploit is known to exist, but > is not believed to be in the wild. > > Since this is a message-based vulnerability, MTAs other than Sendmail > may pass on the carefully crafted message. 
This means that unpatched > versions of Sendmail inside a network could still be at risk even if > they do not accept external connections directly. > > In addition, the restricted shell (SMRSH) in Sendmail allows attackers > to > bypass the intended restrictions of smrsh by inserting additional > commands > after "||" sequences or "/" characters, which are not properly filtered > or > verified. A successful attack would allow an attacker who has a local > account on a system which has explicitly enabled smrsh to execute > arbitrary > binaries as themselves by utilizing their .forward file. > > All users are advised to update to these erratum packages. For Red Hat > Linux 8.0 we have included Sendmail version 8.12.8 which is not > vulnerable > to these issues. For all other distributions we have included a > backported > patch which corrects these vulnerabilities. > > Red Hat would like to thank Eric Allman for his assistance with this > vulnerability. > > 4. Solution: > > Before applying this update, make sure all previously released errata > relevant to your system have been applied. > > To update all RPMs for your particular architecture, run: > > rpm -Fvh [filenames] > > where [filenames] is a list of the RPMs you wish to upgrade. Only those > RPMs which are currently installed will be updated. Those RPMs which > are > not installed but included in the list will not be updated. Note that > you > can also use wildcards (*.rpm) if your current directory *only* contains > the > desired RPMs. > > Please note that this update is also available via Red Hat Network. > Many > people find this an easier way to apply updates. To use Red Hat > Network, > launch the Red Hat Update Agent with the following command: > > up2date > > This will start an interactive process that will result in the > appropriate > RPMs being upgraded on your system. > > 5.
RPMs required: > > Red Hat Linux 6.2: > > SRPMS: > ftp://updates.redhat.com/6.2/en/os/SRPMS/sendmail-8.11.6-1.62.2.src.rpm > > i386: > ftp://updates.redhat.com/6.2/en/os/i386/sendmail-8.11.6-1.62.2.i386.rpm > ftp://updates.redhat.com/6.2/en/os/i386/sendmail-cf-8.11.6-1.62.2.i386.r > pm > ftp://updates.redhat.com/6.2/en/os/i386/sendmail-doc-8.11.6-1.62.2.i386. > rpm > > Red Hat Linux 7.0: > > SRPMS: > ftp://updates.redhat.com/7.0/en/os/SRPMS/sendmail-8.11.6-23.70.src.rpm > > i386: > ftp://updates.redhat.com/7.0/en/os/i386/sendmail-8.11.6-23.70.i386.rpm > ftp://updates.redhat.com/7.0/en/os/i386/sendmail-cf-8.11.6-23.70.i386.rp > m > ftp://updates.redhat.com/7.0/en/os/i386/sendmail-devel-8.11.6-23.70.i386 > .rpm > ftp://updates.redhat.com/7.0/en/os/i386/sendmail-doc-8.11.6-23.70.i386.r > pm > > Red Hat Linux 7.1: > > SRPMS: > ftp://updates.redhat.com/7.1/en/os/SRPMS/sendmail-8.11.6-23.71.src.rpm > > i386: > ftp://updates.redhat.com/7.1/en/os/i386/sendmail-8.11.6-23.71.i386.rpm > ftp://updates.redhat.com/7.1/en/os/i386/sendmail-cf-8.11.6-23.71.i386.rp > m > ftp://updates.redhat.com/7.1/en/os/i386/sendmail-devel-8.11.6-23.71.i386 > .rpm > ftp://updates.redhat.com/7.1/en/os/i386/sendmail-doc-8.11.6-23.71.i386.r > pm > > Red Hat Linux 7.2: > > SRPMS: > ftp://updates.redhat.com/7.2/en/os/SRPMS/sendmail-8.11.6-23.72.src.rpm > > i386: > ftp://updates.redhat.com/7.2/en/os/i386/sendmail-8.11.6-23.72.i386.rpm > ftp://updates.redhat.com/7.2/en/os/i386/sendmail-cf-8.11.6-23.72.i386.rp > m > ftp://updates.redhat.com/7.2/en/os/i386/sendmail-devel-8.11.6-23.72.i386 > .rpm > ftp://updates.redhat.com/7.2/en/os/i386/sendmail-doc-8.11.6-23.72.i386.r > pm > > ia64: > ftp://updates.redhat.com/7.2/en/os/ia64/sendmail-8.11.6-23.72.ia64.rpm > ftp://updates.redhat.com/7.2/en/os/ia64/sendmail-cf-8.11.6-23.72.ia64.rp > m > ftp://updates.redhat.com/7.2/en/os/ia64/sendmail-devel-8.11.6-23.72.ia64 > .rpm > ftp://updates.redhat.com/7.2/en/os/ia64/sendmail-doc-8.11.6-23.72.ia64.r > pm > > Red Hat 
Linux 7.3: > > SRPMS: > ftp://updates.redhat.com/7.3/en/os/SRPMS/sendmail-8.11.6-23.73.src.rpm > > i386: > ftp://updates.redhat.com/7.3/en/os/i386/sendmail-8.11.6-23.73.i386.rpm > ftp://updates.redhat.com/7.3/en/os/i386/sendmail-cf-8.11.6-23.73.i386.rp > m > ftp://updates.redhat.com/7.3/en/os/i386/sendmail-devel-8.11.6-23.73.i386 > .rpm > ftp://updates.redhat.com/7.3/en/os/i386/sendmail-doc-8.11.6-23.73.i386.r > pm > > Red Hat Linux 8.0: > > SRPMS: > ftp://updates.redhat.com/8.0/en/os/SRPMS/sendmail-8.12.8-1.80.src.rpm > > i386: > ftp://updates.redhat.com/8.0/en/os/i386/sendmail-8.12.8-1.80.i386.rpm > ftp://updates.redhat.com/8.0/en/os/i386/sendmail-cf-8.12.8-1.80.i386.rpm > ftp://updates.redhat.com/8.0/en/os/i386/sendmail-devel-8.12.8-1.80.i386. > rpm > ftp://updates.redhat.com/8.0/en/os/i386/sendmail-doc-8.12.8-1.80.i386.rp > m > > > > 6. Verification: > > MD5 sum Package Name > > > These packages are GPG signed by Red Hat, Inc. for security.
Our key > is available at http://www.redhat.com/about/contact/pgpkey.html > > You can verify each package with the following command: > > rpm --checksig -v > > If you only wish to verify that each package has not been corrupted or > tampered with, examine only the md5sum with the following command: > > md5sum > > > 7. References: > > http://www.cert.org/advisories/CA-2003-07.html > http://marc.theaimsgroup.com/?l=bugtraq&m=103350914307274 > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1337 > > 8. Contact: > > The Red Hat security contact is . More contact > details at http://www.redhat.com/solutions/security/news/contact.html > > Copyright 2003 Red Hat, Inc. -- Mariano Absatz El Baby ---------------------------------------------------------- Quote me as saying I was misquoted. -- Groucho Marx From mailscanner at ecs.soton.ac.uk Mon Mar 3 19:10:19 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:22 2006 Subject: confusing spam rules In-Reply-To: <3E63924E.42025919@ucalgary.ca> Message-ID: <5.2.0.9.2.20030303190538.0268fed8@imap.ecs.soton.ac.uk> At 17:35 03/03/2003, you wrote: >We plan to use MailScanner to tag the spam messages. After >a few tests, I found the spam rules in MailScanner are very >confusing. > > In /etc/MailScanner/MailScanner.conf: > >---------------------------------------------------------------------------- > > Is Definitely Not Spam = /etc/MailScanner/rules/spam.whitelist.rules > > Is Definitely Spam = /etc/MailScanner/rules/spam.blacklist.rules > >1) Domain name does not match but ip address matches > > I configured a host name in >/etc/MailScanner/rules/spam.blacklist.rules > and sent a message from the machine, the message did not match the >rule. > Then I replaced the hostname with its IP address and sent the same > message again from the same machine, it matched the spam rule. > > cat /etc/MailScanner/rules/spam.whitelist.rules > FromTo: default no > > cat /etc/MailScanner/rules/spam.blacklist.rules 
> From: /lms5.acs.ucalgary.ca/ yes > FromTo: default no If it is a name in the pattern, then it is checking the envelope sender of the message, whereas a numerical test will check the other end of the SMTP connection. >2) wildcard(*) sometimes works, sometimes not > > The black list rule "To: fs50*@ucalgary.ca yes" does not match > a message to fs501@ucalgary.ca. But the black list rule "From: > fs50*@ucalgary.ca yes" matches a message from fs501@ucalgary.ca. Don't understand that at all. Suggest you re-check your tests. All the rulesets are built from exactly the same code, so they must behave the same. -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Mon Mar 3 19:16:33 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:22 2006 Subject: Attachments - packed files In-Reply-To: <200303031747.h23HlDQ04148@mail.getnet.cz> Message-ID: <5.2.0.9.2.20030303191312.027f1f68@imap.ecs.soton.ac.uk> At 17:47 03/03/2003, you wrote: >Julian Field wrote .. > > At 15:37 03/03/2003, you wrote: > > > I want to just make sure that MailScanner doesn't unpack > > >attachments with a corresponding external program. Why am I asking? > > >Some antivirus scanners aren't perfect and I want to unpack all the > > >compressed attachments for them and then let them scan the unpacked > > >files. Has anybody written such hack or his own antivirus wrapper? > > > > All the decent anti-virus programs unpack every common archive format > > already. If your scanning engine doesn't unpack archives, then I suggest > > you buy a better one :-) > > You are quite correct, MailScanner doesn't unpack archives (as it doesn't > > need to). > > -- > > Julian Field > > www.MailScanner.info > > MailScanner thanks transtec Computers for their support > >To be honest, even those decent antivirus programs aren't perfect. >The majority of the programs are black boxes, you just believe that >it works. MailScanner is a nice program and maybe it would be nice >to have a separate layer for unpacking, where you can control for >example the nesting depth and prevent various DoS attacks. MailScanner is already protected against this type of DoS attack. The famous "zip of death" causes no problem at all. > Then you >just keep the unpacking utilities up-to-date. I'm surprised that >nobody has attempted to program such thing. It's actually quite difficult, as you can't rely on the filename to be honest about the compression type, so you would have to try all the decompressors in turn and find which one works. And then you open yourself up to all sorts of attacks including malicious filenames in the archives which the decompressors don't check properly. 
Keeping it all in the memory of the virus scanner is a *whole lot* safer. And the decent virus scanners can unpack virtually everything that a user can unpack. -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support From kwang at UCALGARY.CA Mon Mar 3 19:31:27 2003 From: kwang at UCALGARY.CA (Kai Wang) Date: Thu Jan 12 21:17:22 2006 Subject: confusing spam rules References: <5.2.0.9.2.20030303190538.0268fed8@imap.ecs.soton.ac.uk> Message-ID: <3E63AD8F.8066AD97@ucalgary.ca> Thank you for your reply, Julian. Is it possible to check a name against the SMTP connection in the next version? We are running a spam bouncing program for incoming. We have more than 1000 entries of the domain name rules (most of them have wildcards). We plan to migrate the rules to MailScanner. This is really important to us. Kai Julian Field wrote: > At 17:35 03/03/2003, you wrote: > >We plan to use MailScanner to tag the spam messages. After > >a few tests, I found the spam rules in MailScanner are very > >confusing. > > > > In /etc/MailScanner/MailScanner.conf: > > > >---------------------------------------------------------------------------- > > > > Is Definitely Not Spam = /etc/MailScanner/rules/spam.whitelist.rules > > > > Is Definitely Spam = /etc/MailScanner/rules/spam.blacklist.rules > > > >1) Domain name does not match but ip address matches > > > > I configured a host name in > >/etc/MailScanner/rules/spam.blacklist.rules > > and sent a message from the machine, the message did not match the > >rule. > > Then I replaced the hostname with its IP address and sent the same > > message again from the same machine, it matched the spam rule. > > > > cat /etc/MailScanner/rules/spam.whitelist.rules > > FromTo: default no > > > > cat /etc/MailScanner/rules/spam.blacklist.rules
> > From: /lms5.acs.ucalgary.ca/ yes > > FromTo: default no > > If it is a name in the pattern, then it is checking the envelope sender of > the message, whereas a numerical test will check the other end of the SMTP > connection. > > >2) wildcard(*) sometimes works, sometimes not > > > > The black list rule "To: fs50*@ucalgary.ca yes" does not match > > a message to fs501@ucalgary.ca. But the black list rule "From: > > fs50*@ucalgary.ca yes" matches a message from fs501@ucalgary.ca. > > Don't understand that at all. Suggest you re-check your tests. All the > rulesets are built from exactly the same code, so they must behave the same. > -- > Julian Field > www.MailScanner.info > Professional Support Services at www.MailScanner.biz > MailScanner thanks transtec Computers for their support From mailscanner at LISTS.COM.AR Mon Mar 3 19:58:06 2003 From: mailscanner at LISTS.COM.AR (Mariano Absatz) Date: Thu Jan 12 21:17:22 2006 Subject: MS vs. Trend Message-ID: <3E63899F.16595.5879BE34@localhost> Hi there, I'm faced with making a "business case" of "mailscanner+some commercial av" against trend micro "complete antivirus/antispam/whatever solution"... I wonder if anyone out there has some input for it... TIA -- Mariano Absatz El Baby ---------------------------------------------------------- It's hard to be humble when you're perfect. From simon at ADVANTAGE-INTERACTIVE.COM Mon Mar 3 20:02:11 2003
From: simon at ADVANTAGE-INTERACTIVE.COM (Simon Dick) Date: Thu Jan 12 21:17:22 2006 Subject: Attachments - packed files In-Reply-To: <5.2.0.9.2.20030303191312.027f1f68@imap.ecs.soton.ac.uk> References: <5.2.0.9.2.20030303191312.027f1f68@imap.ecs.soton.ac.uk> Message-ID: <1046721730.628.1.camel@laptop.internal.irrelevant.org> On Mon, 2003-03-03 at 19:16, Julian Field wrote: > At 17:47 03/03/2003, you wrote: > >Julian Field wrote .. > > > At 15:37 03/03/2003, you wrote: > > > > I want to just make sure that MailScanner doesn't unpack > > > >attachments with a corresponding external program. Why am I asking? > > > >Some antivirus scanners aren't perfect and I want to unpack all the > > > >compressed attachments for them and then let them scan the unpacked > > > >files. Has anybody written such hack or his own antivirus wrapper? > > > > > > All the decent anti-virus programs unpack every common archive format > > > already. If your scanning engine doesn't unpack archives, then I suggest > > > you buy a better one :-) > > > You are quite correct, MailScanner doesn't unpack archives (as it doesn't > > > need to). > > > -- > > > Julian Field > > > www.MailScanner.info > > > MailScanner thanks transtec Computers for their support > > > >To be honest, even those decent antivirus programs aren't perfect. > >The majority of the programs are black boxes, you just believe that > >it works. MailScanner is a nice program and maybe it would be nice > >to have a separate layer for unpacking, where you can control for > >example the nesting depth and prevent various DoS attacks. > > MailScanner is already protected against this type of DoS attack. The > famous "zip of death" causes no problem at all. Until you get to the virus scanners checking it, I've tried that 42.zip file with my install of mailscanner (not the latest version now, but it was at the time) and both f-prot and clamav used most of the cpu time. 
Shame there's no way to detect the zip file before passing it through :| -- Simon Dick From mailscanner at ecs.soton.ac.uk Mon Mar 3 20:07:18 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:22 2006 Subject: MS vs. Trend In-Reply-To: <3E63899F.16595.5879BE34@localhost> Message-ID: <5.2.0.9.2.20030303200318.0268b540@imap.ecs.soton.ac.uk> At 19:58 03/03/2003, you wrote: >Hi there, > >I'm faced with making a "business case" of "mailscanner+some commercial av" >against trend micro "complete antivirus/antispam/whatever solution"... I >wonder if anyone out there have some input for it... Short of simply comparing the price, I can probably produce some evidence tomorrow in the office. I have the white paper that MessageLabs released describing why you should use their service. If you knock off the price of their service, you end up with even bigger savings. Have you any more info on what I should be concentrating? The more info the better. The price is easily taken care of. F-Prot is very good and costs $300 per server, + the cost of a little PC to run it all on. How much have you been quoted for Trend Micro's system? Feel free to mail me off-list to stop numbers becoming public knowledge. -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support From craig at STRONG-BOX.NET Mon Mar 3 20:20:11 2003 
From: craig at STRONG-BOX.NET (Craig Pratt) Date: Thu Jan 12 21:17:22 2006 Subject: Attachments - packed files In-Reply-To: <1046721730.628.1.camel@laptop.internal.irrelevant.org> Message-ID: <88EEB8DC-4DB5-11D7-882D-000393B9390A@strong-box.net> I just tested RAV AV with the infamous 42.zip file and it doesn't seem to faze it. It must incorporate some kind of heuristic to limit how much archive decompression it does. The output it produces is: RAV AntiVirus command line for Linux i686. Version: 8.3.1. Copyright (c) 1996-2001 GeCAD The Software Company. All rights reserved. Scan engine 8.11 for i386. Last update: Mon Mar 3 09:18:44 2003 Scanning for 77551 malwares (viruses, trojans and worms). Scan started on Mon Mar 3 12:09:36 2003 42.zip - OK 42.zip->lib 3.zip - OK 42.zip->lib 3.zip->book 3.zip - OK 42.zip->lib 3.zip->book 3.zip->chapter 4.zip - OK 42.zip->lib 3.zip->book 3.zip->chapter 4.zip->doc 0.zip - OK Scan ended on Mon Mar 3 12:09:36 2003 Scan results: Time: 0 second(s). Objects scanned: 5. New objects: 5 Infected: 0. Different virus bodies: 0. Files: 1. Directories: 0. Archives: 5. Packed: 0. Mail files: 0. Warnings: 0. Yet it does work with a nasty zip I created with 3 EICAR test files: eicar.zip.zip.zip.zip - OK eicar.zip.zip.zip.zip->eicar.com Infected: EICAR_Test_File eicar.zip.zip.zip.zip->eicar.zip.zip.zip - OK eicar.zip.zip.zip.zip->eicar.zip.zip.zip->eicar.zip.zip - OK eicar.zip.zip.zip.zip->eicar.zip.zip.zip->eicar.zip.zip->eicar.zip - OK eicar.zip.zip.zip.zip->eicar.zip.zip.zip->eicar.zip.zip->eicar.zip- >eicar.com Infected: EICAR_Test_File eicar.zip.zip.zip.zip->eicar.zip.zip.zip->eicar.com Infected: EICAR_Test_File Time: real 0m1.440s user 0m1.330s sys 0m0.090s So I'd say RAV's doing a good job - FWIW. Craig On Monday, March 3, 2003, at 12:02 PM, Simon Dick wrote: > On Mon, 2003-03-03 at 19:16, Julian Field wrote: >> At 17:47 03/03/2003, you wrote: >>> Julian Field wrote ..
>>>> At 15:37 03/03/2003, you wrote: >>>>> I want to just make sure that MailScanner doesn't unpack >>>>> attachments with a corresponding external program. Why am I asking? >>>>> Some antivirus scanners aren't perfect and I want to unpack all the >>>>> compressed attachments for them and then let them scan the unpacked >>>>> files. Has anybody written such hack or his own antivirus wrapper? >>>> >>>> All the decent anti-virus programs unpack every common archive >>>> format >>>> already. If your scanning engine doesn't unpack archives, then I >>>> suggest >>>> you buy a better one :-) >>>> You are quite correct, MailScanner doesn't unpack archives (as it >>>> doesn't >>>> need to). >>>> -- >>>> Julian Field >>>> www.MailScanner.info >>>> MailScanner thanks transtec Computers for their support >>> >>> To be honest, even those decent antivirus programs aren't perfect. >>> The majority of the programs are black boxes, you just believe that >>> it works. MailScanner is a nice program and maybe it would be nice >>> to have a separate layer for unpacking, where you can control for >>> example the nesting depth and prevent various DoS attacks. >> >> MailScanner is already protected against this type of DoS attack. The >> famous "zip of death" causes no problem at all. > > Until you get to the virus scanners checking it, I've tried that 42.zip > file with my install of mailscanner (not the latest version now, but it > was at the time) and both f-prot and clamav used most of the cpu time. > Shame there's no way to detect the zip file before passing it through > :| > > -- > Simon Dick > > -- > This message checked for dangerous content by MailScanner on StrongBox. > -- This message checked for dangerous content by MailScanner on StrongBox. From Kevin.Spicer at BMRB.CO.UK Mon Mar 3 20:21:09 2003 
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin) Date: Thu Jan 12 21:17:22 2006 Subject: MS vs. Trend Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0A4AD48@pascal.priv.bmrb.co.uk> > > Hi there, > > I'm faced with making a "business case" of "mailscanner+some > commercial av" > against trend micro "complete antivirus/antispam/whatever > solution"... I > wonder if anyone out there has some input for it... > Well I'd start by analysing the speed with which bugs are fixed! (seriously have a look through the list and you'll see!). Argue that the money you spend on the virus vendor's mail scanning tool would be better spent on a second AV product - so you can run MailScanner with two virus scanners for better protection, (throw in clam for free and you've got 3 scanners(!)). What about spamassassin integration? The flexibility of rulesets? The extensibility with CustomConfig. Proven reliability. Commercial support options (if that's the worry). Take a look at the list of organisations using MailScanner (on the website). What about the opinions of real users - here's one, "It rocks" (and you can quote me on that!). In future years you can shop around for the best deal on scanning engines without the worry of having to rebuild your mailserver. Take another angle - what benefits does the commercial product offer that MS doesn't to justify its price? BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business.
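The "Attachments - packed files" messages above ask for a layer that limits nesting depth and spots a "zip of death" before the virus scanners spend CPU on it, and note that filenames and archive member names cannot be trusted. The following is an added sketch of such a gate in Python, not code from MailScanner or from any scanner mentioned in the thread: it walks a ZIP in memory, recognises nested archives by content, and stops at the first limit exceeded. The `Limits` values, all function names and the sample archives are assumptions constructed for illustration.

```python
"""Pre-scan gate for ZIP attachments, run before any virus scanner sees them."""
import io
import zipfile
from dataclasses import dataclass


@dataclass(frozen=True)
class Limits:
    # Assumed policy values for this example; they are not MailScanner settings.
    max_depth: int = 4                      # layers of archive inside archive
    max_total_bytes: int = 8 * 1024 * 1024  # uncompressed, whole attachment
    max_ratio: int = 200                    # uncompressed:compressed, per member
    max_members: int = 1000                 # entries, whole attachment


class ArchiveRejected(Exception):
    """The attachment broke a limit and should not reach the scanners."""


def unsafe_name(name):
    """True for member names that would escape an unpack directory."""
    parts = name.replace("\\", "/").split("/")
    return (name.startswith(("/", "\\")) or ".." in parts
            or (len(name) > 1 and name[1] == ":"))


def read_bounded(zf, info, limits, budget):
    """Decompress one member in 64 KiB chunks, stopping at the first limit hit."""
    out = bytearray()
    with zf.open(info) as fh:
        while chunk := fh.read(64 * 1024):
            out += chunk
            budget["bytes"] += len(chunk)
            if budget["bytes"] > limits.max_total_bytes:
                raise ArchiveRejected("total uncompressed size over limit")
            if len(out) > limits.max_ratio * max(info.compress_size, 1):
                raise ArchiveRejected("compression ratio over limit: " + info.filename)
    return bytes(out)


def inspect(data, limits=Limits(), path="attachment", depth=0, budget=None):
    """Return every member path ('a.zip->b.zip->file') or raise ArchiveRejected."""
    budget = {"bytes": 0, "members": 0} if budget is None else budget
    if depth >= limits.max_depth:
        raise ArchiveRejected("nesting deeper than %d layers" % limits.max_depth)
    seen = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                budget["members"] += 1
                if budget["members"] > limits.max_members:
                    raise ArchiveRejected("too many members")
                if unsafe_name(info.filename):
                    raise ArchiveRejected("unsafe member name: " + info.filename)
                full = path + "->" + info.filename
                seen.append(full)
                if info.is_dir():
                    continue
                body = read_bounded(zf, info, limits, budget)
                # Decide by content; the filename's extension is not trusted.
                if zipfile.is_zipfile(io.BytesIO(body)):
                    seen += inspect(body, limits, full, depth + 1, budget)
    except (zipfile.BadZipFile, NotImplementedError, RuntimeError) as exc:
        # Corrupt data, unsupported compression method, or encrypted member.
        raise ArchiveRejected("cannot inspect %s: %s" % (path, exc)) from exc
    return seen


def verdict(data, limits=Limits()):
    """('pass', member_paths) or ('reject', reason) for one attachment."""
    try:
        return ("pass", inspect(data, limits))
    except ArchiveRejected as exc:
        return ("reject", str(exc))


def make_zip(members):
    """Build a deflated ZIP in memory from {name: bytes} (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, body in members.items():
            zf.writestr(name, body)
    return buf.getvalue()


def nested(layers):
    """A harmless text file wrapped in `layers` ZIP layers (constructed sample)."""
    data = make_zip({"note.txt": b"harmless placeholder\n"})
    for _ in range(layers - 1):
        data = make_zip({"layer.zip": data})
    return data


if __name__ == "__main__":
    samples = {
        "4 layers": nested(4),
        "5 layers": nested(5),
        "4 MiB of zeros": make_zip({"page.bin": b"\0" * (4 << 20)}),
        "parent-directory name": make_zip({"../../outside/scan-dir.txt": b"x"}),
    }
    for label, blob in samples.items():
        status, detail = verdict(blob)
        print("%-22s %-6s %s" % (label, status, detail))
```

Because nothing is written to disk and every member is read through `read_bounded`, the cost of a hostile archive is capped by `Limits` rather than by the scanner's timeout.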
From jrudd at UCSC.EDU Mon Mar 3 20:38:29 2003 From: jrudd at UCSC.EDU (John Rudd) Date: Thu Jan 12 21:17:22 2006 Subject: rfc822 format Message-ID: <200303032038.h23KcTw08419@kzin.ucsc.edu> Is it currently possible to have mailscanner take its incoming queue messages in rfc822 format instead of sendmail mailqueue format? If it's not, can that be added as a feature? From miguelk at KONSULTEX.COM.BR Mon Mar 3 20:40:47 2003 From: miguelk at KONSULTEX.COM.BR (Miguel Koren OBrien de Lacy) Date: Thu Jan 12 21:17:22 2006 Subject: MS vs. Trend In-Reply-To: <3E63899F.16595.5879BE34@localhost> References: <3E63899F.16595.5879BE34@localhost> Message-ID: <20030303204047.M87338@konsultex.com.br> Mariano; If your comparison is based in Argentina, I would say that at the moment the price (initial and ongoing...) comparison is far more important than appears at first ;-) As Kevin said, I can see absolutely no benefit in a Trend solution. 1) virus catching performance = depends on the engine (is Trend that good?) 2) spam = SpamAssassin is state of the art 3) administration = MailScanner is 'set and forget' (unless you use Sophos) We have been running MailScanner (also in Brazil) for about 2 years and the performance, bug fixes, additional tools, etc. have been excellent. We saved a bundle and have not had any problems. We are currently evaluating the use of CLAM to eliminate any cost whatsoever. If you would like system support with this in Buenos Aires let me know by separate mail. Miguel -- Konsultex Informatica (http://www.konsultex.com.br) ---------- Original Message -----------
From: Mariano Absatz To: MAILSCANNER@JISCMAIL.AC.UK Sent: Mon, 3 Mar 2003 16:58:06 -0300 Subject: MS vs. Trend > Hi there, > > I'm faced with making a "business case" of "mailscanner+some commercial av" > against trend micro "complete antivirus/antispam/whatever solution"... I > wonder if anyone out there has some input for it... > > TIA > > -- > Mariano Absatz > El Baby > ---------------------------------------------------------- > It's hard to be humble when you're perfect. ------- End of Original Message ------- From Kevin.Spicer at BMRB.CO.UK Mon Mar 3 20:50:08 2003 From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin) Date: Thu Jan 12 21:17:22 2006 Subject: [RHSA-2003:073-06] Updated sendmail packages fix critical sec urity issues Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0EBF43C@pascal.priv.bmrb.co.uk> Thanks for that! One little gotcha to look out for... I just upgraded the rpms on my Mandrake box and the postinstall script kicked off a new sendmail process, bypassing MailScanner (Whoops!). Dunno if this happens with other packages but it's worth checking! > -----Original Message-----
> From: Richard, Matt [mailto:matthew.richard@COCC.COM] > Sent: Monday, March 03, 2003 9:49 AM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: FW: [RHSA-2003:073-06] Updated sendmail packages fix critical > sec urity issues > > > For those who have not already seen the advisory. It appears > to affect > sendmail on many different platforms. > > BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. From mailscanner at ecs.soton.ac.uk Mon Mar 3 20:56:47 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:22 2006 Subject: rfc822 format In-Reply-To: <200303032038.h23KcTw08419@kzin.ucsc.edu> Message-ID: <5.2.0.9.2.20030303204226.027e2490@imap.ecs.soton.ac.uk> At 20:38 03/03/2003, you wrote: >Is it currently possible to have mailscanner take its incoming queue >messages in rfc822 format instead of sendmail mailqueue format? > >If it's not, can that be added as a feature? It's not there yet, but it could well appear once the postfix integration has been done. After sorting everything out for postfix (which has 1 file per message vs. sendmail+Exim which have 2) this shouldn't be a hard addition and would create compatibility with some other MTA's. But don't hold your breath, it's going to take a while. Once the support load problems are solved (spent this afternoon writing a business proposal :( I hope to have more time to spend on development. You may have noticed there hasn't been much devel in the past couple of months. I've also got plans for some roll-your-own content filtering. An external program that gets passed the contents of parts of messages so you can do whatever filtering you like. Everything from a "Swedish chef" translator (check out http://www.muppetworld.com/cooking/index.html if you don't know what I mean) to a dirty-picture filter looking for areas of pink. I'll leave it up to you to write the filters (with a few examples to get you started). I've yet to get the protocols sorted out, so that the external program can be run for multiple messages. It needs to be fast! -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Mon Mar 3 20:59:10 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:22 2006 Subject: [RHSA-2003:073-06] Updated sendmail packages fix critical sec urity issues In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB0EBF43C@pascal.priv.bmrb.co .uk> Message-ID: <5.2.0.9.2.20030303205817.027e37b8@imap.ecs.soton.ac.uk> I wouldn't be surprised if the RPMs do a "chkconfig sendmail on" among other things :-( They really should recognise they are being upgraded and not freshly installed and therefore leave your system alone. At 20:50 03/03/2003, you wrote: >Thanks for that! One little gotcha to look out for... I just upgraded the >rpms on my Mandrake box and the postinstall script kicked off a new >sendmail process, bypassing MailScanner (Whoops!). Dunno if this happens >with other packages but it's worth checking! > > > -----Original Message-----
> > From: Richard, Matt [mailto:matthew.richard@COCC.COM] > > Sent: Monday, March 03, 2003 9:49 AM > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: FW: [RHSA-2003:073-06] Updated sendmail packages fix critical > > sec urity issues > > > > > > For those who have not already seen the advisory. It appears > > to affect > > sendmail on many different platforms. > > > > > > > >BMRB International >http://www.bmrb.co.uk >+44 (0)20 8566 5000 >_________________________________________________________________ >This message (and any attachment) is intended only for the >recipient and may contain confidential and/or privileged >material. If you have received this in error, please contact the >sender and delete this message immediately. Disclosure, copying >or other action taken in respect of this email or in >reliance on it is prohibited. BMRB International Limited >accepts no liability in relation to any personal emails, or >content of any email which does not directly relate to our >business. -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Mon Mar 3 20:41:18 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:22 2006
Subject: Attachments - packed files
In-Reply-To: <88EEB8DC-4DB5-11D7-882D-000393B9390A@strong-box.net>
References: <1046721730.628.1.camel@laptop.internal.irrelevant.org>
Message-ID: <5.2.0.9.2.20030303204012.0281ff80@imap.ecs.soton.ac.uk>

At 20:20 03/03/2003, you wrote:
>I just tested RAV AV with the infamous 42.zip file and it doesn't seem
>to faze it.

Great. The other ones tend to consume CPU time until MailScanner comes
along and kills them for taking too long.

>It must incorporate some kind of heuristic to limit how much archive
>decompression it does. The output it produces is:
>
> RAV AntiVirus command line for Linux i686.
> Version: 8.3.1.
> Copyright (c) 1996-2001 GeCAD The Software Company. All rights reserved.
>
> Scan engine 8.11 for i386.
> Last update: Mon Mar 3 09:18:44 2003
> Scanning for 77551 malwares (viruses, trojans and worms).
>
> Scan started on Mon Mar 3 12:09:36 2003
>
> 42.zip - OK
> 42.zip->lib 3.zip - OK
> 42.zip->lib 3.zip->book 3.zip - OK
> 42.zip->lib 3.zip->book 3.zip->chapter 4.zip - OK
> 42.zip->lib 3.zip->book 3.zip->chapter 4.zip->doc 0.zip - OK
>
> Scan ended on Mon Mar 3 12:09:36 2003
>
> Scan results:
> Time: 0 second(s).
> Objects scanned: 5. New objects: 5
> Infected: 0. Different virus bodies: 0.
> Files: 1. Directories: 0. Archives: 5. Packed: 0. Mail files: 0.
> Warnings: 0.
>
>Yet it does work with a nasty zip I created with 3 EICAR test files:
>
> eicar.zip.zip.zip.zip - OK
> eicar.zip.zip.zip.zip->eicar.com Infected: EICAR_Test_File
> eicar.zip.zip.zip.zip->eicar.zip.zip.zip - OK
> eicar.zip.zip.zip.zip->eicar.zip.zip.zip->eicar.zip.zip - OK
> eicar.zip.zip.zip.zip->eicar.zip.zip.zip->eicar.zip.zip->eicar.zip - OK
> eicar.zip.zip.zip.zip->eicar.zip.zip.zip->eicar.zip.zip->eicar.zip->eicar.com Infected: EICAR_Test_File
> eicar.zip.zip.zip.zip->eicar.zip.zip.zip->eicar.com Infected: EICAR_Test_File
>
>Time: real 0m1.440s user 0m1.330s sys 0m0.090s
>
>So I'd say RAV's doing a good job - FWIW.
>
>Craig
>
>On Monday, March 3, 2003, at 12:02 PM, Simon Dick wrote:
>>On Mon, 2003-03-03 at 19:16, Julian Field wrote:
>>>At 17:47 03/03/2003, you wrote:
>>>>Julian Field wrote ..
>>>>>At 15:37 03/03/2003, you wrote:
>>>>>> I want to just make sure that MailScanner doesn't unpack
>>>>>>attachments with a corresponding external program. Why am I asking?
>>>>>>Some antivirus scanners aren't perfect and I want to unpack all the
>>>>>>compressed attachments for them and then let them scan the unpacked
>>>>>>files. Has anybody written such hack or his own antivirus wrapper?
>>>>>
>>>>>All the decent anti-virus programs unpack every common archive format
>>>>>already. If your scanning engine doesn't unpack archives, then I suggest
>>>>>you buy a better one :-)
>>>>>You are quite correct, MailScanner doesn't unpack archives (as it doesn't
>>>>>need to).
>>>>>--
>>>>>Julian Field
>>>>>www.MailScanner.info
>>>>>MailScanner thanks transtec Computers for their support
>>>>
>>>>To be honest, even those decent antivirus programs aren't perfect.
>>>>The majority of the programs are black boxes, you just believe that
>>>>it works. MailScanner is a nice program and maybe it would be nice
>>>>to have a separate layer for unpacking, where you can control for
>>>>example the nesting depth and prevent various DoS attacks.
>>> >>>MailScanner is already protected against this type of DoS attack. The >>>famous "zip of death" causes no problem at all. >> >>Until you get to the virus scanners checking it, I've tried that 42.zip >>file with my install of mailscanner (not the latest version now, but it >>was at the time) and both f-prot and clamav used most of the cpu time. >>Shame there's no way to detect the zip file before passing it through >>:| >> >>-- >>Simon Dick >> >>-- >>This message checked for dangerous content by MailScanner on StrongBox. > > >-- >This message checked for dangerous content by MailScanner on StrongBox. -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support From jwilliam at KCR.UKY.EDU Mon Mar 3 21:08:15 2003 From: jwilliam at KCR.UKY.EDU (John Williams) Date: Thu Jan 12 21:17:22 2006 Subject: [RHSA-2003:073-06] Updated sendmail packages fix critical sec urity issues In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB0EBF43C@pascal.priv.bmrb.co .uk> Message-ID: <5.1.1.5.2.20030303160620.00b96d08@mail.kcr.uky.edu> Didn't happen on Solaris 8 and Sendmail Switch. I patched it to 2.2.5 Took less than 5 min. I appreciate the heads up about Sendmail! John At 08:50 PM 3/3/2003 +0000, you wrote: >Thanks for that! One little gotcha to look out for... I just upgraded the >rpms on my Mandrake box and the postinstall script kicked off a new >sendmail process, bypassing MailScanner (Whoops!). Dunno if this happens >with other packages but its worth checking! > > > -----Original Message----- 
> > From: Richard, Matt [mailto:matthew.richard@COCC.COM] > > Sent: Monday, March 03, 2003 9:49 AM > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: FW: [RHSA-2003:073-06] Updated sendmail packages fix critical > > sec urity issues > > > > > > For those who have not already seen the advisory. It appears > > to effect > > sendmail on many different platforms. > > > > > > > >BMRB International >http://www.bmrb.co.uk >+44 (0)20 8566 5000 >_________________________________________________________________ >This message (and any attachment) is intended only for the >recipient and may contain confidential and/or privileged >material. If you have received this in error, please contact the >sender and delete this message immediately. Disclosure, copying >or other action taken in respect of this email or in >reliance on it is prohibited. BMRB International Limited >accepts no liability in relation to any personal emails, or >content of any email which does not directly relate to our >business. From Harish.Amin at DEG.STATE.WI.US Mon Mar 3 21:22:58 2003 From: Harish.Amin at DEG.STATE.WI.US (Amin, Harish) Date: Thu Jan 12 21:17:22 2006 Subject: [RHSA-2003:073-06] Updated sendmail packages fix critical sec urity issues Message-ID: <47F3EDACE4BC3A4594D0D7B504062BBD019C69E4@doamail04.doa.wistate.us> You mean Sendmail from SUN on Solaris 8 , can you how you went about it -----Original Message----- 
From: John Williams [mailto:jwilliam@KCR.UKY.EDU] Sent: Monday, March 03, 2003 3:08 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: [RHSA-2003:073-06] Updated sendmail packages fix critical sec urity issues Didn't happen on Solaris 8 and Sendmail Switch. I patched it to 2.2.5 Took less than 5 min. I appreciate the heads up about Sendmail! John At 08:50 PM 3/3/2003 +0000, you wrote: >Thanks for that! One little gotcha to look out for... I just upgraded the >rpms on my Mandrake box and the postinstall script kicked off a new >sendmail process, bypassing MailScanner (Whoops!). Dunno if this happens >with other packages but its worth checking! > > > -----Original Message----- > > From: Richard, Matt [mailto:matthew.richard@COCC.COM] > > Sent: Monday, March 03, 2003 9:49 AM > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: FW: [RHSA-2003:073-06] Updated sendmail packages fix critical > > sec urity issues > > > > > > For those who have not already seen the advisory. It appears > > to effect > > sendmail on many different platforms. > > > > > > > >BMRB International >http://www.bmrb.co.uk >+44 (0)20 8566 5000 >_________________________________________________________________ >This message (and any attachment) is intended only for the >recipient and may contain confidential and/or privileged >material. If you have received this in error, please contact the >sender and delete this message immediately. Disclosure, copying >or other action taken in respect of this email or in >reliance on it is prohibited. BMRB International Limited >accepts no liability in relation to any personal emails, or >content of any email which does not directly relate to our >business. From raymond at PROLOCATION.NET Mon Mar 3 21:26:24 2003 
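The "separate layer for unpacking" with a controlled nesting depth, suggested in the "Attachments - packed files" thread above, could look like the following. This is an added example, not MailScanner code and not from any poster; it goes beyond the suggestion by also capping total decompressed bytes and member count. The names `walk_zip`, `ArchiveLimitExceeded` and `build_nested` and all limit values are hypothetical.

```python
import io
import zipfile


class ArchiveLimitExceeded(Exception):
    """Raised when an archive exceeds a configured unpacking limit."""


def _read_capped(zf, info, budget):
    """Decompress one member, refusing to produce more than `budget` bytes."""
    if info.file_size > budget:          # declared size: cheap early reject
        raise ArchiveLimitExceeded(f"{info.filename}: declared size over budget")
    out = bytearray()
    with zf.open(info) as fh:
        while True:
            chunk = fh.read(64 * 1024)
            if not chunk:
                return bytes(out)
            out += chunk
            if len(out) > budget:        # the header understated the real size
                raise ArchiveLimitExceeded(f"{info.filename}: output over budget")


def walk_zip(data, name="attachment.zip", max_depth=4,
             max_total_bytes=1 << 20, max_members=200):
    """List every member as 'outer->inner->file', enforcing all three limits.

    The byte budget is shared across all nesting levels, so many small
    layers cannot add up to unbounded work.
    """
    state = {"bytes": 0, "members": 0}
    paths = []

    def visit(blob, prefix, depth):
        if depth > max_depth:
            raise ArchiveLimitExceeded(f"{prefix}: nested deeper than {max_depth}")
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                state["members"] += 1
                if state["members"] > max_members:
                    raise ArchiveLimitExceeded(f"more than {max_members} members")
                path = f"{prefix}->{info.filename}"
                if info.flag_bits & 0x1:  # encrypted: cannot be inspected
                    paths.append(path + " (encrypted, not opened)")
                    continue
                content = _read_capped(zf, info, max_total_bytes - state["bytes"])
                state["bytes"] += len(content)
                paths.append(path)
                # Decide by content, not by file extension.
                if zipfile.is_zipfile(io.BytesIO(content)):
                    visit(content, path, depth + 1)

    visit(data, name, 1)
    return paths


def build_nested(levels, payload=b"X" * 1000):
    """Constructed sample input: a small, harmless zip nested `levels` deep."""
    blob, member = payload, "doc.txt"
    for i in range(levels):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr(member, blob)
        blob, member = buf.getvalue(), f"layer{i}.zip"
    return blob


if __name__ == "__main__":
    for p in walk_zip(build_nested(3)):
        print(p)
    try:
        walk_zip(build_nested(6), max_depth=4)
    except ArchiveLimitExceeded as exc:
        print("rejected:", exc)
```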
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:17:22 2006
Subject: [RHSA-2003:073-06] Updated sendmail packages fix critical security issues
In-Reply-To: <47F3EDACE4BC3A4594D0D7B504062BBD019C69E4@doamail04.doa.wistate.us>
Message-ID:

Julian,

[root@toverdoos root]# chkconfig --list | grep sendmail
sendmail 0:off 1:off 2:off 3:off 4:off 5:off 6:off
[root@toverdoos root]#

Looks on on my freshly upgraded RH 7.3, let's see on the 7.2 ones:

[root@fallback root]# chkconfig --list | grep sendmail
sendmail 0:off 1:off 2:off 3:off 4:off 5:off 6:off

Same here. Seems it's not touching it at all with 'upgrade'.
At least not on my boxes :)

Bye,
Raymond.

From Denis.Beauchemin at USHERBROOKE.CA Mon Mar 3 21:26:44 2003
From: Denis.Beauchemin at USHERBROOKE.CA (Denis Beauchemin)
Date: Thu Jan 12 21:17:22 2006
Subject: [RHSA-2003:073-06] Updated sendmail packages fix critical security issues
In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB0EBF43C@pascal.priv.bmrb.co.uk>
References: <5C0296D26910694BB9A9BBFC577E7AB0EBF43C@pascal.priv.bmrb.co.uk>
Message-ID: <1046726804.1602.26.camel@dbeauchemin.si.usherbrooke.ca>

Did OK on my RedHat 7.3 systems.

Denis

On Mon 03/03/2003 at 15:50, Spicer, Kevin wrote:
> Thanks for that! One little gotcha to look out for... I just upgraded the rpms on my Mandrake box and the postinstall script kicked off a new sendmail process, bypassing MailScanner (Whoops!). Dunno if this happens with other packages but it's worth checking!
>
> > -----Original Message-----
> > From: Richard, Matt [mailto:matthew.richard@COCC.COM]
> > Sent: Monday, March 03, 2003 9:49 AM
> > To: MAILSCANNER@JISCMAIL.AC.UK
> > Subject: FW: [RHSA-2003:073-06] Updated sendmail packages fix critical
> > security issues
> >
> >
> > For those who have not already seen the advisory. It appears
> > to affect
> > sendmail on many different platforms.
> >
> >
> >
>
> BMRB International
> http://www.bmrb.co.uk
> +44 (0)20 8566 5000
> _________________________________________________________________
> This message (and any attachment) is intended only for the
> recipient and may contain confidential and/or privileged
> material. If you have received this in error, please contact the
> sender and delete this message immediately. Disclosure, copying
> or other action taken in respect of this email or in
> reliance on it is prohibited. BMRB International Limited
> accepts no liability in relation to any personal emails, or
> content of any email which does not directly relate to our
> business.

--
Denis Beauchemin, analyst
Université de Sherbrooke, S.T.I.
T: 819.821.8000x2252 F: 819.821.8045

From craig at STRONG-BOX.NET Mon Mar 3 21:27:35 2003
From: craig at STRONG-BOX.NET (Craig Pratt)
Date: Thu Jan 12 21:17:22 2006
Subject: [RHSA-2003:073-06] Updated sendmail packages fix critical security issues
In-Reply-To: <5.2.0.9.2.20030303205817.027e37b8@imap.ecs.soton.ac.uk>
Message-ID:

I was worried about that too. But I can confirm that the RH update
didn't do that - thankfully:

$ sudo -H up2date -i sendmail sendmail-cf
$ chkconfig --list sendmail
sendmail 0:off 1:off 2:off 3:off 4:off 5:off 6:off

Craig

On Monday, March 3, 2003, at 12:59 PM, Julian Field wrote:
> I wouldn't be surprised if the RPMs do a "chkconfig sendmail on" among
> other things :-(
> They really should recognise they are being upgraded and not freshly
> installed and therefore leave your system alone.
>
> At 20:50 03/03/2003, you wrote:
>> Thanks for that! One little gotcha to look out for... I just upgraded the
>> rpms on my Mandrake box and the postinstall script kicked off a new
>> sendmail process, bypassing MailScanner (Whoops!). Dunno if this happens
>> with other packages but it's worth checking!
>>
>> > -----Original Message-----
>> > From: Richard, Matt [mailto:matthew.richard@COCC.COM] >> > Sent: Monday, March 03, 2003 9:49 AM >> > To: MAILSCANNER@JISCMAIL.AC.UK >> > Subject: FW: [RHSA-2003:073-06] Updated sendmail packages fix >> critical >> > sec urity issues >> > >> > >> > For those who have not already seen the advisory. It appears >> > to effect >> > sendmail on many different platforms. >> > >> > >> >> >> >> BMRB International >> http://www.bmrb.co.uk >> +44 (0)20 8566 5000 >> _________________________________________________________________ >> This message (and any attachment) is intended only for the >> recipient and may contain confidential and/or privileged >> material. If you have received this in error, please contact the >> sender and delete this message immediately. Disclosure, copying >> or other action taken in respect of this email or in >> reliance on it is prohibited. BMRB International Limited >> accepts no liability in relation to any personal emails, or >> content of any email which does not directly relate to our >> business. > > -- > Julian Field > www.MailScanner.info > Professional Support Services at www.MailScanner.biz > MailScanner thanks transtec Computers for their support > > -- > This message checked for dangerous content by MailScanner on StrongBox. > -- This message checked for dangerous content by MailScanner on StrongBox. From jwilliam at KCR.UKY.EDU Mon Mar 3 21:35:21 2003 
From: jwilliam at KCR.UKY.EDU (John Williams) Date: Thu Jan 12 21:17:22 2006 Subject: [RHSA-2003:073-06] Updated sendmail packages fix critical sec urity issues In-Reply-To: <47F3EDACE4BC3A4594D0D7B504062BBD019C69E4@doamail04.doa.wis tate.us> Message-ID: <5.1.1.5.2.20030303162547.00bbae60@mail.kcr.uky.edu> We use a commercial version of Sendmail, Sendmail Switch 2.2. They had a patch that updated it to 2.2.5, which fixes the new bug. We run it on Sun Solaris 8. Sorry, I know that's not much help. At 03:22 PM 3/3/2003 -0600, you wrote: >You mean Sendmail from SUN on Solaris 8 , can you how you went about it > >-----Original Message----- >From: John Williams [mailto:jwilliam@KCR.UKY.EDU] >Sent: Monday, March 03, 2003 3:08 PM >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Re: [RHSA-2003:073-06] Updated sendmail packages fix critical >sec urity issues > > >Didn't happen on Solaris 8 and Sendmail Switch. I patched it to >2.2.5 Took less than 5 min. > >I appreciate the heads up about Sendmail! > >John > >At 08:50 PM 3/3/2003 +0000, you wrote: > >Thanks for that! One little gotcha to look out for... I just upgraded the > >rpms on my Mandrake box and the postinstall script kicked off a new > >sendmail process, bypassing MailScanner (Whoops!). Dunno if this happens > >with other packages but its worth checking! > > > > > -----Original Message----- 
> > > From: Richard, Matt [mailto:matthew.richard@COCC.COM] > > > Sent: Monday, March 03, 2003 9:49 AM > > > To: MAILSCANNER@JISCMAIL.AC.UK > > > Subject: FW: [RHSA-2003:073-06] Updated sendmail packages fix critical > > > sec urity issues > > > > > > > > > For those who have not already seen the advisory. It appears > > > to effect > > > sendmail on many different platforms. > > > > > > > > > > > > > >BMRB International > >http://www.bmrb.co.uk > >+44 (0)20 8566 5000 > >_________________________________________________________________ > >This message (and any attachment) is intended only for the > >recipient and may contain confidential and/or privileged > >material. If you have received this in error, please contact the > >sender and delete this message immediately. Disclosure, copying > >or other action taken in respect of this email or in > >reliance on it is prohibited. BMRB International Limited > >accepts no liability in relation to any personal emails, or > >content of any email which does not directly relate to our > >business. From craig at STRONG-BOX.NET Mon Mar 3 21:43:09 2003 
From: craig at STRONG-BOX.NET (Craig Pratt)
Date: Thu Jan 12 21:17:22 2006
Subject: Warning: SuSE sendmail upgrade turns on sendmail (Was Re: [RHSA-2003:073-06] Updated sendmail packages fix critical security issues)
In-Reply-To: <5.2.0.9.2.20030303205817.027e37b8@imap.ecs.soton.ac.uk>
Message-ID: <2032737F-4DC1-11D7-882D-000393B9390A@strong-box.net>

WARNING: SuSE 8.1 SENDMAIL UPGRADE TURNS ON SENDMAIL AT RUNLEVEL 5

Just upgraded one of our SuSE 8.1 systems. And was watching for this:

$ chkconfig --list sendmail
sendmail 0:off 1:off 2:off 3:off 4:off 5:off 6:off
$ sudo rpm -U sendmail-8.12.6-91.i586.rpm
sendmail 0:off 1:off 2:off 3:on 4:off 5:on 6:off

With sendmail set to run at runlevel 5, it will bypass mailscanner (and
the all-important spam and virus scanning it provides ;^)

Note the remedy:

$ sudo chkconfig sendmail off
$ chkconfig --list sendmail
sendmail 0:off 1:off 2:off 3:off 4:off 5:off 6:off

Craig
craig@strong-box.net

On Monday, March 3, 2003, at 12:59 PM, Julian Field wrote:
> I wouldn't be surprised if the RPMs do a "chkconfig sendmail on" among
> other things :-(
> They really should recognise they are being upgraded and not freshly
> installed and therefore leave your system alone.
>
> At 20:50 03/03/2003, you wrote:
>> Thanks for that! One little gotcha to look out for... I just
>> upgraded the
>> rpms on my Mandrake box and the postinstall script kicked off a new
>> sendmail process, bypassing MailScanner (Whoops!). Dunno if this
>> happens
>> with other packages but its worth checking!
>>
>> > -----Original Message-----
>> > From: Richard, Matt [mailto:matthew.richard@COCC.COM] >> > Sent: Monday, March 03, 2003 9:49 AM >> > To: MAILSCANNER@JISCMAIL.AC.UK >> > Subject: FW: [RHSA-2003:073-06] Updated sendmail packages fix >> critical >> > sec urity issues >> > >> > >> > For those who have not already seen the advisory. It appears >> > to effect >> > sendmail on many different platforms. >> > >> > >> >> >> >> BMRB International >> http://www.bmrb.co.uk >> +44 (0)20 8566 5000 >> _________________________________________________________________ >> This message (and any attachment) is intended only for the >> recipient and may contain confidential and/or privileged >> material. If you have received this in error, please contact the >> sender and delete this message immediately. Disclosure, copying >> or other action taken in respect of this email or in >> reliance on it is prohibited. BMRB International Limited >> accepts no liability in relation to any personal emails, or >> content of any email which does not directly relate to our >> business. > > -- > Julian Field > www.MailScanner.info > Professional Support Services at www.MailScanner.biz > MailScanner thanks transtec Computers for their support > > -- > This message checked for dangerous content by MailScanner on StrongBox. > -- This message checked for dangerous content by MailScanner on StrongBox. From JeremyE at BSA.CA.GOV Mon Mar 3 22:00:22 2003 
From: JeremyE at BSA.CA.GOV (Jeremy Evans)
Date: Thu Jan 12 21:17:22 2006
Subject: New INSTALL.OpenBSD
Message-ID: <2739ECF7268CD0118F50080009DCC9F00235D2DE@pebble.bsa.ca.gov>

Based on some of the changes made in 4.13-3 (no more changes to
check_mailscanner), some bugs in the instructions (updating the symbolic
links), and some reorganization (separate instructions for new installation
vs. upgrade), I've updated the INSTALL.OpenBSD instructions (included below).

Jeremy Evans
Information Systems Analyst
California State Auditor
916-445-0255 phone
916-322-7801 fax

-------------- next part --------------
A non-text attachment was scrubbed...
Name: INSTALL.OpenBSD
Type: application/octet-stream
Size: 2862 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030303/4de2d82d/INSTALL.obj

From Kevin.Spicer at BMRB.CO.UK Mon Mar 3 22:08:57 2003
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin)
Date: Thu Jan 12 21:17:22 2006
Subject: [RHSA-2003:073-06] Updated sendmail packages fix critical security issues
Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0A4AD49@pascal.priv.bmrb.co.uk>

Funnily enough I just upgraded my home box and didn't have a problem -
reading the post install script it looks like the Mandrake rpm runs a
'service sendmail restart' if it finds /var/lock/subsys/sendmail. I guess I
must have killed sendmail at some point when I built the box. chkconfig
didn't turn anything on in either case (just a random sendmail process got
kicked off).

Julian, there seem to be quite regular messages here from people who either
didn't turn sendmail off with chkconfig, or who have random other sendmail
processes running, (or who have packaging systems making random changes!)
perhaps check_MailScanner should check for this?

> -----Original Message-----
> From: Spicer, Kevin > Sent: 03 March 2003 20:50 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: [RHSA-2003:073-06] Updated sendmail packages fix critical > sec urity issues > > > Thanks for that! One little gotcha to look out for... I just > upgraded the rpms on my Mandrake box and the postinstall > script kicked off a new sendmail process, bypassing > MailScanner (Whoops!). Dunno if this happens with other > packages but its worth checking! > > > -----Original Message----- 
> > From: Richard, Matt [mailto:matthew.richard@COCC.COM] > > Sent: Monday, March 03, 2003 9:49 AM > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: FW: [RHSA-2003:073-06] Updated sendmail packages > fix critical > > sec urity issues > > > > > > For those who have not already seen the advisory. It appears > > to effect > > sendmail on many different platforms. > > > > > > > > BMRB International > http://www.bmrb.co.uk > +44 (0)20 8566 5000 > _________________________________________________________________ > This message (and any attachment) is intended only for the > recipient and may contain confidential and/or privileged > material. If you have received this in error, please contact the > sender and delete this message immediately. Disclosure, copying > or other action taken in respect of this email or in > reliance on it is prohibited. BMRB International Limited > accepts no liability in relation to any personal emails, or > content of any email which does not directly relate to our > business. > BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. From steinkel at PA.NET Mon Mar 3 22:22:34 2003 
From: steinkel at PA.NET (Leland J. Steinke) Date: Thu Jan 12 21:17:22 2006 Subject: postfix compatability? References: Message-ID: <3E63D5AA.8010804@pa.net> Peter Bates wrote: > Hello all... > > >>mailscanner@ECS.SOTON.AC.UK 03/01/03 20:02 PM >>> >>Exim is *fairly* easy to configure. I can probably give you some >help if you need it. Get Exim built first, then I guess we need to >set it up so that it listens on port 25, with postfix listening on >port 26. You will have to get postfix listening on port 26 >yourself, I don't know how to do that. > > > Running Postfix still as I am, I can say the answer is in Postfix's 'master.cf' (this controls the transports, where main.cf controls mosts other things). > > There is a line in master.cf saying: > > smtp inet n - y - - smtpd > > where 'smtp' is the name in /etc/services: > smtp 25/tcp mail > look in /etc/postfix/README_FILES/FILTER_README. You can pipe to external processes from within postfix to handle content filtering (this is what we do; actually we invoke a program that converts the messages from postfix queue files into queue files that MailScanner will understand). You can spawn multiple daemon processes to speak on non-standard ports (this is what is discussed in the FILTER_README). Or, you could just set up exim on non-standard ports and let postfix forward to that port; exim could then send the processed messages back on a different port for postfix to handle final queueing and delivery. Anyway, the master.cf file is absolutely key to getting filtering to work with postfix, however you choose to do it. Leland ps: What is the problem with the "official" MailScanner/postfix connection? Maybe we can help. Postfix is VERY powerful, but it takes a couple of "aha!" moments to figure out how to harness that power. Julian has already said that he does not want to build another MTA, so that pretty much removes my second option above. 
It does not make sense to run exim or another MTA on a postfix-equipped box just so MailScanner will work; just run the non-postfix MTA and be done with it, which removes the third option above. There was a reference to something like "Obtuse SMTPD" as a possible avenue of attack, but I do not recall hearing the outcome of that one. As I already said, we have postfix create MailScanner-compatible queue files, through a perl script; another perl script takes the processed messages and re-injects them into postfix. Postfix is designed to be as secure as possible, with multiple layers of defense against software errors (either accidental or intentional). Postfix queues, and the files therein, are at the very heart of postfix and I would not want to try to "spoof" them into something else. This is why we decided to ignore the issue entirely, make postfix run a program to create files for MailScanner to process, make MailScanner give the processed files back to postfix, and process millions of messages per month. pps: Having said all that, postfix has a "hold" queue. From the postfix docs: "The hold queue is for mail that is frozen in the queue; no delivery attempts are made until someone releases these messages with the postsuper command." Maybe that would be a place to start? From mailscanner at ecs.soton.ac.uk Mon Mar 3 22:28:59 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:22 2006 Subject: [RHSA-2003:073-06] Updated sendmail packages fix critical sec urity issues In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB0A4AD49@pascal.priv.bmrb.co .uk> Message-ID: <5.2.0.9.2.20030303222834.0220f1a8@imap.ecs.soton.ac.uk> At 22:08 03/03/2003, you wrote: >Julian, there seem to be quite regular messages here from people who >either didn't turn sendmail off with chkconfig, or who have random other >sendmail processes running, (or who have packaging systems making random >changes!) perhaps check_MailScanner should check for this? If you have any ideas *how* it might do this, I'm all ears :) -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Mon Mar 3 22:32:11 2003 
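One way the check discussed in the two messages above could be done, as an added example that is not part of check_mailscanner and not from any poster: parse the `chkconfig --list sendmail` output quoted in this thread for runlevels switched on, and look for the `/var/lock/subsys/sendmail` file that the Mandrake postinstall was reported to key on. The function names are hypothetical, and the output format is assumed to match the lines quoted in the thread.

```python
import os
import re

# Constructed sample input, shaped like the `chkconfig --list sendmail`
# lines quoted in this thread (before and after the SuSE 8.1 upgrade).
BEFORE = "sendmail 0:off 1:off 2:off 3:off 4:off 5:off 6:off"
AFTER = "sendmail 0:off 1:off 2:off 3:on 4:off 5:on 6:off"

_FIELD = re.compile(r"(\d):(on|off)")


def enabled_runlevels(chkconfig_output, service="sendmail"):
    """Return the sorted runlevels at which `service` is switched on."""
    levels = set()
    for line in chkconfig_output.splitlines():
        fields = line.split()
        if not fields or fields[0] != service:
            continue                      # other services, prompts, blanks
        for field in fields[1:]:
            match = _FIELD.fullmatch(field)
            if match and match.group(2) == "on":
                levels.add(int(match.group(1)))
    return sorted(levels)


def newly_enabled(before, after, service="sendmail"):
    """Runlevels that an upgrade switched on (on in `after`, off in `before`)."""
    return sorted(set(enabled_runlevels(after, service))
                  - set(enabled_runlevels(before, service)))


def audit(chkconfig_output, subsys_dir="/var/lock/subsys", service="sendmail"):
    """Return human-readable findings; an empty list means nothing to fix."""
    findings = []
    levels = enabled_runlevels(chkconfig_output, service)
    if levels:
        findings.append(
            f"{service} init script is on at runlevel(s) "
            + ",".join(str(n) for n in levels)
            + f"; it will start outside MailScanner (chkconfig {service} off)"
        )
    lock = os.path.join(subsys_dir, service)
    if os.path.exists(lock):
        # Per the Mandrake report in this thread, a postinstall script may
        # run 'service sendmail restart' when this file is present.
        findings.append(f"{lock} exists; a package upgrade may restart {service}")
    return findings


if __name__ == "__main__":
    print("switched on by the upgrade:", newly_enabled(BEFORE, AFTER))
    # On a live host, feed in the real output of `chkconfig --list sendmail`.
    for finding in audit(AFTER):
        print("WARNING:", finding)
```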
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:22 2006 Subject: postfix compatability? In-Reply-To: <3E63D5AA.8010804@pa.net> References: Message-ID: <5.2.0.9.2.20030303223107.02273fe0@imap.ecs.soton.ac.uk> Any chance of you publishing all your scripts to make your setup work? They would help a lot of people. At 22:22 03/03/2003, you wrote: >Maybe we can help. Postfix is VERY powerful, but it takes a couple of "aha!" >moments to figure out how to harness that power. Julian has already said that >he does not want to build another MTA, so that pretty much removes my second >option above. It does not make sense to run exim or another MTA on a >postfix-equipped box just so MailScanner will work; just run the >non-postfix MTA >and be done with it, which removes the third option above. There was a >reference to something like "Obtuse SMTPD" as a possible avenue of attack, >but I >do not recall hearing the outcome of that one. As I already said, we have >postfix create MailScanner-compatible queue files, through a perl script; >another perl script takes the processed messages and re-injects them into >postfix. Postfix is designed to be as secure as possible, with multiple >layers >of defense against software errors (either accidental or >intentional). Postfix >queues, and the files therein, are at the very heart of postfix and I >would not >want to try to "spoof" them into something else. This is why we decided to >ignore the issue entirely, make postfix run a program to create files for >MailScanner to process, make MailScanner give the processed files back to >postfix, and process millions of messages per month. > >pps: Having said all that, postfix has a "hold" queue. From the postfix >docs: > "The hold queue is for mail that is frozen in the queue; no delivery > attempts >are made until someone releases these messages with the postsuper command." >Maybe that would be a place to start? 
-- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support From ms at MLSIS.CO.UK Mon Mar 3 23:04:05 2003 
From: ms at MLSIS.CO.UK (Matt Lowe)
Date: Thu Jan 12 21:17:22 2006
Subject: postfix compatibility?
In-Reply-To: <3E63CCEF.9070700@pa.net>
References: <1046548476.1887.32.camel@luggage> <3E63CCEF.9070700@pa.net>
Message-ID: <1046732645.1887.121.camel@luggage>

Yes please, could you send the config files :) This would make my life
VERY much easier :) and if possible some really easy step by step
instructions on how to do this :)

The reason I'm using postfix is 'cause it's set up for me already, and the
frontend I have is very easy for my users to add/del accounts.

Matt Lowe
ms@mlsis.co.uk

On Mon, 2003-03-03 at 21:45, Leland J. Steinke wrote:
> Matt Lowe wrote:
> > On Sat, 2003-03-01 at 19:21, Julian Field wrote:
> >
> >>At 19:05 01/03/2003, you wrote:
> >>
> >>>Hi I'm new to this mailing list, but after searching the archives all I
> >>>could find was a mention of this in the possible future.
> >>>
> >>>Is there any way to integrate mailscanner and postfix yet? without
> >>>using sendmail/exim?
> >>
> >>Someone has some patches somewhere that might integrate the two. Postfix
> >>support is our next planned major feature.
> >
> >
> > anyone any idea where these patches might be?
> >
>
>
> we have postfix and mailscanner running quite happily together here, filtering
> hundreds of messages per minute on multiple servers for both inbound and
> outbound mail.
>
> It uses two perl scripts. The first one is invoked to take SMTP-inbound
> messages from smtpd in master.cf and put them into a spool directory where
> MailScanner will find them. The second one is called after spam/virus
> processing by MailScanner to re-inject the messages into postfix for queueing
> and delivery. It is not perfect, but it works quite well for us...
>
> If you are interested, I will send you the scripts and how we modified master.cf
> to make it all work.
>
>
> Leland
>

From mailscanner at HRSERVERS.COM Tue Mar 4 00:46:48 2003
From: mailscanner at HRSERVERS.COM (SUBSCRIBE MAILSCANNER Anonymous)
Date: Thu Jan 12 21:17:22 2006
Subject: Spamassassin 2.50 & MailScanner 4.13-3 Problems
Message-ID:

Thank you Julian for taking the time to explain what was going on with it.

Just a little note I posted the same message over at spamassassin.org list
and was told by one of the developers that they are aware of this issue
and you are exactly right, they plan to fix it in 2.51 but they do not
have an official release date as of yet but maybe next couple of weeks.
Here is the link to the post and reply...
http://www.hughes-family.org/bugzilla/show_bug.cgi?id=1585

Thanks again,
JT

From mkettler at EVI-INC.COM Tue Mar 4 01:20:10 2003
From: mkettler at EVI-INC.COM (Matt Kettler)
Date: Thu Jan 12 21:17:22 2006
Subject: Spamassassin 2.50 & MailScanner 4.13-3 Problems
In-Reply-To:
Message-ID: <5.2.0.9.0.20030303201556.016f0638@192.168.50.2>

Actually, that was already filed.

The bug which has been assigned and is currently tracking the fixing of this
problem is this one:
http://www.hughes-family.org/bugzilla/show_bug.cgi?id=1556

I'm submitting a dupe-notice to the bugzilla, but I'll let one of the "real"
members of saDev officially close 1585 as a duplicate.

At 12:46 AM 3/4/2003 +0000, you wrote:
>Thank you Julian for taking the time to explain what was going on with it.
>
>Just a little note I posted the same message over at spamassassin.org list
>and was told by one of the developers that they are aware of this issue
>and you are exactly right, they plan to fix it in 2.51 but they do not
>have an official release date as of yet but maybe next couple of weeks.
>Here is the link to the post and reply...
>http://www.hughes-family.org/bugzilla/show_bug.cgi?id=1585
>
>Thanks again,
>JT

From smohan at vsnl.com Tue Mar 4 02:22:04 2003
From: smohan at vsnl.com (S Mohan) Date: Thu Jan 12 21:17:22 2006 Subject: MS vs. Trend In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB0A4AD48@pascal.priv.bmrb.co.uk> Message-ID: <002601c2e1f4$daa8ca80$796041db@18yamuna> 1. Speed of fixes and response. 2. Do many things that we cannot without major sendmail hacking E.g. User based archive (alternative is using per user procmail - not so easy -:)) Add disclaimer notice. Create different outgoing queues depending on priorities/ users/ groups etc. 3. Multiple scanners. Trend would only allow its own. 4. in MS architecture, since sendmail receives mail, all sendmail based authentication, features etc is implemented while in Trend Micro's case, it is an SMTP server - can it match sendmail's features? Why compromise? Get the best MTA and the best scanner GW. 5. Trend Micro means another machine investment, maintenance etc.... 6. Trend Micro costing is per user mailbag/ email id based. We can have F-Prot on a server basis in here. If you could Julian's name and commitment on top of the list, it would be the icing on the cake. My 2 paise worth.. Mohan -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Spicer, Kevin Sent: Tuesday, March 04, 2003 1:51 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: MS vs. Trend > > Hi there, > > I'm faced with making a "business case" of "mailscanner+some > commercial av" > against trend micro "complete antivirus/antispam/whatever > solution"... I > wonder if anyone out there have some input for it... > From dot at DOTAT.AT Tue Mar 4 06:40:54 2003 
From: dot at DOTAT.AT (Tony Finch) Date: Thu Jan 12 21:17:22 2006 Subject: postfix compatability? In-Reply-To: References: Message-ID: "Leland J. Steinke" wrote: > >look in /etc/postfix/README_FILES/FILTER_README. You can pipe to external >processes from within postfix to handle content filtering (this is what we do; >actually we invoke a program that converts the messages from postfix queue files >into queue files that MailScanner will understand). You can spawn multiple >daemon processes to speak on non-standard ports (this is what is discussed in >the FILTER_README). Or, you could just set up exim on non-standard ports and >let postfix forward to that port; exim could then send the processed messages >back on a different port for postfix to handle final queueing and delivery. >Anyway, the master.cf file is absolutely key to getting filtering to work with >postfix, however you choose to do it. A very vague thought about how MailScanner would fit into a Postfix setup from someone who knows almost nothing about Postfix: Since all messages in Postfix go through the cleanup process before they get to the main queue, and since the cleanup process is not a million miles away from a kind of MailScanner-lite, perhaps that's where MailScanner should plug in to Postfix. Tony. -- f.a.n.finch http://dotat.at/ WEST FITZROY: SOUTHWEST VEERING WEST OR NORTHWEST 5 TO 7, DECREASING 3 OR 4 LATER. RAIN THEN SHOWERS. MODERATE OR POOR BECOMING GOOD. From Kevin.Spicer at BMRB.CO.UK Tue Mar 4 09:00:12 2003 
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin) Date: Thu Jan 12 21:17:22 2006 Subject: [RHSA-2003:073-06] Updated sendmail packages fix critical sec urity issues Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0EBF43E@pascal.priv.bmrb.co.uk> > At 22:08 03/03/2003, you wrote: > >Julian, there seem to be quite regular messages here from people who > >either didn't turn sendmail off with chkconfig, or who have > random other > >sendmail processes running, (or who have packaging systems > making random > >changes!) perhaps check_MailScanner should check for this? > > If you have any ideas *how* it might do this, I'm all ears :) Hmmm, fair point! Sounds easy in principle until you remember not everyone has chkconfig (or even uses sysV style init scripts) ;) BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. From dh at UPTIME.AT Tue Mar 4 08:56:38 2003 
From: dh at UPTIME.AT (David)
Date: Thu Jan 12 21:17:22 2006
Subject: Still issues with Spamassassin 2.50 and Mailscanner (after patching)
Message-ID: <35958706-4E1F-11D7-BC8A-000393920D6C@uptime.at>

Hello.

This message is not directed at Julian, but all of you. I know he is very busy and I really think that we, as a community, should take some load off his shoulders.

I am running redhat 7.3 (hardened but that should not affect anything) with Mailscanner 4.13-3 and spamassassin 2.50 (patched with Julian's patch).

Somehow this setup fails though. It worked for about a week and now it bombs out on me again. The MailScanner process simply sits there and eats 99% of the CPU without doing anything. After about 5-6 minutes it finally tells me

    Found XXX messages waiting...

but it does not really scan them. Still 99%. As soon as I go back to 2.44 (spamassassin) all is fine again.

Has someone observed this behaviour as well?

Thank you
-d

From Douglas.Hall at PROQUEST.CO.UK Tue Mar 4 12:31:05 2003
From: Douglas.Hall at PROQUEST.CO.UK (Hall, Douglas)
Date: Thu Jan 12 21:17:22 2006
Subject: [RHSA-2003:073-06] Updated sendmail packages fix critical security issues
Message-ID: <16663F2E4043D711A5EA00A0C9EA06611837FC@exchange.private.chadwyck.co.uk>

> -----Original Message-----
> From: Amin, Harish [mailto:Harish.Amin@DEG.STATE.WI.US] > You mean Sendmail from SUN on Solaris 8 , can you how you > went about it Well hopefully you've all upgraded by now :) If not, the sun sendmail patch is easy enough to do. Be warned that if you have modified /etc/init.d/sendmail or any of the associated (sym|hard)links in the rcx.d directories they will be overwritten. (I use a different rc script and disabled rc2.d/S88sendmail) The sendmail patch overwrites /etc/mail/local-host-names, other than that I think everything else was untouched. I copied the contents of /etc/mail, the above rc scripts and /usr/lib/mail/cf/* to a temporary directory though just to be safe. The sendmail patch does list all the files that get overwritten! -Douglas From jaearick at COLBY.EDU Tue Mar 4 13:45:01 2003 From: jaearick at COLBY.EDU (Jeff A. Earickson) Date: Thu Jan 12 21:17:22 2006 Subject: child dying of old age? Message-ID: Julian, I got a laugh when I saw this message in my syslog... I suppose it is better to have one's children dying of old age, instead of meeting a violent end with kill()! A new feature of 4.13-3? --- Jeff From mailscanner at ecs.soton.ac.uk Tue Mar 4 13:51:34 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:22 2006
Subject: child dying of old age?
In-Reply-To:
Message-ID: <5.2.0.9.2.20030304135016.03b88c08@imap.ecs.soton.ac.uk>

At 13:45 04/03/2003, you wrote:
>Julian,
> I got a laugh when I saw this message in my syslog...
>I suppose it is better to have one's children dying of
>old age, instead of meeting a violent end with kill()!
>A new feature of 4.13-3?

Just a new bit of logging, so you can see that the new children are "spawned" in response to one of their older siblings dying a natural death. That way you can tell if a child was killed by something or just died naturally.
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Tue Mar 4 14:08:33 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:22 2006
Subject: RaQ problems after installing sendmail patch
Message-ID: <5.2.0.9.2.20030304140048.03b9cbc0@imap.ecs.soton.ac.uk>

On pkgmaster.com there are now packages for the RaQ3 and RaQ4 that apply the sendmail patch everyone has been talking about for the last day or two.

When the patch is installed, it messes around with the /var/spool/mqueue directory and leaves it in a state that MailScanner does not like.

To solve this:

    cd /var/spool/mqueue
    rmdir q1 q2 q3 q4
    /etc/rc.d/init.d/MailScanner restart

Then you should find everything starts working properly again.
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From Jan-Peter.Koopmann at SECEIDOS.DE Tue Mar 4 14:15:09 2003
From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann)
Date: Thu Jan 12 21:17:22 2006
Subject: FromTo: not working?
Message-ID: <4E7026FF8A422749B1553FE508E0068007EE72@message.intern.akctech.de>

Hi,

I use the following rules file to determine whether or not to check for viruses:

    FromTo: *@akctech.de yes
    FromTo: *@seceidos.de yes
    FromTo: *@seceidos.net yes
    FromTo: *@seceidos.org yes
    FromTo: *@seceidos.com yes
    FromTo: *@telefonia.de yes
    FromTo: default no

Mails to those domains are getting checked. But mails from one of those domains simply produce things like

    Mar 4 15:05:58 proxy MailScanner[85988]: New Batch: Forwarding 1 unscanned messages, 1726 bytes
    Mar 4 15:05:58 proxy MailScanner[85988]: Spam Checks: Starting
    Mar 4 15:05:58 proxy MailScanner[85988]: Unscanned: Delivered 1 messages
    Mar 4 15:05:58 proxy MailScanner[85988]: Virus and Content Scanning: Starting

Why does it say "unscanned messages"? Once I change default to yes everything works again...

Regards,
JP

From mailscanner at ecs.soton.ac.uk Tue Mar 4 14:16:35 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:23 2006 Subject: FromTo: not working? In-Reply-To: <4E7026FF8A422749B1553FE508E0068007EE72@message.intern.akct ech.de> Message-ID: <5.2.0.9.2.20030304141523.03ba82f8@imap.ecs.soton.ac.uk> At 14:15 04/03/2003, you wrote: >Hi, > >I use the following rules file to determine whether or not ot check for >viruses: > >FromTo: *@akctech.de yes >FromTo: *@seceidos.de yes >FromTo: *@seceidos.net yes >FromTo: *@seceidos.org yes >FromTo: *@seceidos.com yes >FromTo: *@telefonia.de yes >FromTo: default no > > >Mails to those domains are getting checked. But mails from one of those >domains simply produce things like > >Mar 4 15:05:58 proxy MailScanner[85988]: New Batch: Forwarding 1 >unscanned messages, 1726 bytes >Mar 4 15:05:58 proxy MailScanner[85988]: Spam Checks: Starting >Mar 4 15:05:58 proxy MailScanner[85988]: Unscanned: Delivered 1 >messages >Mar 4 15:05:58 proxy MailScanner[85988]: Virus and Content Scanning: >Starting > >Why does it say "unscanned messages"? Once I change default to yes >everything works again... What is the envelope sender address on the message that doesn't get scanned? You will have to either look in your maillog or in the qf file in the queue to get this information. It's not the "From:" address in the headers that matters, it's the envelope sender address. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From mike at UNIXSECURITY.ORG Tue Mar 4 15:34:25 2003 
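[Added example, not part of the original posts and not MailScanner's own code: a short diagnostic for the point made in the reply above, that a ruleset is matched against the envelope sender rather than the "From:" header. The qf file, the placeholder domains and the simplified matching model (rules read top-down, first match wins, "FromTo:" matches the envelope sender or any envelope recipient) are assumptions made for illustration.]

```python
import fnmatch
from email.utils import parseaddr

# Constructed sendmail qf (queue control) file; all addresses are placeholders.
# S = envelope sender, R = envelope recipient, H = header line.
SAMPLE_QF = """\
V4
T1046786758
S<bounces@lists.example.net>
RPFD:<bob@example.org>
H?F?From: Alice <alice@example.de>
H??To: bob@example.org
H??Subject: quarterly
 report
.
"""

# Same shape as the rules file quoted in the thread, with placeholder domains.
SAMPLE_RULES = """\
# scan mail for our own domains only
FromTo: *@example.de yes
FromTo: *@example.com yes
FromTo: default no
"""


def parse_qf(text):
    """Return (envelope_sender, [envelope_recipients], {header_name: value})."""
    sender, rcpts, headers, last = "", [], {}, None
    for line in text.splitlines():
        if not line or line == ".":
            continue
        if line[0] in " \t":                    # folded header continuation
            if last:
                headers[last] += " " + line.strip()
            continue
        code, body, last = line[0], line[1:], None
        if code == "S":
            sender = body.strip("<> ")
        elif code == "R":
            # Newer qf versions prefix recipient flags, e.g. RPFD:<addr>
            if ":" in body and not body.startswith("<"):
                body = body.split(":", 1)[1]
            rcpts.append(body.strip("<> "))
        elif code == "H":
            if body.startswith("?"):            # H?flags?Name: value
                body = body.split("?", 2)[2]
            name, _, value = body.partition(":")
            last = name.strip().lower()
            headers[last] = value.strip()
    return sender, rcpts, headers


def parse_rules(text):
    """Parse 'Direction: pattern value' lines, skipping comments and blanks."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        direction, pattern, value = line.split(None, 2)
        rules.append((direction.rstrip(":").lower(), pattern.lower(), value.strip()))
    return rules


def decide(rules, sender, rcpts):
    """Simplified model (assumption): first matching rule wins."""
    for direction, pattern, value in rules:
        if pattern == "default":
            return value
        addrs = []
        if "from" in direction:
            addrs.append(sender)
        if "to" in direction:
            addrs.extend(rcpts)
        if any(fnmatch.fnmatchcase(a.lower(), pattern) for a in addrs):
            return value
    return None


def diagnose(qf_text, rules_text):
    """Show what the ruleset sees versus what the mail client displays."""
    sender, rcpts, headers = parse_qf(qf_text)
    header_from = parseaddr(headers.get("from", ""))[1]
    rules = parse_rules(rules_text)
    return {
        "envelope_sender": sender,
        "header_from": header_from,
        "decision": decide(rules, sender, rcpts),
        "if_header_from_were_used": decide(rules, header_from, rcpts),
    }


if __name__ == "__main__":
    for key, value in diagnose(SAMPLE_QF, SAMPLE_RULES).items():
        print(f"{key}: {value}")
```

[In the constructed sample the header shows an address in a listed domain, but the envelope sender is a list bounce address, so the message falls through to the default rule.]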
From: mike at UNIXSECURITY.ORG (Mike Wallis)
Date: Thu Jan 12 21:17:23 2006
Subject: Making check_MailScanner check for extraneous sendmail processes
In-Reply-To: <5.2.0.9.2.20030303222834.0220f1a8@imap.ecs.soton.ac.uk>
References: <5.2.0.9.2.20030303222834.0220f1a8@imap.ecs.soton.ac.uk>
Message-ID: <3E64C781.8050401@unixsecurity.org>

Julian Field wrote:
| If you have any ideas *how* it might do this, I'm all ears :)

This isn't the most elegant solution, but:

    chkconfig --list sendmail |grep on

If anything at all is returned, they've done it wrong and this should probably result in some sort of notification. (As opposed to check_MailScanner trying to fix it for them)

But, I've no idea how to handle the extra sendmail processes on systems without chkconfig.

--
Mike Wallis

From gerry at dorfam.ca Tue Mar 4 15:43:52 2003
From: gerry at dorfam.ca (Gerry Doris) Date: Thu Jan 12 21:17:23 2006 Subject: Timeout Errors?? Message-ID: <35420.129.80.22.133.1046792632.squirrel@tiger.dorfam.ca> I starting noticing the following sendmail errors about the time I switched over to SpamAssassin 2.50. However, I'm not totally sure if this was happening before that time or I was just paying more attention after doing the update??? I'm seeing several of these over the day in my maillog. h23LMZk01726: timeout waiting for input from local during Draining Input h23LMjk01729: timeout waiting for input from local during Draining Input h23LOTk01773: timeout waiting for input from local during Draining Input h23LOsk01793: timeout waiting for input from local during Draining Input What exactly are these telling me? They appear to be sendmail errors but is it because sendmail is acting up or has it something to do with MailScanner? Gerry From mbowman at UDCOM.COM Tue Mar 4 15:55:23 2003 From: mbowman at UDCOM.COM (Matthew Bowman) Date: Thu Jan 12 21:17:23 2006 Subject: Fragmented messages cannot be scanned and are removed Message-ID: Hello A client failed to receive 4 e-mails which were flagged as virus with the error Fragmented messages cannot be scanned and are removed. This is the first I've seen this error. Here is an extract from the mail Return-Path: Received: from mail1.tpgi.com.au (mail.tpgi.com.au [203.12.160.57]) by smithers.vbcomm.net (8.11.6/8.11.6) with ESMTP id h2378h100355 for ; Mon, 3 Mar 2003 02:08:43 -0500 Received: from berendsen.com.au ([202.7.160.194]) by mail1.tpgi.com.au (8.11.6/8.11.6) with ESMTP id h237E1p11475 for ; Mon, 3 Mar 2003 18:14:01 +1100 Received: from garryg by berendsen.com.au with SMTP (MDaemon.PRO.v6.5.2.R) for ; Mon, 03 Mar 2003 18:15:58 +1100 Message-ID: <00a101c2e155$28c39010$7ec719ac@garryg> 
From: "Garry Grant" To: References: Subject: Re: Specs. for Marmora Terrace AS 3439.1-2002 Low-voltage switchgear and controlgear assemblies - Type-tested and partially type-tested assemblie.pdf [2/2] Date: Mon, 3 Mar 2003 18:18:45 +1100 MIME-Version: 1.0 Content-Type: message/partial; total=2; id="01C2E155.25C14C90@garryg"; number=2 X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.50.4807.1700 X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4807.1700 X-Return-Path: ggrant@epg.com.au X-MDaemon-Deliver-To: KWestfield@gormanrupp.com My installation is Redhat 7.3 MS 4.10-1 with clamav as the scanner SA 2.43 Any ideas? Matthew From HancockS at MORGANCO.COM Tue Mar 4 16:04:47 2003 From: HancockS at MORGANCO.COM (Hancock, Scott) Date: Thu Jan 12 21:17:23 2006 Subject: Debian ms v4.x install help. Deb, Alien or Source? attn Jason Desai Message-ID: <03Mar4.105815est.119118@gateway.morganco.com> Hello all, I'm running Debian unstable (sarge) mailscanner (3.27) and exim (3.36). Some of my users are asking for features in the latest versions of mailscanner. I notice some posts indicating people (including Jason) are using newer versions of mailscanner than is available at packages.debian.org. I'm mostly interested in the new mailscanner features and was wondering the best approach to installing without a .deb file. Are any dependency issues between exim 3.27 and MS 4.x? I figure my options are: an alternate site that has a .deb file, using Alien against the 4.x RPM file, or compiling from source. All this is being tested off line. Thanks all for your time. Scott From Denis.Beauchemin at USHERBROOKE.CA Tue Mar 4 16:09:26 2003 
From: Denis.Beauchemin at USHERBROOKE.CA (Denis Beauchemin)
Date: Thu Jan 12 21:17:23 2006
Subject: Is the new FAQ working?
Message-ID: <1046794165.1602.54.camel@dbeauchemin.si.usherbrooke.ca>

Hello,

A couple of days ago I tried to post new info in the FAQ but couldn't (I don't recall the error message but I think it kept telling me my login was not OK).

Now I was looking for some info but I can't seem to find anything besides what Julian put in.

All I see are "NewItem" links... with no info in them...

I think the setup might not be permissive enough...

Denis
--
Denis Beauchemin, analyste
Université de Sherbrooke, S.T.I.
T: 819.821.8000x2252 F: 819.821.8045

From mailscanner at LISTS.COM.AR Tue Mar 4 16:15:28 2003
From: mailscanner at LISTS.COM.AR (Mariano Absatz)
Date: Thu Jan 12 21:17:23 2006
Subject: Fragmented messages cannot be scanned and are removed
In-Reply-To:
Message-ID: <3E64A6F0.4573.5CD4561E@localhost>

This is not a bug... it's a feature... :-D no kidding.

This message has its content fragmented in several individual messages. This is intended to be rebuilt at the destination (see the MIME specs for how this works).

Now, if you have only part of a message, you can't run a virus scanner thru it.

There is an option (see http://mailscanner.info/install/conf.shtml) "Allow Partial Messages" that you could enable (it's 'no' by default) but in that case, any "partial" message would pass thru unscanned.

You should _seriously_ think before enabling this... as the docs say, you could enable it thru a very strict ruleset (e.g. only coming from a specific ftpmail server or something like that).

On 4 Mar 2003 at 10:55, Matthew Bowman wrote:

> Hello
>
> A client failed to receive 4 e-mails which were flagged as virus with the
> error Fragmented messages cannot be scanned and are removed. This is the
> first I've seen this error.
>
> Here is an extract from the mail
>
> Return-Path:
> Received: from mail1.tpgi.com.au (mail.tpgi.com.au [203.12.160.57])
> by smithers.vbcomm.net (8.11.6/8.11.6) with ESMTP id
> h2378h100355
> for ; Mon, 3 Mar 2003 02:08:43
> -0500
> Received: from berendsen.com.au ([202.7.160.194])
> by mail1.tpgi.com.au (8.11.6/8.11.6) with ESMTP id
> h237E1p11475
> for ; Mon, 3 Mar 2003 18:14:01
> +1100
> Received: from garryg by berendsen.com.au
> with SMTP (MDaemon.PRO.v6.5.2.R)
> for ; Mon, 03 Mar 2003
> 18:15:58 +1100
> Message-ID: <00a101c2e155$28c39010$7ec719ac@garryg>
> From: "Garry Grant"
> To:
> References:
> Subject: Re: Specs. for Marmora Terrace AS 3439.1-2002 Low-voltage
> switchgear and controlgear assemblies - Type-tested and partially
> type-tested assemblie.pdf [2/2]
> Date: Mon, 3 Mar 2003 18:18:45 +1100
> MIME-Version: 1.0
> Content-Type: message/partial;
> total=2;
> id="01C2E155.25C14C90@garryg";
> number=2
> X-Priority: 3
> X-MSMail-Priority: Normal
> X-Mailer: Microsoft Outlook Express 5.50.4807.1700
> X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4807.1700
> X-Return-Path: ggrant@epg.com.au
> X-MDaemon-Deliver-To: KWestfield@gormanrupp.com
>
> My installation is
>
> Redhat 7.3
> MS 4.10-1 with clamav as the scanner
> SA 2.43
>
> Any ideas?
>
> Matthew

--
Mariano Absatz
El Baby
----------------------------------------------------------
We are born naked, wet and hungry. Then things get worse.

From Jan-Peter.Koopmann at SECEIDOS.DE Tue Mar 4 16:23:29 2003
From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann)
Date: Thu Jan 12 21:17:23 2006
Subject: Exim question: tidy_db
Message-ID: <4E7026FF8A422749B1553FE508E0068007EE7C@message.intern.akctech.de>

Hi,

I noticed an error on http://www.sng.ecs.soton.ac.uk/mailscanner/install/exim.shtml

In Exim 4 this should not read

    defer_router:
      driver = dnslookup
      self = defer
      transport = remote_smtp
      route_list = "* 127.0.0.1 byname"
      verify = false

Since route_list is only supported for driver = manualroute AFAIK...

The instruction then goes on and recommends running

    exim_tidydb -t 0m /var/spool/exim_incoming retry >/dev/null

1. I do not have a db there yet.
2. Why do I need to do this? Does Exim not maintain this on its own?
3. Why do I not need to do this for the outgoing spool dir?

Thanks,
JP

From Jan-Peter.Koopmann at SECEIDOS.DE Tue Mar 4 16:19:26 2003
From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann) Date: Thu Jan 12 21:17:23 2006 Subject: FromTo: not working? Message-ID: <4E7026FF8A422749B1553FE508E0068007EE7B@message.intern.akctech.de> Hi Julian, Have you seen my reply to this to julian.field@mailscanner.info? :-) Regards, JP > -----Original Message----- > From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] > Sent: Tuesday, March 04, 2003 3:17 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: FromTo: not working? > > > At 14:15 04/03/2003, you wrote: > >Hi, > > > >I use the following rules file to determine whether or not > ot check for > >viruses: > > > >FromTo: *@akctech.de yes > >FromTo: *@seceidos.de yes > >FromTo: *@seceidos.net yes > >FromTo: *@seceidos.org yes > >FromTo: *@seceidos.com yes > >FromTo: *@telefonia.de yes > >FromTo: default no > > > > > >Mails to those domains are getting checked. But mails from > one of those > >domains simply produce things like > > > >Mar 4 15:05:58 proxy MailScanner[85988]: New Batch: Forwarding 1 > >unscanned messages, 1726 bytes Mar 4 15:05:58 proxy > >MailScanner[85988]: Spam Checks: Starting Mar 4 15:05:58 proxy > >MailScanner[85988]: Unscanned: Delivered 1 messages > >Mar 4 15:05:58 proxy MailScanner[85988]: Virus and Content Scanning: > >Starting > > > >Why does it say "unscanned messages"? Once I change default to yes > >everything works again... > > What is the envelope sender address on the message that > doesn't get scanned? You will have to either look in your > maillog or in the qf file in the queue to get this > information. It's not the "From:" address in the headers that > matters, it's the envelope sender address. > -- > Julian Field > www.MailScanner.info > MailScanner thanks transtec Computers for their support > From mbowman at UDCOM.COM Tue Mar 4 16:25:09 2003 
From: mbowman at UDCOM.COM (Matthew Bowman) Date: Thu Jan 12 21:17:23 2006 Subject: Fragmented messages cannot be scanned and are removed Message-ID: Thanks, I don't have the Allow Partial Messages field in my MailScanner.conf file - was this a feature added after 4.10-1 ? Mariano Absatz Sent by: MailScanner mailing list 03/04/2003 11:45 AM Please respond to MailScanner mailing list To: MAILSCANNER@JISCMAIL.AC.UK cc: Subject: Re: Fragmented messages cannot be scanned and are removed This is not a bug... it's a feature... :-D no kidding. This message has its content fragmented in several individual messages. This is intended to be rebuilt at the destination (see the MIME specs for how this works). Now, if you have only part of a message, you can't run a virus scanner thru it. There is an option (see http://mailscanner.info/install/conf.shtml) "Allow Partial Messages" that you could enable (it's 'no' by default) but in that case, any "partial" message would pass thru unscanned. You should _seriously_ think before enabling this... as the docs say, you could enable it thru a very strict ruleset (e.g. only coming from a specific ftpmail server or something like that). El 4 Mar 2003 a las 10:55, Matthew Bowman escribi?: > Hello > > A client failed to receive 4 e-mails which were flagged as virus with the > error Fragmented messages cannot be scanned and are removed. This is the > first I've seen this error. > > Here is an extract from the mail > > Return-Path: > Received: from mail1.tpgi.com.au (mail.tpgi.com.au [203.12.160.57]) > by smithers.vbcomm.net (8.11.6/8.11.6) with ESMTP id > h2378h100355 > for ; Mon, 3 Mar 2003 02:08:43 > -0500 > Received: from berendsen.com.au ([202.7.160.194]) > by mail1.tpgi.com.au (8.11.6/8.11.6) with ESMTP id > h237E1p11475 > for ; Mon, 3 Mar 2003 18:14:01 > +1100 > Received: from garryg by berendsen.com.au > with SMTP (MDaemon.PRO.v6.5.2.R) > for ; Mon, 03 Mar 2003 > 18:15:58 +1100 > Message-ID: <00a101c2e155$28c39010$7ec719ac@garryg> 
> From: "Garry Grant" > To: > References: > Subject: Re: Specs. for Marmora Terrace AS 3439.1-2002 Low-voltage > switchgear and controlgear assemblies - Type-tested and partially > type-tested assemblie.pdf [2/2] > Date: Mon, 3 Mar 2003 18:18:45 +1100 > MIME-Version: 1.0 > Content-Type: message/partial; > total=2; > id="01C2E155.25C14C90@garryg"; > number=2 > X-Priority: 3 > X-MSMail-Priority: Normal > X-Mailer: Microsoft Outlook Express 5.50.4807.1700 > X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4807.1700 > X-Return-Path: ggrant@epg.com.au > X-MDaemon-Deliver-To: KWestfield@gormanrupp.com > > My installation is > > Redhat 7.3 > MS 4.10-1 with clamav as the scanner > SA 2.43 > > Any ideas? > > Matthew -- Mariano Absatz El Baby ---------------------------------------------------------- We are born naked, wet and hungry. Then things get worse. From Douglas.Hall at PROQUEST.CO.UK Tue Mar 4 16:32:06 2003 From: Douglas.Hall at PROQUEST.CO.UK (Hall, Douglas) Date: Thu Jan 12 21:17:23 2006 Subject: Timeout Errors?? Message-ID: <16663F2E4043D711A5EA00A0C9EA066118380B@exchange.private.chadwyck.co.uk> > -----Original Message----- 
> From: Gerry Doris [mailto:gerry@dorfam.ca]
> Sent: 04 March 2003 15:44
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Timeout Errors??
>
> h23LOsk01793: timeout waiting for input from local during
> Draining Input
>
>
> What exactly are these telling me? They appear to be
> sendmail errors but
> is it because sendmail is acting up or has it something to do with
> MailScanner?

The sendmail distribution KNOWNBUGS document has the following:

* Delivery to programs that generate too much output may cause problems

  If e-mail is delivered to a program which generates too much
  output, then sendmail may issue an error:

  timeout waiting for input from local during Draining Input

  Make sure that the program does not generate output beyond a
  status message (corresponding to the exit status). This may
  require a wrapper around the actual program to redirect output
  to /dev/null.

  Such a problem has been reported for bulk_mailer.

-Douglas

From mailscanner at LISTS.COM.AR Tue Mar 4 16:34:15 2003
From: mailscanner at LISTS.COM.AR (Mariano Absatz)
Date: Thu Jan 12 21:17:23 2006
Subject: Fragmented messages cannot be scanned and are removed
In-Reply-To:
Message-ID: <3E64AB57.6412.5CE5859C@localhost>

On 4 Mar 2003 at 11:25, Matthew Bowman wrote:

> Thanks,
>
> I don't have the Allow Partial Messages field in my MailScanner.conf file
> - was this a feature added after 4.10-1 ?
>

browsing the changelog... it's been added in 4.12, so it's right, you don't have that available... I guess you'll have to upgrade if you want to use it (but then, it's still a bad idea)...

regards.

--
Mariano Absatz
El Baby
----------------------------------------------------------
I don't care to belong to a club that accepts people like me as members.
-- Groucho Marx

From mailscanner at ecs.soton.ac.uk Tue Mar 4 15:46:08 2003
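[Added example, not part of the original posts and not MailScanner's own code: why a single message/partial fragment cannot be scanned, and a model of the "remove unless explicitly allowed" policy described in the fragmented-messages replies above. The fragments, the marker string, the addresses and the function names are constructed for illustration; the allow list stands in for the strict ruleset the thread recommends.]

```python
import base64
import email
import fnmatch
from email.parser import Parser

MARKER = b"CONSTRUCTED-TEST-MARKER"   # harmless stand-in for a scanner signature


def build_sample_fragments():
    """Constructed input: one message with a base64 attachment, sent as 2 fragments."""
    payload = b"A" * 60 + MARKER + b"B" * 60
    b64 = base64.encodebytes(payload).decode("ascii").splitlines()
    inner = ["MIME-Version: 1.0",
             "Content-Type: application/octet-stream",
             "Content-Transfer-Encoding: base64",
             ""] + b64
    halves = (inner[:5], inner[5:])   # inner headers + first base64 line | the rest
    fragments = []
    for n, lines in enumerate(halves, start=1):
        head = ("From: sender@example.net\n"
                "To: rcpt@example.org\n"
                f"Subject: report.bin [{n}/2]\n"
                "MIME-Version: 1.0\n"
                "Content-Type: message/partial; total=2;"
                f' id="frag-1@example.net"; number={n}\n\n')
        fragments.append(head + "\n".join(lines) + "\n")
    return fragments


def partial_info(raw):
    """Return (id, number, total) for a message/partial fragment, else None."""
    msg = Parser().parsestr(raw, headersonly=True)
    if msg.get_content_type() != "message/partial":
        return None
    return (msg.get_param("id"),
            int(msg.get_param("number") or 0),
            int(msg.get_param("total") or 0))   # total is optional except on the last


def fragment_body(raw):
    """The opaque body carried by one fragment (outer headers removed)."""
    return Parser().parsestr(raw, headersonly=True).get_payload()


def reassemble(fragments):
    """Join fragment bodies in 'number' order; None if the set is incomplete."""
    parts, ids, total = {}, set(), 0
    for raw in fragments:
        info = partial_info(raw)
        if info is None:
            continue
        ident, number, tot = info
        ids.add(ident)
        parts[number] = fragment_body(raw)
        total = max(total, tot)
    if len(ids) != 1 or total == 0 or sorted(parts) != list(range(1, total + 1)):
        return None
    return "".join(parts[n] for n in range(1, total + 1))


def scan(message_text):
    """Toy scanner: decode every MIME part and look for the marker."""
    msg = email.message_from_string(message_text)
    for part in msg.walk():
        data = part.get_payload(decode=True)
        if data and MARKER in data:
            return True
    return False


def gateway_action(raw, envelope_sender, allow_partial_from=()):
    """Policy model: fragments are removed unless the envelope sender matches
    an explicit allow pattern, in which case they pass through unscanned."""
    if partial_info(raw) is None:
        return "scan"
    sender = envelope_sender.lower()
    if any(fnmatch.fnmatchcase(sender, p.lower()) for p in allow_partial_from):
        return "deliver-unscanned"
    return "remove"


if __name__ == "__main__":
    f1, f2 = build_sample_fragments()
    print("fragment 1 alone:", scan(fragment_body(f1)))
    print("fragment 2 alone:", scan(fragment_body(f2)))
    print("reassembled     :", scan(reassemble([f1, f2])))
    print("gateway decision:", gateway_action(f1, "sender@example.net"))
```

[Fragment 1 carries the attachment's MIME headers with a truncated body, and fragment 2 carries undecodable base64 with no headers, so the marker is visible only after reassembly at the destination.]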
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:23 2006 Subject: Timeout Errors?? In-Reply-To: <35420.129.80.22.133.1046792632.squirrel@tiger.dorfam.ca> Message-ID: <5.2.0.9.2.20030304154430.03bd6018@imap.ecs.soton.ac.uk> At 15:43 04/03/2003, you wrote: >I starting noticing the following sendmail errors about the time I >switched over to SpamAssassin 2.50. However, I'm not totally sure if this >was happening before that time or I was just paying more attention after >doing the update??? > >I'm seeing several of these over the day in my maillog. > >h23LMZk01726: timeout waiting for input from local during Draining Input >h23LMjk01729: timeout waiting for input from local during Draining Input >h23LOTk01773: timeout waiting for input from local during Draining Input >h23LOsk01793: timeout waiting for input from local during Draining Input > > >What exactly are these telling me? They appear to be sendmail errors but >is it because sendmail is acting up or has it something to do with >MailScanner? Have you installed my patch for SpamAssassin 2.50? If so, and you are still having problems with it, you are not alone. I have seen a problem on one customer's server that was blocking on SpamAssassin 2.50 even after the patch was applied. My only recommendation in this case is to back off to SpamAssassin 2.44 and wait for 2.51 to be released, which will hopefully fix these problems. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Tue Mar 4 16:25:11 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:23 2006 Subject: FromTo: not working? In-Reply-To: <4E7026FF8A422749B1553FE508E0068007EE7B@message.intern.akct ech.de> Message-ID: <5.2.0.9.2.20030304162354.04873ca0@imap.ecs.soton.ac.uk> At 16:19 04/03/2003, you wrote: >Hi Julian, > >Have you seen my reply to this to julian.field@mailscanner.info? :-) Yes, just haven't had a chance to reply yet. For some reason, your rules aren't matching, but I can't obviously see why not. Have you got some space after the "FromTo:" ? I'm slightly at a loss to know what to suggest, no-one else appears to have this problem. >Regards, > JP > > > -----Original Message----- 
> > From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] > > Sent: Tuesday, March 04, 2003 3:17 PM > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: Re: FromTo: not working? > > > > > > At 14:15 04/03/2003, you wrote: > > >Hi, > > > > > >I use the following rules file to determine whether or not > > ot check for > > >viruses: > > > > > >FromTo: *@akctech.de yes > > >FromTo: *@seceidos.de yes > > >FromTo: *@seceidos.net yes > > >FromTo: *@seceidos.org yes > > >FromTo: *@seceidos.com yes > > >FromTo: *@telefonia.de yes > > >FromTo: default no > > > > > > > > >Mails to those domains are getting checked. But mails from > > one of those > > >domains simply produce things like > > > > > >Mar 4 15:05:58 proxy MailScanner[85988]: New Batch: Forwarding 1 > > >unscanned messages, 1726 bytes Mar 4 15:05:58 proxy > > >MailScanner[85988]: Spam Checks: Starting Mar 4 15:05:58 proxy > > >MailScanner[85988]: Unscanned: Delivered 1 messages > > >Mar 4 15:05:58 proxy MailScanner[85988]: Virus and Content Scanning: > > >Starting > > > > > >Why does it say "unscanned messages"? Once I change default to yes > > >everything works again... > > > > What is the envelope sender address on the message that > > doesn't get scanned? You will have to either look in your > > maillog or in the qf file in the queue to get this > > information. It's not the "From:" address in the headers that > > matters, it's the envelope sender address. > > -- > > Julian Field > > www.MailScanner.info > > MailScanner thanks transtec Computers for their support > > -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Tue Mar 4 16:34:32 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:23 2006 Subject: Debian ms v4.x install help. Deb, Alien or Source? attn Jason Desai In-Reply-To: <03Mar4.105815est.119118@gateway.morganco.com> Message-ID: <5.2.0.9.2.20030304163247.048c8b20@imap.ecs.soton.ac.uk> At 16:04 04/03/2003, you wrote: >Hello all, > >I'm running Debian unstable (sarge) mailscanner (3.27) and exim (3.36). > >Some of my users are asking for features in the latest versions of >mailscanner. > >I notice some posts indicating people (including Jason) are using newer >versions of mailscanner than is available at packages.debian.org. I'm >mostly interested in the new mailscanner features and was wondering the >best approach to installing without a .deb file. > >Are any dependency issues between exim 3.27 and MS 4.x? > >I figure my options are: an alternate site that has a .deb file, using >Alien against the 4.x RPM file, or compiling from source. If you are prepared to run from /opt/MailScanner then the tar installation will do fine. If you are using 3.27 now, you will have most of the Perl modules already installed. But still go through the tar installation guide and make sure you have them all installed (there will be a few you don't have). Then make any binaries like "tnef" point to tnef.linux and not tnef.solaris. It shouldn't be too hard a job. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Tue Mar 4 16:35:40 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:23 2006
Subject: Is the new FAQ working?
In-Reply-To: <1046794165.1602.54.camel@dbeauchemin.si.usherbrooke.ca>
Message-ID: <5.2.0.9.2.20030304163526.048c7ff8@imap.ecs.soton.ac.uk>

Any faq-o-matic experts out there who can help?

At 16:09 04/03/2003, you wrote:
>Hello,
>
>A couple of days ago I tried to post new info in the FAQ but couldn't (I
>don't recall the error message but I think it kept telling me my login
>was not OK).
>
>Now I was looking for some info but I can't seem to find anything
>besides what Julian put in.
>
>All I see are "NewItem" links... with no info in them...
>
>I think the setup might not be permissive enough...
>
>Denis
>--
>Denis Beauchemin, analyste
>Université de Sherbrooke, S.T.I.
>T: 819.821.8000x2252 F: 819.821.8045

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Tue Mar 4 16:37:09 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:23 2006
Subject: Timeout Errors??
In-Reply-To: <16663F2E4043D711A5EA00A0C9EA066118380B@exchange.private.chadwyck.co.uk>
Message-ID: <5.2.0.9.2.20030304163635.048da008@imap.ecs.soton.ac.uk>

At 16:32 04/03/2003, you wrote:
> > -----Original Message-----
> > From: Gerry Doris [mailto:gerry@dorfam.ca] > > Sent: 04 March 2003 15:44 > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: Timeout Errors?? > > > > h23LOsk01793: timeout waiting for input from local during > > Draining Input > > > > > > What exactly are these telling me? They appear to be > > sendmail errors but > > is it because sendmail is acting up or has it something to do with > > MailScanner? > >The sendmail distribution KNOWNBUGS document has the following: > >* Delivery to programs that generate too much output may cause problems > > If e-mail is delivered to a program which generates too much > output, then sendmail may issue an error: > > timeout waiting for input from local during Draining Input > > Make sure that the program does not generate output beyond a > status message (corresponding to the exit status). This may > require a wrapper around the actual program to redirect output > to /dev/null. In which case the problem you are seeing is from whatever program sendmail is running to do the actual delivery of messages. Nothing to do with MailScanner. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From Jan-Peter.Koopmann at SECEIDOS.DE Tue Mar 4 16:43:45 2003 
From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann) Date: Thu Jan 12 21:17:23 2006 Subject: FromTo: not working? Message-ID: <4E7026FF8A422749B1553FE508E0068007EE7F@message.intern.akctech.de> > Yes, just haven't had a chance to reply yet. > For some reason, your rules aren't matching, but I can't > obviously see why not. Have you got some space after the > "FromTo:" ? I am attaching the file so you can check yourself, ok? > I'm slightly at a loss to know what to suggest, > no-one else appears to have this problem. I am somehow not surprised... :-) Regards, JP -------------- next part -------------- A non-text attachment was scrubbed... Name: virus.scanning.rules Type: application/octet-stream Size: 181 bytes Desc: virus.scanning.rules Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030304/6bd4e38d/virus.scanning.obj From steve.freegard at LBSLTD.CO.UK Tue Mar 4 16:46:16 2003 From: steve.freegard at LBSLTD.CO.UK (Steve Freegard) Date: Thu Jan 12 21:17:23 2006 Subject: Fragmented messages cannot be scanned and are removed Message-ID: <67D9E7698329D411936E00508B6590B902793277@neelix.lbsltd.co.uk> Better still - you could educate the user in question to turn this 'feature' off in Outlook Express and to zip the attachment instead. To turn this off in OE: Select the 'Tools' menu -> Select 'Accounts....' -> Highlight the mail account name e.g. 'BT Internet' -> Click 'Properties' -> Select the 'Advanced' tab -> untick the 'Break apart messages larger than xxx KB' Regards, Steve. -----Original Message----- 
From: Mariano Absatz [mailto:mailscanner@LISTS.COM.AR]
Sent: 04 March 2003 16:34
To: MAILSCANNER@jiscmail.ac.uk
Subject: Re: Fragmented messages cannot be scanned and are removed

On 4 Mar 2003 at 11:25, Matthew Bowman wrote:
> Thanks,
>
> I don't have the Allow Partial Messages field in my MailScanner.conf file
> - was this a feature added after 4.10-1 ?
>
browsing the changelog... it's been added in 4.12, so it's right, you don't
have that available... I guess you'll have to upgrade if you want to use it
(but then, it's still a bad idea)...

regards.

--
Mariano Absatz
El Baby
----------------------------------------------------------
I don't care to belong to a club that accepts people like me as members.
  -- Groucho Marx

**********************************************************************
This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please notify
the system manager.

This footnote also confirms that this email message has been swept by
MIMEsweeper for the presence of computer viruses.

www.lbsltd.co.uk
**********************************************************************

From mk at quadstone.com Tue Mar 4 16:51:14 2003
From: mk at quadstone.com (Michael Keightley)
Date: Thu Jan 12 21:17:23 2006
Subject: Problems with check_mailscanner script in v4.13-3
Message-ID: <20030304165114.GA4304@quadstone.com>

There is a problem with the check_mailscanner script if the ps line becomes
too long. check_mailscanner will start up MailScanner again even when it is
running already, this is because it can't see the MailScanner process in the
output of ps.

This is the output of "ps -ef | grep MailScanner | grep -v grep" on our Mail
Gateway:

root 16445 16424 0 16:31:36 ? 0:06 /usr/local/bin/perl -I/var/opt/MailScanner/lib /var/opt/MailScanner/bin/MailSca

I managed to fix this by looking for /var/opt/MailScanner/lib in my
check_mailscanner script. I.e. added this line to the start:

mslibdir=/var/opt/MailScanner/lib

Changed lines "fgrep $msbindir/$process |" to "fgrep $mslibdir |"

Michael
--
Michael Keightley                    Tel: +44 131 220 4491
Systems Manager, Quadstone Limited,  Fax: +44 131 220 4492
16 Chester Street, Edinburgh EH3 7RA, Scotland  http://www.quadstone.com

From Kevin.Spicer at BMRB.CO.UK Tue Mar 4 16:49:43 2003
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin)
Date: Thu Jan 12 21:17:23 2006
Subject: Is the new FAQ working?
Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0EBF44D@pascal.priv.bmrb.co.uk>

> Any faq-o-matic experts out there who can help?
>
>
I'm not - but if it helps I seem to be able to edit the answers I put in
last week, but don't seem to be able to add any (even in the same
category) Something must have changed....

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000
_________________________________________________________________
This message (and any attachment) is intended only for the recipient and
may contain confidential and/or privileged material. If you have received
this in error, please contact the sender and delete this message
immediately. Disclosure, copying or other action taken in respect of this
email or in reliance on it is prohibited. BMRB International Limited
accepts no liability in relation to any personal emails, or content of any
email which does not directly relate to our business.

From mailscanner at ecs.soton.ac.uk Tue Mar 4 16:53:48 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:23 2006
Subject: Is the new FAQ working?
In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB0EBF44D@pascal.priv.bmrb.co.uk>
Message-ID: <5.2.0.9.2.20030304165322.03c0bff8@imap.ecs.soton.ac.uk>

At 16:49 04/03/2003, you wrote:
> > Any faq-o-matic experts out there who can help?
> >
> >
>I'm not - but if it helps I seem to be able to edit the answers I put in
>last week, but don't seem to be able to add any (even in the same
>category) Something must have changed....

I have just slackened all the permissions. Let's hope no-one makes a mess
of it :-)

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Tue Mar 4 16:47:49 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:23 2006
Subject: FromTo: not working?
In-Reply-To: <4E7026FF8A422749B1553FE508E0068007EE7F@message.intern.akctech.de>
Message-ID: <5.2.0.9.2.20030304164656.04ae87a8@imap.ecs.soton.ac.uk>

This is really odd. Is it working okay for other people? I'm slightly
worried...
If you tell it to scan messages from "*@mailscanner.info", or just
"mailscanner.info" does it then scan messages I send you?

At 16:43 04/03/2003, you wrote:
> > Yes, just haven't had a chance to reply yet.
> > For some reason, your rules aren't matching, but I can't
> > obviously see why not. Have you got some space after the
> > "FromTo:" ?
>
>I am attaching the file so you can check yourself, ok?
>
> > I'm slightly at a loss to know what to suggest,
> > no-one else appears to have this problem.
>
>I am somehow not surprised... :-)
>
>Regards,
> JP

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Tue Mar 4 16:58:10 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:23 2006
Subject: MailScanner Store
Message-ID: <5.2.0.9.2.20030304165657.02d8a210@imap.ecs.soton.ac.uk>

This has to be the most spectacular failure I have seen in quite a while.
Since setting it up, I have sold 4 (yes, four!) items.
Boy, am I glad I don't have to pay any rental for the space! :-)

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From Kevin.Spicer at BMRB.CO.UK Tue Mar 4 17:09:44 2003
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin) Date: Thu Jan 12 21:17:23 2006 Subject: FromTo: not working? Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0A4AD4C@pascal.priv.bmrb.co.uk> Complete shot in the dark... as the original post doesn't say which domain isn't being scanned & I'm not sure whether MS accepts mixed tabs and spaces, but there is a space and a tab after *@akctech.de whereas everything else is tab separated. > -----Original Message----- 
> From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] > Sent: 04 March 2003 16:48 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: FromTo: not working? > > > This is really odd. Is it working okay for other people? I'm slightly > worried... > If you tell it to scan messages from "*@mailscanner.info", or just > "mailscanner.info" does it then scan messages I send you? > > At 16:43 04/03/2003, you wrote: > > > > > > Yes, just haven't had a chance to reply yet. > > > For some reason, your rules aren't matching, but I can't > > > obviously see why not. Have you got some space after the > > > "FromTo:" ? > > > >I am attaching the file so you can check yourself, ok? > > > > > I'm slightly at a loss to know what to suggest, > > > no-one else appears to have this problem. > > > >I am somehow not surprised... :-) > > > >Regards, > > JP > > -- > Julian Field > www.MailScanner.info > MailScanner thanks transtec Computers for their support > BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 From jaearick at COLBY.EDU Tue Mar 4 17:13:16 2003 
From: jaearick at COLBY.EDU (Jeff A. Earickson) Date: Thu Jan 12 21:17:23 2006 Subject: Is the new FAQ working? In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB0EBF44D@pascal.priv.bmrb.co.uk> References: <5C0296D26910694BB9A9BBFC577E7AB0EBF44D@pascal.priv.bmrb.co.uk> Message-ID: Julian, Despite the fact that I originally suggested faqomatic, I'm no expert with it. I went to "hints for writing FAQ entries", added a test blurb, appended another test blurb, went back to the top level, and didn't see anything. Maybe adding entries requires approval by you before it appears publically? --- Jeff Earickson From dot at DOTAT.AT Tue Mar 4 17:37:11 2003 From: dot at DOTAT.AT (Tony Finch) Date: Thu Jan 12 21:17:23 2006 Subject: Is the new FAQ working? In-Reply-To: Message-ID: Julian Field wrote: > >I have just slackened all the permissions. Let's hope no-one makes a mess >of it :-) Ah good, it has now successfully emailed me a secret. Tony. -- f.a.n.finch http://dotat.at/ CROMARTY FORTH: SOUTH 5 TO 7, OCCASIONALLY GALE 8 IN CROMARTY AT FIRST. RAIN AT FIRST. MODERATE OCCASIONALLY POOR, BECOMING GOOD. From mailscanner at ecs.soton.ac.uk Tue Mar 4 17:38:38 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:23 2006 Subject: Is the new FAQ working? In-Reply-To: References: <5C0296D26910694BB9A9BBFC577E7AB0EBF44D@pascal.priv.bmrb.co.uk> <5C0296D26910694BB9A9BBFC577E7AB0EBF44D@pascal.priv.bmrb.co.uk> Message-ID: <5.2.0.9.2.20030304173358.022d2e50@imap.ecs.soton.ac.uk> At 17:13 04/03/2003, you wrote: >Julian, > > Despite the fact that I originally suggested faqomatic, I'm no >expert with it. I went to "hints for writing FAQ entries", added >a test blurb, appended another test blurb, went back to the top >level, and didn't see anything. Maybe adding entries requires >approval by you before it appears publically? Most things require you to be an authenticated user, but nothing should require more than that. It certainly hasn't sent me any mail informing me of edits. I'll try enabling that and see if I get anything. Can you try it again now? -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support From lists at STHOMAS.NET Tue Mar 4 17:58:19 2003 
From: lists at STHOMAS.NET (Steve Thomas) Date: Thu Jan 12 21:17:23 2006 Subject: Still issues with Spamassassin 2.50 and Mailscanner (after patching) In-Reply-To: <35958706-4E1F-11D7-BC8A-000393920D6C@uptime.at> Message-ID: <200303041802.h24I2mRg015726@chips.sthomas.net> | patch). Somehow this setup fails though. it worked for about a week and | now it bombs out on me again. The MailScanner process simply sits there | and eats 99% of the CPU without doing anything. After about 5-6 Minutes I saw pretty much the same thing. I applied Julian's patch, which fixed things for a few days, then everything started behaving as it did before patching SA. I turned off SA within MS, and went back to running SA via a perl wrapper around our MDA. I'm hoping that the next release of SA will fix the problem. Kudos to Julian, BTW, for finding and fixing a problem within someone else's software. Way above and beyond, if you ask me. Steve From iradu at UNITBV.RO Tue Mar 4 17:53:55 2003 
From: iradu at UNITBV.RO (Radu IONESCU)
Date: Thu Jan 12 21:17:23 2006
Subject: flooded by spam
Message-ID:

Hello,

We are using MailScanner in a gateway (RH AS 2.1) for 7 other mail servers.
As MailScanner deals with spam I wish it could handle a problem like ours:)
It's a kind of mail flood, highly disturbing and making me re-evaluate
the mail gateway topology usefulness as I'm using:

Our University domain name is used abusively by some villains in the wild.
They are mass mailing spam with From/Return fields forged with @unitbv.ro.
Daily, thousands of bounced messages are hitting our gateway. It accepts them,
scans them, then sends them internally (mailertables) to our domain server
which in turn refuses them. The gateway root mailbox is flooded with
postmaster notifies and returned messages sent also back to the Internet,
etc.

Either the IP address of the originating server is forged (less probable),
or they are using a lot of relays, as they are always different. Something
like:

Return-Path:
Received: (qmail 17532 invoked from network); 4 Mar 2003 13:56:42 -0000
Received: from unknown (HELO unitbv.ro) (200.149.179.35)
  by mail.theofficenet.com with SMTP; 4 Mar 2003 13:56:42 -0000
Message-ID: <001510c8cc55$ace12883$17115632@jfrcoog.fhp>
From:
To:
Subject: Improve Sense Of well Being 310-3
Date: Tue, 04 Mar 2003 23:38:17 -1100
MIME-Version: 1.0
Content-Type: text/html;
  charset="iso-8859-1"
X-Priority: 3
X-Mailer: Microsoft Outlook Express 5.50.4522.1200
Importance: Normal

(of course IP 200.149.179.35 is far from our address space)

Therefore it is not my hope, that the real spammer could be dropped, but it
would be better to have the gateway refusing immediately such messages,
after RCPT TO. Not starting a whole chain reaction.

It seems that sendmail as set in the gateway host, is not able to do it even
for its users:

mail from:
250 2.1.0 ... Sender ok
rcpt to:
250 2.1.5 ... Recipient ok
data
354 Enter mail, end with "." on a line by itself
test
.
250 2.0.0 h24DukA07795 Message accepted for delivery

(which could have to do with sendmail.cf modified by atMail, a webmail
server installed on the gateway for another domain)

The problem is, to have the gateway checking the user name even before
accepting the message in the queue - perhaps off topic. Or checking the
content (unitbv.ro not associated with our address space), again before
accepting it into the queue(?).

Well, any suggestions/help would be highly welcome, thank you!

Radu IONESCU
Systems Manager, TRANSILVANIA University Brasov

From mailscanner at ecs.soton.ac.uk Tue Mar 4 18:05:12 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:23 2006 Subject: Still issues with Spamassassin 2.50 and Mailscanner (after patching) In-Reply-To: <200303041802.h24I2mRg015726@chips.sthomas.net> References: <35958706-4E1F-11D7-BC8A-000393920D6C@uptime.at> Message-ID: <5.2.0.9.2.20030304180317.02600f50@imap.ecs.soton.ac.uk> At 17:58 04/03/2003, you wrote: >| patch). Somehow this setup fails though. it worked for about a week and >| now it bombs out on me again. The MailScanner process simply sits there >| and eats 99% of the CPU without doing anything. After about 5-6 Minutes > >I saw pretty much the same thing. I applied Julian's patch, which fixed >things for a few days, then everything started behaving as it did before >patching SA. Can you make it do it consistently? If so, I might be able to find out what is causing it and get that problem fixed too. If you can make it do it, and can give me remote access to your system, then I'll have a good go and finding it. >I turned off SA within MS, and went back to running SA via a perl wrapper >around our MDA. I'm hoping that the next release of SA will fix the problem. It's dead easy to download and install SA 2.44 which works fine, until we get the 2.50 problems resolved. >Kudos to Julian, BTW, for finding and fixing a problem within someone else's >software. Way above and beyond, if you ask me. Thanks! -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Tue Mar 4 18:10:16 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:23 2006 Subject: flooded by spam In-Reply-To: Message-ID: <5.2.0.9.2.20030304180821.02643f50@imap.ecs.soton.ac.uk> There have been previous discussions of this issue. Exim is now apparently capable of checking recipient addresses against a file/database. Look in the Exim docs for things to do with SMTP address/user authentication and verification. Can anyone remember the Subject: line from the last time this was discussed? For that matter, can someone put a FAQ together for this problem please? At 17:53 04/03/2003, you wrote: >Hello, > >We are using MailScanner in a gateway (RH AS 2.1) for 7 other mail servers. >As MailScanner deals with spam I wish it could handle a problem like ours:) >It's a kind of mail flood, highly disturbing and making me to re-evaluate >the mail gateway topology usefulness as I'm usin: > >Our University domain name is used abusively by some villains in the wild. >They are mass mailing spam with From/Return fields forged with generated user name>@unitbv.ro. >Daily, thousands bounced messages are hitting our gateway. It accepts them, >scans them, then sends them internally (mailertables) to our domain server >which in turn refuses them. The gateway root mailbox is flooded with >postmaster notifies and returned messages sent also back to the Internet, >etc. > >Either the IP address of the originating server is forged (less probable), >or they are using a lot of relays, as they are always different. Something >like: > >Return-Path: >Received: (qmail 17532 invoked from network); 4 Mar 2003 13:56:42 -0000 >Received: from unknown (HELO unitbv.ro) (200.149.179.35) > by mail.theofficenet.com with SMTP; 4 Mar 2003 13:56:42 -0000 >Message-ID: <001510c8cc55$ace12883$17115632@jfrcoog.fhp> 
>From: >To: >Subject: Improve Sense Of well Being >310-3 >Date: Tue, 04 Mar 2003 23:38:17 -1100 >MIME-Version: 1.0 >Content-Type: text/html; > charset="iso-8859-1" >X-Priority: 3 >X-Mailer: Microsoft Outlook Express 5.50.4522.1200 >Importance: Normal > >(of course IP 200.149.179.35 is far from our address space) > >Therefore it is not my hope, that the real spammer could be dropped, but it >would be better to have the gateway refusing immediately such messages, >after RCPT TO. Not starting a whole chain reaction. > >It seems that sendmail as set in the gateway host, is not able to do it even >for its users: > >mail from: >250 2.1.0 ... Sender ok >rcpt to: >250 2.1.5 ... Recipient ok >data >354 Enter mail, end with "." on a line by itself >test >. >250 2.0.0 h24DukA07795 Message accepted for delivery > >(which could have to do with sendmail.cf modified by atMail, a webmail >server installed on the gateway for another domain) > >The problem is, to have the gateway checking the user name even before >accepting the message in the queue - perhaps off topic. Or checking the >content (unitbv.ro not associated with our address space), again before >accepting it into the queue(?). > >Well, any sugestions/help would be highly welcome, thank you! > >Radu IONESCU >Systems Manager, TRANSILVANIA University Brasov -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support From mailscanner at LISTS.COM.AR Tue Mar 4 18:27:55 2003 
From: mailscanner at LISTS.COM.AR (Mariano Absatz)
Date: Thu Jan 12 21:17:23 2006
Subject: flooded by spam
In-Reply-To: <5.2.0.9.2.20030304180821.02643f50@imap.ecs.soton.ac.uk>
References:
Message-ID: <3E64C5FB.15742.5D4D973D@localhost>

Anyway, FTR, this is not a MailScanner problem but a SMTP relay server
problem.

Every time you have a border server you will experience this kind of thing
and, if you're a big ISP with automatic provisioning, you can't even block
these names at the border since you never know if one of these will be used
in two minutes to create a new account.

Nevertheless you should configure your _internal_ servers to reject unknown
users (you don't want to do this on _external_ servers, since this allows
address harvesting).

If you are receiving bounces where the envelope from was forged as coming
from your domain, these bounces should have an envelope from like "<>" and
the internal server's rejection should make your border server simply drop
it (since you can't bounce to "<>").

Regretfully, messages _will_ pass thru your gateway, but they'll be dropped.

Incidentally, 200.149.179.35 is a Brazilian address

whois 200.149.179.35@whois.lacnic.net

sends me to Brazil's whois and:

whois 200.149.179.35@whois.nic.br

tells me it belongs to "Tele Norte Leste Participações S.A."

Furthermore http://moensted.dk/spam/?addr=200.149.179.35&Submit=Submit shows
it listed many times, in particular, as an open proxy... most professional
spammers are abusing proxies nowadays.

On 4 Mar 2003 at 18:10, Julian Field wrote:
> There have been previous discussions of this issue. Exim is now apparently
> capable of checking recipient addresses against a file/database. Look in
> the Exim docs for things to do with SMTP address/user authentication and
> verification.
>
> Can anyone remember the Subject: line from the last time this was discussed?
> For that matter, can someone put a FAQ together for this problem please?
> > At 17:53 04/03/2003, you wrote: > >Hello, > > > >We are using MailScanner in a gateway (RH AS 2.1) for 7 other mail servers. > >As MailScanner deals with spam I wish it could handle a problem like ours:) > >It's a kind of mail flood, highly disturbing and making me to re-evaluate > >the mail gateway topology usefulness as I'm usin: > > > >Our University domain name is used abusively by some villains in the wild. > >They are mass mailing spam with From/Return fields forged with >generated user name>@unitbv.ro. > >Daily, thousands bounced messages are hitting our gateway. It accepts them, > >scans them, then sends them internally (mailertables) to our domain server > >which in turn refuses them. The gateway root mailbox is flooded with > >postmaster notifies and returned messages sent also back to the Internet, > >etc. > > > >Either the IP address of the originating server is forged (less probable), > >or they are using a lot of relays, as they are always different. Something > >like: > > > >Return-Path: > >Received: (qmail 17532 invoked from network); 4 Mar 2003 13:56:42 -0000 > >Received: from unknown (HELO unitbv.ro) (200.149.179.35) > > by mail.theofficenet.com with SMTP; 4 Mar 2003 13:56:42 -0000 > >Message-ID: <001510c8cc55$ace12883$17115632@jfrcoog.fhp> 
> >From: > >To: > >Subject: Improve Sense Of well Being > >310-3 > >Date: Tue, 04 Mar 2003 23:38:17 -1100 > >MIME-Version: 1.0 > >Content-Type: text/html; > > charset="iso-8859-1" > >X-Priority: 3 > >X-Mailer: Microsoft Outlook Express 5.50.4522.1200 > >Importance: Normal > > > >(of course IP 200.149.179.35 is far from our address space) > > > >Therefore it is not my hope, that the real spammer could be dropped, but it > >would be better to have the gateway refusing immediately such messages, > >after RCPT TO. Not starting a whole chain reaction. > > > >It seems that sendmail as set in the gateway host, is not able to do it even > >for its users: > > > >mail from: > >250 2.1.0 ... Sender ok > >rcpt to: > >250 2.1.5 ... Recipient ok > >data > >354 Enter mail, end with "." on a line by itself > >test > >. > >250 2.0.0 h24DukA07795 Message accepted for delivery > > > >(which could have to do with sendmail.cf modified by atMail, a webmail > >server installed on the gateway for another domain) > > > >The problem is, to have the gateway checking the user name even before > >accepting the message in the queue - perhaps off topic. Or checking the > >content (unitbv.ro not associated with our address space), again before > >accepting it into the queue(?). > > > >Well, any sugestions/help would be highly welcome, thank you! > > > >Radu IONESCU > >Systems Manager, TRANSILVANIA University Brasov > > -- > Julian Field > www.MailScanner.info > Professional Support Services at www.MailScanner.biz > MailScanner thanks transtec Computers for their support -- Mariano Absatz El Baby ---------------------------------------------------------- Daddy, why doesn't this magnet pick up this floppy disk? From lists at STHOMAS.NET Tue Mar 4 18:34:55 2003 
From: lists at STHOMAS.NET (Steve Thomas) Date: Thu Jan 12 21:17:23 2006 Subject: flooded by spam In-Reply-To: ; from iradu@UNITBV.RO on Tue, Mar 04, 2003 at 07:53:55PM +0200 References: Message-ID: <20030304103455.A15992@sthomas.net> On Tue, Mar 04, 2003 at 07:53:55PM +0200, Radu IONESCU is rumored to have said: > > Daily, thousands bounced messages are hitting our gateway. It accepts them, > scans them, then sends them internally (mailertables) to our domain server > which in turn refuses them. The gateway root mailbox is flooded with > postmaster notifies and returned messages sent also back to the Internet, > etc. I'm switching over from sendmail to exim here at our office for this exact reason, except our problem is with dictionary style spam attacks, not joe-jobbing. I only have MailScanner integration and mbox-maildir conversion left before making the switch. Our user database is kept in an LDAP directory, which sendmail doesn't play very nicely with. Exim works quite well with LDAP, and also has the capability to reject mail for non-local users at RCPT TO: time based on the results of an LDAP lookup. Very slick. To help subvert the problem, a while back I set up another machine to act as our primary MX. It just accepts mail and forwards it on to the secondary MX, which is actually our primary mail server. The way it forwards is via the aliases file. Every 15 minutes, a perl script queries the LDAP directory and gets a list of valid usernames. It adds the hostname of the primary mail server to the domain (user@example.com becomes user@host.example.com), reads a list of addresses which don't exist in the LDAP dir, then writes the whole thing to /etc/aliases and rebuilds. It's kind of kludgy, but it keeps my mailbox from being inundated with bounces, and keeps the queue dir from overflowing. Spammers, however, have been getting smarter (the only direction they could go). 
They're starting to use secondary MXs for their dictionary attacks, which subverts the entire system I had put in place - hence the switch to exim. If you can, take a look at exim to replace sendmail. It supports LDAP, SQL, dbm files, flat files, etc... I've only been playing with it for about a week, but so far I like what I see. It makes me realize that while sendmail is still very good at what it does, the list of things it doesn't do (or doesn't do well) is growing... St- From cselivanow at QWICNET.COM Tue Mar 4 18:28:10 2003 
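The gateway behaviour discussed in the "flooded by spam" thread above, as an added example that is not code from any poster or from MailScanner, sendmail or Exim: a toy SMTP envelope handler run over the same constructed traffic twice, once accepting every recipient (the "250 2.1.5 ... Recipient ok" session Radu quotes) and once refusing unknown users at RCPT TO. The mailbox names, the Gateway class, the reply wording and the sample traffic are assumptions made for the illustration.

```python
"""Toy model of the gateway in the "flooded by spam" thread (constructed example).

Two policies are compared on the same inbound traffic:
  verify_rcpt=False  accept every recipient and only learn later that the
                     user does not exist (the session quoted in the thread)
  verify_rcpt=True   check the recipient at RCPT TO and refuse unknown users
"""
from dataclasses import dataclass, field

DOMAIN = "unitbv.ro"
# Assumption: the set of real mailboxes. In the thread this list would come
# from LDAP, a database or a flat file; these names are made up.
VALID_USERS = {"iradu", "postmaster"}
NULL_SENDER = ""  # the envelope sender "<>" carried by bounces


def is_valid(rcpt: str) -> bool:
    """True if rcpt is a known mailbox in DOMAIN (the only domain modelled)."""
    local, _, domain = rcpt.rpartition("@")
    return domain.lower() == DOMAIN and local.lower() in VALID_USERS


@dataclass
class Gateway:
    verify_rcpt: bool
    queue: list = field(default_factory=list)     # (sender, rcpt) accepted for delivery
    rejected: list = field(default_factory=list)  # recipients refused at RCPT TO
    bounces: list = field(default_factory=list)   # senders this gateway mailed a bounce to
    dropped: int = 0                              # undeliverable mail with sender <>

    def session(self, sender: str, rcpt: str) -> list:
        """One SMTP envelope exchange; returns the server's reply lines."""
        replies = [f"250 2.1.0 <{sender}>... Sender ok"]
        if self.verify_rcpt and not is_valid(rcpt):
            # Refused before DATA: nothing is queued, scanned or bounced here.
            # The connecting host keeps responsibility for the message.
            self.rejected.append(rcpt)
            replies.append(f"550 5.1.1 <{rcpt}>... User unknown")
            return replies
        replies.append(f"250 2.1.5 <{rcpt}>... Recipient ok")
        replies.append('354 Enter mail, end with "." on a line by itself')
        replies.append("250 2.0.0 Message accepted for delivery")
        self.queue.append((sender, rcpt))
        return replies

    def deliver(self) -> None:
        """Hand the queue to the internal server, which refuses unknown users."""
        for sender, rcpt in self.queue:
            if is_valid(rcpt):
                continue  # delivered to a real mailbox
            if sender == NULL_SENDER:
                self.dropped += 1  # a bounce cannot itself be bounced
            else:
                # Backscatter: the envelope sender is normally forged, so this
                # bounce lands on an uninvolved third party.
                self.bounces.append(sender)
        self.queue.clear()


def constructed_traffic() -> list:
    """Sample envelopes, made up for this example."""
    traffic = [("colleague@example.org", "iradu@unitbv.ro")]  # legitimate mail
    # Bounces for spam that was sent with forged @unitbv.ro senders.
    traffic += [(NULL_SENDER, f"user{n:04d}@unitbv.ro") for n in range(5)]
    # Dictionary-style spam run with forged, non-null senders.
    traffic += [(f"victim{n}@example.net", f"{name}@unitbv.ro")
                for n, name in enumerate(["alice", "bob", "carol"])]
    return traffic


def run(verify_rcpt: bool) -> dict:
    """Feed the sample traffic through one policy and summarise the outcome."""
    gw = Gateway(verify_rcpt)
    accepted = 0
    for sender, rcpt in constructed_traffic():
        if gw.session(sender, rcpt)[-1].startswith("250 2.0.0"):
            accepted += 1
    gw.deliver()
    return {"accepted": accepted,
            "rejected_at_rcpt": len(gw.rejected),
            "bounces_generated": len(gw.bounces),
            "dropped_after_scan": gw.dropped}


if __name__ == "__main__":
    for policy in (False, True):
        print("verify_rcpt =", policy, run(policy))
```

As the thread also notes, answering 550 for unknown users on an external server tells the connecting host which addresses exist, which is the address-harvesting trade-off raised in Mariano's reply.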
From: cselivanow at QWICNET.COM (Chris Selivanow)
Date: Thu Jan 12 21:17:23 2006
Subject: Problem with Outlook attachments (not Rich text problem)
Message-ID: <20030304132810.2efc5613.cselivanow@qwicnet.com>

Hi all-

Here's the situation. My company has a client that now uses the mailscanner
package on their mail server (We installed it). Our problem seems to be with
Outlook 97 attachments, but only some of them. It seems that if a user opens
Outlook 97 and sends an attachment everything is ok and the recipient is
able to save/view the attachment. It also seems that if a user sends an
attachment from an application (MS Excel 97 to be exact), the attachment is
unusable and appears MIME encoded in-line with the email text and after the
Mailscanner "Clean message" signature.

Below is the mail log section from showing the delivery of both types of
attachments. The excel initiated attachment is first in the logs and in the
diff of the message text. The only things that I noticed are the mail file
sizes and the "Encoding:" lines.

Any help is gladly accepted.
-Chris Mar 4 11:53:15 MAIL-SERVER sendmail[30131]: LAA30131: from=, size=9094, class=0, pri=39094, nrcpts=1, msgid=<01C2E244.A3040B80.SENDER>, proto=ESMTP, relay=MAIL-RELAY [aaa.bbb.ccc.ddd] Mar 4 11:53:16 MAIL-SERVER mailscanner[27811]: Scanning 1 messages, 9498 bytes Mar 4 11:53:25 MAIL-SERVER mailscanner[27811]: Scanned 1 messages, 9498 bytes in 4 seconds Mar 4 11:53:26 MAIL-SERVER sendmail[30136]: LAA30131: to=, delay=00:00:11, xdelay=00:00:01, mailer=local, stat=Sent Mar 4 11:53:37 MAIL-SERVER sendmail[30140]: LAA30140: from=, size=19673, class=0, pri=49673, nrcpts=1, msgid=<01C2E244.AFB01040.SENDER>, proto=ESMTP, relay=MAIL-RELAY [aaa.bbb.ccc.ddd] Mar 4 11:53:40 MAIL-SERVER mailscanner[27811]: Scanning 1 messages, 20077 bytes Mar 4 11:53:48 MAIL-SERVER mailscanner[27811]: Scanned 1 messages, 20077 bytes in 3 seconds Mar 4 11:53:50 MAIL-SERVER sendmail[30146]: LAA30140: to=, delay=00:00:14, xdelay=00:00:01, mailer=local, stat=Sent diff -u test-excel test.outlook | more --- test-excel Tue Mar 4 11:49:25 2003 +++ test.outlook Tue Mar 4 11:49:36 2003 @@ -1,20 +1,20 @@ -From SENDER Tue Mar 4 11:48:38 2003 +From SENDER Tue Mar 4 11:48:58 2003 Received: from MAIL-RELAY (MAIL-RELAY [aaa.bbb.ccc.ddd]) - by MAIL-SERVER (8.9.3/8.9.3/Debian/GNU) with ESMTP id LAA30062 - for ; Tue, 4 Mar 2003 11:48:23 -0500 + by MAIL-SERVER (8.9.3/8.9.3/Debian/GNU) with ESMTP id LAA30074 + for ; Tue, 4 Mar 2003 11:48:45 -0500 Received: from vmware-default (host22.internal [192.168.0.22]) - by MAIL-RELAY (8.9.3/8.9.3/Debian 8.9.3-21) with SMTP id LAA15342 - for ; Tue, 4 Mar 2003 11:48:22 -0500 -Received: by localhost with Microsoft MAPI; Tue, 4 Mar 2003 11:48:21 -0500 -Message-ID: <01C2E243.F4EAA5E0.SENDER> + by MAIL-RELAY (8.9.3/8.9.3/Debian 8.9.3-21) with SMTP id LAA15346 + for ; Tue, 4 Mar 2003 11:48:44 -0500 +Received: by localhost with Microsoft MAPI; Tue, 4 Mar 2003 11:48:43 -0500 +Message-ID: <01C2E244.01F9D940.SENDER> 
From: Chris Selivanow To: "'RECEIPIENT'" -Subject: test.xls -Date: Tue, 4 Mar 2003 11:48:20 -0500 +Subject: test 1 +Date: Tue, 4 Mar 2003 11:48:42 -0500 X-Mailer: Microsoft Internet E-mail/MAPI - 8.0.0.4211 -Encoding: 1 TEXT, 140 UUENCODE +Encoding: 1 TEXT, 311 UUENCODE X-MS-Attachment: test.xls 0 00-00-1980 00:00 -Content-type: multipart/mixed; boundary="----------=_1046796515-27811-8" +Content-type: multipart/mixed; boundary="----------=_1046796535-27811-9" X-MailScanner: Found to be clean X-MailScanner-SpamCheck: not spam, SpamAssassin (score=1.1, required 6, AWL, LINES_OF_YELLING, SPAM_PHRASE_00_01, UPPERCASE_50_75) @@ -23,7 +23,7 @@ The following is a multipart MIME message which was extracted from a uuencoded message. -------------=_1046796515-27811-8 +------------=_1046796535-27811-9 -- Chris Selivanow 585 582-1600 Lead Technician 585 624-3465 (fax) QwicNet, Inc. http://www.qwicnet.com From dpowell at LSSI.NET Tue Mar 4 19:10:24 2003 
From: dpowell at LSSI.NET (Darrin Powell) Date: Thu Jan 12 21:17:23 2006 Subject: Email generated by cron.hourly Message-ID: <1046805024.22989.377.camel@powell> Is there anyway I can get this email to stop coming out? Looks as if it is reporting the files not being there?? I am using MailScanner 4.13-3 with Sophos and Spamassassin. Email body /etc/cron.hourly/update_virus_scanners: /usr/lib/MailScanner/clamav-wrapper: /usr/local/bin/clamscan: No such file or directory /usr/lib/MailScanner/clamav-wrapper: exec: /usr/local/bin/clamscan: cannot execute: No such file or directory /usr/lib/MailScanner/f-prot-wrapper: /usr/local/f-prot/f-prot: No such file or directory /usr/lib/MailScanner/f-prot-wrapper: exec: /usr/local/f-prot/f-prot: cannot execute: No such file or directory /usr/lib/MailScanner/kaspersky-wrapper: /opt/AVP/kavscanner: No such file or directory /usr/lib/MailScanner/kaspersky-wrapper: exec: /opt/AVP/kavscanner: cannot execute: No such file or directory /usr/lib/MailScanner/mcafee-wrapper: /usr/local/uvscan/uvscan: No such file or directory /usr/lib/MailScanner/mcafee-wrapper: exec: /usr/local/uvscan/uvscan: cannot execute: No such file or directory sh: /usr/local/rav8/bin/ravlin8: No such file or directory Thanks Darrin From Denis.Beauchemin at USHERBROOKE.CA Tue Mar 4 19:11:53 2003 
From: Denis.Beauchemin at USHERBROOKE.CA (Denis Beauchemin)
Date: Thu Jan 12 21:17:23 2006
Subject: flooded by spam
In-Reply-To: <20030304103455.A15992@sthomas.net>
References: <20030304103455.A15992@sthomas.net>
Message-ID: <1046805113.1602.66.camel@dbeauchemin.si.usherbrooke.ca>

On Tue 04/03/2003 at 13:34, Steve Thomas wrote:
> Our user database is kept in an LDAP directory, which sendmail doesn't play very nicely with. Exim works quite well with LDAP, and also has the capability to reject mail for non-local users at RCPT TO: time based on the results of an LDAP lookup. Very slick.

We're using sendmail sendmail-8.11.6-23.73 (on Red Hat 7.3) with LDAP and it works very well.

> To help subvert the problem, a while back I set up another machine to act as our primary MX. It just accepts mail and forwards it on to the secondary MX, which is actually our primary mail server. The way it forwards is via the aliases file. Every 15 minutes, a perl script queries the LDAP directory and gets a list of valid usernames. It adds the hostname of the primary mail server to the domain (user@example.com becomes user@host.example.com), reads a list of addresses which don't exist in the LDAP dir, then writes the whole thing to /etc/aliases and rebuilds. It's kind of kludgy, but it keeps my mailbox from being inundated with bounces, and keeps the queue dir from overflowing.
>
> Spammers, however, have been getting smarter (the only direction they could go). They're starting to use secondary MXs for their dictionary attacks, which subverts the entire system I had put in place - hence the switch to exim.

If you are running on Linux, you could make quite easily (with iptables or ipchains) your secondary MX accept incoming mail only from your primary MX, thus forcing everyone to talk directly with your border systems.

Denis
--
Denis Beauchemin, analyst
Université de Sherbrooke, S.T.I.
T: 819.821.8000x2252 F: 819.821.8045

From dot at DOTAT.AT Tue Mar 4 19:15:47 2003
From: dot at DOTAT.AT (Tony Finch) Date: Thu Jan 12 21:17:23 2006 Subject: flooded by spam In-Reply-To: References: Message-ID: Julian Field wrote: >There have been previous discussions of this issue. Exim is now apparently >capable of checking recipient addresses against a file/database. Look in >the Exim docs for things to do with SMTP address/user authentication and >verification. The keyword is "ACLs" (see the URL below). Note that one of the ways you can do recipient checking in Exim that is particularly useful for an email hub that does onward delivery to other servers (especially if they have different sysadmins) is the callout check which contacts the destination host via SMTP in order to ask it to verify the recipient. No user database required on the hub! You can also do callout checking for the return path, which can greatly reduce the number of bounced bounces you have to deal with. http://www.exim.org/exim-html-4.10/doc/html/spec_37.html Tony. -- f.a.n.finch http://dotat.at/ ARDNAMURCHAN POINT TO CAPE WRATH INCLUDING THE OUTER HEBRIDES: SOUTHEAST VEERING SOUTHWEST 5 TO 7, BACKING SOUTH 6 TO GALE 8 FOR A TIME. RAIN THEN SHOWERS. MODERATE BECOMING GOOD. MODERATE OR ROUGH, LOCALLY VERY ROUGH IN THE WEST. From ap at HPI.COM Tue Mar 4 19:23:23 2003 From: ap at HPI.COM (Adam Polkosnik) Date: Thu Jan 12 21:17:23 2006 Subject: Email generated by cron.hourly In-Reply-To: <1046805024.22989.377.camel@powell> Message-ID: It seems that you forget to update the wrappers http://www.sng.ecs.soton.ac.uk/mailscanner/downloads.shtml Best regards, Adam Polkosnik HPI IT Dept -----Original Message----- 
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Darrin Powell Sent: Tuesday, March 04, 2003 2:10 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Email generated by cron.hourly Is there anyway I can get this email to stop coming out? Looks as if it is reporting the files not being there?? I am using MailScanner 4.13-3 with Sophos and Spamassassin. Email body /etc/cron.hourly/update_virus_scanners: /usr/lib/MailScanner/clamav-wrapper: /usr/local/bin/clamscan: No such file or directory /usr/lib/MailScanner/clamav-wrapper: exec: /usr/local/bin/clamscan: cannot execute: No such file or directory /usr/lib/MailScanner/f-prot-wrapper: /usr/local/f-prot/f-prot: No such file or directory /usr/lib/MailScanner/f-prot-wrapper: exec: /usr/local/f-prot/f-prot: cannot execute: No such file or directory /usr/lib/MailScanner/kaspersky-wrapper: /opt/AVP/kavscanner: No such file or directory /usr/lib/MailScanner/kaspersky-wrapper: exec: /opt/AVP/kavscanner: cannot execute: No such file or directory /usr/lib/MailScanner/mcafee-wrapper: /usr/local/uvscan/uvscan: No such file or directory /usr/lib/MailScanner/mcafee-wrapper: exec: /usr/local/uvscan/uvscan: cannot execute: No such file or directory sh: /usr/local/rav8/bin/ravlin8: No such file or directory Thanks Darrin From mike at CAMAROSS.NET Tue Mar 4 19:33:53 2003 
From: mike at CAMAROSS.NET (Mike Kercher) Date: Thu Jan 12 21:17:23 2006 Subject: Sophos Updates In-Reply-To: Message-ID: <00f901c2e284$fe5eeeb0$6a01a8c0@home.middlefinger.net> I know we had this discussion a few months back about automating the update of Sophos monthly. I emailed the folks at Sophos and they replied with a script. The script they provided checks date stamps and only downloads if necessary. I have modified it somewhat to fit my needs. If anyone would like a copy of the script in its original form, I'd be happy to post it to the list or off-list if that's more desirable. Mike From mailscanner at ecs.soton.ac.uk Tue Mar 4 19:14:08 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:23 2006 Subject: Email generated by cron.hourly In-Reply-To: <1046805024.22989.377.camel@powell> Message-ID: <5.2.0.9.2.20030304191258.03b04ea8@imap.ecs.soton.ac.uk> Check the contents of your /usr/lib/MailScanner directory. If you have a bunch of .rpmnew files, then rename each one over the top of the existing -wrapper file. There is a script to do this for you on the downloads page. You are running with old -wrapper scripts. At 19:10 04/03/2003, you wrote: >Is there anyway I can get this email to stop coming out? Looks as if it >is reporting the files not being there?? I am using MailScanner 4.13-3 >with Sophos and Spamassassin. > >Email body > >/etc/cron.hourly/update_virus_scanners: > >/usr/lib/MailScanner/clamav-wrapper: /usr/local/bin/clamscan: No such >file or directory >/usr/lib/MailScanner/clamav-wrapper: exec: /usr/local/bin/clamscan: >cannot execute: No such file or directory >/usr/lib/MailScanner/f-prot-wrapper: /usr/local/f-prot/f-prot: No such >file or directory >/usr/lib/MailScanner/f-prot-wrapper: exec: /usr/local/f-prot/f-prot: >cannot execute: No such file or directory >/usr/lib/MailScanner/kaspersky-wrapper: /opt/AVP/kavscanner: No such >file or directory >/usr/lib/MailScanner/kaspersky-wrapper: exec: /opt/AVP/kavscanner: >cannot execute: No such file or directory >/usr/lib/MailScanner/mcafee-wrapper: /usr/local/uvscan/uvscan: No such >file or directory >/usr/lib/MailScanner/mcafee-wrapper: exec: /usr/local/uvscan/uvscan: >cannot execute: No such file or directory >sh: /usr/local/rav8/bin/ravlin8: No such file or directory > > >Thanks >Darrin -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support From lists at STHOMAS.NET Tue Mar 4 19:46:09 2003 
From: lists at STHOMAS.NET (Steve Thomas) Date: Thu Jan 12 21:17:23 2006 Subject: flooded by spam In-Reply-To: <1046805113.1602.66.camel@dbeauchemin.si.usherbrooke.ca> Message-ID: | We're using sendmail sendmail-8.11.6-23.73 (on Red Hat 7.3) with LDAP | and it works very well. The documentation I found on sendmail's LDAP support didn't seem very good. Maybe I just hadn't had enough coffee that day (or too much), but it was confusing as all get out. Correct me if I'm wrong, but it also looked like in order to use what LDAP functionality sendmail provided, you had to include sendmail-specific schema. Exim gives you a lot more flexibility than that, and was much easier to understand and configure. | If you are running on Linux, you could make quite easily (with iptables | or ipchains) your secondary MX accept incoming mail only from your | primary MX, thus forcing everyone to talk directly with your border | systems. I could, but that would defeat the purpose of having multiple MXs. We also need to provide remote users with SMTP AUTH, which is only done via the primary mail server (2nd MX), so port 25 has to be open to the world. St- From dpowell at LSSI.NET Tue Mar 4 19:50:11 2003 From: dpowell at LSSI.NET (Darrin Powell) Date: Thu Jan 12 21:17:23 2006 Subject: Email generated by cron.hourly In-Reply-To: References: Message-ID: <1046807411.22983.414.camel@powell> That was it. Thanks Darrin On Tue, 2003-03-04 at 14:23, Adam Polkosnik wrote: > It seems that you forget to update the wrappers > > http://www.sng.ecs.soton.ac.uk/mailscanner/downloads.shtml > > Best regards, > Adam Polkosnik > HPI IT Dept > > > -----Original Message----- 
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > Behalf Of Darrin Powell > Sent: Tuesday, March 04, 2003 2:10 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Email generated by cron.hourly > > > Is there anyway I can get this email to stop coming out? Looks as if it > is reporting the files not being there?? I am using MailScanner 4.13-3 > with Sophos and Spamassassin. > > Email body > > /etc/cron.hourly/update_virus_scanners: > > /usr/lib/MailScanner/clamav-wrapper: /usr/local/bin/clamscan: No such > file or directory > /usr/lib/MailScanner/clamav-wrapper: exec: /usr/local/bin/clamscan: > cannot execute: No such file or directory > /usr/lib/MailScanner/f-prot-wrapper: /usr/local/f-prot/f-prot: No such > file or directory > /usr/lib/MailScanner/f-prot-wrapper: exec: /usr/local/f-prot/f-prot: > cannot execute: No such file or directory > /usr/lib/MailScanner/kaspersky-wrapper: /opt/AVP/kavscanner: No such > file or directory > /usr/lib/MailScanner/kaspersky-wrapper: exec: /opt/AVP/kavscanner: > cannot execute: No such file or directory > /usr/lib/MailScanner/mcafee-wrapper: /usr/local/uvscan/uvscan: No such > file or directory > /usr/lib/MailScanner/mcafee-wrapper: exec: /usr/local/uvscan/uvscan: > cannot execute: No such file or directory > sh: /usr/local/rav8/bin/ravlin8: No such file or directory > > > Thanks > Darrin From steinkel at PA.NET Tue Mar 4 19:55:00 2003 
From: steinkel at PA.NET (Leland J. Steinke) Date: Thu Jan 12 21:17:23 2006 Subject: postfix compatability? References: <5.2.0.9.2.20030303223107.02273fe0@imap.ecs.soton.ac.uk> Message-ID: <3E650494.4080305@pa.net> Julian Field wrote: > Any chance of you publishing all your scripts to make your setup work? They > would help a lot of people. > The perl scripts, along with our master.cf file, are in the attached archive. Yes, the scripts can be improved to run more quickly or converted to C, but they are working well enough for us. The final piece is to set the Sendmail2 config option to "/usr/local/spoolerator/despool.pl", while leaving the MTA as sendmail. (Naturally, one can change the location of these scripts to whatever fits your local preferences.) One of our design goals was to minimize hacking on either postfix or MailScanner. With only a single line change in MailScanner.conf and two lines in /etc/postfix/master.cf, I believe we succeeded in that design goal. Leland ps: Be sure to set the spool.pl file to point to the appropriate directories. pps: Test, test, and test again before fielding this on a live system!!! -------------- next part -------------- A non-text attachment was scrubbed... Name: spoolerator.tar.gz Type: application/x-gzip Size: 3359 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030304/9359a92c/spoolerator.tar.gz From mailscanner at LISTS.COM.AR Tue Mar 4 20:08:25 2003 
From: mailscanner at LISTS.COM.AR (Mariano Absatz)
Date: Thu Jan 12 21:17:23 2006
Subject: Is the new FAQ working?
In-Reply-To: <5.2.0.9.2.20030304173358.022d2e50@imap.ecs.soton.ac.uk>
References:
Message-ID: <3E64DD89.21800.5DA99E13@localhost>

It's working fine now... I browsed it all and trashed the "New Item" answers that got spread all over during the weekend of try&fail... Just in case, I added a link to the trashcan in the main page.

For all the people that tried to collaborate and were unable, please try again so we can populate the faq...

The hints (or faq on faq-o-matic) section is at http://MailScanner.info/serve/cache/52.html

I added a playground in case someone wants to try how it works before committing (I found a couple of entries doing just that). It's at http://MailScanner.info/serve/cache/82.html

On 4 Mar 2003 at 17:38, Julian Field wrote:
> At 17:13 04/03/2003, you wrote:
> >Julian,
> >
> > Despite the fact that I originally suggested faqomatic, I'm no
> >expert with it. I went to "hints for writing FAQ entries", added
> >a test blurb, appended another test blurb, went back to the top
> >level, and didn't see anything. Maybe adding entries requires
> >approval by you before it appears publicly?
>
> Most things require you to be an authenticated user, but nothing should
> require more than that. It certainly hasn't sent me any mail informing me
> of edits. I'll try enabling that and see if I get anything.
>
> Can you try it again now?
> --
> Julian Field
> www.MailScanner.info
> Professional Support Services at www.MailScanner.biz
> MailScanner thanks transtec Computers for their support

--
Mariano Absatz
El Baby
----------------------------------------------------------
Love is the answer, but while you're waiting for the answer, sex raises some pretty interesting questions.
-- Woody Allen

From paul at ESPMAIL.CO.UK Tue Mar 4 23:08:11 2003
From: paul at ESPMAIL.CO.UK (Paul Welsh) Date: Thu Jan 12 21:17:23 2006 Subject: Messages Waiting References: <3E64DD89.21800.5DA99E13@localhost> Message-ID: <008a01c2e2a2$f1128fa0$ece230d5@espmail> When MailScanner restarts I get a lot of messages waiting, yet my mailq is more or less empty. So what are these waiting messages? Mar 4 22:34:47 www mailscanner[2604]: Startup: found 345 messages waiting From howard at harper-adams.ac.uk Wed Mar 5 09:35:42 2003 From: howard at harper-adams.ac.uk (Howard Robinson) Date: Thu Jan 12 21:17:23 2006 Subject: MailScanner Store In-Reply-To: <5.2.0.9.2.20030304165657.02d8a210@imap.ecs.soton.ac.uk> Message-ID: <200303050932.h259WWm01866@blackhole.harper-adams.ac.uk> On 4 Mar 03, at 16:58, Julian Field wrote: > This has to be the most spectacular failure I have seen in quite a while. > Since setting it up, I have sold 4 (yes, four!) items. > Hmm could these be on the Antiques Road Show in twenty years with silly price tags? > Boy, am I glad I don't have to pay any rental for the space! :-) > -- > Julian Field > www.MailScanner.info > MailScanner thanks transtec Computers for their support Regards Howard Robinson (Senior Technical Development Officer) Harper Adams University College Edgmond Newport Shropshire TF10 8NB UK E-mail: hrobinson@harper-adams.ac.uk Tel. : +44(0)1952 820280 Via switchboard : +44(0)1952 815253 Direct line Fax. : +44(0)1952 814783 College Web site http://www.harper-adams.ac.uk From thomas.zajic at ROCKSTARVIENNA.COM Wed Mar 5 09:49:49 2003 
From: thomas.zajic at ROCKSTARVIENNA.COM (Thomas Zajic)
Date: Thu Jan 12 21:17:23 2006
Subject: FromTo: not working?
In-Reply-To: <4E7026FF8A422749B1553FE508E0068007EE7F@message.intern.akctech.de>
References: <4E7026FF8A422749B1553FE508E0068007EE7F@message.intern.akctech.de>
Message-ID: <20030305094949.GA425@thomas.neo.at>

On Tue, Mar 04, 2003 at 05:43:45PM +0100, Jan-Peter Koopmann wrote:
> > Yes, just haven't had a chance to reply yet.
> > For some reason, your rules aren't matching, but I can't
> > obviously see why not. Have you got some space after the
> > "FromTo:" ?
>
> I am attaching the file so you can check yourself, ok?
> [...]

Although the file looks okay at a first glance, there are a couple of things which might or might not confuse MailScanner:

[zlatko@thomas]:~/tmp$ od -t c virus.scanning.rules
0000000 F r o m T o : \t * @ a k c t e c
0000020 h . d e \t y e s \t \n F r o m T
0000040 o : \t * @ s e c e i d o s . d e
0000060 \t y e s \n F r o m T o : \t * @ s
0000100 e c e i d o s . n e t \t y e s \n
0000120 F r o m T o : * @ s e c e i d
0000140 o s . o r g \t y e s \n F r o m T
0000160 o : * @ s e c e i d o s . c o
0000200 m \t y e s \n F r o m T o : * @
0000220 t e l e f o n i a . d e \t y e s
0000240 \n F r o m T o : \t d e f a u l t
0000260 \t \t n o \n
0000265

This translates to:

FromTo:*@akctech.deyes
FromTo:*@seceidos.deyes
FromTo:*@seceidos.netyes
FromTo:*@seceidos.orgyes
FromTo:*@seceidos.comyes
FromTo:*@telefonia.deyes
FromTo:defaultno

A superfluous and in line 1, and instead of as field separators in lines 4, 5 and 6. Julian, how does your rule file parser handle this? :-)

HTH,
Thomas
--
-----------------------------
Thomas Zajic system administrator ROCKSTAR VIENNA www.rockstarvienna.com

From mailscanner at ecs.soton.ac.uk Wed Mar 5 10:15:34 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:23 2006
Subject: Messages Waiting
In-Reply-To: <008a01c2e2a2$f1128fa0$ece230d5@espmail>
References: <3E64DD89.21800.5DA99E13@localhost>
Message-ID: <5.2.0.9.2.20030305101345.024cff98@imap.ecs.soton.ac.uk>

At 23:08 04/03/2003, you wrote:
>When MailScanner restarts I get a lot of messages waiting, yet my mailq
>is more or less empty.
>
>So what are these waiting messages?
>
>Mar 4 22:34:47 www mailscanner[2604]: Startup: found 345 messages
>waiting

You may well have loads of orphaned files in mqueue.in. You can safely delete
1) anything old
2) any df files without matching qf files
3) any qf files without matching df files
4) any xf files
But make sure sendmail isn't running when you do this.
--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Wed Mar 5 10:40:21 2003
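The checklist in the reply above, as a report-only script. This is an added example, not part of the thread or of MailScanner: the function name, the 7-day cutoff for "old" (the reply names no threshold) and the queue IDs in the demo are assumptions.

```python
import os
import tempfile
import time


def find_orphans(queue_dir, max_age_days=7, now=None):
    """Classify sendmail-style queue files (dfID, qfID, xfID) in queue_dir.

    Only reports; nothing is deleted. Run any clean-up based on the report
    with sendmail stopped, as the reply says.
    """
    now = time.time() if now is None else now
    cutoff = now - max_age_days * 86400  # assumed meaning of "old"

    # name -> mtime for regular files only (never follow symlinks in a spool)
    files = {}
    for entry in os.scandir(queue_dir):
        if entry.is_file(follow_symlinks=False):
            files[entry.name] = entry.stat(follow_symlinks=False).st_mtime

    # Group queue IDs by their two-letter file type prefix.
    ids = {"df": set(), "qf": set(), "xf": set()}
    for name in files:
        prefix, qid = name[:2], name[2:]
        if prefix in ids and qid:
            ids[prefix].add(qid)

    return {
        "df_without_qf": sorted("df" + i for i in ids["df"] - ids["qf"]),
        "qf_without_df": sorted("qf" + i for i in ids["qf"] - ids["df"]),
        "xf": sorted("xf" + i for i in ids["xf"]),
        "old": sorted(n for n, mtime in files.items() if mtime < cutoff),
    }


if __name__ == "__main__":
    # Constructed demo queue: one healthy pair, two orphans, one xf file.
    demo = tempfile.mkdtemp(prefix="mqueue.in-demo-")
    for name in ("dfLAA00001", "qfLAA00001", "dfLAA00002",
                 "qfLAA00003", "xfLAA00001"):
        open(os.path.join(demo, name), "w").close()
    for category, names in find_orphans(demo).items():
        print(category, names)
```
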
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:23 2006 Subject: FromTo: not working? In-Reply-To: <4E7026FF8A422749B1553FE508E0068007EE7F@message.intern.akct ech.de> Message-ID: <5.2.0.9.2.20030305103836.02530b08@imap.ecs.soton.ac.uk> At 16:43 04/03/2003, you wrote: > > Yes, just haven't had a chance to reply yet. > > For some reason, your rules aren't matching, but I can't > > obviously see why not. Have you got some space after the > > "FromTo:" ? > >I am attaching the file so you can check yourself, ok? > > > I'm slightly at a loss to know what to suggest, > > no-one else appears to have this problem. > >I am somehow not surprised... :-) I have just tested your exact rules file, totally untouched, with messages coming from seceidos.de and messages not coming from there. It worked 100% as I would have expected it to work, so it's not a bug. Either you have a corrupted copy of MailScanner, or your envelope sender addresses aren't what you think they are. Other than that, I'm out of ideas :-( -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Wed Mar 5 10:33:02 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:23 2006
Subject: FromTo: not working?
In-Reply-To: <20030305094949.GA425@thomas.neo.at>
References: <4E7026FF8A422749B1553FE508E0068007EE7F@message.intern.akctech.de> <4E7026FF8A422749B1553FE508E0068007EE7F@message.intern.akctech.de>
Message-ID: <5.2.0.9.2.20030305102825.02530e40@imap.ecs.soton.ac.uk>

At 09:49 05/03/2003, you wrote:
>On Tue, Mar 04, 2003 at 05:43:45PM +0100, Jan-Peter Koopmann wrote:
> > > Yes, just haven't had a chance to reply yet.
> > > For some reason, your rules aren't matching, but I can't
> > > obviously see why not. Have you got some space after the
> > > "FromTo:" ?
> >
> > I am attaching the file so you can check yourself, ok?
> > [...]
>
>Although the file looks okay at a first glance, there are a couple of
>things which might or might not confuse MailScanner:
>
>[zlatko@thomas]:~/tmp$ od -t c virus.scanning.rules
>0000000 F r o m T o : \t * @ a k c t e c
>0000020 h . d e \t y e s \t \n F r o m T
>0000040 o : \t * @ s e c e i d o s . d e
>0000060 \t y e s \n F r o m T o : \t * @ s
>0000100 e c e i d o s . n e t \t y e s \n
>0000120 F r o m T o : * @ s e c e i d
>0000140 o s . o r g \t y e s \n F r o m T
>0000160 o : * @ s e c e i d o s . c o
>0000200 m \t y e s \n F r o m T o : * @
>0000220 t e l e f o n i a . d e \t y e s
>0000240 \n F r o m T o : \t d e f a u l t
>0000260 \t \t n o \n
>0000265
>
>This translates to:
>
>FromTo:*@akctech.deyes
>FromTo:*@seceidos.deyes
>FromTo:*@seceidos.netyes
>FromTo:*@seceidos.orgyes
>FromTo:*@seceidos.comyes
>FromTo:*@telefonia.deyes
>FromTo:defaultno

+ a on the end of the last line.

>A superfluous and in line 1, and instead of as
>field separators in lines 4, 5 and 6. Julian, how does your rule file parser
>handle this? :-)

The parser does this:

/^(\S+)\s+(\S+)\s+(.+)$/

which matches when any whitespace is used, so long as there's something there.

If this doesn't match, then a warning is put in the maillog about the syntax error. So this is working: if you don't get a syntax error then it should have worked.

And why is no-one else hitting this problem? I would expect loads of people to be complaining if this was really a problem in the code :-(
--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

From dbird at SGHMS.AC.UK Wed Mar 5 10:57:31 2003
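The regex quoted in the reply above, applied to a rules file modelled on the `od` dump in this thread. This is an added example, not MailScanner's own code (MailScanner is Perl; Python's `re` treats this pattern the same way). The sample text is constructed, and the function names and finding labels are assumptions. It shows that tab and space separators both match, and that trailing whitespace ends up inside the third captured field; whether MailScanner trims that field afterwards is not stated in the thread.

```python
import re

# The pattern exactly as quoted in the reply: three whitespace-separated fields.
RULE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(.+)$")
# Same pattern with the separators captured too, so the linter can inspect them.
_SEP_RE = re.compile(r"^(\S+)(\s+)(\S+)(\s+)(.+)$")

# Constructed sample modelled on the od dump: a trailing tab on line 1,
# a single space after "FromTo:" on lines 4-6, a double tab on the last line.
SAMPLE_RULES = (
    "FromTo:\t*@akctech.de\tyes\t\n"
    "FromTo:\t*@seceidos.de\tyes\n"
    "FromTo:\t*@seceidos.net\tyes\n"
    "FromTo: *@seceidos.org\tyes\n"
    "FromTo: *@seceidos.com\tyes\n"
    "FromTo: *@telefonia.de\tyes\n"
    "FromTo:\tdefault\t\tno\n"
)


def parse_rule(line):
    """Return (direction, pattern, value), or None where the regex fails."""
    m = RULE_RE.match(line.rstrip("\n"))
    return m.groups() if m else None


def lint_rules(text):
    """Return (line number, finding) pairs for a rules file given as a string."""
    findings = []
    for lineno, line in enumerate(text.split("\n"), 1):
        if line == "":
            continue  # skipping empty lines is a choice of this sketch
        m = _SEP_RE.match(line)
        if m is None:
            # Fewer than three fields: the case the reply says is logged.
            findings.append((lineno, "syntax-error"))
            continue
        _, sep1, _, sep2, value = m.groups()
        if value != value.rstrip():
            # (.+) is greedy and "." matches tab, space and CR.
            findings.append((lineno, "trailing-whitespace"))
        if " " in sep1 or " " in sep2:
            # Accepted by \s+, but worth knowing when files are hand-edited.
            findings.append((lineno, "space-separator"))
    return findings


if __name__ == "__main__":
    for lineno, finding in lint_rules(SAMPLE_RULES):
        print(f"line {lineno}: {finding}")
    print(parse_rule("FromTo:\t*@akctech.de\tyes\t"))
```
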
From: dbird at SGHMS.AC.UK (Daniel Bird) Date: Thu Jan 12 21:17:23 2006 Subject: SA2.50 problems Message-ID: <3E65D81B.6030604@sghms.ac.uk> For info, RH7.3 MS4.11-1 SA2.50 (with patch) Razor 2.22 This morning we had the following errors in our mail.log Mar 5 10:20:05 mailhub1 MailScanner[1321]: Creating hardcoded struct_flock subroutine for linux (Linux-type) Mar 5 10:20:06 mailhub1 MailScanner[1306]: SpamAssassin timed out and was killed, consecutive failure 1 of 20 Mar 5 10:20:22 mailhub1 MailScanner[1353]: Using locktype = posix Mar 5 10:20:22 mailhub1 MailScanner[1353]: Creating hardcoded struct_flock subroutine for linux (Linux-type) Mar 5 10:20:38 mailhub1 MailScanner[1306]: SpamAssassin timed out and was killed, consecutive failure 2 of 20 Mar 5 10:20:38 mailhub1 MailScanner[1354]: Using locktype = posix Mar 5 10:20:38 mailhub1 MailScanner[1354]: Creating hardcoded struct_flock subroutine for linux (Linux-type) Mar 5 10:20:55 mailhub1 MailScanner[1355]: Using locktype = posix Mar 5 10:20:55 mailhub1 MailScanner[1355]: Creating hardcoded struct_flock subroutine for linux (Linux-type) Mar 5 10:21:09 mailhub1 MailScanner[1306]: SpamAssassin timed out and was killed, consecutive failure 3 of 20 Mar 5 10:21:40 mailhub1 MailScanner[1306]: SpamAssassin timed out and was killed, consecutive failure 4 of 20 Mar 5 10:22:12 mailhub1 MailScanner[1306]: SpamAssassin timed out and was killed, consecutive failure 5 of 20 etc... I went back to SA2.44 and all is well... Strangely, another box with the same config is fine! ____________________________________ Daniel Bird Network and Systems Manager Department Of Information Services St. George's Hospital Medical School Tooting London SW17 0RE P: +44 20 8725 2897 F: +44 20 8725 3583 E: dan@sghms.ac.uk ____________________________________ Everything is possible....except skiing through a revolving door. -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. 
From mailscanner at ecs.soton.ac.uk Wed Mar 5 11:03:28 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:23 2006 Subject: SA2.50 problems In-Reply-To: <3E65D81B.6030604@sghms.ac.uk> Message-ID: <5.2.0.9.2.20030305110138.026e7008@imap.ecs.soton.ac.uk> At 10:57 05/03/2003, you wrote: >For info, > >RH7.3 >MS4.11-1 >SA2.50 (with patch) >Razor 2.22 > >This morning we had the following errors in our mail.log > >Mar 5 10:20:05 mailhub1 MailScanner[1321]: Creating hardcoded >struct_flock subroutine for linux (Linux-type) >Mar 5 10:20:06 mailhub1 MailScanner[1306]: SpamAssassin timed out and >was killed, consecutive failure 1 of 20 >Mar 5 10:20:22 mailhub1 MailScanner[1353]: Using locktype = posix >Mar 5 10:20:22 mailhub1 MailScanner[1353]: Creating hardcoded >struct_flock subroutine for linux (Linux-type) >Mar 5 10:20:38 mailhub1 MailScanner[1306]: SpamAssassin timed out and >was killed, consecutive failure 2 of 20 >Mar 5 10:20:38 mailhub1 MailScanner[1354]: Using locktype = posix >Mar 5 10:20:38 mailhub1 MailScanner[1354]: Creating hardcoded >struct_flock subroutine for linux (Linux-type) >Mar 5 10:20:55 mailhub1 MailScanner[1355]: Using locktype = posix >Mar 5 10:20:55 mailhub1 MailScanner[1355]: Creating hardcoded >struct_flock subroutine for linux (Linux-type) >Mar 5 10:21:09 mailhub1 MailScanner[1306]: SpamAssassin timed out and >was killed, consecutive failure 3 of 20 >Mar 5 10:21:40 mailhub1 MailScanner[1306]: SpamAssassin timed out and >was killed, consecutive failure 4 of 20 >Mar 5 10:22:12 mailhub1 MailScanner[1306]: SpamAssassin timed out and >was killed, consecutive failure 5 of 20 > >etc... > >I went back to SA2.44 and all is well... > >Strangely, another box with the same config is fine! There is still a problem with 2.50. However, I haven't been able to get access to a machine that will reliably time out with this problem, so I haven't been able to investigate it. 
If someone can get a bunch of mail messages that cause the timeout, on a system that suffers from it, then I might be able to get to the cause of it. Unless I can find the problem, it may not be fixed for 2.51, which would be A Bad Thing (tm).
--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

From R.A.Gardener at SHU.AC.UK Wed Mar 5 12:22:58 2003
From: R.A.Gardener at SHU.AC.UK (Ray Gardener)
Date: Thu Jan 12 21:17:23 2006
Subject: version 4.13-3 and system load
Message-ID: <012201c2e311$f4d67600$5a14348f@videoproducer>

Hi,

I upgraded to version 4.13-3 from version 4.12 on our three mail hubs yesterday and today, and on all machines I am seeing a vastly increased system load. All three machines are Sun machines running Solaris. Has anyone else seen this? I am wondering if the new version changes the way that Sophos (our virus scanner) is called via the wrapper scripts.

Regards
_________________________________________________
Ray Gardener
CIS
Sheffield Hallam University
Howard Street
Sheffield
UK
S1 1WB
(44) 0114 225 4926

From mailscanner at ecs.soton.ac.uk Wed Mar 5 12:22:27 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:23 2006 Subject: version 4.13-3 and system load In-Reply-To: <012201c2e311$f4d67600$5a14348f@videoproducer> Message-ID: <5.2.0.9.2.20030305122157.03cf41a0@imap.ecs.soton.ac.uk> Did you upgrade SpamAssassin at the same time by any chance? Did you upgrade Sophos at the same time? At 12:22 05/03/2003, you wrote: >Hi, > >I upgraded to version 4.13-3 from version 4.12 on our three mail hubs >yesterday and today, and on all machinces I am seeing a vastly increased >system load. All three machines are Sun machines running Solaris. Has anyone >else seen this? I am wondering if the new version changes the way that >Sophos (our virus scanner) is called via the wrapper scripts. > > >Regards >_________________________________________________ >Ray Gardener >CIS >Sheffield Hallam University >Howard Street >Sheffield >UK >S1 1WB >(44) 0114 225 4926 -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From jaearick at COLBY.EDU Wed Mar 5 12:28:53 2003 From: jaearick at COLBY.EDU (Jeff A. Earickson) Date: Thu Jan 12 21:17:23 2006 Subject: version 4.13-3 and system load In-Reply-To: <012201c2e311$f4d67600$5a14348f@videoproducer> References: <012201c2e311$f4d67600$5a14348f@videoproducer> Message-ID: Hi, I went from 4.12.2 to 4.13.3 on Monday, Solaris 8, spamassassin 2.44, with no change in load. Maybe you are using ORDB or infinite monkeys in the new settings and you didn't before? ----------------------------------- Jeff A. Earickson, Ph.D Senior UNIX Sysadmin and Email Guru Information Technology Services Colby College, 4214 Mayflower Hill, Waterville ME, 04901-8842 phone: 207-872-3659 (fax = 3076) ----------------------------------- On Wed, 5 Mar 2003, Ray Gardener wrote: > Date: Wed, 5 Mar 2003 12:22:58 -0000 
> From: Ray Gardener > Reply-To: MailScanner mailing list > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: version 4.13-3 and system load > > Hi, > > I upgraded to version 4.13-3 from version 4.12 on our three mail hubs > yesterday and today, and on all machinces I am seeing a vastly increased > system load. All three machines are Sun machines running Solaris. Has anyone > else seen this? I am wondering if the new version changes the way that > Sophos (our virus scanner) is called via the wrapper scripts. > > > Regards > _________________________________________________ > Ray Gardener > CIS > Sheffield Hallam University > Howard Street > Sheffield > UK > S1 1WB > (44) 0114 225 4926 > From R.A.Gardener at SHU.AC.UK Wed Mar 5 12:33:39 2003 From: R.A.Gardener at SHU.AC.UK (Ray Gardener) Date: Thu Jan 12 21:17:23 2006 Subject: version 4.13-3 and system load References: <5.2.0.9.2.20030305122157.03cf41a0@imap.ecs.soton.ac.uk> Message-ID: <015101c2e313$734969b0$5a14348f@videoproducer> Hi Julian, ----- Original Message ----- 
From: "Julian Field" To: Sent: Wednesday, March 05, 2003 12:22 PM Subject: Re: version 4.13-3 and system load > Did you upgrade SpamAssassin at the same time by any chance? no > Did you upgrade Sophos at the same time? no Having said that, the installations were done by untarring the distribution and copying the lib docs and bin subdirectories over the original - I don't know whether this is relevant. Regards, Ray > > At 12:22 05/03/2003, you wrote: > >Hi, > > > >I upgraded to version 4.13-3 from version 4.12 on our three mail hubs > >yesterday and today, and on all machinces I am seeing a vastly increased > >system load. All three machines are Sun machines running Solaris. Has anyone > >else seen this? I am wondering if the new version changes the way that > >Sophos (our virus scanner) is called via the wrapper scripts. > > > > > >Regards > >_________________________________________________ > >Ray Gardener > >CIS > >Sheffield Hallam University > >Howard Street > >Sheffield > >UK > >S1 1WB > >(44) 0114 225 4926 > > -- > Julian Field > www.MailScanner.info > MailScanner thanks transtec Computers for their support > From mailscanner at ecs.soton.ac.uk Wed Mar 5 12:34:43 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:23 2006 Subject: version 4.13-3 and system load In-Reply-To: <015101c2e313$734969b0$5a14348f@videoproducer> References: <5.2.0.9.2.20030305122157.03cf41a0@imap.ecs.soton.ac.uk> Message-ID: <5.2.0.9.2.20030305123321.03d20770@imap.ecs.soton.ac.uk> At 12:33 05/03/2003, you wrote: >Hi Julian, > >----- Original Message ----- 
>From: "Julian Field" >To: >Sent: Wednesday, March 05, 2003 12:22 PM >Subject: Re: version 4.13-3 and system load > > > > Did you upgrade SpamAssassin at the same time by any chance? >no > > > Did you upgrade Sophos at the same time? >no > >Having said that, the installations were done by untarring the distribution >and copying the lib docs and bin subdirectories over the original - I don't >know whether this is relevant. What about the MailScanner.conf file? I would recommend my new upgrade_MailScanner_conf script to help with this. > > At 12:22 05/03/2003, you wrote: > > >I upgraded to version 4.13-3 from version 4.12 on our three mail hubs > > >yesterday and today, and on all machinces I am seeing a vastly increased > > >system load. All three machines are Sun machines running Solaris. Has >anyone > > >else seen this? I am wondering if the new version changes the way that > > >Sophos (our virus scanner) is called via the wrapper scripts. The communication with the -wrapper scripts hasn't changed at all, so all I can suggest is that your configuration is different from what you intended. As someone else suggested, have you got a different "Spam Lists" setting or a different "Max Children" setting? -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From dh at UPTIME.AT Wed Mar 5 12:57:37 2003 
From: dh at UPTIME.AT (David) Date: Thu Jan 12 21:17:23 2006 Subject: RFC: calculating scan times for messages. Message-ID: <0ABF0EBC-4F0A-11D7-A01D-000393920D6C@uptime.at> -----BEGIN PGP SIGNED MESSAGE----- Hash: RIPEMD160 Hello. I was wondering if any of you have an idea how I could time the scanning process for a message. I am using sendmail and I was thinking about using the delay= data, but that would not be too accurate. What I actually wish to do is for a private little project of mine. I would like to estimate the following: With the checks XX used and sophos, using Spamassassin with checks XXX scanning a 500byte message takes an average of XX seconds (and so on) Does this make sense at all? I am just fishing for ideas. - -d - - Face me and you shall surely perish. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (Darwin) iD8DBQE+ZfRFiW/Ta/pxHPQRA9ypAKCFq6d80/fDEM8mtzlnBQE0v1yuxACgggi7 RvE4ix/msVqgu0wj+kIxauc= =DBa7 -----END PGP SIGNATURE----- From mikew at CRUCIS.NET Wed Mar 5 13:50:35 2003
From: mikew at CRUCIS.NET (Mike Watson) Date: Thu Jan 12 21:17:23 2006 Subject: FromTo: not working? In-Reply-To: <5.2.0.9.2.20030305102825.02530e40@imap.ecs.soton.ac.uk> References: <4E7026FF8A422749B1553FE508E0068007EE7F@message.intern.akctech.de> <5.2.0.9.2.20030305102825.02530e40@imap.ecs.soton.ac.uk> Message-ID: <200303050750.35582.mikew@crucis.net> On Wednesday 05 March 2003 04:33 am, you wrote: > At 09:49 05/03/2003, you wrote: > >On Tue, Mar 04, 2003 at 05:43:45PM +0100, Jan-Peter Koopmann wrote: > > > > Yes, just haven't had a chance to reply yet. > > > > For some reason, your rules aren't matching, but I can't > > > > obviously see why not. Have you got some space after the > > > > "FromTo:" ? > > > > > > I am attaching the file so you can check yourself, ok? > > > [...] > > > >Although the file looks okay at a first glance, there are a couple > > of things which might or might not confuse MailScanner: > > > >[zlatko@thomas]:~/tmp$ od -t c virus.scanning.rules > >0000000 F r o m T o : \t * @ a k c t e > > c 0000020 h . d e \t y e s \t \n F r o > > m T 0000040 o : \t * @ s e c e i d o s > > . d e 0000060 \t y e s \n F r o m T o : > > \t * @ s 0000100 e c e i d o s . n e t > > \t y e s \n 0000120 F r o m T o : * @ > > s e c e i d 0000140 o s . o r g \t y e > > s \n F r o m T 0000160 o : * @ s e c > > e i d o s . c o 0000200 m \t y e s \n F > > r o m T o : * @ 0000220 t e l e f o > > n i a . d e \t y e s 0000240 \n F r o m > > T o : \t d e f a u l t 0000260 \t \t n o > > \n > >0000265 > > > >This translates to: > > FromTo:*@akctech.deyes > FromTo:*@seceidos.deyes > FromTo:*@seceidos.netyes > FromTo:*@seceidos.orgyes > FromTo:*@seceidos.comyes > FromTo:*@telefonia.deyes > FromTo:defaultno > > + a on the end of the last line. > > >A superfluous and in line 1, and instead of > > as field separators in lines 4, 5 and 6. Julian, how does > > your rule file parser handle this? 
:-) > > The parser does this: > /^(\S+)\s+(\S+)\s+(.+)$/ > which matches when any whitespace is used, so long as there's > something there. If this doesn't match, then a warning is put in the > maillog about the syntax error. So this is working if you don't get a > syntax error then it should have worked. > > And why is no-one else hitting this problem? I would expect loads of > people to be complaining if this was really a problem in the code :-( If you're like me, you've just started using MailScanner and aren't fully familiar with all the rules. I added an address to the spam.whitelist.rules and e-mails and to the spamassassin prefs and e-mails from that source are still labeled as SPAM. I only get 2-3 e-mails a month from them, so I just noticed this last night. mw -- Registered Linux - 256979 NRA Life ARS: W?TMW -- This message has been scanned for viruses and dangerous content by F-Prot and MailScanner, and is believed to be clean. From mailscanner at ecs.soton.ac.uk Wed Mar 5 14:03:55 2003
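The pattern quoted in the "FromTo: not working?" thread above can be exercised directly. This is an added example, not MailScanner's own code, written in Python rather than Perl; the sample file is constructed (lines 1-7 modelled on the od dump in the thread, lines 8-9 made up), and the comment handling and the colon check are assumptions of this example. It shows that tab and space separators parse identically, that trailing whitespace ends up inside the captured value, and that a missing separator after the colon can still match with shifted fields and so produce no syntax warning.

```python
import re

# Pattern quoted in the thread for one ruleset line: direction, pattern, value.
RULE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(.+)$")

# Constructed sample. Lines 1-7 are modelled on the od dump in the thread
# (trailing whitespace on line 1, a space after "FromTo:" on lines 4-6).
# Lines 8-9 are made-up failure cases using reserved example domains.
SAMPLE = (
    "FromTo:\t*@akctech.de\tyes\t \n"
    "FromTo:\t*@seceidos.de\tyes\n"
    "FromTo:\t*@seceidos.net\tyes\n"
    "FromTo: *@seceidos.org\tyes\n"
    "FromTo: *@seceidos.com\tyes\n"
    "FromTo: *@telefonia.de\tyes\n"
    "FromTo:\tdefault\t\tno\n"
    "FromTo:*@example.org\tyes\n"      # no whitespace after the colon
    "FromTo:*@example.net\tyes \t\n"   # same, plus trailing whitespace
)


def lint_ruleset(text):
    """Return one finding per rule line: line number, status, fields, notes."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        stripped = raw.strip()
        # Assumption of this example: blank lines and '#' comments are skipped.
        if not stripped or stripped.startswith("#"):
            continue
        match = RULE_RE.match(raw)
        if match is None:
            # This is the case the thread says ends up as a maillog warning.
            findings.append({"line": lineno, "status": "syntax-error",
                             "fields": None,
                             "notes": ["line does not match the pattern"]})
            continue
        direction, pattern, value = match.groups()
        notes = []
        # Heuristic of this example: a direction keyword ends at its colon.
        if not direction.endswith(":"):
            notes.append("first field continues past ':' (fields shifted)")
        if not value.strip():
            notes.append("value is whitespace only")
        elif value != value.rstrip():
            # (.+) is greedy up to end of line, so trailing blanks are kept.
            notes.append("value captured with trailing whitespace")
        findings.append({"line": lineno,
                         "status": "suspect" if notes else "ok",
                         "fields": (direction, pattern, value),
                         "notes": notes})
    return findings


def summarize(findings):
    """Group line numbers by status."""
    summary = {}
    for finding in findings:
        summary.setdefault(finding["status"], []).append(finding["line"])
    return summary


if __name__ == "__main__":
    for finding in lint_ruleset(SAMPLE):
        print(finding["line"], finding["status"],
              repr(finding["fields"]), "; ".join(finding["notes"]))
```

Whether MailScanner trims the captured value before using it is not stated in the thread, so the "suspect" lines are candidates to inspect, not confirmed faults.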
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:23 2006 Subject: RFC: calculating scan times for messages. In-Reply-To: <0ABF0EBC-4F0A-11D7-A01D-000393920D6C@uptime.at> Message-ID: <5.2.0.9.2.20030305140234.03962428@imap.ecs.soton.ac.uk> At 12:57 05/03/2003, you wrote: >-----BEGIN PGP SIGNED MESSAGE----- >Hash: RIPEMD160 > >Hello. > >I was wondering if any of you have an idea how I could time the >scanning process for a message. > >I am using sendmail and I was thinking about using the delay= data, but >that would not be too accurate. >What I actually wish to do is for a private little project of mine. > >I would like to estimate the following: > >With the checks XX used and sophos, using Spamassassin with checks XXX > >scanning a 500byte message takes an average of XX seconds (and so on) > >Does this make sense at all? > >I am just fishing for ideas. I do calculations instead that produce a figure for the number of messages per day that can be processed. With multiple scanning threads, the average delay for a message is not actually very relevant, as several messages are being processed during the time. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From mailscanner at LISTS.COM.AR Wed Mar 5 15:31:01 2003
From: mailscanner at LISTS.COM.AR (Mariano Absatz) Date: Thu Jan 12 21:17:23 2006 Subject: RFC: calculating scan times for messages. In-Reply-To: <0ABF0EBC-4F0A-11D7-A01D-000393920D6C@uptime.at> Message-ID: <3E65EE05.15180.61D211A5@localhost> On 5 Mar 2003 at 13:57, David wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: RIPEMD160 > > Hello. > > I was wondering if any of you have an idea how I could time the > scanning process for a message. > > I am using sendmail and I was thinking about using the delay= data, but > that would not be too accurate. > What I actually wish to do is for a private little project of mine. > > I would like to estimate the following: > > With the checks XX used and sophos, using Spamassassin with checks XXX > > scanning a 500byte message takes an average of XX seconds (and so on) > > Does this make sense at all? Well... not that it doesn't make sense, but it wouldn't be measuring anything too useful... The point is that you can't extrapolate useful info from that data... In order to measure something useful, you should have to bomb your server with a good mixture of mails including spam, ham and viruses and keep an eye on the queues... once you have steadily growing queues you should make a couple of marks in the logs and measure the number of messages per time unit that are passing thru MailScanner. That should give you a rough estimate of performance... it doesn't make too much sense to measure how long any specific message takes. Note that you need at least 3 machines to do this... the actual test machine, an emisor machine and a receptor machine. The test machine should be configured to route all its outgoing mail to the receptor machine. The receptor machine should have a very fast mail server configured to accept and delete every message unconditionally (kind of, your incoming mail queue should be /dev/null :-) The emisor machine is the hardest... maybe you'll have to hack a small fast program to send the mail.
Or you can take something like qmail (which I think sends 1 message per session even though they may be going to the same place), stop the smtp client, fill the outgoing queue with your very large collection mixing spam, ham and virus e-mails and... start the smtp client. It might be a funny process and I would definitely like to have the outcome from that if you do it... maybe also the programs/configuration used. For the client smtp (the emisor) you might also want to take a look at Russell Coker's postal http://www.coker.com.au/postal/ (the receptor machine is what he calls SMTP sink, if you do it, I guess he'll be glad to know about it). Postal generates garbage for the mail data, but maybe you can modify it so it takes the messages from somewhere. It has a nice set of options for number of simultaneous connections, max number of messages per connection, max message size, rate limitation, etc. -- Mariano Absatz El Baby ---------------------------------------------------------- In theory, there is no difference between theory and practice; but in practice, there is a great deal of difference. From jase at SENSIS.COM Wed Mar 5 16:33:29 2003
From: jase at SENSIS.COM (Desai, Jason) Date: Thu Jan 12 21:17:23 2006 Subject: Debian ms v4.x install help. Deb, Alien or Source? attn Jason Desai Message-ID: Hi Scott - sorry for the late reply ... I installed MailScanner using the .tar file. I am running Debian stable (woody) with exim 3.35. If you need version MailScanner 4.x, I would suggest doing the same - just install from the .tar file. The instructions on the MailScanner web site are pretty good. I am not aware of any dependency issues between MailScanner 4.x and exim. I think I did compile MIME-tools-5.411 myself, to make sure that I got the patches. After applying the patches, I used dh-make-perl to create the files needed to make a debian package, then I ran dpkg-buildpackage -b to make the .deb file. Then I ran dpkg -i to install it. Again, I would suggest using the .tar installation. Let me know if you have any problems. Jason > -----Original Message----- > From: Hancock, Scott [mailto:HancockS@MORGANCO.COM] > Sent: Tuesday, March 04, 2003 11:05 AM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: [MAILSCANNER] Debian ms v4.x install help. Deb, Alien or > Source? attn Jason Desai > > > Hello all, > > I'm running Debian unstable (sarge) mailscanner (3.27) and > exim (3.36). > > Some of my users are asking for features in the latest versions of > mailscanner. > > I notice some posts indicating people (including Jason) are > using newer > versions of mailscanner than is available at packages.debian.org. I'm > mostly interested in the new mailscanner features and was > wondering the > best approach to installing without a .deb file. > > Are any dependency issues between exim 3.27 and MS 4.x? > > I figure my options are: an alternate site that has a .deb file, using > Alien against the 4.x RPM file, or compiling from source. > > All this is being tested off line. > > Thanks all for your time. > > Scott > From nathan at TCPNETWORKS.NET Wed Mar 5 16:49:22 2003
From: nathan at TCPNETWORKS.NET (Nathan Johanson) Date: Thu Jan 12 21:17:24 2006 Subject: MailScanner Store Message-ID: I wear my new MailScanner T-shirt all of the time. C'mon guys! Throw out the pocket protectors and spruce up your fashion a little bit ;-) Chicks dig MailScanner. Nathan Johanson -----Original Message----- From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] Sent: Tuesday, March 04, 2003 8:58 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: MailScanner Store This has to be the most spectacular failure I have seen in quite a while. Since setting it up, I have sold 4 (yes, four!) items. Boy, am I glad I don't have to pay any rental for the space! :-) -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Wed Mar 5 16:49:27 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:24 2006 Subject: RFC: calculating scan times for messages. In-Reply-To: <3E65EE05.15180.61D211A5@localhost> References: <0ABF0EBC-4F0A-11D7-A01D-000393920D6C@uptime.at> Message-ID: <5.2.0.9.2.20030305163850.02e42d88@imap.ecs.soton.ac.uk> At 15:31 05/03/2003, you wrote: >On 5 Mar 2003 at 13:57, David wrote: > > > -----BEGIN PGP SIGNED MESSAGE----- > > Hash: RIPEMD160 > > > > Hello. > > > > I was wondering if any of you have an idea how I could time the > > scanning process for a message. > > > > I am using sendmail and I was thinking about using the delay= data, but > > that would not be too accurate. > > What I actually wish to do is for a private little project of mine. > > > > I would like to estimate the following: > > > > With the checks XX used and sophos, using Spamassassin with checks XXX > > > > scanning a 500byte message takes an average of XX seconds (and so on) > > > > Does this make sense at all? >Well... not that it doesn't make sense, but it wouldn't be measuring anything >too useful... > >The point is that you can't extrapolate useful info from that data... In >order to measure something useful, you should have to bomb your server with a >good mixture of mails including spam, ham and viruses and keep an eye on the >queues... once you have steadily growing queues you should make a couple of >marks in the logs and measure the number of messages per time unit that are >passing thru MailScanner. > >That should give you a rough estimate of performance... it doesn't make too >much sense to measure how long any specific message takes. > >Note that you need at least 3 machines to do this... the actual test machine, >an emisor machine and a receptor machine. > >The test machine should be configured to route all its outgoing mail to the >receptor machine.
The receptor machine should have a very fast mail server >configured to accept and delete every message unconditionally (kind of, your >incoming mail queue should be /dev/null :-) > >The emisor machine is the hardest... maybe you'll have to hack a small fast >program to send the mail. Or you can take something like qmail (which I think >sends 1 message per session even though they may be going to the same place), >stop the smtp client, fill the outgoing queue with your very large collection >mixing spam, ham and virus e-mails and... start the smtp client. > >It might be a funny process and I would definitely like to have the outcome >from that if you do it... maybe also the programs/configuration used. > >For the client smtp (the emisor) you might also want to take a look at Russell >Coker's postal http://www.coker.com.au/postal/ (the receptor machine is what >he calls SMTP sink, if you do it, I guess he'll be glad to know about it). > >Postal generates garbage for the mail data, but maybe you can modify it so it >takes the messages from somewhere. It has a nice set of options for number of >simultaneous connections, max number of messages per connection, max message >size, rate limitation, etc. This is exactly the test setup I already use. I have a test set of 60,000 messages. The emisor uses 10 parallel copies of a Perl script to squirt mail as fast as it possibly can to the MailScanner. The limiting factor here is disk I/O and the lousy i/o scheduler Linux has (it is being re-written for the 2.6 kernels, thank heavens). The emisor's limit is about 8 million messages per day. The MailScanner runs Exim and MailScanner, in a pretty much vanilla configuration, except that the MailScanner/incoming directory is on tmpfs to remove all that nasty disk i/o. It then sends all its output to a perl SMTP sink I wrote in about 10 minutes, which speaks just enough SMTP to convince Exim that it's a real mail server.
These fork off to handle traffic, and there are quite often nearly 100 running simultaneously. They throw away everything they are sent. Speed control is done by varying an optional delay in the emisor script, and changing the number of emisor scripts that are run in parallel. It's pretty coarse but is good enough. Tweak the speed until the queue *just* doesn't grow without bounds. That's about the limit of what the MailScanner can handle. Running MailScanner, Sophos, SpamAssassin (2.44 or 2.50, it doesn't matter much) and 3 RBL's, the MailScanner can do about 1.5 million messages per day. Just running MailScanner and SpamAssassin, it can handle 4.4 million per day. In case you are interested, I have attached a little zip file containing the emisor test "harness"(and the shell script that runs them in parallel) and the smtp sink. -------------- next part -------------- A non-text attachment was scrubbed... Name: SpeedTests.zip Type: application/zip Size: 2651 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030305/ee1fdc06/SpeedTests.zip -------------- next part -------------- -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Wed Mar 5 17:11:55 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:24 2006 Subject: Fwd: Re: SA2.50 problems... Message-ID: <5.2.0.9.2.20030305170932.06f343e0@imap.ecs.soton.ac.uk> If you are still having problems with SpamAssassin 2.50 hanging, even with my patch, then do this: 
>From: Daniel Bird >Subject: Re: SA2.50 problems... >To: Julian Field > >Julian, > >For info, >left "Use Spamassassin = yes" in MailScanner.conf but added >"use_bayes 0" to spam.assassin.prefs.conf > >and MailScanner + SA2.50 are running quite happily now. > >Thanks. > >Dan I have posted a huge great message to the SAtalk list about this problem. Something *very* strange is happening, and I haven't got to the bottom of it yet. It's all connected to file locking and the bayes database, just like the previous problem with it, but this one is a lot more strange.... If anything interesting comes up on SAtalk, I'll be sure to tell you all. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From tjc at ecs.soton.ac.uk Wed Mar 5 17:25:14 2003 From: tjc at ecs.soton.ac.uk (Tim Chown) Date: Thu Jan 12 21:17:24 2006 Subject: MailScanner Store In-Reply-To: References: Message-ID: <20030305172514.GN4962@login.ecs.soton.ac.uk> You mean Chicks dig MaleScanner? On Wed, Mar 05, 2003 at 08:49:22AM -0800, Nathan Johanson wrote: > I wear my new MailScanner T-shirt all of the time. C'mon guys! Throw out > the pocket protectors and spruce up your fashion a little bit ;-) > > Chicks dig MailScanner. > > Nathan Johanson > > > > -----Original Message----- > From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] > Sent: Tuesday, March 04, 2003 8:58 AM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: MailScanner Store > > > This has to be the most spectacular failure I have seen in quite a > while. > Since setting it up, I have sold 4 (yes, four!) items. > > Boy, am I glad I don't have to pay any rental for the space! :-) > -- > Julian Field > www.MailScanner.info > MailScanner thanks transtec Computers for their support From cselivanow at QWICNET.COM Wed Mar 5 17:24:27 2003 
From: cselivanow at QWICNET.COM (Chris Selivanow) Date: Thu Jan 12 21:17:24 2006 Subject: Messages w/o text not being marked clean. Message-ID: <20030305122427.3a616114.cselivanow@qwicnet.com> Hi all- I noticed that if I send an email with an attachment but no text in the body of the email that the mailscanner will scan the message but not append the clean message signature. Of course if there is at least one character in the body then the signature is appended. Is there any way to get the signature appended every time? -Chris -- Chris Selivanow 585 582-1600 Lead Technician 585 624-3465 (fax) QwicNet, Inc. http://www.qwicnet.com From mailscanner at ecs.soton.ac.uk Wed Mar 5 17:26:06 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:24 2006 Subject: The reason why I asked was-->(Re: RFC: calculating scan times for messages.) In-Reply-To: References: <5.2.0.9.2.20030305163850.02e42d88@imap.ecs.soton.ac.uk> Message-ID: <5.2.0.9.2.20030305171505.06fa4b48@imap.ecs.soton.ac.uk> At 17:14 05/03/2003, you wrote: >-----BEGIN PGP SIGNED MESSAGE----- >Hash: RIPEMD160 > > > >Running MailScanner, Sophos, SpamAssassin (2.44 or 2.50, it doesn't >matter much) and 3 RBL's, the MailScanner can do about 1.5 million > >messages per day. Just running MailScanner and SpamAssassin, it can >handle 4.4 million per day. >> >>In case you are interested, I have attached a little zip file >>containing the emisor test "harness"(and the shell script that runs >>them in parallel) and the smtp sink. -- > >Thank you very much. It is no real secret, but I am looking at a >project for one of the major Backbone providers. They hired me to have >a look at their intermediate Mail relays, they were interested in a >solution which is open source, as a proof of concept. Now with their >system we are looking at 26-40 Million messages a day! That is why I >was going to look at precise averaging, but thinking about all of it >for the latter of the day, I can only agree. My approach would not be >measuring anything useful. > >Now what they are granting me as hardware is either a Sun Fire >4500-8-Processor (with 8-12 Processors) and 8-16 Gig RAM. Or a solution >based on multiple Intel Xeon Quad Processor Machines. Personally I would go for the Xeon cluster, as it is more easily scalable later on, as their mail load grows. Also, if half of it goes up in smoke (or needs upgrading/maintaining) you still have a working service, albeit a slightly slower one. I know you can dynamically reconfigure the bigger SunFires, but a cluster does have its appeal... 
Unfortunately no-one has bought me a quad Xeon machine to test MailScanner on, so I can't give you accurate performance figures. But with dual 2.4GHz Xeon machines, 40 million messages per day would keep 30 of them fairly well occupied. You have to remember, of course, that my load tests are done with a steady stream of mail, and not a peaky load that you would see in real life. As for Exim vs sendmail, I found Exim a lot easier to get to scale up to multi-million figures. And configuring it to punt all mail at 1 other machine is dead easy. I'm no Exim expert, not by a long way. If you need any help whatsoever with this project, please don't hesitate to get in touch. I will offer whatever help and advice I can. >Computing Power really is no issue to them. I do not necessarily need a >solution either where an open Source OS is being used, but the system >itself which performs the scanning and delivers the framework has to be. > >Now I tested a bit with Ultra160 SCSI and the 2.5* kernel series. >Agreeing with Julian usual I/O was lousy, but it is quite up to par now >in the 2.5* series. > >According to their testing (I have no idea how thorough it has been) >sendmail is the only MTA which can handle the load with their setup, >thus I am on the safe side there as well. I was thinking about using >sophos, but if there is a faster scanner, I am sure they would buy that >one as well. > >- -d > > > > > > we may race and we may run, but we can not undo what has been done. >-----BEGIN PGP SIGNATURE----- >Version: GnuPG v1.2.1 (Darwin) > >iD8DBQE+ZjBhiW/Ta/pxHPQRA8S5AKC/VFc1q9q0k4tXS/3jJQ8a+zJyUACdHJfF >CJx5PYcHGpxb9MSCS42bDmU= >=spYC >-----END PGP SIGNATURE----- -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From cselivanow at QWICNET.COM Wed Mar 5 17:46:09 2003
From: cselivanow at QWICNET.COM (Chris Selivanow) Date: Thu Jan 12 21:17:24 2006 Subject: email address removed from report text Message-ID: <20030305124609.41362099.cselivanow@qwicnet.com> Hi again- I've just noticed this issue and I'm sure that someone else already had this question but I was unable to find it in the archives or the FAQ. Anyways, I noticed that if I have an email address in a report file that the entire line that contains the address is removed and replaced with a blank line. Is there a way to configure mailscanner not to do this? -- Chris Selivanow 585 582-1600 Lead Technician 585 624-3465 (fax) QwicNet, Inc. http://www.qwicnet.com From mailscanner at ecs.soton.ac.uk Wed Mar 5 18:15:44 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:24 2006 Subject: email address removed from report text In-Reply-To: <20030305124609.41362099.cselivanow@qwicnet.com> Message-ID: <5.2.0.9.2.20030305181505.02536ea0@imap.ecs.soton.ac.uk> At 17:46 05/03/2003, you wrote: >Hi again- > >I've just noticed this issue and I'm sure that someone else already had this >question but I was unable to find it in the archives or the FAQ. Anyways, >I noticed that if I have an email address in a report file that the entire >line that contains the address is removed and replaced with a blank line. >Is there a way to configure mailscanner not to do this? I guess you are using version 3. Replace "@" with "\@" in your reports. -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Wed Mar 5 18:11:57 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:24 2006 Subject: Messages w/o text not being marked clean. In-Reply-To: <20030305122427.3a616114.cselivanow@qwicnet.com> Message-ID: <5.2.0.9.2.20030305181008.021dddd8@imap.ecs.soton.ac.uk> At 17:24 05/03/2003, you wrote: >Hi all- > >I noticed that if I send an email with an attachment but no text in the body >of the email that the mailscanner will scan the message but not append the >clean message signature. Of course if there is at least one character in the >body then the signature is appended. Is there any way to get the signature >appended every time? It appends the signature to the first html and/or text segment of the message. If there's no body at all, there's nowhere to put the signature. I'll take a look at the possibility of creating a body if needed. -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support From lists at DILLONST.COM Wed Mar 5 18:53:55 2003 From: lists at DILLONST.COM (Daron) Date: Thu Jan 12 21:17:24 2006 Subject: Blacklist and high scoring spam Message-ID: <20030305185146.M16147@dillonst.com> I have setup several spam senders on the blacklist but it only marks it with the low level subject stamp and delivers it. Is there a way for the blacklist to score as a high score and follow those rules instead? Thanks, Daron From kylist at SHCORP.COM Wed Mar 5 18:57:00 2003 From: kylist at SHCORP.COM (Kurt Yoder) Date: Thu Jan 12 21:17:24 2006 Subject: Debian ms v4.x install help. Deb, Alien or Source? attn Jason Desai In-Reply-To: <03Mar4.105815est.119118@gateway.morganco.com> References: <03Mar4.105815est.119118@gateway.morganco.com> Message-ID: <43870.10.10.1.71.1046890620.squirrel@webmailtest.shcorp.com> <<< No Message Collected >>> From lists at DILLONST.COM Wed Mar 5 19:29:59 2003 
From: lists at DILLONST.COM (Daron) Date: Thu Jan 12 21:17:24 2006 Subject: Sendmail before MailScanner Message-ID: <20030305192711.M27763@dillonst.com> I have noticed that MailScanner ignores Sendmail rules before scanning. The problem is tons of non-existent users receiving mail gets scanned and processed even though in sendmail aliases file they are set to /dev/nul . Is there a place in the config to adjust this? From didier.belhomme at FUNDP.AC.BE Wed Mar 5 19:45:35 2003 From: didier.belhomme at FUNDP.AC.BE (Didier Belhomme) Date: Thu Jan 12 21:17:24 2006 Subject: Sendmail before MailScanner In-Reply-To: <20030305192711.M27763@dillonst.com> References: <20030305192711.M27763@dillonst.com> Message-ID: <1046893535.3e6653df23561@webmail3.fundp.ac.be> Quoting Daron: > I have noticed that MailScanner ignores Sendmail rules before scanning. The > problem is tons of non-existent users receiving mail gets scanned and > processed even though in sendmail aliases file they are set to /dev/nul . I hope this is /dev/null... It is a common mistake to think that Sendmail, as Mail Transfer Agent, is responsible for delivering the message. That's wrong: alias expansion is the responsibility of the Mail Delivery Agent, which is another program like "deliver" or "procmail". Thus, I don't think that the Sendmail process that is located *before* MailScanner should be modified in a way to support alias expansion. What is correct would be to use the "access" database in Sendmail in order to reject mail if matching a rule. > Is there a place in the config to adjust this? -- Didier Belhomme FUNDP - SIU Unix Systems Manager From cselivanow at QWICNET.COM Wed Mar 5 19:52:23 2003
From: cselivanow at QWICNET.COM (Chris Selivanow) Date: Thu Jan 12 21:17:24 2006 Subject: Messages w/o text not being marked clean. In-Reply-To: <5.2.0.9.2.20030305181008.021dddd8@imap.ecs.soton.ac.uk> References: <20030305122427.3a616114.cselivanow@qwicnet.com> <5.2.0.9.2.20030305181008.021dddd8@imap.ecs.soton.ac.uk> Message-ID: <20030305145223.26a22937.cselivanow@qwicnet.com> Julian- Thanks for the response. I had previously posted a question regarding Outlook and attachments. I think that I have solved my issue with that and it seems to be related to this issue and how mailscanner handles uuencoded messages. Here is the situation: I have a client where some people are using outlook 97 and some people are using Eudora 5. Before the mailscanner (3.27) install there were no problems. After the mailscanner install those who were using Eudora were having issues with attachments sent via outlook. Basically the multipart message content was all being displayed in the message body. The reason follows: Mailscanner converts a uuencoded message, which only has one part ie: lacking a "Content-type" header, and converts it into a base64 encoded multipart message. This is all fine and well. However, mailscanner also adds the text: The following is a multipart MIME message which was extracted from a uuencoded message. Mailscanner does not however add a boundary line like: ------------=_1046891750-551-2 before the previous message. This causes Eudora to believe one of two things (as far as I can tell) 1) That the message really isn't a multipart message 2) That it has another part that is missing (ie: the attachment) I'm not really sure of the inner workings of mailscanner but this seems to be what happens. Is there a way to resolve this? Besides having my client tell their senders to reconfigure their outlook?
-Chris On Wed, 5 Mar 2003 18:11:57 +0000 Julian Field wrote: JF> At 17:24 05/03/2003, you wrote: JF> >Hi all- JF> > JF> >I noticed that if I send an email with an attachment but no text in the body JF> >of the email that the mailscanner will scan the message but not append the JF> >clean message signature. Of course if there is at least one character in the JF> >body then the signature is appended. Is there any way to get the signature JF> >appended every time? JF> JF> It appends the signature to the first html and/or text segment of the JF> message. If there's no body at all, there's nowhere to put the signature. JF> JF> I'll take a look at the possibility of creating a body if needed. JF> -- JF> Julian Field JF> www.MailScanner.info JF> Professional Support Services at www.MailScanner.biz JF> MailScanner thanks transtec Computers for their support -- Chris Selivanow 585 582-1600 Lead Technician 585 624-3465 (fax) QwicNet, Inc. http://www.qwicnet.com From kylist at SHCORP.COM Wed Mar 5 20:34:10 2003 
From: kylist at SHCORP.COM (Kurt Yoder) Date: Thu Jan 12 21:17:24 2006 Subject: Debian ms v4.x install help. Deb, Alien or Source? attn Jason Desai Message-ID: <44176.10.10.1.71.1046896450.squirrel@webmailtest.shcorp.com> (sorry, my mail server got messed up, I'm posting this again) I'm running Debian stable (woody) with the tar installation of mailscanner. It's not too bad to install. The only problem is with setting up sendmail to work correctly. The debian sendmail package has an odd way of setting things up that I haven't figured out. Since you're using exim I can't comment on that part of it. Incidentally, does anyone have any instructions on getting the Debian sendmail package working correctly with mailscanner? I had to completely replace the init script to make it work, and now dpkg chokes every time it touches sendmail. Hancock, Scott said: > Hello all, > > I'm running Debian unstable (sarge) mailscanner (3.27) and exim (3.36). > > Some of my users are asking for features in the latest versions of mailscanner. > > I notice some posts indicating people (including Jason) are using newer versions of mailscanner than is available at packages.debian.org. I'm mostly interested in the new mailscanner features and was wondering the best approach to installing without a .deb file. > > Are any dependency issues between exim 3.27 and MS 4.x? > > I figure my options are: an alternate site that has a .deb file, using Alien against the 4.x RPM file, or compiling from source. > > All this is being tested off line. > > Thanks all for your time. > > Scott > -- Kurt Yoder Sport & Health network administrator tel: 703-245-2708 cel: 703-929-3247 -- Kurt Yoder Sport & Health network administrator tel: 703-245-2708 cel: 703-929-3247 From cselivanow at QWICNET.COM Wed Mar 5 20:38:30 2003 
From: cselivanow at QWICNET.COM (Chris Selivanow) Date: Thu Jan 12 21:17:24 2006 Subject: Messages w/o text not being marked clean. In-Reply-To: <20030305145223.26a22937.cselivanow@qwicnet.com> References: <20030305122427.3a616114.cselivanow@qwicnet.com> <5.2.0.9.2.20030305181008.021dddd8@imap.ecs.soton.ac.uk> <20030305145223.26a22937.cselivanow@qwicnet.com> Message-ID: <20030305153830.423e6070.cselivanow@qwicnet.com> It actually looks like Eudora is complaining that "MIME-Version: 1.0" isn't in the main headers. If I manually edit the spool file and insert it before the usesr POPs the mail it works fine. Is there a way to have mailscanner check for a "MIME-Version" header and insert it if it doesn't exist and if a uuencoded file was converted? -Chris On Wed, 5 Mar 2003 14:52:23 -0500 Chris Selivanow wrote: CS> Julian- CS> CS> Thanks for the responce. I had previously posted a question regarding Outlook CS> and attachments. I think that I have solved my issue with that and it seems CS> to be related to this issue and how mailscanner handles uuencoded messages. CS> CS> Here is the situation: I have a client where some people are using outlook 97 CS> and some people are using Eudora 5. Before the mailscanner (3.27)install there CS> were no problems. After the mailscanner install those who were using Eudora CS> were having issues with attachments sent via outlook. Basically the multipart CS> message content was all being displayed in the message body. CS> CS> The reason follows: CS> CS> Mailscanner converts a uuencoded message, which only has one part ie: lacking CS> a "Content-type" header, and converts it into a base64 encoded multipart CS> message. This is all fine and well. However, mailscanner also adds the text: CS> CS> The following is a multipart MIME message which was extracted CS> from a uuencoded message. CS> CS> Mailscanner does not however add a boundery line like: CS> CS> ------------=_1046891750-551-2 CS> CS> before the previous message. 
This causes Eudora to believe one of two things CS> (as far a I can tell) CS> CS> 1) That the message really isn't a multipart message CS> 2) That it has another part that is missing (ie: the attachment) CS> CS> I'm not really sure of the innerworkings of mailscanner but this seems to CS> be what happens. Is there a way to resolve this? Besides having my CS> client tell their senders to reconfigure thier outlook? CS> CS> -Chris CS> CS> On Wed, 5 Mar 2003 18:11:57 +0000 CS> Julian Field wrote: CS> CS> JF> At 17:24 05/03/2003, you wrote: CS> JF> >Hi all- CS> JF> > CS> JF> >I noticed that if I send an email with an attachment but no text in the body CS> JF> >of the email that the mailscanner will scan the message but not append the CS> JF> >clean message signature. Of course if there is at least one character in the CS> JF> >body then the signature is appended. Is there any way to get the signature CS> JF> >appended every time? CS> JF> CS> JF> It appends the signature to the first html and/or text segment of the CS> JF> message. If there's no body at all, there's nowhere to put the signature. CS> JF> CS> JF> I'll take a look at the possibility of creating a body if needed. CS> JF> -- CS> JF> Julian Field CS> JF> www.MailScanner.info CS> JF> Professional Support Services at www.MailScanner.biz CS> JF> MailScanner thanks transtec Computers for their support CS> CS> CS> -- CS> Chris Selivanow 585 582-1600 CS> Lead Technician 585 624-3465 (fax) CS> QwicNet, Inc. http://www.qwicnet.com -- Chris Selivanow 585 582-1600 Lead Technician 585 624-3465 (fax) QwicNet, Inc. http://www.qwicnet.com From iradu at UNITBV.RO Wed Mar 5 20:50:06 2003 
From: iradu at UNITBV.RO (Radu IONESCU)
Date: Thu Jan 12 21:17:24 2006
Subject: Sendmail before MailScanner
In-Reply-To: <1046893535.3e6653df23561@webmail3.fundp.ac.be>
Message-ID:

Yet, this is my problem too. I wish MailScanner would be able to handle. Our
gateway accepts daily thousands of messages, just to receive in turn a 550
user unknown from the internal mail hubs. These messages are generated in our
case by SPAM, pretending to be generated by our university domain...

The best would be to reject the message before it enters the queue, but this is
a Sendmail problem I can hardly handle (LDAP routing?).
However, a rule something like this would help a lot:
drop all messages containing in the body a line with
"Received: from ...unitbv.ro" and not "(193.254.23"
would stop the chain reaction for each of these messages (thousands of
postmaster notify, returned message, etc. in the root mailbox).
Can this be put in sendmail "access" db? Or in SpamAssassin's?

Thank you,
Radu IONESCU
Sys Mgr, Univ TRANSILVANIA Brasov

> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > Behalf Of Didier Belhomme > Sent: 5 martie 2003 21:46 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Sendmail before MailScanner > > > Selon Daron : > > > I have notice that MailScanner ignores Sendmail rules before > scanning. The > > problem is tons of non-existant users receiving mail gets scanned and > > processed even though in sendmail aliases file they are set to > /dev/nul . > > I hope this is /dev/null... > > That's a common mistake to think that Sendmail, as Mail Transfert > Agent, is > responsible for delivering the message. That's wrong : alias > expansion is the > responsability of the Mail Delivery Agent, which is another program > like "deliver" or "procmail". Thus, I dont't think that the > Sendmail process > that is located *before* MailScanner should be modified in a way > to support > alias expansion. What is correct would be to use the "access" database in > Sendmail in order to reject mail if matching a rule. > > > Is there a place in the config to adjust this? > > > -- > Didier Belhomme > FUNDP - SIU > Unix Systems Manager > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > Mailscanner thanks transtec Computers for their support. > From raymond at PROLOCATION.NET Wed Mar 5 20:58:39 2003 
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:17:24 2006
Subject: Sendmail before MailScanner
In-Reply-To:
Message-ID:

Hi!

> Yet, this is my problem too. I wish MailScanner would be able to handle. Our
> gateway accepts daily thousands of messages, just to receive in turn a 550
> user unknown from the internal mail hubs. These messages are generated in our
> case by SPAM, pretending to be generated by our university domain...
>
> The best would be to reject the message before it enters the queue, but this is
> a Sendmail problem I can hardly handle (LDAP routing?).
> However, a rule something like this would help a lot:
> drop all messages containing in the body a line with
> "Received: from ...unitbv.ro" and not "(193.254.23"
> would stop the chain reaction for each of these messages (thousands of
> postmaster notify, returned message, etc. in the root mailbox).
> Can this be put in sendmail "access" db? Or in SpamAssassin's?
> Thank you,

If you like to do that, use ldap for example and let your relays be aware
of the users that DO exist. It's a mailer problem, and you can configure
that. Not mailscanner.

Bye,
Raymond.

From craig at STRONG-BOX.NET Wed Mar 5 21:07:49 2003
From: craig at STRONG-BOX.NET (Craig Pratt) Date: Thu Jan 12 21:17:24 2006 Subject: Messages w/o text not being marked clean. In-Reply-To: <20030305153830.423e6070.cselivanow@qwicnet.com> Message-ID: <859F8297-4F4E-11D7-882D-000393B9390A@strong-box.net> Actually, would having it on all messages really be a problem? That would certainly simplify things. Couldn't a procmail recipe that says to just add this header if not present? Craig On Wednesday, March 5, 2003, at 12:38 PM, Chris Selivanow wrote: > It actually looks like Eudora is complaining that "MIME-Version: 1.0" > isn't in the main headers. If I manually edit the spool file and > insert > it before the usesr POPs the mail it works fine. Is there a way to > have > mailscanner check for a "MIME-Version" header and insert it if it > doesn't > exist and if a uuencoded file was converted? > > -Chris > > On Wed, 5 Mar 2003 14:52:23 -0500 > Chris Selivanow wrote: > > CS> Julian- > CS> > CS> Thanks for the responce. I had previously posted a question > regarding Outlook > CS> and attachments. I think that I have solved my issue with that > and it seems > CS> to be related to this issue and how mailscanner handles uuencoded > messages. > CS> > CS> Here is the situation: I have a client where some people are > using outlook 97 > CS> and some people are using Eudora 5. Before the mailscanner > (3.27)install there > CS> were no problems. After the mailscanner install those who were > using Eudora > CS> were having issues with attachments sent via outlook. Basically > the multipart > CS> message content was all being displayed in the message body. > CS> > CS> The reason follows: > CS> > CS> Mailscanner converts a uuencoded message, which only has one part > ie: lacking > CS> a "Content-type" header, and converts it into a base64 encoded > multipart > CS> message. This is all fine and well. 
However, mailscanner also > adds the text: > CS> > CS> The following is a multipart MIME message which was extracted > CS> from a uuencoded message. > CS> > CS> Mailscanner does not however add a boundery line like: > CS> > CS> ------------=_1046891750-551-2 > CS> > CS> before the previous message. This causes Eudora to believe one of > two things > CS> (as far a I can tell) > CS> > CS> 1) That the message really isn't a multipart message > CS> 2) That it has another part that is missing (ie: the attachment) > CS> > CS> I'm not really sure of the innerworkings of mailscanner but this > seems to > CS> be what happens. Is there a way to resolve this? Besides having > my > CS> client tell their senders to reconfigure thier outlook? > CS> > CS> -Chris > CS> > CS> On Wed, 5 Mar 2003 18:11:57 +0000 > CS> Julian Field wrote: > CS> > CS> JF> At 17:24 05/03/2003, you wrote: > CS> JF> >Hi all- > CS> JF> > > CS> JF> >I noticed that if I send an email with an attachment but no > text in the body > CS> JF> >of the email that the mailscanner will scan the message but > not append the > CS> JF> >clean message signature. Of course if there is at least one > character in the > CS> JF> >body then the signature is appended. Is there any way to get > the signature > CS> JF> >appended every time? > CS> JF> > CS> JF> It appends the signature to the first html and/or text segment > of the > CS> JF> message. If there's no body at all, there's nowhere to put the > signature. > CS> JF> > CS> JF> I'll take a look at the possibility of creating a body if > needed. > CS> JF> -- > CS> JF> Julian Field > CS> JF> www.MailScanner.info > CS> JF> Professional Support Services at www.MailScanner.biz > CS> JF> MailScanner thanks transtec Computers for their support > CS> > CS> > CS> -- > CS> Chris Selivanow 585 582-1600 > CS> Lead Technician 585 624-3465 (fax) > CS> QwicNet, Inc. http://www.qwicnet.com > > > -- > Chris Selivanow 585 582-1600 > Lead Technician 585 624-3465 (fax) > QwicNet, Inc. 
http://www.qwicnet.com > > -- > This message checked for dangerous content by MailScanner on StrongBox. > -- This message checked for dangerous content by MailScanner on StrongBox. From cselivanow at QWICNET.COM Wed Mar 5 21:27:40 2003 
From: cselivanow at QWICNET.COM (Chris Selivanow) Date: Thu Jan 12 21:17:24 2006 Subject: Messages w/o text not being marked clean. In-Reply-To: <859F8297-4F4E-11D7-882D-000393B9390A@strong-box.net> References: <20030305153830.423e6070.cselivanow@qwicnet.com> <859F8297-4F4E-11D7-882D-000393B9390A@strong-box.net> Message-ID: <20030305162740.45501db6.cselivanow@qwicnet.com> On Wed, 5 Mar 2003 13:07:49 -0800 Craig Pratt wrote: CP> Actually, would having it on all messages really be a problem? CP> CP> That would certainly simplify things. Couldn't a procmail recipe that CP> says to just add this header if not present? Actually I could do that however, I think that mailscanner should be adding it because it appears that it actually causes the problem after it converts a uuencoded message to a MIME multipart message. It should be adding the MIME-Version header to the email it modifies. -Chris CP> CP> Craig CP> CP> On Wednesday, March 5, 2003, at 12:38 PM, Chris Selivanow wrote: CP> > It actually looks like Eudora is complaining that "MIME-Version: 1.0" CP> > isn't in the main headers. If I manually edit the spool file and CP> > insert CP> > it before the usesr POPs the mail it works fine. Is there a way to CP> > have CP> > mailscanner check for a "MIME-Version" header and insert it if it CP> > doesn't CP> > exist and if a uuencoded file was converted? CP> > CP> > -Chris CP> > CP> > On Wed, 5 Mar 2003 14:52:23 -0500 CP> > Chris Selivanow wrote: CP> > CP> > CS> Julian- CP> > CS> CP> > CS> Thanks for the responce. I had previously posted a question CP> > regarding Outlook CP> > CS> and attachments. I think that I have solved my issue with that CP> > and it seems CP> > CS> to be related to this issue and how mailscanner handles uuencoded CP> > messages. CP> > CS> CP> > CS> Here is the situation: I have a client where some people are CP> > using outlook 97 CP> > CS> and some people are using Eudora 5. 
Before the mailscanner CP> > (3.27)install there CP> > CS> were no problems. After the mailscanner install those who were CP> > using Eudora CP> > CS> were having issues with attachments sent via outlook. Basically CP> > the multipart CP> > CS> message content was all being displayed in the message body. CP> > CS> CP> > CS> The reason follows: CP> > CS> CP> > CS> Mailscanner converts a uuencoded message, which only has one part CP> > ie: lacking CP> > CS> a "Content-type" header, and converts it into a base64 encoded CP> > multipart CP> > CS> message. This is all fine and well. However, mailscanner also CP> > adds the text: CP> > CS> CP> > CS> The following is a multipart MIME message which was extracted CP> > CS> from a uuencoded message. CP> > CS> CP> > CS> Mailscanner does not however add a boundery line like: CP> > CS> CP> > CS> ------------=_1046891750-551-2 CP> > CS> CP> > CS> before the previous message. This causes Eudora to believe one of CP> > two things CP> > CS> (as far a I can tell) CP> > CS> CP> > CS> 1) That the message really isn't a multipart message CP> > CS> 2) That it has another part that is missing (ie: the attachment) CP> > CS> CP> > CS> I'm not really sure of the innerworkings of mailscanner but this CP> > seems to CP> > CS> be what happens. Is there a way to resolve this? Besides having CP> > my CP> > CS> client tell their senders to reconfigure thier outlook? CP> > CS> CP> > CS> -Chris CP> > CS> CP> > CS> On Wed, 5 Mar 2003 18:11:57 +0000 CP> > CS> Julian Field wrote: CP> > CS> CP> > CS> JF> At 17:24 05/03/2003, you wrote: CP> > CS> JF> >Hi all- CP> > CS> JF> > CP> > CS> JF> >I noticed that if I send an email with an attachment but no CP> > text in the body CP> > CS> JF> >of the email that the mailscanner will scan the message but CP> > not append the CP> > CS> JF> >clean message signature. Of course if there is at least one CP> > character in the CP> > CS> JF> >body then the signature is appended. 
Is there any way to get CP> > the signature CP> > CS> JF> >appended every time? CP> > CS> JF> CP> > CS> JF> It appends the signature to the first html and/or text segment CP> > of the CP> > CS> JF> message. If there's no body at all, there's nowhere to put the CP> > signature. CP> > CS> JF> CP> > CS> JF> I'll take a look at the possibility of creating a body if CP> > needed. CP> > CS> JF> -- CP> > CS> JF> Julian Field CP> > CS> JF> www.MailScanner.info CP> > CS> JF> Professional Support Services at www.MailScanner.biz CP> > CS> JF> MailScanner thanks transtec Computers for their support CP> > CS> CP> > CS> CP> > CS> -- CP> > CS> Chris Selivanow 585 582-1600 CP> > CS> Lead Technician 585 624-3465 (fax) CP> > CS> QwicNet, Inc. http://www.qwicnet.com CP> > CP> > CP> > -- CP> > Chris Selivanow 585 582-1600 CP> > Lead Technician 585 624-3465 (fax) CP> > QwicNet, Inc. http://www.qwicnet.com CP> > CP> > -- CP> > This message checked for dangerous content by MailScanner on StrongBox. CP> > CP> CP> CP> -- CP> This message checked for dangerous content by MailScanner on StrongBox. -- Chris Selivanow 585 582-1600 Lead Technician 585 624-3465 (fax) QwicNet, Inc. http://www.qwicnet.com From mailscanner at ecs.soton.ac.uk Wed Mar 5 21:16:09 2003 
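The header check asked for in the message above (insert MIME-Version only when a MIME Content-Type header is present without it, and leave plain RFC 822 mail alone), as an added Python example; it is not part of the original thread and is not MailScanner's code. The sample messages are constructed, and the names `sample`, `audit` and `add_mime_version` are hypothetical.

```python
import binascii
import re
from email.parser import BytesHeaderParser

# Constructed boundary, modelled on the delimiter line quoted in the thread.
BOUNDARY = b"-" * 10 + b"=_1046891750-551-2"


def sample(mime_version=False, delimiters=True):
    """Build a constructed message shaped like the converted mail in the thread."""
    head = [b"From: sender@example.com", b"To: rcpt@example.com", b"Subject: report"]
    if mime_version:
        head.append(b"MIME-Version: 1.0")
    head.append(b'Content-Type: multipart/mixed; boundary="' + BOUNDARY + b'"')
    body = [b"The following is a multipart MIME message which was extracted",
            b"from a uuencoded message.", b""]
    if delimiters:
        body += [b"--" + BOUNDARY, b"Content-Type: text/plain", b"", b"see attached",
                 b"--" + BOUNDARY,
                 b'Content-Type: application/octet-stream; name="report.doc"',
                 b"Content-Transfer-Encoding: base64", b"", b"aGVsbG8=",
                 b"--" + BOUNDARY + b"--", b""]
    return b"\r\n".join(head) + b"\r\n\r\n" + b"\r\n".join(body)


# Constructed non-MIME mail carrying an inline uuencoded attachment.
UUENCODED_PLAIN = (b"From: sender@example.com\r\nSubject: report\r\n\r\n"
                   b"see attached\r\n\r\nbegin 644 report.doc\r\n"
                   + binascii.b2a_uu(b"hello").rstrip(b"\n") + b"\r\n`\r\nend\r\n")


def split_message(raw):
    """Return (header block incl. its last line ending, body after the blank line)."""
    m = re.search(rb"(\r?\n)\r?\n", raw)
    if m is None:                       # headers only, no body
        return raw, b""
    return raw[:m.end(1)], raw[m.end():]


def audit(raw):
    """List the MIME framing problems a gateway should log before delivery."""
    head, body = split_message(raw)
    msg = BytesHeaderParser().parsebytes(head)
    issues = []
    has_ct = msg.get("Content-Type") is not None
    if has_ct and msg.get("MIME-Version") is None:
        issues.append("content-type-without-mime-version")
    if msg.get_content_maintype() == "multipart":
        boundary = msg.get_boundary()
        lines = [ln.rstrip(b" \t\r") for ln in body.split(b"\n")]
        if boundary is None:
            issues.append("multipart-without-boundary-parameter")
        else:
            delim = b"--" + boundary.encode("ascii", "replace")
            if delim not in lines:
                issues.append("declared-boundary-never-opens")
            elif delim + b"--" not in lines:
                issues.append("multipart-not-terminated")
    if not has_ct and re.search(rb"(?m)^begin [0-7]{3,4} \S", body):
        issues.append("uuencoded-attachment-in-non-mime-body")
    return issues


def add_mime_version(raw):
    """Insert MIME-Version: 1.0 only when a Content-Type header exists without it."""
    if "content-type-without-mime-version" not in audit(raw):
        return raw                      # plain RFC 822 mail is left byte-identical
    head, _ = split_message(raw)
    eol = b"\r\n" if head.endswith(b"\r\n") else b"\n"
    # Keep an mbox "From " envelope line, if present, as the first line.
    start = raw.find(b"\n") + 1 if raw.startswith(b"From ") else 0
    return raw[:start] + b"MIME-Version: 1.0" + eol + raw[start:]


if __name__ == "__main__":
    for name, raw in [("converted", sample()), ("plain", UUENCODED_PLAIN)]:
        print(name, audit(raw), "->", audit(add_mime_version(raw)))
```

Logging the `audit` result next to the scanner verdict shows which delivered messages a mail client may frame differently from the way the gateway did.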
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:24 2006
Subject: Blacklist and high scoring spam
In-Reply-To: <20030305185146.M16147@dillonst.com>
Message-ID: <5.2.0.9.2.20030305211451.027c3f50@imap.ecs.soton.ac.uk>

At 18:53 05/03/2003, you wrote:
>I have setup several spam senders on the blacklist but it only marks it with
>the low level subject stamp and delivers it. Is there a way for the
>blacklist to score as a high score and follow those rules instead?

I have plans for a future feature consisting of a score for the RBL Spam
Lists defined in MailScanner.conf. If I was implementing it now I probably
wouldn't have bothered with my own "Spam Lists" at all, and just left
SpamAssassin to do it all. But then you wouldn't be able to easily do
per-domain spam white/black lists.

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

From cselivanow at QWICNET.COM Wed Mar 5 21:37:05 2003
From: cselivanow at QWICNET.COM (Chris Selivanow) Date: Thu Jan 12 21:17:24 2006 Subject: Messages w/o text not being marked clean. In-Reply-To: <20030305162740.45501db6.cselivanow@qwicnet.com> References: <20030305153830.423e6070.cselivanow@qwicnet.com> <859F8297-4F4E-11D7-882D-000393B9390A@strong-box.net> <20030305162740.45501db6.cselivanow@qwicnet.com> Message-ID: <20030305163705.32555426.cselivanow@qwicnet.com> I must me completely loosing it today..and didn't get the point of your message. It would be a problem to just add the header to all mail messages because it violates RFC1521 which states that if such a header exists then the message is guarenteed to be MIME compliant. Likewise, if a otherwise MIME compliant message doesn't have this header then it also violates the RFC and is therefor uncompliant. http://www.ietf.org/rfc/rfc1521.txt (section 3) (which is why I believe Eudora chokes on the emails) -Chris On Wed, 5 Mar 2003 16:27:40 -0500 Chris Selivanow wrote: CS> On Wed, 5 Mar 2003 13:07:49 -0800 CS> Craig Pratt wrote: CS> CS> CP> Actually, would having it on all messages really be a problem? CS> CP> CS> CP> That would certainly simplify things. Couldn't a procmail recipe that CS> CP> says to just add this header if not present? CS> CS> Actually I could do that however, I think that mailscanner should be adding CS> it because it appears that it actually causes the problem after it CS> converts a uuencoded message to a MIME multipart message. It should be CS> adding the MIME-Version header to the email it modifies. CS> CS> -Chris CS> CS> CP> CS> CP> Craig CS> CP> CS> CP> On Wednesday, March 5, 2003, at 12:38 PM, Chris Selivanow wrote: CS> CP> > It actually looks like Eudora is complaining that "MIME-Version: 1.0" CS> CP> > isn't in the main headers. If I manually edit the spool file and CS> CP> > insert CS> CP> > it before the usesr POPs the mail it works fine. 
Is there a way to CS> CP> > have CS> CP> > mailscanner check for a "MIME-Version" header and insert it if it CS> CP> > doesn't CS> CP> > exist and if a uuencoded file was converted? CS> CP> > CS> CP> > -Chris CS> CP> > CS> CP> > On Wed, 5 Mar 2003 14:52:23 -0500 CS> CP> > Chris Selivanow wrote: CS> CP> > CS> CP> > CS> Julian- CS> CP> > CS> CS> CP> > CS> Thanks for the responce. I had previously posted a question CS> CP> > regarding Outlook CS> CP> > CS> and attachments. I think that I have solved my issue with that CS> CP> > and it seems CS> CP> > CS> to be related to this issue and how mailscanner handles uuencoded CS> CP> > messages. CS> CP> > CS> CS> CP> > CS> Here is the situation: I have a client where some people are CS> CP> > using outlook 97 CS> CP> > CS> and some people are using Eudora 5. Before the mailscanner CS> CP> > (3.27)install there CS> CP> > CS> were no problems. After the mailscanner install those who were CS> CP> > using Eudora CS> CP> > CS> were having issues with attachments sent via outlook. Basically CS> CP> > the multipart CS> CP> > CS> message content was all being displayed in the message body. CS> CP> > CS> CS> CP> > CS> The reason follows: CS> CP> > CS> CS> CP> > CS> Mailscanner converts a uuencoded message, which only has one part CS> CP> > ie: lacking CS> CP> > CS> a "Content-type" header, and converts it into a base64 encoded CS> CP> > multipart CS> CP> > CS> message. This is all fine and well. However, mailscanner also CS> CP> > adds the text: CS> CP> > CS> CS> CP> > CS> The following is a multipart MIME message which was extracted CS> CP> > CS> from a uuencoded message. CS> CP> > CS> CS> CP> > CS> Mailscanner does not however add a boundery line like: CS> CP> > CS> CS> CP> > CS> ------------=_1046891750-551-2 CS> CP> > CS> CS> CP> > CS> before the previous message. 
This causes Eudora to believe one of CS> CP> > two things CS> CP> > CS> (as far a I can tell) CS> CP> > CS> CS> CP> > CS> 1) That the message really isn't a multipart message CS> CP> > CS> 2) That it has another part that is missing (ie: the attachment) CS> CP> > CS> CS> CP> > CS> I'm not really sure of the innerworkings of mailscanner but this CS> CP> > seems to CS> CP> > CS> be what happens. Is there a way to resolve this? Besides having CS> CP> > my CS> CP> > CS> client tell their senders to reconfigure thier outlook? CS> CP> > CS> CS> CP> > CS> -Chris CS> CP> > CS> CS> CP> > CS> On Wed, 5 Mar 2003 18:11:57 +0000 CS> CP> > CS> Julian Field wrote: CS> CP> > CS> CS> CP> > CS> JF> At 17:24 05/03/2003, you wrote: CS> CP> > CS> JF> >Hi all- CS> CP> > CS> JF> > CS> CP> > CS> JF> >I noticed that if I send an email with an attachment but no CS> CP> > text in the body CS> CP> > CS> JF> >of the email that the mailscanner will scan the message but CS> CP> > not append the CS> CP> > CS> JF> >clean message signature. Of course if there is at least one CS> CP> > character in the CS> CP> > CS> JF> >body then the signature is appended. Is there any way to get CS> CP> > the signature CS> CP> > CS> JF> >appended every time? CS> CP> > CS> JF> CS> CP> > CS> JF> It appends the signature to the first html and/or text segment CS> CP> > of the CS> CP> > CS> JF> message. If there's no body at all, there's nowhere to put the CS> CP> > signature. CS> CP> > CS> JF> CS> CP> > CS> JF> I'll take a look at the possibility of creating a body if CS> CP> > needed. CS> CP> > CS> JF> -- CS> CP> > CS> JF> Julian Field CS> CP> > CS> JF> www.MailScanner.info CS> CP> > CS> JF> Professional Support Services at www.MailScanner.biz CS> CP> > CS> JF> MailScanner thanks transtec Computers for their support CS> CP> > CS> CS> CP> > CS> CS> CP> > CS> -- CS> CP> > CS> Chris Selivanow 585 582-1600 CS> CP> > CS> Lead Technician 585 624-3465 (fax) CS> CP> > CS> QwicNet, Inc. 
http://www.qwicnet.com CS> CP> > CS> CP> > CS> CP> > -- CS> CP> > Chris Selivanow 585 582-1600 CS> CP> > Lead Technician 585 624-3465 (fax) CS> CP> > QwicNet, Inc. http://www.qwicnet.com CS> CP> > CS> CP> > -- CS> CP> > This message checked for dangerous content by MailScanner on StrongBox. CS> CP> > CS> CP> CS> CP> CS> CP> -- CS> CP> This message checked for dangerous content by MailScanner on StrongBox. CS> CS> CS> -- CS> Chris Selivanow 585 582-1600 CS> Lead Technician 585 624-3465 (fax) CS> QwicNet, Inc. http://www.qwicnet.com -- Chris Selivanow 585 582-1600 Lead Technician 585 624-3465 (fax) QwicNet, Inc. http://www.qwicnet.com From smohan at vsnl.com Thu Mar 6 01:25:23 2003 From: smohan at vsnl.com (S Mohan) Date: Thu Jan 12 21:17:24 2006 Subject: Sendmail before MailScanner In-Reply-To: Message-ID: <002601c2e37f$4492d360$2e6041db@18yamuna> Use access. The order of the rules matter. Put the deny or reject from IP before domain. I do not think combinations would work. Mohan -----Original Message----- 
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Raymond Dijkxhoorn Sent: Thursday, March 06, 2003 2:29 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Sendmail before MailScanner Hi! > Yet, this is my problem too. I wish MailScanner would be able to > handle. Our gateway accepts daily thousands of messages, just to > receive in turn a 550 user unknown from the internal mail hubs. This > messages are generated in our case by SPAM, pretending to be generated > by our university domain... > > The best would be to reject the message before enters the queue, but > this is a Sendmail problem I can hardly handle (LDAP routing?). > However, a rule something like this would help a lot: drop all > messages containing in the body a line with > "Received: from ...unitbv.ro" and not "(193.254.23" > would stop the chain reaction for each of this messages (thousands of > postmaster notify, returned message, etc. in the root mailbox). Can > this be put in sendmail "acces" db? Or in SpamAssassin's? Thank you, If you like do do that, use ldap for example and let your relays be away of the users that DO exsist. Its a mailer problem, and you can configure that. Not mailscanner. Bye, Raymond. From craig at STRONG-BOX.NET Thu Mar 6 03:22:09 2003 
From: craig at STRONG-BOX.NET (Craig Pratt) Date: Thu Jan 12 21:17:24 2006 Subject: Messages w/o text not being marked clean. In-Reply-To: <20030305163705.32555426.cselivanow@qwicnet.com> Message-ID: No - I think you had a good point. If MS (or one of the underlying Perl modules, more likely) is doing this conversion - basically turning RFC822 messages into semi-MIME-compliant messages - it should make them fully-MIME-compliant. However, I do think that addition of the header is still an acceptable work-around. If it's the only thing missing on the semi-MIME-compliant MS-generated messages, those will be OK. And for the non-MIME messages (RFC822, I presume?), there's some interesting verbiage in section 4 of the MIME standard (thanks for the link BTW - very interesting reading): Default RFC 822 messages are typed by this protocol as plain text in the US-ASCII character set, which can be explicitly specified as "Content-type: text/plain; charset=us-ascii". If no Content-Type is specified, this default is assumed. In the presence of a MIME- Version header field, a receiving User Agent can also assume that plain US-ASCII text was the sender's intent. In the absence of a MIME-Version specification, plain US-ASCII text must still be assumed, but the sender's intent might have been otherwise. I dunno - still could be missing something here. But I think - again along the lines of solving your immediate problem - writing a procmail recipe to add the header iff there is a Multipart header and there isn't a Version header is also doable. Sorry that I can't write it off the top of my head, though... Craig craig@strong-box.net On Wednesday, March 5, 2003, at 01:37 PM, Chris Selivanow wrote: > I must me completely loosing it today..and didn't get the > point of your message. It would be a problem to just add > the header to all mail messages because it violates > RFC1521 which states that if such a header exists then the > message is guarenteed to be MIME compliant. 
Likewise, if > a otherwise MIME compliant message doesn't have this header > then it also violates the RFC and is therefor uncompliant. > > http://www.ietf.org/rfc/rfc1521.txt (section 3) > > (which is why I believe Eudora chokes on the emails) > > -Chris > > On Wed, 5 Mar 2003 16:27:40 -0500 > Chris Selivanow wrote: > > CS> On Wed, 5 Mar 2003 13:07:49 -0800 > CS> Craig Pratt wrote: > CS> > CS> CP> Actually, would having it on all messages really be a problem? > CS> CP> > CS> CP> That would certainly simplify things. Couldn't a procmail > recipe that > CS> CP> says to just add this header if not present? > CS> > CS> Actually I could do that however, I think that mailscanner should > be adding > CS> it because it appears that it actually causes the problem after it > CS> converts a uuencoded message to a MIME multipart message. It > should be > CS> adding the MIME-Version header to the email it modifies. > CS> > CS> -Chris > CS> > CS> CP> > CS> CP> Craig > CS> CP> > CS> CP> On Wednesday, March 5, 2003, at 12:38 PM, Chris Selivanow > wrote: > CS> CP> > It actually looks like Eudora is complaining that > "MIME-Version: 1.0" > CS> CP> > isn't in the main headers. If I manually edit the spool > file and > CS> CP> > insert > CS> CP> > it before the usesr POPs the mail it works fine. Is there a > way to > CS> CP> > have > CS> CP> > mailscanner check for a "MIME-Version" header and insert it > if it > CS> CP> > doesn't > CS> CP> > exist and if a uuencoded file was converted? > CS> CP> > > CS> CP> > -Chris > CS> CP> > > CS> CP> > On Wed, 5 Mar 2003 14:52:23 -0500 > CS> CP> > Chris Selivanow wrote: > CS> CP> > > CS> CP> > CS> Julian- > CS> CP> > CS> > CS> CP> > CS> Thanks for the responce. I had previously posted a > question > CS> CP> > regarding Outlook > CS> CP> > CS> and attachments. I think that I have solved my issue > with that > CS> CP> > and it seems > CS> CP> > CS> to be related to this issue and how mailscanner handles > uuencoded > CS> CP> > messages. 
> CS> CP> > CS> > CS> CP> > CS> Here is the situation: I have a client where some > people are > CS> CP> > using outlook 97 > CS> CP> > CS> and some people are using Eudora 5. Before the > mailscanner > CS> CP> > (3.27)install there > CS> CP> > CS> were no problems. After the mailscanner install those > who were > CS> CP> > using Eudora > CS> CP> > CS> were having issues with attachments sent via outlook. > Basically > CS> CP> > the multipart > CS> CP> > CS> message content was all being displayed in the message > body. > CS> CP> > CS> > CS> CP> > CS> The reason follows: > CS> CP> > CS> > CS> CP> > CS> Mailscanner converts a uuencoded message, which only has > one part > CS> CP> > ie: lacking > CS> CP> > CS> a "Content-type" header, and converts it into a base64 > encoded > CS> CP> > multipart > CS> CP> > CS> message. This is all fine and well. However, > mailscanner also > CS> CP> > adds the text: > CS> CP> > CS> > CS> CP> > CS> The following is a multipart MIME message which was > extracted > CS> CP> > CS> from a uuencoded message. > CS> CP> > CS> > CS> CP> > CS> Mailscanner does not however add a boundery line like: > CS> CP> > CS> > CS> CP> > CS> ------------=_1046891750-551-2 > CS> CP> > CS> > CS> CP> > CS> before the previous message. This causes Eudora to > believe one of > CS> CP> > two things > CS> CP> > CS> (as far a I can tell) > CS> CP> > CS> > CS> CP> > CS> 1) That the message really isn't a multipart message > CS> CP> > CS> 2) That it has another part that is missing (ie: the > attachment) > CS> CP> > CS> > CS> CP> > CS> I'm not really sure of the innerworkings of mailscanner > but this > CS> CP> > seems to > CS> CP> > CS> be what happens. Is there a way to resolve this? > Besides having > CS> CP> > my > CS> CP> > CS> client tell their senders to reconfigure thier outlook? 
> CS> CP> > CS> > CS> CP> > CS> -Chris > CS> CP> > CS> > CS> CP> > CS> On Wed, 5 Mar 2003 18:11:57 +0000 > CS> CP> > CS> Julian Field wrote: > CS> CP> > CS> > CS> CP> > CS> JF> At 17:24 05/03/2003, you wrote: > CS> CP> > CS> JF> >Hi all- > CS> CP> > CS> JF> > > CS> CP> > CS> JF> >I noticed that if I send an email with an > attachment but no > CS> CP> > text in the body > CS> CP> > CS> JF> >of the email that the mailscanner will scan the > message but > CS> CP> > not append the > CS> CP> > CS> JF> >clean message signature. Of course if there is at > least one > CS> CP> > character in the > CS> CP> > CS> JF> >body then the signature is appended. Is there any > way to get > CS> CP> > the signature > CS> CP> > CS> JF> >appended every time? > CS> CP> > CS> JF> > CS> CP> > CS> JF> It appends the signature to the first html and/or > text segment > CS> CP> > of the > CS> CP> > CS> JF> message. If there's no body at all, there's nowhere > to put the > CS> CP> > signature. > CS> CP> > CS> JF> > CS> CP> > CS> JF> I'll take a look at the possibility of creating a > body if > CS> CP> > needed. > CS> CP> > CS> JF> -- > CS> CP> > CS> JF> Julian Field > CS> CP> > CS> JF> www.MailScanner.info > CS> CP> > CS> JF> Professional Support Services at www.MailScanner.biz > CS> CP> > CS> JF> MailScanner thanks transtec Computers for their > support > CS> CP> > CS> > CS> CP> > CS> > CS> CP> > CS> -- > CS> CP> > CS> Chris Selivanow 585 582-1600 > CS> CP> > CS> Lead Technician 585 624-3465 (fax) > CS> CP> > CS> QwicNet, Inc. http://www.qwicnet.com > CS> CP> > > CS> CP> > > CS> CP> > -- > CS> CP> > Chris Selivanow 585 582-1600 > CS> CP> > Lead Technician 585 624-3465 (fax) > CS> CP> > QwicNet, Inc. http://www.qwicnet.com > CS> CP> > > CS> CP> > -- > CS> CP> > This message checked for dangerous content by MailScanner on > StrongBox. > CS> CP> > > CS> CP> > CS> CP> > CS> CP> -- > CS> CP> This message checked for dangerous content by MailScanner on > StrongBox. 
> CS> > CS> > CS> -- > CS> Chris Selivanow 585 582-1600 > CS> Lead Technician 585 624-3465 (fax) > CS> QwicNet, Inc. http://www.qwicnet.com > > > -- > Chris Selivanow 585 582-1600 > Lead Technician 585 624-3465 (fax) > QwicNet, Inc. http://www.qwicnet.com > > -- > This message checked for dangerous content by MailScanner on StrongBox. > -- This message checked for dangerous content by MailScanner on StrongBox. From craig at STRONG-BOX.NET Thu Mar 6 03:28:45 2003 
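Added example, not part of the original thread and not MailScanner or procmail code: the check discussed above (add `MIME-Version: 1.0` only when the top-level headers declare a multipart body and carry no MIME-Version header), written in Python with the standard `email` package rather than as a procmail recipe. The function names and the sample messages are constructed for illustration; the body is passed through byte for byte, and plain RFC 822 messages are left alone so they are not falsely labelled as MIME.

```python
import re
from email.parser import BytesHeaderParser

# First line ending that is directly followed by an empty line, i.e. the end
# of the header block. Accepts both CRLF and bare LF line endings.
_END_OF_HEADERS = re.compile(rb"\r?\n(?=\r?\n)")


def split_message(raw):
    """Return (header block incl. its last newline, blank line + body)."""
    m = _END_OF_HEADERS.search(raw)
    cut = m.end() if m else len(raw)  # no blank line: everything is headers
    return raw[:cut], raw[cut:]


def classify(raw):
    """Decide what, if anything, is wrong with the top-level MIME headers."""
    head, _ = split_message(raw)
    headers = BytesHeaderParser().parsebytes(head)
    if headers["MIME-Version"] is not None:  # lookup is case-insensitive
        return "has-mime-version"
    if headers.get_content_maintype() != "multipart":
        # No Content-Type, or a non-multipart one: a missing MIME-Version
        # header is harmless here, so the message is left untouched.
        return "not-multipart"
    if headers.get_boundary() is None:
        # Adding MIME-Version would not make this parseable; flag it instead.
        return "multipart-without-boundary"
    return "needs-mime-version"


def add_mime_version(raw):
    """Insert 'MIME-Version: 1.0' as the last header when it is needed."""
    if classify(raw) != "needs-mime-version":
        return raw
    head, rest = split_message(raw)
    eol = b"\r\n" if head.endswith(b"\r\n") else b"\n"
    if not head.endswith(b"\n"):
        head += eol
    return head + b"MIME-Version: 1.0" + eol + rest


# Constructed sample modelled on the converted message described in the thread.
CONVERTED = (
    b"From: sender@example.com\n"
    b"To: user@example.com\n"
    b"Subject: report\n"
    b'Content-Type: multipart/mixed; boundary="----------=_1046891750-551-2"\n'
    b"\n"
    b"The following is a multipart MIME message which was extracted\n"
    b"from a uuencoded message.\n"
    b"\n"
    b"------------=_1046891750-551-2\n"
    b"Content-Type: text/plain\n"
    b"\n"
    b"hello\n"
    b"------------=_1046891750-551-2--\n"
)

# Constructed plain RFC 822 message whose body merely looks like a MIME header.
PLAIN = (
    b"From: a@example.com\n"
    b"Subject: hi\n"
    b"\n"
    b"Content-Type: multipart/mixed\n"
    b"\n"
    b"just text\n"
)

# Constructed broken message: multipart declared, but no boundary parameter.
NO_BOUNDARY = b"Subject: x\nContent-Type: multipart/mixed\n\nbody\n"

if __name__ == "__main__":
    for name, raw in (("converted", CONVERTED), ("plain", PLAIN),
                      ("no-boundary", NO_BOUNDARY)):
        print(name, "->", classify(raw))
```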
From: craig at STRONG-BOX.NET (Craig Pratt)
Date: Thu Jan 12 21:17:24 2006
Subject: Fwd: Hackers' code exploits Sendmail flaw
Message-ID:

In case you haven't been keeping up on the news, it looks like there are already working exploits of the sendmail vulnerability announced Monday. The one discussed below will basically open a remote terminal on the attacked system - presumably as root.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

From http://zdnet.com.com/2100-1105-991041.html

Hackers' code exploits Sendmail flaw
By Robert Lemos
CNET News.com
March 5, 2003, 4:31 AM PT

A group of four Polish hackers published code to an open security mailing list on Tuesday that can take advantage of a major vulnerability in the Sendmail mail server.

The code, released less than a day after the Sendmail flaw's public announcement, allows an attacker to remotely exploit a Red Hat or Slackware Linux computer running a vulnerable version of the mail server, the group--known as the Last Stage of Delirium--stated in the analysis that accompanied the code.

While the limited number of platforms affected by the program seems to be good news, the group warned that its quick analysis might have missed other ways of exploiting the problem.

"We do not claim that our way of exploitation is the only one," one of the group's members said in an e-mail with CNET News.com. "What we did was to perform the series of experiments aimed at actual verification of (the) vulnerability's impact. According to our results, this impact is much less significant than it might seem."

The flaw in Sendmail--in one of the mail server's security functions that parses mail headers--was found by network protection firm Internet Security Systems and announced on Monday. Companies shipping versions of Sendmail affected by the flaw--believed to be more than 15 years old--include IBM, Hewlett-Packard, Apple Computer, Sun Microsystems, Red Hat and other Linux vendors, according to advisories posted Monday by the Sendmail Consortium open-source project.

The LSD group's research questioned whether as many types of servers running Sendmail are as vulnerable as previously thought.

That's a moot point, said Eric Allman, founder of the Sendmail Consortium and chief technology officer for Sendmail Inc., a company that has created a commercial version of Sendmail.

"I don't think anyone should be complacent," he said, stressing that other ways to exploit the flaw may exist. "Just get the patch."

Allman wasn't sure how he felt about the security group publishing such extensive details about exploiting the vulnerability so soon after it was announced. For many years, security researchers and hackers have argued whether releasing detailed information about how a software flaw can be abused helps or hinders security.

The Sendmail founder had expected that code would be released soon, but not within 24 hours. Moreover, the functional nature of the posted code--the script returns a terminal prompt with which an attacker could issue commands to the compromised host--was overkill, he said.

"I would have preferred that they would have done a proof of concept," Allman said. Proof-of-concept code only illustrates how to exploit a vulnerability without actually doing anything overly useful.

The LSD group--whose four members claim to be graduates of the Poznan University of Technology--say that releasing such code enhances the community's overall security.

"We do believe that open and free information is the best for improving security," the group said in its e-mail to CNET News.com. "In our opinion, publishing the details is the only way to...determine the impact. The lack of appropriate information on the issue can be...even more damaging."

--
This message checked for dangerous content by MailScanner on StrongBox.

From Jan-Peter.Koopmann at SECEIDOS.DE Thu Mar 6 08:21:18 2003
From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann)
Date: Thu Jan 12 21:17:24 2006
Subject: Something strange with MS and Exim
Message-ID: <4E7026FF8A422749B1553FE508E0068007EE94@message.intern.akctech.de>

Hi,

please have a look at this log:

Mar 6 09:13:13 proxy MailScanner[79130]: Enabling SpamAssassin auto-whitelist functionality...
Mar 6 09:13:22 proxy MailScanner[79130]: Using locktype = posix
Mar 6 09:13:22 proxy MailScanner[79130]: Creating hardcoded struct_flock subroutine for freebsd (BSD-type)
Mar 6 09:13:22 proxy MailScanner[79130]: New Batch: Found 11 messages waiting
Mar 6 09:13:22 proxy MailScanner[79130]: New Batch: Scanning 3 messages, 27539 bytes
Mar 6 09:13:22 proxy MailScanner[79130]: Spam Checks: Starting
Mar 6 09:13:33 proxy MailScanner[79178]: MailScanner E-Mail Virus Scanner version 4.13-3 starting...
Mar 6 09:13:34 proxy MailScanner[79178]: Enabling SpamAssassin auto-whitelist functionality...
Mar 6 09:13:39 proxy MailScanner[79178]: Using locktype = posix
Mar 6 09:13:39 proxy MailScanner[79178]: Creating hardcoded struct_flock subroutine for freebsd (BSD-type)
Mar 6 09:13:49 proxy MailScanner[79178]: New Batch: Found 15 messages waiting
Mar 6 09:13:49 proxy MailScanner[79178]: New Batch: Scanning 1 messages, 1717 bytes
Mar 6 09:13:49 proxy MailScanner[79178]: Spam Checks: Starting
Mar 6 09:13:49 proxy MailScanner[79178]: Virus and Content Scanning: Starting
Mar 6 09:13:51 proxy MailScanner[79178]: Uninfected: Delivered 1 messages
Mar 6 09:13:51 proxy MailScanner[79130]: RBL Check spamcop.net timed out and was killed, consecutive failure 1 of 7
Mar 6 09:14:08 proxy MailScanner[79130]: Virus and Content Scanning: Starting
Mar 6 09:14:11 proxy MailScanner[79130]: Uninfected: Delivered 3 messages
Mar 6 09:14:11 proxy MailScanner[79130]: New Batch: Scanning 1 messages, 2041 bytes
Mar 6 09:14:11 proxy MailScanner[79130]: Spam Checks: Starting
Mar 6 09:14:11 proxy MailScanner[79266]: MailScanner E-Mail Virus Scanner version 4.13-3 starting...
Mar 6 09:14:15 proxy MailScanner[79130]: Virus and Content Scanning: Starting
Mar 6 09:14:15 proxy MailScanner[79266]: Enabling SpamAssassin auto-whitelist functionality...
Mar 6 09:14:18 proxy MailScanner[79130]: Uninfected: Delivered 1 messages
Mar 6 09:14:20 proxy MailScanner[79266]: Using locktype = posix
Mar 6 09:14:20 proxy MailScanner[79266]: Creating hardcoded struct_flock subroutine for freebsd (BSD-type)
Mar 6 09:15:30 proxy MailScanner[79266]: New Batch: Scanning 1 messages, 1718 bytes
Mar 6 09:15:30 proxy MailScanner[79266]: Spam Checks: Starting
Mar 6 09:15:30 proxy MailScanner[79266]: Virus and Content Scanning: Starting
Mar 6 09:15:32 proxy MailScanner[79266]: Uninfected: Delivered 1 messages
Mar 6 09:15:38 proxy MailScanner[79130]: New Batch: Scanning 1 messages, 2042 bytes
Mar 6 09:15:38 proxy MailScanner[79130]: Spam Checks: Starting
Mar 6 09:15:40 proxy MailScanner[79130]: Virus and Content Scanning: Starting
Mar 6 09:15:41 proxy MailScanner[79130]: Uninfected: Delivered 1 messages
Mar 6 09:16:11 proxy MailScanner[79130]: New Batch: Scanning 7 messages, 42792 bytes
Mar 6 09:16:11 proxy MailScanner[79130]: Spam Checks: Starting
Mar 6 09:16:12 proxy MailScanner[79266]: New Batch: Found 9 messages waiting
Mar 6 09:16:12 proxy MailScanner[79266]: New Batch: Scanning 2 messages, 10870 bytes
Mar 6 09:16:12 proxy MailScanner[79266]: Spam Checks: Starting
Mar 6 09:16:22 proxy MailScanner[79178]: New Batch: Found 43 messages waiting
Mar 6 09:16:22 proxy MailScanner[79178]: New Batch: Scanning 10 messages, 52122 bytes
Mar 6 09:16:22 proxy MailScanner[79178]: Spam Checks: Starting
Mar 6 09:16:25 proxy MailScanner[79266]: Virus and Content Scanning: Starting
Mar 6 09:16:30 proxy MailScanner[79266]: Uninfected: Delivered 2 messages
Mar 6 09:16:30 proxy MailScanner[79266]: New Batch: Found 18 messages waiting
Mar 6 09:16:30 proxy MailScanner[79266]: New Batch: Scanning 1 messages, 5456 bytes
Mar 6 09:16:30 proxy MailScanner[79266]: Spam Checks: Starting
Mar 6 09:16:36 proxy MailScanner[79266]: Virus and Content Scanning: Starting
Mar 6 09:16:39 proxy MailScanner[79266]: Uninfected: Delivered 1 messages
Mar 6 09:16:58 proxy MailScanner[79130]: Virus and Content Scanning: Starting
Mar 6 09:17:02 proxy MailScanner[79130]: Uninfected: Delivered 7 messages

There seems to be a bug in the "New Batch: Found xx messages waiting" routine. This keeps growing and growing even though there are not so many messages in the inbound queue. When it says

Mar 6 09:16:30 proxy MailScanner[79266]: New Batch: Found 18 messages waiting
Mar 6 09:16:30 proxy MailScanner[79266]: New Batch: Scanning 1 messages, 5456 bytes
Mar 6 09:16:30 proxy MailScanner[79266]: Spam Checks: Starting
Mar 6 09:16:36 proxy MailScanner[79266]: Virus and Content Scanning: Starting
Mar 6 09:16:39 proxy MailScanner[79266]: Uninfected: Delivered 1 messages

There is really only 1 message in the queue at this time. I never noticed this with sendmail, only with exim. Any explanations? All my messages seem to come through btw. so this probably is not a misconfiguration.

Regards,
  JP

PS: This is with 4.13-3, SA 2.50 and exim 4.12-6.

From Jan-Peter.Koopmann at SECEIDOS.DE Thu Mar 6 08:24:50 2003
From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann)
Date: Thu Jan 12 21:17:24 2006
Subject: OT: Read Receipt Request and this list
Message-ID: <4E7026FF8A422749B1553FE508E0068007EE97@message.intern.akctech.de>

Hi,

damn I will probably always forget to turn this off when writing to this list. Is there no way for the list software to filter the read receipt request from incoming mails?

Regards,
  JP

From Jan-Peter.Koopmann at SECEIDOS.DE Thu Mar 6 08:36:13 2003
From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann)
Date: Thu Jan 12 21:17:24 2006
Subject: SA and Bayes
Message-ID: <4E7026FF8A422749B1553FE508E0068007EE98@message.intern.akctech.de>

Hi,

somehow I get the impression that my SA/MS setup does not use bayes. These are the relevant entries of my spam.assassin.prefs.conf file:

auto_whitelist_path /var/spool/spamassassin/auto-whitelist
auto_whitelist_file_mode 0666

bayes_path /var/spool/spamassassin/bayes
bayes_file_mode 0666

auto_learn 1

use_bayes 1

bayes_ignore_header X-MailScanner
bayes_ignore_header X-MailScanner-SpamCheck

This is what a check_bayes_db tells me:

0.000 0 0 0 non-token data: db format = on-the-fly probs, expiry, scan-counting
0.000 0 209 0 non-token data: nspam
0.000 0 2320 0 non-token data: nham
0.000 0 0 0 non-token data: ntokens
0.000 0 0 0 non-token data: oldest age
0.000 0 4505 0 non-token data: current scan-count
0.000 0 0 0 non-token data: last expiry scan-count

--- snipp ---

If I interpret this correctly I have 209 spam and 2320 nonspam messages learned successfully. And as far as I can see both sa-learn and auto_learn seem to work. BUT: I never saw a single mail (spam and nospam) with a BAYES_ tag in the SpamAssassin score.

Any ideas?

Regards,
  JP

From mailscanner at ecs.soton.ac.uk Thu Mar 6 10:08:50 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:24 2006 Subject: Something strange with MS and Exim In-Reply-To: <4E7026FF8A422749B1553FE508E0068007EE94@message.intern.akct ech.de> Message-ID: <5.2.0.9.2.20030306100553.0229f998@imap.ecs.soton.ac.uk> At 08:21 06/03/2003, you wrote: >Hi, > >There seems to be a bug in the "New Batch: Found xx messages waiting" >routine. This keeps growing and growing even though there are not so >many messages in the inbound queue. When it says Indeed, when it is looking for a new batch, there's a counter that doesn't get reset when it should. I happened to notice this myself yesterday. It's only cosmetic, the behaviour of the program is not affected at all, just the counter number that is printed. It will be fixed in the next release. -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Thu Mar 6 10:10:58 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:24 2006 Subject: SA and Bayes In-Reply-To: <4E7026FF8A422749B1553FE508E0068007EE98@message.intern.akct ech.de> Message-ID: <5.2.0.9.2.20030306100952.022a6ea0@imap.ecs.soton.ac.uk> At 08:36 06/03/2003, you wrote: >Hi, > >somehow I get the impression that my SA/MS setup does not use bayes. >These are the relevant entries of my spam.assassin.prefs.conf file: > >auto_whitelist_path /var/spool/spamassassin/auto-whitelist >auto_whitelist_file_mode 0666 > >bayes_path /var/spool/spamassassin/bayes >bayes_file_mode 0666 > >auto_learn 1 > >use_bayes 1 > >bayes_ignore_header X-MailScanner >bayes_ignore_header X-MailScanner-SpamCheck > > >This is what a check_bayes_db tells me: > >0.000 0 0 0 non-token data: db format = on-the-fly >probs, expiry, scan-counting >0.000 0 209 0 non-token data: nspam >0.000 0 2320 0 non-token data: nham >0.000 0 0 0 non-token data: ntokens >0.000 0 0 0 non-token data: oldest age >0.000 0 4505 0 non-token data: current scan-count >0.000 0 0 0 non-token data: last expiry scan-count > >--- snipp --- > >If I interpret this correctly I have 209 spam and 2320 nonspam messages >learned successfully. And as far as I can see both sa-learn and >auto_learn seem to work. BUT: I never saw a single mail (spam and >nospam) with a BAYES_ tag in the SpamAssassin score. I have seen this too, there aren't any signs of it doing anything useful with the bayes rules. I was hoping it was just another SA 2.50 bug which will hopefully be fixed in SA 2.51. -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support From Jan-Peter.Koopmann at SECEIDOS.DE Thu Mar 6 10:52:24 2003 
From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann) Date: Thu Jan 12 21:17:24 2006 Subject: SA and Bayes Message-ID: <4E7026FF8A422749B1553FE508E0068007EE9A@message.intern.akctech.de> Hi, > I have seen this too, there aren't any signs of it doing > anything useful with the bayes rules. I was hoping it was > just another SA 2.50 bug which will hopefully be fixed in SA 2.51. Ok. I will crosspost this in SATalk then. Maybe they know what's happening. Thanks, JP From brose at MED.WAYNE.EDU Thu Mar 6 14:03:30 2003 From: brose at MED.WAYNE.EDU (Rose, Bobby) Date: Thu Jan 12 21:17:24 2006 Subject: SA and Bayes Message-ID: What happens if you don't specify anything for bayes and go with the defaults? I think my setup is using bayes because the .spamassassin dir under root has bayes files that are updating. The only problem that I've been seeing with bayes is that it's not very good at cleanup. It leaves lock files there but I've been noticing more sa temp files being left behind in /tmp as well. -----Original Message----- 
From: Jan-Peter Koopmann [mailto:Jan-Peter.Koopmann@SECEIDOS.DE] Sent: Thursday, March 06, 2003 3:36 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: SA and Bayes Hi, somehow I get the impression that my SA/MS setup does not use bayes. These are the relevant entries of my spam.assassin.prefs.conf file: auto_whitelist_path /var/spool/spamassassin/auto-whitelist auto_whitelist_file_mode 0666 bayes_path /var/spool/spamassassin/bayes bayes_file_mode 0666 auto_learn 1 use_bayes 1 bayes_ignore_header X-MailScanner bayes_ignore_header X-MailScanner-SpamCheck This is what a check_bayes_db tells me: 0.000 0 0 0 non-token data: db format = on-the-fly probs, expiry, scan-counting 0.000 0 209 0 non-token data: nspam 0.000 0 2320 0 non-token data: nham 0.000 0 0 0 non-token data: ntokens 0.000 0 0 0 non-token data: oldest age 0.000 0 4505 0 non-token data: current scan-count 0.000 0 0 0 non-token data: last expiry scan-count --- snipp --- If I interpret this correctly I have 209 spam and 2320 nonspam messages learned successfully. And as far as I can see both sa-learn and auto_learn seem to work. BUT: I never saw a single mail (spam and nospam) with a BAYES_ tag in the SpamAssassin score. Any ideas? Regards, JP From mailscanner at ecs.soton.ac.uk Thu Mar 6 14:15:19 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:24 2006 Subject: SA and Bayes In-Reply-To: Message-ID: <5.2.0.9.2.20030306141400.0470db30@imap.ecs.soton.ac.uk> At 14:03 06/03/2003, you wrote: >What happens if you don't specify anything for bayes and go with the >defaults? I think my setup is using bayes because the .spamassassin dir >under root has bayes files that are updating. The only problem that >I've been seeing with bayes is that it's not very good at cleanup. It >leaves lock files there but I've been noticing more sa temp files being >left behind in /tmp as well. But have you actually seen "BAYES" in any of the spam reports? Switch "Log Spam = yes" and sit back and wait. I've yet to see this being used in anger, although the db files are indeed being updated. I'm currently trying to recreate a faulty system so I can test this. Just got to copy my 60,000 message test set onto the poor thing :-) >-----Original Message----- 
>From: Jan-Peter Koopmann [mailto:Jan-Peter.Koopmann@SECEIDOS.DE] >Sent: Thursday, March 06, 2003 3:36 AM >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: SA and Bayes > > >Hi, > >somehow I get the impression that my SA/MS setup does not use bayes. >These are the relevant entries of my spam.assassin.prefs.conf file: > >auto_whitelist_path /var/spool/spamassassin/auto-whitelist >auto_whitelist_file_mode 0666 > >bayes_path /var/spool/spamassassin/bayes >bayes_file_mode 0666 > >auto_learn 1 > >use_bayes 1 > >bayes_ignore_header X-MailScanner >bayes_ignore_header X-MailScanner-SpamCheck > > >This is what a check_bayes_db tells me: > >0.000 0 0 0 non-token data: db format = on-the-fly >probs, expiry, scan-counting >0.000 0 209 0 non-token data: nspam >0.000 0 2320 0 non-token data: nham >0.000 0 0 0 non-token data: ntokens >0.000 0 0 0 non-token data: oldest age >0.000 0 4505 0 non-token data: current scan-count >0.000 0 0 0 non-token data: last expiry scan-count > >--- snipp --- > >If I interpret this correctly I have 209 spam and 2320 nonspam messages >learned successfully. And as far as I can see both sa-learn and >auto_learn seem to work. BUT: I never saw a single mail (spam and >nospam) with a BAYES_ tag in the SpamAssassin score. > >Any ideas? > >Regards, > JP -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From brose at MED.WAYNE.EDU Thu Mar 6 14:52:48 2003 From: brose at MED.WAYNE.EDU (Rose, Bobby) Date: Thu Jan 12 21:17:24 2006 Subject: SA and Bayes Message-ID: Yes Bayes_60, Bayes_90, Bayes_80, etc. I counted about 554 instances in the current log. -----Original Message----- 
From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] Sent: Thursday, March 06, 2003 9:15 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: SA and Bayes At 14:03 06/03/2003, you wrote: >What happens if you don't specify anything for bayes and go with the >defaults? I think my setup is using bayes because the .spamassassin >dir under root has bayes files that are updating. The only problem >that I've been seeing with bayes is that it's not very good at cleanup. >It leaves lock files there but I've been noticing more sa temp files >being left behind in /tmp as well. But have you actually seen "BAYES" in any of the spam reports? Switch "Log Spam = yes" and sit back and wait. I've yet to see this being used in anger, although the db files are indeed being updated. I'm currently trying to recreate a faulty system so I can test this. Just got to copy my 60,000 message test set onto the poor thing :-) >-----Original Message----- 
>From: Jan-Peter Koopmann [mailto:Jan-Peter.Koopmann@SECEIDOS.DE] >Sent: Thursday, March 06, 2003 3:36 AM >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: SA and Bayes > > >Hi, > >somehow I get the impression that my SA/MS setup does not use bayes. >These are the relevant entries of my spam.assassin.prefs.conf file: > >auto_whitelist_path /var/spool/spamassassin/auto-whitelist >auto_whitelist_file_mode 0666 > >bayes_path /var/spool/spamassassin/bayes >bayes_file_mode 0666 > >auto_learn 1 > >use_bayes 1 > >bayes_ignore_header X-MailScanner >bayes_ignore_header X-MailScanner-SpamCheck > > >This is what a check_bayes_db tells me: > >0.000 0 0 0 non-token data: db format = on-the-fly >probs, expiry, scan-counting >0.000 0 209 0 non-token data: nspam >0.000 0 2320 0 non-token data: nham >0.000 0 0 0 non-token data: ntokens >0.000 0 0 0 non-token data: oldest age >0.000 0 4505 0 non-token data: current scan-count >0.000 0 0 0 non-token data: last expiry scan-count > >--- snipp --- > >If I interpret this correctly I have 209 spam and 2320 nonspam messages >learned successfully. And as far as I can see both sa-learn and >auto_learn seem to work. BUT: I never saw a single mail (spam and >nospam) with a BAYES_ tag in the SpamAssassin score. > >Any ideas? > >Regards, > JP -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From andersjk at SOL-INVICTUS.ORG Thu Mar 6 14:47:34 2003 
From: andersjk at SOL-INVICTUS.ORG (Kevin Anderson) Date: Thu Jan 12 21:17:24 2006 Subject: Strange score In-Reply-To: Message-ID: HI all! I found a strange spam score: X-MailScanner-SpamCheck: not spam, SpamAssassin (score=-88.2, required 6, ALL_NATURAL, AS_SEEN_ON, CLICK_BELOW, CLICK_HERE_LINK, HAIR_LOSS, HGH, LINES_OF_YELLING, MISSING_MIMEOLE, NO_QS_ASKED, NO_REAL_NAME, SPAM_PHRASE_08_13, SUBJ_HAS_UNIQ_ID, SUPERLONG_LINE, TRACKER_ID, USER_AGENT_OE, USER_IN_WHITELIST, X_MSMAIL_PRIORITY_HIGH, X_PRIORITY_HIGH) has -88.2, auto whitelisting is off. Anything to be worried about? thanks, kevin From john at OFIZ.COM Thu Mar 6 14:47:30 2003 From: john at OFIZ.COM (John Thewlis) Date: Thu Jan 12 21:17:24 2006 Subject: MailScanner Error Message In-Reply-To: <5.2.0.9.2.20030306141400.0470db30@imap.ecs.soton.ac.uk> Message-ID: Hi We are seeing the following in the MailScanner log:- Mar 6 14:44:47 ns sendmail[27402]: error: safesasl(/etc/sasldb) failed: Group readable file Any idea what we need to do about it? Thanks John From mike at CAMAROSS.NET Thu Mar 6 15:07:30 2003 From: mike at CAMAROSS.NET (Mike Kercher) Date: Thu Jan 12 21:17:24 2006 Subject: MailScanner Error Message In-Reply-To: Message-ID: <011301c2e3f2$1c00cb00$b001a8c0@home.middlefinger.net> The simplest answer is to do a 'chmod 600 /etc/sasldb' ... If you want to see which users are in the file do a 'sasldblistusers' as root.. -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of John Thewlis Sent: Thursday, March 06, 2003 8:48 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: MailScanner Error Message Hi We are seeing the following in the MailScanner log:- Mar 6 14:44:47 ns sendmail[27402]: error: safesasl(/etc/sasldb) failed: Group readable file Any idea what we need to do about it? Thanks John From mailscanner at ecs.soton.ac.uk Thu Mar 6 15:03:31 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:24 2006
Subject: MailScanner Error Message
In-Reply-To:
References: <5.2.0.9.2.20030306141400.0470db30@imap.ecs.soton.ac.uk>
Message-ID: <5.2.0.9.2.20030306150253.03bd44c0@imap.ecs.soton.ac.uk>

At 14:47 06/03/2003, you wrote:
>Hi
>
>We are seeing the following in the MailScanner log:-

It's a sendmail error message, not a MailScanner one.

chmod g-r /etc/sasld*

should do it.

>Mar 6 14:44:47 ns sendmail[27402]: error: safesasl(/etc/sasldb) failed:
>Group readable file
>
>Any idea what we need to do about it?
>
>Thanks
>
>John

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From mailscanner at LISTS.COM.AR Thu Mar 6 15:27:28 2003
From: mailscanner at LISTS.COM.AR (Mariano Absatz)
Date: Thu Jan 12 21:17:25 2006
Subject: MailScanner Error Message
In-Reply-To:
References: <5.2.0.9.2.20030306141400.0470db30@imap.ecs.soton.ac.uk>
Message-ID: <3E673EB0.19363.66F5406E@localhost>

I'm not expert on sendmail or sasl but...

sasl is an authentication layer (a library) used by sendmail for authenticating of users via SMTP-AUTH (and maybe for other things?).

sasl can be configured to use a user database in /etc/sasldb instead of /etc/passwd or /etc/shadow (I guess it's the default)...

Most security aware software is rather picky with its own configuration files ownership and permissions... since it's complaining that /etc/sasldb is readable by the group, you should try the following:

chmod 600 /etc/sasldb

On 6 Mar 2003 at 14:47, John Thewlis wrote:

> Hi
>
> We are seeing the following in the MailScanner log:-
>
> Mar 6 14:44:47 ns sendmail[27402]: error: safesasl(/etc/sasldb) failed:
> Group readable file
>
> Any idea what we need to do about it?
>
> Thanks
>
> John

--
Mariano Absatz
El Baby
----------------------------------------------------------
Bug? That's not a bug, that's a feature. -- T. John Wendel

From SJCJonker at SJC.NL Thu Mar 6 16:44:07 2003
From: SJCJonker at SJC.NL (Stijn Jonker)
Date: Thu Jan 12 21:17:25 2006
Subject: OT: Sendmail/Postfix && LDAP.
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello all,

I'm more than aware that this is completely Offtopic, therefore I would like to request to respond in private.

I'm looking for an LDAP frontend that can do the following:

Store user details such as address, and billing info
Work with sendmail and postfix for email routing.

As a lot of people are running large email systems I thought maybe you could send me some pointers.

Again sorry for being offtopic, but I can't seem to understand that I'm the first to search for this. The last thing I have to do is re-invent the wheel... But if I have to I'll take up the tools ;-) to do so.

- --
Met Vriendelijke groet/Yours Sincerely
Stijn Jonker

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQE+Z3rZjU9r45tKnOARAhOtAJwNlITUOBJQ/4OJy4SvcAoD2Org+QCfRg/M
eT5uEPIhKQsdzhvTpXdny1A=
=qN17
-----END PGP SIGNATURE-----

From brose at MED.WAYNE.EDU Thu Mar 6 18:33:49 2003
From: brose at MED.WAYNE.EDU (Rose, Bobby)
Date: Thu Jan 12 21:17:25 2006
Subject: Sendmail/Postfix && LDAP.
Message-ID:

Front-End? Most LDAP servers come with a front-end. I know address is in most ldap schemas and I would think there would be some schema updates out there that might give some billing info type attributes, if not then you could just create your own. You can also make your own frontends. I've used cold fusion & perl and I know folks who use php and java to update directories via ldap.

Sendmail just needs to be compiled with the correct site.config and mc files to do ldap lookups. By default it looks for mailrouting info for the standard mail attributes in ldap and with a few modifications, it can do ldap queries against active directory/exchange environments.

-----Original Message-----
From: Stijn Jonker [mailto:SJCJonker@SJC.NL] Sent: Thursday, March 06, 2003 11:44 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: OT: Sendmail/Postfix && LDAP. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hello all, I'm more then aware that this is completly Offtopic, therefor i would like to request to respond in private. I'm looking for an LDAP frontend that can do the following: Store user details such as address, and billing info Work with sendmail and postfix for email routing. As a lot of people are running large email systems i though maybe you could send me some pointers. Again sorry for being offtopic, but I can't seem to understand that i'm the first to search for this. The last thing i have to do is re-invent the wheel... But if i have to i'll take up the tools ;-) to do so. - -- Met Vriendelijke groet/Yours Sincerely Stijn Jonker -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.7 (GNU/Linux) iD8DBQE+Z3rZjU9r45tKnOARAhOtAJwNlITUOBJQ/4OJy4SvcAoD2Org+QCfRg/M eT5uEPIhKQsdzhvTpXdny1A= =qN17 -----END PGP SIGNATURE----- From mkettler at EVI-INC.COM Thu Mar 6 18:36:49 2003 
From: mkettler at EVI-INC.COM (Matt Kettler)
Date: Thu Jan 12 21:17:25 2006
Subject: Strange score
In-Reply-To:
References:
Message-ID: <5.2.0.9.0.20030306133525.0176ac30@192.168.50.2>

The hugely negative score is the result of it matching USER_IN_WHITELIST.

This means that the sender (From: line and possibly received path) matched a static whitelist. Check your whitelist_from and whitelist_from_rcvd entries.

Note that there are some default ones present in /usr/share/spamassassin/60_whitelist.cf.

At 03:47 PM 3/6/2003 +0100, Kevin Anderson wrote:
>HI all!
>
>I found a strange spam score:
>
>X-MailScanner-SpamCheck: not spam, SpamAssassin (score=-88.2, required 6,
> ALL_NATURAL, AS_SEEN_ON, CLICK_BELOW, CLICK_HERE_LINK, HAIR_LOSS,
> HGH, LINES_OF_YELLING, MISSING_MIMEOLE, NO_QS_ASKED, NO_REAL_NAME,
> SPAM_PHRASE_08_13, SUBJ_HAS_UNIQ_ID, SUPERLONG_LINE, TRACKER_ID,
> USER_AGENT_OE, USER_IN_WHITELIST, X_MSMAIL_PRIORITY_HIGH,
> X_PRIORITY_HIGH)
>
>has -88.2, auto whitelisting is off. Anything to be worried about?
>
>thanks,
>kevin

From m.sapsed at BANGOR.AC.UK Thu Mar 6 18:39:18 2003
From: m.sapsed at BANGOR.AC.UK (Martin Sapsed) Date: Thu Jan 12 21:17:25 2006 Subject: Strange score References: Message-ID: <3E6795D6.5030306@bangor.ac.uk> Kevin Anderson wrote: > HI all! > > I found a strange spam score: > > X-MailScanner-SpamCheck: not spam, SpamAssassin (score=-88.2, required 6, > ALL_NATURAL, AS_SEEN_ON, CLICK_BELOW, CLICK_HERE_LINK, HAIR_LOSS, > HGH, LINES_OF_YELLING, MISSING_MIMEOLE, NO_QS_ASKED, NO_REAL_NAME, > SPAM_PHRASE_08_13, SUBJ_HAS_UNIQ_ID, SUPERLONG_LINE, TRACKER_ID, > USER_AGENT_OE, USER_IN_WHITELIST, X_MSMAIL_PRIORITY_HIGH, > X_PRIORITY_HIGH) > > has -88.2, auto whitelisting is off. Anything to be worried about? USER_IN_WHITELIST has a score of -100 IIRC? Would suggest that the address is in SpamAssassin's whitelist? Added before you turned auto-listing off perhaps? Cheers, Martin -- Martin Sapsed Information Services "Who do you say I am?" University of Wales, Bangor Jesus of Nazareth From HancockS at MORGANCO.COM Thu Mar 6 19:24:19 2003 From: HancockS at MORGANCO.COM (Hancock, Scott) Date: Thu Jan 12 21:17:25 2006 Subject: Debian ms v4.x install help. Deb, Alien or Source? attn Jason Desai Message-ID: <03Mar6.141709est.119149@gateway.morganco.com> Thanks for pointer to the tar distribution. I should have thought of that. Anyway, I'm up and running under /opt. My only hitch is the new "striphtml" feature on a high score isn't working. I'm going back to the install docs now but any pointers would be helpful. Maybe be a dependency issue? My buddy is running sendmail and mailscanner. He found there was a single entry that needed to be pointed to mailscanner. He was impressed that the sendmail startup script supported mailscanner with one entry. I've asked him for the info to post here as I don't think he subscribes. Maybe this is enough for you sendmail guys to find it on your own. Perhaps this is to what Nick is referring. Cheers Scott Hancock > -----Original Message----- 
> From: Nick Phillips [mailto:nwp@LEMON-COMPUTING.COM] > Sent: Wednesday, March 05, 2003 8:30 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Debian ms v4.x install help. Deb, Alien or Source? attn Jason > Desai > > On Wed, Mar 05, 2003 at 03:34:10PM -0500, Kurt Yoder wrote: > > > Incidentally, does anyone have any instructions on getting the Debian > > sendmail package working correctly with mailscanner? I had to completely > > replace the init script to make it work, and now dpkg chokes every time > it > > touches sendmail. > > Easiest way I could see was to set the config variables (can't remember > the > name of the file you put them in; maybe /etc/default/sendmail?) so that > one side was a daemon and the other not, as it doesn't yet seem to be able > to run two daemons with two different sets of args. > > > Cheers, > > > Nick > -- > Nick Phillips -- nwp@lemon-computing.com > You will soon forget this. From HancockS at MORGANCO.COM Thu Mar 6 19:51:52 2003 From: HancockS at MORGANCO.COM (Hancock, Scott) Date: Thu Jan 12 21:17:25 2006 Subject: Debian ms v4.x install help. Deb, Alien or Source? attn Jason Desai Message-ID: <03Mar6.144442est.119058@gateway.morganco.com> > Anyway, I'm up and running under /opt. My only hitch is the new > "striphtml" feature on a high score isn't working. I'm going back to > the install docs now but any pointers would be helpful. Maybe be a > dependency issue? > "striphtml" doesn't automatically imply "deliver" (as you might want to just forward it elsewhere, for example). Does it work if you set Spam Actions = striphtml deliver Nevermind Scott From HancockS at MORGANCO.COM Thu Mar 6 20:06:24 2003 
From: HancockS at MORGANCO.COM (Hancock, Scott)
Date: Thu Jan 12 21:17:25 2006
Subject: Debian Mailscanner and Sendmail install notes was -- Debian ms v4.x..
Message-ID: <03Mar6.145914est.119160@gateway.morganco.com>

Here are the notes from Dan. Pretty similar to Julian's notes at
http://www.sng.ecs.soton.ac.uk/mailscanner/install/sendmail.shtml

Cheers
Scott

Subject: RE: Debian ms v4.x install help. Deb, Alien or Source? attn Jason Desai

> Feel like posting your doc to the mailscanner list?
>

Okay... Just typing off the cuff here so don't expect too much

In order to get sendmail in Debian to run in a separate listener/queue runner mode all you need to do is change the DAEMON_PARMS line from

DAEMON_PARMS="";

to

DAEMON_PARMS="-OPrivacyOptions=noetrn -ODeliveryMode=queueonly -OQueueDirectory=/var/spool/mqueue.in";

And create the /var/spool/mqueue.in directory of course... but that's really all you need to do. I haven't tested it in woody, only in sarge but I did write a brief note to the sendmail maintainer who said that it should be fine. He also mentioned that the fact that splitting the sendmail process into a listener and queue runner is included in the conf file at all is due to an early user of mailscanner asking for the feature.

The details of how/why it does what it does are in the file /usr/share/sendmail/sendmail. That's really what gets run when the /etc/init.d/sendmail script gets fired off. In there is a bit of logic that just looks to see if parameters are common between the listener and queue runner daemon and either creates one or two daemons to suit.

Here's the operative bit:

# See if we can share the listener and queue-runner daemon:
#   * Both must be in daemon mode
#   * They must have the same (possibly empty) parameters
if [ "$DAEMON_MODE" = "daemon" \
     -a "$QUEUE_MODE" = "daemon" \
     -a "$DAEMON_PARMS" = "$QUEUE_PARMS" ]; then
    SPLIT_DAEMON=0;
else
    SPLIT_DAEMON=1;
fi;

So, by changing the DAEMON_PARMS to anything other than the QUEUE_PARMS a second process gets spawned by the startup script and everybody is happy (or at least I was).

I think that was really just about all that I had to do. The Debian mailscanner package has been set up with exim in mind so I had to change a few of the config options in mailscanner to sendmail stuff but that was pretty straightforward.

Dan

From gerry at dorfam.ca Thu Mar 6 20:18:37 2003
From: gerry at dorfam.ca (Gerry Doris)
Date: Thu Jan 12 21:17:25 2006
Subject: MailScanner Error Message
In-Reply-To: <011301c2e3f2$1c00cb00$b001a8c0@home.middlefinger.net>
References: <011301c2e3f2$1c00cb00$b001a8c0@home.middlefinger.net>
Message-ID: <36686.129.80.22.143.1046981917.squirrel@tiger.dorfam.ca>

> The simplest answer is to do a 'chmod 600 /etc/sasldb' ...
>
> If you want to see which users are in the file do a 'sasldblistusers' as
> root..
>

If I remember correctly the /etc/sasldb file must be 0600 or you'll see the error message about it being group readable. On the other hand, the latest versions of sendmail are no longer run as root and can't read the /etc/sasldb file if the permission is 0600. The sendmail docs suggest using the DONT_BLAME_SENDMAIL directive in sendmail.mc to get around this.

Gerry

From HancockS at MORGANCO.COM Thu Mar 6 20:43:27 2003
From: HancockS at MORGANCO.COM (Hancock, Scott) Date: Thu Jan 12 21:17:25 2006 Subject: Debian Mailscanner and Sendmail install notes was -- Debian ms v4.x.. Message-ID: <03Mar6.153616est.119120@gateway.morganco.com> It should be noted that these entries are in /etc/mail/sendmail.conf. The start script /etc/init.d/sendmail requires no modification neither does /usr/share/sendmail/sendmail. Definitely applies to Debian Sarge probably Woody too. Scott > DAEMON_PARMS=""; > > to > > DAEMON_PARMS="-OPrivacyOptions=noetrn -ODeliveryMode=queueonly > -OQueueDirectory=/var/spool/mqueue.in"; From mailscanner at ecs.soton.ac.uk Thu Mar 6 21:27:50 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:25 2006 Subject: Fwd: Re: SA2.50 problems... In-Reply-To: <5.2.0.9.2.20030305170932.06f343e0@imap.ecs.soton.ac.uk> Message-ID: <5.2.0.9.2.20030306212235.02210208@imap.ecs.soton.ac.uk> At 17:11 05/03/2003, you wrote: >If you are still having problems with SpamAssassin 2.50 hanging, even with >my patch, then do this: 
> >>From: Daniel Bird >>Subject: Re: SA2.50 problems... >>To: Julian Field >> >>Julian, >> >>For info, >>left "Use Spamassassin = yes" in MailScanner.conf but added >>"use_bayes 0" to spam.assassin.prefs.conf >> >>and MailScanner + SA2.50 are running quite happily now. >> >>Thanks. >> >>Dan > >I have posted a huge great message to the SAtalk list about this problem. >Something *very* strange is happening, and I haven't got to the bottom of >it yet. It's all connected to file locking and the bayes database, just >like the previous problem with it, but this one is a lot more strange.... > >If anything interesting comes up on SAtalk, I'll be sure to tell you all. This appears to have been fixed in the CVS of 2.60. Go to http://spamassassin.taint.org/downloads.html and download the CVS of 2.60. Install that (you don't need my SA2.50.patch at all). Also you should install "DB_File" using CPAN, and delete any .dir/.pag files in ~root/.spamassassin. Please let me know how you get on with this. I have been running this for 4 hours on a mail server that had problems with the patched-2.50 code, and the CVS2.60 code is still running fine. Previously it would have shown up in a very few minutes. Don't forget to comment out the "use_bayes" line, you don't need it any more. -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support From rap at PHYSICS.UBC.CA Thu Mar 6 22:16:21 2003 
From: rap at PHYSICS.UBC.CA (Ron Parachoniak)
Date: Thu Jan 12 21:17:25 2006
Subject: File descriptors missing on start up: stderr; Bad file number
Message-ID: <3E67C8B5.1030401@physics.ubc.ca>

I recently installed sendmail 8.12.8 (upgraded from 8.11.6) on a Solaris 8 box. We only use MailScanner for antivirus scanning (we run spamassassin separately). Since upgrading sendmail, I get the following messages in my logfile:

Mar 6 14:06:21 warp.physics.ubc.ca MailScanner[19512]: New Batch: Scanning 1 messages, 2240 bytes
Mar 6 14:06:21 warp.physics.ubc.ca MailScanner[19512]: Virus and Content Scanning: Starting
Mar 6 14:06:22 warp.physics.ubc.ca MailScanner[19512]: Uninfected: Delivered 1 messages
Mar 6 14:06:22 physics sendmail[29988]: [ID 702911 mail.warning] File descriptors missing on start up: stderr; Bad file number

It appears to be related to MailScanner. Can anyone shed any light on this?

Just for info, Don Jones posted a similar problem a while back. He ended up switching to RedHat and never solved the problem.

-----------------------------------------------------------------------
Message from Don Jones:

Hi, we are having a strange problem on 2 new 4.7 mailservers, both use sendmail and mailscanner (which does spamassassin and antivirus scanning).

The configuration is one sendmail process that listens on port 25 and dumps mail to a queue, then mailscanner picks up the mail from this queue and does its scanning stuff and dumps the mail into a second queue. A second sendmail process then takes the mail from the second queue and delivers it.

On both these boxes we are getting this error in /var/log/maillog:

Dec 9 08:51:56 mx3 sendmail[39613]: File descriptors missing on startup: stdin, stdout, stderr; Bad file descriptor

It usually occurs when MailScanner delivers the message to the second queue

Dec 9 02:17:38 mx3 MailScanner[37952]: Virus and Content Scanning: Starting
Dec 9 02:17:38 mx3 sendmail[37980]: File descriptors missing on startup: stdin, stdout, stderr;
Dec 9 02:17:38 mx3 MailScanner[37952]: Uninfected: Delivered 1 messages

Sendmail seems to spawn a second process to deal with the delivery and this process is complaining. It still seems to be functioning ok. Mailscanner has 5 processes which seem to be dying over time (over a few days), which may be related to this problem, I need to try and fix this.

Can anybody explain what a "Bad file descriptor" actually is and how I would go about fixing it? Someone on the mailscanner mailing list suggested increasing the number of filehandles ("ulimit -a" to show, ulimit -n to increase); this didn't seem to work - I'm a bit out of my depth with this stuff - anyone have any ideas/advice/explanations?

Thanks
Don Jones
-----------------------------------------------------------------------

--
Ron

Ron D. Parachoniak    UBC Physics & Astronomy Dept    Ph. (604) 838-6437
System Manager        6224 Agricultural Road          Fax (604) 822-5324
rap@physics.ubc.ca    Vancouver, BC, Canada V6T 1Z1

From nerijus at USERS.SOURCEFORGE.NET Thu Mar 6 23:07:01 2003
From: nerijus at USERS.SOURCEFORGE.NET (Nerijus Baliunas)
Date: Thu Jan 12 21:17:25 2006
Subject: File descriptors missing on start up: stderr; Bad file number
In-Reply-To: <3E67C8B5.1030401@physics.ubc.ca>
References: <3E67C8B5.1030401@physics.ubc.ca>
Message-ID: <200303062308.h26N8hZn028942@mx.ktv.lt>

On Thu, 6 Mar 2003 14:16:21 -0800 Ron Parachoniak wrote:

> I recently installed sendmail 8.12.8 (upgraded from 8.11.6) on a Solaris

> descriptors missing on start up: stderr; Bad file number

> It appears to be related to MailScanner. Can anyone shed any light on

What version of MailScanner are you running? It should be fixed in the newer versions.

Regards,
Nerijus

From jgoggan at DCG.COM Fri Mar 7 02:45:33 2003
From: jgoggan at DCG.COM (John Goggan)
Date: Thu Jan 12 21:17:25 2006
Subject: sendmail changing messages after MailScanner finishes...
Message-ID: <3E6807CD.1F851039@dcg.com>

I've just upgraded from sendmail v8.11 to 8.12.8. Note that there are some significant changes to sendmail between those versions -- they now recommend running them as two instances -- one for just queuing the mail -- and one for processing it after. Interestingly, this is the way that MailScanner has been integrated with my system for a long time now.

So, I have one queue-only sendmail that puts all of the incoming messages in /var/spool/mqueue.in. MailScanner sees those, scans them, and puts them in /var/spool/mqueue. In the past, the second sendmail process always took care of them -- passing them along to be delivered locally.

With 8.12.8 -- the second sendmail instead changes all of the "qf..." files that MailScanner puts there into "Qf..." files! It seems to want to believe that they are incomplete or something? I don't know why.

If I manually copy them from mqueue.in to mqueue before MailScanner has a second to grab them, they get delivered fine. But if MailScanner puts them into mqueue -- sendmail changes them to "Qf..." and they never get delivered (they just stay there forever).

I appear to be running MailScanner 3.22. (I know I need to upgrade -- I just haven't had time. Maybe this is a sign that I should just upgrade, eh? If no one can think of anything, I'll try to find time to do that...)

Any ideas? Thanks!

 - John...

From jgoggan at DCG.COM Fri Mar 7 02:59:12 2003
From: jgoggan at DCG.COM (John Goggan)
Date: Thu Jan 12 21:17:25 2006
Subject: sendmail changing messages after MailScanner finishes...
References: <3E6807CD.1F851039@dcg.com>
Message-ID: <3E680B00.D9CCB092@dcg.com>

I just discovered that sendmail is doing this because the files are being put into the mqueue dir by MailScanner as mode 666. sendmail seems to see this and changes them to Qf. If I change them to 600 -- sendmail then properly delivers them on the next pass through the queue.

So -- now my question is: why does MailScanner put them there as 666? They were 600 when they were in mqueue.in. Is there some option to change this easily?

Thanks!

 - John...

From rap at PHYSICS.UBC.CA Fri Mar 7 00:28:06 2003
From: rap at PHYSICS.UBC.CA (Ron Parachoniak)
Date: Thu Jan 12 21:17:25 2006
Subject: File descriptors missing on start up: stderr; Bad file number
References: <3E67C8B5.1030401@physics.ubc.ca> <200303062308.h26N8hZn028942@mx.ktv.lt>
Message-ID: <3E67E796.50206@physics.ubc.ca>

I am using MailScanner version 4.13.3

Nerijus Baliunas wrote:
> On Thu, 6 Mar 2003 14:16:21 -0800 Ron Parachoniak wrote:
>
>
>>I recently installed sendmail 8.12.8 (upgraded from 8.11.6) on a Solaris
>
>
>>descriptors missing on start up: stderr; Bad file number
>
>
>>It appears to be related to MailScanner. Can anyone shed any light on
>
>
> What version of MailScanner are you running? It should be fixed in the
> newer versions.
>
> Regards,
> Nerijus

--
Ron

Ron D. Parachoniak    UBC Physics & Astronomy Dept    Ph. (604) 838-6437
System Manager        6224 Agricultural Road          Fax (604) 822-5324
rap@physics.ubc.ca    Vancouver, BC, Canada V6T 1Z1

From jgoggan at DCG.COM Fri Mar 7 03:07:50 2003
From: jgoggan at DCG.COM (John Goggan)
Date: Thu Jan 12 21:17:25 2006
Subject: sendmail changing messages after MailScanner finishes...
References: <3E6807CD.1F851039@dcg.com> <3E680B00.D9CCB092@dcg.com>
Message-ID: <3E680D06.791D0DAC@dcg.com>

John Goggan wrote:
> I just discovered that sendmail is doing this because the files are
> being put into the mqueue dir by MailScanner as mode 666. sendmail seems
> to see this and changes them to Qf. If I change them to 600 -- sendmail
> then properly delivers them on the next pass through the queue.

Oops -- make that: if I change them to 600 AND THEN RENAME them back to "qf..." -- sendmail then processes them correctly next time around... Just to be clear.

 - John...

From mailscanner at ecs.soton.ac.uk Fri Mar 7 09:20:22 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:25 2006
Subject: sendmail changing messages after MailScanner finishes...
In-Reply-To: <3E680D06.791D0DAC@dcg.com>
References: <3E6807CD.1F851039@dcg.com> <3E680B00.D9CCB092@dcg.com>
Message-ID: <5.2.0.9.2.20030307091454.039f2830@imap.ecs.soton.ac.uk>

At 03:07 07/03/2003, you wrote:
>John Goggan wrote:
> > I just discovered that sendmail is doing this because the files are
> > being put into the mqueue dir by MailScanner as mode 666. sendmail seems
> > to see this and changes them to Qf. If I change them to 600 -- sendmail
> > then properly delivers them on the next pass through the queue.
>
>Oops -- make that: if I change them to 600 AND THEN RENAME them back to
>"qf..." -- sendmail then processes them correctly next time around...

Can you do

    umask
    grep umask /usr/sbin/MailScanner
    ls -ald /var/spool/mqueue /var/spool/mqueue.in
    uname -a

and tell me what it says. I can't reproduce the behaviour you are seeing.

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From Peter.Bates at LSHTM.AC.UK Fri Mar 7 09:51:52 2003
From: Peter.Bates at LSHTM.AC.UK (Peter Bates) Date: Thu Jan 12 21:17:25 2006 Subject: Sophos and 'corrupt' files (slight return) Message-ID: Hello all... In a terrible problem as a result of an upgrade to amavis (no sniggers at the back please), I had to push my 'test' MailScanner box into service yesterday for our site. I'm running: mailscanner-4.13-3 Sophos sweep 3.66 Mcafee 4.12.0 F-prot SB 3.12d SA 2.50 (with Julian's patch, Razor2 and DCC) Sendmail as the MTA ... on RedHat 7.3 I'm still seeing: Subject: Undelivered Mail Returned to Sender MessageID: h274wd530878 Report: Could not check ./h274wd530878/ORS details.doc (corrupt) Report: Could not check ./h274wd530878/TDR Research Training Grants 2003.doc (corrupt) Subject: Undelivered Mail Returned to Sender MessageID: h278AU507615 Report: Could not check ./h278AU507615/our transport, our health.doc (corrupt) Strangely enough, only on what appear to be bounces (hence the subject), and scanning the files from the command-line, it is only Sophos that reports them as 'corrupt'. Shall I disable Sophos from the 'Virus Scanners' bit of MailScanner.conf, or does upgrading to 3.67 solve this? I've also seen: Subject: sending patient data MessageID: h279VD515651 Report: Could not check ./h279VD515651/02.zip/02.jpg (part of multi volume archive) Could not check ./h279VD515651/02.zip (corrupt) ... all 3 of the AV scanners check this zip out OK (just running /usr/lib/MailScanner/x-wrapper 02.zip over them, unless they need arguments to get them to check zip archives?), so what is generating this error? Thanks... ---------------------------------------------------------------------------------------------------> Peter Bates, Systems Support Officer, Network Support Team. London School of Hygiene & Tropical Medicine. Telephone:0207-958 8353 / Fax: 0207- 636 9838 From mailscanner at ecs.soton.ac.uk Fri Mar 7 10:09:14 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:25 2006 Subject: Sophos and 'corrupt' files (slight return) In-Reply-To: Message-ID: <5.2.0.9.2.20030307100520.0445e070@imap.ecs.soton.ac.uk> Can I snigger at the front then? Sophos 3.67 will help this. However, to avoid trouble from what Sophos thinks are corrupt files, you can enable the option Allowed Sophos Error Messages = corrupt in MailScanner.conf. This option is commented out by default. Bear in mind that this will bypass scanning of files that Sophos thinks are corrupt. At 09:51 07/03/2003, you wrote: >Hello all... > >In a terrible problem as a result of an upgrade to amavis (no sniggers at >the back please), >I had to push my 'test' MailScanner box into service yesterday for our site. > >I'm running: >mailscanner-4.13-3 >Sophos sweep 3.66 >Mcafee 4.12.0 >F-prot SB 3.12d >SA 2.50 (with Julian's patch, Razor2 and DCC) >Sendmail as the MTA >... on RedHat 7.3 > >I'm still seeing: > > Subject: Undelivered Mail Returned to Sender > MessageID: h274wd530878 > Report: Could not check ./h274wd530878/ORS details.doc (corrupt) > Report: Could not check ./h274wd530878/TDR Research Training Grants > 2003.doc (corrupt) > > Subject: Undelivered Mail Returned to Sender > MessageID: h278AU507615 > Report: Could not check ./h278AU507615/our transport, our health.doc > (corrupt) > >Strangely enough, only on what appear to be bounces (hence the subject), >and scanning the >files from the command-line, it is only Sophos that reports them as 'corrupt'. > >Shall I disable Sophos from the 'Virus Scanners' bit of MailScanner.conf, >or does upgrading to 3.67 solve this? > >I've also seen: > > Subject: sending patient data > MessageID: h279VD515651 > Report: Could not check ./h279VD515651/02.zip/02.jpg (part of multi > volume archive) >Could not check ./h279VD515651/02.zip (corrupt) > >... 
all 3 of the AV scanners check this zip out OK (just running >/usr/lib/MailScanner/x-wrapper 02.zip over them, >unless they need arguments to get them to check zip archives?), so what is >generating this error? > >Thanks... > > > >---------------------------------------------------------------------------------------------------> >Peter Bates, Systems Support Officer, Network Support Team. >London School of Hygiene & Tropical Medicine. >Telephone:0207-958 8353 / Fax: 0207- 636 9838 -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From Krishna_shekhar at GMX.NET Fri Mar 7 23:23:10 2003 From: Krishna_shekhar at GMX.NET (Krishna) Date: Thu Jan 12 21:17:25 2006 Subject: MailScanner and Horde/IMP Message-ID: <5.2.0.9.0.20030308044816.00af2bb8@pop.gmx.net> Hi, I installed MailScanner on my RedHat 7.3 box running Horde/IMP cvs version. When I send mails through Outlook or Eudora , the mails get scanned by MailScanner, does both Anti-Virus and Anti-Spam checks. But when I send through Horde/IMP mailscanner does not get executed. The mails goes without a scan via sendmail. Why is this happening? My horde configuration conf.php $conf['mailer']['type'] = 'sendmail'; $conf['mailer']['params'] = array(); $conf['mailer']['params'] = array('sendmail_path' => '/usr/sbin/sendmail'); regards Krishna http://www.KrisinDigitalAge.com From steve.freegard at LBSLTD.CO.UK Fri Mar 7 12:17:46 2003 
From: steve.freegard at LBSLTD.CO.UK (Steve Freegard)
Date: Thu Jan 12 21:17:25 2006
Subject: MailScanner and Horde/IMP
Message-ID: <67D9E7698329D411936E00508B6590B9027932B2@neelix.lbsltd.co.uk>

Krishna,

I don't know Horde/IMP personally - but the reason that your mail isn't being scanned is because Horde/IMP is invoking sendmail directly which puts the mail into /var/spool/mqueue and therefore doesn't get scanned.

You should change the configuration to use SMTP, and set the server address to 127.0.0.1 - this will then get picked up by mailscanner.

Alternatively - you _might_ be able to change the sendmail_path to '/usr/sbin/sendmail -OQueueDirectory=/var/spool/mqueue.in' which also might do the trick.

Regards,
Steve.

-----Original Message-----
From: Krishna [mailto:Krishna_shekhar@GMX.NET] Sent: 07 March 2003 23:23 To: MAILSCANNER@jiscmail.ac.uk Subject: MailScanner and Horde/IMP Hi, I installed MailScanner on my RedHat 7.3 box running Horde/IMP cvs version. When I send mails through Outlook or Eudora , the mails get scanned by MailScanner, does both Anti-Virus and Anti-Spam checks. But when I send through Horde/IMP mailscanner does not get executed. The mails goes without a scan via sendmail. Why is this happening? My horde configuration conf.php $conf['mailer']['type'] = 'sendmail'; $conf['mailer']['params'] = array(); $conf['mailer']['params'] = array('sendmail_path' => '/usr/sbin/sendmail'); regards Krishna http://www.KrisinDigitalAge.com ********************************************************************** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote also confirms that this email message has been swept by MIMEsweeper for the presence of computer viruses. www.lbsltd.co.uk ********************************************************************** From mailscanner at ecs.soton.ac.uk Fri Mar 7 12:21:35 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:25 2006
Subject: MailScanner and Horde/IMP
In-Reply-To: <5.2.0.9.0.20030308044816.00af2bb8@pop.gmx.net>
Message-ID: <5.2.0.9.2.20030307122032.044bce18@imap.ecs.soton.ac.uk>

At 23:23 07/03/2003, you wrote:
>Hi,
> I installed MailScanner on my RedHat 7.3 box running Horde/IMP cvs
>version.
>When I send mails through Outlook or Eudora , the mails get scanned by
>MailScanner, does both Anti-Virus and Anti-Spam checks.
>But when I send through Horde/IMP mailscanner does not get executed. The
>mails goes without a scan via sendmail.
>
>Why is this happening?
>
>My horde configuration conf.php
>
>$conf['mailer']['type'] = 'sendmail';
>$conf['mailer']['params'] = array();
> $conf['mailer']['params'] = array('sendmail_path' => '/usr/sbin/sendmail');

You either need to upgrade to a more recent version of sendmail, or else set this instead of your 3 lines above:

$conf['mailer']['type'] = 'smtp';
$conf['mailer']['params'] = array();
$conf['mailer']['params'] = array('host' => 'localhost');

This will force IMP to talk SMTP to the host it is running on, which will get all its mail scanned.

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From jgoggan at DCG.COM Fri Mar 7 13:55:25 2003
From: jgoggan at DCG.COM (John Goggan)
Date: Thu Jan 12 21:17:25 2006
Subject: sendmail changing messages after MailScanner finishes...
References: <3E6807CD.1F851039@dcg.com> <3E680B00.D9CCB092@dcg.com> <5.2.0.9.2.20030307091454.039f2830@imap.ecs.soton.ac.uk>
Message-ID: <3E68A4CD.283F7FE0@dcg.com>

Here's the info, Julian. Thanks for taking a look. I think I will have time to finally upgrade MailScanner this afternoon, so maybe this will be moot by then...

[root@frobozz mqueue]# umask
022
[root@frobozz mqueue]# grep umask /opt/mailscanner/bin/mailscanner
umask 0077; # Set nice and safe to no-one else can access anything!
[root@frobozz mqueue]# ls -ald /var/spool/mqueue /var/spool/mqueue.in
drwx------ 2 root root 8192 Mar 7 08:47 /var/spool/mqueue/
drwxrwxr-x 2 root mail 8192 Mar 7 08:45 /var/spool/mqueue.in/
[root@frobozz mqueue]# uname -a
Linux frobozz.dcg.com 2.2.17-21mdk #1 Thu Oct 5 13:16:08 CEST 2000 i686 unknown

 - John...

Julian Field wrote:
> Can you do
>     umask
>     grep umask /usr/sbin/MailScanner
>     ls -ald /var/spool/mqueue /var/spool/mqueue.in
>     uname -a
> and tell me what it says. I can't reproduce the behaviour you are seeing.

From john at OFIZ.COM Fri Mar 7 14:11:13 2003
From: john at OFIZ.COM (John Thewlis)
Date: Thu Jan 12 21:17:25 2006
Subject: MailScanner maillog error
In-Reply-To: <3E68A4CD.283F7FE0@dcg.com>
Message-ID:

Hi

Many thanks for all the help on the /etc/sasldb error, it is now fixed.

When looking through the MailScanner maillog, I get the following error message each time an email is sent through the server:-

Mar 7 14:05:46 ns MailScanner[18807]: New Batch: Scanning 1 messages, 3034 bytes
Mar 7 14:05:46 ns MailScanner[18807]: Virus and Content Scanning: Starting
Mar 7 14:05:46 ns MailScanner[18807]: Uninfected: Delivered 1 messages
Mar 7 14:05:46 ns sendmail[29908]: gethostbyaddr(217.114.166.33) failed: 1
Mar 7 14:05:46 ns sendmail[29908]: gethostbyaddr(217.114.166.34) failed: 1
Mar 7 14:05:46 ns sendmail[29908]: gethostbyaddr(217.114.166.31) failed: 1
Mar 7 14:05:46 ns sendmail[29908]: gethostbyaddr(217.114.166.91) failed: 1

Any ideas as to how to resolve this error?

Thanks

John

From combslm at APPSTATE.EDU Fri Mar 7 14:14:43 2003
From: combslm at APPSTATE.EDU (Laramie Combs)
Date: Thu Jan 12 21:17:25 2006
Subject: MailScanner maillog error
References:
Message-ID: <004901c2e4b3$e67dacb0$160c0a98@maverick>

Looks like a sendmail nameserver resolution problem to me. What does your /etc/named.conf look like? Also, what is the result of an nslookup on 217.114.166.133 and then on cnn.com? My nameserver returns Non-existent domain on the 217 address.

-Laramie

----- Original Message -----
From: "John Thewlis"
To:
Sent: Friday, March 07, 2003 9:11 AM
Subject: MailScanner maillog error

> Hi
>
> Many thanks for all the help on the /etc/sasldb error, it is now fixed.
>
> When looking through the MailScanner maillog, I get the following error
> message each time an email is sent through the server:-
>
>
> Mar 7 14:05:46 ns MailScanner[18807]: New Batch: Scanning 1 messages, 3034
> bytes
> Mar 7 14:05:46 ns MailScanner[18807]: Virus and Content Scanning: Starting
> Mar 7 14:05:46 ns MailScanner[18807]: Uninfected: Delivered 1 messages
> Mar 7 14:05:46 ns sendmail[29908]: gethostbyaddr(217.114.166.33) failed: 1
> Mar 7 14:05:46 ns sendmail[29908]: gethostbyaddr(217.114.166.34) failed: 1
> Mar 7 14:05:46 ns sendmail[29908]: gethostbyaddr(217.114.166.31) failed: 1
> Mar 7 14:05:46 ns sendmail[29908]: gethostbyaddr(217.114.166.91) failed: 1
>
>
> Any ideas as to how to resolve this error?
>
> Thanks
>
> John
>

From joe at QITC.CO.UK Fri Mar 7 14:23:38 2003
From: joe at QITC.CO.UK (Joe Quinn)
Date: Thu Jan 12 21:17:25 2006
Subject: MailScanner maillog error
References:
Message-ID: <027b01c2e4b5$25edcc30$5d876751@T20>

This is a common entry in the Cobalt RaQ, all it means is the IP in question does not have a PTR record and can't resolve to a host name.

Not your problem provided it isn't your IP.

If they are your IPs then go into the DNS parameters in the control panel and add PTR records for them (providing of course that you are authoritative for that netblock). Only one record per IP. It may be that your upstream provider hasn't delegated this so you may have to contact them.

Cheers,

Joe
Tel: (UK) +44 776 737 1234

----- Original Message -----
From: "John Thewlis"
To:
Sent: Friday, March 07, 2003 2:11 PM
Subject: MailScanner maillog error

> Hi
>
> Many thanks for all the help on the /etc/sasldb error, it is now fixed.
>
> When looking through the MailScanner maillog, I get the following error
> message each time an email is sent through the server:-
>
>
> Mar 7 14:05:46 ns MailScanner[18807]: New Batch: Scanning 1 messages, 3034
> bytes
> Mar 7 14:05:46 ns MailScanner[18807]: Virus and Content Scanning: Starting
> Mar 7 14:05:46 ns MailScanner[18807]: Uninfected: Delivered 1 messages
> Mar 7 14:05:46 ns sendmail[29908]: gethostbyaddr(217.114.166.33) failed: 1
> Mar 7 14:05:46 ns sendmail[29908]: gethostbyaddr(217.114.166.34) failed: 1
> Mar 7 14:05:46 ns sendmail[29908]: gethostbyaddr(217.114.166.31) failed: 1
> Mar 7 14:05:46 ns sendmail[29908]: gethostbyaddr(217.114.166.91) failed: 1
>
>
> Any ideas as to how to resolve this error?
>
> Thanks
>
> John
>

From mailscanner at ecs.soton.ac.uk Fri Mar 7 14:58:39 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:25 2006
Subject: sendmail changing messages after MailScanner finishes...
In-Reply-To: <3E68A4CD.283F7FE0@dcg.com>
References: <3E6807CD.1F851039@dcg.com> <3E680B00.D9CCB092@dcg.com> <5.2.0.9.2.20030307091454.039f2830@imap.ecs.soton.ac.uk>
Message-ID: <5.2.0.9.2.20030307145413.028fc410@imap.ecs.soton.ac.uk>

Are the files in /var/spool/mqueue set to rw-rw----? If not, then what?

MailScanner doesn't change the permissions on clean messages, it just moves them. If I have to change the permissions as well, that's yet another system call and another disk write for each message, which I would like to avoid if I can.

Are *all* the files in /var/spool/mqueue 666? Or are ones that were infected 600?

What are the permissions on all the files in /var/spool/mqueue.in?

As you see from below, MailScanner sets its own umask to give 600 files, specifically to stop problems like this.

At 13:55 07/03/2003, you wrote:
>Here's the info, Julian. Thanks for taking a look. I think I will have time
>to finally upgrade MailScanner this afternoon, so maybe this will be moot by
>then...
>
>[root@frobozz mqueue]# umask
>022
>[root@frobozz mqueue]# grep umask /opt/mailscanner/bin/mailscanner
>umask 0077; # Set nice and safe to no-one else can access anything!
>[root@frobozz mqueue]# ls -ald /var/spool/mqueue /var/spool/mqueue.in
>drwx------ 2 root root 8192 Mar 7 08:47 /var/spool/mqueue/
>drwxrwxr-x 2 root mail 8192 Mar 7 08:45 /var/spool/mqueue.in/
>[root@frobozz mqueue]# uname -a
>Linux frobozz.dcg.com 2.2.17-21mdk #1 Thu Oct 5 13:16:08 CEST 2000 i686
>unknown
>
> - John...
>
>Julian Field wrote:
> > Can you do
> > umask
> > grep umask /usr/sbin/MailScanner
> > ls -ald /var/spool/mqueue /var/spool/mqueue.in
> > uname -a
> > and tell me what it says. I can't reproduce the behaviour you are seeing.

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From jgoggan at DCG.COM Fri Mar 7 15:37:12 2003
From: jgoggan at DCG.COM (John Goggan)
Date: Thu Jan 12 21:17:25 2006
Subject: sendmail changing messages after MailScanner finishes...
References: <3E6807CD.1F851039@dcg.com> <3E680B00.D9CCB092@dcg.com> <5.2.0.9.2.20030307091454.039f2830@imap.ecs.soton.ac.uk> <5.2.0.9.2.20030307145413.028fc410@imap.ecs.soton.ac.uk>
Message-ID: <3E68BCA8.77EDBCAE@dcg.com>

Julian Field wrote:
>
> Are the files in /var/spool/mqueue set to rw-rw----? If not, then
> what?

Sendmail picks up the messages from port 25 and puts them in mqueue.in. In there, they are rw-------. MailScanner then picks them up from mqueue.in, scans them (with SpamAssassin also -- so every message gets tagged even if clean with at least the SpamAssassin tag), and then puts them back in mqueue. When it puts them there, they are rw-rw-rw-.

> Are *all* the files in /var/spool/mqueue 666? Or are ones that were
> infected 600?

Well, all my files get touched because I am having MailScanner (with SpamAssassin) add the X-MailScanner and X-MailScanner-SpamCheck tags. But, that being said, ALL of the qf files are 666 -- and the df files are 600.

> What are the permissions on all the files in /var/spool/mqueue.in?

They are all 600 all the time.

> As you see from below, MailScanner sets its own umask to give 600
> files, specifically to stop problems like this.

Indeed. I'm not quite sure why this is happening. And, unfortunately, I don't know if it was happening before I upgraded sendmail. I also upgraded SpamAssassin to 2.50 (from 2.33, I believe) during this time period. So, I'm not sure if sendmail didn't care with the old version -- or if something in the way the new SpamAssassin scans is changing something. I didn't change the MailScanner configuration at all -- so I assume it is invoking the newer version of SA in the same way.

A little later this afternoon, I will have some time and will try rolling back my sendmail to 8.11.x -- just to see if it is the new sendmail ignoring a "problem" with permissions that has always been there for me -- or if it also does the same thing and rejects them (in which case it is more likely related to my upgrade of SA)...

 - John...

From dustin.baer at IHS.COM Fri Mar 7 15:55:02 2003
From: dustin.baer at IHS.COM (Dustin Baer)
Date: Thu Jan 12 21:17:25 2006
Subject: sendmail changing messages after MailScanner finishes...
References: <3E6807CD.1F851039@dcg.com> <3E680B00.D9CCB092@dcg.com> <5.2.0.9.2.20030307091454.039f2830@imap.ecs.soton.ac.uk> <5.2.0.9.2.20030307145413.028fc410@imap.ecs.soton.ac.uk> <3E68BCA8.77EDBCAE@dcg.com>
Message-ID: <3E68C0D6.17D9D8A5@ihs.com>

> A little later this afternoon, I will have some time and will try rolling back
> my sendmail to 8.11.x -- just to see if it is the new sendmail ignoring a
> "problem" with permissions that has always been there for me -- or if it also
> does the same thing and rejects them (in which case it is more likely related
> to my upgrade of SA)...

I upgraded to Sendmail 8.12.8 on Monday. No problems like you are seeing.

Dustin

--
Dustin Baer
Unix Administrator/Postmaster
Information Handling Services
15 Inverness Way East
Englewood, CO 80112
303-397-2836

From mailscanner at LISTS.COM.AR Fri Mar 7 16:16:39 2003
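An added example for the queue-permission question in the thread above (not MailScanner's code and not written by any poster): it shows that a umask only filters the mode requested when a file is created, so a later chmod, or a temp file created under a looser umask and renamed into place, still ends up 666, and it audits a queue directory for qf/df files that anyone but the owner can access. The directory, the file names and the function names are constructed for the example.

```python
import os
import stat
import tempfile


def create_with_umask(path, mask, requested=0o666):
    """Create `path` asking for mode `requested` while the process umask is
    `mask`; return the mode the file actually got. The old umask is restored."""
    previous = os.umask(mask)
    try:
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, requested)
        os.close(fd)
    finally:
        os.umask(previous)
    return stat.S_IMODE(os.stat(path).st_mode)


def audit_queue(directory):
    """Return {name: octal mode} for qf*/df* files with any group/other bit set."""
    findings = {}
    with os.scandir(directory) as entries:
        for entry in sorted(entries, key=lambda e: e.name):
            if not entry.name.startswith(("qf", "df")):
                continue
            if not entry.is_file(follow_symlinks=False):
                continue
            mode = stat.S_IMODE(entry.stat(follow_symlinks=False).st_mode)
            if mode & (stat.S_IRWXG | stat.S_IRWXO):
                findings[entry.name] = format(mode, "04o")
    return findings


def demo():
    """Build a throwaway queue (constructed names) and audit it."""
    with tempfile.TemporaryDirectory() as queue:
        def q(name):
            return os.path.join(queue, name)

        modes = {
            # Shell default umask from the thread: group/other can read.
            "qfAAA": create_with_umask(q("qfAAA"), 0o022),
            # umask 0077 as set by MailScanner: owner only.
            "qfBBB": create_with_umask(q("qfBBB"), 0o077),
            "dfBBB": create_with_umask(q("dfBBB"), 0o077),
            "qfCCC": create_with_umask(q("qfCCC"), 0o077),
        }
        # An explicit chmod after creation is not filtered by the umask.
        os.chmod(q("qfCCC"), 0o666)
        # A temp file created under a zero umask keeps its mode across rename.
        create_with_umask(q("tfDDD"), 0o000)
        os.rename(q("tfDDD"), q("qfDDD"))
        return modes, audit_queue(queue)


if __name__ == "__main__":
    created, flagged = demo()
    for name, mode in created.items():
        print(f"{name}: created as {mode:04o}")
    for name, mode in flagged.items():
        print(f"{name}: mode {mode} is accessible beyond the owner")
```

On a live system, point `audit_queue` at the outgoing queue directory as a user allowed to read it; an empty result means every qf and df file is owner-only.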
From: mailscanner at LISTS.COM.AR (Mariano Absatz) Date: Thu Jan 12 21:17:25 2006 Subject: MIME-tools Message-ID: <3E689BB7.1423.6C48B863@localhost> Hi, I know this is an old one... but I have a couple of doubts about MIME-tools. For what I read, I don't want new versions of it, fine. When I browse in CPAN, I find 2 versions: 5.411a (dated 16/11/2001) 5.411 (dated 5/6/2001) I download them both... and find no difference, whatsoever (diff -rc) Is that a packaging problem? anybody knows? The other thing I see is that you provide 4 important security patches at: http://www.sng.ecs.soton.ac.uk/mailscanner/install/mime-tools-patch.txt http://www.sng.ecs.soton.ac.uk/mailscanner/install/mime-tools-patch2.txt http://www.sng.ecs.soton.ac.uk/mailscanner/install/mime-tools-patch3.txt http://www.sng.ecs.soton.ac.uk/mailscanner/install/mime-tools-patch4.txt Now, why don't you combine them into just one? like the one I'm attaching? The result should be the same and it's easier to do, isn't it? TIA -- Mariano Absatz El Baby ---------------------------------------------------------- Error, no keyboard - press F1 to continue. -------------- next part -------------- diff -rc MIME-tools-5.411/lib/MIME/Field/ParamVal.pm MIME-tools-5.411-patched4/lib/MIME/Field/ParamVal.pm *** MIME-tools-5.411/lib/MIME/Field/ParamVal.pm Sat Nov 4 16:54:49 2000 --- MIME-tools-5.411-patched4/lib/MIME/Field/ParamVal.pm Fri Mar 7 12:44:10 2003 *************** *** 9,50 **** =head1 SYNOPSIS # Create an object for a content-type field: ! $field = new Mail::Field 'Content-type'; ! # Set some attributes: $field->param('_' => 'text/html'); $field->param('charset' => 'us-ascii'); $field->param('boundary' => '---ABC---'); ! # Same: $field->set('_' => 'text/html', 'charset' => 'us-ascii', 'boundary' => '---ABC---'); ! # Get an attribute, or undefined if not present: print "no id!" if defined($field->param('id')); ! # Same, but use empty string for missing values: print "no id!" if ($field->paramstr('id') eq ''); ! 
# Output as string: print $field->stringify, "\n"; =head1 DESCRIPTION ! This is an abstract superclass of most MIME fields. It handles fields with a general syntax like this: Content-Type: Message/Partial; ! number=2; total=3; ! id="oc=jpbe0M2Yt4s@thumper.bellcore.com" Comments are supported I items, like this: Content-Type: Message/Partial; (a comment) ! number=2 (another comment) ; (yet another comment) total=3; ! id="oc=jpbe0M2Yt4s@thumper.bellcore.com" =head1 PUBLIC INTERFACE --- 9,50 ---- =head1 SYNOPSIS # Create an object for a content-type field: ! $field = new Mail::Field 'Content-type'; ! # Set some attributes: $field->param('_' => 'text/html'); $field->param('charset' => 'us-ascii'); $field->param('boundary' => '---ABC---'); ! # Same: $field->set('_' => 'text/html', 'charset' => 'us-ascii', 'boundary' => '---ABC---'); ! # Get an attribute, or undefined if not present: print "no id!" if defined($field->param('id')); ! # Same, but use empty string for missing values: print "no id!" if ($field->paramstr('id') eq ''); ! # Output as string: print $field->stringify, "\n"; =head1 DESCRIPTION ! This is an abstract superclass of most MIME fields. It handles fields with a general syntax like this: Content-Type: Message/Partial; ! number=2; total=3; ! id="oc=jpbe0M2Yt4s@thumper.bellcore.com" Comments are supported I items, like this: Content-Type: Message/Partial; (a comment) ! number=2 (another comment) ; (yet another comment) total=3; ! id="oc=jpbe0M2Yt4s@thumper.bellcore.com" =head1 PUBLIC INTERFACE *************** *** 100,105 **** --- 100,108 ---- # token = 1* # my $TSPECIAL = '()<>@,;:\ 3, 'id' => "ocj=pbe0M2"); ! Note that a single argument is taken to be a I to a paramhash, while multiple args are taken to be the elements of the paramhash themselves. --- 139,145 ---- 'total' => 3, 'id' => "ocj=pbe0M2"); ! Note that a single argument is taken to be a I to a paramhash, while multiple args are taken to be the elements of the paramhash themselves. 
*************** *** 160,175 **** it as a hash reference. For example, here is a field with parameters: Content-Type: Message/Partial; ! number=2; total=3; ! id="oc=jpbe0M2Yt4s@thumper.bellcore.com" Here is how you'd extract them: $params = $class->parse_params('content-type'); if ($$params{'_'} eq 'message/partial') { ! $number = $$params{'number'}; ! $total = $$params{'total'}; ! $id = $$params{'id'}; } Like field names, parameter names are coerced to lowercase. --- 166,181 ---- it as a hash reference. For example, here is a field with parameters: Content-Type: Message/Partial; ! number=2; total=3; ! id="oc=jpbe0M2Yt4s@thumper.bellcore.com" Here is how you'd extract them: $params = $class->parse_params('content-type'); if ($$params{'_'} eq 'message/partial') { ! $number = $$params{'number'}; ! $total = $$params{'total'}; ! $id = $$params{'id'}; } Like field names, parameter names are coerced to lowercase. *************** *** 181,190 **** --- 187,226 ---- =cut + sub rfc2231decode { + my($val) = @_; + my($enc, $lang, $rest); + + if ($val =~ m/^([^\']*)\'([^\']*)\'(.*)$/) { + # SHOULD REALLY DO SOMETHING MORE INTELLIGENT WITH ENCODING!!! + $enc = $1; + $lang = $2; + $rest = $3; + $rest = rfc2231percent($rest); + } elsif ($val =~ m/^([^\']*)\'([^\']*)$/) { + $enc = $1; + $rest = $2; + $rest = rfc2231percent($rest); + } else { + $rest = rfc2231percent($val); + } + return $rest; + } + + sub rfc2231percent { + # Do percent-subsitution + my($str) = @_; + $str =~ s/%([0-9a-fA-F]{2})/pack("c", hex($1))/ge; + return $str; + } + sub parse_params { my ($self, $raw) = @_; my %params = (); + my %rfc2231params = (); my $param; + my $val; + my $part; # Get raw field, and unfold it: defined($raw) or $raw = ''; *************** *** 200,208 **** $raw =~ m/\G$SPCZ\;$SPCZ/og or last; # skip leading separator $raw =~ m/\G($PARAMNAME)\s*=\s*/og or last; # give up if not a param $param = lc($1); ! $raw =~ m/\G(\"([^\"]+)\")|\G($TOKEN)|\G($ENCTOKEN)/g or last; # give up if no value ! 
my ($qstr, $str, $token, $enctoken) = ($1, $2, $3, $4); ! $params{$param} = defined($qstr) ? $str : (defined($token) ? $token : $enctoken); debug " field param <$param> = <$params{$param}>"; } --- 236,282 ---- $raw =~ m/\G$SPCZ\;$SPCZ/og or last; # skip leading separator $raw =~ m/\G($PARAMNAME)\s*=\s*/og or last; # give up if not a param $param = lc($1); ! $raw =~ m/\G(\"([^\"]+)\")|\G($ENCTOKEN)|\G($BADTOKEN)|\G($TOKEN)/g or last; # give up if no value" ! my ($qstr, $str, $enctoken, $badtoken, $token) = ($1, $2, $3, $4, $5); ! if (defined($badtoken)) { ! # Strip leading/trailing whitespace from badtoken ! $badtoken =~ s/^\s*//; ! $badtoken =~ s/\s*$//; ! } ! $val = defined($qstr) ? $str : ! (defined($enctoken) ? $enctoken : ! (defined($badtoken) ? $badtoken : $token)); ! ! # Do RFC 2231 processing ! if ($param =~ /\*/) { ! my($name, $num); ! # Pick out the parts of the parameter ! if ($param =~ m/^([^*]+)\*([^*]+)\*?$/) { ! # We have param*number* or param*number ! $name = $1; ! $num = $2; ! } else { ! # Fake a part of zero... not sure how to handle this properly ! $param =~ s/\*//g; ! $name = $param; ! $num = 0; ! } ! # Decode the value unless it was a quoted string ! if (!defined($qstr)) { ! $val = rfc2231decode($val); ! } ! $rfc2231params{$name}{$num} .= $val; ! } else { ! # Make a fake "part zero" for non-RFC2231 params ! $rfc2231params{$param}{"0"} = $val; ! } ! } ! ! # Extract reconstructed parameters ! foreach $param (keys %rfc2231params) { ! foreach $part (sort { $a <=> $b } keys %{$rfc2231params{$param}}) { ! $params{$param} .= $rfc2231params{$param}{$part}; ! } debug " field param <$param> = <$params{$param}>"; } *************** *** 227,233 **** # Allow use as constructor, for MIME::Head: ref($self) or $self = bless({}, $self); ! # Get params, and stuff them into the self object: $self->set($self->parse_params($string)); } --- 301,307 ---- # Allow use as constructor, for MIME::Head: ref($self) or $self = bless({}, $self); ! 
# Get params, and stuff them into the self object: $self->set($self->parse_params($string)); } diff -rc MIME-tools-5.411/lib/MIME/Parser.pm MIME-tools-5.411-patched4/lib/MIME/Parser.pm *** MIME-tools-5.411/lib/MIME/Parser.pm Sun Nov 12 02:55:11 2000 --- MIME-tools-5.411-patched4/lib/MIME/Parser.pm Fri Mar 7 12:44:47 2003 *************** *** 378,393 **** =item extract_nested_messages OPTION I ! Some MIME messages will contain a part of type C: literally, the text of an embedded mail/news/whatever message. This option controls whether (and how) we parse that embedded message. If the OPTION is false, we treat such a message just as if it were a C document, without attempting to decode its contents. ! If the OPTION is true (the default), the body of the C ! part is parsed by this parser, creating an entity object. ! What happens then is determined by the actual OPTION: =over 4 --- 378,394 ---- =item extract_nested_messages OPTION I ! Some MIME messages will contain a part of type C ! or C or C: literally, the text of an embedded mail/news/whatever message. This option controls whether (and how) we parse that embedded message. If the OPTION is false, we treat such a message just as if it were a C document, without attempting to decode its contents. ! If the OPTION is true (the default), the body of the C ! or C part is parsed by this parser, creating an ! entity object. What happens then is determined by the actual OPTION: =over 4 *************** *** 592,597 **** --- 593,599 ---- # # I # Process and return the next header. + # Return undef if, instead of a header, the encapsulation boundary is found. # Fatal exception on failure. # sub process_header { *************** *** 612,617 **** --- 614,623 ---- foreach (@headlines) { s/[\r\n]+\Z/\n/ } ### fold ### How did we do? 
+ if ($hdr_rdr->eos_type eq 'DELIM') { + $self->whine("bogus part, without CRLF before body"); + return; + } ($hdr_rdr->eos_type eq 'DONE') or $self->error("unexpected end of header\n"); *************** *** 983,989 **** ### Parse and add the header: my $head = $self->process_header($in, $rdr); ! $ent->head($head); ### Tweak the content-type based on context from our parent... ### For example, multipart/digest messages default to type message/rfc822: --- 989,1005 ---- ### Parse and add the header: my $head = $self->process_header($in, $rdr); ! if (not defined $head) { ! $self->debug("bogus empty part"); ! $head = $self->interface('HEAD_CLASS')->new; ! $head->mime_type('text/plain; charset=US-ASCII'); ! $ent->head($head); ! $ent->bodyhandle($self->new_body_for($head)); ! $ent->bodyhandle->open("w")->close; ! $self->results->level(-1); ! return $ent; ! } ! $ent->head($head); ### Tweak the content-type based on context from our parent... ### For example, multipart/digest messages default to type message/rfc822: *************** *** 997,1004 **** if ($type eq 'multipart') { $self->process_multipart($in, $rdr, $ent); } ! elsif (("$type/$subtype" eq "message/rfc822") && ! $self->extract_nested_messages) { $self->debug("attempting to process a nested message"); $self->process_message($in, $rdr, $ent); } --- 1013,1022 ---- if ($type eq 'multipart') { $self->process_multipart($in, $rdr, $ent); } ! elsif (("$type/$subtype" eq "message/rfc822" || ! "$type/$subtype" eq "message/external-body" || ! ("$type/$subtype" eq "message/partial" && $head->mime_attr("content-type.number") == 1)) && ! 
$self->extract_nested_messages) { $self->debug("attempting to process a nested message"); $self->process_message($in, $rdr, $ent); } diff -rc MIME-tools-5.411/lib/MIME/Words.pm MIME-tools-5.411-patched4/lib/MIME/Words.pm *** MIME-tools-5.411/lib/MIME/Words.pm Fri Nov 10 13:45:12 2000 --- MIME-tools-5.411-patched4/lib/MIME/Words.pm Fri Mar 7 12:44:10 2003 *************** *** 186,192 **** $@ = ''; ### error-return ### Collapse boundaries between adjacent encoded words: ! $encstr =~ s{(\?\=)\r?\n[ \t](\=\?)}{$1$2}gs; pos($encstr) = 0; ### print STDOUT "ENC = [", $encstr, "]\n"; --- 186,192 ---- $@ = ''; ### error-return ### Collapse boundaries between adjacent encoded words: ! $encstr =~ s{(\?\=)\s*(\=\?)}{$1$2}gs; pos($encstr) = 0; ### print STDOUT "ENC = [", $encstr, "]\n"; From mailscanner at LISTS.COM.AR Fri Mar 7 16:28:24 2003 
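Review bot: in the ParamVal.pm hunk that adds rfc2231decode and rfc2231percent (--- 187,226 ----), `pack("c", hex($1))` uses the signed-char template, so every escape from %80 to %FF is outside its range; use `pack("C", hex($1))` or `chr(hex($1))`. rfc2231decode also captures $enc and $lang and then drops them, as its own comment admits, so a caller cannot tell which charset the decoded bytes are in; either return the charset with the value or document that the result is raw bytes.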
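Review bot: in the parse_params hunk of ParamVal.pm (--- 236,282 ----), a plain `name=value` is assigned to part "0" with `=` while `name*=` and `name*0=` are appended to that same slot with `.=`, so a header carrying both forms of one parameter yields a value that depends on their order. Choose one precedence explicitly and log when both forms are present, so that later checks on the parameter see a predictable value. `$num` is also never checked to be numeric before `sort { $a <=> $b }`; skip or reject sections that fail `/^\d+$/`.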
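Review bot: in the Parser.pm hunk at --- 1013,1022 ----, `$head->mime_attr("content-type.number") == 1` compares numerically an attribute that may be missing or non-numeric, which warns under -w and accepts any string that numifies to 1. Fetch the attribute once, require it to be defined and to match `/^\d+$/`, and only then compare it with 1.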
From: mailscanner at LISTS.COM.AR (Mariano Absatz)
Date: Thu Jan 12 21:17:25 2006
Subject: MailScanner maillog error
In-Reply-To:
References: <3E68A4CD.283F7FE0@dcg.com>
Message-ID: <3E689E78.2081.6C537882@localhost>

hint:

if the line says
Month day time host sendmail[pid]: ...
then the message was generated by sendmail.

Month day time host Mailscanner[pid]: ...
then the message was generated by MailScanner.

Now, this message is sendmail's, and this means that it couldn't resolve a reverse DNS lookup (get host by address) on those addresses.

Probably, you got connections from those and sendmail tries to resolve them.

I just tried to resolve them from my dns cache resolver and none of them have reverse entries... this is not an error condition, per se...

It is considered "bad manners" (or incompetence depending on who you ask) not to have a reverse dns record for a mail server, and one of the first anti-spam measures was to deny smtp connections from hosts without a reverse (or worse still, those with a reverse that didn't match any A or CNAME for the same host).

But as more and more incompetent sysadmins are out there, those kind of measures rejected too much legit mail to keep them up...

On 7 Mar 2003 at 14:11, John Thewlis wrote:

> Hi
>
> Many thanks for all the help on the /etc/sasldb error, it is now fixed.
>
> When looking through the MailScanner maillog, I get the following error
> message each time an email is sent through the server:-
>
>
> Mar 7 14:05:46 ns MailScanner[18807]: New Batch: Scanning 1 messages, 3034
> bytes
> Mar 7 14:05:46 ns MailScanner[18807]: Virus and Content Scanning: Starting
> Mar 7 14:05:46 ns MailScanner[18807]: Uninfected: Delivered 1 messages
> Mar 7 14:05:46 ns sendmail[29908]: gethostbyaddr(217.114.166.33) failed: 1
> Mar 7 14:05:46 ns sendmail[29908]: gethostbyaddr(217.114.166.34) failed: 1
> Mar 7 14:05:46 ns sendmail[29908]: gethostbyaddr(217.114.166.31) failed: 1
> Mar 7 14:05:46 ns sendmail[29908]: gethostbyaddr(217.114.166.91) failed: 1
>
>
> Any ideas as to how to resolve this error?
>
> Thanks
>
> John

--
Mariano Absatz
El Baby
----------------------------------------------------------
"Walking on water and developing software from a specification are easy if both are frozen."
 -- Edward V. Berard, "Life-Cycle Approaches"

From gerry at dorfam.ca Fri Mar 7 17:00:39 2003
From: gerry at dorfam.ca (Gerry Doris)
Date: Thu Jan 12 21:17:25 2006
Subject: sendmail update
Message-ID: <59490.129.80.22.143.1047056439.squirrel@tiger.dorfam.ca>

I hope everyone has completed their sendmail update. I saw yesterday that scripts have now been released to the internet that will allow remote sessions on non patched sendmail for both Redhat and SuSE.

Also, someone was banging away at my home mailserver last night. The log file for the attempt was 89k.

Gerry

From brose at MED.WAYNE.EDU Fri Mar 7 17:14:39 2003
From: brose at MED.WAYNE.EDU (Rose, Bobby)
Date: Thu Jan 12 21:17:25 2006
Subject: MailScanner maillog error
Message-ID:

I've been using this function for a very long time without much complaint. It's not any different than mail admins running systems that act as open relays and are rejected. There are certain SMTP rules that should be obeyed and if they're not then it's up to those sysadmins to learn and fix in order to communicate unimpeded with the rest of us.

Of course, if you're blocking anything from the sendmail side, it's a good idea to also use the delay checks feature and add spam:postmaster and spam:abuse lines to your access file so that if there is an issue with someone they can at least email those accounts and not be blocked. Only problem is that if they don't know about setting their mail system up properly then they probably don't know to send a message to postmaster.

-----Original Message-----
From: Mariano Absatz [mailto:mailscanner@LISTS.COM.AR]
Sent: Friday, March 07, 2003 11:28 AM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: MailScanner maillog error

hint:

if the line says
Month day time host sendmail[pid]: ...
then the message was generated by sendmail.

Month day time host Mailscanner[pid]: ...
then the message was generated by MailScanner.

Now, this message is sendmail's, and this means that it couldn't resolve a reverse DNS lookup (get host by address) on those addresses.

Probably, you got connections from those and sendmail tries to resolve them.

I just tried to resolve them from my dns cache resolver and none of them have reverse entries... this is not an error condition, per se...

It is considered "bad manners" (or incompetence depending on who you ask) not to have a reverse dns record for a mail server, and one of the first anti-spam measures was to deny smtp connections from hosts without a reverse (or worse still, those with a reverse that didn't match any A or CNAME for the same host).

But as more and more incompetent sysadmins are out there, those kind of measures rejected too much legit mail to keep them up...

On 7 Mar 2003 at 14:11, John Thewlis wrote:

> Hi
>
> Many thanks for all the help on the /etc/sasldb error, it is now
> fixed.
>
> When looking through the MailScanner maillog, I get the following
> error message each time an email is sent through the server:-
>
>
> Mar 7 14:05:46 ns MailScanner[18807]: New Batch: Scanning 1 messages,
> 3034 bytes Mar 7 14:05:46 ns MailScanner[18807]: Virus and Content
> Scanning: Starting Mar 7 14:05:46 ns MailScanner[18807]: Uninfected:
> Delivered 1 messages Mar 7 14:05:46 ns sendmail[29908]:
> gethostbyaddr(217.114.166.33) failed: 1 Mar 7 14:05:46 ns
> sendmail[29908]: gethostbyaddr(217.114.166.34) failed: 1 Mar 7
> 14:05:46 ns sendmail[29908]: gethostbyaddr(217.114.166.31) failed: 1
> Mar 7 14:05:46 ns sendmail[29908]: gethostbyaddr(217.114.166.91)
> failed: 1
>
>
> Any ideas as to how to resolve this error?
>
> Thanks
>
> John

--
Mariano Absatz
El Baby
----------------------------------------------------------
"Walking on water and developing software from a specification are easy if both are frozen."
 -- Edward V. Berard, "Life-Cycle Approaches"

From mailscanner at ecs.soton.ac.uk Fri Mar 7 16:36:52 2003
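An added example for the "MailScanner maillog error" thread above (not written by any poster, and not part of sendmail or MailScanner): it splits maillog lines by the daemon that wrote them, pulls the addresses out of sendmail's gethostbyaddr failures, and classifies each as having no PTR record, a PTR that does not resolve back to the address, or a confirmed pair, which are the cases the replies describe. The log lines are the ones quoted in the thread; the 192.0.2.x resolver table and all function names are constructed for the example.

```python
import re
import socket
from collections import Counter

# The seven log lines quoted in the thread.
SAMPLE_MAILLOG = """\
Mar 7 14:05:46 ns MailScanner[18807]: New Batch: Scanning 1 messages, 3034 bytes
Mar 7 14:05:46 ns MailScanner[18807]: Virus and Content Scanning: Starting
Mar 7 14:05:46 ns MailScanner[18807]: Uninfected: Delivered 1 messages
Mar 7 14:05:46 ns sendmail[29908]: gethostbyaddr(217.114.166.33) failed: 1
Mar 7 14:05:46 ns sendmail[29908]: gethostbyaddr(217.114.166.34) failed: 1
Mar 7 14:05:46 ns sendmail[29908]: gethostbyaddr(217.114.166.31) failed: 1
Mar 7 14:05:46 ns sendmail[29908]: gethostbyaddr(217.114.166.91) failed: 1
"""

# Constructed resolver data (documentation addresses), so the example runs offline.
CONSTRUCTED_PTR = {"192.0.2.10": "mail.example.org", "192.0.2.20": "host.example.net"}
CONSTRUCTED_A = {"mail.example.org": {"192.0.2.10"}, "host.example.net": {"192.0.2.99"}}

# "Month day time host program[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<month>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<time>\d\d:\d\d:\d\d)\s+"
    r"(?P<host>\S+)\s+(?P<program>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?:\s*(?P<message>.*)$"
)
PTR_FAIL_RE = re.compile(r"gethostbyaddr\((\d{1,3}(?:\.\d{1,3}){3})\) failed")


def parse_maillog(text):
    """Return one dict per well-formed syslog line; other lines are skipped."""
    return [m.groupdict() for m in map(SYSLOG_RE.match, text.splitlines()) if m]


def lines_per_program(records):
    """Count log lines by the daemon that wrote them."""
    return Counter(rec["program"] for rec in records)


def failed_ptr_lookups(records):
    """Addresses sendmail could not reverse-resolve, de-duplicated, in log order."""
    seen = []
    for rec in records:
        if rec["program"] != "sendmail":
            continue
        match = PTR_FAIL_RE.search(rec["message"])
        if match and match.group(1) not in seen:
            seen.append(match.group(1))
    return seen


def system_reverse(ip):
    """PTR lookup through the system resolver; None when there is no record."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def system_forward(name):
    """Addresses the name resolves to; empty set when it does not resolve."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(name, None)}
    except socket.gaierror:
        return set()


def constructed_reverse(ip):
    return CONSTRUCTED_PTR.get(ip)


def constructed_forward(name):
    return CONSTRUCTED_A.get(name, set())


def classify(ip, reverse=system_reverse, forward=system_forward):
    """'no-ptr', 'mismatch' (PTR name does not resolve back to ip) or 'confirmed'."""
    name = reverse(ip)
    if not name:
        return "no-ptr"
    return "confirmed" if ip in forward(name) else "mismatch"


def report(text, reverse=system_reverse, forward=system_forward):
    """Map each address from sendmail's failures to its classification."""
    return {ip: classify(ip, reverse, forward)
            for ip in failed_ptr_lookups(parse_maillog(text))}


if __name__ == "__main__":
    print(dict(lines_per_program(parse_maillog(SAMPLE_MAILLOG))))
    print(report(SAMPLE_MAILLOG, constructed_reverse, constructed_forward))
    for ip in sorted(CONSTRUCTED_PTR):
        print(ip, classify(ip, constructed_reverse, constructed_forward))
```

Calling `report(text)` without the two resolver arguments uses the system resolver, which is what to run against a real maillog.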
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:25 2006
Subject: MIME-tools
In-Reply-To: <3E689BB7.1423.6C48B863@localhost>
Message-ID: <5.2.0.9.2.20030307163525.04691638@imap.ecs.soton.ac.uk>

At 16:16 07/03/2003, you wrote:
>Hi,
>
>I know this is an old one... but I have a couple of doubts about MIME-tools.
>
>For what I read, I don't want new versions of it, fine.
>
>When I browse in CPAN, I find 2 versions:
>5.411a (dated 16/11/2001)
>5.411 (dated 5/6/2001)
>
>I download them both... and find no difference, whatsoever (diff -rc)
>
>Is that a packaging problem? anybody knows?

Can't remember. Start from 5.411a as it says on mailscanner.info and then apply the 4 patches.

>The other thing I see is that you provide 4 important security patches at:
>http://www.sng.ecs.soton.ac.uk/mailscanner/install/mime-tools-patch.txt
>http://www.sng.ecs.soton.ac.uk/mailscanner/install/mime-tools-patch2.txt
>http://www.sng.ecs.soton.ac.uk/mailscanner/install/mime-tools-patch3.txt
>http://www.sng.ecs.soton.ac.uk/mailscanner/install/mime-tools-patch4.txt
>
>Now, why don't you combine them into just one? like the one I'm attaching?
>The result should be the same and it's easier to do, isn't it?

Because they were all written at different times. If I made them into 1 patch, then it would possibly fail because some patches had been previously applied and some hadn't. There is method in my madness (somewhere)....

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Fri Mar 7 16:12:34 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:25 2006 Subject: sendmail changing messages after MailScanner finishes... In-Reply-To: <3E68BCA8.77EDBCAE@dcg.com> References: <3E6807CD.1F851039@dcg.com> <3E680B00.D9CCB092@dcg.com> <5.2.0.9.2.20030307091454.039f2830@imap.ecs.soton.ac.uk> <5.2.0.9.2.20030307145413.028fc410@imap.ecs.soton.ac.uk> Message-ID: <5.2.0.9.2.20030307161125.04477e00@imap.ecs.soton.ac.uk> At 15:37 07/03/2003, you wrote: >Julian Field wrote: > > > > Are the files in /var/spool/mqueue set to rw-rw----? If not, then > > what? > >Sendmail picks up the messages from port 25 and puts them in mqueue.in. In >there, they are rw-------. MailScanner then picks them up from mqueue.in, >scans them (with SpamAssassin also -- so every message gets tagged even if >clean with at least the SpamAssassin tag), and then puts them back in mqueue. >When it puts them there, they are rw-rw-rw-. > > > Are *all* the files in /var/spool/mqueue 666? Or are ones that were > > infected 600? > >Well, all my files get touched because I am having MailScanner (with >SpamAssassin) add the X-MailScanner and X-MailScanner-SpamCheck tags. But, >that being said, ALL of the qf files are 666 -- and the df files are 600. > > > What are the permissions on all the files in /var/spool/mqueue.in? > >They are all 600 all the time. > > > As you see from below, MailScanner sets its own umask to give 600 > > files, specifically to stop problems like this. Try applying this patch to SMDiskStore.pm. It sets the umask again just before writing the files. --- SMDiskStore.pm.old Fri Mar 7 16:14:58 2003 +++ SMDiskStore.pm Fri Mar 7 16:17:05 2003 @@ -232,6 +232,7 @@ $hfile = $Outq . '/' . $this->{hname}; #print STDERR "tfile = $tfile and hfile = $hfile\n"; + umask 0077; # Add this to try to stop 0666 qf files $Tf = new FileHandle; MailScanner::Lock::openlock($Tf, ">$tfile", "w") or MailScanner::Log::DieLog("Cannot create + lock clean tempfile %s, %s", 
@@ -300,6 +301,7 @@ #print STDERR "Writing MIME body of \"$id\" to $dfile\n"; + umask 0077; # Add this to try to stop 0666 df files $Df = new FileHandle; MailScanner::Lock::openlock($Df, ">$dfile", "w") or MailScanner::Log::DieLog("Cannot create + lock clean body %s, %s", -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From andersjk at SOL-INVICTUS.ORG Fri Mar 7 18:14:37 2003 From: andersjk at SOL-INVICTUS.ORG (Kevin Anderson) Date: Thu Jan 12 21:17:25 2006 Subject: Strange score In-Reply-To: <3E6795D6.5030306@bangor.ac.uk> Message-ID: thanks, that would be it... kevin On Thu, 6 Mar 2003, Martin Sapsed wrote: > Kevin Anderson wrote: > > HI all! > > > > I found a strange spam score: > > > > X-MailScanner-SpamCheck: not spam, SpamAssassin (score=-88.2, required 6, > > ALL_NATURAL, AS_SEEN_ON, CLICK_BELOW, CLICK_HERE_LINK, HAIR_LOSS, > > HGH, LINES_OF_YELLING, MISSING_MIMEOLE, NO_QS_ASKED, NO_REAL_NAME, > > SPAM_PHRASE_08_13, SUBJ_HAS_UNIQ_ID, SUPERLONG_LINE, TRACKER_ID, > > USER_AGENT_OE, USER_IN_WHITELIST, X_MSMAIL_PRIORITY_HIGH, > > X_PRIORITY_HIGH) > > > > has -88.2, auto whitelisting is off. Anything to be worried about? > > USER_IN_WHITELIST has a score of -100 IIRC? Would suggest that the > address is in SpamAssassin's whitelist? Added before you turned > auto-listing off perhaps? > > Cheers, > > Martin > > -- > Martin Sapsed > Information Services "Who do you say I am?" > University of Wales, Bangor Jesus of Nazareth > -- @ _____________________________________________ chaos, panic and disorder... my job is done... From mailscanner at LISTS.COM.AR Fri Mar 7 18:30:55 2003 
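Review bot: in the SMDiskStore.pm patch above, both added `umask 0077;` lines throw away the value umask returns, which is the one fact this change could establish: whether something altered the mask after start-up. Capture it in the first hunk (`my $old = umask 0077;`) and log it when it is not 077. The mask is per-process and only filters the mode requested when a file is created, so the second call in the @@ -300 hunk adds nothing unless code between the two opens resets it, and neither call helps if the qf file gets its mode some other way; a comment saying which case is suspected would make the change easier to judge.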
From: mailscanner at LISTS.COM.AR (Mariano Absatz)
Date: Thu Jan 12 21:17:25 2006
Subject: MIME-tools
In-Reply-To: <5.2.0.9.2.20030307163525.04691638@imap.ecs.soton.ac.uk>
References: <3E689BB7.1423.6C48B863@localhost>
Message-ID: <3E68BB2F.30508.6CC3A527@localhost>

On 7 Mar 2003 at 16:36, Julian Field wrote:

> >The other thing I see is that you provide 4 important security patches at:
> >http://www.sng.ecs.soton.ac.uk/mailscanner/install/mime-tools-patch.txt
> >http://www.sng.ecs.soton.ac.uk/mailscanner/install/mime-tools-patch2.txt
> >http://www.sng.ecs.soton.ac.uk/mailscanner/install/mime-tools-patch3.txt
> >http://www.sng.ecs.soton.ac.uk/mailscanner/install/mime-tools-patch4.txt
> >
> >Now, why don't you combine them into just one? like the one I'm attaching?
> >The result should be the same and it's easier to do, isn't it?
>
> Because they were all written at different times. If I made them into 1
> patch, then it would possibly fail because some patches had been previously
> applied and some hadn't. There is method in my madness (somewhere)....

But what I did, to generate that patch was the following (that according to _my_ madness should be correct):

tar xvzf MIME-tools-5.411.tar.gz
patch -p0 < mime-tools-patch.txt
patch -p0 < mime-tools-patch2.txt
patch -p0 < mime-tools-patch3.txt
patch -p0 < mime-tools-patch4.txt
mv MIME-tools-5.411 MIME-tools-5.411-patched4

Now MIME-tools-5.411-patched4 has the completely patched MIME-tools.

If I do the following:

tar xvzf MIME-tools-5.411.tar.gz
diff -rc MIME-tools-5.411 MIME-tools-5.411-patched4 \
 > mime-tools-patches-1thru4.txt

now mime-tools-patches-1thru4.txt has a patch that applied to the original module (in MIME-tools-5.411) generates the completely patched module (in MIME-tools-5.4.11-patched4).

Am I wrong?

--
Mariano Absatz
El Baby
----------------------------------------------------------
If I held you any closer I would be on the other side of you.
 -- Groucho Marx

From mailscanner at LISTS.COM.AR Fri Mar 7 20:50:42 2003
From: mailscanner at LISTS.COM.AR (Mariano Absatz)
Date: Thu Jan 12 21:17:26 2006
Subject: typo in instructions?
Message-ID: <3E68DBF2.16951.6D43A3FF@localhost>

Hi Julian,

I'm following the instructions for manual install (in order to have a clean installation with documented modifications of my own) and found (I think) a typo and a probable better sort order:

In http://www.sng.ecs.soton.ac.uk/mailscanner/install/mailscanner.shtml you list the files that have to be modified if you change the path where you install MailScanner, but you mention
/opt/MailScanner/etc/mailscanner.conf
instead of the newer
/opt/MailScanner/etc/MailScanner.conf

OTOH, in http://www.sng.ecs.soton.ac.uk/mailscanner/install/other.shtml, I'd change the order of steps 4 and 5, since the installation instructions for the TNEF decoder is based in that MailScanner is already installed.

Regards.

--
Mariano Absatz
El Baby
----------------------------------------------------------
Ever notice how fast Windows runs? Neither did I.

From dbowen1 at MAC.COM Fri Mar 7 21:13:27 2003
From: dbowen1 at MAC.COM (Daniel Bowen)
Date: Thu Jan 12 21:17:26 2006
Subject: Multipart Mime attachment killing MailScanner again
Message-ID: <7512413.1047071607313.JavaMail.dbowen1@mac.com>

Hi Julian,

I have encountered the problem of a single multi-part MIME attachment message killing MailScanner. Here again I will include the error, however, I may have some more pertinent info. I will try to include the qf file here, and both in a tar.gz on an ftp server for you. The error is as follows:

Mar 7 14:26:37 mail MailScanner[17955]: Cannot parse /private/var/spool/MailScanner/incoming/17955/h27GA5sK025282.header and , write-open /private/var/spool/MailScanner/incoming/17955/h27GA5sK025282/LinkousGreen^@3x4^@.crtr: Invalid argument at /Library/Perl/MIME/Body.pm line 414.

One interesting thing to note is that I can't use the external TNEF expander, as I am running on darwin Mac OS X. Here is the related portion of MailScanner.conf, for MailScanner 4.12-2. Also it is interesting to note that this message and the last one have been sent from Microsoft Outlook Express for Mac containing a Multipart mime message:

# Expand TNEF attachments using an external program (or a Perl module)?
# This should be "yes" unless the scanner you are using (Sophos, McAfee) has
# the facility built-in. However, if you set it to "no", then the filenames
# within the TNEF attachment will not be checked against the filename rules.
Expand TNEF = yes

# Some versions of Microsoft Outlook generate unparsable Rich Text
# format attachments. Do we want to deliver these bad attachments anyway?
# Setting this to yes introduces the slight risk of a virus getting through,
# but if you have a lot of troubled Outlook users you might need to do this.
# We are working on a replacement for the TNEF decoder.
# This can also be the filename of a ruleset.
Deliver Unparsable TNEF = no

# Where the MS-TNEF expander is installed.
# This is EITHER the full command (including maxsize option) that runs
# the external TNEF expander binary,
# OR the keyword "internal" which will make MailScanner use the Perl
# module that does the same job.
# They are both provided as I am unsure which one is faster and which
# one is capable of expanding more file formats (there are plenty!).
#
# The --maxsize option limits the maximum size that any expanded attachment
# may be. It helps protect against Denial Of Service attacks in TNEF files.
TNEF Expander = internal
# This can also be the filename of a ruleset.
#TNEF Expander = /opt/MailScanner/bin/tnef --maxsize=100000000

# The maximum length of time the TNEF Expander is allowed to run for 1 message.
# (in seconds)
TNEF Timeout = 120

Here is the qfh27GA5sK025282, quoted to hopefully get through the scanners:

>V6
>T1047053406
>K0
>N0
>P30559
>B8BITMIME
>F8bs
>$_znet.groupz.net [216.116.255.2]
>$rESMTP
>$sznet.groupz.net
>${daemon_flags}
>${if_addr}66.4.192.160
>S
>rRFC822; xxxxx@ortn.edu
>RPFD:
>H?P?Return-Path:
>H??Received: from znet.groupz.net (znet.groupz.net [216.116.255.2])
>        by mail.ortn.edu (8.12.7/8.12.6) with ESMTP id h27GA5sK025282
>        for ; Fri, 7 Mar 2003 11:10:06 -0500 (EST)
>H??Received: from [192.168.154.153] (fwp1016.groupz.net [216.116.243.254])
>        by znet.groupz.net (8.8.6 (PHNE_14041)/8.8.8) with ESMTP id LAA21034
>        for ; Fri, 7 Mar 2003 11:09:54 -0500 (EST)
>H??User-Agent: Microsoft Outlook Express Macintosh Edition - 5.01 (1630)
>H??Date: Fri, 07 Mar 2003 11:08:59 -0500
>H??Subject: jpeg - Linkous 3x4
>H??From: xxxxx xxxxx
>H??To:
>H??Message-ID:
>H??Mime-version: 1.0
>H??Content-type: multipart/mixed;
>        boundary="MS_Mac_OE_3129880139_20285474_MIME_Part"
>.

From dbowen1 at MAC.COM Fri Mar 7 21:18:56 2003
From: dbowen1 at MAC.COM (Daniel Bowen)
Date: Thu Jan 12 21:17:26 2006
Subject: MailScanner maillog error
Message-ID: <6486743.1047071936479.JavaMail.dbowen1@mac.com>

Well, I have experienced a similar error showing the gethostbyaddr error, and it turned out to be that our DNS servers were not reverse resolving properly. The problem showed up with our mailserver's own IP in the parentheses. Check your reverse DNS resolution on the mail servers, maybe that's it.

Dan Bowen
Oak Ridge Schools
TN

On Friday, March 07, 2003, at 09:11AM, John Thewlis wrote:

>Hi
>
>Many thanks for all the help on the /etc/sasldb error, it is now fixed.
>
>When looking through the MailScanner maillog, I get the following error
>message each time an email is sent through the server:-
>
>
>Mar 7 14:05:46 ns MailScanner[18807]: New Batch: Scanning 1 messages, 3034 bytes
>Mar 7 14:05:46 ns MailScanner[18807]: Virus and Content Scanning: Starting
>Mar 7 14:05:46 ns MailScanner[18807]: Uninfected: Delivered 1 messages
>Mar 7 14:05:46 ns sendmail[29908]: gethostbyaddr(217.114.166.33) failed: 1
>Mar 7 14:05:46 ns sendmail[29908]: gethostbyaddr(217.114.166.34) failed: 1
>Mar 7 14:05:46 ns sendmail[29908]: gethostbyaddr(217.114.166.31) failed: 1
>Mar 7 14:05:46 ns sendmail[29908]: gethostbyaddr(217.114.166.91) failed: 1
>
>
>Any ideas as to how to resolve this error?
>
>Thanks
>
>John
>
>

From mailscanner at lists.com.ar Fri Mar 7 21:52:13 2003
From: mailscanner at lists.com.ar (Mariano Absatz)
Date: Thu Jan 12 21:17:26 2006
Subject: mailscanner & zmailer
Message-ID: <3E68EA5D.32729.6D7BF40A@localhost>

Hi Nick,

a few months ago I told Julian I was interested in porting MailScanner to zmailer (http://zmailer.org) since we use it in quite a few installations, including some medium-sized to large ISPs.

He told me I should contact you since you made the port to Exim.

In short, zmailer does a three step process:

1) smtpserver listening to port 25, handling only the server part and leaving received messages in a queue directory
2) router picking from that queue, making a routing decision and leaving routed messages in the corresponding output queue (you can have several of these)
3) transport agents, coordinated by a scheduler, processing the output queues as needed. Usually, TAs are simply smtp clients

Now, the obvious place to put mailscanner is between 1 & 2. We have already done this with different programs developed by us (e.g. in an SMS-SMTP 2-way gateway for a cellphone company).

The only different thing with what I see from a quick browse of the MS sources is that zmailer only uses 1 queue file per message (instead of 2). You have first the envelope data, then a separator line and finally the message itself.

Monday morning I'll start working hard on this, hopefully even coding.

What I'd like to know in order to further understand the sources is what files you modified to make the sendmail->exim port.

From what I can see:

Sendmail.pm => Exim.pm
SMDiskStore.pm => EximDiskStore.pm

Are there other things you had to modify?

I don't see any pod in the files... do you have any docs on the functions in mailscanner?

TIA.
--
Mariano Absatz
El Baby

From raxie at BULACAN.PH Sat Mar 8 01:49:41 2003
From: raxie at BULACAN.PH (Raxie®)
Date: Thu Jan 12 21:17:26 2006
Subject: MailScanner and Horde/IMP
References: <5.2.0.9.0.20030308044816.00af2bb8@pop.gmx.net>
Message-ID: <002901c2e514$fd430650$1401a8c0@RaxPogi>

Krishna,

Change your

$conf['mailer']['type']='sendmail'

to

$conf['mailer']['type']='smtp'

Raxie

----- Original Message -----
From: "Krishna"
To:
Sent: Saturday, March 08, 2003 7:23 AM
Subject: MailScanner and Horde/IMP

> Hi,
> I installed MailScanner on my RedHat 7.3 box running Horde/IMP cvs
> version.
> When I send mails through Outlook or Eudora , the mails get scanned by
> MailScanner, does both Anti-Virus and Anti-Spam checks.
> But when I send through Horde/IMP mailscanner does not get executed. The
> mails goes without a scan via sendmail.
>
> Why is this happening?
>
> My horde configuration conf.php
>
> $conf['mailer']['type'] = 'sendmail';
> $conf['mailer']['params'] = array();
> $conf['mailer']['params'] = array('sendmail_path' => '/usr/sbin/sendmail');
>
> regards
> Krishna
> http://www.KrisinDigitalAge.com

From craig at STRONG-BOX.NET Sat Mar 8 02:45:26 2003
From: craig at STRONG-BOX.NET (Craig Pratt)
Date: Thu Jan 12 21:17:26 2006
Subject: Replacing original(s) with *.rpmnew
In-Reply-To:
Message-ID: <044E6020-5110-11D7-B55E-000393B9390A@strong-box.net>

The "by the seat of your pants" form, in sh:

for file in *.rpmnew; do mv $file $(basename "$file" .rpmnew); done

Just make sure there aren't filenames with spaces in them.

A better version, which will backup any overwritten files and deal with
names with spaces:

for file in *.rpmnew; do
  [ -e "$file" ] || continue    # nothing matched the glob
  newname=$(basename "$file" .rpmnew)
  # back up the current file only if there is one to back up
  [ -e "$newname" ] && mv -f "$newname" "$newname.rpmold"
  mv "$file" "$newname"
done

Just be careful with such a thing. .rpmnew files are generated because
intelligent choices often need to be made when incorporating the
.rpmnew. For me, upgrading MS means merging all the conf files in
/etc/MailScanner and leaving the report files as-is - since I've
customized them. I just check the .rpmnew report files to ensure there
are no surprises in there.

Craig

On Friday, March 7, 2003, at 03:46 PM, Nathan Johanson wrote:

> Hello,
>
> The other day I upgraded from 4.11-x to 4.13-3. As expected, Julian's
> upgrade script simplified the process. However, I noticed several
> reports had been replaced. While replacing the originals with the
> *.rpmnew files, I figured there must be a better way to do it than "mv
> filename.rpmnew filename" ; rm filename.rpmnew" for each file.
>
> There must be a way to do all *.rpmnew files in a directory with a short
> shell script or compound command. Can someone give me a hand with this?
> It would only be useful for files or reports I haven't changed, but
> could potentially save me a lot of keyboard tapping.
>
> Thanks in advance!
>
> Sincerely,
> Nathan Johanson
> nathan@tcpnetworks.net
>
>
> -----Original Message-----
> From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK]
> Sent: Friday, March 07, 2003 4:22 AM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: MailScanner and Horde/IMP
>
>
> At 23:23 07/03/2003, you wrote:
>> Hi,
>> I installed MailScanner on my RedHat 7.3 box running Horde/IMP cvs
>> version.
>> When I send mails through Outlook or Eudora , the mails get scanned by
>> MailScanner, does both Anti-Virus and Anti-Spam checks.
>> But when I send through Horde/IMP mailscanner does not get executed. The
>> mails goes without a scan via sendmail.
>>
>> Why is this happening?
>>
>> My horde configuration conf.php
>>
>> $conf['mailer']['type'] = 'sendmail';
>> $conf['mailer']['params'] = array();
>> $conf['mailer']['params'] = array('sendmail_path' => '/usr/sbin/sendmail');
>
> You either need to upgrade to a more recent version of sendmail, or else
> set this instead of your 3 lines above:
>
> $conf['mailer']['type'] = 'smtp';
> $conf['mailer']['params'] = array();
> $conf['mailer']['params'] = array('host' => 'localhost');
>
> This will force IMP to talk SMTP to the host it is running on, which will
> get all its mail scanned.
> --
> Julian Field
> www.MailScanner.info
> MailScanner thanks transtec Computers for their support
>
> --
> This message checked for dangerous content by MailScanner on StrongBox.
>

--
This message checked for dangerous content by MailScanner on StrongBox.

From jgoggan at DCG.COM Sat Mar 8 06:26:15 2003
From: jgoggan at DCG.COM (John Goggan)
Date: Thu Jan 12 21:17:26 2006
Subject: sendmail changing messages after MailScanner finishes...
References: <3E6807CD.1F851039@dcg.com> <3E680B00.D9CCB092@dcg.com> <5.2.0.9.2.20030307091454.039f2830@imap.ecs.soton.ac.uk> <5.2.0.9.2.20030307145413.028fc410@imap.ecs.soton.ac.uk> <5.2.0.9.2.20030307161125.04477e00@imap.ecs.soton.ac.uk>
Message-ID: <3E698D07.57184BD3@dcg.com>

Julian Field wrote:
> Try applying this patch to SMDiskStore.pm. It sets the umask again just
> before writing the files.

Remember, I was running an old version of MailScanner -- v3.something. There was no SMDiskStore.pm in that version. :) So, I couldn't test your patch, sorry.

However, I did rollback to sendmail v8.11.5 that was working fine before and found that I STILL had the problem. It was therefore my upgrading of SpamAssassin that seemed to cause the problem.

I finally took the time to do sendmail right (I've been using an old style sendmail.cf forever without a matching .mc file) -- I started from scratch with a clean mc and have sendmail running as recommended with 8.12.8. I then installed the latest MailScanner.

And, now, everything is working just great! So, I'm all set now. Just needed to take the time to upgrade everything instead of doing it piecemeal...

Thanks for your help!

- John...

From support at INVICTANET.CO.UK Sat Mar 8 10:50:40 2003
From: support at INVICTANET.CO.UK (InvictaNet Customer Support) Date: Thu Jan 12 21:17:26 2006 Subject: rules Message-ID: Sorry if this has been asked before. In the rules examples, I note that the default seems to be always at the bottom of the file. Is this a requirement or can it be anywhere in the list? Martyn Routley ----------------------------------------------------------------- InvictaNet - The Internet in Plain English, Guaranteed http://www.invictanet.co.uk martyn@support.invictanet.co.uk phone: 08707 440180 fax: 08707 440181 Ask us about our online Antivirus and Junk mail scanning service ----------------------------------------------------------------- ------------------------------------------------- This message has been scanned for viruses and dangerous content by the http://www.anti84787.com MailScanner, and is believed to be clean. ------------------------------------------------- From nathan at TCPNETWORKS.NET Fri Mar 7 23:46:45 2003 From: nathan at TCPNETWORKS.NET (Nathan Johanson) Date: Thu Jan 12 21:17:26 2006 Subject: Replacing original(s) with *.rpmnew Message-ID: Hello, The other day I upgraded from 4.11-x to 4.13-3. As expected, Julian's upgrade script simplified the process. However, I noticed several reports had been replaced. While replacing the originals with the *.rpmnew files, I figured there must be a better way to do it than "mv filename.rpmnew filename" ; rm filename.rpmnew" for each file. There must be a way to do all *.rpmnew files in a directory with a short shell script or compound command. Can someone give me a hand with this? It would only be usefuly for files or reports I haven't changed, but could potentially save me a lot of keyboard tapping. Thanks in advance! Sincerely, Nathan Johanson nathan@tcpnetworks.net -----Original Message----- 
From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] Sent: Friday, March 07, 2003 4:22 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: MailScanner and Horde/IMP At 23:23 07/03/2003, you wrote: >Hi, > I installed MailScanner on my RedHat 7.3 box running Horde/IMP cvs >version. >When I send mails through Outlook or Eudora , the mails get scanned by >MailScanner, does both Anti-Virus and Anti-Spam checks. >But when I send through Horde/IMP mailscanner does not get executed. The >mails goes without a scan via sendmail. > >Why is this happening? > >My horde configuration conf.php > >$conf['mailer']['type'] = 'sendmail'; >$conf['mailer']['params'] = array(); > $conf['mailer']['params'] = array('sendmail_path' => '/usr/sbin/sendmail'); You either need to upgrade to a more recent version of sendmail, or else set this instead of your 3 lines above: $conf['mailer']['type'] = 'smtp'; $conf['mailer']['params'] = array(); $conf['mailer']['params'] = array('host' => 'localhost'); This will force IMP to talk SMTP to the host it is running on, which will get all its mail scanned. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Sat Mar 8 13:30:48 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:26 2006 Subject: typo in instructions? In-Reply-To: <3E68DBF2.16951.6D43A3FF@localhost> Message-ID: <5.2.0.9.2.20030308133034.0251dbe0@imap.ecs.soton.ac.uk> Thanks for the corrections. Both applied. At 20:50 07/03/2003, you wrote: >Hi Julian, > >I'm following the instructions for manual install (in order to have a clean >installation with documented modifications of my own) and found (I think) a >typo and a probable better sort order: > >In http://www.sng.ecs.soton.ac.uk/mailscanner/install/mailscanner.shtml you >list the files that have to be modified if you change the path where you >install MailScanner, but you mention /opt/MailScanner/etc/mailscanner.conf >instead of the newer /opt/MailScanner/etc/MailScanner.conf > >OTOH, in http://www.sng.ecs.soton.ac.uk/mailscanner/install/other.shtml, I'd >change the order of steps 4 and 5, since the installation instructions for >the TNEF decoder is based in that MailScanner is already installed. > >Regards. > > >-- >Mariano Absatz >El Baby >---------------------------------------------------------- >Ever notice how fast Windows runs? Neither did I. -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Sat Mar 8 13:40:55 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:26 2006 Subject: rules In-Reply-To: Message-ID: <5.2.0.9.2.20030308134021.024eb130@imap.ecs.soton.ac.uk> At 10:50 08/03/2003, you wrote: >In the rules examples, I note that the default seems to be always at the >bottom of the file. Is this a requirement or can it be anywhere in the list? Anywhere you like. -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Sat Mar 8 13:14:51 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:26 2006
Subject: Replacing original(s) with *.rpmnew
In-Reply-To:
Message-ID: <5.2.0.9.2.20030308131324.02502e90@imap.ecs.soton.ac.uk>

At 23:46 07/03/2003, you wrote:
>Hello,
>
>The other day I upgraded from 4.11-x to 4.13-3. As expected, Julian's
>upgrade script simplified the process. However, I noticed several
>reports had been replaced. While replacing the originals with the
>*.rpmnew files, I figured there must be a better way to do it than "mv
>filename.rpmnew filename" ; rm filename.rpmnew" for each file.

It only puts in an rpmnew if you have modified or otherwise changed the
original file (loading it into an editor and saving it unchanged will
modify the datestamp, which is enough).

>There must be a way to do all *.rpmnew files in a directory with a short
>shell script or compound command. Can someone give me a hand with this?
>It would only be useful for files or reports I haven't changed, but
>could potentially save me a lot of keyboard tapping.

for NEW in *.rpmnew
do
  [ -e "$NEW" ] || continue   # nothing matched the glob
  echo "$NEW ..."
  # strip only the trailing .rpmnew from the name
  F=`echo "$NEW" | sed -e 's/\.rpmnew$//'`
  # keep the current file as .rpmold before replacing it
  [ -f "$F" ] && mv -f "$F" "${F}.rpmold"
  mv -f "$NEW" "$F"
done
exit

>Thanks in advance!
>
>Sincerely,
>Nathan Johanson
>nathan@tcpnetworks.net
>
>
>-----Original Message-----
>From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK]
>Sent: Friday, March 07, 2003 4:22 AM
>To: MAILSCANNER@JISCMAIL.AC.UK
>Subject: Re: MailScanner and Horde/IMP
>
>
>At 23:23 07/03/2003, you wrote:
> >Hi,
> > I installed MailScanner on my RedHat 7.3 box running Horde/IMP cvs
> >version.
> >When I send mails through Outlook or Eudora , the mails get scanned by
> >MailScanner, does both Anti-Virus and Anti-Spam checks.
> >But when I send through Horde/IMP mailscanner does not get executed. The
> >mails goes without a scan via sendmail.
> >
> >Why is this happening?
> >
> >My horde configuration conf.php
> >
> >$conf['mailer']['type'] = 'sendmail';
> >$conf['mailer']['params'] = array();
> > $conf['mailer']['params'] = array('sendmail_path' => '/usr/sbin/sendmail');
>
>You either need to upgrade to a more recent version of sendmail, or else
>set this instead of your 3 lines above:
>
>$conf['mailer']['type'] = 'smtp';
>$conf['mailer']['params'] = array();
>$conf['mailer']['params'] = array('host' => 'localhost');
>
>This will force IMP to talk SMTP to the host it is running on, which will
>get all its mail scanned.
>--
>Julian Field
>www.MailScanner.info
>MailScanner thanks transtec Computers for their support

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Sat Mar 8 13:45:38 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:26 2006 Subject: Multipart Mime attachment killing MailScanner again In-Reply-To: <7512413.1047071607313.JavaMail.dbowen1@mac.com> Message-ID: <5.2.0.9.2.20030308134315.026f1f50@imap.ecs.soton.ac.uk> At 21:13 07/03/2003, you wrote: >Hi Julian, > I have encountered the problem of a single multi-part MIME > attachement message killing MailScanner. Here again I will include the > error, however, I may have some more pertinent info. I will try to > include the qf file here, and both in a tar.gz on an ftp server fo > you. The error is as follows: Can you give me the ftp location please? Also, what version are you running? What O/S are you running (and what version of that)? >Mar 7 14:26:37 mail MailScanner[17955]: Cannot parse >/private/var/spool/MailScanner/incoming/17955/h27GA5sK025282.header and , >write-open >/private/var/spool/MailScanner/incoming/17955/h27GA5sK025282/LinkousGreen^@3x4^@.crtr: >Invalid argument at /Library/Perl/MIME/Body.pm line 414. > >One interesting thing to note is that I can't use the external TNEF >expander, as I am running on darwin Mac OS X. Here is the related portion >of MailScanner.conf, for MailScanner 4.12-2. Does it not compile correctly? The source distribution of tnef (with the "--maxsize" patch applied) is in the bin directory in the MailScanner distribution. > Also it is interesting to note that this message and the last one have > been sent from Microsoft Outlook Express for Mac containing a Multipart > mime message: > ># Expand TNEF attachments using an external program (or a Perl module)? ># This should be "yes" unless the scanner you are using (Sophos, McAfee) has ># the facility built-in. However, if you set it to "no", then the filenames ># within the TNEF attachment will not be checked against the filename rules. >Expand TNEF = yes > ># Some versions of Microsoft Outlook generate unparsable Rich Text ># format attachments. 
Do we want to deliver these bad attachments anyway? ># Setting this to yes introduces the slight risk of a virus getting through, ># but if you have a lot of troubled Outlook users you might need to do this. ># We are working on a replacement for the TNEF decoder. ># This can also be the filename of a ruleset. >Deliver Unparsable TNEF = no > ># Where the MS-TNEF expander is installed. ># This is EITHER the full command (including maxsize option) that runs ># the external TNEF expander binary, ># OR the keyword "internal" which will make MailScanner use the Perl ># module that does the same job. ># They are both provided as I am unsure which one is faster and which ># one is capable of expanding more file formats (there are plenty!). ># ># The --maxsize option limits the maximum size that any expanded attachment ># may be. It helps protect against Denial Of Service attacks in TNEF files. >TNEF Expander = internal ># This can also be the filename of a ruleset. >#TNEF Expander = /opt/MailScanner/bin/tnef --maxsize=100000000 > ># The maximum length of time the TNEF Expander is allowed to run for 1 >message. 
># (in seconds) >TNEF Timeout = 120 > > >Here is the qfh27GA5sK025282, quoted to hopefully get through the scanners: > > >V6 > >T1047053406 > >K0 > >N0 > >P30559 > >B8BITMIME > >F8bs > >$_znet.groupz.net [216.116.255.2] > >$rESMTP > >$sznet.groupz.net > >${daemon_flags} > >${if_addr}66.4.192.160 > >S > >rRFC822; xxxxx@ortn.edu > >RPFD: > >H?P?Return-Path: > >H??Received: from znet.groupz.net (znet.groupz.net [216.116.255.2]) > > by mail.ortn.edu (8.12.7/8.12.6) with ESMTP id h27GA5sK025282 > > for ; Fri, 7 Mar 2003 11:10:06 -0500 (EST) > >H??Received: from [192.168.154.153] (fwp1016.groupz.net [216.116.243.254]) > > by znet.groupz.net (8.8.6 (PHNE_14041)/8.8.8) with ESMTP id LAA21034 > > for ; Fri, 7 Mar 2003 11:09:54 -0500 (EST) > >H??User-Agent: Microsoft Outlook Express Macintosh Edition - 5.01 (1630) > >H??Date: Fri, 07 Mar 2003 11:08:59 -0500 > >H??Subject: jpeg - Linkous 3x4 > >H??From: xxxxx xxxxx > >H??To: > >H??Message-ID: > >H??Mime-version: 1.0 > >H??Content-type: multipart/mixed; > > boundary="MS_Mac_OE_3129880139_20285474_MIME_Part" > >. -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support From Jan-Peter.Koopmann at SECEIDOS.DE Sat Mar 8 14:53:49 2003 
From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann)
Date: Thu Jan 12 21:17:26 2006
Subject: More info
Message-ID: <4E7026FF8A422749B1553FE508E0068007EED9@message.intern.akctech.de>

Hi Julian,

one more thing. I changed the name of the mcafee-wrapper script to see what happened...

Mar 8 15:50:46 proxy MailScanner[91306]: New Batch: Scanning 1 messages, 2242 bytes
Mar 8 15:50:46 proxy MailScanner[91306]: Spam Checks: Starting
Mar 8 15:50:46 proxy MailScanner[91306]: Virus and Content Scanning: Starting
Mar 8 15:50:46 proxy MailScanner[92301]: Commercial virus checker failed with real error: Can't run commercial checker mcafee ("/usr/local/MailScanner/lib/mcafee-wrapper"): No such file or directory at MailScanner/SweepViruses.pm line 464.
Mar 8 15:50:47 proxy MailScanner[91306]: Uninfected: Delivered 1 messages

It could not start it so why the hell is the e-mail sent? Maybe this is somehow related? Remains the issue with the filename.rules.conf... I am using the standard distribution one but still all .com attachments are sent out as normal.

Regards,
JP

From Jan-Peter.Koopmann at SECEIDOS.DE Sat Mar 8 14:44:38 2003
From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann)
Date: Thu Jan 12 21:17:26 2006
Subject: HELP - Viruses are not detected
Message-ID: <4E7026FF8A422749B1553FE508E0068007EED6@message.intern.akctech.de>

Hi,

I just noticed something very strange: the filename.rules.conf is not obeyed and no viruses are caught (tested with EICAR). This is incoming and outgoing... I first noticed this with 4.13-3. Could this be a bug?

My config should be ok.

Virus Scanning = yes
Virus Scanners = mcafee f-prot
Filename Rules = /usr/local/MailScanner/etc/filename.rules.conf
Virus Scanner Definitions = /usr/local/MailScanner/etc/virus.scanners.conf

This is the virus.scanners.conf:

# This is a list of the names of the virus scanning engines, along with the
# filename of the command or script to run to invoke each one.
sophos          /opt/MailScanner/lib/sophos-wrapper
f-prot          /usr/local/MailScanner/lib/f-prot-wrapper
mcafee          /usr/local/MailScanner/lib/mcafee-wrapper
rav             /opt/MailScanner/lib/rav-wrapper
kaspersky       /opt/MailScanner/lib/kaspersky-wrapper
panda           /opt/MailScanner/lib/panda-wrapper
f-secure        /opt/MailScanner/lib/f-secure-wrapper
clamav          /opt/MailScanner/lib/clamav-wrapper
trend           /opt/MailScanner/lib/trend-wrapper
antivir         /usr/lib/Antivir/antivir
none            /bin/false

I checked this and running /usr/local/MailScanner/lib/mcafee-wrapper on the eicar test file works and reports this as a virus.

What am I missing here? I switched from sendmail to exim, could this have to do anything with it?

Help please,
Jan-Peter

From lists at STHOMAS.NET Sat Mar 8 16:11:13 2003
From: lists at STHOMAS.NET (Steve Thomas) Date: Thu Jan 12 21:17:26 2006 Subject: HELP - Viruses are not detected In-Reply-To: <4E7026FF8A422749B1553FE508E0068007EED6@message.intern.akctech.de> Message-ID: <000201c2e58d$58269c30$02001fac@winxp> | I switched from sendmail to exim, | could this have to do anything with it? I saw that when I set up a test machine with exim. It turned out to be a exim/MS config problem. First thing, check to see whether or not you're getting any X-MailScanner headers in messages that get delivered. If you are, the mail's getting scanned and you have a problem with your virus scanner or something. If not, did you read the docs about setting up MS with exim? You can't just drop in exim and have MS work with it like it did with sendmail. You didn't mention anything about your configuration, so it's difficult to diagnose what the problem might be. I'd be happy to help if you can give some more details on your setup. Steve From lists at STHOMAS.NET Sat Mar 8 18:03:05 2003 
From: lists at STHOMAS.NET (Steve Thomas) Date: Thu Jan 12 21:17:26 2006 Subject: HELP - Viruses are not detected In-Reply-To: <4E7026FF8A422749B1553FE508E0068007EEDE@message.intern.akctech.de>; from Jan-Peter.Koopmann@SECEIDOS.DE on Sat, Mar 08, 2003 at 06:45:31PM +0100 References: <4E7026FF8A422749B1553FE508E0068007EEDE@message.intern.akctech.de> Message-ID: <20030308100305.A15485@sthomas.net> On Sat, Mar 08, 2003 at 06:45:31PM +0100, Jan-Peter Koopmann is rumored to have said: > > > First thing, check to see whether or not you're getting any > > X-MailScanner headers in messages that get delivered. > > I am. Spam check is working as well. Then you're having a different problem than I was seeing. I was hoping that you weren't, then I'd be able to help much more.. :\ > > If you are, the mail's getting scanned and you have a problem > > with your virus scanner or something. > > I opt for "or something". :-) The virus scanners are obviously called. > Moreover the filename.rules.conf is ignored as well which should not > have anything to do with the virus scanners. The only thing I can think of is permissions. Does your log file show anything out of the ordinary? I'm fairly new to MS (only been using it for a couple of weeks), so I doubt I'll be much help since you're experiencing something different than what I was seeing. One thing you could check is the wrapper for your virus scanner. I use sophos, and had to change the paths in the wrapper for it. If you can call -wrapper and successfully catch eicar, then it's working OK. Other than that, I don't think I'll be of much help.. -- Steve Thomas steve at sthomas dot net ---------------------------------------------------------- "...subatomic matter in a particle accelerator that exists for only a few microseconds seems to exhibit more uptime than the RIAA's website." -- Andrew Orlowski TheRegister.co.uk From Jan-Peter.Koopmann at SECEIDOS.DE Sat Mar 8 17:45:31 2003 
From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann) Date: Thu Jan 12 21:17:26 2006 Subject: HELP - Viruses are not detected Message-ID: <4E7026FF8A422749B1553FE508E0068007EEDE@message.intern.akctech.de> Hi, > I saw that when I set up a test machine with exim. It turned > out to be a exim/MS config problem. I hope so... > First thing, check to see whether or not you're getting any > X-MailScanner headers in messages that get delivered. I am. Spam check is working as well. > If you are, the mail's getting scanned and you have a problem > with your virus scanner or something. I opt for "or something". :-) The virus scanners are obviously called. Moreover the filename.rules.conf is ignored as well which should not have anything to do with the virus scanners. > I'd be happy to help if you can give some more details on your setup. What would you like to know? And by the way: Thanks for the quick response. Regards, JP From mailscanner at ecs.soton.ac.uk Sat Mar 8 18:19:33 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:26 2006
Subject: HELP - Viruses are not detected
In-Reply-To: <4E7026FF8A422749B1553FE508E0068007EED6@message.intern.akctech.de>
Message-ID: <5.2.0.9.2.20030308181543.02268688@imap.ecs.soton.ac.uk>

At 14:44 08/03/2003, you wrote:
>Hi,
>
>I just noticed something very strange: the filename.rules.conf is not
>obeyed and no viruses are caught (tested with EICAR). This is incoming
>and outgoing... I first noticed this with 4.13-3. Could this be a bug?
>
>My config should be ok.
>
>Virus Scanning = yes
>Virus Scanners = mcafee f-prot
>Filename Rules = /usr/local/MailScanner/etc/filename.rules.conf
>Virus Scanner Definitions =
>/usr/local/MailScanner/etc/virus.scanners.conf

By default these files are in /opt/MailScanner, not /usr/local/MailScanner. If you are really using /usr/local/MailScanner/etc for these, where have you put the -wrapper scripts? Does the location of your -wrapper scripts match with the contents of your virus.scanners.conf file? If you are using a mixture of /opt and /usr/local, that could cause you all sorts of problems with settings not matching up with the right locations.

It looks like you have got the 2 directories confused a bit.

In the conf file you mailed me, you hadn't set the "Run as user" or "run as group" options, which are normally used for Exim setups.

>This is the virus.scanners.conf:
>
># This is a list of the names of the virus scanning engines, along with
>the
># filename of the command or script to run to invoke each one.
>sophos /opt/MailScanner/lib/sophos-wrapper
>f-prot /usr/local/MailScanner/lib/f-prot-wrapper
>mcafee /usr/local/MailScanner/lib/mcafee-wrapper
>rav /opt/MailScanner/lib/rav-wrapper
>kaspersky /opt/MailScanner/lib/kaspersky-wrapper
>panda /opt/MailScanner/lib/panda-wrapper
>f-secure /opt/MailScanner/lib/f-secure-wrapper
>clamav /opt/MailScanner/lib/clamav-wrapper
>trend /opt/MailScanner/lib/trend-wrapper
>antivir /usr/lib/Antivir/antivir
>none /bin/false
>
>I checked this and running /usr/local/MailScanner/lib/mcafee-wrapper on
>the eicar test file works and reports this as a virus.
>
>What am I missing here? I switched from sendmail to exim, could this
>have to do anything with it?
>
>Help please,
> Jan-Peter

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

From Jan-Peter.Koopmann at SECEIDOS.DE Sat Mar 8 18:47:05 2003
From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann)
Date: Thu Jan 12 21:17:26 2006
Subject: HELP - Viruses are not detected
Message-ID: <4E7026FF8A422749B1553FE508E0068007EEE8@message.intern.akctech.de>

Hi Julian,

> By default these files are in /opt/MailScanner, not
> /usr/local/MailScanner.

I know.

> If you are really using
> /usr/local/MailScanner/etc for these, where have you put the
> -wrapper scripts?

In /usr/local/MailScanner/lib

> Does the location of your -wrapper scripts
> match with the contents of your virus.scanners.conf file?

It does, I checked.

> If
> you are using a mixture of /opt and /usr/local, that could
> cause you all sorts of problems with settings not matching up
> with the right locations.

I checked all locations and am running this config for months now. No problems so far.

I put some trace statements into the mcafee-wrapper script and I am positive that it is being called:

--recursive --ignore-links --analyze --mime --secure --noboot .
PWD:/usr/local/MailScanner-4.13.3/lib
$0:/usr/local/MailScanner/lib/mcafee-wrapper
$1:--recursive
$2:--ignore-links
$3:--analyze
$4:--mime
$5:--secure
$7:.

Should PWD not be something like /var/spool/MailScanner/incoming or so?

Moreover, if I change the name of that wrapper script, MailScanner gives me an error. And: Even if there were a config error with /usr/local and /opt, should the filename rules not be obeyed? They are not.

> It looks like you have got the 2 directories confused a bit.

Don't think so but in case I just linked /usr/local/MailScanner to /opt/MailScanner. Still no change.

> In the conf file you mailed me, you hadn't set the "Run as
> user" or "run as group" options, which are normally used for
> Exim setups.

Just changed that as well. No change.

Sure this is no bug?

Thanks for the quick help over the weekend. I appreciate this a lot.

Regards,
JP

From nathan at TCPNETWORKS.NET Sat Mar 8 18:48:03 2003
From: nathan at TCPNETWORKS.NET (Nathan Johanson)
Date: Thu Jan 12 21:17:26 2006
Subject: Replacing original(s) with *.rpmnew
Message-ID:

Thanks!

For some reason, this last upgrade replaced most of the reports in 3-4 of the languages. While it's unlikely I'll ever use these other languages, I figured it would be smart to go with the latest versions in all cases (and renaming them one-by-one seemed to beg for a more efficient method).

Next on the agenda...learn some shell scripting.

Sincerely,
Nathan Johanson
Email: nathan@tcpnetworks.net

-----Original Message-----
From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK]
Sent: Sat 3/8/2003 5:14 AM
To: MAILSCANNER@JISCMAIL.AC.UK
Cc:
Subject: Re: Replacing original(s) with *.rpmnew

At 23:46 07/03/2003, you wrote:

Hello,

The other day I upgraded from 4.11-x to 4.13-3. As expected, Julian's upgrade script simplified the process. However, I noticed several reports had been replaced. While replacing the originals with the *.rpmnew files, I figured there must be a better way to do it than "mv filename.rpmnew filename" ; rm filename.rpmnew" for each file.

It only puts in an rpmnew if you have modified or otherwise changed the original file (loading it into an editor and saving it unchanged will modify the datestamp, which is enough).

There must be a way to do all *.rpmnew files in a directory with a short shell script or compound command. Can someone give me a hand with this? It would only be useful for files or reports I haven't changed, but could potentially save me a lot of keyboard tapping.

for NEW in *.rpmnew
do
  # Skip the literal pattern when no .rpmnew files exist
  [ -f "$NEW" ] || continue
  echo "$NEW ..."
  # Strip only the trailing .rpmnew suffix
  F=`echo "$NEW" | sed -e 's/\.rpmnew$//'`
  # Keep the current file as .rpmold before replacing it
  [ -f "$F" ] && mv -f "$F" "${F}.rpmold"
  mv -f "$NEW" "$F"
done
exit

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Sat Mar 8 18:57:25 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:26 2006 Subject: HELP - Viruses are not detected In-Reply-To: <4E7026FF8A422749B1553FE508E0068007EEE8@message.intern.akct ech.de> Message-ID: <5.2.0.9.2.20030308185529.022b3a30@imap.ecs.soton.ac.uk> Can you give me access to your mail server? It's usually a lot faster for me to take a look and try things out directly on your server than have an endless "How about this?" discussion. At 18:47 08/03/2003, you wrote: >Hi Julian, > > > By default these files are in /opt/MailScanner, not > > /usr/local/MailScanner. > >I know. > > > If you are really using > > /usr/local/MailScanner/etc for these, where have you put the > > -wrapper scripts? > >In /usr/local/MailScanner/lib > > > > Does the location of your -wrapper scripts > > match with the contents of you virus.scanners.conf file? > >It does I checked. > > > If > > you are using a mixture of /opt and /usr/local, that could > > cause you all sorts of problems with settings not matching up > > with the right locations. > >I checked all locations and am running this config for months now. No >problems so far. > >I put some trace statements into the mcafee-wrapper script and I am >positive that it is being called: > >--recursive --ignore-links --analyze --mime --secure --noboot . >PWD:/usr/local/MailScanner-4.13.3/lib >$0:/usr/local/MailScanner/lib/mcafee-wrapper >$1:--recursive >$2:--ignore-links >$3:--analyze >$4:--mime >$5:--secure >$7:. > >Should PWD not be something like /var/spool/MailScanner/incoming or so? > >Moreover, if I change the name of that wrapper script, MailScanner gives >me an error. And: Even if there were a config error with /usr/local and >/opt, should the filename rules not be obeyes? They are not. > > > It looks like you have got the 2 directories confused a bit. > >Don't think so but in case I just linked /usr/local/MailScanner to >/opt/MailScanner. Still no change. 
> > > In the conf file you mailed me, you hadn't set the "Run as > > user" or "run as group" options, which are normally used for > > Exim setups. > >Just changed that as well. No change. > >Sure this is no bug? > >Thanks for the quick help over the weekend. I appreciate this a lot. > >Regards, > JP -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support From Jan-Peter.Koopmann at SECEIDOS.DE Sat Mar 8 18:59:55 2003 From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann) Date: Thu Jan 12 21:17:26 2006 Subject: HELP - Viruses are not detected Message-ID: <4E7026FF8A422749B1553FE508E0068007EEEE@message.intern.akctech.de> > Can you give me access to your mail server? It's usually a > lot faster for me to take a look and try things out directly > on your server than have an endless "How about this?" discussion. I was afraid you would ask this and unfortunately at the moment that is not possible... Are there some sort of traces I could activate? Any sort of debug mode that would help? Thanks, JP From support at INVICTANET.CO.UK Sat Mar 8 21:56:16 2003 
From: support at INVICTANET.CO.UK (InvictaNet Customer Support) Date: Thu Jan 12 21:17:26 2006 Subject: HELP - Viruses are not detected In-Reply-To: <5.2.0.9.2.20030308181543.02268688@imap.ecs.soton.ac.uk> Message-ID: Julian wrote: > > By default these files are in /opt/MailScanner, not > /usr/local/MailScanner. If you are really using > /usr/local/MailScanner/etc for these, where have you put the -wrapper > scripts? Does the location of your -wrapper scripts match with the > contents of you virus.scanners.conf file? If you are using a mixture > of /opt and /usr/local, that could cause you all sorts of problems > with settings not matching up with the right locations. > > It looks like you have got the 2 directories confused a bit. > It possibly won't help Jan-Peter, but I also have a mixed configuration. On my MailScanner server, I am running FreeBSD 4.7, Sophos, F-Prot, Sendmail 8.12.8 and MailScanner 4.13-3 I upgraded Sendmail because of the Security Alert. This, combined with the Sophos change seemed to break my MailScanner 3.x so I decided to go the whole way and move to MailScanner 4. Because of different paths in the source package and on my server etc. I have now ended up with: MailScanner is actually installed in /usr/local/MailScanner-4.13-3 /opt is linked to /usr/local mailscanner and MailScanner are linked to MailScanner-4.13-3 So far, everything seems to be working fine. I do wonder though if I am heading for a fall - advice would be appreciated from anyone who might have considered this method. 
Martyn Routley ----------------------------------------------------------------- InvictaNet - The Internet in Plain English, Guaranteed http://www.invictanet.co.uk martyn@support.invictanet.co.uk phone: 08707 440180 fax: 08707 440181 Ask us about our online Antivirus and Junk mail scanning service ----------------------------------------------------------------- ------------------------------------------------- This message has been scanned for viruses and dangerous content by the http://www.anti84787.com MailScanner, and is believed to be clean. ------------------------------------------------- From mailscanner at ecs.soton.ac.uk Sat Mar 8 22:16:21 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:26 2006 Subject: HELP - Viruses are not detected In-Reply-To: References: <5.2.0.9.2.20030308181543.02268688@imap.ecs.soton.ac.uk> Message-ID: <5.2.0.9.2.20030308221256.02729d90@imap.ecs.soton.ac.uk> At 21:56 08/03/2003, you wrote: >Julian wrote: > > > > By default these files are in /opt/MailScanner, not > > /usr/local/MailScanner. If you are really using > > /usr/local/MailScanner/etc for these, where have you put the -wrapper > > scripts? Does the location of your -wrapper scripts match with the > > contents of you virus.scanners.conf file? If you are using a mixture > > of /opt and /usr/local, that could cause you all sorts of problems > > with settings not matching up with the right locations. > > > > It looks like you have got the 2 directories confused a bit. > > > >It possibly won't help Jan-Peter, but I also have a mixed configuration. >On my MailScanner server, I am running FreeBSD 4.7, Sophos, F-Prot, Sendmail >8.12.8 and MailScanner 4.13-3 >I upgraded Sendmail because of the Security Alert. This, combined with the >Sophos change seemed to break my MailScanner 3.x so I decided to go the >whole way and move to MailScanner 4. > >Because of different paths in the source package and on my server etc. I >have now ended up with: >MailScanner is actually installed in /usr/local/MailScanner-4.13-3 >/opt is linked to /usr/local >mailscanner and MailScanner are linked to MailScanner-4.13-3 > >So far, everything seems to be working fine. I do wonder though if I am >heading for a fall - advice would be appreciated from anyone who might have >considered this method. That does give me some reassurance that 4.13-3 isn't fundamentally broken. I've just been through every change in the code between 4.12 and 4.13, and there isn't anything that should break it. The only thing I can see that might cause you trouble is potential confusion when doing future upgrades. 
But if you are happy with that, then I don't see any great problem with it. Thanks for the info! -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support From jrudd at UCSC.EDU Sun Mar 9 00:56:05 2003 From: jrudd at UCSC.EDU (John Rudd) Date: Thu Jan 12 21:17:26 2006 Subject: FREQ: infected header value Message-ID: Could it be possible to have an option for putting the name of the virus in the infected header? Something like: Infected Header Value = Found to be infected with $infection where $infection would be a list of names, for the viruses found and/or filename rules that were tripped. From mailscanner at ecs.soton.ac.uk Sun Mar 9 11:12:08 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:26 2006 Subject: FREQ: infected header value In-Reply-To: Message-ID: <5.2.0.9.2.20030309110832.021688a8@imap.ecs.soton.ac.uk> At 00:56 09/03/2003, you wrote: >Could it be possible to have an option for putting the name of the >virus in the infected header? >Something like: >Infected Header Value = Found to be infected with $infection >where $infection would be a list of names, for the viruses found and/or >filename rules that were tripped. I have done this for a couple of the scanners (including F-Prot if I remember rightly) but it's pretty difficult to do generally. -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support From etate01 at sun.hazelwood.k12.mo.us Sun Mar 9 14:23:41 2003 
From: etate01 at sun.hazelwood.k12.mo.us (Ed Tate)
Date: Thu Jan 12 21:17:26 2006
Subject: Harebrained Idea for scanning SPAM?
Message-ID: <000001c2e647$7c2c74f0$0200a8c0@computer>

This is just an idea (maybe a really dumb one) and I was wondering if this is even feasible to consider. This came out of a conversation with my boss who was aggravated because he can't find his important emails among the ads to enlarge his private parts and I told him that I'd at least look into it.

MS & SA do an excellent job of working together but the real problem is what to do with SPAM once you've identified it as such.

What I'd like to do is to set Spam Assassin's score high and just automatically delete those from the system. Then I'd like to run it again with a lower score and stick the {SPAM} in the header and let the user decide.

Currently we're configured at 6 and almost everything we catch is SPAM but we miss a lot. When I drop it to 5, I catch almost 100% of all the spam but I also get too many false positives to automatically delete these.

I guess the question is can Mailscanner & Spam Assassin be run more than once?

Thanks.

Ed Tate (etate01@hazelwoodschools.org)

From mailscanner at ecs.soton.ac.uk Sun Mar 9 14:30:19 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:26 2006 Subject: Harebrained Idea for scanning SPAM? In-Reply-To: <000001c2e647$7c2c74f0$0200a8c0@computer> Message-ID: <5.2.0.9.2.20030309142857.0216a978@imap.ecs.soton.ac.uk> At 14:23 09/03/2003, you wrote: >This is just an idea (maybe a really dumb one) and I was wondering if this >is even feasible to consider. This came out of a conversation with my boss >who was aggravated because he can't find his important emails among the adds >to enlarge his private parts and I told him that I'd at least look into it. > >MS & SA do an excellent job of working together but the real problem is what >do with SPAM once you've identified it as such. > >What I'd like to do is to set Spam Assassins' score high and just >automatically delete those from the system. Then I'd like to run it again >with a lower score and stick the {SPAM} in the header and let the user >decide. > >Currently we're configured at 6 and almost everything we catch is SPAM but >we miss a lot. When I drop it to 5, I catch almost 100% of all the spam but >I also get too many false positives to automatically delete these. > >I guess the question is can Mailscanner & Spam Assassin be run more than >once? What's the difference between that and using the "High Score" options that are in MailScanner already? Just set "High Scoring Spam Actions = delete" and "Spam Actions = deliver". -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support From dbird at SGHMS.AC.UK Sun Mar 9 19:01:26 2003 
From: dbird at SGHMS.AC.UK (Daniel Bird)
Date: Thu Jan 12 21:17:26 2006
Subject: Problem with 'forward' spam action
Message-ID: <3E6B8F86.2000003@sghms.ac.uk>

Dear all,
I'm running Rh7.3, MS4.13-3, SA2.60-cvs and Exim. In MailScanner.conf I have:

High Scoring Spam Actions = store forward spam@sghms.ac.uk

I'm seeing the following in my mail.log....

Mar 9 18:22:20 mailhub1 MailScanner[17291]: Spam Actions: message 18s5RA-0004t0-00 actions are forward,store,spam@sghms.ac.uk

but in my exim log I see....

2003-03-09 18:22:20 18s5RA-0004t0-00 Format error in spool file 18s5RA-0004t0-00-H: size=1573

and the message is not forwarded...

This is the content of the above file (I've anonymised the original recipient).....

18s5RA-0004t0-00-H
root 0 0

1047234136 0
-helo_name shark1
-deliver_firsttime
-host_address 217.39.107.177.3176
-received_protocol esmtp
-body_linecount 68
-interface_address 194.82.51.7.25
XX
2
spam@sghms.ac.uk

171P Received: from [217.39.107.177] (helo=shark1)
    by mailhub1.sghms.ac.uk with esmtp (Exim 4.12)
    id 18s5RA-0004t0-00
    for xxx@sghms.ac.uk; Sun, 09 Mar 2003 18:22:16 +0000
124 Received: from aol.com ([218.88.187.105]) by shark1 with Microsoft SMTPSVC(5.0.2195.1600);
    Sun, 9 Mar 2003 18:25:45 +0000
055I Message-ID: <00006e8a0b57$000007c8$00006aa7@lycos.com>
024T To:
042F From: "John Darvis"
054 Subject:****VeryLikelySPAM**** Dow Jones in Trouble?
038 Date: Sun, 09 Mar 2003 13:26:21 -1700
018 MIME-Version: 1.0
047 Content-Type: text/html;
    charset="iso-8859-1"
044 Content-Transfer-Encoding: quoted-printable
030R Reply-To: wasberdll0@juno.com
033 Return-Path: wasberdll0@juno.com
084 X-OriginalArrivalTime: 09 Mar 2003 18:25:47.0928 (UTC) FILETIME=[4E4AE180:01C2E669]
037 X-MailScanner-MH1: Found to be clean
404 X-MailScanner-SpamCheck: spam, SpamAssassin (score=27, required 5,
    BANG_MONEY, BAYES_90, CLICK_BELOW, EXCUSE_14, FREE_TRIAL, HTML_40_50,
    HTML_FONT_BIG, HTML_FONT_COLOR_BLUE, HTML_FONT_COLOR_GREEN,
    HTML_FONT_COLOR_UNSAFE, HTML_LINK_CLICK_HERE, INVALID_DATE_TZ_ABSURD,
    MSGID_OE_SPAM_4ZERO, MSGID_OUTLOOK_TIME, MSGID_SPAMSIGN_ZEROES,
    OFFERS_ETC, RAZOR2_CF_RANGE_91_100, RAZOR2_CHECK, SEE_FOR_YOURSELF)
053 X-MailScanner-SpamScore: sssssssssssssssssssssssssss

This makes me think MS is not forming the header properly, or am I missing something?

regards

Dan

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

From dbird at SGHMS.AC.UK Sun Mar 9 19:16:34 2003
From: dbird at SGHMS.AC.UK (Daniel Bird) Date: Thu Jan 12 21:17:26 2006 Subject: Problem with 'forward' spam action References: <3E6B8F86.2000003@sghms.ac.uk> Message-ID: <3E6B9312.2030009@sghms.ac.uk> A little more info.. If I put a forward on "Spam Actions", it works fine. Dan Daniel Bird wrote: > Dear all, > I'm running Rh7.3, MS4.13-3, SA2.60-cvs and Exim. in MailScanner.conf I > have: > > High Scoring Spam Actions = store forward spam@sghms.ac.uk > > I'm seeing the following in my mail.log.... > > Mar 9 18:22:20 mailhub1 MailScanner[17291]: Spam Actions: message > 18s5RA-0004t0-00 actions are forward,store,spam@sghms.ac.uk > > but in my exim log I see.... > > 2003-03-09 18:22:20 18s5RA-0004t0-00 Format error in spool file > 18s5RA-0004t0-00-H: size=1573 > > and the message is not forwarded... > > This is the content of the above file (I've anonymised the original > recipient)..... > > 18s5RA-0004t0-00-H > root 0 0 > > 1047234136 0 > -helo_name shark1 > -deliver_firsttime > -host_address 217.39.107.177.3176 > -received_protocol esmtp > -body_linecount 68 > -interface_address 194.82.51.7.25 > XX > 2 > spam@sghms.ac.uk > > 171P Received: from [217.39.107.177] (helo=shark1) > by mailhub1.sghms.ac.uk with esmtp (Exim 4.12) > id 18s5RA-0004t0-00 > for xxx@sghms.ac.uk; Sun, 09 Mar 2003 18:22:16 +0000 > 124 Received: from aol.com ([218.88.187.105]) by shark1 with Microsoft > SMTPSVC(5.0.2195.1600); > Sun, 9 Mar 2003 18:25:45 +0000 > 055I Message-ID: <00006e8a0b57$000007c8$00006aa7@lycos.com> > 024T To: > 042F 
From: "John Darvis" > 054 Subject:****VeryLikelySPAM**** Dow Jones in Trouble? > 038 Date: Sun, 09 Mar 2003 13:26:21 -1700 > 018 MIME-Version: 1.0 > 047 Content-Type: text/html; > charset="iso-8859-1" > 044 Content-Transfer-Encoding: quoted-printable > 030R Reply-To: wasberdll0@juno.com > 033 Return-Path: wasberdll0@juno.com > 084 X-OriginalArrivalTime: 09 Mar 2003 18:25:47.0928 (UTC) > FILETIME=[4E4AE180:01C2E669] > 037 X-MailScanner-MH1: Found to be clean > 404 X-MailScanner-SpamCheck: spam, SpamAssassin (score=27, required 5, > BANG_MONEY, BAYES_90, CLICK_BELOW, EXCUSE_14, FREE_TRIAL, > HTML_40_50, > HTML_FONT_BIG, HTML_FONT_COLOR_BLUE, HTML_FONT_COLOR_GREEN, > HTML_FONT_COLOR_UNSAFE, HTML_LINK_CLICK_HERE, > INVALID_DATE_TZ_ABSURD, > MSGID_OE_SPAM_4ZERO, MSGID_OUTLOOK_TIME, MSGID_SPAMSIGN_ZEROES, > OFFERS_ETC, RAZOR2_CF_RANGE_91_100, RAZOR2_CHECK, > SEE_FOR_YOURSELF) > 053 X-MailScanner-SpamScore: sssssssssssssssssssssssssss > > This makes me think MS is not forming the header properly, or am I > missing something? > > regards > > Dan > > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From mailscanner at ecs.soton.ac.uk Sun Mar 9 19:28:18 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:26 2006 Subject: Problem with 'forward' spam action In-Reply-To: <3E6B9312.2030009@sghms.ac.uk> References: <3E6B8F86.2000003@sghms.ac.uk> Message-ID: <5.2.0.9.2.20030309192748.0263f568@imap.ecs.soton.ac.uk> Can you try this patch to Exim.pm please? --- Exim.pm.old Thu Feb 6 17:12:56 2003 +++ Exim.pm Sun Mar 9 19:28:25 2003 
@@ -899,6 +899,7 @@ my $this = shift; my($message) = @_; + $message->{metadata}{numrcpts}--; $message->{metadata}{rcpts} = []; $message->{metadata}{nonrcpts} = {}; At 19:16 09/03/2003, you wrote: >A little more info.. >If I put a forward on "Spam Actions", it works fine. > >Dan > >Daniel Bird wrote: > >>Dear all, >>I'm running Rh7.3, MS4.13-3, SA2.60-cvs and Exim. in MailScanner.conf I >>have: >> >>High Scoring Spam Actions = store forward spam@sghms.ac.uk >> >>I'm seeing the following in my mail.log.... >> >>Mar 9 18:22:20 mailhub1 MailScanner[17291]: Spam Actions: message >>18s5RA-0004t0-00 actions are forward,store,spam@sghms.ac.uk >> >>but in my exim log I see.... >> >>2003-03-09 18:22:20 18s5RA-0004t0-00 Format error in spool file >>18s5RA-0004t0-00-H: size=1573 >> >>and the message is not forwarded... >> >>This is the content of the above file (I've anonymised the original >>recipient)..... >> >>18s5RA-0004t0-00-H >>root 0 0 >> >>1047234136 0 >>-helo_name shark1 >>-deliver_firsttime >>-host_address 217.39.107.177.3176 >>-received_protocol esmtp >>-body_linecount 68 >>-interface_address 194.82.51.7.25 >>XX >>2 >>spam@sghms.ac.uk >> >>171P Received: from [217.39.107.177] (helo=shark1) >> by mailhub1.sghms.ac.uk with esmtp (Exim 4.12) >> id 18s5RA-0004t0-00 >> for xxx@sghms.ac.uk; Sun, 09 Mar 2003 18:22:16 +0000 >>124 Received: from aol.com ([218.88.187.105]) by shark1 with Microsoft >>SMTPSVC(5.0.2195.1600); >> Sun, 9 Mar 2003 18:25:45 +0000 >>055I Message-ID: <00006e8a0b57$000007c8$00006aa7@lycos.com> >>024T To: >>042F 
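Review bot: the added `$message->{metadata}{numrcpts}--;` lowers the counter by exactly one, while the very next line replaces `rcpts` with an empty list, so the counter and the list only stay in step if a single recipient was present when this routine is entered. If the routine is meant to drop every recipient, set the counter from the list (or to 0) rather than decrementing it; if it really removes just one, a comment above the new line should say which one and why. A message that arrives here with several recipients is the case worth testing before this goes into a release.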
From: "John Darvis" >>054 Subject:****VeryLikelySPAM**** Dow Jones in Trouble? >>038 Date: Sun, 09 Mar 2003 13:26:21 -1700 >>018 MIME-Version: 1.0 >>047 Content-Type: text/html; >> charset="iso-8859-1" >>044 Content-Transfer-Encoding: quoted-printable >>030R Reply-To: wasberdll0@juno.com >>033 Return-Path: wasberdll0@juno.com >>084 X-OriginalArrivalTime: 09 Mar 2003 18:25:47.0928 (UTC) >>FILETIME=[4E4AE180:01C2E669] >>037 X-MailScanner-MH1: Found to be clean >>404 X-MailScanner-SpamCheck: spam, SpamAssassin (score=27, required 5, >> BANG_MONEY, BAYES_90, CLICK_BELOW, EXCUSE_14, FREE_TRIAL, >>HTML_40_50, >> HTML_FONT_BIG, HTML_FONT_COLOR_BLUE, HTML_FONT_COLOR_GREEN, >> HTML_FONT_COLOR_UNSAFE, HTML_LINK_CLICK_HERE, >>INVALID_DATE_TZ_ABSURD, >> MSGID_OE_SPAM_4ZERO, MSGID_OUTLOOK_TIME, MSGID_SPAMSIGN_ZEROES, >> OFFERS_ETC, RAZOR2_CF_RANGE_91_100, RAZOR2_CHECK, >>SEE_FOR_YOURSELF) >>053 X-MailScanner-SpamScore: sssssssssssssssssssssssssss >> >>This makes me think MS is not forming the header properly, or am I >>missing something? >> >>regards >> >>Dan >> >> >>-- >>This message has been scanned for viruses and >>dangerous content by MailScanner, and is >>believed to be clean. > > > >-- >This message has been scanned for viruses and >dangerous content by MailScanner, and is >believed to be clean. -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support From dbird at SGHMS.AC.UK Sun Mar 9 19:35:11 2003 From: dbird at SGHMS.AC.UK (Daniel Bird) Date: Thu Jan 12 21:17:26 2006 Subject: Problem with 'forward' spam action References: <3E6B8F86.2000003@sghms.ac.uk> <5.2.0.9.2.20030309192748.0263f568@imap.ecs.soton.ac.uk> Message-ID: <3E6B976F.4080803@sghms.ac.uk> Julian Field wrote: > Can you try this patch to Exim.pm please? > > --- Exim.pm.old Thu Feb 6 17:12:56 2003 > +++ Exim.pm Sun Mar 9 19:28:25 2003 
> @@ -899,6 +899,7 @@ > my $this = shift; > my($message) = @_; > > + $message->{metadata}{numrcpts}--; > $message->{metadata}{rcpts} = []; > $message->{metadata}{nonrcpts} = {}; Yup, that's fixed it. thanks Julian, you're a * Dan > > At 19:16 09/03/2003, you wrote: > >> A little more info.. >> If I put a forward on "Spam Actions", it works fine. >> >> Dan >> >> Daniel Bird wrote: >> >>> Dear all, >>> I'm running Rh7.3, MS4.13-3, SA2.60-cvs and Exim. in MailScanner.conf I >>> have: >>> >>> High Scoring Spam Actions = store forward spam@sghms.ac.uk >>> >>> I'm seeing the following in my mail.log.... >>> >>> Mar 9 18:22:20 mailhub1 MailScanner[17291]: Spam Actions: message >>> 18s5RA-0004t0-00 actions are forward,store,spam@sghms.ac.uk >>> >>> but in my exim log I see.... >>> >>> 2003-03-09 18:22:20 18s5RA-0004t0-00 Format error in spool file >>> 18s5RA-0004t0-00-H: size=1573 >>> >>> and the message is not forwarded... >>> >>> This is the content of the above file (I've anonymised the original >>> recipient)..... >>> >>> 18s5RA-0004t0-00-H >>> root 0 0 >>> >>> 1047234136 0 >>> -helo_name shark1 >>> -deliver_firsttime >>> -host_address 217.39.107.177.3176 >>> -received_protocol esmtp >>> -body_linecount 68 >>> -interface_address 194.82.51.7.25 >>> XX >>> 2 >>> spam@sghms.ac.uk >>> >>> 171P Received: from [217.39.107.177] (helo=shark1) >>> by mailhub1.sghms.ac.uk with esmtp (Exim 4.12) >>> id 18s5RA-0004t0-00 >>> for xxx@sghms.ac.uk; Sun, 09 Mar 2003 18:22:16 +0000 >>> 124 Received: from aol.com ([218.88.187.105]) by shark1 with Microsoft >>> SMTPSVC(5.0.2195.1600); >>> Sun, 9 Mar 2003 18:25:45 +0000 >>> 055I Message-ID: <00006e8a0b57$000007c8$00006aa7@lycos.com> >>> 024T To: >>> 042F 
From: "John Darvis" >>> 054 Subject:****VeryLikelySPAM**** Dow Jones in Trouble? >>> 038 Date: Sun, 09 Mar 2003 13:26:21 -1700 >>> 018 MIME-Version: 1.0 >>> 047 Content-Type: text/html; >>> charset="iso-8859-1" >>> 044 Content-Transfer-Encoding: quoted-printable >>> 030R Reply-To: wasberdll0@juno.com >>> 033 Return-Path: wasberdll0@juno.com >>> 084 X-OriginalArrivalTime: 09 Mar 2003 18:25:47.0928 (UTC) >>> FILETIME=[4E4AE180:01C2E669] >>> 037 X-MailScanner-MH1: Found to be clean >>> 404 X-MailScanner-SpamCheck: spam, SpamAssassin (score=27, required 5, >>> BANG_MONEY, BAYES_90, CLICK_BELOW, EXCUSE_14, FREE_TRIAL, >>> HTML_40_50, >>> HTML_FONT_BIG, HTML_FONT_COLOR_BLUE, HTML_FONT_COLOR_GREEN, >>> HTML_FONT_COLOR_UNSAFE, HTML_LINK_CLICK_HERE, >>> INVALID_DATE_TZ_ABSURD, >>> MSGID_OE_SPAM_4ZERO, MSGID_OUTLOOK_TIME, MSGID_SPAMSIGN_ZEROES, >>> OFFERS_ETC, RAZOR2_CF_RANGE_91_100, RAZOR2_CHECK, >>> SEE_FOR_YOURSELF) >>> 053 X-MailScanner-SpamScore: sssssssssssssssssssssssssss >>> >>> This makes me think MS is not forming the header properly, or am I >>> missing something? >>> >>> regards >>> >>> Dan >>> >>> >>> -- >>> This message has been scanned for viruses and >>> dangerous content by MailScanner, and is >>> believed to be clean. >> >> >> >> >> -- >> This message has been scanned for viruses and >> dangerous content by MailScanner, and is >> believed to be clean. > > > -- > Julian Field > www.MailScanner.info > Professional Support Services at www.MailScanner.biz > MailScanner thanks transtec Computers for their support > -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From jrudd at UCSC.EDU Sun Mar 9 20:49:45 2003 From: jrudd at UCSC.EDU (John Rudd) Date: Thu Jan 12 21:17:26 2006 Subject: FREQ: infected header value Message-ID: <200303092049.h29Knja15338@kzin.ucsc.edu> 
> From: Julian Field
>
> At 00:56 09/03/2003, you wrote:
> >Could it be possible to have an option for putting the name of the
> >virus in the infected header?
> >Something like:
> >Infected Header Value = Found to be infected with $infection
> >where $infection would be a list of names, for the viruses found and/or
> >filename rules that were tripped.
>
> I have done this for a couple of the scanners (including F-Prot if I
> remember rightly) but it's pretty difficult to do generally.

Would sophos be one of the ones that would be difficult?

From glynn at makati.techsquare.com Mon Mar 10 06:25:51 2003
From: glynn at makati.techsquare.com (Glynn S. Condez)
Date: Thu Jan 12 21:17:26 2006
Subject: Spam Score Header
Message-ID: <014501c2e6cd$e5d9b710$8201a8c0@proaccessph.com>

Hi All,

I just upgraded my MailScanner 3 to 4.13-3 a while ago. What I observed is that Spam Score Header produced "sss" result on it. I'd like to know if it's normal?

Thanks in advance

--- Glynn ---

From Jan-Peter.Koopmann at SECEIDOS.DE Mon Mar 10 10:33:59 2003
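Added example, not part of any message in this archive: the -H file quoted in the 'forward' spam action thread above declares 2 recipients but lists one, and the change that fixed it lowers the count. This check compares the declared count with the addresses that follow it; the function names, output strings, placeholder envelope sender and trimmed sample are assumptions, and only the simple layout shown in the thread is handled.

```shell
#!/bin/sh
# Added example, not Exim or MailScanner code.

# spool_rcpt_check FILE
# Prints "OK <n>" or "MISMATCH declared=<d> listed=<l>".
# Exit status: 0 consistent, 1 mismatch, 2 layout not recognised.
spool_rcpt_check() {
    awk '
        BEGIN                    { phase = 0; listed = 0; bad = 0 }
        NR <= 4                  { next }   # message id, user/uid/gid, sender, received time
        phase == 0 && /^-/       { next }   # "-name value" option lines
        phase == 0 && ($0 == "XX" || /^[YN][YN] /) { next }   # non-recipients tree
        phase == 0 && /^[0-9]+$/ { declared = $0 + 0; phase = 1; next }
        phase == 0               { print "UNPARSED line " NR; bad = 1; exit }
        phase == 1 && $0 == ""   { phase = 2; exit }   # blank line ends the recipient list
        phase == 1               { listed++ }
        END {
            if (bad) exit 2
            if (phase == 0) { print "UNPARSED no recipient count"; exit 2 }
            if (declared == listed) { print "OK " declared; exit 0 }
            print "MISMATCH declared=" declared " listed=" (listed + 0)
            exit 1
        }
    ' "$1"
}

# write_sample COUNT
# Writes a constructed -H excerpt modelled on the one in the thread (the envelope
# sender is a placeholder, most option and header lines are dropped) and prints
# the path of the file.
write_sample() {
    f=$(mktemp "${TMPDIR:-/tmp}/spoolH.XXXXXX")
    cat > "$f" <<EOF
18s5RA-0004t0-00-H
root 0 0
<sender@example.invalid>
1047234136 0
-helo_name shark1
-deliver_firsttime
-received_protocol esmtp
-body_linecount 68
XX
$1
spam@sghms.ac.uk

018  MIME-Version: 1.0
EOF
    echo "$f"
}

# Demo: the count as posted in the thread, then the count after the fix.
broken=$(write_sample 2)
fixed=$(write_sample 1)
spool_rcpt_check "$broken" || true
spool_rcpt_check "$fixed"
rm -f "$broken" "$fixed"
```

Run over a spool directory before the MTA picks the files up, a non-zero status marks messages that will be rejected with a format error instead of being delivered or forwarded.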
From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann) Date: Thu Jan 12 21:17:26 2006 Subject: HELP - Viruses are not detected Message-ID: <4E7026FF8A422749B1553FE508E0068007EF08@message.intern.akctech.de> Hi, > I just noticed something very strange: the > filename.rules.conf is not obeyed and no viruses are caught > (tested with EICAR). This is incoming and outgoing... I first > noticed this with 4.13-3. Could this be a bug? Just wanted to let you know we found the problem. After an upgrade from 4.12 to 4.13 I forgot to change the SystemDefs.pm in lib/MailScanner. Therefore $global::sed pointed to /bin/sed. Under FreeBSD this must be /usr/bin/sed. This caused the EximDiskStore to fail when reading the message body (since it uses sed there) and passing it over to the MIME::Parser. Therefore the message did not get extracted and since there was nothing to scan, all virus scanners told MS that everything is ok. So all FreeBSD users: Always watch the SystemDefs.pm settings! :-) Thanks to everybody who offered their help.. Regards, Jan-Peter From mailscanner at ecs.soton.ac.uk Mon Mar 10 11:02:22 2003 
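Added example, not part of the thread and not MailScanner code: a preflight check for the failure described above, where a wrong helper path left the scanners with nothing to scan and every message came back clean. It checks helper binaries passed as arguments and the wrapper paths in a file using the virus.scanners.conf layout quoted earlier; the function names, output strings and the sandbox tree are assumptions.

```shell
#!/bin/sh
# Added example. Nothing here reads SystemDefs.pm; helper paths such as the
# configured sed are passed in as plain arguments.

# check_helpers PATH...
# Prints "MISSING-HELPER <path>" for each path that is not an executable file.
# Exit status: 0 if every helper is usable, 1 otherwise.
check_helpers() {
    rc=0
    for p in "$@"; do
        if [ ! -f "$p" ] || [ ! -x "$p" ]; then
            echo "MISSING-HELPER $p"
            rc=1
        fi
    done
    return $rc
}

# check_scanners CONF ENGINE...
# CONF holds "<engine> <wrapper path>" per line, '#' lines are comments.
# ENGINE... is the list given in "Virus Scanners =".
check_scanners() {
    conf=$1; shift
    rc=0
    for engine in "$@"; do
        wrapper=$(awk -v e="$engine" '$1 == e { print $2; exit }' "$conf")
        if [ -z "$wrapper" ]; then
            echo "UNDEFINED $engine"; rc=1
        elif [ ! -f "$wrapper" ] || [ ! -x "$wrapper" ]; then
            echo "MISSING-WRAPPER $engine $wrapper"; rc=1
        fi
    done
    return $rc
}

# wrapper_dirs CONF ENGINE...
# Prints the distinct directories holding the wrappers of the enabled engines.
# More than one line of output means the install mixes prefixes.
wrapper_dirs() {
    conf=$1; shift
    for engine in "$@"; do
        awk -v e="$engine" '$1 == e { print $2; exit }' "$conf"
    done | sed -e 's|/[^/]*$||' | sort -u
}

# make_demo_tree: builds a constructed sandbox and prints its path.
# sed exists only under usr/bin, and the f-prot wrapper is deliberately absent.
make_demo_tree() {
    root=$(mktemp -d "${TMPDIR:-/tmp}/msdemo.XXXXXX")
    mkdir -p "$root/usr/bin" "$root/usr/local/MailScanner/lib" \
             "$root/opt/MailScanner/lib" "$root/etc"
    for f in usr/bin/sed usr/local/MailScanner/lib/mcafee-wrapper \
             opt/MailScanner/lib/sophos-wrapper; do
        printf '#!/bin/sh\nexit 0\n' > "$root/$f"
        chmod +x "$root/$f"
    done
    cat > "$root/etc/virus.scanners.conf" <<EOF
# constructed sample in the layout quoted in the thread
sophos  $root/opt/MailScanner/lib/sophos-wrapper
f-prot  $root/usr/local/MailScanner/lib/f-prot-wrapper
mcafee  $root/usr/local/MailScanner/lib/mcafee-wrapper
EOF
    echo "$root"
}

# Demo on the sandbox: the configured sed path is wrong, one wrapper is missing.
demo=$(make_demo_tree)
check_helpers "$demo/bin/sed" "$demo/usr/bin/sed" \
    || echo "preflight failed: fix helper paths before trusting clean verdicts"
check_scanners "$demo/etc/virus.scanners.conf" mcafee f-prot \
    || echo "preflight failed: a configured scanner cannot run"
wrapper_dirs "$demo/etc/virus.scanners.conf" sophos mcafee
rm -rf "$demo"
```

A path check only proves the pieces exist; sending an EICAR test message through the full pipeline after each upgrade is still the end-to-end confirmation the thread relied on.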
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:26 2006 Subject: Spam Score Header In-Reply-To: <014501c2e6cd$e5d9b710$8201a8c0@proaccessph.com> Message-ID: <5.2.0.9.2.20030310105948.0234b0f0@imap.ecs.soton.ac.uk> At 06:25 10/03/2003, you wrote: >Hi All, > >I just upgraded my MailScanner 3 to 4.13-3 awhile ago. >What I observed is that Spam Score Header produced "sss" result on it. >I'd like to know if its normal? Read the MailScanner.conf comments for the "Spam Score" header. 3 "s" characters imply that SpamAssassin gave it a score of 3. It is there so that users can easily write their own mail filters to filter messages at any spam score they like. If a user wants to do something with messages scoring over 10, for example, they can just look for "ssssssssss". -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Mon Mar 10 11:04:24 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:26 2006 Subject: can't get spamassassin to work!! In-Reply-To: <5.2.0.9.0.20030311031218.00aabe20@pop.gmx.net> Message-ID: <5.2.0.9.2.20030310110303.0242c398@imap.ecs.soton.ac.uk> At 21:55 10/03/2003, you wrote: >But spamassassin is not doing the checks from this table. >I am running spamd with the options " -q -d -c -a" Note that MailScanner doesn't use spamd (or the "spamassassin" script). It works faster than either of those methods. -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support From Jan-Peter.Koopmann at SECEIDOS.DE Mon Mar 10 11:30:10 2003 
From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann) Date: Thu Jan 12 21:17:26 2006 Subject: FromTo: not working? Message-ID: <4E7026FF8A422749B1553FE508E0068007EF15@message.intern.akctech.de> Hi Julian, > I have just tested your exact rules file, totally untouched, > with messages coming from seceidos.de and messages not coming > from there. It worked 100% as I would have expected it to > work, so it's not a bug. I took the liberty to debug this and I think I found the problem. In Config.pm I put MailScanner::Log::WarnLog("Matching From: " . $msg->{from} ."\n"); foreach $to (@{$msg->{to}}) { MailScanner::Log::WarnLog("Matching To: " . $to ."\n"); } MailScanner::Log::WarnLog("Matching against $direction $iporaddr /$regexp/\n"); In the foreach $rule part of the sub Value. This is what the log says when I write a message: Mar 10 12:26:21 proxy MailScanner[66706]: Matching From: Mar 10 12:26:21 proxy MailScanner[66706]: Matching To: jan-peter.koopmann@web.de Mar 10 12:26:21 proxy MailScanner[66706]: Matching against ft t /^.*\@seceidos\.de\.?$/ Mar 10 12:26:21 proxy MailScanner[66706]: Matching From: Mar 10 12:26:21 proxy MailScanner[66706]: Matching To: jan-peter.koopmann@web.de Mar 10 12:26:21 proxy MailScanner[66706]: Matching against ft t /^.*\@seceidos\.net\.?$/ Mar 10 12:26:21 proxy MailScanner[66706]: Matching From: Mar 10 12:26:21 proxy MailScanner[66706]: Matching To: jan-peter.koopmann@web.de Mar 10 12:26:21 proxy MailScanner[66706]: Matching against ft t /^.*\@seceidos\.org\.?$/ Mar 10 12:26:21 proxy MailScanner[66706]: Matching From: Mar 10 12:26:21 proxy MailScanner[66706]: Matching To: jan-peter.koopmann@web.de Mar 10 12:26:21 proxy MailScanner[66706]: Matching against ft t /^.*\@seceidos\.com\.?$/ Mar 10 12:26:21 proxy MailScanner[66706]: Matching 
From: Mar 10 12:26:21 proxy MailScanner[66706]: Matching To: jan-peter.koopmann@web.de Mar 10 12:26:21 proxy MailScanner[66706]: Matching against ft t /^.*\@telefonia\.de\.?$/ Mar 10 12:26:21 proxy MailScanner[66706]: Matching From: Mar 10 12:26:21 proxy MailScanner[66706]: Matching To: jan-peter.koopmann@web.de Mar 10 12:26:21 proxy MailScanner[66706]: Matching against ft t /^.*\@akctech\.de\.?$/ I was quite surprised to see that $msg->(from) included the '<' and '>'. The call $misses++ unless $msg->{from} =~ /$regexp/i; This does not match due to the trailing '>'. Is it possible that the Sendmail.pm gives you the {from} without '<' and '>' yet the Exim.pm does? Moreover, the {to} part does not have these and therefore the To: part of the rule works. Regards, JP From Krishna_shekhar at GMX.NET Mon Mar 10 19:43:29 2003 From: Krishna_shekhar at GMX.NET (Krishna) Date: Thu Jan 12 21:17:26 2006 Subject: Configuring SpamAssassin with MailScanner <> Message-ID: <5.2.0.9.0.20030311011302.00b0d2f8@pop.gmx.net> Hi, I am using Horde/IMP on RedHat 7.3 with MailScanner running on sendmail. I am using the sam module from Horde/IMP and it works alright, though I have not tested it. First I want to configure it in such a way that users are able to create their own spam preferences and detected spam mails go into a separate folder. I have created the database in mysql via the mysql script which comes with the sam module. What should I do next? regards Krishna http://www.KrisinDigitalAge.com From Krishna_shekhar at GMX.NET Mon Mar 10 21:55:21 2003 
From: Krishna_shekhar at GMX.NET (Krishna) Date: Thu Jan 12 21:17:26 2006 Subject: can't get spamassassin to work!! Message-ID: <5.2.0.9.0.20030311031218.00aabe20@pop.gmx.net> Hi, I am using Horde/IMP cvs version on RedHat7.3 with sendmail and MailScanner. I created the userpref table for SpamAssassin in the horde database and checked it by adding rules etc. and it works. This is what local.cf shows for spamassassin in /etc/mail/spamassassin user_scores_dsn DBI:mysql:horde:localhost user_scores_sql_username horde user_scores_sql_password xxxxx user_scores_sql_table userpref But spamassassin is not doing the checks from this table. I am running spamd with the options " -q -d -c -a" The blacklisted rule which I created does not get executed. Any help!! Krishna http://www.KrisinDigitalAge.com From Jan-Peter.Koopmann at SECEIDOS.DE Mon Mar 10 11:42:25 2003 From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann) Date: Thu Jan 12 21:17:26 2006 Subject: FromTo: not working? Message-ID: <4E7026FF8A422749B1553FE508E0068007EF18@message.intern.akctech.de> > I was quite surprised to see that $msg->(from) included the > '<' and '>'. Quick fix in Exim.pm: --- Exim.pm.orig Mon Mar 10 12:34:20 2003 +++ Exim.pm Mon Mar 10 12:39:25 2003 @@ -255,7 +255,13 @@ chomp(($metadata{user},$metadata{uid},$metadata{gid}) = split / /, <$RQf>); # envelope-sender (in <>) chomp($metadata{sender} = <$RQf>); - $message->{from} = lc $metadata{sender}; + + $from = lc $metadata{sender}; + $from =~ s/^<\s*//; # leading and + $from =~ s/\s*>$//; # trailing <> + + $message->{from} = $from; + # time msg received (seconds since epoch) # + number of delay warnings sent chomp(($metadata{rcvtime},$metadata{warncnt}) = split / /, <$RQf>); This seems to work here but I am not sure about other implications (esp. for Exim3). Could someone with more Exim experience please have a look at this? Regards, JP From mailscanner at ecs.soton.ac.uk Mon Mar 10 11:48:52 2003 
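
Review bot: the two added substitutions, `$from =~ s/^<\s*//;` and `$from =~ s/\s*>$//;`, strip each bracket independently, so a null envelope sender `<>` leaves `$message->{from}` as an empty string and a value carrying only one of the two brackets is silently rewritten. Stripping only a balanced pair in a single substitution, for example `$from =~ s/^<\s*(.*?)\s*>$/$1/;`, keeps malformed input visible, and it is worth confirming that the rule matching in Config.pm behaves sensibly when the sender is empty. `$from` is also assigned without `my`, so it becomes a package variable; declare it lexically. Leaving `$metadata{sender}` itself untouched is the right call, since only the copy used for rule matching needs the brackets removed.
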
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:26 2006 Subject: HELP - Viruses are not detected In-Reply-To: <4E7026FF8A422749B1553FE508E0068007EF08@message.intern.akct ech.de> Message-ID: <5.2.0.9.2.20030310114803.02290b90@imap.ecs.soton.ac.uk> At 10:33 10/03/2003, you wrote: >Hi, > > > I just noticed something very strange: the > > filename.rules.conf is not obeyed and no viruses are caught > > (tested with EICAR). This is incoming and outgoing... I first > > noticed this with 4.13-3. Could this be a bug? > >Just wanted to let you know we found the problem. After an upgrade from >4.12 to 4.13 I forgot to change the SystemDefs.pm in lib/MailScanner. >Therefore $global::sed pointed to /bin/sed. Under FreeBSD this must be >/usr/bin/sed. This caused the EximDiskStore to fail when reading the >message body (since it uses sed there) and passing it over to the >MIME::Parser. Therefore the message did not get extracted and since >there was nothing to scan, all virus scanners told MS that everything is >ok. > >So all FreeBSD users: Always watch the SystemDefs.pm settings! :-) I have just added a check for all of these settings to make sure they are correct. It won't start up without the programs being present and executable. -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Mon Mar 10 12:14:34 2003 
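
The failure Jan-Peter describes is a fail-open: a stale helper path meant nothing was extracted, and "nothing to scan" was reported as clean. The following is an added Perl example, not MailScanner's code, of a start-up check like the one Julian mentions; it goes one step beyond the thread by also refusing to call a non-empty message with zero extracted parts clean. `check_helpers`, `verdict`, the helper table and the sample messages are hypothetical and constructed.

```perl
#!/usr/bin/perl
# Added example, not MailScanner code. Function names, the helper table and
# the sample messages are hypothetical and constructed for illustration.
use strict;
use warnings;

# Return one problem string per helper that is missing or not executable.
sub check_helpers {
    my (%paths) = @_;
    my @problems;
    for my $name (sort keys %paths) {
        my $path = $paths{$name};
        if (!defined $path || $path eq '') {
            push @problems, "$name: no path configured";
        }
        elsif (!-e $path) {
            push @problems, "$name: $path does not exist";
        }
        elsif (!-f $path || !-x $path) {
            push @problems, "$name: $path is not an executable file";
        }
    }
    return @problems;
}

# Decide what to report for one message.
#   size  - bytes in the queued message body
#   parts - array ref of files the MIME parser produced
#   hits  - array ref of scanner / filename-rule findings
sub verdict {
    my (%msg) = @_;
    return 'infected' if @{ $msg{hits} };
    # Body present but nothing extracted: the unpack step failed, so the
    # scanners were never shown the content. Do not call that clean.
    return 'unscannable' if $msg{size} > 0 && !@{ $msg{parts} };
    return 'clean';
}

# --- demo on constructed data ---
my %helpers = (
    sed   => '/nonexistent/bin/sed',    # stands in for a stale SystemDefs.pm value
    shell => '/bin/sh',
);
my @problems = check_helpers(%helpers);
print "startup check: $_\n" for @problems;
print "refusing to start\n" if @problems;

my @messages = (
    { id => 'msg-1', size => 1532, parts => [ 'msg.txt', 'eicar.com' ],
      hits => ['eicar.com: filename rule'] },
    { id => 'msg-2', size => 1532, parts => [],          hits => [] },
    { id => 'msg-3', size => 410,  parts => ['msg.txt'], hits => [] },
);
printf "%s: %s\n", $_->{id}, verdict(%$_) for @messages;
```
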
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:26 2006 Subject: FromTo: not working? In-Reply-To: <4E7026FF8A422749B1553FE508E0068007EF15@message.intern.akctech.de> Message-ID: <5.2.0.9.2.20030310121326.02638120@imap.ecs.soton.ac.uk> You are absolutely right. I have just posted a patch to the mailing list. At 11:30 10/03/2003, you wrote: >Hi Julian, > > > I have just tested your exact rules file, totally untouched, > > with messages coming from seceidos.de and messages not coming > > from there. It worked 100% as I would have expected it to > > work, so it's not a bug. > > >I took the liberty to debug this and I think I found the problem. In >Config.pm I put > > MailScanner::Log::WarnLog("Matching From: " . $msg->{from} ."\n"); > > foreach $to (@{$msg->{to}}) { > MailScanner::Log::WarnLog("Matching To: " . $to ."\n"); > > } > MailScanner::Log::WarnLog("Matching against $direction $iporaddr >/$regexp/\n"); > >In the foreach $rule part of the sub Value. This is what the log says >when I write a message: > >Mar 10 12:26:21 proxy MailScanner[66706]: Matching From: > >Mar 10 12:26:21 proxy MailScanner[66706]: Matching To: >jan-peter.koopmann@web.de >Mar 10 12:26:21 proxy MailScanner[66706]: Matching against ft t >/^.*\@seceidos\.de\.?$/ >Mar 10 12:26:21 proxy MailScanner[66706]: Matching From: > >Mar 10 12:26:21 proxy MailScanner[66706]: Matching To: >jan-peter.koopmann@web.de >Mar 10 12:26:21 proxy MailScanner[66706]: Matching against ft t >/^.*\@seceidos\.net\.?$/ >Mar 10 12:26:21 proxy MailScanner[66706]: Matching From: > >Mar 10 12:26:21 proxy MailScanner[66706]: Matching To: >jan-peter.koopmann@web.de >Mar 10 12:26:21 proxy MailScanner[66706]: Matching against ft t >/^.*\@seceidos\.org\.?$/ >Mar 10 12:26:21 proxy MailScanner[66706]: Matching 
From: > >Mar 10 12:26:21 proxy MailScanner[66706]: Matching To: >jan-peter.koopmann@web.de >Mar 10 12:26:21 proxy MailScanner[66706]: Matching against ft t >/^.*\@seceidos\.com\.?$/ >Mar 10 12:26:21 proxy MailScanner[66706]: Matching From: > >Mar 10 12:26:21 proxy MailScanner[66706]: Matching To: >jan-peter.koopmann@web.de >Mar 10 12:26:21 proxy MailScanner[66706]: Matching against ft t >/^.*\@telefonia\.de\.?$/ >Mar 10 12:26:21 proxy MailScanner[66706]: Matching From: > >Mar 10 12:26:21 proxy MailScanner[66706]: Matching To: >jan-peter.koopmann@web.de >Mar 10 12:26:21 proxy MailScanner[66706]: Matching against ft t >/^.*\@akctech\.de\.?$/ > > >I was quite surprised to see that $msg->(from) included the '<' and '>'. >The call > > $misses++ unless $msg->{from} =~ /$regexp/i; > >This does not match due to the trailing '>'. Is it possible that the >Sendmail.pm gives you the {from} without '<' and '>' yet the Exim.pm >does? Moreover, the {to} part does not have these and therefore the To: >part of the rule works. > >Regards, > JP -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Mon Mar 10 12:10:13 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:26 2006 Subject: FromTo: not working? In-Reply-To: <4E7026FF8A422749B1553FE508E0068007EF18@message.intern.akct ech.de> Message-ID: <5.2.0.9.2.20030310120836.02805f50@imap.ecs.soton.ac.uk> At 11:42 10/03/2003, you wrote: > > I was quite surprised to see that $msg->(from) included the > > '<' and '>'. > >Quick fix in Exim.pm: > >--- Exim.pm.orig Mon Mar 10 12:34:20 2003 >+++ Exim.pm Mon Mar 10 12:39:25 2003 
>@@ -255,7 +255,13 @@ > chomp(($metadata{user},$metadata{uid},$metadata{gid}) = split / /, ><$RQf>); > # envelope-sender (in <>) > chomp($metadata{sender} = <$RQf>); >- $message->{from} = lc $metadata{sender}; >+ >+ $from = lc $metadata{sender}; >+ $from =~ s/^<\s*//; # leading and >+ $from =~ s/\s*>$//; # trailing <> >+ >+ $message->{from} = $from; >+ > # time msg received (seconds since epoch) > # + number of delay warnings sent > chomp(($metadata{rcvtime},$metadata{warncnt}) = split / /, <$RQf>); > > >This seems to work here but I am not sure about other implications (esp. >for Exim3). Could someone with more Exim experience please have a look >at this? It's nearly right, but not quite. Try the attached patch instead. Sorry about this folks :-( -------------- next part -------------- A non-text attachment was scrubbed... Name: Exim.pm.patch Type: application/octet-stream Size: 1567 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030310/85a21e8b/Exim.pm.obj -------------- next part -------------- -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support From donovan at HUFFDATASYSTEMS.COM Mon Mar 10 12:28:15 2003 From: donovan at HUFFDATASYSTEMS.COM (Donovan Huff | HUFF DATA SYSTEMS) Date: Thu Jan 12 21:17:26 2006 Subject: FromTo: not working? References: <5.2.0.9.2.20030310120836.02805f50@imap.ecs.soton.ac.uk> Message-ID: <00be01c2e700$87167f50$3c82f6d1@x27> Is this patch for MailScanner-4.13-3, how is it properly applied? Donovan ----- Original Message ----- From: "Julian Field" To: Sent: Monday, March 10, 2003 6:10 AM Subject: Re: FromTo: not working? > At 11:42 10/03/2003, you wrote: > > > I was quite surprised to see that $msg->(from) included the > > > '<' and '>'. > > > >Quick fix in Exim.pm: > > > >--- Exim.pm.orig Mon Mar 10 12:34:20 2003 > >+++ Exim.pm Mon Mar 10 12:39:25 2003 
> >@@ -255,7 +255,13 @@ > > chomp(($metadata{user},$metadata{uid},$metadata{gid}) = split / /, > ><$RQf>); > > # envelope-sender (in <>) > > chomp($metadata{sender} = <$RQf>); > >- $message->{from} = lc $metadata{sender}; > >+ > >+ $from = lc $metadata{sender}; > >+ $from =~ s/^<\s*//; # leading and > >+ $from =~ s/\s*>$//; # trailing <> > >+ > >+ $message->{from} = $from; > >+ > > # time msg received (seconds since epoch) > > # + number of delay warnings sent > > chomp(($metadata{rcvtime},$metadata{warncnt}) = split / /, <$RQf>); > > > > > >This seems to work here but I am not sure about other implications (esp. > >for Exim3). Could someone with more Exim experience please have a look > >at this? > > It's nearly right, but not quite. Try the attached patch instead. > Sorry about this folks :-( -------------------------------------------------------------------------------- > -- > Julian Field > www.MailScanner.info > Professional Support Services at www.MailScanner.biz > MailScanner thanks transtec Computers for their support From Jan-Peter.Koopmann at SECEIDOS.DE Mon Mar 10 13:05:43 2003 From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann) Date: Thu Jan 12 21:17:26 2006 Subject: FromTo: not working? Message-ID: <4E7026FF8A422749B1553FE508E0068007EF1F@message.intern.akctech.de> > Is this patch for MailScanner-4.13-3, how is it properly applied? Yes it is and you will need it if you are using Exim instead of Sendmail. Go to your /opt/MailScanner/lib/MailScanner dir and execute patch < Exim.pm.patch Then restart MailScanner. That should do the trick. Regards, JP From Cleveland at MAIL.WINNEFOX.ORG Mon Mar 10 13:57:23 2003 
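
Why the FromTo rules in this thread never matched under Exim, shown as an added Perl example that is not MailScanner's code. The patterns are the ones in the debug log above; `normalise_sender`, `first_match` and the sample senders are hypothetical and constructed. It goes slightly beyond the reported case by stripping only a balanced pair of brackets and by covering the null sender `<>`.

```perl
#!/usr/bin/perl
# Added example, not MailScanner code. Helper names and the sample
# envelope senders are hypothetical and constructed for illustration.
use strict;
use warnings;

# Rule patterns exactly as they appear in the debug log in this thread.
my @patterns = (
    '^.*\@seceidos\.de\.?$',
    '^.*\@seceidos\.net\.?$',
    '^.*\@seceidos\.org\.?$',
    '^.*\@seceidos\.com\.?$',
    '^.*\@telefonia\.de\.?$',
    '^.*\@akctech\.de\.?$',
);
my @rules = map { qr/$_/i } @patterns;

# Lower-case the envelope sender and remove one enclosing <...> pair.
# A value with only one bracket is left alone rather than guessed at,
# and the null sender "<>" becomes the empty string.
sub normalise_sender {
    my ($raw) = @_;
    my $addr = lc $raw;
    $addr =~ s/^\s+//;
    $addr =~ s/\s+$//;
    $addr = $1 if $addr =~ /^<\s*(.*?)\s*>$/;
    return $addr;
}

# Return the first pattern that matches the sender, or undef if none does.
sub first_match {
    my ($from) = @_;
    for my $i ( 0 .. $#rules ) {
        return $patterns[$i] if $from =~ $rules[$i];
    }
    return;
}

# Constructed envelope senders in the bracketed form the thread reports
# for the Exim code path.
my @senders = (
    '<user@seceidos.de>',     # the reported case
    '<User@SECEIDOS.DE>',     # mixed case
    '<user@akctech.de.>',     # trailing dot, allowed by \.? in the rules
    '<user@example.org>',     # not covered by any rule
    '<>',                     # null sender used for bounces
    'user@seceidos.de>',      # unbalanced, left untouched
);

for my $raw (@senders) {
    my $before = first_match( lc $raw );                  # pre-patch behaviour
    my $after  = first_match( normalise_sender($raw) );   # brackets removed
    printf "%-22s raw: %-5s  normalised: %s\n",
        $raw,
        defined $before ? 'match' : 'miss',
        defined $after  ? $after  : 'miss';
}
```
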
From: Cleveland at MAIL.WINNEFOX.ORG (Jody Cleveland) Date: Thu Jan 12 21:17:26 2006 Subject: updated sendmail, now MailScanner isn't catching viruses Message-ID: <84CFA712F666B44A94CE6BE116BAF4B0B4E47E@MAIL> Hello, I'm running redhat 8 with sendmail. I used up2date to update sendmail, and now MailScanner with f-prot is no longer catching viruses. Is there a setting or file that was overwritten when I updated that I need to correct? -- Jody Cleveland (cleveland@winnefox.org) Winnefox Library System Computer Support Specialist From Jan-Peter.Koopmann at SECEIDOS.DE Mon Mar 10 13:58:35 2003 From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann) Date: Thu Jan 12 21:17:26 2006 Subject: updated sendmail, now MailScanner isn't catching viruses Message-ID: <4E7026FF8A422749B1553FE508E0068007EF22@message.intern.akctech.de> Hi, > I'm running redhat 8 with sendmail. I used up2date to update > sendmail, and now MailScanner with f-prot is no longer > catching viruses. Is there a setting or file that was > overwritten when I updated that I need to correct? How about some more detailed info? How did you discover that it is not catching viruses any more? Are the MailScanner headers still in the mails? What does the log say? Regards, JP From Cleveland at MAIL.WINNEFOX.ORG Mon Mar 10 14:10:07 2003 
From: Cleveland at MAIL.WINNEFOX.ORG (Jody Cleveland) Date: Thu Jan 12 21:17:26 2006 Subject: updated sendmail, now MailScanner isn't catching viruses Message-ID: <84CFA712F666B44A94CE6BE116BAF4B0B4E47F@MAIL> > How about some more detailed info? How did you discover that it is not > catching viruses any more? Are the MailScanner headers still in the > mails? What does the log say? MailScanner is running, and the headers of each message say it found it to be clean. I just started noticing that I wasn't getting any of the messages saying that viruses are found. I also noticed this morning that backup on our file server is catching viruses on our mail server. ( I have a redhat 8 box that scans mail and sends it off to our exchange server. We have a separate file server that backs up all our windows boxes) Jody From jgoggan at DCG.COM Mon Mar 10 14:18:37 2003 From: jgoggan at DCG.COM (John Goggan) Date: Thu Jan 12 21:17:26 2006 Subject: updated sendmail, now MailScanner isn't catching viruses References: <5C0296D26910694BB9A9BBFC577E7AB0EBF46C@pascal.priv.bmrb.co.uk> Message-ID: <3E6C9EBD.AAE45A4F@dcg.com> "Spicer, Kevin" wrote: > > Have you checked sendmail (on its own) isn't running (bypassing MailScanner). Some of the rpms have a habit of kicking off the sendmail process and/or configuring it to start at boot. Indeed! Especially since the latest version of sendmail runs completely differently than any previous versions. It now invokes two copies of itself -- one that runs as non-root and one that is -- so that it no longer needs to be SUID-root. In any case, it runs one to collect on the SMTP port -- and one to do local mail processing. So, I'm not exactly sure what the "up2date" script would have done as far as that goes... - John... From Kevin.Spicer at BMRB.CO.UK Mon Mar 10 14:06:58 2003 
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin) Date: Thu Jan 12 21:17:26 2006 Subject: updated sendmail, now MailScanner isn't catching viruses Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0EBF46C@pascal.priv.bmrb.co.uk> Have you checked sendmail (on its own) isn't running (bypassing MailScanner). Some of the rpms have a habit of kicking off the sendmail process and/or configuring it to start at boot.

service sendmail stop
service MailScanner stop
ps -elf | grep sendmail
[ kill any sendmail processes ]
chkconfig sendmail off
service MailScanner start

Then test with eicar.com! > -----Original Message----- > From: Jody Cleveland [mailto:Cleveland@MAIL.WINNEFOX.ORG] > Sent: 10 March 2003 13:57 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: updated sendmail, now MailScanner isn't catching viruses > > > Hello, > > I'm running redhat 8 with sendmail. I used up2date to update > sendmail, and > now MailScanner with f-prot is no longer catching viruses. Is there a > setting or file that was overwritten when I updated that I > need to correct? > > -- > Jody Cleveland > (cleveland@winnefox.org) > > Winnefox Library System > Computer Support Specialist > From john at OFIZ.COM Mon Mar 10 14:25:23 2003 
From: john at OFIZ.COM (John Thewlis) Date: Thu Jan 12 21:17:26 2006 Subject: mailscanner-mrtg In-Reply-To: Message-ID: Hi I am attempting to install mrtg for mailscanner monitoring. I have downloaded the mailscanner-mrtg tar file into /home/mailscanner/monitoring on a Cobalt RaQ4r and am attempting to install this. However, it gives the following error.

[root monitoring]# tar zxvf mailscanner-mrtg-0.03.tar.gz
gzip: stdin: not in gzip format
tar: Child returned status 1
tar: Error exit delayed from previous errors

Any ideas as to how to fix this error? Many thanks John From ap at HPI.COM Mon Mar 10 15:11:37 2003 From: ap at HPI.COM (Adam Polkosnik) Date: Thu Jan 12 21:17:26 2006 Subject: mailscanner-mrtg In-Reply-To: Message-ID: I bet that you used some old version of netscape and it decompressed the file after downloading. You can try " cat mailscanner-mrtg-0.03.tar.gz | tar xfv - " -----Original Message----- 
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of John Thewlis Sent: Monday, March 10, 2003 9:25 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: mailscanner-mrtg Hi I am attempting to install mrtg for mailscanner monitoring. I have downloaded the mailscanner-mrtg tar file into /home/mailscanner/monitoring on a Cobalt RaQ4r and am attempting to install this. However, it gives the following error.

[root monitoring]# tar zxvf mailscanner-mrtg-0.03.tar.gz
gzip: stdin: not in gzip format
tar: Child returned status 1
tar: Error exit delayed from previous errors

Any ideas as to how to fix this error? Many thanks John From Jan-Peter.Koopmann at SECEIDOS.DE Mon Mar 10 16:13:21 2003 
From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann) Date: Thu Jan 12 21:17:26 2006 Subject: Bayes problem with MailScanner Message-ID: <4E7026FF8A422749B1553FE508E0068007EF29@message.intern.akctech.de> Hi, I am still trying to figure out why MailScanner is not using Bayes at the moment. Therefore I hacked the code a bit to write all SA debug output to a log file even when being called by MailScanner. Here is an interesting part: using "/usr/local/share/spamassassin" for default rules dir using "/usr/local/etc/mail/spamassassin" for site rules dir using "/var/spool/exim.in/.spamassassin" for user state dir using "/usr/local/MailScanner/etc/spam.assassin.prefs.conf" for user prefs file bayes: tie-ing to DB file R/O /var/spool/spamassassin/bayes_toks bayes: tie-ing to DB file R/O /var/spool/spamassassin/bayes_seen debug: Only 53 spam(s) in Bayes DB < 200 So the MailScanner/SA combination thinks it only has 53 spams. But now have a look at this: root@proxy:/usr/ports/mail/p5-Mail-SpamAssassin/work/Mail-SpamAssassin-2 .50/tools # ./check_bayes_db -db /var/spool/spamassassin/bayes 0.000 0 0 0 non-token data: db format = on-the-fly probs, expiry, scan-counting 0.000 0 269 0 non-token data: nspam 0.000 0 2320 0 non-token data: nham 0.000 0 0 0 non-token data: ntokens 0.000 0 0 0 non-token data: oldest age 0.000 0 270 0 non-token data: current scan-count 0.000 0 0 0 non-token data: last expiry scan-count Or this: root@proxy:/tmp # spamassassin -t < 1047306210_0.78770.proxy.intern.akctech.de debug: using "/usr/local/etc/mail/spamassassin" for site rules dir debug: using "/root/.spamassassin" for user state dir debug: using "/root/.spamassassin/user_prefs" for user prefs file debug: bayes: tie-ing to DB file R/O /var/spool/spamassassin/bayes_toks debug: bayes: tie-ing to DB file R/O /var/spool/spamassassin/bayes_seen debug: Score set 3 chosen. --- snipp --- debug: bayes corpus size: nspam = 269, nham = 2320 And of course bayes is used by spamassassin -t.... 
I simply do not see the difference... both ways use the same database obviously. Why does the SA/MS combination say 53 spams in the DB? BTW: /var/spool/exim.in/.spamassassin and /root/.spamassassin are equal so that should not be it. Regards, JP From smohan at vsnl.com Mon Mar 10 16:54:31 2003 From: smohan at vsnl.com (S Mohan) Date: Thu Jan 12 21:17:26 2006 Subject: updated sendmail, now MailScanner isn't catching viruses In-Reply-To: <84CFA712F666B44A94CE6BE116BAF4B0B4E47F@MAIL> Message-ID: <003c01c2e725$bfcacb60$d06141db@18yamuna> I had the same problem. Mails were stuck in mqueue.in and were not scanned. I just reinstalled MailScanner after I upgraded sendmail and it started working. Reasons? I have not spent time to understand this as yet. Mohan -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Jody Cleveland Sent: Monday, March 10, 2003 7:40 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: updated sendmail, now MailScanner isn't catching viruses > How about some more detailed info? How did you discover that it is not > catching viruses any more? Are the MailScanner headers still in the > mails? What does the log say? MailScanner is running, and the headers of each message say it found it to be clean. I just started noticing that I wasn't getting any of the messages saying that viruses are found. I also noticed this morning that backup on our file server is catching viruses on our mail server. ( I have a redhat 8 box that scans mail and sends it off to our exchange server. We have a separate file server that backs up all our windows boxes) Jody From Jan-Peter.Koopmann at seceidos.de Mon Mar 10 16:13:21 2003 
From: Jan-Peter.Koopmann at seceidos.de (Jan-Peter Koopmann) Date: Thu Jan 12 21:17:27 2006 Subject: [SAtalk] Bayes problem with MailScanner Message-ID: <4E7026FF8A422749B1553FE508E0068007EF29@message.intern.akctech.de> Hi, I am still trying to figure out why MailScanner is not using Bayes at the moment. Therefore I hacked the code a bit to write all SA debug output to a log file even when being called by MailScanner. Here is an interesting part: using "/usr/local/share/spamassassin" for default rules dir using "/usr/local/etc/mail/spamassassin" for site rules dir using "/var/spool/exim.in/.spamassassin" for user state dir using "/usr/local/MailScanner/etc/spam.assassin.prefs.conf" for user prefs file bayes: tie-ing to DB file R/O /var/spool/spamassassin/bayes_toks bayes: tie-ing to DB file R/O /var/spool/spamassassin/bayes_seen debug: Only 53 spam(s) in Bayes DB < 200 So the MailScanner/SA combination thinks it only has 53 spams. But now have a look at this: root@proxy:/usr/ports/mail/p5-Mail-SpamAssassin/work/Mail-SpamAssassin-2 .50/tools # ./check_bayes_db -db /var/spool/spamassassin/bayes 0.000 0 0 0 non-token data: db format = on-the-fly probs, expiry, scan-counting 0.000 0 269 0 non-token data: nspam 0.000 0 2320 0 non-token data: nham 0.000 0 0 0 non-token data: ntokens 0.000 0 0 0 non-token data: oldest age 0.000 0 270 0 non-token data: current scan-count 0.000 0 0 0 non-token data: last expiry scan-count Or this: root@proxy:/tmp # spamassassin -t < 1047306210_0.78770.proxy.intern.akctech.de debug: using "/usr/local/etc/mail/spamassassin" for site rules dir debug: using "/root/.spamassassin" for user state dir debug: using "/root/.spamassassin/user_prefs" for user prefs file debug: bayes: tie-ing to DB file R/O /var/spool/spamassassin/bayes_toks debug: bayes: tie-ing to DB file R/O /var/spool/spamassassin/bayes_seen debug: Score set 3 chosen. --- snipp --- debug: bayes corpus size: nspam = 269, nham = 2320 And of course bayes is used by spamassassin -t.... 
I simply do not see the difference... both ways use the same database obviously. Why does the SA/MS combination say 53 spams in the DB? BTW: /var/spool/exim.in/.spamassassin and /root/.spamassassin are equal so that should not be it. Regards, JP From Jan-Peter.Koopmann at SECEIDOS.DE Mon Mar 10 17:12:03 2003 From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann) Date: Thu Jan 12 21:17:27 2006 Subject: Bayes problem with MailScanner Message-ID: <4E7026FF8A422749B1553FE508E0068007EF2B@message.intern.akctech.de> Hi, > Does it change if you do a > sa-learn --rebuild > ? I am doing this once an hour via cron job. Have a look at the debug output: It is using the same db as the check_bayes_db AND the same db as it is using when I am manually doing a spamassassin -t. I am 99.9999% sure that the tokens are in the right db and are correctly learned. That's what is so strange about this. Somehow SA interprets the db contents differently depending on how it is called. I had a quick look at the source and could not find anything... Regards, JP From mailscanner at ecs.soton.ac.uk Mon Mar 10 17:03:31 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:27 2006 Subject: Bayes problem with MailScanner In-Reply-To: <4E7026FF8A422749B1553FE508E0068007EF29@message.intern.akct ech.de> Message-ID: <5.2.0.9.2.20030310170316.03f9ac58@imap.ecs.soton.ac.uk> Does it change if you do a sa-learn --rebuild ? At 16:13 10/03/2003, you wrote: >Hi, > >I am still trying to figure out why MailScanner is not using Bayes at >the moment. Therefore I hacked the code a bit to write all SA debug >output to a log file even when being called by MailScanner. Here is an >interesting part: > >using "/usr/local/share/spamassassin" for default rules dir >using "/usr/local/etc/mail/spamassassin" for site rules dir >using "/var/spool/exim.in/.spamassassin" for user state dir >using "/usr/local/MailScanner/etc/spam.assassin.prefs.conf" for user >prefs file >bayes: tie-ing to DB file R/O /var/spool/spamassassin/bayes_toks >bayes: tie-ing to DB file R/O /var/spool/spamassassin/bayes_seen >debug: Only 53 spam(s) in Bayes DB < 200 > >So the MailScanner/SA combination thinks it only has 53 spams. 
But now >have a look at this: > >root@proxy:/usr/ports/mail/p5-Mail-SpamAssassin/work/Mail-SpamAssassin-2 >.50/tools # ./check_bayes_db -db /var/spool/spamassassin/bayes >0.000 0 0 0 non-token data: db format = on-the-fly >probs, expiry, scan-counting >0.000 0 269 0 non-token data: nspam >0.000 0 2320 0 non-token data: nham >0.000 0 0 0 non-token data: ntokens >0.000 0 0 0 non-token data: oldest age >0.000 0 270 0 non-token data: current scan-count >0.000 0 0 0 non-token data: last expiry scan-count > >Or this: > >root@proxy:/tmp # spamassassin -t < >1047306210_0.78770.proxy.intern.akctech.de >debug: using "/usr/local/etc/mail/spamassassin" for site rules dir >debug: using "/root/.spamassassin" for user state dir >debug: using "/root/.spamassassin/user_prefs" for user prefs file >debug: bayes: tie-ing to DB file R/O /var/spool/spamassassin/bayes_toks >debug: bayes: tie-ing to DB file R/O /var/spool/spamassassin/bayes_seen >debug: Score set 3 chosen. >--- snipp --- >debug: bayes corpus size: nspam = 269, nham = 2320 > >And of course bayes is used by spamassassin -t.... > >I simply do not see the difference... both ways use the same database >obviously. Why does the SA/MS combination say 53 spams in the DB? > >BTW: /var/spool/exim.in/.spamassassin and /root/.spamassassin are equal >so that sould not be it. > >Regards, > JP -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From mbowman at UDCOM.COM Mon Mar 10 16:52:03 2003 
From: mbowman at UDCOM.COM (Matthew Bowman) Date: Thu Jan 12 21:17:27 2006 Subject: updated sendmail, now MailScanner isn't catching viruses Message-ID: I first updated my sendmail on my RH 7.2 box then applied MailScanner 4.13-3. The only problem that I had was spamc getting connection refused to 127.0.0.1 (localhost), I circumvented that by using the -i flag with spamd in the rc script. No problems encountered with Virus Scanning. Matthew. S Mohan Sent by: MailScanner mailing list 03/10/2003 11:54 AM Please respond to smohan To: MAILSCANNER@JISCMAIL.AC.UK cc: Subject: Re: updated sendmail, now MailScanner isn't catching viruses I had the same problem. Mails were stuck in mqueue.in and were not scanned. I just reinstalled MailScanner after I upgraded sendmail and it started working. Reasons? I have not spent time to understand this as yet. Mohan -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Jody Cleveland Sent: Monday, March 10, 2003 7:40 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: updated sendmail, now MailScanner isn't catching viruses > How about some more detailed info? How did you discover that it is not > catching viruses any more? Are the MailScanner headers still in the > mails? What does the log say? MailScanner is running, and the headers of each message say it found it to be clean. I just started noticing that I wasn't getting any of the messages saying that viruses are found. I also noticed this morning that backup on our file server is catching viruses on our mail server. (I have a redhat 8 box that scans mail and sends it off to our exchange server. We have a separate file server that backs up all our windows boxes) Jody From Jan-Peter.Koopmann at SECEIDOS.DE Mon Mar 10 17:29:50 2003 
From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann) Date: Thu Jan 12 21:17:27 2006 Subject: Spamassassin -r Message-ID: <4E7026FF8A422749B1553FE508E0068007EF2C@message.intern.akctech.de> BTW: Does spamassassin -r also delete X-MailScanner headers or should one do that manually before calling it? Thanks, JP From mailscanner at ecs.soton.ac.uk Mon Mar 10 17:33:21 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:27 2006 Subject: updated sendmail, now MailScanner isn't catching viruses In-Reply-To: Message-ID: <5.2.0.9.2.20030310173309.03daafc8@imap.ecs.soton.ac.uk> But MailScanner doesn't even use spamc... At 16:52 10/03/2003, you wrote: >I first updated my sendmail on my RH 7.2 box then applied MailScanner >4.13-3. The only problem that I had was spamc getting connection refused >to 127.0.0.1 (localhost), I circumvented that by using the -i >flag with spamd in the rc script. No problems encountered with Virus >Scanning. > >Matthew. > > > > > >S Mohan >Sent by: MailScanner mailing list >03/10/2003 11:54 AM >Please respond to smohan > > > To: MAILSCANNER@JISCMAIL.AC.UK > cc: > Subject: Re: updated sendmail, now MailScanner isn't > catching viruses > > >I had the same problem. Mails were stuck in mqueue.in and were not >scanned. I just reinstalled MailScanner after I upgraded sendmail and it >started working. > >Reasons? I have not spent time to understand this as yet. > >Mohan > >-----Original Message----- 
>From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On >Behalf Of Jody Cleveland >Sent: Monday, March 10, 2003 7:40 PM >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Re: updated sendmail, now MailScanner isn't catching viruses > > > > How about some more detailed info? How did you discover that it is not > > > catching viruses any more? Are the MailScanner headers still in the > > mails? What does the log say? > >MailScanner is running, and the headers of each message say it found it >to be clean. I just started noticing that I wasn't getting any of the >messages saying that viruses are found. I also noticed this morning that >backup on our file server is catching viruses on our mail server. (I >have a redhat 8 box that scans mail and sends it off to our exchange >server. We have a separate file server that backs up all our windows >boxes) > >Jody -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From Cleveland at MAIL.WINNEFOX.ORG Mon Mar 10 18:32:19 2003 From: Cleveland at MAIL.WINNEFOX.ORG (Jody Cleveland) Date: Thu Jan 12 21:17:27 2006 Subject: updated sendmail, now MailScanner isn't catching viruses Message-ID: <84CFA712F666B44A94CE6BE116BAF4B0B4E481@MAIL> > I had the same problem. Mails were stuck in mqueue.in and were not > scanned. I just reinstalled MailScanner after I upgraded > sendmail and it > started working. Ok. I notice there's a newer version out, and I would like to update to that one anyhow. My question is, how do I do this seamlessly without disrupting users? Is there an upgrade script that will update the program without messing with settings? Jody From mkettler at EVI-INC.COM Mon Mar 10 19:03:18 2003 
From: mkettler at EVI-INC.COM (Matt Kettler) Date: Thu Jan 12 21:17:27 2006 Subject: Spamassassin -r In-Reply-To: <4E7026FF8A422749B1553FE508E0068007EF2C@message.intern.akct ech.de> Message-ID: <5.2.0.9.0.20030310135919.01989e70@192.168.50.2> It should not.. SpamAssassin isn't "aware" of MailScanner. SpamAssassin will only auto-remove markups that it generates itself (which MailScanner doesn't use). That said, header changes don't need to be removed.. Razor doesn't examine message headers at all, other than the subject for tracking purposes. What needs to be removed is any BODY changes (and in some modes, spamassassin does generate markups in the message body). Make sure that any custom "scanned by" message footers and other body modifiers get removed prior to calling spamassassin -r and you should be ok. Also make sure the message didn't have any HTML stripping run. At 06:29 PM 3/10/2003 +0100, Jan-Peter Koopmann wrote: >BTW: Does spamassassin -r also delete X-MailScanner headers or should >one do that manually before calling it? > >Thanks, > JP From davidclosson at MSN.COM Mon Mar 10 19:12:55 2003 From: davidclosson at MSN.COM (David Closson) Date: Thu Jan 12 21:17:27 2006 Subject: accumulation of files in /var/spool/mqueue.in Message-ID: Greetings, Using RH 7.3 Using Sendmail 8.11-6 MailScanner 4.13-3 Using McAfee AV I have been happily using MailScanner for almost a year now and have had to remove the accumulation of files in /var/spool/mqueue.in after a month or so. I am not sure if these are messages already delivered and were not removed or ? I have had no reports of missing email. _________ Sincerely, David Closson 209-736-0111 _________________________________________________________________ Help STOP SPAM with the new MSN 8 and get 2 months FREE* http://join.msn.com/?page=features/junkmail From mailscanner at ecs.soton.ac.uk Mon Mar 10 19:27:44 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:27 2006 Subject: accumulation of files in /var/spool/mqueue.in In-Reply-To: Message-ID: <5.2.0.9.2.20030310192506.027bbf80@imap.ecs.soton.ac.uk> At 19:12 10/03/2003, you wrote: >Greetings, > >Using RH 7.3 >Using Sendmail 8.11-6 >MailScanner 4.13-3 >Using McAfee AV > >I have been happily using MailScanner for almost a year now and have had to >remove the accumulation of files in /var/spool/mqueue.in after a month or >so. > >I am not sure if these are messages already delivered and were not removed >or ? > >I have had no reports of missing email. If they are stray files that aren't part of a matching qf / df pair, then you can safely delete them. If an SMTP session into your server gets interrupted for some reason, a stray file will be left behind. The server at the far end of the session knows that its message transmission got interrupted and will retry anyway. SMTP is designed pretty carefully to ensure things don't get lost in transit. -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support From mbowman at UDCOM.COM Mon Mar 10 19:56:14 2003 
From: mbowman at UDCOM.COM (Matthew Bowman) Date: Thu Jan 12 21:17:27 2006 Subject: Virus Scanning messages... Message-ID: I updated MailScanner last Wednesday, after updating sendmail. Until I changed MailScanner, maillog was reporting these Mar 5 13:56:31 smithers MailScanner[27140]: Virus Scanning: Found 1 viruses Mar 5 13:56:31 smithers MailScanner[27140]: Silent: Delivered 1 messages containing silent viruses Ever since, I have seen no entries (which is unexpected). I'm running RH 7.2 w/ MailScanner 4.13-3 and clamscan 0.54 Here is an expanded extract from my MailScanner.conf Virus Scanning = yes # Virus Scanners = sophos f-prot mcafee # Virus Scanners = clamav Virus Scanner Timeout = 300 Deliver Disinfected Files = yes Silent Viruses = Klez Yaha-E Bugbear Braid-A WinEvar Still Deliver Silent Viruses = yes #Allowed Sophos Error Messages = corrupt Block Encrypted Messages = no Block Unencrypted Messages = no What has caused this to happen considering my MailScanner.conf was updated with the previous settings? Thanks Matthew From mbowman at UDCOM.COM Mon Mar 10 19:32:17 2003 
From: mbowman at UDCOM.COM (Matthew Bowman) Date: Thu Jan 12 21:17:27 2006 Subject: updated sendmail, now MailScanner isn't catching viruses Message-ID: This is a related problem. MailScanner is detecting filename rules but not actual viruses. Even though Virus Scanners = clamav. This was working until I upgraded MailScanner on March 5th. sendmail was patched before I updated MailScanner. I'm running RH 7.2 w/ MailScanner 4.13-3 and clamscan 0.54 Here is an expanded extract from my MailScanner.conf Virus Scanning = yes # Virus Scanners = sophos f-prot mcafee # Virus Scanners = clamav Virus Scanner Timeout = 300 Deliver Disinfected Files = yes Silent Viruses = Klez Yaha-E Bugbear Braid-A WinEvar Still Deliver Silent Viruses = yes #Allowed Sophos Error Messages = corrupt Block Encrypted Messages = no Block Unencrypted Messages = no I'm at a loss as to what has happened. Any ideas what the problem is? Matthew From raymond at PROLOCATION.NET Mon Mar 10 20:33:12 2003 From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:17:27 2006 Subject: Delaying identified SPAM In-Reply-To: <20030310202854.GD63427@affymetrix.com> Message-ID: Hi! > I have a feature request. I'd like to be able to delay the delivery of > Spam until some specified time period, for example overnight. The main > goal of this request is to normalize the load on our mail servers by > time-shifting the unimportant Spam. Why not do a simple grep on your queue dir and move them to another dir on your server, and put them back in the delivery queue once you are ready? They do have the {SPAM?} inside so should be easy to catch. You could cron this to automate it. Bye, Raymond. From nicholas_esborn at AFFYMETRIX.COM Mon Mar 10 20:28:54 2003 
From: nicholas_esborn at AFFYMETRIX.COM (Nicholas Esborn) Date: Thu Jan 12 21:17:27 2006 Subject: Delaying identified SPAM Message-ID: <20030310202854.GD63427@affymetrix.com> Hello, I have a feature request. I'd like to be able to delay the delivery of Spam until some specified time period, for example overnight. The main goal of this request is to normalize the load on our mail servers by time-shifting the unimportant Spam. Thanks, -nick -- Nicholas Esborn Affymetrix, Inc. 510/428.8505 Every message PGP signed From Antony at SOFT-SOLUTIONS.CO.UK Mon Mar 10 21:00:29 2003 From: Antony at SOFT-SOLUTIONS.CO.UK (Antony Stone) Date: Thu Jan 12 21:17:27 2006 Subject: Delaying identified SPAM In-Reply-To: <20030310202854.GD63427@affymetrix.com> References: <20030310202854.GD63427@affymetrix.com> Message-ID: <200303102100.h2AL0XV14365@Networker.Rockstone.co.uk> On Monday 10 March 2003 8:28 pm, Nicholas Esborn wrote: > Hello, > > I have a feature request. I'd like to be able to delay the delivery of > Spam until some specified time period, for example overnight. The main > goal of this request is to normalize the load on our mail servers by > time-shifting the unimportant Spam. Instead of telling MailScanner to 'deliver' the mail, tell it to 'store' it (and set both Quarantine Whole Message and Quarantine Whole Messages As Queue Files to yes), and then whenever you're ready to deliver the spam, simply move the files from the quarantine queue directory to the sendmail outgoing mail directory (eg with a cron job). Regards, Antony. -- There are only 10 types of people in the world: those who understand binary notation, and those who don't. From smohan at vsnl.com Tue Mar 11 01:39:08 2003 
From: smohan at vsnl.com (S Mohan) Date: Thu Jan 12 21:17:27 2006 Subject: accumulation of files in /var/spool/mqueue.in In-Reply-To: Message-ID: <000a01c2e76f$057eb010$7e6041db@18yamuna> I had the same stuff. I looked up a few files and associated mail log. These were remnants of broken SMTP conversations. In order to clear these automatically, I created a daily cron job as under. find /var/spool/mqueue.in -mtime +6|xargs rm -f I gave 6 days as sendmail will anyway abort after 5 days delivery. Thus files older than that anyway would be broken files. Mohan -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of David Closson Sent: Tuesday, March 11, 2003 1:27 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: accumulation of files in /var/spool/mqueue.in OK, I figured as much. Thank you for the rapid response. We are processing about 350,000 emails a day (heavier day) with MailScanner and Spamassassin. This figure is combined in and out for all of our users. _________ Sincerely, David Closson 209-736-0111 
>From: Julian Field >Reply-To: MailScanner mailing list >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Re: accumulation of files in /var/spool/mqueue.in >Date: Mon, 10 Mar 2003 19:27:44 +0000 > >At 19:12 10/03/2003, you 
wrote: >>Greetings, >> >>Using RH 7.3 >>Using Sendmail 8.11-6 >>MailScanner 4.13-3 >>Using McAfee AV >> >>I have been happily using MailScanner for almost a year now and have >>had to remove the accumulation of files in /var/spool/mqueue.in after >>a month or so. >> >>I am not sure if these are messages already delivered and were not >>removed or ? >> >>I have had no reports of missing email. > >If they are stray files that aren't part of a matching qf / df pair, >then you can safely delete them. If an SMTP session into your server >gets interrupted for some reason, a stray file will be left behind. The >server at the far end of the session knows that its message >transmission got interrupted and will retry anyway. SMTP is designed >pretty carefully to ensure things don't get lost in transit. >-- >Julian Field >www.MailScanner.info >Professional Support Services at www.MailScanner.biz MailScanner thanks >transtec Computers for their support _________________________________________________________________ Add photos to your e-mail with MSN 8. Get 2 months FREE*. http://join.msn.com/?page=features/featuredemail From craig at STRONG-BOX.NET Tue Mar 11 02:47:07 2003 
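Added example, not part of any list message: it combines the two criteria given in this thread for mqueue.in leftovers, no matching qf / df partner (Julian Field's reply) and older than 6 days (S Mohan's cron job), and only lists candidates instead of deleting them. The function names and the sample queue file names are constructed for illustration.

```shell
#!/bin/sh
# Added example: list stray sendmail queue files, i.e. qf*/df* files that
# have no matching partner file AND are older than a given number of days.
# It prints candidates only; removing them is left to the operator.

# list_stray_queue_files DIR DAYS
# Prints one path per line, sorted. DAYS is used as "find -mtime +DAYS".
list_stray_queue_files() {
    queue_dir=$1
    min_age_days=$2
    find "$queue_dir" -maxdepth 1 -type f \( -name 'qf*' -o -name 'df*' \) \
        -mtime +"$min_age_days" | sort | while IFS= read -r path; do
        name=${path##*/}
        id=${name#??}              # queue ID: file name minus the qf/df prefix
        case $name in
            qf*) partner="df$id" ;;
            df*) partner="qf$id" ;;
        esac
        # A complete qf/df pair is a real queued message: leave both halves.
        [ -e "$queue_dir/$partner" ] || printf '%s\n' "$path"
    done
}

# build_sample_queue DIR
# Constructed sample data (empty files with made-up queue IDs), not real mail.
build_sample_queue() {
    sample_dir=$1
    # Old, complete pair: must never be listed.
    touch -t 200303010000 "$sample_dir/qfh21AAAAA000001" \
                          "$sample_dir/dfh21AAAAA000001"
    # Old df without a qf: remnant of an interrupted SMTP session.
    touch -t 200303010000 "$sample_dir/dfh21BBBBB000002"
    # Old qf without a df.
    touch -t 200303010000 "$sample_dir/qfh21CCCCC000003"
    # Fresh df without a qf: may be a message still being received, so the
    # age threshold keeps it off the list.
    touch "$sample_dir/dfh2BDDDDD000004"
    # Unrelated old file: excluded by the qf/df name filter.
    touch -t 200303010000 "$sample_dir/README"
}

# Stand-alone demonstration on a throwaway directory.
demo_dir=$(mktemp -d)
build_sample_queue "$demo_dir"
list_stray_queue_files "$demo_dir" 6
rm -rf "$demo_dir"
```

The age threshold is what keeps a half-received message, whose second file has not been written yet, from being treated as a stray.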
From: craig at STRONG-BOX.NET (Craig Pratt) Date: Thu Jan 12 21:17:27 2006 Subject: accumulation of files in /var/spool/mqueue.in In-Reply-To: <000a01c2e76f$057eb010$7e6041db@18yamuna> Message-ID: Thanks for the tip. I've been seeing these queue files occasionally as well. Most recently, when I updated the sendmail access.db without restarting sendmail/MailScanner. This seemed to cause sendmail to die during SMTP connections - presumably due to the fact that sendmail's cached file state didn't match the actual file. What I'm wondering, though, is it safe to delete the files in mqueue.in with sendmail/MailScanner running? [sounds like a potential FAQ, as well] Craig On Monday, March 10, 2003, at 05:39 PM, S Mohan wrote: > I had the same stuff. I looked up a few files and associated mail log. > These were remnants of broken SMTP conversations. In order to clear > these automatically, I created a daily cron job as under. > > Find /var/spool/mqueue.in -mtime +6|xargs rm -f > > I gave 6 days as sendmail will anyway abort after 5 days delivery. Thus > files older than that anyway would be broken files. > > Mohan > > -----Original Message----- > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On > Behalf Of David Closson > Sent: Tuesday, March 11, 2003 1:27 AM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: accumulation of files in /var/spool/mqueue.in > > > OK, I figured as much. Thank you for the rapid response. > > We are processing about 350,000 emails a day (heavier day) with > MailScanner and Spamassassin. This figure is combined in and out for > all of our users. > > > _________ > Sincerely, > David Closson > 209-736-0111 
> > > > > >> From: Julian Field >> Reply-To: MailScanner mailing list >> To: MAILSCANNER@JISCMAIL.AC.UK >> Subject: Re: accumulation of files in /var/spool/mqueue.in >> Date: Mon, 10 Mar 2003 19:27:44 +0000 >> >> At 19:12 10/03/2003, you wrote: >>> Greetings, >>> >>> Using RH 7.3 >>> Using Sendmail 8.11-6 >>> MailScanner 4.13-3 >>> Using McAfee AV >>> >>> I have been happily using MailScanner for almost a year now and have >>> had to remove the accumulation of files in /var/spool/mqueue.in after >>> a month or so. >>> >>> I am not sure if these are messages already delivered and were not >>> removed or ? >>> >>> I have had no reports of missing email. >> >> If they are stray files that aren't part of a matching qf / df pair, >> then you can safely delete them. If an SMTP session into your server >> gets interrupted for some reason, a stray file will be left behind. >> The > >> server at the far end of the session knows that its message >> transmission got interrupted and will retry anyway. SMTP is designed >> pretty carefully to ensure things don't get lost in transit. >> -- >> Julian Field >> www.MailScanner.info >> Professional Support Services at www.MailScanner.biz MailScanner >> thanks > >> transtec Computers for their support > > > _________________________________________________________________ > Add photos to your e-mail with MSN 8. Get 2 months FREE*. > http://join.msn.com/?page=features/featuredemail > > -- > This message checked for dangerous content by MailScanner on StrongBox. > -- This message checked for dangerous content by MailScanner on StrongBox. From mailscanner at BARENDSE.TO Tue Mar 11 08:01:36 2003 
From: mailscanner at BARENDSE.TO (Remco Barendse) Date: Thu Jan 12 21:17:27 2006 Subject: Bug in filename rules handling? Message-ID: This morning we have received a message with filename extension hiding. The attachment is named ACN.DOC.xls.doc Mar 10 17:38:12 linux MailScanner[17336]: New Batch: Scanning 1 messages, 38249 bytes Mar 10 17:38:12 linux MailScanner[17336]: Virus and Content Scanning: Starting Mar 10 17:38:12 linux MailScanner[17336]: Filename Checks: Found possible filename hiding (ACN.DOC.xls.doc) Mar 10 17:38:12 linux MailScanner[17336]: Other Checks: Found 1 problems Mar 10 17:38:12 linux MailScanner[17336]: Saved entire message to /var/spool/MailScanner/quarantine/20030310/h2AGcBSh018875 Mar 10 17:38:12 linux MailScanner[17336]: Cleaned: Delivered 1 cleaned messages Although a notification was sent to postmaster that a virus had been caught, and the message subject was correctly modified and there was a notification inside the message to look inside VirusWarning.txt things didn't work. The attachment was let through 'as-is' without renaming or without removing it. Furthermore there was no VirusWarning.txt attached to the mail message although the body of the message referred to it. I have set however that warnings should *not* be sent as an attachment so maybe this is another bug? Things worked fine with the 4.12 release, this was found on release 4.13-3 The message went through our Exchange server and because of a forward rule the message was sent outside again. Again MailScanner reported the problem but did not remove the attachment! -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From craig at STRONG-BOX.NET Tue Mar 11 08:06:47 2003 
From: craig at STRONG-BOX.NET (Craig Pratt) Date: Thu Jan 12 21:17:27 2006 Subject: Bug in filename rules handling? In-Reply-To: Message-ID: <67FF0AEE-5398-11D7-AF6E-000393B9390A@strong-box.net> Have any of the "X-MailScanner" headers been added to the message? If not, this might mean that MailScanner is not actually the one delivering the message. Is it possible that sendmail is running behind MS's back? Craig On Tuesday, March 11, 2003, at 12:01 AM, Remco Barendse wrote: > This morning we have received a message with filename extension hiding. > The attachment is named ACN.DOC.xls.doc > > Mar 10 17:38:12 linux MailScanner[17336]: New Batch: Scanning 1 > messages, 38249 bytes > Mar 10 17:38:12 linux MailScanner[17336]: Virus and Content Scanning: > Starting > Mar 10 17:38:12 linux MailScanner[17336]: Filename Checks: Found > possible filename hiding (ACN.DOC.xls.doc) > Mar 10 17:38:12 linux MailScanner[17336]: Other Checks: Found 1 > problems > Mar 10 17:38:12 linux MailScanner[17336]: Saved entire message to > /var/spool/MailScanner/quarantine/20030310/h2AGcBSh018875 > Mar 10 17:38:12 linux MailScanner[17336]: Cleaned: Delivered 1 cleaned > messages > > Although a notification was sent to postmaster that a virus had been > caught, and the message subject was correctly modified and there was a > notification inside the message to look inside VirusWarning.txt things > didn't work. > > The attachment was let through 'as-is' without renaming or without > removing it. Furthermore there was no VirusWarning.txt attached to the > mail message although the body of the message referred to it. I have > set > however that warnings should *not* be sent as an attachment so maybe > this > is another bug? > > Things worked fine with the 4.12 release, this was found on release > 4.13-3 > > The message went through our Exchange server and because of a forward > rule > the message was sent outside again. Again MailScanner reported the > problem > but did not remove the attachment! 
> > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > Craig Pratt Strongbox Network Services Inc. mailto:craig@strong-box.net -- This message checked for dangerous content by MailScanner on StrongBox. From mailscanner at BARENDSE.TO Tue Mar 11 08:36:59 2003 
From: mailscanner at BARENDSE.TO (Remco Barendse) Date: Thu Jan 12 21:17:27 2006 Subject: Bug in filename rules handling? In-Reply-To: <67FF0AEE-5398-11D7-AF6E-000393B9390A@strong-box.net> Message-ID: Yes the headers were added as they should and the header also said 'found to be infected' Everything seems to be OK but the attachment was not removed and the VirusWarning was not inserted in the message as it should nor was it sent as an attachment. On Tue, 11 Mar 2003, Craig Pratt wrote: > Have any of the "X-MailScanner" headers been added to the message? > > If not, this might mean that MailScanner is not actually the one > delivering the message. Is it possible that sendmail is running behind > MS's back? > > Craig > > On Tuesday, March 11, 2003, at 12:01 AM, Remco Barendse wrote: > > This morning we have received a message with filename extension hiding. > > The attachment is named ACN.DOC.xls.doc > > > > Mar 10 17:38:12 linux MailScanner[17336]: New Batch: Scanning 1 > > messages, 38249 bytes > > Mar 10 17:38:12 linux MailScanner[17336]: Virus and Content Scanning: > > Starting > > Mar 10 17:38:12 linux MailScanner[17336]: Filename Checks: Found > > possible filename hiding (ACN.DOC.xls.doc) > > Mar 10 17:38:12 linux MailScanner[17336]: Other Checks: Found 1 > > problems > > Mar 10 17:38:12 linux MailScanner[17336]: Saved entire message to > > /var/spool/MailScanner/quarantine/20030310/h2AGcBSh018875 > > Mar 10 17:38:12 linux MailScanner[17336]: Cleaned: Delivered 1 cleaned > > messages > > > > Although a notification was sent to postmaster that a virus had been > > caught, and the message subject was correctly modified and there was a > > notification inside the message to look inside VirusWarning.txt things > > didn't work. > > > > The attachment was let through 'as-is' without renaming or without > > removing it. Furthermore there was no VirusWarning.txt attached to the > > mail message although the body of the message referred to it. 
I have > > set > > however that warnings should *not* be sent as an attachment so maybe > > this > > is another bug? > > > > Things worked fine with the 4.12 release, this was found on release > > 4.13-3 > > > > The message went through our Exchange server and because of a forward > > rule > > the message was sent outside again. Again MailScanner reported the > > problem > > but did not remove the attachment! > > > > > > -- > > This message has been scanned for viruses and > > dangerous content by MailScanner, and is > > believed to be clean. > > > Craig Pratt > Strongbox Network Services Inc. > mailto:craig@strong-box.net > > > -- > This message checked for dangerous content by MailScanner on StrongBox. > -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From craig at STRONG-BOX.NET Tue Mar 11 08:46:27 2003 
From: craig at STRONG-BOX.NET (Craig Pratt)
Date: Thu Jan 12 21:17:27 2006
Subject: Bug in filename rules handling?
In-Reply-To:
Message-ID:

How about the "Deliver Disinfected Files" option? Wouldn't that produce
the behavior you're seeing?

# Should I attempt to disinfect infected attachments and then deliver
# the clean ones. "Disinfection" involves removing viruses from files
# (such as removing macro viruses from documents). "Cleaning" is the
# replacement of infected attachments with "VirusWarning.txt" text
# attachments.
# This can also be the filename of a ruleset.
Deliver Disinfected Files = yes

On Tuesday, March 11, 2003, at 12:36 AM, Remco Barendse wrote:
> Yes the headers were added as they should and the header also said 'found
> to be infected'
>
> Everything seems to be OK but the attachment was not removed and the
> VirusWarning was not inserted in the message as it should nor was it sent
> as an attachment.
>
> On Tue, 11 Mar 2003, Craig Pratt wrote:
>
>> Have any of the "X-MailScanner" headers been added to the message?
>>
>> If not, this might mean that MailScanner is not actually the one
>> delivering the message. Is it possible that sendmail is running behind
>> MS's back?
>>
>> Craig
>>
>> On Tuesday, March 11, 2003, at 12:01 AM, Remco Barendse wrote:
>>> This morning we have received a message with filename extension hiding.
>>> The attachment is named ACN.DOC.xls.doc
>>>
>>> Mar 10 17:38:12 linux MailScanner[17336]: New Batch: Scanning 1 messages, 38249 bytes
>>> Mar 10 17:38:12 linux MailScanner[17336]: Virus and Content Scanning: Starting
>>> Mar 10 17:38:12 linux MailScanner[17336]: Filename Checks: Found possible filename hiding (ACN.DOC.xls.doc)
>>> Mar 10 17:38:12 linux MailScanner[17336]: Other Checks: Found 1 problems
>>> Mar 10 17:38:12 linux MailScanner[17336]: Saved entire message to /var/spool/MailScanner/quarantine/20030310/h2AGcBSh018875
>>> Mar 10 17:38:12 linux MailScanner[17336]: Cleaned: Delivered 1 cleaned messages
>>>
>>> Although a notification was sent to postmaster that a virus had been
>>> caught, and the message subject was correctly modified and there was a
>>> notification inside the message to look inside VirusWarning.txt things
>>> didn't work.
>>>
>>> The attachment was let through 'as-is' without renaming or without
>>> removing it. Furthermore there was no VirusWarning.txt attached to the
>>> mail message although the body of the message referred to it. I have set
>>> however that warnings should *not* be sent as an attachment so maybe this
>>> is another bug?
>>>
>>> Things worked fine with the 4.12 release, this was found on release
>>> 4.13-3
>>>
>>> The message went through our Exchange server and because of a forward rule
>>> the message was sent outside again. Again MailScanner reported the problem
>>> but did not remove the attachment!
>>>
>>>
>>> --
>>> This message has been scanned for viruses and
>>> dangerous content by MailScanner, and is
>>> believed to be clean.
>>>
>> Craig Pratt
>> Strongbox Network Services Inc.
>> mailto:craig@strong-box.net
>>
>>
>> --
>> This message checked for dangerous content by MailScanner on StrongBox.
>>
>
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
>
Craig Pratt
Strongbox Network Services Inc.
mailto:craig@strong-box.net

--
This message checked for dangerous content by MailScanner on StrongBox.

From mailscanner at ecs.soton.ac.uk Tue Mar 11 08:39:15 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:27 2006
Subject: accumulation of files in /var/spool/mqueue.in
In-Reply-To:
References: <000a01c2e76f$057eb010$7e6041db@18yamuna>
Message-ID: <5.2.0.9.2.20030311083805.02f394d0@imap.ecs.soton.ac.uk>

At 02:47 11/03/2003, you wrote:
>What I'm wondering, though, is it safe to delete the files in mqueue.in
>with sendmail/MailScanner running? [sounds like a potential FAQ, as
>well]

It's pretty safe, yes. The worst that can happen is that you manage to kill
a MailScanner child process, which will cause it to produce a replacement
child process.
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From P.G.M.Peters at civ.utwente.nl Tue Mar 11 09:46:11 2003
From: P.G.M.Peters at civ.utwente.nl (Peter Peters)
Date: Thu Jan 12 21:17:27 2006
Subject: Subject Text
Message-ID:

Hi,

I have a feature request. MS offers the possibility to have different
strings prepended to the Subject: header in case of a virus disinfected
by the anti-virus engine and in case of a filename test. I use Virus
Subject Text = {VIRUS!} and Filename Subject Text = {Virus?} to
distinguish between a sure virus and a potential risk.

It seems MS also uses the string from Virus Subject Text when an IFrame
or Object Codebase Tag is detected but I would like to have a separate
text for that. Could it be made to have "IFrame Subject Text" and
"Object Codebase Subject Text" entries in MailScanner.conf?

--
Peter Peters, senior network administrator
Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE)
Universiteit Twente, Postbus 217, 7500 AE Enschede
telephone: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/civ

From tal at MUSICGENOME.COM Tue Mar 11 10:27:09 2003
From: tal at MUSICGENOME.COM (Tal Kelrich)
Date: Thu Jan 12 21:17:27 2006
Subject: endless respawning with SA enabled
Message-ID: <1047378429.2582.71.camel@johnny5>

Hi,

I've recently upgraded to mailscanner 4.13, and SA 2.50 (patched)
now, whenever I enable SA, mailscanner respawns endlessly, without any
processing done. works perfectly when disabled.
as far as I can tell, it quits sometime in the SA init stage, but I still
haven't looked too deeply there.

Thanks in advance,
Tal Kelrich

--
Tal Kelrich
PGP fingerprint: 3EDF FCC5 60BB 4729 AB2F CAE6 FEC1 9AAC 12B9 AA69
Key Available at: http://www.hasturkun.com/pub.txt
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030311/b9734e03/attachment.bin

From iah at DMU.AC.UK Tue Mar 11 10:59:32 2003
From: iah at DMU.AC.UK (Andy Humberston)
Date: Thu Jan 12 21:17:27 2006
Subject: endless respawning with SA enabled
Message-ID:

> I've recently upgraded to mailscanner 4.13, and SA 2.50
> (patched) now, whenever I enable SA, mailscanner respawns
> endlessly, without any processing done. works perfectly when
> disabled. as far as I can tell, it quits sometime in the SA
> init stage, but I still haven't looked too deeply there.
>

I noticed a problem similar to this last week and upon
investigation I found the following settings (in
spam.assassin.prefs.conf) to help greatly:

# Settings taken from
# http://www.jiscmail.ac.uk/cgi-bin/wa.exe?A2=ind0208&L=mailscanner&P=R9717&I=-3
# SpamAssassin Performance Tips (isp-list@TULSACONNECT.COM)

# By default, spamassassin will change the Content-type: header of
# suspected spam to "text/plain". This is a safety feature. If you
# prefer to leave the Content-type header alone, set this to 0.
#
defang_mime 0

# By default, SpamAssassin will run RBL checks. If your ISP already
# does this, set this to 1.
#
skip_rbl_checks 1

# only check for a valid MX record once
check_mx_attempts 1

Andy

From mailscanner at BARENDSE.TO Tue Mar 11 11:09:16 2003
From: mailscanner at BARENDSE.TO (Remco Barendse) Date: Thu Jan 12 21:17:27 2006 Subject: Bug in filename rules handling? In-Reply-To: Message-ID: I have it set to yes but this has not changed the behaviour of MailScanner before. I think all files in the filename.rules.conf are treated equal? I would not like to be in a situation where somenewvirus.doc.scr would be allowed through because the latest virus definition couldn't recognize the virus and the attachment would then be passed on as 'safe'. Also the attachment wasn't replaced with the VirusWarning.txt! On Tue, 11 Mar 2003, Craig Pratt wrote: > How about the "Deliver Disinfected Files" option? Wouldn't that produce > the behavior you're seeing? > > # Should I attempt to disinfect infected attachments and then deliver > # the clean ones. "Disinfection" involves removing viruses from files > # (such as removing macro viruses from documents). "Cleaning" is the > # replacement of infected attachments with "VirusWarning.txt" text > # attachments. > # This can also be the filename of a ruleset. > Deliver Disinfected Files = yes > > On Tuesday, March 11, 2003, at 12:36 AM, Remco Barendse wrote: > > Yes the headers were added as they should and the header also said > > 'found > > to be infected' > > > > Everything seems to be OK but the attachment was not removed and the > > VirusWarning was not inserted in the message as it should nor was it > > sent > > as an attachment. > > > > On Tue, 11 Mar 2003, Craig Pratt wrote: > > > >> Have any of the "X-MailScanner" headers been added to the message? > >> > >> If not, this might mean that MailScanner is not actually the one > >> delivering the message. Is it possible that sendmail is running behind > >> MS's back? > >> > >> Craig > >> > >> On Tuesday, March 11, 2003, at 12:01 AM, Remco Barendse wrote: > >>> This morning we have received a message with filename extension > >>> hiding. 
> >>> The attachment is named ACN.DOC.xls.doc > >>> > >>> Mar 10 17:38:12 linux MailScanner[17336]: New Batch: Scanning 1 > >>> messages, 38249 bytes > >>> Mar 10 17:38:12 linux MailScanner[17336]: Virus and Content Scanning: > >>> Starting > >>> Mar 10 17:38:12 linux MailScanner[17336]: Filename Checks: Found > >>> possible filename hiding (ACN.DOC.xls.doc) > >>> Mar 10 17:38:12 linux MailScanner[17336]: Other Checks: Found 1 > >>> problems > >>> Mar 10 17:38:12 linux MailScanner[17336]: Saved entire message to > >>> /var/spool/MailScanner/quarantine/20030310/h2AGcBSh018875 > >>> Mar 10 17:38:12 linux MailScanner[17336]: Cleaned: Delivered 1 > >>> cleaned > >>> messages > >>> > >>> Although a notification was sent to postmaster that a virus had been > >>> caught, and the message subject was correctly modified and there was > >>> a > >>> notification inside the message to look inside VirusWarning.txt > >>> things > >>> didn't work. > >>> > >>> The attachment was let through 'as-is' without renaming or without > >>> removing it. Furthermore there was no VirusWarning.txt attached to > >>> the > >>> mail message although the body of the message referred to it. I have > >>> set > >>> however that warnings should *not* be sent as an attachment so maybe > >>> this > >>> is another bug? > >>> > >>> Things worked fine with the 4.12 release, this was found on release > >>> 4.13-3 > >>> > >>> The message went through our Exchange server and because of a forward > >>> rule > >>> the message was sent outside again. Again MailScanner reported the > >>> problem > >>> but did not remove the attachment! > >>> > >>> > >>> -- > >>> This message has been scanned for viruses and > >>> dangerous content by MailScanner, and is > >>> believed to be clean. > >>> > >> Craig Pratt > >> Strongbox Network Services Inc. > >> mailto:craig@strong-box.net > >> > >> > >> -- > >> This message checked for dangerous content by MailScanner on > >> StrongBox. 
> >> > > > > > > -- > > This message has been scanned for viruses and > > dangerous content by MailScanner, and is > > believed to be clean. > > > Craig Pratt > Strongbox Network Services Inc. > mailto:craig@strong-box.net > > > -- > This message checked for dangerous content by MailScanner on StrongBox. > -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From mailscanner at ecs.soton.ac.uk Tue Mar 11 11:29:00 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:27 2006 Subject: Bug in filename rules handling? In-Reply-To: References: Message-ID: <5.2.0.9.2.20030311112651.03ba49c8@imap.ecs.soton.ac.uk> In the process of adding all the code to support proper checking of long/evil filenames, I screwed up. Please can you download and try out version 4.14-1, and let me know how you get on. URL's are Tar distribution: http://www.sng.ecs.soton.ac.uk/mailscanner/files/4/tar/MailScanner-4.13-3.tar RedHat (and others) RPM: http://www.sng.ecs.soton.ac.uk/mailscanner/files/4/rpm/MailScanner-4.13-3.rpm.tar SuSE: http://www.sng.ecs.soton.ac.uk/mailscanner/files/4/suse/MailScanner-4.13-3.suse.tar At 11:09 11/03/2003, you wrote: >I have it set to yes but this has not changed the behaviour of MailScanner >before. I think all files in the filename.rules.conf are treated equal? > >I would not like to be in a situation where somenewvirus.doc.scr would be >allowed through because the latest virus definition couldn't recognize the >virus and the attachment would then be passed on as 'safe'. > >Also the attachment wasn't replaced with the VirusWarning.txt! > >On Tue, 11 Mar 2003, Craig Pratt wrote: > > > How about the "Deliver Disinfected Files" option? Wouldn't that produce > > the behavior you're seeing? > > > > # Should I attempt to disinfect infected attachments and then deliver > > # the clean ones. "Disinfection" involves removing viruses from files > > # (such as removing macro viruses from documents). "Cleaning" is the > > # replacement of infected attachments with "VirusWarning.txt" text > > # attachments. > > # This can also be the filename of a ruleset. 
> > Deliver Disinfected Files = yes > > > > On Tuesday, March 11, 2003, at 12:36 AM, Remco Barendse wrote: > > > Yes the headers were added as they should and the header also said > > > 'found > > > to be infected' > > > > > > Everything seems to be OK but the attachment was not removed and the > > > VirusWarning was not inserted in the message as it should nor was it > > > sent > > > as an attachment. > > > > > > On Tue, 11 Mar 2003, Craig Pratt wrote: > > > > > >> Have any of the "X-MailScanner" headers been added to the message? > > >> > > >> If not, this might mean that MailScanner is not actually the one > > >> delivering the message. Is it possible that sendmail is running behind > > >> MS's back? > > >> > > >> Craig > > >> > > >> On Tuesday, March 11, 2003, at 12:01 AM, Remco Barendse wrote: > > >>> This morning we have received a message with filename extension > > >>> hiding. > > >>> The attachment is named ACN.DOC.xls.doc > > >>> > > >>> Mar 10 17:38:12 linux MailScanner[17336]: New Batch: Scanning 1 > > >>> messages, 38249 bytes > > >>> Mar 10 17:38:12 linux MailScanner[17336]: Virus and Content Scanning: > > >>> Starting > > >>> Mar 10 17:38:12 linux MailScanner[17336]: Filename Checks: Found > > >>> possible filename hiding (ACN.DOC.xls.doc) > > >>> Mar 10 17:38:12 linux MailScanner[17336]: Other Checks: Found 1 > > >>> problems > > >>> Mar 10 17:38:12 linux MailScanner[17336]: Saved entire message to > > >>> /var/spool/MailScanner/quarantine/20030310/h2AGcBSh018875 > > >>> Mar 10 17:38:12 linux MailScanner[17336]: Cleaned: Delivered 1 > > >>> cleaned > > >>> messages > > >>> > > >>> Although a notification was sent to postmaster that a virus had been > > >>> caught, and the message subject was correctly modified and there was > > >>> a > > >>> notification inside the message to look inside VirusWarning.txt > > >>> things > > >>> didn't work. > > >>> > > >>> The attachment was let through 'as-is' without renaming or without > > >>> removing it. 
Furthermore there was no VirusWarning.txt attached to > > >>> the > > >>> mail message although the body of the message referred to it. I have > > >>> set > > >>> however that warnings should *not* be sent as an attachment so maybe > > >>> this > > >>> is another bug? > > >>> > > >>> Things worked fine with the 4.12 release, this was found on release > > >>> 4.13-3 > > >>> > > >>> The message went through our Exchange server and because of a forward > > >>> rule > > >>> the message was sent outside again. Again MailScanner reported the > > >>> problem > > >>> but did not remove the attachment! > > >>> > > >>> > > >>> -- > > >>> This message has been scanned for viruses and > > >>> dangerous content by MailScanner, and is > > >>> believed to be clean. > > >>> > > >> Craig Pratt > > >> Strongbox Network Services Inc. > > >> mailto:craig@strong-box.net > > >> > > >> > > >> -- > > >> This message checked for dangerous content by MailScanner on > > >> StrongBox. > > >> > > > > > > > > > -- > > > This message has been scanned for viruses and > > > dangerous content by MailScanner, and is > > > believed to be clean. > > > > > Craig Pratt > > Strongbox Network Services Inc. > > mailto:craig@strong-box.net > > > > > > -- > > This message checked for dangerous content by MailScanner on StrongBox. > > > > >-- >This message has been scanned for viruses and >dangerous content by MailScanner, and is >believed to be clean. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From raymond at PROLOCATION.NET Tue Mar 11 11:38:22 2003 
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:17:27 2006
Subject: Bug in filename rules handling?
In-Reply-To: <5.2.0.9.2.20030311112651.03ba49c8@imap.ecs.soton.ac.uk>
Message-ID:

Hi!

> In the process of adding all the code to support proper checking of
> long/evil filenames, I screwed up.
>
> Please can you download and try out version 4.14-1, and let me know how you
> get on.
> URL's are
>
> Tar distribution:
> http://www.sng.ecs.soton.ac.uk/mailscanner/files/4/tar/MailScanner-4.13-3.tar

I guess you mean:

http://www.sng.ecs.soton.ac.uk/mailscanner/files/4/tar/MailScanner-4.14-1.tar

> RedHat (and others) RPM:
> http://www.sng.ecs.soton.ac.uk/mailscanner/files/4/rpm/MailScanner-4.13-3.rpm.tar

http://www.sng.ecs.soton.ac.uk/mailscanner/files/4/rpm/MailScanner-4.14-1.rpm.tar

> SuSE:
> http://www.sng.ecs.soton.ac.uk/mailscanner/files/4/suse/MailScanner-4.13-3.suse.tar

http://www.sng.ecs.soton.ac.uk/mailscanner/files/4/suse/MailScanner-4.14-1.suse.tar

Bye,
Raymond.

From mailscanner at BARENDSE.TO Tue Mar 11 11:57:00 2003
From: mailscanner at BARENDSE.TO (Remco Barendse) Date: Thu Jan 12 21:17:27 2006 Subject: Bug in filename rules handling? In-Reply-To: <5.2.0.9.2.20030311112651.03ba49c8@imap.ecs.soton.ac.uk> Message-ID: Thanks for checking! Is the error in the filename.rules.conf or in the MailScanner code? I have my own even more strict filename rules in place. Thanks!! Remco On Tue, 11 Mar 2003, Julian Field wrote: > In the process of adding all the code to support proper checking of > long/evil filenames, I screwed up. > > Please can you download and try out version 4.14-1, and let me know how you > get on. > URL's are > > Tar distribution: > http://www.sng.ecs.soton.ac.uk/mailscanner/files/4/tar/MailScanner-4.13-3.tar > > RedHat (and others) RPM: > http://www.sng.ecs.soton.ac.uk/mailscanner/files/4/rpm/MailScanner-4.13-3.rpm.tar > > SuSE: > http://www.sng.ecs.soton.ac.uk/mailscanner/files/4/suse/MailScanner-4.13-3.suse.tar > > At 11:09 11/03/2003, you wrote: > >I have it set to yes but this has not changed the behaviour of MailScanner > >before. I think all files in the filename.rules.conf are treated equal? > > > >I would not like to be in a situation where somenewvirus.doc.scr would be > >allowed through because the latest virus definition couldn't recognize the > >virus and the attachment would then be passed on as 'safe'. > > > >Also the attachment wasn't replaced with the VirusWarning.txt! > > > >On Tue, 11 Mar 2003, Craig Pratt wrote: > > > > > How about the "Deliver Disinfected Files" option? Wouldn't that produce > > > the behavior you're seeing? > > > > > > # Should I attempt to disinfect infected attachments and then deliver > > > # the clean ones. "Disinfection" involves removing viruses from files > > > # (such as removing macro viruses from documents). "Cleaning" is the > > > # replacement of infected attachments with "VirusWarning.txt" text > > > # attachments. > > > # This can also be the filename of a ruleset. 
> > > Deliver Disinfected Files = yes > > > > > > On Tuesday, March 11, 2003, at 12:36 AM, Remco Barendse wrote: > > > > Yes the headers were added as they should and the header also said > > > > 'found > > > > to be infected' > > > > > > > > Everything seems to be OK but the attachment was not removed and the > > > > VirusWarning was not inserted in the message as it should nor was it > > > > sent > > > > as an attachment. > > > > > > > > On Tue, 11 Mar 2003, Craig Pratt wrote: > > > > > > > >> Have any of the "X-MailScanner" headers been added to the message? > > > >> > > > >> If not, this might mean that MailScanner is not actually the one > > > >> delivering the message. Is it possible that sendmail is running behind > > > >> MS's back? > > > >> > > > >> Craig > > > >> > > > >> On Tuesday, March 11, 2003, at 12:01 AM, Remco Barendse wrote: > > > >>> This morning we have received a message with filename extension > > > >>> hiding. > > > >>> The attachment is named ACN.DOC.xls.doc > > > >>> > > > >>> Mar 10 17:38:12 linux MailScanner[17336]: New Batch: Scanning 1 > > > >>> messages, 38249 bytes > > > >>> Mar 10 17:38:12 linux MailScanner[17336]: Virus and Content Scanning: > > > >>> Starting > > > >>> Mar 10 17:38:12 linux MailScanner[17336]: Filename Checks: Found > > > >>> possible filename hiding (ACN.DOC.xls.doc) > > > >>> Mar 10 17:38:12 linux MailScanner[17336]: Other Checks: Found 1 > > > >>> problems > > > >>> Mar 10 17:38:12 linux MailScanner[17336]: Saved entire message to > > > >>> /var/spool/MailScanner/quarantine/20030310/h2AGcBSh018875 > > > >>> Mar 10 17:38:12 linux MailScanner[17336]: Cleaned: Delivered 1 > > > >>> cleaned > > > >>> messages > > > >>> > > > >>> Although a notification was sent to postmaster that a virus had been > > > >>> caught, and the message subject was correctly modified and there was > > > >>> a > > > >>> notification inside the message to look inside VirusWarning.txt > > > >>> things > > > >>> didn't work. 
> > > >>> > > > >>> The attachment was let through 'as-is' without renaming or without > > > >>> removing it. Furthermore there was no VirusWarning.txt attached to > > > >>> the > > > >>> mail message although the body of the message referred to it. I have > > > >>> set > > > >>> however that warnings should *not* be sent as an attachment so maybe > > > >>> this > > > >>> is another bug? > > > >>> > > > >>> Things worked fine with the 4.12 release, this was found on release > > > >>> 4.13-3 > > > >>> > > > >>> The message went through our Exchange server and because of a forward > > > >>> rule > > > >>> the message was sent outside again. Again MailScanner reported the > > > >>> problem > > > >>> but did not remove the attachment! > > > >>> > > > >>> > > > >>> -- > > > >>> This message has been scanned for viruses and > > > >>> dangerous content by MailScanner, and is > > > >>> believed to be clean. > > > >>> > > > >> Craig Pratt > > > >> Strongbox Network Services Inc. > > > >> mailto:craig@strong-box.net > > > >> > > > >> > > > >> -- > > > >> This message checked for dangerous content by MailScanner on > > > >> StrongBox. > > > >> > > > > > > > > > > > > -- > > > > This message has been scanned for viruses and > > > > dangerous content by MailScanner, and is > > > > believed to be clean. > > > > > > > Craig Pratt > > > Strongbox Network Services Inc. > > > mailto:craig@strong-box.net > > > > > > > > > -- > > > This message checked for dangerous content by MailScanner on StrongBox. > > > > > > > > >-- > >This message has been scanned for viruses and > >dangerous content by MailScanner, and is > >believed to be clean. > > -- > Julian Field > www.MailScanner.info > MailScanner thanks transtec Computers for their support > > -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From mailscanner at ecs.soton.ac.uk Tue Mar 11 11:48:15 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:27 2006
Subject: Bug in filename rules handling?
In-Reply-To:
References: <5.2.0.9.2.20030311112651.03ba49c8@imap.ecs.soton.ac.uk>
Message-ID: <5.2.0.9.2.20030311114740.03b48a50@imap.ecs.soton.ac.uk>

I'm not having a good day, am I? :)

Yes, I meant the 4.14-1 URLs.

At 11:38 11/03/2003, you wrote:
>Hi!
>
> > In the process of adding all the code to support proper checking of
> > long/evil filenames, I screwed up.
> >
> > Please can you download and try out version 4.14-1, and let me know how you
> > get on.
> > URL's are
> >
> > Tar distribution:
> > http://www.sng.ecs.soton.ac.uk/mailscanner/files/4/tar/MailScanner-4.13-3.tar
>
>I guess you mean:
>
>http://www.sng.ecs.soton.ac.uk/mailscanner/files/4/tar/MailScanner-4.14-1.tar
>
> > RedHat (and others) RPM:
> > http://www.sng.ecs.soton.ac.uk/mailscanner/files/4/rpm/MailScanner-4.13-3.rpm.tar
>
>http://www.sng.ecs.soton.ac.uk/mailscanner/files/4/rpm/MailScanner-4.14-1.rpm.tar
>
> > SuSE:
> > http://www.sng.ecs.soton.ac.uk/mailscanner/files/4/suse/MailScanner-4.13-3.suse.tar
>
>http://www.sng.ecs.soton.ac.uk/mailscanner/files/4/suse/MailScanner-4.14-1.suse.tar
>
>Bye,
>Raymond.

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From paul.hamilton at sme-ecom.co.uk Tue Mar 11 12:08:19 2003
From: paul.hamilton at sme-ecom.co.uk (Paul Hamilton)
Date: Thu Jan 12 21:17:27 2006
Subject: Delivering Quarantined Messages with their attachments
Message-ID: <000601c2e7c6$ea586e40$fc32000a@4>

Hi all,

Could someone just confirm the best procedure for forcing delivery of a
message out of MailScanner quarantine, so it is not scanned and
quarantined again. Particularly where the message contains three parts
i.e. dxxxxxxxxxxx, qxxxxxxxxxx and an attachment.

Is it a case of just copying all three to q1 or only the d & q message,
which will force the attachment to automatically be delivered.

Thanks in advance

Paul H.

From Jan-Peter.Koopmann at SECEIDOS.DE Tue Mar 11 12:12:25 2003
From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann)
Date: Thu Jan 12 21:17:27 2006
Subject: Bayes problem with MailScanner
Message-ID: <4E7026FF8A422749B1553FE508E0068007EF34@message.intern.akctech.de>

Hi Julian,

> Does it change if you do a
> sa-learn --rebuild

Nope but we are getting close. To be exact: I have it working here now
but I need you to verify something for me. I noticed that I have four
databases in my /var/spool/spamassassin file

bayes_seen
bayes_seen.db
bayes_toks
bayes_toks.db

I always ignored the ones without .db. The strange thing is that
sa-learn and check_bayes_db always worked on the files without .db but
spamassassin called via MailScanner always used the ones with .db. Since
the one with .db only grew via auto-learn though, there were only 53
spams in there indeed and bayes did not work. I linked the files now and
suddenly it works. I get BAYES scores in the headers and everything.

I looked through the SA source code and could not find any reason for
this behaviour. Especially why spamassassin -t uses bayes_toks and
MailScanner uses bayes_toks.db but hey... I am no perl guru.

So please have a look at your database dirs and see if you have
"duplicates" as well. This would explain it then.

Regards,
JP

From mailscanner at BARENDSE.TO Tue Mar 11 12:17:47 2003
From: mailscanner at BARENDSE.TO (Remco Barendse)
Date: Thu Jan 12 21:17:27 2006
Subject: Bug in filename rules handling?
In-Reply-To: <5.2.0.9.2.20030311114740.03b48a50@imap.ecs.soton.ac.uk>
Message-ID:

:)

Indeed in 4.14-1 the problem is fixed now, I get the warnings as they
should.

The other minor bug is still there tho. I have set Warning Is Attachment =
no in my MailScanner.conf and still this warning is an attachment.

Nothing serious but my users get scared if there's any vague report of
viruses and will not open any attachment, even the VirusWarning.txt :)

Thanks for fixing the problem!

Remco


On Tue, 11 Mar 2003, Julian Field wrote:

> I'm not having a good day, am I? :)
>
> Yes, I meant the 4.14-1 URLs.
>
> At 11:38 11/03/2003, you wrote:
> >Hi!
> >
> > > In the process of adding all the code to support proper checking of
> > > long/evil filenames, I screwed up.
> > >
> > > Please can you download and try out version 4.14-1, and let me know how you
> > > get on.
> > > URL's are
> > >
> > > Tar distribution:
> > > http://www.sng.ecs.soton.ac.uk/mailscanner/files/4/tar/MailScanner-4.13-3.tar
> >
> >I guess you mean:
> >
> >http://www.sng.ecs.soton.ac.uk/mailscanner/files/4/tar/MailScanner-4.14-1.tar
> >
> > > RedHat (and others) RPM:
> > > http://www.sng.ecs.soton.ac.uk/mailscanner/files/4/rpm/MailScanner-4.13-3.rpm.tar
> >
> >http://www.sng.ecs.soton.ac.uk/mailscanner/files/4/rpm/MailScanner-4.14-1.rpm.tar
> >
> > > SuSE:
> > > http://www.sng.ecs.soton.ac.uk/mailscanner/files/4/suse/MailScanner-4.13-3.suse.tar
> >
> >http://www.sng.ecs.soton.ac.uk/mailscanner/files/4/suse/MailScanner-4.14-1.suse.tar
> >
> >Bye,
> >Raymond.
>
> --
> Julian Field
> www.MailScanner.info
> MailScanner thanks transtec Computers for their support
>
>
--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From mailscanner at ecs.soton.ac.uk Tue Mar 11 12:29:00 2003
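Added example (not part of any list message and not MailScanner code): a post-delivery regression check for the failure reported in this thread, where a message was flagged by the scanner yet the attachment named in the filename check was still delivered and no VirusWarning.txt was attached. The header match, the "infected" wording, the regular expression and both sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string

# Assumption: an approximation of a "filename hiding" check, i.e. an
# extension-like token followed by a final three-character extension.
HIDING_RE = re.compile(r"\.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$", re.IGNORECASE)
WARNING_NAME = "VirusWarning.txt"


def attachment_names(msg):
    """Filenames of all MIME parts. get_filename() falls back from the
    Content-Disposition 'filename' to the Content-Type 'name' parameter."""
    return [p.get_filename() for p in msg.walk() if p.get_filename()]


def flagged_by_scanner(msg, marker="mailscanner"):
    """True if a scanner header reports an infection (header naming assumed)."""
    return any(marker in name.lower() and "infected" in value.lower()
               for name, value in msg.items())


def audit(raw):
    """Classify a delivered message by comparing the verdict in its headers
    with the attachments that actually survived delivery."""
    msg = message_from_string(raw)
    names = attachment_names(msg)
    leaked = [n for n in names if HIDING_RE.search(n)]
    flagged = flagged_by_scanner(msg)
    if leaked:
        # Flagged but still attached is the regression described above.
        status = "flagged_not_cleaned" if flagged else "missed"
    else:
        status = "cleaned" if flagged else "clean"
    return {"status": status, "leaked": leaked,
            "warning_present": WARNING_NAME in names}


# Constructed sample: flagged in the headers, attachment still present
# (named only via Content-Type), body mentions a warning that is not attached.
FLAGGED_NOT_CLEANED = """\
From: sender@example.com
To: user@example.org
Subject: {Virus?} quarterly figures
X-MailScanner: Found to be infected
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Warning: please read the "VirusWarning.txt" attachment.
--b1
Content-Type: application/msword; name="ACN.DOC.xls.doc"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""

# Constructed sample: flagged, attachment replaced by the warning text.
CLEANED = """\
From: sender@example.com
To: user@example.org
Subject: {Virus?} quarterly figures
X-MailScanner: Found to be infected
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Warning: please read the "VirusWarning.txt" attachment.
--b1
Content-Type: text/plain; name="VirusWarning.txt"
Content-Disposition: attachment; filename="VirusWarning.txt"

The original attachment was removed by the scanner.
--b1--
"""

if __name__ == "__main__":
    for label, raw in (("regression", FLAGGED_NOT_CLEANED), ("fixed", CLEANED)):
        print(label, audit(raw))
```

Running it against a message saved from the mail client after an upgrade shows whether the verdict in the headers and the delivered attachments agree.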
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:27 2006
Subject: endless respawning with SA enabled
In-Reply-To:
Message-ID: <5.2.0.9.2.20030311122755.037389b8@imap.ecs.soton.ac.uk>

What does your maillog say?
Does the user you are using to run MailScanner have a real home directory?
The SpamAssassin init code fails if there isn't a home directory it can
write to. Most commonly a problem when people are using Exim (as they run
as non-root).

At 10:59 11/03/2003, you wrote:
> > I've recently upgraded to mailscanner 4.13, and SA 2.50
> > (patched) now, whenever I enable SA, mailscanner respawns
> > endlessly, without any processing done. works perfectly when
> > disabled. as far as I can tell, it quits sometime in the SA
> > init stage, but I still haven't looked too deeply there.
> >
>
>I noticed a problem similar to this last week and upon
>investigation I found the following settings (in
>spam.assassin.prefs.conf) to help greatly:
>
># Settings taken from
># http://www.jiscmail.ac.uk/cgi-bin/wa.exe?A2=ind0208&L=mailscanner&P=R9717&I=-3
># SpamAssassin Performance Tips (isp-list@TULSACONNECT.COM)
>
># By default, spamassassin will change the Content-type: header of
># suspected spam to "text/plain". This is a safety feature. If you
># prefer to leave the Content-type header alone, set this to 0.
>#
>defang_mime 0
>
># By default, SpamAssassin will run RBL checks. If your ISP already
># does this, set this to 1.
>#
>skip_rbl_checks 1
>
># only check for a valid MX record once
>check_mx_attempts 1
>
>Andy

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Tue Mar 11 12:25:49 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:27 2006 Subject: Bug in filename rules handling? In-Reply-To: References: <5.2.0.9.2.20030311112651.03ba49c8@imap.ecs.soton.ac.uk> Message-ID: <5.2.0.9.2.20030311122528.03b591d8@imap.ecs.soton.ac.uk> At 11:57 11/03/2003, you wrote: >Thanks for checking! > >Is the error in the filename.rules.conf or in the MailScanner code? I have >my own even more strict filename rules in place. In the mailscanner code. >Thanks!! > >Remco > >On Tue, 11 Mar 2003, Julian Field wrote: > > > In the process of adding all the code to support proper checking of > > long/evil filenames, I screwed up. > > > > Please can you download and try out version 4.14-1, and let me know how you > > get on. > > URL's are > > > > Tar distribution: > > > http://www.sng.ecs.soton.ac.uk/mailscanner/files/4/tar/MailScanner-4.13-3.tar > > > > RedHat (and others) RPM: > > > http://www.sng.ecs.soton.ac.uk/mailscanner/files/4/rpm/MailScanner-4.13-3.rpm.tar > > > > SuSE: > > > http://www.sng.ecs.soton.ac.uk/mailscanner/files/4/suse/MailScanner-4.13-3.suse.tar > > > > At 11:09 11/03/2003, you wrote: > > >I have it set to yes but this has not changed the behaviour of MailScanner > > >before. I think all files in the filename.rules.conf are treated equal? > > > > > >I would not like to be in a situation where somenewvirus.doc.scr would be > > >allowed through because the latest virus definition couldn't recognize the > > >virus and the attachment would then be passed on as 'safe'. > > > > > >Also the attachment wasn't replaced with the VirusWarning.txt! > > > > > >On Tue, 11 Mar 2003, Craig Pratt wrote: > > > > > > > How about the "Deliver Disinfected Files" option? Wouldn't that produce > > > > the behavior you're seeing? > > > > > > > > # Should I attempt to disinfect infected attachments and then deliver > > > > # the clean ones. "Disinfection" involves removing viruses from files > > > > # (such as removing macro viruses from documents). 
"Cleaning" is the > > > > # replacement of infected attachments with "VirusWarning.txt" text > > > > # attachments. > > > > # This can also be the filename of a ruleset. > > > > Deliver Disinfected Files = yes > > > > > > > > On Tuesday, March 11, 2003, at 12:36 AM, Remco Barendse wrote: > > > > > Yes the headers were added as they should and the header also said > > > > > 'found > > > > > to be infected' > > > > > > > > > > Everything seems to be OK but the attachment was not removed and the > > > > > VirusWarning was not inserted in the message as it should nor was it > > > > > sent > > > > > as an attachment. > > > > > > > > > > On Tue, 11 Mar 2003, Craig Pratt wrote: > > > > > > > > > >> Have any of the "X-MailScanner" headers been added to the message? > > > > >> > > > > >> If not, this might mean that MailScanner is not actually the one > > > > >> delivering the message. Is it possible that sendmail is running > behind > > > > >> MS's back? > > > > >> > > > > >> Craig > > > > >> > > > > >> On Tuesday, March 11, 2003, at 12:01 AM, Remco Barendse wrote: > > > > >>> This morning we have received a message with filename extension > > > > >>> hiding. 
> > > > >>> The attachment is named ACN.DOC.xls.doc > > > > >>> > > > > >>> Mar 10 17:38:12 linux MailScanner[17336]: New Batch: Scanning 1 > > > > >>> messages, 38249 bytes > > > > >>> Mar 10 17:38:12 linux MailScanner[17336]: Virus and Content > Scanning: > > > > >>> Starting > > > > >>> Mar 10 17:38:12 linux MailScanner[17336]: Filename Checks: Found > > > > >>> possible filename hiding (ACN.DOC.xls.doc) > > > > >>> Mar 10 17:38:12 linux MailScanner[17336]: Other Checks: Found 1 > > > > >>> problems > > > > >>> Mar 10 17:38:12 linux MailScanner[17336]: Saved entire message to > > > > >>> /var/spool/MailScanner/quarantine/20030310/h2AGcBSh018875 > > > > >>> Mar 10 17:38:12 linux MailScanner[17336]: Cleaned: Delivered 1 > > > > >>> cleaned > > > > >>> messages > > > > >>> > > > > >>> Although a notification was sent to postmaster that a virus had > been > > > > >>> caught, and the message subject was correctly modified and > there was > > > > >>> a > > > > >>> notification inside the message to look inside VirusWarning.txt > > > > >>> things > > > > >>> didn't work. > > > > >>> > > > > >>> The attachment was let through 'as-is' without renaming or without > > > > >>> removing it. Furthermore there was no VirusWarning.txt attached to > > > > >>> the > > > > >>> mail message although the body of the message referred to it. I > have > > > > >>> set > > > > >>> however that warnings should *not* be sent as an attachment so > maybe > > > > >>> this > > > > >>> is another bug? > > > > >>> > > > > >>> Things worked fine with the 4.12 release, this was found on release > > > > >>> 4.13-3 > > > > >>> > > > > >>> The message went through our Exchange server and because of a > forward > > > > >>> rule > > > > >>> the message was sent outside again. Again MailScanner reported the > > > > >>> problem > > > > >>> but did not remove the attachment! 
> > > > >>>
> > > > >>>
> > > > >>> --
> > > > >>> This message has been scanned for viruses and
> > > > >>> dangerous content by MailScanner, and is
> > > > >>> believed to be clean.
> > > > >>>
> > > > >> Craig Pratt
> > > > >> Strongbox Network Services Inc.
> > > > >> mailto:craig@strong-box.net
> > > > >>
> > > > >>
> > > > >> --
> > > > >> This message checked for dangerous content by MailScanner on
> > > > >> StrongBox.
> > > > >>
> > > > >
> > > > >
> > > > > --
> > > > > This message has been scanned for viruses and
> > > > > dangerous content by MailScanner, and is
> > > > > believed to be clean.
> > > > >
> > > > Craig Pratt
> > > > Strongbox Network Services Inc.
> > > > mailto:craig@strong-box.net
> > > >
> > > >
> > > > --
> > > > This message checked for dangerous content by MailScanner on StrongBox.
> > > >
> > >
> > >
> > >--
> > >This message has been scanned for viruses and
> > >dangerous content by MailScanner, and is
> > >believed to be clean.
> >
> > --
> > Julian Field
> > www.MailScanner.info
> > MailScanner thanks transtec Computers for their support
> >
> >
> >
>--
>This message has been scanned for viruses and
>dangerous content by MailScanner, and is
>believed to be clean.

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Tue Mar 11 12:27:12 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:27 2006
Subject: Bug in filename rules handling?
In-Reply-To:
References: <5.2.0.9.2.20030311114740.03b48a50@imap.ecs.soton.ac.uk>
Message-ID: <5.2.0.9.2.20030311122601.03bc3af8@imap.ecs.soton.ac.uk>

At 12:17 11/03/2003, you wrote:
>:)
>
>Indeed in 4.14-1 the problem is fixed now, I get the warnings as they
>should.

Can someone else confirm that this version is working okay, then I'll put
it up on the main web site.

>The other minor bug is still there tho. I have set Warning Is Attachment =
>no in my MailScanner.conf and still this warning is an attachment.

That's down to incorrect handling in email apps.

>Nothing serious but my users get scared if there's any vague report of
>viruses and will not open any attachment, even the VirusWarning.txt :)

I'll take a look at this when I get time, it's not a major problem.

>Thanks for fixing the problem!
>
>Remco
>
>
>On Tue, 11 Mar 2003, Julian Field wrote:
>
> > I'm not having a good day, am I? :)
> >
> > Yes, I meant the 4.14-1 URLs.
> >
> > At 11:38 11/03/2003, you wrote:
> > >Hi!
> > >
> > > > In the process of adding all the code to support proper checking of
> > > > long/evil filenames, I screwed up.
> > > >
> > > > Please can you download and try out version 4.14-1, and let me know how you
> > > > get on.
> > > > URL's are
> > > >
> > > > Tar distribution:
> > > >
> > > > http://www.sng.ecs.soton.ac.uk/mailscanner/files/4/tar/MailScanner-4.13-3.tar
> > >
> > >I guess you mean:
> > >
> > >http://www.sng.ecs.soton.ac.uk/mailscanner/files/4/tar/MailScanner-4.14-1.tar
> > >
> > > > RedHat (and others) RPM:
> > > >
> > > > http://www.sng.ecs.soton.ac.uk/mailscanner/files/4/rpm/MailScanner-4.13-3.rpm.tar
> > >
> > >http://www.sng.ecs.soton.ac.uk/mailscanner/files/4/rpm/MailScanner-4.14-1.rpm.tar
> > >
> > > > SuSE:
> > > >
> > > > http://www.sng.ecs.soton.ac.uk/mailscanner/files/4/suse/MailScanner-4.13-3.suse.tar
> > >
> > >http://www.sng.ecs.soton.ac.uk/mailscanner/files/4/suse/MailScanner-4.14-1.suse.tar
> > >
> > >Bye,
> > >Raymond.
> >
> > --
> > Julian Field
> > www.MailScanner.info
> > MailScanner thanks transtec Computers for their support
> >
> >
> >
>--
>This message has been scanned for viruses and
>dangerous content by MailScanner, and is
>believed to be clean.

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From tal at MUSICGENOME.COM Tue Mar 11 13:11:16 2003
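The failure reported in the thread above (the log records a filename-hiding hit and a "cleaned" delivery, yet the attachment arrives intact and no VirusWarning.txt is present) can be checked mechanically after an upgrade. The following Python is an added example, not part of any post and not MailScanner code; the log lines are those quoted in the thread, while the two test messages, the function names and the example.com addresses are constructed, and it assumes the warning is delivered as a MIME part named VirusWarning.txt.

```python
import re
from email import message_from_bytes
from email.message import EmailMessage

# Syslog lines as quoted in the thread.
LOG = """\
Mar 10 17:38:12 linux MailScanner[17336]: New Batch: Scanning 1 messages, 38249 bytes
Mar 10 17:38:12 linux MailScanner[17336]: Virus and Content Scanning: Starting
Mar 10 17:38:12 linux MailScanner[17336]: Filename Checks: Found possible filename hiding (ACN.DOC.xls.doc)
Mar 10 17:38:12 linux MailScanner[17336]: Other Checks: Found 1 problems
Mar 10 17:38:12 linux MailScanner[17336]: Cleaned: Delivered 1 cleaned messages
"""

# Greedy match so that a filename containing parentheses is captured whole.
HIDING = re.compile(r"Filename Checks: Found possible filename hiding \((.+)\)\s*$")


def flagged_filenames(log_text):
    """Return the attachment names that the filename check reported."""
    names = []
    for line in log_text.splitlines():
        match = HIDING.search(line)
        if match:
            names.append(match.group(1))
    return names


def attachment_names(raw_message):
    """List every filename declared by a MIME part, attachment or inline."""
    msg = message_from_bytes(raw_message)
    names = []
    for part in msg.walk():
        # Content-Disposition filename, falling back to the Content-Type name.
        name = part.get_filename()
        if name:
            names.append(name)
    return names


def audit_delivered(raw_message, flagged, warning_name="VirusWarning.txt"):
    """Compare a delivered message with what the log says was flagged.

    Returns a list of findings; an empty list means the delivered copy is
    consistent with a message that was really cleaned.
    """
    present = {name.lower() for name in attachment_names(raw_message)}
    findings = []
    for name in flagged:
        if name.lower() in present:
            findings.append("flagged attachment still present: " + name)
    # Assumption: the replacement warning is a part named VirusWarning.txt.
    if flagged and warning_name.lower() not in present:
        findings.append(warning_name + " part missing")
    return findings


def build_message(attachments):
    """Build a constructed test message; addresses and bodies are placeholders."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "constructed test message"
    msg.set_content("Please see the attached file.")
    for name, data in attachments:
        msg.add_attachment(data, maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()


# Constructed: the delivery described in the report (attachment left in place).
AS_REPORTED = build_message([("ACN.DOC.xls.doc", b"constructed payload")])
# Constructed: the delivery one would expect from a cleaned message.
AS_EXPECTED = build_message([("VirusWarning.txt", b"constructed warning text")])

if __name__ == "__main__":
    flagged = flagged_filenames(LOG)
    for label, raw in (("as reported", AS_REPORTED), ("as expected", AS_EXPECTED)):
        print(label, audit_delivered(raw, flagged) or "ok")
```

Run against a copy of the delivered message taken from a test mailbox, it turns "the log says cleaned" into a checked property of the message itself.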
From: tal at MUSICGENOME.COM (Tal Kelrich)
Date: Thu Jan 12 21:17:27 2006
Subject: endless respawning with SA enabled
Message-ID:

On Tue, 11 Mar 2003 12:29:00 +0000, Julian Field wrote:
>At 10:59 11/03/2003, you wrote:
>> > I've recently upgraded to mailscanner 4.13, and SA 2.50
>> > (patched) now, whenever I enable SA, mailscanner respawns
>> > endlessly, without any processing done. works perfectly when
>> > disabled. as far as I can tell, it quits sometime in the SA
>> > init stage, but I still haven't looked too deeply there.
>> >
>>
>>I noticed a problem similar to this last week and upon
>>investigation I found the following settings (in
>>spam.assassin.prefs.conf) to help greatly:
>>
>># Settings taken from
>>#
>>http://www.jiscmail.ac.uk/cgi-bin/wa.exe?A2=ind0208&L=mailscanner&P=R9717&I=-3
>># SpamAssassin Performance Tips (isp-list@TULSACONNECT.COM)
>>
>># By default, spamassassin will change the Content-type: header of
>># suspected spam to "text/plain". This is a safety feature. If you
>># prefer to leave the Content-type header alone, set this to 0.
>>#
>>defang_mime 0
>>
>># By default, SpamAssassin will run RBL checks. If your ISP already
>># does this, set this to 1.
>>#
>>skip_rbl_checks 1
>>
>># only check for a valid MX record once
>>check_mx_attempts 1
>>
>>Andy
>
>What does your maillog say?
>Does the user you are using to run MailScanner have a real home
>directory?
>The SpamAssassin init code fails if there isn't a home directory it can
>write to. Most commonly a problem when people are using Exim (as they run
>as non-root).
>

I did some more tests, and it looks like it's dying in SA.pm in
compile_now (dropped log messages in there, no AWL, makes the object,
stops at compile_now) when run in debug mode, no errors or anything,
just quits.
user is root, has a home, and SA works on its own.

Tal

From Denis.Beauchemin at USHERBROOKE.CA Tue Mar 11 13:52:03 2003
From: Denis.Beauchemin at USHERBROOKE.CA (Denis Beauchemin)
Date: Thu Jan 12 21:17:27 2006
Subject: Subject Text
In-Reply-To:
References:
Message-ID: <1047390723.28074.68.camel@dbeauchemin.si.usherbrooke.ca>

Hello,

I second that. I would also like to be able to use a different report
file for those 2 because they are not really viruses but potential
threats.

Denis

On Tue 11/03/2003 at 04:46, Peter Peters wrote:
> Hi,
>
> I have a feature request. MS offers the possibility to have different
> strings prepended to the Subject: header in case of a virus disinfected
> by the anti-virus engine and in case of a filename test. I use Virus
> Subject Text = {VIRUS!} and Filename Subject Text = {Virus?} to
> distinguish between a sure virus and a potential risk.
>
> It seems MS also uses the string from Virus Subject Text when an IFrame
> or Object Codebase Tag is detected but I would like to have a separate
> text for that.
>
> Could it be made to have "IFrame Subject Text" and "Object Codebase
> Subject Text" entries in MailScanner.conf?
>
> --
> Peter Peters, senior network administrator
> Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE)
> Universiteit Twente, Postbus 217, 7500 AE Enschede
> telephone: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/civ

--
Denis Beauchemin, analyst
Université de Sherbrooke, S.T.I.
T: 819.821.8000x2252 F: 819.821.8045

From Jan-Peter.Koopmann at SECEIDOS.DE Tue Mar 11 13:59:50 2003
From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann)
Date: Thu Jan 12 21:17:27 2006
Subject: endless respawning with SA enabled
Message-ID: <4E7026FF8A422749B1553FE508E0068007EF37@message.intern.akctech.de>

Hi Tal,

> I did some more tests, and it looks like it's dying in SA.pm in compile_now (dropped log messages in there,
> no AWL, makes the object, stops at compile_now) when run in debug mode, no errors or anything, just quits.
> user is root, has a home, and SA works on its own.

I did not get the debug mode to work with MailScanner. Simply quits. Try
something like this in SpamAssassin.pm

sub dbg {
  my $dbg=$Mail::SpamAssassin::DEBUG;

  # Normal early exit when debugging is off; commented out to force output
  #return unless $dbg->{enabled};

  my ($msg, $codepath, $level) = @_;

  $msg=join('',@{$msg}) if (ref $msg);

  if (defined $codepath) {
    if (not defined $dbg->{$codepath}) {
      warn("dbg called with codepath $codepath, but it's not defined, skipping (message was \"$msg\"\n");
      return 0;
    } elsif (not defined $level) {
      warn("dbg called with codepath $codepath, but no level threshold (message was \"$msg\"\n");
    }
  }
  # Negative levels are just level numbers, the more negative, the more debug
  return if (defined $level and $level<0 and not $dbg->{$codepath} <= $level);
  # Positive levels are bit fields
  return if (defined $level and $level>0 and not $dbg->{$codepath} & $level);

  # LOG: append every debug message to /tmp/sa.log
  if ( open(DBGFILE, ">>/tmp/sa.log") ) {
    print DBGFILE $msg . "\n";
    close(DBGFILE);
  }
  warn "debug: $msg\n";
}

Notice the # in front of the return. This will "turn on" debugging even
though SA is not in debug mode. This will create a /tmp/sa.log file with
all debugging output of SA. Once you have this output, look for error
messages or send a copy of it here.

Thanks,
JP

From Jan-Peter.Koopmann at SECEIDOS.DE Tue Mar 11 13:04:58 2003
From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann)
Date: Thu Jan 12 21:17:27 2006
Subject: HTML body changed??? - Different SA scores / SA and MA
Message-ID: <4E7026FF8A422749B1553FE508E0068007EF36@message.intern.akctech.de>

Hi Julian,

I am still playing around with SpamAssassin and MailScanner a bit. Here
is something strange:

I took a junk mail and ran it through spamassassin -t. This is the
report:

Content analysis details:   (25.80 points, 6 required)
X_PRIORITY_HIGH         (1.9 points) Sent with 'X-Priority' set to high
BAYES_90                (2.9 points) BODY: Bayesian classifier says spam probability is 90 to 99%
                        [score: 0.9815]
HTML_40_50              (0.4 points) BODY: Message is 40% to 50% HTML
HTML_IMAGE_ONLY_02      (1.5 points) BODY: HTML has images with 0-200 bytes of words
PYZOR_CHECK             (1.2 points) Listed in Pyzor, see http://pyzor.sf.net/
DATE_IN_PAST_12_24      (0.1 points) Date: is 12 to 24 hours before Received: date
MSGID_OUTLOOK_TIME      (4.4 points) Message-Id is fake (in Outlook Express format)
RCVD_FAKE_HELO_DOTCOM_2 (2.8 points) Received contains a faked HELO hostname (2)
RCVD_IN_NJABL           (1.2 points) RBL: Received via a relay in dnsbl.njabl.org
                        [RBL check: found 3.160.178.202.dnsbl.njabl.org.,]
                        [type: 127.0.0.9]
RCVD_IN_OSIRUSOFT_COM   (0.5 points) RBL: Received via a relay in relays.osirusoft.com
                        [RBL check: found 3.160.178.202.relays.osirusoft.com., type: 127.0.0.3]
RCVD_IN_BL_SPAMCOP_NET  (4.0 points) RBL: Received via a relay in bl.spamcop.net
                        [RBL check: found 3.160.178.202.bl.spamcop.net.]
RCVD_IN_DSBL            (4.3 points) RBL: Received via a relay in list.dsbl.org
                        [RBL check: found 3.160.178.202.list.dsbl.org.]
PRIORITY_NO_NAME        (0.6 points) Message has priority setting, but no X-Mailer

Then I fed exactly the same file into my system using exim -t < msg.txt.
This is what SA/MS found:

X-MailScanner-SpamCheck: spam, SpamAssassin (score=23.1, required 6, AWL,
        BAYES_90, DATE_IN_PAST_12_24, HTML_20_30, HTML_IMAGE_ONLY_06,
        MSGID_OUTLOOK_TIME, PRIORITY_NO_NAME, RCVD_FAKE_HELO_DOTCOM_2,
        RCVD_IN_BL_SPAMCOP_NET, RCVD_IN_DSBL, RCVD_IN_NJABL,
        RCVD_IN_OSIRUSOFT_COM, X_PRIORITY_HIGH)

MailScanner/SpamAssassin changed HTML_40_50 to HTML_20_30. Why/How?
Moreover it shows HTML_IMAGE_ONLY_06 and not _02. Obviously something
changed the HTML source. I cannot see an Iframe tag anywhere. Moreover
the PYZOR_CHECK is missing which also indicates that the body has been
altered by MailScanner.

This is the body of the msg.file:

This is a multi-part message in MIME format.

------_=_NextPart_001_01C2E70F.C1B22B00
Content-Type: text/plain;
        charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

 I can't wait to meet =
8421PFsC8-249DRPN4997MsTV2-l25=20

------_=_NextPart_001_01C2E70F.C1B22B00
Content-Type: text/html;
        charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
I can't wait to meet

8421PFsC8-249DRPN4997MsTV2-l25

------_=_NextPart_001_01C2E70F.C1B22B00--

Thanks,
  JP

From mailscanner at ecs.soton.ac.uk Tue Mar 11 14:16:30 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:27 2006
Subject: HTML body changed??? - Different SA scores / SA and MA
In-Reply-To: <4E7026FF8A422749B1553FE508E0068007EF36@message.intern.akctech.de>
Message-ID: <5.2.0.9.2.20030311141520.03bbc588@imap.ecs.soton.ac.uk>

There is currently a little problem in the MS->SA interface for Exim. It's
not very serious but can cause test results that differ a bit from what you
expect. There is a fix for it, but I want to do some more testing on it
first to be sure it won't break anything else.

At 13:04 11/03/2003, you wrote:
>Hi Julian,
>
>I am still playing around with SpamAssassin and MailScanner a bit. Here
>is something strange:
>
>I took a junk mail and ran it through spamassassin -t. This is the
>report:
>
>
>Content analysis details: (25.80 points, 6 required)
>X_PRIORITY_HIGH (1.9 points) Sent with 'X-Priority' set to high
>BAYES_90 (2.9 points) BODY: Bayesian classifier says spam
>probability is 90 to 99%
> [score: 0.9815]
>HTML_40_50 (0.4 points) BODY: Message is 40% to 50% HTML
>HTML_IMAGE_ONLY_02 (1.5 points) BODY: HTML has images with 0-200 bytes
>of words
>PYZOR_CHECK (1.2 points) Listed in Pyzor, see
>http://pyzor.sf.net/
>DATE_IN_PAST_12_24 (0.1 points) Date: is 12 to 24 hours before
>Received: date
>MSGID_OUTLOOK_TIME (4.4 points) Message-Id is fake (in Outlook Express
>format)
>RCVD_FAKE_HELO_DOTCOM_2 (2.8 points) Received contains a faked HELO
>hostname (2)
>RCVD_IN_NJABL (1.2 points) RBL: Received via a relay in
>dnsbl.njabl.org
> [RBL check: found 3.160.178.202.dnsbl.njabl.org.,]
> [type: 127.0.0.9]
>RCVD_IN_OSIRUSOFT_COM (0.5 points) RBL: Received via a relay in
>relays.osirusoft.com
> [RBL check: found
>3.160.178.202.relays.osirusoft.com., type: 127.0.0.3]
>RCVD_IN_BL_SPAMCOP_NET (4.0 points) RBL: Received via a
>relay in bl.spamcop.net
> [RBL check: found 3.160.178.202.bl.spamcop.net.]
>RCVD_IN_DSBL (4.3 points) RBL: Received via a relay in
>list.dsbl.org
> [RBL check: found 3.160.178.202.list.dsbl.org.]
>PRIORITY_NO_NAME (0.6 points) Message has priority setting, but no
>X-Mailer
>
>
>Then I fed exactly the same file into my system using exim -t < msg.txt.
>This is what SA/MS found:
>
>X-MailScanner-SpamCheck: spam, SpamAssassin (score=23.1, required 6,
>AWL,
> BAYES_90, DATE_IN_PAST_12_24, HTML_20_30, HTML_IMAGE_ONLY_06,
> MSGID_OUTLOOK_TIME, PRIORITY_NO_NAME, RCVD_FAKE_HELO_DOTCOM_2,
> RCVD_IN_BL_SPAMCOP_NET, RCVD_IN_DSBL, RCVD_IN_NJABL,
> RCVD_IN_OSIRUSOFT_COM, X_PRIORITY_HIGH)
>
>
>MailScanner/SpamAssassin changed HTML_40_50 to HTML_20_30. Why/How?
>Moreover it shows HTML_IMAGE_ONLY_06 and not _02. Obviously something
>changed the HTML source. I cannot see an Iframe tag anywhere. Moreover
>the PYZOR_CHECK is missing which also indicates that the body has been
>altered by MailScanner.
>
>This is the body of the msg.file:
>
>This is a multi-part message in MIME format.
>
>------_=_NextPart_001_01C2E70F.C1B22B00
>Content-Type: text/plain;
> charset="iso-8859-1"
>Content-Transfer-Encoding: quoted-printable
>
> I can't wait to meet =
>8421PFsC8-249DRPN4997MsTV2-l25=20
>
>------_=_NextPart_001_01C2E70F.C1B22B00
>Content-Type: text/html;
> charset="iso-8859-1"
>Content-Transfer-Encoding: quoted-printable
>
>
>charset=3Diso-8859-1">
>
>
>I can't wait to meet
>
>
>8421PFsC8-249DRPN4997MsTV2-l25
>
>------_=_NextPart_001_01C2E70F.C1B22B00--
>
>
>Thanks,
> JP

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From Jan-Peter.Koopmann at SECEIDOS.DE Tue Mar 11 14:44:07 2003
From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann)
Date: Thu Jan 12 21:17:27 2006
Subject: HTML body changed??? - Different SA scores / SA and MA
Message-ID: <4E7026FF8A422749B1553FE508E0068007EF3A@message.intern.akctech.de>

> There is currently a little problem in the MS->SA interface
> for Exim. It's not very serious but can cause test results
> that differ a bit from what you expect. There is a fix for
> it, but I want to do some more testing on it first to be sure
> it won't break anything else.

Noted... Thought it would be something like that. Need a guinea pig?

Regards,
JP

From usergroups at THEARGONCOMPANY.COM Tue Mar 11 15:52:38 2003
From: usergroups at THEARGONCOMPANY.COM (Rishi Gangoly)
Date: Thu Jan 12 21:17:27 2006
Subject: RaQ problems after installing sendmail patch
In-Reply-To: <5.2.0.9.2.20030304140048.03b9cbc0@imap.ecs.soton.ac.uk>
References: <5.2.0.9.2.20030304140048.03b9cbc0@imap.ecs.soton.ac.uk>
Message-ID: <200303111552.VAA31810@theargonserver.theargoncompany.com>

On Tuesday 04 March 2003 7:38 pm, you wrote:
> On pkgmaster.com there are now packages for the RaQ3 and RaQ4 that apply
> the sendmail patch everyone has been talking about for the last day or two.
>
> When the patch is installed, it messes around with the /var/spool/mqueue
> directory and leaves it in a state that MailScanner does not like.
>
> To solve this:
>
> cd /var/spool/mqueue
> rmdir q1 q2 q3 q4
> /etc/rc.d/init.d/MailScanner restart
>
> Then you should find everything starts working properly again.

Does this affect version 3.22-10 of mailscanner? That's the one I have.
Should I upgrade my Mailscanner to 4.x? Is there anyone who has upgraded
mailscanner from 3.x to 4.x on a Cobalt RaQ4?
Regards
Rishi

From Jan-Peter.Koopmann at SECEIDOS.DE Tue Mar 11 16:05:45 2003
From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann)
Date: Thu Jan 12 21:17:27 2006
Subject: HTML body changed??? - Different SA scores / SA and MA
Message-ID: <4E7026FF8A422749B1553FE508E0068007EF3E@message.intern.akctech.de>

Hmm. Something strange again... Maybe this is related to the issue
though...

I see BAYES_ scores in all messages. Except those that are SPAM (that is
their score is above the threshold). Those do not show BAYES_ scores and
are not auto-learned even though their score sometimes is over the
auto_learn threshold as well. When I feed those messages to
spamassassin -t it clearly shows BAYES_ scores.

Now for the fun part. If I feed this mail to exim -t and send it through
MailScanner/SA again, it is marked with BAYES_ scores and auto-learned.

Any ideas? I fired up my log again and am waiting for new spam to
reproduce this and maybe see some sort of error. I'll keep you posted.

Regards,
JP

From jaearick at COLBY.EDU Tue Mar 11 16:08:17 2003
From: jaearick at COLBY.EDU (Jeff A. Earickson)
Date: Thu Jan 12 21:17:27 2006
Subject: sophos 3.66 to 3.67, load jumps?
Message-ID:

Hi,

I upgraded from sophos 3.66 to 3.67 yesterday and since then, I've
noticed that my load on my mail server has been much higher than
before. Anybody else notice this? I've dropped the Max Children
setting from 4 to 2 on my system (Sun E220R, 2 CPUs, Sol 8) and that
reduced the load. I wonder what changed in Sophos to make such a
difference?

--- Jeff Earickson

From Jan-Peter.Koopmann at SECEIDOS.DE Tue Mar 11 16:15:46 2003
From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann)
Date: Thu Jan 12 21:17:27 2006
Subject: Problems with outgoing mail being detected as spam
Message-ID: <4E7026FF8A422749B1553FE508E0068007EF3F@message.intern.akctech.de>

Hi Jeff,

> As you suggested, I listed my mailserver first in the list
> and outgoing mail is still being detected as spam.
> So I need
> to "turn on" the autowhitelist?

No this has nothing to do with autowhitelisting. Are you by any chance
running exim? There was a bug in MailScanner (at least in 4.13-3) which
would explain exactly this behavior (at least when using domain names).

> /etc/MailScanner/rules/spam.whitelist.rules:
>
> # This is where you can build a Spam WhiteList
> # Addresses matching in here, with the value
> # "yes" will never be marked as spam.
> #From:          152.78.         yes
> #From:          130.246.        yes
> FromTo:         default         no
> From:           65.219.192.36   yes
> From:           65.219.192.35   yes
>

As Jeremy mentioned this should read

From:           65.219.192.36   yes
From:           65.219.192.35   yes
FromTo:         default         no

Why are you not using domain names btw? From my point of view this is
easier.

From:           *@image-src.com yes

Are you absolutely sure that the envelope shows one of these e-mail
addresses as the sender?

.... Hmm. Now that I am reading this again, why are you using
whitelisting at all for this? I prefer to stop spam checks altogether
for messages from my local domain:

In MailScanner.conf put

Spam Checks = /opt/MailScanner/etc/rules/spam.checks.rules

And in this file put

From:           *@image-src.com no
From:           65.219.192.     no
FromTo:         default         yes

That should do the trick.

Regards,
JP

From s.kelly at ayrcoll.ac.uk Tue Mar 11 16:19:01 2003
From: s.kelly at ayrcoll.ac.uk (Shane Kelly)
Date: Thu Jan 12 21:17:27 2006
Subject: sophos 3.66 to 3.67, load jumps?
In-Reply-To:
References:
Message-ID: <200303111619.01392.s.kelly@ayrcoll.ac.uk>

On Tuesday 11 March 2003 4:08 pm, Jeff A. Earickson wrote:
> Hi,
>
> I upgraded from sophos 3.66 to 3.67 yesterday and since then, I've
> noticed that my load on my mail server has been much higher than
> before. Anybody else notice this? I've dropped the Max Children
> setting from 4 to 2 on my system (Sun E220R, 2 CPUs, Sol 8) and that
> reduced the load. I wonder what changed in Sophos to make such a
> difference?
I think it is to do with the way in which sophos now packages its virus
definition files - the scan time for one message has gone from 1 second to
seven seconds on my (very small) mail hub.

> --- Jeff Earickson

Regards,

Shane Kelly
--
Network Infrastructure Manager
Ayr College
+44 (01292) 265184
===========================
These are my personal opinion(s),
and do not necessarily reflect those
of my employer.
===========================

From jeff at IMAGE-SRC.COM Tue Mar 11 16:06:40 2003
From: jeff at IMAGE-SRC.COM (Jeff Graves)
Date: Thu Jan 12 21:17:27 2006
Subject: Problems with outgoing mail being detected as spam
In-Reply-To: <2739ECF7268CD0118F50080009DCC9F00235D2D4@pebble.bsa.ca.gov>
Message-ID: <001101c2e7e8$33961d20$6401a8c0@bellingham.imagesrc.com>

As you suggested, I listed my mailserver first in the list and outgoing mail
is still being detected as spam. So I need to "turn on" the autowhitelist?

Jeff Graves
Customer Support Engineer
Image Source, Inc.
10 Mill Street
Bellingham, MA 02019

jeff@image-src.com - Email
508.966.5200 X31 - Phone
508.966.5170 - Fax

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On
Behalf Of Jeremy Evans
Sent: Wednesday, February 26, 2003 3:51 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Problems with outgoing mail being detected as spam

I think that since default is listed first, it will match everything. Try
listing it after the other two addresses. Also, you should only need the
address of your mail server, the address of your LAN gateway shouldn't be
necessary, unless it is acting as a proxy.

Jeremy Evans
Information Systems Analyst
California State Auditor
916-445-0255 phone
916-322-7801 fax

-----Original Message-----
From: Jeff Graves [mailto:jeff@IMAGE-SRC.COM]
Sent: Wednesday, February 26, 2003 12:38 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Problems with outgoing mail being detected as spam

Hello all. I'm running MailScanner 4.12-2 with Sophos AV and SpamAssassin
2.31-16.
I checked the archives and they mention a setting in
MailScanner.conf but it was sort of outdated. I think I've traced it to
adding entries in the /etc/MailScanner/rules/spam.whitelist.rules file. I
add the 2 IPs that need no spam checking (my LAN gateway and my Mail
Server) but messages sent by my mail server are still being checked for
spam (and detected btw). Here's what the entries look like:

/etc/MailScanner/rules/spam.whitelist.rules:

# This is where you can build a Spam WhiteList
# Addresses matching in here, with the value
# "yes" will never be marked as spam.
#From:          152.78.         yes
#From:          130.246.        yes
FromTo:         default         no
From:           65.219.192.36   yes
From:           65.219.192.35   yes

Is my syntax incorrect? Is there another setting I'm missing?

Thanks,

Jeff Graves
Customer Support Engineer
Image Source, Inc.
10 Mill Street
Bellingham, MA 02019

jeff@image-src.com - Email
508.966.5200 X31 - Phone
508.966.5170 - Fax

From Kevin.Spicer at BMRB.CO.UK Tue Mar 11 16:27:34 2003
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin)
Date: Thu Jan 12 21:17:27 2006
Subject: sophos 3.66 to 3.67, load jumps?
Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0A4AD50@pascal.priv.bmrb.co.uk>

> On Tuesday 11 March 2003 4:08 pm, Jeff A. Earickson wrote:
> > Hi,
> >
> > I upgraded from sophos 3.66 to 3.67 yesterday and since then, I've
> > noticed that my load on my mail server has been much higher than
> > before. Anybody else notice this? I've dropped the Max Children
> > setting from 4 to 2 on my system (Sun E220R, 2 CPUs, Sol 8) and that
> > reduced the load. I wonder what changed in Sophos to make such a
> > difference?
> I think it is to do with the way in which sophos now
> packages its virus
> definition files - the scan time for one message has gone
> from 1 second to
> seven seconds on my (very small) mail hub.
>

Yeah 3.67 is not good at all, my MailScanner's running 3.66 still - but
I've got several machines using samba-vscan that used to quite happily
read the virus defs from an NFS share.
When I upgraded them to 3.66 it nearly killed one of the machines (load
average went up to high 30's before I got to it and killed samba. I've
had to go back to installing and updating each machine separately (not
using NFS) and the performance is still noticeably poorer.

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000
_________________________________________________________________
This message (and any attachment) is intended only for the
recipient and may contain confidential and/or privileged
material. If you have received this in error, please contact the
sender and delete this message immediately. Disclosure, copying
or other action taken in respect of this email or in
reliance on it is prohibited. BMRB International Limited
accepts no liability in relation to any personal emails, or
content of any email which does not directly relate to our
business.

From mailscanner at ecs.soton.ac.uk Tue Mar 11 16:23:34 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:27 2006
Subject: RaQ problems after installing sendmail patch
In-Reply-To: <200303111552.VAA31810@theargonserver.theargoncompany.com>
References: <5.2.0.9.2.20030304140048.03b9cbc0@imap.ecs.soton.ac.uk>
 <5.2.0.9.2.20030304140048.03b9cbc0@imap.ecs.soton.ac.uk>
Message-ID: <5.2.0.9.2.20030311162323.036f0d38@imap.ecs.soton.ac.uk>

At 15:52 11/03/2003, you wrote:
>On Tuesday 04 March 2003 7:38 pm, you wrote:
> > On pkgmaster.com there are now packages for the RaQ3 and RaQ4 that apply
> > the sendmail patch everyone has been talking about for the last day or two.
> >
> > When the patch is installed, it messes around with the /var/spool/mqueue
> > directory and leaves it in a state that MailScanner does not like.
> >
> > To solve this:
> >
> > cd /var/spool/mqueue
> > rmdir q1 q2 q3 q4
> > /etc/rc.d/init.d/MailScanner restart
> >
> > Then you should find everything starts working properly again.
>
>
>Does this affect version 3.22-10 of mailscanner?

Yes.
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Tue Mar 11 16:27:25 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:27 2006
Subject: sophos 3.66 to 3.67, load jumps?
In-Reply-To: <200303111619.01392.s.kelly@ayrcoll.ac.uk>
References:
Message-ID: <5.2.0.9.2.20030311162504.0359c1a0@imap.ecs.soton.ac.uk>

At 16:19 11/03/2003, you wrote:
>On Tuesday 11 March 2003 4:08 pm, Jeff A. Earickson wrote:
> > Hi,
> >
> > I upgraded from sophos 3.66 to 3.67 yesterday and since then, I've
> > noticed that my load on my mail server has been much higher than
> > before. Anybody else notice this? I've dropped the Max Children
> > setting from 4 to 2 on my system (Sun E220R, 2 CPUs, Sol 8) and that
> > reduced the load. I wonder what changed in Sophos to make such a
> > difference?
> I think it is to do with the way in which sophos now packages its virus
>definition files - the scan time for one message has gone from 1 second to
>seven seconds on my (very small) mail hub.

If I was being really cynical, I might think they were intentionally
nobbling systems which use their command-line scanner, encouraging people
to use their over-priced mailmonitor package instead.

Of course all that will really happen is that they lose customers to their
competitors...

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Tue Mar 11 16:43:42 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:27 2006
Subject: sophos 3.66 to 3.67, load jumps?
In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB0A4AD50@pascal.priv.bmrb.co.uk>
Message-ID: <5.2.0.9.2.20030311164250.037b4eb0@imap.ecs.soton.ac.uk>

You don't fancy taking this issue up with Sophos support do you?
Would sure help if they didn't nobble their (previously fast) scanner.
Having a complaint from a user of something other than MailScanner would
help quite a bit, I think.

Thanks!

At 16:27 11/03/2003, you wrote:
> > On Tuesday 11 March 2003 4:08 pm, Jeff A. Earickson wrote:
> > > Hi,
> > >
> > > I upgraded from sophos 3.66 to 3.67 yesterday and since then, I've
> > > noticed that my load on my mail server has been much higher than
> > > before. Anybody else notice this? I've dropped the Max Children
> > > setting from 4 to 2 on my system (Sun E220R, 2 CPUs, Sol 8) and that
> > > reduced the load. I wonder what changed in Sophos to make such a
> > > difference?
> > I think it is to do with the way in which sophos now
> > packages its virus
> > definition files - the scan time for one message has gone
> > from 1 second to
> > seven seconds on my (very small) mail hub.
> >
>
>Yeah 3.67 is not good at all, my MailScanner's running 3.66 still - but
>I've got several machines using samba-vscan that used to quite happily
>read the virus defs from an NFS share. When I upgraded them to 3.66 it
>nearly killed one of the machines (load average went up to high
>30's before I got to it and killed samba. I've had to go back to
>installing and updating each machine separately (not using NFS) and the
>performance is still noticeably poorer.
>
>
>
>BMRB International
>http://www.bmrb.co.uk
>+44 (0)20 8566 5000
>_________________________________________________________________
>This message (and any attachment) is intended only for the
>recipient and may contain confidential and/or privileged
>material. If you have received this in error, please contact the
>sender and delete this message immediately. Disclosure, copying
>or other action taken in respect of this email or in
>reliance on it is prohibited. BMRB International Limited
>accepts no liability in relation to any personal emails, or
>content of any email which does not directly relate to our
>business.
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From m.sapsed at BANGOR.AC.UK Tue Mar 11 16:49:01 2003
From: m.sapsed at BANGOR.AC.UK (Martin Sapsed)
Date: Thu Jan 12 21:17:27 2006
Subject: OT: Read Receipt Request and this list
References: <4E7026FF8A422749B1553FE508E0068007EE97@message.intern.akctech.de>
Message-ID: <3E6E137D.4070703@bangor.ac.uk>

Jan-Peter Koopmann wrote:
> Hi,
>
> damn I will probably always forget to turn this off when writing to this
> list. Is there no way for the list software to filter the read receipt
> request from incoming mails?

Unfortunately not - I checked. They can set the software to
refuse/delete a post containing a particular header but can't remove the
header and let the post through.

Cheers,

Martin

--
Martin Sapsed
Information Services               "Who do you say I am?"
University of Wales, Bangor        Jesus of Nazareth

From Jan-Peter.Koopmann at SECEIDOS.DE Tue Mar 11 16:50:17 2003
From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann)
Date: Thu Jan 12 21:17:27 2006
Subject: OT: Read Receipt Request and this list
Message-ID: <4E7026FF8A422749B1553FE508E0068007EF41@message.intern.akctech.de>

Hi,

> Unfortunately not - I checked. They can set the software to
> refuse/delete a post containing a particular header but can't
> remove the header and let the post through.
>

What header are we talking about? I will teach my exim to delete it when
posts are going to mailing lists.

Regards,
JP

From marco at MUW.EDU Tue Mar 11 17:08:11 2003
From: marco at MUW.EDU (Marco Obaid)
Date: Thu Jan 12 21:17:27 2006
Subject: MS 4.14-1
In-Reply-To: <5.2.0.9.2.20030311122601.03bc3af8@imap.ecs.soton.ac.uk>
References: <5.2.0.9.2.20030311114740.03b48a50@imap.ecs.soton.ac.uk>
 <5.2.0.9.2.20030311122601.03bc3af8@imap.ecs.soton.ac.uk>
Message-ID: <1047402491.3e6e17fb82658@webmail.MUW.Edu>

Quoting Julian Field :

> Can someone else confirm that this version is working okay, then I'll put
> it up on the main web site.
> I tested it on two machines RH 7.3 and 8.0 and everything seems to be running smoothly on my side. Marco _________________________________________________________________ This mail is sent through MUW Webmail: http://www.MUW.Edu/webmail For the latest MUW Events, visit http://www.MUW.Edu/calendar From Kevin.Spicer at BMRB.CO.UK Tue Mar 11 17:08:23 2003 From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin) Date: Thu Jan 12 21:17:27 2006 Subject: sophos 3.66 to 3.67, load jumps? Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0A4AD51@pascal.priv.bmrb.co.uk> > You don't fancy taking this issue up with Sophos support do you? > Would sure help if they didn't nobble their (previously fast) scanner. > > Having a complaint from a user of something other than > MailScanner would > help quite a bit, I think. > Okay, just done it! My only concern is that I'm actually using Sophos installed in MailScanner configuration (so I can use MailScanner's Sophos.install and autoupdate script to make my life easier - so I'm hoping they don't ask too much about how its installed!). I also hacked the samba-vscan code to get around an issue caused by Intercheck on Windows client machines. So my setup is probably not representative of samba-vscan users in general. BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. 
From m.sapsed at BANGOR.AC.UK Tue Mar 11 17:08:35 2003
From: m.sapsed at BANGOR.AC.UK (Martin Sapsed)
Date: Thu Jan 12 21:17:27 2006
Subject: sophos 3.66 to 3.67, load jumps?
References: <5.2.0.9.2.20030311164250.037b4eb0@imap.ecs.soton.ac.uk>
Message-ID: <3E6E1813.90706@bangor.ac.uk>

Julian Field wrote:
> You don't fancy taking this issue up with Sophos support do you?
> Would sure help if they didn't nobble their (previously fast) scanner.
>
> Having a complaint from a user of something other than MailScanner would
> help quite a bit, I think.

Will do. We installed MailScanner with Sophos 3.67 on one of our main mail
hubs last night and were disappointed with the performance. We tried
tweaking a few things in order to keep its head above water but it was very
reassuring when this thread started! Nice to know when a problem wasn't
caused by something you did!

Cheers,

Martin

--
Martin Sapsed
Information Services               "Who do you say I am?"
University of Wales, Bangor             Jesus of Nazareth

From David.Sullivan at BARNET.AC.UK Tue Mar 11 17:27:22 2003
From: David.Sullivan at BARNET.AC.UK (David Sullivan)
Date: Thu Jan 12 21:17:27 2006
Subject: sophos 3.66 to 3.67, load jumps?
In-Reply-To: <5.2.0.9.2.20030311164250.037b4eb0@imap.ecs.soton.ac.uk>
References: <5C0296D26910694BB9A9BBFC577E7AB0A4AD50@pascal.priv.bmrb.co.uk>
Message-ID:

I did query this increased time about two weeks ago but no one seemed
interested or could confirm it for me, if you'd like me to take it up with
Sophos I can do.

David.

On 11 Mar 2003 at 16:43, Julian Field wrote:

> You don't fancy taking this issue up with Sophos support do you?
> Would sure help if they didn't nobble their (previously fast) scanner.
>
> Having a complaint from a user of something other than MailScanner
> would help quite a bit, I think.
>
> Thanks!
>
> At 16:27 11/03/2003, you wrote:
> > > On Tuesday 11 March 2003 4:08 pm, Jeff A.
Earickson wrote:
> > > > Hi,
> > > >
> > > > I upgraded from sophos 3.66 to 3.67 yesterday and since then,
> > > > I've noticed that my load on my mail server has been much higher
> > > > than before. Anybody else notice this? I've dropped the Max
> > > > Children setting from 4 to 2 on my system (Sun E220R, 2 CPUs,
> > > > Sol 8) and that reduced the load. I wonder what changed in
> > > > Sophos to make such a difference?
> > > I think it is to do with the way in which sophos now packages its
> > > virus definition files - the scan time for one message has gone
> > > from 1 second to seven seconds on my (very small) mail hub.
> > >
> >Yeah 3.67 is not good at all, my MailScanner's running 3.66 still -
> >but I've got several machines using samba-vscan that used to quite
> >happily read the virus defs from an NFS share. When I upgraded them
> >to 3.66 it nearly killed one of the machines (load average went up to
> >high 30's before I got to it and killed samba. I've had to go back
> >to installing and updating each machine separately (not using NFS)
> >and the performance is still noticeably poorer.
> >

==============================================================
This communication may contain privileged or confidential
information which is for the exclusive use of the intended
recipient. If you are not the intended recipient, please note that
you may not distribute or use this communication or the
information it contains. If this e-mail has reached you in error,
please delete it and any attachment. Internet communications are
not secure and Barnet College does not accept legal responsibility
for the content of this message. Any views or opinions expressed
are those of the author and not necessarily those of Barnet
College. Please note that Barnet College reserves the right to
monitor the source/destinations of all incoming or outgoing e-mail
communications.
==============================================================

From mailscanner at ecs.soton.ac.uk Tue Mar 11 17:35:08 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:27 2006
Subject: HTML body changed??? - Different SA scores / SA and MA
In-Reply-To: <4E7026FF8A422749B1553FE508E0068007EF3A@message.intern.akctech.de>
Message-ID: <5.2.0.9.2.20030311173326.03b76e78@imap.ecs.soton.ac.uk>

At 14:44 11/03/2003, you wrote:
> > There is currently a little problem in the MS->SA interface
> > for Exim. It's not very serious but can cause test results
> > that differ a bit from what you expect. There is a fix for
> > it, but I want to do some more testing on it first to be sure
> > it won't break anything else.
>
>Noted... Thought it would be something like that. Need a guinea pig?

Yes please. Take your pick of:
http://www.sng.ecs.soton.ac.uk/mailscanner/files/4/tar/MailScanner-4.14-2.tar
http://www.sng.ecs.soton.ac.uk/mailscanner/files/4/rpm/MailScanner-4.14-2.rpm.tar
http://www.sng.ecs.soton.ac.uk/mailscanner/files/4/suse/MailScanner-4.14-2.suse.tar

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From richard.siddall at ELIRION.NET Tue Mar 11 18:01:32 2003
From: richard.siddall at ELIRION.NET (Richard Siddall)
Date: Thu Jan 12 21:17:27 2006
Subject: RaQ problems after installing sendmail patch
In-Reply-To: <200303111552.VAA31810@theargonserver.theargoncompany.com>
References: <5.2.0.9.2.20030304140048.03b9cbc0@imap.ecs.soton.ac.uk>
        <200303111552.VAA31810@theargonserver.theargoncompany.com>
Message-ID: <3E6E247C.3060302@elirion.net>

Rishi Gangoly wrote:
> Is there anyone who has upgraded mailscanner from 3.x to 4.x on a Cobalt RaQ4?
>

Yes. I put it off for several months as I mistakenly thought 4.x required
Perl 5.6.1, and I did not want to get into installing a second copy of Perl
on the RaQ.

IIRC, I installed SpamAssassin 2.43 from the tarball and MailScanner 4.x
from the RPM.
I don't recall any problems other than getting the configuration file tuned
up, which was complicated by the fact that 4.x uses different directories
and file names than 3.x.

Regards,

Richard.

From marco at MUW.EDU Tue Mar 11 18:13:42 2003
From: marco at MUW.EDU (Marco Obaid)
Date: Thu Jan 12 21:17:27 2006
Subject: sophos 3.66 to 3.67, load jumps?
Message-ID: <1047406422.3e6e27567585c@webmail.MUW.Edu>

I just spoke with Sophos about this issue and I am attaching their response.
One interesting note about my conversation with the tech support person is
that he did not want me to call my issue a "problem with Sophos". He
repeatedly said that the performance jump is due to providing "BETTER"
protection. I will let you read their response.

----- Forwarded message from mark.danus@sophos.com -----
    Date: Tue, 11 Mar 2003 12:54:44 -0500
    Subject: Unix performance issues
    To: marco@muw.edu

Version 3.67 of SAV on non-windows platform sees a big jump in engine
capabilities. In particular it contains plug-ins enabling thorough scans of
four common file types - pdf, rtf, elf (Linux/BSD binaries) and .class
(java 'executables').

Addition of these plug-ins means that the engine is doing more work to
provide better protection.

As a result of this some customers may report significant increases in the
time taken to scan their file systems. Increases will vary according to the
number and proportion of the file types mentioned above. The extreme
example is scanning a set of files consisting solely of pdfs, rtfs, elf
binaries and java files. In this case the scan time increases by a factor
of just over 3 (60 minutes -> minutes).

If you receive calls from customers complaining of scans taking longer to
complete or SAVI applications having to work harder than usual, it is more
than likely down to these issues.

The important thing to remember is that the slowdown is due to the
increased level of protection that we need to provide given the continuing
growth in the number of different file types that can carry viruses.

It is possible to disable these four options when using sweep by adding the
following command-line arguments:

-nopt=Pdf
-nopt=Elf
-nopt=Rtf
-nopt=Java

don't forget that use of any of these options may seriously impact our
ability to detect viruses in those types of file.

Regards,

MGD

----- End forwarded message -----

____________________________________________________________
Marco Obaid
Network Administrator
McDevitt Hall
W-Box 1621
Columbus MS 39701
____________________________________________________________
M I S S I S S I P P I   U N I V E R S I T Y   F O R   W O M E N

_________________________________________________________________
This mail is sent through MUW Webmail: http://www.MUW.Edu/webmail
For the latest MUW Events, visit http://www.MUW.Edu/calendar

From jeff at IMAGE-SRC.COM Tue Mar 11 18:07:43 2003
From: jeff at IMAGE-SRC.COM (Jeff Graves)
Date: Thu Jan 12 21:17:28 2006
Subject: Problems with outgoing mail being detected as spam
In-Reply-To: <4E7026FF8A422749B1553FE508E0068007EF3F@message.intern.akctech.de>
Message-ID: <003d01c2e7f9$1ca39230$6401a8c0@bellingham.imagesrc.com>

Well, I made this change as suggested:

....

Hmm. Now that I am reading this again, why are you using whitelisting at
all for this? I prefer to stop spam checks altogether for messages from my
local domain:

In MailScanner.conf put

    Spam Checks = /etc/MailScanner/rules/spam.checks.rules

And in this file put

    From: *@image-src.com no
    From: 65.219.192. no
    FromTo: default yes

That should do the trick.

....

And certain outgoing mail is still being checked for spam. I have a script
that sends a message for procmail without a from address.
This message is being marked as spam even though it came from the mail
server. How do I configure MailScanner to not check any mail for spam if it
is coming from localhost? Here's the headers:

Date: Tue, 11 Mar 2003 13:21:07 -0500
From: <>
Message-Id: <200303111821.h2BIL7i2014928@mailsrv.image-src.com>
Received: from mailsrv.image-src.com (localhost.localdomain [127.0.0.1])
        by mailsrv.image-src.com (8.12.5/8.12.5) with ESMTP id h2BIL744014930
        for ; Tue, 11 Mar 2003 13:21:07 -0500
        (from jeff@localhost)
        by mailsrv.image-src.com (8.12.5/8.12.5/Submit) id h2BIL7i2014928;
        Tue, 11 Mar 2003 13:21:07 -0500
Return-Path:
Subject: {Spam} Email
To: admin@image-src.com
X-MailScanner: Found to be clean
X-MailScanner-SpamCheck: spam, SpamAssassin (score=5.2, required 5,
        FROM_MALFORMED, FROM_NO_USER)
X-MailScanner-SpamScore: sssss

It seems like the "From:" directive in the spam.checks.rules file I created
is actually checking against the "From:" directive in the envelope. How do
I tell MailScanner to not check the mail at all if it came from the local
sendmail server?

Jeff Graves
Customer Support Engineer
Image Source, Inc.
10 Mill Street
Bellingham, MA 02019

jeff@image-src.com - Email
508.966.5200 X31 - Phone
508.966.5170 - Fax

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On
Behalf Of Jan-Peter Koopmann
Sent: Tuesday, March 11, 2003 11:16 AM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Problems with outgoing mail being detected as spam

Hi Jeff,

> As you suggested, I listed my mailserver first in the list
> and outgoing mail is still being detected as spam. So I need
> to "turn on" the autowhitelist?

No this has nothing to do with autowhitelisting. Are you by any chance
running exim? There was a bug in MailScanner (at least in 4.13-3) which
would explain exactly this behavior (at least when using domain names).

> /etc/MailScanner/rules/spam.whitelist.rules:
>
> # This is where you can build a Spam WhiteList
> # Addresses matching in here, with the value
> # "yes" will never be marked as spam.
> #From: 152.78. yes
> #From: 130.246. yes
> FromTo: default no
> From: 65.219.192.36 yes
> From: 65.219.192.35 yes
>

As Jeremy mentioned this should read

    From: 65.219.192.36 yes
    From: 65.219.192.35 yes
    FromTo: default no

Why are you not using domain names btw? From my point of view this is easier.

    From: *@image-src.com yes

Are you absolutely sure that the envelope shows one of these e-mail
addresses as the sender?

.... Hmm. Now that I am reading this again, why are you using whitelisting
at all for this? I prefer to stop spam checks altogether for messages from
my local domain:

In MailScanner.conf put

    Spam Checks = /opt/MailScanner/etc/rules/spam.checks.rules

And in this file put

    From: *@image-src.com no
    From: 65.219.192. no
    FromTo: default yes

That should do the trick.

Regards,
  JP

From Jan-Peter.Koopmann at SECEIDOS.DE Tue Mar 11 18:26:18 2003
From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann)
Date: Thu Jan 12 21:17:28 2006
Subject: Problems with outgoing mail being detected as spam
Message-ID: <4E7026FF8A422749B1553FE508E0068007EF45@message.intern.akctech.de>

Have you tried a

    From: 127.0.0.1 no
    From: localhost no

?

From mailscanner at ecs.soton.ac.uk Tue Mar 11 18:34:06 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:28 2006
Subject: sophos 3.66 to 3.67, load jumps?
In-Reply-To: <1047406422.3e6e27567585c@webmail.MUW.Edu>
Message-ID: <5.2.0.9.2.20030311182825.0245b3d0@imap.ecs.soton.ac.uk>

Can someone do a quick test with
        cd /usr/lib/MailScanner
        time ./sophos-wrapper -TNEF /dev/null
with 3.66 and 3.67.

Then, with 3.67, try turning off their "new options":
        cd /usr/lib/MailScanner
        time ./sophos-wrapper -TNEF -nopt=Pdf -nopt=Elf -nopt=Rtf -nopt=Java /dev/null

What are the timings like?
This will give us the startup time as scanning /dev/null should take 0 time.

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

From David.Sullivan at BARNET.AC.UK Tue Mar 11 18:35:04 2003
From: David.Sullivan at BARNET.AC.UK (David Sullivan)
Date: Thu Jan 12 21:17:28 2006
Subject: sophos 3.66 to 3.67, load jumps?
In-Reply-To: <1047406422.3e6e27567585c@webmail.MUW.Edu>
Message-ID: <3E6E2C58.30289.1469CB@localhost>

On 11 Mar 2003 at 12:13, Marco Obaid wrote:

> I just spoke with Sophos about this issue and I am attaching their response.
> One interesting note about my conversation with the tech support person is that
> he did not want me to call my issue a "problem with Sophos". He repeatedly said
> that the performance jump is due to providing "BETTER" protection. I will let
> you read their response.

All very well for possibly decreasing the scan time for large numbers of
files but these options seem to have no effect on the time taken to spawn
the executable itself which slows down the time taken to scan each batch of
messages in MailScanner.

David

==============================================================
This communication may contain privileged or confidential
information which is for the exclusive use of the intended
recipient. If you are not the intended recipient, please note that
you may not distribute or use this communication or the
information it contains. If this e-mail has reached you in error,
please delete it and any attachment. Internet communications are
not secure and Barnet College does not accept legal responsibility
for the content of this message. Any views or opinions expressed
are those of the author and not necessarily those of Barnet
College. Please note that Barnet College reserves the right to
monitor the source/destinations of all incoming or outgoing e-mail
communications.
==============================================================

From mike at TECHINTER.COM Tue Mar 11 18:35:15 2003
From: mike at TECHINTER.COM (Mike Williams)
Date: Thu Jan 12 21:17:28 2006
Subject: Per User Blacklist and white lists
In-Reply-To: <4E7026FF8A422749B1553FE508E0068007EF45@message.intern.akctech.de>
Message-ID:

Is it possible to have a per user blacklist and whitelist? Example in the
whitelist file:

To: user-1@domain.com /etc/MailScanner/rules/whitelist/user-1-domain.com
To: user-2@domain.com /etc/MailScanner/rules/whitelist/user-2-domain.com
FromTo: Default no


user-1-domain.com

From: friend@domain.com yes
From: friend1@domain.com yes
From: default no

and so on?

Mike

From mailscanner at ecs.soton.ac.uk Tue Mar 11 18:43:57 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:28 2006
Subject: Per User Blacklist and white lists
In-Reply-To:
References: <4E7026FF8A422749B1553FE508E0068007EF45@message.intern.akctech.de>
Message-ID: <5.2.0.9.2.20030311184240.027c12e8@imap.ecs.soton.ac.uk>

Take a look in the CustomConfig.pm file in recent distributions. This
feature is an example of what you can do with "Custom Functions". You will
probably need to change the directories it reads the black/whitelists from,
but otherwise it will just work. The code briefly explains what should go in
the various config files.

At 18:35 11/03/2003, you wrote:
>Is it possible to have a per user blacklist and whitelist? Example in the
>whitelist file:
>
>To: user-1@domain.com /etc/MailScanner/rules/whitelist/user-1-domain.com
>To: user-2@domain.com /etc/MailScanner/rules/whitelist/user-2-domain.com
>FromTo: Default no
>
>
>user-1-domain.com
>
>From: friend@domain.com yes
>From: friend1@domain.com yes
>From: default no
>
>and so on?
>
>Mike

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Tue Mar 11 18:56:09 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:28 2006
Subject: sophos 3.66 to 3.67, load jumps?
In-Reply-To: <5.2.0.9.2.20030311182825.0245b3d0@imap.ecs.soton.ac.uk>
References: <1047406422.3e6e27567585c@webmail.MUW.Edu>
Message-ID: <5.2.0.9.2.20030311184828.0227bb58@imap.ecs.soton.ac.uk>

At 18:34 11/03/2003, you wrote:
>Can someone do a quick test with
>         time sweep -TNEF /dev/null
>with 3.66 and 3.67.

3.66:
real    0m0.620s
user    0m0.610s
sys     0m0.020s

3.67:
real    0m1.578s
user    0m1.550s
sys     0m0.030s

So startup is 2.5 times slower with 3.67 than 3.66.

>Then, with 3.67, try turning off their "new options":
>         time sweep -TNEF -nopt=Pdf -nopt=Elf -nopt=Rtf
>-nopt=Java /dev/null

real    0m2.075s
user    0m2.040s
sys     0m0.030s

3.3 times slower than 3.66, with the options that are supposed to speed it up!

Can people get onto Sophos with these startup timing figures? They are
appalling.

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

From jaearick at COLBY.EDU Tue Mar 11 19:35:07 2003
From: jaearick at COLBY.EDU (Jeff A. Earickson)
Date: Thu Jan 12 21:17:28 2006
Subject: sophos 3.66 to 3.67, load jumps?
In-Reply-To: <5.2.0.9.2.20030311184828.0227bb58@imap.ecs.soton.ac.uk>
References: <1047406422.3e6e27567585c@webmail.MUW.Edu>
        <5.2.0.9.2.20030311184828.0227bb58@imap.ecs.soton.ac.uk>
Message-ID:

Julian,

Here is what I got on my busy E220R, solaris 8.
I reinstalled 3.66 into a separate directory, downloaded the current ide
defs, set the SAV_IDE and LD_LIBRARY_PATH variables accordingly, etc, before
running this test.

3.66: timex ./sweep -TNEF /dev/null
----
real        3.63
user        1.60
sys         0.10

3.67: timex ./sweep -TNEF /dev/null
----
real        7.32
user        3.59
sys         0.10

3.67: timex ./sweep -TNEF -nopt=Pdf -nopt=Elf -nopt=Rtf -nopt=Java /dev/null
----
real       10.08
user        3.99
sys         0.18

I'm glad that our PC person still had the 3.66 CD, so I could get 3.66
back. This performance degradation is unacceptable and I'll tell Sophos
that in my email to them. I'm rolling back to 3.66 for the time being.

-----------------------------------
Jeff A. Earickson, Ph.D
Senior UNIX Sysadmin and Email Guru
Information Technology Services
Colby College, 4214 Mayflower Hill,
Waterville ME, 04901-8842
phone: 207-872-3659 (fax = 3076)
-----------------------------------

From Peter.Bates at LSHTM.AC.UK Tue Mar 11 19:37:19 2003
From: Peter.Bates at LSHTM.AC.UK (Peter Bates)
Date: Thu Jan 12 21:17:28 2006
Subject: sophos 3.66 to 3.67, load jumps?
Message-ID:

Hello all...

In my position sitting on the fence between amavis(d) and MailScanner, I
just thought I'd pipe up... testing with Postfix and MS with the scripts
posted to this list recently is however going very well, but that's a
different story...

Over on the amavis lists they've been moaning about 3.67 since it appeared,
due to the increased load/spawning times, and also changes in number of
virus-data files, and command-line/SAVI options.
Particularly badly hit have been Sophie, the daemonized SAVI-interfacing
scanner, and SAVI::Perl, the Perl interface to SAVI, mainly due to the
dropping of options, or changing thereof.

Always good to know you're not alone in the world... where that leaves the
humble Sophos user, is of course yet again another story..

On the note above, I've read Julian's misgivings/dislike about Sophie and
daemonized AV scanners, but surely something like SAVI::Perl is an
interesting development?

--------------------------------------------------------------------->
Peter Bates, Systems Support Officer, Network Support Team.
London School of Hygiene & Tropical Medicine.
Telephone:0207-958 8353 / Fax: 0207- 636 9838

From marco at MUW.EDU Tue Mar 11 19:51:51 2003
From: marco at MUW.EDU (Marco Obaid)
Date: Thu Jan 12 21:17:28 2006
Subject: sophos 3.66 to 3.67, load jumps?
In-Reply-To: <5.2.0.9.2.20030311184828.0227bb58@imap.ecs.soton.ac.uk>
References: <1047406422.3e6e27567585c@webmail.MUW.Edu>
        <5.2.0.9.2.20030311184828.0227bb58@imap.ecs.soton.ac.uk>
Message-ID: <1047412311.3e6e3e573b58f@webmail.MUW.Edu>

> Can people get onto Sophos with these startup timing figures? They are
> appalling.

I did and here is the recommendation from Sophos. First, they are not
admitting that it is an "issue". If you request it, which I did, you can
install their XRS version. XRS, according to Sophos, is the old engine with
the new IDEs. I installed it on two systems and the performance is much
better now. Actually very good according to my systems.

Can more people test it now? I have it installed now on a production system
and the load is normal.
Here is the e-mail from Sophos: ----------- As requested http://www.sophos.com/sophos/products/full/xrs/aix.tar.Z http://www.sophos.com/sophos/products/full/xrs/digitalunix.tar.Z http://www.sophos.com/sophos/products/full/xrs/freebsd.aout.tar.Z http://www.sophos.com/sophos/products/full/xrs/freebsd.elf.tar.Z http://www.sophos.com/sophos/products/full/xrs/hpux.tar.Z http://www.sophos.com/sophos/products/full/xrs/linux.alpha.tar.Z http://www.sophos.com/sophos/products/full/xrs/linux.intel.libc5.tar.Z http://www.sophos.com/sophos/products/full/xrs/linux.intel.libc6.tar.Z http://www.sophos.com/sophos/products/full/xrs/linux.ppc.tar.Z http://www.sophos.com/sophos/products/full/xrs/linux.s390.tar.Z http://www.sophos.com/sophos/products/full/xrs/scoopenserver.tar.Z http://www.sophos.com/sophos/products/full/xrs/scounixware.tar.Z http://www.sophos.com/sophos/products/full/xrs/solaris.intel.tar.Z http://www.sophos.com/sophos/products/full/xrs/solaris.sparc.tar.Z Regards, MGD --------- Marco _________________________________________________________________ This mail is sent through MUW Webmail: http://www.MUW.Edu/webmail For the latest MUW Events, visit http://www.MUW.Edu/calendar From jeff at IMAGE-SRC.COM Tue Mar 11 19:47:32 2003 From: jeff at IMAGE-SRC.COM (Jeff Graves) Date: Thu Jan 12 21:17:28 2006 Subject: Problems with outgoing mail being detected as spam In-Reply-To: <4E7026FF8A422749B1553FE508E0068007EF45@message.intern.akctech.de> Message-ID: <005801c2e807$0e462b90$6401a8c0@bellingham.imagesrc.com> From: 127.0.0.1 no This fixed the issue. Thanks for all your help! Jeff Graves Customer Support Engineer Image Source, Inc. 
10 Mill Street Bellingham, MA 02019 jeff@image-src.com - Email 508.966.5200 X31 - Phone 508.966.5170 - Fax From mike at TECHINTER.COM Tue Mar 11 19:50:04 2003 From: mike at TECHINTER.COM (Mike Williams) Date: Thu Jan 12 21:17:28 2006 Subject: Per User Blacklist and white lists In-Reply-To: <5.2.0.9.2.20030311184240.027c12e8@imap.ecs.soton.ac.uk> Message-ID: Julian, Thanks for the info. I'm looking at the code and the example is for bydomain. I'm not sure but it looks like I can have the white and black list by either domain.com or by user@domain.com. The reason I am asking is that each user will need to be able to specify their own black and white list. This makes it possible that one user would wish to block email from a user@spam.com and another user to whitelist or not block a user@spam.com. So if I use a filename of user1@domain.com and user2@domain.com does this in fact make the whitelist and blacklist unique for each user even if they are in the same domain? Mike -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Julian Field Sent: Tuesday, March 11, 2003 12:44 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Per User Blacklist and white lists Take a look in the CustomConfig.pm file in recent distributions. This feature is an example of what you can do with "Custom Functions". You will probably need to change the directories it reads the black/whitelists from, but otherwise it will just work. The code briefly explains what should go in the various config files. At 18:35 11/03/2003, you wrote: >Is it possible to have a per user blacklist and whitelist? Example in the >whitelist file: > >To: user-1@domain.com /etc/MailScanner/rules/whitelist/user-1-domain.com >To: user-2@domain.com /etc/MailScanner/rules/whitelist/user-2-domain.com >FromTo: Default no > > >user-1-domain.com > >From: friend@domain.com yes >From: friend1@domain.com yes >From: default no > >and so on? 
> >Mike -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support From sholland at SUMSYS.COM Tue Mar 11 20:21:54 2003 From: sholland at SUMSYS.COM (Stephen Holland) Date: Thu Jan 12 21:17:28 2006 Subject: Old FAQ #19 Message-ID: <955B9133AB84B54DA680A88B1B75514E02875D@ssisrv02.summit.local> http://www.sng.ecs.soton.ac.uk/mailscanner/faq.shtml#19 Maybe this should be a question for the SA thread, BUT. Is it recommended to not have spamd running and if so do you disable it in SA or MailScanner. I installed this from an RPM that is why I am asking because there is not a way to remove spamd before install like the link says to do above. Or if I use MailScanner which I assume calls SA then do I even need to worry about the spamd on my box. --Stephen -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030311/5199007f/attachment.html From mailscanner at ecs.soton.ac.uk Tue Mar 11 20:24:23 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:28 2006 Subject: Per User Blacklist and white lists In-Reply-To: References: <5.2.0.9.2.20030311184240.027c12e8@imap.ecs.soton.ac.uk> Message-ID: <5.2.0.9.2.20030311202337.027f2e90@imap.ecs.soton.ac.uk> At 19:50 11/03/2003, you wrote: >Julian, > >Thanks for the info. I'm looking at the code and the example is for >bydomain. I'm not sure but it looks like I can have the white and black >list by either domain.com or by user@domain.com. Yes you can. You can even give it IP addresses if I remember rightly. > The reason I am asking is >that each user will need to be able to specify their own black and white >list. This makes it possible that one user would wish to block email from a >user@spam.com and another user to whitelist or not block a user@spam.com. 
>So if I use a filename of user1@domain.com and user2@domain.com does this in >fact make the whitelist and blacklist unique for each user even if they are >in the same domain? > >Mike > >-----Original Message----- >From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On >Behalf Of Julian Field >Sent: Tuesday, March 11, 2003 12:44 PM >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Re: Per User Blacklist and white lists > > >Take a look in the CustomConfig.pm file in recent distributions. This >feature is an example of what you can do with "Custom Functions". You will >probably need to change the directories it reads the black/whitelists from, >but otherwise it will just work. The code briefly explains what should go >in the various config files. > >At 18:35 11/03/2003, you wrote: > >Is it possible to have a per user blacklist and whitelist? Example in the > >whitelist file: > > > >To: user-1@domain.com >/etc/MailScanner/rules/whitelist/user-1-domain.com > >To: user-2@domain.com >/etc/MailScanner/rules/whitelist/user-2-domain.com > >FromTo: Default no > > > > > >user-1-domain.com > > > >From: friend@domain.com yes > >From: friend1@domain.com yes > >From: default no > > > >and so on? > > > >Mike > >-- >Julian Field >www.MailScanner.info >Professional Support Services at www.MailScanner.biz >MailScanner thanks transtec Computers for their support -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Tue Mar 11 20:23:12 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:28 2006 Subject: sophos 3.66 to 3.67, load jumps? 
In-Reply-To: <1047412311.3e6e3e573b58f@webmail.MUW.Edu> References: <5.2.0.9.2.20030311184828.0227bb58@imap.ecs.soton.ac.uk> <1047406422.3e6e27567585c@webmail.MUW.Edu> <5.2.0.9.2.20030311184828.0227bb58@imap.ecs.soton.ac.uk> Message-ID: <5.2.0.9.2.20030311202206.027f2d50@imap.ecs.soton.ac.uk> The XRS version works at the speed of the old versions, as expected. real 0m0.619s user 0m0.600s sys 0m0.020s At 19:51 11/03/2003, you wrote: > > Can people get onto Sophos with these startup timing figures? They are > > appalling. > >I did and here is the recommendation from Sophos. First, they are not >admitting >that it is an "issue". Hopefully if enough people hassle them, they will agree that it is! > If you request it, which I did, you can install their >XRS version. XRS, according to Sophos, is the old engine with the new IDEs. I >installed it on two systems and the performance is much better now. Actually >very good according to my systems. Can more people test it now? I have it >installed now on a production system and the load is normal.
> >Here is the e-mail from Sophos: > >----------- > >As requested > >http://www.sophos.com/sophos/products/full/xrs/aix.tar.Z >http://www.sophos.com/sophos/products/full/xrs/digitalunix.tar.Z >http://www.sophos.com/sophos/products/full/xrs/freebsd.aout.tar.Z >http://www.sophos.com/sophos/products/full/xrs/freebsd.elf.tar.Z >http://www.sophos.com/sophos/products/full/xrs/hpux.tar.Z >http://www.sophos.com/sophos/products/full/xrs/linux.alpha.tar.Z >http://www.sophos.com/sophos/products/full/xrs/linux.intel.libc5.tar.Z >http://www.sophos.com/sophos/products/full/xrs/linux.intel.libc6.tar.Z >http://www.sophos.com/sophos/products/full/xrs/linux.ppc.tar.Z >http://www.sophos.com/sophos/products/full/xrs/linux.s390.tar.Z >http://www.sophos.com/sophos/products/full/xrs/scoopenserver.tar.Z >http://www.sophos.com/sophos/products/full/xrs/scounixware.tar.Z >http://www.sophos.com/sophos/products/full/xrs/solaris.intel.tar.Z >http://www.sophos.com/sophos/products/full/xrs/solaris.sparc.tar.Z > > >Regards, > >MGD >--------- > >Marco > >_________________________________________________________________ >This mail is sent through MUW Webmail: http://www.MUW.Edu/webmail >For the latest MUW Events, visit http://www.MUW.Edu/calendar -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Tue Mar 11 20:28:41 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:28 2006 Subject: Old FAQ #19 In-Reply-To: <955B9133AB84B54DA680A88B1B75514E02875D@ssisrv02.summit.loc al> Message-ID: <5.2.0.9.2.20030311202806.0288df50@imap.ecs.soton.ac.uk> At 20:21 11/03/2003, you wrote: >http://www.sng.ecs.soton.ac.uk/mailscanner/faq.shtml#19 >Maybe this should be a question for the SA thread, BUT. Is it recommended >to not have spamd running and if so do you disable it in SA or >MailScanner. 
I installed this from an RPM that is why I am asking because >there is not a way to remove spamd before install like the link says to do >above. Or if I use MailScanner which I assume calls SA then do I even >need to worry about the spamd on my box. MailScanner doesn't use spamd, so feel free to disable it. It won't make any difference. -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support From ryan at MARINOCRANE.COM Tue Mar 11 20:35:51 2003 From: ryan at MARINOCRANE.COM (Ryan Pitt) Date: Thu Jan 12 21:17:28 2006 Subject: sophos 3.66 to 3.67, load jumps? References: <5.2.0.9.2.20030311184828.0227bb58@imap.ecs.soton.ac.uk> <1047406422.3e6e27567585c@webmail.MUW.Edu> <5.2.0.9.2.20030311184828.0227bb58@imap.ecs.soton.ac.uk> <5.2.0.9.2.20030311202206.027f2d50@imap.ecs.soton.ac.uk> Message-ID: <3E6E48A7.5030604@marinocrane.com> I just took a look at the new Sophos CD (March 2003) and there is an XRS folder which contains the files that are linked to below. Just thought I would try and save some of you the hassle of trying to download them, especially those who don't have a username and password for Sophos. Regards Ryan Julian Field wrote: > The XRS version works at the speed of the old versions, as expected. > real 0m0.619s > user 0m0.600s > sys 0m0.020s > > At 19:51 11/03/2003, you wrote: > >> > Can people get onto Sophos with these startup timing figures? They are >> > appalling. >> >> I did and here is the recommendation from Sophos. First, they are not >> admitting >> that it is an "issue". > > > Hopefully if enough people hassle them, they will agree that it is! > >> If you request it, which I did, you can install their >> XRS version. XRS, according to Sophos, is the old engine with the new >> IDEs. I >> installed it on two systems and the performance is much better now. >> Actually >> very good according to my systems. Can more people test it now?
I have it >> installed now on a production system and the load is normal. >> >> Here is the e-mail from Sophos: >> >> ----------- >> >> As requested >> >> http://www.sophos.com/sophos/products/full/xrs/aix.tar.Z >> http://www.sophos.com/sophos/products/full/xrs/digitalunix.tar.Z >> http://www.sophos.com/sophos/products/full/xrs/freebsd.aout.tar.Z >> http://www.sophos.com/sophos/products/full/xrs/freebsd.elf.tar.Z >> http://www.sophos.com/sophos/products/full/xrs/hpux.tar.Z >> http://www.sophos.com/sophos/products/full/xrs/linux.alpha.tar.Z >> http://www.sophos.com/sophos/products/full/xrs/linux.intel.libc5.tar.Z >> http://www.sophos.com/sophos/products/full/xrs/linux.intel.libc6.tar.Z >> http://www.sophos.com/sophos/products/full/xrs/linux.ppc.tar.Z >> http://www.sophos.com/sophos/products/full/xrs/linux.s390.tar.Z >> http://www.sophos.com/sophos/products/full/xrs/scoopenserver.tar.Z >> http://www.sophos.com/sophos/products/full/xrs/scounixware.tar.Z >> http://www.sophos.com/sophos/products/full/xrs/solaris.intel.tar.Z >> http://www.sophos.com/sophos/products/full/xrs/solaris.sparc.tar.Z >> >> >> Regards, >> >> MGD >> --------- >> >> Marco >> >> _________________________________________________________________ >> This mail is sent through MUW Webmail: http://www.MUW.Edu/webmail >> For the latest MUW Events, visit http://www.MUW.Edu/calendar > > > -- > Julian Field > www.MailScanner.info > Professional Support Services at www.MailScanner.biz > MailScanner thanks transtec Computers for their support > -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. 
From mailscanner at lists.com.ar Tue Mar 11 21:04:17 2003 From: mailscanner at lists.com.ar (Mariano Absatz) Date: Thu Jan 12 21:17:28 2006 Subject: mailscanner & zmailer In-Reply-To: <20030307231751.GC18283@hoiho.nz.lemon-computing.com> References: <3E68EA5D.32729.6D7BF40A@localhost> Message-ID: <3E6E2521.990.81E9CF83@localhost> Alright, alright, you scared me enough... I browsed the code and it has its things... even the comments in Sendmail.pm are not quite accurate... there are functions documented that don't exist anymore and other (public) not documented... Some of the "documented public" functions are not used outside Sendmail.pm... well. What I'll try to do is to create a zmq2smq and a smq2zmq to translate the queue file formats... Thankfully, I have good documentation on both queue formats (bat book chap 23 and http://zmailer.org/zman/zapp-filefmts.html). Since I couldn't easily find the queue format of Exim, I'll go for the sendmail translator. I won't have any locking problems with zmailer since its one-file approach gives me always a finished unlocked file and I can do likewise when I hand it to zmailer. I'll use flock file locking so I emulate sendmail and don't step over mailscanner. Regards, Mariano. On 8 Mar 2003 at 12:17, Nick Phillips wrote: > On Fri, Mar 07, 2003 at 06:52:13PM -0300, Mariano Absatz wrote: > > > Monday morning I'll start working hard on this, hopefully even coding. > > > > What I'd like to know in order to further understand the sources is what > > files you modified to make the sendmail->exim port. > > > > For what I can see: > > Sendmail.pm => Exim.pm > > SMDiskStore.pm => EximDiskStore.pm > > > > Are there other things you had to modify? > > Well, yes, because initially it wasn't designed to be used with different > MTAs. And now it's somewhat more generalised and abstracted, so it should > be fairly easy to port to another MTA with a 2-queuefile system.
> > However, there are some areas in which the object-isation didn't go the > whole hog in the move from v3 to v4, and these need to be fixed to > completely abstract the queue-handling stuff out from the main code > before it will reasonably be feasible to support single-queuefile mailers. > > > I don't see any pod in the files... do you have any docs on the functions in > > mailscanner? > > Not really; there are comments at the top of the Exim/Sendmail-specific files > to tell you what's needed. > > There will need to be some fairly significant rearrangement before we can > handle MTAs with single queue-files, though. Or to do it nicely, at least. > > This is the main thing that stopped me doing Postfix a few months ago. > > I've given Julian a bunch of pointers to the things that need to be jiggled > with to put this right, but I don't know how he's getting on yet. > > Keep talking when you get into looking at it. Probably the best thing to do > initially (and what I did before) was to just come up with a file or three > that replace the current mailscanner stuff to make it work, and then to > integrate the necessary changes back into the main code when it's clear > what's needed. And we'll try to get the changes made to support it. > > > Cheers, -- Mariano Absatz El Baby ---------------------------------------------------------- I.R.S.: We've got what it takes to take what you've got! From splee at PLEXIO.COM Tue Mar 11 22:04:37 2003 From: splee at PLEXIO.COM (Stephen Lee) Date: Thu Jan 12 21:17:28 2006 Subject: sophos 3.66 to 3.67, load jumps? In-Reply-To: <5.2.0.9.2.20030311162504.0359c1a0@imap.ecs.soton.ac.uk> References: <5.2.0.9.2.20030311162504.0359c1a0@imap.ecs.soton.ac.uk> Message-ID: <1047420277.13484.58.camel@ralph.plexio.private> On Tue, 2003-03-11 at 08:27, Julian Field wrote: > At 16:19 11/03/2003, you wrote: > >On Tuesday 11 March 2003 4:08 pm, Jeff A. 
Earickson wrote: > > > Hi, > > > > > > I upgraded from sophos 3.66 to 3.67 yesterday and since then, I've > > > noticed that my load on my mail server has been much higher than > > > before. Anybody else notice this? I've dropped the Max Children > > > setting from 4 to 2 on my system (Sun E220R, 2 CPUs, Sol 8) and that > > > reduced the load. I wonder what changed in Sophos to make such a > > > difference? > > I think it is to do with the way in which sophos now packages its > > virus > >definition files - the scan time for one message has gone from 1 second to > >seven seconds on my (very small) mail hub. > > If I was being really cynical, I might think they were intentionally > nobbling systems which use their command-line scanner, encouraging people > to use their over-priced mailmonitor package instead. > > Of course all that will really happen is that they lose customers to their > competitors... I don't appear to have this problem: Mar 11 11:29:52 mail MailScanner[9973]: New Batch: Found 5 messages waiting Mar 11 11:29:52 mail MailScanner[9973]: New Batch: Scanning 1 messages, 2921 bytes Mar 11 11:29:52 mail MailScanner[9973]: Spam Checks: Starting Mar 11 11:29:54 mail MailScanner[9973]: Virus and Content Scanning: Starting Mar 11 11:29:56 mail MailScanner[9973]: Uninfected: Delivered 1 messages I'm using MS 4.13-3, Sophos 3.67. I believe Julian already fixed the harmless batch count bug so only 1 message was scanned, not 5. Stephen From nerijus at USERS.SOURCEFORGE.NET Tue Mar 11 22:06:10 2003 From: nerijus at USERS.SOURCEFORGE.NET (Nerijus Baliunas) Date: Thu Jan 12 21:17:28 2006 Subject: 'service MailScanner stop' doesn't stop MailScanner the 1st time Message-ID: <200303112206.h2BM6Fe05211@ori.rl.ac.uk> Hello, I noticed this on 2 machines (RH 7.2 and 7.3): # ps axw|grep -i mail 22138 ? S 0:06 sendmail: accepting connections 22143 ? S 0:01 /usr/sbin/sendmail -q15m 22153 ? 
S 0:01 /usr/bin/perl -I/usr/lib/MailScanner /usr/sbin/MailScanner /etc/MailScanner/MailScanner.conf 15702 ? S 0:01 /usr/bin/perl -I/usr/lib/MailScanner /usr/sbin/MailScanner /etc/MailScanner/MailScanner.conf 15963 ? S 0:00 /usr/bin/perl -I/usr/lib/MailScanner /usr/sbin/MailScanner /etc/MailScanner/MailScanner.conf # service MailScanner stop Shutting down MailScanner daemons: MailScanner: [ OK ] incoming sendmail: [ OK ] outgoing sendmail: [ OK ] # ps axw|grep -i mail 22153 ? D 0:01 /usr/bin/perl -I/usr/lib/MailScanner /usr/sbin/MailScanner /etc/MailScanner/MailScanner.conf 15702 ? D 0:01 /usr/bin/perl -I/usr/lib/MailScanner /usr/sbin/MailScanner /etc/MailScanner/MailScanner.conf 15963 ? D 0:00 /usr/bin/perl -I/usr/lib/MailScanner /usr/sbin/MailScanner /etc/MailScanner/MailScanner.conf # service MailScanner stop Shutting down MailScanner daemons: MailScanner: [ OK ] incoming sendmail: [FAILED] outgoing sendmail: [FAILED] # ps axw|grep -i mail Only the 2nd 'service MailScanner stop' killed MailScanner processes. Why? Had I to wait a little more time (the processes were in D state)? Regards, Nerijus From mailscanner at lists.com.ar Tue Mar 11 22:13:44 2003 From: mailscanner at lists.com.ar (Mariano Absatz) Date: Thu Jan 12 21:17:28 2006 Subject: zmq2smq Message-ID: <3E6E3568.6954.822963F7@localhost> Hi, I see you originally read the qf in Sendmail::ReadQf, for what I see here, you process the following fields: R S $_ H Do you process or generate any other kind of qf field? or by just translating these and choosing an unused letter to hide the rest would do? Take into account that there won't be any real sendmail around... Other thing, the sendmail entry (in the config) is only used to deliver "new" messages, right? (bounces, warnings, disinfected) I see you use sendmail2 to deliver a bunch of messages... you do this when you already put them in the output queue? That is, my "sendmail2" should be smq2zmq, right? 
The original qf is not modified further than messing with the R and H lines, is it? Quickie sendmail one... the df does NOT include the header lines, does it? Sorry for the lack of order/logic... I'm browsing the code as I write this :-) Will continue tomorrow, maybe start coding? regards, -- Mariano Absatz El Baby ---------------------------------------------------------- I've never met a human being who would want to read 17,000 pages of documentation, and if there was, I'd kill him to get him out of the gene pool. -- Joseph Costello, President of Cadence From nerijus at USERS.SOURCEFORGE.NET Wed Mar 12 00:23:29 2003 From: nerijus at USERS.SOURCEFORGE.NET (Nerijus Baliunas) Date: Thu Jan 12 21:17:28 2006 Subject: Kaspersky DaemonClient Message-ID: <200303120023.h2C0NZe18238@ori.rl.ac.uk> Hello Julian, It seems kaspersky daemon client support isn't functional (with newest kavdaemon only?) - I see in kavdaemon log: Query for the tests: <0>Mar 11 23:58:33:. Directory . wasn't included in enabled paths. I asked Kaspersky support, and they answered: AvpDaemonClient can not use relevant path, only absolute, due to kavdaemon can use absolute path only in it's internal work for some security reasons. Is it possible to launch virus scanning script(s) with full path? Regards, Nerijus From smohan at vsnl.com Wed Mar 12 02:27:06 2003 From: smohan at vsnl.com (S Mohan) Date: Thu Jan 12 21:17:28 2006 Subject: accumulation of files in /var/spool/mqueue.in In-Reply-To: Message-ID: <002201c2e83e$e29cd2e0$ab6041db@18yamuna> I chose 6 days as beyond that, as per standard setting, sendmail would not deliver anyway. Thus residual files have to be broken. This is assuming MailScanner would probably not have as big a backlog as 5 days. Julian: Is it reasonable to assume that MailScanner picks up the oldest files for processing first? 
Is there any way of extracting average wait time in mqueue.in so that we can increase number of children if need be and see if it makes a difference else increase Ram/ CPU Power? Mohan -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Craig Pratt Sent: Tuesday, March 11, 2003 8:17 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: accumulation of files in /var/spool/mqueue.in Thanks for the tip. I've been seeing these queue files occasionally as well. Most recently, when I updated the sendmail access.db without restarting sendmail/MailScanner. This seemed to cause sendmail to die during SMTP connections - presumably due to the fact that sendmail's cached file state didn't match the actual file. What I'm wondering, though, is it safe to delete the files in mqueue.in with sendmail/MailScanner running? [sounds like a potential FAQ, as well] Craig On Monday, March 10, 2003, at 05:39 PM, S Mohan wrote: > I had the same stuff. I looked up a few files and associated mail log. > These were remnants of broken SMTP conversations. In order to clear > these automatically, I created a daily cron job as under. > > Find /var/spool/mqueue.in -mtime +6|xargs rm -f > > I gave 6 days as sendmail will anyway abort after 5 days delivery. > Thus files older than that anyway would be broken files. > > Mohan > > -----Original Message----- > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On > Behalf Of David Closson > Sent: Tuesday, March 11, 2003 1:27 AM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: accumulation of files in /var/spool/mqueue.in > > > OK, I figured as much. Thank you for the rapid response. > > We are processing about 350,000 emails a day (heavier day) with > MailScanner and Spamassassin. This figure is combined in and out for > all of our users. 
> > > _________ > Sincerely, > David Closson > 209-736-0111 > > > > > >> From: Julian Field >> Reply-To: MailScanner mailing list >> To: MAILSCANNER@JISCMAIL.AC.UK >> Subject: Re: accumulation of files in /var/spool/mqueue.in >> Date: Mon, 10 Mar 2003 19:27:44 +0000 >> >> At 19:12 10/03/2003, you wrote: >>> Greetings, >>> >>> Using RH 7.3 >>> Using Sendmail 8.11-6 >>> MailScanner 4.13-3 >>> Using McAfee AV >>> >>> I have been happily using MailScanner for almost a year now and have >>> had to remove the accumulation of files in /var/spool/mqueue.in >>> after a month or so. >>> >>> I am not sure if these are messages already delivered and were not >>> removed or ? >>> >>> I have had no reports of missing email. >> >> If they are stray files that aren't part of a matching qf / df pair, >> then you can safely delete them. If an SMTP session into your server >> gets interrupted for some reason, a stray file will be left behind. >> The > >> server at the far end of the session knows that its message >> transmission got interrupted and will retry anyway. SMTP is designed >> pretty carefully to ensure things don't get lost in transit. >> -- >> Julian Field >> www.MailScanner.info >> Professional Support Services at www.MailScanner.biz MailScanner >> thanks > >> transtec Computers for their support > > > _________________________________________________________________ > Add photos to your e-mail with MSN 8. Get 2 months FREE*. > http://join.msn.com/?page=features/featuredemail > > -- > This message checked for dangerous content by MailScanner on > StrongBox. > -- This message checked for dangerous content by MailScanner on StrongBox. From nightowl at NIGHTOWLS.NET Wed Mar 12 04:25:15 2003 From: nightowl at NIGHTOWLS.NET (Joseph Dobransky) Date: Thu Jan 12 21:17:28 2006 Subject: MS and SA Message-ID: <001e01c2e84f$61ad1a30$4ad34918@hawaii> Mail-SpamAssassin-2.50, and MS Version 4.13-3 I say yes to using spamassassin to scan for spam, it just dumps my mail into the mqueue.in folder, and leaves it there. I say no, MS works just great. Ideas?
**************************** Joseph Dobransky http://www.nightowlswebspace.com aim: skeeter1jd icq: 21228143 --- Outgoing mail is certified Virus Free. Checked by AVG anti-virus system (http://www.grisoft.com). Version: 6.0.459 / Virus Database: 258 - Release Date: 2/25/2003 -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030311/671ace0e/attachment.html From P.G.M.Peters at civ.utwente.nl Wed Mar 12 07:44:43 2003 From: P.G.M.Peters at civ.utwente.nl (Peter Peters) Date: Thu Jan 12 21:17:28 2006 Subject: 'service MailScanner stop' doesn't stop MailScanner the 1st time In-Reply-To: <200303112206.h2BM6Fe05211@ori.rl.ac.uk> References: <200303112206.h2BM6Fe05211@ori.rl.ac.uk> Message-ID: On Wed, 12 Mar 2003 00:06:10 +0200, you wrote: >Only the 2nd 'service MailScanner stop' killed MailScanner processes. Why? >Had I to wait a little more time (the processes were in D state)? Yes. MS is cleaning remnants of the previous run before stopping. This was a problem with 'service MailScanner restart' because it started MS too soon. That is solved now by waiting a few seconds. -- Peter Peters, senior network administrator Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE) Universiteit Twente, Postbus 217, 7500 AE Enschede telephone: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/civ From peter at ISAB.SE Wed Mar 12 08:27:02 2003 From: peter at ISAB.SE (Peter Dahlman) Date: Thu Jan 12 21:17:28 2006 Subject: I need to straighten out one of the basic-features of Antispam Message-ID: I've got this far: SpamAssassin marks all incoming spam with {spam?} The thing is, I don't wish to receive these mails; I want them to be sent to another "trash" account.
I edited a line in /etc/MailScanner/MailScanner.conf Spam Actions = forward trash@myhost.com delete And restarted the service by /etc/rc.d/init.d/MailScanner restart But it's not forwarding any mail to the "trash" account and it is not deleting it from the origin account. What am I missing here? From steve at CGPSYSTEMS.COM Tue Mar 11 22:23:30 2003 From: steve at CGPSYSTEMS.COM (Steve Barr) Date: Thu Jan 12 21:17:28 2006 Subject: sophos 3.66 to 3.67, load jumps? In-Reply-To: <1047420277.13484.58.camel@ralph.plexio.private> Message-ID: <071e01c2e81c$d83deae0$6e96a8c0@DELL> > > I don't appear to have this problem: > > Mar 11 11:29:52 mail MailScanner[9973]: New Batch: Found 5 > messages waiting Mar 11 11:29:52 mail MailScanner[9973]: New > Batch: Scanning 1 messages, 2921 bytes Mar 11 11:29:52 mail > MailScanner[9973]: Spam Checks: Starting Mar 11 11:29:54 mail > MailScanner[9973]: Virus and Content Scanning: Starting Mar > 11 11:29:56 mail MailScanner[9973]: Uninfected: Delivered 1 > messages I'm using MS 4.13-3, Sophos 3.67. I believe Julian > already fixed the harmless batch count bug so only 1 message > was scanned, not 5. I've been watching my logs, and I don't see much change with 3.67. Here's a snippet of the log from this afternoon... Mar 11 17:05:30 www MailScanner[32201]: New Batch: Found 4 messages waiting Mar 11 17:05:30 www MailScanner[32201]: New Batch: Scanning 1 messages, 2036 bytes Mar 11 17:05:30 www MailScanner[32201]: Spam Checks: Starting Mar 11 17:05:30 www MailScanner[32201]: Virus and Content Scanning: Starting Mar 11 17:05:33 www MailScanner[32201]: Uninfected: Delivered 1 messages Debian Woody, MailScanner 4.12-2, and Sophos 3.67. The server is a Compaq DL360 P3-1.26, 512mb RAM. Steve -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
(MailScanner 4.11-1, 3.66) From john at OFIZ.COM Wed Mar 12 10:26:22 2003 From: john at OFIZ.COM (John Thewlis) Date: Thu Jan 12 21:17:28 2006 Subject: Cobalt RaQ4r MailScanner Queries In-Reply-To: <057701c2e809$b0c3d910$5d876751@T20> Message-ID: Hi I am finalising the install of MailScanner and SpamAssassin on a Cobalt RaQ4r, and need some advice from anyone who has done these installs on a Cobalt RaQ4 box. Any help would be much appreciated. 1 Has anyone installed any other virus scanner other than f-prot, e.g. Sophos, and if so do you have an install guide or Cobalt specific gotchas that I need to be aware of to add these additional virus scanners? 2 Has anyone added any additional blacklists to improve the accuracy of Spam identification, as lots of Spam is still getting through our box with the spam setting at 5? 3 Has anyone installed MailScanner-MRTG for monitoring the MailScanner on a Cobalt RaQ4, and if so, in what directory did you install it, and what changes did you need to make to any other system files to get it working? Again, many thanks for any help you might be able to offer. John John Thewlis From mailscanner at ecs.soton.ac.uk Wed Mar 12 11:30:59 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:28 2006 Subject: MS and SA In-Reply-To: <001e01c2e84f$61ad1a30$4ad34918@hawaii> Message-ID: <5.2.0.9.2.20030312113032.02270c48@imap.ecs.soton.ac.uk> At 04:25 12/03/2003, you wrote: >Mail-SpamAssassin-2.50, and MS Version 4.13-3 > >I say yes to using spamassassin to scan for spam, it just dumps my mail >into the mqueue.in folder, and leaves it there. I say no, MS works just >great. Ideas? Have you seen the News item on the website about SpamAssassin 2.50? > > >**************************** > > > >Joseph Dobransky >http://www.nightowlswebspace.com >aim: skeeter1jd >icq: 21228143 > > > >--- >Outgoing mail is certified Virus Free. >Checked by AVG anti-virus system (http://www.grisoft.com). 
>Version: 6.0.459 / Virus Database: 258 - Release Date: 2/25/2003

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Wed Mar 12 11:25:29 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:28 2006
Subject: 'service MailScanner stop' doesn't stop MailScanner the 1st time
In-Reply-To: <200303112206.h2BM6Fe05211@ori.rl.ac.uk>
Message-ID: <5.2.0.9.2.20030312112438.022e23a8@imap.ecs.soton.ac.uk>

At 22:06 11/03/2003, you wrote:
>Hello,
>
>I noticed this on 2 machines (RH 7.2 and 7.3):
>
># ps axw|grep -i mail
>22138 ? S 0:06 sendmail: accepting connections
>22143 ? S 0:01 /usr/sbin/sendmail -q15m
>22153 ? S 0:01 /usr/bin/perl -I/usr/lib/MailScanner
>/usr/sbin/MailScanner /etc/MailScanner/MailScanner.conf
>15702 ? S 0:01 /usr/bin/perl -I/usr/lib/MailScanner
>/usr/sbin/MailScanner /etc/MailScanner/MailScanner.conf
>15963 ? S 0:00 /usr/bin/perl -I/usr/lib/MailScanner
>/usr/sbin/MailScanner /etc/MailScanner/MailScanner.conf
># service MailScanner stop
>Shutting down MailScanner daemons:
> MailScanner: [ OK ]
> incoming sendmail: [ OK ]
> outgoing sendmail: [ OK ]
># ps axw|grep -i mail
>22153 ? D 0:01 /usr/bin/perl -I/usr/lib/MailScanner
>/usr/sbin/MailScanner /etc/MailScanner/MailScanner.conf
>15702 ? D 0:01 /usr/bin/perl -I/usr/lib/MailScanner
>/usr/sbin/MailScanner /etc/MailScanner/MailScanner.conf
>15963 ? D 0:00 /usr/bin/perl -I/usr/lib/MailScanner
>/usr/sbin/MailScanner /etc/MailScanner/MailScanner.conf
># service MailScanner stop
>Shutting down MailScanner daemons:
> MailScanner: [ OK ]
> incoming sendmail: [FAILED]
> outgoing sendmail: [FAILED]
># ps axw|grep -i mail
>
>
>Only the 2nd 'service MailScanner stop' killed MailScanner processes. Why?
>Had I to wait a little more time (the processes were in D state)?

Yes.
Give it some time to do the job, it is trying to be very nice to you and is cleaning up all the temporary directories it will have created. After doing the "stop", wait 10 seconds or so before the "ps". -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Wed Mar 12 11:32:16 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:28 2006 Subject: I need to straighten out one of the basic-features of Antispam In-Reply-To: Message-ID: <5.2.0.9.2.20030312113156.02254750@imap.ecs.soton.ac.uk> Because you haven't set the "High Scoring Spam Actions" perhaps? At 08:27 12/03/2003, you wrote: >I've got this far: >Spamassisn marks alla incomming spam with {spam?} > >The thing is, i don't wish to receive this mails i want them to be sent to >another "trash" account. > >I edited a line in /etc/MailScanner/MailScanner.conf >Spam Actions = forward trash@myhost.com delete > >And restarted the service by /etc/rc.d/init.d/MailScanner restart > >But it's not forwarding any mail to the "trash" account and it is not >deleting it from the origin account. > >What am i missing here? -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Wed Mar 12 11:30:00 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:28 2006 Subject: accumulation of files in /var/spool/mqueue.in In-Reply-To: <002201c2e83e$e29cd2e0$ab6041db@18yamuna> References: Message-ID: <5.2.0.9.2.20030312112912.022a2e50@imap.ecs.soton.ac.uk> At 02:27 12/03/2003, you wrote: >I chose 6 days as beyond that, as per standard setting, sendmail would >not deliver anyway. Thus residual files have to be broken. This is >assuming MailScanner would probably not have as big a backlog as 5 days. 
>
>Julian:
>Is it reasonable to assume that MailScanner picks up the oldest files
>for processing first?

Yes it does. It processes them in strict date order.

>Is there any way of extracting average wait time in mqueue.in so that we
>can increase number of children if need be and see if it makes a
>difference else increase Ram/ CPU Power?

I'll take a look.

>Mohan
>-----Original Message-----
>From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On
>Behalf Of Craig Pratt
>Sent: Tuesday, March 11, 2003 8:17 AM
>To: MAILSCANNER@JISCMAIL.AC.UK
>Subject: Re: accumulation of files in /var/spool/mqueue.in
>
>
>Thanks for the tip. I've been seeing these queue files occasionally as
>well.
>
>Most recently, when I updated the sendmail access.db without restarting
>sendmail/MailScanner. This seemed to cause sendmail to die during SMTP
>connections - presumably due to the fact that sendmail's cached file
>state didn't match the actual file.
>
>What I'm wondering, though, is it safe to delete the files in mqueue.in
>with sendmail/MailScanner running? [sounds like a potential FAQ, as
>well]
>
>Craig
>
>On Monday, March 10, 2003, at 05:39 PM, S Mohan wrote:
> > I had the same stuff. I looked up a few files and associated mail log.
> > These were remnants of broken SMTP conversations. In order to clear
> > these automatically, I created a daily cron job as under.
> >
> > find /var/spool/mqueue.in -mtime +6|xargs rm -f
> >
> > I gave 6 days as sendmail will anyway abort after 5 days delivery.
> > Thus files older than that anyway would be broken files.
> >
> > Mohan
> >
> > -----Original Message-----
> > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On
> > Behalf Of David Closson
> > Sent: Tuesday, March 11, 2003 1:27 AM
> > To: MAILSCANNER@JISCMAIL.AC.UK
> > Subject: Re: accumulation of files in /var/spool/mqueue.in
> >
> >
> > OK, I figured as much. Thank you for the rapid response.
> >
> > We are processing about 350,000 emails a day (heavier day) with
> > MailScanner and Spamassassin. This figure is combined in and out for
> > all of our users.
> >
> >
> > _________
> > Sincerely,
> > David Closson
> > 209-736-0111
> >
> >
> >> From: Julian Field
> >> Reply-To: MailScanner mailing list
> >> To: MAILSCANNER@JISCMAIL.AC.UK
> >> Subject: Re: accumulation of files in /var/spool/mqueue.in
> >> Date: Mon, 10 Mar 2003 19:27:44 +0000
> >>
> >> At 19:12 10/03/2003, you wrote:
> >>> Greetings,
> >>>
> >>> Using RH 7.3
> >>> Using Sendmail 8.11-6
> >>> MailScanner 4.13-3
> >>> Using McAfee AV
> >>>
> >>> I have been happily using MailScanner for almost a year now and have
> >>> had to remove the accumulation of files in /var/spool/mqueue.in
> >>> after a month or so.
> >>>
> >>> I am not sure if these are messages already delivered and were not
> >>> removed or ?
> >>>
> >>> I have had no reports of missing email.
> >>
> >> If they are stray files that aren't part of a matching qf / df pair,
> >> then you can safely delete them. If an SMTP session into your server
> >> gets interrupted for some reason, a stray file will be left behind.
> >> The
> >> server at the far end of the session knows that its message
> >> transmission got interrupted and will retry anyway. SMTP is designed
> >> pretty carefully to ensure things don't get lost in transit.
> >> --
> >> Julian Field
> >> www.MailScanner.info
> >> Professional Support Services at www.MailScanner.biz MailScanner
> >> thanks
> >> transtec Computers for their support
> >
> > --
> > This message checked for dangerous content by MailScanner on
> > StrongBox.
> >
>
>--
>This message checked for dangerous content by MailScanner on StrongBox.
-- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support From nightowl at NIGHTOWLS.NET Wed Mar 12 11:42:23 2003 From: nightowl at NIGHTOWLS.NET (Joseph Dobransky) Date: Thu Jan 12 21:17:28 2006 Subject: MS and SA In-Reply-To: <5.2.0.9.2.20030312113032.02270c48@imap.ecs.soton.ac.uk> Message-ID: <000901c2e88c$72ab9c70$4ad34918@hawaii> kk. Considered beta, but it should at least attempt to work. One would think anyway... **************************** Joseph Dobransky http://www.nightowlswebspace.com aim: skeeter1jd icq: 21228143 -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Julian Field Sent: Wednesday, March 12, 2003 6:31 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: MS and SA At 04:25 12/03/2003, you wrote: >Mail-SpamAssassin-2.50, and MS Version 4.13-3 > >I say yes to using spamassassin to scan for spam, it just dumps my mail >into the mqueue.in folder, and leaves it there. I say no, MS works just >great. Ideas? Have you seen the News item on the website about SpamAssassin 2.50? > > >**************************** > > > >Joseph Dobransky >http://www.nightowlswebspace.com >aim: skeeter1jd >icq: 21228143 > > > >--- >Outgoing mail is certified Virus Free. >Checked by AVG anti-virus system (http://www.grisoft.com). >Version: 6.0.459 / Virus Database: 258 - Release Date: 2/25/2003 -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support --- Incoming mail is certified Virus Free. Checked by AVG anti-virus system (http://www.grisoft.com). Version: 6.0.459 / Virus Database: 258 - Release Date: 2/25/2003 --- Outgoing mail is certified Virus Free. Checked by AVG anti-virus system (http://www.grisoft.com). 
Version: 6.0.459 / Virus Database: 258 - Release Date: 2/25/2003

From R.A.Gardener at SHU.AC.UK Wed Mar 12 15:00:09 2003
From: R.A.Gardener at SHU.AC.UK (Ray Gardener)
Date: Thu Jan 12 21:17:28 2006
Subject: multi part volume (sophos) errors - best way of handling
Message-ID: <010801c2e8a8$1b990c80$5a14348f@videoproducer>

Hi,

sophos (not reasonably) complains that it is unable to handle multi part zip files and reports them as corrupt.

e.g.
__________________________________________
Sender: <>
IP Address: 212.78.202.106.49920
Recipient: a.student@student.shu.ac.uk
Subject: Undelivered Mail Returned to Sender
MessageID: 18t6j9-00067B-00
Report: Could not check ./18t6j9-00067B-00/Implementation 12March.zip/Implementation/SCM 2/SCM/Debug/vc60.idb (part of multi volume archive)
Could not check ./18t6j9-00067B-00/Implementation 12March.zip (corrupt)
__________________________________________

I know that in the latest version of mailscanner you can specify that such errors be ignored using

Allowed Sophos Error Messages = corrupt

(even though you are warned of the dangers of doing this).

Just to clarify - would

Allowed Sophos Error Messages = part of multi volume archive

also work in allowing through mail with similar errors to the one above?

2) In the case of multi part volumes would mailscanner adding an opening warning attachment telling the users that this hasn't been scanned properly be sensible or feasible to implement?

Regards
_________________________________________________
Ray Gardener
CIS
Sheffield Hallam University
Howard Street
Sheffield
UK
S1 1WB
(44) 0114 225 4926
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Ray Gardener.vcf
Type: text/x-vcard
Size: 571 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030312/c0dade34/RayGardener.vcf

From mailscanner at ecs.soton.ac.uk Wed Mar 12 15:13:47 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:28 2006
Subject: multi part volume (sophos) errors - best way of handling
In-Reply-To: <010801c2e8a8$1b990c80$5a14348f@videoproducer>
Message-ID: <5.2.0.9.2.20030312151311.04205f68@imap.ecs.soton.ac.uk>

At 15:00 12/03/2003, you wrote:
>sophos (not reasonably) complains that it is unable to handle multi part zip
>files and reports them as corrupt.
>
> I know that in the latest version of mailscanner you can specify that
>such errors be ignored using
>
>Allowed Sophos Error Messages = corrupt
>
>Just to clarify - would
>Allowed Sophos Error Messages = part of multi volume archive
>also work in allowing through mail with similar errors to the one above?

Yes, should do.

>2) In the case of multi part volumes would mailscanner adding an opening
>warning attachment telling the users that this hasn't been scanned properly
>be sensible or feasible to implement?

Not very easy I'm afraid.

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From mike at TECHINTER.COM Wed Mar 12 17:48:26 2003
From: mike at TECHINTER.COM (Mike Williams)
Date: Thu Jan 12 21:17:28 2006
Subject: Per User Blacklist and white lists
In-Reply-To: <5.2.0.9.2.20030311202337.027f2e90@imap.ecs.soton.ac.uk>
Message-ID:

Ok, I enabled the bydomainblacklist and bydomainwhitelist in the MailScanner.conf with

Is Definitely Not Spam = &ByDomainSpamWhitelist
Is Definitely Spam = &ByDomainSpamBlacklist

The directories are set to /etc/MailScanner/rules/whitelist and /etc/MailScanner/rules/blacklist. I have a file in blacklist folder named user@domain.com (actual file name is different but same format).
In the file user@domain.com I have listed several blacklist items, one is an email account that I have on aol.com. The aol email address doesn't appear in any whitelist. However, when I send email to user@domain.com from the AOL account that is on the blacklist it goes through without even being marked as spam. There are no errors when starting mailscanner and in the logs it says that it read blacklist for 1 domain. I must be missing something but I haven't a clue.

Mike

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Julian Field
Sent: Tuesday, March 11, 2003 2:24 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Per User Blacklist and white lists

At 19:50 11/03/2003, you wrote:
>Julian,
>
>Thanks for the info. I'm looking at the code and the example is for
>bydomain. I'm not sure but it looks like I can have the white and black
>list by either domain.com or by user@domain.com.

Yes you can. You can even give it IP addresses if I remember rightly.

> The reason I am asking is
>that each user will need to be able to specify their own black and white
>list. This makes it possible that one user would wish to block email from a
>user@spam.com and another user to whitelist or not block a user@spam.com.
>So if I use a filename of user1@domain.com and user2@domain.com does this in
>fact make the whitelist and blacklist unique for each user even if they are
>in the same domain?
>
>Mike
>
>-----Original Message-----
>From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On
>Behalf Of Julian Field
>Sent: Tuesday, March 11, 2003 12:44 PM
>To: MAILSCANNER@JISCMAIL.AC.UK
>Subject: Re: Per User Blacklist and white lists
>
>
>Take a look in the CustomConfig.pm file in recent distributions. This
>feature is an example of what you can do with "Custom Functions". You will
>probably need to change the directories it reads the black/whitelists from,
>but otherwise it will just work.
The code briefly explains what should go >in the various config files. > >At 18:35 11/03/2003, you wrote: > >Is it possible to have a per user blacklist and whitelist? Example in the > >whitelist file: > > > >To: user-1@domain.com >/etc/MailScanner/rules/whitelist/user-1-domain.com > >To: user-2@domain.com >/etc/MailScanner/rules/whitelist/user-2-domain.com > >FromTo: Default no > > > > > >user-1-domain.com > > > >From: friend@domain.com yes > >From: friend1@domain.com yes > >From: default no > > > >and so on? > > > >Mike > >-- >Julian Field >www.MailScanner.info >Professional Support Services at www.MailScanner.biz >MailScanner thanks transtec Computers for their support -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support From Peter.Bates at LSHTM.AC.UK Wed Mar 12 17:54:23 2003 From: Peter.Bates at LSHTM.AC.UK (Peter Bates) Date: Thu Jan 12 21:17:28 2006 Subject: Logging 'subject' field of detected Spam? Message-ID: Hello all... I haven't looked at the code yet, but was wondering how tricky this would be to implement... Now and again I try to add variations of 'known' spam 'Subjects' (and some body content) to my MTA configuration to block it... Is it possible to add logging of 'Subject' to the line: Mar 12 17:25:06 hancock MailScanner[30443]: Message B1F1C15600B from 193.63.251.18 (anstpbat@icecube.lshtm.ac.uk) to lshtm.ac.uk is spam, SpamAssassin (score=13.5, required 8, DATE_IN_PAST_12_24, DCC_CHECK, DRASTIC_REDUCED, HOME_EMPLOYMENT, INVALID_DATE, INVALID_MSGID, NO_REAL_NAME, ONCE_IN_LIFETIME, RAZOR2_CHECK, RCVD _IN_OSIRUSOFT_COM, REMOVE_SUBJ, UNDISC_RECIPS) ... or as an additional line after that? ... ---------------------------------------------------------------------------------------------------> Peter Bates, Systems Support Officer, Network Support Team. London School of Hygiene & Tropical Medicine. 
Telephone:0207-958 8353 / Fax: 0207- 636 9838

From mailscanner at ecs.soton.ac.uk Wed Mar 12 18:22:36 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:28 2006
Subject: Logging 'subject' field of detected Spam?
In-Reply-To:
Message-ID: <5.2.0.9.2.20030312182059.02257ef8@imap.ecs.soton.ac.uk>

Would this be used by other people as well? It would generate considerably more logging output.

The code is in Message.pm around line 343, shouldn't be difficult to add but would require yet another configuration option "Log Spam Subject" to switch it on and off.

At 17:54 12/03/2003, you wrote:
>Hello all...
>
>I haven't looked at the code yet, but was wondering
>how tricky this would be to implement...
>
>Now and again I try to add variations of 'known' spam 'Subjects'
>(and some body content) to my MTA configuration to block it...
>
>Is it possible to add logging of 'Subject' to the line:
>
>Mar 12 17:25:06 hancock MailScanner[30443]: Message B1F1C15600B from
>193.63.251.18
>(anstpbat@icecube.lshtm.ac.uk) to lshtm.ac.uk is spam, SpamAssassin
>(score=13.5, required 8,
>DATE_IN_PAST_12_24, DCC_CHECK, DRASTIC_REDUCED, HOME_EMPLOYMENT,
> INVALID_DATE, INVALID_MSGID, NO_REAL_NAME, ONCE_IN_LIFETIME,
> RAZOR2_CHECK, RCVD
>_IN_OSIRUSOFT_COM, REMOVE_SUBJ, UNDISC_RECIPS)
>
>... or as an additional line after that?
>
>...
>
>
>
>--------------------------------------------------->
>Peter Bates, Systems Support Officer, Network Support Team.
>London School of Hygiene & Tropical Medicine.
>Telephone:0207-958 8353 / Fax: 0207- 636 9838

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Wed Mar 12 18:18:42 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:28 2006
Subject: Per User Blacklist and white lists
In-Reply-To:
References: <5.2.0.9.2.20030311202337.027f2e90@imap.ecs.soton.ac.uk>
Message-ID: <5.2.0.9.2.20030312181023.0222e958@imap.ecs.soton.ac.uk>

Looks like I never wrote the code to do the per-user lists, only per-domain lists.

Try editing CustomConfig.pm and making "LookupByDomainList" look like this:

    sub LookupByDomainList {
      my($message, $BlackWhite) = @_;

      return 0 unless $message; # Sanity check the input

      # Find the "from" address and the first "to" address
      my($from, $fromdomain, @todomain, $todomain, @to, $to, $ip);
      $from = $message->{from};
      $fromdomain = $message->{fromdomain};
      @todomain = @{$message->{todomain}};
      $todomain = $todomain[0];
      @to = @{$message->{to}};
      $to = $to[0];
      $ip = $message->{clientip};

      # It is in the list if either the exact address is listed,
      # or the domain is listed
      return 1 if $BlackWhite->{$to}{$from};
      return 1 if $BlackWhite->{$to}{$fromdomain};
      return 1 if $BlackWhite->{$to}{$ip};
      return 1 if $BlackWhite->{$todomain}{$from};
      return 1 if $BlackWhite->{$todomain}{$fromdomain};
      return 1 if $BlackWhite->{$todomain}{$ip};

      # It is not in the list
      return 0;
    }

Please give this a try and let me know if it works, so I can include the code in the next release (due very shortly to fix long filename checking bug in 4.13).

At 17:48 12/03/2003, you wrote:
>Ok, I enabled the bydomainblacklist and bydomainwhitelist in the
>MailScanner.conf with
>
>Is Definitely Not Spam = &ByDomainSpamWhitelist
>Is Definitely Spam = &ByDomainSpamBlacklist
>
>The directories are set to /etc/MailScanner/rules/whitelist and
>/etc/MailScanner/rules/blacklist.
I have a file in blacklist folder named >user@domain.com (actual file name is different but same format). In the >file user@domain.com I have listed several blacklist items, one is an email >account that I have on aol.com. The aol email address doesn't appear in any >whitelist. However, when I send email to user@domain.com from the AOL >account that is on the blacklist it goes through without even being marked >as spam. There are no errors when starting mailscanner and in the logs is >says that it read blacklist for 1 domain. I must be missing something but I >haven't a clue. > >Mike >-----Original Message----- >From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On >Behalf Of Julian Field >Sent: Tuesday, March 11, 2003 2:24 PM >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Re: Per User Blacklist and white lists > > >At 19:50 11/03/2003, you wrote: > >Julian, > > > >Thanks for the info. I'm looking at the code and the example is for > >bydomain. I'm not sure but it looks like I can have the white and black > >list by either domain.com or by user@domain.com. > >Yes you can. You can even give it IP addresses if I remember rightly. > > > The reason I am asking is > >that each user will need to be able to specify their own black and white > >list. This makes it possible that one user would wish to block email from >a > >user@spam.com and another user to whitelist or not block a user@spam.com. > >So if I use a filename of user1@domain.com and user2@domain.com does this >in > >fact make the whitelist and blacklist unique for each user even if they are > >in the same domain? > > > >Mike > > > >-----Original Message----- > >From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > >Behalf Of Julian Field > >Sent: Tuesday, March 11, 2003 12:44 PM > >To: MAILSCANNER@JISCMAIL.AC.UK > >Subject: Re: Per User Blacklist and white lists > > > > > >Take a look in the CustomConfig.pm file in recent distributions. 
This > >feature is an example of what you can do with "Custom Functions". You will > >probably need to change the directories it reads the black/whitelists from, > >but otherwise it will just work. The code briefly explains what should go > >in the various config files. > > > >At 18:35 11/03/2003, you wrote: > > >Is it possible to have a per user blacklist and whitelist? Example in >the > > >whitelist file: > > > > > >To: user-1@domain.com > >/etc/MailScanner/rules/whitelist/user-1-domain.com > > >To: user-2@domain.com > >/etc/MailScanner/rules/whitelist/user-2-domain.com > > >FromTo: Default no > > > > > > > > >user-1-domain.com > > > > > >From: friend@domain.com yes > > >From: friend1@domain.com yes > > >From: default no > > > > > >and so on? > > > > > >Mike > > > >-- > >Julian Field > >www.MailScanner.info > >Professional Support Services at www.MailScanner.biz > >MailScanner thanks transtec Computers for their support > >-- >Julian Field >www.MailScanner.info >Professional Support Services at www.MailScanner.biz >MailScanner thanks transtec Computers for their support -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support From mike at TECHINTER.COM Wed Mar 12 19:47:00 2003 From: mike at TECHINTER.COM (Mike Williams) Date: Thu Jan 12 21:17:28 2006 Subject: Per User Blacklist and white lists In-Reply-To: <5.2.0.9.2.20030312181023.0222e958@imap.ecs.soton.ac.uk> Message-ID: Works like a charm. Thanks. BTW quick question is there a way to assign a spam score to blacklisted addresses so that it will activate the high score rule? Mike -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Julian Field Sent: Wednesday, March 12, 2003 12:19 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Per User Blacklist and white lists Looks like I never wrote the code to do the per-user lists, only per-domain lists. 
Try editing CustomConfig.pm and making "LookupByDomainList" look like this:

    sub LookupByDomainList {
      my($message, $BlackWhite) = @_;

      return 0 unless $message; # Sanity check the input

      # Find the "from" address and the first "to" address
      my($from, $fromdomain, @todomain, $todomain, @to, $to, $ip);
      $from = $message->{from};
      $fromdomain = $message->{fromdomain};
      @todomain = @{$message->{todomain}};
      $todomain = $todomain[0];
      @to = @{$message->{to}};
      $to = $to[0];
      $ip = $message->{clientip};

      # It is in the list if either the exact address is listed,
      # or the domain is listed
      return 1 if $BlackWhite->{$to}{$from};
      return 1 if $BlackWhite->{$to}{$fromdomain};
      return 1 if $BlackWhite->{$to}{$ip};
      return 1 if $BlackWhite->{$todomain}{$from};
      return 1 if $BlackWhite->{$todomain}{$fromdomain};
      return 1 if $BlackWhite->{$todomain}{$ip};

      # It is not in the list
      return 0;
    }

Please give this a try and let me know if it works, so I can include the code in the next release (due very shortly to fix long filename checking bug in 4.13).

At 17:48 12/03/2003, you wrote:
>Ok, I enabled the bydomainblacklist and bydomainwhitelist in the
>MailScanner.conf with
>
>Is Definitely Not Spam = &ByDomainSpamWhitelist
>Is Definitely Spam = &ByDomainSpamBlacklist
>
>The directories are set to /etc/MailScanner/rules/whitelist and
>/etc/MailScanner/rules/blacklist. I have a file in blacklist folder named
>user@domain.com (actual file name is different but same format). In the
>file user@domain.com I have listed several blacklist items, one is an email
>account that I have on aol.com. The aol email address doesn't appear in any
>whitelist. However, when I send email to user@domain.com from the AOL
>account that is on the blacklist it goes through without even being marked
>as spam. There are no errors when starting mailscanner and in the logs it
>says that it read blacklist for 1 domain. I must be missing something but I
>haven't a clue.
> >Mike >-----Original Message----- >From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On >Behalf Of Julian Field >Sent: Tuesday, March 11, 2003 2:24 PM >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Re: Per User Blacklist and white lists > > >At 19:50 11/03/2003, you wrote: > >Julian, > > > >Thanks for the info. I'm looking at the code and the example is for > >bydomain. I'm not sure but it looks like I can have the white and black > >list by either domain.com or by user@domain.com. > >Yes you can. You can even give it IP addresses if I remember rightly. > > > The reason I am asking is > >that each user will need to be able to specify their own black and white > >list. This makes it possible that one user would wish to block email from >a > >user@spam.com and another user to whitelist or not block a user@spam.com. > >So if I use a filename of user1@domain.com and user2@domain.com does this >in > >fact make the whitelist and blacklist unique for each user even if they are > >in the same domain? > > > >Mike > > > >-----Original Message----- > >From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > >Behalf Of Julian Field > >Sent: Tuesday, March 11, 2003 12:44 PM > >To: MAILSCANNER@JISCMAIL.AC.UK > >Subject: Re: Per User Blacklist and white lists > > > > > >Take a look in the CustomConfig.pm file in recent distributions. This > >feature is an example of what you can do with "Custom Functions". You will > >probably need to change the directories it reads the black/whitelists from, > >but otherwise it will just work. The code briefly explains what should go > >in the various config files. > > > >At 18:35 11/03/2003, you wrote: > > >Is it possible to have a per user blacklist and whitelist? 
Example in >the > > >whitelist file: > > > > > >To: user-1@domain.com > >/etc/MailScanner/rules/whitelist/user-1-domain.com > > >To: user-2@domain.com > >/etc/MailScanner/rules/whitelist/user-2-domain.com > > >FromTo: Default no > > > > > > > > >user-1-domain.com > > > > > >From: friend@domain.com yes > > >From: friend1@domain.com yes > > >From: default no > > > > > >and so on? > > > > > >Mike > > > >-- > >Julian Field > >www.MailScanner.info > >Professional Support Services at www.MailScanner.biz > >MailScanner thanks transtec Computers for their support > >-- >Julian Field >www.MailScanner.info >Professional Support Services at www.MailScanner.biz >MailScanner thanks transtec Computers for their support -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support From james at PCXPERIENCE.COM Wed Mar 12 20:01:34 2003 From: james at PCXPERIENCE.COM (James A. Pattie) Date: Thu Jan 12 21:17:28 2006 Subject: Outlook and UUENCODED attachments Message-ID: <3E6F921E.9050106@pcxperience.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 I'm not 100% sure that this is a MailScanner issue but this issue only started being reported after installing MailScanner. I have a user that is sending file attachments (usually office documents) from Outlook 97 and when they send these e-mails to other internal users the other users get the e-mail but the attachment is empty. When they send the e-mail to me (external using Mozilla mail) I get the e-mail fine. It appears that the originating mail client is encoding using UUENCODE instead of MIME from the following headers: X-Mailer: Microsoft Internet E-mail/MAPI - 8.0.0.4211 Encoding: 15 TEXT, 447 UUENCODE X-MS-Attachment: Doc1.doc 0 00-00-1980 00:00 MailScanner is generating the following body content: The following is a multipart MIME message which was extracted from a uuencoded message. 
- ------------=_1047489992-23715-0 The message then follows the boundary and goes on. The internal users, also using Outlook 97, are getting the message and when they forward it to me the file attachment looks like this: - ------ =_NextPart_000_01C2E88B.02DAFF40 Content-Type: application/msword; name="Doc1.doc" Content-Transfer-Encoding: base64 - ------ =_NextPart_000_01C2E88B.02DAFF40-- When the user sends me the same attachment, I get the following: - ------------=_1047489992-23715-0 Content-Type: application/octet-stream; name="Doc1.doc"; x-unix-mode="0600" Content-Disposition: inline; filename="Doc1.doc" Content-Transfer-Encoding: base64 MIME-Version: 1.0 X-Mailer: MIME-tools 5.411 (Entity 5.404) - ------------=_1047489992-23715-0-- The originating site is using MailScanner 4.12-2 and I'm using MailScanner 4.13-3. If needed I can send the sanitised e-mails for inspection. - -- James A. Pattie james@pcxperience.com Linux -- SysAdmin / Programmer Xperience, Inc. http://www.pcxperience.com/ http://www.xperienceinc.com/ GPG Key Available at http://www.pcxperience.com/gpgkeys/james.html -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQE+b5IetUXjwPIRLVERAsDaAKC+PZ/17DELSu0Cl2vKcwRlw7Z1owCcDKKR +h+wqbo4UR8b0w9UAK8qhXc= =RBi3 -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From mailscanner at ecs.soton.ac.uk Wed Mar 12 20:18:53 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:28 2006 Subject: Per User Blacklist and white lists In-Reply-To: References: <5.2.0.9.2.20030312181023.0222e958@imap.ecs.soton.ac.uk> Message-ID: <5.2.0.9.2.20030312200952.025e7890@imap.ecs.soton.ac.uk> At 19:47 12/03/2003, you wrote: >Works like a charm. Thanks. Great. It will be in the next release. 
> BTW quick question is there a way to assign a
>spam score to blacklisted addresses so that it will activate the high score
>rule?

Not currently, no. But try this:
1) In the blacklisting lookup code, change the code to say this:

sub ByDomainSpamBlacklist {
  my($message) = @_;
  my($value);

  $value = LookupByDomainList($message, \%Blacklist);
  $message->{sascore} = 10 if $value;
  return $value;
}

(if you want blacklisting to score 10)

Then edit Message.pm and change line 370 from
  $this->{sascore} = $sascore; # Save the actual figure for use later...
to
  $this->{sascore} += $sascore; # Save the actual figure for use later...

Give this a try and let me know how you get on.

>-----Original Message-----
>From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On
>Behalf Of Julian Field
>Sent: Wednesday, March 12, 2003 12:19 PM
>To: MAILSCANNER@JISCMAIL.AC.UK
>Subject: Re: Per User Blacklist and white lists
>
>
>Looks like I never wrote the code to do the per-user lists, only per-domain
>lists.
> >Try editing CustomConfig.pm and making "LookupByDomainList" look like this: > >sub LookupByDomainList { > my($message, $BlackWhite) = @_; > > return 0 unless $message; # Sanity check the input > > # Find the "from" address and the first "to" address > my($from, $fromdomain, @todomain, $todomain, @to, $to, $ip); > $from = $message->{from}; > $fromdomain = $message->{fromdomain}; > @todomain = @{$message->{todomain}}; > $todomain = $todomain[0]; > @to = @{$message->{to}}; > $to = $to[0]; > $ip = $message->{clientip}; > > # It is in the list if either the exact address is listed, > # or the domain is listed > return 1 if $BlackWhite->{$to}{$from}; > return 1 if $BlackWhite->{$to}{$fromdomain}; > return 1 if $BlackWhite->{$to}{$ip}; > return 1 if $BlackWhite->{$todomain}{$from}; > return 1 if $BlackWhite->{$todomain}{$fromdomain}; > return 1 if $BlackWhite->{$todomain}{$ip}; > > # It is not in the list > return 0; >} > >Please give this a try and let me know if it works, so I can include the >code in the next release (due very shortly to fix long filename checking >bug in 4.13). > >At 17:48 12/03/2003, you wrote: > >Ok, I enabled the bydoaminblacklist and bydoaminwhitelist in the > >MailScanner.conf with > > > >Is Definitely Not Spam = &ByDomainSpamWhitelist > >Is Definitely Spam = &ByDomainSpamBlacklist > > > >The directorys are set to /etc/MailScanner/rules/whitelist and > >/etc/MailScanner/rules/blacklist. I have a file in blacklist folder named > >user@domain.com (actual file name is different but same format). In the > >file user@domain.com I have listed several blacklist items, one is an email > >account that I have on aol.com. The aol email address doesn't appear in >any > >whitelist. However, when I send email to user@domain.com from the AOL > >account that is on the blacklist it goes through without even being marked > >as spam. There are no errors when starting mailscanner and in the logs is > >says that it read blacklist for 1 domain. 
I must be missing something but >I > >haven't a clue. > > > >Mike > >-----Original Message----- > >From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > >Behalf Of Julian Field > >Sent: Tuesday, March 11, 2003 2:24 PM > >To: MAILSCANNER@JISCMAIL.AC.UK > >Subject: Re: Per User Blacklist and white lists > > > > > >At 19:50 11/03/2003, you wrote: > > >Julian, > > > > > >Thanks for the info. I'm looking at the code and the example is for > > >bydomain. I'm not sure but it looks like I can have the white and black > > >list by either domain.com or by user@domain.com. > > > >Yes you can. You can even give it IP addresses if I remember rightly. > > > > > The reason I am asking is > > >that each user will need to be able to specify their own black and white > > >list. This makes it possible that one user would wish to block email >from > >a > > >user@spam.com and another user to whitelist or not block a >user@spam.com. > > >So if I use a filename of user1@domain.com and user2@domain.com does this > >in > > >fact make the whitelist and blacklist unique for each user even if they >are > > >in the same domain? > > > > > >Mike > > > > > >-----Original Message----- > > >From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > > >Behalf Of Julian Field > > >Sent: Tuesday, March 11, 2003 12:44 PM > > >To: MAILSCANNER@JISCMAIL.AC.UK > > >Subject: Re: Per User Blacklist and white lists > > > > > > > > >Take a look in the CustomConfig.pm file in recent distributions. This > > >feature is an example of what you can do with "Custom Functions". You >will > > >probably need to change the directories it reads the black/whitelists >from, > > >but otherwise it will just work. The code briefly explains what should go > > >in the various config files. > > > > > >At 18:35 11/03/2003, you wrote: > > > >Is it possible to have a per user blacklist and whitelist? 
Example in > >the > > > >whitelist file: > > > > > > > >To: user-1@domain.com > > >/etc/MailScanner/rules/whitelist/user-1-domain.com > > > >To: user-2@domain.com > > >/etc/MailScanner/rules/whitelist/user-2-domain.com > > > >FromTo: Default no > > > > > > > > > > > >user-1-domain.com > > > > > > > >From: friend@domain.com yes > > > >From: friend1@domain.com yes > > > >From: default no > > > > > > > >and so on? > > > > > > > >Mike > > > > > >-- > > >Julian Field > > >www.MailScanner.info > > >Professional Support Services at www.MailScanner.biz > > >MailScanner thanks transtec Computers for their support > > > >-- > >Julian Field > >www.MailScanner.info > >Professional Support Services at www.MailScanner.biz > >MailScanner thanks transtec Computers for their support > >-- >Julian Field >www.MailScanner.info >Professional Support Services at www.MailScanner.biz >MailScanner thanks transtec Computers for their support -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Wed Mar 12 20:21:48 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:28 2006 Subject: Outlook and UUENCODED attachments In-Reply-To: <3E6F921E.9050106@pcxperience.com> Message-ID: <5.2.0.9.2.20030312202029.026ec488@imap.ecs.soton.ac.uk> At some point, yes please send me the messages. At the moment I haven't got time to look at it. Are you using "Sign Clean Messages = yes"? If so, can you try setting it to "no" and see what happens. At 20:01 12/03/2003, you wrote: >-----BEGIN PGP SIGNED MESSAGE----- >Hash: SHA1 > >I'm not 100% sure that this is a MailScanner issue but this issue only >started being reported after installing MailScanner. > >I have a user that is sending file attachments (usually office >documents) from Outlook 97 and when they send these e-mails to other >internal users the other users get the e-mail but the attachment is >empty. 
When they send the e-mail to me (external using Mozilla mail) I >get the e-mail fine. > >It appears that the originating mail client is encoding using UUENCODE >instead of MIME from the following headers: > >X-Mailer: Microsoft Internet E-mail/MAPI - 8.0.0.4211 >Encoding: 15 TEXT, 447 UUENCODE >X-MS-Attachment: Doc1.doc 0 00-00-1980 00:00 > >MailScanner is generating the following body content: > >The following is a multipart MIME message which was extracted >from a uuencoded message. > >- ------------=_1047489992-23715-0 > >The message then follows the boundary and goes on. > >The internal users, also using Outlook 97, are getting the message and >when they forward it to me the file attachment looks like this: > >- ------ =_NextPart_000_01C2E88B.02DAFF40 >Content-Type: application/msword; name="Doc1.doc" >Content-Transfer-Encoding: base64 > > >- ------ =_NextPart_000_01C2E88B.02DAFF40-- > >When the user sends me the same attachment, I get the following: > >- ------------=_1047489992-23715-0 >Content-Type: application/octet-stream; name="Doc1.doc"; x-unix-mode="0600" >Content-Disposition: inline; filename="Doc1.doc" >Content-Transfer-Encoding: base64 >MIME-Version: 1.0 >X-Mailer: MIME-tools 5.411 (Entity 5.404) > > > >- ------------=_1047489992-23715-0-- > > >The originating site is using MailScanner 4.12-2 and I'm using >MailScanner 4.13-3. > > >If needed I can send the sanitised e-mails for inspection. > >- -- >James A. Pattie >james@pcxperience.com > >Linux -- SysAdmin / Programmer >Xperience, Inc. 
>http://www.pcxperience.com/ >http://www.xperienceinc.com/ > >GPG Key Available at http://www.pcxperience.com/gpgkeys/james.html >-----BEGIN PGP SIGNATURE----- >Version: GnuPG v1.0.6 (GNU/Linux) >Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org > >iD8DBQE+b5IetUXjwPIRLVERAsDaAKC+PZ/17DELSu0Cl2vKcwRlw7Z1owCcDKKR >+h+wqbo4UR8b0w9UAK8qhXc= >=RBi3 >-----END PGP SIGNATURE----- > > >-- >This message has been scanned for viruses and >dangerous content by MailScanner, and is >believed to be clean. -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support
From mailscanner at lists.com.ar Wed Mar 12 20:45:18 2003 From: mailscanner at lists.com.ar (Mariano Absatz) Date: Thu Jan 12 21:17:28 2006 Subject: mailscanner & zmailer In-Reply-To: <20030312201403.GA11369@hoiho.nz.lemon-computing.com> References: <3E6E2521.990.81E9CF83@localhost> Message-ID: <3E6F722E.4165.86FEDA7C@localhost> On 13 Mar 2003 at 9:14, Nick Phillips wrote: > On Tue, Mar 11, 2003
at 06:04:17PM -0300, Mariano Absatz wrote:
> > Alright, alright,
> >
> > you scared me enough...
> >
> > I browsed the code and it has its things... even the comments in Sendmail.pm
> > are not quite accurate... there are functions documented that don't exist
> > anymore and other (public) not documented... Some of the "documented public"
> > functions are not used outside Sendmail.pm... well.
> >
> > What I'll try to do is to create a zmq2smq and a smq2zmq to translate the
> > queue file formats...
>
> Scared too much, it seems. It would be really good to get something that
> would work directly, and we do need to get the restructuring done to work
> nicely with single-queue-file systems...

OK... I'll try to view that in parallel... that is, I have a time constraint to have something workable up and running quickly, however, I don't like the idea of having to maintain ugly patches like this one either.

I'll keep studying the code and see what I can do... I think that what I need is a "clean" interface for the MailScanner::SMDiskStore and MailScanner::Sendmail packages...

As I said before, in the comments in Sendmail.pm there's stuff that is supposed to be implemented that is only needed there (or at most in SMDiskStore) and should be more "opaque"...

I never played much with Exporter (only copied stuff other people did), but maybe starting to publish a module interface will help... I'm no OO-expert nor religious about these things, but in the long run it will help (as you said in notes.txt)...

>
> Exim spool documentation is at www.exim.org in the "Exim Specification",
> near the end. FWIW.

Good!... I was searching for "queue" instead of "spool"... anyway, for now, I'll take the sendmail route...

>
--
Mariano Absatz
El Baby
----------------------------------------------------------
Bus error -- passengers dumped.
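An added illustration, not MailScanner's code and not part of any post in this archive: it models the lookup order of the LookupByDomainList function posted earlier in the "Per User Blacklist and white lists" thread over constructed lists and messages, next to a hypothetical variant, lookup_any_recipient, that consults every recipient's list instead of only the first. The list layout, the helper names and the sample addresses are assumptions; the message field names are the ones used in the posted function.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample lists. Outer key: the list file name (a recipient
# address or a recipient domain). Inner keys: listed sender address,
# sender domain or client IP. This layout is an assumption.
my %Blacklist = (
    'user1@domain.com' => { 'user@spam.com' => 1 },
    'domain.com'       => { '192.0.2.25'    => 1 },
);

# True if any of the message's sender keys is listed under one of @owners.
# The exists() test stops Perl from autovivifying an empty inner hash for
# each recipient that has no list, which a bare $list->{$owner}{$key} does.
sub entry_matches {
    my ($message, $list, @owners) = @_;
    for my $owner (@owners) {
        next unless defined $owner && exists $list->{$owner};
        for my $key (@{$message}{qw(from fromdomain clientip)}) {
            return 1 if defined $key && $list->{$owner}{$key};
        }
    }
    return 0;
}

# Same order as the posted function: the first recipient's own list,
# then the list for the first recipient's domain.
sub lookup_first_recipient {
    my ($message, $list) = @_;
    return 0 unless $message;
    return entry_matches($message, $list,
                         $message->{to}[0], $message->{todomain}[0]);
}

# Hypothetical variant: consult the lists of every recipient. The domain
# is taken from the address itself rather than from {todomain}.
sub lookup_any_recipient {
    my ($message, $list) = @_;
    return 0 unless $message;
    for my $rcpt (@{ $message->{to} }) {
        my ($domain) = $rcpt =~ /\@([^\@]+)\z/;
        return 1 if entry_matches($message, $list, $rcpt, $domain);
    }
    return 0;
}

# Build a constructed message with the fields the posted function reads.
sub msg {
    my ($from, $ip, @to) = @_;
    my ($fromdomain) = $from =~ /\@([^\@]+)\z/;
    return {
        from       => $from,
        fromdomain => $fromdomain,
        clientip   => $ip,
        to         => [@to],
        todomain   => [ map { my @p = split /\@/, $_; $p[-1] } @to ],
    };
}

my @cases = (
    [ 'listed sender to user1',
      msg('user@spam.com', '198.51.100.7', 'user1@domain.com') ],
    [ 'same sender to user2',
      msg('user@spam.com', '198.51.100.7', 'user2@domain.com') ],
    [ 'domain-wide IP entry',
      msg('a@other.example', '192.0.2.25', 'user2@domain.com') ],
    [ 'user1 is second recipient',
      msg('user@spam.com', '198.51.100.7',
          'user2@domain.com', 'user1@domain.com') ],
);

for my $case (@cases) {
    my ($label, $message) = @$case;
    printf "%-28s first=%d any=%d\n", $label,
        lookup_first_recipient($message, \%Blacklist),
        lookup_any_recipient($message, \%Blacklist);
}

# The guarded lookups leave the list with only its configured owners.
printf "keys in list after lookups: %d\n", scalar keys %Blacklist;
```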
From mailscanner at ecs.soton.ac.uk Wed Mar 12 21:10:04 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:28 2006 Subject: Stupid luser Message-ID: <5.2.0.9.2.20030312210113.02725ef8@imap.ecs.soton.ac.uk> Just had this from someone whose mail got stopped by MailScanner. They sent me an extremely abusive message (usual threats of legal action which I'm used to now), to which I responded very politely. This is their response: >NO THREAT. NOTHING IDLE AT ALL. HERE'S ANOTHER FACT FOR YOU LITTLE SHIT: >OUR ATTORNEY GENERAL HERE IN MISSOURI DOES'NT CARE FOR INTERNET SPAM. These people make me really glad I give up time to do this :-( And they can't even get their punctuation correct. And as for the grammar in the second "sentence", don't get me started. Where the heck is Missouri anyway? No insult to anyone here from Missouri, but to me it's one of those states "in the middle of the USA somewhere"... Feel free to direct me at a map :) Oh, the reason for these outbursts? They were sent a "sender warning" from an old version of MailScanner which was replying to a copy of Klez. That's my best guess anyway, they weren't exactly clear. -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support From dwinkler at ALGORITHMICS.COM Wed Mar 12 21:19:32 2003 From: dwinkler at ALGORITHMICS.COM (Derek Winkler) Date: Thu Jan 12 21:17:28 2006 Subject: Stupid luser Message-ID: <06EE2C86D3DAD5119A6C0060943F3C97055E6EC7@tormail1.algorithmics.com> All references to "virus" had to be removed from all reports here. Someone threatened legal action because he sent a clean .exe which violated the filename rules and they didn't like the implication that they had sent a virus. Unfortunately he was taken a little too seriously. 
-----Original Message----- From: Julian Field [mailto:mailscanner@ecs.soton.ac.uk] Sent: Wednesday, March 12, 2003 4:10 PM To: MAILSCANNER@jiscmail.ac.uk Subject: Stupid luser Just had this from someone whose mail got stopped by MailScanner. They sent me an extremely abusive message (usual threats of legal action which I'm used to now), to which I responded very politely. This is their response: >NO THREAT. NOTHING IDLE AT ALL. HERE'S ANOTHER FACT FOR YOU LITTLE SHIT: >OUR ATTORNEY GENERAL HERE IN MISSOURI DOES'NT CARE FOR INTERNET SPAM. These people make me really glad I give up time to do this :-( And they can't even get their punctuation correct. And as for the grammar in the second "sentence", don't get me started. Where the heck is Missouri anyway? No insult to anyone here from Missouri, but to me it's one of those states "in the middle of the USA somewhere"... Feel free to direct me at a map :) Oh, the reason for these outbursts? They were sent a "sender warning" from an old version of MailScanner which was replying to a copy of Klez. That's my best guess anyway, they weren't exactly clear. -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support
From henker at SHCOM.US Wed Mar 12 21:22:09 2003 From: henker at SHCOM.US (Steffan Henke) Date: Thu Jan 12 21:17:28 2006 Subject: Stupid luser In-Reply-To: <5.2.0.9.2.20030312210113.02725ef8@imap.ecs.soton.ac.uk> References: <5.2.0.9.2.20030312210113.02725ef8@imap.ecs.soton.ac.uk> Message-ID: On Wed, 12 Mar 2003, Julian Field wrote: > Just had this from someone whose mail got stopped by MailScanner. > >NO THREAT. NOTHING IDLE AT ALL. HERE'S ANOTHER FACT FOR YOU LITTLE SHIT: > >OUR ATTORNEY GENERAL HERE IN MISSOURI DOES'NT CARE FOR INTERNET SPAM.
Oh yes, the dark sides of the net. I also get phone calls from spammers and I really would *not* like to know what people like spamhaus.org have to face every day. I really adore them for doing what they do. Take alone http://www.spamhaus.org/rokso/index.lasso - incredible works ! Too bad so much energy has to be wasted on spammers. Regards, Steffan From james at PCXPERIENCE.COM Wed Mar 12 21:36:16 2003 From: james at PCXPERIENCE.COM (James A. Pattie) Date: Thu Jan 12 21:17:28 2006 Subject: Outlook and UUENCODED attachments In-Reply-To: <5.2.0.9.2.20030312202029.026ec488@imap.ecs.soton.ac.uk> References: <5.2.0.9.2.20030312202029.026ec488@imap.ecs.soton.ac.uk> Message-ID: <3E6FA850.3080306@pcxperience.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Julian Field wrote: > At some point, yes please send me the messages. At the moment I haven't got > time to look at it. Are you using "Sign Clean Messages = yes"? If so, can > you try setting it to "no" and see what happens. Yes, but I had set up a rules file that was supposed to not sign any messages they sent themselves. Unfortunately, they have 2 different domains that they are using and the sender had her email address in one and was sending to the other domain. Is there any way to do a rule that says don't sign when From = domainA and To = domainY? When I turned off signing clean messages alltogether, then the e-mail went through ok to the other internal users. This doesn't really explain why I was able to get it no problem unless it is an issue with Outlook97 being old or something. :) > > At 20:01 12/03/2003, you wrote: > >> I'm not 100% sure that this is a MailScanner issue but this issue only >> started being reported after installing MailScanner. >> >> I have a user that is sending file attachments (usually office >> documents) from Outlook 97 and when they send these e-mails to other >> internal users the other users get the e-mail but the attachment is >> empty. 
When they send the e-mail to me (external using Mozilla mail) I >> get the e-mail fine. >> >> It appears that the originating mail client is encoding using UUENCODE >> instead of MIME from the following headers: >> >> X-Mailer: Microsoft Internet E-mail/MAPI - 8.0.0.4211 >> Encoding: 15 TEXT, 447 UUENCODE >> X-MS-Attachment: Doc1.doc 0 00-00-1980 00:00 >> >> MailScanner is generating the following body content: >> >> The following is a multipart MIME message which was extracted >> from a uuencoded message. >> >> - ------------=_1047489992-23715-0 >> >> The message then follows the boundary and goes on. >> >> The internal users, also using Outlook 97, are getting the message and >> when they forward it to me the file attachment looks like this: >> >> - ------ =_NextPart_000_01C2E88B.02DAFF40 >> Content-Type: application/msword; name="Doc1.doc" >> Content-Transfer-Encoding: base64 >> >> >> - ------ =_NextPart_000_01C2E88B.02DAFF40-- >> >> When the user sends me the same attachment, I get the following: >> >> - ------------=_1047489992-23715-0 >> Content-Type: application/octet-stream; name="Doc1.doc"; >> x-unix-mode="0600" >> Content-Disposition: inline; filename="Doc1.doc" >> Content-Transfer-Encoding: base64 >> MIME-Version: 1.0 >> X-Mailer: MIME-tools 5.411 (Entity 5.404) >> >> >> >> - ------------=_1047489992-23715-0-- >> >> >> The originating site is using MailScanner 4.12-2 and I'm using >> MailScanner 4.13-3. >> >> >> If needed I can send the sanitised e-mails for inspection. >> - -- James A. Pattie james@pcxperience.com Linux -- SysAdmin / Programmer Xperience, Inc. 
http://www.pcxperience.com/
http://www.xperienceinc.com/

GPG Key Available at http://www.pcxperience.com/gpgkeys/james.html
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQE+b6hPtUXjwPIRLVERAlN3AJ0WqX7g2+uOXoWdV7jBEUE4lHWr9wCfbY+K
8MBAZUr/9ozUbUu6/7Y231g=
=SAu2
-----END PGP SIGNATURE-----

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From mike at TECHINTER.COM Wed Mar 12 21:39:24 2003
From: mike at TECHINTER.COM (Mike Williams)
Date: Thu Jan 12 21:17:28 2006
Subject: Per User Blacklist and white lists
In-Reply-To: <5.2.0.9.2.20030312200952.025e7890@imap.ecs.soton.ac.uk>
Message-ID:

Ok, this is what I got.

X-MailScanner-1: Found to be clean
X-MailScanner-SpamCheck-1: spam (blacklisted)
X-MailScanner-SpamScore: ssssssssssssssssssss

It didn't get caught by the high score rule or even the required score rule. I have my required score set at 3 and high at 9. I set the value at 20 so it should have scored. I checked the required score with a value of 5 also with the same results.

Mike

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On
Behalf Of Julian Field
Sent: Wednesday, March 12, 2003 2:19 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Per User Blacklist and white lists

At 19:47 12/03/2003, you wrote:
>Works like a charm. Thanks.

Great. It will be in the next release.

> BTW quick question is there a way to assign a
>spam score to blacklisted addresses so that it will activate the high score
>rule?

Not currently, no.
But try this: 1) In the blacklisting lookup code, change the code to say this: sub ByDomainSpamBlacklist { my($message) = @_; my($value); $value = LookupByDomainList($message, \%Blacklist); $message->{sascore} = 10 if $value; return $value; } (if you want blacklisting to score 10) Then edit Message.pm and change line 370 from $this->{sascore} = $sascore; # Save the actual figure for use later... to $this->{sascore} += $sascore; # Save the actual figure for use later... Give this a try and let me know how you get on. >-----Original Message----- >From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On >Behalf Of Julian Field >Sent: Wednesday, March 12, 2003 12:19 PM >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Re: Per User Blacklist and white lists > > >Looks like I never wrote the code to do the per-user lists, only per-domain >lists. > >Try editing CustomConfig.pm and making "LookupByDomainList" look like this: > >sub LookupByDomainList { > my($message, $BlackWhite) = @_; > > return 0 unless $message; # Sanity check the input > > # Find the "from" address and the first "to" address > my($from, $fromdomain, @todomain, $todomain, @to, $to, $ip); > $from = $message->{from}; > $fromdomain = $message->{fromdomain}; > @todomain = @{$message->{todomain}}; > $todomain = $todomain[0]; > @to = @{$message->{to}}; > $to = $to[0]; > $ip = $message->{clientip}; > > # It is in the list if either the exact address is listed, > # or the domain is listed > return 1 if $BlackWhite->{$to}{$from}; > return 1 if $BlackWhite->{$to}{$fromdomain}; > return 1 if $BlackWhite->{$to}{$ip}; > return 1 if $BlackWhite->{$todomain}{$from}; > return 1 if $BlackWhite->{$todomain}{$fromdomain}; > return 1 if $BlackWhite->{$todomain}{$ip}; > > # It is not in the list > return 0; >} > >Please give this a try and let me know if it works, so I can include the >code in the next release (due very shortly to fix long filename checking >bug in 4.13). 
>
>At 17:48 12/03/2003, you wrote:
> >Ok, I enabled the bydomainblacklist and bydomainwhitelist in the
> >MailScanner.conf with
> >
> >Is Definitely Not Spam = &ByDomainSpamWhitelist
> >Is Definitely Spam = &ByDomainSpamBlacklist
> >
> >The directories are set to /etc/MailScanner/rules/whitelist and
> >/etc/MailScanner/rules/blacklist. I have a file in blacklist folder named
> >user@domain.com (actual file name is different but same format). In the
> >file user@domain.com I have listed several blacklist items, one is an email
> >account that I have on aol.com. The aol email address doesn't appear in any
> >whitelist. However, when I send email to user@domain.com from the AOL
> >account that is on the blacklist it goes through without even being marked
> >as spam. There are no errors when starting mailscanner and in the logs it
> >says that it read blacklist for 1 domain. I must be missing something but I
> >haven't a clue.
> >
> >Mike
> >-----Original Message-----
> >From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On
> >Behalf Of Julian Field
> >Sent: Tuesday, March 11, 2003 2:24 PM
> >To: MAILSCANNER@JISCMAIL.AC.UK
> >Subject: Re: Per User Blacklist and white lists
> >
> >
> >At 19:50 11/03/2003, you wrote:
> > >Julian,
> > >
> > >Thanks for the info. I'm looking at the code and the example is for
> > >bydomain. I'm not sure but it looks like I can have the white and black
> > >list by either domain.com or by user@domain.com.
> >
> >Yes you can. You can even give it IP addresses if I remember rightly.
> >
> > > The reason I am asking is
> > >that each user will need to be able to specify their own black and white
> > >list. This makes it possible that one user would wish to block email from a
> > >user@spam.com and another user to whitelist or not block a user@spam.com.
> > >So if I use a filename of user1@domain.com and user2@domain.com does this > >in > > >fact make the whitelist and blacklist unique for each user even if they >are > > >in the same domain? > > > > > >Mike > > > > > >-----Original Message----- > > >From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > > >Behalf Of Julian Field > > >Sent: Tuesday, March 11, 2003 12:44 PM > > >To: MAILSCANNER@JISCMAIL.AC.UK > > >Subject: Re: Per User Blacklist and white lists > > > > > > > > >Take a look in the CustomConfig.pm file in recent distributions. This > > >feature is an example of what you can do with "Custom Functions". You >will > > >probably need to change the directories it reads the black/whitelists >from, > > >but otherwise it will just work. The code briefly explains what should go > > >in the various config files. > > > > > >At 18:35 11/03/2003, you wrote: > > > >Is it possible to have a per user blacklist and whitelist? Example in > >the > > > >whitelist file: > > > > > > > >To: user-1@domain.com > > >/etc/MailScanner/rules/whitelist/user-1-domain.com > > > >To: user-2@domain.com > > >/etc/MailScanner/rules/whitelist/user-2-domain.com > > > >FromTo: Default no > > > > > > > > > > > >user-1-domain.com > > > > > > > >From: friend@domain.com yes > > > >From: friend1@domain.com yes > > > >From: default no > > > > > > > >and so on? 
> > > > > > > >Mike > > > > > >-- > > >Julian Field > > >www.MailScanner.info > > >Professional Support Services at www.MailScanner.biz > > >MailScanner thanks transtec Computers for their support > > > >-- > >Julian Field > >www.MailScanner.info > >Professional Support Services at www.MailScanner.biz > >MailScanner thanks transtec Computers for their support > >-- >Julian Field >www.MailScanner.info >Professional Support Services at www.MailScanner.biz >MailScanner thanks transtec Computers for their support -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support From paul at ESPMAIL.CO.UK Wed Mar 12 21:43:12 2003 From: paul at ESPMAIL.CO.UK (Paul Welsh) Date: Thu Jan 12 21:17:29 2006 Subject: Announce List References: <5.2.0.9.2.20030312202029.026ec488@imap.ecs.soton.ac.uk> <3E6FA850.3080306@pcxperience.com> Message-ID: <004801c2e8e0$63f4c860$54e330d5@espmail> Hi Julian Did anything come of the suggestion of having a pure announce list? The volume of mail on this list is getting a bit much for me. From nerijus at USERS.SOURCEFORGE.NET Wed Mar 12 21:55:21 2003 From: nerijus at USERS.SOURCEFORGE.NET (Nerijus Baliunas) Date: Thu Jan 12 21:17:29 2006 Subject: Announce List In-Reply-To: <004801c2e8e0$63f4c860$54e330d5@espmail> References: <5.2.0.9.2.20030312202029.026ec488@imap.ecs.soton.ac.uk> <3E6FA850.3080306@pcxperience.com> <004801c2e8e0$63f4c860$54e330d5@espmail> Message-ID: <200303122156.h2CLuZ804034@nori.rl.ac.uk> On Wed, 12 Mar 2003 21:43:12 -0000 Paul Welsh wrote: > Did anything come of the suggestion of having a pure announce list? > > The volume of mail on this list is getting a bit much for me. I'd suggest to subscribe to new releases at http://freshmeat.net/projects/mailscanner/ - you will receive an email with changes when Julian updates freshmeat record. 
Regards, Nerijus From mailscanner at ecs.soton.ac.uk Wed Mar 12 21:49:08 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:29 2006 Subject: Announce List In-Reply-To: <004801c2e8e0$63f4c860$54e330d5@espmail> References: <5.2.0.9.2.20030312202029.026ec488@imap.ecs.soton.ac.uk> <3E6FA850.3080306@pcxperience.com> Message-ID: <5.2.0.9.2.20030312214813.026fddf8@imap.ecs.soton.ac.uk> At 21:43 12/03/2003, you wrote: >Hi Julian > >Did anything come of the suggestion of having a pure announce list? > >The volume of mail on this list is getting a bit much for me. If you just want announcements, then subscribe to the project at freshmeat.net. This is on the www.mailscanner.info home page. -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Wed Mar 12 21:47:32 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:29 2006 Subject: Outlook and UUENCODED attachments In-Reply-To: <3E6FA850.3080306@pcxperience.com> References: <5.2.0.9.2.20030312202029.026ec488@imap.ecs.soton.ac.uk> <5.2.0.9.2.20030312202029.026ec488@imap.ecs.soton.ac.uk> Message-ID: <5.2.0.9.2.20030312214417.022b3e58@imap.ecs.soton.ac.uk> At 21:36 12/03/2003, you wrote: >Is there any way to do a rule that says don't sign when From = domainA >and To = domainY? No, there isn't. However you could fairly easily implement it in a Custom Function. You just need to construct a list of domains and check that both the fromdomain and the todomain are in the list. -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support From andrewh at CQG.COM Wed Mar 12 22:49:32 2003 From: andrewh at CQG.COM (Andrew M. 
Hoying) Date: Thu Jan 12 21:17:29 2006 Subject: Problems since the new McAfee dat file 4252 Message-ID: <8A6DFB0865502242A29E25BDAEFBB945533679@d2sexchtest.cqg.com> I know I'm running a very old version of mailscanner, 3.14, which may be the problem, but since the new dat file came out, Office XP calendar meeting requests are being reported as Exploit-CTCalendar and then the scanner crashes and reports the virus again, 50-60 times a minute until I delete the message from the incoming folder. Is there anything I can do, short of upgrading the a new version, to fix this problem? Andrew Hoying -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030312/d1ef4e3c/attachment.html From etate01 at sun.hazelwood.k12.mo.us Thu Mar 13 00:32:28 2003 From: etate01 at sun.hazelwood.k12.mo.us (Ed Tate) Date: Thu Jan 12 21:17:29 2006 Subject: Stupid luser Message-ID: <000001c2e8f8$0742d8b0$0200a8c0@computer> Having called Missouri "home" for the last 25 years, I think that I can shed some light on where we are and what the "luser" is referring to. Sales people selling everything from insurance to light bulbs bug us Americans by calling us at dinner time. Missouri has a great no-call list that you sign up for and it imposes fines on these guys if they call you and you're on the list. This is run by the attorney general's office in the state capitol. It works fantastic and the entire United States is considering such a law. A legislator and the attorney general have teamed up to introduce a similar bill except for spam. Notice what's important in the first link below. Hint - it's not the proposed legislation. The second link gives the progress of the bill - it isn't official yet but it is moving through the legislative process so it might actually make it to a law. Enforcement should be interesting. 
http://www.senate.state.mo.us/03INFO/bills/SB010.htm http://www.ago.state.mo.us/photogallery/2002/spamlegislation102102.htm This next link gives you some information about Missouri. And you were right - it's almost smack in the middle of the United States. It's a beautiful state, relatively mild weather in comparison, but we do seem to have more than our share of "lusers". http://encarta.msn.com/encnet/refpages/RefArticle.aspx?refid=761563653 Ed Tate (etate01@hazelwoodschools.org) Coordinator of Technology Support Hazelwood School District Florissant, Missouri From P.G.M.Peters at civ.utwente.nl Thu Mar 13 08:07:58 2003 From: P.G.M.Peters at civ.utwente.nl (Peter Peters) Date: Thu Jan 12 21:17:29 2006 Subject: Stupid luser In-Reply-To: <06EE2C86D3DAD5119A6C0060943F3C97055E6EC7@tormail1.algorithmics.com> References: <06EE2C86D3DAD5119A6C0060943F3C97055E6EC7@tormail1.algorithmics.com> Message-ID: <70f07v49ms7j171b7bslr915ojcf18mbs9@4ax.com> On Wed, 12 Mar 2003 16:19:32 -0500, you wrote: >Someone threatened legal action because he sent a clean .exe which violated >the filename rules and they didn't like the implication that they had sent a >virus. I am trying to educate the postmaster of a fellow institution to drop his scanner in favour of MS. His scanner sends a virus-warning to all people in the To: and Cc: when the scanner finds blocked extensions. -- Peter Peters, senior netwerkbeheerder Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE) Universiteit Twente, Postbus 217, 7500 AE Enschede telefoon: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/civ From mk at quadstone.com Thu Mar 13 09:41:26 2003 From: mk at quadstone.com (Michael Keightley) Date: Thu Jan 12 21:17:29 2006 Subject: Some Spam still not being marked as Spam Message-ID: <20030313094126.GA1642@quadstone.com> I'm using MailScanner-4.13-3 with SpamAssassin-2.50 (no AWL) on Solaris 9. About 5% of Spam we receive isn't marked as Spam. 
If I save these messages and run "spamassassin -t" on these messages they get a much higher score (e.g. 9 instead of 4). Why is the score lower when they are processed by MailScanner? Is this a bug?

Michael

--
Michael Keightley                     Tel: +44 131 220 4491
Systems Manager, Quadstone Limited,   Fax: +44 131 220 4492
16 Chester Street, Edinburgh EH3 7RA, Scotland
http://www.quadstone.com

From Q.G.Campbell at NEWCASTLE.AC.UK Thu Mar 13 07:58:19 2003
From: Q.G.Campbell at NEWCASTLE.AC.UK (Quentin Campbell)
Date: Thu Jan 12 21:17:29 2006
Subject: Logging 'subject' field of detected Spam?
Message-ID: <08AC2E825474534ABB2D6EDB643FC7F83CEFB4@bond.ncl.ac.uk>

Julian

In the UK the "Subject" line is considered to be "content" so logging it would be "interception" under RIPA. Whether such interception by MailScanner is lawful would depend on the circumstances.

Note that the above applies even more obviously to quarantining of messages and sites in the UK who do this need to be very clear about the how and the why. Even if the quarantining/interception is lawful the site may still be open to civil suit by their users if they are not careful.

I note that the "Subject" line is present in the "virus warning" messages I receive as Postmaster so I may already be operating in breach of the law! However I think this is covered by the Lawful Business Practices Regulations and/or by the provisions in RIPA covering interception for the purposes of ensuring the correct operation of a service.

Sigh!

Quentin
---
PHONE: +44 191 222 8209    Computing Service, University of Newcastle
FAX:   +44 191 222 8765    Newcastle upon Tyne, United Kingdom, NE1 7RU.
------------------------------------------------------------------------
"Any opinion expressed above is mine. The University can get its own."

> -----Original Message-----
> From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK]
> Sent: 12 March 2003 18:23
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: Logging 'subject' field of detected Spam?
> > > Would this be used by other people as well? It would generate > considerably more logging output. > > The code is is Message.pm around line 343, shouldn't be > difficult to add but would require yet another configuration > option "Log Spam Subject" to switch it on and off. > > At 17:54 12/03/2003, you wrote: > >Hello all... > > > >I haven't looked at the code yet, but was wondering > >how tricky this would be to implement... > > > >Now and again I try to add variations of 'known' spam > 'Subjects' (and > >some body content) to my MTA configuration to block it... > > > >Is it possible to add logging of 'Subject' to the line: > > > >Mar 12 17:25:06 hancock MailScanner[30443]: Message B1F1C15600B from > >193.63.251.18 > >(anstpbat@icecube.lshtm.ac.uk) to lshtm.ac.uk is spam, SpamAssassin > >(score=13.5, required 8, DATE_IN_PAST_12_24, DCC_CHECK, > >DRASTIC_REDUCED, HOME_EMPLOYMENT, > > INVALID_DATE, INVALID_MSGID, NO_REAL_NAME, ONCE_IN_LIFETIME, > >RAZOR2_CHECK, RCVD _IN_OSIRUSOFT_COM, REMOVE_SUBJ, UNDISC_RECIPS) > > > >... or as an additional line after that? > > > >... > > > > > > > >------------------------------------------------------------- > --------------------------------------> > >Peter Bates, Systems Support Officer, Network Support Team. London > >School of Hygiene & Tropical Medicine. Telephone:0207-958 > 8353 / Fax: > >0207- 636 9838 > > -- > Julian Field > www.MailScanner.info > Professional Support Services at www.MailScanner.biz > MailScanner thanks transtec Computers for their support > From Jan-Peter.Koopmann at SECEIDOS.DE Thu Mar 13 09:50:50 2003 From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann) Date: Thu Jan 12 21:17:29 2006 Subject: Some Spam still not being marked as Spam Message-ID: <4E7026FF8A422749B1553FE508E0068007EF68@message.intern.akctech.de> Hi Michael, > I'm using MailScanner-4.13-3 with SpamAssassin-2.50 (no AWL) > on Solaris 9. > About 5% of Spam we receive isn't marked as Spam. 
If I save
> these messages and run "spamassassin -t" on these messages
> they get a much higher score (e.g. 9 instead of 4). Why is
> the score lower when they are processed by MailScanner? Is
> this a bug?

Not necessarily. I am troubled with the same problem btw. The scoring
depends a lot on your settings and whether or not
MailScanner/SpamAssassin is using the same set of configuration files
as SA alone started by your user. Are you using Exim btw? Please post
the SCORES that a suspicious message gets via MS/SA and via spamassassin
-t.

Regards,
  JP

From mailscanner at ecs.soton.ac.uk Thu Mar 13 10:14:49 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:29 2006
Subject: Problems since the new McAfee dat file 4252
In-Reply-To: <8A6DFB0865502242A29E25BDAEFBB945533679@d2sexchtest.cqg.com >
Message-ID: <5.2.0.9.2.20030313101325.025ac8f8@imap.ecs.soton.ac.uk>

At 22:49 12/03/2003, you wrote:
>I know I'm running a very old version of mailscanner, 3.14, which may be
>the problem, but since the new dat file came out, Office XP calendar
>meeting requests are being reported as Exploit-CTCalendar and then the
>scanner crashes and reports the virus again, 50-60 times a minute until I
>delete the message from the incoming folder. Is there anything I can do,
>short of upgrading to a new version, to fix this problem?

What happens when you run mcafee on the files by hand? Can you mail me the
exact output please, and I'll find out what new versions do with it.
--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

From Jan-Peter.Koopmann at SECEIDOS.DE Thu Mar 13 10:20:29 2003
From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann)
Date: Thu Jan 12 21:17:29 2006
Subject: FreeBSD mcafee-autoupdate
Message-ID: <4E7026FF8A422749B1553FE508E0068007EF69@message.intern.akctech.de>

Hi,

the mcafee-autoupdate script in lib uses /bin/tar.
Under FreeBSD this is in /usr/bin/tar. The script starts and downloads the update file but does not untar it. Unfortunately this does NOT give you an error and everything seems to run fine. Please either change this or include a note in INSTALL.FreeBSD. Thanks, JP From mk at quadstone.com Thu Mar 13 10:29:48 2003 From: mk at quadstone.com (Michael Keightley) Date: Thu Jan 12 21:17:29 2006 Subject: Some Spam still not being marked as Spam In-Reply-To: <4E7026FF8A422749B1553FE508E0068007EF68@message.intern.akctech.de> References: <4E7026FF8A422749B1553FE508E0068007EF68@message.intern.akctech.de> Message-ID: <20030313102948.GB1642@quadstone.com> On Thu, Mar 13, 2003 at 10:50:50AM +0100, Jan-Peter Koopmann wrote: > > Hi Michael, > > > I'm using MailScanner-4.13-3 with SpamAssassin-2.50 (no AWL) > > on Solaris 9. > > About 5% of Spam we receive isn't marked as Spam. If I save > > these messages and run "spamassassin -t" on these messages > > they get a much higer score (e.g. 9 instead of 4). Why is > > the score lower when they are processed by MailScanner? Is > > this a bug? > > Not necessarily. I am troubled with the same problem btw. The scoring > depends a lot on your settings and whether or not > MailScanner/SpamAssassin is using the same set of configuration files > than SA alone started by your user. Are you using Exim btw? Please post > the SCORES that a suspicious message gets via MS/SA and via spamassassin > -t. I'm using sendmail-8.12.8. Attached is a Spam message, MS.txt is the message that got delivered, SA.txt is the output of "spamassassin -t". 
The only change I've made spam.assassin.prefs.conf is to uncomment skip_rbl_checks 1 Michael > > Regards, > JP -- Michael Keightley Tel: +44 131 220 4491 Systems Manager, Quadstone Limited, Fax: +44 131 220 4492 16 Chester Street, Edinburgh EH3 7RA, Scotland http://www.quadstone.com -------------- next part -------------- >From Yaelijy@private.21cn.com Wed Mar 12 22:59:30 2003 Return-Path: Received: from quadstone.com (postie.quadstone.co.uk [194.80.190.3]) by edinburgh.quadstone.com (8.12.8/8.12.8) with ESMTP id h2CMxQ77011882 for ; Wed, 12 Mar 2003 22:59:30 GMT Received: from sxrqwew (ns.htu.or.jp [61.127.212.66]) by quadstone.com (8.12.8/8.12.8) with SMTP id h2CMxLaJ023684 for ; Wed, 12 Mar 2003 22:59:23 GMT Message-Id: <200303122259.h2CMxLaJ023684@quadstone.com> From: Tracee Scatena Subject: Date: Wed, 12 Mar 2003 17:15:50 -0500 Mime-Version: 1.0 Content-Type: text/html Content-Transfer-Encoding: base64 X-MailScanner: Found to be clean X-MailScanner-SpamScore: ssss Status: RO Content-Length: 410 Lines: 6 -------------- next part -------------- >From Yaelijy@private.21cn.com Wed Mar 12 22:59:30 2003 Received: from localhost [127.0.0.1] by gromit.quadstone.co.uk with SpamAssassin (2.50 1.173-2003-02-20-exp); Thu, 13 Mar 2003 09:38:39 %z From: Tracee Scatena Subject: Date: Wed, 12 Mar 2003 17:15:50 -0500 Message-Id: <200303122259.h2CMxLaJ023684@quadstone.com> X-Spam-Flag: YES X-Spam-Status: Yes, hits=9.1 required=5.0 tests=BASE64_ENC_TEXT,HTML_50_60,HTML_MESSAGE, HTML_TAG_BALANCE_BODY,MIME_HTML_ONLY,MISSING_HEADERS,
MSG_ID_ADDED_BY_MTA_3,RCVD_IN_NJABL,RCVD_IN_OPM, RCVD_IN_OSIRUSOFT_COM,REMOVE_PAGE version=2.50 X-Spam-Level: ********* X-Spam-Checker-Version: SpamAssassin 2.50 1.173-2003-02-20-exp MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="----------=_3E70519F.B453720D" This is a multi-part message in MIME format. ------------=_3E70519F.B453720D Content-Type: text/plain Content-Disposition: inline Content-Transfer-Encoding: 8bit This mail is probably spam. The original message has been attached along with this report, so you can recognize or block similar unwanted mail in future. See http://spamassassin.org/tag/ for more details. Content preview: Hi, hostmaster , URI:http://www.myrussianlover.com/?oc#90 A nice lady wants to correspond with you. URI:http://www.myrussianlover.com/remove/?oc#90 Let me know and I won't write you again. [...] Content analysis details: (9.10 points, 5 required) HTML_50_60 (0.2 points) BODY: Message is 50% to 60% HTML HTML_MESSAGE (0.1 points) BODY: HTML included in message HTML_TAG_BALANCE_BODY (0.6 points) BODY: HTML has unbalanced "body" tags BASE64_ENC_TEXT (1.7 points) RAW: Message text disguised using base-64 encoding REMOVE_PAGE (0.1 points) URI: URL of page called "remove" MSG_ID_ADDED_BY_MTA_3 (0.3 points) 'Message-Id' was added by a relay (3) MISSING_HEADERS (0.1 points) Missing To: header RCVD_IN_NJABL (1.0 points) RBL: Received via a relay in dnsbl.njabl.org [RBL check: found 66.212.127.61.dnsbl.njabl.org.,] [type: 127.0.0.9] RCVD_IN_OSIRUSOFT_COM (0.6 points) RBL: Received via a relay in relays.osirusoft.com [RBL check: found 66.212.127.61.relays.osirusoft.com., type: 127.0.0.9] RCVD_IN_OPM (4.3 points) RBL: Received via a relay in opm.blitzed.org [RBL check: found 66.212.127.61.opm.blitzed.org.,] [type: 127.1.0.16] MIME_HTML_ONLY (0.1 points) Message only has text/html MIME parts The original message did not contain plain text, and may be unsafe to open with some email clients; in particular, it may contain a virus, or 
confirm that your address can receive spam. If you wish to view it, it may be safer to save it to a file and open it with an editor. ------------=_3E70519F.B453720D Content-Type: message/rfc822 Content-Description: original message before SpamAssassin Content-Disposition: attachment Content-Transfer-Encoding: 8bit Return-Path: Received: from quadstone.com (postie.quadstone.co.uk [194.80.190.3]) by edinburgh.quadstone.com (8.12.8/8.12.8) with ESMTP id h2CMxQ77011882 for ; Wed, 12 Mar 2003 22:59:30 GMT Received: from sxrqwew (ns.htu.or.jp [61.127.212.66]) by quadstone.com (8.12.8/8.12.8) with SMTP id h2CMxLaJ023684 for ; Wed, 12 Mar 2003 22:59:23 GMT Message-Id: <200303122259.h2CMxLaJ023684@quadstone.com> From: Tracee Scatena Subject: Date: Wed, 12 Mar 2003 17:15:50 -0500 Mime-Version: 1.0 Content-Type: text/html Content-Transfer-Encoding: base64 X-MailScanner: Found to be clean X-MailScanner-SpamScore: ssss Status: RO Content-Length: 410 Lines: 6 ------------=_3E70519F.B453720D-- This mail is probably spam. The original message has been attached along with this report, so you can recognize or block similar unwanted mail in future. See http://spamassassin.org/tag/ for more details. Content preview: Hi, hostmaster , URI:http://www.myrussianlover.com/?oc#90 A nice lady wants to correspond with you. URI:http://www.myrussianlover.com/remove/?oc#90 Let me know and I won't write you again. [...]
Content analysis details: (9.10 points, 5 required)
HTML_50_60 (0.2 points) BODY: Message is 50% to 60% HTML
HTML_MESSAGE (0.1 points) BODY: HTML included in message
HTML_TAG_BALANCE_BODY (0.6 points) BODY: HTML has unbalanced "body" tags
BASE64_ENC_TEXT (1.7 points) RAW: Message text disguised using base-64 encoding
REMOVE_PAGE (0.1 points) URI: URL of page called "remove"
MSG_ID_ADDED_BY_MTA_3 (0.3 points) 'Message-Id' was added by a relay (3)
MISSING_HEADERS (0.1 points) Missing To: header
RCVD_IN_NJABL (1.0 points) RBL: Received via a relay in dnsbl.njabl.org
    [RBL check: found 66.212.127.61.dnsbl.njabl.org.,]
    [type: 127.0.0.9]
RCVD_IN_OSIRUSOFT_COM (0.6 points) RBL: Received via a relay in relays.osirusoft.com
    [RBL check: found 66.212.127.61.relays.osirusoft.com., type: 127.0.0.9]
RCVD_IN_OPM (4.3 points) RBL: Received via a relay in opm.blitzed.org
    [RBL check: found 66.212.127.61.opm.blitzed.org.,]
    [type: 127.1.0.16]
MIME_HTML_ONLY (0.1 points) Message only has text/html MIME parts

From Jan-Peter.Koopmann at SECEIDOS.DE Thu Mar 13 10:41:37 2003
From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann)
Date: Thu Jan 12 21:17:29 2006
Subject: Some Spam still not being marked as Spam
Message-ID: <4E7026FF8A422749B1553FE508E0068007EF6C@message.intern.akctech.de>

> Attached is a Spam message, MS.txt is the message that got
> delivered, SA.txt is the output of "spamassassin -t".
> The only change I've made spam.assassin.prefs.conf is to uncomment
> skip_rbl_checks 1

Well unfortunately you configured your MailScanner to only have the X-MailScanner-spam header in it, when spam is detected. So in this example I cannot see what rules were triggered with the MailScanner/SpamAssassin combination. You might want to change this and rerun the test.

Your spamassassin -t used RBL checks and triggered three of them with a total of 5.9 points.
When you say skip_rbl_checks 1 in your spam.assassin.prefs.conf file then MS/SA are not running those tests and the 5.9 points should be missing. That's most probably the explanation.

Regards,
  JP

From dbird at SGHMS.AC.UK Thu Mar 13 13:00:42 2003
From: dbird at SGHMS.AC.UK (Daniel Bird)
Date: Thu Jan 12 21:17:29 2006
Subject: Problems since the new McAfee dat file 4252
References: <5.2.0.9.2.20030313101325.025ac8f8@imap.ecs.soton.ac.uk>
Message-ID: <3E7080FA.1070200@sghms.ac.uk>

Julian Field wrote:

> At 22:49 12/03/2003, you wrote:
>
>> I know I'm running a very old version of mailscanner, 3.14, which may be
>> the problem, but since the new dat file came out, Office XP calendar
>> meeting requests are being reported as Exploit-CTCalendar and then the
>> scanner crashes and reports the virus again, 50-60 times a minute until I
>> delete the message from the incoming folder. Is there anything I can do,
>> short of upgrading to a new version, to fix this problem?
>
>
> What happens when you run mcafee on the files by hand? Can you mail me the
> exact output please, and I'll find out what new versions do with it.

We had some problems earlier this week (on Solaris and Linux) with McAfee updates. It was cured by downloading the latest version of the Virus Engine (rather than just the dat.)

Regards
Dan

> --
> Julian Field
> www.MailScanner.info
> Professional Support Services at www.MailScanner.biz
> MailScanner thanks transtec Computers for their support
>

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From cleveland at MAIL.WINNEFOX.ORG Thu Mar 13 13:29:30 2003
From: cleveland at MAIL.WINNEFOX.ORG (Jody Cleveland)
Date: Thu Jan 12 21:17:29 2006
Subject: MailScanner/ f-prot not catching all viruses
Message-ID: <3561.199.242.176.181.1047562170.squirrel@email.winnefox.org>

Hello,

I'm running MailScanner with f-prot on redhat 8 using sendmail.
I've been noticing that it's not catching Sobig and Yaha viruses. Any ideas why? -- Jody Cleveland (cleveland@winnefox.org) From simon at ADVANTAGE-INTERACTIVE.COM Thu Mar 13 13:24:10 2003 From: simon at ADVANTAGE-INTERACTIVE.COM (Simon Dick) Date: Thu Jan 12 21:17:29 2006 Subject: MailScanner/ f-prot not catching all viruses In-Reply-To: <3561.199.242.176.181.1047562170.squirrel@email.winnefox.org> References: <3561.199.242.176.181.1047562170.squirrel@email.winnefox.org> Message-ID: <1047561850.1925.6.camel@devbox> On Thu, 2003-03-13 at 13:29, Jody Cleveland wrote: > Hello, > > I'm running MailScanner with f-prot on redhat 8 using sendmail. I've been > noticing that it's not catching Sobig and Yaha viruses. Any ideas why? I had some Yaha viruses get through recently, but it turned out that they actually bypassed our mx records and went direct to the server which handles the mail after being scanned, my assumption is that that was our old mx record before using mailscanner so it may have a very old cached copy somehow. -- Simon Dick simon@advantage-interactive.com From Jan-Peter.Koopmann at SECEIDOS.DE Thu Mar 13 13:37:24 2003 From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann) Date: Thu Jan 12 21:17:29 2006 Subject: MailScanner/ f-prot not catching all viruses Message-ID: <4E7026FF8A422749B1553FE508E0068007EF73@message.intern.akctech.de> > I had some Yaha viruses get through recently, but it turned > out that they actually bypassed our mx records and went > direct to the server which handles the mail after being > scanned, my assumption is that that was our old mx record > before using mailscanner so it may have a very old cached > copy somehow. You have a server out there accepting mail without some sort of protection in front of it? You are relying on MX records only? What about port scans on your network and finding the machine? Would be quite easy to do. If I were you I would think about this setup really quick... 
:-) Otherwise you might as well get rid of MailScanner in the first place *g* Regards, JP From simon at ADVANTAGE-INTERACTIVE.COM Thu Mar 13 13:47:15 2003 From: simon at ADVANTAGE-INTERACTIVE.COM (Simon Dick) Date: Thu Jan 12 21:17:29 2006 Subject: MailScanner/ f-prot not catching all viruses In-Reply-To: <4E7026FF8A422749B1553FE508E0068007EF73@message.intern.akctech.de> References: <4E7026FF8A422749B1553FE508E0068007EF73@message.intern.akctech.de> Message-ID: <1047563235.2263.9.camel@devbox> On Thu, 2003-03-13 at 13:37, Jan-Peter Koopmann wrote: > > I had some Yaha viruses get through recently, but it turned > > out that they actually bypassed our mx records and went > > direct to the server which handles the mail after being > > scanned, my assumption is that that was our old mx record > > before using mailscanner so it may have a very old cached > > copy somehow. > > You have a server out there accepting mail without some sort of > protection in front of it? You are relying on MX records only? What > about port scans on your network and finding the machine? Would be quite > easy to do. If I were you I would think about this setup really quick... > :-) Otherwise you might as well get rid of MailScanner in the first > place *g* Long story, I should really check that, but the current exim config is "interesting" and not trivial to change like that until I have enough time :) -- Simon Dick simon@advantage-interactive.com From raymond at PROLOCATION.NET Thu Mar 13 13:48:22 2003 From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:17:29 2006 Subject: MailScanner/ f-prot not catching all viruses In-Reply-To: <1047563235.2263.9.camel@devbox> Message-ID: Hi! > > You have a server out there accepting mail without some sort of > > protection in front of it? You are relying on MX records only? What > > about port scans on your network and finding the machine? Would be quite > > easy to do. If I were you I would think about this setup really quick... 
> > :-) Otherwise you might as well get rid of MailScanner in the first
> > place *g*
>
> Long story, I should really check that, but the current exim config is
> "interesting" and not trivial to change like that until I have enough
> time :)

Best is to simply block access and only allow your mailserver to drop
mail on it, from the outside world.

Bye,
Raymond.

From Cleveland at MAIL.WINNEFOX.ORG Thu Mar 13 14:04:31 2003
From: Cleveland at MAIL.WINNEFOX.ORG (Jody Cleveland)
Date: Thu Jan 12 21:17:29 2006
Subject: SpamAssassin via rpm in redhat 8?
Message-ID: <84CFA712F666B44A94CE6BE116BAF4B0B4E49A@MAIL>

Hello,

I'm wanting to install SpamAssassin to work with MailScanner. Has anyone had any luck installing using the RPM with Redhat 8, sendmail, and MailScanner?

--
Jody Cleveland
(cleveland@winnefox.org)
Winnefox Library System
Computer Support Specialist

From andrewh at CQG.COM Thu Mar 13 14:07:39 2003
From: andrewh at CQG.COM (Andrew Hoying)
Date: Thu Jan 12 21:17:29 2006
Subject: Problems since the new McAfee dat file 4252
References: <5.2.0.9.2.20030313101325.025ac8f8@imap.ecs.soton.ac.uk>
Message-ID: <001d01c2e969$e85e3080$0300000a@andrew>

Here is a copy of the file h2DAmR5G020453.vir :

Return-Path:
Received: from xx ([xx]) by xx(8.12.8/8.12.8) with ESMTP id h2DAmR5G020453 for ; Thu, 13 Mar 2003 03:48:28 -0700
Full-Name: Yuriy Toropin
From: xx
To: xx
Subject: Meeting with representative from Vested Development Inc.
Date: Thu, 13 Mar 2003 13:52:30 +0300
Message-ID: <00b401c2e94e$a61aa480$d4e7a8c0@mxpyuriy>
MIME-Version: 1.0
Content-Type: text/calendar; method=REQUEST;
        charset="utf-8"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook, Build 10.0.4024
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
Importance: Normal


Here is the output from uvscan:

# uvscan --recursive --ignore-links --analyze --secure --noboot
h2DAmR5G020453.vir
/root/h2DAmR5G020453.vir
        Found trojan or variant Exploit-CTCalendar !!!
        Please send a copy of the file to Network Associates


----- Original Message -----
From: "Julian Field"
To:
Sent: Thursday, March 13, 2003 3:14 AM
Subject: Re: Problems since the new McAfee dat file 4252


> At 22:49 12/03/2003, you wrote:
> >I know I'm running a very old version of mailscanner, 3.14, which may be
> >the problem, but since the new dat file came out, Office XP calendar
> >meeting requests are being reported as Exploit-CTCalendar and then the
> >scanner crashes and reports the virus again, 50-60 times a minute until I
> >delete the message from the incoming folder. Is there anything I can do,
> >short of upgrading to a new version, to fix this problem?
>
> What happens when you run mcafee on the files by hand? Can you mail me the
> exact output please, and I'll find out what new versions do with it.
> --
> Julian Field
> www.MailScanner.info
> Professional Support Services at www.MailScanner.biz
> MailScanner thanks transtec Computers for their support
>

From simon at ADVANTAGE-INTERACTIVE.COM Thu Mar 13 14:26:43 2003
From: simon at ADVANTAGE-INTERACTIVE.COM (Simon Dick)
Date: Thu Jan 12 21:17:29 2006
Subject: MailScanner/ f-prot not catching all viruses
In-Reply-To:
References:
Message-ID: <1047565603.1925.12.camel@devbox>

On Thu, 2003-03-13 at 13:48, Raymond Dijkxhoorn wrote:
> Hi!
>
> > > You have a server out there accepting mail without some sort of
> > > protection in front of it?
> > > You are relying on MX records only? What
> > > about port scans on your network and finding the machine? Would be quite
> > > easy to do. If I were you I would think about this setup really quick...
> > > :-) Otherwise you might as well get rid of MailScanner in the first
> > > place *g*
> >
> > Long story, I should really check that, but the current exim config is
> > "interesting" and not trivial to change like that until I have enough
> > time :)
>
> Best is to simply block access and only allow your mailserver to drop
> mail on it, from the outside world.

As we use the server for other mail related things too that's not
possible, however this has kickstarted me into adding an acl rule to
only allow email for certain domains in from the scanner server, thanks
;)

--
Simon Dick
simon@advantage-interactive.com

From Denis.Beauchemin at USHERBROOKE.CA Thu Mar 13 14:28:58 2003
From: Denis.Beauchemin at USHERBROOKE.CA (Denis Beauchemin)
Date: Thu Jan 12 21:17:29 2006
Subject: Problems since the new McAfee dat file 4252
In-Reply-To: <8A6DFB0865502242A29E25BDAEFBB945533679@d2sexchtest.cqg.com>
References: <8A6DFB0865502242A29E25BDAEFBB945533679@d2sexchtest.cqg.com>
Message-ID: <1047565738.30611.37.camel@dbeauchemin.si.usherbrooke.ca>

I have seen only 1 occurrence of this message so far but the file was
not quarantined and it didn't cause any MS problem.

Denis

On Wed 12/03/2003 at 17:49, Andrew M. Hoying wrote:
> I know I'm running a very old version of mailscanner, 3.14, which may
> be the problem, but since the new dat file came out, Office XP
> calendar meeting requests are being reported as Exploit-CTCalendar and
> then the scanner crashes and reports the virus again, 50-60 times a
> minute until I delete the message from the incoming folder. Is there
> anything I can do, short of upgrading to a new version, to fix this
> problem?
>
> Andrew Hoying

--
Denis Beauchemin, analyst
Université de Sherbrooke, S.T.I.
T: 819.821.8000x2252 F: 819.821.8045

From mailscanner at ecs.soton.ac.uk Thu Mar 13 15:04:29 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:29 2006
Subject: Problems since the new McAfee dat file 4252
In-Reply-To: <001d01c2e969$e85e3080$0300000a@andrew>
References: <5.2.0.9.2.20030313101325.025ac8f8@imap.ecs.soton.ac.uk>
Message-ID: <5.2.0.9.2.20030313150239.029259f0@imap.ecs.soton.ac.uk>

If you look in sweep.pl you should find a function ProcessMcAfeeOutput.
Comment out your current version (don't just delete it, you might need it
again!).
Add this version:

sub ProcessMcAfeeOutput {
  my($line, $infections, $types, $BaseDir) = @_;

  my($lastline, $report, $dot, $id, $part, @rest);
  my($logout);

  chomp $line;
  $lastline = $currentline;
  $currentline = $line;

  # SEP: need to add code to log warnings
  return 0 unless $line =~ /Found/;

  # McAfee prints the whole path as opposed to
  # ./messages/part so make it the same
  $lastline =~ s/$BaseDir//;

  # make an equivalent report line from the last 2
  $report = "$lastline$currentline";
  $logout = $report;
  $logout =~ s/%/%%/g;
  #MailScanner::Log::InfoLog($logout);

  # note: '$dot' does not become '.'
  ($dot, $id, $part, @rest) = split(/\//, $lastline);
  $infections->{"$id"}{"$part"} .= $report . "\n";
  $types->{"$id"}{"$part"} .= "v";
  return 1;
}

I have commented out the "Log" line as that won't work in version 3. If you
look through your original version in sweep.pl you will soon see what that
line needs to be.

At 14:07 13/03/2003, you wrote:
>Here is a copy of the file h2DAmR5G020453.vir :
>
>Return-Path:
>Received: from xx ([xx])
>        by xx(8.12.8/8.12.8) with ESMTP id h2DAmR5G020453
>        for ; Thu, 13 Mar 2003 03:48:28 -0700
>Full-Name: Yuriy Toropin
>From: xx
>To: xx
>Subject: Meeting with representative from Vested Development Inc.
>Date: Thu, 13 Mar 2003 13:52:30 +0300
>Message-ID: <00b401c2e94e$a61aa480$d4e7a8c0@mxpyuriy>
>MIME-Version: 1.0
>Content-Type: text/calendar; method=REQUEST;
>        charset="utf-8"
>Content-Transfer-Encoding: 7bit
>X-Priority: 3 (Normal)
>X-MSMail-Priority: Normal
>X-Mailer: Microsoft Outlook, Build 10.0.4024
>X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
>Importance: Normal
>
>
>Here is the output from uvscan:
>
># uvscan --recursive --ignore-links --analyze --secure --noboot
>h2DAmR5G020453.vir
>/root/h2DAmR5G020453.vir
>        Found trojan or variant Exploit-CTCalendar !!!
>        Please send a copy of the file to Network Associates
>
>
>----- Original Message -----
>From: "Julian Field"
>To:
>Sent: Thursday, March 13, 2003 3:14 AM
>Subject: Re: Problems since the new McAfee dat file 4252
>
>
> > At 22:49 12/03/2003, you wrote:
> > >I know I'm running a very old version of mailscanner, 3.14, which may be
> > >the problem, but since the new dat file came out, Office XP calendar
> > >meeting requests are being reported as Exploit-CTCalendar and then the
> > >scanner crashes and reports the virus again, 50-60 times a minute until I
> > >delete the message from the incoming folder. Is there anything I can do,
> > >short of upgrading to a new version, to fix this problem?
> >
> > What happens when you run mcafee on the files by hand? Can you mail me the
> > exact output please, and I'll find out what new versions do with it.
> > --
> > Julian Field
> > www.MailScanner.info
> > Professional Support Services at www.MailScanner.biz
> > MailScanner thanks transtec Computers for their support
> >

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From dot at DOTAT.AT Thu Mar 13 15:36:09 2003
From: dot at DOTAT.AT (Tony Finch)
Date: Thu Jan 12 21:17:29 2006
Subject: FreeBSD mcafee-autoupdate
In-Reply-To:
Message-ID:

Jan-Peter Koopmann wrote:
>
>the mcafee-autoupdate script in lib uses /bin/tar. Under FreeBSD this is
>in /usr/bin/tar.
>The script starts and downloads the update file but
>does not untar it. Unfortunately this does NOT give you an error and
>everything seems to run fine. Please either change this or include a
>note in INSTALL.FreeBSD.

The script I use is as follows. It keeps track of the datfile versions
that have been installed by storing them in /usr/local/lib/uvscan/NNNN
with symlinks from /usr/local/lib/uvscan into the current version. It
checks which upstream version is available, and if it is already
installed it exits quietly (which makes it nice for running from cron).
Otherwise it downloads the new version (using wget since that is more
universally available than FreeBSD's fetch utility), checks that it works,
then activates it. (In this case it is noisy, so when run from cron you
will get an email telling you about the datfile update.) It will not splat
an existing setup if the new datfile is corrupt.

It uses sh -e to avoid failures propagating and becoming serious, and it
relies on a sane PATH setting. It doesn't use locking, but assumes that
updating four symlinks will be fast enough that the race won't matter. I
also don't use a wrapper script since it's unnecessary if uvscan is
installed where McAfee expect it to be.

#!/bin/sh -e
#
# Update the McAfee data files.
#
# $Cambridge: hermes/build/bin/uvscan-update,v 1.10 2003/02/04 04:52:21 fanf2 Exp $

LIBDIR=/usr/local/lib/uvscan
FTPDIR=ftp://ftp.csx.cam.ac.uk/pub/software/antivirus/datfiles/4.x
#FTPDIR=ftp://ftpeur.nai.com/pub/antivirus/datfiles/4.x

# work out latest dat version
SED='/^DATVersion=\([0-9]*\).*$/!d;s//\1/;q'
VERSION=`wget -q -O- $FTPDIR/update.ini | sed -e "$SED"`
DATDIR=$LIBDIR/$VERSION
FILE=dat-$VERSION.tar

# already got it?
if [ -d $DATDIR ]
then
    case $1 in
    -v) echo Already have $VERSION
    esac
    exit
fi

echo Latest dat file is $VERSION

run() {
    echo ">" "$@"
    "$@"
}

# fetch and extract dat files
run mkdir -p $DATDIR
run cd $DATDIR
run wget --progress=dot:mega $FTPDIR/$FILE
run tar xvf $FILE

# verify the contents
fail () {
    echo "$OUT"
    echo Test run failed -- removing bad McAfee data files
    run rm -rf $DATDIR
    exit 1
}
trap fail EXIT
# The redirection goes inside the backquotes: a 2>&1 stored in $CMD
# would be passed to uvscan as a literal argument.
CMD="uvscan --dat $DATDIR --version"
echo '> OUT=`'$CMD' 2>&1`'
OUT=`$CMD 2>&1`
case "$OUT" in
*"Missing or invalid DAT"* | \
*"Data file not found"* | \
*"Removal datafile clean.dat not found"* | \
*"Unable to remove viruses"* )
    fail
    ;;
esac
trap EXIT
echo "$OUT"
echo Update OK

# change the current dat file links
run cd $LIBDIR
run ln -sf $VERSION/*.dat .

# remove some crap
run cd $DATDIR
run rm -f *.exe *.tar *.txt

# done

Tony.
--
f.a.n.finch http://dotat.at/
CROMARTY FORTH TYNE: VARIABLE 3 BECOMING SOUTH OR SOUTHEAST 3 OR 4. FAIR. GOOD
OCCASIONALLY MODERATE.

From jaearick at COLBY.EDU Thu Mar 13 15:48:03 2003
From: jaearick at COLBY.EDU (Jeff A. Earickson)
Date: Thu Jan 12 21:17:29 2006
Subject: "Found invalid qf" message running amok
Message-ID:

Julian,

Every once in a while our mail server gets malformed spam that causes
a blizzard of "Batch: Found invalid qf queue file" messages in my syslog.
This message comes from line 329 of lib/MailScanner/Sendmail.pm (version
4.13-3). I can send you the qf files if you want to look at them, but
the messages are always from well-known spam sites with uuencoded
message bodies. They have IP numbers of 0.0.0.0 in the qf files, which
probably triggers the syslog message.

I have to yank the miscreants out of mqueue.in to restore order.
Can't MailScanner just note the problem in syslog once, then either
nuke the qf/df files in mqueue.in, or maybe move them to /tmp?

--- Jeff A. Earickson

From Jan-Peter.Koopmann at SECEIDOS.DE Thu Mar 13 15:58:35 2003
From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann)
Date: Thu Jan 12 21:17:29 2006
Subject: FreeBSD mcafee-autoupdate
Message-ID: <4E7026FF8A422749B1553FE508E0068007EF77@message.intern.akctech.de>

> The script I use is as follows.

Geeee. Thanks Tony. I will try to implement this next week!

Regards,
  JP

From andersan at LTKALMAR.SE Thu Mar 13 16:04:15 2003
From: andersan at LTKALMAR.SE (Anders Andersson, IT)
Date: Thu Jan 12 21:17:29 2006
Subject: SV: SpamAssassin via rpm in redhat 8?
Message-ID: <9F18B7DDBA88E544AB1F199514891666014631@lkl63.ltkalmar.se>

It works fine.... but I would recommend you to add spamassassin from the
cd installation to get all the necessary perl thingys. Download the upgrade
from SA pages 2.43 and you will find it working nicely.
Still haven't upgraded to SA 2.5 since there has been some performance
problem so I'm waiting until they fix that.

/Anders

-----Original Message-----
From: Jody Cleveland [mailto:Cleveland@MAIL.WINNEFOX.ORG]
Sent: 13 March 2003 15:05
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: SpamAssassin via rpm in redhat 8?

Hello,

I'm wanting to install SpamAssassin to work with MailScanner. Has anyone had
any luck installing using the RPM with Redhat 8, sendmail, and MailScanner?

--
Jody Cleveland
(cleveland@winnefox.org)

Winnefox Library System
Computer Support Specialist

From andrewh at CQG.COM Thu Mar 13 16:04:36 2003
From: andrewh at CQG.COM (Andrew M. Hoying)
Date: Thu Jan 12 21:17:29 2006
Subject: Problems since the new McAfee dat file 4252
Message-ID: <8A6DFB0865502242A29E25BDAEFBB94553367C@d2sexchtest.cqg.com>

I updated to the latest uvscan version, Virus Scan for Linux v4.24.0 as
was suggested, but scanning the file below still returns the same virus
found. I don't know if MailScanner will break again yet, I'll let you
know what I find.

Thanks.

> -----Original Message-----
> From: Andrew M. Hoying
> Sent: Thursday, March 13, 2003 7:08 AM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: Problems since the new McAfee dat file 4252
>
>
> Here is a copy of the file h2DAmR5G020453.vir :
>
> Return-Path:
> Received: from xx ([xx])
>         by xx(8.12.8/8.12.8) with ESMTP id h2DAmR5G020453
>         for ; Thu, 13 Mar 2003 03:48:28 -0700
> Full-Name: Yuriy Toropin
> From: xx
> To: xx
> Subject: Meeting with representative from Vested Development Inc.
> Date: Thu, 13 Mar 2003 13:52:30 +0300
> Message-ID: <00b401c2e94e$a61aa480$d4e7a8c0@mxpyuriy>
> MIME-Version: 1.0
> Content-Type: text/calendar; method=REQUEST;
>         charset="utf-8"
> Content-Transfer-Encoding: 7bit
> X-Priority: 3 (Normal)
> X-MSMail-Priority: Normal
> X-Mailer: Microsoft Outlook, Build 10.0.4024
> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
> Importance: Normal
>
>
> Here is the output from uvscan:
>
> # uvscan --recursive --ignore-links --analyze --secure --noboot
> h2DAmR5G020453.vir
> /root/h2DAmR5G020453.vir
>         Found trojan or variant Exploit-CTCalendar !!!
>         Please send a copy of the file to Network Associates
>
>
> ----- Original Message -----
> From: "Julian Field"
> To:
> Sent: Thursday, March 13, 2003 3:14 AM
> Subject: Re: Problems since the new McAfee dat file 4252
>
>
> > At 22:49 12/03/2003, you wrote:
> > >I know I'm running a very old version of mailscanner,
> 3.14, which may be
> > >the problem, but since the new dat file came out, Office
> XP calendar
> > >meeting requests are being reported as Exploit-CTCalendar
> and then the
> > >scanner crashes and reports the virus again, 50-60 times a
> minute until I
> > >delete the message from the incoming folder. Is there
> anything I can do,
> > >short of upgrading to a new version, to fix this problem?
> >
> > What happens when you run mcafee on the files by hand? Can
> you mail me the
> > exact output please, and I'll find out what new versions do with it.
> > --
> > Julian Field
> > www.MailScanner.info
> > Professional Support Services at www.MailScanner.biz
> > MailScanner thanks transtec Computers for their support
> >
>

From andrewh at CQG.COM Thu Mar 13 16:08:18 2003
From: andrewh at CQG.COM (Andrew M. Hoying)
Date: Thu Jan 12 21:17:29 2006
Subject: Problems since the new McAfee dat file 4252
Message-ID: <8A6DFB0865502242A29E25BDAEFBB94553367D@d2sexchtest.cqg.com>

It still happens, this is the error that is outputted to stderr:

/bin/cat: /var/spool/MailScanner/incoming/h2DG5gXl011855.vir.header: No such file or directory
/bin/cat: /var/spool/mqueue.in/dfh2DG5gXl011855.vir: No such file or directory

> -----Original Message-----
> From: Andrew M. Hoying
> Sent: Thursday, March 13, 2003 9:05 AM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: Problems since the new McAfee dat file 4252
>
>
> I updated to the latest uvscan version, Virus Scan for Linux
> v4.24.0 as
> was suggested, but scanning the file below still returns the
> same virus
> found. I don't know if MailScanner will break again yet, I'll let you
> know what I find.
>
> Thanks.
>
> > -----Original Message-----
> > From: Andrew M. Hoying
> > Sent: Thursday, March 13, 2003 7:08 AM
> > To: MAILSCANNER@JISCMAIL.AC.UK
> > Subject: Re: Problems since the new McAfee dat file 4252
> >
> >
> > Here is a copy of the file h2DAmR5G020453.vir :
> >
> > Return-Path:
> > Received: from xx ([xx])
> >         by xx(8.12.8/8.12.8) with ESMTP id h2DAmR5G020453
> >         for ; Thu, 13 Mar 2003 03:48:28 -0700
> > Full-Name: Yuriy Toropin
> > From: xx
> > To: xx
> > Subject: Meeting with representative from Vested Development Inc.
> > Date: Thu, 13 Mar 2003 13:52:30 +0300
> > Message-ID: <00b401c2e94e$a61aa480$d4e7a8c0@mxpyuriy>
> > MIME-Version: 1.0
> > Content-Type: text/calendar; method=REQUEST;
> >         charset="utf-8"
> > Content-Transfer-Encoding: 7bit
> > X-Priority: 3 (Normal)
> > X-MSMail-Priority: Normal
> > X-Mailer: Microsoft Outlook, Build 10.0.4024
> > X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
> > Importance: Normal
> >
> >
> > Here is the output from uvscan:
> >
> > # uvscan --recursive --ignore-links --analyze --secure --noboot
> > h2DAmR5G020453.vir
> > /root/h2DAmR5G020453.vir
> >         Found trojan or variant Exploit-CTCalendar !!!
> >         Please send a copy of the file to Network Associates
> >
> >
> > ----- Original Message -----
> > From: "Julian Field"
> > To:
> > Sent: Thursday, March 13, 2003 3:14 AM
> > Subject: Re: Problems since the new McAfee dat file 4252
> >
> >
> > > At 22:49 12/03/2003, you wrote:
> > > >I know I'm running a very old version of mailscanner,
> > 3.14, which may be
> > > >the problem, but since the new dat file came out, Office
> > XP calendar
> > > >meeting requests are being reported as Exploit-CTCalendar
> > and then the
> > > >scanner crashes and reports the virus again, 50-60 times a
> > minute until I
> > > >delete the message from the incoming folder. Is there
> > anything I can do,
> > > >short of upgrading to a new version, to fix this problem?
> > >
> > > What happens when you run mcafee on the files by hand? Can
> > you mail me the
> > > exact output please, and I'll find out what new versions
> do with it.
> > > --
> > > Julian Field
> > > www.MailScanner.info
> > > Professional Support Services at www.MailScanner.biz
> > > MailScanner thanks transtec Computers for their support
> > >
> >
>

From vic at vicsfamily.net Thu Mar 13 16:14:37 2003
From: vic at vicsfamily.net (Victor Cain)
Date: Thu Jan 12 21:17:29 2006
Subject: Kmail and Netscape Mail with Mailscanner
Message-ID: <200303131114.37023.vic@vicsfamily.net>

I am running mailscanner 3.27, spamassassin 2.43, fetchmail 5.9.11, exim 3.36
and using Kmail to read mail on a Debian Sarge system, thanks to many e-mails
from Julian. It is working fine, as long as the Debian incompatibilities
don't get too bad, however I would also like to read mail with Netscape Mail
as an alternative to Kmail. Netscape Mail can send mail the same way as
Kmail, just sending to "localhost" but Netscape Mail doesn't read the mail.
Kmail just reads from "localhost" but when I try that with Netscape, nothing
happens. Mailx, which is also on the system, does read it, but not Netscape.
Do I need for MailScanner to send it to a different place? Any help would be
appreciated.

The attachment is what I did, for my own records.

TIA,

--
Victor R. Cain
(865)435-5084 Fax:(865)435-9709
E: vic@vicsfamily.net
Web: www.vicsfamily.net
------------ Quote of the Hour ------------
The cost of living hasn't affected its popularity.
-------------- next part --------------
Steps to installation of MailScanner, Tnef, SpamAssassin, Fetchmail using Exim

Operating System: Debian Linux "sarge" (testing)
MTA: exim
Mail Reader: kmail

I  INSTALL PACKAGES

%%-> apt-get install f-prot-installer

(This will tell you where to go to download the actual installation files and
where to store them on your hard drive. It then does the install.)

%%-> apt-get install tnef mailscanner spamassassin fetchmail fetchmailconf

On my system this installed:

    mailscanner    3.27.1-1
    spamassassin   2.43-1
    tnef           1.1.1-0.1
    fetchmail      5.9.11-7
    fetchmailconf  5.9.11-7
    exim           3.36-3 (previously installed)

II  CHANGE EXIM TO RUN AS DAEMON

Exim was changed to run as a daemon by commenting out the following line
in /etc/inetd.conf

# smtp stream tcp nowait mail /usr/sbin/exim exim -bs

III  CREATE SPOOL DIRECTORIES AND EXIM CONFIG FILES

At this point, I followed the instructions in
http:///www.sng.ecs.soton.ac.uk/mailscanner/install/exim.shtml
along with almost identical instructions in file:
/usr/share/doc/mailscanner/README.exim
provided with the mailscanner package. Briefly, do this:

- create a spool for the incoming queue:

    mkdir -p /var/spool/exim_incoming
    mkdir -p /var/spool/exim_incoming/db
    mkdir -p /var/spool/exim_incoming/input
    mkdir -p /var/spool/exim_incoming/msglog
    chown -R mail.mail /var/spool/exim_incoming
    chmod -R 750 /var/spool/exim_incoming

- modify the exim configuration:

    cp -p /etc/exim/exim.conf /etc/exim/exim_original.conf
    cp -p /etc/exim/exim.conf /etc/exim/exim_outgoing.conf
    mv /etc/exim/exim.conf /etc/exim/exim_incoming.conf
    ln -sf exim_incoming.conf /etc/exim/exim.conf

IV  MODIFY /ETC/EXIM/EXIM_INCOMING.CONF

The upshot of the modifications to /etc/exim/exim_incoming.conf:

%%-> diff /etc/exim/exim_original.conf /etc/exim/exim_incoming.conf
27a28,32 > # mailscanner config > spool_directory = /var/spool/exim_incoming > queue_only = true > > 298a304,309 > #mailscanner config -- this added at the _top_ of the directors configuration > defer_director: > driver = smartuser > new_address = :defer: All deliveries are deferred > verify = false > 372a384,391 > #mailscanner config -- this added at the _top_ of the routers configuration > defer_router: > driver = domainlist > self = defer > route_list = "* 127.0.0.1 byname" > verify = false

Note that lines 304-309 (defer_director) must be the first entry in the "Director's
Configuration" in the file, and lines 384-391 (defer_router) must be the first
entry in the "Router's Configuration" in the file.

V  MODIFY /ETC/EXIM/EXIM_OUTGOING.CONF

The comparable changes in /etc/exim/exim_outgoing.conf:

%%-> diff /etc/exim/exim_original.conf /etc/exim/exim_outgoing.conf
27a28,32 > > # mailscanner configuration > log_file_path = syslog : /var/log/exim_outgoing/%slog > > 281a287,288 > hosts = smtp.comcast.net > hosts_override = true

The two statements at lines 287-288 follow the "driver = smtp" line in the
"remote_smtp" transport. Obviously if you are not a Comcast customer, use
your ISP's mail server in place of "smtp.comcast.net". (This change was found
necessary to keep several SPAM filters from tagging all of my outgoing
e-mails as spam. Why, I don't really understand.)

VI  CREATE NEW EXIM START/STOP SCRIPT

%%-> cp /usr/share/doc/mailscanner/exim/exim-init.d /etc/init.d/exim

Note that there may be some problems with this script. It uses
"start-stop-daemon" to start and stop _two_ daemons and I am not convinced
that that program can really do that, but it does start the two daemons
needed with the "/etc/init.d/exim start" command, as long as there are not
previous versions running. Otherwise, who knows?

VII  DELETE EXIM CRON.D SCRIPT

Comment out all executables in /etc/cron.d/exim (or delete the file).

VIII  CREATE NEW EXIM CRON.DAILY SCRIPT

%%-> cp /usr/share/doc/mailscanner/exim/exim-cron.daily /etc/cron.daily/exim
%%-> chmod a+x /etc/cron.daily/exim

I also uncommented the if loop that generates daily e-mail activity reports
(just for the fun of it -- not much point if you're not really running a mail
server).

IX  F-PROT

Make sure $FProtRoot in /etc/mailscanner/autoupdate/f-prot is set correctly.

%%-> grep "FProtRoot " /etc/mailscanner/autoupdate/f-prot
$FProtRoot = "/usr/lib/f-prot";

%%-> cat /usr/bin/f-prot
#!/bin/sh
#
# This is a shell script to invoke the F-Prot OnDemand Scanner for Linux.
#
exec /usr/lib/f-prot/f-prot ${@+"$@"}

MAKE SURE the directories /usr/lib/f-prot and /var/lib/f-prot are owned by
"mail.mail".

F-PROT UPDATE from /etc/cron.d/f-prot (NOTE: this is modified from the
original)

%%-> cat /etc/cron.d/f-prot
# /etc/cron.d/f-prot
27 4 * * * mail if [ -x /etc/mailscanner/autoupdate/f-prot ]; \
    then /etc/mailscanner/autoupdate/f-prot -cron; fi

F-PROT Wrapper (without comments):

%%-> nocomment /etc/mailscanner/wrapper/f-protwrapper
PackageDir=/usr/lib/f-prot # This may vary depending on your OS
Scanner=f-prot
ScanOptions=""
exec ${PackageDir}/$Scanner $ScanOptions "$@"

X  CHANGE TO /ETC/DEFAULT/MAILSCANNER

run_mailscanner=1

XI  MODIFY /ETC/MAILSCANNER/MAILSCANNER.CONF

The only changes from the Debian default file were:

    Virus scanner = f-prot
    Sweep = /etc/mailscanner/wrapper/f-protwrapper
    Local Postmaster = postmaster@vicsfamily.net
    Log Spam = yes

These are some of the more important settings:

    Run As User = mail
    Run As Group = mail
    Host name = Monarch2
    Incoming Work Dir = /var/spool/mailscanner/incoming
    Quarantine Dir = /var/spool/mailscanner/quarantine
    Pid File = /var/run/mailscanner/mailscanner.pid
    Filename Rules = /etc/mailscanner/filename.rules.conf
    Log Permitted Filenames = no
    Hide Incoming Work Dir = yes
    Incoming Queue Dir = /var/spool/exim_incoming/input
    Outgoing Queue Dir = /var/spool/exim/input
    MTA = exim
    Sendmail = /usr/sbin/exim
    Sendmail2 = /usr/sbin/exim -C /etc/exim/exim_outgoing.conf
    Log Facility = mail
    Virus Scanning = yes
    Virus Scanner = f-prot
    Sweep = /etc/mailscanner/wrapper/f-protwrapper
    Virus Scanner Timeout = 300
    Expand TNEF = yes
    TNEF Expander = /usr/bin/tnef --maxsize=100000000
    TNEF Timeout = 120
    Notify Local Postmaster = yes
    Postmaster Gets Full Headers = no
    Local Postmaster = postmaster@vicsfamily.net
    Local Domains = /etc/mailscanner/localdomains.conf
    Spam Checks = yes
    Spam Header = X-MailScanner-SpamCheck:
    Spam Modify Subject = yes
    Spam Subject Text = {SPAM?}
    Spam Action = deliver
    Log Spam = yes
    Use SpamAssassin = yes
    Max SpamAssassin Size = 50000
    SpamAssassin Timeout = 15
    Max SpamAssassin Timeouts = 10
    SpamAssassin Prefs File = /etc/mailscanner/spam.assassin.prefs.conf
    SpamAssassin Auto Whitelist = yes
    Compile SpamAssassin Once = yes
    Always Include SpamAssassin Report = yes
    Spam List = ORDB-RBL, relays.ordb.org.
    Spam List Timeout = 5
    Max Spam List Timeouts = 7
    Delivery Method = batch
    Lock File Dir = /tmp
    Deliver Unparsable TNEF = no
    Deliver In Background = yes
    Minimum Code Status = supported

XII  SUGGESTED CHANGE TO /ETC/MAILSCANNER/SPAM.ASSASSIN.PREFS.CONF

Required_hits = 9    ### Not done yet

XIII  KMAIL CONFIGURATION

NOTE: Kmail does not communicate directly with the ISP's mail server

Incoming (Receiving)
    POP
    Host: localhost
    Port: 110
    Dest Fldr: inbox

Outgoing (Sending)
    SMTP
    Host: localhost
    Port: 25

XIV  NETSCAPE MAIL CONFIGURATION

I don't have the slightest idea how to get Netscape Mail to read the incoming
mail. I did succeed in getting the outgoing mail working by just changing the
ISP mail server (smtp.comcast.net) with "localhost", leaving everything else
alone. IF ANYONE KNOWS HOW TO DO THIS, PLEASE LET ME KNOW!

XV  FETCHMAIL

Run fetchmailconf (not as root)

%%-> cd
%%-> /usr/bin/fetchmailconf
%%-> su -c "cp .fetchmailrc /etc/fetchmailrc"
%%-> su -c "chown fetchmail.nogroup /etc/fetchmailrc"

This is my copy of /etc/fetchmailrc, with 'u's for the user name and 'p's for
the password, if you just want to copy it. This one checks the ISP for mail
every ten minutes.

# Configuration created Wed Mar 5 15:59:51 2003 by fetchmailconf
set postmaster "vic"
set bouncemail
set no spambounce
set properties ""
set daemon 600
poll pop3.comcast.net with proto POP3
    user 'uuuuuu' there with password 'pppppp' is 'vic' here options fetchall

XVI  CREATE OUTGOING LOG DIRECTORY

%%-> cd /var/log
%%-> mkdir exim_outgoing
%%-> chown mail.adm exim_outgoing
%%-> chmod --reference=exim exim_outgoing

XVII  START EVERYTHING UP

I'm not sure just what you should do -- it all seems to start up if you reboot.
I assume that there is some proper sequence of commands like:

    /etc/init.d/mailscanner restart
    /etc/init.d/exim restart
    /etc/init.d/fetchmail restart

From email at ace.net.au Thu Mar 13 16:33:58 2003
From: email at ace.net.au (Peter Nitschke)
Date: Thu Jan 12 21:17:29 2006
Subject: Wildcards
In-Reply-To: <5.2.0.9.2.20030312210113.02725ef8@imap.ecs.soton.ac.uk>
References: <5.2.0.9.2.20030312210113.02725ef8@imap.ecs.soton.ac.uk>
Message-ID: <200303140303580314.0715D4A7@smtp1.ace.net.au>

Having the problem of spam being sent "from" one of my domains, so getting
back huge numbers of bounces.

That domain doesn't have any numbers in the user names, but all the spam
bounce messages do.

Is it possible to block mail to addresses with numbers, eg some rules like:

*1*@domain.com
*2*@domain.com
etc

I would prefer to block at the sendmail level if possible.

Peter

From andrewh at CQG.COM Wed Mar 12 22:49:32 2003
From: andrewh at CQG.COM (Andrew M. Hoying)
Date: Thu Jan 12 21:17:29 2006
Subject: Problems since the new McAfee dat file 4252
Message-ID: <8A6DFB0865502242A29E25BDAEFBB945533679@d2sexchtest.cqg.com>

I know I'm running a very old version of mailscanner, 3.14, which may be
the problem, but since the new dat file came out, Office XP calendar
meeting requests are being reported as Exploit-CTCalendar and then the
scanner crashes and reports the virus again, 50-60 times a minute until I
delete the message from the incoming folder. Is there anything I can do,
short of upgrading to a new version, to fix this problem?

Andrew Hoying

From mike at TECHINTER.COM Thu Mar 13 18:22:56 2003
From: mike at TECHINTER.COM (Mike Williams)
Date: Thu Jan 12 21:17:29 2006
Subject: Per User Blacklist and white lists
In-Reply-To: <5.2.0.9.2.20030312200952.025e7890@imap.ecs.soton.ac.uk>
Message-ID:

Ok, that didn't do anything either but when I add $message->{ishigh} = 1; to
the CustomConfig.pm in the lines you gave me it triggers the high score.
Only problem I noticed with this is when To: contains multiple recipients
and when CC: contains recipients. It will allow that message to go through.
I suspect because the other addresses are not on the in the spam checking
and it somehow resets to a not scanned message.

Mike

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On
Behalf Of Julian Field
Sent: Wednesday, March 12, 2003 2:19 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Per User Blacklist and white lists


At 19:47 12/03/2003, you wrote:
>Works like a charm. Thanks.

Great. It will be in the next release.

> BTW quick question is there a way to assign a
>spam score to blacklisted addresses so that it will activate the high score
>rule?

Not currently, no. But try this:
1) In the blacklisting lookup code, change the code to say this:

sub ByDomainSpamBlacklist {
  my($message) = @_;
  my($value);

  $value = LookupByDomainList($message, \%Blacklist);
  $message->{sascore} = 10 if $value;
  return $value;
}
(if you want blacklisting to score 10)

Then edit Message.pm and change line 370 from
    $this->{sascore} = $sascore; # Save the actual figure for use later...
to
    $this->{sascore} += $sascore; # Save the actual figure for use later...

Give this a try and let me know how you get on.

>-----Original Message-----
>From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On
>Behalf Of Julian Field
>Sent: Wednesday, March 12, 2003 12:19 PM
>To: MAILSCANNER@JISCMAIL.AC.UK
>Subject: Re: Per User Blacklist and white lists
>
>
>Looks like I never wrote the code to do the per-user lists, only per-domain
>lists.
>
>Try editing CustomConfig.pm and making "LookupByDomainList" look like this:
>
>sub LookupByDomainList {
>  my($message, $BlackWhite) = @_;
>
>  return 0 unless $message; # Sanity check the input
>
>  # Find the "from" address and the first "to" address
>  my($from, $fromdomain, @todomain, $todomain, @to, $to, $ip);
>  $from = $message->{from};
>  $fromdomain = $message->{fromdomain};
>  @todomain = @{$message->{todomain}};
>  $todomain = $todomain[0];
>  @to = @{$message->{to}};
>  $to = $to[0];
>  $ip = $message->{clientip};
>
>  # It is in the list if either the exact address is listed,
>  # or the domain is listed
>  return 1 if $BlackWhite->{$to}{$from};
>  return 1 if $BlackWhite->{$to}{$fromdomain};
>  return 1 if $BlackWhite->{$to}{$ip};
>  return 1 if $BlackWhite->{$todomain}{$from};
>  return 1 if $BlackWhite->{$todomain}{$fromdomain};
>  return 1 if $BlackWhite->{$todomain}{$ip};
>
>  # It is not in the list
>  return 0;
>}
>
>Please give this a try and let me know if it works, so I can include the
>code in the next release (due very shortly to fix long filename checking
>bug in 4.13).
>
>At 17:48 12/03/2003, you wrote:
> >Ok, I enabled the bydomainblacklist and bydomainwhitelist in the
> >MailScanner.conf with
> >
> >Is Definitely Not Spam = &ByDomainSpamWhitelist
> >Is Definitely Spam = &ByDomainSpamBlacklist
> >
> >The directories are set to /etc/MailScanner/rules/whitelist and
> >/etc/MailScanner/rules/blacklist. I have a file in blacklist folder named
> >user@domain.com (actual file name is different but same format). In the
> >file user@domain.com I have listed several blacklist items, one is an email
> >account that I have on aol.com.
The aol email address doesn't appear in >any > >whitelist. However, when I send email to user@domain.com from the AOL > >account that is on the blacklist it goes through without even being marked > >as spam. There are no errors when starting mailscanner and in the logs is > >says that it read blacklist for 1 domain. I must be missing something but >I > >haven't a clue. > > > >Mike > >-----Original Message----- > >From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > >Behalf Of Julian Field > >Sent: Tuesday, March 11, 2003 2:24 PM > >To: MAILSCANNER@JISCMAIL.AC.UK > >Subject: Re: Per User Blacklist and white lists > > > > > >At 19:50 11/03/2003, you wrote: > > >Julian, > > > > > >Thanks for the info. I'm looking at the code and the example is for > > >bydomain. I'm not sure but it looks like I can have the white and black > > >list by either domain.com or by user@domain.com. > > > >Yes you can. You can even give it IP addresses if I remember rightly. > > > > > The reason I am asking is > > >that each user will need to be able to specify their own black and white > > >list. This makes it possible that one user would wish to block email >from > >a > > >user@spam.com and another user to whitelist or not block a >user@spam.com. > > >So if I use a filename of user1@domain.com and user2@domain.com does this > >in > > >fact make the whitelist and blacklist unique for each user even if they >are > > >in the same domain? > > > > > >Mike > > > > > >-----Original Message----- > > >From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > > >Behalf Of Julian Field > > >Sent: Tuesday, March 11, 2003 12:44 PM > > >To: MAILSCANNER@JISCMAIL.AC.UK > > >Subject: Re: Per User Blacklist and white lists > > > > > > > > >Take a look in the CustomConfig.pm file in recent distributions. This > > >feature is an example of what you can do with "Custom Functions". 
You >will > > >probably need to change the directories it reads the black/whitelists >from, > > >but otherwise it will just work. The code briefly explains what should go > > >in the various config files. > > > > > >At 18:35 11/03/2003, you wrote: > > > >Is it possible to have a per user blacklist and whitelist? Example in > >the > > > >whitelist file: > > > > > > > >To: user-1@domain.com > > >/etc/MailScanner/rules/whitelist/user-1-domain.com > > > >To: user-2@domain.com > > >/etc/MailScanner/rules/whitelist/user-2-domain.com > > > >FromTo: Default no > > > > > > > > > > > >user-1-domain.com > > > > > > > >From: friend@domain.com yes > > > >From: friend1@domain.com yes > > > >From: default no > > > > > > > >and so on? > > > > > > > >Mike > > > > > >-- > > >Julian Field > > >www.MailScanner.info > > >Professional Support Services at www.MailScanner.biz > > >MailScanner thanks transtec Computers for their support > > > >-- > >Julian Field > >www.MailScanner.info > >Professional Support Services at www.MailScanner.biz > >MailScanner thanks transtec Computers for their support > >-- >Julian Field >www.MailScanner.info >Professional Support Services at www.MailScanner.biz >MailScanner thanks transtec Computers for their support -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support This footnote also confirms that this email message has been swept by MIMEsweeper for the presence of computer viruses ************************************************************************** ********* From mailscanner at LISTS.COM.AR Thu Mar 13 18:15:47 2003 From: mailscanner at LISTS.COM.AR (Mariano Absatz) Date: Thu Jan 12 21:17:29 2006 Subject: "Found invalid qf" message running amok In-Reply-To: Message-ID: <3E70A0A3.24984.8B9C667A@localhost> Hi Jeff, this message _did_ come in thru sendmail? 
I just looked at the code and the reason for that error is that one or more of these 3 conditions are true:

1) the qf lacks a "S" line (sender)
2) the qf lacks a "R" line (recipient)
3) the qf lacks a "$_" line which should have the originating address in it in a format [NNN.NNN.NNN.NNN] or "someone@localhost".

Anyway, if the "$_" line IS in there, MailScanner won't fail there.

On 13 Mar 2003 at 10:48, Jeff A. Earickson wrote:

> Julian,
>
> Every once in a while our mail server gets malformed spam that
> causes a blizzard of "Batch: Found invalid qf queue file" messages
> in my syslog. This message comes from line 329 of
> lib/MailScanner/Sendmail.pm (version 4.13-3). I can send you the
> qf files if you want to look at them, but the messages are always
> from well-known spam sites with uuencoded message bodies. They have
> IP numbers of 0.0.0.0 in the qf files, which probably triggers the
> syslog message. I have to yank the miscreants out of mqueue.in to
> restore order.
>
> Can't MailScanner just note the problem in syslog once, then either
> nuke the qf/df files in mqueue.in, or maybe move them to /tmp?
>
> --- Jeff A. Earickson

--
Mariano Absatz
El Baby
----------------------------------------------------------
Hello, I must be going.
-- Groucho Marx

From mailscanner at ecs.soton.ac.uk Thu Mar 13 19:02:26 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:29 2006
Subject: Wildcards
In-Reply-To: <200303140303580314.0715D4A7@smtp1.ace.net.au>
References: <5.2.0.9.2.20030312210113.02725ef8@imap.ecs.soton.ac.uk> <5.2.0.9.2.20030312210113.02725ef8@imap.ecs.soton.ac.uk>
Message-ID: <5.2.0.9.2.20030313190023.0204b008@imap.ecs.soton.ac.uk>

At 16:33 13/03/2003, you wrote:
>Having the problem of spam being sent "from" one of my domains, so getting
>back huge numbers of bounces.
>
>That domain doesn't have any numbers in the user names, but all the spam
>bounce messages do.
>
>Is it possible to block mail to addresses with numbers, eg some rules like:
>
>*1*@domain.com
>*2*@domain.com
>etc
>
>I would prefer to block at the sendmail level if possible.

This is an MTA problem, not a MailScanner one.
As an example of blocking a pattern, I use this:

KIsEcsList2 regex -a@MATCH ^.*-all(-[0-9])?$

SLocal_check_rcpt
R$* <@ *LOCAL* > $* $: $(IsEcsList2 $1 $) <@ *LOCAL* > $2 ECS list?

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Thu Mar 13 20:17:21 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:29 2006
Subject: Beta test please
Message-ID: <5.2.0.9.2.20030313200314.02721ea0@imap.ecs.soton.ac.uk>

Before I publish this to the world, can you test these for me please?

http://www.sng.ecs.soton.ac.uk/mailscanner/files/4/tar/MailScanner-4.14-3.tar
http://www.sng.ecs.soton.ac.uk/mailscanner/files/4/rpm/MailScanner-4.14-3.rpm.tar
http://www.sng.ecs.soton.ac.uk/mailscanner/files/4/suse/MailScanner-4.14-3.suse.tar

Hopefully this is okay now, but let me know...
Only the mailscanner*rpm has changed, the other RPM's are as before.

The ChangeLog says this:

* New Features and Improvements *
- Improved OpenBSD installation and upgrading instructions.
- Added check of location of all required system commands.
- Improved wording of message to spam senders.
- Increased max size of messages sent to SpamAssassin. Spam messages are getting bigger.

* Fixes *
- Fixed important bug in filename checking code causing it not to check long filenames properly.
- Changed setuid/setgid code so taint mode is not switched on.
- Fixed various other issues kindly brought to my attention by Tony Finch at Cambridge Univ.
- Fixed problem with deleting recipients from messages with Exim.
- Fixed problem with headers being passed to SpamAssassin from Exim incorrectly.

Thanks folks!
-- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support From mike at ZANKER.ORG Thu Mar 13 21:14:25 2003 From: mike at ZANKER.ORG (Mike Zanker) Date: Thu Jan 12 21:17:29 2006 Subject: Beta test please In-Reply-To: <5.2.0.9.2.20030313200314.02721ea0@imap.ecs.soton.ac.uk> References: <5.2.0.9.2.20030313200314.02721ea0@imap.ecs.soton.ac.uk> Message-ID: <220707593.1047590065@jemima.zanker.org> On 13 March 2003 20:17 +0000 Julian Field wrote: > Before I publish this to the world, can you test these for me please? Been meaning to mention this for a while but keep forgetting. Any particular reason for the install process starting MailScanner when installing from rpm? Could this not cause problems if MailScanner.conf hasn't been edited yet? Thanks, Mike. From JeremyE at BSA.CA.GOV Thu Mar 13 22:19:10 2003 From: JeremyE at BSA.CA.GOV (Jeremy Evans) Date: Thu Jan 12 21:17:29 2006 Subject: Beta test please Message-ID: <2739ECF7268CD0118F50080009DCC9F00235D2F7@pebble.bsa.ca.gov> After running the upgrade_MailScanner_conf program I noticed that the Archive Mail setting was removed, and the Information Header section was added a second time. Here are the diffs between the new version (created by upgrade_MailScanner_conf) and the old MailScanner.conf: 426a427,434 > Information Header = X-MailScanner-Information: > > # Add this extra header to all mail as it is processed. > # The contents is set by "Information Header Value" and is intended for > # you to be able to insert a help URL for your users. > # If you don't want an information header at all, just comment out this > # setting or set it to be blank. > # This can also be the filename of a ruleset. 599,612d606 < < # < # Mail Archiving and Monitoring < # ----------------------------- < # < < # Space-separated list of email address and directory names where you want < # a copy of all mail to be forwarded or stored. 
< # < # If you give this option a ruleset, you can control exactly whose mail < # is archived or forwarded. If you do this, beware of the legal implications < # as this could be deemed to be illegal interception unless the police have < # asked you to do this. < Archive Mail = /opt/MailScanner/etc/rules/archive.rules Here are the relevant parts of the diffs between the new file created by upgrade_MailScanner_conf and the 4.14-3 default MailScanner.conf: 427a429,436 > # Add this extra header to all mail as it is processed. > # The contents is set by "Information Header Value" and is intended for > # you to be able to insert a help URL for your users. > # If you don't want an information header at all, just comment out this > # setting or set it to be blank. > # This can also be the filename of a ruleset. > #Information Header = X-MailScanner-Information: > 600,613d608 < # Mail Archiving and Monitoring < # ----------------------------- < # < < # Space-separated list of email address and directory names where you want < # a copy of all mail to be forwarded or stored. < # < # If you give this option a ruleset, you can control exactly whose mail < # is archived or forwarded. If you do this, beware of the legal implications < # as this could be deemed to be illegal interception unless the police have < # asked you to do this. < #Archive Mail = /var/spool/MailScanner/archive < < # Here is the output from upgrade_MailScanner_conf: Added new: Information Header = X-MailScanner-Information: Removed old: Archive Mail = /opt/MailScanner/etc/rules/archive.rules Summary ------- Read 125 settings from old /opt/MailScanner/etc/MailScanner.conf Used 124 settings from old /opt/MailScanner/etc/MailScanner.conf Used 1 default settings from new ./MailScanner.conf2 Notes ----- I would advise you to check on any parameters which are different between the default new conf file and the conf file you just created, so that you find any parameters whose default values have changed. 
If you ran this with a command like this
    upgrade_MailScanner_conf MailScanner.conf MailScanner.conf.rpmnew > MailScanner.conf.new
then you should do
    diff MailScanner.conf.rpmnew MailScanner.conf.new
and check for any differences in values you have not changed yourself.

Once you have checked that MailScanner.new contains what you want, you can then save your old one and move the new one into place, using commands like these:
    mv -f MailScanner.conf MailScanner.old
    mv -f MailScanner.new MailScanner.conf

Did I make a mistake somewhere, or is there something wrong with the script? It's obviously pretty trivial to fix the problems manually, but it'd be nice to know if I made a mistake or if there is an error in the script.

Thanks.

Sincerely,

Jeremy Evans
Information Systems Analyst
California State Auditor
916-445-0255 phone
916-322-7801 fax

-----Original Message-----
From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK]
Sent: Thursday, March 13, 2003 12:17 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Beta test please

Before I publish this to the world, can you test these for me please?

http://www.sng.ecs.soton.ac.uk/mailscanner/files/4/tar/MailScanner-4.14-3.tar
http://www.sng.ecs.soton.ac.uk/mailscanner/files/4/rpm/MailScanner-4.14-3.rpm.tar
http://www.sng.ecs.soton.ac.uk/mailscanner/files/4/suse/MailScanner-4.14-3.suse.tar

Hopefully this is okay now, but let me know...
Only the mailscanner*rpm has changed, the other RPM's are as before.

The ChangeLog says this:

* New Features and Improvements *
- Improved OpenBSD installation and upgrading instructions.
- Added check of location of all required system commands.
- Improved wording of message to spam senders.
- Increased max size of messages sent to SpamAssassin. Spam messages are getting bigger.

* Fixes *
- Fixed important bug in filename checking code causing it not to check long filenames properly.
- Changed setuid/setgid code so taint mode is not switched on.
- Fixed various other issues kindly brought to my attention by Tony Finch at Cambridge Univ.
- Fixed problem with deleting recipients from messages with Exim.
- Fixed problem with headers being passed to SpamAssassin from Exim incorrectly.

Thanks folks!
--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Thu Mar 13 22:19:10 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:29 2006
Subject: Beta test please
In-Reply-To: <220707593.1047590065@jemima.zanker.org>
References: <5.2.0.9.2.20030313200314.02721ea0@imap.ecs.soton.ac.uk> <5.2.0.9.2.20030313200314.02721ea0@imap.ecs.soton.ac.uk>
Message-ID: <5.2.0.9.2.20030313221320.02cf0d00@imap.ecs.soton.ac.uk>

At 21:14 13/03/2003, you wrote:
>On 13 March 2003 20:17 +0000 Julian Field wrote:
>
>>Before I publish this to the world, can you test these for me please?
>
>Been meaning to mention this for a while but keep forgetting. Any
>particular reason for the install process starting MailScanner when
>installing from rpm? Could this not cause problems if MailScanner.conf
>hasn't been edited yet?

It does a restart when it has been upgraded. If I totally stop it, then I end up cutting off the SMTP service as well, which I don't want to do. It's a bit of an awkward problem.

As the new config file will have been put in as .rpmnew, it will just be running with default values for the new parameters. All your old settings will still be used. On the whole my default values are chosen to be "sensible" and not do anything stupid with your mail.
-- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Thu Mar 13 22:35:40 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:29 2006 Subject: Beta test please In-Reply-To: <2739ECF7268CD0118F50080009DCC9F00235D2F7@pebble.bsa.ca.gov > Message-ID: <5.2.0.9.2.20030313223035.02f23e58@imap.ecs.soton.ac.uk> At 22:19 13/03/2003, you wrote: >After running the upgrade_MailScanner_conf program I noticed that the >Archive Mail setting was removed, and the Information Header section was >added a second time. Here are the diffs between the new version (created by >upgrade_MailScanner_conf) and the old MailScanner.conf: > >426a427,434 > > Information Header = X-MailScanner-Information: > > > > # Add this extra header to all mail as it is processed. > > # The contents is set by "Information Header Value" and is intended for > > # you to be able to insert a help URL for your users. > > # If you don't want an information header at all, just comment out this > > # setting or set it to be blank. > > # This can also be the filename of a ruleset. >599,612d606 >< >< # >< # Mail Archiving and Monitoring >< # ----------------------------- >< # >< >< # Space-separated list of email address and directory names where you want >< # a copy of all mail to be forwarded or stored. >< # >< # If you give this option a ruleset, you can control exactly whose mail >< # is archived or forwarded. If you do this, beware of the legal >implications >< # as this could be deemed to be illegal interception unless the police >have >< # asked you to do this. >< Archive Mail = /opt/MailScanner/etc/rules/archive.rules > >Here are the relevant parts of the diffs between the new file created by >upgrade_MailScanner_conf and the 4.14-3 default MailScanner.conf: > >427a429,436 > > # Add this extra header to all mail as it is processed. 
> > # The contents is set by "Information Header Value" and is intended for > > # you to be able to insert a help URL for your users. > > # If you don't want an information header at all, just comment out this > > # setting or set it to be blank. > > # This can also be the filename of a ruleset. > > #Information Header = X-MailScanner-Information: > > >600,613d608 >< # Mail Archiving and Monitoring >< # ----------------------------- >< # >< >< # Space-separated list of email address and directory names where you want >< # a copy of all mail to be forwarded or stored. >< # >< # If you give this option a ruleset, you can control exactly whose mail >< # is archived or forwarded. If you do this, beware of the legal >implications >< # as this could be deemed to be illegal interception unless the police >have >< # asked you to do this. >< #Archive Mail = /var/spool/MailScanner/archive >< >< # > > >Here is the output from upgrade_MailScanner_conf: > >Added new: Information Header = X-MailScanner-Information: >Removed old: Archive Mail = /opt/MailScanner/etc/rules/archive.rules It is commented out in the supplied .conf file, with the result that the upgrade script thinks it has been removed as it can't find it. I wanted the upgrade script to work with any version upgrade, with the result that it doesn't do 100% of the job for you. It does tell you where to look though, and hopefully you will be able to fix up the remains by hand. The only other option was to make it read the syntax structure of the new conf file from ConfigDefs.pl, which would have made the script enormously more complicated. And as for working with any version, that would be almost impossible. So I went for the "works 98% of the time with any upgrade" version than the "works 100% of the time in exactly the right situation" version. 
-- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support From JeremyE at BSA.CA.GOV Thu Mar 13 22:48:54 2003 From: JeremyE at BSA.CA.GOV (Jeremy Evans) Date: Thu Jan 12 21:17:29 2006 Subject: Beta test please Message-ID: <2739ECF7268CD0118F50080009DCC9F00235D2F8@pebble.bsa.ca.gov> Thanks for the quick response as always. Starting now, I'm leaving the Information Header setting blank instead of commenting it out, so that I won't have a problem with it next time. I'm not sure if I understand what went wrong with the Archive Mail setting. It wasn't commented out in the supplied file (though it is commented out in the default file, as are other settings such as Lock Type and Allowed Sophos Error Messages). Maybe you should change the Archive Mail setting to blank or "no" instead of or in addition to having it commented out (same for the other settings that are commented out by default). Would that fix the problem with Archive Mail? I'm guessing I didn't have a problem with those other settings because they were commented out in both the default and the supplied files. -----Original Message----- From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] Sent: Thursday, March 13, 2003 2:36 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Beta test please At 22:19 13/03/2003, you wrote: >After running the upgrade_MailScanner_conf program I noticed that the >Archive Mail setting was removed, and the Information Header section was >added a second time. Here are the diffs between the new version (created by >upgrade_MailScanner_conf) and the old MailScanner.conf: > >426a427,434 > > Information Header = X-MailScanner-Information: > > > > # Add this extra header to all mail as it is processed. > > # The contents is set by "Information Header Value" and is intended for > > # you to be able to insert a help URL for your users. 
> > # If you don't want an information header at all, just comment out this > > # setting or set it to be blank. > > # This can also be the filename of a ruleset. >599,612d606 >< >< # >< # Mail Archiving and Monitoring >< # ----------------------------- >< # >< >< # Space-separated list of email address and directory names where you want >< # a copy of all mail to be forwarded or stored. >< # >< # If you give this option a ruleset, you can control exactly whose mail >< # is archived or forwarded. If you do this, beware of the legal >implications >< # as this could be deemed to be illegal interception unless the police >have >< # asked you to do this. >< Archive Mail = /opt/MailScanner/etc/rules/archive.rules > >Here are the relevant parts of the diffs between the new file created by >upgrade_MailScanner_conf and the 4.14-3 default MailScanner.conf: > >427a429,436 > > # Add this extra header to all mail as it is processed. > > # The contents is set by "Information Header Value" and is intended for > > # you to be able to insert a help URL for your users. > > # If you don't want an information header at all, just comment out this > > # setting or set it to be blank. > > # This can also be the filename of a ruleset. > > #Information Header = X-MailScanner-Information: > > >600,613d608 >< # Mail Archiving and Monitoring >< # ----------------------------- >< # >< >< # Space-separated list of email address and directory names where you want >< # a copy of all mail to be forwarded or stored. >< # >< # If you give this option a ruleset, you can control exactly whose mail >< # is archived or forwarded. If you do this, beware of the legal >implications >< # as this could be deemed to be illegal interception unless the police >have >< # asked you to do this. 
>< #Archive Mail = /var/spool/MailScanner/archive >< >< # > > >Here is the output from upgrade_MailScanner_conf: > >Added new: Information Header = X-MailScanner-Information: >Removed old: Archive Mail = /opt/MailScanner/etc/rules/archive.rules It is commented out in the supplied .conf file, with the result that the upgrade script thinks it has been removed as it can't find it. I wanted the upgrade script to work with any version upgrade, with the result that it doesn't do 100% of the job for you. It does tell you where to look though, and hopefully you will be able to fix up the remains by hand. The only other option was to make it read the syntax structure of the new conf file from ConfigDefs.pl, which would have made the script enormously more complicated. And as for working with any version, that would be almost impossible. So I went for the "works 98% of the time with any upgrade" version than the "works 100% of the time in exactly the right situation" version. -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support From jrudd at UCSC.EDU Thu Mar 13 22:47:12 2003 From: jrudd at UCSC.EDU (John Rudd) Date: Thu Jan 12 21:17:29 2006 Subject: MailScanner and Communigate Pro Message-ID: <200303132247.h2DMlCT00523@kzin.ucsc.edu> For anyone who is interested, I've got a preliminary set of wrapper scripts set up for using Communigate Pro with MailScanner. The way they work is that Communigate Pro has an "Execute" rule which invokes my first wrapper. That wrapper creates a sendmail format pair of queue files, and puts them into mailscanner's incoming queue. The rule then discards the message (since mailscanner will change the body and/or subject of the message if it finds various things). 
When mailscanner is done with the message, it invokes my 2nd wrapper script, which converts the message out of sendmail paired queue file format and then sends the message out using Communigate Pro's legacy "sendmail" command. (unfortunately, the legacy sendmail command does not take in queue file messages via the "-qI" method that mailscanner uses)

There are only a very few interdependencies, two of which I'm going to try to eliminate:

1) my wrappers need to be told where your mailscanner queues are (both incoming and outgoing).

2) mailscanner's "Sendmail2" variable needs to be set to my 2nd wrapper script (I do not know how the "Sendmail" variable works, by generating a message via queue files, as with Sendmail2, or generating a message via stdin ... so that's one untested issue so far). Mailscanner keeps the "MTA" variable set to sendmail, so it doesn't really know it's not actually using sendmail.

3) both Communigate Pro and mailscanner have to agree upon the Information header. That's how Communigate Pro knows that the message has been scanned already. I am thinking about having Communigate Pro use a different header that my wrapper scripts will insert into the message, and then Communigate Pro will remove the header in a later rule. The reason I'm thinking about this, is that it makes me nervous that maybe a spammer or virus author could pre-include headers to try to bypass mailscanner. So, if I put in a header that only communigate pro, mailscanner, and my wrapper scripts will ever see, then I'll feel a little better about that.

(the two things I need to resolve are the issue about mailscanner's "Sendmail" variable, and how it generates informational messages, and the thing in item 3)

Otherwise, a little code commenting and clean up, some documentation, and I'll be ready to release this thing for other people to look over.
My two reasons for posting about it now are:

a) can some people who are more mailscanner savvy than I look at what I am asking in item #2 above, and

b) is there anyone in either community who is interested in testing this? once I do those cleanup things, I'd like to let other people look it over and report if they find any problems. if you are interested, mail me back, off of both lists, with the subject "Test MS-CGP Interface" and I'll get back to you (probably next week) when I'm ready to give it out. (once I feel it has been well tested, I'll then make it available for general download)

For those on the Communigate Pro mailing list who may not know what MailScanner is, MailScanner is a program written in perl which manages various tools for checking the contents of your email on a site wide basis. It can be set up with a wide range of virus scanning engines (sophos, mcafee, f-prot, f-secure, clamav, kaspersky, rav, panda, trend), spam assassin, and various RBL services. It then allows you to specify different actions for different results (quarantine messages, delete them without delivery, deliver them with subject and/or header markups, replace viruses with reports about what was found, send reports to the postmaster, and many other options). For more information about MailScanner, see www.mailscanner.info

John Rudd

From mike at ZANKER.ORG Fri Mar 14 06:09:05 2003
From: mike at ZANKER.ORG (Mike Zanker)
Date: Thu Jan 12 21:17:29 2006
Subject: Beta test please
In-Reply-To: <5.2.0.9.2.20030313221320.02cf0d00@imap.ecs.soton.ac.uk>
References: <5.2.0.9.2.20030313200314.02721ea0@imap.ecs.soton.ac.uk> <5.2.0.9.2.20030313200314.02721ea0@imap.ecs.soton.ac.uk> <5.2.0.9.2.20030313221320.02cf0d00@imap.ecs.soton.ac.uk>
Message-ID: <252787921.1047622145@jemima.zanker.org>

On 13 March 2003 22:19 +0000 Julian Field wrote:

> It does a restart when it has been upgraded. If I totally stop it,
> then I end up cutting off the SMTP service as well, which I don't
> want to do. It's a bit of an awkward problem.

OK, I hadn't really thought about it in the context of large sites.

> As the new config file will have been put in as .rpmnew, it will just
> be running with default values for the new parameters. All your old
> settings will still be used. On the whole my default values are
> chosen to be "sensible" and not do anything stupid with your mail.

That's true, so it's not as bad as I thought it would be.

Thanks,

Mike.

From mailscanner at ecs.soton.ac.uk Fri Mar 14 11:18:45 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:29 2006
Subject: Beta test please
In-Reply-To: <2739ECF7268CD0118F50080009DCC9F00235D2F8@pebble.bsa.ca.gov>
Message-ID: <5.2.0.9.2.20030314111326.04158568@imap.ecs.soton.ac.uk>

I've been through the conf file and set values for all the variables, so none are commented out. This should improve things. The values are just blank if they were commented out before. Hopefully upgrade_MailScanner_conf will have an easier time now.

Which distribution are you using? Can I just mail you a new URL to try this out please?

At 22:48 13/03/2003, you wrote:
>Thanks for the quick response as always.
>
>Starting now, I'm leaving the Information Header setting blank instead of
>commenting it out, so that I won't have a problem with it next time.
>
>I'm not sure if I understand what went wrong with the Archive Mail setting.
>It wasn't commented out in the supplied file (though it is commented out in
>the default file, as are other settings such as Lock Type and Allowed Sophos
>Error Messages). Maybe you should change the Archive Mail setting to blank
>or "no" instead of or in addition to having it commented out (same for the
>other settings that are commented out by default). Would that fix the
>problem with Archive Mail? I'm guessing I didn't have a problem with those
>other settings because they were commented out in both the default and the
>supplied files.
> >-----Original Message----- >From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] >Sent: Thursday, March 13, 2003 2:36 PM >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Re: Beta test please > > >At 22:19 13/03/2003, you wrote: > >After running the upgrade_MailScanner_conf program I noticed that the > >Archive Mail setting was removed, and the Information Header section was > >added a second time. Here are the diffs between the new version (created >by > >upgrade_MailScanner_conf) and the old MailScanner.conf: > > > >426a427,434 > > > Information Header = X-MailScanner-Information: > > > > > > # Add this extra header to all mail as it is processed. > > > # The contents is set by "Information Header Value" and is intended for > > > # you to be able to insert a help URL for your users. > > > # If you don't want an information header at all, just comment out this > > > # setting or set it to be blank. > > > # This can also be the filename of a ruleset. > >599,612d606 > >< > >< # > >< # Mail Archiving and Monitoring > >< # ----------------------------- > >< # > >< > >< # Space-separated list of email address and directory names where you >want > >< # a copy of all mail to be forwarded or stored. > >< # > >< # If you give this option a ruleset, you can control exactly whose mail > >< # is archived or forwarded. If you do this, beware of the legal > >implications > >< # as this could be deemed to be illegal interception unless the police > >have > >< # asked you to do this. > >< Archive Mail = /opt/MailScanner/etc/rules/archive.rules > > > >Here are the relevant parts of the diffs between the new file created by > >upgrade_MailScanner_conf and the 4.14-3 default MailScanner.conf: > > > >427a429,436 > > > # Add this extra header to all mail as it is processed. > > > # The contents is set by "Information Header Value" and is intended for > > > # you to be able to insert a help URL for your users. 
> > > # If you don't want an information header at all, just comment out this > > > # setting or set it to be blank. > > > # This can also be the filename of a ruleset. > > > #Information Header = X-MailScanner-Information: > > > > >600,613d608 > >< # Mail Archiving and Monitoring > >< # ----------------------------- > >< # > >< > >< # Space-separated list of email address and directory names where you >want > >< # a copy of all mail to be forwarded or stored. > >< # > >< # If you give this option a ruleset, you can control exactly whose mail > >< # is archived or forwarded. If you do this, beware of the legal > >implications > >< # as this could be deemed to be illegal interception unless the police > >have > >< # asked you to do this. > >< #Archive Mail = /var/spool/MailScanner/archive > >< > >< # > > > > > >Here is the output from upgrade_MailScanner_conf: > > > >Added new: Information Header = X-MailScanner-Information: > >Removed old: Archive Mail = /opt/MailScanner/etc/rules/archive.rules > >It is commented out in the supplied .conf file, with the result that the >upgrade script thinks it has been removed as it can't find it. I wanted the >upgrade script to work with any version upgrade, with the result that it >doesn't do 100% of the job for you. It does tell you where to look though, >and hopefully you will be able to fix up the remains by hand. > >The only other option was to make it read the syntax structure of the new >conf file from ConfigDefs.pl, which would have made the script enormously >more complicated. And as for working with any version, that would be almost >impossible. So I went for the "works 98% of the time with any upgrade" >version than the "works 100% of the time in exactly the right situation" >version. 
>-- >Julian Field >www.MailScanner.info >Professional Support Services at www.MailScanner.biz >MailScanner thanks transtec Computers for their support -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From JeremyE at BSA.CA.GOV Fri Mar 14 15:08:48 2003 From: JeremyE at BSA.CA.GOV (Jeremy Evans) Date: Thu Jan 12 21:17:29 2006 Subject: Beta test please Message-ID: <2739ECF7268CD0118F50080009DCC9F00235D2FA@pebble.bsa.ca.gov> I'm using the tar distribution running on OpenBSD. You can mail me the URL, I'll have time to test it this morning. Thanks for fixing this quickly. -----Original Message----- From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] Sent: Friday, March 14, 2003 3:19 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Beta test please I've been through the conf file and set values for all the variables, so none are commented out. This should improve things. The values are just blank if they were commented out before. Hopefully upgrade_MailScanner_conf will have an easier time now. Which distribution are you using? Can I just mail you a new URL to try this out please? At 22:48 13/03/2003, you wrote: >Thanks for the quick response as always. > >Starting now, I'm leaving the Information Header setting blank instead of >commenting it out, so that I won't have a problem with it next time. > >I'm not sure if I understand what went wrong with the Archive Mail setting. >It wasn't commented out in the supplied file (though it is commented out in >the default file, as are other settings such as Lock Type and Allowed Sophos >Error Messages). Maybe you should change the Archive Mail setting to blank >or "no" instead of or in addition to having it commented out (same for the >other settings that are commented out by default). Would that fix the >problem with Archive Mail? I'm guessing I didn't have a problem with those >other settings because they were commented out in both the default and the >supplied files. 
> >-----Original Message----- >From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] >Sent: Thursday, March 13, 2003 2:36 PM >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Re: Beta test please > > >At 22:19 13/03/2003, you wrote: > >After running the upgrade_MailScanner_conf program I noticed that the > >Archive Mail setting was removed, and the Information Header section was > >added a second time. Here are the diffs between the new version (created >by > >upgrade_MailScanner_conf) and the old MailScanner.conf: > > > >426a427,434 > > > Information Header = X-MailScanner-Information: > > > > > > # Add this extra header to all mail as it is processed. > > > # The contents is set by "Information Header Value" and is intended for > > > # you to be able to insert a help URL for your users. > > > # If you don't want an information header at all, just comment out this > > > # setting or set it to be blank. > > > # This can also be the filename of a ruleset. > >599,612d606 > >< > >< # > >< # Mail Archiving and Monitoring > >< # ----------------------------- > >< # > >< > >< # Space-separated list of email address and directory names where you >want > >< # a copy of all mail to be forwarded or stored. > >< # > >< # If you give this option a ruleset, you can control exactly whose mail > >< # is archived or forwarded. If you do this, beware of the legal > >implications > >< # as this could be deemed to be illegal interception unless the police > >have > >< # asked you to do this. > >< Archive Mail = /opt/MailScanner/etc/rules/archive.rules > > > >Here are the relevant parts of the diffs between the new file created by > >upgrade_MailScanner_conf and the 4.14-3 default MailScanner.conf: > > > >427a429,436 > > > # Add this extra header to all mail as it is processed. > > > # The contents is set by "Information Header Value" and is intended for > > > # you to be able to insert a help URL for your users. 
> > > # If you don't want an information header at all, just comment out this > > > # setting or set it to be blank. > > > # This can also be the filename of a ruleset. > > > #Information Header = X-MailScanner-Information: > > > > >600,613d608 > >< # Mail Archiving and Monitoring > >< # ----------------------------- > >< # > >< > >< # Space-separated list of email address and directory names where you >want > >< # a copy of all mail to be forwarded or stored. > >< # > >< # If you give this option a ruleset, you can control exactly whose mail > >< # is archived or forwarded. If you do this, beware of the legal > >implications > >< # as this could be deemed to be illegal interception unless the police > >have > >< # asked you to do this. > >< #Archive Mail = /var/spool/MailScanner/archive > >< > >< # > > > > > >Here is the output from upgrade_MailScanner_conf: > > > >Added new: Information Header = X-MailScanner-Information: > >Removed old: Archive Mail = /opt/MailScanner/etc/rules/archive.rules > >It is commented out in the supplied .conf file, with the result that the >upgrade script thinks it has been removed as it can't find it. I wanted the >upgrade script to work with any version upgrade, with the result that it >doesn't do 100% of the job for you. It does tell you where to look though, >and hopefully you will be able to fix up the remains by hand. > >The only other option was to make it read the syntax structure of the new >conf file from ConfigDefs.pl, which would have made the script enormously >more complicated. And as for working with any version, that would be almost >impossible. So I went for the "works 98% of the time with any upgrade" >version than the "works 100% of the time in exactly the right situation" >version. 
>--
>Julian Field
>www.MailScanner.info
>Professional Support Services at www.MailScanner.biz
>MailScanner thanks transtec Computers for their support

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From David.While at UCE.AC.UK Fri Mar 14 15:15:11 2003
From: David.While at UCE.AC.UK (David While)
Date: Thu Jan 12 21:17:29 2006
Subject: ANNOUNCE: mailstats.pl V0.17
Message-ID:

For those people who use my script to analyse the mail log file you will find a new version which has the following additions:

It can now report which spam traps have been triggered eg the RBLs so you get a report showing spamassassin, osirusoft.com etc and how many spam each of them has detected.

I have also separated the configuration values into a separate file so that future upgrades of the software are easier to install - you shouldn't have to change your configuration file.

I have also changed the code which scans the log file to make it substantially quicker.

The report also includes the current number of mail messages in the mail queue.

You can view the output at http://www.boys-brigade.org.uk/mrtg/

You can download as usual from http://staff.cie.uce.ac.uk/~dwhile/mailstats/

-----------------------------------------------------------------
David While
Technical Development Manager
Faculty of Computing, Information & English
University of Central England
Tel: 0121 331 6211

From mbowman at UDCOM.COM Fri Mar 14 15:26:17 2003
From: mbowman at UDCOM.COM (Matthew Bowman)
Date: Thu Jan 12 21:17:29 2006
Subject: Virus Notifications
Message-ID:

Is it possible to have multiple users who can receive virus notifications produced by mailscanner aside from postmaster, sender and recipient?

That is if viruses were sent to @abc.com I would want notifications to goto postmaster (me) the sender, the recipient and george@abc.com (who could be their IT contact)

Or is it a case of RTFM :) ?

Thanks

Matthew

From richard.siddall at ELIRION.NET Fri Mar 14 15:45:54 2003
From: richard.siddall at ELIRION.NET (Richard Siddall)
Date: Thu Jan 12 21:17:29 2006
Subject: Stupid luser
In-Reply-To: <5.2.0.9.2.20030312210113.02725ef8@imap.ecs.soton.ac.uk>
References: <5.2.0.9.2.20030312210113.02725ef8@imap.ecs.soton.ac.uk>
Message-ID: <3E71F932.5040507@elirion.net>

Julian Field wrote:
> Just had this from someone whose mail got stopped by MailScanner.
> [snip]
> Oh, the reason for these outbursts? They were sent a "sender warning" from
> an old version of MailScanner which was replying to a copy of Klez. That's
> my best guess anyway, they weren't exactly clear.

Poor Julian!

It might help if you provided a page to explain to the luser how to find out who really sent the e-mail and followed the lead of the SpamAssassin site by having in big, bold letters at the top of www.mailscanner.info, the message "If you were sent here because you received an e-mail message from MailScanner, please go to this page."

You've got better things to do than waste your time on these in-duh-viduals.

Regards,

Richard Siddall

From mbowman at UDCOM.COM Fri Mar 14 16:25:42 2003
From: mbowman at UDCOM.COM (Matthew Bowman)
Date: Thu Jan 12 21:17:29 2006
Subject: Virus Notifications
Message-ID:

Thanks. Could you add this to the rules/EXAMPLES file in the next release?

Julian Field
Sent by: MailScanner mailing list
03/14/2003 11:09 AM
Please respond to MailScanner mailing list

To: MAILSCANNER@JISCMAIL.AC.UK
cc:
Subject: Re: Virus Notifications

At 15:26 14/03/2003, you wrote:
>Is it possible to have multiple users who can receive virus notifications
>produced by mailscanner aside from postmaster, sender and recipient?
>
>That is if viruses were sent to @abc.com I would want notifications to
>goto postmaster (me) the sender, the recipient and
>george@abc.com (who could be their IT contact)
>
>Or is it a case of RTFM :) ?

Afraid so.

You can list multiple recipients for the postmaster notifications. What you then do is set the address using a ruleset, so that, for example

Notices To = /etc/MailScanner/rules/notices.to.rules

then in that file put

To: @abc.com postmaster@me.com george@abc.com
To: @def.com postmaster@me.com bill@def.com
FromOrTo: default postmaster@me.com

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Fri Mar 14 16:09:05 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:29 2006
Subject: Virus Notifications
In-Reply-To:
Message-ID: <5.2.0.9.2.20030314160700.02fcdec0@imap.ecs.soton.ac.uk>

At 15:26 14/03/2003, you wrote:
>Is it possible to have multiple users who can receive virus notifications
>produced by mailscanner aside from postmaster, sender and recipient?
>
>That is if viruses were sent to @abc.com I would want notifications to
>goto postmaster (me) the sender, the recipient and
>george@abc.com (who could be their IT contact)
>
>Or is it a case of RTFM :) ?

Afraid so.

You can list multiple recipients for the postmaster notifications. What you then do is set the address using a ruleset, so that, for example

Notices To = /etc/MailScanner/rules/notices.to.rules

then in that file put

To: @abc.com postmaster@me.com george@abc.com
To: @def.com postmaster@me.com bill@def.com
FromOrTo: default postmaster@me.com

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Fri Mar 14 16:51:59 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:29 2006
Subject: Virus Notifications
In-Reply-To:
Message-ID: <5.2.0.9.2.20030314165154.03c3a3f8@imap.ecs.soton.ac.uk>

Sure thing.

At 16:25 14/03/2003, you wrote:
>Thanks. Could you add this to the rules/EXAMPLES file in the next release?
>
>Julian Field
>Sent by: MailScanner mailing list
>03/14/2003 11:09 AM
>Please respond to MailScanner mailing list
>
> To: MAILSCANNER@JISCMAIL.AC.UK
> cc:
> Subject: Re: Virus Notifications
>
>At 15:26 14/03/2003, you wrote:
> >Is it possible to have multiple users who can receive virus notifications
> >produced by mailscanner aside from postmaster, sender and recipient?
> >
> >That is if viruses were sent to @abc.com I would want notifications to
> >goto postmaster (me) the sender, the recipient and
> >george@abc.com (who could be their IT contact)
> >
> >Or is it a case of RTFM :) ?
>
>Afraid so.
>
>You can list multiple recipients for the postmaster notifications. What you
>then do is set the address using a ruleset, so that, for example
>Notices To = /etc/MailScanner/rules/notices.to.rules
>
>then in that file put
>To: @abc.com postmaster@me.com george@abc.com
>To: @def.com postmaster@me.com bill@def.com
>FromOrTo: default postmaster@me.com
>--
>Julian Field
>www.MailScanner.info
>MailScanner thanks transtec Computers for their support

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From nicholas_esborn at AFFYMETRIX.COM Fri Mar 14 22:19:26 2003
From: nicholas_esborn at AFFYMETRIX.COM (Nicholas Esborn)
Date: Thu Jan 12 21:17:29 2006
Subject: Delivery of Spam to alternate location?
Message-ID: <20030314221926.GC82996@affymetrix.com>

Hello,

I was wondering if it's possible to have MailScanner deliver identified Spam to an alternate server or email address? The idea would be to send the Spam to a quarantine mailserver, where users could browse their Spam with a webmail client, thus reducing the load on the primary mailservers.

Thanks,

-nick

--
Nicholas Esborn
Affymetrix, Inc.

510/428.8505

Every message PGP signed

From mailscanner at ecs.soton.ac.uk Fri Mar 14 22:58:22 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:29 2006
Subject: Delivery of Spam to alternate location?
In-Reply-To: <20030314221926.GC82996@affymetrix.com>
Message-ID: <5.2.0.9.2.20030314225638.02270a58@imap.ecs.soton.ac.uk>

Take a look at the setting

Spam Actions = forward

in the MailScanner.conf file.

At 22:19 14/03/2003, you wrote:
>Hello,
>
>I was wondering if it's possible to have MailScanner deliver identified
>Spam to an alternate server or email address?
>The idea would be to send the Spam to a quarantine mailserver, where users
>could browse their Spam with a webmail client, thus reducing the load on
>the primary mailservers.
>
>Thanks,
>
>-nick
>
>--
>Nicholas Esborn
>Affymetrix, Inc.
>
>510/428.8505
>
>Every message PGP signed

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

From james at PCXPERIENCE.COM Fri Mar 14 23:52:09 2003
From: james at PCXPERIENCE.COM (James A. Pattie)
Date: Thu Jan 12 21:17:29 2006
Subject: Corrupt pgp-signed messages
In-Reply-To: <1047671810.685abe4f51bd8@www.emery.homelinux.net>
References: <1047671810.685abe4f51bd8@www.emery.homelinux.net>
Message-ID: <3E726B29.5040900@pcxperience.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Rick Emery wrote:
> I searched the documentation and list archives (at least, I think I did it
> right; I've never used listserv before) but couldn't find anything on this.
>
> I configured MailScanner (a *great* product, by the way) to sign all clean
> messages. My mail client is configured to verify pgp signatures, and I noticed
> that I started getting a lot of "BAD pgp signature" messages. A little research
> showed that the MailScanner signature was being added to the bottom of (inside)
> the signed part of the message, apparently corrupting it.
>
> I am a member of several MailMan mailing lists, and noticed that several of them
> were configured to sign all messages as well. However, it appears that the
> mailing list signature is added after the pgp signature, outside of the signed
> portion of the message. I don't know enough to explain this with technical
> accuracy, so I hope this makes sense.
>
> My questions are:
>
> 1. is there a way to configure MailScanner to sign the message _after_ the pgp
> signed portion?
>
> 2. Am I the only one seeing this behaviour?
>
> Thanks in advance for any guidance,
> Rick
>
> P.S. I turned off the MailScanner signature, and everything is working fine (I
> can tell by the headers that mail is being scanned). I just like the idea of a
> signature telling everyone that the message was scanned (and I like advertising
> MailScanner too :-)

I gpg sign my e-mails and have never had this issue.

I have had the issue where a certificate signed e-mail (S/MIME) has an issue since the signing of the e-mail by MailScanner changes the content. This was talked about several months ago. :)

- --
James A. Pattie
james@pcxperience.com

Linux -- SysAdmin / Programmer
Xperience, Inc.
http://www.pcxperience.com/
http://www.xperienceinc.com/

GPG Key Available at http://www.pcxperience.com/gpgkeys/james.html
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQE+cmsotUXjwPIRLVERAmrAAJ0RPOCKWQ6itragPNuVDsdErTaw/wCgjBMQ
NdH7oCMMXEYdlIbR5yCW2XM=
=bSqU
-----END PGP SIGNATURE-----

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From nicholas_esborn at AFFYMETRIX.COM Sat Mar 15 00:41:47 2003
From: nicholas_esborn at AFFYMETRIX.COM (Nicholas Esborn)
Date: Thu Jan 12 21:17:30 2006
Subject: Delivery of Spam to alternate location?
In-Reply-To: <5.2.0.9.2.20030314225638.02270a58@imap.ecs.soton.ac.uk>
References: <20030314221926.GC82996@affymetrix.com> <5.2.0.9.2.20030314225638.02270a58@imap.ecs.soton.ac.uk>
Message-ID: <20030315004147.GA37304@affymetrix.com>

Julian,

I see that Action, but unless I'm mistaken, mail would be forwarded to a specified email address. Rather than that, I'm looking for a way of sending the Spam to an alternative mail server, keeping the destination address intact or modifying it in a specific way.

For example, if MailScanner identified as Spam a message sent to nicholas_esborn@affymetrix.com, it could rewrite the address as nicholas_esborn@spambin.affymetrix.com and send it along.
Then, instead of moving on to the normal affymetrix.com mailserver, the message would go to spambin.affymetrix.com, which might deliver the message locally into per-user accounts of some sort.

That way, the main affymetrix.com mailservers would be spared the burden of handling the Spam, yet users would be able to retrieve their Spam from their accounts on spambin.

Am I missing how the existing Action = forward directive could do this?

Thanks!

-nick

On Fri, Mar 14, 2003 at 10:58:22PM +0000, Julian Field wrote:
> Take a look at the setting
> Spam Actions = forward
> in the MailScanner.conf file.
>
> At 22:19 14/03/2003, you wrote:
> >Hello,
> >
> >I was wondering if it's possible to have MailScanner deliver identified
> >Spam to an alternate server or email address? The idea would be to send
> >the Spam to a quarantine mailserver, where users could browse their Spam
> >with a webmail client, thus reducing the load on the primary mailservers.
> >
> >Thanks,
> >
> >-nick
> >
> >--
> >Nicholas Esborn
> >Affymetrix, Inc.
> >
> >510/428.8505
> >
> >Every message PGP signed
>
> --
> Julian Field
> www.MailScanner.info
> Professional Support Services at www.MailScanner.biz
> MailScanner thanks transtec Computers for their support

--
Nicholas Esborn
Affymetrix, Inc.

510/428.8505

Every message PGP signed

From Kevin.Spicer at BMRB.CO.UK Sat Mar 15 01:07:38 2003
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin)
Date: Thu Jan 12 21:17:30 2006
Subject: Delivery of Spam to alternate location?
Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0A4AD55@pascal.priv.bmrb.co.uk>

> Julian,
>
> I see that Action, but unless I'm mistaken, mail would be forwarded to
> a specified email address. Rather than that, I'm looking for a way of
> sending the Spam to an alternative mail server, keeping the destination
> address intact or modifying it in a specific way.

Off the top of my head here's an idea that _might_ work (assuming you don't quarantine virus mails).

Set Spam Actions = store (and High Scoring Spam Actions = store). Make sure Quarantine Whole Messages As Queue Files = yes. Then run a separate sendmail process which just runs the 'queue' in the quarantine directory using a different sendmail.cf with a smarthost specified which all mail should be forwarded to.

I suppose if you're quarantining viruses you may be able to do some filtering by subject (look for {Virus?}) using a procmail rule perhaps on the destination machine (quarantining them there instead).

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000
_________________________________________________________________
This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business.

From donovan at HUFFDATASYSTEMS.COM Sat Mar 15 03:04:57 2003
From: donovan at HUFFDATASYSTEMS.COM (Donovan Huff | HUFF DATA SYSTEMS)
Date: Thu Jan 12 21:17:30 2006
Subject: How is SPAM filtering turned off for reply e-mail? Also, reply issues...
Message-ID: <003701c2ea9f$aa1d1ed0$ec7d9d40@x27>

I had a problem when I first installed MailScanner and Spamassassin with replies to e-mail I sent, all the replies would have the {Spam?} added to the subject even though the scores were low (below 5) and they were not marked as SPAM in the header.
I turned on the Auto Whitelisting feature and this stopped. However, what was odd is if I turn off spam filtering for low or high scored e-mails and then turn it back on again (never changing the auto whitelist, it is still turned on) then I would have the same problem. What I had to do is turn off SPAM filtering for both low and high and also turn off the auto whitelisting feature. After I did that (of course I stopped and started MailScanner between config changes) I could then turn them all back on (low and high SPAM filtering and auto whitelisting) and it would start working again, meaning replies were not having {Spam?} added to the subject line (this took a while to figure out, I have assumed it is some kind of bug where something does not get set properly if you turn the individual settings on and off, but it does when you turn them all off then on).

I heard some talk about adding 127.0.0.1 to the spam whitelist (i.e. /etc/MailScanner/rules/spam.whitelist.rules), not sure if this would fix the issue or not. I have not done anything unusual to the MailScanner config or Spamassassin config just to let you know. Other people must be having or have had this issue as well, what is the fix? I really just want to make it so that all e-mail that is a reply is whitelisted (not marked as SPAM ever). I'm wondering though, if this will cause issues with SPAM filtering in the future as SPAMMERS could likely make the e-mail appear to be a reply.

I am using MailScanner 4.14-3 with SpamAssassin 2.50 patched (2.51?) to fix the bug where it has issues working with MailScanner.

TIA,

Donovan

From dcmwai at AMTB-M.ORG.MY Sat Mar 15 04:21:52 2003
From: dcmwai at AMTB-M.ORG.MY (Chan Min Wai)
Date: Thu Jan 12 21:17:30 2006
Subject: Corrupt pgp-signed messages
References: <1047671810.685abe4f51bd8@www.emery.homelinux.net>
Message-ID: <3E72AA60.2010306@amtb-m.org.my>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello Rick,

I'm sure you know what the PGP signature checks for. The signature is just like the "parity bit" on the digital message. And you cannot modify anything inside the body of the message, however. You can try to modify the subject of the message, which will solve the problem, but you will never be able to add a footer to the message.

There is one GPG signature that is static ("non-changing with the content"), but that will not secure your message, and people would be able to change the content during transmission.

I'm not sure if there is a way to solve this problem.

This problem becomes worse if you are transmitting an encrypted message.

If you get the answer, please do tell me as well.

Thank You
Chan Min Wai

Rick Emery wrote:

|I searched the documentation and list archives (at least, I think I did it
|right; I've never used listserv before) but couldn't find anything on this.
|
|I configured MailScanner (a *great* product, by the way) to sign all clean
|messages. My mail client is configured to verify pgp signatures, and I noticed
|that I started getting a lot of "BAD pgp signature" messages. A little research
|showed that the MailScanner signature was being added to the bottom of (inside)
|the signed part of the message, apparently corrupting it.
|
|I am a member of several MailMan mailing lists, and noticed that several of them
|were configured to sign all messages as well. However, it appears that the
|mailing list signature is added after the pgp signature, outside of the signed
|portion of the message. I don't know enough to explain this with technical
|accuracy, so I hope this makes sense.
|
|My questions are:
|
|1. is there a way to configure MailScanner to sign the message _after_ the pgp
|signed portion?
|
|2. Am I the only one seeing this behaviour?
|
|Thanks in advance for any guidance,
|Rick
|
|P.S. I turned off the MailScanner signature, and everything is working fine (I
|can tell by the headers that mail is being scanned). I just like the idea of a
|signature telling everyone that the message was scanned (and I like advertising
|MailScanner too :-)
|
|------------------------------------------------
|This email was sent using IMP v4.0-cvs, part of
|the Horde suite of information management tools.
|http://horde.org/
|
|
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQE+cqpfV0p9slMZLW4RAmcQAKDI0SwgRF/MPf/zrD8gLDLU4nRYXwCgqrJw
Ynqq4W6erfAWJxVfkRSocpU=
=NkTI
-----END PGP SIGNATURE-----

From mailscanner at ecs.soton.ac.uk Sat Mar 15 15:28:18 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:30 2006
Subject: How is SPAM filtering turned off for reply e-mail? Also, reply issues...
In-Reply-To: <003701c2ea9f$aa1d1ed0$ec7d9d40@x27>
Message-ID: <5.2.0.9.2.20030315152710.02265bc0@imap.ecs.soton.ac.uk>

The easiest thing is to add your entire netblock to the spam whitelist. At work, we have the whole 152.78 so I just put this in spam.whitelist.rules

From: 152.78. yes
FromOrTo: default no

At 03:04 15/03/2003, you wrote:
>I had a problem when I first installed MailScanner and Spamassassin with
>replies to e-mail I sent, all the replies would have the {Spam?} added to
>the subject even though the scores were low (below 5) and they were not
>marked as SPAM in the header. I turned on the Auto Whitelisting feature and
>this stopped. However, what was odd is if I turn off spam filtering for low
>or high scored e-mails and then turn it back on again (never changing the
>auto whitelist, it is still turned on) then I would have the same problem.
>What I had to do is turn off SPAM filtering for both low and high and also
>turn off the auto whitelisting feature. After I did that (of course I
>stopped and started MailScanner between config changes) I could then turn
>them all back on (low and high SPAM filtering and auto whitelisting) and it
>would start working again, meaning replies were not having {Spam?} added to
>the subject line (this took a while to figure out, I have assumed it is some
>kind of bug where something does not get set properly if you turn the
>individual settings on and off, but it does when you turn them all off then
>on).
>
>I heard some talk about adding 127.0.0.1 to the spam whitelist (i.e.
>/etc/MailScanner/rules/spam.whitelist.rules), not sure if this would fix the
>issue or not. I have not done anything unusual to the MailScanner config or
>Spamassassin config just to let you know. Other people must be having or
>have had this issue as well, what is the fix? I really just want to make it
>so that all e-mail that is a reply is whitelisted (not marked as SPAM ever).
>I'm wondering though, if this will cause issues with SPAM filtering in the
>future as SPAMMERS could likely make the e-mail appear to be a reply.
>
>I am using MailScanner 4.14-3 with SpamAssassin 2.50 patched (2.51?) to
>fix the bug where it has issues working with MailScanner.
>
>
>TIA,
>
>Donovan

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Sat Mar 15 15:12:37 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:30 2006
Subject: Corrupt pgp-signed messages
In-Reply-To: <3E726B29.5040900@pcxperience.com>
References: <1047671810.685abe4f51bd8@www.emery.homelinux.net> <1047671810.685abe4f51bd8@www.emery.homelinux.net>
Message-ID: <5.2.0.9.2.20030315150822.02581800@imap.ecs.soton.ac.uk>

At 23:52 14/03/2003, you wrote:
>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>
>Rick Emery wrote:
> > I searched the documentation and list archives (at least, I think I did it
> > right; I've never used listserv before) but couldn't find anything on this.
> >
> > I configured MailScanner (a *great* product, by the way) to sign all clean
> > messages. My mail client is configured to verify pgp signatures, and I noticed
> > that I started getting a lot of "BAD pgp signature" messages. A little research
> > showed that the MailScanner signature was being added to the bottom of (inside)
> > the signed part of the message, apparently corrupting it.
> >
> > I am a member of several MailMan mailing lists, and noticed that several of them
> > were configured to sign all messages as well. However, it appears that the
> > mailing list signature is added after the pgp signature, outside of the signed
> > portion of the message. I don't know enough to explain this with technical
> > accuracy, so I hope this makes sense.

I would like to see the difference in the MIME structure between what MailMan does and what MailScanner does. I just add the signature on to the end of the first in-line text+html segments of the message, which will be what you see. So the signature should be put in place after the signature, and therefore hopefully outside the signed portion of the message.

> > My questions are:
> >
> > 1. is there a way to configure MailScanner to sign the message _after_ the pgp
> > signed portion?
> >
> > 2. Am I the only one seeing this behaviour?
> >
> > Thanks in advance for any guidance,
> > Rick
> >
> > P.S. I turned off the MailScanner signature, and everything is working fine (I
> > can tell by the headers that mail is being scanned). I just like the idea of a
> > signature telling everyone that the message was scanned (and I like advertising
> > MailScanner too :-)

The other alternative is by using the Subject: line modification feature (e.g. add "{Scanned}" on the end of the subject line).

>I gpg sign my e-mails and have never had this issue.
>
>I have had the issue where a certificate signed e-mail (S/MIME) has an
>issue since the signing of the e-mail by MailScanner changes the
>content. This was talked about several months ago. :)
>
>- --
>James A. Pattie
>james@pcxperience.com
>
>Linux -- SysAdmin / Programmer
>Xperience, Inc.
>http://www.pcxperience.com/
>http://www.xperienceinc.com/
>
>GPG Key Available at http://www.pcxperience.com/gpgkeys/james.html
>-----BEGIN PGP SIGNATURE-----
>Version: GnuPG v1.0.6 (GNU/Linux)
>Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>
>iD8DBQE+cmsotUXjwPIRLVERAmrAAJ0RPOCKWQ6itragPNuVDsdErTaw/wCgjBMQ
>NdH7oCMMXEYdlIbR5yCW2XM=
>=bSqU
>-----END PGP SIGNATURE-----
>
>
>--
>This message has been scanned for viruses and
>dangerous content by MailScanner, and is
>believed to be clean.

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Sat Mar 15 15:25:56 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:30 2006
Subject: Delivery of Spam to alternate location?
In-Reply-To: <20030315004147.GA37304@affymetrix.com>
References: <5.2.0.9.2.20030314225638.02270a58@imap.ecs.soton.ac.uk> <20030314221926.GC82996@affymetrix.com> <5.2.0.9.2.20030314225638.02270a58@imap.ecs.soton.ac.uk>
Message-ID: <5.2.0.9.2.20030315151335.022e93a0@imap.ecs.soton.ac.uk>

At 00:41 15/03/2003, you wrote:
>I see that Action, but unless I'm mistaken, mail would be forwarded to
>a specified email address. Rather than that, I'm looking for a way of
>sending the Spam to an alternative mail server, keeping the destination
>address intact or modifying it in a specific way.
>
>For example, if MailScanner identified as Spam a message sent to
>nicholas_esborn@affymetrix.com, it could rewrite the address as
>nicholas_esborn@spambin.affymetrix.com and send it along.

Okay, this is exactly the sort of thing that a "Custom Function" could do.
Bung this in CustomConfig.pm:

my $spamserver = 'spambin';

sub SpamActions {
  my($message) = @_;

  return "deliver" unless $message; # Default if no message passed in

  my($to, $user, $domain, $result);

  # Loop through each recipient of the message, building the Spam Actions
  foreach $to (@{$message->{to}}) {
    # Get the user@domain bits out
    ($user, $domain) = split(/@/, $to, 2);
    # One "forward" action per recipient, rewritten to user@spambin.domain
    $result .= "forward $user\@$spamserver.$domain ";
  }

  return "deliver" unless $result; # If something was wrong, no recipients?
  return $result;
}

That all goes in CustomConfig.pm. You should also create empty functions called InitSpamActions and EndSpamActions to be neat and tidy.

Then in your MailScanner.conf, set

Spam Actions = &SpamActions
High Scoring Spam Actions = &SpamActions

and restart MailScanner.

Obviously you should change the value of "spamserver" at the top of the code to whatever your spam mail servers are going to be called.

I haven't tested it at all, but it should basically work okay.
--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

From rick at EMERY.HOMELINUX.NET Sat Mar 15 16:34:31 2003
From: rick at EMERY.HOMELINUX.NET (Rick Emery)
Date: Thu Jan 12 21:17:30 2006
Subject: Corrupt pgp-signed messages
In-Reply-To: <5.2.0.9.2.20030315150822.02581800@imap.ecs.soton.ac.uk>
References: <1047671810.685abe4f51bd8@www.emery.homelinux.net> <1047671810.685abe4f51bd8@www.emery.homelinux.net> <5.2.0.9.2.20030315150822.02581800@imap.ecs.soton.ac.uk>
Message-ID: <1047746071.ec3314e36e4eb@www.emery.homelinux.net>

Quoting Julian Field:

> I would like to see the difference in the MIME structure between what
> MailMan does and what MailScanner does. I just add the signature on to the
> end of the first in-line text+html segments of the message, which will be
> what you see. So the signature should be put in place after the signature,
> and therefore hopefully outside the signed portion of the message.

Would this involve just forwarding the sample message to you? How can I view the mime structure of a message? I'm sorry, but my technical knowledge of this is pretty spare. However, your explanation above makes sense.

What I'm seeing is that MailScanner is attaching its signature at the end of the first in-line text segment of the message (exactly as you described above). I think the problem is that that is the signed part of the message. If I'm understanding this correctly, a signed message has (at least) two mime parts; the message, and the pgp signature. It looks like MailMan might add a third part, the text signature for the mailing list.

> The other alternative is by using the Subject: line modification feature
> (e.g. add "{Scanned}" on the end of the subject line).

I'm not too worried about this; it isn't mission critical and, as I said, I know the messages are being scanned because of the headers being added. I just thought the signature was cool.
Thanks for your help, and a *great* product, and if I can provide any additional information or troubleshoot it further, please let me know.

Rick

------------------------------------------------
This email was sent using IMP v4.0-cvs, part of
the Horde suite of information management tools.
http://horde.org/

From rick at EMERY.HOMELINUX.NET Sat Mar 15 16:45:41 2003
From: rick at EMERY.HOMELINUX.NET (Rick Emery)
Date: Thu Jan 12 21:17:30 2006
Subject: Corrupt pgp-signed messages
In-Reply-To: <3E726B29.5040900@pcxperience.com>
References: <1047671810.685abe4f51bd8@www.emery.homelinux.net> <3E726B29.5040900@pcxperience.com>
Message-ID: <1047746741.59dc6ec661254@www.emery.homelinux.net>

Quoting "James A. Pattie" :

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Rick Emery wrote:
> > I searched the documentation and list archives (at least, I think I did it
> > right; I've never used listserv before) but couldn't find anything on
> this.
> >
> > I configured MailScanner (a *great* product, by the way) to sign all clean
> > messages. My mail client is configured to verify pgp signatures, and I
> noticed
> > that I started getting a lot of "BAD pgp signature" messages. A little
> research
> > showed that the MailScanner signature was being added to the bottom of
> (inside)
> > the signed part of the message, apparently corrupting it.
> >
> > I am a member of several MailMan mailing lists, and noticed that
> several of them
> > were configured to sign all messages as well. However, it appears that the
> > mailing list signature is added after the pgp signature, outside of
> the signed
> > portion of the message. I don't know enough to explain this with technical
> > accuracy, so I hope this makes sense.
> >
> > My questions are:
> >
> > 1.
is there a way to configure MailScanner to sign the message _after_ > the pgp > > signed portion? > > > > 2. Am I the only one seeing this behaviour? > > > > Thanks in advance for any guidance, > > Rick > > > > P.S. I turned off the MailScanner signature, and everything is working > fine (I > > can tell by the headers that mail is being scanned). I just like the > idea of a > > signature telling everyone that the message was scanned (and I like > advertising > > MailScanner too :-) > > I gpg sign my e-mails and have never had this issue. > > I have had the issue where a certificate signed e-mail (S/MIME) has an > issue since the signing of the e-mail by MailScanner changes the > content. This was talked about several months ago. :) > > - -- > James A. Pattie > james@pcxperience.com > > Linux -- SysAdmin / Programmer > Xperience, Inc. > http://www.pcxperience.com/ > http://www.xperienceinc.com/ > > GPG Key Available at http://www.pcxperience.com/gpgkeys/james.html > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.0.6 (GNU/Linux) > Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org > > iD8DBQE+cmsotUXjwPIRLVERAmrAAJ0RPOCKWQ6itragPNuVDsdErTaw/wCgjBMQ > NdH7oCMMXEYdlIbR5yCW2XM= > =bSqU > -----END PGP SIGNATURE----- > > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > Forgive me for quoting the entire message, but it's a good indicator of what's going on. As you can see above, your message contains: # -----BEGIN PGP SIGNED MESSAGE----- # the message # -----BEGIN PGP SIGNATURE----- # the signature # -----END PGP SIGNATURE----- # MailScanner's text signature When I view the corrupt messages, MailScanner's text signature appears just above the "BEGIN PGP SIGNATURE" line. What I don't understand is why your setup attached the MailScanner signature after the PGP SIGNATURE, but mine puts it before. I couldn't find a configuration option for this. 
Could it have anything to do with the message composer? Something I've noticed is that the corrupt messages don't say "BEGIN PGP SIGNED MESSAGE", they have a cryptic string of letters, numbers, and symbols at the beginning and end. Again I apologize for all of the noise, but I don't understand enough about mime and pgp to figure it out. Thanks again, Rick ------------------------------------------------ This email was sent using IMP v4.0-cvs, part of the Horde suite of information management tools. http://horde.org/ From mailscanner at ecs.soton.ac.uk Sat Mar 15 16:46:30 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:30 2006 Subject: Corrupt pgp-signed messages In-Reply-To: <1047746071.ec3314e36e4eb@www.emery.homelinux.net> References: <5.2.0.9.2.20030315150822.02581800@imap.ecs.soton.ac.uk> <1047671810.685abe4f51bd8@www.emery.homelinux.net> <1047671810.685abe4f51bd8@www.emery.homelinux.net> <5.2.0.9.2.20030315150822.02581800@imap.ecs.soton.ac.uk> Message-ID: <5.2.0.9.2.20030315164402.0283af00@imap.ecs.soton.ac.uk> At 16:34 15/03/2003, you wrote: >Quoting Julian Field : > > > I would like to see the difference in the MIME structure between what > > MailMan does and what MailScanner does. I just add the signature on to the > > end of the first in-line text+html segments of the message, which will be > > what you see. So the signature should be put in place after the signature, > > and therefore hopefully outside the signed portion of the message. > >Would this involve just forwarding the sample message to you? How can I >view the >mime structure of a message? I'm sorry, but my technical knowledge of this is >pretty spare. However, your explanation above makes sense. If you can find one (possibly using the "Archive Mail" feature), copy the raw queue files for a couple of sample messages generated by MailMan. 1 without the pgp sig and 1 with the pgp sig would be ideal. 
>What I'm seeing is that MailScanner is attaching its signature at the end
>of the
>first in-line text segment of the message (exactly as you described above). I
>think the problem is that that is the signed part of the message. If I'm
>understanding this correctly, a signed message has (at least) two mime parts;
>the message, and the pgp signature. It looks like MailMan might add a third
>part, the text signature for the mailing list.

The snag with that is getting all email programs to actually display the 3rd bit (i.e. the signature). I would be interested to see how MailMan gets around the problem.

> > The other alternative is by using the Subject: line modification feature
> > (e.g. add "{Scanned}" on the end of the subject line).
>
>I'm not too worried about this; it isn't mission critical and, as I said,
>I know
>the messages are being scanned because of the headers being added. I just
>thought the signature was cool.
>
>Thanks for your help, and a *great* product,

Thanks!

> and if I can provide any additional
>information or troubleshoot it further, please let me know.
>
>Rick
>
>------------------------------------------------
>This email was sent using IMP v4.0-cvs, part of
>the Horde suite of information management tools.
>http://horde.org/

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

From Kevin.Spicer at BMRB.CO.UK Sat Mar 15 16:53:29 2003
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin)
Date: Thu Jan 12 21:17:30 2006
Subject: Corrupt pgp-signed messages
Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0A4AD56@pascal.priv.bmrb.co.uk>

> I would like to see the difference in the MIME structure between what
> MailMan does and what MailScanner does. I just add the
> signature on to the
> end of the first in-line text+html segments of the message,
> which will be
> what you see.
> So the signature should be put in place after
> the signature,
> and therefore hopefully outside the signed portion of the message.
>

I don't use mailman but I've been able to produce the same/a similar behaviour with differences between Outlook on Windows (with the gdata gpg plugin) and Evolution on Linux.

Outlook / Gdata plugin...
Mime type : text/plain
Single part message, PGP Message and Signature are all within the body of the message and MailScanner signs the message after the PGP signature.
On receipt the PGP signature validates okay.

Evolution...
Multi part MIME message (content type: multipart/signed)
First section (text/plain) contains the message itself (without the PGP signature) with the MailScanner signature appended.
Second section (application/pgp-signature) contains the PGP signature.
In this case the mailscanner signature breaks the PGP signature.

Julian - if you'd like a closer look I'll happily send you my test messages off-list.

As an aside - I prefer the way evolution handles it from a security point of view, but unfortunately this doesn't work at all with gdata's plugin!

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000
_________________________________________________________________
This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business.

From Kevin.Spicer at BMRB.CO.UK Sat Mar 15 17:16:31 2003
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin)
Date: Thu Jan 12 21:17:30 2006
Subject: Corrupt pgp-signed messages
Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0EBF49F@pascal.priv.bmrb.co.uk>

>
> Evolution...
> Multi part MIME message (content type: multipart/signed)
> First section (text/plain) contains the message itself
> (without the PGP signature) with the MailScanner signature appended.
> Second section (application/pgp-signature) contains the PGP signature.
> In this case the mailscanner signature breaks the PGP signature.
>

Hmmm, replying to myself - first sign of madness!

Looks like this is specified in RFC1847
http://www.faqs.org/rfcs/rfc1847.html

On a first scan the important paragraphs seem to be these...

   The entire contents of the multipart/signed container must be
   treated as opaque while it is in transit from an originator to a
   recipient. Intermediate message transfer agents must not alter the
   content of a multipart/signed in any way, including, but not limited
   to, changing the content transfer encoding of the body part or any of
   its encapsulated body parts.

   The signature in a multipart/signed only applies to the material that
   is actually within the multipart/signed object. In particular, it
   does not apply to any enclosing message material, nor does it apply
   to entities that are referenced (e.g. via a MIME
   message/external-body) by rather than included in the signed content.

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000
_________________________________________________________________
This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business.
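Added example (not from any poster in this thread and not MailScanner code): Python that lists a message's MIME structure, as asked earlier in the thread, and shows why a footer appended to the first text part breaks a multipart/signed (RFC 1847) message but not an inline-PGP one. Both sample messages, the footer text and all function names are constructed for illustration; a SHA-256 digest of the signed bytes stands in for real signature verification.

```python
import email
import hashlib
from email import policy

ARMOR_MSG = "-----BEGIN PGP SIGNED MESSAGE-----"
ARMOR_SIG = "-----BEGIN PGP SIGNATURE-----"
FOOTER = "\n-- \nScanned by the gateway (constructed footer text).\n"

# Constructed sample: PGP/MIME (multipart/signed), the Evolution case.
PGP_MIME = (
    "From: sender@example.org\n"
    "Subject: constructed PGP/MIME sample\n"
    "MIME-Version: 1.0\n"
    "Content-Type: multipart/signed; micalg=pgp-sha1;\n"
    ' protocol="application/pgp-signature"; boundary="sigpart"\n'
    "\n"
    "--sigpart\n"
    "Content-Type: text/plain; charset=us-ascii\n"
    "\n"
    "The text that the sender signed.\n"
    "--sigpart\n"
    "Content-Type: application/pgp-signature\n"
    "\n"
    "-----BEGIN PGP SIGNATURE-----\n"
    "\n"
    "(placeholder, not a real signature)\n"
    "-----END PGP SIGNATURE-----\n"
    "--sigpart--\n"
)

# Constructed sample: one text/plain part with inline PGP, the Outlook case.
INLINE = (
    "From: sender@example.org\n"
    "Subject: constructed inline PGP sample\n"
    "Content-Type: text/plain; charset=us-ascii\n"
    "\n"
    "-----BEGIN PGP SIGNED MESSAGE-----\n"
    "Hash: SHA1\n"
    "\n"
    "The text that the sender signed.\n"
    "-----BEGIN PGP SIGNATURE-----\n"
    "\n"
    "(placeholder, not a real signature)\n"
    "-----END PGP SIGNATURE-----\n"
)


def mime_tree(raw):
    """Return [(depth, content_type), ...] for every MIME part of a message."""
    out = []

    def walk(part, depth):
        out.append((depth, part.get_content_type()))
        if part.is_multipart():
            for sub in part.iter_parts():
                walk(sub, depth + 1)

    walk(email.message_from_string(raw, policy=policy.default), 0)
    return out


def signed_region(raw):
    """Return the text the sender's signature covers, or None if unsigned."""
    msg = email.message_from_string(raw, policy=policy.default)
    if msg.get_content_type() == "multipart/signed":
        # Everything between the first and second boundary line is signed.
        return raw.split("\n--" + msg.get_boundary() + "\n")[1]
    body = raw.split("\n\n", 1)[1]
    start, end = body.find(ARMOR_MSG), body.find(ARMOR_SIG)
    return body[start:end] if start != -1 and end > start else None


def append_to_first_text_part(raw, footer=FOOTER):
    """Naive gateway behaviour: footer goes on the end of the first text part."""
    msg = email.message_from_string(raw, policy=policy.default)
    if msg.is_multipart():
        delim = "\n--" + msg.get_boundary() + "\n"
        head, first, rest = raw.split(delim, 2)
        return head + delim + first + footer.rstrip("\n") + delim + rest
    return raw + footer


def signed_region_survives(raw):
    """True if the signed text is byte-identical after the naive footer."""
    def digest(text):
        return hashlib.sha256(text.encode()).hexdigest()
    return digest(signed_region(raw)) == digest(
        signed_region(append_to_first_text_part(raw)))


def footer_decision(raw):
    """What a gateway can safely do with its footer for this message."""
    if any(ctype == "multipart/signed" for _, ctype in mime_tree(raw)):
        return "leave-untouched"      # RFC 1847: container is opaque in transit
    if ARMOR_MSG in raw:
        return "append-after-armor"   # footer must land after END PGP SIGNATURE
    return "append"


if __name__ == "__main__":
    for name, raw in (("PGP/MIME", PGP_MIME), ("inline PGP", INLINE)):
        for depth, ctype in mime_tree(raw):
            print("  " * depth + ctype)
        print(name, "->", footer_decision(raw),
              "| signed text unchanged by naive footer:",
              signed_region_survives(raw))
```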
From lists at STHOMAS.NET Sat Mar 15 19:39:00 2003
From: lists at STHOMAS.NET (Steve Thomas)
Date: Thu Jan 12 21:17:30 2006
Subject: Warm fuzzy
Message-ID: <20030315113900.B11309@sthomas.net>

I just got my new super-comfy fuzzy warm MailScanner fleece jacket in the mail. Man, is this thing comfortable. It makes the temporary crown I also just got seem a little more bearable.

Aren't you jealous? Don't be! You too can have one! Visit the MailScanner Store today!

:)

--
Steve Thomas
steve +at+ sthomas -dot- net
----------------------------------------------------------
"...subatomic matter in a particle accelerator that exists for only a few microseconds seems to exhibit more uptime than the RIAA's website."
-- Andrew Orlowski
TheRegister.co.uk

From donovan at HUFFDATASYSTEMS.COM Sat Mar 15 20:58:26 2003
From: donovan at HUFFDATASYSTEMS.COM (Donovan Huff | HUFF DATA SYSTEMS)
Date: Thu Jan 12 21:17:30 2006
Subject: How is SPAM filtering turned off for reply e-mail? Also, reply issues...
References: <5.2.0.9.2.20030315152710.02265bc0@imap.ecs.soton.ac.uk>
Message-ID: <002901c2eb35$a0bd26a0$73ef1d43@x27>

Is there a way for a user to say forward e-mail that they wish to be whitelisted automatically? How about for blacklisting? Can they forward an e-mail from themselves to say user-whitelist@domain.tld (where user@domain.tld is the normal password) or anything like this? Someone had given me the impression that this was an option, but I did not see it in the config.

Donovan

----- Original Message -----
From: "Julian Field"
To:
Sent: Saturday, March 15, 2003 9:28 AM
Subject: Re: How is SPAM filtering turned off for reply e-mail? Also, reply issues...

> The easiest thing is to add your entire netblock to the spam whitelist. At
> work, we have the whole 152.78 so I just put this in spam.whitelist.rules
> From: 152.78.
yes > FromOrTo: default no > > At 03:04 15/03/2003, you wrote: > >I had a problem when I first installed MailScanner and Spamassassin with > >replies to e-mail I sent, all the replies would have the > >{Spam?} added to the subject even though the scores were low (below 5) and > >they were not marked as SPAM in the header. I turned on > >the Auto Whitelisting feature and this stopped. However, what was odd is > >if I turn off spam filtering for low or high scored > >e-mails and then turn it back on again (never changing the auto whitelist, > >it is still turned on) then I would have the same > >problem. What I had to do is turn off SPAM filtering for both low and > >high and also turn off the auto whitelisting feature. After > >I did that (of course I stopped and started MailScanner between config > >changes) I could then turn them all back on (low and high > >SPAM filtering and auto whitelisting) and it would start working again, > >meaning replies were not having {Spam?} added to the subject > >line (this took a while to figure out, I have assumed it is some kind of > >bug where something does not get set properly if you turn > >the individual settings on and off, but it does when you turn them all off > >then on). > > > >I heard some talk about adding 127.0.0.1 to the spam whitelist (i.e. > >/etc/MailScanner/rules/spam.whitelist.rules), not sure if this > >would fix the issue or not. I have not done anything unusual to the > >MailScanner config or Spamassasin config just to let you know. > >Other people must be having or have had this issue as well, what is the > >fix? I really just want to make it so that all e-mail that > >is a reply is whitelisted (not marked as SPAM ever). I wondering though, > >if this will cause issues with SPAM filtering in the > >future as SPAMMERS could likely make the e-mail appear to be a reply. > > > >I am using MailScanner 4.14-3 with SpamAssassin 2.50 patched (2.51?) to > >fix the bug where it has issues working with MailScanner. 
> > > > > >TIA, > > > >Donovan > > -- > Julian Field > www.MailScanner.info > Professional Support Services at www.MailScanner.biz > MailScanner thanks transtec Computers for their support From dh at UPTIME.AT Sun Mar 16 14:08:48 2003 From: dh at UPTIME.AT (David) Date: Thu Jan 12 21:17:30 2006 Subject: Maybe a bit OT, auto adjusting high scoring value.. Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: RIPEMD160 Hello. First of all let me explain my setup. I have a "low" score of 5.3 and a high score of 13. High scoring spam is deleted, but the message is forwarded to me none the less, so I can check, that it is really not a message that has some value to the user. This is something we all agreed on. Out of curiosity I collected 631 Spam messages, all verified by me to be actual spam. Some of them are above the threshold of 13, others are within the range of 5.3-13. I have written a little Perl script, which reads that Mbox, collects all the Spam Scores and tosses them into a little array on which I am able to perform some statistical operations using Statistics::Lite. For me that returns: Max Value: 31.7 Min Value: 5.3 (kinda expected) Data Range: 26.4 Std. Variance: 26.2935.... Std. Deviation: 5.0292... Mean Score: 13.81410... Median: 13.4 Now my question is and I am posting to this list because I know there are many talented mathematicians out there. a) Does this kind of collecting data make sense? b) which statistical functions would make sense ? What I am trying to do is the following. I am noticing, that there is a LOT of verified Spam in the range between 5.3 to 13 and I am trying to find the best value for our typical Spam flow which will catch most verified spam and still allow the seldom false positives to pass through to the user. If you recall, I delete the high scoring Spam. 
So basically I need to find the best value for "High scoring"- I would be very happy if you could tell me how to tackle this, because I really know nothing about math and I think what I just did has little to no value

- -d

- - "Imagination is more important than knowledge." - Albert Einstein
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (Darwin)

iD8DBQE+dIV0iW/Ta/pxHPQRAzVvAKDGv6WRjGyMqc5pRAQyi/467M7fHwCghgsh
TaL4ldLqeIEb0qtZdPwOF2Y=
=Ua2i
-----END PGP SIGNATURE-----

From mailscanner at ecs.soton.ac.uk Sun Mar 16 19:23:52 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:30 2006
Subject: SpamAssassin 2.50 problems
Message-ID: <5.2.0.9.2.20030316191403.024b9aa0@imap.ecs.soton.ac.uk>

I have just managed to work around the nasty problem with SpamAssassin 2.50 repeatedly timing out. The symptom was that SpamAssassin 2.50 would suddenly time out 20 times in a row for no apparent reason, at which point SpamAssassin was disabled until the next scheduled restart ("Restart Every" in MailScanner.conf).

I have fixed this, and it was caused by the style of file locking used by the SpamAssassin code that cannot clear up after itself if the process is killed. MailScanner uses flock()-style locking which cleans up after itself automatically.

There is still a problem, that will have to be addressed by the SpamAssassin developers, that the Bayes database files are locked for a long time during each test. Only 1 MailScanner child process can access the files at a time, resulting in a situation where all the other MailScanner child processes are waiting for the files to be unlocked.

1 change that should help is to reduce the time between locking attempts. Currently it waits for 0.5 - 1.5 seconds between attempts. Shortening that to 0.1 - 0.2 seconds should improve things. But unfortunately the timing numbers are hard-wired into the SpamAssassin code. If you are interested, it is in line 59 of /usr/lib/perl5/5.6.1/site_perl/Mail/SpamAssassin/UnixLocker.pm.
-- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support From lance at WARE.NET Sun Mar 16 19:34:48 2003 From: lance at WARE.NET (Lance Ware) Date: Thu Jan 12 21:17:30 2006 Subject: Archiving Human Readable Messages Message-ID: <9F214F8D10934845A3664A21425C79FC60857C@dhcp5.ware.net> Hello, I've just installed MailScanner, first I'd like to say thanks to Julian and the rest of the contributors - it looks to be a great project. In combination with SpamAssasin it's already catching 200+ SPAMs a day for me. I'm using it to front end my Qmail/Vpopmail system so it runs on a separate box with a mailertable entry (I couldn't move the main box because it hosts email for some 200+ domains that I don't want to filter just yet). Now the challenge - I've got a number of "spam pots" which I'd like to use to increase the hit rate for spam detection. My initial plan for this was to use the "archive" feature of MailScanner to log all the mails to these various dead email addresses. I got that setup ok, but it's creating the 2 queue files per email. I've tried tinkering with: Quarantine Whole Messages As Queue Files = no But so far I've been unsuccessful in simply archiving the full text of the message. Since most of my users are on Windows with Outlook 2002 or OE it's not very easy to bounce mail back for adding to the Bayesian filters and Razor/etc. Any tips on getting the archiving to a single file to work are greatly appreciated. TIA, Lance -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030316/efee57a5/attachment.html

From mailscanner at ecs.soton.ac.uk Sun Mar 16 19:48:01 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:30 2006
Subject: Archiving Human Readable Messages
In-Reply-To: <9F214F8D10934845A3664A21425C79FC60857C@dhcp5.ware.net>
Message-ID: <5.2.0.9.2.20030316194639.022c41b8@imap.ecs.soton.ac.uk>

At 19:34 16/03/2003, you wrote:
>I've just installed MailScanner, first I'd like to say thanks to Julian and
>the rest of the contributors - it looks to be a great project. In
>combination with SpamAssasin it's already catching 200+ SPAMs a day for me.
>I'm using it to front end my Qmail/Vpopmail system so it runs on a separate
>box with a mailertable entry (I couldn't move the main box because it hosts
>email for some 200+ domains that I don't want to filter just yet).
>Now the challenge - I've got a number of "spam pots" which I'd like to use to
>increase the hit rate for spam detection.
>My initial plan for this was to use the "archive" feature of MailScanner to
>log all the mails to these various dead email addresses. I got that setup
>ok, but it's creating the 2 queue files per email. I've tried tinkering with:
>Quarantine Whole Messages As Queue Files = no
>But so far I've been unsuccessful in simply archiving the full text of the
>message.

That is the correct setting. Just make sure you do a "reload" afterwards ("service MailScanner reload" on RedHat). This will produce a single file of the headers and the body.
--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

From lance at WARE.NET Sun Mar 16 20:03:39 2003
From: lance at WARE.NET (Lance Ware)
Date: Thu Jan 12 21:17:30 2006
Subject: Archiving Human Readable Messages
Message-ID: <9F214F8D10934845A3664A21425C79FC60857D@dhcp5.ware.net>

> -----Original Message-----
> From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK]
> Sent: Sunday, March 16, 2003 11:48 AM
>
> At 19:34 16/03/2003, you wrote:
> >I've just installed MailScanner, first I'd like to say thanks to Julian and
> >the rest of the contributors - it looks to be a great project. In
> >combination with SpamAssasin it's already catching 200+ SPAMs a day for
> me.
> >I'm using it to front end my Qmail/Vpopmail system so it runs on a
> separate
> >box with a mailertable entry (I couldn't move the main box because it
> hosts
> >email for some 200+ domains that I don't want to filter just yet).
> >Now the challenge - I've got a number of "spam pots" which I'd like to use to
> >increase the hit rate for spam detection.
> >My initial plan for this was to use the "archive" feature of MailScanner to
> >log all the mails to these various dead email addresses. I got that setup
> >ok, but it's creating the 2 queue files per email. I've tried tinkering
> with:
> >Quarantine Whole Messages As Queue Files = no
> >But so far I've been unsuccessful in simply archiving the full text of the
> >message.
>
> That is the correct setting. Just make sure you do a "reload" afterwards
> ("service MailScanner reload" on RedHat). This will produce a single file
> of the headers and the body.

I've tried the reloading - still no luck. And it all seemed so simple.
I have:

Archive Mail = /etc/MailScanner/rules/logSpamTrolls.rules

And in that file:

To: edhunt_1@webcam.com /var/log/spam/
To: duckvonlong@webcam.com /var/log/spam/
To: oral@webcam.com /var/log/spam/
To: fcdxsza@webcam.com /var/log/spam/
FromOrTo: default no

I still get 2 files per email.

Lance

From dcmwai at AMTB-M.ORG.MY Mon Mar 17 05:27:14 2003
From: dcmwai at AMTB-M.ORG.MY (Chan Min Wai)
Date: Thu Jan 12 21:17:30 2006
Subject: About some Rules on SpamAssassin...
Message-ID: <3E755CB2.3050506@amtb-m.org.my>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello all,

I don't know if I'm asking in the wrong places, but this is happening all the time and very annoying.
Our Organization uses Chinese more often than English and SpamAssassin always thinks that the mail is spam and it scores very high. Most of the time, mail sent by Outlook Express will be marked as Spam, no matter whether they are from MacOS or from Windows.

Can someone who has experience with this help me?

(this is part of the header)

X-MailScanner-SpamCheck: spam, SpamAssassin (score=10.4, required 5,
 CHARSET_FARAWAY, CHARSET_FARAWAY_HEADERS, MAILTO_TO_SPAM_ADDR,
 NOSPAM_INC, SPAM_PHRASE_00_01, SUBJ_FULL_OF_8BITS, UPPERCASE_25_50,
 USER_AGENT, USER_AGENT_MOZILLA_UA, X_ACCEPT_LANG)

Thank You
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQE+dVyyV0p9slMZLW4RAo+gAKD4IhhONkgpsdxigDXFt4agfogkewCbBdyV
ujW8Q9SUN8kz/Ww9sNpWZ6g=
=MBhg
-----END PGP SIGNATURE-----

From Kevin.Spicer at BMRB.CO.UK Mon Mar 17 08:11:45 2003
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin)
Date: Thu Jan 12 21:17:30 2006
Subject: About some Rules on SpamAssassin...
Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0A4AD58@pascal.priv.bmrb.co.uk>

>
> I don't know if I'm asking in the wrong places, but this is happening
> all the time and very annoying.
> Our Organization uses Chinese more often than English and SpamAssassin > always thinks that the mail is spam and it scores very high. Most of the > time, Mail sent by Outlook Express will be marked as Spam, no matter > they are from a MacOS or from Windows. I think you need the following in spam.assassin.prefs.conf... ok_languages en zh ok_locales en zh NOTE: ok_locales en is already specified in spam.assassin.prefs.conf, so you'll need to find and change that line. ok_languages is not in there as the default is to allow all languages - so you might just omit it anyway. If you're really having problems omit/comment out ok_languages and ok_locales to let everything through without performing any of these language/locale checks. If that doesn't work you could also assign a zero score to those tests which are causing false positives for you. e.g. (I'm guessing you might see this one quite a bit...) score SUBJ_FULL_OF_8BITS 0 (CHARSET_FARAWAY and CHARSET_FARAWAY_HEADERS should both be sorted by changing ok_locales) more info... http://www.spamassassin.org/doc/Mail_SpamAssassin_Conf.html BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. From Jan-Peter.Koopmann at SECEIDOS.DE Mon Mar 17 09:01:44 2003 From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann) Date: Thu Jan 12 21:17:30 2006 Subject: About some Rules on SpamAssassin...
Message-ID: <4E7026FF8A422749B1553FE508E0068007EF92@message.intern.akctech.de> > Our Organization uses Chinese more often than English and SpamAssassin > always thinks that the mail is spam and it scores very high. Most of the > time, Mail sent by Outlook Express will be marked as Spam, no matter > they are from a MacOS or from Windows. Have you tried ok_languages en zh ok_locales en zh to tell SpamAssassin that Chinese is ok? > required 5, CHARSET_FARAWAY, CHARSET_FARAWAY_HEADERS, > MAILTO_TO_SPAM_ADDR, NOSPAM_INC, SPAM_PHRASE_00_01, > SUBJ_FULL_OF_8BITS, UPPERCASE_25_50, USER_AGENT, > USER_AGENT_MOZILLA_UA, X_ACCEPT_LANG) You might change the scores for some of these tests. Regards, JP From mailscanner at ecs.soton.ac.uk Mon Mar 17 08:54:51 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:30 2006 Subject: About some Rules on SpamAssassin... In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB0A4AD58@pascal.priv.bmrb.co.uk> Message-ID: <5.2.0.9.2.20030317085351.01295a28@imap.ecs.soton.ac.uk> I have removed ok_languages. We're probably better off without it at all. Thanks for letting me know. At 08:11 17/03/2003, you wrote: > > > > I don't know if I'm asking in the wrong places, but this is happening > > all the time and very annoying. > > Our Organization uses Chinese more often than English and SpamAssassin > > always thinks that the mail is spam and it scores very high. Most of the > > time, Mail sent by Outlook Express will be marked as Spam, no matter > > they are from a MacOS or from Windows. > >I think you need the following in spam.assassin.prefs.conf... > >ok_languages en zh >ok_locales en zh > >NOTE: ok_locales en is already specified in spam.assassin.prefs.conf, so >you'll need to find and change that line. ok_languages is not in there >as the default is to allow all languages - so you might just omit it >anyway.
If you're really having problems omit/comment out ok_languages >and ok_locales to let everything through without performing any of these >language/locale checks. >If that doesn't work you could also assign a zero score to those tests >which are causing false positives for you. e.g. (I'm guessing you might >see this one quite a bit...) >score SUBJ_FULL_OF_8BITS 0 > >(CHARSET_FARAWAY and CHARSET_FARAWAY_HEADERS should both be sorted by >changing ok_locales) > >more info... http://www.spamassassin.org/doc/Mail_SpamAssassin_Conf.html > > > >BMRB International >http://www.bmrb.co.uk >+44 (0)20 8566 5000 >_________________________________________________________________ >This message (and any attachment) is intended only for the >recipient and may contain confidential and/or privileged >material. If you have received this in error, please contact the >sender and delete this message immediately. Disclosure, copying >or other action taken in respect of this email or in >reliance on it is prohibited. BMRB International Limited >accepts no liability in relation to any personal emails, or >content of any email which does not directly relate to our >business. -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support From dcmwai at AMTB-M.ORG.MY Mon Mar 17 09:03:16 2003 From: dcmwai at AMTB-M.ORG.MY (Chan Min Wai) Date: Thu Jan 12 21:17:30 2006 Subject: About some Rules on SpamAssassin... References: <5C0296D26910694BB9A9BBFC577E7AB0A4AD58@pascal.priv.bmrb.co.uk> Message-ID: <3E758F54.8090305@amtb-m.org.my> Thank Kevin, It should be done :) Spicer, Kevin wrote: |>I don't know if I'm asking in the wrong places, but this is happening |>all the time and very annoying. |>Our Organization uses Chinese more often than English and SpamAssassin |>always thinks that the mail is spam and it scores very high.
Most of the |>time, Mail sent by Outlook Express will be marked as Spam, no matter |>they are from a MacOS or from Windows. | | |I think you need the following in spam.assassin.prefs.conf... | |ok_languages en zh |ok_locales en zh | |NOTE: ok_locales en is already specified in spam.assassin.prefs.conf, so you'll need to find and change that line. ok_languages is not in there as the default is to allow all languages - so you might just omit it anyway. If you're really having problems omit/comment out ok_languages and ok_locales to let everything through without performing any of these language/locale checks. |If that doesn't work you could also assign a zero score to those tests which are causing false positives for you. e.g. (I'm guessing you might see this one quite a bit...) |score SUBJ_FULL_OF_8BITS 0 | |(CHARSET_FARAWAY and CHARSET_FARAWAY_HEADERS should both be sorted by changing ok_locales) | |more info... http://www.spamassassin.org/doc/Mail_SpamAssassin_Conf.html | | | |BMRB International |http://www.bmrb.co.uk |+44 (0)20 8566 5000 |_________________________________________________________________ |This message (and any attachment) is intended only for the |recipient and may contain confidential and/or privileged |material. If you have received this in error, please contact the |sender and delete this message immediately. Disclosure, copying |or other action taken in respect of this email or in |reliance on it is prohibited. BMRB International Limited |accepts no liability in relation to any personal emails, or |content of any email which does not directly relate to our |business.
From mailscanner at BARENDSE.TO Mon Mar 17 12:24:25 2003 From: mailscanner at BARENDSE.TO (Remco Barendse) Date: Thu Jan 12 21:17:30 2006 Subject: About some Rules on SpamAssassin... In-Reply-To: <5.2.0.9.2.20030317085351.01295a28@imap.ecs.soton.ac.uk> Message-ID: Interesting setting. We are getting loads and loads of spam crap in Chinese, although nobody speaks Chinese here. Would setting ok_languages en block all messages in Chinese? We do get some legitimate e-mail from China which will cause the e-mails that are replied on to contain some Chinese characters but the majority of characters will be English. Would that setting block everything even with one or 2 characters in it or only mail that contains only Chinese? On Mon, 17 Mar 2003, Julian Field wrote: > I have removed ok_languages. We're probably better off without it at all. > Thanks for letting me know. > > At 08:11 17/03/2003, you wrote: > > > > > > I don't know if I'm asking in the wrong places, but this is happening > > > all the time and very annoying. > > > Our Organization uses Chinese more often than English and SpamAssassin > > > always thinks that the mail is spam and it scores very high. Most of the > > > time, Mail sent by Outlook Express will be marked as Spam, no matter > > > they are from a MacOS or from Windows. > > > >I think you need the following in spam.assassin.prefs.conf... > > > >ok_languages en zh > >ok_locales en zh > > > >NOTE: ok_locales en is already specified in spam.assassin.prefs.conf, so > >you'll need to find and change that line. ok_languages is not in there > >as the default is to allow all languages - so you might just omit it > >anyway.
If you're really having problems omit/comment out ok_languages > >and ok_locales to let everything through without performing any of these > >language/locale checks. > >If that doesn't work you could also assign a zero score to those tests > >which are causing false positives for you. e.g. (I'm guessing you might > >see this one quite a bit...) > >score SUBJ_FULL_OF_8BITS 0 > > > >(CHARSET_FARAWAY and CHARSET_FARAWAY_HEADERS should both be sorted by > >changing ok_locales) > > > >more info... http://www.spamassassin.org/doc/Mail_SpamAssassin_Conf.html > > > > > > > >BMRB International > >http://www.bmrb.co.uk > >+44 (0)20 8566 5000 > >_________________________________________________________________ > >This message (and any attachment) is intended only for the > >recipient and may contain confidential and/or privileged > >material. If you have received this in error, please contact the > >sender and delete this message immediately. Disclosure, copying > >or other action taken in respect of this email or in > >reliance on it is prohibited. BMRB International Limited > >accepts no liability in relation to any personal emails, or > >content of any email which does not directly relate to our > >business. > > -- > Julian Field > www.MailScanner.info > Professional Support Services at www.MailScanner.biz > MailScanner thanks transtec Computers for their support > > -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From m.sapsed at BANGOR.AC.UK Mon Mar 17 13:49:14 2003 From: m.sapsed at BANGOR.AC.UK (Martin Sapsed) Date: Thu Jan 12 21:17:30 2006 Subject: Beta test please References: <5.2.0.9.2.20030313200314.02721ea0@imap.ecs.soton.ac.uk> Message-ID: <3E75D25A.2010905@bangor.ac.uk> Julian Field wrote: > Before I publish this to the world, can you test these for me please? > > Only the mailscanner*rpm has changed, the other RPM's are as before.
> > The ChangeLog says this: > * New Features and Improvements * > [...] > - Improved wording of message to spam senders. Does this mean the translations will need updating or have you improved all the translations too? ;-) Cheers, Martin -- Martin Sapsed Information Services "Who do you say I am?" University of Wales, Bangor Jesus of Nazareth From mbowman at UDCOM.COM Mon Mar 17 13:28:53 2003 From: mbowman at UDCOM.COM (Matthew Bowman) Date: Thu Jan 12 21:17:30 2006 Subject: Correct Syntax for allowing files Message-ID: Hello, A client of ours sends out a virus definition file update in the form of a .bat file. The filename is Virus Definition Update-Remote Users.bat. In my filename.rules.conf file I put in the following line then restarted MailScanner allow 'Virus Definition Update-Remote Users.bat' - - MailScanner still blocked it as it looked at .bat as the extension as the full filename. Where am I going wrong here? Thanks Regards, Matthew K Bowman From mailscanner at ecs.soton.ac.uk Mon Mar 17 13:55:00 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:30 2006 Subject: Correct Syntax for allowing files In-Reply-To: Message-ID: <5.2.0.9.2.20030317135311.03cc9dd0@imap.ecs.soton.ac.uk> At 13:28 17/03/2003, you wrote: >Hello, > >A client of ours sends out a virus definition file update in the form >of a .bat file. The filename is Virus Definition Update-Remote Users.bat. > > >In my filename.rules.conf file I put in the following line then restarted >MailScanner > >allow 'Virus Definition Update-Remote Users.bat' - - 2 problems. Remove the quotes and make sure there are tabs between the 4 fields in the line, not spaces. I would also advise changing ".bat" to "\.bat$" as you want a literal "." and not "any character" and the test should be tied to the end of the filename, or else someone could send you "........bat.exe" and it would get through. 
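The two problems named in the reply above (spaces instead of tabs between the four fields, and an allow pattern whose ".bat" is neither escaped nor tied to the end of the name), as an added Python sketch that is not part of the original post and is not MailScanner code. The rule sets and sample filenames are constructed; first-match-wins evaluation, case-insensitive matching and "allow" for names that match no rule are assumptions of this model.

```python
import re

# Constructed rule sets for illustration, not MailScanner's shipped file.
# Layout as described in the reply: four fields separated by tabs
# (action, pattern, log text, user report).
AS_POSTED = "allow 'Virus Definition Update-Remote Users.bat' - -\n"
LOOSE = (
    "allow\tVirus Definition Update-Remote Users.bat\t-\t-\n"
    "deny\t\\.bat$\tBatch file\tBatch files are blocked\n"
    "deny\t\\.exe$\tExecutable\tExecutables are blocked\n"
)
# Same rules with the allow pattern changed as advised: "\.bat$".
ANCHORED = LOOSE.replace("Users.bat\t", "Users\\.bat$\t")

SAMPLES = [
    "Virus Definition Update-Remote Users.bat",      # the intended file
    "Virus Definition Update-Remote Users.bat.exe",  # extra extension appended
    "Virus Definition Update-Remote Users_bat.exe",  # '.' matched as any char
    "cleanup.bat",                                   # unrelated batch file
]


def parse_rules(text):
    """Return (rules, problems); each rule is (action, pattern, regex)."""
    rules, problems = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        fields = [f for f in line.split("\t") if f]
        if len(fields) != 4:
            problems.append(
                (lineno, "need 4 tab-separated fields, found %d" % len(fields)))
            continue
        action, pattern = fields[0].lower(), fields[1]
        if action not in ("allow", "deny"):
            problems.append((lineno, "unknown action %r" % action))
            continue
        if len(pattern) > 1 and pattern[0] in "'\"" and pattern[-1] == pattern[0]:
            problems.append((lineno, "pattern is wrapped in quotes"))
            continue
        # Assumption: patterns are matched case-insensitively. Python's re and
        # Perl regexes agree on the simple patterns used here.
        rules.append((action, pattern, re.compile(pattern, re.IGNORECASE)))
    return rules, problems


def decide(rules, filename, default="allow"):
    # Assumption: rules are tried top to bottom and the first match decides;
    # a name that matches no rule gets `default`.
    for action, _pattern, regex in rules:
        if regex.search(filename):
            return action
    return default


def lint_allow_rules(rules):
    """Flag allow patterns that can match more than the one intended name."""
    warnings = []
    for action, pattern, _regex in rules:
        if action != "allow":
            continue
        if not pattern.endswith("$") or pattern.endswith("\\$"):
            warnings.append((pattern, "not anchored to the end of the filename"))
        # Simplification: a dot inside a [...] class is reported as well.
        if re.search(r"(?<!\\)\.", pattern):
            warnings.append((pattern, "unescaped '.' matches any character"))
    return warnings


def compare():
    """Map each sample name to (decision under LOOSE, decision under ANCHORED)."""
    loose, _ = parse_rules(LOOSE)
    anchored, _ = parse_rules(ANCHORED)
    return {n: (decide(loose, n), decide(anchored, n)) for n in SAMPLES}


if __name__ == "__main__":
    print("as posted:", parse_rules(AS_POSTED)[1])
    for name, (before, after) in compare().items():
        print("%-46s loose=%-5s anchored=%s" % (name, before, after))
    for pattern, why in lint_allow_rules(parse_rules(LOOSE)[0]):
        print("lint:", pattern, "->", why)
```

The lint step is worth running over every allow line in a rules file, since an allow that matches too much wins before any later deny is reached.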
-- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Mon Mar 17 13:57:10 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:30 2006 Subject: Beta test please In-Reply-To: <3E75D25A.2010905@bangor.ac.uk> References: <5.2.0.9.2.20030313200314.02721ea0@imap.ecs.soton.ac.uk> Message-ID: <5.2.0.9.2.20030317135554.04743b30@imap.ecs.soton.ac.uk> At 13:49 17/03/2003, you wrote: >Julian Field wrote: >>Before I publish this to the world, can you test these for me please? >> >>Only the mailscanner*rpm has changed, the other RPM's are as before. >> >>The ChangeLog says this: >>* New Features and Improvements * >>[...] >>- Improved wording of message to spam senders. > >Does this mean the translations will need updating or have you improved >all the translations too? ;-) Ideally, an update of the translations would be nice. The new English text is "If you are sending spam and continue to do so, your Internet Service Provider may be contacted and requested to close your account." Thanks folks! BTW I have fixed the remaining problems with SpamAssassin 2.50 as well. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From raymond at PROLOCATION.NET Mon Mar 17 14:15:37 2003 From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:17:30 2006 Subject: Beta test please In-Reply-To: <5.2.0.9.2.20030317135554.04743b30@imap.ecs.soton.ac.uk> Message-ID: Hi! > >Does this mean the translations will need updating or have you improved > >all the translations too? ;-) > Thanks folks! > BTW I have fixed the remaining problems with SpamAssassin 2.50 as well. Any version we could test yet ? :) Bye, Raymond. From mbowman at UDCOM.COM Mon Mar 17 14:10:57 2003 From: mbowman at UDCOM.COM (Matthew Bowman) Date: Thu Jan 12 21:17:30 2006 Subject: Correct Syntax for allowing files Message-ID: Thanks that worked like a charm. 
Matthew Julian Field Sent by: MailScanner mailing list 03/17/2003 08:55 AM Please respond to MailScanner mailing list To: MAILSCANNER@JISCMAIL.AC.UK cc: Subject: Re: Correct Syntax for allowing files At 13:28 17/03/2003, you wrote: >Hello, > >A client of ours sends out a virus definition file update in the form >of a .bat file. The filename is Virus Definition Update-Remote Users.bat. > > >In my filename.rules.conf file I put in the following line then restarted >MailScanner > >allow 'Virus Definition Update-Remote Users.bat' - - 2 problems. Remove the quotes and make sure there are tabs between the 4 fields in the line, not spaces. I would also advise changing ".bat" to "\.bat$" as you want a literal "." and not "any character" and the test should be tied to the end of the filename, or else someone could send you "........bat.exe" and it would get through. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From Denis.Beauchemin at USHERBROOKE.CA Mon Mar 17 14:21:12 2003 From: Denis.Beauchemin at USHERBROOKE.CA (Denis Beauchemin) Date: Thu Jan 12 21:17:30 2006 Subject: Beta test please In-Reply-To: <5.2.0.9.2.20030317135554.04743b30@imap.ecs.soton.ac.uk> References: <5.2.0.9.2.20030313200314.02721ea0@imap.ecs.soton.ac.uk> <5.2.0.9.2.20030317135554.04743b30@imap.ecs.soton.ac.uk> Message-ID: <1047910872.31992.4.camel@dbeauchemin.si.usherbrooke.ca> On Mon 17/03/2003 at 08:57, Julian Field wrote: > Ideally, an update of the translations would be nice. The new English text is > > "If you are sending spam and continue to do so, your > Internet Service Provider may be contacted and requested to close your > account." In French: Si vous continuez à nous envoyer des polluriels nous allons contacter votre fournisseur de services Internet pour lui demander de bloquer votre compte. Denis -- Denis Beauchemin, analyste Université de Sherbrooke, S.T.I.
T: 819.821.8000x2252 F: 819.821.8045 From Cleveland at MAIL.WINNEFOX.ORG Mon Mar 17 14:28:42 2003 From: Cleveland at MAIL.WINNEFOX.ORG (Jody Cleveland) Date: Thu Jan 12 21:17:30 2006 Subject: need to restart when adding to whitelist? Message-ID: <84CFA712F666B44A94CE6BE116BAF4B0B4E4A8@MAIL> Hello, Do I need to restart MailScanner each time I add to the whitelist? -- Jody Cleveland (cleveland@winnefox.org) Winnefox Library System Computer Support Specialist From raymond at PROLOCATION.NET Mon Mar 17 14:31:14 2003 From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:17:30 2006 Subject: need to restart when adding to whitelist? In-Reply-To: <84CFA712F666B44A94CE6BE116BAF4B0B4E4A8@MAIL> Message-ID: Hi! > Do I need to restart MailScanner each time I add to the whitelist? If you want to activate the changes, yes :) Bye, Raymond. From Cleveland at MAIL.WINNEFOX.ORG Mon Mar 17 14:37:34 2003 From: Cleveland at MAIL.WINNEFOX.ORG (Jody Cleveland) Date: Thu Jan 12 21:17:30 2006 Subject: need to restart when adding to whitelist? Message-ID: <84CFA712F666B44A94CE6BE116BAF4B0B4E4A9@MAIL> > If you want to activate the changes, yes :) Ok, that's what I thought. Now, I am using spamassassin with it. Should I use the whitelist for that, or is the one for MailScanner ok? Jody From raymond at PROLOCATION.NET Mon Mar 17 14:24:50 2003 From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:17:30 2006 Subject: Beta test please In-Reply-To: <1047910872.31992.4.camel@dbeauchemin.si.usherbrooke.ca> Message-ID: Hi! > > "If you are sending spam and continue to do so, your > > Internet Service Provider may be contacted and requested to close your > > account." Dutch: Als u spam stuurt en van plan bent hiermee door te gaan kan uw Internet Service Provider benaderd worden en gevraagd worden uw account op te heffen. Bye, Raymond. 
> > Denis > From t.d.lee at DURHAM.AC.UK Mon Mar 17 14:43:32 2003 From: t.d.lee at DURHAM.AC.UK (David Lee) Date: Thu Jan 12 21:17:30 2006 Subject: Beta test please In-Reply-To: <1047910872.31992.4.camel@dbeauchemin.si.usherbrooke.ca> References: <5.2.0.9.2.20030313200314.02721ea0@imap.ecs.soton.ac.uk> <5.2.0.9.2.20030317135554.04743b30@imap.ecs.soton.ac.uk> <1047910872.31992.4.camel@dbeauchemin.si.usherbrooke.ca> Message-ID: On Mon, 17 Mar 2003, Denis Beauchemin wrote: > On Mon 17/03/2003 at 08:57, Julian Field wrote: > > Ideally, an update of the translations would be nice. The new English text is > > > > "If you are sending spam and continue to do so, your > > Internet Service Provider may be contacted and requested to close your > > account." > > In French: > Si vous continuez à nous envoyer des polluriels nous allons contacter > votre fournisseur de services Internet pour lui demander de bloquer > votre compte. To my shame, I have largely forgotten the French I learned at school. But it strikes me that the translation of: your [ISP] may be contacted into: nous allons contacter votre [...] seems subtly different on two counts: 1. The "may" has become "will" (lit. "are going to"); 2. The "passive" has become "active" ("we" will do the contacting). A re-translation back to English would become "we will contact ...", wouldn't it? Is that the intention of the message? If so, perhaps that is what the English version, too, should say. -- : David Lee I.T. Service : : Systems Programmer Computer Centre : : University of Durham : : http://www.dur.ac.uk/t.d.lee/ South Road : : Durham : : Phone: +44 191 374 2882 U.K.
: From m.sapsed at BANGOR.AC.UK Mon Mar 17 14:51:38 2003 From: m.sapsed at BANGOR.AC.UK (Martin Sapsed) Date: Thu Jan 12 21:17:30 2006 Subject: Kmail and Netscape Mail with Mailscanner References: <200303131114.37023.vic@vicsfamily.net> Message-ID: <3E75E0FA.8000303@bangor.ac.uk> Victor Cain wrote: > I am running mailscanner 3.27, spamassassin 2.43, fetchmail 5.9.11, exim 3.36 > and using Kmail to read mail on a Debian Sarge system, thanks to many e-mails > from Julian. It is working fine, as long as the Debian incompatibilities > don't get too bad, however I would also like to read mail with Netscape Mail > as an alternative to Kmail. > > Netscape Mail can send mail the same way as Kmail, just sending to "localhost" > but Netscape Mail doesn't read the mail. Kmail just reads from "localhost" > but when I try that with Netscape, nothing happens. Mailx, which is also on > the system, does read it, but not Netscape. Do I need for MailScanner to > send it to a different place? Any help would be appreciated. [...] > XIII KMAIL CONFIGURATION > > NOTE: Kmail does not communicate directly with the ISP's mail server > > Incoming (Receiving) > POP Host: localhost > Port: 110 > Dest Fldr: inbox > > Outgoing (Sending) > SMTP Host: localhost > Port: 25 > > XIV NETSCAPE MAIL CONFIGURATION > > I don't have the slightest idea how to get Netscape Mail to read the incoming mail. > I did succeed in getting the outgoing mail working by just changing the ISP mail > server (smtp.comcast.net) with "localhost", leaving everything else alone. > > IF ANYONE KNOWS HOW TO DO THIS, PLEASE LET ME KNOW! If KMail is reading using POP from localhost, you need to configure Netscape to do the same. It's in the Mail&Newsgroup preferences somewhere depending on which version of Netscape you're using. Cheers, Martin -- Martin Sapsed Information Services "Who do you say I am?"
University of Wales, Bangor Jesus of Nazareth From mailscanner at ecs.soton.ac.uk Mon Mar 17 14:52:02 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:30 2006 Subject: Beta test please In-Reply-To: References: <5.2.0.9.2.20030317135554.04743b30@imap.ecs.soton.ac.uk> Message-ID: <5.2.0.9.2.20030317144809.049aba40@imap.ecs.soton.ac.uk> At 14:15 17/03/2003, you wrote: >Hi! > > > >Does this mean the translations will need updating or have you improved > > >all the translations too? ;-) > > > Thanks folks! > > BTW I have fixed the remaining problems with SpamAssassin 2.50 as well. > >Any version we could test yet ? :) Sure. Beta version 4.14-5 is posted on the web site. This email is intentionally not billed as an announcement, I don't want everyone running this. The only RPM I have changed is the mailscanner rpm itself. The ChangeLog currently looks like this: * New Features and Improvements * - Signed and/or encrypted messages can now be signed without breaking the PGP/GPG signed portion of the message. - Improved OpenBSD installation and upgrading instructions. - Added check of location of all required system commands. - Improved wording of message to spam senders. - Increased max size of messages sent to SpamAssassin. Spam messages are getting bigger. - All variables in the supplied conf file are now set to something, even if just a blank value. This will make upgrade_MailScanner_conf work better. * Fixes * - Fixed important bug in filename checking code causing it not to check long filenames properly. - Changed setuid/setgid code so taint mode is not switched on. - Fixed various other issues kindly brought to my attention by Tony Finch at Cambridge Univ. - Fixed problem with deleting recipients from messages with Exim. - Fixed problem with headers being passed to SpamAssassin from Exim incorrectly. - Fixed problem when running internal TNEF decoder. - Fixed locking problems when SpamAssassin 2.50 times out. 
-- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Mon Mar 17 14:35:27 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:30 2006 Subject: need to restart when adding to whitelist? In-Reply-To: References: <84CFA712F666B44A94CE6BE116BAF4B0B4E4A8@MAIL> Message-ID: <5.2.0.9.2.20030317143442.04748e60@imap.ecs.soton.ac.uk> At 14:31 17/03/2003, you wrote: >Hi! > > > Do I need to restart MailScanner each time I add to the whitelist? > >If you want to activate the changes, yes :) A "reload" will do. This just sends a "kill -HUP" to each of the processes, forcing them to re-read their configuration files. It's quicker than doing a "restart". -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Mon Mar 17 14:46:31 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:30 2006 Subject: need to restart when adding to whitelist? In-Reply-To: <84CFA712F666B44A94CE6BE116BAF4B0B4E4A9@MAIL> Message-ID: <5.2.0.9.2.20030317144555.0497c930@imap.ecs.soton.ac.uk> At 14:37 17/03/2003, you wrote: > > If you want to activate the changes, yes :) > >Ok, that's what I thought. Now, I am using spamassassin with it. Should I >use the whitelist for that, or is the one for MailScanner ok? If you use any other spam features in MailScanner such as the "Spam Lists", then you should definitely put it in the MailScanner whitelist. If not, then it's pretty much up to you... 
-- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Mon Mar 17 14:45:46 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:30 2006 Subject: Beta test please In-Reply-To: References: <1047910872.31992.4.camel@dbeauchemin.si.usherbrooke.ca> <5.2.0.9.2.20030313200314.02721ea0@imap.ecs.soton.ac.uk> <5.2.0.9.2.20030317135554.04743b30@imap.ecs.soton.ac.uk> <1047910872.31992.4.camel@dbeauchemin.si.usherbrooke.ca> Message-ID: <5.2.0.9.2.20030317144458.02f10f30@imap.ecs.soton.ac.uk> At 14:43 17/03/2003, you wrote: >On Mon, 17 Mar 2003, Denis Beauchemin wrote: > > > On Mon 17/03/2003 at 08:57, Julian Field wrote: > > > Ideally, an update of the translations would be nice. The new English > text is > > > > > > "If you are sending spam and continue to do so, your > > > Internet Service Provider may be contacted and requested to close your > > > account." > > > > In French: > > Si vous continuez à nous envoyer des polluriels nous allons contacter > > votre fournisseur de services Internet pour lui demander de bloquer > > votre compte. > >To my shame, I have largely forgotten the French I learned at school. > >But it strikes me that the translation of: > your [ISP] may be contacted >into: > nous allons contacter votre [...] > >seems subtly different on two counts: > >1. The "may" has become "will" (lit. "are going to"); Should definitely be "may". It's a threat, not a promise. >2. The "passive" has become "active" ("we" will do the contacting).
I sure ain't doin' no contactin' :-) -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From Denis.Beauchemin at USHERBROOKE.CA Mon Mar 17 14:54:41 2003 From: Denis.Beauchemin at USHERBROOKE.CA (Denis Beauchemin) Date: Thu Jan 12 21:17:30 2006 Subject: Beta test please In-Reply-To: References: <5.2.0.9.2.20030313200314.02721ea0@imap.ecs.soton.ac.uk> <5.2.0.9.2.20030317135554.04743b30@imap.ecs.soton.ac.uk> <1047910872.31992.4.camel@dbeauchemin.si.usherbrooke.ca> Message-ID: <1047912881.31992.13.camel@dbeauchemin.si.usherbrooke.ca> David, Your French is not bad at all... You are right about my translation. I think that "MAY" is not strong enough. It's like telling someone facing murder charges that we don't like the way he dresses... he couldn't care less! In fact here in Québec this point is rather moot because our ISPs don't care about such complaints. They only act when the authorities (police or government) force them to. Denis On Mon 17/03/2003 at 09:43, David Lee wrote: > On Mon, 17 Mar 2003, Denis Beauchemin wrote: > > > On Mon 17/03/2003 at 08:57, Julian Field wrote: > > > Ideally, an update of the translations would be nice. The new English text is > > > > > > "If you are sending spam and continue to do so, your > > > Internet Service Provider may be contacted and requested to close your > > > account." > > > > In French: > > Si vous continuez à nous envoyer des polluriels nous allons contacter > > votre fournisseur de services Internet pour lui demander de bloquer > > votre compte. > > To my shame, I have largely forgotten the French I learned at school. > > But it strikes me that the translation of: > your [ISP] may be contacted > into: > nous allons contacter votre [...] > > seems subtly different on two counts: > > 1. The "may" has become "will" (lit. "are going to"); > > 2. The "passive" has become "active" ("we" will do the contacting).
> > A re-translation back to English would become "we will contact ...", > wouldn't it? Is that the intention of the message? If so, perhaps that > is what the English version, too, should say. -- Denis Beauchemin, analyste Université de Sherbrooke, S.T.I. T: 819.821.8000x2252 F: 819.821.8045 From mailscanner at LISTS.COM.AR Mon Mar 17 15:44:22 2003 From: mailscanner at LISTS.COM.AR (Mariano Absatz) Date: Thu Jan 12 21:17:30 2006 Subject: Beta test please In-Reply-To: <5.2.0.9.2.20030317135554.04743b30@imap.ecs.soton.ac.uk> References: <3E75D25A.2010905@bangor.ac.uk> Message-ID: <3E75C326.30099.9FAB8147@localhost> On 17 Mar 2003 at 13:57, Julian Field wrote: > At 13:49 17/03/2003, you wrote: > >Julian Field wrote: > >>Before I publish this to the world, can you test these for me please? > >> > >>Only the mailscanner*rpm has changed, the other RPM's are as before. > >> > >>The ChangeLog says this: > >>* New Features and Improvements * > >>[...] > >>- Improved wording of message to spam senders. > > > >Does this mean the translations will need updating or have you improved > >all the translations too? ;-) > > Ideally, an update of the translations would be nice. The new English text is > > "If you are sending spam and continue to do so, your > Internet Service Provider may be contacted and requested to close your > account." Spanish: Si usted está enviando spam y continúa haciéndolo, su Proveedor de Internet podrá ser contactado para requerirle que le clausure su cuenta. Luis? R-U there? Waddaya think? -- Mariano Absatz El Baby ---------------------------------------------------------- Windows, another fine product from the folks who gave us EDLIN. From jgoggan at DCG.COM Mon Mar 17 16:03:31 2003 From: jgoggan at DCG.COM (John Goggan) Date: Thu Jan 12 21:17:30 2006 Subject: How to test emails through SA using MS config? Message-ID: <3E75F1D3.13C33D22@dcg.com> Is there some easy way to do message testing/reporting via SA using the MailScanner config?
In other words, I run MS with SA -- and let's say it marks something as spam -- and now I'd like to see a full report. If I was just using SA, I could just do "spamassassin -t < spam.message" to see the report. If I do that as it is now, I don't get the same report -- since my MailScanner config enables things like whitelists and such. How do I go about getting SA to use my MailScanner config options so that I get the report I expect? It just seems that there should be a "MailScanner -t < spam.message" sort of way to do such things easily, yes? - John... From andersan at LTKALMAR.SE Mon Mar 17 16:10:58 2003 From: andersan at LTKALMAR.SE (Anders Andersson, IT) Date: Thu Jan 12 21:17:30 2006 Subject: SV: Beta test please Message-ID: <9F18B7DDBA88E544AB1F19951489166601463F@lkl63.ltkalmar.se> > -----Original Message----- > From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] > Sent: 17 March 2003 14:57 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Beta test please > > > At 13:49 17/03/2003, you wrote: > >Julian Field wrote: > >>Before I publish this to the world, can you test these for > me please? > >> > >>Only the mailscanner*rpm has changed, the other RPM's are as before. > >> > >>The ChangeLog says this: > >>* New Features and Improvements * > >>[...] > >>- Improved wording of message to spam senders. > > > >Does this mean the translations will need updating or have > you improved > >all the translations too? ;-) > > Ideally, an update of the translations would be nice. The new > English text is > > "If you are sending spam and continue to do so, your > Internet Service Provider may be contacted and requested to > close your account." Swedish: Om ni skickar SPAM och fortsätter att skicka SPAM, kommer er ISP att kontaktas med rekommendationen att ert konto stängs med omedelbar verkan. > > Thanks folks! > > BTW I have fixed the remaining problems with SpamAssassin > 2.50 as well.
> -- > Julian Field > www.MailScanner.info > MailScanner thanks transtec Computers for their support > From Kevin.Spicer at BMRB.CO.UK Mon Mar 17 16:32:46 2003 From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin) Date: Thu Jan 12 21:17:30 2006 Subject: Clam Antivirus Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0A4AD59@pascal.priv.bmrb.co.uk> Does anyone know whats going on with Clam? Their website seems to have been down since Friday. BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. From nerijus at USERS.SOURCEFORGE.NET Mon Mar 17 16:47:57 2003 From: nerijus at USERS.SOURCEFORGE.NET (Nerijus Baliunas) Date: Thu Jan 12 21:17:30 2006 Subject: Read quarantined spam in mail cient? In-Reply-To: <3E75FB6E.4528BC6C@dcg.com> References: <3E75FB6E.4528BC6C@dcg.com> Message-ID: <20030317164630.A8884144F3@mx.ktv.lt> On Mon, 17 Mar 2003 11:44:30 -0500 John Goggan wrote: > I have some interest in storing them the new default way though -- as actual > individual files with the header and message in one file. Is there an easy > way to concatenate these together into a client-readable (i.e. mbox format) > version fairly easily? Yes, you can concatenate them after adding From header required for mbox to every message (smth like echo From...>>mbox; cat file>>mbox), or copy single files to Maildir. 
Regards, Nerijus From jgoggan at DCG.COM Mon Mar 17 16:44:30 2003 From: jgoggan at DCG.COM (John Goggan) Date: Thu Jan 12 21:17:30 2006 Subject: Read quarantined spam in mail cient? Message-ID: <3E75FB6E.4528BC6C@dcg.com> A few months ago, I asked about being able to read the quarantined spam easily with a normal mail client (I do this after I make significant spam-catching changes to make sure I'm not identifying too much real mail as spam). At the time, only queue-based (df/qf) storage occurred -- so Julian did up the handy df2mbox -- which works well. I have some interest in storing them the new default way though -- as actual individual files with the header and message in one file. Is there an easy way to concatenate these together into a client-readable (i.e. mbox format) version fairly easily? I assume it should be fairly trivial, but just don't know how to do it myself, sorry. If it is a big problem/difficulty, I guess I could just go back to the queue-file format and continue to use df2mbox. Thanks. - John... From mailscanner at ecs.soton.ac.uk Mon Mar 17 16:29:26 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:30 2006 Subject: How to test emails through SA using MS config? In-Reply-To: <3E75F1D3.13C33D22@dcg.com> Message-ID: <5.2.0.9.2.20030317162723.040296d8@imap.ecs.soton.ac.uk> At 16:03 17/03/2003, you wrote: >Is there some easy way to do message testing/reporting via SA using the >MailScanner config? > >In other words, I run MS with SA -- and let's say it marks something as spam >-- and now I'd like to see a full report. If I was just using SA, I could >just to "spamassassin -t < spam.message" to see the report. If I do that as >it is now, I don't get the same report -- since my MailScanner config enables >things like whitelists and such. How do I go about getting SA to use my >MailScanner config options so that I get the report I expect? 
You just surely need to configure a SpamAssassin installation to use the same options as your MailScanner config uses when talking to SpamAssassin. You could even set up a script run via an account with a ".forward" file, so that it took the message, ran it through spamassassin -t and then replied with the report. >It just seems that there should be a "MailScanner -t < spam.message" sort of >way to do such things easily, yes? It's not quite as easy as that... -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From carles at descom.es Mon Mar 17 17:04:41 2003 From: carles at descom.es (Carles Xavier Munyoz Baldó) Date: Thu Jan 12 21:17:30 2006 Subject: Clam Antivirus In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB0A4AD59@pascal.priv.bmrb.co.uk> References: <5C0296D26910694BB9A9BBFC577E7AB0A4AD59@pascal.priv.bmrb.co.uk> Message-ID: <200303171804.44524.carles@descom.es> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Monday 17 March 2003 17:32, Spicer, Kevin wrote: > Does anyone know whats going on with Clam? Their website seems to have > been down since Friday. Yes, and I get the error:

[...]
Checking for a new database - started at Mon Mar 17 15:31:47 2003
viruses.db2 is up to date.
ERROR: The checksum of viruses.db database isn't ok. Please check it yourself or try again.
[...]

When the update daemon tries to update its virus database. Greetings. - --- Carles Xavier Munyoz Baldó
carles@descom.es Descom Consulting Telf: +34 965861024 Fax: +34 965861024 http://www.descom.es/ - --- -----BEGIN PGP SIGNATURE----- Version: PGP 6.5.8 iQA/AwUBPnYAKTvYAf7VZNaaEQKzLwCbBMuSbcCpdSO9Mh/eW8DYeGA7wEIAn0Y/ wFi7kgm7VHG6bwookLcoeXud =CBmf -----END PGP SIGNATURE----- From ivan at NUCCI.COM.BR Mon Mar 17 17:13:17 2003 From: ivan at NUCCI.COM.BR (Ivan Mirisola) Date: Thu Jan 12 21:17:30 2006 Subject: Clam Antivirus References: <5C0296D26910694BB9A9BBFC577E7AB0A4AD59@pascal.priv.bmrb.co.uk> <200303171804.44524.carles@descom.es> Message-ID: <3E76022D.2070100@nucci.com.br> I am also getting an error:

]# /usr/bin/freshclam
Checking for a new database - started at Mon Mar 17 14:08:30 2003
Current working dir is /var/lib/clamav
ERROR: Can't connect to port 80 of host clamav.elektrapro.com
ERROR: Connection with clamav.elektrapro.com failed.

I think that they had some problems with their servers or internet link. Or maybe they just retired, who knows. Let's wait and see if they come back soon. >On Monday 17 March 2003 17:32, Spicer, Kevin wrote: > > >>Does anyone know whats going on with Clam? Their website seems to have >>been down since Friday. >> >> Greetings, ---------------------------- Ivan Mirisola Analista de Sistemas Nucci Systems ivan@nucci.com.br +55 11 3049-3610 From mailscanner at ecs.soton.ac.uk Mon Mar 17 16:58:45 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:30 2006 Subject: Read quarantined spam in mail cient? In-Reply-To: <20030317164630.A8884144F3@mx.ktv.lt> References: <3E75FB6E.4528BC6C@dcg.com> <3E75FB6E.4528BC6C@dcg.com> Message-ID: <5.2.0.9.2.20030317165546.02edfdc8@imap.ecs.soton.ac.uk> At 16:47 17/03/2003, you wrote: >On Mon, 17 Mar 2003 11:44:30 -0500 John Goggan wrote: > > > I have some interest in storing them the new default way though -- as > actual > > individual files with the header and message in one file. Is there an easy > > way to concatenate these together into a client-readable (i.e.
mbox format) > > version fairly easily? > >Yes, you can concatenate them after adding From header required for mbox >to every message (smth like echo From...>>mbox; cat file>>mbox), or copy >single files to Maildir. Something like this will give you the idea: Call this make.mbox.sh

#!/bin/sh
# Write every file in the current directory out as one mbox message
for f in *
do
  # Separator line that starts each message in an mbox file
  echo 'From someone@somewhere.com'
  cat "$f"
  # Blank line between messages
  echo
done

And then do ./make.mbox.sh > mailbox-file it will cat together all the files in the current directory with a message break between each one. Someone will probably tell me I can't just use "From someone@somewhere.com", but give it a try anyway. Hopefully that gives you the general idea. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From james at PCXPERIENCE.COM Mon Mar 17 19:51:40 2003 From: james at PCXPERIENCE.COM (James A. Pattie) Date: Thu Jan 12 21:17:30 2006 Subject: Config File Idea Message-ID: <3E76274C.8070207@pcxperience.com> What if the MailScanner code remembered the date/time stamp of each config file when it initially started and parsed them. Then before using the data structure for a given config file, it checks to see if the file has changed and if it did, re-loads the config file. Obviously, we would need some form of file locking, etc. to make sure that you don't read a config file that is half way created and to make this work, we would need a script that locked the file and then let you run vi, etc. and then unlocked it when you were done. The reason I bring this up is for the ideas of making a web configuration interface that many users could be changing settings in a database and then the config program re-generates the config files every X minutes or as the user finishes their changes. But we don't want to constantly be restarting MailScanner or telling the user they are going to have to wait X minutes before their changes are live if we do restart MailScanner all the time, etc. Any thoughts, suggestions, etc. welcome.
Anyone interested in working on a user configuration interface? -- James A. Pattie james@pcxperience.com Linux -- SysAdmin / Programmer Xperience, Inc. http://www.pcxperience.com/ http://www.xperienceinc.com/ GPG Key Available at http://www.pcxperience.com/gpgkeys/james.html -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From craig at STRONG-BOX.NET Mon Mar 17 20:00:24 2003 From: craig at STRONG-BOX.NET (Craig Pratt) Date: Thu Jan 12 21:17:30 2006 Subject: Read quarantined spam in mail cient? In-Reply-To: <3E75FB6E.4528BC6C@dcg.com> Message-ID: <1755838E-58B3-11D7-9E13-000393B9390A@strong-box.net> What we do is tag the message subject with "[bulk]" using the MS "Spam Subject Text" options. Then we use a global procmail rule to store the spam messages in a folder in each user's ~/Mail/Bulk folder:

...
MAILDIR=${HOME}/mail #First check what your mail directory is!
...
:0:
* ^Subject:.\[BULK\]
Bulk

They can view these with IMAP and SquirrelMail when they want to sort through the tailings. You can easily write these into a single file as well. Just give a full path for the mail folder. Craig --- Craig Pratt Strongbox Network Services Inc. mailto:craig@strong-box.net On Monday, March 17, 2003, at 08:44 AM, John Goggan wrote: > A few months ago, I asked about being able to read the quarantined > spam easily > with a normal mail client (I do this after I make significant > spam-catching > changes to make sure I'm not identifying too much real mail as spam). > At the > time, only queue-based (df/qf) storage occurred -- so Julian did up > the handy > df2mbox -- which works well. > > I have some interest in storing them the new default way though -- as > actual > individual files with the header and message in one file. Is there an > easy > way to concatenate these together into a client-readable (i.e. mbox > format) > version fairly easily?
I assume it should be fairly trivial, but just > don't > know how to do it myself, sorry. If it is a big problem/difficulty, I > guess I > could just go back to the queue-file format and continue to use > df2mbox. > > Thanks. > > - John... -- This message checked for dangerous content by MailScanner on StrongBox. From mailscanner at ecs.soton.ac.uk Mon Mar 17 20:09:30 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:30 2006 Subject: Config File Idea In-Reply-To: <3E76274C.8070207@pcxperience.com> Message-ID: <5.2.0.9.2.20030317200921.0226c008@imap.ecs.soton.ac.uk> There are already a few possibilities here. If you are changing the config files, then you should use flock() (advisory file locks) exclusive locks on them while you are updating them, that will make sure that MailScanner isn't trying to read a file you are half way through writing. You can shorten the "Restart Every" time to a few minutes, which just regularly does the same as a MailScanner "reload" does. There is very little efficiency hit by doing this, it just causes MailScanner to scrap scanning the current batches of messages and start processing them again. On a reasonably-loaded MailScanner server that will only cause a few messages to be re-scanned. Or else you can do a "reload" when the config files have been updated. You don't need to do a "restart" which is a much more heavyweight operation. All a "reload" does is do a "kill -HUP" on all the MailScanner processes, causing them all to scrap the current batch, re-read the config files and start again. As for writing a configuration user interface, I don't really have much intention of doing that. Everyone's requirements are so different that it would be impossible to create one which suited everyone. For certain groups of users, this has already been done, such as the Webmin module which has been written.
At 19:51 17/03/2003, you wrote: >What if the MailScanner code remembered the date/time stamp of each >config file when it initially started and parsed them. Then before >using the data structure for a given config file, it checks to see if >the file has changed and if it did, re-loads the config file. > >Obviously, we would need some form of file locking, etc. to make sure >that you don't read a config file that is half way created and to make >this work, we would need a script that locked the file and then let you >run vi, etc. and then unlocked it when you were done. > >The reason I bring this up is for the ideas of making a web >configuration interface that many users could be changing settings in a >database and then the config program re-generates the config files every >X minutes or as the user finishes their changes. But we don't want to >constantly be restarting MailScanner or telling the user they are going >to have to wait X minutes before their changes are live if we do restart >MailScanner all the time, etc. > >Any thoughts, suggestions, etc. welcome. > >Anyone interested in working on a user configuration interface? > >-- >James A. Pattie >james@pcxperience.com > >Linux -- SysAdmin / Programmer >Xperience, Inc. >http://www.pcxperience.com/ >http://www.xperienceinc.com/ > >GPG Key Available at http://www.pcxperience.com/gpgkeys/james.html > > >-- >This message has been scanned for viruses and >dangerous content by MailScanner, and is >believed to be clean. -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support From wkuiters at FREE.FR Mon Mar 17 20:14:26 2003 From: wkuiters at FREE.FR (Willem Kuiters) Date: Thu Jan 12 21:17:30 2006 Subject: sophos 3.67 and wrapper script Message-ID: <20030317201426.GA2561@bragann> I use mailscanner 3.27.1-1 on a debian (sarge) system with sophos. I use Julians IDE-update script and the sophoswrapper script. 
Mine looks like this:

#PackageDir=/usr/local
#prog=sweep # `basename $0`
#
#SAV_IDE=$PackageDir/ide
#LD_LIBRARY_PATH=$PackageDir/lib
#export SAV_IDE
#export LD_LIBRARY_PATH
#
#exec ${PackageDir}/bin/$prog "$@"

Since I upgraded to sophos 3.67, running the sophoswrapper script returns the error: "Error initialising detection engine - missing part of virus data" I tried using the file that came on the Sophos CD in case the fault was caused by an error in downloading the update but the result remained the same. Launching the command "sweep" on the command line works fine. I do not quite see what could cause this error and hope for some hints. Willem From mailscanner at ecs.soton.ac.uk Mon Mar 17 20:24:17 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:30 2006 Subject: sophos 3.67 and wrapper script In-Reply-To: <20030317201426.GA2561@bragann> Message-ID: <5.2.0.9.2.20030317201844.02190ac0@imap.ecs.soton.ac.uk> You will need the scripts out of the version 4 distribution, which I have attached for you. You may need to tweak the paths at the top of them a bit. By the way, there are *major* performance problems with Sophos 3.67. It takes 3 times longer to start up than previous versions. Please lodge a complaint with Sophos tech support, so that they get their lousy new code fixed. The new 3.67 using the old (fast) engine is available, it is the "XRS" version. If you don't have these on your CD from Sophos, contact their tech support and ask where you can download them from. Their new engine is appallingly slow to start up, and the more people that complain about it, the greater chance of them actually fixing it. At 20:14 17/03/2003, you wrote: >I use mailscanner 3.27.1-1 on a debian (sarge) system with sophos. I use >Julians IDE-update script and the sophoswrapper script.
> >Mine looks like this: > >#PackageDir=/usr/local >#prog=sweep # `basename $0` ># >#SAV_IDE=$PackageDir/ide >#LD_LIBRARY_PATH=$PackageDir/lib >#export SAV_IDE >#export LD_LIBRARY_PATH ># >#exec ${PackageDir}/bin/$prog "$@" > >Since I upgraded to sophos 3.67, running the sophoswrapper script >returns the error: > >"Error initialising detection engine - missing part of virus data" > >I tried using the file that came on the Sophos CD in case the fault was >caused by an error in downloading the update but the result remained the >same. Launching the command "sweep" on the command line works fine. > >I do not quite see what could cause this error and hope for some hints. > >Willem -------------- next part -------------- A non-text attachment was scrubbed... Name: sophos-autoupdate Type: application/octet-stream Size: 3673 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030317/0831b8f7/sophos-autoupdate.obj -------------- next part -------------- A non-text attachment was scrubbed... Name: sophos-wrapper Type: application/octet-stream Size: 1502 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030317/0831b8f7/sophos-wrapper.obj -------------- next part -------------- A non-text attachment was scrubbed... 
Name: Sophos.install Type: application/x-internet-signup Size: 2231 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030317/0831b8f7/Sophos.bin -------------- next part -------------- -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support From wkuiters at FREE.FR Mon Mar 17 20:58:17 2003 From: wkuiters at FREE.FR (Willem Kuiters) Date: Thu Jan 12 21:17:30 2006 Subject: sophos 3.67 and wrapper script In-Reply-To: <5.2.0.9.2.20030317201844.02190ac0@imap.ecs.soton.ac.uk> References: <20030317201426.GA2561@bragann> <5.2.0.9.2.20030317201844.02190ac0@imap.ecs.soton.ac.uk> Message-ID: <20030317205817.GA3183@bragann> On Mon, Mar 17, 2003 at 08:24:17PM +0000, Julian Field wrote: > You will need the scripts out of the version 4 distribution, which I have > attached for you. > You may need to tweak the paths at the top of them a bit. > > By the way, there are *major* performance problems with Sophos 3.67. It > takes 3 times longer to start up than previous versions. Please lodge a > complaint with Sophos tech support, so that they get their lousy new code > fixed. The new 3.67 using the old (fast) engine is available, it is the > "XRS" version. If you don't have these on your CD from Sophos, contact > their tech support and ask where you can download them from. > > Their new engine is appallingly slow to start up, and the more people that > complain about it, the greater chance of them actually fixing it. Many thanks, that solved it. I installed the XRS version and your new scripts. I'll write a complaint about the performance problems of the 3.67 engine now. Willem complaint
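The mbox-building loop from the "Read quarantined spam in mail cient?" thread above, extended as an added example (not code posted by any list member): quarantined spam is sender-controlled text, and a body line that begins with "From " makes a plain concatenation show up as an extra message when the mailbox is reviewed. The function names, the MAILER-DAEMON envelope sender and the two sample messages are assumptions constructed for the demonstration, and each quarantine file is assumed to start with ordinary headers.

```shell
#!/bin/sh
# Added example, not code from the thread. Function names, the envelope
# sender and the sample messages are assumptions made for illustration.

# naive_mbox DIR: the loop from the thread, wrapped in a function.
naive_mbox() {
    for f in "$1"/*; do
        echo 'From someone@somewhere.com'
        cat "$f"
        echo
    done
}

# make_mbox DIR: same idea, but with a dated separator and with message
# lines that begin with "From " quoted as ">From " (the mboxo convention).
make_mbox() {
    stamp=$(LC_ALL=C date -u '+%a %b %e %H:%M:%S %Y')
    for f in "$1"/*; do
        [ -f "$f" ] || continue            # skip directories and an empty glob
        printf 'From MAILER-DAEMON %s\n' "$stamp"
        sed 's/^From />From /' "$f"
        printf '\n'
    done
}

# count_messages FILE: number of separator lines, i.e. messages a client shows.
count_messages() {
    grep -c '^From ' "$1"
}

# write_samples DIR: two constructed quarantine files, one message each.
write_samples() {
    cat > "$1/msg1" <<'EOF'
Received: from mail.example.net by mx.example.org; Mon, 17 Mar 2003 16:00:00 +0000
From: offers@example.net
Subject: constructed sample 1

Great news.
From now on you pay less.
EOF
    cat > "$1/msg2" <<'EOF'
From: sales@example.com
Subject: constructed sample 2

Second message.
EOF
}

# Demo: build both mailboxes outside the quarantine directory and compare.
work=$(mktemp -d)
mkdir "$work/quarantine"
write_samples "$work/quarantine"
naive_mbox "$work/quarantine" > "$work/naive.mbox"
make_mbox "$work/quarantine" > "$work/quoted.mbox"
echo "naive:  $(count_messages "$work/naive.mbox") messages"
echo "quoted: $(count_messages "$work/quoted.mbox") messages"
rm -rf "$work"
```

Write the mailbox outside the quarantine directory, otherwise the glob picks up the output file as one more message.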