From craig at STRONG-BOX.NET Sat Mar 1 00:23:36 2003
From: craig at STRONG-BOX.NET (Craig Pratt)
Date: Thu Jan 12 21:17:20 2006
Subject: Problems with two different MIME attachment types
Message-ID: <0AE825F4-4B7C-11D7-882D-000393B9390A@strong-box.net>

Hi all,

Thanks for the great software and community support!

I recently upgraded to MS 4.12-2 (via RH RPM), and updated the
dependent Perl mods. After installation, I tested the new version
against the e-mail virus scanning script in Nessus.

Out of the 5 test messages, 3 were tagged by MS as viruses (by the
filename rules), and 2 got through to my mail client - even when both
the filename rules and RAV antivirus should have tagged the "eicar.com"
test attachment.

Could I get a couple volunteers to verify? You'll just receive 5 test
e-mails generated by the NASL script, each with a 68-byte EICAR test
file ("eicar.com") attached in different forms.

I'll post details in a follow-up, if the problem repros.

If you're interested in the hacked NASL script - which allows you to
run this test stand-alone using the nasl command line - let me know and
I'll forward it along.

Thanks,

Craig Pratt
craig@strong-box.net

--
This message checked for dangerous content by MailScanner on StrongBox.

From mailscanner at ecs.soton.ac.uk Sat Mar 1 11:41:33 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:21 2006
Subject: Problems with two different MIME attachment types
In-Reply-To: <0AE825F4-4B7C-11D7-882D-000393B9390A@strong-box.net>
Message-ID: <5.2.0.9.2.20030301113941.03050d50@imap.ecs.soton.ac.uk>

Just to let everyone know, he has sent the test messages to me and I'm
going to try to work out what they have done to get these through.
Worth noting that so far (fingers crossed) no exploits have been written
that do this trick, and MailScanner is certainly not the only one to
suffer from this.
I will get it corrected as soon as I can.

At 00:23 01/03/2003, you wrote:
>Hi all,
>
>Thanks for the great software and community support!
>
>I recently upgraded to MS 4.12-2 (via RH RPM), and updated the
>dependent Perl mods. After installation, I tested the new version
>against the e-mail virus scanning script in Nessus.
>
>Out of the 5 test messages, 3 were tagged by MS as viruses (by the
>filename rules), and 2 got through to my mail client - even when both
>the filename rules and RAV antivirus should have tagged the "eicar.com"
>test attachment.
>
>Could I get a couple volunteers to verify? You'll just receive 5 test
>e-mails generated by the NASL script, each with a 68-byte EICAR test
>file ("eicar.com") attached in different forms.
>
>I'll post details in a follow-up, if the problem repros.
>
>If you're interested in the hacked NASL script - which allows you to
>run this test stand-alone using the nasl command line - let me know and
>I'll forward it along.
>
>Thanks,
>
>Craig Pratt
>craig@strong-box.net
>
>
>--
>This message checked for dangerous content by MailScanner on StrongBox.

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Sat Mar 1 12:12:13 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:21 2006
Subject: ANNOUNCE: Version 4.13-1 released
Message-ID: <5.2.0.9.2.20030301115845.030b1f50@imap.ecs.soton.ac.uk>

Hi folks!

I have just released the latest version 4.13-1.

Highlights this month include
- Script to automate upgrade of MailScanner.conf files
- Option to ignore some Sophos error messages when scanning files
- Option and Custom Function added to enable SQL logging
- Options to block encrypted (or unencrypted) messages
- Customisation of system administrator notices improved
- Improved check_mailscanner script
- Improved stripping of HTML to plain text
- New Nod32 and Kaspersky updaters. F-Prot updater improved

Download it all as usual from www.mailscanner.info.

The full ChangeLog is this:

* New Features and Improvements *
- Written script to automate upgrade of MailScanner.conf files.
- Added "Notices From" configuration option to change the user-visible
  part of the "From" address in the system administrator notices.
- Added "Allowed Sophos Error Messages" configuration option to ignore
  messages containing error messages from Sophos Anti-Virus.
- Added "Always Looked Up Last" configuration option for use with a
  Custom Function that does things at the end of message-processing such
  as logging extra information to a file and/or an SQL database.
- Added "Block Encrypted Messages" configuration option for use with a
  ruleset to ensure your employees are not covertly talking to your
  competitors.
- Added "Block Unencrypted Messages" configuration option for use with a
  ruleset to ensure that all sensitive mail is always encrypted.
- Improvements to check_mailscanner for most OS's except Linux.
- Improved check_MailScanner script to have "-q" (quiet) option, and
  changed cron job to use it rather than always ignore all output.
- Added check to ensure user's home directory exists and is writable to
  protect against SpamAssassin startup failing quietly.
- Improved stripping HTML to plain-text to ensure links have a whitespace
  immediately after them to ease the job of email clients.
- Improved RPM to detect upgrades and inform users about
  upgrade_MailScanner_conf script.
- Improved F-Prot autoupdater to not block MailScanner if first contact
  to update server locks up.
- Added Nod32 autoupdater.
- Added Kaspersky autoupdater with workaround for their script bugs.
- Increased "Minimum Code Status" for various scanners.
- Improved rulesets to allow optional '.' on the end of addresses.
- Per-domain/per-user spam black+white listing Custom Functions now
  support IP addresses as well as email addresses and email domains.
- Improved docs and rules EXAMPLES a bit after suggestions from users.
- Upgraded external TNEF decoder program to latest version 1.1.4.
- Added logging of child processes dying of old age.

* Fixes *
- Fix to permissions and not over-writing /etc/sysconfig/MailScanner when
  upgrading MailScanner RPM.
- Fix to "nodeps" switch in install.sh.
- Fix to sophos-autoupdate to use "warning" syslog priority, not "warn".
- Fixed filename checking of attachments within winmail.dat TNEF files.
- Changed RAV support to ravav instead of ravlin8 to circumvent GTK+.
- Fixed RAV support as it appears to dislike having no stdin.
- Improved configuration file reader to allow upper+lower case values.
- Fixed "$file" instead of "$filename" errors in Danish reports.

Any problems, give me a shout as usual :-)

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From raymond at PROLOCATION.NET Sat Mar 1 12:49:40 2003
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:17:21 2006
Subject: ANNOUNCE: Version 4.13-1 released
In-Reply-To: <5.2.0.9.2.20030301115845.030b1f50@imap.ecs.soton.ac.uk>
Message-ID:

Hi Julian,

I found some mistakes in the NL language files:

unencrypted = Message was not encrypted

Should be:

unencrypted = Bericht was niet encrypted

And:

encrypted = Message was encrypted

Should be:

encrypted = Bericht was encrypted

Bye,
Raymond.

From raymond at PROLOCATION.NET Sat Mar 1 13:04:26 2003
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:17:21 2006
Subject: ANNOUNCE: Version 4.13-1 released
In-Reply-To: <5.2.0.9.2.20030301115845.030b1f50@imap.ecs.soton.ac.uk>
Message-ID:

Hi!

> - Improved check_mailscanner script

Uhm:

[root@master cron.hourly]# ./check_MailScanner
MailScanner running with pid 14922 14923 14939 14943 14953 14960

It's nice it reports now the pids, but I get a message hourly after
upgrading from cron, I only would like to have output when it's NOT running
ok. :) I don't want to have a mail hourly like this, was ok before :)

Bye,
Raymond.
From raymond at PROLOCATION.NET Sat Mar 1 13:06:03 2003
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:17:21 2006
Subject: ANNOUNCE: Version 4.13-1 released
In-Reply-To:
Message-ID:

Hi!

> [root@master cron.hourly]# ./check_MailScanner
> MailScanner running with pid 14922 14923 14939 14943 14953 14960

I guess you forgot to remove the # in the distribution files...

/usr/sbin/check_MailScanner -q # >/dev/null 2>&1

Should be:

/usr/sbin/check_MailScanner -q >/dev/null 2>&1

Bye,
Raymond

From mailscanner at ecs.soton.ac.uk Sat Mar 1 13:14:58 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:21 2006
Subject: ANNOUNCE: Version 4.13-1 released
In-Reply-To:
References:
Message-ID: <5.2.0.9.2.20030301131431.02224808@imap.ecs.soton.ac.uk>

At 13:06 01/03/2003, you wrote:
>Hi!
>
> > [root@master cron.hourly]# ./check_MailScanner
> > MailScanner running with pid 14922 14923 14939 14943 14953 14960
>
>I guess you forgot to remove the # in the distribution files...
>
>/usr/sbin/check_MailScanner -q # >/dev/null 2>&1
>
>Should be:
>
>/usr/sbin/check_MailScanner -q >/dev/null 2>&1

The -q should stop it outputting the list of pids.

>Bye,
>Raymond

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Sat Mar 1 13:14:04 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:21 2006
Subject: ANNOUNCE: Version 4.13-1 released
In-Reply-To:
References: <5.2.0.9.2.20030301115845.030b1f50@imap.ecs.soton.ac.uk>
Message-ID: <5.2.0.9.2.20030301131308.021ece60@imap.ecs.soton.ac.uk>

At 13:04 01/03/2003, you wrote:
>Hi!
>
> > - Improved check_mailscanner script
>
>Uhm:
>
>[root@master cron.hourly]# ./check_MailScanner
>MailScanner running with pid 14922 14923 14939 14943 14953 14960

Run
check_mailscanner -q

>It's nice it reports now the pids, but I get a message hourly after
>upgrading from cron, I only would like to have output when it's NOT running
>ok. :) I don't want to have a mail hourly like this, was ok before :)

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From raymond at PROLOCATION.NET Sat Mar 1 13:38:09 2003
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:17:21 2006
Subject: ANNOUNCE: Version 4.13-1 released
In-Reply-To: <5.2.0.9.2.20030301131431.02224808@imap.ecs.soton.ac.uk>
Message-ID:

Hi!

> >I guess you forgot to remove the # in the distribution files...
> >/usr/sbin/check_MailScanner -q # >/dev/null 2>&1
> >Should be:
> >/usr/sbin/check_MailScanner -q >/dev/null 2>&1
>
> The -q should stop it outputting the list of pids.

It should, but it doesn't :)

[root@master cron.hourly]# /usr/sbin/check_MailScanner -q
MailScanner running with pid 17601 17606 17631 17651 17652 17653

Bye,
Raymond.

From mailscanner at ecs.soton.ac.uk Sat Mar 1 13:51:54 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:21 2006
Subject: ANNOUNCE: Version 4.13-1 released
In-Reply-To:
References: <5.2.0.9.2.20030301131431.02224808@imap.ecs.soton.ac.uk>
Message-ID: <5.2.0.9.2.20030301134923.02222910@imap.ecs.soton.ac.uk>

At 13:38 01/03/2003, you wrote:
>Hi!
>
> > >I guess you forgot to remove the # in the distribution files...
> > >/usr/sbin/check_MailScanner -q # >/dev/null 2>&1
>
> > >Should be:
> > >/usr/sbin/check_MailScanner -q >/dev/null 2>&1
> >
> > The -q should stop it outputting the list of pids.
>
>It should, but it doesn't :)

Try 4.13-2, sorry about that. To save you upgrading, I have attached the
script to this message.

>[root@master cron.hourly]# /usr/sbin/check_MailScanner -q
>MailScanner running with pid 17601 17606 17631 17651 17652 17653
>
>Bye,
>Raymond.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: check_MailScanner
Type: application/octet-stream
Size: 3453 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030301/ef2dbb77/check_MailScanner.obj
-------------- next part --------------
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From raymond at PROLOCATION.NET Sat Mar 1 14:09:02 2003
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:17:21 2006
Subject: ANNOUNCE: Version 4.13-1 released
In-Reply-To: <5.2.0.9.2.20030301134923.02222910@imap.ecs.soton.ac.uk>
Message-ID:

Julian,

> >It should, but it doesn't :)
>
> Try 4.13-2, sorry about that. To save you upgrading, I have attached the
> script to this message.

[root@master cron.hourly]# ./check_MailScanner
Starting MailScanner...
/usr/sbin/check_MailScanner: cd: /opt/MailScanner/bin: No such file or directory
/usr/sbin/check_MailScanner: MailScanner: command not found

It's having paths that don't match my (default) config paths.

I noticed the nl language was already updated in the -2, thanx for quick
adding, the check script however needs some work :)

Default for the configs should point to /etc/MailScanner in the RPM ones.
Both lines are pointing to files in /opt

Let's go for the 4.13-3 :))

Thanks,
Raymond.

From gerry at DORFAM.CA Sat Mar 1 14:16:09 2003
From: gerry at DORFAM.CA (Gerry Doris)
Date: Thu Jan 12 21:17:21 2006
Subject: Support Question
Message-ID:

After going back and reading your messages I believe I may have
misinterpreted how you intend to setup your pay for support mailing list.

I had originally thought you intended to eliminate this free mailing list
and only provide the pay for support mailing list.
In actual fact you intend to keep this list and add the pay for support
list...correct?

--
Gerry

"The lyfe so short, the craft so long to learne" Chaucer

From mike at ZANKER.ORG Sat Mar 1 14:27:52 2003
From: mike at ZANKER.ORG (Mike Zanker)
Date: Thu Jan 12 21:17:21 2006
Subject: ANNOUNCE: Version 4.13-1 released
In-Reply-To:
References:
Message-ID: <451930531.1046528872@jemima.zanker.org>

On 01 March 2003 14:38 +0100 Raymond Dijkxhoorn wrote:

> [root@master cron.hourly]# /usr/sbin/check_MailScanner -q
> MailScanner running with pid 17601 17606 17631 17651 17652 17653

Yes, I noticed that too. Also, /etc/cron.hourly/check_MailScanner is
not even the same as /usr/sbin/check_MailScanner.

Confused,

Mike.

From raymond at PROLOCATION.NET Sat Mar 1 14:32:58 2003
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:17:21 2006
Subject: ANNOUNCE: Version 4.13-1 released
In-Reply-To: <451930531.1046528872@jemima.zanker.org>
Message-ID:

Hi Mike,

> > MailScanner running with pid 17601 17606 17631 17651 17652 17653
> Yes, I noticed that too. Also, /etc/cron.hourly/check_MailScanner is
> not even the same as /usr/sbin/check_MailScanner.

The script in cron.hourly is simply pointing towards the scripts in
/usr/sbin. That's normal. I installed -2 but that one is not ok either,
the script has hardcoded paths inside that should be changed for the rpm
install at least.

Change this:

msbindir=/usr/sbin
config=/etc/MailScanner/MailScanner.conf

And it should work like advertised, the the 4.13-2 installed.

I guess Julian will announce a 4.13-3 shortly :)

Bye,
Raymond.

From marco at MUW.EDU Sat Mar 1 14:43:43 2003
From: marco at MUW.EDU (Marco Obaid)
Date: Thu Jan 12 21:17:21 2006
Subject: ANNOUNCE: Version 4.13-1 released
In-Reply-To:
References:
Message-ID: <1046529823.3e60c71f1c4da@webmail.MUW.Edu>

> [root@master cron.hourly]# ./check_MailScanner
> Starting MailScanner...
> /usr/sbin/check_MailScanner: cd: /opt/MailScanner/bin: No such file or
> directory
> /usr/sbin/check_MailScanner: MailScanner: command not found

I ran into the same thing. I think it is an error in check_mailscanner.
I edited /usr/sbin/check_mailscanner to this:

process=Mailscanner
msbindir=/usr/sbin
config=/etc/MailScanner/MailScanner.conf

Now things are working for me with 4.13-2

Marco


_________________________________________________________________
This mail is sent through MUW Webmail: http://www.MUW.Edu/webmail
For the latest MUW Events, visit http://www.MUW.Edu/calendar

From mike at ZANKER.ORG Sat Mar 1 14:38:38 2003
From: mike at ZANKER.ORG (Mike Zanker)
Date: Thu Jan 12 21:17:21 2006
Subject: ANNOUNCE: Version 4.13-1 released
In-Reply-To:
References:
Message-ID: <452576890.1046529518@jemima.zanker.org>

On 01 March 2003 15:32 +0100 Raymond Dijkxhoorn wrote:

> The script in cron.hourly is simply pointing towards the scripts in
> /usr/sbin.

D'oh - I noticed that almost as soon as I posted!

> Change this:
>
> msbindir=/usr/sbin
> config=/etc/MailScanner/MailScanner.conf
>
> And it should work like advertised, the the 4.13-2 installed.

Yes, already done that thanks...

Mike.

From mailscanner at ecs.soton.ac.uk Sat Mar 1 14:43:20 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:21 2006
Subject: ANNOUNCE: Version 4.13-1 released
In-Reply-To: <1046529823.3e60c71f1c4da@webmail.MUW.Edu>
References:
Message-ID: <5.2.0.9.2.20030301144202.024fdec0@imap.ecs.soton.ac.uk>

Sorry for the packaging problem.
I have just done a clean installation of 4.13-3 and it appears to work now.

At 14:43 01/03/2003, you wrote:
> > [root@master cron.hourly]# ./check_MailScanner
> > Starting MailScanner...
> > /usr/sbin/check_MailScanner: cd: /opt/MailScanner/bin: No such file or
> > directory
> > /usr/sbin/check_MailScanner: MailScanner: command not found
>
>I ran into the same thing. I think it is an error in check_mailscanner.
>I edited /usr/sbin/check_mailscanner to this:
>
>process=Mailscanner
>msbindir=/usr/sbin
>config=/etc/MailScanner/MailScanner.conf
>
>Now things are working for me with 4.13-2
>
>Marco
>
>
>_________________________________________________________________
>This mail is sent through MUW Webmail: http://www.MUW.Edu/webmail
>For the latest MUW Events, visit http://www.MUW.Edu/calendar

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Sat Mar 1 14:47:14 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:21 2006
Subject: Support Question
In-Reply-To:
Message-ID: <5.2.0.9.2.20030301144342.0253ceb8@imap.ecs.soton.ac.uk>

At 14:16 01/03/2003, you wrote:
>After going back and reading your messages I believe I may have
>misinterpreted how you intend to setup your pay for support mailing list.
>
>I had originally thought you intended to eliminate this free mailing list
>and only provide the pay for support mailing list. In actual fact you
>intend to keep this list and add the pay for support list...correct?

Correct. But you won't see much of me on the free list other than for bug
fixes and announcements. My aim is to provide better support on the paid
list than I currently do on the free list. Annual support offerings will,
among other things, include membership of the paid list.

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From tjc at ecs.soton.ac.uk Sat Mar 1 15:27:54 2003
From: tjc at ecs.soton.ac.uk (Tim Chown)
Date: Thu Jan 12 21:17:21 2006
Subject: canadian mirror
In-Reply-To: <5.2.0.9.2.20030228172803.0271deb0@imap.ecs.soton.ac.uk>
References: <5.2.0.9.2.20030228171016.024c3010@imap.ecs.soton.ac.uk> <5.2.0.9.2.20030228171016.024c3010@imap.ecs.soton.ac.uk> <5.2.0.9.2.20030228172803.0271deb0@imap.ecs.soton.ac.uk>
Message-ID: <20030301152754.GN5776@login.ecs.soton.ac.uk>

On Fri, Feb 28, 2003 at 05:35:01PM +0000, Julian Field wrote:
>
> I am leaving mailscanner.info where it is (certainly for now, it might get
> moved eventually). There are political reasons for leaving it on our main
> dept web server as it gets the dept some subtle advertising and obviously
> associates MailScanner with our dept, which the management like (and I am
> quite happy about too).

Glad to hear it ;-)

Historically MailScanner came out of a JISC-funded project that the
University of Southampton had, through which we realised a) the excessive
price of Windows-based scanners (per-seat is so nasty) and b) the lack of
Unix-based alternatives (one commercial, plus an early amavis, for example).
Having determined that, and with Jules' enthusiasm and dedication, the rest
is history :)

By bringing in a paid support system we both allow Jules to get a reward
for his work, and also people to get better support if they wish to pay for
it (if enough do, the MailScanner team can be expanded...). The key aspect
of "commercialisation" is that the code will remain free, and support
(self-help) free.

The .info domain was one of a few .info's we grabbed when they were enabled
a while back; I guess no one else bid for it, or we got lucky. Not sure who's
on mailscanner.com, looks like someone in LA...

Jules will also of course still be giving some free advice, e.g.
there's a MailScanner BoF at Networkshop UK in April in York.

Tim

From mike at ZANKER.ORG Sat Mar 1 16:21:45 2003
From: mike at ZANKER.ORG (Mike Zanker)
Date: Thu Jan 12 21:17:21 2006
Subject: canadian mirror
In-Reply-To: <20030301152754.GN5776@login.ecs.soton.ac.uk>
References: <5.2.0.9.2.20030228171016.024c3010@imap.ecs.soton.ac.uk>
Message-ID: <458764375.1046535705@jemima.zanker.org>
 <5.2.0.9.2.20030228171016.024c3010@imap.ecs.soton.ac.uk>
 <5.2.0.9.2.20030228172803.0271deb0@imap.ecs.soton.ac.uk>
 <20030301152754.GN5776@login.ecs.soton.ac.uk>
X-Mailer: Mulberry/3.0.2 (Win32)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
X-Mallard-MailScanner: Found to be clean

On 01 March 2003 15:27 +0000 Tim Chown wrote:

> Jules will also of course still be giving some free advice, e.g.
> there's a MailScanner BoF at Networkshop UK in April in York.

Yes, probably see you there...

Mike.

From dot at DOTAT.AT Sat Mar 1 16:14:10 2003
From: dot at DOTAT.AT (Tony Finch)
Date: Thu Jan 12 21:17:21 2006
Subject: Mailscanner and Exim with "split_spool_directory = true"
In-Reply-To:
References: <5.2.0.9.2.20030228135517.03b59b60@imap.ecs.soton.ac.uk> <3E5F6762.6020700@marinocrane.com> <5.2.0.9.2.20030228135517.03b59b60@imap.ecs.soton.ac.uk> <20030228151933.GA30294@peerlessmfg.com>
Message-ID:

Julian Field wrote:
>At 15:19 28/02/2003, you wrote:
>>Is it possible to use mailscanner with exim when split_spool_directory
>>is set to true. I have not had any success with this option while using
>>mailscanner.
>
>No it isn't I'm afraid. Sorry about that.

I haven't got around to investigating this properly, but I have a couple
of thoughts on the matter. You ought to be able to have a split spool
directory on the smtp listener by using a configuration like
        Incoming Queue Dir = /var/spool/exim.in/input/*
but there isn't much point in this because the incoming spool dir
should always be small.
split_spool is much more important for the
outgoing Exim because it's doing all the retries, and because of its
support for turning the option on and off with messages already in the
spool, it may be possible to make MailScanner just leave the messages
in /var/spool/exim/input and rely on Exim to move them into the correct
subdirectory.

BTW I'm using Exim with MailScanner with only one Exim configuration file
by using a trick, as follows. In the Exim configuration file put
        SPOOL = /var/spool/exim
        spool_directory = SPOOL
i.e. use a macro to define the spool directory. Then you invoke the SMTP
listening exim with a command-line macro definition to override the one
in the configuration file, and -odq to turn off immediate delivery:
        exim -bd -odq -DSPOOL=/var/spool/exim.in
and the outgoing/queue-running exim with an extra option to make it
create a pid file which it won't do by default (because it has no -bd):
        exim -q15m -oP /var/spool/exim/exim-daemon.pid
The Sendmail and Sendmail2 options in MailScanner can then be the same
and without command line options. Unlike the recommended configuration
this means that locally-generated email will bypass MailScanner, which
should be OK if you don't have users on the machine.

Tony.
--
f.a.n.finch http://dotat.at/
THE WASH TO NORTH FORELAND: SOUTHWEST BACKING SOUTHEAST 3 OR 4 OCCASIONALLY 5,
BUT LATER VEERING SOUTH OR SOUTHWEST. RAIN FOR A TIME. MODERATE OR GOOD.
MAINLY SLIGHT, BUT LOCALLY MODERATE AT FIRST.

From dot at DOTAT.AT Sat Mar 1 16:18:38 2003
From: dot at DOTAT.AT (Tony Finch)
Date: Thu Jan 12 21:17:21 2006
Subject: ANNOUNCE: Version 4.13-1 released
In-Reply-To:
Message-ID:

Julian Field wrote:
>
>- Improved rulesets to allow optional '.' on the end of addresses.

Hmm. That's a syntax error that should be rejected by the MTA...

Tony.
--
f.a.n.finch http://dotat.at/
FISHER GERMAN BIGHT: SOUTHWEST 4 IN SOUTHWEST GERMAN BIGHT AT TIMES, OTHERWISE
SOUTHEAST 5 TO 7, OCCASIONALLY GALE 8 IN FISHER. RAIN OR SLEET.
MODERATE OR POOR.

From mailscanner at ecs.soton.ac.uk Sat Mar 1 16:38:47 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:21 2006
Subject: ANNOUNCE: Version 4.13-1 released
In-Reply-To:
References:
Message-ID: <5.2.0.9.2.20030301163733.02286eb8@imap.ecs.soton.ac.uk>

At 16:18 01/03/2003, you wrote:
>Julian Field wrote:
> >
> >- Improved rulesets to allow optional '.' on the end of addresses.
>
>Hmm. That's a syntax error that should be rejected by the MTA...

Disagree here. As a DNS domain name,
         spammer.com.
is just as valid as
         spammer.com
I always thought the same applied to mail addresses.

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Sat Mar 1 16:36:52 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:21 2006
Subject: Mailscanner and Exim with "split_spool_directory = true"
In-Reply-To:
References: <5.2.0.9.2.20030228135517.03b59b60@imap.ecs.soton.ac.uk> <3E5F6762.6020700@marinocrane.com> <5.2.0.9.2.20030228135517.03b59b60@imap.ecs.soton.ac.uk> <20030228151933.GA30294@peerlessmfg.com>
Message-ID: <5.2.0.9.2.20030301163416.0225ae40@imap.ecs.soton.ac.uk>

At 16:14 01/03/2003, you wrote:
>Julian Field wrote:
> >At 15:19 28/02/2003, you wrote:
> >>Is it possible to use mailscanner with exim when split_spool_directory
> >>is set to true. I have not had any success with this option while using
> >>mailscanner.
> >
> >No it isn't I'm afraid. Sorry about that.
>
>I haven't got around to investigating this properly, but I have a couple
>of thoughts on the matter. You ought to be able to have a split spool
>directory on the smtp listener by using a configuration like
>        Incoming Queue Dir = /var/spool/exim.in/input/*
>but there isn't much point in this because the incoming spool dir
>should always be small. split_spool is much more important for the
>outgoing Exim because it's doing all the retries, and because of its
>support for turning the option on and off with messages already in the
>spool, it may be possible to make MailScanner just leave the messages
>in /var/spool/exim/input and rely on Exim to move them into the correct
>subdirectory.

What you can currently do to split your outgoing spool dir up into several
is to use a ruleset to calculate "Outgoing Queue Dir" so that, for example,
internal messages get 1 queue while external (leaving your site) messages
go in another queue. You run a queue-runner Exim process for each of your
outgoing queues. I have seen this done with sendmail to quite good effect.
Gets you speed on internal messages separate from the potentially large
queue of mail leaving your site bound for other (slow) SMTP servers.

>BTW I'm using Exim with MailScanner with only one Exim configuration file
>by using a trick, as follows. In the Exim configuration file put
>        SPOOL = /var/spool/exim
>        spool_directory = SPOOL
>i.e. use a macro to define the spool directory. Then you invoke the SMTP
>listening exim with a command-line macro definition to override the one
>in the configuration file, and -odq to turn off immediate delivery:
>        exim -bd -odq -DSPOOL=/var/spool/exim.in
>and the outgoing/queue-running exim with an extra option to make it
>create a pid file which it won't do by default (because it has no -bd):
>        exim -q15m -oP /var/spool/exim/exim-daemon.pid
>The Sendmail and Sendmail2 options in MailScanner can then be the same
>and without command line options. Unlike the recommended configuration
>this means that locally-generated email will bypass MailScanner, which
>should be OK if you don't have users on the machine.
>
>Tony.
>--
>f.a.n.finch http://dotat.at/
>THE WASH TO NORTH FORELAND: SOUTHWEST BACKING SOUTHEAST 3 OR 4 OCCASIONALLY 5,
>BUT LATER VEERING SOUTH OR SOUTHWEST. RAIN FOR A TIME. MODERATE OR GOOD.
>MAINLY SLIGHT, BUT LOCALLY MODERATE AT FIRST.

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From dot at DOTAT.AT Sat Mar 1 16:30:17 2003
From: dot at DOTAT.AT (Tony Finch)
Date: Thu Jan 12 21:17:21 2006
Subject: FAQ-O-Matic available
In-Reply-To:
Message-ID:

I have tried to register with this but it never sends the validation
email.

Tony.
--
f.a.n.finch http://dotat.at/
LANDS END TO ST DAVIDS HEAD INCLUDING THE BRISTOL CHANNEL: SOUTHWEST 4 OR 5
VEERING WEST 4 FOR A TIME. SHOWERS THEN MAINLY FAIR. MAINLY GOOD. ROUGH.

From urgent at mailscanner.info Sat Mar 1 16:42:40 2003
From: urgent at mailscanner.info (urgent@mailscanner.info)
Date: Thu Jan 12 21:17:21 2006
Subject: Automated reply from urgent@www.mailscanner.biz
Message-ID: <200303011642.h21Gge332532@mailscanner.biz>

This has been sent to our support staff by SMS.
If you didn't put your telephone number and name at the start of the
message, please re-send it.

Please email the full details of your fault to support@mailscanner.biz.

From MAILER-DAEMON at mailscanner.info Sat Mar 1 16:42:40 2003
From: MAILER-DAEMON at mailscanner.info (Mail Delivery Subsystem)
Date: Thu Jan 12 21:17:21 2006
Subject: Returned mail: see transcript for details
Message-ID: <200303011642.h21Ggd232526@mailscanner.biz>

The original message was received at Sat, 1 Mar 2003 16:42:36 GMT
from raven.ecs.soton.ac.uk [152.78.70.1]

   ----- The following addresses had permanent fatal errors -----
urgent-list
    (reason: 550 5.1.1 User unknown)
    (expanded from: )

   ----- Transcript of session follows -----
550 5.1.1 urgent-list... User unknown
-------------- next part --------------
Skipped content of type message/delivery-status
-------------- next part --------------
An embedded message was scrubbed...
From: Julian Field
Subject: Test 2
Date: Sat, 01 Mar 2003 16:42:30 +0000
Size: 1231
Url: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030301/0cd04a6d/attachment.mht

From dot at DOTAT.AT Sat Mar 1 16:48:50 2003
From: dot at DOTAT.AT (Tony Finch)
Date: Thu Jan 12 21:17:21 2006
Subject: ANNOUNCE: Version 4.13-1 released
In-Reply-To:
References:
Message-ID:

Julian Field wrote:
>At 16:18 01/03/2003, you wrote:
>>Julian Field wrote:
>> >
>> >- Improved rulesets to allow optional '.' on the end of addresses.
>>
>>Hmm. That's a syntax error that should be rejected by the MTA...
>
>Disagree here. As a DNS domain name,
>         spammer.com.
>is just as valid as
>         spammer.com
>I always thought the same applied to mail addresses.

It's one of the peculiar differences between the two :-)

RFC 2821:

      Domain = (sub-domain 1*("." sub-domain)) / address-literal
      sub-domain = Let-dig [Ldh-str]
      Let-dig = ALPHA / DIGIT
      Ldh-str = *( ALPHA / DIGIT / "-" ) Let-dig

RFC 2822:

      domain          =       dot-atom / domain-literal / obs-domain
      dot-atom        =       [CFWS] dot-atom-text [CFWS]
      dot-atom-text   =       1*atext *("." 1*atext)
      atom            =       [CFWS] 1*atext [CFWS]

The same is true for local parts too, which is slightly more surprising:

RFC 2821:

      Local-part = Dot-string / Quoted-string
      Dot-string = Atom *("." Atom)
      Atom = 1*atext

RFC 2822:

      local-part      =       dot-atom / quoted-string / obs-local-part

Tony.
--
f.a.n.finch http://dotat.at/
SELSEY BILL TO LYME REGIS: SOUTHWEST 5 VEERING WEST OR NORTHWEST 3 OR 4.
SHOWERS. MAINLY GOOD. MODERATE LOCALLY ROUGH AT FIRST.

From hh at HACKHAWK.NET Sat Mar 1 17:12:16 2003
From: hh at HACKHAWK.NET (Hack Hawk)
Date: Thu Jan 12 21:17:21 2006
Subject: septic tank emails
In-Reply-To: <06EE2C86D3DAD5119A6C0060943F3C970402C1A3@tormail1.algorith mics.com>
Message-ID: <5.1.0.14.0.20030301090753.043f06f0@mail.nightsource.com>

I got the same email, and put the following in my local.cf to increase the
score for similar email to the septic tank email.
If I knew perl syntax better I'd replace the 30 with a wild card number of zero through 100 or something. Maybe someone could offer something better for that rule?

------------------------------------------------------------------------
body LOCAL_FREE430 /\bfree for 30 days\b/i
describe LOCAL_FREE430 Talks about something free for 30 days
body LOCAL_EXCLUDE_SELF /\bexclude yourself\b/i
describe LOCAL_EXCLUDE_SELF Talks about excluding yourself

score LOCAL_FREE430 1.000
score LOCAL_EXCLUDE_SELF 1.000
------------------------------------------------------------------------

Thanks
- hawk

At 07:51 AM 02/28/2003, Derek Winkler wrote:

>Use a SpamAssassin local rule to increase the score:
>
>body LOCAL_sewer /septic tank/i
>describe LOCAL_sewer "Body contains septic tank"
>score LOCAL_sewer 5
>
>I put these in /etc/mail/spamassassin/local.cf
>
>There should be a way to do subject, I just didn't have an example handy.
>
>-----Original Message-----
>From: Matthew Bowman [mailto:mbowman@udcom.com]
>Sent: Friday, February 28, 2003 10:31 AM
>To: MAILSCANNER@jiscmail.ac.uk
>Subject: septic tank emails
>
>Greetings
>
>We are being bombarded with septic tank emails and they are not being
>flagged as spam as the score is so low. What is the best way to blacklist
>these
>type of emails? (I'd rather do it on subject not domain).
>
>Thanks
>
>Matthew.
> >----- > >Headers: > >Field Name: X_MailScanner_SpamCheck >Data Type: Text List >Data Length: 239 bytes >Seq Num: 1 >Dup Item ID: 0 >Field Flags: > >"not spam, SpamAssassin (score=1.7, required 4.8, BIG_FONT, >CTYPE_JUST_HTML, SPAM_PHRASE_00_01, TO_ADDRESS_EQ_REAL), not spam, >SpamAssassin (score=1.7, required 4.8, AWL, BIG_FONT, CTYPE_JUST_HTML, >SPAM_PHRASE_00_01, TO_ADDRESS_EQ_REAL)" > >Field Name: X_Real_Return_Path >Data Type: Text List >Data Length: 29 bytes >Seq Num: 1 >Dup Item ID: 0 >Field Flags: > >"yy55frs@fsd.paknet.com.pk" > >Field Name: SendTo >Data Type: Text List >Data Length: 53 bytes >Seq Num: 1 >Dup Item ID: 0 >Field Flags: SUMMARY > >""tiwcrpumn@lgh.lg.co.kr" " > >Field Name: Body >Data Type: MIME Part >Data Length: 447 bytes >Seq Num: 1 >Dup Item ID: 0 >Field Flags: SIGN SEAL > >"Content-Type: text/html > > > > >Fuck Saddam Hussein > > > > >

>href="http://www.kososo.com/cl5/spc/free_trial.html">Do >you have a >Septic >Tank?

>

>href="http://www.kososo.com/cl5/spc/free_trial.html">Free >and Important > >Information.

> > > > >" From mailscanner at ecs.soton.ac.uk Sat Mar 1 17:24:28 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:21 2006 Subject: septic tank emails In-Reply-To: <5.1.0.14.0.20030301090753.043f06f0@mail.nightsource.com> References: <06EE2C86D3DAD5119A6C0060943F3C970402C1A3@tormail1.algorith mics.com> Message-ID: <5.2.0.9.2.20030301172342.02894e60@imap.ecs.soton.ac.uk> At 17:12 01/03/2003, you wrote: >I got the same email, and put the following in my local.cf to increase the >score for similar email to the septic tank email. If I knew perl syntax >better I'd replace the 30 with a wild card number of zero through 100 or >something. Maybe someone could offer something better for that rule? Replace 30 with \d+ which means "1 or more digits". >------------------------------------------------------------------------ >body LOCAL_FREE430 /\bfree for 30 days\b/i >describe LOCAL_FREE430 Talks about something free for 30 days >body LOCAL_EXCLUDE_SELF /\bexlude yourself\b/i >describe LOCAL_EXCLUDE_SELF Talks about excluding yourself > >score LOCAL_FREE430 1.000 >score LOCAL_EXCLUDE_SELF 1.000 >------------------------------------------------------------------------ > >Thanks >- hawk > >At 07:51 AM 02/28/2003, Derek Winkler wrote: > >>Use a SpamAssassin local rule to increase the score: >> >>body LOCAL_sewer /septic tank/i >>describe LOCAL_ISS "Body contains septic tank" >>score LOCAL_ISS 5 >> >>I put these in /etc/mail/spamassassin/local.cf >> >>There should be a way to do subject, I just didn't have an example handy. >> >>-----Original Message----- >>From: Matthew Bowman [mailto:mbowman@udcom.com] >>Sent: Friday, February 28, 2003 10:31 AM >>To: MAILSCANNER@jiscmail.ac.uk >>Subject: septic tank emails >> >>Greetings >> >>We are being bombarded with septic tank emails and they are not being >>flagged as spam as the score is so low. What is the best way to blacklist >>these >>type of emails ? (I'd rather do it on subject not domain). 
>> >>Thanks >> >>Matthew. >> >>----- >> >>Headers: >> >>Field Name: X_MailScanner_SpamCheck >>Data Type: Text List >>Data Length: 239 bytes >>Seq Num: 1 >>Dup Item ID: 0 >>Field Flags: >> >>"not spam, SpamAssassin (score=1.7, required 4.8, BIG_FONT, >>CTYPE_JUST_HTML, SPAM_PHRASE_00_01, TO_ADDRESS_EQ_REAL), not spam, >>SpamAssassin (score=1.7, required 4.8, AWL, BIG_FONT, CTYPE_JUST_HTML, >>SPAM_PHRASE_00_01, TO_ADDRESS_EQ_REAL)" >> >>Field Name: X_Real_Return_Path >>Data Type: Text List >>Data Length: 29 bytes >>Seq Num: 1 >>Dup Item ID: 0 >>Field Flags: >> >>"yy55frs@fsd.paknet.com.pk" >> >>Field Name: SendTo >>Data Type: Text List >>Data Length: 53 bytes >>Seq Num: 1 >>Dup Item ID: 0 >>Field Flags: SUMMARY >> >>""tiwcrpumn@lgh.lg.co.kr" " >> >>Field Name: Body >>Data Type: MIME Part >>Data Length: 447 bytes >>Seq Num: 1 >>Dup Item ID: 0 >>Field Flags: SIGN SEAL >> >>"Content-Type: text/html >> >> >> >> >>Fuck Saddam Hussein >> >> >> >> >>

>>>href="http://www.kososo.com/cl5/spc/free_trial.html">Do >>you have a >>Septic >>Tank?

>>

>>>href="http://www.kososo.com/cl5/spc/free_trial.html">Free >>and Important >> >>Information.

>> >> >> >> >>" -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support From ms at MLSIS.CO.UK Sat Mar 1 19:05:03 2003 From: ms at MLSIS.CO.UK (Matt Lowe) Date: Thu Jan 12 21:17:21 2006 Subject: postfix compatability? Message-ID: <1046545503.1887.20.camel@luggage> Hi im new to this mailing list, but after searching the arcives all i could find was a mention of this in the posible future. Is there any way to intergrate mailscanner and postfix yet? without useing sendmail/exim? Im running postfix on my router/mail server, and do not want to have to try and config sendmail and postfix on one machine (if this is even posible!). Thanks Matt Lowe From raymond at PROLOCATION.NET Sat Mar 1 19:19:08 2003 From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:17:21 2006 Subject: postfix compatability? In-Reply-To: <1046545503.1887.20.camel@luggage> Message-ID: Hi! > Is there any way to intergrate mailscanner and postfix yet? without > useing sendmail/exim? > > Im running postfix on my router/mail server, and do not want to have to > try and config sendmail and postfix on one machine (if this is even > posible!). Currently thats the only way to do it yes. No postfix support at the moment. Bye, Raymond. From mailscanner at ecs.soton.ac.uk Sat Mar 1 19:21:46 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:21 2006
Subject: postfix compatability?
In-Reply-To: <1046545503.1887.20.camel@luggage>
Message-ID: <5.2.0.9.2.20030301192035.023d6a30@imap.ecs.soton.ac.uk>

At 19:05 01/03/2003, you wrote:
>Hi, I'm new to this mailing list, but after searching the archives all I
>could find was a mention of this in the possible future.
>
>Is there any way to integrate mailscanner and postfix yet? without
>using sendmail/exim?

Someone has some patches somewhere that might integrate the two. Postfix support is our next planned major feature.

>I'm running postfix on my router/mail server, and do not want to have to
>try and config sendmail and postfix on one machine (if this is even
>possible!).

Got a spare machine to run MailScanner+Exim/sendmail on?

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

From ms at MLSIS.CO.UK Sat Mar 1 19:54:35 2003
From: ms at MLSIS.CO.UK (Matt Lowe)
Date: Thu Jan 12 21:17:21 2006
Subject: postfix compatability?
Message-ID: <1046548476.1887.32.camel@luggage>

On Sat, 2003-03-01 at 19:21, Julian Field wrote:
> At 19:05 01/03/2003, you wrote:
> >Hi, I'm new to this mailing list, but after searching the archives all I
> >could find was a mention of this in the possible future.
> >
> >Is there any way to integrate mailscanner and postfix yet? without
> >using sendmail/exim?
>
> Someone has some patches somewhere that might integrate the two. Postfix
> support is our next planned major feature.

Anyone any idea where these patches might be?

Any news on when postfix integration might be out?

>
> >I'm running postfix on my router/mail server, and do not want to have to
> >try and config sendmail and postfix on one machine (if this is even
> >possible!).
>
> Got a spare machine to run MailScanner+Exim/sendmail on?

I could run it on my main server, but if I could set up sendmail/exim then
I'd probably use that, I'm using postfix because my router software
pre-configs it for me, I'm having enough probs getting the server to run
smoothly, and without any maintenance requirements :)
Have tried setting up sendmail in the past and got nowhere with it :(
I know exim is meant to be easier, but unless I can find a tutorial that
gives me 'press this key, press that key' then it's going to take me a
long time to get it up and running :(

> --
> Julian Field
> www.MailScanner.info
> Professional Support Services at www.MailScanner.biz
> MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Sat Mar 1 20:01:38 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:21 2006
Subject: postfix compatability?
In-Reply-To: <1046548476.1887.32.camel@luggage>
Message-ID: <5.2.0.9.2.20030301195904.0273ae10@imap.ecs.soton.ac.uk>

At 19:54 01/03/2003, you wrote:
>On Sat, 2003-03-01 at 19:21, Julian Field wrote:
> > At 19:05 01/03/2003, you wrote:
> > >Hi, I'm new to this mailing list, but after searching the archives all I
> > >could find was a mention of this in the possible future.
> > >
> > >Is there any way to integrate mailscanner and postfix yet? without
> > >using sendmail/exim?
> >
> > Someone has some patches somewhere that might integrate the two. Postfix
> > support is our next planned major feature.
>
>Anyone any idea where these patches might be?
>
>Any news on when postfix integration might be out?
>
> >
> > >I'm running postfix on my router/mail server, and do not want to have to
> > >try and config sendmail and postfix on one machine (if this is even
> > >possible!).
> >
> > Got a spare machine to run MailScanner+Exim/sendmail on?
>I could run it on my main server, but if I could set up sendmail/exim then
>I'd probably use that, I'm using postfix because my router software
>pre-configs it for me, I'm having enough probs getting the server to run
>smoothly, and without any maintenance requirements :)
>Have tried setting up sendmail in the past and got nowhere with it :(
>I know exim is meant to be easier, but unless I can find a tutorial that
>gives me 'press this key, press that key' then it's going to take me a
>long time to get it up and running :(

Exim is *fairly* easy to configure. I can probably give you some help if you need it. Get Exim built first, then I guess we need to set it up so that it listens on port 25, with postfix listening on port 26. You will have to get postfix listening on port 26 yourself, I don't know how to do that. The aim is to run Exim on port 25, with its output going into postfix via port 26 (which isn't normally used).
-- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support From jrudd at UCSC.EDU Sat Mar 1 21:18:28 2003 From: jrudd at UCSC.EDU (John Rudd) Date: Thu Jan 12 21:17:21 2006 Subject: FREQ: Rule _Program_ Message-ID: <200303012118.h21LISp29476@kzin.ucsc.edu> Would it be possible to, instead of having huge static rule files that cover, say, 20,000 different recipient accounts, have a program which will dynamically generate the same response? Basically, the option would be that you'd tell mailscanner.conf that instead of looking in a rule file for the answer, you should run a certain program and it will generate the answer on the fly. I'm not sure about the exact right implementation details (put a pipe symbol at the end of the file name, to indicate that this is a program instead of a file? or have it be something expressed in the rule file? etc.), but I think it might help with managing large sites where you want each user to have the ability to set their own options. Otherwise, I can see mailscanner becoming bloated with multiple 20,000 line rule files. The program would probably want to know various things, so maybe it would want to be told who the recipients are, who the sender is, and maybe a few other details. Not sure about that side of things. From mailscanner at ecs.soton.ac.uk Sat Mar 1 22:07:37 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:21 2006 Subject: FREQ: Rule _Program_ In-Reply-To: <200303012118.h21LISp29476@kzin.ucsc.edu> Message-ID: <5.2.0.9.2.20030301220618.022a5d50@imap.ecs.soton.ac.uk> Read CustomConfig.pm. In there, you will find documentation about how to write your own plugins, and examples covering per-domain whitelists/blacklists and SQL logging of activity. At 21:18 01/03/2003, you wrote: >Would it be possible to, instead of having huge static rule files that >cover, say, 20,000 different recipient accounts, have a program which >will dynamically generate the same response? Basically, the option >would be that you'd tell mailscanner.conf that instead of looking in >a rule file for the answer, you should run a certain program and it >will generate the answer on the fly. > > >I'm not sure about the exact right implementation details (put a pipe >symbol at the end of the file name, to indicate that this is a program >instead of a file? or have it be something expressed in the rule file? >etc.), but I think it might help with managing large sites where you >want each user to have the ability to set their own options. Otherwise, >I can see mailscanner becoming bloated with multiple 20,000 line rule >files. > > >The program would probably want to know various things, so maybe it >would want to be told who the recipients are, who the sender is, >and maybe a few other details. Not sure about that side of things. -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support From mike at UNIXSECURITY.ORG Sat Mar 1 23:41:46 2003 
From: mike at UNIXSECURITY.ORG (Mike Wallis) Date: Thu Jan 12 21:17:21 2006 Subject: Sopos Upgrade Issues Message-ID: <3E61453A.3030409@unixsecurity.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 I upgraded Sophos to v3.67 today, and am now getting errors when Mailscanner is trying to scan mail: Error initialising detection engine - missing part of virus data Error initialising detection engine - missing part of virus data etc, etc... It appears that Sophos has updated their virus data format: "The new version of Sophos Anti-Virus can read virus data from a number of small files, rather than from a single, large file. Future monthly updates of Sophos Anti-Virus will involve replacing only those virus data files that have been updated." Is this something new that will be patched, or have I not been paying attention and need to finally upgrade Mailscanner to the current version so this will start working again? - -- Mike Wallis -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1-nr1 (Windows 2000) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQE+YUU6t9Knt4ko5pURAksJAJ93yY33K/28/6md3LPm4DQjVu4gwwCfUnqH 1RdZuGEdrSVK3rzeoNEckNg= =Qit3 -----END PGP SIGNATURE----- From mike at CAMAROSS.NET Sat Mar 1 23:54:18 2003 From: mike at CAMAROSS.NET (Mike Kercher) Date: Thu Jan 12 21:17:21 2006 Subject: Sopos Upgrade Issues In-Reply-To: <3E61453A.3030409@unixsecurity.org> Message-ID: <001d01c2e04d$dfd7a330$6a01a8c0@home.middlefinger.net> What version of MS are you running? I just upgraded to 4.13-3 today from 4.11-x, but my Sophos has been running fine with 3.67 Mike -----Original Message----- 
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Mike Wallis Sent: Saturday, March 01, 2003 5:42 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Sopos Upgrade Issues -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 I upgraded Sophos to v3.67 today, and am now getting errors when Mailscanner is trying to scan mail: Error initialising detection engine - missing part of virus data Error initialising detection engine - missing part of virus data etc, etc... It appears that Sophos has updated their virus data format: "The new version of Sophos Anti-Virus can read virus data from a number of small files, rather than from a single, large file. Future monthly updates of Sophos Anti-Virus will involve replacing only those virus data files that have been updated." Is this something new that will be patched, or have I not been paying attention and need to finally upgrade Mailscanner to the current version so this will start working again? - -- Mike Wallis -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1-nr1 (Windows 2000) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQE+YUU6t9Knt4ko5pURAksJAJ93yY33K/28/6md3LPm4DQjVu4gwwCfUnqH 1RdZuGEdrSVK3rzeoNEckNg= =Qit3 -----END PGP SIGNATURE----- From Janssen at RZ.UNI-FRANKFURT.DE Sun Mar 2 00:35:39 2003 
From: Janssen at RZ.UNI-FRANKFURT.DE (Michael Janssen)
Date: Thu Jan 12 21:17:21 2006
Subject: Sopos Upgrade Issues
In-Reply-To: <3E61453A.3030409@unixsecurity.org>
Message-ID:

On Sat, 1 Mar 2003, Mike Wallis wrote:

> I upgraded Sophos to v3.67 today, and am now getting errors when
> Mailscanner is trying to scan mail:
> Error initialising detection engine - missing part of virus data
> Error initialising detection engine - missing part of virus data
> etc, etc...

You will also get this error (nice topic for the faq - but I haven't got the 3.67) when starting sophos directly (but use "sophoswrapper" provided by MS-package: it will start Sophos with correct environment settings)

Until now the best advice was to reinstall Sophos completely (delete directory and install). But did you then get the complete vdl-data?

If concerned, you might try to remove and relink the vdl-link (and to any file working as a "part" of the virus data) and move the vdl-file away and back and silly things like that ;-) Sophos sweep can stumble over very sophisticated things in combination with the links used to target the vdl data and Sophos needs no apparent reason for this behaviour (I have once strace'd the sweep process and it claims files as missing which were readable by any other program...). A simple update might yield a non-functional installation. Testing with sophoswrapper is crucial.

Michael

>
> It appears that Sophos has updated their virus data format:
> "The new version of Sophos Anti-Virus can read virus data from a number
> of small files, rather than from a single, large file. Future monthly
> updates of Sophos Anti-Virus will involve replacing only those virus
> data files that have been updated."
>

From mike at UNIXSECURITY.ORG Sun Mar 2 00:41:05 2003
From: mike at UNIXSECURITY.ORG (Mike Wallis) Date: Thu Jan 12 21:17:21 2006 Subject: Sopos Upgrade Issues In-Reply-To: <001d01c2e04d$dfd7a330$6a01a8c0@home.middlefinger.net> References: <001d01c2e04d$dfd7a330$6a01a8c0@home.middlefinger.net> Message-ID: <3E615321.2090004@unixsecurity.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Mike Kercher wrote: |What version of MS are you running? I just upgraded to 4.13-3 today from |4.11-x, but my Sophos has been running fine with 3.67 3.x, but to be honest, I don't recall the exact version, which isn't a good sign. But it's been long enough that upgrading to 4.13-3 seemed like a good idea. After the upgrade, I'm not seeing the errors from Sophos any longer. - -- Mike Wallis -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1-nr1 (Windows 2000) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQE+YVMht9Knt4ko5pURAhdEAJ9wSdfg8/FfvoLu5SKp0y21DNv2egCfbHOH SFBGkmxI2O/rcvu8aR/GqIs= =k5h4 -----END PGP SIGNATURE----- From Janssen at RZ.UNI-FRANKFURT.DE Sun Mar 2 01:25:06 2003 
From: Janssen at RZ.UNI-FRANKFURT.DE (Michael Janssen)
Date: Thu Jan 12 21:17:21 2006
Subject: Sopos Upgrade Issues
In-Reply-To: <3E615321.2090004@unixsecurity.org>
Message-ID:

On Sat, 1 Mar 2003, Mike Wallis wrote:

[missing virus data error]
> After the upgrade, I'm not seeing the errors from Sophos any longer.

Hey! Julian did figure out how to catch this nasty Sophos output, didn't he? Sophos writes directly to /dev/tty, therefore it was tricky.

I suggest you check manually if Sophos is now doing the job (unless it depends on the settings of the sophoswrapper script this error is not associated with MailScanner and an upgrade of MailScanner can't *solve* the problem (unless Julian has programmed a routine that silently repairs a broken Sophos installation. But that would be short to silently log in and fix any problem manually ;-)

cheers
Michael

>
> - --
> Mike Wallis
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.1-nr1 (Windows 2000)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>
> iD8DBQE+YVMht9Knt4ko5pURAhdEAJ9wSdfg8/FfvoLu5SKp0y21DNv2egCfbHOH
> SFBGkmxI2O/rcvu8aR/GqIs=
> =k5h4
> -----END PGP SIGNATURE-----
>

From mailscanner at ecs.soton.ac.uk Sun Mar 2 10:49:54 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:21 2006
Subject: Sopos Upgrade Issues
In-Reply-To: References: <3E615321.2090004@unixsecurity.org>
Message-ID: <5.2.0.9.2.20030302104601.02048d80@imap.ecs.soton.ac.uk>

Sophos have slowly changed over to the new file structure in their scanner. As a result you need a recent sophos-autoupdate. You don't necessarily have to upgrade your entire MailScanner installation, you just need the new sophos-autoupdate and the new Sophos.install.

My Sophos.install does make an attempt at removing any Sophos code that was installed using their installation script, so that their libraries don't get in the way. And when testing it, you have to run sophos-wrapper and not directly run sweep, in order to set up the environment for it properly.

One of my main objections to their layout was that they put the IDE files in with all the code, whereas when updating automatically it makes more sense to keep them in a separate directory which can be completely replaced with a new directory *if* the update succeeds. I don't want to leave a half-working copy of Sophos if something goes wrong.

At 01:25 02/03/2003, you wrote:
>On Sat, 1 Mar 2003, Mike Wallis wrote:
>
>[missing virus data error]
> > After the upgrade, I'm not seeing the errors from Sophos any longer.
>
>Hey! Julian did figure out how to catch this nasty Sophos output, didn't
>he? Sophos writes directly to /dev/tty, therefore it was tricky.
>
>I suggest you check manually if Sophos is now doing the job (unless it
>depends on the settings of the sophoswrapper script this error is not
>associated with MailScanner and an upgrade of MailScanner can't *solve*
>the problem (unless Julian has programmed a routine that silently
>repairs a broken Sophos installation.
But that would be short to silently
>log in and fix any problem manually ;-)
>
>cheers
>Michael
>
> >
> > - --
> > Mike Wallis
> > -----BEGIN PGP SIGNATURE-----
> > Version: GnuPG v1.2.1-nr1 (Windows 2000)
> > Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
> >
> > iD8DBQE+YVMht9Knt4ko5pURAhdEAJ9wSdfg8/FfvoLu5SKp0y21DNv2egCfbHOH
> > SFBGkmxI2O/rcvu8aR/GqIs=
> > =k5h4
> > -----END PGP SIGNATURE-----
> >

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

From Peter.Bates at LSHTM.AC.UK Sun Mar 2 11:31:59 2003
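Julian Field's point in the message above, that the IDE files belong in a separate directory which is replaced only if the update succeeds, sketched as an added example (not MailScanner's sophos-autoupdate and not part of the original posts): stage, verify, then swap, with rollback. The function names, the directory layout and the `.ide` emptiness check are assumptions made for the illustration.

```shell
#!/bin/sh
# Added illustration: replace a scanner data directory only when the freshly
# downloaded copy passes a check, so a failed update never leaves a
# half-working installation behind. All names here are hypothetical.

# Constructed stand-in for a real check (for instance running the scanner's
# wrapper script against the staged files): the directory must contain at
# least one *.ide file and none of them may be empty.
verify_ide_dir() {
    found=0
    for f in "$1"/*.ide; do
        [ -f "$f" ] || continue      # unmatched glob or non-regular file
        [ -s "$f" ] || return 1      # zero-length file: truncated download
        found=1
    done
    [ "$found" -eq 1 ]
}

# replace_dir_if_valid SRC LIVE VERIFY_CMD
#   SRC        directory holding the freshly downloaded update files
#   LIVE       directory the scanner reads its data files from
#   VERIFY_CMD command run as "VERIFY_CMD <staging-dir>"; exit 0 = usable
# Returns 0 when LIVE now holds the new files, 1 when LIVE was left untouched.
replace_dir_if_valid() {
    src=$1 live=$2 verify=$3
    parent=$(dirname "$live")
    base=$(basename "$live")
    staging="$parent/.$base.new.$$"
    previous="$parent/.$base.old.$$"

    # Stage next to LIVE, on the same filesystem, so the final mv is a
    # rename rather than a copy that could be interrupted halfway.
    rm -rf "$staging" "$previous"
    mkdir "$staging" || return 1
    if ! cp -R "$src"/. "$staging"/; then
        rm -rf "$staging"
        return 1
    fi

    # Verify the staged copy, never the live one.
    if ! "$verify" "$staging"; then
        rm -rf "$staging"
        return 1
    fi

    # Swap: move the old directory aside, then move the new one into place.
    # There is a brief window between the two renames in which LIVE does not
    # exist; a symlink switch would close it at the cost of portability.
    if [ -d "$live" ]; then
        mv "$live" "$previous" || { rm -rf "$staging"; return 1; }
    fi
    if ! mv "$staging" "$live"; then
        # Roll back so the scanner keeps its last known-good data.
        [ -d "$previous" ] && mv "$previous" "$live"
        rm -rf "$staging"
        return 1
    fi
    rm -rf "$previous"
    return 0
}
```

Called as `replace_dir_if_valid /tmp/download /path/to/ide verify_ide_dir`, a truncated download leaves the live directory exactly as it was.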
From: Peter.Bates at LSHTM.AC.UK (Peter Bates)
Date: Thu Jan 12 21:17:21 2006
Subject: postfix compatability?
Message-ID:

Hello all...

> mailscanner@ECS.SOTON.AC.UK 03/01/03 20:02 PM >>>
>Exim is *fairly* easy to configure. I can probably give you some
>help if you need it. Get Exim built first, then I guess we need to
>set it up so that it listens on port 25, with postfix listening on
>port 26. You will have to get postfix listening on port 26
>yourself, I don't know how to do that.

Running Postfix still as I am, I can say the answer is in Postfix's 'master.cf' (this controls the transports, where main.cf controls most other things).

There is a line in master.cf saying:

smtp inet n - y - - smtpd

where 'smtp' is the name in /etc/services:

smtp 25/tcp mail

... you could either change 25 to 26 in /etc/services and probably break various things on your system, add a reference to 'smtp-new' in /etc/services, or just change 'smtp' to '26' in the line from master.cf

Clear as mud!

If I was a bit more savvy I'd like to help adding Postfix support to MailScanner, but at the moment it looks like I'll be switching my favourite MTA (at the moment) to Exim (which may of course then become my favourite MTA!)...

--------------------------------------------------------------------------------------------------->
Peter Bates, Systems Support Officer, Network Support Team.
London School of Hygiene & Tropical Medicine.
Telephone:0207-958 8353 / Fax: 0207- 636 9838

From Richard.Lush at HP.COM Sun Mar 2 10:23:01 2003
From: Richard.Lush at HP.COM (Lush, Richard) Date: Thu Jan 12 21:17:21 2006 Subject: Webmin module -0.4 Beta - Released Message-ID: Hi All, Just to let you know that the webmin module supporting MailScanner 4.13 has been released. It can be downloaded from http://lushsoft.dyndns.org/mailscanner-webmin I'm always looking for feedback on what you think or what you want added so please mail me and let me know. Cheers all, Richard Richard Lush Consulting and Integration Security Practice Reading UK Email richard.lush@hp.com Mobile +44 (0) 7788 916941 Office +44 (0) 118 920 2349 Fax +44 (0) 118 920 4612 D I S C L A I M E R The information contained in this communication is intended solely for use by the individual or entity to whom it is addressed. Use of this communication by others is prohibited. HP is neither liable for the proper and complete transmission of the information contained in this communication nor for any delay in its receipt nor for any special, incidental or consequential damages of any nature whatsoever resulting from receipt or use of this communication. If you are not the intended recipient, you may not peruse, use, disseminate, distribute or copy this message. If you have received this message in error, please notify the sender immediately by email, facsimile or telephone and return or destroy the original message. Thank you. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030302/9b6ebe02/attachment.html From marco at MUW.EDU Sun Mar 2 15:04:51 2003 
From: marco at MUW.EDU (Marco Obaid) Date: Thu Jan 12 21:17:21 2006 Subject: High Scoring Spam In-Reply-To: <3E4D1295.2050002@accent.it> References: <002801c2d43e$4ec74be0$be46460a@hazelwood.k12.mo.us> <3E4D1295.2050002@accent.it> Message-ID: <1046617491.3e621d93b46a3@webmail.MUW.Edu> Hello all, What is the logic behind "High Scoring Spam Actions = deliver" ? If a message scores > 5 and I am telling MailScanner to Spam Actions = store. Why would I have to tell it again what to do with High Scoring Spam? I have read the notes in Mailscanner.conf and it just did not click yet :) Maybe I am thinking too much about it or I have a mental block right now. Marco _________________________________________________________________ This mail is sent through MUW Webmail: http://www.MUW.Edu/webmail For the latest MUW Events, visit http://www.MUW.Edu/calendar From sevans at FOUNDATION.SDSU.EDU Sun Mar 2 15:26:39 2003 From: sevans at FOUNDATION.SDSU.EDU (Steve Evans) Date: Thu Jan 12 21:17:21 2006 Subject: High Scoring Spam Message-ID: For example spam is set to a score of 5, high scoring spam is set to 10. Maybe you want to only tag regular spam (between 5 and 9.9) because it's kind of grey and you don't want any false positives. But anything over 10 you consider to be a definite. So you automatically delete that (or store it). Steve Evans SDSU Foundation (619) 594-0653 -----Original Message----- 
From: Marco Obaid [mailto:marco@MUW.EDU]
Sent: Sunday, March 02, 2003 7:05 AM
To: MAILSCANNER@JISCMAIL.AC.UK

Hello all,

What is the logic behind "High Scoring Spam Actions = deliver" ? If a message scores > 5 and I am telling MailScanner to Spam Actions = store. Why would I have to tell it again what to do with High Scoring Spam?

I have read the notes in Mailscanner.conf and it just did not click yet :) Maybe I am thinking too much about it or I have a mental block right now.

Marco

_________________________________________________________________
This mail is sent through MUW Webmail: http://www.MUW.Edu/webmail
For the latest MUW Events, visit http://www.MUW.Edu/calendar

From mailscanner at HRSERVERS.COM Sun Mar 2 16:05:32 2003
From: mailscanner at HRSERVERS.COM (SUBSCRIBE MAILSCANNER Anonymous)
Date: Thu Jan 12 21:17:21 2006
Subject: Spamassassin 2.50 & MailScanner 4.13-3 Problems
Message-ID:

Spamassassin 2.50 & MailScanner 4.13-3 Problems...

Well, let's see, to start with our server specs are...
RH Linux 7.2
Ensim Webppliance 3.16-1
Sendmail
MailScanner 4.13-3
Spamassassin 2.50

Running mailscanner with spamassassin on would put an extreme load on the server with the mailscanner processes using up 17-25% cpu. I also tried this with mailscanner 4.12-2 and had the same result. Apparently somewhere along the way there is either a major problem with spamassassin 2.50 or mailscanner when using spamassassin.

However the spamassassin patch on your site (http://mailscanner.info) did correct this problem (load dropped to nearly nothing) but I wonder while using that is that going to hinder spamassassin's functionality? Also is this going to be fixed in a future version?

From raymond at PROLOCATION.NET Sun Mar 2 16:19:59 2003
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:17:21 2006
Subject: Spamassassin 2.50 & MailScanner 4.13-3 Problems
In-Reply-To:
Message-ID:

Hi!

> However the spamassassin patch on your site (http://mailscanner.info) did
> correct this problem (load dropped to nearly nothing) but I wonder while
> using that is that going to hinder spamassassin's functionality? Also is
> this going to be fixed in a future version?

Should you not be asking this on the Spamassassin list? It's a problem with that piece of software. They have to fix it :)

Bye,
Raymond.

From mailscanner at ecs.soton.ac.uk Sun Mar 2 16:27:57 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:21 2006
Subject: Spamassassin 2.50 & MailScanner 4.13-3 Problems
In-Reply-To:
Message-ID: <5.2.0.9.2.20030302162525.02ecce60@imap.ecs.soton.ac.uk>

At 16:05 02/03/2003, you wrote:
>Spamassassin 2.50 & MailScanner 4.13-3 Problems...
>
>Well, let's see, to start with our server specs are...
>RH Linux 7.2
>Ensim Webppliance 3.16-1
>Sendmail
>MailScanner 4.13-3
>Spamassassin 2.50
>
>Running mailscanner with spamassassin on would put an extreme load on the
>server with the mailscanner processes using up 17-25% cpu. I also tried
>this with mailscanner 4.12-2 and had the same result. Apparently
>somewhere along the way there is either a major problem with spamassassin 2.50
>or mailscanner when using spamassassin.
>
>However the spamassassin patch on your site (http://mailscanner.info) did
>correct this problem (load dropped to nearly nothing) but I wonder while
>using that is that going to hinder spamassassin's functionality? Also is
>this going to be fixed in a future version?

The "chews up all your CPU time" problem was caused by a fault that was making SpamAssassin lock solid. They weren't closing a database properly at the end of processing a message. My patch just makes it close the database properly.

The patch does not damage functionality of SpamAssassin or MailScanner in any way. It should be fixed by the SpamAssassin authors in 2.51, at which point my patch won't be needed any more.

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

From Kevin.Spicer at BMRB.CO.UK Sun Mar 2 16:47:25 2003
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin) Date: Thu Jan 12 21:17:21 2006 Subject: Sneaky Spammers...? Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0A4AD3F@pascal.priv.bmrb.co.uk> I don't know whether this is a new ploy, or just one I haven't noticed before as I've got rather better reporting in place now (and one of the mails in question landed in my inbox!)... Like (I guess) many sites our primary MX is our border mailscanner (actually it's also our secondary as it has addresses on two internet connections) and our ISP provides two fallback mailservers, which in the event of failure queue up mail and forward on to our MailScanner when it comes back up. I've just noticed that some enterprising spammer seems to have decided it's a good idea to send mail directly to these servers and let them forward on to our primary MX. I'm fairly sure that this is what is happening, as a quick grep of our maillogs suggests that only spam is being received from the backup MX's (suggesting that the primary MX was in fact available throughout). I noticed also that mailstats.pl lists the two fallback servers as no.1 and no.3 on the list of 'blocked' IP's (fortunately I turned blocking off when I installed it). This could have serious consequences for anyone who is using this, or other scripts, to block spam relays, as should their primary MX (MailScanner) - or its internet connection - go down the secondary MX would then accept mail which it would be prevented from delivering once the primary MX came back up! [David, this is why I've copied you on this, as I'm not sure if you're currently on the MS list] It's debatable whether scripts that block based on IP's logged by MailScanner need to account for this or whether MS should refrain from logging the IP of hosts that are fallback MX's for the domain(s)(?) 
I did notice that the MS spam log entry suggests that the IP of our fallback MX's belongs to the domain of the spammer's (forged) address rather than reflecting its reverse DNS name - which is also misleading. BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. From mike at CAMAROSS.NET Sun Mar 2 16:59:51 2003 From: mike at CAMAROSS.NET (Mike Kercher) Date: Thu Jan 12 21:17:21 2006 Subject: Sneaky Spammers...? In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB0A4AD3F@pascal.priv.bmrb.co.uk> Message-ID: <002c01c2e0dd$24c3ef50$6a01a8c0@home.middlefinger.net> It looks to me like mail is rejected at the MTA by DNS blacklists. The spam is then routed to the backup MX and it seems that when mail hits the secondary MX (even though the originating server was blacklisted), the backup allows the spam in because it is only spooling for the domain (for some reason). I may have this explanation all screwed because I just woke up, but I see this all the time as I do backup MX for lots of domains where the primary is also running MS/SA/DNSBL's. -----Original Message----- 
From Kevin.Spicer at BMRB.CO.UK Sun Mar 2 17:05:51 2003 
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin) Date: Thu Jan 12 21:17:21 2006 Subject: Sneaky Spammers...? Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0A4AD40@pascal.priv.bmrb.co.uk> > It looks to me like mail is rejected at the MTA by DNS > blacklists. The spam > is then routed to the backup MX and it seems that when mail hits the > secondary MX (even though the originating server was blacklisted), the > backup allows the spam in because it is only spooling for the > domain (for > some reason). I may have this explanation all screwed > because I just woke > up, but I see this all the time as I do backup MX for lots of > domains where > the primary is also running MS/SA/DNSBL's. > No I think this is a deliberate ploy because... 1) I haven't got any blacklisting turned on (although the way things are going I may review this soon!) 2) Mails are coming via both backup MX's - if it was as you suggest then surely they would only be coming via the higher priority one? BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 From Kevin.Spicer at BMRB.CO.UK Sun Mar 2 17:16:48 2003 
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin) Date: Thu Jan 12 21:17:21 2006 Subject: Bug?? Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0A4AD41@pascal.priv.bmrb.co.uk> I don't know if this is a bug or just something I don't like much(!) I just noticed that when Sophos fails to update I don't get a mail (as I did with previous versions). Looking into this sophos_autoupdate logs the fact to syslog and prints to stderr (which when run by cron should then end up in an email to root, which ends up in my inbox), however update_virus_scanners calls sophos_autoupdate like this ${UPDATER} >/dev/null 2>&1 Which discards the message! I've changed this to... ${UPDATER} which appears to have solved the problem. BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 From mike at ZANKER.ORG Sun Mar 2 17:40:32 2003 
From: mike at ZANKER.ORG (Mike Zanker) Date: Thu Jan 12 21:17:21 2006 Subject: Sneaky Spammers...? In-Reply-To: <002c01c2e0dd$24c3ef50$6a01a8c0@home.middlefinger.net> References: <002c01c2e0dd$24c3ef50$6a01a8c0@home.middlefinger.net> Message-ID: <549891093.1046626832@jemima.zanker.org> On 02 March 2003 10:59 -0600 Mike Kercher wrote: > It looks to me like mail is rejected at the MTA by DNS blacklists. > The spam is then routed to the backup MX and it seems that when mail > hits the secondary MX (even though the originating server was > blacklisted), the backup allows the spam in because it is only > spooling for the domain (for some reason). No, it's deliberate - spammers have been using secondary or even tertiary MX hosts for months now. Some of the spamming software available does this automatically now. My secondary MX also got blocked by mailstats.pl. I've left blocking enabled but fixed mailstats.pl so that it skips my secondary MX. Mike. From ms at MLSIS.CO.UK Sun Mar 2 20:48:53 2003 From: ms at MLSIS.CO.UK (Matt Lowe) Date: Thu Jan 12 21:17:21 2006 Subject: postfix compatability Message-ID: <1046638133.1886.47.camel@luggage> Hi, how far away is postfix compat? Would a donation help in this progress? If so, how much? I know mailscanner is GPL but a lot of programmers can't dedicate all their time to a project due to work/cash/time constraints. Just an idea, I have a company that MIGHT be willing to pay (and still keep it all GPLed). From mailscanner at ecs.soton.ac.uk Sun Mar 2 22:57:04 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:21 2006 Subject: New version of RAV - readme! Message-ID: <5.2.0.9.2.20030302225323.0300c128@imap.ecs.soton.ac.uk> There is a new version of RAV available. However, it has some slightly odd requirements and will need the rav-wrapper from 4.13 in order to work properly. So if you have upgraded your copy of RAV recently, please check to see if it is working as you may need to upgrade to 4.13 The upgrade is a 5 minute job, especially with my upgrade_MailScanner_conf script to do the awkward bit for you. You should upgrade the "tnef" RPM as well as the "mailscanner" RPM as that is updated also. -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support From paul at ESPMAIL.CO.UK Sun Mar 2 23:24:09 2003 From: paul at ESPMAIL.CO.UK (Paul Welsh) Date: Thu Jan 12 21:17:21 2006 Subject: Sneaky Spammers...? References: <002c01c2e0dd$24c3ef50$6a01a8c0@home.middlefinger.net> <549891093.1046626832@jemima.zanker.org> Message-ID: <004601c2e112$d7b94760$fde030d5@espmail> ----- Original Message ----- From: "Mike Zanker" To: Sent: 02 March 2003 17:40 Subject: Re: Sneaky Spammers...? > No, it's deliberate - spammers have been using secondary or even > tertiary MX hosts for months now. Some of the spamming software > available does this automatically now. Yes, I agree. That's why I like SpamAssassin, because it goes further than checking just the last hop with RBLs. If your secondary MX belongs to your ISP (who tend not to use RBLs) then blocking using simple RBLs on your primary MX does you no good at all. From David.While at UCE.AC.UK Mon Mar 3 10:25:16 2003 
From: David.While at UCE.AC.UK (David While) Date: Thu Jan 12 21:17:22 2006 Subject: Sneaky Spammers...? Message-ID: I have added whitelist functionality to mailstats.pl to allow you to add the IP addresses of servers that you don't want added to the access file. This will allow you to add the IP addresses of your secondary MX hosts so that they don't get blocked. It can be downloaded as usual from http://staff.cie.uce.ac.uk/~dwhile/mailstats/ ----------------------------------------------------------------- David While Technical Development Manager Faculty of Computing, Information & English University of Central England Tel: 0121 331 6211 From steve.freegard at LBSLTD.CO.UK Mon Mar 3 11:37:04 2003 
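The whitelist idea from the "Sneaky Spammers...?" messages above, as an added example (it is not mailstats.pl's code and not part of any message): a blocklist builder that tallies spam per relay IP, exempts the site's own backup MX hosts, and reports exempt relays that carried nothing but spam. The log format, addresses, threshold, function names and the access-file output layout are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample records in a simplified format (not MailScanner's real
# log format). All addresses come from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
Mar  2 16:01:10 mx1 scan: relay=192.0.2.10 verdict=spam
Mar  2 16:02:41 mx1 scan: relay=192.0.2.10 verdict=spam
Mar  2 16:03:05 mx1 scan: relay=198.51.100.7 verdict=spam
Mar  2 16:04:17 mx1 scan: relay=192.0.2.11 verdict=spam
Mar  2 16:05:52 mx1 scan: relay=203.0.113.5 verdict=clean
Mar  2 16:06:30 mx1 scan: relay=192.0.2.10 verdict=spam
Mar  2 16:07:02 mx1 scan: relay=198.51.100.7 verdict=spam
Mar  2 16:08:44 mx1 scan: relay=192.0.2.11 verdict=spam
Mar  2 16:09:13 mx1 scan: relay=203.0.113.5 verdict=spam
Mar  2 16:10:27 mx1 scan: relay=not-an-ip verdict=spam
Mar  2 16:11:09 mx1 scan: relay=198.51.100.7 verdict=spam
Mar  2 16:12:38 mx1 scan: relay=192.0.2.11 verdict=spam
Mar  2 16:13:50 mx1 scan: relay=192.0.2.10 verdict=spam
Mar  2 16:14:21 mx1 scan: relay=203.0.113.5 verdict=clean
"""

# Assumption: the ISP-run backup MX hosts for this site (constructed values).
BACKUP_MX = ["192.0.2.10", "192.0.2.11"]

LINE_RE = re.compile(r"relay=(\S+) verdict=(spam|clean)\s*$")


def parse(log_text):
    """Yield (address, verdict) for each well-formed record; skip the rest."""
    for line in log_text.splitlines():
        match = LINE_RE.search(line)
        if not match:
            continue
        try:
            yield ipaddress.ip_address(match.group(1)), match.group(2)
        except ValueError:
            continue  # relay field is not an IP address


def tally(log_text):
    """Return (spam_count, total_count) Counters keyed by relay address."""
    spam, total = Counter(), Counter()
    for addr, verdict in parse(log_text):
        total[addr] += 1
        if verdict == "spam":
            spam[addr] += 1
    return spam, total


def _networks(whitelist):
    # Accept single addresses and CIDR ranges alike.
    return [ipaddress.ip_network(entry, strict=False) for entry in whitelist]


def _sorted_strings(addrs):
    return [str(a) for a in sorted(addrs, key=lambda a: (a.version, int(a)))]


def build_blocklist(log_text, whitelist, threshold=3):
    """Return (block, exempt): relays at or over the spam threshold, split by
    whether the whitelist covers them."""
    nets = _networks(whitelist)
    spam, _ = tally(log_text)
    block, exempt = [], []
    for addr, count in spam.items():
        if count < threshold:
            continue
        covered = any(addr in net for net in nets)
        (exempt if covered else block).append(addr)
    return _sorted_strings(block), _sorted_strings(exempt)


def access_entries(block):
    """Format blocked relays as access-file style REJECT lines (assumed layout)."""
    return [f"{addr}\tREJECT" for addr in block]


def spam_only_relays(log_text, whitelist):
    """Whitelisted relays whose every scanned message was spam: the pattern
    reported in the thread for backup MX hosts that are being targeted."""
    nets = _networks(whitelist)
    spam, total = tally(log_text)
    hits = [a for a in total
            if spam[a] == total[a] and any(a in net for net in nets)]
    return _sorted_strings(hits)


if __name__ == "__main__":
    block, exempt = build_blocklist(SAMPLE_LOG, BACKUP_MX)
    print("\n".join(access_entries(block)))
    print("exempt (whitelisted):", exempt)
    print("whitelisted, spam only:", spam_only_relays(SAMPLE_LOG, BACKUP_MX))
```

With an empty whitelist both backup MX addresses land in the block list, which is the failure the thread describes; the spam-only report is a cue to tighten filtering on the backup hosts themselves.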
From: steve.freegard at LBSLTD.CO.UK (Steve Freegard) Date: Thu Jan 12 21:17:22 2006 Subject: SpamAssassin 2.50 Bayes + MailScanner Message-ID: <67D9E7698329D411936E00508B6590B902793242@neelix.lbsltd.co.uk> Hello, Has anyone successfully managed to get SpamAssassin to auto learn e-mail processed via MailScanner??? I've received about 1200 e-mails that have been processed with 2.50 although when I run 'check_bayes_db' as root, it only reports that it has seen two messages which were the 'sample-spam.txt' and 'sample-nonspam.txt' test files that I ran through SA when I upgraded. I've tried putting 'auto_learn 1' into spam.assassin.prefs.conf - I've also tried to change the bayes db path by putting 'bayes_path /etc/MailScanner/bayes' into the prefs file - after restarting MailScanner, the only file that gets created is 'bayes_toks.db' which is an empty file. Anyone else had this problem?? Thanks, Steve -- Steve Freegard Systems Manager Littlehampton Book Services Ltd. Tel: +44 (0)1903 82 8594 Fax: +44 (0)1903 82 8620 ********************************************************************** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote also confirms that this email message has been swept by MIMEsweeper for the presence of computer viruses. www.lbsltd.co.uk ********************************************************************** From mike at ZANKER.ORG Mon Mar 3 11:38:17 2003 
From: mike at ZANKER.ORG (Mike Zanker) Date: Thu Jan 12 21:17:22 2006 Subject: Sneaky Spammers...? In-Reply-To: References: Message-ID: <2313390.1046691497@mallard.open.ac.uk> On 03 March 2003 10:25 +0000 David While wrote: > I have added whitelist functionality to mailstats.pl to allow you to > add the IP addresses of servers that you don't want added to the > access file. This will allow you to add the IP addresses of your > secondary MX hosts so that they don't get blocked. Marvellous - thanks David. Mike. From c_chow at REX-GARMENTS.COM.HK Mon Mar 3 11:32:55 2003 From: c_chow at REX-GARMENTS.COM.HK (Chris Chow) Date: Thu Jan 12 21:17:22 2006 Subject: Newbie to Mailscanner Message-ID: Dear all, I am interested in using Mailscanner software to protect our email system. We are using Red Hat 7.3 and sendmail. I think using RPM to install this software will not be difficult. I am just a bit confused about the concept of this software. Mailscanner scans incoming emails for viruses; where does it get the virus pattern files? We are using Trend server protect for another server (win 2000), does it mean I copy the pattern from this server, or do we copy the pattern from our desktop? I don't suppose there are virus patterns that are free to download? Secondly if I need to subscribe to an anti-virus software vendor to get the pattern, maybe I can install that software for virus protection on the server. I think Trend have a linux version of anti-virus software called InterScan Messaging Security Suite to handle this task. I am sorry for listing this simple/basic question, I did search the listing but couldn't find the answer. Chris Chow From Kevin.Spicer at BMRB.CO.UK Mon Mar 3 11:49:29 2003 
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin) Date: Thu Jan 12 21:17:22 2006 Subject: Newbie to Mailscanner Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0A4AD46@pascal.priv.bmrb.co.uk> > > Mailscanner scans incoming emails for viruses; where does it get > the virus > pattern files? You need to install a virus scanner (probably a commercial one like sophos or f-prot) > We are using Trend server protect for another > server (win > 2000), does it mean I copy the pattern from this server, > or do we copy > the pattern from our desktop? I don't suppose there are virus patterns > that are free to download? There are - try clamav, but I'd recommend using a commercial scanner too to get maximum protection (especially against new viruses) > > Secondly if I need to subscribe to an anti-virus software vendor > to get the > pattern, maybe I can install that software for virus protection on > the server. I think Trend have a linux version of anti-virus software called > InterScan Messaging Security Suite to handle this task. I believe the Trend scanner can be used with MailScanner (although it currently has an 'unsupported' code status (see http://www.sng.ecs.soton.ac.uk/mailscanner/install/codestatus.shtml )) > > I am sorry for listing this simple/basic question, I did search the > listing but couldn't find the answer. Have a good read of the website www.mailscanner.info all the above info is there BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 From raymond at PROLOCATION.NET Mon Mar 3 11:55:28 2003 From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:17:22 2006 Subject: Newbie to Mailscanner In-Reply-To: Message-ID: Hi! > Mailscanner scans incoming emails for viruses; where does it get the virus > pattern files? We are using Trend server protect for another server (win > 2000), does it mean I copy the pattern from this server, or do we copy > the pattern from our desktop? I don't suppose there are virus patterns > that are free to download? Mailscanner is the framework, you need to install a virus scanner also. f-prot is free for non commercial use. > Secondly if I need to subscribe to an anti-virus software vendor to get the > pattern, maybe I can install that software for virus protection on > the server. I think Trend have a linux version of anti-virus software called > InterScan Messaging Security Suite to handle this task. Yes you can, and you can also automate the update process. Bye, Raymond. From mailscanner at ecs.soton.ac.uk Mon Mar 3 12:23:06 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:22 2006 Subject: SpamAssassin 2.50 Bayes + MailScanner In-Reply-To: <67D9E7698329D411936E00508B6590B902793242@neelix.lbsltd.co.uk> Message-ID: <5.2.0.9.2.20030303121936.03e1c338@imap.ecs.soton.ac.uk> I had this problem when I initially installed 2.50 for the first time. What had happened was the "make install" of SA2.50 hadn't actually installed all the files for some reason. Check your /usr/share/spamassassin has some files in it that mention bayes in their filename, ls /usr/share/spamassassin/*bayes* and that there are some bayes files in /usr/lib/perl5 (or wherever the root of your perl lib installation is). find /usr/lib/perl5 -name '*bayes*' -print I ended up doing the "make install" again to watch carefully what happened, and this time it put all the right files in place. It was working then, and I wanted to go home, so I didn't ever investigate it further. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From dot at DOTAT.AT Mon Mar 3 13:08:27 2003 
From: dot at DOTAT.AT (Tony Finch) Date: Thu Jan 12 21:17:22 2006 Subject: Mailscanner and Exim with "split_spool_directory = true" In-Reply-To: References: <5.2.0.9.2.20030228135517.03b59b60@imap.ecs.soton.ac.uk> <3E5F6762.6020700@marinocrane.com> <5.2.0.9.2.20030228135517.03b59b60@imap.ecs.soton.ac.uk> <20030228151933.GA30294@peerlessmfg.com> Message-ID: Tony Finch wrote: > >I haven't got around to investigating this properly, but I have a couple >of thoughts on the matter. You ought to be able to have a split spool >directory on the smtp listener by using a configuration like > Incoming Queue Dir = /var/spool/exim.in/input/* >but there isn't much point in this because the incoming spool dir >should always be small. split_spool is much more important for the >outgoing Exim because it's doing all the retries, and because of its >support for turning the option on and off with messages already in the >spool, it may be possible to make MailScanner just leave the messages >in /var/spool/exim/input and rely on Exim to move them into the correct >subdirectory. Unfortunately Exim doesn't move messages in the queue, and just relies on the natural turnover of messages when turning split_spool_directory on and off to do the work of getting all messages into the right place. So although this setup works, it has no benefit. Tony. -- f.a.n.finch http://dotat.at/ LANDS END TO ST DAVIDS HEAD INCLUDING THE BRISTOL CHANNEL: SOUTHEAST 4 OR 5 INCREASING 6 LOCALLY 7 VEERING WEST 5 THEN BACKING SOUTHWEST 4 OR 5 LATER. RAIN OR DRIZZLE. MODERATE LOCALLY POOR LATER. MODERATE OR ROUGH. From dml at UNB.CA Mon Mar 3 13:40:25 2003 
From: dml at UNB.CA (David Lancaster) Date: Thu Jan 12 21:17:22 2006 Subject: septic tank emails In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB0EBF427@pascal.priv.bmrb.co.uk> Message-ID: Looks like nottinghamcity.gov.uk is having Mail Server problems again... Only one so far, but perhaps nottinghamcity should consider replacing their broken mail system? D. Received: from mailserv2.unb.ca (mailserv2.unb.ca [131.202.3.56]) by sol.sun.csd.unb.ca (8.11.4/8.11.4) with ESMTP id h217vnM07818 for ; Sat, 1 Mar 2003 03:57:50 -0400 (AST) Received: from smtp.jiscmail.ac.uk (smtp.jiscmail.ac.uk [130.246.192.48]) by mailserv2.unb.ca (8.12.6/8.12.6) with ESMTP id h217vjKY030095 for ; Sat, 1 Mar 2003 03:57:47 -0400 Received: from LISTSERV.JISCMAIL.AC.UK (jiscmail.ac.uk) by smtp.jiscmail.ac.uk (LSMTP for Windows NT v1.1b) with SMTP id <0.00327397@smtp.jiscmail.ac.uk>; Sat, 1 Mar 2003 7:57:45 +0000 Received: from JISCMAIL.AC.UK by JISCMAIL.AC.UK (LISTSERV-TCP/IP release 1.8e) with spool id 18961031 for MAILSCANNER@JISCMAIL.AC.UK; Sat, 1 Mar 2003 07:57:44 +0000 Received: from 130.246.192.52 by JISCMAIL.AC.UK (SMTPL release 1.0h) with TCP; Sat, 1 Mar 2003 07:57:44 GMT Received: from insmtp23.bt.net (insmtp23.bt.net [217.35.209.183]) by ori.rl.ac.uk (8.11.1/8.11.1) with ESMTP id h217vhS04214 for ; Sat, 1 Mar 2003 07:57:43 GMT Received: from [194.72.158.100] (helo=[192.168.1.2]) by insmtp23.bt.net with esmtp (Exim 3.36 #1) id 18p1p1-0006d5-00 for MAILSCANNER@jiscmail.ac.uk; Sat, 01 Mar 2003 07:54:15 +0000 Received: from smtp.jiscmail.ac.uk (unverified) by cohen (Content Technologies SMTPRS 4.3.6) with SMTP id for ; Fri, 28 Feb 2003 15:53:30 +0000 Received: from LISTSERV.JISCMAIL.AC.UK (jiscmail.ac.uk) by smtp.jiscmail.ac.uk (LSMTP for Windows NT v1.1b) with SMTP id <7.000000BB@smtp.jiscmail.ac.uk>; Fri, 28 Feb 2003 15:59:13 +0000 Received: from JISCMAIL.AC.UK by JISCMAIL.AC.UK (LISTSERV-TCP/IP release 1.8e) with spool id 18936642 for MAILSCANNER@JISCMAIL.AC.UK; Fri, 28 Feb 2003 15:59:12 
+0000 Received: from 130.246.192.52 by JISCMAIL.AC.UK (SMTPL release 1.0h) with TCP ; Fri, 28 Feb 2003 15:59:12 GMT On Fri, 28 Feb 2003, Spicer, Kevin wrote: > > Use a SpamAssassin local rule to increase the score: > > body LOCAL_ISS /septic tank/i > > describe LOCAL_ISS "Body contains septic tank" > > score LOCAL_ISS 5 > > I put these in /etc/mail/spamassassin/local.cf > > There should be a way to do subject, I just didn't have an example handy. > Lifted straight from the MailScanner home page... > header FRIEND_GREETINGS Subject =~ /you have an E-Card from/i > describe FRIEND_GREETINGS Nasty E-card from FriendGreetings.com > score FRIEND_GREETINGS 100.0 > > > > > BMRB International > http://www.bmrb.co.uk > +44 (0)20 8566 5000 > > > This footnote also confirms that this email message has been swept by MIMEsweeper for the presence of computer viruses > *********************************************************************************** > -- =========================================================== David Lancaster ITS ESS 447-3212 From sean at NISD.NET Mon Mar 3 14:33:26 2003 
From: sean at NISD.NET (Sean Embry) Date: Thu Jan 12 21:17:22 2006 Subject: Sneaky Spammers...? Message-ID: >>> Kevin.Spicer@BMRB.CO.UK 03/02/03 10:47AM >>> > I don't know whether this is a new ploy, or just one I haven't noticed before as I've got rather better reporting in place now (and one of the mails in > question landed in my inbox!)... It's not all that new. I've been seeing this for a while. It's being discussed on News.Admin.Net-Abuse-Email. > Like (I guess) many sites our primary MX is our border mailscanner (actually it's also our secondary as it has addresses on two internet connections) and > our ISP provides two fallback mailservers, which in the event of failure queue up mail and forward on to our MailScanner when it comes back up. I've just > noticed that some enterprising spammer seems to have decided it's a good idea to send mail directly to these servers and let them forward on to our > primary MX. I'm fairly sure that this is what is happening, as a quick grep of our maillogs suggests that only spam is being received from the backup MX's > (suggesting that the primary MX was in fact available throughout). This is likely. Spammers have tried to use higher priority mail servers because: 1. They are likely to be less critical in rejecting spam 2. Mail admins frequently forget to update local blocks on all MX's. 3. The servers are normally less loaded and can therefore take greater amounts of spam in less time. snip I'm thinking of making the higher priority mail exchangers refuse (with a 4xx) e-mail for the primary if the primary looks to be up. Since only spammers won't queue mail this should affect only spammers. Legitimate e-mail will go to the lowest priority MX, or it's broken anyway. About the only MTA I've seen that will try to use a higher priority MX when the lowest is up and accepting is Exchange Server, and not all of them do that. I don't know why some do, and some don't. Sean From steve.freegard at LBSLTD.CO.UK Mon Mar 3 14:58:18 2003 
From: steve.freegard at LBSLTD.CO.UK (Steve Freegard) Date: Thu Jan 12 21:17:22 2006 Subject: SpamAssassin 2.50 Bayes + MailScanner Message-ID: <67D9E7698329D411936E00508B6590B902793250@neelix.lbsltd.co.uk> Hi Julian, Thanks for the reply. I've had a look for the files, and I've re-run 'make install' - still not working though. Here's all the files I've got: [root@trip root]# find / -name '*[Bb]ayes*' -print /usr/lib/perl5/site_perl/5.6.1/Mail/SpamAssassin/Bayes.pm /usr/lib/perl5/site_perl/5.6.1/Mail/SpamAssassin/BayesStore.pm /usr/share/spamassassin/23_bayes.cf /usr/man/man3/Mail::SpamAssassin::Bayes.3pm /etc/MailScanner/bayes_toks.db /root/Mail-SpamAssassin-2.50/rules/23_bayes.cf /root/Mail-SpamAssassin-2.50/tools/check_bayes_db /root/Mail-SpamAssassin-2.50/tools/trim_bayes_db /root/Mail-SpamAssassin-2.50/lib/Mail/SpamAssassin/BayesStore.pm /root/Mail-SpamAssassin-2.50/lib/Mail/SpamAssassin/Bayes.pm /root/Mail-SpamAssassin-2.50/blib/lib/Mail/SpamAssassin/Bayes.pm /root/Mail-SpamAssassin-2.50/blib/lib/Mail/SpamAssassin/BayesStore.pm /root/Mail-SpamAssassin-2.50/blib/man3/Mail::SpamAssassin::Bayes.3pm /root/.spamassassin/bayes_toks /root/.spamassassin/bayes_seen /root/.spamassassin/bayes_msgcount /root/.spamassassin/bayes_toks.db /home/smf/.spamassassin/bayes_toks /home/smf/.spamassassin/bayes_seen /home/smf/.spamassassin/bayes_msgcount This is on RedHat 7.3 with Perl 5.6.1. The spam.assassin.prefs.conf currently has 'bayes_path /etc/MailScanner/bayes' in it - the /root|smf/.spamassassin/bayes* files only have the two test messages in them... As this seems to be more SA related rather than MailScanner - I'll post the same question to the sa-talk list and see what happens... Thanks, Steve. -----Original Message----- 
From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK]
Sent: 03 March 2003 12:23
To: MAILSCANNER@jiscmail.ac.uk
Subject: Re: SpamAssassin 2.50 Bayes + MailScanner

I had this problem when I initially installed 2.50 for the first time. What had happened was the "make install" of SA2.50 hadn't actually installed all the files for some reason.

Check your /usr/share/spamassassin has some files in it that mention bayes in their filename,
        ls /usr/share/spamassassin/*bayes*
and that there are some bayes files in /usr/lib/perl5 (or wherever the root of your perl lib installation is).
        find /usr/lib/perl5 -name '*[Bb]ayes*' -print

I ended up doing the "make install" again to watch carefully what happened, and this time it put all the right files in place. It was working then, and I wanted to go home, so I didn't ever investigate it further.

At 11:37 03/03/2003, you wrote:
>Hello,
>
>Has anyone successfully managed to get SpamAssassin to auto learn e-mail
>processed via MailScanner???
>
>I've received about 1200 e-mails that have been processed with 2.50
>although when I run 'check_bayes_db' as root, it only reports that it has
>seen two messages which were the 'sample-spam.txt' and
>'sample-nonspam.txt' test files that I ran through SA when I upgraded.
>
>I've tried putting 'auto_learn 1' into spam.assassin.prefs.conf - I've
>also tried to change the bayes db path by putting 'bayes_path
>/etc/MailScanner/bayes' into the prefs file - after restarting
>MailScanner, the only file that gets created is 'bayes_toks.db' which is
>an empty file.
>
>Anyone else had this problem??
>
>Thanks,
>
>
>Steve
>
>--
>Steve Freegard
>Systems Manager
>Littlehampton Book Services Ltd.
>Tel: +44 (0)1903 82 8594
>Fax: +44 (0)1903 82 8620
>
>
>
>**********************************************************************
>This email and any files transmitted with it are confidential and
>intended solely for the use of the individual or entity to whom they
>are addressed. If you have received this email in error please notify
>the system manager.
>
>This footnote also confirms that this email message has been swept by
>MIMEsweeper for the presence of computer viruses.
>
>www.lbsltd.co.uk
>**********************************************************************

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support
From dustin.baer at IHS.COM Mon Mar 3 15:22:07 2003
From: dustin.baer at IHS.COM (Dustin Baer)
Date: Thu Jan 12 21:17:22 2006
Subject: Email Security and Virus Testing site
References: <3E5E5E0C.8060305@marinocrane.com>
Message-ID: <3E63731F.794C042@ihs.com>

Ryan Pitt wrote:
>
> Hi Everyone,
>
> I am looking for a few suggested sites that offer email virus tests.

http://www.gfi.com/emailsecuritytest
From logwatch at GETNET.CZ Mon Mar 3 15:37:31 2003
From: logwatch at GETNET.CZ (Michal Kminek)
Date: Thu Jan 12 21:17:22 2006
Subject: Attachments - packed files
Message-ID: <200303031537.h23FbVA02717@mail.getnet.cz>

Hi everyone,

I want to just make sure that MailScanner doesn't unpack attachments with a corresponding external program. Why am I asking? Some antivirus scanners aren't perfect and I want to unpack all the compressed attachments for them and then let them scan the unpacked files. Has anybody written such a hack or his own antivirus wrapper?

Thank you
Michal Kminek
From Peter.Bates at LSHTM.AC.UK Mon Mar 3 16:53:30 2003
From: Peter.Bates at LSHTM.AC.UK (Peter Bates)
Date: Thu Jan 12 21:17:22 2006
Subject: X-MailScanner message...
Message-ID:

Hello all...

I upgraded to 4.13-3 today, and also used Julian's magic configuration upgrade script.

During this, I must have uncommented:

Information Header = X-MailScanner-Information:

Now I see:

>X-MailScanner-Information: Please contact the ISP for more information
>X-MailScanner: Found to be clean

on a message, which was spam, but not caught by SA.

What does the 'please contact the ISP for more information' actually mean?

Thanks...

--------------------------------------------------------------------------------------------------->
Peter Bates, Systems Support Officer, Network Support Team.
London School of Hygiene & Tropical Medicine.
Telephone:0207-958 8353 / Fax: 0207- 636 9838
From mailscanner at ecs.soton.ac.uk Mon Mar 3 17:01:00 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:22 2006
Subject: Attachments - packed files
In-Reply-To: <200303031537.h23FbVA02717@mail.getnet.cz>
Message-ID: <5.2.0.9.2.20030303165938.03e39e28@imap.ecs.soton.ac.uk>

At 15:37 03/03/2003, you wrote:
> I want to just make sure that MailScanner doesn't unpack
>attachments with a corresponding external program. Why am I asking?
>Some antivirus scanners aren't perfect and I want to unpack all the
>compressed attachments for them and then let them scan the unpacked
>files. Has anybody written such hack or his own antivirus wrapper?

All the decent anti-virus programs unpack every common archive format already. If your scanning engine doesn't unpack archives, then I suggest you buy a better one :-)

You are quite correct, MailScanner doesn't unpack archives (as it doesn't need to).

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support
From kwang at UCALGARY.CA Mon Mar 3 17:35:10 2003
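An added example, not MailScanner code and not something posted to the list: a separate unpacking layer of the kind asked about in the "Attachments - packed files" exchange above, which expands ZIP attachments in memory for a scanner while capping nesting depth, member count and total expanded bytes. The function names, the limit values and the ZIP-only scope are assumptions; the sample archives are constructed in the demo.

```python
"""Unpack-before-scan layer for ZIP attachments, with resource limits.

Added illustration. Names and limit values are assumptions; only ZIP is
handled, and nothing is written to disk (member names are labels only).
"""
import io
import zipfile
import zlib

MAX_DEPTH = 3                # assumed: archive-inside-archive levels opened
MAX_MEMBERS = 200            # assumed: files expanded per message, all levels
MAX_TOTAL_BYTES = 5_000_000  # assumed: expanded bytes per message, all levels


class UnpackRefused(Exception):
    """The attachment breaks a limit or cannot be inspected; quarantine it."""


class _Budget:
    """Counters shared by every nesting level of one message."""

    def __init__(self, members, total_bytes):
        self.members = members
        self.total_bytes = total_bytes


def _read_member(archive, info, budget):
    # The size recorded in the ZIP header is sender-controlled, so count the
    # bytes actually produced and stop the moment the budget is spent.
    chunks = []
    with archive.open(info) as stream:
        while True:
            chunk = stream.read(64 * 1024)
            if not chunk:
                return b"".join(chunks)
            budget.total_bytes -= len(chunk)
            if budget.total_bytes < 0:
                raise UnpackRefused("expanded size limit exceeded")
            chunks.append(chunk)


def _unpack(name, data, max_depth, budget, depth):
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return [(name, data)]            # leaf file: hand to the scanner as is
    if depth >= max_depth:
        raise UnpackRefused("archive nesting limit exceeded at " + name)
    leaves = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            for info in archive.infolist():
                if info.is_dir():
                    continue
                budget.members -= 1
                if budget.members < 0:
                    raise UnpackRefused("member count limit exceeded")
                if info.flag_bits & 0x1:     # bit 0 set: member is encrypted
                    raise UnpackRefused("encrypted member " + info.filename)
                payload = _read_member(archive, info, budget)
                leaves += _unpack(name + "/" + info.filename, payload,
                                  max_depth, budget, depth + 1)
    except (zipfile.BadZipFile, zlib.error, NotImplementedError) as exc:
        raise UnpackRefused("corrupt or unsupported archive " + name) from exc
    return leaves


def unpack_for_scanning(name, data, max_depth=MAX_DEPTH,
                        max_members=MAX_MEMBERS,
                        max_total_bytes=MAX_TOTAL_BYTES):
    """Return [(path, bytes)] for every leaf file, or raise UnpackRefused."""
    return _unpack(name, data, max_depth,
                   _Budget(max_members, max_total_bytes), 0)


def make_zip(members):
    """Build a ZIP in memory from {name: bytes}; used for constructed samples."""
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w", zipfile.ZIP_DEFLATED) as archive:
        for member_name, payload in members.items():
            archive.writestr(member_name, payload)
    return buffer.getvalue()


if __name__ == "__main__":
    # Constructed sample: a harmless text file and a ZIP nested inside a ZIP.
    inner = make_zip({"notes.txt": b"constructed sample"})
    outer = make_zip({"readme.txt": b"hello", "inner.zip": inner})
    for path, payload in unpack_for_scanning("attachment.zip", outer):
        print(path, len(payload))
```

Each returned leaf can be written to the scanner's work area under a generated file name; a refusal is treated like a scanner hit, so an attachment that cannot be fully expanded is never delivered unscanned.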
From: kwang at UCALGARY.CA (Kai Wang)
Date: Thu Jan 12 21:17:22 2006
Subject: confusing spam rules
Message-ID: <3E63924E.42025919@ucalgary.ca>

Hello,

We plan to use MailScanner to tag the spam messages. After a few tests, I found the spam rules in MailScanner are very confusing.

In /etc/MailScanner/MailScanner.conf:
----------------------------------------------------------------------------
Is Definitely Not Spam = /etc/MailScanner/rules/spam.whitelist.rules
Is Definitely Spam = /etc/MailScanner/rules/spam.blacklist.rules

1) Domain name does not match but ip address matches

I configured a host name in /etc/MailScanner/rules/spam.blacklist.rules and sent a message from the machine, the message did not match the rule. Then I replaced the hostname with its IP address and sent the same message again from the same machine, it matched the spam rule.

cat /etc/MailScanner/rules/spam.whitelist.rules
FromTo: default no

cat /etc/MailScanner/rules/spam.blacklist.rules
From: /lms5.acs.ucalgary.ca/ yes
FromTo: default no

2) wildcard(*) sometimes works, sometimes not

The black list rule "To: fs50*@ucalgary.ca yes" does not match a message to fs501@ucalgary.ca. But the black list rule "From: fs50*@ucalgary.ca yes" matches a message from fs501@ucalgary.ca.

Thanks

Kai Wang
From mailscanner at ecs.soton.ac.uk Mon Mar 3 17:07:19 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:22 2006
Subject: X-MailScanner message...
In-Reply-To:
Message-ID: <5.2.0.9.2.20030303170621.02d9e330@imap.ecs.soton.ac.uk>

At 16:53 03/03/2003, you wrote:
>Hello all...
>
>I upgraded to 4.13-3 today, and also used Julian's magic configuration
>upgrade script.
>
>During this, I must have uncommented:
>
>Information Header = X-MailScanner-Information:
>
>Now I see:
>
> >X-MailScanner-Information: Please contact the ISP for more information
> >X-MailScanner: Found to be clean
>
>on a message, which was spam, but not caught by SA.
>
>What does the 'please contact the ISP for more information' actually mean?

Not much. It is intended that you configure it to say whatever you like (or make it blank so it disappears altogether). It is added to all mail that goes through MailScanner, whether it is scanned or not. Feel free to advertise MailScanner in the text :-)

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support
From logwatch at GETNET.CZ Mon Mar 3 17:47:13 2003
From: logwatch at GETNET.CZ (Michal Kminek)
Date: Thu Jan 12 21:17:22 2006
Subject: Attachments - packed files
Message-ID: <200303031747.h23HlDQ04148@mail.getnet.cz>

Julian Field wrote ..
> At 15:37 03/03/2003, you wrote:
> > I want to just make sure that MailScanner doesn't unpack
> >attachments with a corresponding external program. Why am I asking?
> >Some antivirus scanners aren't perfect and I want to unpack all the
> >compressed attachments for them and then let them scan the unpacked
> >files. Has anybody written such hack or his own antivirus wrapper?
>
> All the decent anti-virus programs unpack every common archive format
> already. If your scanning engine doesn't unpack archives, then I suggest
> you buy a better one :-)
> You are quite correct, MailScanner doesn't unpack archives (as it doesn't
> need to).
> --
> Julian Field
> www.MailScanner.info
> MailScanner thanks transtec Computers for their support

To be honest, even those decent antivirus programs aren't perfect. The majority of the programs are black boxes, you just believe that it works. MailScanner is a nice program and maybe it would be nice to have a separate layer for unpacking, where you can control for example the nesting depth and prevent various DoS attacks. Then you just keep the unpacking utilities up-to-date. I'm surprised that nobody has attempted to program such a thing.

Regards,
Michal Kminek
From matthew.richard at COCC.COM Mon Mar 3 17:48:45 2003
From: matthew.richard at COCC.COM (Richard, Matt)
Date: Thu Jan 12 21:17:22 2006
Subject: FW: [RHSA-2003:073-06] Updated sendmail packages fix critical security issues
Message-ID:

For those who have not already seen the advisory. It appears to affect sendmail on many different platforms.

Matt Richard

-----Original Message-----
From: bugzilla@redhat.com [mailto:bugzilla@redhat.com]
Sent: Monday, March 03, 2003 12:05 PM
To: redhat-watch-list@redhat.com; redhat-announce-list@redhat.com
Subject: [RHSA-2003:073-06] Updated sendmail packages fix critical security issues

---------------------------------------------------------------------
Red Hat, Inc. Red Hat Security Advisory

Synopsis: Updated sendmail packages fix critical security issues
Advisory ID: RHSA-2003:073-06
Issue date: 2003-02-07
Updated on: 2003-03-03
Product: Red Hat Linux
Keywords: sendmail smrsh security bug
Cross references:
Obsoletes: RHSA-2002:106
CVE Names: CAN-2002-1337
---------------------------------------------------------------------

1. Topic:

Updated Sendmail packages are available to fix a vulnerability that may allow remote attackers to gain root privileges by sending a carefully crafted message.

These packages also fix a security bug if sendmail is configured to use smrsh.

2. Relevant releases/architectures:

Red Hat Linux 6.2 - i386
Red Hat Linux 7.0 - i386
Red Hat Linux 7.1 - i386
Red Hat Linux 7.2 - i386, ia64
Red Hat Linux 7.3 - i386
Red Hat Linux 8.0 - i386

3. Problem description:

Sendmail is a widely used Mail Transport Agent (MTA) which is included in all Red Hat Linux distributions.

During a code audit of Sendmail by ISS, a critical vulnerability was uncovered that affects unpatched versions of Sendmail prior to version 8.12.8. A remote attacker can send a carefully crafted email message which, when processed by sendmail, causes arbitrary code to be executed as root.

We are advised that a proof-of-concept exploit is known to exist, but is not believed to be in the wild.

Since this is a message-based vulnerability, MTAs other than Sendmail may pass on the carefully crafted message. This means that unpatched versions of Sendmail inside a network could still be at risk even if they do not accept external connections directly.

In addition, the restricted shell (SMRSH) in Sendmail allows attackers to bypass the intended restrictions of smrsh by inserting additional commands after "||" sequences or "/" characters, which are not properly filtered or verified. A successful attack would allow an attacker who has a local account on a system which has explicitly enabled smrsh to execute arbitrary binaries as themselves by utilizing their .forward file.

All users are advised to update to these erratum packages. For Red Hat Linux 8.0 we have included Sendmail version 8.12.8 which is not vulnerable to these issues. For all other distributions we have included a backported patch which corrects these vulnerabilities.

Red Hat would like to thank Eric Allman for his assistance with this vulnerability.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

    rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those RPMs which are currently installed will be updated. Those RPMs which are not installed but included in the list will not be updated. Note that you can also use wildcards (*.rpm) if your current directory *only* contains the desired RPMs.

Please note that this update is also available via Red Hat Network. Many people find this an easier way to apply updates. To use Red Hat Network, launch the Red Hat Update Agent with the following command:

    up2date

This will start an interactive process that will result in the appropriate RPMs being upgraded on your system.

5. RPMs required:

Red Hat Linux 6.2:

SRPMS:
ftp://updates.redhat.com/6.2/en/os/SRPMS/sendmail-8.11.6-1.62.2.src.rpm

i386:
ftp://updates.redhat.com/6.2/en/os/i386/sendmail-8.11.6-1.62.2.i386.rpm
ftp://updates.redhat.com/6.2/en/os/i386/sendmail-cf-8.11.6-1.62.2.i386.rpm
ftp://updates.redhat.com/6.2/en/os/i386/sendmail-doc-8.11.6-1.62.2.i386.rpm

Red Hat Linux 7.0:

SRPMS:
ftp://updates.redhat.com/7.0/en/os/SRPMS/sendmail-8.11.6-23.70.src.rpm

i386:
ftp://updates.redhat.com/7.0/en/os/i386/sendmail-8.11.6-23.70.i386.rpm
ftp://updates.redhat.com/7.0/en/os/i386/sendmail-cf-8.11.6-23.70.i386.rpm
ftp://updates.redhat.com/7.0/en/os/i386/sendmail-devel-8.11.6-23.70.i386.rpm
ftp://updates.redhat.com/7.0/en/os/i386/sendmail-doc-8.11.6-23.70.i386.rpm

Red Hat Linux 7.1:

SRPMS:
ftp://updates.redhat.com/7.1/en/os/SRPMS/sendmail-8.11.6-23.71.src.rpm

i386:
ftp://updates.redhat.com/7.1/en/os/i386/sendmail-8.11.6-23.71.i386.rpm
ftp://updates.redhat.com/7.1/en/os/i386/sendmail-cf-8.11.6-23.71.i386.rpm
ftp://updates.redhat.com/7.1/en/os/i386/sendmail-devel-8.11.6-23.71.i386.rpm
ftp://updates.redhat.com/7.1/en/os/i386/sendmail-doc-8.11.6-23.71.i386.rpm

Red Hat Linux 7.2:

SRPMS:
ftp://updates.redhat.com/7.2/en/os/SRPMS/sendmail-8.11.6-23.72.src.rpm

i386:
ftp://updates.redhat.com/7.2/en/os/i386/sendmail-8.11.6-23.72.i386.rpm
ftp://updates.redhat.com/7.2/en/os/i386/sendmail-cf-8.11.6-23.72.i386.rpm
ftp://updates.redhat.com/7.2/en/os/i386/sendmail-devel-8.11.6-23.72.i386.rpm
ftp://updates.redhat.com/7.2/en/os/i386/sendmail-doc-8.11.6-23.72.i386.rpm

ia64:
ftp://updates.redhat.com/7.2/en/os/ia64/sendmail-8.11.6-23.72.ia64.rpm
ftp://updates.redhat.com/7.2/en/os/ia64/sendmail-cf-8.11.6-23.72.ia64.rpm
ftp://updates.redhat.com/7.2/en/os/ia64/sendmail-devel-8.11.6-23.72.ia64.rpm
ftp://updates.redhat.com/7.2/en/os/ia64/sendmail-doc-8.11.6-23.72.ia64.rpm

Red Hat Linux 7.3:

SRPMS:
ftp://updates.redhat.com/7.3/en/os/SRPMS/sendmail-8.11.6-23.73.src.rpm

i386:
ftp://updates.redhat.com/7.3/en/os/i386/sendmail-8.11.6-23.73.i386.rpm
ftp://updates.redhat.com/7.3/en/os/i386/sendmail-cf-8.11.6-23.73.i386.rpm
ftp://updates.redhat.com/7.3/en/os/i386/sendmail-devel-8.11.6-23.73.i386.rpm
ftp://updates.redhat.com/7.3/en/os/i386/sendmail-doc-8.11.6-23.73.i386.rpm

Red Hat Linux 8.0:

SRPMS:
ftp://updates.redhat.com/8.0/en/os/SRPMS/sendmail-8.12.8-1.80.src.rpm

i386:
ftp://updates.redhat.com/8.0/en/os/i386/sendmail-8.12.8-1.80.i386.rpm
ftp://updates.redhat.com/8.0/en/os/i386/sendmail-cf-8.12.8-1.80.i386.rpm
ftp://updates.redhat.com/8.0/en/os/i386/sendmail-devel-8.12.8-1.80.i386.rpm
ftp://updates.redhat.com/8.0/en/os/i386/sendmail-doc-8.12.8-1.80.i386.rpm

6. Verification:

These packages are GPG signed by Red Hat, Inc. for security. Our key is available at http://www.redhat.com/about/contact/pgpkey.html

You can verify each package with the following command:

    rpm --checksig -v

If you only wish to verify that each package has not been corrupted or tampered with, examine only the md5sum with the following command:

    md5sum

7.
References:

http://www.cert.org/advisories/CA-2003-07.html
http://marc.theaimsgroup.com/?l=bugtraq&m=103350914307274
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1337

8. Contact:

The Red Hat security contact is . More contact details at http://www.redhat.com/solutions/security/news/contact.html

Copyright 2003 Red Hat, Inc.
From nathan at TCPNETWORKS.NET Mon Mar 3 18:17:00 2003
From: nathan at TCPNETWORKS.NET (Nathan Johanson)
Date: Thu Jan 12 21:17:22 2006
Subject: [RHSA-2003:073-06] Updated sendmail packages fix critical security issues
Message-ID:

Thanks for the post! That was timely.

--
Sincerely,

Nathan Johanson
Email: nathan@tcpnetworks.net

-----Original Message-----
From: Richard, Matt [mailto:matthew.richard@COCC.COM]
Sent: Monday, March 03, 2003 9:49 AM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: FW: [RHSA-2003:073-06] Updated sendmail packages fix critical security issues

For those who have not already seen the advisory. It appears to affect sendmail on many different platforms.

Matt Richard
From mailscanner at LISTS.COM.AR Mon Mar 3 18:36:39 2003
From: mailscanner at LISTS.COM.AR (Mariano Absatz)
Date: Thu Jan 12 21:17:22 2006
Subject: [RHSA-2003:073-06] Updated sendmail packages fix critical security issues
In-Reply-To:
Message-ID: <3E637687.12743.582F272B@localhost>

As Matt said, it not only affects RedHat (or Linux, for that matter):

http://www.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=21950
http://www.cert.org/advisories/CA-2003-07.html

See http://sendmail.org/8.12.8.html for new version/patches

It seems that, after 5 or 6 years (not counting last year's trojan distro) sendmail security bugs are back in action... :-(

On 3 Mar 2003 at 10:17, Nathan Johanson wrote:

> Thanks for the post! That was timely.
>
> --
> Sincerely,
>
> Nathan Johanson
> Email: nathan@tcpnetworks.net
>
>
> -----Original Message-----
> From: Richard, Matt [mailto:matthew.richard@COCC.COM]
> Sent: Monday, March 03, 2003 9:49 AM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: FW: [RHSA-2003:073-06] Updated sendmail packages fix critical
> security issues
>
>
> For those who have not already seen the advisory. It appears to affect
> sendmail on many different platforms.
>
> Matt Richard
>
> -----Original Message-----
> From: bugzilla@redhat.com [mailto:bugzilla@redhat.com] > Sent: Monday, March 03, 2003 12:05 PM > To: redhat-watch-list@redhat.com; redhat-announce-list@redhat.com > Subject: [RHSA-2003:073-06] Updated sendmail packages fix critical > security > issues > > > --------------------------------------------------------------------- > Red Hat, Inc. Red Hat Security Advisory > > Synopsis: Updated sendmail packages fix critical security > issues > Advisory ID: RHSA-2003:073-06 > Issue date: 2003-02-07 > Updated on: 2003-03-03 > Product: Red Hat Linux > Keywords: sendmail smrsh security bug > Cross references: > Obsoletes: RHSA-2002:106 > CVE Names: CAN-2002-1337 > --------------------------------------------------------------------- > > 1. Topic: > > Updated Sendmail packages are available to fix a vulnerability that > may allow remote attackers to gain root privileges by sending a > carefully crafted message. > > These packages also fix a security bug if sendmail is configured to use > smrsh. > > 2. Relevant releases/architectures: > > Red Hat Linux 6.2 - i386 > Red Hat Linux 7.0 - i386 > Red Hat Linux 7.1 - i386 > Red Hat Linux 7.2 - i386, ia64 > Red Hat Linux 7.3 - i386 > Red Hat Linux 8.0 - i386 > > 3. Problem description: > > Sendmail is a widely used Mail Transport Agent (MTA) which is included > in all Red Hat Linux distributions. > > During a code audit of Sendmail by ISS, a critical vulnerability was > uncovered that affects unpatched versions of Sendmail prior to version > 8.12.8. A remote attacker can send a carefully crafted email message > which, when processed by sendmail, causes arbitrary code to be > executed as root. > > We are advised that a proof-of-concept exploit is known to exist, but > is not believed to be in the wild. > > Since this is a message-based vulnerability, MTAs other than Sendmail > may pass on the carefully crafted message. 
This means that unpatched > versions of Sendmail inside a network could still be at risk even if > they do not accept external connections directly. > > In addition, the restricted shell (SMRSH) in Sendmail allows attackers > to > bypass the intended restrictions of smrsh by inserting additional > commands > after "||" sequences or "/" characters, which are not properly filtered > or > verified. A sucessful attack would allow an attacker who has a local > account on a system which has explicitly enabled smrsh to execute > arbitrary > binaries as themselves by utilizing their .forward file. > > All users are advised to update to these erratum packages. For Red Hat > Linux 8.0 we have included Sendmail version 8.12.8 which is not > vulnerable > to these issues. For all other distributions we have included a > backported > patch which corrects these vulnerabilities. > > Red Hat would like to thank Eric Allman for his assistance with this > vulnerability. > > 4. Solution: > > Before applying this update, make sure all previously released errata > relevant to your system have been applied. > > To update all RPMs for your particular architecture, run: > > rpm -Fvh [filenames] > > where [filenames] is a list of the RPMs you wish to upgrade. Only those > RPMs which are currently installed will be updated. Those RPMs which > are > not installed but included in the list will not be updated. Note that > you > can also use wildcards (*.rpm) if your current directory *only* contains > the > desired RPMs. > > Please note that this update is also available via Red Hat Network. > Many > people find this an easier way to apply updates. To use Red Hat > Network, > launch the Red Hat Update Agent with the following command: > > up2date > > This will start an interactive process that will result in the > appropriate > RPMs being upgraded on your system. > > 5. 
RPMs required: > > Red Hat Linux 6.2: > > SRPMS: > ftp://updates.redhat.com/6.2/en/os/SRPMS/sendmail-8.11.6-1.62.2.src.rpm > > i386: > ftp://updates.redhat.com/6.2/en/os/i386/sendmail-8.11.6-1.62.2.i386.rpm > ftp://updates.redhat.com/6.2/en/os/i386/sendmail-cf-8.11.6-1.62.2.i386.r > pm > ftp://updates.redhat.com/6.2/en/os/i386/sendmail-doc-8.11.6-1.62.2.i386. > rpm > > Red Hat Linux 7.0: > > SRPMS: > ftp://updates.redhat.com/7.0/en/os/SRPMS/sendmail-8.11.6-23.70.src.rpm > > i386: > ftp://updates.redhat.com/7.0/en/os/i386/sendmail-8.11.6-23.70.i386.rpm > ftp://updates.redhat.com/7.0/en/os/i386/sendmail-cf-8.11.6-23.70.i386.rp > m > ftp://updates.redhat.com/7.0/en/os/i386/sendmail-devel-8.11.6-23.70.i386 > .rpm > ftp://updates.redhat.com/7.0/en/os/i386/sendmail-doc-8.11.6-23.70.i386.r > pm > > Red Hat Linux 7.1: > > SRPMS: > ftp://updates.redhat.com/7.1/en/os/SRPMS/sendmail-8.11.6-23.71.src.rpm > > i386: > ftp://updates.redhat.com/7.1/en/os/i386/sendmail-8.11.6-23.71.i386.rpm > ftp://updates.redhat.com/7.1/en/os/i386/sendmail-cf-8.11.6-23.71.i386.rp > m > ftp://updates.redhat.com/7.1/en/os/i386/sendmail-devel-8.11.6-23.71.i386 > .rpm > ftp://updates.redhat.com/7.1/en/os/i386/sendmail-doc-8.11.6-23.71.i386.r > pm > > Red Hat Linux 7.2: > > SRPMS: > ftp://updates.redhat.com/7.2/en/os/SRPMS/sendmail-8.11.6-23.72.src.rpm > > i386: > ftp://updates.redhat.com/7.2/en/os/i386/sendmail-8.11.6-23.72.i386.rpm > ftp://updates.redhat.com/7.2/en/os/i386/sendmail-cf-8.11.6-23.72.i386.rp > m > ftp://updates.redhat.com/7.2/en/os/i386/sendmail-devel-8.11.6-23.72.i386 > .rpm > ftp://updates.redhat.com/7.2/en/os/i386/sendmail-doc-8.11.6-23.72.i386.r > pm > > ia64: > ftp://updates.redhat.com/7.2/en/os/ia64/sendmail-8.11.6-23.72.ia64.rpm > ftp://updates.redhat.com/7.2/en/os/ia64/sendmail-cf-8.11.6-23.72.ia64.rp > m > ftp://updates.redhat.com/7.2/en/os/ia64/sendmail-devel-8.11.6-23.72.ia64 > .rpm > ftp://updates.redhat.com/7.2/en/os/ia64/sendmail-doc-8.11.6-23.72.ia64.r > pm > > Red Hat 
Linux 7.3: > > SRPMS: > ftp://updates.redhat.com/7.3/en/os/SRPMS/sendmail-8.11.6-23.73.src.rpm > > i386: > ftp://updates.redhat.com/7.3/en/os/i386/sendmail-8.11.6-23.73.i386.rpm > ftp://updates.redhat.com/7.3/en/os/i386/sendmail-cf-8.11.6-23.73.i386.rp > m > ftp://updates.redhat.com/7.3/en/os/i386/sendmail-devel-8.11.6-23.73.i386 > .rpm > ftp://updates.redhat.com/7.3/en/os/i386/sendmail-doc-8.11.6-23.73.i386.r > pm > > Red Hat Linux 8.0: > > SRPMS: > ftp://updates.redhat.com/8.0/en/os/SRPMS/sendmail-8.12.8-1.80.src.rpm > > i386: > ftp://updates.redhat.com/8.0/en/os/i386/sendmail-8.12.8-1.80.i386.rpm > ftp://updates.redhat.com/8.0/en/os/i386/sendmail-cf-8.12.8-1.80.i386.rpm > ftp://updates.redhat.com/8.0/en/os/i386/sendmail-devel-8.12.8-1.80.i386. > rpm > ftp://updates.redhat.com/8.0/en/os/i386/sendmail-doc-8.12.8-1.80.i386.rp > m > > > > 6. Verification: > > These packages are GPG signed by Red Hat, Inc. for security. 
Our key > is available at http://www.redhat.com/about/contact/pgpkey.html > > You can verify each package with the following command: > > rpm --checksig -v > > If you only wish to verify that each package has not been corrupted or > tampered with, examine only the md5sum with the following command: > > md5sum > > > 7. References: > > http://www.cert.org/advisories/CA-2003-07.html > http://marc.theaimsgroup.com/?l=bugtraq&m=103350914307274 > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1337 > > 8. Contact: > > The Red Hat security contact is . More contact > details at http://www.redhat.com/solutions/security/news/contact.html > > Copyright 2003 Red Hat, Inc. -- Mariano Absatz El Baby ---------------------------------------------------------- Quote me as saying I was misquoted. -- Groucho Marx From mailscanner at ecs.soton.ac.uk Mon Mar 3 19:10:19 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:22 2006 Subject: confusing spam rules In-Reply-To: <3E63924E.42025919@ucalgary.ca> Message-ID: <5.2.0.9.2.20030303190538.0268fed8@imap.ecs.soton.ac.uk> At 17:35 03/03/2003, you wrote: >We plan to use MailScanner to tag the spam messages. After >a few tests, I found the spam rules in MailScanner are very >confusing. > > In /etc/MailScanner/MailScanner.conf: > >---------------------------------------------------------------------------- > > Is Definitely Not Spam = /etc/MailScanner/rules/spam.whitelist.rules > > Is Definitely Spam = /etc/MailScanner/rules/spam.blacklist.rules > >1) Domain name does not match but ip address matches > > I configured a host name in >/etc/MailScanner/rules/spam.blacklist.rules > and sent a message from the machine, the message did not match the >rule. > Then I replaced the hostname with its IP address and sent the same > message again from the same machine, it matched the spam rule. > > cat /etc/MailScanner/rules/spam.whitelist.rules > FromTo: default no > > cat /etc/MailScanner/rules/spam.blacklist.rules 
> From: /lms5.acs.ucalgary.ca/ yes > FromTo: default no If it is a name in the pattern, then it is checking the envelope sender of the message, whereas a numerical test will check the other end of the SMTP connection. >2) wildcard(*) sometimes works, sometimes not > > The black list rule "To: fs50*@ucalgary.ca yes" does not match > a message to fs501@ucalgary.ca. But the black list rule "From: > fs50*@ucalgary.ca yes" matches a message from fs501@ucalgary.ca. Don't understand that at all. Suggest you re-check your tests. All the rulesets are built from exactly the same code, so they must behave the same. -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Mon Mar 3 19:16:33 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:22 2006 Subject: Attachments - packed files In-Reply-To: <200303031747.h23HlDQ04148@mail.getnet.cz> Message-ID: <5.2.0.9.2.20030303191312.027f1f68@imap.ecs.soton.ac.uk> At 17:47 03/03/2003, you wrote: >Julian Field wrote .. > > At 15:37 03/03/2003, you wrote: > > > I want to just make sure that MailScanner doesn't unpack > > >attachments with a corresponding external program. Why am I asking? > > >Some antivirus scanners aren't perfect and I want to unpack all the > > >compressed attachments for them and then let them scan the unpacked > > >files. Has anybody written such hack or his own antivirus wrapper? > > > > All the decent anti-virus programs unpack every common archive format > > already. If your scanning engine doesn't unpack archives, then I suggest > > you buy a better one :-) > > You are quite correct, MailScanner doesn't unpack archives (as it doesn't > > need to). > > -- > > Julian Field > > www.MailScanner.info > > MailScanner thanks transtec Computers for their support > >To be honest, even those decent antivirus programs aren't perfect. >The majority of the programs are black boxes, you just believe that >it works. MailScanner is a nice program and maybe it would be nice >to have a separate layer for unpacking, where you can control for >example the nesting depth and prevent various DoS attacks. MailScanner is already protected against this type of DoS attack. The famous "zip of death" causes no problem at all. > Then you >just keep the unpacking utilities up-to-date. I'm surprised that >nobody has attempted to program such thing. It's actually quite difficult, as you can't rely on the filename to be honest about the compression type, so you would have to try all the decompressors in turn and find which one works. And then you open yourself up to all sorts of attacks including malicious filenames in the archives which the decompressors don't check properly. 
Keeping it all in the memory of the virus scanner is a *whole lot* safer. And the decent virus scanners can unpack virtually everything that a user can unpack. -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support From kwang at UCALGARY.CA Mon Mar 3 19:31:27 2003 From: kwang at UCALGARY.CA (Kai Wang) Date: Thu Jan 12 21:17:22 2006 Subject: confusing spam rules References: <5.2.0.9.2.20030303190538.0268fed8@imap.ecs.soton.ac.uk> Message-ID: <3E63AD8F.8066AD97@ucalgary.ca> Thank you for your reply, Julian. Is it possible to check a name against the SMTP connection in the next version? We are running a spam bouncing program for incoming. We have more than 1000 entries of the domain name rules (most of them have wildcards). We plan to migrate the rules to MailScanner. This is really important to us. Kai Julian Field wrote: > At 17:35 03/03/2003, you wrote: > >We plan to use MailScanner to tag the spam messages. After > >a few tests, I found the spam rules in MailScanner are very > >confusing. > > > > In /etc/MailScanner/MailScanner.conf: > > > >---------------------------------------------------------------------------- > > > > Is Definitely Not Spam = /etc/MailScanner/rules/spam.whitelist.rules > > > > Is Definitely Spam = /etc/MailScanner/rules/spam.blacklist.rules > > > >1) Domain name does not match but ip address matches > > > > I configured a host name in > >/etc/MailScanner/rules/spam.blacklist.rules > > and sent a message from the machine, the message did not match the > >rule. > > Then I replaced the hostname with its IP address and sent the same > > message again from the same machine, it matched the spam rule. 
> > > > cat /etc/MailScanner/rules/spam.whitelist.rules > > FromTo: default no > > > > cat /etc/MailScanner/rules/spam.blacklist.rules 
> > From: /lms5.acs.ucalgary.ca/ yes > > FromTo: default no > > If it is a name in the pattern, then it is checking the envelope sender of > the message, whereas a numerical test will check the other end of the SMTP > connection. > > >2) wildcard(*) sometimes works, sometimes not > > > > The black list rule "To: fs50*@ucalgary.ca yes" does not match > > a message to fs501@ucalgary.ca. But the black list rule "From: > > fs50*@ucalgary.ca yes" matches a message from fs501@ucalgary.ca. > > Don't understand that at all. Suggest you re-check your tests. All the > rulesets are built from exactly the same code, so they must behave the same. > -- > Julian Field > www.MailScanner.info > Professional Support Services at www.MailScanner.biz > MailScanner thanks transtec Computers for their support From mailscanner at LISTS.COM.AR Mon Mar 3 19:58:06 2003 From: mailscanner at LISTS.COM.AR (Mariano Absatz) Date: Thu Jan 12 21:17:22 2006 Subject: MS vs. Trend Message-ID: <3E63899F.16595.5879BE34@localhost> Hi there, I'm faced with making a "business case" of "mailscanner+some commercial av" against trend micro "complete antivirus/antispam/whatever solution"... I wonder if anyone out there have some input for it... TIA -- Mariano Absatz El Baby ---------------------------------------------------------- It's hard to be humble when you're perfect. From simon at ADVANTAGE-INTERACTIVE.COM Mon Mar 3 20:02:11 2003 
From: simon at ADVANTAGE-INTERACTIVE.COM (Simon Dick) Date: Thu Jan 12 21:17:22 2006 Subject: Attachments - packed files In-Reply-To: <5.2.0.9.2.20030303191312.027f1f68@imap.ecs.soton.ac.uk> References: <5.2.0.9.2.20030303191312.027f1f68@imap.ecs.soton.ac.uk> Message-ID: <1046721730.628.1.camel@laptop.internal.irrelevant.org> On Mon, 2003-03-03 at 19:16, Julian Field wrote: > At 17:47 03/03/2003, you wrote: > >Julian Field wrote .. > > > At 15:37 03/03/2003, you wrote: > > > > I want to just make sure that MailScanner doesn't unpack > > > >attachments with a corresponding external program. Why am I asking? > > > >Some antivirus scanners aren't perfect and I want to unpack all the > > > >compressed attachments for them and then let them scan the unpacked > > > >files. Has anybody written such hack or his own antivirus wrapper? > > > > > > All the decent anti-virus programs unpack every common archive format > > > already. If your scanning engine doesn't unpack archives, then I suggest > > > you buy a better one :-) > > > You are quite correct, MailScanner doesn't unpack archives (as it doesn't > > > need to). > > > -- > > > Julian Field > > > www.MailScanner.info > > > MailScanner thanks transtec Computers for their support > > > >To be honest, even those decent antivirus programs aren't perfect. > >The majority of the programs are black boxes, you just believe that > >it works. MailScanner is a nice program and maybe it would be nice > >to have a separate layer for unpacking, where you can control for > >example the nesting depth and prevent various DoS attacks. > > MailScanner is already protected against this type of DoS attack. The > famous "zip of death" causes no problem at all. Until you get to the virus scanners checking it, I've tried that 42.zip file with my install of mailscanner (not the latest version now, but it was at the time) and both f-prot and clamav used most of the cpu time. 
Shame there's no way to detect the zip file before passing it through :| -- Simon Dick From mailscanner at ecs.soton.ac.uk Mon Mar 3 20:07:18 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:22 2006 Subject: MS vs. Trend In-Reply-To: <3E63899F.16595.5879BE34@localhost> Message-ID: <5.2.0.9.2.20030303200318.0268b540@imap.ecs.soton.ac.uk> At 19:58 03/03/2003, you wrote: >Hi there, > >I'm faced with making a "business case" of "mailscanner+some commercial av" >against trend micro "complete antivirus/antispam/whatever solution"... I >wonder if anyone out there have some input for it... Short of simply comparing the price, I can probably produce some evidence tomorrow in the office. I have the white paper that MessageLabs released describing why you should use their service. If you knock off the price of their service, you end up with even bigger savings. Have you any more info on what I should be concentrating? The more info the better. The price is easily taken care of. F-Prot is very good and costs $300 per server, + the cost of a little PC to run it all on. How much have you been quoted for Trend Micro's system? Feel free to mail me off-list to stop numbers becoming public knowledge. -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support From craig at STRONG-BOX.NET Mon Mar 3 20:20:11 2003 
From: craig at STRONG-BOX.NET (Craig Pratt) Date: Thu Jan 12 21:17:22 2006 Subject: Attachments - packed files In-Reply-To: <1046721730.628.1.camel@laptop.internal.irrelevant.org> Message-ID: <88EEB8DC-4DB5-11D7-882D-000393B9390A@strong-box.net> I just tested RAV AV with the infamous 42.zip file and it doesn't seem to faze it. It must incorporate some kind of heuristic to limit how much archive decompression it does. The output it produces is:

    RAV AntiVirus command line for Linux i686.
    Version: 8.3.1.
    Copyright (c) 1996-2001 GeCAD The Software Company. All rights reserved.

    Scan engine 8.11 for i386.
    Last update: Mon Mar 3 09:18:44 2003
    Scanning for 77551 malwares (viruses, trojans and worms).

    Scan started on Mon Mar 3 12:09:36 2003

    42.zip - OK
    42.zip->lib 3.zip - OK
    42.zip->lib 3.zip->book 3.zip - OK
    42.zip->lib 3.zip->book 3.zip->chapter 4.zip - OK
    42.zip->lib 3.zip->book 3.zip->chapter 4.zip->doc 0.zip - OK

    Scan ended on Mon Mar 3 12:09:36 2003

    Scan results:
    Time: 0 second(s).
    Objects scanned: 5. New objects: 5
    Infected: 0. Different virus bodies: 0.
    Files: 1. Directories: 0. Archives: 5. Packed: 0. Mail files: 0.
    Warnings: 0.

Yet it does work with a nasty zip I created with 3 EICAR test files:

    eicar.zip.zip.zip.zip - OK
    eicar.zip.zip.zip.zip->eicar.com Infected: EICAR_Test_File
    eicar.zip.zip.zip.zip->eicar.zip.zip.zip - OK
    eicar.zip.zip.zip.zip->eicar.zip.zip.zip->eicar.zip.zip - OK
    eicar.zip.zip.zip.zip->eicar.zip.zip.zip->eicar.zip.zip->eicar.zip - OK
    eicar.zip.zip.zip.zip->eicar.zip.zip.zip->eicar.zip.zip->eicar.zip->eicar.com Infected: EICAR_Test_File
    eicar.zip.zip.zip.zip->eicar.zip.zip.zip->eicar.com Infected: EICAR_Test_File

Time: real 0m1.440s user 0m1.330s sys 0m0.090s

So I'd say RAV's doing a good job - FWIW. Craig On Monday, March 3, 2003, at 12:02 PM, Simon Dick wrote: > On Mon, 2003-03-03 at 19:16, Julian Field wrote: >> At 17:47 03/03/2003, you wrote: >>> Julian Field wrote .. 
>>>> At 15:37 03/03/2003, you wrote: >>>>> I want to just make sure that MailScanner doesn't unpack >>>>> attachments with a corresponding external program. Why am I asking? >>>>> Some antivirus scanners aren't perfect and I want to unpack all the >>>>> compressed attachments for them and then let them scan the unpacked >>>>> files. Has anybody written such hack or his own antivirus wrapper? >>>> >>>> All the decent anti-virus programs unpack every common archive >>>> format >>>> already. If your scanning engine doesn't unpack archives, then I >>>> suggest >>>> you buy a better one :-) >>>> You are quite correct, MailScanner doesn't unpack archives (as it >>>> doesn't >>>> need to). >>>> -- >>>> Julian Field >>>> www.MailScanner.info >>>> MailScanner thanks transtec Computers for their support >>> >>> To be honest, even those decent antivirus programs aren't perfect. >>> The majority of the programs are black boxes, you just believe that >>> it works. MailScanner is a nice program and maybe it would be nice >>> to have a separate layer for unpacking, where you can control for >>> example the nesting depth and prevent various DoS attacks. >> >> MailScanner is already protected against this type of DoS attack. The >> famous "zip of death" causes no problem at all. > > Until you get to the virus scanners checking it, I've tried that 42.zip > file with my install of mailscanner (not the latest version now, but it > was at the time) and both f-prot and clamav used most of the cpu time. > Shame there's no way to detect the zip file before passing it through > :| > > -- > Simon Dick > > -- > This message checked for dangerous content by MailScanner on StrongBox. > -- This message checked for dangerous content by MailScanner on StrongBox. From Kevin.Spicer at BMRB.CO.UK Mon Mar 3 20:21:09 2003 
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin) Date: Thu Jan 12 21:17:22 2006 Subject: MS vs. Trend Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0A4AD48@pascal.priv.bmrb.co.uk> > > Hi there, > > I'm faced with making a "business case" of "mailscanner+some > commercial av" > against trend micro "complete antivirus/antispam/whatever > solution"... I > wonder if anyone out there have some input for it... > Well I'd start by analysing the speed with which bugs are fixed! (seriously have a look through the list and you'll see!). Argue that the money you spend on the virus vendor's mail scanning tool would be better spent on a second AV product - so you can run MailScanner with two virus scanners for better protection, (throw in clam for free and you've got 3 scanners(!)). What about spamassassin integration? The flexibility of rulesets? The extensibility with CustomConfig. Proven reliability. Commercial support options (if that's the worry). Take a look at the list of organisations using MailScanner (on the website). What about the opinions of real users - here's one, "It rocks" (and you can quote me on that!). In future years you can shop around for the best deal on scanning engines without the worry of having to rebuild your mailserver. Take another angle - what benefits does the commercial product offer that MS doesn't to justify its price? BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. 
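Added example (not written by any poster in this archive, and not MailScanner's code): the "Attachments - packed files" thread above discusses an unpacking layer that limits nesting depth, cannot trust the filename for the archive type, and has to be wary of malicious member names. The Python below applies those checks to zip attachments entirely in memory; the Limits values, the function names and the sample archives are assumptions constructed for illustration.

```python
"""Bounded, in-memory triage of (possibly nested) zip attachments."""
import io
import zipfile
import zlib
from dataclasses import dataclass


@dataclass
class Limits:  # hypothetical policy values, not MailScanner settings
    max_depth: int = 4                 # archive-in-archive levels allowed
    max_members: int = 500             # entries counted across all levels
    max_total: int = 20 * 1024 * 1024  # decompressed bytes across all levels
    max_ratio: int = 200               # declared size / compressed size


class ArchiveRejected(Exception):
    """The attachment breaks policy: quarantine it instead of scanning."""


def unsafe_name(name):
    """True for member names that could escape an extraction directory."""
    parts = name.replace("\\", "/").split("/")
    return (name.startswith(("/", "\\")) or ".." in parts
            or "\x00" in name or name[1:2] == ":")


def collect_leaves(data, limits, name="<attachment>", depth=0, state=None):
    """Return [(path, bytes)] of non-archive files, never touching disk."""
    state = {"members": 0, "bytes": 0} if state is None else state
    # Decide by content, not by filename: the name may lie about the type.
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return [(name, data)]
    if depth >= limits.max_depth:
        raise ArchiveRejected(f"{name}: nesting deeper than {limits.max_depth}")
    leaves = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                path = f"{name}->{info.filename}"
                state["members"] += 1
                if state["members"] > limits.max_members:
                    raise ArchiveRejected(f"{path}: too many members")
                if unsafe_name(info.filename):
                    raise ArchiveRejected(f"{path}: unsafe member name")
                if info.flag_bits & 0x1:
                    raise ArchiveRejected(f"{path}: encrypted, cannot inspect")
                if info.file_size > limits.max_ratio * max(info.compress_size, 1):
                    raise ArchiveRejected(f"{path}: compression ratio too high")
                # Declared sizes can lie, so also cap the bytes actually read.
                budget = limits.max_total - state["bytes"]
                with zf.open(info) as member:
                    blob = member.read(budget + 1)
                if len(blob) > budget:
                    raise ArchiveRejected(f"{path}: size budget exceeded")
                state["bytes"] += len(blob)
                leaves += collect_leaves(blob, limits, path, depth + 1, state)
    except (zipfile.BadZipFile, zlib.error, NotImplementedError) as exc:
        raise ArchiveRejected(f"{name}: unreadable archive ({exc})") from exc
    return leaves


def triage(data, limits=None):
    """Return ("scan", [paths]) or ("quarantine", reason)."""
    try:
        leaves = collect_leaves(data, limits or Limits())
    except ArchiveRejected as exc:
        return "quarantine", str(exc)
    return "scan", [path for path, _ in leaves]


def make_zip(members):
    """Build a zip in memory from [(member_name, bytes)] (sample helper)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for member_name, blob in members:
            zf.writestr(member_name, blob)
    return buf.getvalue()


def nest(blob, levels):
    """Wrap blob in `levels` zips whose member names hide the type."""
    for n in range(levels):
        blob = make_zip([(f"level{n}.bin", blob)])
    return blob


# Constructed samples, harmless bytes only.
SAMPLE_NESTED = nest(b"constructed harmless payload", 3)
SAMPLE_DEEP = nest(b"constructed harmless payload", 6)
SAMPLE_INFLATING = make_zip([("zeros.dat", bytes(2 * 1024 * 1024))])
SAMPLE_BAD_NAME = make_zip([("../outside.txt", b"x")])

if __name__ == "__main__":
    for label, sample in [("nested", SAMPLE_NESTED), ("deep", SAMPLE_DEEP),
                          ("inflating", SAMPLE_INFLATING),
                          ("bad name", SAMPLE_BAD_NAME)]:
        print(label, triage(sample))
```

Only the leaves returned by a "scan" verdict would be handed to the virus scanner; anything quarantined never reaches it, which addresses the CPU-time problem reported for 42.zip.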
From jrudd at UCSC.EDU Mon Mar 3 20:38:29 2003 From: jrudd at UCSC.EDU (John Rudd) Date: Thu Jan 12 21:17:22 2006 Subject: rfc822 format Message-ID: <200303032038.h23KcTw08419@kzin.ucsc.edu> Is it currently possible to have mailscanner take its incoming queue messages in rfc822 format instead of sendmail mailqueue format? If it's not, can that be added as a feature? From miguelk at KONSULTEX.COM.BR Mon Mar 3 20:40:47 2003 From: miguelk at KONSULTEX.COM.BR (Miguel Koren OBrien de Lacy) Date: Thu Jan 12 21:17:22 2006 Subject: MS vs. Trend In-Reply-To: <3E63899F.16595.5879BE34@localhost> References: <3E63899F.16595.5879BE34@localhost> Message-ID: <20030303204047.M87338@konsultex.com.br> Mariano; If your comparison is based in Argentina, I would say that at the moment the price (initial and ongoing...) comparison is far more important than appears at first ;-) As Kevin said, I can see absolutely no benefit in a Trend solution.
1) virus catching performance = depends on the engine (is Trend that good?)
2) spam = SpamAssassin is state of the art
3) administration = Mail Scanner is 'set and forget' (unless you use Sophos)
We have been running MailScanner (also in Brazil) for about 2 years and the performance, bug fixes, additional tools, etc. have been excellent. We saved a bundle and have not had any problems. We are currently evaluating the use of CLAM to eliminate any cost whatsoever. If you would like system support with this in Buenos Aires let me know by separate mail. Miguel -- Konsultex Informatica (http://www.konsultex.com.br) ---------- Original Message ----------- 
From: Mariano Absatz To: MAILSCANNER@JISCMAIL.AC.UK Sent: Mon, 3 Mar 2003 16:58:06 -0300 Subject: MS vs. Trend > Hi there, > > I'm faced with making a "business case" of "mailscanner+some commercial av" > against trend micro "complete antivirus/antispam/whatever solution"... I > wonder if anyone out there have some input for it... > > TIA > > -- > Mariano Absatz > El Baby > ---------------------------------------------------------- > It's hard to be humble when you're perfect. ------- End of Original Message ------- From Kevin.Spicer at BMRB.CO.UK Mon Mar 3 20:50:08 2003 From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin) Date: Thu Jan 12 21:17:22 2006 Subject: [RHSA-2003:073-06] Updated sendmail packages fix critical sec urity issues Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0EBF43C@pascal.priv.bmrb.co.uk> Thanks for that! One little gotcha to look out for... I just upgraded the rpms on my Mandrake box and the postinstall script kicked off a new sendmail process, bypassing MailScanner (Whoops!). Dunno if this happens with other packages but its worth checking! > -----Original Message----- 
> From: Richard, Matt [mailto:matthew.richard@COCC.COM] > Sent: Monday, March 03, 2003 9:49 AM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: FW: [RHSA-2003:073-06] Updated sendmail packages fix critical > sec urity issues > > > For those who have not already seen the advisory. It appears > to effect > sendmail on many different platforms. > > BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. From mailscanner at ecs.soton.ac.uk Mon Mar 3 20:56:47 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:22 2006 Subject: rfc822 format In-Reply-To: <200303032038.h23KcTw08419@kzin.ucsc.edu> Message-ID: <5.2.0.9.2.20030303204226.027e2490@imap.ecs.soton.ac.uk> At 20:38 03/03/2003, you wrote: >Is it currently possible to have mailscanner take its incoming queue >messages in rfc822 format instead of sendmail mailqueue format? > >If it's not, can that be added as a feature? It's not there yet, but it could well appear once the postfix integration has been done. After sorting everything out for postfix (which has 1 file per message vs. sendmail+Exim which have 2) this shouldn't be a hard addition and would create compatibility with some other MTA's. But don't hold your breath, it's going to take a while. Once the support load problems are solved (spent this afternoon writing a business proposal :( I hope to have more time to spend on development. You may have noticed there hasn't been much devel in the past couple of months. I've also got plans for some roll-your-own content filtering. An external program that gets passed the contents of parts of messages so you can do whatever filtering you like. Everything from a "Swedish chef" translator (check out http://www.muppetworld.com/cooking/index.html if you don't know what I mean) to a dirty-picture filter looking for areas of pink. I'll leave it up to you to write the filters (with a few examples to get you started). I've yet to get the protocols sorted out, so that the external program can be run for multiple messages. It needs to be fast! -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Mon Mar 3 20:59:10 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:22 2006 Subject: [RHSA-2003:073-06] Updated sendmail packages fix critical sec urity issues In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB0EBF43C@pascal.priv.bmrb.co .uk> Message-ID: <5.2.0.9.2.20030303205817.027e37b8@imap.ecs.soton.ac.uk> I wouldn't be surprised if the RPMs do a "chkconfig sendmail on" among other things :-( They really should recognise they are being upgraded and not freshly installed and therefore leave your system alone. At 20:50 03/03/2003, you wrote: >Thanks for that! One little gotcha to look out for... I just upgraded the >rpms on my Mandrake box and the postinstall script kicked off a new >sendmail process, bypassing MailScanner (Whoops!). Dunno if this happens >with other packages but its worth checking! > > > -----Original Message----- 
> > From: Richard, Matt [mailto:matthew.richard@COCC.COM] > > Sent: Monday, March 03, 2003 9:49 AM > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: FW: [RHSA-2003:073-06] Updated sendmail packages fix critical > > sec urity issues > > > > > > For those who have not already seen the advisory. It appears > > to effect > > sendmail on many different platforms. > > > > > > > >BMRB International >http://www.bmrb.co.uk >+44 (0)20 8566 5000 >_________________________________________________________________ >This message (and any attachment) is intended only for the >recipient and may contain confidential and/or privileged >material. If you have received this in error, please contact the >sender and delete this message immediately. Disclosure, copying >or other action taken in respect of this email or in >reliance on it is prohibited. BMRB International Limited >accepts no liability in relation to any personal emails, or >content of any email which does not directly relate to our >business. -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Mon Mar 3 20:41:18 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:22 2006
Subject: Attachments - packed files
In-Reply-To: <88EEB8DC-4DB5-11D7-882D-000393B9390A@strong-box.net>
References: <1046721730.628.1.camel@laptop.internal.irrelevant.org>
Message-ID: <5.2.0.9.2.20030303204012.0281ff80@imap.ecs.soton.ac.uk>

At 20:20 03/03/2003, you wrote:
>I just tested RAV AV with the infamous 42.zip file and it doesn't seem
>to faze it.

Great. The other ones tend to consume CPU time until MailScanner comes
along and kills them for taking too long.

>It must incorporate some kind of heuristic to limit how much archive
>decompression it does. The output it produces is:
>
> RAV AntiVirus command line for Linux i686.
> Version: 8.3.1.
> Copyright (c) 1996-2001 GeCAD The Software Company. All rights reserved.
>
> Scan engine 8.11 for i386.
> Last update: Mon Mar 3 09:18:44 2003
> Scanning for 77551 malwares (viruses, trojans and worms).
>
> Scan started on Mon Mar 3 12:09:36 2003
>
> 42.zip - OK
> 42.zip->lib 3.zip - OK
> 42.zip->lib 3.zip->book 3.zip - OK
> 42.zip->lib 3.zip->book 3.zip->chapter 4.zip - OK
> 42.zip->lib 3.zip->book 3.zip->chapter 4.zip->doc 0.zip - OK
>
> Scan ended on Mon Mar 3 12:09:36 2003
>
> Scan results:
> Time: 0 second(s).
> Objects scanned: 5. New objects: 5
> Infected: 0. Different virus bodies: 0.
> Files: 1. Directories: 0. Archives: 5. Packed: 0. Mail files: 0.
> Warnings: 0.
>
>Yet it does work with a nasty zip I created with 3 EICAR test files:
>
> eicar.zip.zip.zip.zip - OK
> eicar.zip.zip.zip.zip->eicar.com Infected: EICAR_Test_File
> eicar.zip.zip.zip.zip->eicar.zip.zip.zip - OK
> eicar.zip.zip.zip.zip->eicar.zip.zip.zip->eicar.zip.zip - OK
> eicar.zip.zip.zip.zip->eicar.zip.zip.zip->eicar.zip.zip->eicar.zip - OK
> eicar.zip.zip.zip.zip->eicar.zip.zip.zip->eicar.zip.zip->eicar.zip->eicar.com Infected: EICAR_Test_File
> eicar.zip.zip.zip.zip->eicar.zip.zip.zip->eicar.com Infected: EICAR_Test_File
>
>Time: real 0m1.440s user 0m1.330s sys 0m0.090s
>
>So I'd say RAV's doing a good job - FWIW.
>
>Craig
>
>On Monday, March 3, 2003, at 12:02 PM, Simon Dick wrote:
>>On Mon, 2003-03-03 at 19:16, Julian Field wrote:
>>>At 17:47 03/03/2003, you wrote:
>>>>Julian Field wrote ..
>>>>>At 15:37 03/03/2003, you wrote:
>>>>>> I want to just make sure that MailScanner doesn't unpack
>>>>>>attachments with a corresponding external program. Why am I asking?
>>>>>>Some antivirus scanners aren't perfect and I want to unpack all the
>>>>>>compressed attachments for them and then let them scan the unpacked
>>>>>>files. Has anybody written such hack or his own antivirus wrapper?
>>>>>
>>>>>All the decent anti-virus programs unpack every common archive
>>>>>format
>>>>>already. If your scanning engine doesn't unpack archives, then I
>>>>>suggest
>>>>>you buy a better one :-)
>>>>>You are quite correct, MailScanner doesn't unpack archives (as it
>>>>>doesn't
>>>>>need to).
>>>>>--
>>>>>Julian Field
>>>>>www.MailScanner.info
>>>>>MailScanner thanks transtec Computers for their support
>>>>
>>>>To be honest, even those decent antivirus programs aren't perfect.
>>>>The majority of the programs are black boxes, you just believe that
>>>>it works. MailScanner is a nice program and maybe it would be nice
>>>>to have a separate layer for unpacking, where you can control for
>>>>example the nesting depth and prevent various DoS attacks.
>>>
>>>MailScanner is already protected against this type of DoS attack. The
>>>famous "zip of death" causes no problem at all.
>>
>>Until you get to the virus scanners checking it, I've tried that 42.zip
>>file with my install of mailscanner (not the latest version now, but it
>>was at the time) and both f-prot and clamav used most of the cpu time.
>>Shame there's no way to detect the zip file before passing it through
>>:|
>>
>>--
>>Simon Dick
>>
>>--
>>This message checked for dangerous content by MailScanner on StrongBox.
>
>
>--
>This message checked for dangerous content by MailScanner on StrongBox.

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

From jwilliam at KCR.UKY.EDU Mon Mar 3 21:08:15 2003
From: jwilliam at KCR.UKY.EDU (John Williams)
Date: Thu Jan 12 21:17:22 2006
Subject: [RHSA-2003:073-06] Updated sendmail packages fix critical security issues
In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB0EBF43C@pascal.priv.bmrb.co.uk>
Message-ID: <5.1.1.5.2.20030303160620.00b96d08@mail.kcr.uky.edu>

Didn't happen on Solaris 8 and Sendmail Switch. I patched it to
2.2.5 Took less than 5 min.

I appreciate the heads up about Sendmail!

John

At 08:50 PM 3/3/2003 +0000, you wrote:
>Thanks for that! One little gotcha to look out for... I just upgraded the
>rpms on my Mandrake box and the postinstall script kicked off a new
>sendmail process, bypassing MailScanner (Whoops!). Dunno if this happens
>with other packages but its worth checking!
>
> > -----Original Message-----
> > From: Richard, Matt [mailto:matthew.richard@COCC.COM]
> > Sent: Monday, March 03, 2003 9:49 AM
> > To: MAILSCANNER@JISCMAIL.AC.UK
> > Subject: FW: [RHSA-2003:073-06] Updated sendmail packages fix critical
> > sec urity issues
> >
> >
> > For those who have not already seen the advisory. It appears
> > to effect
> > sendmail on many different platforms.
> >
> >
>
>
>
>BMRB International
>http://www.bmrb.co.uk
>+44 (0)20 8566 5000
>_________________________________________________________________
>This message (and any attachment) is intended only for the
>recipient and may contain confidential and/or privileged
>material. If you have received this in error, please contact the
>sender and delete this message immediately. Disclosure, copying
>or other action taken in respect of this email or in
>reliance on it is prohibited. BMRB International Limited
>accepts no liability in relation to any personal emails, or
>content of any email which does not directly relate to our
>business.

From Harish.Amin at DEG.STATE.WI.US Mon Mar 3 21:22:58 2003
From: Harish.Amin at DEG.STATE.WI.US (Amin, Harish)
Date: Thu Jan 12 21:17:22 2006
Subject: [RHSA-2003:073-06] Updated sendmail packages fix critical security issues
Message-ID: <47F3EDACE4BC3A4594D0D7B504062BBD019C69E4@doamail04.doa.wistate.us>

You mean Sendmail from SUN on Solaris 8 , can you how you went about it

-----Original Message-----
From: John Williams [mailto:jwilliam@KCR.UKY.EDU]
Sent: Monday, March 03, 2003 3:08 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: [RHSA-2003:073-06] Updated sendmail packages fix critical
sec urity issues

Didn't happen on Solaris 8 and Sendmail Switch. I patched it to
2.2.5 Took less than 5 min.

I appreciate the heads up about Sendmail!

John

At 08:50 PM 3/3/2003 +0000, you wrote:
>Thanks for that! One little gotcha to look out for... I just upgraded the
>rpms on my Mandrake box and the postinstall script kicked off a new
>sendmail process, bypassing MailScanner (Whoops!). Dunno if this happens
>with other packages but its worth checking!
>
> > -----Original Message-----
> > From: Richard, Matt [mailto:matthew.richard@COCC.COM]
> > Sent: Monday, March 03, 2003 9:49 AM
> > To: MAILSCANNER@JISCMAIL.AC.UK
> > Subject: FW: [RHSA-2003:073-06] Updated sendmail packages fix critical
> > sec urity issues
> >
> >
> > For those who have not already seen the advisory. It appears
> > to effect
> > sendmail on many different platforms.
> >
> >
>
>
>
>BMRB International
>http://www.bmrb.co.uk
>+44 (0)20 8566 5000
>_________________________________________________________________
>This message (and any attachment) is intended only for the
>recipient and may contain confidential and/or privileged
>material. If you have received this in error, please contact the
>sender and delete this message immediately. Disclosure, copying
>or other action taken in respect of this email or in
>reliance on it is prohibited. BMRB International Limited
>accepts no liability in relation to any personal emails, or
>content of any email which does not directly relate to our
>business.

From raymond at PROLOCATION.NET Mon Mar 3 21:26:24 2003
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:17:22 2006
Subject: [RHSA-2003:073-06] Updated sendmail packages fix critical security issues
In-Reply-To: <47F3EDACE4BC3A4594D0D7B504062BBD019C69E4@doamail04.doa.wistate.us>
Message-ID:

Julian,

[root@toverdoos root]# chkconfig --list | grep sendmail
sendmail 0:off 1:off 2:off 3:off 4:off 5:off 6:off
[root@toverdoos root]#

Looks on on my freshly upgraded RH 7.3, let's see on the 7.2 ones:

[root@fallback root]# chkconfig --list | grep sendmail
sendmail 0:off 1:off 2:off 3:off 4:off 5:off 6:off

Same here. Seems it's not touching it at all with 'upgrade'

At least not on my boxes :)

Bye,
Raymond.

From Denis.Beauchemin at USHERBROOKE.CA Mon Mar 3 21:26:44 2003
From: Denis.Beauchemin at USHERBROOKE.CA (Denis Beauchemin)
Date: Thu Jan 12 21:17:22 2006
Subject: [RHSA-2003:073-06] Updated sendmail packages fix critical security issues
In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB0EBF43C@pascal.priv.bmrb.co.uk>
References: <5C0296D26910694BB9A9BBFC577E7AB0EBF43C@pascal.priv.bmrb.co.uk>
Message-ID: <1046726804.1602.26.camel@dbeauchemin.si.usherbrooke.ca>

Did OK on my RedHat 7.3 systems.

Denis

On Mon 03/03/2003 at 15:50, Spicer, Kevin wrote:
> Thanks for that! One little gotcha to look out for... I just upgraded the rpms on my Mandrake box and the postinstall script kicked off a new sendmail process, bypassing MailScanner (Whoops!). Dunno if this happens with other packages but its worth checking!
>
> > -----Original Message-----
> > From: Richard, Matt [mailto:matthew.richard@COCC.COM]
> > Sent: Monday, March 03, 2003 9:49 AM
> > To: MAILSCANNER@JISCMAIL.AC.UK
> > Subject: FW: [RHSA-2003:073-06] Updated sendmail packages fix critical
> > sec urity issues
> >
> >
> > For those who have not already seen the advisory. It appears
> > to effect
> > sendmail on many different platforms.
> >
> >
>
>
>
> BMRB International
> http://www.bmrb.co.uk
> +44 (0)20 8566 5000
> _________________________________________________________________
> This message (and any attachment) is intended only for the
> recipient and may contain confidential and/or privileged
> material. If you have received this in error, please contact the
> sender and delete this message immediately. Disclosure, copying
> or other action taken in respect of this email or in
> reliance on it is prohibited. BMRB International Limited
> accepts no liability in relation to any personal emails, or
> content of any email which does not directly relate to our
> business.

--
Denis Beauchemin, analyst
Université de Sherbrooke, S.T.I.
T: 819.821.8000x2252 F: 819.821.8045

From craig at STRONG-BOX.NET Mon Mar 3 21:27:35 2003
From: craig at STRONG-BOX.NET (Craig Pratt)
Date: Thu Jan 12 21:17:22 2006
Subject: [RHSA-2003:073-06] Updated sendmail packages fix critical security issues
In-Reply-To: <5.2.0.9.2.20030303205817.027e37b8@imap.ecs.soton.ac.uk>
Message-ID:

I was worried about that too. But I can confirm that the RH update
didn't do that - thankfully:

$ sudo -H up2date -i sendmail sendmail-cf
$ chkconfig --list sendmail
sendmail 0:off 1:off 2:off 3:off 4:off 5:off 6:off

Craig

On Monday, March 3, 2003, at 12:59 PM, Julian Field wrote:

> I wouldn't be surprised if the RPMs do a "chkconfig sendmail on" among
> other things :-(
> They really should recognise they are being upgraded and not freshly
> installed and therefore leave your system alone.
>
> At 20:50 03/03/2003, you wrote:
>> Thanks for that! One little gotcha to look out for... I just
>> upgraded the
>> rpms on my Mandrake box and the postinstall script kicked off a new
>> sendmail process, bypassing MailScanner (Whoops!). Dunno if this
>> happens
>> with other packages but its worth checking!
>>
>> > -----Original Message-----
>> > From: Richard, Matt [mailto:matthew.richard@COCC.COM]
>> > Sent: Monday, March 03, 2003 9:49 AM
>> > To: MAILSCANNER@JISCMAIL.AC.UK
>> > Subject: FW: [RHSA-2003:073-06] Updated sendmail packages fix
>> critical
>> > sec urity issues
>> >
>> >
>> > For those who have not already seen the advisory. It appears
>> > to effect
>> > sendmail on many different platforms.
>> >
>> >
>>
>>
>>
>> BMRB International
>> http://www.bmrb.co.uk
>> +44 (0)20 8566 5000
>> _________________________________________________________________
>> This message (and any attachment) is intended only for the
>> recipient and may contain confidential and/or privileged
>> material. If you have received this in error, please contact the
>> sender and delete this message immediately. Disclosure, copying
>> or other action taken in respect of this email or in
>> reliance on it is prohibited. BMRB International Limited
>> accepts no liability in relation to any personal emails, or
>> content of any email which does not directly relate to our
>> business.
>
> --
> Julian Field
> www.MailScanner.info
> Professional Support Services at www.MailScanner.biz
> MailScanner thanks transtec Computers for their support
>
> --
> This message checked for dangerous content by MailScanner on StrongBox.
>

--
This message checked for dangerous content by MailScanner on StrongBox.

From jwilliam at KCR.UKY.EDU Mon Mar 3 21:35:21 2003
From: jwilliam at KCR.UKY.EDU (John Williams)
Date: Thu Jan 12 21:17:22 2006
Subject: [RHSA-2003:073-06] Updated sendmail packages fix critical security issues
In-Reply-To: <47F3EDACE4BC3A4594D0D7B504062BBD019C69E4@doamail04.doa.wistate.us>
Message-ID: <5.1.1.5.2.20030303162547.00bbae60@mail.kcr.uky.edu>

We use a commercial version of Sendmail, Sendmail Switch 2.2. They had a
patch that updated it to 2.2.5, which fixes the new bug. We run it on Sun
Solaris 8.

Sorry, I know that's not much help.

At 03:22 PM 3/3/2003 -0600, you wrote:
>You mean Sendmail from SUN on Solaris 8 , can you how you went about it
>
>-----Original Message-----
>From: John Williams [mailto:jwilliam@KCR.UKY.EDU]
>Sent: Monday, March 03, 2003 3:08 PM
>To: MAILSCANNER@JISCMAIL.AC.UK
>Subject: Re: [RHSA-2003:073-06] Updated sendmail packages fix critical
>sec urity issues
>
>
>Didn't happen on Solaris 8 and Sendmail Switch. I patched it to
>2.2.5 Took less than 5 min.
>
>I appreciate the heads up about Sendmail!
>
>John
>
>At 08:50 PM 3/3/2003 +0000, you wrote:
> >Thanks for that! One little gotcha to look out for... I just upgraded the
> >rpms on my Mandrake box and the postinstall script kicked off a new
> >sendmail process, bypassing MailScanner (Whoops!). Dunno if this happens
> >with other packages but its worth checking!
> >
> > > -----Original Message-----
> > > From: Richard, Matt [mailto:matthew.richard@COCC.COM]
> > > Sent: Monday, March 03, 2003 9:49 AM
> > > To: MAILSCANNER@JISCMAIL.AC.UK
> > > Subject: FW: [RHSA-2003:073-06] Updated sendmail packages fix critical
> > > sec urity issues
> > >
> > >
> > > For those who have not already seen the advisory. It appears
> > > to effect
> > > sendmail on many different platforms.
> > >
> > >
> >
> >
> >
> >BMRB International
> >http://www.bmrb.co.uk
> >+44 (0)20 8566 5000
> >_________________________________________________________________
> >This message (and any attachment) is intended only for the
> >recipient and may contain confidential and/or privileged
> >material. If you have received this in error, please contact the
> >sender and delete this message immediately. Disclosure, copying
> >or other action taken in respect of this email or in
> >reliance on it is prohibited. BMRB International Limited
> >accepts no liability in relation to any personal emails, or
> >content of any email which does not directly relate to our
> >business.

From craig at STRONG-BOX.NET Mon Mar 3 21:43:09 2003
From: craig at STRONG-BOX.NET (Craig Pratt)
Date: Thu Jan 12 21:17:22 2006
Subject: Warning: SuSE sendmail upgrade turns on sendmail (Was Re: [RHSA-2003:073-06] Updated sendmail packages fix critical security issues)
In-Reply-To: <5.2.0.9.2.20030303205817.027e37b8@imap.ecs.soton.ac.uk>
Message-ID: <2032737F-4DC1-11D7-882D-000393B9390A@strong-box.net>

WARNING: SuSE 8.1 SENDMAIL UPGRADE TURNS ON SENDMAIL AT RUNLEVEL 5

Just upgraded one of our SuSE 8.1 systems. And was watching for this:

$ chkconfig --list sendmail
sendmail 0:off 1:off 2:off 3:off 4:off 5:off 6:off
$ sudo rpm -U sendmail-8.12.6-91.i586.rpm
sendmail 0:off 1:off 2:off 3:on 4:off 5:on 6:off

With sendmail set to run at runlevel 5, it will bypass mailscanner (and
the all-important spam and virus scanning it provides ;^)

Note the remedy:

$ sudo chkconfig sendmail off
$ chkconfig --list sendmail
sendmail 0:off 1:off 2:off 3:off 4:off 5:off 6:off

Craig
craig@strong-box.net

On Monday, March 3, 2003, at 12:59 PM, Julian Field wrote:

> I wouldn't be surprised if the RPMs do a "chkconfig sendmail on" among
> other things :-(
> They really should recognise they are being upgraded and not freshly
> installed and therefore leave your system alone.
>
> At 20:50 03/03/2003, you wrote:
>> Thanks for that! One little gotcha to look out for... I just
>> upgraded the
>> rpms on my Mandrake box and the postinstall script kicked off a new
>> sendmail process, bypassing MailScanner (Whoops!). Dunno if this
>> happens
>> with other packages but its worth checking!
>>
>> > -----Original Message-----
>> > From: Richard, Matt [mailto:matthew.richard@COCC.COM]
>> > Sent: Monday, March 03, 2003 9:49 AM
>> > To: MAILSCANNER@JISCMAIL.AC.UK
>> > Subject: FW: [RHSA-2003:073-06] Updated sendmail packages fix
>> critical
>> > sec urity issues
>> >
>> >
>> > For those who have not already seen the advisory. It appears
>> > to effect
>> > sendmail on many different platforms.
>> >
>> >
>>
>>
>>
>> BMRB International
>> http://www.bmrb.co.uk
>> +44 (0)20 8566 5000
>> _________________________________________________________________
>> This message (and any attachment) is intended only for the
>> recipient and may contain confidential and/or privileged
>> material. If you have received this in error, please contact the
>> sender and delete this message immediately. Disclosure, copying
>> or other action taken in respect of this email or in
>> reliance on it is prohibited. BMRB International Limited
>> accepts no liability in relation to any personal emails, or
>> content of any email which does not directly relate to our
>> business.
>
> --
> Julian Field
> www.MailScanner.info
> Professional Support Services at www.MailScanner.biz
> MailScanner thanks transtec Computers for their support
>
> --
> This message checked for dangerous content by MailScanner on StrongBox.
>

--
This message checked for dangerous content by MailScanner on StrongBox.

From JeremyE at BSA.CA.GOV Mon Mar 3 22:00:22 2003
From: JeremyE at BSA.CA.GOV (Jeremy Evans)
Date: Thu Jan 12 21:17:22 2006
Subject: New INSTALL.OpenBSD
Message-ID: <2739ECF7268CD0118F50080009DCC9F00235D2DE@pebble.bsa.ca.gov>

Based on some of the changes made in 4.13-3 (no more changes to
check_mailscanner), some bugs in the instructions (updating the symbolic
links), and some reorganization (separate instructions for new installation
vs. upgrade), I've updated the INSTALL.OpenBSD instructions (included below).

Jeremy Evans
Information Systems Analyst
California State Auditor
916-445-0255 phone
916-322-7801 fax

-------------- next part --------------
A non-text attachment was scrubbed...
Name: INSTALL.OpenBSD
Type: application/octet-stream
Size: 2862 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030303/4de2d82d/INSTALL.obj

From Kevin.Spicer at BMRB.CO.UK Mon Mar 3 22:08:57 2003
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin)
Date: Thu Jan 12 21:17:22 2006
Subject: [RHSA-2003:073-06] Updated sendmail packages fix critical security issues
Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0A4AD49@pascal.priv.bmrb.co.uk>

Funnily enough I just upgraded my home box and didn't have a problem - reading the post install script it looks like the mandrake rpm runs a 'service sendmail restart' if it finds /var/lock/subsys/sendmail I guess I must have killed sendmail at some point when I built the box. chkconfig didn't turn anything on in either case (just a random sendmail process got kicked off).

Julian, there seem to be quite regular messages here from people who either didn't turn sendmail off with chkconfig, or who have random other sendmail processes running, (or who have packaging systems making random changes!) perhaps check_MailScanner should check for this?

> -----Original Message-----
> From: Spicer, Kevin
> Sent: 03 March 2003 20:50
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: [RHSA-2003:073-06] Updated sendmail packages fix critical
> sec urity issues
>
>
> Thanks for that! One little gotcha to look out for... I just
> upgraded the rpms on my Mandrake box and the postinstall
> script kicked off a new sendmail process, bypassing
> MailScanner (Whoops!). Dunno if this happens with other
> packages but its worth checking!
>
> > -----Original Message-----
> > From: Richard, Matt [mailto:matthew.richard@COCC.COM]
> > Sent: Monday, March 03, 2003 9:49 AM
> > To: MAILSCANNER@JISCMAIL.AC.UK
> > Subject: FW: [RHSA-2003:073-06] Updated sendmail packages
> fix critical
> > sec urity issues
> >
> >
> > For those who have not already seen the advisory. It appears
> > to effect
> > sendmail on many different platforms.
> >
> >
>
>
>
> BMRB International
> http://www.bmrb.co.uk
> +44 (0)20 8566 5000
> _________________________________________________________________
> This message (and any attachment) is intended only for the
> recipient and may contain confidential and/or privileged
> material. If you have received this in error, please contact the
> sender and delete this message immediately. Disclosure, copying
> or other action taken in respect of this email or in
> reliance on it is prohibited. BMRB International Limited
> accepts no liability in relation to any personal emails, or
> content of any email which does not directly relate to our
> business.
>

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000
_________________________________________________________________
This message (and any attachment) is intended only for the
recipient and may contain confidential and/or privileged
material. If you have received this in error, please contact the
sender and delete this message immediately. Disclosure, copying
or other action taken in respect of this email or in
reliance on it is prohibited. BMRB International Limited
accepts no liability in relation to any personal emails, or
content of any email which does not directly relate to our
business.

From steinkel at PA.NET Mon Mar 3 22:22:34 2003
From: steinkel at PA.NET (Leland J. Steinke)
Date: Thu Jan 12 21:17:22 2006
Subject: postfix compatability?
References:
Message-ID: <3E63D5AA.8010804@pa.net>

Peter Bates wrote:
> Hello all...
>
> >>mailscanner@ECS.SOTON.AC.UK 03/01/03 20:02 PM >>>
>>Exim is *fairly* easy to configure. I can probably give you some
>help if you need it. Get Exim built first, then I guess we need to
>set it up so that it listens on port 25, with postfix listening on
>port 26. You will have to get postfix listening on port 26
>yourself, I don't know how to do that.
>
>
> Running Postfix still as I am, I can say the answer is in Postfix's
> 'master.cf' (this controls the transports, where main.cf controls
> most other things).
>
> There is a line in master.cf saying:
>
> smtp inet n - y - - smtpd
>
> where 'smtp' is the name in /etc/services:
> smtp 25/tcp mail
>

look in /etc/postfix/README_FILES/FILTER_README. You can pipe to external
processes from within postfix to handle content filtering (this is what we do;
actually we invoke a program that converts the messages from postfix queue files
into queue files that MailScanner will understand). You can spawn multiple
daemon processes to speak on non-standard ports (this is what is discussed in
the FILTER_README). Or, you could just set up exim on non-standard ports and
let postfix forward to that port; exim could then send the processed messages
back on a different port for postfix to handle final queueing and delivery.
Anyway, the master.cf file is absolutely key to getting filtering to work with
postfix, however you choose to do it.

Leland

ps: What is the problem with the "official" MailScanner/postfix connection?
Maybe we can help. Postfix is VERY powerful, but it takes a couple of "aha!"
moments to figure out how to harness that power. Julian has already said that
he does not want to build another MTA, so that pretty much removes my second
option above. It does not make sense to run exim or another MTA on a
postfix-equipped box just so MailScanner will work; just run the non-postfix MTA
and be done with it, which removes the third option above. There was a
reference to something like "Obtuse SMTPD" as a possible avenue of attack, but I
do not recall hearing the outcome of that one. As I already said, we have
postfix create MailScanner-compatible queue files, through a perl script;
another perl script takes the processed messages and re-injects them into
postfix. Postfix is designed to be as secure as possible, with multiple layers
of defense against software errors (either accidental or intentional). Postfix
queues, and the files therein, are at the very heart of postfix and I would not
want to try to "spoof" them into something else. This is why we decided to
ignore the issue entirely, make postfix run a program to create files for
MailScanner to process, make MailScanner give the processed files back to
postfix, and process millions of messages per month.

pps: Having said all that, postfix has a "hold" queue. From the postfix docs:
"The hold queue is for mail that is frozen in the queue; no delivery attempts
are made until someone releases these messages with the postsuper command."
Maybe that would be a place to start?

From mailscanner at ecs.soton.ac.uk Mon Mar 3 22:28:59 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:22 2006
Subject: [RHSA-2003:073-06] Updated sendmail packages fix critical security issues
In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB0A4AD49@pascal.priv.bmrb.co.uk>
Message-ID: <5.2.0.9.2.20030303222834.0220f1a8@imap.ecs.soton.ac.uk>

At 22:08 03/03/2003, you wrote:
>Julian, there seem to be quite regular messages here from people who
>either didn't turn sendmail off with chkconfig, or who have random other
>sendmail processes running, (or who have packaging systems making random
>changes!) perhaps check_MailScanner should check for this?

If you have any ideas *how* it might do this, I'm all ears :)

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Mon Mar 3 22:32:11 2003
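
One way the check Kevin Spicer suggests could be done, as an added example that is not from any poster and not from MailScanner's check_mailscanner script: parse `chkconfig --list sendmail` for runlevels marked "on", and test for the /var/lock/subsys/sendmail file that the Mandrake postinstall script is reported above to act on. The function names are hypothetical, and the two sample lines are the chkconfig outputs quoted earlier in this thread.

```shell
#!/bin/sh
# Added example (not MailScanner code): flag a stock sendmail service that
# would accept mail directly and so bypass MailScanner.
# Function names are hypothetical. The lock-file path is the one named in
# the thread; whether a given distribution uses it is an assumption.

# Sample lines copied from the chkconfig output quoted in this thread.
SAMPLE_BEFORE='sendmail 0:off 1:off 2:off 3:off 4:off 5:off 6:off'
SAMPLE_AFTER='sendmail 0:off 1:off 2:off 3:on 4:off 5:on 6:off'

# Read `chkconfig --list` output on stdin and print, space separated, the
# runlevels at which service $1 is "on". Prints an empty line if none.
enabled_runlevels() {
    awk -v svc="$1" '
        $1 == svc {
            for (i = 2; i <= NF; i++) {
                # each field looks like "3:on" or "3:off"
                if (split($i, kv, ":") == 2 && kv[2] == "on") {
                    sep = (out == "") ? "" : " "
                    out = out sep kv[1]
                }
            }
        }
        END { print out }'
}

# $1: text of `chkconfig --list sendmail`
# $2: lock file to test (optional, defaults to the path from the thread)
# Prints one WARN line per finding. Returns 0 if clean, 1 otherwise.
check_bypass() {
    listing=$1
    lock=${2:-/var/lock/subsys/sendmail}
    rc=0
    levels=$(printf '%s\n' "$listing" | enabled_runlevels sendmail)
    if [ -n "$levels" ]; then
        echo "WARN: sendmail init script is on at runlevel(s): $levels"
        echo "      remedy from the thread: chkconfig sendmail off"
        rc=1
    fi
    if [ -e "$lock" ]; then
        echo "WARN: $lock exists; a package postinstall that checks it"
        echo "      may run 'service sendmail restart' on upgrade"
        rc=1
    fi
    return "$rc"
}

# --live: check this host (needs chkconfig on PATH).
# --demo: run against the post-upgrade SuSE sample line instead.
if [ "${1:-}" = "--live" ]; then
    if check_bypass "$(chkconfig --list sendmail 2>/dev/null)"; then
        echo "OK: no stock sendmail service found enabled"
    else
        exit 1
    fi
elif [ "${1:-}" = "--demo" ]; then
    check_bypass "$SAMPLE_AFTER" /nonexistent/lock || true
fi
```

Run from cron or after each package update; it does not look for stray sendmail processes started by hand, which would need a separate process check.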
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:22 2006
Subject: postfix compatability?
In-Reply-To: <3E63D5AA.8010804@pa.net>
References:
Message-ID: <5.2.0.9.2.20030303223107.02273fe0@imap.ecs.soton.ac.uk>

Any chance of you publishing all your scripts to make your setup work?
They would help a lot of people.

At 22:22 03/03/2003, you wrote:
>Maybe we can help. Postfix is VERY powerful, but it takes a couple of "aha!"
>moments to figure out how to harness that power. Julian has already said that
>he does not want to build another MTA, so that pretty much removes my second
>option above. It does not make sense to run exim or another MTA on a
>postfix-equipped box just so MailScanner will work; just run the
>non-postfix MTA
>and be done with it, which removes the third option above. There was a
>reference to something like "Obtuse SMTPD" as a possible avenue of attack,
>but I
>do not recall hearing the outcome of that one. As I already said, we have
>postfix create MailScanner-compatible queue files, through a perl script;
>another perl script takes the processed messages and re-injects them into
>postfix. Postfix is designed to be as secure as possible, with multiple
>layers
>of defense against software errors (either accidental or
>intentional). Postfix
>queues, and the files therein, are at the very heart of postfix and I
>would not
>want to try to "spoof" them into something else. This is why we decided to
>ignore the issue entirely, make postfix run a program to create files for
>MailScanner to process, make MailScanner give the processed files back to
>postfix, and process millions of messages per month.
>
>pps: Having said all that, postfix has a "hold" queue. From the postfix
>docs:
> "The hold queue is for mail that is frozen in the queue; no delivery
> attempts
>are made until someone releases these messages with the postsuper command."
>Maybe that would be a place to start?

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

From ms at MLSIS.CO.UK Mon Mar 3 23:04:05 2003
From: ms at MLSIS.CO.UK (Matt Lowe)
Date: Thu Jan 12 21:17:22 2006
Subject: postfix compatibility?
In-Reply-To: <3E63CCEF.9070700@pa.net>
References: <1046548476.1887.32.camel@luggage> <3E63CCEF.9070700@pa.net>
Message-ID: <1046732645.1887.121.camel@luggage>

Yes please, could you send the config files :)

This would make my life VERY much easier :) and if possible some really
easy step by step instructions on how to do this :)

The reason I'm using postfix is cause it's set up for me already, and the
frontend I have is very easy for my users to add/del accounts.

Matt Lowe
ms@mlsis.co.uk

On Mon, 2003-03-03 at 21:45, Leland J. Steinke wrote:
> Matt Lowe wrote:
> > On Sat, 2003-03-01 at 19:21, Julian Field wrote:
> >
> >>At 19:05 01/03/2003, you wrote:
> >>
> >>>Hi I'm new to this mailing list, but after searching the archives all I
> >>>could find was a mention of this in the possible future.
> >>>
> >>>Is there any way to integrate mailscanner and postfix yet? without
> >>>using sendmail/exim?
> >>
> >>Someone has some patches somewhere that might integrate the two. Postfix
> >>support is our next planned major feature.
> >
> >
> > anyone any idea where these patches might be?
> >
> >
> we have postfix and mailscanner running quite happily together here, filtering
> hundreds of messages per minute on multiple servers for both inbound and
> outbound mail.
>
> It uses two perl scripts. the first one is invoked to take SMTP-inbound
> messages from smtpd in master.cf and put them into a spool directory where
> MailScanner will find them. The second one is called after spam/virus
> processing by MailScanner to re-inject the messages into postfix for queueing
> and delivery. It is not perfect, but it works quite well for us...
>
> If you are interested, I will send you the scripts and how we modified master.cf
> to make it all work.
>
>
> Leland
>

From mailscanner at HRSERVERS.COM Tue Mar 4 00:46:48 2003
From: mailscanner at HRSERVERS.COM (SUBSCRIBE MAILSCANNER Anonymous)
Date: Thu Jan 12 21:17:22 2006
Subject: Spamassassin 2.50 & MailScanner 4.13-3 Problems
Message-ID:

Thank you Julian for taking the time to explain what was going on with it.

Just a little note I posted the same message over at spamassassin.org list
and was told by one of the developers that they are aware of this issue
and you are exactly right, they plan to fix it in 2.51 but they do not
have an official release date as of yet but maybe next couple of weeks.
Here is the link to the post and reply...
http://www.hughes-family.org/bugzilla/show_bug.cgi?id=1585

Thanks again,
JT

From mkettler at EVI-INC.COM Tue Mar 4 01:20:10 2003
From: mkettler at EVI-INC.COM (Matt Kettler)
Date: Thu Jan 12 21:17:22 2006
Subject: Spamassassin 2.50 & MailScanner 4.13-3 Problems
In-Reply-To:
Message-ID: <5.2.0.9.0.20030303201556.016f0638@192.168.50.2>

Actually, that was already filed

The bug which has been assigned and is currently tracking the fixing of
this problem is this one:
http://www.hughes-family.org/bugzilla/show_bug.cgi?id=1556

I'm submitting a dupe-notice to the bugzilla, but I'll let one of the
"real" members of saDev officially close 1585 as a duplicate.

At 12:46 AM 3/4/2003 +0000, you wrote:
>Thank you Julian for taking the time to explain what was going on with it.
>
>Just a little note I posted the same message over at spamassassin.org list
>and was told by one of the developers that they are aware of this issue
>and you are exactly right, they plan to fix it in 2.51 but they do not
>have an official release date as of yet but maybe next couple of weeks.
>Here is the link to the post and reply...
>http://www.hughes-family.org/bugzilla/show_bug.cgi?id=1585
>
>Thanks again,
>JT

From smohan at vsnl.com Tue Mar 4 02:22:04 2003
From: smohan at vsnl.com (S Mohan)
Date: Thu Jan 12 21:17:22 2006
Subject: MS vs. Trend
In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB0A4AD48@pascal.priv.bmrb.co.uk>
Message-ID: <002601c2e1f4$daa8ca80$796041db@18yamuna>

1. Speed of fixes and response.
2. Do many things that we cannot without major sendmail hacking
   E.g. User based archive (alternative is using per user procmail - not so easy -:))
   Add disclaimer notice.
   Create different outgoing queues depending on priorities/ users/ groups etc.
3. Multiple scanners. Trend would only allow its own.
4. in MS architecture, since sendmail receives mail, all sendmail based authentication, features etc is implemented while in Trend Micro's case, it is an SMTP server - can it match sendmail's features? Why compromise? Get the best MTA and the best scanner GW.
5. Trend Micro means another machine investment, maintenance etc....
6. Trend Micro costing is per user mailbag/ email id based. We can have F-Prot on a server basis in here.

If you could Julian's name and commitment on top of the list, it would be the icing on the cake.

My 2 paise worth..

Mohan

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Spicer, Kevin
Sent: Tuesday, March 04, 2003 1:51 AM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: MS vs. Trend

>
> Hi there,
>
> I'm faced with making a "business case" of "mailscanner+some
> commercial av"
> against trend micro "complete antivirus/antispam/whatever
> solution"... I
> wonder if anyone out there have some input for it...
>

From dot at DOTAT.AT Tue Mar 4 06:40:54 2003
From: dot at DOTAT.AT (Tony Finch)
Date: Thu Jan 12 21:17:22 2006
Subject: postfix compatability?
In-Reply-To:
References:
Message-ID:

"Leland J. Steinke" wrote:
>
>look in /etc/postfix/README_FILES/FILTER_README. You can pipe to external
>processes from within postfix to handle content filtering (this is what we do;
>actually we invoke a program that converts the messages from postfix queue files
>into queue files that MailScanner will understand). You can spawn multiple
>daemon processes to speak on non-standard ports (this is what is discussed in
>the FILTER_README). Or, you could just set up exim on non-standard ports and
>let postfix forward to that port; exim could then send the processed messages
>back on a different port for postfix to handle final queueing and delivery.
>Anyway, the master.cf file is absolutely key to getting filtering to work with
>postfix, however you choose to do it.

A very vague thought about how MailScanner would fit into a Postfix setup from someone who knows almost nothing about Postfix: Since all messages in Postfix go through the cleanup process before they get to the main queue, and since the cleanup process is not a million miles away from a kind of MailScanner-lite, perhaps that's where MailScanner should plug in to Postfix.

Tony.
--
f.a.n.finch http://dotat.at/
WEST FITZROY: SOUTHWEST VEERING WEST OR NORTHWEST 5 TO 7, DECREASING 3 OR 4 LATER. RAIN THEN SHOWERS. MODERATE OR POOR BECOMING GOOD.

From Kevin.Spicer at BMRB.CO.UK Tue Mar 4 09:00:12 2003
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin)
Date: Thu Jan 12 21:17:22 2006
Subject: [RHSA-2003:073-06] Updated sendmail packages fix critical security issues
Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0EBF43E@pascal.priv.bmrb.co.uk>

> At 22:08 03/03/2003, you wrote:
> >Julian, there seem to be quite regular messages here from people who
> >either didn't turn sendmail off with chkconfig, or who have
> random other
> >sendmail processes running, (or who have packaging systems
> making random
> >changes!) perhaps check_MailScanner should check for this?
>
> If you have any ideas *how* it might do this, I'm all ears :)

Hmmm, fair point! Sounds easy in principle until you remember not everyone has chkconfig (or even uses sysV style init scripts) ;)

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000
_________________________________________________________________
This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business.

From dh at UPTIME.AT Tue Mar 4 08:56:38 2003
From: dh at UPTIME.AT (David)
Date: Thu Jan 12 21:17:22 2006
Subject: Still issues with Spamassassin 2.50 and Mailscanner (after patching)
Message-ID: <35958706-4E1F-11D7-BC8A-000393920D6C@uptime.at>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

Hello.

This message is not directed at Julian, but all of you. I know he is very busy and I really think that we, as a community, should take some load off his shoulders.

I am running redhat 7.3 (hardened, but that should not affect anything) with Mailscanner 4.13-3 and spamassassin 2.50 (patched with Julian's patch).

Somehow this setup fails though. It worked for about a week and now it bombs out on me again. The MailScanner process simply sits there and eats 99% of the CPU without doing anything. After about 5-6 minutes it finally tells me

Found XXX messages waiting...

but it does not really scan them. Still 99%. As soon as I go back to 2.44 (spamassassin) all is fine again.

Has someone observed this behaviour as well?

Thank you

- -d

- -----BEGIN GEEK CODE BLOCK-----
Version: 3.12
GCC d+ s: a-- C+ UB++++ P+ L++ E--- W N+ o+++ K w-- O M+ V++ PS PE Y++ PGP++++ t+ 5 X- R+ tv-- b++++ DI D+ G e++++ h+ r++ y++
- ------END GEEK CODE BLOCK------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (Darwin)

iD8DBQE+ZGpKiW/Ta/pxHPQRA4f7AJ4rh19CdUKKJRF5nYKENj6AY1nWmACfYeW3
s7+d4LwxpMA4u2TKY/MdJl0=
=2cx7
-----END PGP SIGNATURE-----

From Douglas.Hall at PROQUEST.CO.UK Tue Mar 4 12:31:05 2003
From: Douglas.Hall at PROQUEST.CO.UK (Hall, Douglas)
Date: Thu Jan 12 21:17:22 2006
Subject: [RHSA-2003:073-06] Updated sendmail packages fix critical security issues
Message-ID: <16663F2E4043D711A5EA00A0C9EA06611837FC@exchange.private.chadwyck.co.uk>

> -----Original Message-----
> From: Amin, Harish [mailto:Harish.Amin@DEG.STATE.WI.US]
> You mean Sendmail from SUN on Solaris 8 , can you how you
> went about it

Well hopefully you've all upgraded by now :) If not, the sun sendmail patch is easy enough to do. Be warned that if you have modified /etc/init.d/sendmail or any of the associated (sym|hard)links in the rcx.d directories they will be overwritten. (I use a different rc script and disabled rc2.d/S88sendmail)

The sendmail patch overwrites /etc/mail/local-host-names, other than that I think everything else was untouched. I copied the contents of /etc/mail, the above rc scripts and /usr/lib/mail/cf/* to a temporary directory though just to be safe. The sendmail patch does list all the files that get overwritten!

-Douglas

From jaearick at COLBY.EDU Tue Mar 4 13:45:01 2003
From: jaearick at COLBY.EDU (Jeff A. Earickson)
Date: Thu Jan 12 21:17:22 2006
Subject: child dying of old age?
Message-ID:

Julian,

I got a laugh when I saw this message in my syslog... I suppose it is better to have one's children dying of old age, instead of meeting a violent end with kill()! A new feature of 4.13-3?

--- Jeff

From mailscanner at ecs.soton.ac.uk Tue Mar 4 13:51:34 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:22 2006
Subject: child dying of old age?
In-Reply-To:
Message-ID: <5.2.0.9.2.20030304135016.03b88c08@imap.ecs.soton.ac.uk>

At 13:45 04/03/2003, you wrote:
>Julian,
> I got a laugh when I saw this message in my syslog...
>I suppose it is better to have one's children dying of
>old age, instead of meeting a violent end with kill()!
>A new feature of 4.13-3?

Just a new bit of logging, so you can see that the new children are "spawned" in response to one of their older siblings dying a natural death. That way you can tell if a child was killed by something or just died naturally.
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Tue Mar 4 14:08:33 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:22 2006
Subject: RaQ problems after installing sendmail patch
Message-ID: <5.2.0.9.2.20030304140048.03b9cbc0@imap.ecs.soton.ac.uk>

On pkgmaster.com there are now packages for the RaQ3 and RaQ4 that apply the sendmail patch everyone has been talking about for the last day or two.

When the patch is installed, it messes around with the /var/spool/mqueue directory and leaves it in a state that MailScanner does not like.

To solve this:

        cd /var/spool/mqueue
        rmdir q1 q2 q3 q4
        /etc/rc.d/init.d/MailScanner restart

Then you should find everything starts working properly again.
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From Jan-Peter.Koopmann at SECEIDOS.DE Tue Mar 4 14:15:09 2003
From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann)
Date: Thu Jan 12 21:17:22 2006
Subject: FromTo: not working?
Message-ID: <4E7026FF8A422749B1553FE508E0068007EE72@message.intern.akctech.de>

Hi,

I use the following rules file to determine whether or not to check for viruses:

FromTo: *@akctech.de yes
FromTo: *@seceidos.de yes
FromTo: *@seceidos.net yes
FromTo: *@seceidos.org yes
FromTo: *@seceidos.com yes
FromTo: *@telefonia.de yes
FromTo: default no

Mails to those domains are getting checked. But mails from one of those domains simply produce things like

Mar 4 15:05:58 proxy MailScanner[85988]: New Batch: Forwarding 1 unscanned messages, 1726 bytes
Mar 4 15:05:58 proxy MailScanner[85988]: Spam Checks: Starting
Mar 4 15:05:58 proxy MailScanner[85988]: Unscanned: Delivered 1 messages
Mar 4 15:05:58 proxy MailScanner[85988]: Virus and Content Scanning: Starting

Why does it say "unscanned messages"? Once I change default to yes everything works again...

Regards,
JP

From mailscanner at ecs.soton.ac.uk Tue Mar 4 14:16:35 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:23 2006
Subject: FromTo: not working?
In-Reply-To: <4E7026FF8A422749B1553FE508E0068007EE72@message.intern.akctech.de>
Message-ID: <5.2.0.9.2.20030304141523.03ba82f8@imap.ecs.soton.ac.uk>

At 14:15 04/03/2003, you wrote:
>Hi,
>
>I use the following rules file to determine whether or not ot check for
>viruses:
>
>FromTo: *@akctech.de yes
>FromTo: *@seceidos.de yes
>FromTo: *@seceidos.net yes
>FromTo: *@seceidos.org yes
>FromTo: *@seceidos.com yes
>FromTo: *@telefonia.de yes
>FromTo: default no
>
>
>Mails to those domains are getting checked. But mails from one of those
>domains simply produce things like
>
>Mar 4 15:05:58 proxy MailScanner[85988]: New Batch: Forwarding 1
>unscanned messages, 1726 bytes
>Mar 4 15:05:58 proxy MailScanner[85988]: Spam Checks: Starting
>Mar 4 15:05:58 proxy MailScanner[85988]: Unscanned: Delivered 1
>messages
>Mar 4 15:05:58 proxy MailScanner[85988]: Virus and Content Scanning:
>Starting
>
>Why does it say "unscanned messages"? Once I change default to yes
>everything works again...

What is the envelope sender address on the message that doesn't get scanned? You will have to either look in your maillog or in the qf file in the queue to get this information. It's not the "From:" address in the headers that matters, it's the envelope sender address.
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From mike at UNIXSECURITY.ORG Tue Mar 4 15:34:25 2003
From: mike at UNIXSECURITY.ORG (Mike Wallis)
Date: Thu Jan 12 21:17:23 2006
Subject: Making check_MailScanner check for extraneous sendmail processes
In-Reply-To: <5.2.0.9.2.20030303222834.0220f1a8@imap.ecs.soton.ac.uk>
References: <5.2.0.9.2.20030303222834.0220f1a8@imap.ecs.soton.ac.uk>
Message-ID: <3E64C781.8050401@unixsecurity.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Julian Field wrote:
| If you have any ideas *how* it might do this, I'm all ears :)

This isn't the most elegant solution, but:

        chkconfig --list sendmail |grep on

If anything at all is returned, they've done it wrong and this should probably result in some sort of notification. (As opposed to check_MailScanner trying to fix it for them)

But, I've no idea how to handle the extra sendmail processes on systems without chkconfig.

- --
Mike Wallis
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1-nr1 (Windows XP)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQE+ZMeAXes7jE7XvgsRAmasAKD+XY7xqo2ZLdWgBcYcpBWe+c0YXQCgzW6F
4ybvWpehQ33hN6ZZMZA3HrU=
=T87L
-----END PGP SIGNATURE-----

From gerry at dorfam.ca Tue Mar 4 15:43:52 2003
From: gerry at dorfam.ca (Gerry Doris)
Date: Thu Jan 12 21:17:23 2006
Subject: Timeout Errors??
Message-ID: <35420.129.80.22.133.1046792632.squirrel@tiger.dorfam.ca>

I started noticing the following sendmail errors about the time I switched over to SpamAssassin 2.50. However, I'm not totally sure if this was happening before that time or I was just paying more attention after doing the update???

I'm seeing several of these over the day in my maillog.

h23LMZk01726: timeout waiting for input from local during Draining Input
h23LMjk01729: timeout waiting for input from local during Draining Input
h23LOTk01773: timeout waiting for input from local during Draining Input
h23LOsk01793: timeout waiting for input from local during Draining Input

What exactly are these telling me? They appear to be sendmail errors but is it because sendmail is acting up or has it something to do with MailScanner?

Gerry

From mbowman at UDCOM.COM Tue Mar 4 15:55:23 2003
From: mbowman at UDCOM.COM (Matthew Bowman)
Date: Thu Jan 12 21:17:23 2006
Subject: Fragmented messages cannot be scanned and are removed
Message-ID:

Hello

A client failed to receive 4 e-mails which were flagged as virus with the error "Fragmented messages cannot be scanned and are removed". This is the first I've seen this error.

Here is an extract from the mail

Return-Path:
Received: from mail1.tpgi.com.au (mail.tpgi.com.au [203.12.160.57])
        by smithers.vbcomm.net (8.11.6/8.11.6) with ESMTP id h2378h100355
        for ; Mon, 3 Mar 2003 02:08:43 -0500
Received: from berendsen.com.au ([202.7.160.194])
        by mail1.tpgi.com.au (8.11.6/8.11.6) with ESMTP id h237E1p11475
        for ; Mon, 3 Mar 2003 18:14:01 +1100
Received: from garryg by berendsen.com.au
        with SMTP (MDaemon.PRO.v6.5.2.R)
        for ; Mon, 03 Mar 2003 18:15:58 +1100
Message-ID: <00a101c2e155$28c39010$7ec719ac@garryg>
From: "Garry Grant"
To:
References:
Subject: Re: Specs. for Marmora Terrace AS 3439.1-2002 Low-voltage
        switchgear and controlgear assemblies - Type-tested and partially
        type-tested assemblie.pdf [2/2]
Date: Mon, 3 Mar 2003 18:18:45 +1100
MIME-Version: 1.0
Content-Type: message/partial;
        total=2;
        id="01C2E155.25C14C90@garryg";
        number=2
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4807.1700
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4807.1700
X-Return-Path: ggrant@epg.com.au
X-MDaemon-Deliver-To: KWestfield@gormanrupp.com

My installation is

Redhat 7.3
MS 4.10-1 with clamav as the scanner
SA 2.43

Any ideas?

Matthew

From HancockS at MORGANCO.COM Tue Mar 4 16:04:47 2003
From: HancockS at MORGANCO.COM (Hancock, Scott)
Date: Thu Jan 12 21:17:23 2006
Subject: Debian ms v4.x install help. Deb, Alien or Source? attn Jason Desai
Message-ID: <03Mar4.105815est.119118@gateway.morganco.com>

Hello all,

I'm running Debian unstable (sarge) mailscanner (3.27) and exim (3.36).

Some of my users are asking for features in the latest versions of mailscanner.

I notice some posts indicating people (including Jason) are using newer versions of mailscanner than is available at packages.debian.org. I'm mostly interested in the new mailscanner features and was wondering the best approach to installing without a .deb file.

Are any dependency issues between exim 3.27 and MS 4.x?

I figure my options are: an alternate site that has a .deb file, using Alien against the 4.x RPM file, or compiling from source.

All this is being tested off line.

Thanks all for your time.

Scott

From Denis.Beauchemin at USHERBROOKE.CA Tue Mar 4 16:09:26 2003
From: Denis.Beauchemin at USHERBROOKE.CA (Denis Beauchemin)
Date: Thu Jan 12 21:17:23 2006
Subject: Is the new FAQ working?
Message-ID: <1046794165.1602.54.camel@dbeauchemin.si.usherbrooke.ca>

Hello,

A couple of days ago I tried to post new info in the FAQ but couldn't (I don't recall the error message but I think it kept telling me my login was not OK).

Now I was looking for some info but I can't seem to find anything besides what Julian put in.

All I see are "NewItem" links... with no info in them...

I think the setup might not be permissive enough...

Denis
--
Denis Beauchemin, analyste
Université de Sherbrooke, S.T.I.
T: 819.821.8000x2252 F: 819.821.8045

From mailscanner at LISTS.COM.AR Tue Mar 4 16:15:28 2003
From: mailscanner at LISTS.COM.AR (Mariano Absatz)
Date: Thu Jan 12 21:17:23 2006
Subject: Fragmented messages cannot be scanned and are removed
In-Reply-To:
Message-ID: <3E64A6F0.4573.5CD4561E@localhost>

This is not a bug... it's a feature... :-D

no kidding.

This message has its content fragmented in several individual messages. This is intended to be rebuilt at the destination (see the MIME specs for how this works).

Now, if you have only part of a message, you can't run a virus scanner thru it.

There is an option (see http://mailscanner.info/install/conf.shtml) "Allow Partial Messages" that you could enable (it's 'no' by default) but in that case, any "partial" message would pass thru unscanned.

You should _seriously_ think before enabling this... as the docs say, you could enable it thru a very strict ruleset (e.g. only coming from a specific ftpmail server or something like that).

El 4 Mar 2003 a las 10:55, Matthew Bowman escribió:

> Hello
>
> A client failed to receive 4 e-mails which were flagged as virus with the
> error Fragmented messages cannot be scanned and are removed. This is the
> first I've seen this error.
>
> Here is an extract from the mail
>
> Return-Path:
> Received: from mail1.tpgi.com.au (mail.tpgi.com.au [203.12.160.57])
> by smithers.vbcomm.net (8.11.6/8.11.6) with ESMTP id
> h2378h100355
> for ; Mon, 3 Mar 2003 02:08:43
> -0500
> Received: from berendsen.com.au ([202.7.160.194])
> by mail1.tpgi.com.au (8.11.6/8.11.6) with ESMTP id
> h237E1p11475
> for ; Mon, 3 Mar 2003 18:14:01
> +1100
> Received: from garryg by berendsen.com.au
> with SMTP (MDaemon.PRO.v6.5.2.R)
> for ; Mon, 03 Mar 2003
> 18:15:58 +1100
> Message-ID: <00a101c2e155$28c39010$7ec719ac@garryg>
> From: "Garry Grant"
> To:
> References:
> Subject: Re: Specs. for Marmora Terrace AS 3439.1-2002 Low-voltage
> switchgear and controlgear assemblies - Type-tested and partially
> type-tested assemblie.pdf [2/2]
> Date: Mon, 3 Mar 2003 18:18:45 +1100
> MIME-Version: 1.0
> Content-Type: message/partial;
> total=2;
> id="01C2E155.25C14C90@garryg";
> number=2
> X-Priority: 3
> X-MSMail-Priority: Normal
> X-Mailer: Microsoft Outlook Express 5.50.4807.1700
> X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4807.1700
> X-Return-Path: ggrant@epg.com.au
> X-MDaemon-Deliver-To: KWestfield@gormanrupp.com
>
> My installation is
>
> Redhat 7.3
> MS 4.10-1 with clamav as the scanner
> SA 2.43
>
> Any ideas?
>
> Matthew

--
Mariano Absatz
El Baby
----------------------------------------------------------
We are born naked, wet and hungry. Then things get worse.

From Jan-Peter.Koopmann at SECEIDOS.DE Tue Mar 4 16:23:29 2003
From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann)
Date: Thu Jan 12 21:17:23 2006
Subject: Exim question: tidy_db
Message-ID: <4E7026FF8A422749B1553FE508E0068007EE7C@message.intern.akctech.de>

Hi,

I noticed an error on http://www.sng.ecs.soton.ac.uk/mailscanner/install/exim.shtml

In Exim 4 this should not read

defer_router:
  driver = dnslookup
  self = defer
  transport = remote_smtp
  route_list = "* 127.0.0.1 byname"
  verify = false

Since route_list is only supported for driver = manualroute AFAIK...

The instruction then goes on and recommends running

exim_tidydb -t 0m /var/spool/exim_incoming retry >/dev/null

1. I do not have a db there yet.
2. Why do I need to do this? Does Exim not maintain this on its own?
3. Why do I not need to do this for the outgoing spool dir?

Thanks,
JP

From Jan-Peter.Koopmann at SECEIDOS.DE Tue Mar 4 16:19:26 2003
From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann)
Date: Thu Jan 12 21:17:23 2006
Subject: FromTo: not working?
Message-ID: <4E7026FF8A422749B1553FE508E0068007EE7B@message.intern.akctech.de>

Hi Julian,

Have you seen my reply to this to julian.field@mailscanner.info? :-)

Regards,
JP

> -----Original Message-----
> From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK]
> Sent: Tuesday, March 04, 2003 3:17 PM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: FromTo: not working?
>
>
> At 14:15 04/03/2003, you wrote:
> >Hi,
> >
> >I use the following rules file to determine whether or not
> ot check for
> >viruses:
> >
> >FromTo: *@akctech.de yes
> >FromTo: *@seceidos.de yes
> >FromTo: *@seceidos.net yes
> >FromTo: *@seceidos.org yes
> >FromTo: *@seceidos.com yes
> >FromTo: *@telefonia.de yes
> >FromTo: default no
> >
> >
> >Mails to those domains are getting checked. But mails from
> one of those
> >domains simply produce things like
> >
> >Mar 4 15:05:58 proxy MailScanner[85988]: New Batch: Forwarding 1
> >unscanned messages, 1726 bytes Mar 4 15:05:58 proxy
> >MailScanner[85988]: Spam Checks: Starting Mar 4 15:05:58 proxy
> >MailScanner[85988]: Unscanned: Delivered 1 messages
> >Mar 4 15:05:58 proxy MailScanner[85988]: Virus and Content Scanning:
> >Starting
> >
> >Why does it say "unscanned messages"? Once I change default to yes
> >everything works again...
>
> What is the envelope sender address on the message that
> doesn't get scanned? You will have to either look in your
> maillog or in the qf file in the queue to get this
> information. It's not the "From:" address in the headers that
> matters, it's the envelope sender address.
> --
> Julian Field
> www.MailScanner.info
> MailScanner thanks transtec Computers for their support
>

From mbowman at UDCOM.COM Tue Mar 4 16:25:09 2003
From: mbowman at UDCOM.COM (Matthew Bowman)
Date: Thu Jan 12 21:17:23 2006
Subject: Fragmented messages cannot be scanned and are removed
Message-ID:

Thanks,

I don't have the Allow Partial Messages field in my MailScanner.conf file - was this a feature added after 4.10-1 ?

Mariano Absatz
Sent by: MailScanner mailing list
03/04/2003 11:45 AM
Please respond to MailScanner mailing list

To: MAILSCANNER@JISCMAIL.AC.UK
cc:
Subject: Re: Fragmented messages cannot be scanned and are removed

This is not a bug... it's a feature... :-D

no kidding.

This message has its content fragmented in several individual messages. This is intended to be rebuilt at the destination (see the MIME specs for how this works).

Now, if you have only part of a message, you can't run a virus scanner thru it.

There is an option (see http://mailscanner.info/install/conf.shtml) "Allow Partial Messages" that you could enable (it's 'no' by default) but in that case, any "partial" message would pass thru unscanned.

You should _seriously_ think before enabling this... as the docs say, you could enable it thru a very strict ruleset (e.g. only coming from a specific ftpmail server or something like that).

El 4 Mar 2003 a las 10:55, Matthew Bowman escribió:

> Hello
>
> A client failed to receive 4 e-mails which were flagged as virus with the
> error Fragmented messages cannot be scanned and are removed. This is the
> first I've seen this error.
>
> Here is an extract from the mail
>
> Return-Path:
> Received: from mail1.tpgi.com.au (mail.tpgi.com.au [203.12.160.57])
> by smithers.vbcomm.net (8.11.6/8.11.6) with ESMTP id
> h2378h100355
> for ; Mon, 3 Mar 2003 02:08:43
> -0500
> Received: from berendsen.com.au ([202.7.160.194])
> by mail1.tpgi.com.au (8.11.6/8.11.6) with ESMTP id
> h237E1p11475
> for ; Mon, 3 Mar 2003 18:14:01
> +1100
> Received: from garryg by berendsen.com.au
> with SMTP (MDaemon.PRO.v6.5.2.R)
> for ; Mon, 03 Mar 2003
> 18:15:58 +1100
> Message-ID: <00a101c2e155$28c39010$7ec719ac@garryg>
> From: "Garry Grant"
> To:
> References:
> Subject: Re: Specs. for Marmora Terrace AS 3439.1-2002 Low-voltage
> switchgear and controlgear assemblies - Type-tested and partially
> type-tested assemblie.pdf [2/2]
> Date: Mon, 3 Mar 2003 18:18:45 +1100
> MIME-Version: 1.0
> Content-Type: message/partial;
> total=2;
> id="01C2E155.25C14C90@garryg";
> number=2
> X-Priority: 3
> X-MSMail-Priority: Normal
> X-Mailer: Microsoft Outlook Express 5.50.4807.1700
> X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4807.1700
> X-Return-Path: ggrant@epg.com.au
> X-MDaemon-Deliver-To: KWestfield@gormanrupp.com
>
> My installation is
>
> Redhat 7.3
> MS 4.10-1 with clamav as the scanner
> SA 2.43
>
> Any ideas?
>
> Matthew

--
Mariano Absatz
El Baby
----------------------------------------------------------
We are born naked, wet and hungry. Then things get worse.

From Douglas.Hall at PROQUEST.CO.UK Tue Mar 4 16:32:06 2003
From: Douglas.Hall at PROQUEST.CO.UK (Hall, Douglas)
Date: Thu Jan 12 21:17:23 2006
Subject: Timeout Errors??
Message-ID: <16663F2E4043D711A5EA00A0C9EA066118380B@exchange.private.chadwyck.co.uk>

> -----Original Message-----
> From: Gerry Doris [mailto:gerry@dorfam.ca]
> Sent: 04 March 2003 15:44
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Timeout Errors??
>
> h23LOsk01793: timeout waiting for input from local during
> Draining Input
>
>
> What exactly are these telling me? They appear to be
> sendmail errors but
> is it because sendmail is acting up or has it something to do with
> MailScanner?

The sendmail distribution KNOWNBUGS document has the following:

* Delivery to programs that generate too much output may cause problems

        If e-mail is delivered to a program which generates too much
        output, then sendmail may issue an error:

        timeout waiting for input from local during Draining Input

        Make sure that the program does not generate output beyond a
        status message (corresponding to the exit status). This may
        require a wrapper around the actual program to redirect output
        to /dev/null.

        Such a problem has been reported for bulk_mailer.

-Douglas

From mailscanner at LISTS.COM.AR Tue Mar 4 16:34:15 2003
From: mailscanner at LISTS.COM.AR (Mariano Absatz)
Date: Thu Jan 12 21:17:23 2006
Subject: Fragmented messages cannot be scanned and are removed
In-Reply-To:
Message-ID: <3E64AB57.6412.5CE5859C@localhost>

El 4 Mar 2003 a las 11:25, Matthew Bowman escribió:

> Thanks,
>
> I don't have the Allow Partial Messages field in my MailScanner.conf file
> - was this a feature added after 4.10-1 ?
>

browsing the changelog... it's been added in 4.12, so it's right, you don't have that available... I guess you'll have to upgrade if you want to use it (but then, it's still a bad idea)...

regards.

--
Mariano Absatz
El Baby
----------------------------------------------------------
I don't care to belong to a club that accepts people like me as members.
  -- Groucho Marx

From mailscanner at ecs.soton.ac.uk Tue Mar 4 15:46:08 2003
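
[Added example, not part of any list message and not MailScanner code: a Python sketch of the point made in the "Fragmented messages" thread above, that a message/partial fragment cannot be scanned on its own. The signature string, addresses, fragment id and all function names are constructed for illustration.]

```python
"""Added example: a gateway's view of RFC 2046 message/partial fragments."""
from collections import defaultdict
from email.parser import HeaderParser

# Constructed stand-in for a scanner signature; not a real detection string.
SIGNATURE = "CONSTRUCTED-TEST-SIGNATURE"

# Constructed inner message that a mail client has split into two fragments.
INNER = (
    "Subject: report\n"
    "MIME-Version: 1.0\n"
    "Content-Type: text/plain\n"
    "\n"
    "harmless text " + SIGNATURE + " more text\n"
)


def make_fragment(number, total, frag_id, chunk):
    """Wrap one chunk of the inner message in message/partial headers."""
    return (
        "From: sender@example.org\n"
        "To: rcpt@example.net\n"
        f"Subject: report [{number}/{total}]\n"
        "MIME-Version: 1.0\n"
        f'Content-Type: message/partial; total={total}; id="{frag_id}"; number={number}\n'
        "\n" + chunk
    )


# The split point happens to fall inside the signature, as any split may.
_CUT = INNER.index(SIGNATURE) + len(SIGNATURE) // 2
FRAGMENTS = [
    make_fragment(1, 2, "frag-1@example.org", INNER[:_CUT]),
    make_fragment(2, 2, "frag-1@example.org", INNER[_CUT:]),
]


def partial_info(raw):
    """Return id/number/total/body for a message/partial, else None."""
    # HeaderParser leaves the body as an unparsed string, which is what we
    # want: a fragment body is not a well-formed message by itself.
    msg = HeaderParser().parsestr(raw)
    if msg.get_content_type() != "message/partial":
        return None
    total = msg.get_param("total")
    return {
        "id": msg.get_param("id"),
        # A missing number becomes 0, which can never complete a 1..total set.
        "number": int(msg.get_param("number", "0")),
        "total": int(total) if total is not None else None,
        "body": msg.get_payload(),
    }


def reassemble(raw_messages):
    """Map each fragment id to the rebuilt text, or None if pieces are missing."""
    parts = defaultdict(dict)
    totals = {}
    for raw in raw_messages:
        info = partial_info(raw)
        if info is None:
            continue
        parts[info["id"]][info["number"]] = info["body"]
        if info["total"] is not None:  # only the last fragment must carry it
            totals[info["id"]] = info["total"]
    rebuilt = {}
    for frag_id, got in parts.items():
        total = totals.get(frag_id)
        complete = total is not None and set(got) == set(range(1, total + 1))
        rebuilt[frag_id] = (
            "".join(got[n] for n in range(1, total + 1)) if complete else None
        )
    return rebuilt


def scan(text):
    """Toy content scanner: True when the constructed signature is present."""
    return SIGNATURE in text


def gateway_verdict(raw_messages):
    """Per fragment id: 'infected', 'clean', or 'incomplete' (cannot be scanned)."""
    verdicts = {}
    for frag_id, whole in reassemble(raw_messages).items():
        if whole is None:
            verdicts[frag_id] = "incomplete"
        else:
            verdicts[frag_id] = "infected" if scan(whole) else "clean"
    return verdicts


if __name__ == "__main__":
    print("per-fragment hits:", [scan(f) for f in FRAGMENTS])
    print("all fragments    :", gateway_verdict(FRAGMENTS))
    print("one fragment only:", gateway_verdict(FRAGMENTS[1:]))
```

A gateway that handles one message at a time only ever sees the "incomplete" case, which is why the thread treats passing partial messages as passing them unscanned.
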
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:23 2006
Subject: Timeout Errors??
In-Reply-To: <35420.129.80.22.133.1046792632.squirrel@tiger.dorfam.ca>
Message-ID: <5.2.0.9.2.20030304154430.03bd6018@imap.ecs.soton.ac.uk>

At 15:43 04/03/2003, you wrote:
>I starting noticing the following sendmail errors about the time I
>switched over to SpamAssassin 2.50. However, I'm not totally sure if this
>was happening before that time or I was just paying more attention after
>doing the update???
>
>I'm seeing several of these over the day in my maillog.
>
>h23LMZk01726: timeout waiting for input from local during Draining Input
>h23LMjk01729: timeout waiting for input from local during Draining Input
>h23LOTk01773: timeout waiting for input from local during Draining Input
>h23LOsk01793: timeout waiting for input from local during Draining Input
>
>
>What exactly are these telling me? They appear to be sendmail errors but
>is it because sendmail is acting up or has it something to do with
>MailScanner?

Have you installed my patch for SpamAssassin 2.50? If so, and you are still having problems with it, you are not alone. I have seen a problem on one customer's server that was blocking on SpamAssassin 2.50 even after the patch was applied.

My only recommendation in this case is to back off to SpamAssassin 2.44 and wait for 2.51 to be released, which will hopefully fix these problems.
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Tue Mar 4 16:25:11 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:23 2006
Subject: FromTo: not working?
In-Reply-To: <4E7026FF8A422749B1553FE508E0068007EE7B@message.intern.akctech.de>
Message-ID: <5.2.0.9.2.20030304162354.04873ca0@imap.ecs.soton.ac.uk>

At 16:19 04/03/2003, you wrote:
>Hi Julian,
>
>Have you seen my reply to this to julian.field@mailscanner.info? :-)

Yes, just haven't had a chance to reply yet. For some reason, your rules aren't matching, but I can't obviously see why not. Have you got some space after the "FromTo:" ? I'm slightly at a loss to know what to suggest, no-one else appears to have this problem.

>Regards,
> JP
>
> > -----Original Message-----
> > From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK]
> > Sent: Tuesday, March 04, 2003 3:17 PM
> > To: MAILSCANNER@JISCMAIL.AC.UK
> > Subject: Re: FromTo: not working?
> >
> >
> > At 14:15 04/03/2003, you wrote:
> > >Hi,
> > >
> > >I use the following rules file to determine whether or not
> > ot check for
> > >viruses:
> > >
> > >FromTo: *@akctech.de yes
> > >FromTo: *@seceidos.de yes
> > >FromTo: *@seceidos.net yes
> > >FromTo: *@seceidos.org yes
> > >FromTo: *@seceidos.com yes
> > >FromTo: *@telefonia.de yes
> > >FromTo: default no
> > >
> > >
> > >Mails to those domains are getting checked. But mails from
> > one of those
> > >domains simply produce things like
> > >
> > >Mar 4 15:05:58 proxy MailScanner[85988]: New Batch: Forwarding 1
> > >unscanned messages, 1726 bytes Mar 4 15:05:58 proxy
> > >MailScanner[85988]: Spam Checks: Starting Mar 4 15:05:58 proxy
> > >MailScanner[85988]: Unscanned: Delivered 1 messages
> > >Mar 4 15:05:58 proxy MailScanner[85988]: Virus and Content Scanning:
> > >Starting
> > >
> > >Why does it say "unscanned messages"? Once I change default to yes
> > >everything works again...
> >
> > What is the envelope sender address on the message that
> > doesn't get scanned? You will have to either look in your
> > maillog or in the qf file in the queue to get this
> > information. It's not the "From:" address in the headers that
> > matters, it's the envelope sender address.
> > --
> > Julian Field
> > www.MailScanner.info
> > MailScanner thanks transtec Computers for their support
> >

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Tue Mar 4 16:34:32 2003
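
[Added example, not part of any list message and not MailScanner code: a Python sketch of the check Julian suggests in the "FromTo:" thread above, reading the envelope sender from a sendmail qf file and comparing it with the "From:" header. The qf sample and its addresses are constructed; the rule evaluation is a simplified first-match model that assumes "FromTo:" matches either the envelope sender or a recipient.]

```python
"""Added example: envelope sender versus From: header when a ruleset decides."""
import fnmatch
import re
from email.utils import parseaddr

# The rules file quoted in the thread.
RULES_TEXT = """\
FromTo: *@akctech.de yes
FromTo: *@seceidos.de yes
FromTo: *@seceidos.net yes
FromTo: *@seceidos.org yes
FromTo: *@seceidos.com yes
FromTo: *@telefonia.de yes
FromTo: default no
"""

# Constructed sendmail qf control file: S = envelope sender, R = recipient,
# H = header line. The envelope sender is a list bounce address while the
# From: header shows a local-looking author.
QF_SAMPLE = """\
V6
T1046786758
S<bounce-list@lists.example.org>
RPFD:<user@example.com>
H??From: Someone <someone@akctech.de>
H??To: user@example.com
H??Subject: test
.
"""


def parse_qf(text):
    """Extract envelope sender, recipients and headers (S, R and H lines only)."""
    env = {"sender": None, "recipients": [], "headers": {}}
    for line in text.splitlines():
        if line.startswith("S"):
            env["sender"] = line[1:].strip().strip("<>")
        elif line.startswith("R"):
            addr = line[1:]
            if ":" in addr:  # newer qf files carry flags first: RPFD:<addr>
                addr = addr.split(":", 1)[1]
            env["recipients"].append(addr.strip().strip("<>"))
        elif line.startswith("H"):
            field = re.sub(r"^H(\?[^?]*\?)?", "", line)  # drop H and ?flags?
            name, _, value = field.partition(":")
            env["headers"][name.strip().lower()] = value.strip()
    return env


def parse_rules(text):
    """Turn 'Direction: pattern value' lines into lowercase tuples."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        direction, pattern, value = line.split(None, 2)
        rules.append((direction.rstrip(":").lower(), pattern.lower(), value.lower()))
    return rules


def first_match(rules, sender, recipients):
    """Simplified model: the first rule that matches decides; 'default' always matches."""
    sender = (sender or "").lower()
    recipients = [r.lower() for r in recipients]
    for direction, pattern, value in rules:
        if pattern == "default":
            return value
        hit_from = fnmatch.fnmatchcase(sender, pattern)
        hit_to = any(fnmatch.fnmatchcase(r, pattern) for r in recipients)
        if (direction == "from" and hit_from) or (direction == "to" and hit_to) \
                or (direction in ("fromto", "fromorto") and (hit_from or hit_to)):
            return value
    return None


def diagnose(qf_text, rules_text):
    """Show which verdict the envelope gives and what the header would have given."""
    env = parse_qf(qf_text)
    rules = parse_rules(rules_text)
    header_from = parseaddr(env["headers"].get("from", ""))[1]
    return {
        "envelope_sender": env["sender"],
        "header_from": header_from,
        "verdict_on_envelope": first_match(rules, env["sender"], env["recipients"]),
        "verdict_if_header_used": first_match(rules, header_from, env["recipients"]),
    }


if __name__ == "__main__":
    for key, value in diagnose(QF_SAMPLE, RULES_TEXT).items():
        print(f"{key}: {value}")
```

When the two verdicts differ, the message falls through to the default rule even though its visible author matches a rule.
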
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:23 2006
Subject: Debian ms v4.x install help. Deb, Alien or Source? attn Jason Desai
In-Reply-To: <03Mar4.105815est.119118@gateway.morganco.com>
Message-ID: <5.2.0.9.2.20030304163247.048c8b20@imap.ecs.soton.ac.uk>

At 16:04 04/03/2003, you wrote:
>Hello all,
>
>I'm running Debian unstable (sarge) mailscanner (3.27) and exim (3.36).
>
>Some of my users are asking for features in the latest versions of
>mailscanner.
>
>I notice some posts indicating people (including Jason) are using newer
>versions of mailscanner than is available at packages.debian.org. I'm
>mostly interested in the new mailscanner features and was wondering the
>best approach to installing without a .deb file.
>
>Are any dependency issues between exim 3.27 and MS 4.x?
>
>I figure my options are: an alternate site that has a .deb file, using
>Alien against the 4.x RPM file, or compiling from source.

If you are prepared to run from /opt/MailScanner then the tar installation will do fine. If you are using 3.27 now, you will have most of the Perl modules already installed. But still go through the tar installation guide and make sure you have them all installed (there will be a few you don't have). Then make any binaries like "tnef" point to tnef.linux and not tnef.solaris.

It shouldn't be too hard a job.
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Tue Mar 4 16:35:40 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:23 2006
Subject: Is the new FAQ working?
In-Reply-To: <1046794165.1602.54.camel@dbeauchemin.si.usherbrooke.ca>
Message-ID: <5.2.0.9.2.20030304163526.048c7ff8@imap.ecs.soton.ac.uk>

Any faq-o-matic experts out there who can help?

At 16:09 04/03/2003, you wrote:
>Hello,
>
>A couple of days ago I tried to post new info in the FAQ but couldn't (I
>don't recall the error message but I think it kept telling me my login
>was not OK).
>
>Now I was looking for some info but I can't seem to find anything
>besides what Julian put in.
>
>All I see are "NewItem" links... with no info in them...
>
>I think the setup might not be permissive enough...
>
>Denis
>--
>Denis Beauchemin, analyste
>Université de Sherbrooke, S.T.I.
>T: 819.821.8000x2252 F: 819.821.8045

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Tue Mar 4 16:37:09 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:23 2006
Subject: Timeout Errors??
In-Reply-To: <16663F2E4043D711A5EA00A0C9EA066118380B@exchange.private.ch adwyck.co.uk>
Message-ID: <5.2.0.9.2.20030304163635.048da008@imap.ecs.soton.ac.uk>

At 16:32 04/03/2003, you wrote:
> > -----Original Message-----
> > From: Gerry Doris [mailto:gerry@dorfam.ca] > > Sent: 04 March 2003 15:44 > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: Timeout Errors?? > > > > h23LOsk01793: timeout waiting for input from local during > > Draining Input > > > > > > What exactly are these telling me? They appear to be > > sendmail errors but > > is it because sendmail is acting up or has it something to do with > > MailScanner? > >The sendmail distribution KNOWNBUGS document has the following: > >* Delivery to programs that generate too much output may cause problems > > If e-mail is delivered to a program which generates too much > output, then sendmail may issue an error: > > timeout waiting for input from local during Draining Input > > Make sure that the program does not generate output beyond a > status message (corresponding to the exit status). This may > require a wrapper around the actual program to redirect output > to /dev/null. In which case the problem you are seeing is from whatever program sendmail is running to do the actual delivery of messages. Nothing to do with MailScanner. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From Jan-Peter.Koopmann at SECEIDOS.DE Tue Mar 4 16:43:45 2003 
From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann) Date: Thu Jan 12 21:17:23 2006 Subject: FromTo: not working? Message-ID: <4E7026FF8A422749B1553FE508E0068007EE7F@message.intern.akctech.de> > Yes, just haven't had a chance to reply yet. > For some reason, your rules aren't matching, but I can't > obviously see why not. Have you got some space after the > "FromTo:" ? I am attaching the file so you can check yourself, ok? > I'm slightly at a loss to know what to suggest, > no-one else appears to have this problem. I am somehow not surprised... :-) Regards, JP -------------- next part -------------- A non-text attachment was scrubbed... Name: virus.scanning.rules Type: application/octet-stream Size: 181 bytes Desc: virus.scanning.rules Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030304/6bd4e38d/virus.scanning.obj From steve.freegard at LBSLTD.CO.UK Tue Mar 4 16:46:16 2003 From: steve.freegard at LBSLTD.CO.UK (Steve Freegard) Date: Thu Jan 12 21:17:23 2006 Subject: Fragmented messages cannot be scanned and are removed Message-ID: <67D9E7698329D411936E00508B6590B902793277@neelix.lbsltd.co.uk> Better still - you could educate the user in question to turn this 'feature' off in Outlook Express and to zip the attachment instead. To turn this off in OE: Select the 'Tools' menu -> Select 'Accounts....' -> Highlight the mail account name e.g. 'BT Internet' -> Click 'Properties' -> Select the 'Advanced' tab -> untick the 'Break apart messages larger than xxx KB' Regards, Steve. -----Original Message----- 
From: Mariano Absatz [mailto:mailscanner@LISTS.COM.AR]
Sent: 04 March 2003 16:34
To: MAILSCANNER@jiscmail.ac.uk
Subject: Re: Fragmented messages cannot be scanned and are removed

On 4 Mar 2003 at 11:25, Matthew Bowman wrote:

> Thanks,
>
> I don't have the Allow Partial Messages field in my MailScanner.conf file
> - was this a feature added after 4.10-1 ?
>
browsing the changelog... it's been added in 4.12, so it's right, you don't
have that available... I guess you'll have to upgrade if you want to use it
(but then, it's still a bad idea)...

regards.

--
Mariano Absatz
El Baby
----------------------------------------------------------
I don't care to belong to a club that accepts people like me as members.
  -- Groucho Marx

**********************************************************************
This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please notify
the system manager.

This footnote also confirms that this email message has been swept by
MIMEsweeper for the presence of computer viruses.

www.lbsltd.co.uk
**********************************************************************

From mk at quadstone.com Tue Mar 4 16:51:14 2003
From: mk at quadstone.com (Michael Keightley) Date: Thu Jan 12 21:17:23 2006 Subject: Problems with check_mailscanner script in v4.13-3 Message-ID: <20030304165114.GA4304@quadstone.com> There is a problem with the check_mailscanner script if the ps line becomes too long. check_mailscanner will start up MailScanner again even when it is running already, this is because it can't see the MailScanner process in the output of ps. This is the output of "ps -ef | grep MailScanner | grep -v grep" on our Mail Gateway: root 16445 16424 0 16:31:36 ? 0:06 /usr/local/bin/perl -I/var/opt/MailScanner/lib /var/opt/MailScanner/bin/MailSca I managed to fix this by looking for /var/opt/MailScanner/lib in my check_mailscanner script. I.e. added this line to the start: mslibdir=/var/opt/MailScanner/lib Changed lines "fgrep $msbindir/$process |" to "fgrep $mslibdir |" Michael -- Michael Keightley Tel: +44 131 220 4491 Systems Manager, Quadstone Limited, Fax: +44 131 220 4492 16 Chester Street, Edinburgh EH3 7RA, Scotland http://www.quadstone.com From Kevin.Spicer at BMRB.CO.UK Tue Mar 4 16:49:43 2003 
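Added example (not part of the post above and not the check_mailscanner script itself): the watchdog failure Michael Keightley describes, reproduced against the ps line he quotes. The values of msbindir and process, the untruncated line and the editor line are assumptions constructed for the illustration.

```shell
#!/bin/sh
# Assumed values: the post gives mslibdir; msbindir and process are inferred
# from the path visible in the quoted ps line.
msbindir=/var/opt/MailScanner/bin
mslibdir=/var/opt/MailScanner/lib
process=MailScanner

# The ps -ef line quoted in the post. The argument column is cut off before the
# end of the script path, so the string "$msbindir/$process" never appears.
PS_TRUNCATED='root 16445 16424 0 16:31:36 ? 0:06 /usr/local/bin/perl -I/var/opt/MailScanner/lib /var/opt/MailScanner/bin/MailSca'

# Constructed: the same process as an untruncated listing would show it.
PS_FULL="${PS_TRUNCATED}nner"

# Constructed: an unrelated process whose arguments mention the lib directory.
PS_EDITOR='root 17001 16900 0 16:40:02 pts/1 0:00 vi /var/opt/MailScanner/lib/MailScanner/Config.pm'

# count_matches PATTERN PS_OUTPUT
# Same filter chain as the watchdog: fixed-string match, minus the grep itself.
count_matches() {
    printf '%s\n' "$2" | grep -F -e "$1" | grep -v grep | wc -l | tr -d ' '
}

# watchdog_decision PATTERN PS_OUTPUT -> prints "running" or "restart"
watchdog_decision() {
    if [ "$(count_matches "$1" "$2")" -gt 0 ]; then
        echo running
    else
        echo restart
    fi
}

# Three candidate patterns against three process listings:
#  - the script path misses the truncated line, so a second copy gets started;
#  - the bare lib directory sees the daemon, but also the editor, so a dead
#    daemon would go unnoticed while that editor is open;
#  - "perl -I<libdir>" sits early in the command line and survives truncation
#    without matching the editor.
for pat in "$msbindir/$process" "$mslibdir" "perl -I$mslibdir"; do
    printf '%-40s truncated=%s full=%s editor-only=%s\n' "$pat" \
        "$(watchdog_decision "$pat" "$PS_TRUNCATED")" \
        "$(watchdog_decision "$pat" "$PS_FULL")" \
        "$(watchdog_decision "$pat" "$PS_EDITOR")"
done
```
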
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin) Date: Thu Jan 12 21:17:23 2006 Subject: Is the new FAQ working? Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0EBF44D@pascal.priv.bmrb.co.uk> > Any faq-o-matic experts out there who can help? > > I'm not - but if it helps I seem to be able to edit the answers I put in last week, but don't seem to be able to add any (even in the same category) Something must have changed.... BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. From mailscanner at ecs.soton.ac.uk Tue Mar 4 16:53:48 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:23 2006 Subject: Is the new FAQ working? In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB0EBF44D@pascal.priv.bmrb.co .uk> Message-ID: <5.2.0.9.2.20030304165322.03c0bff8@imap.ecs.soton.ac.uk> At 16:49 04/03/2003, you wrote: > > Any faq-o-matic experts out there who can help? > > > > >I'm not - but if it helps I seem to be able to edit the answers I put in >last week, but don't seem to be able to add any (even in the same >category) Something must have changed.... I have just slackened all the permissions. Let's hope no-one makes a mess of it :-) -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Tue Mar 4 16:47:49 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:23 2006 Subject: FromTo: not working? In-Reply-To: <4E7026FF8A422749B1553FE508E0068007EE7F@message.intern.akct ech.de> Message-ID: <5.2.0.9.2.20030304164656.04ae87a8@imap.ecs.soton.ac.uk> This is really odd. Is it working okay for other people? I'm slightly worried... If you tell it to scan messages from "*@mailscanner.info", or just "mailscanner.info" does it then scan messages I send you? At 16:43 04/03/2003, you wrote: > > Yes, just haven't had a chance to reply yet. > > For some reason, your rules aren't matching, but I can't > > obviously see why not. Have you got some space after the > > "FromTo:" ? > >I am attaching the file so you can check yourself, ok? > > > I'm slightly at a loss to know what to suggest, > > no-one else appears to have this problem. > >I am somehow not surprised... :-) > >Regards, > JP -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Tue Mar 4 16:58:10 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:23 2006 Subject: MailScanner Store Message-ID: <5.2.0.9.2.20030304165657.02d8a210@imap.ecs.soton.ac.uk> This has to be the most spectacular failure I have seen in quite a while. Since setting it up, I have sold 4 (yes, four!) items. Boy, am I glad I don't have to pay any rental for the space! :-) -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From Kevin.Spicer at BMRB.CO.UK Tue Mar 4 17:09:44 2003 
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin) Date: Thu Jan 12 21:17:23 2006 Subject: FromTo: not working? Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0A4AD4C@pascal.priv.bmrb.co.uk> Complete shot in the dark... as the original post doesn't say which domain isn't being scanned & I'm not sure whether MS accepts mixed tabs and spaces, but there is a space and a tab after *@akctech.de whereas everything else is tab separated. > -----Original Message----- 
> From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] > Sent: 04 March 2003 16:48 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: FromTo: not working? > > > This is really odd. Is it working okay for other people? I'm slightly > worried... > If you tell it to scan messages from "*@mailscanner.info", or just > "mailscanner.info" does it then scan messages I send you? > > At 16:43 04/03/2003, you wrote: > > > > > > Yes, just haven't had a chance to reply yet. > > > For some reason, your rules aren't matching, but I can't > > > obviously see why not. Have you got some space after the > > > "FromTo:" ? > > > >I am attaching the file so you can check yourself, ok? > > > > > I'm slightly at a loss to know what to suggest, > > > no-one else appears to have this problem. > > > >I am somehow not surprised... :-) > > > >Regards, > > JP > > -- > Julian Field > www.MailScanner.info > MailScanner thanks transtec Computers for their support > BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. From jaearick at COLBY.EDU Tue Mar 4 17:13:16 2003 
From: jaearick at COLBY.EDU (Jeff A. Earickson) Date: Thu Jan 12 21:17:23 2006 Subject: Is the new FAQ working? In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB0EBF44D@pascal.priv.bmrb.co.uk> References: <5C0296D26910694BB9A9BBFC577E7AB0EBF44D@pascal.priv.bmrb.co.uk> Message-ID: Julian, Despite the fact that I originally suggested faqomatic, I'm no expert with it. I went to "hints for writing FAQ entries", added a test blurb, appended another test blurb, went back to the top level, and didn't see anything. Maybe adding entries requires approval by you before it appears publically? --- Jeff Earickson From dot at DOTAT.AT Tue Mar 4 17:37:11 2003 From: dot at DOTAT.AT (Tony Finch) Date: Thu Jan 12 21:17:23 2006 Subject: Is the new FAQ working? In-Reply-To: Message-ID: Julian Field wrote: > >I have just slackened all the permissions. Let's hope no-one makes a mess >of it :-) Ah good, it has now successfully emailed me a secret. Tony. -- f.a.n.finch http://dotat.at/ CROMARTY FORTH: SOUTH 5 TO 7, OCCASIONALLY GALE 8 IN CROMARTY AT FIRST. RAIN AT FIRST. MODERATE OCCASIONALLY POOR, BECOMING GOOD. From mailscanner at ecs.soton.ac.uk Tue Mar 4 17:38:38 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:23 2006 Subject: Is the new FAQ working? In-Reply-To: References: <5C0296D26910694BB9A9BBFC577E7AB0EBF44D@pascal.priv.bmrb.co.uk> <5C0296D26910694BB9A9BBFC577E7AB0EBF44D@pascal.priv.bmrb.co.uk> Message-ID: <5.2.0.9.2.20030304173358.022d2e50@imap.ecs.soton.ac.uk> At 17:13 04/03/2003, you wrote: >Julian, > > Despite the fact that I originally suggested faqomatic, I'm no >expert with it. I went to "hints for writing FAQ entries", added >a test blurb, appended another test blurb, went back to the top >level, and didn't see anything. Maybe adding entries requires >approval by you before it appears publically? Most things require you to be an authenticated user, but nothing should require more than that. It certainly hasn't sent me any mail informing me of edits. I'll try enabling that and see if I get anything. Can you try it again now? -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support From lists at STHOMAS.NET Tue Mar 4 17:58:19 2003 
From: lists at STHOMAS.NET (Steve Thomas) Date: Thu Jan 12 21:17:23 2006 Subject: Still issues with Spamassassin 2.50 and Mailscanner (after patching) In-Reply-To: <35958706-4E1F-11D7-BC8A-000393920D6C@uptime.at> Message-ID: <200303041802.h24I2mRg015726@chips.sthomas.net> | patch). Somehow this setup fails though. it worked for about a week and | now it bombs out on me again. The MailScanner process simply sits there | and eats 99% of the CPU without doing anything. After about 5-6 Minutes I saw pretty much the same thing. I applied Julian's patch, which fixed things for a few days, then everything started behaving as it did before patching SA. I turned off SA within MS, and went back to running SA via a perl wrapper around our MDA. I'm hoping that the next release of SA will fix the problem. Kudos to Julian, BTW, for finding and fixing a problem within someone else's software. Way above and beyond, if you ask me. Steve From iradu at UNITBV.RO Tue Mar 4 17:53:55 2003 
From: iradu at UNITBV.RO (Radu IONESCU)
Date: Thu Jan 12 21:17:23 2006
Subject: flooded by spam
Message-ID:

Hello,

We are using MailScanner in a gateway (RH AS 2.1) for 7 other mail servers.
As MailScanner deals with spam I wish it could handle a problem like ours:)
It's a kind of mail flood, highly disturbing and making me re-evaluate
the mail gateway topology usefulness as I'm using:

Our University domain name is used abusively by some villains in the wild.
They are mass mailing spam with From/Return fields forged with @unitbv.ro.
Daily, thousands of bounced messages are hitting our gateway. It accepts them,
scans them, then sends them internally (mailertables) to our domain server
which in turn refuses them. The gateway root mailbox is flooded with
postmaster notifies and returned messages sent also back to the Internet,
etc.

Either the IP address of the originating server is forged (less probable),
or they are using a lot of relays, as they are always different. Something
like:

Return-Path:
Received: (qmail 17532 invoked from network); 4 Mar 2003 13:56:42 -0000
Received: from unknown (HELO unitbv.ro) (200.149.179.35)
 by mail.theofficenet.com with SMTP; 4 Mar 2003 13:56:42 -0000
Message-ID: <001510c8cc55$ace12883$17115632@jfrcoog.fhp>
From:
To:
Subject: Improve Sense Of well Being 310-3
Date: Tue, 04 Mar 2003 23:38:17 -1100
MIME-Version: 1.0
Content-Type: text/html;
 charset="iso-8859-1"
X-Priority: 3
X-Mailer: Microsoft Outlook Express 5.50.4522.1200
Importance: Normal

(of course IP 200.149.179.35 is far from our address space)

Therefore it is not my hope, that the real spammer could be dropped, but it
would be better to have the gateway refusing immediately such messages,
after RCPT TO. Not starting a whole chain reaction.

It seems that sendmail as set in the gateway host, is not able to do it even
for its users:

mail from:
250 2.1.0 ... Sender ok
rcpt to:
250 2.1.5 ... Recipient ok
data
354 Enter mail, end with "." on a line by itself
test
.
250 2.0.0 h24DukA07795 Message accepted for delivery

(which could have to do with sendmail.cf modified by atMail, a webmail
server installed on the gateway for another domain)

The problem is, to have the gateway checking the user name even before
accepting the message in the queue - perhaps off topic. Or checking the
content (unitbv.ro not associated with our address space), again before
accepting it into the queue(?).

Well, any suggestions/help would be highly welcome, thank you!

Radu IONESCU
Systems Manager, TRANSILVANIA University Brasov

From mailscanner at ecs.soton.ac.uk Tue Mar 4 18:05:12 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:23 2006
Subject: Still issues with Spamassassin 2.50 and Mailscanner (after patching)
In-Reply-To: <200303041802.h24I2mRg015726@chips.sthomas.net>
References: <35958706-4E1F-11D7-BC8A-000393920D6C@uptime.at>
Message-ID: <5.2.0.9.2.20030304180317.02600f50@imap.ecs.soton.ac.uk>

At 17:58 04/03/2003, you wrote:
>| patch). Somehow this setup fails though. it worked for about a week and
>| now it bombs out on me again. The MailScanner process simply sits there
>| and eats 99% of the CPU without doing anything. After about 5-6 Minutes
>
>I saw pretty much the same thing. I applied Julian's patch, which fixed
>things for a few days, then everything started behaving as it did before
>patching SA.

Can you make it do it consistently? If so, I might be able to find out what
is causing it and get that problem fixed too. If you can make it do it, and
can give me remote access to your system, then I'll have a good go at
finding it.

>I turned off SA within MS, and went back to running SA via a perl wrapper
>around our MDA. I'm hoping that the next release of SA will fix the problem.

It's dead easy to download and install SA 2.44 which works fine, until we
get the 2.50 problems resolved.

>Kudos to Julian, BTW, for finding and fixing a problem within someone else's
>software. Way above and beyond, if you ask me.

Thanks!

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Tue Mar 4 18:10:16 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:23 2006
Subject: flooded by spam
In-Reply-To:
Message-ID: <5.2.0.9.2.20030304180821.02643f50@imap.ecs.soton.ac.uk>

There have been previous discussions of this issue. Exim is now apparently
capable of checking recipient addresses against a file/database. Look in
the Exim docs for things to do with SMTP address/user authentication and
verification.

Can anyone remember the Subject: line from the last time this was discussed?
For that matter, can someone put a FAQ together for this problem please?

At 17:53 04/03/2003, you wrote:
>Hello,
>
>We are using MailScanner in a gateway (RH AS 2.1) for 7 other mail servers.
>As MailScanner deals with spam I wish it could handle a problem like ours:)
>It's a kind of mail flood, highly disturbing and making me re-evaluate
>the mail gateway topology usefulness as I'm using:
>
>Our University domain name is used abusively by some villains in the wild.
>They are mass mailing spam with From/Return fields forged with generated user name>@unitbv.ro.
>Daily, thousands of bounced messages are hitting our gateway. It accepts them,
>scans them, then sends them internally (mailertables) to our domain server
>which in turn refuses them. The gateway root mailbox is flooded with
>postmaster notifies and returned messages sent also back to the Internet,
>etc.
>
>Either the IP address of the originating server is forged (less probable),
>or they are using a lot of relays, as they are always different. Something
>like:
>
>Return-Path:
>Received: (qmail 17532 invoked from network); 4 Mar 2003 13:56:42 -0000
>Received: from unknown (HELO unitbv.ro) (200.149.179.35)
> by mail.theofficenet.com with SMTP; 4 Mar 2003 13:56:42 -0000
>Message-ID: <001510c8cc55$ace12883$17115632@jfrcoog.fhp>
>From:
>To:
>Subject: Improve Sense Of well Being
>310-3
>Date: Tue, 04 Mar 2003 23:38:17 -1100
>MIME-Version: 1.0
>Content-Type: text/html;
> charset="iso-8859-1"
>X-Priority: 3
>X-Mailer: Microsoft Outlook Express 5.50.4522.1200
>Importance: Normal
>
>(of course IP 200.149.179.35 is far from our address space)
>
>Therefore it is not my hope, that the real spammer could be dropped, but it
>would be better to have the gateway refusing immediately such messages,
>after RCPT TO. Not starting a whole chain reaction.
>
>It seems that sendmail as set in the gateway host, is not able to do it even
>for its users:
>
>mail from:
>250 2.1.0 ... Sender ok
>rcpt to:
>250 2.1.5 ... Recipient ok
>data
>354 Enter mail, end with "." on a line by itself
>test
>.
>250 2.0.0 h24DukA07795 Message accepted for delivery
>
>(which could have to do with sendmail.cf modified by atMail, a webmail
>server installed on the gateway for another domain)
>
>The problem is, to have the gateway checking the user name even before
>accepting the message in the queue - perhaps off topic. Or checking the
>content (unitbv.ro not associated with our address space), again before
>accepting it into the queue(?).
>
>Well, any suggestions/help would be highly welcome, thank you!
>
>Radu IONESCU
>Systems Manager, TRANSILVANIA University Brasov

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

From mailscanner at LISTS.COM.AR Tue Mar 4 18:27:55 2003
From: mailscanner at LISTS.COM.AR (Mariano Absatz)
Date: Thu Jan 12 21:17:23 2006
Subject: flooded by spam
In-Reply-To: <5.2.0.9.2.20030304180821.02643f50@imap.ecs.soton.ac.uk>
References:
Message-ID: <3E64C5FB.15742.5D4D973D@localhost>

Anyway, FTR, this is not a MailScanner problem but an SMTP relay server
problem.

Every time you have a border server you will experience this kind of thing
and, if you're a big ISP with automatic provisioning, you can't even block
these names at the border since you never know if one of these will be used
in two minutes to create a new account.

Nevertheless you should configure your _internal_ servers to reject unknown
users (you don't want to do this on _external_ servers, since this allows
address harvesting).

If you are receiving bounces where the envelope from was forged as coming
from your domain, these bounces should have an envelope from like "<>" and
the internal server's rejection should make your border server simply drop
it (since you can't bounce to "<>").

Regretfully, messages _will_ pass thru your gateway, but they'll be dropped.

Incidentally, 200.149.179.35 is a Brazilian address

whois 200.149.179.35@whois.lacnic.net

sends me to Brazil's whois and:

whois 200.149.179.35@whois.nic.br

tells me it belongs to "Tele Norte Leste Participações S.A."

Furthermore http://moensted.dk/spam/?addr=200.149.179.35&Submit=Submit
shows it listed many times, in particular, as an open proxy... most
professional spammers are abusing proxies nowadays.

On 4 Mar 2003 at 18:10, Julian Field wrote:

> There have been previous discussions of this issue. Exim is now apparently
> capable of checking recipient addresses against a file/database. Look in
> the Exim docs for things to do with SMTP address/user authentication and
> verification.
>
> Can anyone remember the Subject: line from the last time this was discussed?
> For that matter, can someone put a FAQ together for this problem please?
>
> At 17:53 04/03/2003, you wrote:
> >Hello,
> >
> >We are using MailScanner in a gateway (RH AS 2.1) for 7 other mail servers.
> >As MailScanner deals with spam I wish it could handle a problem like ours:)
> >It's a kind of mail flood, highly disturbing and making me re-evaluate
> >the mail gateway topology usefulness as I'm using:
> >
> >Our University domain name is used abusively by some villains in the wild.
> >They are mass mailing spam with From/Return fields forged with >generated user name>@unitbv.ro.
> >Daily, thousands of bounced messages are hitting our gateway. It accepts them,
> >scans them, then sends them internally (mailertables) to our domain server
> >which in turn refuses them. The gateway root mailbox is flooded with
> >postmaster notifies and returned messages sent also back to the Internet,
> >etc.
> >
> >Either the IP address of the originating server is forged (less probable),
> >or they are using a lot of relays, as they are always different. Something
> >like:
> >
> >Return-Path:
> >Received: (qmail 17532 invoked from network); 4 Mar 2003 13:56:42 -0000
> >Received: from unknown (HELO unitbv.ro) (200.149.179.35)
> > by mail.theofficenet.com with SMTP; 4 Mar 2003 13:56:42 -0000
> >Message-ID: <001510c8cc55$ace12883$17115632@jfrcoog.fhp>
> >From:
> >To:
> >Subject: Improve Sense Of well Being
> >310-3
> >Date: Tue, 04 Mar 2003 23:38:17 -1100
> >MIME-Version: 1.0
> >Content-Type: text/html;
> > charset="iso-8859-1"
> >X-Priority: 3
> >X-Mailer: Microsoft Outlook Express 5.50.4522.1200
> >Importance: Normal
> >
> >(of course IP 200.149.179.35 is far from our address space)
> >
> >Therefore it is not my hope, that the real spammer could be dropped, but it
> >would be better to have the gateway refusing immediately such messages,
> >after RCPT TO. Not starting a whole chain reaction.
> >
> >It seems that sendmail as set in the gateway host, is not able to do it even
> >for its users:
> >
> >mail from:
> >250 2.1.0 ... Sender ok
> >rcpt to:
> >250 2.1.5 ... Recipient ok
> >data
> >354 Enter mail, end with "." on a line by itself
> >test
> >.
> >250 2.0.0 h24DukA07795 Message accepted for delivery
> >
> >(which could have to do with sendmail.cf modified by atMail, a webmail
> >server installed on the gateway for another domain)
> >
> >The problem is, to have the gateway checking the user name even before
> >accepting the message in the queue - perhaps off topic. Or checking the
> >content (unitbv.ro not associated with our address space), again before
> >accepting it into the queue(?).
> >
> >Well, any suggestions/help would be highly welcome, thank you!
> >
> >Radu IONESCU
> >Systems Manager, TRANSILVANIA University Brasov
>
> --
> Julian Field
> www.MailScanner.info
> Professional Support Services at www.MailScanner.biz
> MailScanner thanks transtec Computers for their support

--
Mariano Absatz
El Baby
----------------------------------------------------------
Daddy, why doesn't this magnet pick up this floppy disk?

From lists at STHOMAS.NET Tue Mar 4 18:34:55 2003
From: lists at STHOMAS.NET (Steve Thomas) Date: Thu Jan 12 21:17:23 2006 Subject: flooded by spam In-Reply-To: ; from iradu@UNITBV.RO on Tue, Mar 04, 2003 at 07:53:55PM +0200 References: Message-ID: <20030304103455.A15992@sthomas.net> On Tue, Mar 04, 2003 at 07:53:55PM +0200, Radu IONESCU is rumored to have said: > > Daily, thousands bounced messages are hitting our gateway. It accepts them, > scans them, then sends them internally (mailertables) to our domain server > which in turn refuses them. The gateway root mailbox is flooded with > postmaster notifies and returned messages sent also back to the Internet, > etc. I'm switching over from sendmail to exim here at our office for this exact reason, except our problem is with dictionary style spam attacks, not joe-jobbing. I only have MailScanner integration and mbox-maildir conversion left before making the switch. Our user database is kept in an LDAP directory, which sendmail doesn't play very nicely with. Exim works quite well with LDAP, and also has the capability to reject mail for non-local users at RCPT TO: time based on the results of an LDAP lookup. Very slick. To help subvert the problem, a while back I set up another machine to act as our primary MX. It just accepts mail and forwards it on to the secondary MX, which is actually our primary mail server. The way it forwards is via the aliases file. Every 15 minutes, a perl script queries the LDAP directory and gets a list of valid usernames. It adds the hostname of the primary mail server to the domain (user@example.com becomes user@host.example.com), reads a list of addresses which don't exist in the LDAP dir, then writes the whole thing to /etc/aliases and rebuilds. It's kind of kludgy, but it keeps my mailbox from being inundated with bounces, and keeps the queue dir from overflowing. Spammers, however, have been getting smarter (the only direction they could go). 
They're starting to use secondary MXs for their dictionary attacks, which subverts the entire system I had put in place - hence the switch to exim. If you can, take a look at exim to replace sendmail. It supports LDAP, SQL, dbm files, flat files, etc... I've only been playing with it for about a week, but so far I like what I see. It makes me realize that while sendmail is still very good at what it does, the list of things it doesn't do (or doesn't do well) is growing... St- From cselivanow at QWICNET.COM Tue Mar 4 18:28:10 2003 
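Added example, not Steve Thomas's Perl script: a shell sketch of the alias-map scheme he describes, with the directory query replaced by a constructed address list, example.com and "host" as placeholder names, and the relay's RCPT TO answer modelled on the generated map alone. It also drops entries that are not plain mailbox names and refuses to install a short map, two checks the post does not mention.

```shell
#!/bin/sh
# build_aliases USERS_FILE DOMAIN INTERNAL_HOST
# USERS_FILE holds one address per line (stand-in for the LDAP query result).
# Prints "localpart: localpart@INTERNAL_HOST.DOMAIN" for each accepted entry.
build_aliases() {
    awk -v d="$2" -v h="$3" '
        {
            sub(/\r$/, "")                    # tolerate CRLF exports
            gsub(/^[ \t]+|[ \t]+$/, "")       # trim surrounding blanks
            addr = tolower($0)
            n = split(addr, p, "@")
            if (n != 2 || p[2] != d) next     # not an address in our domain
            # Plain mailbox names only. An aliases entry may name a program
            # or an include file, so directory data is never copied unchecked.
            if (p[1] !~ /^[a-z0-9][a-z0-9._-]*$/) next
            if (p[1] in seen) next
            seen[p[1]] = 1
            print p[1] ": " p[1] "@" h "." d
        }' "$1"
}

# install_aliases NEW_FILE TARGET MIN_ENTRIES
# Replace TARGET only if the new map has at least MIN_ENTRIES entries: an empty
# map after a failed directory query would make the relay answer "User unknown"
# for every real mailbox.
install_aliases() {
    count=$(grep -c ': ' "$1" || true)
    [ "$count" -ge "$3" ] || return 1
    # Copy next to the target, then rename, so readers never see a partial file.
    # On the real relay the map would be rebuilt (newaliases) after this step.
    cp "$1" "$2.tmp" && mv "$2.tmp" "$2"
}

# rcpt_reply ALIASES_FILE ADDRESS DOMAIN
# Models the relay's answer to RCPT TO from the alias map alone.
rcpt_reply() {
    addr=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    case $addr in
        *@"$3") ;;
        *) echo "550 5.7.1 Relaying denied"; return 0 ;;
    esac
    if KEY=${addr%@*} awk -F': ' '$1 == ENVIRON["KEY"] { ok = 1 } END { exit !ok }' "$1"
    then
        echo "250 2.1.5 Recipient ok"
    else
        echo "550 5.1.1 User unknown"
    fi
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed directory export: two real users (one duplicated, one in mixed
# case), one foreign address and two entries that must never become aliases.
cat > "$WORK/ldap_users.txt" <<'EOF'
alice@example.com
Bob@Example.com
alice@example.com
carol@other.example
|/usr/local/bin/filter@example.com
:include:/tmp/list@example.com
EOF

build_aliases "$WORK/ldap_users.txt" example.com host > "$WORK/aliases.gen"
install_aliases "$WORK/aliases.gen" "$WORK/aliases" 2 ||
    echo "refusing to install a short alias map"

# A dictionary-attack or forged-bounce recipient is refused during the SMTP
# dialogue, so nothing is queued and no bounce is generated by the relay.
for rcpt in alice@example.com xk3jq9@example.com someone@elsewhere.test; do
    printf '%-24s %s\n' "$rcpt" "$(rcpt_reply "$WORK/aliases" "$rcpt" example.com)"
done
```
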
From: cselivanow at QWICNET.COM (Chris Selivanow)
Date: Thu Jan 12 21:17:23 2006
Subject: Problem with Outlook attachments (not Rich text problem)
Message-ID: <20030304132810.2efc5613.cselivanow@qwicnet.com>

Hi all-

Here's the situation. My company has a client that now uses the mailscanner
package on their mail server (We installed it). Our problem seems to be with
Outlook 97 attachments, but only some of them. It seems that if a user opens
Outlook 97 and sends an attachment everything is ok and the recipient is able
to save/view the attachment. It also seems that if a user sends an attachment
from an application (MS Excel 97 to be exact), the attachment is unusable and
appears MIME encoded in-line with the email text and after the Mailscanner
"Clean message" signature.

Below is the mail log section showing the delivery of both types of
attachments. The excel initiated attachment is first in the logs and in the
diff of the message text. The only things that I noticed are the mail file
sizes and the "Encoding:" lines.

Any help is gladly accepted.
-Chris Mar 4 11:53:15 MAIL-SERVER sendmail[30131]: LAA30131: from=, size=9094, class=0, pri=39094, nrcpts=1, msgid=<01C2E244.A3040B80.SENDER>, proto=ESMTP, relay=MAIL-RELAY [aaa.bbb.ccc.ddd] Mar 4 11:53:16 MAIL-SERVER mailscanner[27811]: Scanning 1 messages, 9498 bytes Mar 4 11:53:25 MAIL-SERVER mailscanner[27811]: Scanned 1 messages, 9498 bytes in 4 seconds Mar 4 11:53:26 MAIL-SERVER sendmail[30136]: LAA30131: to=, delay=00:00:11, xdelay=00:00:01, mailer=local, stat=Sent Mar 4 11:53:37 MAIL-SERVER sendmail[30140]: LAA30140: from=, size=19673, class=0, pri=49673, nrcpts=1, msgid=<01C2E244.AFB01040.SENDER>, proto=ESMTP, relay=MAIL-RELAY [aaa.bbb.ccc.ddd] Mar 4 11:53:40 MAIL-SERVER mailscanner[27811]: Scanning 1 messages, 20077 bytes Mar 4 11:53:48 MAIL-SERVER mailscanner[27811]: Scanned 1 messages, 20077 bytes in 3 seconds Mar 4 11:53:50 MAIL-SERVER sendmail[30146]: LAA30140: to=, delay=00:00:14, xdelay=00:00:01, mailer=local, stat=Sent diff -u test-excel test.outlook | more --- test-excel Tue Mar 4 11:49:25 2003 +++ test.outlook Tue Mar 4 11:49:36 2003 @@ -1,20 +1,20 @@ -From SENDER Tue Mar 4 11:48:38 2003 +From SENDER Tue Mar 4 11:48:58 2003 Received: from MAIL-RELAY (MAIL-RELAY [aaa.bbb.ccc.ddd]) - by MAIL-SERVER (8.9.3/8.9.3/Debian/GNU) with ESMTP id LAA30062 - for ; Tue, 4 Mar 2003 11:48:23 -0500 + by MAIL-SERVER (8.9.3/8.9.3/Debian/GNU) with ESMTP id LAA30074 + for ; Tue, 4 Mar 2003 11:48:45 -0500 Received: from vmware-default (host22.internal [192.168.0.22]) - by MAIL-RELAY (8.9.3/8.9.3/Debian 8.9.3-21) with SMTP id LAA15342 - for ; Tue, 4 Mar 2003 11:48:22 -0500 -Received: by localhost with Microsoft MAPI; Tue, 4 Mar 2003 11:48:21 -0500 -Message-ID: <01C2E243.F4EAA5E0.SENDER> + by MAIL-RELAY (8.9.3/8.9.3/Debian 8.9.3-21) with SMTP id LAA15346 + for ; Tue, 4 Mar 2003 11:48:44 -0500 +Received: by localhost with Microsoft MAPI; Tue, 4 Mar 2003 11:48:43 -0500 +Message-ID: <01C2E244.01F9D940.SENDER> 
From: Chris Selivanow To: "'RECEIPIENT'" -Subject: test.xls -Date: Tue, 4 Mar 2003 11:48:20 -0500 +Subject: test 1 +Date: Tue, 4 Mar 2003 11:48:42 -0500 X-Mailer: Microsoft Internet E-mail/MAPI - 8.0.0.4211 -Encoding: 1 TEXT, 140 UUENCODE +Encoding: 1 TEXT, 311 UUENCODE X-MS-Attachment: test.xls 0 00-00-1980 00:00 -Content-type: multipart/mixed; boundary="----------=_1046796515-27811-8" +Content-type: multipart/mixed; boundary="----------=_1046796535-27811-9" X-MailScanner: Found to be clean X-MailScanner-SpamCheck: not spam, SpamAssassin (score=1.1, required 6, AWL, LINES_OF_YELLING, SPAM_PHRASE_00_01, UPPERCASE_50_75) @@ -23,7 +23,7 @@ The following is a multipart MIME message which was extracted from a uuencoded message. -------------=_1046796515-27811-8 +------------=_1046796535-27811-9 -- Chris Selivanow 585 582-1600 Lead Technician 585 624-3465 (fax) QwicNet, Inc. http://www.qwicnet.com From dpowell at LSSI.NET Tue Mar 4 19:10:24 2003 
From: dpowell at LSSI.NET (Darrin Powell)
Date: Thu Jan 12 21:17:23 2006
Subject: Email generated by cron.hourly
Message-ID: <1046805024.22989.377.camel@powell>

Is there anyway I can get this email to stop coming out? Looks as if it is reporting the files not being there?? I am using MailScanner 4.13-3 with Sophos and Spamassassin.

Email body

/etc/cron.hourly/update_virus_scanners:

/usr/lib/MailScanner/clamav-wrapper: /usr/local/bin/clamscan: No such file or directory
/usr/lib/MailScanner/clamav-wrapper: exec: /usr/local/bin/clamscan: cannot execute: No such file or directory
/usr/lib/MailScanner/f-prot-wrapper: /usr/local/f-prot/f-prot: No such file or directory
/usr/lib/MailScanner/f-prot-wrapper: exec: /usr/local/f-prot/f-prot: cannot execute: No such file or directory
/usr/lib/MailScanner/kaspersky-wrapper: /opt/AVP/kavscanner: No such file or directory
/usr/lib/MailScanner/kaspersky-wrapper: exec: /opt/AVP/kavscanner: cannot execute: No such file or directory
/usr/lib/MailScanner/mcafee-wrapper: /usr/local/uvscan/uvscan: No such file or directory
/usr/lib/MailScanner/mcafee-wrapper: exec: /usr/local/uvscan/uvscan: cannot execute: No such file or directory
sh: /usr/local/rav8/bin/ravlin8: No such file or directory

Thanks
Darrin

From Denis.Beauchemin at USHERBROOKE.CA Tue Mar 4 19:11:53 2003
From: Denis.Beauchemin at USHERBROOKE.CA (Denis Beauchemin)
Date: Thu Jan 12 21:17:23 2006
Subject: flooded by spam
In-Reply-To: <20030304103455.A15992@sthomas.net>
References: <20030304103455.A15992@sthomas.net>
Message-ID: <1046805113.1602.66.camel@dbeauchemin.si.usherbrooke.ca>

On Tue 04/03/2003 at 13:34, Steve Thomas wrote:
> Our user database is kept in an LDAP directory, which sendmail doesn't play very nicely with. Exim works quite well with LDAP, and also has the capability to reject mail for non-local users at RCPT TO: time based on the results of an LDAP lookup. Very slick.

We're using sendmail sendmail-8.11.6-23.73 (on Red Hat 7.3) with LDAP and it works very well.

> To help subvert the problem, a while back I set up another machine to act as our primary MX. It just accepts mail and forwards it on to the secondary MX, which is actually our primary mail server. The way it forwards is via the aliases file. Every 15 minutes, a perl script queries the LDAP directory and gets a list of valid usernames. It adds the hostname of the primary mail server to the domain (user@example.com becomes user@host.example.com), reads a list of addresses which don't exist in the LDAP dir, then writes the whole thing to /etc/aliases and rebuilds. It's kind of kludgy, but it keeps my mailbox from being inundated with bounces, and keeps the queue dir from overflowing.
>
> Spammers, however, have been getting smarter (the only direction they could go). They're starting to use secondary MXs for their dictionary attacks, which subverts the entire system I had put in place - hence the switch to exim.

If you are running on Linux, you could make quite easily (with iptables or ipchains) your secondary MX accept incoming mail only from your primary MX, thus forcing everyone to talk directly with your border systems.

Denis
--
Denis Beauchemin, analyst
Université de Sherbrooke, S.T.I.
T: 819.821.8000x2252 F: 819.821.8045

From dot at DOTAT.AT Tue Mar 4 19:15:47 2003
From: dot at DOTAT.AT (Tony Finch)
Date: Thu Jan 12 21:17:23 2006
Subject: flooded by spam
In-Reply-To:
References:
Message-ID:

Julian Field wrote:
>There have been previous discussions of this issue. Exim is now apparently
>capable of checking recipient addresses against a file/database. Look in
>the Exim docs for things to do with SMTP address/user authentication and
>verification.

The keyword is "ACLs" (see the URL below). Note that one of the ways you can do recipient checking in Exim that is particularly useful for an email hub that does onward delivery to other servers (especially if they have different sysadmins) is the callout check which contacts the destination host via SMTP in order to ask it to verify the recipient. No user database required on the hub! You can also do callout checking for the return path, which can greatly reduce the number of bounced bounces you have to deal with.

http://www.exim.org/exim-html-4.10/doc/html/spec_37.html

Tony.
--
f.a.n.finch http://dotat.at/
ARDNAMURCHAN POINT TO CAPE WRATH INCLUDING THE OUTER HEBRIDES: SOUTHEAST VEERING SOUTHWEST 5 TO 7, BACKING SOUTH 6 TO GALE 8 FOR A TIME. RAIN THEN SHOWERS. MODERATE BECOMING GOOD. MODERATE OR ROUGH, LOCALLY VERY ROUGH IN THE WEST.

From ap at HPI.COM Tue Mar 4 19:23:23 2003
From: ap at HPI.COM (Adam Polkosnik)
Date: Thu Jan 12 21:17:23 2006
Subject: Email generated by cron.hourly
In-Reply-To: <1046805024.22989.377.camel@powell>
Message-ID:

It seems that you forget to update the wrappers

http://www.sng.ecs.soton.ac.uk/mailscanner/downloads.shtml

Best regards,
Adam Polkosnik
HPI IT Dept

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Darrin Powell
Sent: Tuesday, March 04, 2003 2:10 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Email generated by cron.hourly

Is there anyway I can get this email to stop coming out? Looks as if it is reporting the files not being there?? I am using MailScanner 4.13-3 with Sophos and Spamassassin.

Email body

/etc/cron.hourly/update_virus_scanners:

/usr/lib/MailScanner/clamav-wrapper: /usr/local/bin/clamscan: No such file or directory
/usr/lib/MailScanner/clamav-wrapper: exec: /usr/local/bin/clamscan: cannot execute: No such file or directory
/usr/lib/MailScanner/f-prot-wrapper: /usr/local/f-prot/f-prot: No such file or directory
/usr/lib/MailScanner/f-prot-wrapper: exec: /usr/local/f-prot/f-prot: cannot execute: No such file or directory
/usr/lib/MailScanner/kaspersky-wrapper: /opt/AVP/kavscanner: No such file or directory
/usr/lib/MailScanner/kaspersky-wrapper: exec: /opt/AVP/kavscanner: cannot execute: No such file or directory
/usr/lib/MailScanner/mcafee-wrapper: /usr/local/uvscan/uvscan: No such file or directory
/usr/lib/MailScanner/mcafee-wrapper: exec: /usr/local/uvscan/uvscan: cannot execute: No such file or directory
sh: /usr/local/rav8/bin/ravlin8: No such file or directory

Thanks
Darrin

From mike at CAMAROSS.NET Tue Mar 4 19:33:53 2003
From: mike at CAMAROSS.NET (Mike Kercher)
Date: Thu Jan 12 21:17:23 2006
Subject: Sophos Updates
In-Reply-To:
Message-ID: <00f901c2e284$fe5eeeb0$6a01a8c0@home.middlefinger.net>

I know we had this discussion a few months back about automating the update of Sophos monthly. I emailed the folks at Sophos and they replied with a script. The script they provided checks date stamps and only downloads if necessary. I have modified it somewhat to fit my needs. If anyone would like a copy of the script in its original form, I'd be happy to post it to the list or off-list if that's more desirable.

Mike

From mailscanner at ecs.soton.ac.uk Tue Mar 4 19:14:08 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:23 2006
Subject: Email generated by cron.hourly
In-Reply-To: <1046805024.22989.377.camel@powell>
Message-ID: <5.2.0.9.2.20030304191258.03b04ea8@imap.ecs.soton.ac.uk>

Check the contents of your /usr/lib/MailScanner directory. If you have a bunch of .rpmnew files, then rename each one over the top of the existing -wrapper file. There is a script to do this for you on the downloads page.

You are running with old -wrapper scripts.

At 19:10 04/03/2003, you wrote:
>Is there anyway I can get this email to stop coming out? Looks as if it
>is reporting the files not being there?? I am using MailScanner 4.13-3
>with Sophos and Spamassassin.
>
>Email body
>
>/etc/cron.hourly/update_virus_scanners:
>
>/usr/lib/MailScanner/clamav-wrapper: /usr/local/bin/clamscan: No such
>file or directory
>/usr/lib/MailScanner/clamav-wrapper: exec: /usr/local/bin/clamscan:
>cannot execute: No such file or directory
>/usr/lib/MailScanner/f-prot-wrapper: /usr/local/f-prot/f-prot: No such
>file or directory
>/usr/lib/MailScanner/f-prot-wrapper: exec: /usr/local/f-prot/f-prot:
>cannot execute: No such file or directory
>/usr/lib/MailScanner/kaspersky-wrapper: /opt/AVP/kavscanner: No such
>file or directory
>/usr/lib/MailScanner/kaspersky-wrapper: exec: /opt/AVP/kavscanner:
>cannot execute: No such file or directory
>/usr/lib/MailScanner/mcafee-wrapper: /usr/local/uvscan/uvscan: No such
>file or directory
>/usr/lib/MailScanner/mcafee-wrapper: exec: /usr/local/uvscan/uvscan:
>cannot execute: No such file or directory
>sh: /usr/local/rav8/bin/ravlin8: No such file or directory
>
>
>Thanks
>Darrin

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

From lists at STHOMAS.NET Tue Mar 4 19:46:09 2003
From: lists at STHOMAS.NET (Steve Thomas)
Date: Thu Jan 12 21:17:23 2006
Subject: flooded by spam
In-Reply-To: <1046805113.1602.66.camel@dbeauchemin.si.usherbrooke.ca>
Message-ID:

| We're using sendmail sendmail-8.11.6-23.73 (on Red Hat 7.3) with LDAP
| and it works very well.

The documentation I found on sendmail's LDAP support didn't seem very good. Maybe I just hadn't had enough coffee that day (or too much), but it was confusing as all get out. Correct me if I'm wrong, but it also looked like in order to use what LDAP functionality sendmail provided, you had to include sendmail-specific schema. Exim gives you a lot more flexibility than that, and was much easier to understand and configure.

| If you are running on Linux, you could make quite easily (with iptables
| or ipchains) your secondary MX accept incoming mail only from your
| primary MX, thus forcing everyone to talk directly with your border
| systems.

I could, but that would defeat the purpose of having multiple MXs. We also need to provide remote users with SMTP AUTH, which is only done via the primary mail server (2nd MX), so port 25 has to be open to the world.

St-

From dpowell at LSSI.NET Tue Mar 4 19:50:11 2003
From: dpowell at LSSI.NET (Darrin Powell)
Date: Thu Jan 12 21:17:23 2006
Subject: Email generated by cron.hourly
In-Reply-To:
References:
Message-ID: <1046807411.22983.414.camel@powell>

That was it.

Thanks
Darrin

On Tue, 2003-03-04 at 14:23, Adam Polkosnik wrote:
> It seems that you forget to update the wrappers
>
> http://www.sng.ecs.soton.ac.uk/mailscanner/downloads.shtml
>
> Best regards,
> Adam Polkosnik
> HPI IT Dept
>
>
> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On
> Behalf Of Darrin Powell
> Sent: Tuesday, March 04, 2003 2:10 PM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Email generated by cron.hourly
>
>
> Is there anyway I can get this email to stop coming out? Looks as if it
> is reporting the files not being there?? I am using MailScanner 4.13-3
> with Sophos and Spamassassin.
>
> Email body
>
> /etc/cron.hourly/update_virus_scanners:
>
> /usr/lib/MailScanner/clamav-wrapper: /usr/local/bin/clamscan: No such
> file or directory
> /usr/lib/MailScanner/clamav-wrapper: exec: /usr/local/bin/clamscan:
> cannot execute: No such file or directory
> /usr/lib/MailScanner/f-prot-wrapper: /usr/local/f-prot/f-prot: No such
> file or directory
> /usr/lib/MailScanner/f-prot-wrapper: exec: /usr/local/f-prot/f-prot:
> cannot execute: No such file or directory
> /usr/lib/MailScanner/kaspersky-wrapper: /opt/AVP/kavscanner: No such
> file or directory
> /usr/lib/MailScanner/kaspersky-wrapper: exec: /opt/AVP/kavscanner:
> cannot execute: No such file or directory
> /usr/lib/MailScanner/mcafee-wrapper: /usr/local/uvscan/uvscan: No such
> file or directory
> /usr/lib/MailScanner/mcafee-wrapper: exec: /usr/local/uvscan/uvscan:
> cannot execute: No such file or directory
> sh: /usr/local/rav8/bin/ravlin8: No such file or directory
>
>
> Thanks
> Darrin

From steinkel at PA.NET Tue Mar 4 19:55:00 2003
From: steinkel at PA.NET (Leland J. Steinke)
Date: Thu Jan 12 21:17:23 2006
Subject: postfix compatability?
References: <5.2.0.9.2.20030303223107.02273fe0@imap.ecs.soton.ac.uk>
Message-ID: <3E650494.4080305@pa.net>

Julian Field wrote:
> Any chance of you publishing all your scripts to make your setup work? They
> would help a lot of people.
>

The perl scripts, along with our master.cf file, are in the attached archive. Yes, the scripts can be improved to run more quickly or converted to C, but they are working well enough for us.

The final piece is to set the Sendmail2 config option to "/usr/local/spoolerator/despool.pl", while leaving the MTA as sendmail. (Naturally, one can change the location of these scripts to whatever fits your local preferences.)

One of our design goals was to minimize hacking on either postfix or MailScanner. With only a single line change in MailScanner.conf and two lines in /etc/postfix/master.cf, I believe we succeeded in that design goal.

Leland

ps: Be sure to set the spool.pl file to point to the appropriate directories.

pps: Test, test, and test again before fielding this on a live system!!!

-------------- next part --------------
A non-text attachment was scrubbed...
Name: spoolerator.tar.gz
Type: application/x-gzip
Size: 3359 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030304/9359a92c/spoolerator.tar.gz

From mailscanner at LISTS.COM.AR Tue Mar 4 20:08:25 2003
From: mailscanner at LISTS.COM.AR (Mariano Absatz)
Date: Thu Jan 12 21:17:23 2006
Subject: Is the new FAQ working?
In-Reply-To: <5.2.0.9.2.20030304173358.022d2e50@imap.ecs.soton.ac.uk>
References:
Message-ID: <3E64DD89.21800.5DA99E13@localhost>

It's working fine now...

I browsed it all and trashed the "New Item" answers that got spread all over during the weekend of try&fail...

Just in case, I added a link to the trashcan in the main page.

For all the people that tried to collaborate and were unable, please try again so we can populate the faq...

The hints (or faq on faq-o-matic) section is at http://MailScanner.info/serve/cache/52.html

I added a playground in case someone wants to try how it works before committing (I found a couple of entries doing just that). It's at http://MailScanner.info/serve/cache/82.html

On 4 Mar 2003 at 17:38, Julian Field wrote:

> At 17:13 04/03/2003, you wrote:
> >Julian,
> >
> > Despite the fact that I originally suggested faqomatic, I'm no
> >expert with it. I went to "hints for writing FAQ entries", added
> >a test blurb, appended another test blurb, went back to the top
> >level, and didn't see anything. Maybe adding entries requires
> >approval by you before it appears publicly?
>
> Most things require you to be an authenticated user, but nothing should
> require more than that. It certainly hasn't sent me any mail informing me
> of edits. I'll try enabling that and see if I get anything.
>
> Can you try it again now?
> --
> Julian Field
> www.MailScanner.info
> Professional Support Services at www.MailScanner.biz
> MailScanner thanks transtec Computers for their support

--
Mariano Absatz
El Baby
----------------------------------------------------------
Love is the answer, but while you're waiting for the answer, sex raises some pretty interesting questions.
-- Woody Allen

From paul at ESPMAIL.CO.UK Tue Mar 4 23:08:11 2003
From: paul at ESPMAIL.CO.UK (Paul Welsh)
Date: Thu Jan 12 21:17:23 2006
Subject: Messages Waiting
References: <3E64DD89.21800.5DA99E13@localhost>
Message-ID: <008a01c2e2a2$f1128fa0$ece230d5@espmail>

When MailScanner restarts I get a lot of messages waiting, yet my mailq is more or less empty.

So what are these waiting messages?

Mar 4 22:34:47 www mailscanner[2604]: Startup: found 345 messages waiting

From howard at harper-adams.ac.uk Wed Mar 5 09:35:42 2003
From: howard at harper-adams.ac.uk (Howard Robinson)
Date: Thu Jan 12 21:17:23 2006
Subject: MailScanner Store
In-Reply-To: <5.2.0.9.2.20030304165657.02d8a210@imap.ecs.soton.ac.uk>
Message-ID: <200303050932.h259WWm01866@blackhole.harper-adams.ac.uk>

On 4 Mar 03, at 16:58, Julian Field wrote:

> This has to be the most spectacular failure I have seen in quite a while.
> Since setting it up, I have sold 4 (yes, four!) items.
>
Hmm could these be on the Antiques Road Show in twenty years with silly price tags?

> Boy, am I glad I don't have to pay any rental for the space! :-)
> --
> Julian Field
> www.MailScanner.info
> MailScanner thanks transtec Computers for their support

Regards
Howard Robinson (Senior Technical Development Officer)
Harper Adams University College
Edgmond
Newport
Shropshire
TF10 8NB
UK
E-mail: hrobinson@harper-adams.ac.uk
Tel. : +44(0)1952 820280 Via switchboard
     : +44(0)1952 815253 Direct line
Fax. : +44(0)1952 814783
College Web site http://www.harper-adams.ac.uk

From thomas.zajic at ROCKSTARVIENNA.COM Wed Mar 5 09:49:49 2003
From: thomas.zajic at ROCKSTARVIENNA.COM (Thomas Zajic)
Date: Thu Jan 12 21:17:23 2006
Subject: FromTo: not working?
In-Reply-To: <4E7026FF8A422749B1553FE508E0068007EE7F@message.intern.akctech.de>
References: <4E7026FF8A422749B1553FE508E0068007EE7F@message.intern.akctech.de>
Message-ID: <20030305094949.GA425@thomas.neo.at>

On Tue, Mar 04, 2003 at 05:43:45PM +0100, Jan-Peter Koopmann wrote:
> > Yes, just haven't had a chance to reply yet.
> > For some reason, your rules aren't matching, but I can't
> > obviously see why not. Have you got some space after the
> > "FromTo:" ?
>
> I am attaching the file so you can check yourself, ok?
> [...]

Although the file looks okay at a first glance, there are a couple of things which might or might not confuse MailScanner:

[zlatko@thomas]:~/tmp$ od -t c virus.scanning.rules
0000000   F   r   o   m   T   o   :  \t   *   @   a   k   c   t   e   c
0000020   h   .   d   e  \t   y   e   s  \t      \n   F   r   o   m   T
0000040   o   :  \t   *   @   s   e   c   e   i   d   o   s   .   d   e
0000060  \t   y   e   s  \n   F   r   o   m   T   o   :  \t   *   @   s
0000100   e   c   e   i   d   o   s   .   n   e   t  \t   y   e   s  \n
0000120   F   r   o   m   T   o   :       *   @   s   e   c   e   i   d
0000140   o   s   .   o   r   g  \t   y   e   s  \n   F   r   o   m   T
0000160   o   :       *   @   s   e   c   e   i   d   o   s   .   c   o
0000200   m  \t   y   e   s  \n   F   r   o   m   T   o   :       *   @
0000220   t   e   l   e   f   o   n   i   a   .   d   e  \t   y   e   s
0000240  \n   F   r   o   m   T   o   :  \t   d   e   f   a   u   l   t
0000260  \t  \t   n   o  \n
0000265

This translates to:

FromTo:*@akctech.deyes
FromTo:*@seceidos.deyes
FromTo:*@seceidos.netyes
FromTo:*@seceidos.orgyes
FromTo:*@seceidos.comyes
FromTo:*@telefonia.deyes
FromTo:defaultno

A superfluous and in line 1, and instead of as field separators in lines 4, 5 and 6. Julian, how does your rule file parser handle this? :-)

HTH,
Thomas
--
-----------------------------
Thomas Zajic
system administrator
ROCKSTAR VIENNA
www.rockstarvienna.com

From mailscanner at ecs.soton.ac.uk Wed Mar 5 10:15:34 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:23 2006
Subject: Messages Waiting
In-Reply-To: <008a01c2e2a2$f1128fa0$ece230d5@espmail>
References: <3E64DD89.21800.5DA99E13@localhost>
Message-ID: <5.2.0.9.2.20030305101345.024cff98@imap.ecs.soton.ac.uk>

At 23:08 04/03/2003, you wrote:
>When MailScanner restarts I get a lot of messages waiting, yet my mailq
>is more or less empty.
>
>So what are these waiting messages?
>
>Mar 4 22:34:47 www mailscanner[2604]: Startup: found 345 messages
>waiting

You may well have loads of orphaned files in mqueue.in. You can safely delete
1) anything old
2) any df files without matching qf files
3) any qf files without matching df files
4) any xf files

But make sure sendmail isn't running when you do this.

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Wed Mar 5 10:40:21 2003
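The four-way triage in the reply above (old files, df files without a qf partner, qf files without a df partner, any xf files), written as a dry-run listing. This is an added example, not part of the original post and not MailScanner's own code. It assumes sendmail's queue naming of a two-letter prefix followed by the queue ID, takes "old" as a caller-chosen age in days because the post gives no threshold, and uses constructed file names in its demo.

```python
import os
import stat
import tempfile
import time

QUEUE_PREFIXES = ("qf", "df", "xf")


def find_orphans(queue_dir, max_age_days, now=None):
    """List candidate files for cleanup in a sendmail-style queue directory.

    Read-only: nothing is deleted. A qf/df pair can be half-written while
    the MTA is running, which is why the post says to stop sendmail first.
    """
    now = time.time() if now is None else now
    cutoff = now - max_age_days * 86400
    ids = {prefix: set() for prefix in QUEUE_PREFIXES}
    old = []
    for name in sorted(os.listdir(queue_dir)):
        prefix, queue_id = name[:2], name[2:]
        if prefix not in ids or not queue_id:
            continue  # not a queue file name this check understands
        info = os.lstat(os.path.join(queue_dir, name))
        if not stat.S_ISREG(info.st_mode):
            continue  # never follow symlinks or descend into directories
        ids[prefix].add(queue_id)
        if info.st_mtime < cutoff:
            old.append(name)
    return {
        "old": old,
        "df_without_qf": sorted("df" + q for q in ids["df"] - ids["qf"]),
        "qf_without_df": sorted("qf" + q for q in ids["qf"] - ids["df"]),
        "xf": sorted("xf" + q for q in ids["xf"]),
    }


def demo():
    """Run the check on a throwaway directory of constructed queue files."""
    names = (
        "qfAAA00001", "dfAAA00001",   # complete, recent pair
        "dfAAA00002",                 # body without control file
        "qfAAA00003",                 # control file without body
        "xfAAA00004",                 # transcript file
        "qfAAA00005", "dfAAA00005",   # complete pair, made 30 days old below
    )
    with tempfile.TemporaryDirectory() as queue_dir:
        for name in names:
            with open(os.path.join(queue_dir, name), "w") as handle:
                handle.write("constructed sample\n")
        now = time.time()
        stale = now - 30 * 86400
        for name in ("qfAAA00005", "dfAAA00005"):
            os.utime(os.path.join(queue_dir, name), (stale, stale))
        return find_orphans(queue_dir, max_age_days=7, now=now)


if __name__ == "__main__":
    for category, files in demo().items():
        print(category, files)
```
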
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:23 2006
Subject: FromTo: not working?
In-Reply-To: <4E7026FF8A422749B1553FE508E0068007EE7F@message.intern.akctech.de>
Message-ID: <5.2.0.9.2.20030305103836.02530b08@imap.ecs.soton.ac.uk>

At 16:43 04/03/2003, you wrote:
> > Yes, just haven't had a chance to reply yet.
> > For some reason, your rules aren't matching, but I can't
> > obviously see why not. Have you got some space after the
> > "FromTo:" ?
>
>I am attaching the file so you can check yourself, ok?
>
> > I'm slightly at a loss to know what to suggest,
> > no-one else appears to have this problem.
>
>I am somehow not surprised... :-)

I have just tested your exact rules file, totally untouched, with messages coming from seceidos.de and messages not coming from there. It worked 100% as I would have expected it to work, so it's not a bug.

Either you have a corrupted copy of MailScanner, or your envelope sender addresses aren't what you think they are. Other than that, I'm out of ideas :-(

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Wed Mar 5 10:33:02 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:23 2006
Subject: FromTo: not working?
In-Reply-To: <20030305094949.GA425@thomas.neo.at>
References: <4E7026FF8A422749B1553FE508E0068007EE7F@message.intern.akctech.de> <4E7026FF8A422749B1553FE508E0068007EE7F@message.intern.akctech.de>
Message-ID: <5.2.0.9.2.20030305102825.02530e40@imap.ecs.soton.ac.uk>

At 09:49 05/03/2003, you wrote:
>On Tue, Mar 04, 2003 at 05:43:45PM +0100, Jan-Peter Koopmann wrote:
>
> > > Yes, just haven't had a chance to reply yet.
> > > For some reason, your rules aren't matching, but I can't
> > > obviously see why not. Have you got some space after the
> > > "FromTo:" ?
> >
> > I am attaching the file so you can check yourself, ok?
> > [...]
>
>Although the file looks okay at a first glance, there are a couple of
>things which might or might not confuse MailScanner:
>
>[zlatko@thomas]:~/tmp$ od -t c virus.scanning.rules
>0000000   F   r   o   m   T   o   :  \t   *   @   a   k   c   t   e   c
>0000020   h   .   d   e  \t   y   e   s  \t      \n   F   r   o   m   T
>0000040   o   :  \t   *   @   s   e   c   e   i   d   o   s   .   d   e
>0000060  \t   y   e   s  \n   F   r   o   m   T   o   :  \t   *   @   s
>0000100   e   c   e   i   d   o   s   .   n   e   t  \t   y   e   s  \n
>0000120   F   r   o   m   T   o   :       *   @   s   e   c   e   i   d
>0000140   o   s   .   o   r   g  \t   y   e   s  \n   F   r   o   m   T
>0000160   o   :       *   @   s   e   c   e   i   d   o   s   .   c   o
>0000200   m  \t   y   e   s  \n   F   r   o   m   T   o   :       *   @
>0000220   t   e   l   e   f   o   n   i   a   .   d   e  \t   y   e   s
>0000240  \n   F   r   o   m   T   o   :  \t   d   e   f   a   u   l   t
>0000260  \t  \t   n   o  \n
>0000265
>
>This translates to:
>
>FromTo:*@akctech.deyes
>FromTo:*@seceidos.deyes
>FromTo:*@seceidos.netyes
>FromTo:*@seceidos.orgyes
>FromTo:*@seceidos.comyes
>FromTo:*@telefonia.deyes
>FromTo:defaultno

+ a on the end of the last line.

>A superfluous and in line 1, and instead of as
>field separators in lines 4, 5 and 6. Julian, how does your rule file parser
>handle this? :-)

The parser does this:

/^(\S+)\s+(\S+)\s+(.+)$/

which matches when any whitespace is used, so long as there's something there.
If this doesn't match, then a warning is put in the maillog about the syntax error. So this is working if you don't get a syntax error then it should have worked.

And why is no-one else hitting this problem? I would expect loads of people to be complaining if this was really a problem in the code :-(

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

From dbird at SGHMS.AC.UK Wed Mar 5 10:57:31 2003
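The line match quoted in the reply above, run over the rules file bytes from the od dump earlier in the thread. This is an added example, not MailScanner's code: the file contents assume each blank column in the dump is a single space, the finding labels and the example.com line are constructed, and the thread does not say whether MailScanner trims the captured value afterwards.

```python
import re

# The line match quoted in the thread for the rule-file parser.
RULE_RE = re.compile(r'^(\S+)\s+(\S+)\s+(.+)$')

# File contents rebuilt byte for byte from the `od -t c` dump in the thread.
# Assumption: each blank column in the dump is one space character, which
# gives 181 bytes in total and agrees with the final offset 0000265 (octal).
RULES_FROM_DUMP = (
    "FromTo:\t*@akctech.de\tyes\t \n"
    "FromTo:\t*@seceidos.de\tyes\n"
    "FromTo:\t*@seceidos.net\tyes\n"
    "FromTo: *@seceidos.org\tyes\n"
    "FromTo: *@seceidos.com\tyes\n"
    "FromTo: *@telefonia.de\tyes\n"
    "FromTo:\tdefault\t\tno\n"
)

# Constructed line (not from the thread): no whitespace after "FromTo:".
CONSTRUCTED_BAD_LINE = "FromTo:*@example.com yes\n"


def lint_rules(text):
    """Apply the quoted match to each non-blank line and report what it sees.

    Returns a list of dicts with the line number, whether the pattern
    matched, the three captured fields, and notes about whitespace.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(keepends=True), start=1):
        if not line.strip():
            continue
        match = RULE_RE.match(line)
        if match is None:
            findings.append({
                "line": lineno, "matched": False, "fields": None,
                "notes": ["no match: expect a syntax warning in the maillog"],
            })
            continue
        notes = []
        # Whitespace consumed between field 1/2 and between field 2/3.
        separators = (line[match.end(1):match.start(2)]
                      + line[match.end(2):match.start(3)])
        if " " in separators:
            notes.append("space used as field separator")
        if match.group(3) != match.group(3).rstrip():
            # (.+) is greedy and stops only at the newline, so trailing
            # tabs and spaces become part of the third field.
            notes.append("trailing whitespace captured in value")
        findings.append({
            "line": lineno, "matched": True,
            "fields": match.groups(), "notes": notes,
        })
    return findings


if __name__ == "__main__":
    for finding in lint_rules(RULES_FROM_DUMP + CONSTRUCTED_BAD_LINE):
        print(finding)
```
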
From: dbird at SGHMS.AC.UK (Daniel Bird)
Date: Thu Jan 12 21:17:23 2006
Subject: SA2.50 problems
Message-ID: <3E65D81B.6030604@sghms.ac.uk>

For info,

RH7.3
MS4.11-1
SA2.50 (with patch)
Razor 2.22

This morning we had the following errors in our mail.log

Mar 5 10:20:05 mailhub1 MailScanner[1321]: Creating hardcoded struct_flock subroutine for linux (Linux-type)
Mar 5 10:20:06 mailhub1 MailScanner[1306]: SpamAssassin timed out and was killed, consecutive failure 1 of 20
Mar 5 10:20:22 mailhub1 MailScanner[1353]: Using locktype = posix
Mar 5 10:20:22 mailhub1 MailScanner[1353]: Creating hardcoded struct_flock subroutine for linux (Linux-type)
Mar 5 10:20:38 mailhub1 MailScanner[1306]: SpamAssassin timed out and was killed, consecutive failure 2 of 20
Mar 5 10:20:38 mailhub1 MailScanner[1354]: Using locktype = posix
Mar 5 10:20:38 mailhub1 MailScanner[1354]: Creating hardcoded struct_flock subroutine for linux (Linux-type)
Mar 5 10:20:55 mailhub1 MailScanner[1355]: Using locktype = posix
Mar 5 10:20:55 mailhub1 MailScanner[1355]: Creating hardcoded struct_flock subroutine for linux (Linux-type)
Mar 5 10:21:09 mailhub1 MailScanner[1306]: SpamAssassin timed out and was killed, consecutive failure 3 of 20
Mar 5 10:21:40 mailhub1 MailScanner[1306]: SpamAssassin timed out and was killed, consecutive failure 4 of 20
Mar 5 10:22:12 mailhub1 MailScanner[1306]: SpamAssassin timed out and was killed, consecutive failure 5 of 20

etc...

I went back to SA2.44 and all is well...

Strangely, another box with the same config is fine!

____________________________________
Daniel Bird
Network and Systems Manager
Department Of Information Services
St. George's Hospital Medical School
Tooting
London SW17 0RE
P: +44 20 8725 2897
F: +44 20 8725 3583
E: dan@sghms.ac.uk
____________________________________
Everything is possible....except skiing through a revolving door.

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
From mailscanner at ecs.soton.ac.uk Wed Mar 5 11:03:28 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:23 2006
Subject: SA2.50 problems
In-Reply-To: <3E65D81B.6030604@sghms.ac.uk>
Message-ID: <5.2.0.9.2.20030305110138.026e7008@imap.ecs.soton.ac.uk>

At 10:57 05/03/2003, you wrote:
>For info,
>
>RH7.3
>MS4.11-1
>SA2.50 (with patch)
>Razor 2.22
>
>This morning we had the following errors in our mail.log
>
>Mar 5 10:20:05 mailhub1 MailScanner[1321]: Creating hardcoded
>struct_flock subroutine for linux (Linux-type)
>Mar 5 10:20:06 mailhub1 MailScanner[1306]: SpamAssassin timed out and
>was killed, consecutive failure 1 of 20
>Mar 5 10:20:22 mailhub1 MailScanner[1353]: Using locktype = posix
>Mar 5 10:20:22 mailhub1 MailScanner[1353]: Creating hardcoded
>struct_flock subroutine for linux (Linux-type)
>Mar 5 10:20:38 mailhub1 MailScanner[1306]: SpamAssassin timed out and
>was killed, consecutive failure 2 of 20
>Mar 5 10:20:38 mailhub1 MailScanner[1354]: Using locktype = posix
>Mar 5 10:20:38 mailhub1 MailScanner[1354]: Creating hardcoded
>struct_flock subroutine for linux (Linux-type)
>Mar 5 10:20:55 mailhub1 MailScanner[1355]: Using locktype = posix
>Mar 5 10:20:55 mailhub1 MailScanner[1355]: Creating hardcoded
>struct_flock subroutine for linux (Linux-type)
>Mar 5 10:21:09 mailhub1 MailScanner[1306]: SpamAssassin timed out and
>was killed, consecutive failure 3 of 20
>Mar 5 10:21:40 mailhub1 MailScanner[1306]: SpamAssassin timed out and
>was killed, consecutive failure 4 of 20
>Mar 5 10:22:12 mailhub1 MailScanner[1306]: SpamAssassin timed out and
>was killed, consecutive failure 5 of 20
>
>etc...
>
>I went back to SA2.44 and all is well...
>
>Strangely, another box with the same config is fine!

There is still a problem with 2.50. However, I haven't been able to get access to a machine that will reliably time out with this problem, so I haven't been able to investigate it.
If someone can get a bunch of mail messages that cause the timeout, on a system that suffers from it, then I might be able to get to the cause of it. Unless I can find the problem, it may not be fixed for 2.51, which would be A Bad Thing (tm).

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

From R.A.Gardener at SHU.AC.UK Wed Mar 5 12:22:58 2003
From: R.A.Gardener at SHU.AC.UK (Ray Gardener)
Date: Thu Jan 12 21:17:23 2006
Subject: version 4.13-3 and system load
Message-ID: <012201c2e311$f4d67600$5a14348f@videoproducer>

Hi,

I upgraded to version 4.13-3 from version 4.12 on our three mail hubs yesterday and today, and on all machines I am seeing a vastly increased system load. All three machines are Sun machines running Solaris. Has anyone else seen this? I am wondering if the new version changes the way that Sophos (our virus scanner) is called via the wrapper scripts.

Regards
_________________________________________________
Ray Gardener
CIS
Sheffield Hallam University
Howard Street
Sheffield
UK
S1 1WB
(44) 0114 225 4926

From mailscanner at ecs.soton.ac.uk Wed Mar 5 12:22:27 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:23 2006
Subject: version 4.13-3 and system load
In-Reply-To: <012201c2e311$f4d67600$5a14348f@videoproducer>
Message-ID: <5.2.0.9.2.20030305122157.03cf41a0@imap.ecs.soton.ac.uk>

Did you upgrade SpamAssassin at the same time by any chance?
Did you upgrade Sophos at the same time?

At 12:22 05/03/2003, you wrote:
>Hi,
>
>I upgraded to version 4.13-3 from version 4.12 on our three mail hubs
>yesterday and today, and on all machines I am seeing a vastly increased
>system load. All three machines are Sun machines running Solaris. Has anyone
>else seen this? I am wondering if the new version changes the way that
>Sophos (our virus scanner) is called via the wrapper scripts.
>
>
>Regards
>_________________________________________________
>Ray Gardener
>CIS
>Sheffield Hallam University
>Howard Street
>Sheffield
>UK
>S1 1WB
>(44) 0114 225 4926

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From jaearick at COLBY.EDU Wed Mar 5 12:28:53 2003
From: jaearick at COLBY.EDU (Jeff A. Earickson)
Date: Thu Jan 12 21:17:23 2006
Subject: version 4.13-3 and system load
In-Reply-To: <012201c2e311$f4d67600$5a14348f@videoproducer>
References: <012201c2e311$f4d67600$5a14348f@videoproducer>
Message-ID:

Hi,

I went from 4.12.2 to 4.13.3 on Monday, Solaris 8, spamassassin 2.44, with no change in load. Maybe you are using ORDB or infinite monkeys in the new settings and you didn't before?

-----------------------------------
Jeff A. Earickson, Ph.D
Senior UNIX Sysadmin and Email Guru
Information Technology Services
Colby College, 4214 Mayflower Hill, Waterville ME, 04901-8842
phone: 207-872-3659 (fax = 3076)
-----------------------------------

On Wed, 5 Mar 2003, Ray Gardener wrote:

> Date: Wed, 5 Mar 2003 12:22:58 -0000
> From: Ray Gardener
> Reply-To: MailScanner mailing list
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: version 4.13-3 and system load
>
> Hi,
>
> I upgraded to version 4.13-3 from version 4.12 on our three mail hubs
> yesterday and today, and on all machines I am seeing a vastly increased
> system load. All three machines are Sun machines running Solaris. Has anyone
> else seen this? I am wondering if the new version changes the way that
> Sophos (our virus scanner) is called via the wrapper scripts.
>
>
> Regards
> _________________________________________________
> Ray Gardener
> CIS
> Sheffield Hallam University
> Howard Street
> Sheffield
> UK
> S1 1WB
> (44) 0114 225 4926
>

From R.A.Gardener at SHU.AC.UK Wed Mar 5 12:33:39 2003
From: R.A.Gardener at SHU.AC.UK (Ray Gardener)
Date: Thu Jan 12 21:17:23 2006
Subject: version 4.13-3 and system load
References: <5.2.0.9.2.20030305122157.03cf41a0@imap.ecs.soton.ac.uk>
Message-ID: <015101c2e313$734969b0$5a14348f@videoproducer>

Hi Julian,

----- Original Message -----
From: "Julian Field"
To:
Sent: Wednesday, March 05, 2003 12:22 PM
Subject: Re: version 4.13-3 and system load

> Did you upgrade SpamAssassin at the same time by any chance?
no

> Did you upgrade Sophos at the same time?
no

Having said that, the installations were done by untarring the distribution and copying the lib docs and bin subdirectories over the original - I don't know whether this is relevant.

Regards,

Ray

>
> At 12:22 05/03/2003, you wrote:
> >Hi,
> >
> >I upgraded to version 4.13-3 from version 4.12 on our three mail hubs
> >yesterday and today, and on all machines I am seeing a vastly increased
> >system load. All three machines are Sun machines running Solaris. Has anyone
> >else seen this? I am wondering if the new version changes the way that
> >Sophos (our virus scanner) is called via the wrapper scripts.
> >
> >
> >Regards
> >_________________________________________________
> >Ray Gardener
> >CIS
> >Sheffield Hallam University
> >Howard Street
> >Sheffield
> >UK
> >S1 1WB
> >(44) 0114 225 4926
>
> --
> Julian Field
> www.MailScanner.info
> MailScanner thanks transtec Computers for their support
>

From mailscanner at ecs.soton.ac.uk Wed Mar 5 12:34:43 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:23 2006
Subject: version 4.13-3 and system load
In-Reply-To: <015101c2e313$734969b0$5a14348f@videoproducer>
References: <5.2.0.9.2.20030305122157.03cf41a0@imap.ecs.soton.ac.uk>
Message-ID: <5.2.0.9.2.20030305123321.03d20770@imap.ecs.soton.ac.uk>

At 12:33 05/03/2003, you wrote:
>Hi Julian,
>
>----- Original Message -----
>From: "Julian Field"
>To:
>Sent: Wednesday, March 05, 2003 12:22 PM
>Subject: Re: version 4.13-3 and system load
>
>
> > Did you upgrade SpamAssassin at the same time by any chance?
>no
>
> > Did you upgrade Sophos at the same time?
>no
>
>Having said that, the installations were done by untarring the distribution
>and copying the lib docs and bin subdirectories over the original - I don't
>know whether this is relevant.

What about the MailScanner.conf file?
I would recommend my new upgrade_MailScanner_conf script to help with this.

> > At 12:22 05/03/2003, you wrote:
> > >I upgraded to version 4.13-3 from version 4.12 on our three mail hubs
> > >yesterday and today, and on all machines I am seeing a vastly increased
> > >system load. All three machines are Sun machines running Solaris. Has
>anyone
> > >else seen this? I am wondering if the new version changes the way that
> > >Sophos (our virus scanner) is called via the wrapper scripts.

The communication with the -wrapper scripts hasn't changed at all, so all I can suggest is that your configuration is different from what you intended. As someone else suggested, have you got a different "Spam Lists" setting or a different "Max Children" setting?

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From dh at UPTIME.AT Wed Mar 5 12:57:37 2003
From: dh at UPTIME.AT (David)
Date: Thu Jan 12 21:17:23 2006
Subject: RFC: calculating scan times for messages.
Message-ID: <0ABF0EBC-4F0A-11D7-A01D-000393920D6C@uptime.at>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

Hello.

I was wondering if any of you have an idea how I could time the scanning process for a message.

I am using sendmail and I was thinking about using the delay= data, but that would not be too accurate.
What I actually wish to do is for a private little project of mine.

I would like to estimate the following:

With the checks XX used and sophos, using Spamassassin with checks XXX

scanning a 500byte message takes an average of XX seconds (and so on)

Does this make sense at all?

I am just fishing for ideas.

- -d

- - Face me and you shall surely perish.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (Darwin)

iD8DBQE+ZfRFiW/Ta/pxHPQRA9ypAKCFq6d80/fDEM8mtzlnBQE0v1yuxACgggi7
RvE4ix/msVqgu0wj+kIxauc=
=DBa7
-----END PGP SIGNATURE-----

From mikew at CRUCIS.NET Wed Mar 5 13:50:35 2003
From: mikew at CRUCIS.NET (Mike Watson)
Date: Thu Jan 12 21:17:23 2006
Subject: FromTo: not working?
In-Reply-To: <5.2.0.9.2.20030305102825.02530e40@imap.ecs.soton.ac.uk>
References: <4E7026FF8A422749B1553FE508E0068007EE7F@message.intern.akctech.de> <5.2.0.9.2.20030305102825.02530e40@imap.ecs.soton.ac.uk>
Message-ID: <200303050750.35582.mikew@crucis.net>

On Wednesday 05 March 2003 04:33 am, you wrote:
> At 09:49 05/03/2003, you wrote:
> >On Tue, Mar 04, 2003 at 05:43:45PM +0100, Jan-Peter Koopmann wrote:
> > > > Yes, just haven't had a chance to reply yet.
> > > > For some reason, your rules aren't matching, but I can't
> > > > obviously see why not. Have you got some space after the
> > > > "FromTo:" ?
> > >
> > > I am attaching the file so you can check yourself, ok?
> > > [...]
> >
> >Although the file looks okay at a first glance, there are a couple
> > of things which might or might not confuse MailScanner:
> >
> >[zlatko@thomas]:~/tmp$ od -t c virus.scanning.rules
> >0000000 F r o m T o : \t * @ a k c t e
> > c 0000020 h . d e \t y e s \t \n F r o
> > m T 0000040 o : \t * @ s e c e i d o s
> > . d e 0000060 \t y e s \n F r o m T o :
> > \t * @ s 0000100 e c e i d o s . n e t
> > \t y e s \n 0000120 F r o m T o : * @
> > s e c e i d 0000140 o s . o r g \t y e
> > s \n F r o m T 0000160 o : * @ s e c
> > e i d o s . c o 0000200 m \t y e s \n F
> > r o m T o : * @ 0000220 t e l e f o
> > n i a . d e \t y e s 0000240 \n F r o m
> > T o : \t d e f a u l t 0000260 \t \t n o
> > \n
> >0000265
> >
> >This translates to:
>
> FromTo:*@akctech.deyes
> FromTo:*@seceidos.deyes
> FromTo:*@seceidos.netyes
> FromTo:*@seceidos.orgyes
> FromTo:*@seceidos.comyes
> FromTo:*@telefonia.deyes
> FromTo:defaultno
>
> + a on the end of the last line.
>
> >A superfluous and in line 1, and instead of
> > as field separators in lines 4, 5 and 6. Julian, how does
> > your rule file parser handle this?
:-)
>
> The parser does this:
> /^(\S+)\s+(\S+)\s+(.+)$/
> which matches when any whitespace is used, so long as there's
> something there. If this doesn't match, then a warning is put in the
> maillog about the syntax error. So this is working if you don't get a
> syntax error then it should have worked.
>
> And why is no-one else hitting this problem? I would expect loads of
> people to be complaining if this was really a problem in the code :-(

If you're like me, you've just started using MailScanner and aren't fully familiar with all the rules. I added an address to the spam.whitelist.rules and e-mails and to the spamassassin prefs and e-mails from that source are still labeled as SPAM. I only get 2-3 e-mails a month from them, so I just noticed this last night.

mw
--
Registered Linux - 256979
NRA Life
ARS: W?TMW

--
This message has been scanned for viruses and dangerous content by
F-Prot and MailScanner, and is believed to be clean.

From mailscanner at ecs.soton.ac.uk Wed Mar 5 14:03:55 2003
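Added example, not part of the thread and not MailScanner's own code: a small lint built around the pattern quoted in the message above, ported from Perl to Python. The sample rules are constructed (modelled on the od dump, with example.* domains), `lint_rules` is a hypothetical helper, and what MailScanner does with the captured value afterwards is not shown in the thread.

```python
import re

# The pattern quoted in the thread, ported unchanged from Perl to Python.
RULE_RE = re.compile(r'^(\S+)\s+(\S+)\s+(.+)$')
# Same pattern with the two separators also captured; used only to report
# which whitespace characters were used between the fields.
SEP_RE = re.compile(r'^(\S+)(\s+)(\S+)(\s+)(.+)$')

# Constructed sample (not the poster's file), modelled on the od dump:
SAMPLE_RULES = (
    "FromTo:\t*@example.de\tyes\t\n"   # tab separated, stray trailing tab
    "FromTo:\t*@example.net\tyes\n"    # tab separated, clean
    "FromTo: *@example.org\tyes\n"     # space after the first field
    "FromTo:*@example.com yes\n"       # nothing after the colon: two fields
    "FromTo:\tdefault\t\tno\n"         # two tabs before the value
)


def lint_rules(text):
    """Return one dict per non-blank line describing how RULE_RE sees it.

    'fields' is the (direction, pattern, value) tuple the regex captures,
    or None when the line does not match at all.
    """
    report = []
    for lineno, line in enumerate(text.split("\n"), start=1):
        if not line.strip():
            continue  # blank lines carry no rule
        entry = {"line": lineno, "fields": None, "notes": []}
        match = RULE_RE.match(line)
        if match is None:
            # Per the thread, this is the case that produces a syntax
            # warning in the maillog.
            entry["notes"].append("no match: fewer than three fields")
            report.append(entry)
            continue
        entry["fields"] = match.groups()
        seps = SEP_RE.match(line)
        if " " in seps.group(2) + seps.group(4):
            # \s+ accepts spaces and tabs alike, so this still parses.
            entry["notes"].append("space used as a separator")
        value = match.group(3)
        if value != value.rstrip():
            # (.+) is greedy and '.' matches a tab, so a trailing tab
            # becomes part of the captured value.
            entry["notes"].append("value keeps trailing whitespace: %r" % value)
        report.append(entry)
    return report


if __name__ == "__main__":
    for item in lint_rules(SAMPLE_RULES):
        print(item["line"], item["fields"], "; ".join(item["notes"]) or "ok")
```

Run against a real rules file, the lines to look at first are those reported with no match and those whose value carries trailing whitespace.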
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:23 2006
Subject: RFC: calculating scan times for messages.
In-Reply-To: <0ABF0EBC-4F0A-11D7-A01D-000393920D6C@uptime.at>
Message-ID: <5.2.0.9.2.20030305140234.03962428@imap.ecs.soton.ac.uk>

At 12:57 05/03/2003, you wrote:
>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: RIPEMD160
>
>Hello.
>
>I was wondering if any of you have an idea how I could time the
>scanning process for a message.
>
>I am using sendmail and I was thinking about using the delay= data, but
>that would not be too accurate.
>What I actually wish to do is for a private little project of mine.
>
>I would like to estimate the following:
>
>With the checks XX used and sophos, using Spamassassin with checks XXX
>
>scanning a 500byte message takes an average of XX seconds (and so on)
>
>Does this make sense at all?
>
>I am just fishing for ideas.

I do calculations instead that produce a figure for the number of messages per day that can be processed. With multiple scanning threads, the average delay for a message is not actually very relevant, as several messages are being processed during the time.

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From mailscanner at LISTS.COM.AR Wed Mar 5 15:31:01 2003
From: mailscanner at LISTS.COM.AR (Mariano Absatz)
Date: Thu Jan 12 21:17:23 2006
Subject: RFC: calculating scan times for messages.
In-Reply-To: <0ABF0EBC-4F0A-11D7-A01D-000393920D6C@uptime.at>
Message-ID: <3E65EE05.15180.61D211A5@localhost>

El 5 Mar 2003 a las 13:57, David escribió:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: RIPEMD160
>
> Hello.
>
> I was wondering if any of you have an idea how I could time the
> scanning process for a message.
>
> I am using sendmail and I was thinking about using the delay= data, but
> that would not be too accurate.
> What I actually wish to do is for a private little project of mine.
>
> I would like to estimate the following:
>
> With the checks XX used and sophos, using Spamassassin with checks XXX
>
> scanning a 500byte message takes an average of XX seconds (and so on)
>
> Does this make sense at all?
Well... not that it doesn't make sense, but it wouldn't be measuring anything too useful...

The point is that you can't extrapolate useful info from that data... In order to measure something useful, you should have to bomb your server with a good mixture of mails including spam, ham and viruses and keep an eye on the queues... once you have steadily growing queues you should make a couple of marks in the logs and measure the number of messages per time unit that are passing thru MailScanner.

That should give you a rough estimate of performance... it doesn't make too much sense to measure how much does any specific message takes.

Note that you need at least 3 machines to do this... the actual test machine, an emisor machine and a receptor machine.

The test machine should be configured to route all its outgoing mail to the receptor machine. The receptor machine should have a very fast mail server configured to accept and delete every message unconditionally (kind of, your incoming mail queue should be /dev/null :-)

The emisor machine is the hardest... maybe you'll have to hack a small fast program to send the mail.
Or you can take something like qmail (which I think sends 1 message per session even though they may be going to the same place), stop the smtp client, fill the outgoing queue with your very large collection mixing spam, ham and virus e-mails and... start the smtp client.

It might be a funny process and I would definitively like to have the outcome from that if you do it... maybe also the programs/configuration used.

For the client smtp (the emisor) you might also want to take a look at Russell Coker's postal http://www.coker.com.au/postal/ (the receptor machine is what he calls SMTP sink, if you do it, I guess he'll be glad to know about it).

Postal generates garbage for the mail data, but maybe you can modify it so it takes the messages from somewhere. It has a nice set of options for number of simultaneous connections, max number of messages per connection, max message size, rate limitation, etc.

--
Mariano Absatz
El Baby
----------------------------------------------------------
In theory, there is no difference between theory and practice;
but in practice, there is a great deal of difference.

From jase at SENSIS.COM Wed Mar 5 16:33:29 2003
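Added example, not code from the thread or from any project named in it: a discard-only SMTP sink for the "receptor" role described in the message above, which also reports the messages-per-day rate it has absorbed. It is written in Python with one thread per connection; the port 2525, the `sink.invalid` host name and all class names are assumptions of this sketch.

```python
import socketserver
import threading
import time


class Stats:
    """Thread-safe count of discarded messages and the resulting daily rate."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._lock = threading.Lock()
        self.started = clock()
        self.messages = 0

    def count(self):
        with self._lock:
            self.messages += 1

    def per_day(self):
        elapsed = self._clock() - self.started
        return self.messages * 86400 / elapsed if elapsed > 0 else 0.0


class SinkSession:
    """Just enough SMTP state for one connection; message bodies are dropped."""

    def __init__(self, stats):
        self.stats = stats
        self._reset()

    def _reset(self):
        self.in_data = self.have_mail = self.have_rcpt = False

    def feed(self, line):
        """Take one line without CRLF; return the reply, or None for body lines."""
        if self.in_data:
            if line == ".":          # lone dot ends the message
                self._reset()
                self.stats.count()
                return "250 OK discarded"
            return None              # body line: thrown away unread
        verb = line[:4].upper()
        if verb in ("HELO", "EHLO"):
            return "250 sink.invalid"
        if verb == "MAIL":
            self.have_mail = True
            return "250 OK"
        if verb == "RCPT":
            if not self.have_mail:
                return "503 need MAIL first"
            self.have_rcpt = True
            return "250 OK"
        if verb == "DATA":
            if not self.have_rcpt:
                return "503 need RCPT first"
            self.in_data = True
            return "354 end with <CRLF>.<CRLF>"
        if verb == "RSET":
            self._reset()
            return "250 OK"
        if verb == "NOOP":
            return "250 OK"
        if verb == "QUIT":
            return "221 bye"
        return "500 unrecognised command"


class SinkHandler(socketserver.StreamRequestHandler):
    def handle(self):
        session = SinkSession(self.server.stats)
        self.wfile.write(b"220 sink.invalid ESMTP discard-only\r\n")
        for raw in self.rfile:
            reply = session.feed(raw.rstrip(b"\r\n").decode("latin-1"))
            if reply is not None:
                self.wfile.write(reply.encode("ascii") + b"\r\n")
                if reply.startswith("221"):
                    break


def serve(host="127.0.0.1", port=2525, report_every=10):
    """Run the sink until interrupted, printing the absorbed rate periodically."""
    socketserver.ThreadingTCPServer.allow_reuse_address = True
    with socketserver.ThreadingTCPServer((host, port), SinkHandler) as server:
        server.daemon_threads = True
        server.stats = Stats()
        threading.Thread(target=server.serve_forever, daemon=True).start()
        while True:
            time.sleep(report_every)
            print("%d messages, %.0f per day"
                  % (server.stats.messages, server.stats.per_day()))


if __name__ == "__main__":
    serve()
```

The rate printed here is only meaningful once the sender has been tuned so that the queue on the machine under test stops growing, as the message describes.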
From: jase at SENSIS.COM (Desai, Jason)
Date: Thu Jan 12 21:17:23 2006
Subject: Debian ms v4.x install help. Deb, Alien or Source? attn Jason Desai
Message-ID:

Hi Scott - sorry for the late reply ...

I installed MailScanner using the .tar file. I am running Debian stable (woody) with exim 3.35. If you need version MailScanner 4.x, I would suggest doing the same - just install from the .tar file. The instructions on the MailScanner web site are pretty good.

I am not aware of any dependency issues between MailScanner 4.x and exim.

I think I did compile MIME-tools-5.411 myself, to make sure that I got the patches. After applying the patches, I used dh-make-perl to create the files needed to make a debian package, then I ran dpkg-buildpackage -b to make the .deb file. Then I ran dpkg -i to install it.

Again, I would suggest using the .tar installation. Let me know if you have any problems.

Jason

> -----Original Message-----
> From: Hancock, Scott [mailto:HancockS@MORGANCO.COM]
> Sent: Tuesday, March 04, 2003 11:05 AM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: [MAILSCANNER] Debian ms v4.x install help. Deb, Alien or
> Source? attn Jason Desai
>
>
> Hello all,
>
> I'm running Debian unstable (sarge) mailscanner (3.27) and
> exim (3.36).
>
> Some of my users are asking for features in the latest versions of
> mailscanner.
>
> I notice some posts indicating people (including Jason) are
> using newer
> versions of mailscanner than is available at packages.debian.org. I'm
> mostly interested in the new mailscanner features and was
> wondering the
> best approach to installing without a .deb file.
>
> Are any dependency issues between exim 3.27 and MS 4.x?
>
> I figure my options are: an alternate site that has a .deb file, using
> Alien against the 4.x RPM file, or compiling from source.
>
> All this is being tested off line.
>
> Thanks all for your time.
>
> Scott
>

From nathan at TCPNETWORKS.NET Wed Mar 5 16:49:22 2003
From: nathan at TCPNETWORKS.NET (Nathan Johanson)
Date: Thu Jan 12 21:17:24 2006
Subject: MailScanner Store
Message-ID:

I wear my new MailScanner T-shirt all of the time. C'mon guys! Throw out the pocket protectors and spruce up your fashion a little bit ;-)

Chicks dig MailScanner.

Nathan Johanson

-----Original Message-----
From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK]
Sent: Tuesday, March 04, 2003 8:58 AM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: MailScanner Store

This has to be the most spectacular failure I have seen in quite a while.
Since setting it up, I have sold 4 (yes, four!) items.

Boy, am I glad I don't have to pay any rental for the space! :-)
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Wed Mar 5 16:49:27 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:24 2006
Subject: RFC: calculating scan times for messages.
In-Reply-To: <3E65EE05.15180.61D211A5@localhost>
References: <0ABF0EBC-4F0A-11D7-A01D-000393920D6C@uptime.at>
Message-ID: <5.2.0.9.2.20030305163850.02e42d88@imap.ecs.soton.ac.uk>

At 15:31 05/03/2003, you wrote:
>El 5 Mar 2003 a las 13:57, David escribió:
>
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: RIPEMD160
> >
> > Hello.
> >
> > I was wondering if any of you have an idea how I could time the
> > scanning process for a message.
> >
> > I am using sendmail and I was thinking about using the delay= data, but
> > that would not be too accurate.
> > What I actually wish to do is for a private little project of mine.
> >
> > I would like to estimate the following:
> >
> > With the checks XX used and sophos, using Spamassassin with checks XXX
> >
> > scanning a 500byte message takes an average of XX seconds (and so on)
> >
> > Does this make sense at all?
>Well... not that it doesn't make sense, but it wouldn't be measuring anything
>too useful...
>
>The point is that you can't extrapolate useful info from that data... In
>order to measure something useful, you should have to bomb your server with a
>good mixture of mails including spam, ham and viruses and keep an eye on the
>queues... once you have steadily growing queues you should make a couple of
>marks in the logs and measure the number of messages per time unit that are
>passing thru MailScanner.
>
>That should give you a rough estimate of performance... it doesn't make too
>much sense to measure how much does any specific message takes.
>
>Note that you need at least 3 machines to do this... the actual test machine,
>an emisor machine and a receptor machine.
>
>The test machine should be configured to route all its outgoing mail to the
>receptor machine.
The receptor machine should have a very fast mail server
>configured to accept and delete every message unconditionally (kind of, your
>incoming mail queue should be /dev/null :-)
>
>The emisor machine is the hardest... maybe you'll have to hack a small fast
>program to send the mail. Or you can take something like qmail (which I think
>sends 1 message per session even though they may be going to the same place),
>stop the smtp client, fill the outgoing queue with your very large collection
>mixing spam, ham and virus e-mails and... start the smtp client.
>
>It might be a funny process and I would definitively like to have the outcome
>from that if you do it... maybe also the programs/configuration used.
>
>For the client smtp (the emisor) you might also want to take a look at Russell
>Coker's postal http://www.coker.com.au/postal/ (the receptor machine is what
>he calls SMTP sink, if you do it, I guess he'll be glad to know about it).
>
>Postal generates garbage for the mail data, but maybe you can modify it so it
>takes the messages from somewhere. It has a nice set of options for number of
>simultaneous connections, max number of messages per connection, max message
>size, rate limitation, etc.

This is exactly the test setup I already use. I have a test set of 60,000 messages. The emisor uses 10 parallel copies of a Perl script to squirt mail as fast as it possibly can to the MailScanner. The limiting factor here is disk I/O and the lousy i/o scheduler Linux has (it is being re-written for the 2.6 kernels, thank heavens). The emisor's limit is about 8 million messages per day.

The MailScanner runs Exim and MailScanner, in a pretty much vanilla configuration, except that the MailScanner/incoming directory is on tmpfs to remove all that nasty disk i/o.

It then sends all its output to a perl SMTP sink I wrote in about 10 minutes, which speaks just enough SMTP to convince Exim that it's a real mail server.
These fork off to handle traffic, and there are quite often nearly 100 running simultaneously. They throw away everything they are sent.

Speed control is done by varying an optional delay in the emisor script, and changing the number of emisor scripts that are run in parallel. It's pretty coarse but is good enough. Tweak the speed until the queue *just* doesn't grow without bounds. That's about the limit of what the MailScanner can handle.

Running MailScanner, Sophos, SpamAssassin (2.44 or 2.50, it doesn't matter much) and 3 RBL's, the MailScanner can do about 1.5 million messages per day. Just running MailScanner and SpamAssassin, it can handle 4.4 million per day.

In case you are interested, I have attached a little zip file containing the emisor test "harness"(and the shell script that runs them in parallel) and the smtp sink.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: SpeedTests.zip
Type: application/zip
Size: 2651 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030305/ee1fdc06/SpeedTests.zip
-------------- next part --------------
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Wed Mar 5 17:11:55 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:24 2006
Subject: Fwd: Re: SA2.50 problems...
Message-ID: <5.2.0.9.2.20030305170932.06f343e0@imap.ecs.soton.ac.uk>

If you are still having problems with SpamAssassin 2.50 hanging, even with my patch, then do this:
>From: Daniel Bird
>Subject: Re: SA2.50 problems...
>To: Julian Field
>
>Julian,
>
>For info,
>left "Use Spamassassin = yes" in MailScanner.conf but added
>"use_bayes 0" to spam.assassin.prefs.conf
>
>and MailScanner + SA2.50 are running quite happily now.
>
>Thanks.
>
>Dan

I have posted a huge great message to the SAtalk list about this problem. Something *very* strange is happening, and I haven't got to the bottom of it yet. It's all connected to file locking and the bayes database, just like the previous problem with it, but this one is a lot more strange....

If anything interesting comes up on SAtalk, I'll be sure to tell you all.
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From tjc at ecs.soton.ac.uk Wed Mar 5 17:25:14 2003
From: tjc at ecs.soton.ac.uk (Tim Chown)
Date: Thu Jan 12 21:17:24 2006
Subject: MailScanner Store
In-Reply-To:
References:
Message-ID: <20030305172514.GN4962@login.ecs.soton.ac.uk>

You mean Chicks dig MaleScanner?

On Wed, Mar 05, 2003 at 08:49:22AM -0800, Nathan Johanson wrote:
> I wear my new MailScanner T-shirt all of the time. C'mon guys! Throw out
> the pocket protectors and spruce up your fashion a little bit ;-)
>
> Chicks dig MailScanner.
>
> Nathan Johanson
>
>
>
> -----Original Message-----
> From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK]
> Sent: Tuesday, March 04, 2003 8:58 AM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: MailScanner Store
>
>
> This has to be the most spectacular failure I have seen in quite a
> while.
> Since setting it up, I have sold 4 (yes, four!) items.
>
> Boy, am I glad I don't have to pay any rental for the space! :-)
> --
> Julian Field
> www.MailScanner.info
> MailScanner thanks transtec Computers for their support

From cselivanow at QWICNET.COM Wed Mar 5 17:24:27 2003
From: cselivanow at QWICNET.COM (Chris Selivanow)
Date: Thu Jan 12 21:17:24 2006
Subject: Messages w/o text not being marked clean.
Message-ID: <20030305122427.3a616114.cselivanow@qwicnet.com>

Hi all-

I noticed that if I send an email with an attachment but no text in the body of the email that the mailscanner will scan the message but not append the clean message signature. Of course if there is at least one character in the body then the signature is appended. Is there any way to get the signature appended every time?

-Chris

--
Chris Selivanow            585 582-1600
Lead Technician            585 624-3465 (fax)
QwicNet, Inc.              http://www.qwicnet.com

From mailscanner at ecs.soton.ac.uk Wed Mar 5 17:26:06 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:24 2006
Subject: The reason why I asked was-->(Re: RFC: calculating scan times for messages.)
In-Reply-To:
References: <5.2.0.9.2.20030305163850.02e42d88@imap.ecs.soton.ac.uk>
Message-ID: <5.2.0.9.2.20030305171505.06fa4b48@imap.ecs.soton.ac.uk>

At 17:14 05/03/2003, you wrote:
>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: RIPEMD160
>
>
> >Running MailScanner, Sophos, SpamAssassin (2.44 or 2.50, it doesn't
>matter much) and 3 RBL's, the MailScanner can do about 1.5 million
> >messages per day. Just running MailScanner and SpamAssassin, it can
>handle 4.4 million per day.
>>
>>In case you are interested, I have attached a little zip file
>>containing the emisor test "harness"(and the shell script that runs
>>them in parallel) and the smtp sink. --
>
>Thank you very much. It is no real secret, but I am looking at a
>project for one of the major Backbone providers. They hired me to have
>a look at their intermediate Mail relays, they were interested in a
>solution which is open source, as a proof of concept. Now with their
>system we are looking at 26-40 Million messages a day! That is why I
>was going to look at precise averaging, but thinking about all of it
>for the latter of the day, I can only agree. My approach would not be
>measuring anything useful.
>
>Now what they are granting me as hardware is either a Sun Fire
>4500-8-Processor (with 8-12 Processors) and 8-16 Gig RAM. Or a solution
>based on multiple Intel Xeon Quad Processor Machines.

Personally I would go for the Xeon cluster, as it is more easily scalable later on, as their mail load grows. Also, if half of it goes up in smoke (or needs upgrading/maintaining) you still have a working service, albeit a slightly slower one. I know you can dynamically reconfigure the bigger SunFires, but a cluster does have its appeal...
Unfortunately no-one has bought me a quad Xeon machine to test MailScanner on, so I can't give you accurate performance figures. But with dual 2.4GHz Xeon machines, 40 million messages per day would keep 30 of them fairly well occupied. You have to remember, of course, that my load tests are done with a steady stream of mail, and not a peaky load that you would see in real life.

As for Exim vs sendmail, I found Exim a lot easier to get to scale up to multi-million figures. And configuring it to punt all mail at 1 other machine is dead easy. I'm no Exim expert, not by a long way.

If you need any help whatsoever with this project, please don't hesitate to get in touch. I will offer whatever help and advice I can.

>Computing Power really is no issue to them. I do not necessarily need a
>solution either where an open Source OS is being used, but the system
>itself which performs the scanning and delivers the framework has to be.
>
>Now I tested a bit with Ultra160 SCSI and the 2.5* kernel series.
>Agreeing with Julian usual I/O was lousy, but it is quite up to par now
>in the 2.5* series.
>
>According to their testing (I have no idea how thorough it has been)
>sendmail is the only MTA which can handle the load with their setup,
>thus I am on the safe side there as well. I was thinking about using
>sophos, but if there is a faster scanner, I am sure they would buy that
>one as well.
>
>- -d
>
>
>
>
>
> we may race and we may run, but we can not undo what has been done.
>-----BEGIN PGP SIGNATURE-----
>Version: GnuPG v1.2.1 (Darwin)
>
>iD8DBQE+ZjBhiW/Ta/pxHPQRA8S5AKC/VFc1q9q0k4tXS/3jJQ8a+zJyUACdHJfF
>CJx5PYcHGpxb9MSCS42bDmU=
>=spYC
>-----END PGP SIGNATURE-----

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From cselivanow at QWICNET.COM Wed Mar 5 17:46:09 2003
From: cselivanow at QWICNET.COM (Chris Selivanow)
Date: Thu Jan 12 21:17:24 2006
Subject: email address removed from report text
Message-ID: <20030305124609.41362099.cselivanow@qwicnet.com>

Hi again-

I've just noticed this issue and I'm sure that someone else already had this question but I was unable to find it in the archives or the FAQ. Anyways, I noticed that if I have an email address in a report file that the entire line that contains the address is removed and replaced with a blank line. Is there a way to configure mailscanner not to do this?

--
Chris Selivanow            585 582-1600
Lead Technician            585 624-3465 (fax)
QwicNet, Inc.              http://www.qwicnet.com

From mailscanner at ecs.soton.ac.uk Wed Mar 5 18:15:44 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:24 2006
Subject: email address removed from report text
In-Reply-To: <20030305124609.41362099.cselivanow@qwicnet.com>
Message-ID: <5.2.0.9.2.20030305181505.02536ea0@imap.ecs.soton.ac.uk>

At 17:46 05/03/2003, you wrote:
>Hi again-
>
>I've just noticed this issue and I'm sure that someone else already had this
>question but I was unable to find it in the archives or the FAQ. Anyways,
>I noticed that if I have an email address in a report file that the entire
>line that contains the address is removed and replaced with a blank line.
>Is there a way to configure mailscanner not to do this?

I guess you are using version 3.
Replace "@" with "\@" in your reports.
--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Wed Mar 5 18:11:57 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:24 2006
Subject: Messages w/o text not being marked clean.
In-Reply-To: <20030305122427.3a616114.cselivanow@qwicnet.com>
Message-ID: <5.2.0.9.2.20030305181008.021dddd8@imap.ecs.soton.ac.uk>

At 17:24 05/03/2003, you wrote:
>Hi all-
>
>I noticed that if I send an email with an attachment but no text in the body
>of the email that the mailscanner will scan the message but not append the
>clean message signature. Of course if there is at least one character in the
>body then the signature is appended. Is there any way to get the signature
>appended every time?

It appends the signature to the first html and/or text segment of the message. If there's no body at all, there's nowhere to put the signature.

I'll take a look at the possibility of creating a body if needed.
--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

From lists at DILLONST.COM Wed Mar 5 18:53:55 2003
From: lists at DILLONST.COM (Daron)
Date: Thu Jan 12 21:17:24 2006
Subject: Blacklist and high scoring spam
Message-ID: <20030305185146.M16147@dillonst.com>

I have setup several spam senders on the blacklist but it only marks it with the low level subject stamp and delivers it. Is there a way for the blacklist to score as a high score and follow those rules instead?

Thanks,
Daron

From kylist at SHCORP.COM Wed Mar 5 18:57:00 2003
From: kylist at SHCORP.COM (Kurt Yoder)
Date: Thu Jan 12 21:17:24 2006
Subject: Debian ms v4.x install help. Deb, Alien or Source? attn Jason Desai
In-Reply-To: <03Mar4.105815est.119118@gateway.morganco.com>
References: <03Mar4.105815est.119118@gateway.morganco.com>
Message-ID: <43870.10.10.1.71.1046890620.squirrel@webmailtest.shcorp.com>

<<< No Message Collected >>>

From lists at DILLONST.COM Wed Mar 5 19:29:59 2003
From: lists at DILLONST.COM (Daron)
Date: Thu Jan 12 21:17:24 2006
Subject: Sendmail before MailScanner
Message-ID: <20030305192711.M27763@dillonst.com>

I have noticed that MailScanner ignores Sendmail rules before scanning. The problem is tons of non-existent users receiving mail gets scanned and processed even though in sendmail aliases file they are set to /dev/nul .

Is there a place in the config to adjust this?

From didier.belhomme at FUNDP.AC.BE Wed Mar 5 19:45:35 2003
From: didier.belhomme at FUNDP.AC.BE (Didier Belhomme)
Date: Thu Jan 12 21:17:24 2006
Subject: Sendmail before MailScanner
In-Reply-To: <20030305192711.M27763@dillonst.com>
References: <20030305192711.M27763@dillonst.com>
Message-ID: <1046893535.3e6653df23561@webmail3.fundp.ac.be>

Selon Daron :

> I have notice that MailScanner ignores Sendmail rules before scanning. The
> problem is tons of non-existant users receiving mail gets scanned and
> processed even though in sendmail aliases file they are set to /dev/nul .

I hope this is /dev/null...

That's a common mistake to think that Sendmail, as Mail Transfer Agent, is responsible for delivering the message. That's wrong : alias expansion is the responsibility of the Mail Delivery Agent, which is another program like "deliver" or "procmail".

Thus, I don't think that the Sendmail process that is located *before* MailScanner should be modified in a way to support alias expansion.

What is correct would be to use the "access" database in Sendmail in order to reject mail if matching a rule.

> Is there a place in the config to adjust this?

--
Didier Belhomme
FUNDP - SIU
Unix Systems Manager

From cselivanow at QWICNET.COM Wed Mar 5 19:52:23 2003
From: cselivanow at QWICNET.COM (Chris Selivanow)
Date: Thu Jan 12 21:17:24 2006
Subject: Messages w/o text not being marked clean.
In-Reply-To: <5.2.0.9.2.20030305181008.021dddd8@imap.ecs.soton.ac.uk>
References: <20030305122427.3a616114.cselivanow@qwicnet.com> <5.2.0.9.2.20030305181008.021dddd8@imap.ecs.soton.ac.uk>
Message-ID: <20030305145223.26a22937.cselivanow@qwicnet.com>

Julian-

Thanks for the response. I had previously posted a question regarding Outlook and attachments. I think that I have solved my issue with that and it seems to be related to this issue and how mailscanner handles uuencoded messages.

Here is the situation: I have a client where some people are using outlook 97 and some people are using Eudora 5. Before the mailscanner (3.27) install there were no problems. After the mailscanner install those who were using Eudora were having issues with attachments sent via outlook. Basically the multipart message content was all being displayed in the message body.

The reason follows: Mailscanner converts a uuencoded message, which only has one part ie: lacking a "Content-type" header, and converts it into a base64 encoded multipart message. This is all fine and well. However, mailscanner also adds the text:

The following is a multipart MIME message which was extracted from a uuencoded message.

Mailscanner does not however add a boundary line like:

------------=_1046891750-551-2

before the previous message. This causes Eudora to believe one of two things (as far as I can tell)

1) That the message really isn't a multipart message
2) That it has another part that is missing (ie: the attachment)

I'm not really sure of the inner workings of mailscanner but this seems to be what happens. Is there a way to resolve this? Besides having my client tell their senders to reconfigure their outlook?
-Chris On Wed, 5 Mar 2003 18:11:57 +0000 Julian Field wrote: JF> At 17:24 05/03/2003, you wrote: JF> >Hi all- JF> > JF> >I noticed that if I send an email with an attachment but no text in the body JF> >of the email that the mailscanner will scan the message but not append the JF> >clean message signature. Of course if there is at least one character in the JF> >body then the signature is appended. Is there any way to get the signature JF> >appended every time? JF> JF> It appends the signature to the first html and/or text segment of the JF> message. If there's no body at all, there's nowhere to put the signature. JF> JF> I'll take a look at the possibility of creating a body if needed. JF> -- JF> Julian Field JF> www.MailScanner.info JF> Professional Support Services at www.MailScanner.biz JF> MailScanner thanks transtec Computers for their support -- Chris Selivanow 585 582-1600 Lead Technician 585 624-3465 (fax) QwicNet, Inc. http://www.qwicnet.com From kylist at SHCORP.COM Wed Mar 5 20:34:10 2003 
From: kylist at SHCORP.COM (Kurt Yoder)
Date: Thu Jan 12 21:17:24 2006
Subject: Debian ms v4.x install help. Deb, Alien or Source? attn Jason Desai
Message-ID: <44176.10.10.1.71.1046896450.squirrel@webmailtest.shcorp.com>

(sorry, my mail server got messed up, I'm posting this again)

I'm running Debian stable (woody) with the tar installation of mailscanner. It's not too bad to install. The only problem is with setting up sendmail to work correctly. The debian sendmail package has an odd way of setting things up that I haven't figured out. Since you're using exim I can't comment on that part of it.

Incidentally, does anyone have any instructions on getting the Debian sendmail package working correctly with mailscanner? I had to completely replace the init script to make it work, and now dpkg chokes every time it touches sendmail.

Hancock, Scott said:
> Hello all,
>
> I'm running Debian unstable (sarge) mailscanner (3.27) and exim (3.36).
>
> Some of my users are asking for features in the latest versions of mailscanner.
>
> I notice some posts indicating people (including Jason) are using newer versions of mailscanner than is available at packages.debian.org. I'm mostly interested in the new mailscanner features and was wondering the best approach to installing without a .deb file.
>
> Are any dependency issues between exim 3.27 and MS 4.x?
>
> I figure my options are: an alternate site that has a .deb file, using Alien against the 4.x RPM file, or compiling from source.
>
> All this is being tested off line.
>
> Thanks all for your time.
>
> Scott
>

--
Kurt Yoder
Sport & Health network administrator
tel: 703-245-2708
cel: 703-929-3247

From cselivanow at QWICNET.COM Wed Mar 5 20:38:30 2003
From: cselivanow at QWICNET.COM (Chris Selivanow)
Date: Thu Jan 12 21:17:24 2006
Subject: Messages w/o text not being marked clean.
In-Reply-To: <20030305145223.26a22937.cselivanow@qwicnet.com>
References: <20030305122427.3a616114.cselivanow@qwicnet.com> <5.2.0.9.2.20030305181008.021dddd8@imap.ecs.soton.ac.uk> <20030305145223.26a22937.cselivanow@qwicnet.com>
Message-ID: <20030305153830.423e6070.cselivanow@qwicnet.com>

It actually looks like Eudora is complaining that "MIME-Version: 1.0" isn't in the main headers. If I manually edit the spool file and insert it before the user POPs the mail it works fine. Is there a way to have mailscanner check for a "MIME-Version" header and insert it if it doesn't exist and if a uuencoded file was converted?

-Chris

On Wed, 5 Mar 2003 14:52:23 -0500
Chris Selivanow wrote:

CS> Julian-
CS>
CS> Thanks for the response. I had previously posted a question regarding Outlook
CS> and attachments. I think that I have solved my issue with that and it seems
CS> to be related to this issue and how mailscanner handles uuencoded messages.
CS>
CS> Here is the situation: I have a client where some people are using outlook 97
CS> and some people are using Eudora 5. Before the mailscanner (3.27) install there
CS> were no problems. After the mailscanner install those who were using Eudora
CS> were having issues with attachments sent via outlook. Basically the multipart
CS> message content was all being displayed in the message body.
CS>
CS> The reason follows:
CS>
CS> Mailscanner converts a uuencoded message, which only has one part, i.e. lacking
CS> a "Content-type" header, and converts it into a base64 encoded multipart
CS> message. This is all fine and well. However, mailscanner also adds the text:
CS>
CS> The following is a multipart MIME message which was extracted
CS> from a uuencoded message.
CS>
CS> Mailscanner does not however add a boundary line like:
CS>
CS> ------------=_1046891750-551-2
CS>
CS> before the previous message.
This causes Eudora to believe one of two things CS> (as far a I can tell) CS> CS> 1) That the message really isn't a multipart message CS> 2) That it has another part that is missing (ie: the attachment) CS> CS> I'm not really sure of the innerworkings of mailscanner but this seems to CS> be what happens. Is there a way to resolve this? Besides having my CS> client tell their senders to reconfigure thier outlook? CS> CS> -Chris CS> CS> On Wed, 5 Mar 2003 18:11:57 +0000 CS> Julian Field wrote: CS> CS> JF> At 17:24 05/03/2003, you wrote: CS> JF> >Hi all- CS> JF> > CS> JF> >I noticed that if I send an email with an attachment but no text in the body CS> JF> >of the email that the mailscanner will scan the message but not append the CS> JF> >clean message signature. Of course if there is at least one character in the CS> JF> >body then the signature is appended. Is there any way to get the signature CS> JF> >appended every time? CS> JF> CS> JF> It appends the signature to the first html and/or text segment of the CS> JF> message. If there's no body at all, there's nowhere to put the signature. CS> JF> CS> JF> I'll take a look at the possibility of creating a body if needed. CS> JF> -- CS> JF> Julian Field CS> JF> www.MailScanner.info CS> JF> Professional Support Services at www.MailScanner.biz CS> JF> MailScanner thanks transtec Computers for their support CS> CS> CS> -- CS> Chris Selivanow 585 582-1600 CS> Lead Technician 585 624-3465 (fax) CS> QwicNet, Inc. http://www.qwicnet.com -- Chris Selivanow 585 582-1600 Lead Technician 585 624-3465 (fax) QwicNet, Inc. http://www.qwicnet.com From iradu at UNITBV.RO Wed Mar 5 20:50:06 2003 
From: iradu at UNITBV.RO (Radu IONESCU)
Date: Thu Jan 12 21:17:24 2006
Subject: Sendmail before MailScanner
In-Reply-To: <1046893535.3e6653df23561@webmail3.fundp.ac.be>
Message-ID:

Yet, this is my problem too. I wish MailScanner would be able to handle. Our gateway accepts daily thousands of messages, just to receive in turn a 550 user unknown from the internal mail hubs. These messages are generated in our case by SPAM, pretending to be generated by our university domain...

The best would be to reject the message before it enters the queue, but this is a Sendmail problem I can hardly handle (LDAP routing?).

However, a rule something like this would help a lot:

    drop all messages containing in the body a line with
    "Received: from ...unitbv.ro" and not "(193.254.23"

would stop the chain reaction for each of these messages (thousands of postmaster notify, returned message, etc. in the root mailbox).

Can this be put in sendmail "access" db? Or in SpamAssassin's?

Thank you,

Radu IONESCU
Sys Mgr, Univ TRANSILVANIA Brasov

> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > Behalf Of Didier Belhomme > Sent: 5 martie 2003 21:46 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Sendmail before MailScanner > > > Selon Daron : > > > I have notice that MailScanner ignores Sendmail rules before > scanning. The > > problem is tons of non-existant users receiving mail gets scanned and > > processed even though in sendmail aliases file they are set to > /dev/nul . > > I hope this is /dev/null... > > That's a common mistake to think that Sendmail, as Mail Transfert > Agent, is > responsible for delivering the message. That's wrong : alias > expansion is the > responsability of the Mail Delivery Agent, which is another program > like "deliver" or "procmail". Thus, I dont't think that the > Sendmail process > that is located *before* MailScanner should be modified in a way > to support > alias expansion. What is correct would be to use the "access" database in > Sendmail in order to reject mail if matching a rule. > > > Is there a place in the config to adjust this? > > > -- > Didier Belhomme > FUNDP - SIU > Unix Systems Manager > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > Mailscanner thanks transtec Computers for their support. > From raymond at PROLOCATION.NET Wed Mar 5 20:58:39 2003 
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:17:24 2006
Subject: Sendmail before MailScanner
In-Reply-To:
Message-ID:

Hi!

> Yet, this is my problem too. I wish MailScanner would be able to handle. Our
> gateway accepts daily thousands of messages, just to receive in turn a 550
> user unknown from the internal mail hubs. These messages are generated in our
> case by SPAM, pretending to be generated by our university domain...
>
> The best would be to reject the message before it enters the queue, but this is
> a Sendmail problem I can hardly handle (LDAP routing?).
> However, a rule something like this would help a lot:
> drop all messages containing in the body a line with
> "Received: from ...unitbv.ro" and not "(193.254.23"
> would stop the chain reaction for each of these messages (thousands of
> postmaster notify, returned message, etc. in the root mailbox).
> Can this be put in sendmail "access" db? Or in SpamAssassin's?
> Thank you,

If you like to do that, use ldap for example and let your relays be aware of the users that DO exist. It's a mailer problem, and you can configure that. Not mailscanner.

Bye,
Raymond.

From craig at STRONG-BOX.NET Wed Mar 5 21:07:49 2003
From: craig at STRONG-BOX.NET (Craig Pratt) Date: Thu Jan 12 21:17:24 2006 Subject: Messages w/o text not being marked clean. In-Reply-To: <20030305153830.423e6070.cselivanow@qwicnet.com> Message-ID: <859F8297-4F4E-11D7-882D-000393B9390A@strong-box.net> Actually, would having it on all messages really be a problem? That would certainly simplify things. Couldn't a procmail recipe that says to just add this header if not present? Craig On Wednesday, March 5, 2003, at 12:38 PM, Chris Selivanow wrote: > It actually looks like Eudora is complaining that "MIME-Version: 1.0" > isn't in the main headers. If I manually edit the spool file and > insert > it before the usesr POPs the mail it works fine. Is there a way to > have > mailscanner check for a "MIME-Version" header and insert it if it > doesn't > exist and if a uuencoded file was converted? > > -Chris > > On Wed, 5 Mar 2003 14:52:23 -0500 > Chris Selivanow wrote: > > CS> Julian- > CS> > CS> Thanks for the responce. I had previously posted a question > regarding Outlook > CS> and attachments. I think that I have solved my issue with that > and it seems > CS> to be related to this issue and how mailscanner handles uuencoded > messages. > CS> > CS> Here is the situation: I have a client where some people are > using outlook 97 > CS> and some people are using Eudora 5. Before the mailscanner > (3.27)install there > CS> were no problems. After the mailscanner install those who were > using Eudora > CS> were having issues with attachments sent via outlook. Basically > the multipart > CS> message content was all being displayed in the message body. > CS> > CS> The reason follows: > CS> > CS> Mailscanner converts a uuencoded message, which only has one part > ie: lacking > CS> a "Content-type" header, and converts it into a base64 encoded > multipart > CS> message. This is all fine and well. 
However, mailscanner also > adds the text: > CS> > CS> The following is a multipart MIME message which was extracted > CS> from a uuencoded message. > CS> > CS> Mailscanner does not however add a boundery line like: > CS> > CS> ------------=_1046891750-551-2 > CS> > CS> before the previous message. This causes Eudora to believe one of > two things > CS> (as far a I can tell) > CS> > CS> 1) That the message really isn't a multipart message > CS> 2) That it has another part that is missing (ie: the attachment) > CS> > CS> I'm not really sure of the innerworkings of mailscanner but this > seems to > CS> be what happens. Is there a way to resolve this? Besides having > my > CS> client tell their senders to reconfigure thier outlook? > CS> > CS> -Chris > CS> > CS> On Wed, 5 Mar 2003 18:11:57 +0000 > CS> Julian Field wrote: > CS> > CS> JF> At 17:24 05/03/2003, you wrote: > CS> JF> >Hi all- > CS> JF> > > CS> JF> >I noticed that if I send an email with an attachment but no > text in the body > CS> JF> >of the email that the mailscanner will scan the message but > not append the > CS> JF> >clean message signature. Of course if there is at least one > character in the > CS> JF> >body then the signature is appended. Is there any way to get > the signature > CS> JF> >appended every time? > CS> JF> > CS> JF> It appends the signature to the first html and/or text segment > of the > CS> JF> message. If there's no body at all, there's nowhere to put the > signature. > CS> JF> > CS> JF> I'll take a look at the possibility of creating a body if > needed. > CS> JF> -- > CS> JF> Julian Field > CS> JF> www.MailScanner.info > CS> JF> Professional Support Services at www.MailScanner.biz > CS> JF> MailScanner thanks transtec Computers for their support > CS> > CS> > CS> -- > CS> Chris Selivanow 585 582-1600 > CS> Lead Technician 585 624-3465 (fax) > CS> QwicNet, Inc. http://www.qwicnet.com > > > -- > Chris Selivanow 585 582-1600 > Lead Technician 585 624-3465 (fax) > QwicNet, Inc. 
http://www.qwicnet.com > > -- > This message checked for dangerous content by MailScanner on StrongBox. > -- This message checked for dangerous content by MailScanner on StrongBox. From cselivanow at QWICNET.COM Wed Mar 5 21:27:40 2003 
From: cselivanow at QWICNET.COM (Chris Selivanow) Date: Thu Jan 12 21:17:24 2006 Subject: Messages w/o text not being marked clean. In-Reply-To: <859F8297-4F4E-11D7-882D-000393B9390A@strong-box.net> References: <20030305153830.423e6070.cselivanow@qwicnet.com> <859F8297-4F4E-11D7-882D-000393B9390A@strong-box.net> Message-ID: <20030305162740.45501db6.cselivanow@qwicnet.com> On Wed, 5 Mar 2003 13:07:49 -0800 Craig Pratt wrote: CP> Actually, would having it on all messages really be a problem? CP> CP> That would certainly simplify things. Couldn't a procmail recipe that CP> says to just add this header if not present? Actually I could do that however, I think that mailscanner should be adding it because it appears that it actually causes the problem after it converts a uuencoded message to a MIME multipart message. It should be adding the MIME-Version header to the email it modifies. -Chris CP> CP> Craig CP> CP> On Wednesday, March 5, 2003, at 12:38 PM, Chris Selivanow wrote: CP> > It actually looks like Eudora is complaining that "MIME-Version: 1.0" CP> > isn't in the main headers. If I manually edit the spool file and CP> > insert CP> > it before the usesr POPs the mail it works fine. Is there a way to CP> > have CP> > mailscanner check for a "MIME-Version" header and insert it if it CP> > doesn't CP> > exist and if a uuencoded file was converted? CP> > CP> > -Chris CP> > CP> > On Wed, 5 Mar 2003 14:52:23 -0500 CP> > Chris Selivanow wrote: CP> > CP> > CS> Julian- CP> > CS> CP> > CS> Thanks for the responce. I had previously posted a question CP> > regarding Outlook CP> > CS> and attachments. I think that I have solved my issue with that CP> > and it seems CP> > CS> to be related to this issue and how mailscanner handles uuencoded CP> > messages. CP> > CS> CP> > CS> Here is the situation: I have a client where some people are CP> > using outlook 97 CP> > CS> and some people are using Eudora 5. 
Before the mailscanner CP> > (3.27)install there CP> > CS> were no problems. After the mailscanner install those who were CP> > using Eudora CP> > CS> were having issues with attachments sent via outlook. Basically CP> > the multipart CP> > CS> message content was all being displayed in the message body. CP> > CS> CP> > CS> The reason follows: CP> > CS> CP> > CS> Mailscanner converts a uuencoded message, which only has one part CP> > ie: lacking CP> > CS> a "Content-type" header, and converts it into a base64 encoded CP> > multipart CP> > CS> message. This is all fine and well. However, mailscanner also CP> > adds the text: CP> > CS> CP> > CS> The following is a multipart MIME message which was extracted CP> > CS> from a uuencoded message. CP> > CS> CP> > CS> Mailscanner does not however add a boundery line like: CP> > CS> CP> > CS> ------------=_1046891750-551-2 CP> > CS> CP> > CS> before the previous message. This causes Eudora to believe one of CP> > two things CP> > CS> (as far a I can tell) CP> > CS> CP> > CS> 1) That the message really isn't a multipart message CP> > CS> 2) That it has another part that is missing (ie: the attachment) CP> > CS> CP> > CS> I'm not really sure of the innerworkings of mailscanner but this CP> > seems to CP> > CS> be what happens. Is there a way to resolve this? Besides having CP> > my CP> > CS> client tell their senders to reconfigure thier outlook? CP> > CS> CP> > CS> -Chris CP> > CS> CP> > CS> On Wed, 5 Mar 2003 18:11:57 +0000 CP> > CS> Julian Field wrote: CP> > CS> CP> > CS> JF> At 17:24 05/03/2003, you wrote: CP> > CS> JF> >Hi all- CP> > CS> JF> > CP> > CS> JF> >I noticed that if I send an email with an attachment but no CP> > text in the body CP> > CS> JF> >of the email that the mailscanner will scan the message but CP> > not append the CP> > CS> JF> >clean message signature. Of course if there is at least one CP> > character in the CP> > CS> JF> >body then the signature is appended. 
Is there any way to get CP> > the signature CP> > CS> JF> >appended every time? CP> > CS> JF> CP> > CS> JF> It appends the signature to the first html and/or text segment CP> > of the CP> > CS> JF> message. If there's no body at all, there's nowhere to put the CP> > signature. CP> > CS> JF> CP> > CS> JF> I'll take a look at the possibility of creating a body if CP> > needed. CP> > CS> JF> -- CP> > CS> JF> Julian Field CP> > CS> JF> www.MailScanner.info CP> > CS> JF> Professional Support Services at www.MailScanner.biz CP> > CS> JF> MailScanner thanks transtec Computers for their support CP> > CS> CP> > CS> CP> > CS> -- CP> > CS> Chris Selivanow 585 582-1600 CP> > CS> Lead Technician 585 624-3465 (fax) CP> > CS> QwicNet, Inc. http://www.qwicnet.com CP> > CP> > CP> > -- CP> > Chris Selivanow 585 582-1600 CP> > Lead Technician 585 624-3465 (fax) CP> > QwicNet, Inc. http://www.qwicnet.com CP> > CP> > -- CP> > This message checked for dangerous content by MailScanner on StrongBox. CP> > CP> CP> CP> -- CP> This message checked for dangerous content by MailScanner on StrongBox. -- Chris Selivanow 585 582-1600 Lead Technician 585 624-3465 (fax) QwicNet, Inc. http://www.qwicnet.com From mailscanner at ecs.soton.ac.uk Wed Mar 5 21:16:09 2003 
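The check asked for in this thread, as an added example that is not part of the original messages and is not MailScanner's code: add "MIME-Version: 1.0" only when the headers declare a multipart Content-Type, the body really contains that boundary delimiter, and the header is missing. The function names are hypothetical and the sample messages are constructed; only the boundary string is taken from Chris's message.

```python
import re
from email.parser import BytesHeaderParser


def split_message(raw):
    """Split raw bytes into (header block, blank-line separator, body)."""
    m = re.search(rb"\r?\n\r?\n", raw)
    if m is None:
        return raw, b"", b""
    return raw[:m.start()], raw[m.start():m.end()], raw[m.end():]


def header_value(raw, name):
    """Return the first value of header `name`, or None if it is absent."""
    headers, _, _ = split_message(raw)
    return BytesHeaderParser().parsebytes(headers)[name]


def needs_mime_version(raw):
    """True only for a message that is structurally multipart MIME but has
    no MIME-Version header. Plain RFC 822 mail is never selected, so the
    header is not stamped onto messages that make no MIME claim."""
    headers, _, body = split_message(raw)
    msg = BytesHeaderParser().parsebytes(headers)
    if msg["MIME-Version"] is not None:
        return False
    if msg.get_content_maintype() != "multipart":
        return False          # no Content-Type defaults to text/plain
    boundary = msg.get_boundary()
    if not boundary:
        return False
    delimiter = b"--" + boundary.encode("ascii", "replace")
    # Require a real delimiter line in the body, not just the declaration.
    return any(line.rstrip() == delimiter for line in body.splitlines())


def ensure_mime_version(raw):
    """Return raw with MIME-Version appended to the header block when
    needed. The body bytes and the existing headers are left untouched."""
    if not needs_mime_version(raw):
        return raw
    headers, sep, body = split_message(raw)
    eol = b"\r\n" if sep.startswith(b"\r\n") else b"\n"
    return headers + eol + b"MIME-Version: 1.0" + sep + body


# --- constructed sample messages -------------------------------------
DELIM = b"------------=_1046891750-551-2"   # delimiter line quoted in the thread
BOUNDARY = DELIM[2:]                        # boundary parameter = delimiter minus "--"

# Shape of a converted message: multipart body, no MIME-Version header.
CONVERTED = b"\n".join([
    b"From: sender@example.com",
    b"To: rcpt@example.com",
    b"Subject: report",
    b'Content-Type: multipart/mixed; boundary="' + BOUNDARY + b'"',
    b"",
    b"The following is a multipart MIME message which was extracted",
    b"from a uuencoded message.",
    b"",
    DELIM,
    b"Content-Type: text/plain",
    b"",
    b"See attachment.",
    DELIM,
    b'Content-Type: application/octet-stream; name="report.txt"',
    b"Content-Transfer-Encoding: base64",
    b"",
    b"aGVsbG8=",
    DELIM + b"--",
    b"",
])

# Plain RFC 822 message with an inline uuencoded body: must stay as it is.
PLAIN_UUENCODED = (b"From: sender@example.com\nSubject: report\n\n"
                   b"begin 644 report.txt\n%:&5L;&\\`\n`\nend\n")

# Declares multipart but the body has no delimiter: must stay as it is.
DECLARED_ONLY = (b"From: sender@example.com\n"
                 b'Content-Type: multipart/mixed; boundary="x"\n\n'
                 b"no delimiter here\n")

if __name__ == "__main__":
    print(ensure_mime_version(CONVERTED).decode("ascii"))
```

Working on the raw header block rather than re-serialising the parsed message keeps the body byte-for-byte identical, which matters for a filter sitting in the delivery path.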
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:24 2006 Subject: Blacklist and high scoring spam In-Reply-To: <20030305185146.M16147@dillonst.com> Message-ID: <5.2.0.9.2.20030305211451.027c3f50@imap.ecs.soton.ac.uk> At 18:53 05/03/2003, you wrote: >I have setup several spam senders on the blacklist but it only marks it with >the low level subject stamp and delivers it. Is there a way for the >blacklist to score as a high score and follow those rules instead? I have plans for a future feature consisting of a score for the RBL Spam Lists defined in MailScanner.conf. If I was implementing it now I probably wouldn't have bothered with my own "Spam Lists" at all, and just left SpamAssassin to do it all. But then you wouldn't be able to easily do per-domain spam white/black lists. -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support From cselivanow at QWICNET.COM Wed Mar 5 21:37:05 2003 
From: cselivanow at QWICNET.COM (Chris Selivanow)
Date: Thu Jan 12 21:17:24 2006
Subject: Messages w/o text not being marked clean.
In-Reply-To: <20030305162740.45501db6.cselivanow@qwicnet.com>
References: <20030305153830.423e6070.cselivanow@qwicnet.com> <859F8297-4F4E-11D7-882D-000393B9390A@strong-box.net> <20030305162740.45501db6.cselivanow@qwicnet.com>
Message-ID: <20030305163705.32555426.cselivanow@qwicnet.com>

I must be completely losing it today... and didn't get the point of your message. It would be a problem to just add the header to all mail messages because it violates RFC1521 which states that if such a header exists then the message is guaranteed to be MIME compliant. Likewise, if an otherwise MIME compliant message doesn't have this header then it also violates the RFC and is therefore uncompliant.

http://www.ietf.org/rfc/rfc1521.txt (section 3)

(which is why I believe Eudora chokes on the emails)

-Chris

On Wed, 5 Mar 2003 16:27:40 -0500
Chris Selivanow wrote:

CS> On Wed, 5 Mar 2003 13:07:49 -0800
CS> Craig Pratt wrote:
CS>
CS> CP> Actually, would having it on all messages really be a problem?
CS> CP>
CS> CP> That would certainly simplify things. Couldn't a procmail recipe that
CS> CP> says to just add this header if not present?
CS>
CS> Actually I could do that however, I think that mailscanner should be adding
CS> it because it appears that it actually causes the problem after it
CS> converts a uuencoded message to a MIME multipart message. It should be
CS> adding the MIME-Version header to the email it modifies.
CS>
CS> -Chris
CS>
CS> CP>
CS> CP> Craig
CS> CP>
CS> CP> On Wednesday, March 5, 2003, at 12:38 PM, Chris Selivanow wrote:
CS> CP> > It actually looks like Eudora is complaining that "MIME-Version: 1.0"
CS> CP> > isn't in the main headers. If I manually edit the spool file and
CS> CP> > insert
CS> CP> > it before the user POPs the mail it works fine.
Is there a way to CS> CP> > have CS> CP> > mailscanner check for a "MIME-Version" header and insert it if it CS> CP> > doesn't CS> CP> > exist and if a uuencoded file was converted? CS> CP> > CS> CP> > -Chris CS> CP> > CS> CP> > On Wed, 5 Mar 2003 14:52:23 -0500 CS> CP> > Chris Selivanow wrote: CS> CP> > CS> CP> > CS> Julian- CS> CP> > CS> CS> CP> > CS> Thanks for the responce. I had previously posted a question CS> CP> > regarding Outlook CS> CP> > CS> and attachments. I think that I have solved my issue with that CS> CP> > and it seems CS> CP> > CS> to be related to this issue and how mailscanner handles uuencoded CS> CP> > messages. CS> CP> > CS> CS> CP> > CS> Here is the situation: I have a client where some people are CS> CP> > using outlook 97 CS> CP> > CS> and some people are using Eudora 5. Before the mailscanner CS> CP> > (3.27)install there CS> CP> > CS> were no problems. After the mailscanner install those who were CS> CP> > using Eudora CS> CP> > CS> were having issues with attachments sent via outlook. Basically CS> CP> > the multipart CS> CP> > CS> message content was all being displayed in the message body. CS> CP> > CS> CS> CP> > CS> The reason follows: CS> CP> > CS> CS> CP> > CS> Mailscanner converts a uuencoded message, which only has one part CS> CP> > ie: lacking CS> CP> > CS> a "Content-type" header, and converts it into a base64 encoded CS> CP> > multipart CS> CP> > CS> message. This is all fine and well. However, mailscanner also CS> CP> > adds the text: CS> CP> > CS> CS> CP> > CS> The following is a multipart MIME message which was extracted CS> CP> > CS> from a uuencoded message. CS> CP> > CS> CS> CP> > CS> Mailscanner does not however add a boundery line like: CS> CP> > CS> CS> CP> > CS> ------------=_1046891750-551-2 CS> CP> > CS> CS> CP> > CS> before the previous message. 
This causes Eudora to believe one of CS> CP> > two things CS> CP> > CS> (as far a I can tell) CS> CP> > CS> CS> CP> > CS> 1) That the message really isn't a multipart message CS> CP> > CS> 2) That it has another part that is missing (ie: the attachment) CS> CP> > CS> CS> CP> > CS> I'm not really sure of the innerworkings of mailscanner but this CS> CP> > seems to CS> CP> > CS> be what happens. Is there a way to resolve this? Besides having CS> CP> > my CS> CP> > CS> client tell their senders to reconfigure thier outlook? CS> CP> > CS> CS> CP> > CS> -Chris CS> CP> > CS> CS> CP> > CS> On Wed, 5 Mar 2003 18:11:57 +0000 CS> CP> > CS> Julian Field wrote: CS> CP> > CS> CS> CP> > CS> JF> At 17:24 05/03/2003, you wrote: CS> CP> > CS> JF> >Hi all- CS> CP> > CS> JF> > CS> CP> > CS> JF> >I noticed that if I send an email with an attachment but no CS> CP> > text in the body CS> CP> > CS> JF> >of the email that the mailscanner will scan the message but CS> CP> > not append the CS> CP> > CS> JF> >clean message signature. Of course if there is at least one CS> CP> > character in the CS> CP> > CS> JF> >body then the signature is appended. Is there any way to get CS> CP> > the signature CS> CP> > CS> JF> >appended every time? CS> CP> > CS> JF> CS> CP> > CS> JF> It appends the signature to the first html and/or text segment CS> CP> > of the CS> CP> > CS> JF> message. If there's no body at all, there's nowhere to put the CS> CP> > signature. CS> CP> > CS> JF> CS> CP> > CS> JF> I'll take a look at the possibility of creating a body if CS> CP> > needed. CS> CP> > CS> JF> -- CS> CP> > CS> JF> Julian Field CS> CP> > CS> JF> www.MailScanner.info CS> CP> > CS> JF> Professional Support Services at www.MailScanner.biz CS> CP> > CS> JF> MailScanner thanks transtec Computers for their support CS> CP> > CS> CS> CP> > CS> CS> CP> > CS> -- CS> CP> > CS> Chris Selivanow 585 582-1600 CS> CP> > CS> Lead Technician 585 624-3465 (fax) CS> CP> > CS> QwicNet, Inc. 
http://www.qwicnet.com CS> CP> > CS> CP> > CS> CP> > -- CS> CP> > Chris Selivanow 585 582-1600 CS> CP> > Lead Technician 585 624-3465 (fax) CS> CP> > QwicNet, Inc. http://www.qwicnet.com CS> CP> > CS> CP> > -- CS> CP> > This message checked for dangerous content by MailScanner on StrongBox. CS> CP> > CS> CP> CS> CP> CS> CP> -- CS> CP> This message checked for dangerous content by MailScanner on StrongBox. CS> CS> CS> -- CS> Chris Selivanow 585 582-1600 CS> Lead Technician 585 624-3465 (fax) CS> QwicNet, Inc. http://www.qwicnet.com -- Chris Selivanow 585 582-1600 Lead Technician 585 624-3465 (fax) QwicNet, Inc. http://www.qwicnet.com From smohan at vsnl.com Thu Mar 6 01:25:23 2003 From: smohan at vsnl.com (S Mohan) Date: Thu Jan 12 21:17:24 2006 Subject: Sendmail before MailScanner In-Reply-To: Message-ID: <002601c2e37f$4492d360$2e6041db@18yamuna> Use access. The order of the rules matter. Put the deny or reject from IP before domain. I do not think combinations would work. Mohan -----Original Message----- 
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Raymond Dijkxhoorn Sent: Thursday, March 06, 2003 2:29 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Sendmail before MailScanner Hi! > Yet, this is my problem too. I wish MailScanner would be able to > handle. Our gateway accepts daily thousands of messages, just to > receive in turn a 550 user unknown from the internal mail hubs. This > messages are generated in our case by SPAM, pretending to be generated > by our university domain... > > The best would be to reject the message before enters the queue, but > this is a Sendmail problem I can hardly handle (LDAP routing?). > However, a rule something like this would help a lot: drop all > messages containing in the body a line with > "Received: from ...unitbv.ro" and not "(193.254.23" > would stop the chain reaction for each of this messages (thousands of > postmaster notify, returned message, etc. in the root mailbox). Can > this be put in sendmail "acces" db? Or in SpamAssassin's? Thank you, If you like do do that, use ldap for example and let your relays be away of the users that DO exsist. Its a mailer problem, and you can configure that. Not mailscanner. Bye, Raymond. From craig at STRONG-BOX.NET Thu Mar 6 03:22:09 2003 
From: craig at STRONG-BOX.NET (Craig Pratt)
Date: Thu Jan 12 21:17:24 2006
Subject: Messages w/o text not being marked clean.
In-Reply-To: <20030305163705.32555426.cselivanow@qwicnet.com>
Message-ID:

No - I think you had a good point. If MS (or one of the underlying Perl modules, more likely) is doing this conversion - basically turning RFC822 messages into semi-MIME-compliant messages - it should make them fully-MIME-compliant.

However, I do think that addition of the header is still an acceptable work-around. If it's the only thing missing on the semi-MIME-compliant MS-generated messages, those will be OK. And for the non-MIME messages (RFC822, I presume?), there's some interesting verbiage in section 4 of the MIME standard (thanks for the link BTW - very interesting reading):

    Default RFC 822 messages are typed by this protocol as plain text in
    the US-ASCII character set, which can be explicitly specified as
    "Content-type: text/plain; charset=us-ascii". If no Content-Type is
    specified, this default is assumed. In the presence of a MIME-Version
    header field, a receiving User Agent can also assume that plain
    US-ASCII text was the sender's intent. In the absence of a
    MIME-Version specification, plain US-ASCII text must still be
    assumed, but the sender's intent might have been otherwise.

I dunno - still could be missing something here. But I think - again along the lines of solving your immediate problem - writing a procmail recipe to add the header iff there is a Multipart header and there isn't a Version header is also doable. Sorry that I can't write it off the top of my head, though...

Craig
craig@strong-box.net

On Wednesday, March 5, 2003, at 01:37 PM, Chris Selivanow wrote:

> I must be completely losing it today... and didn't get the
> point of your message. It would be a problem to just add
> the header to all mail messages because it violates
> RFC1521 which states that if such a header exists then the
> message is guaranteed to be MIME compliant.
Likewise, if
> an otherwise MIME compliant message doesn't have this header
> then it also violates the RFC and is therefore uncompliant.
>
> http://www.ietf.org/rfc/rfc1521.txt (section 3)
>
> (which is why I believe Eudora chokes on the emails)
>
> -Chris
>
> On Wed, 5 Mar 2003 16:27:40 -0500
> Chris Selivanow wrote:
>
> CS> On Wed, 5 Mar 2003 13:07:49 -0800
> CS> Craig Pratt wrote:
> CS>
> CS> CP> Actually, would having it on all messages really be a problem?
> CS> CP>
> CS> CP> That would certainly simplify things. Couldn't a procmail recipe that
> CS> CP> says to just add this header if not present?
> CS>
> CS> Actually I could do that however, I think that mailscanner should be adding
> CS> it because it appears that it actually causes the problem after it
> CS> converts a uuencoded message to a MIME multipart message. It should be
> CS> adding the MIME-Version header to the email it modifies.
> CS>
> CS> -Chris
> CS>
> CS> CP>
> CS> CP> Craig
> CS> CP>
> CS> CP> On Wednesday, March 5, 2003, at 12:38 PM, Chris Selivanow wrote:
> CS> CP> > It actually looks like Eudora is complaining that "MIME-Version: 1.0"
> CS> CP> > isn't in the main headers. If I manually edit the spool file and
> CS> CP> > insert
> CS> CP> > it before the user POPs the mail it works fine. Is there a way to
> CS> CP> > have
> CS> CP> > mailscanner check for a "MIME-Version" header and insert it if it
> CS> CP> > doesn't
> CS> CP> > exist and if a uuencoded file was converted?
> CS> CP> >
> CS> CP> > -Chris
> CS> CP> >
> CS> CP> > On Wed, 5 Mar 2003 14:52:23 -0500
> CS> CP> > Chris Selivanow wrote:
> CS> CP> >
> CS> CP> > CS> Julian-
> CS> CP> > CS>
> CS> CP> > CS> Thanks for the response. I had previously posted a question regarding Outlook
> CS> CP> > CS> and attachments. I think that I have solved my issue with that and it seems
> CS> CP> > CS> to be related to this issue and how mailscanner handles uuencoded messages.
> CS> CP> > CS>
> CS> CP> > CS> Here is the situation: I have a client where some people are using outlook 97
> CS> CP> > CS> and some people are using Eudora 5. Before the mailscanner (3.27) install there
> CS> CP> > CS> were no problems. After the mailscanner install those who were using Eudora
> CS> CP> > CS> were having issues with attachments sent via outlook. Basically the multipart
> CS> CP> > CS> message content was all being displayed in the message body.
> CS> CP> > CS>
> CS> CP> > CS> The reason follows:
> CS> CP> > CS>
> CS> CP> > CS> Mailscanner converts a uuencoded message, which only has one part ie: lacking
> CS> CP> > CS> a "Content-type" header, and converts it into a base64 encoded multipart
> CS> CP> > CS> message. This is all fine and well. However, mailscanner also adds the text:
> CS> CP> > CS>
> CS> CP> > CS> The following is a multipart MIME message which was extracted
> CS> CP> > CS> from a uuencoded message.
> CS> CP> > CS>
> CS> CP> > CS> Mailscanner does not however add a boundary line like:
> CS> CP> > CS>
> CS> CP> > CS> ------------=_1046891750-551-2
> CS> CP> > CS>
> CS> CP> > CS> before the previous message. This causes Eudora to believe one of two things
> CS> CP> > CS> (as far as I can tell)
> CS> CP> > CS>
> CS> CP> > CS> 1) That the message really isn't a multipart message
> CS> CP> > CS> 2) That it has another part that is missing (ie: the attachment)
> CS> CP> > CS>
> CS> CP> > CS> I'm not really sure of the inner workings of mailscanner but this seems to
> CS> CP> > CS> be what happens. Is there a way to resolve this? Besides having my
> CS> CP> > CS> client tell their senders to reconfigure their outlook?
> CS> CP> > CS> > CS> CP> > CS> -Chris > CS> CP> > CS> > CS> CP> > CS> On Wed, 5 Mar 2003 18:11:57 +0000 > CS> CP> > CS> Julian Field wrote: > CS> CP> > CS> > CS> CP> > CS> JF> At 17:24 05/03/2003, you wrote: > CS> CP> > CS> JF> >Hi all- > CS> CP> > CS> JF> > > CS> CP> > CS> JF> >I noticed that if I send an email with an > attachment but no > CS> CP> > text in the body > CS> CP> > CS> JF> >of the email that the mailscanner will scan the > message but > CS> CP> > not append the > CS> CP> > CS> JF> >clean message signature. Of course if there is at > least one > CS> CP> > character in the > CS> CP> > CS> JF> >body then the signature is appended. Is there any > way to get > CS> CP> > the signature > CS> CP> > CS> JF> >appended every time? > CS> CP> > CS> JF> > CS> CP> > CS> JF> It appends the signature to the first html and/or > text segment > CS> CP> > of the > CS> CP> > CS> JF> message. If there's no body at all, there's nowhere > to put the > CS> CP> > signature. > CS> CP> > CS> JF> > CS> CP> > CS> JF> I'll take a look at the possibility of creating a > body if > CS> CP> > needed. > CS> CP> > CS> JF> -- > CS> CP> > CS> JF> Julian Field > CS> CP> > CS> JF> www.MailScanner.info > CS> CP> > CS> JF> Professional Support Services at www.MailScanner.biz > CS> CP> > CS> JF> MailScanner thanks transtec Computers for their > support > CS> CP> > CS> > CS> CP> > CS> > CS> CP> > CS> -- > CS> CP> > CS> Chris Selivanow 585 582-1600 > CS> CP> > CS> Lead Technician 585 624-3465 (fax) > CS> CP> > CS> QwicNet, Inc. http://www.qwicnet.com > CS> CP> > > CS> CP> > > CS> CP> > -- > CS> CP> > Chris Selivanow 585 582-1600 > CS> CP> > Lead Technician 585 624-3465 (fax) > CS> CP> > QwicNet, Inc. http://www.qwicnet.com > CS> CP> > > CS> CP> > -- > CS> CP> > This message checked for dangerous content by MailScanner on > StrongBox. > CS> CP> > > CS> CP> > CS> CP> > CS> CP> -- > CS> CP> This message checked for dangerous content by MailScanner on > StrongBox. 
> CS> > CS> > CS> -- > CS> Chris Selivanow 585 582-1600 > CS> Lead Technician 585 624-3465 (fax) > CS> QwicNet, Inc. http://www.qwicnet.com > > > -- > Chris Selivanow 585 582-1600 > Lead Technician 585 624-3465 (fax) > QwicNet, Inc. http://www.qwicnet.com > > -- > This message checked for dangerous content by MailScanner on StrongBox. > -- This message checked for dangerous content by MailScanner on StrongBox. From craig at STRONG-BOX.NET Thu Mar 6 03:28:45 2003 
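One way to implement the conditional fix Craig describes in the message above, as an added example (it is not MailScanner code and not from any poster in this thread): a Python filter that inserts `MIME-Version: 1.0` only when the headers declare a multipart Content-Type and carry no MIME-Version, so plain RFC 822 mail is never labelled as MIME. The sample messages and the `--filter` switch are constructed for the illustration.

```python
import re
import sys

HEADER_END = re.compile(rb"\r?\n\r?\n")  # blank line that ends the header block


def parse_header_fields(head: bytes) -> dict:
    """Unfold the header block; map lower-cased field names to lists of values."""
    fields, current = {}, None
    for line in head.split(b"\n"):
        line = line.rstrip(b"\r")
        if line[:1] in (b" ", b"\t") and current is not None:
            # Folded continuation line: it belongs to the previous field.
            fields[current][-1] += b" " + line.strip()
        elif b":" in line and not line.startswith(b"From "):
            name, _, value = line.partition(b":")
            current = name.strip().lower()
            fields.setdefault(current, []).append(value.strip())
        else:
            current = None  # mbox "From " separator or a malformed line
    return fields


def needs_mime_version(fields: dict) -> bool:
    """True only for a multipart Content-Type with no MIME-Version header."""
    ctypes = fields.get(b"content-type", [])
    is_multipart = any(v.strip().lower().startswith(b"multipart/") for v in ctypes)
    return is_multipart and b"mime-version" not in fields


def add_mime_version(raw: bytes) -> bytes:
    """Return the message with MIME-Version appended to the headers if required."""
    m = HEADER_END.search(raw)
    if m:
        head, rest = raw[:m.start()], raw[m.start():]
    else:  # header-only message, no body
        head = raw.rstrip(b"\r\n")
        rest = raw[len(head):]
    if not needs_mime_version(parse_header_fields(head)):
        return raw  # body text is never consulted, only the header block
    eol = b"\r\n" if b"\r\n" in head + rest[:2] else b"\n"
    return head + eol + b"MIME-Version: 1.0" + rest


# Constructed sample: a converted message with a folded multipart
# Content-Type and no MIME-Version, the case described in the thread.
CONVERTED = (
    b"From sender@example.org Wed Mar  5 14:52:23 2003\n"
    b"From: sender@example.org\n"
    b"Subject: report\n"
    b"Content-Type:\n"
    b"\tmultipart/mixed; boundary=\"=_constructed-1\"\n"
    b"\n"
    b"The following is a multipart MIME message which was extracted\n"
    b"from a uuencoded message.\n"
    b"\n"
    b"--=_constructed-1\n"
    b"Content-Type: text/plain\n"
    b"\n"
    b"hello\n"
    b"--=_constructed-1--\n"
)

# Constructed sample: plain RFC 822 mail whose body merely mentions the header.
PLAIN = (
    b"From: sender@example.org\n"
    b"Subject: plain text\n"
    b"\n"
    b"Content-Type: multipart/mixed is only mentioned in this body.\n"
)

# Constructed sample: already compliant (lower-case field name, CRLF endings).
COMPLIANT = (
    b"From: sender@example.org\r\n"
    b"mime-version: 1.0\r\n"
    b"Content-Type: multipart/mixed; boundary=\"=_constructed-2\"\r\n"
    b"\r\n"
    b"--=_constructed-2--\r\n"
)

if __name__ == "__main__":
    if sys.argv[1:] == ["--filter"]:
        # Pipe mode: message on stdin, possibly amended message on stdout.
        sys.stdout.buffer.write(add_mime_version(sys.stdin.buffer.read()))
    else:
        samples = (("converted", CONVERTED), ("plain", PLAIN), ("compliant", COMPLIANT))
        for name, msg in samples:
            changed = add_mime_version(msg) != msg
            print(name, "-> header added" if changed else "-> unchanged")
```

Run with `--filter` it works as a stdin-to-stdout filter in a delivery pipeline; without arguments it reports which of the three samples it would change.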
From: craig at STRONG-BOX.NET (Craig Pratt)
Date: Thu Jan 12 21:17:24 2006
Subject: Fwd: Hackers' code exploits Sendmail flaw
Message-ID:

In case you haven't been keeping up on the news, it looks like there are
already working exploits of the sendmail vulnerability announced Monday.
The one discussed below will basically open a remote terminal on the
attacked system - presumably as root.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

From http://zdnet.com.com/2100-1105-991041.html

Hackers' code exploits Sendmail flaw
By Robert Lemos
CNET News.com
March 5, 2003, 4:31 AM PT

A group of four Polish hackers published code to an open security
mailing list on Tuesday that can take advantage of a major vulnerability
in the Sendmail mail server.

The code, released less than a day after the Sendmail flaw's public
announcement, allows an attacker to remotely exploit a Red Hat or
Slackware Linux computer running a vulnerable version of the mail
server, the group--known as the Last Stage of Delirium--stated in the
analysis that accompanied the code. While the limited number of
platforms affected by the program seems to be good news, the group
warned that its quick analysis might have missed other ways of
exploiting the problem.

"We do not claim that our way of exploitation is the only one," one of
the group's members said in an e-mail with CNET News.com. "What we did
was to perform the series of experiments aimed at actual verification of
(the) vulnerability's impact. According to our results, this impact is
much less significant than it might seem."

The flaw in Sendmail--in one of the mail server's security functions
that parses mail headers--was found by network protection firm Internet
Security Systems and announced on Monday.
Companies shipping versions of Sendmail affected by the flaw--believed
to be more than 15 years old--include IBM, Hewlett-Packard, Apple
Computer, Sun Microsystems, Red Hat and other Linux vendors, according
to advisories posted Monday by the Sendmail Consortium open-source
project.

The LSD group's research questioned whether as many types of servers
running Sendmail are as vulnerable as previously thought. That's a moot
point, said Eric Allman, founder of the Sendmail Consortium and chief
technology officer for Sendmail Inc., a company that has created a
commercial version of Sendmail.

"I don't think anyone should be complacent," he said, stressing that
other ways to exploit the flaw may exist. "Just get the patch."

Allman wasn't sure how he felt about the security group publishing such
extensive details about exploiting the vulnerability so soon after it
was announced. For many years, security researchers and hackers have
argued whether releasing detailed information about how a software flaw
can be abused helps or hinders security.

The Sendmail founder had expected that code would be released soon, but
not within 24 hours. Moreover, the functional nature of the posted
code--the script returns a terminal prompt with which an attacker could
issue commands to the compromised host--was overkill, he said.

"I would have preferred that they would have done a proof of concept,"
Allman said. Proof-of-concept code only illustrates how to exploit a
vulnerability without actually doing anything overly useful.

The LSD group--whose four members claim to be graduates of the Poznan
University of Technology--say that releasing such code enhances the
community's overall security.

"We do believe that open and free information is the best for improving
security," the group said in its e-mail to CNET News.com. "In our
opinion, publishing the details is the only way to...determine the
impact. The lack of appropriate information on the issue can be...even
more damaging."
-- This message checked for dangerous content by MailScanner on StrongBox. From Jan-Peter.Koopmann at SECEIDOS.DE Thu Mar 6 08:21:18 2003 
From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann) Date: Thu Jan 12 21:17:24 2006 Subject: Something strange with MS and Exim Message-ID: <4E7026FF8A422749B1553FE508E0068007EE94@message.intern.akctech.de> Hi, please have a look at this log: Mar 6 09:13:13 proxy MailScanner[79130]: Enabling SpamAssassin auto-whitelist functionality... Mar 6 09:13:22 proxy MailScanner[79130]: Using locktype = posix Mar 6 09:13:22 proxy MailScanner[79130]: Creating hardcoded struct_flock subroutine for freebsd (BSD-type) Mar 6 09:13:22 proxy MailScanner[79130]: New Batch: Found 11 messages waiting Mar 6 09:13:22 proxy MailScanner[79130]: New Batch: Scanning 3 messages, 27539 bytes Mar 6 09:13:22 proxy MailScanner[79130]: Spam Checks: Starting Mar 6 09:13:33 proxy MailScanner[79178]: MailScanner E-Mail Virus Scanner version 4.13-3 starting... Mar 6 09:13:34 proxy MailScanner[79178]: Enabling SpamAssassin auto-whitelist functionality... Mar 6 09:13:39 proxy MailScanner[79178]: Using locktype = posix Mar 6 09:13:39 proxy MailScanner[79178]: Creating hardcoded struct_flock subroutine for freebsd (BSD-type) Mar 6 09:13:49 proxy MailScanner[79178]: New Batch: Found 15 messages waiting Mar 6 09:13:49 proxy MailScanner[79178]: New Batch: Scanning 1 messages, 1717 bytes Mar 6 09:13:49 proxy MailScanner[79178]: Spam Checks: Starting Mar 6 09:13:49 proxy MailScanner[79178]: Virus and Content Scanning: Starting Mar 6 09:13:51 proxy MailScanner[79178]: Uninfected: Delivered 1 messages Mar 6 09:13:51 proxy MailScanner[79130]: RBL Check spamcop.net timed out and was killed, consecutive failure 1 of 7 Mar 6 09:14:08 proxy MailScanner[79130]: Virus and Content Scanning: Starting Mar 6 09:14:11 proxy MailScanner[79130]: Uninfected: Delivered 3 messages Mar 6 09:14:11 proxy MailScanner[79130]: New Batch: Scanning 1 messages, 2041 bytes Mar 6 09:14:11 proxy MailScanner[79130]: Spam Checks: Starting Mar 6 09:14:11 proxy MailScanner[79266]: MailScanner E-Mail Virus Scanner version 4.13-3 
starting... Mar 6 09:14:15 proxy MailScanner[79130]: Virus and Content Scanning: Starting Mar 6 09:14:15 proxy MailScanner[79266]: Enabling SpamAssassin auto-whitelist functionality... Mar 6 09:14:18 proxy MailScanner[79130]: Uninfected: Delivered 1 messages Mar 6 09:14:20 proxy MailScanner[79266]: Using locktype = posix Mar 6 09:14:20 proxy MailScanner[79266]: Creating hardcoded struct_flock subroutine for freebsd (BSD-type) Mar 6 09:15:30 proxy MailScanner[79266]: New Batch: Scanning 1 messages, 1718 bytes Mar 6 09:15:30 proxy MailScanner[79266]: Spam Checks: Starting Mar 6 09:15:30 proxy MailScanner[79266]: Virus and Content Scanning: Starting Mar 6 09:15:32 proxy MailScanner[79266]: Uninfected: Delivered 1 messages Mar 6 09:15:38 proxy MailScanner[79130]: New Batch: Scanning 1 messages, 2042 bytes Mar 6 09:15:38 proxy MailScanner[79130]: Spam Checks: Starting Mar 6 09:15:40 proxy MailScanner[79130]: Virus and Content Scanning: Starting Mar 6 09:15:41 proxy MailScanner[79130]: Uninfected: Delivered 1 messages Mar 6 09:16:11 proxy MailScanner[79130]: New Batch: Scanning 7 messages, 42792 bytes Mar 6 09:16:11 proxy MailScanner[79130]: Spam Checks: Starting Mar 6 09:16:12 proxy MailScanner[79266]: New Batch: Found 9 messages waiting Mar 6 09:16:12 proxy MailScanner[79266]: New Batch: Scanning 2 messages, 10870 bytes Mar 6 09:16:12 proxy MailScanner[79266]: Spam Checks: Starting Mar 6 09:16:22 proxy MailScanner[79178]: New Batch: Found 43 messages waiting Mar 6 09:16:22 proxy MailScanner[79178]: New Batch: Scanning 10 messages, 52122 bytes Mar 6 09:16:22 proxy MailScanner[79178]: Spam Checks: Starting Mar 6 09:16:25 proxy MailScanner[79266]: Virus and Content Scanning: Starting Mar 6 09:16:30 proxy MailScanner[79266]: Uninfected: Delivered 2 messages Mar 6 09:16:30 proxy MailScanner[79266]: New Batch: Found 18 messages waiting Mar 6 09:16:30 proxy MailScanner[79266]: New Batch: Scanning 1 messages, 5456 bytes Mar 6 09:16:30 proxy MailScanner[79266]: Spam Checks: 
Starting Mar 6 09:16:36 proxy MailScanner[79266]: Virus and Content Scanning: Starting Mar 6 09:16:39 proxy MailScanner[79266]: Uninfected: Delivered 1 messages Mar 6 09:16:58 proxy MailScanner[79130]: Virus and Content Scanning: Starting Mar 6 09:17:02 proxy MailScanner[79130]: Uninfected: Delivered 7 messages There seems to be a bug in the "New Batch: Found xx messages waiting" routine. This keeps growing and growing even though there are not so many messages in the inbound queue. When it says Mar 6 09:16:30 proxy MailScanner[79266]: New Batch: Found 18 messages waiting Mar 6 09:16:30 proxy MailScanner[79266]: New Batch: Scanning 1 messages, 5456 bytes Mar 6 09:16:30 proxy MailScanner[79266]: Spam Checks: Starting Mar 6 09:16:36 proxy MailScanner[79266]: Virus and Content Scanning: Starting Mar 6 09:16:39 proxy MailScanner[79266]: Uninfected: Delivered 1 messages There is really only 1 message in the queue at this time. I never noticed this with sendmail, only with exim. Any explanations? All my messages seem to come through btw. so this probably is not a misconfiguration. Regards, JP PS: This is with 4.13-3, SA 2.50 and exim 4.12-6. From Jan-Peter.Koopmann at SECEIDOS.DE Thu Mar 6 08:24:50 2003 From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann) Date: Thu Jan 12 21:17:24 2006 Subject: OT: Read Receipt Request and this list Message-ID: <4E7026FF8A422749B1553FE508E0068007EE97@message.intern.akctech.de> Hi, damn I will probably always forget to turn this off when writing to this list. Is there no way for the list software to filter the read receipt request from incoming mails? Regards, JP From Jan-Peter.Koopmann at SECEIDOS.DE Thu Mar 6 08:36:13 2003 
From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann)
Date: Thu Jan 12 21:17:24 2006
Subject: SA and Bayes
Message-ID: <4E7026FF8A422749B1553FE508E0068007EE98@message.intern.akctech.de>

Hi,

somehow I get the impression that my SA/MS setup does not use bayes.
These are the relevant entries of my spam.assassin.prefs.conf file:

auto_whitelist_path /var/spool/spamassassin/auto-whitelist
auto_whitelist_file_mode 0666

bayes_path /var/spool/spamassassin/bayes
bayes_file_mode 0666

auto_learn 1

use_bayes 1

bayes_ignore_header X-MailScanner
bayes_ignore_header X-MailScanner-SpamCheck

This is what a check_bayes_db tells me:

0.000 0 0 0 non-token data: db format = on-the-fly probs, expiry, scan-counting
0.000 0 209 0 non-token data: nspam
0.000 0 2320 0 non-token data: nham
0.000 0 0 0 non-token data: ntokens
0.000 0 0 0 non-token data: oldest age
0.000 0 4505 0 non-token data: current scan-count
0.000 0 0 0 non-token data: last expiry scan-count

--- snipp ---

If I interpret this correctly I have 209 spam and 2320 nonspam messages
learned successfully. And as far as I can see both sa-learn and
auto_learn seem to work. BUT: I never saw a single mail (spam and
nospam) with a BAYES_ tag in the SpamAssassin score.

Any ideas?

Regards,
  JP

From mailscanner at ecs.soton.ac.uk Thu Mar 6 10:08:50 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:24 2006
Subject: Something strange with MS and Exim
In-Reply-To: <4E7026FF8A422749B1553FE508E0068007EE94@message.intern.akctech.de>
Message-ID: <5.2.0.9.2.20030306100553.0229f998@imap.ecs.soton.ac.uk>

At 08:21 06/03/2003, you wrote:
>Hi,
>
>There seems to be a bug in the "New Batch: Found xx messages waiting"
>routine. This keeps growing and growing even though there are not so
>many messages in the inbound queue. When it says

Indeed, when it is looking for a new batch, there's a counter that
doesn't get reset when it should. I happened to notice this myself
yesterday.

It's only cosmetic, the behaviour of the program is not affected at all,
just the counter number that is printed. It will be fixed in the next
release.

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Thu Mar 6 10:10:58 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:24 2006
Subject: SA and Bayes
In-Reply-To: <4E7026FF8A422749B1553FE508E0068007EE98@message.intern.akctech.de>
Message-ID: <5.2.0.9.2.20030306100952.022a6ea0@imap.ecs.soton.ac.uk>

At 08:36 06/03/2003, you wrote:
>Hi,
>
>somehow I get the impression that my SA/MS setup does not use bayes.
>These are the relevant entries of my spam.assassin.prefs.conf file:
>
>auto_whitelist_path /var/spool/spamassassin/auto-whitelist
>auto_whitelist_file_mode 0666
>
>bayes_path /var/spool/spamassassin/bayes
>bayes_file_mode 0666
>
>auto_learn 1
>
>use_bayes 1
>
>bayes_ignore_header X-MailScanner
>bayes_ignore_header X-MailScanner-SpamCheck
>
>
>This is what a check_bayes_db tells me:
>
>0.000 0 0 0 non-token data: db format = on-the-fly probs, expiry, scan-counting
>0.000 0 209 0 non-token data: nspam
>0.000 0 2320 0 non-token data: nham
>0.000 0 0 0 non-token data: ntokens
>0.000 0 0 0 non-token data: oldest age
>0.000 0 4505 0 non-token data: current scan-count
>0.000 0 0 0 non-token data: last expiry scan-count
>
>--- snipp ---
>
>If I interpret this correctly I have 209 spam and 2320 nonspam messages
>learned successfully. And as far as I can see both sa-learn and
>auto_learn seem to work. BUT: I never saw a single mail (spam and
>nospam) with a BAYES_ tag in the SpamAssassin score.

I have seen this too, there aren't any signs of it doing anything useful
with the bayes rules. I was hoping it was just another SA 2.50 bug which
will hopefully be fixed in SA 2.51.

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

From Jan-Peter.Koopmann at SECEIDOS.DE Thu Mar 6 10:52:24 2003
From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann) Date: Thu Jan 12 21:17:24 2006 Subject: SA and Bayes Message-ID: <4E7026FF8A422749B1553FE508E0068007EE9A@message.intern.akctech.de> Hi, > I have seen this too, there aren't any signs of it doing > anything useful with the bayes rules. I was hoping it was > just another SA 2.50 bug which will hopefully be fixed in SA 2.51. Ok. I will crosspost this in SATalk then. Maybe they know what's happening. Thanks, JP From brose at MED.WAYNE.EDU Thu Mar 6 14:03:30 2003 From: brose at MED.WAYNE.EDU (Rose, Bobby) Date: Thu Jan 12 21:17:24 2006 Subject: SA and Bayes Message-ID: What happens if you don't specify anything for bayes and go with the defaults? I think my setup is using bayes because the .spamassassin dir under root has bayes files that are updating. The only problem that I've been seeing with bayes is that it's not very good at cleanup. It leaves lock files there but I've been noticing more sa temp files being left behind in /tmp as well. -----Original Message----- 
From: Jan-Peter Koopmann [mailto:Jan-Peter.Koopmann@SECEIDOS.DE] Sent: Thursday, March 06, 2003 3:36 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: SA and Bayes Hi, somehow I get the impression that my SA/MS setup does not use bayes. These are the relevant entries of my spam.assassin.prefs.conf file: auto_whitelist_path /var/spool/spamassassin/auto-whitelist auto_whitelist_file_mode 0666 bayes_path /var/spool/spamassassin/bayes bayes_file_mode 0666 auto_learn 1 use_bayes 1 bayes_ignore_header X-MailScanner bayes_ignore_header X-MailScanner-SpamCheck This is what a check_bayes_db tells me: 0.000 0 0 0 non-token data: db format = on-the-fly probs, expiry, scan-counting 0.000 0 209 0 non-token data: nspam 0.000 0 2320 0 non-token data: nham 0.000 0 0 0 non-token data: ntokens 0.000 0 0 0 non-token data: oldest age 0.000 0 4505 0 non-token data: current scan-count 0.000 0 0 0 non-token data: last expiry scan-count --- snipp --- If I interpret this correctly I have 209 spam and 2320 nonspam messages learned successfully. And as far as I can see both sa-learn and auto_learn seem to work. BUT: I never saw a single mail (spam and nospam) with a BAYES_ tag in the SpamAssassin score. Any ideas? Regards, JP From mailscanner at ecs.soton.ac.uk Thu Mar 6 14:15:19 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:24 2006 Subject: SA and Bayes In-Reply-To: Message-ID: <5.2.0.9.2.20030306141400.0470db30@imap.ecs.soton.ac.uk> At 14:03 06/03/2003, you wrote: >What happens if you don't specify anything for bayes and go with the >defaults? I think my setup is using bayes because the .spamassassin dir >under root has bayes files that are updating. The only problem that >I've been seeing with bayes is that it's not very good at cleanup. It >leaves lock files there but I've been noticing more sa temp files being >left behind in /tmp as well. But have you actually seen "BAYES" in any of the spam reports? Switch "Log Spam = yes" and sit back and wait. I've yet to see this being used in anger, although the db files are indeed being updated. I'm currently trying to recreate a faulty system so I can test this. Just got to copy my 60,000 message test set onto the poor thing :-) >-----Original Message----- 
>From: Jan-Peter Koopmann [mailto:Jan-Peter.Koopmann@SECEIDOS.DE] >Sent: Thursday, March 06, 2003 3:36 AM >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: SA and Bayes > > >Hi, > >somehow I get the impression that my SA/MS setup does not use bayes. >These are the relevant entries of my spam.assassin.prefs.conf file: > >auto_whitelist_path /var/spool/spamassassin/auto-whitelist >auto_whitelist_file_mode 0666 > >bayes_path /var/spool/spamassassin/bayes >bayes_file_mode 0666 > >auto_learn 1 > >use_bayes 1 > >bayes_ignore_header X-MailScanner >bayes_ignore_header X-MailScanner-SpamCheck > > >This is what a check_bayes_db tells me: > >0.000 0 0 0 non-token data: db format = on-the-fly >probs, expiry, scan-counting >0.000 0 209 0 non-token data: nspam >0.000 0 2320 0 non-token data: nham >0.000 0 0 0 non-token data: ntokens >0.000 0 0 0 non-token data: oldest age >0.000 0 4505 0 non-token data: current scan-count >0.000 0 0 0 non-token data: last expiry scan-count > >--- snipp --- > >If I interpret this correctly I have 209 spam and 2320 nonspam messages >learned successfully. And as far as I can see both sa-learn and >auto_learn seem to work. BUT: I never saw a single mail (spam and >nospam) with a BAYES_ tag in the SpamAssassin score. > >Any ideas? > >Regards, > JP -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From brose at MED.WAYNE.EDU Thu Mar 6 14:52:48 2003 From: brose at MED.WAYNE.EDU (Rose, Bobby) Date: Thu Jan 12 21:17:24 2006 Subject: SA and Bayes Message-ID: Yes Bayes_60, Bayes_90, Bayes_80, etc. I counted about 554 instances in the current log. -----Original Message----- 
From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] Sent: Thursday, March 06, 2003 9:15 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: SA and Bayes At 14:03 06/03/2003, you wrote: >What happens if you don't specify anything for bayes and go with the >defaults? I think my setup is using bayes because the .spamassassin >dir under root has bayes files that are updating. The only problem >that I've been seeing with bayes is that it's not very good at cleanup. >It leaves lock files there but I've been noticing more sa temp files >being left behind in /tmp as well. But have you actually seen "BAYES" in any of the spam reports? Switch "Log Spam = yes" and sit back and wait. I've yet to see this being used in anger, although the db files are indeed being updated. I'm currently trying to recreate a faulty system so I can test this. Just got to copy my 60,000 message test set onto the poor thing :-) >-----Original Message----- 
>From: Jan-Peter Koopmann [mailto:Jan-Peter.Koopmann@SECEIDOS.DE] >Sent: Thursday, March 06, 2003 3:36 AM >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: SA and Bayes > > >Hi, > >somehow I get the impression that my SA/MS setup does not use bayes. >These are the relevant entries of my spam.assassin.prefs.conf file: > >auto_whitelist_path /var/spool/spamassassin/auto-whitelist >auto_whitelist_file_mode 0666 > >bayes_path /var/spool/spamassassin/bayes >bayes_file_mode 0666 > >auto_learn 1 > >use_bayes 1 > >bayes_ignore_header X-MailScanner >bayes_ignore_header X-MailScanner-SpamCheck > > >This is what a check_bayes_db tells me: > >0.000 0 0 0 non-token data: db format = on-the-fly >probs, expiry, scan-counting >0.000 0 209 0 non-token data: nspam >0.000 0 2320 0 non-token data: nham >0.000 0 0 0 non-token data: ntokens >0.000 0 0 0 non-token data: oldest age >0.000 0 4505 0 non-token data: current scan-count >0.000 0 0 0 non-token data: last expiry scan-count > >--- snipp --- > >If I interpret this correctly I have 209 spam and 2320 nonspam messages >learned successfully. And as far as I can see both sa-learn and >auto_learn seem to work. BUT: I never saw a single mail (spam and >nospam) with a BAYES_ tag in the SpamAssassin score. > >Any ideas? > >Regards, > JP -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From andersjk at SOL-INVICTUS.ORG Thu Mar 6 14:47:34 2003 
From: andersjk at SOL-INVICTUS.ORG (Kevin Anderson)
Date: Thu Jan 12 21:17:24 2006
Subject: Strange score
In-Reply-To:
Message-ID:

HI all!

I found a strange spam score:

X-MailScanner-SpamCheck: not spam, SpamAssassin (score=-88.2, required 6,
        ALL_NATURAL, AS_SEEN_ON, CLICK_BELOW, CLICK_HERE_LINK, HAIR_LOSS,
        HGH, LINES_OF_YELLING, MISSING_MIMEOLE, NO_QS_ASKED, NO_REAL_NAME,
        SPAM_PHRASE_08_13, SUBJ_HAS_UNIQ_ID, SUPERLONG_LINE, TRACKER_ID,
        USER_AGENT_OE, USER_IN_WHITELIST, X_MSMAIL_PRIORITY_HIGH,
        X_PRIORITY_HIGH)

has -88.2, auto whitelisting is off. Anything to be worried about?

thanks,
kevin

From john at OFIZ.COM Thu Mar 6 14:47:30 2003
From: john at OFIZ.COM (John Thewlis)
Date: Thu Jan 12 21:17:24 2006
Subject: MailScanner Error Message
In-Reply-To: <5.2.0.9.2.20030306141400.0470db30@imap.ecs.soton.ac.uk>
Message-ID:

Hi

We are seeing the following in the MailScanner log:-

Mar 6 14:44:47 ns sendmail[27402]: error: safesasl(/etc/sasldb) failed: Group readable file

Any idea what we need to do about it?

Thanks

John

From mike at CAMAROSS.NET Thu Mar 6 15:07:30 2003
From: mike at CAMAROSS.NET (Mike Kercher)
Date: Thu Jan 12 21:17:24 2006
Subject: MailScanner Error Message
In-Reply-To:
Message-ID: <011301c2e3f2$1c00cb00$b001a8c0@home.middlefinger.net>

The simplest answer is to do a 'chmod 600 /etc/sasldb' ... If you want
to see which users are in the file do a 'sasldblistusers' as root..

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of John Thewlis
Sent: Thursday, March 06, 2003 8:48 AM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: MailScanner Error Message

Hi

We are seeing the following in the MailScanner log:-

Mar 6 14:44:47 ns sendmail[27402]: error: safesasl(/etc/sasldb) failed: Group readable file

Any idea what we need to do about it?

Thanks

John

From mailscanner at ecs.soton.ac.uk Thu Mar 6 15:03:31 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:24 2006
Subject: MailScanner Error Message
In-Reply-To:
References: <5.2.0.9.2.20030306141400.0470db30@imap.ecs.soton.ac.uk>
Message-ID: <5.2.0.9.2.20030306150253.03bd44c0@imap.ecs.soton.ac.uk>

At 14:47 06/03/2003, you wrote:
>Hi
>
>We are seeing the following in the MailScanner log:-

It's a sendmail error message, not a MailScanner one.
chmod g-r /etc/sasld*
should do it.

>Mar 6 14:44:47 ns sendmail[27402]: error: safesasl(/etc/sasldb) failed:
>Group readable file
>
>Any idea what we need to do about it?
>
>Thanks
>
>John

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From mailscanner at LISTS.COM.AR Thu Mar 6 15:27:28 2003
From: mailscanner at LISTS.COM.AR (Mariano Absatz)
Date: Thu Jan 12 21:17:25 2006
Subject: MailScanner Error Message
In-Reply-To:
References: <5.2.0.9.2.20030306141400.0470db30@imap.ecs.soton.ac.uk>
Message-ID: <3E673EB0.19363.66F5406E@localhost>

I'm not an expert on sendmail or sasl but...

sasl is an authentication layer (a library) used by sendmail for
authenticating of users via SMTP-AUTH (and maybe for other things?).

sasl can be configured to use a user database in /etc/sasldb instead of
/etc/passwd or /etc/shadow (I guess it's the default)...

Most security aware software is rather picky with its own configuration
files ownership and permissions... since it's complaining that
/etc/sasldb is readable by the group, you should try the following:

chmod 600 /etc/sasldb

On 6 Mar 2003 at 14:47, John Thewlis wrote:

> Hi
>
> We are seeing the following in the MailScanner log:-
>
> Mar 6 14:44:47 ns sendmail[27402]: error: safesasl(/etc/sasldb) failed:
> Group readable file
>
> Any idea what we need to do about it?
>
> Thanks
>
> John

--
Mariano Absatz
El Baby
----------------------------------------------------------
Bug? That's not a bug, that's a feature.
    -- T. John Wendel

From SJCJonker at SJC.NL Thu Mar 6 16:44:07 2003
From: SJCJonker at SJC.NL (Stijn Jonker)
Date: Thu Jan 12 21:17:25 2006
Subject: OT: Sendmail/Postfix && LDAP.
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello all,

I'm more than aware that this is completely Offtopic, therefore I would
like to request to respond in private.

I'm looking for an LDAP frontend that can do the following:
Store user details such as address, and billing info
Work with sendmail and postfix for email routing.

As a lot of people are running large email systems I thought maybe you
could send me some pointers.

Again sorry for being offtopic, but I can't seem to understand that I'm
the first to search for this. The last thing I have to do is re-invent
the wheel... But if I have to I'll take up the tools ;-) to do so.

- --
Met Vriendelijke groet/Yours Sincerely
Stijn Jonker

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQE+Z3rZjU9r45tKnOARAhOtAJwNlITUOBJQ/4OJy4SvcAoD2Org+QCfRg/M
eT5uEPIhKQsdzhvTpXdny1A=
=qN17
-----END PGP SIGNATURE-----

From brose at MED.WAYNE.EDU Thu Mar 6 18:33:49 2003
From: brose at MED.WAYNE.EDU (Rose, Bobby)
Date: Thu Jan 12 21:17:25 2006
Subject: Sendmail/Postfix && LDAP.
Message-ID:

Front-End? Most LDAP servers come with a front-end. I know address is in
most ldap schemas and I would think there would be some schema updates
out there that might give some billing info type attributes, if not then
you could just create your own. You can also make your own frontends.
I've used cold fusion & perl and I know folks who use php and java to
update directories via ldap.

Sendmail just needs to be compiled with the correct site.config and mc
files to do ldap lookups. By default it looks for mailrouting info for
the standard mail attributes in ldap and with a few modifications, it
can do ldap queries against active directory/exchange environments.

-----Original Message-----
From: Stijn Jonker [mailto:SJCJonker@SJC.NL]
Sent: Thursday, March 06, 2003 11:44 AM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: OT: Sendmail/Postfix && LDAP.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello all,

I'm more than aware that this is completely Offtopic, therefore I would
like to request to respond in private.

I'm looking for an LDAP frontend that can do the following:
Store user details such as address, and billing info
Work with sendmail and postfix for email routing.

As a lot of people are running large email systems I thought maybe you
could send me some pointers.

Again sorry for being offtopic, but I can't seem to understand that I'm
the first to search for this. The last thing I have to do is re-invent
the wheel... But if I have to I'll take up the tools ;-) to do so.

- --
Met Vriendelijke groet/Yours Sincerely
Stijn Jonker

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQE+Z3rZjU9r45tKnOARAhOtAJwNlITUOBJQ/4OJy4SvcAoD2Org+QCfRg/M
eT5uEPIhKQsdzhvTpXdny1A=
=qN17
-----END PGP SIGNATURE-----

From mkettler at EVI-INC.COM Thu Mar 6 18:36:49 2003
From: mkettler at EVI-INC.COM (Matt Kettler)
Date: Thu Jan 12 21:17:25 2006
Subject: Strange score
In-Reply-To:
References:
Message-ID: <5.2.0.9.0.20030306133525.0176ac30@192.168.50.2>

The hugely negative score is the result of it matching USER_IN_WHITELIST.

This means that the sender (From: line and possibly received path) matched
a static whitelist. Check your whitelist_from and whitelist_from_rcvd
entries.

Note that there are some default ones present in
/usr/share/spamassassin/60_whitelist.cf.

At 03:47 PM 3/6/2003 +0100, Kevin Anderson wrote:
>HI all!
>
>I found a strange spam score:
>
>X-MailScanner-SpamCheck: not spam, SpamAssassin (score=-88.2, required 6,
>        ALL_NATURAL, AS_SEEN_ON, CLICK_BELOW, CLICK_HERE_LINK, HAIR_LOSS,
>        HGH, LINES_OF_YELLING, MISSING_MIMEOLE, NO_QS_ASKED, NO_REAL_NAME,
>        SPAM_PHRASE_08_13, SUBJ_HAS_UNIQ_ID, SUPERLONG_LINE, TRACKER_ID,
>        USER_AGENT_OE, USER_IN_WHITELIST, X_MSMAIL_PRIORITY_HIGH,
>        X_PRIORITY_HIGH)
>
>has -88.2, auto whitelisting is off. Anything to be worried about?
>
>thanks,
>kevin

From m.sapsed at BANGOR.AC.UK Thu Mar 6 18:39:18 2003
From: m.sapsed at BANGOR.AC.UK (Martin Sapsed) Date: Thu Jan 12 21:17:25 2006 Subject: Strange score References: Message-ID: <3E6795D6.5030306@bangor.ac.uk> Kevin Anderson wrote: > HI all! > > I found a strange spam score: > > X-MailScanner-SpamCheck: not spam, SpamAssassin (score=-88.2, required 6, > ALL_NATURAL, AS_SEEN_ON, CLICK_BELOW, CLICK_HERE_LINK, HAIR_LOSS, > HGH, LINES_OF_YELLING, MISSING_MIMEOLE, NO_QS_ASKED, NO_REAL_NAME, > SPAM_PHRASE_08_13, SUBJ_HAS_UNIQ_ID, SUPERLONG_LINE, TRACKER_ID, > USER_AGENT_OE, USER_IN_WHITELIST, X_MSMAIL_PRIORITY_HIGH, > X_PRIORITY_HIGH) > > has -88.2, auto whitelisting is off. Anything to be worried about? USER_IN_WHITELIST has a score of -100 IIRC? Would suggest that the address is in SpamAssassin's whitelist? Added before you turned auto-listing off perhaps? Cheers, Martin -- Martin Sapsed Information Services "Who do you say I am?" University of Wales, Bangor Jesus of Nazareth From HancockS at MORGANCO.COM Thu Mar 6 19:24:19 2003 From: HancockS at MORGANCO.COM (Hancock, Scott) Date: Thu Jan 12 21:17:25 2006 Subject: Debian ms v4.x install help. Deb, Alien or Source? attn Jason Desai Message-ID: <03Mar6.141709est.119149@gateway.morganco.com> Thanks for pointer to the tar distribution. I should have thought of that. Anyway, I'm up and running under /opt. My only hitch is the new "striphtml" feature on a high score isn't working. I'm going back to the install docs now but any pointers would be helpful. Maybe be a dependency issue? My buddy is running sendmail and mailscanner. He found there was a single entry that needed to be pointed to mailscanner. He was impressed that the sendmail startup script supported mailscanner with one entry. I've asked him for the info to post here as I don't think he subscribes. Maybe this is enough for you sendmail guys to find it on your own. Perhaps this is to what Nick is referring. Cheers Scott Hancock > -----Original Message----- 
> From: Nick Phillips [mailto:nwp@LEMON-COMPUTING.COM] > Sent: Wednesday, March 05, 2003 8:30 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Debian ms v4.x install help. Deb, Alien or Source? attn Jason > Desai > > On Wed, Mar 05, 2003 at 03:34:10PM -0500, Kurt Yoder wrote: > > > Incidentally, does anyone have any instructions on getting the Debian > > sendmail package working correctly with mailscanner? I had to completely > > replace the init script to make it work, and now dpkg chokes every time > it > > touches sendmail. > > Easiest way I could see was to set the config variables (can't remember > the > name of the file you put them in; maybe /etc/default/sendmail?) so that > one side was a daemon and the other not, as it doesn't yet seem to be able > to run two daemons with two different sets of args. > > > Cheers, > > > Nick > -- > Nick Phillips -- nwp@lemon-computing.com > You will soon forget this. From HancockS at MORGANCO.COM Thu Mar 6 19:51:52 2003 From: HancockS at MORGANCO.COM (Hancock, Scott) Date: Thu Jan 12 21:17:25 2006 Subject: Debian ms v4.x install help. Deb, Alien or Source? attn Jason Desai Message-ID: <03Mar6.144442est.119058@gateway.morganco.com> > Anyway, I'm up and running under /opt. My only hitch is the new > "striphtml" feature on a high score isn't working. I'm going back to > the install docs now but any pointers would be helpful. Maybe be a > dependency issue? > "striphtml" doesn't automatically imply "deliver" (as you might want to just forward it elsewhere, for example). Does it work if you set Spam Actions = striphtml deliver Nevermind Scott From HancockS at MORGANCO.COM Thu Mar 6 20:06:24 2003 
From: HancockS at MORGANCO.COM (Hancock, Scott)
Date: Thu Jan 12 21:17:25 2006
Subject: Debian Mailscanner and Sendmail install notes was -- Debian ms v4.x..
Message-ID: <03Mar6.145914est.119160@gateway.morganco.com>

Here are the notes from Dan. Pretty similar to Julian's notes at
http://www.sng.ecs.soton.ac.uk/mailscanner/install/sendmail.shtml

Cheers
Scott

Subject: RE: Debian ms v4.x install help. Deb, Alien or Source? attn Jason Desai

> Feel like posting your doc to the mailscanner list?
>

Okay... Just typing off the cuff here so don't expect too much

In order to get sendmail in Debian to run in a separate listener/queue
runner mode all you need to do is change the DAEMON_PARMS line from

    DAEMON_PARMS="";

to

    DAEMON_PARMS="-OPrivacyOptions=noetrn -ODeliveryMode=queueonly -OQueueDirectory=/var/spool/mqueue.in";

And create the /var/spool/mqueue.in directory of course... but that's
really all you need to do.

I haven't tested it in woody, only in sarge but I did write a brief note to
the sendmail maintainer who said that it should be fine. He also mentioned
that the fact that splitting the sendmail process into a listener and queue
runner is included in the conf file at all is due to an early user of
mailscanner asking for the feature.

The details of how/why it does what it does are in the file
/usr/share/sendmail/sendmail. That's really what gets run when the
/etc/init.d/sendmail script gets fired off. In there is a bit of logic that
just looks to see if parameters are common between the listener and queue
runner daemon and either creates one or two daemons to suit.

Here's the operative bit:

    # See if we can share the listener and queue-runner daemon:
    # * Both must be in daemon mode
    # * They must have the same (possibly empty) parameters
    if [ "$DAEMON_MODE" = "daemon" \
         -a "$QUEUE_MODE" = "daemon" \
         -a "$DAEMON_PARMS" = "$QUEUE_PARMS" ]; then
            SPLIT_DAEMON=0;
    else
            SPLIT_DAEMON=1;
    fi;

So, by changing the DAEMON_PARMS to anything other than the QUEUE_PARMS a
second process gets spawned by the startup script and everybody is happy
(or at least I was).

I think that was really just about all that I had to do. The Debian
mailscanner package has been set up with exim in mind so I had to change a
few of the config options in mailscanner to sendmail stuff but that was
pretty straightforward.

Dan

From gerry at dorfam.ca Thu Mar 6 20:18:37 2003
From: gerry at dorfam.ca (Gerry Doris)
Date: Thu Jan 12 21:17:25 2006
Subject: MailScanner Error Message
In-Reply-To: <011301c2e3f2$1c00cb00$b001a8c0@home.middlefinger.net>
References: <011301c2e3f2$1c00cb00$b001a8c0@home.middlefinger.net>
Message-ID: <36686.129.80.22.143.1046981917.squirrel@tiger.dorfam.ca>

> The simplest answer is to do a 'chmod 600 /etc/sasldb' ...
>
> If you want to see which users are in the file do a 'sasldblistusers' as
> root..
>

If I remember correctly the /etc/sasldb file must be 0600 or you'll see the
error message about it being group readable.

On the other hand, the latest versions of sendmail are no longer run as
root and can't read the /etc/sasldb file if the permission is 0600. The
sendmail docs suggest using the DONT_BLAME_SENDMAIL directive in
sendmail.mc to get around this.

Gerry

From HancockS at MORGANCO.COM Thu Mar 6 20:43:27 2003
From: HancockS at MORGANCO.COM (Hancock, Scott)
Date: Thu Jan 12 21:17:25 2006
Subject: Debian Mailscanner and Sendmail install notes was -- Debian ms v4.x..
Message-ID: <03Mar6.153616est.119120@gateway.morganco.com>

It should be noted that these entries are in /etc/mail/sendmail.conf. The
start script /etc/init.d/sendmail requires no modification, and neither
does /usr/share/sendmail/sendmail. Definitely applies to Debian Sarge,
probably Woody too.

Scott

> DAEMON_PARMS="";
>
> to
>
> DAEMON_PARMS="-OPrivacyOptions=noetrn -ODeliveryMode=queueonly
> -OQueueDirectory=/var/spool/mqueue.in";

From mailscanner at ecs.soton.ac.uk Thu Mar 6 21:27:50 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:25 2006
Subject: Fwd: Re: SA2.50 problems...
In-Reply-To: <5.2.0.9.2.20030305170932.06f343e0@imap.ecs.soton.ac.uk>
Message-ID: <5.2.0.9.2.20030306212235.02210208@imap.ecs.soton.ac.uk>

At 17:11 05/03/2003, you wrote:
>If you are still having problems with SpamAssassin 2.50 hanging, even with
>my patch, then do this:
>
>>From: Daniel Bird
>>Subject: Re: SA2.50 problems...
>>To: Julian Field
>>
>>Julian,
>>
>>For info,
>>left "Use Spamassassin = yes" in MailScanner.conf but added
>>"use_bayes 0" to spam.assassin.prefs.conf
>>
>>and MailScanner + SA2.50 are running quite happily now.
>>
>>Thanks.
>>
>>Dan
>
>I have posted a huge great message to the SAtalk list about this problem.
>Something *very* strange is happening, and I haven't got to the bottom of
>it yet. It's all connected to file locking and the bayes database, just
>like the previous problem with it, but this one is a lot more strange....
>
>If anything interesting comes up on SAtalk, I'll be sure to tell you all.

This appears to have been fixed in the CVS of 2.60.

Go to http://spamassassin.taint.org/downloads.html and download the CVS of
2.60. Install that (you don't need my SA2.50.patch at all). Also you should
install "DB_File" using CPAN, and delete any .dir/.pag files in
~root/.spamassassin.

Please let me know how you get on with this. I have been running this for 4
hours on a mail server that had problems with the patched-2.50 code, and
the CVS2.60 code is still running fine. Previously it would have shown up
in a very few minutes.

Don't forget to comment out the "use_bayes" line, you don't need it any
more.
--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

From rap at PHYSICS.UBC.CA Thu Mar 6 22:16:21 2003
From: rap at PHYSICS.UBC.CA (Ron Parachoniak)
Date: Thu Jan 12 21:17:25 2006
Subject: File descriptors missing on start up: stderr; Bad file number
Message-ID: <3E67C8B5.1030401@physics.ubc.ca>

I recently installed sendmail 8.12.8 (upgraded from 8.11.6) on a Solaris 8
box. We only use MailScanner for antivirus scanning (we run spamassassin
separately).

Since upgrading sendmail, I get the following messages in my logfile:

Mar 6 14:06:21 warp.physics.ubc.ca MailScanner[19512]: New Batch: Scanning 1 messages, 2240 bytes
Mar 6 14:06:21 warp.physics.ubc.ca MailScanner[19512]: Virus and Content Scanning: Starting
Mar 6 14:06:22 warp.physics.ubc.ca MailScanner[19512]: Uninfected: Delivered 1 messages
Mar 6 14:06:22 physics sendmail[29988]: [ID 702911 mail.warning] File descriptors missing on start up: stderr; Bad file number

It appears to be related to MailScanner. Can anyone shed any light on this?

Just for info, Don Jones posted a similar problem a while back. He ended up
switching to RedHat and never solved the problem.

-----------------------------------------------------------------------
Message from Don Jones:

Hi

We are having a strange problem on 2 new 4.7 mailservers, both use sendmail
and mailscanner (which does spamassassin and antivirus scanning).

The configuration is one sendmail process that listens on port 25 and dumps
mail to a queue, then mailscanner picks up the mail from this queue and
does its scanning stuff and dumps the mail into a second queue. A second
sendmail process then takes the mail from the second queue and delivers it.

On both these boxes we are getting this error in /var/log/maillog:

Dec 9 08:51:56 mx3 sendmail[39613]: File descriptors missing on startup: stdin, stdout, stderr; Bad file descriptor

It usually occurs when MailScanner delivers the message to the second queue:

Dec 9 02:17:38 mx3 MailScanner[37952]: Virus and Content Scanning: Starting
Dec 9 02:17:38 mx3 sendmail[37980]: File descriptors missing on startup: stdin, stdout, stderr;
Dec 9 02:17:38 mx3 MailScanner[37952]: Uninfected: Delivered 1 messages

Sendmail seems to spawn a second process to deal with the delivery and this
process is complaining. It still seems to be functioning ok.

Mailscanner has 5 processes which seem to be dying over time (over a few
days), which may be related to this problem. I need to try and fix this.

Can anybody explain what a "Bad file descriptor" actually is and how I
would go about fixing it?

Someone on the mailscanner mailing list suggested increasing the number of
filehandles ("ulimit -a" to show, "ulimit -n" to increase). This didn't
seem to work - I'm a bit out of my depth with this stuff - anyone have any
ideas/advice/explanations?

Thanks
Don Jones
-----------------------------------------------------------------------

--
Ron

Ron D. Parachoniak    UBC Physics & Astronomy Dept   Ph.  (604) 838-6437
System Manager        6224 Agricultural Road         Fax  (604) 822-5324
rap@physics.ubc.ca    Vancouver, BC, Canada V6T 1Z1

From nerijus at USERS.SOURCEFORGE.NET Thu Mar 6 23:07:01 2003
From: nerijus at USERS.SOURCEFORGE.NET (Nerijus Baliunas)
Date: Thu Jan 12 21:17:25 2006
Subject: File descriptors missing on start up: stderr; Bad file number
In-Reply-To: <3E67C8B5.1030401@physics.ubc.ca>
References: <3E67C8B5.1030401@physics.ubc.ca>
Message-ID: <200303062308.h26N8hZn028942@mx.ktv.lt>

On Thu, 6 Mar 2003 14:16:21 -0800 Ron Parachoniak wrote:

> I recently installed sendmail 8.12.8 (upgraded from 8.11.6) on a Solaris

> descriptors missing on start up: stderr; Bad file number

> It appears to be related to MailScanner. Can anyone shed any light on

What version of MailScanner are you running? It should be fixed in the
newer versions.

Regards,
Nerijus

From jgoggan at DCG.COM Fri Mar 7 02:45:33 2003
From: jgoggan at DCG.COM (John Goggan)
Date: Thu Jan 12 21:17:25 2006
Subject: sendmail changing messages after MailScanner finishes...
Message-ID: <3E6807CD.1F851039@dcg.com>

I've just upgraded from sendmail v8.11 to 8.12.8. Note that there are some
significant changes to sendmail between those versions -- they now
recommend running them as two instances -- one for just queuing the mail --
and one for processing it after. Interestingly, this is the way that
MailScanner has been integrated with my system for a long time now.

So, I have one queue-only sendmail that puts all of the incoming messages
in /var/spool/mqueue.in. MailScanner sees those, scans them, and puts them
in /var/spool/mqueue.

In the past, the second sendmail process always took care of them --
passing them along to be delivered locally. With 8.12.8 -- the second
sendmail instead changes all of the "qf..." files that MailScanner puts
there into "Qf..." files! It seems to want to believe that they are
incomplete or something? I don't know why.

If I manually copy them from mqueue.in to mqueue before MailScanner has a
second to grab them, they get delivered fine. But if MailScanner puts them
into mqueue -- sendmail changes them to "Qf..." and they never get
delivered (they just stay there forever).

I appear to be running MailScanner 3.22. (I know I need to upgrade -- I
just haven't had time. Maybe this is a sign that I should just upgrade, eh?
If no one can think of anything, I'll try to find time to do that...)

Any ideas? Thanks!

 - John...

From jgoggan at DCG.COM Fri Mar 7 02:59:12 2003
From: jgoggan at DCG.COM (John Goggan)
Date: Thu Jan 12 21:17:25 2006
Subject: sendmail changing messages after MailScanner finishes...
References: <3E6807CD.1F851039@dcg.com>
Message-ID: <3E680B00.D9CCB092@dcg.com>

I just discovered that sendmail is doing this because the files are being
put into the mqueue dir by MailScanner as mode 666. sendmail seems to see
this and changes them to Qf. If I change them to 600 -- sendmail then
properly delivers them on the next pass through the queue.

So -- now my question is: why does MailScanner put them there as 666? They
were 600 when they were in mqueue.in. Is there some option to change this
easily?

Thanks!

 - John...

From rap at PHYSICS.UBC.CA Fri Mar 7 00:28:06 2003
From: rap at PHYSICS.UBC.CA (Ron Parachoniak)
Date: Thu Jan 12 21:17:25 2006
Subject: File descriptors missing on start up: stderr; Bad file number
References: <3E67C8B5.1030401@physics.ubc.ca> <200303062308.h26N8hZn028942@mx.ktv.lt>
Message-ID: <3E67E796.50206@physics.ubc.ca>

I am using MailScanner version 4.13.3

Nerijus Baliunas wrote:
> On Thu, 6 Mar 2003 14:16:21 -0800 Ron Parachoniak wrote:
>
>>I recently installed sendmail 8.12.8 (upgraded from 8.11.6) on a Solaris
>
>>descriptors missing on start up: stderr; Bad file number
>
>>It appears to be related to MailScanner. Can anyone shed any light on
>
> What version of MailScanner are you running? It should be fixed in the
> newer versions.
>
> Regards,
> Nerijus

--
Ron

Ron D. Parachoniak    UBC Physics & Astronomy Dept   Ph.  (604) 838-6437
System Manager        6224 Agricultural Road         Fax  (604) 822-5324
rap@physics.ubc.ca    Vancouver, BC, Canada V6T 1Z1

From jgoggan at DCG.COM Fri Mar 7 03:07:50 2003
From: jgoggan at DCG.COM (John Goggan)
Date: Thu Jan 12 21:17:25 2006
Subject: sendmail changing messages after MailScanner finishes...
References: <3E6807CD.1F851039@dcg.com> <3E680B00.D9CCB092@dcg.com>
Message-ID: <3E680D06.791D0DAC@dcg.com>

John Goggan wrote:
> I just discovered that sendmail is doing this because the files are
> being put into the mqueue dir by MailScanner as mode 666. sendmail seems
> to see this and changes them to Qf. If I change them to 600 -- sendmail
> then properly delivers them on the next pass through the queue.

Oops -- make that: if I change them to 600 AND THEN RENAME them back to
"qf..." -- sendmail then processes them correctly next time around...

Just to be clear.

 - John...

From mailscanner at ecs.soton.ac.uk Fri Mar 7 09:20:22 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:25 2006
Subject: sendmail changing messages after MailScanner finishes...
In-Reply-To: <3E680D06.791D0DAC@dcg.com>
References: <3E6807CD.1F851039@dcg.com> <3E680B00.D9CCB092@dcg.com>
Message-ID: <5.2.0.9.2.20030307091454.039f2830@imap.ecs.soton.ac.uk>

At 03:07 07/03/2003, you wrote:
>John Goggan wrote:
> > I just discovered that sendmail is doing this because the files are
> > being put into the mqueue dir by MailScanner as mode 666. sendmail seems
> > to see this and changes them to Qf. If I change them to 600 -- sendmail
> > then properly delivers them on the next pass through the queue.
>
>Oops -- make that: if I change them to 600 AND THEN RENAME them back to
>"qf..." -- sendmail then processes them correctly next time around...

Can you do
         umask
         grep umask /usr/sbin/MailScanner
         ls -ald /var/spool/mqueue /var/spool/mqueue.in
         uname -a
and tell me what it says. I can't reproduce the behaviour you are seeing.
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From Peter.Bates at LSHTM.AC.UK Fri Mar 7 09:51:52 2003
From: Peter.Bates at LSHTM.AC.UK (Peter Bates) Date: Thu Jan 12 21:17:25 2006 Subject: Sophos and 'corrupt' files (slight return) Message-ID: Hello all... In a terrible problem as a result of an upgrade to amavis (no sniggers at the back please), I had to push my 'test' MailScanner box into service yesterday for our site. I'm running: mailscanner-4.13-3 Sophos sweep 3.66 Mcafee 4.12.0 F-prot SB 3.12d SA 2.50 (with Julian's patch, Razor2 and DCC) Sendmail as the MTA ... on RedHat 7.3 I'm still seeing: Subject: Undelivered Mail Returned to Sender MessageID: h274wd530878 Report: Could not check ./h274wd530878/ORS details.doc (corrupt) Report: Could not check ./h274wd530878/TDR Research Training Grants 2003.doc (corrupt) Subject: Undelivered Mail Returned to Sender MessageID: h278AU507615 Report: Could not check ./h278AU507615/our transport, our health.doc (corrupt) Strangely enough, only on what appear to be bounces (hence the subject), and scanning the files from the command-line, it is only Sophos that reports them as 'corrupt'. Shall I disable Sophos from the 'Virus Scanners' bit of MailScanner.conf, or does upgrading to 3.67 solve this? I've also seen: Subject: sending patient data MessageID: h279VD515651 Report: Could not check ./h279VD515651/02.zip/02.jpg (part of multi volume archive) Could not check ./h279VD515651/02.zip (corrupt) ... all 3 of the AV scanners check this zip out OK (just running /usr/lib/MailScanner/x-wrapper 02.zip over them, unless they need arguments to get them to check zip archives?), so what is generating this error? Thanks... ---------------------------------------------------------------------------------------------------> Peter Bates, Systems Support Officer, Network Support Team. London School of Hygiene & Tropical Medicine. Telephone:0207-958 8353 / Fax: 0207- 636 9838 From mailscanner at ecs.soton.ac.uk Fri Mar 7 10:09:14 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:25 2006 Subject: Sophos and 'corrupt' files (slight return) In-Reply-To: Message-ID: <5.2.0.9.2.20030307100520.0445e070@imap.ecs.soton.ac.uk> Can I snigger at the front then? Sophos 3.67 will help this. However, to avoid trouble from what Sophos thinks are corrupt files, you can enable the option Allowed Sophos Error Messages = corrupt in MailScanner.conf. This option is commented out by default. Bear in mind that this will bypass scanning of files that Sophos thinks are corrupt. At 09:51 07/03/2003, you wrote: >Hello all... > >In a terrible problem as a result of an upgrade to amavis (no sniggers at >the back please), >I had to push my 'test' MailScanner box into service yesterday for our site. > >I'm running: >mailscanner-4.13-3 >Sophos sweep 3.66 >Mcafee 4.12.0 >F-prot SB 3.12d >SA 2.50 (with Julian's patch, Razor2 and DCC) >Sendmail as the MTA >... on RedHat 7.3 > >I'm still seeing: > > Subject: Undelivered Mail Returned to Sender > MessageID: h274wd530878 > Report: Could not check ./h274wd530878/ORS details.doc (corrupt) > Report: Could not check ./h274wd530878/TDR Research Training Grants > 2003.doc (corrupt) > > Subject: Undelivered Mail Returned to Sender > MessageID: h278AU507615 > Report: Could not check ./h278AU507615/our transport, our health.doc > (corrupt) > >Strangely enough, only on what appear to be bounces (hence the subject), >and scanning the >files from the command-line, it is only Sophos that reports them as 'corrupt'. > >Shall I disable Sophos from the 'Virus Scanners' bit of MailScanner.conf, >or does upgrading to 3.67 solve this? > >I've also seen: > > Subject: sending patient data > MessageID: h279VD515651 > Report: Could not check ./h279VD515651/02.zip/02.jpg (part of multi > volume archive) >Could not check ./h279VD515651/02.zip (corrupt) > >... 
all 3 of the AV scanners check this zip out OK (just running >/usr/lib/MailScanner/x-wrapper 02.zip over them, >unless they need arguments to get them to check zip archives?), so what is >generating this error? > >Thanks... > > > >---------------------------------------------------------------------------------------------------> >Peter Bates, Systems Support Officer, Network Support Team. >London School of Hygiene & Tropical Medicine. >Telephone:0207-958 8353 / Fax: 0207- 636 9838 -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From Krishna_shekhar at GMX.NET Fri Mar 7 23:23:10 2003 From: Krishna_shekhar at GMX.NET (Krishna) Date: Thu Jan 12 21:17:25 2006 Subject: MailScanner and Horde/IMP Message-ID: <5.2.0.9.0.20030308044816.00af2bb8@pop.gmx.net> Hi, I installed MailScanner on my RedHat 7.3 box running Horde/IMP cvs version. When I send mails through Outlook or Eudora , the mails get scanned by MailScanner, does both Anti-Virus and Anti-Spam checks. But when I send through Horde/IMP mailscanner does not get executed. The mails goes without a scan via sendmail. Why is this happening? My horde configuration conf.php $conf['mailer']['type'] = 'sendmail'; $conf['mailer']['params'] = array(); $conf['mailer']['params'] = array('sendmail_path' => '/usr/sbin/sendmail'); regards Krishna http://www.KrisinDigitalAge.com From steve.freegard at LBSLTD.CO.UK Fri Mar 7 12:17:46 2003 
From: steve.freegard at LBSLTD.CO.UK (Steve Freegard)
Date: Thu Jan 12 21:17:25 2006
Subject: MailScanner and Horde/IMP
Message-ID: <67D9E7698329D411936E00508B6590B9027932B2@neelix.lbsltd.co.uk>

Krishna,

I don't know Horde/IMP personally - but the reason that your mail isn't
being scanned is because Horde/IMP is invoking sendmail directly which puts
the mail into /var/spool/mqueue and therefore doesn't get scanned.

You should change the configuration to use SMTP, and set the server address
to 127.0.0.1 - this will then get picked up by mailscanner.

Alternatively - you _might_ be able to change the sendmail_path to
'/usr/sbin/sendmail -OQueueDirectory=/var/spool/mqueue.in' which also might
do the trick.

Regards,
Steve.

-----Original Message-----
From: Krishna [mailto:Krishna_shekhar@GMX.NET] Sent: 07 March 2003 23:23 To: MAILSCANNER@jiscmail.ac.uk Subject: MailScanner and Horde/IMP Hi, I installed MailScanner on my RedHat 7.3 box running Horde/IMP cvs version. When I send mails through Outlook or Eudora , the mails get scanned by MailScanner, does both Anti-Virus and Anti-Spam checks. But when I send through Horde/IMP mailscanner does not get executed. The mails goes without a scan via sendmail. Why is this happening? My horde configuration conf.php $conf['mailer']['type'] = 'sendmail'; $conf['mailer']['params'] = array(); $conf['mailer']['params'] = array('sendmail_path' => '/usr/sbin/sendmail'); regards Krishna http://www.KrisinDigitalAge.com ********************************************************************** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote also confirms that this email message has been swept by MIMEsweeper for the presence of computer viruses. www.lbsltd.co.uk ********************************************************************** From mailscanner at ecs.soton.ac.uk Fri Mar 7 12:21:35 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:25 2006
Subject: MailScanner and Horde/IMP
In-Reply-To: <5.2.0.9.0.20030308044816.00af2bb8@pop.gmx.net>
Message-ID: <5.2.0.9.2.20030307122032.044bce18@imap.ecs.soton.ac.uk>

At 23:23 07/03/2003, you wrote:
>Hi,
>         I installed MailScanner on my RedHat 7.3 box running Horde/IMP cvs
>version.
>When I send mails through Outlook or Eudora , the mails get scanned by
>MailScanner, does both Anti-Virus and Anti-Spam checks.
>But when I send through Horde/IMP mailscanner does not get executed. The
>mails goes without a scan via sendmail.
>
>Why is this happening?
>
>My horde configuration conf.php
>
>$conf['mailer']['type'] = 'sendmail';
>$conf['mailer']['params'] = array();
>  $conf['mailer']['params'] = array('sendmail_path' => '/usr/sbin/sendmail');

You either need to upgrade to a more recent version of sendmail, or else
set this instead of your 3 lines above:

$conf['mailer']['type'] = 'smtp';
$conf['mailer']['params'] = array();
$conf['mailer']['params'] = array('host' => 'localhost');

This will force IMP to talk SMTP to the host it is running on, which will
get all its mail scanned.
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From jgoggan at DCG.COM Fri Mar 7 13:55:25 2003
From: jgoggan at DCG.COM (John Goggan)
Date: Thu Jan 12 21:17:25 2006
Subject: sendmail changing messages after MailScanner finishes...
References: <3E6807CD.1F851039@dcg.com> <3E680B00.D9CCB092@dcg.com> <5.2.0.9.2.20030307091454.039f2830@imap.ecs.soton.ac.uk>
Message-ID: <3E68A4CD.283F7FE0@dcg.com>

Here's the info, Julian. Thanks for taking a look. I think I will have time
to finally upgrade MailScanner this afternoon, so maybe this will be moot
by then...

[root@frobozz mqueue]# umask
022
[root@frobozz mqueue]# grep umask /opt/mailscanner/bin/mailscanner
umask 0077; # Set nice and safe to no-one else can access anything!
[root@frobozz mqueue]# ls -ald /var/spool/mqueue /var/spool/mqueue.in
drwx------ 2 root root 8192 Mar 7 08:47 /var/spool/mqueue/
drwxrwxr-x 2 root mail 8192 Mar 7 08:45 /var/spool/mqueue.in/
[root@frobozz mqueue]# uname -a
Linux frobozz.dcg.com 2.2.17-21mdk #1 Thu Oct 5 13:16:08 CEST 2000 i686 unknown

 - John...

Julian Field wrote:
> Can you do
>          umask
>          grep umask /usr/sbin/MailScanner
>          ls -ald /var/spool/mqueue /var/spool/mqueue.in
>          uname -a
> and tell me what it says. I can't reproduce the behaviour you are seeing.

From john at OFIZ.COM Fri Mar 7 14:11:13 2003
From: john at OFIZ.COM (John Thewlis)
Date: Thu Jan 12 21:17:25 2006
Subject: MailScanner maillog error
In-Reply-To: <3E68A4CD.283F7FE0@dcg.com>
Message-ID:

Hi

Many thanks for all the help on the /etc/sasldb error, it is now fixed.

When looking through the MailScanner maillog, I get the following error
message each time an email is sent through the server:-

Mar 7 14:05:46 ns MailScanner[18807]: New Batch: Scanning 1 messages, 3034 bytes
Mar 7 14:05:46 ns MailScanner[18807]: Virus and Content Scanning: Starting
Mar 7 14:05:46 ns MailScanner[18807]: Uninfected: Delivered 1 messages
Mar 7 14:05:46 ns sendmail[29908]: gethostbyaddr(217.114.166.33) failed: 1
Mar 7 14:05:46 ns sendmail[29908]: gethostbyaddr(217.114.166.34) failed: 1
Mar 7 14:05:46 ns sendmail[29908]: gethostbyaddr(217.114.166.31) failed: 1
Mar 7 14:05:46 ns sendmail[29908]: gethostbyaddr(217.114.166.91) failed: 1

Any ideas as to how to resolve this error?

Thanks

John

From combslm at APPSTATE.EDU Fri Mar 7 14:14:43 2003
From: combslm at APPSTATE.EDU (Laramie Combs)
Date: Thu Jan 12 21:17:25 2006
Subject: MailScanner maillog error
References:
Message-ID: <004901c2e4b3$e67dacb0$160c0a98@maverick>

Looks like a sendmail nameserver resolution problem to me. What does your
/etc/named.conf look like? Also, what is the result of a nslookup on
217.114.166.133 and then on cnn.com? My nameserver returns Non-existent
domain on the 217 address.

-Laramie

----- Original Message -----
From: "John Thewlis"
To:
Sent: Friday, March 07, 2003 9:11 AM
Subject: MailScanner maillog error

> Hi
>
> Many thanks for all the help on the /etc/sasldb error, it is now fixed.
>
> When looking through the MailScanner maillog, I get the following error
> message each time an email is sent through the server:-
>
>
> Mar 7 14:05:46 ns MailScanner[18807]: New Batch: Scanning 1 messages, 3034
> bytes
> Mar 7 14:05:46 ns MailScanner[18807]: Virus and Content Scanning: Starting
> Mar 7 14:05:46 ns MailScanner[18807]: Uninfected: Delivered 1 messages
> Mar 7 14:05:46 ns sendmail[29908]: gethostbyaddr(217.114.166.33) failed: 1
> Mar 7 14:05:46 ns sendmail[29908]: gethostbyaddr(217.114.166.34) failed: 1
> Mar 7 14:05:46 ns sendmail[29908]: gethostbyaddr(217.114.166.31) failed: 1
> Mar 7 14:05:46 ns sendmail[29908]: gethostbyaddr(217.114.166.91) failed: 1
>
>
> Any ideas as to how to resolve this error?
>
> Thanks
>
> John
>

From joe at QITC.CO.UK Fri Mar 7 14:23:38 2003
From: joe at QITC.CO.UK (Joe Quinn)
Date: Thu Jan 12 21:17:25 2006
Subject: MailScanner maillog error
References:
Message-ID: <027b01c2e4b5$25edcc30$5d876751@T20>

This is a common entry in the Cobalt RaQ, all it means is the IP in
question does not have a PTR record and can't resolve to a host name.

Not your problem provided it isn't your IP.

If they are your IPs then go into the DNS parameters in the control panel
and add PTR records for them (providing of course that you are
authoritative for that netblock). Only one record per IP.

It may be that your upstream provider hasn't delegated this so you may have
to contact them.

Cheers,
Joe
Tel: (UK) +44 776 737 1234

----- Original Message -----
From: "John Thewlis"
To:
Sent: Friday, March 07, 2003 2:11 PM
Subject: MailScanner maillog error

> Hi
>
> Many thanks for all the help on the /etc/sasldb error, it is now fixed.
>
> When looking through the MailScanner maillog, I get the following error
> message each time an email is sent through the server:-
>
>
> Mar 7 14:05:46 ns MailScanner[18807]: New Batch: Scanning 1 messages, 3034
> bytes
> Mar 7 14:05:46 ns MailScanner[18807]: Virus and Content Scanning: Starting
> Mar 7 14:05:46 ns MailScanner[18807]: Uninfected: Delivered 1 messages
> Mar 7 14:05:46 ns sendmail[29908]: gethostbyaddr(217.114.166.33) failed: 1
> Mar 7 14:05:46 ns sendmail[29908]: gethostbyaddr(217.114.166.34) failed: 1
> Mar 7 14:05:46 ns sendmail[29908]: gethostbyaddr(217.114.166.31) failed: 1
> Mar 7 14:05:46 ns sendmail[29908]: gethostbyaddr(217.114.166.91) failed: 1
>
>
> Any ideas as to how to resolve this error?
>
> Thanks
>
> John
>

From mailscanner at ecs.soton.ac.uk Fri Mar 7 14:58:39 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:25 2006
Subject: sendmail changing messages after MailScanner finishes...
In-Reply-To: <3E68A4CD.283F7FE0@dcg.com>
References: <3E6807CD.1F851039@dcg.com> <3E680B00.D9CCB092@dcg.com> <5.2.0.9.2.20030307091454.039f2830@imap.ecs.soton.ac.uk>
Message-ID: <5.2.0.9.2.20030307145413.028fc410@imap.ecs.soton.ac.uk>

Are the files in /var/spool/mqueue set to rw-rw----? If not, then what?
MailScanner doesn't change the permissions on clean messages, it just moves
them. If I have to change the permissions as well, that's yet another system
call and another disk write for each message, which I would like to avoid if
I can.

Are *all* the files in /var/spool/mqueue 666? Or are ones that were infected
600?

What are the permissions on all the files in /var/spool/mqueue.in?

As you see from below, MailScanner sets its own umask to give 600 files,
specifically to stop problems like this.

At 13:55 07/03/2003, you wrote:
>Here's the info, Julian. Thanks for taking a look. I think I will have time
>to finally upgrade MailScanner this afternoon, so maybe this will be moot by
>then...
>
>[root@frobozz mqueue]# umask
>022
>[root@frobozz mqueue]# grep umask /opt/mailscanner/bin/mailscanner
>umask 0077; # Set nice and safe to no-one else can access anything!
>[root@frobozz mqueue]# ls -ald /var/spool/mqueue /var/spool/mqueue.in
>drwx------ 2 root root 8192 Mar 7 08:47 /var/spool/mqueue/
>drwxrwxr-x 2 root mail 8192 Mar 7 08:45 /var/spool/mqueue.in/
>[root@frobozz mqueue]# uname -a
>Linux frobozz.dcg.com 2.2.17-21mdk #1 Thu Oct 5 13:16:08 CEST 2000 i686
>unknown
>
> - John...
>
>Julian Field wrote:
> > Can you do
> > umask
> > grep umask /usr/sbin/MailScanner
> > ls -ald /var/spool/mqueue /var/spool/mqueue.in
> > uname -a
> > and tell me what it says. I can't reproduce the behaviour you are seeing.
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From jgoggan at DCG.COM Fri Mar 7 15:37:12 2003
From: jgoggan at DCG.COM (John Goggan)
Date: Thu Jan 12 21:17:25 2006
Subject: sendmail changing messages after MailScanner finishes...
References: <3E6807CD.1F851039@dcg.com> <3E680B00.D9CCB092@dcg.com> <5.2.0.9.2.20030307091454.039f2830@imap.ecs.soton.ac.uk> <5.2.0.9.2.20030307145413.028fc410@imap.ecs.soton.ac.uk>
Message-ID: <3E68BCA8.77EDBCAE@dcg.com>

Julian Field wrote:
>
> Are the files in /var/spool/mqueue set to rw-rw----? If not, then
> what?

Sendmail picks up the messages from port 25 and puts them in mqueue.in. In
there, they are rw-------. MailScanner then picks them up from mqueue.in,
scans them (with SpamAssassin also -- so every message gets tagged even if
clean with at least the SpamAssassin tag), and then puts them back in mqueue.
When it puts them there, they are rw-rw-rw-.

> Are *all* the files in /var/spool/mqueue 666? Or are ones that were
> infected 600?

Well, all my files get touched because I am having MailScanner (with
SpamAssassin) add the X-MailScanner and X-MailScanner-SpamCheck tags. But,
that being said, ALL of the qf files are 666 -- and the df files are 600.

> What are the permissions on all the files in /var/spool/mqueue.in?

They are all 600 all the time.

> As you see from below, MailScanner sets its own umask to give 600
> files, specifically to stop problems like this.

Indeed. I'm not quite sure why this is happening. And, unfortunately, I don't
know if it was happening before I upgraded sendmail. I also upgraded
SpamAssassin to 2.50 (from 2.33, I believe) during this time period. So, I'm
not sure if sendmail didn't care with the old version -- or if something in
the way the new SpamAssassin scans is changing something. I didn't change the
MailScanner configuration at all -- so I assume it is invoking the newer
version of SA in the same way.

A little later this afternoon, I will have some time and will try rolling back
my sendmail to 8.11.x -- just to see if it is the new sendmail ignoring a
"problem" with permissions that has always been there for me -- or if it also
does the same thing and rejects them (in which case it is more likely related
to my upgrade of SA)...

 - John...

From dustin.baer at IHS.COM Fri Mar 7 15:55:02 2003
From: dustin.baer at IHS.COM (Dustin Baer)
Date: Thu Jan 12 21:17:25 2006
Subject: sendmail changing messages after MailScanner finishes...
References: <3E6807CD.1F851039@dcg.com> <3E680B00.D9CCB092@dcg.com> <5.2.0.9.2.20030307091454.039f2830@imap.ecs.soton.ac.uk> <5.2.0.9.2.20030307145413.028fc410@imap.ecs.soton.ac.uk> <3E68BCA8.77EDBCAE@dcg.com>
Message-ID: <3E68C0D6.17D9D8A5@ihs.com>

> A little later this afternoon, I will have some time and will try rolling back
> my sendmail to 8.11.x -- just to see if it is the new sendmail ignoring a
> "problem" with permissions that has always been there for me -- or if it also
> does the same thing and rejects them (in which case it is more likely related
> to my upgrade of SA)...

I upgraded to Sendmail 8.12.8 on Monday. No problems like you are seeing.

Dustin
--
Dustin Baer
Unix Administrator/Postmaster
Information Handling Services
15 Inverness Way East
Englewood, CO 80112
303-397-2836

From mailscanner at LISTS.COM.AR Fri Mar 7 16:16:39 2003
From: mailscanner at LISTS.COM.AR (Mariano Absatz) Date: Thu Jan 12 21:17:25 2006 Subject: MIME-tools Message-ID: <3E689BB7.1423.6C48B863@localhost> Hi, I know this is an old one... but I have a couple of doubts about MIME-tools. For what I read, I don't want new versions of it, fine. When I browse in CPAN, I find 2 versions: 5.411a (dated 16/11/2001) 5.411 (dated 5/6/2001) I download them both... and find no difference, whatsoever (diff -rc) Is that a packaging problem? anybody knows? The other thing I see is that you provide 4 important security patches at: http://www.sng.ecs.soton.ac.uk/mailscanner/install/mime-tools-patch.txt http://www.sng.ecs.soton.ac.uk/mailscanner/install/mime-tools-patch2.txt http://www.sng.ecs.soton.ac.uk/mailscanner/install/mime-tools-patch3.txt http://www.sng.ecs.soton.ac.uk/mailscanner/install/mime-tools-patch4.txt Now, why don't you combine them into just one? like the one I'm attaching? The result should be the same and it's easier to do, isn't it? TIA -- Mariano Absatz El Baby ---------------------------------------------------------- Error, no keyboard - press F1 to continue. -------------- next part -------------- diff -rc MIME-tools-5.411/lib/MIME/Field/ParamVal.pm MIME-tools-5.411-patched4/lib/MIME/Field/ParamVal.pm *** MIME-tools-5.411/lib/MIME/Field/ParamVal.pm Sat Nov 4 16:54:49 2000 --- MIME-tools-5.411-patched4/lib/MIME/Field/ParamVal.pm Fri Mar 7 12:44:10 2003 *************** *** 9,50 **** =head1 SYNOPSIS # Create an object for a content-type field: ! $field = new Mail::Field 'Content-type'; ! # Set some attributes: $field->param('_' => 'text/html'); $field->param('charset' => 'us-ascii'); $field->param('boundary' => '---ABC---'); ! # Same: $field->set('_' => 'text/html', 'charset' => 'us-ascii', 'boundary' => '---ABC---'); ! # Get an attribute, or undefined if not present: print "no id!" if defined($field->param('id')); ! # Same, but use empty string for missing values: print "no id!" if ($field->paramstr('id') eq ''); ! 
# Output as string: print $field->stringify, "\n"; =head1 DESCRIPTION ! This is an abstract superclass of most MIME fields. It handles fields with a general syntax like this: Content-Type: Message/Partial; ! number=2; total=3; ! id="oc=jpbe0M2Yt4s@thumper.bellcore.com" Comments are supported I items, like this: Content-Type: Message/Partial; (a comment) ! number=2 (another comment) ; (yet another comment) total=3; ! id="oc=jpbe0M2Yt4s@thumper.bellcore.com" =head1 PUBLIC INTERFACE --- 9,50 ---- =head1 SYNOPSIS # Create an object for a content-type field: ! $field = new Mail::Field 'Content-type'; ! # Set some attributes: $field->param('_' => 'text/html'); $field->param('charset' => 'us-ascii'); $field->param('boundary' => '---ABC---'); ! # Same: $field->set('_' => 'text/html', 'charset' => 'us-ascii', 'boundary' => '---ABC---'); ! # Get an attribute, or undefined if not present: print "no id!" if defined($field->param('id')); ! # Same, but use empty string for missing values: print "no id!" if ($field->paramstr('id') eq ''); ! # Output as string: print $field->stringify, "\n"; =head1 DESCRIPTION ! This is an abstract superclass of most MIME fields. It handles fields with a general syntax like this: Content-Type: Message/Partial; ! number=2; total=3; ! id="oc=jpbe0M2Yt4s@thumper.bellcore.com" Comments are supported I items, like this: Content-Type: Message/Partial; (a comment) ! number=2 (another comment) ; (yet another comment) total=3; ! id="oc=jpbe0M2Yt4s@thumper.bellcore.com" =head1 PUBLIC INTERFACE *************** *** 100,105 **** --- 100,108 ---- # token = 1* # my $TSPECIAL = '()<>@,;:\ 3, 'id' => "ocj=pbe0M2"); ! Note that a single argument is taken to be a I to a paramhash, while multiple args are taken to be the elements of the paramhash themselves. --- 139,145 ---- 'total' => 3, 'id' => "ocj=pbe0M2"); ! Note that a single argument is taken to be a I to a paramhash, while multiple args are taken to be the elements of the paramhash themselves. 
*************** *** 160,175 **** it as a hash reference. For example, here is a field with parameters: Content-Type: Message/Partial; ! number=2; total=3; ! id="oc=jpbe0M2Yt4s@thumper.bellcore.com" Here is how you'd extract them: $params = $class->parse_params('content-type'); if ($$params{'_'} eq 'message/partial') { ! $number = $$params{'number'}; ! $total = $$params{'total'}; ! $id = $$params{'id'}; } Like field names, parameter names are coerced to lowercase. --- 166,181 ---- it as a hash reference. For example, here is a field with parameters: Content-Type: Message/Partial; ! number=2; total=3; ! id="oc=jpbe0M2Yt4s@thumper.bellcore.com" Here is how you'd extract them: $params = $class->parse_params('content-type'); if ($$params{'_'} eq 'message/partial') { ! $number = $$params{'number'}; ! $total = $$params{'total'}; ! $id = $$params{'id'}; } Like field names, parameter names are coerced to lowercase. *************** *** 181,190 **** --- 187,226 ---- =cut + sub rfc2231decode { + my($val) = @_; + my($enc, $lang, $rest); + + if ($val =~ m/^([^\']*)\'([^\']*)\'(.*)$/) { + # SHOULD REALLY DO SOMETHING MORE INTELLIGENT WITH ENCODING!!! + $enc = $1; + $lang = $2; + $rest = $3; + $rest = rfc2231percent($rest); + } elsif ($val =~ m/^([^\']*)\'([^\']*)$/) { + $enc = $1; + $rest = $2; + $rest = rfc2231percent($rest); + } else { + $rest = rfc2231percent($val); + } + return $rest; + } + + sub rfc2231percent { + # Do percent-subsitution + my($str) = @_; + $str =~ s/%([0-9a-fA-F]{2})/pack("c", hex($1))/ge; + return $str; + } + sub parse_params { my ($self, $raw) = @_; my %params = (); + my %rfc2231params = (); my $param; + my $val; + my $part; # Get raw field, and unfold it: defined($raw) or $raw = ''; *************** *** 200,208 **** $raw =~ m/\G$SPCZ\;$SPCZ/og or last; # skip leading separator $raw =~ m/\G($PARAMNAME)\s*=\s*/og or last; # give up if not a param $param = lc($1); ! $raw =~ m/\G(\"([^\"]+)\")|\G($TOKEN)|\G($ENCTOKEN)/g or last; # give up if no value ! 
my ($qstr, $str, $token, $enctoken) = ($1, $2, $3, $4); ! $params{$param} = defined($qstr) ? $str : (defined($token) ? $token : $enctoken); debug " field param <$param> = <$params{$param}>"; } --- 236,282 ---- $raw =~ m/\G$SPCZ\;$SPCZ/og or last; # skip leading separator $raw =~ m/\G($PARAMNAME)\s*=\s*/og or last; # give up if not a param $param = lc($1); ! $raw =~ m/\G(\"([^\"]+)\")|\G($ENCTOKEN)|\G($BADTOKEN)|\G($TOKEN)/g or last; # give up if no value" ! my ($qstr, $str, $enctoken, $badtoken, $token) = ($1, $2, $3, $4, $5); ! if (defined($badtoken)) { ! # Strip leading/trailing whitespace from badtoken ! $badtoken =~ s/^\s*//; ! $badtoken =~ s/\s*$//; ! } ! $val = defined($qstr) ? $str : ! (defined($enctoken) ? $enctoken : ! (defined($badtoken) ? $badtoken : $token)); ! ! # Do RFC 2231 processing ! if ($param =~ /\*/) { ! my($name, $num); ! # Pick out the parts of the parameter ! if ($param =~ m/^([^*]+)\*([^*]+)\*?$/) { ! # We have param*number* or param*number ! $name = $1; ! $num = $2; ! } else { ! # Fake a part of zero... not sure how to handle this properly ! $param =~ s/\*//g; ! $name = $param; ! $num = 0; ! } ! # Decode the value unless it was a quoted string ! if (!defined($qstr)) { ! $val = rfc2231decode($val); ! } ! $rfc2231params{$name}{$num} .= $val; ! } else { ! # Make a fake "part zero" for non-RFC2231 params ! $rfc2231params{$param}{"0"} = $val; ! } ! } ! ! # Extract reconstructed parameters ! foreach $param (keys %rfc2231params) { ! foreach $part (sort { $a <=> $b } keys %{$rfc2231params{$param}}) { ! $params{$param} .= $rfc2231params{$param}{$part}; ! } debug " field param <$param> = <$params{$param}>"; } *************** *** 227,233 **** # Allow use as constructor, for MIME::Head: ref($self) or $self = bless({}, $self); ! # Get params, and stuff them into the self object: $self->set($self->parse_params($string)); } --- 301,307 ---- # Allow use as constructor, for MIME::Head: ref($self) or $self = bless({}, $self); ! 
# Get params, and stuff them into the self object: $self->set($self->parse_params($string)); } diff -rc MIME-tools-5.411/lib/MIME/Parser.pm MIME-tools-5.411-patched4/lib/MIME/Parser.pm *** MIME-tools-5.411/lib/MIME/Parser.pm Sun Nov 12 02:55:11 2000 --- MIME-tools-5.411-patched4/lib/MIME/Parser.pm Fri Mar 7 12:44:47 2003 *************** *** 378,393 **** =item extract_nested_messages OPTION I ! Some MIME messages will contain a part of type C: literally, the text of an embedded mail/news/whatever message. This option controls whether (and how) we parse that embedded message. If the OPTION is false, we treat such a message just as if it were a C document, without attempting to decode its contents. ! If the OPTION is true (the default), the body of the C ! part is parsed by this parser, creating an entity object. ! What happens then is determined by the actual OPTION: =over 4 --- 378,394 ---- =item extract_nested_messages OPTION I ! Some MIME messages will contain a part of type C ! or C or C: literally, the text of an embedded mail/news/whatever message. This option controls whether (and how) we parse that embedded message. If the OPTION is false, we treat such a message just as if it were a C document, without attempting to decode its contents. ! If the OPTION is true (the default), the body of the C ! or C part is parsed by this parser, creating an ! entity object. What happens then is determined by the actual OPTION: =over 4 *************** *** 592,597 **** --- 593,599 ---- # # I # Process and return the next header. + # Return undef if, instead of a header, the encapsulation boundary is found. # Fatal exception on failure. # sub process_header { *************** *** 612,617 **** --- 614,623 ---- foreach (@headlines) { s/[\r\n]+\Z/\n/ } ### fold ### How did we do? 
+ if ($hdr_rdr->eos_type eq 'DELIM') { + $self->whine("bogus part, without CRLF before body"); + return; + } ($hdr_rdr->eos_type eq 'DONE') or $self->error("unexpected end of header\n"); *************** *** 983,989 **** ### Parse and add the header: my $head = $self->process_header($in, $rdr); ! $ent->head($head); ### Tweak the content-type based on context from our parent... ### For example, multipart/digest messages default to type message/rfc822: --- 989,1005 ---- ### Parse and add the header: my $head = $self->process_header($in, $rdr); ! if (not defined $head) { ! $self->debug("bogus empty part"); ! $head = $self->interface('HEAD_CLASS')->new; ! $head->mime_type('text/plain; charset=US-ASCII'); ! $ent->head($head); ! $ent->bodyhandle($self->new_body_for($head)); ! $ent->bodyhandle->open("w")->close; ! $self->results->level(-1); ! return $ent; ! } ! $ent->head($head); ### Tweak the content-type based on context from our parent... ### For example, multipart/digest messages default to type message/rfc822: *************** *** 997,1004 **** if ($type eq 'multipart') { $self->process_multipart($in, $rdr, $ent); } ! elsif (("$type/$subtype" eq "message/rfc822") && ! $self->extract_nested_messages) { $self->debug("attempting to process a nested message"); $self->process_message($in, $rdr, $ent); } --- 1013,1022 ---- if ($type eq 'multipart') { $self->process_multipart($in, $rdr, $ent); } ! elsif (("$type/$subtype" eq "message/rfc822" || ! "$type/$subtype" eq "message/external-body" || ! ("$type/$subtype" eq "message/partial" && $head->mime_attr("content-type.number") == 1)) && ! 
$self->extract_nested_messages) { $self->debug("attempting to process a nested message"); $self->process_message($in, $rdr, $ent); } diff -rc MIME-tools-5.411/lib/MIME/Words.pm MIME-tools-5.411-patched4/lib/MIME/Words.pm *** MIME-tools-5.411/lib/MIME/Words.pm Fri Nov 10 13:45:12 2000 --- MIME-tools-5.411-patched4/lib/MIME/Words.pm Fri Mar 7 12:44:10 2003 *************** *** 186,192 **** $@ = ''; ### error-return ### Collapse boundaries between adjacent encoded words: ! $encstr =~ s{(\?\=)\r?\n[ \t](\=\?)}{$1$2}gs; pos($encstr) = 0; ### print STDOUT "ENC = [", $encstr, "]\n"; --- 186,192 ---- $@ = ''; ### error-return ### Collapse boundaries between adjacent encoded words: ! $encstr =~ s{(\?\=)\s*(\=\?)}{$1$2}gs; pos($encstr) = 0; ### print STDOUT "ENC = [", $encstr, "]\n"; From mailscanner at LISTS.COM.AR Fri Mar 7 16:28:24 2003 
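Review bot: In `rfc2231percent`, added by the ParamVal.pm hunk at 181,190, `pack("c", hex($1))` uses the signed-char template, so every escape from %80 to %FF is out of range and Perl wraps it with a warning; use `pack("C", hex($1))` or `chr(hex($1))`. In the same hunk `rfc2231decode` captures `$enc` and `$lang` and then discards them, as its own comment admits, so the decoded value is a byte string in an unknown charset and callers should be told so in the pod.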
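Review bot: In the RFC 2231 block that the ParamVal.pm hunk at 200,208 adds to `parse_params`, `$num` comes from `([^*]+)` with no check that it is numeric, although the parts are later ordered with `sort { $a <=> $b }`, and a repeated section is appended with `.=` while the plain-parameter branch overwrites part "0" with `=`. The final value of a parameter that appears in both forms therefore depends on header order. Restrict the section number to `\d+` and report a repeated section through the parser's warning path instead of merging it silently.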
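Review bot: The condition added by the Parser.pm hunk at 997,1004 compares `$head->mime_attr("content-type.number") == 1` numerically, so a message/partial part that carries no `number` parameter compares an undefined value (a warning under -w) and a value such as "1x" still counts as 1. Check that the value is defined and all digits before the `==`, and add a sentence to the pod changed in hunk 378,393 saying that only fragment 1 of a partial message is parsed.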
From: mailscanner at LISTS.COM.AR (Mariano Absatz)
Date: Thu Jan 12 21:17:25 2006
Subject: MailScanner maillog error
In-Reply-To:
References: <3E68A4CD.283F7FE0@dcg.com>
Message-ID: <3E689E78.2081.6C537882@localhost>

hint: if the line says

Month day time host sendmail[pid]: ...
then the message was generated by sendmail.

Month day time host Mailscanner[pid]: ...
then the message was generated by MailScanner.

Now, this message is sendmail's, and this means that it couldn't resolve a
reverse DNS lookup (get host by address) on those addresses.

Probably, you got connections from those and sendmail tries to resolve them.

I just tried to resolve them from my dns cache resolver and none of them have
reverse entries... this is not an error condition, per se...

It is considered "bad manners" (or incompetence depending on who you ask) not
to have a reverse dns record for a mail server, and one of the first anti-spam
measures was to deny smtp connections from hosts without a reverse (or worse
still, those with a reverse that didn't match any A or CNAME for the same
host).

But as more and more incompetent sysadmins are out there, those kind of
measures rejected too much legit mail to keep them up...

On 7 Mar 2003 at 14:11, John Thewlis wrote:

> Hi
>
> Many thanks for all the help on the /etc/sasldb error, it is now fixed.
>
> When looking through the MailScanner maillog, I get the following error
> message each time an email is sent through the server:-
>
>
> Mar 7 14:05:46 ns MailScanner[18807]: New Batch: Scanning 1 messages, 3034
> bytes
> Mar 7 14:05:46 ns MailScanner[18807]: Virus and Content Scanning: Starting
> Mar 7 14:05:46 ns MailScanner[18807]: Uninfected: Delivered 1 messages
> Mar 7 14:05:46 ns sendmail[29908]: gethostbyaddr(217.114.166.33) failed: 1
> Mar 7 14:05:46 ns sendmail[29908]: gethostbyaddr(217.114.166.34) failed: 1
> Mar 7 14:05:46 ns sendmail[29908]: gethostbyaddr(217.114.166.31) failed: 1
> Mar 7 14:05:46 ns sendmail[29908]: gethostbyaddr(217.114.166.91) failed: 1
>
>
> Any ideas as to how to resolve this error?
>
> Thanks
>
> John

--
Mariano Absatz
El Baby
----------------------------------------------------------
"Walking on water and developing software from a specification are easy
if both are frozen."
  -- Edward V. Berard, "Life-Cycle Approaches"

From gerry at dorfam.ca Fri Mar 7 17:00:39 2003
From: gerry at dorfam.ca (Gerry Doris)
Date: Thu Jan 12 21:17:25 2006
Subject: sendmail update
Message-ID: <59490.129.80.22.143.1047056439.squirrel@tiger.dorfam.ca>

I hope everyone has completed their sendmail update. I saw yesterday that
scripts have now been released to the internet that will allow remote
sessions on non patched sendmail for both Redhat and SuSE.

Also, someone was banging away at my home mailserver last night. The log file
for the attempt was 89k.

Gerry

From brose at MED.WAYNE.EDU Fri Mar 7 17:14:39 2003
From: brose at MED.WAYNE.EDU (Rose, Bobby)
Date: Thu Jan 12 21:17:25 2006
Subject: MailScanner maillog error
Message-ID:

I've been using this function for a very long time without much complaint.
It's not any different than mail admins running systems that act as open
relays and are rejected. There are certain SMTP rules that should be obeyed
and if they're not then it's up to those sysadmins to learn and fix in order
to communicate unimpeded with the rest of us.

Of course, if you're blocking anything from the sendmail side, it's a good
idea to also use the delay checks feature and add spam:postmaster and
spam:abuse lines to your access file so that if there is an issue with
someone they can at least email those accounts and not be blocked. Only
problem is that if they don't know about setting their mail system up
properly then they probably don't know to send a message to postmaster.

-----Original Message-----
From: Mariano Absatz [mailto:mailscanner@LISTS.COM.AR]
Sent: Friday, March 07, 2003 11:28 AM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: MailScanner maillog error

hint: if the line says

Month day time host sendmail[pid]: ...
then the message was generated by sendmail.

Month day time host Mailscanner[pid]: ...
then the message was generated by MailScanner.

Now, this message is sendmail's, and this means that it couldn't resolve a
reverse DNS lookup (get host by address) on those addresses.

Probably, you got connections from those and sendmail tries to resolve them.

I just tried to resolve them from my dns cache resolver and none of them have
reverse entries... this is not an error condition, per se...

It is considered "bad manners" (or incompetence depending on who you ask) not
to have a reverse dns record for a mail server, and one of the first anti-spam
measures was to deny smtp connections from hosts without a reverse (or worse
still, those with a reverse that didn't match any A or CNAME for the same
host).

But as more and more incompetent sysadmins are out there, those kind of
measures rejected too much legit mail to keep them up...

On 7 Mar 2003 at 14:11, John Thewlis wrote:

> Hi
>
> Many thanks for all the help on the /etc/sasldb error, it is now
> fixed.
>
> When looking through the MailScanner maillog, I get the following
> error message each time an email is sent through the server:-
>
>
> Mar 7 14:05:46 ns MailScanner[18807]: New Batch: Scanning 1 messages,
> 3034 bytes Mar 7 14:05:46 ns MailScanner[18807]: Virus and Content
> Scanning: Starting Mar 7 14:05:46 ns MailScanner[18807]: Uninfected:
> Delivered 1 messages Mar 7 14:05:46 ns sendmail[29908]:
> gethostbyaddr(217.114.166.33) failed: 1 Mar 7 14:05:46 ns
> sendmail[29908]: gethostbyaddr(217.114.166.34) failed: 1 Mar 7
> 14:05:46 ns sendmail[29908]: gethostbyaddr(217.114.166.31) failed: 1
> Mar 7 14:05:46 ns sendmail[29908]: gethostbyaddr(217.114.166.91)
> failed: 1
>
>
> Any ideas as to how to resolve this error?
>
> Thanks
>
> John

--
Mariano Absatz
El Baby
----------------------------------------------------------
"Walking on water and developing software from a specification are easy
if both are frozen."
  -- Edward V. Berard, "Life-Cycle Approaches"

From mailscanner at ecs.soton.ac.uk Fri Mar 7 16:36:52 2003
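The reverse-lookup check described in the "MailScanner maillog error" thread above (no PTR record, or a PTR whose name does not resolve back to the same address), as an added example that is not part of any list message. The log lines are the ones John Thewlis posted; the 192.0.2.x peers, the example.net and example.org names, both DNS tables and all function names are constructed for this example.

```python
"""Attribute maillog lines to the program that wrote them, then run a
forward-confirmed reverse DNS (FCrDNS) check on the addresses sendmail
could not resolve. Resolvers are injectable so the sample runs offline."""
import ipaddress
import re
import socket
from collections import Counter

# syslog layout: "Mon DD HH:MM:SS host program[pid]: message"
LINE_RE = re.compile(
    r"^\w{3}\s+\d+\s+[\d:]{8}\s+\S+\s+"
    r"(?P<prog>[^\s\[:]+)(?:\[\d+\])?:\s+(?P<msg>.*)$")
FAIL_RE = re.compile(r"gethostbyaddr\((?P<ip>[0-9A-Fa-f.:]+)\) failed")


def failed_lookups(lines):
    """Count lines per program and collect the unique IPs sendmail failed on."""
    per_prog, ips = Counter(), []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m is None:
            continue
        prog = m.group("prog").lower()
        per_prog[prog] += 1
        hit = FAIL_RE.search(m.group("msg"))
        if prog == "sendmail" and hit and hit.group("ip") not in ips:
            ips.append(hit.group("ip"))
    return per_prog, ips


def live_reverse(ip):
    """PTR lookup through the system resolver; empty list when none exists."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
        return [name] + aliases
    except (socket.herror, socket.gaierror):
        return []


def live_forward(name):
    """Addresses the name resolves to (CNAMEs are followed by the resolver)."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None)})
    except socket.gaierror:
        return []


def _same(text, addr):
    try:
        return ipaddress.ip_address(text) == addr
    except ValueError:          # e.g. a scoped IPv6 literal on old Pythons
        return False


def fcrdns(ip, reverse=live_reverse, forward=live_forward):
    """Return (verdict, PTR owner name, PTR targets); verdict is one of
    'no-ptr', 'mismatch' (PTR exists, name does not map back) or 'ok'."""
    addr = ipaddress.ip_address(ip)
    names = reverse(ip)
    if not names:
        return "no-ptr", addr.reverse_pointer, []
    confirmed = [n for n in names if any(_same(a, addr) for a in forward(n))]
    return ("ok" if confirmed else "mismatch"), addr.reverse_pointer, names


def audit(lines, extra_ips=(), reverse=live_reverse, forward=live_forward):
    """Per-program line counts plus an FCrDNS verdict for every address."""
    per_prog, ips = failed_lookups(lines)
    verdicts = {ip: fcrdns(ip, reverse, forward)[0]
                for ip in ips + list(extra_ips)}
    return dict(per_prog), verdicts


# Log excerpt as posted in the thread.
SAMPLE_LOG = """\
Mar 7 14:05:46 ns MailScanner[18807]: New Batch: Scanning 1 messages, 3034 bytes
Mar 7 14:05:46 ns MailScanner[18807]: Virus and Content Scanning: Starting
Mar 7 14:05:46 ns MailScanner[18807]: Uninfected: Delivered 1 messages
Mar 7 14:05:46 ns sendmail[29908]: gethostbyaddr(217.114.166.33) failed: 1
Mar 7 14:05:46 ns sendmail[29908]: gethostbyaddr(217.114.166.34) failed: 1
Mar 7 14:05:46 ns sendmail[29908]: gethostbyaddr(217.114.166.31) failed: 1
Mar 7 14:05:46 ns sendmail[29908]: gethostbyaddr(217.114.166.91) failed: 1
""".splitlines()

# Constructed DNS data (documentation address ranges and example domains).
PTR_TABLE = {"192.0.2.10": ["mx.example.net"], "192.0.2.20": ["mail.example.org"]}
A_TABLE = {"mx.example.net": ["192.0.2.10"], "mail.example.org": ["198.51.100.7"]}


def table_reverse(ip):
    return PTR_TABLE.get(ip, [])


def table_forward(name):
    return A_TABLE.get(name, [])


if __name__ == "__main__":
    counts, verdicts = audit(SAMPLE_LOG, ["192.0.2.10", "192.0.2.20"],
                             table_reverse, table_forward)
    print(counts)
    for ip, verdict in verdicts.items():
        print(f"{ip:16} {verdict}")
```

Calling `audit(lines)` without the table resolvers uses the system resolver instead, which is the lookup sendmail itself was attempting when it logged the failures.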
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:25 2006
Subject: MIME-tools
In-Reply-To: <3E689BB7.1423.6C48B863@localhost>
Message-ID: <5.2.0.9.2.20030307163525.04691638@imap.ecs.soton.ac.uk>

At 16:16 07/03/2003, you wrote:
>Hi,
>
>I know this is an old one... but I have a couple of doubts about MIME-tools.
>
>For what I read, I don't want new versions of it, fine.
>
>When I browse in CPAN, I find 2 versions:
>5.411a (dated 16/11/2001)
>5.411 (dated 5/6/2001)
>
>I download them both... and find no difference, whatsoever (diff -rc)
>
>Is that a packaging problem? anybody knows?

Can't remember. Start from 5.411a as it says on mailscanner.info and then
apply the 4 patches.

>The other thing I see is that you provide 4 important security patches at:
>http://www.sng.ecs.soton.ac.uk/mailscanner/install/mime-tools-patch.txt
>http://www.sng.ecs.soton.ac.uk/mailscanner/install/mime-tools-patch2.txt
>http://www.sng.ecs.soton.ac.uk/mailscanner/install/mime-tools-patch3.txt
>http://www.sng.ecs.soton.ac.uk/mailscanner/install/mime-tools-patch4.txt
>
>Now, why don't you combine them into just one? like the one I'm attaching?
>The result should be the same and it's easier to do, isn't it?

Because they were all written at different times. If I made them into 1
patch, then it would possibly fail because some patches had been previously
applied and some hadn't. There is method in my madness (somewhere)....

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Fri Mar 7 16:12:34 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:25 2006 Subject: sendmail changing messages after MailScanner finishes... In-Reply-To: <3E68BCA8.77EDBCAE@dcg.com> References: <3E6807CD.1F851039@dcg.com> <3E680B00.D9CCB092@dcg.com> <5.2.0.9.2.20030307091454.039f2830@imap.ecs.soton.ac.uk> <5.2.0.9.2.20030307145413.028fc410@imap.ecs.soton.ac.uk> Message-ID: <5.2.0.9.2.20030307161125.04477e00@imap.ecs.soton.ac.uk> At 15:37 07/03/2003, you wrote: >Julian Field wrote: > > > > Are the files in /var/spool/mqueue set to rw-rw----? If not, then > > what? > >Sendmail picks up the messages from port 25 and puts them in mqueue.in. In >there, they are rw-------. MailScanner then picks them up from mqueue.in, >scans them (with SpamAssassin also -- so every message gets tagged even if >clean with at least the SpamAssassin tag), and then puts them back in mqueue. >When it puts them there, they are rw-rw-rw-. > > > Are *all* the files in /var/spool/mqueue 666? Or are ones that were > > infected 600? > >Well, all my files get touched because I am having MailScanner (with >SpamAssassin) add the X-MailScanner and X-MailScanner-SpamCheck tags. But, >that being said, ALL of the qf files are 666 -- and the df files are 600. > > > What are the permissions on all the files in /var/spool/mqueue.in? > >They are all 600 all the time. > > > As you see from below, MailScanner sets its own umask to give 600 > > files, specifically to stop problems like this. Try applying this patch to SMDiskStore.pm. It sets the umask again just before writing the files. --- SMDiskStore.pm.old Fri Mar 7 16:14:58 2003 +++ SMDiskStore.pm Fri Mar 7 16:17:05 2003 @@ -232,6 +232,7 @@ $hfile = $Outq . '/' . $this->{hname}; #print STDERR "tfile = $tfile and hfile = $hfile\n"; + umask 0077; # Add this to try to stop 0666 qf files $Tf = new FileHandle; MailScanner::Lock::openlock($Tf, ">$tfile", "w") or MailScanner::Log::DieLog("Cannot create + lock clean tempfile %s, %s", 
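Review bot: The `umask 0077;` added ahead of `$Tf = new FileHandle` in the hunk at 232 changes the mask for the whole process and throws away the previous value, so it hides whichever code reset the mask after startup (the main script already sets 0077, per the grep output earlier in the thread). Keep the return value, as in `my $old = umask 0077;`, and log when `$old` is not 0077 so the code path that loosened it can be found. The mask also only applies when `>$tfile` creates the file; a tfile that already exists with mode 0666 keeps that mode.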
@@ -300,6 +301,7 @@ #print STDERR "Writing MIME body of \"$id\" to $dfile\n"; + umask 0077; # Add this to try to stop 0666 df files $Df = new FileHandle; MailScanner::Lock::openlock($Df, ">$dfile", "w") or MailScanner::Log::DieLog("Cannot create + lock clean body %s, %s", -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From andersjk at SOL-INVICTUS.ORG Fri Mar 7 18:14:37 2003 From: andersjk at SOL-INVICTUS.ORG (Kevin Anderson) Date: Thu Jan 12 21:17:25 2006 Subject: Strange score In-Reply-To: <3E6795D6.5030306@bangor.ac.uk> Message-ID: thanks, that would be it... kevin On Thu, 6 Mar 2003, Martin Sapsed wrote: > Kevin Anderson wrote: > > HI all! > > > > I found a strange spam score: > > > > X-MailScanner-SpamCheck: not spam, SpamAssassin (score=-88.2, required 6, > > ALL_NATURAL, AS_SEEN_ON, CLICK_BELOW, CLICK_HERE_LINK, HAIR_LOSS, > > HGH, LINES_OF_YELLING, MISSING_MIMEOLE, NO_QS_ASKED, NO_REAL_NAME, > > SPAM_PHRASE_08_13, SUBJ_HAS_UNIQ_ID, SUPERLONG_LINE, TRACKER_ID, > > USER_AGENT_OE, USER_IN_WHITELIST, X_MSMAIL_PRIORITY_HIGH, > > X_PRIORITY_HIGH) > > > > has -88.2, auto whitelisting is off. Anything to be worried about? > > USER_IN_WHITELIST has a score of -100 IIRC? Would suggest that the > address is in SpamAssassin's whitelist? Added before you turned > auto-listing off perhaps? > > Cheers, > > Martin > > -- > Martin Sapsed > Information Services "Who do you say I am?" > University of Wales, Bangor Jesus of Nazareth > -- @ _____________________________________________ chaos, panic and disorder... my job is done... From mailscanner at LISTS.COM.AR Fri Mar 7 18:30:55 2003 
From: mailscanner at LISTS.COM.AR (Mariano Absatz)
Date: Thu Jan 12 21:17:25 2006
Subject: MIME-tools
In-Reply-To: <5.2.0.9.2.20030307163525.04691638@imap.ecs.soton.ac.uk>
References: <3E689BB7.1423.6C48B863@localhost>
Message-ID: <3E68BB2F.30508.6CC3A527@localhost>

On 7 Mar 2003 at 16:36, Julian Field wrote:

> >The other thing I see is that you provide 4 important security patches at:
> >http://www.sng.ecs.soton.ac.uk/mailscanner/install/mime-tools-patch.txt
> >http://www.sng.ecs.soton.ac.uk/mailscanner/install/mime-tools-patch2.txt
> >http://www.sng.ecs.soton.ac.uk/mailscanner/install/mime-tools-patch3.txt
> >http://www.sng.ecs.soton.ac.uk/mailscanner/install/mime-tools-patch4.txt
> >
> >Now, why don't you combine them into just one? like the one I'm attaching?
> >The result should be the same and it's easier to do, isn't it?
>
> Because they were all written at different times. If I made them into 1
> patch, then it would possibly fail because some patches had been previously
> applied and some hadn't. There is method in my madness (somewhere)....

But what I did, to generate that patch was the following (that according to
_my_ madness should be correct):

    tar xvzf MIME-tools-5.411.tar.gz
    patch -p0 < mime-tools-patch.txt
    patch -p0 < mime-tools-patch2.txt
    patch -p0 < mime-tools-patch3.txt
    patch -p0 < mime-tools-patch4.txt
    mv MIME-tools-5.411 MIME-tools-5.411-patched4

Now MIME-tools-5.411-patched4 has the completely patched MIME-tools.

If I do the following:

    tar xvzf MIME-tools-5.411.tar.gz
    diff -rc MIME-tools-5.411 MIME-tools-5.411-patched4 \
      > mime-tools-patches-1thru4.txt

now mime-tools-patches-1thru4.txt has a patch that applied to the original
module (in MIME-tools-5.411) generates the completely patched module (in
MIME-tools-5.4.11-patched4).

Am I wrong?

--
Mariano Absatz
El Baby
----------------------------------------------------------
If I held you any closer I would be on the other side of you.
  -- Groucho Marx

From mailscanner at LISTS.COM.AR Fri Mar 7 20:50:42 2003
From: mailscanner at LISTS.COM.AR (Mariano Absatz)
Date: Thu Jan 12 21:17:26 2006
Subject: typo in instructions?
Message-ID: <3E68DBF2.16951.6D43A3FF@localhost>

Hi Julian,

I'm following the instructions for manual install (in order to have a clean
installation with documented modifications of my own) and found (I think) a
typo and a probable better sort order:

In http://www.sng.ecs.soton.ac.uk/mailscanner/install/mailscanner.shtml you
list the files that have to be modified if you change the path where you
install MailScanner, but you mention
/opt/MailScanner/etc/mailscanner.conf
instead of the newer
/opt/MailScanner/etc/MailScanner.conf

OTOH, in http://www.sng.ecs.soton.ac.uk/mailscanner/install/other.shtml, I'd
change the order of steps 4 and 5, since the installation instructions for
the TNEF decoder are based on the fact that MailScanner is already installed.

Regards.

--
Mariano Absatz
El Baby
----------------------------------------------------------
Ever notice how fast Windows runs? Neither did I.

From dbowen1 at MAC.COM Fri Mar 7 21:13:27 2003
From: dbowen1 at MAC.COM (Daniel Bowen)
Date: Thu Jan 12 21:17:26 2006
Subject: Multipart Mime attachment killing MailScanner again
Message-ID: <7512413.1047071607313.JavaMail.dbowen1@mac.com>

Hi Julian,
I have encountered the problem of a single multi-part MIME attachment
message killing MailScanner. Here again I will include the error, however,
I may have some more pertinent info. I will try to include the qf file
here, and both in a tar.gz on an ftp server for you. The error is as follows:

Mar 7 14:26:37 mail MailScanner[17955]: Cannot parse /private/var/spool/MailScanner/incoming/17955/h27GA5sK025282.header and , write-open /private/var/spool/MailScanner/incoming/17955/h27GA5sK025282/LinkousGreen^@3x4^@.crtr: Invalid argument at /Library/Perl/MIME/Body.pm line 414.

One interesting thing to note is that I can't use the external TNEF
expander, as I am running on darwin Mac OS X. Here is the related portion
of MailScanner.conf, for MailScanner 4.12-2. Also it is interesting to note
that this message and the last one have been sent from Microsoft Outlook
Express for Mac containing a Multipart mime message:

# Expand TNEF attachments using an external program (or a Perl module)?
# This should be "yes" unless the scanner you are using (Sophos, McAfee) has
# the facility built-in. However, if you set it to "no", then the filenames
# within the TNEF attachment will not be checked against the filename rules.
Expand TNEF = yes

# Some versions of Microsoft Outlook generate unparsable Rich Text
# format attachments. Do we want to deliver these bad attachments anyway?
# Setting this to yes introduces the slight risk of a virus getting through,
# but if you have a lot of troubled Outlook users you might need to do this.
# We are working on a replacement for the TNEF decoder.
# This can also be the filename of a ruleset.
Deliver Unparsable TNEF = no

# Where the MS-TNEF expander is installed.
# This is EITHER the full command (including maxsize option) that runs
# the external TNEF expander binary,
# OR the keyword "internal" which will make MailScanner use the Perl
# module that does the same job.
# They are both provided as I am unsure which one is faster and which
# one is capable of expanding more file formats (there are plenty!).
#
# The --maxsize option limits the maximum size that any expanded attachment
# may be. It helps protect against Denial Of Service attacks in TNEF files.
TNEF Expander = internal
# This can also be the filename of a ruleset.
#TNEF Expander = /opt/MailScanner/bin/tnef --maxsize=100000000

# The maximum length of time the TNEF Expander is allowed to run for 1 message.
# (in seconds)
TNEF Timeout = 120

Here is the qfh27GA5sK025282, quoted to hopefully get through the scanners:

>V6
>T1047053406
>K0
>N0
>P30559
>B8BITMIME
>F8bs
>$_znet.groupz.net [216.116.255.2]
>$rESMTP
>$sznet.groupz.net
>${daemon_flags}
>${if_addr}66.4.192.160
>S
>rRFC822; xxxxx@ortn.edu
>RPFD:
>H?P?Return-Path:
>H??Received: from znet.groupz.net (znet.groupz.net [216.116.255.2])
> by mail.ortn.edu (8.12.7/8.12.6) with ESMTP id h27GA5sK025282
> for ; Fri, 7 Mar 2003 11:10:06 -0500 (EST)
>H??Received: from [192.168.154.153] (fwp1016.groupz.net [216.116.243.254])
> by znet.groupz.net (8.8.6 (PHNE_14041)/8.8.8) with ESMTP id LAA21034
> for ; Fri, 7 Mar 2003 11:09:54 -0500 (EST)
>H??User-Agent: Microsoft Outlook Express Macintosh Edition - 5.01 (1630)
>H??Date: Fri, 07 Mar 2003 11:08:59 -0500
>H??Subject: jpeg - Linkous 3x4
>H??From: xxxxx xxxxx
>H??To:
>H??Message-ID:
>H??Mime-version: 1.0
>H??Content-type: multipart/mixed;
> boundary="MS_Mac_OE_3129880139_20285474_MIME_Part"
>.

From dbowen1 at MAC.COM Fri Mar 7 21:18:56 2003
From: dbowen1 at MAC.COM (Daniel Bowen) Date: Thu Jan 12 21:17:26 2006 Subject: MailScanner maillog error Message-ID: <6486743.1047071936479.JavaMail.dbowen1@mac.com> Well, I have experienced a similar error showing the gethostbyaddr error, and it turned out to be that our DNS servers were not reverse resolving properly. The problem showed up with our mailserver's own IP in the parentheses. Check your reverse DNS resolution on the mail servers, maybe that's it. Dan Bowen Oak Ridge Schools TN On Friday, March 07, 2003, at 09:11AM, John Thewlis wrote: >Hi > >Many thanks for all the help on the /etc/sasldb error, it is now fixed. > >When looking through the MailScanner maillog, I get the following error >message each time an email is sent through the server:- > > >Mar 7 14:05:46 ns MailScanner[18807]: New Batch: Scanning 1 messages, 3034 >bytes >Mar 7 14:05:46 ns MailScanner[18807]: Virus and Content Scanning: Starting >Mar 7 14:05:46 ns MailScanner[18807]: Uninfected: Delivered 1 messages >Mar 7 14:05:46 ns sendmail[29908]: gethostbyaddr(217.114.166.33) failed: 1 >Mar 7 14:05:46 ns sendmail[29908]: gethostbyaddr(217.114.166.34) failed: 1 >Mar 7 14:05:46 ns sendmail[29908]: gethostbyaddr(217.114.166.31) failed: 1 >Mar 7 14:05:46 ns sendmail[29908]: gethostbyaddr(217.114.166.91) failed: 1 > > >Any ideas as to how to resolve this error? > >Thanks > >John > > From mailscanner at lists.com.ar Fri Mar 7 21:52:13 2003 
From: mailscanner at lists.com.ar (Mariano Absatz) Date: Thu Jan 12 21:17:26 2006 Subject: mailscanner & zmailer Message-ID: <3E68EA5D.32729.6D7BF40A@localhost> Hi Nick, a few months ago I told Julian I was interested in porting MailScanner to zmailer (http://zmailer.org) since we use it in a quite a few installations, including some medium-sized to large ISPs. He told me I should contact you since you made the port to Exim. In short, zmailer does a three step process: 1) smtpserver listening to port 25, handling only the server part and leaving received messages in a queue directory 2) router picking from that queue, making a routing decision and leaving routed messages in the corresponding output queue (you can have several of these) 3) transport agents, coordinated by a scheduler, processing the output queues as needed. Usually, TAs are simply smtp clients Now, the obvious place to put mailscanner is between 1 & 2. We have already done this with different programs developed by us (e.g. in an SMS-SMTP 2-way gateway for a cellphone company). The only different thing with what I see from a quick browse of the MS sources is that zmailer only uses 1 queue file per message (instead of 2). You have first the envelope data, then a separator line and finally the message itself. Monday morning I'll start working hard on this, hopefully even coding. What I'd like to know in order to further understand the sources is what files you modified to make the sendmail->exim port. For what I can see: Sendmail.pm => Exim.pm SMDiskStore.pm => EximDiskStore.pm Are there other things you had to modify? I don't see any pod in the files... do you have any docs on the functions in mailscanner? TIA. 
-- Mariano Absatz El Baby ---------------------------------------------------------- --------------------------------------------------------------------------| 1 1 2 3 4 5 6 7 7 0 0 0 0 0 0 0 5 --------------------------------------------------------------------------| -- The 75 column-o-meter -------------- next part -------------- An embedded message was scrubbed... From: Julian Field Subject: Re: Problems after updating to 4.01-5 Date: Tue, 22 Oct 2002 15:12:13 +0100 Size: 4505 Url: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030307/19b652f8/attachment.mht From raxie at BULACAN.PH Sat Mar 8 01:49:41 2003 From: raxie at BULACAN.PH (=?iso-8859-1?Q?Raxie=AE?=) Date: Thu Jan 12 21:17:26 2006 Subject: MailScanner and Horde/IMP References: <5.2.0.9.0.20030308044816.00af2bb8@pop.gmx.net> Message-ID: <002901c2e514$fd430650$1401a8c0@RaxPogi> Krishna, Change your $conf['mailer']['type']='sendmail' to $conf['mailer']['type']='smtp' Raxie ----- Original Message ----- From: "Krishna" To: Sent: Saturday, March 08, 2003 7:23 AM Subject: MailScanner and Horde/IMP > Hi, > I installed MailScanner on my RedHat 7.3 box running Horde/IMP cvs > version. > When I send mails through Outlook or Eudora , the mails get scanned by > MailScanner, does both Anti-Virus and Anti-Spam checks. > But when I send through Horde/IMP mailscanner does not get executed. The > mails goes without a scan via sendmail. > > Why is this happening? > > My horde configuration conf.php > > $conf['mailer']['type'] = 'sendmail'; > $conf['mailer']['params'] = array(); > $conf['mailer']['params'] = array('sendmail_path' => '/usr/sbin/sendmail'); > > regards > Krishna > http://www.KrisinDigitalAge.com From craig at STRONG-BOX.NET Sat Mar 8 02:45:26 2003 
From: craig at STRONG-BOX.NET (Craig Pratt)
Date: Thu Jan 12 21:17:26 2006
Subject: Replacing original(s) with *.rpmnew
In-Reply-To:
Message-ID: <044E6020-5110-11D7-B55E-000393B9390A@strong-box.net>

The "by the seat of your pants" form, in sh:

for file in *.rpmnew; do mv $file $(basename "$file" .rpmnew); done

Just make sure there aren't filenames with spaces in them.

A better version, which will backup any overwritten files and deal with
names with spaces:

for file in *.rpmnew; do newname=$(basename "$file" .rpmnew); mv -f "$newname" "$newname.rpmold" ; mv "$file" "$newname" ; done

Just be careful with such a thing. .rpmnew files are generated because
intelligent choices often need to be made when incorporating the .rpmnew.

For me, upgrading MS means merging all the conf files in /etc/MailScanner
and leaving the report files as-is - since I've customized them. I just
check the .rpmnew report files to ensure there are no surprises in there.

Craig

On Friday, March 7, 2003, at 03:46 PM, Nathan Johanson wrote:

> Hello,
>
> The other day I upgraded from 4.11-x to 4.13-3. As expected, Julian's
> upgrade script simplified the process. However, I noticed several
> reports had been replaced. While replacing the originals with the
> *.rpmnew files, I figured there must be a better way to do it than "mv
> filename.rpmnew filename" ; rm filename.rpmnew" for each file.
>
> There must be a way to do all *.rpmnew files in a directory with a
> short
> shell script or compound command. Can someone give me a hand with this?
> It would only be useful for files or reports I haven't changed, but
> could potentially save me a lot of keyboard tapping.
>
> Thanks in advance!
>
> Sincerely,
> Nathan Johanson
> nathan@tcpnetworks.net
>
>
> -----Original Message-----
> From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] > Sent: Friday, March 07, 2003 4:22 AM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: MailScanner and Horde/IMP > > > At 23:23 07/03/2003, you wrote: >> Hi, >> I installed MailScanner on my RedHat 7.3 box running Horde/IMP > cvs >> version. >> When I send mails through Outlook or Eudora , the mails get scanned by >> MailScanner, does both Anti-Virus and Anti-Spam checks. >> But when I send through Horde/IMP mailscanner does not get executed. > The >> mails goes without a scan via sendmail. >> >> Why is this happening? >> >> My horde configuration conf.php >> >> $conf['mailer']['type'] = 'sendmail'; >> $conf['mailer']['params'] = array(); >> $conf['mailer']['params'] = array('sendmail_path' => > '/usr/sbin/sendmail'); > > You either need to upgrade to a more recent version of sendmail, or > else > set this instead of your 3 lines above: > > $conf['mailer']['type'] = 'smtp'; > $conf['mailer']['params'] = array(); > $conf['mailer']['params'] = array('host' => 'localhost'); > > This will force IMP to talk SMTP to the host it is running on, which > will > get all its mail scanned. > -- > Julian Field > www.MailScanner.info > MailScanner thanks transtec Computers for their support > > -- > This message checked for dangerous content by MailScanner on StrongBox. > -- This message checked for dangerous content by MailScanner on StrongBox. From jgoggan at DCG.COM Sat Mar 8 06:26:15 2003 
From: jgoggan at DCG.COM (John Goggan) Date: Thu Jan 12 21:17:26 2006 Subject: sendmail changing messages after MailScanner finishes... References: <3E6807CD.1F851039@dcg.com> <3E680B00.D9CCB092@dcg.com> <5.2.0.9.2.20030307091454.039f2830@imap.ecs.soton.ac.uk> <5.2.0.9.2.20030307145413.028fc410@imap.ecs.soton.ac.uk> <5.2.0.9.2.20030307161125.04477e00@imap.ecs.soton.ac.uk> Message-ID: <3E698D07.57184BD3@dcg.com> Julian Field wrote: > Try applying this patch to SMDiskStore.pm. It sets the umask again just > before writing the files. Remember, I was running an old version of MailScanner -- v3.something. There was no SMDiskStore.pm in that version. :) So, I couldn't test your patch, sorry. However, I did rollback to sendmail v8.11.5 that was working fine before and found that I STILL had the problem. It was therefore my upgrading of SpamAssassin that seemed to cause the problem. I finally took the time to do sendmail right (I've been using an old style sendmail.cf forever without a matching .mc file) -- I started from scratch with a clean mc and have sendmail running as recommend with 8.12.8. I then installed the latest MailScanner. And, now, everything is working just great! So, I'm all set now. Just needed to take the time to upgrade everything instead of doing it piecemeal... Thanks for your help! - John... From support at INVICTANET.CO.UK Sat Mar 8 10:50:40 2003 
From: support at INVICTANET.CO.UK (InvictaNet Customer Support) Date: Thu Jan 12 21:17:26 2006 Subject: rules Message-ID: Sorry if this has been asked before. In the rules examples, I note that the default seems to be always at the bottom of the file. Is this a requirement or can it be anywhere in the list? Martyn Routley ----------------------------------------------------------------- InvictaNet - The Internet in Plain English, Guaranteed http://www.invictanet.co.uk martyn@support.invictanet.co.uk phone: 08707 440180 fax: 08707 440181 Ask us about our online Antivirus and Junk mail scanning service ----------------------------------------------------------------- ------------------------------------------------- This message has been scanned for viruses and dangerous content by the http://www.anti84787.com MailScanner, and is believed to be clean. ------------------------------------------------- From nathan at TCPNETWORKS.NET Fri Mar 7 23:46:45 2003 From: nathan at TCPNETWORKS.NET (Nathan Johanson) Date: Thu Jan 12 21:17:26 2006 Subject: Replacing original(s) with *.rpmnew Message-ID: Hello, The other day I upgraded from 4.11-x to 4.13-3. As expected, Julian's upgrade script simplified the process. However, I noticed several reports had been replaced. While replacing the originals with the *.rpmnew files, I figured there must be a better way to do it than "mv filename.rpmnew filename" ; rm filename.rpmnew" for each file. There must be a way to do all *.rpmnew files in a directory with a short shell script or compound command. Can someone give me a hand with this? It would only be usefuly for files or reports I haven't changed, but could potentially save me a lot of keyboard tapping. Thanks in advance! Sincerely, Nathan Johanson nathan@tcpnetworks.net -----Original Message----- 
From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] Sent: Friday, March 07, 2003 4:22 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: MailScanner and Horde/IMP At 23:23 07/03/2003, you wrote: >Hi, > I installed MailScanner on my RedHat 7.3 box running Horde/IMP cvs >version. >When I send mails through Outlook or Eudora , the mails get scanned by >MailScanner, does both Anti-Virus and Anti-Spam checks. >But when I send through Horde/IMP mailscanner does not get executed. The >mails goes without a scan via sendmail. > >Why is this happening? > >My horde configuration conf.php > >$conf['mailer']['type'] = 'sendmail'; >$conf['mailer']['params'] = array(); > $conf['mailer']['params'] = array('sendmail_path' => '/usr/sbin/sendmail'); You either need to upgrade to a more recent version of sendmail, or else set this instead of your 3 lines above: $conf['mailer']['type'] = 'smtp'; $conf['mailer']['params'] = array(); $conf['mailer']['params'] = array('host' => 'localhost'); This will force IMP to talk SMTP to the host it is running on, which will get all its mail scanned. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Sat Mar 8 13:30:48 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:26 2006 Subject: typo in instructions? In-Reply-To: <3E68DBF2.16951.6D43A3FF@localhost> Message-ID: <5.2.0.9.2.20030308133034.0251dbe0@imap.ecs.soton.ac.uk> Thanks for the corrections. Both applied. At 20:50 07/03/2003, you wrote: >Hi Julian, > >I'm following the instructions for manual install (in order to have a clean >installation with documented modifications of my own) and found (I think) a >typo and a probable better sort order: > >In http://www.sng.ecs.soton.ac.uk/mailscanner/install/mailscanner.shtml you >list the files that have to be modified if you change the path where you >install MailScanner, but you mention /opt/MailScanner/etc/mailscanner.conf >instead of the newer /opt/MailScanner/etc/MailScanner.conf > >OTOH, in http://www.sng.ecs.soton.ac.uk/mailscanner/install/other.shtml, I'd >change the order of steps 4 and 5, since the installation instructions for >the TNEF decoder is based in that MailScanner is already installed. > >Regards. > > >-- >Mariano Absatz >El Baby >---------------------------------------------------------- >Ever notice how fast Windows runs? Neither did I. -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Sat Mar 8 13:40:55 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:26 2006 Subject: rules In-Reply-To: Message-ID: <5.2.0.9.2.20030308134021.024eb130@imap.ecs.soton.ac.uk> At 10:50 08/03/2003, you wrote: >In the rules examples, I note that the default seems to be always at the >bottom of the file. Is this a requirement or can it be anywhere in the list? Anywhere you like. -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Sat Mar 8 13:14:51 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:26 2006
Subject: Replacing original(s) with *.rpmnew
In-Reply-To:
Message-ID: <5.2.0.9.2.20030308131324.02502e90@imap.ecs.soton.ac.uk>

At 23:46 07/03/2003, you wrote:
>Hello,
>
>The other day I upgraded from 4.11-x to 4.13-3. As expected, Julian's
>upgrade script simplified the process. However, I noticed several
>reports had been replaced. While replacing the originals with the
>*.rpmnew files, I figured there must be a better way to do it than "mv
>filename.rpmnew filename" ; rm filename.rpmnew" for each file.

It only puts in an rpmnew if you have modified or otherwise changed the
original file (loading it into an editor and saving it unchanged will
modify the datestamp, which is enough).

>There must be a way to do all *.rpmnew files in a directory with a short
>shell script or compound command. Can someone give me a hand with this?
>It would only be useful for files or reports I haven't changed, but
>could potentially save me a lot of keyboard tapping.

for NEW in *.rpmnew
do
  echo "$NEW ..."
  # Strip only the trailing .rpmnew suffix to get the live filename
  F=`echo "$NEW" | sed -e 's/\.rpmnew$//'`
  # Keep any existing file as .rpmold before replacing it
  [ -f "$F" ] && mv -f "$F" "${F}.rpmold"
  mv -f "$NEW" "$F"
done
exit

>Thanks in advance!
>
>Sincerely,
>Nathan Johanson
>nathan@tcpnetworks.net
>
>
>-----Original Message-----
>From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] >Sent: Friday, March 07, 2003 4:22 AM >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Re: MailScanner and Horde/IMP > > >At 23:23 07/03/2003, you wrote: > >Hi, > > I installed MailScanner on my RedHat 7.3 box running Horde/IMP >cvs > >version. > >When I send mails through Outlook or Eudora , the mails get scanned by > >MailScanner, does both Anti-Virus and Anti-Spam checks. > >But when I send through Horde/IMP mailscanner does not get executed. >The > >mails goes without a scan via sendmail. > > > >Why is this happening? > > > >My horde configuration conf.php > > > >$conf['mailer']['type'] = 'sendmail'; > >$conf['mailer']['params'] = array(); > > $conf['mailer']['params'] = array('sendmail_path' => >'/usr/sbin/sendmail'); > >You either need to upgrade to a more recent version of sendmail, or else >set this instead of your 3 lines above: > >$conf['mailer']['type'] = 'smtp'; >$conf['mailer']['params'] = array(); >$conf['mailer']['params'] = array('host' => 'localhost'); > >This will force IMP to talk SMTP to the host it is running on, which >will >get all its mail scanned. >-- >Julian Field >www.MailScanner.info >MailScanner thanks transtec Computers for their support -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030308/5050ae82/attachment.html From mailscanner at ecs.soton.ac.uk Sat Mar 8 13:45:38 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:26 2006 Subject: Multipart Mime attachment killing MailScanner again In-Reply-To: <7512413.1047071607313.JavaMail.dbowen1@mac.com> Message-ID: <5.2.0.9.2.20030308134315.026f1f50@imap.ecs.soton.ac.uk> At 21:13 07/03/2003, you wrote: >Hi Julian, > I have encountered the problem of a single multi-part MIME > attachement message killing MailScanner. Here again I will include the > error, however, I may have some more pertinent info. I will try to > include the qf file here, and both in a tar.gz on an ftp server fo > you. The error is as follows: Can you give me the ftp location please? Also, what version are you running? What O/S are you running (and what version of that)? >Mar 7 14:26:37 mail MailScanner[17955]: Cannot parse >/private/var/spool/MailScanner/incoming/17955/h27GA5sK025282.header and , >write-open >/private/var/spool/MailScanner/incoming/17955/h27GA5sK025282/LinkousGreen^@3x4^@.crtr: >Invalid argument at /Library/Perl/MIME/Body.pm line 414. > >One interesting thing to note is that I can't use the external TNEF >expander, as I am running on darwin Mac OS X. Here is the related portion >of MailScanner.conf, for MailScanner 4.12-2. Does it not compile correctly? The source distribution of tnef (with the "--maxsize" patch applied) is in the bin directory in the MailScanner distribution. > Also it is interesting to note that this message and the last one have > been sent from Microsoft Outlook Express for Mac containing a Multipart > mime message: > ># Expand TNEF attachments using an external program (or a Perl module)? ># This should be "yes" unless the scanner you are using (Sophos, McAfee) has ># the facility built-in. However, if you set it to "no", then the filenames ># within the TNEF attachment will not be checked against the filename rules. >Expand TNEF = yes > ># Some versions of Microsoft Outlook generate unparsable Rich Text ># format attachments. 
Do we want to deliver these bad attachments anyway? ># Setting this to yes introduces the slight risk of a virus getting through, ># but if you have a lot of troubled Outlook users you might need to do this. ># We are working on a replacement for the TNEF decoder. ># This can also be the filename of a ruleset. >Deliver Unparsable TNEF = no > ># Where the MS-TNEF expander is installed. ># This is EITHER the full command (including maxsize option) that runs ># the external TNEF expander binary, ># OR the keyword "internal" which will make MailScanner use the Perl ># module that does the same job. ># They are both provided as I am unsure which one is faster and which ># one is capable of expanding more file formats (there are plenty!). ># ># The --maxsize option limits the maximum size that any expanded attachment ># may be. It helps protect against Denial Of Service attacks in TNEF files. >TNEF Expander = internal ># This can also be the filename of a ruleset. >#TNEF Expander = /opt/MailScanner/bin/tnef --maxsize=100000000 > ># The maximum length of time the TNEF Expander is allowed to run for 1 >message. 
># (in seconds) >TNEF Timeout = 120 > > >Here is the qfh27GA5sK025282, quoted to hopefully get through the scanners: > > >V6 > >T1047053406 > >K0 > >N0 > >P30559 > >B8BITMIME > >F8bs > >$_znet.groupz.net [216.116.255.2] > >$rESMTP > >$sznet.groupz.net > >${daemon_flags} > >${if_addr}66.4.192.160 > >S > >rRFC822; xxxxx@ortn.edu > >RPFD: > >H?P?Return-Path: > >H??Received: from znet.groupz.net (znet.groupz.net [216.116.255.2]) > > by mail.ortn.edu (8.12.7/8.12.6) with ESMTP id h27GA5sK025282 > > for ; Fri, 7 Mar 2003 11:10:06 -0500 (EST) > >H??Received: from [192.168.154.153] (fwp1016.groupz.net [216.116.243.254]) > > by znet.groupz.net (8.8.6 (PHNE_14041)/8.8.8) with ESMTP id LAA21034 > > for ; Fri, 7 Mar 2003 11:09:54 -0500 (EST) > >H??User-Agent: Microsoft Outlook Express Macintosh Edition - 5.01 (1630) > >H??Date: Fri, 07 Mar 2003 11:08:59 -0500 > >H??Subject: jpeg - Linkous 3x4 > >H??From: xxxxx xxxxx > >H??To: > >H??Message-ID: > >H??Mime-version: 1.0 > >H??Content-type: multipart/mixed; > > boundary="MS_Mac_OE_3129880139_20285474_MIME_Part" > >. -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support From Jan-Peter.Koopmann at SECEIDOS.DE Sat Mar 8 14:53:49 2003 
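Added example (not MailScanner or MIME-tools code): one way a scanner can derive a safe on-disk name from a sender-supplied attachment filename like the one in the log line above, assuming the ^@ in that path are NUL bytes carried over from the attachment name. The function names, the sample message and the replacement policy are assumptions made for this illustration.

```python
"""Added example: choose a safe on-disk name for a MIME attachment."""
import os
import re
import tempfile
from email import message_from_bytes

# Constructed sample message. The attachment filename holds two NUL bytes,
# mirroring the "LinkousGreen^@3x4^@.crtr" path in the log line above.
SAMPLE = (
    b"From: sender@example.org\r\n"
    b"To: rcpt@example.org\r\n"
    b"Subject: constructed sample\r\n"
    b"Mime-version: 1.0\r\n"
    b'Content-type: multipart/mixed; boundary="SAMPLE_BOUNDARY"\r\n'
    b"\r\n"
    b"--SAMPLE_BOUNDARY\r\n"
    b"Content-type: text/plain\r\n"
    b"\r\n"
    b"body\r\n"
    b"--SAMPLE_BOUNDARY\r\n"
    b"Content-type: application/octet-stream\r\n"
    b'Content-disposition: attachment; filename="LinkousGreen\x003x4\x00.crtr"\r\n'
    b"Content-transfer-encoding: base64\r\n"
    b"\r\n"
    b"aGVsbG8=\r\n"
    b"--SAMPLE_BOUNDARY--\r\n"
)

_CONTROL = re.compile(r"[\x00-\x1f\x7f]")


def safe_attachment_name(raw, index, max_len=100):
    """Map an untrusted attachment name to a plain file name.

    Directory parts (either slash style) are dropped, NUL and other control
    characters become "_", leading dots are removed, and an empty result
    falls back to "attachment-<index>".
    """
    name = (raw or "").replace("\\", "/").rsplit("/", 1)[-1]
    name = _CONTROL.sub("_", name).strip().lstrip(".")
    if len(name) > max_len:
        stem, ext = os.path.splitext(name)
        ext = ext[:16]
        name = stem[: max_len - len(ext)] + ext
    return name or f"attachment-{index}"


def store_attachments(msg, dest_dir):
    """Write every named part of msg into dest_dir.

    Returns (raw_name, stored_name) pairs so the caller can log each name
    that had to be rewritten. Passing the raw name straight to open() would
    raise ValueError in Python because of the embedded NUL byte.
    """
    stored = []
    for index, part in enumerate(msg.walk(), start=1):
        raw = part.get_filename()
        if part.is_multipart() or raw is None:
            continue
        name = safe_attachment_name(raw, index)
        stem, ext = os.path.splitext(name)
        candidate, suffix = name, 1
        while True:
            path = os.path.join(dest_dir, candidate)
            try:
                # O_EXCL: never overwrite a file written for an earlier part.
                fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
                break
            except FileExistsError:
                candidate = f"{stem}-{suffix}{ext}"
                suffix += 1
        with os.fdopen(fd, "wb") as handle:
            handle.write(part.get_payload(decode=True) or b"")
        stored.append((raw, candidate))
    return stored


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as spool:
        for raw, kept in store_attachments(message_from_bytes(SAMPLE), spool):
            print(f"{raw!r} stored as {kept!r}")
```

A raw name that differs from the stored name is worth logging, since ordinary mail clients rarely put control characters or path components in an attachment filename.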
From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann)
Date: Thu Jan 12 21:17:26 2006
Subject: More info
Message-ID: <4E7026FF8A422749B1553FE508E0068007EED9@message.intern.akctech.de>

Hi Julian,

one more thing. I changed the name of the mcafee-wrapper script to see what
happened...

Mar 8 15:50:46 proxy MailScanner[91306]: New Batch: Scanning 1 messages, 2242 bytes
Mar 8 15:50:46 proxy MailScanner[91306]: Spam Checks: Starting
Mar 8 15:50:46 proxy MailScanner[91306]: Virus and Content Scanning: Starting
Mar 8 15:50:46 proxy MailScanner[92301]: Commercial virus checker failed with real error: Can't run commercial checker mcafee ("/usr/local/MailScanner/lib/mcafee-wrapper"): No such file or directory at MailScanner/SweepViruses.pm line 464.
Mar 8 15:50:47 proxy MailScanner[91306]: Uninfected: Delivered 1 messages

It could not start it so why the hell is the e-mail sent? Maybe this is
somehow related?

Remains the issue with the filename.rules.conf... I am using the standard
distribution one but still all .com attachments are sent out as normal.

Regards,
JP

From Jan-Peter.Koopmann at SECEIDOS.DE Sat Mar 8 14:44:38 2003
From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann)
Date: Thu Jan 12 21:17:26 2006
Subject: HELP - Viruses are not detected
Message-ID: <4E7026FF8A422749B1553FE508E0068007EED6@message.intern.akctech.de>

Hi,

I just noticed something very strange: the filename.rules.conf is not
obeyed and no viruses are caught (tested with EICAR). This is incoming
and outgoing... I first noticed this with 4.13-3. Could this be a bug?

My config should be ok.

Virus Scanning = yes
Virus Scanners = mcafee f-prot
Filename Rules = /usr/local/MailScanner/etc/filename.rules.conf
Virus Scanner Definitions = /usr/local/MailScanner/etc/virus.scanners.conf

This is the virus.scanners.conf:

# This is a list of the names of the virus scanning engines, along with the
# filename of the command or script to run to invoke each one.
sophos /opt/MailScanner/lib/sophos-wrapper
f-prot /usr/local/MailScanner/lib/f-prot-wrapper
mcafee /usr/local/MailScanner/lib/mcafee-wrapper
rav /opt/MailScanner/lib/rav-wrapper
kaspersky /opt/MailScanner/lib/kaspersky-wrapper
panda /opt/MailScanner/lib/panda-wrapper
f-secure /opt/MailScanner/lib/f-secure-wrapper
clamav /opt/MailScanner/lib/clamav-wrapper
trend /opt/MailScanner/lib/trend-wrapper
antivir /usr/lib/Antivir/antivir
none /bin/false

I checked this and running /usr/local/MailScanner/lib/mcafee-wrapper on
the eicar test file works and reports this as a virus.

What am I missing here? I switched from sendmail to exim, could this
have to do anything with it?

Help please,
Jan-Peter

From lists at STHOMAS.NET Sat Mar 8 16:11:13 2003
From: lists at STHOMAS.NET (Steve Thomas) Date: Thu Jan 12 21:17:26 2006 Subject: HELP - Viruses are not detected In-Reply-To: <4E7026FF8A422749B1553FE508E0068007EED6@message.intern.akctech.de> Message-ID: <000201c2e58d$58269c30$02001fac@winxp> | I switched from sendmail to exim, | could this have to do anything with it? I saw that when I set up a test machine with exim. It turned out to be a exim/MS config problem. First thing, check to see whether or not you're getting any X-MailScanner headers in messages that get delivered. If you are, the mail's getting scanned and you have a problem with your virus scanner or something. If not, did you read the docs about setting up MS with exim? You can't just drop in exim and have MS work with it like it did with sendmail. You didn't mention anything about your configuration, so it's difficult to diagnose what the problem might be. I'd be happy to help if you can give some more details on your setup. Steve From lists at STHOMAS.NET Sat Mar 8 18:03:05 2003 
From: lists at STHOMAS.NET (Steve Thomas) Date: Thu Jan 12 21:17:26 2006 Subject: HELP - Viruses are not detected In-Reply-To: <4E7026FF8A422749B1553FE508E0068007EEDE@message.intern.akctech.de>; from Jan-Peter.Koopmann@SECEIDOS.DE on Sat, Mar 08, 2003 at 06:45:31PM +0100 References: <4E7026FF8A422749B1553FE508E0068007EEDE@message.intern.akctech.de> Message-ID: <20030308100305.A15485@sthomas.net> On Sat, Mar 08, 2003 at 06:45:31PM +0100, Jan-Peter Koopmann is rumored to have said: > > > First thing, check to see whether or not you're getting any > > X-MailScanner headers in messages that get delivered. > > I am. Spam check is working as well. Then you're having a different problem than I was seeing. I was hoping that you weren't, then I'd be able to help much more.. :\ > > If you are, the mail's getting scanned and you have a problem > > with your virus scanner or something. > > I opt for "or something". :-) The virus scanners are obviously called. > Moreover the filename.rules.conf is ignored as well which should not > have anything to do with the virus scanners. The only thing I can think of is permissions. Does your log file show anything out of the ordinary? I'm fairly new to MS (only been using it for a couple of weeks), so I doubt I'll be much help since you're experiencing something different than what I was seeing. One thing you could check is the wrapper for your virus scanner. I use sophos, and had to change the paths in the wrapper for it. If you can call -wrapper and successfully catch eicar, then it's working OK. Other than that, I don't think I'll be of much help.. -- Steve Thomas steve at sthomas dot net ---------------------------------------------------------- "...subatomic matter in a particle accelerator that exists for only a few microseconds seems to exhibit more uptime than the RIAA's website." -- Andrew Orlowski TheRegister.co.uk From Jan-Peter.Koopmann at SECEIDOS.DE Sat Mar 8 17:45:31 2003 
From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann) Date: Thu Jan 12 21:17:26 2006 Subject: HELP - Viruses are not detected Message-ID: <4E7026FF8A422749B1553FE508E0068007EEDE@message.intern.akctech.de> Hi, > I saw that when I set up a test machine with exim. It turned > out to be a exim/MS config problem. I hope so... > First thing, check to see whether or not you're getting any > X-MailScanner headers in messages that get delivered. I am. Spam check is working as well. > If you are, the mail's getting scanned and you have a problem > with your virus scanner or something. I opt for "or something". :-) The virus scanners are obviously called. Moreover the filename.rules.conf is ignored as well which should not have anything to do with the virus scanners. > I'd be happy to help if you can give some more details on your setup. What would you like to know? And by the way: Thanks for the quick response. Regards, JP From mailscanner at ecs.soton.ac.uk Sat Mar 8 18:19:33 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:26 2006
Subject: HELP - Viruses are not detected
In-Reply-To: <4E7026FF8A422749B1553FE508E0068007EED6@message.intern.akctech.de>
Message-ID: <5.2.0.9.2.20030308181543.02268688@imap.ecs.soton.ac.uk>

At 14:44 08/03/2003, you wrote:
>Hi,
>
>I just noticed something very strange: the filename.rules.conf is not
>obeyed and no viruses are caught (tested with EICAR). This is incoming
>and outgoing... I first noticed this with 4.13-3. Could this be a bug?
>
>My config should be ok.
>
>Virus Scanning = yes
>Virus Scanners = mcafee f-prot
>Filename Rules = /usr/local/MailScanner/etc/filename.rules.conf
>Virus Scanner Definitions =
>/usr/local/MailScanner/etc/virus.scanners.conf

By default these files are in /opt/MailScanner, not /usr/local/MailScanner. If you are really using /usr/local/MailScanner/etc for these, where have you put the -wrapper scripts? Does the location of your -wrapper scripts match with the contents of your virus.scanners.conf file? If you are using a mixture of /opt and /usr/local, that could cause you all sorts of problems with settings not matching up with the right locations.

It looks like you have got the 2 directories confused a bit.

In the conf file you mailed me, you hadn't set the "Run as user" or "run as group" options, which are normally used for Exim setups.

>This is the virus.scanners.conf:
>
># This is a list of the names of the virus scanning engines, along with
>the
># filename of the command or script to run to invoke each one.
>sophos /opt/MailScanner/lib/sophos-wrapper
>f-prot /usr/local/MailScanner/lib/f-prot-wrapper
>mcafee /usr/local/MailScanner/lib/mcafee-wrapper
>rav /opt/MailScanner/lib/rav-wrapper
>kaspersky /opt/MailScanner/lib/kaspersky-wrapper
>panda /opt/MailScanner/lib/panda-wrapper
>f-secure /opt/MailScanner/lib/f-secure-wrapper
>clamav /opt/MailScanner/lib/clamav-wrapper
>trend /opt/MailScanner/lib/trend-wrapper
>antivir /usr/lib/Antivir/antivir
>none /bin/false
>
>I checked this and running /usr/local/MailScanner/lib/mcafee-wrapper on
>the eicar test file works and reports this as a virus.
>
>What am I missing here? I switched from sendmail to exim, could this
>have to do anything with it?
>
>Help please,
> Jan-Peter

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

From Jan-Peter.Koopmann at SECEIDOS.DE Sat Mar 8 18:47:05 2003
From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann)
Date: Thu Jan 12 21:17:26 2006
Subject: HELP - Viruses are not detected
Message-ID: <4E7026FF8A422749B1553FE508E0068007EEE8@message.intern.akctech.de>

Hi Julian,

> By default these files are in /opt/MailScanner, not
> /usr/local/MailScanner.

I know.

> If you are really using
> /usr/local/MailScanner/etc for these, where have you put the
> -wrapper scripts?

In /usr/local/MailScanner/lib

> Does the location of your -wrapper scripts
> match with the contents of your virus.scanners.conf file?

It does, I checked.

> If
> you are using a mixture of /opt and /usr/local, that could
> cause you all sorts of problems with settings not matching up
> with the right locations.

I checked all locations and am running this config for months now. No problems so far.

I put some trace statements into the mcafee-wrapper script and I am positive that it is being called:

--recursive --ignore-links --analyze --mime --secure --noboot .
PWD:/usr/local/MailScanner-4.13.3/lib
$0:/usr/local/MailScanner/lib/mcafee-wrapper
$1:--recursive
$2:--ignore-links
$3:--analyze
$4:--mime
$5:--secure
$7:.

Should PWD not be something like /var/spool/MailScanner/incoming or so?

Moreover, if I change the name of that wrapper script, MailScanner gives me an error. And: Even if there were a config error with /usr/local and /opt, should the filename rules not be obeyed? They are not.

> It looks like you have got the 2 directories confused a bit.

Don't think so but in case I just linked /usr/local/MailScanner to /opt/MailScanner. Still no change.

> In the conf file you mailed me, you hadn't set the "Run as
> user" or "run as group" options, which are normally used for
> Exim setups.

Just changed that as well. No change.

Sure this is no bug?

Thanks for the quick help over the weekend. I appreciate this a lot.

Regards,
  JP

From nathan at TCPNETWORKS.NET Sat Mar 8 18:48:03 2003
From: nathan at TCPNETWORKS.NET (Nathan Johanson)
Date: Thu Jan 12 21:17:26 2006
Subject: Replacing original(s) with *.rpmnew
Message-ID:

Thanks! For some reason, this last upgrade replaced most of the reports in 3-4 of the languages. While it's unlikely I'll ever use these other languages, I figured it would be smart to go with the latest versions in all cases (and renaming them one-by-one seemed to beg for a more efficient method).

Next on the agenda...learn some shell scripting.

Sincerely,
Nathan Johanson
Email: nathan@tcpnetworks.net

-----Original Message-----
From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK]
Sent: Sat 3/8/2003 5:14 AM
To: MAILSCANNER@JISCMAIL.AC.UK
Cc:
Subject: Re: Replacing original(s) with *.rpmnew

At 23:46 07/03/2003, you wrote:

Hello,

The other day I upgraded from 4.11-x to 4.13-3. As expected, Julian's upgrade script simplified the process. However, I noticed several reports had been replaced. While replacing the originals with the *.rpmnew files, I figured there must be a better way to do it than "mv filename.rpmnew filename" ; rm filename.rpmnew" for each file.

It only puts in an rpmnew if you have modified or otherwise changed the original file (loading it into an editor and saving it unchanged will modify the datestamp, which is enough).

There must be a way to do all *.rpmnew files in a directory with a short shell script or compound command. Can someone give me a hand with this? It would only be useful for files or reports I haven't changed, but could potentially save me a lot of keyboard tapping.

for NEW in *.rpmnew
do
  # Skip the unexpanded pattern when no *.rpmnew file exists
  [ -f "$NEW" ] || continue
  echo "$NEW ..."
  # Strip only the trailing .rpmnew suffix
  F=`echo "$NEW" | sed -e 's/\.rpmnew$//'`
  # Keep the current file as .rpmold, then move the new one into place
  [ -f "$F" ] && mv -f "$F" "${F}.rpmold"
  mv -f "$NEW" "$F"
done
exit

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Sat Mar 8 18:57:25 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:26 2006
Subject: HELP - Viruses are not detected
In-Reply-To: <4E7026FF8A422749B1553FE508E0068007EEE8@message.intern.akctech.de>
Message-ID: <5.2.0.9.2.20030308185529.022b3a30@imap.ecs.soton.ac.uk>

Can you give me access to your mail server? It's usually a lot faster for me to take a look and try things out directly on your server than have an endless "How about this?" discussion.

At 18:47 08/03/2003, you wrote:
>Hi Julian,
>
> > By default these files are in /opt/MailScanner, not
> > /usr/local/MailScanner.
>
>I know.
>
> > If you are really using
> > /usr/local/MailScanner/etc for these, where have you put the
> > -wrapper scripts?
>
>In /usr/local/MailScanner/lib
>
>
> > Does the location of your -wrapper scripts
> > match with the contents of your virus.scanners.conf file?
>
>It does, I checked.
>
> > If
> > you are using a mixture of /opt and /usr/local, that could
> > cause you all sorts of problems with settings not matching up
> > with the right locations.
>
>I checked all locations and am running this config for months now. No
>problems so far.
>
>I put some trace statements into the mcafee-wrapper script and I am
>positive that it is being called:
>
>--recursive --ignore-links --analyze --mime --secure --noboot .
>PWD:/usr/local/MailScanner-4.13.3/lib
>$0:/usr/local/MailScanner/lib/mcafee-wrapper
>$1:--recursive
>$2:--ignore-links
>$3:--analyze
>$4:--mime
>$5:--secure
>$7:.
>
>Should PWD not be something like /var/spool/MailScanner/incoming or so?
>
>Moreover, if I change the name of that wrapper script, MailScanner gives
>me an error. And: Even if there were a config error with /usr/local and
>/opt, should the filename rules not be obeyed? They are not.
>
> > It looks like you have got the 2 directories confused a bit.
>
>Don't think so but in case I just linked /usr/local/MailScanner to
>/opt/MailScanner. Still no change.
>
> > In the conf file you mailed me, you hadn't set the "Run as
> > user" or "run as group" options, which are normally used for
> > Exim setups.
>
>Just changed that as well. No change.
>
>Sure this is no bug?
>
>Thanks for the quick help over the weekend. I appreciate this a lot.
>
>Regards,
> JP

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

From Jan-Peter.Koopmann at SECEIDOS.DE Sat Mar 8 18:59:55 2003
From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann)
Date: Thu Jan 12 21:17:26 2006
Subject: HELP - Viruses are not detected
Message-ID: <4E7026FF8A422749B1553FE508E0068007EEEE@message.intern.akctech.de>

> Can you give me access to your mail server? It's usually a
> lot faster for me to take a look and try things out directly
> on your server than have an endless "How about this?" discussion.

I was afraid you would ask this and unfortunately at the moment that is not possible... Are there some sort of traces I could activate? Any sort of debug mode that would help?

Thanks,
  JP

From support at INVICTANET.CO.UK Sat Mar 8 21:56:16 2003
From: support at INVICTANET.CO.UK (InvictaNet Customer Support)
Date: Thu Jan 12 21:17:26 2006
Subject: HELP - Viruses are not detected
In-Reply-To: <5.2.0.9.2.20030308181543.02268688@imap.ecs.soton.ac.uk>
Message-ID:

Julian wrote:
>
> By default these files are in /opt/MailScanner, not
> /usr/local/MailScanner. If you are really using
> /usr/local/MailScanner/etc for these, where have you put the -wrapper
> scripts? Does the location of your -wrapper scripts match with the
> contents of your virus.scanners.conf file? If you are using a mixture
> of /opt and /usr/local, that could cause you all sorts of problems
> with settings not matching up with the right locations.
>
> It looks like you have got the 2 directories confused a bit.
>

It possibly won't help Jan-Peter, but I also have a mixed configuration.
On my MailScanner server, I am running FreeBSD 4.7, Sophos, F-Prot, Sendmail 8.12.8 and MailScanner 4.13-3
I upgraded Sendmail because of the Security Alert. This, combined with the Sophos change seemed to break my MailScanner 3.x so I decided to go the whole way and move to MailScanner 4.

Because of different paths in the source package and on my server etc. I have now ended up with:
MailScanner is actually installed in /usr/local/MailScanner-4.13-3
/opt is linked to /usr/local
mailscanner and MailScanner are linked to MailScanner-4.13-3

So far, everything seems to be working fine. I do wonder though if I am heading for a fall - advice would be appreciated from anyone who might have considered this method.
Martyn Routley ----------------------------------------------------------------- InvictaNet - The Internet in Plain English, Guaranteed http://www.invictanet.co.uk martyn@support.invictanet.co.uk phone: 08707 440180 fax: 08707 440181 Ask us about our online Antivirus and Junk mail scanning service ----------------------------------------------------------------- ------------------------------------------------- This message has been scanned for viruses and dangerous content by the http://www.anti84787.com MailScanner, and is believed to be clean. ------------------------------------------------- From mailscanner at ecs.soton.ac.uk Sat Mar 8 22:16:21 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:26 2006
Subject: HELP - Viruses are not detected
In-Reply-To:
References: <5.2.0.9.2.20030308181543.02268688@imap.ecs.soton.ac.uk>
Message-ID: <5.2.0.9.2.20030308221256.02729d90@imap.ecs.soton.ac.uk>

At 21:56 08/03/2003, you wrote:
>Julian wrote:
> >
> > By default these files are in /opt/MailScanner, not
> > /usr/local/MailScanner. If you are really using
> > /usr/local/MailScanner/etc for these, where have you put the -wrapper
> > scripts? Does the location of your -wrapper scripts match with the
> > contents of your virus.scanners.conf file? If you are using a mixture
> > of /opt and /usr/local, that could cause you all sorts of problems
> > with settings not matching up with the right locations.
> >
> > It looks like you have got the 2 directories confused a bit.
> >
>
>It possibly won't help Jan-Peter, but I also have a mixed configuration.
>On my MailScanner server, I am running FreeBSD 4.7, Sophos, F-Prot, Sendmail
>8.12.8 and MailScanner 4.13-3
>I upgraded Sendmail because of the Security Alert. This, combined with the
>Sophos change seemed to break my MailScanner 3.x so I decided to go the
>whole way and move to MailScanner 4.
>
>Because of different paths in the source package and on my server etc. I
>have now ended up with:
>MailScanner is actually installed in /usr/local/MailScanner-4.13-3
>/opt is linked to /usr/local
>mailscanner and MailScanner are linked to MailScanner-4.13-3
>
>So far, everything seems to be working fine. I do wonder though if I am
>heading for a fall - advice would be appreciated from anyone who might have
>considered this method.

That does give me some reassurance that 4.13-3 isn't fundamentally broken. I've just been through every change in the code between 4.12 and 4.13, and there isn't anything that should break it. The only thing I can see that might cause you trouble is potential confusion when doing future upgrades.
But if you are happy with that, then I don't see any great problem with it. Thanks for the info! -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support From jrudd at UCSC.EDU Sun Mar 9 00:56:05 2003 From: jrudd at UCSC.EDU (John Rudd) Date: Thu Jan 12 21:17:26 2006 Subject: FREQ: infected header value Message-ID: Could it be possible to have an option for putting the name of the virus in the infected header? Something like: Infected Header Value = Found to be infected with $infection where $infection would be a list of names, for the viruses found and/or filename rules that were tripped. From mailscanner at ecs.soton.ac.uk Sun Mar 9 11:12:08 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:26 2006 Subject: FREQ: infected header value In-Reply-To: Message-ID: <5.2.0.9.2.20030309110832.021688a8@imap.ecs.soton.ac.uk> At 00:56 09/03/2003, you wrote: >Could it be possible to have an option for putting the name of the >virus in the infected header? >Something like: >Infected Header Value = Found to be infected with $infection >where $infection would be a list of names, for the viruses found and/or >filename rules that were tripped. I have done this for a couple of the scanners (including F-Prot if I remember rightly) but it's pretty difficult to do generally. -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support From etate01 at sun.hazelwood.k12.mo.us Sun Mar 9 14:23:41 2003 
From: etate01 at sun.hazelwood.k12.mo.us (Ed Tate)
Date: Thu Jan 12 21:17:26 2006
Subject: Harebrained Idea for scanning SPAM?
Message-ID: <000001c2e647$7c2c74f0$0200a8c0@computer>

This is just an idea (maybe a really dumb one) and I was wondering if this is even feasible to consider. This came out of a conversation with my boss who was aggravated because he can't find his important emails among the ads to enlarge his private parts and I told him that I'd at least look into it.

MS & SA do an excellent job of working together but the real problem is what to do with SPAM once you've identified it as such.

What I'd like to do is to set Spam Assassins' score high and just automatically delete those from the system. Then I'd like to run it again with a lower score and stick the {SPAM} in the header and let the user decide.

Currently we're configured at 6 and almost everything we catch is SPAM but we miss a lot. When I drop it to 5, I catch almost 100% of all the spam but I also get too many false positives to automatically delete these.

I guess the question is can Mailscanner & Spam Assassin be run more than once?

Thanks.

Ed Tate (etate01@hazelwoodschools.org)

From mailscanner at ecs.soton.ac.uk Sun Mar 9 14:30:19 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:26 2006
Subject: Harebrained Idea for scanning SPAM?
In-Reply-To: <000001c2e647$7c2c74f0$0200a8c0@computer>
Message-ID: <5.2.0.9.2.20030309142857.0216a978@imap.ecs.soton.ac.uk>

At 14:23 09/03/2003, you wrote:
>This is just an idea (maybe a really dumb one) and I was wondering if this
>is even feasible to consider. This came out of a conversation with my boss
>who was aggravated because he can't find his important emails among the ads
>to enlarge his private parts and I told him that I'd at least look into it.
>
>MS & SA do an excellent job of working together but the real problem is what
>to do with SPAM once you've identified it as such.
>
>What I'd like to do is to set Spam Assassins' score high and just
>automatically delete those from the system. Then I'd like to run it again
>with a lower score and stick the {SPAM} in the header and let the user
>decide.
>
>Currently we're configured at 6 and almost everything we catch is SPAM but
>we miss a lot. When I drop it to 5, I catch almost 100% of all the spam but
>I also get too many false positives to automatically delete these.
>
>I guess the question is can Mailscanner & Spam Assassin be run more than
>once?

What's the difference between that and using the "High Score" options that are in MailScanner already? Just set "High Scoring Spam Actions = delete" and "Spam Actions = deliver".

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

From dbird at SGHMS.AC.UK Sun Mar 9 19:01:26 2003
From: dbird at SGHMS.AC.UK (Daniel Bird) Date: Thu Jan 12 21:17:26 2006 Subject: Problem with 'forward' spam action Message-ID: <3E6B8F86.2000003@sghms.ac.uk> Dear all, I'm running Rh7.3, MS4.13-3, SA2.60-cvs and Exim. in MailScanner.conf I have: High Scoring Spam Actions = store forward spam@sghms.ac.uk I'm seeing the following in my mail.log.... Mar 9 18:22:20 mailhub1 MailScanner[17291]: Spam Actions: message 18s5RA-0004t0-00 actions are forward,store,spam@sghms.ac.uk but in my exim log I see.... 2003-03-09 18:22:20 18s5RA-0004t0-00 Format error in spool file 18s5RA-0004t0-00-H: size=1573 and the message is not forwarded... This is the content of the above file (I've anonymised the original recipient)..... 18s5RA-0004t0-00-H root 0 0 1047234136 0 -helo_name shark1 -deliver_firsttime -host_address 217.39.107.177.3176 -received_protocol esmtp -body_linecount 68 -interface_address 194.82.51.7.25 XX 2 spam@sghms.ac.uk 171P Received: from [217.39.107.177] (helo=shark1) by mailhub1.sghms.ac.uk with esmtp (Exim 4.12) id 18s5RA-0004t0-00 for xxx@sghms.ac.uk; Sun, 09 Mar 2003 18:22:16 +0000 124 Received: from aol.com ([218.88.187.105]) by shark1 with Microsoft SMTPSVC(5.0.2195.1600); Sun, 9 Mar 2003 18:25:45 +0000 055I Message-ID: <00006e8a0b57$000007c8$00006aa7@lycos.com> 024T To: 042F 
From: "John Darvis" 054 Subject:****VeryLikelySPAM**** Dow Jones in Trouble? 038 Date: Sun, 09 Mar 2003 13:26:21 -1700 018 MIME-Version: 1.0 047 Content-Type: text/html; charset="iso-8859-1" 044 Content-Transfer-Encoding: quoted-printable 030R Reply-To: wasberdll0@juno.com 033 Return-Path: wasberdll0@juno.com 084 X-OriginalArrivalTime: 09 Mar 2003 18:25:47.0928 (UTC) FILETIME=[4E4AE180:01C2E669] 037 X-MailScanner-MH1: Found to be clean 404 X-MailScanner-SpamCheck: spam, SpamAssassin (score=27, required 5, BANG_MONEY, BAYES_90, CLICK_BELOW, EXCUSE_14, FREE_TRIAL, HTML_40_50, HTML_FONT_BIG, HTML_FONT_COLOR_BLUE, HTML_FONT_COLOR_GREEN, HTML_FONT_COLOR_UNSAFE, HTML_LINK_CLICK_HERE, INVALID_DATE_TZ_ABSURD, MSGID_OE_SPAM_4ZERO, MSGID_OUTLOOK_TIME, MSGID_SPAMSIGN_ZEROES, OFFERS_ETC, RAZOR2_CF_RANGE_91_100, RAZOR2_CHECK, SEE_FOR_YOURSELF) 053 X-MailScanner-SpamScore: sssssssssssssssssssssssssss This makes me think MS is not forming the header properly, or am I missing something? regards Dan -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From dbird at SGHMS.AC.UK Sun Mar 9 19:16:34 2003 
From: dbird at SGHMS.AC.UK (Daniel Bird) Date: Thu Jan 12 21:17:26 2006 Subject: Problem with 'forward' spam action References: <3E6B8F86.2000003@sghms.ac.uk> Message-ID: <3E6B9312.2030009@sghms.ac.uk> A little more info.. If I put a forward on "Spam Actions", it works fine. Dan Daniel Bird wrote: > Dear all, > I'm running Rh7.3, MS4.13-3, SA2.60-cvs and Exim. in MailScanner.conf I > have: > > High Scoring Spam Actions = store forward spam@sghms.ac.uk > > I'm seeing the following in my mail.log.... > > Mar 9 18:22:20 mailhub1 MailScanner[17291]: Spam Actions: message > 18s5RA-0004t0-00 actions are forward,store,spam@sghms.ac.uk > > but in my exim log I see.... > > 2003-03-09 18:22:20 18s5RA-0004t0-00 Format error in spool file > 18s5RA-0004t0-00-H: size=1573 > > and the message is not forwarded... > > This is the content of the above file (I've anonymised the original > recipient)..... > > 18s5RA-0004t0-00-H > root 0 0 > > 1047234136 0 > -helo_name shark1 > -deliver_firsttime > -host_address 217.39.107.177.3176 > -received_protocol esmtp > -body_linecount 68 > -interface_address 194.82.51.7.25 > XX > 2 > spam@sghms.ac.uk > > 171P Received: from [217.39.107.177] (helo=shark1) > by mailhub1.sghms.ac.uk with esmtp (Exim 4.12) > id 18s5RA-0004t0-00 > for xxx@sghms.ac.uk; Sun, 09 Mar 2003 18:22:16 +0000 > 124 Received: from aol.com ([218.88.187.105]) by shark1 with Microsoft > SMTPSVC(5.0.2195.1600); > Sun, 9 Mar 2003 18:25:45 +0000 > 055I Message-ID: <00006e8a0b57$000007c8$00006aa7@lycos.com> > 024T To: > 042F 
From: "John Darvis" > 054 Subject:****VeryLikelySPAM**** Dow Jones in Trouble? > 038 Date: Sun, 09 Mar 2003 13:26:21 -1700 > 018 MIME-Version: 1.0 > 047 Content-Type: text/html; > charset="iso-8859-1" > 044 Content-Transfer-Encoding: quoted-printable > 030R Reply-To: wasberdll0@juno.com > 033 Return-Path: wasberdll0@juno.com > 084 X-OriginalArrivalTime: 09 Mar 2003 18:25:47.0928 (UTC) > FILETIME=[4E4AE180:01C2E669] > 037 X-MailScanner-MH1: Found to be clean > 404 X-MailScanner-SpamCheck: spam, SpamAssassin (score=27, required 5, > BANG_MONEY, BAYES_90, CLICK_BELOW, EXCUSE_14, FREE_TRIAL, > HTML_40_50, > HTML_FONT_BIG, HTML_FONT_COLOR_BLUE, HTML_FONT_COLOR_GREEN, > HTML_FONT_COLOR_UNSAFE, HTML_LINK_CLICK_HERE, > INVALID_DATE_TZ_ABSURD, > MSGID_OE_SPAM_4ZERO, MSGID_OUTLOOK_TIME, MSGID_SPAMSIGN_ZEROES, > OFFERS_ETC, RAZOR2_CF_RANGE_91_100, RAZOR2_CHECK, > SEE_FOR_YOURSELF) > 053 X-MailScanner-SpamScore: sssssssssssssssssssssssssss > > This makes me think MS is not forming the header properly, or am I > missing something? > > regards > > Dan > > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From mailscanner at ecs.soton.ac.uk Sun Mar 9 19:28:18 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:26 2006 Subject: Problem with 'forward' spam action In-Reply-To: <3E6B9312.2030009@sghms.ac.uk> References: <3E6B8F86.2000003@sghms.ac.uk> Message-ID: <5.2.0.9.2.20030309192748.0263f568@imap.ecs.soton.ac.uk> Can you try this patch to Exim.pm please? --- Exim.pm.old Thu Feb 6 17:12:56 2003 +++ Exim.pm Sun Mar 9 19:28:25 2003 
@@ -899,6 +899,7 @@ my $this = shift; my($message) = @_; + $message->{metadata}{numrcpts}--; $message->{metadata}{rcpts} = []; $message->{metadata}{nonrcpts} = {}; At 19:16 09/03/2003, you wrote: >A little more info.. >If I put a forward on "Spam Actions", it works fine. > >Dan > >Daniel Bird wrote: > >>Dear all, >>I'm running Rh7.3, MS4.13-3, SA2.60-cvs and Exim. in MailScanner.conf I >>have: >> >>High Scoring Spam Actions = store forward spam@sghms.ac.uk >> >>I'm seeing the following in my mail.log.... >> >>Mar 9 18:22:20 mailhub1 MailScanner[17291]: Spam Actions: message >>18s5RA-0004t0-00 actions are forward,store,spam@sghms.ac.uk >> >>but in my exim log I see.... >> >>2003-03-09 18:22:20 18s5RA-0004t0-00 Format error in spool file >>18s5RA-0004t0-00-H: size=1573 >> >>and the message is not forwarded... >> >>This is the content of the above file (I've anonymised the original >>recipient)..... >> >>18s5RA-0004t0-00-H >>root 0 0 >> >>1047234136 0 >>-helo_name shark1 >>-deliver_firsttime >>-host_address 217.39.107.177.3176 >>-received_protocol esmtp >>-body_linecount 68 >>-interface_address 194.82.51.7.25 >>XX >>2 >>spam@sghms.ac.uk >> >>171P Received: from [217.39.107.177] (helo=shark1) >> by mailhub1.sghms.ac.uk with esmtp (Exim 4.12) >> id 18s5RA-0004t0-00 >> for xxx@sghms.ac.uk; Sun, 09 Mar 2003 18:22:16 +0000 >>124 Received: from aol.com ([218.88.187.105]) by shark1 with Microsoft >>SMTPSVC(5.0.2195.1600); >> Sun, 9 Mar 2003 18:25:45 +0000 >>055I Message-ID: <00006e8a0b57$000007c8$00006aa7@lycos.com> >>024T To: >>042F 
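Review bot: the `$message->{metadata}{numrcpts}--;` added ahead of the `rcpts = []` and `nonrcpts = {}` resets lowers the count by exactly one while the next two lines empty the whole recipient list, so the count and the list may still disagree when the message had more than one recipient. The spool file posted in this thread shows that kind of mismatch (a count of 2 above a single address), so it would be safer to derive numrcpts from the rebuilt list, or set it explicitly here, and to add a comment saying which recipient the decrement accounts for.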
From: "John Darvis" >>054 Subject:****VeryLikelySPAM**** Dow Jones in Trouble? >>038 Date: Sun, 09 Mar 2003 13:26:21 -1700 >>018 MIME-Version: 1.0 >>047 Content-Type: text/html; >> charset="iso-8859-1" >>044 Content-Transfer-Encoding: quoted-printable >>030R Reply-To: wasberdll0@juno.com >>033 Return-Path: wasberdll0@juno.com >>084 X-OriginalArrivalTime: 09 Mar 2003 18:25:47.0928 (UTC) >>FILETIME=[4E4AE180:01C2E669] >>037 X-MailScanner-MH1: Found to be clean >>404 X-MailScanner-SpamCheck: spam, SpamAssassin (score=27, required 5, >> BANG_MONEY, BAYES_90, CLICK_BELOW, EXCUSE_14, FREE_TRIAL, >>HTML_40_50, >> HTML_FONT_BIG, HTML_FONT_COLOR_BLUE, HTML_FONT_COLOR_GREEN, >> HTML_FONT_COLOR_UNSAFE, HTML_LINK_CLICK_HERE, >>INVALID_DATE_TZ_ABSURD, >> MSGID_OE_SPAM_4ZERO, MSGID_OUTLOOK_TIME, MSGID_SPAMSIGN_ZEROES, >> OFFERS_ETC, RAZOR2_CF_RANGE_91_100, RAZOR2_CHECK, >>SEE_FOR_YOURSELF) >>053 X-MailScanner-SpamScore: sssssssssssssssssssssssssss >> >>This makes me think MS is not forming the header properly, or am I >>missing something? >> >>regards >> >>Dan >> >> >>-- >>This message has been scanned for viruses and >>dangerous content by MailScanner, and is >>believed to be clean. > > > >-- >This message has been scanned for viruses and >dangerous content by MailScanner, and is >believed to be clean. -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support From dbird at SGHMS.AC.UK Sun Mar 9 19:35:11 2003 From: dbird at SGHMS.AC.UK (Daniel Bird) Date: Thu Jan 12 21:17:26 2006 Subject: Problem with 'forward' spam action References: <3E6B8F86.2000003@sghms.ac.uk> <5.2.0.9.2.20030309192748.0263f568@imap.ecs.soton.ac.uk> Message-ID: <3E6B976F.4080803@sghms.ac.uk> Julian Field wrote: > Can you try this patch to Exim.pm please? > > --- Exim.pm.old Thu Feb 6 17:12:56 2003 > +++ Exim.pm Sun Mar 9 19:28:25 2003 
> @@ -899,6 +899,7 @@ > my $this = shift; > my($message) = @_; > > + $message->{metadata}{numrcpts}--; > $message->{metadata}{rcpts} = []; > $message->{metadata}{nonrcpts} = {}; Yup, that's fixed it. thanks Julian, you're a * Dan > > At 19:16 09/03/2003, you wrote: > >> A little more info.. >> If I put a forward on "Spam Actions", it works fine. >> >> Dan >> >> Daniel Bird wrote: >> >>> Dear all, >>> I'm running Rh7.3, MS4.13-3, SA2.60-cvs and Exim. in MailScanner.conf I >>> have: >>> >>> High Scoring Spam Actions = store forward spam@sghms.ac.uk >>> >>> I'm seeing the following in my mail.log.... >>> >>> Mar 9 18:22:20 mailhub1 MailScanner[17291]: Spam Actions: message >>> 18s5RA-0004t0-00 actions are forward,store,spam@sghms.ac.uk >>> >>> but in my exim log I see.... >>> >>> 2003-03-09 18:22:20 18s5RA-0004t0-00 Format error in spool file >>> 18s5RA-0004t0-00-H: size=1573 >>> >>> and the message is not forwarded... >>> >>> This is the content of the above file (I've anonymised the original >>> recipient)..... >>> >>> 18s5RA-0004t0-00-H >>> root 0 0 >>> >>> 1047234136 0 >>> -helo_name shark1 >>> -deliver_firsttime >>> -host_address 217.39.107.177.3176 >>> -received_protocol esmtp >>> -body_linecount 68 >>> -interface_address 194.82.51.7.25 >>> XX >>> 2 >>> spam@sghms.ac.uk >>> >>> 171P Received: from [217.39.107.177] (helo=shark1) >>> by mailhub1.sghms.ac.uk with esmtp (Exim 4.12) >>> id 18s5RA-0004t0-00 >>> for xxx@sghms.ac.uk; Sun, 09 Mar 2003 18:22:16 +0000 >>> 124 Received: from aol.com ([218.88.187.105]) by shark1 with Microsoft >>> SMTPSVC(5.0.2195.1600); >>> Sun, 9 Mar 2003 18:25:45 +0000 >>> 055I Message-ID: <00006e8a0b57$000007c8$00006aa7@lycos.com> >>> 024T To: >>> 042F 
From: "John Darvis" >>> 054 Subject:****VeryLikelySPAM**** Dow Jones in Trouble? >>> 038 Date: Sun, 09 Mar 2003 13:26:21 -1700 >>> 018 MIME-Version: 1.0 >>> 047 Content-Type: text/html; >>> charset="iso-8859-1" >>> 044 Content-Transfer-Encoding: quoted-printable >>> 030R Reply-To: wasberdll0@juno.com >>> 033 Return-Path: wasberdll0@juno.com >>> 084 X-OriginalArrivalTime: 09 Mar 2003 18:25:47.0928 (UTC) >>> FILETIME=[4E4AE180:01C2E669] >>> 037 X-MailScanner-MH1: Found to be clean >>> 404 X-MailScanner-SpamCheck: spam, SpamAssassin (score=27, required 5, >>> BANG_MONEY, BAYES_90, CLICK_BELOW, EXCUSE_14, FREE_TRIAL, >>> HTML_40_50, >>> HTML_FONT_BIG, HTML_FONT_COLOR_BLUE, HTML_FONT_COLOR_GREEN, >>> HTML_FONT_COLOR_UNSAFE, HTML_LINK_CLICK_HERE, >>> INVALID_DATE_TZ_ABSURD, >>> MSGID_OE_SPAM_4ZERO, MSGID_OUTLOOK_TIME, MSGID_SPAMSIGN_ZEROES, >>> OFFERS_ETC, RAZOR2_CF_RANGE_91_100, RAZOR2_CHECK, >>> SEE_FOR_YOURSELF) >>> 053 X-MailScanner-SpamScore: sssssssssssssssssssssssssss >>> >>> This makes me think MS is not forming the header properly, or am I >>> missing something? >>> >>> regards >>> >>> Dan >>> >>> >>> -- >>> This message has been scanned for viruses and >>> dangerous content by MailScanner, and is >>> believed to be clean. >> >> >> >> >> -- >> This message has been scanned for viruses and >> dangerous content by MailScanner, and is >> believed to be clean. > > > -- > Julian Field > www.MailScanner.info > Professional Support Services at www.MailScanner.biz > MailScanner thanks transtec Computers for their support > -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From jrudd at UCSC.EDU Sun Mar 9 20:49:45 2003 From: jrudd at UCSC.EDU (John Rudd) Date: Thu Jan 12 21:17:26 2006 Subject: FREQ: infected header value Message-ID: <200303092049.h29Knja15338@kzin.ucsc.edu> 
> From: Julian Field
>
> At 00:56 09/03/2003, you wrote:
> >Could it be possible to have an option for putting the name of the
> >virus in the infected header?
> >Something like:
> >Infected Header Value = Found to be infected with $infection
> >where $infection would be a list of names, for the viruses found and/or
> >filename rules that were tripped.
>
> I have done this for a couple of the scanners (including F-Prot if I
> remember rightly) but it's pretty difficult to do generally.

Would sophos be one of the ones that would be difficult?

From glynn at makati.techsquare.com Mon Mar 10 06:25:51 2003
From: glynn at makati.techsquare.com (Glynn S. Condez)
Date: Thu Jan 12 21:17:26 2006
Subject: Spam Score Header
Message-ID: <014501c2e6cd$e5d9b710$8201a8c0@proaccessph.com>

Hi All,

I just upgraded my MailScanner 3 to 4.13-3 awhile ago.
What I observed is that Spam Score Header produced "sss" result on it.
I'd like to know if it's normal?

Thanks in advance

--- Glynn ---

From Jan-Peter.Koopmann at SECEIDOS.DE Mon Mar 10 10:33:59 2003
From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann)
Date: Thu Jan 12 21:17:26 2006
Subject: HELP - Viruses are not detected
Message-ID: <4E7026FF8A422749B1553FE508E0068007EF08@message.intern.akctech.de>

Hi,

> I just noticed something very strange: the
> filename.rules.conf is not obeyed and no viruses are caught
> (tested with EICAR). This is incoming and outgoing... I first
> noticed this with 4.13-3. Could this be a bug?

Just wanted to let you know we found the problem. After an upgrade from 4.12 to 4.13 I forgot to change the SystemDefs.pm in lib/MailScanner. Therefore $global::sed pointed to /bin/sed. Under FreeBSD this must be /usr/bin/sed. This caused the EximDiskStore to fail when reading the message body (since it uses sed there) and passing it over to the MIME::Parser. Therefore the message did not get extracted and since there was nothing to scan, all virus scanners told MS that everything is ok.

So all FreeBSD users: Always watch the SystemDefs.pm settings! :-)

Thanks to everybody who offered their help..

Regards,
  Jan-Peter

From mailscanner at ecs.soton.ac.uk Mon Mar 10 11:02:22 2003
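The failure chain in the message above (a wrong $global::sed path leaves nothing extracted, so every scanner reports clean) and the earlier wrapper-path questions in this thread can be checked mechanically. The following is an added example, not MailScanner code and not from any poster; the function names, the `$global::name = '/path';` line shape, the exit-status convention (0 = clean) and all file contents are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not MailScanner code). Assumptions: helper paths appear in
# SystemDefs.pm as  $global::name = '/path';  and a scanner exits 0 for clean.

# Print "name path" for every $global:: helper whose path is not an
# executable regular file (the /bin/sed vs /usr/bin/sed case).
bad_helpers() {
    awk -F"'" '/^[ \t]*\$global::[A-Za-z_0-9]+[ \t]*=/ {
        n = $1
        sub(/^[ \t]*\$global::/, "", n)
        sub(/[ \t]*=.*/, "", n)
        print n, $2
    }' "$1" |
    while read -r name path; do
        [ -f "$path" ] && [ -x "$path" ] || echo "$name $path"
    done
}

# Print "scanner wrapper" for each scanner enabled on the "Virus Scanners ="
# line of MailScanner.conf ($1) whose wrapper in virus.scanners.conf ($2)
# is missing, not executable, or has no entry at all.
bad_wrappers() {
    active=$(awk -F= '/^[ \t]*Virus Scanners[ \t]*=/ { print $2 }' "$1")
    for s in $active; do
        w=$(awk -v s="$s" '$1 == s { print $2; exit }' "$2")
        if [ -z "$w" ]; then
            echo "$s (no entry)"
        elif [ ! -f "$w" ] || [ ! -x "$w" ]; then
            echo "$s $w"
        fi
    done
}

# Fail-closed verdict: a "clean" exit status ($2) only counts if the work
# directory ($1) really contains extracted files. An empty directory means
# nothing was scanned, which is what the wrong sed path produced.
verdict() {
    if [ -z "$(find "$1" -type f 2>/dev/null | head -n 1)" ]; then
        echo unscanned
    elif [ "$2" -eq 0 ]; then
        echo clean
    else
        echo infected
    fi
}

# Build a constructed test tree and print its path. Every file here is sample
# data; only the name $global::sed comes from the thread, "shell" is made up.
make_fixture() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/lib" "$d/incoming/empty" "$d/incoming/msg1"
    printf '#!/bin/sh\nexit 0\n' > "$d/lib/mcafee-wrapper"
    chmod +x "$d/lib/mcafee-wrapper"
    printf 'constructed placeholder attachment\n' > "$d/incoming/msg1/attachment.txt"
    cat > "$d/SystemDefs.pm" <<EOF
# constructed sample
\$global::sed = '$d/no-such-dir/sed';
\$global::shell = '/bin/sh';
EOF
    cat > "$d/MailScanner.conf" <<EOF
Virus Scanning = yes
Virus Scanners = mcafee f-prot
Virus Scanner Definitions = $d/virus.scanners.conf
EOF
    cat > "$d/virus.scanners.conf" <<EOF
# constructed sample
mcafee $d/lib/mcafee-wrapper
f-prot $d/lib/f-prot-wrapper
EOF
    echo "$d"
}

demo() {
    fx=$(make_fixture) || return 1
    echo "bad helpers:  $(bad_helpers "$fx/SystemDefs.pm")"
    echo "bad wrappers: $(bad_wrappers "$fx/MailScanner.conf" "$fx/virus.scanners.conf")"
    echo "empty work dir, scanner rc 0: $(verdict "$fx/incoming/empty" 0)"
    echo "extracted file, scanner rc 0: $(verdict "$fx/incoming/msg1" 0)"
    rm -rf "$fx"
}
demo
```

The third check is the one that would have surfaced this incident even with every wrapper in place: the scanners ran and returned success, but on an empty work directory.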
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:26 2006 Subject: Spam Score Header In-Reply-To: <014501c2e6cd$e5d9b710$8201a8c0@proaccessph.com> Message-ID: <5.2.0.9.2.20030310105948.0234b0f0@imap.ecs.soton.ac.uk> At 06:25 10/03/2003, you wrote: >Hi All, > >I just upgraded my MailScanner 3 to 4.13-3 awhile ago. >What I observed is that Spam Score Header produced "sss" result on it. >I'd like to know if its normal? Read the MailScanner.conf comments for the "Spam Score" header. 3 "s" characters imply that SpamAssassin gave it a score of 3. It is there so that users can easily write their own mail filters to filter messages at any spam score they like. If a user wants to do something with messages scoring over 10, for example, they can just look for "ssssssssss". -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Mon Mar 10 11:04:24 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:26 2006 Subject: can't get spamassassin to work!! In-Reply-To: <5.2.0.9.0.20030311031218.00aabe20@pop.gmx.net> Message-ID: <5.2.0.9.2.20030310110303.0242c398@imap.ecs.soton.ac.uk> At 21:55 10/03/2003, you wrote: >But spamassassin is not doing the checks from this table. >I am running spamd with the options " -q -d -c -a" Note that MailScanner doesn't use spamd (or the "spamassassin" script). It works faster than either of those methods. -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support From Jan-Peter.Koopmann at SECEIDOS.DE Mon Mar 10 11:30:10 2003 
From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann) Date: Thu Jan 12 21:17:26 2006 Subject: FromTo: not working? Message-ID: <4E7026FF8A422749B1553FE508E0068007EF15@message.intern.akctech.de> Hi Julian, > I have just tested your exact rules file, totally untouched, > with messages coming from seceidos.de and messages not coming > from there. It worked 100% as I would have expected it to > work, so it's not a bug. I took the liberty to debug this and I think I found the problem. In Config.pm I put MailScanner::Log::WarnLog("Matching From: " . $msg->{from} ."\n"); foreach $to (@{$msg->{to}}) { MailScanner::Log::WarnLog("Matching To: " . $to ."\n"); } MailScanner::Log::WarnLog("Matching against $direction $iporaddr /$regexp/\n"); In the foreach $rule part of the sub Value. This is what the log says when I write a message: Mar 10 12:26:21 proxy MailScanner[66706]: Matching From: Mar 10 12:26:21 proxy MailScanner[66706]: Matching To: jan-peter.koopmann@web.de Mar 10 12:26:21 proxy MailScanner[66706]: Matching against ft t /^.*\@seceidos\.de\.?$/ Mar 10 12:26:21 proxy MailScanner[66706]: Matching From: Mar 10 12:26:21 proxy MailScanner[66706]: Matching To: jan-peter.koopmann@web.de Mar 10 12:26:21 proxy MailScanner[66706]: Matching against ft t /^.*\@seceidos\.net\.?$/ Mar 10 12:26:21 proxy MailScanner[66706]: Matching From: Mar 10 12:26:21 proxy MailScanner[66706]: Matching To: jan-peter.koopmann@web.de Mar 10 12:26:21 proxy MailScanner[66706]: Matching against ft t /^.*\@seceidos\.org\.?$/ Mar 10 12:26:21 proxy MailScanner[66706]: Matching From: Mar 10 12:26:21 proxy MailScanner[66706]: Matching To: jan-peter.koopmann@web.de Mar 10 12:26:21 proxy MailScanner[66706]: Matching against ft t /^.*\@seceidos\.com\.?$/ Mar 10 12:26:21 proxy MailScanner[66706]: Matching 
From: Mar 10 12:26:21 proxy MailScanner[66706]: Matching To: jan-peter.koopmann@web.de Mar 10 12:26:21 proxy MailScanner[66706]: Matching against ft t /^.*\@telefonia\.de\.?$/ Mar 10 12:26:21 proxy MailScanner[66706]: Matching From: Mar 10 12:26:21 proxy MailScanner[66706]: Matching To: jan-peter.koopmann@web.de Mar 10 12:26:21 proxy MailScanner[66706]: Matching against ft t /^.*\@akctech\.de\.?$/ I was quite surprised to see that $msg->(from) included the '<' and '>'. The call $misses++ unless $msg->{from} =~ /$regexp/i; This does not match due to the trailing '>'. Is it possible that the Sendmail.pm gives you the {from} without '<' and '>' yet the Exim.pm does? Moreover, the {to} part does not have these and therefore the To: part of the rule works. Regards, JP From Krishna_shekhar at GMX.NET Mon Mar 10 19:43:29 2003 From: Krishna_shekhar at GMX.NET (Krishna) Date: Thu Jan 12 21:17:26 2006 Subject: Configuring SpamAssassin with MailScanner <> Message-ID: <5.2.0.9.0.20030311011302.00b0d2f8@pop.gmx.net> Hi, I am using Horde/IMP on RedHat 7.3 with MailScanner running on sendmail. I am using the sam module from Horde/IMP and works alright , though not tested it. First I want to configure it in such a way that users are able to create their own spam preferences and detected spam mails go into a separate folder. I have create the database in mysql via the mysql script which comes with the sam module. What should I do next? regards Krishna http://www.KrisinDigitalAge.com From Krishna_shekhar at GMX.NET Mon Mar 10 21:55:21 2003 
From: Krishna_shekhar at GMX.NET (Krishna) Date: Thu Jan 12 21:17:26 2006 Subject: can't get spamassassin to work!! Message-ID: <5.2.0.9.0.20030311031218.00aabe20@pop.gmx.net> Hi, I am using Horde/IMP cvs version on RedHat7.3 with sendmail and MailScanner. I created the userpref table for SpamAssassin in the horde database and checked it by adding rules etc. and it works. This is what local.cf shows for spamassassin in /etc/mail/spamassassin user_scores_dsn DBI:mysql:horde:localhost user_scores_sql_username horde user_scores_sql_password xxxxx user_scores_sql_table userpref But spamassassin is not doing the checks from this table. I am running spamd with the options " -q -d -c -a" The blacklisted rule which I created does not get executed. Any help!! Krishna http://www.KrisinDigitalAge.com From Jan-Peter.Koopmann at SECEIDOS.DE Mon Mar 10 11:42:25 2003 From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann) Date: Thu Jan 12 21:17:26 2006 Subject: FromTo: not working? Message-ID: <4E7026FF8A422749B1553FE508E0068007EF18@message.intern.akctech.de> > I was quite surprised to see that $msg->(from) included the > '<' and '>'. Quick fix in Exim.pm: --- Exim.pm.orig Mon Mar 10 12:34:20 2003 +++ Exim.pm Mon Mar 10 12:39:25 2003 @@ -255,7 +255,13 @@ chomp(($metadata{user},$metadata{uid},$metadata{gid}) = split / /, <$RQf>); # envelope-sender (in <>) chomp($metadata{sender} = <$RQf>); - $message->{from} = lc $metadata{sender}; + + $from = lc $metadata{sender}; + $from =~ s/^<\s*//; # leading and + $from =~ s/\s*>$//; # trailing <> + + $message->{from} = $from; + # time msg received (seconds since epoch) # + number of delay warnings sent chomp(($metadata{rcvtime},$metadata{warncnt}) = split / /, <$RQf>); This seems to work here but I am not sure about other implications (esp. for Exim3). Could someone with more Exim experience please have a look at this? Regards, JP From mailscanner at ecs.soton.ac.uk Mon Mar 10 11:48:52 2003 
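Review bot: $from is assigned in the added lines with no "my", so unless it is declared earlier in the enclosing sub (not visible in this hunk) it is a package global, and a compile error if Exim.pm runs under "use strict"; declare it where it is first assigned, "my $from = lc $metadata{sender};". The two substitutions are also applied independently, so a sender carrying only one of the two brackets is accepted without any log line, and the null sender "<>" becomes the empty string that the ruleset regexps are then matched against; a comment saying that this is intended would help. Since $metadata{sender} keeps its brackets while $message->{from} loses them, a one-line comment stating which form each field holds would stop a later reader from comparing the two. The comment split across two lines ("# leading and" / "# trailing <>") reads better as a single line above both substitutions.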
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:26 2006 Subject: HELP - Viruses are not detected In-Reply-To: <4E7026FF8A422749B1553FE508E0068007EF08@message.intern.akct ech.de> Message-ID: <5.2.0.9.2.20030310114803.02290b90@imap.ecs.soton.ac.uk> At 10:33 10/03/2003, you wrote: >Hi, > > > I just noticed something very strange: the > > filename.rules.conf is not obeyed and no viruses are caught > > (tested with EICAR). This is incoming and outgoing... I first > > noticed this with 4.13-3. Could this be a bug? > >Just wanted to let you know we found the problem. After an upgrade from >4.12 to 4.13 I forgot to change the SystemDefs.pm in lib/MailScanner. >Therefore $global::sed pointed to /bin/sed. Under FreeBSD this must be >/usr/bin/sed. This caused the EximDiskStore to fail when reading the >message body (since it uses sed there) and passing it over to the >MIME::Parser. Therefore the message did not get extracted and since >there was nothing to scan, all virus scanners told MS that everything is >ok. > >So all FreeBSD users: Always watch the SystemDefs.pm settings! :-) I have just added a check for all of these settings to make sure they are correct. It won't start up without the programs being present and executable. -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Mon Mar 10 12:14:34 2003 
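The failure discussed in this thread (a stale helper path in SystemDefs.pm, nothing extracted, every scanner reporting clean) and the start-up check mentioned in the reply, as an added Perl example that is not MailScanner's own code. The helper table, the function names, the message fields and the 'unscannable' verdict are assumptions for illustration, and it assumes the unpacking step writes every body part, plain text included, to a file.

```perl
#!/usr/bin/perl
# Added illustration; not MailScanner code. All names here are hypothetical.
use strict;
use warnings;

# Return one problem string per helper program that could not be run.
# $paths is a hash ref: helper name => configured absolute path.
sub check_helpers {
    my ($paths) = @_;
    my @problems;
    for my $name (sort keys %$paths) {
        my $path = $paths->{$name};
        if (!defined $path || $path eq '') {
            push @problems, "$name: no path configured";
        } elsif (!-e $path) {
            push @problems, "$name: $path does not exist";
        } elsif (-d _) {
            push @problems, "$name: $path is a directory";
        } elsif (!-x _) {
            push @problems, "$name: $path is not executable";
        }
    }
    return @problems;
}

# Verdict for one message, failing closed.
#   body_bytes  : size of the queued message body on disk
#   reader_exit : exit status of the helper that read the body
#   extracted   : number of files the unpacking step produced
#   hits        : number of virus-scanner or filename-rule reports
# A non-empty body that yields zero files means extraction broke, so the
# scanners saw nothing; that is reported as 'unscannable', never 'clean'.
sub verdict {
    my (%m) = @_;
    return 'infected'    if $m{hits} > 0;
    return 'unscannable' if $m{reader_exit} != 0;
    return 'unscannable' if $m{body_bytes} > 0 && $m{extracted} == 0;
    return 'clean';
}

# Constructed helper table. /bin/sh stands in for a correctly configured
# helper; the sed path is a deliberately absent, constructed value playing
# the role of the stale sed setting from the thread.
my %helpers = (
    shell => '/bin/sh',
    sed   => '/nonexistent/bin/sed',
);

my @problems = check_helpers(\%helpers);
print "startup: $_\n" for @problems;
print @problems ? "startup: refusing to start\n" : "startup: helpers ok\n";

# Constructed sample messages: [ label, fields ].
my @messages = (
    [ 'normal mail, two parts',
      { body_bytes => 2048, reader_exit => 0, extracted => 2, hits => 0 } ],
    [ 'test attachment caught',
      { body_bytes => 512,  reader_exit => 0, extracted => 2, hits => 1 } ],
    [ 'body reader failed',
      { body_bytes => 512,  reader_exit => 127, extracted => 0, hits => 0 } ],
    [ 'reader ok, nothing unpacked',
      { body_bytes => 512,  reader_exit => 0, extracted => 0, hits => 0 } ],
    [ 'genuinely empty body',
      { body_bytes => 0,    reader_exit => 0, extracted => 0, hits => 0 } ],
);

for my $m (@messages) {
    my ($label, $fields) = @$m;
    printf "%-30s %s\n", $label, verdict(%$fields);
}
```

The third and fourth sample messages are the case from the thread: without the fail-closed branch both would be delivered as clean.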
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:26 2006 Subject: FromTo: not working? In-Reply-To: <4E7026FF8A422749B1553FE508E0068007EF15@message.intern.akctech.de> Message-ID: <5.2.0.9.2.20030310121326.02638120@imap.ecs.soton.ac.uk> You are absolutely right. I have just posted a patch to the mailing list. At 11:30 10/03/2003, you wrote: >Hi Julian, > > > I have just tested your exact rules file, totally untouched, > > with messages coming from seceidos.de and messages not coming > > from there. It worked 100% as I would have expected it to > > work, so it's not a bug. > > >I took the liberty to debug this and I think I found the problem. In >Config.pm I put > > MailScanner::Log::WarnLog("Matching From: " . $msg->{from} ."\n"); > > foreach $to (@{$msg->{to}}) { > MailScanner::Log::WarnLog("Matching To: " . $to ."\n"); > > } > MailScanner::Log::WarnLog("Matching against $direction $iporaddr >/$regexp/\n"); > >In the foreach $rule part of the sub Value. This is what the log says >when I write a message: > >Mar 10 12:26:21 proxy MailScanner[66706]: Matching From: > >Mar 10 12:26:21 proxy MailScanner[66706]: Matching To: >jan-peter.koopmann@web.de >Mar 10 12:26:21 proxy MailScanner[66706]: Matching against ft t >/^.*\@seceidos\.de\.?$/ >Mar 10 12:26:21 proxy MailScanner[66706]: Matching From: > >Mar 10 12:26:21 proxy MailScanner[66706]: Matching To: >jan-peter.koopmann@web.de >Mar 10 12:26:21 proxy MailScanner[66706]: Matching against ft t >/^.*\@seceidos\.net\.?$/ >Mar 10 12:26:21 proxy MailScanner[66706]: Matching From: > >Mar 10 12:26:21 proxy MailScanner[66706]: Matching To: >jan-peter.koopmann@web.de >Mar 10 12:26:21 proxy MailScanner[66706]: Matching against ft t >/^.*\@seceidos\.org\.?$/ >Mar 10 12:26:21 proxy MailScanner[66706]: Matching
From: > >Mar 10 12:26:21 proxy MailScanner[66706]: Matching To: >jan-peter.koopmann@web.de >Mar 10 12:26:21 proxy MailScanner[66706]: Matching against ft t >/^.*\@seceidos\.com\.?$/ >Mar 10 12:26:21 proxy MailScanner[66706]: Matching From: > >Mar 10 12:26:21 proxy MailScanner[66706]: Matching To: >jan-peter.koopmann@web.de >Mar 10 12:26:21 proxy MailScanner[66706]: Matching against ft t >/^.*\@telefonia\.de\.?$/ >Mar 10 12:26:21 proxy MailScanner[66706]: Matching From: > >Mar 10 12:26:21 proxy MailScanner[66706]: Matching To: >jan-peter.koopmann@web.de >Mar 10 12:26:21 proxy MailScanner[66706]: Matching against ft t >/^.*\@akctech\.de\.?$/ > > >I was quite surprised to see that $msg->(from) included the '<' and '>'. >The call > > $misses++ unless $msg->{from} =~ /$regexp/i; > >This does not match due to the trailing '>'. Is it possible that the >Sendmail.pm gives you the {from} without '<' and '>' yet the Exim.pm >does? Moreover, the {to} part does not have these and therefore the To: >part of the rule works. > >Regards, > JP -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Mon Mar 10 12:10:13 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:26 2006 Subject: FromTo: not working? In-Reply-To: <4E7026FF8A422749B1553FE508E0068007EF18@message.intern.akct ech.de> Message-ID: <5.2.0.9.2.20030310120836.02805f50@imap.ecs.soton.ac.uk> At 11:42 10/03/2003, you wrote: > > I was quite surprised to see that $msg->(from) included the > > '<' and '>'. > >Quick fix in Exim.pm: > >--- Exim.pm.orig Mon Mar 10 12:34:20 2003 >+++ Exim.pm Mon Mar 10 12:39:25 2003 
>@@ -255,7 +255,13 @@ > chomp(($metadata{user},$metadata{uid},$metadata{gid}) = split / /, ><$RQf>); > # envelope-sender (in <>) > chomp($metadata{sender} = <$RQf>); >- $message->{from} = lc $metadata{sender}; >+ >+ $from = lc $metadata{sender}; >+ $from =~ s/^<\s*//; # leading and >+ $from =~ s/\s*>$//; # trailing <> >+ >+ $message->{from} = $from; >+ > # time msg received (seconds since epoch) > # + number of delay warnings sent > chomp(($metadata{rcvtime},$metadata{warncnt}) = split / /, <$RQf>); > > >This seems to work here but I am not sure about other implications (esp. >for Exim3). Could someone with more Exim experience please have a look >at this? It's nearly right, but not quite. Try the attached patch instead. Sorry about this folks :-( -------------- next part -------------- A non-text attachment was scrubbed... Name: Exim.pm.patch Type: application/octet-stream Size: 1567 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030310/85a21e8b/Exim.pm.obj -------------- next part -------------- -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support From donovan at HUFFDATASYSTEMS.COM Mon Mar 10 12:28:15 2003 From: donovan at HUFFDATASYSTEMS.COM (Donovan Huff | HUFF DATA SYSTEMS) Date: Thu Jan 12 21:17:26 2006 Subject: FromTo: not working? References: <5.2.0.9.2.20030310120836.02805f50@imap.ecs.soton.ac.uk> Message-ID: <00be01c2e700$87167f50$3c82f6d1@x27> Is this patch for MailScanner-4.13-3, how is it properly applied? Donovan ----- Original Message ----- From: "Julian Field" To: Sent: Monday, March 10, 2003 6:10 AM Subject: Re: FromTo: not working? > At 11:42 10/03/2003, you wrote: > > > I was quite surprised to see that $msg->(from) included the > > > '<' and '>'. > > > >Quick fix in Exim.pm: > > > >--- Exim.pm.orig Mon Mar 10 12:34:20 2003 > >+++ Exim.pm Mon Mar 10 12:39:25 2003 
> >@@ -255,7 +255,13 @@ > > chomp(($metadata{user},$metadata{uid},$metadata{gid}) = split / /, > ><$RQf>); > > # envelope-sender (in <>) > > chomp($metadata{sender} = <$RQf>); > >- $message->{from} = lc $metadata{sender}; > >+ > >+ $from = lc $metadata{sender}; > >+ $from =~ s/^<\s*//; # leading and > >+ $from =~ s/\s*>$//; # trailing <> > >+ > >+ $message->{from} = $from; > >+ > > # time msg received (seconds since epoch) > > # + number of delay warnings sent > > chomp(($metadata{rcvtime},$metadata{warncnt}) = split / /, <$RQf>); > > > > > >This seems to work here but I am not sure about other implications (esp. > >for Exim3). Could someone with more Exim experience please have a look > >at this? > > It's nearly right, but not quite. Try the attached patch instead. > Sorry about this folks :-( -------------------------------------------------------------------------------- > -- > Julian Field > www.MailScanner.info > Professional Support Services at www.MailScanner.biz > MailScanner thanks transtec Computers for their support From Jan-Peter.Koopmann at SECEIDOS.DE Mon Mar 10 13:05:43 2003 From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann) Date: Thu Jan 12 21:17:26 2006 Subject: FromTo: not working? Message-ID: <4E7026FF8A422749B1553FE508E0068007EF1F@message.intern.akctech.de> > Is this patch for MailScanner-4.13-3, how is it properly applied? Yes it is and you will need it if you are using Exim instead of Sendmail. Go to your /opt/MailScanner/lib/MailScanner dir and execute patch < Exim.pm.patch Then restart MailScanner. That should do the trick. Regards, JP From Cleveland at MAIL.WINNEFOX.ORG Mon Mar 10 13:57:23 2003 
From: Cleveland at MAIL.WINNEFOX.ORG (Jody Cleveland) Date: Thu Jan 12 21:17:26 2006 Subject: updated sendmail, now MailScanner isn't catching viruses Message-ID: <84CFA712F666B44A94CE6BE116BAF4B0B4E47E@MAIL> Hello, I'm running redhat 8 with sendmail. I used up2date to update sendmail, and now MailScanner with f-prot is no longer catching viruses. Is there a setting or file that was overwritten when I updated that I need to correct? -- Jody Cleveland (cleveland@winnefox.org) Winnefox Library System Computer Support Specialist From Jan-Peter.Koopmann at SECEIDOS.DE Mon Mar 10 13:58:35 2003 From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann) Date: Thu Jan 12 21:17:26 2006 Subject: updated sendmail, now MailScanner isn't catching viruses Message-ID: <4E7026FF8A422749B1553FE508E0068007EF22@message.intern.akctech.de> Hi, > I'm running redhat 8 with sendmail. I used up2date to update > sendmail, and now MailScanner with f-prot is no longer > catching viruses. Is there a setting or file that was > overwritten when I updated that I need to correct? How about some more detailed info? How did you discover that it is not catching viruses any more? Are the MailScanner headers still in the mails? What does the log say? Regards, JP From Cleveland at MAIL.WINNEFOX.ORG Mon Mar 10 14:10:07 2003 
From: Cleveland at MAIL.WINNEFOX.ORG (Jody Cleveland) Date: Thu Jan 12 21:17:26 2006 Subject: updated sendmail, now MailScanner isn't catching viruses Message-ID: <84CFA712F666B44A94CE6BE116BAF4B0B4E47F@MAIL> > How about some more detailed info? How did you discover that it is not > catching viruses any more? Are the MailScanner headers still in the > mails? What does the log say? MailScanner is running, and the headers of each message say it found it to be clean. I just started noticing that I wasn't getting any of the messages saying that viruses are found. I also noticed this morning that backup on our file server is catching viruses on our mail server. (I have a redhat 8 box that scans mail and sends it off to our exchange server. We have a separate file server that backs up all our windows boxes) Jody From jgoggan at DCG.COM Mon Mar 10 14:18:37 2003 From: jgoggan at DCG.COM (John Goggan) Date: Thu Jan 12 21:17:26 2006 Subject: updated sendmail, now MailScanner isn't catching viruses References: <5C0296D26910694BB9A9BBFC577E7AB0EBF46C@pascal.priv.bmrb.co.uk> Message-ID: <3E6C9EBD.AAE45A4F@dcg.com> "Spicer, Kevin" wrote: > > Have you checked sendmail (on its own) isn't running (bypassing MailScanner). Some of the rpms have a habit of kicking off the sendmail process and/or configuring it to start at boot. Indeed! Especially since the latest version of sendmail runs completely differently than any previous versions. It now invokes two copies of itself -- one that runs as non-root and one that is -- so that it no longer needs to be SUID-root. In any case, it runs one to collect on the SMTP port -- and one to do local mail processing. So, I'm not exactly sure what the "up2date" script would have done as far as that goes... - John... From Kevin.Spicer at BMRB.CO.UK Mon Mar 10 14:06:58 2003
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin) Date: Thu Jan 12 21:17:26 2006 Subject: updated sendmail, now MailScanner isn't catching viruses Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0EBF46C@pascal.priv.bmrb.co.uk> Have you checked sendmail (on its own) isn't running (bypassing MailScanner). Some of the rpms have a habit of kicking off the sendmail process and/or configuring it to start at boot. service sendmail stop service MailScanner stop ps -elf | grep sendmail [ kill any sendmail processes ] chkconfig sendmail off service MailScanner start Then test with eicar.com! > -----Original Message----- > From: Jody Cleveland [mailto:Cleveland@MAIL.WINNEFOX.ORG] > Sent: 10 March 2003 13:57 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: updated sendmail, now MailScanner isn't catching viruses > > > Hello, > > I'm running redhat 8 with sendmail. I used up2date to update > sendmail, and > now MailScanner with f-prot is no longer catching viruses. Is there a > setting or file that was overwritten when I updated that I > need to correct? > > -- > Jody Cleveland > (cleveland@winnefox.org) > > Winnefox Library System > Computer Support Specialist > From john at OFIZ.COM Mon Mar 10 14:25:23 2003
From: john at OFIZ.COM (John Thewlis) Date: Thu Jan 12 21:17:26 2006 Subject: mailscanner-mrtg In-Reply-To: Message-ID: Hi I am attempting to install mrtg for mailscanner monitoring. I have downloaded the mailscanner-mrtg tar file into /home/mailscanner/monitoring on a Cobalt RaQ4r and am attempting to install this. However, it gives the following error. [root monitoring]# tar zxvf mailscanner-mrtg-0.03.tar.gz gzip: stdin: not in gzip format tar: Child returned status 1 tar: Error exit delayed from previous errors Any ideas as to how to fix this error? Many thanks John From ap at HPI.COM Mon Mar 10 15:11:37 2003 From: ap at HPI.COM (Adam Polkosnik) Date: Thu Jan 12 21:17:26 2006 Subject: mailscanner-mrtg In-Reply-To: Message-ID: I bet that you used some old version of netscape and it decompressed the file after downloading. You can try " cat mailscanner-mrtg-0.03.tar.gz | tar xfv - " -----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of John Thewlis Sent: Monday, March 10, 2003 9:25 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: mailscanner-mrtg Hi I am attempting to install mrtg for mailscanner monitoring. I have downloaded the mailscanner-mrtg tar file into /home/mailscanner/monitoring on a Cobalt RaQ4r and am attempting to install this. However, it gives the following error. [root monitoring]# tar zxvf mailscanner-mrtg-0.03.tar.gz gzip: stdin: not in gzip format tar: Child returned status 1 tar: Error exit delayed from previous errors Any ideas as to how to fix this error? Many thanks John From Jan-Peter.Koopmann at SECEIDOS.DE Mon Mar 10 16:13:21 2003
From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann) Date: Thu Jan 12 21:17:26 2006 Subject: Bayes problem with MailScanner Message-ID: <4E7026FF8A422749B1553FE508E0068007EF29@message.intern.akctech.de> Hi, I am still trying to figure out why MailScanner is not using Bayes at the moment. Therefore I hacked the code a bit to write all SA debug output to a log file even when being called by MailScanner. Here is an interesting part: using "/usr/local/share/spamassassin" for default rules dir using "/usr/local/etc/mail/spamassassin" for site rules dir using "/var/spool/exim.in/.spamassassin" for user state dir using "/usr/local/MailScanner/etc/spam.assassin.prefs.conf" for user prefs file bayes: tie-ing to DB file R/O /var/spool/spamassassin/bayes_toks bayes: tie-ing to DB file R/O /var/spool/spamassassin/bayes_seen debug: Only 53 spam(s) in Bayes DB < 200 So the MailScanner/SA combination thinks it only has 53 spams. But now have a look at this: root@proxy:/usr/ports/mail/p5-Mail-SpamAssassin/work/Mail-SpamAssassin-2 .50/tools # ./check_bayes_db -db /var/spool/spamassassin/bayes 0.000 0 0 0 non-token data: db format = on-the-fly probs, expiry, scan-counting 0.000 0 269 0 non-token data: nspam 0.000 0 2320 0 non-token data: nham 0.000 0 0 0 non-token data: ntokens 0.000 0 0 0 non-token data: oldest age 0.000 0 270 0 non-token data: current scan-count 0.000 0 0 0 non-token data: last expiry scan-count Or this: root@proxy:/tmp # spamassassin -t < 1047306210_0.78770.proxy.intern.akctech.de debug: using "/usr/local/etc/mail/spamassassin" for site rules dir debug: using "/root/.spamassassin" for user state dir debug: using "/root/.spamassassin/user_prefs" for user prefs file debug: bayes: tie-ing to DB file R/O /var/spool/spamassassin/bayes_toks debug: bayes: tie-ing to DB file R/O /var/spool/spamassassin/bayes_seen debug: Score set 3 chosen. --- snipp --- debug: bayes corpus size: nspam = 269, nham = 2320 And of course bayes is used by spamassassin -t.... 
I simply do not see the difference... both ways use the same database obviously. Why does the SA/MS combination say 53 spams in the DB? BTW: /var/spool/exim.in/.spamassassin and /root/.spamassassin are equal so that should not be it. Regards, JP From smohan at vsnl.com Mon Mar 10 16:54:31 2003 From: smohan at vsnl.com (S Mohan) Date: Thu Jan 12 21:17:26 2006 Subject: updated sendmail, now MailScanner isn't catching viruses In-Reply-To: <84CFA712F666B44A94CE6BE116BAF4B0B4E47F@MAIL> Message-ID: <003c01c2e725$bfcacb60$d06141db@18yamuna> I had the same problem. Mails were stuck in mqueue.in and were not scanned. I just reinstalled MailScanner after I upgraded sendmail and it started working. Reasons? I have not spent time to understand this as yet. Mohan -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Jody Cleveland Sent: Monday, March 10, 2003 7:40 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: updated sendmail, now MailScanner isn't catching viruses > How about some more detailed info? How did you discover that it is not > catching viruses any more? Are the MailScanner headers still in the > mails? What does the log say? MailScanner is running, and the headers of each message say it found it to be clean. I just started noticing that I wasn't getting any of the messages saying that viruses are found. I also noticed this morning that backup on our file server is catching viruses on our mail server. (I have a redhat 8 box that scans mail and sends it off to our exchange server. We have a separate file server that backs up all our windows boxes) Jody From Jan-Peter.Koopmann at SECEIDOS.DE Mon Mar 10 17:12:03 2003 From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann) Date: Thu Jan 12 21:17:27 2006 Subject: Bayes problem with MailScanner Message-ID: <4E7026FF8A422749B1553FE508E0068007EF2B@message.intern.akctech.de> Hi, > Does it change if you do a > sa-learn --rebuild > ? I am doing this once an hour via cron job. Have a look at the debug output: It is using the same db as the check_bayes_db AND the same db as it is using when I am manually doing a spamassassin -t. I am 99.9999% sure that the tokens are in the right db and are correctly learned. That's what is so strange about this. Somehow SA interprets the db contents differently depending on how it is called. I had a quick look at the source and could not find anything... Regards, JP From mailscanner at ecs.soton.ac.uk Mon Mar 10 17:03:31 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:27 2006 Subject: Bayes problem with MailScanner In-Reply-To: <4E7026FF8A422749B1553FE508E0068007EF29@message.intern.akct ech.de> Message-ID: <5.2.0.9.2.20030310170316.03f9ac58@imap.ecs.soton.ac.uk> Does it change if you do a sa-learn --rebuild ? At 16:13 10/03/2003, you wrote: >Hi, > >I am still trying to figure out why MailScanner is not using Bayes at >the moment. Therefore I hacked the code a bit to write all SA debug >output to a log file even when being called by MailScanner. Here is an >interesting part: > >using "/usr/local/share/spamassassin" for default rules dir >using "/usr/local/etc/mail/spamassassin" for site rules dir >using "/var/spool/exim.in/.spamassassin" for user state dir >using "/usr/local/MailScanner/etc/spam.assassin.prefs.conf" for user >prefs file >bayes: tie-ing to DB file R/O /var/spool/spamassassin/bayes_toks >bayes: tie-ing to DB file R/O /var/spool/spamassassin/bayes_seen >debug: Only 53 spam(s) in Bayes DB < 200 > >So the MailScanner/SA combination thinks it only has 53 spams. 
But now >have a look at this: > >root@proxy:/usr/ports/mail/p5-Mail-SpamAssassin/work/Mail-SpamAssassin-2 >.50/tools # ./check_bayes_db -db /var/spool/spamassassin/bayes >0.000 0 0 0 non-token data: db format = on-the-fly >probs, expiry, scan-counting >0.000 0 269 0 non-token data: nspam >0.000 0 2320 0 non-token data: nham >0.000 0 0 0 non-token data: ntokens >0.000 0 0 0 non-token data: oldest age >0.000 0 270 0 non-token data: current scan-count >0.000 0 0 0 non-token data: last expiry scan-count > >Or this: > >root@proxy:/tmp # spamassassin -t < >1047306210_0.78770.proxy.intern.akctech.de >debug: using "/usr/local/etc/mail/spamassassin" for site rules dir >debug: using "/root/.spamassassin" for user state dir >debug: using "/root/.spamassassin/user_prefs" for user prefs file >debug: bayes: tie-ing to DB file R/O /var/spool/spamassassin/bayes_toks >debug: bayes: tie-ing to DB file R/O /var/spool/spamassassin/bayes_seen >debug: Score set 3 chosen. >--- snipp --- >debug: bayes corpus size: nspam = 269, nham = 2320 > >And of course bayes is used by spamassassin -t.... > >I simply do not see the difference... both ways use the same database >obviously. Why does the SA/MS combination say 53 spams in the DB? > >BTW: /var/spool/exim.in/.spamassassin and /root/.spamassassin are equal >so that sould not be it. > >Regards, > JP -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From mbowman at UDCOM.COM Mon Mar 10 16:52:03 2003 
From: mbowman at UDCOM.COM (Matthew Bowman) Date: Thu Jan 12 21:17:27 2006 Subject: updated sendmail, now MailScanner isn't catching viruses Message-ID: I first updated my sendmail on my RH 7.2 box then applied MailScanner 4.13-3. The only problem that I had was spamc getting connection refused to 127.0.0.1 (localhost), I circumvented that by using the -i flag with spamd in the rc script. No problems encountered with Virus Scanning. Matthew. S Mohan Sent by: MailScanner mailing list 03/10/2003 11:54 AM Please respond to smohan To: MAILSCANNER@JISCMAIL.AC.UK cc: Subject: Re: updated sendmail, now MailScanner isn't catching viruses I had the same problem. Mails were stuck in mqueue.in and were not scanned. I just reinstalled MialScanner after I upgraded sendmail and it started working. Reasons? I have not spent time to understand this as yet. Mohan -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Jody Cleveland Sent: Monday, March 10, 2003 7:40 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: updated sendmail, now MailScanner isn't catching viruses > How about some more detailed info? How did you discover that it is not > catching viruses any more? Are the MailScanner headers still in the > mails? What does the log say? MailScanner is running, and the headers of each message say it found it to be clean. I just starting noticing that I wasn't getting any of the messages saying that viruses are found. I also noticed this morning that backup on our file server is catching viruses on our mail server. ( I have a redhat 8 box that scans mail and sends it off to our exchange server. We have a separate file server that backs up all our windows boxes) Jody From Jan-Peter.Koopmann at SECEIDOS.DE Mon Mar 10 17:29:50 2003 
From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann) Date: Thu Jan 12 21:17:27 2006 Subject: Spamassassin -r Message-ID: <4E7026FF8A422749B1553FE508E0068007EF2C@message.intern.akctech.de> BTW: Does spamassassin -r also delete X-MailScanner headers or should one do that manually before calling it? Thanks, JP From mailscanner at ecs.soton.ac.uk Mon Mar 10 17:33:21 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:27 2006 Subject: updated sendmail, now MailScanner isn't catching viruses In-Reply-To: Message-ID: <5.2.0.9.2.20030310173309.03daafc8@imap.ecs.soton.ac.uk> But MailScanner doesn't even use spamc... At 16:52 10/03/2003, you wrote: >I first updated my sendmail on my RH 7.2 box then applied MailScanner >4.13-3. The only problem that I had was spamc getting connection refused >to 127.0.0.1 (localhost), I circumvented that by using the -i >flag with spamd in the rc script. No problems encountered with Virus >Scanning. > >Matthew. > > > > > >S Mohan >Sent by: MailScanner mailing list >03/10/2003 11:54 AM >Please respond to smohan > > > To: MAILSCANNER@JISCMAIL.AC.UK > cc: > Subject: Re: updated sendmail, now MailScanner isn't > catching viruses > > >I had the same problem. Mails were stuck in mqueue.in and were not >scanned. I just reinstalled MialScanner after I upgraded sendmail and it >started working. > >Reasons? I have not spent time to understand this as yet. > >Mohan > >-----Original Message----- 
>From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On >Behalf Of Jody Cleveland >Sent: Monday, March 10, 2003 7:40 PM >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Re: updated sendmail, now MailScanner isn't catching viruses > > > > How about some more detailed info? How did you discover that it is not > > > catching viruses any more? Are the MailScanner headers still in the > > mails? What does the log say? > >MailScanner is running, and the headers of each message say it found it >to be clean. I just starting noticing that I wasn't getting any of the >messages saying that viruses are found. I also noticed this morning that >backup on our file server is catching viruses on our mail server. ( I >have a redhat 8 box that scans mail and sends it off to our exchange >server. We have a separate file server that backs up all our windows >boxes) > >Jody -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From Cleveland at MAIL.WINNEFOX.ORG Mon Mar 10 18:32:19 2003 From: Cleveland at MAIL.WINNEFOX.ORG (Jody Cleveland) Date: Thu Jan 12 21:17:27 2006 Subject: updated sendmail, now MailScanner isn't catching viruses Message-ID: <84CFA712F666B44A94CE6BE116BAF4B0B4E481@MAIL> > I had the same problem. Mails were stuck in mqueue.in and were not > scanned. I just reinstalled MialScanner after I upgraded > sendmail and it > started working. Ok. I notice there's a newer version out, and I would like to update to that one anyhow. My question is, how do I do this seamlessly without disrupting users. Is there an upgrade script that will update the program without messing with settings? Jody From mkettler at EVI-INC.COM Mon Mar 10 19:03:18 2003 
From: mkettler at EVI-INC.COM (Matt Kettler) Date: Thu Jan 12 21:17:27 2006 Subject: Spamassassin -r In-Reply-To: <4E7026FF8A422749B1553FE508E0068007EF2C@message.intern.akct ech.de> Message-ID: <5.2.0.9.0.20030310135919.01989e70@192.168.50.2> It should not.. SpamAssassin isn't "aware" of MailScanner. SpamAssassin will only auto-remove markups that it generates itself (which MailScanner doesn't use). That said, header changes don't need to be removed.. Razor doesn't examine message headers at all, other than the subject for tracking purposes. What needs to be removed is any BODY changes (and in some modes, spamassassin does generate markups in the message body). Make sure that any custom "scanned by" message footers and other body modifiers get removed prior to calling spamassassin -r and you should be ok. Also make sure the message didn't have any HTML stripping run. At 06:29 PM 3/10/2003 +0100, Jan-Peter Koopmann wrote: >BTW: Does spamassassin -r also delete X-MailScanner headers or should >one do that manually before calling it? > >Thanks, > JP From davidclosson at MSN.COM Mon Mar 10 19:12:55 2003 From: davidclosson at MSN.COM (David Closson) Date: Thu Jan 12 21:17:27 2006 Subject: accumulation of files in /var/spool/mqueue.in Message-ID: Greetings, Using RH 7.3 Using Sendmail 8.11-6 MailScanner 4.13-3 Using McAfee AV I have been happily using MailScanner for almost a year now and have had to remove the accumulation of files in /var/spool/mqueue.in after a month or so. I am not sure if these are messages already delivered and were not removed or ? I have had no reports of missing email. _________ Sincerely, David Closson 209-736-0111 _________________________________________________________________ Help STOP SPAM with the new MSN 8 and get 2 months FREE* http://join.msn.com/?page=features/junkmail From mailscanner at ecs.soton.ac.uk Mon Mar 10 19:27:44 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:27 2006 Subject: accumulation of files in /var/spool/mqueue.in In-Reply-To: Message-ID: <5.2.0.9.2.20030310192506.027bbf80@imap.ecs.soton.ac.uk> At 19:12 10/03/2003, you wrote: >Greetings, > >Using RH 7.3 >Using Sendmail 8.11-6 >MailScanner 4.13-3 >Using McAfee AV > >I have been happily using MailScanner for almost a year now and have had to >remove the accumulation of files in /var/spool/mqueue.in after a month or >so. > >I am not sure if these are messages already delivered and were not removed >or ? > >I have had no reports of missing email. If they are stray files that aren't part of a matching qf / df pair, then you can safely delete them. If an SMTP session into your server gets interrupted for some reason, a stray file will be left behind. The server at the far end of the session knows that its message transmission got interrupted and will retry anyway. SMTP is designed pretty carefully to ensure things don't get lost in transit. -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support From mbowman at UDCOM.COM Mon Mar 10 19:56:14 2003 
From: mbowman at UDCOM.COM (Matthew Bowman) Date: Thu Jan 12 21:17:27 2006 Subject: Virus Scanning messages... Message-ID: I updated MailScanner last Wednesday, after updating sendmail. Until I changed MailScanner, maillog was reporting these Mar 5 13:56:31 smithers MailScanner[27140]: Virus Scanning: Found 1 viruses Mar 5 13:56:31 smithers MailScanner[27140]: Silent: Delivered 1 messages containing silent viruses Ever since, I have seen no entries (which is unexpected). I'm running RH 7.2 w/ MailScanner 4.13-3 and clamscan 0.54 Here is an expanded extract from my MailScanner.conf Virus Scanning = yes # Virus Scanners = sophos f-prot mcafee # Virus Scanners = clamav Virus Scanner Timeout = 300 Deliver Disinfected Files = yes Silent Viruses = Klez Yaha-E Bugbear Braid-A WinEvar Still Deliver Silent Viruses = yes #Allowed Sophos Error Messages = corrupt Block Encrypted Messages = no Block Unencrypted Messages = no What has caused this to happen considering my MailScanner.conf was updated with the previous settings? Thanks Matthew From mbowman at UDCOM.COM Mon Mar 10 19:32:17 2003 
From: mbowman at UDCOM.COM (Matthew Bowman) Date: Thu Jan 12 21:17:27 2006 Subject: updated sendmail, now MailScanner isn't catching viruses Message-ID: This is a related problem. MailScanner is detecting filename rules but not actual viruses. Even though Virus Scanners = clamav. This was working until I upgraded MailScanner on March 5th. sendmail was patched before I updated MailScanner. I'm running RH 7.2 w/ MailScanner 4.13-3 and clamscan 0.54 Here is an expanded extract from my MailScanner.conf Virus Scanning = yes # Virus Scanners = sophos f-prot mcafee # Virus Scanners = clamav Virus Scanner Timeout = 300 Deliver Disinfected Files = yes Silent Viruses = Klez Yaha-E Bugbear Braid-A WinEvar Still Deliver Silent Viruses = yes #Allowed Sophos Error Messages = corrupt Block Encrypted Messages = no Block Unencrypted Messages = no I'm at a loss as to what has happened. Any ideas what the problem is? Matthew From raymond at PROLOCATION.NET Mon Mar 10 20:33:12 2003 From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:17:27 2006 Subject: Delaying identified SPAM In-Reply-To: <20030310202854.GD63427@affymetrix.com> Message-ID: Hi! > I have a feature request. I'd like to be able to delay the delivery of > Spam until some specified time period, for example overnight. The main > goal of this request is to normalize the load on our mail servers by > time-shifting the unimportant Spam. Why not do a simple grep on your queue dir and move them to another dir on your server, and put them back n the delivery queue once you are ready? They do have the {SPAM?} inside so should be easy to catch. You could cron this so automate it. Bye, Raymond. From nicholas_esborn at AFFYMETRIX.COM Mon Mar 10 20:28:54 2003 
From: nicholas_esborn at AFFYMETRIX.COM (Nicholas Esborn) Date: Thu Jan 12 21:17:27 2006 Subject: Delaying identified SPAM Message-ID: <20030310202854.GD63427@affymetrix.com> Hello, I have a feature request. I'd like to be able to delay the delivery of Spam until some specified time period, for example overnight. The main goal of this request is to normalize the load on our mail servers by time-shifting the unimportant Spam. Thanks, -nick -- Nicholas Esborn Affymetrix, Inc. 510/428.8505 Every message PGP signed -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 187 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030310/4eed17d3/attachment.bin From Antony at SOFT-SOLUTIONS.CO.UK Mon Mar 10 21:00:29 2003 From: Antony at SOFT-SOLUTIONS.CO.UK (Antony Stone) Date: Thu Jan 12 21:17:27 2006 Subject: Delaying identified SPAM In-Reply-To: <20030310202854.GD63427@affymetrix.com> References: <20030310202854.GD63427@affymetrix.com> Message-ID: <200303102100.h2AL0XV14365@Networker.Rockstone.co.uk> On Monday 10 March 2003 8:28 pm, Nicholas Esborn wrote: > Hello, > > I have a feature request. I'd like to be able to delay the delivery of > Spam until some specified time period, for example overnight. The main > goal of this request is to normalize the load on our mail servers by > time-shifting the unimportant Spam. Instead of telling MailScanner to 'deliver' the mail, tell it to 'store' it (and set both Quarantine Whole Message and Quarantine Whole Messages As Queue Files to yes), and then whenever you're ready to deliver the spam, simply move the files from the quarantine queue directory to the sendmail outgoing mail directory (eg with a cron job). Regards, Antony. -- There are only 10 types of people in the world: those who understand binary notation, and those who don't. From smohan at vsnl.com Tue Mar 11 01:39:08 2003 
From: smohan at vsnl.com (S Mohan)
Date: Thu Jan 12 21:17:27 2006
Subject: accumulation of files in /var/spool/mqueue.in
In-Reply-To:
Message-ID: <000a01c2e76f$057eb010$7e6041db@18yamuna>

I had the same stuff. I looked up a few files and associated mail log. These were remnants of broken SMTP conversations. In order to clear these automatically, I created a daily cron job as under.

    find /var/spool/mqueue.in -mtime +6 | xargs rm -f

I gave 6 days as sendmail will anyway abort after 5 days delivery. Thus files older than that anyway would be broken files.

Mohan

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of David Closson
Sent: Tuesday, March 11, 2003 1:27 AM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: accumulation of files in /var/spool/mqueue.in

OK, I figured as much. Thank you for the rapid response.

We are processing about 350,000 emails a day (heavier day) with MailScanner and Spamassassin. This figure is combined in and out for all of our users.

_________
Sincerely,
David Closson
209-736-0111

>From: Julian Field
>Reply-To: MailScanner mailing list
>To: MAILSCANNER@JISCMAIL.AC.UK
>Subject: Re: accumulation of files in /var/spool/mqueue.in
>Date: Mon, 10 Mar 2003 19:27:44 +0000
>
>At 19:12 10/03/2003, you wrote:
>>Greetings,
>>
>>Using RH 7.3
>>Using Sendmail 8.11-6
>>MailScanner 4.13-3
>>Using McAfee AV
>>
>>I have been happily using MailScanner for almost a year now and have
>>had to remove the accumulation of files in /var/spool/mqueue.in after
>>a month or so.
>>
>>I am not sure if these are messages already delivered and were not
>>removed or ?
>>
>>I have had no reports of missing email.
>
>If they are stray files that aren't part of a matching qf / df pair,
>then you can safely delete them. If an SMTP session into your server
>gets interrupted for some reason, a stray file will be left behind. The
>server at the far end of the session knows that its message
>transmission got interrupted and will retry anyway. SMTP is designed
>pretty carefully to ensure things don't get lost in transit.
>--
>Julian Field
>www.MailScanner.info
>Professional Support Services at www.MailScanner.biz MailScanner thanks
>transtec Computers for their support

From craig at STRONG-BOX.NET Tue Mar 11 02:47:07 2003
From: craig at STRONG-BOX.NET (Craig Pratt)
Date: Thu Jan 12 21:17:27 2006
Subject: accumulation of files in /var/spool/mqueue.in
In-Reply-To: <000a01c2e76f$057eb010$7e6041db@18yamuna>
Message-ID:

Thanks for the tip. I've been seeing these queue files occasionally as well. Most recently, when I updated the sendmail access.db without restarting sendmail/MailScanner. This seemed to cause sendmail to die during SMTP connections - presumably due to the fact that sendmail's cached file state didn't match the actual file.

What I'm wondering, though, is it safe to delete the files in mqueue.in with sendmail/MailScanner running? [sounds like a potential FAQ, as well]

Craig

On Monday, March 10, 2003, at 05:39 PM, S Mohan wrote:

> I had the same stuff. I looked up a few files and associated mail log.
> These were remnants of broken SMTP conversations. In order to clear
> these automatically, I created a daily cron job as under.
>
>     find /var/spool/mqueue.in -mtime +6 | xargs rm -f
>
> I gave 6 days as sendmail will anyway abort after 5 days delivery. Thus
> files older than that anyway would be broken files.
>
> Mohan
>
> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On
> Behalf Of David Closson
> Sent: Tuesday, March 11, 2003 1:27 AM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: accumulation of files in /var/spool/mqueue.in
>
> OK, I figured as much. Thank you for the rapid response.
>
> We are processing about 350,000 emails a day (heavier day) with
> MailScanner and Spamassassin. This figure is combined in and out for
> all of our users.
>
> _________
> Sincerely,
> David Closson
> 209-736-0111
>
>> From: Julian Field
>> Reply-To: MailScanner mailing list
>> To: MAILSCANNER@JISCMAIL.AC.UK
>> Subject: Re: accumulation of files in /var/spool/mqueue.in
>> Date: Mon, 10 Mar 2003 19:27:44 +0000
>>
>> At 19:12 10/03/2003, you wrote:
>>> Greetings,
>>>
>>> Using RH 7.3
>>> Using Sendmail 8.11-6
>>> MailScanner 4.13-3
>>> Using McAfee AV
>>>
>>> I have been happily using MailScanner for almost a year now and have
>>> had to remove the accumulation of files in /var/spool/mqueue.in after
>>> a month or so.
>>>
>>> I am not sure if these are messages already delivered and were not
>>> removed or ?
>>>
>>> I have had no reports of missing email.
>>
>> If they are stray files that aren't part of a matching qf / df pair,
>> then you can safely delete them. If an SMTP session into your server
>> gets interrupted for some reason, a stray file will be left behind.
>> The server at the far end of the session knows that its message
>> transmission got interrupted and will retry anyway. SMTP is designed
>> pretty carefully to ensure things don't get lost in transit.
>> --
>> Julian Field
>> www.MailScanner.info
>> Professional Support Services at www.MailScanner.biz MailScanner
>> thanks transtec Computers for their support

--
This message checked for dangerous content by MailScanner on StrongBox.

From mailscanner at BARENDSE.TO Tue Mar 11 08:01:36 2003
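The qf / df pairing rule from the mqueue.in thread as a dry-run check, added here as an example and not posted by any list member: it lists only queue files older than the given number of days whose partner file is missing, rather than everything old. The function names and the queue IDs in the demo are constructed; only qf and df files are considered.

```shell
#!/bin/sh
# Added example (not from the list): report stray sendmail queue files.
# A queued message is a qf<ID> (control) / df<ID> (data) pair; a file whose
# partner is missing and which is older than DAYS is a leftover from an
# interrupted SMTP session. Nothing is deleted here; the output is a list.

# list_stray_queue_files DIR [DAYS]   (hypothetical helper name)
list_stray_queue_files() {
    qdir=$1
    days=${2:-6}    # same 6-day threshold as the cron job in the thread
    find "$qdir" -type f \( -name 'qf*' -o -name 'df*' \) -mtime +"$days" |
    while IFS= read -r path; do
        dir=${path%/*}
        name=${path##*/}
        id=${name#??}               # strip the two-letter qf/df prefix
        case $name in
            qf*) partner=$dir/df$id ;;
            df*) partner=$dir/qf$id ;;
        esac
        # Complete pairs are kept, even old ones: they are real queued mail.
        [ -e "$partner" ] || printf '%s\n' "$path"
    done | sort
}

# demo_stray_queue_files: build a constructed spool directory, print the
# basenames that would be reported, then remove the directory again.
demo_stray_queue_files() {
    q=$(mktemp -d) || return 1
    old=200303010000                    # constructed old mtime (touch -t format)
    touch -t "$old" "$q/qfh2BExmpl001" "$q/dfh2BExmpl001"   # complete old pair
    touch -t "$old" "$q/dfh2BExmpl002"  # old df with no qf
    touch -t "$old" "$q/qfh2BExmpl003"  # old qf with no df
    touch "$q/dfh2BExmpl004"            # fresh df, message still arriving
    list_stray_queue_files "$q" 6 | sed 's|.*/||'
    rm -rf "$q"
}

# Command-line use: sh stray-queue.sh /var/spool/mqueue.in 6
if [ "$#" -gt 0 ]; then
    list_stray_queue_files "$@"
fi
```

The age threshold keeps the check away from files that an SMTP session is still writing, which is the case the question about deleting with sendmail/MailScanner running is concerned with.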
From: mailscanner at BARENDSE.TO (Remco Barendse)
Date: Thu Jan 12 21:17:27 2006
Subject: Bug in filename rules handling?
Message-ID:

This morning we have received a message with filename extension hiding. The attachment is named ACN.DOC.xls.doc

Mar 10 17:38:12 linux MailScanner[17336]: New Batch: Scanning 1 messages, 38249 bytes
Mar 10 17:38:12 linux MailScanner[17336]: Virus and Content Scanning: Starting
Mar 10 17:38:12 linux MailScanner[17336]: Filename Checks: Found possible filename hiding (ACN.DOC.xls.doc)
Mar 10 17:38:12 linux MailScanner[17336]: Other Checks: Found 1 problems
Mar 10 17:38:12 linux MailScanner[17336]: Saved entire message to /var/spool/MailScanner/quarantine/20030310/h2AGcBSh018875
Mar 10 17:38:12 linux MailScanner[17336]: Cleaned: Delivered 1 cleaned messages

Although a notification was sent to postmaster that a virus had been caught, and the message subject was correctly modified and there was a notification inside the message to look inside VirusWarning.txt things didn't work.

The attachment was let through 'as-is' without renaming or without removing it. Furthermore there was no VirusWarning.txt attached to the mail message although the body of the message referred to it. I have set however that warnings should *not* be sent as an attachment so maybe this is another bug?

Things worked fine with the 4.12 release, this was found on release 4.13-3

The message went through our Exchange server and because of a forward rule the message was sent outside again. Again MailScanner reported the problem but did not remove the attachment!

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

From craig at STRONG-BOX.NET Tue Mar 11 08:06:47 2003
From: craig at STRONG-BOX.NET (Craig Pratt) Date: Thu Jan 12 21:17:27 2006 Subject: Bug in filename rules handling? In-Reply-To: Message-ID: <67FF0AEE-5398-11D7-AF6E-000393B9390A@strong-box.net> Have any of the "X-MailScanner" headers been added to the message? If not, this might mean that MailScanner is not actually the one delivering the message. Is it possible that sendmail is running behind MS's back? Craig On Tuesday, March 11, 2003, at 12:01 AM, Remco Barendse wrote: > This morning we have received a message with filename extension hiding. > The attachment is named ACN.DOC.xls.doc > > Mar 10 17:38:12 linux MailScanner[17336]: New Batch: Scanning 1 > messages, 38249 bytes > Mar 10 17:38:12 linux MailScanner[17336]: Virus and Content Scanning: > Starting > Mar 10 17:38:12 linux MailScanner[17336]: Filename Checks: Found > possible filename hiding (ACN.DOC.xls.doc) > Mar 10 17:38:12 linux MailScanner[17336]: Other Checks: Found 1 > problems > Mar 10 17:38:12 linux MailScanner[17336]: Saved entire message to > /var/spool/MailScanner/quarantine/20030310/h2AGcBSh018875 > Mar 10 17:38:12 linux MailScanner[17336]: Cleaned: Delivered 1 cleaned > messages > > Although a notification was sent to postmaster that a virus had been > caught, and the message subject was correctly modified and there was a > notification inside the message to look inside VirusWarning.txt things > didn't work. > > The attachment was let through 'as-is' without renaming or without > removing it. Furthermore there was no VirusWarning.txt attached to the > mail message although the body of the message referred to it. I have > set > however that warnings should *not* be sent as an attachment so maybe > this > is another bug? > > Things worked fine with the 4.12 release, this was found on release > 4.13-3 > > The message went through our Exchange server and because of a forward > rule > the message was sent outside again. Again MailScanner reported the > problem > but did not remove the attachment! 
> > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > Craig Pratt Strongbox Network Services Inc. mailto:craig@strong-box.net -- This message checked for dangerous content by MailScanner on StrongBox. From mailscanner at BARENDSE.TO Tue Mar 11 08:36:59 2003 
From: mailscanner at BARENDSE.TO (Remco Barendse) Date: Thu Jan 12 21:17:27 2006 Subject: Bug in filename rules handling? In-Reply-To: <67FF0AEE-5398-11D7-AF6E-000393B9390A@strong-box.net> Message-ID: Yes the headers were added as they should and the header also said 'found to be infected' Everything seems to be OK but the attachment was not removed and the VirusWarning was not inserted in the message as it should nor was it sent as an attachment. On Tue, 11 Mar 2003, Craig Pratt wrote: > Have any of the "X-MailScanner" headers been added to the message? > > If not, this might mean that MailScanner is not actually the one > delivering the message. Is it possible that sendmail is running behind > MS's back? > > Craig > > On Tuesday, March 11, 2003, at 12:01 AM, Remco Barendse wrote: > > This morning we have received a message with filename extension hiding. > > The attachment is named ACN.DOC.xls.doc > > > > Mar 10 17:38:12 linux MailScanner[17336]: New Batch: Scanning 1 > > messages, 38249 bytes > > Mar 10 17:38:12 linux MailScanner[17336]: Virus and Content Scanning: > > Starting > > Mar 10 17:38:12 linux MailScanner[17336]: Filename Checks: Found > > possible filename hiding (ACN.DOC.xls.doc) > > Mar 10 17:38:12 linux MailScanner[17336]: Other Checks: Found 1 > > problems > > Mar 10 17:38:12 linux MailScanner[17336]: Saved entire message to > > /var/spool/MailScanner/quarantine/20030310/h2AGcBSh018875 > > Mar 10 17:38:12 linux MailScanner[17336]: Cleaned: Delivered 1 cleaned > > messages > > > > Although a notification was sent to postmaster that a virus had been > > caught, and the message subject was correctly modified and there was a > > notification inside the message to look inside VirusWarning.txt things > > didn't work. > > > > The attachment was let through 'as-is' without renaming or without > > removing it. Furthermore there was no VirusWarning.txt attached to the > > mail message although the body of the message referred to it. 
I have > > set > > however that warnings should *not* be sent as an attachment so maybe > > this > > is another bug? > > > > Things worked fine with the 4.12 release, this was found on release > > 4.13-3 > > > > The message went through our Exchange server and because of a forward > > rule > > the message was sent outside again. Again MailScanner reported the > > problem > > but did not remove the attachment! > > > > > > -- > > This message has been scanned for viruses and > > dangerous content by MailScanner, and is > > believed to be clean. > > > Craig Pratt > Strongbox Network Services Inc. > mailto:craig@strong-box.net > > > -- > This message checked for dangerous content by MailScanner on StrongBox. > -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From craig at STRONG-BOX.NET Tue Mar 11 08:46:27 2003 
From: craig at STRONG-BOX.NET (Craig Pratt) Date: Thu Jan 12 21:17:27 2006 Subject: Bug in filename rules handling? In-Reply-To: Message-ID: How about the "Deliver Disinfected Files" option? Wouldn't that produce the behavior you're seeing? # Should I attempt to disinfect infected attachments and then deliver # the clean ones. "Disinfection" involves removing viruses from files # (such as removing macro viruses from documents). "Cleaning" is the # replacement of infected attachments with "VirusWarning.txt" text # attachments. # This can also be the filename of a ruleset. Deliver Disinfected Files = yes On Tuesday, March 11, 2003, at 12:36 AM, Remco Barendse wrote: > Yes the headers were added as they should and the header also said > 'found > to be infected' > > Everything seems to be OK but the attachment was not removed and the > VirusWarning was not inserted in the message as it should nor was it > sent > as an attachment. > > On Tue, 11 Mar 2003, Craig Pratt wrote: > >> Have any of the "X-MailScanner" headers been added to the message? >> >> If not, this might mean that MailScanner is not actually the one >> delivering the message. Is it possible that sendmail is running behind >> MS's back? >> >> Craig >> >> On Tuesday, March 11, 2003, at 12:01 AM, Remco Barendse wrote: >>> This morning we have received a message with filename extension >>> hiding. 
>>> The attachment is named ACN.DOC.xls.doc >>> >>> Mar 10 17:38:12 linux MailScanner[17336]: New Batch: Scanning 1 >>> messages, 38249 bytes >>> Mar 10 17:38:12 linux MailScanner[17336]: Virus and Content Scanning: >>> Starting >>> Mar 10 17:38:12 linux MailScanner[17336]: Filename Checks: Found >>> possible filename hiding (ACN.DOC.xls.doc) >>> Mar 10 17:38:12 linux MailScanner[17336]: Other Checks: Found 1 >>> problems >>> Mar 10 17:38:12 linux MailScanner[17336]: Saved entire message to >>> /var/spool/MailScanner/quarantine/20030310/h2AGcBSh018875 >>> Mar 10 17:38:12 linux MailScanner[17336]: Cleaned: Delivered 1 >>> cleaned >>> messages >>> >>> Although a notification was sent to postmaster that a virus had been >>> caught, and the message subject was correctly modified and there was >>> a >>> notification inside the message to look inside VirusWarning.txt >>> things >>> didn't work. >>> >>> The attachment was let through 'as-is' without renaming or without >>> removing it. Furthermore there was no VirusWarning.txt attached to >>> the >>> mail message although the body of the message referred to it. I have >>> set >>> however that warnings should *not* be sent as an attachment so maybe >>> this >>> is another bug? >>> >>> Things worked fine with the 4.12 release, this was found on release >>> 4.13-3 >>> >>> The message went through our Exchange server and because of a forward >>> rule >>> the message was sent outside again. Again MailScanner reported the >>> problem >>> but did not remove the attachment! >>> >>> >>> -- >>> This message has been scanned for viruses and >>> dangerous content by MailScanner, and is >>> believed to be clean. >>> >> Craig Pratt >> Strongbox Network Services Inc. >> mailto:craig@strong-box.net >> >> >> -- >> This message checked for dangerous content by MailScanner on >> StrongBox. >> > > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. 
>
Craig Pratt
Strongbox Network Services Inc.
mailto:craig@strong-box.net

--
This message checked for dangerous content by MailScanner on StrongBox.

From mailscanner at ecs.soton.ac.uk Tue Mar 11 08:39:15 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:27 2006
Subject: accumulation of files in /var/spool/mqueue.in
In-Reply-To:
References: <000a01c2e76f$057eb010$7e6041db@18yamuna>
Message-ID: <5.2.0.9.2.20030311083805.02f394d0@imap.ecs.soton.ac.uk>

At 02:47 11/03/2003, you wrote:
>What I'm wondering, though, is it safe to delete the files in mqueue.in
>with sendmail/MailScanner running? [sounds like a potential FAQ, as
>well]

It's pretty safe, yes. The worst that can happen is that you manage to kill
a MailScanner child process, which will cause it to produce a replacement
child process.
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From P.G.M.Peters at civ.utwente.nl Tue Mar 11 09:46:11 2003
From: P.G.M.Peters at civ.utwente.nl (Peter Peters)
Date: Thu Jan 12 21:17:27 2006
Subject: Subject Text
Message-ID:

Hi,

I have a feature request. MS offers the possibility to have different
strings prepended to the Subject: header in case of a virus disinfected
by the anti-virus engine and in case of a filename test. I use

Virus Subject Text = {VIRUS!}

and

Filename Subject Text = {Virus?}

to distinguish between a sure virus and a potential risk. It seems MS
also uses the string from Virus Subject Text when an IFrame or Object
Codebase Tag is detected but I would like to have a separate text for
that.

Could it be made to have "IFrame Subject Text" and "Object Codebase
Subject Text" entries in MailScanner.conf?

--
Peter Peters, senior network administrator
Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE)
Universiteit Twente, Postbus 217, 7500 AE Enschede
telephone: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/civ

From tal at MUSICGENOME.COM Tue Mar 11 10:27:09 2003
From: tal at MUSICGENOME.COM (Tal Kelrich)
Date: Thu Jan 12 21:17:27 2006
Subject: endless respawning with SA enabled
Message-ID: <1047378429.2582.71.camel@johnny5>

Hi,

I've recently upgraded to mailscanner 4.13, and SA 2.50 (patched).
Now, whenever I enable SA, mailscanner respawns endlessly, without any
processing done. Works perfectly when disabled.
As far as I can tell, it quits sometime in the SA init stage, but I
still haven't looked too deeply there.

Thanks in advance,
Tal Kelrich
--
Tal Kelrich
PGP fingerprint: 3EDF FCC5 60BB 4729 AB2F CAE6 FEC1 9AAC 12B9 AA69
Key Available at: http://www.hasturkun.com/pub.txt

From iah at DMU.AC.UK Tue Mar 11 10:59:32 2003
From: iah at DMU.AC.UK (Andy Humberston)
Date: Thu Jan 12 21:17:27 2006
Subject: endless respawning with SA enabled
Message-ID:

> I've recently upgraded to mailscanner 4.13, and SA 2.50
> (patched) now, whenever I enable SA, mailscanner respawns
> endlessly, without any processing done. works perfectly when
> disabled. as far as I can tell, it quits sometime in the SA
> init stage, but I still haven't looked too deeply there.
>

I noticed a problem similar to this last week and upon
investigation I found the following settings (in
spam.assassin.prefs.conf) to help greatly:

# Settings taken from
# http://www.jiscmail.ac.uk/cgi-bin/wa.exe?A2=ind0208&L=mailscanner&P=R9717&I=-3
# SpamAssassin Performance Tips (isp-list@TULSACONNECT.COM)

# By default, spamassassin will change the Content-type: header of
# suspected spam to "text/plain". This is a safety feature. If you
# prefer to leave the Content-type header alone, set this to 0.
#
defang_mime 0

# By default, SpamAssassin will run RBL checks. If your ISP already
# does this, set this to 1.
#
skip_rbl_checks 1

# only check for a valid MX record once
check_mx_attempts 1

Andy

From mailscanner at BARENDSE.TO Tue Mar 11 11:09:16 2003
From: mailscanner at BARENDSE.TO (Remco Barendse)
Date: Thu Jan 12 21:17:27 2006
Subject: Bug in filename rules handling?
In-Reply-To:
Message-ID:

I have it set to yes but this has not changed the behaviour of MailScanner
before. I think all files in the filename.rules.conf are treated equal?

I would not like to be in a situation where somenewvirus.doc.scr would be
allowed through because the latest virus definition couldn't recognize the
virus and the attachment would then be passed on as 'safe'.

Also the attachment wasn't replaced with the VirusWarning.txt!

On Tue, 11 Mar 2003, Craig Pratt wrote:

> How about the "Deliver Disinfected Files" option? Wouldn't that produce
> the behavior you're seeing?
>
> # Should I attempt to disinfect infected attachments and then deliver
> # the clean ones. "Disinfection" involves removing viruses from files
> # (such as removing macro viruses from documents). "Cleaning" is the
> # replacement of infected attachments with "VirusWarning.txt" text
> # attachments.
> # This can also be the filename of a ruleset.
> Deliver Disinfected Files = yes
>
> On Tuesday, March 11, 2003, at 12:36 AM, Remco Barendse wrote:
> > Yes the headers were added as they should and the header also said
> > 'found
> > to be infected'
> >
> > Everything seems to be OK but the attachment was not removed and the
> > VirusWarning was not inserted in the message as it should nor was it
> > sent
> > as an attachment.
> >
> > On Tue, 11 Mar 2003, Craig Pratt wrote:
> >
> >> Have any of the "X-MailScanner" headers been added to the message?
> >>
> >> If not, this might mean that MailScanner is not actually the one
> >> delivering the message. Is it possible that sendmail is running behind
> >> MS's back?
> >>
> >> Craig
> >>
> >> On Tuesday, March 11, 2003, at 12:01 AM, Remco Barendse wrote:
> >>> This morning we have received a message with filename extension
> >>> hiding.
> >>> The attachment is named ACN.DOC.xls.doc > >>> > >>> Mar 10 17:38:12 linux MailScanner[17336]: New Batch: Scanning 1 > >>> messages, 38249 bytes > >>> Mar 10 17:38:12 linux MailScanner[17336]: Virus and Content Scanning: > >>> Starting > >>> Mar 10 17:38:12 linux MailScanner[17336]: Filename Checks: Found > >>> possible filename hiding (ACN.DOC.xls.doc) > >>> Mar 10 17:38:12 linux MailScanner[17336]: Other Checks: Found 1 > >>> problems > >>> Mar 10 17:38:12 linux MailScanner[17336]: Saved entire message to > >>> /var/spool/MailScanner/quarantine/20030310/h2AGcBSh018875 > >>> Mar 10 17:38:12 linux MailScanner[17336]: Cleaned: Delivered 1 > >>> cleaned > >>> messages > >>> > >>> Although a notification was sent to postmaster that a virus had been > >>> caught, and the message subject was correctly modified and there was > >>> a > >>> notification inside the message to look inside VirusWarning.txt > >>> things > >>> didn't work. > >>> > >>> The attachment was let through 'as-is' without renaming or without > >>> removing it. Furthermore there was no VirusWarning.txt attached to > >>> the > >>> mail message although the body of the message referred to it. I have > >>> set > >>> however that warnings should *not* be sent as an attachment so maybe > >>> this > >>> is another bug? > >>> > >>> Things worked fine with the 4.12 release, this was found on release > >>> 4.13-3 > >>> > >>> The message went through our Exchange server and because of a forward > >>> rule > >>> the message was sent outside again. Again MailScanner reported the > >>> problem > >>> but did not remove the attachment! > >>> > >>> > >>> -- > >>> This message has been scanned for viruses and > >>> dangerous content by MailScanner, and is > >>> believed to be clean. > >>> > >> Craig Pratt > >> Strongbox Network Services Inc. > >> mailto:craig@strong-box.net > >> > >> > >> -- > >> This message checked for dangerous content by MailScanner on > >> StrongBox. 
> >> > > > > > > -- > > This message has been scanned for viruses and > > dangerous content by MailScanner, and is > > believed to be clean. > > > Craig Pratt > Strongbox Network Services Inc. > mailto:craig@strong-box.net > > > -- > This message checked for dangerous content by MailScanner on StrongBox. > -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From mailscanner at ecs.soton.ac.uk Tue Mar 11 11:29:00 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:27 2006
Subject: Bug in filename rules handling?
In-Reply-To:
References:
Message-ID: <5.2.0.9.2.20030311112651.03ba49c8@imap.ecs.soton.ac.uk>

In the process of adding all the code to support proper checking of
long/evil filenames, I screwed up.

Please can you download and try out version 4.14-1, and let me know how you
get on.
URL's are

Tar distribution:
http://www.sng.ecs.soton.ac.uk/mailscanner/files/4/tar/MailScanner-4.13-3.tar

RedHat (and others) RPM:
http://www.sng.ecs.soton.ac.uk/mailscanner/files/4/rpm/MailScanner-4.13-3.rpm.tar

SuSE:
http://www.sng.ecs.soton.ac.uk/mailscanner/files/4/suse/MailScanner-4.13-3.suse.tar

At 11:09 11/03/2003, you wrote:
>I have it set to yes but this has not changed the behaviour of MailScanner
>before. I think all files in the filename.rules.conf are treated equal?
>
>I would not like to be in a situation where somenewvirus.doc.scr would be
>allowed through because the latest virus definition couldn't recognize the
>virus and the attachment would then be passed on as 'safe'.
>
>Also the attachment wasn't replaced with the VirusWarning.txt!
>
>On Tue, 11 Mar 2003, Craig Pratt wrote:
>
> > How about the "Deliver Disinfected Files" option? Wouldn't that produce
> > the behavior you're seeing?
> >
> > # Should I attempt to disinfect infected attachments and then deliver
> > # the clean ones. "Disinfection" involves removing viruses from files
> > # (such as removing macro viruses from documents). "Cleaning" is the
> > # replacement of infected attachments with "VirusWarning.txt" text
> > # attachments.
> > # This can also be the filename of a ruleset.
> > Deliver Disinfected Files = yes > > > > On Tuesday, March 11, 2003, at 12:36 AM, Remco Barendse wrote: > > > Yes the headers were added as they should and the header also said > > > 'found > > > to be infected' > > > > > > Everything seems to be OK but the attachment was not removed and the > > > VirusWarning was not inserted in the message as it should nor was it > > > sent > > > as an attachment. > > > > > > On Tue, 11 Mar 2003, Craig Pratt wrote: > > > > > >> Have any of the "X-MailScanner" headers been added to the message? > > >> > > >> If not, this might mean that MailScanner is not actually the one > > >> delivering the message. Is it possible that sendmail is running behind > > >> MS's back? > > >> > > >> Craig > > >> > > >> On Tuesday, March 11, 2003, at 12:01 AM, Remco Barendse wrote: > > >>> This morning we have received a message with filename extension > > >>> hiding. > > >>> The attachment is named ACN.DOC.xls.doc > > >>> > > >>> Mar 10 17:38:12 linux MailScanner[17336]: New Batch: Scanning 1 > > >>> messages, 38249 bytes > > >>> Mar 10 17:38:12 linux MailScanner[17336]: Virus and Content Scanning: > > >>> Starting > > >>> Mar 10 17:38:12 linux MailScanner[17336]: Filename Checks: Found > > >>> possible filename hiding (ACN.DOC.xls.doc) > > >>> Mar 10 17:38:12 linux MailScanner[17336]: Other Checks: Found 1 > > >>> problems > > >>> Mar 10 17:38:12 linux MailScanner[17336]: Saved entire message to > > >>> /var/spool/MailScanner/quarantine/20030310/h2AGcBSh018875 > > >>> Mar 10 17:38:12 linux MailScanner[17336]: Cleaned: Delivered 1 > > >>> cleaned > > >>> messages > > >>> > > >>> Although a notification was sent to postmaster that a virus had been > > >>> caught, and the message subject was correctly modified and there was > > >>> a > > >>> notification inside the message to look inside VirusWarning.txt > > >>> things > > >>> didn't work. > > >>> > > >>> The attachment was let through 'as-is' without renaming or without > > >>> removing it. 
Furthermore there was no VirusWarning.txt attached to > > >>> the > > >>> mail message although the body of the message referred to it. I have > > >>> set > > >>> however that warnings should *not* be sent as an attachment so maybe > > >>> this > > >>> is another bug? > > >>> > > >>> Things worked fine with the 4.12 release, this was found on release > > >>> 4.13-3 > > >>> > > >>> The message went through our Exchange server and because of a forward > > >>> rule > > >>> the message was sent outside again. Again MailScanner reported the > > >>> problem > > >>> but did not remove the attachment! > > >>> > > >>> > > >>> -- > > >>> This message has been scanned for viruses and > > >>> dangerous content by MailScanner, and is > > >>> believed to be clean. > > >>> > > >> Craig Pratt > > >> Strongbox Network Services Inc. > > >> mailto:craig@strong-box.net > > >> > > >> > > >> -- > > >> This message checked for dangerous content by MailScanner on > > >> StrongBox. > > >> > > > > > > > > > -- > > > This message has been scanned for viruses and > > > dangerous content by MailScanner, and is > > > believed to be clean. > > > > > Craig Pratt > > Strongbox Network Services Inc. > > mailto:craig@strong-box.net > > > > > > -- > > This message checked for dangerous content by MailScanner on StrongBox. > > > > >-- >This message has been scanned for viruses and >dangerous content by MailScanner, and is >believed to be clean. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From raymond at PROLOCATION.NET Tue Mar 11 11:38:22 2003 
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:17:27 2006
Subject: Bug in filename rules handling?
In-Reply-To: <5.2.0.9.2.20030311112651.03ba49c8@imap.ecs.soton.ac.uk>
Message-ID:

Hi!

> In the process of adding all the code to support proper checking of
> long/evil filenames, I screwed up.
>
> Please can you download and try out version 4.14-1, and let me know how you
> get on.
> URL's are
>
> Tar distribution:
> http://www.sng.ecs.soton.ac.uk/mailscanner/files/4/tar/MailScanner-4.13-3.tar

I guess you mean:

http://www.sng.ecs.soton.ac.uk/mailscanner/files/4/tar/MailScanner-4.14-1.tar

> RedHat (and others) RPM:
> http://www.sng.ecs.soton.ac.uk/mailscanner/files/4/rpm/MailScanner-4.13-3.rpm.tar

http://www.sng.ecs.soton.ac.uk/mailscanner/files/4/rpm/MailScanner-4.14-1.rpm.tar

> SuSE:
> http://www.sng.ecs.soton.ac.uk/mailscanner/files/4/suse/MailScanner-4.13-3.suse.tar

http://www.sng.ecs.soton.ac.uk/mailscanner/files/4/suse/MailScanner-4.14-1.suse.tar

Bye,
Raymond.

From mailscanner at BARENDSE.TO Tue Mar 11 11:57:00 2003
From: mailscanner at BARENDSE.TO (Remco Barendse)
Date: Thu Jan 12 21:17:27 2006
Subject: Bug in filename rules handling?
In-Reply-To: <5.2.0.9.2.20030311112651.03ba49c8@imap.ecs.soton.ac.uk>
Message-ID:

Thanks for checking!

Is the error in the filename.rules.conf or in the MailScanner code? I have
my own even more strict filename rules in place.

Thanks!!

Remco

On Tue, 11 Mar 2003, Julian Field wrote:

> In the process of adding all the code to support proper checking of
> long/evil filenames, I screwed up.
>
> Please can you download and try out version 4.14-1, and let me know how you
> get on.
> URL's are
>
> Tar distribution:
> http://www.sng.ecs.soton.ac.uk/mailscanner/files/4/tar/MailScanner-4.13-3.tar
>
> RedHat (and others) RPM:
> http://www.sng.ecs.soton.ac.uk/mailscanner/files/4/rpm/MailScanner-4.13-3.rpm.tar
>
> SuSE:
> http://www.sng.ecs.soton.ac.uk/mailscanner/files/4/suse/MailScanner-4.13-3.suse.tar
>
> At 11:09 11/03/2003, you wrote:
> >I have it set to yes but this has not changed the behaviour of MailScanner
> >before. I think all files in the filename.rules.conf are treated equal?
> >
> >I would not like to be in a situation where somenewvirus.doc.scr would be
> >allowed through because the latest virus definition couldn't recognize the
> >virus and the attachment would then be passed on as 'safe'.
> >
> >Also the attachment wasn't replaced with the VirusWarning.txt!
> >
> >On Tue, 11 Mar 2003, Craig Pratt wrote:
> >
> > > How about the "Deliver Disinfected Files" option? Wouldn't that produce
> > > the behavior you're seeing?
> > >
> > > # Should I attempt to disinfect infected attachments and then deliver
> > > # the clean ones. "Disinfection" involves removing viruses from files
> > > # (such as removing macro viruses from documents). "Cleaning" is the
> > > # replacement of infected attachments with "VirusWarning.txt" text
> > > # attachments.
> > > # This can also be the filename of a ruleset.
> > > Deliver Disinfected Files = yes > > > > > > On Tuesday, March 11, 2003, at 12:36 AM, Remco Barendse wrote: > > > > Yes the headers were added as they should and the header also said > > > > 'found > > > > to be infected' > > > > > > > > Everything seems to be OK but the attachment was not removed and the > > > > VirusWarning was not inserted in the message as it should nor was it > > > > sent > > > > as an attachment. > > > > > > > > On Tue, 11 Mar 2003, Craig Pratt wrote: > > > > > > > >> Have any of the "X-MailScanner" headers been added to the message? > > > >> > > > >> If not, this might mean that MailScanner is not actually the one > > > >> delivering the message. Is it possible that sendmail is running behind > > > >> MS's back? > > > >> > > > >> Craig > > > >> > > > >> On Tuesday, March 11, 2003, at 12:01 AM, Remco Barendse wrote: > > > >>> This morning we have received a message with filename extension > > > >>> hiding. > > > >>> The attachment is named ACN.DOC.xls.doc > > > >>> > > > >>> Mar 10 17:38:12 linux MailScanner[17336]: New Batch: Scanning 1 > > > >>> messages, 38249 bytes > > > >>> Mar 10 17:38:12 linux MailScanner[17336]: Virus and Content Scanning: > > > >>> Starting > > > >>> Mar 10 17:38:12 linux MailScanner[17336]: Filename Checks: Found > > > >>> possible filename hiding (ACN.DOC.xls.doc) > > > >>> Mar 10 17:38:12 linux MailScanner[17336]: Other Checks: Found 1 > > > >>> problems > > > >>> Mar 10 17:38:12 linux MailScanner[17336]: Saved entire message to > > > >>> /var/spool/MailScanner/quarantine/20030310/h2AGcBSh018875 > > > >>> Mar 10 17:38:12 linux MailScanner[17336]: Cleaned: Delivered 1 > > > >>> cleaned > > > >>> messages > > > >>> > > > >>> Although a notification was sent to postmaster that a virus had been > > > >>> caught, and the message subject was correctly modified and there was > > > >>> a > > > >>> notification inside the message to look inside VirusWarning.txt > > > >>> things > > > >>> didn't work. 
> > > >>> > > > >>> The attachment was let through 'as-is' without renaming or without > > > >>> removing it. Furthermore there was no VirusWarning.txt attached to > > > >>> the > > > >>> mail message although the body of the message referred to it. I have > > > >>> set > > > >>> however that warnings should *not* be sent as an attachment so maybe > > > >>> this > > > >>> is another bug? > > > >>> > > > >>> Things worked fine with the 4.12 release, this was found on release > > > >>> 4.13-3 > > > >>> > > > >>> The message went through our Exchange server and because of a forward > > > >>> rule > > > >>> the message was sent outside again. Again MailScanner reported the > > > >>> problem > > > >>> but did not remove the attachment! > > > >>> > > > >>> > > > >>> -- > > > >>> This message has been scanned for viruses and > > > >>> dangerous content by MailScanner, and is > > > >>> believed to be clean. > > > >>> > > > >> Craig Pratt > > > >> Strongbox Network Services Inc. > > > >> mailto:craig@strong-box.net > > > >> > > > >> > > > >> -- > > > >> This message checked for dangerous content by MailScanner on > > > >> StrongBox. > > > >> > > > > > > > > > > > > -- > > > > This message has been scanned for viruses and > > > > dangerous content by MailScanner, and is > > > > believed to be clean. > > > > > > > Craig Pratt > > > Strongbox Network Services Inc. > > > mailto:craig@strong-box.net > > > > > > > > > -- > > > This message checked for dangerous content by MailScanner on StrongBox. > > > > > > > > >-- > >This message has been scanned for viruses and > >dangerous content by MailScanner, and is > >believed to be clean. > > -- > Julian Field > www.MailScanner.info > MailScanner thanks transtec Computers for their support > > -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From mailscanner at ecs.soton.ac.uk Tue Mar 11 11:48:15 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:27 2006
Subject: Bug in filename rules handling?
In-Reply-To:
References: <5.2.0.9.2.20030311112651.03ba49c8@imap.ecs.soton.ac.uk>
Message-ID: <5.2.0.9.2.20030311114740.03b48a50@imap.ecs.soton.ac.uk>

I'm not having a good day, am I? :)

Yes, I meant the 4.14-1 URLs.

At 11:38 11/03/2003, you wrote:
>Hi!
>
> > In the process of adding all the code to support proper checking of
> > long/evil filenames, I screwed up.
> >
> > Please can you download and try out version 4.14-1, and let me know how you
> > get on.
> > URL's are
> >
> > Tar distribution:
> >
> http://www.sng.ecs.soton.ac.uk/mailscanner/files/4/tar/MailScanner-4.13-3.tar
>
>I guess you mean:
>
>http://www.sng.ecs.soton.ac.uk/mailscanner/files/4/tar/MailScanner-4.14-1.tar
>
> > RedHat (and others) RPM:
> >
> http://www.sng.ecs.soton.ac.uk/mailscanner/files/4/rpm/MailScanner-4.13-3.rpm.tar
>
>http://www.sng.ecs.soton.ac.uk/mailscanner/files/4/rpm/MailScanner-4.14-1.rpm.tar
>
> > SuSE:
> >
> http://www.sng.ecs.soton.ac.uk/mailscanner/files/4/suse/MailScanner-4.13-3.suse.tar
>
>http://www.sng.ecs.soton.ac.uk/mailscanner/files/4/suse/MailScanner-4.14-1.suse.tar
>
>Bye,
>Raymond.

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From paul.hamilton at sme-ecom.co.uk Tue Mar 11 12:08:19 2003
From: paul.hamilton at sme-ecom.co.uk (Paul Hamilton)
Date: Thu Jan 12 21:17:27 2006
Subject: Delivering Quarantined Messages with their attachments
Message-ID: <000601c2e7c6$ea586e40$fc32000a@4>

Hi all,

Could someone just confirm the best procedure for forcing delivery of a
message out of MailScanner quarantine, so it is not scanned and quarantined
again.

Particularly where the message contains three parts i.e. dxxxxxxxxxxx,
qxxxxxxxxxx and an attachment.

Is it a case of just copying all three to q1 or only the d & q message,
which will force the attachment to automatically be delivered.

Thanks in advance

Paul H.

From Jan-Peter.Koopmann at SECEIDOS.DE Tue Mar 11 12:12:25 2003
From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann)
Date: Thu Jan 12 21:17:27 2006
Subject: Bayes problem with MailScanner
Message-ID: <4E7026FF8A422749B1553FE508E0068007EF34@message.intern.akctech.de>

Hi Julian,

> Does it change if you do a
> sa-learn --rebuild

Nope but we are getting close. To be exact: I have it working here now but
I need you to verify something for me. I noticed that I have four databases
in my /var/spool/spamassassin file

bayes_seen
bayes_seen.db
bayes_toks
bayes_toks.db

I always ignored the ones without .db. The strange thing is that sa-learn
and check_bayes_db always worked on the files without .db but spamassassin
called via MailScanner always used the ones with .db. Since the one with
.db only grew via auto-learn though, there were only 53 spams in there
indeed and bayes did not work. I linked the files now and suddenly it
works. I get BAYES scores in the headers and everything.

I looked through the SA source code and could not find any reason for this
behaviour. Especially why spamassassin -t uses bayes_toks and MailScanner
uses bayes_toks.db but hey... I am no perl guru. So please have a look at
your database dirs and see if you have "duplicates" as well. This would
explain it then.

Regards,
JP

From mailscanner at BARENDSE.TO Tue Mar 11 12:17:47 2003
From: mailscanner at BARENDSE.TO (Remco Barendse)
Date: Thu Jan 12 21:17:27 2006
Subject: Bug in filename rules handling?
In-Reply-To: <5.2.0.9.2.20030311114740.03b48a50@imap.ecs.soton.ac.uk>
Message-ID:

:)

Indeed in 4.14-1 the problem is fixed now, I get the warnings as they
should.

The other minor bug is still there tho. I have set Warning Is Attachment =
no in my MailScanner.conf and still this warning is an attachment.

Nothing serious but my users get scared if there's any vague report of
viruses and will not open any attachment, even the VirusWarning.txt :)

Thanks for fixing the problem!

Remco

On Tue, 11 Mar 2003, Julian Field wrote:

> I'm not having a good day, am I? :)
>
> Yes, I meant the 4.14-1 URLs.
>
> At 11:38 11/03/2003, you wrote:
> >Hi!
> >
> > > In the process of adding all the code to support proper checking of
> > > long/evil filenames, I screwed up.
> > >
> > > Please can you download and try out version 4.14-1, and let me know how you
> > > get on.
> > > URL's are
> > >
> > > Tar distribution:
> > >
> > http://www.sng.ecs.soton.ac.uk/mailscanner/files/4/tar/MailScanner-4.13-3.tar
> >
> >I guess you mean:
> >
> >http://www.sng.ecs.soton.ac.uk/mailscanner/files/4/tar/MailScanner-4.14-1.tar
> >
> > > RedHat (and others) RPM:
> > >
> > http://www.sng.ecs.soton.ac.uk/mailscanner/files/4/rpm/MailScanner-4.13-3.rpm.tar
> >
> >http://www.sng.ecs.soton.ac.uk/mailscanner/files/4/rpm/MailScanner-4.14-1.rpm.tar
> >
> > > SuSE:
> > >
> > http://www.sng.ecs.soton.ac.uk/mailscanner/files/4/suse/MailScanner-4.13-3.suse.tar
> >
> >http://www.sng.ecs.soton.ac.uk/mailscanner/files/4/suse/MailScanner-4.14-1.suse.tar
> >
> >Bye,
> >Raymond.
>
> --
> Julian Field
> www.MailScanner.info
> MailScanner thanks transtec Computers for their support
>
>

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From mailscanner at ecs.soton.ac.uk Tue Mar 11 12:29:00 2003
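
The failure reported in this thread (the log says the attachment was caught and the message "cleaned", yet the flagged file is delivered and the referenced VirusWarning.txt is missing) can be checked mechanically after an upgrade. The script below is an added example, not part of any message in this thread and not MailScanner code; the log lines are the ones quoted in the report, while the sample messages, the finding names and the double-extension regex are constructed assumptions.

```python
import re
from email import message_from_string
from email.message import EmailMessage

# Syslog lines as quoted in the report in this thread.
LOG_LINES = [
    "Mar 10 17:38:12 linux MailScanner[17336]: New Batch: Scanning 1 messages, 38249 bytes",
    "Mar 10 17:38:12 linux MailScanner[17336]: Virus and Content Scanning: Starting",
    "Mar 10 17:38:12 linux MailScanner[17336]: Filename Checks: Found possible "
    "filename hiding (ACN.DOC.xls.doc)",
    "Mar 10 17:38:12 linux MailScanner[17336]: Other Checks: Found 1 problems",
    "Mar 10 17:38:12 linux MailScanner[17336]: Cleaned: Delivered 1 cleaned messages",
]

# Assumption: the filename is the last parenthesised token of a "Filename Checks:" line.
FLAG_RE = re.compile(r"MailScanner\[\d+\]: Filename Checks: .*\((?P<name>[^()]+)\)\s*$")
# Heuristic written for this example (not MailScanner's own rule): a 3-4 character
# extension directly followed by a final 3 character extension, e.g. ".doc.scr".
HIDING_RE = re.compile(r"\.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$", re.IGNORECASE)
WARNING_NAME = "VirusWarning.txt"


def flagged_filenames(log_lines):
    """Return the attachment names the filename checks reported, in log order."""
    names = []
    for line in log_lines:
        match = FLAG_RE.search(line)
        if match:
            names.append(match.group("name"))
    return names


def build_message(body, attachments):
    """Build a constructed test message; attachments is a list of (name, bytes)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "{Virus?} quarterly figures"
    msg.set_content(body)
    for name, data in attachments:
        msg.add_attachment(data, maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_string()


def audit_delivered(raw_message, flagged):
    """Compare a delivered message with what the scanner logged.

    Returns a list of (finding, filename) tuples:
      flagged-attachment-delivered   - a name from the log is still attached
      unflagged-hidden-extension     - double extension present, nothing logged
      warning-referenced-but-missing - body points at VirusWarning.txt, no such part
    """
    msg = message_from_string(raw_message)
    attached, body_text = [], []
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename()
        if filename:
            attached.append(filename)
        elif part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            charset = part.get_content_charset() or "utf-8"
            body_text.append(payload.decode(charset, "replace"))

    flagged_lower = {name.lower() for name in flagged}
    findings = []
    for filename in attached:
        if filename.lower() in flagged_lower:
            findings.append(("flagged-attachment-delivered", filename))
        elif HIDING_RE.search(filename):
            findings.append(("unflagged-hidden-extension", filename))

    mentions_warning = WARNING_NAME.lower() in "".join(body_text).lower()
    has_warning_part = WARNING_NAME.lower() in {name.lower() for name in attached}
    if mentions_warning and not has_warning_part:
        findings.append(("warning-referenced-but-missing", WARNING_NAME))
    return findings


if __name__ == "__main__":
    flagged = flagged_filenames(LOG_LINES)
    # Constructed message mirroring the delivery described for release 4.13-3.
    broken = build_message(
        "Warning: an attachment was removed, see VirusWarning.txt for details.\n",
        [("ACN.DOC.xls.doc", b"constructed placeholder bytes")],
    )
    for finding in audit_delivered(broken, flagged):
        print(finding)
```

Run against a copy of the delivered message and the matching maillog excerpt; an empty result means the delivered message agrees with what the scanner logged.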
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:27 2006
Subject: endless respawning with SA enabled
In-Reply-To:
Message-ID: <5.2.0.9.2.20030311122755.037389b8@imap.ecs.soton.ac.uk>

What does your maillog say?
Does the user you are using to run MailScanner have a real home directory?
The SpamAssassin init code fails if there isn't a home directory it can
write to. Most commonly a problem when people are using Exim (as they run
as non-root).

At 10:59 11/03/2003, you wrote:
> > I've recently upgraded to mailscanner 4.13, and SA 2.50
> > (patched) now, whenever I enable SA, mailscanner respawns
> > endlessly, without any processing done. works perfectly when
> > disabled. as far as I can tell, it quits sometime in the SA
> > init stage, but I still haven't looked too deeply there.
> >
>
>I noticed a problem similar to this last week and upon
>investigation I found the following settings (in
>spam.assassin.prefs.conf) to help greatly:
>
># Settings taken from
>#
>http://www.jiscmail.ac.uk/cgi-bin/wa.exe?A2=ind0208&L=mailscanner&P=R9717&I=
>-3
># SpamAssassin Performance Tips (isp-list@TULSACONNECT.COM)
>
># By default, spamassassin will change the Content-type: header of
># suspected spam to "text/plain". This is a safety feature. If you
># prefer to leave the Content-type header alone, set this to 0.
>#
>defang_mime 0
>
># By default, SpamAssassin will run RBL checks. If your ISP already
># does this, set this to 1.
>#
>skip_rbl_checks 1
>
># only check for a valid MX record once
>check_mx_attempts 1
>
>Andy

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Tue Mar 11 12:25:49 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:27 2006
Subject: Bug in filename rules handling?
In-Reply-To:
References: <5.2.0.9.2.20030311112651.03ba49c8@imap.ecs.soton.ac.uk>
Message-ID: <5.2.0.9.2.20030311122528.03b591d8@imap.ecs.soton.ac.uk>

At 11:57 11/03/2003, you wrote:
>Thanks for checking!
>
>Is the error in the filename.rules.conf or in the MailScanner code? I have
>my own even more strict filename rules in place.

In the mailscanner code.

>Thanks!!
>
>Remco
>
>On Tue, 11 Mar 2003, Julian Field wrote:
>
> > In the process of adding all the code to support proper checking of
> > long/evil filenames, I screwed up.
> >
> > Please can you download and try out version 4.14-1, and let me know how you
> > get on.
> > URL's are
> >
> > Tar distribution:
> >
> http://www.sng.ecs.soton.ac.uk/mailscanner/files/4/tar/MailScanner-4.13-3.tar
> >
> > RedHat (and others) RPM:
> >
> http://www.sng.ecs.soton.ac.uk/mailscanner/files/4/rpm/MailScanner-4.13-3.rpm.tar
> >
> > SuSE:
> >
> http://www.sng.ecs.soton.ac.uk/mailscanner/files/4/suse/MailScanner-4.13-3.suse.tar
> >
> > At 11:09 11/03/2003, you wrote:
> > >I have it set to yes but this has not changed the behaviour of MailScanner
> > >before. I think all files in the filename.rules.conf are treated equal?
> > >
> > >I would not like to be in a situation where somenewvirus.doc.scr would be
> > >allowed through because the latest virus definition couldn't recognize the
> > >virus and the attachment would then be passed on as 'safe'.
> > >
> > >Also the attachment wasn't replaced with the VirusWarning.txt!
> > >
> > >On Tue, 11 Mar 2003, Craig Pratt wrote:
> > >
> > > > How about the "Deliver Disinfected Files" option? Wouldn't that produce
> > > > the behavior you're seeing?
> > > >
> > > > # Should I attempt to disinfect infected attachments and then deliver
> > > > # the clean ones. "Disinfection" involves removing viruses from files
> > > > # (such as removing macro viruses from documents).
"Cleaning" is the > > > > # replacement of infected attachments with "VirusWarning.txt" text > > > > # attachments. > > > > # This can also be the filename of a ruleset. > > > > Deliver Disinfected Files = yes > > > > > > > > On Tuesday, March 11, 2003, at 12:36 AM, Remco Barendse wrote: > > > > > Yes the headers were added as they should and the header also said > > > > > 'found > > > > > to be infected' > > > > > > > > > > Everything seems to be OK but the attachment was not removed and the > > > > > VirusWarning was not inserted in the message as it should nor was it > > > > > sent > > > > > as an attachment. > > > > > > > > > > On Tue, 11 Mar 2003, Craig Pratt wrote: > > > > > > > > > >> Have any of the "X-MailScanner" headers been added to the message? > > > > >> > > > > >> If not, this might mean that MailScanner is not actually the one > > > > >> delivering the message. Is it possible that sendmail is running > behind > > > > >> MS's back? > > > > >> > > > > >> Craig > > > > >> > > > > >> On Tuesday, March 11, 2003, at 12:01 AM, Remco Barendse wrote: > > > > >>> This morning we have received a message with filename extension > > > > >>> hiding. 
> > > > >>> The attachment is named ACN.DOC.xls.doc > > > > >>> > > > > >>> Mar 10 17:38:12 linux MailScanner[17336]: New Batch: Scanning 1 > > > > >>> messages, 38249 bytes > > > > >>> Mar 10 17:38:12 linux MailScanner[17336]: Virus and Content > Scanning: > > > > >>> Starting > > > > >>> Mar 10 17:38:12 linux MailScanner[17336]: Filename Checks: Found > > > > >>> possible filename hiding (ACN.DOC.xls.doc) > > > > >>> Mar 10 17:38:12 linux MailScanner[17336]: Other Checks: Found 1 > > > > >>> problems > > > > >>> Mar 10 17:38:12 linux MailScanner[17336]: Saved entire message to > > > > >>> /var/spool/MailScanner/quarantine/20030310/h2AGcBSh018875 > > > > >>> Mar 10 17:38:12 linux MailScanner[17336]: Cleaned: Delivered 1 > > > > >>> cleaned > > > > >>> messages > > > > >>> > > > > >>> Although a notification was sent to postmaster that a virus had > been > > > > >>> caught, and the message subject was correctly modified and > there was > > > > >>> a > > > > >>> notification inside the message to look inside VirusWarning.txt > > > > >>> things > > > > >>> didn't work. > > > > >>> > > > > >>> The attachment was let through 'as-is' without renaming or without > > > > >>> removing it. Furthermore there was no VirusWarning.txt attached to > > > > >>> the > > > > >>> mail message although the body of the message referred to it. I > have > > > > >>> set > > > > >>> however that warnings should *not* be sent as an attachment so > maybe > > > > >>> this > > > > >>> is another bug? > > > > >>> > > > > >>> Things worked fine with the 4.12 release, this was found on release > > > > >>> 4.13-3 > > > > >>> > > > > >>> The message went through our Exchange server and because of a > forward > > > > >>> rule > > > > >>> the message was sent outside again. Again MailScanner reported the > > > > >>> problem > > > > >>> but did not remove the attachment! 
> > > > >>> > > > > >>> > > > > >>> -- > > > > >>> This message has been scanned for viruses and > > > > >>> dangerous content by MailScanner, and is > > > > >>> believed to be clean. > > > > >>> > > > > >> Craig Pratt > > > > >> Strongbox Network Services Inc. > > > > >> mailto:craig@strong-box.net > > > > >> > > > > >> > > > > >> -- > > > > >> This message checked for dangerous content by MailScanner on > > > > >> StrongBox. > > > > >> > > > > > > > > > > > > > > > -- > > > > > This message has been scanned for viruses and > > > > > dangerous content by MailScanner, and is > > > > > believed to be clean. > > > > > > > > > Craig Pratt > > > > Strongbox Network Services Inc. > > > > mailto:craig@strong-box.net > > > > > > > > > > > > -- > > > > This message checked for dangerous content by MailScanner on StrongBox. > > > > > > > > > > > > >-- > > >This message has been scanned for viruses and > > >dangerous content by MailScanner, and is > > >believed to be clean. > > > > -- > > Julian Field > > www.MailScanner.info > > MailScanner thanks transtec Computers for their support > > > > > > >-- >This message has been scanned for viruses and >dangerous content by MailScanner, and is >believed to be clean. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Tue Mar 11 12:27:12 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:27 2006 Subject: Bug in filename rules handling? In-Reply-To: References: <5.2.0.9.2.20030311114740.03b48a50@imap.ecs.soton.ac.uk> Message-ID: <5.2.0.9.2.20030311122601.03bc3af8@imap.ecs.soton.ac.uk> At 12:17 11/03/2003, you wrote: >:) > >Indeed in 4.14-1 the problem is fixed now, I get the warnings as they >should. Can someone else confirm that this version is working okay, then I'll put it up on the main web site. >The other minor bug is still there tho. I have set Warning Is Attachment = >no in my MailScanner.conf and still this warning is an attachment. That's down to incorrect handling in email apps. >Nothing serious but my users get scared if there's any vague report of >viruses and will not open any attachment, even the VirusWarning.txt :) I'll take a look at this when I get time, it's not a major problem. >Thanks for fixing the problem! > >Remco > > >On Tue, 11 Mar 2003, Julian Field wrote: > > > I'm not having a good day, am I? :) > > > > Yes, I meant the 4.14-1 URLs. > > > > At 11:38 11/03/2003, you wrote: > > >Hi! > > > > > > > In the process of adding all the code to support proper checking of > > > > long/evil filenames, I screwed up. > > > > > > > > Please can you download and try out version 4.14-1, and let me know > how you > > > > get on. 
> > > > URL's are > > > > > > > > Tar distribution: > > > > > > > > http://www.sng.ecs.soton.ac.uk/mailscanner/files/4/tar/MailScanner-4.13-3.tar > > > > > >I guess you mean: > > > > > >http://www.sng.ecs.soton.ac.uk/mailscanner/files/4/tar/MailScanner-4.14 > -1.tar > > > > > > > RedHat (and others) RPM: > > > > > > > > http://www.sng.ecs.soton.ac.uk/mailscanner/files/4/rpm/MailScanner-4.13-3.rpm.tar > > > > > >http://www.sng.ecs.soton.ac.uk/mailscanner/files/4/rpm/MailScanner-4.14 > -1.rpm.tar > > > > > > > SuSE: > > > > > > > > http://www.sng.ecs.soton.ac.uk/mailscanner/files/4/suse/MailScanner-4.13-3.suse.tar > > > > > >http://www.sng.ecs.soton.ac.uk/mailscanner/files/4/suse/MailScanner-4.1 > 4-1.suse.tar > > > > > >Bye, > > >Raymond. > > > > -- > > Julian Field > > www.MailScanner.info > > MailScanner thanks transtec Computers for their support > > > > > > >-- >This message has been scanned for viruses and >dangerous content by MailScanner, and is >believed to be clean. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From tal at MUSICGENOME.COM Tue Mar 11 13:11:16 2003 
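One way to check a delivered message for the failure reported in this thread: flagged by MailScanner, yet the hidden-extension attachment is still present and the body points at a VirusWarning.txt that is not attached. This is an added example, not MailScanner code; the double-extension regex, the function names and the two sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.message import EmailMessage

# Heuristic for extension hiding: two short extensions at the end of the name,
# as in ACN.DOC.xls.doc. Assumption of this example, not MailScanner's own rule.
DOUBLE_EXT = re.compile(r"\.[a-z][a-z0-9]{1,3}\s*\.[a-z0-9]{2,4}$", re.IGNORECASE)
WARNING_NAME = "viruswarning.txt"


def flagged_as_infected(msg):
    """True if any X-MailScanner* header says the message was found infected."""
    return any(
        key.lower().startswith("x-mailscanner")
        and "found to be infected" in str(value).lower()
        for key, value in msg.items()
    )


def attachment_names(msg):
    """Filenames declared on any MIME part of the message."""
    return [p.get_filename().strip() for p in msg.walk() if p.get_filename()]


def inline_text(msg):
    """Concatenate the decoded text parts that are not attachments."""
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() == "text" and not part.get_filename():
            payload = part.get_payload(decode=True) or b""
            charset = part.get_content_charset() or "latin-1"
            chunks.append(payload.decode(charset, "replace"))
    return "\n".join(chunks)


def audit_delivered(raw):
    """Return findings for a delivered message that was flagged but not cleaned."""
    msg = message_from_string(raw)
    if not flagged_as_infected(msg):
        return []
    names = attachment_names(msg)
    findings = [
        "still carries flagged-looking attachment: " + n
        for n in names
        if DOUBLE_EXT.search(n)
    ]
    has_warning = any(n.lower() == WARNING_NAME for n in names)
    if WARNING_NAME in inline_text(msg).lower() and not has_warning:
        findings.append("body refers to VirusWarning.txt but no such part is attached")
    return findings


def build_sample(cleaned, flagged=True):
    """Constructed test message (not real mail): cleaned or left as-is."""
    m = EmailMessage()
    m["From"] = "sender@example.org"
    m["To"] = "user@example.net"
    m["Subject"] = "constructed sample"
    if flagged:
        m["X-MailScanner"] = "Found to be infected"
    m.set_content('Warning: please read the "VirusWarning.txt" attachment.\n')
    if cleaned:
        m.add_attachment("The original attachment was removed.\n",
                         filename="VirusWarning.txt")
    else:
        m.add_attachment(b"constructed placeholder bytes", maintype="application",
                         subtype="msword", filename="ACN.DOC.xls.doc")
    return m.as_string()


if __name__ == "__main__":
    for label, cleaned in (("uncleaned", False), ("cleaned", True)):
        print(label, audit_delivered(build_sample(cleaned)))
```

The regex also matches ordinary names such as archive.tar.gz, so findings are a prompt to inspect the quarantine copy, not a verdict.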
From: tal at MUSICGENOME.COM (Tal Kelrich)
Date: Thu Jan 12 21:17:27 2006
Subject: endless respawning with SA enabled
Message-ID:

On Tue, 11 Mar 2003 12:29:00 +0000, Julian Field wrote:
>At 10:59 11/03/2003, you wrote:
>> > I've recently upgraded to mailscanner 4.13, and SA 2.50
>> > (patched) now, whenever I enable SA, mailscanner respawns
>> > endlessly, without any processing done. works perfectly when
>> > disabled. as far as I can tell, it quits sometime in the SA
>> > init stage, but I still haven't looked too deeply there.
>> >
>>
>>I noticed a problem similar to this last week and upon
>>investigation I found the following settings (in
>>spam.assassin.prefs.conf) to help greatly:
>>
>># Settings taken from
>>#
>>http://www.jiscmail.ac.uk/cgi-bin/wa.exe?A2=ind0208&L=mailscanner&P=R9717&I=-3
>># SpamAssassin Performance Tips (isp-list@TULSACONNECT.COM)
>>
>># By default, spamassassin will change the Content-type: header of
>># suspected spam to "text/plain". This is a safety feature. If you
>># prefer to leave the Content-type header alone, set this to 0.
>>#
>>defang_mime 0
>>
>># By default, SpamAssassin will run RBL checks. If your ISP already
>># does this, set this to 1.
>>#
>>skip_rbl_checks 1
>>
>># only check for a valid MX record once
>>check_mx_attempts 1
>>
>>Andy
>
>What does your maillog say?
>Does the user you are using to run MailScanner have a real home
>directory?
>The SpamAssassin init code fails if there isn't a home directory it can
>write to. Most commonly a problem when people are using Exim (as they run
>as non-root).
>

I did some more tests, and it looks like it's dying in SA.pm in
compile_now (dropped log messages in there, no AWL, makes the object,
stops at compile_now) when run in debug mode, no errors or anything,
just quits.

user is root, has a home, and SA works on its own.

Tal

From Denis.Beauchemin at USHERBROOKE.CA Tue Mar 11 13:52:03 2003
From: Denis.Beauchemin at USHERBROOKE.CA (Denis Beauchemin)
Date: Thu Jan 12 21:17:27 2006
Subject: Subject Text
In-Reply-To:
References:
Message-ID: <1047390723.28074.68.camel@dbeauchemin.si.usherbrooke.ca>

Hello,

I second that. I would also like to be able to use a different report
file for those 2 because they are not really viruses but potential
threats.

Denis

On Tue 11/03/2003 at 04:46, Peter Peters wrote:
> Hi,
>
> I have a feature request. MS offers the possibility to have different
> strings prepended to the Subject: header in case of a virus disinfected
> by the anti-virus engine and in case of a filename test. I use Virus
> Subject Text = {VIRUS!} and Filename Subject Text = {Virus?} to
> distinguish between a sure virus and a potential risk.
>
> It seems MS also uses the string from Virus Subject Text when an IFrame
> or Object Codebase Tag is detected but I would like to have a separate
> text for that.
>
> Could it be made to have "IFrame Subject Text" and "Object Codebase
> Subject Text" entries in MailScanner.conf?
>
> --
> Peter Peters, senior network administrator
> Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE)
> Universiteit Twente, Postbus 217, 7500 AE Enschede
> telephone: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/civ

--
Denis Beauchemin, analyst
Université de Sherbrooke, S.T.I.
T: 819.821.8000x2252 F: 819.821.8045

From Jan-Peter.Koopmann at SECEIDOS.DE Tue Mar 11 13:59:50 2003
From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann)
Date: Thu Jan 12 21:17:27 2006
Subject: endless respawning with SA enabled
Message-ID: <4E7026FF8A422749B1553FE508E0068007EF37@message.intern.akctech.de>

Hi Tal,

> I did some more tests, and it looks like it's dying in SA.pm in compile_now (dropped log messages in there,
> no AWL, makes the object, stops at compile_now) when run in debug mode, no errors or anything, just quits.
> user is root, has a home, and SA works on its own.

I did not get the debug mode to work with MailScanner. Simply quits. Try
something like this in SpamAssassin.pm

sub dbg {
  my $dbg=$Mail::SpamAssassin::DEBUG;

  # The "enabled" check is commented out so every message is logged
  #return unless $dbg->{enabled};

  my ($msg, $codepath, $level) = @_;

  $msg=join('',@{$msg}) if (ref $msg);

  if (defined $codepath) {
    if (not defined $dbg->{$codepath}) {
      warn("dbg called with codepath $codepath, but it's not defined, skipping (message was \"$msg\"\n");
      return 0;
    } elsif (not defined $level) {
      warn("dbg called with codepath $codepath, but no level threshold (message was \"$msg\"\n");
    }
  }
  # Negative levels are just level numbers, the more negative, the more debug
  return if (defined $level and $level<0 and not $dbg->{$codepath} <= $level);
  # Positive levels are bit fields
  return if (defined $level and $level>0 and not $dbg->{$codepath} & $level);

  # LOG
  if ( open(DBGFILE, ">>/tmp/sa.log") ) {
    print DBGFILE $msg . "\n";
    close(DBGFILE);
  }

  warn "debug: $msg\n";
}

Notice the # in front of the return. This will "turn on" debugging even
though SA is not in debug mode. This will create a /tmp/sa.log file with
all debugging output of SA. Once you have this output, look for error
messages or send a copy of it here.

Thanks,
  JP

From Jan-Peter.Koopmann at SECEIDOS.DE Tue Mar 11 13:04:58 2003
From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann)
Date: Thu Jan 12 21:17:27 2006
Subject: HTML body changed??? - Different SA scores / SA and MA
Message-ID: <4E7026FF8A422749B1553FE508E0068007EF36@message.intern.akctech.de>

Hi Julian,

I am still playing around with SpamAssassin and MailScanner a bit. Here
is something strange:

I took a junk mail and ran it through spamassassin -t. This is the
report:

Content analysis details:   (25.80 points, 6 required)
X_PRIORITY_HIGH         (1.9 points)  Sent with 'X-Priority' set to high
BAYES_90                (2.9 points)  BODY: Bayesian classifier says spam probability is 90 to 99%
                        [score: 0.9815]
HTML_40_50              (0.4 points)  BODY: Message is 40% to 50% HTML
HTML_IMAGE_ONLY_02      (1.5 points)  BODY: HTML has images with 0-200 bytes of words
PYZOR_CHECK             (1.2 points)  Listed in Pyzor, see http://pyzor.sf.net/
DATE_IN_PAST_12_24      (0.1 points)  Date: is 12 to 24 hours before Received: date
MSGID_OUTLOOK_TIME      (4.4 points)  Message-Id is fake (in Outlook Express format)
RCVD_FAKE_HELO_DOTCOM_2 (2.8 points)  Received contains a faked HELO hostname (2)
RCVD_IN_NJABL           (1.2 points)  RBL: Received via a relay in dnsbl.njabl.org
                        [RBL check: found 3.160.178.202.dnsbl.njabl.org.,]
                        [type: 127.0.0.9]
RCVD_IN_OSIRUSOFT_COM   (0.5 points)  RBL: Received via a relay in relays.osirusoft.com
                        [RBL check: found 3.160.178.202.relays.osirusoft.com., type: 127.0.0.3]
RCVD_IN_BL_SPAMCOP_NET  (4.0 points)  RBL: Received via a relay in bl.spamcop.net
                        [RBL check: found 3.160.178.202.bl.spamcop.net.]
RCVD_IN_DSBL            (4.3 points)  RBL: Received via a relay in list.dsbl.org
                        [RBL check: found 3.160.178.202.list.dsbl.org.]
PRIORITY_NO_NAME        (0.6 points)  Message has priority setting, but no X-Mailer

Then I fed exactly the same file into my system using exim -t < msg.txt.
This is what SA/MS found:

X-MailScanner-SpamCheck: spam, SpamAssassin (score=23.1, required 6, AWL,
        BAYES_90, DATE_IN_PAST_12_24, HTML_20_30, HTML_IMAGE_ONLY_06,
        MSGID_OUTLOOK_TIME, PRIORITY_NO_NAME, RCVD_FAKE_HELO_DOTCOM_2,
        RCVD_IN_BL_SPAMCOP_NET, RCVD_IN_DSBL, RCVD_IN_NJABL,
        RCVD_IN_OSIRUSOFT_COM, X_PRIORITY_HIGH)

MailScanner/SpamAssassin changed HTML_40_50 to HTML_20_30. Why/How?
Moreover it shows HTML_IMAGE_ONLY_06 and not _02. Obviously something
changed the HTML source. I cannot see an Iframe tag anywhere. Moreover
the PYZOR_CHECK is missing which also indicates that the body has been
altered by MailScanner.

This is the body of the msg.file:

This is a multi-part message in MIME format.

------_=_NextPart_001_01C2E70F.C1B22B00
Content-Type: text/plain;
        charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

 I can't wait to meet =
8421PFsC8-249DRPN4997MsTV2-l25=20

------_=_NextPart_001_01C2E70F.C1B22B00
Content-Type: text/html;
        charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
I can't wait to meet 8421PFsC8-249DRPN4997MsTV2-l25 ------_=_NextPart_001_01C2E70F.C1B22B00-- Thanks, JP From mailscanner at ecs.soton.ac.uk Tue Mar 11 14:16:30 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:27 2006 Subject: HTML body changed??? - Different SA scores / SA and MA In-Reply-To: <4E7026FF8A422749B1553FE508E0068007EF36@message.intern.akct ech.de> Message-ID: <5.2.0.9.2.20030311141520.03bbc588@imap.ecs.soton.ac.uk> There is currently a little problem in the MS->SA interface for Exim. It's not very serious but can cause test results that differ a bit from what you expect. There is a fix for it, but I want to do some more testing on it first to be sure it won't break anything else. At 13:04 11/03/2003, you wrote: >Hi Julian, > >I am still playing around with SpamAssassin and MailScanner a bit. Here >is something strange: > >I took a junk mail and ran it through spamassassin -t. This is the >report: > > >Content analysis details: (25.80 points, 6 required) >X_PRIORITY_HIGH (1.9 points) Sent with 'X-Priority' set to high >BAYES_90 (2.9 points) BODY: Bayesian classifier says spam >probability is 90 to 99% > [score: 0.9815] >HTML_40_50 (0.4 points) BODY: Message is 40% to 50% HTML >HTML_IMAGE_ONLY_02 (1.5 points) BODY: HTML has images with 0-200 bytes >of words >PYZOR_CHECK (1.2 points) Listed in Pyzor, see >http://pyzor.sf.net/ >DATE_IN_PAST_12_24 (0.1 points) Date: is 12 to 24 hours before >Received: date >MSGID_OUTLOOK_TIME (4.4 points) Message-Id is fake (in Outlook Express >format) >RCVD_FAKE_HELO_DOTCOM_2 (2.8 points) Received contains a faked HELO >hostname (2) >RCVD_IN_NJABL (1.2 points) RBL: Received via a relay in >dnsbl.njabl.org > [RBL check: found 3.160.178.202.dnsbl.njabl.org.,] > [type: 127.0.0.9] >RCVD_IN_OSIRUSOFT_COM (0.5 points) RBL: Received via a relay in >relays.osirusoft.com > [RBL check: found >3.160.178.202.relays.osirusoft.com., type: 127.0.0.3] >RCVD_IN_BL_SPAMCOP_NET (4.0 points) RBL: Received via a 
relay in >bl.spamcop.net > [RBL check: found 3.160.178.202.bl.spamcop.net.] >RCVD_IN_DSBL (4.3 points) RBL: Received via a relay in >list.dsbl.org > [RBL check: found 3.160.178.202.list.dsbl.org.] >PRIORITY_NO_NAME (0.6 points) Message has priority setting, but no >X-Mailer > > >Then I fed exatly the same file into my system using exim -t < msg.txt. >This is what SA/MS found: > >X-MailScanner-SpamCheck: spam, SpamAssassin (score=23.1, required 6, >AWL, > BAYES_90, DATE_IN_PAST_12_24, HTML_20_30, HTML_IMAGE_ONLY_06, > MSGID_OUTLOOK_TIME, PRIORITY_NO_NAME, RCVD_FAKE_HELO_DOTCOM_2, > RCVD_IN_BL_SPAMCOP_NET, RCVD_IN_DSBL, RCVD_IN_NJABL, > RCVD_IN_OSIRUSOFT_COM, X_PRIORITY_HIGH) > > >MailScanner/SpamAssassin changed HTML_40_50 to HTML_20_30. Why/How? >Moreover it shows HTML_IMAGE_ONLY_06 and not _02. Obviously something >changed the HTML source. I cannot see an Iframe tag anywhere. Moreover >the PYZOR_CHECK is missing which also indicates that the body has been >altered by MailScanner. > >This is the body of the msg.file: > >This is a multi-part message in MIME format. > >------_=_NextPart_001_01C2E70F.C1B22B00 >Content-Type: text/plain; > charset="iso-8859-1" >Content-Transfer-Encoding: quoted-printable > > I can't wait to meet = >8421PFsC8-249DRPN4997MsTV2-l25=20 > >------_=_NextPart_001_01C2E70F.C1B22B00 >Content-Type: text/html; > charset="iso-8859-1" >Content-Transfer-Encoding: quoted-printable > > >charset=3Diso-8859-1"> >
> >I can't wait to meet > > >8421PFsC8-249DRPN4997MsTV2-l25 > >------_=_NextPart_001_01C2E70F.C1B22B00-- > > >Thanks, > JP -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From Jan-Peter.Koopmann at SECEIDOS.DE Tue Mar 11 14:44:07 2003 From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann) Date: Thu Jan 12 21:17:27 2006 Subject: HTML body changed??? - Different SA scores / SA and MA Message-ID: <4E7026FF8A422749B1553FE508E0068007EF3A@message.intern.akctech.de> > There is currently a little problem in the MS->SA interface > for Exim. It's not very serious but can cause test results > that differ a bit from what you expect. There is a fix for > it, but I want to do some more testing on it first to be sure > it won't break anything else. Noted... Thought it would be something like that. Need a guinea pig? Regards, JP From usergroups at THEARGONCOMPANY.COM Tue Mar 11 15:52:38 2003 
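The comparison made by hand in this thread (rules hit by `spamassassin -t` versus rules listed in the X-MailScanner-SpamCheck header) can be scripted so that body-dependent differences stand out. This is an added example, not part of the original posts or of MailScanner; the rule names and scores are the ones quoted in the thread, while the function names and the choice of `HTML_`/`PYZOR_` prefixes as "body-dependent" are assumptions of the example.

```python
import re

# Inputs below are the values quoted in the thread, reduced to rule/points lines.
REPORT = """\
Content analysis details:   (25.80 points, 6 required)
X_PRIORITY_HIGH    (1.9 points)  Sent with 'X-Priority' set to high
BAYES_90           (2.9 points)  BODY: Bayesian classifier says spam probability is 90 to 99%
                   [score: 0.9815]
HTML_40_50         (0.4 points)  BODY: Message is 40% to 50% HTML
HTML_IMAGE_ONLY_02 (1.5 points)  BODY: HTML has images with 0-200 bytes of words
PYZOR_CHECK        (1.2 points)  Listed in Pyzor, see http://pyzor.sf.net/
DATE_IN_PAST_12_24 (0.1 points)  Date: is 12 to 24 hours before Received: date
MSGID_OUTLOOK_TIME (4.4 points)  Message-Id is fake (in Outlook Express format)
RCVD_FAKE_HELO_DOTCOM_2 (2.8 points)  Received contains a faked HELO hostname (2)
RCVD_IN_NJABL      (1.2 points)  RBL: Received via a relay in dnsbl.njabl.org
RCVD_IN_OSIRUSOFT_COM (0.5 points)  RBL: Received via a relay in relays.osirusoft.com
RCVD_IN_BL_SPAMCOP_NET (4.0 points)  RBL: Received via a relay in bl.spamcop.net
RCVD_IN_DSBL       (4.3 points)  RBL: Received via a relay in list.dsbl.org
PRIORITY_NO_NAME   (0.6 points)  Message has priority setting, but no X-Mailer
"""

SPAMCHECK = """spam, SpamAssassin (score=23.1, required 6, AWL,
        BAYES_90, DATE_IN_PAST_12_24, HTML_20_30, HTML_IMAGE_ONLY_06,
        MSGID_OUTLOOK_TIME, PRIORITY_NO_NAME, RCVD_FAKE_HELO_DOTCOM_2,
        RCVD_IN_BL_SPAMCOP_NET, RCVD_IN_DSBL, RCVD_IN_NJABL,
        RCVD_IN_OSIRUSOFT_COM, X_PRIORITY_HIGH)"""

RULE_LINE = re.compile(r"^([A-Z][A-Z0-9_]+)\s+\(\s*(-?\d+(?:\.\d+)?) points?\)", re.M)
HEADER = re.compile(r"score=(-?\d+(?:\.\d+)?),\s*required\s+-?\d+(?:\.\d+)?,\s*(.*?)\)", re.S)
# Assumption: rules with these prefixes depend on the message body as scanned.
BODY_PREFIXES = ("HTML_", "PYZOR_")


def parse_report(text):
    """Map rule name -> points from a `spamassassin -t` analysis report."""
    return {name: float(points) for name, points in RULE_LINE.findall(text)}


def parse_spamcheck(value):
    """Return (score, set of rule names) from an X-MailScanner-SpamCheck value."""
    m = HEADER.search(value)
    if not m:
        raise ValueError("no 'score=..., required ...' section found")
    rules = {r.strip() for r in m.group(2).split(",") if r.strip()}
    return float(m.group(1)), rules


def compare(report_text, header_value):
    """Diff the two rule sets and single out body-dependent rules."""
    standalone = parse_report(report_text)
    ms_score, ms_rules = parse_spamcheck(header_value)
    only_sa = sorted(set(standalone) - ms_rules)
    only_ms = sorted(ms_rules - set(standalone))
    return {
        "only_standalone": only_sa,
        "only_mailscanner": only_ms,
        "body_dependent": sorted(r for r in only_sa + only_ms
                                 if r.startswith(BODY_PREFIXES)),
        "points_lost": round(sum(standalone[r] for r in only_sa), 1),
        "score_delta": round(sum(standalone.values()) - ms_score, 1),
    }


if __name__ == "__main__":
    for key, value in compare(REPORT, SPAMCHECK).items():
        print(key, value)
```

When every differing rule except AWL is body-dependent, as here, the two runs most likely scored different body text, which is what the poster inferred.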
From: usergroups at THEARGONCOMPANY.COM (Rishi Gangoly)
Date: Thu Jan 12 21:17:27 2006
Subject: RaQ problems after installing sendmail patch
In-Reply-To: <5.2.0.9.2.20030304140048.03b9cbc0@imap.ecs.soton.ac.uk>
References: <5.2.0.9.2.20030304140048.03b9cbc0@imap.ecs.soton.ac.uk>
Message-ID: <200303111552.VAA31810@theargonserver.theargoncompany.com>

On Tuesday 04 March 2003 7:38 pm, you wrote:
> On pkgmaster.com there are now packages for the RaQ3 and RaQ4 that apply
> the sendmail patch everyone has been talking about for the last day or two.
>
> When the patch is installed, it messes around with the /var/spool/mqueue
> directory and leaves it in a state that MailScanner does not like.
>
> To solve this:
>
> cd /var/spool/mqueue
> rmdir q1 q2 q3 q4
> /etc/rc.d/init.d/MailScanner restart
>
> Then you should find everything starts working properly again.

Does this affect version 3.22-10 of mailscanner? That's the one I have.
Should I upgrade my Mailscanner to 4.x?

Is there anyone who has upgraded mailscanner from 3.x to 4.x on a Cobalt
RaQ4?

Regards

Rishi

From Jan-Peter.Koopmann at SECEIDOS.DE Tue Mar 11 16:05:45 2003
From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann)
Date: Thu Jan 12 21:17:27 2006
Subject: HTML body changed??? - Different SA scores / SA and MA
Message-ID: <4E7026FF8A422749B1553FE508E0068007EF3E@message.intern.akctech.de>

Hmm. Something strange again... Maybe this is related to the issue
though...

I see BAYES_ scores in all messages. Except those that are SPAM (that is
their score is above the threshold). Those do not show BAYES_ scores and
are not auto-learned even though their score sometimes is over the
auto_learn threshold as well. When I feed those messages to
spamassassin -t it clearly shows BAYES_ scores.

Now for the fun part. If I feed this mail to exim -t and send it through
MailScanner/SA again, it is marked with BAYES_ scores and auto-learned.

Any ideas? I fired up my log again and am waiting for new spam to
reproduce this and maybe see some sort of error. I'll keep you posted.

Regards,
  JP

From jaearick at COLBY.EDU Tue Mar 11 16:08:17 2003
From: jaearick at COLBY.EDU (Jeff A. Earickson)
Date: Thu Jan 12 21:17:27 2006
Subject: sophos 3.66 to 3.67, load jumps?
Message-ID:

Hi,

I upgraded from sophos 3.66 to 3.67 yesterday and since then, I've
noticed that my load on my mail server has been much higher than
before. Anybody else notice this? I've dropped the Max Children
setting from 4 to 2 on my system (Sun E220R, 2 CPUs, Sol 8) and that
reduced the load. I wonder what changed in Sophos to make such a
difference?

--- Jeff Earickson

From Jan-Peter.Koopmann at SECEIDOS.DE Tue Mar 11 16:15:46 2003
From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann)
Date: Thu Jan 12 21:17:27 2006
Subject: Problems with outgoing mail being detected as spam
Message-ID: <4E7026FF8A422749B1553FE508E0068007EF3F@message.intern.akctech.de>

Hi Jeff,

> As you suggested, I listed my mailserver first in the list
> and outgoing mail is still being detected as spam. So I need
> to "turn on" the autowhitelist?

No this has nothing to do with autowhitelisting. Are you by any chance
running exim? There was a bug in MailScanner (at least in 4.13-3) which
would explain exactly this behavior (at least when using domain names).

> /etc/MailScanner/rules/spam.whitelist.rules:
>
> # This is where you can build a Spam WhiteList
> # Addresses matching in here, with the value
> # "yes" will never be marked as spam.
> #From: 152.78. yes
> #From: 130.246. yes
> FromTo: default no
> From: 65.219.192.36 yes
> From: 65.219.192.35 yes
>

As Jeremy mentioned this should read

From: 65.219.192.36 yes
From: 65.219.192.35 yes
FromTo: default no

Why are you not using domain names btw? From my point of view this is
easier.

From: *@image-src.com yes

Are you absolutely sure that the envelope shows one of these e-mail
addresses as the sender?

....

Hmm. Now that I am reading this again, why are you using whitelisting at
all for this? I prefer to stop spam checks altogether for messages from
my local domain:

In MailScanner.conf put

Spam Checks = /opt/MailScanner/etc/rules/spam.checks.rules

And in this file put

From: *@image-src.com no
From: 65.219.192. no
FromTo: default yes

That should do the trick.

Regards,
  JP

From s.kelly at ayrcoll.ac.uk Tue Mar 11 16:19:01 2003
From: s.kelly at ayrcoll.ac.uk (Shane Kelly) Date: Thu Jan 12 21:17:27 2006 Subject: sophos 3.66 to 3.67, load jumps? In-Reply-To: References: Message-ID: <200303111619.01392.s.kelly@ayrcoll.ac.uk> On Tuesday 11 March 2003 4:08 pm, Jeff A. Earickson wrote: > Hi, > > I upgraded from sophos 3.66 to 3.67 yesterday and since then, I've > noticed that my load on my mail server has been much higher than > before. Anybody else notice this? I've dropped the Max Children > setting from 4 to 2 on my system (Sun E220R, 2 CPUs, Sol 8) and that > reduced the load. I wonder what changed in Sophos to make such a > difference? I think it is to do with the way in which sophos now packages its virus definition files - the scan time for one message has gone from 1 second to seven seconds on my (very small) mail hub. > --- Jeff Earickson Regards, Shane Kelly -- Network Infrastructure Manager Ayr College +44 (01292) 265184 =========================== These are my personal opinion(s), and do not necessarily reflect those of my employer. =========================== From jeff at IMAGE-SRC.COM Tue Mar 11 16:06:40 2003 From: jeff at IMAGE-SRC.COM (Jeff Graves) Date: Thu Jan 12 21:17:27 2006 Subject: Problems with outgoing mail being detected as spam In-Reply-To: <2739ECF7268CD0118F50080009DCC9F00235D2D4@pebble.bsa.ca.gov> Message-ID: <001101c2e7e8$33961d20$6401a8c0@bellingham.imagesrc.com> As you suggested, I listed my mailserver first in the list and outgoing mail is still being detected as spam. So I need to "turn on" the autowhitelist? Jeff Graves Customer Support Engineer Image Source, Inc. 10 Mill Street Bellingham, MA 02019 jeff@image-src.com - Email 508.966.5200 X31 - Phone 508.966.5170 - Fax -----Original Message----- 
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Jeremy Evans Sent: Wednesday, February 26, 2003 3:51 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Problems with outgoing mail being detected as spam I think that since default is listed first, it will match everything. Try listing it after the other two addresses. Also, you should only need the address of your mail server, the address of your LAN gateway shouldn't be necessary, unless it is acting as a proxy. Jeremy Evans Information Systems Analyst California State Auditor 916-445-0255 phone 916-322-7801 fax -----Original Message----- From: Jeff Graves [mailto:jeff@IMAGE-SRC.COM] Sent: Wednesday, February 26, 2003 12:38 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Problems with outgoing mail being detected as spam Hello all. I'm running MailScanner 4.12-2 with Sophos AV and SpamAssassin 2.31-16. I checked the archives and they mention a setting in MailScanner.conf but it was sort of outdated. I think I've traced it to adding entries in the /etc/MailScanner/rules/spam.whitelist.rules file. I add the 2 IP's that need no spam checking (my LAN gateway and my Mail Server) but messages sent by my mail server are still be checked for spam (and detected btw). Here's what the entries look like: /etc/MailScanner/rules/spam.whitelist.rules: # This is where you can build a Spam WhiteList # Addresses matching in here, with the value # "yes" will never be marked as spam. #From: 152.78. yes #From: 130.246. yes FromTo: default no From: 65.219.192.36 yes From: 65.219.192.35 yes Is my syntax incorrect? Is there another setting I'm missing? Thanks, Jeff Graves Customer Support Engineer Image Source, Inc. 10 Mill Street Bellingham, MA 02019 jeff@image-src.com - Email 508.966.5200 X31 - Phone 508.966.5170 - Fax From Kevin.Spicer at BMRB.CO.UK Tue Mar 11 16:27:34 2003 
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin)
Date: Thu Jan 12 21:17:27 2006
Subject: sophos 3.66 to 3.67, load jumps?
Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0A4AD50@pascal.priv.bmrb.co.uk>

> On Tuesday 11 March 2003 4:08 pm, Jeff A. Earickson wrote:
> > Hi,
> >
> > I upgraded from sophos 3.66 to 3.67 yesterday and since then, I've
> > noticed that my load on my mail server has been much higher than
> > before. Anybody else notice this? I've dropped the Max Children
> > setting from 4 to 2 on my system (Sun E220R, 2 CPUs, Sol 8) and that
> > reduced the load. I wonder what changed in Sophos to make such a
> > difference?
> I think it is to do with the way in which sophos now
> packages its virus
> definition files - the scan time for one message has gone
> from 1 second to
> seven seconds on my (very small) mail hub.
>

Yeah 3.67 is not good at all, my MailScanner's running 3.66 still - but
I've got several machines using samba-vscan that used to quite happily
read the virus defs from an NFS share. When I upgraded them to 3.66 it
nearly killed one of the machines (load average went up to high 30's
before I got to it and killed samba). I've had to go back to installing
and updating each machine separately (not using NFS) and the performance
is still noticeably poorer.

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000
_________________________________________________________________
This message (and any attachment) is intended only for the
recipient and may contain confidential and/or privileged
material. If you have received this in error, please contact the
sender and delete this message immediately. Disclosure, copying
or other action taken in respect of this email or in
reliance on it is prohibited. BMRB International Limited
accepts no liability in relation to any personal emails, or
content of any email which does not directly relate to our
business.

From mailscanner at ecs.soton.ac.uk Tue Mar 11 16:23:34 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:27 2006 Subject: RaQ problems after installing sendmail patch In-Reply-To: <200303111552.VAA31810@theargonserver.theargoncompany.com> References: <5.2.0.9.2.20030304140048.03b9cbc0@imap.ecs.soton.ac.uk> <5.2.0.9.2.20030304140048.03b9cbc0@imap.ecs.soton.ac.uk> Message-ID: <5.2.0.9.2.20030311162323.036f0d38@imap.ecs.soton.ac.uk> At 15:52 11/03/2003, you wrote: >On Tuesday 04 March 2003 7:38 pm, you wrote: > > On pkgmaster.com there are now packages for the RaQ3 and RaQ4 that apply > > the sendmail patch everyone has been talking about for the last day or two. > > > > When the patch is installed, it messes around with the /var/spool/mqueue > > directory and leaves it in a state that MailScanner does not like. > > > > To solve this: > > > > cd /var/spool/mqueue > > rmdir q1 q2 q3 q4 > > /etc/rc.d/init.d/MailScanner restart > > > > Then you should find everything starts working properly again. > > >Does this effect version 3.22-10 of mailscanner? Yes. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Tue Mar 11 16:27:25 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:27 2006 Subject: sophos 3.66 to 3.67, load jumps? In-Reply-To: <200303111619.01392.s.kelly@ayrcoll.ac.uk> References: Message-ID: <5.2.0.9.2.20030311162504.0359c1a0@imap.ecs.soton.ac.uk> At 16:19 11/03/2003, you wrote: >On Tuesday 11 March 2003 4:08 pm, Jeff A. Earickson wrote: > > Hi, > > > > I upgraded from sophos 3.66 to 3.67 yesterday and since then, I've > > noticed that my load on my mail server has been much higher than > > before. Anybody else notice this? I've dropped the Max Children > > setting from 4 to 2 on my system (Sun E220R, 2 CPUs, Sol 8) and that > > reduced the load. I wonder what changed in Sophos to make such a > > difference? > I think it is to do with the way in which sophos now packages its > virus >definition files - the scan time for one message has gone from 1 second to >seven seconds on my (very small) mail hub. If I was being really cynical, I might think they were intentionally nobbling systems which use their command-line scanner, encouraging people to use their over-priced mailmonitor package instead. Of course all that will really happen is that they lose customers to their competitors... -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Tue Mar 11 16:43:42 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:27 2006 Subject: sophos 3.66 to 3.67, load jumps? In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB0A4AD50@pascal.priv.bmrb.co .uk> Message-ID: <5.2.0.9.2.20030311164250.037b4eb0@imap.ecs.soton.ac.uk> You don't fancy taking this issue up with Sophos support do you? Would sure help if they didn't nobble their (previously fast) scanner. Having a complaint from a user of something other than MailScanner would help quite a bit, I think. Thanks! At 16:27 11/03/2003, you wrote: > > On Tuesday 11 March 2003 4:08 pm, Jeff A. Earickson wrote: > > > Hi, > > > > > > I upgraded from sophos 3.66 to 3.67 yesterday and since then, I've > > > noticed that my load on my mail server has been much higher than > > > before. Anybody else notice this? I've dropped the Max Children > > > setting from 4 to 2 on my system (Sun E220R, 2 CPUs, Sol 8) and that > > > reduced the load. I wonder what changed in Sophos to make such a > > > difference? > > I think it is to do with the way in which sophos now > > packages its virus > > definition files - the scan time for one message has gone > > from 1 second to > > seven seconds on my (very small) mail hub. > > >Yeah 3.67 is not good at all, my MailScanner's running 3.66 still - but >I've got several machines using samba-vscan that used to quite happily >read the virus defs from an NFS share. When I upgraded them to 3.66 it >nearly killed one of the machines (load average went up to high >30's before I got to it and killed samba. I've had to go back to >installing and updating each machine seperately (not using NFS) and the >performance is still noticably poorer. > > > >BMRB International >http://www.bmrb.co.uk >+44 (0)20 8566 5000 >_________________________________________________________________ >This message (and any attachment) is intended only for the >recipient and may contain confidential and/or privileged >material. 
If you have received this in error, please contact the >sender and delete this message immediately. Disclosure, copying >or other action taken in respect of this email or in >reliance on it is prohibited. BMRB International Limited >accepts no liability in relation to any personal emails, or >content of any email which does not directly relate to our >business. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From m.sapsed at BANGOR.AC.UK Tue Mar 11 16:49:01 2003 From: m.sapsed at BANGOR.AC.UK (Martin Sapsed) Date: Thu Jan 12 21:17:27 2006 Subject: OT: Read Receipt Request and this list References: <4E7026FF8A422749B1553FE508E0068007EE97@message.intern.akctech.de> Message-ID: <3E6E137D.4070703@bangor.ac.uk> Jan-Peter Koopmann wrote: > Hi, > > damn I will probably always forget to turn this off when writing to this > list. Is there no way for the list software to filter the read receipt > request from incoming mails? Unfortunately not - I checked. They can set the software to refuse/delete a post containing a particular header but can't remove the header and let the post through. Cheers, Martin -- Martin Sapsed Information Services "Who do you say I am?" University of Wales, Bangor Jesus of Nazareth From Jan-Peter.Koopmann at SECEIDOS.DE Tue Mar 11 16:50:17 2003 From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann) Date: Thu Jan 12 21:17:27 2006 Subject: OT: Read Receipt Request and this list Message-ID: <4E7026FF8A422749B1553FE508E0068007EF41@message.intern.akctech.de> Hi, > Unfortunately not - I checked. They can set the software to > refuse/delete a post containing a particular header but can't > remove the header and let the post through. > What header are we talking about? I will teach my exim to delete it when posts are going to mailing lists. Regards, JP From marco at MUW.EDU Tue Mar 11 17:08:11 2003 
From: marco at MUW.EDU (Marco Obaid)
Date: Thu Jan 12 21:17:27 2006
Subject: MS 4.14-1
In-Reply-To: <5.2.0.9.2.20030311122601.03bc3af8@imap.ecs.soton.ac.uk>
References: <5.2.0.9.2.20030311114740.03b48a50@imap.ecs.soton.ac.uk>
        <5.2.0.9.2.20030311122601.03bc3af8@imap.ecs.soton.ac.uk>
Message-ID: <1047402491.3e6e17fb82658@webmail.MUW.Edu>

Quoting Julian Field :

> Can someone else confirm that this version is working okay, then I'll put
> it up on the main web site.
>

I tested it on two machines RH 7.3 and 8.0 and everything seems to be
running smoothly on my side.

Marco

_________________________________________________________________
This mail is sent through MUW Webmail: http://www.MUW.Edu/webmail
For the latest MUW Events, visit http://www.MUW.Edu/calendar

From Kevin.Spicer at BMRB.CO.UK Tue Mar 11 17:08:23 2003
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin)
Date: Thu Jan 12 21:17:27 2006
Subject: sophos 3.66 to 3.67, load jumps?
Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0A4AD51@pascal.priv.bmrb.co.uk>

> You don't fancy taking this issue up with Sophos support do you?
> Would sure help if they didn't nobble their (previously fast) scanner.
>
> Having a complaint from a user of something other than
> MailScanner would
> help quite a bit, I think.
>

Okay, just done it! My only concern is that I'm actually using Sophos
installed in MailScanner configuration (so I can use MailScanner's
Sophos.install and autoupdate script to make my life easier - so I'm
hoping they don't ask too much about how it's installed!). I also hacked
the samba-vscan code to get around an issue caused by Intercheck on
Windows client machines. So my setup is probably not representative of
samba-vscan users in general.


BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000

From m.sapsed at BANGOR.AC.UK Tue Mar 11 17:08:35 2003
From: m.sapsed at BANGOR.AC.UK (Martin Sapsed)
Date: Thu Jan 12 21:17:27 2006
Subject: sophos 3.66 to 3.67, load jumps?
References: <5.2.0.9.2.20030311164250.037b4eb0@imap.ecs.soton.ac.uk>
Message-ID: <3E6E1813.90706@bangor.ac.uk>

Julian Field wrote:
> You don't fancy taking this issue up with Sophos support do you?
> Would sure help if they didn't nobble their (previously fast) scanner.
>
> Having a complaint from a user of something other than MailScanner would
> help quite a bit, I think.

Will do. We installed MailScanner with Sophos 3.67 on one of our main
mail hubs last night and were disappointed with the performance. We
tried tweaking a few things in order to keep its head above water but it
was very reassuring when this thread started! Nice to know when a
problem wasn't caused by something you did!

Cheers,

Martin

--
Martin Sapsed                 Information Services
"Who do you say I am?"        University of Wales, Bangor
     Jesus of Nazareth

From David.Sullivan at BARNET.AC.UK Tue Mar 11 17:27:22 2003
From: David.Sullivan at BARNET.AC.UK (David Sullivan)
Date: Thu Jan 12 21:17:27 2006
Subject: sophos 3.66 to 3.67, load jumps?
In-Reply-To: <5.2.0.9.2.20030311164250.037b4eb0@imap.ecs.soton.ac.uk>
References: <5C0296D26910694BB9A9BBFC577E7AB0A4AD50@pascal.priv.bmrb.co.uk>
Message-ID:

I did query this increased time about two weeks ago but no one seemed
interested or could confirm it for me, if you'd like me to take it up
with Sophos I can do.

David.

==============================================================
This communication may contain privileged or confidential
information which is for the exclusive use of the intended
recipient. If you are not the intended recipient, please note
that you may not distribute or use this communication or the
information it contains. If this e-mail has reached you in
error, please delete it and any attachment.

Internet communications are not secure and Barnet College does
not accept legal responsibility for the content of this message.
Any views or opinions expressed are those of the author and not
necessarily those of Barnet College.

Please note that Barnet College reserves the right to monitor
the source/destinations of all incoming or outgoing e-mail
communications.
==============================================================

From mailscanner at ecs.soton.ac.uk Tue Mar 11 17:35:08 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:27 2006
Subject: HTML body changed??? - Different SA scores / SA and MA
In-Reply-To: <4E7026FF8A422749B1553FE508E0068007EF3A@message.intern.akctech.de>
Message-ID: <5.2.0.9.2.20030311173326.03b76e78@imap.ecs.soton.ac.uk>

At 14:44 11/03/2003, you wrote:
> > There is currently a little problem in the MS->SA interface
> > for Exim. It's not very serious but can cause test results
> > that differ a bit from what you expect. There is a fix for
> > it, but I want to do some more testing on it first to be sure
> > it won't break anything else.
>
>Noted... Thought it would be something like that. Need a guinea pig?

Yes please. Take your pick of:
http://www.sng.ecs.soton.ac.uk/mailscanner/files/4/tar/MailScanner-4.14-2.tar
http://www.sng.ecs.soton.ac.uk/mailscanner/files/4/rpm/MailScanner-4.14-2.rpm.tar
http://www.sng.ecs.soton.ac.uk/mailscanner/files/4/suse/MailScanner-4.14-2.suse.tar

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From richard.siddall at ELIRION.NET Tue Mar 11 18:01:32 2003
From: richard.siddall at ELIRION.NET (Richard Siddall)
Date: Thu Jan 12 21:17:27 2006
Subject: RaQ problems after installing sendmail patch
In-Reply-To: <200303111552.VAA31810@theargonserver.theargoncompany.com>
References: <5.2.0.9.2.20030304140048.03b9cbc0@imap.ecs.soton.ac.uk>
        <200303111552.VAA31810@theargonserver.theargoncompany.com>
Message-ID: <3E6E247C.3060302@elirion.net>

Rishi Gangoly wrote:
> Is there anyone who has upgraded mailscanner from 3.x to 4.x on a Cobalt RaQ4?
>

Yes. I put it off for several months as I mistakenly thought 4.x
required Perl 5.6.1, and I did not want to get into installing a second
copy of Perl on the RaQ.

IIRC, I installed SpamAssassin 2.43 from the tarball and MailScanner 4.x
from the RPM.

I don't recall any problems other than getting the configuration file
tuned up, which was complicated by the fact that 4.x uses different
directories and file names than 3.x.

Regards,

        Richard.

From marco at MUW.EDU Tue Mar 11 18:13:42 2003
From: marco at MUW.EDU (Marco Obaid)
Date: Thu Jan 12 21:17:27 2006
Subject: sophos 3.66 to 3.67, load jumps?
Message-ID: <1047406422.3e6e27567585c@webmail.MUW.Edu>

I just spoke with Sophos about this issue and I am attaching their response.
One interesting note about my conversation with the tech support person is that
he did not want me to call my issue a "problem with Sophos". He repeatedly said
that the performance jump is due to providing "BETTER" protection. I will let
you read their response.

----- Forwarded message from mark.danus@sophos.com -----
    Date: Tue, 11 Mar 2003 12:54:44 -0500
    Subject: Unix performance issues
    To: marco@muw.edu

Version 3.67 of SAV on non-windows platform sees a big jump in engine
capabilities. In particular it contains plug-ins enabling thorough scans of
four common file types - pdf, rtf, elf (Linux/BSD binaries) and .class
(java 'executables').

Addition of these plug-ins means that the engine is doing more work to
provide better protection.

As a result of this some customers may report significant increases in the
time taken to scan their file systems. Increases will vary according to the
number and proportion of the file types mentioned above. The extreme
example is scanning a set of files consisting solely of pdfs, rtfs, elf
binaries and java files. In this case the scan time increases by a factor
of just over 3 (60 minutes -> minutes).

If you receive calls from customers complaining of scans taking longer to
complete or SAVI applications having to work harder than usual, it is more
than likely down to these issues.

The important thing to remember is that the slowdown is due to the
increased level of protection that we need to provide given the continuing
growth in the number of different file types that can carry viruses.

It is possible to disable these for options when using sweep by adding the
following command-line arguments:

-nopt=Pdf
-nopt=Elf
-nopt=Rtf
-nopt=Java

don't forget that use of any of these options may seriously impact our
ability to detect viruses in those types of file.

Regards,

MGD


----- End forwarded message -----


____________________________________________________________
 _/ _/ _/ _/ _/ _/ | Marco Obaid
 _/_/ _/_/ _/ _/ _/ _/ | Network Administrator
 _/ _/ _/ _/ _/ _/ _/ _/ | McDevitt Hall
 _/ _/ _/ _/ _/_/ _/_/ | W-Box 1621
_/ _/ _/_/_/ _/ _/ | Columbus MS 39701
____________________________________________________________
M I S S I S S I P P I U N I V E R S I T Y F O R W O M E N

From jeff at IMAGE-SRC.COM Tue Mar 11 18:07:43 2003
From: jeff at IMAGE-SRC.COM (Jeff Graves)
Date: Thu Jan 12 21:17:28 2006
Subject: Problems with outgoing mail being detected as spam
In-Reply-To: <4E7026FF8A422749B1553FE508E0068007EF3F@message.intern.akctech.de>
Message-ID: <003d01c2e7f9$1ca39230$6401a8c0@bellingham.imagesrc.com>

Well, I made this change as suggested:

....
Hmm. Now that I am reading this again, why are you using whitelisting at
all for this? I prefer to stop spam checks altogether for messages from
my local domain:

In MailScanner.conf put

Spam Checks = /etc/MailScanner/rules/spam.checks.rules

And in this file put

From:   *@image-src.com no
From:   65.219.192.     no
FromTo: default         yes

That should do the trick.
....

And certain outgoing mail is still being checked for spam. I have a script
that sends a message for procmail without a from address. This message is
being marked as spam even though it came from the mail server. How do I
configure MailScanner to not check any mail for spam if it is coming from
localhost? Here's the headers:

Date: Tue, 11 Mar 2003 13:21:07 -0500
From: <>
Message-Id: <200303111821.h2BIL7i2014928@mailsrv.image-src.com>
Received: from mailsrv.image-src.com (localhost.localdomain [127.0.0.1])
        by mailsrv.image-src.com (8.12.5/8.12.5) with ESMTP id h2BIL744014930
        for ; Tue, 11 Mar 2003 13:21:07 -0500
        (from jeff@localhost) by mailsrv.image-src.com (8.12.5/8.12.5/Submit)
        id h2BIL7i2014928; Tue, 11 Mar 2003 13:21:07 -0500
Return-Path:
Subject: {Spam} Email
To: admin@image-src.com
X-MailScanner: Found to be clean
X-MailScanner-SpamCheck: spam, SpamAssassin (score=5.2, required 5,
        FROM_MALFORMED, FROM_NO_USER)
X-MailScanner-SpamScore: sssss

It seems like the "From:" directive in the spam.checks.rules file I created
is actually checking against the "From:" directive in the envelope. How do I
tell MailScanner to not check the mail at all if it came from the local
sendmail server?

Jeff Graves
Customer Support Engineer
Image Source, Inc.
10 Mill Street
Bellingham, MA 02019

jeff@image-src.com - Email
508.966.5200 X31 - Phone
508.966.5170 - Fax

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On
Behalf Of Jan-Peter Koopmann
Sent: Tuesday, March 11, 2003 11:16 AM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Problems with outgoing mail being detected as spam

Hi Jeff,

> As you suggested, I listed my mailserver first in the list
> and outgoing mail is still being detected as spam. So I need
> to "turn on" the autowhitelist?

No this has nothing to do with autowhitelisting. Are you by any chance
running exim? There was a bug in MailScanner (at least in 4.13-3) which
would explain exactly this behavior (at least when using domain names).

> /etc/MailScanner/rules/spam.whitelist.rules:
>
> # This is where you can build a Spam WhiteList
> # Addresses matching in here, with the value
> # "yes" will never be marked as spam.
> #From: 152.78. yes
> #From: 130.246. yes
> FromTo: default no
> From: 65.219.192.36 yes
> From: 65.219.192.35 yes
>

As Jeremy mentioned this should read

From:   65.219.192.36   yes
From:   65.219.192.35   yes
FromTo: default         no

Why are you not using domain names btw? From my point of view this is
easier.

From:   *@image-src.com yes

Are you absolutely sure that the envelope shows one of these e-mail
addresses as the sender?

....
Hmm. Now that I am reading this again, why are you using whitelisting at
all for this? I prefer to stop spam checks altogether for messages from
my local domain:

In MailScanner.conf put

Spam Checks = /opt/MailScanner/etc/rules/spam.checks.rules

And in this file put

From:   *@image-src.com no
From:   65.219.192.     no
FromTo: default         yes

That should do the trick.

Regards,
  JP

From Jan-Peter.Koopmann at SECEIDOS.DE Tue Mar 11 18:26:18 2003
From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann)
Date: Thu Jan 12 21:17:28 2006
Subject: Problems with outgoing mail being detected as spam
Message-ID: <4E7026FF8A422749B1553FE508E0068007EF45@message.intern.akctech.de>

Have you tried a

From: 127.0.0.1 no
From: localhost no

?

From mailscanner at ecs.soton.ac.uk Tue Mar 11 18:34:06 2003
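[Added example, not part of any post in this thread and not MailScanner's own code.] A simplified model of how the spam.checks.rules file quoted above treats the script-generated message whose headers were posted, and what the 127.0.0.1 rule suggested above changes. It assumes first-match evaluation, `From:` patterns tested against both the envelope sender and the sending host's IP address, `FromTo:` testing either end, and `default` as a catch-all; `Message`, `parse_rules`, `evaluate` and the sample messages are hypothetical names and constructed data.

```python
"""Simplified model of a MailScanner-style ruleset (illustration only).

Assumptions, not taken from MailScanner's source: rules are tried in file
order and the first match wins; a From: pattern is tested against the
envelope sender and the IP address of the sending host; FromTo: tests
sender or recipient; the pattern "default" matches anything.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase
import re


@dataclass
class Message:
    sender: str      # envelope sender, "" for the null sender <>
    recipient: str   # envelope recipient
    client_ip: str   # address the message was received from


def parse_rules(text):
    """Turn 'Direction: pattern value' lines into (direction, pattern, value)."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 3 or not parts[0].endswith(":"):
            raise ValueError(f"cannot parse rule: {raw!r}")
        rules.append((parts[0][:-1].lower(), parts[1], parts[2].lower()))
    return rules


def _matches(pattern, address, ip):
    if pattern.lower() == "default":
        return True
    if re.fullmatch(r"[0-9.]+", pattern):
        # Numeric pattern: a prefix when it ends in a dot, else an exact IP.
        return ip.startswith(pattern) if pattern.endswith(".") else ip == pattern
    # Address pattern with * wildcards; the null sender never matches one.
    return bool(address) and fnmatchcase(address.lower(), pattern.lower())


def evaluate(rules, msg):
    """Return (value, matching rule) for the first rule that matches msg."""
    for direction, pattern, value in rules:
        if direction == "from":
            hit = _matches(pattern, msg.sender, msg.client_ip)
        elif direction == "to":
            hit = _matches(pattern, msg.recipient, "")
        elif direction in ("fromto", "fromorto"):
            hit = (_matches(pattern, msg.sender, msg.client_ip)
                   or _matches(pattern, msg.recipient, ""))
        else:
            raise ValueError(f"unknown direction: {direction}")
        if hit:
            return value, f"{direction}: {pattern}"
    return None, None


# Rules as posted in the thread.
ORIGINAL = """
From:   *@image-src.com  no
From:   65.219.192.      no
FromTo: default          yes
"""
# The same file with the 127.0.0.1 rule suggested in the thread added.
FIXED = "From: 127.0.0.1 no\n" + ORIGINAL

# Constructed messages modelled on the headers posted in the thread.
SCRIPT_MAIL = Message("", "admin@image-src.com", "127.0.0.1")
USER_MAIL = Message("jeff@image-src.com", "someone@example.org", "65.219.192.36")
OUTSIDE_MAIL = Message("stranger@example.net", "admin@image-src.com", "192.0.2.10")
# Same sender domain as USER_MAIL, but received from an unrelated host.
CLAIMED_SENDER_MAIL = Message("billing@image-src.com", "admin@image-src.com", "192.0.2.10")

if __name__ == "__main__":
    samples = [("script", SCRIPT_MAIL), ("user", USER_MAIL),
               ("outside", OUTSIDE_MAIL), ("claimed sender", CLAIMED_SENDER_MAIL)]
    for label, ruleset in (("original", ORIGINAL), ("fixed", FIXED)):
        rules = parse_rules(ruleset)
        for name, msg in samples:
            value, rule = evaluate(rules, msg)
            print(f"{label:8} {name:14} spam checks = {value:3} ({rule})")
```

In this model the script's message has a null sender and arrives from 127.0.0.1, so neither original rule matches and it falls through to `default yes`. The `*@image-src.com` rule matches on the claimed envelope sender alone, so a message from any host presenting that sender also skips the checks, while the IP-based rules match only the listed hosts.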
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:28 2006
Subject: sophos 3.66 to 3.67, load jumps?
In-Reply-To: <1047406422.3e6e27567585c@webmail.MUW.Edu>
Message-ID: <5.2.0.9.2.20030311182825.0245b3d0@imap.ecs.soton.ac.uk>

Can someone do a quick test with
         cd /usr/lib/MailScanner
         time ./sophos-wrapper -TNEF /dev/null
with 3.66 and 3.67.

Then, with 3.67, try turning off their "new options":
         cd /usr/lib/MailScanner
         time ./sophos-wrapper -TNEF -nopt=Pdf -nopt=Elf -nopt=Rtf -nopt=Java /dev/null

What are the timings like? This will give us the startup time as scanning
/dev/null should take 0 time.

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

From David.Sullivan at BARNET.AC.UK Tue Mar 11 18:35:04 2003
From: David.Sullivan at BARNET.AC.UK (David Sullivan)
Date: Thu Jan 12 21:17:28 2006
Subject: sophos 3.66 to 3.67, load jumps?
In-Reply-To: <1047406422.3e6e27567585c@webmail.MUW.Edu>
Message-ID: <3E6E2C58.30289.1469CB@localhost>

On 11 Mar 2003 at 12:13, Marco Obaid wrote:

> I just spoke with Sophos about this issue and I am attaching their response.
> One interesting note about my conversation with the tech support person is that
> he did not want me to call my issue a "problem with Sophos". He repeatedly said
> that the performance jump is due to providing "BETTER" protection. I will let
> you read their response.

All very well for possibly decreasing the scan time for large
numbers of files but these options seem to have no effect on the
time taken to spawn the executable itself which slows down the
time taken to scan each batch of messages in MailScanner.

David

From mike at TECHINTER.COM Tue Mar 11 18:35:15 2003
From: mike at TECHINTER.COM (Mike Williams)
Date: Thu Jan 12 21:17:28 2006
Subject: Per User Blacklist and white lists
In-Reply-To: <4E7026FF8A422749B1553FE508E0068007EF45@message.intern.akctech.de>
Message-ID:

Is it possible to have a per user blacklist and whitelist? Example in the
whitelist file:

To: user-1@domain.com /etc/MailScanner/rules/whitelist/user-1-domain.com
To: user-2@domain.com /etc/MailScanner/rules/whitelist/user-2-domain.com
FromTo: Default no


user-1-domain.com

From: friend@domain.com yes
From: friend1@domain.com yes
From: default no

and so on?

Mike

From mailscanner at ecs.soton.ac.uk Tue Mar 11 18:43:57 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:28 2006
Subject: Per User Blacklist and white lists
In-Reply-To:
References: <4E7026FF8A422749B1553FE508E0068007EF45@message.intern.akctech.de>
Message-ID: <5.2.0.9.2.20030311184240.027c12e8@imap.ecs.soton.ac.uk>

Take a look in the CustomConfig.pm file in recent distributions. This
feature is an example of what you can do with "Custom Functions". You will
probably need to change the directories it reads the black/whitelists from,
but otherwise it will just work. The code briefly explains what should go
in the various config files.

At 18:35 11/03/2003, you wrote:
>Is it possible to have a per user blacklist and whitelist? Example in the
>whitelist file:
>
>To: user-1@domain.com /etc/MailScanner/rules/whitelist/user-1-domain.com
>To: user-2@domain.com /etc/MailScanner/rules/whitelist/user-2-domain.com
>FromTo: Default no
>
>
>user-1-domain.com
>
>From: friend@domain.com yes
>From: friend1@domain.com yes
>From: default no
>
>and so on?
>
>Mike

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Tue Mar 11 18:56:09 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:28 2006
Subject: sophos 3.66 to 3.67, load jumps?
In-Reply-To: <5.2.0.9.2.20030311182825.0245b3d0@imap.ecs.soton.ac.uk>
References: <1047406422.3e6e27567585c@webmail.MUW.Edu>
Message-ID: <5.2.0.9.2.20030311184828.0227bb58@imap.ecs.soton.ac.uk>

At 18:34 11/03/2003, you wrote:
>Can someone do a quick test with
>         time sweep -TNEF /dev/null
>with 3.66 and 3.67.

3.66:
real    0m0.620s
user    0m0.610s
sys     0m0.020s

3.67:
real    0m1.578s
user    0m1.550s
sys     0m0.030s

So startup is 2.5 times slower with 3.67 than 3.66.

>Then, with 3.67, try turning off their "new options":
>         time sweep -TNEF -nopt=Pdf -nopt=Elf -nopt=Rtf
>-nopt=Java /dev/null

real    0m2.075s
user    0m2.040s
sys     0m0.030s

3.3 times slower than 3.66, with the options that are supposed to speed it up!

Can people get onto Sophos with these startup timing figures? They are
appalling.

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

From jaearick at COLBY.EDU Tue Mar 11 19:35:07 2003
From: jaearick at COLBY.EDU (Jeff A. Earickson)
Date: Thu Jan 12 21:17:28 2006
Subject: sophos 3.66 to 3.67, load jumps?
In-Reply-To: <5.2.0.9.2.20030311184828.0227bb58@imap.ecs.soton.ac.uk>
References: <1047406422.3e6e27567585c@webmail.MUW.Edu>
        <5.2.0.9.2.20030311184828.0227bb58@imap.ecs.soton.ac.uk>
Message-ID:

Julian,

Here is what I got on my busy E220R, solaris 8. I reinstalled 3.66
into a separate directory, downloaded the current ide defs, set
the SAV_IDE and LD_LIBRARY_PATH variables accordingly, etc, before
running this test.

3.66: timex ./sweep -TNEF /dev/null
----
real        3.63
user        1.60
sys         0.10

3.67: timex ./sweep -TNEF /dev/null
----
real        7.32
user        3.59
sys         0.10

3.67: timex ./sweep -TNEF -nopt=Pdf -nopt=Elf -nopt=Rtf -nopt=Java /dev/null
----
real       10.08
user        3.99
sys         0.18

I'm glad that our PC person still had the 3.66 CD, so I could get 3.66 back.
This performance degradation is unacceptable and I'll tell Sophos that in
my email to them. I'm rolling back to 3.66 for the time being.

-----------------------------------
Jeff A. Earickson, Ph.D
Senior UNIX Sysadmin and Email Guru
Information Technology Services
Colby College, 4214 Mayflower Hill,
Waterville ME, 04901-8842
phone: 207-872-3659 (fax = 3076)
-----------------------------------

From Peter.Bates at LSHTM.AC.UK Tue Mar 11 19:37:19 2003
From: Peter.Bates at LSHTM.AC.UK (Peter Bates)
Date: Thu Jan 12 21:17:28 2006
Subject: sophos 3.66 to 3.67, load jumps?
Message-ID:

Hello all...

In my position sitting on the fence between amavis(d) and MailScanner, I
just thought I'd pipe up... testing with Postfix and MS with the scripts
posted to this list recently is however going very well, but that's a
different story...

Over on the amavis lists they've been moaning about 3.67 since it
appeared, due to the increased load/spawning times, and also changes in
number of virus-data files, and command-line/SAVI options.

Particularly badly hit have been Sophie, the daemonized SAVI-interfacing
scanner, and SAVI::Perl, the Perl interface to SAVI, mainly due to the
dropping of options, or changing thereof.

Always good to know you're not alone in the world... where that leaves
the humble Sophos user, is of course yet again another story..

On the note above, I've read Julian's misgivings/dislike about Sophie and
daemonized AV scanners, but surely something like SAVI::Perl is an
interesting development?

--------------------------------------------------------------------------------------------------->
Peter Bates, Systems Support Officer, Network Support Team.
London School of Hygiene & Tropical Medicine.
Telephone:0207-958 8353 / Fax: 0207- 636 9838

From marco at MUW.EDU Tue Mar 11 19:51:51 2003
From: marco at MUW.EDU (Marco Obaid) Date: Thu Jan 12 21:17:28 2006 Subject: sophos 3.66 to 3.67, load jumps? In-Reply-To: <5.2.0.9.2.20030311184828.0227bb58@imap.ecs.soton.ac.uk> References: <1047406422.3e6e27567585c@webmail.MUW.Edu> <5.2.0.9.2.20030311184828.0227bb58@imap.ecs.soton.ac.uk> Message-ID: <1047412311.3e6e3e573b58f@webmail.MUW.Edu> > Can people get onto Sophos with these startup timing figures? They are > appalling. I did and here is the recommendation from Sophos. First, they are not admitting that it is an "issue". If you request it, which I did, you can install their XRS version. XRS, according to Sophos, is the old engine with the new IDEs. I installed it on two systems and the performance is much better now. Actually very good according to my systems. Can more people test it now? I have it installed now on a production system and the load is normal. Here is the e-mail from Sophos: ----------- As requested http://www.sophos.com/sophos/products/full/xrs/aix.tar.Z http://www.sophos.com/sophos/products/full/xrs/digitalunix.tar.Z http://www.sophos.com/sophos/products/full/xrs/freebsd.aout.tar.Z http://www.sophos.com/sophos/products/full/xrs/freebsd.elf.tar.Z http://www.sophos.com/sophos/products/full/xrs/hpux.tar.Z http://www.sophos.com/sophos/products/full/xrs/linux.alpha.tar.Z http://www.sophos.com/sophos/products/full/xrs/linux.intel.libc5.tar.Z http://www.sophos.com/sophos/products/full/xrs/linux.intel.libc6.tar.Z http://www.sophos.com/sophos/products/full/xrs/linux.ppc.tar.Z http://www.sophos.com/sophos/products/full/xrs/linux.s390.tar.Z http://www.sophos.com/sophos/products/full/xrs/scoopenserver.tar.Z http://www.sophos.com/sophos/products/full/xrs/scounixware.tar.Z http://www.sophos.com/sophos/products/full/xrs/solaris.intel.tar.Z http://www.sophos.com/sophos/products/full/xrs/solaris.sparc.tar.Z Regards, MGD --------- Marco _________________________________________________________________ This mail is sent through MUW Webmail: 
http://www.MUW.Edu/webmail For the latest MUW Events, visit http://www.MUW.Edu/calendar From jeff at IMAGE-SRC.COM Tue Mar 11 19:47:32 2003 From: jeff at IMAGE-SRC.COM (Jeff Graves) Date: Thu Jan 12 21:17:28 2006 Subject: Problems with outgoing mail being detected as spam In-Reply-To: <4E7026FF8A422749B1553FE508E0068007EF45@message.intern.akctech.de> Message-ID: <005801c2e807$0e462b90$6401a8c0@bellingham.imagesrc.com> From: 127.0.0.1 no This fixed the issue. Thanks for all your help! Jeff Graves Customer Support Engineer Image Source, Inc. 10 Mill Street Bellingham, MA 02019 jeff@image-src.com - Email 508.966.5200 X31 - Phone 508.966.5170 - Fax From mike at TECHINTER.COM Tue Mar 11 19:50:04 2003 From: mike at TECHINTER.COM (Mike Williams) Date: Thu Jan 12 21:17:28 2006 Subject: Per User Blacklist and white lists In-Reply-To: <5.2.0.9.2.20030311184240.027c12e8@imap.ecs.soton.ac.uk> Message-ID: Julian, Thanks for the info. I'm looking at the code and the example is for bydomain. I'm not sure but it looks like I can have the white and black list by either domain.com or by user@domain.com. The reason I am asking is that each user will need to be able to specify their own black and white list. This makes it possible that one user would wish to block email from a user@spam.com and another user to whitelist or not block a user@spam.com. So if I use a filename of user1@domain.com and user2@domain.com does this in fact make the whitelist and blacklist unique for each user even if they are in the same domain? Mike -----Original Message----- 
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Julian Field Sent: Tuesday, March 11, 2003 12:44 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Per User Blacklist and white lists Take a look in the CustomConfig.pm file in recent distributions. This feature is an example of what you can do with "Custom Functions". You will probably need to change the directories it reads the black/whitelists from, but otherwise it will just work. The code briefly explains what should go in the various config files. At 18:35 11/03/2003, you wrote: >Is it possible to have a per user blacklist and whitelist? Example in the >whitelist file: > >To: user-1@domain.com /etc/MailScanner/rules/whitelist/user-1-domain.com >To: user-2@domain.com /etc/MailScanner/rules/whitelist/user-2-domain.com >FromTo: Default no > > >user-1-domain.com > >From: friend@domain.com yes >From: friend1@domain.com yes >From: default no > >and so on? > >Mike -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support From sholland at SUMSYS.COM Tue Mar 11 20:21:54 2003 
From: sholland at SUMSYS.COM (Stephen Holland) Date: Thu Jan 12 21:17:28 2006 Subject: Old FAQ #19 Message-ID: <955B9133AB84B54DA680A88B1B75514E02875D@ssisrv02.summit.local> http://www.sng.ecs.soton.ac.uk/mailscanner/faq.shtml#19 Maybe this should be a question for the SA thread, BUT. Is it recommended to not have spamd running and if so do you disable it in SA or MailScanner. I installed this from an RPM that is why I am asking because there is not a way to remove spamd before install like the link says to do above. Or if I use MailScanner which I assume calls SA then do I even need to worry about the spamd on my box. --Stephen From mailscanner at ecs.soton.ac.uk Tue Mar 11 20:24:23 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:28 2006 Subject: Per User Blacklist and white lists In-Reply-To: References: <5.2.0.9.2.20030311184240.027c12e8@imap.ecs.soton.ac.uk> Message-ID: <5.2.0.9.2.20030311202337.027f2e90@imap.ecs.soton.ac.uk> At 19:50 11/03/2003, you wrote: >Julian, > >Thanks for the info. I'm looking at the code and the example is for >bydomain. I'm not sure but it looks like I can have the white and black >list by either domain.com or by user@domain.com. Yes you can. You can even give it IP addresses if I remember rightly. > The reason I am asking is >that each user will need to be able to specify their own black and white >list. This makes it possible that one user would wish to block email from a >user@spam.com and another user to whitelist or not block a user@spam.com. >So if I use a filename of user1@domain.com and user2@domain.com does this in >fact make the whitelist and blacklist unique for each user even if they are >in the same domain? > >Mike > >-----Original Message----- 
>From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On >Behalf Of Julian Field >Sent: Tuesday, March 11, 2003 12:44 PM >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Re: Per User Blacklist and white lists > > >Take a look in the CustomConfig.pm file in recent distributions. This >feature is an example of what you can do with "Custom Functions". You will >probably need to change the directories it reads the black/whitelists from, >but otherwise it will just work. The code briefly explains what should go >in the various config files. > >At 18:35 11/03/2003, you wrote: > >Is it possible to have a per user blacklist and whitelist? Example in the > >whitelist file: > > > >To: user-1@domain.com >/etc/MailScanner/rules/whitelist/user-1-domain.com > >To: user-2@domain.com >/etc/MailScanner/rules/whitelist/user-2-domain.com > >FromTo: Default no > > > > > >user-1-domain.com > > > >From: friend@domain.com yes > >From: friend1@domain.com yes > >From: default no > > > >and so on? > > > >Mike > >-- >Julian Field >www.MailScanner.info >Professional Support Services at www.MailScanner.biz >MailScanner thanks transtec Computers for their support -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Tue Mar 11 20:23:12 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:28 2006 Subject: sophos 3.66 to 3.67, load jumps? In-Reply-To: <1047412311.3e6e3e573b58f@webmail.MUW.Edu> References: <5.2.0.9.2.20030311184828.0227bb58@imap.ecs.soton.ac.uk> <1047406422.3e6e27567585c@webmail.MUW.Edu> <5.2.0.9.2.20030311184828.0227bb58@imap.ecs.soton.ac.uk> Message-ID: <5.2.0.9.2.20030311202206.027f2d50@imap.ecs.soton.ac.uk> The XRS version works at the speed of the old versions, as expected. real 0m0.619s user 0m0.600s sys 0m0.020s At 19:51 11/03/2003, you wrote: > > Can people get onto Sophos with these startup timing figures? They are > > appalling. > >I did and here is the recommendation from Sophos. First, they are not >admitting >that it is an "issue". Hopefully if enough people hassle them, they will agree that it is! > If you request it, which I did, you can install their >XRS version. XRS, according to Sophos, is the old engine with the new IDEs. I >installed it on two systems and the performance is much better now. Actually >very good according to my systems. Can more people test it now? I have it >installed now on a production system and the load is normal. 
> >Here is the e-mail from Sophos: > >----------- > >As requested > >http://www.sophos.com/sophos/products/full/xrs/aix.tar.Z >http://www.sophos.com/sophos/products/full/xrs/digitalunix.tar.Z >http://www.sophos.com/sophos/products/full/xrs/freebsd.aout.tar.Z >http://www.sophos.com/sophos/products/full/xrs/freebsd.elf.tar.Z >http://www.sophos.com/sophos/products/full/xrs/hpux.tar.Z >http://www.sophos.com/sophos/products/full/xrs/linux.alpha.tar.Z >http://www.sophos.com/sophos/products/full/xrs/linux.intel.libc5.tar.Z >http://www.sophos.com/sophos/products/full/xrs/linux.intel.libc6.tar.Z >http://www.sophos.com/sophos/products/full/xrs/linux.ppc.tar.Z >http://www.sophos.com/sophos/products/full/xrs/linux.s390.tar.Z >http://www.sophos.com/sophos/products/full/xrs/scoopenserver.tar.Z >http://www.sophos.com/sophos/products/full/xrs/scounixware.tar.Z >http://www.sophos.com/sophos/products/full/xrs/solaris.intel.tar.Z >http://www.sophos.com/sophos/products/full/xrs/solaris.sparc.tar.Z > > >Regards, > >MGD >--------- > >Marco > >_________________________________________________________________ >This mail is sent through MUW Webmail: http://www.MUW.Edu/webmail >For the latest MUW Events, visit http://www.MUW.Edu/calendar -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Tue Mar 11 20:28:41 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:28 2006 Subject: Old FAQ #19 In-Reply-To: <955B9133AB84B54DA680A88B1B75514E02875D@ssisrv02.summit.local> Message-ID: <5.2.0.9.2.20030311202806.0288df50@imap.ecs.soton.ac.uk> At 20:21 11/03/2003, you wrote: >http://www.sng.ecs.soton.ac.uk/mailscanner/faq.shtml#19 >Maybe this should be a question for the SA thread, BUT. Is it recommended >to not have spamd running and if so do you disable it in SA or >MailScanner. I installed this from an RPM that is why I am asking because >there is not a way to remove spamd before install like the link says to do >above. Or if I use MailScanner which I assume calls SA then do I even >need to worry about the spamd on my box. MailScanner doesn't use spamd, so feel free to disable it. It won't make any difference. -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support From ryan at MARINOCRANE.COM Tue Mar 11 20:35:51 2003 
From: ryan at MARINOCRANE.COM (Ryan Pitt) Date: Thu Jan 12 21:17:28 2006 Subject: sophos 3.66 to 3.67, load jumps? References: <5.2.0.9.2.20030311184828.0227bb58@imap.ecs.soton.ac.uk> <1047406422.3e6e27567585c@webmail.MUW.Edu> <5.2.0.9.2.20030311184828.0227bb58@imap.ecs.soton.ac.uk> <5.2.0.9.2.20030311202206.027f2d50@imap.ecs.soton.ac.uk> Message-ID: <3E6E48A7.5030604@marinocrane.com> I just took a look at the new Sophos CD (March 2003) and there is an XRS folder which contains the files that are linked to below. Just thought I would try and save some of you the hassle of trying to download them, especially those who don't have a username and password for Sophos. Regards Ryan Julian Field wrote: > The XRS version works at the speed of the old versions, as expected. > real 0m0.619s > user 0m0.600s > sys 0m0.020s > > At 19:51 11/03/2003, you wrote: > >> > Can people get onto Sophos with these startup timing figures? They are >> > appalling. >> >> I did and here is the recommendation from Sophos. First, they are not >> admitting >> that it is an "issue". > > > Hopefully if enough people hassle them, they will agree that it is! > >> If you request it, which I did, you can install their >> XRS version. XRS, according to Sophos, is the old engine with the new >> IDEs. I >> installed it on two systems and the performance is much better now. >> Actually >> very good according to my systems. Can more people test it now? I have it >> installed now on a production system and the load is normal. 
>> >> Here is the e-mail from Sophos: >> >> ----------- >> >> As requested >> >> http://www.sophos.com/sophos/products/full/xrs/aix.tar.Z >> http://www.sophos.com/sophos/products/full/xrs/digitalunix.tar.Z >> http://www.sophos.com/sophos/products/full/xrs/freebsd.aout.tar.Z >> http://www.sophos.com/sophos/products/full/xrs/freebsd.elf.tar.Z >> http://www.sophos.com/sophos/products/full/xrs/hpux.tar.Z >> http://www.sophos.com/sophos/products/full/xrs/linux.alpha.tar.Z >> http://www.sophos.com/sophos/products/full/xrs/linux.intel.libc5.tar.Z >> http://www.sophos.com/sophos/products/full/xrs/linux.intel.libc6.tar.Z >> http://www.sophos.com/sophos/products/full/xrs/linux.ppc.tar.Z >> http://www.sophos.com/sophos/products/full/xrs/linux.s390.tar.Z >> http://www.sophos.com/sophos/products/full/xrs/scoopenserver.tar.Z >> http://www.sophos.com/sophos/products/full/xrs/scounixware.tar.Z >> http://www.sophos.com/sophos/products/full/xrs/solaris.intel.tar.Z >> http://www.sophos.com/sophos/products/full/xrs/solaris.sparc.tar.Z >> >> >> Regards, >> >> MGD >> --------- >> >> Marco >> >> _________________________________________________________________ >> This mail is sent through MUW Webmail: http://www.MUW.Edu/webmail >> For the latest MUW Events, visit http://www.MUW.Edu/calendar > > > -- > Julian Field > www.MailScanner.info > Professional Support Services at www.MailScanner.biz > MailScanner thanks transtec Computers for their support > -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From mailscanner at lists.com.ar Tue Mar 11 21:04:17 2003 
From: mailscanner at lists.com.ar (Mariano Absatz) Date: Thu Jan 12 21:17:28 2006 Subject: mailscanner & zmailer In-Reply-To: <20030307231751.GC18283@hoiho.nz.lemon-computing.com> References: <3E68EA5D.32729.6D7BF40A@localhost> Message-ID: <3E6E2521.990.81E9CF83@localhost> Alright, alright, you scared me enough... I browsed the code and it has its things... even the comments in Sendmail.pm are not quite accurate... there are functions documented that don't exist anymore and other (public) not documented... Some of the "documented public" functions are not used outside Sendmail.pm... well. What I'll try to do is to create a zmq2smq and a smq2zmq to translate the queue file formats... Thankfully, I have good documentation on both queue formats (bat book chap 23 and http://zmailer.org/zman/zapp-filefmts.html). Since I couldn't easily find the queue format of Exim, I'll go for the sendmail translator. I won't have any locking problems with zmailer since its one-file approach gives me always a finished unlocked file and I can do likewise when I hand it to zmailer. I'll use flock file locking so I emulate sendmail and don't step over mailscanner. Regards, Mariano. On 8 Mar 2003 at 12:17, Nick Phillips wrote: > On Fri, Mar 07, 2003 at 06:52:13PM -0300, Mariano Absatz wrote: > > > Monday morning I'll start working hard on this, hopefully even coding. > > > > What I'd like to know in order to further understand the sources is what > > files you modified to make the sendmail->exim port. > > > > For what I can see: > > Sendmail.pm => Exim.pm > > SMDiskStore.pm => EximDiskStore.pm > > > > Are there other things you had to modify? > > Well, yes, because initially it wasn't designed to be used with different > MTAs. And now it's somewhat more generalised and abstracted, so it should > be fairly easy to port to another MTA with a 2-queuefile system. 
> > However, there are some areas in which the object-isation didn't go the > whole hog in the move from v3 to v4, and these need to be fixed to > completely abstract the queue-handling stuff out from the main code > before it will reasonably be feasible to support single-queuefile mailers. > > > I don't see any pod in the files... do you have any docs on the functions in > > mailscanner? > > Not really; there are comments at the top of the Exim/Sendmail-specific files > to tell you what's needed. > > There will need to be some fairly significant rearrangement before we can > handle MTAs with single queue-files, though. Or to do it nicely, at least. > > This is the main thing that stopped me doing Postfix a few months ago. > > I've given Julian a bunch of pointers to the things that need to be jiggled > with to put this right, but I don't know how he's getting on yet. > > Keep talking when you get into looking at it. Probably the best thing to do > initially (and what I did before) was to just come up with a file or three > that replace the current mailscanner stuff to make it work, and then to > integrate the necessary changes back into the main code when it's clear > what's needed. And we'll try to get the changes made to support it. > > > Cheers, -- Mariano Absatz El Baby ---------------------------------------------------------- I.R.S.: We've got what it takes to take what you've got! From splee at PLEXIO.COM Tue Mar 11 22:04:37 2003 
From: splee at PLEXIO.COM (Stephen Lee) Date: Thu Jan 12 21:17:28 2006 Subject: sophos 3.66 to 3.67, load jumps? In-Reply-To: <5.2.0.9.2.20030311162504.0359c1a0@imap.ecs.soton.ac.uk> References: <5.2.0.9.2.20030311162504.0359c1a0@imap.ecs.soton.ac.uk> Message-ID: <1047420277.13484.58.camel@ralph.plexio.private> On Tue, 2003-03-11 at 08:27, Julian Field wrote: > At 16:19 11/03/2003, you wrote: > >On Tuesday 11 March 2003 4:08 pm, Jeff A. Earickson wrote: > > > Hi, > > > > > > I upgraded from sophos 3.66 to 3.67 yesterday and since then, I've > > > noticed that my load on my mail server has been much higher than > > > before. Anybody else notice this? I've dropped the Max Children > > > setting from 4 to 2 on my system (Sun E220R, 2 CPUs, Sol 8) and that > > > reduced the load. I wonder what changed in Sophos to make such a > > > difference? > > I think it is to do with the way in which sophos now packages its > > virus > >definition files - the scan time for one message has gone from 1 second to > >seven seconds on my (very small) mail hub. > > If I was being really cynical, I might think they were intentionally > nobbling systems which use their command-line scanner, encouraging people > to use their over-priced mailmonitor package instead. > > Of course all that will really happen is that they lose customers to their > competitors... I don't appear to have this problem: Mar 11 11:29:52 mail MailScanner[9973]: New Batch: Found 5 messages waiting Mar 11 11:29:52 mail MailScanner[9973]: New Batch: Scanning 1 messages, 2921 bytes Mar 11 11:29:52 mail MailScanner[9973]: Spam Checks: Starting Mar 11 11:29:54 mail MailScanner[9973]: Virus and Content Scanning: Starting Mar 11 11:29:56 mail MailScanner[9973]: Uninfected: Delivered 1 messages I'm using MS 4.13-3, Sophos 3.67. I believe Julian already fixed the harmless batch count bug so only 1 message was scanned, not 5. Stephen From nerijus at USERS.SOURCEFORGE.NET Tue Mar 11 22:06:10 2003 
From: nerijus at USERS.SOURCEFORGE.NET (Nerijus Baliunas) Date: Thu Jan 12 21:17:28 2006 Subject: 'service MailScanner stop' doesn't stop MailScanner the 1st time Message-ID: <200303112206.h2BM6Fe05211@ori.rl.ac.uk> Hello, I noticed this on 2 machines (RH 7.2 and 7.3): # ps axw|grep -i mail 22138 ? S 0:06 sendmail: accepting connections 22143 ? S 0:01 /usr/sbin/sendmail -q15m 22153 ? S 0:01 /usr/bin/perl -I/usr/lib/MailScanner /usr/sbin/MailScanner /etc/MailScanner/MailScanner.conf 15702 ? S 0:01 /usr/bin/perl -I/usr/lib/MailScanner /usr/sbin/MailScanner /etc/MailScanner/MailScanner.conf 15963 ? S 0:00 /usr/bin/perl -I/usr/lib/MailScanner /usr/sbin/MailScanner /etc/MailScanner/MailScanner.conf # service MailScanner stop Shutting down MailScanner daemons: MailScanner: [ OK ] incoming sendmail: [ OK ] outgoing sendmail: [ OK ] # ps axw|grep -i mail 22153 ? D 0:01 /usr/bin/perl -I/usr/lib/MailScanner /usr/sbin/MailScanner /etc/MailScanner/MailScanner.conf 15702 ? D 0:01 /usr/bin/perl -I/usr/lib/MailScanner /usr/sbin/MailScanner /etc/MailScanner/MailScanner.conf 15963 ? D 0:00 /usr/bin/perl -I/usr/lib/MailScanner /usr/sbin/MailScanner /etc/MailScanner/MailScanner.conf # service MailScanner stop Shutting down MailScanner daemons: MailScanner: [ OK ] incoming sendmail: [FAILED] outgoing sendmail: [FAILED] # ps axw|grep -i mail Only the 2nd 'service MailScanner stop' killed MailScanner processes. Why? Had I to wait a little more time (the processes were in D state)? Regards, Nerijus From mailscanner at lists.com.ar Tue Mar 11 22:13:44 2003 
From: mailscanner at lists.com.ar (Mariano Absatz) Date: Thu Jan 12 21:17:28 2006 Subject: zmq2smq Message-ID: <3E6E3568.6954.822963F7@localhost> Hi, I see you originally read the qf in Sendmail::ReadQf, for what I see here, you process the following fields: R S $_ H Do you process or generate any other kind of qf field? or by just translating these and choosing an unused letter to hide the rest would do? Take into account that there won't be any real sendmail around... Other thing, the sendmail entry (in the config) is only used to deliver "new" messages, right? (bounces, warnings, disinfected) I see you use sendmail2 to deliver a bunch of messages... you do this when you already put them in the output queue? That is, my "sendmail2" should be smq2zmq, right? The original qf is not modified further than messing with the R and H lines, is it? Quickie sendmail one... the df does NOT include the header lines, does it? Sorry for the lack of order/logic... I'm browsing the code as I write this :-) Will continue tomorrow, maybe start coding? regards, -- Mariano Absatz El Baby ---------------------------------------------------------- I've never met a human being who would want to read 17,000 pages of documentation, and if there was, I'd kill him to get him out of the gene pool. -- Joseph Costello, President of Cadence From nerijus at USERS.SOURCEFORGE.NET Wed Mar 12 00:23:29 2003 
From: nerijus at USERS.SOURCEFORGE.NET (Nerijus Baliunas) Date: Thu Jan 12 21:17:28 2006 Subject: Kaspersky DaemonClient Message-ID: <200303120023.h2C0NZe18238@ori.rl.ac.uk> Hello Julian, It seems kaspersky daemon client support isn't functional (with newest kavdaemon only?) - I see in kavdaemon log: Query for the tests: <0>Mar 11 23:58:33:. Directory . wasn't included in enabled paths. I asked Kaspersky support, and they answered: AvpDaemonClient can not use relevant path, only absolute, due to kavdaemon can use absolute path only in it's internal work for some security reasons. Is it possible to launch virus scanning script(s) with full path? Regards, Nerijus From smohan at vsnl.com Wed Mar 12 02:27:06 2003 From: smohan at vsnl.com (S Mohan) Date: Thu Jan 12 21:17:28 2006 Subject: accumulation of files in /var/spool/mqueue.in In-Reply-To: Message-ID: <002201c2e83e$e29cd2e0$ab6041db@18yamuna> I chose 6 days as beyond that, as per standard setting, sendmail would not deliver anyway. Thus residual files have to be broken. This is assuming MailScanner would probably not have as big a backlog as 5 days. Julian: Is it reasonable to assume that MailScanner picks up the oldest files for processing first? Is there any way of extracting average wait time in mqueue.in so that we can increase number of children if need be and see if it makes a difference else increase Ram/ CPU Power? Mohan -----Original Message----- 
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Craig Pratt Sent: Tuesday, March 11, 2003 8:17 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: accumulation of files in /var/spool/mqueue.in Thanks for the tip. I've been seeing these queue files occasionally as well. Most recently, when I updated the sendmail access.db without restarting sendmail/MailScanner. This seemed to cause sendmail to die during SMTP connections - presumably due to the fact that sendmail's cached file state didn't match the actual file. What I'm wondering, though, is it safe to delete the files in mqueue.in with sendmail/MailScanner running? [sounds like a potential FAQ, as well] Craig On Monday, March 10, 2003, at 05:39 PM, S Mohan wrote: > I had the same stuff. I looked up a few files and associated mail log. > These were remnants of broken SMTP conversations. In order to clear > these automatically, I created a daily cron job as under. > > find /var/spool/mqueue.in -mtime +6|xargs rm -f > > I gave 6 days as sendmail will anyway abort after 5 days delivery. > Thus files older than that anyway would be broken files. > > Mohan > > -----Original Message----- > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On > Behalf Of David Closson > Sent: Tuesday, March 11, 2003 1:27 AM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: accumulation of files in /var/spool/mqueue.in > > > OK, I figured as much. Thank you for the rapid response. > > We are processing about 350,000 emails a day (heavier day) with > MailScanner and Spamassassin. This figure is combined in and out for > all of our users. > > > _________ > Sincerely, > David Closson > 209-736-0111 
> > > > > >> From: Julian Field >> Reply-To: MailScanner mailing list >> To: MAILSCANNER@JISCMAIL.AC.UK >> Subject: Re: accumulation of files in /var/spool/mqueue.in >> Date: Mon, 10 Mar 2003 19:27:44 +0000 >> 
>> At 19:12 10/03/2003, you wrote: >>> Greetings, >>> >>> Using RH 7.3 >>> Using Sendmail 8.11-6 >>> MailScanner 4.13-3 >>> Using McAfee AV >>> >>> I have been happily using MailScanner for almost a year now and have >>> had to remove the accumulation of files in /var/spool/mqueue.in >>> after a month or so. >>> >>> I am not sure if these are messages already delivered and were not >>> removed or ? >>> >>> I have had no reports of missing email. >> >> If they are stray files that aren't part of a matching qf / df pair, >> then you can safely delete them. If an SMTP session into your server >> gets interrupted for some reason, a stray file will be left behind. >> The > >> server at the far end of the session knows that its message >> transmission got interrupted and will retry anyway. SMTP is designed >> pretty carefully to ensure things don't get lost in transit. >> -- >> Julian Field >> www.MailScanner.info >> Professional Support Services at www.MailScanner.biz MailScanner >> thanks > >> transtec Computers for their support > > > _________________________________________________________________ > Add photos to your e-mail with MSN 8. Get 2 months FREE*. > http://join.msn.com/?page=features/featuredemail > > -- > This message checked for dangerous content by MailScanner on > StrongBox. > -- This message checked for dangerous content by MailScanner on StrongBox. From nightowl at NIGHTOWLS.NET Wed Mar 12 04:25:15 2003 
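The mqueue.in thread above gives two separate rules: only files that are not part of a matching qf/df pair are safe to delete, and only once they are older than the window used in the posted cron job. The script below combines both checks; it is an added example, not part of any list message or of MailScanner, and the function names and the reuse of the 6-day figure as a default are assumptions.

```shell
#!/bin/sh
# Added example: report, and optionally remove, stray sendmail queue files.
#
# A file is treated as stray only when BOTH conditions hold:
#   1. it is a qf* or df* file whose partner (df*/qf* with the same queue ID)
#      does not exist in the same directory, and
#   2. it is more than DAYS days old (default 6, the figure from the thread),
#      so an unpaired file that is only minutes old, which may belong to a
#      message still being received, is left alone.

# list_stray_queue_files DIR [DAYS]
# Prints one path per line, sorted, for every old unpaired qf/df file in DIR.
list_stray_queue_files() {
    qdir=$1
    days=${2:-6}
    find "$qdir" -maxdepth 1 -type f \( -name 'qf*' -o -name 'df*' \) \
         -mtime +"$days" |
    while IFS= read -r path; do
        name=${path##*/}      # file name without the directory
        id=${name#??}         # queue ID: the name minus the qf/df prefix
        case $name in
            qf*) partner="$qdir/df$id" ;;
            df*) partner="$qdir/qf$id" ;;
        esac
        # Complete pairs are real queued messages and are never reported.
        [ -e "$partner" ] || printf '%s\n' "$path"
    done | LC_ALL=C sort
}

# purge_stray_queue_files DIR [DAYS]
# Removes exactly the files that list_stray_queue_files would print.
purge_stray_queue_files() {
    list_stray_queue_files "$@" |
    while IFS= read -r stray; do
        rm -f -- "$stray"
    done
}

# Stand-alone use: "sh stray-queue.sh /var/spool/mqueue.in 6" only lists.
# Deleting is a separate, deliberate call to purge_stray_queue_files.
if [ "$#" -gt 0 ]; then
    list_stray_queue_files "$@"
fi
```

Run the listing form from cron first and review its output for a few days before switching the job to the purge function.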
From: nightowl at NIGHTOWLS.NET (Joseph Dobransky) Date: Thu Jan 12 21:17:28 2006 Subject: MS and SA Message-ID: <001e01c2e84f$61ad1a30$4ad34918@hawaii> Mail-SpamAssassin-2.50, and MS Version 4.13-3 I say yes to using spamassassin to scan for spam, it just dumps my mail into the mqueue.in folder, and leaves it there. I say no, MS works just great. Ideas? **************************** Joseph Dobransky http://www.nightowlswebspace.com aim: skeeter1jd icq: 21228143 --- Outgoing mail is certified Virus Free. Checked by AVG anti-virus system (http://www.grisoft.com). Version: 6.0.459 / Virus Database: 258 - Release Date: 2/25/2003 From P.G.M.Peters at civ.utwente.nl Wed Mar 12 07:44:43 2003 From: P.G.M.Peters at civ.utwente.nl (Peter Peters) Date: Thu Jan 12 21:17:28 2006 Subject: 'service MailScanner stop' doesn't stop MailScanner the 1st time In-Reply-To: <200303112206.h2BM6Fe05211@ori.rl.ac.uk> References: <200303112206.h2BM6Fe05211@ori.rl.ac.uk> Message-ID: On Wed, 12 Mar 2003 00:06:10 +0200, you wrote: >Only the 2nd 'service MailScanner stop' killed MailScanner processes. Why? >Had I to wait a little more time (the processes were in D state)? Yes. MS is cleaning remnants of the previous run before stopping. This was a problem with 'service MailScanner restart' because it started MS too soon. That is solved now by waiting a few seconds. -- Peter Peters, senior netwerkbeheerder Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE) Universiteit Twente, Postbus 217, 7500 AE Enschede telefoon: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/civ From peter at ISAB.SE Wed Mar 12 08:27:02 2003 
From: peter at ISAB.SE (Peter Dahlman) Date: Thu Jan 12 21:17:28 2006 Subject: I need to straighten out one of the basic-features of Antispam Message-ID: I've got this far: SpamAssassin marks all incoming spam with {spam?} The thing is, I don't wish to receive these mails; I want them to be sent to another "trash" account. I edited a line in /etc/MailScanner/MailScanner.conf Spam Actions = forward trash@myhost.com delete And restarted the service by /etc/rc.d/init.d/MailScanner restart But it's not forwarding any mail to the "trash" account and it is not deleting it from the origin account. What am I missing here? From steve at CGPSYSTEMS.COM Tue Mar 11 22:23:30 2003 
From: steve at CGPSYSTEMS.COM (Steve Barr) Date: Thu Jan 12 21:17:28 2006 Subject: sophos 3.66 to 3.67, load jumps? In-Reply-To: <1047420277.13484.58.camel@ralph.plexio.private> Message-ID: <071e01c2e81c$d83deae0$6e96a8c0@DELL> > > I don't appear to have this problem: > > Mar 11 11:29:52 mail MailScanner[9973]: New Batch: Found 5 > messages waiting Mar 11 11:29:52 mail MailScanner[9973]: New > Batch: Scanning 1 messages, 2921 bytes Mar 11 11:29:52 mail > MailScanner[9973]: Spam Checks: Starting Mar 11 11:29:54 mail > MailScanner[9973]: Virus and Content Scanning: Starting Mar > 11 11:29:56 mail MailScanner[9973]: Uninfected: Delivered 1 > messages I'm using MS 4.13-3, Sophos 3.67. I believe Julian > already fixed the harmless batch count bug so only 1 message > was scanned, not 5. I've been watching my logs, and I don't see much change with 3.67. Here's a snippet of the log from this afternoon... Mar 11 17:05:30 www MailScanner[32201]: New Batch: Found 4 messages waiting Mar 11 17:05:30 www MailScanner[32201]: New Batch: Scanning 1 messages, 2036 bytes Mar 11 17:05:30 www MailScanner[32201]: Spam Checks: Starting Mar 11 17:05:30 www MailScanner[32201]: Virus and Content Scanning: Starting Mar 11 17:05:33 www MailScanner[32201]: Uninfected: Delivered 1 messages Debian Woody, MailScanner 4.12-2, and Sophos 3.67. The server is a Compaq DL360 P3-1.26, 512mb RAM. Steve -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. (MailScanner 4.11-1, 3.66) From john at OFIZ.COM Wed Mar 12 10:26:22 2003 
From: john at OFIZ.COM (John Thewlis) Date: Thu Jan 12 21:17:28 2006 Subject: Cobalt RaQ4r MailScanner Queries In-Reply-To: <057701c2e809$b0c3d910$5d876751@T20> Message-ID: Hi I am finalising the install of MailScanner and SpamAssassin on a Cobalt RaQ4r, and need some advice from anyone who has done these installs on a Cobalt RaQ4 box. Any help would be much appreciated. 1 Has anyone installed any other virus scanner other than f-prot, e.g. Sophos, and if so do you have an install guide or Cobalt specific gotchas that I need to be aware of to add these additional virus scanners? 2 Has anyone added any additional blacklists to improve the accuracy of Spam identification, as lots of Spam is still getting through our box with the spam setting at 5? 3 Has anyone installed MailScanner-MRTG for monitoring the MailScanner on a Cobalt RaQ4, and if so, in what directory did you install it, and what changes did you need to make to any other system files to get it working? Again, many thanks for any help you might be able to offer. John John Thewlis From mailscanner at ecs.soton.ac.uk Wed Mar 12 11:30:59 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:28 2006 Subject: MS and SA In-Reply-To: <001e01c2e84f$61ad1a30$4ad34918@hawaii> Message-ID: <5.2.0.9.2.20030312113032.02270c48@imap.ecs.soton.ac.uk> At 04:25 12/03/2003, you wrote: >Mail-SpamAssassin-2.50, and MS Version 4.13-3 > >I say yes to using spamassassin to scan for spam, it just dumps my mail >into the mqueue.in folder, and leaves it there. I say no, MS works just >great. Ideas? Have you seen the News item on the website about SpamAssassin 2.50? > > >**************************** > > > >Joseph Dobransky >http://www.nightowlswebspace.com >aim: skeeter1jd >icq: 21228143 > > > >--- >Outgoing mail is certified Virus Free. >Checked by AVG anti-virus system (http://www.grisoft.com). >Version: 6.0.459 / Virus Database: 258 - Release Date: 2/25/2003 -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Wed Mar 12 11:25:29 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:28 2006 Subject: 'service MailScanner stop' doesn't stop MailScanner the 1st time In-Reply-To: <200303112206.h2BM6Fe05211@ori.rl.ac.uk> Message-ID: <5.2.0.9.2.20030312112438.022e23a8@imap.ecs.soton.ac.uk> At 22:06 11/03/2003, you wrote: >Hello, > >I noticed this on 2 machines (RH 7.2 and 7.3): > ># ps axw|grep -i mail >22138 ? S 0:06 sendmail: accepting connections >22143 ? S 0:01 /usr/sbin/sendmail -q15m >22153 ? S 0:01 /usr/bin/perl -I/usr/lib/MailScanner >/usr/sbin/MailScanner /etc/MailScanner/MailScanner.conf >15702 ? S 0:01 /usr/bin/perl -I/usr/lib/MailScanner >/usr/sbin/MailScanner /etc/MailScanner/MailScanner.conf >15963 ? S 0:00 /usr/bin/perl -I/usr/lib/MailScanner >/usr/sbin/MailScanner /etc/MailScanner/MailScanner.conf ># service MailScanner stop >Shutting down MailScanner daemons: > MailScanner: [ OK ] > incoming sendmail: [ OK ] > outgoing sendmail: [ OK ] ># ps axw|grep -i mail >22153 ? D 0:01 /usr/bin/perl -I/usr/lib/MailScanner >/usr/sbin/MailScanner /etc/MailScanner/MailScanner.conf >15702 ? D 0:01 /usr/bin/perl -I/usr/lib/MailScanner >/usr/sbin/MailScanner /etc/MailScanner/MailScanner.conf >15963 ? D 0:00 /usr/bin/perl -I/usr/lib/MailScanner >/usr/sbin/MailScanner /etc/MailScanner/MailScanner.conf ># service MailScanner stop >Shutting down MailScanner daemons: > MailScanner: [ OK ] > incoming sendmail: [FAILED] > outgoing sendmail: [FAILED] ># ps axw|grep -i mail > > >Only the 2nd 'service MailScanner stop' killed MailScanner processes. Why? >Had I to wait a little more time (the processes were in D state)? Yes. Give it some time to do the job, it is trying to be very nice to you and is cleaning up all the temporary directories it will have created. After doing the "stop", wait 10 seconds or so before the "ps". 
-- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Wed Mar 12 11:32:16 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:28 2006 Subject: I need to straighten out one of the basic-features of Antispam In-Reply-To: Message-ID: <5.2.0.9.2.20030312113156.02254750@imap.ecs.soton.ac.uk> Because you haven't set the "High Scoring Spam Actions" perhaps? At 08:27 12/03/2003, you wrote: >I've got this far: >Spamassassin marks all incoming spam with {spam?} > >The thing is, I don't wish to receive these mails; I want them to be sent to >another "trash" account. > >I edited a line in /etc/MailScanner/MailScanner.conf >Spam Actions = forward trash@myhost.com delete > >And restarted the service by /etc/rc.d/init.d/MailScanner restart > >But it's not forwarding any mail to the "trash" account and it is not >deleting it from the origin account. > >What am I missing here? -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Wed Mar 12 11:30:00 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:28 2006 Subject: accumulation of files in /var/spool/mqueue.in In-Reply-To: <002201c2e83e$e29cd2e0$ab6041db@18yamuna> References: Message-ID: <5.2.0.9.2.20030312112912.022a2e50@imap.ecs.soton.ac.uk> At 02:27 12/03/2003, you wrote: >I chose 6 days as beyond that, as per standard setting, sendmail would >not deliver anyway. Thus residual files have to be broken. This is >assuming MailScanner would probably not have as big a backlog as 5 days. > >Julian: >Is it reasonable to assume that MailScanner picks up the oldest files >for processing first? Yes it does. It processes them in strict date order. >Is there any way of extracting average wait time in mqueue.in so that we >can increase number of children if need be and see if it makes a >difference else increase Ram/ CPU Power? I'll take a look. >Mohan >-----Original Message----- 
>From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On >Behalf Of Craig Pratt >Sent: Tuesday, March 11, 2003 8:17 AM >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Re: accumulation of files in /var/spool/mqueue.in > > >Thanks for the tip. I've been seeing these queue files occasionally as >well. > >Most recently, when I updated the sendmail access.db without restarting >sendmail/MailScanner. This seemed to cause sendmail to die during SMTP >connections - presumably due to the fact that sendmail's cached file >state didn't match the actual file. > >What I'm wondering, though, is it safe to delete the files in mqueue.in >with sendmail/MailScanner running? [sounds like a potential FAQ, as >well] > >Craig > >On Monday, March 10, 2003, at 05:39 PM, S Mohan wrote: > > I had the same stuff. I looked up a few files and associated mail log. > > > These were remnants of broken SMTP conversations. In order to clear > > these automatically, I created a daily cron job as under. > > > > find /var/spool/mqueue.in -mtime +6|xargs rm -f > > > > I gave 6 days as sendmail will anyway abort after 5 days delivery. > > Thus files older than that anyway would be broken files. > > > > Mohan > > > > -----Original Message----- > > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On > > Behalf Of David Closson > > Sent: Tuesday, March 11, 2003 1:27 AM > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: Re: accumulation of files in /var/spool/mqueue.in > > > > > > OK, I figured as much. Thank you for the rapid response. > > > > We are processing about 350,000 emails a day (heavier day) with > > MailScanner and Spamassassin. This figure is combined in and out for > > all of our users. > > > > > > _________ > > Sincerely, > > David Closson > > 209-736-0111 > > >
> > > > > > > > >> From: Julian Field > >> Reply-To: MailScanner mailing list > >> To: MAILSCANNER@JISCMAIL.AC.UK > >> Subject: Re: accumulation of files in /var/spool/mqueue.in > >> Date: Mon, 10 Mar 2003 19:27:44 +0000 > >> > >> At 19:12 10/03/2003, you wrote: > >>> Greetings, > >>> > >>> Using RH 7.3 > >>> Using Sendmail 8.11-6 > >>> MailScanner 4.13-3 > >>> Using McAfee AV > >>> > >>> I have been happily using MailScanner for almost a year now and have > > >>> had to remove the accumulation of files in /var/spool/mqueue.in > >>> after a month or so. > >>> > >>> I am not sure if these are messages already delivered and were not > >>> removed or ? > >>> > >>> I have had no reports of missing email. > >> > >> If they are stray files that aren't part of a matching qf / df pair, > >> then you can safely delete them. If an SMTP session into your server > >> gets interrupted for some reason, a stray file will be left behind. > >> The > > > >> server at the far end of the session knows that its message > >> transmission got interrupted and will retry anyway. SMTP is designed > >> pretty carefully to ensure things don't get lost in transit. > >> -- > >> Julian Field > >> www.MailScanner.info > >> Professional Support Services at www.MailScanner.biz MailScanner > >> thanks > > > >> transtec Computers for their support > > > > > > _________________________________________________________________ > > Add photos to your e-mail with MSN 8. Get 2 months FREE*. > > http://join.msn.com/?page=features/featuredemail > > > > -- > > This message checked for dangerous content by MailScanner on > > StrongBox. > > > > >-- >This message checked for dangerous content by MailScanner on StrongBox. -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support From nightowl at NIGHTOWLS.NET Wed Mar 12 11:42:23 2003
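An added example for the mqueue.in thread above (not code from the list or from MailScanner): a report-only alternative to the age-only cron job that lists just the queue files lacking a matching qf/df partner, which is the condition given in the thread for safe deletion. The function name is hypothetical, the 6-day default is taken from the quoted cron job, and the qf<id>/df<id> file naming is an assumption based on the "qf / df pair" wording.

```shell
#!/bin/sh
# Added example, not from the thread: report stray sendmail-style queue files.
# A file counts as stray when it is older than MIN_AGE_DAYS and its partner
# (qf<id> for df<id>, or df<id> for qf<id>) is missing from the same directory.
# Nothing is deleted; the output is meant to be reviewed first.

# list_stray_queue_files DIR [MIN_AGE_DAYS]
# Prints one path per line, sorted. Returns 2 if DIR is not a directory.
list_stray_queue_files() {
    dir=$1
    days=${2:-6}    # assumption: same 6-day threshold as the cron job in the thread

    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }

    # Only look at qf*/df* files directly inside the queue directory.
    find "$dir" -maxdepth 1 -type f \( -name 'qf*' -o -name 'df*' \) -mtime "+$days" |
    sort |
    while IFS= read -r path; do
        name=${path##*/}      # file name without the directory
        id=${name#??}         # queue id: the name minus its two-letter prefix
        case $name in
            qf*) partner="$dir/df$id" ;;
            df*) partner="$dir/qf$id" ;;
        esac
        # Complete pairs are real queued mail and are never reported.
        [ -e "$partner" ] || printf '%s\n' "$path"
    done
}

# When run as a script with arguments, print the report for that directory.
if [ "$#" -ge 1 ]; then
    list_stray_queue_files "$@"
fi
```

Compared with deleting everything older than six days, this leaves complete qf/df pairs alone regardless of age, so a backlog of real mail is never touched.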
From: nightowl at NIGHTOWLS.NET (Joseph Dobransky) Date: Thu Jan 12 21:17:28 2006 Subject: MS and SA In-Reply-To: <5.2.0.9.2.20030312113032.02270c48@imap.ecs.soton.ac.uk> Message-ID: <000901c2e88c$72ab9c70$4ad34918@hawaii> kk. Considered beta, but it should at least attempt to work. One would think anyway... **************************** Joseph Dobransky http://www.nightowlswebspace.com aim: skeeter1jd icq: 21228143 -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Julian Field Sent: Wednesday, March 12, 2003 6:31 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: MS and SA At 04:25 12/03/2003, you wrote: >Mail-SpamAssassin-2.50, and MS Version 4.13-3 > >I say yes to using spamassassin to scan for spam, it just dumps my mail >into the mqueue.in folder, and leaves it there. I say no, MS works just >great. Ideas? Have you seen the News item on the website about SpamAssassin 2.50? > > >**************************** > > > >Joseph Dobransky >http://www.nightowlswebspace.com >aim: skeeter1jd >icq: 21228143 > > > >--- >Outgoing mail is certified Virus Free. >Checked by AVG anti-virus system (http://www.grisoft.com). >Version: 6.0.459 / Virus Database: 258 - Release Date: 2/25/2003 -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support --- Incoming mail is certified Virus Free. Checked by AVG anti-virus system (http://www.grisoft.com). Version: 6.0.459 / Virus Database: 258 - Release Date: 2/25/2003 --- Outgoing mail is certified Virus Free. Checked by AVG anti-virus system (http://www.grisoft.com). Version: 6.0.459 / Virus Database: 258 - Release Date: 2/25/2003 From R.A.Gardener at SHU.AC.UK Wed Mar 12 15:00:09 2003 
From: R.A.Gardener at SHU.AC.UK (Ray Gardener) Date: Thu Jan 12 21:17:28 2006 Subject: multi part volume (sophos) errors - best way of handling Message-ID: <010801c2e8a8$1b990c80$5a14348f@videoproducer> Hi, sophos (not reasonably) complains that it is unable to handle multi part zip files and reports them as corrupt. e.g. ____________________________________________________________________________ Sender: <> IP Address: 212.78.202.106.49920 Recipient: a.student@student.shu.ac.uk Subject: Undelivered Mail Returned to Sender MessageID: 18t6j9-00067B-00 Report: Could not check ./18t6j9-00067B-00/Implementation 12March.zip/Implementation/SCM 2/SCM/Debug/vc60.idb (part of multi volume archive) Could not check ./18t6j9-00067B-00/Implementation 12March.zip (corrupt) ____________________________________________________________________________ I know that in the latest version of mailscanner you can specify that such errors be ignored using Allowed Sophos Error Messages = corrupt (even though you are warned of the dangers of doing this). Just to clarify - would Allowed Sophos Error Messages = part of multi volume archive also work in allowing through mail with similar errors to the one above? 2) In the case of multi part volumes would mailscanner adding an opening warning attachment telling the users that this hasn't been scanned properly be sensible or feasible to implement? Regards _________________________________________________ Ray Gardener CIS Sheffield Hallam University Howard Street Sheffield UK S1 1WB (44) 0114 225 4926 From mailscanner at ecs.soton.ac.uk Wed Mar 12 15:13:47 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:28 2006 Subject: multi part volume (sophos) errors - best way of handling In-Reply-To: <010801c2e8a8$1b990c80$5a14348f@videoproducer> Message-ID: <5.2.0.9.2.20030312151311.04205f68@imap.ecs.soton.ac.uk> At 15:00 12/03/2003, you wrote: >sophos (not reasonably) complains that it is unable to handle multi part zip >files and reports them as corrupt. > > I know that in the latest version of mailscanner you can specify that >such errors be ignored using > >Allowed Sophos Error Messages = corrupt > >Just to clarify - would >Allowed Sophos Error Messages = part of multi volume archive >also work in allowing through mail with similar errors to the one above? Yes, should do. >2) In the case of multi part volumes would mailscanner adding an opening >warning attachment telling the users that this hasn't been scanned properly >be sensible or feasible to implement? Not very easy I'm afraid. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From mike at TECHINTER.COM Wed Mar 12 17:48:26 2003
From: mike at TECHINTER.COM (Mike Williams) Date: Thu Jan 12 21:17:28 2006 Subject: Per User Blacklist and white lists In-Reply-To: <5.2.0.9.2.20030311202337.027f2e90@imap.ecs.soton.ac.uk> Message-ID: Ok, I enabled the bydomainblacklist and bydomainwhitelist in the MailScanner.conf with Is Definitely Not Spam = &ByDomainSpamWhitelist Is Definitely Spam = &ByDomainSpamBlacklist The directories are set to /etc/MailScanner/rules/whitelist and /etc/MailScanner/rules/blacklist. I have a file in blacklist folder named user@domain.com (actual file name is different but same format). In the file user@domain.com I have listed several blacklist items, one is an email account that I have on aol.com. The aol email address doesn't appear in any whitelist. However, when I send email to user@domain.com from the AOL account that is on the blacklist it goes through without even being marked as spam. There are no errors when starting mailscanner and in the logs it says that it read blacklist for 1 domain. I must be missing something but I haven't a clue. Mike -----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Julian Field Sent: Tuesday, March 11, 2003 2:24 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Per User Blacklist and white lists At 19:50 11/03/2003, you wrote: >Julian, > >Thanks for the info. I'm looking at the code and the example is for >bydomain. I'm not sure but it looks like I can have the white and black >list by either domain.com or by user@domain.com. Yes you can. You can even give it IP addresses if I remember rightly. > The reason I am asking is >that each user will need to be able to specify their own black and white >list. This makes it possible that one user would wish to block email from a >user@spam.com and another user to whitelist or not block a user@spam.com. >So if I use a filename of user1@domain.com and user2@domain.com does this in >fact make the whitelist and blacklist unique for each user even if they are >in the same domain? > >Mike > >-----Original Message----- >From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On >Behalf Of Julian Field >Sent: Tuesday, March 11, 2003 12:44 PM >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Re: Per User Blacklist and white lists > > >Take a look in the CustomConfig.pm file in recent distributions. This >feature is an example of what you can do with "Custom Functions". You will >probably need to change the directories it reads the black/whitelists from, >but otherwise it will just work. The code briefly explains what should go >in the various config files. > >At 18:35 11/03/2003, you wrote: > >Is it possible to have a per user blacklist and whitelist? Example in the > >whitelist file: > > > >To: user-1@domain.com >/etc/MailScanner/rules/whitelist/user-1-domain.com > >To: user-2@domain.com >/etc/MailScanner/rules/whitelist/user-2-domain.com > >FromTo: Default no > > > > > >user-1-domain.com > > > >From: friend@domain.com yes > >From: friend1@domain.com yes 
> >From: default no > > > >and so on? > > > >Mike > >-- >Julian Field >www.MailScanner.info >Professional Support Services at www.MailScanner.biz >MailScanner thanks transtec Computers for their support -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support From Peter.Bates at LSHTM.AC.UK Wed Mar 12 17:54:23 2003 From: Peter.Bates at LSHTM.AC.UK (Peter Bates) Date: Thu Jan 12 21:17:28 2006 Subject: Logging 'subject' field of detected Spam? Message-ID: Hello all... I haven't looked at the code yet, but was wondering how tricky this would be to implement... Now and again I try to add variations of 'known' spam 'Subjects' (and some body content) to my MTA configuration to block it... Is it possible to add logging of 'Subject' to the line: Mar 12 17:25:06 hancock MailScanner[30443]: Message B1F1C15600B from 193.63.251.18 (anstpbat@icecube.lshtm.ac.uk) to lshtm.ac.uk is spam, SpamAssassin (score=13.5, required 8, DATE_IN_PAST_12_24, DCC_CHECK, DRASTIC_REDUCED, HOME_EMPLOYMENT, INVALID_DATE, INVALID_MSGID, NO_REAL_NAME, ONCE_IN_LIFETIME, RAZOR2_CHECK, RCVD _IN_OSIRUSOFT_COM, REMOVE_SUBJ, UNDISC_RECIPS) ... or as an additional line after that? ... ---------------------------------------------------------------------------------------------------> Peter Bates, Systems Support Officer, Network Support Team. London School of Hygiene & Tropical Medicine. Telephone:0207-958 8353 / Fax: 0207- 636 9838 From mailscanner at ecs.soton.ac.uk Wed Mar 12 18:22:36 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:28 2006 Subject: Logging 'subject' field of detected Spam? In-Reply-To: Message-ID: <5.2.0.9.2.20030312182059.02257ef8@imap.ecs.soton.ac.uk> Would this be used by other people as well? It would generate considerably more logging output. The code is in Message.pm around line 343, shouldn't be difficult to add but would require yet another configuration option "Log Spam Subject" to switch it on and off. At 17:54 12/03/2003, you wrote: >Hello all... > >I haven't looked at the code yet, but was wondering >how tricky this would be to implement... > >Now and again I try to add variations of 'known' spam 'Subjects' >(and some body content) to my MTA configuration to block it... > >Is it possible to add logging of 'Subject' to the line: > >Mar 12 17:25:06 hancock MailScanner[30443]: Message B1F1C15600B from >193.63.251.18 >(anstpbat@icecube.lshtm.ac.uk) to lshtm.ac.uk is spam, SpamAssassin >(score=13.5, required 8, >DATE_IN_PAST_12_24, DCC_CHECK, DRASTIC_REDUCED, HOME_EMPLOYMENT, > INVALID_DATE, INVALID_MSGID, NO_REAL_NAME, ONCE_IN_LIFETIME, > RAZOR2_CHECK, RCVD >_IN_OSIRUSOFT_COM, REMOVE_SUBJ, UNDISC_RECIPS) > >... or as an additional line after that? > >... > > > >---------------------------------------------------------------------------------------------------> >Peter Bates, Systems Support Officer, Network Support Team. >London School of Hygiene & Tropical Medicine. >Telephone:0207-958 8353 / Fax: 0207- 636 9838 -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Wed Mar 12 18:18:42 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:28 2006 Subject: Per User Blacklist and white lists In-Reply-To: References: <5.2.0.9.2.20030311202337.027f2e90@imap.ecs.soton.ac.uk> Message-ID: <5.2.0.9.2.20030312181023.0222e958@imap.ecs.soton.ac.uk> Looks like I never wrote the code to do the per-user lists, only per-domain lists. Try editing CustomConfig.pm and making "LookupByDomainList" look like this:

sub LookupByDomainList {
  my($message, $BlackWhite) = @_;

  return 0 unless $message; # Sanity check the input

  # Find the "from" address and the first "to" address
  my($from, $fromdomain, @todomain, $todomain, @to, $to, $ip);
  $from       = $message->{from};
  $fromdomain = $message->{fromdomain};
  @todomain   = @{$message->{todomain}};
  $todomain   = $todomain[0];
  @to         = @{$message->{to}};
  $to         = $to[0];
  $ip         = $message->{clientip};

  # It is in the list if either the exact address is listed,
  # or the domain is listed
  return 1 if $BlackWhite->{$to}{$from};
  return 1 if $BlackWhite->{$to}{$fromdomain};
  return 1 if $BlackWhite->{$to}{$ip};
  return 1 if $BlackWhite->{$todomain}{$from};
  return 1 if $BlackWhite->{$todomain}{$fromdomain};
  return 1 if $BlackWhite->{$todomain}{$ip};

  # It is not in the list
  return 0;
}

Please give this a try and let me know if it works, so I can include the code in the next release (due very shortly to fix long filename checking bug in 4.13). At 17:48 12/03/2003, you wrote: >Ok, I enabled the bydomainblacklist and bydomainwhitelist in the >MailScanner.conf with > >Is Definitely Not Spam = &ByDomainSpamWhitelist >Is Definitely Spam = &ByDomainSpamBlacklist > >The directories are set to /etc/MailScanner/rules/whitelist and >/etc/MailScanner/rules/blacklist. I have a file in blacklist folder named >user@domain.com (actual file name is different but same format). In the >file user@domain.com I have listed several blacklist items, one is an email >account that I have on aol.com. The aol email address doesn't appear in any >whitelist.
However, when I send email to user@domain.com from the AOL >account that is on the blacklist it goes through without even being marked >as spam. There are no errors when starting mailscanner and in the logs it >says that it read blacklist for 1 domain. I must be missing something but I >haven't a clue. > >Mike >-----Original Message----- >From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On >Behalf Of Julian Field >Sent: Tuesday, March 11, 2003 2:24 PM >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Re: Per User Blacklist and white lists > > >At 19:50 11/03/2003, you wrote: > >Julian, > > > >Thanks for the info. I'm looking at the code and the example is for > >bydomain. I'm not sure but it looks like I can have the white and black > >list by either domain.com or by user@domain.com. > >Yes you can. You can even give it IP addresses if I remember rightly. > > > The reason I am asking is > >that each user will need to be able to specify their own black and white > >list. This makes it possible that one user would wish to block email from >a > >user@spam.com and another user to whitelist or not block a user@spam.com. > >So if I use a filename of user1@domain.com and user2@domain.com does this >in > >fact make the whitelist and blacklist unique for each user even if they are > >in the same domain? > > > >Mike > > > >-----Original Message-----
> >From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > >Behalf Of Julian Field > >Sent: Tuesday, March 11, 2003 12:44 PM > >To: MAILSCANNER@JISCMAIL.AC.UK > >Subject: Re: Per User Blacklist and white lists > > > > > >Take a look in the CustomConfig.pm file in recent distributions. This > >feature is an example of what you can do with "Custom Functions". You will > >probably need to change the directories it reads the black/whitelists from, > >but otherwise it will just work. The code briefly explains what should go > >in the various config files. > > > >At 18:35 11/03/2003, you wrote: > > >Is it possible to have a per user blacklist and whitelist? Example in >the > > >whitelist file: > > > > > >To: user-1@domain.com > >/etc/MailScanner/rules/whitelist/user-1-domain.com > > >To: user-2@domain.com > >/etc/MailScanner/rules/whitelist/user-2-domain.com > > >FromTo: Default no > > > > > > > > >user-1-domain.com > > > > > >From: friend@domain.com yes > > >From: friend1@domain.com yes > > >From: default no > > > > > >and so on? > > > > > >Mike > > > >-- > >Julian Field > >www.MailScanner.info > >Professional Support Services at www.MailScanner.biz > >MailScanner thanks transtec Computers for their support > >-- >Julian Field >www.MailScanner.info >Professional Support Services at www.MailScanner.biz >MailScanner thanks transtec Computers for their support -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support From mike at TECHINTER.COM Wed Mar 12 19:47:00 2003 From: mike at TECHINTER.COM (Mike Williams) Date: Thu Jan 12 21:17:28 2006 Subject: Per User Blacklist and white lists In-Reply-To: <5.2.0.9.2.20030312181023.0222e958@imap.ecs.soton.ac.uk> Message-ID: Works like a charm. Thanks. BTW quick question is there a way to assign a spam score to blacklisted addresses so that it will activate the high score rule? Mike -----Original Message----- 
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Julian Field Sent: Wednesday, March 12, 2003 12:19 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Per User Blacklist and white lists Looks like I never wrote the code to do the per-user lists, only per-domain lists. Try editing CustomConfig.pm and making "LookupByDomainList" look like this:

sub LookupByDomainList {
  my($message, $BlackWhite) = @_;

  return 0 unless $message; # Sanity check the input

  # Find the "from" address and the first "to" address
  my($from, $fromdomain, @todomain, $todomain, @to, $to, $ip);
  $from       = $message->{from};
  $fromdomain = $message->{fromdomain};
  @todomain   = @{$message->{todomain}};
  $todomain   = $todomain[0];
  @to         = @{$message->{to}};
  $to         = $to[0];
  $ip         = $message->{clientip};

  # It is in the list if either the exact address is listed,
  # or the domain is listed
  return 1 if $BlackWhite->{$to}{$from};
  return 1 if $BlackWhite->{$to}{$fromdomain};
  return 1 if $BlackWhite->{$to}{$ip};
  return 1 if $BlackWhite->{$todomain}{$from};
  return 1 if $BlackWhite->{$todomain}{$fromdomain};
  return 1 if $BlackWhite->{$todomain}{$ip};

  # It is not in the list
  return 0;
}

Please give this a try and let me know if it works, so I can include the code in the next release (due very shortly to fix long filename checking bug in 4.13). At 17:48 12/03/2003, you wrote: >Ok, I enabled the bydomainblacklist and bydomainwhitelist in the >MailScanner.conf with > >Is Definitely Not Spam = &ByDomainSpamWhitelist >Is Definitely Spam = &ByDomainSpamBlacklist > >The directories are set to /etc/MailScanner/rules/whitelist and >/etc/MailScanner/rules/blacklist. I have a file in blacklist folder named >user@domain.com (actual file name is different but same format). In the >file user@domain.com I have listed several blacklist items, one is an email >account that I have on aol.com. The aol email address doesn't appear in any >whitelist.
However, when I send email to user@domain.com from the AOL >account that is on the blacklist it goes through without even being marked >as spam. There are no errors when starting mailscanner and in the logs it >says that it read blacklist for 1 domain. I must be missing something but I >haven't a clue. > >Mike >-----Original Message----- >From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On >Behalf Of Julian Field >Sent: Tuesday, March 11, 2003 2:24 PM >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Re: Per User Blacklist and white lists > > >At 19:50 11/03/2003, you wrote: > >Julian, > > > >Thanks for the info. I'm looking at the code and the example is for > >bydomain. I'm not sure but it looks like I can have the white and black > >list by either domain.com or by user@domain.com. > >Yes you can. You can even give it IP addresses if I remember rightly. > > > The reason I am asking is > >that each user will need to be able to specify their own black and white > >list. This makes it possible that one user would wish to block email from >a > >user@spam.com and another user to whitelist or not block a user@spam.com. > >So if I use a filename of user1@domain.com and user2@domain.com does this >in > >fact make the whitelist and blacklist unique for each user even if they are > >in the same domain? > > > >Mike > > > >-----Original Message-----
> >From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > >Behalf Of Julian Field > >Sent: Tuesday, March 11, 2003 12:44 PM > >To: MAILSCANNER@JISCMAIL.AC.UK > >Subject: Re: Per User Blacklist and white lists > > > > > >Take a look in the CustomConfig.pm file in recent distributions. This > >feature is an example of what you can do with "Custom Functions". You will > >probably need to change the directories it reads the black/whitelists from, > >but otherwise it will just work. The code briefly explains what should go > >in the various config files. > > > >At 18:35 11/03/2003, you wrote: > > >Is it possible to have a per user blacklist and whitelist? Example in >the > > >whitelist file: > > > > > >To: user-1@domain.com > >/etc/MailScanner/rules/whitelist/user-1-domain.com > > >To: user-2@domain.com > >/etc/MailScanner/rules/whitelist/user-2-domain.com > > >FromTo: Default no > > > > > > > > >user-1-domain.com > > > > > >From: friend@domain.com yes > > >From: friend1@domain.com yes > > >From: default no > > > > > >and so on? > > > > > >Mike > > > >-- > >Julian Field > >www.MailScanner.info > >Professional Support Services at www.MailScanner.biz > >MailScanner thanks transtec Computers for their support > >-- >Julian Field >www.MailScanner.info >Professional Support Services at www.MailScanner.biz >MailScanner thanks transtec Computers for their support -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support From james at PCXPERIENCE.COM Wed Mar 12 20:01:34 2003 
From: james at PCXPERIENCE.COM (James A. Pattie)
Date: Thu Jan 12 21:17:28 2006
Subject: Outlook and UUENCODED attachments
Message-ID: <3E6F921E.9050106@pcxperience.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I'm not 100% sure that this is a MailScanner issue but this issue only
started being reported after installing MailScanner.

I have a user that is sending file attachments (usually office
documents) from Outlook 97 and when they send these e-mails to other
internal users the other users get the e-mail but the attachment is
empty. When they send the e-mail to me (external using Mozilla mail) I
get the e-mail fine.

It appears that the originating mail client is encoding using UUENCODE
instead of MIME from the following headers:

X-Mailer: Microsoft Internet E-mail/MAPI - 8.0.0.4211
Encoding: 15 TEXT, 447 UUENCODE
X-MS-Attachment: Doc1.doc 0 00-00-1980 00:00

MailScanner is generating the following body content:

The following is a multipart MIME message which was extracted
from a uuencoded message.

- ------------=_1047489992-23715-0

The message then follows the boundary and goes on.

The internal users, also using Outlook 97, are getting the message and
when they forward it to me the file attachment looks like this:

- ------ =_NextPart_000_01C2E88B.02DAFF40
Content-Type: application/msword; name="Doc1.doc"
Content-Transfer-Encoding: base64


- ------ =_NextPart_000_01C2E88B.02DAFF40--

When the user sends me the same attachment, I get the following:

- ------------=_1047489992-23715-0
Content-Type: application/octet-stream; name="Doc1.doc"; x-unix-mode="0600"
Content-Disposition: inline; filename="Doc1.doc"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-Mailer: MIME-tools 5.411 (Entity 5.404)



- ------------=_1047489992-23715-0--


The originating site is using MailScanner 4.12-2 and I'm using
MailScanner 4.13-3.


If needed I can send the sanitised e-mails for inspection.

- --
James A. Pattie
james@pcxperience.com

Linux -- SysAdmin / Programmer
Xperience, Inc.
http://www.pcxperience.com/
http://www.xperienceinc.com/

GPG Key Available at http://www.pcxperience.com/gpgkeys/james.html
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQE+b5IetUXjwPIRLVERAsDaAKC+PZ/17DELSu0Cl2vKcwRlw7Z1owCcDKKR
+h+wqbo4UR8b0w9UAK8qhXc=
=RBi3
-----END PGP SIGNATURE-----


--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From mailscanner at ecs.soton.ac.uk Wed Mar 12 20:18:53 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:28 2006
Subject: Per User Blacklist and white lists
In-Reply-To:
References: <5.2.0.9.2.20030312181023.0222e958@imap.ecs.soton.ac.uk>
Message-ID: <5.2.0.9.2.20030312200952.025e7890@imap.ecs.soton.ac.uk>

At 19:47 12/03/2003, you wrote:
>Works like a charm. Thanks.

Great. It will be in the next release.

> BTW quick question is there a way to assign a
>spam score to blacklisted addresses so that it will activate the high score
>rule?

Not currently, no. But try this:

1) In the blacklisting lookup code, change the code to say this:

sub ByDomainSpamBlacklist {
  my($message) = @_;
  my($value);
  $value = LookupByDomainList($message, \%Blacklist);
  $message->{sascore} = 10 if $value;
  return $value;
}

(if you want blacklisting to score 10)

Then edit Message.pm and change line 370 from
  $this->{sascore} = $sascore; # Save the actual figure for use later...
to
  $this->{sascore} += $sascore; # Save the actual figure for use later...

Give this a try and let me know how you get on.

>-----Original Message-----
>From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On
>Behalf Of Julian Field
>Sent: Wednesday, March 12, 2003 12:19 PM
>To: MAILSCANNER@JISCMAIL.AC.UK
>Subject: Re: Per User Blacklist and white lists
>
>
>Looks like I never wrote the code to do the per-user lists, only per-domain
>lists.
>
>Try editing CustomConfig.pm and making "LookupByDomainList" look like this:
>
>sub LookupByDomainList {
>  my($message, $BlackWhite) = @_;
>
>  return 0 unless $message; # Sanity check the input
>
>  # Find the "from" address and the first "to" address
>  my($from, $fromdomain, @todomain, $todomain, @to, $to, $ip);
>  $from = $message->{from};
>  $fromdomain = $message->{fromdomain};
>  @todomain = @{$message->{todomain}};
>  $todomain = $todomain[0];
>  @to = @{$message->{to}};
>  $to = $to[0];
>  $ip = $message->{clientip};
>
>  # It is in the list if either the exact address is listed,
>  # or the domain is listed
>  return 1 if $BlackWhite->{$to}{$from};
>  return 1 if $BlackWhite->{$to}{$fromdomain};
>  return 1 if $BlackWhite->{$to}{$ip};
>  return 1 if $BlackWhite->{$todomain}{$from};
>  return 1 if $BlackWhite->{$todomain}{$fromdomain};
>  return 1 if $BlackWhite->{$todomain}{$ip};
>
>  # It is not in the list
>  return 0;
>}
>
>Please give this a try and let me know if it works, so I can include the
>code in the next release (due very shortly to fix long filename checking
>bug in 4.13).
>
>At 17:48 12/03/2003, you wrote:
> >Ok, I enabled the bydoaminblacklist and bydoaminwhitelist in the
> >MailScanner.conf with
> >
> >Is Definitely Not Spam = &ByDomainSpamWhitelist
> >Is Definitely Spam = &ByDomainSpamBlacklist
> >
> >The directorys are set to /etc/MailScanner/rules/whitelist and
> >/etc/MailScanner/rules/blacklist. I have a file in blacklist folder named
> >user@domain.com (actual file name is different but same format). In the
> >file user@domain.com I have listed several blacklist items, one is an email
> >account that I have on aol.com. The aol email address doesn't appear in any
> >whitelist. However, when I send email to user@domain.com from the AOL
> >account that is on the blacklist it goes through without even being marked
> >as spam. There are no errors when starting mailscanner and in the logs is
> >says that it read blacklist for 1 domain. I must be missing something but I
> >haven't a clue.
> >
> >Mike
> >-----Original Message-----
> >From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On
> >Behalf Of Julian Field
> >Sent: Tuesday, March 11, 2003 2:24 PM
> >To: MAILSCANNER@JISCMAIL.AC.UK
> >Subject: Re: Per User Blacklist and white lists
> >
> >
> >At 19:50 11/03/2003, you wrote:
> > >Julian,
> > >
> > >Thanks for the info. I'm looking at the code and the example is for
> > >bydomain. I'm not sure but it looks like I can have the white and black
> > >list by either domain.com or by user@domain.com.
> >
> >Yes you can. You can even give it IP addresses if I remember rightly.
> >
> > > The reason I am asking is
> > >that each user will need to be able to specify their own black and white
> > >list. This makes it possible that one user would wish to block email from a
> > >user@spam.com and another user to whitelist or not block a user@spam.com.
> > >So if I use a filename of user1@domain.com and user2@domain.com does this in
> > >fact make the whitelist and blacklist unique for each user even if they are
> > >in the same domain?
> > >
> > >Mike
> > >
> > >-----Original Message-----
> > >From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On
> > >Behalf Of Julian Field
> > >Sent: Tuesday, March 11, 2003 12:44 PM
> > >To: MAILSCANNER@JISCMAIL.AC.UK
> > >Subject: Re: Per User Blacklist and white lists
> > >
> > >
> > >Take a look in the CustomConfig.pm file in recent distributions. This
> > >feature is an example of what you can do with "Custom Functions". You will
> > >probably need to change the directories it reads the black/whitelists from,
> > >but otherwise it will just work. The code briefly explains what should go
> > >in the various config files.
> > >
> > >At 18:35 11/03/2003, you wrote:
> > > >Is it possible to have a per user blacklist and whitelist? Example in the
> > > >whitelist file:
> > > >
> > > >To: user-1@domain.com /etc/MailScanner/rules/whitelist/user-1-domain.com
> > > >To: user-2@domain.com /etc/MailScanner/rules/whitelist/user-2-domain.com
> > > >FromTo: Default no
> > > >
> > > >
> > > >user-1-domain.com
> > > >
> > > >From: friend@domain.com yes
> > > >From: friend1@domain.com yes
> > > >From: default no
> > > >
> > > >and so on?
> > > >
> > > >Mike
> > >
> > >--
> > >Julian Field
> > >www.MailScanner.info
> > >Professional Support Services at www.MailScanner.biz
> > >MailScanner thanks transtec Computers for their support
> >
> >--
> >Julian Field
> >www.MailScanner.info
> >Professional Support Services at www.MailScanner.biz
> >MailScanner thanks transtec Computers for their support
>
>--
>Julian Field
>www.MailScanner.info
>Professional Support Services at www.MailScanner.biz
>MailScanner thanks transtec Computers for their support

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Wed Mar 12 20:21:48 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:28 2006
Subject: Outlook and UUENCODED attachments
In-Reply-To: <3E6F921E.9050106@pcxperience.com>
Message-ID: <5.2.0.9.2.20030312202029.026ec488@imap.ecs.soton.ac.uk>

At some point, yes please send me the messages. At the moment I haven't got
time to look at it. Are you using "Sign Clean Messages = yes"? If so, can
you try setting it to "no" and see what happens.

At 20:01 12/03/2003, you wrote:
>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>
>I'm not 100% sure that this is a MailScanner issue but this issue only
>started being reported after installing MailScanner.
>
>I have a user that is sending file attachments (usually office
>documents) from Outlook 97 and when they send these e-mails to other
>internal users the other users get the e-mail but the attachment is
>empty. When they send the e-mail to me (external using Mozilla mail) I
>get the e-mail fine.
>
>It appears that the originating mail client is encoding using UUENCODE
>instead of MIME from the following headers:
>
>X-Mailer: Microsoft Internet E-mail/MAPI - 8.0.0.4211
>Encoding: 15 TEXT, 447 UUENCODE
>X-MS-Attachment: Doc1.doc 0 00-00-1980 00:00
>
>MailScanner is generating the following body content:
>
>The following is a multipart MIME message which was extracted
>from a uuencoded message.
>
>- ------------=_1047489992-23715-0
>
>The message then follows the boundary and goes on.
>
>The internal users, also using Outlook 97, are getting the message and
>when they forward it to me the file attachment looks like this:
>
>- ------ =_NextPart_000_01C2E88B.02DAFF40
>Content-Type: application/msword; name="Doc1.doc"
>Content-Transfer-Encoding: base64
>
>
>- ------ =_NextPart_000_01C2E88B.02DAFF40--
>
>When the user sends me the same attachment, I get the following:
>
>- ------------=_1047489992-23715-0
>Content-Type: application/octet-stream; name="Doc1.doc"; x-unix-mode="0600"
>Content-Disposition: inline; filename="Doc1.doc"
>Content-Transfer-Encoding: base64
>MIME-Version: 1.0
>X-Mailer: MIME-tools 5.411 (Entity 5.404)
>
>
>
>- ------------=_1047489992-23715-0--
>
>
>The originating site is using MailScanner 4.12-2 and I'm using
>MailScanner 4.13-3.
>
>
>If needed I can send the sanitised e-mails for inspection.
>
>- --
>James A. Pattie
>james@pcxperience.com
>
>Linux -- SysAdmin / Programmer
>Xperience, Inc.
>http://www.pcxperience.com/
>http://www.xperienceinc.com/
>
>GPG Key Available at http://www.pcxperience.com/gpgkeys/james.html
>-----BEGIN PGP SIGNATURE-----
>Version: GnuPG v1.0.6 (GNU/Linux)
>Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>
>iD8DBQE+b5IetUXjwPIRLVERAsDaAKC+PZ/17DELSu0Cl2vKcwRlw7Z1owCcDKKR
>+h+wqbo4UR8b0w9UAK8qhXc=
>=RBi3
>-----END PGP SIGNATURE-----
>
>
>--
>This message has been scanned for viruses and
>dangerous content by MailScanner, and is
>believed to be clean.

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

From mailscanner at lists.com.ar Wed Mar 12 20:45:18 2003
From: mailscanner at lists.com.ar (Mariano Absatz)
Date: Thu Jan 12 21:17:28 2006
Subject: mailscanner & zmailer
In-Reply-To: <20030312201403.GA11369@hoiho.nz.lemon-computing.com>
References: <3E6E2521.990.81E9CF83@localhost>
Message-ID: <3E6F722E.4165.86FEDA7C@localhost>

On 13 Mar 2003 at 9:14, Nick Phillips wrote:

> On Tue, Mar 11, 2003 at 06:04:17PM -0300, Mariano Absatz wrote:
> > Alright, alright,
> >
> > you scared me enough...
> >
> > I browsed the code and it has its things... even the comments in Sendmail.pm
> > are not quite accurate... there are functions documented that don't exist
> > anymore and other (public) not documented... Some of the "documented public"
> > functions are not used outside Sendmail.pm... well.
> >
> > What I'll try to do is to create a zmq2smq and a smq2zmq to translate the
> > queue file formats...
>
> Scared too much, it seems. It would be really good to get something that
> would work directly, and we do need to get the restructuring done to work
> nicely with single-queue-file systems...

OK... I'll try to view that in parallel... that is, I have a time constraint
to have something workable up and running quickly, however, I don't like the
idea of having to maintain ugly patches like this one either.

I'll keep studying the code and see what I can do... I think that what I need
is a "clean" interface for the MailScanner::SMDiskStore and
MailScanner::Sendmail packages... As I said before, in the comments in
Sendmail.pm there's stuff that is supposed to be implemented that is only
needed there (or at most in SMDiskStore) and should be more "opaque"...

I never played much with Exporter (only copied stuff other people did), but
maybe starting to publish a module interface will help... I'm no OO-expert nor
religious about these things, but in the long run it will help (as you said in
notes.txt)...

>
> Exim spool documentation is at www.exim.org in the "Exim Specification",
> near the end. FWIW.

Good!... I was searching for "queue" instead of "spool"... anyway, for now,
I'll take the sendmail route...

>

--
Mariano Absatz
El Baby
----------------------------------------------------------
Bus error -- passengers dumped.

From mailscanner at ecs.soton.ac.uk Wed Mar 12 21:10:04 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:28 2006
Subject: Stupid luser
Message-ID: <5.2.0.9.2.20030312210113.02725ef8@imap.ecs.soton.ac.uk>

Just had this from someone whose mail got stopped by MailScanner.
They sent me an extremely abusive message (usual threats of legal action
which I'm used to now), to which I responded very politely. This is their
response:

>NO THREAT. NOTHING IDLE AT ALL. HERE'S ANOTHER FACT FOR YOU LITTLE SHIT:
>OUR ATTORNEY GENERAL HERE IN MISSOURI DOES'NT CARE FOR INTERNET SPAM.

These people make me really glad I give up time to do this :-(
And they can't even get their punctuation correct. And as for the grammar
in the second "sentence", don't get me started.

Where the heck is Missouri anyway? No insult to anyone here from Missouri,
but to me it's one of those states "in the middle of the USA somewhere"...
Feel free to direct me at a map :)

Oh, the reason for these outbursts? They were sent a "sender warning" from
an old version of MailScanner which was replying to a copy of Klez. That's
my best guess anyway, they weren't exactly clear.

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

From dwinkler at ALGORITHMICS.COM Wed Mar 12 21:19:32 2003
From: dwinkler at ALGORITHMICS.COM (Derek Winkler)
Date: Thu Jan 12 21:17:28 2006
Subject: Stupid luser
Message-ID: <06EE2C86D3DAD5119A6C0060943F3C97055E6EC7@tormail1.algorithmics.com>

All references to "virus" had to be removed from all reports here.

Someone threatened legal action because he sent a clean .exe which violated
the filename rules and they didn't like the implication that they had sent
a virus.

Unfortunately he was taken a little too seriously.

-----Original Message-----
From: Julian Field [mailto:mailscanner@ecs.soton.ac.uk]
Sent: Wednesday, March 12, 2003 4:10 PM
To: MAILSCANNER@jiscmail.ac.uk
Subject: Stupid luser

Just had this from someone whose mail got stopped by MailScanner.
They sent me an extremely abusive message (usual threats of legal action
which I'm used to now), to which I responded very politely. This is their
response:

>NO THREAT. NOTHING IDLE AT ALL. HERE'S ANOTHER FACT FOR YOU LITTLE SHIT:
>OUR ATTORNEY GENERAL HERE IN MISSOURI DOES'NT CARE FOR INTERNET SPAM.

These people make me really glad I give up time to do this :-(
And they can't even get their punctuation correct. And as for the grammar
in the second "sentence", don't get me started.

Where the heck is Missouri anyway? No insult to anyone here from Missouri,
but to me it's one of those states "in the middle of the USA somewhere"...
Feel free to direct me at a map :)

Oh, the reason for these outbursts? They were sent a "sender warning" from
an old version of MailScanner which was replying to a copy of Klez. That's
my best guess anyway, they weren't exactly clear.

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030312/601900a0/attachment.html

From henker at SHCOM.US Wed Mar 12 21:22:09 2003
From: henker at SHCOM.US (Steffan Henke)
Date: Thu Jan 12 21:17:28 2006
Subject: Stupid luser
In-Reply-To: <5.2.0.9.2.20030312210113.02725ef8@imap.ecs.soton.ac.uk>
References: <5.2.0.9.2.20030312210113.02725ef8@imap.ecs.soton.ac.uk>
Message-ID:

On Wed, 12 Mar 2003, Julian Field wrote:

> Just had this from someone whose mail got stopped by MailScanner.
> >NO THREAT. NOTHING IDLE AT ALL. HERE'S ANOTHER FACT FOR YOU LITTLE SHIT:
> >OUR ATTORNEY GENERAL HERE IN MISSOURI DOES'NT CARE FOR INTERNET SPAM.

Oh yes, the dark sides of the net. I also get phone calls from spammers
and I really would *not* like to know what people like spamhaus.org
have to face every day. I really adore them for doing what they do.
Take alone http://www.spamhaus.org/rokso/index.lasso - incredible works !
Too bad so much energy has to be wasted on spammers.

Regards,

Steffan

From james at PCXPERIENCE.COM Wed Mar 12 21:36:16 2003
From: james at PCXPERIENCE.COM (James A. Pattie)
Date: Thu Jan 12 21:17:28 2006
Subject: Outlook and UUENCODED attachments
In-Reply-To: <5.2.0.9.2.20030312202029.026ec488@imap.ecs.soton.ac.uk>
References: <5.2.0.9.2.20030312202029.026ec488@imap.ecs.soton.ac.uk>
Message-ID: <3E6FA850.3080306@pcxperience.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Julian Field wrote:
> At some point, yes please send me the messages. At the moment I haven't got
> time to look at it. Are you using "Sign Clean Messages = yes"? If so, can
> you try setting it to "no" and see what happens.

Yes, but I had set up a rules file that was supposed to not sign any
messages they sent themselves. Unfortunately, they have 2 different
domains that they are using and the sender had her email address in one
and was sending to the other domain.

Is there any way to do a rule that says don't sign when From = domainA
and To = domainY?

When I turned off signing clean messages altogether, then the e-mail
went through ok to the other internal users.

This doesn't really explain why I was able to get it no problem unless
it is an issue with Outlook97 being old or something. :)

>
> At 20:01 12/03/2003, you wrote:
>
>> I'm not 100% sure that this is a MailScanner issue but this issue only
>> started being reported after installing MailScanner.
>>
>> I have a user that is sending file attachments (usually office
>> documents) from Outlook 97 and when they send these e-mails to other
>> internal users the other users get the e-mail but the attachment is
>> empty. When they send the e-mail to me (external using Mozilla mail) I
>> get the e-mail fine.
>>
>> It appears that the originating mail client is encoding using UUENCODE
>> instead of MIME from the following headers:
>>
>> X-Mailer: Microsoft Internet E-mail/MAPI - 8.0.0.4211
>> Encoding: 15 TEXT, 447 UUENCODE
>> X-MS-Attachment: Doc1.doc 0 00-00-1980 00:00
>>
>> MailScanner is generating the following body content:
>>
>> The following is a multipart MIME message which was extracted
>> from a uuencoded message.
>>
>> - ------------=_1047489992-23715-0
>>
>> The message then follows the boundary and goes on.
>>
>> The internal users, also using Outlook 97, are getting the message and
>> when they forward it to me the file attachment looks like this:
>>
>> - ------ =_NextPart_000_01C2E88B.02DAFF40
>> Content-Type: application/msword; name="Doc1.doc"
>> Content-Transfer-Encoding: base64
>>
>>
>> - ------ =_NextPart_000_01C2E88B.02DAFF40--
>>
>> When the user sends me the same attachment, I get the following:
>>
>> - ------------=_1047489992-23715-0
>> Content-Type: application/octet-stream; name="Doc1.doc";
>> x-unix-mode="0600"
>> Content-Disposition: inline; filename="Doc1.doc"
>> Content-Transfer-Encoding: base64
>> MIME-Version: 1.0
>> X-Mailer: MIME-tools 5.411 (Entity 5.404)
>>
>>
>>
>> - ------------=_1047489992-23715-0--
>>
>>
>> The originating site is using MailScanner 4.12-2 and I'm using
>> MailScanner 4.13-3.
>>
>>
>> If needed I can send the sanitised e-mails for inspection.
>>

- --
James A. Pattie
james@pcxperience.com

Linux -- SysAdmin / Programmer
Xperience, Inc.
http://www.pcxperience.com/
http://www.xperienceinc.com/

GPG Key Available at http://www.pcxperience.com/gpgkeys/james.html
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQE+b6hPtUXjwPIRLVERAlN3AJ0WqX7g2+uOXoWdV7jBEUE4lHWr9wCfbY+K
8MBAZUr/9ozUbUu6/7Y231g=
=SAu2
-----END PGP SIGNATURE-----

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From mike at TECHINTER.COM Wed Mar 12 21:39:24 2003
From: mike at TECHINTER.COM (Mike Williams)
Date: Thu Jan 12 21:17:28 2006
Subject: Per User Blacklist and white lists
In-Reply-To: <5.2.0.9.2.20030312200952.025e7890@imap.ecs.soton.ac.uk>
Message-ID:

Ok, this is what I got.

X-MailScanner-1: Found to be clean
X-MailScanner-SpamCheck-1: spam (blacklisted)
X-MailScanner-SpamScore: ssssssssssssssssssss

It didn't get caught by the high score rule or even the required score rule.
I have my required score set at 3 and high at 9. I set the value at 20 so it
should have scored. I checked the required score with a value of 5 also with
the same results.

Mike

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On
Behalf Of Julian Field
Sent: Wednesday, March 12, 2003 2:19 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Per User Blacklist and white lists


At 19:47 12/03/2003, you wrote:
>Works like a charm. Thanks.

Great. It will be in the next release.

> BTW quick question is there a way to assign a
>spam score to blacklisted addresses so that it will activate the high score
>rule?

Not currently, no. But try this:

1) In the blacklisting lookup code, change the code to say this:

sub ByDomainSpamBlacklist {
  my($message) = @_;
  my($value);
  $value = LookupByDomainList($message, \%Blacklist);
  $message->{sascore} = 10 if $value;
  return $value;
}

(if you want blacklisting to score 10)

Then edit Message.pm and change line 370 from
  $this->{sascore} = $sascore; # Save the actual figure for use later...
to
  $this->{sascore} += $sascore; # Save the actual figure for use later...

Give this a try and let me know how you get on.

>-----Original Message-----
>From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On
>Behalf Of Julian Field
>Sent: Wednesday, March 12, 2003 12:19 PM
>To: MAILSCANNER@JISCMAIL.AC.UK
>Subject: Re: Per User Blacklist and white lists
>
>
>Looks like I never wrote the code to do the per-user lists, only per-domain
>lists.
>
>Try editing CustomConfig.pm and making "LookupByDomainList" look like this:
>
>sub LookupByDomainList {
>  my($message, $BlackWhite) = @_;
>
>  return 0 unless $message; # Sanity check the input
>
>  # Find the "from" address and the first "to" address
>  my($from, $fromdomain, @todomain, $todomain, @to, $to, $ip);
>  $from = $message->{from};
>  $fromdomain = $message->{fromdomain};
>  @todomain = @{$message->{todomain}};
>  $todomain = $todomain[0];
>  @to = @{$message->{to}};
>  $to = $to[0];
>  $ip = $message->{clientip};
>
>  # It is in the list if either the exact address is listed,
>  # or the domain is listed
>  return 1 if $BlackWhite->{$to}{$from};
>  return 1 if $BlackWhite->{$to}{$fromdomain};
>  return 1 if $BlackWhite->{$to}{$ip};
>  return 1 if $BlackWhite->{$todomain}{$from};
>  return 1 if $BlackWhite->{$todomain}{$fromdomain};
>  return 1 if $BlackWhite->{$todomain}{$ip};
>
>  # It is not in the list
>  return 0;
>}
>
>Please give this a try and let me know if it works, so I can include the
>code in the next release (due very shortly to fix long filename checking
>bug in 4.13).
>
>At 17:48 12/03/2003, you wrote:
> >Ok, I enabled the bydomainblacklist and bydomainwhitelist in the
> >MailScanner.conf with
> >
> >Is Definitely Not Spam = &ByDomainSpamWhitelist
> >Is Definitely Spam = &ByDomainSpamBlacklist
> >
> >The directories are set to /etc/MailScanner/rules/whitelist and
> >/etc/MailScanner/rules/blacklist. I have a file in blacklist folder named
> >user@domain.com (actual file name is different but same format). In the
> >file user@domain.com I have listed several blacklist items, one is an email
> >account that I have on aol.com.
The aol email address doesn't appear in >any > >whitelist. However, when I send email to user@domain.com from the AOL > >account that is on the blacklist it goes through without even being marked > >as spam. There are no errors when starting mailscanner and in the logs is > >says that it read blacklist for 1 domain. I must be missing something but >I > >haven't a clue. > > > >Mike > >-----Original Message----- > >From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > >Behalf Of Julian Field > >Sent: Tuesday, March 11, 2003 2:24 PM > >To: MAILSCANNER@JISCMAIL.AC.UK > >Subject: Re: Per User Blacklist and white lists > > > > > >At 19:50 11/03/2003, you wrote: > > >Julian, > > > > > >Thanks for the info. I'm looking at the code and the example is for > > >bydomain. I'm not sure but it looks like I can have the white and black > > >list by either domain.com or by user@domain.com. > > > >Yes you can. You can even give it IP addresses if I remember rightly. > > > > > The reason I am asking is > > >that each user will need to be able to specify their own black and white > > >list. This makes it possible that one user would wish to block email >from > >a > > >user@spam.com and another user to whitelist or not block a >user@spam.com. > > >So if I use a filename of user1@domain.com and user2@domain.com does this > >in > > >fact make the whitelist and blacklist unique for each user even if they >are > > >in the same domain? > > > > > >Mike > > > > > >-----Original Message----- 
> > >From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > > >Behalf Of Julian Field > > >Sent: Tuesday, March 11, 2003 12:44 PM > > >To: MAILSCANNER@JISCMAIL.AC.UK > > >Subject: Re: Per User Blacklist and white lists > > > > > > > > >Take a look in the CustomConfig.pm file in recent distributions. This > > >feature is an example of what you can do with "Custom Functions". You >will > > >probably need to change the directories it reads the black/whitelists >from, > > >but otherwise it will just work. The code briefly explains what should go > > >in the various config files. > > > > > >At 18:35 11/03/2003, you wrote: > > > >Is it possible to have a per user blacklist and whitelist? Example in > >the > > > >whitelist file: > > > > > > > >To: user-1@domain.com > > >/etc/MailScanner/rules/whitelist/user-1-domain.com > > > >To: user-2@domain.com > > >/etc/MailScanner/rules/whitelist/user-2-domain.com > > > >FromTo: Default no > > > > > > > > > > > >user-1-domain.com > > > > > > > >From: friend@domain.com yes > > > >From: friend1@domain.com yes > > > >From: default no > > > > > > > >and so on? > > > > > > > >Mike > > > > > >-- > > >Julian Field > > >www.MailScanner.info > > >Professional Support Services at www.MailScanner.biz > > >MailScanner thanks transtec Computers for their support > > > >-- > >Julian Field > >www.MailScanner.info > >Professional Support Services at www.MailScanner.biz > >MailScanner thanks transtec Computers for their support > >-- >Julian Field >www.MailScanner.info >Professional Support Services at www.MailScanner.biz >MailScanner thanks transtec Computers for their support -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support From paul at ESPMAIL.CO.UK Wed Mar 12 21:43:12 2003 
From: paul at ESPMAIL.CO.UK (Paul Welsh) Date: Thu Jan 12 21:17:29 2006 Subject: Announce List References: <5.2.0.9.2.20030312202029.026ec488@imap.ecs.soton.ac.uk> <3E6FA850.3080306@pcxperience.com> Message-ID: <004801c2e8e0$63f4c860$54e330d5@espmail> Hi Julian Did anything come of the suggestion of having a pure announce list? The volume of mail on this list is getting a bit much for me. From nerijus at USERS.SOURCEFORGE.NET Wed Mar 12 21:55:21 2003 From: nerijus at USERS.SOURCEFORGE.NET (Nerijus Baliunas) Date: Thu Jan 12 21:17:29 2006 Subject: Announce List In-Reply-To: <004801c2e8e0$63f4c860$54e330d5@espmail> References: <5.2.0.9.2.20030312202029.026ec488@imap.ecs.soton.ac.uk> <3E6FA850.3080306@pcxperience.com> <004801c2e8e0$63f4c860$54e330d5@espmail> Message-ID: <200303122156.h2CLuZ804034@nori.rl.ac.uk> On Wed, 12 Mar 2003 21:43:12 -0000 Paul Welsh wrote: > Did anything come of the suggestion of having a pure announce list? > > The volume of mail on this list is getting a bit much for me. I'd suggest to subscribe to new releases at http://freshmeat.net/projects/mailscanner/ - you will receive an email with changes when Julian updates freshmeat record. Regards, Nerijus From mailscanner at ecs.soton.ac.uk Wed Mar 12 21:49:08 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:29 2006 Subject: Announce List In-Reply-To: <004801c2e8e0$63f4c860$54e330d5@espmail> References: <5.2.0.9.2.20030312202029.026ec488@imap.ecs.soton.ac.uk> <3E6FA850.3080306@pcxperience.com> Message-ID: <5.2.0.9.2.20030312214813.026fddf8@imap.ecs.soton.ac.uk> At 21:43 12/03/2003, you wrote: >Hi Julian > >Did anything come of the suggestion of having a pure announce list? > >The volume of mail on this list is getting a bit much for me. If you just want announcements, then subscribe to the project at freshmeat.net. This is on the www.mailscanner.info home page. -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Wed Mar 12 21:47:32 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:29 2006 Subject: Outlook and UUENCODED attachments In-Reply-To: <3E6FA850.3080306@pcxperience.com> References: <5.2.0.9.2.20030312202029.026ec488@imap.ecs.soton.ac.uk> <5.2.0.9.2.20030312202029.026ec488@imap.ecs.soton.ac.uk> Message-ID: <5.2.0.9.2.20030312214417.022b3e58@imap.ecs.soton.ac.uk> At 21:36 12/03/2003, you wrote: >Is there any way to do a rule that says don't sign when From = domainA >and To = domainY? No, there isn't. However you could fairly easily implement it in a Custom Function. You just need to construct a list of domains and check that both the fromdomain and the todomain are in the list. -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support From andrewh at CQG.COM Wed Mar 12 22:49:32 2003 
From: andrewh at CQG.COM (Andrew M. Hoying) Date: Thu Jan 12 21:17:29 2006 Subject: Problems since the new McAfee dat file 4252 Message-ID: <8A6DFB0865502242A29E25BDAEFBB945533679@d2sexchtest.cqg.com> I know I'm running a very old version of mailscanner, 3.14, which may be the problem, but since the new dat file came out, Office XP calendar meeting requests are being reported as Exploit-CTCalendar and then the scanner crashes and reports the virus again, 50-60 times a minute until I delete the message from the incoming folder. Is there anything I can do, short of upgrading to a new version, to fix this problem? Andrew Hoying From etate01 at sun.hazelwood.k12.mo.us Thu Mar 13 00:32:28 2003
From: etate01 at sun.hazelwood.k12.mo.us (Ed Tate) Date: Thu Jan 12 21:17:29 2006 Subject: Stupid luser Message-ID: <000001c2e8f8$0742d8b0$0200a8c0@computer> Having called Missouri "home" for the last 25 years, I think that I can shed some light on where we are and what the "luser" is referring to. Sales people selling everything from insurance to light bulbs bug us Americans by calling us at dinner time. Missouri has a great no-call list that you sign up for and it imposes fines on these guys if they call you and you're on the list. This is run by the attorney general's office in the state capitol. It works fantastic and the entire United States is considering such a law. A legislator and the attorney general have teamed up to introduce a similar bill except for spam. Notice what's important in the first link below. Hint - it's not the proposed legislation. The second link gives the progress of the bill - it isn't official yet but it is moving through the legislative process so it might actually make it to a law. Enforcement should be interesting. http://www.senate.state.mo.us/03INFO/bills/SB010.htm http://www.ago.state.mo.us/photogallery/2002/spamlegislation102102.htm This next link gives you some information about Missouri. And you were right - it's almost smack in the middle of the United States. It's a beautiful state, relatively mild weather in comparison, but we do seem to have more than our share of "lusers". http://encarta.msn.com/encnet/refpages/RefArticle.aspx?refid=761563653 Ed Tate (etate01@hazelwoodschools.org) Coordinator of Technology Support Hazelwood School District Florissant, Missouri From P.G.M.Peters at civ.utwente.nl Thu Mar 13 08:07:58 2003 
From: P.G.M.Peters at civ.utwente.nl (Peter Peters) Date: Thu Jan 12 21:17:29 2006 Subject: Stupid luser In-Reply-To: <06EE2C86D3DAD5119A6C0060943F3C97055E6EC7@tormail1.algorithmics.com> References: <06EE2C86D3DAD5119A6C0060943F3C97055E6EC7@tormail1.algorithmics.com> Message-ID: <70f07v49ms7j171b7bslr915ojcf18mbs9@4ax.com> On Wed, 12 Mar 2003 16:19:32 -0500, you wrote: >Someone threatened legal action because he sent a clean .exe which violated >the filename rules and they didn't like the implication that they had sent a >virus. I am trying to educate the postmaster of a fellow institution to drop his scanner in favour of MS. His scanner sends a virus-warning to all people in the To: and Cc: when the scanner finds blocked extensions. -- Peter Peters, senior network administrator Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE) Universiteit Twente, Postbus 217, 7500 AE Enschede telephone: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/civ From mk at quadstone.com Thu Mar 13 09:41:26 2003 From: mk at quadstone.com (Michael Keightley) Date: Thu Jan 12 21:17:29 2006 Subject: Some Spam still not being marked as Spam Message-ID: <20030313094126.GA1642@quadstone.com> I'm using MailScanner-4.13-3 with SpamAssassin-2.50 (no AWL) on Solaris 9. About 5% of Spam we receive isn't marked as Spam. If I save these messages and run "spamassassin -t" on these messages they get a much higher score (e.g. 9 instead of 4). Why is the score lower when they are processed by MailScanner? Is this a bug? Michael -- Michael Keightley Tel: +44 131 220 4491 Systems Manager, Quadstone Limited, Fax: +44 131 220 4492 16 Chester Street, Edinburgh EH3 7RA, Scotland http://www.quadstone.com From Q.G.Campbell at NEWCASTLE.AC.UK Thu Mar 13 07:58:19 2003
From: Q.G.Campbell at NEWCASTLE.AC.UK (Quentin Campbell) Date: Thu Jan 12 21:17:29 2006 Subject: Logging 'subject' field of detected Spam? Message-ID: <08AC2E825474534ABB2D6EDB643FC7F83CEFB4@bond.ncl.ac.uk> Julian In the UK the "Subject" line is considered to be "content" so logging it would be "interception" under RIPA. Whether such interception by MailScanner is lawful would depend on the circumstances. Note that the above applies even more obviously to quarantining of messages and sites in the UK who do this need to be very clear about the how and the why. Even if the quarantining/interception is lawful the site may still be open to civil suit by their users if they are not careful. I note that the "Subject" line is present in the "virus warning" messages I receive as Postmaster so I may already be operating in breach of the law! However I think this is covered by the Lawful Business Practices Regulations and/or by the provisions in RIPA covering interception for the purposes of ensuring the correct operation of a service. Sigh! Quentin --- PHONE: +44 191 222 8209 Computing Service, University of Newcastle FAX: +44 191 222 8765 Newcastle upon Tyne, United Kingdom, NE1 7RU. ------------------------------------------------------------------------ "Any opinion expressed above is mine. The University can get its own." > -----Original Message----- 
> From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] > Sent: 12 March 2003 18:23 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Logging 'subject' field of detected Spam? > > > Would this be used by other people as well? It would generate > considerably more logging output. > > The code is is Message.pm around line 343, shouldn't be > difficult to add but would require yet another configuration > option "Log Spam Subject" to switch it on and off. > > At 17:54 12/03/2003, you wrote: > >Hello all... > > > >I haven't looked at the code yet, but was wondering > >how tricky this would be to implement... > > > >Now and again I try to add variations of 'known' spam > 'Subjects' (and > >some body content) to my MTA configuration to block it... > > > >Is it possible to add logging of 'Subject' to the line: > > > >Mar 12 17:25:06 hancock MailScanner[30443]: Message B1F1C15600B from > >193.63.251.18 > >(anstpbat@icecube.lshtm.ac.uk) to lshtm.ac.uk is spam, SpamAssassin > >(score=13.5, required 8, DATE_IN_PAST_12_24, DCC_CHECK, > >DRASTIC_REDUCED, HOME_EMPLOYMENT, > > INVALID_DATE, INVALID_MSGID, NO_REAL_NAME, ONCE_IN_LIFETIME, > >RAZOR2_CHECK, RCVD _IN_OSIRUSOFT_COM, REMOVE_SUBJ, UNDISC_RECIPS) > > > >... or as an additional line after that? > > > >... > > > > > > > >------------------------------------------------------------- > --------------------------------------> > >Peter Bates, Systems Support Officer, Network Support Team. London > >School of Hygiene & Tropical Medicine. Telephone:0207-958 > 8353 / Fax: > >0207- 636 9838 > > -- > Julian Field > www.MailScanner.info > Professional Support Services at www.MailScanner.biz > MailScanner thanks transtec Computers for their support > From Jan-Peter.Koopmann at SECEIDOS.DE Thu Mar 13 09:50:50 2003 
From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann) Date: Thu Jan 12 21:17:29 2006 Subject: Some Spam still not being marked as Spam Message-ID: <4E7026FF8A422749B1553FE508E0068007EF68@message.intern.akctech.de> Hi Michael, > I'm using MailScanner-4.13-3 with SpamAssassin-2.50 (no AWL) > on Solaris 9. > About 5% of Spam we receive isn't marked as Spam. If I save > these messages and run "spamassassin -t" on these messages > they get a much higer score (e.g. 9 instead of 4). Why is > the score lower when they are processed by MailScanner? Is > this a bug? Not necessarily. I am troubled with the same problem btw. The scoring depends a lot on your settings and whether or not MailScanner/SpamAssassin is using the same set of configuration files than SA alone started by your user. Are you using Exim btw? Please post the SCORES that a suspicious message gets via MS/SA and via spamassassin -t. Regards, JP From mailscanner at ecs.soton.ac.uk Thu Mar 13 10:14:49 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:29 2006 Subject: Problems since the new McAfee dat file 4252 In-Reply-To: <8A6DFB0865502242A29E25BDAEFBB945533679@d2sexchtest.cqg.com > Message-ID: <5.2.0.9.2.20030313101325.025ac8f8@imap.ecs.soton.ac.uk> At 22:49 12/03/2003, you wrote: >I know I'm running a very old version of mailscanner, 3.14, which may be >the problem, but since the new dat file came out, Office XP calendar >meeting requests are being reported as Exploit-CTCalendar and then the >scanner crashes and reports the virus again, 50-60 times a minute until I >delete the message from the incoming folder. Is there anything I can do, >short of upgrading the a new version, to fix this problem? What happens when you run mcafee on the files by hand? Can you mail me the exact output please, and I'll find out what new versions do with it. -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support From Jan-Peter.Koopmann at SECEIDOS.DE Thu Mar 13 10:20:29 2003 From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann) Date: Thu Jan 12 21:17:29 2006 Subject: FreeBSD mcafee-autoupdate Message-ID: <4E7026FF8A422749B1553FE508E0068007EF69@message.intern.akctech.de> Hi, the mcafee-autoupdate script in lib uses /bin/tar. Under FreeBSD this is in /usr/bin/tar. The script starts and downloads the update file but does not untar it. Unfortunately this does NOT give you an error and everything seems to run fine. Please either change this or include a note in INSTALL.FreeBSD. Thanks, JP From mk at quadstone.com Thu Mar 13 10:29:48 2003 
From: mk at quadstone.com (Michael Keightley) Date: Thu Jan 12 21:17:29 2006 Subject: Some Spam still not being marked as Spam In-Reply-To: <4E7026FF8A422749B1553FE508E0068007EF68@message.intern.akctech.de> References: <4E7026FF8A422749B1553FE508E0068007EF68@message.intern.akctech.de> Message-ID: <20030313102948.GB1642@quadstone.com> On Thu, Mar 13, 2003 at 10:50:50AM +0100, Jan-Peter Koopmann wrote: > > Hi Michael, > > > I'm using MailScanner-4.13-3 with SpamAssassin-2.50 (no AWL) > > on Solaris 9. > > About 5% of Spam we receive isn't marked as Spam. If I save > > these messages and run "spamassassin -t" on these messages > > they get a much higer score (e.g. 9 instead of 4). Why is > > the score lower when they are processed by MailScanner? Is > > this a bug? > > Not necessarily. I am troubled with the same problem btw. The scoring > depends a lot on your settings and whether or not > MailScanner/SpamAssassin is using the same set of configuration files > than SA alone started by your user. Are you using Exim btw? Please post > the SCORES that a suspicious message gets via MS/SA and via spamassassin > -t. I'm using sendmail-8.12.8. Attached is a Spam message, MS.txt is the message that got delivered, SA.txt is the output of "spamassassin -t". 
The only change I've made spam.assassin.prefs.conf is to uncomment skip_rbl_checks 1 Michael > > Regards, > JP -- Michael Keightley Tel: +44 131 220 4491 Systems Manager, Quadstone Limited, Fax: +44 131 220 4492 16 Chester Street, Edinburgh EH3 7RA, Scotland http://www.quadstone.com -------------- next part -------------- >From Yaelijy@private.21cn.com Wed Mar 12 22:59:30 2003 Return-Path: Received: from quadstone.com (postie.quadstone.co.uk [194.80.190.3]) by edinburgh.quadstone.com (8.12.8/8.12.8) with ESMTP id h2CMxQ77011882 for ; Wed, 12 Mar 2003 22:59:30 GMT Received: from sxrqwew (ns.htu.or.jp [61.127.212.66]) by quadstone.com (8.12.8/8.12.8) with SMTP id h2CMxLaJ023684 for ; Wed, 12 Mar 2003 22:59:23 GMT Message-Id: <200303122259.h2CMxLaJ023684@quadstone.com> From: Tracee Scatena Subject: Date: Wed, 12 Mar 2003 17:15:50 -0500 Mime-Version: 1.0 Content-Type: text/html Content-Transfer-Encoding: base64 X-MailScanner: Found to be clean X-MailScanner-SpamScore: ssss Status: RO Content-Length: 410 Lines: 6 -------------- next part -------------- >From Yaelijy@private.21cn.com Wed Mar 12 22:59:30 2003 Received: from localhost [127.0.0.1] by gromit.quadstone.co.uk with SpamAssassin (2.50 1.173-2003-02-20-exp); Thu, 13 Mar 2003 09:38:39 %z
From: Tracee Scatena Subject: Date: Wed, 12 Mar 2003 17:15:50 -0500 Message-Id: <200303122259.h2CMxLaJ023684@quadstone.com> X-Spam-Flag: YES X-Spam-Status: Yes, hits=9.1 required=5.0 tests=BASE64_ENC_TEXT,HTML_50_60,HTML_MESSAGE, HTML_TAG_BALANCE_BODY,MIME_HTML_ONLY,MISSING_HEADERS, MSG_ID_ADDED_BY_MTA_3,RCVD_IN_NJABL,RCVD_IN_OPM, RCVD_IN_OSIRUSOFT_COM,REMOVE_PAGE version=2.50 X-Spam-Level: ********* X-Spam-Checker-Version: SpamAssassin 2.50 1.173-2003-02-20-exp MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="----------=_3E70519F.B453720D" This is a multi-part message in MIME format. ------------=_3E70519F.B453720D Content-Type: text/plain Content-Disposition: inline Content-Transfer-Encoding: 8bit This mail is probably spam. The original message has been attached along with this report, so you can recognize or block similar unwanted mail in future. See http://spamassassin.org/tag/ for more details. Content preview: Hi, hostmaster , URI:http://www.myrussianlover.com/?oc#90 A nice lady wants to correspond with you. URI:http://www.myrussianlover.com/remove/?oc#90 Let me know and I won't write you again. [...] 
Content analysis details: (9.10 points, 5 required) HTML_50_60 (0.2 points) BODY: Message is 50% to 60% HTML HTML_MESSAGE (0.1 points) BODY: HTML included in message HTML_TAG_BALANCE_BODY (0.6 points) BODY: HTML has unbalanced "body" tags BASE64_ENC_TEXT (1.7 points) RAW: Message text disguised using base-64 encoding REMOVE_PAGE (0.1 points) URI: URL of page called "remove" MSG_ID_ADDED_BY_MTA_3 (0.3 points) 'Message-Id' was added by a relay (3) MISSING_HEADERS (0.1 points) Missing To: header RCVD_IN_NJABL (1.0 points) RBL: Received via a relay in dnsbl.njabl.org [RBL check: found 66.212.127.61.dnsbl.njabl.org.,] [type: 127.0.0.9] RCVD_IN_OSIRUSOFT_COM (0.6 points) RBL: Received via a relay in relays.osirusoft.com [RBL check: found 66.212.127.61.relays.osirusoft.com., type: 127.0.0.9] RCVD_IN_OPM (4.3 points) RBL: Received via a relay in opm.blitzed.org [RBL check: found 66.212.127.61.opm.blitzed.org.,] [type: 127.1.0.16] MIME_HTML_ONLY (0.1 points) Message only has text/html MIME parts The original message did not contain plain text, and may be unsafe to open with some email clients; in particular, it may contain a virus, or confirm that your address can receive spam. If you wish to view it, it may be safer to save it to a file and open it with an editor. ------------=_3E70519F.B453720D Content-Type: message/rfc822 Content-Description: original message before SpamAssassin Content-Disposition: attachment Content-Transfer-Encoding: 8bit Return-Path: Received: from quadstone.com (postie.quadstone.co.uk [194.80.190.3]) by edinburgh.quadstone.com (8.12.8/8.12.8) with ESMTP id h2CMxQ77011882 for ; Wed, 12 Mar 2003 22:59:30 GMT Received: from sxrqwew (ns.htu.or.jp [61.127.212.66]) by quadstone.com (8.12.8/8.12.8) with SMTP id h2CMxLaJ023684 for ; Wed, 12 Mar 2003 22:59:23 GMT Message-Id: <200303122259.h2CMxLaJ023684@quadstone.com> 
From: Tracee Scatena Subject: Date: Wed, 12 Mar 2003 17:15:50 -0500 Mime-Version: 1.0 Content-Type: text/html Content-Transfer-Encoding: base64 X-MailScanner: Found to be clean X-MailScanner-SpamScore: ssss Status: RO Content-Length: 410 Lines: 6 ------------=_3E70519F.B453720D-- From Jan-Peter.Koopmann at SECEIDOS.DE Thu Mar 13 10:41:37 2003
From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann) Date: Thu Jan 12 21:17:29 2006 Subject: Some Spam still not being marked as Spam Message-ID: <4E7026FF8A422749B1553FE508E0068007EF6C@message.intern.akctech.de> > Attached is a Spam message, MS.txt is the message that got > delivered, SA.txt is the output of "spamassassin -t". > The only change I've made spam.assassin.prefs.conf is to uncomment > skip_rbl_checks 1 Well, unfortunately you configured your MailScanner to only have the X-MailScanner-spam header in it when spam is detected. So in this example I cannot see what rules were triggered with the MailScanner/SpamAssassin combination. You might want to change this and rerun the test. Your spamassassin -t used RBL checks and triggered three of them with a total of 5.9 points. When you say skip_rbl_checks 1 in your spam.assassin.prefs.conf file then MS/SA are not running those tests and the 5.9 points should be missing. That's most probably the explanation. Regards, JP From dbird at SGHMS.AC.UK Thu Mar 13 13:00:42 2003
From: dbird at SGHMS.AC.UK (Daniel Bird) Date: Thu Jan 12 21:17:29 2006 Subject: Problems since the new McAfee dat file 4252 References: <5.2.0.9.2.20030313101325.025ac8f8@imap.ecs.soton.ac.uk> Message-ID: <3E7080FA.1070200@sghms.ac.uk> Julian Field wrote: > At 22:49 12/03/2003, you wrote: > >> I know I'm running a very old version of mailscanner, 3.14, which may be >> the problem, but since the new dat file came out, Office XP calendar >> meeting requests are being reported as Exploit-CTCalendar and then the >> scanner crashes and reports the virus again, 50-60 times a minute >> until I >> delete the message from the incoming folder. Is there anything I can do, >> short of upgrading to a new version, to fix this problem? > > > What happens when you run mcafee on the files by hand? Can you mail me > the > exact output please, and I'll find out what new versions do with it. We had some problems earlier this week (on Solaris and Linux) with McAfee updates. It was cured by downloading the latest version of the Virus Engine (rather than just the dat.) Regards Dan > -- > Julian Field > www.MailScanner.info > Professional Support Services at www.MailScanner.biz > MailScanner thanks transtec Computers for their support > -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From cleveland at MAIL.WINNEFOX.ORG Thu Mar 13 13:29:30 2003 From: cleveland at MAIL.WINNEFOX.ORG (Jody Cleveland) Date: Thu Jan 12 21:17:29 2006 Subject: MailScanner/ f-prot not catching all viruses Message-ID: <3561.199.242.176.181.1047562170.squirrel@email.winnefox.org> Hello, I'm running MailScanner with f-prot on redhat 8 using sendmail. I've been noticing that it's not catching Sobig and Yaha viruses. Any ideas why? -- Jody Cleveland (cleveland@winnefox.org) From simon at ADVANTAGE-INTERACTIVE.COM Thu Mar 13 13:24:10 2003
From: simon at ADVANTAGE-INTERACTIVE.COM (Simon Dick) Date: Thu Jan 12 21:17:29 2006 Subject: MailScanner/ f-prot not catching all viruses In-Reply-To: <3561.199.242.176.181.1047562170.squirrel@email.winnefox.org> References: <3561.199.242.176.181.1047562170.squirrel@email.winnefox.org> Message-ID: <1047561850.1925.6.camel@devbox> On Thu, 2003-03-13 at 13:29, Jody Cleveland wrote: > Hello, > > I'm running MailScanner with f-prot on redhat 8 using sendmail. I've been > noticing that it's not catching Sobig and Yaha viruses. Any ideas why? I had some Yaha viruses get through recently, but it turned out that they actually bypassed our mx records and went direct to the server which handles the mail after being scanned, my assumption is that that was our old mx record before using mailscanner so it may have a very old cached copy somehow. -- Simon Dick simon@advantage-interactive.com From Jan-Peter.Koopmann at SECEIDOS.DE Thu Mar 13 13:37:24 2003 From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann) Date: Thu Jan 12 21:17:29 2006 Subject: MailScanner/ f-prot not catching all viruses Message-ID: <4E7026FF8A422749B1553FE508E0068007EF73@message.intern.akctech.de> > I had some Yaha viruses get through recently, but it turned > out that they actually bypassed our mx records and went > direct to the server which handles the mail after being > scanned, my assumption is that that was our old mx record > before using mailscanner so it may have a very old cached > copy somehow. You have a server out there accepting mail without some sort of protection in front of it? You are relying on MX records only? What about port scans on your network and finding the machine? Would be quite easy to do. If I were you I would think about this setup really quick... :-) Otherwise you might as well get rid of MailScanner in the first place *g* Regards, JP From simon at ADVANTAGE-INTERACTIVE.COM Thu Mar 13 13:47:15 2003 
From: simon at ADVANTAGE-INTERACTIVE.COM (Simon Dick) Date: Thu Jan 12 21:17:29 2006 Subject: MailScanner/ f-prot not catching all viruses In-Reply-To: <4E7026FF8A422749B1553FE508E0068007EF73@message.intern.akctech.de> References: <4E7026FF8A422749B1553FE508E0068007EF73@message.intern.akctech.de> Message-ID: <1047563235.2263.9.camel@devbox> On Thu, 2003-03-13 at 13:37, Jan-Peter Koopmann wrote: > > I had some Yaha viruses get through recently, but it turned > > out that they actually bypassed our mx records and went > > direct to the server which handles the mail after being > > scanned, my assumption is that that was our old mx record > > before using mailscanner so it may have a very old cached > > copy somehow. > > You have a server out there accepting mail without some sort of > protection in front of it? You are relying on MX records only? What > about port scans on your network and finding the machine? Would be quite > easy to do. If I were you I would think about this setup really quick... > :-) Otherwise you might as well get rid of MailScanner in the first > place *g* Long story, I should really check that, but the current exim config is "interesting" and not trivial to change like that until I have enough time :) -- Simon Dick simon@advantage-interactive.com From raymond at PROLOCATION.NET Thu Mar 13 13:48:22 2003 
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:17:29 2006
Subject: MailScanner/ f-prot not catching all viruses
In-Reply-To: <1047563235.2263.9.camel@devbox>
Message-ID:

Hi!

> > You have a server out there accepting mail without some sort of
> > protection in front of it? You are relying on MX records only? What
> > about port scans on your network and finding the machine? Would be quite
> > easy to do. If I were you I would think about this setup really quick...
> > :-) Otherwise you might as well get rid of MailScanner in the first
> > place *g*
>
> Long story, I should really check that, but the current exim config is
> "interesting" and not trivial to change like that until I have enough
> time :)

Best is to simply block access and only allow your mailserver to drop
mail on it, from the outside world.

Bye,
Raymond.
From Cleveland at MAIL.WINNEFOX.ORG Thu Mar 13 14:04:31 2003
From: Cleveland at MAIL.WINNEFOX.ORG (Jody Cleveland)
Date: Thu Jan 12 21:17:29 2006
Subject: SpamAssassin via rpm in redhat 8?
Message-ID: <84CFA712F666B44A94CE6BE116BAF4B0B4E49A@MAIL>

Hello,

I'm wanting to install SpamAssassin to work with MailScanner. Has anyone
had any luck installing using the RPM with Redhat 8, sendmail, and
MailScanner?

--
Jody Cleveland
(cleveland@winnefox.org)
Winnefox Library System
Computer Support Specialist
From andrewh at CQG.COM Thu Mar 13 14:07:39 2003
From: andrewh at CQG.COM (Andrew Hoying)
Date: Thu Jan 12 21:17:29 2006
Subject: Problems since the new McAfee dat file 4252
References: <5.2.0.9.2.20030313101325.025ac8f8@imap.ecs.soton.ac.uk>
Message-ID: <001d01c2e969$e85e3080$0300000a@andrew>

Here is a copy of the file h2DAmR5G020453.vir :

Return-Path:
Received: from xx ([xx])
 by xx(8.12.8/8.12.8) with ESMTP id h2DAmR5G020453
 for ; Thu, 13 Mar 2003 03:48:28 -0700
Full-Name: Yuriy Toropin
From: xx
To: xx
Subject: Meeting with representative from Vested Development Inc.
Date: Thu, 13 Mar 2003 13:52:30 +0300
Message-ID: <00b401c2e94e$a61aa480$d4e7a8c0@mxpyuriy>
MIME-Version: 1.0
Content-Type: text/calendar; method=REQUEST;
 charset="utf-8"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook, Build 10.0.4024
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
Importance: Normal


Here is the output from uvscan:

# uvscan --recursive --ignore-links --analyze --secure --noboot h2DAmR5G020453.vir
/root/h2DAmR5G020453.vir
 Found trojan or variant Exploit-CTCalendar !!!
 Please send a copy of the file to Network Associates


----- Original Message -----
From: "Julian Field"
To:
Sent: Thursday, March 13, 2003 3:14 AM
Subject: Re: Problems since the new McAfee dat file 4252


> At 22:49 12/03/2003, you wrote:
> >I know I'm running a very old version of mailscanner, 3.14, which may be
> >the problem, but since the new dat file came out, Office XP calendar
> >meeting requests are being reported as Exploit-CTCalendar and then the
> >scanner crashes and reports the virus again, 50-60 times a minute until I
> >delete the message from the incoming folder. Is there anything I can do,
> >short of upgrading the a new version, to fix this problem?
>
> What happens when you run mcafee on the files by hand? Can you mail me the
> exact output please, and I'll find out what new versions do with it.
> --
> Julian Field
> www.MailScanner.info
> Professional Support Services at www.MailScanner.biz
> MailScanner thanks transtec Computers for their support
>
From simon at ADVANTAGE-INTERACTIVE.COM Thu Mar 13 14:26:43 2003
From: simon at ADVANTAGE-INTERACTIVE.COM (Simon Dick)
Date: Thu Jan 12 21:17:29 2006
Subject: MailScanner/ f-prot not catching all viruses
In-Reply-To:
References:
Message-ID: <1047565603.1925.12.camel@devbox>

On Thu, 2003-03-13 at 13:48, Raymond Dijkxhoorn wrote:
> Hi!
>
> > > You have a server out there accepting mail without some sort of
> > > protection in front of it? You are relying on MX records only? What
> > > about port scans on your network and finding the machine? Would be quite
> > > easy to do. If I were you I would think about this setup really quick...
> > > :-) Otherwise you might as well get rid of MailScanner in the first
> > > place *g*
> >
> > Long story, I should really check that, but the current exim config is
> > "interesting" and not trivial to change like that until I have enough
> > time :)
>
> Best is to simply block access and only allow your mailserver to drop
> mail on it, from the outside world.

As we use the server for other mail related things too that's not
possible, however this has kickstarted me into adding an acl rule to
only allow email for certain domains in from the scanner server, thanks
;)

--
Simon Dick simon@advantage-interactive.com
From Denis.Beauchemin at USHERBROOKE.CA Thu Mar 13 14:28:58 2003
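Added example, not part of any list message: the bypass discussed in the thread above (mail delivered straight to the backend instead of through the scanning host) is visible in the topmost Received header that the backend itself writes. This sketch flags stored messages for scanner-only domains whose last hop was not the scanner; the addresses, host names, the use of an Envelope-to header and the sample messages are all assumptions constructed for illustration.

```python
import email
import email.utils
import ipaddress
import re

# Assumptions (constructed values): the scanning host's address and the
# domains whose mail must only ever arrive through it.
SCANNER_ADDRS = frozenset({ipaddress.ip_address("192.0.2.10")})
PROTECTED_DOMAINS = frozenset({"example.org"})

# Peer address as MTAs record it: [192.0.2.10] or [IPv6:2001:db8::1]
_PEER = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")


def last_hop_peer(msg):
    """IP of the host that connected to the server which stored the message.

    Only the topmost Received header is used: the storing server writes it
    itself, while every header below it can be supplied by the sender.
    """
    received = msg.get_all("Received") or []
    if not received:
        return None
    top = " ".join(received[0].split())      # unfold continuation lines
    from_clause = top.split(" by ", 1)[0]    # the peer is named before "by"
    match = _PEER.search(from_clause)
    if match is None:
        return None
    try:
        return ipaddress.ip_address(match.group(1))
    except ValueError:
        return None


def classify(raw, scanners=SCANNER_ADDRS, protected=PROTECTED_DOMAINS):
    """Return 'via-scanner', 'direct', 'unknown' or 'not-protected'."""
    msg = email.message_from_string(raw)
    rcpt = email.utils.parseaddr(msg.get("Envelope-to", ""))[1]
    domain = rcpt.rpartition("@")[2].lower()
    if domain and domain not in protected:
        return "not-protected"               # backend may accept this directly
    peer = last_hop_peer(msg)
    if peer is None:
        return "unknown"                     # cannot show it was scanned
    return "via-scanner" if peer in scanners else "direct"


def audit(raw_messages):
    """(Message-ID, verdict) for each message that cannot be tied to the scanner."""
    findings = []
    for raw in raw_messages:
        verdict = classify(raw)
        if verdict in ("direct", "unknown"):
            msg_id = email.message_from_string(raw).get("Message-ID", "<none>")
            findings.append((msg_id, verdict))
    return findings


# Constructed sample messages (documentation addresses, placeholder hosts).
VIA_SCANNER = (
    "Envelope-to: user@example.org\n"
    "Received: from scanner.example.net ([192.0.2.10] helo=scanner.example.net)\n"
    "\tby backend.example.net with esmtp id 18tAAA-0000aa-00\n"
    "\tfor user@example.org; Thu, 13 Mar 2003 13:20:00 +0000\n"
    "Received: from sender.example.com ([198.51.100.7])\n"
    "\tby scanner.example.net with esmtp; Thu, 13 Mar 2003 13:19:58 +0000\n"
    "Message-ID: <constructed-1@example.com>\n"
    "Subject: scanned\n\nbody\n"
)
DIRECT = (
    "Envelope-to: user@example.org\n"
    "Received: from sender.example.com ([198.51.100.7])\n"
    "\tby backend.example.net with esmtp id 18tBBB-0000bb-00\n"
    "\tfor user@example.org; Thu, 13 Mar 2003 13:29:00 +0000\n"
    # A lower header naming the scanner proves nothing: the sender wrote it.
    "Received: from scanner.example.net ([192.0.2.10])\n"
    "\tby backend.example.net with esmtp; Thu, 13 Mar 2003 13:28:00 +0000\n"
    "Message-ID: <constructed-2@example.com>\n"
    "Subject: never scanned\n\nbody\n"
)
OTHER_DOMAIN = (
    "Envelope-to: list@lists.example.net\n"
    "Received: from sender.example.com ([198.51.100.9])\n"
    "\tby backend.example.net with esmtp; Thu, 13 Mar 2003 13:30:00 +0000\n"
    "Message-ID: <constructed-3@example.com>\n"
    "Subject: other mail service on the same host\n\nbody\n"
)

if __name__ == "__main__":
    for message_id, verdict in audit([VIA_SCANNER, DIRECT, OTHER_DOMAIN]):
        print(message_id, verdict)
```

Run over a mailbox after an access rule has been added, a non-empty result means something other than the scanner can still hand mail for a protected domain to the backend.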
From: Denis.Beauchemin at USHERBROOKE.CA (Denis Beauchemin)
Date: Thu Jan 12 21:17:29 2006
Subject: Problems since the new McAfee dat file 4252
In-Reply-To: <8A6DFB0865502242A29E25BDAEFBB945533679@d2sexchtest.cqg.com>
References: <8A6DFB0865502242A29E25BDAEFBB945533679@d2sexchtest.cqg.com>
Message-ID: <1047565738.30611.37.camel@dbeauchemin.si.usherbrooke.ca>

I have seen only 1 occurrence of this message so far but the file was
not quarantined and it didn't cause any MS problem.

Denis

On Wed 12/03/2003 at 17:49, Andrew M. Hoying wrote:
> I know I'm running a very old version of mailscanner, 3.14, which may
> be the problem, but since the new dat file came out, Office XP
> calendar meeting requests are being reported as Exploit-CTCalendar and
> then the scanner crashes and reports the virus again, 50-60 times a
> minute until I delete the message from the incoming folder. Is there
> anything I can do, short of upgrading to a new version, to fix this
> problem?
>
> Andrew Hoying
--
Denis Beauchemin, analyst
Université de Sherbrooke, S.T.I.
T: 819.821.8000x2252 F: 819.821.8045
From mailscanner at ecs.soton.ac.uk Thu Mar 13 15:04:29 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:29 2006
Subject: Problems since the new McAfee dat file 4252
In-Reply-To: <001d01c2e969$e85e3080$0300000a@andrew>
References: <5.2.0.9.2.20030313101325.025ac8f8@imap.ecs.soton.ac.uk>
Message-ID: <5.2.0.9.2.20030313150239.029259f0@imap.ecs.soton.ac.uk>

If you look in sweep.pl you should find a function ProcessMcAfeeOutput.
Comment out your current version (don't just delete it, you might need it
again!).
Add this version:

sub ProcessMcAfeeOutput {
  my($line, $infections, $types, $BaseDir) = @_;

  my($lastline, $report, $dot, $id, $part, @rest);
  my($logout);

  chomp $line;
  $lastline = $currentline;
  $currentline = $line;

  # SEP: need to add code to log warnings
  return 0 unless $line =~ /Found/;

  # McAfee prints the whole path as opposed to
  # ./messages/part so make it the same
  $lastline =~ s/$BaseDir//;

  # make an equivalent report line from the last 2
  $report = "$lastline$currentline";
  $logout = $report;
  $logout =~ s/%/%%/g;
  #MailScanner::Log::InfoLog($logout);

  # note: '$dot' does not become '.'
  ($dot, $id, $part, @rest) = split(/\//, $lastline);
  $infections->{"$id"}{"$part"} .= $report . "\n";
  $types->{"$id"}{"$part"} .= "v";
  return 1;
}

I have commented out the "Log" line as that won't work in version 3. If you
look through your original version in sweep.pl you will soon see what that
line needs to be.

At 14:07 13/03/2003, you wrote:
>Here is a copy of the file h2DAmR5G020453.vir :
>
>Return-Path:
>Received: from xx ([xx])
> by xx(8.12.8/8.12.8) with ESMTP id h2DAmR5G020453
> for ; Thu, 13 Mar 2003 03:48:28 -0700
>Full-Name: Yuriy Toropin
>From: xx >To: xx >Subject: Meeting with representative from Vested Development Inc. >Date: Thu, 13 Mar 2003 13:52:30 +0300 >Message-ID: <00b401c2e94e$a61aa480$d4e7a8c0@mxpyuriy> >MIME-Version: 1.0 >Content-Type: text/calendar; method=REQUEST; > charset="utf-8" >Content-Transfer-Encoding: 7bit >X-Priority: 3 (Normal) >X-MSMail-Priority: Normal >X-Mailer: Microsoft Outlook, Build 10.0.4024 >X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106 >Importance: Normal > > >Here is the output from uvscan: > ># uvscan --recursive --ignore-links --analyze --secure --noboot >h2DAmR5G020453.vir >/root/h2DAmR5G020453.vir > Found trojan or variant Exploit-CTCalendar !!! > Please send a copy of the file to Network Associates > > >----- Original Message ----- >From: "Julian Field" >To: >Sent: Thursday, March 13, 2003 3:14 AM >Subject: Re: Problems since the new McAfee dat file 4252 > > > > At 22:49 12/03/2003, you wrote: > > >I know I'm running a very old version of mailscanner, 3.14, which may be > > >the problem, but since the new dat file came out, Office XP calendar > > >meeting requests are being reported as Exploit-CTCalendar and then the > > >scanner crashes and reports the virus again, 50-60 times a minute until I > > >delete the message from the incoming folder. Is there anything I can do, > > >short of upgrading the a new version, to fix this problem? > > > > What happens when you run mcafee on the files by hand? Can you mail me the > > exact output please, and I'll find out what new versions do with it. > > -- > > Julian Field > > www.MailScanner.info > > Professional Support Services at www.MailScanner.biz > > MailScanner thanks transtec Computers for their support > > -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From dot at DOTAT.AT Thu Mar 13 15:36:09 2003 
From: dot at DOTAT.AT (Tony Finch)
Date: Thu Jan 12 21:17:29 2006
Subject: FreeBSD mcafee-autoupdate
In-Reply-To:
Message-ID:

Jan-Peter Koopmann wrote:
>
>the mcafee-autoupdate script in lib uses /bin/tar. Under FreeBSD this is
>in /usr/bin/tar. The script starts and downloads the update file but
>does not untar it. Unfortunately this does NOT give you an error and
>everything seems to run fine. Please either change this or include a
>note in INSTALL.FreeBSD.

The script I use is as follows. It keeps track of the datfile versions
that have been installed by storing them in /usr/local/lib/uvscan/NNNN
with symlinks from /usr/local/lib/uvscan into the current version.

It checks which upstream version is available, and if it is already
installed it exits quietly (which makes it nice for running from cron).
Otherwise it downloads the new version (using wget since that is more
universally available than FreeBSD's fetch utility), checks that it
works, then activates it. (In this case it is noisy, so when run from
cron you will get an email telling you about the datfile update.) It
will not splat an existing setup if the new datfile is corrupt.

It uses sh -e to avoid failures propagating and becoming serious, and it
relies on a sane PATH setting. It doesn't use locking, but assumes that
updating four symlinks will be fast enough that the race won't matter.

I also don't use a wrapper script since it's unnecessary if uvscan is
installed where McAfee expect it to be.

#!/bin/sh -e
#
# Update the McAfee data files.
#
# $Cambridge: hermes/build/bin/uvscan-update,v 1.10 2003/02/04 04:52:21 fanf2 Exp $

LIBDIR=/usr/local/lib/uvscan
FTPDIR=ftp://ftp.csx.cam.ac.uk/pub/software/antivirus/datfiles/4.x
#FTPDIR=ftp://ftpeur.nai.com/pub/antivirus/datfiles/4.x

# work out latest dat version
SED='/^DATVersion=\([0-9]*\).*$/!d;s//\1/;q'
VERSION=`wget -q -O- $FTPDIR/update.ini | sed -e "$SED"`
DATDIR=$LIBDIR/$VERSION
FILE=dat-$VERSION.tar

# already got it?
if [ -d $DATDIR ]
then
        case $1 in
        -v)     echo Already have $VERSION
        esac
        exit
fi

echo Latest dat file is $VERSION

run() {
        echo ">" "$@"
        "$@"
}

# fetch and extract dat files
run mkdir -p $DATDIR
run cd $DATDIR
run wget --progress=dot:mega $FTPDIR/$FILE
run tar xvf $FILE

# verify the contents
fail () {
        echo "$OUT"
        echo Test run failed -- removing bad McAfee data files
        run rm -rf $DATDIR
        exit 1
}
trap fail EXIT
CMD="uvscan --dat $DATDIR --version 2>&1"
echo '> OUT=`'$CMD'`'
OUT=`$CMD`
case "$OUT" in
*"Missing or invalid DAT"* | \
*"Data file not found"* | \
*"Removal datafile clean.dat not found"* | \
*"Unable to remove viruses"* )
        fail
        ;;
esac
trap EXIT
echo "$OUT"
echo Update OK

# change the current dat file links
run cd $LIBDIR
run ln -sf $VERSION/*.dat .

# remove some crap
run cd $DATDIR
run rm -f *.exe *.tar *.txt

# done

Tony.
--
f.a.n.finch http://dotat.at/
CROMARTY FORTH TYNE: VARIABLE 3 BECOMING SOUTH OR SOUTHEAST 3 OR 4. FAIR. GOOD
OCCASIONALLY MODERATE.
From jaearick at COLBY.EDU Thu Mar 13 15:48:03 2003
From: jaearick at COLBY.EDU (Jeff A. Earickson)
Date: Thu Jan 12 21:17:29 2006
Subject: "Found invalid qf" message running amok
Message-ID:

Julian,

Every once in a while our mail server gets malformed spam that causes
a blizzard of "Batch: Found invalid qf queue file" messages in my
syslog. This message comes from line 329 of lib/MailScanner/Sendmail.pm
(version 4.13-3). I can send you the qf files if you want to look at
them, but the messages are always from well-known spam sites with
uuencoded message bodies. They have IP numbers of 0.0.0.0 in the qf
files, which probably triggers the syslog message.

I have to yank the miscreants out of mqueue.in to restore order.
Can't MailScanner just note the problem in syslog once, then either
nuke the qf/df files in mqueue.in, or maybe move them to /tmp?

--- Jeff A. Earickson
From Jan-Peter.Koopmann at SECEIDOS.DE Thu Mar 13 15:58:35 2003
From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann)
Date: Thu Jan 12 21:17:29 2006
Subject: FreeBSD mcafee-autoupdate
Message-ID: <4E7026FF8A422749B1553FE508E0068007EF77@message.intern.akctech.de>

> The script I use is as follows.

Geeee. Thanks Tony. I will try to implement this next week!

Regards,
  JP
From andersan at LTKALMAR.SE Thu Mar 13 16:04:15 2003
From: andersan at LTKALMAR.SE (Anders Andersson, IT)
Date: Thu Jan 12 21:17:29 2006
Subject: SV: SpamAssassin via rpm in redhat 8?
Message-ID: <9F18B7DDBA88E544AB1F199514891666014631@lkl63.ltkalmar.se>

It works fine.... but I would recommend you to add spamassassin from the
cd installation to get all the necessary perl thingys.

Download the upgrade from SA pages 2.43 and you will find it working
nicely.

Still haven't upgraded to SA 2.5 since there has been some performance
problem so I'm waiting until they fix that.

/Anders

-----Original message-----
From: Jody Cleveland [mailto:Cleveland@MAIL.WINNEFOX.ORG]
Sent: 13 March 2003 15:05
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: SpamAssassin via rpm in redhat 8?

Hello,

I'm wanting to install SpamAssassin to work with MailScanner. Has anyone
had any luck installing using the RPM with Redhat 8, sendmail, and
MailScanner?

--
Jody Cleveland
(cleveland@winnefox.org)
Winnefox Library System
Computer Support Specialist
From andrewh at CQG.COM Thu Mar 13 16:04:36 2003
From: andrewh at CQG.COM (Andrew M. Hoying)
Date: Thu Jan 12 21:17:29 2006
Subject: Problems since the new McAfee dat file 4252
Message-ID: <8A6DFB0865502242A29E25BDAEFBB94553367C@d2sexchtest.cqg.com>

I updated to the latest uvscan version, Virus Scan for Linux v4.24.0 as
was suggested, but scanning the file below still returns the same virus
found. I don't know if MailScanner will break again yet, I'll let you
know what I find.

Thanks.

> -----Original Message-----
> From: Andrew M. Hoying > Sent: Thursday, March 13, 2003 7:08 AM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Problems since the new McAfee dat file 4252 > > > Here is a copy of the file h2DAmR5G020453.vir : > > Return-Path: > Received: from xx ([xx]) > by xx(8.12.8/8.12.8) with ESMTP id h2DAmR5G020453 > for ; Thu, 13 Mar 2003 03:48:28 -0700 > Full-Name: Yuriy Toropin > From: xx > To: xx > Subject: Meeting with representative from Vested Development Inc. > Date: Thu, 13 Mar 2003 13:52:30 +0300 > Message-ID: <00b401c2e94e$a61aa480$d4e7a8c0@mxpyuriy> > MIME-Version: 1.0 > Content-Type: text/calendar; method=REQUEST; > charset="utf-8" > Content-Transfer-Encoding: 7bit > X-Priority: 3 (Normal) > X-MSMail-Priority: Normal > X-Mailer: Microsoft Outlook, Build 10.0.4024 > X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106 > Importance: Normal > > > Here is the output from uvscan: > > # uvscan --recursive --ignore-links --analyze --secure --noboot > h2DAmR5G020453.vir > /root/h2DAmR5G020453.vir > Found trojan or variant Exploit-CTCalendar !!! > Please send a copy of the file to Network Associates > > > ----- Original Message ----- 
> From: "Julian Field" > To: > Sent: Thursday, March 13, 2003 3:14 AM > Subject: Re: Problems since the new McAfee dat file 4252 > > > > At 22:49 12/03/2003, you wrote: > > >I know I'm running a very old version of mailscanner, > 3.14, which may be > > >the problem, but since the new dat file came out, Office > XP calendar > > >meeting requests are being reported as Exploit-CTCalendar > and then the > > >scanner crashes and reports the virus again, 50-60 times a > minute until I > > >delete the message from the incoming folder. Is there > anything I can do, > > >short of upgrading the a new version, to fix this problem? > > > > What happens when you run mcafee on the files by hand? Can > you mail me the > > exact output please, and I'll find out what new versions do with it. > > -- > > Julian Field > > www.MailScanner.info > > Professional Support Services at www.MailScanner.biz > > MailScanner thanks transtec Computers for their support > > > From andrewh at CQG.COM Thu Mar 13 16:08:18 2003 From: andrewh at CQG.COM (Andrew M. Hoying) Date: Thu Jan 12 21:17:29 2006 Subject: Problems since the new McAfee dat file 4252 Message-ID: <8A6DFB0865502242A29E25BDAEFBB94553367D@d2sexchtest.cqg.com> It still happens, this is the error that is outputted to stderr: /bin/cat: /var/spool/MailScanner/incoming/h2DG5gXl011855.vir.header: No such file or directory /bin/cat: /var/spool/mqueue.in/dfh2DG5gXl011855.vir: No such file or directory > -----Original Message----- > From: Andrew M. Hoying > Sent: Thursday, March 13, 2003 9:05 AM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Problems since the new McAfee dat file 4252 > > > I updated to the latest uvscan version, Virus Scan for Linux > v4.24.0 as > was suggested, but scanning the file below still returns the > same virus > found. I don't know if MailScanner will break again yet, I'll let you > know what I find. > > Thanks. > > > -----Original Message----- 
> > From: Andrew M. Hoying > > Sent: Thursday, March 13, 2003 7:08 AM > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: Re: Problems since the new McAfee dat file 4252 > > > > > > Here is a copy of the file h2DAmR5G020453.vir : > > > > Return-Path: > > Received: from xx ([xx]) > > by xx(8.12.8/8.12.8) with ESMTP id h2DAmR5G020453 > > for ; Thu, 13 Mar 2003 03:48:28 -0700 > > Full-Name: Yuriy Toropin > > From: xx > > To: xx > > Subject: Meeting with representative from Vested Development Inc. > > Date: Thu, 13 Mar 2003 13:52:30 +0300 > > Message-ID: <00b401c2e94e$a61aa480$d4e7a8c0@mxpyuriy> > > MIME-Version: 1.0 > > Content-Type: text/calendar; method=REQUEST; > > charset="utf-8" > > Content-Transfer-Encoding: 7bit > > X-Priority: 3 (Normal) > > X-MSMail-Priority: Normal > > X-Mailer: Microsoft Outlook, Build 10.0.4024 > > X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106 > > Importance: Normal > > > > > > Here is the output from uvscan: > > > > # uvscan --recursive --ignore-links --analyze --secure --noboot > > h2DAmR5G020453.vir > > /root/h2DAmR5G020453.vir > > Found trojan or variant Exploit-CTCalendar !!! > > Please send a copy of the file to Network Associates > > > > > > ----- Original Message ----- 
> > From: "Julian Field" > > To: > > Sent: Thursday, March 13, 2003 3:14 AM > > Subject: Re: Problems since the new McAfee dat file 4252 > > > > > > > At 22:49 12/03/2003, you wrote: > > > >I know I'm running a very old version of mailscanner, > > 3.14, which may be > > > >the problem, but since the new dat file came out, Office > > XP calendar > > > >meeting requests are being reported as Exploit-CTCalendar > > and then the > > > >scanner crashes and reports the virus again, 50-60 times a > > minute until I > > > >delete the message from the incoming folder. Is there > > anything I can do, > > > >short of upgrading the a new version, to fix this problem? > > > > > > What happens when you run mcafee on the files by hand? Can > > you mail me the > > > exact output please, and I'll find out what new versions > do with it. > > > -- > > > Julian Field > > > www.MailScanner.info > > > Professional Support Services at www.MailScanner.biz > > > MailScanner thanks transtec Computers for their support > > > > > > From vic at vicsfamily.net Thu Mar 13 16:14:37 2003 
From: vic at vicsfamily.net (Victor Cain) Date: Thu Jan 12 21:17:29 2006 Subject: Kmail and Netscape Mail with Mailscanner Message-ID: <200303131114.37023.vic@vicsfamily.net> I am running mailscanner 3.27, spamassassin 2.43, fetchmail 5.9.11, exim 3.36 and using Kmail to read mail on a Debian Sarge system, thanks to many e-mails from Julian. It is working fine, as long as the Debian incompatabilities don't get too bad, however I would also like to read mail with Netscape Mail as an alternative to Kmail. Netscape Mail can send mail the same way as Kmail, just sending to "localhost" but Netscape Mail doesn't read the mail. Kmail just reads from "localhost" but when I try that with Netscape, nothing happens. Mailx, which is also on the system, does read it, but not Netscape. Do I need for MailScanner to send it to a different place? Any help would be appreciated. The attachment is what I did, for my own records. TIA, -- Victor R. Cain (865)435-5084 Fax:(865)435-9709 E: vic@vicsfamily.net Web: www.vicsfamily.net ------------ Quote of the Hour ------------ The cost of living hasn't affected its popularity. -------------- next part -------------- Steps to installation of MailScanner, Tnef, SpamAssassin, Fetchmail using Exim Operating System: Debian Linux "sarge" (testing) MTA: exim Mail Reader: kmail I INSTALL PACKAGES %%-> apt-get install f-prot-installer (This will tell you where to go to download the actual installation files and where to store them on your hard drive. It then does the install.) 
%%-> apt-get install tnef mailscanner spamassassin fetchmail fetchmailconf On my system this installed: mailscanner 3.27.1-1 spamassassin 2.43-1 tnef 1.1.1-0.1 fetchmail 5.9.11-7 fetchmailconf 5.9.11-7 exim 3.36-3 (previously installed) II CHANGE EXIM TO RUN AS DAEMON Exim was changed to run as a daemon by commenting out the following line in /etc/inetd.conf # smtp stream tcp nowait mail /usr/sbin/exim exim -bs III CREATE SPOOL DIRECTORIES AND EXIM CONFIG FILES At this point, I followed the instructions in http:///www.sng.ecs.soton.ac.uk/mailscanner/install/exim.shtml along with almost identical instructions in file: /usr/share/doc/mailscanner/README.exim provided with the mailscanner package. Briefly, do this: - create a spool for the incoming queue: mkdir -p /var/spool/exim_incoming mkdir -p /var/spool/exim_incoming/db mkdir -p /var/spool/exim_incoming/input mkdir -p /var/spool/exim_incoming/msglog chown -R mail.mail /var/spool/exim_incoming chmod -R 750 /var/spool/exim_incoming - modify the exim configuration: cp -p /etc/exim/exim.conf /etc/exim/exim_original.conf cp -p /etc/exim/exim.conf /etc/exim/exim_outgoing.conf mv /etc/exim/exim.conf /etc/exim/exim_incoming.conf ln -sf exim_incoming.conf /etc/exim/exim.conf IV MODIFY /ETC/EXIM/EXIM_INCOMING.CONF The upshot of the modifications to /etc/exim/exim_incoming.conf: %%-> diff /etc/exim/exim_original.conf /etc/exim/exim_incoming.conf 27a28,32 > # mailscanner config > spool_directory = /var/spool/exim_incoming > queue_only = true > > 298a304,309 > #mailscanner config -- this added at the _top_ of the directors configuration > defer_director: > driver = smartuser > new_address = :defer: All deliveries are deferred > verify = false > 372a384,391 > #mailscanner config -- this added at the _top_ of the routers configuration > defer_router: > driver = domainlist > self = defer > route_list = "* 127.0.0.1 byname" > verify = false Note that lines 304-309 (defer_director) must be the first entry in the "Director's 
Configuration" in the file, and lines 384-391 (defer_router) must be the first entry in the "Router's Configuration" in the file. V MODIFY /ETC/EXIM/EXIM_OUTGOING.CONF The comparable changes in /etc/exim/exim_outgoing.conf: %%-> diff /etc/exim/exim_original.conf /etc/exim/exim_outgoing.conf 27a28,32 > > # mailscanner configuration > log_file_path = syslog : /var/log/exim_outgoing/%slog > > 281a287,288 > hosts = smtp.comcast.net > hosts_override = true The two statements at lines 287-288 follow the "driver = smtp" line in the "remote_smtp" transport. Obviously if you are not a Comcast customer, use your ISP's mail server in place of "smtp.comcast.net". (This change was found necessary to keep several SPAM filters from tagging all of my outgoing e-mails as spam. Why, I don't really understand.) VI CREATE NEW EXIM START/STOP SCRIPT %%-> cp /usr/share/doc/mailscanner/exim/exim-init.d /etc/init.d/exim Note that there may be some problems with this script. It uses "start-stop-daemon" to start and stop _two_ daemons and I am not convinced that that program can really do that, but it does start the two daemons needed with the "/etc/init.d/exim start" command, as long as there are not previous versions running. Otherwise, who knows? VII DELETE EXIM CRON.D SCRIPT Comment out all executables in /etc/cron.d/exim (or delete the file). VIII CREATE NEW EXIM CRON.DAILY SCRIPT %%-> cp /usr/share/doc/mailscanner/exim/exim-cron.daily /etc/cron.daily/exim %%-> chmod a+x /etc/cron.daily/exim I also uncommented the if loop that generates daily e-mail activity reports (just for the fun of it -- not much point if you're not really running a mail server). IX F-PROT Make sure $FProtRoot in /etc/mailscanner/autoupdate/f-prot is set correctly. %%-> grep "FProtRoot " /etc/mailscanner/autoupdate/f-prot $FProtRoot = "/usr/lib/f-prot"; %%-> cat /usr/bin/f-prot #!/bin/sh # # This is a shell script to invoke the F-Prot OnDemand Scanner for Linux.
#
exec /usr/lib/f-prot/f-prot ${@+"$@"}

MAKE SURE the directories /usr/lib/f-prot and /var/lib/f-prot are owned by
"mail.mail".

F-PROT UPDATE from /etc/cron.d/f-prot (NOTE: this is modified from the original)

%%-> cat /etc/cron.d/f-prot
# /etc/cron.d/f-prot
27 4 * * * mail if [ -x /etc/mailscanner/autoupdate/f-prot ]; \
    then /etc/mailscanner/autoupdate/f-prot -cron; fi

F-PROT Wrapper (without comments):

%%-> nocomment /etc/mailscanner/wrapper/f-protwrapper
PackageDir=/usr/lib/f-prot # This may vary depending on your OS
Scanner=f-prot
ScanOptions=""
exec ${PackageDir}/$Scanner $ScanOptions "$@"

X CHANGE TO /ETC/DEFAULT/MAILSCANNER

run_mailscanner=1

XI MODIFY /ETC/MAILSCANNER/MAILSCANNER.CONF

The only changes from the Debian default file were:

Virus scanner = f-prot
Sweep = /etc/mailscanner/wrapper/f-protwrapper
Local Postmaster = postmaster@vicsfamily.net
Log Spam = yes

These are some of the more important settings:

Run As User = mail
Run As Group = mail
Host name = Monarch2
Incoming Work Dir = /var/spool/mailscanner/incoming
Quarantine Dir = /var/spool/mailscanner/quarantine
Pid File = /var/run/mailscanner/mailscanner.pid
Filename Rules = /etc/mailscanner/filename.rules.conf
Log Permitted Filenames = no
Hide Incoming Work Dir = yes
Incoming Queue Dir = /var/spool/exim_incoming/input
Outgoing Queue Dir = /var/spool/exim/input
MTA = exim
Sendmail = /usr/sbin/exim
Sendmail2 = /usr/sbin/exim -C /etc/exim/exim_outgoing.conf
Log Facility = mail
Virus Scanning = yes
Virus Scanner = f-prot
Sweep = /etc/mailscanner/wrapper/f-protwrapper
Virus Scanner Timeout = 300
Expand TNEF = yes
TNEF Expander = /usr/bin/tnef --maxsize=100000000
TNEF Timeout = 120
Notify Local Postmaster = yes
Postmaster Gets Full Headers = no
Local Postmaster = postmaster@vicsfamily.net
Local Domains = /etc/mailscanner/localdomains.conf
Spam Checks = yes
Spam Header = X-MailScanner-SpamCheck:
Spam Modify Subject = yes
Spam Subject Text = {SPAM?}
Spam Action = deliver
Log Spam = yes
Use SpamAssassin = yes
Max SpamAssassin Size = 50000
SpamAssassin Timeout = 15
Max SpamAssassin Timeouts = 10
SpamAssassin Prefs File = /etc/mailscanner/spam.assassin.prefs.conf
SpamAssassin Auto Whitelist = yes
Compile SpamAssassin Once = yes
Always Include SpamAssassin Report = yes
Spam List = ORDB-RBL, relays.ordb.org.
Spam List Timeout = 5
Max Spam List Timeouts = 7
Delivery Method = batch
Lock File Dir = /tmp
Deliver Unparsable TNEF = no
Deliver In Background = yes
Minimum Code Status = supported

XII SUGGESTED CHANGE TO /ETC/MAILSCANNER/SPAM.ASSASSIN.PREFS.CONF

Required_hits = 9 ### Not done yet

XIII KMAIL CONFIGURATION

NOTE: Kmail does not communicate directly with the ISP's mail server

Incoming (Receiving)
  POP
  Host: localhost
  Port: 110
  Dest Fldr: inbox
Outgoing (Sending)
  SMTP
  Host: localhost
  Port: 25

XIV NETSCAPE MAIL CONFIGURATION

I don't have the slightest idea how to get Netscape Mail to read the incoming
mail. I did succeed in getting the outgoing mail working by just changing the
ISP mail server (smtp.comcast.net) with "localhost", leaving everything else
alone. IF ANYONE KNOWS HOW TO DO THIS, PLEASE LET ME KNOW!

XV FETCHMAIL

Run fetchmailconf (not as root)

%%-> cd
%%-> /usr/bin/fetchmailconf
%%-> su -c "cp .fetchmailrc /etc/fetchmailrc"
%%-> su -c "chown fetchmail.nogroup /etc/fetchmailrc"

This is my copy of /etc/fetchmailrc, with 'u's for the user name and 'p's for
the password, if you just want to copy it. This one checks the ISP for mail
every ten minutes.

# Configuration created Wed Mar 5 15:59:51 2003 by fetchmailconf
set postmaster "vic"
set bouncemail
set no spambounce
set properties ""
set daemon 600
poll pop3.comcast.net with proto POP3
       user 'uuuuuu' there with password 'pppppp' is 'vic' here options fetchall

XVI CREATE OUTGOING LOG DIRECTORY

%%-> cd /var/log
%%-> mkdir exim_outgoing
%%-> chown mail.adm exim_outgoing
%%-> chmod --reference=exim exim_outgoing

XVII START EVERYTHING UP

I'm not sure just what you should do -- it all seems to start up if you reboot.
I assume that there is some proper sequence of commands like:

/etc/init.d/mailscanner restart
/etc/init.d/exim restart
/etc/init.d/fetchmail restart
From email at ace.net.au Thu Mar 13 16:33:58 2003
From: email at ace.net.au (Peter Nitschke)
Date: Thu Jan 12 21:17:29 2006
Subject: Wildcards
In-Reply-To: <5.2.0.9.2.20030312210113.02725ef8@imap.ecs.soton.ac.uk>
References: <5.2.0.9.2.20030312210113.02725ef8@imap.ecs.soton.ac.uk>
Message-ID: <200303140303580314.0715D4A7@smtp1.ace.net.au>

Having the problem of spam being sent "from" one of my domains, so
getting back huge numbers of bounces.

That domain doesn't have any numbers in the user names, but all the spam
bounce messages do.

Is it possible to block mail to addresses with numbers, eg some rules
like:

*1*@domain.com
*2*@domain.com
etc

I would prefer to block at the sendmail level if possible.

Peter
From andrewh at CQG.COM Wed Mar 12 22:49:32 2003
From: andrewh at CQG.COM (Andrew M. Hoying)
Date: Thu Jan 12 21:17:29 2006
Subject: Problems since the new McAfee dat file 4252
Message-ID: <8A6DFB0865502242A29E25BDAEFBB945533679@d2sexchtest.cqg.com>

I know I'm running a very old version of mailscanner, 3.14, which may be
the problem, but since the new dat file came out, Office XP calendar
meeting requests are being reported as Exploit-CTCalendar and then the
scanner crashes and reports the virus again, 50-60 times a minute until
I delete the message from the incoming folder. Is there anything I can
do, short of upgrading to a new version, to fix this problem?

Andrew Hoying

This footnote also confirms that this email message has been swept by
MIMEsweeper for the presence of computer viruses
From mike at TECHINTER.COM Thu Mar 13 18:22:56 2003
From: mike at TECHINTER.COM (Mike Williams)
Date: Thu Jan 12 21:17:29 2006
Subject: Per User Blacklist and white lists
In-Reply-To: <5.2.0.9.2.20030312200952.025e7890@imap.ecs.soton.ac.uk>
Message-ID:

Ok, that didn't do anything either but when I add

  $message->{ishigh} = 1;

to the CustomConfig.pm in the lines you gave me it triggers the high score. Only problem I noticed with this is when To: contains multiple recipients and when CC: contains recipients. It will allow that message to go through. I suspect because the other addresses are not on the in the spam checking and it somehow resets to a not scanned message.

Mike

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Julian Field
Sent: Wednesday, March 12, 2003 2:19 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Per User Blacklist and white lists

At 19:47 12/03/2003, you wrote:
>Works like a charm. Thanks.

Great. It will be in the next release.

> BTW quick question is there a way to assign a
>spam score to blacklisted addresses so that it will activate the high score
>rule?

Not currently, no. But try this:

1) In the blacklisting lookup code, change the code to say this:

sub ByDomainSpamBlacklist {
  my($message) = @_;
  my($value);

  $value = LookupByDomainList($message, \%Blacklist);
  $message->{sascore} = 10 if $value;
  return $value;
}

(if you want blacklisting to score 10)

Then edit Message.pm and change line 370 from

  $this->{sascore} = $sascore; # Save the actual figure for use later...

to

  $this->{sascore} += $sascore; # Save the actual figure for use later...

Give this a try and let me know how you get on.

>-----Original Message-----
>From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On
>Behalf Of Julian Field
>Sent: Wednesday, March 12, 2003 12:19 PM
>To: MAILSCANNER@JISCMAIL.AC.UK
>Subject: Re: Per User Blacklist and white lists
>
>
>Looks like I never wrote the code to do the per-user lists, only per-domain
>lists.
>
>Try editing CustomConfig.pm and making "LookupByDomainList" look like this:
>
>sub LookupByDomainList {
>  my($message, $BlackWhite) = @_;
>
>  return 0 unless $message; # Sanity check the input
>
>  # Find the "from" address and the first "to" address
>  my($from, $fromdomain, @todomain, $todomain, @to, $to, $ip);
>  $from       = $message->{from};
>  $fromdomain = $message->{fromdomain};
>  @todomain   = @{$message->{todomain}};
>  $todomain   = $todomain[0];
>  @to         = @{$message->{to}};
>  $to         = $to[0];
>  $ip         = $message->{clientip};
>
>  # It is in the list if either the exact address is listed,
>  # or the domain is listed
>  return 1 if $BlackWhite->{$to}{$from};
>  return 1 if $BlackWhite->{$to}{$fromdomain};
>  return 1 if $BlackWhite->{$to}{$ip};
>  return 1 if $BlackWhite->{$todomain}{$from};
>  return 1 if $BlackWhite->{$todomain}{$fromdomain};
>  return 1 if $BlackWhite->{$todomain}{$ip};
>
>  # It is not in the list
>  return 0;
>}
>
>Please give this a try and let me know if it works, so I can include the
>code in the next release (due very shortly to fix long filename checking
>bug in 4.13).
>
>At 17:48 12/03/2003, you wrote:
> >Ok, I enabled the bydomainblacklist and bydomainwhitelist in the
> >MailScanner.conf with
> >
> >Is Definitely Not Spam = &ByDomainSpamWhitelist
> >Is Definitely Spam = &ByDomainSpamBlacklist
> >
> >The directories are set to /etc/MailScanner/rules/whitelist and
> >/etc/MailScanner/rules/blacklist. I have a file in blacklist folder named
> >user@domain.com (actual file name is different but same format). In the
> >file user@domain.com I have listed several blacklist items, one is an email
> >account that I have on aol.com.
The aol email address doesn't appear in >any > >whitelist. However, when I send email to user@domain.com from the AOL > >account that is on the blacklist it goes through without even being marked > >as spam. There are no errors when starting mailscanner and in the logs is > >says that it read blacklist for 1 domain. I must be missing something but >I > >haven't a clue. > > > >Mike > >-----Original Message----- > >From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > >Behalf Of Julian Field > >Sent: Tuesday, March 11, 2003 2:24 PM > >To: MAILSCANNER@JISCMAIL.AC.UK > >Subject: Re: Per User Blacklist and white lists > > > > > >At 19:50 11/03/2003, you wrote: > > >Julian, > > > > > >Thanks for the info. I'm looking at the code and the example is for > > >bydomain. I'm not sure but it looks like I can have the white and black > > >list by either domain.com or by user@domain.com. > > > >Yes you can. You can even give it IP addresses if I remember rightly. > > > > > The reason I am asking is > > >that each user will need to be able to specify their own black and white > > >list. This makes it possible that one user would wish to block email >from > >a > > >user@spam.com and another user to whitelist or not block a >user@spam.com. > > >So if I use a filename of user1@domain.com and user2@domain.com does this > >in > > >fact make the whitelist and blacklist unique for each user even if they >are > > >in the same domain? > > > > > >Mike > > > > > >-----Original Message----- 
> > >From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > > >Behalf Of Julian Field > > >Sent: Tuesday, March 11, 2003 12:44 PM > > >To: MAILSCANNER@JISCMAIL.AC.UK > > >Subject: Re: Per User Blacklist and white lists > > > > > > > > >Take a look in the CustomConfig.pm file in recent distributions. This > > >feature is an example of what you can do with "Custom Functions". You >will > > >probably need to change the directories it reads the black/whitelists >from, > > >but otherwise it will just work. The code briefly explains what should go > > >in the various config files. > > > > > >At 18:35 11/03/2003, you wrote: > > > >Is it possible to have a per user blacklist and whitelist? Example in > >the > > > >whitelist file: > > > > > > > >To: user-1@domain.com > > >/etc/MailScanner/rules/whitelist/user-1-domain.com > > > >To: user-2@domain.com > > >/etc/MailScanner/rules/whitelist/user-2-domain.com > > > >FromTo: Default no > > > > > > > > > > > >user-1-domain.com > > > > > > > >From: friend@domain.com yes > > > >From: friend1@domain.com yes 
> > > >From: default no > > > > > > > >and so on? > > > > > > > >Mike > > > > > >-- > > >Julian Field > > >www.MailScanner.info > > >Professional Support Services at www.MailScanner.biz > > >MailScanner thanks transtec Computers for their support > > > >-- > >Julian Field > >www.MailScanner.info > >Professional Support Services at www.MailScanner.biz > >MailScanner thanks transtec Computers for their support > >-- >Julian Field >www.MailScanner.info >Professional Support Services at www.MailScanner.biz >MailScanner thanks transtec Computers for their support -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support This footnote also confirms that this email message has been swept by MIMEsweeper for the presence of computer viruses ************************************************************************** ********* From mailscanner at LISTS.COM.AR Thu Mar 13 18:15:47 2003 
From: mailscanner at LISTS.COM.AR (Mariano Absatz)
Date: Thu Jan 12 21:17:29 2006
Subject: "Found invalid qf" message running amok
In-Reply-To:
Message-ID: <3E70A0A3.24984.8B9C667A@localhost>

Hi Jeff,

this message _did_ come in thru sendmail?

I just looked at the code and the reason of that error is that one or more of these 3 conditions are true:

1) the qf lacks a "S" line (sender)
2) the qf lacks a "R" line (recipient)
3) the qf lacks a "$_" line which should have the originating address in it in a format [NNN.NNN.NNN.NNN] or "someone@localhost".

Anyway, if the "$_" line IS in there, MailScanner won't fail there.

On 13 Mar 2003 at 10:48, Jeff A. Earickson wrote:

> Julian,
>
> Every once in a while our mail server gets malformed spam that
> causes a blizzard of "Batch: Found invalid qf queue file" messages
> in my syslog. This message comes from line 329 of
> lib/MailScanner/Sendmail.pm (version 4.13-3). I can send you the
> qf files if you want to look at them, but the messages are always
> from well-known spam sites with uuencoded message bodies. They have
> IP numbers of 0.0.0.0 in the qf files, which probably triggers the
> syslog message. I have to yank the miscreants out of mqueue.in to
> restore order.
>
> Can't MailScanner just note the problem in syslog once, then either
> nuke the qf/df files in mqueue.in, or maybe move them to /tmp?
>
> --- Jeff A. Earickson

--
Mariano Absatz
El Baby
----------------------------------------------------------
Hello, I must be going.
  -- Groucho Marx

From mailscanner at ecs.soton.ac.uk Thu Mar 13 19:02:26 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:29 2006
Subject: Wildcards
In-Reply-To: <200303140303580314.0715D4A7@smtp1.ace.net.au>
References: <5.2.0.9.2.20030312210113.02725ef8@imap.ecs.soton.ac.uk> <5.2.0.9.2.20030312210113.02725ef8@imap.ecs.soton.ac.uk>
Message-ID: <5.2.0.9.2.20030313190023.0204b008@imap.ecs.soton.ac.uk>

At 16:33 13/03/2003, you wrote:
>Having the problem of spam being sent "from" one of my domains, so getting
>back huge numbers of bounces.
>
>That domain doesn't have any numbers in the user names, but all the spam
>bounce messages do.
>
>Is it possible to block mail to addresses with numbers, eg some rules like:
>
>*1*@domain.com
>*2*@domain.com
>etc
>
>I would prefer to block at the sendmail level if possible.

This is an MTA problem, not a MailScanner one.
As an example of blocking a pattern, I use this:

KIsEcsList2 regex -a@MATCH ^.*-all(-[0-9])?$

SLocal_check_rcpt
R$* <@ *LOCAL* > $*	$: $(IsEcsList2 $1 $) <@ *LOCAL* > $2	ECS list?

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Thu Mar 13 20:17:21 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:29 2006
Subject: Beta test please
Message-ID: <5.2.0.9.2.20030313200314.02721ea0@imap.ecs.soton.ac.uk>

Before I publish this to the world, can you test these for me please?

http://www.sng.ecs.soton.ac.uk/mailscanner/files/4/tar/MailScanner-4.14-3.tar
http://www.sng.ecs.soton.ac.uk/mailscanner/files/4/rpm/MailScanner-4.14-3.rpm.tar
http://www.sng.ecs.soton.ac.uk/mailscanner/files/4/suse/MailScanner-4.14-3.suse.tar

Hopefully this is okay now, but let me know...
Only the mailscanner*rpm has changed, the other RPM's are as before.

The ChangeLog says this:

* New Features and Improvements *
- Improved OpenBSD installation and upgrading instructions.
- Added check of location of all required system commands.
- Improved wording of message to spam senders.
- Increased max size of messages sent to SpamAssassin. Spam messages are
  getting bigger.

* Fixes *
- Fixed important bug in filename checking code causing it not to check
  long filenames properly.
- Changed setuid/setgid code so taint mode is not switched on.
- Fixed various other issues kindly brought to my attention by Tony Finch
  at Cambridge Univ.
- Fixed problem with deleting recipients from messages with Exim.
- Fixed problem with headers being passed to SpamAssassin from Exim
  incorrectly.

Thanks folks!
--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

From mike at ZANKER.ORG Thu Mar 13 21:14:25 2003
From: mike at ZANKER.ORG (Mike Zanker) Date: Thu Jan 12 21:17:29 2006 Subject: Beta test please In-Reply-To: <5.2.0.9.2.20030313200314.02721ea0@imap.ecs.soton.ac.uk> References: <5.2.0.9.2.20030313200314.02721ea0@imap.ecs.soton.ac.uk> Message-ID: <220707593.1047590065@jemima.zanker.org> On 13 March 2003 20:17 +0000 Julian Field wrote: > Before I publish this to the world, can you test these for me please? Been meaning to mention this for a while but keep forgetting. Any particular reason for the install process starting MailScanner when installing from rpm? Could this not cause problems if MailScanner.conf hasn't been edited yet? Thanks, Mike. From JeremyE at BSA.CA.GOV Thu Mar 13 22:19:10 2003 
From: JeremyE at BSA.CA.GOV (Jeremy Evans) Date: Thu Jan 12 21:17:29 2006 Subject: Beta test please Message-ID: <2739ECF7268CD0118F50080009DCC9F00235D2F7@pebble.bsa.ca.gov> After running the upgrade_MailScanner_conf program I noticed that the Archive Mail setting was removed, and the Information Header section was added a second time. Here are the diffs between the new version (created by upgrade_MailScanner_conf) and the old MailScanner.conf: 426a427,434 > Information Header = X-MailScanner-Information: > > # Add this extra header to all mail as it is processed. > # The contents is set by "Information Header Value" and is intended for > # you to be able to insert a help URL for your users. > # If you don't want an information header at all, just comment out this > # setting or set it to be blank. > # This can also be the filename of a ruleset. 599,612d606 < < # < # Mail Archiving and Monitoring < # ----------------------------- < # < < # Space-separated list of email address and directory names where you want < # a copy of all mail to be forwarded or stored. < # < # If you give this option a ruleset, you can control exactly whose mail < # is archived or forwarded. If you do this, beware of the legal implications < # as this could be deemed to be illegal interception unless the police have < # asked you to do this. < Archive Mail = /opt/MailScanner/etc/rules/archive.rules Here are the relevant parts of the diffs between the new file created by upgrade_MailScanner_conf and the 4.14-3 default MailScanner.conf: 427a429,436 > # Add this extra header to all mail as it is processed. > # The contents is set by "Information Header Value" and is intended for > # you to be able to insert a help URL for your users. > # If you don't want an information header at all, just comment out this > # setting or set it to be blank. > # This can also be the filename of a ruleset. 
> #Information Header = X-MailScanner-Information: > 600,613d608 < # Mail Archiving and Monitoring < # ----------------------------- < # < < # Space-separated list of email address and directory names where you want < # a copy of all mail to be forwarded or stored. < # < # If you give this option a ruleset, you can control exactly whose mail < # is archived or forwarded. If you do this, beware of the legal implications < # as this could be deemed to be illegal interception unless the police have < # asked you to do this. < #Archive Mail = /var/spool/MailScanner/archive < < # Here is the output from upgrade_MailScanner_conf: Added new: Information Header = X-MailScanner-Information: Removed old: Archive Mail = /opt/MailScanner/etc/rules/archive.rules Summary ------- Read 125 settings from old /opt/MailScanner/etc/MailScanner.conf Used 124 settings from old /opt/MailScanner/etc/MailScanner.conf Used 1 default settings from new ./MailScanner.conf2 Notes ----- I would advise you to check on any parameters which are different between the default new conf file and the conf file you just created, so that you find any parameters whose default values have changed. If you ran this with a command like this upgrade_MailScanner_conf MailScanner.conf MailScanner.conf.rpmnew > MailScanner.conf.new then you should do diff MailScanner.conf.rpmnew MailScanner.conf.new and check for any differences in values you have not changed yourself. Once you have checked that MailScanner.new contains what you want, you can then save your old one and move the new one into place, using commands like these: mv -f MailScanner.conf MailScanner.old mv -f MailScanner.new MailScanner.conf Did I make a mistake somewhere, or is there something wrong with the script? It's obviously pretty trivial to fix the problems manually, but it'd be nice to know if I made a mistake or if there is an error in the script. Thanks. 
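Review bot: in the 599,612d606 hunk of the first diff, the uncommented "Archive Mail = /opt/MailScanner/etc/rules/archive.rules" line is deleted together with its comment block and nothing on the ">" side replaces it, so the generated file no longer carries the archive ruleset. Before moving the generated file into place, copy that line back in by hand, then re-run the diff against the old MailScanner.conf and confirm that no other uncommented setting appears only on the "<" side.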
Sincerely,

Jeremy Evans
Information Systems Analyst
California State Auditor
916-445-0255 phone
916-322-7801 fax

-----Original Message-----
From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK]
Sent: Thursday, March 13, 2003 12:17 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Beta test please

Before I publish this to the world, can you test these for me please?

http://www.sng.ecs.soton.ac.uk/mailscanner/files/4/tar/MailScanner-4.14-3.tar
http://www.sng.ecs.soton.ac.uk/mailscanner/files/4/rpm/MailScanner-4.14-3.rpm.tar
http://www.sng.ecs.soton.ac.uk/mailscanner/files/4/suse/MailScanner-4.14-3.suse.tar

Hopefully this is okay now, but let me know...
Only the mailscanner*rpm has changed, the other RPM's are as before.

The ChangeLog says this:

* New Features and Improvements *
- Improved OpenBSD installation and upgrading instructions.
- Added check of location of all required system commands.
- Improved wording of message to spam senders.
- Increased max size of messages sent to SpamAssassin. Spam messages are
  getting bigger.

* Fixes *
- Fixed important bug in filename checking code causing it not to check
  long filenames properly.
- Changed setuid/setgid code so taint mode is not switched on.
- Fixed various other issues kindly brought to my attention by Tony Finch
  at Cambridge Univ.
- Fixed problem with deleting recipients from messages with Exim.
- Fixed problem with headers being passed to SpamAssassin from Exim
  incorrectly.

Thanks folks!
--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Thu Mar 13 22:19:10 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:29 2006 Subject: Beta test please In-Reply-To: <220707593.1047590065@jemima.zanker.org> References: <5.2.0.9.2.20030313200314.02721ea0@imap.ecs.soton.ac.uk> <5.2.0.9.2.20030313200314.02721ea0@imap.ecs.soton.ac.uk> Message-ID: <5.2.0.9.2.20030313221320.02cf0d00@imap.ecs.soton.ac.uk> At 21:14 13/03/2003, you wrote: >On 13 March 2003 20:17 +0000 Julian Field >wrote: > >>Before I publish this to the world, can you test these for me please? > >Been meaning to mention this for a while but keep forgetting. Any >particular reason for the install process starting MailScanner when >installing from rpm? Could this not cause problems if MailScanner.conf >hasn't been edited yet? It does a restart when it has been upgraded. If I totally stop it, then I end up cutting off the SMTP service as well, which I don't want to do. It's a bit of an awkward problem. As the new config file will have been put in as .rpmnew, it will just be running with default values for the new parameters. All your old settings will still be used. On the whole my default values are chosen to be "sensible" and not do anything stupid with your mail. -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Thu Mar 13 22:35:40 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:29 2006 Subject: Beta test please In-Reply-To: <2739ECF7268CD0118F50080009DCC9F00235D2F7@pebble.bsa.ca.gov > Message-ID: <5.2.0.9.2.20030313223035.02f23e58@imap.ecs.soton.ac.uk> At 22:19 13/03/2003, you wrote: >After running the upgrade_MailScanner_conf program I noticed that the >Archive Mail setting was removed, and the Information Header section was >added a second time. Here are the diffs between the new version (created by >upgrade_MailScanner_conf) and the old MailScanner.conf: > >426a427,434 > > Information Header = X-MailScanner-Information: > > > > # Add this extra header to all mail as it is processed. > > # The contents is set by "Information Header Value" and is intended for > > # you to be able to insert a help URL for your users. > > # If you don't want an information header at all, just comment out this > > # setting or set it to be blank. > > # This can also be the filename of a ruleset. >599,612d606 >< >< # >< # Mail Archiving and Monitoring >< # ----------------------------- >< # >< >< # Space-separated list of email address and directory names where you want >< # a copy of all mail to be forwarded or stored. >< # >< # If you give this option a ruleset, you can control exactly whose mail >< # is archived or forwarded. If you do this, beware of the legal >implications >< # as this could be deemed to be illegal interception unless the police >have >< # asked you to do this. >< Archive Mail = /opt/MailScanner/etc/rules/archive.rules > >Here are the relevant parts of the diffs between the new file created by >upgrade_MailScanner_conf and the 4.14-3 default MailScanner.conf: > >427a429,436 > > # Add this extra header to all mail as it is processed. > > # The contents is set by "Information Header Value" and is intended for > > # you to be able to insert a help URL for your users. 
> > # If you don't want an information header at all, just comment out this > > # setting or set it to be blank. > > # This can also be the filename of a ruleset. > > #Information Header = X-MailScanner-Information: > > >600,613d608 >< # Mail Archiving and Monitoring >< # ----------------------------- >< # >< >< # Space-separated list of email address and directory names where you want >< # a copy of all mail to be forwarded or stored. >< # >< # If you give this option a ruleset, you can control exactly whose mail >< # is archived or forwarded. If you do this, beware of the legal >implications >< # as this could be deemed to be illegal interception unless the police >have >< # asked you to do this. >< #Archive Mail = /var/spool/MailScanner/archive >< >< # > > >Here is the output from upgrade_MailScanner_conf: > >Added new: Information Header = X-MailScanner-Information: >Removed old: Archive Mail = /opt/MailScanner/etc/rules/archive.rules It is commented out in the supplied .conf file, with the result that the upgrade script thinks it has been removed as it can't find it. I wanted the upgrade script to work with any version upgrade, with the result that it doesn't do 100% of the job for you. It does tell you where to look though, and hopefully you will be able to fix up the remains by hand. The only other option was to make it read the syntax structure of the new conf file from ConfigDefs.pl, which would have made the script enormously more complicated. And as for working with any version, that would be almost impossible. So I went for the "works 98% of the time with any upgrade" version than the "works 100% of the time in exactly the right situation" version. -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support From JeremyE at BSA.CA.GOV Thu Mar 13 22:48:54 2003 
From: JeremyE at BSA.CA.GOV (Jeremy Evans) Date: Thu Jan 12 21:17:29 2006 Subject: Beta test please Message-ID: <2739ECF7268CD0118F50080009DCC9F00235D2F8@pebble.bsa.ca.gov> Thanks for the quick response as always. Starting now, I'm leaving the Information Header setting blank instead of commenting it out, so that I won't have a problem with it next time. I'm not sure if I understand what went wrong with the Archive Mail setting. It wasn't commented out in the supplied file (though it is commented out in the default file, as are other settings such as Lock Type and Allowed Sophos Error Messages). Maybe you should change the Archive Mail setting to blank or "no" instead of or in addition to having it commented out (same for the other settings that are commented out by default). Would that fix the problem with Archive Mail? I'm guessing I didn't have a problem with those other settings because they were commented out in both the default and the supplied files. -----Original Message----- 
From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] Sent: Thursday, March 13, 2003 2:36 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Beta test please At 22:19 13/03/2003, you wrote: >After running the upgrade_MailScanner_conf program I noticed that the >Archive Mail setting was removed, and the Information Header section was >added a second time. Here are the diffs between the new version (created by >upgrade_MailScanner_conf) and the old MailScanner.conf: > >426a427,434 > > Information Header = X-MailScanner-Information: > > > > # Add this extra header to all mail as it is processed. > > # The contents is set by "Information Header Value" and is intended for > > # you to be able to insert a help URL for your users. > > # If you don't want an information header at all, just comment out this > > # setting or set it to be blank. > > # This can also be the filename of a ruleset. >599,612d606 >< >< # >< # Mail Archiving and Monitoring >< # ----------------------------- >< # >< >< # Space-separated list of email address and directory names where you want >< # a copy of all mail to be forwarded or stored. >< # >< # If you give this option a ruleset, you can control exactly whose mail >< # is archived or forwarded. If you do this, beware of the legal >implications >< # as this could be deemed to be illegal interception unless the police >have >< # asked you to do this. >< Archive Mail = /opt/MailScanner/etc/rules/archive.rules > >Here are the relevant parts of the diffs between the new file created by >upgrade_MailScanner_conf and the 4.14-3 default MailScanner.conf: > >427a429,436 > > # Add this extra header to all mail as it is processed. > > # The contents is set by "Information Header Value" and is intended for > > # you to be able to insert a help URL for your users. > > # If you don't want an information header at all, just comment out this > > # setting or set it to be blank. > > # This can also be the filename of a ruleset. 
> > #Information Header = X-MailScanner-Information: > > >600,613d608 >< # Mail Archiving and Monitoring >< # ----------------------------- >< # >< >< # Space-separated list of email address and directory names where you want >< # a copy of all mail to be forwarded or stored. >< # >< # If you give this option a ruleset, you can control exactly whose mail >< # is archived or forwarded. If you do this, beware of the legal >implications >< # as this could be deemed to be illegal interception unless the police >have >< # asked you to do this. >< #Archive Mail = /var/spool/MailScanner/archive >< >< # > > >Here is the output from upgrade_MailScanner_conf: > >Added new: Information Header = X-MailScanner-Information: >Removed old: Archive Mail = /opt/MailScanner/etc/rules/archive.rules It is commented out in the supplied .conf file, with the result that the upgrade script thinks it has been removed as it can't find it. I wanted the upgrade script to work with any version upgrade, with the result that it doesn't do 100% of the job for you. It does tell you where to look though, and hopefully you will be able to fix up the remains by hand. The only other option was to make it read the syntax structure of the new conf file from ConfigDefs.pl, which would have made the script enormously more complicated. And as for working with any version, that would be almost impossible. So I went for the "works 98% of the time with any upgrade" version than the "works 100% of the time in exactly the right situation" version. -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support From jrudd at UCSC.EDU Thu Mar 13 22:47:12 2003 
From: jrudd at UCSC.EDU (John Rudd)
Date: Thu Jan 12 21:17:29 2006
Subject: MailScanner and Communigate Pro
Message-ID: <200303132247.h2DMlCT00523@kzin.ucsc.edu>

For anyone who is interested, I've got a preliminary set of wrapper scripts set up for using Communigate Pro with MailScanner.

The way they work is that Communigate Pro has an "Execute" rule which invokes my first wrapper. That wrapper creates a sendmail format pair of queue files, and puts them into mailscanner's incoming queue. The rule then discards the message (since mailscanner will change the body and/or subject of the message if it finds various things).

When mailscanner is done with the message, it invokes my 2nd wrapper script, which converts the message out of sendmail paired queue file format and then sends the message out using Communigate Pro's legacy "sendmail" command. (unfortunately, the legacy sendmail command does not take in queue file messages via the "-qI" method that mailscanner uses)

There are only a very few interdependencies, two of which I'm going to try to eliminate:

1) my wrappers need to be told where your mailscanner queues are (both incoming and outgoing).

2) mailscanner's "Sendmail2" variable needs to be set to my 2nd wrapper script (I do not know how the "Sendmail" variable works, by generating a message via queue files, as with Sendmail2, or generating a message via stdin ... so that's one untested issue so far). Mailscanner keeps the "MTA" variable set to sendmail, so it doesn't really know it's not actually using sendmail.

3) both Communigate Pro and mailscanner have to agree upon the Information header. That's how Communigate Pro knows that the message has been scanned already. I am thinking about having Communigate Pro use a different header that my wrapper scripts will insert into the message, and then Communigate Pro will remove the header in a later rule.
The reason I'm thinking about this, is that it makes me nervous that maybe a spammer or virus author could pre-include headers to try to bypass mailscanner. So, if I put in a header that only communigate pro, mailscanner, and my wrapper scripts will ever see, then I'll feel a little better about that.

(the two things I need to resolve are the issue about mailscanner's "Sendmail" variable, and how it generates informational messages, and the thing in item 3)

Otherwise, a little code commenting and clean up, some documentation, and I'll be ready to release this thing for other people to look over.

My two reasons for posting about it now are:

a) can some people who are more mailscanner savvy than I look at what I am asking in item #2 above, and

b) is there anyone in either community who is interested in testing this? Once I do those cleanup things, I'd like to let other people look it over and report if they find any problems. If you are interested, mail me back, off of both lists, with the subject "Test MS-CGP Interface" and I'll get back to you (probably next week) when I'm ready to give it out.

(once I feel it has been well tested, I'll then make it available for general download)

For those on the Communigate Pro mailing list who may not know what MailScanner is, MailScanner is a program written in perl which manages various tools for checking the contents of your email on a site wide basis. It can be set up with a wide range of virus scanning engines (sophos, mcafee, f-prot, f-secure, clamav, kaspersky, rav, panda, trend), spam assassin, and various RBL services. It then allows you to specify different actions for different results (quarantine messages, delete them without delivery, deliver them with subject and/or header markups, replace viruses with reports about what was found, send reports to the postmaster, and many other options).

For more information about MailScanner, see www.mailscanner.info

John Rudd

From mike at ZANKER.ORG Fri Mar 14 06:09:05 2003
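An added illustration of the header-trust concern raised in John Rudd's message above; it is not his wrapper code and not part of MailScanner or CommuniGate Pro. The header name X-Scan-Token, the key and the sample message are constructed, LF line endings are assumed, and the example goes one step past a private header name by binding the marker to the message with an HMAC.

```python
import hashlib
import hmac
from email import message_from_string

PUBLIC_HEADER = "X-MailScanner-Information"  # the Information Header named on this page
TOKEN_HEADER = "X-Scan-Token"                # hypothetical private marker header
KEY = b"constructed-demo-key"                # constructed; a real key stays on the mail host

# Constructed sample: mail from outside that already carries both headers.
FORGED = (
    "From: someone@example.net\n"
    "To: user@example.org\n"
    "Message-ID: <constructed-1@example.net>\n"
    "X-MailScanner-Information: Please contact the ISP for more information\n"
    "X-Scan-Token: 0000000000000000\n"
    "Subject: constructed sample\n"
    "\n"
    "From the outside, with headers pre-included by the sender.\n"
)


def strip_header(raw, name):
    """Remove every instance of header `name`, including folded continuation lines."""
    head, sep, body = raw.partition("\n\n")
    kept, removed, dropping = [], 0, False
    for line in head.split("\n"):
        if line[:1] in (" ", "\t"):          # continuation of the previous header
            if not dropping:
                kept.append(line)
            continue
        dropping = line.lower().startswith(name.lower() + ":")
        if dropping:
            removed += 1
        else:
            kept.append(line)
    return "\n".join(kept) + sep + body, removed


def _mac(key, raw):
    """HMAC-SHA256 over Message-ID and body, so a token is useless on any other message."""
    msg_id = str(message_from_string(raw).get("Message-ID", ""))
    body = raw.partition("\n\n")[2]
    material = (msg_id + "\n" + body).encode("utf-8", "replace")
    return hmac.new(key, material, hashlib.sha256).hexdigest()


def naive_already_scanned(raw):
    """Fragile rule: trust the public information header if it is present at all."""
    return message_from_string(raw).get(PUBLIC_HEADER) is not None


def ingest(raw):
    """First wrapper: any token on mail from outside is sender-supplied, so drop it."""
    return strip_header(raw, TOKEN_HEADER)


def release(raw, key):
    """Second wrapper: scanning is finished, stamp the final message with a fresh token."""
    clean, _ = strip_header(raw, TOKEN_HEADER)
    return "%s: %s\n%s" % (TOKEN_HEADER, _mac(key, clean), clean)


def already_scanned(raw, key):
    """MTA-side check: exactly one token, and it verifies for this exact message."""
    tokens = message_from_string(raw).get_all(TOKEN_HEADER, [])
    if len(tokens) != 1:
        return False
    clean, _ = strip_header(raw, TOKEN_HEADER)
    presented = str(tokens[0]).strip().encode("utf-8", "replace")
    return hmac.compare_digest(presented, _mac(key, clean).encode("ascii"))


def demo():
    queued, dropped = ingest(FORGED)
    released = release(queued, KEY)
    tampered = released.replace("pre-included", "altered after scan")
    return {
        "naive_trusts_forged": naive_already_scanned(FORGED),
        "hmac_trusts_forged": already_scanned(FORGED, KEY),
        "tokens_dropped_on_ingest": dropped,
        "hmac_trusts_released": already_scanned(released, KEY),
        "hmac_trusts_tampered": already_scanned(tampered, KEY),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The token is computed by the second wrapper because the scanner may rewrite the body or subject; a token computed before scanning would fail on every modified message.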
From: mike at ZANKER.ORG (Mike Zanker) Date: Thu Jan 12 21:17:29 2006 Subject: Beta test please In-Reply-To: <5.2.0.9.2.20030313221320.02cf0d00@imap.ecs.soton.ac.uk> References: <5.2.0.9.2.20030313200314.02721ea0@imap.ecs.soton.ac.uk> <5.2.0.9.2.20030313200314.02721ea0@imap.ecs.soton.ac.uk> <5.2.0.9.2.20030313221320.02cf0d00@imap.ecs.soton.ac.uk> Message-ID: <252787921.1047622145@jemima.zanker.org> On 13 March 2003 22:19 +0000 Julian Field wrote: > It does a restart when it has been upgraded. If I totally stop it, > then I end up cutting off the SMTP service as well, which I don't > want to do. It's a bit of an awkward problem. OK, I hadn't really thought about it in the context of large sites. > As the new config file will have been put in as .rpmnew, it will just > be running with default values for the new parameters. All your old > settings will still be used. On the whole my default values are > chosen to be "sensible" and not do anything stupid with your mail. That's true, so it's not as bad as I thought it would be. Thanks, Mike. From mailscanner at ecs.soton.ac.uk Fri Mar 14 11:18:45 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:29 2006 Subject: Beta test please In-Reply-To: <2739ECF7268CD0118F50080009DCC9F00235D2F8@pebble.bsa.ca.gov > Message-ID: <5.2.0.9.2.20030314111326.04158568@imap.ecs.soton.ac.uk> I've been through the conf file and set values for all the variables, so none are commented out. This should improve things. The values are just blank if they were commented out before. Hopefully upgrade_MailScanner_conf will have an easier time now. Which distribution are you using? Can I just mail you a new URL to try this out please? At 22:48 13/03/2003, you wrote: >Thanks for the quick response as always. > >Starting now, I'm leaving the Information Header setting blank instead of >commenting it out, so that I won't have a problem with it next time. > >I'm not sure if I understand what went wrong with the Archive Mail setting. >It wasn't commented out in the supplied file (though it is commented out in >the default file, as are other settings such as Lock Type and Allowed Sophos >Error Messages). Maybe you should change the Archive Mail setting to blank >or "no" instead of or in addition to having it commented out (same for the >other settings that are commented out by default). Would that fix the >problem with Archive Mail? I'm guessing I didn't have a problem with those >other settings because they were commented out in both the default and the >supplied files. > >-----Original Message----- 
>From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] >Sent: Thursday, March 13, 2003 2:36 PM >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Re: Beta test please > > >At 22:19 13/03/2003, you wrote: > >After running the upgrade_MailScanner_conf program I noticed that the > >Archive Mail setting was removed, and the Information Header section was > >added a second time. Here are the diffs between the new version (created >by > >upgrade_MailScanner_conf) and the old MailScanner.conf: > > > >426a427,434 > > > Information Header = X-MailScanner-Information: > > > > > > # Add this extra header to all mail as it is processed. > > > # The contents is set by "Information Header Value" and is intended for > > > # you to be able to insert a help URL for your users. > > > # If you don't want an information header at all, just comment out this > > > # setting or set it to be blank. > > > # This can also be the filename of a ruleset. > >599,612d606 > >< > >< # > >< # Mail Archiving and Monitoring > >< # ----------------------------- > >< # > >< > >< # Space-separated list of email address and directory names where you >want > >< # a copy of all mail to be forwarded or stored. > >< # > >< # If you give this option a ruleset, you can control exactly whose mail > >< # is archived or forwarded. If you do this, beware of the legal > >implications > >< # as this could be deemed to be illegal interception unless the police > >have > >< # asked you to do this. > >< Archive Mail = /opt/MailScanner/etc/rules/archive.rules > > > >Here are the relevant parts of the diffs between the new file created by > >upgrade_MailScanner_conf and the 4.14-3 default MailScanner.conf: > > > >427a429,436 > > > # Add this extra header to all mail as it is processed. > > > # The contents is set by "Information Header Value" and is intended for > > > # you to be able to insert a help URL for your users. 
> > > # If you don't want an information header at all, just comment out this > > > # setting or set it to be blank. > > > # This can also be the filename of a ruleset. > > > #Information Header = X-MailScanner-Information: > > > > >600,613d608 > >< # Mail Archiving and Monitoring > >< # ----------------------------- > >< # > >< > >< # Space-separated list of email address and directory names where you >want > >< # a copy of all mail to be forwarded or stored. > >< # > >< # If you give this option a ruleset, you can control exactly whose mail > >< # is archived or forwarded. If you do this, beware of the legal > >implications > >< # as this could be deemed to be illegal interception unless the police > >have > >< # asked you to do this. > >< #Archive Mail = /var/spool/MailScanner/archive > >< > >< # > > > > > >Here is the output from upgrade_MailScanner_conf: > > > >Added new: Information Header = X-MailScanner-Information: > >Removed old: Archive Mail = /opt/MailScanner/etc/rules/archive.rules > >It is commented out in the supplied .conf file, with the result that the >upgrade script thinks it has been removed as it can't find it. I wanted the >upgrade script to work with any version upgrade, with the result that it >doesn't do 100% of the job for you. It does tell you where to look though, >and hopefully you will be able to fix up the remains by hand. > >The only other option was to make it read the syntax structure of the new >conf file from ConfigDefs.pl, which would have made the script enormously >more complicated. And as for working with any version, that would be almost >impossible. So I went for the "works 98% of the time with any upgrade" >version than the "works 100% of the time in exactly the right situation" >version. 
>-- >Julian Field >www.MailScanner.info >Professional Support Services at www.MailScanner.biz >MailScanner thanks transtec Computers for their support -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From JeremyE at BSA.CA.GOV Fri Mar 14 15:08:48 2003 From: JeremyE at BSA.CA.GOV (Jeremy Evans) Date: Thu Jan 12 21:17:29 2006 Subject: Beta test please Message-ID: <2739ECF7268CD0118F50080009DCC9F00235D2FA@pebble.bsa.ca.gov> I'm using the tar distribution running on OpenBSD. You can mail me the URL, I'll have time to test it this morning. Thanks for fixing this quickly. -----Original Message----- 
From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] Sent: Friday, March 14, 2003 3:19 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Beta test please I've been through the conf file and set values for all the variables, so none are commented out. This should improve things. The values are just blank if they were commented out before. Hopefully upgrade_MailScanner_conf will have an easier time now. Which distribution are you using? Can I just mail you a new URL to try this out please? At 22:48 13/03/2003, you wrote: >Thanks for the quick response as always. > >Starting now, I'm leaving the Information Header setting blank instead of >commenting it out, so that I won't have a problem with it next time. > >I'm not sure if I understand what went wrong with the Archive Mail setting. >It wasn't commented out in the supplied file (though it is commented out in >the default file, as are other settings such as Lock Type and Allowed Sophos >Error Messages). Maybe you should change the Archive Mail setting to blank >or "no" instead of or in addition to having it commented out (same for the >other settings that are commented out by default). Would that fix the >problem with Archive Mail? I'm guessing I didn't have a problem with those >other settings because they were commented out in both the default and the >supplied files. > >-----Original Message----- 
>From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] >Sent: Thursday, March 13, 2003 2:36 PM >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Re: Beta test please > > >At 22:19 13/03/2003, you wrote: > >After running the upgrade_MailScanner_conf program I noticed that the > >Archive Mail setting was removed, and the Information Header section was > >added a second time. Here are the diffs between the new version (created >by > >upgrade_MailScanner_conf) and the old MailScanner.conf: > > > >426a427,434 > > > Information Header = X-MailScanner-Information: > > > > > > # Add this extra header to all mail as it is processed. > > > # The contents is set by "Information Header Value" and is intended for > > > # you to be able to insert a help URL for your users. > > > # If you don't want an information header at all, just comment out this > > > # setting or set it to be blank. > > > # This can also be the filename of a ruleset. > >599,612d606 > >< > >< # > >< # Mail Archiving and Monitoring > >< # ----------------------------- > >< # > >< > >< # Space-separated list of email address and directory names where you >want > >< # a copy of all mail to be forwarded or stored. > >< # > >< # If you give this option a ruleset, you can control exactly whose mail > >< # is archived or forwarded. If you do this, beware of the legal > >implications > >< # as this could be deemed to be illegal interception unless the police > >have > >< # asked you to do this. > >< Archive Mail = /opt/MailScanner/etc/rules/archive.rules > > > >Here are the relevant parts of the diffs between the new file created by > >upgrade_MailScanner_conf and the 4.14-3 default MailScanner.conf: > > > >427a429,436 > > > # Add this extra header to all mail as it is processed. > > > # The contents is set by "Information Header Value" and is intended for > > > # you to be able to insert a help URL for your users. 
> > > # If you don't want an information header at all, just comment out this > > > # setting or set it to be blank. > > > # This can also be the filename of a ruleset. > > > #Information Header = X-MailScanner-Information: > > > > >600,613d608 > >< # Mail Archiving and Monitoring > >< # ----------------------------- > >< # > >< > >< # Space-separated list of email address and directory names where you >want > >< # a copy of all mail to be forwarded or stored. > >< # > >< # If you give this option a ruleset, you can control exactly whose mail > >< # is archived or forwarded. If you do this, beware of the legal > >implications > >< # as this could be deemed to be illegal interception unless the police > >have > >< # asked you to do this. > >< #Archive Mail = /var/spool/MailScanner/archive > >< > >< # > > > > > >Here is the output from upgrade_MailScanner_conf: > > > >Added new: Information Header = X-MailScanner-Information: > >Removed old: Archive Mail = /opt/MailScanner/etc/rules/archive.rules > >It is commented out in the supplied .conf file, with the result that the >upgrade script thinks it has been removed as it can't find it. I wanted the >upgrade script to work with any version upgrade, with the result that it >doesn't do 100% of the job for you. It does tell you where to look though, >and hopefully you will be able to fix up the remains by hand. > >The only other option was to make it read the syntax structure of the new >conf file from ConfigDefs.pl, which would have made the script enormously >more complicated. And as for working with any version, that would be almost >impossible. So I went for the "works 98% of the time with any upgrade" >version than the "works 100% of the time in exactly the right situation" >version. 
>-- >Julian Field >www.MailScanner.info >Professional Support Services at www.MailScanner.biz >MailScanner thanks transtec Computers for their support -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From David.While at UCE.AC.UK Fri Mar 14 15:15:11 2003 From: David.While at UCE.AC.UK (David While) Date: Thu Jan 12 21:17:29 2006 Subject: ANNOUNCE: mailstats.pl V0.17 Message-ID: For those people who use my script to analyse the mail log file you will find a new version which has the following additions: It can now report which spam traps have been triggered eg the RBLs so you get a report showing spamassassin, osirusoft.com etc and how many spam each of them has detected. I have also separated the configuration values into a separate file so that future upgrades of the software are easier to install - you shouldn't have to change your configuration file. I have also changed the code which scans the log file to make it substantially quicker. The report also includes the current number of mail messages in the mail queue. You can view the output at http://www.boys-brigade.org.uk/mrtg/ You can download as usual from http://staff.cie.uce.ac.uk/~dwhile/mailstats/ ----------------------------------------------------------------- David While Technical Development Manager Faculty of Computing, Information & English University of Central England Tel: 0121 331 6211 From mbowman at UDCOM.COM Fri Mar 14 15:26:17 2003 
From: mbowman at UDCOM.COM (Matthew Bowman) Date: Thu Jan 12 21:17:29 2006 Subject: Virus Notifications Message-ID: Is it possible to have multiple users who can receive virus notifications produced by mailscanner aside from postmaster, sender and recipient? That is if viruses were sent to @abc.com I would want notifications to goto postmaster (me) the sender, the recipient and george@abc.com (who could be their IT contact) Or is it a case of RTFM :) ? Thanks Matthew From richard.siddall at ELIRION.NET Fri Mar 14 15:45:54 2003 From: richard.siddall at ELIRION.NET (Richard Siddall) Date: Thu Jan 12 21:17:29 2006 Subject: Stupid luser In-Reply-To: <5.2.0.9.2.20030312210113.02725ef8@imap.ecs.soton.ac.uk> References: <5.2.0.9.2.20030312210113.02725ef8@imap.ecs.soton.ac.uk> Message-ID: <3E71F932.5040507@elirion.net> Julian Field wrote: > Just had this from someone whose mail got stopped by MailScanner. > [snip] > Oh, the reason for these outbursts? They were sent a "sender warning" from > an old version of MailScanner which was replying to a copy of Klez. That's > my best guess anyway, they weren't exactly clear. Poor Julian! It might help if you provided a page to explain to the luser how to find out who really sent the e-mail and followed the lead of the SpamAssassin site by having in big, bold letters at the top of www.mailscanner.info, the message "If you were sent here because you received an e-mail message from MailScanner, please go to this page." You've got better things to do than waste your time on these in-duh-viduals. Regards, Richard Siddall From mbowman at UDCOM.COM Fri Mar 14 16:25:42 2003 
From: mbowman at UDCOM.COM (Matthew Bowman) Date: Thu Jan 12 21:17:29 2006 Subject: Virus Notifications Message-ID: Thanks. Could you add this to the rules/EXAMPLES file in the next release? Julian Field Sent by: MailScanner mailing list 03/14/2003 11:09 AM Please respond to MailScanner mailing list To: MAILSCANNER@JISCMAIL.AC.UK cc: Subject: Re: Virus Notifications At 15:26 14/03/2003, you wrote: >Is it possible to have multiple users who can receive virus notifications >produced by mailscanner aside from postmaster, sender and recipient? > >That is if viruses were sent to @abc.com I would want notifications to >goto postmaster (me) the sender, the recipient and >george@abc.com (who could be their IT contact) > >Or is it a case of RTFM :) ? Afraid so. You can list multiple recipients for the postmaster notifications. What you then do is set the address using a ruleset, so that, for example Notices To = /etc/MailScanner/rules/notices.to.rules then in that file put To: @abc.com postmaster@me.com george@abc.com To: @def.com postmaster@me.com bill@def.com FromOrTo: default postmaster@me.com -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Fri Mar 14 16:09:05 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:29 2006
Subject: Virus Notifications
In-Reply-To:
Message-ID: <5.2.0.9.2.20030314160700.02fcdec0@imap.ecs.soton.ac.uk>

At 15:26 14/03/2003, you wrote:
>Is it possible to have multiple users who can receive virus notifications
>produced by mailscanner aside from postmaster, sender and recipient?
>
>That is if viruses were sent to @abc.com I would want notifications to
>goto postmaster (me) the sender, the recipient and
>george@abc.com (who could be their IT contact)
>
>Or is it a case of RTFM :) ?

Afraid so.

You can list multiple recipients for the postmaster notifications. What you then do is set the address using a ruleset, so that, for example
Notices To = /etc/MailScanner/rules/notices.to.rules

then in that file put
To: @abc.com postmaster@me.com george@abc.com
To: @def.com postmaster@me.com bill@def.com
FromOrTo: default postmaster@me.com
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Fri Mar 14 16:51:59 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:29 2006 Subject: Virus Notifications In-Reply-To: Message-ID: <5.2.0.9.2.20030314165154.03c3a3f8@imap.ecs.soton.ac.uk> Sure thing. At 16:25 14/03/2003, you wrote: >Thanks. Could you add this to the rules/EXAMPLES file in the next release? > > > > > > > >Julian Field >Sent by: MailScanner mailing list >03/14/2003 11:09 AM >Please respond to MailScanner mailing list > > > To: MAILSCANNER@JISCMAIL.AC.UK > cc: > Subject: Re: Virus Notifications > > >At 15:26 14/03/2003, you wrote: > >Is it possible to have multiple users who can receive virus notifications > >produced by mailscanner aside from postmaster, sender and recipient? > > > >That is if viruses were sent to @abc.com I would want notifications to > >goto postmaster (me) the sender, the recipient and > >george@abc.com (who could be their IT contact) > > > >Or is it a case of RTFM :) ? > >Afraid so. > >You can list multiple recipients for the postmaster notifications. What >you >then do is set the address using a ruleset, so that, for example >Notices To = /etc/MailScanner/rules/notices.to.rules > >then in that file put >To: @abc.com postmaster@me.com george@abc.com >To: @def.com postmaster@me.com bill@def.com >FromOrTo: default postmaster@me.com >-- >Julian Field >www.MailScanner.info >MailScanner thanks transtec Computers for their support -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From nicholas_esborn at AFFYMETRIX.COM Fri Mar 14 22:19:26 2003 
From: nicholas_esborn at AFFYMETRIX.COM (Nicholas Esborn) Date: Thu Jan 12 21:17:29 2006 Subject: Delivery of Spam to alternate location? Message-ID: <20030314221926.GC82996@affymetrix.com> Hello, I was wondering if it's possible to have MailScanner deliver identified Spam to an alternate server or email address? The idea would be to send the Spam to a quarantine mailserver, where users could browse their Spam with a webmail client, thus reducing the load on the primary mailservers. Thanks, -nick -- Nicholas Esborn Affymetrix, Inc. 510/428.8505 Every message PGP signed From mailscanner at ecs.soton.ac.uk Fri Mar 14 22:58:22 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:29 2006 Subject: Delivery of Spam to alternate location? In-Reply-To: <20030314221926.GC82996@affymetrix.com> Message-ID: <5.2.0.9.2.20030314225638.02270a58@imap.ecs.soton.ac.uk> Take a look at the setting Spam Actions = forward in the MailScanner.conf file. At 22:19 14/03/2003, you wrote: >Hello, > >I was wondering if it's possible to have MailScanner deliver identified >Spam to an alternate server or email address? The idea would be to send >the Spam to a quarantine mailserver, where users could browse their Spam >with a webmail client, thus reducing the load on the primary mailservers. > >Thanks, > >-nick > >-- >Nicholas Esborn >Affymetrix, Inc. > >510/428.8505 > >Every message PGP signed -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support From james at PCXPERIENCE.COM Fri Mar 14 23:52:09 2003 
From: james at PCXPERIENCE.COM (James A. Pattie) Date: Thu Jan 12 21:17:29 2006 Subject: Corrupt pgp-signed messages In-Reply-To: <1047671810.685abe4f51bd8@www.emery.homelinux.net> References: <1047671810.685abe4f51bd8@www.emery.homelinux.net> Message-ID: <3E726B29.5040900@pcxperience.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Rick Emery wrote: > I searched the documentation and list archives (at least, I think I did it > right; I've never used listserv before) but couldn't find anything on this. > > I configured MailScanner (a *great* product, by the way) to sign all clean > messages. My mail client is configured to verify pgp signatures, and I noticed > that I started getting a lot of "BAD pgp signature" messages. A little research > showed that the MailScanner signature was being added to the bottom of (inside) > the signed part of the message, apparently corrupting it. > > I am a member of several MailMan mailing lists, and noticed that several of them > were configured to sign all messages as well. However, it appears that the > mailing list signature is added after the pgp signature, outside of the signed > portion of the message. I don't know enough to explain this with technical > accuracy, so I hope this makes sense. > > My questions are: > > 1. is there a way to configure MailScanner to sign the message _after_ the pgp > signed portion? > > 2. Am I the only one seeing this behaviour? > > Thanks in advance for any guidance, > Rick > > P.S. I turned off the MailScanner signature, and everything is working fine (I > can tell by the headers that mail is being scanned). I just like the idea of a > signature telling everyone that the message was scanned (and I like advertising > MailScanner too :-) I gpg sign my e-mails and have never had this issue. I have had the issue where a certificate signed e-mail (S/MIME) has an issue since the signing of the e-mail by MailScanner changes the content. This was talked about several months ago. :) - -- James A. 
Pattie james@pcxperience.com Linux -- SysAdmin / Programmer Xperience, Inc. http://www.pcxperience.com/ http://www.xperienceinc.com/ GPG Key Available at http://www.pcxperience.com/gpgkeys/james.html -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQE+cmsotUXjwPIRLVERAmrAAJ0RPOCKWQ6itragPNuVDsdErTaw/wCgjBMQ NdH7oCMMXEYdlIbR5yCW2XM= =bSqU -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From nicholas_esborn at AFFYMETRIX.COM Sat Mar 15 00:41:47 2003 
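The breakage described in the "Corrupt pgp-signed messages" thread, as an added example that is not part of the original posts and is not MailScanner's code: a footer placed inside a clear-signed body changes the text the signature covers, while a footer placed after the signature block does not. The sample message, its placeholder signature and the function names are constructed for illustration; the digest is a stand-in for the bytes a verifier would hash, and PGP/MIME or S/MIME messages are not handled.

```python
import hashlib

BEGIN_SIGNED = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
END_SIG = "-----END PGP SIGNATURE-----"

# Constructed sample: a clear-signed body with a placeholder signature block.
SAMPLE = "\n".join([
    BEGIN_SIGNED,
    "Hash: SHA1",
    "",
    "Meeting moved to 3pm.",
    "- -- ",            # "-- " dash-escaped, as clear-signing requires
    "Alice",
    BEGIN_SIG,
    "",
    "PLACEHOLDER-NOT-A-REAL-SIGNATURE",
    END_SIG,
    "",
])

# Footer wording taken from the messages on this page.
FOOTER = ("-- \nThis message has been scanned for viruses and\n"
          "dangerous content by MailScanner, and is believed to be clean.")


def split_clearsigned(body):
    """Return (signed_lines, index_after_signature), or None if not clear-signed."""
    lines = body.split("\n")
    try:
        start = lines.index(BEGIN_SIGNED)
        sig = lines.index(BEGIN_SIG, start)
        end = lines.index(END_SIG, sig)
        # Armor headers such as "Hash: SHA1" end at the first empty line.
        text_start = lines.index("", start) + 1
    except ValueError:
        return None
    if text_start > sig:
        return None
    return lines[text_start:sig], end + 1


def signed_text_digest(body):
    """SHA-1 of the canonical signed text (RFC 4880 section 7.1 rules)."""
    parts = split_clearsigned(body)
    if parts is None:
        return None
    canon = []
    for line in parts[0]:
        if line.startswith("- "):         # undo dash-escaping
            line = line[2:]
        canon.append(line.rstrip(" \t"))  # trailing whitespace is not signed
    return hashlib.sha1("\r\n".join(canon).encode("utf-8")).hexdigest()


def append_footer_naive(body, footer):
    """Model of the reported behaviour: footer lands inside the signed text."""
    lines = body.split("\n")
    if BEGIN_SIG in lines:
        i = lines.index(BEGIN_SIG)
        return "\n".join(lines[:i] + footer.split("\n") + lines[i:])
    return body.rstrip("\n") + "\n" + footer + "\n"


def append_footer_safely(body, footer):
    """Place the footer after END PGP SIGNATURE so the signed text is untouched."""
    parts = split_clearsigned(body)
    if parts is None:
        return body.rstrip("\n") + "\n" + footer + "\n"
    after = parts[1]
    lines = body.split("\n")
    return "\n".join(lines[:after] + footer.split("\n") + lines[after:])


if __name__ == "__main__":
    before = signed_text_digest(SAMPLE)
    print("original :", before)
    print("naive    :", signed_text_digest(append_footer_naive(SAMPLE, FOOTER)))
    print("safe     :", signed_text_digest(append_footer_safely(SAMPLE, FOOTER)))
```
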
From: nicholas_esborn at AFFYMETRIX.COM (Nicholas Esborn) Date: Thu Jan 12 21:17:30 2006 Subject: Delivery of Spam to alternate location? In-Reply-To: <5.2.0.9.2.20030314225638.02270a58@imap.ecs.soton.ac.uk> References: <20030314221926.GC82996@affymetrix.com> <5.2.0.9.2.20030314225638.02270a58@imap.ecs.soton.ac.uk> Message-ID: <20030315004147.GA37304@affymetrix.com> Julian, I see that Action, but unless I'm mistaken, mail would be forwarded to a specified email address. Rather than that, I'm looking for a way of sending the Spam to an alternative mail server, keeping the destination address intact or modifying it in a specific way. For example, if MailScanner identified as Spam a message sent to nicholas_esborn@affymetrix.com, it could rewrite the address as nicholas_esborn@spambin.affymetrix.com and send it along. Then, instead of moving on to the normal affymetrix.com mailserver, the message would go to spambin.affymetrix.com, which might deliver the message locally into per-user accounts of some sort. That way, the main affymetrix.com mailservers would be spared the burden of handling the Spam, yet users would be able to retrieve their Spam from their accounts on spambin. Am I missing how the existing Action = forward directive could do this? Thanks! -nick On Fri, Mar 14, 2003 at 10:58:22PM +0000, Julian Field wrote: > Take a look at the setting > Spam Actions = forward > in the MailScanner.conf file. > > At 22:19 14/03/2003, you wrote: > >Hello, > > > >I was wondering if it's possible to have MailScanner deliver identified > >Spam to an alternate server or email address? The idea would be to send > >the Spam to a quarantine mailserver, where users could browse their Spam > >with a webmail client, thus reducing the load on the primary mailservers. > > > >Thanks, > > > >-nick > > > >-- > >Nicholas Esborn > >Affymetrix, Inc. 
> > > >510/428.8505 > > > >Every message PGP signed > > -- > Julian Field > www.MailScanner.info > Professional Support Services at www.MailScanner.biz > MailScanner thanks transtec Computers for their support -- Nicholas Esborn Affymetrix, Inc. 510/428.8505 Every message PGP signed From Kevin.Spicer at BMRB.CO.UK Sat Mar 15 01:07:38 2003 
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin) Date: Thu Jan 12 21:17:30 2006 Subject: Delivery of Spam to alternate location? Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0A4AD55@pascal.priv.bmrb.co.uk> > > Julian, > > I see that Action, but unless I'm mistaken, mail would be forwarded to > a specified email address. Rather than that, I'm looking for a way of > sending the Spam to an alternative mail server, keeping the > destination > address intact or modifying it in a specific way. > Off the top of my head here's an idea that _might_ work (assuming you don't quarantine virus mails). set Spam Actions = store (and High Scoring Spam Actions = store). Make sure Quarantine Whole Messages As Queue Files = yes. Then run a seperate sendmail process which just runs the 'queue' in the quarantine directory using a different sendmail.cf with a smarthost specified which all mail should be forwarded to. I suppose if you're quarantining viruses you may be able to do some filtering by subject (look for {Virus?}) using a procmail rule perhaps on the destination machine (quarantining them there instead). BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. From donovan at HUFFDATASYSTEMS.COM Sat Mar 15 03:04:57 2003 
From: donovan at HUFFDATASYSTEMS.COM (Donovan Huff | HUFF DATA SYSTEMS) Date: Thu Jan 12 21:17:30 2006 Subject: How is SPAM filtering turned off for reply e-mail? Also, reply issues... Message-ID: <003701c2ea9f$aa1d1ed0$ec7d9d40@x27> I had a problem when I first installed MailScanner and Spamassassin with replies to e-mail I sent, all the replies would have the {Spam?} added to the subject even though the scores were low (below 5) and they were not marked as SPAM in the header. I turned on the Auto Whitelisting feature and this stopped. However, what was odd is if I turn off spam filtering for low or high scored e-mails and then turn it back on again (never changing the auto whitelist, it is still turned on) then I would have the same problem. What I had to do is turn off SPAM filtering for both low and high and also turn off the auto whitelisting feature. After I did that (of course I stopped and started MailScanner between config changes) I could then turn them all back on (low and high SPAM filtering and auto whitelisting) and it would start working again, meaning replies were not having {Spam?} added to the subject line (this took a while to figure out, I have assumed it is some kind of bug where something does not get set properly if you turn the individual settings on and off, but it does when you turn them all off then on). I heard some talk about adding 127.0.0.1 to the spam whitelist (i.e. /etc/MailScanner/rules/spam.whitelist.rules), not sure if this would fix the issue or not. I have not done anything unusual to the MailScanner config or Spamassasin config just to let you know. Other people must be having or have had this issue as well, what is the fix? I really just want to make it so that all e-mail that is a reply is whitelisted (not marked as SPAM ever). I wondering though, if this will cause issues with SPAM filtering in the future as SPAMMERS could likely make the e-mail appear to be a reply. 
I am using MailScanner 4.14-3 with SpamAssassin 2.50 patched (2.51?) to fix the bug where it has issues working with MailScanner. TIA, Donovan From dcmwai at AMTB-M.ORG.MY Sat Mar 15 04:21:52 2003 
From: dcmwai at AMTB-M.ORG.MY (Chan Min Wai)
Date: Thu Jan 12 21:17:30 2006
Subject: Corrupt pgp-signed messages
References: <1047671810.685abe4f51bd8@www.emery.homelinux.net>
Message-ID: <3E72AA60.2010306@amtb-m.org.my>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello Rick,

I'm sure you know what is pgp signature check for with the signature. The Signature is just like the "Parity Bit" On the Digital Message. And you cannot Modify anything inside the body of the message however. You can try to modify the subject of the message that will solve the problem but you will never be able to add footer on the Message.

There is one gpg Signature that is static "Non Changing with the content" But that will not be a secure to your message and people does be able to change the content during transmission.

I'm not sure if there is a way to solve this problem.

This problem becomes worse if you are transmitting an Encrypted message.

If you get the answer, please do tell me as well.

Thank You
Chan Min Wai

Rick Emery wrote:
|I searched the documentation and list archives (at least, I think I did it
|right; I've never used listserv before) but couldn't find anything on this.
|
|I configured MailScanner (a *great* product, by the way) to sign all clean
|messages. My mail client is configured to verify pgp signatures, and I noticed
|that I started getting a lot of "BAD pgp signature" messages. A little research
|showed that the MailScanner signature was being added to the bottom of (inside)
|the signed part of the message, apparently corrupting it.
|
|I am a member of several MailMan mailing lists, and noticed that several of them
|were configured to sign all messages as well. However, it appears that the
|mailing list signature is added after the pgp signature, outside of the signed
|portion of the message. I don't know enough to explain this with technical
|accuracy, so I hope this makes sense.
|
|My questions are:
|
|1. 
is there a way to configure MailScanner to sign the message _after_ the pgp |signed portion? | |2. Am I the only one seeing this behaviour? | |Thanks in advance for any guidance, |Rick | |P.S. I turned off the MailScanner signature, and everything is working fine (I |can tell by the headers that mail is being scanned). I just like the idea of a |signature telling everyone that the message was scanned (and I like advertising |MailScanner too :-) | |------------------------------------------------ |This email was sent using IMP v4.0-cvs, part of |the Horde suite of information management tools. |http://horde.org/ | | -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.7 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQE+cqpfV0p9slMZLW4RAmcQAKDI0SwgRF/MPf/zrD8gLDLU4nRYXwCgqrJw Ynqq4W6erfAWJxVfkRSocpU= =NkTI -----END PGP SIGNATURE----- From mailscanner at ecs.soton.ac.uk Sat Mar 15 15:28:18 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:30 2006 Subject: How is SPAM filtering turned off for reply e-mail? Also, reply issues... In-Reply-To: <003701c2ea9f$aa1d1ed0$ec7d9d40@x27> Message-ID: <5.2.0.9.2.20030315152710.02265bc0@imap.ecs.soton.ac.uk> The easiest thing is to add your entire netblock to the spam whitelist. At work, we have the whole 152.78 so I just put this in spam.whitelist.rules 
From: 152.78. yes
FromOrTo: default no

At 03:04 15/03/2003, you wrote: >I had a problem when I first installed MailScanner and SpamAssassin with >replies to e-mail I sent, all the replies would have the >{Spam?} added to the subject even though the scores were low (below 5) and >they were not marked as SPAM in the header. I turned on >the Auto Whitelisting feature and this stopped. However, what was odd is >if I turn off spam filtering for low or high scored >e-mails and then turn it back on again (never changing the auto whitelist, >it is still turned on) then I would have the same >problem. What I had to do is turn off SPAM filtering for both low and >high and also turn off the auto whitelisting feature. After >I did that (of course I stopped and started MailScanner between config >changes) I could then turn them all back on (low and high >SPAM filtering and auto whitelisting) and it would start working again, >meaning replies were not having {Spam?} added to the subject >line (this took a while to figure out, I have assumed it is some kind of >bug where something does not get set properly if you turn >the individual settings on and off, but it does when you turn them all off >then on). > >I heard some talk about adding 127.0.0.1 to the spam whitelist (i.e. >/etc/MailScanner/rules/spam.whitelist.rules), not sure if this >would fix the issue or not. I have not done anything unusual to the >MailScanner config or SpamAssassin config just to let you know. >Other people must be having or have had this issue as well, what is the >fix? I really just want to make it so that all e-mail that >is a reply is whitelisted (not marked as SPAM ever). I am wondering though, >if this will cause issues with SPAM filtering in the >future as SPAMMERS could likely make the e-mail appear to be a reply. > >I am using MailScanner 4.14-3 with SpamAssassin 2.50 patched (2.51?) to >fix the bug where it has issues working with MailScanner. 
> > >TIA, > >Donovan -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Sat Mar 15 15:12:37 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:30 2006 Subject: Corrupt pgp-signed messages In-Reply-To: <3E726B29.5040900@pcxperience.com> References: <1047671810.685abe4f51bd8@www.emery.homelinux.net> <1047671810.685abe4f51bd8@www.emery.homelinux.net> Message-ID: <5.2.0.9.2.20030315150822.02581800@imap.ecs.soton.ac.uk> At 23:52 14/03/2003, you wrote: >-----BEGIN PGP SIGNED MESSAGE----- >Hash: SHA1 > >Rick Emery wrote: > > I searched the documentation and list archives (at least, I think I did it > > right; I've never used listserv before) but couldn't find anything on >this. > > > > I configured MailScanner (a *great* product, by the way) to sign all clean > > messages. My mail client is configured to verify pgp signatures, and I >noticed > > that I started getting a lot of "BAD pgp signature" messages. A little >research > > showed that the MailScanner signature was being added to the bottom of >(inside) > > the signed part of the message, apparently corrupting it. > > > > I am a member of several MailMan mailing lists, and noticed that >several of them > > were configured to sign all messages as well. However, it appears that the > > mailing list signature is added after the pgp signature, outside of >the signed > > portion of the message. I don't know enough to explain this with technical > > accuracy, so I hope this makes sense. I would like to see the difference in the MIME structure between what MailMan does and what MailScanner does. I just add the signature on to the end of the first in-line text+html segments of the message, which will be what you see. So the signature should be put in place after the signature, and therefore hopefully outside the signed portion of the message. > > My questions are: > > > > 1. is there a way to configure MailScanner to sign the message _after_ >the pgp > > signed portion? > > > > 2. Am I the only one seeing this behaviour? > > > > Thanks in advance for any guidance, > > Rick > > > > P.S. 
I turned off the MailScanner signature, and everything is working >fine (I > > can tell by the headers that mail is being scanned). I just like the >idea of a > > signature telling everyone that the message was scanned (and I like >advertising > > MailScanner too :-) The other alternative is by using the Subject: line modification feature (e.g. add "{Scanned}" on the end of the subject line). >I gpg sign my e-mails and have never had this issue. > >I have had the issue where a certificate signed e-mail (S/MIME) has an >issue since the signing of the e-mail by MailScanner changes the >content. This was talked about several months ago. :) > >- -- >James A. Pattie >james@pcxperience.com > >Linux -- SysAdmin / Programmer >Xperience, Inc. >http://www.pcxperience.com/ >http://www.xperienceinc.com/ > >GPG Key Available at http://www.pcxperience.com/gpgkeys/james.html >-----BEGIN PGP SIGNATURE----- >Version: GnuPG v1.0.6 (GNU/Linux) >Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org > >iD8DBQE+cmsotUXjwPIRLVERAmrAAJ0RPOCKWQ6itragPNuVDsdErTaw/wCgjBMQ >NdH7oCMMXEYdlIbR5yCW2XM= >=bSqU >-----END PGP SIGNATURE----- > > >-- >This message has been scanned for viruses and >dangerous content by MailScanner, and is >believed to be clean. -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Sat Mar 15 15:25:56 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:30 2006 Subject: Delivery of Spam to alternate location? In-Reply-To: <20030315004147.GA37304@affymetrix.com> References: <5.2.0.9.2.20030314225638.02270a58@imap.ecs.soton.ac.uk> <20030314221926.GC82996@affymetrix.com> <5.2.0.9.2.20030314225638.02270a58@imap.ecs.soton.ac.uk> Message-ID: <5.2.0.9.2.20030315151335.022e93a0@imap.ecs.soton.ac.uk> At 00:41 15/03/2003, you wrote: >I see that Action, but unless I'm mistaken, mail would be forwarded to >a specified email address. Rather than that, I'm looking for a way of >sending the Spam to an alternative mail server, keeping the destination >address intact or modifying it in a specific way. > >For example, if MailScanner identified as Spam a message sent to >nicholas_esborn@affymetrix.com, it could rewrite the address as >nicholas_esborn@spambin.affymetrix.com and send it along.

Okay, this is exactly the sort of thing that a "Custom Function" could do. Bung this in CustomConfig.pm:

# Host label inserted in front of each recipient's domain
my $spamserver = 'spambin';

sub SpamActions {
  my($message) = @_;

  return "deliver" unless $message; # Default if no message passed in

  my($to, $user, $domain, $result);

  # Loop through each recipient of the message, building the Spam Actions
  foreach $to (@{$message->{to}}) {
    # Get the user@domain bits out
    ($user, $domain) = split(/@/, $to, 2);
    # Skip any recipient that has no domain part
    next unless defined $domain && length $domain;
    $result .= "forward $user\@$spamserver.$domain ";
  }

  return "deliver" unless $result; # If something was wrong, no recipients?
  return $result;
}

That all goes in CustomConfig.pm. You should also create empty functions called InitSpamActions and EndSpamActions to be neat and tidy. Then in your MailScanner.conf, set

Spam Actions = &SpamActions
High Scoring Spam Actions = &SpamActions

and restart MailScanner. Obviously you should change the value of "spamserver" at the top of the code to whatever your spam mail servers are going to be called. I haven't tested it at all, but it should basically work okay. 
-- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support From rick at EMERY.HOMELINUX.NET Sat Mar 15 16:34:31 2003 
From: rick at EMERY.HOMELINUX.NET (Rick Emery) Date: Thu Jan 12 21:17:30 2006 Subject: Corrupt pgp-signed messages In-Reply-To: <5.2.0.9.2.20030315150822.02581800@imap.ecs.soton.ac.uk> References: <1047671810.685abe4f51bd8@www.emery.homelinux.net> <1047671810.685abe4f51bd8@www.emery.homelinux.net> <5.2.0.9.2.20030315150822.02581800@imap.ecs.soton.ac.uk> Message-ID: <1047746071.ec3314e36e4eb@www.emery.homelinux.net> Quoting Julian Field : > I would like to see the difference in the MIME structure between what > MailMan does and what MailScanner does. I just add the signature on to the > end of the first in-line text+html segments of the message, which will be > what you see. So the signature should be put in place after the signature, > and therefore hopefully outside the signed portion of the message. Would this involve just forwarding the sample message to you? How can I view the mime structure of a message? I'm sorry, but my technical knowledge of this is pretty spare. However, your explanation above makes sense. What I'm seeing is that MailScanner is attaching its signature at the end of the first in-line text segment of the message (exactly as you described above). I think the problem is that that is the signed part of the message. If I'm understanding this correctly, a signed message has (at least) two mime parts; the message, and the pgp signature. It looks like MailMan might add a third part, the text signature for the mailing list. > The other alternative is by using the Subject: line modification feature > (e.g. add "{Scanned}" on the end of the subject line). I'm not too worried about this; it isn't mission critical and, as I said, I know the messages are being scanned because of the headers being added. I just thought the signature was cool. Thanks for your help, and a *great* product, and if I can provide any additional information or troubleshoot it further, please let me know. 
Rick ------------------------------------------------ This email was sent using IMP v4.0-cvs, part of the Horde suite of information management tools. http://horde.org/ From rick at EMERY.HOMELINUX.NET Sat Mar 15 16:45:41 2003 
From: rick at EMERY.HOMELINUX.NET (Rick Emery) Date: Thu Jan 12 21:17:30 2006 Subject: Corrupt pgp-signed messages In-Reply-To: <3E726B29.5040900@pcxperience.com> References: <1047671810.685abe4f51bd8@www.emery.homelinux.net> <3E726B29.5040900@pcxperience.com> Message-ID: <1047746741.59dc6ec661254@www.emery.homelinux.net> Quoting "James A. Pattie" : > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Rick Emery wrote: > > I searched the documentation and list archives (at least, I think I did it > > right; I've never used listserv before) but couldn't find anything on > this. > > > > I configured MailScanner (a *great* product, by the way) to sign all clean > > messages. My mail client is configured to verify pgp signatures, and I > noticed > > that I started getting a lot of "BAD pgp signature" messages. A little > research > > showed that the MailScanner signature was being added to the bottom of > (inside) > > the signed part of the message, apparently corrupting it. > > > > I am a member of several MailMan mailing lists, and noticed that > several of them > > were configured to sign all messages as well. However, it appears that the > > mailing list signature is added after the pgp signature, outside of > the signed > > portion of the message. I don't know enough to explain this with technical > > accuracy, so I hope this makes sense. > > > > My questions are: > > > > 1. is there a way to configure MailScanner to sign the message _after_ > the pgp > > signed portion? > > > > 2. Am I the only one seeing this behaviour? > > > > Thanks in advance for any guidance, > > Rick > > > > P.S. I turned off the MailScanner signature, and everything is working > fine (I > > can tell by the headers that mail is being scanned). I just like the > idea of a > > signature telling everyone that the message was scanned (and I like > advertising > > MailScanner too :-) > > I gpg sign my e-mails and have never had this issue. 
> > I have had the issue where a certificate signed e-mail (S/MIME) has an > issue since the signing of the e-mail by MailScanner changes the > content. This was talked about several months ago. :) > > - -- > James A. Pattie > james@pcxperience.com > > Linux -- SysAdmin / Programmer > Xperience, Inc. > http://www.pcxperience.com/ > http://www.xperienceinc.com/ > > GPG Key Available at http://www.pcxperience.com/gpgkeys/james.html > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.0.6 (GNU/Linux) > Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org > > iD8DBQE+cmsotUXjwPIRLVERAmrAAJ0RPOCKWQ6itragPNuVDsdErTaw/wCgjBMQ > NdH7oCMMXEYdlIbR5yCW2XM= > =bSqU > -----END PGP SIGNATURE----- > > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. >

Forgive me for quoting the entire message, but it's a good indicator of what's going on. As you can see above, your message contains:

# -----BEGIN PGP SIGNED MESSAGE-----
# the message
# -----BEGIN PGP SIGNATURE-----
# the signature
# -----END PGP SIGNATURE-----
# MailScanner's text signature

When I view the corrupt messages, MailScanner's text signature appears just above the "BEGIN PGP SIGNATURE" line. What I don't understand is why your setup attached the MailScanner signature after the PGP SIGNATURE, but mine puts it before. I couldn't find a configuration option for this. Could it have anything to do with the message composer? Something I've noticed is that the corrupt messages don't say "BEGIN PGP SIGNED MESSAGE", they have a cryptic string of letters, numbers, and symbols at the beginning and end. Again I apologize for all of the noise, but I don't understand enough about mime and pgp to figure it out. Thanks again, Rick ------------------------------------------------ This email was sent using IMP v4.0-cvs, part of the Horde suite of information management tools. http://horde.org/ From mailscanner at ecs.soton.ac.uk Sat Mar 15 16:46:30 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:30 2006 Subject: Corrupt pgp-signed messages In-Reply-To: <1047746071.ec3314e36e4eb@www.emery.homelinux.net> References: <5.2.0.9.2.20030315150822.02581800@imap.ecs.soton.ac.uk> <1047671810.685abe4f51bd8@www.emery.homelinux.net> <1047671810.685abe4f51bd8@www.emery.homelinux.net> <5.2.0.9.2.20030315150822.02581800@imap.ecs.soton.ac.uk> Message-ID: <5.2.0.9.2.20030315164402.0283af00@imap.ecs.soton.ac.uk> At 16:34 15/03/2003, you wrote: >Quoting Julian Field : > > > I would like to see the difference in the MIME structure between what > > MailMan does and what MailScanner does. I just add the signature on to the > > end of the first in-line text+html segments of the message, which will be > > what you see. So the signature should be put in place after the signature, > > and therefore hopefully outside the signed portion of the message. > >Would this involve just forwarding the sample message to you? How can I >view the >mime structure of a message? I'm sorry, but my technical knowledge of this is >pretty spare. However, your explanation above makes sense. If you can find one (possibly using the "Archive Mail" feature), copy the raw queue files for a couple of sample messages generated by MailMan. 1 without the pgp sig and 1 with the pgp sig would be ideal. >What I'm seeing is that MailScanner is attaching its signature at the end >of the >first in-line text segment of the message (exactly as you desribed above). I >think the problem is that that is the signed part of the message. If I'm >understanding this correctly, a signed message has (at least) two mime parts; >the message, and the pgp signature. It looks like MailMan might add a third >part, the text signature for the mailing list. The snag with that is getting all email programs to actually display the 3rd bit (i.e. the signature). I would be interested to see how MailMan gets around the problem. 
> > The other alternative is by using the Subject: line modification feature > > (e.g. add "{Scanned}" on the end of the subject line). > >I'm not too worried about this; it isn't mission critical and, as I said, >I know >the messages are being scanned because of the headers being added. I just >thought the signature was cool. > >Thanks for your help, and a *great* product, Thanks! > and if I can provide any additional >information or troubleshoot it further, please let me know. > >Rick > >------------------------------------------------ >This email was sent using IMP v4.0-cvs, part of >the Horde suite of information management tools. >http://horde.org/ -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support From Kevin.Spicer at BMRB.CO.UK Sat Mar 15 16:53:29 2003 
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin) Date: Thu Jan 12 21:17:30 2006 Subject: Corrupt pgp-signed messages Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0A4AD56@pascal.priv.bmrb.co.uk> > I would like to see the difference in the MIME structure between what > MailMan does and what MailScanner does. I just add the > signature on to the > end of the first in-line text+html segments of the message, > which will be > what you see. So the signature should be put in place after > the signature, > and therefore hopefully outside the signed portion of the message. >

I don't use mailman but I've been able to produce the same/a similar behaviour with differences between Outlook on Windows (with the gdata gpg plugin) and Evolution on Linux.

Outlook / Gdata plugin... Mime type : text/plain Single part message, PGP Message and Signature are all within the body of the message and MailScanner signs the message after the PGP signature. On receipt the PGP signature validates okay.

Evolution... Multi part MIME message (content type: multipart/signed) First section (text/plain) contains the message itself (without the PGP signature) with the MailScanner signature appended. Second section (application/pgp-signature) contains the PGP signature. In this case the mailscanner signature breaks the PGP signature.

Julian - if you'd like a closer look I'll happily send you my test messages off-list. As an aside - I prefer the way evolution handles it from a security point of view, but unfortunately this doesn't work at all with gdata's plugin! BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. 
Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. From Kevin.Spicer at BMRB.CO.UK Sat Mar 15 17:16:31 2003 
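[Added example, not part of the original thread and not MailScanner code.] The two layouts described in the message above, run through a footer step that appends to the first in-line text part, to show which one changes the bytes the sender signed. The sample messages are constructed, the function names are illustrative, and a SHA-256 over the signed region stands in for real OpenPGP verification.

```python
import hashlib
from email import message_from_string
from typing import Optional

FOOTER = "\n-- \nThis message has been scanned (constructed footer).\n"
BEGIN_MSG = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"

# Constructed sample 1: inline clear-signed text/plain (the Outlook case).
# The armor body is a placeholder, not a real signature.
CLEARSIGNED = """\
From: alice@example.org
To: list@example.org
Subject: inline clear-signed sample
Content-Type: text/plain; charset=us-ascii

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello list, this text is signed.
-----BEGIN PGP SIGNATURE-----

PLACEHOLDER-NOT-A-REAL-SIGNATURE
-----END PGP SIGNATURE-----
"""

# Constructed sample 2: PGP/MIME multipart/signed (the Evolution case).
PGP_MIME = """\
From: alice@example.org
To: list@example.org
Subject: PGP/MIME sample
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1;
 protocol="application/pgp-signature"; boundary="sigpart-boundary"

--sigpart-boundary
Content-Type: text/plain; charset=us-ascii

Hello list, this text is signed.

--sigpart-boundary
Content-Type: application/pgp-signature

-----BEGIN PGP SIGNATURE-----

PLACEHOLDER-NOT-A-REAL-SIGNATURE
-----END PGP SIGNATURE-----

--sigpart-boundary--
"""


def signed_region(raw: str) -> Optional[str]:
    """Return the text the sender's signature covers, or None if unsigned."""
    raw = raw.replace("\r\n", "\n")
    msg = message_from_string(raw)
    if msg.get_content_type() == "multipart/signed":
        boundary = msg.get_boundary()
        if boundary is None:
            return None
        # The signature covers the first body part, MIME headers included,
        # exactly as it sits between the first two boundary lines.
        chunks = raw.split("\n--" + boundary)
        return chunks[1][1:] if len(chunks) >= 3 else None
    body = msg.get_payload()
    if isinstance(body, str) and BEGIN_MSG in body and BEGIN_SIG in body:
        armored = body[body.index(BEGIN_MSG):body.index(BEGIN_SIG)]
        # Skip the armor headers ("Hash: ...") up to the first blank line.
        return armored.partition("\n\n")[2]
    return None


def classify(raw: str) -> str:
    if message_from_string(raw).get_content_type() == "multipart/signed":
        return "multipart/signed"
    return "inline-clearsigned" if signed_region(raw) is not None else "unsigned"


def fingerprint(region: str) -> str:
    """Stand-in for the signed digest: SHA-256 over CRLF-canonical text."""
    canon = region.replace("\r\n", "\n").replace("\n", "\r\n")
    return hashlib.sha256(canon.encode("utf-8")).hexdigest()


def append_to_first_text_part(raw: str, footer: str = FOOTER) -> str:
    """Footer placement as described in the thread: the end of the first
    in-line text part, whatever container that part lives in."""
    msg = message_from_string(raw)
    for part in msg.walk():
        if part.get_content_maintype() == "text" and not part.is_multipart():
            part.set_payload(part.get_payload() + footer)
            break
    return msg.as_string()


def footer_breaks_signature(raw: str, footer: str = FOOTER) -> bool:
    """True if appending the footer changes the bytes the signature covers."""
    before = signed_region(raw)
    if before is None:
        return False
    after = signed_region(append_to_first_text_part(raw, footer))
    return after is None or fingerprint(before) != fingerprint(after)


def footer_action(raw: str) -> str:
    """Policy sketch: never edit the body of a multipart/signed message."""
    if classify(raw) == "multipart/signed":
        return "leave-body-untouched"
    return "append-footer"
```

For the multipart/signed sample the footer lands inside the signed part, so the only safe markers are ones outside the body, such as the added headers or the Subject: tag mentioned earlier in the thread.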
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin) Date: Thu Jan 12 21:17:30 2006 Subject: Corrupt pgp-signed messages Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0EBF49F@pascal.priv.bmrb.co.uk> > > Evolution... > Multi part MIME message (content type: multipart/signed) > First section (text/plain) contains the message itself > (without the PGP signature) with the MailScanner signature appended. > Second section (application/pgp-signature) contains the PGP signature. > In this case the mailscanner signature breaks the PGP signature. > Hmmm, replying to myself - first sign of madness! Looks like this is specified in RFC1847 http://www.faqs.org/rfcs/rfc1847.html On a first scan the important paragraphs seem to be these... The entire contents of the multipart/signed container must be treated as opaque while it is in transit from an originator to a recipient. Intermediate message transfer agents must not alter the content of a multipart/signed in any way, including, but not limited to, changing the content transfer encoding of the body part or any of its encapsulated body parts. The signature in a multipart/signed only applies to the material that is actually within the multipart/signed object. In particular, it does not apply to any enclosing message material, nor does it apply to entities that are referenced (e.g. via a MIME message/external- body) by rather than included in the signed content. BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. 
BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. From lists at STHOMAS.NET Sat Mar 15 19:39:00 2003 From: lists at STHOMAS.NET (Steve Thomas) Date: Thu Jan 12 21:17:30 2006 Subject: Warm fuzzy Message-ID: <20030315113900.B11309@sthomas.net> I just got my new super-comfy fuzzy warm MailScanner fleece jacket in the mail. Man, is this thing comfortable. It makes the temporary crown I also just got seem a little more bearable. Aren't you jealous? Don't be! You too can have one! Visit the MailScanner Store today! :) -- Steve Thomas steve +at+ sthomas -dot- net ---------------------------------------------------------- "...subatomic matter in a particle accelerator that exists for only a few microseconds seems to exhibit more uptime than the RIAA's website." -- Andrew Orlowski TheRegister.co.uk From donovan at HUFFDATASYSTEMS.COM Sat Mar 15 20:58:26 2003 From: donovan at HUFFDATASYSTEMS.COM (Donovan Huff | HUFF DATA SYSTEMS) Date: Thu Jan 12 21:17:30 2006 Subject: How is SPAM filtering turned off for reply e-mail? Also, reply issues... References: <5.2.0.9.2.20030315152710.02265bc0@imap.ecs.soton.ac.uk> Message-ID: <002901c2eb35$a0bd26a0$73ef1d43@x27> Is there a way for a user to say forward e-mail that they wish to be whitelisted automatically? How about for blacklisting? Can they forward and e-mail from themselves to say user-whitelist@domain.tld (where user@domain.tld is the normal password) or anything like this? Someone had given me the impression that this was an option, but I did not see it in the config. Donovan ----- Original Message ----- From: "Julian Field" To: Sent: Saturday, March 15, 2003 9:28 AM Subject: Re: How is SPAM filtering turned off for reply e-mail? Also, reply issues... > The easiest thing is to add your entire netblock to the spam whitelist. At > work, we have the whole 152.78 so I just put this in spam.whitelist.rules 
> From: 152.78. yes
> FromOrTo: default no
>
> At 03:04 15/03/2003, you wrote: > >I had a problem when I first installed MailScanner and SpamAssassin with > >replies to e-mail I sent, all the replies would have the > >{Spam?} added to the subject even though the scores were low (below 5) and > >they were not marked as SPAM in the header. I turned on > >the Auto Whitelisting feature and this stopped. However, what was odd is > >if I turn off spam filtering for low or high scored > >e-mails and then turn it back on again (never changing the auto whitelist, > >it is still turned on) then I would have the same > >problem. What I had to do is turn off SPAM filtering for both low and > >high and also turn off the auto whitelisting feature. After > >I did that (of course I stopped and started MailScanner between config > >changes) I could then turn them all back on (low and high > >SPAM filtering and auto whitelisting) and it would start working again, > >meaning replies were not having {Spam?} added to the subject > >line (this took a while to figure out, I have assumed it is some kind of > >bug where something does not get set properly if you turn > >the individual settings on and off, but it does when you turn them all off > >then on). > > > >I heard some talk about adding 127.0.0.1 to the spam whitelist (i.e. > >/etc/MailScanner/rules/spam.whitelist.rules), not sure if this > >would fix the issue or not. I have not done anything unusual to the > >MailScanner config or SpamAssassin config just to let you know. > >Other people must be having or have had this issue as well, what is the > >fix? I really just want to make it so that all e-mail that > >is a reply is whitelisted (not marked as SPAM ever). I am wondering though, > >if this will cause issues with SPAM filtering in the > >future as SPAMMERS could likely make the e-mail appear to be a reply. > > > >I am using MailScanner 4.14-3 with SpamAssassin 2.50 patched (2.51?) 
to > >fix the bug where it has issues working with MailScanner. > > > > > >TIA, > > > >Donovan > > -- > Julian Field > www.MailScanner.info > Professional Support Services at www.MailScanner.biz > MailScanner thanks transtec Computers for their support From dh at UPTIME.AT Sun Mar 16 14:08:48 2003 
From: dh at UPTIME.AT (David) Date: Thu Jan 12 21:17:30 2006 Subject: Maybe a bit OT, auto adjusting high scoring value.. Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: RIPEMD160

Hello. First of all let me explain my setup. I have a "low" score of 5.3 and a high score of 13. High scoring spam is deleted, but the message is forwarded to me none the less, so I can check, that it is really not a message that has some value to the user. This is something we all agreed on. Out of curiosity I collected 631 Spam messages, all verified by me to be actual spam. Some of them are above the threshold of 13, others are within the range of 5.3-13. I have written a little Perl script, which reads that Mbox, collects all the Spam Scores and tosses them into a little array on which I am able to perform some statistical operations using Statistics::Lite. For me that returns:

Max Value: 31.7
Min Value: 5.3 (kinda expected)
Data Range: 26.4
Std. Variance: 26.2935....
Std. Deviation: 5.0292...
Mean Score: 13.81410...
Median: 13.4

Now my question is and I am posting to this list because I know there are many talented mathematicians out there. a) Does this kind of collecting data make sense? b) which statistical functions would make sense ? What I am trying to do is the following. I am noticing, that there is a LOT of verified Spam in the range between 5.3 to 13 and I am trying to find the best value for our typical Spam flow which will catch most verified spam and still allow the seldom false positives to pass through to the user. If you recall, I delete the high scoring Spam. So basically I need to find the best value for "High scoring"- I would be very happy if you could tell me how to tackle this, because I really know nothing about math and I think what I just did has little to no value - -d - - "Imagination is more important than knowledge." - Albert Einstein -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (Darwin) iD8DBQE+dIV0iW/Ta/pxHPQRAzVvAKDGv6WRjGyMqc5pRAQyi/467M7fHwCghgsh TaL4ldLqeIEb0qtZdPwOF2Y= =Ua2i -----END PGP SIGNATURE----- From mailscanner at ecs.soton.ac.uk Sun Mar 16 19:23:52 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:30 2006 Subject: SpamAssassin 2.50 problems Message-ID: <5.2.0.9.2.20030316191403.024b9aa0@imap.ecs.soton.ac.uk>

I have just managed to work around the nasty problem with SpamAssassin 2.50 repeatedly timing out. The symptom was that SpamAssassin 2.50 would suddenly time out 20 times in a row for no apparent reason, at which point SpamAssassin was disabled until the next scheduled restart ("Restart Every" in MailScanner.conf). I have fixed this, and it was caused by the style of file locking used by the SpamAssassin code that cannot clear up after itself if the process is killed. MailScanner uses flock()-style locking which cleans up after itself automatically. There is still a problem, that will have to be addressed by the SpamAssassin developers, that the Bayes database files are locked for a long time during each test. Only 1 MailScanner child process can access the files at a time, resulting in a situation where all the other MailScanner child processes are waiting for the files to be unlocked. 1 change that should help is to reduce the time between locking attempts. Currently it waits for 0.5 - 1.5 seconds between attempts. Shortening that to 0.1 - 0.2 seconds should improve things. But unfortunately the timing numbers are hard-wired into the SpamAssassin code. If you are interested, it is in line 59 of /usr/lib/perl5/5.6.1/site_perl/Mail/SpamAssassin/UnixLocker.pm. -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support From lance at WARE.NET Sun Mar 16 19:34:48 2003 
From: lance at WARE.NET (Lance Ware) Date: Thu Jan 12 21:17:30 2006 Subject: Archiving Human Readable Messages Message-ID: <9F214F8D10934845A3664A21425C79FC60857C@dhcp5.ware.net> Hello, I've just installed MailScanner, first I'd like to say thanks to Julian and the rest of the contributors - it looks to be a great project. In combination with SpamAssasin it's already catching 200+ SPAMs a day for me. I'm using it to front end my Qmail/Vpopmail system so it runs on a separate box with a mailertable entry (I couldn't move the main box because it hosts email for some 200+ domains that I don't want to filter just yet). Now the challenge - I've got a number of "spam pots" which I'd like to use to increase the hit rate for spam detection. My initial plan for this was to use the "archive" feature of MailScanner to log all the mails to these various dead email addresses. I got that setup ok, but it's creating the 2 queue files per email. I've tried tinkering with: Quarantine Whole Messages As Queue Files = no But so far I've been unsuccessful in simply archiving the full text of the message. Since most of my users are on Windows with Outlook 2002 or OE it's not very easy to bounce mail back for adding to the Bayesian filters and Razor/etc. Any tips on getting the archiving to a single file to work are greatly appreciated. TIA, Lance From mailscanner at ecs.soton.ac.uk Sun Mar 16 19:48:01 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:30 2006 Subject: Archiving Human Readable Messages In-Reply-To: <9F214F8D10934845A3664A21425C79FC60857C@dhcp5.ware.net> Message-ID: <5.2.0.9.2.20030316194639.022c41b8@imap.ecs.soton.ac.uk> At 19:34 16/03/2003, you wrote: >I've just installed MailScanner, first I'd like to say thanks to Julian and >the rest of the contributors - it looks to be a great project. In >combination with SpamAssasin it's already catching 200+ SPAMs a day for me. >I'm using it to front end my Qmail/Vpopmail system so it runs on a separate >box with a mailertable entry (I couldn't move the main box because it hosts >email for some 200+ domains that I don't want to filter just yet). >Now the challenge - I've got a number of "spam pots" which I'd like to use to >increase the hit rate for spam detection. >My initial plan for this was to use the "archive" feature of MailScanner to >log all the mails to these various dead email addresses. I got that setup >ok, but it's creating the 2 queue files per email. I've tried tinkering with: >Quarantine Whole Messages As Queue Files = no >But so far I've been unsuccessful in simply archiving the full text of the >message. That is the correct setting. Just make sure you do a "reload" afterwards ("service MailScanner reload" on RedHat). This will produce a single file of the headers and the body. -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support From lance at WARE.NET Sun Mar 16 20:03:39 2003 From: lance at WARE.NET (Lance Ware) Date: Thu Jan 12 21:17:30 2006 Subject: Archiving Human Readable Messages Message-ID: <9F214F8D10934845A3664A21425C79FC60857D@dhcp5.ware.net> > -----Original Message----- 
> From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] > Sent: Sunday, March 16, 2003 11:48 AM > > At 19:34 16/03/2003, you wrote: > >I've just installed MailScanner, first I'd like to say thanks to Julian and > >the rest of the contributors - it looks to be a great project. In > >combination with SpamAssasin it's already catching 200+ SPAMs a day for > me. > >I'm using it to front end my Qmail/Vpopmail system so it runs on a > separate > >box with a mailertable entry (I couldn't move the main box because it > hosts > >email for some 200+ domains that I don't want to filter just yet). > >Now the challenge - I've got a number of "spam pots" which I'd like to use to > >increase the hit rate for spam detection. > >My initial plan for this was to use the "archive" feature of MailScanner to > >log all the mails to these various dead email addresses. I got that setup > >ok, but it's creating the 2 queue files per email. I've tried tinkering > with: > >Quarantine Whole Messages As Queue Files = no > >But so far I've been unsuccessful in simply archiving the full text of the > >message. > > That is the correct setting. Just make sure you do a "reload" afterwards > ("service MailScanner reload" on RedHat). This will produce a single file > of the headers and the body. I've tried the reloading - still no luck. And it all seemed so simple. I have: Archive Mail = /etc/MailScanner/rules/logSpamTrolls.rules And in that file: To: edhunt_1@webcam.com /var/log/spam/ To: duckvonlong@webcam.com /var/log/spam/ To: oral@webcam.com /var/log/spam/ To: fcdxsza@webcam.com /var/log/spam/ FromOrTo: default no I still get 2 files per email. Lance From dcmwai at AMTB-M.ORG.MY Mon Mar 17 05:27:14 2003 
From: dcmwai at AMTB-M.ORG.MY (Chan Min Wai) Date: Thu Jan 12 21:17:30 2006 Subject: About some Rules on SpamAssassin... Message-ID: <3E755CB2.3050506@amtb-m.org.my> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hello all, I don't know if I'm asking in the wrong places, but this is happenning all the time and very annoying. Our Organization use Chinese More often then english and SpamAssassin always think that the mail is spam and it score very high. Most of the time, Mail sent by Outlook express will be marked as Spam, no mather they are from a MaxOs or from Windows. Can someone have experience with this help me. (this is part of the header) X-MailScanner-SpamCheck: spam, SpamAssassin (score=10.4, required 5, CHARSET_FARAWAY, CHARSET_FARAWAY_HEADERS, MAILTO_TO_SPAM_ADDR, NOSPAM_INC, SPAM_PHRASE_00_01, SUBJ_FULL_OF_8BITS, UPPERCASE_25_50, USER_AGENT, USER_AGENT_MOZILLA_UA, X_ACCEPT_LANG) Thank You -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.7 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQE+dVyyV0p9slMZLW4RAo+gAKD4IhhONkgpsdxigDXFt4agfogkewCbBdyV ujW8Q9SUN8kz/Ww9sNpWZ6g= =MBhg -----END PGP SIGNATURE----- From Kevin.Spicer at BMRB.CO.UK Mon Mar 17 08:11:45 2003 
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin) Date: Thu Jan 12 21:17:30 2006 Subject: About some Rules on SpamAssassin... Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0A4AD58@pascal.priv.bmrb.co.uk> > > I don't know if I'm asking in the wrong places, but this is happenning > all the time and very annoying. > Our Organization use Chinese More often then english and SpamAssassin > always think that the mail is spam and it score very high. Most of the > time, Mail sent by Outlook express will be marked as Spam, no mather > they are from a MaxOs or from Windows. I think you need the following in spam.assassin.prefs.conf... ok_languages en zh ok_locales en zh NOTE: ok_locales en is already specified in spam.assassin.prefs.conf, so you'll need to find and change that line. ok_languages is not in there as the default is to allow all languages - so you might just omit it anyway. If you're really having problems omit/comment out ok_languages and ok_locales to let everything through without performing any of these language/ locale checks. If that doesn't work you could also assign a zero score to those tests which are causing false positives for you. e.g. (I'm guessing you might see this one quite a bit...) score SUBJ_FULL_OF_8BITS 0 (CHARSET_FARAWAY and CHARSET_FARAWAY_HEADERS should both be sorted by changing ok_locales) more info... http://www.spamassassin.org/doc/Mail_SpamAssassin_Conf.html BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. 
BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. From Jan-Peter.Koopmann at SECEIDOS.DE Mon Mar 17 09:01:44 2003 From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann) Date: Thu Jan 12 21:17:30 2006 Subject: About some Rules on SpamAssassin... Message-ID: <4E7026FF8A422749B1553FE508E0068007EF92@message.intern.akctech.de> > Our Organization use Chinese More often then english and SpamAssassin > always think that the mail is spam and it score very high. Most of the > time, Mail sent by Outlook express will be marked as Spam, no mather > they are from a MaxOs or from Windows. Have you tried ok_languages en zh ok_locales en zh to tell SpamAssassin that Chinese is ok? > required 5, CHARSET_FARAWAY, CHARSET_FARAWAY_HEADERS, > MAILTO_TO_SPAM_ADDR, NOSPAM_INC, SPAM_PHRASE_00_01, > SUBJ_FULL_OF_8BITS, UPPERCASE_25_50, USER_AGENT, > USER_AGENT_MOZILLA_UA, X_ACCEPT_LANG) You might change the scores for some of these tests. Regards, JP From mailscanner at ecs.soton.ac.uk Mon Mar 17 08:54:51 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:30 2006 Subject: About some Rules on SpamAssassin... In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB0A4AD58@pascal.priv.bmrb.co .uk> Message-ID: <5.2.0.9.2.20030317085351.01295a28@imap.ecs.soton.ac.uk> I have removed ok_languages. We're probably better off without it at all. Thanks for letting me know. At 08:11 17/03/2003, you wrote: > > > > I don't know if I'm asking in the wrong places, but this is happenning > > all the time and very annoying. > > Our Organization use Chinese More often then english and SpamAssassin > > always think that the mail is spam and it score very high. Most of the > > time, Mail sent by Outlook express will be marked as Spam, no mather > > they are from a MaxOs or from Windows. > >I think you need the following in spam.assassin.prefs.conf... > >ok_languages en zh >ok_locales en zh > >NOTE: ok_locales en is already specified in spam.assassing.prefs.conf, so >you'll need to find and change that line. ok_languages is not in there >are the default is to allow all languages - so you might just omit it >anyway. If you're really having problems omit/comment out ok_languages >and ok_locales to let everything through without perfoming any of these >language/ locale checks. >If that doesn't work you could also assign a zero score to those tests >which are causing false positives for you. e.g. (I'm guessing you might >see this one quite a bit...) >score SUBJ_FULL_OF_8BITS 0 > >(CHARSET_FARAWAY and CHARSET_FARAWAY_HEADERS should both be sorted by >changing ok_locales) > >more info... http://www.spamassassin.org/doc/Mail_SpamAssassin_Conf.html > > > >BMRB International >http://www.bmrb.co.uk >+44 (0)20 8566 5000 >_________________________________________________________________ >This message (and any attachment) is intended only for the >recipient and may contain confidential and/or privileged >material. 
If you have received this in error, please contact the >sender and delete this message immediately. Disclosure, copying >or other action taken in respect of this email or in >reliance on it is prohibited. BMRB International Limited >accepts no liability in relation to any personal emails, or >content of any email which does not directly relate to our >business. -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support From dcmwai at AMTB-M.ORG.MY Mon Mar 17 09:03:16 2003 
From: dcmwai at AMTB-M.ORG.MY (Chan Min Wai) Date: Thu Jan 12 21:17:30 2006 Subject: About some Rules on SpamAssassin... References: <5C0296D26910694BB9A9BBFC577E7AB0A4AD58@pascal.priv.bmrb.co.uk> Message-ID: <3E758F54.8090305@amtb-m.org.my> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Thank Kevin, It should be done :) Spicer, Kevin wrote: |>I don't know if I'm asking in the wrong places, but this is happenning |>all the time and very annoying. |>Our Organization use Chinese More often then english and SpamAssassin |>always think that the mail is spam and it score very high. Most of the |>time, Mail sent by Outlook express will be marked as Spam, no mather |>they are from a MaxOs or from Windows. | | |I think you need the following in spam.assassin.prefs.conf... | |ok_languages en zh |ok_locales en zh | |NOTE: ok_locales en is already specified in spam.assassing.prefs.conf, so you'll need to find and change that line. ok_languages is not in there are the default is to allow all languages - so you might just omit it anyway. If you're really having problems omit/comment out ok_languages and ok_locales to let everything through without perfoming any of these language/ locale checks. |If that doesn't work you could also assign a zero score to those tests which are causing false positives for you. e.g. (I'm guessing you might see this one quite a bit...) |score SUBJ_FULL_OF_8BITS 0 | |(CHARSET_FARAWAY and CHARSET_FARAWAY_HEADERS should both be sorted by changing ok_locales) | |more info... http://www.spamassassin.org/doc/Mail_SpamAssassin_Conf.html | | | |BMRB International |http://www.bmrb.co.uk |+44 (0)20 8566 5000 |_________________________________________________________________ |This message (and any attachment) is intended only for the |recipient and may contain confidential and/or privileged |material. If you have received this in error, please contact the |sender and delete this message immediately. 
Disclosure, copying |or other action taken in respect of this email or in |reliance on it is prohibited. BMRB International Limited |accepts no liability in relation to any personal emails, or |content of any email which does not directly relate to our |business. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.7 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQE+dY9TV0p9slMZLW4RAj11AKDPg9RvSFFmMHqkz1lHZD+B7GZA8gCgpRvH ctYpkE7NijKUbxyTjtc01Ow= =XkDT -----END PGP SIGNATURE----- From mailscanner at BARENDSE.TO Mon Mar 17 12:24:25 2003 
From: mailscanner at BARENDSE.TO (Remco Barendse) Date: Thu Jan 12 21:17:30 2006 Subject: About some Rules on SpamAssassin... In-Reply-To: <5.2.0.9.2.20030317085351.01295a28@imap.ecs.soton.ac.uk> Message-ID: Interesting setting. We are getting loads and loads of spam crap in chinese, although nobody speaks chinese here. Would setting ok_languages en block all messages in chinese? We do get some legitimate e-mail from china which will cause the e-mails that are replied on to contain some chinese characters but the majority of characters will be english. Would that setting block everything even with one or 2 characters in it or only mail that contains only chinese? On Mon, 17 Mar 2003, Julian Field wrote: > I have removed ok_languages. We're probably better off without it at all. > Thanks for letting me know. > > At 08:11 17/03/2003, you wrote: > > > > > > I don't know if I'm asking in the wrong places, but this is happenning > > > all the time and very annoying. > > > Our Organization use Chinese More often then english and SpamAssassin > > > always think that the mail is spam and it score very high. Most of the > > > time, Mail sent by Outlook express will be marked as Spam, no mather > > > they are from a MaxOs or from Windows. > > > >I think you need the following in spam.assassin.prefs.conf... > > > >ok_languages en zh > >ok_locales en zh > > > >NOTE: ok_locales en is already specified in spam.assassing.prefs.conf, so > >you'll need to find and change that line. ok_languages is not in there > >are the default is to allow all languages - so you might just omit it > >anyway. If you're really having problems omit/comment out ok_languages > >and ok_locales to let everything through without perfoming any of these > >language/ locale checks. > >If that doesn't work you could also assign a zero score to those tests > >which are causing false positives for you. e.g. (I'm guessing you might > >see this one quite a bit...) 
> >score SUBJ_FULL_OF_8BITS 0 > > > >(CHARSET_FARAWAY and CHARSET_FARAWAY_HEADERS should both be sorted by > >changing ok_locales) > > > >more info... http://www.spamassassin.org/doc/Mail_SpamAssassin_Conf.html > > > > > > > >BMRB International > >http://www.bmrb.co.uk > >+44 (0)20 8566 5000 > >_________________________________________________________________ > >This message (and any attachment) is intended only for the > >recipient and may contain confidential and/or privileged > >material. If you have received this in error, please contact the > >sender and delete this message immediately. Disclosure, copying > >or other action taken in respect of this email or in > >reliance on it is prohibited. BMRB International Limited > >accepts no liability in relation to any personal emails, or > >content of any email which does not directly relate to our > >business. > > -- > Julian Field > www.MailScanner.info > Professional Support Services at www.MailScanner.biz > MailScanner thanks transtec Computers for their support > > -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From m.sapsed at BANGOR.AC.UK Mon Mar 17 13:49:14 2003 From: m.sapsed at BANGOR.AC.UK (Martin Sapsed) Date: Thu Jan 12 21:17:30 2006 Subject: Beta test please References: <5.2.0.9.2.20030313200314.02721ea0@imap.ecs.soton.ac.uk> Message-ID: <3E75D25A.2010905@bangor.ac.uk> Julian Field wrote: > Before I publish this to the world, can you test these for me please? > > Only the mailscanner*rpm has changed, the other RPM's are as before. > > The ChangeLog says this: > * New Features and Improvements * > [...] > - Improved wording of message to spam senders. Does this mean the translations will need updating or have you improved all the translations too? ;-) Cheers, Martin -- Martin Sapsed Information Services "Who do you say I am?" University of Wales, Bangor Jesus of Nazareth From mbowman at UDCOM.COM Mon Mar 17 13:28:53 2003 
From: mbowman at UDCOM.COM (Matthew Bowman) Date: Thu Jan 12 21:17:30 2006 Subject: Correct Syntax for allowing files Message-ID: Hello, A client of ours sends out a virus definition file update in the form of a .bat file. The filename is Virus Definition Update-Remote Users.bat. In my filename.rules.conf file I put in the following line then restarted MailScanner allow 'Virus Definition Update-Remote Users.bat' - - MailScanner still blocked it as it looked at .bat as the extension as the full filename. Where am I going wrong here? Thanks Regards, Matthew K Bowman From mailscanner at ecs.soton.ac.uk Mon Mar 17 13:55:00 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:30 2006 Subject: Correct Syntax for allowing files In-Reply-To: Message-ID: <5.2.0.9.2.20030317135311.03cc9dd0@imap.ecs.soton.ac.uk> At 13:28 17/03/2003, you wrote: >Hello, > >A client of ours sends out a virus definition file update in the form >of a .bat file. The filename is Virus Definition Update-Remote Users.bat. > > >In my filename.rules.conf file I put in the following line then restarted >MailScanner > >allow 'Virus Definition Update-Remote Users.bat' - - 2 problems. Remove the quotes and make sure there are tabs between the 4 fields in the line, not spaces. I would also advise changing ".bat" to "\.bat$" as you want a literal "." and not "any character" and the test should be tied to the end of the filename, or else someone could send you "........bat.exe" and it would get through. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Mon Mar 17 13:57:10 2003 
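Added example (not part of the original thread and not MailScanner's own code): a small Python check for the three corrections in Julian Field's reply above, namely tab-separated fields, no quotes, and an escaped, end-anchored extension. It assumes first-match-wins, case-insensitive rule evaluation and uses Python's `re` as a stand-in for Perl regexes; the function names, the problem codes and the `deny` rule for `.exe` are constructed for illustration.

```python
import re

ACTIONS = ("allow", "deny")

# Constructed sample lines. AS_POSTED is the rule as quoted in the thread
# (spaces and quotes); CORRECTED applies all three corrections from the reply.
AS_POSTED = "allow 'Virus Definition Update-Remote Users.bat' - -"
TABS_ONLY = "allow\t'Virus Definition Update-Remote Users.bat'\t-\t-"
CORRECTED = "allow\tVirus Definition Update-Remote Users\\.bat$\t-\t-"


def lint_rule(line):
    """Return a list of problem codes for one filename.rules.conf rule line."""
    fields = line.rstrip("\n").split("\t")
    if len(fields) != 4:
        # The pattern itself may contain spaces, so a line that is not
        # tab-separated cannot be split into its four fields reliably.
        return ["fields-not-tab-separated"]
    action, pattern = fields[0], fields[1]
    problems = []
    if action not in ACTIONS:
        problems.append("unknown-action")
    core = pattern
    if len(pattern) >= 2 and pattern[0] == pattern[-1] and pattern[0] in "'\"":
        # Quotes are not delimiters here; they become part of the regex.
        problems.append("quoted-pattern")
        core = pattern[1:-1]
    # A "." right before the trailing extension that is not backslash-escaped
    # matches any character, not only a literal dot.
    if re.search(r"(?<!\\)\.[A-Za-z0-9]+\$?$", core):
        problems.append("unescaped-dot")
    # An allow rule that is not tied to the end of the name also allows
    # any longer name that merely contains the pattern.
    anchored = core.endswith("$") and not core.endswith("\\$")
    if action == "allow" and not anchored:
        problems.append("allow-not-anchored-at-end")
    return problems


def verdict(rules, filename, default="allow"):
    """Apply (action, regex) rules in order; the first match wins (assumption)."""
    for action, pattern in rules:
        if re.search(pattern, filename, re.IGNORECASE):
            return action
    return default


# Constructed rule sets: the allow rule before and after the fix, each
# followed by a deny rule for .exe attachments.
LOOSE = [("allow", "Virus Definition Update-Remote Users.bat"),
         ("deny", r"\.exe$")]
STRICT = [("allow", r"Virus Definition Update-Remote Users\.bat$"),
          ("deny", r"\.exe$")]

if __name__ == "__main__":
    for line in (AS_POSTED, TABS_ONLY, CORRECTED):
        print(repr(line), "->", lint_rule(line) or "ok")
    for name in ("Virus Definition Update-Remote Users.bat",
                 "Virus Definition Update-Remote Users.bat.exe"):
        print(name, "| loose:", verdict(LOOSE, name),
              "| strict:", verdict(STRICT, name))
```

With the loose rule the `.bat.exe` name is allowed before the `.exe` deny rule is ever reached; with the corrected rule only the exact `.bat` name is allowed.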
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:30 2006 Subject: Beta test please In-Reply-To: <3E75D25A.2010905@bangor.ac.uk> References: <5.2.0.9.2.20030313200314.02721ea0@imap.ecs.soton.ac.uk> Message-ID: <5.2.0.9.2.20030317135554.04743b30@imap.ecs.soton.ac.uk> At 13:49 17/03/2003, you wrote: >Julian Field wrote: >>Before I publish this to the world, can you test these for me please? >> >>Only the mailscanner*rpm has changed, the other RPM's are as before. >> >>The ChangeLog says this: >>* New Features and Improvements * >>[...] >>- Improved wording of message to spam senders. > >Does this mean the translations will need updating or have you improved >all the translations too? ;-) Ideally, an update of the translations would be nice. The new English text is "If you are sending spam and continue to do so, your Internet Service Provider may be contacted and requested to close your account." Thanks folks! BTW I have fixed the remaining problems with SpamAssassin 2.50 as well. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From raymond at PROLOCATION.NET Mon Mar 17 14:15:37 2003 From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:17:30 2006 Subject: Beta test please In-Reply-To: <5.2.0.9.2.20030317135554.04743b30@imap.ecs.soton.ac.uk> Message-ID: Hi! > >Does this mean the translations will need updating or have you improved > >all the translations too? ;-) > Thanks folks! > BTW I have fixed the remaining problems with SpamAssassin 2.50 as well. Any version we could test yet ? :) Bye, Raymond. From mbowman at UDCOM.COM Mon Mar 17 14:10:57 2003 
From: mbowman at UDCOM.COM (Matthew Bowman) Date: Thu Jan 12 21:17:30 2006 Subject: Correct Syntax for allowing files Message-ID: Thanks that worked like a charm. Matthew Julian Field Sent by: MailScanner mailing list 03/17/2003 08:55 AM Please respond to MailScanner mailing list To: MAILSCANNER@JISCMAIL.AC.UK cc: Subject: Re: Correct Syntax for allowing files At 13:28 17/03/2003, you wrote: >Hello, > >A client of ours sends out a virus definition file update in the form >of a .bat file. The filename is Virus Definition Update-Remote Users.bat. > > >In my filename.rules.conf file I put in the following line then restarted >MailScanner > >allow 'Virus Definition Update-Remote Users.bat' - - 2 problems. Remove the quotes and make sure there are tabs between the 4 fields in the line, not spaces. I would also advise changing ".bat" to "\.bat$" as you want a literal "." and not "any character" and the test should be tied to the end of the filename, or else someone could send you "........bat.exe" and it would get through. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From Denis.Beauchemin at USHERBROOKE.CA Mon Mar 17 14:21:12 2003 
From: Denis.Beauchemin at USHERBROOKE.CA (Denis Beauchemin) Date: Thu Jan 12 21:17:30 2006 Subject: Beta test please In-Reply-To: <5.2.0.9.2.20030317135554.04743b30@imap.ecs.soton.ac.uk> References: <5.2.0.9.2.20030313200314.02721ea0@imap.ecs.soton.ac.uk> <5.2.0.9.2.20030317135554.04743b30@imap.ecs.soton.ac.uk> Message-ID: <1047910872.31992.4.camel@dbeauchemin.si.usherbrooke.ca> On Mon 17/03/2003 at 08:57, Julian Field wrote: > Ideally, an update of the translations would be nice. The new English text is > > "If you are sending spam and continue to do so, your > Internet Service Provider may be contacted and requested to close your > account." In French: Si vous continuez à nous envoyer des polluriels nous allons contacter votre fournisseur de services Internet pour lui demander de bloquer votre compte. Denis -- Denis Beauchemin, analyste Université de Sherbrooke, S.T.I. T: 819.821.8000x2252 F: 819.821.8045 From Cleveland at MAIL.WINNEFOX.ORG Mon Mar 17 14:28:42 2003 From: Cleveland at MAIL.WINNEFOX.ORG (Jody Cleveland) Date: Thu Jan 12 21:17:30 2006 Subject: need to restart when adding to whitelist? Message-ID: <84CFA712F666B44A94CE6BE116BAF4B0B4E4A8@MAIL> Hello, Do I need to restart MailScanner each time I add to the whitelist? -- Jody Cleveland (cleveland@winnefox.org) Winnefox Library System Computer Support Specialist From raymond at PROLOCATION.NET Mon Mar 17 14:31:14 2003 From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:17:30 2006 Subject: need to restart when adding to whitelist? In-Reply-To: <84CFA712F666B44A94CE6BE116BAF4B0B4E4A8@MAIL> Message-ID: Hi! > Do I need to restart MailScanner each time I add to the whitelist? If you want to activate the changes, yes :) Bye, Raymond. From Cleveland at MAIL.WINNEFOX.ORG Mon Mar 17 14:37:34 2003 
From: Cleveland at MAIL.WINNEFOX.ORG (Jody Cleveland) Date: Thu Jan 12 21:17:30 2006 Subject: need to restart when adding to whitelist? Message-ID: <84CFA712F666B44A94CE6BE116BAF4B0B4E4A9@MAIL> > If you want to activate the changes, yes :) Ok, that's what I thought. Now, I am using spamassassin with it. Should I use the whitelist for that, or is the one for MailScanner ok? Jody From raymond at PROLOCATION.NET Mon Mar 17 14:24:50 2003 From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:17:30 2006 Subject: Beta test please In-Reply-To: <1047910872.31992.4.camel@dbeauchemin.si.usherbrooke.ca> Message-ID: Hi! > > "If you are sending spam and continue to do so, your > > Internet Service Provider may be contacted and requested to close your > > account." Dutch: Als u spam stuurt en van plan bent hiermee door te gaan kan uw Internet Service Provider benaderd worden en gevraagd worden uw account op te heffen. Bye, Raymond. > > Denis > From t.d.lee at DURHAM.AC.UK Mon Mar 17 14:43:32 2003 
From: t.d.lee at DURHAM.AC.UK (David Lee) Date: Thu Jan 12 21:17:30 2006 Subject: Beta test please In-Reply-To: <1047910872.31992.4.camel@dbeauchemin.si.usherbrooke.ca> References: <5.2.0.9.2.20030313200314.02721ea0@imap.ecs.soton.ac.uk> <5.2.0.9.2.20030317135554.04743b30@imap.ecs.soton.ac.uk> <1047910872.31992.4.camel@dbeauchemin.si.usherbrooke.ca> Message-ID: On Mon, 17 Mar 2003, Denis Beauchemin wrote: > On Mon 17/03/2003 at 08:57, Julian Field wrote: > > Ideally, an update of the translations would be nice. The new English text is > > > > "If you are sending spam and continue to do so, your > > Internet Service Provider may be contacted and requested to close your > > account." > > In French: > Si vous continuez à nous envoyer des polluriels nous allons contacter > votre fournisseur de services Internet pour lui demander de bloquer > votre compte. To my shame, I have largely forgotten the French I learned at school. But it strikes me that the translation of: your [ISP] may be contacted into: nous allons contacter votre [...] seems subtly different on two counts: 1. The "may" has become "will" (lit. "are going to"); 2. The "passive" has become "active" ("we" will do the contacting). A re-translation back to English would become "we will contact ...", wouldn't it? Is that the intention of the message? If so, perhaps that is what the English version, too, should say. -- : David Lee I.T. Service : : Systems Programmer Computer Centre : : University of Durham : : http://www.dur.ac.uk/t.d.lee/ South Road : : Durham : : Phone: +44 191 374 2882 U.K. : From m.sapsed at BANGOR.AC.UK Mon Mar 17 14:51:38 2003 
From: m.sapsed at BANGOR.AC.UK (Martin Sapsed) Date: Thu Jan 12 21:17:30 2006 Subject: Kmail and Netscape Mail with Mailscanner References: <200303131114.37023.vic@vicsfamily.net> Message-ID: <3E75E0FA.8000303@bangor.ac.uk> Victor Cain wrote: > I am running mailscanner 3.27, spamassassin 2.43, fetchmail 5.9.11, exim 3.36 > and using Kmail to read mail on a Debian Sarge system, thanks to many e-mails > from Julian. It is working fine, as long as the Debian incompatabilities > don't get too bad, however I would also like to read mail with Netscape Mail > as an alternative to Kmail. > > Netscape Mail can send mail the same way as Kmail, just sending to "localhost" > but Netscape Mail doesn't read the mail. Kmail just reads from "localhost" > but when I try that with Netscape, nothing happens. Mailx, which is also on > the system, does read it, but not Netscape. Do I need for MailScanner to > send it to a different place? Any help would be appreciated. [...] > XIII KMAIL CONFIGURATION > > NOTE: Kmail does not communicate directly with the ISP's mail server > > Incoming (Receiving) > POP Host: localhost > Port: 110 > Dest Fldr: inbox > > Outgoing (Sending) > SMTP Host: localhost > Port: 25 > > XIV NETSCAPE MAIL CONFIGURATION > > I don't have the slightest idea how to get Netscape Mail to read the incoming mail. > I did succeed in getting the outgoing mail working by just changing the ISP mail > server (smtp.comcast.net) with "localhost", leaving everything else alone. > > IF ANYONE KNOWS HOW TO DO THIS, PLEASE LET ME KNOW! If KMail is reading using POP from localhost, you need to configure Netscape to do the same. It's in the Mail&Newsgroup preferences somewhere depending on which version of Netscape you're using. Cheers, Martin -- Martin Sapsed Information Services "Who do you say I am?" University of Wales, Bangor Jesus of Nazareth From mailscanner at ecs.soton.ac.uk Mon Mar 17 14:52:02 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:30 2006 Subject: Beta test please In-Reply-To: References: <5.2.0.9.2.20030317135554.04743b30@imap.ecs.soton.ac.uk> Message-ID: <5.2.0.9.2.20030317144809.049aba40@imap.ecs.soton.ac.uk> At 14:15 17/03/2003, you wrote: >Hi! > > > >Does this mean the translations will need updating or have you improved > > >all the translations too? ;-) > > > Thanks folks! > > BTW I have fixed the remaining problems with SpamAssassin 2.50 as well. > >Any version we could test yet ? :) Sure. Beta version 4.14-5 is posted on the web site. This email is intentionally not billed as an announcement, I don't want everyone running this. The only RPM I have changed is the mailscanner rpm itself. The ChangeLog currently looks like this: * New Features and Improvements * - Signed and/or encrypted messages can now be signed without breaking the PGP/GPG signed portion of the message. - Improved OpenBSD installation and upgrading instructions. - Added check of location of all required system commands. - Improved wording of message to spam senders. - Increased max size of messages sent to SpamAssassin. Spam messages are getting bigger. - All variables in the supplied conf file are now set to something, even if just a blank value. This will make upgrade_MailScanner_conf work better. * Fixes * - Fixed important bug in filename checking code causing it not to check long filenames properly. - Changed setuid/setgid code so taint mode is not switched on. - Fixed various other issues kindly brought to my attention by Tony Finch at Cambridge Univ. - Fixed problem with deleting recipients from messages with Exim. - Fixed problem with headers being passed to SpamAssassin from Exim incorrectly. - Fixed problem when running internal TNEF decoder. - Fixed locking problems when SpamAssassin 2.50 times out. 
-- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Mon Mar 17 14:35:27 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:30 2006 Subject: need to restart when adding to whitelist? In-Reply-To: References: <84CFA712F666B44A94CE6BE116BAF4B0B4E4A8@MAIL> Message-ID: <5.2.0.9.2.20030317143442.04748e60@imap.ecs.soton.ac.uk> At 14:31 17/03/2003, you wrote: >Hi! > > > Do I need to restart MailScanner each time I add to the whitelist? > >If you want to activate the changes, yes :) A "reload" will do. This just sends a "kill -HUP" to each of the processes, forcing them to re-read their configuration files. It's quicker than doing a "restart". -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Mon Mar 17 14:46:31 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:30 2006 Subject: need to restart when adding to whitelist? In-Reply-To: <84CFA712F666B44A94CE6BE116BAF4B0B4E4A9@MAIL> Message-ID: <5.2.0.9.2.20030317144555.0497c930@imap.ecs.soton.ac.uk> At 14:37 17/03/2003, you wrote: > > If you want to activate the changes, yes :) > >Ok, that's what I thought. Now, I am using spamassassin with it. Should I >use the whitelist for that, or is the one for MailScanner ok? If you use any other spam features in MailScanner such as the "Spam Lists", then you should definitely put it in the MailScanner whitelist. If not, then it's pretty much up to you... -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Mon Mar 17 14:45:46 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:30 2006 Subject: Beta test please In-Reply-To: References: <1047910872.31992.4.camel@dbeauchemin.si.usherbrooke.ca> <5.2.0.9.2.20030313200314.02721ea0@imap.ecs.soton.ac.uk> <5.2.0.9.2.20030317135554.04743b30@imap.ecs.soton.ac.uk> <1047910872.31992.4.camel@dbeauchemin.si.usherbrooke.ca> Message-ID: <5.2.0.9.2.20030317144458.02f10f30@imap.ecs.soton.ac.uk> At 14:43 17/03/2003, you wrote: >On Mon, 17 Mar 2003, Denis Beauchemin wrote: > > > Le lun 17/03/2003 ? 08:57, Julian Field a ?crit : > > > Ideally, an update of the translations would be nice. The new English > text is > > > > > > "If you are sending spam and continue to do so, your > > > Internet Service Provider may be contacted and requested to close your > > > account." > > > > In French: > > Si vous continuez ? nous envoyer des polluriels nous allons contacter > > votre fournisseur de services Internet pour lui demander de bloquer > > votre compte. > >To my shame, I have largely forgotten the French I learned at school. > >But it strikes me that the translation of: > your [ISP] may be contacted >into: > nous allons contacter votre [...] > >seems subtly different on two counts: > >1. The "may" has become "will" (lit. "are going to"); Should definitely be "may". It's a threat, not a promise. >2. The "passive" has become "active" ("we" will do the contacting). I sure ain't doin' no contactin' :-) -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From Denis.Beauchemin at USHERBROOKE.CA Mon Mar 17 14:54:41 2003 
From: Denis.Beauchemin at USHERBROOKE.CA (Denis Beauchemin)
Date: Thu Jan 12 21:17:30 2006
Subject: Beta test please
In-Reply-To:
References: <5.2.0.9.2.20030313200314.02721ea0@imap.ecs.soton.ac.uk> <5.2.0.9.2.20030317135554.04743b30@imap.ecs.soton.ac.uk> <1047910872.31992.4.camel@dbeauchemin.si.usherbrooke.ca>
Message-ID: <1047912881.31992.13.camel@dbeauchemin.si.usherbrooke.ca>

David,

Your French is not bad at all... You are right about my translation. I
think that "MAY" is not strong enough. It's like telling someone facing
murder charges that we don't like the way he dresses... he couldn't care
less!

In fact here in Québec this point is rather moot because our ISPs don't
care about such complaints. They only act when the authorities (police or
government) force them to.

Denis

On Mon 17/03/2003 at 09:43, David Lee wrote:
> On Mon, 17 Mar 2003, Denis Beauchemin wrote:
>
> > On Mon 17/03/2003 at 08:57, Julian Field wrote:
> > > Ideally, an update of the translations would be nice. The new English text is
> > >
> > > "If you are sending spam and continue to do so, your
> > > Internet Service Provider may be contacted and requested to close your
> > > account."
> >
> > In French:
> > Si vous continuez à nous envoyer des polluriels nous allons contacter
> > votre fournisseur de services Internet pour lui demander de bloquer
> > votre compte.
>
> To my shame, I have largely forgotten the French I learned at school.
>
> But it strikes me that the translation of:
>     your [ISP] may be contacted
> into:
>     nous allons contacter votre [...]
>
> seems subtly different on two counts:
>
> 1. The "may" has become "will" (lit. "are going to");
>
> 2. The "passive" has become "active" ("we" will do the contacting).
>
> A re-translation back to English would become "we will contact ...",
> wouldn't it? Is that the intention of the message? If so, perhaps that
> is what the English version, too, should say.
--
Denis Beauchemin, analyste
Université de Sherbrooke, S.T.I.
T: 819.821.8000x2252 F: 819.821.8045

From mailscanner at LISTS.COM.AR Mon Mar 17 15:44:22 2003
From: mailscanner at LISTS.COM.AR (Mariano Absatz)
Date: Thu Jan 12 21:17:30 2006
Subject: Beta test please
In-Reply-To: <5.2.0.9.2.20030317135554.04743b30@imap.ecs.soton.ac.uk>
References: <3E75D25A.2010905@bangor.ac.uk>
Message-ID: <3E75C326.30099.9FAB8147@localhost>

On 17 Mar 2003 at 13:57, Julian Field wrote:

> At 13:49 17/03/2003, you wrote:
> >Julian Field wrote:
> >>Before I publish this to the world, can you test these for me please?
> >>
> >>Only the mailscanner*rpm has changed, the other RPM's are as before.
> >>
> >>The ChangeLog says this:
> >>* New Features and Improvements *
> >>[...]
> >>- Improved wording of message to spam senders.
> >
> >Does this mean the translations will need updating or have you improved
> >all the translations too? ;-)
>
> Ideally, an update of the translations would be nice. The new English text is
>
> "If you are sending spam and continue to do so, your
> Internet Service Provider may be contacted and requested to close your
> account."

Spanish:
Si usted está enviando spam y continúa haciéndolo, su Proveedor de
Internet podrá ser contactado para requerirle que le clausure su cuenta.

Luis? R-U there? Waddaya think?

--
Mariano Absatz
El Baby
----------------------------------------------------------
Windows, another fine product from the folks who gave us EDLIN.

From jgoggan at DCG.COM Mon Mar 17 16:03:31 2003
From: jgoggan at DCG.COM (John Goggan)
Date: Thu Jan 12 21:17:30 2006
Subject: How to test emails through SA using MS config?
Message-ID: <3E75F1D3.13C33D22@dcg.com>

Is there some easy way to do message testing/reporting via SA using the
MailScanner config?

In other words, I run MS with SA -- and let's say it marks something as spam
-- and now I'd like to see a full report. If I was just using SA, I could
just do "spamassassin -t < spam.message" to see the report. If I do that as
it is now, I don't get the same report -- since my MailScanner config enables
things like whitelists and such. How do I go about getting SA to use my
MailScanner config options so that I get the report I expect?

It just seems that there should be a "MailScanner -t < spam.message" sort of
way to do such things easily, yes?

- John...

From andersan at LTKALMAR.SE Mon Mar 17 16:10:58 2003
From: andersan at LTKALMAR.SE (Anders Andersson, IT)
Date: Thu Jan 12 21:17:30 2006
Subject: SV: Beta test please
Message-ID: <9F18B7DDBA88E544AB1F19951489166601463F@lkl63.ltkalmar.se>

> -----Original message-----
> From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK]
> Sent: 17 March 2003 14:57
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: Beta test please
>
>
> At 13:49 17/03/2003, you wrote:
> >Julian Field wrote:
> >>Before I publish this to the world, can you test these for me please?
> >>
> >>Only the mailscanner*rpm has changed, the other RPM's are as before.
> >>
> >>The ChangeLog says this:
> >>* New Features and Improvements *
> >>[...]
> >>- Improved wording of message to spam senders.
> >
> >Does this mean the translations will need updating or have you improved
> >all the translations too? ;-)
>
> Ideally, an update of the translations would be nice. The new English text is
>
> "If you are sending spam and continue to do so, your
> Internet Service Provider may be contacted and requested to
> close your account."

Swedish:
Om ni skickar SPAM och forsätter att skicka SPAM, kommer er ISP att
kontaktas med rekommendationen att ert konto stängs med omedelbar verkan.

>
> Thanks folks!
>
> BTW I have fixed the remaining problems with SpamAssassin 2.50 as well.
> --
> Julian Field
> www.MailScanner.info
> MailScanner thanks transtec Computers for their support
>

From Kevin.Spicer at BMRB.CO.UK Mon Mar 17 16:32:46 2003
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin)
Date: Thu Jan 12 21:17:30 2006
Subject: Clam Antivirus
Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0A4AD59@pascal.priv.bmrb.co.uk>

Does anyone know what's going on with Clam? Their website seems to have
been down since Friday.

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000
_________________________________________________________________
This message (and any attachment) is intended only for the recipient
and may contain confidential and/or privileged material. If you have
received this in error, please contact the sender and delete this
message immediately. Disclosure, copying or other action taken in
respect of this email or in reliance on it is prohibited. BMRB
International Limited accepts no liability in relation to any personal
emails, or content of any email which does not directly relate to our
business.

From nerijus at USERS.SOURCEFORGE.NET Mon Mar 17 16:47:57 2003
From: nerijus at USERS.SOURCEFORGE.NET (Nerijus Baliunas)
Date: Thu Jan 12 21:17:30 2006
Subject: Read quarantined spam in mail cient?
In-Reply-To: <3E75FB6E.4528BC6C@dcg.com>
References: <3E75FB6E.4528BC6C@dcg.com>
Message-ID: <20030317164630.A8884144F3@mx.ktv.lt>

On Mon, 17 Mar 2003 11:44:30 -0500 John Goggan wrote:

> I have some interest in storing them the new default way though -- as actual
> individual files with the header and message in one file. Is there an easy
> way to concatenate these together into a client-readable (i.e. mbox format)
> version fairly easily?

Yes, you can concatenate them after adding From header required for mbox
to every message (smth like echo From...>>mbox; cat file>>mbox), or copy
single files to Maildir.

Regards,
Nerijus

From jgoggan at DCG.COM Mon Mar 17 16:44:30 2003
From: jgoggan at DCG.COM (John Goggan)
Date: Thu Jan 12 21:17:30 2006
Subject: Read quarantined spam in mail cient?
Message-ID: <3E75FB6E.4528BC6C@dcg.com>

A few months ago, I asked about being able to read the quarantined spam easily
with a normal mail client (I do this after I make significant spam-catching
changes to make sure I'm not identifying too much real mail as spam). At the
time, only queue-based (df/qf) storage occurred -- so Julian did up the handy
df2mbox -- which works well.

I have some interest in storing them the new default way though -- as actual
individual files with the header and message in one file. Is there an easy
way to concatenate these together into a client-readable (i.e. mbox format)
version fairly easily? I assume it should be fairly trivial, but just don't
know how to do it myself, sorry. If it is a big problem/difficulty, I guess I
could just go back to the queue-file format and continue to use df2mbox.

Thanks.

- John...

From mailscanner at ecs.soton.ac.uk Mon Mar 17 16:29:26 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:30 2006
Subject: How to test emails through SA using MS config?
In-Reply-To: <3E75F1D3.13C33D22@dcg.com>
Message-ID: <5.2.0.9.2.20030317162723.040296d8@imap.ecs.soton.ac.uk>

At 16:03 17/03/2003, you wrote:
>Is there some easy way to do message testing/reporting via SA using the
>MailScanner config?
>
>In other words, I run MS with SA -- and let's say it marks something as spam
>-- and now I'd like to see a full report. If I was just using SA, I could
>just do "spamassassin -t < spam.message" to see the report. If I do that as
>it is now, I don't get the same report -- since my MailScanner config enables
>things like whitelists and such. How do I go about getting SA to use my
>MailScanner config options so that I get the report I expect?

You just surely need to configure a SpamAssassin installation to use the
same options as your MailScanner config uses when talking to SpamAssassin.
You could even set up a script run via an account with a ".forward" file,
so that it took the message, ran it through spamassassin -t and then
replied with the report.

>It just seems that there should be a "MailScanner -t < spam.message" sort of
>way to do such things easily, yes?

It's not quite as easy as that...
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From carles at descom.es Mon Mar 17 17:04:41 2003
From: carles at descom.es (Carles Xavier Munyoz =?iso-8859-1?q?Bald=F3?=)
Date: Thu Jan 12 21:17:30 2006
Subject: Clam Antivirus
In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB0A4AD59@pascal.priv.bmrb.co.uk>
References: <5C0296D26910694BB9A9BBFC577E7AB0A4AD59@pascal.priv.bmrb.co.uk>
Message-ID: <200303171804.44524.carles@descom.es>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Monday 17 March 2003 17:32, Spicer, Kevin wrote:
> Does anyone know whats going on with Clam? Their website seems to have
> been down since Friday.

Yes, and I get the error:
[...]
Checking for a new database - started at Mon Mar 17 15:31:47 2003
viruses.db2 is up to date.
ERROR: The checksum of viruses.db database isn't ok. Please check it yourself or try again.
[...]

When the update daemon tries to update its virus database.

Greetings.
- ---
Carles Xavier Munyoz Baldó
carles@descom.es
Descom Consulting
Telf: +34 965861024
Fax: +34 965861024
http://www.descom.es/
- ---
-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8

iQA/AwUBPnYAKTvYAf7VZNaaEQKzLwCbBMuSbcCpdSO9Mh/eW8DYeGA7wEIAn0Y/
wFi7kgm7VHG6bwookLcoeXud
=CBmf
-----END PGP SIGNATURE-----

From ivan at NUCCI.COM.BR Mon Mar 17 17:13:17 2003
From: ivan at NUCCI.COM.BR (Ivan Mirisola)
Date: Thu Jan 12 21:17:30 2006
Subject: Clam Antivirus
References: <5C0296D26910694BB9A9BBFC577E7AB0A4AD59@pascal.priv.bmrb.co.uk> <200303171804.44524.carles@descom.es>
Message-ID: <3E76022D.2070100@nucci.com.br>

I am also getting an error:

]# /usr/bin/freshclam
Checking for a new database - started at Mon Mar 17 14:08:30 2003
Current working dir is /var/lib/clamav
ERROR: Can't connect to port 80 of host clamav.elektrapro.com
ERROR: Connection with clamav.elektrapro.com failed.

I think that they had some problems with their servers or internet link.
Or maybe they just retired, who knows.
Let's wait and see if they come back soon.

>On Monday 17 March 2003 17:32, Spicer, Kevin wrote:
>
>
>>Does anyone know whats going on with Clam? Their website seems to have
>>been down since Friday.
>>
>>

Greetings,
----------------------------
Ivan Mirisola
Analista de Sistemas
Nucci Systems
ivan@nucci.com.br
+55 11 3049-3610

From mailscanner at ecs.soton.ac.uk Mon Mar 17 16:58:45 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:30 2006
Subject: Read quarantined spam in mail cient?
In-Reply-To: <20030317164630.A8884144F3@mx.ktv.lt>
References: <3E75FB6E.4528BC6C@dcg.com> <3E75FB6E.4528BC6C@dcg.com>
Message-ID: <5.2.0.9.2.20030317165546.02edfdc8@imap.ecs.soton.ac.uk>

At 16:47 17/03/2003, you wrote:
>On Mon, 17 Mar 2003 11:44:30 -0500 John Goggan wrote:
>
> > I have some interest in storing them the new default way though -- as actual
> > individual files with the header and message in one file. Is there an easy
> > way to concatenate these together into a client-readable (i.e. mbox format)
> > version fairly easily?
>
>Yes, you can concatenate them after adding From header required for mbox
>to every message (smth like echo From...>>mbox; cat file>>mbox), or copy
>single files to Maildir.

Something like this will give you the idea:

Call this make.mbox.sh

#!/bin/sh

# Write every file in the current directory to stdout, each one preceded
# by an mbox "From " line and followed by a blank line.
for f in *
do
  echo 'From someone@somewhere.com'
  cat "$f"    # quoted so that file names containing spaces still work
  echo
done

And then do
./make.mbox.sh > mailbox-file
it will cat together all the files in the current directory with a message
break between each one. Someone will probably tell me I can't just use
"From someone@somewhere.com", but give it a try anyway.

Hopefully that gives you the general idea.
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From james at PCXPERIENCE.COM Mon Mar 17 19:51:40 2003
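[Added example, not part of any list message: the "Read quarantined spam" thread above concatenates one-file-per-message quarantine files into an mbox. This Python sketch does the same but writes a dated envelope line and applies mboxrd ">From " quoting, so a body line that starts with "From " does not split a message. The function names, the MAILER-DAEMON placeholder sender and the sample messages are assumptions made for the illustration.]

```python
import os
import re
import tempfile
import time

# Constructed sample messages (not from the list). The first has a body line
# starting with "From ", which is what breaks plain concatenation.
SAMPLE_MESSAGES = {
    "msg1": b"From: alice@example.com\nSubject: offer\n\nFrom now on, prices are lower.\n",
    "msg2": b"From: bob@example.net\nSubject: hello\n\nPlain body.\n",
}

_FROM_LINE = re.compile(rb"^(>*From )")


def message_to_mbox_entry(raw, sender="MAILER-DAEMON", when=None):
    """Return one message as an mbox entry: envelope line, quoted lines, blank line."""
    lines = raw.replace(b"\r\n", b"\n").split(b"\n")
    if lines and lines[-1] == b"":
        lines.pop()  # empty piece left by the trailing newline
    if lines and lines[0].startswith(b"From "):
        envelope, lines = lines[0], lines[1:]  # file already carries an envelope line
    else:
        # "From <sender> <asctime date>": the date is what a bare "From someone" lacks
        stamp = time.asctime(time.gmtime(when))
        envelope = ("From %s %s" % (sender, stamp)).encode("ascii")
    # mboxrd quoting: a line matching ^>*From<space> gets one more '>' so a
    # reader does not take it for the start of the next message
    quoted = [_FROM_LINE.sub(rb">\1", line) for line in lines]
    return b"\n".join([envelope] + quoted) + b"\n\n"


def naive_concat(messages):
    """The echo/cat approach from the thread: fixed separator, no quoting."""
    return b"".join(b"From someone@somewhere.com\n" + m + b"\n" for m in messages)


def count_messages(mbox_bytes):
    """Count messages as a simple mbox reader does: one per line starting 'From '."""
    return sum(1 for line in mbox_bytes.split(b"\n") if line.startswith(b"From "))


def quarantine_to_mbox(directory, mbox_path):
    """Append every regular file in `directory` to a new mbox; return how many."""
    target = os.path.abspath(mbox_path)
    count = 0
    with open(mbox_path, "wb") as out:
        for name in sorted(os.listdir(directory)):
            path = os.path.join(directory, name)
            # skip sub-directories and the output file itself
            if not os.path.isfile(path) or os.path.abspath(path) == target:
                continue
            with open(path, "rb") as fh:
                raw = fh.read()
            # the file's mtime stands in for the delivery date
            out.write(message_to_mbox_entry(raw, when=os.path.getmtime(path)))
            count += 1
    return count


if __name__ == "__main__":
    workdir = tempfile.mkdtemp()
    for name, raw in SAMPLE_MESSAGES.items():
        with open(os.path.join(workdir, name), "wb") as fh:
            fh.write(raw)
    mbox = os.path.join(workdir, "spam.mbox")
    written = quarantine_to_mbox(workdir, mbox)
    with open(mbox, "rb") as fh:
        seen = count_messages(fh.read())
    print("files written:", written, "messages a reader sees:", seen)
    print("naive concatenation, messages a reader sees:",
          count_messages(naive_concat(list(SAMPLE_MESSAGES.values()))))
```
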
From: james at PCXPERIENCE.COM (James A. Pattie)
Date: Thu Jan 12 21:17:30 2006
Subject: Config File Idea
Message-ID: <3E76274C.8070207@pcxperience.com>

What if the MailScanner code remembered the date/time stamp of each
config file when it initially started and parsed them. Then before
using the data structure for a given config file, it checks to see if
the file has changed and if it did, re-loads the config file.

Obviously, we would need some form of file locking, etc. to make sure
that you don't read a config file that is half way created and to make
this work, we would need a script that locked the file and then let you
run vi, etc. and then unlocked it when you were done.

The reason I bring this up is for the ideas of making a web
configuration interface that many users could be changing settings in a
database and then the config program re-generates the config files every
X minutes or as the user finishes their changes. But we don't want to
constantly be restarting MailScanner or telling the user they are going
to have to wait X minutes before their changes are live if we do restart
MailScanner all the time, etc.

Any thoughts, suggestions, etc. welcome.

Anyone interested in working on a user configuration interface?

--
James A. Pattie
james@pcxperience.com

Linux -- SysAdmin / Programmer
Xperience, Inc.
http://www.pcxperience.com/
http://www.xperienceinc.com/

GPG Key Available at http://www.pcxperience.com/gpgkeys/james.html


--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From craig at STRONG-BOX.NET Mon Mar 17 20:00:24 2003
From: craig at STRONG-BOX.NET (Craig Pratt)
Date: Thu Jan 12 21:17:30 2006
Subject: Read quarantined spam in mail cient?
In-Reply-To: <3E75FB6E.4528BC6C@dcg.com>
Message-ID: <1755838E-58B3-11D7-9E13-000393B9390A@strong-box.net>

What we do is tag the message subject with "[bulk]" using the MS "Spam
Subject Text" options. Then we use a global procmail rule to store the
spam messages in a folder in each user's ~/Mail/Bulk folder:

...
MAILDIR=${HOME}/mail #First check what your mail directory is!
...
:0:
* ^Subject:.\[BULK\]
Bulk

They can view these with IMAP and SquirrelMail when they want to sort
through the tailings.

You can easily write these into a single file as well. Just give a full
path for the mail folder.

Craig

---
Craig Pratt
Strongbox Network Services Inc.
mailto:craig@strong-box.net

On Monday, March 17, 2003, at 08:44 AM, John Goggan wrote:

> A few months ago, I asked about being able to read the quarantined spam easily
> with a normal mail client (I do this after I make significant spam-catching
> changes to make sure I'm not identifying too much real mail as spam). At the
> time, only queue-based (df/qf) storage occurred -- so Julian did up the handy
> df2mbox -- which works well.
>
> I have some interest in storing them the new default way though -- as actual
> individual files with the header and message in one file. Is there an easy
> way to concatenate these together into a client-readable (i.e. mbox format)
> version fairly easily? I assume it should be fairly trivial, but just don't
> know how to do it myself, sorry. If it is a big problem/difficulty, I guess I
> could just go back to the queue-file format and continue to use df2mbox.
>
> Thanks.
>
> - John...

--
This message checked for dangerous content by MailScanner on StrongBox.

From mailscanner at ecs.soton.ac.uk Mon Mar 17 20:09:30 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:30 2006
Subject: Config File Idea
In-Reply-To: <3E76274C.8070207@pcxperience.com>
Message-ID: <5.2.0.9.2.20030317200921.0226c008@imap.ecs.soton.ac.uk>

There are already a few possibilities here. If you are changing the config
files, then you should use flock() (advisory file locks) exclusive locks on
them while you are updating them, that will make sure that MailScanner
isn't trying to read a few you are half way through writing.

You can shorten the "Restart Every" time to a few minutes, which just
regularly does the same as a MailScanner "reload" does. There is very
little efficiency hit by doing this, it just causes MailScanner to scrap
scanning the current batches of messages and start processing them again.
On a reasonably-loaded MailScanner server that will only cause a few
messages to be re-scanned.

Or else you can do a "reload" when the config files have been updated. You
don't need to do a "restart" which is a much more heavyweight operation.
All a "reload" does is do a "kill -HUP" on all the MailScanner processes,
causing them all to scrap the current batch, re-read the config files and
start again.

As for writing a configuration user interface, I don't really have much
intention of doing that. Everyone's requirements are so different that it
would be impossible to create one which suited everyone. For certain groups
of users, this has already been done, such as the Webmin module which has
been written.

At 19:51 17/03/2003, you wrote:
>What if the MailScanner code remembered the date/time stamp of each
>config file when it initially started and parsed them. Then before
>using the data structure for a given config file, it checks to see if
>the file has changed and if it did, re-loads the config file.
>
>Obviously, we would need some form of file locking, etc. to make sure
>that you don't read a config file that is half way created and to make
>this work, we would need a script that locked the file and then let you
>run vi, etc. and then unlocked it when you were done.
>
>The reason I bring this up is for the ideas of making a web
>configuration interface that many users could be changing settings in a
>database and then the config program re-generates the config files every
>X minutes or as the user finishes their changes. But we don't want to
>constantly be restarting MailScanner or telling the user they are going
>to have to wait X minutes before their changes are live if we do restart
>MailScanner all the time, etc.
>
>Any thoughts, suggestions, etc. welcome.
>
>Anyone interested in working on a user configuration interface?
>
>--
>James A. Pattie
>james@pcxperience.com
>
>Linux -- SysAdmin / Programmer
>Xperience, Inc.
>http://www.pcxperience.com/
>http://www.xperienceinc.com/
>
>GPG Key Available at http://www.pcxperience.com/gpgkeys/james.html
>
>
>--
>This message has been scanned for viruses and
>dangerous content by MailScanner, and is
>believed to be clean.

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

From wkuiters at FREE.FR Mon Mar 17 20:14:26 2003
From: wkuiters at FREE.FR (Willem Kuiters)
Date: Thu Jan 12 21:17:30 2006
Subject: sophos 3.67 and wrapper script
Message-ID: <20030317201426.GA2561@bragann>

I use mailscanner 3.27.1-1 on a debian (sarge) system with sophos. I use
Julian's IDE-update script and the sophoswrapper script.

Mine looks like this:

#PackageDir=/usr/local
#prog=sweep # `basename $0`
#
#SAV_IDE=$PackageDir/ide
#LD_LIBRARY_PATH=$PackageDir/lib
#export SAV_IDE
#export LD_LIBRARY_PATH
#
#exec ${PackageDir}/bin/$prog "$@"

Since I upgraded to sophos 3.67, running the sophoswrapper script
returns the error:

"Error initialising detection engine - missing part of virus data"

I tried using the file that came on the Sophos CD in case the fault was
caused by an error in downloading the update but the result remained the
same. Launching the command "sweep" on the command line works fine.

I do not quite see what could cause this error and hope for some hints.

Willem

From mailscanner at ecs.soton.ac.uk Mon Mar 17 20:24:17 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:30 2006
Subject: sophos 3.67 and wrapper script
In-Reply-To: <20030317201426.GA2561@bragann>
Message-ID: <5.2.0.9.2.20030317201844.02190ac0@imap.ecs.soton.ac.uk>

You will need the scripts out of the version 4 distribution, which I have
attached for you.
You may need to tweak the paths at the top of them a bit.

By the way, there are *major* performance problems with Sophos 3.67. It
takes 3 times longer to start up than previous versions. Please lodge a
complaint with Sophos tech support, so that they get their lousy new code
fixed. The new 3.67 using the old (fast) engine is available, it is the
"XRS" version. If you don't have these on your CD from Sophos, contact
their tech support and ask where you can download them from.

Their new engine is appallingly slow to start up, and the more people that
complain about it, the greater chance of them actually fixing it.

At 20:14 17/03/2003, you wrote:
>I use mailscanner 3.27.1-1 on a debian (sarge) system with sophos. I use
>Julian's IDE-update script and the sophoswrapper script.
>
>Mine looks like this:
>
>#PackageDir=/usr/local
>#prog=sweep # `basename $0`
>#
>#SAV_IDE=$PackageDir/ide
>#LD_LIBRARY_PATH=$PackageDir/lib
>#export SAV_IDE
>#export LD_LIBRARY_PATH
>#
>#exec ${PackageDir}/bin/$prog "$@"
>
>Since I upgraded to sophos 3.67, running the sophoswrapper script
>returns the error:
>
>"Error initialising detection engine - missing part of virus data"
>
>I tried using the file that came on the Sophos CD in case the fault was
>caused by an error in downloading the update but the result remained the
>same. Launching the command "sweep" on the command line works fine.
>
>I do not quite see what could cause this error and hope for some hints.
>
>Willem
-------------- next part --------------
A non-text attachment was scrubbed...
Name: sophos-autoupdate
Type: application/octet-stream
Size: 3673 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030317/0831b8f7/sophos-autoupdate.obj
-------------- next part --------------
A non-text attachment was scrubbed...
Name: sophos-wrapper
Type: application/octet-stream
Size: 1502 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030317/0831b8f7/sophos-wrapper.obj
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Sophos.install
Type: application/x-internet-signup
Size: 2231 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030317/0831b8f7/Sophos.bin
-------------- next part --------------
--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

From wkuiters at FREE.FR Mon Mar 17 20:58:17 2003
From: wkuiters at FREE.FR (Willem Kuiters)
Date: Thu Jan 12 21:17:30 2006
Subject: sophos 3.67 and wrapper script
In-Reply-To: <5.2.0.9.2.20030317201844.02190ac0@imap.ecs.soton.ac.uk>
References: <20030317201426.GA2561@bragann> <5.2.0.9.2.20030317201844.02190ac0@imap.ecs.soton.ac.uk>
Message-ID: <20030317205817.GA3183@bragann>

On Mon, Mar 17, 2003 at 08:24:17PM +0000, Julian Field wrote:
> You will need the scripts out of the version 4 distribution, which I have
> attached for you.
> You may need to tweak the paths at the top of them a bit.
>
> By the way, there are *major* performance problems with Sophos 3.67. It
> takes 3 times longer to start up than previous versions. Please lodge a
> complaint with Sophos tech support, so that they get their lousy new code
> fixed. The new 3.67 using the old (fast) engine is available, it is the
> "XRS" version. If you don't have these on your CD from Sophos, contact
> their tech support and ask where you can download them from.
>
> Their new engine is appallingly slow to start up, and the more people that
> complain about it, the greater chance of them actually fixing it.

Many thanks, that solved it. I installed the XRS version and your new
scripts. I'll write a complaint about the performance problems of the
3.67 engine now.

Willem
complaint to Sophos tech support

From patricksteiner at BLUEWIN.CH Mon Mar 17 21:01:53 2003
From: patricksteiner at BLUEWIN.CH (Patrick Steiner)
Date: Thu Jan 12 21:17:30 2006
Subject: delivery spam as attachement
Message-ID: <3E7637C1.3060809@bluewin.ch>

Please add a function so that I can set the delivery mode to attached. Then
every spam mail is delivered as an attachment (like amavis).

At the bottom you can see the mail that is generated by amavis. This is
useful for spam mails that include external HTML code.

(sorry for my bad English)

English:
=======

This mail is probably spam. The original message has been attached
along with this report. Please report problems directly to sysman.

Content analysis details: (52.90 points, 4.4 required)
FROM_ENDS_IN_NUMS      (0.7 points)  From: ends in numbers
X_PRIORITY_HIGH        (2.0 points)  Sent with 'X-Priority' set to high
MSGID_SPAMSIGN_6LETTER (4.4 points)  Message-Id generated by spam tool (6-letter variant)
MIME_ODD_CASE          (4.3 points)  MiME-Version header (oddly capitalized)
RCVD_FAKE_HELO_DOTCOM  (2.3 points)  Received contains a faked HELO hostname
SUBJ_HAS_SPACES        (2.0 points)  Subject contains lots of white space
HTML_SHOUTING9         (2.7 points)  BODY: HTML has very strong "shouting" markup
HTML_FONT_BIG          (0.1 points)  BODY: FONT Size +2 and up or 3 and up
HTML_70_80             (0.4 points)  BODY: Message is 70% to 80% HTML
HTML_FONT_COLOR_RED    (0.1 points)  BODY: HTML font color is red
HTML_IMAGE_ONLY_06     (1.1 points)  BODY: HTML has images with 400-600 bytes of words
HTML_MESSAGE           (0.1 points)  BODY: HTML included in message
HIDE_WIN_STATUS        (2.2 points)  BODY: Javascript to hide URLs in browser
MIME_MISSING_BOUNDARY  (0.8 points)  RAW: MIME section missing boundary
BASE64_ENC_TEXT        (1.7 points)  RAW: Message text disguised using base-64 encoding
NORMAL_HTTP_TO_IP      (0.5 points)  URI: Uses a dotted-decimal IP address in URL
MSGID_OUTLOOK_TIME     (4.4 points)  Message-Id is fake (in Outlook Express format)
FORGED_AOL_RCVD        (4.3 points)  Received forged, contains fake AOL relays
FORGED_RCVD_TRAIL      (1.8 points)  trail of Received: headers seems to be forged
FORGED_YAHOO_RCVD      (2.3 points)  'From' yahoo.com does not match 'Received' headers
SUBJ_HAS_UNIQ_ID       (0.8 points)  Subject contains a unique ID
MULTI_FORGED           (4.3 points)  Received headers indicate multiple forgeries
FORGED_MUA_AOL         (3.8 points)  Forged mail pretending to be from AOL
MIME_HTML_ONLY         (0.1 points)  Message only has text/html MIME parts
MISSING_MIMEOLE        (0.5 points)  Message has X-MSMail-Priority, but no X-MimeOLE
MISSING_OUTLOOK_NAME   (0.9 points)  Message looks like Outlook, but isn't
CONFIRMED_FORGED       (4.3 points)  Received headers are forged

The original message did not contain plain text, and may be unsafe to
open with some email clients; in particular, it may contain a virus, or
confirm that your address can receive spam. If you wish to view it, it
may be safer to save it to a file and open it with an editor.

From james at PCXPERIENCE.COM Mon Mar 17 21:16:45 2003
From: james at PCXPERIENCE.COM (James A. Pattie)
Date: Thu Jan 12 21:17:30 2006
Subject: Config File Idea
In-Reply-To: <5.2.0.9.2.20030317200921.0226c008@imap.ecs.soton.ac.uk>
References: <5.2.0.9.2.20030317200921.0226c008@imap.ecs.soton.ac.uk>
Message-ID: <3E763B3D.4090500@pcxperience.com>

Julian Field wrote:
> There are already a few possibilities here. If you are changing the config
> files, then you should use flock() (advisory file locks) exclusive locks on
> them while you are updating them, that will make sure that MailScanner
> isn't trying to read a few you are half way through writing.
>
> You can shorten the "Restart Every" time to a few minutes, which just
> regularly does the same as a MailScanner "reload" does. There is very
> little efficiency hit by doing this, it just causes MailScanner to scrap
> scanning the current batches of messages and start processing them again.
> On a reasonably-loaded MailScanner server that will only cause a few
> messages to be re-scanned.
>
> Or else you can do a "reload" when the config files have been updated. You
> don't need to do a "restart" which is a much more heavyweight operation.
> All a "reload" does is do a "kill -HUP" on all the MailScanner processes,
> causing them all to scrap the current batch, re-read the config files and
> start again.

Sorry, I was thinking "reload" and wrote "restart".
Actually, I'm thinking about an environment where you are running from
apache and don't want to have to "reload" MailScanner when a change
happens either because you haven't got sudo permissions setup, etc. or
apache won't allow you to run a suid/guid program with a uid/gid < 500.

I was just proposing an idea to see if you had any objections, etc. and
if not, I was going to work on it in my spare time. :)

>
> As for writing a configuration user interface, I don't really have much
> intention of doing that. Everyone's requirements are so different that it
> would be impossible to create one which suited everyone. For certain groups
> of users, this has already been done, such as the Webmin module which has
> been written.

I'm not asking for you to make it, I was just seeing if anyone else
wanted something that would be more for an end user (say an ISP client
like yahoo, etc.) to enable spam, virus checks, add some
whitelist/blacklist entries but not actually to administer MailScanner
overall like the Webmin module already tries to.

>
> At 19:51 17/03/2003, you wrote:
>
>> What if the MailScanner code remembered the date/time stamp of each
>> config file when it initially started and parsed them. Then before
>> using the data structure for a given config file, it checks to see if
>> the file has changed and if it did, re-loads the config file.
>>
>> Obviously, we would need some form of file locking, etc. to make sure
>> that you don't read a config file that is half way created and to make
>> this work, we would need a script that locked the file and then let you
>> run vi, etc. and then unlocked it when you were done.
>>
>> The reason I bring this up is for the ideas of making a web
>> configuration interface that many users could be changing settings in a
>> database and then the config program re-generates the config files every
>> X minutes or as the user finishes their changes. But we don't want to
>> constantly be restarting MailScanner or telling the user they are going
>> to have to wait X minutes before their changes are live if we do restart
>> MailScanner all the time, etc.
>>
>> Any thoughts, suggestions, etc. welcome.
>>
>> Anyone interested in working on a user configuration interface?

--
James A. Pattie
james@pcxperience.com

Linux -- SysAdmin / Programmer
Xperience, Inc.
http://www.pcxperience.com/
http://www.xperienceinc.com/

GPG Key Available at http://www.pcxperience.com/gpgkeys/james.html


--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
From mailscanner at ecs.soton.ac.uk Mon Mar 17 21:27:24 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:30 2006
Subject: Config File Idea
In-Reply-To: <3E763B3D.4090500@pcxperience.com>
References: <5.2.0.9.2.20030317200921.0226c008@imap.ecs.soton.ac.uk>
 <5.2.0.9.2.20030317200921.0226c008@imap.ecs.soton.ac.uk>
Message-ID: <5.2.0.9.2.20030317212452.021c3ff0@imap.ecs.soton.ac.uk>

At 21:16 17/03/2003, you wrote:
>Sorry, I was thinking "reload" and wrote "restart".
>Actually, I'm thinking about an environment where you are running from
>apache and don't want to have to "reload" MailScanner when a change
>happens either because you haven't got sudo permissions setup, etc. or
>apache won't allow you to run a suid/guid program with a uid/gid < 500.

In that case I would just make the "Restart Every" time nice and short, say
10 minutes or so. Minimal overhead.

>I'm not asking for you to make it, I was just seeing if anyone else
>wanted something that would be more for an end user (say an ISP client
>like yahoo, etc.) to enable spam, virus checks, add some
>whitelist/blacklist entries but not actually to administer MailScanner
>overall like the Webmin module already tries to.

It would be really useful if you fancy writing one, and I'm sure it would
be appreciated by other users on this list.
--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

From HancockS at MORGANCO.COM Mon Mar 17 21:47:35 2003
From: HancockS at MORGANCO.COM (Hancock, Scott)
Date: Thu Jan 12 21:17:31 2006
Subject: Messages Waiting Incoming queue
Message-ID: <03Mar17.163729est.119050@gateway.morganco.com>

Greetings all,

I have waiting files in my exim incoming queue. I believe these files
are orphaned when I terminate mailscanner.

When I stop mailscanner I continue to receive incoming to my incoming
queue. When I start mailscanner again it does not process the mail that
has already arrived. However, any new mail that arrives does get
processed. I'm still waiting 3 days later (on 3 insignificant emails).
The -H and -D files look ok to me. Below is a -H and -D file in the
queue.

I admit my start stop scripts may be a contributing factor. Below is my
start stop /etc/init.d/mailscanner modified from the Debian package to
address the /opt directory. Does this script need some modification to
address the new child spawning in 4.x?

Debian Sarge
Exim 3.36
Mailscanner 4.13 (running as mail, tar installation)
SA 2.44

Thanks for any help.

Scott Hancock



**************start script *****************************

#! /bin/sh
#
# skeleton      example file to build /etc/init.d/ scripts.
#               This file should be used to construct scripts for /etc/init.d.
#
#               Written by Miquel van Smoorenburg .
#               Modified for Debian GNU/Linux
#               by Ian Murdock .
#
# Version:      @(#)skeleton  1.8  03-Mar-1998  miquels@cistron.nl
#
# This file was automatically customized by dh-make on Fri,  4 Jan 2002 20:05:18 +0100

#PATH=/sbin:/bin:/usr/sbin:/usr/bin
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/opt/MailScanner/bin
#DAEMON=/usr/sbin/check_mailscanner
DAEMON=/opt/MailScanner/bin/check_mailscanner
NAME=MailScanner
DESC=MailScanner

test -f $DAEMON || exit 0

set -e

run_mailscanner=0
if [ -f /etc/default/mailscanner ]; then
    . /etc/default/mailscanner
fi

if [ $run_mailscanner = 0 ]; then
   cat <<EOF

Please edit the file /etc/mailscanner/mailscanner.conf according to your
needs.
Then configure sendmail or exim for use with mailscanner.

After you are done you will have to edit /etc/default/mailscanner as
well. There you will have to set the variable run_mailscanner to 1,
and then type "/etc/init.d/mailscanner start" to start the mailscanner
daemon.

EOF
   exit 0
fi

case "$1" in
  start)
        #echo -n "Starting $DESC: "
        start-stop-daemon --start --quiet --pidfile /opt/MailScanner/var/$NAME.pid \
                --exec $DAEMON
        RETVAL=$?
        if [ $RETVAL -eq 0 ]; then
            touch /var/lock/subsys/mailscanner
        fi
        #echo "$NAME."
        echo ' '
        ;;
  stop)
        echo -n "Stopping $DESC: "
        start-stop-daemon --stop --quiet --pidfile /opt/MailScanner/var/$NAME.pid
        RETVAL=$?
        if [ $RETVAL -eq 0 ]; then
            rm -f /var/lock/subsys/mailscanner
        fi
        echo "$NAME."
        ;;
  restart|force-reload)
        #
        #       If the "reload" option is implemented, move the "force-reload"
        #       option to the "reload" entry above. If not, "force-reload" is
        #       just the same as "restart".
        #
        echo "Restarting $DESC: "
        start-stop-daemon --stop --quiet --pidfile /opt/MailScanner/var/$NAME.pid
        RETVAL=$?
        if [ $RETVAL -eq 0 ]; then
            rm -f /var/lock/subsys/mailscanner
        fi
        sleep 1
        start-stop-daemon --start --quiet --pidfile /opt/MailScanner/var/$NAME.pid \
                --exec $DAEMON
        RETVAL=$?
        if [ $RETVAL -eq 0 ]; then
            touch /var/lock/subsys/mailscanner
        fi
        #echo NAME."
        echo ' '
        ;;
  *)
        N=/etc/init.d/$NAME
        # echo "Usage: $N {start|stop|restart|reload|force-reload}" >&2
        echo "Usage: $N {start|stop|restart|force-reload}" >&2
        exit 1
        ;;
esac

exit 0





************ -H ***********************

18tuPF-0001Uk-00-H
root 0 0
<3dsmax_MAXScript.listmanager@support.discreet.com>
1047668389 0
-helo_name morganco.com
-host_address ###.###.###.###.31248   ==>## replace my internal ip's
-interface_address ###.###.###.###
-received_protocol esmtp
-body_linecount 14
-deliver_firsttime
XX
1
hancocks@morganco.com

191P Received: from [172.16.2.3] (helo=morganco.com)
        by pebbles.morganco.com with esmtp (Exim 3.36 #1 (Debian))
        id 18tuPF-0001Uk-00
        for ; Fri, 14 Mar 2003 08:59:49 -1000
131P Received: from mut.autodesk.com ([198.102.112.26]) by
 gateway.morganco.com with ESMTP id <119237>; Fri, 14 Mar 2003 08:50:06
 -0500
182P Received: from support.discreet.com (disweb03.autodesk.com
 [144.111.4.235])
        by mut.autodesk.com (8.12.8/8.12.6) with ESMTP id h2EDwsQF027351;
        Fri, 14 Mar 2003 05:58:54 -0800 (PST)
045  Date: Fri, 14 Mar 2003 05:58:54 -0800 (PST)
059I Message-Id: <200303141358.h2EDwsQF027351@mut.autodesk.com>
091F From: "3dsmax_MAXScript: James Carson"
 <3dsmax_MAXScript.listmanager@support.discreet.com>
020  Subject: Tutorials?
068R Reply-To: "MAXScript" <3dsmax_MAXScript.39397@support.discreet.com>
026  X-Mailer: WebBoard 6.0.15
017  Precedence: Bulk
027T To: Unlisted-recipients :;

**************** -D file ***********************************

18tuPF-0001Uk-00-D
From: "James Carson"

1 Meg I think..

I sent you an email on my work email you can send it to if you want.
Put my work email here, then remember the spam trolls :)

Thanks!!


To reply: mailto:3dsmax_MAXScript.39397@support.discreet.com
To start a new topic: mailto:3dsmax_MAXScript@support.discreet.com
To login: http://support.discreet.com/webboard/wbpx.dll/~3dsmax
To (un)subscribe: mailto:
3dsmax_MAXScript.list-request@support.discreet.com




> -----Original Message-----
> From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK]
> Sent: Wednesday, March 05, 2003 5:16 AM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: Messages Waiting
>
> At 23:08 04/03/2003, you wrote:
> >When MailScanner restarts I get a lot of messages waiting, yet my mailq
> >is more or less empty.
> >
> >So what are these waiting messages?
> >
> >Mar  4 22:34:47 www mailscanner[2604]: Startup: found 345 messages
> >waiting
>
> You may well have loads of orphaned files in mqueue.in. You can safely
> delete
> 1) anything old
> 2) any df files without matching qf files
> 3) any qf files without matching df files
> 4) any xf files
> But make sure sendmail isn't running when you do this.
> --
> Julian Field
> www.MailScanner.info
> Professional Support Services at www.MailScanner.biz
> MailScanner thanks transtec Computers for their support

From jase at SENSIS.COM Mon Mar 17 22:06:13 2003
From: jase at SENSIS.COM (Desai, Jason)
Date: Thu Jan 12 21:17:31 2006
Subject: Messages Waiting Incoming queue
Message-ID:

Does

exim -Mvl 18tuPF-0001Uk-00

give you any clues?  (Run "exim -Mvl ")

Jason

> -----Original Message-----
> From: Hancock, Scott [mailto:HancockS@MORGANCO.COM]
> Sent: Monday, March 17, 2003 4:48 PM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: [MAILSCANNER] Messages Waiting Incoming queue
>
>
> Greetings all,
>
> I have waiting files in my exim incoming queue. I believe these files
> are orphaned when I terminate mailscanner.
>
> When I stop mailscanner I continue to receive incoming to my incoming
> queue. When I start mailscanner again it does not process the mail that
> has already arrived. However, any new mail that arrives does get
> processed. I'm still waiting 3 days later (on 3 insignificant emails).
> The -H and -D files look ok to me. Below is a -H and -D file in the
> queue.
>
> I admit my start stop scripts may be a contributing factor. Below is my
> start stop /etc/init.d/mailscanner modified from the Debian package to
> address the /opt directory. Does this script need some modification to
> address the new child spawning in 4.x?
>
> Debian Sarge
> Exim 3.36
> Mailscanner 4.13 (running as mail, tar installation)
> SA 2.44
>
> Thanks for any help.
>
> Scott Hancock
>
>
>
> **************start script *****************************
>
> #! /bin/sh
> #
> # skeleton      example file to build /etc/init.d/ scripts.
> #               This file should be used to construct scripts for /etc/init.d.
> #
> #               Written by Miquel van Smoorenburg .
> #               Modified for Debian GNU/Linux
> #               by Ian Murdock .
> #
> # Version:      @(#)skeleton  1.8  03-Mar-1998  miquels@cistron.nl
> #
> # This file was automatically customized by dh-make on Fri,  4 Jan 2002 20:05:18 +0100
>
> #PATH=/sbin:/bin:/usr/sbin:/usr/bin
> PATH=/sbin:/bin:/usr/sbin:/usr/bin:/opt/MailScanner/bin
> #DAEMON=/usr/sbin/check_mailscanner
> DAEMON=/opt/MailScanner/bin/check_mailscanner
> NAME=MailScanner
> DESC=MailScanner
>
> test -f $DAEMON || exit 0
>
> set -e
>
> run_mailscanner=0
> if [ -f /etc/default/mailscanner ]; then
>     . /etc/default/mailscanner
> fi
>
> if [ $run_mailscanner = 0 ]; then
>    cat <<EOF
>
> Please edit the file /etc/mailscanner/mailscanner.conf according to your
> needs.
> Then configure sendmail or exim for use with mailscanner.
>
> After you are done you will have to edit /etc/default/mailscanner as
> well. There you will have to set the variable run_mailscanner to 1,
> and then type "/etc/init.d/mailscanner start" to start the mailscanner
> daemon.
>
> EOF
>    exit 0
> fi
>
> case "$1" in
>   start)
>         #echo -n "Starting $DESC: "
>         start-stop-daemon --start --quiet --pidfile /opt/MailScanner/var/$NAME.pid \
>                 --exec $DAEMON
>         RETVAL=$?
>         if [ $RETVAL -eq 0 ]; then
>             touch /var/lock/subsys/mailscanner
>         fi
>         #echo "$NAME."
>         echo ' '
>         ;;
>   stop)
>         echo -n "Stopping $DESC: "
>         start-stop-daemon --stop --quiet --pidfile /opt/MailScanner/var/$NAME.pid
>         RETVAL=$?
>         if [ $RETVAL -eq 0 ]; then
>             rm -f /var/lock/subsys/mailscanner
>         fi
>         echo "$NAME."
>         ;;
>   restart|force-reload)
>         #
>         #       If the "reload" option is implemented, move the "force-reload"
>         #       option to the "reload" entry above. If not, "force-reload" is
>         #       just the same as "restart".
>         #
>         echo "Restarting $DESC: "
>         start-stop-daemon --stop --quiet --pidfile /opt/MailScanner/var/$NAME.pid
>         RETVAL=$?
>         if [ $RETVAL -eq 0 ]; then
>             rm -f /var/lock/subsys/mailscanner
>         fi
>         sleep 1
>         start-stop-daemon --start --quiet --pidfile /opt/MailScanner/var/$NAME.pid \
>                 --exec $DAEMON
>         RETVAL=$?
>         if [ $RETVAL -eq 0 ]; then
>             touch /var/lock/subsys/mailscanner
>         fi
>         #echo NAME."
>         echo ' '
>         ;;
>   *)
>         N=/etc/init.d/$NAME
>         # echo "Usage: $N {start|stop|restart|reload|force-reload}" >&2
>         echo "Usage: $N {start|stop|restart|force-reload}" >&2
>         exit 1
>         ;;
> esac
>
> exit 0
>
>
>
>
>
> ************ -H ***********************
>
> 18tuPF-0001Uk-00-H
> root 0 0
> <3dsmax_MAXScript.listmanager@support.discreet.com>
> 1047668389 0
> -helo_name morganco.com
> -host_address ###.###.###.###.31248   ==>## replace my internal ip's
> -interface_address ###.###.###.###
> -received_protocol esmtp
> -body_linecount 14
> -deliver_firsttime
> XX
> 1
> hancocks@morganco.com
>
> 191P Received: from [172.16.2.3] (helo=morganco.com)
>         by pebbles.morganco.com with esmtp (Exim 3.36 #1 (Debian))
>         id 18tuPF-0001Uk-00
>         for ; Fri, 14 Mar 2003 08:59:49 -1000
> 131P Received: from mut.autodesk.com ([198.102.112.26]) by
>  gateway.morganco.com with ESMTP id <119237>; Fri, 14 Mar 2003 08:50:06
>  -0500
> 182P Received: from support.discreet.com (disweb03.autodesk.com
>  [144.111.4.235])
>         by mut.autodesk.com (8.12.8/8.12.6) with ESMTP id h2EDwsQF027351;
>         Fri, 14 Mar 2003 05:58:54 -0800 (PST)
> 045  Date: Fri, 14 Mar 2003 05:58:54 -0800 (PST)
> 059I Message-Id: <200303141358.h2EDwsQF027351@mut.autodesk.com>
> 091F From: "3dsmax_MAXScript: James Carson"
>  <3dsmax_MAXScript.listmanager@support.discreet.com>
> 020  Subject: Tutorials?
> 068R Reply-To: "MAXScript" <3dsmax_MAXScript.39397@support.discreet.com>
> 026  X-Mailer: WebBoard 6.0.15
> 017  Precedence: Bulk
> 027T To: Unlisted-recipients :;
>
> **************** -D file ***********************************
>
> 18tuPF-0001Uk-00-D
> From: "James Carson"
>
> 1 Meg I think..
>
> I sent you an email on my work email you can send it to if you want.
> Put my work email here, then remember the spam trolls :)
>
> Thanks!!
>
>
> To reply: mailto:3dsmax_MAXScript.39397@support.discreet.com
> To start a new topic: mailto:3dsmax_MAXScript@support.discreet.com
> To login: http://support.discreet.com/webboard/wbpx.dll/~3dsmax
> To (un)subscribe: mailto:
> 3dsmax_MAXScript.list-request@support.discreet.com
>
>
>
>
> > -----Original Message-----
> > From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK]
> > Sent: Wednesday, March 05, 2003 5:16 AM
> > To: MAILSCANNER@JISCMAIL.AC.UK
> > Subject: Re: Messages Waiting
> >
> > At 23:08 04/03/2003, you wrote:
> > >When MailScanner restarts I get a lot of messages waiting, yet my mailq
> > >is more or less empty.
> > >
> > >So what are these waiting messages?
> > >
> > >Mar  4 22:34:47 www mailscanner[2604]: Startup: found 345 messages
> > >waiting
> >
> > You may well have loads of orphaned files in mqueue.in. You can safely
> > delete
> > 1) anything old
> > 2) any df files without matching qf files
> > 3) any qf files without matching df files
> > 4) any xf files
> > But make sure sendmail isn't running when you do this.
> > --
> > Julian Field
> > www.MailScanner.info
> > Professional Support Services at www.MailScanner.biz
> > MailScanner thanks transtec Computers for their support
>

From jgoggan at DCG.COM Mon Mar 17 22:17:22 2003
From: jgoggan at DCG.COM (John Goggan)
Date: Thu Jan 12 21:17:31 2006
Subject: SA score in archived spam messages?
Message-ID: <3E764972.FD21068D@dcg.com>

For some people, I have spam stored as queue files in the quarantine.  I
sometimes rebuild these into an mbox format using the df2mbox tool and look
over them to make sure it is all spam.

Is there a way to configure things so that these messages also have the
X-MailScanner-SpamCheck line with the SA score and such?

Or, I basically just want a dump of all of the spam in an mbox readable
format with the headers intact...  Maybe there is a better way to do that
instead of going to the quarantine store?

Maybe instead of "store", I should redirect it to a spam-catch account or
something?  Or is there some reason why one way might be better than the
other?

I'm open to suggestions.  Thanks.

 - John...

From jgoggan at DCG.COM Tue Mar 18 00:23:01 2003
From: jgoggan at DCG.COM (John Goggan)
Date: Thu Jan 12 21:17:31 2006
Subject: Read quarantined spam in mail client?
References: <3E75FB6E.4528BC6C@dcg.com> <3E75FB6E.4528BC6C@dcg.com>
 <5.2.0.9.2.20030317165546.02edfdc8@imap.ecs.soton.ac.uk>
Message-ID: <3E7666E5.41501FC4@dcg.com>

If anyone is interested, I modified Julian's df2mbox to instead handle the
combined ("h-file") format and create valid mbox files.  Like df2mbox, you
can give it multiple directories in the quarantine and it will go through,
process each one, and give you a "spam." file in mbox format.

Here it is:

---
#!/bin/sh
#
# JKF 27/06/2002 (C) Julian Field
#
# This script will create an "mbox" format file called "spam."
# in the current directory for each of the directories which are passed
# on the command-line to this script. So you can do
#     cd /var/spool/MailScanner/quarantine
#     h2mbox *
# and it will create a "spam." file in the current directory,
# where each is one of the directory names passed on the
# command line. This file will contain all the messages that were
# quarantined in their entirety.
# So if you have
#     Quarantine Whole Message = no
# the only thing in these directories will be spam, not viruses (but
# it will include spam that contained viruses, so be careful!).
#
# Note that h2mbox is for use when you have
#     Quarantine Whole Messages As Queue Files = no
# set. If you have that set to yes, then you need df2mbox instead.
#
# Version 1.1 (df2mbox) Include date format fix
# Version 1.2 (df2mbox) Supports directory layout in MailScanner V4
# Version 1.3 h2mbox based on df2mbox; modified by jgoggan@dcg.com for
#             use with the new "header then body in 1 file" format.
#

parentdir=`pwd`
export parentdir

# Process each directory named on the command line
while [ -n "$1" ]
do
  dir="$1"
  shift
  echo -n "Processing directory $dir..."
  if [ \! -d $dir ]; then
    echo $dir is not a directory
    exit 1
  fi
  cd $dir/spam
  # Emit an mbox "From " separator line, then the message, then a blank line
  for h in h*
  do
    from=`grep 'From:' $h | sed 's/.*\(<.*>\)/\1/g'`
    echo From $from `date "+%a %b %d %T %Y"`
    cat $h
    echo
  done > mbox.$dir
  cd $parentdir
  mv $dir/spam/mbox.$dir spam.$dir
  echo done
done
---

 - John...

From Jan-Peter.Koopmann at SECEIDOS.DE Tue Mar 18 09:28:52 2003
From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann)
Date: Thu Jan 12 21:17:31 2006
Subject: FreeBSD port beta test
Message-ID: <4E7026FF8A422749B1553FE508E0068007EFA8@message.intern.akctech.de>

Hello everybody,

I am working on a FreeBSD port of MailScanner at the moment. I still have
some things to do in terms of man pages etc. but the
Makefiles/patches/etc. will most probably be ready sometime today.

I am now looking for FreeBSD beta testers. Anyone willing to participate
please drop me an e-mail.

Thanks,
  Jan-Peter

From E.H.Beekman at AMC.UVA.NL Tue Mar 18 09:25:27 2003
From: E.H.Beekman at AMC.UVA.NL (Ewald Beekman)
Date: Thu Jan 12 21:17:31 2006
Subject: Infinite Monkeys and spamassassin
Message-ID: <20030318092523.GC1186@elmo.amc.uva.nl>

Spam which slips through (score less than 5) is often identified by the
Infinite-Monkeys RBL. Because I wanted this to add to the score I told
spamassassin to also do RBL checks (skip_rbl_checks 0), but apparently
spamassassin doesn't use the Infinite-Monkeys list because the score stays
low?

 X-AMC-SpamCheck: spam, Infinite-Monkeys, SpamAssassin (score=3.3, vereist 5,
        BIG_FONT, HTML_50_70, HTML_WITH_BGCOLOR, MIME_HTML_NO_CHARSET,
        MISSING_MIMEOLE, SPAM_PHRASE_00_01, USER_AGENT_OE, WEB_BUGS)
 X-AMC-SpamScore: sss

regards,
Ewald...

--
Ewald Beekman, Security Engineer, Academic Medical Center,
dept. ADB/ICT Computer & Network Services, The Netherlands
## Your mind-mint is:
The idea is to die young as late as possible.
                -- Ashley Montague

From mailscanner at ecs.soton.ac.uk Tue Mar 18 09:55:49 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:31 2006
Subject: Infinite Monkeys and spamassassin
In-Reply-To: <20030318092523.GC1186@elmo.amc.uva.nl>
Message-ID: <5.2.0.9.2.20030318095209.049d3b00@imap.ecs.soton.ac.uk>

Take a look at /usr/share/spamassassin/20_head_tests.cf. You need to create
a new rule something along these lines:

header RCVD_IN_INFINITE_MONKEYS rbleval:check_rbl('relay', 'proxies.relays.monkeys.com.')
describe RCVD_IN_INFINITE_MONKEYS Received via a relay in proxies.relays.monkeys.com
tflags RCVD_IN_INFINITE_MONKEYS net

score RCVD_IN_INFINITE_MONKEYS 5.00

This will have to go in the SpamAssassin configuration file (other people
on the list will be able to give you an exact location).

At 09:25 18/03/2003, you wrote:
>Spam which slips through (score less than 5) is often identified by the
>Infinite-Monkeys RBL. Because I wanted this to add to the score I told
>spamassassin to also do RBL checks (skip_rbl_checks 0), but apparently
>spamassassin doesn't use the Infinite-Monkeys list because the score stays
>low?
>
> X-AMC-SpamCheck: spam, Infinite-Monkeys, SpamAssassin (score=3.3, vereist 5,
>        BIG_FONT, HTML_50_70, HTML_WITH_BGCOLOR, MIME_HTML_NO_CHARSET,
>        MISSING_MIMEOLE, SPAM_PHRASE_00_01, USER_AGENT_OE, WEB_BUGS)
> X-AMC-SpamScore: sss

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From m.sapsed at bangor.ac.uk Tue Mar 18 10:54:19 2003
From: m.sapsed at bangor.ac.uk (Martin Sapsed)
Date: Thu Jan 12 21:17:31 2006
Subject: Beta test please
References: <5.2.0.9.2.20030313200314.02721ea0@imap.ecs.soton.ac.uk>
 <5.2.0.9.2.20030317135554.04743b30@imap.ecs.soton.ac.uk>
Message-ID: <3E76FADB.4050601@bangor.ac.uk>

Julian Field wrote:
> Ideally, an update of the translations would be nice. The new English
> text is
>
> "If you are sending spam and continue to do so, your
> Internet Service Provider may be contacted and requested to close your
> account."

Welsh version is

"Os ydych yn anfon sbam - ac yn parhau i wneud hynny - mae'n bosibl y
cysylltir â'ch Darparwr Gwasanaeth Rhyngrwyd a gofyn iddo gau eich cyfrif."

Cheers,

Martin

--
Martin Sapsed
Information Services               "Who do you say I am?"
University of Wales, Bangor             Jesus of Nazareth

From rc at ITSS.NERC.AC.UK Tue Mar 18 12:03:30 2003
From: rc at ITSS.NERC.AC.UK (Ron Campbell)
Date: Thu Jan 12 21:17:31 2006
Subject: spam volume
Message-ID: <3E770B12.6020906@itss.nerc.ac.uk>

  are we alone in thinking there has been a significant increase in the
amount of SPAM (much of it pretty nasty) which has arrived in the last
few days ?


Does anyone have an explanation or is it just a sad fact of the modern
Internet.


Thanks ... Ron

From mailscanner at ecs.soton.ac.uk Tue Mar 18 12:10:12 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:31 2006
Subject: spam volume
In-Reply-To: <3E770B12.6020906@itss.nerc.ac.uk>
Message-ID: <5.2.0.9.2.20030318120909.04c5df10@imap.ecs.soton.ac.uk>

At 12:03 18/03/2003, you wrote:
>  are we alone in thinking there has been a significant increase in the
>amount of SPAM (much of it pretty nasty) which has arrived in the last
>few days ?
>
>
>Does anyone have an explanation or is it just a sad fact of the modern
>Internet.

Over the past few months, we have seen spam rise from 15% to over 25% of
our total mail volume.

I strongly advise people to start using the "striphtml" spam action to
clean up nasty spam.
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From Ulysees at ULYSEES.COM Tue Mar 18 12:26:30 2003
From: Ulysees at ULYSEES.COM (Ulysees)
Date: Thu Jan 12 21:17:31 2006
Subject: [OTish] Sophos & licensing
Message-ID: <000501c2ed49$9ad1a020$3201010a@nimitz>

I'm just after talking with the Sophos distributor for Ireland as I'm
looking to renew some savi licenses that I have.
I've now been told that the license is based on the number of users that
will benefit from the product as opposed to the number of users that use it.
Can anybody shed a bit of light on this ?

By this logic if someone inside sends an infected mail to 1000 people
outside the organisation and my mailscanner grabs it 1000 people have
benefited.
Or if I had a webserver that ran icheckd, theoretically every user that
visits the website benefits.

Is this the new Sophos stance ?
Start slower and license you to infinity.
If so I'll be moving to a different engine.

Great product btw Julian, it's made my life a lot easier.

Uly

From wkuiters at FREE.FR Tue Mar 18 12:55:11 2003
From: wkuiters at FREE.FR (Willem Kuiters)
Date: Thu Jan 12 21:17:31 2006
Subject: sophos 3.67 and wrapper script
In-Reply-To: <20030317205817.GA3183@bragann>
References: <20030317201426.GA2561@bragann>
 <5.2.0.9.2.20030317201844.02190ac0@imap.ecs.soton.ac.uk>
 <20030317205817.GA3183@bragann>
Message-ID: <20030318125511.GA1894@bragann>

On Mon, Mar 17, 2003 at 09:58:17PM +0100, Willem Kuiters wrote:
> > Their new engine is appallingly slow to start up, and the more people that
> > complain about it, the greater chance of them actually fixing it.
>
> Many thanks, that solved it. I installed the XRS version and your new
> scripts. I'll write a complaint about the performance problems of the
> 3.67 engine now.

Here is their reply:

Willem.

The reason for the slow down in performance is the increased detection
rates for certain files.. if you wish to turn this off then please look at
the following document...

This message is about slow-downs in scan speeds that may be reported with
SAV v3.67 on Unix platforms.

Version 3.67 of Sophos Anti-Virus on non-Windows platform sees a big jump
in engine capabilities. In particular it contains plug-ins enabling
thorough scans of four common file types - pdf, rtf, elf (Linux/BSD
binaries) and .class (java 'executables').

The addition of these plug-ins means that the engine is doing more work to
provide better protection.

As a result of this some customers may report significant increases in the
time taken to scan their filesystems. Increases will vary according to the
number and proportion of the file types mentioned above. The extreme
example is scanning a set of files consisting solely of pdfs, rtfs, elf
binaries and java files. In this case the scan time increases by a factor
of just over 3 (60 minutes -> 195 minutes).

The important thing to remember is that the slowdown is due to the
increased level of protection that we need to provide given the continuing
growth in the number of different file types that can carry viruses.

It is possible to disable these four options when using sweep by adding the
following command-line arguments:

        -nopt=Pdf
        -nopt=Elf
        -nopt=Rtf
        -nopt=Java

Don't forget that use of any of these options may seriously impact our
ability to detect viruses in those types of file.

Part of the speed reduction appears to be due to the internationalisation
that was also introduced in v3.67. We are looking into that and other areas
of concern and hope to be able to offer some performance improvements
without compromising security in the coming months.

Stephen Higgins

Technical Support Engineer

From nerijus at USERS.SOURCEFORGE.NET Tue Mar 18 13:34:43 2003
From: nerijus at USERS.SOURCEFORGE.NET (Nerijus Baliunas)
Date: Thu Jan 12 21:17:31 2006
Subject: sophos 3.67 and wrapper script
In-Reply-To: <20030318125511.GA1894@bragann>
References: <20030317201426.GA2561@bragann><5.2.0.9.2.20030317201844.02190ac0@imap.ecs.soton.ac.uk><20030317205817.GA3183@bragann>
 <20030318125511.GA1894@bragann>
Message-ID: <200303181338.h2IDcOR8008917@mx.ktv.lt>

As it was already reported here, disabling these four options makes scanning
even slower. You can report it to Sophos.

> On Mon, Mar 17, 2003 at 09:58:17PM +0100, Willem Kuiters wrote:
> > > Their new engine is appallingly slow to start up, and the more people that
> > > complain about it, the greater chance of them actually fixing it.
> >
> > Many thanks, that solved it. I installed the XRS version and your new
> > scripts. I'll write a complaint about the performance problems of the
> > 3.67 engine now.
>
> Here is their reply:
>
> Willem.
>
> The reason for the slow down in performance is the increased detection
> rates for certain files.. if you wish to turn this off then please look at
> the following document...
>
> This message is about slow-downs in scan speeds that may be reported with
> SAV v3.67 on Unix platforms.
>
> Version 3.67 of Sophos Anti-Virus on non-Windows platform sees a big jump
> in engine capabilities. In particular it contains plug-ins enabling
> thorough scans of four common file types - pdf, rtf, elf (Linux/BSD
> binaries) and .class (java 'executables').
>
> The addition of these plug-ins means that the engine is doing more work to
> provide better protection.
>
> As a result of this some customers may report significant increases in the
> time taken to scan their filesystems. Increases will vary according to the
> number and proportion of the file types mentioned above. The extreme
> example is scanning a set of files consisting solely of pdfs, rtfs, elf
> binaries and java files. In this case the scan time increases by a factor
> of just over 3 (60 minutes -> 195 minutes).
>
> The important thing to remember is that the slowdown is due to the
> increased level of protection that we need to provide given the continuing
> growth in the number of different file types that can carry viruses.
>
> It is possible to disable these four options when using sweep by adding the
> following command-line arguments:
>
>         -nopt=Pdf
>         -nopt=Elf
>         -nopt=Rtf
>         -nopt=Java
>
> Don't forget that use of any of these options may seriously impact our
> ability to detect viruses in those types of file.
>
> Part of the speed reduction appears to be due to the internationalisation
> that was also introduced in v3.67. We are looking into that and other areas
> of concern and hope to be able to offer some performance improvements
> without compromising security in the coming months.
>
> Stephen Higgins
>
> Technical Support Engineer

From Denis.Beauchemin at USHERBROOKE.CA Tue Mar 18 13:49:12 2003
From: Denis.Beauchemin at USHERBROOKE.CA (Denis Beauchemin)
Date: Thu Jan 12 21:17:31 2006
Subject: Beta test please
In-Reply-To: <20030317232737.GH21673@hoiho.nz.lemon-computing.com>
References: <5.2.0.9.2.20030313200314.02721ea0@imap.ecs.soton.ac.uk>
 <5.2.0.9.2.20030317135554.04743b30@imap.ecs.soton.ac.uk>
 <1047910872.31992.4.camel@dbeauchemin.si.usherbrooke.ca>
 <1047912881.31992.13.camel@dbeauchemin.si.usherbrooke.ca>
 <20030317232737.GH21673@hoiho.nz.lemon-computing.com>
Message-ID: <1047995352.4057.35.camel@dbeauchemin.si.usherbrooke.ca>

On Mon 17/03/2003 at 18:27, Nick Phillips wrote:
> My French needs practise, so Denis, how about something like:
> "Si vous continuez a (sorry, haven't got my compose key sorted out on this
> machine yet) envoyer des polluriels, vous pourriez attendre que l'on
> contactera votre fournisseur de services Internet pour lui demander de
> bloquer votre compte."

OK, here it goes in the true original meaning of Julian's words:

Si vous continuez à envoyer des polluriels, nous pourrions décider de
contacter votre fournisseur de services Internet pour lui demander de
bloquer votre compte.

Denis
--
Denis Beauchemin, analyste
Université de Sherbrooke, S.T.I.
T: 819.821.8000x2252 F: 819.821.8045

From jase at SENSIS.COM Tue Mar 18 13:50:39 2003
From: jase at SENSIS.COM (Desai, Jason)
Date: Thu Jan 12 21:17:31 2006
Subject: Infinite Monkeys and spamassassin
Message-ID:

Is this the typical way of adding new tests to spamassassin?  Would it make
more sense to put these lines in MailScanner's spam.assassin.prefs.conf?  Or
is there some limitation with this specific test that it has to go in
20_head_tests.cf?

The advantage of putting it in spam.assassin.prefs.conf is that when you
upgrade spamassassin, you don't need to remember to update the
20_head_test.cf file.  The advantage of putting it in the 20_head_test.cf
file would be that other applications that use spamassassin can use the same
rule.

So where do people normally put new spamassassin rules?

Jason

> -----Original Message-----
> From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK]
> Sent: Tuesday, March 18, 2003 4:56 AM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: [MAILSCANNER] Infinite Monkeys and spamassassin
>
>
> Take a look at /usr/share/spamassassin/20_head_tests.cf. You need to
> create a new rule something along these lines:
>
> header RCVD_IN_INFINITE_MONKEYS rbleval:check_rbl('relay', 'proxies.relays.monkeys.com.')
> describe RCVD_IN_INFINITE_MONKEYS Received via a relay in proxies.relays.monkeys.com
> tflags RCVD_IN_INFINITE_MONKEYS net
>
> score RCVD_IN_INFINITE_MONKEYS 5.00
>
> This will have to go in the SpamAssassin configuration file (other
> people on the list will be able to give you an exact location).
>
> At 09:25 18/03/2003, you wrote:
> >Spam which slips through (score less than 5) is often identified by the
> >Infinite-Monkeys RBL. Because I wanted this to add to the score I told
> >spamassassin to also do RBL checks (skip_rbl_checks 0), but apparently
> >spamassassin doesn't use the Infinite-Monkeys list because the score
> >stays low?
> >
> > X-AMC-SpamCheck: spam, Infinite-Monkeys, SpamAssassin (score=3.3, vereist 5,
> >        BIG_FONT, HTML_50_70, HTML_WITH_BGCOLOR, MIME_HTML_NO_CHARSET,
> >        MISSING_MIMEOLE, SPAM_PHRASE_00_01, USER_AGENT_OE, WEB_BUGS)
> > X-AMC-SpamScore: sss
>
> --
> Julian Field
> www.MailScanner.info
> MailScanner thanks transtec Computers for their support
>

From Chris.Campbell at FAC.COM Tue Mar 18 14:03:33 2003
From: Chris.Campbell at FAC.COM (Chris Campbell)
Date: Thu Jan 12 21:17:31 2006
Subject: spam volume
Message-ID:

The strip_html feature only works on emails marked as spam...correct?

Is there any way that *all* email could be stripped of the 1 image nasty
porn emails?  Or even maybe a list of users who want this feature?

Thanks,

.....................................
Christopher S. Campbell
UNIX Admin
First Albany Corp




Julian Field
Sent by: MailScanner mailing list
03/18/2003 07:10 AM
Please respond to MailScanner mailing list

        To:     MAILSCANNER@JISCMAIL.AC.UK
        cc:
        Subject:        Re: spam volume


At 12:03 18/03/2003, you wrote:
>  are we alone in thinking there has been a significant increase in the
>amount of SPAM (much of it pretty nasty) which has arrived in the last
>few days ?
>
>
>Does anyone have an explanation or is it just a sad fact of the modern
>Internet.

Over the past few months, we have seen spam rise from 15% to over 25% of
our total mail volume.

I strongly advise people to start using the "striphtml" spam action to
clean up nasty spam.
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030318/034d7976/attachment.html

From mailscanner at ecs.soton.ac.uk Tue Mar 18 13:55:24 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:31 2006 Subject: [OTish] Sophos & licensing In-Reply-To: <000501c2ed49$9ad1a020$3201010a@nimitz> Message-ID: <5.2.0.9.2.20030318135438.03e29ae8@imap.ecs.soton.ac.uk> At 12:26 18/03/2003, you wrote: >I'm just after talking with the Sophos distributor for Ireland as I'm >looking to renew some savi licenses that I have. >I've now been told that the license is based on the number of users that >will benefit from the product as opposed to the number of users that use it. >Can anybody shed a bit of light on this ? Just count the number of people inside your site. It's them who you are (primarily) protecting. >By this logic if someone inside sends an infected mail to 1000 people >outside the organisation and my mailscanner grabs it 1000 people have >benefited. >Or if I had a webserver that ran icheckd, theoretically every user that >visits the website benefits. > >Is this the new Sophos stance ? >Start slower and license you to infinity. >If so I'll be moving to a different engine. > >Great product btw Julian, it's made my life a lot easier. > >Uly -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Tue Mar 18 13:57:32 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:31 2006
Subject: sophos 3.67 and wrapper script
In-Reply-To: <20030318125511.GA1894@bragann>
References: <20030317205817.GA3183@bragann> <20030317201426.GA2561@bragann> <5.2.0.9.2.20030317201844.02190ac0@imap.ecs.soton.ac.uk> <20030317205817.GA3183@bragann>
Message-ID: <5.2.0.9.2.20030318135548.04c44e90@imap.ecs.soton.ac.uk>

The basis of the complaint is not that it is much slower to scan files, but
it spends 3 times longer starting up before scanning the first file!

Just get them to do a
         time sweep /dev/null
and they will soon see the difference between 3.66 and 3.67.

The extra "disabling" switches reduce the time to scan each time, but make
the startup time even slower :-(

At 12:55 18/03/2003, you wrote:
>On Mon, Mar 17, 2003 at 09:58:17PM +0100, Willem Kuiters wrote:
> > > Their new engine is appallingly slow to start up, and the more people that
> > > complain about it, the greater chance of them actually fixing it.
> >
> > Many thanks, that solved it. I installed the XRS version and your new
> > scripts. I'll write a complaint about the performance problems of the
> > 3.67 engine now.
>
>Here is their reply:
>
>Willem.
>
>The reason for the slow down in performance is the increased detection
>rates for certain files.. if you wish to turn this off then please look at
>the following document...
>
>This message is about slow-downs in scan speeds that may be reported with
>SAV v3.67 on Unix platforms.
>
>Version 3.67 of Sophos Anti-Virus on non-Windows platform sees a big jump
>in engine capabilities. In particular it contains plug-ins enabling
>thorough scans of four common file types - pdf, rtf, elf (Linux/BSD
>binaries) and .class (java 'executables').
>
>The addition of these plug-ins means that the engine is doing more work to
>provide better protection.
>
>As a result of this some customers may report significant increases in the
>time taken to scan their filesystems. Increases will vary according to the
>number and proportion of the file types mentioned above. The extreme
>example is scanning a set of files consisting solely of pdfs, rtfs, elf
>binaries and java files. In this case the scan time increases by a factor
>of just over 3 (60 minutes -> 195 minutes).
>
>The important thing to remember is that the slowdown is due to the
>increased level of protection that we need to provide given the continuing
>growth in the number of different file types that can carry viruses.
>
>It is possible to disable these four options when using sweep by adding the
>following command-line arguments:
>
>         -nopt=Pdf
>         -nopt=Elf
>         -nopt=Rtf
>         -nopt=Java
>
>Don't forget that use of any of these options may seriously impact our
>ability to detect viruses in those types of file.
>
>Part of the speed reduction appears to be due to the internationalisation
>that was also introduced in v3.67. We are looking into that and other areas
>of concern and hope to be able to offer some performance improvements
>without compromising security in the coming months.
>
>Stephen Higgins
>
>Technical Support Engineer

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From mailscanner at LISTS.COM.AR Tue Mar 18 14:22:17 2003
From: mailscanner at LISTS.COM.AR (Mariano Absatz)
Date: Thu Jan 12 21:17:31 2006
Subject: (Fwd) Spamassassin Configuration Generator (BETA) - RE: [SAtal
Message-ID: <3E770169.15171.A486C7AE@localhost>

FYI, I thought this could be interesting to MS users... and maybe someone is
willing to do something similar for the MS config files...

------- Forwarded message follows -------
From: "Michael Moncur" To: "Justin Mason" , Subject: Spamassassin Configuration Generator (BETA) - RE: [SAtalk] a config script X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0) Sender: spamassassin-talk-admin@lists.sourceforge.net Date: Tue, 18 Mar 2003 04:34:57 -0700 OK, here's my first attempt at an online configurator for SpamAssassin 2.5x. You specify the options in the online form, and the result is a commented local.cf file that you can download and drop into your SpamAssassin installation. http://www.yrex.com/spam/spamconfig.php Please try it and take a look - I can't guarantee the settings are 100% right but I believe they are. It includes the basic options like required_hits, rewrite_subject, report_safe, Bayes and auto-learning, enable or disable RBLs/Razor/DCC/Pyzor, and ok_languages / ok_locales. Things I might add/change in future versions: - Enable/disable or change scores for specific RBLs? - Support for more settings? - Maybe split it into multiple pages, or advanced/beginner modes with more/less settings? - Pare down the ok_languages list to common options or make a better interface for it? Let me know what you think. -- Michael Moncur mgm at starlingtech.com http://www.starlingtech.com/ "I don't necessarily agree with everything I say." --Marshall McLuhan > -----Original Message----- 
> From: spamassassin-talk-admin@lists.sourceforge.net
> [mailto:spamassassin-talk-admin@lists.sourceforge.net]On Behalf Of
> Michael Moncur
> Sent: Monday, March 17, 2003 11:50 PM
> To: Justin Mason; spamassassin-talk@lists.sourceforge.net
> Subject: RE: [SAtalk] a config script
>
>
> > and I would suggest something like the "interactive muttrc builder" (cf
> > google) would work nicely, and not require core code changes, while
> > providing a better UI too.
> >
> > Probably 10 questions would be enough to make a good config.
> >
> > Anyone out there care to stick up such a CGI? ;)
>
> I'll whip one up and have a first draft online tonight.
>
> --
> Michael Moncur mgm at starlingtech.com http://www.starlingtech.com/
> "Our constitution protects aliens, drunks and U.S. Senators."
> --Will Rogers

------- End of forwarded message -------

--
Mariano Absatz
El Baby
----------------------------------------------------------
Logic: The art of being wrong with confidence...

From Janssen at RZ.UNI-FRANKFURT.DE Tue Mar 18 14:09:57 2003
From: Janssen at RZ.UNI-FRANKFURT.DE (Michael Janssen)
Date: Thu Jan 12 21:17:31 2006
Subject: Beta test please
In-Reply-To: <5.2.0.9.2.20030317135554.04743b30@imap.ecs.soton.ac.uk>
Message-ID:

On Mon, 17 Mar 2003, Julian Field wrote:

> Ideally, an update of the translations would be nice. The new English text is
>
> "If you are sending spam and continue to do so, your
> Internet Service Provider may be contacted and requested to close your
> account."

german ("may" as "besteht die Möglichkeit" ~ "there is the possibility")

"Falls Sie Spam versendet haben und damit fortfahren, besteht die
Moeglichkeit, dass Ihr Internet Service Provider benachrichtigt wird und um
Schliessung Ihres Accounts gebeten wird."

(already 8bit clean as the rest of the existing templates)

Michael

From mailscanner at ecs.soton.ac.uk Tue Mar 18 14:03:05 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:31 2006
Subject: spam volume
In-Reply-To:
Message-ID: <5.2.0.9.2.20030318140121.04d23e08@imap.ecs.soton.ac.uk>

At 14:03 18/03/2003, you wrote:
>The strip_html feature only works on emails marked as spam...correct?

The "striphtml" action can be applied to spam, yes.

>Is there any way that *all* email could be stripped of the 1 image nasty
>porn emails?
>Or even maybe a list of users who want this feature?

You can convert *all* incoming mail to a user (or group of users, domain,
whatever) by using the

# Do you want to convert all HTML messages into plain text?
# This is very useful for users who are children or are easily offended
# by nasty things like pornographic spam.
# This can also be the filename of a ruleset, so you can switch this
# feature on and off for particular users or domains.
Convert HTML To Text = yes

and using a ruleset to set it for different people. This would be applied
to all their mail, not just spam.

>Julian Field
>Sent by: MailScanner mailing list
>
>03/18/2003 07:10 AM
>Please respond to MailScanner mailing list
>
>         To:        MAILSCANNER@JISCMAIL.AC.UK
>         cc:
>         Subject:        Re: spam volume
>
>
>At 12:03 18/03/2003, you wrote:
> > are we alone in thinking there has been a significant increase in the
> >amount on SPAM (much of it pretty nasty) which has arrived in the last
> >few days ?
> >
> >
> >Does anyone have an explanation or is it just a sad fact of the modern
> >Internet.
>
>Over the past few months, we have seen spam rise from 15% to over 25% of
>our total mail volume.
>
>I strongly advise people to start using the "striphtml" spam action to
>clean up nasty spam.
>--
>Julian Field
>www.MailScanner.info
>MailScanner thanks transtec Computers for their support
>

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From campbell at CNPAPERS.COM Tue Mar 18 15:18:55 2003
From: campbell at CNPAPERS.COM (Stephe Campbell) Date: Thu Jan 12 21:17:31 2006 Subject: Body SA rule Message-ID: <002501c2ed61$b28582a0$9c01a8c0@cnpapers.net> This is not a MS problem, but I have yet been able to find anything in the SA archives and hope that someone using MS has done this before. I'm not versed in Perl, so I sort of need assistance. The people of this maillist really seem to be on the ball. We receive a lot of spam from a particular group. Each mailing is from various sources, but all have the following line in them(actually a reply link where I have replaced the real address with x's, y's, etc): visit at http://www.xx-yyyyy.com/34606zzz.html I would like to use a body or rawbody (uri or full maybe?) rule to find "html://www.xx-yyyyy.com" and give it a score in SA by adding it to my spam.assassin.prefs.conf file but have not yet figured out how to write it. My Header rules work fine, but all of my attempts at this seem to be all for nothing. Any help would be appreciated and sorry for the non-MS stuff. steve campbell campbell@cnpapers.com -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030318/7b3b77d2/attachment.html From HancockS at MORGANCO.COM Tue Mar 18 17:08:57 2003 From: HancockS at MORGANCO.COM (Hancock, Scott) Date: Thu Jan 12 21:17:31 2006 Subject: Messages Waiting Incoming queue Message-ID: <03Mar18.115836est.119095@gateway.morganco.com> > Do you have the correct config file specified? Yes, I just named mine differently. According to tar install docs (I believe) > I thought you were > concerned > with messages in the incoming queue. I am. > Should the config file be > /etc/exim/exim.conf or /etc/exim/exim_receive.conf? The config files are right. If they weren't even specified correctly new mail would not processed. -Scott From nicholas_esborn at AFFYMETRIX.COM Tue Mar 18 17:26:57 2003 
From: nicholas_esborn at AFFYMETRIX.COM (Nicholas Esborn) Date: Thu Jan 12 21:17:31 2006 Subject: FreeBSD port beta test In-Reply-To: <4E7026FF8A422749B1553FE508E0068007EFA8@message.intern.akctech.de> References: <4E7026FF8A422749B1553FE508E0068007EFA8@message.intern.akctech.de> Message-ID: <20030318172657.GA51848@affymetrix.com> I'll beta test your port. -nick On Tue, Mar 18, 2003 at 10:28:52AM +0100, Jan-Peter Koopmann wrote: > Hello everybody, > > I am working on a FreeBSD port of MailScanner at the moment. I still > have some things to do in terms of man pages etc. but the > Makefiles/patches/etc. will most probably be ready sometime today. I am > now looking for FreeBSD beta testers. Anyone willing to participate > please drop me an e-mail. > > Thanks, > Jan-Peter > -- Nicholas Esborn Affymetrix, Inc. 510/428.8505 Every message PGP signed From m.sapsed at BANGOR.AC.UK Tue Mar 18 17:25:34 2003 
From: m.sapsed at BANGOR.AC.UK (Martin Sapsed) Date: Thu Jan 12 21:17:31 2006 Subject: sophos 3.67 and wrapper script References: <20030317205817.GA3183@bragann> <20030317201426.GA2561@bragann> <5.2.0.9.2.20030317201844.02190ac0@imap.ecs.soton.ac.uk> <20030317205817.GA3183@bragann> <5.2.0.9.2.20030318135548.04c44e90@imap.ecs.soton.ac.uk> Message-ID: <3E77568E.20705@bangor.ac.uk> Julian Field wrote: > The basis of the complaint is not that it is much slower to scan files, but > it spends 3 times longer starting up before scanning the first file! > > Just get them to do a > time sweep /dev/null > and they will soon see the difference between 3.66 and 3.67. > > The extra "disabling" switches reduce the time to scan each time, but make > the startup time even slower Here's my latest reply from a Sophos person about some more questions on this: ----- In 3.67 we introduced several new features to the way that Sweep for UNIX works. Firstly the new 'harvester' *.vdb files which as I mentioned before is designed to reduce network bandwidth during updating. However for the future it is hoped that Enterprise Manager will eventually be looking after updates for the *NIX platforms. The ability to 'understand' regional characters. A quote from the UNIX readme: "This version of Sophos Anti-Virus for Unix contains support for international characters in multibyte format on the Linux/Intel (libc6 only) and Solaris/SPARC plus Solaris/Intel platforms. Other platforms do not currently support the use of international characters." This seems to be causing an unexpected slow down. The "international character support" issue should be resolved in the next version 3.68. However calling sweep from a command line is going to take longer than it used to due to the new functionality we are constantly adding. Sophos has also changed the way we scan certain file types (mainly *.pdf and *.rtf). This change does appear to be slowing down sweep as well. 
You could also try the following: Create a file called veex.ini and put it with the vdl.dat, edit it and put this in it: [Default] Pdf=OFF Elf=OFF Rtf=OFF Java=OFF This will automatically turn off PDF / ELF / RTF / JAVA file handling and should speed it up a bit. The bottom line is that the time to start sweep will improve, but not ever go back to the speed it used to start. If speed is still suffering it might be worth looking at Sophie (www.vanja.com) which uses SAVI and can run as a background daemon (service). ------ I'd asked things like why split the vdl's as that only really helps Remote Update users which only runs on Windows. It's interesting that they promote Sophie but don't talk to Jules any more! Cheers, Martin -- Martin Sapsed Information Services "Who do you say I am?" University of Wales, Bangor Jesus of Nazareth From m.sapsed at bangor.ac.uk Tue Mar 18 17:46:58 2003 From: m.sapsed at bangor.ac.uk (Martin Sapsed) Date: Thu Jan 12 21:17:31 2006 Subject: Straw poll: spam thresholds? Message-ID: <3E775B92.2030708@bangor.ac.uk> Hi folks, Since we've finally gone site wide with MailScanner we've had a few grumbles that we're not picking up enough spam! (Some people are never satisfied!) Would people mind mailing me with the spam and spamhigh numbers you use and I'll summarise the responses next week if anyone's interested? Please leave "Straw poll" in the subject so I can filter the responses. Cheers, Martin -- Martin Sapsed Information Services "Who do you say I am?" University of Wales, Bangor Jesus of Nazareth From mailscanner at LISTS.COM.AR Tue Mar 18 18:05:00 2003 
From: mailscanner at LISTS.COM.AR (Mariano Absatz)
Date: Thu Jan 12 21:17:31 2006
Subject: Body SA rule
In-Reply-To: <005201c2ed66$14189e40$9c01a8c0@cnpapers.net>
Message-ID: <3E77359C.8678.A552B356@localhost>

On 18 Mar 2003 at 10:50, Stephe Campbell wrote:

> Mr. Winkler,
>
> Thank you very much. That seemed to work, although I think I may have
> tried that same rule you provided. The difference was I used a rule name
> with a hyphen instead of underscore. Do you know if that is a real
> issue? I might be wrong though on whether I used your regexp prior, I
> tried so many.

Hi Steve,

I don't know much of the inner workings of SA, but I'd bet it uses the rule
numbers as Perl identifiers (or part of Perl identifiers) at one time or
another (e.g. as an index to a hash). Then a "-" would be an invalid
character in a Perl identifier and that would prevent it from working,
whereas "_" is a valid character.

Just my 2c.

>
> Thanks again
>
> Steve Campbell
> campbell@cnpapers.com
>
> ----- Original Message -----
> From: Derek Winkler
> To: MAILSCANNER@JISCMAIL.AC.UK
> Sent: Tuesday, March 18, 2003 10:30 AM
> Subject: Re: Body SA rule
>
> Here's one I use...
>
> rawbody LOCAL_CNTNTFRM_vresp /https?:\/\/.*?\.vresp\.com/i
> describe LOCAL_CNTNTFRM_vresp Has " http://*.vresp.com " in body
> score LOCAL_CNTNTFRM_vresp 3
>
> In the reg exp /s and .s must be preceded by \, makes it confusing. The
> ? makes the s optional so http or https will work. The i after the final
> / means case insensitive.
>
> Your reg exp would be "/http:\/\/www\.xx-yyyyy\.com/" off the top of my
> head anyways.
>
> -----Original Message-----
> From: Stephe Campbell [mailto:campbell@cnpapers.com] > Sent: Tuesday, March 18, 2003 10:19 AM > To: MAILSCANNER@jiscmail.ac.uk > Subject: Body SA rule > > > This is not a MS problem, but I have yet been able to find anything in > the SA archives and hope that someone using MS has done this before. I'm > not versed in Perl, so I sort of need assistance. The people of this > maillist really seem to be on the ball. > > We receive a lot of spam from a particular group. Each mailing is from > various sources, but all have the following line in them(actually a > reply link where I have replaced the real address with x's, y's, etc): > > > visit at > http://www.xx-yyyyy.com/34606zzz.html > > I would like to use a body or rawbody (uri or full maybe?) rule to find > "html://www.xx-yyyyy.com" and give it a score in SA by adding it to my > spam.assassin.prefs.conf file but have not yet figured out how to write > it. My Header rules work fine, but all of my attempts at this seem to be > all for nothing. > > Any help would be appreciated and sorry for the non-MS stuff. > > > > steve campbell > campbell@cnpapers.com > > -- Mariano Absatz El Baby ---------------------------------------------------------- Make it idiot proof and someone will make a better idiot. From mkettler at EVI-INC.COM Tue Mar 18 18:25:06 2003 
From: mkettler at EVI-INC.COM (Matt Kettler)
Date: Thu Jan 12 21:17:31 2006
Subject: Body SA rule
In-Reply-To: <3E77359C.8678.A552B356@localhost>
References: <005201c2ed66$14189e40$9c01a8c0@cnpapers.net>
Message-ID: <5.2.0.9.0.20030318131613.01cf3c50@xanadu.evi-inc.com>

Yes, dashes are explicitly prohibited from being in rule names in SA.

If you read the perldoc for Mail::SpamAssassin::Conf in version 2.50 you'll
find these bits on rule-naming:

--
Test names should not start with a number, and must contain only
alphanumerics and underscores. It is suggested that lower-case characters
not be used, as an informal convention. Dashes are not allowed.

Note that test names which begin with '__' are reserved for meta-match
sub-rules, and are not scored or listed in the 'tests hit' reports. Test
names which begin with 'T_' are reserved for tests which are undergoing QA,
and these are given a very low score.
---

Version 2.43 mentions the '__' bit but not the part about allowed characters.

At 03:05 PM 3/18/2003 -0300, Mariano Absatz wrote:
>I don't know much of the inner workings of SA, but I'd bet it uses the rule
>numbers as Perl identifiers (or part of Perl identifiers) at one time or
>another (e.g. as an index to a hash). Then a "-" would be an invalid
>character in a Perl identifier and that would prevent it from working,
>whereas "_" is a valid character.

From dwinkler at ALGORITHMICS.COM Tue Mar 18 15:30:22 2003
From: dwinkler at ALGORITHMICS.COM (Derek Winkler)
Date: Thu Jan 12 21:17:31 2006
Subject: Body SA rule
Message-ID: <06EE2C86D3DAD5119A6C0060943F3C97055E6ED1@tormail1.algorithmics.com>

Here's one I use...

rawbody LOCAL_CNTNTFRM_vresp /https?:\/\/.*?\.vresp\.com/i
describe LOCAL_CNTNTFRM_vresp Has " http://*.vresp.com " in body
score LOCAL_CNTNTFRM_vresp 3

In the reg exp /s and .s must be preceded by \, makes it confusing. The ?
makes the s optional so http or https will work. The i after the final /
means case insensitive.

Your reg exp would be "/http:\/\/www\.xx-yyyyy\.com/" off the top of my head
anyways.

-----Original Message-----
From: Stephe Campbell [mailto:campbell@cnpapers.com]
Sent: Tuesday, March 18, 2003 10:19 AM
To: MAILSCANNER@jiscmail.ac.uk
Subject: Body SA rule

This is not a MS problem, but I have yet been able to find anything in the
SA archives and hope that someone using MS has done this before. I'm not
versed in Perl, so I sort of need assistance. The people of this maillist
really seem to be on the ball.

We receive a lot of spam from a particular group. Each mailing is from
various sources, but all have the following line in them(actually a reply
link where I have replaced the real address with x's, y's, etc):

visit at
http://www.xx-yyyyy.com/34606zzz.html

I would like to use a body or rawbody (uri or full maybe?) rule to find
"html://www.xx-yyyyy.com" and give it a score in SA by adding it to my
spam.assassin.prefs.conf file but have not yet figured out how to write it.
My Header rules work fine, but all of my attempts at this seem to be all for
nothing.

Any help would be appreciated and sorry for the non-MS stuff.

steve campbell
campbell@cnpapers.com

From dwinkler at ALGORITHMICS.COM Tue Mar 18 15:56:41 2003
From: dwinkler at ALGORITHMICS.COM (Derek Winkler) Date: Thu Jan 12 21:17:31 2006 Subject: Body SA rule Message-ID: <06EE2C86D3DAD5119A6C0060943F3C97055E6ED4@tormail1.algorithmics.com> I'm not sure whether that is an issue or not. -----Original Message----- From: Stephe Campbell [mailto:campbell@cnpapers.com] Sent: Tuesday, March 18, 2003 10:50 AM To: MAILSCANNER@jiscmail.ac.uk Subject: Re: Body SA rule Mr. Winkler, Thank you very much. That seemed to work, although I think I may have tried that same rule you provided. The difference was I used a rule name with a hyphen instead of underscore. Do you know if that is a real issue? I might be wrong though on whether I used your regexp prior, I tried so many. Thanks again Steve Campbell campbell@cnpapers.com ----- Original Message ----- From: Derek Winkler To: MAILSCANNER@JISCMAIL.AC.UK Sent: Tuesday, March 18, 2003 10:30 AM Subject: Re: Body SA rule Here's one I use... rawbody LOCAL_CNTNTFRM_vresp /https?:\/\/.*?\.vresp\.com/i describe LOCAL_CNTNTFRM_vresp Has " http://*.vresp.com " in body score LOCAL_CNTNTFRM_vresp 3 In the reg exp /s and .s must be preceded by \, makes it confusing. The ? makes the s optional so http or https will work. The i after the final / means case insensitive. Your reg exp would be "/http:\/\/www\.xx-yyyyy\.com/" off the top of my head anyways. -----Original Message----- 
From: Stephe Campbell [mailto:campbell@cnpapers.com] Sent: Tuesday, March 18, 2003 10:19 AM To: MAILSCANNER@jiscmail.ac.uk Subject: Body SA rule This is not a MS problem, but I have yet been able to find anything in the SA archives and hope that someone using MS has done this before. I'm not versed in Perl, so I sort of need assistance. The people of this maillist really seem to be on the ball. We receive a lot of spam from a particular group. Each mailing is from various sources, but all have the following line in them(actually a reply link where I have replaced the real address with x's, y's, etc): visit at http://www.xx-yyyyy.com/34606zzz.html I would like to use a body or rawbody (uri or full maybe?) rule to find "html://www.xx-yyyyy.com" and give it a score in SA by adding it to my spam.assassin.prefs.conf file but have not yet figured out how to write it. My Header rules work fine, but all of my attempts at this seem to be all for nothing. Any help would be appreciated and sorry for the non-MS stuff. steve campbell campbell@cnpapers.com -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030318/848e30a2/attachment.html From HancockS at MORGANCO.COM Tue Mar 18 16:22:07 2003 
From: HancockS at MORGANCO.COM (Hancock, Scott) Date: Thu Jan 12 21:17:31 2006 Subject: Messages Waiting Incoming queue Message-ID: <03Mar18.111150est.119099@gateway.morganco.com> The response is: "failed to open msglog file for : No such file or directory." Same response to: exim -C /etc/exim/exim_send.conf -Mvl It seems to me mailscanner isn't attempting to process these queued messages. I expect on start mailscanner queries the incoming directory for messages to scan. Either this is not happening or there is a condition on these files/messages that's causing mailscanner to ignore them. Is there a short list of possibilities somewhere? Is there a way to manually invoke mailscanner with the messageID as an argument to see the specific error message? I've looked in the log files and haven't seen anything unusual around time of delivery. Maybe I'll redirect incoming and restart to capture any log info. Also, I've search my inbox and these messages definitely did not get delivered. Thanks for the response. Scott > > Does > > exim -Mvl 18tuPF-0001Uk-00 > > give you any clues? (Run "exim -Mvl ") > > Jason > > > From mailscanner at ecs.soton.ac.uk Tue Mar 18 16:14:14 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:31 2006
Subject: Body SA rule
In-Reply-To: <002501c2ed61$b28582a0$9c01a8c0@cnpapers.net>
Message-ID: <5.2.0.9.2.20030318160941.04b66490@imap.ecs.soton.ac.uk>

At 15:18 18/03/2003, you wrote:
>This is not a MS problem, but I have yet been able to find anything in the
>SA archives and hope that someone using MS has done this before. I'm not
>versed in Perl, so I sort of need assistance. The people of this maillist
>really seem to be on the ball.
>
>We receive a lot of spam from a particular group. Each mailing is from
>various sources, but all have the following line in them(actually a reply
>link where I have replaced the real address with x's, y's, etc):
>
>
> visit at
> http://www.xx-yyyyy.com/34606zzz.html
>
>I would like to use a body or rawbody (uri or full maybe?) rule to find
>"html://www.xx-yyyyy.com" and give it a score in SA by adding it to my
>spam.assassin.prefs.conf file but have not yet figured out how to write
>it. My Header rules work fine, but all of my attempts at this seem to be
>all for nothing.
>
>Any help would be appreciated and sorry for the non-MS stuff.

uri YOUR_RULE /^https?\:\/\/www\.xx-yyyy\.com\/34606zzz\.html?/
describe YOUR_RULE The name of your rule
score YOUR_RULE 5.0

If you want the "z" characters to need to be numbers, then put [0-9] in
place of each one.
? means the preceding object (character, [ ], etc) is optional. Hence the ?
after https as the s is optional.
Any odd characters such as : or / or . need to be "escaped" by putting a \
before them.

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From Andrew.Magnusson at COCC.COM Tue Mar 18 16:20:35 2003
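The two failure modes discussed in this thread (a dash in a rule name, and a `/` or `.` left unescaped inside a `/regex/`) can be checked mechanically before a rule file is deployed. The following is an added example, not part of any message in the thread and not SpamAssassin's own code; the function names, finding codes and sample lines are constructed for illustration, and the bare-dot check is a heuristic.

```python
import re

# Rule types whose argument is a /regex/ (header and eval rules are skipped).
PATTERN_RULES = {"body", "rawbody", "uri", "full"}
# Naming rule quoted in the thread from the Mail::SpamAssassin::Conf perldoc:
# alphanumerics and underscores only, no leading digit, no dashes.
NAME_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*\Z")
# Assumption: whatever follows the closing '/' must be modifier letters only.
MODIFIERS_RE = re.compile(r"[a-z]*\Z")


def split_pattern(arg):
    """Split '/regex/flags' at the first unescaped '/'.

    Returns (regex, rest), or None if no unescaped closing '/' exists.
    """
    if not arg.startswith("/"):
        return None
    i = 1
    while i < len(arg):
        if arg[i] == "\\":        # a backslash escapes the next character
            i += 2
            continue
        if arg[i] == "/":         # first unescaped slash closes the regex
            return arg[1:i], arg[i + 1:]
        i += 1
    return None


def bare_dots(regex):
    """Count unescaped '.' sitting between two alphanumerics, e.g. 'www.xx'.

    Such a dot matches any character, so the rule is looser than intended.
    A dot followed by a quantifier ('.*?') is a deliberate wildcard.
    """
    hits, in_class, prev, i = 0, False, "", 0
    while i < len(regex):
        ch = regex[i]
        if ch == "\\":
            prev, i = "", i + 2
            continue
        if ch == "[":
            in_class = True
        elif ch == "]":
            in_class = False
        elif ch == "." and not in_class:
            nxt = regex[i + 1:i + 2]
            if prev.isalnum() and nxt.isalnum():
                hits += 1
        prev, i = ch, i + 1
    return hits


def lint(config):
    """Return (line_number, rule_name, code) findings for an SA rule file."""
    findings = []
    for lineno, raw in enumerate(config.splitlines(), start=1):
        parts = raw.strip().split(None, 2)
        if len(parts) < 3 or parts[0] not in PATTERN_RULES:
            continue
        _, name, arg = parts
        if not NAME_RE.match(name):
            findings.append((lineno, name, "bad-name"))
        split = split_pattern(arg)
        if split is None:
            findings.append((lineno, name, "unclosed"))
        elif not MODIFIERS_RE.match(split[1]):
            findings.append((lineno, name, "early-delimiter"))
        elif bare_dots(split[0]):
            findings.append((lineno, name, "bare-dot"))
    return findings


# Constructed sample: line 1 and 2 are a well-formed rule, line 3 has a '/'
# left unescaped before the path, line 4 has a dash in the rule name, and
# line 5 leaves the dots in the hostname unescaped.
SAMPLE = "\n".join([
    r"rawbody LOCAL_CNTNTFRM_vresp /https?:\/\/.*?\.vresp\.com/i",
    r"score LOCAL_CNTNTFRM_vresp 3",
    r"uri YOUR_RULE /^https?\:\/\/www\.xx-yyyy\.com/34606zzz\.html?/",
    r"uri YOUR-RULE /^https?:\/\/www\.xx-yyyyy\.com\//",
    r"rawbody LOCAL_DOTS /http:\/\/www.xx-yyyyy.com/",
])

if __name__ == "__main__":
    for finding in lint(SAMPLE):
        print(finding)
```
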
From: Andrew.Magnusson at COCC.COM (Magnusson, Andrew) Date: Thu Jan 12 21:17:31 2006 Subject: SQL logging: default attachment logging? Message-ID: At our site we want to log filename attachments for all email, not just those that generate a virus alert. Looking at the current SQL code, it only gets the attachment filename when there's a virus alert. Is there any way to pull out a filename, or filename list, from MailScanner when it doesn't generate an alert? I glanced through Message.pm, and it seems to only determine filenames upon virus checking. Andrew Magnusson Internet Product Analyst COCC 1-877-678-0444 extension 640 From jase at SENSIS.COM Tue Mar 18 16:40:09 2003 From: jase at SENSIS.COM (Desai, Jason) Date: Thu Jan 12 21:17:31 2006 Subject: Messages Waiting Incoming queue Message-ID: Do you have the correct config file specified? I thought you were concerned with messages in the incoming queue. Should the config file be /etc/exim/exim.conf or /etc/exim/exim_receive.conf? Jason > -----Original Message----- 
> From: Hancock, Scott [mailto:HancockS@MORGANCO.COM] > Sent: Tuesday, March 18, 2003 11:22 AM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: [MAILSCANNER] Messages Waiting Incoming queue > > > The response is: "failed to open msglog file for : No such > file or directory." > > Same response to: exim -C /etc/exim/exim_send.conf -Mvl > > It seems to me mailscanner isn't attempting to process these queued > messages. I expect on start mailscanner queries the incoming > directory > for messages to scan. Either this is not happening or there is a > condition on these files/messages that's causing mailscanner to ignore > them. Is there a short list of possibilities somewhere? > > Is there a way to manually invoke mailscanner with the messageID as an > argument to see the specific error message? I've looked in > the log files > and haven't seen anything unusual around time of delivery. Maybe I'll > redirect incoming and restart to capture any log info. > > Also, I've search my inbox and these messages definitely did not get > delivered. > > Thanks for the response. > > Scott > > > > > > > Does > > > > exim -Mvl 18tuPF-0001Uk-00 > > > > give you any clues? (Run "exim -Mvl ") > > > > Jason > > > > > > From campbell at CNPAPERS.COM Tue Mar 18 15:50:19 2003 From: campbell at CNPAPERS.COM (Stephe Campbell) Date: Thu Jan 12 21:17:31 2006 Subject: Body SA rule References: <06EE2C86D3DAD5119A6C0060943F3C97055E6ED1@tormail1.algorithmics.com> Message-ID: <005201c2ed66$14189e40$9c01a8c0@cnpapers.net> Mr. Winkler, Thank you very much. That seemed to work, although I think I may have tried that same rule you provided. The difference was I used a rule name with a hyphen instead of underscore. Do you know if that is a real issue? I might be wrong though on whether I used your regexp prior, I tried so many. Thanks again Steve Campbell campbell@cnpapers.com ----- Original Message ----- 
From: Derek Winkler To: MAILSCANNER@JISCMAIL.AC.UK Sent: Tuesday, March 18, 2003 10:30 AM Subject: Re: Body SA rule Here's one I use... rawbody LOCAL_CNTNTFRM_vresp /https?:\/\/.*?\.vresp\.com/i describe LOCAL_CNTNTFRM_vresp Has "http://*.vresp.com" in body score LOCAL_CNTNTFRM_vresp 3 In the reg exp /s and .s must be preceded by \, makes it confusing. The ? makes the s optional so http or https will work. The i after the final / means case insensitive. Your reg exp would be "/http:\/\/www\.xx-yyyyy\.com/" off the top of my head anyways. -----Original Message----- From: Stephe Campbell [mailto:campbell@cnpapers.com] Sent: Tuesday, March 18, 2003 10:19 AM To: MAILSCANNER@jiscmail.ac.uk Subject: Body SA rule This is not a MS problem, but I have yet been able to find anything in the SA archives and hope that someone using MS has done this before. I'm not versed in Perl, so I sort of need assistance. The people of this maillist really seem to be on the ball. We receive a lot of spam from a particular group. Each mailing is from various sources, but all have the following line in them(actually a reply link where I have replaced the real address with x's, y's, etc): visit at http://www.xx-yyyyy.com/34606zzz.html I would like to use a body or rawbody (uri or full maybe?) rule to find "html://www.xx-yyyyy.com" and give it a score in SA by adding it to my spam.assassin.prefs.conf file but have not yet figured out how to write it. My Header rules work fine, but all of my attempts at this seem to be all for nothing. Any help would be appreciated and sorry for the non-MS stuff. steve campbell campbell@cnpapers.com -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030318/ef5d1c25/attachment.html From mailscanner at ecs.soton.ac.uk Tue Mar 18 18:56:46 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:31 2006
Subject: SQL logging: default attachment logging?
In-Reply-To:
Message-ID: <5.2.0.9.2.20030318185636.02810ec0@imap.ecs.soton.ac.uk>

At 16:20 18/03/2003, you wrote:
>At our site we want to log filename attachments for all email, not just
>those that generate a virus alert. Looking at the current SQL code, it only
>gets the attachment filename when there's a virus alert. Is there any way to
>pull out a filename, or filename list, from MailScanner when it doesn't
>generate an alert? I glanced through Message.pm, and it seems to only
>determine filenames upon virus checking.

# Log all the filenames that are allowed by the Filename Rules, or just
# the filenames that are denied?
# This can also be the filename of a ruleset.
Log Permitted Filenames = no

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

From baldguy33165 at YAHOO.COM Tue Mar 18 19:21:45 2003
From: baldguy33165 at YAHOO.COM (Juan Quesada)
Date: Thu Jan 12 21:17:31 2006
Subject: SA Exception Rule, please help.
Message-ID: <20030318192145.39926.qmail@web20807.mail.yahoo.com>

I want to create a rule in SA that will not add all the scores. For instance, if the subject or body =~ /Example/ don't add any scores just allow this email through.

I want to know if this is possible.

I could whitelist the domains, but I would have to call all the airlines and ask them for domain info.

From mailscanner at ecs.soton.ac.uk Tue Mar 18 19:09:02 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:31 2006 Subject: Networkshop Message-ID: <5.2.0.9.2.20030318190728.027ffdf8@imap.ecs.soton.ac.uk> For the UK academic people here, a very simple question: I am doing a BoF session at the Networkshop in York. What would you like to discuss or learn about MailScanner? -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support From mkettler at EVI-INC.COM Tue Mar 18 19:28:54 2003 From: mkettler at EVI-INC.COM (Matt Kettler) Date: Thu Jan 12 21:17:31 2006 Subject: SA Exception Rule, please help. In-Reply-To: <20030318192145.39926.qmail@web20807.mail.yahoo.com> Message-ID: <5.2.0.9.0.20030318142445.01b70ed8@xanadu.evi-inc.com> No, there's no "exception" option in SA that will prevent it from running and scoring the rest of the ruleset. However, you can have a close approximation by assigning a huge negative score to the rule.. such as -100. It will still check other rules and add them, but I've never seen a spam message score more than 100, even the crackmonkey email that was carefully constructed to maximize SA score didn't go that high. This is exactly how the SpamAssassin "whitelist_from", "whitelist_from_rcvd" and "all_spam_to" mechanisms work. They don't actually stop rule processing, they just add a -100 score, which means you'd have to try very hard to still get marked, if it's even possible. At 11:21 AM 3/18/2003 -0800, you wrote: >I want to create a rule in SA that will not add all >the scores. For instance, if the the subject or body >=~ /Example/ don't add any scores just allow this >email through. > >I want to know if this is possible. > >I could whitelist the domains, but I would have to >call all the airlines and ask them for domain info. From Andrew.Magnusson at COCC.COM Tue Mar 18 19:45:44 2003 
From: Andrew.Magnusson at COCC.COM (Magnusson, Andrew) Date: Thu Jan 12 21:17:31 2006 Subject: SQL logging: default attachment logging? Message-ID: This variable is for maillog logging, correct? My question is more 'how do I get that information into a variable so I can add it to the SQL insert query?' Sorry I wasn't more clear. Andrew Magnusson Internet Product Analyst COCC 1-877-678-0444 extension 640 -----Original Message----- From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] Sent: Tuesday, March 18, 2003 1:57 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: SQL logging: default attachment logging? At 16:20 18/03/2003, you wrote: >At our site we want to log filename attachments for all email, not just >those that generate a virus alert. Looking at the current SQL code, it only >gets the attachment filename when there's a virus alert. Is there any way to >pull out a filename, or filename list, from MailScanner when it doesn't >generate an alert? I glanced through Message.pm, and it seems to only >determine filenames upon virus checking. # Log all the filenames that are allowed by the Filename Rules, or just # the filenames that are denied? # This can also be the filename of a ruleset. Log Permitted Filenames = no -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Tue Mar 18 19:57:50 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:31 2006 Subject: SQL logging: default attachment logging? In-Reply-To: Message-ID: <5.2.0.9.2.20030318195518.027ff0a0@imap.ecs.soton.ac.uk> You would need to list all the files in the workarea/id directory. Not as trivial as the other logging info. At 19:45 18/03/2003, you wrote: >This variable is for maillog logging, correct? My question is more 'how do I >get that information into a variable so I can add it to the SQL insert >query?' Sorry I wasn't more clear. > >Andrew Magnusson >Internet Product Analyst >COCC >1-877-678-0444 extension 640 > > > >-----Original Message----- >From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] >Sent: Tuesday, March 18, 2003 1:57 PM >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Re: SQL logging: default attachment logging? > > >At 16:20 18/03/2003, you wrote: > >At our site we want to log filename attachments for all email, not just > >those that generate a virus alert. Looking at the current SQL code, it only > >gets the attachment filename when there's a virus alert. Is there any way >to > >pull out a filename, or filename list, from MailScanner when it doesn't > >generate an alert? I glanced through Message.pm, and it seems to only > >determine filenames upon virus checking. > ># Log all the filenames that are allowed by the Filename Rules, or just ># the filenames that are denied? ># This can also be the filename of a ruleset. >Log Permitted Filenames = no > >-- >Julian Field >www.MailScanner.info >Professional Support Services at www.MailScanner.biz >MailScanner thanks transtec Computers for their support -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support From mkettler at EVI-INC.COM Tue Mar 18 20:02:22 2003 
From: mkettler at EVI-INC.COM (Matt Kettler) Date: Thu Jan 12 21:17:31 2006 Subject: Infinite Monkeys and spamassassin In-Reply-To: <5.2.0.9.2.20030318095209.049d3b00@imap.ecs.soton.ac.uk> References: <20030318092523.GC1186@elmo.amc.uva.nl> Message-ID: <5.2.0.9.0.20030318145715.01bb9d00@xanadu.evi-inc.com> Julian is correct that SA by default does not include infinite monkeys in the list of RBLs. If you're going to add rules, add them to your /etc/mail/local.cf or your MailScanner spam.assassin.prefs.conf. Whatever you do, don't add them to any file /usr/share/spamassassin/. Also note that just telling SA "skip_rbl_checks = 0" is NOT enough to enable RBL checks. In particular, if you don't have the perl module "Net::DNS" installed, it can't possibly do RBL checks. Try running the command line spamassassin with debug output on (ie: spamassassin -D Take a look at /usr/share/spamassassin/20_head_tests.cf. You need to create >a new rule something along these lines: > >header RCVD_IN_INFINITE_MONKEYS rbleval:check_rbl('relay', >'proxies.relays.monkeys.com.') >describe RCVD_IN_INFINITE_MONKEYS Received via a relay in >proxies.relays.monkeys.com >tflags RCVD_IN_INFINITE_MONKEYS net > >score RCVD_IN_INFINITE_MONKEYS 5.00 > >This will have to go in the SpamAssassin configuration file (other people >on the list will be able to give you an exact location). > >At 09:25 18/03/2003, you wrote: >>Spam which slips through (score less than 5) is often identified by the >>Infinite-Monkeys RBL. Because i wanted this to add to the score i told >>spamassassin to also do RBL checks (skip_rbl_checks 0), but apparently >>spamassassin doesn'r use the Infinite-Monkeys list because the score stays >>low? 
>> >> X-AMC-SpamCheck: spam, Infinite-Monkeys, SpamAssassin (score=3.3, >> vereist 5, >> BIG_FONT, HTML_50_70, HTML_WITH_BGCOLOR, MIME_HTML_NO_CHARSET, >> MISSING_MIMEOLE, SPAM_PHRASE_00_01, USER_AGENT_OE, WEB_BUGS) >> X-AMC-SpamScore: sss > >-- >Julian Field >www.MailScanner.info >MailScanner thanks transtec Computers for their support From jrudd at UCSC.EDU Tue Mar 18 20:20:09 2003 From: jrudd at UCSC.EDU (John Rudd) Date: Thu Jan 12 21:17:31 2006 Subject: spam volume Message-ID: <200303182020.h2IKK9W19905@kzin.ucsc.edu> > From: Julian Field > > At 14:03 18/03/2003, you wrote: > > >Is there any way that *all* email could be stripped of the 1 image nasty > >porn emails? > >Or even maybe a list of users who want this feature? > > You can convert *all* incoming mail to a user (or group of users, domain, > whatever) by using the > > Convert HTML To Text = yes > > and using a ruleset to set it for different people. This would be applied > to all their mail, not just spam. > Note that if you do this, you will not then be able to effectively report this message to vipul's razor, if you're using that. That's my main reason for not converting html to text (otherwise I definitely would). From Andrew.Magnusson at COCC.COM Tue Mar 18 21:25:24 2003 From: Andrew.Magnusson at COCC.COM (Magnusson, Andrew) Date: Thu Jan 12 21:17:31 2006 Subject: SQL logging: default attachment logging? Message-ID: > You would need to list all the files in the workarea/id directory. Not as > trivial as the other logging info. I was afraid of that. Back to the drawing board, I guess. Andrew Magnusson Internet Product Analyst COCC 1-877-678-0444 extension 640 From brian at UNEARTHED.ORG Tue Mar 18 22:17:08 2003 
From: brian at UNEARTHED.ORG (Brian May) Date: Thu Jan 12 21:17:31 2006 Subject: Infinite Monkeys and spamassassin References: Message-ID: <002801c2ed9d$07470b20$8801020a@brianmay> /etc/mail/spamassassin/local.cf everything in /usr/share/spamassassin/ get over written during upgrades... local.cf is never touched. ----- Original Message ----- From: "Desai, Jason" To: Sent: Tuesday, March 18, 2003 5:50 AM Subject: Re: Infinite Monkeys and spamassassin Is this the typical way of adding new tests to spamassassin? Would it make more sense to put these lines in MailScanner's spam.assassin.prefs.conf? Or is there some limitation with this specific test that it has to go in 20_head_tests.cf? The advantage of putting it in spam.assassin.prefs.conf is that when you upgrade spamassassin, you don't need to remember to update the 20_head_test.cf file. The advantage of putting it in the 20_head_test.cf file would be that other applications that use spamassassin can use the same rule. So where do people normally put new spamassassin rules? Jason > -----Original Message----- 
> From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] > Sent: Tuesday, March 18, 2003 4:56 AM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: [MAILSCANNER] Infinite Monkeys and spamassassin > > > Take a look at /usr/share/spamassassin/20_head_tests.cf. You > need to create > a new rule something along these lines: > > header RCVD_IN_INFINITE_MONKEYS rbleval:check_rbl('relay', > 'proxies.relays.monkeys.com.') > describe RCVD_IN_INFINITE_MONKEYS Received via a relay in > proxies.relays.monkeys.com > tflags RCVD_IN_INFINITE_MONKEYS net > > score RCVD_IN_INFINITE_MONKEYS 5.00 > > This will have to go in the SpamAssassin configuration file > (other people > on the list will be able to give you an exact location). > > At 09:25 18/03/2003, you wrote: > >Spam which slips through (score less than 5) is often > identified by the > >Infinite-Monkeys RBL. Because i wanted this to add to the > score i told > >spamassassin to also do RBL checks (skip_rbl_checks 0), but > apparently > >spamassassin doesn'r use the Infinite-Monkeys list because > the score stays > >low? > > > > X-AMC-SpamCheck: spam, Infinite-Monkeys, SpamAssassin > (score=3.3, vereist 5, > > BIG_FONT, HTML_50_70, HTML_WITH_BGCOLOR, > MIME_HTML_NO_CHARSET, > > MISSING_MIMEOLE, SPAM_PHRASE_00_01, USER_AGENT_OE, WEB_BUGS) > > X-AMC-SpamScore: sss > > -- > Julian Field > www.MailScanner.info > MailScanner thanks transtec Computers for their support > From hciss at HCIWS.COM Wed Mar 19 00:33:13 2003 
From: hciss at HCIWS.COM (Matt)
Date: Thu Jan 12 21:17:31 2006
Subject: SPAM Bounce
Message-ID: <004701c2edaf$20ba5fa0$6401a8c0@matthew>

I am/was currently bouncing SPAM by using blacklists in sendmail.cf. This had the benefit of letting the sender know that the message did not go through and used minimal resources. If it bounced a legitimate message the sender would know rather than quietly deleting it. No one liked the SPAM tagging I tried in the past either. I used Spamcop, Ordb and the proxy list at monkeys. The real problem with it was that if one of my users wanted it turned off for their account there was no way to do that. So I bravely upgraded my Raq4i from MS 3.x to 4.x last night. Set it up to bounce SPAM based on the same blacklists and let it go (hours later, ugh). Now my admin account filled up with messages from "Mail Delivery Subsystem" due to the undeliverable messages and it also seems that my queues flooded full too. I am no linux/sendmail whatever expert so was not real sure what all was going on.

Anyway, is anyone out there using the SPAM "bounce" option with success?

Matt

From hciss at HCIWS.COM Wed Mar 19 00:18:51 2003
From: hciss at HCIWS.COM (Matt)
Date: Thu Jan 12 21:17:31 2006
Subject: Notify Senders = local on 4.x
Message-ID: <002901c2edad$1e8ae760$6401a8c0@matthew>

It seems like this option has been removed from 4.x, is that true? It seemed like such a great way to do it too.

Matt

From Kevin.Spicer at BMRB.CO.UK Wed Mar 19 08:25:43 2003
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin)
Date: Thu Jan 12 21:17:31 2006
Subject: Notify Senders = local on 4.x
Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0EBF4A4@pascal.priv.bmrb.co.uk>

>
> It seems like this option has been removed from 4.x, is that true? It
> seemed like such a great way to do it too.
>
> Matt

You should be able to recreate any functionality that's missing with a ruleset. Have a read of the README and EXAMPLE files in /etc/MailScanner/rules (or wherever they are on your System).

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000
_________________________________________________________________
This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business.

From Kevin.Spicer at BMRB.CO.UK Wed Mar 19 08:23:09 2003
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin) Date: Thu Jan 12 21:17:31 2006 Subject: SPAM Bounce Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0A4AD5A@pascal.priv.bmrb.co.uk> >. I > am no linux/sendmail whatever expert so was not real sure > what all was going > on. > What you are seeing is most probably a side effect of the bounce action working as designed! This happens because MailScanner processes the message after it has been accepted by the MTA - therefore it can only 'bounce' a message by _sending_ a rejection message, rather than by simply _rejecting_ the message instead of accepting it (like an MTA would do). Of course, as spammers often forge the headers, many of these rejection messages would be undeliverable - which results in a message to the postmaster. There is a rather useful script by David While which can dynamically update the sendmail access database to get the MTA to block persistent spammers (as well as producing some rather nifty stats), which you might like to look at (http://staff.cie.uce.ac.uk/~dwhile/mailstats/ ). Maybe using this in conjunction with the MS bounce action would help your spam problem whilst cutting down the number of postmaster messages you get. BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. From Kevin.Spicer at BMRB.CO.UK Wed Mar 19 08:25:43 2003 
From henker at SHCOM.US Wed Mar 19 09:05:27 2003
From: henker at SHCOM.US (Steffan Henke) Date: Thu Jan 12 21:17:31 2006 Subject: SPAM Bounce In-Reply-To: <004701c2edaf$20ba5fa0$6401a8c0@matthew> References: <004701c2edaf$20ba5fa0$6401a8c0@matthew> Message-ID: On Tue, 18 Mar 2003, Matt wrote: > at monkeys. The real problem with it was that if one of my users wanted it > turned off for there account there was no way to do that. So I bravely > upgraded my Raq4i from MS 3.x to 4.x last night. Set it up to bounce SPAM > based on the same blacklists and let it go(hours later, ugh). Now my admin > account filled up with messages from "Mail Delivery Subsystem" due to the Matt, I see that your questions have already been answered by Kevin, but just out of curiosity, why would a user want rbl-checks off ? Since the day I started using list.dsbl.org, sbl.spamhaus.org and relays.ordb.org, the amounts of incoming spam have decreased enormously and since the sender gets a clear hint where to find out more, eg. "554 Email blocked using spamhaus.org - see " I don't see any reason why somebody would have turned it off. It took a while to tweak and to choose the right rbl (some block dial-up-accounts in general), but the benefits of it are well worth it. Regards, Steffan From Peter.Bates at LSHTM.AC.UK Wed Mar 19 09:44:19 2003 
From: Peter.Bates at LSHTM.AC.UK (Peter Bates)
Date: Thu Jan 12 21:17:31 2006
Subject: Networkshop
Message-ID:

Hello all...

--------------------------------------------------------------------------------------------------->
Peter Bates, Systems Support Officer, Network Support Team.
London School of Hygiene & Tropical Medicine.
Telephone:0207-958 8353 / Fax: 0207- 636 9838

>>> mailscanner@ECS.SOTON.AC.UK 18/03/03 19:09:02 >>>
>For the UK academic people here, a very simple question:
>I am doing a BoF session at the Networkshop in York.
>What would you like to discuss or learn about MailScanner?

Ahhh... Notworkshop... there's some good talks in the offing this year, and I'd already noticed you were going to be present, Julian.

Can we discuss convincing my boss to pay you loads of money to add Postfix support to MS? ;)

Alternatively, maybe a foray into MailScanner and RIPA, following my request the other week to be able to see the 'Subject:' field of incoming email ...

Having said both of those, the MailScanner BoF is at the same time as the announcement of the Bandwidth Management Advisory Service, which is bad scheduling from my angle, as I should be attending both.

From mailscanner at ecs.soton.ac.uk Wed Mar 19 10:16:58 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:31 2006
Subject: Notify Senders = local on 4.x
In-Reply-To: <002901c2edad$1e8ae760$6401a8c0@matthew>
Message-ID: <5.2.0.9.2.20030319101552.022bcc98@imap.ecs.soton.ac.uk>

At 00:18 19/03/2003, you wrote:
>It seems like this option has been removed from 4.x, is that true? It
>seemed like such a great way to do it too.

The feature is still there, it just needs to use a ruleset now. If you set

Notify Senders = /etc/MailScanner/rules/notify.senders.rules

and then in that file put

From: yourdomain.com yes
FromOrTo: default no

that will achieve the same thing.

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

From usergroups at THEARGONCOMPANY.COM Wed Mar 19 11:21:58 2003
From: usergroups at THEARGONCOMPANY.COM (Rishi Gangoly - User Groups)
Date: Thu Jan 12 21:17:31 2006
Subject: Restart Every = 14400 # 4 hours - MailScanner on Cobalt RaQ4
Message-ID: <200303191122.QAA20656@theargonserver.theargoncompany.com>

Hi

I am using the following on my Cobalt RaQ4 server
- sendmail-8.10.2-C1sol1
- mailscanner-3.22-10

I keep getting a "User Unknown" bounce error message for random valid users on a daily basis. This has been happening for a while and I suspect the problem is because of this setting in the mailscanner.conf file.

---------------------------------------------------------------
# To avoid resource leaks, re-start periodically.
Restart Every = 14400 # 4 hours
---------------------------------------------------------------

Has anyone faced similar problems? If yes does the latest 3.x version of mailscanner solve this problem?

Regards
Rishi

From linux at mostert.nom.za Wed Mar 19 12:11:35 2003
From: linux at mostert.nom.za (Mozzi)
Date: Thu Jan 12 21:17:31 2006
Subject: Exim problem
Message-ID: <200303191411.35119.linux@mostert.nom.za>

Hallo all

After my recent problems I decided to give Exim a try. I have only one problem. I have managed to setup exim and get the mailhubbing done but if I send to that host I get the following error on all messages. Both these addresses are known to work and were tested with other mx's.

2003-03-19 10:33:02 H=(smtp.lantic.net) [196.25.53.195] sender verify fail for : Unrouteable address
2003-03-19 10:33:02 H=(smtp.lantic.net) [196.25.53.195] F= rejected RCPT : Sender verify failed

Tnx
Mozzi

From mailscanner at LISTS.COM.AR Wed Mar 19 15:25:04 2003
From: mailscanner at LISTS.COM.AR (Mariano Absatz)
Date: Thu Jan 12 21:17:31 2006
Subject: not quite a bug
Message-ID: <3E7861A0.28566.A9E6B1B4@localhost>

Hi Julian,

browsing the code I found this in Sendmail.pm:

  sub KickMessage {
    my(@ids) = @_;
    my($idlist);

    $idlist = join(' -qI', @ids);
    $idlist .= ' &' if MailScanner::Config::Value('deliverinbackground');
    #print STDERR "About to do \"Sendmail2 -qI$idlist\"\n";
    system(MailScanner::Config::Value('sendmail2') . ' -qI' . $idlist);
  }

and this generates:
sendmail -qI -qIxxxx -qIzzzz -qIwwww

Just for cleanup, I think it should be:
  sub KickMessage {
    my(@ids) = @_;
    my($idlist);

    $idlist = join(' -qI', @ids);
    $idlist .= ' &' if MailScanner::Config::Value('deliverinbackground');
    #print STDERR "About to do \"Sendmail2 -qI$idlist\"\n";
    system(MailScanner::Config::Value('sendmail2') . $idlist);
  }

--
Mariano Absatz
El Baby
----------------------------------------------------------
Errors have been made. Others will be blamed.

From mailscanner at ecs.soton.ac.uk Wed Mar 19 16:09:01 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:31 2006
Subject: not quite a bug
In-Reply-To: <3E7861A0.28566.A9E6B1B4@localhost>
Message-ID: <5.2.0.9.2.20030319160825.04453568@imap.ecs.soton.ac.uk>

At 15:25 19/03/2003, you wrote:
>Hi Julian,
>
>browsing the code I found this in Sendmail.pm:
>
>  sub KickMessage {
>    my(@ids) = @_;
>    my($idlist);
>
>    $idlist = join(' -qI', @ids);
>    $idlist .= ' &' if MailScanner::Config::Value('deliverinbackground');
>    #print STDERR "About to do \"Sendmail2 -qI$idlist\"\n";
>    system(MailScanner::Config::Value('sendmail2') . ' -qI' . $idlist);
>  }
>
>and this generates:
>sendmail -qI -qIxxxx -qIzzzz -qIwwww

It shouldn't. It should put a " -qI" between each id, but without one at the beginning.

>Just for cleanup, I think it should be:
>  sub KickMessage {
>    my(@ids) = @_;
>    my($idlist);
>
>    $idlist = join(' -qI', @ids);
>    $idlist .= ' &' if MailScanner::Config::Value('deliverinbackground');
>    #print STDERR "About to do \"Sendmail2 -qI$idlist\"\n";
>    system(MailScanner::Config::Value('sendmail2') . $idlist);
>  }
>
>
>--
>Mariano Absatz
>El Baby
>----------------------------------------------------------
>Errors have been made. Others will be blamed.

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From mailscanner at LISTS.COM.AR Wed Mar 19 17:11:13 2003
From: mailscanner at LISTS.COM.AR (Mariano Absatz)
Date: Thu Jan 12 21:17:31 2006
Subject: not a bug at all (was Re: not quite a bug)
In-Reply-To: <5.2.0.9.2.20030319160825.04453568@imap.ecs.soton.ac.uk>
References: <3E7861A0.28566.A9E6B1B4@localhost>
Message-ID: <3E787A81.30718.AA47E285@localhost>

You're right... sorry... subject has been amended :-D

On 19 Mar 2003 at 16:09, Julian Field wrote:

> At 15:25 19/03/2003, you wrote:
> >Hi Julian,
> >
> >browsing the code I found this in Sendmail.pm:
> >
> >  sub KickMessage {
> >    my(@ids) = @_;
> >    my($idlist);
> >
> >    $idlist = join(' -qI', @ids);
> >    $idlist .= ' &' if MailScanner::Config::Value('deliverinbackground');
> >    #print STDERR "About to do \"Sendmail2 -qI$idlist\"\n";
> >    system(MailScanner::Config::Value('sendmail2') . ' -qI' . $idlist);
> >  }
> >
> >and this generates:
> >sendmail -qI -qIxxxx -qIzzzz -qIwwww
>
> It shouldn't. It should put a " -qI" between each id, but without one at
> the beginning.
>
>
> >Just for cleanup, I think it should be:
> >  sub KickMessage {
> >    my(@ids) = @_;
> >    my($idlist);
> >
> >    $idlist = join(' -qI', @ids);
> >    $idlist .= ' &' if MailScanner::Config::Value('deliverinbackground');
> >    #print STDERR "About to do \"Sendmail2 -qI$idlist\"\n";
> >    system(MailScanner::Config::Value('sendmail2') . $idlist);
> >  }
> >
> >
> >--
> >Mariano Absatz
> >El Baby
> >----------------------------------------------------------
> >Errors have been made. Others will be blamed.
>
> --
> Julian Field
> www.MailScanner.info
> MailScanner thanks transtec Computers for their support

--
Mariano Absatz
El Baby
----------------------------------------------------------
Why should I care about posterity? What's posterity ever done for me?
  -- Groucho Marx

From ivan at NUCCI.COM.BR Wed Mar 19 18:29:50 2003
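The two command strings discussed in the "not quite a bug" thread above, built side by side, plus a list-form call that keeps each id a separate argument. This is an added example, not MailScanner's code; the bare 'sendmail' program name, the id character check and the use of echo as a stand-in program are assumptions made so it runs anywhere.

```perl
#!/usr/bin/perl
# Added example: what join(' -qI', @ids) produces in each variant of
# KickMessage quoted in the thread, and a shell-free way to pass the ids.
use strict;
use warnings;

my $sendmail2 = 'sendmail';          # assumed value of the 'sendmail2' setting
my @ids       = qw(xxxx zzzz wwww);  # placeholder ids, as used in the thread

# As in the Sendmail.pm excerpt: join() puts ' -qI' BETWEEN the ids only,
# so the caller has to supply the first ' -qI' itself.
sub cmd_original {
    my ($bin, @ids) = @_;
    return $bin . ' -qI' . join(' -qI', @ids);
}

# The variant suggested in the thread, without the leading ' -qI'.
sub cmd_proposed {
    my ($bin, @ids) = @_;
    return $bin . join(' -qI', @ids);
}

# Assumed alternative (not from the thread): one argv element per id, for
# use with the list form of system(), which does not involve /bin/sh.
# The id character set is an assumption; adjust it to the MTA's id format.
sub argv_list {
    my ($bin, @ids) = @_;
    for my $id (@ids) {
        die "refusing unexpected queue id '$id'\n"
            unless $id =~ /\A[A-Za-z0-9]+\z/;
    }
    return ($bin, map { '-qI' . $_ } @ids);
}

print "original: ", cmd_original($sendmail2, @ids), "\n";
print "proposed: ", cmd_proposed($sendmail2, @ids), "\n";
print "one id:   ", cmd_original($sendmail2, 'xxxx'), "\n";

my @argv = argv_list($sendmail2, @ids);
print "argv:     ", join(' | ', @argv), "\n";

# Run the same arguments through echo as a stand-in for the real binary.
# With a list, Perl executes the program directly, so a trailing ' &' would
# be passed as data; background delivery would need fork() instead.
system('echo', @argv[1 .. $#argv]) == 0
    or die "echo failed: $?\n";

# An id carrying shell characters is rejected before any command is built.
my @unused = eval { argv_list($sendmail2, 'xxxx', 'zzzz &') };
print "refused:  $@" if $@;
```

The "original" line prints sendmail -qIxxxx -qIzzzz -qIwwww, with no bare -qI at the front, while the "proposed" line prints sendmailxxxx -qIzzzz -qIwwww, which is why the thread ends with "not a bug at all".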
From: ivan at NUCCI.COM.BR (Ivan Mirisola)
Date: Thu Jan 12 21:17:31 2006
Subject: Clam Antivirus
References: <5C0296D26910694BB9A9BBFC577E7AB0A4AD59@pascal.priv.bmrb.co.uk> <200303171804.44524.carles@descom.es>
Message-ID: <3E78B71E.7030900@nucci.com.br>

Dear friends,

As everyone might've noticed, clamav's site was down for a week+. But fortunately they are back, check out! Does anyone know what happened?

TIA
Ivan

Carles Xavier Munyoz Baldó wrote:

>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>
>On Monday 17 March 2003 17:32, Spicer, Kevin wrote:
>
>
>>Does anyone know what's going on with Clam? Their website seems to have
>>been down since Friday.
>>
>>
>
>Yes, and I get the error:
>[...]
>Checking for a new database - started at Mon Mar 17 15:31:47 2003
>viruses.db2 is up to date.
>ERROR: The checksum of viruses.db database isn't ok. Please check it yourself
>or try again.
>[...]
>
>When the update daemon tries to update its virus database.
>
>Greetings.
>- ---
>Carles Xavier Munyoz Baldó
>carles@descom.es
>Descom Consulting
>Telf: +34 965861024
>Fax: +34 965861024
>http://www.descom.es/
>- ---
>-----BEGIN PGP SIGNATURE-----
>Version: PGP 6.5.8
>
>iQA/AwUBPnYAKTvYAf7VZNaaEQKzLwCbBMuSbcCpdSO9Mh/eW8DYeGA7wEIAn0Y/
>wFi7kgm7VHG6bwookLcoeXud
>=CBmf
>-----END PGP SIGNATURE-----
>
>

--
Regards,
----------------------------
Ivan Mirisola
Systems Analyst
Nucci Systems
ivan@nucci.com.br
+55 11 3049-3610

From Jan-Peter.Koopmann at SECEIDOS.DE Wed Mar 19 19:15:18 2003
From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann)
Date: Thu Jan 12 21:17:31 2006
Subject: ANNOUNCE: mailstats.pl V0.17
Message-ID: <4E7026FF8A422749B1553FE508E0068007EFCA@message.intern.akctech.de>

Hi David,

am I correct in assuming that your script "only" supports sendmail and not exim? If so, will exim support ever be included by you?

Thanks,
JP

-----------------------------------------------------------------------------
Seceidos GmbH     | Jan-Peter Koopmann | Senior Engineer
Wilhelminenstr. 2 | Tel: +49 (0)6151 66843-43
D-64283 Darmstadt |      +49 (0)6151 9511-252 (24H Voicecenter)
Germany           | Fax: +49 (0)6151 66843-52
-----------------------------------------------------------------------------

_____

From: David While [mailto:David.While@UCE.AC.UK]
Sent: Friday, March 14, 2003 4:15 PM
To: MAILSCANNER@JISCMAIL.AC.UK

For those people who use my script to analyse the mail log file you will find a new version which has the following additions:

From David.While at UCE.AC.UK Wed Mar 19 21:37:58 2003
From: David.While at UCE.AC.UK (David While)
Date: Thu Jan 12 21:17:32 2006
Subject: ANNOUNCE: mailstats.pl V0.17
Message-ID:

An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030319/62e328c0/attachment.html

From ms at MLSIS.CO.UK Wed Mar 19 22:21:44 2003
From: ms at MLSIS.CO.UK (Matt Lowe)
Date: Thu Jan 12 21:17:32 2006
Subject: wat licence do you need?
Message-ID: <1048112504.7974.9.camel@luggage>

Hi

this question has probably been asked before, but I can't find a definite answer on the site :(

If I am using mailscanner to scan incoming emails, what license do I need? I have been looking at RAV and SOPHOS, and (mainly RAV) a workstation and a server version of their software, which version do I need to install to scan using mailscanner?

I use mailscanner on a single machine with direct DynDNS access and receive all my emails directly to this machine in one location, and in a couple of other locations I have a router box, acting as an internal mail server for small networks.

I know there is a lot of problems as in networked mail servers need licenses for all attached users etc, but what about the single workstation? and CAN the single workstation version work OK with a networked mailscanner?

I'm not asking anyone to tell me how/how not to break the law, it's just a general question.

Any help would be great.

P.S. I have gone off the free virus scanners a bit after hearing CLAM was down for a week :( plus some of my customers want to pay for AV as they believe paying means more reliability (they don't mention that when faced with the quotes for a Linux based server against a windoz based server!!!)

From P.G.M.Peters at civ.utwente.nl Thu Mar 20 07:35:45 2003
From: P.G.M.Peters at civ.utwente.nl (Peter Peters) Date: Thu Jan 12 21:17:32 2006 Subject: wat licence do you need? In-Reply-To: <1048112504.7974.9.camel@luggage> References: <1048112504.7974.9.camel@luggage> Message-ID: On Wed, 19 Mar 2003 22:21:44 +0000, you wrote: >Any help would be great. >P.S. I have gone off the free virus scanners a bit after hearing CLAM >was down for a week :( plus some of my customers want to pay for AV as >they believe paying means more reliability (they don't mention that when >faced with the quotes for a Linux based server against a windoz based >server!!!) F-prot is done on a per server basis. We have it running on two servers. I know of an ISP running it on their main mailserver. They tried to buy more licenses and have them register to customers with their own mailserver but frisk was unresponsive. So they decided to route all mail for these customers also through their main mailserver to avoid licensing problems. -- Peter Peters, senior netwerkbeheerder Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE) Universiteit Twente, Postbus 217, 7500 AE Enschede telefoon: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/civ From melilela at TIME.NET.MY Thu Mar 20 04:38:54 2003 
From: melilela at TIME.NET.MY (Ramli Mohd)
Date: Thu Jan 12 21:17:32 2006
Subject: What it Mean
In-Reply-To: <5.2.0.9.2.20030319160825.04453568@imap.ecs.soton.ac.uk>
Message-ID:

Dear Julian,

When I on spam check I got this error in my log file what it mean and how to overcome this problem

Mar 20 12:36:35 pop MailScanner[7404]: Looked up unknown string spam in language translation file /etc/MailScanner/reports/en/languages.conf
Mar 20 12:36:35 pop MailScanner[7404]: Config Error: Cannot match against destination IP address when resolving configuration option "spamwhitelist"
Mar 20 12:36:35 pop MailScanner[7404]: Config Error: Cannot match against destination IP address when resolving configuration option "spamwhitelist"

From mailscanner at ecs.soton.ac.uk Thu Mar 20 10:00:48 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:32 2006
Subject: What it Mean
In-Reply-To:
References: <5.2.0.9.2.20030319160825.04453568@imap.ecs.soton.ac.uk>
Message-ID: <5.2.0.9.2.20030320095750.02292308@imap.ecs.soton.ac.uk>

At 04:38 20/03/2003, you wrote:
>Dear Julian,
>
>When I on spam check I got this error in my log file what it mean and how to
>overcome this problem
>
>
>Mar 20 12:36:35 pop MailScanner[7404]: Looked up unknown string spam in
>language translation file /etc/MailScanner/reports/en/languages.conf

You are using a slightly old version of the languages file that doesn't have the line spam=spam in it. It's a harmless error.

>Mar 20 12:36:35 pop MailScanner[7404]: Config Error: Cannot match against
>destination IP address when resolving configuration option "spamwhitelist"
>Mar 20 12:36:35 pop MailScanner[7404]: Config Error: Cannot match against
>destination IP address when resolving configuration option "spamwhitelist"

You have something wrong with your "Is Definitely Not Spam" setting. You have tried to use To: some-IP-address in your spam whitelist file. You can't do this as you don't know the IP address you are going to send it to until you have actually sent it. When using IP addresses in rules, you can only match "From". Matching "To" is simply not possible.

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

From howard at harper-adams.ac.uk Thu Mar 20 12:52:45 2003
From: howard at harper-adams.ac.uk (Howard Robinson) Date: Thu Jan 12 21:17:32 2006 Subject: Attachment size Message-ID: <200303201248.h2KCmwD25705@blackhole.harper-adams.ac.uk> Dear list members. All our mail goes to the mailscanner box and then after scanning is forwarded back to the relevant Novell server internally or to the outside world. Internally we have set Mercury on the novell server to 15mb. I know that some sites restrict incoming email attachment or 1 or 2 mb so large emails are rejected. However we have had complaints from some sites that large attachments, but below their limits, are not getting out to them nor can they send them to us. Internally we don't have a problem - I've just sent my self a 10mb attachment to check. Is there a setting in mailscanner or send mail that limits the size of an attachment. Does it/can it differentiate between on site and off site mail? Regards Howard Robinson (Senior Technical Development Officer) Harper Adams University College Edgmond Newport Shropshire TF10 8NB UK E-mail: hrobinson@harper-adams.ac.uk Tel. : +44(0)1952 820280 Via switchboard : +44(0)1952 815253 Direct line Fax. : +44(0)1952 814783 College Web site http://www.harper-adams.ac.uk From michael at ERG.ABDN.AC.UK Thu Mar 20 13:12:05 2003 
From: michael at ERG.ABDN.AC.UK (Michael Forrest) Date: Thu Jan 12 21:17:32 2006 Subject: Rulesets Message-ID: Hi All, At the moment we use a "Required SpamAssassin Score" of 5 and a high setting of 10 (which we bounce,delete). But over the past few months the mail queues have been building up substantially with deferred connections which are all bounces to real spam email and not false positives. I was wondering if it was possible to change the behaviour slightly, in such a way as to use more than just the raw SA score. For example :- SA Score >20 - delete SA Score >10 AND NOT in SpamList - bounce,delete SA Score >10 AND in SpamList - delete SA Score >5 - Mark as {Spam?} Spam List being ORDB-RBL Infinite-Monkeys and RAZOR(I realise SA does the RAZOR check:-().... Any thoughts? or am i looking at this from the wrong angle. Could you cc my address in the reply, since i'm currently set to digest mode for the list group and would not see replies till midnight :-( Thanks, Michael. From mailscanner at ecs.soton.ac.uk Thu Mar 20 13:55:30 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:32 2006
Subject: Attachment size
In-Reply-To: <200303201248.h2KCmwD25705@blackhole.harper-adams.ac.uk>
Message-ID: <5.2.0.9.2.20030320135336.0487a070@imap.ecs.soton.ac.uk>

At 12:52 20/03/2003, you wrote:
>Dear list members.
>All our mail goes to the mailscanner box and then after scanning is
> forwarded back to the relevant Novell server internally or to the
>outside world. Internally we have set Mercury on the novell server to
>15mb. I know that some sites restrict incoming email attachment
>or 1 or 2 mb so large emails are rejected.
>However we have had complaints from some sites that large
>attachments, but below their limits, are not getting out to them nor
>can they send them to us. Internally we don't have a problem - I've
>just sent my self a 10mb attachment to check.

Just remember that the email encoding of the attachment involves expanding it by about 30% or so to put it in the email. So if they try to send a file that is 15Mb, it will be turned into a 20Mb (or so) message.

>Is there a setting in mailscanner

No.

> or send mail that limits the size of
>an attachment.

Yes, there is a
O MaxMessageSize=
setting.

> Does it/can it differentiate between on site and off
>site mail?
>
>
>
>
>Regards
>
>Howard Robinson
>(Senior Technical Development Officer)
>Harper Adams University College
>Edgmond
>Newport
>Shropshire
>TF10 8NB UK
>
>E-mail: hrobinson@harper-adams.ac.uk
>Tel. : +44(0)1952 820280 Via switchboard
> : +44(0)1952 815253 Direct line
>Fax. : +44(0)1952 814783
>College Web site http://www.harper-adams.ac.uk

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From howard at harper-adams.ac.uk Thu Mar 20 14:31:43 2003
From: howard at harper-adams.ac.uk (Howard Robinson) Date: Thu Jan 12 21:17:32 2006 Subject: Mailscanner Message-ID: <200303201428.h2KESH029505@blackhole.harper-adams.ac.uk> test - Mailscanner maile being rejected by LISTSERV@JISCMAIL.AC.UK Regards Howard Robinson (Senior Technical Development Officer) Harper Adams University College Edgmond Newport Shropshire TF10 8NB UK E-mail: hrobinson@harper-adams.ac.uk Tel. : +44(0)1952 820280 Via switchboard : +44(0)1952 815253 Direct line Fax. : +44(0)1952 814783 College Web site http://www.harper-adams.ac.uk From mailscanner at ecs.soton.ac.uk Thu Mar 20 14:14:13 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:32 2006
Subject: Rulesets
In-Reply-To:
Message-ID: <5.2.0.9.2.20030320135624.03dc5bf8@imap.ecs.soton.ac.uk>

This is a perfect use for a Custom Function.

Set these in your MailScanner.conf file

Required SpamAssassin Score = 5
Spam Actions = &SpamActions
High SpamAssassin Score = 20
High Scoring Spam Actions = delete

That handles the score>20 situation for you.

So you would have something like

sub SpamActions {
   my($message) = @_;

   return 'deliver' unless $message; # Sanity check in case something went wrong

   my $score = $message->{sascore};
   my $spamlist = $message->{isrblspam};

   return 'bounce delete' if $score>=10 && !$spamlist;
   return 'delete' if $score>=10;
   return 'deliver';
}

That code goes in CustomConfig.pm by the way.

At 13:12 20/03/2003, you wrote:
>Hi All,
>
>At the moment we use a "Required SpamAssassin Score" of 5 and a high
>setting of 10 (which we bounce,delete). But over the past few months the
>mail queues have been building up substantially with deferred connections
>which are all bounces to real spam email and not false positives.
>
>I was wondering if it was possible to change the behaviour slightly, in
>such a way as to use more than just the raw SA score. For example :-
>
> SA Score >20 - delete
> SA Score >10 AND NOT in SpamList - bounce,delete
> SA Score >10 AND in SpamList - delete
> SA Score >5 - Mark as {Spam?}
>
>Spam List being ORDB-RBL Infinite-Monkeys and RAZOR(I realise SA does
>the RAZOR check:-()....
>
>Any thoughts? or am i looking at this from the wrong angle. Could you cc
>my address in the reply, since i'm currently set to digest mode for the
>list group and would not see replies till midnight :-(
>
>Thanks,
>
>Michael.

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From michael at erg.abdn.ac.uk Thu Mar 20 14:36:13 2003
From: michael at erg.abdn.ac.uk (Michael Forrest) Date: Thu Jan 12 21:17:32 2006 Subject: Rulesets In-Reply-To: <5.2.0.9.2.20030320135624.03dc5bf8@imap.ecs.soton.ac.uk> References: <5.2.0.9.2.20030320135624.03dc5bf8@imap.ecs.soton.ac.uk> Message-ID: Thanks Julian as always :-) Will that spamlist variable in the code include RAZOR2? or will i have to parse the output returned back from SA for any "RAZOR2_" tags? Mar 20 14:03:09 mail.erg.abdn.ac.uk MailScanner[29811]: Message h2KE2snL001370 from 216.95.201.40 (cid=1-uid=25805950-mid=989--@bounce.jsuati.com) to erg.abdn.ac.uk is spam, SpamAssassin (score=28.9, required 5, ADVERT_CODE, BAYES_90, CLICK_BELOW, EXCUSE_1, EXCUSE_19, EXCUSE_24, GUARANTEED_STUFF, HTML_40_50, HTML_LINK_CLICK_HERE, HTML_TAG_EXISTS_TBODY, HTML_WEB_BUGS, MARKETING_PARTNERS , NO_COST,OFFER, OFFERS_ETC, RAZOR2_CF_RANGE_91_100, RAZOR2_CHECK, RCVD_IN_BL_SPAMCOP_NET, RCVD_IN_NJABL, RECEIVE_OFFER, REMOVAL_INSTRUCTIONS, REMOVE_IN_QUOTES, REMOVE_SUBJ, SATISFACTION, SUBJ_ALL_CAPS) Thanks, Michael On Thu, 20 Mar 2003, Julian Field wrote: > This is a perfect use for a Custom Function. > > Set these in your MailScanner.conf file > > Required SpamAssassin Score = 5 > Spam Actions = &SpamActions > High SpamAssassin Score = 20 > High Scoring Spam Actions = delete > > That handles the score>20 situation for you. > > So you would have something like > > sub SpamActions { > my($message) = @_; > > return 'deliver' unless $message; # Sanity check in case something went > wrong > > my $score = $message->{sascore}; > my $spamlist = $message->{isrblspam}; > > return 'bounce delete' if $score>=10 && !$spamlist; > return 'delete' if $score>=10; > return 'deliver'; > } > > That code goes in CustomConfig.pm by the way. > > At 13:12 20/03/2003, you wrote: > >Hi All, > > > >At the moment we use a "Required SpamAssassin Score" of 5 and a high > >setting of 10 (which we bounce,delete). 
But over the past few months the > >mail queues have been building up substantially with deferred connections > >which are all bounces to real spam email and not false positives. > > > >I was wondering if it was possible to change the behaviour slightly, in > >such a way as to use more than just the raw SA score. For example :- > > > > SA Score >20 - delete > > SA Score >10 AND NOT in SpamList - bounce,delete > > SA Score >10 AND in SpamList - delete > > SA Score >5 - Mark as {Spam?} > > > >Spam List being ORDB-RBL Infinite-Monkeys and RAZOR(I realise SA does > >the RAZOR check:-().... > > > >Any thoughts? or am i looking at this from the wrong angle. Could you cc > >my address in the reply, since i'm currently set to digest mode for the > >list group and would not see replies till midnight :-( > > > >Thanks, > > > >Michael. > > -- > Julian Field > www.MailScanner.info > MailScanner thanks transtec Computers for their support > > From r.westlake at MAIL.CRYST.BBK.AC.UK Thu Mar 20 14:48:31 2003 
From: r.westlake at MAIL.CRYST.BBK.AC.UK (Richard Westlake) Date: Thu Jan 12 21:17:32 2006 Subject: SPAM Bounce In-Reply-To: <200303200000.h2K00ID09460@pat.cryst.bbk.ac.uk> References: <200303200000.h2K00ID09460@pat.cryst.bbk.ac.uk> Message-ID: Sorry it this has already been covered by I only read the list in digest form. Steffan Don't assume that people read or understand the bounce/failure messages from a mail system, or even that the bounce message text ever get to the sender. Some mail clients seem to filter out the bounce message and replace it all with a really useful message like "Protocol error". :-( I have users who don't even read the text in the "Sorry we haven't been able to deliver you message for the last four hours, but we will keep trying", they forward it to support assume that our system is broken. In late 1999, after loud complaints from our users we started blocking email connections from open relays, this greatly reduced the amount of spam. We returned an error message with a URL for more information and I assumed that people would either look at the URL and understand the problem or ask there local computer support what it meant, after all some of our users would forward to support the "Sorry we haven't been able to deliver you message for the last four hours, but we will keep trying" messages. What we found was that most people simply ignored the bounce, resent several times and then gave up. Sometimes if we were lucky they would phone the recipient and fax us a copy of the bounce message, that was when we discovered that some mail clients or systems didn't show the bounce text only a stupid message like "Protocol error". We had to switch off most of the blocking in January 2000 as the users who complained loudest about the spam before the blocking then complained just as loud if not louder about the blocking, they sill complain about the spam. 
:-( At the time I was rather surprised by some of the people running open relays, including mail hubs for large organisations, which should have known better. Hopefully things have since improved, I know that JANET (the UK academic network) now has a zero tolerance policy on open relays. After Jan 2000 we only blocked know dial up addresses from the MAPS DUL however recently we switched to the MAPS RBL+ via the JANET. No complaints about the blocking so far, but we are still getting a lot of spam some of which is tagged by SpamAssassin. We use the Dynamic Relay Authorization Control (DRAC) http://mail.cc.umanitoba.ca/drac/ software to allow our users to send mail from dial up connections, which would normally be locked by the dialup black hole lists. DRAC provides IMAP(or pop) login before SMTP relaying. All the best Richard Westlake School of Crystallography, Birkbeck College, Malet Street, London WC1E 7HX Tel: 020-7631-6859 ---------------------------------------------------------------------- Truth endures but spelling changes -- Anon. ---------------------------------------------------------------------- From howard at harper-adams.ac.uk Thu Mar 20 14:50:17 2003 
From: howard at harper-adams.ac.uk (Howard Robinson)
Date: Thu Jan 12 21:17:32 2006
Subject: Attachment size further problem
In-Reply-To: <5.2.0.9.2.20030320135336.0487a070@imap.ecs.soton.ac.uk>
References: <200303201248.h2KCmwD25705@blackhole.harper-adams.ac.uk>
Message-ID: <200303201446.h2KEkYY01753@blackhole.harper-adams.ac.uk>

On 20 Mar 03, at 13:55, Julian Field wrote:

Thanks to those who replied to my email.

snipped first bits

> > or send mail that limits the size of
> >an attachment.
>
> Yes, there is a
> O MaxMessageSize=
> setting.

this was remmed out so I unremmed it in sendmail.cf
restarted mailscanner
after a few moments I got the following message

Error initialising detection engine - missing part of virus data

I checked the date, time and version for the ide and it's correct.
I re-remmed the size setting and restarted mailscanner.
Still the same
I did a manual down load of the last signature just in case it had corrupted and restarted mailscanner.
Still the same.
I emailed the list and got it thrown back - rejected by Listserv..
Shut down and restarted mailgateway
sent the test message and it's now fine.

Is there more to amending the sendmail.cf than meets the eye?

Regards

Howard Robinson
(Senior Technical Development Officer)
Harper Adams University College
Edgmond
Newport
Shropshire
TF10 8NB UK

E-mail: hrobinson@harper-adams.ac.uk
Tel. : +44(0)1952 820280 Via switchboard
 : +44(0)1952 815253 Direct line
Fax. : +44(0)1952 814783
College Web site http://www.harper-adams.ac.uk

From mailscanner at ecs.soton.ac.uk Thu Mar 20 15:03:18 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:32 2006
Subject: Rulesets
In-Reply-To:
References: <5.2.0.9.2.20030320135624.03dc5bf8@imap.ecs.soton.ac.uk> <5.2.0.9.2.20030320135624.03dc5bf8@imap.ecs.soton.ac.uk>
Message-ID: <5.2.0.9.2.20030320150000.0484f980@imap.ecs.soton.ac.uk>

At 14:36 20/03/2003, Michael Forrest wrote:
>Thanks Julian as always :-)
>
>Will that spamlist variable in the code include RAZOR2?

No.

> or will i have to
>parse the output returned back from SA for any "RAZOR2_" tags?

Yes, you could do

   my $spamlist = $message->{isrblspam};
   $spamlist = 1 if $message->{spamreport} =~ /RAZOR2/;

>Mar 20 14:03:09 mail.erg.abdn.ac.uk MailScanner[29811]: Message
>h2KE2snL001370 from 216.95.201.40
>(cid=1-uid=25805950-mid=989--@bounce.jsuati.com) to erg.abdn.ac.uk is spam,
>SpamAssassin (score=28.9, required 5, ADVERT_CODE, BAYES_90, CLICK_BELOW,
>EXCUSE_1, EXCUSE_19, EXCUSE_24, GUARANTEED_STUFF, HTML_40_50,
>HTML_LINK_CLICK_HERE, HTML_TAG_EXISTS_TBODY, HTML_WEB_BUGS, MARKETING_PARTNERS
>, NO_COST,OFFER, OFFERS_ETC, RAZOR2_CF_RANGE_91_100, RAZOR2_CHECK,
>RCVD_IN_BL_SPAMCOP_NET, RCVD_IN_NJABL, RECEIVE_OFFER,
>REMOVAL_INSTRUCTIONS, REMOVE_IN_QUOTES, REMOVE_SUBJ, SATISFACTION,
>SUBJ_ALL_CAPS)
>
>Thanks,
>
>Michael
>
>
>On Thu, 20 Mar 2003, Julian Field wrote:
>
> > This is a perfect use for a Custom Function.
> >
> > Set these in your MailScanner.conf file
> >
> > Required SpamAssassin Score = 5
> > Spam Actions = &SpamActions
> > High SpamAssassin Score = 20
> > High Scoring Spam Actions = delete
> >
> > That handles the score>20 situation for you.
> >
> > So you would have something like
> >
> > sub SpamActions {
> >    my($message) = @_;
> >
> >    return 'deliver' unless $message; # Sanity check in case something went wrong
> >
> >    my $score = $message->{sascore};
> >    my $spamlist = $message->{isrblspam};
> >
> >    return 'bounce delete' if $score>=10 && !$spamlist;
> >    return 'delete' if $score>=10;
> >    return 'deliver';
> > }
> >
> > That code goes in CustomConfig.pm by the way.
> >
> > At 13:12 20/03/2003, you wrote:
> > >Hi All,
> > >
> > >At the moment we use a "Required SpamAssassin Score" of 5 and a high
> > >setting of 10 (which we bounce,delete). But over the past few months the
> > >mail queues have been building up substantially with deferred connections
> > >which are all bounces to real spam email and not false positives.
> > >
> > >I was wondering if it was possible to change the behaviour slightly, in
> > >such a way as to use more than just the raw SA score. For example :-
> > >
> > > SA Score >20 - delete
> > > SA Score >10 AND NOT in SpamList - bounce,delete
> > > SA Score >10 AND in SpamList - delete
> > > SA Score >5 - Mark as {Spam?}
> > >
> > >Spam List being ORDB-RBL Infinite-Monkeys and RAZOR(I realise SA does
> > >the RAZOR check:-()....
> > >
> > >Any thoughts? or am i looking at this from the wrong angle. Could you cc
> > >my address in the reply, since i'm currently set to digest mode for the
> > >list group and would not see replies till midnight :-(
> > >
> > >Thanks,
> > >
> > >Michael.
> >
> > --
> > Julian Field
> > www.MailScanner.info
> > MailScanner thanks transtec Computers for their support
> >
> >

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From jrudd at UCSC.EDU Thu Mar 20 15:27:45 2003
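Added example, not code from the thread's authors or from MailScanner: the two snippets posted above merged into one function and run stand-alone against constructed message hashes. The keys sascore, isrblspam and spamreport and the three return strings are the ones used in the thread; razor_hit, the test table and the rule name NOT_RAZOR2_LISTED are assumptions of this example, and scores of 20 and above are left out because the High Scoring Spam Actions setting deals with them before this function is consulted.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# True when the SpamAssassin report names a RAZOR2_* rule. Anchoring on a
# word boundary avoids a hit on some other rule whose name merely contains
# the text "RAZOR2". (razor_hit is a helper made up for this example.)
sub razor_hit {
    my ($report) = @_;
    return 0 unless defined $report;
    return $report =~ /\bRAZOR2_\w+/ ? 1 : 0;
}

sub SpamActions {
    my ($message) = @_;
    return 'deliver' unless $message;     # sanity check, as in the thread

    my $score = $message->{sascore};
    $score = 0 unless defined $score;     # no SpamAssassin result: treat as 0

    # "In a spam list" = RBL hit, or a Razor hit found in the report text.
    my $spamlist = $message->{isrblspam} ? 1 : 0;
    $spamlist = 1 if razor_hit($message->{spamreport});

    return 'bounce delete' if $score >= 10 && !$spamlist;
    return 'delete'        if $score >= 10;
    return 'deliver';
}

# Constructed messages. Rule names are borrowed from the log line quoted in
# the thread, except NOT_RAZOR2_LISTED, which is invented to show the
# word-boundary check.
my @cases = (
    [ 'score 12.4, no list hit',
      { sascore => 12.4, isrblspam => 0,
        spamreport => 'score=12.4, required 5, BAYES_90, HTML_WEB_BUGS' },
      'bounce delete' ],
    [ 'score 12.4, RBL hit',
      { sascore => 12.4, isrblspam => 1,
        spamreport => 'score=12.4, required 5, BAYES_90, RCVD_IN_NJABL' },
      'delete' ],
    [ 'score 12.4, Razor hit only',
      { sascore => 12.4, isrblspam => 0,
        spamreport => 'score=12.4, required 5, RAZOR2_CF_RANGE_91_100, RAZOR2_CHECK' },
      'delete' ],
    [ 'score 11.0, look-alike rule name',
      { sascore => 11.0, isrblspam => 0,
        spamreport => 'score=11.0, required 5, NOT_RAZOR2_LISTED' },
      'bounce delete' ],
    [ 'score 15, report missing',
      { sascore => 15, isrblspam => 0 },
      'bounce delete' ],
    [ 'score 6.1, Razor hit',
      { sascore => 6.1, isrblspam => 1,
        spamreport => 'score=6.1, required 5, RAZOR2_CHECK' },
      'deliver' ],
    [ 'no message object', undef, 'deliver' ],
);

my $failed = 0;
for my $case (@cases) {
    my ($name, $msg, $want) = @$case;
    my $got = SpamActions($msg);
    my $verdict = $got eq $want ? 'ok' : "MISMATCH (wanted $want)";
    printf "%-34s %-14s %s\n", $name, $got, $verdict;
    $failed++ if $got ne $want;
}
exit($failed ? 1 : 0);
```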
From: jrudd at UCSC.EDU (John Rudd) Date: Thu Jan 12 21:17:32 2006 Subject: Rulesets Message-ID: <200303201527.h2KFRjR20141@kzin.ucsc.edu> For one, I don't think you''ll get any value out of bouncing messages. Spam just isn't reliably bouncable. And some spam that is bouncable ends up bouncing to an address that isn't the actual sender. But, for what you're trying to do, I'd probably do a delete,forward instead of bounce,delete. I'd forward the message to an alias which is a program, and that program would parse out the message finding out what spam catagories the message falls into (spam assassin+razor, which rbls, etc), and then takes action based upon those things in the SpamCheck header. From dcmwai at AMTB-M.ORG.MY Thu Mar 20 15:23:57 2003 
From: dcmwai at AMTB-M.ORG.MY (Chan Min Wai) Date: Thu Jan 12 21:17:32 2006 Subject: wat licence do you need? In-Reply-To: <1048112504.7974.9.camel@luggage> References: <1048112504.7974.9.camel@luggage> Message-ID: <3E79DD0D.1020407@amtb-m.org.my> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hello Matt, I would like to know the asnwer as well, I'm thinking of RAV USD 299 I've asked sophos, guess what is the price? :) USD 1500/year :D Man that is too much. I just don't know one thing, I think you need build RAV packages am I right? Thank You Matt Lowe wrote: |Hi |this question has probably been asked before, but i cant find a definite |answer on the site :( | | |If i am using mailscanner to scan incoming emails, what license do i |need? |I have been looking at RAV and SOPHOS, and (mainly RAV) a workstation |and a server version of there software which version do i need to |install to scan using mailscanner? |I use mailscanner on a single machine with direct DynDNS access and |receive all my emails directly to this machine in one location, and in a |couple of other locations i have a router box, acting as an internal |mail server for small networks. | |I know there is a lot of problems as in networked mail servers need |licenses for all attached users etc, but what about the single |workstation? and CAN the single workstation version work OK with a |networked mailscanner? | |I'm not asking anyone to tell me how/how not to break the law, its just |a general question. | |Any help would be great. |P.S. I have gone off the free virus scanners a bit after hearing CLAM |was down for a week :( plus some of my customers want to pay for AV as |they believe paying means more reliability (they don't mention that when |faced with the quotes for a Linux based server against a windoz based |server!!!) 
-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iEYEARECAAYFAj553Q0ACgkQV0p9slMZLW7G9ACfYPvs7mzzx+diED6ApvDLwB+E c0IAoJ1oVm0ER7W18A1kf+PpN30rq9Bg =nGbh -----END PGP SIGNATURE----- From jrudd at UCSC.EDU Thu Mar 20 15:43:41 2003 From: jrudd at UCSC.EDU (John Rudd) Date: Thu Jan 12 21:17:32 2006 Subject: Rulesets Message-ID: <200303201543.h2KFhfx20263@kzin.ucsc.edu> > From: John Rudd > > For one, I don't think you''ll get any value out of bouncing messages. > Spam just isn't reliably bouncable. And some spam that is bouncable > ends up bouncing to an address that isn't the actual sender. I still think this is true, but ... > But, for what you're trying to do, I'd probably do a delete,forward instead > of bounce,delete. I'd forward the message to an alias which is a program, > and that program would parse out the message finding out what spam catagories > the message falls into (spam assassin+razor, which rbls, etc), and then takes > action based upon those things in the SpamCheck header. Julian's answer on this side is probably better than mine :-} From brian at UNEARTHED.ORG Thu Mar 20 16:07:21 2003 
From: brian at UNEARTHED.ORG (Brian May) Date: Thu Jan 12 21:17:32 2006 Subject: wat licence do you need? In-Reply-To: <3E79DD0D.1020407@amtb-m.org.my> Message-ID: <08038137-5AEE-11D7-8DDA-000A9579E1DA@unearthed.org> F-Secure is $80 USD a year.. and I've been running it for months with no problems.. Brian On Thursday, March 20, 2003, at 07:23 AM, Chan Min Wai wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Hello Matt, > > I would like to know the asnwer as well, I'm thinking of RAV USD 299 > I've asked sophos, guess what is the price? :) USD 1500/year :D > > Man that is too much. > > I just don't know one thing, I think you need build RAV packages am I > right? > > Thank You > > Matt Lowe wrote: > > |Hi > |this question has probably been asked before, but i cant find a > definite > |answer on the site :( > | > | > |If i am using mailscanner to scan incoming emails, what license do i > |need? > |I have been looking at RAV and SOPHOS, and (mainly RAV) a workstation > |and a server version of there software which version do i need to > |install to scan using mailscanner? > |I use mailscanner on a single machine with direct DynDNS access and > |receive all my emails directly to this machine in one location, and > in a > |couple of other locations i have a router box, acting as an internal > |mail server for small networks. > | > |I know there is a lot of problems as in networked mail servers need > |licenses for all attached users etc, but what about the single > |workstation? and CAN the single workstation version work OK with a > |networked mailscanner? > | > |I'm not asking anyone to tell me how/how not to break the law, its > just > |a general question. > | > |Any help would be great. > |P.S. 
I have gone off the free virus scanners a bit after hearing CLAM > |was down for a week :( plus some of my customers want to pay for AV as > |they believe paying means more reliability (they don't mention that > when > |faced with the quotes for a Linux based server against a windoz based > |server!!!) > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.0.6 (MingW32) > Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org > > iEYEARECAAYFAj553Q0ACgkQV0p9slMZLW7G9ACfYPvs7mzzx+diED6ApvDLwB+E > c0IAoJ1oVm0ER7W18A1kf+PpN30rq9Bg > =nGbh > -----END PGP SIGNATURE----- From nospam at WCC.NET Thu Mar 20 18:27:52 2003 From: nospam at WCC.NET (Kip Turk) Date: Thu Jan 12 21:17:32 2006 Subject: /var/spool/mqueue not flushing Message-ID: For some reason, Sendmail isn't being invoked to flush messages in /var/spool/mqueue after scanning. The path for it is correct in MailScanner.conf and it reads like MailScanner is responsible for triggering Sendmail to flush this queue. # Set whether to use sendmail or exim MTA = sendmail # Set how to invoke MTA when sending messages MailScanner has created # (e.g. to sender/recipient saying "found a virus in your message") # This can also be the filename of a ruleset. Sendmail = /usr/sbin/sendmail I've also changed the QUEUETIME in /etc/rc.d/init.d/MailScanner to 1m, but that isn't helping either. So far, I've set up a cronjob to handle it, but I can't see this as the normal course of action. What am I missing? I use MailScanner-4.13-3 and Sendmail 8.12.8. Thanks, -- Kip Turk, RHCE spamdies@wcc.net Systems Administrator/Killer of Spam/Writer of Code/Penguin Proponent West Central Net - tel: 915.234.5678 / 800.695.9016 fax: 915.656.0071 -.-. --- -.. . / -- --- -. -.- . -.-- --..-- / .... .- -.-. -.- . .-. From mailscanner at ecs.soton.ac.uk Thu Mar 20 18:54:15 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:32 2006 Subject: /var/spool/mqueue not flushing In-Reply-To: Message-ID: <5.2.0.9.2.20030320185346.026b39b8@imap.ecs.soton.ac.uk> At 18:27 20/03/2003, you wrote: >For some reason, Sendmail isn't being invoked to flush messages in >/var/spool/mqueue after scanning. The path for it is correct in >MailScanner.conf and it reads like MailScanner is responsible for >triggering Sendmail to flush this queue. The setting for this is "Sendmail2". Is that correct? ># Set whether to use sendmail or exim >MTA = sendmail > ># Set how to invoke MTA when sending messages MailScanner has created ># (e.g. to sender/recipient saying "found a virus in your message") ># This can also be the filename of a ruleset. >Sendmail = /usr/sbin/sendmail > > >I've also changed the QUEUETIME in /etc/rc.d/init.d/MailScanner to 1m, >but that isn't helping either. > >So far, I've set up a cronjob to handle it, but I can't see this as the >normal course of action. What am I missing? I use MailScanner-4.13-3 >and Sendmail 8.12.8. > >Thanks, >-- >Kip Turk, RHCE spamdies@wcc.net >Systems Administrator/Killer of Spam/Writer of Code/Penguin Proponent >West Central Net - tel: 915.234.5678 / 800.695.9016 fax: 915.656.0071 >-.-. --- -.. . / -- --- -. -.- . -.-- --..-- / .... .- -.-. -.- . .-. -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support From nospam at WCC.NET Thu Mar 20 19:14:03 2003 
From: nospam at WCC.NET (Kip Turk)
Date: Thu Jan 12 21:17:32 2006
Subject: /var/spool/mqueue not flushing
In-Reply-To: <5.2.0.9.2.20030320185346.026b39b8@imap.ecs.soton.ac.uk>
Message-ID:

On Thu, 20 Mar 2003, Julian Field wrote:
> At 18:27 20/03/2003, you wrote:
> >For some reason, Sendmail isn't being invoked to flush messages in
> >/var/spool/mqueue after scanning. The path for it is correct in
> >MailScanner.conf and it reads like MailScanner is responsible for
> >triggering Sendmail to flush this queue.
>
> The setting for this is "Sendmail2". Is that correct?

It also points to the sendmail binary.

# Sendmail2 is provided for Exim users.
# It is the command used to attempt delivery of outgoing cleaned/disinfected
# messages.
# This is not usually required for sendmail.
# This can also be the filename of a ruleset.
#For Exim users: Sendmail2 = /usr/sbin/exim -C /etc/exim/exim_send.conf
#For sendmail users: Sendmail2 = /usr/sbin/sendmail
Sendmail2 = /usr/sbin/sendmail
#Sendmail2 = /usr/sbin/sendmail -C /etc/exim/exim_send.conf


[root@ns2 /etc/MailScanner]# which sendmail
/usr/sbin/sendmail
[root@ns2 /etc/MailScanner]# ls -alh $(which sendmail)
-r-xr-sr-x 1 root smmsp 556k Mar 4 11:46 /usr/sbin/sendmail

--
Kip Turk, RHCE spamdies@wcc.net
Systems Administrator/Killer of Spam/Writer of Code/Penguin Proponent
West Central Net - tel: 915.234.5678 / 800.695.9016 fax: 915.656.0071
-.-. --- -.. . / -- --- -. -.- . -.-- --..-- / .... .- -.-. -.- . .-.

From campbell at CNPAPERS.COM Thu Mar 20 19:36:45 2003
From: campbell at CNPAPERS.COM (Stephe Campbell)
Date: Thu Jan 12 21:17:32 2006
Subject: CC question
Message-ID: <005001c2ef18$0a615640$9c01a8c0@cnpapers.net>

To any that may know

Man, am I getting hit hard by someone with an email that includes CC (carbon copy). I'm not sure how they are doing this, but the original header usually has a blank from field, and is being sent to an expired address (no longer valid). I can block the primary non-CC mail recipient with MS and SA ( I think ), but what happens to the email going to the CC recipients? If I delete the email based on a blacklisted "To" non CC address, will this also kill the CC email also? The returned mail messages are around 500 a day and a bother to others, I'm sure!

Thanks

Steve Campbell
campbell@cnpapers.com

From E.H.Beekman at AMC.UVA.NL Thu Mar 20 19:41:10 2003
From: E.H.Beekman at AMC.UVA.NL (Ewald Beekman) Date: Thu Jan 12 21:17:32 2006 Subject: format not supported? Message-ID: <20030320194110.GI7408@elmo.amc.uva.nl> I noticed some rar archives could not be processed with the following error report: Report: Could not check ./h2IFZvpD027967/nbi.rar/NBI\Berkhout\hist.txt (format not supported) Could not check ./h2IFZvpD027967/nbi.rar/NBI\Berkhout\spot4.hr3.bmp (format not supported) Could not check ./h2IFZvpD027967/nbi.rar/NBI\Berkhout\spot4.nbi3.bmp (format not supported) etc. apparently MailScanner doesn't need an external unrar program, but when i downloaded one to test the archive myself i found that the 2.x version had a problem where the 3.1 version succeeded: [super@sukke h2H8QbvF028301]# unrar t aliens.rar UNRAR 3.10 freeware Copyright (c) 1993-2002 Eugene Roshal Testing archive aliens.rar Testing ALIENS.BMP OK All OK [super@sukke h2H8QbvF028301]# unrar t aliens.rar UNRAR 2.71 freeware Copyright (c) 1993-2000 Eugene Roshal Testing archive aliens.rar Unknown method in ALIENS.BMP No files to extract Ewald... -- Ewald Beekman, Security Engineer, Academic Medical Center, dept. ADB/ICT Computer & Network Services, The Netherlands ## Your mind-mint is: No discipline is ever requisite to force attendance upon lectures which are really worth the attending. -- Adam Smith, "The Wealth of Nations" From mailscanner at ecs.soton.ac.uk Thu Mar 20 19:35:24 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:32 2006 Subject: /var/spool/mqueue not flushing In-Reply-To: References: <5.2.0.9.2.20030320185346.026b39b8@imap.ecs.soton.ac.uk> Message-ID: <5.2.0.9.2.20030320193406.022edeb0@imap.ecs.soton.ac.uk> In that case, do you have "Delivery Method = batch" ? It's very hard to diagnose problems of this sort remotely (without access), there are all sorts of things that could be wrong, causing problems like this :( At 19:14 20/03/2003, you wrote: >On Thu, 20 Mar 2003, Julian Field wrote: > > At 18:27 20/03/2003, you wrote: > > >For some reason, Sendmail isn't being invoked to flush messages in > > >/var/spool/mqueue after scanning. The path for it is correct in > > >MailScanner.conf and it reads like MailScanner is responsible for > > >triggering Sendmail to flush this queue. > > > > The setting for this is "Sendmail2". Is that correct? > >It also points to the sendmail binary. > ># Sendmail2 is provided for Exim users. ># It is the command used to attempt delivery of outgoing cleaned/disinfected ># messages. ># This is not usually required for sendmail. ># This can also be the filename of a ruleset. >#For Exim users: Sendmail2 = /usr/sbin/exim -C /etc/exim/exim_send.conf >#For sendmail users: Sendmail2 = /usr/sbin/sendmail >Sendmail2 = /usr/sbin/sendmail >#Sendmail2 = /usr/sbin/sendmail -C /etc/exim/exim_send.conf > > >[root@ns2 /etc/MailScanner]# which sendmail >/usr/sbin/sendmail >[root@ns2 /etc/MailScanner]# ls -alh $(which sendmail) >-r-xr-sr-x 1 root smmsp 556k Mar 4 11:46 /usr/sbin/sendmail > >-- >Kip Turk, RHCE spamdies@wcc.net >Systems Administrator/Killer of Spam/Writer of Code/Penguin Proponent >West Central Net - tel: 915.234.5678 / 800.695.9016 fax: 915.656.0071 >-.-. --- -.. . / -- --- -. -.- . -.-- --..-- / .... .- -.-. -.- . .-. 
-- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support From E.H.Beekman at AMC.UVA.NL Thu Mar 20 19:33:12 2003 
From: E.H.Beekman at AMC.UVA.NL (Ewald Beekman) Date: Thu Jan 12 21:17:32 2006 Subject: Infinite Monkeys and spamassassin In-Reply-To: <002801c2ed9d$07470b20$8801020a@brianmay> References: <002801c2ed9d$07470b20$8801020a@brianmay> Message-ID: <20030320193312.GH7408@elmo.amc.uva.nl> Thanks everybody for the help so far, My systems didn't have Net::DNS so that was a good tip; Julian, perhaps you could add that to your webpage "MailScanner Installation Guide -- SpamAssassin" ? i added the monkey rules to /etc/mail/spamassassin/local.cf so it now looks like: dns_available yes header RCVD_IN_INFINITE_MONKEYS rbleval:check_rbl('relay', 'proxies.relays.monkeys.com.') describe RCVD_IN_INFINITE_MONKEYS Received via a relay in proxies.relays.monkeys.com tflags RCVD_IN_INFINITE_MONKEYS net score RCVD_IN_INFINITE_MONKEYS 5.00 The strange thing is that in some mails i now see it flagged by SpamAssassin: Mar 20 19:59:41 sukke MailScanner[3982]: Message h2KIxZr1005344 from 212.85.0.129 (brian_salserj88@hotmail.com) to amc.uva.nl is spam, ORDB-RBL, SpamAssassin (score=23.7, vereist 5, ALL_CAP_PORN, CLICK_BELOW, DATE_IN_FUTURE_06_12, EXCUSE_3, FAKED_UNDISC_RECIPS, FORGED_HOTMAIL_RCVD, FROM_ENDS_IN_NUMS, INVALID_DATE_TZ_ABSURD, ONLY_COST, RCVD_IN_DSBL, RCVD_IN_INFINITE_MONKEYS, REMOVE_PAGE, SPAM_PHRASE_08_13, SUPERLONG_LINE, SUPPLIES_LIMITED, TO_HAS_SPACES, TO_MALFORMED) But other mails MailScanner finds it in the Infinite-Monkeys, but SpamAssassin doesn't Mar 20 20:09:38 sukke MailScanner[3982]: Message h2KJ9Rqu006131 from 200.170.149.193 (eonsexxynnickab@aol.com) to amc.uva.nl is spam, Infinite-Monkeys, SpamAssassin (score=13.1, vereist 5, BIG_FONT, CLICK_BELOW, CLICK_BELOW_CAPS, COMPLETELY_FREE, CTYPE_JUST_HTML, FORGED_AOL_RCVD, FREE_ACCESS, HOT_NASTY, HTML_50_70, HTML_COMMENT_UNIQUE_ID, HTML_FONT_COLOR_MAGENTA, MSG_ID_ADDED_BY_MTA_2, OPT_IN, PORN_4, REMOVE_PAGE, SPAM_PHRASE_05_08, TRACKER_ID) Ewald... 
On Tue, Mar 18, 2003 at 02:17:08PM -0800, Brian May wrote: > /etc/mail/spamassassin/local.cf > > everything in /usr/share/spamassassin/ get over written during upgrades... > local.cf is never touched. > > > ----- Original Message ----- > From: "Desai, Jason" > To: > Sent: Tuesday, March 18, 2003 5:50 AM > Subject: Re: Infinite Monkeys and spamassassin > > > Is this the typical way of adding new tests to spamassassin? Would it make > more sense to put these lines in MailScanner's spam.assassin.prefs.conf? Or > is there some limitation with this specific test that it has to go in > 20_head_tests.cf? > > The advantage of putting it in spam.assassin.prefs.conf is that when you > upgrade spamassassin, you don't need to remember to update the > 20_head_test.cf file. The advantage of putting it in the 20_head_test.cf > file would be that other applications that use spamassassin can use the same > rule. > > So where do people normally put new spamassassin rules? > > Jason > > > -----Original Message----- 
> > From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] > > Sent: Tuesday, March 18, 2003 4:56 AM > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: Re: [MAILSCANNER] Infinite Monkeys and spamassassin > > > > > > Take a look at /usr/share/spamassassin/20_head_tests.cf. You > > need to create > > a new rule something along these lines: > > > > header RCVD_IN_INFINITE_MONKEYS rbleval:check_rbl('relay', > > 'proxies.relays.monkeys.com.') > > describe RCVD_IN_INFINITE_MONKEYS Received via a relay in > > proxies.relays.monkeys.com > > tflags RCVD_IN_INFINITE_MONKEYS net > > > > score RCVD_IN_INFINITE_MONKEYS 5.00 > > > > This will have to go in the SpamAssassin configuration file > > (other people > > on the list will be able to give you an exact location). > > > > At 09:25 18/03/2003, you wrote: > > >Spam which slips through (score less than 5) is often > > identified by the > > >Infinite-Monkeys RBL. Because i wanted this to add to the > > score i told > > >spamassassin to also do RBL checks (skip_rbl_checks 0), but > > apparently > > >spamassassin doesn'r use the Infinite-Monkeys list because > > the score stays > > >low? > > > > > > X-AMC-SpamCheck: spam, Infinite-Monkeys, SpamAssassin > > (score=3.3, vereist 5, > > > BIG_FONT, HTML_50_70, HTML_WITH_BGCOLOR, > > MIME_HTML_NO_CHARSET, > > > MISSING_MIMEOLE, SPAM_PHRASE_00_01, USER_AGENT_OE, WEB_BUGS) > > > X-AMC-SpamScore: sss > > > > -- > > Julian Field > > www.MailScanner.info > > MailScanner thanks transtec Computers for their support > > -- Ewald Beekman, Security Engineer, Academic Medical Center, dept. ADB/ICT Computer & Network Services, The Netherlands ## Your mind-mint is: Does the name Pavlov ring a bell? From Denis.Beauchemin at USHERBROOKE.CA Thu Mar 20 19:57:48 2003 
From: Denis.Beauchemin at USHERBROOKE.CA (Denis Beauchemin) Date: Thu Jan 12 21:17:32 2006 Subject: format not supported? In-Reply-To: <20030320194110.GI7408@elmo.amc.uva.nl> References: <20030320194110.GI7408@elmo.amc.uva.nl> Message-ID: <1048190268.5096.21.camel@dbeauchemin.si.usherbrooke.ca> Ewald, MS doesn't have to process archives by itself because it is your virus scanner that does the job. Look into your virus scanner for this kind of problem. Denis On Thu 20/03/2003 at 14:41, Ewald Beekman wrote: > I noticed some rar archives could not be processed with the following > error report: > > Report: Could not check ./h2IFZvpD027967/nbi.rar/NBI\Berkhout\hist.txt (format not supported) > Could not check ./h2IFZvpD027967/nbi.rar/NBI\Berkhout\spot4.hr3.bmp (format not supported) > Could not check ./h2IFZvpD027967/nbi.rar/NBI\Berkhout\spot4.nbi3.bmp (format not supported) > etc. > > apparently MailScanner doesn't need an external unrar program, but when > i downloaded one to test the archive myself i found that the > 2.x version had a problem where the 3.1 version succeeded: > > [super@sukke h2H8QbvF028301]# unrar t aliens.rar > UNRAR 3.10 freeware Copyright (c) 1993-2002 Eugene Roshal > > Testing archive aliens.rar > > Testing ALIENS.BMP OK > All OK > > [super@sukke h2H8QbvF028301]# unrar t aliens.rar > UNRAR 2.71 freeware Copyright (c) 1993-2000 Eugene Roshal > > > Testing archive aliens.rar > > Unknown method in ALIENS.BMP > No files to extract > > Ewald... > > -- > Ewald Beekman, Security Engineer, Academic Medical Center, > dept. ADB/ICT Computer & Network Services, The Netherlands > ## Your mind-mint is: > No discipline is ever requisite to force attendance upon lectures which are > really worth the attending. > -- Adam Smith, "The Wealth of Nations" -- Denis Beauchemin, analyst Université de Sherbrooke, S.T.I. T: 819.821.8000x2252 F: 819.821.8045 From mailscanner at ecs.soton.ac.uk Thu Mar 20 19:54:55 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:32 2006 Subject: CC question In-Reply-To: <005001c2ef18$0a615640$9c01a8c0@cnpapers.net> Message-ID: <5.2.0.9.2.20030320195236.0237f828@imap.ecs.soton.ac.uk> At 19:36 20/03/2003, you wrote: >To any that may know > >Man, am I getting hit hard by someone with an email that includes CC >(carbon copy). I'm not sure how they are doing this, but the original >header usually has a blank from field, and is being sent to an expired >address (no longer valid). > >I can block the primary non-CC mail recipient with MS and SA ( I think ), >but what happens to the email going to the CC recipients? If I delete the >email based on a blacklisted "To" non CC address, will this also kill the >CC email also? The returned mail messages are around 500 a day and a >bother to others, I'm sure! MailScanner works solely on the message's real recipients (in the envelope), regardless of what may happen to be in the headers. The headers are not used to determine the delivery addresses, they are purely for user consumption. The "To:" and "Cc:" headers are irrelevant to MailScanner, as they are to the delivery process. If you want to block them, you need to see the real recipient addresses in your mail log. -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Thu Mar 20 19:52:04 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:32 2006 Subject: format not supported? In-Reply-To: <20030320194110.GI7408@elmo.amc.uva.nl> Message-ID: <5.2.0.9.2.20030320195056.02198670@imap.ecs.soton.ac.uk> You are using Sophos, which currently does not support RAR version 3. I believe they are intending to add support for it in a future release. You can choose whether to allow these archives through using the "Allowed Sophos Error Messages" option. At 19:41 20/03/2003, you wrote: >I noticed some rar archives could not be processed with the following >error report: > > Report: Could not check > ./h2IFZvpD027967/nbi.rar/NBI\Berkhout\hist.txt (format not supported) >Could not check ./h2IFZvpD027967/nbi.rar/NBI\Berkhout\spot4.hr3.bmp >(format not supported) >Could not check ./h2IFZvpD027967/nbi.rar/NBI\Berkhout\spot4.nbi3.bmp >(format not supported) >etc. > >apparently MailScanner doesn't need an external unrar program, but when >i downloaded one to test the archive myself i found that the >2.x version had a problem where the 3.1 version succeeded: > >[super@sukke h2H8QbvF028301]# unrar t aliens.rar >UNRAR 3.10 freeware Copyright (c) 1993-2002 Eugene Roshal > >Testing archive aliens.rar > >Testing ALIENS.BMP OK >All OK > >[super@sukke h2H8QbvF028301]# unrar t aliens.rar >UNRAR 2.71 freeware Copyright (c) 1993-2000 Eugene Roshal > > >Testing archive aliens.rar > >Unknown method in ALIENS.BMP >No files to extract > >Ewald... > >-- >Ewald Beekman, Security Engineer, Academic Medical Center, >dept. ADB/ICT Computer & Network Services, The Netherlands >## Your mind-mint is: >No discipline is ever requisite to force attendance upon lectures which are >really worth the attending. > -- Adam Smith, "The Wealth of Nations" -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Thu Mar 20 19:59:32 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:32 2006 Subject: Infinite Monkeys and spamassassin In-Reply-To: <20030320193312.GH7408@elmo.amc.uva.nl> References: <002801c2ed9d$07470b20$8801020a@brianmay> <002801c2ed9d$07470b20$8801020a@brianmay> Message-ID: <5.2.0.9.2.20030320195914.021cabc8@imap.ecs.soton.ac.uk> At 19:33 20/03/2003, you wrote: >My systems didn't have Net::DNS so that was a good tip; >Julian, perhaps you could add that to your webpage >"MailScanner Installation Guide -- SpamAssassin" ? Added. -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support From nospam at WCC.NET Thu Mar 20 20:13:30 2003 From: nospam at WCC.NET (Kip Turk) Date: Thu Jan 12 21:17:32 2006 Subject: /var/spool/mqueue not flushing In-Reply-To: <5.2.0.9.2.20030320193406.022edeb0@imap.ecs.soton.ac.uk> Message-ID: On Thu, 20 Mar 2003, Julian Field wrote: > In that case, do you have "Delivery Method = batch" ? > It's very hard to diagnose problems of this sort remotely (without access), > there are all sorts of things that could be wrong, causing problems like > this :( Ah. It helps once I read thru the list archives to get a better explanation of the delivery methods. Reading the info in the config, I went with 'queue' originally as it sounded more suited to my environment. Not having a runner around to flush that queue, Sendmail obviously didn't have a clue it needed to do anything. Problem solved. Thanks again, -- Kip Turk, RHCE spamdies@wcc.net Systems Administrator/Killer of Spam/Writer of Code/Penguin Proponent West Central Net - tel: 915.234.5678 / 800.695.9016 fax: 915.656.0071 -.-. --- -.. . / -- --- -. -.- . -.-- --..-- / .... .- -.-. -.- . .-. From campbell at CNPAPERS.COM Thu Mar 20 20:37:23 2003 
From: campbell at CNPAPERS.COM (Stephe Campbell) Date: Thu Jan 12 21:17:32 2006 Subject: CC question References: <5.2.0.9.2.20030320195236.0237f828@imap.ecs.soton.ac.uk> Message-ID: <002601c2ef20$8370e0c0$9c01a8c0@cnpapers.net> Mr. Field, How do I determine the envelope of the email? If I look at the message source, with all the headers and everything, what part of that is the envelope? Anyway, if I can delete the original message using MS & SA, does that prevent the CC recipients from being sent also? Where in the process of all of this do the CC recipients get their email from? Somehow, with what appears to be no "From" in the original message, the return-path is being set to the original recipient, which makes all of the CC bounces come back here, as though they were sent from the original recipient. Steve Campbell campbell@cnpapers.com ----- Original Message ----- 
From: "Julian Field" To: Sent: Thursday, March 20, 2003 2:54 PM Subject: Re: CC question > At 19:36 20/03/2003, you wrote: > >To any that may know > > > >Man, am I getting hit hard by someone with an email that includes CC > >(carbon copy). I'm not sure how they are doing this, but the original > >header usually has a blank from field, and is being sent to an expired > >address (no longer valid). > > > >I can block the primary non-CC mail recipient with MS and SA ( I think ), > >but what happens to the email going to the CC recipients? If I delete the > >email based on a blacklisted "To" non CC address, will this also kill the > >CC email also? The returned mail messages are around 500 a day and a > >bother to others, I'm sure! > > MailScanner works solely on the message's real recipients (in the > envelope), regardless of what may happen to be in the headers. The headers > are not used to determine the delivery addresses, they are purely for user > consumption. The "To:" and "Cc:" headers are irrelevant to MailScanner, as > they are to the delivery process. > > If you want to block them, you need to see the real recipient addresses in > your mail log. > -- > Julian Field > www.MailScanner.info > Professional Support Services at www.MailScanner.biz > MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Thu Mar 20 20:54:58 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:32 2006 Subject: CC question In-Reply-To: <002601c2ef20$8370e0c0$9c01a8c0@cnpapers.net> References: <5.2.0.9.2.20030320195236.0237f828@imap.ecs.soton.ac.uk> Message-ID: <5.2.0.9.2.20030320205021.02197b78@imap.ecs.soton.ac.uk> At 20:37 20/03/2003, you wrote: >How do I determine the envelope of the email? If I look at the message >source, with all the headers and everything, what part of that is the >envelope? It's not in the message. The sender and recipients will be in your mail log. >Anyway, if I can delete the original message using MS & SA, does that >prevent the CC recipients from being sent also? Where in the process of all >of this do the CC recipients get their email from? In the normal course of events, the recipients are the "To:" addresses + the "Cc:" addresses + the "Bcc:" addresses. The "To:" and "Cc:" addresses are put in the corresponding headers. Sounds like they are putting an address listed in the recipients in the sender address. Read the RFC on SMTP and RFC822 for more information. > Somehow, with what >appears to be no "From" in the original message, the return-path is being >set to the original recipient, which makes all of the CC bounces come back >here, as though they were sent from the original recipient. > >Steve Campbell >campbell@cnpapers.com > > >----- Original Message ----- 
>From: "Julian Field" >To: >Sent: Thursday, March 20, 2003 2:54 PM >Subject: Re: CC question > > > > At 19:36 20/03/2003, you wrote: > > >To any that may know > > > > > >Man, am I getting hit hard by someone with an email that includes CC > > >(carbon copy). I'm not sure how they are doing this, but the original > > >header usually has a blank from field, and is being sent to an expired > > >address (no longer valid). > > > > > >I can block the primary non-CC mail recipient with MS and SA ( I think ), > > >but what happens to the email going to the CC recipients? If I delete the > > >email based on a blacklisted "To" non CC address, will this also kill the > > >CC email also? The returned mail messages are around 500 a day and a > > >bother to others, I'm sure! > > > > MailScanner works solely on the message's real recipients (in the > > envelope), regardless of what may happen to be in the headers. The headers > > are not used to determine the delivery addresses, they are purely for user > > consumption. The "To:" and "Cc:" headers are irrelevant to MailScanner, as > > they are to the delivery process. > > > > If you want to block them, you need to see the real recipient addresses in > > your mail log. > > -- > > Julian Field > > www.MailScanner.info > > Professional Support Services at www.MailScanner.biz > > MailScanner thanks transtec Computers for their support -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support From mkettler at EVI-INC.COM Thu Mar 20 21:01:14 2003 
From: mkettler at EVI-INC.COM (Matt Kettler) Date: Thu Jan 12 21:17:32 2006 Subject: Fwd: [SAdev] SpamAssassin 2.51 released Message-ID: <5.2.0.9.0.20030320155826.015f8d28@xanadu.evi-inc.com> Just in off the spamassassin-devel list, 2.51 was released. The PerMsgStatus.pm bugfix was accepted to be rolled into this release, so that bug should no longer be an issue for MailScanner users. Of course, I've not tried it yet, so proceed with caution. >To: SpamAssassin-announce@lists.sourceforge.net, > SpamAssassin-talk@lists.sourceforge.net, > SpamAssassin-devel@lists.sourceforge.net >From: jm@jmason.org (Justin Mason) >X-Original-Date: Thu, 20 Mar 2003 12:46:20 -0800 >Date: Thu, 20 Mar 2003 12:46:20 -0800 > >Download at: > > http://spamassassin.org/downloads.html > >If you're running 2.50, this release is strongly recommended, since 2.50 >cannot expire Bayes tokens from its databases. It's also no longer a >beta release. > >Changes: > > - Bayes locking and concurrency issues fixed > - Bayes expiration was not working; fixed > - spamd was not enabling Bayes after auto-learning without restart; > fixed > - safer way to attach spams, for broken mail clients, using 'report_safe > 2' > - a few doco cleanups > >--j. From campbell at CNPAPERS.COM Thu Mar 20 21:15:35 2003 
From: campbell at CNPAPERS.COM (Stephe Campbell) Date: Thu Jan 12 21:17:32 2006 Subject: CC question References: <5.2.0.9.2.20030320195236.0237f828@imap.ecs.soton.ac.uk> <5.2.0.9.2.20030320205021.02197b78@imap.ecs.soton.ac.uk> Message-ID: <005c01c2ef25$d90c8520$9c01a8c0@cnpapers.net> Ok, I'll look at the RFC. Thanks. I still don't understand, though, what's going on. The mail log indicates the original "From" as being from "<>". The bounced message comes back from one of the CC recipients with the original "To" recipient in the "From" field, and our mail log never references the CC "To" anywhere, as though we aren't sending it at all. To make all of that simpler, the maillog indicates: Mar 20 15:52:16 kanawha sendmail[21040]: h2KKqGM21040: from=<>, size=5333, class=0, nrcpts=1, msgid=, proto=SMTP, daemon=Daemon0, relay=mailgw.cnpapers.net [208.247.228.18] Mar 20 15:52:16 kanawha sendmail[21040]: h2KKqGM21040: to=, delay=00:00:00, mailer=virtual, pri=35333, stat=queued The bounced message has xxxxxxxx@yyyyyyy.com as the returned-path and one of the CC recipients as the "to". Does that sound like what may be going on? Is there anything common to set up in MS, SA, or sendmail to stop this? Sorry to be such a bother. Steve Campbell campbell@cnpapers.com ----- Original Message ----- 
From: "Julian Field" To: Sent: Thursday, March 20, 2003 3:54 PM Subject: Re: CC question > At 20:37 20/03/2003, you wrote: > >How do I determine the envelope of the email? If I look at the message > >source, with all the headers and everything, what part of that is the > >envelope? > > It's not in the message. The sender and recipients will be in your mail log. > > >Anyway, if I can delete the original message using MS & SA, does that > >prevent the CC recipients from being sent also? Where in the process of all > >of this do the CC recipients get their email from? > > In the normal course of events, the recipients are the "To:" addresses + > the "Cc:" addresses + the "Bcc:" addresses. The "To:" and "Cc:" addresses > are put in the corresponding headers. Sounds like they are putting an > address listed in the recipients in the sender address. > > Read the RFC on SMTP and RFC822 for more information. > > > Somehow, with what > >appears to be no "From" in the original message, the return-path is being > >set to the original recipient, which makes all of the CC bounces come back > >here, as though they were sent from the original recipient. > > > >Steve Campbell > >campbell@cnpapers.com > > > > > >----- Original Message ----- 
> >From: "Julian Field" > >To: > >Sent: Thursday, March 20, 2003 2:54 PM > >Subject: Re: CC question > > > > > > > At 19:36 20/03/2003, you wrote: > > > >To any that may know > > > > > > > >Man, am I getting hit hard by someone with an email that includes CC > > > >(carbon copy). I'm not sure how they are doing this, but the original > > > >header usually has a blank from field, and is being sent to an expired > > > >address (no longer valid). > > > > > > > >I can block the primary non-CC mail recipient with MS and SA ( I think ), > > > >but what happens to the email going to the CC recipients? If I delete the > > > >email based on a blacklisted "To" non CC address, will this also kill the > > > >CC email also? The returned mail messages are around 500 a day and a > > > >bother to others, I'm sure! > > > > > > MailScanner works solely on the message's real recipients (in the > > > envelope), regardless of what may happen to be in the headers. The headers > > > are not used to determine the delivery addresses, they are purely for user > > > consumption. The "To:" and "Cc:" headers are irrelevant to MailScanner, as > > > they are to the delivery process. > > > > > > If you want to block them, you need to see the real recipient addresses in > > > your mail log. > > > -- > > > Julian Field > > > www.MailScanner.info > > > Professional Support Services at www.MailScanner.biz > > > MailScanner thanks transtec Computers for their support > > -- > Julian Field > www.MailScanner.info > Professional Support Services at www.MailScanner.biz > MailScanner thanks transtec Computers for their support From brian at UNEARTHED.ORG Thu Mar 20 21:40:16 2003 
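The envelope-versus-header point made in this thread, as an added example that is not part of any post: a Python sketch that rebuilds each message's envelope from sendmail log lines (grouped by queue ID) and compares it with the To:/Cc: headers. The log lines, addresses and message below are constructed samples in the shape of the lines quoted above, and the function names are hypothetical.

```python
import re
from collections import defaultdict
from email import message_from_string
from email.utils import getaddresses

# Constructed sample: two messages as sendmail logs them (one "from=" line,
# then one or more "to=" lines sharing the same queue ID).
SAMPLE_LOG = """\
Mar 20 15:52:16 mailhost sendmail[21040]: h2KKqGM21040: from=<>, size=5333, class=0, nrcpts=1, msgid=<constructed.1@mx.example.net>, proto=SMTP, daemon=Daemon0, relay=mx.example.net [192.0.2.18]
Mar 20 15:52:16 mailhost sendmail[21040]: h2KKqGM21040: to=<olduser@example.com>, delay=00:00:00, mailer=virtual, pri=35333, stat=queued
Mar 20 15:53:02 mailhost sendmail[21055]: h2KKr2M21055: from=<alice@example.org>, size=1200, class=0, nrcpts=2, msgid=<constructed.2@example.org>, proto=ESMTP, daemon=Daemon0, relay=mail.example.org [198.51.100.7]
Mar 20 15:53:02 mailhost sendmail[21055]: h2KKr2M21055: to=<bob@example.com>,<carol@example.com>, delay=00:00:00, mailer=virtual, pri=31200, stat=queued
"""

# Constructed sample: the headers of the first message as a user would see them.
SAMPLE_MESSAGE = """\
From:
To: olduser@example.com
Cc: third1@example.net, third2@example.net
Subject: constructed sample

body text
"""

# "<timestamp> <host> sendmail[pid]: <queue id>: <key=value, key=value, ...>"
LINE_RE = re.compile(r"^\w{3}\s+\d+\s+[\d:]+\s+\S+\s+sendmail\[\d+\]:\s+(\w+):\s+(.*)$")
# Fields are separated by ", " while addresses inside to= are separated by ","
# with no space, so a field ends only where ", key=" follows.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?:, (?=\w+=)|$)")


def parse_envelopes(log_text):
    """Return {queue_id: envelope} built from sendmail from=/to= log lines."""
    envelopes = defaultdict(
        lambda: {"sender": None, "recipients": [], "nrcpts": None, "relay": None}
    )
    for line in log_text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue  # not a sendmail delivery line
        queue_id, rest = match.groups()
        fields = dict(FIELD_RE.findall(rest))
        env = envelopes[queue_id]
        if "from" in fields:
            # "<>" is the null reverse-path used by bounces; it becomes "".
            env["sender"] = fields["from"].strip("<>")
            env["nrcpts"] = int(fields.get("nrcpts", 0))
            env["relay"] = fields.get("relay")
        if "to" in fields:
            env["recipients"] += [
                addr.strip("<>") for addr in fields["to"].split(",") if addr
            ]
    return dict(envelopes)


def is_bounce(envelope):
    """True when the envelope sender is the null reverse-path (from=<>)."""
    return envelope["sender"] == ""


def header_recipients(raw_message):
    """Addresses shown in the To: and Cc: headers (display only)."""
    msg = message_from_string(raw_message)
    pairs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    return {addr.lower() for _name, addr in pairs if addr}


def header_vs_envelope(envelope, raw_message):
    """Compare what the headers claim with what this server was asked to deliver."""
    shown = header_recipients(raw_message)
    actual = {addr.lower() for addr in envelope["recipients"]}
    return {
        "header_only": sorted(shown - actual),    # listed, but not delivered here
        "envelope_only": sorted(actual - shown),  # delivered, but not listed (Bcc-like)
    }


if __name__ == "__main__":
    for qid, env in parse_envelopes(SAMPLE_LOG).items():
        kind = "bounce (null sender)" if is_bounce(env) else "normal"
        print(qid, kind, env["recipients"], "via", env["relay"])
```

Any filtering decision keyed on recipients has to use the `recipients` list recovered from the log; addresses that appear only under `header_only` were never part of this server's delivery.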
From: brian at UNEARTHED.ORG (Brian May) Date: Thu Jan 12 21:17:32 2006 Subject: wat licence do you need? References: <3E79DD0D.1020407@amtb-m.org.my> <08038137-5AEE-11D7-8DDA-000A9579E1DA@unearthed.org> <20030320210242.GK13310@hoiho.nz.lemon-computing.com> Message-ID: <002c01c2ef2a$71174310$8801020a@brianmay> Specifically what am I looking for? The last match for 'F-Secure' was October 2002, and like I said.. I haven't seen a virus in months.. but I do see all of resulting emails that get blocked.. (what was wrong with it.. what virus.. etc..) ----- Original Message ----- From: "Nick Phillips" To: "Brian May" Sent: Thursday, March 20, 2003 1:02 PM Subject: Re: wat licence do you need? On Thu, Mar 20, 2003 at 08:07:21AM -0800, Brian May wrote: > F-Secure is $80 USD a year.. and I've been running it for months with > no problems.. Hmmm... search the archives for "F-Secure"... Cheers, Nick -- Nick Phillips -- nwp@lemon-computing.com Afternoon very favorable for romance. Try a single person for a change. From mailscanner at ecs.soton.ac.uk Thu Mar 20 22:03:13 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:32 2006 Subject: Fwd: [SAdev] SpamAssassin 2.51 released In-Reply-To: <5.2.0.9.0.20030320155826.015f8d28@xanadu.evi-inc.com> Message-ID: <5.2.0.9.2.20030320220031.025f11f0@imap.ecs.soton.ac.uk> At 21:01 20/03/2003, you wrote: >Just in off the spamassassin-devel list, 2.51 was released. > >The PerMsgStatus.pm bugfix was accepted to be rolled into this release, so >that bug should no longer be an issue for MailScanner users. The other bug, to do with untie-ing not always happening when it should, has also been fixed. I have it up and running on Solaris and all seems fine so far. >Of course, I've not tried it yet, so proceed with caution. > >>To: SpamAssassin-announce@lists.sourceforge.net, >> SpamAssassin-talk@lists.sourceforge.net, >> SpamAssassin-devel@lists.sourceforge.net 
>>From: jm@jmason.org (Justin Mason) >>X-Original-Date: Thu, 20 Mar 2003 12:46:20 -0800 >>Date: Thu, 20 Mar 2003 12:46:20 -0800 >> >>Download at: >> >> http://spamassassin.org/downloads.html >> >>If you're running 2.50, this release is strongly recommended, since 2.50 >>cannot expire Bayes tokens from its databases. It's also no longer a >>beta release. >> >>Changes: >> >> - Bayes locking and concurrency issues fixed >> - Bayes expiration was not working; fixed >> - spamd was not enabling Bayes after auto-learning without restart; >> fixed >> - safer way to attach spams, for broken mail clients, using 'report_safe >> 2' >> - a few doco cleanups >> >>--j. -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support From hden at KCBBS.GEN.NZ Thu Mar 20 23:22:36 2003 
From: hden at KCBBS.GEN.NZ (Hendrik den Hartog) Date: Thu Jan 12 21:17:32 2006 Subject: Perl Modules In-Reply-To: <5.2.0.9.2.20030320220031.025f11f0@imap.ecs.soton.ac.uk>; from mailscanner@ECS.SOTON.AC.UK on Thu, Mar 20, 2003 at 10:03:13PM +0000 References: <5.2.0.9.0.20030320155826.015f8d28@xanadu.evi-inc.com> <5.2.0.9.2.20030320220031.025f11f0@imap.ecs.soton.ac.uk> Message-ID: <20030321112236.A2829@mew.kcbbs.gen.nz> Hello I'm building a replacement Gateway Server Redhat 7.3 UPGRADED to 8.0 Trying to install MailScanner, getting an error 'perl-MIME-tools >= 5.411 is needed by mailscanner-4.14-5' But..I have installed MIME-tools both via CPAN and then [in desperation] via manual install?? However, the MS install still seems to think I haven't?? also, slightly related, I originally tried the method as per QuickInstall... rpmbuild --rebuild perl-IO-stringy-2.108-1.src.rpm but at the end of this process, got.. RPM build errors: Installed (but unpackaged) file(s) found: /usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi/auto/IO-stringy/.packlist /usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi/perllocal.pod Any/All help appreciated Cheers! Hendrik From dh at UPTIME.AT Thu Mar 20 23:12:46 2003 
From: dh at UPTIME.AT (David) Date: Thu Jan 12 21:17:32 2006 Subject: Mailscanner restarting every 5 minutes after spamassassin 2.51 upgrade Message-ID: <7639B07A-5B29-11D7-94B4-000393920D6C@uptime.at> -----BEGIN PGP SIGNED MESSAGE----- Hash: RIPEMD160 Hello all. Once more something funny. Still the same patched redhat system. I simply upgraded to 2.51 following Julian's recommendation. I touched NOTHING else and all of a sudden our Mailscanner restarts every 5 minutes. I am using the mailscanner-mrtg script, but I checked their settings and all seems fine. Ideas ? - -d - - we may race and we may run, but we can not undo what has been done. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (Darwin) iD8DBQE+ekryiW/Ta/pxHPQRA264AKClR/JlszmRpKe0dD7uTQrAuaGsjACfYY29 JdFOsVzGhSSe77s9jXneeD8= =Sbhs -----END PGP SIGNATURE----- From dh at UPTIME.AT Thu Mar 20 23:23:45 2003 From: dh at UPTIME.AT (David) Date: Thu Jan 12 21:17:32 2006 Subject: Mailscanner restarting every 5 minutes after spamassassin 2.51 upgrade In-Reply-To: <7639B07A-5B29-11D7-94B4-000393920D6C@uptime.at> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: RIPEMD160 On Friday, March 21, 2003, at 12:12, David wrote: Ignore me, it seems something screwed up and it temporarily merely started 4 instead of 5 Mailscanner processes and mailscanner-mrtg was set to 5 not seeing 5 it restarted mailscanner... - -d sorry sorry sorry - - "Imagination is more important than knowledge." - Albert Einstein -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (Darwin) iD8DBQE+ek2GiW/Ta/pxHPQRAykSAKDK6RYappRPuXjO0qXgS+7lcYiGlgCgocHj 2/5l7BZts/M9Ay2zrEWoqG0= =klxD -----END PGP SIGNATURE----- From jrudd at UCSC.EDU Fri Mar 21 00:00:39 2003 
From: jrudd at UCSC.EDU (John Rudd) Date: Thu Jan 12 21:17:32 2006 Subject: Mailscanner + CommuniGate Pro Message-ID: <200303210000.h2L00dl25034@kzin.ucsc.edu> I'm ready to make a first release of my scripts for integrating MailScanner and CommuniGate Pro. I've put up a web page which gives instructions on how to make it all work together, has some notes on where I'd like this to go, and has links for where to get the scripts from. Some notes for any perl hackers out there: my code may look a little ugly to you, because I tend to avoid using default/assumed variables, like $_ in my perl code. I go out of my way to make use of named variables so that the code is (in my opinion) easier to read. Just an FYI in reading my code that "yes, I know I don't have to do that, I choose to on purpose". I look forward to feedback (good and bad) about this stuff. If you find bugs, please let me know. If you have suggestions about how to make certain parts work better/faster, I'd like to hear those too. The URL is: http://people.ucsc.edu/~jrudd/MailScanner/ Thanks, John Rudd From mkettler at EVI-INC.COM Fri Mar 21 02:33:10 2003 
From: mkettler at EVI-INC.COM (Matt Kettler)
Date: Thu Jan 12 21:17:32 2006
Subject: Fwd: [SAdev] SpamAssassin 2.51 released
In-Reply-To: <5.2.0.9.2.20030320220031.025f11f0@imap.ecs.soton.ac.uk>
References: <5.2.0.9.0.20030320155826.015f8d28@xanadu.evi-inc.com>
Message-ID: <5.2.0.9.0.20030320212939.01b62580@xanadu.evi-inc.com>

Well, it looks like 2.51 has major problems in some setups. Not sure if it affects MailScanner, but it is bayes related.

If you're getting "synch journal" problems, it's this bug:

http://www.hughes-family.org/bugzilla/show_bug.cgi?id=1664

Looks like we'll see 2.52 in the very near future :)

At 10:03 PM 3/20/2003 +0000, Julian wrote:
>The other bug, to do with untie-ing not always happening when it should,
>has also been fixed.
>I have it up and running on Solaris and all seems fine so far.

From smohan at VSNL.COM Fri Mar 21 05:02:38 2003
From: smohan at VSNL.COM (S Mohan)
Date: Thu Jan 12 21:17:32 2006
Subject: Attachment size
In-Reply-To: <200303201248.h2KCmwD25705@blackhole.harper-adams.ac.uk>
Message-ID: <000a01c2ef67$27119990$f86141db@18yamuna>

Default maximum size in sendmail per mail is 2MB. A declarative exists in sendmail.cf for Maxmessagesize. AFAIK, this restriction is applied only if either the recipient or sender are non-local. If sender and recipient are users on the same system, this does not apply.

Mohan

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Howard Robinson Sent: Thursday, March 20, 2003 6:23 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Attachment size Dear list members. All our mail goes to the mailscanner box and then after scanning is forwarded back to the relevant Novell server internally or to the outside world. Internally we have set Mercury on the novell server to 15mb. I know that some sites restrict incoming email attachment or 1 or 2 mb so large emails are rejected. However we have had complaints from some sites that large attachments, but below their limits, are not getting out to them nor can they send them to us. Internally we don't have a problem - I've just sent my self a 10mb attachment to check. Is there a setting in mailscanner or send mail that limits the size of an attachment. Does it/can it differentiate between on site and off site mail? Regards Howard Robinson (Senior Technical Development Officer) Harper Adams University College Edgmond Newport Shropshire TF10 8NB UK E-mail: hrobinson@harper-adams.ac.uk Tel. : +44(0)1952 820280 Via switchboard : +44(0)1952 815253 Direct line Fax. : +44(0)1952 814783 College Web site http://www.harper-adams.ac.uk From Jan-Peter.Koopmann at SECEIDOS.DE Fri Mar 21 08:11:54 2003 From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann) Date: Thu Jan 12 21:17:32 2006 Subject: Perl Modules Message-ID: <4E7026FF8A422749B1553FE508E0068007EFD5@message.intern.akctech.de> Hi, > 'perl-MIME-tools >= 5.411 is needed by mailscanner-4.14-5' > > But..I have installed MIME-tools both via CPAN and then [in > desperation] via manual install?? Yes but what version of perl-MIME-tools? From smohan at VSNL.COM Fri Mar 21 05:02:38 2003 
From: smohan at VSNL.COM (S Mohan)
Date: Thu Jan 12 21:17:32 2006
Subject: Attachment size further problem
In-Reply-To: <200303201446.h2KEkYY01753@blackhole.harper-adams.ac.uk>
Message-ID: <000601c2ef67$2306e6c0$f86141db@18yamuna>

Your virus engine is not called properly. Earlier posts exist on this. If you are using Sophos, sophos-wrapper is the one called by MailScanner. It has environment variable settings. I had the same problem. I edited sophos-wrapper and commented the environment variable settings. Sophos-wrapper worked fine from there on.

My logic was that sweep was getting executed perfectly from command line. Sophos-wrapper failed with the engine initialisation error. Thus, maybe due to changes in default installs etc, the environment variable settings were not needed and the dat files were where sweep expects them to be by default. After this I ran sophos-wrapper and it went thro' well.

Mohan

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Howard Robinson
Sent: Thursday, March 20, 2003 8:20 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Attachment size further problem

On 20 Mar 03, at 13:55, Julian Field wrote:

Thanks to those who replied to my email.
snipped first bits

> > or send mail that limits the size of
> >an attachment.
>
> Yes, there is a
> O MaxMessageSize=
> setting.

this was remmed out so I unremmed it in sendmail.cf
restarted mailscanner
after a few moments I got the following message

Error initialising detection engine - missing part of virus data

I checked the date, time and version for the ide and it's correct.
I re-remmed the size setting and restarted mailscanner. Still the same.
I did a manual download of the last signature just in case it had corrupted and restarted mailscanner. Still the same.
I emailed the list and got it thrown back - rejected by Listserv..
Shut down and restarted mailgateway, sent the test message and it's now fine.

Is there more to amending the sendmail.cf than meets the eye?

Regards
Howard Robinson (Senior Technical Development Officer)
Harper Adams University College
Edgmond
Newport
Shropshire
TF10 8NB
UK

E-mail: hrobinson@harper-adams.ac.uk
Tel. : +44(0)1952 820280 Via switchboard
     : +44(0)1952 815253 Direct line
Fax. : +44(0)1952 814783
College Web site http://www.harper-adams.ac.uk

From Kevin.Spicer at BMRB.CO.UK Fri Mar 21 09:09:18 2003
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin) Date: Thu Jan 12 21:17:32 2006 Subject: Perl Modules Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0A4AD5B@pascal.priv.bmrb.co.uk> > Trying to install MailScanner, getting an error > > 'perl-MIME-tools >= 5.411 is needed by mailscanner-4.14-5' > > But..I have installed MIME-tools both via CPAN and then [in > desperation] via manual install?? > but at the end of this process, got.. > RPM build errors: > Installed (but unpackaged) file(s) found: > > /usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi/auto/IO > -stringy/.packlist > > /usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi/perllocal.pod > In both cases I think you are getting errors because you have been installing 'unpackaged' files i.e. not rpms. CPAN is great but really shouldn't be used on rpm based systems for exactly this reason. Although you may have manually installed packages this won't necessarily satisfy the dependencies in the rpms you try to install later as they won't be recorded in the rpm database. If you are sure that you have installed the dependencies you could install using --nodeps. I think theres an option to the MailScanner install script to do this. You don't say whether the second error caused the rebuild to fail - you might like to check if the packages were built (in a subdirectory off /usr/src/redhat/RPMS) If so try installing them with --force . Really though the best answer is to track down rpms for anything you may have installed manually or from Cpan and install the rpms (at least then you can keep them up-to-date easily). BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. 
Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. From mailscanner at ecs.soton.ac.uk Fri Mar 21 09:03:14 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:32 2006 Subject: Perl Modules In-Reply-To: <20030321112236.A2829@mew.kcbbs.gen.nz> References: <5.2.0.9.2.20030320220031.025f11f0@imap.ecs.soton.ac.uk> <5.2.0.9.0.20030320155826.015f8d28@xanadu.evi-inc.com> <5.2.0.9.2.20030320220031.025f11f0@imap.ecs.soton.ac.uk> Message-ID: <5.2.0.9.2.20030321090008.03e1eaa0@imap.ecs.soton.ac.uk> At 23:22 20/03/2003, you wrote: >Hello > > I'm building a reolacement Gateway Server > > Redhat 7.3 UPGRADED to 8.0 > > Trying to install MailScanner, getting an error > > 'perl-MIME-tools >= 5.411 is needed by mailscanner-4.14-5' Beware with RedHat 7.3 to 8.0 upgrades. The new search path in perl doesn't include any of the perl 5.6.1 search directories. So you will have to re-install modules you are using. You might want to actually remove any old site_perl directories (/usr/lib/perl5/site_perl/5.6*) so they do not get in the way of your new installation. >But..I have installed MIME-tools both via CPAN and then [in >desperation] via manual install?? > >However, the MS install still seems to think I haven't?? > > >also, slightly related, I originally tried the method as per >QuickInstall... > >rpmbuild --rebuild perl-IO-stringy-2.108-1.src.rpm > >but at the end of this process, got.. > > > >RPM build errors: > Installed (but unpackaged) file(s) found: > >/usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi/auto/IO-stringy/.packlist > /usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi/perllocal.pod > > There is a catch for this in the install.sh script, use that and this problem won't arise. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From m.sapsed at BANGOR.AC.UK Fri Mar 21 10:38:41 2003 
From: m.sapsed at BANGOR.AC.UK (Martin Sapsed)
Date: Thu Jan 12 21:17:32 2006
Subject: format not supported?
References: <5.2.0.9.2.20030320195056.02198670@imap.ecs.soton.ac.uk>
Message-ID: <3E7AEBB1.8070705@bangor.ac.uk>

Hi Jules et al,

Julian Field wrote:
> You are using Sophos, which currently does not support RAR version 3. I
> believe they are intending to add support for it in a future release. You
> can choose whether to allow these archives through using the "Allowed
> Sophos Error Messages" option.

What structure is required for having multiple possibilities for this option? My first guess would be:

Allowed Sophos Error Messages = corrupt "format not supported"

Is that right?

I hope Sophos don't use adding RAR 3 support as an excuse for slowing sweep down again! ;-)

Cheers,

Martin

--
Martin Sapsed
Information Services                 "Who do you say I am?"
University of Wales, Bangor                Jesus of Nazareth

From mailscanner at ecs.soton.ac.uk Fri Mar 21 11:13:52 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:32 2006
Subject: format not supported?
In-Reply-To: <3E7AEBB1.8070705@bangor.ac.uk>
References: <5.2.0.9.2.20030320195056.02198670@imap.ecs.soton.ac.uk>
Message-ID: <5.2.0.9.2.20030321111241.04a296b8@imap.ecs.soton.ac.uk>

At 10:38 21/03/2003, you wrote:
>Hi Jules et al,
>
>Julian Field wrote:
>>You are using Sophos, which currently does not support RAR version 3. I
>>believe they are intending to add support for it in a future release. You
>>can choose whether to allow these archives through using the "Allowed
>>Sophos Error Messages" option.
>
>What structure is required for having multiple possibilities for this
>option? My first guess would be:
>
>Allowed Sophos Error Messages = corrupt "format not supported"
>
>Is that right?

It's even simpler than that at the moment, just
>Allowed Sophos Error Messages = corrupt format not supported
will do the job.
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From joan.bryan at KCL.AC.UK Fri Mar 21 11:51:40 2003
From: joan.bryan at KCL.AC.UK (Joan Bryan)
Date: Thu Jan 12 21:17:32 2006
Subject: Mailscanner and Multiple output queues
Message-ID: <002701c2efa0$3c3cab50$24254989@godiva>

Hi

We are considering implementing multiple output queues to try to improve performance on our mailserver and I wonder if anyone could give me an idea of a ruleset for this. Ideally we would like mailscanner to write to one of a set of output queues, distributing mail roughly evenly across these directories.

Thanks

Joan Bryan
Information Systems
King's College London
020 7848 2671
mailto:joan.bryan@kcl.ac.uk

From dh at UPTIME.AT Fri Mar 21 12:12:00 2003
From: dh at UPTIME.AT (David)
Date: Thu Jan 12 21:17:32 2006
Subject: Mailscanner and Multiple output queues
In-Reply-To: <002701c2efa0$3c3cab50$24254989@godiva>
Message-ID: <51C0339B-5B96-11D7-BCE8-000393920D6C@uptime.at>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

On Friday, March 21, 2003, at 12:51, Joan Bryan wrote:

> Hi
>
> We are considering implementing multiple output queues to try to improve
> performance on our mailserver and I wonder if anyone could give me an
> idea of a ruleset for this. Ideally we would like mailscanner to write
> to one of a set of output queues, distributing mail roughly evenly
> across these directories.
>

If you are using sendmail, have a look at the built in queuing ability that has been included with it since 8.12.*
I have such a setup running here and it works like a charm.

- -d

> PS: If you need more info please do contact me off list

- - we may race and we may run, but we can not undo what has been done.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (Darwin)

iD8DBQE+ewGWiW/Ta/pxHPQRA54eAJwOa7OwNaDb9eQHQfw4Ir3D1+spbQCgk4EV
fqQdteugiQOH15sU1/K7J8I=
=wbCH
-----END PGP SIGNATURE-----

From mailscanner at ecs.soton.ac.uk Fri Mar 21 12:18:29 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:32 2006
Subject: Mailscanner and Multiple output queues
In-Reply-To: <002701c2efa0$3c3cab50$24254989@godiva>
Message-ID: <5.2.0.9.2.20030321121546.0467e008@imap.ecs.soton.ac.uk>

At 11:51 21/03/2003, you wrote:
>We are considering implementing multiple output queues to try to improve
>performance on our mailserver and I wonder if anyone could give me an
>idea of a ruleset for this. Ideally we would like mailscanner to write
>to one of a set of output queues, distributing mail roughly evenly
>across these directories.

Outgoing Queue Dir = /etc/MailScanner/rules/outgoing.queue.rules

and then in that file:

From:     /^[a-g]/ /var/spool/mqueue1
From:     /^[h-m]/ /var/spool/mqueue2
From:     /^[n-s]/ /var/spool/mqueue3
From:     /^[t-z]/ /var/spool/mqueue4
FromOrTo: default  /var/spool/mqueue5

This just splits into 5 queues based on the first letter of the sender's address.
Hopefully that gives you enough of an idea of what you can do...
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From P.G.M.Peters at civ.utwente.nl Fri Mar 21 13:13:22 2003
From: P.G.M.Peters at civ.utwente.nl (Peter Peters)
Date: Thu Jan 12 21:17:32 2006
Subject: /var/spool/mqueue not flushing
In-Reply-To:
References: <5.2.0.9.2.20030320193406.022edeb0@imap.ecs.soton.ac.uk>
Message-ID:

On Thu, 20 Mar 2003 14:13:30 -0600, you wrote:

>> In that case, do you have "Delivery Method = batch" ?
>> It's very hard to diagnose problems of this sort remotely (without access),
>> there are all sorts of things that could be wrong, causing problems like
>> this :(
>
>Ah. It helps once I read thru the list archives to get a better
>explanation of the delivery methods. Reading the info in the config, I
>went with 'queue' originally as it sounded more suited to my environment.
>Not having a runner around to flush that queue, Sendmail obviously
>didn't have a clue it needed to do anything. Problem solved.

I would suggest have Sendmail do a queuerun occasionally. When the first attempt fails with a temporary error the message is placed in the queue and without queuerun it will stay in there infinite.

--
Peter Peters, senior netwerkbeheerder
Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE)
Universiteit Twente, Postbus 217, 7500 AE Enschede
telefoon: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/civ

From P.G.M.Peters at civ.utwente.nl Fri Mar 21 13:15:14 2003
From: P.G.M.Peters at civ.utwente.nl (Peter Peters) Date: Thu Jan 12 21:17:32 2006 Subject: CC question In-Reply-To: <5.2.0.9.2.20030320205021.02197b78@imap.ecs.soton.ac.uk> References: <5.2.0.9.2.20030320195236.0237f828@imap.ecs.soton.ac.uk> <002601c2ef20$8370e0c0$9c01a8c0@cnpapers.net> <5.2.0.9.2.20030320205021.02197b78@imap.ecs.soton.ac.uk> Message-ID: On Thu, 20 Mar 2003 20:54:58 +0000, you wrote: >Read the RFC on SMTP and RFC822 for more information. RFC's are now 2822 and 2821. -- Peter Peters, senior netwerkbeheerder Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE) Universiteit Twente, Postbus 217, 7500 AE Enschede telefoon: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/civ From Cleveland at MAIL.WINNEFOX.ORG Fri Mar 21 13:38:09 2003 From: Cleveland at MAIL.WINNEFOX.ORG (Jody Cleveland) Date: Thu Jan 12 21:17:32 2006 Subject: is localhost good to block? Message-ID: <84CFA712F666B44A94CE6BE116BAF4B0B4E4BF@MAIL> Hello, I was just unsubscribed to a listserv I belong to. So, I looked at the header of a message I had once received from that list, and noticed it says it's coming from (localhost 127.0.0.1]) Should I contact the listmom to ask them to change this, or should I just allow mail from localhost? If I contact them, what should I say? -- Jody Cleveland (cleveland@winnefox.org) Winnefox Library System Computer Support Specialist From mbowman at UDCOM.COM Fri Mar 21 14:34:22 2003 
From: mbowman at UDCOM.COM (Matthew Bowman)
Date: Thu Jan 12 21:17:32 2006
Subject: Disabling virus scanning for outbound e-mail w/ attachments
Message-ID:

Greetings

A client of ours has requested that all of their outbound e-mail is not passed through for filename checking (so they can send out .exe .bat files etc) but they still want outbound e-mail checked for Viruses.

Is this possible with version 4.13-3 of mailscanner?

Or would one just have to disable Virus Scanning for their entire domain?

Thanks

Matthew K Bowman

From mbowman at UDCOM.COM Fri Mar 21 14:45:31 2003
From: mbowman at UDCOM.COM (Matthew Bowman)
Date: Thu Jan 12 21:17:32 2006
Subject: Disabling virus scanning for outbound e-mail w/ attachments
Message-ID:

Julian - you are a gentleman and a scholar. Thank you.

Matthew K Bowman

Julian Field
Sent by: MailScanner mailing list
03/21/2003 09:42 AM
Please respond to MailScanner mailing list

To: MAILSCANNER@JISCMAIL.AC.UK
cc:
Subject: Re: Disabling virus scanning for outbound e-mail w/ attachments

At 14:34 21/03/2003, you wrote:
>Greetings
>
>A client of ours has requested that all of their outbound e-mail is not
>passed through
>for filename checking (so they can send out .exe .bat files etc) but they
>still want
>outbound e-mail checked for Viruses.
>
>Is this possible with version 4.13-3 of mailscanner?

Yes.

>Or would one just have to disable Virus Scanning for their entire domain?

No.

Set
Filename Rules = /etc/MailScanner/rules/filename.rules.rules

In that file put this:

From:     domain.com /etc/MailScanner/allow.everything
FromOrTo: default    /etc/MailScanner/filename.rules.conf

In the "allow.everything" file put this:
allow . - -
(remembering to put tabs between each of the 4 words on that line).

This has created a ruleset so that mail from domain.com gets the "allow.everything" filename rules file. Everyone else gets the normal "filename.rules.conf".

The "allow.everything" file just works by having 1 rule which will match any filename, allowing it.
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From carl.boberg at NRM.SE Fri Mar 21 14:51:28 2003
From: carl.boberg at NRM.SE (Carl Boberg)
Date: Thu Jan 12 21:17:32 2006
Subject: Bayes?
Message-ID:

Hi,

Just curious about spamassassin's bayes function in connection with MS. Is MS utilizing the bayes function automatically or do you have to configure something to make it work? If so what, and do you have to run a "learning session" with it? That is, do you have to run some definitely SPAM emails and some non SPAM emails through it?

My aim is to maybe stop using the RBLs since they blacklist whole domains which forces me to put a lot of addresses in the whitelist rule.

Cheers!

---------------------------------
Carl Boberg
System & Network Administrator
Dept. of Information Technology
Swedish Museum of Natural History
Frescativ. 40
104 05 Stockholm
carl.boberg@nrm.se
Phone: 08-519 551 16
Mobile: 0701-82 40 55
---------------------------------

From mailscanner at ecs.soton.ac.uk Fri Mar 21 14:49:53 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:32 2006
Subject: Disabling virus scanning for outbound e-mail w/ attachments
In-Reply-To:
Message-ID: <5.2.0.9.2.20030321144920.03e058b8@imap.ecs.soton.ac.uk>

Someone fancy writing up a few things like this in the faq-o-matic?
It seems to have gone very quiet. No-one has actually written very much content for it yet.

At 14:45 21/03/2003, you wrote:
>Julian - you are a gentleman and a scholar. Thank you.
>
>
>Matthew K Bowman
>
>
>
>
>
>Julian Field
>Sent by: MailScanner mailing list
>03/21/2003 09:42 AM
>Please respond to MailScanner mailing list
>
>
>        To:     MAILSCANNER@JISCMAIL.AC.UK
>        cc:
>        Subject:        Re: Disabling virus scanning for outbound e-mail
> w/ attachments
>
>
>At 14:34 21/03/2003, you wrote:
> >Greetings
> >
> >A client of ours has requested that all of their outbound e-mail is not
> >passed through
> >for filename checking (so they can send out .exe .bat files etc) but they
> >still want
> >outbound e-mail checked for Viruses.
> >
> >Is this possible with version 4.13-3 of mailscanner?
>
>Yes.
>
> >Or would one just have to disable Virus Scanning for their entire domain?
>
>No.
>
>Set
>Filename Rules = /etc/MailScanner/rules/filename.rules.rules
>
>In that file put this:
>
>From:           domain.com      /etc/MailScanner/allow.everything
>FromOrTo:       default         /etc/MailScanner/filename.rules.conf
>
>In the "allow.everything" file put this:
>allow . - -
>(remembering to put tabs between each of the 4 words on that line).
>
>This has created a ruleset so that mail from domain.com gets the
>"allow.everything" filename rules file. Everyone else gets the normal
>"filename.rules.conf".
>
>The "allow.everything" file just works by having 1 rule which will match
>any filename, allowing it.
>--
>Julian Field
>www.MailScanner.info
>MailScanner thanks transtec Computers for their support

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Fri Mar 21 14:42:26 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:32 2006
Subject: Disabling virus scanning for outbound e-mail w/ attachments
In-Reply-To:
Message-ID: <5.2.0.9.2.20030321143859.03ea2d40@imap.ecs.soton.ac.uk>

At 14:34 21/03/2003, you wrote:
>Greetings
>
>A client of ours has requested that all of their outbound e-mail is not
>passed through
>for filename checking (so they can send out .exe .bat files etc) but they
>still want
>outbound e-mail checked for Viruses.
>
>Is this possible with version 4.13-3 of mailscanner?

Yes.

>Or would one just have to disable Virus Scanning for their entire domain?

No.

Set
Filename Rules = /etc/MailScanner/rules/filename.rules.rules

In that file put this:

From:     domain.com /etc/MailScanner/allow.everything
FromOrTo: default    /etc/MailScanner/filename.rules.conf

In the "allow.everything" file put this:
allow . - -
(remembering to put tabs between each of the 4 words on that line).

This has created a ruleset so that mail from domain.com gets the "allow.everything" filename rules file. Everyone else gets the normal "filename.rules.conf".

The "allow.everything" file just works by having 1 rule which will match any filename, allowing it.
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Fri Mar 21 14:57:08 2003
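An added example, not part of the original messages and not MailScanner's own code: a small Python audit of the two-level setup described in the message above (a ruleset that picks a filename-rules file per sender, then tab-separated allow/deny lines in that file). First-match-wins ordering, exact-domain matching, case-insensitive regexes, "no match means allow" and the sample filename.rules.conf contents are assumptions made for the illustration.

```python
import re

# Constructed copies of the two files described in the thread.
RULESET = (
    "From:      domain.com  /etc/MailScanner/allow.everything\n"
    "FromOrTo:  default     /etc/MailScanner/filename.rules.conf\n"
)
RULE_FILES = {
    "/etc/MailScanner/allow.everything": "allow\t.\t-\t-\n",
    # Constructed stand-in for a site's normal rules, not the shipped file.
    "/etc/MailScanner/filename.rules.conf": (
        "deny\t\\.exe$\tExecutable\tExecutables are not allowed\n"
        "deny\t\\.(bat|com)$\tDOS program\tDOS programs are not allowed\n"
        "allow\t.\t-\t-\n"
    ),
}
# Attachment names a filename policy is normally expected to stop (constructed).
PROBES = ["eicar.com", "setup.exe", "run.bat"]


def parse_filename_rules(text):
    """Parse one filename-rules file; return (rules, problems)."""
    rules, problems = [], []
    for number, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        # The thread stresses that the four fields are separated by tabs.
        fields = re.split(r"\t+", line.strip())
        if len(fields) != 4:
            problems.append(
                f"line {number}: expected 4 tab-separated fields, found {len(fields)}")
            continue
        action, pattern, log_text, report_text = fields
        if action not in ("allow", "deny"):
            problems.append(f"line {number}: unknown action {action!r}")
            continue
        try:
            regex = re.compile(pattern, re.IGNORECASE)  # assumption: case-insensitive
        except re.error as exc:
            problems.append(f"line {number}: bad regex {pattern!r}: {exc}")
            continue
        rules.append((action, regex, log_text, report_text))
    return rules, problems


def address_matches(pattern, address):
    """Assumed matching: 'default' is a catch-all, otherwise exact address or domain."""
    pattern, address = pattern.lower(), address.lower()
    if pattern == "default":
        return True
    if "@" in pattern:
        return address == pattern
    return address.endswith("@" + pattern)


def pick_rules_file(ruleset, sender, recipient):
    """Return the rules file chosen by the first matching ruleset line (assumed order)."""
    sides = {"from:": [sender], "to:": [recipient], "fromorto:": [sender, recipient]}
    for line in ruleset.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        direction, pattern, path = parts
        if any(address_matches(pattern, a) for a in sides.get(direction.lower(), [])):
            return path
    return None


def verdict(rules, filename):
    """First matching rule decides; no match is treated as allow (assumption)."""
    for action, regex, _log_text, _report_text in rules:
        if regex.search(filename):
            return action
    return "allow"


def check_attachment(sender, recipient, filename):
    """Resolve the rules file for this message, then judge the attachment name."""
    path = pick_rules_file(RULESET, sender, recipient)
    rules, _problems = parse_filename_rules(RULE_FILES[path])
    return path, verdict(rules, filename)


def senders_without_filename_checks():
    """Ruleset entries whose rules file lets every probe name through."""
    exempt = []
    for line in RULESET.splitlines():
        direction, pattern, path = line.split()
        rules, _problems = parse_filename_rules(RULE_FILES[path])
        if all(verdict(rules, name) == "allow" for name in PROBES):
            exempt.append((direction, pattern))
    return exempt


if __name__ == "__main__":
    print(check_attachment("alice@domain.com", "bob@example.org", "eicar.com"))
    print(check_attachment("carol@example.net", "alice@domain.com", "eicar.com"))
    print("entries with filename checks switched off:", senders_without_filename_checks())
    print(parse_filename_rules("allow . - -\n")[1])  # spaces instead of tabs
```

The audit makes the scope of the exemption visible: only mail from domain.com skips the attachment-name check, so for that traffic the virus scanner is the remaining control.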
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:32 2006
Subject: Bayes?
In-Reply-To:
Message-ID: <5.2.0.9.2.20030321145005.03e055e8@imap.ecs.soton.ac.uk>

At 14:51 21/03/2003, you wrote:
>Just curious about spamassassin's bayes function in connection with MS.
>Is MS utilizing the bayes function automatically

Yes.

> or do you have to
>configure something to make it work?

No.

> If so what, and do you have to
>run a "learning session" with it?

No.

> That is, do you have to run some
>definitely SPAM emails and some non SPAM emails through it?

No.

MailScanner is using the bayes function automatically. Uniquely, the bayes engine in SpamAssassin is "self-learning"; it uses the other rules to identify messages which have either a very high score or a very low score, and it continuously feeds them to the bayes engine itself without you needing to do anything.

If you want to teach it when it gets it wrong, you can have it run the "sa-learn" script to learn about particular messages. I have set up 2 addresses here, "spam" and "notspam". Their mailboxes live on the main MailScanner server, and people can just redirect wrongly-classified messages to one of the addresses. Then once an hour the script below is run by cron to teach the bayes engine about the messages it got wrong. For the script below, I have copied SpamAssassin's "sa-learn" script into the MailScanner bin directory.

You should also run a nightly cron job that does a "sa-learn --rebuild" as well, to do all the housekeeping the Bayes engine requires.

#!/bin/sh

SPAM=/var/mail/spam
NOTSPAM=/var/mail/notspam

LOGFILE=/var/log/learn.spam.log
PREFS=/opt/MailScanner/etc/spam.assassin.prefs.conf
SALEARN=/opt/MailScanner/bin/sa-learn

date >> $LOGFILE
if [ -f $SPAM ]; then
  BOX=${SPAM}.processing
  mv $SPAM $BOX
  sleep 5 # Wait for writing current message to complete
  $SALEARN --prefs-file=$PREFS --spam --mbox $BOX >> $LOGFILE 2>&1
  rm -f $BOX
fi

if [ -f $NOTSPAM ]; then
  BOX=${NOTSPAM}.processing
  mv $NOTSPAM $BOX
  sleep 5 # Wait for writing current message to complete
  $SALEARN --prefs-file=$PREFS --ham --mbox $BOX >> $LOGFILE 2>&1
  rm -f $BOX
fi

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From carl.boberg at NRM.SE Fri Mar 21 15:37:57 2003
From: carl.boberg at NRM.SE (Carl Boberg)
Date: Thu Jan 12 21:17:32 2006
Subject: Bayes?
In-Reply-To: <5.2.0.9.2.20030321145005.03e055e8@imap.ecs.soton.ac.uk>
Message-ID:

Grrreat!
Just two minor things:
I use the rpm version of MS and can't find a bin dir? (I can of course create one).
I use the Perl CPAN install of spamassassin and can't find any sa-learn script?

When these two are sorted out I will definitely set up a config like the one you told me about.

Very Happy :-)
Thanks / Carl

>-----Original Message-----
>From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On >Behalf Of Julian Field >Sent: Friday, March 21, 2003 15:57 >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Re: Bayes? > > >At 14:51 21/03/2003, you wrote: >>Just qurious about spamassassins bayes function in connection with MS. >>Is MS utilizing the bayes function automatically > >Yes. > >> or do you have to >>configure something to make it work? > >No. > >> If so what, and do you have to >>run a "learning session" with it? > >No. > >> That is, do you have to run some >>definitly SPAM emails and some non SPAM emails through it? > >No. > >MailScanner is using the bayes function automatically. Uniquely, the bayes >engine in SpamAssassin is "self-learning"; it uses the other rules to >identify messages which have either a very high score or a very low score, >and it continuously feeds them to the bayes engine itself without you >needing to do anything. > >If you want to teach it when it gets it wrong, you can have it run the >"sa-learn" script to learn about particular messages. I have set up 2 >addresses here, "spam" and "notspam". Their mailboxes live on the main >MailScanner server, and people can just redirect wrongly-classified >messages to one of the addresses. Then once an hour the script below is run >by cron to teach the bayes engine about the messages it got wrong. For the >script below, I have copied SpamAssassin's "sa-learn" script into the >MailScanner bin directory. > >You should also run a nightly cron job that does a "sa-learn --rebuild" as >well, to do all the housekeeping the Bayes engine requires. 
> >#!/bin/sh > >SPAM=/var/mail/spam >NOTSPAM=/var/mail/notspam > >LOGFILE=/var/log/learn.spam.log >PREFS=/opt/MailScanner/etc/spam.assassin.prefs.conf >SALEARN=/opt/MailScanner/bin/sa-learn > >date >> $LOGFILE >if [ -f $SPAM ]; then > BOX=${SPAM}.processing > mv $SPAM $BOX > sleep 5 # Wait for writing current message to complete > $SALEARN --prefs-file=$PREFS --spam --mbox $BOX >> $LOGFILE 2>&1 > rm -f $BOX >fi > >if [ -f $NOTSPAM ]; then > BOX=${NOTSPAM}.processing > mv $NOTSPAM $BOX > sleep 5 # Wait for writing current message to complete > $SALEARN --prefs-file=$PREFS --ham --mbox $BOX >> $LOGFILE 2>&1 > rm -f $BOX >fi > >-- >Julian Field >www.MailScanner.info >MailScanner thanks transtec Computers for their support > From mailscanner at ecs.soton.ac.uk Fri Mar 21 15:50:12 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:32 2006 Subject: Bayes? In-Reply-To: References: <5.2.0.9.2.20030321145005.03e055e8@imap.ecs.soton.ac.uk> Message-ID: <5.2.0.9.2.20030321154910.09282b98@imap.ecs.soton.ac.uk> At 15:37 21/03/2003, you wrote: >Grrreat! >Just two minor things: >I use the rpm version of MS and cant find a bin dir? (I can ofcourse >create one). Just put it somewhere useful, e.g. /usr/sbin. >I use the Perl CPAN install of spamassassin and cant find any sa-learn script? If you look in the directory it has built SA from, you'll find it there. Have a root around under /root/.cpan/build >When theese two are sorted out I will definately set up a config like the >one you >told me about. > >Very Happy :-) >Thanks / Carl > > >-----Original Message----- 
> >From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > >Behalf Of Julian Field > >Sent: Friday, March 21, 2003 15:57 > >To: MAILSCANNER@JISCMAIL.AC.UK > >Subject: Re: Bayes? > > > > > >At 14:51 21/03/2003, you wrote: > >>Just qurious about spamassassins bayes function in connection with MS. > >>Is MS utilizing the bayes function automatically > > > >Yes. > > > >> or do you have to > >>configure something to make it work? > > > >No. > > > >> If so what, and do you have to > >>run a "learning session" with it? > > > >No. > > > >> That is, do you have to run some > >>definitly SPAM emails and some non SPAM emails through it? > > > >No. > > > >MailScanner is using the bayes function automatically. Uniquely, the bayes > >engine in SpamAssassin is "self-learning"; it uses the other rules to > >identify messages which have either a very high score or a very low score, > >and it continuously feeds them to the bayes engine itself without you > >needing to do anything. > > > >If you want to teach it when it gets it wrong, you can have it run the > >"sa-learn" script to learn about particular messages. I have set up 2 > >addresses here, "spam" and "notspam". Their mailboxes live on the main > >MailScanner server, and people can just redirect wrongly-classified > >messages to one of the addresses. Then once an hour the script below is run > >by cron to teach the bayes engine about the messages it got wrong. For the > >script below, I have copied SpamAssassin's "sa-learn" script into the > >MailScanner bin directory. > > > >You should also run a nightly cron job that does a "sa-learn --rebuild" as > >well, to do all the housekeeping the Bayes engine requires. 
> > > >#!/bin/sh > > > >SPAM=/var/mail/spam > >NOTSPAM=/var/mail/notspam > > > >LOGFILE=/var/log/learn.spam.log > >PREFS=/opt/MailScanner/etc/spam.assassin.prefs.conf > >SALEARN=/opt/MailScanner/bin/sa-learn > > > >date >> $LOGFILE > >if [ -f $SPAM ]; then > > BOX=${SPAM}.processing > > mv $SPAM $BOX > > sleep 5 # Wait for writing current message to complete > > $SALEARN --prefs-file=$PREFS --spam --mbox $BOX >> $LOGFILE 2>&1 > > rm -f $BOX > >fi > > > >if [ -f $NOTSPAM ]; then > > BOX=${NOTSPAM}.processing > > mv $NOTSPAM $BOX > > sleep 5 # Wait for writing current message to complete > > $SALEARN --prefs-file=$PREFS --ham --mbox $BOX >> $LOGFILE 2>&1 > > rm -f $BOX > >fi > > > >-- > >Julian Field > >www.MailScanner.info > >MailScanner thanks transtec Computers for their support > > -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From chicks at CHICKS.NET Fri Mar 21 16:55:34 2003 From: chicks at CHICKS.NET (Christopher Hicks) Date: Thu Jan 12 21:17:32 2006 Subject: Disabling virus scanning for outbound e-mail w/ attachments In-Reply-To: <5.2.0.9.2.20030321143859.03ea2d40@imap.ecs.soton.ac.uk> Message-ID: On Fri, 21 Mar 2003, Julian Field wrote: > Set > Filename Rules = /etc/MailScanner/rules/filename.rules.rules > > In that file put this: 
>
> From: domain.com /etc/MailScanner/allow.everything
> FromOrTo: default /etc/MailScanner/filename.rules.conf
>
> In the "allow.everything" file put this:
> allow . - -
> (remembering to put tabs between each of the 4 words on that line).
>
> This has created a ruleset so that mail from domain.com gets the
> "allow.everything" filename rules file. Everyone else gets the normal
> "filename.rules.conf".
>
> The "allow.everything" file just works by having 1 rule which will match
> any filename, allowing it.

This would be good to add to the FAQ or the rule examples. :)

OT question: Does anyone have a good URL explaining how to deal with Outlook not seeing standard attachments (like from pine)? I've googled quite a bit and all I've found so far is hundreds of pages dealing with Outlook sending nonstandard attachments, but my problem is the other way around.

--
The death of democracy is not likely to be an assassination from ambush. It will be a slow extinction from apathy, indifference, and undernourishment.
-Robert Maynard Hutchins, educator (1899-1977)

From steinkel at PA.NET Fri Mar 21 18:12:08 2003
From: steinkel at PA.NET (Leland J. Steinke)
Date: Thu Jan 12 21:17:32 2006
Subject: MS ruleset file sizes
Message-ID: <3E7B55F8.1080208@pa.net>

I am pretty sure that there are no built-in limitations on the size of MailScanner rulesets, but what are the practical limits on their size?

We are considering giving our customers the ability to customize a subset of their MS settings. How will MS performance be affected if there are potentially tens of thousands of entries in several rulesets?

Thanks,
Leland

From brent at WHITE-DEV.QUATRO.COM Fri Mar 21 18:02:12 2003
From: brent at WHITE-DEV.QUATRO.COM (Brent)
Date: Thu Jan 12 21:17:32 2006
Subject: by domain whitelist/blacklist
Message-ID: <581E96807D8F164BAC721997E5B8E4060D937A@bto.quatro.com>

What syntax is valid for the per domain whitelisting and blacklisting? In the example there is domain.com and user@domain.com. Does *domain.com or *.domain.com work?

Am I able to block all sub domains of a primary domain? For example eletters1.ziffdavis.com vs. ziffdavis.com. What's the proper syntax to whitelist mailings from all of ziffdavis?

Thanks,
Brent

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030321/c5ae5149/attachment.html

From steve at AVALON.DARTMOUTH.EDU Fri Mar 21 18:20:32 2003
From: steve at AVALON.DARTMOUTH.EDU (Steve Campbell)
Date: Thu Jan 12 21:17:33 2006
Subject: tnef-1.1.4+sizelimit compile fails on Tru64
Message-ID: <200303211820.h2LIKWxp012953@avalon.Dartmouth.EDU>

Folks,

The version of tnef shipped with MailScanner-4.13-3, tnef-1.1.4+sizelimit, does not compile on my Tru64 V5.1A system using cc. The problem seems to be with the declaration of the basename function:

cc: Warning: basename.h, line 30: In this declaration, parameter 1 has a
different type than specified in an earlier declaration of this function.
(mismatparam)
basename (const char* path);
^
cc: Error: basename.h, line 30: In this declaration, the type of "basename" is
not compatible with the type of a previous declaration of "basename" at line
number 165 in file /usr/include/string.h. (notcompat)
basename (const char* path);
^

Does anyone have any suggestions for fixing this?

Stephen Campbell
Network Services
Dartmouth College
6223 Berry-Baker Library
Hanover, New Hampshire 03755
603.646.3231 Fax: 603.646.1041

From jase at SENSIS.COM Fri Mar 21 18:21:02 2003
From: jase at SENSIS.COM (Desai, Jason)
Date: Thu Jan 12 21:17:33 2006
Subject: Bayes?
Message-ID:

Very interesting! Two questions:

1) I'm assuming that your users just forward their emails to these addresses. Will it make a difference to the bayes filter that the message has been forwarded, or is it just looking at the body of the message?

2) Do you have to worry about some kind of locking of the bayes database when running sa-learn, so that sa-learn is not updating it while MailScanner is calling spamassassin to use it at the same time?

Thanks.

Jason

> -----Original Message-----
> From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK]
> Sent: Friday, March 21, 2003 9:57 AM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: [MAILSCANNER] Bayes?
>
>
> At 14:51 21/03/2003, you wrote:
> >Just curious about spamassassin's bayes function in connection with MS.
> >Is MS utilizing the bayes function automatically
>
> Yes.
>
> > or do you have to
> >configure something to make it work?
>
> No.
>
> > If so what, and do you have to
> >run a "learning session" with it?
>
> No.
>
> > That is, do you have to run some
> >definitely SPAM emails and some non SPAM emails through it?
>
> No.
>
> MailScanner is using the bayes function automatically. Uniquely, the bayes
> engine in SpamAssassin is "self-learning"; it uses the other rules to
> identify messages which have either a very high score or a very low score,
> and it continuously feeds them to the bayes engine itself without you
> needing to do anything.
>
> If you want to teach it when it gets it wrong, you can have it run the
> "sa-learn" script to learn about particular messages. I have set up 2
> addresses here, "spam" and "notspam". Their mailboxes live on the main
> MailScanner server, and people can just redirect wrongly-classified
> messages to one of the addresses. Then once an hour the script below is run
> by cron to teach the bayes engine about the messages it got wrong. For the
> script below, I have copied SpamAssassin's "sa-learn" script into the
> MailScanner bin directory.
>
> You should also run a nightly cron job that does a "sa-learn --rebuild" as
> well, to do all the housekeeping the Bayes engine requires.
>
> #!/bin/sh
>
> SPAM=/var/mail/spam
> NOTSPAM=/var/mail/notspam
>
> LOGFILE=/var/log/learn.spam.log
> PREFS=/opt/MailScanner/etc/spam.assassin.prefs.conf
> SALEARN=/opt/MailScanner/bin/sa-learn
>
> date >> $LOGFILE
> if [ -f $SPAM ]; then
>   BOX=${SPAM}.processing
>   mv $SPAM $BOX
>   sleep 5 # Wait for writing current message to complete
>   $SALEARN --prefs-file=$PREFS --spam --mbox $BOX >> $LOGFILE 2>&1
>   rm -f $BOX
> fi
>
> if [ -f $NOTSPAM ]; then
>   BOX=${NOTSPAM}.processing
>   mv $NOTSPAM $BOX
>   sleep 5 # Wait for writing current message to complete
>   $SALEARN --prefs-file=$PREFS --ham --mbox $BOX >> $LOGFILE 2>&1
>   rm -f $BOX
> fi
>
> --
> Julian Field
> www.MailScanner.info
> MailScanner thanks transtec Computers for their support
>

From ms at MLSIS.CO.UK Fri Mar 21 18:27:23 2003
From: ms at MLSIS.CO.UK (Matt Lowe)
Date: Thu Jan 12 21:17:33 2006
Subject: wat licence do i need? (re-worded)
Message-ID: <1048271243.7974.14.camel@luggage>

Hi,
alright no one seemed to understand the last post, so I'll try again :)

Can mailscanner work with the 'workstation' versions of linux anti-virus software? like RAV workstation and mcafee workstation?

(as in the versions that cost under £30!)

thanks
matt

From mailscanner at ecs.soton.ac.uk Fri Mar 21 18:25:17 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:33 2006
Subject: by domain whitelist/blacklist
In-Reply-To: <581E96807D8F164BAC721997E5B8E4060D937A@bto.quatro.com>
Message-ID: <5.2.0.9.2.20030321182056.0288a3c0@imap.ecs.soton.ac.uk>

At 18:02 21/03/2003, you wrote:
>What syntax is valid for the per domain whitelisting and blacklisting. In
>the example there is domain.com and user@domain.com. Does *domain.com or
>*.domain.com work ?

No, they don't.

> Am I able to block all sub domains of a primary domains. For example
> eletters1.ziffdavis.com vs. ziffdavis.com. What's the proper syntax to
> whitelist mailings from all of ziffdavis?

You can't (yet). It just takes
1) entire email addresses user@domain.com
2) exact domains domain.com or *@domain.com
3) IP addresses.

It's currently fairly simple code, designed to run as fast as possible. As a result it doesn't do complicated lookups. You are welcome to re-write "LookupByDomainList" in CustomConfig.pm :-)

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Fri Mar 21 18:28:04 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:33 2006
Subject: MS ruleset file sizes
In-Reply-To: <3E7B55F8.1080208@pa.net>
Message-ID: <5.2.0.9.2.20030321182531.02271da8@imap.ecs.soton.ac.uk>

At 18:12 21/03/2003, you wrote:
>I am pretty sure that there are no built-in limitations on the size of
>MailScanner rulesets, but what are the practical limits on their size?
>
>We are considering giving our customers the ability to customize a subset of
>their MS settings. How will MS performance be affected if there are
>potentially tens of thousands of entries in several rulesets?

What I would do in that case is use a database to store all the user settings. Slurp the tables into hash arrays at startup time, then at run-time just look up their settings in the fast hash arrays. You can do all this with Custom Functions.

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Fri Mar 21 18:35:22 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:33 2006
Subject: wat licence do i need? (re-worded)
In-Reply-To: <1048271243.7974.14.camel@luggage>
Message-ID: <5.2.0.9.2.20030321183423.02610008@imap.ecs.soton.ac.uk>

At 18:27 21/03/2003, you wrote:
>Hi,
>alright no one seemed to understand the last post, so I'll try again :)
>
>Can mailscanner work with the 'workstation' versions of linux anti-virus
>software? like RAV workstation and mcafee workstation?

Yes, you want the command-line scanner. However, whether that is legal or not depends on the terms of the licence for the workstation version.

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Fri Mar 21 18:33:49 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:33 2006
Subject: Bayes?
In-Reply-To:
Message-ID: <5.2.0.9.2.20030321183212.02844b40@imap.ecs.soton.ac.uk>

At 18:21 21/03/2003, you wrote:
>Very interesting! Two questions:
>
>1) I'm assuming that your users just forward their emails to these
>addresses.

They "bounce" or "redirect" not "forward". Forwarding a message changes the message a lot, and throws away all the headers. Unfortunately it looks like Outlook can't redirect/bounce a message at all, which is pretty stupid.

> Will it make a difference to the bayes filter that the message
>has been forwarded, or is it just looking at the body of the message?

It's looking at all of it, headers and body.

>2) Do you have to worry about some kind of locking of the bayes database
>when running sa-learn, so that sa-learn is not updating it while MailScanner
>is calling spamassassin to use it at the same time?

The locking is all taken care of for you. Don't worry.

> > -----Original Message-----
> > From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK]
> > Sent: Friday, March 21, 2003 9:57 AM
> > To: MAILSCANNER@JISCMAIL.AC.UK
> > Subject: Re: [MAILSCANNER] Bayes?
> >
> >
> > At 14:51 21/03/2003, you wrote:
> > >Just curious about spamassassin's bayes function in connection with MS.
> > >Is MS utilizing the bayes function automatically
> >
> > Yes.
> >
> > > or do you have to
> > >configure something to make it work?
> >
> > No.
> >
> > > If so what, and do you have to
> > >run a "learning session" with it?
> >
> > No.
> >
> > > That is, do you have to run some
> > >definitely SPAM emails and some non SPAM emails through it?
> >
> > No.
> >
> > MailScanner is using the bayes function automatically. Uniquely, the bayes
> > engine in SpamAssassin is "self-learning"; it uses the other rules to
> > identify messages which have either a very high score or a very low score,
> > and it continuously feeds them to the bayes engine itself without you
> > needing to do anything.
> >
> > If you want to teach it when it gets it wrong, you can have it run the
> > "sa-learn" script to learn about particular messages. I have set up 2
> > addresses here, "spam" and "notspam". Their mailboxes live on the main
> > MailScanner server, and people can just redirect wrongly-classified
> > messages to one of the addresses. Then once an hour the script below is run
> > by cron to teach the bayes engine about the messages it got wrong. For the
> > script below, I have copied SpamAssassin's "sa-learn" script into the
> > MailScanner bin directory.
> >
> > You should also run a nightly cron job that does a "sa-learn --rebuild" as
> > well, to do all the housekeeping the Bayes engine requires.
> >
> > #!/bin/sh
> >
> > SPAM=/var/mail/spam
> > NOTSPAM=/var/mail/notspam
> >
> > LOGFILE=/var/log/learn.spam.log
> > PREFS=/opt/MailScanner/etc/spam.assassin.prefs.conf
> > SALEARN=/opt/MailScanner/bin/sa-learn
> >
> > date >> $LOGFILE
> > if [ -f $SPAM ]; then
> >   BOX=${SPAM}.processing
> >   mv $SPAM $BOX
> >   sleep 5 # Wait for writing current message to complete
> >   $SALEARN --prefs-file=$PREFS --spam --mbox $BOX >> $LOGFILE 2>&1
> >   rm -f $BOX
> > fi
> >
> > if [ -f $NOTSPAM ]; then
> >   BOX=${NOTSPAM}.processing
> >   mv $NOTSPAM $BOX
> >   sleep 5 # Wait for writing current message to complete
> >   $SALEARN --prefs-file=$PREFS --ham --mbox $BOX >> $LOGFILE 2>&1
> >   rm -f $BOX
> > fi
> >
> > --
> > Julian Field
> > www.MailScanner.info
> > MailScanner thanks transtec Computers for their support
> >

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Fri Mar 21 18:31:58 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:33 2006
Subject: tnef-1.1.4+sizelimit compile fails on Tru64
In-Reply-To: <200303211820.h2LIKWxp012953@avalon.Dartmouth.EDU>
Message-ID: <5.2.0.9.2.20030321183120.0279fb88@imap.ecs.soton.ac.uk>

Remove line 30 from basename.h would be my best suggestion. As it is already declared in string.h, you don't need to declare it again anyway.

At 18:20 21/03/2003, you wrote:
>Folks,
>
>The version of tnef shipped with MailScanner-4.13-3, tnef-1.1.4+sizelimit,
>does not compile on my Tru64 V5.1A system using cc. The problem seems to be
>with the declaration of the basename function:
>
>cc: Warning: basename.h, line 30: In this declaration, parameter 1 has a
>different type than specified in an earlier declaration of this function.
>(mismatparam)
>basename (const char* path);
>^
>cc: Error: basename.h, line 30: In this declaration, the type of "basename" is
>not compatible with the type of a previous declaration of "basename" at line
>number 165 in file /usr/include/string.h. (notcompat)
>basename (const char* path);
>^
>
>Does anyone have any suggestions for fixing this?
>
>Stephen Campbell
>Network Services
>Dartmouth College
>6223 Berry-Baker Library
>Hanover, New Hampshire 03755
>603.646.3231 Fax: 603.646.1041

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

From steve at AVALON.DARTMOUTH.EDU Fri Mar 21 18:50:33 2003
From: steve at AVALON.DARTMOUTH.EDU (Steve Campbell)
Date: Thu Jan 12 21:17:33 2006
Subject: tnef-1.1.4+sizelimit compile fails on Tru64
Message-ID: <200303211850.h2LIoXxp013419@avalon.Dartmouth.EDU>

Yes, that makes it compile. Thanks.

Incidentally, 2 files in that distribution - basename.h and malloc.c - were in CR/LF mode. That generates warnings from the compiler, but it's easy to fix.

Steve Campbell
Dartmouth College

Julian wrote:

> Remove line 30 from basename.h would be my best suggestion. As it is
> already declared in string.h, you don't need to declare it again anyway.
>
> At 18:20 21/03/2003, you wrote:
> >Folks,
> >
> >The version of tnef shipped with MailScanner-4.13-3, tnef-1.1.4+sizelimit,
> >does not compile on my Tru64 V5.1A system using cc. The problem seems to be
> >with the declaration of the basename function:
> >
> >cc: Warning: basename.h, line 30: In this declaration, parameter 1 has a
> >different type than specified in an earlier declaration of this function.
> >(mismatparam)
> >basename (const char* path);
> >^
> >cc: Error: basename.h, line 30: In this declaration, the type of "basename" is
> >not compatible with the type of a previous declaration of "basename" at line
> >number 165 in file /usr/include/string.h. (notcompat)
> >basename (const char* path);
> >^
> >
> >Does anyone have any suggestions for fixing this?
> >
> >Stephen Campbell
> >Network Services
> >Dartmouth College
> >6223 Berry-Baker Library
> >Hanover, New Hampshire 03755
> >603.646.3231 Fax: 603.646.1041
>
> --
> Julian Field
> www.MailScanner.info
> Professional Support Services at www.MailScanner.biz
> MailScanner thanks transtec Computers for their support

From raymond at PROLOCATION.NET Fri Mar 21 19:13:51 2003
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:17:33 2006
Subject: MS ruleset file sizes
In-Reply-To: <5.2.0.9.2.20030321182531.02271da8@imap.ecs.soton.ac.uk>
Message-ID:

Hi Julian!

> What I would do in that case is use a database to store all the user
> settings. Slurp the tables into hash arrays at startup time, then at
> run-time just look up their settings in the fast hash arrays. You can do
> all this with Custom Functions.

What about making the rule sets in .db format. Just like the sendmail files, saves a restart also when i only update the rulesets. Would that be possible? Faster for looking up also.

Bye,
Raymond.

From mkettler at EVI-INC.COM Fri Mar 21 19:21:24 2003
From: mkettler at EVI-INC.COM (Matt Kettler)
Date: Thu Jan 12 21:17:33 2006
Subject: is localhost good to block?
In-Reply-To: <84CFA712F666B44A94CE6BE116BAF4B0B4E4BF@MAIL>
Message-ID: <5.2.0.9.0.20030321141959.01d33208@xanadu.evi-inc.com>

Unless you're sure that nobody originates mail directly from your mailserver using network loopbacks, including cron jobs, etc, blocking localhost is a _bad_ idea.

At 07:38 AM 3/21/2003 -0600, you wrote:
>Hello,
>
>I was just unsubscribed to a listserv I belong to. So, I looked at the
>header of a message I had once received from that list, and noticed it says
>it's coming from (localhost 127.0.0.1]) Should I contact the listmom to ask
>them to change this, or should I just allow mail from localhost? If I
>contact them, what should I say?
>
>--
>Jody Cleveland
>(cleveland@winnefox.org)
>
>Winnefox Library System
>Computer Support Specialist

From mailscanner at ecs.soton.ac.uk Fri Mar 21 19:24:27 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:33 2006
Subject: MS ruleset file sizes
In-Reply-To:
References: <5.2.0.9.2.20030321182531.02271da8@imap.ecs.soton.ac.uk>
Message-ID: <5.2.0.9.2.20030321192248.021a94d0@imap.ecs.soton.ac.uk>

At 19:13 21/03/2003, you wrote:
>Hi Julian!
>
> > What I would do in that case is use a database to store all the user
> > settings. Slurp the tables into hash arrays at startup time, then at
> > run-time just look up their settings in the fast hash arrays. You can do
> > all this with Custom Functions.
>
>What about making the rule sets in .db format. Just like the sendmail
>files, saves a restart also when i only update the rulesets. Would that be
>possible? Faster for looking up also.

The ruleset testing involves iterating through all the rules until a match is found. If they are .db format, then the order of the rules is lost, which is very important. As for speed, the current lookups are done from RAM, which is faster than any disk-based lookup such as .db files.

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

From raymond at PROLOCATION.NET Fri Mar 21 19:44:59 2003
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:17:33 2006
Subject: MS ruleset file sizes
In-Reply-To: <5.2.0.9.2.20030321192248.021a94d0@imap.ecs.soton.ac.uk>
Message-ID:

Hi!

> >What about making the rule sets in .db format. Just like the sendmail
> >files, saves a restart also when i only update the rulesets. Would that be
> >possible? Faster for looking up also.
> The ruleset testing involves iterating through all the rules until a match
> is found. If they are .db format, then the order of the rules is lost,
> which is very important. As for speed, the current lookups are done from
> RAM, which is faster than any disk-based lookup such as .db files.

So what's the current limitation, how long could those files be ? :)

Bye,
Raymond.

From steinkel at PA.NET Fri Mar 21 20:03:03 2003
From: steinkel at PA.NET (Leland J. Steinke)
Date: Thu Jan 12 21:17:33 2006
Subject: MS ruleset file sizes
References:
Message-ID: <3E7B6FF7.3090607@pa.net>

Raymond Dijkxhoorn wrote:
> So what's the current limitation, how long could those files be ? :)

How much RAM do you have ;-)

Leland

From Cleveland at MAIL.WINNEFOX.ORG Fri Mar 21 20:03:50 2003
From: Cleveland at MAIL.WINNEFOX.ORG (Jody Cleveland)
Date: Thu Jan 12 21:17:33 2006
Subject: ANNOUNCE: mailstats.pl V0.17
Message-ID: <84CFA712F666B44A94CE6BE116BAF4B0B4E4D5@MAIL>

Hi David,

I just downloaded ver .18. When trying to run it, I get this error:

Can't locate /config.pl in @INC (@INC contains: /usr/lib/perl5/5.8.0/i386-linux-thread-multi /usr/lib/perl5/5.8.0 /usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.0 /usr/lib/perl5/site_perl /usr/lib/perl5/vendor_perl/5.8.0/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.0 /usr/lib/perl5/vendor_perl .) at mailstats.pl line 44.

Where exactly should config.pl go? Right now, I've got it in the same folder as mailstats.pl

Jody

-----Original Message-----
From: David While [mailto:David.While@UCE.AC.UK]
Sent: Friday, March 14, 2003 9:15 AM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: ANNOUNCE: mailstats.pl V0.17

For those people who use my script to analyse the mail log file you will find a new version which has the following additions:

It can now report which spam traps have been triggered eg the RBLs so you get a report showing spamassassin, osirusoft.com etc and how many spam each of them has detected.

I have also separated the configuration values into a separate file so that future upgrades of the software are easier to install - you shouldn't have to change your configuration file.

I have also changed the code which scans the log file to make it substantially quicker.

The report also includes the current number of mail messages in the mail queue.

You can view the output at http://www.boys-brigade.org.uk/mrtg/

You can download as usual from http://staff.cie.uce.ac.uk/~dwhile/mailstats/

-----------------------------------------------------------------
David While
Technical Development Manager
Faculty of Computing, Information & English
University of Central England
Tel: 0121 331 6211

From mailscanner at ecs.soton.ac.uk Fri Mar 21 20:08:06 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:33 2006
Subject: MS ruleset file sizes
In-Reply-To:
References: <5.2.0.9.2.20030321192248.021a94d0@imap.ecs.soton.ac.uk>
Message-ID: <5.2.0.9.2.20030321200634.021bb248@imap.ecs.soton.ac.uk>

At 19:44 21/03/2003, you wrote:
>Hi!
>
> > >What about making the rule sets in .db format. Just like the sendmail
> > >files, saves a restart also when i only update the rulesets. Would that be
> > >possible? Faster for looking up also.
>
> > The ruleset testing involves iterating through all the rules until a match
> > is found. If they are .db format, then the order of the rules is lost,
> > which is very important. As for speed, the current lookups are done from
> > RAM, which is faster than any disk-based lookup such as .db files.
>
>So what's the current limitation, how long could those files be ? :)

As I have said elsewhere, the best approach for large config files is to slurp them all in from a database at startup time, then look them up in local hash tables at run time. I can't see tens of thousands causing much of a problem. There is no hard-wired limit at all.

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

From brose at MED.WAYNE.EDU Fri Mar 21 20:42:54 2003
From: brose at MED.WAYNE.EDU (Rose, Bobby)
Date: Thu Jan 12 21:17:33 2006
Subject: SA 2.51 and Bayes
Message-ID:

I didn't get a response on the SA list but is Bayes even working for anyone. By that I mean is it autolearning correctly or manually using sa-learn? I cleared out the bayes files from .spamassassin and it recreated them but the databases are still 0 except for the msg count one.

If I run "sa-learn --spam --file sample-spam.txt" I get "AnyDBM_File doesn't define an EXISTS method at lib/Mail/SpamAssassin/BayesStore.pm line 677"

Also if I do a spamassassin -D -T < message.txt I see the same message in the debug output when it tries to autolearn.

-=B

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030321/addb8ef5/attachment.html

From nospam at WCC.NET Fri Mar 21 20:48:10 2003
From: nospam at WCC.NET (Kip Turk)
Date: Thu Jan 12 21:17:33 2006
Subject: False DoS report
Message-ID:

I have some users sending around some proprietary files that get extremely large when uncompressed. The files are sent as filename.zip, and the typical message size is around 500k. From what I can discern, tnef is attempting to extract these files to scan and is considering them to be a DoS against the virus scanner. The maximum-size for tnef is already 100M and I hesitate to increase it to accommodate these few users. In fact, I hate to set the ruleset here as I'm not positive these expanded files wouldn't actually be a DoS against my system, however unintentional.

As a stop-gap method, I've stopped virus scanning completely for these users. Obviously, this isn't an optimal solution. What I'd like to do is skip tnef expansion or virus scanning for filename.zip files sent to or from these users. Unfortunately, it looks to me like this would require a nested ruleset.

Anyone have a clever solution I'm missing? And is a nested ruleset safe/functional?

--
Kip Turk, RHCE spamdies@wcc.net
Systems Administrator/Killer of Spam/Writer of Code/Penguin Proponent
West Central Net - tel: 915.234.5678 / 800.695.9016 fax: 915.656.0071
-.-. --- -.. . / -- --- -. -.- . -.-- --..-- / .... .- -.-. -.- . .-.

From raymond at PROLOCATION.NET Fri Mar 21 21:04:48 2003
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:17:33 2006
Subject: MS ruleset file sizes
In-Reply-To: <3E7B6FF7.3090607@pa.net>
Message-ID:

Hi!

> > So what's the current limitation, how long could those files be ? :)
> How much RAM do you have ;-)

Well, 2 gig, but still, its a little depending on how Julian worked it out i guess ? Or just virtually unlimited ?

Did anyone test yet with _large_ configs ? eg. 50.000+ mailbox rules ?

bye,
Raymond.

From raymond at PROLOCATION.NET Fri Mar 21 21:05:56 2003
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:17:33 2006
Subject: MS ruleset file sizes
In-Reply-To: <5.2.0.9.2.20030321200634.021bb248@imap.ecs.soton.ac.uk>
Message-ID:

Hi!

> >So what's the current limitation, how long could those files be ? :)
> As I have said elsewhere, the best approach for large config files is to
> slurp them all in from a database at startup time, then look them up in
> local hash tables at run time. I can't see tens of thousands causing much
> of a problem. There is no hard-wired limit at all.

I'll do some field testing with large lists soon, will post some reports on the list when i am ready.

Thanks,
Raymond.

From raymond at PROLOCATION.NET Fri Mar 21 21:09:18 2003
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:17:33 2006
Subject: Osirusoft ?
In-Reply-To:
Message-ID:

Hi!

Anyone else having problems with the osirusoft spam lists ? They are not reachable it seems, tried from various networks...

Bye,
Raymond.

From Cleveland at MAIL.WINNEFOX.ORG Fri Mar 21 21:13:37 2003
From: Cleveland at MAIL.WINNEFOX.ORG (Jody Cleveland)
Date: Thu Jan 12 21:17:33 2006
Subject: ip addresses in whitelist are still being blocked
Message-ID: <84CFA712F666B44A94CE6BE116BAF4B0B4E4D8@MAIL>

Hello,

I've got MailScanner running on a redhat 8 box with sendmail. I had spamassassin installed, and it was a little over zealous in what it blocked, so I started adding ip addresses to the MailScanner whitelist. Well, email to those very ip addresses were still being blocked. So, I stopped the SpamAssassin service in Redhat, and also turned it off in the MailScanner.conf file. Email is still being blocked.

Any ideas on what may be causing this? After each change, I restarted mailscanner, but still no luck.

--
Jody Cleveland
(cleveland@winnefox.org)

Winnefox Library System
Computer Support Specialist

From brose at MED.WAYNE.EDU Fri Mar 21 21:27:00 2003
From: brose at MED.WAYNE.EDU (Rose, Bobby)
Date: Thu Jan 12 21:17:33 2006
Subject: ip addresses in whitelist are still being blocked
Message-ID:

Are you sure it's not your sendmail? SA doesn't block. And MS does nothing but tag unless you've created a rule to do something else with a message.

-----Original Message-----
From: Jody Cleveland [mailto:Cleveland@MAIL.WINNEFOX.ORG]
Sent: Friday, March 21, 2003 4:14 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: ip addresses in whitelist are still being blocked

Hello,

I've got MailScanner running on a redhat 8 box with sendmail. I had spamassassin installed, and it was a little over zealous in what it blocked, so I started adding ip addresses to the MailScanner whitelist. Well, email to those very ip addresses were still being blocked. So, I stopped the SpamAssassin service in Redhat, and also turned it off in the MailScanner.conf file. Email is still being blocked.

Any ideas on what may be causing this? After each change, I restarted mailscanner, but still no luck.

--
Jody Cleveland
(cleveland@winnefox.org)

Winnefox Library System
Computer Support Specialist

From brose at MED.WAYNE.EDU Fri Mar 21 21:28:20 2003
From: brose at MED.WAYNE.EDU (Rose, Bobby)
Date: Thu Jan 12 21:17:33 2006
Subject: Osirusoft ?
Message-ID:

Yeh I think it's down. Early in January they had some power problems and were down then. This looks like it's network related. Traceroutes are aborting after too many timeouts.

-----Original Message-----
From: Raymond Dijkxhoorn [mailto:raymond@PROLOCATION.NET]
Sent: Friday, March 21, 2003 4:09 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Osirusoft ?

Hi!

Anyone else having problems with the osirusoft spam lists ? They are not reachable it seems, tried from various networks...

Bye,
Raymond.

From ycayer at 3WEBMEDIA.COM Fri Mar 21 21:34:07 2003
From: ycayer at 3WEBMEDIA.COM (Yannick Cayer)
Date: Thu Jan 12 21:17:33 2006
Subject: Does MailScanner support Ensim's Webppliance for Linux
Message-ID:

Greetings,

I was wondering if there is a way to integrate MailScanner into Ensim's Webppliance for Linux? If so, what is the procedure or the link to the procedure to do this?

Thank you in advance

--Yannick

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030321/f56bbe37/attachment.html

From Cleveland at MAIL.WINNEFOX.ORG Fri Mar 21 21:33:50 2003
From: Cleveland at MAIL.WINNEFOX.ORG (Jody Cleveland)
Date: Thu Jan 12 21:17:33 2006
Subject: ip addresses in whitelist are still being blocked
Message-ID: <84CFA712F666B44A94CE6BE116BAF4B0B4E4DE@MAIL>

> Are you sure it's not your sendmail? SA doesn't block. And MS does
> nothing but tag unless you've created a rule to do something
> else with a message.

OMG. I'm using webmin, and I just checked the spam controls for sendmail, and there are a ton of ip addresses in there. I know for a fact they didn't use to be. How did they get in there? is it something spamassassin did?

Jody

From brose at MED.WAYNE.EDU Fri Mar 21 21:39:07 2003
From: brose at MED.WAYNE.EDU (Rose, Bobby)
Date: Thu Jan 12 21:17:33 2006
Subject: ip addresses in whitelist are still being blocked
Message-ID:

SA doesn't do anything to sendmail. Also sendmail needs to be compiled to use an access file.

-----Original Message-----
From: Jody Cleveland [mailto:Cleveland@MAIL.WINNEFOX.ORG] Sent: Friday, March 21, 2003 4:34 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: ip addresses in whitelist are still being blocked > Are you sure it's not your sendmail? SA doesn't block. And MS does > nothing but tag unless you've created a rule to do something else with > a message. OMG. I'm using webmin, and I just checked the spam controls for sendmail, and there are a ton of ip addresses in there. I know for a fact they didn't use to be. How did they get in there? is it something spamassassin did? Jody From Cleveland at MAIL.WINNEFOX.ORG Fri Mar 21 21:29:53 2003 From: Cleveland at MAIL.WINNEFOX.ORG (Jody Cleveland) Date: Thu Jan 12 21:17:33 2006 Subject: ip addresses in whitelist are still being blocked Message-ID: <84CFA712F666B44A94CE6BE116BAF4B0B4E4DD@MAIL> > Are you sure it's not your sendmail? SA doesn't block. And MS does > nothing but tag unless you've created a rule to do something > else with a message. It didn't start blocking until I started SpamAssassin and told MailScanner to use it. Jody From raymond at PROLOCATION.NET Fri Mar 21 21:33:26 2003 From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:17:33 2006 Subject: Osirusoft ? In-Reply-To: Message-ID: Hi! > Yeh I think it's down. Early in January they had some power problems > and were down then. This looks like it network related. Traceroutes > are aborting after too many timeouts. I'll mail them once its get back. Would be nice to see they using some more nameservers also outside their own network for the resolving. I could offer one to them, wont be a big problem... But thanks for the reply, then i know its not just /me :) Bye, Raymond. From Kevin.Spicer at BMRB.CO.UK Fri Mar 21 21:57:31 2003 
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin)
Date: Thu Jan 12 21:17:33 2006
Subject: ip addresses in whitelist are still being blocked
Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0EBF4A7@pascal.priv.bmrb.co.uk>

> > Are you sure it's not your sendmail? SA doesn't block. And MS does
> > nothing but tag unless you've created a rule to do something
> > else with a message.
>
> OMG. I'm using webmin, and I just checked the spam controls
> for sendmail,
> and there are a ton of ip addresses in there. I know for a
> fact they didn't
> use to be. How did they get in there? is it something
> spamassassin did?

You posted earlier that you were trying to get mailstats.pl working. mailstats.pl doesn't just produce statistics, it also will automatically add the ip of spam senders to sendmail's blacklist [note this can be turned off in the mailstats config file] - it looks like perhaps that is what is happening. AFAIK MS and SA don't alter sendmail's access database themselves.

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000
_________________________________________________________________
This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business.

From brent at WHITE-DEV.QUATRO.COM Fri Mar 21 22:00:13 2003
From: brent at WHITE-DEV.QUATRO.COM (Brent) Date: Thu Jan 12 21:17:33 2006 Subject: Osirusoft ? In-Reply-To: <581E96807D8F164BAC721997E5B8E40676B6DC@bto.quatro.com> Message-ID: <581E96807D8F164BAC721997E5B8E4060D9383@bto.quatro.com> It would appear osirusoft was improving their system: host relays.osirusoft.com relays.osirusoft.com has address 63.203.10.226 relays.osirusoft.com has address 63.203.10.227 relays.osirusoft.com has address 63.203.10.228 relays.osirusoft.com has address 63.203.10.229 relays.osirusoft.com has address 63.203.10.230 relays.osirusoft.com has address 168.103.84.163 relays.osirusoft.com has address 168.103.84.164 relays.osirusoft.com has address 168.103.84.165 relays.osirusoft.com has address 216.102.236.42 relays.osirusoft.com has address 216.102.236.44 -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Raymond Dijkxhoorn Sent: Friday, March 21, 2003 4:33 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Osirusoft ? Hi! > Yeh I think it's down. Early in January they had some power problems > and were down then. This looks like it network related. Traceroutes > are aborting after too many timeouts. I'll mail them once its get back. Would be nice to see they using some more nameservers also outside their own network for the resolving. I could offer one to them, wont be a big problem... But thanks for the reply, then i know its not just /me :) Bye, Raymond. From raymond at PROLOCATION.NET Fri Mar 21 22:20:09 2003 
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:17:33 2006 Subject: Osirusoft ? In-Reply-To: <581E96807D8F164BAC721997E5B8E4060D9383@bto.quatro.com> Message-ID: Hi! > host relays.osirusoft.com > relays.osirusoft.com has address 63.203.10.226 > relays.osirusoft.com has address 63.203.10.227 > relays.osirusoft.com has address 63.203.10.228 But all 4 nameservers were unreachable, the ones that point towards their domain itself... Ok, good to see its working again :) Bye, Raymond. From lindsay at pa.net Fri Mar 21 22:37:52 2003 
From: lindsay at pa.net (Lindsay Snider)
Date: Thu Jan 12 21:17:33 2006
Subject: MS ruleset file sizes
In-Reply-To:
References:
Message-ID: <200303211737.52647.lindsay@pa.net>

On Friday 21 March 2003 16:05, you wrote:
> Hi!
>
> > >So what's the current limitation, how long could those files be ? :)
> >
> > As I have said elsewhere, the best approach for large config files is to
> > slurp them all in from a database at startup time, then look them up in
> > local hash tables at run time. I can't see tens of thousands causing much
> > of a problem. There is no hard-wired limit at all.
>
> I'll do some field testing with large lists soon, will post some reports
> on the list when I am ready.
>

In the next week or two, I too plan to test w/ somewhere in that range of mailbox rules. I too will share what I find.

Would a database work for files that are order dependent? If the current data is not order dependent I'll save you time, stop reading, the rest of this email means nothing.... :)

From the source, it looks like each file is loaded into an array. Thus, searches on the array will be linear. Am I understanding the code correctly? Each file is stored as an array and then each array is put into a hash based on the variable name of the file?

Does anyone have performance data on when the number of rules might become relevant? If someone does need 'log n' performance, maybe parts of the file can be loaded into a memory hash where the order doesn't matter. With a goal of minimal changes/hacking in mind, here's an idea.

Maybe, within the data files, comments could be used to start and end sections of entries that are not order dependent. Then as a modification to mailscanner, we can look for those comments. All data in between the comments could be treated as one element in the array. That element would be a reference to a hash of the elements within. Then when reading the arrays, we'd watch for hash references and search down through them when found.
It's just an idea, any thoughts? If needed, is there any communal interest in working on this? I really like the modularity and readability of the code. Cheers to Julian!! lindsay > Thanks, > Raymond. From lists at STHOMAS.NET Fri Mar 21 23:02:25 2003 From: lists at STHOMAS.NET (Steve Thomas) Date: Thu Jan 12 21:17:33 2006 Subject: Attachments in Outlook (was Disabling virus scanning for outbound e-mail...) In-Reply-To: Message-ID: | OT question: Does anyone have a good URL explaining how to deal with | Outlook not seeing standard attachments (like from pine)? I've googled | quite a bit and all I've found so far is hundreds of pages dealing with | Outlook sending nonstandard attachments, but my problem is the other way | around. Is it a case of Outlook 2002 (or 2000 w/sp) blocking access to them? What are the filenames (or more specifically, the extensions)? Have a look at http://support.microsoft.com/default.aspx?scid=kb;en-us;Q290497 and see if that's the problem. From lists at STHOMAS.NET Fri Mar 21 23:04:50 2003 From: lists at STHOMAS.NET (Steve Thomas) Date: Thu Jan 12 21:17:33 2006 Subject: False DoS report In-Reply-To: Message-ID: Would password-protecting the zip files stop MS from delivering them? If not, you could leave everything as-is and tell those users to password those zip files. | I have some users sending around some proprietary files that get | extremely large when uncompressed. The files are sent as filename.zip, | ... | Unfortunately, it looks to me like this would require a nested ruleset. | Anyone have a clever solution I'm missing? And is a nested ruleset | safe/functional? From donovan at HUFFDATASYSTEMS.COM Fri Mar 21 23:01:55 2003 
From: donovan at HUFFDATASYSTEMS.COM (Donovan Huff | HUFF DATA SYSTEMS) Date: Thu Jan 12 21:17:33 2006 Subject: Does MailScanner support Ensim's Webppliance for Linux References: Message-ID: <004001c2effe$4d757470$6ef91d43@x27> Message Yes, see the following URL for a HOW-TO: http://ncmanage.com/howto/mailscanner-spam.html Also, you might want to install the newer version of MailScanner as the how-to has instructions for a version which is a little older. Regards, Donovan Huff Owner/Operator HUFF DATA SYSTEMS donovan@huffdatasystems.com http://www.huffdatasystems.com/ (361) 781-0631 ------------------------------------------------------ Web Hosting Starting at $5.00/mo http://www.huffdatasystems.com/ ------------------------------------------------------ ----- Original Message ----- From: Yannick Cayer To: MAILSCANNER@JISCMAIL.AC.UK Sent: Friday, March 21, 2003 3:34 PM Subject: Does MailScanner support Ensim's Webppliance for Linux Greetings, I was wondering if there is a way to integrate MailScanner into Ensim's Webppliance for Linux? If so, what is procedure or the link to the procedure to do this. Thank you in advance --Yannick From DanielK at AVALONPUB.COM Sat Mar 22 00:12:22 2003 From: DanielK at AVALONPUB.COM (Daniel Kleinsinger) Date: Thu Jan 12 21:17:33 2006 Subject: Attachments in Outlook (was Disabling virus scanning for outb ound e-mail...) Message-ID: <830753182358D411978800D0B78EE86601032D53@NTS-A?> Or how about OL2002: Attachments Do Not Appear When You Use a UNIX POP3 Server http://support.microsoft.com/default.aspx?scid=kb;en-us;309493 Daniel -----Original Message----- 
From: Steve Thomas [mailto:lists@STHOMAS.NET] Sent: Friday, March 21, 2003 3:02 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Attachments in Outlook (was Disabling virus scanning for outbound e-mail...) | OT question: Does anyone have a good URL explaining how to deal with | Outlook not seeing standard attachments (like from pine)? I've | googled quite a bit and all I've found so far is hundreds of pages | dealing with Outlook sending nonstandard attachments, but my problem | is the other way around. Is it a case of Outlook 2002 (or 2000 w/sp) blocking access to them? What are the filenames (or more specifically, the extensions)? Have a look at http://support.microsoft.com/default.aspx?scid=kb;en-us;Q290497 and see if that's the problem. From stone at HKUST.SE Sat Mar 22 04:37:32 2003 
From: stone at HKUST.SE (Magnus Stenman) Date: Thu Jan 12 21:17:33 2006 Subject: HideVirusScanner patch Message-ID: <3E7BE88C.D8C985AE@hkust.se> Hi! I was a bit annoyed to always have to look in the log file to find out which virus scanner missed/reported which virus, so I modified MailScanner to optionally show the virus scanner names in the reports. I also modified the indentation a little bit. patches for MS 4.13 attached (apply with "patch targetfile < targetfile.diff") /magnus test mail with one .exe file and two .zip files with viruses yields: --- The following e-mail messages were found to have viruses in them: Sender: stone@hkust.se IP Address: 194.237.47.33 Recipient: stone@hkust.se Subject: test MessageID: h2M44aE31264 Report: Executable DOS/Windows programs are dangerous in email (eicar.exe) Report: FProt: eicar_com.zip->eicar.com Infection: EICAR_Test_File McAfee: eicar_com.zip/EICAR.COM Found: EICAR test file NOT a virus. Report: FProt: eicar_com-1.zip->eicar.com Infection: EICAR_Test_File McAfee: eicar_com-1.zip/EICAR.COM Found: EICAR test file NOT a virus. Full headers are: Return-Path: --- instead of --- The following e-mail messages were found to have viruses in them: Sender: stone@hkust.se IP Address: 194.237.47.33 Recipient: stone@hkust.se Subject: test MessageID: h2M4T5E32112 Report: Executable DOS/Windows programs are dangerous in email (eicar.exe) Report: eicar_com.zip->eicar.com Infection: EICAR_Test_File eicar_com.zip/EICAR.COM Found: EICAR test file NOT a virus. Report: eicar_com-1.zip->eicar.com Infection: EICAR_Test_File eicar_com-1.zip/EICAR.COM Found: EICAR test file NOT a virus. Full headers are Return-Path: --- -------------- next part -------------- A non-text attachment was scrubbed... 
Name: hidescanner.tgz Type: application/x-unknown-content-type-winrar Size: 2082 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030322/480d4d5c/hidescanner.bin From raymond at PROLOCATION.NET Sat Mar 22 09:31:01 2003 From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:17:33 2006 Subject: HideVirusScanner patch In-Reply-To: <3E7BE88C.D8C985AE@hkust.se> Message-ID: Hi! > I was a bit annoyed to always have to look in the log file to find out > which virus scanner missed/reported which virus, so I modified > MailScanner to optionally show the virus scanner names in the reports. > > I also modified the indentation a little bit. Same applies for the spam scans, could those be included in the reports also Julian ? For the helpdesk it would mean less work since they dont have to lookup the list that did the job... Bye, Raymond. From David.While at UCE.AC.UK Sat Mar 22 09:34:33 2003 
From: David.While at UCE.AC.UK (David While) Date: Thu Jan 12 21:17:33 2006 Subject: ANNOUNCE: mailstats.pl V0.17 Message-ID: If you run it manually then you need to type ./mailstats.pl or use the full path name. The config.pl file should be in the same directory as the mailstats.pl file. ----------------------------------------------------------------- David While Technical Development Manager Faculty of Computing, Information & English University of Central England Tel: 0121 331 6211 Jody Cleveland cc: Sent by: Subject: Re: ANNOUNCE: mailstats.pl V0.17 MailScanner mailing list 21/03/2003 20:03 Please respond to MailScanner mailing list Hi David, I just downloaded ver .18. When trying to run it, I get this error: Can't locate /config.pl in @INC (@INC contains: /usr/lib/perl5/5.8.0/i386-linux- thread-multi /usr/lib/perl5/5.8.0 /usr/lib/perl5/site_perl/5.8.0/i386-linux-thre ad-multi /usr/lib/perl5/site_perl/5.8.0 /usr/lib/perl5/site_perl /usr/lib/perl5/ vendor_perl/5.8.0/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.0 /usr/ lib/perl5/vendor_perl .) at mailstats.pl line 44. Where exactly should config.pl go? Right now, I've got it in the same folder as mailstats.pl Jody -----Original Message----- 
From: David While [mailto:David.While@UCE.AC.UK] Sent: Friday, March 14, 2003 9:15 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: ANNOUNCE: mailstats.pl V0.17 For those people who use my script to analyse the mail log file you will find a new version which has the following additions: It can now report which spam traps have been triggered eg the RBLs so you get a report showing spamassassin, osirusoft.com etc and how many spam each of them has detected. I have also separated the configuration values into a separate file so that future upgrades of the software are easier to install - you shouldn't have to change your configuration file. I have also changed the code which scans the log file to make it substantially quicker. The report also includes the current number of mail messages in the mail queue. You can view the output at http://www.boys-brigade.org.uk/mrtg/ You can download as usual from http://staff.cie.uce.ac.uk/~dwhile/mailstats/ ----------------------------------------------------------------- David While Technical Development Manager Faculty of Computing, Information & English University of Central England Tel: 0121 331 6211 From Jan-Peter.Koopmann at SECEIDOS.DE Sat Mar 22 10:27:52 2003 From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann) Date: Thu Jan 12 21:17:33 2006 Subject: SA 2.51 and Bayes Message-ID: <4E7026FF8A422749B1553FE508E0068007EFE6@message.intern.akctech.de> Hi Bobby, install DB_Files from CPAN. Looks to me like you do not have any DB engine installed that SA works with. Regards, JP _____ 
From: Rose, Bobby [mailto:brose@MED.WAYNE.EDU] Sent: Friday, March 21, 2003 9:43 PM To: MAILSCANNER@JISCMAIL.AC.UK I didn't get a response on the SA list but is Bayes even working for anyone. By that I mean is it autolearning correctly or manually using sa-learn? I cleared out the bayes files form .spamassassin and it recreated them but the databases are still 0 except for the msg count one. If I run "sa-learn --spam --file sample-spam.txt" I get "AnyDBM_File doesn't define an EXISTS method at lib/Mail/SpamAssassin/BayesStore.pm line 677" Also if I do a spamassassin -D -T < message.txt I see the same message in the debug output when it trys to autolearn. -=B -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030322/dc1a2839/attachment.html From mailscanner at ecs.soton.ac.uk Sat Mar 22 18:11:57 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:33 2006
Subject: HideVirusScanner patch
In-Reply-To: <3E7BE88C.D8C985AE@hkust.se>
Message-ID: <5.2.0.9.2.20030322181009.026e7ed8@imap.ecs.soton.ac.uk>

Thanks for that. I have implemented it a bit differently, and there will be a new configuration option in the next release:

# Include the name of the virus scanner in each of the scanner reports.
# Very useful if you use several virus scanners, but a bad idea if you
# don't want to let your customers know which scanners you use.
Include Scanner Name In Reports = no

It is "no" by default so that the report format doesn't change when you start using the new version. It is up to you to choose to start including the scanner name if you want to.

At 04:37 22/03/2003, you wrote:
>Hi!
>
>I was a bit annoyed to always have to look in the log file to find out
>which virus scanner missed/reported which virus, so I modified
>MailScanner to optionally show the virus scanner names in the reports.
>
>I also modified the indentation a little bit.
>
>
>
>patches for MS 4.13 attached
>(apply with "patch targetfile < targetfile.diff")
>
>
>/magnus
>
>
>test mail with one .exe file and two .zip files with viruses yields:
>---
>The following e-mail messages were found to have viruses in them:
>
> Sender: stone@hkust.se
>IP Address: 194.237.47.33
> Recipient: stone@hkust.se
> Subject: test
> MessageID: h2M44aE31264
> Report: Executable DOS/Windows programs are dangerous in email
>(eicar.exe)
> Report: FProt: eicar_com.zip->eicar.com Infection: EICAR_Test_File
> McAfee: eicar_com.zip/EICAR.COM Found: EICAR test
>file NOT a virus.
> Report: FProt: eicar_com-1.zip->eicar.com Infection:
>EICAR_Test_File
> McAfee: eicar_com-1.zip/EICAR.COM Found: EICAR test
>file NOT a virus.
>
>Full headers are:
>
> Return-Path:
>---
>instead of
>---
>The following e-mail messages were found to have viruses in them:
>
> Sender: stone@hkust.se
>IP Address: 194.237.47.33
> Recipient: stone@hkust.se
> Subject: test
> MessageID: h2M4T5E32112
> Report: Executable DOS/Windows programs are dangerous in email
>(eicar.exe)
> Report: eicar_com.zip->eicar.com Infection: EICAR_Test_File
>eicar_com.zip/EICAR.COM Found: EICAR test file NOT a virus.
> Report: eicar_com-1.zip->eicar.com Infection: EICAR_Test_File
>eicar_com-1.zip/EICAR.COM Found: EICAR test file NOT a virus.
>
>Full headers are
> Return-Path:
>---

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Sat Mar 22 17:27:22 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:33 2006
Subject: HideVirusScanner patch
In-Reply-To:
References: <3E7BE88C.D8C985AE@hkust.se>
Message-ID: <5.2.0.9.2.20030322172640.026d5ea0@imap.ecs.soton.ac.uk>

At 09:31 22/03/2003, you wrote:
> > I was a bit annoyed to always have to look in the log file to find out
> > which virus scanner missed/reported which virus, so I modified
> > MailScanner to optionally show the virus scanner names in the reports.
>
>Same applies for the spam scans, could those be included in the reports
>also Julian ? For the helpdesk it would mean less work since they don't
>have to lookup the list that did the job...

Which spam reports? The ones sent back to the sender if the "bounce" action is taken?

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

From henker at SHCOM.US Sat Mar 22 18:33:00 2003
From: henker at SHCOM.US (Steffan Henke) Date: Thu Jan 12 21:17:33 2006 Subject: Does MailScanner support Ensim's Webppliance for Linux In-Reply-To: <5.2.0.9.2.20030322171501.026c6eb8@imap.ecs.soton.ac.uk> References: <5.2.0.9.2.20030322171501.026c6eb8@imap.ecs.soton.ac.uk> Message-ID: On Sat, 22 Mar 2003, Julian Field wrote: > try this myself very soon and try to iron out any problems with the > installation procedure. I need to make sure it is all working properly with > all the bandwidth monitoring libraries as well, as I'm not sure it is at > the moment. The bw monitoring is the only issue I still have with ensim. Apart from that, MS is just running fine. Regards, Steffan From raymond at PROLOCATION.NET Sat Mar 22 18:23:09 2003 From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:17:33 2006 Subject: HideVirusScanner patch In-Reply-To: <5.2.0.9.2.20030322172640.026d5ea0@imap.ecs.soton.ac.uk> Message-ID: Hi! > >Same applies for the spam scans, could those be included in the reports > >also Julian ? For the helpdesk it would mean less work since they dont > >have to lookup the list that did the job... > > Which spam reports? The ones sent back to the sender if the "bounce" action > is taken? Yes. Bye, Raymond From cleveland at MAIL.WINNEFOX.ORG Sat Mar 22 18:35:34 2003 
From: cleveland at MAIL.WINNEFOX.ORG (Jody Cleveland)
Date: Thu Jan 12 21:17:33 2006
Subject: ip addresses in whitelist are still being blocked
In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB0EBF4A7@pascal.priv.bmrb.co.uk>
References: <5C0296D26910694BB9A9BBFC577E7AB0EBF4A7@pascal.priv.bmrb.co.uk>
Message-ID: <1168.172.30.59.6.1048358134.squirrel@email.winnefox.org>

> You posted earlier that you were trying to get mailstats.pl working.
> mailstats.pl doesn't just produce statistics, it also will automatically
> add the ip of spam senders to sendmail's blacklist [note this can be turned
> off in the mailstats config file] - it looks like perhaps that is what is
> happening. AFAIK MS and SA don't alter sendmail's access database
> themselves.

Wow. I had no idea. What setting exactly do I change?

Jody

From mailscanner at ecs.soton.ac.uk Sat Mar 22 17:01:29 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:33 2006
Subject: False DoS report
In-Reply-To:
References:
Message-ID: <5.2.0.9.2.20030322170040.026e9f50@imap.ecs.soton.ac.uk>

No, it would not stop MS from delivering them.

At 23:04 21/03/2003, you wrote:
>Would password-protecting the zip files stop MS from delivering them? If
>not, you could leave everything as-is and tell those users to password those
>zip files.
>
>| I have some users sending around some proprietary files that get
>| extremely large when uncompressed. The files are sent as filename.zip,
>| ...
>| Unfortunately, it looks to me like this would require a nested ruleset.
>| Anyone have a clever solution I'm missing? And is a nested ruleset
>| safe/functional?

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Sat Mar 22 17:05:24 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:33 2006
Subject: ip addresses in whitelist are still being blocked
In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB0EBF4A7@pascal.priv.bmrb.co.uk>
Message-ID: <5.2.0.9.2.20030322170444.026be388@imap.ecs.soton.ac.uk>

At 21:57 21/03/2003, you wrote:
> > > Are you sure it's not your sendmail? SA doesn't block. And MS does
> > > nothing but tag unless you've created a rule to do something
> > > else with a message.
> >
> > OMG. I'm using webmin, and I just checked the spam controls
> > for sendmail,
> > and there are a ton of ip addresses in there. I know for a
> > fact they didn't
> > use to be. How did they get in there? is it something
> > spamassassin did?
>
>AFAIK MS and SA don't alter sendmail's access database themselves.

Correct. MS and SA don't touch anything outside their own control.

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Sat Mar 22 17:19:25 2003
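Added example (not part of any message in this archive, and not code from MailScanner, SpamAssassin or mailstats.pl): the thread above traces the blocking to entries in sendmail's access database rather than to the scanner. This Perl sketch checks scanner-whitelisted addresses against the text form of an access map; the sample entries and addresses are constructed, `Connect:`-tagged and untagged keys are treated alike as a simplification, and the sub names are hypothetical.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample in the text format of a sendmail access map:
# key, whitespace, action. Addresses come from documentation ranges.
my $access_text = <<'ACCESS';
# entries appended by a log-analysis script (constructed)
192.0.2.15          REJECT
198.51.100          REJECT
198.51.100.7        OK
Connect:203.0.113.9 ERROR:550 spam source
spammer@example.com REJECT
ACCESS

# Constructed list of addresses the scanner's whitelist is meant to let in.
my @whitelist = qw(192.0.2.15 198.51.100.7 198.51.100.20 203.0.113.9 192.0.2.99);

# Keep only address keys (full IPs or leading-octet prefixes).
# Assumption: a "Connect:" tag is stripped and treated like an untagged key;
# if a key repeats, this sketch keeps the first occurrence.
sub parse_access {
    my ($text) = @_;
    my %map;
    for my $line (split /\n/, $text) {
        next if $line =~ /^\s*(?:#|$)/;            # comments and blank lines
        my ($key, $action) = split ' ', $line, 2;
        next unless defined $action;
        $key =~ s/^Connect://i;
        next unless $key =~ /^\d{1,3}(?:\.\d{1,3}){0,3}$/;
        $action =~ s/\s+$//;
        $map{$key} = $action unless exists $map{$key};
    }
    return \%map;
}

# Most specific key wins: try a.b.c.d, then a.b.c, a.b and a.
sub access_action {
    my ($map, $ip) = @_;
    my @octets = split /\./, $ip;
    while (@octets) {
        my $key = join '.', @octets;
        return ($key, $map->{$key}) if exists $map->{$key};
        pop @octets;
    }
    return;
}

# Actions that stop mail at the MTA, before any scanner sees the message.
sub is_blocking {
    my ($action) = @_;
    return $action =~ /^(?:REJECT|DISCARD|ERROR:|[45]\d\d\b)/i ? 1 : 0;
}

# Whitelisted addresses that the access map would still turn away.
sub blocked_whitelist_entries {
    my ($map, @ips) = @_;
    my @hits;
    for my $ip (@ips) {
        my ($key, $action) = access_action($map, $ip);
        next unless defined $action && is_blocking($action);
        push @hits, { ip => $ip, key => $key, action => $action };
    }
    return @hits;
}

unless (caller) {
    my $map = parse_access($access_text);
    for my $hit (blocked_whitelist_entries($map, @whitelist)) {
        print "$hit->{ip}: whitelisted in the scanner, but access key ",
              "'$hit->{key}' says $hit->{action}\n";
    }
}
```

A hit means the MTA refuses the connection before the scanner's whitelist is ever consulted, so the entry has to be corrected in the access map itself.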
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:33 2006 Subject: Does MailScanner support Ensim's Webppliance for Linux In-Reply-To: <004001c2effe$4d757470$6ef91d43@x27> References: Message-ID: <5.2.0.9.2.20030322171501.026c6eb8@imap.ecs.soton.ac.uk> At 23:01 21/03/2003, you wrote: >Message >Yes, see the following URL for a HOW-TO: >http://ncmanage.com/howto/mailscanner-spam.html >Also, you might want to install the newer version of MailScanner as the >how-to has instructions for a version which is a little >older. I have bought a copy of Ensim and have it installed at work. So I intend to try this myself very soon and try to iron out any problems with the installation procedure. I need to make sure it is all working properly with all the bandwidth monitoring libraries as well, as I'm not sure it is at the moment. Also, having just read it, you want to install SpamAssassin 2.51 (at least) and not 2.50. >----- Original Message ----- >From: Yannick Cayer >To: MAILSCANNER@JISCMAIL.AC.UK >Sent: Friday, March 21, 2003 3:34 PM >Subject: Does MailScanner support Ensim's Webppliance for Linux > > >Greetings, > > >I was wondering if there is a way to integrate MailScanner into Ensim's >Webppliance for Linux? > > >If so, what is procedure or the link to the procedure to do this. > > > >Thank you in advance > > > >--Yannick -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Sat Mar 22 16:59:10 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:33 2006
Subject: SA 2.51 and Bayes
In-Reply-To:
Message-ID: <5.2.0.9.2.20030322165544.02711e70@imap.ecs.soton.ac.uk>

If you have "use AnyDBM_File;" at the top of your SA.pm, delete it. This is one of the changes I have made for the latest version. My systems are auto-learning and manually-learning just fine.

At 20:42 21/03/2003, you wrote:
>I didn't get a response on the SA list but is Bayes even working for
>anyone. By that I mean is it autolearning correctly or manually using
>sa-learn? I cleared out the bayes files from .spamassassin and it
>recreated them but the databases are still 0 except for the msg count
>one. If I run "sa-learn --spam --file sample-spam.txt" I get
>"AnyDBM_File doesn't define an EXISTS method at
>lib/Mail/SpamAssassin/BayesStore.pm line 677"

Check you have the Berkeley DB library installed (it comes as standard on most Linux distributions, but Solaris doesn't have it, you need to download and build it yourself on Solaris systems). It sounds a bit as if your system is not using a good DBM_File format. The purpose of AnyDBM_File is to try various different libraries until it finds one that is installed.

>
>Also if I do a spamassassin -D -T < message.txt I see the same message in
>the debug output when it tries to autolearn.
>
>-=B

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030322/a1e848b8/attachment.html

From mailscanner at ecs.soton.ac.uk Sat Mar 22 17:02:28 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:33 2006 Subject: SA 2.51 and Bayes In-Reply-To: <4E7026FF8A422749B1553FE508E0068007EFE6@message.intern.akct ech.de> Message-ID: <5.2.0.9.2.20030322170152.021e7148@imap.ecs.soton.ac.uk> I believe it is called "DB_File". You still need to delete any "use Any_DBM...." at the top of SA.pm. At 10:27 22/03/2003, you wrote: >Hi Bobby, > >install DB_Files from CPAN. Looks to me like you do not have any DB engine >installed that SA works with. > >Regards, > JP > > > >---------- >From: Rose, Bobby [mailto:brose@MED.WAYNE.EDU] >Sent: Friday, March 21, 2003 9:43 PM >To: MAILSCANNER@JISCMAIL.AC.UK > >I didn't get a response on the SA list but is Bayes even working for >anyone. By that I mean is it autolearning correctly or manually using >sa-learn? I cleared out the bayes files form .spamassassin and it >recreated them but the databases are still 0 except for the msg count >one. If I run "sa-learn --spam --file sample-spam.txt" I get >"AnyDBM_File doesn't define an EXISTS method at >lib/Mail/SpamAssassin/BayesStore.pm line 677" > >Also if I do a spamassassin -D -T < message.txt I see the same message in >the debug output when it trys to autolearn. > >-=B -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030322/cadcc141/attachment.html From brose at MED.WAYNE.EDU Sat Mar 22 18:19:23 2003 From: brose at MED.WAYNE.EDU (Rose, Bobby) Date: Thu Jan 12 21:17:33 2006 Subject: SA 2.51 and Bayes Message-ID: Hmm that worked thanks! I rechecked the install for SA and I don't see any mention of this requirement for 2.51. It wasn't for 2.50. Thanks again -=B -----Original Message----- 
From: Jan-Peter Koopmann [mailto:Jan-Peter.Koopmann@SECEIDOS.DE] Sent: Saturday, March 22, 2003 5:28 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: SA 2.51 and Bayes Hi Bobby, install DB_Files from CPAN. Looks to me like you do not have any DB engine installed that SA works with. Regards, JP _____ From: Rose, Bobby [mailto:brose@MED.WAYNE.EDU] Sent: Friday, March 21, 2003 9:43 PM To: MAILSCANNER@JISCMAIL.AC.UK I didn't get a response on the SA list but is Bayes even working for anyone. By that I mean is it autolearning correctly or manually using sa-learn? I cleared out the bayes files form .spamassassin and it recreated them but the databases are still 0 except for the msg count one. If I run "sa-learn --spam --file sample-spam.txt" I get "AnyDBM_File doesn't define an EXISTS method at lib/Mail/SpamAssassin/BayesStore.pm line 677" Also if I do a spamassassin -D -T < message.txt I see the same message in the debug output when it trys to autolearn. -=B -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030322/37466635/attachment.html From mailscanner at ecs.soton.ac.uk Sat Mar 22 17:14:23 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:33 2006 Subject: MS ruleset file sizes In-Reply-To: <200303211737.52647.lindsay@pa.net> References: Message-ID: <5.2.0.9.2.20030322170803.026db678@imap.ecs.soton.ac.uk> At 22:37 21/03/2003, you wrote: >On Friday 21 March 2003 16:05, you wrote: > > Hi! > > > > > >So whats the current limitation, how long could those files be ? :) > > > > > > As I have said elsewhere, the best approach for large config files is to > > > slurp them all in from a database at startup time, then look them up in > > > local hash tables at run time. I can't see tens of thousands causing much > > > of a problem. There is no hard-wired limit at all. > > > > I'll do some filed testing with large lists soon, will post some reports > > on the list when i am ready. > > > >In the next week or two, I too plan to test w/ somewhere in that range of >mailbox rules. I too will share what I find. > >Would a database work for files that are order dependent? If the current >data >is not order dependent I'll save you time, stop reading, the rest of this >email means nothing.... :) The current implementation of the per-domain black+whitelists is based on the fact that they aren't order-dependent at all, so they work very fast as they are just a few hash table lookups. > >From the source, it looks like each file is loaded into an array. Thus, >searches on the array will be linear. Am I understanding the code >correctly? >Each file is stored as an array and then each array is put into a hash based >on the variable name of the file? That's basically it, yes. >Does anyone have performance data on when the number of rules might become >relevant? If someone does need 'log n' performance, maybe parts of the file >can be loaded into a memory hash where the order doesn't matter. With a goal >of minimal changes/hacking in mind, here's an idea. 
> >Maybe, within the data files, comments could be used to start and end >sections >of entries that are not order dependent. Then as a modification to >mailscanner, we can look for those comment. All data in between the comments >could be treated as one element in the array. That element would be a >reference to a hash of the elements within. Then when reading the arrays, >we'd watch for hash references and search down through them when found. This would end up being (I think) a hash of lists of hashes of lookup values. Wow, this is going to have a lot of brackets in it! :-) >It's just an idea, any thoughts? If needed, is there any communal >interest in >working on this? This could all be implemented in Custom Functions, so you don't have to play with the main code at all, which will make life much easier for you. In what situations do you actually need lists of hashes for a particular config variable? Look at it from a user perspective first, what problem are you trying to solve. Once you have concrete examples of what people need to be able to do, you get a much clearer idea of what you are trying to implement. Don't go in hacking code from the start, without doing some (informal) user requirements analysis first. It *will* save you time... >I really like the modularity and readability of the code. Cheers to Julian!! On good days, even I can figure out most of it now :-) -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support From lance at WARE.NET Sun Mar 23 07:44:55 2003 
From: lance at WARE.NET (Lance Ware) Date: Thu Jan 12 21:17:33 2006 Subject: Bayes and MailScanner Message-ID: <9F214F8D10934845A3664A21425C79FC674437@dhcp5.ware.net> Can someone tell me where the site wide Bayes files are and how I can add some "ham" to the database? Thanks, Lance From Kevin.Spicer at BMRB.CO.UK Sat Mar 22 20:56:15 2003 
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin) Date: Thu Jan 12 21:17:33 2006 Subject: ip addresses in whitelist are still being blocked Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0A4AD5C@pascal.priv.bmrb.co.uk> > > You posted earlier that you were trying to get mailstats.pl working. > > mailstats.pl doesn't just produce statistics, it also will automatically > > add the ip of spam senders to sendmail's blacklist [note this can be turned > > off in the mailstats config file] - it looks like perhaps that is what is > > happening. AFAIK MS and SA don't alter sendmail's access database > > themselves. > > Wow. I had no idea. What setting exactly do I change? > > Jody > There isn't a separate config file as I implied. The settings are near the beginning of the perl script itself and are well commented. The specific one you need to change to stop it editing the access db is $UseAccess = 1; which you should change to $UseAccess = 0; Don't forget that you'll also need to go through the access database (/etc/mail/access commonly) and take out the entries it has added if you want to reverse the work it has done - don't forget to rebuild access.db (makemap hash /etc/mail/access < /etc/mail/access) and restart MailScanner (in order to restart the sendmail processes). BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. From support at INVICTANET.CO.UK Sun Mar 23 22:48:25 2003 
From: support at INVICTANET.CO.UK (InvictaNet Customer Support) Date: Thu Jan 12 21:17:33 2006 Subject: Whitelist problem In-Reply-To: <1048456295.7974.74.camel@luggage> Message-ID: I would be grateful for any assistance with this problem. We scan email for an Estate Agent. They have forms on numerous 3rd party web sites for enquirers to send requests for information.The from address will be different each time. Is there a simple way I can whitelist the emails? Perhaps there is a way I can whitelist the server? (asserta.net) TIA Martyn Routley ----------------------------------------------------------------- InvictaNet - The Internet in Plain English, Guaranteed http://www.invictanet.co.uk martyn@support.invictanet.co.uk phone: 08707 440180 fax: 08707 440181 Ask us about our online Antivirus and Junk mail scanning service ----------------------------------------------------------------- Sample headers are as follows: Return-Path: Received: from krusty.dc.asserta.net ([217.204.56.189]) by lemsip.invictanet.co.uk (8.12.8/8.12.8) with ESMTP id h2LBWIxu041604 for ; Fri, 21 Mar 2003 11:32:18 GMT (envelope-from ENQUIRERS@EMAIL.ADDRESS) Received: from gonzo (gonzo [10.1.0.84]) by krusty.dc.asserta.net (8.11.6+Sun/8.11.6) with ESMTP id h2LBWFC27483 for ; Fri, 21 Mar 2003 11:32:15 GMT Date: Fri, 21 Mar 2003 11:32:15 GMT Message-ID: <13587361.1048246335881.JavaMail.weblogic@gonzo> 
From: ENQUIRERS@EMAIL.ADDRESS To: sales@OURCUSTOMER.COM Subject: {Spam?} asserta home request: email agent Mime-Version: 1.0 Content-Type: multipart/alternative; boundary="----=_Part_782_174500.1048246335877" X-MailScanner-Information: Please contact the ISP for more information X-MailScanner: Found to be clean X-MailScanner-SpamCheck: spam, SpamAssassin (score=5.6, required 5, MORTGAGE_OBFU, NO_MX_FOR_FROM, NO_REAL_NAME, SPAM_PHRASE_00_01) X-MailScanner-SpamScore: sssss X-UIDL: PMj!! References: <5.2.0.9.2.20030303223107.02273fe0@imap.ecs.soton.ac.uk> <3E650494.4080305@pa.net> Message-ID: <1048456295.7974.74.camel@luggage> Hi, Finally got these scripts onto a test server along with MailScanner 4.13.3. Changed 2 lines in the master.cf file, added the scripts (all in the location suggested in the posting). But the main problem I'm getting at the moment is the mailscanner startup script, which is trying to start sendmail instead of postfix and is passing options to it that postfix doesn't recognise :( It is also apparently (I may be misreading the code here) trying to start 2 instances of sendmail :( How have you edited the start script for mailscanner for use with postfix? Thanks for the help :) Matt Lowe On Tue, 2003-03-04 at 19:55, Leland J. Steinke wrote: > Julian Field wrote: > > Any chance of you publishing all your scripts to make your setup work? They > > would help a lot of people. > > > > The perl scripts, along with our master.cf file, are in the attached archive. > Yes, the scripts can be improved to run more quickly or converted to C, but they > are working well enough for us. > > The final piece is to set the Sendmail2 config option to > "/usr/local/spoolerator/despool.pl", while leaving the MTA as sendmail. > (Naturally, one can change the location of these scripts to whatever fits your > local preferences.) > > One of our design goals was to minimize hacking on either postfix or > MailScanner. 
With only a single line change in MailScanner.conf and two lines > in /etc/postfix/master.cf, I believe we succeeded in that design goal. > > > Leland > > ps: Be sure to set the spool.pl file to point to the appropriate directories. > pps: Test, test, and test again before fielding this on a live system!!! From linux at mostert.nom.za Mon Mar 24 09:26:46 2003 From: linux at mostert.nom.za (Mozzi) Date: Thu Jan 12 21:17:33 2006 Subject: Mailscanner in mem Message-ID: <200303241126.46062.linux@mostert.nom.za> Hallo all Can anyone remember the subject for the thread on running mailscanner in memory? I have a box with 3Gig ram here and I need the performance. Has anyone entered it into the FAQ-O-MATIC? Mozzi From carl.boberg at NRM.SE Mon Mar 24 09:11:55 2003 From: carl.boberg at NRM.SE (Carl Boberg) Date: Thu Jan 12 21:17:33 2006 Subject: Bayes? In-Reply-To: <5.2.0.9.2.20030321183212.02844b40@imap.ecs.soton.ac.uk> Message-ID: Hmm... My users usually forward their spam/not spam emails. Does this make a large difference to the bayes/sa-learn script? Since they are all using outlook I wonder if there is some way around those clients not being able to bounce or redirect? Does anybody know? Best regards Carl >-----Original Message----- 
>From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On >Behalf Of Julian Field >Sent: Friday, March 21, 2003 19:34 >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Re: Bayes? > > >At 18:21 21/03/2003, you wrote: >>Very interesting! Two questions: >> >>1) I'm assuming that your users just forward their emails to these >>addresses. > >They "bounce" or "redirect" not "forward". Forwarding a message changes the >message a lot, and throws away all the headers. Unfortunately it looks like >Outlook can't redirect/bounce a message at all, which is pretty stupid. > >> Will it make a difference to the bayes filter that the message >>has been forwarded, or is it just looking at the body of the message? > >It's looking at all of it, headers and body. > >>2) Do you have to worry about some kind of locking of the bayes database >>when running sa-learn, so that sa-learn is not updating it while >MailScanner >>is calling spamassassin to use it at the same time? > >The locking is all taken care of for you. Don't worry. > >> > -----Original Message----- 
>> > From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] >> > Sent: Friday, March 21, 2003 9:57 AM >> > To: MAILSCANNER@JISCMAIL.AC.UK >> > Subject: Re: [MAILSCANNER] Bayes? >> > >> > >> > At 14:51 21/03/2003, you wrote: >> > >Just curious about spamassassins bayes function in >> > connection with MS. >> > >Is MS utilizing the bayes function automatically >> > >> > Yes. >> > >> > > or do you have to >> > >configure something to make it work? >> > >> > No. >> > >> > > If so what, and do you have to >> > >run a "learning session" with it? >> > >> > No. >> > >> > > That is, do you have to run some >> > >definitely SPAM emails and some non SPAM emails through it? >> > >> > No. >> > >> > MailScanner is using the bayes function automatically. >> > Uniquely, the bayes >> > engine in SpamAssassin is "self-learning"; it uses the other rules to >> > identify messages which have either a very high score or a >> > very low score, >> > and it continuously feeds them to the bayes engine itself without you >> > needing to do anything. >> > >> > If you want to teach it when it gets it wrong, you can have it run the >> > "sa-learn" script to learn about particular messages. I have set up 2 >> > addresses here, "spam" and "notspam". Their mailboxes live on the main >> > MailScanner server, and people can just redirect wrongly-classified >> > messages to one of the addresses. Then once an hour the >> > script below is run >> > by cron to teach the bayes engine about the messages it got >> > wrong. For the >> > script below, I have copied SpamAssassin's "sa-learn" script into the >> > MailScanner bin directory. >> > >> > You should also run a nightly cron job that does a "sa-learn >> > --rebuild" as >> > well, to do all the housekeeping the Bayes engine requires. 
>> >
>> > #!/bin/sh
>> >
>> > SPAM=/var/mail/spam
>> > NOTSPAM=/var/mail/notspam
>> >
>> > LOGFILE=/var/log/learn.spam.log
>> > PREFS=/opt/MailScanner/etc/spam.assassin.prefs.conf
>> > SALEARN=/opt/MailScanner/bin/sa-learn
>> >
>> > date >> $LOGFILE
>> > if [ -f $SPAM ]; then
>> >   BOX=${SPAM}.processing
>> >   mv $SPAM $BOX
>> >   sleep 5 # Wait for writing current message to complete
>> >   $SALEARN --prefs-file=$PREFS --spam --mbox $BOX >> $LOGFILE 2>&1
>> >   rm -f $BOX
>> > fi
>> >
>> > if [ -f $NOTSPAM ]; then
>> >   BOX=${NOTSPAM}.processing
>> >   mv $NOTSPAM $BOX
>> >   sleep 5 # Wait for writing current message to complete
>> >   $SALEARN --prefs-file=$PREFS --ham --mbox $BOX >> $LOGFILE 2>&1
>> >   rm -f $BOX
>> > fi
>> >
>> > --
>> > Julian Field
>> > www.MailScanner.info
>> > MailScanner thanks transtec Computers for their support
>> >
>
>--
>Julian Field
>www.MailScanner.info
>Professional Support Services at www.MailScanner.biz
>MailScanner thanks transtec Computers for their support
>
From Kevin.Spicer at BMRB.CO.UK Mon Mar 24 10:08:48 2003
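A variant of the hourly sa-learn job quoted above, added here as an example and not Julian Field's script: it keeps the rotated mailbox when sa-learn fails instead of deleting it, retries a leftover .processing file on the next run, and quotes its variables. The paths are the ones from the quoted script; the SETTLE variable, the learn_box and learn_all function names and the --run argument are assumptions of this example.

```shell
#!/bin/sh
# Added example: hourly Bayes training job that does not lose mail when
# sa-learn fails. Paths are those of the quoted script; each can be
# overridden from the environment.
SPAM=${SPAM:-/var/mail/spam}
NOTSPAM=${NOTSPAM:-/var/mail/notspam}
LOGFILE=${LOGFILE:-/var/log/learn.spam.log}
PREFS=${PREFS:-/opt/MailScanner/etc/spam.assassin.prefs.conf}
SALEARN=${SALEARN:-/opt/MailScanner/bin/sa-learn}
SETTLE=${SETTLE:-5}   # seconds to let an in-flight delivery finish (assumed name)

# learn_box MAILBOX spam|ham
# Returns 0 when nothing was pending or learning succeeded, 1 when the
# rotated mailbox was kept for a retry, 2 on a bad argument.
learn_box() {
    box=$1
    kind=$2
    work=$box.processing

    case $kind in
        spam|ham) ;;
        *) echo "learn_box: kind must be spam or ham" >&2; return 2 ;;
    esac

    if [ ! -f "$work" ]; then
        # No leftover from a failed run: rotate the live mailbox aside.
        [ -f "$box" ] || return 0
        mv -- "$box" "$work" || return 1
        sleep "$SETTLE"
    fi
    # If a leftover exists it is retried first; mail that arrived since
    # stays in the live mailbox and is picked up by the following run.

    if "$SALEARN" --prefs-file="$PREFS" "--$kind" --mbox "$work" >>"$LOGFILE" 2>&1
    then
        rm -f -- "$work"
    else
        echo "sa-learn --$kind failed; kept $work for the next run" >>"$LOGFILE"
        return 1
    fi
}

# Process both mailboxes; a failure in one does not skip the other.
learn_all() {
    date >>"$LOGFILE"
    rc=0
    learn_box "$SPAM" spam || rc=1
    learn_box "$NOTSPAM" ham || rc=1
    return "$rc"
}

# Cron would call this file with --run; sourcing it only defines the functions.
if [ "${1:-}" = "--run" ]; then
    learn_all
fi
```
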
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin) Date: Thu Jan 12 21:17:33 2006 Subject: Bayes? Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0EBF4A9@pascal.priv.bmrb.co.uk> Does anyone who is running SA2.5x know the answer to the following question... When putting a 'false positive' through sa-learn do you first need to remove {SPAM?} from the Subject and the X-MailScanner headers? BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 From jrudd at UCSC.EDU Mon Mar 24 07:47:19 2003 
From: jrudd at UCSC.EDU (John Rudd) Date: Thu Jan 12 21:17:33 2006 Subject: Mailscanner+CommuniGate Pro update Message-ID: [the first time I sent this, it got rejected by the mailscanner list because I sent it from the wrong address (my home email addr); so I'm re-sending it ... sorry if it shows up twice anywhere] I noticed earlier today that there was an important step missing from the directions for setting up MailScanner with CommuniGate Pro. Specifically, if you're using the MailScanner start up script, rc.MailScanner, instead of just invoking check_mailscanner, then you need to disable the sendmail parts of rc.MailScanner. I suggest a couple ways to do that in my directions, in the step before saying to start MailScanner. I have also added an introductory section which attempts to answer the questions "what is mailscanner?", "what is communigate pro?", and "what is this page for?" http://people.ucsc.edu/~jrudd/MailScanner/ John From so-mlist-alias at all-about-shift.com Mon Mar 24 10:40:50 2003 
From: so-mlist-alias at all-about-shift.com (Soeren Gerlach) Date: Thu Jan 12 21:17:33 2006 Subject: Bayes? In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB0EBF4A9@pascal.priv.bmrb.co.uk> References: <5C0296D26910694BB9A9BBFC577E7AB0EBF4A9@pascal.priv.bmrb.co.uk> Message-ID: <32037.193.194.7.77.1048502450.squirrel@miyako.all-about-shift.com> > Does anyone who is running SA2.5x know the answer to the following > question... When putting a 'false positive' through sa-learn do you > first need to remove {SPAM?} from the Subject and the X-MailScanner > headers? As sa-learn analyzes the whole message (but knows the difference between a message header, its body and subject) it is recommended (according to the docs) to use the message before it has passed MS and has been tagged by it with footer, mail header lines etc. to get "clean" results in the Bayes database. But I don't know what happens if you feed some 1,000s of messages into the database all with a "Scanned by MailScanner...." footer in them, my guess is that it will treat just these words a little like spam. regards, Soeren Gerlach From mailscanner at ecs.soton.ac.uk Mon Mar 24 10:55:48 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:34 2006 Subject: Mailscanner in mem In-Reply-To: <200303241126.46062.linux@mostert.nom.za> Message-ID: <5.2.0.9.2.20030324105235.02378b00@imap.ecs.soton.ac.uk> At 09:26 24/03/2003, you wrote: >Hallo all > >Can anyone remember the subject for the thread on running mailscanner in memory? > >I have a box with 3Gig ram here and I need the performance. You can safely run with the MailScanner/incoming directory in RAM (just use tmpfs) as long as you aren't using F-Prot (which for some reason doesn't like tmpfs and won't recurse directories properly). Putting your mqueue.in and mqueue in RAM is very dodgy unless your RAM is battery-backed and your system is never rebooted with anything in its mail queues. If you are running Linux, then add a "-" in front of the log filename in syslog.conf. So instead of it logging to /var/log/maillog make it -/var/log/maillog That will stop syslogd from fsync-ing after every log entry, which can make quite a difference to your disk traffic. Running with MailScanner/incoming in tmpfs can add up to 30% to your max throughput. -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Mon Mar 24 10:51:53 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:34 2006 Subject: Bayes? In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB0EBF4A9@pascal.priv.bmrb.co .uk> Message-ID: <5.2.0.9.2.20030324104400.0234ee38@imap.ecs.soton.ac.uk> At 10:08 24/03/2003, you wrote: >Does anyone who is running SA2.5x know the answer to the following question... >When putting a 'false positive' through sa-learn do you first need to >remove {SPAM?} from the Subject and the X-MailScanner headers? The headers "X-MailScanner" and "X-MailScanner-SpamCheck" are listed in SpamAssassin already as headers to be ignored. If you have changed these at all, you need to add
# For spam and notspam bins
bayes_ignore_header X-MailScanner
bayes_ignore_header X-MailScanner-SpamCheck
bayes_ignore_header X-MailScanner-SpamScore
to your spam.assassin.prefs.conf. >BMRB International >http://www.bmrb.co.uk >+44 (0)20 8566 5000 -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Mon Mar 24 10:39:35 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:34 2006 Subject: Bayes and MailScanner In-Reply-To: <9F214F8D10934845A3664A21425C79FC674437@dhcp5.ware.net> Message-ID: <5.2.0.9.2.20030324103824.026c3238@imap.ecs.soton.ac.uk> At 07:44 23/03/2003, you wrote: >Can someone tell me where the site wide Bayes files are ~root/.spamassassin > and how I can add some "ham" to the database? Use the "sa-learn" script that comes with SpamAssassin. Run it with "--help" to get the usage guide. Remember it does auto-learn as well, so this is often unnecessary. -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Mon Mar 24 10:43:29 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:34 2006 Subject: Whitelist problem In-Reply-To: References: <1048456295.7974.74.camel@luggage> Message-ID: <5.2.0.9.2.20030324104021.02378d40@imap.ecs.soton.ac.uk> At 22:48 23/03/2003, you wrote: >I would be grateful for any assistance with this problem. > >We scan email for an Estate Agent. They have forms on numerous 3rd party web >sites for enquirers to send requests for information.The from address will >be different each time. > >Is there a simple way I can whitelist the emails? Perhaps there is a way I >can whitelist the server? (asserta.net) You can whitelist From and To addresses, but you can also whitelist "From" IP numbers if that helps. You can't whitelist "To" IP numbers (as you don't know the address until you have sent the message). You could whitelist "asserta.net" so none of the mail going to them gets spam-scanned. >TIA >Martyn Routley >----------------------------------------------------------------- >InvictaNet - The Internet in Plain English, Guaranteed >http://www.invictanet.co.uk >martyn@support.invictanet.co.uk >phone: 08707 440180 >fax: 08707 440181 >Ask us about our online Antivirus and Junk mail scanning service >----------------------------------------------------------------- > > >Sample headers are as follows: > >Return-Path: >Received: from krusty.dc.asserta.net ([217.204.56.189]) > by lemsip.invictanet.co.uk (8.12.8/8.12.8) with ESMTP id h2LBWIxu041604 > for ; Fri, 21 Mar 2003 11:32:18 GMT > (envelope-from ENQUIRERS@EMAIL.ADDRESS) >Received: from gonzo (gonzo [10.1.0.84]) > by krusty.dc.asserta.net (8.11.6+Sun/8.11.6) with ESMTP id h2LBWFC27483 > for ; Fri, 21 Mar 2003 11:32:15 GMT >Date: Fri, 21 Mar 2003 11:32:15 GMT >Message-ID: <13587361.1048246335881.JavaMail.weblogic@gonzo> 
>From: ENQUIRERS@EMAIL.ADDRESS >To: sales@OURCUSTOMER.COM >Subject: {Spam?} asserta home request: email agent >Mime-Version: 1.0 >Content-Type: multipart/alternative; > boundary="----=_Part_782_174500.1048246335877" >X-MailScanner-Information: Please contact the ISP for more information >X-MailScanner: Found to be clean >X-MailScanner-SpamCheck: spam, SpamAssassin (score=5.6, required 5, > MORTGAGE_OBFU, NO_MX_FOR_FROM, NO_REAL_NAME, SPAM_PHRASE_00_01) >X-MailScanner-SpamScore: sssss >X-UIDL: PMj!!
> The headers "X-MailScanner" and "X-MailScanner-SpamCheck" are listed in
> SpamAssassin already as headers to be ignored. If you have changed these at
> all, you need to add
>
> # For spam and notspam bins
> bayes_ignore_header X-MailScanner
> bayes_ignore_header X-MailScanner-SpamCheck
> bayes_ignore_header X-MailScanner-SpamScore
>
> to your spam.assassin.prefs.conf.
>
Presumably X-MailScanner-Information needs to be added too. What about the subject tag, do you think that's important (bearing in mind that false positives will be tagged {SPAM?} and false negatives won't) BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 From linux at mostert.nom.za Mon Mar 24 11:20:36 2003
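A check for the point raised in this exchange, added here as an example and not code from MailScanner or SpamAssassin: it lists the X-MailScanner* headers present in a message that have no bayes_ignore_header line in a given prefs file, and reports whether the Subject carries the scanner's tag. The function names and the sample files are constructed for the example; it reads only the prefs file it is given and knows nothing of SpamAssassin's built-in ignore list.

```shell
#!/bin/sh
# Added example: find scanner-added headers that would reach Bayes training.

# unignored_scanner_headers PREFS_FILE MESSAGE_FILE [PREFIX]
# Prints, one per line, each header name in MESSAGE_FILE that starts with
# PREFIX (default X-MailScanner) and has no bayes_ignore_header line in
# PREFS_FILE. Names are compared case-insensitively (a choice made here).
unignored_scanner_headers() {
    awk -v prefs="$1" -v prefix="${3:-X-MailScanner}" '
        BEGIN {
            prefix = tolower(prefix)
            while ((getline line < prefs) > 0) {
                sub(/#.*/, "", line)              # drop comments
                n = split(line, f, " ")           # whitespace-separated words
                if (n >= 2 && tolower(f[1]) == "bayes_ignore_header")
                    ignored[tolower(f[2])] = 1
            }
            close(prefs)
        }
        { sub(/\r$/, "") }            # tolerate CRLF line endings
        /^$/ { exit }                 # a blank line ends the header block
        /^[ \t]/ { next }             # folded continuation of the previous header
        /^[^ \t:]+:/ {
            name = $0
            sub(/:.*/, "", name)
            key = tolower(name)
            if (index(key, prefix) == 1 && !(key in ignored) && !(key in seen)) {
                seen[key] = 1
                print name
            }
        }
    ' "$2"
}

# subject_tagged MESSAGE_FILE [TAG]
# Succeeds when the Subject header starts with TAG (default {Spam?}),
# compared case-insensitively.
subject_tagged() {
    tag=${2:-}
    [ -n "$tag" ] || tag='{Spam?}'
    awk -v tag="$tag" '
        { sub(/\r$/, "") }
        /^$/ { exit }
        tolower($0) ~ /^subject:/ {
            s = $0
            sub(/^[^:]*:[ \t]*/, "", s)
            if (index(tolower(s), tolower(tag)) == 1) found = 1
            exit
        }
        END { exit !found }
    ' "$1"
}

# write_sample DIR: constructed sample input. The prefs lines are the three
# given in the thread; the message reuses the scanner headers of the sample
# posted earlier, with placeholder addresses.
write_sample() {
    cat >"$1/prefs" <<'EOF'
# For spam and notspam bins
bayes_ignore_header X-MailScanner
bayes_ignore_header X-MailScanner-SpamCheck
bayes_ignore_header X-MailScanner-SpamScore
EOF
    cat >"$1/msg" <<'EOF'
From: enquirer@example.invalid
To: sales@example.invalid
Subject: {Spam?} asserta home request: email agent
X-MailScanner-Information: Please contact the ISP for more information
X-MailScanner: Found to be clean
X-MailScanner-SpamCheck: spam, SpamAssassin (score=5.6, required 5,
 MORTGAGE_OBFU, NO_MX_FOR_FROM, NO_REAL_NAME, SPAM_PHRASE_00_01)
X-MailScanner-SpamScore: sssss

X-MailScanner-Fake: this line is body text, not a header
EOF
}

demo() {
    dir=$(mktemp -d) || return 1
    write_sample "$dir"
    echo "Headers not covered by bayes_ignore_header:"
    unignored_scanner_headers "$dir/prefs" "$dir/msg"
    if subject_tagged "$dir/msg"; then
        echo "Subject carries the scanner tag"
    fi
    rm -rf "$dir"
}
demo
```
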
From: linux at mostert.nom.za (Mozzi) Date: Thu Jan 12 21:17:34 2006 Subject: Mailscanner in mem In-Reply-To: <5.2.0.9.2.20030324105235.02378b00@imap.ecs.soton.ac.uk> References: <5.2.0.9.2.20030324105235.02378b00@imap.ecs.soton.ac.uk> Message-ID: <200303241320.36763.linux@mostert.nom.za> Tnx I use fprot so there goes that idea Mozzi On Monday 24 March 2003 12:55, you wrote: > At 09:26 24/03/2003, you wrote: > >Hallo all > > > >Can anyone remember the subject for the thread on running mailscanner in > > memory? > > > >I have a box with 3Gig ram here and I need the performance. > > You can safely run with the MailScanner/incoming directory in RAM (just use > tmpfs) as long as you aren't using F-Prot (which for some reason doesn't > like tmpfs and won't recurse directories properly). Putting your mqueue.in > and mqueue in RAM is very dodgy unless your RAM is battery-backed and your > system is never rebooted with anything in its mail queues. > > If you are running Linux, then add a "-" in front of the log filename in > syslog.conf. So instead of it logging to > /var/log/maillog > make it > -/var/log/maillog > That will stop syslogd from fsync-ing after every log entry, which can make > quite a difference to your disk traffic. > > Running with MailScanner/incoming in tmpfs can add up to 30% to your max > throughput. > -- > Julian Field > www.MailScanner.info > Professional Support Services at www.MailScanner.biz > MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Mon Mar 24 11:51:54 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:34 2006 Subject: Mailscanner in mem In-Reply-To: <200303241320.36763.linux@mostert.nom.za> References: <5.2.0.9.2.20030324105235.02378b00@imap.ecs.soton.ac.uk> <5.2.0.9.2.20030324105235.02378b00@imap.ecs.soton.ac.uk> Message-ID: <5.2.0.9.2.20030324115113.02873bc8@imap.ecs.soton.ac.uk> Try scanning a directory structure in tmpfs with the latest F-Prot code, it's possible they have fixed it. Let me know what you find. At 11:20 24/03/2003, you wrote: >Tnx >I use fprot so there goes that idea > >Mozzi > >On Monday 24 March 2003 12:55, you wrote: > > At 09:26 24/03/2003, you wrote: > > >Hallo all > > > > > >Can anyone remember the subject for the thread on running mailscanner in > > > memory? > > > > > >I have a box with 3Gig ram here and I need the performance. > > > > You can safely run with the MailScanner/incoming directory in RAM (just use > > tmpfs) as long as you aren't using F-Prot (which for some reason doesn't > > like tmpfs and won't recurse directories properly). Putting your mqueue.in > > and mqueue in RAM is very dodgy unless your RAM is battery-backed and your > > system is never rebooted with anything in its mail queues. > > > > If you are running Linux, then add a "-" in front of the log filename in > > syslog.conf. So instead of it logging to > > /var/log/maillog > > make it > > -/var/log/maillog > > That will stop syslogd from fsync-ing after every log entry, which can make > > quite a difference to your disk traffic. > > > > Running with MailScanner/incoming in tmpfs can add up to 30% to your max > > throughput. > > -- > > Julian Field > > www.MailScanner.info > > Professional Support Services at www.MailScanner.biz > > MailScanner thanks transtec Computers for their support -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support From dbird at SGHMS.AC.UK Mon Mar 24 12:30:05 2003 
From: dbird at SGHMS.AC.UK (Daniel Bird) Date: Thu Jan 12 21:17:34 2006 Subject: spam.assassin.prefs.conf Message-ID: <3E7EFA4D.4020707@sghms.ac.uk> Just a quickie, Does MailScanner need to be restarted when changes are made to spam.assassin.prefs.conf? Dan ____________________________________ Daniel Bird Network & Systems Manager St. George's Hospital Medical School Tooting London SW17 0RE P: +44 20 8725 2897 F: +44 20 8725 3583 E: dan@sghms.ac.uk ____________________________________ Hex dump: Where witches put used curses... -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From mailscanner at ecs.soton.ac.uk Mon Mar 24 13:31:27 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:34 2006 Subject: spam.assassin.prefs.conf In-Reply-To: <3E7EFA4D.4020707@sghms.ac.uk> Message-ID: <5.2.0.9.2.20030324133115.030a2be0@imap.ecs.soton.ac.uk> At 12:30 24/03/2003, you wrote: >Just a quickie, >Does MailScanner need to be restarted when changes are made to >spam.assassin.prefs.conf? Yes. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From dbird at SGHMS.AC.UK Mon Mar 24 14:22:33 2003 
From: dbird at SGHMS.AC.UK (Daniel Bird) Date: Thu Jan 12 21:17:34 2006 Subject: spam.assassin.prefs.conf References: <5.2.0.9.2.20030324133115.030a2be0@imap.ecs.soton.ac.uk> Message-ID: <3E7F14A9.6040704@sghms.ac.uk> Thought so. That poses another question (may be getting a little OT here). I have multiple mailhubs running identical configs. What, if anything do people do to automate updates to preference files like this? I currently run a simple rcp for spam.assassin.prefs.conf, as an unprivileged user but with permissions to overwrite the file. But restarting MailScanner would require root privilege would it not?, and out of the box RH Linux doesn't allow that. Dan Julian Field wrote: > At 12:30 24/03/2003, you wrote: > >> Just a quickie, >> Does MailScanner need to be restarted when changes are made to >> spam.assassin.prefs.conf? > > > Yes. > -- > Julian Field > www.MailScanner.info > MailScanner thanks transtec Computers for their support > -- ____________________________________ Daniel Bird Network & Systems Manager St. George's Hospital Medical School Tooting London SW17 0RE P: +44 20 8725 2897 F: +44 20 8725 3583 E: dan@sghms.ac.uk ____________________________________ Hex dump: Where witches put used curses... "#define QUESTION ((bb) || !(bb)) - Shakespeare." -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From dene at DATATECHIE.COM Mon Mar 24 14:11:36 2003 
From: dene at DATATECHIE.COM (Dene Ulmschneider) Date: Thu Jan 12 21:17:34 2006 Subject: confirming SPAM Message-ID: <5.1.0.14.2.20030324091107.027efe98@192.168.1.112> Hi All- I just installed and configured MailScanner yesterday to test it out and it seems to be working great. I am also it with the spam catching capabilities of SpamAssassin and here is where my question comes in. I notice that all emails that are tagged as spam have the default alteration in the subject field of {SPAM?}. How do you tell the server that it is or is not spam for future knowledge? Can it be forwarded to an email address on the server for whitelisting or blacklisting? Is there a GUI for normal end users to set these questionable emails as spam or regular email? If not - do all of these questionable emails have to be either delivered, deleted, bounced, etc. (only set by options in config file?) Any assistance would be greatly appreciated. Thank You Dene Ulmschneider Data Techie Inc. ------------------------------------------------------------------------- office: 718.738.8859 cell: 646.996.2976 email: dene@datatechie.com pager mail: denenow@datatechie.com website: www.datatechie.com ------------------------------------------------------------------------- "Life is too short...-...you should have dessert first" -- This message has been scanned for viruses and dangerous content by Data Techie, and is believed to be clean. Data Techie... always there to protect you! From Cleveland at MAIL.WINNEFOX.ORG Mon Mar 24 14:33:40 2003 
From: Cleveland at MAIL.WINNEFOX.ORG (Jody Cleveland) Date: Thu Jan 12 21:17:34 2006 Subject: ip addresses in whitelist are still being blocked Message-ID: <84CFA712F666B44A94CE6BE116BAF4B0B4E4E3@MAIL> > Don't forget that you'll also need to go through the access > database (/etc/mail/access commonly) and take out the entries > it has added if you want to reverse the work it has done - > don't forget to rebuild access.db (makemap hash > /etc/mail/access < /etc/mail/access) and restart MailScanner > (in order to restart the sendmail processes). Thank you so much for your help! I made the change in the configuration file for mailstats, and emptied out the entries from the access database, then ran the makemap. I looked at my mailstats page and it still says 44 addresses are blocked. That number is down considerably, but it's still there. I double checked the sendmail access file, and that's still empty. Any ideas as to why there are still some blocked IP's? Jody From mailscanner at ecs.soton.ac.uk Mon Mar 24 14:21:13 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:34 2006 Subject: spam.assassin.prefs.conf In-Reply-To: <3E7F14A9.6040704@sghms.ac.uk> References: <5.2.0.9.2.20030324133115.030a2be0@imap.ecs.soton.ac.uk> Message-ID: <5.2.0.9.2.20030324142036.03d2e3a0@imap.ecs.soton.ac.uk> At 14:22 24/03/2003, you wrote: >Thought so. That poses another question (may be getting a little OT >here). I have multiple mailhubs running identical configs. What, if >anything, do people do to automate updates to preference files like this? > >I currently run a simple rcp for spam.assassin.prefs.conf, as an >unprivileged user but with permissions to overwrite the file. But >restarting MailScanner would require root privilege would it not?, and >out of the box RH Linux doesn't allow that. Read about "sudo". >Julian Field wrote: >>At 12:30 24/03/2003, you wrote: >>>Just a quickie, >>>Does MailScanner need to be restarted when changes are made to >>>spam.assassin.prefs.conf? >> >>Yes. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From raymond at PROLOCATION.NET Mon Mar 24 14:36:36 2003 From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:17:34 2006 Subject: spam.assassin.prefs.conf In-Reply-To: <5.2.0.9.2.20030324142036.03d2e3a0@imap.ecs.soton.ac.uk> Message-ID: Hi! > >I currently run a simple rcp for spam.assassin.prefs.conf, as an > >unprivileged user but with permissions to overwrite the file. But > >restarting MailScanner would require root privilege would it not?, and > >out of the box RH Linux doesn't allow that. > > Read about "sudo". Or use ssh to restart it. Also possible. In combination with scp a little more secure than a plain rcp. Bye, Raymond. From dbird at SGHMS.AC.UK Mon Mar 24 14:37:20 2003 
From: dbird at SGHMS.AC.UK (Daniel Bird) Date: Thu Jan 12 21:17:34 2006 Subject: spam.assassin.prefs.conf References: <5.2.0.9.2.20030324133115.030a2be0@imap.ecs.soton.ac.uk> <5.2.0.9.2.20030324142036.03d2e3a0@imap.ecs.soton.ac.uk> Message-ID: <3E7F1820.2060507@sghms.ac.uk> Julian Field wrote: > At 14:22 24/03/2003, you wrote: > >> Thought so. That poses another question (may be getting a little OT >> here). I have multiple mailhubs running identical configs. What, if >> anything, do people do to automate updates to preference files like this? >> >> I currently run a simple rcp for spam.assassin.prefs.conf, as an >> unprivileged user but with permissions to overwrite the file. But >> restarting MailScanner would require root privilege would it not?, and >> out of the box RH Linux doesn't allow that. > > > Read about "sudo". Tnx, already thought of that one. Just thought there may be some other 'quick and dirty' solution ... must be getting lazy in my old age... :-) > >> Julian Field wrote: >> >>> At 12:30 24/03/2003, you wrote: >>> >>>> Just a quickie, >>>> Does MailScanner need to be restarted when changes are made to >>>> spam.assassin.prefs.conf? >>> >>> >>> Yes. >> > > -- > Julian Field > www.MailScanner.info > MailScanner thanks transtec Computers for their support > -- ____________________________________ Daniel Bird Network & Systems Manager St. George's Hospital Medical School Tooting London SW17 0RE P: +44 20 8725 2897 F: +44 20 8725 3583 E: dan@sghms.ac.uk ____________________________________ Hex dump: Where witches put used curses... "#define QUESTION ((bb) || !(bb)) - Shakespeare." -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From Kevin.Spicer at BMRB.CO.UK Mon Mar 24 14:38:16 2003 
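The "sudo" and "ssh/scp" suggestions from the spam.assassin.prefs.conf thread above, combined into one script as an added example (not code posted by any list member and not part of MailScanner). The account name `msdeploy`, the hub names passed as arguments and the prefs file path are assumptions, and each hub is assumed to carry the single-command sudoers rule shown in the comment.

```shell
#!/bin/sh
# Added example: push spam.assassin.prefs.conf to several mailhubs with scp,
# then restart MailScanner over ssh through a single-command sudo rule.
#
# Assumed sudoers entry on each hub (the user name "msdeploy" is hypothetical):
#   msdeploy ALL = (root) NOPASSWD: /etc/rc.d/init.d/MailScanner restart
# It lets the unprivileged account run exactly this one command as root,
# so the account that may overwrite the prefs file gains nothing else.

PREFS=${PREFS:-/etc/MailScanner/spam.assassin.prefs.conf}  # assumed location
DEPLOY_USER=${DEPLOY_USER:-msdeploy}                       # hypothetical account
INIT_SCRIPT=/etc/rc.d/init.d/MailScanner                   # path quoted elsewhere in this archive
RUN=${RUN:-}   # set RUN=echo for a dry run that only prints the commands

# push_one HOST: copy the file, restart only if the copy succeeded.
# Returns 2 for a bad local precondition, 1 for a remote failure.
push_one() {
    host=$1
    [ -n "$host" ] || { echo "push_one: missing host" >&2; return 2; }
    # Never ship a missing or empty prefs file to a production hub.
    [ -s "$PREFS" ] || { echo "push_one: $PREFS missing or empty" >&2; return 2; }
    # BatchMode makes scp/ssh fail instead of prompting when run from cron.
    $RUN scp -q -p -o BatchMode=yes "$PREFS" "$DEPLOY_USER@$host:$PREFS" || return 1
    # sudo -n never prompts; it fails cleanly if the sudoers rule is absent.
    $RUN ssh -o BatchMode=yes "$DEPLOY_USER@$host" sudo -n "$INIT_SCRIPT" restart || return 1
}

# push_all HOST...: try every hub, report failures, return how many failed.
push_all() {
    failed=0
    for h in "$@"; do
        if ! push_one "$h"; then
            echo "FAILED: $h" >&2
            failed=$((failed + 1))
        fi
    done
    return "$failed"
}

# Typical call from cron or by hand (hub names are placeholders):
#   push_all mailhub1.example.org mailhub2.example.org
```

Because the restart is skipped whenever the copy fails, a hub never restarts onto a half-written file, and the non-zero return value tells cron how many hubs need attention.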
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin) Date: Thu Jan 12 21:17:34 2006 Subject: ip addresses in whitelist are still being blocked Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0A4AD5F@pascal.priv.bmrb.co.uk> > > Thank you so much for your help! I made the change in the > configuration file > for mailstats, and emptied out the entries from the access > database, then > ran the makemap. I looked at my mailstats page and it still says 44 > addresses are blocked. That number is down considerably, but > it's still > there. I double checked the sendmail access file, and that's > still empty. > Any ideas as to why there are still some blocked IPs? > I found that mailstats reports as 'blocked' any IP that it would block, were blocking turned on, even when blocking is turned off. I presume this is still the same in the latest version. (You might like to check your access file hasn't changed just to be sure!). My (ahem) fix for this was to edit mailstats.pl to change the word 'blocked' to 'blockable' (just to not alarm other people who were looking at it!). BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. From Kevin.Spicer at BMRB.CO.UK Mon Mar 24 14:48:06 2003 
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin) Date: Thu Jan 12 21:17:34 2006 Subject: ip addresses in whitelist are still being blocked Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0EBF4B3@pascal.priv.bmrb.co.uk> > Thanks, I made that change too. I did check the access file, > and it looks > ok. What version of the script are you using? > 0.16, haven't got round to changing it yet. BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. From Cleveland at MAIL.WINNEFOX.ORG Mon Mar 24 14:52:13 2003 From: Cleveland at MAIL.WINNEFOX.ORG (Jody Cleveland) Date: Thu Jan 12 21:17:34 2006 Subject: ip addresses in whitelist are still being blocked Message-ID: <84CFA712F666B44A94CE6BE116BAF4B0B4E4E5@MAIL> > 0.16, haven't got round to changing it yet. Does yours have a section marked "Trap"? I'm just wondering what that is. Jody From Cleveland at MAIL.WINNEFOX.ORG Mon Mar 24 14:45:12 2003 
From: Cleveland at MAIL.WINNEFOX.ORG (Jody Cleveland) Date: Thu Jan 12 21:17:34 2006 Subject: ip addresses in whitelist are still being blocked Message-ID: <84CFA712F666B44A94CE6BE116BAF4B0B4E4E4@MAIL> > I found that mailstats reports as 'blocked' any IP that it > would block, were blocking turned on, even when blocking is > turned off. I presume this is still the same in the latest > version. (You might like to check your access file hasn't > changed just to be sure!). My (ahem) fix for this was to > edit mailstats.pl to change the word 'blocked' to 'blockable' > (just to not alarm other people who were looking at it!). Thanks, I made that change too. I did check the access file, and it looks ok. What version of the script are you using? Jody From dene at DATATECHIE.COM Mon Mar 24 14:57:28 2003 
From: dene at DATATECHIE.COM (Dene Ulmschneider) Date: Thu Jan 12 21:17:34 2006 Subject: confirming SPAM Message-ID: <5.1.0.14.2.20030324095603.02668e78@192.168.1.112> Hello- I am new to this list and would really appreciate some assistance... I just installed and configured MailScanner yesterday to test it out and it seems to be working great. I am also it with the spam catching capabilities of SpamAssassin and here is where my question comes in. I notice that all emails that are tagged as spam have the default alteration in the subject field of {SPAM?}. How do you tell the server that it is or is not spam for future knowledge? Can it be forwarded to an email address on the server for whitelisting or blacklisting? Is there a GUI for normal end users to set these questionable emails as spam or regular email? If not - do all of these questionable emails have to be either delivered, deleted, bounced, etc. (only set by options in config file?) Again, any assistance would be greatly appreciated. Thank You Dene Ulmschneider Data Techie Inc. ------------------------------------------------------------------------- office: 718.738.8859 cell: 646.996.2976 email: dene@datatechie.com pager mail: denenow@datatechie.com website: www.datatechie.com ------------------------------------------------------------------------- "Life is too short...-...you should have dessert first" -- This message has been scanned for viruses and dangerous content by Data Techie, and is believed to be clean. Data Techie... always there to protect you! From Peter.Bates at LSHTM.AC.UK Mon Mar 24 15:01:14 2003 
From: Peter.Bates at LSHTM.AC.UK (Peter Bates) Date: Thu Jan 12 21:17:34 2006 Subject: postfix compatability? Message-ID: Hello all... ---------------------------------------------------------------------------------------------------> Peter Bates, Systems Support Officer, Network Support Team. London School of Hygiene & Tropical Medicine. Telephone:0207-958 8353 / Fax: 0207- 636 9838 >>> ms@MLSIS.CO.UK 23/03/03 21:51:35 >>> >But the main problem I'm getting at the moment is the mailscanner startup >script, which is trying to start sendmail instead of postfix and is >passing options to it that postfix doesn't recognise :( >it is also apparently (I may be misreading the code here) trying to start >2 instances of sendmail :( >how have you edited the start script for mailscanner for use with >postfix? I'm assuming you meant the /etc/rc.d/init.d/MailScanner script (or wherever it may reside)... personally I edited it to remove the 'StartInSendmail' call from the 'start' case bit, and similarly elsewhere, so the MailScanner startup script didn't actually stop/start Postfix at all... There is probably a way of making it a bit more transparent, based around RedHat's (for example) mail switch wrapper stuff to allow Postfix & Sendmail to co-exist on a box but be switched around, but for me it was quicker to do the above. I also noticed that you have to remove the chroot bit in master.cf to get the filter script to work fine... with a bit more time it would probably be nice to fiddle it to work with the content_filter thing (just a change in master.cf, I think)... Having written the above, when I switched my main load of traffic here over to Postfix & MailScanner, something went horribly wrong that didn't show in the small user-set I was testing with before, so I switched it back in panic... From Cleveland at MAIL.WINNEFOX.ORG Mon Mar 24 15:08:51 2003 
From: Cleveland at MAIL.WINNEFOX.ORG (Jody Cleveland) Date: Thu Jan 12 21:17:34 2006 Subject: ip addresses in whitelist are still being blocked Message-ID: <84CFA712F666B44A94CE6BE116BAF4B0B4E4E8@MAIL> > That is new in 0.18 - it indicates what spam trap was triggered - spamassassin or RBL etc. What are all these?: Infinite-Monkeys 14 ORDB-RBL 6 Mar 22 12:35:44 storm sendmail[29682]: h2MIZY7M029674: to= 1 dsn=2.0.0 1 pri=120741 1 delay=00:00:10 1 xdelay=00:00:07 1 mailer=esmtp 1 relay=ori.rl.ac.uk. [130.246.192.52] 1 stat=Sent (h2MILJt19220 Message accepted for delivery) 1 From mailscanner at ecs.soton.ac.uk Mon Mar 24 15:06:44 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:34 2006 Subject: confirming SPAM In-Reply-To: <5.1.0.14.2.20030324095603.02668e78@192.168.1.112> Message-ID: <5.2.0.9.2.20030324150117.03b5e328@imap.ecs.soton.ac.uk> At 14:57 24/03/2003, you wrote: >I notice that all emails that are tagged as spam have the default >alteration in the subject field of {SPAM?}. How do you tell the server that >it is or is not spam for future knowledge? Can it be forwarded to an email >address on the server for whitelisting or blacklisting? Sounds like you want to use "Razor2" which you can as part of SpamAssassin. This system uses checksums of messages that are known to be spam, and stores the checksums on central servers. Every time you receive a message it checks it against the known spam checksums and uses that to decide if it is spam or not. Look at http://razor.sourceforge.net/ (I think) and you should find lots more about Razor and Razor2. Also, using the new Bayes engine in SpamAssassin 2.51 (but I would advise you to wait for 2.52 release), the anti-spam engine will learn about spam messages that it got wrong by your users feeding back the spam into the engine. I have 2 addresses here, "spam" and "notspam", which users bounce mail to when the spam engine gets it wrong. So its performance improves with time as it learns lots of new spam. > Is there a GUI for >normal end users to set these questionable emails as spam or regular email? >If not - do all of these questionable emails have to be either delivered, >deleted, bounced, etc. (only set by options in config file?) You can let your users set their own preferences by using rulesets in the MailScanner.conf file. Take a look in /etc/MailScanner/rules for some brief instructions and examples. This can all, for example, be linked to a database containing all the users' preferences. 
-- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From David.While at UCE.AC.UK Mon Mar 24 15:04:16 2003 From: David.While at UCE.AC.UK (David While) Date: Thu Jan 12 21:17:34 2006 Subject: ip addresses in whitelist are still being blocked Message-ID: That is new in 0.18 - it indicates what spam trap was triggered - spamassassin or RBL etc. ----------------------------------------------------------------- David While Technical Development Manager Faculty of Computing, Information & English University of Central England Tel: 0121 331 6211 Jody Cleveland Sent by: MailScanner mailing list 24/03/2003 14:52 Please respond to MailScanner mailing list To: MAILSCANNER@JISCMAIL.AC.UK cc: Subject: Re: ip addresses in whitelist are still being blocked > 0.16, haven't got round to changing it yet. Does yours have a section marked "Trap"? I'm just wondering what that is. Jody -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030324/f882c2de/attachment.html From Kevin.Spicer at BMRB.CO.UK Mon Mar 24 15:01:18 2003 
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin) Date: Thu Jan 12 21:17:34 2006 Subject: ip addresses in whitelist are still being blocked Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0EBF4B4@pascal.priv.bmrb.co.uk> > > Does yours have a section marked "Trap"? I'm just wondering > what that is. > > Jody > No. must be something 'new' BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. From lindsay at pa.net Mon Mar 24 15:19:05 2003 
From: lindsay at pa.net (Lindsay Snider) Date: Thu Jan 12 21:17:34 2006 Subject: postfix compatability? In-Reply-To: <1048456295.7974.74.camel@luggage> References: <3E650494.4080305@pa.net> <1048456295.7974.74.camel@luggage> Message-ID: <200303241019.05448.lindsay@pa.net> Hey Matt, I sit next to Leland. We had the same situation, thus I went through and commented out the unnecessary lines in /etc/init.d/MailScanner. I'm embarrassed to post this for the code is not cleaned up, but it works. Note, we made changes to the two variables WORKDIR+INQDIR so you will need to modify those. lindsay On Sunday 23 March 2003 16:51, you wrote: > Hi, > Finally got these scripts onto a test server along with MailScanner > 4.13.3. > changed 2 lines in the master.cf file, added the scripts (all in the > location suggested in the posting) > > But the main problem I'm getting at the moment is the mailscanner startup > script, which is trying to start sendmail instead of postfix and is > passing options to it that postfix doesn't recognise :( > it is also apparently (I may be misreading the code here) trying to start > 2 instances of sendmail :( > how have you edited the start script for mailscanner for use with > postfix? > > Thanks for the help :) > Matt Lowe > > On Tue, 2003-03-04 at 19:55, Leland J. Steinke wrote: > > Julian Field wrote: > > > Any chance of you publishing all your scripts to make your setup work? > > > They would help a lot of people. > > > > The perl scripts, along with our master.cf file, are in the attached > > archive. Yes, the scripts can be improved to run more quickly or > > converted to C, but they are working well enough for us. > > > > The final piece is to set the Sendmail2 config option to > > "/usr/local/spoolerator/despool.pl", while leaving the MTA as sendmail. > > (Naturally, one can change the location of these scripts to whatever fits > > your local preferences.) 
> > > > One of our design goals was to minimize hacking on either postfix or > > MailScanner. With only a single line change in MailScanner.conf and two > > lines in /etc/postfix/master.cf, I believe we succeeded in that design > > goal. > > > > > > Leland > > > > ps: Be sure to set the spool.pl file to point to the appropriate > > directories. pps: Test, test, and test again before fielding this on a > > live system!!! -------------- next part -------------- A non-text attachment was scrubbed... Name: MailScanner Type: application/x-shellscript Size: 4554 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030324/f6874869/MailScanner.bin From Kevin.Spicer at BMRB.CO.UK Mon Mar 24 15:20:53 2003 
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin) Date: Thu Jan 12 21:17:34 2006 Subject: ip addresses in whitelist are still being blocked Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0EBF4B5@pascal.priv.bmrb.co.uk> > What are all these?: > > Infinite-Monkeys 14 > ORDB-RBL 6 > Mar 22 12:35:44 storm sendmail[29682]: h2MIZY7M029674: to= 1 > dsn=2.0.0 1 > pri=120741 1 > delay=00:00:10 1 > xdelay=00:00:07 1 > mailer=esmtp 1 > relay=ori.rl.ac.uk. [130.246.192.52] 1 > stat=Sent (h2MILJt19220 Message accepted for delivery) 1 > I guess you just got them in a mail - I had a few of those, I think its when you get a partial line in the log which mailstats can't parse. Look for the following code (if its the same in your version)... else { $SpamBucket{$IP} = 999999; } $SpamCount++; } else { print $Line; } last SWITCH; }; and comment out the three 'else' lines... else { $SpamBucket{$IP} = 999999; } $SpamCount++; } # else { # print $Line; # } last SWITCH; }; That should stop it. BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. From Jan-Peter.Koopmann at SECEIDOS.DE Mon Mar 24 15:32:05 2003 
From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann) Date: Thu Jan 12 21:17:34 2006 Subject: FreeBSD port Message-ID: <4E7026FF8A422749B1553FE508E0068007EFFD@message.intern.akctech.de> Hi Julian, the FreeBSD guys seem to need some time to process the official port request. I am not sure how long it will take them to put it in the official ports tree. How about putting an inofficial version on your download page and make it a public beta? Thanks, JP From Jan-Peter.Koopmann at SECEIDOS.DE Mon Mar 24 15:35:04 2003 From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann) Date: Thu Jan 12 21:17:34 2006 Subject: spam.assassin.prefs.conf Message-ID: <4E7026FF8A422749B1553FE508E0068007EFFE@message.intern.akctech.de> Hi Julian, it is not possible to depend the spam.assassin.prefs.conf file being used on a ruleset, is it? If so, how complicated would it be to implement this? :-) Regards, JP From Denis.Beauchemin at USHERBROOKE.CA Mon Mar 24 16:01:37 2003 
From: Denis.Beauchemin at USHERBROOKE.CA (Denis Beauchemin) Date: Thu Jan 12 21:17:34 2006 Subject: Ruleset for Silent Viruses In-Reply-To: <5CA287DBA85BF649A45916B75FD20E0E122637@exchange.usu.edu> References: <5CA287DBA85BF649A45916B75FD20E0E122637@exchange.usu.edu> Message-ID: <1048521697.5096.34.camel@dbeauchemin.si.usherbrooke.ca> John, I have the following: # grep rules/viruses.to.delete.conf MailScanner.conf Silent Viruses = /etc/MailScanner/rules/viruses.to.delete.conf # cat rules/viruses.to.delete.conf FromorTo: default W32/Klez W32/Yaha W32/Bugbear@MM W32/Braid W32/Korvar W32/Sobig W32/Lirva W32/Avril W32/Ganda There is really no need for a rules file (as I did). The simplest thing to do is to define the following in MailScanner.conf (all on the same line): Silent Viruses = W32/Klez W32/Yaha W32/Bugbear@MM W32/Braid W32/Korvar W32/Sobig W32/Lirva W32/Avril W32/Ganda Denis Le lun 24/03/2003 à 10:47, John B. Hanks a écrit : > Would someone using a ruleset for this option (Silent Viruses) who is > also using McAfee please post the ruleset they are using? I'd like to > start expanding the list of viruses I discard, but am not exactly sure > what to use in this file that will work with McAfee uvscan. > > Thanks, > > jbh -- Denis Beauchemin, analyste Université de Sherbrooke, S.T.I. T: 819.821.8000x2252 F: 819.821.8045 From john.hanks at USU.EDU Mon Mar 24 15:47:44 2003 From: john.hanks at USU.EDU (John B. Hanks) Date: Thu Jan 12 21:17:34 2006 Subject: Ruleset for Silent Viruses Message-ID: <5CA287DBA85BF649A45916B75FD20E0E122637@exchange.usu.edu> Would someone using a ruleset for this option (Silent Viruses) who is also using McAfee please post the ruleset they are using? I'd like to start expanding the list of viruses I discard, but am not exactly sure what to use in this file that will work with McAfee uvscan. Thanks, jbh From dot at DOTAT.AT Mon Mar 24 16:32:40 2003 
From: dot at DOTAT.AT (Tony Finch) Date: Thu Jan 12 21:17:34 2006 Subject: FreeBSD port In-Reply-To: Message-ID: Jan-Peter Koopmann wrote: > >the FreeBSD guys seem to need some time to process the official port >request. I am not sure how long it will take them to put it in the >official ports tree. How about putting an inofficial version on your >download page and make it a public beta? Although I'm both a FreeBSD committer and a MailScanner user, I'm not a sendmail user so I can't do a full review of a properly-integrated port. I would be interested in having a look over it though. Tony. -- f.a.n.finch http://dotat.at/ MULL OF KINTYRE TO ARDNAMURCHAN POINT: SOUTH TO SOUTHEAST 3 OR 4, VEERING SOUTHWEST, LATER INCREASING 5 IN THE NORTH. FAIR. MODERATE OR GOOD, LOCALLY POOR AT FIRST. MODERATE. From Jan-Peter.Koopmann at SECEIDOS.DE Mon Mar 24 16:51:17 2003 From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann) Date: Thu Jan 12 21:17:34 2006 Subject: FreeBSD port Message-ID: <4E7026FF8A422749B1553FE508E0068007F002@message.intern.akctech.de> Hi, > Although I'm both a FreeBSD committer and a MailScanner user, > I'm not a sendmail user so I can't do a full review of a > properly-integrated port. Since the port is installing MailScanner "only" and not a complete sendmail/exim integration, you should be the ideal beta tester. > I would be interested in having a > look over it though. Let's see whether Julian is willing to put it on his website. If no, I will send you the port. Regards, JP From Jan-Peter.Koopmann at SECEIDOS.DE Mon Mar 24 16:53:37 2003 
From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann) Date: Thu Jan 12 21:17:34 2006 Subject: FreeBSD port Message-ID: <4E7026FF8A422749B1553FE508E0068007F003@message.intern.akctech.de> Hi Simon, > It needs some updating though before it's committed, I've > send Jan-Peter the details already Yep. I would upload the most current version to Julian. > (also it's not in the > regulation shar format ;) It would have been bigger than 20k and the porters handbook said to put it into a compressed tar... :-) Regards, JP From mailscanner at ecs.soton.ac.uk Mon Mar 24 16:45:05 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:34 2006 Subject: spam.assassin.prefs.conf In-Reply-To: <4E7026FF8A422749B1553FE508E0068007EFFE@message.intern.akct ech.de> Message-ID: <5.2.0.9.2.20030324164436.031d9d80@imap.ecs.soton.ac.uk> At 15:35 24/03/2003, you wrote: >Hi Julian, > >it is not possible to depend the spam.assassin.prefs.conf file being >used on a ruleset, is it? Not possible I'm afraid. The spam.assassin.prefs.conf is processed once at startup. > If so, how complicated would it be to >implement this? :-) > >Regards, > JP -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From simon at ADVANTAGE-INTERACTIVE.COM Mon Mar 24 16:47:26 2003 
From: simon at ADVANTAGE-INTERACTIVE.COM (Simon Dick) Date: Thu Jan 12 21:17:34 2006 Subject: FreeBSD port In-Reply-To: References: Message-ID: <1048524445.582.8.camel@laptop.internal.irrelevant.org> On Mon, 2003-03-24 at 16:32, Tony Finch wrote: > Jan-Peter Koopmann wrote: > > > >the FreeBSD guys seem to need some time to process the official port > >request. I am not sure how long it will take them to put it in the > >official ports tree. How about putting an inofficial version on your > >download page and make it a public beta? > > Although I'm both a FreeBSD committer and a MailScanner user, I'm not > a sendmail user so I can't do a full review of a properly-integrated > port. I would be interested in having a look over it though. ports/50158 It needs some updating though before it's committed, I've send Jan-Peter the details already (also it's not in the regulation shar format ;) -- Simon Dick From steinkel at PA.NET Mon Mar 24 16:44:16 2003 
From: steinkel at PA.NET (Leland J. Steinke) Date: Thu Jan 12 21:17:34 2006 Subject: postfix compatability? References: <3E650494.4080305@pa.net> <1048456295.7974.74.camel@luggage> <200303241019.05448.lindsay@pa.net> Message-ID: <3E7F35E0.508@pa.net> Lindsay Snider wrote: > Hey Matt, > I sit next to Leland. We had the same situation thus, I went through and > commented out the unnecessary lines in /etc/init.d/MailScanner. I'm > embarrassed to post this for the code is not cleaned up but, it works. Note, > we made changes to the two variables WORKDIR+INQDIR so you will need to > modify those. > lindsay Please be aware that the environment in which our postfix/mailscanner interface scripts operate has evolved since the scripts were originally written 6-7 months ago for MailScanner 3.X, when mailscanner was started from cron, rather than from an rc script, along with innumerable other changes. I am sorry I neglected those changes in my original message. As MailScanner becomes capable of dealing with more and more MTAs, it might be useful to add something to /etc/sysconfig (on RH linux, at least) to handle the MTA interface selection. It's just a thought... Leland From steinkel at PA.NET Mon Mar 24 17:03:39 2003 From: steinkel at PA.NET (Leland J. Steinke) Date: Thu Jan 12 21:17:34 2006 Subject: postfix compatability? References: <3E650494.4080305@pa.net> <1048456295.7974.74.camel@luggage> <200303241019.05448.lindsay@pa.net> <3E7F35E0.508@pa.net> Message-ID: <3E7F3A6B.80706@pa.net> Leland J. Steinke wrote: > > As MailScanner becomes capable of dealing with more and more MTAs, it > might be > useful to add something to /etc/sysconfig (on RH linux, at least) to > handle the > MTA interface selection. It's just a thought... Rather, "manage the MTA interface selection in the rc script". Leland From mailscanner at ecs.soton.ac.uk Mon Mar 24 16:44:27 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:34 2006 Subject: FreeBSD port In-Reply-To: <4E7026FF8A422749B1553FE508E0068007EFFD@message.intern.akct ech.de> Message-ID: <5.2.0.9.2.20030324164407.031d9c38@imap.ecs.soton.ac.uk> At 15:32 24/03/2003, you wrote: >Hi Julian, > >the FreeBSD guys seem to need some time to process the official port >request. I am not sure how long it will take them to put it in the >official ports tree. How about putting an inofficial version on your >download page and make it a public beta? Sure. Can you give me a link to a page people can download it from? -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From simon at ADVANTAGE-INTERACTIVE.COM Mon Mar 24 17:01:01 2003 From: simon at ADVANTAGE-INTERACTIVE.COM (Simon Dick) Date: Thu Jan 12 21:17:34 2006 Subject: FreeBSD port In-Reply-To: <4E7026FF8A422749B1553FE508E0068007F003@message.intern.akctech.de> References: <4E7026FF8A422749B1553FE508E0068007F003@message.intern.akctech.de> Message-ID: <1048525261.582.10.camel@laptop.internal.irrelevant.org> On Mon, 2003-03-24 at 16:53, Jan-Peter Koopmann wrote: > Hi Simon, > > > It needs some updating though before it's committed, I've > > send Jan-Peter the details already > > Yep. I would upload the most current version to Julian. I'd suggest following up the pr with a diff to bring it up to the latest version you have, then the proper one will get committed straight away. > > (also it's not in the > > regulation shar format ;) > > It would have been bigger than 20k and the porters handbook said to put > it into a compressed tar... :-) Missed that, never submitted a port that needed as many patches :) -- Simon Dick From Jan-Peter.Koopmann at SECEIDOS.DE Mon Mar 24 17:28:26 2003 
From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann) Date: Thu Jan 12 21:17:34 2006 Subject: FreeBSD port Message-ID: <4E7026FF8A422749B1553FE508E0068007F005@message.intern.akctech.de> > I'd suggest following up the pr with a diff to bring it up to > the latest version you have, then the proper one will get > committed straight away. Will do that either tonight or first thing tomorrow morning. > Missed that, never submitted a port that needed as many patches :) Well I hope Julian will put the man pages and the corresponding html version into the tarball soon. Then these will disappear from the patches and things will be a lot smaller. Regards, JP From patricksteiner at BLUEWIN.CH Mon Mar 24 18:14:32 2003 From: patricksteiner at BLUEWIN.CH (Patrick Steiner) Date: Thu Jan 12 21:17:34 2006 Subject: Mailscanner4 on Debian System with SA 2.5 / experience??? Message-ID: <3E7F4B08.1030402@bluewin.ch> Hi folks Does anybody have experience with Mailscanner 4 on a Debian System? At the moment I use Mailscanner 3.27.1-1 from Debian unstable with SA 2.50-1, but when I want to update to version 4 I have a problem with spamassassin. All spam mails have a too low spam score (>3). But when I pipe the spam mail directly to spamassassin, the spam score is >7. I think spamassassin works fine but mailscanner has a "communication" problem with spamassassin. Ideas??? p?de From brose at MED.WAYNE.EDU Mon Mar 24 18:24:29 2003 
From: brose at MED.WAYNE.EDU (Rose, Bobby) Date: Thu Jan 12 21:17:34 2006 Subject: MailScanner and SA 2.51 and Bayes Message-ID: Can anyone confirm if this is even working now? If I run a spamassassin -D -t < message I see debug code for Bayes that appears to me that it's working. Also in ~/.spamassassin I see bayes_seen, bayes_toks and bayes_msgcount updating. If SA is called from MS, only bayes_msgcount is changing. It also creates bayes_seen.dir, bayes_seen.pag, bayes_toks.dir, and bayes_toks.pag files but they remain 0k. From mailscanner at ecs.soton.ac.uk Mon Mar 24 18:41:40 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:34 2006 Subject: MailScanner and SA 2.51 and Bayes In-Reply-To: Message-ID: <5.2.0.9.2.20030324183946.0564da00@imap.ecs.soton.ac.uk> At 18:24 24/03/2003, you wrote: >Can anyone confirm if this is even working now? If I run a spamassassin >-D -t < message I see debug code for Bayes that appears to me that it's >working. Also in ~/.spamassassin I see bayes_seen, bayes_toks and >bayes_msgcount updating. > >If SA is called from MS, only bayes_msgcount is changing. It also >creates bayes_seen.dir, bayes_seen.pag, bayes_toks.dir, and >bayes_toks.pag files but they remain 0k. Install "DB_File" using CPAN. Then comment out the "use AnyDBM_File" at the top of SA.pm. This will be in the next release (due about 4th April after I get back from Networkshop). Still not had any requests for anything to discuss in the BoF session at Networkshop. -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support From brose at MED.WAYNE.EDU Mon Mar 24 19:49:46 2003 
From: brose at MED.WAYNE.EDU (Rose, Bobby) Date: Thu Jan 12 21:17:34 2006 Subject: MailScanner and SA 2.51 and Bayes Message-ID: Sorry Julian, you did say that before. My mistake. That took care of it. Thanks. PS I saw a message on the SA dev list that they were talking about release 2.52 this last weekend but it didn't happen so it could be soon. -----Original Message----- From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] Sent: Monday, March 24, 2003 1:42 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: MailScanner and SA 2.51 and Bayes At 18:24 24/03/2003, you wrote: >Can anyone confirm if this is even working now? If I run a >spamassassin -D -t < message I see debug code for Bayes that appears to >me that it's working. Also in ~/.spamassassin I see bayes_seen, >bayes_toks and bayes_msgcount updating. > >If SA is called from MS, only bayes_msgcount is changing. It also >creates bayes_seen.dir, bayes_seen.pag, bayes_toks.dir, and >bayes_toks.pag files but they remain 0k. Install "DB_File" using CPAN. Then comment out the "use AnyDBM_File" at the top of SA.pm. This will be in the next release (due about 4th April after I get back from Networkshop). Still not had any requests for anything to discuss in the BoF session at Networkshop. -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support From gerry at dorfam.ca Mon Mar 24 20:10:43 2003 
From: gerry at dorfam.ca (Gerry Doris) Date: Thu Jan 12 21:17:34 2006 Subject: SpamAssassin caused error messages Message-ID: <36554.129.80.22.133.1048536643.squirrel@tiger.dorfam.ca> I continue to get the error "timeout waiting for input from local during Draining Input" appearing in my log when using spamassassin. It generally occurs during heavy system loads. It is described on the sendmail website and occurs when "e-mail is delivered to a program which generates too much output". Experimenting with spamassassin I've found that turning off spamassassin calls by MS and calling spamassassin in procmail will eliminate the problem. However, using spamc instead of spamassassin in procmail will also cause the error messages to appear. This appears to be consistent with direct calls from MS. I've mentioned this behaviour on the SpamAssassin mailing list but been told that no one else is seeing the problem. In any case, I just wanted to mention it here in case others might be experiencing the problem. BTW, it isn't unique to 2.50 or 2.51. I was seeing these errors back on 2.43. Gerry From mailscanner at ecs.soton.ac.uk Mon Mar 24 22:04:23 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:34 2006 Subject: SpamAssassin caused error messages In-Reply-To: <36554.129.80.22.133.1048536643.squirrel@tiger.dorfam.ca> Message-ID: <5.2.0.9.2.20030324220355.022dbd30@imap.ecs.soton.ac.uk> I believe this is fixed in the next release. At 20:10 24/03/2003, you wrote: >I continue to get the error > >"timeout waiting for input from local during Draining Input" > >appearing in my log when using spamassassin. It generally occurs during >heavy system loads. It is described on the sendmail website and occurs >when "e-mail is delivered to a program which generates too much output". > >Experimenting with spamassassin I've found that turning off spamassassin >calls by MS and calling spamassassin in procmail will eliminate the >problem. However, using spamc instead of spamassassin in procmail will >also cause the error messages to appear. This appears to be consistent >with direct calls from MS. > >I've mentioned this behaviour on the SpamAssassin mailing list but been >told that no one else is seeing the problem. > >In any case, I just wanted to mention it here in case others might be >experiencing the problem. BTW, it isn't unique to 2.50 or 2.51. I was >seeing these errors back on 2.43. > >Gerry -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support From raymond at PROLOCATION.NET Mon Mar 24 22:07:54 2003 
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:17:34 2006 Subject: SpamAssassin caused error messages In-Reply-To: <5.2.0.9.2.20030324220355.022dbd30@imap.ecs.soton.ac.uk> Message-ID: Hi Julian, > I believe this is fixed in the next release. > >I've mentioned this behaviour on the SpamAssassin mailing list but been > >told that no one else is seeing the problem. > > > >In any case, I just wanted to mention it here in case others might be > >experiencing the problem. BTW, it isn't unique to 2.50 or 2.51. I was > >seeing these errors back on 2.43. Is this close to due ? If needed i can fieldtest. Bye, Raymond. From lindsay at pa.net Mon Mar 24 22:18:23 2003 From: lindsay at pa.net (Lindsay Snider) Date: Thu Jan 12 21:17:34 2006 Subject: Mailscanner in mem In-Reply-To: <5.2.0.9.2.20030324115113.02873bc8@imap.ecs.soton.ac.uk> References: <5.2.0.9.2.20030324105235.02378b00@imap.ecs.soton.ac.uk> <5.2.0.9.2.20030324115113.02873bc8@imap.ecs.soton.ac.uk> Message-ID: <200303241718.23586.lindsay@pa.net> I revisited this w/ the newest f-prot (3.12d) to see if things have changed. No luck. I submitted a bug to their site for 3.12d. Here's a command line work around. /usr/local/f-prot/f-prot `/usr/bin/find /dev/shm/$workdir -type f` As a hack, maybe change the call on line 464 (sub TryOneCommercial) of SweepViruses.pm? Here is the patch. I wish I had a server I could test this on but since I don't, this is untested. ---------------------------------------------------------------------------------------------------- --- SweepViruses.pm 2003-03-24 16:56:22.000000000 -0500 +++ SweepViruses2.pm 2003-03-24 16:57:07.000000000 -0500 
@@ -461,7 +461,7 @@ } else { # In the child POSIX::setsid(); - exec "$sweepcommand $voptions $subdir" + exec "$sweepcommand $voptions `/usr/bin/find $subdir -type f`" or die "Can't run commercial checker $scanner (\"$sweepcommand\"): $!"; } }; ---------------------------------------------------------------------------------------------------- If you try it, I'd be curious to see how well it works. I too would like to put the working directory on /dev/shm. lindsay On Monday 24 March 2003 06:51, you wrote: > Try scanning a directory structure in tmpfs with the latest F-Prot code, > it's possible they have fixed it. > Let me know what you find. > > At 11:20 24/03/2003, you wrote: > >Tnx > >I use fprot so there goes that idea > > > >Mozzi > > > >On Monday 24 March 2003 12:55, you wrote: > > > At 09:26 24/03/2003, you wrote: > > > >Hallo all > > > > > > > >Can anyone remeber the subject for the thrad on running mailscanner in > > > > memory? > > > > > > > >I have a box with 3Gig ram here and I need the performance. > > > > > > You can safely run with the MailScanner/incoming directory in RAM (just > > > use tmpfs) as long as you aren't using F-Prot (which for some reason > > > doesn't like tmpfs and won't recurse directories properly). Putting > > > your mqueue.in and mqueue in RAM is very dodgy unless your RAM is > > > battery-backed and your system is never rebooted with anything in its > > > mail queues. > > > > > > If you are running Linux, then add a "-" in front of the log filename > > > in syslog.conf. So instead of it logging to > > > /var/log/maillog > > > make it > > > -/var/log/maillog > > > That will stop syslogd from fsync-ing after every log entry, which can > > > make quite a difference to your disk traffic. > > > > > > Running with MailScanner/incoming in tmpfs can add up to 30% to your > > > max throughput. 
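Review bot: the replacement `exec` line in the SweepViruses.pm hunk feeds the output of `find` through shell command substitution, so any path under `$subdir` that contains whitespace or glob characters is split or expanded into different arguments, the scanner is handed names that do not match the files on disk, and those files go unscanned. A large batch can also exceed the kernel's argument-length limit and make the `exec` fail, and an empty directory runs the scanner with no path at all. I would keep `exec "$sweepcommand $voptions $subdir"` in SweepViruses.pm and do the file enumeration in the scanner's wrapper script with `find ... -exec`, or else build the file list in Perl and use the list form of `exec` so that no shell parses the names. The patch is also stated to be untested, so it needs a run against a tmpfs directory containing nested directories and a file name with a space before it is applied.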
> > > -- > > > Julian Field > > > www.MailScanner.info > > > Professional Support Services at www.MailScanner.biz > > > MailScanner thanks transtec Computers for their support From ms at MLSIS.CO.UK Mon Mar 24 23:30:59 2003 
From: ms at MLSIS.CO.UK (Matt Lowe) Date: Thu Jan 12 21:17:34 2006 Subject: postfix compatability? In-Reply-To: <3E7F3A6B.80706@pa.net> References: <3E650494.4080305@pa.net> <1048456295.7974.74.camel@luggage> <200303241019.05448.lindsay@pa.net> <3E7F35E0.508@pa.net> <3E7F3A6B.80706@pa.net> Message-ID: <1048548660.7974.166.camel@luggage> ok, that now works ok :) thanks. now i get the following problems when trying to send an email to the mailserver Mar 24 16:59:44 gateway postfix/smtpd[30341]: connect from unknown[192.168.1.1] Mar 24 16:59:44 gateway postfix/smtpd[30341]: A5840DFB56: client=unknown[192.168.1.1] Mar 24 16:59:44 gateway postfix/cleanup[30342]: A5840DFB56: message-id= Mar 24 21:59:44 gateway postfix/qmgr[26267]: A5840DFB56: from=, size=509, nrcpt=1 (queue active) Mar 24 16:59:44 gateway postfix/smtpd[30341]: disconnect from unknown[192.168.1.1] Mar 24 21:59:44 gateway postfix/pipe[30344]: fatal: get_service_attr: unknown username: filter Mar 24 21:59:45 gateway postfix/qmgr[26267]: warning: premature end-of-input from private/filter socket while reading input attribute name Mar 24 21:59:45 gateway postfix/qmgr[26267]: warning: private/filter socket: malformed response Mar 24 21:59:45 gateway postfix/qmgr[26267]: warning: transport filter failure -- see a previous warning/fatal/panic logfile record for the problem description Mar 24 21:59:45 gateway postfix/master[11483]: warning: process /usr/libexec/postfix/pipe pid 30344 exit status 1 Mar 24 21:59:45 gateway postfix/master[11483]: warning: /usr/libexec/postfix/pipe: bad command startup -- throttling Mar 24 22:01:04 gateway MailScanner[30482]: MailScanner E-Mail Virus Scanner version 4.13-3 starting... 
Mar 24 22:01:04 gateway update.virus.scanners: Found rav installed Mar 24 22:01:04 gateway update.virus.scanners: Updating rav Mar 24 22:01:05 gateway MailScanner[30482]: Using locktype = flock Mar 24 17:01:05 gateway postfix/pickup[28916]: 4759CDFB58: uid=0 from= Mar 24 17:01:05 gateway postfix/cleanup[30342]: 4759CDFB58: message-id=<20030324220105.4759CDFB58@FQDN-of-Mailserver> Mar 24 22:01:05 gateway postfix/qmgr[26267]: 4759CDFB58: from=, size=571, nrcpt=1 (queue active) Mar 24 22:01:05 gateway postfix/local[30529]: 4759CDFB58: to=, relay=local, delay=0, status=sent (mailbox) Mar 24 22:01:14 gateway MailScanner[30530]: MailScanner E-Mail Virus Scanner version 4.13-3 starting... Mar 24 22:01:14 gateway MailScanner[30530]: Using locktype = flock Mar 24 22:01:24 gateway MailScanner[30531]: MailScanner E-Mail Virus Scanner version 4.13-3 starting... Mar 24 22:01:24 gateway MailScanner[30531]: Using locktype = flock Mar 24 22:01:34 gateway MailScanner[30532]: MailScanner E-Mail Virus Scanner version 4.13-3 starting... Mar 24 22:01:34 gateway MailScanner[30532]: Using locktype = flock my master.cf file is as follows :- # # ========================================================================== # service type private unpriv chroot wakeup maxproc command + args # (yes) (yes) (yes) (never) (50) # ========================================================================== smtp inet n - y - - smtpd -o content_filter=filter: #smtps inet n - n - - smtpd # -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes #submission inet n - n - - smtpd # -o smtpd_enforce_tls=yes -o smtpd_sasl_auth_enable=yes #628 inet n - n - - qmqpd pickup fifo n - y 60 1 pickup cleanup unix n - y - 0 cleanup qmgr fifo n - n 300 1 qmgr #qmgr fifo n - y 300 1 nqmgr #tlsmgr fifo - - n 300 1 tlsmgr rewrite unix - - y - - trivial-rewrite bounce unix - - y - 0 bounce defer unix - - y - 0 bounce flush unix n - y 1000? 
0 flush smtp unix - - y - - smtp showq unix n - y - - showq error unix - - y - - error local unix - n n - - local virtual unix - n y - - virtual lmtp unix - - y - - lmtp # # Interfaces to non-Postfix software. Be sure to examine the manual # pages of the non-Postfix software to find out what options it wants. # The Cyrus deliver program has changed incompatibly. # cyrus unix - n n - - pipe flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user} uucp unix - n n - - pipe flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail.postfix ($recipient) ifmail unix - n n - - pipe flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient) bsmtp unix - n n - - pipe flags=Fq. user=foo argv=/usr/local/sbin/bsmtp -f $sender $nexthop $recipient filter unix - n n - - pipe user=filter argv=/usr/local/spoolerator/enspool.pl -f ${sender} -- ${recipient} anyone any ideas? thanks in advance i can paste any other info needed to solve this if anyone wants it, but you'll need to tell me what is needed :) From mailscanner at ecs.soton.ac.uk Tue Mar 25 08:50:38 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:34 2006 Subject: SpamAssassin caused error messages In-Reply-To: References: <5.2.0.9.2.20030324220355.022dbd30@imap.ecs.soton.ac.uk> Message-ID: <5.2.0.9.2.20030325085010.064dddf8@imap.ecs.soton.ac.uk> I will update the "unstable" listing as soon as I can. I just need a couple of files from Jan first. At 22:07 24/03/2003, you wrote: >Hi Julian, > > > I believe this is fixed in the next release. > > > >I've mentioned this behaviour on the SpamAssassin mailing list but been > > >told that no one else is seeing the problem. > > > > > >In any case, I just wanted to mention it here in case others might be > > >experiencing the problem. BTW, it isn't unique to 2.50 or 2.51. I was > > >seeing these errors back on 2.43. > >Is this close to due ? >If needed i can fieldtest. > >Bye, >Raymond. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Tue Mar 25 08:56:03 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:34 2006 Subject: Mailscanner in mem In-Reply-To: <200303241718.23586.lindsay@pa.net> References: <5.2.0.9.2.20030324115113.02873bc8@imap.ecs.soton.ac.uk> <5.2.0.9.2.20030324105235.02378b00@imap.ecs.soton.ac.uk> <5.2.0.9.2.20030324115113.02873bc8@imap.ecs.soton.ac.uk> Message-ID: <5.2.0.9.2.20030325085057.0654b7b0@imap.ecs.soton.ac.uk> At 22:18 24/03/2003, you wrote: >I revisited this w/ the newest f-prot (3.12d) to see if things have changed. >No luck. I submitted a bug to their site for 3.12d. Here's a command line >work around. I agree with Nick completely, this should be in the -wrapper script. I will add it as an optional bit of code in the wrapper. Please try the attached -wrapper (with the "RamDisk" variable set to "yes"). >/usr/local/f-prot/f-prot `/usr/bin/find /dev/shm/$workdir -type f` > >As a hack, maybe change the call on line 464 (sub TryOneCommercial) of >SweepViruses.pm? > >Here is the patch. I wish I had a server I could test this on but since I >don't, this is untested. >---------------------------------------------------------------------------------------------------- >--- SweepViruses.pm 2003-03-24 16:56:22.000000000 -0500 >+++ SweepViruses2.pm 2003-03-24 16:57:07.000000000 -0500 
>@@ -461,7 +461,7 @@ > } else { > # In the child > POSIX::setsid(); >- exec "$sweepcommand $voptions $subdir" >+ exec "$sweepcommand $voptions `/usr/bin/find $subdir -type f`" > or die "Can't run commercial checker $scanner (\"$sweepcommand\"): >$!"; > } > }; >---------------------------------------------------------------------------------------------------- > >If you try it, I'd be curious to see how well it works. I too would like to >put the working directory on /dev/shm. > >lindsay > > > >On Monday 24 March 2003 06:51, you wrote: > > Try scanning a directory structure in tmpfs with the latest F-Prot code, > > it's possible they have fixed it. > > Let me know what you find. > > > > At 11:20 24/03/2003, you wrote: > > >Tnx > > >I use fprot so there goes that idea > > > > > >Mozzi > > > > > >On Monday 24 March 2003 12:55, you wrote: > > > > At 09:26 24/03/2003, you wrote: > > > > >Hallo all > > > > > > > > > >Can anyone remeber the subject for the thrad on running mailscanner in > > > > > memory? > > > > > > > > > >I have a box with 3Gig ram here and I need the performance. > > > > > > > > You can safely run with the MailScanner/incoming directory in RAM (just > > > > use tmpfs) as long as you aren't using F-Prot (which for some reason > > > > doesn't like tmpfs and won't recurse directories properly). Putting > > > > your mqueue.in and mqueue in RAM is very dodgy unless your RAM is > > > > battery-backed and your system is never rebooted with anything in its > > > > mail queues. > > > > > > > > If you are running Linux, then add a "-" in front of the log filename > > > > in syslog.conf. So instead of it logging to > > > > /var/log/maillog > > > > make it > > > > -/var/log/maillog > > > > That will stop syslogd from fsync-ing after every log entry, which can > > > > make quite a difference to your disk traffic. > > > > > > > > Running with MailScanner/incoming in tmpfs can add up to 30% to your > > > > max throughput. 
> > > > -- > > > > Julian Field > > > > www.MailScanner.info > > > > Professional Support Services at www.MailScanner.biz > > > > MailScanner thanks transtec Computers for their support -------------- next part -------------- A non-text attachment was scrubbed... Name: f-prot-wrapper Type: application/octet-stream Size: 2738 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030325/9fab024e/f-prot-wrapper.obj -------------- next part -------------- -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From m.sapsed at BANGOR.AC.UK Tue Mar 25 09:07:48 2003 From: m.sapsed at BANGOR.AC.UK (Martin Sapsed) Date: Thu Jan 12 21:17:34 2006 Subject: Mailscanner4 on Debian System with SA 2.5 / experience??? References: <3E7F4B08.1030402@bluewin.ch> Message-ID: <3E801C64.60108@bangor.ac.uk> Patrick Steiner wrote: > Have anybody experience with Mailscanner 4 on a Debian System? At the > moment i use Mailscanner 3.27.1-1 from Debian unstable with SA 2.50-1 > but when i want update to version 4 i have problem with spamassassin. > every spammails have a to low spamscore (>3). but when i pipe the > spammail directly to spamassassin then the spamscore is >7 i think > spamassasin works fine but mailscanner have "communication" problem > with spamassassin. I have had MailScanner-4.13-3 running on Debian (woody) for some time and it works fine. I have only got version 2.43-1 of the SpamAssassin package in place though.... Cheers, Martin -- Martin Sapsed Information Services "Who do you say I am?" University of Wales, Bangor Jesus of Nazareth From m.sapsed at BANGOR.AC.UK Tue Mar 25 09:13:14 2003 
From: m.sapsed at BANGOR.AC.UK (Martin Sapsed) Date: Thu Jan 12 21:17:34 2006 Subject: spam.assassin.prefs.conf References: <5.2.0.9.2.20030324133115.030a2be0@imap.ecs.soton.ac.uk> <3E7F14A9.6040704@sghms.ac.uk> Message-ID: <3E801DAA.8000601@bangor.ac.uk> Daniel Bird wrote: > Thought so. That poses another question (may be getting a little OT > here). I have multiple mailhubs running identical configs. What, if > anything do people do to automate updates to preference files like this? > > I currently run a simple rcp for spam.assassin.prefs.conf, as an > unprivileged user but with permissions to overwrite the file. But > restarting MailScanner would require root privilege would it not?, and > out of the box RH Linux doesn't allow that. Bear in mind though that MailScanner restarts itself after (by default IIRC) every 4 hours so if your change isn't urgent it will be applied in a while...? (This is still the case with the V4 multiple children stuff isn't it Julian?) Cheers, Martin -- Martin Sapsed Information Services "Who do you say I am?" University of Wales, Bangor Jesus of Nazareth From mailscanner at ecs.soton.ac.uk Tue Mar 25 09:14:54 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:34 2006 Subject: SpamAssassin 2.52 released Message-ID: <5.2.0.9.2.20030325091422.062c7040@imap.ecs.soton.ac.uk> I am building and installing it now, will let you know if anything nasty happens. If you don't hear anything, it's working nicely :-) -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From m.sapsed at BANGOR.AC.UK Tue Mar 25 09:35:19 2003 
From: m.sapsed at BANGOR.AC.UK (Martin Sapsed) Date: Thu Jan 12 21:17:34 2006 Subject: Summary: spam thresholds? References: <3E775B92.2030708@bangor.ac.uk> Message-ID: <3E8022D7.3050509@bangor.ac.uk> Hello again, Martin Sapsed wrote: > Since we've finally gone site wide with MailScanner we've had a few > grumbles that we're not picking up enough spam! (Some people are never > satisfied!) > > Would people mind mailing me with the spam and spamhigh numbers you use > and I'll summarise the responses next week if anyone's interested? OK - I had 12 responses (although one wasn't a direct response but someone put the numbers in another message!) plus ourselves. Average ordinary threshold was 5.6 and average High score was 13.3. 6 of the 13 are using 5 as the low score, we're now using 4.5 and the lowest in standard use was 4.4 although someone said they used 4 personally but 5 for everyone else. The highest lower threshold was 9. On the High SpamAssassin Score, a number of people either didn't use it or left it at the default of 20. Just using the 6 who had changed the value, the average was 10. To some extent experience of the values will vary depending on the version of SpamAssassin in use. We've provided a web page for people to visit to request addresses for whitelisting in order to address the false positives. It will be interesting to see whether the Bayes stuff in 2.5x will address some of the more cunning spammers, especially the ones who put HTML comments with random content in the middle of the words that SpamAssassin looks for! Thanks to those who responded... Cheers, Martin -- Martin Sapsed Information Services "Who do you say I am?" University of Wales, Bangor Jesus of Nazareth From Peter.Bates at LSHTM.AC.UK Tue Mar 25 10:00:45 2003 
From: Peter.Bates at LSHTM.AC.UK (Peter Bates) Date: Thu Jan 12 21:17:34 2006 Subject: postfix compatability? Message-ID: Hello there... Remember, the logs are your friends. >now i get the following problems when trying to send an email to the >mailserver >Mar 24 21:59:44 gateway postfix/pipe[30344]: fatal: get_service_attr: >unknown username: filter my master.cf file is as follows :- # service type private unpriv chroot wakeup maxproc command + args # (yes) (yes) (yes) (never) (50) # ========================================================================== smtp inet n - y - - smtpd -o content_filter=filter: filter unix - n n - - pipe user=filter argv=/usr/local/spoolerator/enspool.pl -f ${sender} -- ${recipient} Firstly, I think you need to add a user 'filter', as the content_filter actually runs as that user (see user=x in lines above)... secondly, same problem I had, you probably need to change the chroot from 'y' to 'n' on smtp as otherwise Postfix doesn't actually recognise that user, or really run the script at all... Hence: smtp inet n - n - - smtpd -o content_filter=filter: ... and that's pretty much what I have working fine on a box here. As Leland said , it's those lines in master.cf, and then a bit of changing of the MailScanner configuration. ---------------------------------------------------------------------------------------------------> Peter Bates, Systems Support Officer, Network Support Team. London School of Hygiene & Tropical Medicine. Telephone:0207-958 8353 / Fax: 0207- 636 9838 From jase at SENSIS.COM Tue Mar 25 13:55:54 2003 From: jase at SENSIS.COM (Desai, Jason) Date: Thu Jan 12 21:17:34 2006 Subject: Mailscanner4 on Debian System with SA 2.5 / exp erience??? Message-ID: I too have MailScanner 4 working fine on a Debian System. Debian Woody MailScanner 4.12-2 SpamAssassin 2.43 and 2.51 I installed both MailScanner and SpamAssassin from their source (not Debian packages). Jason > -----Original Message----- 
> From: Martin Sapsed [mailto:m.sapsed@BANGOR.AC.UK] > Sent: Tuesday, March 25, 2003 4:08 AM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: [MAILSCANNER] Mailscanner4 on Debian System with SA 2.5 / > experience??? > > > Patrick Steiner wrote: > > Have anybody experience with Mailscanner 4 on a Debian > System? At the > > moment i use Mailscanner 3.27.1-1 from Debian unstable > with SA 2.50-1 > > but when i want update to version 4 i have problem with > spamassassin. > > every spammails have a to low spamscore (>3). but when i pipe the > > spammail directly to spamassassin then the spamscore is >7 i think > > spamassasin works fine but mailscanner have "communication" problem > > with spamassassin. > > I have had MailScanner-4.13-3 running on Debian (woody) for some time > and it works fine. I have only got version 2.43-1 of the SpamAssassin > package in place though.... > > Cheers, > > Martin > > -- > Martin Sapsed > Information Services "Who do you say I am?" > University of Wales, Bangor Jesus of Nazareth > From keith at ZORKA.COM Tue Mar 25 14:15:07 2003 
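The `fatal: get_service_attr: unknown username: filter` failure from the postfix compatibility thread earlier in this archive can be caught before Postfix is reloaded. The following is an added example, not code from any poster or from the Postfix or MailScanner projects: it parses master.cf and checks the content_filter transport and the pipe user. The sample configuration is constructed from the entries quoted in that thread, and the function names are assumptions.

```python
import re

# Constructed sample: the entries relevant to the thread, laid out as master.cf lines.
SAMPLE_MASTER_CF = """\
# service type  private unpriv  chroot  wakeup  maxproc command + args
smtp      inet  n       -       y       -       -       smtpd
    -o content_filter=filter:
pickup    fifo  n       -       y       60      1       pickup
cyrus     unix  -       n       n       -       -       pipe
    flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
filter    unix  -       n       n       -       -       pipe
    user=filter argv=/usr/local/spoolerator/enspool.pl -f ${sender} -- ${recipient}
"""

COLUMNS = ("service", "type", "private", "unpriv", "chroot", "wakeup", "maxproc")


def parse_master_cf(text):
    """Return one dict per service entry, joining indented continuation lines."""
    logical = []
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue                       # blank line or comment
        if raw[0].isspace() and logical:
            logical[-1] += " " + stripped  # continuation of the previous entry
        else:
            logical.append(stripped)
    entries = []
    for line in logical:
        parts = line.split()
        if len(parts) < 8:
            continue                       # not a complete service entry
        entry = dict(zip(COLUMNS, parts[:7]))
        entry["command"], entry["args"] = parts[7], parts[8:]
        entries.append(entry)
    return entries


def check_content_filter(entries, known_users=None, default_chroot="n"):
    """Return (level, service, message) findings for smtpd and pipe entries.

    known_users: account names to accept; defaults to the local passwd database.
    default_chroot: what "-" means in the chroot column ("y" before Postfix 3.0).
    """
    if known_users is None:
        import pwd                         # Unix only
        known_users = {p.pw_name for p in pwd.getpwall()}
    defined = {(e["service"], e["type"]) for e in entries}
    findings = []
    for e in entries:
        chroot = default_chroot if e["chroot"] == "-" else e["chroot"]
        argline = " ".join(e["args"])
        if e["command"] == "smtpd":
            m = re.search(r"content_filter=([^\s:]+):", argline)
            if m and (m.group(1), "unix") not in defined:
                findings.append(("error", e["service"],
                                 f"content_filter transport {m.group(1)} is not defined"))
            if m and chroot == "y":
                # Reported by a poster in this thread, not a documented Postfix rule.
                findings.append(("note", e["service"],
                                 "smtpd with content_filter runs chrooted"))
        elif e["command"] == "pipe":
            if chroot == "y":
                # pipe(8) executes external commands, which a chroot jail hides.
                findings.append(("error", e["service"],
                                 "pipe(8) should not run chrooted"))
            attrs = argline.split("argv=", 1)[0]   # attributes precede argv=
            m = re.search(r"\buser=([^\s:]+)", attrs)
            if m is None:
                findings.append(("error", e["service"], "pipe entry has no user="))
            elif m.group(1) not in known_users:
                findings.append(("error", e["service"],
                                 f"unknown username: {m.group(1)}"))
    return findings


if __name__ == "__main__":
    # Account set is constructed: a host where the "filter" user was never created.
    for finding in check_content_filter(parse_master_cf(SAMPLE_MASTER_CF),
                                        known_users={"root", "postfix", "cyrus"}):
        print(*finding, sep=": ")
```

Called without `known_users`, the check reads the accounts of the host it runs on, so run it on the mail server itself.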
From: keith at ZORKA.COM (Keith Elder) Date: Thu Jan 12 21:17:34 2006 Subject: Can't locate loadable object for module HTML::Parser Message-ID: <47445F99-5E08-11D7-90CC-000393DB784A@zorka.com> Greetings: I receive the error stated in the subject and below when I start MailScanner on a RH 7.2 machine. Here is the complete error I get. I've tried putting in the correct CPAN files but still get this error. The version I am running is 4.13. I assume this is a simple perl fix but I have exceeded my perl knowledge. ---------- ERROR ---------- MailScanner: Can't locate loadable object for module HTML::Parser in @INC (@INC contains: /usr/lib/MailScanner /usr/lib/perl5/5.6.0/i386-linux /usr/lib/perl5/5.6.0 /usr/lib/perl5/site_perl/5.6.0/i386-linux /usr/lib/perl5/site_perl/5.6.0 /usr/lib/perl5/site_perl . /usr/lib/MailScanner) at /usr/lib/perl5/5.6.0/i386-linux/HTML/Entities.pm line 108 Compilation failed in require at /usr/lib/perl5/5.6.0/i386-linux/HTML/Entities.pm line 108. Compilation failed in require at /usr/lib/perl5/5.6.0/i386-linux/HTML/TokeParser.pm line 11. BEGIN failed--compilation aborted at /usr/lib/perl5/5.6.0/i386-linux/HTML/TokeParser.pm line 11. Compilation failed in require at /usr/lib/MailScanner/MailScanner/Message.pm line 43. BEGIN failed--compilation aborted at /usr/lib/MailScanner/MailScanner/Message.pm line 43. Compilation failed in require at /usr/sbin/MailScanner line 47. BEGIN failed--compilation aborted at /usr/sbin/MailScanner line 47. Thanks, Keith From mailscanner at ecs.soton.ac.uk Tue Mar 25 15:11:54 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:34 2006 Subject: New beta release and FreeBSD port Message-ID: <5.2.0.9.2.20030325151049.0895afa0@imap.ecs.soton.ac.uk> I have just put 4.14-6 on the web site. Note this is not intended for use on production servers. Hopefully it will play nicely with SpamAssassin 2.52. None of the other RPMs involved have changed, just mailscanner*rpm. Major new feature: There is now a FreeBSD port, courtesy of Jan-Peter Koopmann. The ChangeLog since 4.13 now looks like this: * New Features and Improvements * - Improved OpenBSD installation and upgrading instructions. - Added check of location of all required system commands. - Improved wording of message to spam senders. - Increased max size of messages sent to SpamAssassin. Spam messages are getting bigger. - All variables in the supplied conf file are now set to something, even if just a blank value. This will make upgrade_MailScanner_conf work better. - Signed and/or encrypted messages can now be signed without breaking the PGP/GPG signed portion of the message. - RAV support improved in Cobalt RaQ systems. - Speeded up deletion of working area directories (thanks to Tony F for that). - Added "Include Scanner Name In Reports" option to allow the virus scanner name to appear in the scanning reports. - Added optional support in f-prot-wrapper script to support tmpfs and ramdisks which F-Prot cannot use without assistance. * Fixes * - Fixed important bug in filename checking code causing it not to check long filenames properly. I strongly advise all 4.13 users to upgrade. - Changed setuid/setgid code so taint mode is not switched on. - Fixed various other issues kindly brought to my attention by Tony Finch at Cambridge Univ. - Fixed problem with deleting recipients from messages with Exim. - Fixed problem with headers being passed to SpamAssassin from Exim incorrectly. - Fixed problem when running internal TNEF decoder. 
- Fixed locking problems when SpamAssassin 2.50 times out. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Tue Mar 25 15:14:07 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:34 2006 Subject: Can't locate loadable object for module HTML::Parser In-Reply-To: <47445F99-5E08-11D7-90CC-000393DB784A@zorka.com> Message-ID: <5.2.0.9.2.20030325151332.065ace38@imap.ecs.soton.ac.uk> Looks like the HTML::Parser module didn't install for some reason. What did it say when you ran "./install.sh" and it tried to install HTML::Parser? At 14:15 25/03/2003, you wrote: >Greetings: > >I receive the error stated in the subject and below when I start >MailScanner on a RH 7.2 machine. Here is the complete error I get. >I've tried putting in the correct CPAN files but still get this error. >The version I am running is 4.13. I assume this is a simple perl fix >but I have exceeded my perl knowledge. > >---------- ERROR ---------- >MailScanner: Can't locate loadable object for module HTML::Parser >in @INC (@INC contains: /usr/lib/MailScanner >/usr/lib/perl5/5.6.0/i386-linux /usr/lib/perl5/5.6.0 >/usr/lib/perl5/site_perl/5.6.0/i386-linux >/usr/lib/perl5/site_perl/5.6.0 /usr/lib/perl5/site_perl . >/usr/lib/MailScanner) at >/usr/lib/perl5/5.6.0/i386-linux/HTML/Entities.pm line 108 >Compilation failed in require at >/usr/lib/perl5/5.6.0/i386-linux/HTML/Entities.pm line 108. >Compilation failed in require at >/usr/lib/perl5/5.6.0/i386-linux/HTML/TokeParser.pm line 11. >BEGIN failed--compilation aborted at >/usr/lib/perl5/5.6.0/i386-linux/HTML/TokeParser.pm line 11. >Compilation failed in require at >/usr/lib/MailScanner/MailScanner/Message.pm line 43. >BEGIN failed--compilation aborted at >/usr/lib/MailScanner/MailScanner/Message.pm line 43. >Compilation failed in require at /usr/sbin/MailScanner line 47. >BEGIN failed--compilation aborted at /usr/sbin/MailScanner line 47. > >Thanks, > >Keith -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From jase at SENSIS.COM Tue Mar 25 15:45:49 2003 
From: jase at SENSIS.COM (Desai, Jason) Date: Thu Jan 12 21:17:34 2006 Subject: RBL Check timed out Message-ID: Hello. Yesterday I received a bunch of "RBL Check timed out and was killed" messages in mail.log. Here is a sample output from my logs: $ grep "MailScanner\[6171\]: RBL" /var/log/mail.log Mar 24 11:47:53 dimstar MailScanner[6171]: RBL Check timed out and was killed, consecutive failure 1 of 7 Mar 24 11:54:50 dimstar MailScanner[6171]: RBL Check timed out and was killed, consecutive failure 2 of 7 Mar 24 11:55:01 dimstar MailScanner[6171]: RBL Check timed out and was killed, consecutive failure 3 of 7 Mar 24 11:59:44 dimstar MailScanner[6171]: RBL Check timed out and was killed, consecutive failure 4 of 7 Mar 24 12:01:06 dimstar MailScanner[6171]: RBL Check timed out and was killed, consecutive failure 5 of 7 Mar 24 12:03:40 dimstar MailScanner[6171]: RBL Check timed out and was killed, consecutive failure 6 of 7 Mar 24 12:06:53 dimstar MailScanner[6171]: RBL Check timed out and was killed, consecutive failure 7 of 7 Mar 24 12:10:07 dimstar MailScanner[6171]: RBL Check timed out and was killed, consecutive failure 8 of 7 Mar 24 12:11:20 dimstar MailScanner[6171]: RBL Check timed out and was killed, consecutive failure 9 of 7 Mar 24 12:12:07 dimstar MailScanner[6171]: RBL Check timed out and was killed, consecutive failure 10 of 7 Mar 24 12:16:45 dimstar MailScanner[6171]: RBL Check timed out and was killed, consecutive failure 11 of 7 Mar 24 12:20:09 dimstar MailScanner[6171]: RBL Check timed out and was killed, consecutive failure 12 of 7 Mar 24 12:45:20 dimstar MailScanner[6171]: RBL Check timed out and was killed, consecutive failure 13 of 7 Mar 24 12:46:26 dimstar MailScanner[6171]: RBL Check timed out and was killed, consecutive failure 14 of 7 Mar 24 12:49:00 dimstar MailScanner[6171]: RBL Check timed out and was killed, consecutive failure 15 of 7 Mar 24 12:50:14 dimstar MailScanner[6171]: RBL Check timed out and was killed, consecutive failure 16 
of 7 Mar 24 13:56:02 dimstar MailScanner[6171]: RBL Check timed out and was killed, consecutive failure 17 of 7 In my MailScanner.conf file, I have Spam List = I'm pretty sure that I tried commenting out the Spam List entry too, and I've seen similar messages. I am trying to prevent MailScanner from doing any RBL checks (I only want SpamAssassin to do this). I don't understand why it would be trying to do RBL checks, and why it keeps on failing even after 7 consecutive failures. I am running MailScanner 4.12-2. Is this a bug in the code or do I have something configured wrong? Jason From mailscanner at ecs.soton.ac.uk Tue Mar 25 16:29:46 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:34 2006 Subject: RBL Check timed out In-Reply-To: Message-ID: <5.2.0.9.2.20030325161004.068b0ec0@imap.ecs.soton.ac.uk> I fixed this for SA in 4.11. Forgot to fix it for RBLs :( Please can you try this patch to SA.pm and let me know how you get on. --- RBLs.pm.old Fri Mar 14 11:30:42 2003 +++ RBLs.pm Tue Mar 25 16:34:16 2003 @@ -44,6 +44,7 @@ $VERSION = substr q$Revision: 1.18.2.2 $, 10; my %spamlistfailures; # Number of consecutive failures for both lists +my %deadspamlists; # All the dead spam lists # # Constructor. 
@@ -207,11 +208,17 @@ if ($pid>0) { # Increment the "Failures" counter for this RBL $spamlistfailures{"$Checked"}++; - if ($maxfailures>0) { + if (!$deadspamlists{"$Checked"} && $maxfailures>0) { MailScanner::Log::WarnLog("RBL Check $Checked timed out and was " . "killed, consecutive failure " . $spamlistfailures{"$Checked"} . " of " . $maxfailures); + # Kill this list as it has exceeded maxfailures + if ($spamlistfailures{"$Checked"}>=$maxfailures) { + MailScanner::Log::WarnLog("RBL Check %s temporarily disabled", + $Checked); + $deadspamlists{"$Checked"} = 1; + } } else { MailScanner::Log::WarnLog("RBL Check $Checked timed out and was killed"); } At 15:45 25/03/2003, you wrote: >Hello. > >Yesterday I received a bunch of "RBL Check timed out and was killed" >messages in mail.log. Here is a sample output from my logs: > >$ grep "MailScanner\[6171\]: RBL" /var/log/mail.log >Mar 24 11:47:53 dimstar MailScanner[6171]: RBL Check timed out and was >killed, consecutive failure 1 of 7 >Mar 24 11:54:50 dimstar MailScanner[6171]: RBL Check timed out and was >killed, consecutive failure 2 of 7 >Mar 24 11:55:01 dimstar MailScanner[6171]: RBL Check timed out and was >killed, consecutive failure 3 of 7 >Mar 24 11:59:44 dimstar MailScanner[6171]: RBL Check timed out and was >killed, consecutive failure 4 of 7 >Mar 24 12:01:06 dimstar MailScanner[6171]: RBL Check timed out and was >killed, consecutive failure 5 of 7 >Mar 24 12:03:40 dimstar MailScanner[6171]: RBL Check timed out and was >killed, consecutive failure 6 of 7 >Mar 24 12:06:53 dimstar MailScanner[6171]: RBL Check timed out and was >killed, consecutive failure 7 of 7 >Mar 24 12:10:07 dimstar MailScanner[6171]: RBL Check timed out and was >killed, consecutive failure 8 of 7 >Mar 24 12:11:20 dimstar MailScanner[6171]: RBL Check timed out and was >killed, consecutive failure 9 of 7 >Mar 24 12:12:07 dimstar MailScanner[6171]: RBL Check timed out and was >killed, consecutive failure 10 of 7 >Mar 24 12:16:45 dimstar 
MailScanner[6171]: RBL Check timed out and was >killed, consecutive failure 11 of 7 >Mar 24 12:20:09 dimstar MailScanner[6171]: RBL Check timed out and was >killed, consecutive failure 12 of 7 >Mar 24 12:45:20 dimstar MailScanner[6171]: RBL Check timed out and was >killed, consecutive failure 13 of 7 >Mar 24 12:46:26 dimstar MailScanner[6171]: RBL Check timed out and was >killed, consecutive failure 14 of 7 >Mar 24 12:49:00 dimstar MailScanner[6171]: RBL Check timed out and was >killed, consecutive failure 15 of 7 >Mar 24 12:50:14 dimstar MailScanner[6171]: RBL Check timed out and was >killed, consecutive failure 16 of 7 >Mar 24 13:56:02 dimstar MailScanner[6171]: RBL Check timed out and was >killed, consecutive failure 17 of 7 > >In my MailScanner.conf file, I have > >Spam List = > >I'm pretty sure that I tried commenting out the Spam List entry too, and >I've seen similar messages. I am trying to prevent MailScanner from doing >any RBL checks (I only want SpamAssassin to do this). I don't understand >why it would be trying to do RBL checks, and why it keeps on failing even >after 7 consecutive failures. I am running MailScanner 4.12-2. Is this a >bug in the code or do I have something configured wrong? > >Jason -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Tue Mar 25 16:32:09 2003 
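Review bot: In the @@ -207,11 +208,17 @@ hunk of RBLs.pm, $deadspamlists{"$Checked"} is read only in the logging condition, so once a list is marked dead the next timeout falls through to the else branch and still logs "RBL Check $Checked timed out and was killed". Nothing in the lines shown stops the lookup itself from being started and killed again. If the intent is to stop querying a list after $maxfailures, test the flag at the point where the check is launched and skip the list there. The new WarnLog call also passes a "%s" format with an argument while its neighbours interpolate $Checked into the string. Pick one style, and if WarnLog treats its first argument as a format (as the new call implies), prefer the format form so that a list name containing "%" is never interpreted.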
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:34 2006 Subject: RBL Check timed out In-Reply-To: Message-ID: <5.2.0.9.2.20030325163107.066a4730@imap.ecs.soton.ac.uk> The other part of your problem (the fact that it didn't notice you wanted no RBL checks at all) is already fixed in the latest code. New release due about 4th April or so. At 15:45 25/03/2003, you wrote: >Hello. > >Yesterday I received a bunch of "RBL Check timed out and was killed" >messages in mail.log. Here is a sample output from my logs: > >$ grep "MailScanner\[6171\]: RBL" /var/log/mail.log >Mar 24 11:47:53 dimstar MailScanner[6171]: RBL Check timed out and was >killed, consecutive failure 1 of 7 > >In my MailScanner.conf file, I have > >Spam List = > >I'm pretty sure that I tried commenting out the Spam List entry too, and >I've seen similar messages. I am trying to prevent MailScanner from doing >any RBL checks (I only want SpamAssassin to do this). I don't understand >why it would be trying to do RBL checks, and why it keeps on failing even >after 7 consecutive failures. I am running MailScanner 4.12-2. Is this a >bug in the code or do I have something configured wrong? -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From nathan at TCPNETWORKS.NET Tue Mar 25 17:32:20 2003 
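A log check for the symptom reported in this thread, where the "consecutive failure N of M" counter keeps climbing past M. This is an added example, not code from MailScanner or from any poster. The sample lines are constructed in the format of the quoted mail.log output, and the list name example-rbl and the function names are assumptions.

```python
"""Spot MailScanner RBL timeout counters that climb past their own limit."""
import re

# The two message shapes quoted in this thread. The list name between
# "RBL Check" and "timed out" may be empty, as in the reporter's log.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\s"
    r"MailScanner\[(?P<pid>\d+)\]:\s"
    r"RBL Check\s*(?P<rbl>\S*?)\s*timed out and was killed"
    r"(?:,\s*consecutive failure\s(?P<n>\d+)\sof\s(?P<limit>\d+))?\s*$"
)

# Constructed sample input (not a real capture); "example-rbl" is a placeholder.
SAMPLE_LOG = """\
Mar 24 12:03:40 dimstar MailScanner[6171]: RBL Check timed out and was killed, consecutive failure 6 of 7
Mar 24 12:06:53 dimstar MailScanner[6171]: RBL Check timed out and was killed, consecutive failure 7 of 7
Mar 24 12:10:07 dimstar MailScanner[6171]: RBL Check timed out and was killed, consecutive failure 8 of 7
Mar 24 12:11:20 dimstar MailScanner[6171]: RBL Check timed out and was killed, consecutive failure 9 of 7
Mar 24 12:12:00 dimstar MailScanner[7001]: RBL Check example-rbl timed out and was killed, consecutive failure 1 of 7
Mar 24 12:12:30 dimstar MailScanner[7002]: RBL Check example-rbl timed out and was killed
Mar 24 12:13:00 dimstar sendmail[7100]: unrelated line
"""


def summarise_rbl_timeouts(lines):
    """Return {(host, pid, rbl): stats} for every RBL timeout line seen."""
    stats = {}
    for line in lines:
        m = LINE_RE.match(line.rstrip("\n"))
        if not m:
            continue  # not an RBL timeout message
        key = (m["host"], int(m["pid"]), m["rbl"] or "<unnamed>")
        entry = stats.setdefault(key, {
            "timeouts": 0,          # all timeout lines for this key
            "limit": None,          # the "of M" value, if a counter was logged
            "highest": 0,           # largest N seen
            "overruns": 0,          # lines where N > M
            "first_overrun": None,  # timestamp of the first such line
        })
        entry["timeouts"] += 1
        if m["n"] is None:
            continue  # message shape without a counter
        n, limit = int(m["n"]), int(m["limit"])
        entry["limit"] = limit
        entry["highest"] = max(entry["highest"], n)
        if n > limit:
            entry["overruns"] += 1
            entry["first_overrun"] = entry["first_overrun"] or m["ts"]
    return stats


def overrunning(stats):
    """Keys whose counter passed its limit, i.e. the list was never disabled."""
    return sorted(key for key, entry in stats.items() if entry["overruns"])


if __name__ == "__main__":
    result = summarise_rbl_timeouts(SAMPLE_LOG.splitlines())
    for host, pid, rbl in overrunning(result):
        e = result[(host, pid, rbl)]
        print(f"{host} pid {pid} list {rbl}: reached {e['highest']} of "
              f"{e['limit']}, first overrun at {e['first_overrun']}")
```
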
From: nathan at TCPNETWORKS.NET (Nathan Johanson)
Date: Thu Jan 12 21:17:34 2006
Subject: Different Subject for Object Codebase/IFrame
Message-ID:

Hello,

Someone requested this feature earlier, but I never caught the response to it.

Is it possible to append a different subject modifier for Object Codebase and Iframe tags? I don't necessarily need a special modifier for each, but one for both would suffice.

At this point, the subject is appended with {Virus?} for these two issues, which can be misleading for some of our end users. These are not really viruses. A different subject modifier will help make it clearer to our users what is actually happening. If they receive messages that they want to read (such as CNN news updates), they can request the message to be whitelisted and improve their experience. Many of our users get scared by the (VIRUS) annotation, and usually avoid the message altogether. If there is a different subject modifier (such as INSECURE), they can easily identify the problem and submit the message for whitelisting. Furthermore, a different modifier for these kinds of objections could further refine any statistics we collect on viruses down the road.

For instance, I'm thinking of the following:

Message contains a "real" virus (klez, sobig, etc.), append {VIRUS?} to the subject line.
Message contains dangerous Iframe or Object Codebase, append (INSECURE) --or some other annotation-- to the subject line.

Thanks.

Nathan Johanson
Email: nathan@tcpnetworks.net

From mailscanner at ecs.soton.ac.uk Tue Mar 25 17:37:33 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:34 2006 Subject: Different Subject for Object Codebase/IFrame In-Reply-To: Message-ID: <5.2.0.9.2.20030325173510.021d9c60@imap.ecs.soton.ac.uk> But at the moment the attachment (or even the whole message body) is removed. So what you actually want is the option to allow and tag Codebase/IFrames, and to have a different tag for them. This will take rather more work, as the "allow and tag" code isn't there. If you don't hear anything from me in the next few weeks, prod me again. At 17:32 25/03/2003, you wrote: >Hello, > >Someone requested this feature earlier, but I never caught the response >to it. > >Is it possible to append a different subject modifier for Object >Codebase and Iframe tags. I don't necessarily need a special modifier >for each, but one for both would suffice. > >At this point, the subject is appended with (Virus?} for these two >issues, which can be misleading for some of our end users. These are not >really viruses. A different subject modifier will help make it clearer >to our users what is actually happening. If they receive messages with >that they want to read (such as CNN news updates), they can request the >message to be whitelisted and improve their experience. Many of our >users get scared by the (VIRUS) annotation, and usually avoid the >message altogether. If there is a different subject modifier (such as >INSECURE), they can easily identify the problem and submit the message >for whitelisting. Furthermore, a different modifier for these kinds of >objections could further refine any statistics we collect on viruses >down the road. > >For instance, I'm thinking of the following; > >Message contains a "real" virus (klez, sobig, etc.), append {VIRUS?} to >the subject line. >Message contains dangerous Iframe or Objecte Codebase, append (INSECURE) >--or some other annotation-- to the subject line. > >Thanks. 
> >Nathan Johanson >Email: nathan@tcpnetworks.net -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support From nathan at TCPNETWORKS.NET Tue Mar 25 17:53:09 2003 From: nathan at TCPNETWORKS.NET (Nathan Johanson) Date: Thu Jan 12 21:17:35 2006 Subject: Different Subject for Object Codebase/IFrame Message-ID: Actually, I don't want to allow the message. I'm looking to deny them (or rather remove the attachment or message body), but simply tag them differently than viruses (with a modifier like (INSECURE). In other words, the messages would be denied, all dangerous stuff would be removed, the same notices will be sent to all parties (most importantly the recipient and the postmaster)--the only difference would be the subject tag. If I subsequently allow them via whitelist entries, I wouldn't want the subject modified at all. Does that make sense? Nathan -----Original Message----- 
From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] Sent: Tuesday, March 25, 2003 9:38 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Different Subject for Object Codebase/IFrame But at the moment the attachment (or even the whole message body) is removed. So what you actually want is the option to allow and tag Codebase/IFrames, and to have a different tag for them. This will take rather more work, as the "allow and tag" code isn't there. If you don't hear anything from me in the next few weeks, prod me again. At 17:32 25/03/2003, you wrote: >Hello, > >Someone requested this feature earlier, but I never caught the response >to it. > >Is it possible to append a different subject modifier for Object >Codebase and Iframe tags. I don't necessarily need a special modifier >for each, but one for both would suffice. > >At this point, the subject is appended with (Virus?} for these two >issues, which can be misleading for some of our end users. These are not >really viruses. A different subject modifier will help make it clearer >to our users what is actually happening. If they receive messages with >that they want to read (such as CNN news updates), they can request the >message to be whitelisted and improve their experience. Many of our >users get scared by the (VIRUS) annotation, and usually avoid the >message altogether. If there is a different subject modifier (such as >INSECURE), they can easily identify the problem and submit the message >for whitelisting. Furthermore, a different modifier for these kinds of >objections could further refine any statistics we collect on viruses >down the road. > >For instance, I'm thinking of the following; > >Message contains a "real" virus (klez, sobig, etc.), append {VIRUS?} to >the subject line. >Message contains dangerous Iframe or Objecte Codebase, append (INSECURE) >--or some other annotation-- to the subject line. > >Thanks. 
> >Nathan Johanson >Email: nathan@tcpnetworks.net -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support From patricksteiner at BLUEWIN.CH Tue Mar 25 20:30:07 2003 
From: patricksteiner at BLUEWIN.CH (Patrick Steiner)
Date: Thu Jan 12 21:17:35 2006
Subject: Online Spam test dosen't work
Message-ID: <3E80BC4F.10604@bluewin.ch>

Any spam test mails that I send via http://www.declude.com/tools/spamsend.html don't get marked as spam (spamscore <1)!
With MailScanner 3.27 and SA 2.50, any mails get tagged as spam (spamscore >5).
Why?

SA version: 2.52
MS version: 4.13-3

Mail1:

----------snip--------------

Subject: BADHEADERS test file
X-MailScanner: Found to be clean
X-MailScanner-SpamCheck: not spam, SpamAssassin (score=0.4, required 5, AWL, INVALID_DATE)

This is a test message that was sent to you because you (or someone you know) visited our page at http://www.declude.com/tools .

This is a sample E-mail designed to trigger spam tests. Depending on the software you use, it may or may not get marked as spam. Visit http://www.declude.com for our Declude JunkMail solution for IMail servers.

Test: BADHEADERS

Description: This E-mail was sent with a bogus Date: header that will likely get caught by anti-spam software that analyzes the headers of the E-mail. It should fail the Declude JunkMail BADHEADERS test.

--------snip-----------------

Mail2:

--------snip-----------------

Subject: SPAMHEADERS test file
Message-Id:
X-MailScanner: Found to be clean
X-MailScanner-SpamCheck: not spam, SpamAssassin (score=0.1, required 5, AWL)

This is a test message that was sent to you because you (or someone you know) visited our page at http://www.declude.com/tools .

This is a sample E-mail designed to trigger spam tests. Depending on the software you use, it may or may not get marked as spam. Visit http://www.declude.com for our Declude JunkMail solution for IMail servers.

Test: SPAMHEADERS

Description: This E-mail was sent with spam-like (but valid, RFC-compliant) headers, that may get caught by anti-spam software that analyzes the headers of the E-mail. It should fail the Declude JunkMail SPAMHEADERS test.

--------snip----------------- From mailscanner at ecs.soton.ac.uk Tue Mar 25 20:41:04 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:35 2006 Subject: Online Spam test dosen't work In-Reply-To: <3E80BC4F.10604@bluewin.ch> Message-ID: <5.2.0.9.2.20030325203730.03fd05a0@imap.ecs.soton.ac.uk> At 20:30 25/03/2003, you wrote: >Any Spamtestmails that i send by >http://www.declude.com/tools/spamsend.html doesen't mark as spam >(spamscore <1)! >with mailscanner 3.27 and sa 2.50 any mails tagged as spam (spamscore >5) >why? Short answer is I don't know. I suggest you ask the SpamAssassin folks. Simple things like bad dates shouldn't trigger spam traps on their own, there are email apps out there in use that create badly formatted dates. Using that alone as a trigger is very dangerous and will cause lots of false alarms. It appears that the declude folks have created a set of tests that exactly match the few particular things they look for in messages. SpamAssassin is a lot cleverer than that, it executes loads of tests and uses a scoring system to calculate how likely the message is to be spam. It doesn't trigger on 1 feature alone, unlike the declude product. If you want to pay declude for an inferior product, feel free :-) >SA version: 2.52 >MS version: 4.13-3 > > >Mail1: > >----------snip-------------- > >Subject: BADHEADERS test file >X-MailScanner: Found to be clean >X-MailScanner-SpamCheck: not spam, SpamAssassin (score=0.4, required 5, AWL, > INVALID_DATE) > >This is a test message that was sent to you because you >(or someone you know) visited our page at >http://www.declude.com/tools . > >This is a sample E-mail designed to trigger spam tests. >Depending on the software you use, it may or may not get >marked as spam. Visit http://www.declude.com for our >Declude JunkMail solution for IMail servers. > >Test: BADHEADERS > >Description: This E-mail was sent with a bogus Date: header >that will likely get caught by anti-spam software that >analyzes the headers of the E-mail. 
It should fail the >Declude JunkMail BADHEADERS test. > >--------snip----------------- > > >Mail2: >--------snip----------------- > >Subject: SPAMHEADERS test file >Message-Id: >X-MailScanner: Found to be clean >X-MailScanner-SpamCheck: not spam, SpamAssassin (score=0.1, required 5, AWL) > >This is a test message that was sent to you because you >(or someone you know) visited our page at >http://www.declude.com/tools . > >This is a sample E-mail designed to trigger spam tests. >Depending on the software you use, it may or may not get >marked as spam. Visit http://www.declude.com for our >Declude JunkMail solution for IMail servers. > >Test: SPAMHEADERS > >Description: This E-mail was sent with spam-like (but valid, >RFC-compliant) headers, that may get caught by anti-spam >software that analyzes the headers of the E-mail. It should >fail the Declude JunkMail SPAMHEADERS test. > >--------snip----------------- -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support From jaearick at COLBY.EDU Tue Mar 25 20:44:35 2003 
From: jaearick at COLBY.EDU (Jeff A. Earickson)
Date: Thu Jan 12 21:17:35 2006
Subject: Spamassassin conf files and MailScanner?
Message-ID:

Julian,

I upgraded to SA 2.52 today, for MS 4.13-3. Everything seems fine but I have questions and ye olde faqomatic didn't have any answers. I wonder:

Q. Which config files does SpamAssassin use when installed with MailScanner? Where should I put my own SA configurations? On my system, there is:

* /opt/MailScanner/etc/spam.assassin.prefs.conf (your file)

* the /.spamassassin directory in root, which SA recreates if it is removed, and contains .pag and .dir files. For 2.52 there is also bayes_msgcount as well as the DB files. If I have a user_prefs file in this directory, is it used? Should I put changes there?

* /etc/mail/spamassassin directory, where I found a local.cf file that I put there at one time.

Q. How can I tell that the Bayes learning stuff is working right for SA 2.5x?

Q. My /.spamassassin directory has a huge 70 MB auto-whitelist.pag file in it that grows over time. Is this a bad thing (assuming it doesn't fill up my root partition)? Does it get zeroed out by MS occasionally, like at reboot or the four hour restart interval? Should I zero it out by hand?

-----------------------------------
Jeff A. Earickson, Ph.D
Senior UNIX Sysadmin and Email Guru
Information Technology Services
Colby College, 4214 Mayflower Hill, Waterville ME, 04901-8842
phone: 207-872-3659 (fax = 3076)
-----------------------------------

From Denis.Beauchemin at USHERBROOKE.CA Tue Mar 25 21:11:41 2003
From: Denis.Beauchemin at USHERBROOKE.CA (Denis Beauchemin)
Date: Thu Jan 12 21:17:35 2006
Subject: Different Subject for Object Codebase/IFrame
In-Reply-To:
References:
Message-ID: <1048626700.7950.0.camel@dbeauchemin.si.usherbrooke.ca>

On Tue 25/03/2003 at 12:53, Nathan Johanson wrote:
> Actually, I don't want to allow the message.
> I'm looking to deny them (or rather remove the attachment or message
> body), but simply tag them differently than viruses (with a modifier
> like (INSECURE). In other words, the messages would be denied, all
> dangerous stuff would be removed, the same notices will be sent to all
> parties (most importantly the recipient and the postmaster)--the only
> difference would be the subject tag.
>
> If I subsequently allow them via whitelist entries, I wouldn't want the
> subject modified at all.
>
> Does that make sense?

It does to me and I would like it that way.

Denis

--
Denis Beauchemin, analyst
Université de Sherbrooke, S.T.I.
T: 819.821.8000x2252 F: 819.821.8045

From jase at SENSIS.COM Tue Mar 25 21:19:16 2003
From: jase at SENSIS.COM (Desai, Jason)
Date: Thu Jan 12 21:17:35 2006
Subject: RBL Check timed out
Message-ID:

I will try this patch and let you know if there are any problems. I'm not sure if I'll be able to fully test it as yesterday was the first time ever we had more than 1 consecutive RBL Check timeout.

Thanks!

Jason

> -----Original Message-----
> From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK]
> Sent: Tuesday, March 25, 2003 11:30 AM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: [MAILSCANNER] RBL Check timed out
>
>
> I fixed this for SA in 4.11. Forgot to fix it for RBLs :(
>
> Please can you try this patch to SA.pm and let me know how you get on.
>
> --- RBLs.pm.old Fri Mar 14 11:30:42 2003 > +++ RBLs.pm Tue Mar 25 16:34:16 2003
> @@ -44,6 +44,7 @@ > $VERSION = substr q$Revision: 1.18.2.2 $, 10; > > my %spamlistfailures; # Number of consecutive failures for > both lists > +my %deadspamlists; # All the dead spam lists > > # > # Constructor. 
> @@ -207,11 +208,17 @@ > if ($pid>0) { > # Increment the "Failures" counter for this RBL > $spamlistfailures{"$Checked"}++; > - if ($maxfailures>0) { > + if (!$deadspamlists{"$Checked"} && $maxfailures>0) { > MailScanner::Log::WarnLog("RBL Check $Checked timed > out and was " . > "killed, consecutive failure " . > $spamlistfailures{"$Checked"} . " of " . > $maxfailures); > + # Kill this list as it has exceeded maxfailures > + if ($spamlistfailures{"$Checked"}>=$maxfailures) { > + MailScanner::Log::WarnLog("RBL Check %s temporarily > disabled", > + $Checked); > + $deadspamlists{"$Checked"} = 1; > + } > } else { > MailScanner::Log::WarnLog("RBL Check $Checked timed > out and was > killed"); > } > > > At 15:45 25/03/2003, you wrote: > >Hello. > > > >Yesterday I received a bunch of "RBL Check timed out and was killed" > >messages in mail.log. Here is a sample output from my logs: > > > >$ grep "MailScanner\[6171\]: RBL" /var/log/mail.log > >Mar 24 11:47:53 dimstar MailScanner[6171]: RBL Check timed > out and was > >killed, consecutive failure 1 of 7 > >Mar 24 11:54:50 dimstar MailScanner[6171]: RBL Check timed > out and was > >killed, consecutive failure 2 of 7 > >Mar 24 11:55:01 dimstar MailScanner[6171]: RBL Check timed > out and was > >killed, consecutive failure 3 of 7 > >Mar 24 11:59:44 dimstar MailScanner[6171]: RBL Check timed > out and was > >killed, consecutive failure 4 of 7 > >Mar 24 12:01:06 dimstar MailScanner[6171]: RBL Check timed > out and was > >killed, consecutive failure 5 of 7 > >Mar 24 12:03:40 dimstar MailScanner[6171]: RBL Check timed > out and was > >killed, consecutive failure 6 of 7 > >Mar 24 12:06:53 dimstar MailScanner[6171]: RBL Check timed > out and was > >killed, consecutive failure 7 of 7 > >Mar 24 12:10:07 dimstar MailScanner[6171]: RBL Check timed > out and was > >killed, consecutive failure 8 of 7 > >Mar 24 12:11:20 dimstar MailScanner[6171]: RBL Check timed > out and was > >killed, consecutive failure 9 of 7 > >Mar 24 12:12:07 
dimstar MailScanner[6171]: RBL Check timed > out and was > >killed, consecutive failure 10 of 7 > >Mar 24 12:16:45 dimstar MailScanner[6171]: RBL Check timed > out and was > >killed, consecutive failure 11 of 7 > >Mar 24 12:20:09 dimstar MailScanner[6171]: RBL Check timed > out and was > >killed, consecutive failure 12 of 7 > >Mar 24 12:45:20 dimstar MailScanner[6171]: RBL Check timed > out and was > >killed, consecutive failure 13 of 7 > >Mar 24 12:46:26 dimstar MailScanner[6171]: RBL Check timed > out and was > >killed, consecutive failure 14 of 7 > >Mar 24 12:49:00 dimstar MailScanner[6171]: RBL Check timed > out and was > >killed, consecutive failure 15 of 7 > >Mar 24 12:50:14 dimstar MailScanner[6171]: RBL Check timed > out and was > >killed, consecutive failure 16 of 7 > >Mar 24 13:56:02 dimstar MailScanner[6171]: RBL Check timed > out and was > >killed, consecutive failure 17 of 7 > > > >In my MailScanner.conf file, I have > > > >Spam List = > > > >I'm pretty sure that I tried commenting out the Spam List > entry too, and > >I've seen similar messages. I am trying to prevent > MailScanner from doing > >any RBL checks (I only want SpamAssassin to do this). I > don't understand > >why it would be trying to do RBL checks, and why it keeps on > failing even > >after 7 consecutive failures. I am running MailScanner > 4.12-2. Is this a > >bug in the code or do I have something configured wrong? > > > >Jason > > -- > Julian Field > www.MailScanner.info > MailScanner thanks transtec Computers for their support > From nicholas_esborn at AFFYMETRIX.COM Tue Mar 25 21:54:59 2003 
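Review bot: The %deadspamlists hash added in the @@ -44,6 +44,7 @@ hunk needs a comment stating when an entry is cleared. The second hunk logs "temporarily disabled", but the lines shown only ever set $deadspamlists{"$Checked"} = 1 and only ever increment $spamlistfailures{"$Checked"}, so as far as this patch shows a list stays dead for the life of the process. Either document that lifetime next to the declaration or reset both hashes where a check succeeds. This quoted copy has also been re-wrapped by the mail client (for example "timed" and "out and was" now sit on separate lines), so it will not apply as quoted; take the patch from the original message.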
From: nicholas_esborn at AFFYMETRIX.COM (Nicholas Esborn)
Date: Thu Jan 12 21:17:35 2006
Subject: Scanning mail only for particular users
Message-ID: <20030325215459.GC70692@affymetrix.com>

Hello,

I'm wondering if MailScanner could be configured to scan mail only for particular destination email addresses, passing the rest untouched (aside from MTA headers). Is this possible?

Thanks,

-nick

--
Nicholas Esborn
Affymetrix, Inc.
510/428.8505

Every message PGP signed

From raymond at PROLOCATION.NET Tue Mar 25 21:57:51 2003
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:17:35 2006
Subject: Scanning mail only for particular users
In-Reply-To: <20030325215459.GC70692@affymetrix.com>
Message-ID:

Hi!

> I'm wondering if MailScanner could be configured to scan mail only for
> particular destination email addresses, passing the rest untouched (aside
> from MTA headers). Is this possible?

Sure, just make a list of what should be scanned, you can make a rule, see config...

Bye,
Raymond.

From brent at WHITE-DEV.QUATRO.COM Tue Mar 25 22:11:01 2003
From: brent at WHITE-DEV.QUATRO.COM (Brent)
Date: Thu Jan 12 21:17:35 2006
Subject: FromTo vs FromOrTo
Message-ID: <581E96807D8F164BAC721997E5B8E4060D93A0@bto.quatro.com>

Looking through the ruleset documentation I noticed that there are mentions of FromTo as well as FromOrTo. Is this the same thing and one of these is an error? Or are these used in different locations for different purposes? I'm not certain as the documentation and examples change back and forth between the two terms. At the moment I use FromOrTo and it is working.

Brent

From keith at ZORKA.COM Wed Mar 26 00:53:47 2003
From: keith at ZORKA.COM (Keith Elder) Date: Thu Jan 12 21:17:35 2006 Subject: Can't locate loadable object for module HTML::Parser In-Reply-To: <5.2.0.9.2.20030325151332.065ace38@imap.ecs.soton.ac.uk> Message-ID: <66FD72C6-5F25-11D7-B743-000393DB784A@zorka.com> Nothing came up when I did the install that is the weird part. Running this I get: [root@foo i386]# rpm -qa | grep Parser perl-XML-Parser-2.30-7 perl-BIND-Conf_Parser-0.96a-1 perl-HTML-Parser-3.26-16 [root@foo i386]# Keith On Tuesday, March 25, 2003, at 10:14 AM, Julian Field wrote: > Looks like the HTML::Parser module didn't install for some reason. > What did > it say when you ran "./install.sh" and it tried to install > HTML::Parser? > > At 14:15 25/03/2003, you wrote: >> Greetings: >> >> I receive the error stated in the subject and below when I start >> MailScanner on a RH 7.2 machine. Here is the complete error I get. >> I've tried putting in the correct CPAN files but still get this error. >> The version I am running is 4.13. I assume this is a simple perl fix >> but I have exceeded my perl knowledge. >> >> ---------- ERROR ---------- >> MailScanner: Can't locate loadable object for module >> HTML::Parser >> in @INC (@INC contains: /usr/lib/MailScanner >> /usr/lib/perl5/5.6.0/i386-linux /usr/lib/perl5/5.6.0 >> /usr/lib/perl5/site_perl/5.6.0/i386-linux >> /usr/lib/perl5/site_perl/5.6.0 /usr/lib/perl5/site_perl . >> /usr/lib/MailScanner) at >> /usr/lib/perl5/5.6.0/i386-linux/HTML/Entities.pm line 108 >> Compilation failed in require at >> /usr/lib/perl5/5.6.0/i386-linux/HTML/Entities.pm line 108. >> Compilation failed in require at >> /usr/lib/perl5/5.6.0/i386-linux/HTML/TokeParser.pm line 11. >> BEGIN failed--compilation aborted at >> /usr/lib/perl5/5.6.0/i386-linux/HTML/TokeParser.pm line 11. >> Compilation failed in require at >> /usr/lib/MailScanner/MailScanner/Message.pm line 43. >> BEGIN failed--compilation aborted at >> /usr/lib/MailScanner/MailScanner/Message.pm line 43. 
>> Compilation failed in require at /usr/sbin/MailScanner line 47. >> BEGIN failed--compilation aborted at /usr/sbin/MailScanner line 47. >> >> Thanks, >> >> Keith > > -- > Julian Field > www.MailScanner.info > MailScanner thanks transtec Computers for their support From raymond at PROLOCATION.NET Wed Mar 26 01:08:07 2003 From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:17:35 2006 Subject: Can't locate loadable object for module HTML::Parser In-Reply-To: <66FD72C6-5F25-11D7-B743-000393DB784A@zorka.com> Message-ID: Hi! > Nothing came up when I did the install that is the weird part. > Running this I get: > > [root@foo i386]# rpm -qa | grep Parser > perl-XML-Parser-2.30-7 > perl-BIND-Conf_Parser-0.96a-1 > perl-HTML-Parser-3.26-16 > [root@foo i386]# Do you have multiple versions of Perl installed by accident ? Bye, Raymond. From support at INVICTANET.CO.UK Wed Mar 26 06:54:36 2003 From: support at INVICTANET.CO.UK (InvictaNet Customer Support) Date: Thu Jan 12 21:17:35 2006 Subject: {Spam?} Sophos Anti-Virus IDE alert: W32/Lovgate-E In-Reply-To: <1048597836.e21de494a713c15453975ec1c654fa2e@dover.sophos.com> Message-ID: Hmmmmm. Is this a rebellion against Sophos for version 3.7? X-MailScanner-SpamCheck: spam, SpamAssassin (score=5, required 5, RAZOR2_CHECK, SPAM_PHRASE_03_05) Martyn Routley ----------------------------------------------------------------- InvictaNet - The Internet in Plain English, Guaranteed http://www.invictanet.co.uk martyn@support.invictanet.co.uk phone: 08707 440180 fax: 08707 440181 Ask us about our online Antivirus and Junk mail scanning service ----------------------------------------------------------------- -----Original Message----- From: Sophos Alert System [mailto:notification-return@lists.sophos.com] Sent: 25 March 2003 13:11 To: notification@lists.sophos.com Subject: {Spam?} Sophos Anti-Virus IDE alert: W32/Lovgate-E From Jan-Peter.Koopmann at SECEIDOS.DE Wed Mar 26 08:16:34 2003 
From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann) Date: Thu Jan 12 21:17:35 2006 Subject: Online Spam test dosen't work Message-ID: <4E7026FF8A422749B1553FE508E0068007F027@message.intern.akctech.de> Hi, > It appears that the declude folks have created a set of tests > that exactly match the few particular things they look for in > messages. Exactly. I would not worry at all. I tried their spam-test-website and to be honest: They are not sending spam messages. What they call "BAD HEADERS" is quite common for dumb MUAs I suppose. All three test messages scored <0 at my site. Nevertheless my SpamAssassin catches about 95% of all spam I get with no false positive for the past three weeks. Regards, JP From Jan-Peter.Koopmann at SECEIDOS.DE Wed Mar 26 08:25:44 2003 
From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann)
Date: Thu Jan 12 21:17:35 2006
Subject: Spamassassin conf files and MailScanner?
Message-ID: <4E7026FF8A422749B1553FE508E0068007F028@message.intern.akctech.de>

Hi,

> * /opt/MailScanner/etc/spam.assassin.prefs.conf (your file)

This is the only really important file. If you are using SpamAssassin tools besides MailScanner then you should take a look at this a bit more. I run a site-wide installation and linked my spam.assassin.prefs.conf to local.cf e.g.

> * the /.spamassassin directory in root, which SA recreates if it
> is removed, and contains .pag and .dir files. For 2.52 there
> is also bayes_msgcount as well as the DB files. If I have a
> user_prefs file in this directory, is it used? Should I put
> changes there?

The user_prefs file should not be used with MailScanner AFAIK.

> * /etc/mail/spamassassin directory, where I found a local.cf file
> that I put there at one time.

As I said: That is the one I linked to spam.assassin.prefs.conf. I then put all my relevant directives there. This is helpful here since I have to run sa-learn etc. from time to time and I want it to use the same directives.

> Q. How can I tell that the Bayes learning stuff is working right
> for SA 2.5x?

Are you seeing BAYES_ scores in your Header/Logs (assuming you turned the SpamScore on)? Do a

    check_bayes_db -db pathtoyourdbfiles

And have a look at the number of spam/ham messages in the bayes db. You should really use DB_files btw. and either use the latest MailScanner code or get rid of the use AnyDBM_File statement (I do not remember the exact location and wording, look in the mailing list archives for that) in one of the /opt/MailScanner/lib/MailScanner files.

> Q. My /.spamassassin directory has a huge 70 MB
> auto-whitelist.pag file in it that grows over time. Is this
> a bad thing (assuming it
> doesn't fill up my root partition)? Does it get zeroed out by
> MS occasionally, like at reboot or the four hour restart interval?
> Should I zero it out by hand?

To be honest I am not sure if SA shrinks the autowhitelist from time to time. With SA 2.52 they managed to get this working for the Bayes DB but for the autowhitelist I am not sure. Two questions/remarks though:

1. Why is this called .pag? What database format are you using?
2. root partition????? Files like this really should be in /var somewhere and not in /. At least not for site wide installations. You might try things like

    auto_whitelist_path /var/spool/spamassassin/auto-whitelist
    auto_whitelist_file_mode 0666
    bayes_path /var/spool/spamassassin/bayes
    bayes_file_mode 0666
    auto_learn 1
    use_bayes 1

in your SA config.

> Senior UNIX Sysadmin and Email Guru

I have to remember that... :-)

Regards,
JP

From Jan-Peter.Koopmann at SECEIDOS.DE Wed Mar 26 08:29:08 2003
From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann)
Date: Thu Jan 12 21:17:35 2006
Subject: FromTo vs FromOrTo
Message-ID: <4E7026FF8A422749B1553FE508E0068007F029@message.intern.akctech.de>

Hi Brent,

> At the moment I use FromOrTwo and it is working.

No it is not. FromOrTo might though...:-)

Sorry could not resist:

> Looking through the ruleset documentation I noticed that there
> are mentions of FromTo as well as FromOrTo. Is this the same thing and
> one of these is an error?

Scan the mailing list archives. This has been discussed a lot. But yes: It is the same thing.

Regards,
JP

From m.sapsed at BANGOR.AC.UK Wed Mar 26 08:32:17 2003
From: m.sapsed at BANGOR.AC.UK (Martin Sapsed) Date: Thu Jan 12 21:17:35 2006 Subject: {S-p-a-m?} Sophos Anti-Virus IDE alert: W32/Lovgate-E References: Message-ID: <3E816591.5010506@bangor.ac.uk> InvictaNet Customer Support wrote: > Hmmmmm. > > Is this a rebellion against Sophos for version 3.7? > > X-MailScanner-SpamCheck: spam, SpamAssassin (score=5, required 5, > RAZOR2_CHECK, SPAM_PHRASE_03_05) Dunno about that but it's probably best to remove or alter the standard MailScanner tags when sending stuff to the list. Otherwise, messages get filtered! Cheers, Martin -- Martin Sapsed Information Services "Who do you say I am?" University of Wales, Bangor Jesus of Nazareth From Jan-Peter.Koopmann at SECEIDOS.DE Wed Mar 26 08:38:51 2003 From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann) Date: Thu Jan 12 21:17:35 2006 Subject: {S-p-a-m?} Sophos Anti-Virus IDE alert: W32/Lovgate-E Message-ID: <4E7026FF8A422749B1553FE508E0068007F02B@message.intern.akctech.de> > Dunno about that but it's probably best to remove or alter > the standard MailScanner tags when sending stuff to the list. > Otherwise, messages get filtered! Your MailScanner should not really care about the tags of other MailScanners, should it? I would not really know since I only check for incoming spam, not for outgoing... No real need for that, is there? Regards, JP From keith at ZORKA.COM Wed Mar 26 06:14:40 2003 
From: keith at ZORKA.COM (Keith Elder)
Date: Thu Jan 12 21:17:35 2006
Subject: Can't locate loadable object for module HTML::Parser
In-Reply-To:
Message-ID: <3A9CBCC6-5F52-11D7-BFD3-000393DB784A@zorka.com>

The only RPM of perl on there is:

perl-5.6.0-17

Note, this is an ensim web appliance pretty much straight out of the box with no add ons.

Keith

On Tuesday, March 25, 2003, at 08:08 PM, Raymond Dijkxhoorn wrote:

> Hi!
>
>> Nothing came up when I did the install that is the weird part.
>> Running this I get:
>>
>> [root@foo i386]# rpm -qa | grep Parser
>> perl-XML-Parser-2.30-7
>> perl-BIND-Conf_Parser-0.96a-1
>> perl-HTML-Parser-3.26-16
>> [root@foo i386]#
>
> Do you have multiple versions of Perl installed by accident ?
>
> Bye,
> Raymond.

From mailscanner at ecs.soton.ac.uk Wed Mar 26 09:37:31 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:35 2006
Subject: Scanning mail only for particular users
In-Reply-To: <20030325215459.GC70692@affymetrix.com>
Message-ID: <5.2.0.9.2.20030326093608.0259aa88@imap.ecs.soton.ac.uk>

Take a look in /etc/MailScanner/rules. You just need to use a simple ruleset like this:

In MailScanner.conf put

    Virus Scanning = /etc/MailScanner/rules/virus.scanning.rules

and then in that file put

    To: user1@domain.com yes
    To: user2@domain.com yes
    To: *@domain2.com yes
    FromOrTo: default no

At 21:54 25/03/2003, you wrote:
>Hello,
>
>I'm wondering if MailScanner could be configured to scan mail only for
>particular destination email addresses, passing the rest untouched (aside
>from MTA headers). Is this possible?
>
>Thanks,
>
>-nick
>
>--
>Nicholas Esborn
>Affymetrix, Inc.
>
>510/428.8505
>
>Every message PGP signed

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Wed Mar 26 09:38:16 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:35 2006
Subject: FromTo vs FromOrTo
In-Reply-To: <581E96807D8F164BAC721997E5B8E4060D93A0@bto.quatro.com>
Message-ID: <5.2.0.9.2.20030326093739.025c3e50@imap.ecs.soton.ac.uk>

At 22:11 25/03/2003, you wrote:
>Looking through the ruleset documentation I noticed that there are
>mentions of FromTo as well as FromOrTo. Is this the same thing and one of
>these is an error? Or are these used in different locations for different
>purposes. I'm not certain as the documentation and examples change back
>and forth between the two terms. At the moment I use FromOrTwo and it is
>working.

Ideally use FromOrTo but FromTo (and even FromOrTwo) should work.

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Wed Mar 26 09:39:45 2003
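The ruleset from the "Scanning mail only for particular users" reply and the keyword spellings from the "FromTo vs FromOrTo" reply, as an added example that is not part of the original thread and not MailScanner's own code: a small Python audit that shows which recipients a default-no ruleset leaves unscanned. It assumes first-match-wins evaluation, `*` as the only wildcard, and that a line with an unrecognised keyword is skipped; the function names, the sender address and the mistyped `Too:` line are constructed for illustration.

```python
import re

# Direction keywords. "fromto" and "fromortwo" are the alternative spellings
# that the thread says are accepted alongside FromOrTo.
DIRECTIONS = {
    "from": "from", "to": "to",
    "fromorto": "either", "fromto": "either", "fromortwo": "either",
}

# Constructed sample: the ruleset quoted in the thread plus one mistyped line.
SAMPLE_RULES = """\
# /etc/MailScanner/rules/virus.scanning.rules
To:       user1@domain.com   yes
To:       user2@domain.com   yes
To:       *@domain2.com      yes
Too:      user3@domain.com   yes
FromOrTo: default            no
"""


def parse_ruleset(text):
    """Return (rules, default, problems) for a ruleset given as text."""
    rules, default, problems = [], None, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            problems.append((lineno, "expected: direction pattern value"))
            continue
        keyword, pattern, value = fields[0], fields[1], " ".join(fields[2:])
        direction = DIRECTIONS.get(keyword.rstrip(":").lower())
        if direction is None:
            # Assumption: an unrecognised keyword means the rule never applies.
            problems.append((lineno, "unknown direction %r" % keyword))
            continue
        if pattern.lower() == "default":
            default = value
            continue
        # Only "*" is treated as a wildcard; everything else is literal.
        regex = ".*".join(re.escape(p) for p in pattern.lower().split("*"))
        rules.append((direction, re.compile(regex), value, lineno))
    if default is None:
        problems.append((0, "no default rule"))
    return rules, default, problems


def decide(rules, default, sender, recipient):
    """Return (value, lineno) of the first matching rule, else the default."""
    sender, recipient = sender.lower(), recipient.lower()
    for direction, regex, value, lineno in rules:
        candidates = {"from": [sender], "to": [recipient],
                      "either": [sender, recipient]}[direction]
        if any(regex.fullmatch(addr) for addr in candidates):
            return value, lineno
    return default, None


def audit(text, sender, recipients):
    """Map each recipient to the value it would get, plus parse problems."""
    rules, default, problems = parse_ruleset(text)
    decisions = {rcpt: decide(rules, default, sender, rcpt)[0]
                 for rcpt in recipients}
    return decisions, problems


if __name__ == "__main__":
    decisions, problems = audit(
        SAMPLE_RULES, "someone@example.net",
        ["user1@domain.com", "anyone@domain2.com",
         "user3@domain.com", "other@domain.com"])
    for rcpt, value in decisions.items():
        print("%-22s Virus Scanning = %s" % (rcpt, value))
    for lineno, message in problems:
        print("line %d: %s" % (lineno, message))
```

With a default of "no", the mistyped rule does not fail loudly: user3@domain.com simply falls through to the default and is left unscanned, which is why the audit reports parse problems alongside the per-recipient result.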
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:35 2006 Subject: Can't locate loadable object for module HTML::Parser In-Reply-To: <3A9CBCC6-5F52-11D7-BFD3-000393DB784A@zorka.com> References: Message-ID: <5.2.0.9.2.20030326093904.025a4b30@imap.ecs.soton.ac.uk> As a check, try running these 2 commands /usr/bin/perl -v /usr/local/bin/perl -v The 2nd one should produce an error. At 06:14 26/03/2003, you wrote: >The only RPM of perl on there is: > >perl-5.6.0-17 > >Note, this is an ensim web appliance pretty much straight out of the >box with no add ons. > >Keith > >On Tuesday, March 25, 2003, at 08:08 PM, Raymond Dijkxhoorn wrote: > >>Hi! >> >>>Nothing came up when I did the install that is the weird part. >>>Running this I get: >>> >>>[root@foo i386]# rpm -qa | grep Parser >>>perl-XML-Parser-2.30-7 >>>perl-BIND-Conf_Parser-0.96a-1 >>>perl-HTML-Parser-3.26-16 >>>[root@foo i386]# >> >>Do you have multiple versions of Perl installed by accident ? >> >>Bye, >>Raymond. -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support From mike at ZANKER.ORG Wed Mar 26 11:28:00 2003 From: mike at ZANKER.ORG (Mike Zanker) Date: Thu Jan 12 21:17:35 2006 Subject: SpamAssassin 2.52 released In-Reply-To: <3E818C98.5D08FE53@whidbey.com> References: <5.2.0.9.2.20030325091422.062c7040@imap.ecs.soton.ac.uk> <3E818C98.5D08FE53@whidbey.com> Message-ID: <12159484.1048678080@mallard.open.ac.uk> On 26 March 2003 03:18 -0800 "G. Armour Van Horn" wrote: > I downloaded it and looked at the INSTALL file, which said to use > cpan, which hasn't heard of this version yet. I guess I'll wait a few > days, eh? I don't like using CPAN unless absolutely necessary. I installed it from the tar.gz bundle without any problems. Mike. From vanhorn at whidbey.com Wed Mar 26 11:18:48 2003 
From: vanhorn at whidbey.com (G. Armour Van Horn) Date: Thu Jan 12 21:17:35 2006 Subject: SpamAssassin 2.52 released References: <5.2.0.9.2.20030325091422.062c7040@imap.ecs.soton.ac.uk> Message-ID: <3E818C98.5D08FE53@whidbey.com> I downloaded it and looked at the INSTALL file, which said to use cpan, which hasn't heard of this version yet. I guess I'll wait a few days, eh? Van Julian Field wrote: > I am building and installing it now, will let you know if anything nasty > happens. > If you don't hear anything, it's working nicely :-) > -- > Julian Field > www.MailScanner.info > MailScanner thanks transtec Computers for their support -- ---------------------------------------------------------- Sign up now for Quotes of the Day, a handful of quotations on a theme delivered every morning. Enlightenment! Daily, for free! mailto:twisted@whidbey.com?subject=Subscribe_QOTD For web hosting and maintenance, visit Van's home page: http://www.domainvanhorn.com/van/ ---------------------------------------------------------- From vanhorn at whidbey.com Wed Mar 26 11:17:30 2003 
From: vanhorn at whidbey.com (G. Armour Van Horn)
Date: Thu Jan 12 21:17:35 2006
Subject: MailScanner and SA 2.51 and Bayes
References: <5.2.0.9.2.20030324183946.0564da00@imap.ecs.soton.ac.uk>
Message-ID: <3E818C4A.2595CEF8@whidbey.com>

I saw this, and figured that I would probably need it as well, so I ran

perl -MCPAN -e shell

and then

install DB_File

things ran swimmingly for a moment, looking very productive, and then died. The following is the tail end of that run:

DB_File needs compatible versions of libdb & db.h
        you have db.h version 3.2.9 and libdb version 3.3.11
Compilation failed in require at t/db-btree.t line 34.
BEGIN failed--compilation aborted at t/db-btree.t line 34.
t/db-btree....dubious
        Test returned status 2 (wstat 512, 0x200)
t/db-hash.....
DB_File needs compatible versions of libdb & db.h
        you have db.h version 3.2.9 and libdb version 3.3.11
Compilation failed in require at t/db-hash.t line 23.
BEGIN failed--compilation aborted at t/db-hash.t line 23.
t/db-hash.....dubious
        Test returned status 2 (wstat 512, 0x200)
t/db-recno....
DB_File needs compatible versions of libdb & db.h
        you have db.h version 3.2.9 and libdb version 3.3.11
Compilation failed in require at t/db-recno.t line 23.
BEGIN failed--compilation aborted at t/db-recno.t line 23.
t/db-recno....dubious
        Test returned status 2 (wstat 512, 0x200)
FAILED--3 test scripts could be run, alas--no output ever seen
make: *** [test_dynamic] Error 2
  /usr/bin/make test -- NOT OK
Running make install
  make test had returned bad status, won't install without force

Any hints in there of what I'm missing?

Van

Julian Field wrote:

> At 18:24 24/03/2003, you wrote:
> >Can anyone confirm if this is even working now? If I run a spamassassin
> >-D -t < message I see debug code for Bayes that appears to me that it's
> >working. Also in ~/.spamassassin I see bayes_seen, bayes_toks and
> >bayes_msgcount updating.
> >
> >If SA is called from MS, only bayes_msgcount is changing. It also
> >creates bayes_seen.dir, bayes_seen.pag, bayes_toks.dir, and
> >bayes_toks.pag files but they remain 0k.
>
> Install "DB_File" using CPAN. Then comment out the "use AnyDBM_File" at the
> top of SA.pm. This will be in the next release (due about 4th April after I
> get back from Networkshop).
>
> Still not had any requests for anything to discuss in the BoF session at
> Networkshop.
> --
> Julian Field
> www.MailScanner.info
> Professional Support Services at www.MailScanner.biz
> MailScanner thanks transtec Computers for their support

--
----------------------------------------------------------
Sign up now for Quotes of the Day, a handful of quotations
on a theme delivered every morning.
Enlightenment! Daily, for free!
mailto:twisted@whidbey.com?subject=Subscribe_QOTD

For web hosting and maintenance,
visit Van's home page: http://www.domainvanhorn.com/van/
----------------------------------------------------------

From m.sapsed at BANGOR.AC.UK Wed Mar 26 10:47:58 2003
From: m.sapsed at BANGOR.AC.UK (Martin Sapsed)
Date: Thu Jan 12 21:17:35 2006
Subject: {S-p-a-m?} Sophos Anti-Virus IDE alert: W32/Lovgate-E
References: <4E7026FF8A422749B1553FE508E0068007F02B@message.intern.akctech.de>
Message-ID: <3E81855E.3040108@bangor.ac.uk>

Jan-Peter Koopmann wrote:
>>Dunno about that but it's probably best to remove or alter
>>the standard MailScanner tags when sending stuff to the list.
>>Otherwise, messages get filtered!
>
> Your MailScanner should not really care about the tags of other
> MailScanners, should it? I would not really know since I only check for
> incoming spam, not for outgoing... No real need for that, is there?

My MailScanner doesn't care but my procmail doesn't know who put the tag on! Maybe I'll try changing the order of my procmail rules...

Cheers,

Martin

--
Martin Sapsed              Information Services
"Who do you say I am?"     University of Wales, Bangor
Jesus of Nazareth

From mailscanner at ecs.soton.ac.uk Wed Mar 26 11:41:56 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:35 2006 Subject: MailScanner and SA 2.51 and Bayes In-Reply-To: <3E818C4A.2595CEF8@whidbey.com> References: <5.2.0.9.2.20030324183946.0564da00@imap.ecs.soton.ac.uk> Message-ID: <5.2.0.9.2.20030326114048.03d94b58@imap.ecs.soton.ac.uk> You need version 3 of the BerkeleyDB library installed. Beware of version 4, it's not what you are looking for. If you need to install it from source, go to www.sleepycat.com as that is the home of BerkeleyDB (and don't ask how I remember that :-) At 11:17 26/03/2003, you wrote: >I saw this, and figured that I would probably need it as well, so I ran > >perl -MCPAN -e shell > >and then > >install DB_File > >things ran swimmingly for a moment, looking very productive, and then >died. The >following is the tail end of that run: > >DB_File needs compatible versions of libdb & db.h > you have db.h version 3.2.9 and libdb version 3.3.11 >Compilation failed in require at t/db-btree.t line 34. >BEGIN failed--compilation aborted at t/db-btree.t line 34. >t/db-btree....dubious > Test returned status 2 (wstat 512, 0x200) >t/db-hash..... >DB_File needs compatible versions of libdb & db.h > you have db.h version 3.2.9 and libdb version 3.3.11 >Compilation failed in require at t/db-hash.t line 23. >BEGIN failed--compilation aborted at t/db-hash.t line 23. >t/db-hash.....dubious > Test returned status 2 (wstat 512, 0x200) >t/db-recno.... >DB_File needs compatible versions of libdb & db.h > you have db.h version 3.2.9 and libdb version 3.3.11 >Compilation failed in require at t/db-recno.t line 23. >BEGIN failed--compilation aborted at t/db-recno.t line 23. 
>t/db-recno....dubious > Test returned status 2 (wstat 512, 0x200) >FAILED--3 test scripts could be run, alas--no output ever seen >make: *** [test_dynamic] Error 2 > /usr/bin/make test -- NOT OK >Running make install > make test had returned bad status, won't install without force > > >Any hints in there of what I'm missing? > >Van > > > >Julian Field wrote: > > > At 18:24 24/03/2003, you wrote: > > >Can anyone confirm if this is even working now? If I run a spamassassin > > >-D -t < message I see debug code for Bayes that appears to me that it's > > >working. Also in ~/.spamassassin I see bayes_seen, bayes_toks and > > >bayes_msgcount updating. > > > > > >If SA is called from MS, only bayes_msgcount is changing. It also > > >creates bayes_seen.dir, bayes_seen.pag, bayes_toks.dir, and > > >bayes_toks.pag files but they remain 0k. > > > > Install "DB_File" using CPAN. Then comment out the "use AnyDBM_File" at the > > top of SA.pm. This will be in the next release (due about 4th April after I > > get back from Networkshop). > > > > Still not had any requests for anything to discuss in the BoF session at > > Networkshop. > > -- > > Julian Field > > www.MailScanner.info > > Professional Support Services at www.MailScanner.biz > > MailScanner thanks transtec Computers for their support > >-- >---------------------------------------------------------- >Sign up now for Quotes of the Day, a handful of quotations >on a theme delivered every morning. >Enlightenment! Daily, for free! >mailto:twisted@whidbey.com?subject=Subscribe_QOTD > >For web hosting and maintenance, >visit Van's home page: http://www.domainvanhorn.com/van/ >---------------------------------------------------------- -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From jaearick at COLBY.EDU Wed Mar 26 13:19:56 2003 
From: jaearick at COLBY.EDU (Jeff A. Earickson) Date: Thu Jan 12 21:17:35 2006 Subject: How to stop every exe from being flagged as a virus? In-Reply-To: <84CFA712F666B44A94CE6BE116BAF4B0B4E50B@MAIL> References: <84CFA712F666B44A94CE6BE116BAF4B0B4E50B@MAIL> Message-ID: Hi, We tell our users to zip anything executable before sending it. The default setup in Mailscanner is to let zip files go through. --- Jeff Earickson On Wed, 26 Mar 2003, Jody Cleveland wrote: > Date: Wed, 26 Mar 2003 07:16:36 -0600 > From: Jody Cleveland > Reply-To: MailScanner mailing list > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: How to stop every exe from being flagged as a virus? > > Hello, > > Is there any way to stop having every .exe attachment from being shot down > in flames? We have a few users who transfer files back and forth, so it's > been an issue for them. I'm using mailscanner with f-prot on redhat 8. > > -- > Jody Cleveland > (cleveland@winnefox.org) > > Winnefox Library System > Computer Support Specialist > From paul_houselander at BRISTOL-LEA.ORG.UK Wed Mar 26 13:28:41 2003 From: paul_houselander at BRISTOL-LEA.ORG.UK (Paul Houselander) Date: Thu Jan 12 21:17:35 2006 Subject: How to stop every exe from being flagged as a virus? References: <84CFA712F666B44A94CE6BE116BAF4B0B4E50B@MAIL> Message-ID: <007a01c2f39b$9eb15f20$7b10140a@education.bcc.lan> You can set up a ruleset to have different filename.rules.conf files for different users, see "Filename Rules" in MailScanner.conf and allow exe files or if the files are always called the same then add an entry to filename.rules.conf to allow that specific filename. Paul ----- Original Message ----- 
From: "Jody Cleveland" To: Sent: Wednesday, March 26, 2003 1:16 PM Subject: How to stop every exe from being flagged as a virus? > Hello, > > Is there any way to stop having every .exe attachment from being shot down > in flames? We have a few users who transfer files back and forth, so it's > been an issue for them. I'm using mailscanner with f-prot on redhat 8. > > -- > Jody Cleveland > (cleveland@winnefox.org) > > Winnefox Library System > Computer Support Specialist > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From Cleveland at MAIL.WINNEFOX.ORG Wed Mar 26 13:16:36 2003 From: Cleveland at MAIL.WINNEFOX.ORG (Jody Cleveland) Date: Thu Jan 12 21:17:35 2006 Subject: How to stop every exe from being flagged as a virus? Message-ID: <84CFA712F666B44A94CE6BE116BAF4B0B4E50B@MAIL> Hello, Is there any way to stop having every .exe attachment from being shot down in flames? We have a few users who transfer files back and forth, so it's been an issue for them. I'm using mailscanner with f-prot on redhat 8. -- Jody Cleveland (cleveland@winnefox.org) Winnefox Library System Computer Support Specialist From Jan-Peter.Koopmann at SECEIDOS.DE Wed Mar 26 14:03:23 2003 
From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann) Date: Thu Jan 12 21:17:35 2006 Subject: How to stop every exe from being flagged as a virus? Message-ID: <4E7026FF8A422749B1553FE508E0068007F030@message.intern.akctech.de> > Is there any way to stop having every .exe attachment from > being shot down in flames? We have a few users who transfer > files back and forth, so it's been an issue for them. I'm > using mailscanner with f-prot on redhat 8. Look for the exe line in filename.rules.conf (in /opt/MailScanner/etc or equivalent) and comment it out. If you want to do this on a per-user/per-domain basis, you will have to work with rulesets and different filename.rules.conf files. Regards, JP From steve.freegard at LBSLTD.CO.UK Wed Mar 26 14:10:39 2003 
From: steve.freegard at LBSLTD.CO.UK (Steve Freegard)
Date: Thu Jan 12 21:17:35 2006
Subject: MailScanner and SA+Bayes - bug fixed??
Message-ID: <67D9E7698329D411936E00508B6590B90279338A@neelix.lbsltd.co.uk>

Hi all,

I'm currently evaluating MailScanner to replace our existing mail solution and I've been having problems getting the bayes part of SA to work with MailScanner since 2.50 came out, all I get is a single file called bayes_toks.db which is empty, and nothing else - yet bayes runs fine when I call spamassassin from the command-line.

I'm running MS 4.12-2 and have been waiting for SA 2.52 to come out to see if this cured the problem I had with SA bayes and MailScanner - it didn't, so I decided to have a look at the MailScanner source, and realised that in SA.pm there is a line that says 'use AnyDBM_File; # doing this here keeps SpamAssassin quiet' - I've changed this to say 'use DB_File;' instead, and this seems to have cured my problem - I now see all the bayes* files (without the .db extension), and the bayes_msgcount is growing as it should.

I'm not sure why this was causing a problem - as my Perl isn't really up to much - but I thought if anyone else was having the same problem - this might help.

Kind regards,
Steve

--
Steve Freegard
Systems Manager
Littlehampton Book Services Ltd.
Tel: +44 (0)1903 82 8594
Fax: +44 (0)1903 82 8620

**********************************************************************
This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote also confirms that this email message has been swept by MIMEsweeper for the presence of computer viruses. www.lbsltd.co.uk
**********************************************************************

From brose at MED.WAYNE.EDU Wed Mar 26 14:01:29 2003
From: brose at MED.WAYNE.EDU (Rose, Bobby)
Date: Thu Jan 12 21:17:35 2006
Subject: {S-p-a-m?} Sophos Anti-Virus IDE alert: W32/Lovgate-E
Message-ID:

Obviously it's getting tagged because of the Razor-check. Someone has reported it as spam to razor probably because they aren't checking. Just revoke it using razor. You can read the docs on razor to learn how to do this. It will change the trust level of the person who reported it forcing them to have to rebuild their trust level score before razor takes them seriously again.

-----Original Message-----
From: Martin Sapsed [mailto:m.sapsed@BANGOR.AC.UK]
Sent: Wednesday, March 26, 2003 3:32 AM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: {S-p-a-m?} Sophos Anti-Virus IDE alert: W32/Lovgate-E

InvictaNet Customer Support wrote:
> Hmmmmm.
>
> Is this a rebellion against Sophos for version 3.7?
>
> X-MailScanner-SpamCheck: spam, SpamAssassin (score=5, required 5,
> RAZOR2_CHECK, SPAM_PHRASE_03_05)

Dunno about that but it's probably best to remove or alter the standard MailScanner tags when sending stuff to the list. Otherwise, messages get filtered!

Cheers,

Martin

--
Martin Sapsed              Information Services
"Who do you say I am?"     University of Wales, Bangor
Jesus of Nazareth

From keith at ZORKA.COM Wed Mar 26 14:23:26 2003
From: keith at ZORKA.COM (Keith Elder) Date: Thu Jan 12 21:17:35 2006 Subject: Can't locate loadable object for module HTML::Parser In-Reply-To: <5.2.0.9.2.20030326093904.025a4b30@imap.ecs.soton.ac.uk> Message-ID: <81FC0000-5F96-11D7-BFD3-000393DB784A@zorka.com> Here is the output: On Wednesday, March 26, 2003, at 04:39 AM, Julian Field wrote: > As a check, try running these 2 commands > /usr/bin/perl -v root]# /usr/bin/perl -v This is perl, v5.6.0 built for i386-linux > /usr/local/bin/perl -v > The 2nd one should produce an error. > root]# /usr/local/bin/perl -v bash: /usr/local/bin/perl: No such file or directory > At 06:14 26/03/2003, you wrote: >> The only RPM of perl on there is: >> >> perl-5.6.0-17 >> >> Note, this is an ensim web appliance pretty much straight out of the >> box with no add ons. >> >> Keith >> >> On Tuesday, March 25, 2003, at 08:08 PM, Raymond Dijkxhoorn wrote: >> >>> Hi! >>> >>>> Nothing came up when I did the install that is the weird part. >>>> Running this I get: >>>> >>>> [root@foo i386]# rpm -qa | grep Parser >>>> perl-XML-Parser-2.30-7 >>>> perl-BIND-Conf_Parser-0.96a-1 >>>> perl-HTML-Parser-3.26-16 >>>> [root@foo i386]# >>> >>> Do you have multiple versions of Perl installed by accident ? >>> >>> Bye, >>> Raymond. > > -- > Julian Field > www.MailScanner.info > Professional Support Services at www.MailScanner.biz > MailScanner thanks transtec Computers for their support From keith at ZORKA.COM Wed Mar 26 14:59:21 2003 
From: keith at ZORKA.COM (Keith Elder) Date: Thu Jan 12 21:17:35 2006 Subject: Can't locate loadable object for module HTML::Parser In-Reply-To: <81FC0000-5F96-11D7-BFD3-000393DB784A@zorka.com> Message-ID: <86EA093D-5F9B-11D7-BFD3-000393DB784A@zorka.com> FYI, I resolved this issue. Someone on another list suggested the following: perl -MCPAN -e 'install Bundle::LWP' and it solved it. MailScanner is now starting up. Thanks, Keith On Wednesday, March 26, 2003, at 09:23 AM, Keith Elder wrote: > Here is the output: > > On Wednesday, March 26, 2003, at 04:39 AM, Julian Field wrote: > >> As a check, try running these 2 commands >> /usr/bin/perl -v > > root]# /usr/bin/perl -v > > This is perl, v5.6.0 built for i386-linux > > >> /usr/local/bin/perl -v >> The 2nd one should produce an error. >> > > root]# /usr/local/bin/perl -v > bash: /usr/local/bin/perl: No such file or directory > >> At 06:14 26/03/2003, you wrote: >>> The only RPM of perl on there is: >>> >>> perl-5.6.0-17 >>> >>> Note, this is an ensim web appliance pretty much straight out of the >>> box with no add ons. >>> >>> Keith >>> >>> On Tuesday, March 25, 2003, at 08:08 PM, Raymond Dijkxhoorn wrote: >>> >>>> Hi! >>>> >>>>> Nothing came up when I did the install that is the weird part. >>>>> Running this I get: >>>>> >>>>> [root@foo i386]# rpm -qa | grep Parser >>>>> perl-XML-Parser-2.30-7 >>>>> perl-BIND-Conf_Parser-0.96a-1 >>>>> perl-HTML-Parser-3.26-16 >>>>> [root@foo i386]# >>>> >>>> Do you have multiple versions of Perl installed by accident ? >>>> >>>> Bye, >>>> Raymond. >> >> -- >> Julian Field >> www.MailScanner.info >> Professional Support Services at www.MailScanner.biz >> MailScanner thanks transtec Computers for their support From jase at SENSIS.COM Wed Mar 26 15:20:32 2003 
From: jase at SENSIS.COM (Desai, Jason) Date: Thu Jan 12 21:17:35 2006 Subject: {S-p-a-m?} Sophos Anti-Virus IDE alert: W32/Lov gate-E Message-ID: I think he was talking about the subject. People probably check for {Spam?} in the subject field. Jason > -----Original Message----- > From: Jan-Peter Koopmann [mailto:Jan-Peter.Koopmann@SECEIDOS.DE] > Sent: Wednesday, March 26, 2003 3:39 AM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: [MAILSCANNER] {S-p-a-m?} Sophos Anti-Virus IDE alert: > W32/Lovgate-E > > > > Dunno about that but it's probably best to remove or alter > > the standard MailScanner tags when sending stuff to the list. > > Otherwise, messages get filtered! > > Your MailScanner should not really care about the tags of other > MailScanners, should it? I would not really know since I only > check for > incoming spam, not for outgoing... No real need for that, is there? > > Regards, > JP > From jaearick at COLBY.EDU Wed Mar 26 15:40:30 2003 From: jaearick at COLBY.EDU (Jeff A. Earickson) Date: Thu Jan 12 21:17:35 2006 Subject: SA, bayes, BerkeleyDB Message-ID: Julian, You commented on the list the other day "you need version 3 of BerkeleyDB installed, beware of version 4". Why I wonder? I have 4.1 installed in /usr/local/BerkeleyDB4.1 with a symlink of /usr/local/BerkeleyDB -> BerkeleyDB4.1. Things seem to be working ok with SA, after I changed the "use AnyDBM_file" in SA.pm to "use DB_file". The bayes stuff in /.spamassassin is updating for me... --- Jeff Earickson From mailscanner at ecs.soton.ac.uk Wed Mar 26 15:14:37 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:35 2006 Subject: MailScanner and SA+Bayes - bug fixed?? In-Reply-To: <67D9E7698329D411936E00508B6590B90279338A@neelix.lbsltd.co. uk> Message-ID: <5.2.0.9.2.20030326151322.03e37ab0@imap.ecs.soton.ac.uk> At 14:10 26/03/2003, you wrote: >Hi all, > >I'm currently evaluating MailScanner to replace our existing mail solution >and I've been having problems getting the bayes part of SA to work with >MailScanner since 2.50 came out, all I get is a single file called >bayes_toks.db which is empty, and nothing else - yet bayes runs fine when >I call spamassasin from the command-line. > >I'm running MS 4.12-2 and have been waiting to SA 2.52 to come out to see >if this cured the problem I had with SA bayes and MailScanner - it didn't, >so I decided to have a look at the MailScanner source, and realised that >in SA.pm there is a line that says 'use AnyDBM_File; # doing this here >keeps SpamAssassin quiet' - I've changed this to say 'use DB_File;' >instead, and this seems to have cured my problem - I now see all the >bayes* files (without the .db extension), and the bayes_msgcount is >growing as it should. > >I'm not sure why this was causing a problem - as my Perl isn't really up >to much - but I thought if anyone else was having the same problem - this >might help. Yes. Comment out the "use AnyDBM_File;" at the top of SA.pm. Also install "DB_File" using CPAN. This is all resolved in the next version of MailScanner. You just happened to hit it at a time when SpamAssassin has changed quite a lot, and so the MailScanner support for it has had to change too. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Wed Mar 26 15:20:52 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:35 2006
Subject: Can't locate loadable object for module HTML::Parser
In-Reply-To: <81FC0000-5F96-11D7-BFD3-000393DB784A@zorka.com>
References: <5.2.0.9.2.20030326093904.025a4b30@imap.ecs.soton.ac.uk>
Message-ID: <5.2.0.9.2.20030326151502.03e48520@imap.ecs.soton.ac.uk>

Good, you have 1 version of Perl installed.

Try uninstalling your current RPM of HTML-Parser
        rpm -e perl-HTML-Parser
then running ./install.sh again. Keep an eye open for any errors it may produce. There are plenty of opportunities to press Ctrl-S to pause the output (Ctrl-Q to resume output).

At 14:23 26/03/2003, you wrote:
>Here is the output:
>
>On Wednesday, March 26, 2003, at 04:39 AM, Julian Field wrote:
>
>>As a check, try running these 2 commands
>>         /usr/bin/perl -v
>
>root]# /usr/bin/perl -v
>
>This is perl, v5.6.0 built for i386-linux
>
>
>>         /usr/local/bin/perl -v
>>The 2nd one should produce an error.
>
>root]# /usr/local/bin/perl -v
>bash: /usr/local/bin/perl: No such file or directory
>
>>At 06:14 26/03/2003, you wrote:
>>>The only RPM of perl on there is:
>>>
>>>perl-5.6.0-17
>>>
>>>Note, this is an ensim web appliance pretty much straight out of the
>>>box with no add ons.
>>>
>>>Keith
>>>
>>>On Tuesday, March 25, 2003, at 08:08 PM, Raymond Dijkxhoorn wrote:
>>>
>>>>Hi!
>>>>
>>>>>Nothing came up when I did the install that is the weird part.
>>>>>Running this I get:
>>>>>
>>>>>[root@foo i386]# rpm -qa | grep Parser
>>>>>perl-XML-Parser-2.30-7
>>>>>perl-BIND-Conf_Parser-0.96a-1
>>>>>perl-HTML-Parser-3.26-16
>>>>>[root@foo i386]#
>>>>
>>>>Do you have multiple versions of Perl installed by accident ?
>>>>
>>>>Bye,
>>>>Raymond.
>>
>>--
>>Julian Field
>>www.MailScanner.info
>>Professional Support Services at www.MailScanner.biz
>>MailScanner thanks transtec Computers for their support

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Wed Mar 26 15:44:12 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:35 2006
Subject: SA, bayes, BerkeleyDB
In-Reply-To:
Message-ID: <5.2.0.9.2.20030326154325.031cbb38@imap.ecs.soton.ac.uk>

At 15:40 26/03/2003, you wrote:
>Julian,
> You commented on the list the other day "you need version 3
>of BerkeleyDB installed, beware of version 4". Why I wonder?
>I have 4.1 installed in /usr/local/BerkeleyDB4.1 with a symlink
>of /usr/local/BerkeleyDB -> BerkeleyDB4.1. Things seem to be
>working ok with SA, after I changed the "use AnyDBM_file" in
>SA.pm to "use DB_file". The bayes stuff in /.spamassassin is
>updating for me...

I was using DB4.1 on Solaris, and SpamAssassin wasn't working properly at all. It couldn't even get the nspam and nham counters out of the database files.
It may well be okay on Linux.

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From Cleveland at MAIL.WINNEFOX.ORG Wed Mar 26 16:09:08 2003
From: Cleveland at MAIL.WINNEFOX.ORG (Jody Cleveland)
Date: Thu Jan 12 21:17:35 2006
Subject: How to stop every exe from being flagged as a virus?
Message-ID: <84CFA712F666B44A94CE6BE116BAF4B0B4E516@MAIL>

> Look for the exe line in filename.rules.conf (in
> /opt/MailScanner/etc or
> equivalent) and comment it out. If you want to do this on a
> per-user/per-domain basis, you will have to work with rulesets and
> different filename.rules.conf files.

Thanks!

Jody

From jaearick at COLBY.EDU Wed Mar 26 16:24:48 2003
From: jaearick at COLBY.EDU (Jeff A. Earickson)
Date: Thu Jan 12 21:17:35 2006
Subject: SA, bayes, BerkeleyDB
In-Reply-To: <5.2.0.9.2.20030326154325.031cbb38@imap.ecs.soton.ac.uk>
References: <5.2.0.9.2.20030326154325.031cbb38@imap.ecs.soton.ac.uk>
Message-ID:

Julian,

I'm on Solaris 8, db 4.1. My /.spamassassin directory looks like thus:

-rw-r--r-- 1 root daemon 1714 Mar 26 11:15 bayes_msgcount
-rw-r--r-- 1 root daemon 24576 Mar 26 11:15 bayes_seen
-rw-r--r-- 1 root daemon 671744 Mar 26 11:15 bayes_toks

(BTW, defining auto_whitelist_path in the MailScanner spam.assassin.prefs.conf file has no effect on where the .spamassassin dir goes, still into the root directory).

When I do "check_bayes_db -db /.spamassassin/bayes | more" I get:

0.000 0 0 0 non-token data: db format = on-the-fly probs, expiry, scan-counting
0.000 0 4 0 non-token data: nspam
0.000 0 150 0 non-token data: nham
0.000 0 14387 0 non-token data: ntokens
0.000 0 0 0 non-token data: oldest age
0.000 0 1698 0 non-token data: current scan-count
0.000 0 0 0 non-token data: last expiry scan-count
0.090 0 2 1542 Sentinel
0.020 0 11 1698 N:NNNNNNNN
0.149 0 1 1543 H*m:RCXN13905
(lots more)

From staring at the source code to check_bayes_db, this seems to be correct behavior, I think.

--- Jeff

On Wed, 26 Mar 2003, Julian Field wrote:

> Date: Wed, 26 Mar 2003 15:44:12 +0000
> From: Julian Field
> Reply-To: MailScanner mailing list
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: SA, bayes, BerkeleyDB
>
> At 15:40 26/03/2003, you wrote:
> >Julian,
> > You commented on the list the other day "you need version 3
> >of BerkeleyDB installed, beware of version 4". Why I wonder?
> >I have 4.1 installed in /usr/local/BerkeleyDB4.1 with a symlink
> >of /usr/local/BerkeleyDB -> BerkeleyDB4.1. Things seem to be
> >working ok with SA, after I changed the "use AnyDBM_file" in
> >SA.pm to "use DB_file". The bayes stuff in /.spamassassin is
> >updating for me...
>
> I was using DB4.1 on Solaris, and SpamAssassin wasn't working properly at
> all. It couldn't even get the nspam and nham counters out of the database
> files.
> It may well be okay on Linux.
> --
> Julian Field
> www.MailScanner.info
> MailScanner thanks transtec Computers for their support
>

From rdegraaf at VERANO.COM Wed Mar 26 16:28:07 2003
From: rdegraaf at VERANO.COM (Rennie deGraaf)
Date: Thu Jan 12 21:17:35 2006
Subject: MailScanner 4.13-3 not cleaning mesages
Message-ID: <3E81D517.5080307@verano.com>

I'm using MailScanner 4.13-3 with clamav 0.54 and Exim 4.14 on a Red Hat 7.3 box. Mail gets through, but MailScanner does not clean viruses that clamav finds. The following log segment was generated by me sending a copy of the Klez worm to myself. Unfortunately, I don't have any other viruses lying around to test.

Mar 25 14:46:24 permafrost exim[22818]: 2003-03-25 14:46:24 18xwFU-0005w2-2Z <=rdegraaf@verano.com H=(verano.com) [192.168.3.175] P=esmtp S=59908 id=3E80CDB0.2080305@verano.com
Mar 25 14:46:24 permafrost exim[22819]: 2003-03-25 14:46:24 18xwFU-0005w2-2Z == rdegraaf@verano.com R=defer_router defer (-1): remote host address is the local host
Mar 25 14:46:28 permafrost MailScanner[22817]: New Batch: Scanning messages, 60221 bytes
Mar 25 14:46:28 permafrost MailScanner[22817]: Spam Checks: Starting
Mar 25 14:46:29 permafrost MailScanner[22817]: Virus and Content Scanning: Starting
Mar 25 14:46:29 permafrost MailScanner[22817]: /home/mqueue/tmp/22817/./18xwFU-0005w2-2Z/this.pif.gz: Worm/Klez.H FOUND
Mar 25 14:46:29 permafrost MailScanner[22817]: Virus Scanning: clamav found 1 infections
Mar 25 14:46:29 permafrost MailScanner[22817]: Virus Scanning: Found 1 viruses
Mar 25 14:46:29 permafrost MailScanner[22817]: Uninfected: Delivered 1 messages
Mar 25 14:46:29 permafrost exim[22827]: 2003-03-25 14:46:29 18xwFU-0005w2-2Z => rdegraaf R=localuser T=local_delivery
Mar 25 14:46:29 permafrost exim[22827]: 2003-03-25 14:46:29 18xwFU-0005w2-2Z Completed

It appears that clamscan correctly identified the virus, but MailScanner failed to take action.

The relevant options in MailScanner.conf are:

Virus Scanning = yes
Virus Scanners = clamav
Virus Scanner Timeout = 300
Deliver Disinfected Files = yes
Silent Viruses = Klez Yaha-E Bugbear Braid-A WinEvar
Still Deliver Silent Viruses = yes
Block Encrypted Messages = no
Block Unencrypted Messages = no

If I understand MailScanner correctly, I should have received a warning message instead of the virus, but I received the original message back, complete with an "X-MailScanner: Found to be clean" header.

Is this a problem with MailScanner, or did I fubar my setup somewhere?

Rennie deGraaf
System Administrator
Verano

From mailscanner at ecs.soton.ac.uk Wed Mar 26 17:47:44 2003
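The mismatch in the log quoted in the report above (a scanner FOUND line, then "Uninfected: Delivered" from the same MailScanner worker, then an Exim "=>" for the same queue ID) can be checked for mechanically. The Python below is an added example, not part of the thread or of MailScanner: the function and field names are hypothetical, the first eleven sample lines are the ones quoted above, and the last four are constructed to show a clean batch. It is a triage heuristic, since in a multi-message batch the "Uninfected" count may refer to other messages.

```python
import re
from collections import namedtuple

# Syslog prefix: "Mon DD HH:MM:SS host prog[pid]: message".
SYSLOG = re.compile(
    r"^\w{3}\s+\d+\s[\d:]{8}\s\S+\s(?P<prog>[\w.-]+)\[(?P<pid>\d+)\]:\s(?P<msg>.*)$"
)
# Exim queue IDs in the format seen in the log above (6-6-2 alphanumerics).
EXIM_ID = r"[0-9A-Za-z]{6}-[0-9A-Za-z]{6}-[0-9A-Za-z]{2}"
# Scanner hit as relayed by MailScanner: "<workdir>/<queue id>/<file>: <name> FOUND".
FOUND = re.compile(
    r"^\S*/(?P<id>" + EXIM_ID + r")/(?P<file>\S+):\s(?P<sig>.+)\sFOUND$"
)
UNINFECTED = re.compile(r"^Uninfected: Delivered (?P<n>\d+) messages$")
# Exim "=>" is a completed delivery; "<=" is arrival and "==" a deferral.
DELIVERED = re.compile(
    r"^\d{4}-\d\d-\d\d [\d:]{8} (?P<id>" + EXIM_ID + r") => (?P<rcpt>\S+)"
)

Finding = namedtuple("Finding", "message_id file signature scanner_pid recipient")


def find_infected_deliveries(lines):
    """Return a Finding for every delivery of a message that a scanner
    flagged in a batch which the same worker then reported as uninfected."""
    batch_infected = {}  # MailScanner pid -> {queue id: (file, signature)}
    suspect = {}         # queue id -> (file, signature, pid)
    findings = []
    for line in lines:
        entry = SYSLOG.match(line.strip())
        if not entry:
            continue
        prog, pid, msg = entry.group("prog", "pid", "msg")
        if prog == "MailScanner":
            if msg.startswith("New Batch:"):
                batch_infected[pid] = {}  # a new batch starts with no hits
                continue
            hit = FOUND.match(msg)
            if hit:
                batch_infected.setdefault(pid, {})[hit.group("id")] = (
                    hit.group("file"), hit.group("sig"))
            elif UNINFECTED.match(msg):
                # The batch had scanner hits, yet mail left it as uninfected.
                for msg_id, (fname, sig) in batch_infected.get(pid, {}).items():
                    suspect[msg_id] = (fname, sig, pid)
        elif prog == "exim":
            done = DELIVERED.match(msg)
            if done and done.group("id") in suspect:
                fname, sig, spid = suspect[done.group("id")]
                findings.append(Finding(done.group("id"), fname, sig, spid,
                                        done.group("rcpt")))
    return findings


# Lines 1-11: the log quoted in the report. Lines 12-15: constructed clean batch.
SAMPLE_LOG = """\
Mar 25 14:46:24 permafrost exim[22818]: 2003-03-25 14:46:24 18xwFU-0005w2-2Z <=rdegraaf@verano.com H=(verano.com) [192.168.3.175] P=esmtp S=59908 id=3E80CDB0.2080305@verano.com
Mar 25 14:46:24 permafrost exim[22819]: 2003-03-25 14:46:24 18xwFU-0005w2-2Z == rdegraaf@verano.com R=defer_router defer (-1): remote host address is the local host
Mar 25 14:46:28 permafrost MailScanner[22817]: New Batch: Scanning messages, 60221 bytes
Mar 25 14:46:28 permafrost MailScanner[22817]: Spam Checks: Starting
Mar 25 14:46:29 permafrost MailScanner[22817]: Virus and Content Scanning: Starting
Mar 25 14:46:29 permafrost MailScanner[22817]: /home/mqueue/tmp/22817/./18xwFU-0005w2-2Z/this.pif.gz: Worm/Klez.H FOUND
Mar 25 14:46:29 permafrost MailScanner[22817]: Virus Scanning: clamav found 1 infections
Mar 25 14:46:29 permafrost MailScanner[22817]: Virus Scanning: Found 1 viruses
Mar 25 14:46:29 permafrost MailScanner[22817]: Uninfected: Delivered 1 messages
Mar 25 14:46:29 permafrost exim[22827]: 2003-03-25 14:46:29 18xwFU-0005w2-2Z => rdegraaf R=localuser T=local_delivery
Mar 25 14:46:29 permafrost exim[22827]: 2003-03-25 14:46:29 18xwFU-0005w2-2Z Completed
Mar 25 14:51:02 permafrost MailScanner[22817]: New Batch: Scanning messages, 2104 bytes
Mar 25 14:51:02 permafrost MailScanner[22817]: Virus and Content Scanning: Starting
Mar 25 14:51:03 permafrost MailScanner[22817]: Uninfected: Delivered 1 messages
Mar 25 14:51:03 permafrost exim[22901]: 2003-03-25 14:51:03 18xwKa-0005xB-7Q => rdegraaf R=localuser T=local_delivery
"""

if __name__ == "__main__":
    for finding in find_infected_deliveries(SAMPLE_LOG.splitlines()):
        print("REVIEW: %s (%s, %s) delivered to %s after MailScanner[%s] "
              "logged it as uninfected"
              % (finding.message_id, finding.file, finding.signature,
                 finding.recipient, finding.scanner_pid))
```
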
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:35 2006 Subject: SA, bayes, BerkeleyDB In-Reply-To: References: <5.2.0.9.2.20030326154325.031cbb38@imap.ecs.soton.ac.uk> <5.2.0.9.2.20030326154325.031cbb38@imap.ecs.soton.ac.uk> Message-ID: <5.2.0.9.2.20030326174656.04434890@imap.ecs.soton.ac.uk> I was generating DB output by doing sa-learn -D 1 --rebuild and it was saying the nspam and nham were 0. Maybe your Solaris version didn't have the same problem my Solaris did? At 16:24 26/03/2003, you wrote: >Julian, > I'm on Solaris 8, db 4.1. My /.spamassassin directory looks like thus: > >-rw-r--r-- 1 root daemon 1714 Mar 26 11:15 bayes_msgcount >-rw-r--r-- 1 root daemon 24576 Mar 26 11:15 bayes_seen >-rw-r--r-- 1 root daemon 671744 Mar 26 11:15 bayes_toks > >(BTW, defining auto_whitelist_path in the MailScanner spam.assassin.prefs.conf >file has no effect on where the .spamassassin dir goes, still into >the root directory). > >When I do "check_bayes_db -db /.spamassassin/bayes | more" >I get: > >0.000 0 0 0 non-token data: db format = on-the-fly >probs, >expiry, scan-counting >0.000 0 4 0 non-token data: nspam >0.000 0 150 0 non-token data: nham >0.000 0 14387 0 non-token data: ntokens >0.000 0 0 0 non-token data: oldest age >0.000 0 1698 0 non-token data: current scan-count >0.000 0 0 0 non-token data: last expiry scan-count >0.090 0 2 1542 Sentinel >0.020 0 11 1698 N:NNNNNNNN >0.149 0 1 1543 H*m:RCXN13905 >(lots more) > > >From staring at the source code to check_bayes_db, this seems to be >correct behavior, I think. > >--- Jeff > >On Wed, 26 Mar 2003, Julian Field wrote: > > > Date: Wed, 26 Mar 2003 15:44:12 +0000 
> > From: Julian Field > > Reply-To: MailScanner mailing list > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: Re: SA, bayes, BerkeleyDB > > > > At 15:40 26/03/2003, you wrote: > > >Julian, > > > You commented on the list the other day "you need version 3 > > >of BerkeleyDB installed, beware of version 4". Why I wonder? > > >I have 4.1 installed in /usr/local/BerkeleyDB4.1 with a symlink > > >of /usr/local/BerkeleyDB -> BerkeleyDB4.1. Things seem to be > > >working ok with SA, after I changed the "use AnyDBM_file" in > > >SA.pm to "use DB_file". The bayes stuff in /.spamassassin is > > >updating for me... > > > > I was using DB4.1 on Solaris, and SpamAssassin wasn't working properly at > > all. It couldn't even get the nspam and nham counters out of the database > > files. > > It may well be okay on Linux. > > -- > > Julian Field > > www.MailScanner.info > > MailScanner thanks transtec Computers for their support > > -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From jaearick at COLBY.EDU Wed Mar 26 18:21:55 2003 
From: jaearick at COLBY.EDU (Jeff A. Earickson)
Date: Thu Jan 12 21:17:35 2006
Subject: SA, bayes, BerkeleyDB
In-Reply-To: <5.2.0.9.2.20030326174656.04434890@imap.ecs.soton.ac.uk>
References: <5.2.0.9.2.20030326154325.031cbb38@imap.ecs.soton.ac.uk>
 <5.2.0.9.2.20030326154325.031cbb38@imap.ecs.soton.ac.uk>
 <5.2.0.9.2.20030326174656.04434890@imap.ecs.soton.ac.uk>
Message-ID:

Julian,

Here's what I got:

sa-learn -D 1 --rebuild
please specify target type with --dir, --file, or --mbox: 1
debug: Score set 0 chosen.
debug: using "/opt/perl5/share/spamassassin" for default rules dir
debug: using "/etc/mail/spamassassin" for site rules dir
debug: using "/home/admin/jaearick/.spamassassin/user_prefs" for user prefs file
debug: bayes: 9613 tie-ing to DB file R/O /var/spool/spamassassin/bayes_toks
debug: bayes: 9613 tie-ing to DB file R/O /var/spool/spamassassin/bayes_seen
debug: debug: Only 11 spam(s) in Bayes DB < 200
debug: bayes: 9613 untie-ing
debug: bayes: 9613 untie-ing db_toks
debug: bayes: 9613 untie-ing db_seen
debug: Score set 0 chosen.
debug: Initialising learner
debug: Initialising learner
debug: lock: 9613 created /var/spool/spamassassin/bayes.lock.emerald.9613
debug: lock: 9613 trying to get lock on /var/spool/spamassassin/bayes with 0 retries
debug: lock: 9613 link to /var/spool/spamassassin/bayes.lock: link ok
debug: bayes: 9613 tie-ing to DB file R/W /var/spool/spamassassin/bayes_toks
debug: bayes: 9613 tie-ing to DB file R/W /var/spool/spamassassin/bayes_seen
debug: bayes: 9613 untie-ing
debug: bayes: 9613 untie-ing db_toks
debug: bayes: 9613 untie-ing db_seen
debug: bayes: files locked, now unlocking lock
debug: unlock: 9613 unlink /var/spool/spamassassin/bayes.lock
debug: bayes: 9613 untie-ing

Note that on my first try, it complained about the "auto_report_threshold" variable in spam.assassin.prefs.conf, so I commented that out. I also tried "spamassassin -D --lint" to see what directories it was using and this same complaint.
My Sol 8 is up-to-date on patches. My DB is 4.1.25, built with Sun's Forte 7 compiler, not gcc. --- Jeff On Wed, 26 Mar 2003, Julian Field wrote: > Date: Wed, 26 Mar 2003 17:47:44 +0000 > From: Julian Field > Reply-To: MailScanner mailing list > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: SA, bayes, BerkeleyDB > > I was generating DB output by doing > sa-learn -D 1 --rebuild > and it was saying the nspam and nham were 0. > > Maybe your Solaris version didn't have the same problem my Solaris did? > > At 16:24 26/03/2003, you wrote: > >Julian, > > I'm on Solaris 8, db 4.1. My /.spamassassin directory looks like thus: > > > >-rw-r--r-- 1 root daemon 1714 Mar 26 11:15 bayes_msgcount > >-rw-r--r-- 1 root daemon 24576 Mar 26 11:15 bayes_seen > >-rw-r--r-- 1 root daemon 671744 Mar 26 11:15 bayes_toks > > > >(BTW, defining auto_whitelist_path in the MailScanner spam.assassin.prefs.conf > >file has no effect on where the .spamassassin dir goes, still into > >the root directory). > > > >When I do "check_bayes_db -db /.spamassassin/bayes | more" > >I get: > > > >0.000 0 0 0 non-token data: db format = on-the-fly > >probs, > >expiry, scan-counting > >0.000 0 4 0 non-token data: nspam > >0.000 0 150 0 non-token data: nham > >0.000 0 14387 0 non-token data: ntokens > >0.000 0 0 0 non-token data: oldest age > >0.000 0 1698 0 non-token data: current scan-count > >0.000 0 0 0 non-token data: last expiry scan-count > >0.090 0 2 1542 Sentinel > >0.020 0 11 1698 N:NNNNNNNN > >0.149 0 1 1543 H*m:RCXN13905 > >(lots more) > > > > >From staring at the source code to check_bayes_db, this seems to be > >correct behavior, I think. > > > >--- Jeff > > > >On Wed, 26 Mar 2003, Julian Field wrote: > > > > > Date: Wed, 26 Mar 2003 15:44:12 +0000 
> > > From: Julian Field > > > Reply-To: MailScanner mailing list > > > To: MAILSCANNER@JISCMAIL.AC.UK > > > Subject: Re: SA, bayes, BerkeleyDB > > > > > > At 15:40 26/03/2003, you wrote: > > > >Julian, > > > > You commented on the list the other day "you need version 3 > > > >of BerkeleyDB installed, beware of version 4". Why I wonder? > > > >I have 4.1 installed in /usr/local/BerkeleyDB4.1 with a symlink > > > >of /usr/local/BerkeleyDB -> BerkeleyDB4.1. Things seem to be > > > >working ok with SA, after I changed the "use AnyDBM_file" in > > > >SA.pm to "use DB_file". The bayes stuff in /.spamassassin is > > > >updating for me... > > > > > > I was using DB4.1 on Solaris, and SpamAssassin wasn't working properly at > > > all. It couldn't even get the nspam and nham counters out of the database > > > files. > > > It may well be okay on Linux. > > > -- > > > Julian Field > > > www.MailScanner.info > > > MailScanner thanks transtec Computers for their support > > > > > -- > Julian Field > www.MailScanner.info > MailScanner thanks transtec Computers for their support > From Lou.Baccari at HP.COM Wed Mar 26 18:56:30 2003 From: Lou.Baccari at HP.COM (Baccari, Lou) Date: Thu Jan 12 21:17:35 2006 Subject: MailScanner 4.12-2 / 4.13-3 incoming failed Message-ID: Hi, I'm having this problem that when I run 'service MailScanner status' the output displays the following error: Checking MailScanner daemons: MailScanner: [ OK ] incoming sendmail: [FAILED] outgoing sendmail: [ OK ] I've verified mail is working both in and out bound correctly, so I don't know why the error. I have RedHatV8.0, and I just upgrade today to MailScanner 4.13-3. I also had the problem with MailScanner V4.12-2. I never notice the problem before until I upgraded the kernel and glib rpms last week for security reasons. Has anyone else seen this problem yet? Thanks, Lou. From raymond at PROLOCATION.NET Wed Mar 26 18:57:57 2003 
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:17:35 2006
Subject: MailScanner 4.12-2 / 4.13-3 incoming failed
In-Reply-To:
Message-ID:

Hi!

> Checking MailScanner daemons:
>          MailScanner: [ OK ]
>          incoming sendmail: [FAILED]
>          outgoing sendmail: [ OK ]
>
> I've verified mail is working both in and out bound correctly, so I
> don't know why the error.

Most likely you have sendmail running on its own. Stop mailscanner and check if there is sendmail running after you shut it down.

Bye,
Raymond.

From Lou.Baccari at HP.COM Wed Mar 26 19:02:35 2003
From: Lou.Baccari at HP.COM (Baccari, Lou)
Date: Thu Jan 12 21:17:35 2006
Subject: MailScanner 4.12-2 / 4.13-3 incoming failed
Message-ID:

Raymond,

Thanks for the info, but that was not the problem. This MailScanner installation is 4 months old and I've never noticed this problem until after the kernel/glib upgrades.

Thanks again,
Lou

-----Original Message-----
From: Raymond Dijkxhoorn [mailto:raymond@PROLOCATION.NET]
Sent: Wednesday, March 26, 2003 1:58 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: MailScanner 4.12-2 / 4.13-3 incoming failed

Hi!

> Checking MailScanner daemons:
>          MailScanner: [ OK ]
>          incoming sendmail: [FAILED]
>          outgoing sendmail: [ OK ]
>
> I've verified mail is working both in and out bound correctly, so I
> don't know why the error.

Most likely you have sendmail running on its own. Stop mailscanner and check if there is sendmail running after you shut it down.

Bye,
Raymond.

From mailscanner at ecs.soton.ac.uk Wed Mar 26 19:06:21 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:35 2006 Subject: SA, bayes, BerkeleyDB In-Reply-To: References: <5.2.0.9.2.20030326174656.04434890@imap.ecs.soton.ac.uk> <5.2.0.9.2.20030326154325.031cbb38@imap.ecs.soton.ac.uk> <5.2.0.9.2.20030326154325.031cbb38@imap.ecs.soton.ac.uk> <5.2.0.9.2.20030326174656.04434890@imap.ecs.soton.ac.uk> Message-ID: <5.2.0.9.2.20030326190527.0235cd00@imap.ecs.soton.ac.uk> It looks like you are lucky and yours works. Mine didn't manage to find any spams in the Bayes DB. At 18:21 26/03/2003, you wrote: >Julian, > Here's what I got: > >sa-learn -D 1 --rebuild >please specify target type with --dir, --file, or --mbox: 1 >debug: Score set 0 chosen. >debug: using "/opt/perl5/share/spamassassin" for default rules dir >debug: using "/etc/mail/spamassassin" for site rules dir >debug: using "/home/admin/jaearick/.spamassassin/user_prefs" for user >prefs file >debug: bayes: 9613 tie-ing to DB file R/O >/var/spool/spamassassin/bayes_toks >debug: bayes: 9613 tie-ing to DB file R/O >/var/spool/spamassassin/bayes_seen >debug: debug: Only 11 spam(s) in Bayes DB < 200 >debug: bayes: 9613 untie-ing >debug: bayes: 9613 untie-ing db_toks >debug: bayes: 9613 untie-ing db_seen >debug: Score set 0 chosen. 
>debug: Initialising learner >debug: Initialising learner >debug: lock: 9613 created /var/spool/spamassassin/bayes.lock.emerald.9613 >debug: lock: 9613 trying to get lock on /var/spool/spamassassin/bayes with >0 retries >debug: lock: 9613 link to /var/spool/spamassassin/bayes.lock: link ok >debug: bayes: 9613 tie-ing to DB file R/W >/var/spool/spamassassin/bayes_toks >debug: bayes: 9613 tie-ing to DB file R/W >/var/spool/spamassassin/bayes_seen >debug: bayes: 9613 untie-ing >debug: bayes: 9613 untie-ing db_toks >debug: bayes: 9613 untie-ing db_seen >debug: bayes: files locked, now unlocking lock >debug: unlock: 9613 unlink /var/spool/spamassassin/bayes.lock >debug: bayes: 9613 untie-ing > >Note that On my first try, it complained about the "auto_report_threshold" >variable in spam.assassin.prefs.conf, so I commented that out. I also >tried "spamassassin -D --lint" to see what directories it was using and >this same complaint. My Sol 8 is up-to-date on patches. My DB is 4.1.25, >built with Sun's Forte 7 compiler, not gcc. > >--- Jeff > > >On Wed, 26 Mar 2003, Julian Field wrote: > > > Date: Wed, 26 Mar 2003 17:47:44 +0000 
> > From: Julian Field > > Reply-To: MailScanner mailing list > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: Re: SA, bayes, BerkeleyDB > > > > I was generating DB output by doing > > sa-learn -D 1 --rebuild > > and it was saying the nspam and nham were 0. > > > > Maybe your Solaris version didn't have the same problem my Solaris did? > > > > At 16:24 26/03/2003, you wrote: > > >Julian, > > > I'm on Solaris 8, db 4.1. My /.spamassassin directory looks like > thus: > > > > > >-rw-r--r-- 1 root daemon 1714 Mar 26 11:15 bayes_msgcount > > >-rw-r--r-- 1 root daemon 24576 Mar 26 11:15 bayes_seen > > >-rw-r--r-- 1 root daemon 671744 Mar 26 11:15 bayes_toks > > > > > >(BTW, defining auto_whitelist_path in the MailScanner > spam.assassin.prefs.conf > > >file has no effect on where the .spamassassin dir goes, still into > > >the root directory). > > > > > >When I do "check_bayes_db -db /.spamassassin/bayes | more" > > >I get: > > > > > >0.000 0 0 0 non-token data: db format = on-the-fly > > >probs, > > >expiry, scan-counting > > >0.000 0 4 0 non-token data: nspam > > >0.000 0 150 0 non-token data: nham > > >0.000 0 14387 0 non-token data: ntokens > > >0.000 0 0 0 non-token data: oldest age > > >0.000 0 1698 0 non-token data: current scan-count > > >0.000 0 0 0 non-token data: last expiry scan-count > > >0.090 0 2 1542 Sentinel > > >0.020 0 11 1698 N:NNNNNNNN > > >0.149 0 1 1543 H*m:RCXN13905 > > >(lots more) > > > > > > >From staring at the source code to check_bayes_db, this seems to be > > >correct behavior, I think. > > > > > >--- Jeff > > > > > >On Wed, 26 Mar 2003, Julian Field wrote: > > > > > > > Date: Wed, 26 Mar 2003 15:44:12 +0000 
> > > > From: Julian Field > > > > Reply-To: MailScanner mailing list > > > > To: MAILSCANNER@JISCMAIL.AC.UK > > > > Subject: Re: SA, bayes, BerkeleyDB > > > > > > > > At 15:40 26/03/2003, you wrote: > > > > >Julian, > > > > > You commented on the list the other day "you need version 3 > > > > >of BerkeleyDB installed, beware of version 4". Why I wonder? > > > > >I have 4.1 installed in /usr/local/BerkeleyDB4.1 with a symlink > > > > >of /usr/local/BerkeleyDB -> BerkeleyDB4.1. Things seem to be > > > > >working ok with SA, after I changed the "use AnyDBM_file" in > > > > >SA.pm to "use DB_file". The bayes stuff in /.spamassassin is > > > > >updating for me... > > > > > > > > I was using DB4.1 on Solaris, and SpamAssassin wasn't working > properly at > > > > all. It couldn't even get the nspam and nham counters out of the > database > > > > files. > > > > It may well be okay on Linux. > > > > -- > > > > Julian Field > > > > www.MailScanner.info > > > > MailScanner thanks transtec Computers for their support > > > > > > > > -- > > Julian Field > > www.MailScanner.info > > MailScanner thanks transtec Computers for their support > > -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support From brahn at woh.rr.com Wed Mar 26 19:06:26 2003 From: brahn at woh.rr.com (Bruce Rahn) Date: Thu Jan 12 21:17:35 2006 Subject: MailScanner 4.12-2 / 4.13-3 incoming failed In-Reply-To: Message-ID: Same problem noticed here. Bruce Rahn brahn@woh.rr.com Wisdom has two parts: 1. having a lot to say; and 2. not saying it! -----Original Message----- 
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Baccari, Lou
Sent: Wednesday, March 26, 2003 1:57 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: MailScanner 4.12-2 / 4.13-3 incoming failed

Hi,

I'm having this problem that when I run 'service MailScanner status' the output displays the following error:

Checking MailScanner daemons:
         MailScanner: [ OK ]
         incoming sendmail: [FAILED]
         outgoing sendmail: [ OK ]

I've verified mail is working both in and out bound correctly, so I don't know why the error.

I have RedHatV8.0, and I just upgraded today to MailScanner 4.13-3. I also had the problem with MailScanner V4.12-2. I never noticed the problem before until I upgraded the kernel and glib rpms last week for security reasons.

Has anyone else seen this problem yet?

Thanks,
Lou.

From jaearick at COLBY.EDU Wed Mar 26 19:08:11 2003
From: jaearick at COLBY.EDU (Jeff A. Earickson)
Date: Thu Jan 12 21:17:35 2006
Subject: additions to spam.assassin.prefs.conf?
Message-ID:

Julian,

Could the following items be added to spam.assassin.prefs.conf for the next edition, so that SA doesn't scribble bayes/whitelist files in the root directory, ie /.spamassassin?

# specify a path for whitelist and bayes DB files
auto_whitelist_path /var/spool/spamassassin/auto-whitelist
auto_whitelist_file_mode 0644
bayes_path /var/spool/spamassassin/bayes
bayes_file_mode 0644

This assumes a system-wide MS installation; I guess most sites use MS this way?

-- Jeff Earickson

From mailscanner at ecs.soton.ac.uk Wed Mar 26 19:10:14 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:35 2006
Subject: MailScanner 4.12-2 / 4.13-3 incoming failed
In-Reply-To:
Message-ID: <5.2.0.9.2.20030326190708.02458ac0@imap.ecs.soton.ac.uk>

At 18:56 26/03/2003, you wrote:
>Hi,
>
> I'm having this problem that when I run 'service MailScanner status' the
> output displays the following error:
>
>Checking MailScanner daemons:
>          MailScanner: [ OK ]
>          incoming sendmail: [FAILED]
>          outgoing sendmail: [ OK ]
>
> I've verified mail is working both in and out bound correctly, so I
> don't know why the error.
>
> I have RedHatV8.0, and I just upgraded today to MailScanner 4.13-3. I
> also had the problem with MailScanner V4.12-2. I never noticed the
> problem before until I upgraded the kernel and glib rpms last week for
> security reasons.
>
> Has anyone else seen this problem yet?

The sendmail replacement RPM issued by RedHat Network does a
        service sendmail restart
which re-runs sendmail :-(

I stopped it doing it in future by adding intentional syntax errors to
        /etc/sysconfig/sendmail
(I added a load of text on the end explaining what I had done, which of course generates a load of sh syntax errors)

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

From raymond at PROLOCATION.NET Wed Mar 26 19:14:14 2003
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:17:35 2006
Subject: MailScanner 4.12-2 / 4.13-3 incoming failed
In-Reply-To: <5.2.0.9.2.20030326190708.02458ac0@imap.ecs.soton.ac.uk>
Message-ID:

Hi!

> > I have RedHatV8.0, and I just upgraded today to MailScanner 4.13-3. I
> > also had the problem with MailScanner V4.12-2. I never noticed the
> > problem before until I upgraded the kernel and glib rpms last week for
> > security reasons.

> I stopped it doing it in future by adding intentional syntax errors to
> /etc/sysconfig/sendmail
> (I added a load of text on the end explaining what I had done, which of
> course generates a load of sh syntax errors)

That's why I asked to check if sendmail is running, but he posted on the list that that wasn't the case. Weird.

Bye,
Raymond.

From mailscanner at ecs.soton.ac.uk Wed Mar 26 19:17:14 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:35 2006
Subject: additions to spam.assassin.prefs.conf?
In-Reply-To:
Message-ID: <5.2.0.9.2.20030326191321.0230c400@imap.ecs.soton.ac.uk>

At 19:08 26/03/2003, you wrote:
>Julian,
>
> Could the following items be added to spam.assassin.prefs.conf
>for the next edition, so that SA doesn't scribble bayes/whitelist
>files in the root directory, ie /.spamassassin?
>
># specify a path for whitelist and bayes DB files
>auto_whitelist_path /var/spool/spamassassin/auto-whitelist
>auto_whitelist_file_mode 0644
>bayes_path /var/spool/spamassassin/bayes
>bayes_file_mode 0644

The snag is that this will break people's (including mine) already-built bayes databases. It would also involve the creation of /var/spool/spamassassin which is awkward for the tar distribution.

I could however add them but leave them commented out with a note about why you might want them. Then when people suffer their root fs filling up, they will find the comment in the conf file.

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

From raymond at PROLOCATION.NET Wed Mar 26 19:37:03 2003
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:17:35 2006
Subject: MailScanner 4.12-2 / 4.13-3 incoming failed
In-Reply-To:
Message-ID:

Hi!

> Something strange which I forgot to mention is that when I try to stop
> MailScanner the output shows no errors:

But what does:

ps ax | grep sendmail

show when you have shut down mailscanner?

Bye,
Raymond.

From Lou.Baccari at HP.COM Wed Mar 26 19:42:28 2003
From: Lou.Baccari at HP.COM (Baccari, Lou)
Date: Thu Jan 12 21:17:35 2006
Subject: MailScanner 4.12-2 / 4.13-3 incoming failed
Message-ID:

Raymond..

I'm sorry. When I stop MailScanner and check for sendmail, there are no sendmail processes running.

Lou

-----Original Message-----
From: Raymond Dijkxhoorn [mailto:raymond@PROLOCATION.NET]
Sent: Wednesday, March 26, 2003 2:37 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: MailScanner 4.12-2 / 4.13-3 incoming failed

Hi!

> Something strange which I forgot to mention is that when I try to stop
> MailScanner the output shows no errors:

But what does:

ps ax | grep sendmail

show when you have shut down mailscanner?

Bye,
Raymond.

From Lou.Baccari at HP.COM Wed Mar 26 19:30:54 2003
From: Lou.Baccari at HP.COM (Baccari, Lou)
Date: Thu Jan 12 21:17:35 2006
Subject: MailScanner 4.12-2 / 4.13-3 incoming failed
Message-ID:

Something strange which I forgot to mention is that when I try to stop MailScanner the output shows no errors:

service MailScanner start
Starting MailScanner daemons:
         incoming sendmail: [ OK ]
         outgoing sendmail: [ OK ]
         MailScanner: [ OK ]

service MailScanner status
Checking MailScanner daemons:
         MailScanner: [ OK ]
         incoming sendmail: [FAILED]
         outgoing sendmail: [ OK ]

service MailScanner stop
Shutting down MailScanner daemons:
         MailScanner: [ OK ]
         incoming sendmail: [ OK ]
         outgoing sendmail: [ OK ]

Lou.

-----Original Message-----
From: Raymond Dijkxhoorn [mailto:raymond@PROLOCATION.NET]
Sent: Wednesday, March 26, 2003 1:58 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: MailScanner 4.12-2 / 4.13-3 incoming failed

Hi!

> Checking MailScanner daemons:
>          MailScanner: [ OK ]
>          incoming sendmail: [FAILED]
>          outgoing sendmail: [ OK ]
>
> I've verified mail is working both in and out bound correctly, so I
> don't know why the error.

Most likely you have sendmail running on its own. Stop mailscanner and check if there is sendmail running after you shut it down.

Bye,
Raymond.

From brent at WHITE-DEV.QUATRO.COM Wed Mar 26 21:18:03 2003
From: brent at WHITE-DEV.QUATRO.COM (Brent)
Date: Thu Jan 12 21:17:35 2006
Subject: cap sensitive white/blacklisting
Message-ID: <581E96807D8F164BAC721997E5B8E4060D93AE@bto.quatro.com>

I'm not sure about site wide whitelisting and blacklisting, but for by domain whitelisting it appears to be cap sensitive. It would be nice down the line to have that caps insensitive so it doesn't matter how a user types out the address. I found this by accident today.

Brent

From brahn at woh.rr.com Wed Mar 26 21:13:56 2003
From: brahn at woh.rr.com (Bruce Rahn)
Date: Thu Jan 12 21:17:35 2006
Subject: MailScanner 4.12-2 / 4.13-3 incoming failed
In-Reply-To: <5.2.0.9.2.20030326190708.02458ac0@imap.ecs.soton.ac.uk>
Message-ID:

Allow me to add a more detailed observation in addition to my first posting of "seeing the same problem here".

First off, this discrepancy started after the last kernel/glibc updates. Everything was fine before that. I too was bitten by the sendmail 'auto start' issue when I upgraded, but that one was quick and easy to track down.

Now two more tid-bits. While it indicates failed, it indeed is running after a MailScanner start up and stops after a MailScanner stop. So why the error that it failed? It indeed works. Also, after the kernel/glibc update, the MailScanner-MRTG graph of Copies Of Sendmail went from showing two down to showing zero. If I were smarter, I'm sure this is a clue.

It's not a show stopper, just leaves one with a false impression that things are not working when indeed they are.

Regards -- Bruce

Bruce Rahn
brahn@woh.rr.com

Wisdom has two parts: 1. having a lot to say; and 2. not saying it!

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Julian Field Sent: Wednesday, March 26, 2003 2:10 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: MailScanner 4.12-2 / 4.13-3 incoming failed At 18:56 26/03/2003, you wrote: >Hi, > > I'm having this problem that when I run 'service MailScanner status' the > output displays the following error: > >Checking MailScanner daemons: > MailScanner: [ OK ] > incoming sendmail: [FAILED] > outgoing sendmail: [ OK ] > > I've verified mail is working both in and out bound correctly, so I > don't know why the error. > > I have RedHatV8.0, and I just upgrade today to MailScanner 4.13-3. I > also had the problem with MailScanner V4.12-2. I never notice the > problem before until I upgraded the kernel and glib rpms last week for > security reasons. > > Has anyone else seen this problem yet? The sendmail replacement RPM issued by RedHat Network does a service sendmail restart which re-runs sendmail :-( I stopped it doing it in future by adding intentional syntax errors to /etc/sysconfig/sendmail (I added a load of text on the end explaining what I had done, which of course generates load of sh syntax errors) -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support From brent at MIRABITO.COM Wed Mar 26 21:23:41 2003 
From: brent at MIRABITO.COM (Brent Strignano)
Date: Thu Jan 12 21:17:35 2006
Subject: Default Filename Extension Handling
Message-ID: <62E46E0C3CB8024C807447814E1B20A501CC7D@granitemail.mirabito.com>

Julian,

First of all let me say.... Great Program!!

What is the default for handling files whose extensions don't appear in
filename.rules.conf ? Example, .xls files are being replaced by a blank txt
document and that extension in not in the rules file for either allow or
deny.

MS 4.13-3
SA 2.50
RH 8

Thanks,

Brent Strignano
System Administrator
Granite Capital Holdings
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030326/b256c5b0/attachment.html

From Kevin.Spicer at BMRB.CO.UK Wed Mar 26 21:56:51 2003
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin)
Date: Thu Jan 12 21:17:35 2006
Subject: MailScanner 4.12-2 / 4.13-3 incoming failed
Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0EBF4C1@pascal.priv.bmrb.co.uk>

>
> > Something strange which I forgot to mention is that when I try to stop
> > MailScanner the output shows no errors:
>
> But what does: ps ax | grep sendmail
> show when you have shut down mailscanner?
>

More to the point what does:
ps ax | grep sendmail
show when MailScanner is running? The init script simply does:
ps ax | grep sendmai[l]: accepting connections
to find out if the incoming sendmail is running - if the format's changed
slightly that would explain the problem

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000
_________________________________________________________________
This message (and any attachment) is intended only for the recipient and may
contain confidential and/or privileged material. If you have received this
in error, please contact the sender and delete this message immediately.
Disclosure, copying or other action taken in respect of this email or in
reliance on it is prohibited. BMRB International Limited accepts no
liability in relation to any personal emails, or content of any email which
does not directly relate to our business.

From SJCJonker at SJC.NL Wed Mar 26 22:11:12 2003
From: SJCJonker at SJC.NL (Stijn Jonker) Date: Thu Jan 12 21:17:35 2006 Subject: MailScanner 4.12-2 / 4.13-3 incoming failed In-Reply-To: Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hello all, I have seen this problem with diffrent scripts and programs on my system. If you are all running redhat, the following has happend afaik. Redhat silently upgraded glibc from 2.2.X to 2.3.X while incorporating the latest sun rpc fix. (The reason for the upgrade iirc) Now some (if not most processes) show up as: 773 ? S 0:00 [sendmail] 782 ? S 0:00 [sendmail] when doing a ps -ax or ps -eaf. I blame it on the glibc upgrade and had to modify a bunch of scripts. I don't know what the exact meaning is if a process is in between [] brackets. Couldn't find it that quick. I had to "repair" a lot of monitoring and reporting tools and I don't have time to make ps do the right thing again. Hope this helps! Stijn. On Wed, 26 Mar 2003, Bruce Rahn wrote: > Allow me to add a more detailed observation in addition to my first posting > of "seeing the same problem here". > > First off, this discrepancy started after the last kernel/glibc updates. > Everything was fine before that. I too was bitten by the sendmail 'auto > start' issue when I upgraded, but that one was quick and easy to track down. > > Now two more tid-bits. While it indicates failed, it indeed is running > after a MailScanner start up and stops after a MailScanner stop. So why the > error that it failed? It indeed works. > > Also, after the kernel/glibc update, the MailScanner-MRTG graph of Copies Of > Sendmail went from showing two down to showing zero. If I were smarter, I'm > sure this is a clue. > > It's not a show stopper, just leaves one with a false impression that things > are not working when indeed they are. > > Regards -- Bruce > > Bruce Rahn > > brahn@woh.rr.com > > Wisdom has two parts: > 1. having a lot to say; and > 2. not saying it! > > > -----Original Message----- 
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > Behalf Of Julian Field > Sent: Wednesday, March 26, 2003 2:10 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: MailScanner 4.12-2 / 4.13-3 incoming failed > > > At 18:56 26/03/2003, you wrote: > >Hi, > > > > I'm having this problem that when I run 'service MailScanner status' the > > output displays the following error: > > > >Checking MailScanner daemons: > > MailScanner: [ OK ] > > incoming sendmail: [FAILED] > > outgoing sendmail: [ OK ] > > > > I've verified mail is working both in and out bound correctly, so I > > don't know why the error. > > > > I have RedHatV8.0, and I just upgrade today to MailScanner 4.13-3. I > > also had the problem with MailScanner V4.12-2. I never notice the > > problem before until I upgraded the kernel and glib rpms last week for > > security reasons. > > > > Has anyone else seen this problem yet? > > The sendmail replacement RPM issued by RedHat Network does a > service sendmail restart > which re-runs sendmail :-( > I stopped it doing it in future by adding intentional syntax errors to > /etc/sysconfig/sendmail > (I added a load of text on the end explaining what I had done, which of > course generates load of sh syntax errors) > > -- > Julian Field > www.MailScanner.info > Professional Support Services at www.MailScanner.biz > MailScanner thanks transtec Computers for their support > - -- Met Vriendelijke groet/Yours Sincerely Stijn Jonker -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.7 (GNU/Linux) iD8DBQE+giWBjU9r45tKnOARAsMAAKCw6pdmfqhJ1VQz50yhsO03VKuSAQCgymzV p6xUtvdCRaRdGCEFlxbNWFY= =KZvN -----END PGP SIGNATURE----- From craig at STRONG-BOX.NET Wed Mar 26 22:23:50 2003 
From: craig at STRONG-BOX.NET (Craig Pratt) Date: Thu Jan 12 21:17:36 2006 Subject: MailScanner 4.12-2 / 4.13-3 incoming failed In-Reply-To: Message-ID: <9ED30EBC-5FD9-11D7-9B28-000393B9390A@strong-box.net> On Wednesday, March 26, 2003, at 02:11 PM, Stijn Jonker wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Hello all, > > I have seen this problem with diffrent scripts and programs on my > system. > If you are all running redhat, the following has happend afaik. > > Redhat silently upgraded glibc from 2.2.X to 2.3.X while incorporating > the > latest sun rpc fix. (The reason for the upgrade iirc) > > Now some (if not most processes) show up as: > 773 ? S 0:00 [sendmail] > 782 ? S 0:00 [sendmail] > when doing a ps -ax or ps -eaf. Funny. I've put all the updates on my RH 7.2 system and don't see what you're describing - at least for the sendmail process: [craig@orange craig]$ rpm -q glibc sendmail samba kernel glibc-2.2.4-32 sendmail-8.11.6-23.72 samba-2.2.7a-1 kernel-2.4.18-27.7.x [craig@orange craig]$ ps -ax | fgrep sendmail 3219 ? S 0:00 sendmail: accepting connections 3224 ? S 0:00 /usr/sbin/sendmail -q15m 6877 pts/0 S 0:00 fgrep sendmail > I blame it on the glibc upgrade and had to modify a bunch of scripts. Have you upgraded your kernel for the strace() problem? I'd be more suspicious of a kernel upgrade causing this kind of thing. Craig > > I don't know what the exact meaning is if a process is in between [] > brackets. Couldn't find it that quick. I had to "repair" a lot of > monitoring and reporting tools and I don't have time to make ps do the > right thing again. > > Hope this helps! > > Stijn. > > > > On Wed, 26 Mar 2003, Bruce Rahn wrote: > >> Allow me to add a more detailed observation in addition to my first >> posting >> of "seeing the same problem here". >> >> First off, this discrepancy started after the last kernel/glibc >> updates. >> Everything was fine before that. 
I too was bitten by the sendmail >> 'auto >> start' issue when I upgraded, but that one was quick and easy to >> track down. >> >> Now two more tid-bits. While it indicates failed, it indeed is >> running >> after a MailScanner start up and stops after a MailScanner stop. So >> why the >> error that it failed? It indeed works. >> >> Also, after the kernel/glibc update, the MailScanner-MRTG graph of >> Copies Of >> Sendmail went from showing two down to showing zero. If I were >> smarter, I'm >> sure this is a clue. >> >> It's not a show stopper, just leaves one with a false impression that >> things >> are not working when indeed they are. >> >> Regards -- Bruce >> >> Bruce Rahn >> >> brahn@woh.rr.com >> >> Wisdom has two parts: >> 1. having a lot to say; and >> 2. not saying it! >> >> >> -----Original Message----- 
>> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On >> Behalf Of Julian Field >> Sent: Wednesday, March 26, 2003 2:10 PM >> To: MAILSCANNER@JISCMAIL.AC.UK >> Subject: Re: MailScanner 4.12-2 / 4.13-3 incoming failed >> >> >> At 18:56 26/03/2003, you wrote: >>> Hi, >>> >>> I'm having this problem that when I run 'service MailScanner >>> status' the >>> output displays the following error: >>> >>> Checking MailScanner daemons: >>> MailScanner: [ OK ] >>> incoming sendmail: [FAILED] >>> outgoing sendmail: [ OK ] >>> >>> I've verified mail is working both in and out bound correctly, so I >>> don't know why the error. >>> >>> I have RedHatV8.0, and I just upgrade today to MailScanner 4.13-3. >>> I >>> also had the problem with MailScanner V4.12-2. I never notice the >>> problem before until I upgraded the kernel and glib rpms last week >>> for >>> security reasons. >>> >>> Has anyone else seen this problem yet? >> >> The sendmail replacement RPM issued by RedHat Network does a >> service sendmail restart >> which re-runs sendmail :-( >> I stopped it doing it in future by adding intentional syntax errors to >> /etc/sysconfig/sendmail >> (I added a load of text on the end explaining what I had done, which >> of >> course generates load of sh syntax errors) >> >> -- >> Julian Field >> www.MailScanner.info >> Professional Support Services at www.MailScanner.biz >> MailScanner thanks transtec Computers for their support >> > > - -- > Met Vriendelijke groet/Yours Sincerely > Stijn Jonker > > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.0.7 (GNU/Linux) > > iD8DBQE+giWBjU9r45tKnOARAsMAAKCw6pdmfqhJ1VQz50yhsO03VKuSAQCgymzV > p6xUtvdCRaRdGCEFlxbNWFY= > =KZvN > -----END PGP SIGNATURE----- > --- Craig Pratt Strongbox Network Services Inc. mailto:craig@strong-box.net -- This message checked for dangerous content by MailScanner on StrongBox. From mailscanner at ecs.soton.ac.uk Wed Mar 26 21:58:52 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:36 2006
Subject: cap sensitive white/blacklisting
In-Reply-To: <581E96807D8F164BAC721997E5B8E4060D93AE@bto.quatro.com>
Message-ID: <5.2.0.9.2.20030326215639.028bdec8@imap.ecs.soton.ac.uk>

At 21:18 26/03/2003, you wrote:
>I'm not sure about site wide whitelisting and blacklisting, but for by
>domain whitelisting it appears to be cap sensitive. It would be nice down
>the line to have that caps insensitive so it doesn't matter how a user
>types out the address. I found this by accident today.

Should be fixed in the next release. Just requires this change:
        $BlackWhite->{$filename}{$_} = 1; # Store the whitelist entry
to
        $BlackWhite->{$filename}{lc($_)} = 1; # Store the whitelist entry
around line 224.

All that code is just provided as a reasonably complex example of what you
can do with Custom Functions.
--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Wed Mar 26 22:09:37 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:36 2006
Subject: Default Filename Extension Handling
In-Reply-To: <62E46E0C3CB8024C807447814E1B20A501CC7D@granitemail.mirabito.com>
Message-ID: <5.2.0.9.2.20030326215914.05127e10@imap.ecs.soton.ac.uk>

At 21:23 26/03/2003, you wrote:
>First of all let me say.... Great Program!!

Thanks.

>What is the default for handling files whose extensions don't appear in
>filename.rules.conf ? Example, .xls files are being replaced by a blank
>txt document and that extension in not in the rules file for either allow
>or deny.

They are allowed. I have just put a .xls file through my system and it gets
through just fine. Anyone else seeing this?

>MS 4.13-3
>SA 2.50

Strongly advise you upgrade to SA 2.52 some time soon. Possibly when I
release 4.14.

>RH 8
>
>Thanks,
>
>Brent Strignano
>System Administrator
>Granite Capital Holdings
--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Wed Mar 26 22:36:40 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:36 2006 Subject: MailScanner 4.12-2 / 4.13-3 incoming failed In-Reply-To: References: Message-ID: <5.2.0.9.2.20030326223218.02299de0@imap.ecs.soton.ac.uk> Really helps when vendors/distributors do nice things like that :-( Attached are new versions of /etc/rc.d/init.d/MailScanner /usr/sbin/check_mailscanner This now makes it impossible to make it work perfectly on all versions of RedHat Linux. It can now no longer tell the difference between the outgoing sendmail process in glibc 2.2 and the incoming sendmail process in glibc 2.3 as they both produce the same output. Also the incoming and outgoing sendmail processes in glibc 2.3 produce exactly the same ps output, making it impossible to differentiate between the 2. So it's about as good as I can get it, but it will tend to be a bit optimistic when doing a "status". At 22:11 26/03/2003, you wrote: >-----BEGIN PGP SIGNED MESSAGE----- >Hash: SHA1 > >Hello all, > >I have seen this problem with diffrent scripts and programs on my system. >If you are all running redhat, the following has happend afaik. > >Redhat silently upgraded glibc from 2.2.X to 2.3.X while incorporating the >latest sun rpc fix. (The reason for the upgrade iirc) > >Now some (if not most processes) show up as: >773 ? S 0:00 [sendmail] >782 ? S 0:00 [sendmail] >when doing a ps -ax or ps -eaf. > >I blame it on the glibc upgrade and had to modify a bunch of scripts. > >I don't know what the exact meaning is if a process is in between [] >brackets. Couldn't find it that quick. I had to "repair" a lot of >monitoring and reporting tools and I don't have time to make ps do the >right thing again. > >Hope this helps! > >Stijn. > > > >On Wed, 26 Mar 2003, Bruce Rahn wrote: > > > Allow me to add a more detailed observation in addition to my first posting > > of "seeing the same problem here". > > > > First off, this discrepancy started after the last kernel/glibc updates. 
> > Everything was fine before that. I too was bitten by the sendmail 'auto > > start' issue when I upgraded, but that one was quick and easy to track > down. > > > > Now two more tid-bits. While it indicates failed, it indeed is running > > after a MailScanner start up and stops after a MailScanner stop. So > why the > > error that it failed? It indeed works. > > > > Also, after the kernel/glibc update, the MailScanner-MRTG graph of > Copies Of > > Sendmail went from showing two down to showing zero. If I were > smarter, I'm > > sure this is a clue. > > > > It's not a show stopper, just leaves one with a false impression that > things > > are not working when indeed they are. > > > > Regards -- Bruce > > > > Bruce Rahn > > > > brahn@woh.rr.com > > > > Wisdom has two parts: > > 1. having a lot to say; and > > 2. not saying it! > > > > > > -----Original Message----- 
> > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > > Behalf Of Julian Field > > Sent: Wednesday, March 26, 2003 2:10 PM > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: Re: MailScanner 4.12-2 / 4.13-3 incoming failed > > > > > > At 18:56 26/03/2003, you wrote: > > >Hi, > > > > > > I'm having this problem that when I run 'service MailScanner status' the > > > output displays the following error: > > > > > >Checking MailScanner daemons: > > > MailScanner: [ OK ] > > > incoming sendmail: [FAILED] > > > outgoing sendmail: [ OK ] > > > > > > I've verified mail is working both in and out bound correctly, so I > > > don't know why the error. > > > > > > I have RedHatV8.0, and I just upgrade today to MailScanner 4.13-3. I > > > also had the problem with MailScanner V4.12-2. I never notice the > > > problem before until I upgraded the kernel and glib rpms last week for > > > security reasons. > > > > > > Has anyone else seen this problem yet? > > > > The sendmail replacement RPM issued by RedHat Network does a > > service sendmail restart > > which re-runs sendmail :-( > > I stopped it doing it in future by adding intentional syntax errors to > > /etc/sysconfig/sendmail > > (I added a load of text on the end explaining what I had done, which of > > course generates load of sh syntax errors) > > > > -- > > Julian Field > > www.MailScanner.info > > Professional Support Services at www.MailScanner.biz > > MailScanner thanks transtec Computers for their support > > > >- -- >Met Vriendelijke groet/Yours Sincerely >Stijn Jonker > >-----BEGIN PGP SIGNATURE----- >Version: GnuPG v1.0.7 (GNU/Linux) > >iD8DBQE+giWBjU9r45tKnOARAsMAAKCw6pdmfqhJ1VQz50yhsO03VKuSAQCgymzV >p6xUtvdCRaRdGCEFlxbNWFY= >=KZvN >-----END PGP SIGNATURE----- -------------- next part -------------- A non-text attachment was scrubbed... 
Name: MailScanner Type: application/octet-stream Size: 4069 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030326/e0b8b9e6/MailScanner.obj -------------- next part -------------- A non-text attachment was scrubbed... Name: check_mailscanner Type: application/octet-stream Size: 3452 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030326/e0b8b9e6/check_mailscanner.obj -------------- next part -------------- -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support From raymond at PROLOCATION.NET Wed Mar 26 22:30:10 2003 From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:17:36 2006 Subject: MailScanner 4.12-2 / 4.13-3 incoming failed In-Reply-To: <9ED30EBC-5FD9-11D7-9B28-000393B9390A@strong-box.net> Message-ID: Hi! > > 773 ? S 0:00 [sendmail] > > 782 ? S 0:00 [sendmail] > > when doing a ps -ax or ps -eaf. > > Funny. I've put all the updates on my RH 7.2 system and don't see what > you're describing - at least for the sendmail process: He is most likely talking about RH 8.0. RH 7.2 and 7.3 dont suffer this problems as far as i know. For 8.0 RH upgraded to 2.3.2 when you apply the errata. Bye, Raymond. From jrudd at UCSC.EDU Wed Mar 26 23:08:06 2003 From: jrudd at UCSC.EDU (John Rudd) Date: Thu Jan 12 21:17:36 2006 Subject: {S-p-a-m?} Sophos Anti-Virus IDE alert: W32/Lovgate-E Message-ID: <200303262308.h2QN86X11227@kzin.ucsc.edu> 
> From: Martin Sapsed > > Jan-Peter Koopmann wrote: > >>Dunno about that but it's probably best to remove or alter > >>the standard MailScanner tags when sending stuff to the list. > >>Otherwise, messages get filtered! > > > > Your MailScanner should not really care about the tags of other > > MailScanners, should it? I would not really know since I only check for > > incoming spam, not for outgoing... No real need for that, is there? > > My MailScanner doesn't care but my procmail doesn't know who put the tag > on! Maybe I'll try changing the order of my procmail rules... > are you using the default mailscanner headers? like "X-MailScanner:"? then don't. Make them site specific, like "X-BANGOR-AC-UK-MAILSCANNER", and adjust your procmail script accordingly. Then you don't need to care what the other site found. From jrudd at UCSC.EDU Wed Mar 26 23:27:09 2003 From: jrudd at UCSC.EDU (John Rudd) Date: Thu Jan 12 21:17:36 2006 Subject: Feature idea Message-ID: <200303262327.h2QNR9J11531@kzin.ucsc.edu> With viruses, we have the option of replacing the infected attachment with a warning message. Why not have a similar option with spam? Have 2 new spam action settings 1) do like the newer versions of spam assassin where the entire original message is put in an attachment, and then in the main body put the verbose report of which rules were tripped, etc. 2) remove the entire original message and replace it with a message that still appears to be from that sender, but the body is a report of the original subject and score. I'd preserve the original sender in the latter case so that if it's a false positive, you can reply to the message directly (without jumping through any hoops) and contact the sender about it. From stone at HKUST.SE Thu Mar 27 00:11:25 2003 
From: stone at HKUST.SE (Magnus Stenman)
Date: Thu Jan 12 21:17:36 2006
Subject: MailScanner 4.12-2 / 4.13-3 incoming failed
References: <5.2.0.9.2.20030326223218.02299de0@imap.ecs.soton.ac.uk>
Message-ID: <3E8241AD.A96AE4E1@hkust.se>

I'm running 4 sendmail daemons, and I use the pid files
to tell the difference in the init script.

It gets the work done. Maybe something for mailscanner?

init script attached

/magnus

Julian Field wrote:
>
> Really helps when vendors/distributors do nice things like that :-(
> Attached are new versions of
>         /etc/rc.d/init.d/MailScanner
>         /usr/sbin/check_mailscanner
>
> This now makes it impossible to make it work perfectly on all versions of
> RedHat Linux. It can now no longer tell the difference between the outgoing
> sendmail process in glibc 2.2 and the incoming sendmail process in glibc
> 2.3 as they both produce the same output. Also the incoming and outgoing
> sendmail processes in glibc 2.3 produce exactly the same ps output, making
> it impossible to differentiate between the 2.
>
...
>
> ------------------------------------------------------------------------
>                      Name: MailScanner
>    MailScanner       Type: unspecified type (application/octet-stream)
>                  Encoding: base64
>
>                            Name: check_mailscanner
>    check_mailscanner       Type: unspecified type (application/octet-stream)
>                        Encoding: base64
>
> ------------------------------------------------------------------------
> --
> Julian Field
> www.MailScanner.info
> Professional Support Services at www.MailScanner.biz
> MailScanner thanks transtec Computers for their support
-------------- next part --------------
#!/bin/bash
#
# sendmail      sendmail daemons at max.hkust.se
#
# chkconfig: 2345 80 30
# description: sendmail daemons at max.hkust.se.
#              (mailscanner sendmail daemons + extra daemons for slow queue and list submissions)
# processname: sendmail
# config: /etc/sendmail.cf
# pidfile: /var/run/sendmail-in.pid
# pidfile: /var/run/sendmail-out.pid
# pidfile: /var/run/sendmail-slow.pid
# pidfile: /var/run/sendmail-list.pid

# Source function library.
. /etc/rc.d/init.d/functions

# Source networking configuration.
. /etc/sysconfig/network

# Source config.
if [ -f /etc/sysconfig/sendmail-special ] ; then
        . /etc/sysconfig/sendmail-special
else
        QUEUETIME=5m
        INQDIR=/var/spool/mqueue.in
        SLOWQTIME=2h
        SLOWQDIR='/var/spool/mqueue/out-*'
        LISTQDIR=/var/spool/mqueue.out
        LIST_MTA_PORT=24
fi

# Check that networking is up.
[ ${NETWORKING} = "no" ] && exit 0

[ -f /usr/sbin/sendmail ] || exit 0

RETVAL=0

# sendmail starters
start_in() {
        echo -n $"Starting sendmail-in: "
        daemon /usr/sbin/sendmail -bd -OPrivacyOptions=noetrn \
                -ODeliveryMode=queueonly \
                -OQueueDirectory=$INQDIR \
                -ODaemonPortOptions=Name=inMTA \
                -OPidFile=/var/run/sendmail-in.pid
        RETVAL=$?
        echo
        [ $RETVAL -eq 0 ] && touch /var/lock/subsys/sendmail-in
        return $RETVAL
}

start_out() {
        echo -n $"Starting sendmail-out: "
        daemon /usr/sbin/sendmail $([ -n "$QUEUETIME" ] && echo -q$QUEUETIME) \
                -ODaemonPortOptions=Name=outMTA \
                -OPidFile=/var/run/sendmail-out.pid
        RETVAL=$?
        echo
        [ $RETVAL -eq 0 ] && touch /var/lock/subsys/sendmail-out
        return $RETVAL
}

start_slow() {
        echo -n $"Starting sendmail-slow: "
        daemon /usr/sbin/sendmail -q1h -OQueueDirectory=$SLOWQDIR \
                -ODaemonPortOptions=Name=slowMTA \
                -OPidFile=/var/run/sendmail-slow.pid
        RETVAL=$?
        echo
        [ $RETVAL -eq 0 ] && touch /var/lock/subsys/sendmail-slow
        return $RETVAL
}

start_list() {
        echo -n $"Starting sendmail-list: "
        daemon /usr/sbin/sendmail -bd -ODeliveryMode=defer \
                -ODaemonPortOptions=Name=listMTA,Port=24,M=E,Addr=localhost \
                -OPidFile=/var/run/sendmail-list.pid
        RETVAL=$?
        echo
        [ $RETVAL -eq 0 ] && touch /var/lock/subsys/sendmail-list
        return $RETVAL
}

# sendmail stoppers
stop_in() {
        echo -n $"Shutting down sendmail-in: "
        kill `head -1 /var/run/sendmail-in.pid`
        RETVAL=$?
        echo
        [ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/sendmail-in
        [ $RETVAL -eq 0 ] && rm -f /var/run/sendmail-in.pid
        return $RETVAL
}

stop_out() {
        echo -n $"Shutting down sendmail-out: "
        kill `head -1 /var/run/sendmail-out.pid`
        RETVAL=$?
        echo
        [ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/sendmail-out
        [ $RETVAL -eq 0 ] && rm -f /var/run/sendmail-out.pid
        return $RETVAL
}

stop_slow() {
        echo -n $"Shutting down sendmail-slow: "
        kill `head -1 /var/run/sendmail-slow.pid`
        RETVAL=$?
        echo
        [ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/sendmail-slow
        [ $RETVAL -eq 0 ] && rm -f /var/run/sendmail-slow.pid
        return $RETVAL
}

stop_list() {
        echo -n $"Shutting down sendmail-list: "
        kill `head -1 /var/run/sendmail-list.pid`
        RETVAL=$?
        echo
        [ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/sendmail-list
        [ $RETVAL -eq 0 ] && rm -f /var/run/sendmail-list.pid
        return $RETVAL
}

# See how we were called.
case "$1" in
  start)
        start_in
        start_out
        start_slow
        start_list
        ;;
  stop)
        stop_in
        stop_out
        stop_slow
        stop_list
        ;;
  restart|reload)
        stop_in
        stop_out
        stop_slow
        stop_list
        start_in
        start_out
        start_slow
        start_list
        RETVAL=$?
        ;;
  *)
        echo $"Usage: $0 {start|stop|restart}"
        exit 1
esac

exit $RETVAL

From stone at HKUST.SE Thu Mar 27 00:27:27 2003
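The pid-file approach suggested in the message above, sketched as a status check; this is an added example, not code from the thread or from MailScanner's own init script. The function names `proc_name`, `pidfile_status` and `status_line` are hypothetical, the return codes follow the LSB init-script convention, and the PID is assumed to sit on the first line of the pid file, as the posted script's `head -1` implies.

```shell
#!/bin/sh
# Added example: report daemon status from pid files instead of matching
# process titles in `ps` output, which changed format in this thread.
# Return codes (LSB "status" convention):
#   0 running, 1 dead but pid file exists, 3 not running, 4 status unknown.
# Note: POSIX sh has no `local`, so the variables below are global.

# proc_name PID: print the kernel's name for the process (the executable
# name, truncated to 15 characters on Linux). Unlike the process title,
# it does not change when a daemon rewrites its argv.
proc_name() {
    if [ -r "/proc/$1/comm" ]; then
        cat "/proc/$1/comm"
    else
        ps -p "$1" -o comm= 2>/dev/null | sed 's|.*/||; s/[[:space:]]*$//'
    fi
}

# pidfile_status PIDFILE [EXPECTED_NAME]
pidfile_status() {
    pidfile=$1
    expected=${2:-}

    [ -e "$pidfile" ] || return 3      # never started, or stopped cleanly
    [ -r "$pidfile" ] || return 4      # cannot tell without reading it

    # Only the first line is the PID; later lines may hold the command line.
    pid=$(head -n 1 "$pidfile")

    # The file content is input, not a trusted number. Reject anything that
    # is not a plain positive integer before it reaches kill: values such
    # as 0 or -1 address whole groups of processes.
    case $pid in
        ''|*[!0-9]*) return 4 ;;
    esac
    [ "$pid" -gt 0 ] 2>/dev/null || return 4

    # kill -0 tests for existence without sending a signal. It also fails
    # for another user's process, so fall back to /proc before giving up.
    if ! kill -0 "$pid" 2>/dev/null && [ ! -d "/proc/$pid" ]; then
        return 1                       # stale pid file
    fi

    # Guard against PID reuse: the number may now belong to something else.
    if [ -n "$expected" ]; then
        name=$(proc_name "$pid")
        [ -z "$name" ] && return 4
        [ "$name" = "$expected" ] || return 1
    fi
    return 0
}

# status_line LABEL PIDFILE [EXPECTED_NAME]: print one line in the style of
# the init script's status output and return pidfile_status's code.
status_line() {
    rc=0
    pidfile_status "$2" "${3:-}" || rc=$?
    case $rc in
        0) word="OK" ;;
        3) word="STOPPED" ;;
        4) word="UNKNOWN" ;;
        *) word="FAILED" ;;
    esac
    printf '%-20s [%s]\n' "$1:" "$word"
    return $rc
}

# Usage (paths as in the posted script):
#   status_line "incoming sendmail" /var/run/sendmail-in.pid sendmail
#   status_line "outgoing sendmail" /var/run/sendmail-out.pid sendmail
```

Because each daemon is started with its own `-OPidFile=`, the incoming and outgoing processes stay distinguishable even when their `ps` lines are identical.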
From: stone at HKUST.SE (Magnus Stenman) Date: Thu Jan 12 21:17:36 2006 Subject: b0rken autoresponder Message-ID: <3E82456F.43BCC4E5@hkust.se> Yay, a broken auto-responder on the list... Someone want to unsubscribe this person? ------- Return-Path: Received: from EX-SERVER1.napier.ac.uk (exchange2.napier.ac.uk [146.176.2.203]) by max.hkust.se (8.11.6/8.11.6) with ESMTP id h2R0ICE15715 for ; Thu, 27 Mar 2003 01:18:13 +0100 Received: by ex-server1.napier.ac.uk with Internet Mail Service (5.5.2653.19) id ; Thu, 27 Mar 2003 00:11:16 -0000 Message-ID: <36402DCC1069D411922D00508B5B2CC21790702E@ex-server1.napier.ac.uk> From: "Moxey, Jennifer" To: Magnus Stenman Subject: Out of Office AutoReply: MailScanner 4.12-2 / 4.13-3 incoming fa iled Date: Thu, 27 Mar 2003 00:11:14 -0000 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2653.19) Content-Type: text/plain; charset="windows-1252" X-MailScanner-Information: Virusscanner at http://www.hkust.se/virus/ X-MailScanner: Clean (max.hkust.se) I will be out of the office until Wednesday 2nd April 2003. Please contact C&ITS Support Desk Tel: 0131 455 3000 in my absence. Jen Moxey ------ From mkettler at EVI-INC.COM Thu Mar 27 01:15:16 2003 From: mkettler at EVI-INC.COM (Matt Kettler) Date: Thu Jan 12 21:17:36 2006 Subject: b0rken autoresponder In-Reply-To: <3E82456F.43BCC4E5@hkust.se> Message-ID: <5.2.0.9.0.20030326201302.0173b030@xanadu.evi-inc.com> Sadly, this list is probably the second worst offender for broken autoresponders of the lists that I subscribe to.. snort-users is the worst (and that's a network security tool user list! you'd think that amidst protecting their network from DoS attacks, they'd learn about mail loops). At 01:27 AM 3/27/2003 +0100, you wrote: >Yay, a broken auto-responder on the list... From SJCJonker at SJC.NL Thu Mar 27 05:13:15 2003 
From: SJCJonker at SJC.NL (Stijn Jonker) Date: Thu Jan 12 21:17:36 2006 Subject: MailScanner 4.12-2 / 4.13-3 incoming failed In-Reply-To: <9ED30EBC-5FD9-11D7-9B28-000393B9390A@strong-box.net> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Wed, 26 Mar 2003, Craig Pratt wrote: > On Wednesday, March 26, 2003, at 02:11 PM, Stijn Jonker wrote: > > Redhat silently upgraded glibc from 2.2.X to 2.3.X while incorporating > > the > > latest sun rpc fix. (The reason for the upgrade iirc) > > > > Now some (if not most processes) show up as: > > 773 ? S 0:00 [sendmail] > > 782 ? S 0:00 [sendmail] > > when doing a ps -ax or ps -eaf. > > Funny. I've put all the updates on my RH 7.2 system and don't see what > you're describing - at least for the sendmail process: > > [craig@orange craig]$ rpm -q glibc sendmail samba kernel > glibc-2.2.4-32 > sendmail-8.11.6-23.72 > samba-2.2.7a-1 > kernel-2.4.18-27.7.x > [craig@orange craig]$ ps -ax | fgrep sendmail > 3219 ? S 0:00 sendmail: accepting connections > 3224 ? S 0:00 /usr/sbin/sendmail -q15m > 6877 pts/0 S 0:00 fgrep sendmail > > > I blame it on the glibc upgrade and had to modify a bunch of scripts. > > Have you upgraded your kernel for the strace() problem? I'd be more > suspicious of a kernel upgrade causing this kind of thing. > Ehh, yeah, forgot, i did that at the same time also, i guess to many flavours or systems && to many systems ;-)) Ok blame it on the kernel.. ;-) > Craig > > > > > I don't know what the exact meaning is if a process is in between [] > > brackets. Couldn't find it that quick. I had to "repair" a lot of > > monitoring and reporting tools and I don't have time to make ps do the > > right thing again. > > > > Hope this helps! > > > > Stijn. > > > > > > > > On Wed, 26 Mar 2003, Bruce Rahn wrote: > > > >> Allow me to add a more detailed observation in addition to my first > >> posting > >> of "seeing the same problem here". 
> >> > >> First off, this discrepancy started after the last kernel/glibc > >> updates. > >> Everything was fine before that. I too was bitten by the sendmail > >> 'auto > >> start' issue when I upgraded, but that one was quick and easy to > >> track down. > >> > >> Now two more tid-bits. While it indicates failed, it indeed is > >> running > >> after a MailScanner start up and stops after a MailScanner stop. So > >> why the > >> error that it failed? It indeed works. > >> > >> Also, after the kernel/glibc update, the MailScanner-MRTG graph of > >> Copies Of > >> Sendmail went from showing two down to showing zero. If I were > >> smarter, I'm > >> sure this is a clue. > >> > >> It's not a show stopper, just leaves one with a false impression that > >> things > >> are not working when indeed they are. > >> > >> Regards -- Bruce > >> > >> Bruce Rahn > >> > >> brahn@woh.rr.com > >> > >> Wisdom has two parts: > >> 1. having a lot to say; and > >> 2. not saying it! > >> > >> > >> -----Original Message----- 
> >> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On > >> Behalf Of Julian Field > >> Sent: Wednesday, March 26, 2003 2:10 PM > >> To: MAILSCANNER@JISCMAIL.AC.UK > >> Subject: Re: MailScanner 4.12-2 / 4.13-3 incoming failed > >> > >> > >> At 18:56 26/03/2003, you wrote: > >>> Hi, > >>> > >>> I'm having this problem that when I run 'service MailScanner > >>> status' the > >>> output displays the following error: > >>> > >>> Checking MailScanner daemons: > >>> MailScanner: [ OK ] > >>> incoming sendmail: [FAILED] > >>> outgoing sendmail: [ OK ] > >>> > >>> I've verified mail is working both in and out bound correctly, so I > >>> don't know why the error. > >>> > >>> I have RedHatV8.0, and I just upgrade today to MailScanner 4.13-3. > >>> I > >>> also had the problem with MailScanner V4.12-2. I never notice the > >>> problem before until I upgraded the kernel and glib rpms last week > >>> for > >>> security reasons. > >>> > >>> Has anyone else seen this problem yet? > >> > >> The sendmail replacement RPM issued by RedHat Network does a > >> service sendmail restart > >> which re-runs sendmail :-( > >> I stopped it doing it in future by adding intentional syntax errors to > >> /etc/sysconfig/sendmail > >> (I added a load of text on the end explaining what I had done, which > >> of > >> course generates load of sh syntax errors) > >> > >> -- > >> Julian Field > >> www.MailScanner.info > >> Professional Support Services at www.MailScanner.biz > >> MailScanner thanks transtec Computers for their support > >> > > > > - -- > > Met Vriendelijke groet/Yours Sincerely > > Stijn Jonker > > > > -----BEGIN PGP SIGNATURE----- > > Version: GnuPG v1.0.7 (GNU/Linux) > > > > iD8DBQE+giWBjU9r45tKnOARAsMAAKCw6pdmfqhJ1VQz50yhsO03VKuSAQCgymzV > > p6xUtvdCRaRdGCEFlxbNWFY= > > =KZvN > > -----END PGP SIGNATURE----- > > > --- > Craig Pratt > Strongbox Network Services Inc. 
> mailto:craig@strong-box.net > > > -- > This message checked for dangerous content by MailScanner on StrongBox. > - -- Met Vriendelijke groet/Yours Sincerely Stijn Jonker -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.7 (GNU/Linux) iD8DBQE+gohtjU9r45tKnOARAkt1AKDShw0R+n2ltqLppu1ewlZ5ydnuuACg9mhI Osaj7RWLq2qhc1hraNjWprA= =cybg -----END PGP SIGNATURE----- From Jan-Peter.Koopmann at SECEIDOS.DE Thu Mar 27 08:19:24 2003 From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann) Date: Thu Jan 12 21:17:36 2006 Subject: additions to spam.assassin.prefs.conf? Message-ID: <4E7026FF8A422749B1553FE508E0068007F035@message.intern.akctech.de> > > Could the following items be added to > spam.assassin.prefs.conf for > >the next edition, so that SA doesn't scribble > bayes/whitelist files in > >the root directory, ie /.spamassassin? > > > ># specify a path for whitelist and bayes DB files > >auto_whitelist_path /var/spool/spamassassin/auto-whitelist > >auto_whitelist_file_mode 0644 > >bayes_path /var/spool/spamassassin/bayes > >bayes_file_mode 0644 Sounds good to me. > The snag is that this will break people's (including mine) > already-built bayes databases. It would also involve the > creation of /var/spool/spamassassin which is awkward for the > tar distribution. Agreed but not for the FreeBSD port... :-) I hopefully will find some time tomorrow to update the port a bit. I will either simply create the directory and patch those lines into spam.assassin.prefs.conf (probably commented though) or will make this an install option. > I could however add them but leave them commented out with a > note about why you might want them. Then when people suffer > their root fs filling up, they will find the comment in the conf file. That you should do! Regards, JP From email at ace.net.au Thu Mar 27 08:36:12 2003 
From: email at ace.net.au (Peter Nitschke) Date: Thu Jan 12 21:17:36 2006 Subject: MailScanner 4.12-2 / 4.13-3 incoming failed In-Reply-To: <5.2.0.9.2.20030326223218.02299de0@imap.ecs.soton.ac.uk> References: <5.2.0.9.2.20030326223218.02299de0@imap.ecs.soton.ac.uk> Message-ID: <200303271906120243.249E76B1@smtp1.ace.net.au> Might get more interesting with RH-9 due out starting next week. *********** REPLY SEPARATOR *********** On 26/03/2003 at 10:36 PM Julian Field wrote: >Really helps when vendors/distributors do nice things like that :-( >Attached are new versions of > /etc/rc.d/init.d/MailScanner > /usr/sbin/check_mailscanner > >This now makes it impossible to make it work perfectly on all versions of >RedHat Linux. It can now no longer tell the difference between the outgoing >sendmail process in glibc 2.2 and the incoming sendmail process in glibc >2.3 as they both produce the same output. Also the incoming and outgoing >sendmail processes in glibc 2.3 produce exactly the same ps output, making >it impossible to differentiate between the 2. > >So it's about as good as I can get it, but it will tend to be a bit >optimistic when doing a "status". > >At 22:11 26/03/2003, you wrote: >>-----BEGIN PGP SIGNED MESSAGE----- >>Hash: SHA1 >> >>Hello all, >> >>I have seen this problem with diffrent scripts and programs on my system. >>If you are all running redhat, the following has happend afaik. >> >>Redhat silently upgraded glibc from 2.2.X to 2.3.X while incorporating the >>latest sun rpc fix. (The reason for the upgrade iirc) >> >>Now some (if not most processes) show up as: >>773 ? S 0:00 [sendmail] >>782 ? S 0:00 [sendmail] >>when doing a ps -ax or ps -eaf. >> >>I blame it on the glibc upgrade and had to modify a bunch of scripts. >> >>I don't know what the exact meaning is if a process is in between [] >>brackets. Couldn't find it that quick. I had to "repair" a lot of >>monitoring and reporting tools and I don't have time to make ps do the >>right thing again. 
>> >>Hope this helps! >> >>Stijn. >> >> >> >>On Wed, 26 Mar 2003, Bruce Rahn wrote: >> >> > Allow me to add a more detailed observation in addition to my first >posting >> > of "seeing the same problem here". >> > >> > First off, this discrepancy started after the last kernel/glibc >updates. >> > Everything was fine before that. I too was bitten by the sendmail >'auto >> > start' issue when I upgraded, but that one was quick and easy to track >> down. >> > >> > Now two more tid-bits. While it indicates failed, it indeed is running >> > after a MailScanner start up and stops after a MailScanner stop. So >> why the >> > error that it failed? It indeed works. >> > >> > Also, after the kernel/glibc update, the MailScanner-MRTG graph of >> Copies Of >> > Sendmail went from showing two down to showing zero. If I were >> smarter, I'm >> > sure this is a clue. >> > >> > It's not a show stopper, just leaves one with a false impression that >> things >> > are not working when indeed they are. >> > >> > Regards -- Bruce >> > >> > Bruce Rahn >> > >> > brahn@woh.rr.com >> > >> > Wisdom has two parts: >> > 1. having a lot to say; and >> > 2. not saying it! >> > >> > >> > -----Original Message----- 
>> > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On >> > Behalf Of Julian Field >> > Sent: Wednesday, March 26, 2003 2:10 PM >> > To: MAILSCANNER@JISCMAIL.AC.UK >> > Subject: Re: MailScanner 4.12-2 / 4.13-3 incoming failed >> > >> > >> > At 18:56 26/03/2003, you wrote: >> > >Hi, >> > > >> > > I'm having this problem that when I run 'service MailScanner >status' the >> > > output displays the following error: >> > > >> > >Checking MailScanner daemons: >> > > MailScanner: [ OK ] >> > > incoming sendmail: [FAILED] >> > > outgoing sendmail: [ OK ] >> > > >> > > I've verified mail is working both in and out bound correctly, so I >> > > don't know why the error. >> > > >> > > I have RedHatV8.0, and I just upgrade today to MailScanner 4.13-3. >I >> > > also had the problem with MailScanner V4.12-2. I never notice the >> > > problem before until I upgraded the kernel and glib rpms last week >for >> > > security reasons. >> > > >> > > Has anyone else seen this problem yet? >> > >> > The sendmail replacement RPM issued by RedHat Network does a >> > service sendmail restart >> > which re-runs sendmail :-( >> > I stopped it doing it in future by adding intentional syntax errors to >> > /etc/sysconfig/sendmail >> > (I added a load of text on the end explaining what I had done, which of >> > course generates load of sh syntax errors) >> > >> > -- >> > Julian Field >> > www.MailScanner.info >> > Professional Support Services at www.MailScanner.biz >> > MailScanner thanks transtec Computers for their support >> > >> >>- -- >>Met Vriendelijke groet/Yours Sincerely >>Stijn Jonker >> >>-----BEGIN PGP SIGNATURE----- >>Version: GnuPG v1.0.7 (GNU/Linux) >> >>iD8DBQE+giWBjU9r45tKnOARAsMAAKCw6pdmfqhJ1VQz50yhsO03VKuSAQCgymzV >>p6xUtvdCRaRdGCEFlxbNWFY= >>=KZvN >>-----END PGP SIGNATURE----- > >-- >Julian Field >www.MailScanner.info >Professional Support Services at www.MailScanner.biz >MailScanner thanks transtec Computers for their support From craig at STRONG-BOX.NET 
Thu Mar 27 02:16:21 2003 
From: craig at STRONG-BOX.NET (Craig Pratt) Date: Thu Jan 12 21:17:36 2006 Subject: MailScanner 4.12-2 / 4.13-3 incoming failed In-Reply-To: <5.2.0.9.2.20030326223218.02299de0@imap.ecs.soton.ac.uk> Message-ID: <1A5A770F-5FFA-11D7-9B28-000393B9390A@strong-box.net> OK, Julian. Using the word "impossible" is very thinly-guised bait, if I ever saw it. ;^) I don't have a test system that exhibits this problem. But I think I'm getting an idea of what the process IDs enclosed in "[" and "]" refer to. I believe these processes have an empty /proc//cmdline file and PS substitutes the "Name" field from /proc//status (or maybe /proc//stat) for the command line - with the brackets around it. Not sure where glibc fits into this picture, though. Unfortunately, I think this means that the proc cmdline file won't help - since I'm betting they're empty in this case. But here are two other options - at least for Linux. I don't know if you can wrangle any of this out of ps to make it more platform-neutral. 1) The /proc//cwd file will point to different directories [craig@orange craig]$ ps -C sendmail PID TTY TIME CMD 3219 ? 00:00:00 sendmail 3224 ? 00:00:00 sendmail [craig@orange craig]$ sudo ls -l /proc/3219/cwd /proc/3224/cwd lrwxrwxrwx 1 root root 0 Mar 26 18:12 /proc/3219/cwd -> /var/spool/mqueue.in lrwxrwxrwx 1 root root 0 Mar 26 18:12 /proc/3224/cwd -> /var/spool/mqueue 2) You could use the fact that the incoming sendmail has two sockets open and the outgoing only has one - presuming that's a safe bet: [craig@orange craig]$ ps -ax | fgrep sendmail 3219 ? S 0:00 sendmail: accepting connections 3224 ? 
S 0:00 /usr/sbin/sendmail -q15m 7843 pts/0 S 0:00 fgrep sendmail [craig@orange craig]$ sudo ls -l /proc/3219/fd /proc/3224/fd /proc/3219/fd: total 0 lr-x------ 1 root root 64 Mar 26 18:01 0 -> /dev/null l-wx------ 1 root root 64 Mar 26 18:01 1 -> /dev/null l-wx------ 1 root root 64 Mar 26 18:01 2 -> /dev/null lrwx------ 1 root root 64 Mar 26 18:01 3 -> socket:[335288] lrwx------ 1 root root 64 Mar 26 18:01 4 -> socket:[335293] /proc/3224/fd: total 0 lr-x------ 1 root root 64 Mar 26 18:01 0 -> /dev/null l-wx------ 1 root root 64 Mar 26 18:01 1 -> /dev/null l-wx------ 1 root root 64 Mar 26 18:01 2 -> /dev/null lrwx------ 1 root root 64 Mar 26 18:01 3 -> socket:[335300] Craig On Wednesday, March 26, 2003, at 02:36 PM, Julian Field wrote: > Really helps when vendors/distributors do nice things like that :-( > Attached are new versions of > /etc/rc.d/init.d/MailScanner > /usr/sbin/check_mailscanner > > This now makes it impossible to make it work perfectly on all versions > of > RedHat Linux. It can now no longer tell the difference between the > outgoing > sendmail process in glibc 2.2 and the incoming sendmail process in > glibc > 2.3 as they both produce the same output. Also the incoming and > outgoing > sendmail processes in glibc 2.3 produce exactly the same ps output, > making > it impossible to differentiate between the 2. > > So it's about as good as I can get it, but it will tend to be a bit > optimistic when doing a "status". > > At 22:11 26/03/2003, you wrote: >> -----BEGIN PGP SIGNED MESSAGE----- >> Hash: SHA1 >> >> Hello all, >> >> I have seen this problem with diffrent scripts and programs on my >> system. >> If you are all running redhat, the following has happend afaik. >> >> Redhat silently upgraded glibc from 2.2.X to 2.3.X while >> incorporating the >> latest sun rpc fix. (The reason for the upgrade iirc) >> >> Now some (if not most processes) show up as: >> 773 ? S 0:00 [sendmail] >> 782 ? S 0:00 [sendmail] >> when doing a ps -ax or ps -eaf. 
>> >> I blame it on the glibc upgrade and had to modify a bunch of scripts. >> >> I don't know what the exact meaning is if a process is in between [] >> brackets. Couldn't find it that quick. I had to "repair" a lot of >> monitoring and reporting tools and I don't have time to make ps do the >> right thing again. >> >> Hope this helps! >> >> Stijn. >> >> >> >> On Wed, 26 Mar 2003, Bruce Rahn wrote: >> >> > Allow me to add a more detailed observation in addition to my first >> posting >> > of "seeing the same problem here". >> > >> > First off, this discrepancy started after the last kernel/glibc >> updates. >> > Everything was fine before that. I too was bitten by the sendmail >> 'auto >> > start' issue when I upgraded, but that one was quick and easy to >> track >> down. >> > >> > Now two more tid-bits. While it indicates failed, it indeed is >> running >> > after a MailScanner start up and stops after a MailScanner stop. So >> why the >> > error that it failed? It indeed works. >> > >> > Also, after the kernel/glibc update, the MailScanner-MRTG graph of >> Copies Of >> > Sendmail went from showing two down to showing zero. If I were >> smarter, I'm >> > sure this is a clue. >> > >> > It's not a show stopper, just leaves one with a false impression >> that >> things >> > are not working when indeed they are. >> > >> > Regards -- Bruce >> > >> > Bruce Rahn >> > >> > brahn@woh.rr.com >> > >> > Wisdom has two parts: >> > 1. having a lot to say; and >> > 2. not saying it! >> > >> > >> > -----Original Message----- 
>> > From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On >> > Behalf Of Julian Field >> > Sent: Wednesday, March 26, 2003 2:10 PM >> > To: MAILSCANNER@JISCMAIL.AC.UK >> > Subject: Re: MailScanner 4.12-2 / 4.13-3 incoming failed >> > >> > >> > At 18:56 26/03/2003, you wrote: >> > >Hi, >> > > >> > > I'm having this problem that when I run 'service MailScanner >> status' the >> > > output displays the following error: >> > > >> > >Checking MailScanner daemons: >> > > MailScanner: [ OK ] >> > > incoming sendmail: [FAILED] >> > > outgoing sendmail: [ OK ] >> > > >> > > I've verified mail is working both in and out bound correctly, >> so I >> > > don't know why the error. >> > > >> > > I have RedHatV8.0, and I just upgrade today to MailScanner >> 4.13-3. I >> > > also had the problem with MailScanner V4.12-2. I never notice the >> > > problem before until I upgraded the kernel and glib rpms last >> week for >> > > security reasons. >> > > >> > > Has anyone else seen this problem yet? >> > >> > The sendmail replacement RPM issued by RedHat Network does a >> > service sendmail restart >> > which re-runs sendmail :-( >> > I stopped it doing it in future by adding intentional syntax errors >> to >> > /etc/sysconfig/sendmail >> > (I added a load of text on the end explaining what I had done, >> which of >> > course generates load of sh syntax errors) >> > >> > -- >> > Julian Field >> > www.MailScanner.info >> > Professional Support Services at www.MailScanner.biz >> > MailScanner thanks transtec Computers for their support >> > >> >> - -- >> Met Vriendelijke groet/Yours Sincerely >> Stijn Jonker >> >> -----BEGIN PGP SIGNATURE----- >> Version: GnuPG v1.0.7 (GNU/Linux) >> >> iD8DBQE+giWBjU9r45tKnOARAsMAAKCw6pdmfqhJ1VQz50yhsO03VKuSAQCgymzV >> p6xUtvdCRaRdGCEFlxbNWFY= >> =KZvN >> -----END PGP SIGNATURE----- > > -- > This message checked for dangerous content by MailScanner on StrongBox. 
> > > -- > Julian Field > www.MailScanner.info > Professional Support Services at www.MailScanner.biz > MailScanner thanks transtec Computers for their support --- Craig Pratt Strongbox Network Services Inc. mailto:craig@strong-box.net -- This message checked for dangerous content by MailScanner on StrongBox. From t.d.lee at DURHAM.AC.UK Thu Mar 27 09:50:14 2003 
From: t.d.lee at DURHAM.AC.UK (David Lee) Date: Thu Jan 12 21:17:36 2006 Subject: UK Networkshop BOF [ Was Re: MailScanner and SA 2.51 and Bayes] In-Reply-To: <5.2.0.9.2.20030324183946.0564da00@imap.ecs.soton.ac.uk> References: <5.2.0.9.2.20030324183946.0564da00@imap.ecs.soton.ac.uk> Message-ID: On Mon, 24 Mar 2003, Julian Field wrote: > [...] > Still not had any requests for anything to discuss in the BoF session at > Networkshop. [ "Networkshop" is basically an annual get-together of the people in UK universities who run the networks. ] Julian: I wonder whether the lack of response to your BoF [Birds of a Feather] request for "Networkshop" is because the people who run MailScanner are often not those who go to Networkshop? Years and years ago, networking "applications" (FTP (as NIFTP), JTMP, email) were a major component of Networkshop, and the people who did networking were involved across the majority of levels of the ISO seven-layer model. But in recent years things have got more specialised (less "general practice"). I've got the feeling that Networkshop is concentrating, probably rightly, on just the lower layers (transport/TCP and below), whereas email services can take transport/TCP for granted. (I used to go to Networkshop regularly, but I haven't been at all in recent years.) Networkshop a couple of years ago did a great advertising job of bringing MS to the attention of university I.T. departments via their networking folk. But perhaps it isn't the appropriate forum for the non-advertising, technical detail of MS developments and services. -- : David Lee I.T. Service : : Systems Programmer Computer Centre : : University of Durham : : http://www.dur.ac.uk/t.d.lee/ South Road : : Durham : : Phone: +44 191 334 2752 U.K. : From mailscanner at ecs.soton.ac.uk Thu Mar 27 10:03:06 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:36 2006 Subject: MailScanner 4.12-2 / 4.13-3 incoming failed In-Reply-To: <3E8241AD.A96AE4E1@hkust.se> References: <5.2.0.9.2.20030326223218.02299de0@imap.ecs.soton.ac.uk> Message-ID: <5.2.0.9.2.20030327100206.0229a408@imap.ecs.soton.ac.uk> At 00:11 27/03/2003, you wrote: >I'm running 4 sendmail daemons, and I use the pid files to >tell the difference in the init script. >It gets the work done. > >Maybe something for mailscanner? Good idea. New /etc/rc.d/init.d/MailScanner and /usr/sbin/check_mailscanner are attached. -------------- next part -------------- A non-text attachment was scrubbed... Name: MailScanner Type: application/octet-stream Size: 4498 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030327/a135d608/MailScanner.obj -------------- next part -------------- A non-text attachment was scrubbed... Name: check_mailscanner Type: application/octet-stream Size: 3452 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030327/a135d608/check_mailscanner.obj -------------- next part -------------- -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support From tjc at ecs.soton.ac.uk Thu Mar 27 10:56:32 2003 
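The two ideas raised in this thread, Craig Pratt's /proc checks (working directory first, socket count as a fallback) and the pid-file suggestion quoted in the reply above, combined into one status check. This is an added example, not MailScanner's init script or code posted by anyone on the list; PROC_ROOT, the queue-directory variables, the pid-file arguments and all function names are assumptions of the example, and the queue paths are the ones shown in the ls output earlier in the thread.

```shell
#!/bin/sh
# Added example: tell the incoming and outgoing sendmail daemons apart
# without parsing ps output, and validate a pid file against the live process.
# Assumed names: PROC_ROOT, INQUEUE_DIR, OUTQUEUE_DIR and every function here.
# Reading another user's /proc/<pid>/cwd and fd entries needs root.

PROC_ROOT="${PROC_ROOT:-/proc}"
INQUEUE_DIR="${INQUEUE_DIR:-/var/spool/mqueue.in}"
OUTQUEUE_DIR="${OUTQUEUE_DIR:-/var/spool/mqueue}"

# Process name from the "Name:" field of /proc/<pid>/status; this field is
# still populated when the command line is empty.
proc_name() {
    sed -n 's/^Name:[[:space:]]*//p' "$PROC_ROOT/$1/status" 2>/dev/null | head -n 1
}

# Number of open file descriptors that are sockets.
socket_count() {
    n=0
    for fd in "$PROC_ROOT/$1"/fd/*; do
        [ -L "$fd" ] || continue          # unmatched glob or not a symlink
        case "$(readlink "$fd")" in
            socket:*) n=$((n + 1)) ;;
        esac
    done
    echo "$n"
}

# Print incoming, outgoing, unknown or not-sendmail for one PID.
classify_sendmail() {
    pid=$1
    [ "$(proc_name "$pid")" = "sendmail" ] || { echo not-sendmail; return 0; }
    cwd=$(readlink "$PROC_ROOT/$pid/cwd" 2>/dev/null || true)
    case "$cwd" in
        "$INQUEUE_DIR")  echo incoming; return 0 ;;
        "$OUTQUEUE_DIR") echo outgoing; return 0 ;;
    esac
    # Fallback heuristic from the thread: the listener holds two sockets,
    # the queue runner one. Only used when the cwd is inconclusive.
    case "$(socket_count "$pid")" in
        2) echo incoming ;;
        1) echo outgoing ;;
        *) echo unknown ;;
    esac
}

# Print OK if any running sendmail has the given role, FAILED otherwise.
sendmail_status() {
    role=$1
    for d in "$PROC_ROOT"/[0-9]*; do
        [ -d "$d" ] || continue
        if [ "$(classify_sendmail "${d##*/}")" = "$role" ]; then
            echo OK; return 0
        fi
    done
    echo FAILED; return 1
}

# Pid-file variant: OK only if the PID on the first line of the file is a
# running sendmail with the expected role. A stale file (process gone, or
# the PID reused by another program) reports FAILED instead of a false OK.
pidfile_status() {
    pidfile=$1
    role=$2
    pid=$(head -n 1 "$pidfile" 2>/dev/null | tr -cd '0-9')
    if [ -n "$pid" ] && [ "$(classify_sendmail "$pid")" = "$role" ]; then
        echo OK; return 0
    fi
    echo FAILED; return 1
}

# Run as "<script> status" for an init-script style summary.
if [ "${1:-}" = "status" ]; then
    printf '  incoming sendmail: [%s]\n' "$(sendmail_status incoming)"
    printf '  outgoing sendmail: [%s]\n' "$(sendmail_status outgoing)"
fi
```
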
From: tjc at ecs.soton.ac.uk (Tim Chown) Date: Thu Jan 12 21:17:36 2006 Subject: UK Networkshop BOF [ Was Re: MailScanner and SA 2.51 and Bayes] In-Reply-To: References: <5.2.0.9.2.20030324183946.0564da00@imap.ecs.soton.ac.uk> Message-ID: <20030327105632.GE6938@login.ecs.soton.ac.uk> I think the BoF should be useful. It's in the agenda I think, rather than being advertised on the day, so I'd expect some new potential users to turn up, plus those generally interested in anti-virus, anti-spam solutions. Of course, most sites have now deployed *something*, so may be unlikely to change unless they see the cost benefits (savings) of moving away from a per-seat charging system. Tim On Thu, Mar 27, 2003 at 09:50:14AM +0000, David Lee wrote: > On Mon, 24 Mar 2003, Julian Field wrote: > > > [...] > > Still not had any requests for anything to discuss in the BoF session at > > Networkshop. > > [ "Networkshop" is basically an annual get-together of the people in UK > universities who run the networks. ] > > Julian: I wonder whether the lack of response to your BoF [Birds of a > Feather] request for "Networkshop" is because the people who run > MailScanner are often not those who go to Networkshop? > > Years and years ago, networking "applications" (FTP (as NIFTP), JTMP, > email) were a major component of Networkshop, and the people who did > networking were involved across the majority of levels of the ISO > seven-layer model. > > But in recent years things have got more specialised (less "general > practice"). I've got the feeling that Networkshop is concentrating, > probably rightly, on just the lower layers (transport/TCP and below), > whereas email services can take transport/TCP for granted. > > (I used to go to Networkshop regularly, but I haven't been at all in > recent years.) > > Networkshop a couple of years ago did a great advertising job of bringing > MS to the attention of university I.T. departments via their networking > folk. 
But perhaps it isn't the appropriate forum for the non-advertising, > technical detail of MS developments and services. > > -- > > : David Lee I.T. Service : > : Systems Programmer Computer Centre : > : University of Durham : > : http://www.dur.ac.uk/t.d.lee/ South Road : > : Durham : > : Phone: +44 191 334 2752 U.K. : From S.R.Patterson at soton.ac.uk Thu Mar 27 10:50:08 2003 From: S.R.Patterson at soton.ac.uk (Steven Patterson) Date: Thu Jan 12 21:17:36 2006 Subject: [uknot] spam (fwd) Message-ID: I found this interesting. ---------- Forwarded message ---------- Date: Thu, 27 Mar 2003 09:12:07 +0000 From: Andrew Ogilvie
According to this story: http://www.guardian.co.uk/online/story/0,3605,903312,00.html "There are really only 150 spammers doing 90% of all the spam we get in the US and Europe... at least 40 of them are in Boca Raton." Do you think this is true? If it is true, then is it not the case that the government/EU's 'clampdown' on spam is just irrelevant farting about: http://www.guardian.co.uk/business/story/0,3604,922549,00.html Andrew === Steve -- Steven Patterson, MSci OCP. Tel: +44 (0)2380 595810 Primary Information Services Support and Development Information Systems Services, University of Southampton, UK. Public PGP Key: http://www.bottleneck.org/pubkey.php From linux at mostert.nom.za Thu Mar 27 11:41:27 2003 From: linux at mostert.nom.za (Mozzi) Date: Thu Jan 12 21:17:36 2006 Subject: f-prot update error Message-ID: <200303271341.27704.linux@mostert.nom.za> Hallo all I got the following error *************************************** * F-Prot signature file update script * *************************************** There's a new version of: "Application/Script viruses and Trojans" signatures on the web. Starting to download... Download completed. Fatal error, error while unzipping file. Please check the file permissions and try again. Fatal error: exiting... I ran this script as root so I don't understand how my file permissions can be an issue Can someone shed light on this for me please Mozzi From m.sapsed at BANGOR.AC.UK Thu Mar 27 11:41:45 2003 
From: m.sapsed at BANGOR.AC.UK (Martin Sapsed) Date: Thu Jan 12 21:17:36 2006 Subject: UK Networkshop BOF References: <5.2.0.9.2.20030324183946.0564da00@imap.ecs.soton.ac.uk> Message-ID: <3E82E379.40606@bangor.ac.uk> David Lee wrote: > Julian: I wonder whether the lack of response to your BoF [Birds of a > Feather] request for "Networkshop" is because the people who run > MailScanner are often not those who go to Networkshop? That's certainly why I won't be there - our Network Development/External networks bod is going. I think it was him who alerted us to MailScanner's existence after the original presentation there. Would have been good to meet up with other users had I (and they) been going... Cheers, Martin -- Martin Sapsed Information Services "Who do you say I am?" University of Wales, Bangor Jesus of Nazareth From tjc at ecs.soton.ac.uk Thu Mar 27 11:47:34 2003 From: tjc at ecs.soton.ac.uk (Tim Chown) Date: Thu Jan 12 21:17:36 2006 Subject: UK Networkshop BOF In-Reply-To: <3E82E379.40606@bangor.ac.uk> References: <5.2.0.9.2.20030324183946.0564da00@imap.ecs.soton.ac.uk> <3E82E379.40606@bangor.ac.uk> Message-ID: <20030327114734.GN6938@login.ecs.soton.ac.uk> On Thu, Mar 27, 2003 at 11:41:45AM +0000, Martin Sapsed wrote: > > That's certainly why I won't be there - our Network Development/External > networks bod is going. I think it was him who alerted us to > MailScanner's existence after the original presentation there. > > Would have been good to meet up with other users had I (and they) been > going... Networkshop is a great place to chat to people you only otherwise meet via email. Also the agenda always has some useful new tricks to be learnt in it somewhere. Tim From Lou.Baccari at HP.COM Thu Mar 27 13:27:16 2003 
From: Lou.Baccari at HP.COM (Baccari, Lou) Date: Thu Jan 12 21:17:36 2006 Subject: MailScanner 4.12-2 / 4.13-3 incoming failed Message-ID: Julian, I get the following error. service MailScanner start Starting MailScanner daemons: incoming sendmail: [ OK ] outgoing sendmail: [ OK ] MailScanner: /usr/sbin/check_MailScanner: line 107: cd: /opt/MailScanner/bin: No such file or directory /usr/sbin/check_MailScanner: line 108: MailScanner: command not found Lou. -----Original Message----- From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] Sent: Thursday, March 27, 2003 5:03 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: MailScanner 4.12-2 / 4.13-3 incoming failed At 00:11 27/03/2003, you wrote: >I'm running 4 sendmail daemons, and I use the pid files to >tell the difference in the init script. >It gets the work done. > >Maybe something for mailscanner? Good idea. New /etc/rc.d/init.d/MailScanner and /usr/sbin/check_mailscanner are attached. From Peter.Bates at LSHTM.AC.UK Thu Mar 27 13:33:07 2003 
From: Peter.Bates at LSHTM.AC.UK (Peter Bates) Date: Thu Jan 12 21:17:36 2006 Subject: UK Networkshop BOF [ Was Re: MailScanner and SA 2.51 and Bayes] Message-ID: Hello all... > [...] > Still not had any requests for anything to discuss in the BoF session at > Networkshop. >[ "Networkshop" is basically an annual get-together of the people in UK >universities who run the networks. ] I recall replying in vague terms about this when it was first mentioned by Julian on this list. I also recall it being listed in the agenda as occurring at the same time as a BoF about the new 'Bandwidth Management Advisory Service', so I grumbled about that. I'd agree with other comments made here about the shift of Networkshop from discussing topics further up the OSI layer tree to more 'host level' issues (there is a presentation from Messagelabs and assorted JANET-CERT shenanigans)... in the case of our much smaller site, I do look after our email, but then also our firewall, Cisco routers, Squid proxy, etc... Networkshop is probably therefore reflecting a shift in responsibilities of some of the people attending as much as anything else... I'd still like to hear a brief discussion about the impact of RIPA on our responsibilities as 'email administrators' though, but I suppose that isn't MS specific... it just happened to rear its ugly head with regard to me requesting that the 'Subject:' field of an email be logged with a positive identification so I could use it to improve local filters. ---------------------------------------------------------------------------------------------------> Peter Bates, Systems Support Officer, Network Support Team. London School of Hygiene & Tropical Medicine. Telephone:0207-958 8353 / Fax: 0207- 636 9838 From mbowman at UDCOM.COM Thu Mar 27 13:44:07 2003 
From: mbowman at UDCOM.COM (Matthew Bowman) Date: Thu Jan 12 21:17:36 2006 Subject: Could not check (corrupt) messages Message-ID: Hello, What causes the Could not check ./.../filename.ext (corrupt) messages. A client is trying to receive 2 .xls files which MailScanner (SweepViruses.pm) thinks are corrupt. Any ideas? Thanks Matthew K Bowman Systems Administrator; Hostmaster; Miva Administrator Universal Digital Communications, Mansfield Ohio. From Cleveland at MAIL.WINNEFOX.ORG Thu Mar 27 13:44:44 2003 From: Cleveland at MAIL.WINNEFOX.ORG (Jody Cleveland) Date: Thu Jan 12 21:17:36 2006 Subject: ip addresses in whitelist are still being blocked Message-ID: <84CFA712F666B44A94CE6BE116BAF4B0B4E528@MAIL> Hello again, > > What are all these?: > > > > Infinite-Monkeys 14 > > ORDB-RBL 6 > > Mar 22 12:35:44 storm sendmail[29682]: h2MIZY7M029674: to= 1 > > dsn=2.0.0 1 > > pri=120741 1 > > delay=00:00:10 1 > > xdelay=00:00:07 1 > > mailer=esmtp 1 > > relay=ori.rl.ac.uk. [130.246.192.52] 1 > > stat=Sent (h2MILJt19220 Message accepted for delivery) 1 > > > > I guess you just got them in a mail - I had a few of those, I > think its when you get a partial line in the log which > mailstats can't parse. Look for the following code (if its > the same in your version)... I made the change you suggested, and nothing new has been added that looks strange, but I've still got the ones that were there before. Do you know how I would remove these from the stats page?: > > Mar 22 12:35:44 storm sendmail[29682]: h2MIZY7M029674: to= 1 > > dsn=2.0.0 1 > > pri=120741 1 > > delay=00:00:10 1 > > xdelay=00:00:07 1 > > mailer=esmtp 1 > > relay=ori.rl.ac.uk. [130.246.192.52] 1 > > stat=Sent (h2MILJt19220 Message accepted for delivery) 1 Thanks! Jody From Kevin.Spicer at BMRB.CO.UK Thu Mar 27 14:04:13 2003 
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin) Date: Thu Jan 12 21:17:36 2006 Subject: ip addresses in whitelist are still being blocked Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0EBF4C7@pascal.priv.bmrb.co.uk> > I made the change you suggested, and nothing new has been > added that looks > strange, but I've still got the ones that were there before. > Do you know how > I would remove these from the stats page?: Sorry, I think I misunderstood your original posting & jumped to the conclusion it was the same problem I had had (that change fixes another problem). I don't know what might be causing this and I haven't seen it myself. BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. From tjc at ecs.soton.ac.uk Thu Mar 27 14:06:56 2003 
From: tjc at ecs.soton.ac.uk (Tim Chown) Date: Thu Jan 12 21:17:36 2006 Subject: UK Networkshop BOF [ Was Re: MailScanner and SA 2.51 and Bayes] In-Reply-To: References: Message-ID: <20030327140656.GV6938@login.ecs.soton.ac.uk> It may be that the organisers don't notice the shift. Of course, most of the talks are what people offer to present, so if you have neat ideas in the apps area, submit them :) Tim On Thu, Mar 27, 2003 at 01:33:07PM +0000, Peter Bates wrote: > Hello all... > > > [...] > > Still not had any requests for anything to discuss in the BoF session at > > Networkshop. > > >[ "Networkshop" is basically an annual get-together of the people in UK > >universities who run the networks. ] > > I recall replying in vague terms about this when it was first mentioned by Julian on this list. > > I also recall it being listed in the agenda as occurring at the same time as a BoF about the new 'Bandwidth Management Advisory Service', so I grumbled about that. > > I'd agree with other comments made here about the shift of Networkshop from discussing topics further up the OSI layer tree to more 'host level' issues (there is a presentation from Messagelabs and assorted JANET-CERT shenanigans)... in the case of our much smaller site, I do look after our email, but then also our firewall, Cisco routers, Squid proxy, etc... > > Networkshop is probably therefore reflecting a shift in responsibilities of some of the people attending as much as anything else... > > I'd still like to hear a brief discussion about the impact of RIPA on our responsibilities as 'email administrators' though, but I suppose that isn't MS specific... it just happened to rear its ugly head with regard to me requesting that the 'Subject:' field of an email be logged with a positive identification so I could use it to improve local filters. 
> > > > ---------------------------------------------------------------------------------------------------> > Peter Bates, Systems Support Officer, Network Support Team. > London School of Hygiene & Tropical Medicine. > Telephone:0207-958 8353 / Fax: 0207- 636 9838 From mailscanner at ecs.soton.ac.uk Thu Mar 27 13:58:10 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:36 2006 Subject: Could not check (corrupt) messages In-Reply-To: Message-ID: <5.2.0.9.2.20030327135730.04346950@imap.ecs.soton.ac.uk> At 13:44 27/03/2003, you wrote: >Hello, > >What causes the Could not check ./.../filename.ext (corrupt) messages. > >A client is trying to receive 2 .xls files which MailScanner >(SweepViruses.pm) thinks are corrupt. > >Any ideas? Some (3.66) versions of Sophos are fussy about some file structures. Try the XRS version of 3.67 instead. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Thu Mar 27 13:56:00 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:36 2006 Subject: MailScanner 4.12-2 / 4.13-3 incoming failed In-Reply-To: Message-ID: <5.2.0.9.2.20030327135504.041add38@imap.ecs.soton.ac.uk> Sorry about that. When I build a Linux distribution I automatically go through and change all the paths to their Linux equivalents. Take a look right near the top of check_MailScanner and you will probably find some directory names that need to be changed. At 13:27 27/03/2003, you wrote: >Julian, > > I get the following error. > > service MailScanner start >Starting MailScanner daemons: > incoming sendmail: [ OK ] > outgoing sendmail: [ OK ] > MailScanner: /usr/sbin/check_MailScanner: line 107: cd: > /opt/MailScanner/bin: No such file or directory >/usr/sbin/check_MailScanner: line 108: MailScanner: command not found > >Lou. > > >-----Original Message----- 
>From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK]
>Sent: Thursday, March 27, 2003 5:03 AM
>To: MAILSCANNER@JISCMAIL.AC.UK
>Subject: Re: MailScanner 4.12-2 / 4.13-3 incoming failed
>
>
>At 00:11 27/03/2003, you wrote:
> >I'm running 4 sendmail daemons, and I use the pid files to
> >tell the difference in the init script.
> >It gets the work done.
> >
> >Maybe something for mailscanner?
>
>Good idea.
>
>New /etc/rc.d/init.d/MailScanner and /usr/sbin/check_mailscanner are attached.

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From Lou.Baccari at HP.COM Thu Mar 27 14:13:22 2003
From: Lou.Baccari at HP.COM (Baccari, Lou)
Date: Thu Jan 12 21:17:36 2006
Subject: MailScanner 4.12-2 / 4.13-3 incoming failed
Message-ID:

It looks like the following two lines are causing the problem.

non-working new check_mailscanner file:

msbindir=/opt/MailScanner/bin
config=/opt/MailScanner/etc/MailScanner.conf

working old check_mailscanner file:

msbindir=/usr/sbin
config=/etc/MailScanner/MailScanner.conf

From hdbtroll at MOMENT.NET Thu Mar 27 14:06:38 2003
From: hdbtroll at MOMENT.NET (DB Troll) Date: Thu Jan 12 21:17:36 2006 Subject: failed Message-ID: <3E83056E.7090609@moment.net> I am using SuSE 8.0, perl 5.61, MailScanner 4.13-3, fresh install. The output of install is> Attempting to build and install perl-HTML-Parser-3.26-2 > Installing perl-HTML-Parser-3.26-2.src.rpm > Executing(%prep): /bin/sh -e /var/tmp/rpm-tmp.72039 > + umask 022 > + cd /usr/src/packages/BUILD > + cd /usr/src/packages/BUILD > + rm -rf HTML-Parser-3.26 > + /bin/gzip -dc /usr/src/packages/SOURCES/HTML-Parser-3.26.tar.gz > + tar -xf - > + STATUS=0 > + '[' 0 -ne 0 ']' > + cd HTML-Parser-3.26 > ++ /usr/bin/id -u > + '[' 0 = 0 ']' > + /bin/chown -Rhf root . > ++ /usr/bin/id -u > + '[' 0 = 0 ']' > + /bin/chgrp -Rhf root . > + /bin/chmod -Rf a+rX,g-w,o-w . > + exit 0 > Executing(%build): /bin/sh -e /var/tmp/rpm-tmp.45905 > + umask 022 > + cd /usr/src/packages/BUILD > + cd HTML-Parser-3.26 > + CFLAGS=-O2 -march=i486 -mcpu=i686 > + perl Makefile.PL PREFIX=/var/tmp/perl-HTML-Parser-root/usr > Checking if your kit is complete... > Looks good > Writing Makefile for HTML::Parser > + make > cp lib/HTML/HeadParser.pm blib/lib/HTML/HeadParser.pm > cp lib/HTML/LinkExtor.pm blib/lib/HTML/LinkExtor.pm > cp lib/HTML/PullParser.pm blib/lib/HTML/PullParser.pm > cp Parser.pm blib/lib/HTML/Parser.pm > cp lib/HTML/Entities.pm blib/lib/HTML/Entities.pm > cp lib/HTML/TokeParser.pm blib/lib/HTML/TokeParser.pm > cp lib/HTML/Filter.pm blib/lib/HTML/Filter.pm > /usr/bin/perl /usr/lib/perl5/5.6.1/ExtUtils/xsubpp -typemap /usr/lib/perl5/5.6. 
> 1/ExtUtils/typemap -typemap typemap Parser.xs > Parser.xsc && mv Parser.xsc Par > ser.c > /usr/bin/perl mkhctype >hctype.h > /usr/bin/perl mkpfunc >pfunc.h > cc -c -fno-strict-aliasing -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -O2 -pip > e -DVERSION=\"3.26\" -DXS_VERSION=\"3.26\" -fPIC "-I/usr/lib/perl5/5.6.1/i586- > linux/CORE" -DMARKED_SECTION Parser.c > Running Mkbootstrap for HTML::Parser () > chmod 644 Parser.bs > rm -f blib/arch/auto/HTML/Parser/Parser.so > LD_RUN_PATH="" cc -shared Parser.o -o blib/arch/auto/HTML/Parser/Parser.so > > chmod 755 blib/arch/auto/HTML/Parser/Parser.so > cp Parser.bs blib/arch/auto/HTML/Parser/Parser.bs > chmod 644 blib/arch/auto/HTML/Parser/Parser.bs > Manifying blib/man3/HTML::HeadParser.3pm > Manifying blib/man3/HTML::LinkExtor.3pm > Manifying blib/man3/HTML::PullParser.3pm > Manifying blib/man3/HTML::Parser.3pm > Manifying blib/man3/HTML::TokeParser.3pm > Manifying blib/man3/HTML::Entities.3pm > Manifying blib/man3/HTML::Filter.3pm > + exit 0 > Executing(%install): /bin/sh -e /var/tmp/rpm-tmp.32518 > + umask 022 > + cd /usr/src/packages/BUILD > + cd HTML-Parser-3.26 > + rm -rf /var/tmp/perl-HTML-Parser-root > ++ perl -V:installarchlib > + eval 'installarchlib='\''/usr/lib/perl5/5.6.1/i586-linux'\'';' > ++ installarchlib=/usr/lib/perl5/5.6.1/i586-linux > + mkdir -p /var/tmp/perl-HTML-Parser-root//usr/lib/perl5/5.6.1/i586-linux > + make install > Installing /var/tmp/perl-HTML-Parser-root/usr/lib/perl5/site_perl/5.6.1/i586-lin > ux/auto/HTML/Parser/Parser.bs > Installing /var/tmp/perl-HTML-Parser-root/usr/lib/perl5/site_perl/5.6.1/i586-lin > ux/auto/HTML/Parser/Parser.so > Files found in blib/arch: installing files in blib/lib into architecture depende > nt library tree > Installing /var/tmp/perl-HTML-Parser-root/usr/lib/perl5/site_perl/5.6.1/i586-lin > ux/HTML/TokeParser.pm > Installing /var/tmp/perl-HTML-Parser-root/usr/lib/perl5/site_perl/5.6.1/i586-lin > ux/HTML/HeadParser.pm > Installing 
/var/tmp/perl-HTML-Parser-root/usr/lib/perl5/site_perl/5.6.1/i586-lin > ux/HTML/Entities.pm > Installing /var/tmp/perl-HTML-Parser-root/usr/lib/perl5/site_perl/5.6.1/i586-lin > ux/HTML/PullParser.pm > Installing /var/tmp/perl-HTML-Parser-root/usr/lib/perl5/site_perl/5.6.1/i586-lin > ux/HTML/Parser.pm > Installing /var/tmp/perl-HTML-Parser-root/usr/lib/perl5/site_perl/5.6.1/i586-lin > ux/HTML/Filter.pm > Installing /var/tmp/perl-HTML-Parser-root/usr/lib/perl5/site_perl/5.6.1/i586-lin > ux/HTML/LinkExtor.pm > Installing /var/tmp/perl-HTML-Parser-root/usr/man/man3/HTML::HeadParser.3pm > Installing /var/tmp/perl-HTML-Parser-root/usr/man/man3/HTML::TokeParser.3pm > Installing /var/tmp/perl-HTML-Parser-root/usr/man/man3/HTML::Parser.3pm > Installing /var/tmp/perl-HTML-Parser-root/usr/man/man3/HTML::Filter.3pm > Installing /var/tmp/perl-HTML-Parser-root/usr/man/man3/HTML::Entities.3pm > Installing /var/tmp/perl-HTML-Parser-root/usr/man/man3/HTML::PullParser.3pm > Installing /var/tmp/perl-HTML-Parser-root/usr/man/man3/HTML::LinkExtor.3pm > Writing /var/tmp/perl-HTML-Parser-root/usr/lib/perl5/site_perl/5.6.1/i586-linux/ > auto/HTML/Parser/.packlist > Appending installation info to /var/tmp/perl-HTML-Parser-root/usr/lib/perl5/site > _perl/5.6.1/i586-linux/perllocal.pod > + '[' -x /usr/lib/rpm/brp-compress ']' > + /usr/lib/rpm/brp-compress > + find /var/tmp/perl-HTML-Parser-root/usr -type f -print > + sed 's@^/var/tmp/perl-HTML-Parser-root@@g' > + grep -v perllocal.pod > + grep -v '\.packlist' > ++ cat HTML-Parser-3.26-filelist > + '[' '/usr/lib/perl5/site_perl/5.6.1/i586-linux/HTML/TokeParser.pm > /usr/lib/perl5/site_perl/5.6.1/i586-linux/HTML/HeadParser.pm > /usr/lib/perl5/site_perl/5.6.1/i586-linux/HTML/Entities.pm > /usr/lib/perl5/site_perl/5.6.1/i586-linux/HTML/PullParser.pm > /usr/lib/perl5/site_perl/5.6.1/i586-linux/HTML/Parser.pm > /usr/lib/perl5/site_perl/5.6.1/i586-linux/HTML/Filter.pm > /usr/lib/perl5/site_perl/5.6.1/i586-linux/HTML/LinkExtor.pm > 
/usr/lib/perl5/site_perl/5.6.1/i586-linux/auto/HTML/Parser/Parser.bs > /usr/lib/perl5/site_perl/5.6.1/i586-linux/auto/HTML/Parser/Parser.so > /usr/man/man3/HTML::Filter.3pm.gz > /usr/man/man3/HTML::HeadParser.3pm.gz > /usr/man/man3/HTML::Entities.3pm.gz > /usr/man/man3/HTML::Parser.3pm.gz > /usr/man/man3/HTML::LinkExtor.3pm.gz > /usr/man/man3/HTML::TokeParser.3pm.gz > /usr/man/man3/HTML::PullParser.3pm.gzX' = X ']' > + RPM_BUILD_ROOT=/var/tmp/perl-HTML-Parser-root > + export RPM_BUILD_ROOT > + test -x /usr/sbin/Check -a 0 = 0 -o -x /usr/sbin/Check -a '!' -z /var/tmp/perl > -HTML-Parser-root > + echo 'I call /usr/sbin/Check...' > I call /usr/sbin/Check... > + /usr/sbin/Check > + /usr/lib/rpm/brp-compress > Processing files: perl-HTML-Parser-3.26-2 > Finding Provides: (using /usr/lib/rpm/find-provides)... > Finding Requires: (using /usr/lib/rpm/find-requires)... > Provides: Parser.so > Requires: ld-linux.so.2 libc.so.6 libc.so.6(GLIBC_2.0) libc.so.6(GLIBC_2.1.3) > Wrote: /usr/src/packages/RPMS/i386/perl-HTML-Parser-3.26-2.i386.rpm > Executing(%clean): /bin/sh -e /var/tmp/rpm-tmp.91007 > + umask 022 > + cd /usr/src/packages/BUILD > + cd HTML-Parser-3.26 > + rm -rf /var/tmp/perl-HTML-Parser-root > + exit 0 > Executing(--clean): /bin/sh -e /var/tmp/rpm-tmp.91007 > + umask 022 > + cd /usr/src/packages/BUILD > + rm -rf HTML-Parser-3.26 > + exit 0 > > > > > Do not worry too much about errors from the next command. > It is quite likely that some of the Perl modules are > already installed on your system. > > The important ones are HTML-Parser and MIME-tools. > > perl-HTML-Parser ################################################## > cannot remove /usr/lib/perl5/site_perl/5.6.1/i586-linux/auto/HTML/Parser - direc > tory not empty > cannot remove /usr/lib/perl5/site_perl/5.6.1/i586-linux/HTML - directory not emp > ty > Please do not forget to kill your MailScanner version 3 processes > before starting version 4. 
> linux:/home/dbtrol/MailScanner-4.13-3 # rcsendmail stop
> Shutting down SMTP port done
> linux:/home/dbtrol/MailScanner-4.13-3 # chkconfig senmail off
> senmail: unknown service
> linux:/home/dbtrol/MailScanner-4.13-3 # chkconfig sendmail off
> linux:/home/dbtrol/MailScanner-4.13-3 # chk MailScanner on
> bash: chk: command not found
> linux:/home/dbtrol/MailScanner-4.13-3 # chkconfig MailScanner on
> linux:/home/dbtrol/MailScanner-4.13-3 # rcMailScanner start
> Initializing sendmail and MailScanner failed

Can someone tell me what to do.
TIA
David

From Lou.Baccari at HP.COM Thu Mar 27 14:23:14 2003
From: Lou.Baccari at HP.COM (Baccari, Lou)
Date: Thu Jan 12 21:17:36 2006
Subject: MailScanner 4.12-2 / 4.13-3 incoming failed
Message-ID:

Okay I believe I'm doing this correctly but I'm still having problems. Any ideas??

cp MailScanner /etc/init.d/MailScanner
cp check_mailscanner /usr/sbin/check_mailscanner

ls -als /usr/sbin/check_*
   0 lrwxrwxrwx 1 root root 27 Mar 27 09:04 /usr/sbin/check_mailscanner -> /usr/sbin/check_MailScanner
   4 -rwxr-xr-x 1 root root 3438 Mar 27 09:19 /usr/sbin/check_MailScanner
   4 -rwxr-xr-x 1 root root 3439 Mar 27 08:23 /usr/sbin/check_mailscanner.old

rm /usr/sbin/check_mailscanner
cp check_mailscanner /usr/sbin/check_mailscanner

ls -als /usr/sbin/check_*
[root@crl-ns1 tmp]# ls -als /usr/sbin/check_*
   4 -rwxr--r-- 1 root root 3438 Mar 27 09:19 /usr/sbin/check_mailscanner
   4 -rwxr-xr-x 1 root root 3438 Mar 27 09:19 /usr/sbin/check_MailScanner
   4 -rwxr-xr-x 1 root root 3439 Mar 27 08:23 /usr/sbin/check_mailscanner.old

service MailScanner start
Starting MailScanner daemons:
         incoming sendmail: [ OK ]
         outgoing sendmail: [ OK ]
         MailScanner: [ OK ]
# service MailScanner status
Checking MailScanner daemons:
         MailScanner: [ OK ]
         incoming sendmail: [FAILED]
         outgoing sendmail: [ OK ]

From ryanb at AACRAO.ORG Thu Mar 27 14:17:59 2003
From: ryanb at AACRAO.ORG (Bingham, Ryan)
Date: Thu Jan 12 21:17:36 2006
Subject: MailScanner 4.12-2 / 4.13-3 incoming failed
Message-ID: <87D5B85DDDAAD111960F0060971C59D1019715F0@AACRAO4>

FWIW, this behavior started for me (incoming sendmail status failing, MRTG showing no instance of sendmail running) after I applied the kernel update from RedHat. I did NOT apply the glibc update, so it looks like something in the kernel is the culprit...

Ryan

From mailscanner at ecs.soton.ac.uk Thu Mar 27 14:31:35 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:36 2006
Subject: failed
In-Reply-To: <3E83056E.7090609@moment.net>
Message-ID: <5.2.0.9.2.20030327142855.043a8eb8@imap.ecs.soton.ac.uk>

Okay, the installation of the HTML-Parser RPM didn't work.
First, try to remove the old one:
rpm -e perl-HTML-Parser
rm -rf /usr/lib/perl5/site_perl/5.6.1/i586-linux/auto/HTML/Parser
Then try running ./install.sh again.

At 14:06 27/03/2003, you wrote:
>I am using SuSE 8.0, perl 5.61, MailScanner 4.13-3, fresh install. The
>output of install is
> > > > perl-HTML-Parser >################################################## > > cannot remove >/usr/lib/perl5/site_perl/5.6.1/i586-linux/auto/HTML/Parser - direc > > tory not empty > > cannot remove /usr/lib/perl5/site_perl/5.6.1/i586-linux/HTML - >directory not emp > > ty > Please do not forget to kill your MailScanner version 3 processes > > before starting version 4. > > linux:/home/dbtrol/MailScanner-4.13-3 # rcsendmail stop > > Shutting down SMTP port done > > linux:/home/dbtrol/MailScanner-4.13-3 # chkconfig senmail off > > senmail: unknown service > > linux:/home/dbtrol/MailScanner-4.13-3 # chkconfig sendmail off > > linux:/home/dbtrol/MailScanner-4.13-3 # chk MailScanner on > > bash: chk: command not found > > linux:/home/dbtrol/MailScanner-4.13-3 # chkconfig MailScanner on > > linux:/home/dbtrol/MailScanner-4.13-3 # rcMailScanner start > > Initializing sendmail and MailScanner >failed >Can someone tell me what to do. >TIA >David -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Thu Mar 27 14:32:48 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:36 2006
Subject: MailScanner 4.12-2 / 4.13-3 incoming failed
In-Reply-To:
Message-ID: <5.2.0.9.2.20030327143221.043ceb38@imap.ecs.soton.ac.uk>

At 14:23 27/03/2003, you wrote:
>cp check_mailscanner /usr/sbin/check_mailscanner
>
>ls -als /usr/sbin/check_*
>    0 lrwxrwxrwx 1 root root 27 Mar 27 09:04
> /usr/sbin/check_mailscanner -> /usr/sbin/check_MailScanner
>    4 -rwxr-xr-x 1 root root 3438 Mar 27 09:19
> /usr/sbin/check_MailScanner
>    4 -rwxr-xr-x 1 root root 3439 Mar 27 08:23
> /usr/sbin/check_mailscanner.old
>
>rm /usr/sbin/check_mailscanner

Why did you just delete the file you copied?

>cp check_mailscanner /usr/sbin/check_mailscanner
>
>ls -als /usr/sbin/check_*
>[root@crl-ns1 tmp]# ls -als /usr/sbin/check_*
>    4 -rwxr--r-- 1 root root 3438 Mar 27 09:19
> /usr/sbin/check_mailscanner
>    4 -rwxr-xr-x 1 root root 3438 Mar 27 09:19
> /usr/sbin/check_MailScanner
>    4 -rwxr-xr-x 1 root root 3439 Mar 27 08:23
> /usr/sbin/check_mailscanner.old
>
>service MailScanner start
>Starting MailScanner daemons:
>          incoming sendmail: [ OK ]
>          outgoing sendmail: [ OK ]
>          MailScanner: [ OK ]
># service MailScanner status
>Checking MailScanner daemons:
>          MailScanner: [ OK ]
>          incoming sendmail: [FAILED]
>          outgoing sendmail: [ OK ]

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From Lou.Baccari at HP.COM Thu Mar 27 14:38:22 2003
From: Lou.Baccari at HP.COM (Baccari, Lou)
Date: Thu Jan 12 21:17:36 2006
Subject: MailScanner 4.12-2 / 4.13-3 incoming failed
Message-ID:

Julian and group,

After cleaning up some hung sendmail processes and restarting MailScanner everything appears to be working correctly.

Thanks for the help.....

Lou

From mailscanner at ecs.soton.ac.uk Thu Mar 27 14:38:07 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:36 2006
Subject: Another beta release
Message-ID: <5.2.0.9.2.20030327143436.043dbee0@imap.ecs.soton.ac.uk>

I have just put 4.14-7 on the web site.

This implements some more changes and improvements courtesy of Tony Finch at Cambridge, who really seems to enjoy examining every line of code! :-) I'm glad someone does, he has found all sorts of idiosyncrasies in my code.

It now supports Exim split spool directories, and can debug SpamAssassin from within MailScanner. If you want to install SpamAssassin somewhere other than the default locations, you can do that now too (though you will have to ask me for the names of the configuration options to add to MailScanner.conf to move it).

Usual caveats about beta releases apply. Please let me know how you get on with it.

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From Harish.Amin at DEG.STATE.WI.US Thu Mar 27 14:47:36 2003
From: Harish.Amin at DEG.STATE.WI.US (Amin, Harish)
Date: Thu Jan 12 21:17:36 2006
Subject: how to get digest of this list
Message-ID: <47F3EDACE4BC3A4594D0D7B504062BBD019C6ADB@doamail04.doa.wistate.us>

Since lately we are getting too many mails I would appreciate to know how I can change my subscription to digest mode (one consolidated mail per day)

Thanx
Harish

From linux at mostert.nom.za Thu Mar 27 15:11:00 2003
From: linux at mostert.nom.za (Mozzi)
Date: Thu Jan 12 21:17:36 2006
Subject: Mailscanner in mem
In-Reply-To: <5.2.0.9.2.20030324115113.02873bc8@imap.ecs.soton.ac.uk>
References: <5.2.0.9.2.20030324105235.02378b00@imap.ecs.soton.ac.uk> <5.2.0.9.2.20030324115113.02873bc8@imap.ecs.soton.ac.uk>
Message-ID: <200303271711.00491.linux@mostert.nom.za>

Hi Julian

I use redhat 7.3 with the latest MailScanner
I just setup tmpfs and I have /var/spool/MailScanner/incoming mounted (I use fstab)
Now I just sent myself a message and all looks fine the message was accepted and got delivered.

Mar 27 17:04:04 mailscanner sendmail[4430]: h2RF44H04430: to=, delay=00:00:00, mailer=smtp, pri=30556, stat=queued
Mar 27 17:04:07 mailscanner MailScanner[4331]: New Batch: Scanning 1 messages, 1000 bytes
Mar 27 17:04:12 mailscanner MailScanner[4331]: Virus and Content Scanning: Starting
Mar 27 17:04:12 mailscanner MailScanner[4331]: Uninfected: Delivered 1 messages
Mar 27 17:04:12 mailscanner sendmail[4435]: h2RF44H04430: to=, delay=00:00:08, xdelay=00:00:00, mailer=smtp, pri=120556, relay=[196.25.84.194] [196.25.84.194], dsn=2.0.0, stat=Sent (h2RF4Muc003419 Message accepted for delivery)

I haven't tested it under load but it looks like it will work

Mozzi

On Monday 24 March 2003 13:51, you wrote:
> Try scanning a directory structure in tmpfs with the latest F-Prot code,
> it's possible they have fixed it.
> Let me know what you find.
>
> At 11:20 24/03/2003, you wrote:
> >Tnx
> >I use fprot so there goes that idea
> >
> >Mozzi
> >
> >On Monday 24 March 2003 12:55, you wrote:
> > > At 09:26 24/03/2003, you wrote:
> > > >Hallo all
> > > >
> > > >Can anyone remember the subject for the thread on running mailscanner in
> > > > memory?
> > > >
> > > >I have a box with 3Gig ram here and I need the performance.
> > >
> > > You can safely run with the MailScanner/incoming directory in RAM (just
> > > use tmpfs) as long as you aren't using F-Prot (which for some reason
> > > doesn't like tmpfs and won't recurse directories properly). Putting
> > > your mqueue.in and mqueue in RAM is very dodgy unless your RAM is
> > > battery-backed and your system is never rebooted with anything in its
> > > mail queues.
> > >
> > > If you are running Linux, then add a "-" in front of the log filename
> > > in syslog.conf. So instead of it logging to
> > > /var/log/maillog
> > > make it
> > > -/var/log/maillog
> > > That will stop syslogd from fsync-ing after every log entry, which can
> > > make quite a difference to your disk traffic.
> > >
> > > Running with MailScanner/incoming in tmpfs can add up to 30% to your
> > > max throughput.
> > > --
> > > Julian Field
> > > www.MailScanner.info
> > > Professional Support Services at www.MailScanner.biz
> > > MailScanner thanks transtec Computers for their support
>
> --
> Julian Field
> www.MailScanner.info
> Professional Support Services at www.MailScanner.biz
> MailScanner thanks transtec Computers for their support

From hdbtroll at MOMENT.NET Thu Mar 27 15:27:15 2003
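The tuning advice quoted in the "Mailscanner in mem" message above (MailScanner/incoming on tmpfs, mail queues kept off tmpfs, a "-" before the maillog path in syslog.conf) can be audited with a short script. This is an added example, not part of the thread or of MailScanner; the mount tables and syslog.conf contents are constructed samples, and /var/spool/mqueue.in is an assumed location for the incoming queue.

```shell
#!/bin/sh
# Added example (not from the thread): audit the tmpfs/syslog tuning advice.

# fstype_of MOUNTS DIR: print the filesystem type DIR lives on, reading a
# table in /proc/mounts format (device mountpoint fstype options ...).
fstype_of() {
    awk -v dir="$2" '
        {
            mnt = $2
            # mnt covers dir if it is "/", equals dir, or is a parent path
            if (mnt == "/" || dir == mnt || index(dir, mnt "/") == 1)
                if (length(mnt) >= best) { best = length(mnt); fs = $3 }
        }
        END { if (fs == "") fs = "unknown"; print fs }
    ' "$1"
}

# audit_dir MOUNTS DIR ROLE: one-line verdict for a spool directory.
#   ROLE=scratch  working area that may live in RAM (MailScanner/incoming)
#   ROLE=queue    mail queue that has to survive a reboot (mqueue, mqueue.in)
audit_dir() {
    fs=$(fstype_of "$1" "$2")
    case "$3:$fs" in
        scratch:tmpfs) echo "ok: $2 is on tmpfs" ;;
        scratch:*)     echo "note: $2 is on $fs, not tmpfs" ;;
        queue:tmpfs)   echo "risk: $2 is on tmpfs, queued mail is lost on reboot" ;;
        queue:*)       echo "ok: $2 is on $fs" ;;
    esac
}

# maillog_sync CONF LOGFILE: "sync" if any rule writes to LOGFILE without the
# leading "-", "async" if every rule for it uses "-LOGFILE", else "absent".
maillog_sync() {
    awk -v target="$2" '
        /^[ \t]*#/ || NF < 2 { next }
        $NF == target        { plain = 1 }
        $NF == ("-" target)  { dashed = 1 }
        END {
            if (plain) print "sync"
            else if (dashed) print "async"
            else print "absent"
        }
    ' "$1"
}

# --- constructed sample input (not taken from any real host) ---
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

cat > "$SAMPLE_DIR/mounts" <<'EOF'
/dev/sda1 / ext3 rw 0 0
/dev/sda2 /var ext3 rw 0 0
tmpfs /var/spool/MailScanner/incoming tmpfs rw 0 0
EOF

# Mis-tuned host: the whole spool tree, queues included, is in RAM.
cat > "$SAMPLE_DIR/mounts.bad" <<'EOF'
/dev/sda1 / ext3 rw 0 0
tmpfs /var/spool tmpfs rw 0 0
EOF

cat > "$SAMPLE_DIR/syslog.conf" <<'EOF'
# Log all the mail messages in one place.
mail.*                          /var/log/maillog
EOF

cat > "$SAMPLE_DIR/syslog.tuned" <<'EOF'
# Log all the mail messages in one place.
mail.*                          -/var/log/maillog
EOF

# --- demo run over the samples ---
audit_dir "$SAMPLE_DIR/mounts" /var/spool/MailScanner/incoming scratch
audit_dir "$SAMPLE_DIR/mounts" /var/spool/mqueue.in queue
audit_dir "$SAMPLE_DIR/mounts.bad" /var/spool/mqueue.in queue
echo "maillog (stock):  $(maillog_sync "$SAMPLE_DIR/syslog.conf" /var/log/maillog)"
echo "maillog (tuned):  $(maillog_sync "$SAMPLE_DIR/syslog.tuned" /var/log/maillog)"
```

On a live host, pass /proc/mounts and /etc/syslog.conf in place of the sample files.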
From: hdbtroll at MOMENT.NET (DB Troll)
Date: Thu Jan 12 21:17:36 2006
Subject: failed
References: <5.2.0.9.2.20030327142855.043a8eb8@imap.ecs.soton.ac.uk>
Message-ID: <3E831853.9010409@moment.net>

Julian Field wrote:

> Okay, the installation of the HTML-Parser RPM didn't work.
> First, try to remove the old one:
>         rpm -e perl-HTML-Parser
>         rm -rf /usr/lib/perl5/site_perl/5.6.1/i586-linux/auto/HTML/Parser
> Then try running ./install.sh again.
>
>Hi Julian,

Did as above and it still failed> package perl-MIME-tools-5.411-pl4.2 is already installed
> file /usr/man/man3/MIME::Body.3pm.gz from install of perl-MIME-tools-5.411-pl4.2 conflicts with file from package perl-MIME-tools-5.411-pl4.2
> file /usr/man/man3/MIME::Decoder.3pm.gz from install of perl-MIME-tools-5.411-pl4.2 conflicts with file from package perl-MIME-tools-5.411-pl4.2
> file /usr/man/man3/MIME::Decoder::Base64.3pm.gz from install of perl-MIME-tools-5.411-pl4.2 conflicts with file from package perl-MIME-tools-5.411-pl4.2
> file /usr/man/man3/MIME::Decoder::Binary.3pm.gz from install of perl-MIME-tools-5.411-pl4.2 conflicts with file from package perl-MIME-tools-5.411-pl4.2
> file /usr/man/man3/MIME::Decoder::Gzip64.3pm.gz from install of perl-MIME-tools-5.411-pl4.2 conflicts with file from package perl-MIME-tools-5.411-pl4.2
> file /usr/man/man3/MIME::Decoder::NBit.3pm.gz from install of perl-MIME-tools-5.411-pl4.2 conflicts with file from package perl-MIME-tools-5.411-pl4.2
> file /usr/man/man3/MIME::Decoder::QuotedPrint.3pm.gz from install of perl-MIME-tools-5.411-pl4.2 conflicts with file from package perl-MIME-tools-5.411-pl4.2
> file /usr/man/man3/MIME::Decoder::UU.3pm.gz from install of perl-MIME-tools-5.411-pl4.2 conflicts with file from package perl-MIME-tools-5.411-pl4.2
> file /usr/man/man3/MIME::Entity.3pm.gz from install of perl-MIME-tools-5.411-pl4.2 conflicts with file from package perl-MIME-tools-5.411-pl4.2
> file /usr/man/man3/MIME::Field::ConTraEnc.3pm.gz from install of perl-MIME-tools

From mailscanner at ecs.soton.ac.uk Thu Mar 27 15:30:43 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:36 2006
Subject: failed
In-Reply-To: <3E831853.9010409@moment.net>
References: <5.2.0.9.2.20030327142855.043a8eb8@imap.ecs.soton.ac.uk>
Message-ID: <5.2.0.9.2.20030327152916.043f0878@imap.ecs.soton.ac.uk>

At 15:27 27/03/2003, you wrote:
>Julian Field wrote:
>>Okay, the installation of the HTML-Parser RPM didn't work.
>>First, try to remove the old one:
>>         rpm -e perl-HTML-Parser
>>         rm -rf /usr/lib/perl5/site_perl/5.6.1/i586-linux/auto/HTML/Parser
>>Then try running ./install.sh again.
>>
>>Hi Julian,
>Did as above and it still failed> package perl-MIME-tools-5.411-pl4.2 is
>already installed

Your errors below shouldn't actually matter.
You can always do a "rpm -e perl-MIME-tools" before you run ./install.sh if
you like.
It's just trying to install the same thing over the version it already has.

>>file /usr/man/man3/MIME::Body.3pm.gz from install of
>>perl-MIME-tools-5.411-pl4.2 conflicts with file from package
>>perl-MIME-tools-5.411-pl4.2
>>file /usr/man/man3/MIME::Decoder.3pm.gz from install of
>>perl-MIME-tools-5.411-pl4.2 conflicts with file from package
>>perl-MIME-tools-5.411-pl4.2
>>file /usr/man/man3/MIME::Decoder::Base64.3pm.gz from install of
>>perl-MIME-tools-5.411-pl4.2 conflicts with file from package
>>perl-MIME-tools-5.411-pl4.2
>>file /usr/man/man3/MIME::Decoder::Binary.3pm.gz from install of
>>perl-MIME-tools-5.411-pl4.2 conflicts with file from package
>>perl-MIME-tools-5.411-pl4.2
>>file /usr/man/man3/MIME::Decoder::Gzip64.3pm.gz from install of
>>perl-MIME-tools-5.411-pl4.2 conflicts with file from package
>>perl-MIME-tools-5.411-pl4.2
>>file /usr/man/man3/MIME::Decoder::NBit.3pm.gz from install of
>>perl-MIME-tools-5.411-pl4.2 conflicts with file from package
>>perl-MIME-tools-5.411-pl4.2
>>file /usr/man/man3/MIME::Decoder::QuotedPrint.3pm.gz from install of
>>perl-MIME-tools-5.411-pl4.2 conflicts with file from package
>>perl-MIME-tools-5.411-pl4.2
>>file /usr/man/man3/MIME::Decoder::UU.3pm.gz from install of
>>perl-MIME-tools-5.411-pl4.2 conflicts with file from package
>>perl-MIME-tools-5.411-pl4.2
>>file /usr/man/man3/MIME::Entity.3pm.gz from install of
>>perl-MIME-tools-5.411-pl4.2 conflicts with file from package
>>perl-MIME-tools-5.411-pl4.2
>>file /usr/man/man3/MIME::Field::ConTraEnc.3pm.gz from install of
>>perl-MIME-tools

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From lindsay at pa.net Thu Mar 27 15:38:05 2003
From: lindsay at pa.net (Lindsay Snider)
Date: Thu Jan 12 21:17:36 2006
Subject: Mailscanner in mem
In-Reply-To: <200303271711.00491.linux@mostert.nom.za>
References: <5.2.0.9.2.20030324105235.02378b00@imap.ecs.soton.ac.uk> <5.2.0.9.2.20030324115113.02873bc8@imap.ecs.soton.ac.uk> <200303271711.00491.linux@mostert.nom.za>
Message-ID: <200303271038.05759.lindsay@pa.net>

On Thursday 27 March 2003 10:11, you wrote:
> Hi Julian
> I use redhat 7.3 with the latest MailScanner
> I just setup tmpfs and I have /var/spool/MailScanner/incoming mounted (I use
> fstab)
> Now I just sent myself a message and all looks fine the message was
> accepted and got delivered.
>

Have you tried sending a virus through it yet? That's where I saw the
problem. There were no errors, f-prot would simply not catch viruses.

> Mar 27 17:04:04 mailscanner sendmail[4430]: h2RF44H04430:
> to=, delay=00:00:00, mailer=smtp, pri=30556, stat=queued
> Mar 27 17:04:07 mailscanner MailScanner[4331]: New Batch: Scanning 1
> messages, 1000 bytes
> Mar 27 17:04:12 mailscanner MailScanner[4331]: Virus and Content Scanning:
> Starting
> Mar 27 17:04:12 mailscanner MailScanner[4331]: Uninfected: Delivered 1
> messages
> Mar 27 17:04:12 mailscanner sendmail[4435]: h2RF44H04430:
> to=, delay=00:00:08, xdelay=00:00:00, mailer=smtp,
> pri=120556, relay=[196.25.84.194] [196.25.84.194], dsn=2.0.0, stat=Sent
> (h2RF4Muc003419 Message accepted for delivery)
>
> I haven't tested it under load but it looks like it will work
>
>
> Mozzi
>
> On Monday 24 March 2003 13:51, you wrote:
> > Try scanning a directory structure in tmpfs with the latest F-Prot code,
> > it's possible they have fixed it.
> > Let me know what you find.
> >
> > At 11:20 24/03/2003, you wrote:
> > >Tnx
> > >I use fprot so there goes that idea
> > >
> > >Mozzi
> > >
> > >On Monday 24 March 2003 12:55, you wrote:
> > > > At 09:26 24/03/2003, you wrote:
> > > > >Hallo all
> > > > >
> > > > >Can anyone remember the subject for the thread on running mailscanner
> > > > > in memory?
> > > > >
> > > > >I have a box with 3Gig ram here and I need the performance.
> > > >
> > > > You can safely run with the MailScanner/incoming directory in RAM
> > > > (just use tmpfs) as long as you aren't using F-Prot (which for some
> > > > reason doesn't like tmpfs and won't recurse directories properly).
> > > > Putting your mqueue.in and mqueue in RAM is very dodgy unless your
> > > > RAM is battery-backed and your system is never rebooted with anything
> > > > in its mail queues.
> > > >
> > > > If you are running Linux, then add a "-" in front of the log filename
> > > > in syslog.conf. So instead of it logging to
> > > >          /var/log/maillog
> > > > make it
> > > >          -/var/log/maillog
> > > > That will stop syslogd from fsync-ing after every log entry, which
> > > > can make quite a difference to your disk traffic.
> > > >
> > > > Running with MailScanner/incoming in tmpfs can add up to 30% to your
> > > > max throughput.
> > > > --
> > > > Julian Field
> > > > www.MailScanner.info
> > > > Professional Support Services at www.MailScanner.biz
> > > > MailScanner thanks transtec Computers for their support
> >
> > --
> > Julian Field
> > www.MailScanner.info
> > Professional Support Services at www.MailScanner.biz
> > MailScanner thanks transtec Computers for their support

From sevans at FOUNDATION.SDSU.EDU Thu Mar 27 16:03:16 2003
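The failure Lindsay describes in the message above is silent: a clean message is delivered and nothing is logged, so only a known-detectable sample shows whether the scanner really recurses the tmpfs work area. The canary check below is an added example, not part of the thread or of MailScanner; it plants the harmless 68-byte EICAR test file a few directories deep under the scan root and fails unless the scanner reports it. The scanner command line, the file name `canary.com` and the rule that a detection prints "EICAR" somewhere in the scanner's output are assumptions to adapt to your scanner.

```python
import os
import shutil
import subprocess
import sys
import tempfile

# The standard 68-byte EICAR test string (harmless), assembled from pieces so
# that this script is not itself quarantined by an on-access scanner.
EICAR = (r"X5O!P%@AP[4\PZX54(P^)7CC)7}$" + "EICAR-STANDARD-"
         + "ANTIVIRUS-TEST-FILE!" + "$H+H*").encode("ascii")


def fs_type(path, mounts="/proc/mounts"):
    """Filesystem type of the mount holding `path` (Linux only), else None."""
    path = os.path.realpath(path)
    best, fstype = "", None
    try:
        with open(mounts) as fh:
            for line in fh:
                fields = line.split()
                if len(fields) < 3:
                    continue
                mnt = fields[1]
                inside = path == mnt or path.startswith(mnt.rstrip("/") + "/")
                if inside and len(mnt) > len(best):   # longest mount point wins
                    best, fstype = mnt, fields[2]
    except OSError:
        return None
    return fstype


def plant_canary(scan_root, depth=3):
    """Create <scan_root>/canary-XXXX/d1/.../d<depth>/canary.com."""
    top = tempfile.mkdtemp(prefix="canary-", dir=scan_root)
    leaf = os.path.join(top, *["d%d" % i for i in range(1, depth + 1)])
    os.makedirs(leaf, exist_ok=True)
    # Neutral file name: a hit must come from the content, not a filename rule.
    target = os.path.join(leaf, "canary.com")
    with open(target, "wb") as fh:
        fh.write(EICAR)
    return top, target


def scanner_detects(scan_root, scanner_cmd, depth=3, timeout=120):
    """Run scanner_cmd + [canary directory]; True only if the output names EICAR.

    Assumption: the scanner prints a signature name containing "EICAR" when
    it finds the test file. The canary tree is removed afterwards.
    """
    top, _ = plant_canary(scan_root, depth)
    try:
        proc = subprocess.run(list(scanner_cmd) + [top],
                              stdout=subprocess.PIPE,
                              stderr=subprocess.STDOUT,
                              timeout=timeout)
        return b"eicar" in proc.stdout.lower()
    finally:
        shutil.rmtree(top, ignore_errors=True)


if __name__ == "__main__":
    if len(sys.argv) < 3:
        sys.exit("usage: canary.py SCAN_ROOT SCANNER [ARGS...]")
    root, cmd = sys.argv[1], sys.argv[2:]
    ok = scanner_detects(root, cmd)
    print("%s (%s): canary %s" % (root, fs_type(root) or "unknown fs",
                                  "DETECTED" if ok else "MISSED"))
    sys.exit(0 if ok else 1)
```

Run it once against a disk-backed directory and once against the tmpfs mount; a scanner that passes the first and misses the second is showing the recursion problem described in the thread.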
From: sevans at FOUNDATION.SDSU.EDU (Steve Evans)
Date: Thu Jan 12 21:17:36 2006
Subject: Embedded Disallowed Filename Extension in Word Document
Message-ID:

I attached a word document with an embedded exe file (exe's are on my
disallow list). Is that supposed to get through? Any smart ideas on
how to stop that. Also I'm headed out of town in a few minutes so I
could try it when I get back but what happens if you embedded a virus
inside a word document? Would the virus scanner catch it then?

Steve Evans
SDSU Foundation
(619) 594-0653
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Doc1.doc
Type: application/msword
Size: 329216 bytes
Desc: Doc1.doc
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030327/b2405c5e/Doc1.doc

From mailscanner at ecs.soton.ac.uk Thu Mar 27 16:18:31 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:36 2006
Subject: Embedded Disallowed Filename Extension in Word Document
In-Reply-To:
Message-ID: <5.2.0.9.2.20030327161610.0413bb78@imap.ecs.soton.ac.uk>

At 16:03 27/03/2003, you wrote:
>I attached a word document with an embedded exe file (exe's are on my
>disallow list). Is that supposed to get through?

Yes, sorry.

> Any smart ideas on
>how to stop that.

Not really. Would be quite a lot of extra work to add support for pulling
all the filenames out of OLE documents (and just spotting the OLE documents
in the first place).

> Also I'm headed out of town in a few minutes so I
>could try it when I get back but what happens if you embedded a virus
>inside a word document? Would the virus scanner catch it then?

Most virus scanners find documents with viruses in them, as no-one manually
puts a virus in a document, they come ready-supplied with the virus already
in them :)
(i.e. Word macro viruses, etc will be caught by the virus scanners, but not
all scanners will find a copy of EICAR embedded manually in a word doc)
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From mbowman at UDCOM.COM Thu Mar 27 16:39:04 2003
From: mbowman at UDCOM.COM (Matthew Bowman)
Date: Thu Jan 12 21:17:36 2006
Subject: F-Prot errors
Message-ID:

Trying to setup F-Prot for evaluation w/ MailScanner and got this error:

Either you've found a bug in MailScanner's F-Prot output parser, or
F-Prot's output format has changed! F-Prot said
this "Switches: -ARCHIVE -OLD". Please mail the author of MailScanner

The file I loaded was fp-linux-eb-3.13-0.i386.rpm

I followed the notes in the FAQ

I'm using MS 4.13-3 on a RH 7.2 box.

Any ideas?

Thanks

Matthew

From HancockS at MORGANCO.COM Thu Mar 27 17:08:13 2003
From: HancockS at MORGANCO.COM (Hancock, Scott)
Date: Thu Jan 12 21:17:36 2006
Subject: email in exim incoming queue is not getting processed -- Please help
Message-ID: <3EA1A302A4978A4C970D2C63F327156ED541F5@worc-mail2.int.morganco.com>

Greetings all,

This is a restate of a previous help request.

Exim incoming has written a pile of messages to
/var/spool/exim/incoming/input.

For some reason mailscanner is not acting on these messages.

Any guidance on how to troubleshoot or information on under what
conditions mailscanner would not find or accept these files would be
greatly appreciated.

Debian sarge
Exim 3.36
MS 4.13
Sa 2.44

All new incoming mails are scanned and delivered.

exim -bp shows the mail in the incoming directory without any errors.
The queue originally had 1500 unscanned emails a MailScanner restart
delivered half of these but I still have about 700 waiting for deliver.

I'll gladly post any conf files.

Please help.

Scott Hancock

From chicks at CHICKS.NET Thu Mar 27 17:10:05 2003
From: chicks at CHICKS.NET (Christopher Hicks)
Date: Thu Jan 12 21:17:36 2006
Subject: Embedded Disallowed Filename Extension in Word Document
In-Reply-To: <5.2.0.9.2.20030327161610.0413bb78@imap.ecs.soton.ac.uk>
Message-ID:

On Thu, 27 Mar 2003, Julian Field wrote:
> (i.e. Word macro viruses, etc will be caught by the virus scanners, but not
> all scanners will find a copy of EICAR embedded manually in a word doc)

Does anybody have any experience with which would and which wouldn't?

--
The death of democracy is not likely to be an assassination from ambush.
It will be a slow extinction from apathy, indifference, and undernourishment.
-Robert Maynard Hutchins, educator (1899-1977)

From Jan-Peter.Koopmann at SECEIDOS.DE Thu Mar 27 17:15:09 2003
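Julian Field's reply in the "Embedded Disallowed Filename Extension in Word Document" thread above names the two missing pieces: spotting OLE documents and pulling the filenames out of them. The sketch below is an added example, not MailScanner code and not a full compound-file parser: it recognises the OLE2 signature, then applies a strings-style heuristic for embedded filenames plus a structural check for an embedded PE header. The deny list, all function names and the sample bytes are assumptions constructed for illustration.

```python
import os
import re
import struct

OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")   # OLE2 compound file signature
# Example deny list (an assumption). ".com" is left out on purpose: this
# string heuristic would also match host names such as "www.example.com".
DISALLOWED = {".exe", ".scr", ".pif", ".bat", ".vbs"}

_ASCII_RUN = re.compile(rb"[\x20-\x7e]{5,260}")
_UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){5,260}")


def is_ole(data):
    """True if the attachment starts with the compound file signature."""
    return data[:8] == OLE_MAGIC


def _strings(data):
    """Yield printable ASCII and UTF-16LE runs, like the `strings` tool."""
    for m in _ASCII_RUN.finditer(data):
        yield m.group().decode("ascii")
    for m in _UTF16_RUN.finditer(data):
        yield m.group().decode("utf-16-le")


def embedded_names(data, deny=DISALLOWED):
    """Filenames with a denied extension found anywhere in the raw bytes.

    Heuristic: streams are stored in sectors that need not be contiguous,
    so a name split across sectors is missed, and body text that happens
    to end in "foo.exe" is reported as well.
    """
    found = []
    for text in _strings(data):
        base = re.split(r"[\\/]", text)[-1].strip()
        if os.path.splitext(base)[1].lower() in deny and base not in found:
            found.append(base)
    return found


def embedded_pe_offsets(data):
    """Offsets of "MZ" headers whose e_lfanew field points at "PE\\0\\0"."""
    hits = []
    pos = data.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            pe = pos + e_lfanew
            if 0 < e_lfanew < 0x1000 and data[pe:pe + 4] == b"PE\x00\x00":
                hits.append(pos)
        pos = data.find(b"MZ", pos + 1)
    return hits


def check_attachment(data):
    """Summarise one attachment; 'block' is True for an OLE file with a hit."""
    if not is_ole(data):
        return {"ole": False, "names": [], "pe_offsets": [], "block": False}
    names = embedded_names(data)
    pes = embedded_pe_offsets(data)
    return {"ole": True, "names": names, "pe_offsets": pes,
            "block": bool(names or pes)}


def constructed_sample():
    """Constructed bytes shaped like an OLE file carrying a packaged object.

    Not a real Word document: a signature sector, a stream name, a label and
    original path as NUL-terminated ANSI strings, and a stub PE header.
    """
    header = OLE_MAGIC + b"\x00" * 504
    stream_name = "\x01Ole10Native".encode("utf-16-le")
    native = b"\x02\x00" + b"setup.exe\x00" + b"C:\\temp\\setup.exe\x00"
    dos = bytearray(0x80)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)       # e_lfanew -> PE header
    payload = bytes(dos) + b"PE\x00\x00" + b"\x00" * 60
    return header + stream_name + b"\x00" * 40 + native + payload


if __name__ == "__main__":
    print(check_attachment(constructed_sample()))
```

A production filter would walk the compound file's directory and reassemble each stream before applying these checks; the raw-byte scan only shows why both steps Julian mentions are needed.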
From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann)
Date: Thu Jan 12 21:17:36 2006
Subject: Another beta release
Message-ID: <4E7026FF8A422749B1553FE508E0068007F042@message.intern.akctech.de>

FreeBSD port will follow some time tomorrow. I will announce it here.

Regards,
JP

From dbird at SGHMS.AC.UK Thu Mar 27 17:17:20 2003
From: dbird at SGHMS.AC.UK (Daniel Bird)
Date: Thu Jan 12 21:17:36 2006
Subject: email in exim incoming queue is not getting processed -- Please help
References: <3EA1A302A4978A4C970D2C63F327156ED541F5@worc-mail2.int.morganco.com>
Message-ID: <3E833220.5070600@sghms.ac.uk>

Scott,
I had a similar problem with exim and finding its input and output queues.
For some reason my version (4.12, but also when I was using 3.x -
probably a configure option;-) decided if I told it to use

/var/spool/exim/input

it actually looked in /var/spool/exim/input/input
and likewise for /var/spool/exim/output (/var/spool/exim/output/input).
ie, always added 'input' to the dir structure

To get 'round this I have :

in exim.conf.out
spool_directory = /var/spool/exim/outgoing

and in MailScanner.conf
Incoming Queue Dir = /var/spool/exim/input
Outgoing Queue Dir = /var/spool/exim/outgoing/input

Works for me!

Regards
Dan

Hancock, Scott wrote:

>Greetings all,
>
>This is a restate of a previous help request.
>
>Exim incoming has written a pile of messages to
>/var/spool/exim/incoming/input.
>
>For some reason mailscanner is not acting on these messages.
>
>Any guidance on how to troubleshoot or information on under what
>conditions mailscanner would not find or accept these files would be
>greatly appreciated.
>
>Debian sarge
>Exim 3.36
>MS 4.13
>Sa 2.44
>
>All new incoming mails are scanned and delivered.
>
>exim -bp shows the mail in the incoming directory without any errors.
>The queue originally had 1500 unscanned emails a MailScanner restart
>delivered half of these but I still have about 700 waiting for deliver.
>
>I'll gladly post any conf files.
>
>Please help.
>
>Scott Hancock
>
>
>

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
Mailscanner thanks transtec Computers for their support.

From hdbtroll at MOMENT.NET Thu Mar 27 17:33:48 2003
From: hdbtroll at MOMENT.NET (DB Troll)
Date: Thu Jan 12 21:17:36 2006
Subject: failed
References: <5.2.0.9.2.20030327142855.043a8eb8@imap.ecs.soton.ac.uk> <5.2.0.9.2.20030327152916.043f0878@imap.ecs.soton.ac.uk>
Message-ID: <3E8335FC.4010204@moment.net>

Julian Field wrote:

> At 15:27 27/03/2003, you wrote:
>
>> Julian Field wrote:
>>
>>> Okay, the installation of the HTML-Parser RPM didn't work.
>>> First, try to remove the old one:
>>>         rpm -e perl-HTML-Parser
>>>         rm -rf
>>> /usr/lib/perl5/site_perl/5.6.1/i586-linux/auto/HTML/Parser
>>> Then try running ./install.sh again.
>>>
>>> Hi Julian,
>>
>> Did as above and it still failed> package perl-MIME-tools-5.411-pl4.2 is
>> already installed
>
>
> Your errors below shouldn't actually matter.
> You can always do a "rpm -e perl-MIME-tools" before you run ./install.sh if
> you like.
> It's just trying to install the same thing over the version it already has.
>
>>> file /usr/man/man3/MIME::Body.3pm.gz from install of
>>> perl-MIME-tools-5.411-pl4.2 conflicts with file from package
>>> perl-MIME-tools-5.411-pl4.2
>>> file /usr/man/man3/MIME::Decoder.3pm.gz from install of
>>> perl-MIME-tools-5.411-pl4.2 conflicts with file from package
>>> perl-MIME-tools-5.411-pl4.2
>>> file /usr/man/man3/MIME::Decoder::Base64.3pm.gz from install of
>>> perl-MIME-tools-5.411-pl4.2 conflicts with file from package
>>> perl-MIME-tools-5.411-pl4.2
>>> file /usr/man/man3/MIME::Decoder::Binary.3pm.gz from install of
>>> perl-MIME-tools-5.411-pl4.2 conflicts with file from package
>>> perl-MIME-tools-5.411-pl4.2
>>> file /usr/man/man3/MIME::Decoder::Gzip64.3pm.gz from install of
>>> perl-MIME-tools-5.411-pl4.2 conflicts with file from package
>>> perl-MIME-tools-5.411-pl4.2
>>> file /usr/man/man3/MIME::Decoder::NBit.3pm.gz from install of
>>> perl-MIME-tools-5.411-pl4.2 conflicts with file from package
>>> perl-MIME-tools-5.411-pl4.2
>>> file /usr/man/man3/MIME::Decoder::QuotedPrint.3pm.gz from install of
>>> perl-MIME-tools-5.411-pl4.2 conflicts with file from package
>>> perl-MIME-tools-5.411-pl4.2
>>> file /usr/man/man3/MIME::Decoder::UU.3pm.gz from install of
>>> perl-MIME-tools-5.411-pl4.2 conflicts with file from package
>>> perl-MIME-tools-5.411-pl4.2
>>> file /usr/man/man3/MIME::Entity.3pm.gz from install of
>>> perl-MIME-tools-5.411-pl4.2 conflicts with file from package
>>> perl-MIME-tools-5.411-pl4.2
>>> file /usr/man/man3/MIME::Field::ConTraEnc.3pm.gz from install of
>>> perl-MIME-tools
>>
>
> --
> Julian Field
> www.MailScanner.info
> MailScanner thanks transtec Computers for their support
>
>
Any ideas on where to look for the reason rcMailScanner keeps failing.
TIA
David

From mailscanner at ecs.soton.ac.uk Thu Mar 27 17:38:43 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:36 2006
Subject: F-Prot errors
In-Reply-To:
Message-ID: <5.2.0.9.2.20030327173727.02283220@imap.ecs.soton.ac.uk>

At 16:39 27/03/2003, you wrote:
>Trying to setup F-Prot for evaluation w/ MailScanner and got this error:
>
>Either you've found a bug in MailScanner's F-Prot output parser, or
>F-Prot's output format has changed! F-Prot said
>this "Switches: -ARCHIVE -OLD". Please mail the author of MailScanner
>
>The file I loaded was fp-linux-eb-3.13-0.i386.rpm

Where did you find 3.13? I can only find 3.12d.
Any chance you could mail me 3.13 (me, not the whole list!). Then I will
make sure the output parser works with 3.13.

>I followed the notes in the FAQ
>
>
>I'm using MS 4.13-3 on a RH 7.2 box.
>
>Any ideas?
>
>Thanks
>
>Matthew

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Thu Mar 27 17:42:38 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:36 2006
Subject: failed
In-Reply-To: <3E8335FC.4010204@moment.net>
References: <5.2.0.9.2.20030327142855.043a8eb8@imap.ecs.soton.ac.uk> <5.2.0.9.2.20030327152916.043f0878@imap.ecs.soton.ac.uk>
Message-ID: <5.2.0.9.2.20030327174113.0256bd80@imap.ecs.soton.ac.uk>

At 17:33 27/03/2003, you wrote:
>Julian Field wrote:
>>At 15:27 27/03/2003, you wrote:
>>
>>>Julian Field wrote:
>>>
>>>>Okay, the installation of the HTML-Parser RPM didn't work.
>>>>First, try to remove the old one:
>>>>         rpm -e perl-HTML-Parser
>>>>         rm -rf
>>>>/usr/lib/perl5/site_perl/5.6.1/i586-linux/auto/HTML/Parser
>>>>Then try running ./install.sh again.
>>>>
>>>>Hi Julian,
>>>
>>>Did as above and it still failed> package perl-MIME-tools-5.411-pl4.2 is
>>>already installed
>>
>>
>>Your errors below shouldn't actually matter.
>>You can always do a "rpm -e perl-MIME-tools" before you run ./install.sh if
>>you like.
>>It's just trying to install the same thing over the version it already has.
>>
>>>>file /usr/man/man3/MIME::Body.3pm.gz from install of
>>>>perl-MIME-tools-5.411-pl4.2 conflicts with file from package
>>>>perl-MIME-tools-5.411-pl4.2
>>>>file /usr/man/man3/MIME::Decoder.3pm.gz from install of
>>>>perl-MIME-tools-5.411-pl4.2 conflicts with file from package
>>>>perl-MIME-tools-5.411-pl4.2
>>>>file /usr/man/man3/MIME::Decoder::Base64.3pm.gz from install of
>>>>perl-MIME-tools-5.411-pl4.2 conflicts with file from package
>>>>perl-MIME-tools-5.411-pl4.2
>>>>file /usr/man/man3/MIME::Decoder::Binary.3pm.gz from install of
>>>>perl-MIME-tools-5.411-pl4.2 conflicts with file from package
>>>>perl-MIME-tools-5.411-pl4.2
>>>>file /usr/man/man3/MIME::Decoder::Gzip64.3pm.gz from install of
>>>>perl-MIME-tools-5.411-pl4.2 conflicts with file from package
>>>>perl-MIME-tools-5.411-pl4.2
>>>>file /usr/man/man3/MIME::Decoder::NBit.3pm.gz from install of
>>>>perl-MIME-tools-5.411-pl4.2 conflicts with file from package
>>>>perl-MIME-tools-5.411-pl4.2
>>>>file /usr/man/man3/MIME::Decoder::QuotedPrint.3pm.gz from install of
>>>>perl-MIME-tools-5.411-pl4.2 conflicts with file from package
>>>>perl-MIME-tools-5.411-pl4.2
>>>>file /usr/man/man3/MIME::Decoder::UU.3pm.gz from install of
>>>>perl-MIME-tools-5.411-pl4.2 conflicts with file from package
>>>>perl-MIME-tools-5.411-pl4.2
>>>>file /usr/man/man3/MIME::Entity.3pm.gz from install of
>>>>perl-MIME-tools-5.411-pl4.2 conflicts with file from package
>>>>perl-MIME-tools-5.411-pl4.2
>>>>file /usr/man/man3/MIME::Field::ConTraEnc.3pm.gz from install of
>>>>perl-MIME-tools
>>
>>--
>>Julian Field
>>www.MailScanner.info
>>MailScanner thanks transtec Computers for their support
>>
>Any ideas on where to look for the reason rcMailScanner keeps failing.

Where did "rcMailScanner" come from? I've never written anything called
that, as far as I can remember :)
How are you trying to start up MailScanner? (what command?)
--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

From jase at SENSIS.COM Thu Mar 27 17:49:58 2003
From: jase at SENSIS.COM (Desai, Jason)
Date: Thu Jan 12 21:17:36 2006
Subject: email in exim incoming queue is not getting processed -- Please help
Message-ID:

Perhaps exim has the files locked for some reason? You can try killing the
incoming exim process and see if MailScanner picks up the files then. But
don't forget to restart exim!

Jason

> -----Original Message-----
> From: Hancock, Scott [mailto:HancockS@MORGANCO.COM]
> Sent: Thursday, March 27, 2003 12:08 PM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: [MAILSCANNER] email in exim incoming queue is not getting
> processed -- Please help
>
>
> Greetings all,
>
> This is a restate of a previous help request.
>
> Exim incoming has written a pile of messages to
> /var/spool/exim/incoming/input.
>
> For some reason mailscanner is not acting on these messages.
>
> Any guidance on how to troubleshoot or information on under what
> conditions mailscanner would not find or accept these files would be
> greatly appreciated.
>
> Debian sarge
> Exim 3.36
> MS 4.13
> Sa 2.44
>
> All new incoming mails are scanned and delivered.
>
> exim -bp shows the mail in the incoming directory without any errors.
> The queue originally had 1500 unscanned emails a MailScanner restart
> delivered half of these but I still have about 700 waiting
> for deliver.
>
> I'll gladly post any conf files.
>
> Please help.
>
> Scott Hancock
>

From hdbtroll at MOMENT.NET Thu Mar 27 17:56:11 2003
From: hdbtroll at MOMENT.NET (DB Troll)
Date: Thu Jan 12 21:17:37 2006
Subject: failed
References: <5.2.0.9.2.20030327142855.043a8eb8@imap.ecs.soton.ac.uk> <5.2.0.9.2.20030327152916.043f0878@imap.ecs.soton.ac.uk> <5.2.0.9.2.20030327174113.0256bd80@imap.ecs.soton.ac.uk>
Message-ID: <3E833B3B.50505@moment.net>

Julian Field wrote:

> At 17:33 27/03/2003, you wrote:
>
>> Julian Field wrote:
>>
>>> At 15:27 27/03/2003, you wrote:
>>>
>>>> Julian Field wrote:
>>>>
>>>>> Okay, the installation of the HTML-Parser RPM didn't work.
>>>>> First, try to remove the old one:
>>>>>         rpm -e perl-HTML-Parser
>>>>>         rm -rf
>>>>> /usr/lib/perl5/site_perl/5.6.1/i586-linux/auto/HTML/Parser
>>>>> Then try running ./install.sh again.
>>>>>
>>>>> Hi Julian,
>>>>
>>>>
>>>> Did as above and it still failed> package
>>>> perl-MIME-tools-5.411-pl4.2 is
>>>> already installed
>>>
>>>
>>>
>>> Your errors below shouldn't actually matter.
>>> You can always do a "rpm -e perl-MIME-tools" before you run
>>> ./install.sh if
>>> you like.
>>> It's just trying to install the same thing over the version it
>>> already has.
>>>
>>>>> file /usr/man/man3/MIME::Body.3pm.gz from install of
>>>>> perl-MIME-tools-5.411-pl4.2 conflicts with file from package
>>>>> perl-MIME-tools-5.411-pl4.2
>>>>> file /usr/man/man3/MIME::Decoder.3pm.gz from install of
>>>>> perl-MIME-tools-5.411-pl4.2 conflicts with file from package
>>>>> perl-MIME-tools-5.411-pl4.2
>>>>> file /usr/man/man3/MIME::Decoder::Base64.3pm.gz from install of
>>>>> perl-MIME-tools-5.411-pl4.2 conflicts with file from package
>>>>> perl-MIME-tools-5.411-pl4.2
>>>>> file /usr/man/man3/MIME::Decoder::Binary.3pm.gz from install of
>>>>> perl-MIME-tools-5.411-pl4.2 conflicts with file from package
>>>>> perl-MIME-tools-5.411-pl4.2
>>>>> file /usr/man/man3/MIME::Decoder::Gzip64.3pm.gz from install of
>>>>> perl-MIME-tools-5.411-pl4.2 conflicts with file from package
>>>>> perl-MIME-tools-5.411-pl4.2
>>>>> file /usr/man/man3/MIME::Decoder::NBit.3pm.gz from install of
>>>>> perl-MIME-tools-5.411-pl4.2 conflicts with file from package
>>>>> perl-MIME-tools-5.411-pl4.2
>>>>> file /usr/man/man3/MIME::Decoder::QuotedPrint.3pm.gz from install of
>>>>> perl-MIME-tools-5.411-pl4.2 conflicts with file from package
>>>>> perl-MIME-tools-5.411-pl4.2
>>>>> file /usr/man/man3/MIME::Decoder::UU.3pm.gz from install of
>>>>> perl-MIME-tools-5.411-pl4.2 conflicts with file from package
>>>>> perl-MIME-tools-5.411-pl4.2
>>>>> file /usr/man/man3/MIME::Entity.3pm.gz from install of
>>>>> perl-MIME-tools-5.411-pl4.2 conflicts with file from package
>>>>> perl-MIME-tools-5.411-pl4.2
>>>>> file /usr/man/man3/MIME::Field::ConTraEnc.3pm.gz from install of
>>>>> perl-MIME-tools
>>>>
>>>
>>> --
>>> Julian Field
>>> www.MailScanner.info
>>> MailScanner thanks transtec Computers for their support
>>>
>> Any ideas on where to look for the reason rcMailScanner keeps failing.
>
>
> Where did "rcMailScanner" come from? I've never written anything called
> that, as far as I can remember :)
> How are you trying to start up MailScanner? (what command?)
> --
> Julian Field
> www.MailScanner.info
> Professional Support Services at www.MailScanner.biz
> MailScanner thanks transtec Computers for their support
>
>
It came at the bottom of ./install.sh to start MailScanner
rcsendmail stop
chkconfig sendmail off
chkconfig MailScanner on
rcMailScanner start

David

From HancockS at MORGANCO.COM Thu Mar 27 17:56:25 2003
From: HancockS at MORGANCO.COM (Hancock, Scott)
Date: Thu Jan 12 21:17:37 2006
Subject: email in exim incoming queue is not getting processed -- Please help
Message-ID: <3EA1A302A4978A4C970D2C63F327156E658588@worc-mail2.int.morganco.com>

Dan,

Do you think this could still be the problem given I'm able to process
new mail?

This email passed through the same queues to and from the list.

To me your suggestion infers the assumption it's not working at all.

What do you think?

Scott

> -----Original Message-----
> From: Daniel Bird [mailto:dbird@SGHMS.AC.UK]
> Sent: Thursday, March 27, 2003 12:17 PM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: email in exim incoming queue is not getting processed --
> Please help
>
> Scott,
> I had a similar problem with exim and finding its input and output queues.
> For some reason my version (4.12, but also when I was using 3.x -
> probably a configure option;-) decided if I told it to use
>
> /var/spool/exim/input
>
> it actually looked in /var/spool/exim/input/input
> and likewise for /var/spool/exim/output (/var/spool/exim/output/input).
> ie, always added 'input' to the dir structure
>
> To get 'round this I have :
>
> in exim.conf.out
> spool_directory = /var/spool/exim/outgoing
>
> and in MailScanner.conf
> Incoming Queue Dir = /var/spool/exim/input
> Outgoing Queue Dir = /var/spool/exim/outgoing/input
>
> Works for me!
>
> Regards
> Dan
>
> Hancock, Scott wrote:
>
> >Greetings all,
> >
> >This is a restate of a previous help request.
> >
> >Exim incoming has written a pile of messages to
> >/var/spool/exim/incoming/input.
> >
> >For some reason mailscanner is not acting on these messages.
> >
> >Any guidance on how to troubleshoot or information on under what
> >conditions mailscanner would not find or accept these files would be
> >greatly appreciated.
> >
> >Debian sarge
> >Exim 3.36
> >MS 4.13
> >Sa 2.44
> >
> >All new incoming mails are scanned and delivered.
> >
> >exim -bp shows the mail in the incoming directory without any errors.
> >The queue originally had 1500 unscanned emails a MailScanner restart
> >delivered half of these but I still have about 700 waiting for deliver.
> >
> >I'll gladly post any conf files.
> >
> >Please help.
> >
> >Scott Hancock
> >
> >
> >
>
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
> Mailscanner thanks transtec Computers for their support.

From raymond at PROLOCATION.NET Thu Mar 27 18:02:43 2003
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:17:37 2006
Subject: F-Prot errors
In-Reply-To:
Message-ID:

Hi!

> The file I loaded was fp-linux-eb-3.13-0.i386.rpm

Strange, on their website i only found 3.12d. Could you try with a 3.12x
version of f-prot?

bye,
Raymond.

From dbird at SGHMS.AC.UK Thu Mar 27 18:02:34 2003
From: dbird at SGHMS.AC.UK (Daniel Bird)
Date: Thu Jan 12 21:17:37 2006
Subject: email in exim incoming queue is not getting processed -- Please help
References: <3EA1A302A4978A4C970D2C63F327156E658588@worc-mail2.int.morganco.com>
Message-ID: <3E833CBA.7010700@sghms.ac.uk>

I didn't read the last bit of your mail properly! It sounds MS is
processing your mail.
What does your maillog say?
Or your exim log?

Hancock, Scott wrote:

>Dan,
>
>Do you think this could still be the problem given I'm able to process
>new mail?
>
>This email passed through the same queues to and from the list.
>
>To me your suggestion infers the assumption it's not working at all.
>
>What do you think?
>
>
Sorry, I didn't read your mail properly! It sounds MS is processing your
mail OK if new mails are delivered.
What does your maillog say? MS should give an indication of how many
messages it sees in your input queue
Or your exim log? Any unusual events there?

Dan

>Scott
>
>
>
>>-----Original Message-----
>>From: Daniel Bird [mailto:dbird@SGHMS.AC.UK]
>>Sent: Thursday, March 27, 2003 12:17 PM
>>To: MAILSCANNER@JISCMAIL.AC.UK
>>Subject: Re: email in exim incoming queue is not getting processed --
>>Please help
>>
>>Scott,
>>I had a similar problem with exim and finding its input and output
>>
>>
>queues.
>
>
>>For some reason my version (4.12, but also when I was using 3.x -
>>probably a configure option;-) decided if I told it to use
>>
>>/var/spool/exim/input
>>
>>it actually looked in /var/spool/exim/input/input
>>and likewise for /var/spool/exim/output
>>
>>
>(/var/spool/exim/output/input).
>
>
>>ie, always added 'input' to the dir structure
>>
>>To get 'round this I have :
>>
>>in exim.conf.out
>>spool_directory = /var/spool/exim/outgoing
>>
>>and in MailScanner.conf
>>Incoming Queue Dir = /var/spool/exim/input
>>Outgoing Queue Dir = /var/spool/exim/outgoing/input
>>
>>Works for me!
>>
>>Regards
>>Dan
>>
>>Hancock, Scott wrote:
>>
>>
>>
>>>Greetings all,
>>>
>>>This is a restate of a previous help request.
>>>
>>>Exim incoming has written a pile of messages to
>>>/var/spool/exim/incoming/input.
>>>
>>>For some reason mailscanner is not acting on these messages.
>>>
>>>Any guidance on how to troubleshoot or information on under what
>>>conditions mailscanner would not find or accept these files would be
>>>greatly appreciated.
>>>
>>>Debian sarge
>>>Exim 3.36
>>>MS 4.13
>>>Sa 2.44
>>>
>>>All new incoming mails are scanned and delivered.
>>>
>>>exim -bp shows the mail in the incoming directory without any
>>>
>>>
>errors.
>
>
>>>The queue originally had 1500 unscanned emails a MailScanner restart
>>>delivered half of these but I still have about 700 waiting for
>>>
>>>
>deliver.
>
>
>>>I'll gladly post any conf files.
>>>
>>>Please help.
>>>
>>>Scott Hancock
>>>
>>>
>>>
>>>
>>>
>>
>>--
>>This message has been scanned for viruses and
>>dangerous content by MailScanner, and is
>>believed to be clean.
>>Mailscanner thanks transtec Computers for their support.
>>
>>
>
>
>

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
Mailscanner thanks transtec Computers for their support.

From HancockS at MORGANCO.COM Thu Mar 27 18:30:09 2003
From: HancockS at MORGANCO.COM (Hancock, Scott)
Date: Thu Jan 12 21:17:37 2006
Subject: email in exim incoming queue is not getting processed -- Please help
Message-ID: <3EA1A302A4978A4C970D2C63F327156E658589@worc-mail2.int.morganco.com>

Here is some of my mail.log file.

I did the restart at 8:23. Looks like the queue went down yesterday at 14:21

Gaps below indicate places I snipped the log.

Thanks

Scott

Mar 26 14:21:09 pebbles MailScanner[17287]: New Batch: Found 36 messages waiting
Mar 26 14:21:09 pebbles MailScanner[17287]: New Batch: Scanning 1 messages, 2078 bytes
Mar 26 14:21:09 pebbles MailScanner[17287]: Virus and Content Scanning: Starting
Mar 26 14:21:10 pebbles MailScanner[17287]: Uninfected: Delivered 1 messages
Mar 26 14:21:29 pebbles MailScanner[12401]: MailScanner child caught a SIGHUP
Mar 26 14:21:29 pebbles MailScanner[17681]: MailScanner child caught a SIGHUP
Mar 26 14:21:29 pebbles MailScanner[13277]: MailScanner child caught a SIGHUP
Mar 26 14:21:29 pebbles MailScanner[17287]: MailScanner child caught a SIGHUP
Mar 26 14:21:29 pebbles MailScanner[16329]: MailScanner child caught a SIGHUP
Mar 26 14:21:29 pebbles MailScanner[15128]: MailScanner child caught a SIGHUP
Mar 26 14:21:29 pebbles MailScanner[13549]: MailScanner child caught a SIGHUP
Mar 26 14:21:29 pebbles MailScanner[14608]: MailScanner child caught a SIGHUP
Mar 26 14:21:29 pebbles MailScanner[761]: MailScanner child caught a SIGHUP
Mar 26 14:21:29 pebbles MailScanner[26346]: MailScanner child caught a SIGHUP
Mar 26 15:01:56 pebbles F-Prot autoupdate[28704]: F-Prot successfully updated.
Mar 26 18:00:08 pebbles F-Prot autoupdate[31632]: F-Prot did not need updating.
Mar 26 21:00:02 pebbles F-Prot autoupdate[5522]: F-Prot did not need updating.
Mar 27 00:00:02 pebbles F-Prot autoupdate[14688]: F-Prot did not need updating.
Mar 27 03:00:04 pebbles F-Prot autoupdate[27398]: F-Prot did not need updating.
Mar 27 06:00:02 pebbles F-Prot autoupdate[11650]: F-Prot did not need updating.
Mar 27 08:23:54 pebbles MailScanner[23069]: MailScanner E-Mail Virus Scanner version 4.13-3 starting... Mar 27 08:23:54 pebbles MailScanner[23069]: User's home directory /root is not writable Mar 27 08:23:56 pebbles MailScanner[23069]: Using locktype = posix Mar 27 08:23:56 pebbles MailScanner[23069]: Creating hardcoded struct_flock subroutine for linux (Linux-type) Mar 27 08:23:56 pebbles MailScanner[23069]: New Batch: Found 2180 messages waiting Mar 27 08:23:56 pebbles MailScanner[23069]: New Batch: Scanning 100 messages, 4393367 bytes Mar 27 08:24:04 pebbles MailScanner[23097]: MailScanner E-Mail Virus Scanner version 4.13-3 starting... Mar 27 08:24:04 pebbles MailScanner[23097]: User's home directory /root is not writable Mar 27 08:24:09 pebbles MailScanner[23097]: Using locktype = posix Mar 27 08:24:09 pebbles MailScanner[23097]: Creating hardcoded struct_flock subroutine for linux (Linux-type) Mar 27 08:24:09 pebbles MailScanner[23097]: New Batch: Found 2181 messages waiting Mar 27 08:24:09 pebbles MailScanner[23097]: New Batch: Scanning 100 messages, 11392498 bytes Mar 27 08:24:14 pebbles MailScanner[23150]: MailScanner E-Mail Virus Scanner version 4.13-3 starting... Mar 27 08:24:14 pebbles MailScanner[23150]: User's home directory /root is not writable Mar 27 08:24:17 pebbles MailScanner[23150]: Using locktype = posix Mar 27 08:24:17 pebbles MailScanner[23150]: Creating hardcoded struct_flock subroutine for linux (Linux-type) Mar 27 08:24:18 pebbles MailScanner[23150]: New Batch: Found 2182 messages waiting Mar 27 08:24:18 pebbles MailScanner[23150]: New Batch: Scanning 100 messages, 5726911 bytes Mar 27 08:24:24 pebbles MailScanner[23232]: MailScanner E-Mail Virus Scanner version 4.13-3 starting... 
Mar 27 08:24:24 pebbles MailScanner[23232]: User's home directory /root is not writable Mar 27 08:24:27 pebbles MailScanner[23232]: Using locktype = posix Mar 27 08:24:27 pebbles MailScanner[23232]: Creating hardcoded struct_flock subroutine for linux (Linux-type) Mar 27 08:24:28 pebbles MailScanner[23232]: New Batch: Found 2182 messages waiting Mar 27 08:24:28 pebbles MailScanner[23232]: New Batch: Scanning 100 messages, 4924347 bytes Mar 27 08:25:36 pebbles MailScanner[23590]: New Batch: Found 2185 messages waiting Mar 27 08:25:36 pebbles MailScanner[23590]: New Batch: Scanning 100 messages, 1542723 bytes Mar 27 08:25:38 pebbles MailScanner[23097]: SpamAssassin timed out and was killed, consecutive failure 1 of 20 Mar 27 08:25:48 pebbles MailScanner[23422]: SpamAssassin timed out and was killed, consecutive failure 1 of 20 Mar 27 08:26:04 pebbles MailScanner[23150]: SpamAssassin timed out and was killed, consecutive failure 1 of 20 Mar 27 08:26:07 pebbles MailScanner[23232]: SpamAssassin timed out and was killed, consecutive failure 1 of 20 Mar 27 08:26:19 pebbles MailScanner[23307]: SpamAssassin timed out and was killed, consecutive failure 1 of 20 Mar 27 08:26:25 pebbles MailScanner[23590]: SpamAssassin timed out and was killed, consecutive failure 1 of 20 Mar 27 08:26:47 pebbles MailScanner[23484]: SpamAssassin timed out and was killed, consecutive failure 1 of 20 Mar 27 08:27:07 pebbles MailScanner[23097]: Spam Checks: Found 13 spam messages Mar 27 08:27:23 pebbles MailScanner[23534]: SpamAssassin timed out and was killed, consecutive failure 1 of 20 Mar 27 08:27:40 pebbles MailScanner[23097]: Virus and Content Scanning: Starting Mar 27 08:27:47 pebbles MailScanner[23307]: SpamAssassin timed out and was killed, consecutive failure 1 of 20 Mar 27 08:27:56 pebbles MailScanner[23097]: Uninfected: Delivered 100 messages Mar 27 08:28:01 pebbles MailScanner[23097]: New Batch: Found 2093 messages waiting Mar 27 08:28:01 pebbles MailScanner[23097]: New Batch: 
Scanning 100 messages, 1443894 bytes Mar 27 08:28:23 pebbles MailScanner[23150]: Spam Checks: Found 12 spam messages Mar 27 08:28:33 pebbles MailScanner[23534]: SpamAssassin timed out and was killed, consecutive failure 2 of 20 Mar 27 08:28:38 pebbles MailScanner[23365]: SpamAssassin timed out and was killed, consecutive failure 1 of 20 Mar 27 08:28:44 pebbles MailScanner[23150]: Virus and Content Scanning: Starting Mar 27 08:28:51 pebbles MailScanner[23150]: /var/spool/MailScanner/incoming/23150/18yMjm-00026K-00/UGINE.zip->103290 $ Mar 27 08:28:51 pebbles MailScanner[23150]: /var/spool/MailScanner/incoming/23150/18yMjm-00026K-00/UGINE.zip->103290 $ Mar 27 08:28:51 pebbles MailScanner[23150]: /var/spool/MailScanner/incoming/23150/18yMjm-00026K-00/UGINE.zip->103290 $ Mar 27 08:28:51 pebbles MailScanner[23150]: /var/spool/MailScanner/incoming/23150/18yMjm-00026K-00/UGINE.zip->103290 $ Mar 27 08:28:51 pebbles MailScanner[23150]: /var/spool/MailScanner/incoming/23150/18yMjm-00026K-00/UGINE.zip->103296 $ Mar 27 08:28:51 pebbles MailScanner[23150]: /var/spool/MailScanner/incoming/23150/18yMjm-00026K-00/UGINE.zip->103296 $ Mar 27 08:28:57 pebbles MailScanner[23150]: Uninfected: Delivered 100 messages Mar 27 08:29:01 pebbles MailScanner[23150]: New Batch: Found 1998 messages waiting Mar 27 08:29:02 pebbles MailScanner[23150]: New Batch: Scanning 100 messages, 5453460 bytes Mar 27 08:29:26 pebbles MailScanner[23097]: SpamAssassin timed out and was killed, consecutive failure 1 of 20 Mar 27 08:29:56 pebbles MailScanner[23150]: SpamAssassin timed out and was killed, consecutive failure 1 of 20 Mar 27 08:30:02 pebbles MailScanner[23307]: SpamAssassin timed out and was killed, consecutive failure 1 of 20 Mar 27 08:30:04 pebbles MailScanner[23590]: SpamAssassin timed out and was killed, consecutive failure 1 of 20 Mar 27 08:30:43 pebbles MailScanner[23097]: SpamAssassin timed out and was killed, consecutive failure 1 of 20 Mar 27 08:30:48 pebbles MailScanner[23590]: SpamAssassin 
timed out and was killed, consecutive failure 1 of 20 Mar 27 08:31:07 pebbles MailScanner[23307]: SpamAssassin timed out and was killed, consecutive failure 1 of 20 Mar 27 08:31:30 pebbles MailScanner[23307]: Spam Checks: Found 16 spam messages Mar 27 08:32:05 pebbles MailScanner[23307]: Virus and Content Scanning: Starting Mar 27 08:32:17 pebbles MailScanner[23307]: /var/spool/MailScanner/incoming/23307/18yNkh-0005cs-00/msg-23307-29.txt- $ Mar 27 08:32:17 pebbles MailScanner[23307]: Virus Scanning: F-Prot found virus W32/Klez.H@mm Mar 27 08:32:17 pebbles MailScanner[23307]: Virus Scanning: f-prot found 1 infections Mar 27 08:32:17 pebbles MailScanner[23307]: Virus Scanning: Found 1 viruses Mar 27 08:32:19 pebbles MailScanner[23307]: Saved infected "msg-23307-29.txt" to /var/spool/MailScanner/quarantine/2$ Mar 27 08:32:20 pebbles MailScanner[23150]: SpamAssassin timed out and was killed, consecutive failure 1 of 20 Mar 27 12:39:59 pebbles MailScanner[737]: Expanding TNEF archive at /var/spool/MailScanner/incoming/737/18yg2L-0001uC-00/winmail.dat Mar 27 12:40:00 pebbles MailScanner[737]: Corrupt TNEF winmail.dat that cannot be analysed in message 18yg2L-0001uC-00 Mar 27 12:40:00 pebbles MailScanner[737]: Virus and Content Scanning: Starting Mar 27 12:51:54 pebbles MailScanner[737]: Virus and Content Scanning: Starting Mar 27 12:51:54 pebbles MailScanner[737]: Content Checks: Fixed awkward MIME boundary for Cyrus IMAP server in 18ygDM-0002tP-00 Mar 27 12:51:54 pebbles MailScanner[737]: Uninfected: Delivered 1 messages Mar 27 12:51:58 pebbles MailScanner[775]: New Batch: Found 1414 messages waiting Mar 27 12:58:08 pebbles MailScanner[737]: Virus and Content Scanning: Starting Mar 27 12:58:08 pebbles MailScanner[737]: Uninfected: Delivered 1 messages Mar 27 12:58:11 pebbles MailScanner[775]: SpamAssassin timed out and was killed, consecutive failure 1 of 20 Mar 27 12:58:16 pebbles MailScanner[737]: New Batch: Found 1421 messages waiting Mar 27 12:58:16 pebbles 
MailScanner[737]: New Batch: Scanning 1 messages, 3036 bytes pebbles MailScanner[775]: New Batch: Scanning 1 messages, 1521 bytes Mar 27 12:32:33 pebbles MailScanner[775]: Virus and Content Scanning: Starting Mar 27 12:32:33 pebbles MailScanner[737]: New Batch: Found 2120 messages waiting Mar 27 12:32:33 pebbles MailScanner[737]: New Batch: Scanning 1 messages, 3360 bytes Mar 27 12:32:33 pebbles MailScanner[775]: Uninfected: Delivered 1 messages Mar 27 12:32:34 pebbles MailScanner[737]: Virus and Content Scanning: Starting Mar 27 12:32:35 pebbles MailScanner[737]: Uninfected: Delivered 1 messages Mar 27 12:32:41 pebbles MailScanner[775]: New Batch: Found 1414 messages waiting Mar 27 12:32:41 pebbles MailScanner[775]: New Batch: Scanning 1 messages, 5214 bytes Mar 27 12:32:42 pebbles MailScanner[775]: Virus and Content Scanning: Starting Mar 27 12:32:43 pebbles MailScanner[775]: Uninfected: Delivered 1 messages Mar 27 12:32:55 pebbles MailScanner[737]: New Batch: Found 2826 messages waiting Mar 27 12:32:55 pebbles MailScanner[737]: New Batch: Scanning 1 messages, 1265 bytes Mar 27 12:32:56 pebbles MailScanner[737]: Virus and Content Scanning: Starting Mar 27 12:32:57 pebbles MailScanner[737]: Uninfected: Delivered 1 messages Mar 27 12:33:58 pebbles MailScanner[775]: New Batch: Found 9180 messages waiting Mar 27 12:33:58 pebbles MailScanner[775]: New Batch: Scanning 1 messages, 2093 bytes Mar 27 12:33:59 pebbles MailScanner[775]: Spam Checks: Found 1 spam messages Mar 27 12:33:59 pebbles MailScanner[775]: Virus and Content Scanning: Starting Mar 27 12:33:59 pebbles MailScanner[775]: Uninfected: Delivered 1 messages Mar 27 12:34:01 pebbles MailScanner[775]: New Batch: Found 707 messages waiting Mar 27 12:34:01 pebbles MailScanner[775]: New Batch: Scanning 1 messages, 3288 bytes Mar 27 12:34:02 pebbles MailScanner[775]: Virus and Content Scanning: Starting Mar 27 12:34:03 pebbles MailScanner[775]: Uninfected: Delivered 1 messages Mar 27 12:34:04 pebbles 
MailScanner[775]: New Batch: Found 707 messages waiting Mar 27 12:34:04 pebbles MailScanner[775]: New Batch: Scanning 1 messages, 4155 bytes Mar 27 12:34:06 pebbles MailScanner[775]: Virus and Content Scanning: Starting Mar 27 12:34:06 pebbles MailScanner[775]: Uninfected: Delivered 1 messages Mar 27 12:35:38 pebbles MailScanner[737]: New Batch: Found 19065 messages waiting Mar 27 12:35:38 pebbles MailScanner[737]: New Batch: Scanning 1 messages, 7559 bytes Mar 27 12:35:40 pebbles MailScanner[737]: Virus and Content Scanning: Starting Mar 27 12:35:41 pebbles MailScanner[737]: Uninfected: Delivered 1 messages Mar 27 12:35:45 pebbles MailScanner[775]: New Batch: Found 12004 messages waiting Mar 27 12:35:45 pebbles MailScanner[775]: New Batch: Scanning 1 messages, 9559 bytes Mar 27 12:35:47 pebbles MailScanner[775]: Virus and Content Scanning: Starting Mar 27 12:35:48 pebbles MailScanner[775]: Uninfected: Delivered 1 messages Mar 27 12:35:49 pebbles MailScanner[737]: New Batch: Found 1414 messages waiting Mar 27 12:35:49 pebbles MailScanner[737]: New Batch: Scanning 1 messages, 3765 bytes Mar 27 12:35:50 pebbles MailScanner[737]: Virus and Content Scanning: Starting Mar 27 12:58:17 pebbles MailScanner[737]: Virus and Content Scanning: Starting Mar 27 12:58:18 pebbles MailScanner[737]: Uninfected: Delivered 1 messages Mar 27 12:58:32 pebbles MailScanner[737]: New Batch: Found 2131 messages waiting Mar 27 12:58:32 pebbles MailScanner[737]: New Batch: Scanning 1 messages, 9922 bytes Mar 27 12:58:57 pebbles MailScanner[775]: SpamAssassin timed out and was killed, consecutive failure 1 of 20 Mar 27 12:59:02 pebbles MailScanner[737]: SpamAssassin timed out and was killed, consecutive failure 1 of 20 Mar 27 12:59:15 pebbles MailScanner[737]: Virus and Content Scanning: Starting Mar 27 12:59:16 pebbles MailScanner[737]: Uninfected: Delivered 1 messages Mar 27 12:59:17 pebbles MailScanner[737]: New Batch: Found 716 messages waiting Mar 27 12:59:17 pebbles MailScanner[737]: New 
Batch: Scanning 6 messages, 8703101 bytes Mar 27 12:59:41 pebbles MailScanner[775]: SpamAssassin timed out and was killed, consecutive failure 2 of 20 Mar 27 12:59:49 pebbles MailScanner[737]: SpamAssassin timed out and was killed, consecutive failure 1 of 20 Mar 27 12:59:54 pebbles MailScanner[775]: Virus and Content Scanning: Starting Mar 27 12:59:55 pebbles MailScanner[775]: Uninfected: Delivered 4 messages Mar 27 12:59:56 pebbles MailScanner[775]: New Batch: Found 715 messages waiting Mar 27 12:59:57 pebbles MailScanner[775]: New Batch: Scanning 3 messages, 21151 bytes Mar 27 13:00:27 pebbles MailScanner[775]: SpamAssassin timed out and was killed, consecutive failure 3 of 20 Mar 27 13:00:35 pebbles MailScanner[737]: SpamAssassin timed out and was killed, consecutive failure 2 of 20 Mar 27 13:01:10 pebbles MailScanner[775]: SpamAssassin timed out and was killed, consecutive failure 4 of 20 Mar 27 13:01:19 pebbles MailScanner[737]: SpamAssassin timed out and was killed, consecutive failure 1 of 20 Mar 27 13:01:23 pebbles MailScanner[775]: Virus and Content Scanning: Starting Mar 27 13:01:24 pebbles MailScanner[775]: Uninfected: Delivered 3 messages Mar 27 13:01:26 pebbles MailScanner[775]: New Batch: Found 720 messages waiting > -----Original Message----- 
> From: Daniel Bird [mailto:dbird@SGHMS.AC.UK]
> Sent: Thursday, March 27, 2003 1:03 PM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: email in exim incoming queue is not getting processed --
> Please help
>
> I didn't read the last bit of your mail properly! It sounds MS is
> processing your mail.
>
> What does your maillog say? Or your exim log?
>
> Hancock, Scott wrote:
>
> >Dan,
> >
> >Do you think this could still be the problem given I'm able to process
> >new mail?
> >
> >This email passed through the same queue's to and from the list.
> >
> >To me you're suggestion infers the assumption it's not working at all.
> >
> >What do you think?
> >
> >
> Sorry, I didn't read your mail properly! It sounds MS is processing your
> mail OK if new mails are delivered.
>
> What does your maillog say? MS should give an indication of how many
> messages it sees in your input queue
>
> Or your exim log? Any unusual events there?
>
> Dan
>
> >Scott
> >
> >
> >
> >>-----Original Message-----
> >>From: Daniel Bird [mailto:dbird@SGHMS.AC.UK]
> >>Sent: Thursday, March 27, 2003 12:17 PM
> >>To: MAILSCANNER@JISCMAIL.AC.UK
> >>Subject: Re: email in exim incoming queue is not getting processed --
> >>Please help
> >>
> >>Scott,
> >>I had a similar problem with exim and finding it's input and ouput
> >>
> >>
> >queues.
> >
> >
> >>For some reason my version (4.12, but also when I was using 3.x -
> >>probably a configure option;-) decided if I told it to use
> >>
> >>/var/spool/exim/input
> >>
> >>it actually looked in /var/spool/exim/input/input
> >>and likewise for /var/spool/exim/output
> >>
> >>
> >(/var/spool/exim/output/input).
> >
> >
> >>ie, always added 'input' to the dir structure
> >>
> >>To get 'round this I have :
> >>
> >>in exim.conf.out
> >>spool_directory = /var/spool/exim/outgoing
> >>
> >>and in MailScanner.conf
> >>Incoming Queue Dir = /var/spool/exim/input
> >>Outgoing Queue Dir = /var/spool/exim/outgoing/input
> >>
> >>Works for me!
> >>
> >>Regards
> >>Dan
> >>
> >>Hancock, Scott wrote:
> >>
> >>
> >>
> >>>Greetings all,
> >>>
> >>>This is a restate of a previous help request.
> >>>
> >>>Exim incoming has written a pile of messages to
> >>>/var/spool/exim/incoming/input.
> >>>
> >>>For some reason mailscanner is not acting on these messages.
> >>>
> >>>Any guidance on how to troubleshoot or information on under what
> >>>conditions mailscanner would not find or accept these files would be
> >>>greatly appreciated.
> >>>
> >>>Debian sarge
> >>>Exim 3.36
> >>>MS 4.13
> >>>Sa 2.44
> >>>
> >>>All new incoming mails are scanned and delivered.
> >>>
> >>>exim -bp shows the mail in the incoming directory without any
> >>>
> >>>
> >errors.
> >
> >
> >>>The queue originally had 1500 unscanned emails a Mainscanner restart
> >>>delivered half of these but I still have about 700 waiting for
> >>>
> >>>
> >deliver.
> >
> >
> >>>I'll gladly post any conf files.
> >>>
> >>>Please help.
> >>>
> >>>Scott Hancock
> >>>
> >>>
> >>>
> >>>
> >>>
> >>
> >>--
> >>This message has been scanned for viruses and
> >>dangerous content by MailScanner, and is
> >>believed to be clean.
> >>Mailscanner thanks transtec Computers for their support.
> >>
> >>
> >
> >
> >
>
>
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
> Mailscanner thanks transtec Computers for their support.

From dbird at SGHMS.AC.UK Thu Mar 27 18:41:35 2003
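One way to pull the queue-depth readings and SpamAssassin timeouts out of a mail.log like the one posted above, as an added example that is not part of the thread or of MailScanner itself. The sample lines are excerpted from that log in the order they were posted; the year 2003, the 5x ratio and the 120-second window are assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Excerpted from the mail.log posted above, kept in posted order.
SAMPLE_LOG = """\
Mar 27 12:58:16 pebbles MailScanner[737]: New Batch: Found 1421 messages waiting
Mar 27 12:32:33 pebbles MailScanner[737]: New Batch: Found 2120 messages waiting
Mar 27 12:33:58 pebbles MailScanner[775]: New Batch: Found 9180 messages waiting
Mar 27 12:34:01 pebbles MailScanner[775]: New Batch: Found 707 messages waiting
Mar 27 12:34:04 pebbles MailScanner[775]: New Batch: Found 707 messages waiting
Mar 27 12:35:38 pebbles MailScanner[737]: New Batch: Found 19065 messages waiting
Mar 27 12:35:45 pebbles MailScanner[775]: New Batch: Found 12004 messages waiting
Mar 27 12:35:49 pebbles MailScanner[737]: New Batch: Found 1414 messages waiting
Mar 27 12:59:41 pebbles MailScanner[775]: SpamAssassin timed out and was killed, consecutive failure 2 of 20
Mar 27 13:00:27 pebbles MailScanner[775]: SpamAssassin timed out and was killed, consecutive failure 3 of 20
Mar 27 13:00:35 pebbles MailScanner[737]: SpamAssassin timed out and was killed, consecutive failure 2 of 20
Mar 27 13:01:10 pebbles MailScanner[775]: SpamAssassin timed out and was killed, consecutive failure 4 of 20
"""

LINE_RE = re.compile(r"^(\w{3}\s+\d+\s[\d:]{8})\s(\S+)\sMailScanner\[(\d+)\]:\s(.*)$")
FOUND_RE = re.compile(r"New Batch: Found (\d+) messages waiting")
SA_RE = re.compile(r"SpamAssassin timed out and was killed, consecutive failure (\d+) of \d+")


def parse(text, year=2003):
    """Return (timestamp, pid, message) for every MailScanner line.

    Syslog timestamps carry no year; 2003 is an assumption taken from
    the dates of the thread.
    """
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        stamp, _host, pid, msg = m.groups()
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        events.append((ts, int(pid), msg))
    return events


def out_of_order(events):
    """Indices where time runs backwards, i.e. the excerpt was pasted out of sequence."""
    return [i for i in range(1, len(events)) if events[i][0] < events[i - 1][0]]


def queue_readings(events):
    """(timestamp, pid, count) for each 'Found N messages waiting', in time order."""
    readings = []
    for ts, pid, msg in events:
        m = FOUND_RE.search(msg)
        if m:
            readings.append((ts, pid, int(m.group(1))))
    return sorted(readings)


def queue_jumps(readings, factor=5.0, window_s=120):
    """Consecutive readings that differ by >= factor within window_s seconds.

    Both thresholds are assumptions; a hit is only a prompt to investigate.
    """
    flagged = []
    for (t0, _p0, n0), (t1, _p1, n1) in zip(readings, readings[1:]):
        gap = (t1 - t0).total_seconds()
        ratio = max(n0, n1) / max(min(n0, n1), 1)
        if gap <= window_s and ratio >= factor:
            flagged.append((t0, n0, t1, n1))
    return flagged


def sa_timeouts(events):
    """Per child PID: (number of timeout lines, highest consecutive-failure counter)."""
    stats = defaultdict(lambda: [0, 0])
    for _ts, pid, msg in events:
        m = SA_RE.search(msg)
        if m:
            stats[pid][0] += 1
            stats[pid][1] = max(stats[pid][1], int(m.group(1)))
    return {pid: tuple(v) for pid, v in stats.items()}


if __name__ == "__main__":
    ev = parse(SAMPLE_LOG)
    print("timestamps going backwards at event index:", out_of_order(ev))
    for t0, n0, t1, n1 in queue_jumps(queue_readings(ev)):
        print(f"queue reading {n0} at {t0:%H:%M:%S} -> {n1} at {t1:%H:%M:%S}")
    for pid, (count, worst) in sorted(sa_timeouts(ev).items()):
        print(f"pid {pid}: {count} SpamAssassin timeouts, worst consecutive failure {worst}")
```

Sorting the readings by timestamp before comparing them matters here because the posted excerpt was snipped and is not in chronological order.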
From: dbird at SGHMS.AC.UK (Daniel Bird)
Date: Thu Jan 12 21:17:37 2006
Subject: email in exim incoming queue is not getting processed -- Please help
References: <3EA1A302A4978A4C970D2C63F327156E658589@worc-mail2.int.morganco.com>
Message-ID: <3E8345DF.6000607@sghms.ac.uk>

Hancock, Scott wrote:

>Here is some of my mail.log file.
>
>I did the restart at 8:23. Looks like the queue went down yesterday at
>14:21
>
>Gaps below indicate places I snipped the log.
>
>
>Thanks
>
>Scott
>
>< snip>
>Mar 27 08:23:56 pebbles MailScanner[23069]: Using locktype = posix
>Mar 27 08:23:56 pebbles MailScanner[23069]: Creating hardcoded
>struct_flock subroutine for linux (Linux-type)
>Mar 27 08:23:56 pebbles MailScanner[23069]: New Batch: Found 2180
>messages waiting
>Mar 27 08:23:56 pebbles MailScanner[23069]: New Batch: Scanning 100
>messages, 4393367 bytes
>Mar 27 08:24:04 pebbles MailScanner[23097]: MailScanner E-Mail Virus
>Scanner version 4.13-3 starting...
>
>
something to check out?....

>Mar 27 08:24:04 pebbles MailScanner[23097]: User's home directory /root
>is not writable
>
Also, from your log it looks as though MS is seeing all your messages, as the numbers are changing. What's the load like on your system?

I don't know if it's significant but there is a huge jump in the number of messages MS is seeing...

>Mar 27 12:34:04 pebbles MailScanner[775]: New Batch: Found 707 messages
>waiting
>Mar 27 12:34:04 pebbles MailScanner[775]: New Batch: Scanning 1
>messages, 4155 bytes
>Mar 27 12:34:06 pebbles MailScanner[775]: Virus and Content Scanning:
>Starting
>Mar 27 12:34:06 pebbles MailScanner[775]: Uninfected: Delivered 1
>messages
>Mar 27 12:35:38 pebbles MailScanner[737]: New Batch: Found 19065
>messages waiting

Are any of the remaining messages in your queue marked as frozen or locked in your exim log?

>
>
>>-----Original Message-----
>>From: Daniel Bird [mailto:dbird@SGHMS.AC.UK]
>>Sent: Thursday, March 27, 2003 1:03 PM
>>To: MAILSCANNER@JISCMAIL.AC.UK
>>Subject: Re: email in exim incoming queue is not getting processed --
>>Please help
>>
>>I didn't read the last bit of your mail properly! It sounds MS is
>>processing your mail.
>>
>>What does your maillog say? Or your exim log?
>>
>>Hancock, Scott wrote:
>>
>>
>>
>>>Dan,
>>>
>>>Do you think this could still be the problem given I'm able to
>>>
>>>
>process
>
>
>>>new mail?
>>>
>>>This email passed through the same queue's to and from the list.
>>>
>>>To me you're suggestion infers the assumption it's not working at
>>>
>>>
>all.
>
>
>>>What do you think?
>>>
>>>
>>>
>>>
>>Sorry, I didn't read your mail properly! It sounds MS is processing
>>
>>
>your
>
>
>>mail OK if new mails are delivered.
>>
>>What does your maillog say? MS should give an indication of how many
>>messages it sees in your input queue
>>
>>Or your exim log? Any unusual events there?
>>
>>Dan
>>
>>
>>
>>>Scott
>>>
>>>
>>>
>>>
>>>
>>>>-----Original Message-----
>>>>From: Daniel Bird [mailto:dbird@SGHMS.AC.UK]
>>>>Sent: Thursday, March 27, 2003 12:17 PM
>>>>To: MAILSCANNER@JISCMAIL.AC.UK
>>>>Subject: Re: email in exim incoming queue is not getting processed
>>>>
>>>>
>--
>
>
>>>>Please help
>>>>
>>>>Scott,
>>>>I had a similar problem with exim and finding it's input and ouput
>>>>
>>>>
>>>>
>>>>
>>>queues.
>>>
>>>
>>>
>>>
>>>>For some reason my version (4.12, but also when I was using 3.x -
>>>>probably a configure option;-) decided if I told it to use
>>>>
>>>>/var/spool/exim/input
>>>>
>>>>it actually looked in /var/spool/exim/input/input
>>>>and likewise for /var/spool/exim/output
>>>>
>>>>
>>>>
>>>>
>>>(/var/spool/exim/output/input).
>>>
>>>
>>>
>>>
>>>>ie, always added 'input' to the dir structure
>>>>
>>>>To get 'round this I have :
>>>>
>>>>in exim.conf.out
>>>>spool_directory = /var/spool/exim/outgoing
>>>>
>>>>and in MailScanner.conf
>>>>Incoming Queue Dir = /var/spool/exim/input
>>>>Outgoing Queue Dir = /var/spool/exim/outgoing/input
>>>>
>>>>Works for me!
>>>>
>>>>Regards
>>>>Dan
>>>>
>>>>Hancock, Scott wrote:
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>>Greetings all,
>>>>>
>>>>>This is a restate of a previous help request.
>>>>>
>>>>>Exim incoming has written a pile of messages to
>>>>>/var/spool/exim/incoming/input.
>>>>>
>>>>>For some reason mailscanner is not acting on these messages.
>>>>>
>>>>>Any guidance on how to troubleshoot or information on under what
>>>>>conditions mailscanner would not find or accept these files would
>>>>>
>>>>>
>be
>
>
>>>>>greatly appreciated.
>>>>>
>>>>>Debian sarge
>>>>>Exim 3.36
>>>>>MS 4.13
>>>>>Sa 2.44
>>>>>
>>>>>All new incoming mails are scanned and delivered.
>>>>>
>>>>>exim -bp shows the mail in the incoming directory without any
>>>>>
>>>>>
>>>>>
>>>>>
>>>errors.
>>>
>>>
>>>
>>>
>>>>>The queue originally had 1500 unscanned emails a Mainscanner
>>>>>
>>>>>
>restart
>
>
>>>>>delivered half of these but I still have about 700 waiting for
>>>>>
>>>>>
>>>>>
>>>>>
>>>deliver.
>>>
>>>
>>>
>>>
>>>>>I'll gladly post any conf files.
>>>>>
>>>>>Please help.
>>>>>
>>>>>Scott Hancock
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>--
>>>>This message has been scanned for viruses and
>>>>dangerous content by MailScanner, and is
>>>>believed to be clean.
>>>>Mailscanner thanks transtec Computers for their support.
>>>>
>>>>
>>>>
>>>>
>>>
>>>
>>>
>>
>>--
>>This message has been scanned for viruses and
>>dangerous content by MailScanner, and is
>>believed to be clean.
>>Mailscanner thanks transtec Computers for their support.
>>
>>
>
>
>
--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
Mailscanner thanks transtec Computers for their support.

From HancockS at MORGANCO.COM Thu Mar 27 18:42:17 2003
From: HancockS at MORGANCO.COM (Hancock, Scott)
Date: Thu Jan 12 21:17:37 2006
Subject: email in exim incoming queue is not getting processed -- Please help
Message-ID: <3EA1A302A4978A4C970D2C63F327156E65858B@worc-mail2.int.morganco.com>

Let's try an attachment so it's readable.

Sorry for the double post.

Scott

> -----Original Message-----
> From: Hancock, Scott
> Sent: Thursday, March 27, 2003 1:30 PM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: email in exim incoming queue is not getting processed --
> Please help
>
> Here is some of my mail.log file.
>
> I did the restart at 8:23. Looks like the queue went down yesterday at
> 14:21
>
> Gaps below indicate places I snipped the log.
>
>
> Thanks
>
> Scott
>
>
> Mar 26 14:21:09 pebbles MailScanner[17287]: New Batch: Found 36 messages
> waiting
> Mar 26 14:21:09 pebbles MailScanner[17287]: New Batch: Scanning 1
> messages, 2078 bytes
> Mar 26 14:21:09 pebbles MailScanner[17287]: Virus and Content Scanning:
> Starting
-------------- next part --------------
Mar 26 14:21:09 pebbles MailScanner[17287]: New Batch: Found 36 messages waiting
Mar 26 14:21:09 pebbles MailScanner[17287]: New Batch: Scanning 1 messages, 2078 bytes
Mar 26 14:21:09 pebbles MailScanner[17287]: Virus and Content Scanning: Starting
Mar 26 14:21:10 pebbles MailScanner[17287]: Uninfected: Delivered 1 messages
Mar 26 14:21:29 pebbles MailScanner[12401]: MailScanner child caught a SIGHUP
Mar 26 14:21:29 pebbles MailScanner[17681]: MailScanner child caught a SIGHUP
Mar 26 14:21:29 pebbles MailScanner[13277]: MailScanner child caught a SIGHUP
Mar 26 14:21:29 pebbles MailScanner[17287]: MailScanner child caught a SIGHUP
Mar 26 14:21:29 pebbles MailScanner[16329]: MailScanner child caught a SIGHUP
Mar 26 14:21:29 pebbles MailScanner[15128]: MailScanner child caught a SIGHUP
Mar 26 14:21:29 pebbles MailScanner[13549]: MailScanner child caught a SIGHUP
Mar 26 14:21:29 pebbles MailScanner[14608]: MailScanner child caught a SIGHUP
Mar 26 14:21:29 pebbles MailScanner[761]: MailScanner child caught a SIGHUP
Mar 26 14:21:29 pebbles MailScanner[26346]: MailScanner child caught a SIGHUP
Mar 26 15:01:56 pebbles F-Prot autoupdate[28704]: F-Prot successfully updated.
Mar 26 18:00:08 pebbles F-Prot autoupdate[31632]: F-Prot did not need updating.
Mar 26 21:00:02 pebbles F-Prot autoupdate[5522]: F-Prot did not need updating. Mar 27 00:00:02 pebbles F-Prot autoupdate[14688]: F-Prot did not need updating. Mar 27 03:00:04 pebbles F-Prot autoupdate[27398]: F-Prot did not need updating. Mar 27 06:00:02 pebbles F-Prot autoupdate[11650]: F-Prot did not need updating. Mar 27 08:23:54 pebbles MailScanner[23069]: MailScanner E-Mail Virus Scanner version 4.13-3 starting... Mar 27 08:23:54 pebbles MailScanner[23069]: User's home directory /root is not writable Mar 27 08:23:56 pebbles MailScanner[23069]: Using locktype = posix Mar 27 08:23:56 pebbles MailScanner[23069]: Creating hardcoded struct_flock subroutine for linux (Linux-type) Mar 27 08:23:56 pebbles MailScanner[23069]: New Batch: Found 2180 messages waiting Mar 27 08:23:56 pebbles MailScanner[23069]: New Batch: Scanning 100 messages, 4393367 bytes Mar 27 08:24:04 pebbles MailScanner[23097]: MailScanner E-Mail Virus Scanner version 4.13-3 starting... Mar 27 08:24:04 pebbles MailScanner[23097]: User's home directory /root is not writable Mar 27 08:24:09 pebbles MailScanner[23097]: Using locktype = posix Mar 27 08:24:09 pebbles MailScanner[23097]: Creating hardcoded struct_flock subroutine for linux (Linux-type) Mar 27 08:24:09 pebbles MailScanner[23097]: New Batch: Found 2181 messages waiting Mar 27 08:24:09 pebbles MailScanner[23097]: New Batch: Scanning 100 messages, 11392498 bytes Mar 27 08:24:14 pebbles MailScanner[23150]: MailScanner E-Mail Virus Scanner version 4.13-3 starting... 
Mar 27 08:24:14 pebbles MailScanner[23150]: User's home directory /root is not writable Mar 27 08:24:17 pebbles MailScanner[23150]: Using locktype = posix Mar 27 08:24:17 pebbles MailScanner[23150]: Creating hardcoded struct_flock subroutine for linux (Linux-type) Mar 27 08:24:18 pebbles MailScanner[23150]: New Batch: Found 2182 messages waiting Mar 27 08:24:18 pebbles MailScanner[23150]: New Batch: Scanning 100 messages, 5726911 bytes Mar 27 08:24:24 pebbles MailScanner[23232]: MailScanner E-Mail Virus Scanner version 4.13-3 starting... Mar 27 08:24:24 pebbles MailScanner[23232]: User's home directory /root is not writable Mar 27 08:24:27 pebbles MailScanner[23232]: Using locktype = posix Mar 27 08:24:27 pebbles MailScanner[23232]: Creating hardcoded struct_flock subroutine for linux (Linux-type) Mar 27 08:24:28 pebbles MailScanner[23232]: New Batch: Found 2182 messages waiting Mar 27 08:24:28 pebbles MailScanner[23232]: New Batch: Scanning 100 messages, 4924347 bytes Mar 27 08:25:36 pebbles MailScanner[23590]: New Batch: Found 2185 messages waiting Mar 27 08:25:36 pebbles MailScanner[23590]: New Batch: Scanning 100 messages, 1542723 bytes Mar 27 08:25:38 pebbles MailScanner[23097]: SpamAssassin timed out and was killed, consecutive failure 1 of 20 Mar 27 08:25:48 pebbles MailScanner[23422]: SpamAssassin timed out and was killed, consecutive failure 1 of 20 Mar 27 08:26:04 pebbles MailScanner[23150]: SpamAssassin timed out and was killed, consecutive failure 1 of 20 Mar 27 08:26:07 pebbles MailScanner[23232]: SpamAssassin timed out and was killed, consecutive failure 1 of 20 Mar 27 08:26:19 pebbles MailScanner[23307]: SpamAssassin timed out and was killed, consecutive failure 1 of 20 Mar 27 08:26:25 pebbles MailScanner[23590]: SpamAssassin timed out and was killed, consecutive failure 1 of 20 Mar 27 08:26:47 pebbles MailScanner[23484]: SpamAssassin timed out and was killed, consecutive failure 1 of 20 Mar 27 08:27:07 pebbles MailScanner[23097]: Spam Checks: Found 
13 spam messages Mar 27 08:27:23 pebbles MailScanner[23534]: SpamAssassin timed out and was killed, consecutive failure 1 of 20 Mar 27 08:27:40 pebbles MailScanner[23097]: Virus and Content Scanning: Starting Mar 27 08:27:47 pebbles MailScanner[23307]: SpamAssassin timed out and was killed, consecutive failure 1 of 20 Mar 27 08:27:56 pebbles MailScanner[23097]: Uninfected: Delivered 100 messages Mar 27 08:28:01 pebbles MailScanner[23097]: New Batch: Found 2093 messages waiting Mar 27 08:28:01 pebbles MailScanner[23097]: New Batch: Scanning 100 messages, 1443894 bytes Mar 27 08:28:23 pebbles MailScanner[23150]: Spam Checks: Found 12 spam messages Mar 27 08:28:33 pebbles MailScanner[23534]: SpamAssassin timed out and was killed, consecutive failure 2 of 20 Mar 27 08:28:38 pebbles MailScanner[23365]: SpamAssassin timed out and was killed, consecutive failure 1 of 20 Mar 27 08:28:44 pebbles MailScanner[23150]: Virus and Content Scanning: Starting Mar 27 08:28:51 pebbles MailScanner[23150]: /var/spool/MailScanner/incoming/23150/18yMjm-00026K-00/UGINE.zip->103290$ Mar 27 08:28:51 pebbles MailScanner[23150]: /var/spool/MailScanner/incoming/23150/18yMjm-00026K-00/UGINE.zip->103290$ Mar 27 08:28:51 pebbles MailScanner[23150]: /var/spool/MailScanner/incoming/23150/18yMjm-00026K-00/UGINE.zip->103290$ Mar 27 08:28:51 pebbles MailScanner[23150]: /var/spool/MailScanner/incoming/23150/18yMjm-00026K-00/UGINE.zip->103290$ Mar 27 08:28:51 pebbles MailScanner[23150]: /var/spool/MailScanner/incoming/23150/18yMjm-00026K-00/UGINE.zip->103296$ Mar 27 08:28:51 pebbles MailScanner[23150]: /var/spool/MailScanner/incoming/23150/18yMjm-00026K-00/UGINE.zip->103296$ Mar 27 08:28:57 pebbles MailScanner[23150]: Uninfected: Delivered 100 messages Mar 27 08:29:01 pebbles MailScanner[23150]: New Batch: Found 1998 messages waiting Mar 27 08:29:02 pebbles MailScanner[23150]: New Batch: Scanning 100 messages, 5453460 bytes Mar 27 08:29:26 pebbles MailScanner[23097]: SpamAssassin timed out and was 
killed, consecutive failure 1 of 20 Mar 27 08:29:56 pebbles MailScanner[23150]: SpamAssassin timed out and was killed, consecutive failure 1 of 20 Mar 27 08:30:02 pebbles MailScanner[23307]: SpamAssassin timed out and was killed, consecutive failure 1 of 20 Mar 27 08:30:04 pebbles MailScanner[23590]: SpamAssassin timed out and was killed, consecutive failure 1 of 20 Mar 27 08:30:43 pebbles MailScanner[23097]: SpamAssassin timed out and was killed, consecutive failure 1 of 20 Mar 27 08:30:48 pebbles MailScanner[23590]: SpamAssassin timed out and was killed, consecutive failure 1 of 20 Mar 27 08:31:07 pebbles MailScanner[23307]: SpamAssassin timed out and was killed, consecutive failure 1 of 20 Mar 27 08:31:30 pebbles MailScanner[23307]: Spam Checks: Found 16 spam messages Mar 27 08:32:05 pebbles MailScanner[23307]: Virus and Content Scanning: Starting Mar 27 08:32:17 pebbles MailScanner[23307]: /var/spool/MailScanner/incoming/23307/18yNkh-0005cs-00/msg-23307-29.txt-$ Mar 27 08:32:17 pebbles MailScanner[23307]: Virus Scanning: F-Prot found virus W32/Klez.H@mm Mar 27 08:32:17 pebbles MailScanner[23307]: Virus Scanning: f-prot found 1 infections Mar 27 08:32:17 pebbles MailScanner[23307]: Virus Scanning: Found 1 viruses Mar 27 08:32:19 pebbles MailScanner[23307]: Saved infected "msg-23307-29.txt" to /var/spool/MailScanner/quarantine/2$ Mar 27 08:32:20 pebbles MailScanner[23150]: SpamAssassin timed out and was killed, consecutive failure 1 of 20 Mar 27 12:39:59 pebbles MailScanner[737]: Expanding TNEF archive at /var/spool/MailScanner/incoming/737/18yg2L-0001uC-00/winmail.dat Mar 27 12:40:00 pebbles MailScanner[737]: Corrupt TNEF winmail.dat that cannot be analysed in message 18yg2L-0001uC-00 Mar 27 12:40:00 pebbles MailScanner[737]: Virus and Content Scanning: Starting Mar 27 12:51:54 pebbles MailScanner[737]: Virus and Content Scanning: Starting Mar 27 12:51:54 pebbles MailScanner[737]: Content Checks: Fixed awkward MIME boundary for Cyrus IMAP server in 
18ygDM-0002tP-00 Mar 27 12:51:54 pebbles MailScanner[737]: Uninfected: Delivered 1 messages Mar 27 12:51:58 pebbles MailScanner[775]: New Batch: Found 1414 messages waiting Mar 27 12:58:08 pebbles MailScanner[737]: Virus and Content Scanning: Starting Mar 27 12:58:08 pebbles MailScanner[737]: Uninfected: Delivered 1 messages Mar 27 12:58:11 pebbles MailScanner[775]: SpamAssassin timed out and was killed, consecutive failure 1 of 20 Mar 27 12:58:16 pebbles MailScanner[737]: New Batch: Found 1421 messages waiting Mar 27 12:58:16 pebbles MailScanner[737]: New Batch: Scanning 1 messages, 3036 bytes pebbles MailScanner[775]: New Batch: Scanning 1 messages, 1521 bytes Mar 27 12:32:33 pebbles MailScanner[775]: Virus and Content Scanning: Starting Mar 27 12:32:33 pebbles MailScanner[737]: New Batch: Found 2120 messages waiting Mar 27 12:32:33 pebbles MailScanner[737]: New Batch: Scanning 1 messages, 3360 bytes Mar 27 12:32:33 pebbles MailScanner[775]: Uninfected: Delivered 1 messages Mar 27 12:32:34 pebbles MailScanner[737]: Virus and Content Scanning: Starting Mar 27 12:32:35 pebbles MailScanner[737]: Uninfected: Delivered 1 messages Mar 27 12:32:41 pebbles MailScanner[775]: New Batch: Found 1414 messages waiting Mar 27 12:32:41 pebbles MailScanner[775]: New Batch: Scanning 1 messages, 5214 bytes Mar 27 12:32:42 pebbles MailScanner[775]: Virus and Content Scanning: Starting Mar 27 12:32:43 pebbles MailScanner[775]: Uninfected: Delivered 1 messages Mar 27 12:32:55 pebbles MailScanner[737]: New Batch: Found 2826 messages waiting Mar 27 12:32:55 pebbles MailScanner[737]: New Batch: Scanning 1 messages, 1265 bytes Mar 27 12:32:56 pebbles MailScanner[737]: Virus and Content Scanning: Starting Mar 27 12:32:57 pebbles MailScanner[737]: Uninfected: Delivered 1 messages Mar 27 12:33:58 pebbles MailScanner[775]: New Batch: Found 9180 messages waiting Mar 27 12:33:58 pebbles MailScanner[775]: New Batch: Scanning 1 messages, 2093 bytes Mar 27 12:33:59 pebbles MailScanner[775]: Spam 
Checks: Found 1 spam messages Mar 27 12:33:59 pebbles MailScanner[775]: Virus and Content Scanning: Starting Mar 27 12:33:59 pebbles MailScanner[775]: Uninfected: Delivered 1 messages Mar 27 12:34:01 pebbles MailScanner[775]: New Batch: Found 707 messages waiting Mar 27 12:34:01 pebbles MailScanner[775]: New Batch: Scanning 1 messages, 3288 bytes Mar 27 12:34:02 pebbles MailScanner[775]: Virus and Content Scanning: Starting Mar 27 12:34:03 pebbles MailScanner[775]: Uninfected: Delivered 1 messages Mar 27 12:34:04 pebbles MailScanner[775]: New Batch: Found 707 messages waiting Mar 27 12:34:04 pebbles MailScanner[775]: New Batch: Scanning 1 messages, 4155 bytes Mar 27 12:34:06 pebbles MailScanner[775]: Virus and Content Scanning: Starting Mar 27 12:34:06 pebbles MailScanner[775]: Uninfected: Delivered 1 messages Mar 27 12:35:38 pebbles MailScanner[737]: New Batch: Found 19065 messages waiting Mar 27 12:35:38 pebbles MailScanner[737]: New Batch: Scanning 1 messages, 7559 bytes Mar 27 12:35:40 pebbles MailScanner[737]: Virus and Content Scanning: Starting Mar 27 12:35:41 pebbles MailScanner[737]: Uninfected: Delivered 1 messages Mar 27 12:35:45 pebbles MailScanner[775]: New Batch: Found 12004 messages waiting Mar 27 12:35:45 pebbles MailScanner[775]: New Batch: Scanning 1 messages, 9559 bytes Mar 27 12:35:47 pebbles MailScanner[775]: Virus and Content Scanning: Starting Mar 27 12:35:48 pebbles MailScanner[775]: Uninfected: Delivered 1 messages Mar 27 12:35:49 pebbles MailScanner[737]: New Batch: Found 1414 messages waiting Mar 27 12:35:49 pebbles MailScanner[737]: New Batch: Scanning 1 messages, 3765 bytes Mar 27 12:35:50 pebbles MailScanner[737]: Virus and Content Scanning: Starting Mar 27 12:58:17 pebbles MailScanner[737]: Virus and Content Scanning: Starting Mar 27 12:58:18 pebbles MailScanner[737]: Uninfected: Delivered 1 messages Mar 27 12:58:32 pebbles MailScanner[737]: New Batch: Found 2131 messages waiting Mar 27 12:58:32 pebbles MailScanner[737]: New Batch: 
Scanning 1 messages, 9922 bytes Mar 27 12:58:57 pebbles MailScanner[775]: SpamAssassin timed out and was killed, consecutive failure 1 of 20 Mar 27 12:59:02 pebbles MailScanner[737]: SpamAssassin timed out and was killed, consecutive failure 1 of 20 Mar 27 12:59:15 pebbles MailScanner[737]: Virus and Content Scanning: Starting Mar 27 12:59:16 pebbles MailScanner[737]: Uninfected: Delivered 1 messages Mar 27 12:59:17 pebbles MailScanner[737]: New Batch: Found 716 messages waiting Mar 27 12:59:17 pebbles MailScanner[737]: New Batch: Scanning 6 messages, 8703101 bytes Mar 27 12:59:41 pebbles MailScanner[775]: SpamAssassin timed out and was killed, consecutive failure 2 of 20 Mar 27 12:59:49 pebbles MailScanner[737]: SpamAssassin timed out and was killed, consecutive failure 1 of 20 Mar 27 12:59:54 pebbles MailScanner[775]: Virus and Content Scanning: Starting Mar 27 12:59:55 pebbles MailScanner[775]: Uninfected: Delivered 4 messages Mar 27 12:59:56 pebbles MailScanner[775]: New Batch: Found 715 messages waiting Mar 27 12:59:57 pebbles MailScanner[775]: New Batch: Scanning 3 messages, 21151 bytes Mar 27 13:00:27 pebbles MailScanner[775]: SpamAssassin timed out and was killed, consecutive failure 3 of 20 Mar 27 13:00:35 pebbles MailScanner[737]: SpamAssassin timed out and was killed, consecutive failure 2 of 20 Mar 27 13:01:10 pebbles MailScanner[775]: SpamAssassin timed out and was killed, consecutive failure 4 of 20 Mar 27 13:01:19 pebbles MailScanner[737]: SpamAssassin timed out and was killed, consecutive failure 1 of 20 Mar 27 13:01:23 pebbles MailScanner[775]: Virus and Content Scanning: Starting Mar 27 13:01:24 pebbles MailScanner[775]: Uninfected: Delivered 3 messages Mar 27 13:01:26 pebbles MailScanner[775]: New Batch: Found 720 messages waiting Mar 27 13:01:26 pebbles MailScanner[775]: New Batch: Scanning 8 messages, 102822 bytes From mailscanner at ecs.soton.ac.uk Thu Mar 27 18:48:56 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:37 2006
Subject: email in exim incoming queue is not getting processed -- Please help
In-Reply-To: <3EA1A302A4978A4C970D2C63F327156E65858B@worc-mail2.int.morganco.com>
Message-ID: <5.2.0.9.2.20030327184621.023ea1f0@imap.ecs.soton.ac.uk>

In your MailScanner.conf, what are the values of
MTA
Run As User
Run As Group
Incoming Queue Dir
Outgoing Queue Dir
Incoming Work Dir
Quarantine Dir
PID file

For the relevant "Run As User", please supply the line from the /etc/passwd file.
For the relevant "Run As User", please do "ls -ld" of the home directory.
For each of the "Dir" variables above, please do an "ls -ld" of each one.

Sounds like it's a permissions problem.

At 18:42 27/03/2003, you wrote:
>Let's try an attachment so it's readable.
>
>Sorry for the double post.
>
>Scott
>
> > -----Original Message-----
> > From: Hancock, Scott
> > Sent: Thursday, March 27, 2003 1:30 PM
> > To: MAILSCANNER@JISCMAIL.AC.UK
> > Subject: Re: email in exim incoming queue is not getting processed --
> > Please help
> >
> > Here is some of my mail.log file.
> >
> > I did the restart at 8:23. Looks like the queue went down yesterday
>at
> > 14:21
> >
> > Gaps below indicate places I snipped the log.
> >
> >
> > Thanks
> >
> > Scott
> >
> >
> > Mar 26 14:21:09 pebbles MailScanner[17287]: New Batch: Found 36
>messages
> > waiting
> > Mar 26 14:21:09 pebbles MailScanner[17287]: New Batch: Scanning 1
> > messages, 2078 bytes
> > Mar 26 14:21:09 pebbles MailScanner[17287]: Virus and Content
>Scanning:
> > Starting

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

From HancockS at MORGANCO.COM Thu Mar 27 19:11:53 2003
From: HancockS at MORGANCO.COM (Hancock, Scott) Date: Thu Jan 12 21:17:37 2006 Subject: email in exim incoming queue is not getting processed -- Please help Message-ID: <3EA1A302A4978A4C970D2C63F327156ED541F8@worc-mail2.int.morganco.com> Julian, Thanks for your interest in my problem. Below are the answers to your questions Thanks again. Scott > In your MailScanner.conf, what are the values of > MTA > Run As User > Run As Group > Incoming Queue Dir > Outgoing Queue Dir > Incoming Work Dir > Quarantine Dir > PID file # As a rough guide, try 5 children per CPU. Max Children = 10 # User to run as (not normally used for sendmail) Run As User = mail # Group to run as (not normally used for sendmail) Run As Group = mail Queue Scan Interval = 5 Incoming Queue Dir = /var/spool/exim_incoming/input # Set location of outgoing mail queue. # This can also be the filename of a ruleset. Outgoing Queue Dir = /var/spool/exim/input # Set where to unpack incoming messages before scanning them Incoming Work Dir = /var/spool/MailScanner/incoming # Set where to store infected and message attachments (if they are kept) # This can also be the filename of a ruleset. Quarantine Dir = /var/spool/MailScanner/quarantine # Set where to store the process id number so you can stop MailScanner PID file = /opt/MailScanner/var/MailScanner.pid # To avoid resource leaks, re-start periodically Restart Every = 14400 # Set whether to use sendmail or exim MTA = exim Sendmail = /usr/sbin/exim Sendmail2 = /usr/sbin/sendmail -C /etc/exim/exim_send.conf > > For the relevant "Run As User", please supply the line from the > /etc/passwd > file. mail:x:8:8:mail:/var/mail:/bin/sh > For the relevant "Run As User", please do "ls -ld" of the home directory. > For each of the "Dir" variables above, please do an "ls -ld" of each one. > output for var/mail lrwxrwsr-x 3 root mail 4096 /var/mail/ output for /bin/sh lrwxrwxrwx 1 root root 4 Feb 26 15:19 /bin/sh -> bash > Sounds like its a permissions problem. 
> > > At 18:42 27/03/2003, you wrote: > >Let's try an attachment so it's readable. > > > >Sorry for the double post. > > > >Scott > > > > > -----Original Message----- > > > From: Hancock, Scott > > > Sent: Thursday, March 27, 2003 1:30 PM > > > To: MAILSCANNER@JISCMAIL.AC.UK > > > Subject: Re: email in exim incoming queue is not getting processed -- > > > Please help > > > > > > Here is some of my mail.log file. > > > > > > I did the restart at 8:23. Looks like the queue went down yesterday > >at > > > 14:21 > > > > > > Gaps below indicate places I snipped the log. > > > > > > > > > Thanks > > > > > > Scott > > > > > > > > > Mar 26 14:21:09 pebbles MailScanner[17287]: New Batch: Found 36 > >messages > > > waiting > > > Mar 26 14:21:09 pebbles MailScanner[17287]: New Batch: Scanning 1 > > > messages, 2078 bytes > > > Mar 26 14:21:09 pebbles MailScanner[17287]: Virus and Content > >Scanning: > > > Starting > > -- > Julian Field > www.MailScanner.info > Professional Support Services at www.MailScanner.biz > MailScanner thanks transtec Computers for their support From HancockS at MORGANCO.COM Thu Mar 27 19:25:26 2003 From: HancockS at MORGANCO.COM (Hancock, Scott) Date: Thu Jan 12 21:17:37 2006 Subject: email in exim incoming queue is not getting processed -- Please help Message-ID: <3EA1A302A4978A4C970D2C63F327156E65858E@worc-mail2.int.morganco.com> Julian, You might be interested to know that there are many messages in the /var/spool/MailScanner/incoming directories modified at 10:56 today or 3 hours ago. I have to run out for a bit. I maybe as long as 2 hours. Thanks again Scott From joe at QITC.CO.UK Thu Mar 27 19:38:53 2003 
From: joe at QITC.CO.UK (Joe Quinn) Date: Thu Jan 12 21:17:37 2006 Subject: Custom spam score References: <9F18B7DDBA88E544AB1F1995148916660145E0@lkl63.ltkalmar.se> <005201c2d774$26dea9a0$0d4bd3c8@A3C4J5> <007201c2d776$21e6ecd0$01000001@Compaq> <038901c2d809$8307b1a0$18720550@T20> <1045666320.2167.44.camel@dbeauchemin.si.usherbrooke.ca> <004501c2d82f$b3ab84a0$2d30c3c1@T20> Message-ID: <05f901c2f498$7fe64940$5d876751@T20> Hi, In the /etc/MailScanner/spam.assassin.prefs.conf what do I put to get a custom spam score for email coming into my server *to* a particular email address, what I want is that any email coming to this address is deleted. Cheers, Joe www.qitc.net From mailscanner at ecs.soton.ac.uk Thu Mar 27 20:08:37 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:37 2006 Subject: Custom spam score In-Reply-To: <05f901c2f498$7fe64940$5d876751@T20> References: <9F18B7DDBA88E544AB1F1995148916660145E0@lkl63.ltkalmar.se> <005201c2d774$26dea9a0$0d4bd3c8@A3C4J5> <007201c2d776$21e6ecd0$01000001@Compaq> <038901c2d809$8307b1a0$18720550@T20> <1045666320.2167.44.camel@dbeauchemin.si.usherbrooke.ca> <004501c2d82f$b3ab84a0$2d30c3c1@T20> Message-ID: <5.2.0.9.2.20030327200632.0258f978@imap.ecs.soton.ac.uk> At 19:38 27/03/2003, you wrote: >Hi, > >In the /etc/MailScanner/spam.assassin.prefs.conf what do I put to get a >custom spam score for email >coming into my server *to* a particular email address, what I want is that >any email coming to this >address is deleted. Read "man Mail::SpamAssassin::Conf". From the start of that: header FROM_HAS_MIXED_NUMS From =~ /\d+[a-z]+\d+\S*@/i describe FROM_HAS_MIXED_NUMS 
From: contains numbers mixed in with letters score A_HREF_TO_REMOVE 2.0 so you could have something like header TO_DELETE To =~ /email@address\.com/i describe TO_DELETE To: contains dead email address score TO_DELETE 100.0 then make the "High Scoring Spam Actions" delete for this address. -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Thu Mar 27 20:01:38 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:37 2006 Subject: F-Prot errors In-Reply-To: Message-ID: <5.2.0.9.2.20030327195433.02747cc0@imap.ecs.soton.ac.uk> Apply this patch to /usr/lib/MailScanner/MailScanner/SweepViruses.pm : --- /root/v4/mailscanner/mailscanner/bin/MailScanner/SweepViruses.pm Wed Mar 26 21:47:01 2003 +++ SweepViruses.pm Thu Mar 27 19:58:26 2003 
@@ -992,16 +992,19 @@ my($report, $infected, $dot, $id, $part, $virus, @rest); my($logout); - #print STDERR $line; + #print STDERR "$fprot_InCruft $line"; chomp $line; # Look for the "Program version: 4...." line which shows we are running # version 4 and therefore have different headers at the start of the # scan output. - if ($fprot_InCruft==-2 && $line =~ /program\s+version:\s*4/i) { - $fprot_InCruft -= 1; - return 0; + if ($fprot_InCruft==-2) { + my $version = $1 if $line =~ /program\s+version:\s*([\d.]+)/i; + if ($version > 3.12) { + $fprot_InCruft -= 1; + return 0; + } }c return 0 if $fprot_InCruft > 0; # Return if we are still in headers # One header paragraph has finished, count it I will put this code in the next release. At 16:39 27/03/2003, you wrote: >Trying to setup F-Prot for evaluation w/ MailScanner and got this error: > >Either you've found a bug in MailScanner's F-Prot output parser, or >F-Prot's output format has changed! F-Prot said >this "Switches: -ARCHIVE -OLD". Please mail the author of MailScanner > >The file I loaded was fp-linux-eb-3.13-0.i386.rpm > >I followed the notes in the FAQ > > >I'm using MS 4.13-3 on a RH 7.2 box. > >Any ideas? > >Thanks > >Matthew -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Thu Mar 27 20:04:48 2003 
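Review bot: in the added `if ($fprot_InCruft==-2)` block, `my $version = $1 if $line =~ /program\s+version:\s*([\d.]+)/i;` declares a lexical under a statement modifier, which perlsyn documents as undefined behaviour; declare it unconditionally, for example `my ($version) = $line =~ /program\s+version:\s*([\d.]+)/i;`, and test `defined $version` before comparing. As written, every line that arrives while `$fprot_InCruft` is -2 and is not the version line reaches `$version > 3.12` with an undefined value, and because `[\d.]+` also accepts strings with more than one dot, the numeric comparison is only reliable for plain major.minor versions. The context line `}c` that closes the block carries a stray `c` and will not compile until it is removed. The comment above the block still says it looks for "Program version: 4....", while the new test is for anything above 3.12, so the comment should be updated with the code.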
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:37 2006 Subject: email in exim incoming queue is not getting processed -- Please help In-Reply-To: <3EA1A302A4978A4C970D2C63F327156ED541F8@worc-mail2.int.morg anco.com> Message-ID: <5.2.0.9.2.20030327200315.02776088@imap.ecs.soton.ac.uk> At 19:11 27/03/2003, you wrote: >Julian, > >Thanks for your interest in my problem. > >Below are the answers to your questions > >Thanks again. > >Scott > > > In your MailScanner.conf, what are the values of > > MTA > > Run As User > > Run As Group > > Incoming Queue Dir > > Outgoing Queue Dir > > Incoming Work Dir > > Quarantine Dir > > PID file > ># As a rough guide, try 5 children per CPU. >Max Children = 10 > ># User to run as (not normally used for sendmail) >Run As User = mail > ># Group to run as (not normally used for sendmail) >Run As Group = mail > >Queue Scan Interval = 5 > >Incoming Queue Dir = /var/spool/exim_incoming/input > ># Set location of outgoing mail queue. ># This can also be the filename of a ruleset. >Outgoing Queue Dir = /var/spool/exim/input > ># Set where to unpack incoming messages before scanning them >Incoming Work Dir = /var/spool/MailScanner/incoming > ># Set where to store infected and message attachments (if they are kept) ># This can also be the filename of a ruleset. >Quarantine Dir = /var/spool/MailScanner/quarantine > ># Set where to store the process id number so you can stop MailScanner >PID file = /opt/MailScanner/var/MailScanner.pid > ># To avoid resource leaks, re-start periodically >Restart Every = 14400 > ># Set whether to use sendmail or exim >MTA = exim > >Sendmail = /usr/sbin/exim > >Sendmail2 = /usr/sbin/sendmail -C /etc/exim/exim_send.conf This should be "/usr/sbin/exim -C /etc/exim/exim_send.conf" ideally. > > > > For the relevant "Run As User", please supply the line from the > > /etc/passwd > > file. 
> >mail:x:8:8:mail:/var/mail:/bin/sh > > > > For the relevant "Run As User", please do "ls -ld" of the home >directory. > > For each of the "Dir" variables above, please do an "ls -ld" of each >one. > > > >output for var/mail > >lrwxrwsr-x 3 root mail 4096 /var/mail/ Where does this link point to, and what is the "ls -ld" of the directory it points to. >output for /bin/sh > >lrwxrwxrwx 1 root root 4 Feb 26 15:19 /bin/sh -> bash I need the "ls -ld" for all the other directories I mentioned too. > > Sounds like its a permissions problem. > > > > > > At 18:42 27/03/2003, you wrote: > > >Let's try an attachment so it's readable. > > > > > >Sorry for the double post. > > > > > >Scott > > > > > > > -----Original Message----- > > > > From: Hancock, Scott > > > > Sent: Thursday, March 27, 2003 1:30 PM > > > > To: MAILSCANNER@JISCMAIL.AC.UK > > > > Subject: Re: email in exim incoming queue is not getting processed >-- > > > > Please help > > > > > > > > Here is some of my mail.log file. > > > > > > > > I did the restart at 8:23. Looks like the queue went down >yesterday > > >at > > > > 14:21 > > > > > > > > Gaps below indicate places I snipped the log. > > > > > > > > > > > > Thanks > > > > > > > > Scott > > > > > > > > > > > > Mar 26 14:21:09 pebbles MailScanner[17287]: New Batch: Found 36 > > >messages > > > > waiting > > > > Mar 26 14:21:09 pebbles MailScanner[17287]: New Batch: Scanning 1 > > > > messages, 2078 bytes > > > > Mar 26 14:21:09 pebbles MailScanner[17287]: Virus and Content > > >Scanning: > > > > Starting > > > > -- > > Julian Field > > www.MailScanner.info > > Professional Support Services at www.MailScanner.biz > > MailScanner thanks transtec Computers for their support -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support From martyn at CHETNET.CO.UK Thu Mar 27 20:18:26 2003 
From: martyn at CHETNET.CO.UK (chet) Date: Thu Jan 12 21:17:37 2006 Subject: Custom spam score References: <9F18B7DDBA88E544AB1F1995148916660145E0@lkl63.ltkalmar.se> <005201c2d774$26dea9a0$0d4bd3c8@A3C4J5> <007201c2d776$21e6ecd0$01000001@Compaq> <038901c2d809$8307b1a0$18720550@T20> <1045666320.2167.44.camel@dbeauchemin.si.usherbrooke.ca> <004501c2d82f$b3ab84a0$2d30c3c1@T20> <5.2.0.9.2.20030327200632.0258f978@imap.ecs.soton.ac.uk> Message-ID: <02e001c2f49e$08442910$0103a8c0@danni> how do you un-subscribe from this mailing list Regards ----------------------------------------------- www.chetnet.co.uk Cable Modem FAQ and portal ------------------------------------------------ ----- Original Message ----- From: "Julian Field" To: Sent: Thursday, March 27, 2003 8:08 PM Subject: Re: Custom spam score > At 19:38 27/03/2003, you wrote: > >Hi, > > > >In the /etc/MailScanner/spam.assassin.prefs.conf what do I put to get a > >custom spam score for email > >coming into my server *to* a particular email address, what I want is that > >any email coming to this > >address is deleted. > > Read "man Mail::SpamAssassin::Conf". From the start of that: > > header FROM_HAS_MIXED_NUMS From =~ /\d+[a-z]+\d+\S*@/i > describe FROM_HAS_MIXED_NUMS From: contains numbers mixed in with letters > score A_HREF_TO_REMOVE 2.0 > > so you could have something like > header TO_DELETE To =~ /email@address\.com/i > describe TO_DELETE To: contains dead email address > score TO_DELETE 100.0 > > then make the "High Scoring Spam Actions" delete for this address. > -- > Julian Field > www.MailScanner.info > Professional Support Services at www.MailScanner.biz > MailScanner thanks transtec Computers for their support --- Outgoing mail is certified Virus Free. Checked by AVG anti-virus system (http://www.grisoft.com). Version: 6.0.449 / Virus Database: 251 - Release Date: 27/01/2003 From mbowman at UDCOM.COM Thu Mar 27 20:24:48 2003 
From: mbowman at UDCOM.COM (Matthew Bowman)
Date: Thu Jan 12 21:17:37 2006
Subject: F-Prot errors
Message-ID:

Nevermind I had d, not d. also had to remove the c after the }

It's fine now.

From mbowman at UDCOM.COM Thu Mar 27 20:18:21 2003
From: mbowman at UDCOM.COM (Matthew Bowman)
Date: Thu Jan 12 21:17:37 2006
Subject: F-Prot errors
Message-ID:

Thanks,

Now I get this error:

Mar 27 15:16:43 smithers MailScanner[20157]: Files: "Dumb" scan of all files
Mar 27 15:16:43 smithers MailScanner[20157]: Either you've found a bug in MailScanner's F-Prot output parser, or F-Prot's output format has changed! F-Prot said this "Files: "Dumb" scan of all files". Please mail the author of MailScanner
Mar 27 15:16:43 smithers MailScanner[20157]: Switches: -ARCHIVE -OLD

Regards,
Matthew K Bowman
Systems Administrator; Hostmaster; Miva Administrator
Universal Digital Communications, Mansfield Ohio.

Julian Field
Sent by: MailScanner mailing list
03/27/2003 03:01 PM
Please respond to MailScanner mailing list
To: MAILSCANNER@JISCMAIL.AC.UK
cc:
Subject: Re: F-Prot errors

Apply this patch to /usr/lib/MailScanner/MailScanner/SweepViruses.pm :

--- /root/v4/mailscanner/mailscanner/bin/MailScanner/SweepViruses.pm Wed Mar 26 21:47:01 2003 +++ SweepViruses.pm Thu Mar 27 19:58:26 2003 
@@ -992,16 +992,19 @@ my($report, $infected, $dot, $id, $part, $virus, @rest); my($logout); - #print STDERR $line; + #print STDERR "$fprot_InCruft $line"; chomp $line; # Look for the "Program version: 4...." line which shows we are running # version 4 and therefore have different headers at the start of the # scan output. - if ($fprot_InCruft==-2 && $line =~ /program\s+version:\s*4/i) { - $fprot_InCruft -= 1; - return 0; + if ($fprot_InCruft==-2) { + my $version = $1 if $line =~ /program\s+version:\s*([\d.]+)/i; + if ($version > 3.12) { + $fprot_InCruft -= 1; + return 0; + } }c return 0 if $fprot_InCruft > 0; # Return if we are still in headers # One header paragraph has finished, count it I will put this code in the next release. At 16:39 27/03/2003, you wrote: >Trying to setup F-Prot for evaluation w/ MailScanner and got this error: > >Either you've found a bug in MailScanner's F-Prot output parser, or >F-Prot's output format has changed! F-Prot said >this "Switches: -ARCHIVE -OLD". Please mail the author of MailScanner > >The file I loaded was fp-linux-eb-3.13-0.i386.rpm > >I followed the notes in the FAQ > > >I'm using MS 4.13-3 on a RH 7.2 box. > >Any ideas? > >Thanks > >Matthew -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support From HancockS at MORGANCO.COM Thu Mar 27 20:47:10 2003 
From: HancockS at MORGANCO.COM (Hancock, Scott)
Date: Thu Jan 12 21:17:37 2006
Subject: email in exim incoming queue is not getting processed -- Please help
Message-ID: <3EA1A302A4978A4C970D2C63F327156ED541F9@worc-mail2.int.morganco.com>

FYI: Currently this server is nothing but a mail gateway no local logons.

> This should be "/usr/sbin/exim -C /etc/exim/exim_send.conf" ideally.

I changed the sendmail to exim but did not restart.

Other outputs. ls -ld

drwxr-x--- 18 mail mail 4096 Mar 27 08:32 /var/spool/MailScanner/quarantine
-rw-r--r-- 1 mail mail 4 Mar 27 10:55 /opt/MailScanner/var/MailScanner.pid
drwxr-x--- 12 mail mail 4096 Mar 27 14:57 /var/spool/MailScanner/incoming
drwxr-x--- 2 mail mail 126976 Mar 27 15:31 /var/spool/exim_incoming/input
drwxr-x--- 2 mail mail 126976 Mar 27 15:31 /var/spool/exim_incoming/input

ls -la of /var/mail ??? link here????

total 16
drwxrwsr-x 3 root mail 4096 Feb 27 15:54 .
drwxr-xr-x 15 root root 4096 Feb 28 08:28 ..
-rw------- 1 mail mail 1025 Mar 17 15:02 .bash_history
drwx--S--- 2 mail mail 4096 Mar 5 15:00 .spamassassin
-rw-rw---- 1 scott mail 0 Feb 27 15:52 scott

From mailscanner at ecs.soton.ac.uk Thu Mar 27 20:46:57 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:37 2006
Subject: F-Prot errors
In-Reply-To:
Message-ID: <5.2.0.9.2.20030327204641.02806e90@imap.ecs.soton.ac.uk>

At 20:24 27/03/2003, you wrote:
>Nevermind I had d, not d. also had to remove the c after the }
>
>It's fine now.

Just to confirm: my patch worked or not?

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

From mbowman at UDCOM.COM Thu Mar 27 20:44:49 2003
From: mbowman at UDCOM.COM (Matthew Bowman)
Date: Thu Jan 12 21:17:37 2006
Subject: F-Prot errors
Message-ID:

Yes it worked.

From mailscanner at ecs.soton.ac.uk Thu Mar 27 20:52:38 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:37 2006 Subject: email in exim incoming queue is not getting processed -- Please help In-Reply-To: <3EA1A302A4978A4C970D2C63F327156ED541F9@worc-mail2.int.morg anco.com> Message-ID: <5.2.0.9.2.20030327205119.027f4358@imap.ecs.soton.ac.uk> Any chance of remote access? I can usually sort these in a few minutes, they are almost impossible by mail (as you have found). At 20:47 27/03/2003, you wrote: >FYI: Currently this server is nothing but a mail gateway no local >logon's. > > > This should be "/usr/sbin/exim -C /etc/exim/exim_send.conf" ideally. > >I change the sendmail to exim but did not restart. > >Other outputs. Ls -ld > >drwxr-x--- 18 mail mail 4096 Mar 27 08:32 >/var/spool/MailScanner/quarantine > > >-rw-r--r-- 1 mail mail 4 Mar 27 10:55 >/opt/MailScanner/var/MailScanner.pid > > >drwxr-x--- 12 mail mail 4096 Mar 27 14:57 >/var/spool/MailScanner/incoming > >drwxr-x--- 2 mail mail 126976 Mar 27 15:31 >/var/spool/exim_incoming/input > >drwxr-x--- 2 mail mail 126976 Mar 27 15:31 >/var/spool/exim_incoming/input > >ls -la of /var/mail ??? link here???? > >total 16 >drwxrwsr-x 3 root mail 4096 Feb 27 15:54 . >drwxr-xr-x 15 root root 4096 Feb 28 08:28 .. >-rw------- 1 mail mail 1025 Mar 17 15:02 .bash_history >drwx--S--- 2 mail mail 4096 Mar 5 15:00 .spamassassin >-rw-rw---- 1 scott mail 0 Feb 27 15:52 scott -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support From ycayer at 3WEBMEDIA.COM Thu Mar 27 23:19:09 2003 
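The check Julian Field asks for in the "email in exim incoming queue is not getting processed" thread above (an `ls -ld` of each directory set in MailScanner.conf, compared with the "Run As User" account) can be scripted; this is an added example, not code from the thread or from MailScanner. The function names and the sample tree are constructed for illustration; the configuration keys are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example, not MailScanner code: audit the directories named in a
# MailScanner.conf against its "Run As User" / "Run As Group" account.

# conf_value FILE KEY: print the value of "KEY = value" (last one wins).
conf_value() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }                      # skip comment lines
        {
            eq = index($0, "=")
            if (eq == 0) next
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) val = v
        }
        END { print val }' "$1"
}

# usable_dir PATH USER GROUP: succeed if PATH is a directory whose `ls -ld`
# mode grants read, write and search to the class USER:GROUP falls in.
# Static check only: ACLs and supplementary groups are not considered.
usable_dir() {
    [ -e "$1" ] || { echo "FAIL $1: missing"; return 1; }
    # -L reports a symlink's target (the thread's question about /var/mail).
    read -r mode links owner group rest <<EOF
$(ls -ldL -- "$1")
EOF
    case $mode in
        d*) ;;
        *) echo "FAIL $1: not a directory ($mode)"; return 1 ;;
    esac
    # The kernel consults exactly one class: owner, else group, else other.
    if [ "$owner" = "$2" ]; then class=owner; cols=2-4
    elif [ "$group" = "$3" ]; then class=group; cols=5-7
    else class=other; cols=8-10
    fi
    bits=$(printf '%s\n' "$mode" | cut -c"$cols")
    # Lowercase s/t carry execute (drwxrwsr-x); uppercase S/T do not.
    case $bits in
        rw[xst]) echo "OK   $1: $mode $owner $group ($class)"; return 0 ;;
    esac
    echo "FAIL $1: $mode $owner $group gives $2:$3 only '$bits' ($class)"
    return 1
}

# audit_conf CONF: check the four "Dir" settings; return 1 if any fails.
audit_conf() {
    user=$(conf_value "$1" "Run As User")
    grp=$(conf_value "$1" "Run As Group")
    [ -n "$user" ] && [ -n "$grp" ] || { echo "FAIL $1: Run As User/Group not set"; return 1; }
    failed=0
    for key in "Incoming Queue Dir" "Outgoing Queue Dir" "Incoming Work Dir" "Quarantine Dir"; do
        dir=$(conf_value "$1" "$key")
        if [ -z "$dir" ]; then echo "FAIL $key: not set"; failed=1
        # The conf comments say some of these may name a ruleset file instead.
        elif [ -f "$dir" ]; then echo "SKIP $key: $dir is a ruleset file"
        else usable_dir "$dir" "$user" "$grp" || failed=1
        fi
    done
    return $failed
}

# make_sample ROOT: build a constructed spool tree and conf owned by the caller.
make_sample() {
    mkdir -p "$1/in" "$1/out" "$1/work" "$1/quarantine"
    chmod 750 "$1/in" "$1/out" "$1/work"
    chmod 550 "$1/quarantine"                    # deliberately not writable
    read -r mode links owner group rest <<EOF
$(ls -ld -- "$1")
EOF
    cat > "$1/MailScanner.conf" <<EOF
# constructed sample; keys as quoted in the thread
Run As User = $owner
Run As Group = $group
Incoming Queue Dir = $1/in
Outgoing Queue Dir = $1/out
Incoming Work Dir = $1/work
Quarantine Dir = $1/quarantine
EOF
}

# With a path argument, audit that file; with none, run on the sample tree.
if [ $# -gt 0 ]; then
    audit_conf "$1"
else
    root=$(mktemp -d) && make_sample "$root"
    audit_conf "$root/MailScanner.conf" || echo "=> at least one directory is not usable by the Run As account"
    rm -rf "$root"
fi
```

Run it as root against the real file, for example `sh audit.sh /etc/MailScanner/MailScanner.conf`, so that directories closed to other users can still be listed.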
From: ycayer at 3WEBMEDIA.COM (Yannick Cayer)
Date: Thu Jan 12 21:17:37 2006
Subject: MailScanner with Ensim
Message-ID:

Greetings,

I have followed the docs on how to install MailScanner with Ensim. Everything works fine except for one thing: The MailScanner.conf file sits in /etc/MailScanner/MailScanner.conf. The problem with this is that whenever I send a virus to a user of a virtual site, the site sits in a chroot environment so MailScanner is unable to find the MailScanner.conf file so it defaults to no configuration. It detects the virus but it doesn't take into account the conf file since it cannot find it from the virtual server point of view...

How can I fix this?

Thank you

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030327/3f68bd92/attachment.html

From dene at DATATECHIE.COM Fri Mar 28 02:52:05 2003
From: dene at DATATECHIE.COM (Dene Ulmschneider) Date: Thu Jan 12 21:17:37 2006 Subject: confirming SPAM In-Reply-To: <5.2.0.9.2.20030324150117.03b5e328@imap.ecs.soton.ac.uk> References: <5.1.0.14.2.20030324095603.02668e78@192.168.1.112> Message-ID: <5.1.0.14.2.20030327214537.00ba32e8@192.168.1.112> Thanks for the input Julian. I have MailScanner working and it is bouncing all spam it finds as well as forwarding it to me as the system admin. I have gotten Razor2 installed and working. I have successfully registered on the network. I am having difficulty with two issues: >Also, using the new Bayes engine in SpamAssassin 2.51 (but I would advise >you to wait for 2.52 release), the anti-spam engine will learn about spam >messages that it got wrong by your users feeding back the spam into the >engine. I have 2 addresses here, "spam" and "notspam", which users bounce >mail to when the spam engine gets it wrong. So its performance improves >with time as it learns lots of new spam. 1- You mentioned that you have 2 addresses setup for reporting spam called "spam" and "notspam". I have not found any documentation on how to accomplish this. Do you know where I can find documentation? I would like to make it as easy as possible for Windows users to be able to report spam and forwarding any incorrect messages to an email address would make it a snap (needless to say that I don't want them forwarding to my address). 2- I have SpamAssassin working with MailScanner and have not seen any settings or configs for Bayes. How do I turn it on or set it up? Thanks for any assistance or info. Dene Ulmschneider Data Techie Inc. 
-------------------------------------------------------------------------
office: 718.738.8859
cell: 646.996.2976
email: dene@datatechie.com
pager mail: denenow@datatechie.com
website: www.datatechie.com
-------------------------------------------------------------------------
"Life is too short...-...you should have dessert first"

--
This message has been scanned for viruses and dangerous content by Data Techie, and is believed to be clean.
Data Techie... always there to protect you!
http://www.datatechie.com

From melilela at TIME.NET.MY Fri Mar 28 03:17:45 2003
From: melilela at TIME.NET.MY (Ramli Mohd)
Date: Thu Jan 12 21:17:37 2006
Subject: confirming SPAM
In-Reply-To: <5.1.0.14.2.20030327214537.00ba32e8@192.168.1.112>
Message-ID:

Dear Julian,

Instead of quarantine email. Can I forward certain attachment that filter forward email address like jpg, pps etc attachment

TQ

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Dene Ulmschneider Sent: 28 March 2003 - Friday 10:52 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: confirming SPAM Thanks for the input Julian. I have MailScanner working and it is bouncing all spam it finds as well as forwarding it to me as the system admin. I have gotten Razor2 installed and working. I have successfully registered on the network. I am having difficulty with two issues: >Also, using the new Bayes engine in SpamAssassin 2.51 (but I would advise >you to wait for 2.52 release), the anti-spam engine will learn about spam >messages that it got wrong by your users feeding back the spam into the >engine. I have 2 addresses here, "spam" and "notspam", which users bounce >mail to when the spam engine gets it wrong. So its performance improves >with time as it learns lots of new spam. 1- You mentioned that you have 2 addresses setup for reporting spam called "spam" and "notspam". I have not found any documentation on how to accomplish this. Do you know where I can find documentation? I would like to make it as easy as possible for Windows users to be able to report spam and forwarding any incorrect messages to an email address would make it a snap (needless to say that I don't want them forwarding to my address). 2- I have SpamAssassin working with MailScanner and have not seen any settings or configs for Bayes. How do I turn it on or set it up? Thanks for any assistance or info. Dene Ulmschneider Data Techie Inc. ------------------------------------------------------------------------- office: 718.738.8859 cell: 646.996.2976 email: dene@datatechie.com pager mail: denenow@datatechie.com website: www.datatechie.com ------------------------------------------------------------------------- "Life is too short...-...you should have dessert first" -- This message has been scanned for viruses and dangerous content by Data Techie, and is believed to be clean. Data Techie... 
always there to protect you! http://www.datatechie.com From HancockS at MORGANCO.COM Thu Mar 27 19:11:53 2003 
From: HancockS at MORGANCO.COM (Hancock, Scott) Date: Thu Jan 12 21:17:37 2006 Subject: email in exim incoming queue is not getting processed -- Please help Message-ID: <3EA1A302A4978A4C970D2C63F327156ED541F8@worc-mail2.int.morganco.com>

Julian,

Thanks for your interest in my problem. Below are the answers to your questions.

Thanks again.

Scott

> In your MailScanner.conf, what are the values of
> MTA
> Run As User
> Run As Group
> Incoming Queue Dir
> Outgoing Queue Dir
> Incoming Work Dir
> Quarantine Dir
> PID file

# As a rough guide, try 5 children per CPU.
Max Children = 10
# User to run as (not normally used for sendmail)
Run As User = mail
# Group to run as (not normally used for sendmail)
Run As Group = mail
Queue Scan Interval = 5
Incoming Queue Dir = /var/spool/exim_incoming/input
# Set location of outgoing mail queue.
# This can also be the filename of a ruleset.
Outgoing Queue Dir = /var/spool/exim/input
# Set where to unpack incoming messages before scanning them
Incoming Work Dir = /var/spool/MailScanner/incoming
# Set where to store infected and message attachments (if they are kept)
# This can also be the filename of a ruleset.
Quarantine Dir = /var/spool/MailScanner/quarantine
# Set where to store the process id number so you can stop MailScanner
PID file = /opt/MailScanner/var/MailScanner.pid
# To avoid resource leaks, re-start periodically
Restart Every = 14400
# Set whether to use sendmail or exim
MTA = exim
Sendmail = /usr/sbin/exim
Sendmail2 = /usr/sbin/sendmail -C /etc/exim/exim_send.conf

>
> For the relevant "Run As User", please supply the line from the
> /etc/passwd
> file.

mail:x:8:8:mail:/var/mail:/bin/sh

> For the relevant "Run As User", please do "ls -ld" of the home directory.
> For each of the "Dir" variables above, please do an "ls -ld" of each one.
>

output for var/mail
lrwxrwsr-x 3 root mail 4096 /var/mail/

output for /bin/sh
lrwxrwxrwx 1 root root 4 Feb 26 15:19 /bin/sh -> bash

> Sounds like it's a permissions problem.
> > > At 18:42 27/03/2003, you wrote: > >Let's try an attachment so it's readable. > > > >Sorry for the double post. > > > >Scott > > > > > -----Original Message----- > > > From: Hancock, Scott > > > Sent: Thursday, March 27, 2003 1:30 PM > > > To: MAILSCANNER@JISCMAIL.AC.UK > > > Subject: Re: email in exim incoming queue is not getting processed -- > > > Please help > > > > > > Here is some of my mail.log file. > > > > > > I did the restart at 8:23. Looks like the queue went down yesterday > >at > > > 14:21 > > > > > > Gaps below indicate places I snipped the log. > > > > > > > > > Thanks > > > > > > Scott > > > > > > > > > Mar 26 14:21:09 pebbles MailScanner[17287]: New Batch: Found 36 > >messages > > > waiting > > > Mar 26 14:21:09 pebbles MailScanner[17287]: New Batch: Scanning 1 > > > messages, 2078 bytes > > > Mar 26 14:21:09 pebbles MailScanner[17287]: Virus and Content > >Scanning: > > > Starting > > -- > Julian Field > www.MailScanner.info > Professional Support Services at www.MailScanner.biz > MailScanner thanks transtec Computers for their support This footnote also confirms that this email message has been swept by MIMEsweeper for the presence of computer viruses *********************************************************************************** From mailscanner at ecs.soton.ac.uk Thu Mar 27 18:48:56 2003 
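The checklist quoted in the message above (which user MailScanner runs as, and whether that user can use each configured directory) can be run as a single script. This is an added example, not code from the thread or from the MailScanner project: the setting names, paths and the mail uid/gid of 8 come from Scott's reply, while the owners and modes in CONSTRUCTED_STAT and all function names are assumptions made for illustration.

```python
"""Audit the directories named in MailScanner.conf against the Run As User."""
import os
import stat
import sys
from types import SimpleNamespace

# Directory settings from the checklist in the thread.
DIR_KEYS = ("Incoming Queue Dir", "Outgoing Queue Dir",
            "Incoming Work Dir", "Quarantine Dir")

# Settings as posted in the thread (most comments trimmed).
SAMPLE_CONF = """\
# User to run as (not normally used for sendmail)
Run As User = mail
Run As Group = mail
Incoming Queue Dir = /var/spool/exim_incoming/input
Outgoing Queue Dir = /var/spool/exim/input
Incoming Work Dir = /var/spool/MailScanner/incoming
Quarantine Dir = /var/spool/MailScanner/quarantine
PID file = /opt/MailScanner/var/MailScanner.pid
MTA = exim
"""


def _dir(mode, uid, gid):
    return SimpleNamespace(st_mode=stat.S_IFDIR | mode, st_uid=uid, st_gid=gid)


# CONSTRUCTED owners and modes for the demo; not taken from the poster's host.
CONSTRUCTED_STAT = {
    "/var/spool/exim_incoming/input": _dir(0o750, 8, 8),   # mail:mail rwxr-x---
    "/var/spool/exim/input": _dir(0o750, 0, 8),            # root:mail rwxr-x---
    "/var/spool/MailScanner/incoming": _dir(0o700, 0, 0),  # root:root rwx------
    "/opt/MailScanner/var": _dir(0o755, 8, 8),             # mail:mail rwxr-xr-x
    # the quarantine directory is deliberately absent
}


def constructed_stat(path):
    """Stand-in for os.stat() backed by CONSTRUCTED_STAT."""
    if path not in CONSTRUCTED_STAT:
        raise FileNotFoundError(2, "No such file or directory", path)
    return CONSTRUCTED_STAT[path]


def parse_conf(text):
    """Parse 'Key = Value' lines, skipping blank lines and # comments."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip()
    return settings


def effective_bits(st, uid, gids):
    """Classic Unix check: owner bits, else group bits, else other (ACLs ignored)."""
    if uid == 0:
        return 7
    if uid == st.st_uid:
        return (st.st_mode >> 6) & 7
    if st.st_gid in gids:
        return (st.st_mode >> 3) & 7
    return st.st_mode & 7


def audit(conf_text, uid, gids, stat_fn=os.stat):
    """Return (setting, path, problem) for every directory the user cannot fully use.

    Assumption of this example: anything less than rwx on a queue, work,
    quarantine or PID directory is reported.
    """
    settings = parse_conf(conf_text)
    targets = [(k, settings[k]) for k in DIR_KEYS if k in settings]
    if "PID file" in settings:
        targets.append(("PID file", os.path.dirname(settings["PID file"])))
    findings = []
    for key, path in targets:
        try:
            st = stat_fn(path)
        except OSError as exc:
            findings.append((key, path, "cannot stat: %s" % (exc.strerror or exc)))
            continue
        if not stat.S_ISDIR(st.st_mode):
            # The conf comments say some of these may name a ruleset file instead.
            findings.append((key, path, "not a directory (a ruleset file?)"))
            continue
        bits = effective_bits(st, uid, gids)
        if bits != 7:
            have = "".join(c if bits & m else "-" for c, m in zip("rwx", (4, 2, 1)))
            findings.append((key, path, "uid %d has %s, needs rwx" % (uid, have)))
    return findings


def demo():
    """Run the audit for mail (uid 8, gid 8) against the constructed table."""
    return audit(SAMPLE_CONF, uid=8, gids={8}, stat_fn=constructed_stat)


if __name__ == "__main__":
    if len(sys.argv) > 1:  # real run: python3 audit.py /path/to/MailScanner.conf
        import grp
        import pwd
        with open(sys.argv[1]) as fh:
            conf = fh.read()
        cfg = parse_conf(conf)
        pw = pwd.getpwnam(cfg["Run As User"])
        gids = set(os.getgrouplist(pw.pw_name, pw.pw_gid))
        if "Run As Group" in cfg:
            gids.add(grp.getgrnam(cfg["Run As Group"]).gr_gid)
        results = audit(conf, pw.pw_uid, gids)
    else:
        results = demo()
    for key, path, problem in results:
        print("%-20s %-40s %s" % (key, path, problem))
```

Only the named directory itself is checked; search permission on its parent directories still has to be confirmed with "ls -ld" on each level.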
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:37 2006 Subject: email in exim incoming queue is not getting processed -- Please help In-Reply-To: <3EA1A302A4978A4C970D2C63F327156E65858B@worc-mail2.int.morganco.com> Message-ID: <5.2.0.9.2.20030327184621.023ea1f0@imap.ecs.soton.ac.uk>

In your MailScanner.conf, what are the values of
MTA
Run As User
Run As Group
Incoming Queue Dir
Outgoing Queue Dir
Incoming Work Dir
Quarantine Dir
PID file

For the relevant "Run As User", please supply the line from the /etc/passwd file.
For the relevant "Run As User", please do "ls -ld" of the home directory.
For each of the "Dir" variables above, please do an "ls -ld" of each one.

Sounds like it's a permissions problem.

At 18:42 27/03/2003, you wrote:
>Let's try an attachment so it's readable.
>
>Sorry for the double post.
>
>Scott
>
> > -----Original Message-----
> > From: Hancock, Scott
> > Sent: Thursday, March 27, 2003 1:30 PM
> > To: MAILSCANNER@JISCMAIL.AC.UK
> > Subject: Re: email in exim incoming queue is not getting processed --
> > Please help
> >
> > Here is some of my mail.log file.
> >
> > I did the restart at 8:23. Looks like the queue went down yesterday
>at
> > 14:21
> >
> > Gaps below indicate places I snipped the log.
> >
> >
> > Thanks
> >
> > Scott
> >
> >
> > Mar 26 14:21:09 pebbles MailScanner[17287]: New Batch: Found 36
>messages
> > waiting
> > Mar 26 14:21:09 pebbles MailScanner[17287]: New Batch: Scanning 1
> > messages, 2078 bytes
> > Mar 26 14:21:09 pebbles MailScanner[17287]: Virus and Content
>Scanning:
> > Starting

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

From dbird at SGHMS.AC.UK Thu Mar 27 18:41:35 2003
From: dbird at SGHMS.AC.UK (Daniel Bird) Date: Thu Jan 12 21:17:37 2006 Subject: email in exim incoming queue is not getting processed -- Please help References: <3EA1A302A4978A4C970D2C63F327156E658589@worc-mail2.int.morganco.com> Message-ID: <3E8345DF.6000607@sghms.ac.uk>

Hancock, Scott wrote:

>Here is some of my mail.log file.
>
>I did the restart at 8:23. Looks like the queue went down yesterday at
>14:21
>
>Gaps below indicate places I snipped the log.
>
>
>Thanks
>
>Scott
>
>< snip>
>Mar 27 08:23:56 pebbles MailScanner[23069]: Using locktype = posix
>Mar 27 08:23:56 pebbles MailScanner[23069]: Creating hardcoded
>struct_flock subroutine for linux (Linux-type)
>Mar 27 08:23:56 pebbles MailScanner[23069]: New Batch: Found 2180
>messages waiting
>Mar 27 08:23:56 pebbles MailScanner[23069]: New Batch: Scanning 100
>messages, 4393367 bytes
>Mar 27 08:24:04 pebbles MailScanner[23097]: MailScanner E-Mail Virus
>Scanner version 4.13-3 starting...
>

something to check out?....

>Mar 27 08:24:04 pebbles MailScanner[23097]: User's home directory /root
>is not writable
>

Also, from your log it looks as though MS is seeing all your messages, as the numbers are changing. What's the load like on your system?

I don't know if it's significant but there is a huge jump in the number of messages MS is seeing...

>Mar 27 12:34:04 pebbles MailScanner[775]: New Batch: Found 707 messages
>waiting
>Mar 27 12:34:04 pebbles MailScanner[775]: New Batch: Scanning 1
>messages, 4155 bytes
>Mar 27 12:34:06 pebbles MailScanner[775]: Virus and Content Scanning:
>Starting
>Mar 27 12:34:06 pebbles MailScanner[775]: Uninfected: Delivered 1
>messages
>Mar 27 12:35:38 pebbles MailScanner[737]: New Batch: Found 19065
>messages waiting

Are any of the remaining messages in your queue marked as frozen or locked in your exim log?

>
>>-----Original Message-----
>>From: Daniel Bird [mailto:dbird@SGHMS.AC.UK] >>Sent: Thursday, March 27, 2003 1:03 PM >>To: MAILSCANNER@JISCMAIL.AC.UK >>Subject: Re: email in exim incoming queue is not getting processed -- >>Please help >> >>I didn't read the last bit of your mail properly! It sounds MS is >>processing your mail. >> >>What does your maillog say? Or your exim log? >> >>Hancock, Scott wrote: >> >> >> >>>Dan, >>> >>>Do you think this could still be the problem given I'm able to >>> >>> >process > > >>>new mail? >>> >>>This email passed through the same queue's to and from the list. >>> >>>To me you're suggestion infers the assumption it's not working at >>> >>> >all. > > >>>What do you think? >>> >>> >>> >>> >>Sorry, I didn't read your mail properly! It sounds MS is processing >> >> >your > > >>mail OK if new mails are delivered. >> >>What does your maillog say? MS should give an indication of how many >>messages it sees in your input queue >> >>Or your exim log? Any unusual events there? >> >>Dan >> >> >> >>>Scott >>> >>> >>> >>> >>> >>>>-----Original Message----- 
>>>>From: Daniel Bird [mailto:dbird@SGHMS.AC.UK] >>>>Sent: Thursday, March 27, 2003 12:17 PM >>>>To: MAILSCANNER@JISCMAIL.AC.UK >>>>Subject: Re: email in exim incoming queue is not getting processed >>>> >>>> >-- > > >>>>Please help >>>> >>>>Scott, >>>>I had a similar problem with exim and finding it's input and ouput >>>> >>>> >>>> >>>> >>>queues. >>> >>> >>> >>> >>>>For some reason my version (4.12, but also when I was using 3.x - >>>>probably a configure option;-) decided if I told it to use >>>> >>>>/var/spool/exim/input >>>> >>>>it actually looked in /var/spool/exim/input/input >>>>and likewise for /var/spool/exim/output >>>> >>>> >>>> >>>> >>>(/var/spool/exim/output/input). >>> >>> >>> >>> >>>>ie, always added 'input' to the dir structure >>>> >>>>To get 'round this I have : >>>> >>>>in exim.conf.out >>>>spool_directory = /var/spool/exim/outgoing >>>> >>>>and in MailScanner.conf >>>>Incoming Queue Dir = /var/spool/exim/input >>>>Outgoing Queue Dir = /var/spool/exim/outgoing/input >>>> >>>>Works for me! >>>> >>>>Regards >>>>Dan >>>> >>>>Hancock, Scott wrote: >>>> >>>> >>>> >>>> >>>> >>>>>Greetings all, >>>>> >>>>>This is a restate of a previous help request. >>>>> >>>>>Exim incoming has written a pile of messages to >>>>>/var/spool/exim/incoming/input. >>>>> >>>>>For some reason mailscanner is not acting on these messages. >>>>> >>>>>Any guidance on how to troubleshoot or information on under what >>>>>conditions mailscanner would not find or accept these files would >>>>> >>>>> >be > > >>>>>greatly appreciated. >>>>> >>>>>Debian sarge >>>>>Exim 3.36 >>>>>MS 4.13 >>>>>Sa 2.44 >>>>> >>>>>All new incoming mails are scanned and delivered. >>>>> >>>>>exim -bp shows the mail in the incoming directory without any >>>>> >>>>> >>>>> >>>>> >>>errors. >>> >>> >>> >>> >>>>>The queue originally had 1500 unscanned emails a Mainscanner >>>>> >>>>> >restart > > >>>>>delivered half of these but I still have about 700 waiting for >>>>> >>>>> >>>>> >>>>> >>>deliver. 
>>>>>I'll gladly post any conf files. >>>>> >>>>>Please help. >>>>> >>>>>Scott Hancock >>>>> >>>>-- >>>>This message has been scanned for viruses and >>>>dangerous content by MailScanner, and is >>>>believed to be clean. >>>>Mailscanner thanks transtec Computers for their support. >> >>-- >>This message has been scanned for viruses and >>dangerous content by MailScanner, and is >>believed to be clean. >>Mailscanner thanks transtec Computers for their support.
-- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. Mailscanner thanks transtec Computers for their support.
From HancockS at MORGANCO.COM Thu Mar 27 19:25:26 2003
From: HancockS at MORGANCO.COM (Hancock, Scott) Date: Thu Jan 12 21:17:37 2006 Subject: email in exim incoming queue is not getting processed -- Please help Message-ID: <3EA1A302A4978A4C970D2C63F327156E65858E@worc-mail2.int.morganco.com> Julian, You might be interested to know that there are many messages in the /var/spool/MailScanner/incoming directories modified at 10:56 today or 3 hours ago. I have to run out for a bit. I may be as long as 2 hours. Thanks again Scott
From joe at QITC.CO.UK Thu Mar 27 19:38:53 2003
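The three things picked out of the log in the messages above (the "home directory is not writable" warning, the jumps in "Found N messages waiting", and the repeated SpamAssassin timeouts) can be pulled from a mail.log mechanically. This is an added example, not code from the thread or from MailScanner: the sample lines are copied from the log posted in the thread, and the function names, the 5x jump factor, the 300-second window and the year 2003 (syslog lines carry no year) are assumptions of the example.

```python
"""Summarise MailScanner syslog lines: queue-count jumps, SA timeouts, warnings."""
import re
from datetime import datetime

# Lines copied from the mail.log excerpt posted in the thread.
SAMPLE_LOG = """\
Mar 27 08:24:04 pebbles MailScanner[23097]: User's home directory /root is not writable
Mar 27 12:34:01 pebbles MailScanner[775]: New Batch: Found 707 messages waiting
Mar 27 12:34:04 pebbles MailScanner[775]: New Batch: Found 707 messages waiting
Mar 27 12:35:38 pebbles MailScanner[737]: New Batch: Found 19065 messages waiting
Mar 27 12:35:45 pebbles MailScanner[775]: New Batch: Found 12004 messages waiting
Mar 27 12:35:49 pebbles MailScanner[737]: New Batch: Found 1414 messages waiting
Mar 27 12:58:57 pebbles MailScanner[775]: SpamAssassin timed out and was killed, consecutive failure 1 of 20
Mar 27 12:59:41 pebbles MailScanner[775]: SpamAssassin timed out and was killed, consecutive failure 2 of 20
Mar 27 13:00:27 pebbles MailScanner[775]: SpamAssassin timed out and was killed, consecutive failure 3 of 20
Mar 27 13:01:10 pebbles MailScanner[775]: SpamAssassin timed out and was killed, consecutive failure 4 of 20
Mar 27 13:01:19 pebbles MailScanner[737]: SpamAssassin timed out and was killed, consecutive failure 1 of 20
"""

LINE_RE = re.compile(
    r"^(\w{3}\s+\d{1,2}\s\d\d:\d\d:\d\d) \S+ MailScanner\[(\d+)\]: (.*)$")
FOUND_RE = re.compile(r"New Batch: Found (\d+) messages waiting")
TIMEOUT_RE = re.compile(
    r"SpamAssassin timed out and was killed, consecutive failure (\d+) of (\d+)")
HOME_RE = re.compile(r"User's home directory (\S+) is not writable")


def parse(text, year=2003):
    """Return time-ordered (timestamp, pid, message) tuples for MailScanner lines.

    Expects unwrapped syslog lines; lines re-wrapped by a mail client
    (as in the quoted replies) do not match and are skipped.
    """
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        when = datetime.strptime("%d %s" % (year, m.group(1)), "%Y %b %d %H:%M:%S")
        events.append((when, int(m.group(2)), m.group(3)))
    events.sort(key=lambda e: e[0])
    return events


def queue_jumps(events, factor=5.0, window=300):
    """Flag consecutive queue counts that differ by >= factor within window seconds.

    All children count the same incoming queue, so the counts are compared
    across PIDs in time order.
    """
    jumps, prev = [], None
    for when, _pid, msg in events:
        m = FOUND_RE.search(msg)
        if not m:
            continue
        count = int(m.group(1))
        if prev is not None:
            p_when, p_count = prev
            ratio = max(count, p_count) / max(min(count, p_count), 1)
            if ratio >= factor and (when - p_when).total_seconds() <= window:
                jumps.append((p_when.strftime("%H:%M:%S"),
                              when.strftime("%H:%M:%S"), p_count, count))
        prev = (when, count)
    return jumps


def worst_timeouts(events):
    """Per child PID: (highest consecutive SpamAssassin failure seen, limit)."""
    worst = {}
    for _when, pid, msg in events:
        m = TIMEOUT_RE.search(msg)
        if m:
            n, limit = int(m.group(1)), int(m.group(2))
            if n > worst.get(pid, (0, limit))[0]:
                worst[pid] = (n, limit)
    return worst


def summarize(text):
    events = parse(text)
    homes = sorted({m.group(1) for _w, _p, msg in events
                    for m in [HOME_RE.search(msg)] if m})
    return {"jumps": queue_jumps(events),
            "timeouts": worst_timeouts(events),
            "unwritable_homes": homes}


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for start, end, before, after in report["jumps"]:
        print("queue count %d -> %d between %s and %s" % (before, after, start, end))
    for pid, (n, limit) in sorted(report["timeouts"].items()):
        print("child %d: SpamAssassin consecutive failure %d of %d" % (pid, n, limit))
    for home in report["unwritable_homes"]:
        print("home directory not writable: %s" % home)
```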
From: joe at QITC.CO.UK (Joe Quinn) Date: Thu Jan 12 21:17:37 2006 Subject: Custom spam score References: <9F18B7DDBA88E544AB1F1995148916660145E0@lkl63.ltkalmar.se> <005201c2d774$26dea9a0$0d4bd3c8@A3C4J5> <007201c2d776$21e6ecd0$01000001@Compaq> <038901c2d809$8307b1a0$18720550@T20> <1045666320.2167.44.camel@dbeauchemin.si.usherbrooke.ca> <004501c2d82f$b3ab84a0$2d30c3c1@T20> Message-ID: <05f901c2f498$7fe64940$5d876751@T20> Hi, In the /etc/MailScanner/spam.assassin.prefs.conf what do I put to get a custom spam score for email coming into my server *to* a particular email address, what I want is that any email coming to this address is deleted. Cheers, Joe www.qitc.net From HancockS at MORGANCO.COM Thu Mar 27 18:30:09 2003
From: HancockS at MORGANCO.COM (Hancock, Scott) Date: Thu Jan 12 21:17:37 2006 Subject: email in exim incoming queue is not getting processed -- Please help Message-ID: <3EA1A302A4978A4C970D2C63F327156E658589@worc-mail2.int.morganco.com> Here is some of my mail.log file. I did the restart at 8:23. Looks like the queue went down yesterday at 14:21 Gaps below indicate places I snipped the log. Thanks Scott Mar 26 14:21:09 pebbles MailScanner[17287]: New Batch: Found 36 messages waiting Mar 26 14:21:09 pebbles MailScanner[17287]: New Batch: Scanning 1 messages, 2078 bytes Mar 26 14:21:09 pebbles MailScanner[17287]: Virus and Content Scanning: Starting Mar 26 14:21:10 pebbles MailScanner[17287]: Uninfected: Delivered 1 messages Mar 26 14:21:29 pebbles MailScanner[12401]: MailScanner child caught a SIGHUP Mar 26 14:21:29 pebbles MailScanner[17681]: MailScanner child caught a SIGHUP Mar 26 14:21:29 pebbles MailScanner[13277]: MailScanner child caught a SIGHUP Mar 26 14:21:29 pebbles MailScanner[17287]: MailScanner child caught a SIGHUP Mar 26 14:21:29 pebbles MailScanner[16329]: MailScanner child caught a SIGHUP Mar 26 14:21:29 pebbles MailScanner[15128]: MailScanner child caught a SIGHUP Mar 26 14:21:29 pebbles MailScanner[13549]: MailScanner child caught a SIGHUP Mar 26 14:21:29 pebbles MailScanner[14608]: MailScanner child caught a SIGHUP Mar 26 14:21:29 pebbles MailScanner[761]: MailScanner child caught a SIGHUP Mar 26 14:21:29 pebbles MailScanner[26346]: MailScanner child caught a SIGHUP Mar 26 15:01:56 pebbles F-Prot autoupdate[28704]: F-Prot successfully updated. Mar 26 18:00:08 pebbles F-Prot autoupdate[31632]: F-Prot did not need updating. Mar 26 21:00:02 pebbles F-Prot autoupdate[5522]: F-Prot did not need updating. Mar 27 00:00:02 pebbles F-Prot autoupdate[14688]: F-Prot did not need updating. Mar 27 03:00:04 pebbles F-Prot autoupdate[27398]: F-Prot did not need updating. Mar 27 06:00:02 pebbles F-Prot autoupdate[11650]: F-Prot did not need updating. 
Mar 27 08:23:54 pebbles MailScanner[23069]: MailScanner E-Mail Virus Scanner version 4.13-3 starting... Mar 27 08:23:54 pebbles MailScanner[23069]: User's home directory /root is not writable Mar 27 08:23:56 pebbles MailScanner[23069]: Using locktype = posix Mar 27 08:23:56 pebbles MailScanner[23069]: Creating hardcoded struct_flock subroutine for linux (Linux-type) Mar 27 08:23:56 pebbles MailScanner[23069]: New Batch: Found 2180 messages waiting Mar 27 08:23:56 pebbles MailScanner[23069]: New Batch: Scanning 100 messages, 4393367 bytes Mar 27 08:24:04 pebbles MailScanner[23097]: MailScanner E-Mail Virus Scanner version 4.13-3 starting... Mar 27 08:24:04 pebbles MailScanner[23097]: User's home directory /root is not writable Mar 27 08:24:09 pebbles MailScanner[23097]: Using locktype = posix Mar 27 08:24:09 pebbles MailScanner[23097]: Creating hardcoded struct_flock subroutine for linux (Linux-type) Mar 27 08:24:09 pebbles MailScanner[23097]: New Batch: Found 2181 messages waiting Mar 27 08:24:09 pebbles MailScanner[23097]: New Batch: Scanning 100 messages, 11392498 bytes Mar 27 08:24:14 pebbles MailScanner[23150]: MailScanner E-Mail Virus Scanner version 4.13-3 starting... Mar 27 08:24:14 pebbles MailScanner[23150]: User's home directory /root is not writable Mar 27 08:24:17 pebbles MailScanner[23150]: Using locktype = posix Mar 27 08:24:17 pebbles MailScanner[23150]: Creating hardcoded struct_flock subroutine for linux (Linux-type) Mar 27 08:24:18 pebbles MailScanner[23150]: New Batch: Found 2182 messages waiting Mar 27 08:24:18 pebbles MailScanner[23150]: New Batch: Scanning 100 messages, 5726911 bytes Mar 27 08:24:24 pebbles MailScanner[23232]: MailScanner E-Mail Virus Scanner version 4.13-3 starting... 
Mar 27 08:24:24 pebbles MailScanner[23232]: User's home directory /root is not writable Mar 27 08:24:27 pebbles MailScanner[23232]: Using locktype = posix Mar 27 08:24:27 pebbles MailScanner[23232]: Creating hardcoded struct_flock subroutine for linux (Linux-type) Mar 27 08:24:28 pebbles MailScanner[23232]: New Batch: Found 2182 messages waiting Mar 27 08:24:28 pebbles MailScanner[23232]: New Batch: Scanning 100 messages, 4924347 bytes Mar 27 08:25:36 pebbles MailScanner[23590]: New Batch: Found 2185 messages waiting Mar 27 08:25:36 pebbles MailScanner[23590]: New Batch: Scanning 100 messages, 1542723 bytes Mar 27 08:25:38 pebbles MailScanner[23097]: SpamAssassin timed out and was killed, consecutive failure 1 of 20 Mar 27 08:25:48 pebbles MailScanner[23422]: SpamAssassin timed out and was killed, consecutive failure 1 of 20 Mar 27 08:26:04 pebbles MailScanner[23150]: SpamAssassin timed out and was killed, consecutive failure 1 of 20 Mar 27 08:26:07 pebbles MailScanner[23232]: SpamAssassin timed out and was killed, consecutive failure 1 of 20 Mar 27 08:26:19 pebbles MailScanner[23307]: SpamAssassin timed out and was killed, consecutive failure 1 of 20 Mar 27 08:26:25 pebbles MailScanner[23590]: SpamAssassin timed out and was killed, consecutive failure 1 of 20 Mar 27 08:26:47 pebbles MailScanner[23484]: SpamAssassin timed out and was killed, consecutive failure 1 of 20 Mar 27 08:27:07 pebbles MailScanner[23097]: Spam Checks: Found 13 spam messages Mar 27 08:27:23 pebbles MailScanner[23534]: SpamAssassin timed out and was killed, consecutive failure 1 of 20 Mar 27 08:27:40 pebbles MailScanner[23097]: Virus and Content Scanning: Starting Mar 27 08:27:47 pebbles MailScanner[23307]: SpamAssassin timed out and was killed, consecutive failure 1 of 20 Mar 27 08:27:56 pebbles MailScanner[23097]: Uninfected: Delivered 100 messages Mar 27 08:28:01 pebbles MailScanner[23097]: New Batch: Found 2093 messages waiting Mar 27 08:28:01 pebbles MailScanner[23097]: New Batch: 
Scanning 100 messages, 1443894 bytes Mar 27 08:28:23 pebbles MailScanner[23150]: Spam Checks: Found 12 spam messages Mar 27 08:28:33 pebbles MailScanner[23534]: SpamAssassin timed out and was killed, consecutive failure 2 of 20 Mar 27 08:28:38 pebbles MailScanner[23365]: SpamAssassin timed out and was killed, consecutive failure 1 of 20 Mar 27 08:28:44 pebbles MailScanner[23150]: Virus and Content Scanning: Starting Mar 27 08:28:51 pebbles MailScanner[23150]: /var/spool/MailScanner/incoming/23150/18yMjm-00026K-00/UGINE.zip->103290 $ Mar 27 08:28:51 pebbles MailScanner[23150]: /var/spool/MailScanner/incoming/23150/18yMjm-00026K-00/UGINE.zip->103290 $ Mar 27 08:28:51 pebbles MailScanner[23150]: /var/spool/MailScanner/incoming/23150/18yMjm-00026K-00/UGINE.zip->103290 $ Mar 27 08:28:51 pebbles MailScanner[23150]: /var/spool/MailScanner/incoming/23150/18yMjm-00026K-00/UGINE.zip->103290 $ Mar 27 08:28:51 pebbles MailScanner[23150]: /var/spool/MailScanner/incoming/23150/18yMjm-00026K-00/UGINE.zip->103296 $ Mar 27 08:28:51 pebbles MailScanner[23150]: /var/spool/MailScanner/incoming/23150/18yMjm-00026K-00/UGINE.zip->103296 $ Mar 27 08:28:57 pebbles MailScanner[23150]: Uninfected: Delivered 100 messages Mar 27 08:29:01 pebbles MailScanner[23150]: New Batch: Found 1998 messages waiting Mar 27 08:29:02 pebbles MailScanner[23150]: New Batch: Scanning 100 messages, 5453460 bytes Mar 27 08:29:26 pebbles MailScanner[23097]: SpamAssassin timed out and was killed, consecutive failure 1 of 20 Mar 27 08:29:56 pebbles MailScanner[23150]: SpamAssassin timed out and was killed, consecutive failure 1 of 20 Mar 27 08:30:02 pebbles MailScanner[23307]: SpamAssassin timed out and was killed, consecutive failure 1 of 20 Mar 27 08:30:04 pebbles MailScanner[23590]: SpamAssassin timed out and was killed, consecutive failure 1 of 20 Mar 27 08:30:43 pebbles MailScanner[23097]: SpamAssassin timed out and was killed, consecutive failure 1 of 20 Mar 27 08:30:48 pebbles MailScanner[23590]: SpamAssassin 
timed out and was killed, consecutive failure 1 of 20 Mar 27 08:31:07 pebbles MailScanner[23307]: SpamAssassin timed out and was killed, consecutive failure 1 of 20 Mar 27 08:31:30 pebbles MailScanner[23307]: Spam Checks: Found 16 spam messages Mar 27 08:32:05 pebbles MailScanner[23307]: Virus and Content Scanning: Starting Mar 27 08:32:17 pebbles MailScanner[23307]: /var/spool/MailScanner/incoming/23307/18yNkh-0005cs-00/msg-23307-29.txt- $ Mar 27 08:32:17 pebbles MailScanner[23307]: Virus Scanning: F-Prot found virus W32/Klez.H@mm Mar 27 08:32:17 pebbles MailScanner[23307]: Virus Scanning: f-prot found 1 infections Mar 27 08:32:17 pebbles MailScanner[23307]: Virus Scanning: Found 1 viruses Mar 27 08:32:19 pebbles MailScanner[23307]: Saved infected "msg-23307-29.txt" to /var/spool/MailScanner/quarantine/2$ Mar 27 08:32:20 pebbles MailScanner[23150]: SpamAssassin timed out and was killed, consecutive failure 1 of 20 Mar 27 12:39:59 pebbles MailScanner[737]: Expanding TNEF archive at /var/spool/MailScanner/incoming/737/18yg2L-0001uC-00/winmail.dat Mar 27 12:40:00 pebbles MailScanner[737]: Corrupt TNEF winmail.dat that cannot be analysed in message 18yg2L-0001uC-00 Mar 27 12:40:00 pebbles MailScanner[737]: Virus and Content Scanning: Starting Mar 27 12:51:54 pebbles MailScanner[737]: Virus and Content Scanning: Starting Mar 27 12:51:54 pebbles MailScanner[737]: Content Checks: Fixed awkward MIME boundary for Cyrus IMAP server in 18ygDM-0002tP-00 Mar 27 12:51:54 pebbles MailScanner[737]: Uninfected: Delivered 1 messages Mar 27 12:51:58 pebbles MailScanner[775]: New Batch: Found 1414 messages waiting Mar 27 12:58:08 pebbles MailScanner[737]: Virus and Content Scanning: Starting Mar 27 12:58:08 pebbles MailScanner[737]: Uninfected: Delivered 1 messages Mar 27 12:58:11 pebbles MailScanner[775]: SpamAssassin timed out and was killed, consecutive failure 1 of 20 Mar 27 12:58:16 pebbles MailScanner[737]: New Batch: Found 1421 messages waiting Mar 27 12:58:16 pebbles 
MailScanner[737]: New Batch: Scanning 1 messages, 3036 bytes pebbles MailScanner[775]: New Batch: Scanning 1 messages, 1521 bytes Mar 27 12:32:33 pebbles MailScanner[775]: Virus and Content Scanning: Starting Mar 27 12:32:33 pebbles MailScanner[737]: New Batch: Found 2120 messages waiting Mar 27 12:32:33 pebbles MailScanner[737]: New Batch: Scanning 1 messages, 3360 bytes Mar 27 12:32:33 pebbles MailScanner[775]: Uninfected: Delivered 1 messages Mar 27 12:32:34 pebbles MailScanner[737]: Virus and Content Scanning: Starting Mar 27 12:32:35 pebbles MailScanner[737]: Uninfected: Delivered 1 messages Mar 27 12:32:41 pebbles MailScanner[775]: New Batch: Found 1414 messages waiting Mar 27 12:32:41 pebbles MailScanner[775]: New Batch: Scanning 1 messages, 5214 bytes Mar 27 12:32:42 pebbles MailScanner[775]: Virus and Content Scanning: Starting Mar 27 12:32:43 pebbles MailScanner[775]: Uninfected: Delivered 1 messages Mar 27 12:32:55 pebbles MailScanner[737]: New Batch: Found 2826 messages waiting Mar 27 12:32:55 pebbles MailScanner[737]: New Batch: Scanning 1 messages, 1265 bytes Mar 27 12:32:56 pebbles MailScanner[737]: Virus and Content Scanning: Starting Mar 27 12:32:57 pebbles MailScanner[737]: Uninfected: Delivered 1 messages Mar 27 12:33:58 pebbles MailScanner[775]: New Batch: Found 9180 messages waiting Mar 27 12:33:58 pebbles MailScanner[775]: New Batch: Scanning 1 messages, 2093 bytes Mar 27 12:33:59 pebbles MailScanner[775]: Spam Checks: Found 1 spam messages Mar 27 12:33:59 pebbles MailScanner[775]: Virus and Content Scanning: Starting Mar 27 12:33:59 pebbles MailScanner[775]: Uninfected: Delivered 1 messages Mar 27 12:34:01 pebbles MailScanner[775]: New Batch: Found 707 messages waiting Mar 27 12:34:01 pebbles MailScanner[775]: New Batch: Scanning 1 messages, 3288 bytes Mar 27 12:34:02 pebbles MailScanner[775]: Virus and Content Scanning: Starting Mar 27 12:34:03 pebbles MailScanner[775]: Uninfected: Delivered 1 messages Mar 27 12:34:04 pebbles 
MailScanner[775]: New Batch: Found 707 messages waiting Mar 27 12:34:04 pebbles MailScanner[775]: New Batch: Scanning 1 messages, 4155 bytes Mar 27 12:34:06 pebbles MailScanner[775]: Virus and Content Scanning: Starting Mar 27 12:34:06 pebbles MailScanner[775]: Uninfected: Delivered 1 messages Mar 27 12:35:38 pebbles MailScanner[737]: New Batch: Found 19065 messages waiting Mar 27 12:35:38 pebbles MailScanner[737]: New Batch: Scanning 1 messages, 7559 bytes Mar 27 12:35:40 pebbles MailScanner[737]: Virus and Content Scanning: Starting Mar 27 12:35:41 pebbles MailScanner[737]: Uninfected: Delivered 1 messages Mar 27 12:35:45 pebbles MailScanner[775]: New Batch: Found 12004 messages waiting Mar 27 12:35:45 pebbles MailScanner[775]: New Batch: Scanning 1 messages, 9559 bytes Mar 27 12:35:47 pebbles MailScanner[775]: Virus and Content Scanning: Starting Mar 27 12:35:48 pebbles MailScanner[775]: Uninfected: Delivered 1 messages Mar 27 12:35:49 pebbles MailScanner[737]: New Batch: Found 1414 messages waiting Mar 27 12:35:49 pebbles MailScanner[737]: New Batch: Scanning 1 messages, 3765 bytes Mar 27 12:35:50 pebbles MailScanner[737]: Virus and Content Scanning: Starting Mar 27 12:58:17 pebbles MailScanner[737]: Virus and Content Scanning: Starting Mar 27 12:58:18 pebbles MailScanner[737]: Uninfected: Delivered 1 messages Mar 27 12:58:32 pebbles MailScanner[737]: New Batch: Found 2131 messages waiting Mar 27 12:58:32 pebbles MailScanner[737]: New Batch: Scanning 1 messages, 9922 bytes Mar 27 12:58:57 pebbles MailScanner[775]: SpamAssassin timed out and was killed, consecutive failure 1 of 20 Mar 27 12:59:02 pebbles MailScanner[737]: SpamAssassin timed out and was killed, consecutive failure 1 of 20 Mar 27 12:59:15 pebbles MailScanner[737]: Virus and Content Scanning: Starting Mar 27 12:59:16 pebbles MailScanner[737]: Uninfected: Delivered 1 messages Mar 27 12:59:17 pebbles MailScanner[737]: New Batch: Found 716 messages waiting Mar 27 12:59:17 pebbles MailScanner[737]: New 
Batch: Scanning 6 messages, 8703101 bytes Mar 27 12:59:41 pebbles MailScanner[775]: SpamAssassin timed out and was killed, consecutive failure 2 of 20 Mar 27 12:59:49 pebbles MailScanner[737]: SpamAssassin timed out and was killed, consecutive failure 1 of 20 Mar 27 12:59:54 pebbles MailScanner[775]: Virus and Content Scanning: Starting Mar 27 12:59:55 pebbles MailScanner[775]: Uninfected: Delivered 4 messages Mar 27 12:59:56 pebbles MailScanner[775]: New Batch: Found 715 messages waiting Mar 27 12:59:57 pebbles MailScanner[775]: New Batch: Scanning 3 messages, 21151 bytes Mar 27 13:00:27 pebbles MailScanner[775]: SpamAssassin timed out and was killed, consecutive failure 3 of 20 Mar 27 13:00:35 pebbles MailScanner[737]: SpamAssassin timed out and was killed, consecutive failure 2 of 20 Mar 27 13:01:10 pebbles MailScanner[775]: SpamAssassin timed out and was killed, consecutive failure 4 of 20 Mar 27 13:01:19 pebbles MailScanner[737]: SpamAssassin timed out and was killed, consecutive failure 1 of 20 Mar 27 13:01:23 pebbles MailScanner[775]: Virus and Content Scanning: Starting Mar 27 13:01:24 pebbles MailScanner[775]: Uninfected: Delivered 3 messages Mar 27 13:01:26 pebbles MailScanner[775]: New Batch: Found 720 messages waiting > -----Original Message----- 
> From: Daniel Bird [mailto:dbird@SGHMS.AC.UK] > Sent: Thursday, March 27, 2003 1:03 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: email in exim incoming queue is not getting processed -- > Please help > > I didn't read the last bit of your mail properly! It sounds MS is > processing your mail. > > What does your maillog say? Or your exim log? > > Hancock, Scott wrote: > > >Dan, > > > >Do you think this could still be the problem given I'm able to process > >new mail? > > > >This email passed through the same queue's to and from the list. > > > >To me you're suggestion infers the assumption it's not working at all. > > > >What do you think? > > > > > Sorry, I didn't read your mail properly! It sounds MS is processing your > mail OK if new mails are delivered. > > What does your maillog say? MS should give an indication of how many > messages it sees in your input queue > > Or your exim log? Any unusual events there? > > Dan > > >Scott > > > > > > > >>-----Original Message----- 
> >>From: Daniel Bird [mailto:dbird@SGHMS.AC.UK] > >>Sent: Thursday, March 27, 2003 12:17 PM > >>To: MAILSCANNER@JISCMAIL.AC.UK > >>Subject: Re: email in exim incoming queue is not getting processed -- > >>Please help > >> > >>Scott, > >>I had a similar problem with exim and finding it's input and ouput > >> > >> > >queues. > > > > > >>For some reason my version (4.12, but also when I was using 3.x - > >>probably a configure option;-) decided if I told it to use > >> > >>/var/spool/exim/input > >> > >>it actually looked in /var/spool/exim/input/input > >>and likewise for /var/spool/exim/output > >> > >> > >(/var/spool/exim/output/input). > > > > > >>ie, always added 'input' to the dir structure > >> > >>To get 'round this I have : > >> > >>in exim.conf.out > >>spool_directory = /var/spool/exim/outgoing > >> > >>and in MailScanner.conf > >>Incoming Queue Dir = /var/spool/exim/input > >>Outgoing Queue Dir = /var/spool/exim/outgoing/input > >> > >>Works for me! > >> > >>Regards > >>Dan > >> > >>Hancock, Scott wrote: > >> > >> > >> > >>>Greetings all, > >>> > >>>This is a restate of a previous help request. > >>> > >>>Exim incoming has written a pile of messages to > >>>/var/spool/exim/incoming/input. > >>> > >>>For some reason mailscanner is not acting on these messages. > >>> > >>>Any guidance on how to troubleshoot or information on under what > >>>conditions mailscanner would not find or accept these files would be > >>>greatly appreciated. > >>> > >>>Debian sarge > >>>Exim 3.36 > >>>MS 4.13 > >>>Sa 2.44 > >>> > >>>All new incoming mails are scanned and delivered. > >>> > >>>exim -bp shows the mail in the incoming directory without any > >>> > >>> > >errors. > > > > > >>>The queue originally had 1500 unscanned emails a Mainscanner restart > >>>delivered half of these but I still have about 700 waiting for > >>> > >>> > >deliver. > > > > > >>>I'll gladly post any conf files. > >>> > >>>Please help. 
> >>> > >>>Scott Hancock > >>> > >>> > >>> > >>> > >>> > >> > >>-- > >>This message has been scanned for viruses and > >>dangerous content by MailScanner, and is > >>believed to be clean. > >>Mailscanner thanks transtec Computers for their support. > >> > >> > > > > > > > > > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > Mailscanner thanks transtec Computers for their support. This footnote also confirms that this email message has been swept by MIMEsweeper for the presence of computer viruses *********************************************************************************** From HancockS at MORGANCO.COM Thu Mar 27 18:42:17 2003 From: HancockS at MORGANCO.COM (Hancock, Scott) Date: Thu Jan 12 21:17:37 2006 Subject: email in exim incoming queue is not getting processed -- Please help Message-ID: <3EA1A302A4978A4C970D2C63F327156E65858B@worc-mail2.int.morganco.com> Let's try an attachment so it's readable. Sorry for the double post. Scott > -----Original Message----- 
> From: Hancock, Scott > Sent: Thursday, March 27, 2003 1:30 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: email in exim incoming queue is not getting processed -- > Please help > > Here is some of my mail.log file. > > I did the restart at 8:23. Looks like the queue went down yesterday at > 14:21 > > Gaps below indicate places I snipped the log. > > > Thanks > > Scott > > > Mar 26 14:21:09 pebbles MailScanner[17287]: New Batch: Found 36 messages > waiting > Mar 26 14:21:09 pebbles MailScanner[17287]: New Batch: Scanning 1 > messages, 2078 bytes > Mar 26 14:21:09 pebbles MailScanner[17287]: Virus and Content Scanning: > Starting This footnote also confirms that this email message has been swept by MIMEsweeper for the presence of computer viruses *********************************************************************************** -------------- next part -------------- Mar 26 14:21:09 pebbles MailScanner[17287]: New Batch: Found 36 messages waiting Mar 26 14:21:09 pebbles MailScanner[17287]: New Batch: Scanning 1 messages, 2078 bytes Mar 26 14:21:09 pebbles MailScanner[17287]: Virus and Content Scanning: Starting Mar 26 14:21:10 pebbles MailScanner[17287]: Uninfected: Delivered 1 messages Mar 26 14:21:29 pebbles MailScanner[12401]: MailScanner child caught a SIGHUP Mar 26 14:21:29 pebbles MailScanner[17681]: MailScanner child caught a SIGHUP Mar 26 14:21:29 pebbles MailScanner[13277]: MailScanner child caught a SIGHUP Mar 26 14:21:29 pebbles MailScanner[17287]: MailScanner child caught a SIGHUP Mar 26 14:21:29 pebbles MailScanner[16329]: MailScanner child caught a SIGHUP Mar 26 14:21:29 pebbles MailScanner[15128]: MailScanner child caught a SIGHUP Mar 26 14:21:29 pebbles MailScanner[13549]: MailScanner child caught a SIGHUP Mar 26 14:21:29 pebbles MailScanner[14608]: MailScanner child caught a SIGHUP Mar 26 14:21:29 pebbles MailScanner[761]: MailScanner child caught a SIGHUP Mar 26 14:21:29 pebbles MailScanner[26346]: MailScanner child caught a SIGHUP Mar 26 
15:01:56 pebbles F-Prot autoupdate[28704]: F-Prot successfully updated. Mar 26 18:00:08 pebbles F-Prot autoupdate[31632]: F-Prot did not need updating. Mar 26 21:00:02 pebbles F-Prot autoupdate[5522]: F-Prot did not need updating. Mar 27 00:00:02 pebbles F-Prot autoupdate[14688]: F-Prot did not need updating. Mar 27 03:00:04 pebbles F-Prot autoupdate[27398]: F-Prot did not need updating. Mar 27 06:00:02 pebbles F-Prot autoupdate[11650]: F-Prot did not need updating. Mar 27 08:23:54 pebbles MailScanner[23069]: MailScanner E-Mail Virus Scanner version 4.13-3 starting... Mar 27 08:23:54 pebbles MailScanner[23069]: User's home directory /root is not writable Mar 27 08:23:56 pebbles MailScanner[23069]: Using locktype = posix Mar 27 08:23:56 pebbles MailScanner[23069]: Creating hardcoded struct_flock subroutine for linux (Linux-type) Mar 27 08:23:56 pebbles MailScanner[23069]: New Batch: Found 2180 messages waiting Mar 27 08:23:56 pebbles MailScanner[23069]: New Batch: Scanning 100 messages, 4393367 bytes Mar 27 08:24:04 pebbles MailScanner[23097]: MailScanner E-Mail Virus Scanner version 4.13-3 starting... Mar 27 08:24:04 pebbles MailScanner[23097]: User's home directory /root is not writable Mar 27 08:24:09 pebbles MailScanner[23097]: Using locktype = posix Mar 27 08:24:09 pebbles MailScanner[23097]: Creating hardcoded struct_flock subroutine for linux (Linux-type) Mar 27 08:24:09 pebbles MailScanner[23097]: New Batch: Found 2181 messages waiting Mar 27 08:24:09 pebbles MailScanner[23097]: New Batch: Scanning 100 messages, 11392498 bytes Mar 27 08:24:14 pebbles MailScanner[23150]: MailScanner E-Mail Virus Scanner version 4.13-3 starting... 
Mar 27 08:24:14 pebbles MailScanner[23150]: User's home directory /root is not writable Mar 27 08:24:17 pebbles MailScanner[23150]: Using locktype = posix Mar 27 08:24:17 pebbles MailScanner[23150]: Creating hardcoded struct_flock subroutine for linux (Linux-type) Mar 27 08:24:18 pebbles MailScanner[23150]: New Batch: Found 2182 messages waiting Mar 27 08:24:18 pebbles MailScanner[23150]: New Batch: Scanning 100 messages, 5726911 bytes Mar 27 08:24:24 pebbles MailScanner[23232]: MailScanner E-Mail Virus Scanner version 4.13-3 starting... Mar 27 08:24:24 pebbles MailScanner[23232]: User's home directory /root is not writable Mar 27 08:24:27 pebbles MailScanner[23232]: Using locktype = posix Mar 27 08:24:27 pebbles MailScanner[23232]: Creating hardcoded struct_flock subroutine for linux (Linux-type) Mar 27 08:24:28 pebbles MailScanner[23232]: New Batch: Found 2182 messages waiting Mar 27 08:24:28 pebbles MailScanner[23232]: New Batch: Scanning 100 messages, 4924347 bytes Mar 27 08:25:36 pebbles MailScanner[23590]: New Batch: Found 2185 messages waiting Mar 27 08:25:36 pebbles MailScanner[23590]: New Batch: Scanning 100 messages, 1542723 bytes Mar 27 08:25:38 pebbles MailScanner[23097]: SpamAssassin timed out and was killed, consecutive failure 1 of 20 Mar 27 08:25:48 pebbles MailScanner[23422]: SpamAssassin timed out and was killed, consecutive failure 1 of 20 Mar 27 08:26:04 pebbles MailScanner[23150]: SpamAssassin timed out and was killed, consecutive failure 1 of 20 Mar 27 08:26:07 pebbles MailScanner[23232]: SpamAssassin timed out and was killed, consecutive failure 1 of 20 Mar 27 08:26:19 pebbles MailScanner[23307]: SpamAssassin timed out and was killed, consecutive failure 1 of 20 Mar 27 08:26:25 pebbles MailScanner[23590]: SpamAssassin timed out and was killed, consecutive failure 1 of 20 Mar 27 08:26:47 pebbles MailScanner[23484]: SpamAssassin timed out and was killed, consecutive failure 1 of 20 Mar 27 08:27:07 pebbles MailScanner[23097]: Spam Checks: Found 
13 spam messages Mar 27 08:27:23 pebbles MailScanner[23534]: SpamAssassin timed out and was killed, consecutive failure 1 of 20 Mar 27 08:27:40 pebbles MailScanner[23097]: Virus and Content Scanning: Starting Mar 27 08:27:47 pebbles MailScanner[23307]: SpamAssassin timed out and was killed, consecutive failure 1 of 20 Mar 27 08:27:56 pebbles MailScanner[23097]: Uninfected: Delivered 100 messages Mar 27 08:28:01 pebbles MailScanner[23097]: New Batch: Found 2093 messages waiting Mar 27 08:28:01 pebbles MailScanner[23097]: New Batch: Scanning 100 messages, 1443894 bytes Mar 27 08:28:23 pebbles MailScanner[23150]: Spam Checks: Found 12 spam messages Mar 27 08:28:33 pebbles MailScanner[23534]: SpamAssassin timed out and was killed, consecutive failure 2 of 20 Mar 27 08:28:38 pebbles MailScanner[23365]: SpamAssassin timed out and was killed, consecutive failure 1 of 20 Mar 27 08:28:44 pebbles MailScanner[23150]: Virus and Content Scanning: Starting Mar 27 08:28:51 pebbles MailScanner[23150]: /var/spool/MailScanner/incoming/23150/18yMjm-00026K-00/UGINE.zip->103290$ Mar 27 08:28:51 pebbles MailScanner[23150]: /var/spool/MailScanner/incoming/23150/18yMjm-00026K-00/UGINE.zip->103290$ Mar 27 08:28:51 pebbles MailScanner[23150]: /var/spool/MailScanner/incoming/23150/18yMjm-00026K-00/UGINE.zip->103290$ Mar 27 08:28:51 pebbles MailScanner[23150]: /var/spool/MailScanner/incoming/23150/18yMjm-00026K-00/UGINE.zip->103290$ Mar 27 08:28:51 pebbles MailScanner[23150]: /var/spool/MailScanner/incoming/23150/18yMjm-00026K-00/UGINE.zip->103296$ Mar 27 08:28:51 pebbles MailScanner[23150]: /var/spool/MailScanner/incoming/23150/18yMjm-00026K-00/UGINE.zip->103296$ Mar 27 08:28:57 pebbles MailScanner[23150]: Uninfected: Delivered 100 messages Mar 27 08:29:01 pebbles MailScanner[23150]: New Batch: Found 1998 messages waiting Mar 27 08:29:02 pebbles MailScanner[23150]: New Batch: Scanning 100 messages, 5453460 bytes Mar 27 08:29:26 pebbles MailScanner[23097]: SpamAssassin timed out and was 
killed, consecutive failure 1 of 20 Mar 27 08:29:56 pebbles MailScanner[23150]: SpamAssassin timed out and was killed, consecutive failure 1 of 20 Mar 27 08:30:02 pebbles MailScanner[23307]: SpamAssassin timed out and was killed, consecutive failure 1 of 20 Mar 27 08:30:04 pebbles MailScanner[23590]: SpamAssassin timed out and was killed, consecutive failure 1 of 20 Mar 27 08:30:43 pebbles MailScanner[23097]: SpamAssassin timed out and was killed, consecutive failure 1 of 20 Mar 27 08:30:48 pebbles MailScanner[23590]: SpamAssassin timed out and was killed, consecutive failure 1 of 20 Mar 27 08:31:07 pebbles MailScanner[23307]: SpamAssassin timed out and was killed, consecutive failure 1 of 20 Mar 27 08:31:30 pebbles MailScanner[23307]: Spam Checks: Found 16 spam messages Mar 27 08:32:05 pebbles MailScanner[23307]: Virus and Content Scanning: Starting Mar 27 08:32:17 pebbles MailScanner[23307]: /var/spool/MailScanner/incoming/23307/18yNkh-0005cs-00/msg-23307-29.txt-$ Mar 27 08:32:17 pebbles MailScanner[23307]: Virus Scanning: F-Prot found virus W32/Klez.H@mm Mar 27 08:32:17 pebbles MailScanner[23307]: Virus Scanning: f-prot found 1 infections Mar 27 08:32:17 pebbles MailScanner[23307]: Virus Scanning: Found 1 viruses Mar 27 08:32:19 pebbles MailScanner[23307]: Saved infected "msg-23307-29.txt" to /var/spool/MailScanner/quarantine/2$ Mar 27 08:32:20 pebbles MailScanner[23150]: SpamAssassin timed out and was killed, consecutive failure 1 of 20 Mar 27 12:39:59 pebbles MailScanner[737]: Expanding TNEF archive at /var/spool/MailScanner/incoming/737/18yg2L-0001uC-00/winmail.dat Mar 27 12:40:00 pebbles MailScanner[737]: Corrupt TNEF winmail.dat that cannot be analysed in message 18yg2L-0001uC-00 Mar 27 12:40:00 pebbles MailScanner[737]: Virus and Content Scanning: Starting Mar 27 12:51:54 pebbles MailScanner[737]: Virus and Content Scanning: Starting Mar 27 12:51:54 pebbles MailScanner[737]: Content Checks: Fixed awkward MIME boundary for Cyrus IMAP server in 
18ygDM-0002tP-00 Mar 27 12:51:54 pebbles MailScanner[737]: Uninfected: Delivered 1 messages Mar 27 12:51:58 pebbles MailScanner[775]: New Batch: Found 1414 messages waiting Mar 27 12:58:08 pebbles MailScanner[737]: Virus and Content Scanning: Starting Mar 27 12:58:08 pebbles MailScanner[737]: Uninfected: Delivered 1 messages Mar 27 12:58:11 pebbles MailScanner[775]: SpamAssassin timed out and was killed, consecutive failure 1 of 20 Mar 27 12:58:16 pebbles MailScanner[737]: New Batch: Found 1421 messages waiting Mar 27 12:58:16 pebbles MailScanner[737]: New Batch: Scanning 1 messages, 3036 bytes pebbles MailScanner[775]: New Batch: Scanning 1 messages, 1521 bytes Mar 27 12:32:33 pebbles MailScanner[775]: Virus and Content Scanning: Starting Mar 27 12:32:33 pebbles MailScanner[737]: New Batch: Found 2120 messages waiting Mar 27 12:32:33 pebbles MailScanner[737]: New Batch: Scanning 1 messages, 3360 bytes Mar 27 12:32:33 pebbles MailScanner[775]: Uninfected: Delivered 1 messages Mar 27 12:32:34 pebbles MailScanner[737]: Virus and Content Scanning: Starting Mar 27 12:32:35 pebbles MailScanner[737]: Uninfected: Delivered 1 messages Mar 27 12:32:41 pebbles MailScanner[775]: New Batch: Found 1414 messages waiting Mar 27 12:32:41 pebbles MailScanner[775]: New Batch: Scanning 1 messages, 5214 bytes Mar 27 12:32:42 pebbles MailScanner[775]: Virus and Content Scanning: Starting Mar 27 12:32:43 pebbles MailScanner[775]: Uninfected: Delivered 1 messages Mar 27 12:32:55 pebbles MailScanner[737]: New Batch: Found 2826 messages waiting Mar 27 12:32:55 pebbles MailScanner[737]: New Batch: Scanning 1 messages, 1265 bytes Mar 27 12:32:56 pebbles MailScanner[737]: Virus and Content Scanning: Starting Mar 27 12:32:57 pebbles MailScanner[737]: Uninfected: Delivered 1 messages Mar 27 12:33:58 pebbles MailScanner[775]: New Batch: Found 9180 messages waiting Mar 27 12:33:58 pebbles MailScanner[775]: New Batch: Scanning 1 messages, 2093 bytes Mar 27 12:33:59 pebbles MailScanner[775]: Spam 
Checks: Found 1 spam messages Mar 27 12:33:59 pebbles MailScanner[775]: Virus and Content Scanning: Starting Mar 27 12:33:59 pebbles MailScanner[775]: Uninfected: Delivered 1 messages Mar 27 12:34:01 pebbles MailScanner[775]: New Batch: Found 707 messages waiting Mar 27 12:34:01 pebbles MailScanner[775]: New Batch: Scanning 1 messages, 3288 bytes Mar 27 12:34:02 pebbles MailScanner[775]: Virus and Content Scanning: Starting Mar 27 12:34:03 pebbles MailScanner[775]: Uninfected: Delivered 1 messages Mar 27 12:34:04 pebbles MailScanner[775]: New Batch: Found 707 messages waiting Mar 27 12:34:04 pebbles MailScanner[775]: New Batch: Scanning 1 messages, 4155 bytes Mar 27 12:34:06 pebbles MailScanner[775]: Virus and Content Scanning: Starting Mar 27 12:34:06 pebbles MailScanner[775]: Uninfected: Delivered 1 messages Mar 27 12:35:38 pebbles MailScanner[737]: New Batch: Found 19065 messages waiting Mar 27 12:35:38 pebbles MailScanner[737]: New Batch: Scanning 1 messages, 7559 bytes Mar 27 12:35:40 pebbles MailScanner[737]: Virus and Content Scanning: Starting Mar 27 12:35:41 pebbles MailScanner[737]: Uninfected: Delivered 1 messages Mar 27 12:35:45 pebbles MailScanner[775]: New Batch: Found 12004 messages waiting Mar 27 12:35:45 pebbles MailScanner[775]: New Batch: Scanning 1 messages, 9559 bytes Mar 27 12:35:47 pebbles MailScanner[775]: Virus and Content Scanning: Starting Mar 27 12:35:48 pebbles MailScanner[775]: Uninfected: Delivered 1 messages Mar 27 12:35:49 pebbles MailScanner[737]: New Batch: Found 1414 messages waiting Mar 27 12:35:49 pebbles MailScanner[737]: New Batch: Scanning 1 messages, 3765 bytes Mar 27 12:35:50 pebbles MailScanner[737]: Virus and Content Scanning: Starting Mar 27 12:58:17 pebbles MailScanner[737]: Virus and Content Scanning: Starting Mar 27 12:58:18 pebbles MailScanner[737]: Uninfected: Delivered 1 messages Mar 27 12:58:32 pebbles MailScanner[737]: New Batch: Found 2131 messages waiting Mar 27 12:58:32 pebbles MailScanner[737]: New Batch: 
Scanning 1 messages, 9922 bytes Mar 27 12:58:57 pebbles MailScanner[775]: SpamAssassin timed out and was killed, consecutive failure 1 of 20 Mar 27 12:59:02 pebbles MailScanner[737]: SpamAssassin timed out and was killed, consecutive failure 1 of 20 Mar 27 12:59:15 pebbles MailScanner[737]: Virus and Content Scanning: Starting Mar 27 12:59:16 pebbles MailScanner[737]: Uninfected: Delivered 1 messages Mar 27 12:59:17 pebbles MailScanner[737]: New Batch: Found 716 messages waiting Mar 27 12:59:17 pebbles MailScanner[737]: New Batch: Scanning 6 messages, 8703101 bytes Mar 27 12:59:41 pebbles MailScanner[775]: SpamAssassin timed out and was killed, consecutive failure 2 of 20 Mar 27 12:59:49 pebbles MailScanner[737]: SpamAssassin timed out and was killed, consecutive failure 1 of 20 Mar 27 12:59:54 pebbles MailScanner[775]: Virus and Content Scanning: Starting Mar 27 12:59:55 pebbles MailScanner[775]: Uninfected: Delivered 4 messages Mar 27 12:59:56 pebbles MailScanner[775]: New Batch: Found 715 messages waiting Mar 27 12:59:57 pebbles MailScanner[775]: New Batch: Scanning 3 messages, 21151 bytes Mar 27 13:00:27 pebbles MailScanner[775]: SpamAssassin timed out and was killed, consecutive failure 3 of 20 Mar 27 13:00:35 pebbles MailScanner[737]: SpamAssassin timed out and was killed, consecutive failure 2 of 20 Mar 27 13:01:10 pebbles MailScanner[775]: SpamAssassin timed out and was killed, consecutive failure 4 of 20 Mar 27 13:01:19 pebbles MailScanner[737]: SpamAssassin timed out and was killed, consecutive failure 1 of 20 Mar 27 13:01:23 pebbles MailScanner[775]: Virus and Content Scanning: Starting Mar 27 13:01:24 pebbles MailScanner[775]: Uninfected: Delivered 3 messages Mar 27 13:01:26 pebbles MailScanner[775]: New Batch: Found 720 messages waiting Mar 27 13:01:26 pebbles MailScanner[775]: New Batch: Scanning 8 messages, 102822 bytes From mbowman at UDCOM.COM Thu Mar 27 20:24:48 2003 
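An added example, not part of Scott's message or of MailScanner: a small parser for the mail.log format posted above that times each batch from "New Batch: Scanning" to "Uninfected: Delivered" and counts SpamAssassin timeouts per batch, which is the quickest way to see why a backlog drains slowly. The sample lines are copied from the excerpt above; the function names and the rule that "Delivered" closes a batch are assumptions of this example.

```python
import re
from datetime import datetime

# Lines copied from the mail.log excerpt posted in the message above.
SAMPLE_LOG = """\
Mar 27 08:23:56 pebbles MailScanner[23069]: New Batch: Found 2180 messages waiting
Mar 27 08:23:56 pebbles MailScanner[23069]: New Batch: Scanning 100 messages, 4393367 bytes
Mar 27 08:24:09 pebbles MailScanner[23097]: New Batch: Found 2181 messages waiting
Mar 27 08:24:09 pebbles MailScanner[23097]: New Batch: Scanning 100 messages, 11392498 bytes
Mar 27 08:24:18 pebbles MailScanner[23150]: New Batch: Found 2182 messages waiting
Mar 27 08:24:18 pebbles MailScanner[23150]: New Batch: Scanning 100 messages, 5726911 bytes
Mar 27 08:25:38 pebbles MailScanner[23097]: SpamAssassin timed out and was killed, consecutive failure 1 of 20
Mar 27 08:26:04 pebbles MailScanner[23150]: SpamAssassin timed out and was killed, consecutive failure 1 of 20
Mar 27 08:27:07 pebbles MailScanner[23097]: Spam Checks: Found 13 spam messages
Mar 27 08:27:40 pebbles MailScanner[23097]: Virus and Content Scanning: Starting
Mar 27 08:27:56 pebbles MailScanner[23097]: Uninfected: Delivered 100 messages
Mar 27 08:28:01 pebbles MailScanner[23097]: New Batch: Found 2093 messages waiting
Mar 27 08:28:01 pebbles MailScanner[23097]: New Batch: Scanning 100 messages, 1443894 bytes
Mar 27 08:28:23 pebbles MailScanner[23150]: Spam Checks: Found 12 spam messages
Mar 27 08:28:44 pebbles MailScanner[23150]: Virus and Content Scanning: Starting
Mar 27 08:28:57 pebbles MailScanner[23150]: Uninfected: Delivered 100 messages
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+\S+\s+"
    r"MailScanner\[(?P<pid>\d+)\]:\s+(?P<msg>.*)$"
)
FOUND_RE = re.compile(r"^New Batch: Found (\d+) messages waiting")
SCAN_RE = re.compile(r"^New Batch: Scanning (\d+) messages, (\d+) bytes")
DONE_RE = re.compile(r"^Uninfected: Delivered (\d+) messages")
SA_RE = re.compile(
    r"^SpamAssassin timed out and was killed, consecutive failure (\d+) of (\d+)"
)


def parse_ts(text, year):
    """syslog timestamps carry no year, so the caller supplies one."""
    return datetime.strptime(f"{year} {' '.join(text.split())}",
                             "%Y %b %d %H:%M:%S")


def summarize(log_text, year=2003):
    """Reduce a MailScanner syslog excerpt to batch timings and timeout counts."""
    open_batches = {}   # pid -> [start, messages, bytes, SpamAssassin timeouts]
    finished = []       # one dict per batch that reached "Delivered"
    backlog = []        # (timestamp, messages waiting) as each child reported it
    sa_timeouts = worst_streak = delivered = 0

    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue    # other daemons (e.g. the F-Prot updater) or wrapped lines
        when, pid, msg = parse_ts(m["ts"], year), int(m["pid"]), m["msg"]

        if (f := FOUND_RE.match(msg)):
            backlog.append((when, int(f[1])))
        elif (s := SCAN_RE.match(msg)):
            open_batches[pid] = [when, int(s[1]), int(s[2]), 0]
        elif (t := SA_RE.match(msg)):
            sa_timeouts += 1
            worst_streak = max(worst_streak, int(t[1]))
            if pid in open_batches:
                open_batches[pid][3] += 1
        elif (d := DONE_RE.match(msg)):
            delivered += int(d[1])
            # Assumption of this example: "Uninfected: Delivered" ends the
            # batch this child announced last.
            if pid in open_batches:
                start, count, size, timeouts = open_batches.pop(pid)
                finished.append({
                    "pid": pid, "messages": count, "bytes": size,
                    "seconds": (when - start).total_seconds(),
                    "sa_timeouts": timeouts,
                })

    return {
        "delivered": delivered,
        "sa_timeouts": sa_timeouts,
        "worst_sa_streak": worst_streak,
        "finished": finished,
        # Batches still open when the excerpt ends: either still running or
        # cut off by snipping, so treat them as leads, not proof of a hang.
        "unfinished_pids": sorted(open_batches),
        "backlog": backlog,
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for batch in report["finished"]:
        print("pid {pid}: {messages} msgs in {seconds:.0f}s, "
              "{sa_timeouts} SpamAssassin timeout(s)".format(**batch))
    print("unfinished:", report["unfinished_pids"])
```

On the copied lines each 100-message batch takes roughly four minutes and contains a SpamAssassin timeout, so the backlog figure is a throughput question as much as a queue-location one.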
From: mbowman at UDCOM.COM (Matthew Bowman) Date: Thu Jan 12 21:17:37 2006 Subject: F-Prot errors Message-ID: Nevermind I had d, not d. also had to remove the c after the } Its fine now. This footnote also confirms that this email message has been swept by MIMEsweeper for the presence of computer viruses *********************************************************************************** From mailscanner at ecs.soton.ac.uk Thu Mar 27 20:01:38 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:37 2006 Subject: F-Prot errors In-Reply-To: Message-ID: <5.2.0.9.2.20030327195433.02747cc0@imap.ecs.soton.ac.uk> Apply this patch to /usr/lib/MailScanner/MailScanner/SweepViruses.pm : --- /root/v4/mailscanner/mailscanner/bin/MailScanner/SweepViruses.pm Wed Mar 26 21:47:01 2003 +++ SweepViruses.pm Thu Mar 27 19:58:26 2003 
@@ -992,16 +992,19 @@ my($report, $infected, $dot, $id, $part, $virus, @rest); my($logout); - #print STDERR $line; + #print STDERR "$fprot_InCruft $line"; chomp $line; # Look for the "Program version: 4...." line which shows we are running # version 4 and therefore have different headers at the start of the # scan output. - if ($fprot_InCruft==-2 && $line =~ /program\s+version:\s*4/i) { - $fprot_InCruft -= 1; - return 0; + if ($fprot_InCruft==-2) { + my $version = $1 if $line =~ /program\s+version:\s*([\d.]+)/i; + if ($version > 3.12) { + $fprot_InCruft -= 1; + return 0; + } }c return 0 if $fprot_InCruft > 0; # Return if we are still in headers # One header paragraph has finished, count it I will put this code in the next release. At 16:39 27/03/2003, you wrote: >Trying to setup F-Prot for evaluation w/ MailScanner and got this error: > >Either you've found a bug in MailScanner's F-Prot output parser, or >F-Prot's output format has changed! F-Prot said >this "Switches: -ARCHIVE -OLD". Please mail the author of MailScanner > >The file I loaded was fp-linux-eb-3.13-0.i386.rpm > >I followed the notes in the FAQ > > >I'm using MS 4.13-3 on a RH 7.2 box. > >Any ideas? > >Thanks > >Matthew -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support This footnote also confirms that this email message has been swept by MIMEsweeper for the presence of computer viruses *********************************************************************************** From mbowman at UDCOM.COM Thu Mar 27 20:18:21 2003 
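Review bot: The closing brace of the new outer "if" is followed by a stray "c" ("}c"), so SweepViruses.pm will not compile as patched; drop it. In the same block, "my $version = $1 if $line =~ ..." declares a lexical under a statement modifier, which perlsyn documents as undefined behaviour, and it leaves $version undefined whenever the line seen at $fprot_InCruft==-2 is not the version line, so "$version > 3.12" then compares undef. Capture in list context instead, my ($version) = $line =~ /program\s+version:\s*([\d.]+)/i; and only compare when defined $version.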
From: mbowman at UDCOM.COM (Matthew Bowman) Date: Thu Jan 12 21:17:37 2006 Subject: F-Prot errors Message-ID: Thanks, Now I get this error: Mar 27 15:16:43 smithers MailScanner[20157]: Files: "Dumb" scan of all files Mar 27 15:16:43 smithers MailScanner[20157]: Either you've found a bug in MailScanner's F-Prot output parser, or F-Prot's output format has changed! F-Prot said this "Files: "Dumb" scan of all files". Please mail the author of MailScanner Mar 27 15:16:43 smithers MailScanner[20157]: Switches: -ARCHIVE -OLD Regards, Matthew K Bowman Systems Administrator; Hostmaster; Miva Administrator Universal Digital Communications, Mansfield Ohio. Julian Field Sent by: MailScanner mailing list 03/27/2003 03:01 PM Please respond to MailScanner mailing list To: MAILSCANNER@JISCMAIL.AC.UK cc: Subject: Re: F-Prot errors Apply this patch to /usr/lib/MailScanner/MailScanner/SweepViruses.pm : --- /root/v4/mailscanner/mailscanner/bin/MailScanner/SweepViruses.pm Wed Mar 26 21:47:01 2003 +++ SweepViruses.pm Thu Mar 27 19:58:26 2003 
@@ -992,16 +992,19 @@ my($report, $infected, $dot, $id, $part, $virus, @rest); my($logout); - #print STDERR $line; + #print STDERR "$fprot_InCruft $line"; chomp $line; # Look for the "Program version: 4...." line which shows we are running # version 4 and therefore have different headers at the start of the # scan output. - if ($fprot_InCruft==-2 && $line =~ /program\s+version:\s*4/i) { - $fprot_InCruft -= 1; - return 0; + if ($fprot_InCruft==-2) { + my $version = $1 if $line =~ /program\s+version:\s*([\d.]+)/i; + if ($version > 3.12) { + $fprot_InCruft -= 1; + return 0; + } }c return 0 if $fprot_InCruft > 0; # Return if we are still in headers # One header paragraph has finished, count it I will put this code in the next release. At 16:39 27/03/2003, you wrote: >Trying to setup F-Prot for evaluation w/ MailScanner and got this error: > >Either you've found a bug in MailScanner's F-Prot output parser, or >F-Prot's output format has changed! F-Prot said >this "Switches: -ARCHIVE -OLD". Please mail the author of MailScanner > >The file I loaded was fp-linux-eb-3.13-0.i386.rpm > >I followed the notes in the FAQ > > >I'm using MS 4.13-3 on a RH 7.2 box. > >Any ideas? > >Thanks > >Matthew -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support This footnote also confirms that this email message has been swept by MIMEsweeper for the presence of computer viruses *********************************************************************************** From mailscanner at ecs.soton.ac.uk Thu Mar 27 20:04:48 2003 
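Review bot: The test "$version > 3.12" treats a dotted version string as a floating-point number, so a release numbered 3.2 would pass as newer than 3.12 and a three-part string, which [\d.]+ also matches, is not numeric at all. Split the capture on "." and compare major and minor as integers. The unchanged comment above the block still says the check looks for "Program version: 4....", which no longer describes the condition and should be updated with the new threshold.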
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:37 2006
Subject: email in exim incoming queue is not getting processed -- Please help
In-Reply-To: <3EA1A302A4978A4C970D2C63F327156ED541F8@worc-mail2.int.morg anco.com>
Message-ID: <5.2.0.9.2.20030327200315.02776088@imap.ecs.soton.ac.uk>

At 19:11 27/03/2003, you wrote:
>Julian,
>
>Thanks for your interest in my problem.
>
>Below are the answers to your questions
>
>Thanks again.
>
>Scott
>
> > In your MailScanner.conf, what are the values of
> > MTA
> > Run As User
> > Run As Group
> > Incoming Queue Dir
> > Outgoing Queue Dir
> > Incoming Work Dir
> > Quarantine Dir
> > PID file
>
># As a rough guide, try 5 children per CPU.
>Max Children = 10
>
># User to run as (not normally used for sendmail)
>Run As User = mail
>
># Group to run as (not normally used for sendmail)
>Run As Group = mail
>
>Queue Scan Interval = 5
>
>Incoming Queue Dir = /var/spool/exim_incoming/input
>
># Set location of outgoing mail queue.
># This can also be the filename of a ruleset.
>Outgoing Queue Dir = /var/spool/exim/input
>
># Set where to unpack incoming messages before scanning them
>Incoming Work Dir = /var/spool/MailScanner/incoming
>
># Set where to store infected and message attachments (if they are kept)
># This can also be the filename of a ruleset.
>Quarantine Dir = /var/spool/MailScanner/quarantine
>
># Set where to store the process id number so you can stop MailScanner
>PID file = /opt/MailScanner/var/MailScanner.pid
>
># To avoid resource leaks, re-start periodically
>Restart Every = 14400
>
># Set whether to use sendmail or exim
>MTA = exim
>
>Sendmail = /usr/sbin/exim
>
>Sendmail2 = /usr/sbin/sendmail -C /etc/exim/exim_send.conf

This should be "/usr/sbin/exim -C /etc/exim/exim_send.conf" ideally.

>
>
> > For the relevant "Run As User", please supply the line from the
> > /etc/passwd
> > file.
>
>mail:x:8:8:mail:/var/mail:/bin/sh
>
>
> > For the relevant "Run As User", please do "ls -ld" of the home
>directory.
> > For each of the "Dir" variables above, please do an "ls -ld" of each
>one.
> >
>
>output for var/mail
>
>lrwxrwsr-x 3 root mail 4096 /var/mail/

Where does this link point to, and what is the "ls -ld" of the directory it points to.

>output for /bin/sh
>
>lrwxrwxrwx 1 root root 4 Feb 26 15:19 /bin/sh -> bash

I need the "ls -ld" for all the other directories I mentioned too.

> > Sounds like its a permissions problem.
> >
> >
> > At 18:42 27/03/2003, you wrote:
> > >Let's try an attachment so it's readable.
> > >
> > >Sorry for the double post.
> > >
> > >Scott
> > >
> > > > -----Original Message-----
> > > > From: Hancock, Scott
> > > > Sent: Thursday, March 27, 2003 1:30 PM
> > > > To: MAILSCANNER@JISCMAIL.AC.UK
> > > > Subject: Re: email in exim incoming queue is not getting processed
>--
> > > > Please help
> > > >
> > > > Here is some of my mail.log file.
> > > >
> > > > I did the restart at 8:23. Looks like the queue went down
>yesterday
> > >at
> > > > 14:21
> > > >
> > > > Gaps below indicate places I snipped the log.
> > > >
> > > >
> > > > Thanks
> > > >
> > > > Scott
> > > >
> > > >
> > > > Mar 26 14:21:09 pebbles MailScanner[17287]: New Batch: Found 36
> > >messages
> > > > waiting
> > > > Mar 26 14:21:09 pebbles MailScanner[17287]: New Batch: Scanning 1
> > > > messages, 2078 bytes
> > > > Mar 26 14:21:09 pebbles MailScanner[17287]: Virus and Content
> > >Scanning:
> > > > Starting
> >
> > --
> > Julian Field
> > www.MailScanner.info
> > Professional Support Services at www.MailScanner.biz
> > MailScanner thanks transtec Computers for their support

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

From martyn at CHETNET.CO.UK Thu Mar 27 20:18:26 2003
From: martyn at CHETNET.CO.UK (chet)
Date: Thu Jan 12 21:17:37 2006
Subject: Custom spam score
References: <9F18B7DDBA88E544AB1F1995148916660145E0@lkl63.ltkalmar.se> <005201c2d774$26dea9a0$0d4bd3c8@A3C4J5> <007201c2d776$21e6ecd0$01000001@Compaq> <038901c2d809$8307b1a0$18720550@T20> <1045666320.2167.44.camel@dbeauchemin.si.usherbrooke.ca> <004501c2d82f$b3ab84a0$2d30c3c1@T20> <5.2.0.9.2.20030327200632.0258f978@imap.ecs.soton.ac.uk>
Message-ID: <02e001c2f49e$08442910$0103a8c0@danni>

how do you un-subscribe from this mailing list

Regards
-----------------------------------------------
www.chetnet.co.uk
Cable Modem FAQ and portal
------------------------------------------------
----- Original Message -----
From: "Julian Field"
To:
Sent: Thursday, March 27, 2003 8:08 PM
Subject: Re: Custom spam score

> At 19:38 27/03/2003, you wrote:
> >Hi,
> >
> >In the /etc/MailScanner/spam.assassin.prefs.conf what do I put to get a
> >custom spam score for email
> >coming into my server *to* a particular email address, what I want is that
> >any email coming to this
> >address is deleted.
>
> Read "man Mail::SpamAssassin::Conf". From the start of that:
>
> header FROM_HAS_MIXED_NUMS From =~ /\d+[a-z]+\d+\S*@/i
> describe FROM_HAS_MIXED_NUMS From: contains numbers mixed in with letters
> score A_HREF_TO_REMOVE 2.0
>
> so you could have something like
> header TO_DELETE To =~ /email@address\.com/i
> describe TO_DELETE To: contains dead email address
> score TO_DELETE 100.0
>
> then make the "High Scoring Spam Actions" delete for this address.
> --
> Julian Field
> www.MailScanner.info
> Professional Support Services at www.MailScanner.biz
> MailScanner thanks transtec Computers for their support

---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.449 / Virus Database: 251 - Release Date: 27/01/2003

From HancockS at MORGANCO.COM Thu Mar 27 20:47:10 2003
From: HancockS at MORGANCO.COM (Hancock, Scott)
Date: Thu Jan 12 21:17:37 2006
Subject: email in exim incoming queue is not getting processed -- Please help
Message-ID: <3EA1A302A4978A4C970D2C63F327156ED541F9@worc-mail2.int.morganco.com>

FYI: Currently this server is nothing but a mail gateway no local logon's.

> This should be "/usr/sbin/exim -C /etc/exim/exim_send.conf" ideally.

I change the sendmail to exim but did not restart.

Other outputs. Ls -ld

drwxr-x--- 18 mail mail 4096 Mar 27 08:32 /var/spool/MailScanner/quarantine

-rw-r--r-- 1 mail mail 4 Mar 27 10:55 /opt/MailScanner/var/MailScanner.pid

drwxr-x--- 12 mail mail 4096 Mar 27 14:57 /var/spool/MailScanner/incoming

drwxr-x--- 2 mail mail 126976 Mar 27 15:31 /var/spool/exim_incoming/input

drwxr-x--- 2 mail mail 126976 Mar 27 15:31 /var/spool/exim_incoming/input

ls -la of /var/mail ??? link here????

total 16
drwxrwsr-x 3 root mail 4096 Feb 27 15:54 .
drwxr-xr-x 15 root root 4096 Feb 28 08:28 ..
-rw------- 1 mail mail 1025 Mar 17 15:02 .bash_history
drwx--S--- 2 mail mail 4096 Mar 5 15:00 .spamassassin
-rw-rw---- 1 scott mail 0 Feb 27 15:52 scott

From mailscanner at ecs.soton.ac.uk Thu Mar 27 20:08:37 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:37 2006
Subject: Custom spam score
In-Reply-To: <05f901c2f498$7fe64940$5d876751@T20>
References: <9F18B7DDBA88E544AB1F1995148916660145E0@lkl63.ltkalmar.se> <005201c2d774$26dea9a0$0d4bd3c8@A3C4J5> <007201c2d776$21e6ecd0$01000001@Compaq> <038901c2d809$8307b1a0$18720550@T20> <1045666320.2167.44.camel@dbeauchemin.si.usherbrooke.ca> <004501c2d82f$b3ab84a0$2d30c3c1@T20>
Message-ID: <5.2.0.9.2.20030327200632.0258f978@imap.ecs.soton.ac.uk>

At 19:38 27/03/2003, you wrote:
>Hi,
>
>In the /etc/MailScanner/spam.assassin.prefs.conf what do I put to get a
>custom spam score for email
>coming into my server *to* a particular email address, what I want is that
>any email coming to this
>address is deleted.

Read "man Mail::SpamAssassin::Conf". From the start of that:

header FROM_HAS_MIXED_NUMS From =~ /\d+[a-z]+\d+\S*@/i
describe FROM_HAS_MIXED_NUMS From: contains numbers mixed in with letters
score A_HREF_TO_REMOVE 2.0

so you could have something like

header TO_DELETE To =~ /email@address\.com/i
describe TO_DELETE To: contains dead email address
score TO_DELETE 100.0

then make the "High Scoring Spam Actions" delete for this address.
--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

From mbowman at UDCOM.COM Thu Mar 27 20:44:49 2003
From: mbowman at UDCOM.COM (Matthew Bowman)
Date: Thu Jan 12 21:17:37 2006
Subject: F-Prot errors
Message-ID:

Yes it worked.

From mailscanner at ecs.soton.ac.uk Thu Mar 27 20:46:57 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:37 2006
Subject: F-Prot errors
In-Reply-To:
Message-ID: <5.2.0.9.2.20030327204641.02806e90@imap.ecs.soton.ac.uk>

At 20:24 27/03/2003, you wrote:
>Nevermind I had d, not d. also had to remove the c after the }
>
>Its fine now.

Just to confirm: my patch worked or not?
--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Thu Mar 27 20:52:38 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:37 2006
Subject: email in exim incoming queue is not getting processed -- Please help
In-Reply-To: <3EA1A302A4978A4C970D2C63F327156ED541F9@worc-mail2.int.morg anco.com>
Message-ID: <5.2.0.9.2.20030327205119.027f4358@imap.ecs.soton.ac.uk>

Any chance of remote access? I can usually sort these in a few minutes, they are almost impossible by mail (as you have found).

At 20:47 27/03/2003, you wrote:
>FYI: Currently this server is nothing but a mail gateway no local
>logon's.
>
> > This should be "/usr/sbin/exim -C /etc/exim/exim_send.conf" ideally.
>
>I change the sendmail to exim but did not restart.
>
>Other outputs. Ls -ld
>
>drwxr-x--- 18 mail mail 4096 Mar 27 08:32
>/var/spool/MailScanner/quarantine
>
>
>-rw-r--r-- 1 mail mail 4 Mar 27 10:55
>/opt/MailScanner/var/MailScanner.pid
>
>
>drwxr-x--- 12 mail mail 4096 Mar 27 14:57
>/var/spool/MailScanner/incoming
>
>drwxr-x--- 2 mail mail 126976 Mar 27 15:31
>/var/spool/exim_incoming/input
>
>drwxr-x--- 2 mail mail 126976 Mar 27 15:31
>/var/spool/exim_incoming/input
>
>ls -la of /var/mail ??? link here????
>
>total 16
>drwxrwsr-x 3 root mail 4096 Feb 27 15:54 .
>drwxr-xr-x 15 root root 4096 Feb 28 08:28 ..
>-rw------- 1 mail mail 1025 Mar 17 15:02 .bash_history
>drwx--S--- 2 mail mail 4096 Mar 5 15:00 .spamassassin
>-rw-rw---- 1 scott mail 0 Feb 27 15:52 scott

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

From ycayer at 3WEBMEDIA.COM Thu Mar 27 23:19:09 2003
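An added example, not from the thread or from MailScanner itself: the permission check requested in the exim queue thread above, done offline over the pasted MailScanner.conf settings and "ls -ld" lines, reporting for each path whether the Run As User has the access it needs and which paths were never listed. The settings and listing are copied from Scott's messages; the NEEDS table, the function names and the use of the primary group only are assumptions of this example.

```python
import re

# Settings as quoted from MailScanner.conf in the thread above.
CONF = """\
# User to run as (not normally used for sendmail)
Run As User = mail
# Group to run as (not normally used for sendmail)
Run As Group = mail
Incoming Queue Dir = /var/spool/exim_incoming/input
# This can also be the filename of a ruleset.
Outgoing Queue Dir = /var/spool/exim/input
Incoming Work Dir = /var/spool/MailScanner/incoming
Quarantine Dir = /var/spool/MailScanner/quarantine
PID file = /opt/MailScanner/var/MailScanner.pid
"""

# The "ls -ld" lines from the same thread, unchanged (one path appears twice).
LISTING = """\
drwxr-x--- 18 mail mail 4096 Mar 27 08:32 /var/spool/MailScanner/quarantine
-rw-r--r-- 1 mail mail 4 Mar 27 10:55 /opt/MailScanner/var/MailScanner.pid
drwxr-x--- 12 mail mail 4096 Mar 27 14:57 /var/spool/MailScanner/incoming
drwxr-x--- 2 mail mail 126976 Mar 27 15:31 /var/spool/exim_incoming/input
drwxr-x--- 2 mail mail 126976 Mar 27 15:31 /var/spool/exim_incoming/input
"""

# Assumption of this example: the scanner needs full access to its spool
# directories and read/write on its PID file, and nothing more.
NEEDS = {
    "Incoming Queue Dir": "rwx",
    "Outgoing Queue Dir": "rwx",
    "Incoming Work Dir": "rwx",
    "Quarantine Dir": "rwx",
    "PID file": "rw",
}

LS_RE = re.compile(
    r"^(?P<type>[-dlbcps])(?P<mode>[-rwxsStT]{9})\s+\d+\s+(?P<owner>\S+)\s+"
    r"(?P<group>\S+)\s+\d+\s+\w{3}\s+\d+\s+[\d:]+\s+(?P<path>\S.*)$"
)


def parse_conf(text):
    """Read 'Key = value' lines; '#' starts a comment. Keys are lower-cased."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip().lower()] = value.strip()
    return conf


def parse_listing(text):
    """Index 'ls -ld' output by path (symlink targets are dropped)."""
    entries = {}
    for line in text.splitlines():
        m = LS_RE.match(line.strip())
        if m:
            path = m["path"].split(" -> ")[0].rstrip("/") or "/"
            entries[path] = m.groupdict()
    return entries


def granted(entry, user, group):
    """Rights 'user' gets from the owner, group or other triad of the mode."""
    mode = entry["mode"]
    if entry["owner"] == user:
        triad = mode[0:3]
    elif entry["group"] == group:      # primary group only; supplementary
        triad = mode[3:6]              # groups are not visible in a listing
    else:
        triad = mode[6:9]
    rights = "r" if triad[0] == "r" else ""
    rights += "w" if triad[1] == "w" else ""
    rights += "x" if triad[2] in "xst" else ""   # s/t imply x; S/T do not
    return rights


def audit(conf_text, listing_text):
    """Return {setting: (path, status)} for every path the scanner relies on."""
    conf = parse_conf(conf_text)
    entries = parse_listing(listing_text)
    user, group = conf.get("run as user"), conf.get("run as group")
    report = {}
    for setting, need in NEEDS.items():
        path = conf.get(setting.lower())
        if path is None:
            report[setting] = (None, "not set")
            continue
        entry = entries.get(path.rstrip("/") or "/")
        if entry is None:
            status = "no listing supplied"
        elif setting.endswith("Dir") and entry["type"] != "d":
            status = "not a directory (ruleset file or symlink?)"
        else:
            have = granted(entry, user, group)
            missing = "".join(c for c in need if c not in have)
            status = "ok" if not missing else f"{user} lacks {missing}"
        report[setting] = (path, status)
    return report


if __name__ == "__main__":
    for setting, (path, status) in audit(CONF, LISTING).items():
        print(f"{setting:20} {path:40} {status}")
```

Run over the data in the thread, every listed path is owned by mail with sufficient rights, and the Outgoing Queue Dir is the one path with no listing at all.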
From: ycayer at 3WEBMEDIA.COM (Yannick Cayer) Date: Thu Jan 12 21:17:37 2006 Subject: MailScanner with Ensim Message-ID: Greetings, I have followed the docs on how to install MailScanner with Ensim. Evrything works fine except for one thing: The MailScanner.conf file sits in /etc/MailScanner/MailScanner.conf the problem with this is that whenever I send a virus to a user of a virutal site, the site sits in a chroot environment so MailScanner is unable to find the MailScanner.conf file so it defaults to no configuration. I detects the virus but it doesn't take into account the conf file since It cannot find it from the virtual server point of view... I can I fix this? Thank you This footnote also confirms that this email message has been swept by MIMEsweeper for the presence of computer viruses *********************************************************************************** -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030327/3f68bd92/attachment-0001.html From dene at DATATECHIE.COM Fri Mar 28 02:52:05 2003 
From: dene at DATATECHIE.COM (Dene Ulmschneider) Date: Thu Jan 12 21:17:37 2006 Subject: confirming SPAM In-Reply-To: <5.2.0.9.2.20030324150117.03b5e328@imap.ecs.soton.ac.uk> References: <5.1.0.14.2.20030324095603.02668e78@192.168.1.112> Message-ID: <5.1.0.14.2.20030327214537.00ba32e8@192.168.1.112> Thanks for the input Julian. I have MailScanner working and it is bouncing all spam it finds as well as forwarding it to me as the system admin. I have gotten Razor2 installed and working. I have successfully registered on the network. I am having difficulty with two issues: >Also, using the new Bayes engine in SpamAssassin 2.51 (but I would advise >you to wait for 2.52 release), the anti-spam engine will learn about spam >messages that it got wrong by your users feeding back the spam into the >engine. I have 2 addresses here, "spam" and "notspam", which users bounce >mail to when the spam engine gets it wrong. So its performance improves >with time as it learns lots of new spam. 1- You mentioned that you have 2 addresses setup for reporting spam called "spam" and "notspam". I have not found any documentation on how to accomplish this. Do you know where I can find documentation? I would like to make it as easy as possible for Windows users to be able to report spam and forwarding any incorrect messages to an email address would make it a snap (needless to say that I don't want them forwarding to my address). 2- I have SpamAssassin working with MailScanner and have not seen any settings or configs for Bayes. How do I turn it on or set it up? Thanks for any assistance or info. Dene Ulmschneider Data Techie Inc. 
------------------------------------------------------------------------- office: 718.738.8859 cell: 646.996.2976 email: dene@datatechie.com pager mail: denenow@datatechie.com website: www.datatechie.com ------------------------------------------------------------------------- "Life is too short...-...you should have dessert first" -- This message has been scanned for viruses and dangerous content by Data Techie, and is believed to be clean. Data Techie... always there to protect you! http://www.datatechie.com This footnote also confirms that this email message has been swept by MIMEsweeper for the presence of computer viruses *********************************************************************************** From raymond at PROLOCATION.NET Fri Mar 28 08:43:16 2003 From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:17:37 2006 Subject: F-Prot errors In-Reply-To: <5.2.0.9.2.20030327204641.02806e90@imap.ecs.soton.ac.uk> Message-ID: Hi! > >Nevermind I had d, not d. also had to remove the c after the } > > > >Its fine now. > > Just to confirm: my patch worked or not? Am i the only one getting resends on the list ? I just got a whole bunch of messages i allready got last night. Bye, Raymond. From craig at STRONG-BOX.NET Fri Mar 28 08:49:21 2003 
From: craig at STRONG-BOX.NET (Craig Pratt) Date: Thu Jan 12 21:17:37 2006 Subject: List resends In-Reply-To: Message-ID: <2B85F2C8-60FA-11D7-9B28-000393B9390A@strong-box.net> On Friday, March 28, 2003, at 12:43 AM, Raymond Dijkxhoorn wrote: > Hi! > >>> Nevermind I had d, not d. also had to remove the c after the } >>> >>> Its fine now. >> >> Just to confirm: my patch worked or not? > > Am i the only one getting resends on the list ? I just got a whole > bunch > of messages i allready got last night. > > Bye, > Raymond. I just saw this too - a big clump of messages from thursday received at 08:13 GMT friday. -- Craig Pratt Strongbox Network Services Inc. mailto:craig@strong-box.net -- This message checked for dangerous content by MailScanner on StrongBox. From evertjan at VANRAMSELAAR.NL Fri Mar 28 08:50:13 2003 From: evertjan at VANRAMSELAAR.NL (Evert Jan van Ramselaar) Date: Thu Jan 12 21:17:37 2006 Subject: F-Prot errors In-Reply-To: References: <5.2.0.9.2.20030327204641.02806e90@imap.ecs.soton.ac.uk> Message-ID: <5019.194.151.195.222.1048841413.squirrel@mail.vanramselaar.nl> Raymond Dijkxhoorn said: > Am i the only one getting resends on the list ? I just got a whole bunch > of messages i allready got last night. Same here. Again. Can someone find out who is causing this and block this person from the list? This is not the first time we are being 'spammed' with doubles. -- Evert Jan van Ramselaar Van Ramselaar Info Tech From mailscanner at ecs.soton.ac.uk Fri Mar 28 08:36:09 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:37 2006 Subject: MailScanner with Ensim In-Reply-To: Message-ID: <5.2.0.9.2.20030328083504.04388780@imap.ecs.soton.ac.uk> Well, it sounds like 1 easy solution is to set up a little cron job that regular copies the MailScanner configuration into each of the virtual hosts. But I agree, there should be a better solution to this. Search the mailing list archives for "Ensim" and see if anyone has mentioned this before. At 23:19 27/03/2003, you wrote: >Greetings, > >I have followed the docs on how to install MailScanner with Ensim. > >Evrything works fine except for one thing: > >The MailScanner.conf file sits in /etc/MailScanner/MailScanner.conf the >problem with this is that whenever I send a virus to a user of a virutal >site, the site sits in a chroot environment so MailScanner is unable to >find the MailScanner.conf file so it defaults to no configuration. I >detects the virus but it doesn't take into account the conf file since It >cannot find it from the virtual server point of view... > > >I can I fix this? > > >Thank you > > >This footnote also confirms that this email message has been swept by >MIMEsweeper for the presence of computer viruses >*********************************************************************************** -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Fri Mar 28 08:43:43 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:37 2006 Subject: F-Prot errors In-Reply-To: References: <5.2.0.9.2.20030327204641.02806e90@imap.ecs.soton.ac.uk> Message-ID: <5.2.0.9.2.20030328084313.0437f8f8@imap.ecs.soton.ac.uk> At 08:43 28/03/2003, you wrote: >Hi! > > > >Nevermind I had d, not d. also had to remove the c after the } > > > > > >Its fine now. > > > > Just to confirm: my patch worked or not? > >Am i the only one getting resends on the list ? I just got a whole bunch >of messages i allready got last night. No you're not. I just got some too. Methinks that jiscmail.ac.uk are having a few "issues" with their mail server queues. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Fri Mar 28 08:42:31 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:37 2006 Subject: confirming SPAM In-Reply-To: <5.1.0.14.2.20030327214537.00ba32e8@192.168.1.112> References: <5.2.0.9.2.20030324150117.03b5e328@imap.ecs.soton.ac.uk> <5.1.0.14.2.20030324095603.02668e78@192.168.1.112> Message-ID: <5.2.0.9.2.20030328083658.04371b60@imap.ecs.soton.ac.uk> At 02:52 28/03/2003, you wrote: >Thanks for the input Julian. > >I have MailScanner working and it is bouncing all spam it finds as well as >forwarding it to me as the system admin. > >I have gotten Razor2 installed and working. I have successfully registered >on the network. I am having difficulty with two issues: > >>Also, using the new Bayes engine in SpamAssassin 2.51 (but I would advise >>you to wait for 2.52 release), the anti-spam engine will learn about spam >>messages that it got wrong by your users feeding back the spam into the >>engine. I have 2 addresses here, "spam" and "notspam", which users bounce >>mail to when the spam engine gets it wrong. So its performance improves >>with time as it learns lots of new spam. > > >1- You mentioned that you have 2 addresses setup for reporting spam called >"spam" and "notspam". I have not found any documentation on how to >accomplish this. Do you know where I can find documentation? I would like >to make it as easy as possible for Windows users to be able to report spam >and forwarding any incorrect messages to an email address would make it a >snap (needless to say that I don't want them forwarding to my address). Create a couple of local accounts, called "spam" and "notspam" whose mailboxes will live on the MailScanner server. The following script makes a few assumptions on where things live, but you can easily edit them to suit your environment. Create a cron job to run this script every hour or so. The "sa-learn" command is a script that comes with SpamAssassin. 
#!/bin/sh

# Mailboxes that users bounce misclassified mail to
SPAM=/var/mail/spam
NOTSPAM=/var/mail/notspam
# Suffix of the archive file that keeps everything already learned
TOTAL=.cumulative

LOGFILE=/var/log/learn.spam.log
PREFS=/opt/MailScanner/etc/spam.assassin.prefs.conf
SALEARN=/opt/MailScanner/bin/sa-learn

date >> $LOGFILE
# Learn the "spam" mailbox as spam, then archive and remove it
if [ -f $SPAM ]; then
  BOX=${SPAM}.processing
  mv $SPAM $BOX
  sleep 5 # Wait for writing current message to complete
  $SALEARN --prefs-file=$PREFS --spam --mbox $BOX >> $LOGFILE 2>&1
  cat $BOX >> ${SPAM}${TOTAL}
  echo >> ${SPAM}${TOTAL}
  rm -f $BOX
fi

# Learn the "notspam" mailbox as ham, then archive and remove it
if [ -f $NOTSPAM ]; then
  BOX=${NOTSPAM}.processing
  mv $NOTSPAM $BOX
  sleep 5 # Wait for writing current message to complete
  $SALEARN --prefs-file=$PREFS --ham --mbox $BOX >> $LOGFILE 2>&1
  cat $BOX >> ${NOTSPAM}${TOTAL}
  echo >> ${NOTSPAM}${TOTAL}
  rm -f $BOX
fi

>2- I have SpamAssassin working with MailScanner and have not seen any
>settings or configs for Bayes. How do I turn it on or set it up?

Make sure you have installed "DB_File" using CPAN. If that fails, you
probably haven't got BerkeleyDB installed (www.sleepycat.com). Remove the
"use AnyDBM_File;" statement from the top of
/usr/lib/MailScanner/MailScanner/SA.pm. Delete all the database files in
/root/.spamassassin. Then start up MailScanner again and it should start
learning Bayes statistics from mail it sees. The default settings for
SpamAssassin's Bayes filter will work just fine.

>Thanks for any assistance or info.
>
>
>Dene Ulmschneider
>Data Techie Inc.
>-------------------------------------------------------------------------
>office: 718.738.8859
>cell: 646.996.2976
>email: dene@datatechie.com
>pager mail: denenow@datatechie.com
>website: www.datatechie.com
>-------------------------------------------------------------------------
>"Life is too short...-...you should have dessert first"
>
>
>--
>This message has been scanned for viruses and dangerous
>content by Data Techie, and is believed to be clean.
>Data Techie... always there to protect you!
>http://www.datatechie.com

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From Kevin.Spicer at BMRB.CO.UK Fri Mar 28 08:52:17 2003
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin)
Date: Thu Jan 12 21:17:37 2006
Subject: List resends
Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0EBF4D0@pascal.priv.bmrb.co.uk>

Seems to be from the same place as usual...

Received: from relay1.bt.net (relay1.bt.net [194.72.6.100])
        by dori.rl.ac.uk (8.11.1/8.11.1) with ESMTP id h2S8DCO19545
        for ; Fri, 28 Mar 2003 08:13:12 GMT
Received: from [194.72.158.100] (helo=[192.168.1.2])
        by relay1.bt.net with esmtp (Exim 3.36 #1)
        id 18yoz9-00073X-00
        for MAILSCANNER@jiscmail.ac.uk; Fri, 28 Mar 2003 08:13:11 +0000
Received: from smtp.jiscmail.ac.uk (unverified) by cohen
        (Content Technologies SMTPRS 4.3.6) with SMTP id
        for ; Thu, 27 Mar 2003 20:44:40 +0000

The signature is the giveaway....

This footnote also confirms that this email message has been swept by MIMEsweeper for the presence of computer viruses
***********************************************************************************

Somehow I don't think very many people on list use MIMEsweeper! Yet this is appended to all the resends
>
>

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000
_________________________________________________________________
This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business.

From mailscanner at ecs.soton.ac.uk Fri Mar 28 08:49:51 2003
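The header reading in the "List resends" message above, done mechanically. This is an added example, not code from the list or from MailScanner: it walks a Received chain oldest-first and reports when a message that has already left the list host is submitted to the list address again. The names `parse_hop`, `find_reinjection` and `LIST_DOMAIN` are chosen here; the trace is the one quoted above, with the fields the archive stripped left empty.

```python
import re
from datetime import timezone
from email.utils import parsedate_to_datetime

LIST_DOMAIN = "jiscmail.ac.uk"  # list domain as it appears in the quoted trace

# Received lines as quoted in the message above, newest first. The archive
# removed the <...> ids and addresses; those gaps are kept, not filled in.
TRACE = [
    "Received: from relay1.bt.net (relay1.bt.net [194.72.6.100]) by dori.rl.ac.uk "
    "(8.11.1/8.11.1) with ESMTP id h2S8DCO19545 for ; Fri, 28 Mar 2003 08:13:12 GMT",
    "Received: from [194.72.158.100] (helo=[192.168.1.2]) by relay1.bt.net with esmtp "
    "(Exim 3.36 #1) id 18yoz9-00073X-00 for MAILSCANNER@jiscmail.ac.uk; "
    "Fri, 28 Mar 2003 08:13:11 +0000",
    "Received: from smtp.jiscmail.ac.uk (unverified) by cohen (Content Technologies "
    "SMTPRS 4.3.6) with SMTP id for ; Thu, 27 Mar 2003 20:44:40 +0000",
]

# Constructed sample (not from the thread): an ordinary first post to the list.
NORMAL_TRACE = [
    "Received: from mail.example.org (mail.example.org [192.0.2.10]) by "
    "smtp.jiscmail.ac.uk with ESMTP id abc123 for <MAILSCANNER@jiscmail.ac.uk>; "
    "Thu, 27 Mar 2003 20:40:00 +0000",
]

HOP_RE = re.compile(r"\bfrom\s+(?P<src>\S+).*?\bby\s+(?P<dst>\S+)", re.S)
FOR_RE = re.compile(r"\bfor\s+<?(?P<rcpt>[^\s<>;]+@[^\s<>;]+)>?")


def parse_hop(header):
    """Split one Received header into sender, receiver, recipient and time."""
    body, sep, stamp = header.rpartition(";")
    if not sep:
        return None  # no ';' means no timestamp, so the line is unusable
    try:
        when = parsedate_to_datetime(stamp.strip())
    except (TypeError, ValueError):
        return None
    if when.tzinfo is None:  # "-0000" style stamps parse as naive; treat as UTC
        when = when.replace(tzinfo=timezone.utc)
    hop = HOP_RE.search(body)
    rcpt = FOR_RE.search(body)  # absent when the archive stripped the address
    return {
        "src": hop.group("src").lower() if hop else None,
        "dst": hop.group("dst").lower() if hop else None,
        "rcpt": rcpt.group("rcpt").lower() if rcpt else None,
        "when": when,
    }


def in_domain(name, domain):
    """True if a host name is the domain itself or a host inside it."""
    name = (name or "").strip("[]").rstrip(".")
    return name == domain or name.endswith("." + domain)


def find_reinjection(trace, list_domain):
    """Return details of a list -> subscriber -> list loop, or None.

    Headers are stacked newest first, so the chain is read in reverse.
    The "from" name is whatever the sender claimed (note "unverified" in
    the trace), so a hit is a lead for the list admin, not proof.
    """
    hops = [h for h in map(parse_hop, trace) if h][::-1]
    left_list = None
    for hop in hops:
        rcpt_domain = hop["rcpt"].rpartition("@")[2] if hop["rcpt"] else ""
        if left_list and in_domain(rcpt_domain, list_domain):
            return {
                "left_list_at": left_list["when"],
                "resubmitted_from": hop["src"],
                "accepted_by": hop["dst"],
                "delay": hop["when"] - left_list["when"],
            }
        if left_list is None and in_domain(hop["src"], list_domain):
            left_list = hop
    return None


if __name__ == "__main__":
    print(find_reinjection(TRACE, LIST_DOMAIN))
    print(find_reinjection(NORMAL_TRACE, LIST_DOMAIN))
```
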
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:37 2006 Subject: List resends In-Reply-To: <2B85F2C8-60FA-11D7-9B28-000393B9390A@strong-box.net> References: Message-ID: <5.2.0.9.2.20030328084908.043d9200@imap.ecs.soton.ac.uk> At 08:49 28/03/2003, you wrote: >On Friday, March 28, 2003, at 12:43 AM, Raymond Dijkxhoorn wrote: > >>Hi! >> >>>>Nevermind I had d, not d. also had to remove the c after the } >>>> >>>>Its fine now. >>> >>>Just to confirm: my patch worked or not? >> >>Am i the only one getting resends on the list ? I just got a whole >>bunch >>of messages i allready got last night. >> >>Bye, >>Raymond. > >I just saw this too - a big clump of messages from thursday received at >08:13 GMT friday. Found the culprit, and have suspended his subscription until he gets in touch with me. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From linux at mostert.nom.za Fri Mar 28 08:59:35 2003 From: linux at mostert.nom.za (Mozzi) Date: Thu Jan 12 21:17:37 2006 Subject: Sendmail Message-ID: <200303281059.35684.linux@mostert.nom.za> Hi all I suddenly got a problem here I run Red Hat 7.3 -All paches With sendmail Standard install I get this when telneting to localhost telnet localhost 25 Trying 127.0.0.1... telnet: connect to address 127.0.0.1: Connection refused >From othr hosts I can telnet in I checked where it is listening and got this tcp 0 0 192.168.1.1:25 0.0.0.0:* LISTEN Tnx Mozzi From mailscanner at ecs.soton.ac.uk Fri Mar 28 08:55:24 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:37 2006
Subject: Sendmail
In-Reply-To: <200303281059.35684.linux@mostert.nom.za>
Message-ID: <5.2.0.9.2.20030328085432.0356c960@imap.ecs.soton.ac.uk>

At 08:59 28/03/2003, you wrote:
>Hi all
>I suddenly got a problem here
>I run Red Hat 7.3 -All patches
>With sendmail Standard install
>
>I get this when telnetting to localhost
>telnet localhost 25
>Trying 127.0.0.1...
>telnet: connect to address 127.0.0.1: Connection refused
>
> >From other hosts I can telnet in
>I checked where it is listening and got this
>tcp 0 0 192.168.1.1:25 0.0.0.0:* LISTEN

Looks like you have either been playing with /etc/hosts or the
DaemonOptions in sendmail.cf. Your sendmail is only listening on
192.168.1.1 where it should be listening on everything.

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From raymond at PROLOCATION.NET Fri Mar 28 09:03:10 2003
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:17:37 2006
Subject: Sendmail
In-Reply-To: <200303281059.35684.linux@mostert.nom.za>
Message-ID:

Hi!

> I suddenly got a problem here
> I run Red Hat 7.3 -All patches
> With sendmail Standard install

> Trying 127.0.0.1...
> telnet: connect to address 127.0.0.1: Connection refused

Default RH install does not listen on the public interface... So you need
to alter sendmail.cf

Bye,
Raymond

From P.G.M.Peters at civ.utwente.nl Fri Mar 28 09:24:12 2003
From: P.G.M.Peters at civ.utwente.nl (Peter Peters) Date: Thu Jan 12 21:17:38 2006 Subject: List resends In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB0EBF4D0@pascal.priv.bmrb.co.uk> References: <5C0296D26910694BB9A9BBFC577E7AB0EBF4D0@pascal.priv.bmrb.co.uk> Message-ID: On Fri, 28 Mar 2003 08:52:17 -0000, you wrote: >The signature is the giveaway.... > >This footnote also confirms that this email message has been swept by MIMEsweeper for the presence of computer viruses >*********************************************************************************** > >Somehow I don't think very many people on list use MIMEsweeper! Yet this is appended to all the resends The makers of MIMEsweeper are afraid of Julian's good product and they want to disable the competition. ;-) -- Peter Peters, senior netwerkbeheerder Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE) Universiteit Twente, Postbus 217, 7500 AE Enschede telefoon: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/civ From mailscanner at BARENDSE.TO Fri Mar 28 09:53:27 2003 
From: mailscanner at BARENDSE.TO (Remco Barendse) Date: Thu Jan 12 21:17:38 2006 Subject: Sendmail In-Reply-To: <200303281059.35684.linux@mostert.nom.za> Message-ID: I had the same problem. I traced it back to an update that was installed last week when running RedHat up2date. Every server that ran up2date and was updated appeared to be down from the internet. The server would be fine when looking at if from the console. Rebooting fixed the problem (are they copycatting from Micro$oft at RedHat??) Had identical problems with RedHat 8 servers. SSH stopped working, as did sendmail, POP3, IMAP and some other services. Remco On Fri, 28 Mar 2003, Mozzi wrote: > Hi all > I suddenly got a problem here > I run Red Hat 7.3 -All paches > With sendmail Standard install > > I get this when telneting to localhost > telnet localhost 25 > Trying 127.0.0.1... > telnet: connect to address 127.0.0.1: Connection refused > > >From othr hosts I can telnet in > I checked where it is listening and got this > tcp 0 0 192.168.1.1:25 0.0.0.0:* LISTEN > > Tnx > > Mozzi > > -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From mailscanner at BARENDSE.TO Fri Mar 28 09:55:32 2003 
From: mailscanner at BARENDSE.TO (Remco Barendse) Date: Thu Jan 12 21:17:38 2006 Subject: confirming SPAM In-Reply-To: <5.2.0.9.2.20030328083658.04371b60@imap.ecs.soton.ac.uk> Message-ID: Would it be possible to automate the creation of the accounts and scripts in the MailScanner install? Maybe make ik ask a question during the install? On Fri, 28 Mar 2003, Julian Field wrote: > At 02:52 28/03/2003, you wrote: > >Thanks for the input Julian. > > > >I have MailScanner working and it is bouncing all spam it finds as well as > >forwarding it to me as the system admin. > > > >I have gotten Razor2 installed and working. I have successfully registered > >on the network. I am having difficulty with two issues: > > > >>Also, using the new Bayes engine in SpamAssassin 2.51 (but I would advise > >>you to wait for 2.52 release), the anti-spam engine will learn about spam > >>messages that it got wrong by your users feeding back the spam into the > >>engine. I have 2 addresses here, "spam" and "notspam", which users bounce > >>mail to when the spam engine gets it wrong. So its performance improves > >>with time as it learns lots of new spam. > > > > > >1- You mentioned that you have 2 addresses setup for reporting spam called > >"spam" and "notspam". I have not found any documentation on how to > >accomplish this. Do you know where I can find documentation? I would like > >to make it as easy as possible for Windows users to be able to report spam > >and forwarding any incorrect messages to an email address would make it a > >snap (needless to say that I don't want them forwarding to my address). > > Create a couple of local accounts, called "spam" and "notspam" whose > mailboxes will live on the MailScanner server. The following script makes a > few assumptions on where things live, but you can easily edit them to suit > your environment. Create a cron job to run this script every hour or so. > The "sa-learn" command is a script that comes with SpamAssassin. 
> > #!/bin/sh > > SPAM=/var/mail/spam > NOTSPAM=/var/mail/notspam > TOTAL=.cumulative > > LOGFILE=/var/log/learn.spam.log > PREFS=/opt/MailScanner/etc/spam.assassin.prefs.conf > SALEARN=/opt/MailScanner/bin/sa-learn > > date >> $LOGFILE > if [ -f $SPAM ]; then > BOX=${SPAM}.processing > mv $SPAM $BOX > sleep 5 # Wait for writing current message to complete > $SALEARN --prefs-file=$PREFS --spam --mbox $BOX >> $LOGFILE 2>&1 > cat $BOX >> ${SPAM}${TOTAL} > echo >> ${SPAM}${TOTAL} > rm -f $BOX > fi > > if [ -f $NOTSPAM ]; then > BOX=${NOTSPAM}.processing > mv $NOTSPAM $BOX > sleep 5 # Wait for writing current message to complete > $SALEARN --prefs-file=$PREFS --ham --mbox $BOX >> $LOGFILE 2>&1 > cat $BOX >> ${NOTSPAM}${TOTAL} > echo >> ${NOTSPAM}${TOTAL} > rm -f $BOX > fi > > > >2- I have SpamAssassin working with MailScanner and have not seen any > >settings or configs for Bayes. How do I turn it on or set it up? > > Make sure you have installed "DB_File" using CPAN. If that fails, you > probably haven't got BerkeleyDB installed (www.sleepycat.com). Remove the > "use AnyDBM_File;" statement from the top of > /usr/lib/MailScanner/MailScanner/SA.pm. Delete all the database files in > /root/.spamassassin. Then start up MailScanner again and it should start > learning Bayes statistics from mail it sees. The default settings for > SpamAssassin's Bayes filter will work just fine. > > > >Thanks for any assistance or info. > > > > > >Dene Ulmschneider > >Data Techie Inc. > >------------------------------------------------------------------------- > >office: 718.738.8859 > >cell: 646.996.2976 > >email: dene@datatechie.com > >pager mail: denenow@datatechie.com > >website: www.datatechie.com > >------------------------------------------------------------------------- > >"Life is too short...-...you should have dessert first" > > > > > >-- > >This message has been scanned for viruses and dangerous > >content by Data Techie, and is believed to be clean. > >Data Techie... 
always there to protect you! > >http://www.datatechie.com > > -- > Julian Field > www.MailScanner.info > MailScanner thanks transtec Computers for their support > > -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From m.sapsed at BANGOR.AC.UK Fri Mar 28 12:21:48 2003 From: m.sapsed at BANGOR.AC.UK (Martin Sapsed) Date: Thu Jan 12 21:17:38 2006 Subject: how to get digest of this list References: <47F3EDACE4BC3A4594D0D7B504062BBD019C6ADB@doamail04.doa.wistate.us> Message-ID: <3E843E5C.20903@bangor.ac.uk> Amin, Harish wrote: > Since lately we are getting too many mails > I would appreciate to know how I can change my subscription to digest mode > (one consolidated mail per day) To search/view the archives, leave the list or to change options (like requesting digest mode) visit http://www.jiscmail.ac.uk/lists/mailscanner.html Cheers, Martin -- Martin Sapsed Information Services "Who do you say I am?" University of Wales, Bangor Jesus of Nazareth From Peter.Bates at LSHTM.AC.UK Fri Mar 28 13:15:15 2003 
From: Peter.Bates at LSHTM.AC.UK (Peter Bates) Date: Thu Jan 12 21:17:38 2006 Subject: Sophos, SAVI, etc. Message-ID: Hello all (or possibly mainly Julian)... Any thoughts on the SAVI::Perl module? http://www.cpan.org/authors/id/P/PH/PHENSON/SAVI-Perl-0.05.readme (newer version doesn't appear to be on CPAN, and I can't reach search.cpan.org at the moment): http://www.csupomona.edu/~henson/www/projects/SAVI-Perl/dist/ I just thought it might be a (tiny) bit faster, if available, than calling 'sweep', as I presume MS does at the moment on a batch of messages? And also considering MS respawning itself on a regular basis, the virus signatures would also be renewed without intervention (as opposed to say daemonized things like Sophie of which I know you don't approve)... ---------------------------------------------------------------------------------------------------> Peter Bates, Systems Support Officer, Network Support Team. London School of Hygiene & Tropical Medicine. Telephone:0207-958 8353 / Fax: 0207- 636 9838 From Lou.Baccari at HP.COM Fri Mar 28 13:44:03 2003 From: Lou.Baccari at HP.COM (Baccari, Lou) Date: Thu Jan 12 21:17:38 2006 Subject: spam mail not being tagged as spam Message-ID: Hi, Yesterday I tried to send out a question to the group regarding spam mail not being tagged. I attached the spam message and extracted some of maillog. I never received a copy of this message, which I have to assume the mail server supporting this list is using MailScanner and removed it. How do I send an example of a spam mail and the maillog / header log to the group for you review? Thanks, Lou -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030328/2ae2537c/attachment.html From Kevin.Spicer at BMRB.CO.UK Fri Mar 28 14:03:36 2003 
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin) Date: Thu Jan 12 21:17:38 2006 Subject: spam mail not being tagged as spam Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0EBF4DB@pascal.priv.bmrb.co.uk> >Hi, > > Yesterday I tried to send out a question to the group regarding spam mail not being >tagged. I attached the spam message and extracted some of maillog. I never received a copy >of this message, which I have to assume the mail server supporting this list is using >MailScanner and removed it. > > How do I send an example of a spam mail and the maillog / header log to the group for you review? I can't resist pointing out that Outlook (when displaying messages grouped by conversion topic) displays the Thread-Topic header as the conversation topic - which can be entertaining when others forward a mail, deleting the body and changing the subject. I presume that was the title of the original spam and not part of your regular correspondence ;) Seriously though, why don't you just post the headers & maillog I wouldn't have thought the actual content of the spam makes much difference. BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. From linux at mostert.nom.za Fri Mar 28 14:27:27 2003 
From: linux at mostert.nom.za (Mozzi)
Date: Thu Jan 12 21:17:38 2006
Subject: Mailscanner in mem
In-Reply-To: <200303271711.00491.linux@mostert.nom.za>
References: <5.2.0.9.2.20030324105235.02378b00@imap.ecs.soton.ac.uk> <5.2.0.9.2.20030324115113.02873bc8@imap.ecs.soton.ac.uk> <200303271711.00491.linux@mostert.nom.za>
Message-ID: <200303281627.27350.linux@mostert.nom.za>

Just to report back on this to all
It worked. So far, after I have put it on, my graphs show that from 11:30am to
16:30pm I have processed
"Current :34.9 k messages "
;-)
So all seems well

Mozzi

On Thursday 27 March 2003 17:11, Mozzi wrote:
> Hi Julian
> I use redhat 7.3 with the latest MailScanner
> I just setup tmpfs and I have /var/spool/MailScanner/incoming mounted(I use
> fstab)
> Now I Just sent myself a message and all looks fine the message was
> accepted and got delivered.
>
> Mar 27 17:04:04 mailscanner sendmail[4430]: h2RF44H04430:
> to=, delay=00:00:00, mailer=smtp, pri=30556, stat=queued
> Mar 27 17:04:07 mailscanner MailScanner[4331]: New Batch: Scanning 1
> messages, 1000 bytes
> Mar 27 17:04:12 mailscanner MailScanner[4331]: Virus and Content Scanning:
> Starting
> Mar 27 17:04:12 mailscanner MailScanner[4331]: Uninfected: Delivered 1
> messages
> Mar 27 17:04:12 mailscanner sendmail[4435]: h2RF44H04430:
> to=, delay=00:00:08, xdelay=00:00:00, mailer=smtp,
> pri=120556, relay=[196.25.84.194] [196.25.84.194], dsn=2.0.0, stat=Sent
> (h2RF4Muc003419 Message accepted for delivery)
>
> I haven't tested it under load but it looks like it will work
>
>
> Mozzi
>
> On Monday 24 March 2003 13:51, you wrote:
> > Try scanning a directory structure in tmpfs with the latest F-Prot code,
> > it's possible they have fixed it.
> > Let me know what you find.
> >
> > At 11:20 24/03/2003, you wrote:
> > >Tnx
> > >I use fprot so there goes that idea
> > >
> > >Mozzi
> > >
> > >On Monday 24 March 2003 12:55, you wrote:
> > > > At 09:26 24/03/2003, you wrote:
> > > > >Hallo all
> > > > >
> > > > >Can anyone remember the subject for the thread on running mailscanner
> > > > > in memory?
> > > > >
> > > > >I have a box with 3Gig ram here and I need the performance.
> > > >
> > > > You can safely run with the MailScanner/incoming directory in RAM
> > > > (just use tmpfs) as long as you aren't using F-Prot (which for some
> > > > reason doesn't like tmpfs and won't recurse directories properly).
> > > > Putting your mqueue.in and mqueue in RAM is very dodgy unless your
> > > > RAM is battery-backed and your system is never rebooted with anything
> > > > in its mail queues.
> > > >
> > > > If you are running Linux, then add a "-" in front of the log filename
> > > > in syslog.conf. So instead of it logging to
> > > > /var/log/maillog
> > > > make it
> > > > -/var/log/maillog
> > > > That will stop syslogd from fsync-ing after every log entry, which
> > > > can make quite a difference to your disk traffic.
> > > >
> > > > Running with MailScanner/incoming in tmpfs can add up to 30% to your
> > > > max throughput.
> > > > --
> > > > Julian Field
> > > > www.MailScanner.info
> > > > Professional Support Services at www.MailScanner.biz
> > > > MailScanner thanks transtec Computers for their support
> >
> > --
> > Julian Field
> > www.MailScanner.info
> > Professional Support Services at www.MailScanner.biz
> > MailScanner thanks transtec Computers for their support

From Lou.Baccari at HP.COM Fri Mar 28 14:32:03 2003
From: Lou.Baccari at HP.COM (Baccari, Lou)
Date: Thu Jan 12 21:17:38 2006
Subject: spam mail not being tagged as spam
Message-ID:

Here goes:

output from maillog:
==================================================================
Mar 27 08:25:55 crl-mail sendmail[1957]: h2RDPo5O001957: from=, size=3860, class=0, nrcpts=4, msgid=, proto=SMTP, daemon=MTA, relay=[210.22.108.5]
Mar 27 08:25:55 crl-mail MailScanner[32619]: New Batch: Scanning 1 messages, 4416 bytes
Mar 27 08:25:55 crl-mail MailScanner[32619]: Spam Checks: Starting
Mar 27 08:25:55 crl-mail MailScanner[32619]: Virus and Content Scanning: Starting
Mar 27 08:25:55 crl-mail MailScanner[32619]: Uninfected: Delivered 1 messages
Mar 27 08:25:56 crl-mail sendmail[1964]: h2RDPo5O001957: to=CRLProblems@compaq.com,Andrew.Christian@compaq.com,Jim.Rehg@compaq.com,j amey.hicks@compaq.com , delay=00:00:04, xdelay=00:00:01, mailer=esmtp, pri=210584, relay=cceexg11.americas.cpqcorp.net. [16.110.250. 125], dsn=2.0.0, stat=Sent ( Queued mail for delivery)
Mar 27 08:25:58 crl-mail sendmail[1945]: h2RDOL5O001930: to=, delay=00:01:37, xdelay=00:00:05, mailer=esmtp, p ri=3511168, relay=pop.bhplus.com. [66.106.30.251], dsn=2.0.0, stat=Sent (OK)
Mar 27 08:26:01 crl-mail sendmail[1964]: h2RDPo5O001957: to=alden@quabbin.crl.dec.com, delay=00:00:09, xdelay=00:00:05, mailer=esmtp , pri=210584, relay=quabbin.crl.dec.com. [16.11.0.45], dsn=5.1.1, stat=User unknown
Mar 27 08:26:01 crl-mail sendmail[1964]: h2RDPo5O001957: h2RDPt5X001964: DSN: User unknown

header info from mail messages:
==================================================================
Received: from 192.58.206.9 ([210.22.108.5])
        by crl-mail.crl.dec.com (8.12.8/8.12.5) with SMTP id h2RDPo5O001957;
        Thu, 27 Mar 2003 08:25:52 -0500
Received: from vll.aa88.com [180.112.242.203] by 192.58.206.9 with ESMTP id <095654-97600>;
        Thu, 27 Mar 2003 16:17:37 +0300
Message-ID:
From: "Jacques Burgos"
To: , , , ,
Subject: Re:Want a king-size P-E-N-I-S in one week? ihtklrhyomc
Date: Thu, 27 Mar 03 16:17:37 GMT
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: eGroups Message Poster
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="_.A._ECE.433CADD750_D"
X-MailScanner: Found to be clean
Return-Path: yqs3285ev@msn.com
X-OriginalArrivalTime: 27 Mar 2003 13:25:56.0453 (UTC) FILETIME=[65F92950:01C2F464]

--_.A._ECE.433CADD750_D
Content-Type: text/html
Content-Transfer-Encoding: quoted-printable

--_.A._ECE.433CADD750_D--

-----Original Message-----
From: Spicer, Kevin [mailto:Kevin.Spicer@BMRB.CO.UK]
Sent: Friday, March 28, 2003 9:04 AM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: spam mail not being tagged as spam

>Hi,
>
>   Yesterday I tried to send out a question to the group regarding spam mail not being
>tagged. I attached the spam message and extracted some of maillog. I never received a copy
>of this message, which I have to assume the mail server supporting this list is using
>MailScanner and removed it.
>
>   How do I send an example of a spam mail and the maillog / header log to the group for your review?

I can't resist pointing out that Outlook (when displaying messages grouped by conversation topic) displays the Thread-Topic header as the conversation topic - which can be entertaining when others forward a mail, deleting the body and changing the subject. I presume that was the title of the original spam and not part of your regular correspondence ;)

Seriously though, why don't you just post the headers & maillog? I wouldn't have thought the actual content of the spam makes much difference.

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000
_________________________________________________________________
This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business.

From mailscanner at ecs.soton.ac.uk Fri Mar 28 14:03:41 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:38 2006
Subject: Sophos, SAVI, etc.
In-Reply-To:
Message-ID: <5.2.0.9.2.20030328140157.042ca0e8@imap.ecs.soton.ac.uk>

Very interesting reading. I never knew this existed.
If Sophos can't make 3.68 start up any faster than 3.67, then I will certainly start using this.

Many thanks for showing me this.

At 13:15 28/03/2003, you wrote:
>Hello all (or possibly mainly Julian)...
>
>Any thoughts on the SAVI::Perl module?
>
>http://www.cpan.org/authors/id/P/PH/PHENSON/SAVI-Perl-0.05.readme
>(newer version doesn't appear to be on CPAN, and I can't
>reach search.cpan.org at the moment):
>http://www.csupomona.edu/~henson/www/projects/SAVI-Perl/dist/
>
>I just thought it might be a (tiny) bit faster, if available, than calling
>'sweep', as I presume MS does at the moment on a batch of messages?
>
>And also considering MS respawning itself on a regular basis, the virus
>signatures would also be renewed without intervention (as opposed to say
>daemonized things like Sophie of which I know you don't approve)...
>
>
>--------------------------------------------------------------------------------------------------->
>Peter Bates, Systems Support Officer, Network Support Team.
>London School of Hygiene & Tropical Medicine.
>Telephone:0207-958 8353 / Fax: 0207- 636 9838
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Fri Mar 28 14:05:25 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:38 2006
Subject: spam mail not being tagged as spam
In-Reply-To:
Message-ID: <5.2.0.9.2.20030328140427.034bb608@imap.ecs.soton.ac.uk>

At 13:44 28/03/2003, you wrote:
>Hi,
>
>   Yesterday I tried to send out a question to the group regarding spam
> mail not being tagged. I attached the spam message and extracted some of
> maillog. I never received a copy of this message, which I have to assume
> the mail server supporting this list is using MailScanner and removed it.

No, they look for signs that the message looked like a delivery failure report.

>   How do I send an example of a spam mail and the maillog / header log to
> the group for your review?

Bung it in an attachment, and the mailing list server won't get confused.
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From Kevin.Spicer at BMRB.CO.UK Fri Mar 28 14:39:49 2003
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin)
Date: Thu Jan 12 21:17:38 2006
Subject: spam mail not being tagged as spam
Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0EBF4DC@pascal.priv.bmrb.co.uk>

It's difficult to tell from this why it wasn't picked up. If you set
Always Include SpamAssassin Report = yes
in MailScanner.conf you'll be able to see which rules it triggered and what score it got, even if it's not tagged as spam.

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000
_________________________________________________________________
This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business.

From SJCJonker at SJC.NL Fri Mar 28 15:12:22 2003
From: SJCJonker at SJC.NL (Stijn Jonker)
Date: Thu Jan 12 21:17:38 2006
Subject: List resends
In-Reply-To: <5.2.0.9.2.20030328084908.043d9200@imap.ecs.soton.ac.uk>
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Julian,

This happened to this guy/mail server on several occasions now, isn't it time we pursued him / nottinghamcity.gov.uk to finally ditch their email system with mimesweeper with a nice unix based solution with mailscanner? Until that time they are denied access ;-)?

On Fri, 28 Mar 2003, Julian Field wrote:

> At 08:49 28/03/2003, you wrote:
> >On Friday, March 28, 2003, at 12:43 AM, Raymond Dijkxhoorn wrote:
> >
> >>Hi!
> >>
> >>>>Nevermind I had d, not d. also had to remove the c after the }
> >>>>
> >>>>It's fine now.
> >>>
> >>>Just to confirm: my patch worked or not?
> >>
> >>Am I the only one getting resends on the list ? I just got a whole
> >>bunch
> >>of messages I already got last night.
> >>
> >>Bye,
> >>Raymond.
> >
> >I just saw this too - a big clump of messages from Thursday received at
> >08:13 GMT Friday.
>
> Found the culprit, and have suspended his subscription until he gets in
> touch with me.
> --
> Julian Field
> www.MailScanner.info
> MailScanner thanks transtec Computers for their support
>

- --
Met Vriendelijke groet/Yours Sincerely
Stijn Jonker

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQE+hGZYjU9r45tKnOARAkhfAKCdazKDBDjOB8oUQhAMfJz66UqbygCcCfws
5jSxMv3M+Enx6KQfAPmPgAI=
=3sWZ
-----END PGP SIGNATURE-----

From bnixon at NIXTECH.NET Fri Mar 28 15:41:29 2003
From: bnixon at NIXTECH.NET (bnixon)
Date: Thu Jan 12 21:17:38 2006
Subject: query sql
Message-ID: <003d01c2f540$80c76b20$3e00a8c0@nixtech.net>

I read the list and found very little information about mailscanner's
ability to query a mysql database.
Since mailscanner does not use spamc/spamd the beautiful web interface
for users to customize their settings will not work. Can mailscanner
directly query the mysql database and if so could someone give me at
least a hint as to how to do it.
Any help would be much appreciated.

Brad Nixon

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
Mailscanner thanks transtec Computers for their support.

From jase at SENSIS.COM Fri Mar 28 15:25:57 2003
From: jase at SENSIS.COM (Desai, Jason) Date: Thu Jan 12 21:17:38 2006 Subject: RBL Check timed out Message-ID: Julian, Just wanted to let you know that I think you patch worked. $ grep "MailScanner\[28998\]: RBL" /var/log/mail.log Mar 28 10:01:55 dimstar MailScanner[28998]: RBL Check timed out and was killed, consecutive failure 1 of 7 Mar 28 10:04:06 dimstar MailScanner[28998]: RBL Check timed out and was killed, consecutive failure 2 of 7 Mar 28 10:05:13 dimstar MailScanner[28998]: RBL Check timed out and was killed, consecutive failure 3 of 7 Mar 28 10:06:15 dimstar MailScanner[28998]: RBL Check timed out and was killed, consecutive failure 4 of 7 Mar 28 10:07:46 dimstar MailScanner[28998]: RBL Check timed out and was killed, consecutive failure 5 of 7 Mar 28 10:08:18 dimstar MailScanner[28998]: RBL Check timed out and was killed, consecutive failure 6 of 7 Mar 28 10:09:40 dimstar MailScanner[28998]: RBL Check timed out and was killed, consecutive failure 7 of 7 Mar 28 10:09:40 dimstar MailScanner[28998]: RBL Check temporarily disabled Mar 28 10:10:45 dimstar MailScanner[28998]: RBL Check timed out and was killed Mar 28 10:11:28 dimstar MailScanner[28998]: RBL Check timed out and was killed Mar 28 10:12:15 dimstar MailScanner[28998]: RBL Check timed out and was killed Mar 28 10:14:14 dimstar MailScanner[28998]: RBL Check timed out and was killed Mar 28 10:15:52 dimstar MailScanner[28998]: RBL Check timed out and was killed Mar 28 10:16:42 dimstar MailScanner[28998]: RBL Check timed out and was killed Mar 28 10:18:00 dimstar MailScanner[28998]: RBL Check timed out and was killed Mar 28 10:19:09 dimstar MailScanner[28998]: RBL Check timed out and was killed Mar 28 10:20:14 dimstar MailScanner[28998]: RBL Check timed out and was killed Mar 28 10:21:11 dimstar MailScanner[28998]: RBL Check timed out and was killed Mar 28 10:22:10 dimstar MailScanner[28998]: RBL Check timed out and was killed Mar 28 10:23:35 dimstar MailScanner[28998]: RBL Check timed out and was 
killed Thanks! Jason > -----Original Message----- > From: Desai, Jason > Sent: Tuesday, March 25, 2003 4:19 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: [MAILSCANNER] RBL Check timed out > > > I will try this patch and let you know if there are any > problems. I'm not > sure if I'll be able to fully test it as yesterday was the > first time ever > we had more than 1 consecutive RBL Check timeout. Thanks! > > Jason > > > > -----Original Message----- > > From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] > > Sent: Tuesday, March 25, 2003 11:30 AM > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: Re: [MAILSCANNER] RBL Check timed out > > > > > > I fixed this for SA in 4.11. Forgot to fix it for RBLs :( > > > > Please can you try this patch to SA.pm and let me know how > you get on. > > > > --- RBLs.pm.old Fri Mar 14 11:30:42 2003 > > +++ RBLs.pm Tue Mar 25 16:34:16 2003 > > @@ -44,6 +44,7 @@ > > $VERSION = substr q$Revision: 1.18.2.2 $, 10; > > > > my %spamlistfailures; # Number of consecutive failures for > > both lists > > +my %deadspamlists; # All the dead spam lists > > > > # > > # Constructor. 
> > @@ -207,11 +208,17 @@ > > if ($pid>0) { > > # Increment the "Failures" counter for this RBL > > $spamlistfailures{"$Checked"}++; > > - if ($maxfailures>0) { > > + if (!$deadspamlists{"$Checked"} && $maxfailures>0) { > > MailScanner::Log::WarnLog("RBL Check $Checked timed > > out and was " . > > "killed, consecutive failure " . > > $spamlistfailures{"$Checked"} . " of " . > > $maxfailures); > > + # Kill this list as it has exceeded maxfailures > > + if ($spamlistfailures{"$Checked"}>=$maxfailures) { > > + MailScanner::Log::WarnLog("RBL Check %s temporarily > > disabled", > > + $Checked); > > + $deadspamlists{"$Checked"} = 1; > > + } > > } else { > > MailScanner::Log::WarnLog("RBL Check $Checked timed > > out and was > > killed"); > > } > > > > > > At 15:45 25/03/2003, you wrote: > > >Hello. > > > > > >Yesterday I received a bunch of "RBL Check timed out and > was killed" > > >messages in mail.log. Here is a sample output from my logs: > > > > > >$ grep "MailScanner\[6171\]: RBL" /var/log/mail.log > > >Mar 24 11:47:53 dimstar MailScanner[6171]: RBL Check timed > > out and was > > >killed, consecutive failure 1 of 7 > > >Mar 24 11:54:50 dimstar MailScanner[6171]: RBL Check timed > > out and was > > >killed, consecutive failure 2 of 7 > > >Mar 24 11:55:01 dimstar MailScanner[6171]: RBL Check timed > > out and was > > >killed, consecutive failure 3 of 7 > > >Mar 24 11:59:44 dimstar MailScanner[6171]: RBL Check timed > > out and was > > >killed, consecutive failure 4 of 7 > > >Mar 24 12:01:06 dimstar MailScanner[6171]: RBL Check timed > > out and was > > >killed, consecutive failure 5 of 7 > > >Mar 24 12:03:40 dimstar MailScanner[6171]: RBL Check timed > > out and was > > >killed, consecutive failure 6 of 7 > > >Mar 24 12:06:53 dimstar MailScanner[6171]: RBL Check timed > > out and was > > >killed, consecutive failure 7 of 7 > > >Mar 24 12:10:07 dimstar MailScanner[6171]: RBL Check timed > > out and was > > >killed, consecutive failure 8 of 7 > > >Mar 24 12:11:20 
dimstar MailScanner[6171]: RBL Check timed > > out and was > > >killed, consecutive failure 9 of 7 > > >Mar 24 12:12:07 dimstar MailScanner[6171]: RBL Check timed > > out and was > > >killed, consecutive failure 10 of 7 > > >Mar 24 12:16:45 dimstar MailScanner[6171]: RBL Check timed > > out and was > > >killed, consecutive failure 11 of 7 > > >Mar 24 12:20:09 dimstar MailScanner[6171]: RBL Check timed > > out and was > > >killed, consecutive failure 12 of 7 > > >Mar 24 12:45:20 dimstar MailScanner[6171]: RBL Check timed > > out and was > > >killed, consecutive failure 13 of 7 > > >Mar 24 12:46:26 dimstar MailScanner[6171]: RBL Check timed > > out and was > > >killed, consecutive failure 14 of 7 > > >Mar 24 12:49:00 dimstar MailScanner[6171]: RBL Check timed > > out and was > > >killed, consecutive failure 15 of 7 > > >Mar 24 12:50:14 dimstar MailScanner[6171]: RBL Check timed > > out and was > > >killed, consecutive failure 16 of 7 > > >Mar 24 13:56:02 dimstar MailScanner[6171]: RBL Check timed > > out and was > > >killed, consecutive failure 17 of 7 > > > > > >In my MailScanner.conf file, I have > > > > > >Spam List = > > > > > >I'm pretty sure that I tried commenting out the Spam List > > entry too, and > > >I've seen similar messages. I am trying to prevent > > MailScanner from doing > > >any RBL checks (I only want SpamAssassin to do this). I > > don't understand > > >why it would be trying to do RBL checks, and why it keeps on > > failing even > > >after 7 consecutive failures. I am running MailScanner > > 4.12-2. Is this a > > >bug in the code or do I have something configured wrong? > > > > > >Jason > > > > -- > > Julian Field > > www.MailScanner.info > > MailScanner thanks transtec Computers for their support > > > From jase at SENSIS.COM Fri Mar 28 15:33:42 2003 
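Review bot: In the `@@ -44,6 +44,7 @@` hunk of the quoted RBLs.pm patch, the comment on the new `%deadspamlists` ("All the dead spam lists") does not say when an entry is removed, and neither hunk deletes from it, so as far as these lines show a list logged as "temporarily disabled" stays flagged for the life of the process. Document the intended lifetime next to the declaration, or clear the flag after a successful lookup. The diff headers also name RBLs.pm while the covering text asks to apply the patch to SA.pm; worth correcting when the patch is reposted.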
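Review bot: In the `@@ -207,11 +208,17 @@` hunk of the quoted RBLs.pm patch, `$deadspamlists{"$Checked"}` is only read in the `if` that chooses which warning to log, so once a list is marked dead the timeout path still runs and simply falls through to the `else` branch. Nothing in the visible lines skips the lookup itself, which matches the log above: "temporarily disabled" at 10:09:40 is followed by further "timed out and was killed" entries. Test the flag before the lookup is started, not only before logging. Separately, the added `WarnLog("RBL Check %s temporarily disabled", $Checked)` passes a format string plus argument while the neighbouring calls interpolate `$Checked` into the first argument; if WarnLog is printf-style, pass `$Checked` as an argument in all three calls so a `%` in a list name is never read as a format directive.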
From: jase at SENSIS.COM (Desai, Jason)
Date: Thu Jan 12 21:17:38 2006
Subject: RBL Check timed out
Message-ID:

Sorry to reply to my own message (again), but now I'm not so sure that the
patch completely worked. If the RBL Check was disabled, why does it keep on
timing out? Could this have to do with the fact that I have

Spam List =

in MailScanner.conf?

Jason

> -----Original Message-----
> From: Desai, Jason > Sent: Friday, March 28, 2003 10:26 AM > To: 'MailScanner mailing list' > Subject: RE: [MAILSCANNER] RBL Check timed out > > > Julian, > > Just wanted to let you know that I think you patch worked. > > $ grep "MailScanner\[28998\]: RBL" /var/log/mail.log > Mar 28 10:01:55 dimstar MailScanner[28998]: RBL Check timed > out and was killed, consecutive failure 1 of 7 > Mar 28 10:04:06 dimstar MailScanner[28998]: RBL Check timed > out and was killed, consecutive failure 2 of 7 > Mar 28 10:05:13 dimstar MailScanner[28998]: RBL Check timed > out and was killed, consecutive failure 3 of 7 > Mar 28 10:06:15 dimstar MailScanner[28998]: RBL Check timed > out and was killed, consecutive failure 4 of 7 > Mar 28 10:07:46 dimstar MailScanner[28998]: RBL Check timed > out and was killed, consecutive failure 5 of 7 > Mar 28 10:08:18 dimstar MailScanner[28998]: RBL Check timed > out and was killed, consecutive failure 6 of 7 > Mar 28 10:09:40 dimstar MailScanner[28998]: RBL Check timed > out and was killed, consecutive failure 7 of 7 > Mar 28 10:09:40 dimstar MailScanner[28998]: RBL Check > temporarily disabled > Mar 28 10:10:45 dimstar MailScanner[28998]: RBL Check timed > out and was killed > Mar 28 10:11:28 dimstar MailScanner[28998]: RBL Check timed > out and was killed > Mar 28 10:12:15 dimstar MailScanner[28998]: RBL Check timed > out and was killed > Mar 28 10:14:14 dimstar MailScanner[28998]: RBL Check timed > out and was killed > Mar 28 10:15:52 dimstar MailScanner[28998]: RBL Check timed > out and was killed > Mar 28 10:16:42 dimstar MailScanner[28998]: RBL Check timed > out and was killed > Mar 28 10:18:00 dimstar MailScanner[28998]: RBL Check timed > out and was killed > Mar 28 10:19:09 dimstar MailScanner[28998]: RBL Check timed > out and was killed > Mar 28 10:20:14 dimstar MailScanner[28998]: RBL Check timed > out and was killed > Mar 28 10:21:11 dimstar MailScanner[28998]: RBL Check timed > out and was killed > Mar 28 10:22:10 dimstar 
MailScanner[28998]: RBL Check timed > out and was killed > Mar 28 10:23:35 dimstar MailScanner[28998]: RBL Check timed > out and was killed > > Thanks! > > Jason > > > -----Original Message----- > > From: Desai, Jason > > Sent: Tuesday, March 25, 2003 4:19 PM > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: Re: [MAILSCANNER] RBL Check timed out > > > > > > I will try this patch and let you know if there are any > > problems. I'm not > > sure if I'll be able to fully test it as yesterday was the > > first time ever > > we had more than 1 consecutive RBL Check timeout. Thanks! > > > > Jason > > > > > > > -----Original Message----- > > > From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] > > > Sent: Tuesday, March 25, 2003 11:30 AM > > > To: MAILSCANNER@JISCMAIL.AC.UK > > > Subject: Re: [MAILSCANNER] RBL Check timed out > > > > > > > > > I fixed this for SA in 4.11. Forgot to fix it for RBLs :( > > > > > > Please can you try this patch to SA.pm and let me know how > > you get on. > > > > > > --- RBLs.pm.old Fri Mar 14 11:30:42 2003 > > > +++ RBLs.pm Tue Mar 25 16:34:16 2003 > > > @@ -44,6 +44,7 @@ > > > $VERSION = substr q$Revision: 1.18.2.2 $, 10; > > > > > > my %spamlistfailures; # Number of consecutive failures for > > > both lists > > > +my %deadspamlists; # All the dead spam lists > > > > > > # > > > # Constructor. 
> > > @@ -207,11 +208,17 @@ > > > if ($pid>0) { > > > # Increment the "Failures" counter for this RBL > > > $spamlistfailures{"$Checked"}++; > > > - if ($maxfailures>0) { > > > + if (!$deadspamlists{"$Checked"} && $maxfailures>0) { > > > MailScanner::Log::WarnLog("RBL Check $Checked timed > > > out and was " . > > > "killed, consecutive failure " . > > > $spamlistfailures{"$Checked"} . " of " . > > > $maxfailures); > > > + # Kill this list as it has exceeded maxfailures > > > + if ($spamlistfailures{"$Checked"}>=$maxfailures) { > > > + MailScanner::Log::WarnLog("RBL Check %s temporarily > > > disabled", > > > + $Checked); > > > + $deadspamlists{"$Checked"} = 1; > > > + } > > > } else { > > > MailScanner::Log::WarnLog("RBL Check $Checked timed > > > out and was > > > killed"); > > > } > > > > > > > > > At 15:45 25/03/2003, you wrote: > > > >Hello. > > > > > > > >Yesterday I received a bunch of "RBL Check timed out and > > was killed" > > > >messages in mail.log. Here is a sample output from my logs: > > > > > > > >$ grep "MailScanner\[6171\]: RBL" /var/log/mail.log > > > >Mar 24 11:47:53 dimstar MailScanner[6171]: RBL Check timed > > > out and was > > > >killed, consecutive failure 1 of 7 > > > >Mar 24 11:54:50 dimstar MailScanner[6171]: RBL Check timed > > > out and was > > > >killed, consecutive failure 2 of 7 > > > >Mar 24 11:55:01 dimstar MailScanner[6171]: RBL Check timed > > > out and was > > > >killed, consecutive failure 3 of 7 > > > >Mar 24 11:59:44 dimstar MailScanner[6171]: RBL Check timed > > > out and was > > > >killed, consecutive failure 4 of 7 > > > >Mar 24 12:01:06 dimstar MailScanner[6171]: RBL Check timed > > > out and was > > > >killed, consecutive failure 5 of 7 > > > >Mar 24 12:03:40 dimstar MailScanner[6171]: RBL Check timed > > > out and was > > > >killed, consecutive failure 6 of 7 > > > >Mar 24 12:06:53 dimstar MailScanner[6171]: RBL Check timed > > > out and was > > > >killed, consecutive failure 7 of 7 > > > >Mar 24 12:10:07 dimstar 
MailScanner[6171]: RBL Check timed > > > out and was > > > >killed, consecutive failure 8 of 7 > > > >Mar 24 12:11:20 dimstar MailScanner[6171]: RBL Check timed > > > out and was > > > >killed, consecutive failure 9 of 7 > > > >Mar 24 12:12:07 dimstar MailScanner[6171]: RBL Check timed > > > out and was > > > >killed, consecutive failure 10 of 7 > > > >Mar 24 12:16:45 dimstar MailScanner[6171]: RBL Check timed > > > out and was > > > >killed, consecutive failure 11 of 7 > > > >Mar 24 12:20:09 dimstar MailScanner[6171]: RBL Check timed > > > out and was > > > >killed, consecutive failure 12 of 7 > > > >Mar 24 12:45:20 dimstar MailScanner[6171]: RBL Check timed > > > out and was > > > >killed, consecutive failure 13 of 7 > > > >Mar 24 12:46:26 dimstar MailScanner[6171]: RBL Check timed > > > out and was > > > >killed, consecutive failure 14 of 7 > > > >Mar 24 12:49:00 dimstar MailScanner[6171]: RBL Check timed > > > out and was > > > >killed, consecutive failure 15 of 7 > > > >Mar 24 12:50:14 dimstar MailScanner[6171]: RBL Check timed > > > out and was > > > >killed, consecutive failure 16 of 7 > > > >Mar 24 13:56:02 dimstar MailScanner[6171]: RBL Check timed > > > out and was > > > >killed, consecutive failure 17 of 7 > > > > > > > >In my MailScanner.conf file, I have > > > > > > > >Spam List = > > > > > > > >I'm pretty sure that I tried commenting out the Spam List > > > entry too, and > > > >I've seen similar messages. I am trying to prevent > > > MailScanner from doing > > > >any RBL checks (I only want SpamAssassin to do this). I > > > don't understand > > > >why it would be trying to do RBL checks, and why it keeps on > > > failing even > > > >after 7 consecutive failures. I am running MailScanner > > > 4.12-2. Is this a > > > >bug in the code or do I have something configured wrong? 
> > > > > > > >Jason > > > > > > -- > > > Julian Field > > > www.MailScanner.info > > > MailScanner thanks transtec Computers for their support > > > > > > From Harish.Amin at DEG.STATE.WI.US Fri Mar 28 16:10:24 2003 
From: Harish.Amin at DEG.STATE.WI.US (Amin, Harish)
Date: Thu Jan 12 21:17:38 2006
Subject: Getting this in the maillog file "470 Attempted virus scan failed Please try again later"
Message-ID: <47F3EDACE4BC3A4594D0D7B504062BBD019C6AE6@doamail04.doa.wistate.us>

MailScanner Version details on Sun Solaris 8
__________________________________________________
Mar 28 10:02:24 badger MailScanner[21575]: MailScanner E-Mail Virus Scanner version 4.02-2 starting...
Mar 28 10:02:25 badger MailScanner[21575]: Enabling SpamAssassin auto-whitelist functionality...
Mar 28 10:02:27 badger MailScanner[21575]: Using locktype = flock

LogFile Details
+++++++++++++++++++++++++++
1:18, mailer=esmtp, pri=943717, relay=smtp.mail.gr. [193.41.150.37], dsn=4.0.0, stat=Deferred: 470 Attempted virus scan failed. Please try again later
Mar 28 00:28:38 badger sendmail[17155]: [ID 801593 mail.info] h2S6SKB17155: from=<>, size=1030, class=0, nrcpts=1, msgid=<104883186401@mailserver.mail.gr>, proto=ESMTP, daemon=MTA-IPv4, relay=[193.41.150.37]
Mar 28 00:35:34 badger sendmail[17139]: [ID 801593 mail.notice] h2QK7hi22264: timeout waiting for input from smtp.mail.gr. during client QUIT
Mar 28 00:35:34 badger sendmail[17139]: [ID 801593 mail.info] h2QK7hi22264: to=kg@randolph.k12.wi.us, delay=1+10:27:51, xdelay=00:02:00, mailer=esmtp, pri=11720794, relay=mail.randolph.k12.wi.us., dsn=4.0.0, stat=Deferred: Connection timed out with smtp.mail.gr.
Mar 28 01:13:14 badger sendmail[17449]: [ID 801593 mail.info] h2RNx8A14297: to=rotimiwest@mail.gr, delay=07:14:06, xdelay=00:03:26, mailer=esmtp, pri=1033717, relay=smtp.mail.gr. [193.41.150.37], dsn=4.0.0, stat=Deferred: 470 Attempted virus scan failed. Please try again later
Mar 28 01:22:43 badger sendmail[17449]: [ID 801593 mail.notice] h2QK7hi22264: timeout waiting for input from smtp.mail.gr. during client QUIT
Mar 28 01:22:43 badger sendmail[17449]: [ID 801593 mail.info] h2QK7hi22264: to=kg@randolph.k12.wi.us, delay=1+11:15:00, xdelay=00:02:00, mailer=esmtp, pri=11810794, relay=mail.randolph.k12.wi.us., dsn=4.0.0, stat=Deferred: Connection timed out with smtp.mail.gr.
Mar 28 01:56:23 badger sendmail[17529]: [ID 801593 mail.info] h2RNx8A14297: to=rotimiwest@mail.gr, delay=07:57:15, xdelay=00:01:36, mailer=esmtp, pri=1123717, relay=smtp.mail.gr. [193.41.150.37], dsn=4.0.0, stat=Deferred: 470 Attempted virus scan failed. Please try again later
Mar 28 02:05:53 badger sendmail[17529]: [ID 801593 mail.notice] h2QK7hi22264: timeout waiting for input from smtp.mail.gr. during client QUIT
Mar 28 02:05:53 badger sendmail[17529]: [ID 801593 mail.info] h2QK7hi22264: to=kg@randolph.k12.wi.us, delay=1+11:58:10, xdelay=00:02:00, mailer=esmtp, pri=11900794, relay=mail.randolph.k12.wi.us., dsn=4.0.0, stat=Deferred: Connection timed out with smtp.mail.gr.
Mar 28 02:39:47 badger sendmail[17624]: [ID 801593 mail.info] h2RNx8A14297: to=rotimiwest@mail.gr, delay=08:40:39, xdelay=00:00:00, mailer=esmtp, pri=1213717, relay=smtp.mail.gr. [193.41.150.37], dsn=4.0.0, stat=Deferred: Connection reset by smtp.mail.gr.
Mar 28 03:28:35 badger sendmail[17794]: [ID 801593 mail.info] h2RNx8A14297: to=rotimiwest@mail.gr, delay=09:29:27, xdelay=00:03:48, mailer=esmtp, pri=1303717, relay=smtp.mail.gr. [193.41.150.37], dsn=4.0.0, stat=Deferred: 470 Attempted virus scan failed. Please try again later
Mar 28 03:38:05 badger sendmail[17794]: [ID 801593 mail.notice] h2QK7hi22264: timeout waiting for input from smtp.mail.gr. during client QUIT
Mar 28 03:38:05 badger sendmail[17794]: [ID 801593 mail.info] h2QK7hi22264: to=kg@randolph.k12.wi.us, delay=1+13:30:22, xdelay=00:02:00, mailer=esmtp, pri=12080794, relay=mail.randolph.k12.wi.us., dsn=4.0.0, stat=Deferred: Connection timed out with smtp.mail.gr.
Mar 28 04:14:57 badger sendmail[17976]: [ID 801593 mail.notice] h2RNx8A14297: timeout waiting for input from smtp.mail.gr. during client greeting
Mar 28 04:14:57 badger sendmail[17976]: [ID 801593 mail.info] h2RNx8A14297: to=rotimiwest@mail.gr, delay=10:15:49, xdelay=00:05:10, mailer=esmtp, pri=1393717, relay=smtp.mail.gr. [193.41.150.37], dsn=4.0.0, stat=Deferred: Connection reset by smtp.mail.gr.
Mar 28 04:57:15 badger sendmail[18069]: [ID 801593 mail.info] h2RNx8A14297: to=rotimiwest@mail.gr, delay=10:58:07, xdelay=00:02:28, mailer=esmtp, pri=1483717, relay=smtp.mail.gr. [193.41.150.37], dsn=4.0.0, stat=Deferred: 470 Attempted virus scan failed. Please try again later

From mailscanner at ecs.soton.ac.uk Fri Mar 28 16:11:13 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:38 2006
Subject: query sql
In-Reply-To: <003d01c2f540$80c76b20$3e00a8c0@nixtech.net>
Message-ID: <5.2.0.9.2.20030328160954.04412400@imap.ecs.soton.ac.uk>

Have a look in CustomConfig.pm. You need to write a Custom Function which
you can call from the MailScanner.conf file. In the "Init" function you
read in all the database values into some Perl hash arrays. Then at lookup
time you just look up the values in the Perl hash array (which is *very* fast).

At 15:41 28/03/2003, you wrote:
>I read the list and found very little information about mailscanner's
>ability to query a mysql database.
>Since mailscanner does not use spamc/spamd the beautiful web interface
>for users to customize their settings will not work. Can mailscanner
>directly query the mysql database and if so could someone give me at
>least a hint as to how to do it.
>Any help would be much appreciated.
>
>Brad Nixon
>
>
>--
>This message has been scanned for viruses and
>dangerous content by MailScanner, and is
>believed to be clean.
>Mailscanner thanks transtec Computers for their support.

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Fri Mar 28 16:16:39 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:38 2006
Subject: RBL Check timed out
In-Reply-To:
Message-ID: <5.2.0.9.2.20030328161625.040bffe0@imap.ecs.soton.ac.uk>

At 15:33 28/03/2003, you wrote:
>Sorry to reply to my own message (again), but now I'm not so sure that the
>patch completely worked. If the RBL Check was disabled, why does it keep on
>timing out? Could this have to do with the fact that I have
>
>Spam List =
>
>in MailScanner.conf?

I have already fixed this in the latest beta release.

>Jason
>
> > -----Original Message-----
> > From: Desai, Jason > > Sent: Friday, March 28, 2003 10:26 AM > > To: 'MailScanner mailing list' > > Subject: RE: [MAILSCANNER] RBL Check timed out > > > > > > Julian, > > > > Just wanted to let you know that I think you patch worked. > > > > $ grep "MailScanner\[28998\]: RBL" /var/log/mail.log > > Mar 28 10:01:55 dimstar MailScanner[28998]: RBL Check timed > > out and was killed, consecutive failure 1 of 7 > > Mar 28 10:04:06 dimstar MailScanner[28998]: RBL Check timed > > out and was killed, consecutive failure 2 of 7 > > Mar 28 10:05:13 dimstar MailScanner[28998]: RBL Check timed > > out and was killed, consecutive failure 3 of 7 > > Mar 28 10:06:15 dimstar MailScanner[28998]: RBL Check timed > > out and was killed, consecutive failure 4 of 7 > > Mar 28 10:07:46 dimstar MailScanner[28998]: RBL Check timed > > out and was killed, consecutive failure 5 of 7 > > Mar 28 10:08:18 dimstar MailScanner[28998]: RBL Check timed > > out and was killed, consecutive failure 6 of 7 > > Mar 28 10:09:40 dimstar MailScanner[28998]: RBL Check timed > > out and was killed, consecutive failure 7 of 7 > > Mar 28 10:09:40 dimstar MailScanner[28998]: RBL Check > > temporarily disabled > > Mar 28 10:10:45 dimstar MailScanner[28998]: RBL Check timed > > out and was killed > > Mar 28 10:11:28 dimstar MailScanner[28998]: RBL Check timed > > out and was killed > > Mar 28 10:12:15 dimstar MailScanner[28998]: RBL Check timed > > out and was killed > > Mar 28 10:14:14 dimstar MailScanner[28998]: RBL Check timed > > out and was killed > > Mar 28 10:15:52 dimstar MailScanner[28998]: RBL Check timed > > out and was killed > > Mar 28 10:16:42 dimstar MailScanner[28998]: RBL Check timed > > out and was killed > > Mar 28 10:18:00 dimstar MailScanner[28998]: RBL Check timed > > out and was killed > > Mar 28 10:19:09 dimstar MailScanner[28998]: RBL Check timed > > out and was killed > > Mar 28 10:20:14 dimstar MailScanner[28998]: RBL Check timed > > out and was killed > > Mar 28 10:21:11 dimstar 
MailScanner[28998]: RBL Check timed > > out and was killed > > Mar 28 10:22:10 dimstar MailScanner[28998]: RBL Check timed > > out and was killed > > Mar 28 10:23:35 dimstar MailScanner[28998]: RBL Check timed > > out and was killed > > > > Thanks! > > > > Jason > > > > > -----Original Message----- > > > From: Desai, Jason > > > Sent: Tuesday, March 25, 2003 4:19 PM > > > To: MAILSCANNER@JISCMAIL.AC.UK > > > Subject: Re: [MAILSCANNER] RBL Check timed out > > > > > > > > > I will try this patch and let you know if there are any > > > problems. I'm not > > > sure if I'll be able to fully test it as yesterday was the > > > first time ever > > > we had more than 1 consecutive RBL Check timeout. Thanks! > > > > > > Jason > > > > > > > > > > -----Original Message----- > > > > From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] > > > > Sent: Tuesday, March 25, 2003 11:30 AM > > > > To: MAILSCANNER@JISCMAIL.AC.UK > > > > Subject: Re: [MAILSCANNER] RBL Check timed out > > > > > > > > > > > > I fixed this for SA in 4.11. Forgot to fix it for RBLs :( > > > > > > > > Please can you try this patch to SA.pm and let me know how > > > you get on. > > > > > > > > --- RBLs.pm.old Fri Mar 14 11:30:42 2003 > > > > +++ RBLs.pm Tue Mar 25 16:34:16 2003 > > > > @@ -44,6 +44,7 @@ > > > > $VERSION = substr q$Revision: 1.18.2.2 $, 10; > > > > > > > > my %spamlistfailures; # Number of consecutive failures for > > > > both lists > > > > +my %deadspamlists; # All the dead spam lists > > > > > > > > # > > > > # Constructor. 
> > > > @@ -207,11 +208,17 @@ > > > > if ($pid>0) { > > > > # Increment the "Failures" counter for this RBL > > > > $spamlistfailures{"$Checked"}++; > > > > - if ($maxfailures>0) { > > > > + if (!$deadspamlists{"$Checked"} && $maxfailures>0) { > > > > MailScanner::Log::WarnLog("RBL Check $Checked timed > > > > out and was " . > > > > "killed, consecutive failure " . > > > > $spamlistfailures{"$Checked"} . " of " . > > > > $maxfailures); > > > > + # Kill this list as it has exceeded maxfailures > > > > + if ($spamlistfailures{"$Checked"}>=$maxfailures) { > > > > + MailScanner::Log::WarnLog("RBL Check %s temporarily > > > > disabled", > > > > + $Checked); > > > > + $deadspamlists{"$Checked"} = 1; > > > > + } > > > > } else { > > > > MailScanner::Log::WarnLog("RBL Check $Checked timed > > > > out and was > > > > killed"); > > > > } > > > > > > > > > > > > At 15:45 25/03/2003, you wrote: > > > > >Hello. > > > > > > > > > >Yesterday I received a bunch of "RBL Check timed out and > > > was killed" > > > > >messages in mail.log. 
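Review bot: in the second hunk (@@ -207,11 +208,17 @@) the new $deadspamlists{"$Checked"} flag is only consulted when choosing which warning to log, inside the branch that runs after the child has already timed out and been killed. Judging by the log posted with the patch applied, a list marked "temporarily disabled" is therefore still checked and still times out on every batch; only the "consecutive failure N of M" suffix goes away. Suggest testing the flag before the lookup is started so that a dead list is skipped outright. Nothing in either hunk clears $deadspamlists or resets $spamlistfailures after a successful check, so please show where that happens, since "temporarily" and "consecutive" both depend on it. Minor: the added WarnLog call passes $Checked as a %s argument while the two neighbouring calls interpolate it into the message; one style throughout would be easier to read.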
Here is a sample output from my logs: > > > > > > > > > >$ grep "MailScanner\[6171\]: RBL" /var/log/mail.log > > > > >Mar 24 11:47:53 dimstar MailScanner[6171]: RBL Check timed > > > > out and was > > > > >killed, consecutive failure 1 of 7 > > > > >Mar 24 11:54:50 dimstar MailScanner[6171]: RBL Check timed > > > > out and was > > > > >killed, consecutive failure 2 of 7 > > > > >Mar 24 11:55:01 dimstar MailScanner[6171]: RBL Check timed > > > > out and was > > > > >killed, consecutive failure 3 of 7 > > > > >Mar 24 11:59:44 dimstar MailScanner[6171]: RBL Check timed > > > > out and was > > > > >killed, consecutive failure 4 of 7 > > > > >Mar 24 12:01:06 dimstar MailScanner[6171]: RBL Check timed > > > > out and was > > > > >killed, consecutive failure 5 of 7 > > > > >Mar 24 12:03:40 dimstar MailScanner[6171]: RBL Check timed > > > > out and was > > > > >killed, consecutive failure 6 of 7 > > > > >Mar 24 12:06:53 dimstar MailScanner[6171]: RBL Check timed > > > > out and was > > > > >killed, consecutive failure 7 of 7 > > > > >Mar 24 12:10:07 dimstar MailScanner[6171]: RBL Check timed > > > > out and was > > > > >killed, consecutive failure 8 of 7 > > > > >Mar 24 12:11:20 dimstar MailScanner[6171]: RBL Check timed > > > > out and was > > > > >killed, consecutive failure 9 of 7 > > > > >Mar 24 12:12:07 dimstar MailScanner[6171]: RBL Check timed > > > > out and was > > > > >killed, consecutive failure 10 of 7 > > > > >Mar 24 12:16:45 dimstar MailScanner[6171]: RBL Check timed > > > > out and was > > > > >killed, consecutive failure 11 of 7 > > > > >Mar 24 12:20:09 dimstar MailScanner[6171]: RBL Check timed > > > > out and was > > > > >killed, consecutive failure 12 of 7 > > > > >Mar 24 12:45:20 dimstar MailScanner[6171]: RBL Check timed > > > > out and was > > > > >killed, consecutive failure 13 of 7 > > > > >Mar 24 12:46:26 dimstar MailScanner[6171]: RBL Check timed > > > > out and was > > > > >killed, consecutive failure 14 of 7 > > > > >Mar 24 12:49:00 dimstar 
MailScanner[6171]: RBL Check timed > > > > out and was > > > > >killed, consecutive failure 15 of 7 > > > > >Mar 24 12:50:14 dimstar MailScanner[6171]: RBL Check timed > > > > out and was > > > > >killed, consecutive failure 16 of 7 > > > > >Mar 24 13:56:02 dimstar MailScanner[6171]: RBL Check timed > > > > out and was > > > > >killed, consecutive failure 17 of 7 > > > > > > > > > >In my MailScanner.conf file, I have > > > > > > > > > >Spam List = > > > > > > > > > >I'm pretty sure that I tried commenting out the Spam List > > > > entry too, and > > > > >I've seen similar messages. I am trying to prevent > > > > MailScanner from doing > > > > >any RBL checks (I only want SpamAssassin to do this). I > > > > don't understand > > > > >why it would be trying to do RBL checks, and why it keeps on > > > > failing even > > > > >after 7 consecutive failures. I am running MailScanner > > > > 4.12-2. Is this a > > > > >bug in the code or do I have something configured wrong? > > > > > > > > > >Jason > > > > > > > > -- > > > > Julian Field > > > > www.MailScanner.info > > > > MailScanner thanks transtec Computers for their support > > > > > > > > > -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Fri Mar 28 16:17:21 2003 
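The two log excerpts in this message show a counter running past its limit ("8 of 7") before the patch, and timeouts continuing after "temporarily disabled" with it. The following is an added example, not MailScanner code, that flags both patterns per process and per list; the sample lines, host name, PIDs and list name are constructed, and the message wording follows the log lines and WarnLog strings quoted above.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample (host name, PIDs and EXAMPLE-RBL are made up); the message
# wording follows the MailScanner log lines and WarnLog strings quoted in the thread.
SAMPLE_LOG = """\
Mar 24 12:03:40 mx1 MailScanner[4001]: RBL Check timed out and was killed, consecutive failure 6 of 7
Mar 24 12:06:53 mx1 MailScanner[4001]: RBL Check timed out and was killed, consecutive failure 7 of 7
Mar 24 12:10:07 mx1 MailScanner[4001]: RBL Check timed out and was killed, consecutive failure 8 of 7
Mar 24 12:11:20 mx1 MailScanner[4001]: RBL Check timed out and was killed, consecutive failure 9 of 7
Mar 24 12:11:21 mx1 MailScanner[4001]: Spam Checks: Starting
Mar 28 10:01:55 mx1 MailScanner[4002]: RBL Check EXAMPLE-RBL timed out and was killed, consecutive failure 1 of 7
Mar 28 10:08:18 mx1 MailScanner[4002]: RBL Check timed out and was killed, consecutive failure 6 of 7
Mar 28 10:09:40 mx1 MailScanner[4002]: RBL Check timed out and was killed, consecutive failure 7 of 7
Mar 28 10:09:40 mx1 MailScanner[4002]: RBL Check temporarily disabled
Mar 28 10:10:45 mx1 MailScanner[4002]: RBL Check timed out and was killed
Mar 28 10:11:28 mx1 MailScanner[4002]: RBL Check timed out and was killed
"""

# The list name is optional: with an empty "Spam List" setting the message
# reads "RBL Check timed out ..." with nothing between "Check" and "timed".
EVENT = re.compile(
    r"MailScanner\[(?P<pid>\d+)\]: RBL Check\s*(?P<list>\S*?)\s*"
    r"(?P<event>timed out and was killed|temporarily disabled)"
    r"(?:, consecutive failure (?P<n>\d+) of (?P<max>\d+))?\s*$"
)


@dataclass
class RblStats:
    timeouts: int = 0                # every "timed out and was killed" line
    max_counter: int = 0             # highest "consecutive failure N" seen
    limit: int = 0                   # the "of M" value, 0 if never logged
    disabled: bool = False           # a "temporarily disabled" line was seen
    timeouts_after_disable: int = 0  # timeouts logged after that line


def audit(lines):
    """Aggregate RBL timeout events per (pid, list name)."""
    stats = defaultdict(RblStats)
    for line in lines:
        m = EVENT.search(line)
        if not m:
            continue
        s = stats[(m["pid"], m["list"])]
        if m["event"] == "temporarily disabled":
            s.disabled = True
            continue
        s.timeouts += 1
        if s.disabled:
            s.timeouts_after_disable += 1
        if m["n"] is not None:
            s.max_counter = max(s.max_counter, int(m["n"]))
            s.limit = int(m["max"])
    return dict(stats)


def findings(stats):
    """Return (pid, list, finding) tuples for the two patterns in the thread."""
    out = []
    for (pid, name), s in sorted(stats.items()):
        label = name or "(unnamed list)"
        if s.limit and s.max_counter > s.limit:
            # Counter ran past the limit: the list was never disabled.
            out.append((pid, label, "counter-overrun"))
        if s.timeouts_after_disable:
            # Marked disabled but lookups are still being started and killed.
            out.append((pid, label, "timeouts-after-disable"))
    return out


if __name__ == "__main__":
    for pid, label, what in findings(audit(SAMPLE_LOG.splitlines())):
        print(f"MailScanner[{pid}] {label}: {what}")
```
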
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:38 2006 Subject: Getting this in the maillog file "470 Attempted virus scan failed Please try again later" In-Reply-To: <47F3EDACE4BC3A4594D0D7B504062BBD019C6AE6@doamail04.doa.wis tate.us> Message-ID: <5.2.0.9.2.20030328161702.04365240@imap.ecs.soton.ac.uk> Well that message certainly didn't come from MailScanner! At 16:10 28/03/2003, you wrote: >MailScanner Version details on Sun Solaris 8 >__________________________________________________ >Mar 28 10:02:24 badger MailScanner[21575]: MailScanner E-Mail Virus Scanner >version 4.02-2 starting... >Mar 28 10:02:25 badger MailScanner[21575]: Enabling SpamAssassin >auto-whitelist functionality... >Mar 28 10:02:27 badger MailScanner[21575]: Using locktype = flock > > >LogFile Details >+++++++++++++++++++++++++++ > >1:18, mailer=esmtp, pri=943717, relay=smtp.mail.gr. [193.41.150.37], >dsn=4.0.0, stat=Deferred: 470 Attempted virus scan failed >. Please try again later >Mar 28 00:28:38 badger sendmail[17155]: [ID 801593 mail.info] h2S6SKB17155: >from=<>, size=1030, class=0, nrcpts=1, msgid=<1048 >83186401@mailserver.mail.gr>, proto=ESMTP, daemon=MTA-IPv4, >relay=[193.41.150.37] >Mar 28 00:35:34 badger sendmail[17139]: [ID 801593 mail.notice] >h2QK7hi22264: timeout waiting for input from smtp.mail.gr. dur >ing client QUIT >Mar 28 00:35:34 badger sendmail[17139]: [ID 801593 mail.info] h2QK7hi22264: >to=kg@randolph.k12.wi.us, delay=1+10:27:51, xdelay >=00:02:00, mailer=esmtp, pri=11720794, relay=mail.randolph.k12.wi.us., >dsn=4.0.0, stat=Deferred: Connection timed out with smt >p.mail.gr. >Mar 28 01:13:14 badger sendmail[17449]: [ID 801593 mail.info] h2RNx8A14297: >to=rotimiwest@mail.gr, delay=07:14:06, xdelay=00:0 >3:26, mailer=esmtp, pri=1033717, relay=smtp.mail.gr. [193.41.150.37], >dsn=4.0.0, stat=Deferred: 470 Attempted virus scan faile >d. 
Please try again later >Mar 28 01:22:43 badger sendmail[17449]: [ID 801593 mail.notice] >h2QK7hi22264: timeout waiting for input from smtp.mail.gr. dur >ing client QUIT >Mar 28 01:22:43 badger sendmail[17449]: [ID 801593 mail.info] h2QK7hi22264: >to=kg@randolph.k12.wi.us, delay=1+11:15:00, xdelay >=00:02:00, mailer=esmtp, pri=11810794, relay=mail.randolph.k12.wi.us., >dsn=4.0.0, stat=Deferred: Connection timed out with smt >p.mail.gr. >Mar 28 01:56:23 badger sendmail[17529]: [ID 801593 mail.info] h2RNx8A14297: >to=rotimiwest@mail.gr, delay=07:57:15, xdelay=00:0 >1:36, mailer=esmtp, pri=1123717, relay=smtp.mail.gr. [193.41.150.37], >dsn=4.0.0, stat=Deferred: 470 Attempted virus scan faile >d. Please try again later >Mar 28 02:05:53 badger sendmail[17529]: [ID 801593 mail.notice] >h2QK7hi22264: timeout waiting for input from smtp.mail.gr. dur >ing client QUIT >Mar 28 02:05:53 badger sendmail[17529]: [ID 801593 mail.info] h2QK7hi22264: >to=kg@randolph.k12.wi.us, delay=1+11:58:10, xdelay >=00:02:00, mailer=esmtp, pri=11900794, relay=mail.randolph.k12.wi.us., >dsn=4.0.0, stat=Deferred: Connection timed out with smt >p.mail.gr. >Mar 28 02:39:47 badger sendmail[17624]: [ID 801593 mail.info] h2RNx8A14297: >to=rotimiwest@mail.gr, delay=08:40:39, xdelay=00:0 >0:00, mailer=esmtp, pri=1213717, relay=smtp.mail.gr. [193.41.150.37], >dsn=4.0.0, stat=Deferred: Connection reset by smtp.mail. >gr. >Mar 28 03:28:35 badger sendmail[17794]: [ID 801593 mail.info] h2RNx8A14297: >to=rotimiwest@mail.gr, delay=09:29:27, xdelay=00:0 >3:48, mailer=esmtp, pri=1303717, relay=smtp.mail.gr. [193.41.150.37], >dsn=4.0.0, stat=Deferred: 470 Attempted virus scan faile >d. Please try again later >Mar 28 03:38:05 badger sendmail[17794]: [ID 801593 mail.notice] >h2QK7hi22264: timeout waiting for input from smtp.mail.gr. 
dur >ing client QUIT >Mar 28 03:38:05 badger sendmail[17794]: [ID 801593 mail.info] h2QK7hi22264: >to=kg@randolph.k12.wi.us, delay=1+13:30:22, xdelay >=00:02:00, mailer=esmtp, pri=12080794, relay=mail.randolph.k12.wi.us., >dsn=4.0.0, stat=Deferred: Connection timed out with smt >p.mail.gr. >Mar 28 04:14:57 badger sendmail[17976]: [ID 801593 mail.notice] >h2RNx8A14297: timeout waiting for input from smtp.mail.gr. dur >ing client greeting >Mar 28 04:14:57 badger sendmail[17976]: [ID 801593 mail.info] h2RNx8A14297: >to=rotimiwest@mail.gr, delay=10:15:49, xdelay=00:0 >5:10, mailer=esmtp, pri=1393717, relay=smtp.mail.gr. [193.41.150.37], >dsn=4.0.0, stat=Deferred: Connection reset by smtp.mail. >gr. >Mar 28 04:57:15 badger sendmail[18069]: [ID 801593 mail.info] h2RNx8A14297: >to=rotimiwest@mail.gr, delay=10:58:07, xdelay=00:0 >2:28, mailer=esmtp, pri=1483717, relay=smtp.mail.gr. [193.41.150.37], >dsn=4.0.0, stat=Deferred: 470 Attempted virus scan faile >d. Please try again later -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From sylvain.phaneuf at IMSU.OXFORD.AC.UK Fri Mar 28 16:25:35 2003 
From: sylvain.phaneuf at IMSU.OXFORD.AC.UK (Sylvain Phaneuf)
Date: Thu Jan 12 21:17:38 2006
Subject: mailstats 0.18
Message-ID:

Is anyone running mailstats 0.18 with mrtg 2.9.27? I have been trying for several hours and cannot get it to work. We are running the lot on RH 8.0.

I keep getting errors like:

----------------
/usr/local/mrtg-2/bin/rateup: No such file or directory
Rateup Error: Can't open mrtg/images/mesgs/mesgs-day.png for write
ERROR: Skipping webupdates because rateup did not return anything sensible
WARNING: rateup died from Signal 0 with Exit Value 1 when doing router 'mesgs'
Signal was 0, Returncode was 1
.....

Rateup is installed and in the correct location...

Any ideas?

Sylvain

===========================================================
Sylvain Phaneuf --- Computing Manager | phone : +44 (0)1865 221323
Information Management Services Unit (Clinical School)
Oxford University | email : sylvain.phaneuf@imsu.ox.ac.uk
Room 3A25B John Radcliffe Hospital | fax : +44 (0) 1865 221322
Oxford OX3 9DU England
===========================================================

From bruce at OTHEROTHER.COM Fri Mar 28 16:46:27 2003
From: bruce at OTHEROTHER.COM (Bruce Thompson)
Date: Thu Jan 12 21:17:38 2006
Subject: How to open a spam trap?
In-Reply-To:
Message-ID:

Hi,

I've been running MailScanner and SpamAssassin for about a month now and it's been a fantastic addition. There's still some spam slipping through, but the volume is way down.

Now it's time to start the attack back. Sort of. What I want to do is to create a spam trap address. This is a mail address that receives nothing legitimate. Any mail arriving at that address is guaranteed to be spam. I've hacked up a log scanner that looks for unknown addresses in my mail log with the intention of adding them as aliases for the spam trap.

For dealing with the spam, I'd like to automate things as much as possible. The first thought is to have a procmail script that automatically forwards incoming email to spamassassin's autolearn, forwards to razor, bayes, etc. etc. This script will be easier to write if I can turn off all MailScanner manipulations on incoming email on that account. This way I have the email in its pristine form to work with. The alternative is to have a script that processes the mail before handing it off to autolearn et al. On the one hand this would give me the chance to ignore email that is already correctly tagged, but it would also require me to strip off the MailScanner headers.

First off, what do folks recommend? Second, is there a way to tell MailScanner to simply pass through mail for a particular user?

Cheers,
Bruce.

From mailscanner at ecs.soton.ac.uk Fri Mar 28 17:27:48 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:38 2006
Subject: How to open a spam trap?
In-Reply-To:
References:
Message-ID: <5.2.0.9.2.20030328172659.0221dea8@imap.ecs.soton.ac.uk>

At 16:46 28/03/2003, you wrote:
>Hi,
> I've been running MailScanner and SpamAssassin for about a month
>now and it's been a fantastic addition. There's still some spam
>slipping through, but the volume is way down.
>
> Now it's time to start the attack back. Sort of. What I want to do
>is to create a spam trap address. This is a mail address that receives
>nothing legitimate. Any mail arriving at that address is guaranteed to
>be spam. I've hacked up a log scanner that looks for unknown addresses
>in my mail log with the intention of adding them as aliases for the
>spam trap.
>
> For dealing with the spam, I'd like to automate things as much as
>possible. The first thought is to have a procmail script that
>automatically forwards incoming email to spamassassin's autolearn,
>forwards to razor, bayes, etc. etc. This script will be easier to write
>if I can turn off all MailScanner manipulations on incoming email on
>that account. This way I have the email in its pristine form to work
>with. The alternative is to have a script that processes the mail
>before handing it off to autolearn et al. On the one hand this would
>give me the chance to ignore email that is already correctly tagged,
>but it would also require me to strip off the MailScanner headers.
>
> First off, what do folks recommend? Second, is there a way to tell
>MailScanner to simply pass through mail for a particular user?

The 2nd question is easy. Just use a ruleset for "Virus Scanning" and "Spam Checks" that produces the answer "no" for your spam-trap address, but produces "yes" by default.

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

From bruce at OTHEROTHER.COM Fri Mar 28 18:20:02 2003
From: bruce at OTHEROTHER.COM (Bruce Thompson)
Date: Thu Jan 12 21:17:38 2006
Subject: How to open a spam trap?
In-Reply-To: <5.2.0.9.2.20030328172659.0221dea8@imap.ecs.soton.ac.uk>
Message-ID:

On Friday, March 28, 2003, at 09:27 AM, Julian Field wrote:

> The 2nd question is easy. Just use a ruleset for "Virus Scanning" and
> "Spam
> Checks" that produces the answer "no" for your spam-trap address, but
> produces "yes" by default.
> --
> Julian Field
> www.MailScanner.info
> Professional Support Services at www.MailScanner.biz
> MailScanner thanks transtec Computers for their support
>
>

Ah ha! I knew there would be a way to do this. Thanks!

Cheers,
Bruce.

From Lou.Baccari at HP.COM Fri Mar 28 19:00:01 2003
From: Lou.Baccari at HP.COM (Baccari, Lou)
Date: Thu Jan 12 21:17:38 2006
Subject: spam mail not being tagged as spam
Message-ID:

Hello,

After enabling the 'SpamAssassin Report' I now have the following information. Can someone explain how SpamAssassin scores a 20 but MailScanner states 'not spam'??

Lou.

mail header info:
========================================================================================
Subject: {^} Teen Celebs - Totally Scandalous!
{^} 5523-4
Date: Fri, 28 Mar 2003 09:33:38 +0900
MIME-Version: 1.0
Content-Type: multipart/mixed;
 boundary="----=_NextPart_000_00E5_68C85A6A.D2272A27"
X-Priority: 3
X-Mailer: AOL 7.0 for Windows US sub 118
Importance: Normal
X-MailScanner: Found to be clean
X-MailScanner-SpamCheck: not spam (whitelisted), SpamAssassin (score=20,
 required 5, BASE64_ENC_TEXT, BIG_FONT, FORGED_YAHOO_RCVD, HTML_50_70,
 HTML_WITH_BGCOLOR, MIME_MISSING_BOUNDARY, NASTY_GIRLS, NO_REAL_NAME,
 PORN_4, RCVD_FAKE_HELO_DOTCOM, RCVD_IN_DSBL, SPAM_PHRASE_00_01,
 SUBJ_HAS_SPACES, SUBJ_HAS_UNIQ_ID, TRACKER_ID, USER_AGENT_AOL)
Return-Path: dommknotsvnub@yahoo.com
X-OriginalArrivalTime: 28 Mar 2003 18:29:20.0112 (UTC)
FILETIME=[F29CD700:01C2F557]

------=_NextPart_000_00E5_68C85A6A.D2272A27
Content-Type: text/html;
 charset="iso-8859-1"
Content-Transfer-Encoding: base6

From mailscanner at ecs.soton.ac.uk Fri Mar 28 19:10:51 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:38 2006
Subject: spam mail not being tagged as spam
In-Reply-To:
Message-ID: <5.2.0.9.2.20030328191027.0248a238@imap.ecs.soton.ac.uk>

Exactly as it says, it is in your MailScanner spam whitelist.

At 19:00 28/03/2003, you wrote:
>Hello,
>
> After enabling the 'SpamAssassin Report' I now have the following
> information. Can someone explain how SpamAssassin scores a 20 but
> MailScanner states 'not spam'??
>
>Lou.
>
>mail header info:
>========================================================================================
>Subject: {^} Teen Celebs - Totally Scandalous!
>{^} 5523-4
>Date: Fri, 28 Mar 2003 09:33:38 +0900
>MIME-Version: 1.0
>Content-Type: multipart/mixed;
> boundary="----=_NextPart_000_00E5_68C85A6A.D2272A27"
>X-Priority: 3
>X-Mailer: AOL 7.0 for Windows US sub 118
>Importance: Normal
>X-MailScanner: Found to be clean
>X-MailScanner-SpamCheck: not spam (whitelisted), SpamAssassin (score=20,
> required 5, BASE64_ENC_TEXT, BIG_FONT, FORGED_YAHOO_RCVD, HTML_50_70,
> HTML_WITH_BGCOLOR, MIME_MISSING_BOUNDARY, NASTY_GIRLS, NO_REAL_NAME,
> PORN_4, RCVD_FAKE_HELO_DOTCOM, RCVD_IN_DSBL, SPAM_PHRASE_00_01,
> SUBJ_HAS_SPACES, SUBJ_HAS_UNIQ_ID, TRACKER_ID, USER_AGENT_AOL)
>Return-Path: dommknotsvnub@yahoo.com
>X-OriginalArrivalTime: 28 Mar 2003 18:29:20.0112 (UTC)
>FILETIME=[F29CD700:01C2F557]
>
>------=_NextPart_000_00E5_68C85A6A.D2272A27
>Content-Type: text/html;
> charset="iso-8859-1"
>Content-Transfer-Encoding: base6

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

From Lou.Baccari at HP.COM Fri Mar 28 19:20:55 2003
From: Lou.Baccari at HP.COM (Baccari, Lou) Date: Thu Jan 12 21:17:38 2006 Subject: spam mail not being tagged as spam Message-ID: Julian, I felt that was the case but I checked /etc/MailScanner/rules/spam.whitelist.rules first and it does not have anything with yahoo.com, 'dommknotsvnub@yahoo.com', entered. Could I be looking at the wrong whitelist file? I just received the following spam with the same whitelist message and again I have nothing pointing to hotmail.com Lou. email header info: =================================================================================== MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="3E..8F1_.B19_.0CCA" X-MailScanner: Found to be clean X-MailScanner-SpamCheck: not spam (whitelisted), SpamAssassin (score=13.2, required 5, DATE_IN_FUTURE_03_06, FORGED_HOTMAIL_RCVD, HTML_FONT_COLOR_BLUE, HTML_FONT_COLOR_RED, HTML_FONT_COLOR_UNSAFE, HTML_FONT_COLOR_YELLOW, MAY_BE_FORGED, MIME_HTML_NO_CHARSET, MIME_LONG_LINE_QP, MISSING_MIMEOLE, RCVD_IN_DSBL, RCVD_IN_OSIRUSOFT_COM, SPAM_PHRASE_03_05, USER_AGENT_OE, X_OSIRU_SPAM_SRC) Return-Path: SelanoX16R@hotmail.com X-OriginalArrivalTime: 28 Mar 2003 18:51:00.0349 (UTC) FILETIME=[F99D42D0:01C2F55A] --3E..8F1_.B19_.0CCA Content-Type: text/html Content-Transfer-Encoding: quoted-printable --3E..8F1_.B19_.0CCA-- -----Original Message----- 
From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] Sent: Friday, March 28, 2003 2:11 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: spam mail not being tagged as spam Exactly as it says, it is in your MailScanner spam whitelist. At 19:00 28/03/2003, you wrote: >Hello, > > After enabling the 'SpamAssassin Report' I now have the following > information. Can someone explain how SpamAssassin scores a 20 but > MailScanner states 'not spam'?? > >Lou. > >mail header info: >======================================================================================== >Subject: {^} Teen Celebs - Totally Scandalous! >{^} 5523-4 >Date: Fri, 28 Mar 2003 09:33:38 +0900 >MIME-Version: 1.0 >Content-Type: multipart/mixed; > boundary="----=_NextPart_000_00E5_68C85A6A.D2272A27" >X-Priority: 3 >X-Mailer: AOL 7.0 for Windows US sub 118 >Importance: Normal >X-MailScanner: Found to be clean >X-MailScanner-SpamCheck: not spam (whitelisted), SpamAssassin (score=20, > required 5, BASE64_ENC_TEXT, BIG_FONT, FORGED_YAHOO_RCVD, HTML_50_70, > HTML_WITH_BGCOLOR, MIME_MISSING_BOUNDARY, NASTY_GIRLS, NO_REAL_NAME, > PORN_4, RCVD_FAKE_HELO_DOTCOM, RCVD_IN_DSBL, SPAM_PHRASE_00_01, > SUBJ_HAS_SPACES, SUBJ_HAS_UNIQ_ID, TRACKER_ID, USER_AGENT_AOL) >Return-Path: dommknotsvnub@yahoo.com >X-OriginalArrivalTime: 28 Mar 2003 18:29:20.0112 (UTC) >FILETIME=[F29CD700:01C2F557] > >------=_NextPart_000_00E5_68C85A6A.D2272A27 >Content-Type: text/html; > charset="iso-8859-1" >Content-Transfer-Encoding: base6 -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Fri Mar 28 19:25:17 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:38 2006 Subject: spam mail not being tagged as spam In-Reply-To: Message-ID: <5.2.0.9.2.20030328192418.02663aa0@imap.ecs.soton.ac.uk> Remember that MailScanner uses the envelope addresses in your maillog, and not whatever happens to be in the headers. At 19:20 28/03/2003, you wrote: >Julian, > > I felt that was the case but I checked > /etc/MailScanner/rules/spam.whitelist.rules first and it does not have > anything with yahoo.com, 'dommknotsvnub@yahoo.com', entered. Could I be > looking at the wrong whitelist file? > > I just received the following spam with the same whitelist message and > again I have nothing pointing to hotmail.com > >Lou. > > >email header info: >=================================================================================== >MIME-Version: 1.0 >Content-Type: multipart/alternative; > boundary="3E..8F1_.B19_.0CCA" >X-MailScanner: Found to be clean >X-MailScanner-SpamCheck: not spam (whitelisted), SpamAssassin (score=13.2, > required 5, DATE_IN_FUTURE_03_06, FORGED_HOTMAIL_RCVD, > HTML_FONT_COLOR_BLUE, HTML_FONT_COLOR_RED, HTML_FONT_COLOR_UNSAFE, > HTML_FONT_COLOR_YELLOW, MAY_BE_FORGED, MIME_HTML_NO_CHARSET, > MIME_LONG_LINE_QP, MISSING_MIMEOLE, RCVD_IN_DSBL, > RCVD_IN_OSIRUSOFT_COM, SPAM_PHRASE_03_05, USER_AGENT_OE, > X_OSIRU_SPAM_SRC) >Return-Path: SelanoX16R@hotmail.com >X-OriginalArrivalTime: 28 Mar 2003 18:51:00.0349 (UTC) >FILETIME=[F99D42D0:01C2F55A] > >--3E..8F1_.B19_.0CCA >Content-Type: text/html >Content-Transfer-Encoding: quoted-printable > > >--3E..8F1_.B19_.0CCA-- > >-----Original Message----- 
>From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] >Sent: Friday, March 28, 2003 2:11 PM >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Re: spam mail not being tagged as spam > > >Exactly as it says, it is in your MailScanner spam whitelist. > >At 19:00 28/03/2003, you wrote: > >Hello, > > > > After enabling the 'SpamAssassin Report' I now have the following > > information. Can someone explain how SpamAssassin scores a 20 but > > MailScanner states 'not spam'?? > > > >Lou. > > > >mail header info: > >========================================================================= > =============== > >Subject: {^} Teen Celebs - Totally Scandalous! > >{^} 5523-4 > >Date: Fri, 28 Mar 2003 09:33:38 +0900 > >MIME-Version: 1.0 > >Content-Type: multipart/mixed; > > boundary="----=_NextPart_000_00E5_68C85A6A.D2272A27" > >X-Priority: 3 > >X-Mailer: AOL 7.0 for Windows US sub 118 > >Importance: Normal > >X-MailScanner: Found to be clean > >X-MailScanner-SpamCheck: not spam (whitelisted), SpamAssassin (score=20, > > required 5, BASE64_ENC_TEXT, BIG_FONT, FORGED_YAHOO_RCVD, > HTML_50_70, > > HTML_WITH_BGCOLOR, MIME_MISSING_BOUNDARY, NASTY_GIRLS, > NO_REAL_NAME, > > PORN_4, RCVD_FAKE_HELO_DOTCOM, RCVD_IN_DSBL, SPAM_PHRASE_00_01, > > SUBJ_HAS_SPACES, SUBJ_HAS_UNIQ_ID, TRACKER_ID, USER_AGENT_AOL) > >Return-Path: dommknotsvnub@yahoo.com > >X-OriginalArrivalTime: 28 Mar 2003 18:29:20.0112 (UTC) > >FILETIME=[F29CD700:01C2F557] > > > >------=_NextPart_000_00E5_68C85A6A.D2272A27 > >Content-Type: text/html; > > charset="iso-8859-1" > >Content-Transfer-Encoding: base6 > >-- >Julian Field >www.MailScanner.info >Professional Support Services at www.MailScanner.biz >MailScanner thanks transtec Computers for their support -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support From Lou.Baccari at HP.COM Fri Mar 28 19:36:10 2003 
From: Lou.Baccari at HP.COM (Baccari, Lou) Date: Thu Jan 12 21:17:38 2006 Subject: spam mail not being tagged as spam Message-ID: Julian, Can you please enlighten me. Here is text from my maillog file. Lou. Mar 28 13:29:17 crl-mail sendmail[5103]: h2SISo18005103: from=, size=3135, class=0, nrcpts=5, msgid=<000810 a1ac07$aec62805$20222223@saxpqrv.quk>, proto=SMTP, daemon=MTA, relay=dsl-200-67-152-155.prodigy.net.mx [200.67.152.155] Mar 28 13:29:18 crl-mail MailScanner[32600]: New Batch: Scanning 1 messages, 3804 bytes Mar 28 13:29:18 crl-mail MailScanner[32600]: Spam Checks: Starting Mar 28 13:29:19 crl-mail sendmail[5133]: h2SIT818005124: to=, delay=00:00:11, xdelay=00:00:06, mailer=esmtp, pr i=121423, relay=alum.mit.edu. [18.7.21.81], dsn=2.0.0, stat=Sent (h2SITIpL002127 Message accepted for delivery) Mar 28 13:29:19 crl-mail MailScanner[32600]: Virus and Content Scanning: Starting Mar 28 13:29:19 crl-mail MailScanner[32600]: Uninfected: Delivered 1 messages Mar 28 13:29:19 crl-mail sendmail[5141]: h2SISo18005103: h2SITJK3005141: clone: owner=owner-gbtc@quabbin.crl.dec.com Mar 28 13:29:20 crl-mail sendmail[5141]: h2SISo18005103: to=Simon.Kasif@compaq.com,jamey.hicks@compaq.com ,CRLProblems@compaq.com, d elay=00:00:23, xdelay=00:00:01, mailer=esmtp, pri=240507, relay=tayexg12.americas.cpqcorp.net. [16.103.130.103], dsn=2.0.0, stat=Sen t ( <000810a1ac07$aec62805$20222223@saxpqrv.quk> Queued mail for delivery) Mar 28 13:29:25 crl-mail sendmail[5141]: h2SISo18005103: to=herlihy@quabbin.crl.dec.com, delay=00:00:28, xdelay=00:00:05, mailer=esm tp, pri=240507, relay=quabbin.crl.dec.com. [16.11.0.45], dsn=2.0.0, stat=Sent (h2SITPf500106 Message accepted for delivery) -----Original Message----- 
From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] Sent: Friday, March 28, 2003 2:25 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: spam mail not being tagged as spam Remember that MailScanner uses the envelope addresses in your maillog, and not whatever happens to be in the headers. At 19:20 28/03/2003, you wrote: >Julian, > > I felt that was the case but I checked > /etc/MailScanner/rules/spam.whitelist.rules first and it does not have > anything with yahoo.com, 'dommknotsvnub@yahoo.com', entered. Could I be > looking at the wrong whitelist file? > > I just received the following spam with the same whitelist message and > again I have nothing pointing to hotmail.com > >Lou. > > >email header info: >=================================================================================== >MIME-Version: 1.0 >Content-Type: multipart/alternative; > boundary="3E..8F1_.B19_.0CCA" >X-MailScanner: Found to be clean >X-MailScanner-SpamCheck: not spam (whitelisted), SpamAssassin (score=13.2, > required 5, DATE_IN_FUTURE_03_06, FORGED_HOTMAIL_RCVD, > HTML_FONT_COLOR_BLUE, HTML_FONT_COLOR_RED, HTML_FONT_COLOR_UNSAFE, > HTML_FONT_COLOR_YELLOW, MAY_BE_FORGED, MIME_HTML_NO_CHARSET, > MIME_LONG_LINE_QP, MISSING_MIMEOLE, RCVD_IN_DSBL, > RCVD_IN_OSIRUSOFT_COM, SPAM_PHRASE_03_05, USER_AGENT_OE, > X_OSIRU_SPAM_SRC) >Return-Path: SelanoX16R@hotmail.com >X-OriginalArrivalTime: 28 Mar 2003 18:51:00.0349 (UTC) >FILETIME=[F99D42D0:01C2F55A] > >--3E..8F1_.B19_.0CCA >Content-Type: text/html >Content-Transfer-Encoding: quoted-printable > > >--3E..8F1_.B19_.0CCA-- > >-----Original Message----- 
>From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] >Sent: Friday, March 28, 2003 2:11 PM >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Re: spam mail not being tagged as spam > > >Exactly as it says, it is in your MailScanner spam whitelist. > >At 19:00 28/03/2003, you wrote: > >Hello, > > > > After enabling the 'SpamAssassin Report' I now have the following > > information. Can someone explain how SpamAssassin scores a 20 but > > MailScanner states 'not spam'?? > > > >Lou. > > > >mail header info: > >========================================================================= > =============== > >Subject: {^} Teen Celebs - Totally Scandalous! > >{^} 5523-4 > >Date: Fri, 28 Mar 2003 09:33:38 +0900 > >MIME-Version: 1.0 > >Content-Type: multipart/mixed; > > boundary="----=_NextPart_000_00E5_68C85A6A.D2272A27" > >X-Priority: 3 > >X-Mailer: AOL 7.0 for Windows US sub 118 > >Importance: Normal > >X-MailScanner: Found to be clean > >X-MailScanner-SpamCheck: not spam (whitelisted), SpamAssassin (score=20, > > required 5, BASE64_ENC_TEXT, BIG_FONT, FORGED_YAHOO_RCVD, > HTML_50_70, > > HTML_WITH_BGCOLOR, MIME_MISSING_BOUNDARY, NASTY_GIRLS, > NO_REAL_NAME, > > PORN_4, RCVD_FAKE_HELO_DOTCOM, RCVD_IN_DSBL, SPAM_PHRASE_00_01, > > SUBJ_HAS_SPACES, SUBJ_HAS_UNIQ_ID, TRACKER_ID, USER_AGENT_AOL) > >Return-Path: dommknotsvnub@yahoo.com > >X-OriginalArrivalTime: 28 Mar 2003 18:29:20.0112 (UTC) > >FILETIME=[F29CD700:01C2F557] > > > >------=_NextPart_000_00E5_68C85A6A.D2272A27 > >Content-Type: text/html; > > charset="iso-8859-1" > >Content-Transfer-Encoding: base6 > >-- >Julian Field >www.MailScanner.info >Professional Support Services at www.MailScanner.biz >MailScanner thanks transtec Computers for their support -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support From mailscanner at BARENDSE.TO Fri Mar 28 19:37:25 2003 
From: mailscanner at BARENDSE.TO (Remco Barendse)
Date: Thu Jan 12 21:17:38 2006
Subject: How to open a spam trap?
In-Reply-To:
Message-ID:

I wouldn't start adding all the servers from which mail originates to a broken address to the spam lists.

That one important customer who mistakenly forgot a dot or something else in one of the e-mail addresses within your organization might be 'not amused' to find his server added to all blacklists :)

On Fri, 28 Mar 2003, Bruce Thompson wrote:

> Hi,
> I've been running MailScanner and SpamAssassin for about a month
> now and it's been a fantastic addition. There's still some spam
> slipping through, but the volume is way down.
>
> Now it's time to start the attack back. Sort of. What I want to do
> is to create a spam trap address. This is a mail address that receives
> nothing legitimate. Any mail arriving at that address is guaranteed to
> be spam. I've hacked up a log scanner that looks for unknown addresses
> in my mail log with the intention of adding them as aliases for the
> spam trap.
>
> For dealing with the spam, I'd like to automate things as much as
> possible. The first thought is to have a procmail script that
> automatically forwards incoming email to spamassassin's autolearn,
> forwards to razor, bayes, etc. etc. This script will be easier to write
> if I can turn off all MailScanner manipulations on incoming email on
> that account. This way I have the email in its pristine form to work
> with. The alternative is to have a script that processes the mail
> before handing it off to autolearn et al. On the one hand this would
> give me the chance to ignore email that is already correctly tagged,
> but it would also require me to strip off the MailScanner headers.
>
> First off, what do folks recommend? Second, is there a way to tell
> MailScanner to simply pass through mail for a particular user?
>
> Cheers,
> Bruce.
>

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

From mailscanner at ecs.soton.ac.uk Fri Mar 28 19:49:18 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:38 2006 Subject: spam mail not being tagged as spam In-Reply-To: Message-ID: <5.2.0.9.2.20030328194814.027e0f68@imap.ecs.soton.ac.uk> At 19:36 28/03/2003, you wrote: >Julian, > > Can you please enlighten me. Here is text from my maillog file. The from address in your log file matches with what you are whitelisting. Strange. Anyone experiencing similar problems? Have I broken the code? >Lou. > >Mar 28 13:29:17 crl-mail sendmail[5103]: h2SISo18005103: >from=, size=3135, class=0, nrcpts=5, msgid=<000810 >a1ac07$aec62805$20222223@saxpqrv.quk>, proto=SMTP, daemon=MTA, >relay=dsl-200-67-152-155.prodigy.net.mx [200.67.152.155] >Mar 28 13:29:18 crl-mail MailScanner[32600]: New Batch: Scanning 1 >messages, 3804 bytes >Mar 28 13:29:18 crl-mail MailScanner[32600]: Spam Checks: Starting >Mar 28 13:29:19 crl-mail sendmail[5133]: h2SIT818005124: >to=, delay=00:00:11, xdelay=00:00:06, mailer=esmtp, pr >i=121423, relay=alum.mit.edu. [18.7.21.81], dsn=2.0.0, stat=Sent >(h2SITIpL002127 Message accepted for delivery) >Mar 28 13:29:19 crl-mail MailScanner[32600]: Virus and Content Scanning: >Starting >Mar 28 13:29:19 crl-mail MailScanner[32600]: Uninfected: Delivered 1 messages >Mar 28 13:29:19 crl-mail sendmail[5141]: h2SISo18005103: h2SITJK3005141: >clone: owner=owner-gbtc@quabbin.crl.dec.com >Mar 28 13:29:20 crl-mail sendmail[5141]: h2SISo18005103: >to=Simon.Kasif@compaq.com,jamey.hicks@compaq.com ,CRLProblems@compaq.com, d >elay=00:00:23, xdelay=00:00:01, mailer=esmtp, pri=240507, >relay=tayexg12.americas.cpqcorp.net. [16.103.130.103], dsn=2.0.0, stat=Sen >t ( <000810a1ac07$aec62805$20222223@saxpqrv.quk> Queued mail for delivery) >Mar 28 13:29:25 crl-mail sendmail[5141]: h2SISo18005103: >to=herlihy@quabbin.crl.dec.com, delay=00:00:28, xdelay=00:00:05, mailer=esm >tp, pri=240507, relay=quabbin.crl.dec.com. 
[16.11.0.45], dsn=2.0.0, >stat=Sent (h2SITPf500106 Message accepted for delivery) > > >-----Original Message----- >From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] >Sent: Friday, March 28, 2003 2:25 PM >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Re: spam mail not being tagged as spam > > >Remember that MailScanner uses the envelope addresses in your maillog, and >not whatever happens to be in the headers. > >At 19:20 28/03/2003, you wrote: > >Julian, > > > > I felt that was the case but I checked > > /etc/MailScanner/rules/spam.whitelist.rules first and it does not have > > anything with yahoo.com, 'dommknotsvnub@yahoo.com', entered. Could I be > > looking at the wrong whitelist file? > > > > I just received the following spam with the same whitelist message and > > again I have nothing pointing to hotmail.com > > > >Lou. > > > > > >email header info: > >========================================================================= > ========== > >MIME-Version: 1.0 > >Content-Type: multipart/alternative; > > boundary="3E..8F1_.B19_.0CCA" > >X-MailScanner: Found to be clean > >X-MailScanner-SpamCheck: not spam (whitelisted), SpamAssassin (score=13.2, > > required 5, DATE_IN_FUTURE_03_06, FORGED_HOTMAIL_RCVD, > > HTML_FONT_COLOR_BLUE, HTML_FONT_COLOR_RED, HTML_FONT_COLOR_UNSAFE, > > HTML_FONT_COLOR_YELLOW, MAY_BE_FORGED, MIME_HTML_NO_CHARSET, > > MIME_LONG_LINE_QP, MISSING_MIMEOLE, RCVD_IN_DSBL, > > RCVD_IN_OSIRUSOFT_COM, SPAM_PHRASE_03_05, USER_AGENT_OE, > > X_OSIRU_SPAM_SRC) > >Return-Path: SelanoX16R@hotmail.com > >X-OriginalArrivalTime: 28 Mar 2003 18:51:00.0349 (UTC) > >FILETIME=[F99D42D0:01C2F55A] > > > >--3E..8F1_.B19_.0CCA > >Content-Type: text/html > >Content-Transfer-Encoding: quoted-printable > > > > > >--3E..8F1_.B19_.0CCA-- > > > >-----Original Message----- 
> >From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] > >Sent: Friday, March 28, 2003 2:11 PM > >To: MAILSCANNER@JISCMAIL.AC.UK > >Subject: Re: spam mail not being tagged as spam > > > > > >Exactly as it says, it is in your MailScanner spam whitelist. > > > >At 19:00 28/03/2003, you wrote: > > >Hello, > > > > > > After enabling the 'SpamAssassin Report' I now have the following > > > information. Can someone explain how SpamAssassin scores a 20 but > > > MailScanner states 'not spam'?? > > > > > >Lou. > > > > > >mail header info: > > >========================================================================= > > =============== > > >Subject: {^} Teen Celebs - Totally Scandalous! > > >{^} 5523-4 > > >Date: Fri, 28 Mar 2003 09:33:38 +0900 > > >MIME-Version: 1.0 > > >Content-Type: multipart/mixed; > > > boundary="----=_NextPart_000_00E5_68C85A6A.D2272A27" > > >X-Priority: 3 > > >X-Mailer: AOL 7.0 for Windows US sub 118 > > >Importance: Normal > > >X-MailScanner: Found to be clean > > >X-MailScanner-SpamCheck: not spam (whitelisted), SpamAssassin (score=20, > > > required 5, BASE64_ENC_TEXT, BIG_FONT, FORGED_YAHOO_RCVD, > > HTML_50_70, > > > HTML_WITH_BGCOLOR, MIME_MISSING_BOUNDARY, NASTY_GIRLS, > > NO_REAL_NAME, > > > PORN_4, RCVD_FAKE_HELO_DOTCOM, RCVD_IN_DSBL, SPAM_PHRASE_00_01, > > > SUBJ_HAS_SPACES, SUBJ_HAS_UNIQ_ID, TRACKER_ID, USER_AGENT_AOL) > > >Return-Path: dommknotsvnub@yahoo.com > > >X-OriginalArrivalTime: 28 Mar 2003 18:29:20.0112 (UTC) > > >FILETIME=[F29CD700:01C2F557] > > > > > >------=_NextPart_000_00E5_68C85A6A.D2272A27 > > >Content-Type: text/html; > > > charset="iso-8859-1" > > >Content-Transfer-Encoding: base6 > > > >-- > >Julian Field > >www.MailScanner.info > >Professional Support Services at www.MailScanner.biz > >MailScanner thanks transtec Computers for their support > >-- >Julian Field >www.MailScanner.info >Professional Support Services at www.MailScanner.biz >MailScanner thanks transtec Computers for their support -- Julian Field 
www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support From Lou.Baccari at HP.COM Fri Mar 28 19:59:34 2003 From: Lou.Baccari at HP.COM (Baccari, Lou) Date: Thu Jan 12 21:17:38 2006 Subject: spam mail not being tagged as spam Message-ID: Julian, I have another example I received today. Again this address is not in my whitelist file. Lou email header: ======================================================== 67.speedyterra.com.br with ESMTP id 82037737; Sat, 29 Mar 2003 00:43:45 -0700 Message-ID: <6rj-mwm$q-v4o$n$4ax83@6lxs0i> 
From: "Jon Jones" To: , , , Subject: MEN: 14 Doctors develop REAL Male-Enhancement Date: Sat, 29 Mar 03 00:43:45 GMT X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.00.2615.200 MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="3E..8F1_.B19_.0CCA" X-MailScanner: Found to be clean X-MailScanner-SpamCheck: not spam (whitelisted), SpamAssassin (score=13.2, required 5, DATE_IN_FUTURE_03_06, FORGED_HOTMAIL_RCVD, HTML_FONT_COLOR_BLUE, HTML_FONT_COLOR_RED, HTML_FONT_COLOR_UNSAFE, HTML_FONT_COLOR_YELLOW, MAY_BE_FORGED, MIME_HTML_NO_CHARSET, MIME_LONG_LINE_QP, MISSING_MIMEOLE, RCVD_IN_DSBL, RCVD_IN_OSIRUSOFT_COM, SPAM_PHRASE_03_05, USER_AGENT_OE, X_OSIRU_SPAM_SRC) Return-Path: SelanoX16R@hotmail.com X-OriginalArrivalTime: 28 Mar 2003 18:51:00.0349 (UTC) FILETIME=[F99D42D0:01C2F55A] --3E..8F1_.B19_.0CCA Content-Type: text/html Content-Transfer-Encoding: quoted-printable --3E..8F1_.B19_.0CCA-- maillog file: ======================================================== Mar 28 13:50:54 crl-ns1 sendmail[14751]: h2SIobTq014751: from=, size=3999, class=0, nrcpts=4, msgid=<6rj-mwm $q-v4o$n$4ax83@6lxs0i>, proto=SMTP, daemon=MTA, relay=200-168-158-67.speedyterra.com.br [200.168.158.67] (may be forged) Mar 28 13:50:54 crl-ns1 MailScanner[12902]: New Batch: Scanning 1 messages, 4701 bytes Mar 28 13:50:58 crl-ns1 MailScanner[12902]: Virus and Content Scanning: Starting Mar 28 13:50:59 crl-ns1 MailScanner[12902]: Uninfected: Delivered 1 messages Mar 28 13:51:00 crl-ns1 sendmail[14759]: h2SIobTq014751: to=Scott.Blackwell@compaq.com,Neil.Reynolds@compaq.com,jamey.hicks@compaq.c om ,Lou.Baccari@compaq.com, delay=00:00:15, xdelay=00:00:01, mailer=esmtp, pri=210576, relay=cacexg11.americas.cpqcorp.net. [16.105. 250.94], dsn=2.0.0, stat=Sent ( <6rj-mwm$q-v4o$n$4ax83@6lxs0i> Queued mail for delivery) From bruce at OTHEROTHER.COM Fri Mar 28 19:32:35 2003 
From: bruce at OTHEROTHER.COM (Bruce Thompson) Date: Thu Jan 12 21:17:38 2006 Subject: spam mail not being tagged as spam In-Reply-To: Message-ID: <072067CD-6154-11D7-9DB2-0030654CB3AC@otherother.com> See below: On Friday, March 28, 2003, at 11:00 AM, Baccari, Lou wrote: > Hello, > > After enabling the 'SpamAssassin Report' I now have the following > information. Can someone explain how SpamAssassin scores a 20 but > MailScanner states 'not spam'?? > > Lou. > > mail header info: > ======================================================================= > ================= > Subject: {^} Teen Celebs - Totally Scandalous! {^} > 5523-4 > Date: Fri, 28 Mar 2003 09:33:38 +0900 > MIME-Version: 1.0 > Content-Type: multipart/mixed; > boundary="----=_NextPart_000_00E5_68C85A6A.D2272A27" > X-Priority: 3 > X-Mailer: AOL 7.0 for Windows US sub 118 > Importance: Normal > X-MailScanner: Found to be clean > X-MailScanner-SpamCheck: not spam (whitelisted), SpamAssassin > (score=20, This line contains the key. The mail was not marked as spam because it was whitelisted. Now the question becomes why was it whitelisted? I would recommend looking at either your MailScanner whitelist config, or SpamAssassin's whitelisting... Cheers, Bruce. From chicks at CHICKS.NET Fri Mar 28 20:45:22 2003 From: chicks at CHICKS.NET (Christopher Hicks) Date: Thu Jan 12 21:17:38 2006 Subject: people putting {s p a m ?} in subject of list messages Message-ID: People putting {spam?} in the subject of list messages makes differentiating between valid mailing list messages and possible spam harder. Is there any way to get the mailing list to turn {spam?} into {s p a m ?} or something similar? Please, please. -- The death of democracy is not likely to be an assassination from ambush. It will be a slow extinction from apathy, indifference, and undernourishment. -Robert Maynard Hutchins, educator (1899-1977) From james at PCXPERIENCE.COM Fri Mar 28 21:11:10 2003 
From: james at PCXPERIENCE.COM (James A. Pattie) Date: Thu Jan 12 21:17:38 2006 Subject: F-Secure parsing change? Message-ID: <3E84BA6E.5010307@pcxperience.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 I've gotten a report from a DansGuardian Anti-Virus user that F-Secure was acting up. His output from running f-secure-wrapper is: /usr/lib/DGVirus/f-secure-wrapper /var/www/html/dansguardian/quarantine/20030326/Barbara/http\:/www.eicar.org/ download/eicar.com.txt/fileKSqUM5 F-Secure Anti-Virus for i386-linux Release 4.14 build 4062 Frisk Software International F-PROT engine version 3.10 build 701 sign.def version 2003-03-26 sign2.def version 2002-12-17 fsmacro.def version 2003-03-25 /var/www/html/dansguardian/quarantine/20030326/Barbara/http:/www.eicar.org/d ownload/eicar.com.txt/fileKSqUM5 infection: EICAR_Test_File 1 files scanned 1 infections found [root@mail.intern.fischer.or.at dansguardian]# Upon investigation it appears that F-Secure is no longer outputting []'s around the filename from looking at the 4.13-3 sources. I went to F-Secure's website and could not determine what the latest version is they are using, so I don't know if 4.14 is old or the latest. Just giving a heads up. :) - -- James A. Pattie james@pcxperience.com Linux -- SysAdmin / Programmer Xperience, Inc. http://www.pcxperience.com/ http://www.xperienceinc.com/ GPG Key Available at http://www.pcxperience.com/gpgkeys/james.html -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQE+hLputUXjwPIRLVERAkiDAKCEbCz1wmL2N+2OOtNK86ItfylaFgCgvXV5 zgB5miHcJU7vvek+crO4X+I= =f6Z3 -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From lance at WARE.NET Sat Mar 29 02:19:36 2003 
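Added example (not from the post above, and not MailScanner or DansGuardian code): a parser that expects the bracketed filename reports the 4.14 output quoted in James Pattie's message as clean, while cross-checking the parsed findings against the "N infections found" summary turns that format drift into an error. The bracketed line layout, the clean-scan output and the sample paths are constructed assumptions; only the unbracketed "infection:" line and the summary line follow the output quoted in the post.

```python
import re

# Strict pattern: filename wrapped in [] (assumed layout of the older output,
# based only on the post's remark that the brackets used to be there).
BRACKETED = re.compile(r"^\[(?P<path>.+)\]\s+infection:\s+(?P<name>\S+)\s*$")

# Tolerant pattern: brackets optional, so the 4.14 line from the post also matches.
TOLERANT = re.compile(r"^\[?(?P<path>.+?)\]?\s+infection:\s+(?P<name>\S+)\s*$")

# Summary line as it appears in the post: "1 infections found".
SUMMARY = re.compile(r"^(?P<count>\d+) infections? found\s*$")

# Constructed sample outputs (paths are placeholders, not from the post).
NEW_OUTPUT = """
F-Secure Anti-Virus for i386-linux Release 4.14 build 4062
/tmp/quarantine/sample/fileAAAA infection: EICAR_Test_File
1 files scanned
1 infections found
"""

OLD_OUTPUT = """
[/tmp/quarantine/sample/fileAAAA] infection: EICAR_Test_File
1 files scanned
1 infections found
"""

CLEAN_OUTPUT = """
1 files scanned
0 infections found
"""


def parse_report(output, pattern):
    """Return (findings, reported): findings is a list of (path, virus) tuples
    matched by `pattern`; reported is the count from the summary line or None."""
    findings, reported = [], None
    for raw in output.splitlines():
        line = raw.strip()
        hit = pattern.match(line)
        if hit:
            findings.append((hit.group("path"), hit.group("name")))
            continue
        summary = SUMMARY.match(line)
        if summary:
            reported = int(summary.group("count"))
    return findings, reported


def verdict(output, pattern, cross_check=True):
    """Return 'infected', 'clean' or 'error'.

    With cross_check, a missing summary or a summary count that differs from
    the number of parsed findings yields 'error', so the caller can fail
    closed (quarantine, alert) instead of delivering the file as clean.
    """
    findings, reported = parse_report(output, pattern)
    if cross_check and reported != len(findings):
        return "error"
    return "infected" if findings else "clean"


if __name__ == "__main__":
    # Strict parser without the cross-check: the infection goes unnoticed.
    print("strict, no check :", verdict(NEW_OUTPUT, BRACKETED, cross_check=False))
    # Same parser with the cross-check: format drift is surfaced.
    print("strict, checked  :", verdict(NEW_OUTPUT, BRACKETED))
    # Tolerant parser handles both layouts.
    print("tolerant, new    :", verdict(NEW_OUTPUT, TOLERANT))
    print("tolerant, old    :", verdict(OLD_OUTPUT, TOLERANT))
```
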
From: lance at WARE.NET (Lance Ware) Date: Thu Jan 12 21:17:38 2006 Subject: mailstats 0.18 Message-ID: <9F214F8D10934845A3664A21425C79FC67461B@dhcp5.ware.net> I keep getting the same but haven't had the time to track down. Any tips are appreciated. > -----Original Message----- > From: Sylvain Phaneuf [mailto:sylvain.phaneuf@IMSU.OXFORD.AC.UK] > Sent: Friday, March 28, 2003 8:26 AM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: mailstats 0.18 > > > Is anyone running mailstats 0.18 with mrtg 2.9.27 ? > > I have been trying for several hours and cannot get it to > work. We are running the lot on RH 8.0 > > I keep getting errors like: > ---------------- > /usr/local/mrtg-2/bin/rateup: No such file or directory > Rateup Error: Can't open mrtg/images/mesgs/mesgs-day.png for write > ERROR: Skipping webupdates because rateup did not return > anything sensible > WARNING: rateup died from Signal 0 > with Exit Value 1 when doing router 'mesgs' > Signal was 0, Returncode was 1 > ..... > > Rateup is installed and in the correct location... Any ideas? > > > > > Sylvain > > =========================================================== > Sylvain Phaneuf --- Computing Manager | phone : +44 (0)1865 221323 > Information Management Services Unit (Clinical School) > Oxford University | email : > sylvain.phaneuf@imsu.ox.ac.uk > Room 3A25B John Radcliffe Hospital | fax : +44 (0) 1865 221322 > Oxford OX3 9DU England > =========================================================== > From raymond at PROLOCATION.NET Sat Mar 29 08:37:59 2003 
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:17:38 2006 Subject: F-Prot In-Reply-To: <9F214F8D10934845A3664A21425C79FC67461B@dhcp5.ware.net> Message-ID: Hi! The new version is publicly available also now it seems: Got linux/fp-linux-sb.deb.md5 50 0 Got linux/fp-linux-sb.rpm.md5 50 1 Got linux/fp-linux-sb.tar.gz.md5 53 0 Got linux/fp-linux-sb_3.13-0_i386.deb.md5 62 1 Got linux/MD5SUMS 377 0 Got linux/fp-linux-sb-3.13-0.i386.rpm.md5 62 1 Got linux/fp-linux-sb-3.13.tar.gz.md5 58 0 Got linux/fp-linux-sb-3.13-0.i386.rpm 2011445 7 Got linux/fp-linux-sb-3.13.tar.gz 2020370 6 Got linux/fp-linux-sb_3.13-0_i386.deb 2010248 6 Julian, any timepath for the new release, to avoid confusion it would be nice to have the fixed f-prot scripts available :) Bye, Raymond. From mailscanner at ecs.soton.ac.uk Sat Mar 29 09:59:44 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:38 2006 Subject: F-Prot 3.13 support In-Reply-To: References: <9F214F8D10934845A3664A21425C79FC67461B@dhcp5.ware.net> Message-ID: <5.2.0.9.2.20030329095347.023a1660@imap.ecs.soton.ac.uk> Here is the patch to SweepViruses.pm to support the new version of F-Prot. On Linux systems, for example, you should be able to apply it with this (assumes you saved the patch file in /tmp) cd /usr/lib/MailScanner/MailScanner patch < /tmp/SweepViruses.pm.patch At 08:37 29/03/2003, you wrote: >Hi! > >The new version is publicly available also now it seems: > >Got linux/fp-linux-sb.deb.md5 50 0 >Got linux/fp-linux-sb.rpm.md5 50 1 >Got linux/fp-linux-sb.tar.gz.md5 53 0 >Got linux/fp-linux-sb_3.13-0_i386.deb.md5 62 1 >Got linux/MD5SUMS 377 0 >Got linux/fp-linux-sb-3.13-0.i386.rpm.md5 62 1 >Got linux/fp-linux-sb-3.13.tar.gz.md5 58 0 >Got linux/fp-linux-sb-3.13-0.i386.rpm 2011445 7 >Got linux/fp-linux-sb-3.13.tar.gz 2020370 6 >Got linux/fp-linux-sb_3.13-0_i386.deb 2010248 6 > >Julian, any timepath for the new release, to avoid confusion it would be >nice to have the fixed f-prot scripts available :) -------------- next part -------------- A non-text attachment was scrubbed... Name: SweepViruses.pm.patch Type: application/octet-stream Size: 711 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030329/f7f44b01/SweepViruses.pm.obj -------------- next part -------------- -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support From Lou.Baccari at HP.COM Sat Mar 29 10:13:26 2003 
From: Lou.Baccari at HP.COM (Baccari, Lou) Date: Thu Jan 12 21:17:38 2006 Subject: spam mail not being tagged as spam Message-ID: Julian, I'm sorry if I caused you any headaches, but I just realized that one of the 4 recipients of this message is using IMAPAssassin and requested that all his mail be whitelisted. So I'm assuming MailScanner is whitelisting this message for all recipients, is this correct? If so is there a work around for this? I'm using 'To: recipients_name' in the whitelist file. Lou. -----Original Message----- 
From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] Sent: Friday, March 28, 2003 2:49 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: spam mail not being tagged as spam At 19:36 28/03/2003, you wrote: >Julian, > > Can you please enlighten me. Here is text from my maillog file. The from address in your log file matches with what you are whitelisting. Strange. Anyone experiencing similar problems? Have I broken the code? >Lou. > >Mar 28 13:29:17 crl-mail sendmail[5103]: h2SISo18005103: >from=, size=3135, class=0, nrcpts=5, msgid=<000810 >a1ac07$aec62805$20222223@saxpqrv.quk>, proto=SMTP, daemon=MTA, >relay=dsl-200-67-152-155.prodigy.net.mx [200.67.152.155] >Mar 28 13:29:18 crl-mail MailScanner[32600]: New Batch: Scanning 1 >messages, 3804 bytes >Mar 28 13:29:18 crl-mail MailScanner[32600]: Spam Checks: Starting >Mar 28 13:29:19 crl-mail sendmail[5133]: h2SIT818005124: >to=, delay=00:00:11, xdelay=00:00:06, mailer=esmtp, pr >i=121423, relay=alum.mit.edu. [18.7.21.81], dsn=2.0.0, stat=Sent >(h2SITIpL002127 Message accepted for delivery) >Mar 28 13:29:19 crl-mail MailScanner[32600]: Virus and Content Scanning: >Starting >Mar 28 13:29:19 crl-mail MailScanner[32600]: Uninfected: Delivered 1 messages >Mar 28 13:29:19 crl-mail sendmail[5141]: h2SISo18005103: h2SITJK3005141: >clone: owner=owner-gbtc@quabbin.crl.dec.com >Mar 28 13:29:20 crl-mail sendmail[5141]: h2SISo18005103: >to=Simon.Kasif@compaq.com,jamey.hicks@compaq.com ,CRLProblems@compaq.com, d >elay=00:00:23, xdelay=00:00:01, mailer=esmtp, pri=240507, >relay=tayexg12.americas.cpqcorp.net. [16.103.130.103], dsn=2.0.0, stat=Sen >t ( <000810a1ac07$aec62805$20222223@saxpqrv.quk> Queued mail for delivery) >Mar 28 13:29:25 crl-mail sendmail[5141]: h2SISo18005103: >to=herlihy@quabbin.crl.dec.com, delay=00:00:28, xdelay=00:00:05, mailer=esm >tp, pri=240507, relay=quabbin.crl.dec.com. [16.11.0.45], dsn=2.0.0, >stat=Sent (h2SITPf500106 Message accepted for delivery) > > >-----Original Message----- 
>From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] >Sent: Friday, March 28, 2003 2:25 PM >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Re: spam mail not being tagged as spam > > >Remember that MailScanner uses the envelope addresses in your maillog, and >not whatever happens to be in the headers. > >At 19:20 28/03/2003, you wrote: > >Julian, > > > > I felt that was the case but I checked > > /etc/MailScanner/rules/spam.whitelist.rules first and it does not have > > anything with yahoo.com, 'dommknotsvnub@yahoo.com', entered. Could I be > > looking at the wrong whitelist file? > > > > I just received the following spam with the same whitelist message and > > again I have nothing pointing to hotmail.com > > > >Lou. > > > > > >email header info: > >========================================================================= > ========== > >MIME-Version: 1.0 > >Content-Type: multipart/alternative; > > boundary="3E..8F1_.B19_.0CCA" > >X-MailScanner: Found to be clean > >X-MailScanner-SpamCheck: not spam (whitelisted), SpamAssassin (score=13.2, > > required 5, DATE_IN_FUTURE_03_06, FORGED_HOTMAIL_RCVD, > > HTML_FONT_COLOR_BLUE, HTML_FONT_COLOR_RED, HTML_FONT_COLOR_UNSAFE, > > HTML_FONT_COLOR_YELLOW, MAY_BE_FORGED, MIME_HTML_NO_CHARSET, > > MIME_LONG_LINE_QP, MISSING_MIMEOLE, RCVD_IN_DSBL, > > RCVD_IN_OSIRUSOFT_COM, SPAM_PHRASE_03_05, USER_AGENT_OE, > > X_OSIRU_SPAM_SRC) > >Return-Path: SelanoX16R@hotmail.com > >X-OriginalArrivalTime: 28 Mar 2003 18:51:00.0349 (UTC) > >FILETIME=[F99D42D0:01C2F55A] > > > >--3E..8F1_.B19_.0CCA > >Content-Type: text/html > >Content-Transfer-Encoding: quoted-printable > > > > > >--3E..8F1_.B19_.0CCA-- > > > >-----Original Message----- 
> >From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] > >Sent: Friday, March 28, 2003 2:11 PM > >To: MAILSCANNER@JISCMAIL.AC.UK > >Subject: Re: spam mail not being tagged as spam > > > > > >Exactly as it says, it is in your MailScanner spam whitelist. > > > >At 19:00 28/03/2003, you wrote: > > >Hello, > > > > > > After enabling the 'SpamAssassin Report' I now have the following > > > information. Can someone explain how SpamAssassin scores a 20 but > > > MailScanner states 'not spam'?? > > > > > >Lou. > > > > > >mail header info: > > >========================================================================= > > =============== > > >Subject: {^} Teen Celebs - Totally Scandalous! > > >{^} 5523-4 > > >Date: Fri, 28 Mar 2003 09:33:38 +0900 > > >MIME-Version: 1.0 > > >Content-Type: multipart/mixed; > > > boundary="----=_NextPart_000_00E5_68C85A6A.D2272A27" > > >X-Priority: 3 > > >X-Mailer: AOL 7.0 for Windows US sub 118 > > >Importance: Normal > > >X-MailScanner: Found to be clean > > >X-MailScanner-SpamCheck: not spam (whitelisted), SpamAssassin (score=20, > > > required 5, BASE64_ENC_TEXT, BIG_FONT, FORGED_YAHOO_RCVD, > > HTML_50_70, > > > HTML_WITH_BGCOLOR, MIME_MISSING_BOUNDARY, NASTY_GIRLS, > > NO_REAL_NAME, > > > PORN_4, RCVD_FAKE_HELO_DOTCOM, RCVD_IN_DSBL, SPAM_PHRASE_00_01, > > > SUBJ_HAS_SPACES, SUBJ_HAS_UNIQ_ID, TRACKER_ID, USER_AGENT_AOL) > > >Return-Path: dommknotsvnub@yahoo.com > > >X-OriginalArrivalTime: 28 Mar 2003 18:29:20.0112 (UTC) > > >FILETIME=[F29CD700:01C2F557] > > > > > >------=_NextPart_000_00E5_68C85A6A.D2272A27 > > >Content-Type: text/html; > > > charset="iso-8859-1" > > >Content-Transfer-Encoding: base6 > > > >-- > >Julian Field > >www.MailScanner.info > >Professional Support Services at www.MailScanner.biz > >MailScanner thanks transtec Computers for their support > >-- >Julian Field >www.MailScanner.info >Professional Support Services at www.MailScanner.biz >MailScanner thanks transtec Computers for their support -- Julian Field 
www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support From evertjan at VANRAMSELAAR.NL Sat Mar 29 10:23:35 2003 From: evertjan at VANRAMSELAAR.NL (Evert Jan van Ramselaar) Date: Thu Jan 12 21:17:38 2006 Subject: F-Prot 3.13 support In-Reply-To: <5.2.0.9.2.20030329095347.023a1660@imap.ecs.soton.ac.uk> References: <9F214F8D10934845A3664A21425C79FC67461B@dhcp5.ware.net> <5.2.0.9.2.20030329095347.023a1660@imap.ecs.soton.ac.uk> Message-ID: <3E857427.5000002@vanramselaar.nl> Julian Field wrote: > Here is the patch to SweepViruses.pm to support the new version of F-Prot. > > On Linux systems, for example, you should be able to apply it with this > (assumes you saved the patch file in /tmp) > cd /usr/lib/MailScanner/MailScanner > patch < /tmp/SweepViruses.pm.patch Seems to work fine (after I realized I had to reload MailScanner). Thanks for the superb service! -- Evert Jan van Ramselaar Van Ramselaar Info Tech From raymond at PROLOCATION.NET Sat Mar 29 11:10:01 2003 
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:17:38 2006 Subject: F-Prot 3.13 support In-Reply-To: <5.2.0.9.2.20030329095347.023a1660@imap.ecs.soton.ac.uk> Message-ID: Hi Julian, > Here is the patch to SweepViruses.pm to support the new version of F-Prot. > > On Linux systems, for example, you should be able to apply it with this > (assumes you saved the patch file in /tmp) > cd /usr/lib/MailScanner/MailScanner > patch < /tmp/SweepViruses.pm.patch Looking good so far: Mar 29 12:06:55 master MailScanner[27854]: New Batch: Scanning 1 messages, 332806 bytes Mar 29 12:06:56 master MailScanner[27854]: Virus and Content Scanning: Starting Mar 29 12:06:56 master MailScanner[27854]: /var/spool/MailScanner/incoming/27854/h2TB6sr28220/scanner.zip->MSO-Patch-0071.exe Infection: W32/Lirva.D@mm Mar 29 12:06:56 master MailScanner[27854]: Virus Scanning: F-Prot found virus W32/Lirva.D@mm Mar 29 12:06:56 master MailScanner[27854]: /var/spool/MailScanner/incoming/27854/h2TB6sr28220/scanner.zip->name.exe Infection: W32/Klez.H@mm Mar 29 12:06:56 master MailScanner[27854]: Virus Scanning: F-Prot found virus W32/Klez.H@mm Mar 29 12:06:56 master MailScanner[27854]: /var/spool/MailScanner/incoming/27854/h2TB6sr28220/scanner.zip->setup.exe Infection: W32/Klez.H@mm Mar 29 12:06:56 master MailScanner[27854]: Virus Scanning: F-Prot found virus W32/Klez.H@mm Mar 29 12:06:56 master MailScanner[27854]: /var/spool/MailScanner/incoming/27854/h2TB6sr28220/scanner.zip->SQL_4_Free.scr Infection: W32/Lentin.H@mm Mar 29 12:06:56 master MailScanner[27854]: Virus Scanning: F-Prot found virus W32/Lentin.H@mm Mar 29 12:06:56 master MailScanner[27854]: /var/spool/MailScanner/incoming/27854/h2TB6sr28220/scanner.zip->width.pif Infection: W32/Klez.H@mm Mar 29 12:06:56 master MailScanner[27854]: Virus Scanning: F-Prot found virus W32/Klez.H@mm Mar 29 12:06:56 master MailScanner[27854]: /var/spool/MailScanner/incoming/27854/h2TB6sr28220/scanner.zip->you.exe Infection: W32/Klez.H@mm 
Mar 29 12:06:56 master MailScanner[27854]: Virus Scanning: F-Prot found virus W32/Klez.H@mm Mar 29 12:06:56 master MailScanner[27854]: Virus Scanning: f-prot found 6 infections Mar 29 12:06:57 master MailScanner[27854]: Virus Scanning: Found 6 viruses Mar 29 12:06:57 master MailScanner[27854]: Saved infected "scanner.zip" to /var/spool/MailScanner/quarantine/20030329/h2TB6sr28220 Thanks again for the speedy fix. I'll leave it running on one of my production machines. And if running OK I'll also upgrade the others. Cheers! Raymond. From mailscanner at ecs.soton.ac.uk Sat Mar 29 11:42:47 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:38 2006 Subject: Sophos, SAVI, etc. In-Reply-To: Message-ID: <5.2.0.9.2.20030329113840.022c5e80@imap.ecs.soton.ac.uk> The module is not exactly easy to install, but it can be done. I will produce some detailed instructions on how to do this, as I don't think many of you will manage it without some help. I have got it all working so that MailScanner can now use it. I haven't written the macro-virus disinfection code, but that's very minor these days as 99% of the viruses you see can't be disinfected anyway (you end up having to just remove the attachment). I will aim to publish a beta release supporting it later today. This will hopefully solve all the "startup speed" problems with Sophos, as this only gets done once when MailScanner starts. At 13:15 28/03/2003, you wrote: >Hello all (or possibly mainly Julian)... > >Any thoughts on the SAVI::Perl module? > >http://www.cpan.org/authors/id/P/PH/PHENSON/SAVI-Perl-0.05.readme >(newer version doesn't appear to be on CPAN, and I can't >reach search.cpan.org at the moment): >http://www.csupomona.edu/~henson/www/projects/SAVI-Perl/dist/ > >I just thought it might be a (tiny) bit faster, if available, than calling >'sweep', as I presume MS does at the moment on a batch of messages? > >And also considering MS respawning itself on a regular basis, the virus >signatures would also be renewed without intervention (as opposed to say >daemonized things like Sophie of which I know you don't approve)... > > > > > >---------------------------------------------------------------------------------------------------> >Peter Bates, Systems Support Officer, Network Support Team. >London School of Hygiene & Tropical Medicine. 
>Telephone:0207-958 8353 / Fax: 0207- 636 9838 -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Sat Mar 29 11:50:54 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:38 2006 Subject: spam mail not being tagged as spam In-Reply-To: Message-ID: <5.2.0.9.2.20030329114922.0271cce0@imap.ecs.soton.ac.uk> MailScanner applies the same results to all recipients of a message, it doesn't start duplicating messages. So if one recipient has whitelisted the message, the whitelisted message will be delivered to all the recipients. Spam addressed to multiple recipients is pretty rare these days, so I don't consider it to be a major problem. At 10:13 29/03/2003, you wrote: > I'm sorry if I caused you any headaches, but I just realized that one of > the 4 recipients of this message is using IMAPAssassin and requested that > all his mail be whitelisted. So I'm assuming MailScanner is whitelisting > this message for all recipients, is this correct? If so is there a work > around for this? I'm using 'To: recipients_name' in the whitelist file. > >Lou. > >-----Original Message----- 
>From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] >Sent: Friday, March 28, 2003 2:49 PM >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Re: spam mail not being tagged as spam > > >At 19:36 28/03/2003, you wrote: > >Julian, > > > > Can you please enlighten me. Here is text from my maillog file. > >The from address in your log file matches with what you are whitelisting. >Strange. >Anyone experiencing similar problems? Have I broken the code? > > > >Lou. > > > >Mar 28 13:29:17 crl-mail sendmail[5103]: h2SISo18005103: > >from=, size=3135, class=0, nrcpts=5, msgid=<000810 > >a1ac07$aec62805$20222223@saxpqrv.quk>, proto=SMTP, daemon=MTA, > >relay=dsl-200-67-152-155.prodigy.net.mx [200.67.152.155] > >Mar 28 13:29:18 crl-mail MailScanner[32600]: New Batch: Scanning 1 > >messages, 3804 bytes > >Mar 28 13:29:18 crl-mail MailScanner[32600]: Spam Checks: Starting > >Mar 28 13:29:19 crl-mail sendmail[5133]: h2SIT818005124: > >to=, delay=00:00:11, xdelay=00:00:06, mailer=esmtp, pr > >i=121423, relay=alum.mit.edu. [18.7.21.81], dsn=2.0.0, stat=Sent > >(h2SITIpL002127 Message accepted for delivery) > >Mar 28 13:29:19 crl-mail MailScanner[32600]: Virus and Content Scanning: > >Starting > >Mar 28 13:29:19 crl-mail MailScanner[32600]: Uninfected: Delivered 1 > messages > >Mar 28 13:29:19 crl-mail sendmail[5141]: h2SISo18005103: h2SITJK3005141: > >clone: owner=owner-gbtc@quabbin.crl.dec.com > >Mar 28 13:29:20 crl-mail sendmail[5141]: h2SISo18005103: > >to=Simon.Kasif@compaq.com,jamey.hicks@compaq.com ,CRLProblems@compaq.com, d > >elay=00:00:23, xdelay=00:00:01, mailer=esmtp, pri=240507, > >relay=tayexg12.americas.cpqcorp.net. [16.103.130.103], dsn=2.0.0, stat=Sen > >t ( <000810a1ac07$aec62805$20222223@saxpqrv.quk> Queued mail for delivery) > >Mar 28 13:29:25 crl-mail sendmail[5141]: h2SISo18005103: > >to=herlihy@quabbin.crl.dec.com, delay=00:00:28, xdelay=00:00:05, mailer=esm > >tp, pri=240507, relay=quabbin.crl.dec.com. 
[16.11.0.45], dsn=2.0.0, > >stat=Sent (h2SITPf500106 Message accepted for delivery) > > > > > >-----Original Message----- > >From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] > >Sent: Friday, March 28, 2003 2:25 PM > >To: MAILSCANNER@JISCMAIL.AC.UK > >Subject: Re: spam mail not being tagged as spam > > > > > >Remember that MailScanner uses the envelope addresses in your maillog, and > >not whatever happens to be in the headers. > > > >At 19:20 28/03/2003, you wrote: > > >Julian, > > > > > > I felt that was the case but I checked > > > /etc/MailScanner/rules/spam.whitelist.rules first and it does not have > > > anything with yahoo.com, 'dommknotsvnub@yahoo.com', entered. Could I be > > > looking at the wrong whitelist file? > > > > > > I just received the following spam with the same whitelist message and > > > again I have nothing pointing to hotmail.com > > > > > >Lou. > > > > > > > > >email header info: > > >========================================================================= > > ========== > > >MIME-Version: 1.0 > > >Content-Type: multipart/alternative; > > > boundary="3E..8F1_.B19_.0CCA" > > >X-MailScanner: Found to be clean > > >X-MailScanner-SpamCheck: not spam (whitelisted), SpamAssassin (score=13.2, > > > required 5, DATE_IN_FUTURE_03_06, FORGED_HOTMAIL_RCVD, > > > HTML_FONT_COLOR_BLUE, HTML_FONT_COLOR_RED, > HTML_FONT_COLOR_UNSAFE, > > > HTML_FONT_COLOR_YELLOW, MAY_BE_FORGED, MIME_HTML_NO_CHARSET, > > > MIME_LONG_LINE_QP, MISSING_MIMEOLE, RCVD_IN_DSBL, > > > RCVD_IN_OSIRUSOFT_COM, SPAM_PHRASE_03_05, USER_AGENT_OE, > > > X_OSIRU_SPAM_SRC) > > >Return-Path: SelanoX16R@hotmail.com > > >X-OriginalArrivalTime: 28 Mar 2003 18:51:00.0349 (UTC) > > >FILETIME=[F99D42D0:01C2F55A] > > > > > >--3E..8F1_.B19_.0CCA > > >Content-Type: text/html > > >Content-Transfer-Encoding: quoted-printable > > > > > > > > >--3E..8F1_.B19_.0CCA-- > > > > > >-----Original Message----- 
> > >From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] > > >Sent: Friday, March 28, 2003 2:11 PM > > >To: MAILSCANNER@JISCMAIL.AC.UK > > >Subject: Re: spam mail not being tagged as spam > > > > > > > > >Exactly as it says, it is in your MailScanner spam whitelist. > > > > > >At 19:00 28/03/2003, you wrote: > > > >Hello, > > > > > > > > After enabling the 'SpamAssassin Report' I now have the following > > > > information. Can someone explain how SpamAssassin scores a 20 but > > > > MailScanner states 'not spam'?? > > > > > > > >Lou. > > > > > > > >mail header info: > > > >===================================================================== > ==== > > > =============== > > > >Subject: {^} Teen Celebs - Totally Scandalous! > > > >{^} 5523-4 > > > >Date: Fri, 28 Mar 2003 09:33:38 +0900 > > > >MIME-Version: 1.0 > > > >Content-Type: multipart/mixed; > > > > boundary="----=_NextPart_000_00E5_68C85A6A.D2272A27" > > > >X-Priority: 3 > > > >X-Mailer: AOL 7.0 for Windows US sub 118 > > > >Importance: Normal > > > >X-MailScanner: Found to be clean > > > >X-MailScanner-SpamCheck: not spam (whitelisted), SpamAssassin (score=20, > > > > required 5, BASE64_ENC_TEXT, BIG_FONT, FORGED_YAHOO_RCVD, > > > HTML_50_70, > > > > HTML_WITH_BGCOLOR, MIME_MISSING_BOUNDARY, NASTY_GIRLS, > > > NO_REAL_NAME, > > > > PORN_4, RCVD_FAKE_HELO_DOTCOM, RCVD_IN_DSBL, SPAM_PHRASE_00_01, > > > > SUBJ_HAS_SPACES, SUBJ_HAS_UNIQ_ID, TRACKER_ID, USER_AGENT_AOL) > > > >Return-Path: dommknotsvnub@yahoo.com > > > >X-OriginalArrivalTime: 28 Mar 2003 18:29:20.0112 (UTC) > > > >FILETIME=[F29CD700:01C2F557] > > > > > > > >------=_NextPart_000_00E5_68C85A6A.D2272A27 > > > >Content-Type: text/html; > > > > charset="iso-8859-1" > > > >Content-Transfer-Encoding: base6 > > > > > >-- > > >Julian Field > > >www.MailScanner.info > > >Professional Support Services at www.MailScanner.biz > > >MailScanner thanks transtec Computers for their support > > > >-- > >Julian Field > >www.MailScanner.info > >Professional 
Support Services at www.MailScanner.biz > >MailScanner thanks transtec Computers for their support > >-- >Julian Field >www.MailScanner.info >Professional Support Services at www.MailScanner.biz >MailScanner thanks transtec Computers for their support -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support From patricksteiner at BLUEWIN.CH Sat Mar 29 13:00:38 2003 From: patricksteiner at BLUEWIN.CH (Patrick Steiner) Date: Thu Jan 12 21:17:38 2006 Subject: Mailscanner dosen't make any DNS Test Message-ID: <3E8598F6.3000309@bluewin.ch> Hi Im running Mailscanner 4.13-3 with sa 2.52 but i have seem does the mailscanner not make any dns test. have anybody a idea why. Need i any special perl packages? or what i can do to activate this feature. Thanks From patricksteiner at BLUEWIN.CH Sat Mar 29 14:12:03 2003 From: patricksteiner at BLUEWIN.CH (Patrick Steiner) Date: Thu Jan 12 21:17:38 2006 Subject: Does Mailscanner support DCC and Pyzor ?? Message-ID: <3E85A9B3.2080508@bluewin.ch> Does Mailscanner support DCC ( http://www.rhyolite.com/anti-spam/ ) and pyzor ( http://pyzor.sourceforge.net/ ) when i install dccproc and the i start spamassissin with option -D then it prints the follow: debug: DCC is available: /usr/local/bin/dccproc debug: entering helper-app run mode debug: DCC: got response: X-DCC-wanadoo-be-Metrics: onuris 1016; Body=many Fuz1=many Fuz2=many debug: leaving helper-app run mode debug: DCC: Listed! BODY: 999999 of 999999 FUZ1: 999999 of 999999 FUZ2: 999999 of 999999 but when i start sa bye the mailscanner then i can see spamassasin makes no dcc spam checks. From patricksteiner at BLUEWIN.CH Sat Mar 29 14:17:58 2003 
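For the "spam mail not being tagged as spam" thread above, where messages carried `not spam (whitelisted)` although SpamAssassin scored them 20 and 13.2: an added example, not code from any poster or from MailScanner, that scans stored messages for that combination so the whitelist entry responsible can be tracked down. The sample messages and all function names are constructed; Return-Path is used only as a hint, since the thread states that MailScanner matches on the envelope addresses recorded in the maillog.

```python
import re
from collections import Counter
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages modelled on the headers quoted in the thread.
SAMPLES = [
    # 1. Whitelisted although SpamAssassin scored it well above "required".
    "Return-Path: <bulk@example.com>\n"
    "X-MailScanner: Found to be clean\n"
    "X-MailScanner-SpamCheck: not spam (whitelisted), SpamAssassin (score=20,\n"
    "        required 5, BASE64_ENC_TEXT, FORGED_YAHOO_RCVD, RCVD_IN_DSBL)\n"
    "\n"
    "body\n",
    # 2. Not whitelisted, below threshold, header name in a different case.
    "Return-Path: <list@example.org>\n"
    "X-Mailscanner-Spamcheck: not spam, SpamAssassin (score=1.4, required\n"
    "  4, AWL, PGP_SIGNATURE)\n"
    "\n"
    "body\n",
    # 3. Whitelisted and low-scoring: the whitelist is doing its job.
    "Return-Path: <partner@example.net>\n"
    "X-MailScanner-SpamCheck: not spam (whitelisted), SpamAssassin (score=0.3,\n"
    "        required 5, HTML_50_70)\n"
    "\n"
    "body\n",
    # 4. A second override from the same sender domain as sample 1.
    "Return-Path: <promo@example.com>\n"
    "X-MailScanner-SpamCheck: not spam (whitelisted), SpamAssassin (score=13.2,\n"
    "        required 5, DATE_IN_FUTURE_03_06, MAY_BE_FORGED)\n"
    "\n"
    "body\n",
]


def _num(text):
    """Convert a score field to float, or None if it is malformed."""
    try:
        return float(text)
    except (TypeError, ValueError):
        return None


def parse_spamcheck(value):
    """Parse one X-MailScanner-SpamCheck value into a dict, or None."""
    if not value:
        return None
    flat = " ".join(value.split())  # undo header folding
    verdict = flat.split(",", 1)[0].strip().lower()
    result = {
        "verdict": verdict,
        "whitelisted": "(whitelisted)" in verdict,
        "score": None,
        "required": None,
        "rules": [],
    }
    sa = re.search(r"SpamAssassin\s*\((.*)\)", flat)
    if sa:
        for tok in (t.strip() for t in sa.group(1).split(",")):
            if tok.startswith("score="):
                result["score"] = _num(tok[len("score="):])
            elif tok.startswith("required"):
                parts = tok.split()
                result["required"] = _num(parts[1]) if len(parts) > 1 else None
            elif tok:
                result["rules"].append(tok)
    return result


def audit(raw_messages):
    """Return a finding for every message the whitelist let through
    although SpamAssassin scored it at or above the required threshold."""
    findings = []
    for raw in raw_messages:
        msg = message_from_string(raw)
        # Header lookup is case-insensitive, so both spellings seen in the
        # thread (X-MailScanner-SpamCheck / X-Mailscanner-Spamcheck) match.
        info = parse_spamcheck(msg.get("X-MailScanner-SpamCheck"))
        if not info or not info["whitelisted"]:
            continue
        if info["score"] is None or info["required"] is None:
            continue
        if info["score"] >= info["required"]:
            # Hint only: confirm against the from=/to= entries in the maillog.
            sender = parseaddr(msg.get("Return-Path", ""))[1]
            findings.append({
                "sender": sender,
                "domain": sender.rpartition("@")[2].lower(),
                "score": info["score"],
                "required": info["required"],
                "rules": info["rules"],
            })
    return findings


def override_domains(findings):
    """Count overrides per sender domain to spot an over-broad whitelist rule."""
    return dict(Counter(f["domain"] for f in findings))


if __name__ == "__main__":
    hits = audit(SAMPLES)
    for f in hits:
        print("%-20s score=%-5s required=%-4s rules=%d"
              % (f["sender"], f["score"], f["required"], len(f["rules"])))
    print(override_domains(hits))
```

A domain that appears repeatedly in the result is the first pattern to look for in the whitelist rules file, including any wildcard or default entry that would match it.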
From: patricksteiner at BLUEWIN.CH (Patrick Steiner)
Date: Thu Jan 12 21:17:38 2006
Subject: Does Mailscanner support DCC and Pyzor ??
In-Reply-To: <3E85A9B3.2080508@bluewin.ch>
References: <3E85A9B3.2080508@bluewin.ch>
Message-ID: <3E85AB16.4020308@bluewin.ch>

Sorry, I have found the options to activate DCC. But what is a good spam score for the DCC check?

Patrick Steiner wrote:

> Does Mailscanner support DCC ( http://www.rhyolite.com/anti-spam/ )
> and pyzor ( http://pyzor.sourceforge.net/ )
>
> when I install dccproc and then start spamassassin with option -D then
> it prints the following:
>
> debug: DCC is available: /usr/local/bin/dccproc
> debug: entering helper-app run mode
> debug: DCC: got response: X-DCC-wanadoo-be-Metrics: onuris 1016;
> Body=many Fuz1=many Fuz2=many
> debug: leaving helper-app run mode
> debug: DCC: Listed! BODY: 999999 of 999999 FUZ1: 999999 of 999999 FUZ2:
> 999999 of 999999
>
>
> but when I start SA by MailScanner then I can see SpamAssassin makes
> no DCC spam checks.
>
>

From mailscanner at ecs.soton.ac.uk Sat Mar 29 14:30:18 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:38 2006
Subject: Mailscanner dosen't make any DNS Test
In-Reply-To: <3E8598F6.3000309@bluewin.ch>
Message-ID: <5.2.0.9.2.20030329142924.02587de8@imap.ecs.soton.ac.uk>

At 13:00 29/03/2003, you wrote:
>Hi
>
>Im running Mailscanner 4.13-3 with sa 2.52 but i have seem does the
>mailscanner not make any dns test.
>have anybody a idea why. Need i any special perl packages? or what i can
>do to activate this feature.

If you mean you want it to check the DNS blacklists, then this is set in the "Spam Lists" configuration option in MailScanner.conf.

If you mean you actually want SpamAssassin to do dns tests for you, you must install the "Net::DNS" Perl module and then SpamAssassin will start using it.
--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

From Peter.Bates at LSHTM.AC.UK Sat Mar 29 16:08:47 2003
From: Peter.Bates at LSHTM.AC.UK (Peter Bates)
Date: Thu Jan 12 21:17:38 2006
Subject: Sophos, SAVI, etc.
Message-ID:

Hello all...

--------------------------------------------------------------------------------------------------->
Peter Bates, Systems Support Officer, Network Support Team.
London School of Hygiene & Tropical Medicine.
Telephone:0207-958 8353 / Fax: 0207- 636 9838

>>> mailscanner@ECS.SOTON.AC.UK 03/29/03 11:44 AM >>>
>The module is not exactly easy to install, but it can
>be done. I will produce some detailed instructions on
>how to do this, as I don't think many of you will
>manage it without some help.

Mmm... possibly as a migrating amavis user, I had all the relevant stuff in the right place to build Sophie and/or SAVI::Perl over time... other than having to specify the location of libsavi, I don't recall any problems? Do you mean the modifications you have to make because of Sophos slightly changing some of the SAVI stuff with the release of 3.67?

>I will aim to publish a beta release supporting it
>later today.

I'll look forward to having a butchers at that, then... I already have a box with SAVI::Perl on (to see if it installed), and MS, so should be able to test fairly quickly.

From mailscanner at ecs.soton.ac.uk Sat Mar 29 16:17:43 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:38 2006 Subject: Sophos, SAVI, etc. In-Reply-To: Message-ID: <5.2.0.9.2.20030329161730.021d1870@imap.ecs.soton.ac.uk> At 16:08 29/03/2003, you wrote: >Hello all... > >---------------------------------------------------------------------------------------------------> >Peter Bates, Systems Support Officer, Network Support Team. >London School of Hygiene & Tropical Medicine. >Telephone:0207-958 8353 / Fax: 0207- 636 9838 > >>> mailscanner@ECS.SOTON.AC.UK 03/29/03 11:44 AM >>> > >The module is not exactly easy to install, but it can >be done. I will > produce some detailed instructions on >how to do this, as I don't think > many of you will >manage it without some help. > >Mmm... possibly as a migrating amavis user, I had all the relevant stuff >in the right place to build Sophie and/or SAVI::Perl over time... other >than having to specify the location of libsavi, I don't recall any >problems? Do you mean the modifications you have to make because of Sophos >slightly changing some of the SAVI stuff with the relase of 3.67? > > >I will aim to publish a beta release supporting it >later today. > >I'll look forward to having a butchers at that, then... I already have a >box with SAVI::Perl on (to see if it installed), and MS, so should be able >to test fairly quickly. And as if by magic... -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support From sc2 at GMX.AT Sat Mar 29 16:18:42 2003 
From: sc2 at GMX.AT (Richard Anony) Date: Thu Jan 12 21:17:38 2006 Subject: perl Message-ID: <004d01c2f60e$e0928930$e492633e@anonymous> > hello > i use the perl version 5.8.0 > when i try to install mailscanner he means i must install > perl 5.00 or higher ==>> > but perl is installed. When i install it with > --nodeps then it doesnt works...(mail incoming) > > i cant see any errors in the logs only that the scanner trys to start every > time like > > MailScanner starts > Mailscanner starts ... > etc etc > in the log > > any idea? or idea how i can turn on debug mode...maybe on screen > thanks > > cya -bernhard ------------------------------ Technische/Server Administration - Support www.strikenet.at - www.gameservers.cc ------------------------------ *******************Internet Email Confidentiality Footer******************* Privileged/Confidential Information may be contained in this message. If you are not the addressee indicated in this message (or responsible for delivery of the message to such person), you may not copy or deliver this message to anyone. In such case, you should destroy this message and kindly notify the sender by reply email. Please advise immediately if you or your employer does not consent to Internet email for messages of this kind. Opinions, conclusions and other information in this message that do not relate to the official business of my firm shall be understood as neither given nor endorsed by it. From mailscanner at ecs.soton.ac.uk Sat Mar 29 16:37:04 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:38 2006
Subject: New beta release (F-Prot and Sophos/SAVI)
Message-ID: <5.2.0.9.2.20030329161805.022f6ea8@imap.ecs.soton.ac.uk>

I have just put up 4.14-8 on the web site.

Important changes are:

1. Support for F-Prot 3.13 with its slightly different output format.

2. Support for the Perl SAVI module which uses Sophos Anti-Virus without any of the problems we have recently been having with "sweep" or "sophos-wrapper" taking ages to start. Step-by-step Installation instructions for the perl module are in the "Installation Guides" part of the docs.

I have tried it out myself and it appears to work okay. Obviously give me a shout if you find any problems.

Download as per usual from www.mailscanner.info.
--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Sat Mar 29 16:38:58 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:38 2006 Subject: perl In-Reply-To: <004d01c2f60e$e0928930$e492633e@anonymous> Message-ID: <5.2.0.9.2.20030329163756.02330dc0@imap.ecs.soton.ac.uk> Have you run the "./install.sh" script in the directory full of rpm files? You need to run that to install it properly. The most likely problem is that you are using a module which is not installed. If you set "Use SpamAssassin = yes", have you actually installed SpamAssassin? At 16:18 29/03/2003, you wrote: > > hello > > i use the perl version 5.8.0 > > when i try to install mailscanner he means i must install > > perl 5.00 or higher ==>> > > but perl is installed. When i install it with > > --nodeps then it doesnt works...(mail incoming) > > > > i cant see any errors in the logs only that the scanner trys to start >every > > time like > > > > MailScanner starts > > Mailscanner starts ... > > etc etc > > in the log > > > > any idea? or idea how i can turn on debug mode...maybe on screen > > thanks > > > > > >cya >-bernhard >------------------------------ >Technische/Server Administration - Support >www.strikenet.at - www.gameservers.cc >------------------------------ >*******************Internet Email Confidentiality Footer******************* >Privileged/Confidential Information may be contained in this message. If >you are not the addressee indicated in this message (or responsible for >delivery of the message to such person), you may not copy or deliver this >message to anyone. In such case, you should destroy this message and kindly >notify the sender by reply email. Please advise immediately if you or your >employer does not consent to Internet email for messages of this kind. >Opinions, conclusions and other information in this message that do not >relate to the official business of my firm shall be understood as neither >given nor endorsed by it. 
-- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support From sc2 at GMX.AT Sat Mar 29 16:48:05 2003 From: sc2 at GMX.AT (Richard Anony) Date: Thu Jan 12 21:17:38 2006 Subject: perl References: <5.2.0.9.2.20030329163756.02330dc0@imap.ecs.soton.ac.uk> Message-ID: <003501c2f612$f8d52e40$e492633e@anonymous> hello thx for answer again how i cant test if spam ass is correctly installed. im no nub and having installed mailscanner often..from 1st version to yet but only now it doesnt works... hmm maybe its spamassassin how i can see it (i have installed it i know it) but which path is mailscanner using From mailscanner at ecs.soton.ac.uk Sat Mar 29 16:58:12 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:38 2006 Subject: perl In-Reply-To: <003501c2f612$f8d52e40$e492633e@anonymous> References: <5.2.0.9.2.20030329163756.02330dc0@imap.ecs.soton.ac.uk> Message-ID: <5.2.0.9.2.20030329165602.0277deb8@imap.ecs.soton.ac.uk> At 16:48 29/03/2003, you wrote: >hello thx for answer again > >how i cant test if spam ass is correctly installed. >im no nub and having installed mailscanner often..from 1st version to yet >but only now it doesnt works... Try the "spamassassin" script that is shipped as part of SpamAssassin. What version were you running successfully before you just upgraded? >hmm maybe its spamassassin how i can see it (i have installed it i know it) >but which path is mailscanner using MailScanner doesn't use a "path" to SpamAssassin. It calls it directly without any other processes involved at all. -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support From steve at SWANEY.COM Sat Mar 29 19:10:09 2003 
From: steve at SWANEY.COM (Steve Swaney)
Date: Thu Jan 12 21:17:38 2006
Subject: Problem with High Spam Score delivery options
Message-ID: <0F353635-621A-11D7-A1F0-000393CE3676@swaney.com>

The "High Scoring Spam Action" was working just fine but since upgrading to SpamAssassin 2.51 and then 2.52 along with MailScanner 4.13.3, I cannot get the "High Scoring Spam Action" setting to have any effect.

I have reinstalled all from scratch and only changed:

Virus Scanner = sophos
High Scoring Spam Action = bounce
Use SpamAssassin = yes

All else works as advertised.

I'm running redhat 8.0 and installed MailScanner and SpamAssassin from the rpms.

Thanks,

Steve

Steve Swaney
Phone: (202) 352-3262
Fax: (202) 294-9496
Steve@Swaney.com

From mailscanner at ecs.soton.ac.uk Sat Mar 29 19:22:32 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:38 2006
Subject: Problem with High Spam Score delivery options
In-Reply-To: <0F353635-621A-11D7-A1F0-000393CE3676@swaney.com>
Message-ID: <5.2.0.9.2.20030329192207.0231ca38@imap.ecs.soton.ac.uk>

Has anyone else seen this problem?

At 19:10 29/03/2003, you wrote:
>The "High Scoring Spam Action" was working just fine but since
>upgrading to SpamAssassin 2.51 and then 2.52 along with MailScanner
>4.13.3, I cannot get the "High Scoring Spam Action" setting to have any
>effect.
>
>I have reinstalled all from scratch and only changed:
>
>Virus Scanner = sophos
>High Scoring Spam Action = bounce
>Use SpamAssassin = yes
>
>
>All else works as advertised
>
>I'm running redhat 8.0 and installed MailScanner and SpamAssassin from
>the rpms.
>
>Thanks,
>
>Steve
>Steve Swaney
>Phone: (202) 352-3262
>Fax: (202) 294-9496
>Steve@Swaney.com

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

From raymond at PROLOCATION.NET Sat Mar 29 19:50:12 2003
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:17:38 2006
Subject: New beta release (F-Prot and Sophos/SAVI)
In-Reply-To: <5.2.0.9.2.20030329161805.022f6ea8@imap.ecs.soton.ac.uk>
Message-ID:

Hi Julian,

> 1. Support for F-Prot 3.13 with its slightly different output format.
>
> 2. Support for the Perl SAVI module which uses Sophos Anti-Virus without
> any of the problems we have recently been having with "sweep" or
> "sophos-wrapper" taking ages to start. Step-by-step Installation
> instructions for the perl module are in the "Installation Guides" part of
> the docs.

Mar 29 20:36:50 master MailScanner[8187]: MailScanner E-Mail Virus Scanner version 4.14-8 starting...
Mar 29 20:36:50 master MailScanner[8187]: Error in configuration file line 264, directory /usr/local/Sophos/ide for sophoside does not exist (or is not readable)
Mar 29 20:37:00 master MailScanner[8209]: MailScanner E-Mail Virus Scanner version 4.14-8 starting...
Mar 29 20:37:00 master MailScanner[8209]: Error in configuration file line 264, directory /usr/local/Sophos/ide for sophoside does not exist (or is not readable)

I don't use Sophos at all, but it seems it still parses the config values for that. I commented out those ones and it was running just fine, I would expect however it would be ignored... Since that's what the config told me :)

I also noticed when I use the new setting:

Include Scanner Name In Reports = yes

It only reported one virus in the log, but I sent a test zip with 6. :)

Mar 29 20:43:29 master MailScanner[8749]: Virus Scanning: F-Prot found virus W32/Klez.H@mm
Mar 29 20:43:29 master MailScanner[8749]: Virus Scanning: f-prot found 6 infections
Mar 29 20:43:29 master MailScanner[8749]: Virus Scanning: Found 6 viruses

In the report file it's okay:

Report:

F-Prot: /var/spool/MailScanner/incoming/8749/h2TJhO209027/scanner.zip->MSO-Patch-0071.exe Infection:W32/Lirva.D@mm
F-Prot: /var/spool/MailScanner/incoming/8749/h2TJhO209027/scanner.zip->name.exe Infection: W32/Klez.H@mm
F-Prot: /var/spool/MailScanner/incoming/8749/h2TJhO209027/scanner.zip->setup.exe Infection: W32/Klez.H@mm
F-Prot: /var/spool/MailScanner/incoming/8749/h2TJhO209027/scanner.zip->SQL_4_Free.scr Infection: W32/Lentin.H@mm
F-Prot: /var/spool/MailScanner/incoming/8749/h2TJhO209027/scanner.zip->width.pif Infection: W32/Klez.H@mm
F-Prot: /var/spool/MailScanner/incoming/8749/h2TJhO209027/scanner.zip->you.exe Infection: W32/Klez.H@mm

But I guess the others also should be added in the logfile? And not only reporting it found one Klez, in fact it found 4 x Klez, 1 x Lentin and 1 x Lirva...

Besides that it's running ok it seems :)

To keep all the same I would also suggest to convert the one lowercase:

Virus Scanning: f-prot found 6 infections

Into

Virus Scanning: F-prot found 6 infections

=)

Bye,
Raymond.

From raymond at PROLOCATION.NET Sat Mar 29 19:53:41 2003
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:17:39 2006
Subject: sendmail 8.12.9 available (fwd)
Message-ID:

Hi!

For people running sendmail 8.x ...

---------- Forwarded message ----------
Date: Sat, 29 Mar 2003 11:19:48 -0800
From: Claus Assmann
To: bugtraq@securityfocus.com, vulnwatch@vulnwatch.org
Subject: sendmail 8.12.9 available

-----BEGIN PGP SIGNED MESSAGE-----

Sendmail, Inc., and the Sendmail Consortium announce the availability of sendmail 8.12.9. It contains a fix for a critical security problem discovered by Michal Zalewski whom we thank for bringing this problem to our attention. Sendmail urges all users to either upgrade to sendmail 8.12.9 or apply a patch for your sendmail version that is part of this announcement. Remember to check the PGP signatures of patches or releases obtained via FTP or HTTP (to check the correctness of the patches in this announcement please verify the PGP signature of it). For those not running the open source version, check with your vendor for a patch.

We apologize for releasing this information today (2003-03-29) but we were forced to do so by an e-mail on a public mailing list (that has been sent by an irresponsible individual) which contains information about the security flaw.

For a complete list of changes see the release notes down below.

Please send bug reports to sendmail-bugs@sendmail.org as usual.

Note: We have changed the way we digitally sign the source code distributions to simplify verification: in contrast to earlier versions two .sig files are provided, one each for the gzip'ed version and the compressed version. That is, instead of signing the tar file, we sign the compressed/gzip'ed files, so you do not need to uncompress the file before checking the signature.

This version can be found at

ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.12.9.tar.gz
ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.12.9.tar.gz.sig
ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.12.9.tar.Z
ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.12.9.tar.Z.sig

and the usual mirror sites.

MD5 signatures:

3dba3b6d769b3681640d0a38b0eba48c sendmail.8.12.9.tar.gz
19e39c9e9bc8fae288245c546639e1f4 sendmail.8.12.9.tar.gz.sig
268fc4045ba3eac6dfd9dc95d889ba5f sendmail.8.12.9.tar.Z
19e39c9e9bc8fae288245c546639e1f4 sendmail.8.12.9.tar.Z.sig

You either need the first two files or the third and fourth, i.e., the gzip'ed version or the compressed version and the corresponding .sig file. The PGP signature was created using the Sendmail Signing Key/2003, available on the web site (http://www.sendmail.org/) or on the public key servers.

Since sendmail 8.11 and later includes hooks to cryptography, the following information from OpenSSL applies to sendmail as well.

PLEASE REMEMBER THAT EXPORT/IMPORT AND/OR USE OF STRONG CRYPTOGRAPHY SOFTWARE, PROVIDING CRYPTOGRAPHY HOOKS OR EVEN JUST COMMUNICATING TECHNICAL DETAILS ABOUT CRYPTOGRAPHY SOFTWARE IS ILLEGAL IN SOME PARTS OF THE WORLD. SO, WHEN YOU IMPORT THIS PACKAGE TO YOUR COUNTRY, RE-DISTRIBUTE IT FROM THERE OR EVEN JUST EMAIL TECHNICAL SUGGESTIONS OR EVEN SOURCE PATCHES TO THE AUTHOR OR OTHER PEOPLE YOU ARE STRONGLY ADVISED TO PAY CLOSE ATTENTION TO ANY EXPORT/IMPORT AND/OR USE LAWS WHICH APPLY TO YOU. THE AUTHORS ARE NOT LIABLE FOR ANY VIOLATIONS YOU MAKE HERE. SO BE CAREFUL, IT IS YOUR RESPONSIBILITY.

SENDMAIL RELEASE NOTES
$Id: RELEASE_NOTES,v 8.1340.2.132 2003/03/29 14:02:26 ca Exp $

This listing shows the version of the sendmail binary, the version of the sendmail configuration files, the date of release, and a summary of the changes in that release.

8.12.9/8.12.9 2003/03/29

SECURITY: Fix a buffer overflow in address parsing due to a char to int conversion problem which is potentially remotely exploitable. Problem found by Michal Zalewski.

Note: an MTA that is not patched might be vulnerable to data that it receives from untrusted sources, which includes DNS.

To provide partial protection to internal, unpatched sendmail MTAs, 8.12.9 changes by default (char)0xff to (char)0x7f in headers etc. To turn off this conversion compile with -DALLOW_255 or use the command line option -d82.101.

To provide partial protection for internal, unpatched MTAs that may be performing 7->8 or 8->7 bit MIME conversions, the default for MaxMimeHeaderLength has been changed to 2048/1024. Note: this does have a performance impact, and it only protects against frontal attacks from the outside. To disable the checks and return to pre-8.12.9 defaults, set MaxMimeHeaderLength to 0/0.

Do not complain about -ba when submitting mail. Problem noted by Derek Wueppelmann.

Fix compilation with Berkeley DB 1.85 on systems that do not have flock(2). Problem noted by Andy Harper of Kings College London.

Properly initialize data structure for dns maps to avoid various errors, e.g., looping processes. Problem noted by Maurice Makaay.

CONFIG: Prevent multiple application of rule to add smart host. Patch from Andrzej Filip.

CONFIG: Fix queue group declaration in MAILER(`usenet').

CONTRIB: buildvirtuser: New option -t builds the virtusertable text file instead of the database map.

Portability: Revert wrong change made in 8.12.7 and actually use the builtin getopt() version in sendmail on Linux. This can be overridden by using -DSM_CONF_GETOPT=0 in which case the OS supplied version will be used.

Instructions to extract and apply the patches for sendmail:

The data below is a uuencoded, gzip'ed tar file. Store the data between "========= begin patch ========" and "========= end patch ==========" into a file called "patch.sm" and apply the following command:

uudecode -p < patch.sm | gunzip -c | tar -xf -

This will give you these files (explanation for each file is on the left, only "prescan.VERSION.patch" are the files).

prescan.8.12.8.patch    only for 8.12.8, changes version string to 8.12.8p1
prescan.8.12.patch      for 8.12.0 - 8.12.7, does not change version string
prescan.8.11.6.patch    only for 8.11.6, changes version string to 8.11.6p2
prescan.8.11.patch      for 8.11.0 - 8.11.5, does not change version string
prescan.8.9.3.patch     only for 8.9.3, changes version string to 8.9.3p2
prescan.8.9.patch       for 8.9.0 - 8.9.2, does not change version string

Apply the appropriate patch to your version of the sendmail source code (change the version number below to the right one!), e.g.,

cd sendmail-8.12.8/sendmail
patch < prescan.8.12.8.patch

recompile sendmail, and install the new binary.

========= begin patch ========
========= end patch ==========

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (OpenBSD)

iQCVAwUBPoXFgyGD4bE5bweJAQEk9gQAvhx73sgGCLaUiNkDRKiPECbrDcgn9fH0
JncwWXpYNlLoVFgk1VHbBTeFqtGwTVXIFUOyQvIwO8Vh53iHbffv/4NZCsZuWwpT
L7v+uCAN0IvYQUZUUvvcJJJsEUkyYzSKCnNewYhFGDmLa1Sx6x59fYw2hfseZ/HK
hjC59XbAdSk=
=t4zn
-----END PGP SIGNATURE-----

From dene at DATATECHIE.COM Sat Mar 29 20:14:46 2003
From: dene at DATATECHIE.COM (Dene Ulmschneider)
Date: Thu Jan 12 21:17:39 2006
Subject: confirming SPAM
In-Reply-To: <5.2.0.9.2.20030328083658.04371b60@imap.ecs.soton.ac.uk>
References: <5.1.0.14.2.20030327214537.00ba32e8@192.168.1.112> <5.2.0.9.2.20030324150117.03b5e328@imap.ecs.soton.ac.uk> <5.1.0.14.2.20030324095603.02668e78@192.168.1.112>
Message-ID: <5.1.0.14.2.20030329150747.0273beb8@192.168.1.112>

Julian- please see below

>Create a couple of local accounts, called "spam" and "notspam" whose
>mailboxes will live on the MailScanner server. The following script makes a
>few assumptions on where things live, but you can easily edit them to suit
>your environment. Create a cron job to run this script every hour or so.
>The "sa-learn" command is a script that comes with SpamAssassin.
>
>#!/bin/sh
>
>SPAM=/var/mail/spam
>NOTSPAM=/var/mail/notspam
>TOTAL=.cumulative
>
>LOGFILE=/var/log/learn.spam.log
>PREFS=/opt/MailScanner/etc/spam.assassin.prefs.conf
>SALEARN=/opt/MailScanner/bin/sa-learn
>
>date >> $LOGFILE
>if [ -f $SPAM ]; then
>   BOX=${SPAM}.processing
>   mv $SPAM $BOX
>   sleep 5 # Wait for writing current message to complete
>   $SALEARN --prefs-file=$PREFS --spam --mbox $BOX >> $LOGFILE 2>&1
>   cat $BOX >> ${SPAM}${TOTAL}
>   echo >> ${SPAM}${TOTAL}
>   rm -f $BOX
>fi
>
>if [ -f $NOTSPAM ]; then
>   BOX=${NOTSPAM}.processing
>   mv $NOTSPAM $BOX
>   sleep 5 # Wait for writing current message to complete
>   $SALEARN --prefs-file=$PREFS --ham --mbox $BOX >> $LOGFILE 2>&1
>   cat $BOX >> ${NOTSPAM}${TOTAL}
>   echo >> ${NOTSPAM}${TOTAL}
>   rm -f $BOX
>fi

This will be implemented as the next step after I resolve the issue below.

>Make sure you have installed "DB_File" using CPAN. If that fails, you
>probably haven't got BerkeleyDB installed (www.sleepycat.com). Remove the
>"use AnyDBM_File;" statement from the top of
>/usr/lib/MailScanner/MailScanner/SA.pm. Delete all the database files in
>/root/.spamassassin. Then start up MailScanner again and it should start
>learning Bayes statistics from mail it sees. The default settings for
>SpamAssassin's Bayes filter will work just fine.

I did not have DB_File installed. I installed it from CPAN and the install went smoothly. All other components seem to be installed. I then deleted the files you mentioned and they were recreated automatically. At this point I believe that Bayes is working - but is there a way to verify that it is learning? I see the "bayes_msgcount" file but it does not appear to be growing over time. The file is 2.5Kb and contains only a long line of DOTS (or periods). How can I verify that Bayes is working correctly?

Thank You

Dene Ulmschneider
Data Techie Inc.
-------------------------------------------------------------------------
office: 718.738.8859
cell: 646.996.2976
email: dene@datatechie.com
pager mail: denenow@datatechie.com
website: www.datatechie.com
-------------------------------------------------------------------------
"Life is too short...-...you should have dessert first"

--
This message has been scanned for viruses and dangerous content by Data Techie, and is believed to be clean.
Data Techie... always there to protect you!
http://www.datatechie.com

From mailscanner at ecs.soton.ac.uk Sat Mar 29 20:50:04 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:39 2006 Subject: New beta release (F-Prot and Sophos/SAVI) In-Reply-To: References: <5.2.0.9.2.20030329161805.022f6ea8@imap.ecs.soton.ac.uk> Message-ID: <5.2.0.9.2.20030329203856.027bdec8@imap.ecs.soton.ac.uk> At 19:50 29/03/2003, you wrote: >Mar 29 20:36:50 master MailScanner[8187]: MailScanner E-Mail Virus Scanner >version 4.14-8 starting... >Mar 29 20:36:50 master MailScanner[8187]: Error in configuration file line >264, directory /usr/local/Sophos/ide for sophoside does not exist (or is >not readable) >Mar 29 20:37:00 master MailScanner[8209]: MailScanner E-Mail Virus Scanner >version 4.14-8 starting... >Mar 29 20:37:00 master MailScanner[8209]: Error in configuration file line >264, directory /usr/local/Sophos/ide for sophoside does not exist (or is >not readable) To fix that, in ConfigDefs.pl move the sophoside and sophoslib lines to the "Simple,Other" section instead of the "Simple,Dir" section. >I also noticed when i use the new setting: > >Include Scanner Name In Reports = yes > >It only reported one virus in the log, but i sended a test zip with 6. 
:) > >Mar 29 20:43:29 master MailScanner[8749]: Virus Scanning: F-Prot found >virus W32/Klez.H@mm >Mar 29 20:43:29 master MailScanner[8749]: Virus Scanning: f-prot found 6 >infections >Mar 29 20:43:29 master MailScanner[8749]: Virus Scanning: Found 6 viruses > >In the report file its okay: > > Report: > > F-Prot: >/var/spool/MailScanner/incoming/8749/h2TJhO209027/scanner.zip->MSO-Patch-0071.exe >Infection:W32/Lirva.D@mm > F-Prot: >/var/spool/MailScanner/incoming/8749/h2TJhO209027/scanner.zip->name.exe >Infection: W32/Klez.H@mm > F-Prot: >/var/spool/MailScanner/incoming/8749/h2TJhO209027/scanner.zip->setup.exe >Infection: W32/Klez.H@mm > F-Prot: >/var/spool/MailScanner/incoming/8749/h2TJhO209027/scanner.zip->SQL_4_Free.scr >Infection: W32/Lentin.H@mm > F-Prot: >/var/spool/MailScanner/incoming/8749/h2TJhO209027/scanner.zip->width.pif >Infection: W32/Klez.H@mm > F-Prot: >/var/spool/MailScanner/incoming/8749/h2TJhO209027/scanner.zip->you.exe >Infection: W32/Klez.H@mm > >But i guess the others also should be added in the logfile ? And not only >reporting it found one Klez, in fact it found 4 x Klez, 1 x Lentin and 1 x >Lirva... Not sure about that one, something odd must be happening. It's only cosmetic though... >Besides that its running ok it seems :) > >To keep all the same i would also suggest to convert the one lowercase: > >Virus Scanning: f-prot found 6 infections > >Into > >Virus Scanning: F-prot found 6 infections --- SweepViruses.pm Sat Mar 29 15:47:30 2003 +++ SweepViruses.pm.new Sat Mar 29 20:13:21 2003 
@@ -490,7 +493,8 @@ $rCounter, $disinfect); $counter += $result; MailScanner::Log::InfoLog("%s: %s found %d infections", $logtitle, - $scanner, $$rCounter) if $$rCounter; + $Scanners{$scanner}{Name}, $$rCounter) + if $$rCounter; } return $counter; > =) > >Bye, >Raymond. -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Sat Mar 29 20:54:43 2003 
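Review bot: In the added lines, `$Scanners{$scanner}{Name}` is passed to the `%s` format with no fallback, so a scanner whose table entry has no `Name` key would be logged with an empty name (and an uninitialized-value warning when warnings are on); `$Scanners{$scanner}{Name} || $scanner` would keep the old value as a safety net. The hunk header also shifts from line 490 to 493, which means three lines were added earlier in SweepViruses.pm that are not part of what was posted, so anyone applying this by hand should expect that offset.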
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:39 2006
Subject: confirming SPAM
In-Reply-To: <5.1.0.14.2.20030329150747.0273beb8@192.168.1.112>
References: <5.2.0.9.2.20030328083658.04371b60@imap.ecs.soton.ac.uk> <5.1.0.14.2.20030327214537.00ba32e8@192.168.1.112> <5.2.0.9.2.20030324150117.03b5e328@imap.ecs.soton.ac.uk> <5.1.0.14.2.20030324095603.02668e78@192.168.1.112>
Message-ID: <5.2.0.9.2.20030329205216.027c1530@imap.ecs.soton.ac.uk>

At 20:14 29/03/2003, you wrote:
>I did not have DB_File installed. I installed it form CPAN and the install
>went smoothly. All other components seem to be installed. I then deleted
>the files you mentioned and they were recreated automatically. At this
>point I believe that Bayes is working - but is there a way to verify that
>it is learning? I see the "bayes_msgcount" file but it does not appear to
>be growing over time. The file is 2.5Kb and contains only a long line of
>DOTS (or periods). How can I verify that Bayes is working correctly?

The number of messages processed by bayes is given by the length of the file. Its contents are irrelevant, it's the length that matters.

It won't start using bayes until it has at least 200 spam and 200 non-spam in its database. It will only add to its database messages that are *definitely* not spam or *definitely* spam (it has some large score threshold values to define this).
--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

From donovan at HUFFDATASYSTEMS.COM Sun Mar 30 00:15:37 2003
From: donovan at HUFFDATASYSTEMS.COM (Donovan Huff | HUFF DATA SYSTEMS) Date: Thu Jan 12 21:17:39 2006 Subject: Rule for Non-English/foreign SPAM to be tagged as SPAM? Message-ID: <01f901c2f651$7ebe2690$f0793841@x27> It seems that SPAM in languages other than English are becoming more and more common, especially Spanish and French. Since all of my customers are US based and send e-mail in English and likely only receive e-mail in English, I want Non-English/foreign SPAM to be tagged higher. I do not want to block them complete, just cut out the SPAM. Looking at the headers of these e-mails they actually have TLDs like .fr and .mx so it should not be too difficult there (have a list of TLDs that you want to tag higher), but is there a way to look at the actual text and tell if it is non-English as well? I am basically looking for an add-in rule to do this, however, I think an option in the MailScanner config for setting the country/language would be helpful for a lot of people. I'm not trying to sound USA/English centric, it is just an issue I have and I know a lot of other people must as well. I'm not experience in custom rules for MailScanner so if someone familer with the rules would make one up for the above purpose that would be great and I can use it for future reference. TIA, Donovan From craig at STRONG-BOX.NET Sun Mar 30 03:28:04 2003 From: craig at STRONG-BOX.NET (Craig Pratt) Date: Thu Jan 12 21:17:39 2006 Subject: Fwd: CERT Advisory CA-2003-12 Buffer Overflow in Sendmail Message-ID: <3C277926-6257-11D7-94CC-000393B9390A@strong-box.net> Yes, it's time to patch sendmail again. The only distro at this time with the new version (8.12.9) or patch is slackware, AFAIK. Why does this always happen on the weekend? Craig --- Craig Pratt Strongbox Network Services Inc. mailto:craig@strong-box.net Begin forwarded message: 
> From: CERT Advisory > Date: Sat Mar 29, 2003 11:57:59 AM US/Pacific > To: cert-advisory@cert.org > Subject: CERT Advisory CA-2003-12 Buffer Overflow in Sendmail > X-Mailscanner-Spamcheck: not spam, SpamAssassin (score=1.4, required > 4, AWL, FROM_AND_TO_SAME_5, LINES_OF_YELLING, NOSPAM_INC, > PGP_SIGNATURE, SPAM_PHRASE_02_03) > X-Mailscanner-Spamscore: s > > > > -----BEGIN PGP SIGNED MESSAGE----- > > CERT Advisory CA-2003-12 Buffer Overflow in Sendmail > > Original release date: March 29, 2003 > Last revised: > Source: CERT/CC > > A complete revision history can be found at the end of this file. > > Systems Affected > > * Sendmail Pro (all versions) > * Sendmail Switch 2.1 prior to 2.1.6 > * Sendmail Switch 2.2 prior to 2.2.6 > * Sendmail Switch 3.0 prior to 3.0.4 > * Sendmail for NT 2.X prior to 2.6.3 > * Sendmail for NT 3.0 prior to 3.0.4 > * Systems running open-source sendmail versions prior to > 8.12.9, > including UNIX and Linux systems > > Overview > > There is a vulnerability in sendmail that can be exploited to > cause a > denial-of-service condition and could allow a remote attacker > to > execute arbitrary code with the privileges of the sendmail > daemon, > typically root. > > I. Description > > There is a remotely exploitable vulnerability in sendmail that > could > allow an attacker to gain control of a vulnerable sendmail > server. > Address parsing code in sendmail does not adequately check the > length > of email addresses. An email message with a specially crafted > address > could trigger a stack overflow. This vulnerability was discovered > by > Michal Zalewski. > > This vulnerability is different than the one described in > CA-2003-07. > > Most organizations have a variety of mail transfer agents (MTAs) > at > various locations within their network, with at least one exposed > to > the Internet. Since sendmail is the most popular MTA, > most > medium-sized to large organizations are likely to have at least > one > vulnerable sendmail server. 
In addition, many UNIX and > Linux > workstations provide a sendmail implementation that is enabled > and > running by default. > > This vulnerability is message-oriented as opposed > to > connection-oriented. That means that the vulnerability is triggered > by > the contents of a specially-crafted email message rather than > by > lower-level network traffic. This is important because an MTA > that > does not contain the vulnerability will pass the malicious > message > along to other MTAs that may be protected at the network level. > In > other words, vulnerable sendmail servers on the interior of a > network > are still at risk, even if the site's border MTA uses software > other > than sendmail. Also, messages capable of exploiting this > vulnerability > may pass undetected through many common packet filters or firewalls. > > This vulnerability has been successfully exploited to cause > a > denial-of-service condition in a laboratory environment. It > is > possible that this vulnerability could be used to execute code on > some > vulnerable systems. > > The CERT/CC is tracking this issue as VU#897604. This reference > number > corresponds to CVE candidate CAN-2003-0161. > > For more information, please see > > http://www.sendmail.org > http://www.sendmail.org/8.12.9.html > http://www.sendmail.com/security/ > > For the latest information about this vulnerability, including > the > most recent vendor information, please see > > http://www.kb.cert.org/vuls/id/897604 > > This vulnerability is distinct from VU#398025. > > II. Impact > > Successful exploitation of this vulnerability may cause > a > denial-of-service condition or allow an attacker to gain > the > privileges of the sendmail daemon, typically root. Even > vulnerable > sendmail servers on the interior of a given network may be at > risk > since the vulnerability is triggered by the contents of a > malicious > email message. > > III. Solution > > Apply a patch from Sendmail, Inc. 
> > Sendmail has produced patches for versions 8.9, 8.10, 8.11, and > 8.12. > However, the vulnerability also exists in earlier versions of > the > code; therefore, site administrators using an earlier version > are > encouraged to upgrade to 8.12.9. These patches, and a signature > file, > are located at > > ftp://ftp.sendmail.org/pub/sendmail/prescan.tar.gz.uu > ftp://ftp.sendmail.org/pub/sendmail/prescan.tar.gz.uu.asc > > Apply a patch from your vendor > > Many vendors include vulnerable sendmail servers as part of > their > software distributions. We have notified vendors of this > vulnerability > and recorded the statements they provided in Appendix A of > this > advisory. The most recent vendor information can be found in > the > systems affected section of VU#897604. > > Enable the RunAsUser option > > There is no known workaround for this vulnerability. Until a patch > can > be applied, you may wish to set the RunAsUser option to reduce > the > impact of this vulnerability. As a good general practice, the > CERT/CC > recommends limiting the privileges of an application or > service > whenever possible. > > Appendix A. - Vendor Information > > This appendix contains information provided by vendors for > this > advisory. As vendors report new information to the CERT/CC, we > will > update this section and note the changes in our revision history. > If a > particular vendor is not listed below, we have not received > their > comments. > > Red Hat Inc. > > Red Hat distributes sendmail in all Red Hat Linux distributions. > We > are currently [Mar29] working on producing errata packages to > correct > this issue, when complete these will be available along with > our > advisory at the URL below. At the same time users of the Red > Hat > Network will be able to update their systems using the 'up2date' > tool. 
> > Red Hat Linux: > > http://rhn.redhat.com/errata/RHSA-2003-120.html > > Red Hat Enterprise Linux: > > http://rhn.redhat.com/errata/RHSA-2003-121.html > > The Sendmail Consortium > > The Sendmail Consortium recommends that sites upgrade to > 8.12.9 > whenever possible. Alternatively, patches are available for 8.9, > 8.10, > 8.11, and 8.12 on http://www.sendmail.org/. > > Sendmail, Inc. > > All commercial releases including Sendmail Switch, Sendmail > Advanced > Message Server (which includes the Sendmail Switch MTA), Sendmail > for > NT, and Sendmail Pro are affected by this issue. Patch information > is > available at http://www.sendmail.com/security/. > _________________________________________________________________ > > Our thanks to Eric Allman, Claus Assmann, Greg Shapiro, and > Dave > Anderson of Sendmail for reporting this problem and for > their > assistance in coordinating the response to this problem. We also > thank > Michal Zalewski for discovering this vulnerability. > _________________________________________________________________ > > Authors: Art Manion and Shawn V. Hernan > > ______________________________________________________________________ > > This document is available from: > http://www.cert.org/advisories/CA-2003-12.html > > ______________________________________________________________________ > > CERT/CC Contact Information > > Email: cert@cert.org > Phone: +1 412-268-7090 (24-hour hotline) > Fax: +1 412-268-6989 > Postal address: > CERT Coordination Center > Software Engineering Institute > Carnegie Mellon University > Pittsburgh PA 15213-3890 > U.S.A. > > CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) > / > EDT(GMT-4) Monday through Friday; they are on call for > emergencies > during other hours, on U.S. holidays, and on weekends. > > Using encryption > > We strongly urge you to encrypt sensitive information sent by > email. 
> Our public PGP key is available from > http://www.cert.org/CERT_PGP.key > > If you prefer to use DES, please call the CERT hotline for > more > information. > > Getting security information > > CERT publications and other security information are available > from > our web site > http://www.cert.org/ > > To subscribe to the CERT mailing list for advisories and > bulletins, > send email to majordomo@cert.org. Please include in the body of > your > message > > subscribe cert-advisory > > * "CERT" and "CERT Coordination Center" are registered in the > U.S. > Patent and Trademark Office. > > ______________________________________________________________________ > > NO WARRANTY > Any material furnished by Carnegie Mellon University and the > Software > Engineering Institute is furnished on an "as is" basis. > Carnegie > Mellon University makes no warranties of any kind, either expressed > or > implied as to any matter including, but not limited to, warranty > of > fitness for a particular purpose or merchantability, exclusivity > or > results obtained from use of the material. Carnegie Mellon > University > does not make any warranty of any kind with respect to freedom > from > patent, trademark, or copyright infringement. > _________________________________________________________________ > > Conditions for use, disclaimers, and sponsorship information > > Copyright 2003 Carnegie Mellon University. > Revision History > > March 29,2003: Initial release > > -- This message checked for dangerous content by MailScanner on StrongBox. From Kevin.Spicer at BMRB.CO.UK Sun Mar 30 12:12:27 2003 
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin) Date: Thu Jan 12 21:17:39 2006 Subject: Rule for Non-English/foreign SPAM to be tagged as SPAM? Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0A4AD63@pascal.priv.bmrb.co.uk> > is there a way to look at the actual text and tell if it is > non-English as well? I am basically looking for an add-in rule to do SpamAssassin can do this, take a look at the SpamAssassin docs http://www.spamassassin.org/doc/Mail_SpamAssassin_Conf.html [ok_languages and ok_locales are the directives you'll be interested in], add the appropriate directives to spam.assassin.prefs.conf (in the MailScanner configuration directory). If this isn't enough on its own you could also increase the score for the tests triggered (mentioned in the above link) to increase the likelihood of mails in a foreign language to exceed the spam threshold. BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. From so-mlist-alias at all-about-shift.com Sun Mar 30 15:46:08 2003 
From: so-mlist-alias at all-about-shift.com (Soeren Gerlach) Date: Thu Jan 12 21:17:39 2006 Subject: Ruleset problem/question Message-ID: <200303301646.08115.so-mlist-alias@all-about-shift.com> Hi, referencing to the ruleset example I set up a simple rule for MailScanner to use different files for the "Deleted Bad Filename Message" parameter. It looks like so in my config file: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Deleted Bad Filename Message Report = /opt/MailScanner/etc/rules/deleted_bad_filename_message_report.rules - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - There, some rules are defined for several domains: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - To: *@all-about-shift.com /opt/MailScanner/etc/rules/messages/deleted_bad_filename_message_report.all-about-shift.com.txt To: *@all-about-shift.de /opt/MailScanner/etc/reports/de/deleted.filename.message.txt - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - The file for the first domain exists and is a customized version of the general version used as default in MailScanner. But when starting MailScanner, it reports the following error via Syslog: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Syntax error in line 1 of ruleset file /opt/MailScanner/etc/rules/deleted_bad_filename_message_report.rules for keyword deletedfilenamemessage - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - What am I missing? It looks quite perfect to me (at least....) ,-)) Two questions regarding this problem: How does M. distinguish in the config file between a rulefile and the final text file to use for this (and other parameters) as both versions take a file in the config file itself. The second question accompanies the "M. in mem" thread which goes on for some days: Will all the referenced text files be read upon start so they are in mem while a M.process is running? 
If yes, does this also apply for custom rules as shown above? Best regards, Soeren Gerlach From mailscanner at ecs.soton.ac.uk Sun Mar 30 15:52:31 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:39 2006 Subject: Ruleset problem/question In-Reply-To: <200303301646.08115.so-mlist-alias@all-about-shift.com> Message-ID: <5.2.0.9.2.20030330154943.02366e88@imap.ecs.soton.ac.uk> At 15:46 30/03/2003, you wrote: >Hi, > >referencing to the ruleset example I set up a simple rule for MailScanner to >use different files for the "Deleted Bad Filename Message" parameter. It >looks like so in my config file: > >- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - >Deleted Bad Filename Message Report = >/opt/MailScanner/etc/rules/deleted_bad_filename_message_report.rules >- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - > >There, some rules are defined for several domains: > >- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - >To: *@all-about-shift.com >/opt/MailScanner/etc/rules/messages/deleted_bad_filename_message_report.all-about-shift.com.txt >To: *@all-about-shift.de >/opt/MailScanner/etc/reports/de/deleted.filename.message.txt >- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - > > >The file for the first domain exists and is a customized version of the >general version used as default in MailScanner. But when starting >MailScanner, it reports the following error via Syslog: > >- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - >Syntax error in line 1 of ruleset file >/opt/MailScanner/etc/rules/deleted_bad_filename_message_report.rules for >keyword deletedfilenamemessage >- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - > >What am I missing? It looks quite perfect to me (at least....) ,-)) My guess would be that your text editor split it over 2 lines. So it is complaining that there is no filename on the first line. >Two questions regarding this problem: How does M. 
distinguish in the config >file between a rulefile and the final text file to use for this (and other >parameters) as both versions take a file in the config file itself. Most other settings are easy to distinguish (rules files have to be files that exist). But in this case, they rely on the filename ending in ".rule" or ".rules". >The second question accompanies the "M. in mem" thread which goes on for >some days: Will all the referenced text files be read upon start so they >are in mem while a M.process is running? No, they are read each time they are used. > If yes, does this also apply for >custom rules as shown above? The rules are read once at startup, and every time MailScanner restarts itself (see "Restart Every" in MailScanner.conf). -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support From so-mlist-alias at all-about-shift.com Sun Mar 30 16:08:32 2003 
From: so-mlist-alias at all-about-shift.com (Soeren Gerlach) Date: Thu Jan 12 21:17:39 2006 Subject: Ruleset problem/question Message-ID: <200303301708.32809.so-mlist-alias@all-about-shift.com> Wrong address... ---------- Forwarded message ---------- > >There, some rules are defined for several domains: > > > >- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - > >To: *@all-about-shift.com > >/opt/MailScanner/etc/rules/messages/deleted_bad_filename_message_report. > >all-about-shift.com.txt To: *@all-about-shift.de > >/opt/MailScanner/etc/reports/de/deleted.filename.message.txt > >- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - > > > > > >The file for the first domain exists and is a customized version of the > >general version used as default in MailScanner. But when starting > >MailScanner, it reports the following error via Syslog: > > > >- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - > >Syntax error in line 1 of ruleset file > >/opt/MailScanner/etc/rules/deleted_bad_filename_message_report.rules for > >keyword deletedfilenamemessage > >- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - > > > >What am I missing? It looks quite perfect to me (at least....) ,-)) > > My guess would be that your text editor split it over 2 lines. So it is > complaining that there is no filename on the first line. No, this is not the case. It is created via a script but I checked it too after your answer with a very wide terminal ,-) Can it be that the filename is too long or the overall line length is too long? I attached the file to this mail so you can check. > >Two questions regarding this problem: How does M. distinguish in the > > config file between a rulefile and the final text file to use for this > > (and other parameters) as both versions take a file in the config file > > itself. > > Most other settings are easy to distinguish (rules files have to be files > that exist). 
But in this case, they rely on the filename ending in > ".rule" or ".rules". Okay, quite easy then. > >The second question accompanies the "M. in mem" thread which goes on for > >some days: Will all the referenced text files be read upon start so they > >are in mem while a M.process is running? > > No, they are read each time they are used. So for performance reasons it would be another issue to put the referenced files on a ramdisk. Although I think this will be a small improvement only as these files are read only and not written to. thanks & regards, Soeren -------------- next part -------------- To: *@all-about-shift.com /opt/MailScanner/etc/rules/messages/deleted_bad_filename_message_report.all-about-shift.com.txt To: *@all-about-shift.de /opt/MailScanner/etc/reports/de/deleted.filename.message.txt To: *@asos-clan.de /opt/MailScanner/etc/reports/de/deleted.filename.message.txt To: *@baumweg.net /opt/MailScanner/etc/reports/de/deleted.filename.message.txt To: *@fides.net /opt/MailScanner/etc/reports/de/deleted.filename.message.txt To: *@quanteam.de /opt/MailScanner/etc/reports/de/deleted.filename.message.txt To: *@visordesign.de /opt/MailScanner/etc/reports/de/deleted.filename.message.txt From mailscanner at ecs.soton.ac.uk Sun Mar 30 17:35:52 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:39 2006 Subject: Ruleset problem/question In-Reply-To: <200303301708.32809.so-mlist-alias@all-about-shift.com> Message-ID: <5.2.0.9.2.20030330173403.022f2840@imap.ecs.soton.ac.uk> At 16:08 30/03/2003, you wrote: >---------- Forwarded message ---------- > > > >There, some rules are defined for several domains: > > > > > >- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - > > >To: *@all-about-shift.com > > >/opt/MailScanner/etc/rules/messages/deleted_bad_filename_message_report. > > >all-about-shift.com.txt To: *@all-about-shift.de > > >/opt/MailScanner/etc/reports/de/deleted.filename.message.txt > > >- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - > > > > > > > > >The file for the first domain exists and is a customized version of the > > >general version used as default in MailScanner. But when starting > > >MailScanner, it reports the following error via Syslog: > > > > > >- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - > > >Syntax error in line 1 of ruleset file > > >/opt/MailScanner/etc/rules/deleted_bad_filename_message_report.rules for > > >keyword deletedfilenamemessage > > >- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - > > > > > >What am I missing? It looks quite perfect to me (at least....) ,-)) > > > > My guess would be that your text editor split it over 2 lines. So it is > > complaining that there is no filename on the first line. > >No, this is not the case. It is created via a script but I checked it too >after your answer with a very wide terminal ,-) Can it be that the filename >is too long or the overall line length is too long? I attached the file to >this mail so you can check. It's a DOS text file, not a Unix text file. >So for performance reasons it would be another issue to put the referenced >files on a ramdisk. 
Although I think this will be a small improvement only >as these files are read only and not written to. If they are being read often then the operating system will have already loaded them into buffer ram anyway, so this won't make any difference at all. -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support From so-mlist-alias at all-about-shift.com Sun Mar 30 17:55:52 2003 
From: so-mlist-alias at all-about-shift.com (Soeren Gerlach) Date: Thu Jan 12 21:17:39 2006 Subject: Ruleset problem/question In-Reply-To: <5.2.0.9.2.20030330173403.022f2840@imap.ecs.soton.ac.uk> References: <5.2.0.9.2.20030330173403.022f2840@imap.ecs.soton.ac.uk> Message-ID: <200303301855.52992.so-mlist-alias@all-about-shift.com> On Sunday, 30 March 2003 18:35 you wrote: > At 16:08 30/03/2003, you wrote: > >---------- Forwarded message ---------- > > > > > >There, some rules are defined for several domains: > > > > > > > >- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - > > > >To: *@all-about-shift.com > > > >/opt/MailScanner/etc/rules/messages/deleted_bad_filename_message_rep > > > >ort. all-about-shift.com.txt To: *@all-about-shift.de > > > >/opt/MailScanner/etc/reports/de/deleted.filename.message.txt > > > >- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - > > > > > > > > > > > >The file for the first domain exists and is a customized version of > > > > the general version used as default in MailScanner. But when > > > > starting MailScanner, it reports the following error via Syslog: > > > > > > > >- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - > > > >Syntax error in line 1 of ruleset file > > > >/opt/MailScanner/etc/rules/deleted_bad_filename_message_report.rules > > > > for keyword deletedfilenamemessage > > > >- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - > > > > > > > >What am I missing? It looks quite perfect to me (at least....) ,-)) > > > > > > My guess would be that your text editor split it over 2 lines. So it > > > is complaining that there is no filename on the first line. > > > >No, this is not the case. It is created via a script but I checked it > > too after your answer with a very wide terminal ,-) Can it be that the > > filename is too long or the overall line length is too long? I attached > > the file to this mail so you can check. 
> > It's a DOS text file, not a Unix text file. Sorry, I have to insist that it's a Unix file. It's created using Perl with "\n" linefeed (nothing else) and Linux (and I've checked the file from the mailing list too ,-)). Anyhow: I've a couple of other rule files which are created the same way and which work quite well, only the rule files with the file references don't work, so I think, it *might* be something regarding this file reference. Thanks & regards, Soeren Gerlach From so-mlist-alias at all-about-shift.com Sun Mar 30 18:09:07 2003 From: so-mlist-alias at all-about-shift.com (Soeren Gerlach) Date: Thu Jan 12 21:17:39 2006 Subject: Ruleset problem/question => The final solution In-Reply-To: <200303301855.52992.so-mlist-alias@all-about-shift.com> References: <5.2.0.9.2.20030330173403.022f2840@imap.ecs.soton.ac.uk> <200303301855.52992.so-mlist-alias@all-about-shift.com> Message-ID: <200303301909.07768.so-mlist-alias@all-about-shift.com> The final solution to this thread: I just checked the scripts and found out that MailScanner is not able to access the referenced file because of wrong permissions - fixing this issue brought everything back to life. An improvement from this: Instead of saying "syntax error in line ..." it would be nice to have a more precise error message like "cannot find referenced file..." or so if the file is missing. Thanks, Soeren Gerlach From mailscanner at ecs.soton.ac.uk Sun Mar 30 18:10:39 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:39 2006 Subject: Ruleset problem/question In-Reply-To: <200303301855.52992.so-mlist-alias@all-about-shift.com> References: <5.2.0.9.2.20030330173403.022f2840@imap.ecs.soton.ac.uk> <5.2.0.9.2.20030330173403.022f2840@imap.ecs.soton.ac.uk> Message-ID: <5.2.0.9.2.20030330180602.02605ec0@imap.ecs.soton.ac.uk> At 17:55 30/03/2003, you wrote: >On Sunday, 30 March 2003 18:35 you wrote: > > At 16:08 30/03/2003, you wrote: > > >---------- Forwarded message ---------- > > > > > > > >There, some rules are defined for several domains: > > > > > > > > > >- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - > > > > >To: *@all-about-shift.com > > > > >/opt/MailScanner/etc/rules/messages/deleted_bad_filename_message_rep > > > > >ort. all-about-shift.com.txt To: *@all-about-shift.de > > > > >/opt/MailScanner/etc/reports/de/deleted.filename.message.txt > > > > >- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - > > > > > > > > > > > > > > >The file for the first domain exists and is a customized version of > > > > > the general version used as default in MailScanner. But when > > > > > starting MailScanner, it reports the following error via Syslog: > > > > > > > > > >- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - > > > > >Syntax error in line 1 of ruleset file > > > > >/opt/MailScanner/etc/rules/deleted_bad_filename_message_report.rules > > > > > for keyword deletedfilenamemessage > > > > >- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - > > > > > > > > > >What am I missing? It looks quite perfect to me (at least....) ,-)) > > > > > > > > My guess would be that your text editor split it over 2 lines. So it > > > > is complaining that there is no filename on the first line. > > > > > >No, this is not the case. 
It is created via a script but I checked it > > > too after your answer with a very wide terminal ,-) Can it be that the > > > filename is too long or the overall line length is too long? I attached > > > the file to this mail so you can check. > > > > It's a DOS text file, not a Unix text file. > >Sorry, I have to insist that it's a Unix file. It's created using Perl >with "\n" linefeed (nothing else) and Linux (and I've checked the file from >the mailing list too ,-)). Anyhow: I've a couple of other rule files which >are created the same way and which work quite well, only the rule files >with the file references don't work, so I think, it *might* be something >regarding this file reference. I just managed to reproduce your error by not creating the report file referred to in the rules file. Are you sure the report files you referenced all exist and are spelt correctly? -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Sun Mar 30 18:19:36 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:17:39 2006 Subject: Ruleset problem/question => The final solution In-Reply-To: <200303301909.07768.so-mlist-alias@all-about-shift.com> References: <200303301855.52992.so-mlist-alias@all-about-shift.com> <5.2.0.9.2.20030330173403.022f2840@imap.ecs.soton.ac.uk> <200303301855.52992.so-mlist-alias@all-about-shift.com> Message-ID: <5.2.0.9.2.20030330181852.0249cda0@imap.ecs.soton.ac.uk> At 18:09 30/03/2003, you wrote: >The final solution to this thread: I just checked the scripts and found out >that MailScanner is not able to access the referenced file because of wrong >permissions - fixing this issue brought everything back to life. > >An improvement from this: Instead of saying "syntax error in line ..." it >would be nice to have a more precise error message like "cannot find >referenced file..." or so if the file is missing. Indeed it would. It will be improved in the next release. -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support From so-mlist-alias at all-about-shift.com Sun Mar 30 18:23:40 2003 From: so-mlist-alias at all-about-shift.com (Soeren Gerlach) Date: Thu Jan 12 21:17:39 2006 Subject: Ruleset problem/question => The final solution In-Reply-To: <5.2.0.9.2.20030330181852.0249cda0@imap.ecs.soton.ac.uk> References: <200303301855.52992.so-mlist-alias@all-about-shift.com> <5.2.0.9.2.20030330181852.0249cda0@imap.ecs.soton.ac.uk> Message-ID: <200303301923.40435.so-mlist-alias@all-about-shift.com> > >An improvement from this: Instead of saying "syntax error in line ..." it > >would be nice to have a more precise error message like "cannot find > >referenced file..." or so if the file is missing. > > Indeed it would. It will be improved in the next release. Great! Greetings to all people working on Sundays in the office ,-)) Soeren Gerlach From E.H.Beekman at AMC.UVA.NL Sun Mar 30 20:37:08 2003 
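The "Ruleset problem/question" thread above went through three hypotheses for one "Syntax error in line 1" message: a rule wrapped onto two lines, DOS line endings, and a referenced report file that is missing or not readable by MailScanner. The Python check below tells them apart before MailScanner is started; it is an added example, not MailScanner code or anything posted in the thread, and the direction keywords other than "To:", the function names, and the constructed sample ruleset and paths are assumptions.

```python
import os
import sys

# Only "To:" appears in the thread; the other direction keywords are
# assumed from MailScanner's ruleset format.
DIRECTIONS = {"from:", "to:", "fromorto:", "fromandto:"}


def probe_path(path):
    """Classify a referenced file as 'ok', 'missing' or 'unreadable'.

    Run this as the account MailScanner runs under: os.access() answers
    for the calling user, and root can read almost anything.
    """
    if not os.path.exists(path):
        return "missing"
    if not os.path.isfile(path) or not os.access(path, os.R_OK):
        return "unreadable"
    return "ok"


def lint_ruleset(text, probe=probe_path):
    """Return (line_number, code, detail) findings for a ruleset whose
    values are file names, such as the per-domain report files above."""
    findings = []
    # Split on "\n" only, so a stray "\r" from a DOS text file stays visible.
    for number, raw in enumerate(text.split("\n"), start=1):
        if raw.endswith("\r"):
            findings.append((number, "crlf", "line ends in CR LF (DOS text file)"))
        line = raw.rstrip("\r").strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if fields[0].lower() not in DIRECTIONS:
            # A bare path on its own line usually means the rule before it
            # was wrapped by an editor or a mail client.
            code = "orphan-value" if fields[0].startswith("/") else "bad-direction"
            findings.append((number, code, fields[0]))
            continue
        if len(fields) < 3:
            findings.append((number, "no-value", "rule has no file name on this line"))
            continue
        path = fields[-1]
        state = probe(path)
        if state != "ok":
            findings.append((number, state, path))
    return findings


# Constructed sample, modelled on the ruleset quoted in the thread.
SAMPLE = (
    "# per-domain report files (constructed example)\n"
    "To: *@example.com /etc/rules/reports/example.com.txt\n"
    "To: *@example.de\n"
    "/etc/rules/reports/de.txt\n"
    "To: *@example.net /etc/rules/reports/net.txt\r\n"
    "To: *@example.org /etc/rules/reports/org.txt\n"
)

# Constructed file states standing in for the real filesystem.
SAMPLE_STATE = {
    "/etc/rules/reports/example.com.txt": "unreadable",
    "/etc/rules/reports/net.txt": "ok",
    "/etc/rules/reports/org.txt": "missing",
}


def sample_probe(path):
    """Probe used for the constructed sample instead of the filesystem."""
    return SAMPLE_STATE.get(path, "missing")


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # newline="" keeps "\r\n" intact so the CR LF check can see it.
        with open(sys.argv[1], newline="") as handle:
            results = lint_ruleset(handle.read())
    else:
        results = lint_ruleset(SAMPLE, probe=sample_probe)
    for number, code, detail in results:
        print(f"line {number}: {code}: {detail}")
    sys.exit(1 if results else 0)
```

With a ruleset path as its argument the script checks the real files; with no argument it runs on the constructed sample.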
From: E.H.Beekman at AMC.UVA.NL (Ewald Beekman) Date: Thu Jan 12 21:17:39 2006 Subject: Fwd: CERT Advisory CA-2003-12 Buffer Overflow in Sendmail In-Reply-To: <3C277926-6257-11D7-94CC-000393B9390A@strong-box.net> References: <3C277926-6257-11D7-94CC-000393B9390A@strong-box.net> Message-ID: <20030330193708.GA29632@elmo.amc.uva.nl> Saw on rpmfind.net that the Polish Linux Distro also had a rpm out for the new 8.12.9 ftp://fr2.rpmfind.net/linux/PLD/dists/ra/updates/security/i686/sendmail-8.12.9-1.i686.rpm With a little tweaking you can run that binary on RH-8, you also have to install db3.1 from RH-7.2 and add two links: [~]# cd /lib [/lib]# ln -s libcrypto.so.0.9.6b libcrypto.so.0.9.6.1 [/lib]# ln -s libssl.so.0.9.6b libssl.so.0.9.6.1 But if you are using certain features with your sendmail config you might run into trouble because the PLD version has less options compiled in: []# /usr/sbin/sendmail-8.12.9 -d0.1 < /dev/null Version 8.12.9 Compiled with: DNSMAP LDAPMAP LOG MATCHGECOS MIME7TO8 MIME8TO7 NAMED_BIND NETINET NETINET6 NETUNIX NEWDB NIS PIPELINING SASL SCANF STARTTLS USERDB USE_LDAP_INIT []# /usr/sbin/sendmail.sendmail -d0.1 < /dev/null Version 8.12.8 Compiled with: DNSMAP HESIOD HES_GETMAILHOST LDAPMAP LOG MAP_REGEX MATCHGECOS MILTER MIME7TO8 MIME8TO7 NAMED_BIND NETINET NETINET6 NETUNIX NEWDB NIS PIPELINING SASL SCANF STARTTLS TCPWRAPPERS USERDB USE_LDAP_INIT Ewald... On Sat, Mar 29, 2003 at 06:28:04PM -0800, Craig Pratt wrote: > Yes, it's time to patch sendmail again. > > The only distro at this time with the new version (8.12.9) or patch is > slackware, AFAIK. > > Why does this always happen on the weekend? > > Craig > > --- > Craig Pratt > Strongbox Network Services Inc. > mailto:craig@strong-box.net > > Begin forwarded message: 
> >From: CERT Advisory > >Date: Sat Mar 29, 2003 11:57:59 AM US/Pacific > >To: cert-advisory@cert.org > >Subject: CERT Advisory CA-2003-12 Buffer Overflow in Sendmail > >X-Mailscanner-Spamcheck: not spam, SpamAssassin (score=1.4, required > >4, AWL, FROM_AND_TO_SAME_5, LINES_OF_YELLING, NOSPAM_INC, > >PGP_SIGNATURE, SPAM_PHRASE_02_03) > >X-Mailscanner-Spamscore: s > > > > > > > >-----BEGIN PGP SIGNED MESSAGE----- > > > >CERT Advisory CA-2003-12 Buffer Overflow in Sendmail > > > > Original release date: March 29, 2003 > > Last revised: > > Source: CERT/CC > > > > A complete revision history can be found at the end of this file. > > > >Systems Affected > > > > * Sendmail Pro (all versions) > > * Sendmail Switch 2.1 prior to 2.1.6 > > * Sendmail Switch 2.2 prior to 2.2.6 > > * Sendmail Switch 3.0 prior to 3.0.4 > > * Sendmail for NT 2.X prior to 2.6.3 > > * Sendmail for NT 3.0 prior to 3.0.4 > > * Systems running open-source sendmail versions prior to > >8.12.9, > > including UNIX and Linux systems > > > >Overview > > > > There is a vulnerability in sendmail that can be exploited to > >cause a > > denial-of-service condition and could allow a remote attacker > >to > > execute arbitrary code with the privileges of the sendmail > >daemon, > > typically root. > > > >I. Description > > > > There is a remotely exploitable vulnerability in sendmail that > >could > > allow an attacker to gain control of a vulnerable sendmail > >server. > > Address parsing code in sendmail does not adequately check the > >length > > of email addresses. An email message with a specially crafted > >address > > could trigger a stack overflow. This vulnerability was discovered > >by > > Michal Zalewski. > > > > This vulnerability is different than the one described in > >CA-2003-07. > > > > Most organizations have a variety of mail transfer agents (MTAs) > >at > > various locations within their network, with at least one exposed > >to > > the Internet. 
Since sendmail is the most popular MTA, > >most > > medium-sized to large organizations are likely to have at least > >one > > vulnerable sendmail server. In addition, many UNIX and > >Linux > > workstations provide a sendmail implementation that is enabled > >and > > running by default. > > > > This vulnerability is message-oriented as opposed > >to > > connection-oriented. That means that the vulnerability is triggered > >by > > the contents of a specially-crafted email message rather than > >by > > lower-level network traffic. This is important because an MTA > >that > > does not contain the vulnerability will pass the malicious > >message > > along to other MTAs that may be protected at the network level. > >In > > other words, vulnerable sendmail servers on the interior of a > >network > > are still at risk, even if the site's border MTA uses software > >other > > than sendmail. Also, messages capable of exploiting this > >vulnerability > > may pass undetected through many common packet filters or firewalls. > > > > This vulnerability has been successfully exploited to cause > > a > > denial-of-service condition in a laboratory environment. It > >is > > possible that this vulnerability could be used to execute code on > >some > > vulnerable systems. > > > > The CERT/CC is tracking this issue as VU#897604. This reference > >number > > corresponds to CVE candidate CAN-2003-0161. > > > > For more information, please see > > > > http://www.sendmail.org > > http://www.sendmail.org/8.12.9.html > > http://www.sendmail.com/security/ > > > > For the latest information about this vulnerability, including > >the > > most recent vendor information, please see > > > > http://www.kb.cert.org/vuls/id/897604 > > > > This vulnerability is distinct from VU#398025. > > > >II. Impact > > > > Successful exploitation of this vulnerability may cause > > a > > denial-of-service condition or allow an attacker to gain > >the > > privileges of the sendmail daemon, typically root. 
Even > >vulnerable > > sendmail servers on the interior of a given network may be at > >risk > > since the vulnerability is triggered by the contents of a > >malicious > > email message. > > > >III. Solution > > > >Apply a patch from Sendmail, Inc. > > > > Sendmail has produced patches for versions 8.9, 8.10, 8.11, and > >8.12. > > However, the vulnerability also exists in earlier versions of > >the > > code; therefore, site administrators using an earlier version > >are > > encouraged to upgrade to 8.12.9. These patches, and a signature > >file, > > are located at > > > > ftp://ftp.sendmail.org/pub/sendmail/prescan.tar.gz.uu > > ftp://ftp.sendmail.org/pub/sendmail/prescan.tar.gz.uu.asc > > > >Apply a patch from your vendor > > > > Many vendors include vulnerable sendmail servers as part of > >their > > software distributions. We have notified vendors of this > >vulnerability > > and recorded the statements they provided in Appendix A of > >this > > advisory. The most recent vendor information can be found in > >the > > systems affected section of VU#897604. > > > >Enable the RunAsUser option > > > > There is no known workaround for this vulnerability. Until a patch > >can > > be applied, you may wish to set the RunAsUser option to reduce > >the > > impact of this vulnerability. As a good general practice, the > >CERT/CC > > recommends limiting the privileges of an application or > >service > > whenever possible. > > > >Appendix A. - Vendor Information > > > > This appendix contains information provided by vendors for > >this > > advisory. As vendors report new information to the CERT/CC, we > >will > > update this section and note the changes in our revision history. > >If a > > particular vendor is not listed below, we have not received > >their > > comments. > > > >Red Hat Inc. > > > > Red Hat distributes sendmail in all Red Hat Linux distributions. 
> >We > > are currently [Mar29] working on producing errata packages to > >correct > > this issue, when complete these will be available along with > >our > > advisory at the URL below. At the same time users of the Red > >Hat > > Network will be able to update their systems using the 'up2date' > >tool. > > > > Red Hat Linux: > > > > http://rhn.redhat.com/errata/RHSA-2003-120.html > > > > Red Hat Enterprise Linux: > > > > http://rhn.redhat.com/errata/RHSA-2003-121.html > > > >The Sendmail Consortium > > > > The Sendmail Consortium recommends that sites upgrade to > >8.12.9 > > whenever possible. Alternatively, patches are available for 8.9, > >8.10, > > 8.11, and 8.12 on http://www.sendmail.org/. > > > >Sendmail, Inc. > > > > All commercial releases including Sendmail Switch, Sendmail > >Advanced > > Message Server (which includes the Sendmail Switch MTA), Sendmail > >for > > NT, and Sendmail Pro are affected by this issue. Patch information > >is > > available at http://www.sendmail.com/security/. > > _________________________________________________________________ > > > > Our thanks to Eric Allman, Claus Assmann, Greg Shapiro, and > >Dave > > Anderson of Sendmail for reporting this problem and for > >their > > assistance in coordinating the response to this problem. We also > >thank > > Michal Zalewski for discovering this vulnerability. > > _________________________________________________________________ > > > > Authors: Art Manion and Shawn V. 
Hernan > > > >______________________________________________________________________ > > > > This document is available from: > > http://www.cert.org/advisories/CA-2003-12.html > > > >______________________________________________________________________ > > > >CERT/CC Contact Information > > > > Email: cert@cert.org > > Phone: +1 412-268-7090 (24-hour hotline) > > Fax: +1 412-268-6989 > > Postal address: > > CERT Coordination Center > > Software Engineering Institute > > Carnegie Mellon University > > Pittsburgh PA 15213-3890 > > U.S.A. > > > > CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) > > / > > EDT(GMT-4) Monday through Friday; they are on call for > >emergencies > > during other hours, on U.S. holidays, and on weekends. > > > >Using encryption > > > > We strongly urge you to encrypt sensitive information sent by > >email. > > Our public PGP key is available from > > http://www.cert.org/CERT_PGP.key > > > > If you prefer to use DES, please call the CERT hotline for > >more > > information. > > > >Getting security information > > > > CERT publications and other security information are available > >from > > our web site > > http://www.cert.org/ > > > > To subscribe to the CERT mailing list for advisories and > >bulletins, > > send email to majordomo@cert.org. Please include in the body of > >your > > message > > > > subscribe cert-advisory > > > > * "CERT" and "CERT Coordination Center" are registered in the > >U.S. > > Patent and Trademark Office. > > > >______________________________________________________________________ > > > > NO WARRANTY > > Any material furnished by Carnegie Mellon University and the > >Software > > Engineering Institute is furnished on an "as is" basis. 
> >Carnegie > > Mellon University makes no warranties of any kind, either expressed > >or > > implied as to any matter including, but not limited to, warranty > >of > > fitness for a particular purpose or merchantability, exclusivity > >or > > results obtained from use of the material. Carnegie Mellon > >University > > does not make any warranty of any kind with respect to freedom > >from > > patent, trademark, or copyright infringement. > > _________________________________________________________________ > > > > Conditions for use, disclaimers, and sponsorship information > > > > Copyright 2003 Carnegie Mellon University. > > Revision History > > > > March 29,2003: Initial release > > > >-----BEGIN PGP SIGNATURE----- > >Version: PGP 6.5.8 > > > >iQCVAwUBPoX5XGjtSoHZUTs5AQHvjgQAqTy3GQnszPHtUnUBX7VDM4NKSesFHHvC > >2JmDAMPYmCO2b32xvWDmMcWdPhOBmJLB2o6zv7mRWX1K0B1GN5TBErIii6dxTaDD > >OAUNjirMGdTr+WnxIjdk0gj57JbOU6ZdHHcAijG5SE/dZq4sMrOCGEAMJTVNDzYp > >BtHbFwDeLEY= > >=dgBI > >-----END PGP SIGNATURE----- > > > -- > This message checked for dangerous content by MailScanner on StrongBox. -- Ewald Beekman, Security Engineer, Academic Medical Center, dept. ADB/ICT Computer & Network Services, The Netherlands ## Your mind-mint is: This fortune is false. From mailscanner at BARENDSE.TO Sun Mar 30 23:36:35 2003 From: mailscanner at BARENDSE.TO (Remco Barendse) Date: Thu Jan 12 21:17:39 2006 Subject: MailScanner child dying of old age Message-ID: I am getting this message in my maillog every 5 minutes : Mar 30 21:09:42 MailScanner[4834]: MailScanner child dying of old age Is this something I should be worried about or how can I fix it? -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From mailscanner at BARENDSE.TO Sun Mar 30 23:41:03 2003 
From: mailscanner at BARENDSE.TO (Remco Barendse)
Date: Thu Jan 12 21:17:39 2006
Subject: MailScanner child dying of old age
In-Reply-To:
Message-ID:

Oops! Am a bit off there on the timing:

Mar 30 04:55:13 MailScanner[12509]: MailScanner child dying of old age
Mar 30 06:59:15 MailScanner[15500]: MailScanner child dying of old age
Mar 30 07:02:20 MailScanner[12792]: MailScanner child dying of old age
Mar 30 08:10:30 MailScanner[13714]: MailScanner child dying of old age
Mar 30 08:54:32 MailScanner[13061]: MailScanner child dying of old age
Mar 30 10:56:14 MailScanner[24458]: MailScanner child dying of old age
Mar 30 11:25:14 MailScanner[26690]: MailScanner child dying of old age
Mar 30 13:49:47 MailScanner[27912]: MailScanner child dying of old age
Mar 30 15:15:38 MailScanner[30821]: MailScanner child dying of old age
Mar 30 17:03:50 MailScanner[31326]: MailScanner child dying of old age
Mar 30 18:16:56 MailScanner[26575]: MailScanner child dying of old age
Mar 30 18:21:12 MailScanner[28601]: MailScanner child dying of old age
Mar 30 21:09:42 MailScanner[4834]: MailScanner child dying of old age
Mar 30 21:19:40 MailScanner[1376]: MailScanner child dying of old age
Mar 30 21:25:15 MailScanner[2989]: MailScanner child dying of old age
Mar 30 22:31:29 MailScanner[6319]: MailScanner child dying of old age

On Mon, 31 Mar 2003, Remco Barendse wrote:

> I am getting this message in my maillog every 5 minutes :
> Mar 30 21:09:42 MailScanner[4834]: MailScanner child dying of old age
>
> Is this something I should be worried about or how can I fix it?

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From rick at EMERY.HOMELINUX.NET Mon Mar 31 00:33:05 2003
From: rick at EMERY.HOMELINUX.NET (Rick Emery)
Date: Thu Jan 12 21:17:39 2006
Subject: Fwd: CERT Advisory CA-2003-12 Buffer Overflow in Sendmail
In-Reply-To: <200303302304.h2UN4mf29337@emery.homelinux.net>
References: <200303302304.h2UN4mf29337@emery.homelinux.net>
Message-ID: <1049067185.6fadfb585f3db@www.emery.homelinux.net>

Quoting Craig Pratt :

> Why does this always happen on the weekend?

Just FYI, from Claus Assmann on the bugtraq list:

We apologize for releasing this information today (2003-03-29) but
we were forced to do so by an e-mail on a public mailing list (that
has been sent by an irresponsible individual) which contains
information about the security flaw.

------------------------------------------------
This email was sent using IMP v4.0-cvs, part of
the Horde suite of information management tools.
http://horde.org/

From sylvain.phaneuf at IMSU.OXFORD.AC.UK Mon Mar 31 11:26:55 2003
From: sylvain.phaneuf at IMSU.OXFORD.AC.UK (Sylvain Phaneuf)
Date: Thu Jan 12 21:17:39 2006
Subject: mailstats 0.18
Message-ID:

Hi,

I have found what the problem was - at least on our box. The mrtg.cfg file in mailstats/mrtg needed the full path for the first 3 lines:

LogDir: /opt/mailstats/mrtg
Htmldir: /opt/mailstats/mrtg
ImageDir: /opt/mailstats/mrtg/images

I am far from being a mailstats expert. If this doesn't help you, you may want to email the author of mailstats. I have asked him questions directly a few months ago and he was very helpful.

Good luck,

Sylvain

>>> lance@WARE.NET 29/03/2003 02:19:36 >>>
I keep getting the same but haven't had the time to track down. Any tips
are appreciated.

> -----Original Message-----
> From: Sylvain Phaneuf [mailto:sylvain.phaneuf@IMSU.OXFORD.AC.UK] > Sent: Friday, March 28, 2003 8:26 AM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: mailstats 0.18 > > > Is anyone running mailstats 0.18 with mrtg 2.9.27 ? > > I have been trying for several hours and cannot get it to > work. We are running the lot on RH 8.0 > > I keep getting errors like: > ---------------- > /usr/local/mrtg-2/bin/rateup: No such file or directory > Rateup Error: Can't open mrtg/images/mesgs/mesgs-day.png for write > ERROR: Skipping webupdates because rateup did not return > anything sensible > WARNING: rateup died from Signal 0 > with Exit Value 1 when doing router 'mesgs' > Signal was 0, Returncode was 1 > ..... > > Rateup is installed and in the coorect location... Any ideas? > > > > > Sylvain > > =========================================================== > Sylvain Phaneuf --- Computing Manager | phone : +44 (0)1865 221323 > Information Management Services Unit (Clinical School) > Oxford University | email : > sylvain.phaneuf@imsu.ox.ac.uk > Room 3A25B John Radcliffe Hospital | fax : +44 (0) 1865 221322 > Oxford OX3 9DU England > =========================================================== > From David.While at UCE.AC.UK Mon Mar 31 11:31:39 2003 
From: David.While at UCE.AC.UK (David While)
Date: Thu Jan 12 21:17:39 2006
Subject: mailstats 0.18
Message-ID:

Can you check the setting of $WorkDir and $HTMLDir in your mailstats config? The settings in the mrtg.cfg file you changed should be set from these values.

-----------------------------------------------------------------
David While
Technical Development Manager
Faculty of Computing, Information & English
University of Central England
Tel: 0121 331 6211

Sylvain Phaneuf
Sent by: MailScanner mailing list
31/03/2003 11:26
Please respond to MailScanner mailing list

To: MAILSCANNER@JISCMAIL.AC.UK
cc:
Subject: Re: mailstats 0.18

Hi,

I have found what the problem was - at least on our box. The mrtg.cfg file in mailstats/mrtg needed the full path for the first 3 lines:

LogDir: /opt/mailstats/mrtg
Htmldir: /opt/mailstats/mrtg
ImageDir: /opt/mailstats/mrtg/images

I am far from being a mailstats expert. If this doesn't help you, you may want to email the author of mailstats. I have asked him questions directly a few months ago and he was very helpful.

Good luck,

Sylvain

>>> lance@WARE.NET 29/03/2003 02:19:36 >>>
I keep getting the same but haven't had the time to track down. Any tips
are appreciated.

> -----Original Message-----
> From: Sylvain Phaneuf [mailto:sylvain.phaneuf@IMSU.OXFORD.AC.UK] > Sent: Friday, March 28, 2003 8:26 AM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: mailstats 0.18 > > > Is anyone running mailstats 0.18 with mrtg 2.9.27 ? > > I have been trying for several hours and cannot get it to > work. We are running the lot on RH 8.0 > > I keep getting errors like: > ---------------- > /usr/local/mrtg-2/bin/rateup: No such file or directory > Rateup Error: Can't open mrtg/images/mesgs/mesgs-day.png for write > ERROR: Skipping webupdates because rateup did not return > anything sensible > WARNING: rateup died from Signal 0 > with Exit Value 1 when doing router 'mesgs' > Signal was 0, Returncode was 1 > ..... > > Rateup is installed and in the coorect location... Any ideas? > > > > > Sylvain > > =========================================================== > Sylvain Phaneuf --- Computing Manager | phone : +44 (0)1865 221323 > Information Management Services Unit (Clinical School) > Oxford University | email : > sylvain.phaneuf@imsu.ox.ac.uk > Room 3A25B John Radcliffe Hospital | fax : +44 (0) 1865 221322 > Oxford OX3 9DU England > =========================================================== > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030331/bd983147/attachment.html From m.sapsed at BANGOR.AC.UK Mon Mar 31 14:31:14 2003 
From: m.sapsed at BANGOR.AC.UK (Martin Sapsed) Date: Thu Jan 12 21:17:39 2006 Subject: MailScanner child dying of old age References: Message-ID: <3E884322.7060909@bangor.ac.uk> Remco Barendse wrote: > I am getting this message in my maillog every 5 minutes : > Mar 30 21:09:42 MailScanner[4834]: MailScanner child dying of old age > > Is this something I should be worried about or how can I fix it? Isn't this a FAQ? I would assume that this is the message you get when a mailscanner process has been running for "Restart every..." minutes? Cheers, Martin -- Martin Sapsed Information Services "Who do you say I am?" University of Wales, Bangor Jesus of Nazareth From Cleveland at MAIL.WINNEFOX.ORG Mon Mar 31 14:42:13 2003 From: Cleveland at MAIL.WINNEFOX.ORG (Jody Cleveland) Date: Thu Jan 12 21:17:39 2006 Subject: About to update sendmail, but a few questions first. Message-ID: <84CFA712F666B44A94CE6BE116BAF4B0B4E586@MAIL> Hello, I'm running MailScanner with sendmail on redhat 8. I'm about to update the sendmail package, but because of troubles doing that in the past I thought I'd ask the group. Is there anything I need to be aware of before I update sendmail? Is there anything I need to do after? Has anyone here done it yet? Thanks! -- Jody Cleveland (cleveland@winnefox.org) Winnefox Library System Computer Support Specialist From mailscanner at ecs.soton.ac.uk Mon Mar 31 14:44:40 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:39 2006
Subject: About to update sendmail, but a few questions first.
In-Reply-To: <84CFA712F666B44A94CE6BE116BAF4B0B4E586@MAIL>
Message-ID: <5.2.0.9.2.20030331144219.0690c5c0@imap.ecs.soton.ac.uk>

At 14:42 31/03/2003, you wrote:
>Hello,
>
>I'm running MailScanner with sendmail on redhat 8. I'm about to update the
>sendmail package, but because of troubles doing that in the past I thought
>I'd ask the group. Is there anything I need to be aware of before I update
>sendmail? Is there anything I need to do after? Has anyone here done it yet?

You will probably find that doing the update will do a
        service sendmail restart
which you don't want. One easy way to stop that is, *before* you update, to
add some intentional syntax errors to /etc/sysconfig/sendmail

My copy of that file says this:

DAEMON=yes
QUEUE=1h
this is a syntax error to make service sendmail start barf horribly
so that it cannot be started by accident.
exit

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From Cleveland at MAIL.WINNEFOX.ORG Mon Mar 31 15:29:59 2003
From: Cleveland at MAIL.WINNEFOX.ORG (Jody Cleveland)
Date: Thu Jan 12 21:17:39 2006
Subject: About to update sendmail, but a few questions first.
Message-ID: <84CFA712F666B44A94CE6BE116BAF4B0B4E587@MAIL>

> You will probably find that doing the update will do a
>          service sendmail restart
> which you don't want. One easy way to stop that is, *before*

Wow, thanks for writing me back so quickly! Will up2date overwrite any
configuration files that you know of?

Jody

From m.sapsed at BANGOR.AC.UK Mon Mar 31 15:32:30 2003
From: m.sapsed at BANGOR.AC.UK (Martin Sapsed) Date: Thu Jan 12 21:17:39 2006 Subject: people putting {s p a m ?} in subject of list messages References: Message-ID: <3E88517E.2050902@bangor.ac.uk> Christopher Hicks wrote: > People putting {spam?} in the subject of list messages makes > differentiating between valid mailing list messages and possible spam > harder. Is there any way to get the mailing list to turn {spam?} into > {s p a m ?} or something similar? Please, please. I don't believe so. I think the listserv can be persuaded to refuse messages with {Spam?} in the subject but not alter them. Cheers, Martin -- Martin Sapsed Information Services "Who do you say I am?" University of Wales, Bangor Jesus of Nazareth From nerijus at USERS.SOURCEFORGE.NET Mon Mar 31 16:10:54 2003 From: nerijus at USERS.SOURCEFORGE.NET (Nerijus Baliunas) Date: Thu Jan 12 21:17:39 2006 Subject: Embedded Disallowed Filename Extension in Word Document In-Reply-To: References: Message-ID: <20030331152001.4C6B34C51B@mx.ktv.lt> On Thu, 27 Mar 2003 12:10:05 -0500 Christopher Hicks wrote: > > (i.e. Word macro viruses, etc will be caught by the virus scanners, but not > > all scanners will find a copy of EICAR embedded manually in a word doc) > > Does anybody have any experience with which would and which wouldn't? Kaspersky does: Current object: Doc1.doc Doc1.doc archive: Embedded Doc1.doc/C:/windows/IsUninst.exe ok. Scan process completed. Sector Objects : 0 Known viruses : 0 Files : 2 Virus bodies : 0 Folders : 0 Disinfected : 0 Archives : 1 Deleted : 0 Packed : 0 Warnings : 0 Suspicious : 0 Speed (Kb/sec) : 322 Corrupted : 0 Scan time : 00:00:01 I/O Errors : 0 Regards, Nerijus From HancockS at MORGANCO.COM Mon Mar 31 16:24:37 2003 
From: HancockS at MORGANCO.COM (Hancock, Scott)
Date: Thu Jan 12 21:17:39 2006
Subject: Whitelist help with domain rule.
Message-ID: <3EA1A302A4978A4C970D2C63F327156ED54208@worc-mail2.int.morganco.com>

Greetings all,

I'm having some trouble with whitelisting domains.

Below is the clip from my mail log

2003-03-31 09:54:54 1905Ms-0003yY-00 <= scott@gas.overthebars.com H=(gas.overthebars.com) [216.47.36.91] P=esmtp S=693 id= 20030331145520.GE4942@gas.overthebars.com

I can whitelist this server with this rule.

From: 216.47.36.91 yes

But this rule will not work

FromOrTo: *@*.overthebars.com yes

This rule will not work either.

From: *@gas.overthebars.com yes

Am I missing something obvious?

Thanks

Scott Hancock

From mailscanner at ecs.soton.ac.uk Mon Mar 31 16:26:46 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:39 2006
Subject: About to update sendmail, but a few questions first.
In-Reply-To: <84CFA712F666B44A94CE6BE116BAF4B0B4E587@MAIL>
Message-ID: <5.2.0.9.2.20030331162631.06997088@imap.ecs.soton.ac.uk>

At 15:29 31/03/2003, you wrote:
> > You will probably find that doing the update will do a
> >          service sendmail restart
> > which you don't want. One easy way to stop that is, *before*
>
>Wow, thanks for writing me back so quickly!

:-)

> Will up2date overwrite any
>configuration files that you know of?

It should not, no.
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From patricksteiner at BLUEWIN.CH Mon Mar 31 16:44:31 2003
From: patricksteiner at BLUEWIN.CH (Patrick Steiner)
Date: Thu Jan 12 21:17:39 2006
Subject: Dcc check doesn't work
Message-ID: <3E88625F.3090407@bluewin.ch>

sorry for my stupid question again

It seems DCC is not used by spamassassin when started from mailscanner. but when
i start spamassassin from the command line with the options -D i see that dcc works
fine.

i have activate a packet sniffer on my firewall to check the connections from my mailserver.
when i run spamassassin from the command line i see the follow connection:

10.0.0.3:1525 <--> 195.74.212.70:6277 UDP

and this is the dcc check

but when mailscanner check the mail for spam then i can't see any connection on UDP port 6277

so i think there is a "communication" problem between mailscanner and spamassassin

in the file (/opt/MailScanner/etc/spam.assassin.prefs.conf) i have activate this
options to use dcc check

# MailScanner: Comment out the next line to enable DCC checking if you
# have dcc installed (optional part of SpamAssassin)
score DCC_CHECK 5

the same problem i have with razor1

do you have any idea what i can do to active dcc checking?

From Kevin.Spicer at BMRB.CO.UK Mon Mar 31 16:59:49 2003
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin) Date: Thu Jan 12 21:17:39 2006 Subject: Dcc check doesn't work Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0EBF4E3@pascal.priv.bmrb.co.uk> > > It seems DCC is not used by spamassassin when started from > mailscanner. but when > i start spamassassin form the command line with the options > -D i see that dcc works > fine. It's turned off in spam.assassin.prefs.conf by default, have you tried commenting out the appropriate line in that file (can remember the exact directive, just search for dcc!) BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. From patricksteiner at BLUEWIN.CH Mon Mar 31 17:14:38 2003 
From: patricksteiner at BLUEWIN.CH (Patrick Steiner) Date: Thu Jan 12 21:17:39 2006 Subject: Dcc check doesn't work In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB0EBF4E3@pascal.priv.bmrb.co.uk> References: <5C0296D26910694BB9A9BBFC577E7AB0EBF4E3@pascal.priv.bmrb.co.uk> Message-ID: <3E88696E.109@bluewin.ch> yes i have. and i can't find any options to active dcc. here is my spam.assassin.prefs.conf file this line is the only one that i can find -------snip----------- ########################################################################### # Add your own customised scores for some tests below. The default scores are # read from the installed "spamassassin.cf" file, but you can override them # here. To see the list of tests and their default scores, go to # http://spamassassin.taint.org/tests.html . # MailScanner: Comment out the next line to enable DCC checking if you # have dcc installed (optional part of SpamAssassin) score DCC_CHECK 5 # # Added for MailScanner 14/6/2002 # If you specify these scores, SpamAssassin will do RBL checks as well as # MailScanner, which just wastes CPU power and network bandwidth. Either # do them here by uncommenting the rules below (if you have paid for them) # or else uncomment the "skip_rbl_checks" line above and let MailScanner # do the checks instead. # ------snip----------- Spicer, Kevin wrote: >>It seems DCC is not used by spamassassin when started from >>mailscanner. but when >>i start spamassassin form the command line with the options >>-D i see that dcc works >>fine. >> >> > >It's turned off in spam.assassin.prefs.conf by default, have you tried commenting out the appropriate line in that file (can remember the exact directive, just search for dcc!) > > > >BMRB International >http://www.bmrb.co.uk >+44 (0)20 8566 5000 >_________________________________________________________________ >This message (and any attachment) is intended only for the >recipient and may contain confidential and/or privileged >material. 
If you have received this in error, please contact the >sender and delete this message immediately. Disclosure, copying >or other action taken in respect of this email or in >reliance on it is prohibited. BMRB International Limited >accepts no liability in relation to any personal emails, or >content of any email which does not directly relate to our >business. > > > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20030331/dba74b9f/attachment.html From patricksteiner at BLUEWIN.CH Mon Mar 31 18:07:30 2003 
From: patricksteiner at BLUEWIN.CH (Patrick Steiner) Date: Thu Jan 12 21:17:39 2006 Subject: command line spamassassin make not the same test as mailscanner Message-ID: <3E8875D2.20302@bluewin.ch> command line spamassassin make not the same test as mailscanner but this test is for me very important because it defined are this mail spam or not and this mail is a spam mail EXAMPLE: ------------- The follow report is from a spammail and mailscanner doesent catch this mail as spam Spamassassin -D ----------------- Content analysis details: (6.40 points, 5 required) SEARCH_ENGINE_PROMO (1.7 points) BODY: Discusses search engine listings HTML_WEB_BUGS (0.1 points) BODY: Image tag with an ID code to identify you HTML_30_40 (0.8 points) BODY: Message is 30% to 40% HTML HTML_MESSAGE (0.1 points) BODY: HTML included in message HTML_LINK_CLICK_HERE (0.1 points) BODY: HTML link text says "click here" HTML_TABLE_THICK_BORDER (1.1 points) BODY: HTML table has thick border HTML_FONT_COLOR_GRAY (0.1 points) BODY: HTML font color is gray RCVD_IN_OSIRUSOFT_COM (0.6 points) RBL: Received via a relay in relays.osirusoft.com [RBL check: found 228.40.150.66.relays.osirusoft.com., type: 127.0.0.6] X_OSIRU_SPAMWARE_SITE (1.1 points) RBL: DNSBL: sender is a Spamware site or vendor RCVD_IN_SBL (0.6 points) RBL: Received via SBLed relay, see http://www.spamhaus.org/sbl/ [RBL check: found 228.40.150.66.sbl.spamhaus.org.] CLICK_BELOW (0.1 points) Asks you to click below Mailscanner: ------------- X-MailScanner-SpamCheck: not spam, SpamAssassin (score=4.1, required 4.4, CLICK_BELOW, HTML_30_40, HTML_FONT_COLOR_GRAY, HTML_LINK_CLICK_HERE, HTML_MESSAGE, HTML_TABLE_THICK_BORDER, HTML_WEB_BUGS, SEARCH_ENGINE_PROMO) From Kevin.Spicer at BMRB.CO.UK Mon Mar 31 18:30:59 2003 
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin) Date: Thu Jan 12 21:17:39 2006 Subject: Dcc check doesn't work Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0EBF4E4@pascal.priv.bmrb.co.uk> >this line is the only one that i can find > ># MailScanner: Comment out the next line to enable DCC checking if you ># have dcc installed (optional part of SpamAssassin) >score DCC_CHECK 5 Thats the one! Normally it is... score DCC_CHECK 0 (giving a test a zero score disables it) so you would either comment it out (to use the default spamassassin score) or give it a none zero value, which is what you have done. It should be working. BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. From Kevin.Spicer at BMRB.CO.UK Mon Mar 31 18:44:42 2003 
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin)
Date: Thu Jan 12 21:17:39 2006
Subject: command line spamassassin make not the same test as mailscanner
Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0A4AD66@pascal.priv.bmrb.co.uk>

Well these are the tests that SpamAssassin picks up on its own (but not through MS)...

> RCVD_IN_OSIRUSOFT_COM (0.6 points) RBL: Received via a relay in relays.osirusoft.com
>     [RBL check: found 228.40.150.66.relays.osirusoft.com., type: 127.0.0.6]
> X_OSIRU_SPAMWARE_SITE (1.1 points) RBL: DNSBL: sender is a Spamware site or vendor
> RCVD_IN_SBL (0.6 points) RBL: Received via SBLed relay, see http://www.spamhaus.org/sbl/
>     [RBL check: found 228.40.150.66.sbl.spamhaus.org.]
>

...I'd say it's pretty likely that RBL checks (like these) are disabled in spam.assassin.prefs.conf (and maybe MS is doing RBL checks).

You have two choices...

1) Let MS do the RBL checks (make sure 'Spam List' is uncommented & has a value in MailScanner.conf) and disable spam checks in SpamAssassin (skip_rbl_checks 1 in spam.assassin.prefs.conf). In this circumstance you may want to drop the spam threshold slightly...

2) Disable RBL checks in MS (by commenting 'Spam List' in MailScanner.conf - don't change 'Spam Checks' though, that still needs to be yes). Turn on RBL checking in SA by commenting skip_rbl_checks in spam.assassin.prefs.conf and uncommenting the names of the checks you wish to do near the bottom of the file.

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000

From patricksteiner at BLUEWIN.CH Mon Mar 31 19:01:09 2003
From: patricksteiner at BLUEWIN.CH (Patrick Steiner)
Date: Thu Jan 12 21:17:39 2006
Subject: Dcc check doesn't work
In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB0EBF4E4@pascal.priv.bmrb.co.uk>
References: <5C0296D26910694BB9A9BBFC577E7AB0EBF4E4@pascal.priv.bmrb.co.uk>
Message-ID: <3E888265.2030107@bluewin.ch>

yes but it isn't working and i don't know why.......
i hope somebody has ideas to fix my problem

Spicer, Kevin wrote:

>>this line is the only one that i can find
>>
>># MailScanner: Comment out the next line to enable DCC checking if you
>># have dcc installed (optional part of SpamAssassin)
>>score DCC_CHECK 5
>
>That's the one! Normally it is...
>score DCC_CHECK 0
>(giving a test a zero score disables it) so you would either comment it out (to use the default spamassassin score) or give it a non-zero value, which is what you have done. It should be working.
>
>BMRB International
>http://www.bmrb.co.uk
>+44 (0)20 8566 5000

From raymond at PROLOCATION.NET Mon Mar 31 19:21:57 2003
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:17:39 2006 Subject: [RHSA-2003:120-01] Updated sendmail packages fix vulnerability (fwd) Message-ID: Hi! For RH users... : ---------- Forwarded message ---------- Date: Mon, 31 Mar 2003 12:14 -0500 
From: bugzilla@redhat.com To: redhat-watch-list@redhat.com, redhat-announce-list@redhat.com Cc: bugtraq@securityfocus.com, full-disclosure@lists.netsys.com Subject: [RHSA-2003:120-01] Updated sendmail packages fix vulnerability --------------------------------------------------------------------- Red Hat Security Advisory Synopsis: Updated sendmail packages fix vulnerability Advisory ID: RHSA-2003:120-01 Issue date: 2003-03-31 Updated on: 2003-03-31 Product: Red Hat Linux Keywords: sendmail Cross references: Obsoletes: RHSA-2003:073 CVE Names: CAN-2003-0161 --------------------------------------------------------------------- 1. Topic: Updated Sendmail packages are available to fix a vulnerability that allows local and possibly remote attackers to gain root privileges. 2. Relevant releases/architectures: Red Hat Linux 6.2 - i386 Red Hat Linux 7.0 - i386 Red Hat Linux 7.1 - i386 Red Hat Linux 7.2 - i386, ia64 Red Hat Linux 7.3 - i386 Red Hat Linux 8.0 - i386 Red Hat Linux 9 - i386 3. Problem description: Sendmail is a widely used Mail Transport Agent (MTA) which is included in all Red Hat Linux distributions. There is a vulnerability in Sendmail versions prior to and including 8.12.8. The address parser performs insufficient bounds checking in certain conditions due to a char to int conversion, making it possible for an attacker to take control of the application. Although no exploit currently exists, this issue is probably locally exploitable and may also be remotely exploitable. All users are advised to update to these erratum packages containing a backported patch which corrects these vulnerabilities. Red Hat would like to thank Michal Zalewski for finding and reporting this issue. 4. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. To update all RPMs for your particular architecture, run: rpm -Fvh [filenames] where [filenames] is a list of the RPMs you wish to upgrade. 
Only those RPMs which are currently installed will be updated. Those RPMs which are not installed but included in the list will not be updated. Note that you can also use wildcards (*.rpm) if your current directory *only* contains the desired RPMs. Please note that this update is also available via Red Hat Network. Many people find this an easier way to apply updates. To use Red Hat Network, launch the Red Hat Update Agent with the following command: up2date This will start an interactive process that will result in the appropriate RPMs being upgraded on your system. 5. RPMs required: Red Hat Linux 6.2: SRPMS: ftp://updates.redhat.com/6.2/en/os/SRPMS/sendmail-8.11.6-1.62.3.src.rpm i386: ftp://updates.redhat.com/6.2/en/os/i386/sendmail-8.11.6-1.62.3.i386.rpm ftp://updates.redhat.com/6.2/en/os/i386/sendmail-cf-8.11.6-1.62.3.i386.rpm ftp://updates.redhat.com/6.2/en/os/i386/sendmail-doc-8.11.6-1.62.3.i386.rpm Red Hat Linux 7.0: SRPMS: ftp://updates.redhat.com/7.0/en/os/SRPMS/sendmail-8.11.6-25.70.src.rpm i386: ftp://updates.redhat.com/7.0/en/os/i386/sendmail-8.11.6-25.70.i386.rpm ftp://updates.redhat.com/7.0/en/os/i386/sendmail-cf-8.11.6-25.70.i386.rpm ftp://updates.redhat.com/7.0/en/os/i386/sendmail-devel-8.11.6-25.70.i386.rpm ftp://updates.redhat.com/7.0/en/os/i386/sendmail-doc-8.11.6-25.70.i386.rpm Red Hat Linux 7.1: SRPMS: ftp://updates.redhat.com/7.1/en/os/SRPMS/sendmail-8.11.6-25.71.src.rpm i386: ftp://updates.redhat.com/7.1/en/os/i386/sendmail-8.11.6-25.71.i386.rpm ftp://updates.redhat.com/7.1/en/os/i386/sendmail-cf-8.11.6-25.71.i386.rpm ftp://updates.redhat.com/7.1/en/os/i386/sendmail-devel-8.11.6-25.71.i386.rpm ftp://updates.redhat.com/7.1/en/os/i386/sendmail-doc-8.11.6-25.71.i386.rpm Red Hat Linux 7.2: SRPMS: ftp://updates.redhat.com/7.2/en/os/SRPMS/sendmail-8.11.6-25.72.src.rpm i386: ftp://updates.redhat.com/7.2/en/os/i386/sendmail-8.11.6-25.72.i386.rpm ftp://updates.redhat.com/7.2/en/os/i386/sendmail-cf-8.11.6-25.72.i386.rpm 
ftp://updates.redhat.com/7.2/en/os/i386/sendmail-devel-8.11.6-25.72.i386.rpm ftp://updates.redhat.com/7.2/en/os/i386/sendmail-doc-8.11.6-25.72.i386.rpm ia64: ftp://updates.redhat.com/7.2/en/os/ia64/sendmail-8.11.6-25.72.ia64.rpm ftp://updates.redhat.com/7.2/en/os/ia64/sendmail-cf-8.11.6-25.72.ia64.rpm ftp://updates.redhat.com/7.2/en/os/ia64/sendmail-devel-8.11.6-25.72.ia64.rpm ftp://updates.redhat.com/7.2/en/os/ia64/sendmail-doc-8.11.6-25.72.ia64.rpm Red Hat Linux 7.3: SRPMS: ftp://updates.redhat.com/7.3/en/os/SRPMS/sendmail-8.11.6-25.73.src.rpm i386: ftp://updates.redhat.com/7.3/en/os/i386/sendmail-8.11.6-25.73.i386.rpm ftp://updates.redhat.com/7.3/en/os/i386/sendmail-cf-8.11.6-25.73.i386.rpm ftp://updates.redhat.com/7.3/en/os/i386/sendmail-devel-8.11.6-25.73.i386.rpm ftp://updates.redhat.com/7.3/en/os/i386/sendmail-doc-8.11.6-25.73.i386.rpm Red Hat Linux 8.0: SRPMS: ftp://updates.redhat.com/8.0/en/os/SRPMS/sendmail-8.12.8-5.80.src.rpm i386: ftp://updates.redhat.com/8.0/en/os/i386/sendmail-8.12.8-5.80.i386.rpm ftp://updates.redhat.com/8.0/en/os/i386/sendmail-cf-8.12.8-5.80.i386.rpm ftp://updates.redhat.com/8.0/en/os/i386/sendmail-devel-8.12.8-5.80.i386.rpm ftp://updates.redhat.com/8.0/en/os/i386/sendmail-doc-8.12.8-5.80.i386.rpm Red Hat Linux 9: SRPMS: ftp://updates.redhat.com/9/en/os/SRPMS/sendmail-8.12.8-5.90.src.rpm i386: ftp://updates.redhat.com/9/en/os/i386/sendmail-8.12.8-5.90.i386.rpm ftp://updates.redhat.com/9/en/os/i386/sendmail-cf-8.12.8-5.90.i386.rpm ftp://updates.redhat.com/9/en/os/i386/sendmail-devel-8.12.8-5.90.i386.rpm ftp://updates.redhat.com/9/en/os/i386/sendmail-doc-8.12.8-5.90.i386.rpm 6. 
Verification: These packages are GPG signed by Red Hat for security. Our key is available at http://www.redhat.com/solutions/security/news/publickey/ You can verify each package with the following command: rpm --checksig -v If you only wish to verify that each package has not been corrupted or tampered with, examine only the md5sum with the following command: md5sum 7. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0161 8. Contact: The Red Hat security contact is . More contact details at http://www.redhat.com/solutions/security/news/contact/ Copyright 2003 Red Hat, Inc.
From mailscanner at ecs.soton.ac.uk Mon Mar 31 19:35:43 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:39 2006
Subject: command line spamassassin make not the same test as mailscanner
In-Reply-To: <3E8875D2.20302@bluewin.ch>
Message-ID: <5.2.0.9.2.20030331193454.02647698@imap.ecs.soton.ac.uk>

The differences are that MailScanner for some reason didn't do the RBL checks.

RCVD_IN_OSIRUSOFT_COM (0.6 points) RBL: Received via a relay in relays.osirusoft.com
    [RBL check: found 228.40.150.66.relays.osirusoft.com., type: 127.0.0.6]
X_OSIRU_SPAMWARE_SITE (1.1 points) RBL: DNSBL: sender is a Spamware site or vendor
RCVD_IN_SBL (0.6 points) RBL: Received via SBLed relay, see http://www.spamhaus.org/sbl/
    [RBL check: found 228.40.150.66.sbl.spamhaus.org.]

Please check your spam.assassin.prefs.conf file and be sure you haven't got "skip_rbl_checks" set.

At 18:07 31/03/2003, you wrote:
>command line spamassassin does not make the same tests as mailscanner,
>but this test is very important for me because it decides whether this mail is
>spam or not, and this mail is a spam mail
>
>EXAMPLE:
>-------------
>
>The following report is from a spam mail, and mailscanner doesn't catch this mail
>as spam
>
>Spamassassin -D
>-----------------
>
>Content analysis details: (6.40 points, 5 required)
>SEARCH_ENGINE_PROMO (1.7 points) BODY: Discusses search engine listings
>HTML_WEB_BUGS (0.1 points) BODY: Image tag with an ID code to identify you
>HTML_30_40 (0.8 points) BODY: Message is 30% to 40% HTML
>HTML_MESSAGE (0.1 points) BODY: HTML included in message
>HTML_LINK_CLICK_HERE (0.1 points) BODY: HTML link text says "click here"
>HTML_TABLE_THICK_BORDER (1.1 points) BODY: HTML table has thick border
>HTML_FONT_COLOR_GRAY (0.1 points) BODY: HTML font color is gray
>RCVD_IN_OSIRUSOFT_COM (0.6 points) RBL: Received via a relay in relays.osirusoft.com
>    [RBL check: found 228.40.150.66.relays.osirusoft.com., type: 127.0.0.6]
>X_OSIRU_SPAMWARE_SITE (1.1 points) RBL: DNSBL: sender is a Spamware site or vendor
>RCVD_IN_SBL (0.6 points) RBL: Received via SBLed relay, see http://www.spamhaus.org/sbl/
>    [RBL check: found 228.40.150.66.sbl.spamhaus.org.]
>CLICK_BELOW (0.1 points) Asks you to click below
>
>Mailscanner:
>-------------
>
>X-MailScanner-SpamCheck: not spam, SpamAssassin (score=4.1, required 4.4,
>    CLICK_BELOW, HTML_30_40, HTML_FONT_COLOR_GRAY, HTML_LINK_CLICK_HERE,
>    HTML_MESSAGE, HTML_TABLE_THICK_BORDER, HTML_WEB_BUGS,
>    SEARCH_ENGINE_PROMO)

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

From mbowman at UDCOM.COM Mon Mar 31 20:31:02 2003
From: mbowman at UDCOM.COM (Matthew Bowman)
Date: Thu Jan 12 21:17:39 2006
Subject: [OT] Virus Scanning E-Valulation
Message-ID:

Hello All,

I have been evaluating Sophos, F-Prot and Clam on our server running MailScanner.

MS 4.13-4
SA 2.43
RH 7.2 w/ sendmail updated

Based on 136 files in /var/spool/MailScanner/quarantine, each of the 3 programs reported the following:

clamscan -r .

----------- SCAN SUMMARY -----------
Known viruses: 7495
Scanned directories: 114
Scanned files: 136
Infected files: 0
Data scanned: 25.83 Mb
Used threads: 2
I/O buffer size: 131072 bytes
Time: 1.735 sec (0 m 1 s)

sweep -f -di .

136 files swept in 4 seconds.
No viruses were discovered.
End of Sweep.

f-prot -auto -disinf .

Files: 136
MBRs: 0
Boot sectors: 0
Objects scanned: 293
Infected: 78
Suspicious: 0
Disinfected: 0
Deleted: 0
Renamed: 0

Example of f-prot output:

var/spool/MailScanner/quarantine/20030331/h2VJKYg01851/message->CADDZ3NN.scr
  Infection: W32/Klez.H@mm
Virus-infected files in archives cannot be deleted.

What is everyone else using for their scanner 'options' at the command line and scan e-mails through mailscanner?

Are the options that I am using to evaluate wrong in any way?

Thanks

Matthew K Bowman
Sys Admin
UDCom

From mailscanner at ecs.soton.ac.uk Mon Mar 31 20:44:29 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:39 2006
Subject: [OT] Virus Scanning E-Valulation
In-Reply-To:
Message-ID: <5.2.0.9.2.20030331204009.02662af8@imap.ecs.soton.ac.uk>

If you look in SweepViruses.pm you will find the list of command-line options that MailScanner passes to each of the -wrapper scripts to do the scanning:

clamscan -r --disable-summary --stdout
sweep -sc -f -all -rec -ss -archive -loopback --no-follow-symlinks --no-reset-atime -TNEF
f-prot -old -archive -dumb

Try that lot and see how your tests compare.

At 20:31 31/03/2003, you wrote:
>Hello All,
>
>I have been evaluating Sophos, F-Prot and Clam on our server running
>MailScanner.
>
>MS 4.13-4
>SA 2.43
>RH 7.2 w/ sendmail updated
>
>Based on 136 files in /var/spool/MailScanner/quarantine, each of the 3
>programs reported the following:
>
>clamscan -r .
>
>----------- SCAN SUMMARY -----------
>Known viruses: 7495
>Scanned directories: 114
>Scanned files: 136
>Infected files: 0
>Data scanned: 25.83 Mb
>Used threads: 2
>I/O buffer size: 131072 bytes
>Time: 1.735 sec (0 m 1 s)
>
>sweep -f -di .
>
>136 files swept in 4 seconds.
>No viruses were discovered.
>End of Sweep.
>
>f-prot -auto -disinf .
>
>Files: 136
>MBRs: 0
>Boot sectors: 0
>Objects scanned: 293
>Infected: 78
>Suspicious: 0
>Disinfected: 0
>Deleted: 0
>Renamed: 0
>
>Example of f-prot output:
>
>var/spool/MailScanner/quarantine/20030331/h2VJKYg01851/message->CADDZ3NN.scr
>  Infection: W32/Klez.H@mm
>Virus-infected files in archives cannot be deleted.
>
>What is everyone else using for their scanner 'options' at the command
>line and scan e-mails through mailscanner?
>
>Are the options that I am using to evaluate wrong in any way?
>
>Thanks
>
>Matthew K Bowman
>Sys Admin
>UDCom

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

From craig at STRONG-BOX.NET Mon Mar 31 21:30:55 2003
From: craig at STRONG-BOX.NET (Craig Pratt)
Date: Thu Jan 12 21:17:39 2006
Subject: CERT Advisory CA-2003-12 Buffer Overflow in Sendmail
In-Reply-To: <1049067185.6fadfb585f3db@www.emery.homelinux.net>
Message-ID:

It looks like RedHat has their sendmail update out. Their servers are difficult to get onto right now. But I found the updates on one mirror:

ftp://ftp.dc.aleron.net/pub/linux/redhat/ftp.redhat.com/linux/updates/

I haven't had any luck running up2date either - just get errors referring to "high load".

---
Craig Pratt
Strongbox Network Services Inc.
mailto:craig@strong-box.net

--
This message checked for dangerous content by MailScanner on StrongBox.

From jase at SENSIS.COM Mon Mar 31 21:45:00 2003
From: jase at SENSIS.COM (Desai, Jason)
Date: Thu Jan 12 21:17:39 2006
Subject: Dcc check doesn't work
Message-ID:

I was just having this problem too. I think I fixed it by making a symbolic link to dccproc in /usr/bin

ln -s /usr/local/bin/dccproc /usr/bin

I guess /usr/local/bin is not in the MailScanner's path.

You can also make sure you have

use_dcc 1

in spam.assassin.prefs.conf

Jason

-----Original Message-----
From: Patrick Steiner [mailto:patricksteiner@BLUEWIN.CH]
Sent: Monday, March 31, 2003 1:01 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: [MAILSCANNER] Dcc check doesn't work

yes but it isn't working and i don't know why.......
i hope somebody has ideas to fix my problem

Spicer, Kevin wrote:

this line is the only one that i can find

# MailScanner: Comment out the next line to enable DCC checking if you
# have dcc installed (optional part of SpamAssassin)
score DCC_CHECK 5

That's the one! Normally it is...
score DCC_CHECK 0
(giving a test a zero score disables it) so you would either comment it out (to use the default spamassassin score) or give it a non-zero value, which is what you have done. It should be working.

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000

From mailscanner at ecs.soton.ac.uk Mon Mar 31 21:54:40 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:17:39 2006
Subject: Dcc check doesn't work
In-Reply-To:
Message-ID: <5.2.0.9.2.20030331215247.0269d340@imap.ecs.soton.ac.uk>

At 21:45 31/03/2003, you wrote:
>I was just having this problem too. I think I fixed it by making a
>symbolic link to dccproc in /usr/bin
>
>ln -s /usr/local/bin/dccproc /usr/bin
>
>I guess /usr/local/bin is not in the MailScanner's path.

Indeed. MailScanner's path is
/sbin:/bin:/usr/sbin:/usr/bin
so that only system binaries will be found. This is quite intentional :)
It's at line 73 of /usr/sbin/MailScanner if you really want to change it.

>
>You can also make sure you have
>
>use_dcc 1
>
>in spam.assassin.prefs.conf
>
>Jason
>-----Original Message-----
>From: Patrick Steiner [mailto:patricksteiner@BLUEWIN.CH]
>Sent: Monday, March 31, 2003 1:01 PM
>To: MAILSCANNER@JISCMAIL.AC.UK
>Subject: Re: [MAILSCANNER] Dcc check doesn't work
>
>yes but it isn't working and i don't know why.......
>i hope somebody has ideas to fix my problem
>
>Spicer, Kevin wrote:
>>>this line is the only one that i can find
>>>
>>># MailScanner: Comment out the next line to enable DCC checking if you
>>># have dcc installed (optional part of SpamAssassin)
>>>score DCC_CHECK 5
>>
>>That's the one! Normally it is...
>>
>>score DCC_CHECK 0
>>
>>(giving a test a zero score disables it) so you would either comment it
>>out (to use the default spamassassin score) or give it a non-zero value,
>>which is what you have done. It should be working.
>>
>>BMRB International
>>http://www.bmrb.co.uk
>>+44 (0)20 8566 5000

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

From hden at KCBBS.GEN.NZ Mon Mar 31 22:35:48 2003
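Added example, not part of the original thread: why dccproc can be found from an administrator's shell yet not by MailScanner, reproduced in a scratch directory tree. The PATH value and the two dccproc locations come from the messages above; the login-shell PATH, the function names and the stand-in dccproc script are assumptions of this example.

```python
import os
import shutil
import tempfile

# Search path that the message above gives for MailScanner.
MAILSCANNER_PATH = "/sbin:/bin:/usr/sbin:/usr/bin"
# Assumed PATH of an administrator's login shell (not stated in the thread).
LOGIN_SHELL_PATH = "/usr/local/bin:" + MAILSCANNER_PATH


def resolve_under(path_value, helper, root=""):
    """Return where `helper` resolves using only `path_value`, or None.

    `root` is a prefix for every PATH entry so the check can run against a
    scratch tree instead of the live filesystem.
    """
    dirs = [root + d for d in path_value.split(":")]
    return shutil.which(helper, path=os.pathsep.join(dirs))


def build_scratch_root():
    """Create an empty tree with a stand-in dccproc in /usr/local/bin."""
    root = tempfile.mkdtemp(prefix="ms-path-demo-")
    for d in ("/sbin", "/bin", "/usr/sbin", "/usr/bin", "/usr/local/bin"):
        os.makedirs(root + d)
    helper = root + "/usr/local/bin/dccproc"  # constructed stand-in, not DCC
    with open(helper, "w") as fh:
        fh.write("#!/bin/sh\nexit 0\n")
    os.chmod(helper, 0o755)
    return root


def demo():
    """Return (found_in_login_shell, path_before_link, path_after_link)."""
    root = build_scratch_root()
    try:
        in_shell = resolve_under(LOGIN_SHELL_PATH, "dccproc", root)
        before = resolve_under(MAILSCANNER_PATH, "dccproc", root)
        # The fix from the thread: ln -s /usr/local/bin/dccproc /usr/bin
        os.symlink(root + "/usr/local/bin/dccproc", root + "/usr/bin/dccproc")
        after = resolve_under(MAILSCANNER_PATH, "dccproc", root)
        # Strip the scratch prefix so results read like real paths.
        return (
            in_shell is not None,
            before[len(root):] if before else None,
            after[len(root):] if after else None,
        )
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    shell_ok, before, after = demo()
    print("found from login shell:      ", shell_ok)
    print("found by MailScanner before: ", before)
    print("found by MailScanner after:  ", after)
```

Linking the one helper into /usr/bin, as in the message above, leaves the search path itself restricted to the system directories.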
From: hden at KCBBS.GEN.NZ (Hendrik den Hartog)
Date: Thu Jan 12 21:17:39 2006
Subject: MailScanner Status Check
In-Reply-To: <5.2.0.9.2.20030331215247.0269d340@imap.ecs.soton.ac.uk>
References: <5.2.0.9.2.20030331215247.0269d340@imap.ecs.soton.ac.uk>
Message-ID: <20030331213548.GC2792@mew.kcbbs.gen.nz>

Hello

I've just upgraded sendmail on a Redhat 8.0 to v 8.12.8-5.80
Am using Mailscanner 4.14.5

The status reports...

Checking MailScanner daemons:
    MailScanner:       [ OK ]
    incoming sendmail: [FAILED]
    outgoing sendmail: [ OK ]

But....everything *seems* to be working OK?

Anything to worry about? Change? Check?

Help/advice appreciated,,,

Cheers!
Hendrik

From steve at SWANEY.COM Mon Mar 31 23:18:30 2003
From: steve at SWANEY.COM (Steve Swaney)
Date: Thu Jan 12 21:17:39 2006
Subject: Problem with High Spam Score delivery options
In-Reply-To: <5.2.0.9.2.20030329192207.0231ca38@imap.ecs.soton.ac.uk>
Message-ID:

I haven't seen anyone else respond to Julian's email, so I'm guessing the problem may be specific to my system or configuration. I know enough perl to hurt myself so if anyone has any ideas on how I might troubleshoot this problem, I'd appreciate the hint.

I'm guessing the problem I'm having is probably in my MailScanner configuration since SpamAssassin doesn't appear to have a mechanism to reject spam - only to mark it.

BTW I have read the FAQs and Documentation but I may have missed something.

All help is greatly appreciated as I really LOVED the delete function.

Thanks,

Steve

On Saturday, March 29, 2003, at 02:22 PM, Julian Field wrote:

> Has anyone else seen this problem?
>
> At 19:10 29/03/2003, you wrote:
>> The "High Scoring Spam Action" was working just fine but since
>> upgrading to SpamAssassin 2.51 and then 2.52 along with MailScanner
>> 4.13.3, I cannot get the "High Scoring Spam Action" setting to have any
>> effect.
>>
>> I have reinstalled all from scratch and only changed:
>>
>> Virus Scanner = sophos
>> High Scoring Spam Action = bounce
>> Use SpamAssassin = yes
>>
>>
>> All else works as advertised
>>
>> I'm running redhat 8.0 and installed MailScanner and SpamAssassin from
>> the rpms.
>>
>> Thanks,
>>
>> Steve
>> Steve Swaney
>> Phone: (202) 352-3262
>> Fax: (202) 294-9496
>> Steve@Swaney.com
>
> --
> Julian Field
> www.MailScanner.info
> Professional Support Services at www.MailScanner.biz
> MailScanner thanks transtec Computers for their support
>

From steve at SWANEY.COM Mon Mar 31 23:27:46 2003
From: steve at SWANEY.COM (Steve Swaney)
Date: Thu Jan 12 21:17:39 2006
Subject: Embedded Disallowed Filename Extension in Word Document
In-Reply-To: <20030331220117.GA16686@hoiho.nz.lemon-computing.com>
Message-ID:

Sophos won't allow any "double" dot files. I've had to educate my users that filename.xxx.doc won't leave the site or be delivered to the site.

Steve

Steve Swaney
Phone: (202) 352-3262
Fax: (202) 294-9496
Steve@Swaney.com

On Monday, March 31, 2003, at 05:01 PM, Nick Phillips wrote:

> On Mon, Mar 31, 2003 at 05:10:54PM +0200, Nerijus Baliunas wrote:
>
>>> Does anybody have any experience with which would and which wouldn't?
>>
>> Kaspersky does:
>>
>> Current object: Doc1.doc
>> Doc1.doc archive: Embedded
>> Doc1.doc/C:/windows/IsUninst.exe ok.
>> Scan process completed.
>>
>> Sector Objects : 0           Known viruses : 0
>> Files          : 2           Virus bodies  : 0
>> Folders        : 0           Disinfected   : 0
>> Archives       : 1           Deleted       : 0
>> Packed         : 0           Warnings      : 0
>>                              Suspicious    : 0
>> Speed (Kb/sec) : 322         Corrupted     : 0
>> Scan time      : 00:00:01    I/O Errors    : 0
>
>
> Hmmm... I haven't seen that type of output from Kaspersky before; have you
> checked what happens when you run that file past mailscanner?
>
>
> Cheers,
>
>
> Nick
>
> --
> Nick Phillips -- nwp@lemon-computing.com
> You have the capacity to learn from mistakes. You'll learn a lot today.
>
>