From mark at TIPPINGMAR.COM Sat Nov 1 00:29:44 2003
From: mark at TIPPINGMAR.COM (Mark Nienberg)
Date: Thu Jan 12 21:20:48 2006
Subject: HTML Spam and other spam
In-Reply-To: <3FA26E98.12327.A0CBE70@localhost>
References: <3FA28EED.7010903@ucgbook.com>
Message-ID: <3FA28DF8.11383.A874BDF@localhost>

To correct my previous message, I see that the final release of SA 2.60 has changed the default values to:

# Mail which scores outside this range will be fed back into SpamAssassin's
# learning system automatically, to train the Bayesian scanner.
bayes_auto_learn_threshold_nonspam 0.1
bayes_auto_learn_threshold_spam 12.0

Which is more reasonable than the negative value that was there in earlier versions. Still, you may find 0.1 too low until Bayes is up and running.

Mark

From dickenson at CFMC.COM Sat Nov 1 00:58:34 2003
From: dickenson at CFMC.COM (Jim Dickenson)
Date: Thu Jan 12 21:20:48 2006
Subject: Why not white listed?
Message-ID:

In /etc/MailScanner/rules/spam.whitelist.rules I have the following as the first line:

From: *@*.example.com yes

The following headers and change to the subject indicate to me that this rule was not observed with the following information. Can anyone explain why this might have still been flagged as spam?

> From: person
> Subject: *Spam=5* More M. Davis
> Mime-Version: 1.0
> Content-Type: multipart/mixed;
> boundary="=====================_131703804==_"
> X-MailScanner-Information: Please contact Jim Dickenson for more information
> X-MailScanner: Found to be clean
> X-MailScanner-SpamCheck: spam, SpamAssassin (score=5.4, required 5,
> CALL_NOW 1.07, HOME_EMPLOYMENT 1.65, MORTGAGE_PITCH 0.69,
> WEIRD_QUOTING 1.92)
> X-MailScanner-SpamScore: sssss

TIA
--
Jim Dickenson mailto:dickenson@cfmc.com
Computers for Marketing Corporation http://www.cfmc.com/

From mkettler at EVI-INC.COM Sat Nov 1 01:05:05 2003
From: mkettler at EVI-INC.COM (Matt Kettler)
Date: Thu Jan 12 21:20:48 2006
Subject: Why not white listed?
In-Reply-To:
References:
Message-ID: <6.0.0.22.0.20031031200350.01cfd7b8@xanadu.evi-inc.com>

At 07:58 PM 10/31/2003, Jim Dickenson wrote:
>In /etc/MailScanner/rules/spam.whitelist.rules I have the following as the
>first line:
>
>From: *@*.example.com yes
>
>The following headers and change to the subject indicate to me that this
>rule was not observed with the following information. Can anyone explain why
>this might have still been flagged as spam?
>
> > From: person

because *.example.com doesn't match example.com... your whitelist rule will require two dots to be in the From: address.. but the email only has one.

From maillist at COMPUTER-MEDIC.US Sat Nov 1 13:51:09 2003
From: maillist at COMPUTER-MEDIC.US (David Shaw)
Date: Thu Jan 12 21:20:48 2006
Subject: {Scanned} Re: MailScanner memory spikes
In-Reply-To: <1066947230.23428.25.camel@bach.kevinspicer.co.uk>
Message-ID:

FYI I have been having the same problems here. After about 10 to 13 hours I get a dead box. The memory is maxed out. I did the upgrades and still it's the same. I have 1Gb of RAM but that does help. I have also stop the mail (blocked port 25) and that didn't help. Something just runs the memory out. So I know Redhat 9 doesn't play nice. Does anyone know if debian works with MailScanner?

Thanks, David

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Kevin Spicer
Sent: Thursday, October 23, 2003 3:14 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: {Scanned} Re: MailScanner memory spikes

On Thu, 2003-10-23 at 22:33, Edward L. Hannaford wrote:
>The server is currently functional with only 1 child, however the
>memory/CPU spike is still present; it just doesn't disable the server
>anymore. Any ideas what might cause this?

At a guess, frantic swapping. What's eating the memory? What are the CPU states when the load is high (mostly system or mostly user). Is the CPU maxed out or is the load caused by waiting on I/O? Are you running the MailScanner work directory in tmpfs? If so does taking it out of tmpfs solve the problem (maybe you are getting hit by a flood of huge emails using all your available memory?) What about the number of messages received during that time (Look at the mail relayed graph) is the size of the mail in proportion to its volume at that time (or is there a marked disproportionate spike in the Mbytes of Mail transferred graph)? Any cron jobs that happen at those times?

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000
_________________________________________________________________
This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business.

--
This message has been scanned for viruses and dangerous content by Guardian Towing, and is believed to be clean. Guardian Towing thanks Computer Medic for their support.
www.Computer-Medic.us (909) 704-9628

From raymond at PROLOCATION.NET Sat Nov 1 14:05:37 2003
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:20:48 2006
Subject: {Scanned} Re: MailScanner memory spikes
In-Reply-To:
Message-ID:

Hi!

> port 25) and that didn't help. Something just runs the memory out. So I know
> Redhat 9 doesn't play nice. Does anyone know if debian works with
> MailScanner?

We process daily around 1.500.000+ messages on RH9 with MS. So it's definitely not something regular that's going on. Runs perfectly here.

Bye, Raymond.

From ugob at CAMO-ROUTE.COM Sat Nov 1 14:54:44 2003
From: ugob at CAMO-ROUTE.COM (Ugo Bellavance)
Date: Thu Jan 12 21:20:48 2006
Subject: {Scanned} Re: MailScanner memory spikes
Message-ID: <54C38A0B814C8E438EF73FC76F3629273AE0C5@mtlnt501fs.CAMOROUTE.COM>

>
> FYI I have been having the same problems here. After about 10
> to 13 hours I
> get a dead box. The memory is maxed out. I did the upgrades
> and still it's
> the same. I have 1Gb of RAM but that does help. I have also
> stop the mail
> (blocked
> port 25) and that didn't help. Something just runs the memory
> out. So I know
> Redhat 9 doesn't play nice. Does anyone know if debian works with
> MailScanner?

Yes, MailScanner works on debian. However, to run the latest version, you must use 'testing' or 'unstable'

http://packages.debian.org/cgi-bin/search_packages.pl?keywords=mailscanner&searchon=names&subword=1&version=all&release=all

>
> Thanks, David
>
>

From raymond at PROLOCATION.NET Sat Nov 1 15:12:16 2003
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:20:48 2006
Subject: {Scanned} Re: MailScanner memory spikes
In-Reply-To: <54C38A0B814C8E438EF73FC76F3629273AE0C5@mtlnt501fs.CAMOROUTE.COM>
Message-ID:

Hi!

> > Redhat 9 doesn't play nice. Does anyone know if debian works with
> > MailScanner?

> Yes, MailScanner works on debian. However, to run the latest version,
> you must use 'testing' or 'unstable'

I am pretty sure it's not the RH9/MS stuff but something else playing up. We have boxes running for months, no problems ...

Bye, Raymond.

From ugob at CAMO-ROUTE.COM Sat Nov 1 15:15:08 2003
From: ugob at CAMO-ROUTE.COM (Ugo Bellavance)
Date: Thu Jan 12 21:20:48 2006
Subject: {Scanned} Re: MailScanner memory spikes
Message-ID: <54C38A0B814C8E438EF73FC76F3629273AE0C6@mtlnt501fs.CAMOROUTE.COM>

>
> > > Redhat 9 doesn't play nice. Does anyone know if debian works with
> > > MailScanner?
>
> > Yes, MailScanner works on debian. However, to run the
> latest version,
> > you must use 'testing' or 'unstable'
>
> I am pretty sure it's not the RH9/MS stuff but something else
> playing up.
> We have boxes running for months, no problems ...

I know I didn't solve his MS problem, I just answered the question about debian. Might help others. I also run RH9/MS since August and everything is fine.

Ugo

From kevins at BMRB.CO.UK Sat Nov 1 17:02:40 2003
From: kevins at BMRB.CO.UK (Kevin Spicer)
Date: Thu Jan 12 21:20:48 2006
Subject: autoupdate confusion?
In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB00188B072@pascal.priv.bmrb.co.uk>
References: <5C0296D26910694BB9A9BBFC577E7AB00188B072@pascal.priv.bmrb.co.uk>
Message-ID: <1067706160.24666.47.camel@bach.kevinspicer.co.uk>

On Sat, 2003-11-01 at 16:38, Jim Flowers wrote:
>I studied update_virus_scanners as a possible undocumented? solution
>but it
>has a number of problems:

It's actually the default and officially 'correct' way of doing it for MailScanner (but the install docs on the site do seem to be out of date in this respect). It's used automatically on rpm installs.

>1. It expects virus_scanners.conf to have three fields; the one in my
>distribution has only two. Without the PACKAGEDIR field, it will do
>nothing as written.

Then you have a version mismatch between upgrade_virus_scanners and virus_scanners.conf. For the current version of MailScanner the PACKAGEDIR field should be present in virus_scanners.conf.

>2. If the PACKAGEDIR field is present, the x$1 test in the
>clamav-wrapper
>program will fail as $1 is passed as PACKAGEDIR, not -IsItInstalled.

Not if you have the same version of that script I have. It's called as...

clamav-wrapper $PACKAGEDIR -IsItInstalled

The PACKAGEDIR is extracted from $1 then the arguments are shifted to make %1 = "-IsItInstalled"

Maybe your version of update_virus_scanners is more recent than your version of MailScanner? The addition of PACKAGEDIR is a recent one and there were changes to MailScanner, the wrapper and autoupdate scripts and update_virus_scanners to support it.

>These are easy enough to fix for a shell hacker and even easier to just
>run
>the freshclam wrapper directly,

You definitely should use update_virus_scanners if possible to ensure that mail isn't scanned during the update process.

From jflowers at EZO.NET Sat Nov 1 16:38:50 2003
From: jflowers at EZO.NET (Jim Flowers)
Date: Thu Jan 12 21:20:48 2006
Subject: autoupdate confusion?
Message-ID:

On Fri, 31 Oct 2003 17:58:02 +0000, Kevin Spicer wrote:
>You run update_virus_scanners as an hourly cron job (twice daily is way
>too infrequent), this calls the appropriate autoupdate script. In most
>cases the autoupdate script is a wrapper to the virus scanners own
>update mechanism (certainly true in the case of clam) which also creates
>a lock which prevents MailScanner trying to scan mail whilst the update
>is in progress.
>

I studied update_virus_scanners as a possible undocumented? solution but it has a number of problems:

1. It expects virus_scanners.conf to have three fields; the one in my distribution has only two. Without the PACKAGEDIR field, it will do nothing as written.
2. If the PACKAGEDIR field is present, the x$1 test in the clamav-wrapper program will fail as $1 is passed as PACKAGEDIR, not -IsItInstalled.

These are easy enough to fix for a shell hacker and even easier to just run the freshclam wrapper directly, however, my question was really about documentation of the intended operation.

As to the update frequency, I am really appreciative of the service that the ClamAV folks provide as the only truly effective no-cost virus scanner (at least that I have been able to find and qualify) so I don't like to overdo it. My logs show that they infrequently update more than once a day so I think that checking twice a day is sufficient.

ClamAV currently traps 4.3% of all incoming mail as containing a known virus and as most of them are directed against my personal account I am very happy to have it. There have been no false positives nor false negatives in several months of use. YMMV.

From mailscanner at ecs.soton.ac.uk Sat Nov 1 17:40:24 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:20:48 2006
Subject: ANNOUNCE: Beta 4.25-5 released
Message-ID: <5.2.0.9.2.20031101173342.02c1fd00@imap.ecs.soton.ac.uk>

There haven't been many changes this month, apart from some new additional code which I haven't yet thoroughly tested. The new code shouldn't get in the way, and the default setup has it disabled anyway. I am not planning a stable release for November, as there really haven't been enough changes to justify it.

I have added the "disarm" option for the "Allow ...." HTML checks, so you can choose to just disarm the individual HTML tags rather than convert the entire message to plain text. For other changes, see the ChangeLog below.

NOTE: A new module is used now, Net::CIDR. So you will either have to install this module from CPAN or else run the install.sh script again. If you want to install it from CPAN, then it's simply

    perl -MCPAN -e 'install Net::CIDR'

Download as usual from www.mailscanner.info

1/11/2003 New in Version 4.25-5
================================
* New Features and Improvements *
- Panda version 7.0 supported.
- Added dependency on Net::CIDR module so could add support for more ways
  of specifying IP ranges in rulesets. Can now do all of:
      152.78.
      /^152\.78/
      152.78.0.0/16
      152.78.0.0-152.78.255.255
- Added support for "disarm" option on all HTML tag detectors, which will
  disarm those tags while leaving the rest of the HTML intact.
- Added support for retrieving configuration from LDAP.
- Changed SpamAssassin timeout handler to kill processes and not process
  group.

* Fixes *
- RPM distribution install.sh script now checks and creates pod2text
  properly.
- A couple of others I forgot to document :-(

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Sat Nov 1 17:33:41 2003
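
The four IP-range notations listed in the 4.25-5 ChangeLog above, worked through as an added example (not part of the original message and not MailScanner's code, which is Perl and uses Net::CIDR). How each form is interpreted here, including reading `152.78.` as a text prefix, is an assumption; the sample addresses are constructed. It also shows how dropping the `^` anchor from the regex form widens a rule.

```python
import ipaddress
import re


def _norm(ip):
    """Validate a dotted-quad string and return its canonical text form."""
    return str(ipaddress.IPv4Address(ip))


def compile_ip_pattern(pattern):
    """Turn one ruleset-style IP pattern into a predicate ip_string -> bool."""
    pattern = pattern.strip()

    # /regex/ : matched against the address as text, so anchoring matters.
    if len(pattern) > 2 and pattern[0] == "/" and pattern[-1] == "/":
        rx = re.compile(pattern[1:-1])
        return lambda ip: rx.search(_norm(ip)) is not None

    # first-last : inclusive numeric range.
    if "-" in pattern:
        lo_text, hi_text = pattern.split("-", 1)
        lo = ipaddress.IPv4Address(lo_text.strip())
        hi = ipaddress.IPv4Address(hi_text.strip())
        if lo > hi:
            raise ValueError("range start is above range end: " + pattern)
        return lambda ip: lo <= ipaddress.IPv4Address(ip) <= hi

    # network/bits : CIDR block; strict=True rejects stray host bits.
    if "/" in pattern:
        net = ipaddress.IPv4Network(pattern, strict=True)
        return lambda ip: ipaddress.IPv4Address(ip) in net

    # 152.78. : leading octets as a text prefix. The trailing dot is required
    # here so that a pattern like "152.7" cannot also cover 152.78.x.x.
    if re.fullmatch(r"(?:\d{1,3}\.){1,3}", pattern):
        return lambda ip: _norm(ip).startswith(pattern)

    raise ValueError("unrecognised IP pattern: " + pattern)


def matches(pattern, ip):
    """True if the address falls under the pattern."""
    return compile_ip_pattern(pattern)(ip)


def disagreements(patterns, samples):
    """Return the sample addresses on which the patterns give different verdicts."""
    predicates = [compile_ip_pattern(p) for p in patterns]
    return [ip for ip in samples if len({pred(ip) for pred in predicates}) > 1]


# The four forms exactly as written in the ChangeLog.
PAGE_FORMS = [
    "152.78.",
    r"/^152\.78/",
    "152.78.0.0/16",
    "152.78.0.0-152.78.255.255",
]

# Constructed sample addresses: inside the /16, just outside it, and two
# addresses that merely contain the text "152.78".
SAMPLES = [
    "152.78.0.0",
    "152.78.1.1",
    "152.78.255.255",
    "152.79.0.1",
    "152.7.8.1",
    "10.152.78.1",
    "192.168.152.78",
]

if __name__ == "__main__":
    for ip in SAMPLES:
        print(ip, [matches(p, ip) for p in PAGE_FORMS])
    # The same regex without its ^ anchor no longer means "the 152.78 network".
    print("unanchored regex vs CIDR differ on:",
          disagreements([r"/152\.78/", "152.78.0.0/16"], SAMPLES))
```

When a regex-form rule is used for whitelisting, comparing it against the equivalent CIDR form over a handful of addresses, as `disagreements` does, catches an over-broad pattern before it goes into a ruleset.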
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:20:48 2006
Subject: autoupdate confusion?
In-Reply-To:
Message-ID: <5.2.0.9.2.20031101173151.03a24020@imap.ecs.soton.ac.uk>

At 16:38 01/11/2003, you wrote:
>I studied update_virus_scanners as a possible undocumented? solution but it
>has a number of problems:
>
>1. It expects virus_scanners.conf to have three fields; the one in my
>distribution has only two. Without the PACKAGEDIR field, it will do
>nothing as written.
>2. If the PACKAGEDIR field is present, the x$1 test in the clamav-wrapper
>program will fail as $1 is passed as PACKAGEDIR, not -IsItInstalled.
>
>These are easy enough to fix for a shell hacker and even easier to just run
>the freshclam wrapper directly, however, my question was really about
>documentation of the intended operation.

You have files out of sync using different versions for different files. You need to use matching versions of the -wrapper scripts, the -autoupdate scripts and virus.scanners.conf. Mix and match versions and all sorts of nasty things will happen, for which I take no responsibility whatsoever. :-)

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From jflowers at EZO.NET Sat Nov 1 18:50:36 2003
From: jflowers at EZO.NET (Jim Flowers)
Date: Thu Jan 12 21:20:48 2006
Subject: autoupdate confusion?
Message-ID:

OK, now I get it. Thanks to you both.

I installed MailScanner-4.22-5 from the FreeBSD port. Everything worked fine with a minimum of tweaking. As I was already using ClamAV, I just let freshclam keep doing its thing. As new versions came along I downloaded 4.23-11 and 4.24.5 but did not install them or upgrade as this is a production machine. Just used them for study. Then I learned about update_virus_scanners on this list, did a 'locate' and found one for each version's work directory but none installed (Makefile doesn't install it). Chose the wrong one to try and didn't realize it.

Sorry for the chatter. What a great list this is to respond so rapidly and completely. Much like the early days of FreeBSD. Thanks again.

From mailscanner at ecs.soton.ac.uk Sat Nov 1 18:57:53 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:20:48 2006
Subject: autoupdate confusion?
In-Reply-To:
Message-ID: <5.2.0.9.2.20031101185622.03ab8c40@imap.ecs.soton.ac.uk>

At 18:50 01/11/2003, you wrote:
>What a great list this is to respond so rapidly and completely. Much like
>the early days of FreeBSD.

And long may it continue. Thank you all!

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Sat Nov 1 20:25:22 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:20:48 2006
Subject: Long time no check
Message-ID: <5.2.0.9.2.20031101202132.03bfa698@imap.ecs.soton.ac.uk>

Folks,

I've been really busy for the last month or so (have to do my day job sometimes, despite my very hard working staff), and the list traffic continues to grow. So I haven't been able to keep up with everything that's going on.

Many thanks to all of those who answer the regular queries for me, that helps more than you could imagine!

Is there anything recently that I've missed and requires my attention? Please don't flood me with stuff, but I might have missed something vital. I'm keeping up (just about) with the mailscanner@ecs traffic, but I have probably dropped a few of them by mistake.

P.S. Hopefully the release today will address some of the outstanding important issues!

Jules

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From baldguy33165 at YAHOO.COM Sat Nov 1 23:02:10 2003
From: baldguy33165 at YAHOO.COM (Juan C. Quesada)
Date: Thu Jan 12 21:20:48 2006
Subject: Released quarantined message problem
In-Reply-To: <011e01c39f75$dd2ed5d0$6301a8c0@JK1>
Message-ID: <20031101230210.75077.qmail@web20803.mail.yahoo.com>

Yep, I think I may be having the same issue, except when I release the mail from quarantine, I see nothing happening to it.

--- Janne Karlsson wrote:
> I have a little problem with my quarantine messages
> in Mailwatch.
> When I release quarantine messages they will be marked
> as SPAM again and go
> back to quarantine..
>
> Any?

__________________________________
Do you Yahoo!?
Exclusive Video Premiere - Britney Spears
http://launch.yahoo.com/promos/britneyspears/

From faq at mailscanner.info Sun Nov 2 00:28:01 2003
From: faq at mailscanner.info (faq@mailscanner.info)
Date: Thu Jan 12 21:20:48 2006
Subject: Faq-O-Matic Error Log
Message-ID: <200311020028.hA20S1Pd007425@seer.ecs.soton.ac.uk>

Errors from MailScanner Faq-O-Matic (v. 2.717):

2003-10-26-07-34-27 2.717 error faq 6478 <(noID)> The file (16>) doesn't exist.
2003-10-29-00-51-17 2.717 error submitPass 14832 <(noID)> An email address must look like 'name@some.domain'. If yours () does and I keep rejecting it, please mail the administrator of this FAQ at faq@mailscanner.info and tell him or her what's happening.
2003-10-31-17-17-41 2.717 error faq 21797 <(noID)> error: Unknown command. Are you a confused robot or an 3l33t h@X0r? If neither, check with site admin to debug the problem.
2003-10-31-17-17-43 2.717 error faq 21798 <(noID)> error: Unknown command. Are you a confused robot or an 3l33t h@X0r? If neither, check with site admin to debug the problem.
2003-10-31-17-19-43 2.717 error faq 22325 <(noID)> error: Unknown command. Are you a confused robot or an 3l33t h@X0r? If neither, check with site admin to debug the problem.
2003-10-31-17-19-48 2.717 error faq 22326 <(noID)> error: Unknown command. Are you a confused robot or an 3l33t h@X0r? If neither, check with site admin to debug the problem.
2003-11-01-17-30-07 2.717 error faq 7259 <(noID)> error: Unknown command. Are you a confused robot or an 3l33t h@X0r? If neither, check with site admin to debug the problem.
2003-11-01-17-30-09 2.717 error faq 7261 <(noID)> error: Unknown command. Are you a confused robot or an 3l33t h@X0r? If neither, check with site admin to debug the problem.
2003-11-01-17-30-37 2.717 error faq 7269 <(noID)> error: Unknown command. Are you a confused robot or an 3l33t h@X0r? If neither, check with site admin to debug the problem.
2003-11-01-17-30-38 2.717 error faq 7270 <(noID)> error: Unknown command. Are you a confused robot or an 3l33t h@X0r? If neither, check with site admin to debug the problem.
From baldguy33165 at YAHOO.COM Sun Nov 2 01:12:40 2003
From: baldguy33165 at YAHOO.COM (Juan C. Quesada)
Date: Thu Jan 12 21:20:48 2006
Subject: SpamAssassin Could not be found
In-Reply-To: <000a01c3a0db$39356b30$0300000a@pete>
Message-ID: <20031102011240.90052.qmail@web20808.mail.yahoo.com>

I had the same issue when I installed the spamassassin 2.60 rpm. Are you upgrading from 2.44?

--- Pete russell wrote:
> I had postfix 2.6, red hat 9, mailscanner, mailwatch
> and the default RH9
> spam assassin installed and all working nicely. I
> stopped the mailscanner
> service and did an upgrade of spamassassin using the
> RPMs and rpm -Fvh
> installing perl-spamassassin, spamassassin and
> spamassassin-tools.
>
> RPM installation appeared to work fine.
>
> But since restarting Mailscanner SA no longer works
> and I see the
> following log entries, and lots of them
>
> ervice error for name=eatathome.com.au type=MX: Host
> not found, try
> again)
> Nov 1 17:33:45 localhost MailScanner[2152]:
> MailScanner E-Mail Virus
> Scanner version 4.24-5 starting...
> Nov 1 17:33:45 localhost MailScanner[2152]: Config:
> calling custom init
> function MailWatchLogging
> Nov 1 17:33:45 localhost MailScanner[2152]:
> Initialising database
> connection
> Nov 1 17:33:45 localhost MailScanner[2152]:
> Finished initialising
> database connection
> Nov 1 17:33:45 localhost MailScanner[2152]:
> SpamAssassin installation
> could not be found
>
> Is there anything I must do to point mailscanner at
> spamassassin? Or a
> different install process to use latest SA?
>
> Thanks in advance
> Pete
>

From baldguy33165 at YAHOO.COM Sun Nov 2 03:43:23 2003
From: baldguy33165 at YAHOO.COM (Juan C. Quesada)
Date: Thu Jan 12 21:20:48 2006
Subject: HTML Spam and other spam
In-Reply-To: <3FA28EED.7010903@ucgbook.com>
Message-ID: <20031102034323.21154.qmail@web20803.mail.yahoo.com>

I did install DCC as the INSTALL file stated. How do I verify that it is working with Mailscanner/Spam Assassin?

Thanks for your help

--- Peter Bonivart wrote:
> I use Bayes and DCC (instead of Razor) and they do
> an amazing job. They
> both trigger on almost all spam and together with
> the Spamcop RBL which
> is pretty aggressive they add 12 points. Bye bye
> spam.
>
> There's a lot of talk about the trouble learning
> Bayes but some that
> don't run Bayes might have missed that it learns
> itself anyway. Messages
> with very low score are considered ham and messages
> with very high score
> are considered spam. I don't use sa-learn and I
> still achieve amazing
> results. As I said it tags almost every spam message
> and it's 99% sure
> it's spam so that's a cool 5.4 points. It's a shame
> if people don't use
> Bayes because they think it's high maintenance.
>
> DCC is also really good and is easy to setup. Check
> the INSTALL file
> that comes with SA (or on the web). The instructions
> are on four lines.
>
> /Peter Bonivart
>
> --Unix lovers do it in the Sun
>
> Sun Fire V210, Solaris 9, MailScanner 4.23-11,
> SpamAssassin 2.60 + DCC
> 1.2.9, ClamAV 20030829
>
> Juan C. Quesada wrote:
> > I'm running the latest Mailscanner with spamassassin
> > 2.60. I have not configured Bayes or razor, nor do
> I
> > know how to do sa-learn.

From pete at EATATHOME.COM.AU Sun Nov 2 04:39:27 2003
From: pete at EATATHOME.COM.AU (Pete russell)
Date: Thu Jan 12 21:20:48 2006
Subject: SpamAssassin Could not be found
In-Reply-To: <20031102011240.90052.qmail@web20808.mail.yahoo.com>
Message-ID: <000201c3a0fb$4d851a70$0300000a@pete>

Yea 2.44 from the installation that installs when you install red hat - how do I undo this and get it working again? Or fix 2.60?
Have tried rpm -e and then re install old one, but it doesn't work

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Juan C. Quesada
Sent: Sunday, 2 November 2003 12:13 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: SpamAssassin Could not be found

I had the same issue when I installed the spamassassin 2.60 rpm. Are you upgrading from 2.44?

--- Pete russell wrote:
> I had postfix 2.6, red hat 9, mailscanner, mailwatch
> and the default RH9
> spam assassin installed and all working nicely. I
> stopped the mailscanner
> service and did an upgrade of spamassassin using the
> RPMs and rpm -Fvh
> installing perl-spamassassin, spamassassin and
> spamassassin-tools.
>
> RPM installation appeared to work fine.
>
> But since restarting Mailscanner SA no longer works
> and I see the
> following log entries, and lots of them
>
> ervice error for name=eatathome.com.au type=MX: Host
> not found, try
> again)
> Nov 1 17:33:45 localhost MailScanner[2152]:
> MailScanner E-Mail Virus
> Scanner version 4.24-5 starting...
> Nov 1 17:33:45 localhost MailScanner[2152]: Config:
> calling custom init
> function MailWatchLogging
> Nov 1 17:33:45 localhost MailScanner[2152]:
> Initialising database
> connection
> Nov 1 17:33:45 localhost MailScanner[2152]:
> Finished initialising
> database connection
> Nov 1 17:33:45 localhost MailScanner[2152]:
> SpamAssassin installation
> could not be found
>
> Is there anything I must do to point mailscanner at
> spamassassin? Or a
> different install process to use latest SA?
>
> Thanks in advance
> Pete
>

From matt at FILEHOLDER.NET Sun Nov 2 09:23:16 2003
From: matt at FILEHOLDER.NET (Matt)
Date: Thu Jan 12 21:20:48 2006
Subject: Dead Files in Mqueue.in
Message-ID: <002a01c3a122$f2ad4eb0$7800a8c0@matthewmpqowmc>

I have a number of dead files in mqueue.in and mqueue. Why does that happen? Should I delete them? I imagine the ones in mqueue are just waiting to get delivered and normal. The ones in mqueue.in is what I don't understand.

Matt

[root mqueue.in]# ls -l
total 1761
-rw------- 1 root root 815 Aug 28 11:47 dfh7SF1K325505
-rw------- 1 root root 2169 Aug 28 11:51 dfh7SF5u325867
-rw------- 1 root root 110 Aug 28 12:07 dfh7SFoe329849
-rw------- 1 root root 0 Oct 4 01:53 dfh946rTj26803
-rw------- 1 root root 207683 Oct 7 23:18 dfh983Vtr25169
-rw------- 1 root root 407544 Oct 8 19:56 dfh98MvIs09397
-rw------- 1 root root 114323 Oct 8 19:56 dfh98Navs14423
-rw------- 1 root root 51776 Oct 8 19:56 dfh98NDHs11331
-rw------- 1 root root 13478 Oct 8 19:56 dfh98NGrs11757
-rw------- 1 root root 276907 Oct 8 19:56 dfh98NTls13478
-rw------- 1 root root 19916 Oct 8 19:56 dfh990RVs24475
-rw------- 1 root root 21475 Oct 21 22:06 dfh9M20hI18019
-rw------- 1 root root 530938 Oct 21 22:06 dfh9M288I18969
-rw------- 1 root root 133197 Oct 21 22:06 dfh9M2sZI24796
lrwxrwxrwx 1 root root 26 Mar 17 2003 mqueue.in -> ../../home/spool/mqueue.in
[root mqueue.in]#

[root mqueue]# ls -l
total 409
-rw------- 1 root root 6051 Oct 28 10:12 dfh9SGCP501839
-rw------- 1 root root 22162 Oct 28 18:14 dfh9T0EaE04469
-rw------- 1 root root 133007 Oct 28 18:49 dfh9T0mtE10904
-rw------- 1 root root 124507 Oct 28 18:54 dfh9T0s3E11686
-rw------- 1 root root 10546 Oct 28 21:36 dfh9T3a1W03762
-rw------- 1 root root 8863 Oct 28 21:28 dfh9T3Sil02564
-rw------- 1 root root 24036 Oct 28 22:18 dfh9T45nR07585
-rw------- 1 root root 3482 Oct 29 10:17 dfh9TGHPZ17343
-rw------- 1 root root 67 Oct 29 17:36 dfh9TNaMF19472
-rw------- 1 root root 4264 Oct 29 21:44 dfh9U3i9616673
-rw------- 1 root root 7614 Oct 29 22:24 dfh9U4OMi21740
-rw------- 1 root root 3711 Oct 29 23:07 dfh9U57DE30414
-rw------- 1 root root 5553 Oct 30 03:20 dfh9U96rk23972
-rw------- 1 root root 5631 Oct 30 03:22 dfh9U9Lx425287
-rw------- 1 root root 8927 Oct 30 11:06 dfh9UH6B128842
-rw------- 1 root root 8559 Oct 30 12:56 dfh9UIuSE10621
-rw------- 1 root root 67 Oct 31 01:58 dfh9V7wVl07451
-rw------- 1 root root 67 Oct 31 19:07 dfhA117Cj20773
-rw------- 1 root root 1250 Oct 31 23:13 dfhA15DkE16770
-rw------- 1 root root 67 Nov 1 14:17 dfhA1KHJU30875
-rw------- 1 root root 861 Nov 2 03:13 qfh9SGCP501839
-rw------- 1 root root 833 Nov 2 03:13 qfh9T0EaE04469
-rw------- 1 root root 1039 Nov 2 03:13 qfh9T0mtE10904
-rw------- 1 root root 1171 Nov 2 03:17 qfh9T0s3E11686
-rw------- 1 root root 869 Nov 2 03:13 qfh9T3a1W03762
-rw------- 1 root root 869 Nov 2 03:13 qfh9T3Sil02564
-rw------- 1 root root 878 Nov 2 03:13 qfh9T45nR07585
-rw------- 1 root root 869 Nov 2 03:05 qfh9TGHPZ17343
-rw------- 1 root root 737 Nov 2 03:13 qfh9TNaMF19472
-rw------- 1 root root 864 Nov 2 03:00 qfh9U3i9616673
-rw------- 1 root root 879 Nov 2 03:05 qfh9U4OMi21740
-rw------- 1 root root 848 Nov 2 03:05 qfh9U57DE30414
-rw------- 1 root root 862 Nov 2 03:05 qfh9U96rk23972
-rw------- 1 root root 835 Nov 2 03:10 qfh9U9Lx425287
-rw------- 1 root root 861 Nov 2 03:05 qfh9UH6B128842
-rw------- 1 root root 1184 Nov 2 03:05 qfh9UIuSE10621
-rw------- 1 root root 698 Nov 2 03:05 qfh9V7wVl07451
-rw------- 1 root root 687 Nov 2 03:10 qfhA117Cj20773
-rw------- 1 root root 1248 Nov 2 03:17 qfhA15DkE16770
-rw------- 1 root root 707 Nov 2 03:12 qfhA1KHJU30875
-rw------- 1 root root 0 Nov 2 03:06 xfh9U3i9616673
-rw------- 1 root root 0 Nov 2 03:10 xfh9U4OMi21740
-rw------- 1 root root 0 Nov 2 03:17 xfh9U9Lx425287
-rw------- 1 root root 0 Nov 2 03:12 xfh9UH6B128842

From kevins at BMRB.CO.UK Sun Nov 2 10:51:29 2003
From: kevins at BMRB.CO.UK (Kevin Spicer)
Date: Thu Jan 12 21:20:48 2006
Subject: SpamAssassin Could not be found
In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB00188B07D@pascal.priv.bmrb.co.uk>
References: <5C0296D26910694BB9A9BBFC577E7AB00188B07D@pascal.priv.bmrb.co.uk>
Message-ID: <1067770290.24666.59.camel@bach.kevinspicer.co.uk>

On Sun, 2003-11-02 at 04:39, Pete russell wrote:
>Yea 2.44 from the installation that installs when you install red hat -
>how do I undo this and get it working again? Or fix 2.60?
>Have tried rpm -e and then re install old one, but it doesn't work

Remove spamassassin, then reinstall from the tarball. The rpms are known to cause problems for some folks (but not everyone). I don't think bayes had been introduced at 2.44(?) but if it had you may need to convert your bayes databases for them to work.

There's a guide to installing from the tarball here...
http://www.sng.ecs.soton.ac.uk/mailscanner/install/spamassassin.shtml

From kevins at BMRB.CO.UK Sun Nov 2 10:54:20 2003
From: kevins at BMRB.CO.UK (Kevin Spicer) Date: Thu Jan 12 21:20:48 2006 Subject: HTML Spam and other spam In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB00188B07C@pascal.priv.bmrb.co.uk> References: <5C0296D26910694BB9A9BBFC577E7AB00188B07C@pascal.priv.bmrb.co.uk> Message-ID: <1067770461.24667.63.camel@bach.kevinspicer.co.uk> On Sun, 2003-11-02 at 03:43, Juan C. Quesada wrote: >I did install DCC as the INSTALL file stated. how do i >verify that it is working with Mailscanner/Spam >Assassin? spamassassin -D -t < /some/file And watch the output BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 From pete at EATATHOME.COM.AU Sun Nov 2 00:49:51 2003
From: pete at EATATHOME.COM.AU (Pete russell)
Date: Thu Jan 12 21:20:48 2006
Subject: SpamAssassin Could not be found
Message-ID: <000a01c3a0db$39356b30$0300000a@pete>

I had postfix 2.6, red hat 9, mailscanner, mailwatch and the default RH9 spam assassin installed and all working nicely. I stopped the mailscanner service and did an upgrade of spamassassin using the RPMs and rpm -Fvh installing perl-spamassassin, spamassassin and spamassassin-tools.

RPM installation appeared to work fine.

But since restarting Mailscanner SA no longer works and I see the following log entries, and lots of them

ervice error for name=eatathome.com.au type=MX: Host not found, try again)
Nov 1 17:33:45 localhost MailScanner[2152]: MailScanner E-Mail Virus Scanner version 4.24-5 starting...
Nov 1 17:33:45 localhost MailScanner[2152]: Config: calling custom init function MailWatchLogging
Nov 1 17:33:45 localhost MailScanner[2152]: Initialising database connection
Nov 1 17:33:45 localhost MailScanner[2152]: Finished initialising database connection
Nov 1 17:33:45 localhost MailScanner[2152]: SpamAssassin installation could not be found

Is there anything I must do to point mailscanner at spamassassin? Or a different install process to use latest SA?

Thanks in advance
Pete

From pete at EATATHOME.COM.AU Sun Nov 2 11:41:19 2003
From: pete at EATATHOME.COM.AU (Pete russell)
Date: Thu Jan 12 21:20:48 2006
Subject: SpamAssassin Could not be found
In-Reply-To: <1067770290.24666.59.camel@bach.kevinspicer.co.uk>
Message-ID: <000601c3a136$3bc49230$0300000a@pete>

Thank you kindly - this was the perfect solution.

I uninstalled the rpms
Followed Julian's SA install guide and worked perfectly on start up.

Thanks again
Pete

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Kevin Spicer Sent: Sunday, 2 November 2003 9:51 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: SpamAssassin Could not be found On Sun, 2003-11-02 at 04:39, Pete russell wrote: >Yea 2.44 from the installation that installs when you install red hat - >how do I undo this and get it working again? Or fix 2.60? >Have tried rpm -e and then re install old one, but it doesn't work Remove spamassassin, then reinstall from the tarball. The rpms are known to cause problems for some folks (but not everyone). I don't think bayes had been introduced at 2.44(?) but if it had you may need to convert your bayes databases for them to work. Theres a guide to installing from the tarball here... http://www.sng.ecs.soton.ac.uk/mailscanner/install/spamassassin.shtml BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 From peter at UCGBOOK.COM Sun Nov 2 15:15:07 2003
From: peter at UCGBOOK.COM (Peter Bonivart)
Date: Thu Jan 12 21:20:48 2006
Subject: Dead Files in Mqueue.in
In-Reply-To: <002a01c3a122$f2ad4eb0$7800a8c0@matthewmpqowmc>
References: <002a01c3a122$f2ad4eb0$7800a8c0@matthewmpqowmc>
Message-ID: <3FA51F7B.3090909@ucgbook.com>

The default behavior of Sendmail is to try delivery for 5 days so if it's older than that it's not gonna get delivered. In your case you have only df-files with no matching qf-files, and since the qf-files contains the header information you can never deliver those anyway so you can just as well delete the df-files.

No files in your mqueue-directory are old enough to worry about.

/Peter Bonivart

--Unix lovers do it in the Sun

Sun Fire V210, Solaris 9, MailScanner 4.23-11, SpamAssassin 2.60 + DCC 1.2.9, ClamAV 20030829

Matt wrote:
> I have a number of dead files in mqueue.in and mqueue. Why does that
> happen? Should I delete them? I imagine the ones in mqueue are just
> waiting to get delivered and normal. The ones in mqueue.in is what I don't
> understand.

From kuh at IGHOSTING.COM Sun Nov 2 16:07:34 2003
From: kuh at IGHOSTING.COM (Kevin Hill)
Date: Thu Jan 12 21:20:48 2006
Subject: Implementing per domain scanning
Message-ID:

I need to implement per-domain rules for both virus and spam checks. Can both "Virus Scanning =" and "Spam Checks =" point to the same ruleset? For example:

MailScanner.conf:
Virus Scanning = %rulesdir%/per.domain.rules
Spam Checks = %rulesdir%/per.domain.rules

per.domain.rules:
FromOrTo: *@domain1.com no
FromOrTo: *@domain2.com no
FromOrTo: default yes

This would turn off virus and spam checks for domain1 and domain2 and allow checks for all other domains.

Would this be the most efficient method?

Thanks,
Kevin

From mailscanner at ecs.soton.ac.uk Sun Nov 2 16:27:48 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:20:48 2006
Subject: Implementing per domain scanning
In-Reply-To:
Message-ID: <5.2.0.9.2.20031102162722.0382eea8@imap.ecs.soton.ac.uk>

At 16:07 02/11/2003, you wrote:
>I need to implement per-domain rules for both virus and spam checks. Can
>both "Virus Scanning =" and "Spam Checks =" point to the same ruleset?

Yes.

>For
>example:
>
>MailScanner.conf:
>Virus Scanning = %rulesdir%/per.domain.rules
>Spam Checks = %rulesdir%/per.domain.rules
>
>
>per.domain.rules:
>FromOrTo: *@domain1.com no
>FromOrTo: *@domain2.com no
>FromOrTo: default yes
>
>This would turn off virus and spam checks for domain1 and domain2 and allow
>checks for all other domains.
>
>Would this be the most efficient method?

Should work just fine.
--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From henker at S-H-COM.DE Sun Nov 2 17:19:28 2003
From: henker at S-H-COM.DE (Steffan Henke) Date: Thu Jan 12 21:20:48 2006 Subject: OT: sendmail with Exim secondary MX Message-ID: Sorry for being OT this time, but I got a question regarding both sendmail+Exim so I hope to find a guru here instead of being flamed by either sendmail or Exim people on their list. The scenario I have is as follows: mx1.mydomain.com (sendmail+MS) mx2.mydomain.com (Exim, no MS yet, I am not really used to Exim yet) mx1 is a primary MX, mx2 a secondary and has mydomain.com in /etc/secondarymx . Now, what has actually happened is: Emails from ordb.org written as "marvin@marvin.ordb.org"@mydomain.com were accepted by the secondary mx, relayed to the primary mx, which in turn didn't deliver it locally, but instead relayed to marvin@marvin.ordb.org, resulting in a temporary listing at ordb.org. My question about this is: why did the Exim box accept "marvin@marvin.ordb.org"@mydomain.com in the first place ? Is that a valid address according to the RFC ? If it is, is there any way to reject messages written like that in Exim ? It should not relay them at all. Again sorry for being OT, I would appreciate help via PM if you mind replying to the list. If there is any general interest, I can summarize though. Meanwhile, I removed the setup and the secondary host is not listed anymore, but the whole thing buggers me, especially because I reject emails at the SMTP level if the host is listed at ordb.org, duh. Regards, Steffan From prussell at MTELIZA.COM.AU Sun Nov 2 21:25:28 2003 
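A recipient check for the quoted-local-part case described in the message above, as an added example that is not part of the original post and is not Exim or sendmail code: it splits the address at the last unquoted "@" and refuses local parts that themselves carry routing characters. The function names, the set of refused characters and the served-domain set are assumptions.

```python
import re

# Characters that turn a local part into a second address or a source
# route: "@", the "%" hack, UUCP "!". The exact set is an assumption.
ROUTING_CHARS = frozenset("@%!")


def split_rcpt(address):
    """Split an envelope address at the last '@' outside a quoted string."""
    in_quotes = escaped = False
    at = -1
    for i, ch in enumerate(address):
        if escaped:
            escaped = False          # character after a backslash is literal
        elif ch == "\\":
            escaped = True
        elif ch == '"':
            in_quotes = not in_quotes
        elif ch == "@" and not in_quotes:
            at = i
    if in_quotes or at <= 0 or at == len(address) - 1:
        raise ValueError("not a usable envelope address: %r" % address)
    return address[:at], address[at + 1:]


def unquote(local_part):
    """The local part as a later hop sees it once the quotes are removed."""
    if len(local_part) >= 2 and local_part[0] == local_part[-1] == '"':
        return re.sub(r"\\(.)", r"\1", local_part[1:-1])
    return local_part


def rcpt_verdict(address, served_domains):
    """Decide what an MX for served_domains should do with one RCPT address."""
    local_part, domain = split_rcpt(address)
    if domain.lower() not in served_domains:
        return "reject: relaying denied"
    # The domain is ours, so the address would be accepted; what matters is
    # whether the local part would read as another address further down.
    if ROUTING_CHARS & set(unquote(local_part)):
        return "reject: routing characters in local part"
    return "accept"


SERVED = {"mydomain.com"}

# Constructed sample recipients; the first is the form quoted in the post.
SAMPLES = [
    '"marvin@marvin.ordb.org"@mydomain.com',
    "steffan@mydomain.com",
    "marvin@marvin.ordb.org",
    "user%other.example@mydomain.com",
]


def check_samples():
    return {address: rcpt_verdict(address, SERVED) for address in SAMPLES}


if __name__ == "__main__":
    for address, verdict in check_samples().items():
        print("%-45s %s" % (address, verdict))
```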
From: prussell at MTELIZA.COM.AU (Peter Russell) Date: Thu Jan 12 21:20:48 2006 Subject: Announce: MailScanner-MRTG 0.06 released Message-ID: Installed 5 or 6 times this weekend, on postfix/rh9/mailscanner machine and worked perfectly everytime. Thanks for this GREAT tool. Pete Kevin Spicer Sent by: MailScanner mailing list 11/01/03 07:20 AM Please respond to MailScanner mailing list To: MAILSCANNER@JISCMAIL.AC.UK cc: Subject: Announce: MailScanner-MRTG 0.06 released I'm pleased to announce that MailScanner-MRTG version 0.06 is now available for download. New features include support for Postfix and Exim MTA's and the Solaris OS. There are also a number of performance enhancements, bugfixes and a few extra statistics, for these reasons users of earlier versions are advised to upgrade See the changelog for a full details. Please be aware when upgrading that there have been significant changes to the config file since the previous release. Downloads are available at the sourceforge project page http://sourceforge.net/projects/mailscannermrtg/ -- Kevin Spicer (kevin AT kevinspicer DOT co DOT uk) This message is digitally signed using the GNU Privacy Guard. My public key may be obtained from http://www.keyserver.net From raymond at PROLOCATION.NET Sun Nov 2 21:24:30 2003
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:20:48 2006
Subject: ANNOUNCE: Beta 4.25-5 released
In-Reply-To: <5.2.0.9.2.20031101173342.02c1fd00@imap.ecs.soton.ac.uk>
Message-ID:

Julian,

> 1/11/2003 New in Version 4.25-5
> ================================
> * New Features and Improvements *
> - Panda version 7.0 supported.
> - Added dependency on Net::CIDR module so could add support for more ways of
>   specifying IP ranges in rulesets. Can now do all of:
>       152.78.
>       /^152\.78/
>       152.78.0.0/16
>       152.78.0.0-152.78.255.255

Running like a charm. Upgraded two of our production boxes.

Thanks,
Raymond.

From cslyon at NETSVCS.COM Mon Nov 3 00:16:22 2003
From: cslyon at NETSVCS.COM (Christopher Lyon)
Date: Thu Jan 12 21:20:48 2006
Subject: Implementing per domain scanning
Message-ID:

Follow up question:

Would this scan only the mail for domain1 but not from?

Virus Scanning = %rulesdir%/per.domain.rules

per.domain.rules
To: *@domain1.com yes
FromOrTo: default yes

> -----Original Message-----
> From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] > Sent: Sunday, November 02, 2003 8:28 AM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Implementing per domain scanning > > At 16:07 02/11/2003, you wrote: > >I need to implement per-domain rules for both virus and spam checks. Can > >both "Virus Scanning =" and "Spam Checks =" point to the same ruleset? > > Yes. > > >For > >example: > > > >MailScanner.conf: > >Virus Scanning = %rulesdir%/per.domain.rules > >Spam Checks = %rulesdir%/per.domain.rules > > > > > >per.domain.rules: > >FromOrTo: *@domain1.com no > >FromOrTo: *@domain2.com no > >FromOrTo: default yes > > > >This would turn off virus and spam checks for domain1 and domain2 and > allow > >checks for all other domains. > > > >Would this be the most efficient method? > > Should work just fine. > -- > Julian Field > www.MailScanner.info > Professional Support Services at www.MailScanner.biz > MailScanner thanks transtec Computers for their support > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mike at CAMAROSS.NET Mon Nov 3 02:17:24 2003 From: mike at CAMAROSS.NET (Mike Kercher) Date: Thu Jan 12 21:20:48 2006 Subject: Implementing per domain scanning In-Reply-To: Message-ID: <200311030214.hA32EvEh027962@genesis.camaross.net> I think so...unless a user@domain1.com sends an email to user2@domain1.com You might need to add From: *@domain1.com no What are you trying to accomplish? > -----Original Message----- > From: MailScanner mailing list > [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Christopher Lyon > Sent: Sunday, November 02, 2003 6:16 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Implementing per domain scanning > > Follow up question: > > Would this scan only the mail for domain1 but not from? > > > Virus Scanning = %rulesdir%/per.domain.rules > > per.domain.rules > To: *@domain1.com yes > FromOrTo: default yes > > > > -----Original Message----- 
> > From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] > > Sent: Sunday, November 02, 2003 8:28 AM > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: Re: Implementing per domain scanning > > > > At 16:07 02/11/2003, you wrote: > > >I need to implement per-domain rules for both virus and > spam checks. > Can > > >both "Virus Scanning =" and "Spam Checks =" point to the same > ruleset? > > > > Yes. > > > > >For > > >example: > > > > > >MailScanner.conf: > > >Virus Scanning = %rulesdir%/per.domain.rules Spam Checks = > > >%rulesdir%/per.domain.rules > > > > > > > > >per.domain.rules: > > >FromOrTo: *@domain1.com no > > >FromOrTo: *@domain2.com no > > >FromOrTo: default yes > > > > > >This would turn off virus and spam checks for domain1 and > domain2 and > > allow > > >checks for all other domains. > > > > > >Would this be the most efficient method? > > > > Should work just fine. > > -- > > Julian Field > > www.MailScanner.info > > Professional Support Services at www.MailScanner.biz MailScanner > > thanks transtec Computers for their support PGP footprint: > EE81 D763 > > 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > From P.G.M.Peters at utwente.nl Mon Nov 3 08:10:08 2003 
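The two rulesets from the per-domain thread above and the four IP notations quoted from the 4.25-5 announcement, run through a small evaluator. This is an added example, not MailScanner's code or any poster's: it assumes first-match-wins evaluation, one recipient per message, and IP patterns tested only against the connecting client; the sample messages and the by-IP ruleset are constructed.

```python
import fnmatch
import ipaddress
import re
from collections import namedtuple

# Envelope sender, one envelope recipient, address of the connecting client.
Message = namedtuple("Message", "sender recipient client_ip")


def parse_ruleset(text):
    """Turn 'Direction: pattern value' lines into (direction, pattern, value)."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            direction, pattern, value = line.split(None, 2)
            rules.append((direction.rstrip(":").lower(), pattern, value))
    return rules


def ip_match(pattern, ip):
    """Test ip against one of the four IP notations.
    Returns None when the pattern is not an IP pattern at all."""
    if len(pattern) > 2 and pattern[0] == pattern[-1] == "/":
        return re.search(pattern[1:-1], ip) is not None        # /^152\.78/
    if re.fullmatch(r"(\d{1,3}\.){1,3}", pattern):
        return ip.startswith(pattern)                          # 152.78.
    if re.fullmatch(r"[\d.]+/\d{1,2}", pattern):               # 152.78.0.0/16
        network = ipaddress.ip_network(pattern, strict=False)
        return ipaddress.ip_address(ip) in network
    bounds = re.fullmatch(r"([\d.]+)-([\d.]+)", pattern)       # low-high
    if bounds:
        low, high = (ipaddress.ip_address(b) for b in bounds.groups())
        return low <= ipaddress.ip_address(ip) <= high
    return None


def side_matches(pattern, address, client_ip=None):
    """Match one side of a message. client_ip is only passed for the sender
    side: an IP pattern describes where the mail came from."""
    if pattern == "default":
        return True
    if ip_match(pattern, "0.0.0.0") is not None:               # IP-style rule
        return client_ip is not None and ip_match(pattern, client_ip)
    return fnmatch.fnmatchcase(address.lower(), pattern.lower())


def evaluate(rules, msg):
    """Value of the first rule that matches msg, or None."""
    for direction, pattern, value in rules:
        frm = side_matches(pattern, msg.sender, msg.client_ip)
        to = side_matches(pattern, msg.recipient)
        hit = {"from": frm, "to": to,
               "fromorto": frm or to, "fromandto": frm and to}[direction]
        if hit:
            return value
    return None


PER_DOMAIN = """
FromOrTo: *@domain1.com no
FromOrTo: *@domain2.com no
FromOrTo: default yes
"""
FOLLOW_UP = """
To: *@domain1.com yes
FromOrTo: default yes
"""
IP_FORMS = ["152.78.", r"/^152\.78/", "152.78.0.0/16",
            "152.78.0.0-152.78.255.255"]


def by_ip_ruleset(form):
    """Constructed ruleset: exempt by connecting host, not by sender name."""
    return parse_ruleset("From: %s no\nFromOrTo: default yes" % form)


# Constructed messages. CLAIMED only *says* it is from domain1.com; the
# envelope sender is whatever the connecting host chose to send.
INBOUND = Message("alice@elsewhere.example", "bob@domain1.com", "192.0.2.10")
CLAIMED = Message("ceo@domain1.com", "carol@elsewhere.example", "192.0.2.10")
ON_NET = Message("dave@elsewhere.example", "carol@elsewhere.example",
                 "152.78.10.20")

if __name__ == "__main__":
    for name, text in (("per.domain.rules", PER_DOMAIN),
                       ("follow-up", FOLLOW_UP)):
        rules = parse_ruleset(text)
        for label, msg in (("inbound", INBOUND), ("claimed", CLAIMED)):
            print(name, label, "->", evaluate(rules, msg))
    for form in IP_FORMS:
        rules = by_ip_ruleset(form)
        print(form, "->", evaluate(rules, ON_NET), evaluate(rules, CLAIMED))
```

In this model the first ruleset returns "no" for any message whose envelope sender ends in @domain1.com, wherever it connects from, and the follow-up ruleset returns "yes" for every message because its default is also "yes".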
From: P.G.M.Peters at utwente.nl (Peter Peters) Date: Thu Jan 12 21:20:48 2006 Subject: Long time no check In-Reply-To: <5.2.0.9.2.20031101202132.03bfa698@imap.ecs.soton.ac.uk> References: <5.2.0.9.2.20031101202132.03bfa698@imap.ecs.soton.ac.uk> Message-ID: On Sat, 1 Nov 2003 20:25:22 +0000, you wrote: >I've been really busy for the last month or so (have to do my day job >sometimes, despite my very hard working staff), and the list traffic >continues to grow. So I haven't been able to keep up with everything that's >going on. Many thanks to all of those who answer the regular queries for >me, that helps more than you could imagine! Glad to help. >Is there anything recently that I've missed and requires my attention? >Please don't flood me with stuff, but I might have missed something vital. >I'm keeping up (just about) with the mailscanner@ecs traffic, but I have >probably dropped a few of them by mistake. > >P.S. Hopefully the release today will address some of the outstanding >important issues! I have been wondering whether we should set something up to prevent feature requests from missing your attention (I kept one aside while you were on vacation). Perhaps features can be discussed in this maillist (or the one for wizards) and when a number of people think it is a good idea someone can mail it to you (at a special address?). -- Peter Peters, senior netwerkbeheerder Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE) Universiteit Twente, Postbus 217, 7500 AE Enschede telefoon: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/civ From alex at SKYNET-SRL.COM Mon Nov 3 08:36:38 2003 
From: alex at SKYNET-SRL.COM (Alessandro Bianchi) Date: Thu Jan 12 21:20:48 2006 Subject: SpamAssassin Could not be found In-Reply-To: <200311022356.hA2NuTFR020711@cdnet01.cdnet.it> References: <200311022356.hA2NuTFR020711@cdnet01.cdnet.it> Message-ID: Pete I had the very same problem with the rpm on RH 9. Downloaded the source and compiled it and everything went fine. Hope this helps Alessandro Bianchi > I had postfix 2.6, red hat 9, mailscanner, mailwatch and the default > RH9 > spam assassin installed and all working nicely. I stoped the > mailscanner > service and did an upgrade of spamassassin using the RPMs and rpm -Fvh > installing perl-spamassassin, spamassassin and spamassassin-tools. > > RPM installation appeared to work fine. > > But since restarting Mailscanner SA no longer works and I see the > following log entries, and lots of them > > ervice error for name=eatathome.com.au type=MX: Host not found, try > again) > Nov 1 17:33:45 localhost MailScanner[2152]: MailScanner E-Mail Virus > Scanner version 4.24-5 starting... > Nov 1 17:33:45 localhost MailScanner[2152]: Config: calling custom > init > function MailWatchLogging > Nov 1 17:33:45 localhost MailScanner[2152]: Initialising database > connection > Nov 1 17:33:45 localhost MailScanner[2152]: Finished initialising > database connection > Nov 1 17:33:45 localhost MailScanner[2152]: SpamAssassin installation > could not be found > > Is there anything I must do to point mailscanner at spamassassin? Or a > different install process to use latest SA? > > Thanks in advance > Pete From Kevin.Spicer at BMRB.CO.UK Mon Nov 3 09:04:24 2003 
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin)
Date: Thu Jan 12 21:20:48 2006
Subject: Long time no check
Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0A4AE2A@pascal.priv.bmrb.co.uk>

Peter Peters wrote:
> On Sat, 1 Nov 2003 20:25:22 +0000, you wrote:
> I have been wondering whether we should set something up to prevent
> feature requests from missing your attention (I kept one aside while
> you were on vacation). Perhaps features can be discussed in this
> maillist (or the one for wizards) and when a number of people think
> it is a good idea someone can mail it to you (at a special address?).

Or maybe have a second tier list 'developers' (perhaps) with those that are interested in the development side and/or are active on the users list could cross-post the relevant stuff (missing out the ever growing number of Q. Can I do this... A. Yes with rulesets. posts).

I have to say Julian that sometimes you are far too responsive(!), answering simple queries immediately they are posted - if you left them an hour or two the odds are someone would save you the trouble ;). We really should make better use of the FAQ too.

One final thought (something I saw on another list recently) how about adding a simple footer to list mail encouraging users with problems to specify important details in their original post (like MailScanner version, MTA, SA version etc.)

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000

From mailscanner at BARENDSE.TO Mon Nov 3 09:39:36 2003
From: mailscanner at BARENDSE.TO (Remco Barendse)
Date: Thu Jan 12 21:20:48 2006
Subject: New virus?
Message-ID:

We just received several messages that all contain a zip file. The df message is pasted below.

This must be a virus, how can I extract the zip file from the df/qf pair?

------------6693EF700027EA5
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

Will meet tonight as we agreed, because on Wednesday I don't think I'll make it,

so don't be late. And yes, by the way here is the file you asked for.
It's all written there. See you.

crkcnapn

------------6693EF700027EA5
Content-Type: application/x-zip-compressed; name="readnow.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="readnow.zip"

From Kevin.Spicer at BMRB.CO.UK Mon Nov 3 09:43:42 2003
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin)
Date: Thu Jan 12 21:20:48 2006
Subject: New virus?
Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0016497E4@pascal.priv.bmrb.co.uk>

Remco Barendse wrote:
> We just received several messages that all contain a zip file. The df
> message is pasted below.

I think it's probably MiMail-C
My Sophos is picking it up but clam is not.

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000

From mailscanner at BARENDSE.TO Mon Nov 3 10:00:29 2003
From: mailscanner at BARENDSE.TO (Remco Barendse) Date: Thu Jan 12 21:20:48 2006 Subject: New virus? In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB0016497E4@pascal.priv.bmrb.co.uk> Message-ID: I think it's a variant of Mimail.e because they are all sent from john@..... I now just totally blocked .zip files :) On Mon, 3 Nov 2003, Spicer, Kevin wrote: > Remco Barendse wrote: > > We just received several messages that all contain a zip file. The df > > message is pasted below. > > I think its probably MiMail-C My Sophos is picking it up but clam is not. > > > > BMRB International > http://www.bmrb.co.uk > +44 (0)20 8566 5000 > _________________________________________________________________ > This message (and any attachment) is intended only for the > recipient and may contain confidential and/or privileged > material. If you have received this in error, please contact the > sender and delete this message immediately. Disclosure, copying > or other action taken in respect of this email or in > reliance on it is prohibited. BMRB International Limited > accepts no liability in relation to any personal emails, or > content of any email which does not directly relate to our > business. > From raymond at PROLOCATION.NET Mon Nov 3 09:45:43 2003 From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:20:49 2006 Subject: New virus? In-Reply-To: Message-ID: Hi! > We just received several messages that all contain a zip file. The > df message is pasted below. > > This must be a virus, how can I extract the zip file from the df/qf pair? > so don't be late. And yes, by the way here is the file you asked for. > It's all written there. See you. > > crkcnapn > > ------------6693EF700027EA5 > Content-Type: application/x-zip-compressed; name="readnow.zip" > Content-Transfer-Encoding: base64 > Content-Disposition: attachment; filename="readnow.zip" Could you forward one to me please ? Thanks, Raymond. From shrek-m at GMX.DE Mon Nov 3 10:34:59 2003 
From: shrek-m at GMX.DE (shrek-m@gmx.de) Date: Thu Jan 12 21:20:49 2006 Subject: New virus? In-Reply-To: References: Message-ID: <3FA62F53.6090508@gmx.de> Remco Barendse wrote: >I think it's a variant of Mimail.e because they are all sent from >john@..... > > --snip-- List-Subscribe: From: Sophos Alert System To: notification@lists.sophos.com Delivery-date: Mon, 03 Nov 2003 03:34:02 +0100 Subject: Sophos Anti-Virus IDE alert: W32/Mimail-F Name: W32/Mimail-F Aliases: I-Worm.Mimail.g, W32/Mimail.gen@MM Type: Win32 worm Date: 3 November 2003 http://www.sophos.com/virusinfo/analyses/w32mimailf.html --snap-- -- shrek-m From Declan.Grady at NUVOTEM.COM Mon Nov 3 10:38:23 2003 From: Declan.Grady at NUVOTEM.COM (Declan Grady) Date: Thu Jan 12 21:20:49 2006 Subject: changing from redhat 7 to debian stable ? Message-ID: <200311031035.hA3AZotp009879@mailserver.nuvotem.com> Hi, I'm intending to change my mailserver box from redhat 7.0 to debian stable. Im using f-prot and spamassasin with MailScanner 4.23-11 which I installed from rpm's Anything I need to be aware of to install the same setup on debian ? Thanks, Declan From jen at AH.DK Mon Nov 3 10:51:33 2003 
From: jen at AH.DK (Jan Elmqvist Nielsen) Date: Thu Jan 12 21:20:49 2006 Subject: Svar: New virus? Message-ID: Hi It's Mimail.e or Mimail.g Kaspersky was catching them from 31/10 F-prot is catching Mimail.e and Mimail.g with sign files from 2/11 I have received about 10 starting from 31/10 /Jan Elmqvist Nielsen >>> mailscanner@BARENDSE.TO 03-11-03 10:39 >>> We just received several messages that all contain a zip file. The df message is pasted below. This must be a virus, how can I extract the zip file from the df/qf pair? ------------6693EF700027EA5 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Will meet tonight as we agreed, because on Wednesday I don't think I'll make it, so don't be late. And yes, by the way here is the file you asked for. It's all written there. See you. crkcnapn ------------6693EF700027EA5 Content-Type: application/x-zip-compressed; name="readnow.zip" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="readnow.zip" From waldner at WALDNER.PRIV.AT Mon Nov 3 10:58:50 2003 
From: waldner at WALDNER.PRIV.AT (Robert Waldner)
Date: Thu Jan 12 21:20:49 2006
Subject: changing from redhat 7 to debian stable ?
In-Reply-To: Your message of "Mon, 03 Nov 2003 10:38:23 GMT." <200311031035.hA3AZotp009879@mailserver.nuvotem.com>
References: <200311031035.hA3AZotp009879@mailserver.nuvotem.com>
Message-ID: <20031103105909.257FC47061@fsck.waldner.priv.at>

On Mon, 03 Nov 2003 10:38:23 GMT, Declan Grady writes:
>I'm intending to change my mailserver box from redhat 7.0 to debian stable.

Very good idea ;)

>Im using f-prot and spamassasin with MailScanner 4.23-11 which I installed
>from rpm's
>
>Anything I need to be aware of to install the same setup on debian ?

MailScanner+SpamAssassin in stable are *ancient*, too ancient to be exact. But Adrian Bunk's backports are excellent as always, just throw in the following to your sources.list:

# adrian bunk backports, e.g. spamassassin
deb http://www.fs.tum.de/~bunk/debian woody/bunk-1 main contrib non-free

cheers,
&rw
--
-- That's what I like about this place...no LART is so good
-- that it can't be improved upon. Jeff McAdams, ASR

From steve.freegard at LBSLTD.CO.UK Mon Nov 3 11:05:37 2003
From: steve.freegard at LBSLTD.CO.UK (Steve Freegard)
Date: Thu Jan 12 21:20:49 2006
Subject: New virus?
Message-ID: <67D9E7698329D411936E00508B6590B902773BDE@neelix.lbsltd.co.uk>

Remco,

It's Mimail-F and I've caught a few of these this morning (all have come from a HK Cable TV subnet):

Showing records 1 to 4 of 4
Date/Time          ID              From      To       Subject                   Size    Score  Status
03/11/03 10:52:48  hA3Aq9LV014955  john@xxx  xxx@xxx  don't be late! ygxesmwl   15.9Kb  12.05  Spam, Virus (W32/Mimail-F)
03/11/03 10:50:45  hA3AoMLV014806  john@xxx  xxx@xxx  don't be late! morzwkwa   15.9Kb  12.05  Spam, Virus (W32/Mimail-F)
03/11/03 04:11:07  hA34B2bx031518  john@xxx  xxx@xxx  don't be late! polawaqa   15.9Kb  12.05  Spam, Virus (W32/Mimail-F)
03/11/03 04:10:05  hA349nbx031433  john@xxx  xxx@xxx  don't be late! xiianuqz   15.9Kb  12.05  Spam, Virus (W32/Mimail-F)

According to Sophos - I got the mimail-f IDE at 0214 this morning and have just got an IDE for mimail-h at 1023.

Kind regards,
Steve.

--
Steve Freegard
Systems Manager
Littlehampton Book Services Ltd.

-----Original Message-----
From: Remco Barendse [mailto:mailscanner@BARENDSE.TO] Sent: 03 November 2003 10:00 To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: New virus? I think it's a variant of Mimail.e because they are all sent from john@..... I now just totally blocked .zip files :) On Mon, 3 Nov 2003, Spicer, Kevin wrote: > Remco Barendse wrote: > > We just received several messages that all contain a zip file. The > > df message is pasted below. > > I think its probably MiMail-C My Sophos is picking it up but clam is > not. > > > > BMRB International > http://www.bmrb.co.uk > +44 (0)20 8566 5000 > _________________________________________________________________ > This message (and any attachment) is intended only for the recipient > and may contain confidential and/or privileged material. If you have > received this in error, please contact the sender and delete this > message immediately. Disclosure, copying or other action taken in > respect of this email or in reliance on it is prohibited. BMRB > International Limited accepts no liability in relation to any personal > emails, or content of any email which does not directly relate to our > business. > -- This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the sender and delete the message from your mailbox. This footnote also confirms that this email message has been swept by MailScanner (www.mailscanner.info) for the presence of computer viruses. From shrek-m at GMX.DE Mon Nov 3 11:06:13 2003 
From: shrek-m at GMX.DE (shrek-m@gmx.de) Date: Thu Jan 12 21:20:49 2006 Subject: Svar: New virus? In-Reply-To: References: Message-ID: <3FA636A5.5000809@gmx.de> Jan Elmqvist Nielsen wrote: >Hi > >It's Mimail.e or Mimail.g >Kaspersky was catching them from 31/10 >F-prot is catching Mimail.e and Mimail.g with sign files from 2/11 > >I have received about 10 starting from 31/10 > > wow, sophos has since 31/10 3 mimail?s ;-) --mimailc-- Date: Fri, 31 Oct 2003 13:20:04 +0000 (GMT) Subject: Sophos Anti-Virus IDE alert: W32/Mimail-C Name: W32/Mimail-C Aliases: W32/Mimail.C@mm, I-Worm.NetWatch, W32/Bics@mm Type: Win32 worm Date: 31 October 2003 Information about W32/Mimail-C can be found at: http://www.sophos.com/virusinfo/analyses/w32mimailc.html --mimaile-- Date: Sun, 02 Nov 2003 01:11:15 +0000 (GMT) Subject: Sophos Anti-Virus IDE alert: W32/Mimail-E Name: W32/Mimail-E Aliases: I-Worm.Mimail.e Type: Win32 worm Date: 2 November 2003 Information about W32/Mimail-E can be found at: http://www.sophos.com/virusinfo/analyses/w32mimaile.html --mimailf-- Date: Mon, 03 Nov 2003 02:19:21 +0000 (GMT) Subject: Sophos Anti-Virus IDE alert: W32/Mimail-F Name: W32/Mimail-F Aliases: I-Worm.Mimail.g, W32/Mimail.gen@MM Type: Win32 worm Date: 3 November 2003 Information about W32/Mimail-F can be found at: http://www.sophos.com/virusinfo/analyses/w32mimailf.html ---- -- shrek-m From ugob at CAMO-ROUTE.COM Mon Nov 3 11:30:31 2003 
From: ugob at CAMO-ROUTE.COM (Ugo Bellavance)
Date: Thu Jan 12 21:20:49 2006
Subject: changing from redhat 7 to debian stable ?
Message-ID: <54C38A0B814C8E438EF73FC76F3629273AE0C9@mtlnt501fs.CAMOROUTE.COM>

> -----Original Message-----
> From: Declan Grady [mailto:Declan.Grady@NUVOTEM.COM]
> Sent: Monday, November 03, 2003 5:38 AM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: changing from redhat 7 to debian stable ?
>
>
> Hi,
> I'm intending to change my mailserver box from redhat 7.0 to
> debian stable.
>
> Im using f-prot and spamassasin with MailScanner 4.23-11
> which I installed
> from rpm's
>
> Anything I need to be aware of to install the same setup on debian ?
>
> Thanks,
> Declan
>

The most recent version of mailscanner is not available under stable. You must use unstable/testing to get version 4 (3 otherwise).

Ugo

From shrek-m at GMX.DE Mon Nov 3 12:09:08 2003
From: shrek-m at GMX.DE (shrek-m@gmx.de)
Date: Thu Jan 12 21:20:49 2006
Subject: changing from redhat 7 to debian stable ?
In-Reply-To: <54C38A0B814C8E438EF73FC76F3629273AE0C9@mtlnt501fs.CAMOROUTE.COM>
References: <54C38A0B814C8E438EF73FC76F3629273AE0C9@mtlnt501fs.CAMOROUTE.COM>
Message-ID: <3FA64564.4050502@gmx.de>

Ugo Bellavance wrote:

>>I'm intending to change my mailserver box from redhat 7.0 to
>>debian stable.
>>
>>Im using f-prot and spamassasin with MailScanner 4.23-11
>>which I installed
>>from rpm's
>>
>>Anything I need to be aware of to install the same setup on debian ?
>>
>>
>>
>The most recent version of mailscanner is not available under stable. You must use unstable/testing to get version 4 (3 otherwise).
>
>

http://www.debian.org/distrib/packages

http://packages.debian.org/stable/mail/mailscanner.html
stable = ms 3.13.2-4

http://packages.debian.org/unstable/mail/mailscanner.html
unstable = ms 4.24.5-1

http://packages.debian.org/testing/mail/mailscanner.html
testing = ms 4.24.5-1

--
shrek-m

From ugob at CAMO-ROUTE.COM Mon Nov 3 12:21:37 2003
From: ugob at CAMO-ROUTE.COM (Ugo Bellavance)
Date: Thu Jan 12 21:20:49 2006
Subject: changing from redhat 7 to debian stable ?
Message-ID: <54C38A0B814C8E438EF73FC76F3629273AE0CA@mtlnt501fs.CAMOROUTE.COM>

> >>
> >>
> >The most recent version of mailscanner is not available
> under stable. You must use unstable/testing to get version 4
> (3 otherwise).
> >
> >
>
> http://www.debian.org/distrib/packages
>
>
> http://packages.debian.org/stable/mail/mailscanner.html
> stable = ms 3.13.2-4
>
> http://packages.debian.org/unstable/mail/mailscanner.html
> unstable = ms 4.24.5-1
>
> http://packages.debian.org/testing/mail/mailscanner.html
> testing = ms 4.24.5-1
>
> --
> shrek-m
>

Exactly what I said.

Thanks,

From miguelk at KONSULTEX.COM.BR Mon Nov 3 12:30:28 2003
From: miguelk at KONSULTEX.COM.BR (Miguel Koren O'Brien de Lacy)
Date: Thu Jan 12 21:20:49 2006
Subject: New virus?
References: <67D9E7698329D411936E00508B6590B902773BDE@neelix.lbsltd.co.uk>
Message-ID: <3FA64A64.4070302@konsultex.com.br>

Clam has this virus (with quite a few variations) in the database since Sunday and possibly earlier. I think that the fact that it went through my Clam installation could be because for some reason I did not have the Clam configuration in Mail Scanner set to go into zip files. On the other hand, my particular case may be a new variation of this virus which is not in Clam yet. It could also be some problem between Mail Scanner 4.24-5 and Clam.

Just confirmed, this seems a new variation because I have the wrapper set up correctly and clamscan on the command line does not find it. I sent the sample to the Clam team.

Miguel

Steve Freegard wrote:

>Remco,
>
>It's Mimail-F and I've caught a few of these this morning (all have come
>from a HK Cable TV subnet):
>
>Showing records 1 to 4 of 4
>Date/Time          ID              From      To       Subject                  Size    Score  Status
>03/11/03 10:52:48  hA3Aq9LV014955  john@xxx  xxx@xxx  don't be late! ygxesmwl  15.9Kb  12.05  Spam, Virus (W32/Mimail-F)
>03/11/03 10:50:45  hA3AoMLV014806  john@xxx  xxx@xxx  don't be late! morzwkwa  15.9Kb  12.05  Spam, Virus (W32/Mimail-F)
>03/11/03 04:11:07  hA34B2bx031518  john@xxx  xxx@xxx  don't be late! polawaqa  15.9Kb  12.05  Spam, Virus (W32/Mimail-F)
>03/11/03 04:10:05  hA349nbx031433  john@xxx  xxx@xxx  don't be late! xiianuqz  15.9Kb  12.05  Spam, Virus (W32/Mimail-F)
>
>According to Sophos - I got the mimail-f IDE at 0214 this morning and have
>just got an IDE for mimail-h at 1023.
>
>Kind regards,
>Steve.
>
>--
>Steve Freegard
>Systems Manager
>Littlehampton Book Services Ltd.
>
>-----Original Message-----
>From: Remco Barendse [mailto:mailscanner@BARENDSE.TO]
>Sent: 03 November 2003 10:00
>To: MAILSCANNER@JISCMAIL.AC.UK
>Subject: Re: New virus?
>
>
>I think it's a variant of Mimail.e because they are all sent from john@.....
>
>I now just totally blocked .zip files :)
>
>On Mon, 3 Nov 2003, Spicer, Kevin wrote:
>
>
>
>>Remco Barendse wrote:
>>
>>
>>>We just received several messages that all contain a zip file. The
>>>df message is pasted below.
>>>
>>>
>>I think it's probably MiMail-C. My Sophos is picking it up but clam is
>>not.
>>
>>
>>
>>BMRB International
>>http://www.bmrb.co.uk
>>+44 (0)20 8566 5000
>>_________________________________________________________________
>>This message (and any attachment) is intended only for the recipient
>>and may contain confidential and/or privileged material. If you have
>>received this in error, please contact the sender and delete this
>>message immediately. Disclosure, copying or other action taken in
>>respect of this email or in reliance on it is prohibited. BMRB
>>International Limited accepts no liability in relation to any personal
>>emails, or content of any email which does not directly relate to our
>>business.
>>
>>
>>
>
>--
>This email and any files transmitted with it are confidential and
>intended solely for the use of the individual or entity to whom they
>are addressed. If you have received this email in error please notify
>the sender and delete the message from your mailbox.
>
>This footnote also confirms that this email message has been swept by
>MailScanner (www.mailscanner.info) for the presence of computer viruses.
>
>
>

--
This message has been checked by the antivirus system and is believed to be free of danger.

From TGFurnish at HERFF-JONES.COM Mon Nov 3 14:39:50 2003
From: TGFurnish at HERFF-JONES.COM (Furnish, Trever G)
Date: Thu Jan 12 21:20:49 2006
Subject: Dead Files in Mqueue.in
Message-ID: <8FFC76593085ED4A80D3601BC41EFCDF02A6052C@inex1.herffjones.hj-int>

And as for how it happens, killing (or crashing) sendmail can cause it. Be sure if you kill sendmail manually that you only kill the parent. If you kill children as they are still accepting messages, you'll have some cleanup needed.

> -----Original Message-----
> From: Peter Bonivart [mailto:peter@UCGBOOK.COM]
> Sent: Sunday, November 02, 2003 10:15 AM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: Dead Files in Mqueue.in
>
>
> The default behavior of Sendmail is to try delivery for 5 days so if
> it's older than that it's not gonna get delivered. In your
> case you have
> only df-files with no matching qf-files, and since the
> qf-files contains
> the header information you can never deliver those anyway so you can
> just as well delete the df-files.
>
> No files in your mqueue-directory are old enough to worry about.
>
> /Peter Bonivart
>
> --Unix lovers do it in the Sun
>
> Sun Fire V210, Solaris 9, MailScanner 4.23-11, SpamAssassin 2.60 + DCC
> 1.2.9, ClamAV 20030829
>
> Matt wrote:
> > I have a number of dead files in mqueue.in and mqueue. Why
> does that
> > happen? Should I delete them? I imagine the ones in
> mqueue are just
> > waiting to get delivered and normal. The ones in mqueue.in
> is what I don't
> > understand.
>

From sw at INTERNETX.DE Mon Nov 3 14:45:00 2003
From: sw at INTERNETX.DE (Sebastian Wiesinger)
Date: Thu Jan 12 21:20:49 2006
Subject: ClamAV Error
Message-ID: <20031103144500.GA4076@internetx.de>

Hi!

I got the following error:

MailScanner[4411]: ProcessClamAVOutput: unrecognised line "/var/spool/MailScanner/incoming/4411/./hA38NAbE013167/photos.zip: File size limit exceeded.". Please contact the authors!

JFYI

Sebastian

--
InterNetX GmbH
Sebastian Wiesinger
System Administration
Maximilianstrasse 6
D-93047 Regensburg
Tel. +49 941 59559-0
Fax +49 941 59559-245
eMail: sebastian.wiesinger@internetx.de
GPG-Key: 0x97F5A1D8 (0x8431335F97F5A1D8)

From sw at INTERNETX.DE Mon Nov 3 14:49:22 2003
From: sw at INTERNETX.DE (Sebastian Wiesinger)
Date: Thu Jan 12 21:20:49 2006
Subject: ClamAV Error
In-Reply-To: <20031103144500.GA4076@internetx.de>
References: <20031103144500.GA4076@internetx.de>
Message-ID: <20031103144922.GA4112@internetx.de>

* Sebastian Wiesinger [2003-11-03 15:45]:
> Hi!
>
> I got the following error:
>
> MailScanner[4411]: ProcessClamAVOutput: unrecognised line
> "/var/spool/MailScanner/incoming/4411/./hA38NAbE013167/photos.zip:
> File size limit exceeded.". Please contact the authors!

And a much greater problem, the Virus is delivered:

MailScanner[4411]: Spam Actions: message hA38NAbE013167 actions are deliver
MailScanner[4411]: /var/spool/MailScanner/incoming/4411/./hA38NAbE013167/photos.zip: File size limit exceeded.
MailScanner[4411]: ProcessClamAVOutput: unrecognised line "/var/spool/MailScanner/incoming/4411/./hA38NAbE013167/photos.zip: File size limit exceeded.". Please contact the authors!
MailScanner[4411]: (raw) /var/spool/MailScanner/incoming/4411/./hA38NAbE013167/photos.zip: Worm.Mimail.C FOUND

Sebastian

--
InterNetX GmbH
Sebastian Wiesinger
System Administration
Maximilianstrasse 6
D-93047 Regensburg
Tel. +49 941 59559-0
Fax +49 941 59559-245
eMail: sebastian.wiesinger@internetx.de
GPG-Key: 0x97F5A1D8 (0x8431335F97F5A1D8)

From TGFurnish at HERFF-JONES.COM Mon Nov 3 15:00:19 2003
From: TGFurnish at HERFF-JONES.COM (Furnish, Trever G)
Date: Thu Jan 12 21:20:49 2006
Subject: sendmail message splitting defeats bandwidth savings?
Message-ID: <8FFC76593085ED4A80D3601BC41EFCDF0C087A@inex1.herffjones.hj-int>

I've had the sendmail message splitting running fine for a while, since it was the only way to get MailScanner whitelisting to be controlled granularly (per user instead of per message).

However, I'm concerned that the resulting increase in mail-related bandwidth consumption is many times greater than the actual savings being gained by filtering out spam. (Yes, I realize bandwidth savings aren't the only reason to filter spam, but they are important.)

I'm unclear on why, technically, it still makes sense not to have MS split messages only when needed, instead of using sendmail queue groups to do it. It seems MS is already decoding the messages (MCP, HTML tag checking, etc), so the increase in cpu ought to be negligible. All messages landing in mqueue should pass through MS, so MS can easily ensure it doesn't create duplicate queue IDs.

Hopefully I'm just incorrect in my current understanding of what happens when a message is split by sendmail (please correct me if so), but this is how I think things change when queue groups are used:

Without queue group message splitting:
1. One message comes in meant for many recipients at the same domain.
2. Sendmail writes one queue file pair.
3. MailScanner scans and re-queues that message.
4. Sendmail delivers the message, sending it ONLY ONCE over the wire to the next MX.

With queue group message splitting:
1. One message comes in meant for many recipients at the same domain.
2. Sendmail writes many queue file pairs.
3. MailScanner scans and re-queues all of the (now many) messages.
4. Sendmail delivers the messages, one copy per recipient, resulting in the original message being sent MANY TIMES over the wire to the next MX.

The message splitting feature applies to ALL messages, not just spam. This means that we may drastically increase our bandwidth usage just by turning it on, regardless of whether we're doing spam checking. I've already seen a few instances where the reason our internal WAN links were pegged for an hour could be directly traced to this change in delivery architecture.

By contrast what I'd prefer MS to do is: if a message comes in bound for multiple recipients and only a few of those recipients should be handled specially (whitelisted), create separate copies of the message for those recipients, queuing the files into mqueue by generating its own IDs.

To be fair, I realize this is probably not a big concern for most sites, but for a site with mail delivery to remote mail box servers over many expensive WAN links, this can be a significant problem.

Any suggestions or corrections would be appreciated.

From Kevin.Spicer at BMRB.CO.UK Mon Nov 3 15:01:42 2003
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin)
Date: Thu Jan 12 21:20:49 2006
Subject: ClamAV Error
Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0016497E7@pascal.priv.bmrb.co.uk>

Sebastian Wiesinger wrote:
> Hi!
>
> I got the following error:
>
> MailScanner[4411]: ProcessClamAVOutput: unrecognised line
> "/var/spool/MailScanner/incoming/4411/./hA38NAbE013167/photos.zip:
> File size limit exceeded.". Please contact the authors!
>

This has just been mentioned on the Clam list too. My guess is that the file contains a big all-zeros file which is causing some limit in clam to be exceeded.

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000

From Kevin.Spicer at BMRB.CO.UK Mon Nov 3 15:04:57 2003
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin)
Date: Thu Jan 12 21:20:49 2006
Subject: New virus?
Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0016497E8@pascal.priv.bmrb.co.uk>

Miguel Koren O'Brien de Lacy wrote:
> I think that the fact that it went
> through my Clam installation could be because for some reason I did
> not have the Clam configuration in Mail Scanner set to go into zip
> files.

Clam scans zipfiles by default. Don't be confused by the --unzip option, that just allows you to specify an external unzipper should the built in one fail.

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000

From sw at INTERNETX.DE Mon Nov 3 15:06:31 2003
From: sw at INTERNETX.DE (Sebastian Wiesinger)
Date: Thu Jan 12 21:20:49 2006
Subject: ClamAV Error
In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB0016497E7@pascal.priv.bmrb.co.uk>
References: <20031103144500.GA4076@internetx.de> <5C0296D26910694BB9A9BBFC577E7AB0016497E7@pascal.priv.bmrb.co.uk>
Message-ID: <20031103150631.GC4182@internetx.de>

* Spicer, Kevin [2003-11-03 16:02]:
> Sebastian Wiesinger wrote:
> > Hi!
> >
> > I got the following error:
> >
> > MailScanner[4411]: ProcessClamAVOutput: unrecognised line
> > "/var/spool/MailScanner/incoming/4411/./hA38NAbE013167/photos.zip:
> > File size limit exceeded.". Please contact the authors!
> >
> This has just been mentioned on the Clam list too. My guess is that the file contains a big all-zeros file which is causing some limit in clam to be exceeded.

Hmm strange.. but I checked my log again and against my prior statement, it seems that MailScanner does clean the message:

Nov 3 09:23:29 mailproxy MailScanner[4411]: Spam Checks: Found 1 spam messages
Nov 3 09:23:29 mailproxy MailScanner[4411]: Spam Actions: message hA38NAbE013167 actions are deliver
Nov 3 09:23:29 mailproxy MailScanner[4411]: Virus and Content Scanning: Starting
Nov 3 09:23:30 mailproxy MailScanner[4411]: /var/spool/MailScanner/incoming/4411/./hA38NAbE013167/photos.zip: File size limit exceeded.
Nov 3 09:23:30 mailproxy MailScanner[4411]: ProcessClamAVOutput: unrecognised line "/var/spool/MailScanner/incoming/4411/./hA38NAbE013167/photos.zip: File size limit exceeded.". Please contact the authors!
Nov 3 09:23:30 mailproxy MailScanner[4411]: ERROR: Can't run unzip
Nov 3 09:23:30 mailproxy MailScanner[4411]: ERROR: Can't execute some unpacker. Check paths and permissions on the temporary directory.
Nov 3 09:23:30 mailproxy MailScanner[4411]: (raw) /var/spool/MailScanner/incoming/4411/./hA38NAbE013167/photos.zip: Worm.Mimail.C FOUND
Nov 3 09:23:30 mailproxy MailScanner[4411]: Virus Scanning: ClamAV found 1 infections
Nov 3 09:23:30 mailproxy MailScanner[4411]: Infected message (raw) came from
Nov 3 09:23:30 mailproxy MailScanner[4411]: Virus Scanning: Found 1 viruses
Nov 3 09:23:30 mailproxy MailScanner[4411]: Uninfected: Delivered 1 messages

--
InterNetX GmbH
Sebastian Wiesinger
System Administration
Maximilianstrasse 6
D-93047 Regensburg
Tel. +49 941 59559-0
Fax +49 941 59559-245
eMail: sebastian.wiesinger@internetx.de
GPG-Key: 0x97F5A1D8 (0x8431335F97F5A1D8)

From raymond at PROLOCATION.NET Mon Nov 3 15:13:52 2003
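The ClamAV thread above turns on a scanner line the wrapper did not recognise ("File size limit exceeded.") appearing beside a FOUND line for the same archive. The following is an added example, not part of the original thread and not MailScanner's code: a fail-closed classifier for scanner output in which any per-file line that is neither OK nor FOUND makes the message "unscannable" and keeps it out of delivery. The sample lines are constructed, modelled on the log excerpt in the thread; the function names and the second and third message IDs are assumptions.

```python
import re

# Constructed sample, modelled on the log lines quoted in the thread
# (text after the "MailScanner[pid]: " prefix). The last two message IDs
# and file names are invented for the example.
SAMPLE_OUTPUT = """\
/var/spool/MailScanner/incoming/4411/./hA38NAbE013167/photos.zip: File size limit exceeded.
ERROR: Can't run unzip
ERROR: Can't execute some unpacker. Check paths and permissions on the temporary directory.
(raw) /var/spool/MailScanner/incoming/4411/./hA38NAbE013167/photos.zip: Worm.Mimail.C FOUND
/var/spool/MailScanner/incoming/4411/./hA38NBcF013200/report.txt: OK
/var/spool/MailScanner/incoming/4411/./hA38NCdG013201/notes.zip: File size limit exceeded.
"""

# "<path>: <rest>". The path match is non-greedy, so a file name that itself
# contains ": " leaves an odd <rest> and ends up "unscannable", never "clean".
LINE_RE = re.compile(r"^(?:\(raw\) )?(?P<path>/.*?): (?P<rest>.*)$")
# Assumed layout, taken from the paths in the thread: .../<pid>/./<msgid>/<file>
MSGID_RE = re.compile(r"/\./(?P<msgid>[^/]+)/")
# A worse status always overrides a better one for the same message.
RANK = {"clean": 0, "unscannable": 1, "infected": 2}


def classify_line(line):
    """Return (msgid, status, detail); msgid is None for scanner-level errors."""
    text = line.strip()
    m = LINE_RE.match(text)
    id_match = MSGID_RE.search(m.group("path")) if m else None
    if not id_match:
        return None, "scanner-error", text
    rest = m.group("rest")
    if rest == "OK":
        return id_match.group("msgid"), "clean", ""
    if rest.endswith(" FOUND"):
        return id_match.group("msgid"), "infected", rest[: -len(" FOUND")]
    # Anything else (size limits, unpack failures, unknown wording) means the
    # file was NOT fully examined.
    return id_match.group("msgid"), "unscannable", rest


def verdicts(output):
    """Fold scanner output into one verdict per message plus scanner errors."""
    per_message, scanner_errors = {}, []
    for line in output.splitlines():
        if not line.strip():
            continue
        msgid, status, detail = classify_line(line)
        if msgid is None:
            scanner_errors.append(detail)
            continue
        previous = per_message.get(msgid)
        if previous is None or RANK[status] > RANK[previous[0]]:
            per_message[msgid] = (status, detail)
    return per_message, scanner_errors


def action(status):
    """Fail closed: only a message with nothing but OK lines is delivered."""
    return "deliver" if status == "clean" else "quarantine"


if __name__ == "__main__":
    results, errors = verdicts(SAMPLE_OUTPUT)
    for msgid, (status, detail) in results.items():
        print(msgid, status, detail, "->", action(status))
    print("scanner errors:", len(errors))
```
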
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:20:49 2006
Subject: sendmail message splitting defeats bandwidth savings?
In-Reply-To: <8FFC76593085ED4A80D3601BC41EFCDF0C087A@inex1.herffjones.hj-int>
Message-ID:

Hi!

> Hopefully I'm just incorrect in my current understanding of what happens
> when a message is split by sendmail (please correct me if so), but this is
> how I think things change when queue groups are used:
>
> Without queue group message splitting:
> 1. One message comes in meant for many recipients at the same domain.
> 2. Sendmail writes one queue file pair.
> 3. MailScanner scans and re-queues that message.
> 4. Sendmail delivers the message, sending it ONLY ONCE over the wire to the
> next MX.

Step 4 is unclear to me, if people have custom rules, and the one user doesn't want spam tagging and one user does, how will that be combined into one message? In my eyes, you can't.

> 3. MailScanner scans and re-queues all of the (now many) messages.
> 4. Sendmail delivers the messages, one copy per recipient, resulting in the
> original message being sent MANY TIMES over the wire to the next MX.

Even if MS will do this trick I think mailvolume increase is the only way to accomplish this approach.

> To be fair, I realize this is probably not a big concern for most sites, but
> for a site with mail delivery to remote mail box servers over many expensive
> WAN links, this can be a significant problem.

Bye,
Raymond.

From mailscanner at ecs.soton.ac.uk Mon Nov 3 15:24:35 2003
From: mailscanner at ecs.soton.ac.uk (mailscanner@ecs.soton.ac.uk)
Date: Thu Jan 12 21:20:49 2006
Subject: NOTIFY-New Guestbook Entry
Message-ID: <200311031524.hA3FOZ1t030735@seer.ecs.soton.ac.uk>

New Guestbook-Entry from jeans nice site

From TGFurnish at HERFF-JONES.COM Mon Nov 3 15:35:04 2003
From: TGFurnish at HERFF-JONES.COM (Furnish, Trever G)
Date: Thu Jan 12 21:20:49 2006
Subject: mySQL DB purging
Message-ID: <8FFC76593085ED4A80D3601BC41EFCDF0C087B@inex1.herffjones.hj-int>

If you're talking about a mysql database with the mailwatch schema, then this might do the trick. Change "7" to match the number of days you want to keep stuff. Works for me, YMMV.

Put it into a file (ie "/root/clean_maillog.sql") and run it with mysql like so:

mysql -u root -pyourpassword mailscanner

-----Original Message-----
> From: Kearney, Rob [mailto:RKearney@AZERTY.COM]
> Sent: Thursday, October 30, 2003 9:31 AM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: mySQL DB purging
>
>
> Has anyone written any scripts to purge your growing mysql
> database, and
> willing to share those scripts.
>
> -rob
>

From TGFurnish at HERFF-JONES.COM Mon Nov 3 16:04:07 2003
From: TGFurnish at HERFF-JONES.COM (Furnish, Trever G)
Date: Thu Jan 12 21:20:49 2006
Subject: sendmail message splitting defeats bandwidth savings?
Message-ID: <8FFC76593085ED4A80D3601BC41EFCDF0C087C@inex1.herffjones.hj-int>

> -----Original Message-----
> From: Raymond Dijkxhoorn [mailto:raymond@PROLOCATION.NET]
> Sent: Monday, November 03, 2003 10:14 AM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: sendmail message splitting defeats bandwidth savings?
>
>
> Hi!
>
> > Hopefully I'm just incorrect in my current understanding of
> what happens
> > when a message is split by sendmail (please correct me if
> so), but this is
> > how I think things change when queue groups are used:
> >
> > Without queue group message splitting:
> > 1. One message comes in meant for many recipients at the
> same domain.
> > 2. Sendmail writes one queue file pair.
> > 3. MailScanner scans and re-queues that message.
> > 4. Sendmail delivers the message, sending it ONLY ONCE over
> the wire to the
> > next MX.
>
> Step 4 is unclear to me, if people have custom rules, and the one user
> doesn't want spam tagging and one user does, how will that be
> combined into
> one message? In my eyes, you can't.

Agreed, but there is a huge difference between splitting only those messages that need special handling (my suggested approach) and splitting ALL messages (the current approach). In fact the difference for a site handling a significant amount of email is likely to be *many* orders of magnitude.

> > 3. MailScanner scans and re-queues all of the (now many) messages.
> > 4. Sendmail delivers the messages, one copy per recipient,
> resulting in the
> > original message being sent MANY TIMES over the wire to the next MX.
>
> Even if MS will do this trick I think mailvolume increase is
> the only way
> to accomplish this approach.

Yes, but again, the question is *how much* it ought to increase. The current approach has the potential to increase it drastically, with most of the increase being completely unrelated to productive mail filtering.

Here's a more detailed example. Suppose I want to whitelist mail to bob@foo.com but not to tom@foo.com or harry@foo.com. A single message comes in bound for all of them:

To: bob@foo.com, tom@foo.com, harry@foo.com

With queue group message splitting, it becomes three messages:

To: bob@foo.com
To: tom@foo.com
To: harry@foo.com

With MailScanner doing the message splitting on its own, there would only be a need for two messages:

To: bob@foo.com
To: tom@foo.com, harry@foo.com

Now suppose a message comes in for harry@foo.com and tom@foo.com. Even though there's no need for message splitting at all, sendmail queue groups would split the message in two, doubling its traffic.

I believe in most environments, the percentage of messages that actually need special whitelisting will be FAR outweighed by the percentage of messages that would just pass through MS untouched.

And in my case, unfortunately, email messages may be 150MB in size, frequently sent to several local addresses. Put those addresses behind a 192k/s link and multiplying the message-related bandwidth use becomes a big problem.

From P.G.M.Peters at utwente.nl Mon Nov 3 16:04:57 2003
From: P.G.M.Peters at utwente.nl (Peter Peters)
Date: Thu Jan 12 21:20:49 2006
Subject: sendmail message splitting defeats bandwidth savings?
In-Reply-To: <8FFC76593085ED4A80D3601BC41EFCDF0C087A@inex1.herffjones.hj-int>
References: <8FFC76593085ED4A80D3601BC41EFCDF0C087A@inex1.herffjones.hj-int>
Message-ID:

On Mon, 3 Nov 2003 10:00:19 -0500, you wrote:

>By contrast what I'd prefer MS to do is: if a message comes in bound for
>multiple recipients and only a few of those recipients should be handled
>specially (whitelisted), create separate copies of the message for those
>recipients, queuing the files into mqueue by generating its own IDs.

MS should be kept up to date with changes in the qf and df files of sendmail. And it should be able to distinguish between the different sets of changes.

--
Peter Peters, senior netwerkbeheerder
Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE)
Universiteit Twente, Postbus 217, 7500 AE Enschede
telefoon: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/civ

From cslyon at NETSVCS.COM Mon Nov 3 15:52:44 2003
From: cslyon at NETSVCS.COM (Christopher Lyon)
Date: Thu Jan 12 21:20:49 2006
Subject: Implementing per domain scanning
Message-ID:

What if the MailScanner box was in the DMZ and all mail going in and out of a network was going via that box. That means you wouldn't see internal mail: user1@domain1.com to user2@domain1.com but if *@domain1.com was sending to outside and you don't want their mail touched at all. I think that would be a good way to go about it, right? That is unless we just put the IP address of the device from the inside network forwarding us e-mail.

Just trying to see the different things that we can do.

> -----Original Message-----
> From: Mike Kercher [mailto:mike@CAMAROSS.NET]
> Sent: Sunday, November 02, 2003 6:17 PM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: Implementing per domain scanning
>
> I think so...unless a user@domain1.com sends an email to user2@domain1.com
> You might need to add From: *@domain1.com no
>
> What are you trying to accomplish?
>
> > -----Original Message-----
> > From: MailScanner mailing list
> > [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Christopher Lyon
> > Sent: Sunday, November 02, 2003 6:16 PM
> > To: MAILSCANNER@JISCMAIL.AC.UK
> > Subject: Re: Implementing per domain scanning
> >
> > Follow up question:
> >
> > Would this scan only the mail for domain1 but not from?
> >
> >
> > Virus Scanning = %rulesdir%/per.domain.rules
> >
> > per.domain.rules
> > To: *@domain1.com yes
> > FromOrTo: default yes
> >
> >
> > > -----Original Message-----
> > > From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK]
> > > Sent: Sunday, November 02, 2003 8:28 AM
> > > To: MAILSCANNER@JISCMAIL.AC.UK
> > > Subject: Re: Implementing per domain scanning
> > >
> > > At 16:07 02/11/2003, you wrote:
> > > >I need to implement per-domain rules for both virus and
> > spam checks.
> > Can
> > > >both "Virus Scanning =" and "Spam Checks =" point to the same
> > ruleset?
> > >
> > > Yes.
> > >
> > > >For
> > > >example:
> > > >
> > > >MailScanner.conf:
> > > >Virus Scanning = %rulesdir%/per.domain.rules
> > > >Spam Checks = %rulesdir%/per.domain.rules
> > > >
> > > >
> > > >per.domain.rules:
> > > >FromOrTo: *@domain1.com no
> > > >FromOrTo: *@domain2.com no
> > > >FromOrTo: default yes
> > > >
> > > >This would turn off virus and spam checks for domain1 and
> > domain2 and
> > > allow
> > > >checks for all other domains.
> > > >
> > > >Would this be the most efficient method?
> > >
> > > Should work just fine.
> > > --
> > > Julian Field
> > > www.MailScanner.info
> > > Professional Support Services at www.MailScanner.biz MailScanner
> > > thanks transtec Computers for their support PGP footprint:
> > EE81 D763
> > > 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
> >

From raymond at PROLOCATION.NET Mon Nov 3 16:17:38 2003
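An added sketch, not part of the original messages and not MailScanner's code, covering both the per-domain ruleset discussed above and the proposal in the message-splitting thread: each recipient is evaluated against rulesets written in the `per.domain.rules` format, and one copy is planned per distinct outcome rather than one per recipient. The first-match and `default` semantics, the whitelist ruleset for bob@foo.com, the sender address and all function names are assumptions made for illustration.

```python
from fnmatch import fnmatchcase

# Ruleset text in the format quoted in the thread.
PER_DOMAIN_RULES = """\
FromOrTo: *@domain1.com no
FromOrTo: *@domain2.com no
FromOrTo: default yes
"""

# Constructed ruleset for the bob/tom/harry example: whitelist mail to bob only.
WHITELIST_RULES = """\
To: bob@foo.com yes
FromOrTo: default no
"""


def parse_rules(text):
    """Parse 'Direction: pattern value' lines into (rules, default_value)."""
    rules, default = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 2)
        if len(parts) != 3:
            raise ValueError("malformed rule: %r" % raw)
        direction, pattern, value = parts
        direction = direction.rstrip(":").lower()
        if direction not in ("from", "to", "fromorto"):
            raise ValueError("unsupported direction in: %r" % raw)
        if pattern.lower() == "default":
            default = value.strip()
        else:
            rules.append((direction, pattern.lower(), value.strip()))
    return rules, default


def evaluate(ruleset, sender, recipient):
    """Return the value of the first matching rule, else the default.

    Assumption: rules are tried top to bottom and the first hit wins.
    """
    rules, default = ruleset
    sender, recipient = sender.lower(), recipient.lower()
    for direction, pattern, value in rules:
        hit_from = fnmatchcase(sender, pattern)
        hit_to = fnmatchcase(recipient, pattern)
        if ((direction == "from" and hit_from)
                or (direction == "to" and hit_to)
                or (direction == "fromorto" and (hit_from or hit_to))):
            return value
    return default


def split_plan(rulesets, sender, recipients):
    """Group recipients by their tuple of ruleset outcomes.

    Each group can share one copy of the message, so the number of groups is
    the number of copies that actually need to exist.
    """
    groups = {}
    for rcpt in recipients:
        signature = tuple(evaluate(rs, sender, rcpt) for rs in rulesets.values())
        groups.setdefault(signature, []).append(rcpt)
    return groups


if __name__ == "__main__":
    rulesets = {
        "whitelist": parse_rules(WHITELIST_RULES),
        "virus_scanning": parse_rules(PER_DOMAIN_RULES),
    }
    rcpts = ["bob@foo.com", "tom@foo.com", "harry@foo.com"]
    plan = split_plan(rulesets, "someone@elsewhere.example", rcpts)
    print("per-recipient splitting:", len(rcpts), "copies")
    print("outcome-based splitting:", len(plan), "copies")
    for signature, group in plan.items():
        print(signature, group)
```
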
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:20:49 2006
Subject: sendmail message splitting defeats bandwidth savings?
In-Reply-To: <8FFC76593085ED4A80D3601BC41EFCDF0C087C@inex1.herffjones.hj-int>
Message-ID:

Hi!

> > Step 4 is unclear to me, if people have custom rules, and the one user
> > doesn't want spam tagging and one user does, how will that be
> > combined into one message? In my eyes, you can't.

> Agreed, but there is a huge difference between splitting only those messages
> that need special handling (my suggested approach) and splitting ALL
> messages (the current approach). In fact the difference for a site handling
> a significant amount of email is likely to be *many* orders of magnitude.

Very true. The other positive thing if MS can copy them is that it will be generic, eg also Exim users can use it. Currently it's limited to sendmail only as far as I know.

> Yes, but again, the question is *how much* it ought to increase. The
> current approach has the potential to increase it drastically, with most of
> the increase being completely unrelated to productive mail filtering.
>
> Here's a more detailed example. Suppose I want to whitelist mail to
> bob@foo.com but not to tom@foo.com or harry@foo.com. A single message comes
> in bound for all of them:
>
> To: bob@foo.com, tom@foo.com, harry@foo.com
>
> With queue group message splitting, it becomes three messages:
>
> To: bob@foo.com
> To: tom@foo.com
> To: harry@foo.com
>
> With MailScanner doing the message splitting on its own, there would only be
> a need for two messages:
>
> To: bob@foo.com
> To: tom@foo.com, harry@foo.com
>
> Now suppose a message comes in for harry@foo.com and tom@foo.com. Even
> though there's no need for message splitting at all, sendmail queue groups
> would split the message in two, doubling its traffic.

Sure, but it's all depending on your rulesets, and not generic :)

> I believe in most environments, the percentage of messages that actually
> need special whitelisting will be FAR outweighed by the percentage of
> messages that would just pass through MS untouched.
>
> And in my case, unfortunately, email messages may be 150MB in size,
> frequently sent to several local addresses. Put those addresses behind a
> 192k/s link and multiplying the message-related bandwidth use becomes a big
> problem.

If you have 192k and a 150M limit then you should change your policy :))

Bye,
Raymond.

From TGFurnish at HERFF-JONES.COM Mon Nov 3 16:22:12 2003
From: TGFurnish at HERFF-JONES.COM (Furnish, Trever G)
Date: Thu Jan 12 21:20:49 2006
Subject: sendmail message splitting defeats bandwidth savings?
Message-ID: <8FFC76593085ED4A80D3601BC41EFCDF02A60533@inex1.herffjones.hj-int>

> -----Original Message-----
> From: Raymond Dijkxhoorn [mailto:raymond@PROLOCATION.NET]
> Sent: Monday, November 03, 2003 11:18 AM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: sendmail message splitting defeats bandwidth savings?
>
[...snip...]
> If you have 192k and a 150M limit then you should change your
> policy :))

:-) Quite agreed, but let's not get sidetracked. The large messages just exacerbate the problem so much it becomes easy to spot - it's still an issue, even for small messages, given a typical corporate message traffic level.

From ka at PACIFIC.NET Mon Nov 3 16:47:57 2003
From: ka at PACIFIC.NET (Ken Anderson)
Date: Thu Jan 12 21:20:49 2006
Subject: sendmail message splitting defeats bandwidth savings?
In-Reply-To: <8FFC76593085ED4A80D3601BC41EFCDF0C087A@inex1.herffjones.hj-int>
References: <8FFC76593085ED4A80D3601BC41EFCDF0C087A@inex1.herffjones.hj-int>
Message-ID: <3FA686BD.3050204@pacific.net>

Furnish, Trever G wrote:
> I've had the sendmail message splitting running fine for a while, since it
> was the only way to get MailScanner whitelisting to be controlled granularly
> (per user instead of per message).
>
> However, I'm concerned that the resulting increase in mail-related bandwidth
> consumption is many times greater than the actual savings being gained by
> filtering out spam. (Yes, I realize bandwidth savings aren't the only
> reason to filter spam, but they are important.)
>
> I'm unclear on why, technically, it still makes sense not to have MS split
> messages only when needed, instead of using sendmail queue groups to do it.
> It seems MS is already decoding the messages (MCP, HTML tag checking, etc),
> so the increase in cpu ought to be negligible. All messages landing in
> mqueue should pass through MS, so MS can easily ensure it doesn't create
> duplicate queue IDs.
>
> Hopefully I'm just incorrect in my current understanding of what happens
> when a message is split by sendmail (please correct me if so), but this is
> how I think things change when queue groups are used:
>
> Without queue group message splitting:
> 1. One message comes in meant for many recipients at the same domain.
> 2. Sendmail writes one queue file pair.
> 3. MailScanner scans and re-queues that message.
> 4. Sendmail delivers the message, sending it ONLY ONCE over the wire to the
> next MX.
>
> With queue group message splitting:
> 1. One message comes in meant for many recipients at the same domain.
> 2. Sendmail writes many queue file pairs.
> 3. MailScanner scans and re-queues all of the (now many) messages.
> 4. Sendmail delivers the messages, one copy per recipient, resulting in the
> original message being sent MANY TIMES over the wire to the next MX.
>
> The message splitting feature applies to ALL messages, not just spam. This
> means that we may drastically increase our bandwidth usage just by turning
> it on, regardless of whether we're doing spam checking. I've already seen a
> few instances where the reason our internal WAN links were pegged for an
> hour could be directly traced to this change in delivery architecture.
>
> By contrast what I'd prefer MS to do is: if a message comes in bound for
> multiple recipients and only a few of those recipients should be handled
> specially (whitelisted), create separate copies of the message for those
> recipients, queuing the files into mqueue by generating its own IDs.
>
> To be fair, I realize this is probably not a big concern for most sites, but
> for a site with mail delivery to remote mail box servers over many expensive
> WAN links, this can be a significant problem.
>
> Any suggestions or corrections would be appreciated.

It might be worthwhile to put MS/SA machines at the remote sites, or centralize the mail stores a bit and then put MS/SA machines at the remote sites?

Some things you can do to help smooth out the load - though this will increase message delay a bit...

1. set your incoming sendmail to limit 'max recipients' per message to some smaller number (10?).
2. set your incoming sendmail 'max recipient throttle' to some lower value, like 2 or 3, so if a message with 10 recipients comes in, and the first 2 are 'user unknown', sendmail will pause a sec before accepting the next.
3. set your incoming sendmail to defer messages based on load avg (this only works IF the load avg of the machine IS being affected in a significant way by the splitting of messages).
4. Use firewall/ipfw/whatever rules to control the bandwidth available to smtp, so your wan links aren't saturated with mail.

Ken A.
Pacific.Net
>

From mailscanner at ecs.soton.ac.uk Mon Nov 3 16:49:43 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:20:49 2006
Subject: sendmail message splitting defeats bandwidth savings?
In-Reply-To:
References: <8FFC76593085ED4A80D3601BC41EFCDF0C087A@inex1.herffjones.hj-int> <8FFC76593085ED4A80D3601BC41EFCDF0C087A@inex1.herffjones.hj-int>
Message-ID: <5.2.0.9.2.20031103164139.02dfa430@imap.ecs.soton.ac.uk>

At 16:04 03/11/2003, you wrote:
>On Mon, 3 Nov 2003 10:00:19 -0500, you wrote:
>
> >By contrast what I'd prefer MS to do is: if a message comes in bound for
> >multiple recipients and only a few of those recipients should be handled
> >specially (whitelisted), create separate copies of the message for those
> >recipients, queuing the files into mqueue by generating its own IDs.
>
>MS should be kept up to date with changes in the qf and df files of
>sendmail. And it should be able to distinguish between the different
>sets of changes.

One of the main reasons I haven't done this before is that reading message filenames is a lot easier than creating new ones. For example, Sendmail has changed its format at least once that I can immediately think of, and it is non-trivial to work out (given an empty queue at startup) which format of filename I should use.

When only sendmail is creating them, it's easy, I just use whatever filenames it supplies. But if I want to create unique new ones, then how do I work out what to call them? I need to keep strictly to its naming scheme so that if the sendmail folks tighten up their queue filename checking code, everything keeps working. So it's not good enough to "just do something that works", I have to get it 100% correct.

I also have to guarantee that any new filename I create won't be possibly re-used later by the MTA. For example...

The queues all start off empty, for simplicity.

A message 1111 comes in, with 2 recipients with different rules, so it needs to be split. 2222 is a legal name for this MTA, and is not in use right now. So MailScanner creates 2 output messages 1111 and 2222. Then the MTA receives another message, which it decides to call 2222 (which isn't in use in the incoming queue, so I can't stop it doing it). MailScanner processes that and tries to create another message 2222 in the outgoing queue, which clashes with the earlier one.

Consider what happens when 2222 has been in the outgoing queue for nearly a week, and is still waiting to be delivered. How do I stop the incoming MTA creating a queue file with a name that hasn't been used in the past week/month/year?

It can't be done.

I welcome comments to the contrary... :-)
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From brent at MIRABITO.COM Mon Nov 3 17:28:42 2003
From: brent at MIRABITO.COM (Brent Strignano)
Date: Thu Jan 12 21:20:49 2006
Subject: sendmail message splitting defeats bandwidth savings?
Message-ID: <62E46E0C3CB8024C807447814E1B20A501CCD7@granitemail.mirabito.com>

Maybe an idea...

Have MailScanner split and resubmit the message, as needed by the rule sets, to sendmail on the loopback interface before spam or virus checking happens. Then sendmail can control its own queue numbers and the message will be single recipient per message for the rest of the checks.

Thoughts?

Brent Strignano
System Administrator
Granite Capital Holdings
Sidney NY USA

-----Original Message-----
From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK]
Sent: Monday, November 03, 2003 11:50 AM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: sendmail message splitting defeats bandwidth savings?

At 16:04 03/11/2003, you wrote:
>On Mon, 3 Nov 2003 10:00:19 -0500, you wrote:
>
> >By contrast what I'd prefer MS to do is: if a message comes in bound
> >for multiple recipients and only a few of those recipients should be
> >handled specially (whitelisted), create separate copies of the
> >message for those recipients, queuing the files into mqueue by
> >generating its own IDs.
>
>MS should be kept up to date with changes in the qf and df files of
>sendmail. And it should be able to distinguish between the different
>sets of changes.

One of the main reasons I haven't done this before is that reading message filenames is a lot easier than creating new ones. For example, Sendmail has changed its format at least once that I can immediately think of, and it is non-trivial to work out (given an empty queue at startup) which format of filename I should use.

When only sendmail is creating them, it's easy, I just use whatever filenames it supplies. But if I want to create unique new ones, then how do I work out what to call them? I need to keep strictly to its naming scheme so that if the sendmail folks tighten up their queue filename checking code, everything keeps working. So it's not good enough to "just do something that works", I have to get it 100% correct.

I also have to guarantee that any new filename I create won't be possibly re-used later by the MTA. For example...

The queues all start off empty, for simplicity.

A message 1111 comes in, with 2 recipients with different rules, so it needs to be split. 2222 is a legal name for this MTA, and is not in use right now. So MailScanner creates 2 output messages 1111 and 2222. Then the MTA receives another message, which it decides to call 2222 (which isn't in use in the incoming queue, so I can't stop it doing it). MailScanner processes that and tries to create another message 2222 in the outgoing queue, which clashes with the earlier one.

Consider what happens when 2222 has been in the outgoing queue for nearly a week, and is still waiting to be delivered. How do I stop the incoming MTA creating a queue file with a name that hasn't been used in the past week/month/year?

It can't be done.

I welcome comments to the contrary... :-)
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From steve.freegard at LBSLTD.CO.UK Mon Nov 3 17:38:04 2003
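Julian Field's clash scenario and Brent Strignano's loopback suggestion, worked through as an added sketch. It is not part of either post and is not MailScanner or sendmail code: `ToyMTA`, `Scanner`, `rule_groups`, the counter-style ids and the example.com addresses are all assumptions made for the illustration.

```python
"""Toy model of the queue-id clash from the thread (constructed, not sendmail code)."""


class QueueClash(Exception):
    """Two different messages were given the same outgoing queue id."""


class ToyMTA:
    """Hypothetical incoming MTA. Ids are a simple counter (1111, 2222, ...),
    standing in for whatever naming scheme the real MTA uses."""

    def __init__(self):
        self._counter = 0
        self.incoming = {}                      # queue id -> (recipients, body)

    def accept(self, recipients, body):
        # The MTA guarantees uniqueness only among ids it issued itself.
        self._counter += 1111
        qid = str(self._counter)
        self.incoming[qid] = (list(recipients), body)
        return qid


def rule_groups(recipients, special):
    """One shared copy for ordinary recipients, one copy per special-cased one."""
    ordinary = [r for r in recipients if r not in special]
    groups = [ordinary] if ordinary else []
    return groups + [[r] for r in recipients if r in special]


class Scanner:
    """Hypothetical scanner sitting between the incoming and outgoing queues."""

    def __init__(self, mta, special):
        self.mta = mta
        self.special = set(special)
        self.outgoing = {}                      # persists until delivery succeeds

    def _enqueue(self, qid, recipients, body):
        if qid in self.outgoing:
            raise QueueClash(qid)
        self.outgoing[qid] = (recipients, body)

    def _mint_id(self):
        # Best the scanner can do: a legal-looking id unused in both queues *now*.
        n = 1111
        while str(n) in self.mta.incoming or str(n) in self.outgoing:
            n += 1111
        return str(n)

    def process_minting(self, qid):
        """Split by inventing ids for the extra copies."""
        recipients, body = self.mta.incoming.pop(qid)
        first, *rest = rule_groups(recipients, self.special)
        self._enqueue(qid, first, body)
        for group in rest:
            self._enqueue(self._mint_id(), group, body)

    def process_loopback(self, qid):
        """Split by resubmitting each copy to the MTA, which names it itself."""
        recipients, body = self.mta.incoming.pop(qid)
        groups = rule_groups(recipients, self.special)
        if len(groups) == 1:
            self._enqueue(qid, groups[0], body)  # nothing to split: id passes through
            return []
        # The original is discarded; each copy re-enters the incoming queue.
        return [self.mta.accept(group, body) for group in groups]


def run_minting():
    """Replay the 1111/2222 story; returns the id that clashed, or None."""
    mta = ToyMTA()
    scanner = Scanner(mta, special={"bob@example.com"})
    first = mta.accept(["alice@example.com", "bob@example.com"], "msg one")
    scanner.process_minting(first)              # outgoing now holds 1111 and 2222
    second = mta.accept(["carol@example.com"], "msg two")   # MTA also picks 2222
    try:
        scanner.process_minting(second)
    except QueueClash as clash:
        return str(clash)
    return None


def run_loopback():
    """Same traffic, split via resubmission; returns the outgoing ids."""
    mta = ToyMTA()
    scanner = Scanner(mta, special={"bob@example.com"})
    pending = [mta.accept(["alice@example.com", "bob@example.com"], "msg one"),
               mta.accept(["carol@example.com"], "msg two")]
    while pending:
        pending.extend(scanner.process_loopback(pending.pop(0)))
    return sorted(scanner.outgoing)
```

In the loopback run every id in the outgoing queue was issued by the MTA, so uniqueness no longer depends on the scanner guessing the MTA's future choices.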
From: steve.freegard at LBSLTD.CO.UK (Steve Freegard)
Date: Thu Jan 12 21:20:49 2006
Subject: dcc/razor2/pyzor timeouts anyone?
Message-ID: <67D9E7698329D411936E00508B6590B902773BE4@neelix.lbsltd.co.uk>

Hi All,

I've been having problems with one of my e-mail gateways today - the load average has been spiking at 1.90 with no unusual increase in mail volume and MailScanner's been showing in 'top' using 99.9% CPU.

After a bit of investigating (strace -p, debug=yes etc. etc.) - I realised that SpamAssassin was getting timeouts when talking to Razor2/DCC/Pyzor (my timeouts are set to 10 seconds for each with SpamAssassin timeout set to 60 seconds in MailScanner.conf)

Also while in Debug=yes/SpamAssassin Debug=yes mode I had an occurrence of 'Process did not exit cleanly, returned 0 with signal 11' just after SpamAssassin ran its bayes tests (I think it was about to start a DCC/Razor2 or Pyzor check) and upon grepping /var/log/messages - I found 64 occurrences of the 'signal 11' in the logs since its last log roll.

I've since disabled the DCC/Pyzor/Razor2 checks while I work out what's going on - I also haven't had any sig11's in the log since I've done this and my load average is down to 0.04 (however it is after 5.30pm here so a lot of my users have gone home, so it won't get much stressing until tomorrow)

Anyone else experience anything similar?? - I haven't made any changes to this box for ages.

I'm running MailScanner 4.22-4, SA 2.60, DCC 1.1.36, Pyzor 0.4.0, Razor-Agents-2.22 and MailWatch CVS on RH9 running on a Compaq Proliant DL360 G1 933Mhz PIII with 512Mb RAM.

Kind regards,
Steve.
--
Steve Freegard
Systems Manager
Littlehampton Book Services Ltd.

--
This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the sender and delete the message from your mailbox. This footnote also confirms that this email message has been swept by MailScanner (www.mailscanner.info) for the presence of computer viruses.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20031103/dbfc2d56/attachment.html

From chris at fractalweb.com Mon Nov 3 17:38:27 2003
From: chris at fractalweb.com (Chris Yuzik)
Date: Thu Jan 12 21:20:49 2006
Subject: workaround for "file size limit exceeded" messages?
Message-ID: <200311030938.27353.chris@fractalweb.com>

Is there a workaround for "file size limit exceeded" message issue that I'm seeing in maillog whenever ClamAV detects either Worm.Mimail.C or Worm.Bics?

It appears that ClamAV is correctly identifying the virus but that extra status message is causing MailScanner to get confused and (I think) letting the virus through. I just signed up to the ClamAV mailing list, and at least one person is suggesting that this is a MailScanner issue.

Any workarounds or fixes?

Thanks,
Chris
--
Chris Yuzik
chris@fractalweb.com
604-304-0444

"Reality is that which, when you stop believing in it, doesn't go away".
 -- Philip K. Dick

From RKearney at AZERTY.COM Mon Nov 3 17:39:42 2003
From: RKearney at AZERTY.COM (Kearney, Rob)
Date: Thu Jan 12 21:20:49 2006
Subject: Performance Monitoring Possible request?
Message-ID: <210DF55DED65B547896F728FB057F3B2019C4903@seaver.ussco.com>

Is there any way to monitor the performance of the MailScanner children?

I'm looking for stats like seconds to process batch/average seconds per mail message/average mail size (what also would be nice, is the time each module/piece spent doing its job, Content/Virus/SpamAssassin...).

It also would be nice to call a custom module to insert this data into an SQL database for graphing and reporting, however logging to syslog would be sufficient also.

Some of the reasons for this: I've been seeing quite the disruption in services from DCC/Pyzor/Razor over the past several weeks, and I would like to be proactive in disabling the services that are causing problems.

-rob
--
Robert E. Kearney Jr.
IT Operations Manager
Azerty, a Division of United Stationers Supply Co.
p: (716) 662-0200 x2117
f: (716) 667-2409
rkearney@azerty.com

From mailscanner at ecs.soton.ac.uk Mon Nov 3 17:43:18 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:20:49 2006
Subject: ANNOUNCE: Beta 4.25-5 released
In-Reply-To:
References: <5.2.0.9.2.20031101173342.02c1fd00@imap.ecs.soton.ac.uk>
Message-ID: <5.2.0.9.2.20031103174127.03af8ea8@imap.ecs.soton.ac.uk>

Some of you have downloaded 4.25-5 and hopefully installed it. Is it all working okay?
Raymond is the only person who has commented (from what I've seen).

Any problems?
Any comments?
Has anyone tried the HTML "disarming" options?

Should I take it as is and turn it into a "stable" release?

Jules.

At 21:24 02/11/2003, you wrote:
>Julian,
>
> > 1/11/2003 New in Version 4.25-5
> > ================================
> > * New Features and Improvements *
> > - Panda version 7.0 supported.
> > - Added dependency on Net::CIDR module so could add support for more ways of
> > specifying IP ranges in rulesets. Can now do all of:
> > 152.78.
> > /^152\.78/
> > 152.78.0.0/16
> > 152.78.0.0-152.78.255.255
>
>Running like a charm. Upgraded two of our production boxes.
>
>Thanks,
>Raymond.

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From csm-lists at CSMA.BIZ Mon Nov 3 17:38:09 2003
From: csm-lists at CSMA.BIZ (Corey S. McFadden)
Date: Thu Jan 12 21:20:49 2006
Subject: New virus?
In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB0016497E8@pascal.priv.bmrb.co.uk>
Message-ID:

Check your virus scanner's website for an update and review your "auto" update configuration. McAfee only released a signature for Mimail.c on Friday. (They didn't have it in their regular Wednesday update.)

-Corey

On Mon, 3 Nov 2003, Spicer, Kevin wrote:

> Miguel Koren O'Brien de Lacy wrote:
> > I think that the fact that it went
> > through my Clam installation could be because for some reason I did
> > not have the Clam configuration in Mail Scanner set to go into zip
> > files.
> >
> Clam scans zipfiles by default. Don't be confused by the --unzip option, that just allows you to specify an external unzipper should the built in one fail.
>
>
>
> BMRB International
> http://www.bmrb.co.uk
> +44 (0)20 8566 5000
> _________________________________________________________________
> This message (and any attachment) is intended only for the
> recipient and may contain confidential and/or privileged
> material. If you have received this in error, please contact the
> sender and delete this message immediately. Disclosure, copying
> or other action taken in respect of this email or in
> reliance on it is prohibited. BMRB International Limited
> accepts no liability in relation to any personal emails, or
> content of any email which does not directly relate to our
> business.
>
> *********************************************
> This message has been scanned for viruses and
> dangerous content, and is believed to be clean.
>

From mailscanner at ecs.soton.ac.uk Mon Nov 3 17:53:21 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:20:49 2006
Subject: sendmail message splitting defeats bandwidth savings?
In-Reply-To: <62E46E0C3CB8024C807447814E1B20A501CCD7@granitemail.mirabito.com>
Message-ID: <5.2.0.9.2.20031103174626.02e38d78@imap.ecs.soton.ac.uk>

I would need a *very* reliable SMTP client, for which Net::SMTP (or whatever it's called) might be a good candidate.
But it's definitely a cool idea, it's even independent of the MTA which I definitely like.

What I would probably have to do is split every message that has multiple recipients, it is hard to work out if any of the rules would produce different results for each recipient of the message. Not impossible, but not easy. I would need to collect the results of every config variable for each message in a batch, and then look through all the results to find ones that aren't all the same. Then I would need to duplicate the message back into loopback once for each recipient and throw away the original (as I probably wouldn't be able to tell at that point which result I should be using).

That's got me thinking... (and there I was planning a nice quiet evening watching the telly :-)

At 17:28 03/11/2003, you wrote:
>Maybe an idea...
>
>Have MailScanner split and resubmit the message, as needed by the rule
>sets, to sendmail on the loopback interface before spam or virus
>checking happens. Then sendmail can control its own queue numbers and
>the message will be single recipient per message for the rest of the
>checks.
>
>Thoughts?
>
>Brent Strignano
>System Administrator
>Granite Capital Holdings
>Sidney NY USA
>
>
>
>-----Original Message-----
>From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK]
>Sent: Monday, November 03, 2003 11:50 AM
>To: MAILSCANNER@JISCMAIL.AC.UK
>Subject: Re: sendmail message splitting defeats bandwidth savings?
>
>
>At 16:04 03/11/2003, you wrote:
> >On Mon, 3 Nov 2003 10:00:19 -0500, you wrote:
> >
> > >By contrast what I'd prefer MS to do is: if a message comes in bound
> > >for multiple recipients and only a few of those recipients should be
> > >handled specially (whitelisted), create separate copies of the
> > >message for those recipients, queuing the files into mqueue by
> > >generating its own IDs.
> >
> >MS should be kept up to date with changes in the qf and df files of
> >sendmail. And it should be able to distinguish between the different
> >sets of changes.
>
>One of the main reasons I haven't done this before is that reading
>message filenames is a lot easier than creating new ones. For example,
>Sendmail has changed its format at least once that I can immediately
>think of, and it is non-trivial to work out (given an empty queue at
>startup) which format of filename I should use.
>
>When only sendmail is creating them, it's easy, I just use whatever
>filenames it supplies. But if I want to create unique new ones, then how
>do I work out what to call them? I need to keep strictly to its naming
>scheme so that if the sendmail folks tighten up their queue filename
>checking code, everything keeps working. So it's not good enough to
>"just do something that works", I have to get it 100% correct.
>
>I also have to guarantee that any new filename I create won't be
>possibly re-used later by the MTA. For example...
>
>The queues all start off empty, for simplicity.
>
>A message 1111 comes in, with 2 recipients with different rules, so it
>needs to be split. 2222 is a legal name for this MTA, and is not in use
>right now. So MailScanner creates 2 output messages 1111 and 2222. Then
>the MTA receives another message, which it decides to call 2222 (which
>isn't in use in the incoming queue, so I can't stop it doing it).
>MailScanner processes that and tries to create another message 2222 in
>the outgoing queue, which clashes with the earlier one.
>
>Consider what happens when 2222 has been in the outgoing queue for
>nearly a week, and is still waiting to be delivered. How do I stop the
>incoming MTA creating a queue file with a name that hasn't been used in
>the past week/month/year?
>
>It can't be done.
>
>I welcome comments to the contrary... :-)
>--
>Julian Field
>www.MailScanner.info
>MailScanner thanks transtec Computers for their support
>
>PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Mon Nov 3 17:56:25 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:20:49 2006
Subject: dcc/razor2/pyzor timeouts anyone?
In-Reply-To: <67D9E7698329D411936E00508B6590B902773BE4@neelix.lbsltd.co.uk>
Message-ID: <5.2.0.9.2.20031103175335.02cc7ea8@imap.ecs.soton.ac.uk>

There have been some DDoS attacks against anti-spam service today as the result of the spread of Mimail-C.
See this for a bit more info:
http://www.theregister.co.uk/content/56/33721.html

But I get the feeling that razor has been having its own problems today too.

At 17:38 03/11/2003, you wrote:
>Hi All,
>
>I've been having problems with one of my e-mail gateways today - the load
>average has been spiking at 1.90 with no unusual increase in mail volume
>and MailScanner's been showing in 'top' using 99.9% CPU.
>
>After a bit of investigating (strace -p, debug=yes etc. etc.) - I realised
>that SpamAssassin was getting timeouts when talking to Razor2/DCC/Pyzor
>(my timeouts are set to 10 seconds for each with SpamAssassin timeout set
>to 60 seconds in MailScanner.conf)
>
>Also while in Debug=yes/SpamAssassin Debug=yes mode I had an occurrence of
>'Process did not exit cleanly, returned 0 with signal 11' just after
>SpamAssassin ran its bayes tests (I think it was about to start a
>DCC/Razor2 or Pyzor check) and upon grepping /var/log/messages - I found
>64 occurrences of the 'signal 11' in the logs since its last log roll.
>
>I've since disabled the DCC/Pyzor/Razor2 checks while I work out what's
>going on - I also haven't had any sig11's in the log since I've done this
>and my load average is down to 0.04 (however it is after 5.30pm here so a
>lot of my users have gone home, so it won't get much stressing until tomorrow)
>
>Anyone else experience anything similar?? - I haven't made any changes to
>this box for ages.
>
>I'm running MailScanner 4.22-4, SA 2.60, DCC 1.1.36, Pyzor 0.4.0,
>Razor-Agents-2.22 and MailWatch CVS on RH9 running on a Compaq Proliant
>DL360 G1 933Mhz PIII with 512Mb RAM.
>
>Kind regards,
>Steve.

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20031103/387568f6/attachment.html

From mailscanner at ecs.soton.ac.uk Mon Nov 3 17:58:58 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:20:49 2006
Subject: workaround for "file size limit exceeded" messages?
In-Reply-To: <200311030938.27353.chris@fractalweb.com>
Message-ID: <5.2.0.9.2.20031103175745.02e3c9b8@imap.ecs.soton.ac.uk>

See the earlier posting
Date: Mon, 3 Nov 2003 16:06:31 +0100
From: Sebastian Wiesinger
Subject: Re: ClamAV Error

MailScanner appears to squeal a bit about the error but does trap the virus.

At 17:38 03/11/2003, you wrote:
>Is there a workaround for "file size limit exceeded" message issue that I'm
>seeing in maillog whenever ClamAV detects either Worm.Mimail.C or Worm.Bics?
>
>It appears that ClamAV is correctly identifying the virus but that extra
>status message is causing MailScanner to get confused and (I think) letting
>the virus through. I just signed up to the ClamAV mailing list, and at least
>one person is suggesting that this is a MailScanner issue.
>
>Any workarounds or fixes?
>
>Thanks,
>Chris
>--
>Chris Yuzik
>chris@fractalweb.com
>604-304-0444
>
>"Reality is that which, when you stop believing in it, doesn't go
>away".
> -- Philip K. Dick

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From RKearney at AZERTY.COM Mon Nov 3 18:08:51 2003
From: RKearney at AZERTY.COM (Kearney, Rob)
Date: Thu Jan 12 21:20:49 2006
Subject: dcc/razor2/pyzor timeouts anyone?
Message-ID: <210DF55DED65B547896F728FB057F3B2019C4905@seaver.ussco.com>

Been having Pyzor problems.. However DCC and Razor seem to be working fine.

Last Friday, it was DCC that was bombing out.

Now, I just set 'use_pyzor 0' in spam.assassin.prefs.conf and wait it out.

-rob

-----Original Message-----
From: Steve Freegard [mailto:steve.freegard@LBSLTD.CO.UK]
Sent: Monday, November 03, 2003 12:38 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: dcc/razor2/pyzor timeouts anyone?

Hi All,

I've been having problems with one of my e-mail gateways today - the load average has been spiking at 1.90 with no unusual increase in mail volume and MailScanner's been showing in 'top' using 99.9% CPU.

After a bit of investigating (strace -p, debug=yes etc. etc.) - I realised that SpamAssassin was getting timeouts when talking to Razor2/DCC/Pyzor (my timeouts are set to 10 seconds for each with SpamAssassin timeout set to 60 seconds in MailScanner.conf)

Also while in Debug=yes/SpamAssassin Debug=yes mode I had an occurrence of 'Process did not exit cleanly, returned 0 with signal 11' just after SpamAssassin ran its bayes tests (I think it was about to start a DCC/Razor2 or Pyzor check) and upon grepping /var/log/messages - I found 64 occurrences of the 'signal 11' in the logs since its last log roll.

I've since disabled the DCC/Pyzor/Razor2 checks while I work out what's going on - I also haven't had any sig11's in the log since I've done this and my load average is down to 0.04 (however it is after 5.30pm here so a lot of my users have gone home, so it won't get much stressing until tomorrow)

Anyone else experience anything similar?? - I haven't made any changes to this box for ages.

I'm running MailScanner 4.22-4, SA 2.60, DCC 1.1.36, Pyzor 0.4.0, Razor-Agents-2.22 and MailWatch CVS on RH9 running on a Compaq Proliant DL360 G1 933Mhz PIII with 512Mb RAM.

Kind regards,
Steve.
--
Steve Freegard
Systems Manager
Littlehampton Book Services Ltd.

--
This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the sender and delete the message from your mailbox. This footnote also confirms that this email message has been swept by MailScanner (www.mailscanner.info) for the presence of computer viruses.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20031103/acb041a1/attachment.html

From RKearney at AZERTY.COM Mon Nov 3 18:10:42 2003
From: RKearney at AZERTY.COM (Kearney, Rob)
Date: Thu Jan 12 21:20:49 2006
Subject: dcc/razor2/pyzor timeouts anyone?
Message-ID: <210DF55DED65B547896F728FB057F3B2019C4906@seaver.ussco.com>

OT.. Stealing thread..

How did you get RH9 working on your DL360. We tried, and tried.. and tried again.. but alas went to RH8, which is supported by Compaq anyways.

-rob

-----Original Message-----
From: Steve Freegard [mailto:steve.freegard@LBSLTD.CO.UK]
Sent: Monday, November 03, 2003 12:38 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: dcc/razor2/pyzor timeouts anyone?

Hi All,

I've been having problems with one of my e-mail gateways today - the load average has been spiking at 1.90 with no unusual increase in mail volume and MailScanner's been showing in 'top' using 99.9% CPU.

After a bit of investigating (strace -p, debug=yes etc. etc.) - I realised that SpamAssassin was getting timeouts when talking to Razor2/DCC/Pyzor (my timeouts are set to 10 seconds for each with SpamAssassin timeout set to 60 seconds in MailScanner.conf)

Also while in Debug=yes/SpamAssassin Debug=yes mode I had an occurrence of 'Process did not exit cleanly, returned 0 with signal 11' just after SpamAssassin ran its bayes tests (I think it was about to start a DCC/Razor2 or Pyzor check) and upon grepping /var/log/messages - I found 64 occurrences of the 'signal 11' in the logs since its last log roll.

I've since disabled the DCC/Pyzor/Razor2 checks while I work out what's going on - I also haven't had any sig11's in the log since I've done this and my load average is down to 0.04 (however it is after 5.30pm here so a lot of my users have gone home, so it won't get much stressing until tomorrow)

Anyone else experience anything similar?? - I haven't made any changes to this box for ages.

I'm running MailScanner 4.22-4, SA 2.60, DCC 1.1.36, Pyzor 0.4.0, Razor-Agents-2.22 and MailWatch CVS on RH9 running on a Compaq Proliant DL360 G1 933Mhz PIII with 512Mb RAM.

Kind regards,
Steve.
--
Steve Freegard
Systems Manager
Littlehampton Book Services Ltd.

--
This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the sender and delete the message from your mailbox. This footnote also confirms that this email message has been swept by MailScanner (www.mailscanner.info) for the presence of computer viruses.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20031103/76f494f5/attachment.html

From gdoris at rogers.com Mon Nov 3 18:11:45 2003
From: gdoris at rogers.com (Gerry Doris)
Date: Thu Jan 12 21:20:49 2006
Subject: ANNOUNCE: Beta 4.25-5 released
In-Reply-To: <5.2.0.9.2.20031103174127.03af8ea8@imap.ecs.soton.ac.uk>
References: <5.2.0.9.2.20031101173342.02c1fd00@imap.ecs.soton.ac.uk> <5.2.0.9.2.20031103174127.03af8ea8@imap.ecs.soton.ac.uk>
Message-ID: <50855.129.80.22.143.1067883105.squirrel@tiger.dorfam.ca>

> Some of you have downloaded 4.25-5 and hopefully installed it. Is it all
> working okay?
> Raymond is the only person who has commented (from what I've seen).
>
> Any problems?
> Any comments?
> Has anyone tried the HTML "disarming" options?
>
> Should I take it as is and turn it into a "stable" release?
>
> Jules.
>

I installed the beta version on the weekend. It went in without problems and is working fine. I didn't try the disarming option.

Gerry

From steinkel at PA.NET Mon Nov 3 18:13:36 2003
From: steinkel at PA.NET (Leland J. Steinke)
Date: Thu Jan 12 21:20:49 2006
Subject: sendmail message splitting defeats bandwidth savings?
References: <5.2.0.9.2.20031103174626.02e38d78@imap.ecs.soton.ac.uk>
Message-ID: <3FA69AD0.1020008@pa.net>

Julian Field wrote:
> I would need a *very* reliable SMTP client, for which Net::SMTP (or
> whatever it's called) might be a good candidate.
> But it's definitely a cool idea, it's even independent of the MTA which I
> definitely like.

The only problem that immediately comes to mind is that a single message to multiple recipients would be logged multiple times. This is very unfriendly to maillog-munchers...

Leland

From brent at MIRABITO.COM Mon Nov 3 18:17:07 2003
From: brent at MIRABITO.COM (Brent Strignano)
Date: Thu Jan 12 21:20:49 2006
Subject: sendmail message splitting defeats bandwidth savings?
Message-ID: <62E46E0C3CB8024C807447814E1B20A501225D4D@granitemail.mirabito.com>

Is it logged multiple times when sendmail splits the messages?

Brent Strignano
System Administrator
Granite Capital Holdings
Sidney NY USA

-----Original Message-----
From: Leland J. Steinke [mailto:steinkel@PA.NET]
Sent: Monday, November 03, 2003 1:14 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: sendmail message splitting defeats bandwidth savings?

Julian Field wrote:
> I would need a *very* reliable SMTP client, for which Net::SMTP (or
> whatever it's called) might be a good candidate. But it's definitely a
> cool idea, it's even independent of the MTA which I definitely like.

The only problem that immediately comes to mind is that a single message to multiple recipients would be logged multiple times. This is very unfriendly to maillog-munchers...

Leland

From kevins at BMRB.CO.UK Mon Nov 3 18:18:46 2003
From: kevins at BMRB.CO.UK (Kevin Spicer)
Date: Thu Jan 12 21:20:49 2006
Subject: workaround for "file size limit exceeded" messages?
In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB00188B0B1@pascal.priv.bmrb.co.uk>
References: <5C0296D26910694BB9A9BBFC577E7AB00188B0B1@pascal.priv.bmrb.co.uk>
Message-ID: <1067883529.12746.9.camel@bach.kevinspicer.co.uk>

On Mon, 2003-11-03 at 17:58, Julian Field wrote:
>MailScanner appears to squeal a bit about the error but does trap the
>virus.

Julian, there are definitely problems with MailScanner handling this and there seems to be some doubt about whether MailScanner really is stopping this. I'm also using Sophos (so the viruses are getting detected anyway). I'm seeing the following in my logs....

======START-LOG=======
Nov 3 06:49:56 scan MailScanner[16970]: Virus and Content Scanning: Starting
Nov 3 06:49:57 scan MailScanner[16970]: INFECTED:: W32/Mimail-C:: ./hA36nckm028024/photos.zip
Nov 3 06:49:57 scan MailScanner[16970]: Virus Scanning: SophosSAVI found 1 infections
Nov 3 06:49:57 scan MailScanner[16970]: /var/spool/MailScanner/incoming/16970/./hA36nckm028024/photos.zip: File size limit exceeded.
Nov 3 06:49:57 scan MailScanner[16970]: ProcessClamAVOutput: unrecognised line "/var/spool/MailScanner/incoming/16970/./hA36nckm028024/photos.zip: File size limit exceeded.". Please contact the authors!
Nov 3 06:49:57 scan MailScanner[16970]: (raw) /var/spool/MailScanner/incoming/16970/./hA36nckm028024/photos.zip: Worm.Mimail.C FOUND
Nov 3 06:49:57 scan MailScanner[16970]: Virus Scanning: ClamAV found 1 infections
Nov 3 06:49:57 scan MailScanner[16970]: Infected message (raw) came from
Nov 3 06:49:57 scan MailScanner[16970]: Infected message hA36nckm028024 came from xxx.xxx.xxx.xxx
Nov 3 06:49:57 scan MailScanner[16970]: Virus Scanning: Found 1 viruses
Nov 3 06:49:58 scan MailScanner[16970]: Cleaned: Delivered 1 cleaned messages
=====END-LOG=======

But the postmaster report looks like this...

=====START-REPORT======
The following e-mail messages were found to have viruses or banned attachments in them:

Sender: auser@mydomain.co.uk
IP Address: xxx.xxx.xxx.xxx
Recipient: another.user@mydomain.co.uk
Subject: Re[2]: our private photos aisaruor
MessageID: hA36nckm028024
Report: SophosSAVI: photos.zip was infected by W32/Mimail-C
=====END-REPORT========

No mention of Clam - even though the logs suggest Clam found it. Anecdotal evidence from other posts here and on the clam list suggests that although the logs show clam catching it that it may not be blocking the mail. I'm guessing from the logs above that it is failing to match the output from clam to the message ID hence the '(raw)', but I might be wide of the mark on that one. Unfortunately I delete not quarantine so I can't test my theory out.

Kevin

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000
_________________________________________________________________
This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business.

From kevins at BMRB.CO.UK Mon Nov 3 18:23:12 2003
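One way to handle the scanner output Kevin quotes, as an added sketch that is neither MailScanner's ProcessClamAVOutput nor Julian's patch: paths are normalised before the message id is taken from them, a status line is kept as a warning instead of derailing the parse, and any line that cannot be attributed puts messages not already flagged on hold rather than reporting them clean. The function names, the `hold` verdict and the second message id are assumptions made for the example.

```python
import posixpath
import re

# Constructed sample: the two ClamAV lines quoted in the log above, plus one
# invented line of a shape the parser does not know.
SAMPLE_OUTPUT = """\
/var/spool/MailScanner/incoming/16970/./hA36nckm028024/photos.zip: File size limit exceeded.
/var/spool/MailScanner/incoming/16970/./hA36nckm028024/photos.zip: Worm.Mimail.C FOUND
something the scanner printed that nobody anticipated
"""
WORK_DIR = "/var/spool/MailScanner/incoming/16970"

FOUND_RE = re.compile(r"^(?P<path>.+): (?P<name>\S+) FOUND$")
STATUS_RE = re.compile(r"^(?P<path>.+): (?P<status>[^:]+)$")


def message_and_file(path, work_dir):
    """Map a scanner path to (message id, file name); None if it is not
    <work_dir>/<message id>/<file>. Handles './' segments and relative paths."""
    full = posixpath.normpath(posixpath.join(work_dir, path))
    rel = posixpath.relpath(full, posixpath.normpath(work_dir))
    parts = rel.split("/")
    if parts[0] in ("..", ".") or len(parts) < 2:
        return None
    return parts[0], "/".join(parts[1:])


def parse_scanner_output(text, work_dir):
    """Return (infections, warnings, unrecognised).
    Assumes per-file lines only, i.e. no trailing scan summary in the output."""
    infections = {}     # message id -> [(file, virus name)]
    warnings = {}       # message id -> [(file, status text)]
    unrecognised = []   # lines that could not be tied to any message
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        match, kind = FOUND_RE.match(line), "found"
        if match is None:
            match, kind = STATUS_RE.match(line), "status"
        where = message_and_file(match.group("path"), work_dir) if match else None
        if where is None:
            unrecognised.append(line)
            continue
        msg_id, filename = where
        if kind == "found":
            infections.setdefault(msg_id, []).append((filename, match.group("name")))
        elif match.group("status") != "OK":
            # e.g. "File size limit exceeded.": the file was not fully examined.
            warnings.setdefault(msg_id, []).append((filename, match.group("status")))
    return infections, warnings, unrecognised


def batch_verdict(message_ids, text, work_dir):
    """Per-message verdict for one batch. A message is 'clean' only when nothing
    was found, nothing was warned about it, and every output line was understood."""
    infections, warnings, unrecognised = parse_scanner_output(text, work_dir)
    verdict = {}
    for msg_id in message_ids:
        if msg_id in infections:
            verdict[msg_id] = "infected"
        elif unrecognised or msg_id in warnings:
            verdict[msg_id] = "hold"
        else:
            verdict[msg_id] = "clean"
    return verdict
```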
From: kevins at BMRB.CO.UK (Kevin Spicer) Date: Thu Jan 12 21:20:49 2006 Subject: sendmail message splitting defeats bandwidth savings? In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB00188B0B7@pascal.priv.bmrb.co.uk> References: <5C0296D26910694BB9A9BBFC577E7AB00188B0B7@pascal.priv.bmrb.co.uk> Message-ID: <1067883793.13151.14.camel@bach.kevinspicer.co.uk> On Mon, 2003-11-03 at 18:13, Leland J. Steinke wrote: >The only problem that immediately comes to mind is that a single >message to >multiple recipients would be logged multiple times. This is very >unfriendly to maillog-munchers... That depends on your maillog-muncher. mailscanner-mrtg looks at the number of recipients and the number of messages. This seems a sound approach, as that way you know how many recipients you are processing for (which doesn't necessarily relate well to the actual number of messages) and how many messages you are processing (if you split messages you certainly increase the amount of work your server does). [disclaimer: I'm one of the developers of mailscanner-mrtg] BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. From mailscanner at ecs.soton.ac.uk Mon Nov 3 18:22:10 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:20:49 2006
Subject: workaround for "file size limit exceeded" messages?
In-Reply-To: <200311030938.27353.chris@fractalweb.com>
Message-ID: <5.2.0.9.2.20031103182023.03c71eb0@imap.ecs.soton.ac.uk>

Please can you try the attached patch for /usr/lib/MailScanner/MailScanner/SweepViruses.pm.
Copy the patch file into /tmp and do this

    cd /usr/lib/MailScanner/MailScanner
    patch -p0 < /tmp/SweepViruses.pm.clam.patch

Let me know if this solves the problem or not.

At 17:38 03/11/2003, you wrote:
>Is there a workaround for "file size limit exceeded" message issue that I'm
>seeing in maillog whenever ClamAV detects either Worm.Mimail.C or Worm.Bics?
>
>It appears that ClamAV is correctly identifying the virus but that extra
>status message is causing MailScanner to get confused and (I think) letting
>the virus through. I just signed up to the ClamAV mailing list, and at least
>one person is suggesting that this is a MailScanner issue.
>
>Any workarounds or fixes?
>
>Thanks,
>Chris
>--
>Chris Yuzik
>chris@fractalweb.com
>604-304-0444
>
>"Reality is that which, when you stop believing in it, doesn't go
>away".
>                                  -- Philip K. Dick

-------------- next part --------------
A non-text attachment was scrubbed...
Name: SweepViruses.pm.clam.patch
Type: application/octet-stream
Size: 703 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20031103/b19dc96a/SweepViruses.pm.clam.obj
-------------- next part --------------
--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From lou.baccari at HP.COM Mon Nov 3 18:30:13 2003
From: lou.baccari at HP.COM (Baccari, Lou) Date: Thu Jan 12 21:20:49 2006 Subject: dcc/razor2/pyzor timeouts anyone? Message-ID: What type of problems are you having because I have a few RH9 on DL360's -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Kearney, Rob Sent: Monday, November 03, 2003 1:11 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: dcc/razor2/pyzor timeouts anyone? OT.. Stealing thread.. How did you get RH9 working on your DL360. We tried, and tried.. and tried again.. but alas went to RH8, which is supported by Compaq anyways. -rob -----Original Message----- 
From: Steve Freegard [mailto:steve.freegard@LBSLTD.CO.UK]
Sent: Monday, November 03, 2003 12:38 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: dcc/razor2/pyzor timeouts anyone?

Hi All,

I've been having problems with one of my e-mail gateways today - the load average has been spiking at 1.90 with no unusual increase in mail volume and MailScanner's been showing in 'top' using 99.9% CPU.

After a bit of investigating (strace -p, debug=yes etc. etc.) - I realised that SpamAssassin was getting timeouts when talking to Razor2/DCC/Pyzor (my timeouts are set to 10 seconds for each with SpamAssassin timeout set to 60 seconds in MailScanner.conf)

Also while in Debug=yes/SpamAssassin Debug=yes mode I had an occurrence of 'Process did not exit cleanly, returned 0 with signal 11' just after SpamAssassin ran its bayes tests (I think it was about to start a DCC/Razor2 or Pyzor check) and upon grepping /var/log/messages - I found 64 occurrences of the 'signal 11' in the logs since its last log roll.

I've since disabled the DCC/Pyzor/Razor2 checks while I work out what's going on - I also haven't had any sig11's in the log since I've done this and my load average is down to 0.04 (however it is after 5.30pm here so a lot of my users have gone home, so it won't get much stressing until tomorrow)

Anyone else experience anything similar?? - I haven't made any changes to this box for ages.

I'm running MailScanner 4.22-4, SA 2.60, DCC 1.1.36, Pyzor 0.4.0, Razor-Agents-2.22 and MailWatch CVS on RH9 running on a Compaq Proliant DL360 G1 933Mhz PIII with 512Mb RAM.

Kind regards,
Steve.
--
Steve Freegard
Systems Manager
Littlehampton Book Services Ltd.

--
This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the sender and delete the message from your mailbox.
This footnote also confirms that this email message has been swept by MailScanner (www.mailscanner.info) for the presence of computer viruses. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20031103/101a49ae/attachment.html From Pascal.Maes at ELEC.UCL.AC.BE Mon Nov 3 18:32:56 2003 From: Pascal.Maes at ELEC.UCL.AC.BE (Pascal Maes) Date: Thu Jan 12 21:20:49 2006 Subject: MailScanner-MRTG 0.06 and solaris In-Reply-To: <200311030000.hA300821007001@gaia.elec.ucl.ac.be> References: <200311030000.hA300821007001@gaia.elec.ucl.ac.be> Message-ID: Hi, the command "ps -eo comm" is used to count the number of MailScanner processes. In my configuration (Solaris 8, perl 5.8.0), this command returns "/bin/perl". So the number of MailScanner process is always 0. "ps -ef" was working fine. Why did you change that ? -- -- Pascal -- -- From mailscanner at LISTS.COM.AR Mon Nov 3 18:42:02 2003 
From: mailscanner at LISTS.COM.AR (Mariano Absatz)
Date: Thu Jan 12 21:20:49 2006
Subject: too many deletions => lost messages
Message-ID: <3FA6774A.21765.32A0B791@localhost>

Hi Julian,

a few days ago, I noticed a message was apparently "eaten" by my MailScanner... I had it arrived in the (zmailer's) smtpserver, but never showed in my personal MailScanner loggin' (done via CustomConfig.pm).

I did a little bit of debuggin' and found that sometimes MailScanner::SMDiskStore::WriteEntireMessage() did not find the message file in $this->{hdpath} (in ZMDiskStore.pm).

As I couldn't figure out why, I handed it to Leo (our Perl wizard, who actually wrote much of the ZMailer code) and he found what the problem was (and I found an explanation of why this seems to only affect ZMailer and not the other mailers).

Leo filled sources with additional loggin' and he found out the following:

The deletion function (MailScanner::MessageBatch::RemoveDeletedMessages) may be called many times for the same message (in the main MailScanner script).

    Once after DeliverUnscanned()
    Once after DeleteUnwantedCleaned()
    Once after DeliverCleaned()
    ...

Message::DeleteMessage is also called from within DisinfectAndDeliver...

Now, AFAIK, the filename for a message is not reused in the other MTAs (at least in Sendmail and Exim which have a timestamp codified in the filename, I dunno about Postfix)... but ZMailer queue filenames are only based on the inode number, so they actually repeat a lot and (at least on linux) really fast, since inode numbers can be reused as soon as they become available (e.g. because the file was deleted).

Now, if I have the followin' situation:

1) MailScanner process X starts processing a batch which comprises the queue file /var/spool/postoffice-incoming/router/12345 (called like that by ZMailer because its inode number is 12345).

2) MS process X after running DeleteUnwantedCleaned() calls RemoveDeletedMessages(), which actually removes file /var/spool/postoffice-incoming/router/12345 (thus inode 12345 is now available)

3) ZMailer's smtpserver receives a new message, creates a file and, since the OS assigns inode number 12345 to it, the file finally becomes /var/spool/postoffice-incoming/router/12345

4) MS process Y (not X) starts processing a new batch which comprises this new queue file /var/spool/postoffice-incoming/router/12345.

5) Now, the old MS process X, after calling DeliverCleaned(), again calls DeleteUnwantedCleaned() which, as the message object for the already deleted file is still there with its {deleted} attribute on, tries to delete it again... and, as the file exists, it _is_ actually deleted... but this file belonged to Y's batch.

6) MS process Y wants to copy the message to someplace else to keep processing it, but alas, the file is not there :-(

The message was actually lost and cannot be recovered...

The problem comes from assuming that queue filenames are not repeated, which is true of Sendmail and Exim (and may be true for Postfix, I don't know), but is blatantly false for ZMailer...

OTOH, the {deleted} attribute of the Message object, depending on where it is used means "must be deleted" or "has been deleted".

I'm working with 4.23, but I don't think there were many changes in this neighborhood in 4.24 or 4.25...

For what I have seen, it should be pretty easy to make {deleted} mean "has to be deleted" and create a new attribute {actuallydeleted} or something like that that be set after actual deletion and checked before it so we don't double-delete messages.

More analysis seem to show that SMDiskStore::Delete() is never called... is this dead code?

Regards.
--
Mariano Absatz
El Baby
----------------------------------------------------------
/"\                        |
\ /  ASCII RIBBON CAMPAIGN |
 X   AGAINST HTML MAIL     |
/ \                        |

From kevin at KEVINSPICER.CO.UK Mon Nov 3 18:57:38 2003
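The six-step sequence from Mariano Absatz's post above, replayed deterministically as an added Python example (not MailScanner or ZMailer code), with the sweep he describes beside the {actuallydeleted}-style guard he proposes. The Spool class, its lowest-free-number allocation (standing in for fast inode reuse) and all function names are assumptions of this example.

```python
class Spool:
    """Toy queue directory. File names are inode numbers and the lowest free
    number is handed out first, modelling the fast inode reuse described in
    the post (an assumption of this example)."""

    def __init__(self, first_inode=12345):
        self.first_inode = first_inode
        self.files = {}  # name -> message body

    def create(self, body):
        inode = self.first_inode
        while str(inode) in self.files:
            inode += 1
        self.files[str(inode)] = body
        return str(inode)

    def unlink(self, name):
        """Remove by name; True if a file with that name existed."""
        return self.files.pop(name, None) is not None


class Message:
    def __init__(self, name):
        self.name = name
        self.deleted = False           # "has to be deleted"
        self.actually_deleted = False  # set once the unlink was attempted


def naive_sweep(spool, batch):
    """Behaviour described in the post: every sweep unlinks by name again."""
    return [m.name for m in batch if m.deleted and spool.unlink(m.name)]


def guarded_sweep(spool, batch):
    """Proposed fix: a message is unlinked at most once per Message object."""
    removed = []
    for m in batch:
        if m.deleted and not m.actually_deleted:
            m.actually_deleted = True
            if spool.unlink(m.name):
                removed.append(m.name)
    return removed


def replay(sweep):
    """Run steps 1-6 with the given sweep function and report the outcome."""
    spool = Spool()
    # 1) process X picks up a batch containing the first queue file
    name_x = spool.create("message A")
    batch_x = [Message(name_x)]
    # 2) X marks it for deletion and sweeps; the name becomes free
    batch_x[0].deleted = True
    sweep(spool, batch_x)
    # 3) the MTA receives a new message and gets the same name back
    name_y = spool.create("message B")
    # 4) process Y picks up a batch containing the new file
    batch_y = [Message(name_y)]
    # 5) X reaches a later stage of its own batch and sweeps again
    second = sweep(spool, batch_x)
    # 6) Y tries to read its message
    return {
        "name_reused": name_x == name_y,
        "second_sweep_removed": second,
        "y_reads": spool.files.get(batch_y[0].name),
    }


if __name__ == "__main__":
    print("naive:  ", replay(naive_sweep))
    print("guarded:", replay(guarded_sweep))
```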
From: kevin at KEVINSPICER.CO.UK (Kevin Spicer)
Date: Thu Jan 12 21:20:49 2006
Subject: MailScanner-MRTG 0.06 and solaris
In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB00188B0BD@pascal.priv.bmrb.co.uk>
References: <5C0296D26910694BB9A9BBFC577E7AB00188B0BD@pascal.priv.bmrb.co.uk>
Message-ID: <1067885858.12746.48.camel@bach.kevinspicer.co.uk>

On Mon, 2003-11-03 at 18:32, Pascal Maes wrote:
>the command "ps -eo comm" is used to count the number of MailScanner
>processes.
>In my configuration (Solaris 8, perl 5.8.0), this command returns
>"/bin/perl".
>So the number of MailScanner process is always 0.
>"ps -ef" was working fine. Why did you change that ?

It's never been "ps -ef". It was "ps ax" in 0.05 and "ps -eo comm" in the recent snapshot. 0.05 didn't support Solaris anyway (unless you hacked it to do so). Anyway, that aside, the reason for the change was to get around some problems on Linux with "ps ax" which returned inconsistent results across certain distros / kernel versions.

I have access to Solaris machines, but they don't run MailScanner, so although I can check output for sendmail etc I can't easily check for MailScanner on Solaris. It seems that the comm format on Solaris yields subtly different output than on Linux. It would be a great help if you could run the following commands for me and send me the output from your system (then I can make sure I get it right this time).

    ps -eo comm | grep sendmail
    ps -eo args | grep sendmail
    ps -eo comm | grep MailScanner
    ps -eo args | grep MailScanner

As you probably guessed I suspect the fix is to change "ps -eo comm" to "ps -eo args" at lines 423 and 277 but I'd like to see the output to be sure.

Thanks
Kevin
--
Kevin Spicer (kevin AT kevinspicer DOT co DOT uk)
This message is digitally signed using the GNU Privacy Guard. My public key may be obtained from http://www.keyserver.net

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available Type: application/pgp-signature Size: 189 bytes Desc: This is a digitally signed message part Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20031103/ef608221/attachment.bin From TGFurnish at HERFF-JONES.COM Mon Nov 3 19:01:00 2003 From: TGFurnish at HERFF-JONES.COM (Furnish, Trever G) Date: Thu Jan 12 21:20:49 2006 Subject: sendmail message splitting defeats bandwidth savings? Message-ID: <8FFC76593085ED4A80D3601BC41EFCDF02A60536@inex1.herffjones.hj-int> Brent wrote: > Is it logged multiple times when sendmail splits the messages? Yes. From greyhair at GREYHAIR.NET Mon Nov 3 19:08:43 2003 From: greyhair at GREYHAIR.NET (greyhair) Date: Thu Jan 12 21:20:49 2006 Subject: OT: Linux Distrobutions? Message-ID: <3FA6A7BB.2020309@greyhair.net> Hello. I just got an email about Redhat going enterprise. From redhat email: >As previously communicated, Red Hat will discontinue maintenance and >errata support for Red Hat Linux 7.1, 7.2, 7.3 and 8.0 as of December >31, 2003. Red Hat will discontinue maintenance and errata support for >Red Hat Linux 9 as of April 30, 2004. Red Hat does not plan to release >another product in the Red Hat Linux line. > I run a personal + friends, Not for Profit server for email and web, 100% on my own dime. If I could afford enterprise I would. I know this has nearly nothing to do with mailscanner, but I'm looking for recommendations for Linux Distro's. I like redhat for the ease of updating and use. I like not having to spend time figuring dependencies. I could afford SuSE professional ($80 per 2 years or so). I'm looking for something that I don't have to spend a lot of time tweaking. Recommendations? Thanks for any feedback, Thanks for your time. greyhair From TGFurnish at HERFF-JONES.COM Mon Nov 3 19:14:58 2003 
From: TGFurnish at HERFF-JONES.COM (Furnish, Trever G)
Date: Thu Jan 12 21:20:49 2006
Subject: sendmail message splitting defeats bandwidth savings?
Message-ID: <8FFC76593085ED4A80D3601BC41EFCDF0C087F@inex1.herffjones.hj-int>

Well, I had thought of suggesting re-submitting the message after deciding simply that it needed to be split, but that would remove the ability to check based on sender IP, right?

On the other hand, if we just do whatever needs to be "done" to the message and then submit it for outbound delivery, then all we have to do is deal with queue formats, right? So maybe we could just use a different queue for outbound messages that have been split. No second pass through MS, just delivery via a modified mechanism.

For example, how about delivery through a third sendmail, this one listening on a different port and just accepting submissions and sending them immediately? Ie we'd end up with these sendmail parents:

1. Port 25 listener, queueing into mqueue.in
2. Normal delivery queue runner, watching mqueue
3. Split-message listener/runner, listening on port 1024 and performing immediate delivery, queuing into mqueue.split only if needed.

Then again, if you were going that route, then would there still be a significant advantage in keeping both this new delivery method and the "traditional" queue file moving method? (Probably - it seems much faster. But maybe this would make the postfix author a bit more agreeable too. ;-) )

I have the painful apprehension that I may be typing more quickly than I'm thinking. ;-)

-t.

> -----Original Message-----
> From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] > Sent: Monday, November 03, 2003 12:53 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: sendmail message splitting defeats bandwidth savings? > > > I would need a *very* reliable SMTP client, for which Net::SMTP (or > whatever it's called) might be a good candidate. > But it's definitely a cool idea, it's even independent of the > MTA which I > definitely like. > > What I would probably have to do is split every message that > has multiple > recipients, it is hard to work out if any of the rules would produce > different results for each recipient of the message. Not > impossible, but > not easy. I would need to collect the results of every config > variable for > each message in a batch, and then look through all the > results to find ones > that aren't all the same. Then I would need to duplicate the > message back > into loopback once for each recipient and throw away the > original (as I > probably wouldn't be able to tell at that point which result > I should be > using). > > That's got me thinking... > (and there I was planning a nice quiet evening watching the telly :-) > > At 17:28 03/11/2003, you wrote: > >Maybe an idea... > > > >Have MailScanner split and resubmit the message, as needed > by the rule > >sets, to sendmail on the loopback interface before spam or virus > >checking happens. Then sendmail can control its own queue numbers and > >the message will be single recipient per message for the rest of the > >checks. > > > >Thoughts? > > > >Brent Strignano > >System Administrator > >Granite Capital Holdings > >Sidney NY USA > > > > > > > >-----Original Message----- 
> >From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] > >Sent: Monday, November 03, 2003 11:50 AM > >To: MAILSCANNER@JISCMAIL.AC.UK > >Subject: Re: sendmail message splitting defeats bandwidth savings? > > > > > >At 16:04 03/11/2003, you wrote: > > >On Mon, 3 Nov 2003 10:00:19 -0500, you wrote: > > > > > > >By contrast what I'd prefer MS to do is: if a message > comes in bound > > > >for multiple recipients and only a few of those > recipients should be > > > >handled specially (whitelisted), create separate copies of the > > > >message for those recipients, queuing the files into mqueue by > > > >generating its own IDs. > > > > > >MS should be kept up to date with changes in de qf and df files of > > >sendmail. And it should be able to distinguish between the > different > > >sets of changes. > > > >One of the main reasons I haven't done this before is that reading > >message filenames is a lot easier than creating new ones. > For example, > >Sendmail has changed its format at least once that I can immediately > >think of, and it is non-trivial to work out (given an empty queue at > >startup) which format of filename I should use. > > > >When only sendmail is creating them, it's easy, I just use whatever > >filenames it supplies. But if I want to create unique new > ones, then how > >do I work out what to call them? I need to keep strictly to > its naming > >scheme so that if the sendmail folks tighten up their queue filename > >checking code, everything keeps working. So it's not good enough to > >"just do something that works", I have to get it 100% correct. > > > >I also have to guarantee that any new filename I create won't be > >possibly re-used later by the MTA. For example... > > > >The queues all start off empty, for simplicity. > > > >A message 1111 comes in, with 2 recipients with different > rules, so it > >needs to be split. 2222 is a legal name for this MTA, and is > not in use > >right now. 
So MailScanner creates 2 output messages 1111 and > 2222. Then > >the MTA receives another message, which it decides to call > 2222 (which > >isn't in use in the incoming queue, so I can't stop it doing it). > >MailScanner processes that and tries to create another > message 2222 in > >the outgoing queue, which clashes with the earlier one. > > > >Consider what happens when 2222 has been in the outgoing queue for > >nearly a week, and is still waiting to be delivered. How do > I stop the > >incoming MTA creating a queue file with a name that hasn't > been used in > >the past week/month/year? > > > >It can't be done. > > > >I welcome comments to the contrary... :-) > >-- > >Julian Field > >www.MailScanner.info > >MailScanner thanks transtec Computers for their support > > > >PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > > -- > Julian Field > www.MailScanner.info > Professional Support Services at www.MailScanner.biz > MailScanner thanks transtec Computers for their support > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > From mailscanner at ecs.soton.ac.uk Mon Nov 3 19:15:57 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:20:49 2006 Subject: OT: Linux Distrobutions? In-Reply-To: <3FA6A7BB.2020309@greyhair.net> Message-ID: <5.2.0.9.2.20031103191302.03bcc750@imap.ecs.soton.ac.uk> The free version of RedHat will continue, but will be now known as "Fedora" (the type of hat) and will be updated a few times each year. They don't guarantee how long support will be provided for any given Fedora release, but I think it's what most people will migrate their boxes to. Lots of people on this list are bound to vote for Debian, but personally I have always found it to be the "enthusiast's" distro. Usual rules on flame wars and religious debates apply :) SuSE is a good alternative to RedHat. At 19:08 03/11/2003, you wrote: >Hello. > >I just got an email about Redhat going enterprise. > From redhat email: > >>As previously communicated, Red Hat will discontinue maintenance and >>errata support for Red Hat Linux 7.1, 7.2, 7.3 and 8.0 as of December >>31, 2003. Red Hat will discontinue maintenance and errata support for >>Red Hat Linux 9 as of April 30, 2004. Red Hat does not plan to release >>another product in the Red Hat Linux line. >I run a personal + friends, Not for Profit server for email and web, >100% on my own dime. >If I could afford enterprise I would. I know this has nearly nothing to >do with mailscanner, >but I'm looking for recommendations for Linux Distro's. I like redhat >for the ease of updating >and use. I like not having to spend time figuring dependencies. I >could afford SuSE >professional ($80 per 2 years or so). I'm looking for something that I >don't have to spend a >lot of time tweaking. > >Recommendations? > >Thanks for any feedback, Thanks for your time. 
>greyhair -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From shawn at ADVANCEDMANAGED.COM Mon Nov 3 19:16:44 2003 From: shawn at ADVANCEDMANAGED.COM (shawn stecker) Date: Thu Jan 12 21:20:49 2006 Subject: Linux Distrobutions? In-Reply-To: <3FA6A7BB.2020309@greyhair.net> Message-ID: <021301c3a23f$07f2fc30$72cad7c0@pong> mandrake -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of greyhair Sent: Monday, November 03, 2003 11:09 AM To: MAILSCANNER@JISCMAIL.AC.UK Subject: OT: Linux Distrobutions? Hello. I just got an email about Redhat going enterprise. From redhat email: >As previously communicated, Red Hat will discontinue maintenance and >errata support for Red Hat Linux 7.1, 7.2, 7.3 and 8.0 as of December >31, 2003. Red Hat will discontinue maintenance and errata support for >Red Hat Linux 9 as of April 30, 2004. Red Hat does not plan to release >another product in the Red Hat Linux line. > I run a personal + friends, Not for Profit server for email and web, 100% on my own dime. If I could afford enterprise I would. I know this has nearly nothing to do with mailscanner, but I'm looking for recommendations for Linux Distro's. I like redhat for the ease of updating and use. I like not having to spend time figuring dependencies. I could afford SuSE professional ($80 per 2 years or so). I'm looking for something that I don't have to spend a lot of time tweaking. Recommendations? Thanks for any feedback, Thanks for your time. greyhair From sailer at BNL.GOV Mon Nov 3 19:17:32 2003 
From: sailer at BNL.GOV (Tim Sailer) Date: Thu Jan 12 21:20:49 2006 Subject: OT: Linux Distrobutions? In-Reply-To: <3FA6A7BB.2020309@greyhair.net> References: <3FA6A7BB.2020309@greyhair.net> Message-ID: <20031103191732.GA9750@bnl.gov> One word. "Debian" Tim On Mon, Nov 03, 2003 at 01:08:43PM -0600, greyhair wrote: > Hello. > > I just got an email about Redhat going enterprise. > From redhat email: > > >As previously communicated, Red Hat will discontinue maintenance and > >errata support for Red Hat Linux 7.1, 7.2, 7.3 and 8.0 as of December > >31, 2003. Red Hat will discontinue maintenance and errata support for > >Red Hat Linux 9 as of April 30, 2004. Red Hat does not plan to release > >another product in the Red Hat Linux line. > > > I run a personal + friends, Not for Profit server for email and web, > 100% on my own dime. > If I could afford enterprise I would. I know this has nearly nothing to > do with mailscanner, > but I'm looking for recommendations for Linux Distro's. I like redhat > for the ease of updating > and use. I like not having to spend time figuring dependencies. I > could afford SuSE > professional ($80 per 2 years or so). I'm looking for something that I > don't have to spend a > lot of time tweaking. > > Recommendations? > > Thanks for any feedback, Thanks for your time. > greyhair > -- Tim Sailer Information and Special Technologies Program Office of CounterIntelligence Brookhaven National Laboratory (631) 344-3001 From ugob at CAMO-ROUTE.COM Mon Nov 3 19:19:16 2003 
From: ugob at CAMO-ROUTE.COM (Ugo Bellavance)
Date: Thu Jan 12 21:20:50 2006
Subject: Linux Distrobutions?
Message-ID: <54C38A0B814C8E438EF73FC76F3629273AE0DE@mtlnt501fs.CAMOROUTE.COM>

> -----Original Message-----
> From: greyhair [mailto:greyhair@GREYHAIR.NET]
> Sent: Monday, November 03, 2003 2:09 PM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: OT: Linux Distrobutions?
>
>
> Hello.
>
> I just got an email about Redhat going enterprise.
> From redhat email:
>
> >As previously communicated, Red Hat will discontinue maintenance and
> >errata support for Red Hat Linux 7.1, 7.2, 7.3 and 8.0 as of December
> >31, 2003. Red Hat will discontinue maintenance and errata support for
> >Red Hat Linux 9 as of April 30, 2004. Red Hat does not plan to release
> >another product in the Red Hat Linux line.
> >
> I run a personal + friends, Not for Profit server for email and web,
> 100% on my own dime.
> If I could afford enterprise I would. I know this has nearly nothing to
> do with mailscanner,
> but I'm looking for recommendations for Linux Distro's. I like redhat
> for the ease of updating
> and use. I like not having to spend time figuring dependencies. I
> could afford SuSE
> professional ($80 per 2 years or so). I'm looking for something that I
> don't have to spend a
> lot of time tweaking.
>
> Recommendations?
>
> Thanks for any feedback, Thanks for your time.
> greyhair

One could get into FreeBSD. This might be what I'll do. I don't know too much Fedora, but it worries me a bit.

>
From joshua.hirsh at PARTNERSOLUTIONS.CA Mon Nov 3 19:15:31 2003
From: joshua.hirsh at PARTNERSOLUTIONS.CA (Hirsh, Joshua) Date: Thu Jan 12 21:20:50 2006 Subject: OT: Linux Distrobutions? Message-ID: <75FEDC422E2309419A9303E7B18F206E04DB5D06@eqmail1.efni.vpn> From what I understand, a project called Fedora-legacy is also being started up which will keep the RH 7/8/9 releases up to date with security fixes after Red Hat drops them from their vocabulary. It hasn't fully gotten off the ground yet though.. Personally, I'm going the route of rebuilding RHEL from the SRPMS.. but challenges are fun sometimes :) Cheers, -Joshua From shrek-m at GMX.DE Mon Nov 3 19:27:09 2003 
From: shrek-m at GMX.DE (shrek-m@gmx.de) Date: Thu Jan 12 21:20:50 2006 Subject: OT: Linux Distrobutions? In-Reply-To: <3FA6A7BB.2020309@greyhair.net> References: <3FA6A7BB.2020309@greyhair.net> Message-ID: <3FA6AC0D.6000005@gmx.de> greyhair wrote: > I just got an email about Redhat going enterprise. > From redhat email: > >> As previously communicated, Red Hat will discontinue maintenance and >> errata support for Red Hat Linux 7.1, 7.2, 7.3 and 8.0 as of December >> 31, 2003. Red Hat will discontinue maintenance and errata support for >> Red Hat Linux 9 as of April 30, 2004. Red Hat does not plan to release >> another product in the Red Hat Linux line. >> > I run a personal + friends, Not for Profit server for email and web, > 100% on my own dime. > If I could afford enterprise I would. I know this has nearly nothing to > do with mailscanner, > but I'm looking for recommendations for Linux Distro's. I like redhat > for the ease of updating > and use. I like not having to spend time figuring dependencies. I > could afford SuSE > professional ($80 per 2 years or so). I'm looking for something that I > don't have to spend a > lot of time tweaking. > > Recommendations? "fedora core 1" http://fedora.redhat.com/ http://fedora.redhat.com/about/rhel.html or http://www.distrowatch.com/ debian, slackware, gentoo, ... or freebsd, openbsd, ... -- shrek-m From bob.jones at USG.EDU Mon Nov 3 19:27:49 2003 
From: bob.jones at USG.EDU (Bob Jones)
Date: Thu Jan 12 21:20:50 2006
Subject: OT: Linux Distrobutions?
In-Reply-To: <5.2.0.9.2.20031103191302.03bcc750@imap.ecs.soton.ac.uk>
References: <5.2.0.9.2.20031103191302.03bcc750@imap.ecs.soton.ac.uk>
Message-ID: <3FA6AC35.7070508@usg.edu>

Julian Field wrote:
>
> Lots of people on this list are bound to vote for Debian, but personally I
> have always found it to be the "enthusiast's" distro. Usual rules on flame
> wars and religious debates apply :)
> SuSE is a good alternative to RedHat.

And let me be the first of those people. I used to be a Red Hat guy (even have an RHCE), but I heavily endorse Debian now, especially for servers. The 2 main benefits from Debian are its package management system (the best bar none) and its stability. The Debian developers fix many bugs that have yet to be fixed in the generic source distribution of many packages.

I can sort of understand not running Debian as your desktop unless you really know what you're doing because the stable release of Debian has pretty old versions of packages (so unless you're comfortable running the development distribution, you might not have all you need). However, for servers, it's the best. You do a very minimal install and then add the few packages you need for your services. You won't have the bloat of many other distributions for a server box.

All IMHO of course,
Bob

From ugob at CAMO-ROUTE.COM Mon Nov 3 19:31:05 2003
From: ugob at CAMO-ROUTE.COM (Ugo Bellavance)
Date: Thu Jan 12 21:20:50 2006
Subject: OT: Linux Distrobutions?
Message-ID: <54C38A0B814C8E438EF73FC76F3629273AE0E0@mtlnt501fs.CAMOROUTE.COM>

> I can sort of understand not running Debian as your desktop unless you
> really know what you're doing because the stable release of Debian has
> pretty old versions of packages (so unless you're comfortable running the
> development distribution, you might not have all you need). However,
> for servers, it's the best. You do a very minimal install and then
> add the few packages you need for your services. You won't have the
> bloat of many other distributions for a server box.
>
> All IMHO of course,
> Bob
>

Interesting, but which distribution are you running? testing or unstable?

Thanks,
Ugo

From jase at SENSIS.COM Mon Nov 3 19:32:53 2003
From: jase at SENSIS.COM (Desai, Jason)
Date: Thu Jan 12 21:20:50 2006
Subject: workaround for "file size limit exceeded" messages?
Message-ID:

What about uncommenting all of the ExtraScanOptions in clamav-wrapper? Specifically:

    # Uncomment next line if you need to disable Clam's DoS protection
    ExtraScanOptions="--max-files=0 --max-space=0 --max-recursion=0 $ExtraScanOptions"

I know these options work with ClamAV 0.60, but I'm not sure about earlier versions. Also, I cannot say for sure if it would fix the problem you're seeing as I have not seen any Mimail.C viruses yet.

Jason

> -----Original Message-----
> From: Chris Yuzik [mailto:chris@FRACTALWEB.COM] > Sent: Monday, November 03, 2003 12:38 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: [MAILSCANNER] workaround for "file size limit > exceeded" messages? > > > Is there a workaround for "file size limit exceeded" message > issue that I'm > seeing in maillog whenever ClamAV detects either > Worm.Mimail.C or Worm.Bics? > > It appears that ClamAV is correctly identifying the virus but > that extra > status message is causing MailScanner to get confused and (I > think) letting > the virus through. I just signed up to the ClamAV mailing > list, and at least > one person is suggesting that this is a MailScanner issue. > > Any workarounds or fixes? > > Thanks, > Chris > -- > Chris Yuzik > chris@fractalweb.com > 604-304-0444 > > "Reality is that which, when you stop believing in it, doesn't go > away". > -- Philip K. Dick > From hermit921 at YAHOO.COM Mon Nov 3 19:21:10 2003 
From: hermit921 at YAHOO.COM (hermit921) Date: Thu Jan 12 21:20:50 2006 Subject: rogue MailScanner processes In-Reply-To: <5.2.0.9.2.20031101173342.02c1fd00@imap.ecs.soton.ac.uk> Message-ID: <5.1.0.14.2.20031103111129.01db6f18@pop.mail.yahoo.com> I have 4 RH9 boxes running MS 4.24. The install process was the same on each, and I copied the config files from one box to all the others. After 2 weeks of operation, one of the boxes began to stop delivering mail at irregular intervals, although postfix kept accepting mail and storing it in the postfix.in queue. Stopping and starting MailScanner would start the mail being processed again. I noticed that although MS is supposed to restart itself every 4 hours, when mail stops I find older MS children using 80-99% CPU each. Sometimes killing just one of the rogue processes is enough to start mail flowing again - I suspect that would always work if I selected the correct process. Any ideas where to look? hermit921 # ps -ef |grep Mail postfix 6399 1 0 Nov02 ? 00:00:00 /usr/bin/perl -I/usr/lib/MailScanner /usr/sbin/MailScanner /etc/MailScanner/MailScanner.conf postfix 16265 6399 81 Nov02 ? 20:24:40 /usr/bin/perl -I/usr/lib/MailScanner /usr/sbin/MailScanner /etc/MailScanner/MailScanner.conf postfix 16435 6399 81 Nov02 ? 19:57:56 /usr/bin/perl -I/usr/lib/MailScanner /usr/sbin/MailScanner /etc/MailScanner/MailScanner.conf postfix 21172 6399 0 09:01 ? 00:00:10 /usr/bin/perl -I/usr/lib/MailScanner /usr/sbin/MailScanner /etc/MailScanner/MailScanner.conf postfix 21431 6399 0 09:03 ? 00:00:04 /usr/bin/perl -I/usr/lib/MailScanner /usr/sbin/MailScanner /etc/MailScanner/MailScanner.conf postfix 21491 6399 0 09:03 ? 00:00:04 /usr/bin/perl -I/usr/lib/MailScanner /usr/sbin/MailScanner /etc/MailScanner/MailScanner.conf From bob.jones at USG.EDU Mon Nov 3 19:38:20 2003 
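An added example (not from the original post and not MailScanner code): a shell function that reads `ps -ef` output and prints the PIDs of MailScanner children whose cumulative CPU time exceeds the 4-hour restart interval mentioned in the post, which a child restarted on schedule could not reach. The function names, the threshold variable, the constructed header row and the assumption that each child is a single-threaded perl process are mine; the sample process rows are copied from the listing in the post.

```shell
#!/bin/sh
# Restart interval from the post ("restart itself every 4 hours"), in seconds.
RESTART_SECS=14400

# Reads `ps -ef` output on stdin and prints, one per line, the PID of every
# MailScanner child whose cumulative CPU time is above the limit.
# Optional argument: limit in seconds (defaults to RESTART_SECS).
# Assumption: a child is single-threaded, so its CPU time cannot exceed its age.
find_stuck_children() {
    awk -v limit="${1:-$RESTART_SECS}" '
    # Convert the ps TIME column ([DD-]HH:MM:SS) to seconds; -1 if unparsable.
    function cpu_secs(t,    days, n, p) {
        days = 0
        if (index(t, "-") > 0) {
            days = substr(t, 1, index(t, "-") - 1)
            t = substr(t, index(t, "-") + 1)
        }
        n = split(t, p, ":")
        if (n == 3) return days * 86400 + p[1] * 3600 + p[2] * 60 + p[3]
        if (n == 2) return days * 86400 + p[1] * 60 + p[2]
        return -1
    }
    # ps -ef columns: UID PID PPID C STIME TTY TIME CMD...
    $1 == "UID" { next }                       # skip the header row
    $0 !~ /\/usr\/sbin\/MailScanner/ { next }  # only MailScanner processes
    $3 == 1 { next }                           # the parent, not a worker child
    cpu_secs($7) > limit { print $2 }
    '
}

# Sample input: header row constructed, process rows taken from the post.
sample_ps() {
    cat <<'EOF'
UID PID PPID C STIME TTY TIME CMD
postfix 6399 1 0 Nov02 ? 00:00:00 /usr/bin/perl -I/usr/lib/MailScanner /usr/sbin/MailScanner /etc/MailScanner/MailScanner.conf
postfix 16265 6399 81 Nov02 ? 20:24:40 /usr/bin/perl -I/usr/lib/MailScanner /usr/sbin/MailScanner /etc/MailScanner/MailScanner.conf
postfix 16435 6399 81 Nov02 ? 19:57:56 /usr/bin/perl -I/usr/lib/MailScanner /usr/sbin/MailScanner /etc/MailScanner/MailScanner.conf
postfix 21172 6399 0 09:01 ? 00:00:10 /usr/bin/perl -I/usr/lib/MailScanner /usr/sbin/MailScanner /etc/MailScanner/MailScanner.conf
postfix 21431 6399 0 09:03 ? 00:00:04 /usr/bin/perl -I/usr/lib/MailScanner /usr/sbin/MailScanner /etc/MailScanner/MailScanner.conf
postfix 21491 6399 0 09:03 ? 00:00:04 /usr/bin/perl -I/usr/lib/MailScanner /usr/sbin/MailScanner /etc/MailScanner/MailScanner.conf
EOF
}

# Run with --demo to check the sample; on a live host: ps -ef | find_stuck_children
if [ "${1:-}" = "--demo" ]; then
    sample_ps | find_stuck_children
fi
```

Run from cron, the same function turns the manual "find the rogue child" step into an alert on the scanner stalling while the MTA keeps queueing mail.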
From: bob.jones at USG.EDU (Bob Jones) Date: Thu Jan 12 21:20:50 2006 Subject: OT: Linux Distrobutions? In-Reply-To: <54C38A0B814C8E438EF73FC76F3629273AE0E0@mtlnt501fs.CAMOROUTE.COM> References: <54C38A0B814C8E438EF73FC76F3629273AE0E0@mtlnt501fs.CAMOROUTE.COM> Message-ID: <3FA6AEAC.60403@usg.edu> Ugo Bellavance wrote: >>I can sort of understand not running Debian as your desktop unless you >>really know what your doing because the stable release of Debian have >>pretty old version of packages (so unless you're comfortable >>running the >>development distribution, you might not have all you need). However, >>for servers, it's the best. You do a very minimal install >>that and then >>add the few packages you need for your services. You won't have the >>bloat of many other distributions for a server box. >> >>All IMHO of course, >>Bob >> > > > Interesting, but which distribution are you running? testing or unstable? I run unstable on my desktop. In over a year I've had only 2 problems, and both of those were with a Citrix client not working after the libc libraries were updated, and that was fixed in a couple of days. Unstable is sort of a misnomer imo, as I said above I almost never have any problems with it and you get all the latest stuff with it. Now, for a server that was going to run "production" services I would stick with stable, or if you need something a bit newer but still rock-solid, I've never had any problem with testing. When all you have to do is an apt-get update and then apt-get upgrade (or apt-get dist-upgrade if you're running unstable) to update your system on security patches or apt-get install package-name to install something, I don't know why anyone would choose not to run it. Bob From mailscanner at ecs.soton.ac.uk Mon Nov 3 19:40:09 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:20:50 2006 Subject: rogue MailScanner processes In-Reply-To: <5.1.0.14.2.20031103111129.01db6f18@pop.mail.yahoo.com> References: <5.2.0.9.2.20031101173342.02c1fd00@imap.ecs.soton.ac.uk> Message-ID: <5.2.0.9.2.20031103193859.03ccc870@imap.ecs.soton.ac.uk> Can you try upgrading one of the troublesome systems to 4.25 and see if that fixes the problem? You will need to install Net::CIDR and then upgrade the MS rpm. At 19:21 03/11/2003, you wrote: >I have 4 RH9 boxes running MS 4.24. The install process was the same on >each, and I copied the config files from one box to all the others. After >2 weeks of operation, one of the boxes began to stop delivering mail at >irregular intervals, although postfix kept accepting mail and storing it in >the postfix.in queue. Stopping and starting MailScanner would start the >mail being processed again. I noticed that although MS is supposed to >restart itself every 4 hours, when mail stops I find older MS children >using 80-99% CPU each. Sometimes killing just one of the rogue processes >is enough to start mail flowing again - I suspect that would always work if >I selected the correct process. Any ideas where to look? > >hermit921 > ># ps -ef |grep Mail >postfix 6399 1 0 Nov02 ? 00:00:00 /usr/bin/perl >-I/usr/lib/MailScanner /usr/sbin/MailScanner /etc/MailScanner/MailScanner.conf >postfix 16265 6399 81 Nov02 ? 20:24:40 /usr/bin/perl >-I/usr/lib/MailScanner /usr/sbin/MailScanner /etc/MailScanner/MailScanner.conf >postfix 16435 6399 81 Nov02 ? 19:57:56 /usr/bin/perl >-I/usr/lib/MailScanner /usr/sbin/MailScanner /etc/MailScanner/MailScanner.conf >postfix 21172 6399 0 09:01 ? 00:00:10 /usr/bin/perl >-I/usr/lib/MailScanner /usr/sbin/MailScanner /etc/MailScanner/MailScanner.conf >postfix 21431 6399 0 09:03 ? 00:00:04 /usr/bin/perl >-I/usr/lib/MailScanner /usr/sbin/MailScanner /etc/MailScanner/MailScanner.conf >postfix 21491 6399 0 09:03 ? 
00:00:04 /usr/bin/perl >-I/usr/lib/MailScanner /usr/sbin/MailScanner /etc/MailScanner/MailScanner.conf -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at LISTS.COM.AR Mon Nov 3 19:52:39 2003 From: mailscanner at LISTS.COM.AR (Mariano Absatz) Date: Thu Jan 12 21:20:50 2006 Subject: too many deletions => lost messages In-Reply-To: <3FA6774A.21765.32A0B791@localhost> Message-ID: <3FA687D7.13111.32E15FB0@localhost> On 3 Nov 2003 at 15:42, Mariano Absatz wrote: > OTOH, the {deleted} attribute of the Message object, depending on where > it is used means "must be deleted" or "has been deleted". > > I'm working with 4.23, but I don't think there were many changes in this > neighborhood in 4.24 or 4.25... > > For what I have seen, it should be pretty easy to make {deleted} mean > "has to be deleted" and create a new attribute {actuallydeleted} or > something like that that be set after actual deletion and checked before > it so we don't double-delete messages. Attached is a (very raw) patch to 4.23-1 to do this... This _really_ needs testing & embellishment... > > > More analysis seem to show that SMDiskStore::Delete() is never called... > is this dead code? Gee... I see this is gone in 4.24... sorry for the noise... :-) -- Mariano Absatz El Baby ---------------------------------------------------------- CChheecckk yyoouurr dduupplleexx sswwiittcchh!! -------------- next part -------------- --- Message.pm.orig.3110 Mon Nov 3 12:37:11 2003 +++ Message.pm Mon Nov 3 14:51:10 2003 @@ -751,7 +751,10 @@ # Write the new qf file, delete originals and unlock the message $store->WriteHeader($this, $OutQ); - $store->DeleteUnlock(); + unless( $this->{reallydeleted} ) { + $store->DeleteUnlock(); + $this->{reallydeleted} = 1; + } # Note this does not kick the MTA into life here any more } 
@@ -1846,7 +1849,10 @@ # Write the new qf file, delete originals and unlock the message $store->WriteHeader($this, $OutQ); - $store->DeleteUnlock(); + unless( $this->{reallydeleted} ) { + $store->DeleteUnlock(); + $this->{reallydeleted} = 1; + } # Note this does not kick the MTA into life here any more } @@ -1871,7 +1877,10 @@ my $entity = $this->{entity}; unless ($entity) { #print STDERR "Deleting duff message\n"; - $store->DeleteUnlock(); + unless( $this->{reallydeleted} ) { + $store->DeleteUnlock(); + $this->{reallydeleted} = 1; + } return; } @@ -2015,7 +2024,10 @@ # Write the new qf file, delete originals and unlock the message #print STDERR "Writing the new qf file\n"; $store->WriteHeader($this, $OutQ); - $store->DeleteUnlock(); + unless( $this->{reallydeleted} ) { + $store->DeleteUnlock(); + $this->{reallydeleted} = 1; + } # Note this does not kick the MTA into life here any more } @@ -2026,9 +2038,11 @@ my $this = shift; #print STDERR "DeletingMessage " . $this->{id} . "\n"; - - $this->{store}->DeleteUnlock(); - $this->{deleted} = 1; + unless( $this->{reallydeleted} ) { + $this->{store}->DeleteUnlock(); + $this->{deleted} = 1; + $this->{reallydeleted} = 1; + } } From marco at MUW.EDU Mon Nov 3 20:12:38 2003 
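Review bot: in the last hunk (@@ -2026,9 +2038,11 @@) the assignment $this->{deleted} = 1; has moved inside the unless( $this->{reallydeleted} ) guard, so a message whose store was already removed by one of the four earlier call sites (which set only {reallydeleted}) now leaves this routine with {deleted} still unset, where before the patch it was always set. Keep $this->{deleted} = 1; outside the guard and put only the DeleteUnlock() call and the {reallydeleted} assignment inside it.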
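Review bot: in the @@ -751, @@ -1846 and @@ -2015 hunks the unchanged $store->WriteHeader($this, $OutQ); still runs when {reallydeleted} is already set, so only the delete is guarded and a new qf file can still be written for a message whose originals are gone; either test the flag before WriteHeader as well or add a comment saying why writing is safe at that point. The same four-line guard is also pasted at five call sites, so a single helper on the message object, or the check inside DeleteUnlock() itself, would keep a later caller from missing it.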
From: marco at MUW.EDU (Marco Obaid) Date: Thu Jan 12 21:20:50 2006 Subject: OT: Linux Distrobutions? In-Reply-To: <3FA6AEAC.60403@usg.edu> References: <54C38A0B814C8E438EF73FC76F3629273AE0E0@mtlnt501fs.CAMOROUTE.COM> <3FA6AEAC.60403@usg.edu> Message-ID: <1067890358.3fa6b6b67e0f9@webmail.MUW.Edu> Hi, > Now, for a server that was going to run "production" services I would > stick with stable, or if you need something a bit newer but still > rock-solid, I've never had any problem with testing. My experience with Debian is as follows: * Very very long installation process (lots of screens to read and decisions to make, some are not obvious) * Only ext2 file-system support (no JFS or EXT3 support from what I saw) * Old versions of packages Please note that I am not bashing Debian, I love Linux. I am looking at it from a management point of view. Is it a good replacement for my production servers currently running newer versions of packages than what Debian has to offer? ... Probably not !!! I have been using FreeBSD in parallel to Redhat, and it seems to be the best candidate so far. Just my experience and not to flame anything Marco From maillist at HELPINTERNET.CO.UK Mon Nov 3 19:57:32 2003 From: maillist at HELPINTERNET.CO.UK (Richard Sidlin) Date: Thu Jan 12 21:20:50 2006 Subject: Sophos Update Error Message-ID: <003e01c3a244$bb606b40$0a01a8c0@rich> Just attempted to install the newly downloaded file but got the following error when it starts to run: [root /tmp]# /usr/sbin/Sophos.install Clearing out old default Sophos installation libraries Uncompressing Sophos distribution /usr/sbin/Sophos.install: uncompress: command not found What is wrong please? Richard Sidlin From mailscanner at BARENDSE.TO Mon Nov 3 19:57:51 2003 
From: mailscanner at BARENDSE.TO (Remco Barendse) Date: Thu Jan 12 21:20:50 2006 Subject: OT: Linux Distrobutions? In-Reply-To: <3FA6A7BB.2020309@greyhair.net> Message-ID: I have a lot of ppl telling me that gentoo is a good distro. Not only because you never ever need to upgrade the distro anymore, you can update your system to the latest packages with one command but also because the basic install cd (only 50 megs) contains only basic packages, downloads the latest version of everything and compiles it from scratch, specifically for your architecture. Installing a package should be as simple as typing "emerge package" (provided they support your package of course). Because of the RedHat announcement I will not only continue to try and build my own RedHat EL version but will install Gentoo on a box tomorrow too. But as usual, if you ask advice on a distro, each reply recommends another distro. On Mon, 3 Nov 2003, greyhair wrote: > Hello. > > I just got an email about Redhat going enterprise. > From redhat email: > > >As previously communicated, Red Hat will discontinue maintenance and > >errata support for Red Hat Linux 7.1, 7.2, 7.3 and 8.0 as of December > >31, 2003. Red Hat will discontinue maintenance and errata support for > >Red Hat Linux 9 as of April 30, 2004. Red Hat does not plan to release > >another product in the Red Hat Linux line. > > > I run a personal + friends, Not for Profit server for email and web, > 100% on my own dime. > If I could afford enterprise I would. I know this has nearly nothing to > do with mailscanner, > but I'm looking for recommendations for Linux Distro's. I like redhat > for the ease of updating > and use. I like not having to spend time figuring dependencies. I > could afford SuSE > professional ($80 per 2 years or so). I'm looking for something that I > don't have to spend a > lot of time tweaking. > > Recommendations? > > Thanks for any feedback, Thanks for your time. 
> greyhair > From kevins at BMRB.CO.UK Mon Nov 3 20:02:06 2003 From: kevins at BMRB.CO.UK (Kevin Spicer) Date: Thu Jan 12 21:20:50 2006 Subject: Sophos Update Error In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB00188B0D1@pascal.priv.bmrb.co.uk> References: <5C0296D26910694BB9A9BBFC577E7AB00188B0D1@pascal.priv.bmrb.co.uk> Message-ID: <1067889730.14661.1.camel@bach.kevinspicer.co.uk> On Mon, 2003-11-03 at 19:57, Richard Sidlin wrote: >What is wrong please? You don't have an uncompress command. Just uncompress and extract the archive yourself first. (IIRC you can do it with gunzip and tar) BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. From maillist at HELPINTERNET.CO.UK Mon Nov 3 20:06:15 2003 From: maillist at HELPINTERNET.CO.UK (Richard Sidlin) Date: Thu Jan 12 21:20:50 2006 Subject: Sophos Update Error In-Reply-To: <1067889730.14661.1.camel@bach.kevinspicer.co.uk> Message-ID: <003f01c3a245$f300b9a0$0a01a8c0@rich> Sorry but how and where do I put the files? Do I then still use Sophos.install? Richard >-----Original Message----- 
>From: MailScanner mailing list >[mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Kevin Spicer >Sent: 03 November 2003 20:02 >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Re: Sophos Update Error > > >On Mon, 2003-11-03 at 19:57, Richard Sidlin wrote: > > >>What is wrong please? > >You don't have an uncompress command. Just uncompress and >extract the archive yourself first. (IIRC you can do it with >gunzip and tar) > > > > >BMRB International >http://www.bmrb.co.uk >+44 (0)20 8566 5000 >_________________________________________________________________ >This message (and any attachment) is intended only for the >recipient and may contain confidential and/or privileged >material. If you have received this in error, please contact >the sender and delete this message immediately. Disclosure, >copying or other action taken in respect of this email or in >reliance on it is prohibited. BMRB International Limited >accepts no liability in relation to any personal emails, or >content of any email which does not directly relate to our business. > From sanjay.patel at REXWIRE.COM Mon Nov 3 20:07:25 2003 From: sanjay.patel at REXWIRE.COM (Sanjay K. Patel) Date: Thu Jan 12 21:20:50 2006 Subject: OT: Linux Distrobutions? In-Reply-To: Message-ID: <002701c3a246$19cf6ae0$de01a8c0@cardscan.net> I have always liked Mandrake. But their future is always in doubt. -----Original Message----- 
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Remco Barendse Sent: Monday, November 03, 2003 2:58 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: OT: Linux Distrobutions? I have a lot of ppl telling me that gentoo is a good distro. Not only because you never ever need to upgrade the distro anymore, you can update your system to the latest packages with one command but also because the baisc install cd (only 50 megs) contains only basic packages, downloads the latest version of everything and compiles it from scratch, specifically for your architecture. Installing a package should be as simple as typing "emerge package" (provided they support your package ofcourse. Because of the RedHat anouncement I will not only continue to try and build my own RedHat EL version but will install Gentoo on a box tomorrow too. But as usual, if you ask advice on a distro, each reply recommends another distro. On Mon, 3 Nov 2003, greyhair wrote: > Hello. > > I just got an email about Redhat going enterprise. > From redhat email: > > >As previously communicated, Red Hat will discontinue maintenance and > >errata support for Red Hat Linux 7.1, 7.2, 7.3 and 8.0 as of December > >31, 2003. Red Hat will discontinue maintenance and errata support for > >Red Hat Linux 9 as of April 30, 2004. Red Hat does not plan to > >release another product in the Red Hat Linux line. > > > I run a personal + friends, Not for Profit server for email and web, > 100% on my own dime. If I could afford enterprise I would. I know > this has nearly nothing to do with mailscanner, > but I'm looking for recommendations for Linux Distro's. I like redhat > for the ease of updating > and use. I like not having to spend time figuring dependencies. I > could afford SuSE > professional ($80 per 2 years or so). I'm looking for something that I > don't have to spend a > lot of time tweaking. > > Recommendations? > > Thanks for any feedback, Thanks for your time. 
> greyhair > From marco at MUW.EDU Mon Nov 3 20:25:23 2003 From: marco at MUW.EDU (Marco Obaid) Date: Thu Jan 12 21:20:50 2006 Subject: Sophos Update Error In-Reply-To: <003f01c3a245$f300b9a0$0a01a8c0@rich> References: <003f01c3a245$f300b9a0$0a01a8c0@rich> Message-ID: <1067891123.3fa6b9b30b4f6@webmail.MUW.Edu> Hi, Could you run this command? which uncompress and see if uncompress is in your path? Thanks, Marco Quoting Richard Sidlin : > Sorry but how and where do I put the files? Do I then still use > Sophos.install? > From maillist at HELPINTERNET.CO.UK Mon Nov 3 20:13:09 2003 From: maillist at HELPINTERNET.CO.UK (Richard Sidlin) Date: Thu Jan 12 21:20:50 2006 Subject: Sophos Update Error In-Reply-To: <1067891123.3fa6b9b30b4f6@webmail.MUW.Edu> Message-ID: <004001c3a246$e9d5a8d0$0a01a8c0@rich> [root /tmp]# which uncompress /usr/bin/which: no uncompress in (/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:/usr/bin/X11:/ sbin:/usr/sbin:/usr/local/bin:/usr/local/sbin) Richard >-----Original Message----- >From: MailScanner mailing list >[mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Marco Obaid >Sent: 03 November 2003 20:25 >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Re: Sophos Update Error > > >Hi, > >Could you run this command? > >which uncompress > >and see if you uncompress is in your path? > > >Thanks, >Marco > > >Quoting Richard Sidlin : > >> Sorry but how and where do I put the files? Do I then still use >> Sophos.install? >> > From bob.jones at USG.EDU Mon Nov 3 20:13:08 2003 
From: bob.jones at USG.EDU (Bob Jones) Date: Thu Jan 12 21:20:50 2006 Subject: OT: Linux Distrobutions? In-Reply-To: <1067890358.3fa6b6b67e0f9@webmail.MUW.Edu> References: <54C38A0B814C8E438EF73FC76F3629273AE0E0@mtlnt501fs.CAMOROUTE.COM> <3FA6AEAC.60403@usg.edu> <1067890358.3fa6b6b67e0f9@webmail.MUW.Edu> Message-ID: <3FA6B6D4.2060309@usg.edu> Marco Obaid wrote: > > My experience with Debian is as follows: > > * Very very long installation process > (lots of screen to read and decisions to make, some are not obvious) The install process for Debian can be a bit tricky. What you need to realize (and I'm not sure if it's documented) is that you need to skip all the package selecting at install, especially with the ugly beasts they give you to do so. Just say no to using the 2 methods they offer of selecting packages and you'll end up with a basic install of just what's needed. > * Only ext2 file-system support (no JFS or EXT3 support from what I saw) If you install the stable distro, and just do the basic install, this is correct because it installs a 2.2 kernel (once a distro of debian is locked, they don't change except for security updates which are back-ported). There is an install option (I believe bf24 maybe?) that installs a 2.4 kernel and thus gives you the newer filesystems. > * Old versions of packages And I noted this in my description of stable. This is why I said stable was just for servers IMO because you need newer tools for a desktop. But for a server, you get packages which are well integrated, applications that don't crash, and the easiest distro to manage on the planet. If you need newer packages for a server than is on stable, go with testing, which is probably just as stable, but hasn't completed the rigorous testing Debian distros go through. Unlike a lot of distros, Debian just doesn't throw its new stuff out there, it tests them first... a lot. > Please note that I am not bashing Debian, I love Linux. 
I am looking at it > from management point-of-view. Is it a good replacement to my productions > servers currently running newer versions of packages than what Debian has to > offer? ... Probably not !!! Once again, you're looking at stable. May I suggest testing, or even unstable. Unstable probably has just as good a track record as most other distros' stable releases. > I have been using FreeBSD in parallel to Redhat, and it seems to seems to be > the best candidate so far. Though I've never personally used it, I've never heard anything bad about *BSD. Bob From jmunroe at nbnet.nb.ca Mon Nov 3 20:03:29 2003 From: jmunroe at nbnet.nb.ca (Jim Munroe) Date: Thu Jan 12 21:20:50 2006 Subject: maillog message: "WorkList for /var/spool/mqueue.in maxed out at 1" Message-ID: <20031103200329.GZIV14572.simmts4-srv.bellnexxia.net@smtp8.sympatico.ca> Hi, I recently upgraded to MailScanner version 4.24-5 (rpm install) and upgraded sendmail to the Redhat 8.0 rpm ver sendmail-8.12.8-9.80 (hence my confusion as to where the problem really lies). Now the mqueue.in folder is filling up dramatically and mail is moving extremely slow from the mqueue.in. The only message I keep seeing in the maillog is "sendmail[9389]: WorkList for /var/spool/mqueue maxed out at 1". The OS is Redhat Linux 8.0 Pro (kernel 2.4.18-27.8.0). Has anyone seen this before and/or have any suggestions on how to fix this situation? Thanks, Jim Munroe From lindsay at pa.net Mon Nov 3 20:16:53 2003 From: lindsay at pa.net (Lindsay Snider) Date: Thu Jan 12 21:20:50 2006 Subject: CustomConfig Message-ID: <200311031516.53306.lindsay@pa.net> I have a customconfig function to log viruses/spam to a database. Is there a way to save the body of the emails? I ran Datadumper on the message object and it doesn't appear that the body is loaded in. If it's not loaded in, is there maybe a filehandle to the file that I could open and read during Always Last? Regards, lindsay From marco at MUW.EDU Mon Nov 3 20:37:07 2003 
From: marco at MUW.EDU (Marco Obaid) Date: Thu Jan 12 21:20:50 2006 Subject: Sophos Update Error In-Reply-To: <004001c3a246$e9d5a8d0$0a01a8c0@rich> References: <004001c3a246$e9d5a8d0$0a01a8c0@rich> Message-ID: <1067891827.3fa6bc73dd45c@webmail.MUW.Edu> Richard, It seems that you need the "ncompress" package. Look in your install CD for this package and install it. Hope this helps Marco Quoting Richard Sidlin : > [root /tmp]# which uncompress > /usr/bin/which: no uncompress in > (/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:/usr/bin/X11:/ > sbin:/usr/sbin:/usr/local/bin:/usr/local/sbin) > > > Richard From kevins at BMRB.CO.UK Mon Nov 3 20:21:57 2003 
From: kevins at BMRB.CO.UK (Kevin Spicer) Date: Thu Jan 12 21:20:50 2006 Subject: Sophos Update Error In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB00188B0D4@pascal.priv.bmrb.co.uk> References: <5C0296D26910694BB9A9BBFC577E7AB00188B0D4@pascal.priv.bmrb.co.uk> Message-ID: <1067890917.14660.5.camel@bach.kevinspicer.co.uk> On Mon, 2003-11-03 at 20:06, Richard Sidlin wrote: > Sorry but how and where do I put the files? Change to the directory with the linux.intel.libc6.tar.Z file in (or whatever Sophos file you need)... gunzip linux.intel.libc6.tar.Z tar xvf linux.intel.libc6.tar This will create and populate a directory named sav-install >Do I then still use Sophos.install? Yes, it will automatically detect that the archive has already been extracted. BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 From mailscanner at ecs.soton.ac.uk Mon Nov 3 20:27:42 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:20:50 2006 Subject: Sophos Update Error In-Reply-To: <004001c3a246$e9d5a8d0$0a01a8c0@rich> References: <1067891123.3fa6b9b30b4f6@webmail.MUW.Edu> Message-ID: <5.2.0.9.2.20031103202607.03aa2cf8@imap.ecs.soton.ac.uk> tar xzf linux.intel.tar.Z (or whatever the .tar.Z file happens to be called). GNU tar can open at least .Z and .gz formats. Then just run Sophos.install again, and it will find the unpacked version is present and install it. At 20:13 03/11/2003, you wrote: >[root /tmp]# which uncompress >/usr/bin/which: no uncompress in >(/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:/usr/bin/X11:/ >sbin:/usr/sbin:/usr/local/bin:/usr/local/sbin) > > >Richard > > >-----Original Message----- > >From: MailScanner mailing list > >[mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Marco Obaid > >Sent: 03 November 2003 20:25 > >To: MAILSCANNER@JISCMAIL.AC.UK > >Subject: Re: Sophos Update Error > > > > > >Hi, > > > >Could you run this command? > > > >which uncompress > > > >and see if you uncompress is in your path? > > > > > >Thanks, > >Marco > > > > > >Quoting Richard Sidlin : > > > >> Sorry but how and where do I put the files? Do I then still use > >> Sophos.install? > >> > > -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From miguelk at KONSULTEX.COM.BR Mon Nov 3 20:33:43 2003 
From: miguelk at KONSULTEX.COM.BR (Miguel Koren O'Brien de Lacy) Date: Thu Jan 12 21:20:50 2006 Subject: workaround for "file size limit exceeded" messages? References: <5.2.0.9.2.20031103182023.03c71eb0@imap.ecs.soton.ac.uk> Message-ID: <3FA6BBA7.2000701@konsultex.com.br> Julian; I applied this (MS 4.24-5 on RH9 fully patched except the kernel) and I ran readnow.zip through it with a mail. It was found to be clean and delivered. But of course this is because Clam itself does not catch it. f-Prot on Windows does find W32.Mimail in it. I don't have a sample of the others that were causing problems (being found and still delivered) so I can't test. I sent this file to the Clam team this morning. If you would like to see it anyway, I can send it to you off list. If you can somehow send me a sample of photos.zip I'll run it through also. Since I reverted to blocking *.zip it would have to be renamed. Of course, Clam finds that one so it may not make it anyway.... So all I can say at this point is that MS still works with the patch ;-) Miguel Julian Field wrote: > Please can you try the attached patch for > /usr/lib/MailScanner/MailScanner/SweepViruses.pm. > > Copy the patch file into /tmp and do this > cd /usr/lib/MailScanner/MailScanner > patch -p0 < /tmp/SweepViruses.pm.clam.patch > > Let me know if this solves the problem or not. > > At 17:38 03/11/2003, you wrote: > >> Is there a workaround for "file size limit exceeded" message issue >> that I'm >> seeing in maillog whenever ClamAV detects either Worm.Mimail.C or >> Worm.Bics? >> >> It appears that ClamAV is correctly identifying the virus but that extra >> status message is causing MailScanner to get confused and (I think) >> letting >> the virus through. I just signed up to the ClamAV mailing list, and >> at least >> one person is suggesting that this is a MailScanner issue. >> >> Any workarounds or fixes? 
>> >> Thanks, >> Chris >> -- >> Chris Yuzik >> chris@fractalweb.com >> 604-304-0444 >> >> "Reality is that which, when you stop believing in it, doesn't go >> away". >> -- Philip K. Dick > > > -- > Julian Field > www.MailScanner.info > Professional Support Services at www.MailScanner.biz > MailScanner thanks transtec Computers for their support > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -- This message has been checked by the antivirus system and is believed to be free of danger. From maillist at HELPINTERNET.CO.UK Mon Nov 3 20:36:07 2003 From: maillist at HELPINTERNET.CO.UK (Richard Sidlin) Date: Thu Jan 12 21:20:50 2006 Subject: Sophos Update Error In-Reply-To: <1067890917.14660.5.camel@bach.kevinspicer.co.uk> Message-ID: <004301c3a24a$1eb8e820$0a01a8c0@rich> Excellent. TVM. Richard >-----Original Message----- 
>From: MailScanner mailing list >[mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Kevin Spicer >Sent: 03 November 2003 20:22 >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Re: Sophos Update Error > > >On Mon, 2003-11-03 at 20:06, Richard Sidlin wrote: > >> Sorry but how and where do I put the files? > >Change to the directory with the linux.intel.libc6.tar.Z file >in (or whatever Sophos file you need)... > >gunzip linux.intel.libc6.tar.Z > >tar xvf linux.intel.libc6.tar > >This will create and populate a directory named sav-install > >>Do I then still use Sophos.install? > >Yes, it will automatically detect that the archive has already >been extracted. > > > > >BMRB International >http://www.bmrb.co.uk >+44 (0)20 8566 5000 >_________________________________________________________________ >This message (and any attachment) is intended only for the >recipient and may contain confidential and/or privileged >material. If you have received this in error, please contact >the sender and delete this message immediately. Disclosure, >copying or other action taken in respect of this email or in >reliance on it is prohibited. BMRB International Limited >accepts no liability in relation to any personal emails, or >content of any email which does not directly relate to our business. > -- This message has been scanned for viruses and dangerous content by the Help Internet Virus Spam Defence, and is believed to be clean. For details on having your email scanned email support@helpinternet.co.uk From TGFurnish at HERFF-JONES.COM Mon Nov 3 20:38:38 2003 
From: TGFurnish at HERFF-JONES.COM (Furnish, Trever G) Date: Thu Jan 12 21:20:50 2006 Subject: OT: Linux Distrobutions? Message-ID: <8FFC76593085ED4A80D3601BC41EFCDF02A6053A@inex1.herffjones.hj-int> Can I squeak in one more question on this off-topic topic before it goes away? Did Fedora exist (and actually get used by anyone) before "redhat linux" went away? I have actually built up a considerable level of trust in redhat's development and stability over the years, and I don't mind extending that trust through a simple name change - but I have a hard time with the idea of just extending that trust to a merger of two projects, one of which I had never even heard of before the merger. Off-list replies welcome... > -----Original Message----- > From: Hirsh, Joshua [mailto:joshua.hirsh@PARTNERSOLUTIONS.CA] > Sent: Monday, November 03, 2003 2:16 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: OT: Linux Distrobutions? > > > From what I understand, a project called Fedora-legacy is also being > started up which will keep the RH 7/8/9 releases up to date > with security > fixes after Red Hat drops them from their vocabulary. > > It hasn't fully gotten off the ground yet though.. > > > > Personally, I'm going the route of rebuilding RHEL from the > SRPMS.. but > challenges are fun sometimes :) > > > Cheers, > > -Joshua > From waldner at WALDNER.PRIV.AT Mon Nov 3 20:32:02 2003 
From: waldner at WALDNER.PRIV.AT (Robert Waldner)
Date: Thu Jan 12 21:20:50 2006
Subject: OT: Linux Distrobutions?
In-Reply-To: Your message of "Mon, 03 Nov 2003 15:13:08 EST." <3FA6B6D4.2060309@usg.edu>
References: <54C38A0B814C8E438EF73FC76F3629273AE0E0@mtlnt501fs.CAMOROUTE.COM> <3FA6AEAC.60403@usg.edu> <1067890358.3fa6b6b67e0f9@webmail.MUW.Edu> <3FA6B6D4.2060309@usg.edu>
Message-ID: <20031103203208.79BF647065@fsck.waldner.priv.at>

On Mon, 03 Nov 2003 15:13:08 EST, Bob Jones writes:
>> * Very very long installation process
>> (lots of screen to read and decisions to make, some are not obvious)
>The install process for Debian can be a bit tricky. What you need to
>realize (and I'm not sure if it's documented) is that you need to skip
>all the package selecting at install, especially with the ugly beasts
>they give you to do so. Just say not to using the 2 methods they offer
>of selecting packages and you'll end up with a basic install of just
>what's needed.

Actually, tasksel isn't so bad a tool. Selecting "DNS-server" and/or
"C-development" and/or "mailserver" is actually more newbie-friendly
than I would've made it.

>> * Only ext2 file-system support (no JFS or EXT3 support from what I saw)
>If you install the stable distro, and just do the basic install, this is
>correct because it installs a 2.2 kernel (once a distro of debian is
>locked, they don't change except for security updates which are
>back-ported). There is an install option (I believe bf24 maybe?) that
>installs a 2.4 kernel and thus gives you the newer filesystems.

bf24 it is, yes. And ext3 goes along with it.

>> * Old versions of packages
>And I noted this in my description of stable. This is why I said stable
>was just for servers IMO because you need newer tools for a desktop.
>But for a server, you get packages which are well integrated,
>applications that don't crash, and the easiest distro to manage on the
>planet. If you need newer packages for a server than is on stable, go
>with testing, which is probably just as stable, but hasn't completed the
>rigorous testing Debian distros go through. Unlike a lot of distros,
>Debian just doesn't throw its new stuff out there, it tests them
>first... a lot.

And then there are a lot of backports to stable should you need just
those 3 apps newer than what's in the official distro. MailScanner and
SpamAssassin being prime examples ;)
http://www.apt-get.org/ helps you locate them.

Of course, as always, there's a tradeoff between stable&secure and
shiny&new. No one can (or should attempt to) make that decision for you.

And then there's always OpenBSD... "Only one remote hole in the default
install, in more than 7 years!".

cheers,
&rw
--
-- Which brings us to the question, if an NT server crashes in
-- the serverroom, and there is no one to log it, did it have
-- downtime? Fan Li Tai

From shrek-m at GMX.DE Mon Nov 3 22:38:35 2003
From: shrek-m at GMX.DE (shrek-m@gmx.de)
Date: Thu Jan 12 21:20:50 2006
Subject: OT: Linux Distrobutions?
In-Reply-To: <8FFC76593085ED4A80D3601BC41EFCDF02A6053A@inex1.herffjones.hj-int>
References: <8FFC76593085ED4A80D3601BC41EFCDF02A6053A@inex1.herffjones.hj-int>
Message-ID: <3FA6D8EB.9060907@gmx.de>

Furnish, Trever G wrote:

>Can I squeak in one more question on this off-topic topic before it goes
>away?
>
>Did Fedora exist (and actually get used by anyone) before "redhat linux"
>went away? I have actually built up a considerable level of trust in
>redhat's development and stability over the years, and I don't mind
>extending that trust through a simple name change - but I have a hard time
>with the idea of just extending that trust to a merger of two projects, one
>of which I had never even heard of before the merger.
>
>Off-list replies welcome...
>

http://www.fedora.us/
http://www.newsforge.com/article.pl?sid=03/10/01/1417208&mode=thread&tid=51

----snip----
From: Warren Togami
To: phoebe-list redhat com
Subject: 3rd Party Software for RHL (was Re: mp3, Real, Flash, plugins..)
Date: Mon, 24 Feb 2003 03:07:01 -1000

[...]
http://www.fedora.us
This project is my idea to rally the combined efforts of volunteer
developers to create a body of well maintained 3rd party RPM packages
specifically for Red Hat Linux. This idea is very much similar to the
Debian community, with Fedora stable, testing and unstable trees in our
current plans. Fedora Project is still in infant stages, but things are
beginning to roll now with our Bugzilla up and other infrastructure
growing.

Fedora can be there to save us all time and effort. We Red Hat users,
both newbie and experienced, would no longer need to manually configure
and compile 3rd party packages, thus saving lots of time. Just imagine
the following LUG mailing list question from year 2004:
[...]
----snap----

From cHRis-BarNeS at tAMu.eDu Mon Nov 3 22:14:13 2003
From: cHRis-BarNeS at tAMu.eDu (Chris Barnes)
Date: Thu Jan 12 21:20:50 2006
Subject: [SAtalk] Am I nuts
Message-ID:

Background: I had SpamAssassin 2.60 running just fine (using sendmail).
I was calling spamd via the /etc/procmail.

After installing Mailscanner and ClamAV, I noticed that the original SA
conf file was being ignored in favor of the smaller version in the
Mailscanner conf file. Since I have custom rules that I really didn't
want to lose, I turned SA off in Mailscanner, letting it handle just
the running of ClamAV. SA is still being called by procmail.

It seems to work just fine (everything).

Q: Is this a "wrong way" to do it (ie. performance issues)?

Q: Is it just a "weird way"?

--
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Chris Barnes                     AOL IM: CNBarnes
chris-barnes@tamu.edu            Yahoo IM: chrisnbarnes
Computer Systems Manager         ph: 979-845-7801
Department of Physics            fax: 979-845-2590
Texas A&M University

-------------------------------------------------------
This SF.net email is sponsored by: SF.net Giveback Program.
Does SourceForge.net help you be more productive? Does it
help you create better code? SHARE THE LOVE, and help us help
YOU! Click Here: http://sourceforge.net/donate/
_______________________________________________
Spamassassin-talk mailing list
Spamassassin-talk@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

From zen23003 at ZEN.CO.UK Mon Nov 3 22:54:53 2003
From: zen23003 at ZEN.CO.UK (Paul)
Date: Thu Jan 12 21:20:50 2006
Subject: OT: Linux Distrobutions?
Message-ID: <00db01c3a25d$7ea4e5a0$0100000a@lan>

I see from the downloads page that there are specific downloads for SuSE
and Debian (as well as RH obviously).

I see SpamAssassin has a Debian version (and a Gentoo one).

I'm not after the latest versions of software. What I really liked
about RH 8 was the Up2Date utility that I ran via a weekly cron job to
automatically applied security patches for me (I didn't pay for the full
maintenance but was considering it seriously). The Fedora project ain't
gonna give me this, it seems certain.

I have 2 servers, one of which I was planning to migrate my customers to
very shortly (have spent hours configuring the darned thing; it's
running RH 8) so I have the opportunity before it goes live to bite the
bullet and change distros.

I'm running a web management front end called 42go that supports SuSE,
Debian and Mandrake as well as RH, so this seems to be the choice.

Julian's recommendation of SuSE obviously cuts a lot of ice. However, I
have had Debian recommended for its ease of updating and Bob Jones's
comments on this list reinforce this.

So, which distro offers automatic updating, a la Up2Date? I don't mind
paying for it, but I'd prefer it to be a one-off charge, unlike RH, who
are offering me this:

Red Hat Enterprise Linux ES Basic Edition* $174.50/year for 1 system

----- Original Message -----
Date: Mon, 3 Nov 2003 19:15:57 +0000
From: Julian Field
Subject: Re: OT: Linux Distrobutions?

The free version of RedHat will continue, but will be now known as
"Fedora" (the type of hat) and will be updated a few times each year.
They don't guarantee how long support will be provided for any given
Fedora release, but I think it's what most people will migrate their
boxes to.

Lots of people on this list are bound to vote for Debian, but personally
I have always found it to be the "enthusiast's" distro. Usual rules on
flame wars and religious debates apply :)

SuSE is a good alternative to RedHat.

From ugob at CAMO-ROUTE.COM Mon Nov 3 23:11:50 2003
From: ugob at CAMO-ROUTE.COM (Ugo Bellavance)
Date: Thu Jan 12 21:20:50 2006
Subject: OT: Linux Distrobutions?
Message-ID: <54C38A0B814C8E438EF73FC76F3629273AE0E6@mtlnt501fs.CAMOROUTE.COM>

> I see from the downloads page that there are specific downloads for
> SuSE and Debian (as well as RH obviously).
>
> I see SpamAssassin has a Debian version (and a Gentoo one).
>
> I'm not after the latest versions of software. What I really liked
> about RH 8 was the Up2Date utility that I ran via a weekly cron job to
> automatically applied security patches for me (I didn't pay for the
> full maintenance but was considering it seriously). The Fedora project
> ain't gonna give me this, it seems certain.

apt, which does exactly the same job as up2date, is already working with
Fedora. You just need to update your sources.list.

http://www.xades.com/proj/fedora_repos.html

> I have 2 servers, one of which I was planning to migrate my customers
> to very shortly (have spent hours configuring the darned thing; it's
> running RH 8) so I have the opportunity before it goes live to bite
> the bullet and change distros.
>
> I'm running a web management front end called 42go that supports SuSE,
> Debian and Mandrake as well as RH, so this seems to be the choice.
>
> Julian's recommendation of SuSE obviously cuts a lot of ice. However,
> I have had Debian recommended for its ease of updating and Bob Jones's
> comments on this list reinforce this.
>
> So, which distro offers automatic updating, a la Up2Date?

Debian does, but, in the end, Fedora might do the trick.

> I don't mind paying for it, but I'd prefer it to be a one-off charge,
> unlike RH, who are offering me this:
>
> Red Hat Enterprise Linux ES Basic Edition* $174.50/year for 1 system

From raymond at PROLOCATION.NET Mon Nov 3 23:16:03 2003
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:20:50 2006
Subject: ANNOUNCE: Beta 4.25-5 released
In-Reply-To: <5.2.0.9.2.20031103174127.03af8ea8@imap.ecs.soton.ac.uk>
Message-ID:

Hi!

> Some of you have downloaded 4.25-5 and hopefully installed it. Is it all
> working okay?
> Raymond is the only person who has commented (from what I've seen).

Upgraded it on all my boxes, the other 4 were running 4.250-4 and were
running ok since then.

> Any comments?
> Has anyone tried the HTML "disarming" options?

Not me no.

> Should I take it as is and turn it into a "stable" release?

Let's push out a November release, to keep up with the numbers :)

Bye,
Raymond.

From raymond at PROLOCATION.NET Mon Nov 3 23:19:23 2003
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:20:50 2006
Subject: sendmail message splitting defeats bandwidth savings?
In-Reply-To: <5.2.0.9.2.20031103174626.02e38d78@imap.ecs.soton.ac.uk>
Message-ID:

Hi!

> What I would probably have to do is split every message that has multiple
> recipients, it is hard to work out if any of the rules would produce
> different results for each recipient of the message. Not impossible, but
> not easy. I would need to collect the results of every config variable for
> each message in a batch, and then look through all the results to find ones
> that aren't all the same. Then I would need to duplicate the message back
> into loopback once for each recipient and throw away the original (as I
> probably wouldn't be able to tell at that point which result I should be
> using).
>
> That's got me thinking...
> (and there I was planning a nice quiet evening watching the telly :-)

Eh =) I wonder what the performance impact will be. But i like the idea.
It really is a pain that some are glued to sendmail currently, to have
just this working, i think some would have moved to Exim for example
instead if the splitting was possible.

Would also be cool to just be able to split with a ruleset... in my case
i would only split for the local domains... I don't know if anyone set it
up like that in sendmail yet, currently i am splitting all but that's a
real waste of processing power...

Bye,
Raymond.

From kevins at BMRB.CO.UK Mon Nov 3 23:20:11 2003
From: kevins at BMRB.CO.UK (Kevin Spicer)
Date: Thu Jan 12 21:20:50 2006
Subject: Linux Distrobutions?
In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB00188B0E3@pascal.priv.bmrb.co.uk>
References: <5C0296D26910694BB9A9BBFC577E7AB00188B0E3@pascal.priv.bmrb.co.uk>
Message-ID: <1067901612.14660.18.camel@bach.kevinspicer.co.uk>

On Mon, 2003-11-03 at 22:54, Paul wrote:

So, which distro offers automatic updating, a la Up2Date? I don't mind
paying for it, but I'd prefer it to be a one-off charge, unlike RH, who
are offering me this:

Mandrake has urpmi (which IMHO is great, if a little under used) there's
also the Mandrake Update GUI tool, but I don't run GUIs on servers.
What I like about urpmi is that a) it's scriptable b) you can use urpmq
to check for updates before installing them c) you can mirror the ftp
site locally and use that to update/ install from.

I basically do this every night (wrapped in some scripting)...

fmirror (on the updates ftp site to copy the files locally on 1 machine)

urpmi.update -a (On each machine to refresh the package list)

urpmq --update --auto-select (To produce a list of updated packages
which is then mailed to me)

Every morning I review any updates for each server (typically not many
as I run stripped down machines) and either test them on a test machine,
or if they're not updating anything that worries me just do...

urpmi --update --auto-select

to install them.

BTW I had to use RedHat for something recently and wasn't very impressed
with up2date (although maybe I just don't know how to use it well?).

Doubtless others will sing the praises of apt-get on Debian (and
probably with good cause)

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000

From raymond at PROLOCATION.NET Mon Nov 3 23:33:05 2003
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:20:50 2006
Subject: Linux Distrobutions?
In-Reply-To: <54C38A0B814C8E438EF73FC76F3629273AE0DE@mtlnt501fs.CAMOROUTE.COM>
Message-ID:

Hi!

> One could get into FreeBSD. This might be what I'll do. I don't know
> too much Fedora, but it worries me a bit.

I am in the Fedora project since it started, i think it's a good thing.
but then again, i might be biased :) I would not worry that much.

Bye,
Raymond.

From raymond at PROLOCATION.NET Mon Nov 3 23:34:29 2003
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:20:50 2006
Subject: OT: Linux Distrobutions?
In-Reply-To: <75FEDC422E2309419A9303E7B18F206E04DB5D06@eqmail1.efni.vpn>
Message-ID:

Hi!

> Personally, I'm going the route of rebuilding RHEL from the SRPMS.. but
> challenges are fun sometimes :)

Is there a path yet for this ? There was one for the older version, but
i didn't see it yet for RH ES 3.0. Would love to see what exactly needs
to be changed. Perhaps a new kernel and the sendmail package would do ? :)

Bye,
Raymond.

From ugob at CAMO-ROUTE.COM Mon Nov 3 23:35:32 2003
From: ugob at CAMO-ROUTE.COM (Ugo Bellavance)
Date: Thu Jan 12 21:20:50 2006
Subject: Linux Distrobutions?
Message-ID: <54C38A0B814C8E438EF73FC76F3629273AE0E7@mtlnt501fs.CAMOROUTE.COM>

> -----Original Message-----
> From: Kevin Spicer [mailto:kevins@BMRB.CO.UK]
> Sent: Monday, November 03, 2003 6:20 PM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: Linux Distrobutions?
>
> On Mon, 2003-11-03 at 22:54, Paul wrote:
>
> So, which distro offers automatic updating, a la Up2Date? I don't mind
> paying for it, but I'd prefer it to be a one-off charge, unlike RH, who
> are offering me this:
>
> Mandrake has urpmi (which IMHO is great, if a little under used) there's
> also the Mandrake Update GUI tool, but I don't run GUIs on servers.
> What I like about urpmi is that a) it's scriptable b) you can use urpmq
> to check for updates before installing them c) you can mirror the ftp
> site locally and use that to update/ install from.
>
> I basically do this every night (wrapped in some scripting)...
> fmirror (on the updates ftp site to copy the files locally on 1
> machine)
>
> urpmi.update -a (On each machine to refresh the package list)
>
> urpmq --update --auto-select (To produce a list of updated packages
> which is then mailed to me)
>
> Every morning I review any updates for each server (typically not many
> as I run stripped down machines) and either test them on a test machine,
> or if they're not updating anything that worries me just do...
>
> urpmi --update --auto-select
>
> to install them.

You can do the exact same thing with apt-get

Something like
apt-get update
apt-get -d -y upgrade, emailed to you.

> BTW I had to use RedHat for something recently and wasn't very impressed
> with up2date (although maybe I just don't know how to use it well?).
>
> Doubtless others will sing the praises of apt-get on Debian (and
> probably with good cause)

Well, don't wait and try apt-get for redhat...

http://apt.freshrpms.net

I think yum and autoupdate might do the same thing.

hth

Ugo

From raymond at PROLOCATION.NET Mon Nov 3 23:44:34 2003
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:20:50 2006
Subject: OT: Linux Distrobutions?
In-Reply-To: <8FFC76593085ED4A80D3601BC41EFCDF02A6053A@inex1.herffjones.hj-int>
Message-ID:

Hi!

> Did Fedora exist (and actually get used by anyone) before "redhat linux"
> went away? I have actually built up a considerable level of trust in
> redhat's development and stability over the years, and I don't mind
> extending that trust through a simple name change - but I have a hard time

Yes it did. And basically it's the RH guys doing this. I was in Fedora
since it started, and running one of the main rsync servers for the
project. It's been having nice support.

> with the idea of just extending that trust to a merger of two projects, one
> of which I had never even heard of before the merger.

No. But it's a merger with a lot of the regular RH things for sure, just
install the latest greatest and have a look on the look and feel. I think
you won't notice much difference anyway compared to RH.

bye,
Raymond.

From chris at fractalweb.com Mon Nov 3 23:46:06 2003
From: chris at fractalweb.com (Chris Yuzik)
Date: Thu Jan 12 21:20:50 2006
Subject: copy of photos.zip?
Message-ID: <200311031546.06588.chris@fractalweb.com>

Hi everyone,

I can't believe I'm asking for this...but can someone (but not everyone)
please send me a copy of "photos.zip" that's infected with worm.mimail.c?
I've installed Julian's patch and have been waiting all day for one to come
in so I can make sure the patch worked...and nada.

Thanks,
Chris

--
Chris Yuzik
chris@fractalweb.com
604-304-0444

"Reality is that which, when you stop believing in it, doesn't go away".
-- Philip K. Dick

From shrek-m at GMX.DE Mon Nov 3 23:50:41 2003
From: shrek-m at GMX.DE (shrek-m@gmx.de)
Date: Thu Jan 12 21:20:50 2006
Subject: OT: Linux Distrobutions?
In-Reply-To: <00db01c3a25d$7ea4e5a0$0100000a@lan>
References: <00db01c3a25d$7ea4e5a0$0100000a@lan>
Message-ID: <3FA6E9D1.6070207@gmx.de>

Paul wrote:

>I'm not after the latest versions of software. What I really liked
>about RH 8 was the Up2Date utility that I ran via a weekly cron job to
>automatically applied security patches for me (I didn't pay for the full
>maintenance but was considering it seriously). The Fedora project ain't
>gonna give me this, it seems certain.
>

in rh7.x was rhn-needed-packages
in rh8.0/9/fedora-core rhn-applet-gui, rhn-applet-tui

up2date can now handle apt and yum - repositories

yum will be included in fedora-core (severn)
http://ftp.redhat.com/pub/redhat/linux/beta/severn/en/os/i386/RedHat/RPMS/yum-2.0.3-1.noarch.rpm
http://linux.duke.edu/projects/yum/
eg.
# yum check-update
# yum update package*
...

apt-get
http://freshrpms.net/

# rpm -Fvh http://updates.redhat.com/path/to/your/arch

--
shrek-m

From raymond at PROLOCATION.NET Tue Nov 4 00:01:34 2003
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:20:50 2006
Subject: copy of photos.zip?
In-Reply-To: <200311031546.06588.chris@fractalweb.com>
Message-ID:

Hi!

> I can't believe I'm asking for this...but can someone (but not everyone)
> please send me a copy of "photos.zip" that's infected with worm.mimail.c?
> I've installed Julian's patch and have been waiting all day for one to come
> in so I can make sure the patch worked...and nada.

Posted you one offlist. Let me know if it worked out.

Thanks,
Raymond.

From chris at fractalweb.com Tue Nov 4 00:11:26 2003
From: chris at fractalweb.com (Chris Yuzik)
Date: Thu Jan 12 21:20:50 2006
Subject: Mimail still getting through
In-Reply-To: <200311031546.06588.chris@fractalweb.com>
References: <200311031546.06588.chris@fractalweb.com>
Message-ID: <200311031611.26934.chris@fractalweb.com>

OK, someone was nice enough to send a copy of photos.zip. (thanks RD).

I installed the patch that Julian sent earlier today. Unfortunately even
after the patch, the virus is arriving in the user's inbox intact. No
altered subject line...no virus warning.

Any thoughts?

Regards,
Chris

From lance at WARE.NET Tue Nov 4 00:27:57 2003
From: lance at WARE.NET (Lance Ware)
Date: Thu Jan 12 21:20:50 2006
Subject: odd spam catching results between 2 mail scanners.
Message-ID: <200311040029.hA40TRr14677@ori.rl.ac.uk>

Hi Folks,

I have two boxes running MailScanner-4.24-5 and Mail-SpamAssassin-2.60.
I also am running mailstats 0.25.

Here's what's odd. One mailscanner shows a spam percentage of 62.49% and
the other only 42.83%.

Now I'd expect a little difference, but over 20%?

Both boxes are set to 10 in terms of MX preference.

Any thoughts???

Is there any easy way to verify that SA is using the same sets of
network based tests between boxes?

TIA,

Lance

From kevins at BMRB.CO.UK Tue Nov 4 00:52:30 2003
From: kevins at BMRB.CO.UK (Kevin Spicer)
Date: Thu Jan 12 21:20:50 2006
Subject: odd spam catching results between 2 mail scanners.
In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB00188B0F0@pascal.priv.bmrb.co.uk>
References: <5C0296D26910694BB9A9BBFC577E7AB00188B0F0@pascal.priv.bmrb.co.uk>
Message-ID: <1067907150.14660.35.camel@bach.kevinspicer.co.uk>

On Tue, 2003-11-04 at 00:27, Lance Ware wrote:

>One mailscanner shows a spam percentage of 62.49% and the other only
>42.83%.
>Both boxes are set to 10 in terms of MX preference.
>Any thoughts???

Maybe your DNS servers always return them in the same order and some of
the spam tools just pick the last or second on the list? Do they send
out 50/50, or do certain senders send through certain machines. I think
some spammers/ viruses can pick up the email server from headers of
messages rather than DNS (you tend to see this with dictionary attacks,
I get countless messages addressed to 'users' @ mymailserver, despite
the fact that I have no users with addresses of that form)

>Is there any easy way to verify that SA is using the same sets of
>network based tests between boxes?

Get some sample mails and run them through spamassassin -D -t on each
machine and diff the results

TIA,

Lance

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000

From zen23003 at ZEN.CO.UK Tue Nov 4 01:26:37 2003
From: zen23003 at ZEN.CO.UK (Paul)
Date: Thu Jan 12 21:20:50 2006
Subject: OT: Linux Distrobutions?
References: <00db01c3a25d$7ea4e5a0$0100000a@lan>
Message-ID: <0a4e01c3a272$b18d3a20$0100000a@lan>

> ----- Original Message -----
> Date: Mon, 3 Nov 2003 19:15:57 +0000
> From: Julian Field
> Subject: Re: OT: Linux Distrobutions?
>
> The free version of RedHat will continue, but will be now known as
> "Fedora" ... I think it's what most people will migrate their boxes to.
>
> SuSE is a good alternative to RedHat.

Julian

I've done some more reading. When you recommend SUSE, does your
recommendation apply to the free download of SUSE LINUX for i386 at
www.suse.co.uk/uk/private/download/suse_linux/index.html or are you
referring to their supported versions such as SUSE LINUX Standard Server
8 at
http://www.suse.co.uk/uk/business/products/server/standard/prices.html
which will cost me GBP367 per year including support?

From joshua.hirsh at PARTNERSOLUTIONS.CA Tue Nov 4 01:50:17 2003
From: joshua.hirsh at PARTNERSOLUTIONS.CA (Hirsh, Joshua)
Date: Thu Jan 12 21:20:50 2006
Subject: OT: Linux Distrobutions?
Message-ID: <75FEDC422E2309419A9303E7B18F206E04DB5D0C@eqmail1.efni.vpn>

> Is there a path yet for this ? There was one for the older
> version, but i didn't see it yet for RH ES 3.0.

Not quite a full path just yet.. You can avoid a lot of the headaches
though, by making a release based on server only packages (no gnome,
kde, etc). I never liked having multiple CD's to bring around with me
anyways ;)

-Joshua

From ree at THUNDERSTAR.NET Tue Nov 4 02:50:17 2003
From: ree at THUNDERSTAR.NET (Ron E.)
Date: Thu Jan 12 21:20:50 2006
Subject: Urgent help needed: mailscanner not processing mail
Message-ID:

This is urgent, for anyone who may see this and has any ideas on a
workaround -

I am running MailScanner 4.21-4 and Postfix on RH9. All has been well
for months. A few hours ago MailScanner stopped passing any messages to
my mta - the number of messages in postfix.in/deferred continues to
rise - restarts of mailscanner and a server reboot have not rectified
the situation. Occasionally some mail gets passed to my mta but very
little and the backlog continues to mount. Also numerous entries in the
maillog that say things like:

Nov 4 03:41:16 smtp postfix/qmgr[2196]: BF97D160A3D: skipped, still being delivered

Any ideas would be welcome. Thanks!

-Ron

From marco at MUW.EDU Tue Nov 4 05:06:53 2003
From: marco at MUW.EDU (Marco Obaid)
Date: Thu Jan 12 21:20:50 2006
Subject: new pyzor host
Message-ID: <1067922413.3fa733edc26ae@webmail.MUW.Edu>

----- Forwarded message from Frank Tobin -----
Date: Mon, 3 Nov 2003 23:17:17 -0500 (EST)
From: Frank Tobin
Reply-To: Frank Tobin
Subject: new pyzor host
To: pyzor-announce@lists.sourceforge.net, pyzor-users@lists.sourceforge.net

The current pyzor host went down earlier today, and the sysadmin is
unfortunately unavailable, so I've moved it to a new host, courtesy of
Brent Holmes. Simply run 'pyzor discover' and all will be good.

--
Frank Tobin http://www.neverending.org/~ftobin/

_______________________________________________
pyzor-announce mailing list
pyzor-announce@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/pyzor-announce

----- End forwarded message -----

From mkettler_sa at comcast.net Tue Nov 4 04:15:24 2003
From: mkettler_sa at comcast.net (Matt Kettler)
Date: Thu Jan 12 21:20:50 2006
Subject: [SAtalk] Am I nuts
In-Reply-To:
Message-ID: <5.2.1.1.0.20031103230301.04a1c200@mail.comcast.net>

At 04:14 PM 11/3/03 -0600, Chris Barnes wrote:
>Background: I had SpamAssassin 2.60 running just fine (using sendmail).
>I was calling spamd via the /etc/procmail.
>
>After installing Mailscanner and ClamAV, I noticed that the original SA
>conf file was being ignored in favor of the smaller version in the
>Mailscanner conf file. Since I have custom rules that I really didn't
>want to lose, I turned SA off in Mailscanner, letting it handle just
>the running of ClamAV. SA is still being called by procmail.
>
>
>It seems to work just fine (everything).
>
>Q: Is this a "wrong way" to do it (ie. performance issues)?

Not really.

>Q: Is it just a "weird way"?

It's a little weird..

Personally, I like that MS uses a separate conf file.. it allows me to
test configfiles with spamassassin --lint before I copy them into the
live mailscanner config..

Basically I just merged all the stuff from
/etc/MailScanner/spam.assassin.prefs.conf into
/root/.spamassassin/user_prefs. Whenever I want to make config changes,
I edit root's user_prefs, run spamassassin --lint, and then copy it over
the mailscanner file. Admittedly I could also get the same effect with a
separate user, but this is a bit more convenient than having to su.

Also, even under mailscanner /etc/mail/spamassassin/*.cf (ie: local.cf)
should still be processed normally.. it's just the user_prefs file that
gets over-ridden.

If it really bothers you, you can over-ride it back in your
mailscanner.conf and point it at /root/.spamassassin/user_prefs.

I also like that MailScanner has some extra flexibility about how and
when I run SA.

But, YMMV and you can do what works for you.

From Kevin.Spicer at bmrb.co.uk Tue Nov 4 11:07:13 2003
From: Kevin.Spicer at bmrb.co.uk (Spicer, Kevin)
Date: Thu Jan 12 21:20:50 2006
Subject: [MAILSCANNER] workaround for "file size limit exceeded" messages?
Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0016497ED@pascal.priv.bmrb.co.uk>

Julian Field wrote:
> Please can you try the attached patch for
> /usr/lib/MailScanner/MailScanner/SweepViruses.pm.
>
> Copy the patch file into /tmp and do this
> cd /usr/lib/MailScanner/MailScanner
> patch -p0 < /tmp/SweepViruses.pm.clam.patch

This causes me false positives, but.....

I managed to catch an affected file and this is what I found, first calling clamscan without arguments

clamscan message .zip

==== START CLAM OUTPUT =====

photos.zip: File size limit exceeded.
photos.zip: Worm.Mimail.C FOUND

----------- SCAN SUMMARY -----------
Known viruses: 9922
Scanned directories: 0
Scanned files: 2
Infected files: 1
Data scanned: 0.01 Mb
I/O buffer size: 131072 bytes
Time: 0.740 sec (0 m 0 s)

==== END CLAM OUTPUT =======

Then as it would be called by MailScanner

clamscan --unzip --unarj --unrar --tar --tgz --lha photos.zip

==== START CLAM OUTPUT =====

/var/spool/MailScanner/quarantine/20031104/hA49pcRQ030174/photos.zip: File size limit exceeded.
unzip: cannot find /var/spool/MailScanner/quarantine/20031104/hA49pcRQ030174/photos.zip, /var/spool/MailScanner/quarantine/20031104/hA49pcRQ030174/photos.zip.zip or /var/spool/MailScanner/quarantine/20031104/hA49pcRQ030174/photos.zip.ZIP.
/root/tmp/cba5c20453d3d300: Can't open directory.
(raw) /var/spool/MailScanner/quarantine/20031104/hA49pcRQ030174/photos.zip: Worm.Mimail.C FOUND

----------- SCAN SUMMARY -----------
Known viruses: 9922
Scanned directories: 1
Scanned files: 2
Infected files: 1
Data scanned: 0.01 Mb
I/O buffer size: 131072 bytes
Time: 0.322 sec (0 m 0 s)

==== END CLAM OUTPUT =======

So the problem is caused by the --unzip option, which causes the internal scanning engine to prefix (raw). The unzip option is actually unnecessary. --unzip means 'if clam's internal unzipper fails then fall back to looking for an external unzip program in the path'. But I'd rather not remove it as it's a second line of defence should the internal unzipper fail, plus I suspect the other arguments will cause similar behaviour.

So... I think I've now fixed this with the attached patch (I reverted Julian's patch from last night first because it was causing some false positives).

Julian. There are two other issues with the clam wrapper, caused by the fact it changes user to 'clam' to run external programs.

1) The default tmpdir (/root/tmp) isn't writable by clam, therefore it can't unzip using an external program. We need to specify --tempdir=/some/writable/path in the wrapper script. Perhaps the wrapper should check for and create a clam writable subdir of /var/spool/MailScanner/incoming ???

2) Because it changes user it can't read the original files which have restrictive permissions. Maybe we need a mailscanner group which clam (and any other virus scanner users) can be a member of which have read permissions on the whole of the incoming tree?

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000
_________________________________________________________________
This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: SweepViruses.pm.diff
Type: application/octet-stream
Size: 496 bytes
Desc: SweepViruses.pm.diff
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20031104/e4c0f5e8/SweepViruses.pm.obj

From Kevin.Spicer at bmrb.co.uk Tue Nov 4 12:49:44 2003
From: Kevin.Spicer at bmrb.co.uk (Spicer, Kevin)
Date: Thu Jan 12 21:20:50 2006
Subject: [MAILSCANNER] workaround for "file size limit exceeded" messages?
Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0A4AE2D@pascal.priv.bmrb.co.uk>

Julian Field wrote:
> Good point. Sorry for the lousy code. The attached patch might work
> slightly better. You did keep your unpatched original SweepViruses.pm
> file, didn't you? :)

Yes. I haven't yet applied your patch, can you confirm if this is doing what I think it is doing? I think that (as well as stripping (raw)) if it detects "File size limit exceeded" it is treating it as a virus. Unfortunately clam seems to give this response with any file that achieves a high compression ratio (i.e. the same behaviour as last night's patch?). This causes me problems because I have folks sending files with compression ratios around 12:1 which trigger this warning from Clam.

I think the answer may be to solve the other issues with the clam wrapper I mentioned so that the external unzipper works (which clam uses when the internal unzipper fails), then ignore this message.

[Is the mailing list okay? I'm not getting anything on it, not even my own posts]

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000

From martinh at SOLID-STATE-LOGIC.COM Tue Nov 4 09:08:30 2003
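Added example (not part of the thread, and not MailScanner's own Perl code): a small Python parser for the clamscan output quoted in Kevin Spicer's two messages above. It strips the "(raw)" prefix before matching and records "File size limit exceeded" as a separate warning rather than as a virus; the sample text is constructed from the output in the thread, report.zip is a constructed clean case, and all function and variable names are assumptions.

```python
import re
from dataclasses import dataclass, field

# Sample input, constructed from the two clamscan runs quoted in the thread
# (scan summary trimmed).
PLAIN_RUN = """\
photos.zip: File size limit exceeded.
photos.zip: Worm.Mimail.C FOUND

----------- SCAN SUMMARY -----------
Known viruses: 9922
Infected files: 1
"""

Q = "/var/spool/MailScanner/quarantine/20031104/hA49pcRQ030174/photos.zip"
WRAPPED_RUN = f"""\
{Q}: File size limit exceeded.
unzip: cannot find {Q}, {Q}.zip or {Q}.ZIP.
/root/tmp/cba5c20453d3d300: Can't open directory.
(raw) {Q}: Worm.Mimail.C FOUND

----------- SCAN SUMMARY -----------
Known viruses: 9922
Infected files: 1
"""

# Constructed: a clean archive that only triggers the size-limit warning,
# standing in for the high-compression-ratio files mentioned in the thread.
CLEAN_COMPRESSED_RUN = """\
report.zip: File size limit exceeded.
"""

RAW_PREFIX = re.compile(r"^\(raw\)\s+")
FOUND = re.compile(r"^(?P<path>.+):\s+(?P<sig>\S+) FOUND\s*$")
LIMIT = re.compile(r"^(?P<path>.+):\s+File size limit exceeded\.\s*$")


@dataclass
class ScanResult:
    infections: dict = field(default_factory=dict)    # path -> [signature, ...]
    limit_warnings: set = field(default_factory=set)  # paths with the warning

    def verdict(self, path):
        """A signature hit outranks the warning; the warning alone is its own state."""
        if path in self.infections:
            return "infected"
        if path in self.limit_warnings:
            return "limit-exceeded"
        return "clean"


def parse_clamscan(output, strip_raw=True):
    """Parse clamscan stdout into per-file results.

    With strip_raw=False the "(raw) " prefix stays glued to the file name, so
    the hit is filed under a path the caller never asked about. That is a
    hypothetical strict parser, shown only to illustrate the failure mode.
    """
    result = ScanResult()
    for line in output.splitlines():
        if strip_raw:
            line = RAW_PREFIX.sub("", line)
        m = FOUND.match(line)
        if m:
            result.infections.setdefault(m["path"], []).append(m["sig"])
            continue
        m = LIMIT.match(line)
        if m:
            result.limit_warnings.add(m["path"])
        # Everything else (unzip noise, tmpdir errors, summary) is ignored.
    return result


if __name__ == "__main__":
    print(parse_clamscan(PLAIN_RUN).verdict("photos.zip"))
    print(parse_clamscan(WRAPPED_RUN).verdict(Q))
    print(parse_clamscan(WRAPPED_RUN, strip_raw=False).verdict(Q))
    print(parse_clamscan(CLEAN_COMPRESSED_RUN).verdict("report.zip"))
```

Keeping "limit-exceeded" as a distinct verdict leaves the block-or-pass decision to site policy instead of folding it into the virus report.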
From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth) Date: Thu Jan 12 21:20:50 2006 Subject: Urgent help needed: mailscanner not processing mail In-Reply-To: References: Message-ID: <3FA76C8E.5010804@solid-state-logic.com> Ron E. wrote: > This is urgent, for anyone who may see this and has any ideas on a > workaround - > > I am running MailScanner 4.21-4 and Postfix on RH9. All has been well for > months. > > A few hours ago MailScanner stopped passing any messages to my mta - the > number of messages in postfix.in/deferred continues to rise - restarts of > mailscanner and a server reboot have not rectified the situation. > Occasionally some mail gets passed to my mta but very little and the > backlog continues to mount. Also numerous entries in the maillog that say > things like: > > Nov 4 03:41:16 smtp postfix/qmgr[2196]: BF97D160A3D: skipped, still being > delivered > > Any ideas would be welcome. > > Thanks! > > -Ron Have you stopped and restarted postfix? -- Martin Hepworth Senior Systems Administrator Solid State Logic Ltd tel: +44 (0)1865 842300 ********************************************************************** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean. ********************************************************************** From t.d.lee at DURHAM.AC.UK Tue Nov 4 10:41:30 2003 
From: t.d.lee at DURHAM.AC.UK (David Lee)
Date: Thu Jan 12 21:20:50 2006
Subject: ANNOUNCE: Beta 4.25-5 released
In-Reply-To: <5.2.0.9.2.20031101173342.02c1fd00@imap.ecs.soton.ac.uk>
References: <5.2.0.9.2.20031101173342.02c1fd00@imap.ecs.soton.ac.uk>
Message-ID:

On Sat, 1 Nov 2003, Julian Field wrote:
> [...]
> I have added the "disarm" option for the "Allow ...." HTML checks, so you
> can choose to just disarm the individual HTML tags rather than convert the
> entire message to plain text.
> [...]
> - Added support for "disarm" option on all HTML tag detectors, which will
> disarm those tags while leaving the rest of the HTML intact.

Excellent! Many thanks. Sounds like what we've been discussing recently on the list about controlled conversion of potentially dangerous bits of HTML (as we discussed offline yesterday evening).

I have just installed it on our lowest preference (highest MX number) campus relay.

With the aim of allowing most HTML but of de-clawing "Object Codebase", we used to have (4.24-5):

   Allow IFrame Tags = yes
   Allow Form Tags = yes
   Allow Object Codebase Tags = no
   Convert Dangerous HTML To Text = yes

But in practice, this used to affect HTML containing any of those tags, not just OC.

I have now (4.25-5) set:

   Allow IFrame Tags = yes
   Allow Form Tags = yes
   Allow Object Codebase Tags = disarm
   Convert Dangerous HTML To Text = no

which I hope should achieve this (permit everything, but de-claw OC). Correct?

But I have a suggestion, Julian. Could you clarify the comments in MailScanner.conf about "Convert Dangerous HTML To Text", so that it clearly relates to the words "yes" and "disarm" in the "Allow X" options? It currently says:

   # This will only apply if you are also allowing the tags to be present
   # using the configuration options above.

Does "allowing to be present" relate to "yes" only, or also to "disarm"? Put another way: How does 'Convert ...' interact with the multiple values of the various 'Allow ...'?

> [...]
> I am not planning a stable release for November, as there really haven't
> been enough changes to justify it.
> [...]

But for those of us itching to use the new features in major production use, how "unstable" is this beta overall, compared to the previous stable? (The question is more about the basic MailScanner code and possible added risk there, less about the intrinsic risk of the newly enabled features.)

Many thanks again for a great product and great support.

--
:  David Lee                                I.T. Service          :
:  Systems Programmer                       Computer Centre       :
:                                           University of Durham  :
:  http://www.dur.ac.uk/t.d.lee/            South Road            :
:                                           Durham                :
:  Phone: +44 191 334 2752                  U.K.                  :

From Jan-Peter.Koopmann at SECEIDOS.DE Tue Nov 4 13:36:30 2003
From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann)
Date: Thu Jan 12 21:20:50 2006
Subject: Feature Request
Message-ID:

Hi Julian,

I have a feature request. Not sure if and how this can be done but why not dream about it... :-)

Some viruses obviously start using "wrong" zip files. CRC does not match and similar things. Today I received some customer complaints that readnow.zip came through. I analyzed the file a bit and it was only 128 bytes long. Windows XP unzip does not say anything, unzip says things like

proxy:/tmp # unzip readnow.zip
Archive: readnow.zip
warning [readnow.zip]: 3 extra bytes at beginning or within zipfile
  (attempting to process anyway)
file #1: bad zipfile offset (local header sig): 3
  (attempting to re-compensate)
extracting: readnow.doc.scr

Moreover "wrong" ZIP files might not extract with unzip (and therefore clamav etc. might not catch them) but Windows XP will unzip them without complaints.

What if we test archives and consider them "Dangerous Contents" (or similar) when they do not check out (CRC, unzip impossible etc.)?

Regards,
JP

From denis at CROOMBS.ORG Tue Nov 4 09:22:14 2003
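Added example (not part of the thread and not MailScanner code): one way, in Python, to test whether a zip archive "checks out" in the sense of Jan-Peter Koopmann's request above. It compares the offsets stored in the end-of-central-directory record with the actual file layout, which is the condition unzip reports as "extra bytes at beginning or within zipfile", and runs a CRC test on every member; the sample archives are constructed in memory and all names are assumptions.

```python
import io
import struct
import zipfile
import zlib

EOCD_SIG = b"PK\x05\x06"
EOCD_FMT = "<4sHHHHIIH"   # fixed part of the end-of-central-directory record
EOCD_LEN = struct.calcsize(EOCD_FMT)   # 22 bytes


def archive_issues(data):
    """Return the reasons an archive does not check out (empty list = consistent)."""
    pos = data.rfind(EOCD_SIG)
    if pos < 0 or len(data) - pos < EOCD_LEN:
        return ["no end-of-central-directory record"]
    _, _, _, _, _, cd_size, cd_offset, _ = struct.unpack_from(EOCD_FMT, data, pos)

    issues = []
    # In a well-formed single-part archive the central directory ends exactly
    # where the EOCD record begins. Any difference means the stored offsets do
    # not describe this file, and unpackers differ in how they recover.
    extra = pos - (cd_offset + cd_size)
    if extra > 0:
        issues.append(f"{extra} extra bytes at beginning or within zipfile")
    elif extra < 0:
        issues.append(f"central directory overruns its stated position by {-extra} bytes")

    # CRC test of every member, using a tolerant reader.
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            bad = zf.testzip()
            if bad is not None:
                issues.append(f"member {bad!r} fails CRC check")
    except (zipfile.BadZipFile, zlib.error, NotImplementedError,
            RuntimeError, EOFError, OSError, ValueError) as exc:
        issues.append(f"cannot be unpacked: {exc}")
    return issues


def build_samples():
    """Constructed test archives: one good, three that should be flagged."""
    payload = b"constructed sample payload"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("note.txt", payload)
    good = buf.getvalue()
    return {
        "good": good,
        # Three stray bytes in front, as in the unzip warning quoted above.
        "prefixed": b"\x00\x00\x00" + good,
        # Same length, one payload byte changed, so the stored CRC is wrong.
        "bad_crc": good.replace(payload, payload[:-1] + b"X"),
        # Cut off before the central directory.
        "truncated": good[:40],
    }


if __name__ == "__main__":
    for name, blob in build_samples().items():
        print(name, archive_issues(blob) or "consistent")
```

A content filter could treat any non-empty result as grounds for quarantine, since a file that strict and lenient unpackers read differently cannot be relied on to have been scanned.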
From: denis at CROOMBS.ORG (Denis Croombs) Date: Thu Jan 12 21:20:50 2006 Subject: MalScanner & Clam V0.60 on Redhat 7.2 system Message-ID: <009501c3a2b5$294cb8a0$85b8fea9@Laptop> MailScanner & ClamAV on a Redhat 7.2 system ! I have 2 problems with this:- 1) /etc/cron.hourly/update_virus_scanners: /usr/bin/clamscan: invalid option -- I This is displaying V.054 if I do a /usr/bin/clamscan -V But if I do a /usr/local/bin/clamscan -V I get V0.60 2) When MailScanner tries to do a virus scan it put the following error in /var/log/maillog "ERROR: Can't access file /usr/local ." Why is it trying to access the FILE /usr/local when this is a directory ? I have other 7.2 & 7.3 systems with the same MS 4.23-11, Spassassin V2.60, clam 0.60 with no problems but have just noticed this on this 1 system. Any clues ? Thanks Denis -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. Marvin the E-Mail scanner From mailscanner at ecs.soton.ac.uk Tue Nov 4 09:52:18 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:20:50 2006 Subject: Urgent help needed: mailscanner not processing mail In-Reply-To: Message-ID: <5.2.0.9.2.20031104095154.04dd6b38@imap.ecs.soton.ac.uk> Upgrade to a more recent MailScanner (4.24 or 4.25) and that Postfix message will disappear. At 02:50 04/11/2003, you wrote: >This is urgent, for anyone who may see this and has any ideas on a >workaround - > >I am running MailScanner 4.21-4 and Postfix on RH9. All has been well for >months. > >A few hours ago MailScanner stopped passing any messages to my mta - the >number of messages in postfix.in/deferred continues to rise - restarts of >mailscanner and a server reboot have not rectified the situation. >Occasionally some mail gets passed to my mta but very little and the >backlog continues to mount. Also numerous entries in the maillog that say >things like: > >Nov 4 03:41:16 smtp postfix/qmgr[2196]: BF97D160A3D: skipped, still being >delivered > >Any ideas would be welcome. > >Thanks! > >-Ron -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From Kevin.Spicer at BMRB.CO.UK Tue Nov 4 09:34:46 2003 
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin) Date: Thu Jan 12 21:20:50 2006 Subject: workaround for "file size limit exceeded" messages? Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0016497EC@pascal.priv.bmrb.co.uk> Julian Field wrote: > Please can you try the attached patch for > /usr/lib/MailScanner/MailScanner/SweepViruses.pm. Okay, after waiting overnight I finally got one come in, this is the report now... Report: SophosSAVI: photos.zip was infected by W32/Mimail-C ClamAV: photos.zip contains dangerous broken zip file Which is all very well, but I also saw this cause a genuine (non-infected) zip to get blocked. Considering that clamscan does pick the Mimail virus up (just that MailScanner doesn't seem able to spot it in Clam's output) there must surely be a better solution(?). BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 From mailscanner at BARENDSE.TO Tue Nov 4 12:34:20 2003 
From: mailscanner at BARENDSE.TO (Remco Barendse) Date: Thu Jan 12 21:20:50 2006 Subject: OT: Linux Distrobutions? In-Reply-To: Message-ID: There isn't yet. I tried building EL 30 on the beta version but a lot of packages failed. I now have shell access to a 3.0 server and am retrying the build. It's about halfway now. Everything seems to be going fine so far, still have to solve some dependencies. Building on a RedHat 9 system will be difficult i'm afraid if already some packages failed on the beta release. On Tue, 4 Nov 2003, Raymond Dijkxhoorn wrote: > Hi! > > > Personally, I'm going the route of rebuilding RHEL from the SRPMS.. but > > challenges are fun sometimes :) > > Is there a path yet for this ? There was one for the older version, but i > didnt see it yet for RH ES 3.0. > > Would love to see what exacly needs to be changed. Perhaps a new kernel > and the sendmail package woould do ? :) > > Bye, > Raymond. > From P.G.M.Peters at utwente.nl Tue Nov 4 09:57:03 2003 
From: P.G.M.Peters at utwente.nl (Peter Peters) Date: Thu Jan 12 21:20:50 2006 Subject: sendmail message splitting defeats bandwidth savings? In-Reply-To: <62E46E0C3CB8024C807447814E1B20A501CCD7@granitemail.mirabito.com> References: <62E46E0C3CB8024C807447814E1B20A501CCD7@granitemail.mirabito.com> Message-ID: On Mon, 3 Nov 2003 12:28:42 -0500, you wrote: >Maybe an idea... > >Have MailScanner split and resubmit the message, as needed by the rule >sets, to sendmail on the loopback interface before spam or virus >checking happens. Then sendmail can control its own queue numbers and >the message will be single recipient per message for the rest of the >checks. This would put an extra burden on the system because each message has to go through the sendmail processes a couple of extra times. -- Peter Peters, senior netwerkbeheerder Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE) Universiteit Twente, Postbus 217, 7500 AE Enschede telefoon: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/civ From P.G.M.Peters at utwente.nl Tue Nov 4 09:55:28 2003 
From: P.G.M.Peters at utwente.nl (Peter Peters) Date: Thu Jan 12 21:20:50 2006 Subject: sendmail message splitting defeats bandwidth savings? In-Reply-To: <8FFC76593085ED4A80D3601BC41EFCDF0C087C@inex1.herffjones.hj-int> References: <8FFC76593085ED4A80D3601BC41EFCDF0C087C@inex1.herffjones.hj-int> Message-ID: <45teqv0lpqvr50n7g1m4j2g0c9a4d76kpc@4ax.com> On Mon, 3 Nov 2003 11:04:07 -0500, you wrote: >> > 3. MailScanner scans and re-queues all of the (now many) messages. >> > 4. Sendmail delivers the messages, one copy per recipient, >> resulting in the >> > original message being sent MANY TIMES over the wire to the next MX. >> >> Even if MS will do this trick i think mailvolume increase is >> the only way >> to accomplish this approach. > >Yes, but again, the question is *how much* it ought to increase. The >current approach has the potential to increase it drastically, with most of >the increase being completely unrelated to productive mail filtering. I checked and I got 4.500.000 messages last month. The total number of recipients was 4.900.000. So splitting it would increase the load with 9%. I wouldn't call that drastically. Another advantage I see is that the for clause is put into the Received: headers. So people can see for what address the e-mail was originaly received. We have a lot of user with a number of addresses and they complain that sometimes they can filter on the original address and sometimes they can not. -- Peter Peters, senior netwerkbeheerder Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE) Universiteit Twente, Postbus 217, 7500 AE Enschede telefoon: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/civ From mailscanner at ecs.soton.ac.uk Tue Nov 4 12:31:33 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:20:51 2006 Subject: workaround for "file size limit exceeded" messages? In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB0016497ED@pascal.priv.bmrb. co.uk> Message-ID: <5.2.0.9.2.20031104123020.08a3f6e0@imap.ecs.soton.ac.uk> Good point. Sorry for the lousy code. The attached patch might work slightly better. You did keep your unpatched original SweepViruses.pm file, didn't you? :) At 11:07 04/11/2003, Spicer, Kevin wrote: >Julian Field wrote: > > Please can you try the attached patch for > > /usr/lib/MailScanner/MailScanner/SweepViruses.pm. > > > > Copy the patch file into /tmp and do this > > cd /usr/lib/MailScanner/MailScanner > > patch -p0 < /tmp/SweepViruses.pm.clam.patch > >This causes me false positives, but..... > >I managed to catch an affected file and this is what I found, first >calling clamscan without arguments > >clamscan message .zip > >==== START CLAM OUTPUT ===== > >photos.zip: File size limit exceeded. >photos.zip: Worm.Mimail.C FOUND > >----------- SCAN SUMMARY ----------- >Known viruses: 9922 >Scanned directories: 0 >Scanned files: 2 >Infected files: 1 >Data scanned: 0.01 Mb >I/O buffer size: 131072 bytes >Time: 0.740 sec (0 m 0 s) > >==== END CLAM OUTPUT ======= > >Then as it would be called by MailScanner > >clamscan --unzip --unarj --unrar --tar --tgz --lha photos.zip > >==== START CLAM OUTPUT ===== > >/var/spool/MailScanner/quarantine/20031104/hA49pcRQ030174/photos.zip: File >size limit exceeded. >unzip: cannot find >/var/spool/MailScanner/quarantine/20031104/hA49pcRQ030174/photos.zip, >/var/spool/MailScanner/quarantine/20031104/hA49pcRQ030174/photos.zip.zip >or /var/spool/MailScanner/quarantine/20031104/hA49pcRQ030174/photos.zip.ZIP. >/root/tmp/cba5c20453d3d300: Can't open directory. 
>(raw) >/var/spool/MailScanner/quarantine/20031104/hA49pcRQ030174/photos.zip: >Worm.Mimail.C FOUND > >----------- SCAN SUMMARY ----------- >Known viruses: 9922 >Scanned directories: 1 >Scanned files: 2 >Infected files: 1 >Data scanned: 0.01 Mb >I/O buffer size: 131072 bytes >Time: 0.322 sec (0 m 0 s) > >==== END CLAM OUTPUT ======= > >So the problem is caused by the --unzip option, which causes the internal >scanning engine to prefix (raw). The unzip option is actually >unnecessary. --unzip means 'if clams internal unzipper fails then fall >back to looking for an external unzip program in the path'. But I'd >rather not remove it as its a second line of defence should the internal >unzipper fail, plus I suspect the other arguments will cause similar behaviour. > >So... I think I've now fixed this with the attached patch (I reverted >Julian's patch from last night first because it was causing some false >positives). > >Julian. There are two other issues with the clam wrapper, caused by the >fact it changes user to 'clam' to run external programs. > >1) The default tmpdir (/root/tmp) isn't writable by clam, therefore it >can't unzip using an external program. We need to specify >--tempdir=/some/writable/path in the wrapper script. Perhaps the wrapper >should check for and create a clam writable subdir of >/var/spool/MailScanner/incoming ??? > >2) Because it changes user it can't read the original files which have >restrictive permissions. Maybe we need a mailscanner group which >clam (and any other virus scanner users) can be a member of which have >read permissions on the whole of the incoming tree? > > > > >BMRB International >http://www.bmrb.co.uk >+44 (0)20 8566 5000 >_________________________________________________________________ >This message (and any attachment) is intended only for the >recipient and may contain confidential and/or privileged >material. If you have received this in error, please contact the >sender and delete this message immediately. 
Disclosure, copying >or other action taken in respect of this email or in >reliance on it is prohibited. BMRB International Limited >accepts no liability in relation to any personal emails, or >content of any email which does not directly relate to our >business. > > -------------- next part -------------- A non-text attachment was scrubbed... Name: SweepViruses.pm.clam.patch Type: application/octet-stream Size: 1291 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20031104/572c3272/SweepViruses.pm.clam.obj -------------- next part -------------- -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From prussell at MTELIZA.COM.AU Tue Nov 4 21:09:13 2003 
From: prussell at MTELIZA.COM.AU (Peter Russell) Date: Thu Jan 12 21:20:51 2006 Subject: Postfix AROUND MailScanner Message-ID: I am no expert, but maybe you could have a MS or spamassassin rule that whitelists this email address, so it is never ever checked for spams - then it will be passed directly to the outbound queue, and not cause any extra load on MailScanner? As i said, i am bit new to MS myself, so just a thought. Pete Chris Trudeau Sent by: MailScanner mailing list 11/05/03 03:13 AM Please respond to MailScanner mailing list To: MAILSCANNER@JISCMAIL.AC.UK cc: Subject: Postfix AROUND MailScanner here is a tough one... I am using postfix->mailscanner->postfix as a gateway. It works really well so far, but one of the domains that this gateway is processing mail for has an automated monitoring system that is contributing a LARGE share of the total messages being processed. This system is using the domain's Notes server as its next hop SMTP gateway, so the MS gateway is processing all of this mail needlessly. I have attempted to get the monitoring system re-configured...to use some other SMTP gateway, but the user is either unable or unwilling to get the system reconfigured. I would like my inbound instance of postfix (which per the documentation SIMPLY defers all mail for MS to pickup and scan) to actually deliver messages originating FROM this address without sending them to the MS queue. Any ideas? I thought about a simple transport map within the outside instance of postfix, but this would require removing the defer_transports = smtp local virtual relay Configuration within that postfix instance.... Any other ideas? CT From lance at WARE.NET Tue Nov 4 19:01:47 2003 
From: lance at WARE.NET (Lance Ware) Date: Thu Jan 12 21:20:51 2006 Subject: odd spam catching results between 2 mail scanners. In-Reply-To: A<1067907150.14660.35.camel@bach.kevinspicer.co.uk> Message-ID: <200311041903.hA4J3Qr18058@ori.rl.ac.uk> Thanks. It appeared Razor hadn't been working for a while on one of the boxes. Lance -----Original Message----- 
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Kevin Spicer Sent: Monday, November 03, 2003 4:53 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: odd spam catching results between 2 mail scanners. On Tue, 2003-11-04 at 00:27, Lance Ware wrote: >One mailscanner shows a spam percentage of 62.49% and the other only >42.83%. >Both boxes are set to 10 in terms of MX preference. >Any thoughts??? Maybe your DNS servers always return them in the same order and some of the spam tools just pick the last or second on the list? Do they send out 50/50, or do certain senders send through certain machines. I think some spammers/ viruses can pick up the email server from headers of messages rather than DNS (you tend to see this with dictionary attacks, I get countless messages addressed to 'users' @ mymailserver, despite the fact that I have no users with addresses of that form) >Is there any easy way to verify that SA is using the same sets of >network based tests between boxes? Get some sample mails and run them through spamassassin -D -t on each machine and diff the results TIA, Lance BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 From mdunder at GE.UCL.AC.UK Tue Nov 4 20:50:01 2003 
From: mdunder at GE.UCL.AC.UK (Mike Dunderdale) Date: Thu Jan 12 21:20:51 2006 Subject: IMAP and MailScanner In-Reply-To: <6.0.0.22.0.20031104163408.027f2c30@192.168.2.52> References: <6.0.0.22.0.20031104163408.027f2c30@192.168.2.52> Message-ID: We're running Sendmail, Mailscanner and Squirrelmail, UW Imap with Imap proxy as suggested by the FAQ and don't have any such calls. I'd suggest if you're not running Cyrus IMAP then you've got the inherent problem of parsing your mail folders when they're not in single file per message format - this is discussed on the Squirrelmail FAQ. Also, running an IMAP proxy lightens the load a little. Any further questions, contact me off list and I'll try to summarise for the list. M. On Tue, 4 Nov 2003, Morten Norby Larsen wrote: > Hello, > > we have a small mail server (<10 users) with RedHat 7.3, UW-IMAP, sendmail, > etc. Plus Squirrelmail 1.4.1. > > The MailScanner is the standard installation (RPMs, I think) with > SpamAssassin and ClamAV. > > The problem is that from a superficial analysis (running top in a terminal) > that MailScanner gets called every time we access webmail (through > Squirrelmail), which would also explain why Squirrelmail takes more than a > minute long to list a mailbox ( >100 messages ). > > Does anybody know if such a setup would actually run MailScanner during an > IMAP request and, if so, how that could be avoided (MailScanner has been > run when mail is accepted, so no further checks should be needed). > > > Thanks in advance for any info, > > > Morten > > > > ----------------------------------------------------------------------- > Morten Norby Larsen morten@magisterludi.com > Magister Ludi s.r.l. 
Phone: +39 02 26 11 72 80 > Via Battaglia 8, I-20127 Milano, Italy Fax: +39 02 28 46 037 > http://www.magisterludi.com > ------------------------------------------------------------------------- Mike Dunderdale | tel: ++44 20 7679 2756 IT Systems Manager, Geomatic Engineering | fax: ++44 20 7380 0453 mike.dunderdale@ge.ucl.ac.uk | mob: ++44 7939 455 245 From dbowen1 at MAC.COM Tue Nov 4 19:37:58 2003 From: dbowen1 at MAC.COM (Dan Bowen) Date: Thu Jan 12 21:20:51 2006 Subject: Urgent help needed: mailscanner not processing mail In-Reply-To: Message-ID: <64C23725-0EFE-11D8-B473-0003939E8DDE@mac.com> Check your mail.log for that message ID, I've come across a similar problem where MailScanner's TNEF dies upon opening certain attachements, and MailScanner gets stuck in a loop dying on that one message. removing that message from the mqueue.in or equivalent alleviates the problem here. I'm running MailScanner 4.14-9 on Mac OS X 10.2.6 (apple darwin) with Sendmail and the Perl TNEF decoder. Dan Bowen Oak Ridge Schools Oak Ridge, TN On Monday, November 3, 2003, at 09:50 PM, Ron E. wrote: > This is urgent, for anyone who may see this and has any ideas on a > workaround - > > I am running MailScanner 4.21-4 and Postfix on RH9. All has been well > for > months. > > A few hours ago MailScanner stopped passing any messages to my mta - > the > number of messages in postfix.in/deferred continues to rise - restarts > of > mailscanner and a server reboot have not rectified the situation. > Occasionally some mail gets passed to my mta but very little and the > backlog continues to mount. Also numerous entries in the maillog that > say > things like: > > Nov 4 03:41:16 smtp postfix/qmgr[2196]: BF97D160A3D: skipped, still > being > delivered > > Any ideas would be welcome. > > Thanks! > > -Ron From TGFurnish at HERFF-JONES.COM Tue Nov 4 21:56:22 2003 
From: TGFurnish at HERFF-JONES.COM (Furnish, Trever G)
Date: Thu Jan 12 21:20:51 2006
Subject: sendmail message splitting defeats bandwidth savings?
Message-ID: <8FFC76593085ED4A80D3601BC41EFCDF02A60556@inex1.herffjones.hj-int>

> -----Original Message-----
> From: Peter Peters [mailto:P.G.M.Peters@utwente.nl]
> Sent: Tuesday, November 04, 2003 4:57 AM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: sendmail message splitting defeats bandwidth savings?
>
>
> On Mon, 3 Nov 2003 12:28:42 -0500, you wrote:
>
> >Maybe an idea...
> >
> >Have MailScanner split and resubmit the message, as needed
> by the rule
> >sets, to sendmail on the loopback interface before spam or virus
> >checking happens. Then sendmail can control its own queue numbers and
> >the message will be single recipient per message for the rest of the
> >checks.
>
> This would put an extra burden on the system because each
> message has to
> go through the sendmail processes a couple of extra times.

Not *each* message, only those that need to be split. And not *all* the
sendmail processes, just the delivery process (and a different one at that,
since we can't run both the outbound queue runner and an smtp listener off
the same outbound mail queue).

From miguelk at KONSULTEX.COM.BR Tue Nov 4 20:55:58 2003
From: miguelk at KONSULTEX.COM.BR (Miguel Koren O'Brien de Lacy)
Date: Thu Jan 12 21:20:51 2006
Subject: Clam vs. zipped files
Message-ID: <3FA8125E.5000908@konsultex.com.br>

According to Clam development, there is a new stable release planned for
Thursday which solves the problem with the zip files (W32.Mimail.G) and
clamscan. If you need a fix sooner, CVS snapshots work.

I can wait so I haven't tried it ;-)

Miguel

--
This message has been checked by the antivirus system and is believed to be
free of danger.

From marco at MUW.EDU Tue Nov 4 18:37:50 2003
From: marco at MUW.EDU (Marco Obaid) Date: Thu Jan 12 21:20:51 2006 Subject: new pyzor host In-Reply-To: <54C38A0B814C8E438EF73FC76F3629273AE0E8@mtlnt501fs.CAMOROUTE.COM> References: <54C38A0B814C8E438EF73FC76F3629273AE0E8@mtlnt501fs.CAMOROUTE.COM> Message-ID: <1067971070.3fa7f1fe6cf7d@webmail.MUW.Edu> > > Simply run 'pyzor discover' and all will be good. > > > > Should we do that once in a while? You can setup a nightly cron job to run this command, just in case. Marco From chris at fractalweb.com Tue Nov 4 21:17:26 2003 From: chris at fractalweb.com (Chris Yuzik) Date: Thu Jan 12 21:20:51 2006 Subject: Clam vs. zipped files In-Reply-To: <3FA8125E.5000908@konsultex.com.br> References: <3FA8125E.5000908@konsultex.com.br> Message-ID: <200311041317.26973.chris@fractalweb.com> On November 4, 2003 12:55 pm, you wrote: > According to Clam development, there is a new stable release planned for > Thursday which solves the problem with the zip files (W32.Mimail.G) and > clamscan. If you need a fix sooner, CVS snapshots work. > > I can wait so I haven't tried it ;-) Miguel, Just use version 2 of the patch that Julian sent to the list today. MailScanner and ClamAV now catch worm.mimail.c and everything now works great on my system again. Cheers, Chris -- Chris Yuzik chris@fractalweb.com 604-304-0444 "Reality is that which, when you stop believing in it, doesn't go away". -- Philip K. Dick From chris at fractalweb.com Tue Nov 4 20:22:44 2003 
From: chris at fractalweb.com (Chris Yuzik) Date: Thu Jan 12 21:20:51 2006 Subject: workaround for "file size limit exceeded" messages? In-Reply-To: <5.2.0.9.2.20031104123020.08a3f6e0@imap.ecs.soton.ac.uk> References: <5.2.0.9.2.20031104123020.08a3f6e0@imap.ecs.soton.ac.uk> Message-ID: <200311041222.44857.chris@fractalweb.com> On November 4, 2003 04:31 am, Julian Field wrote: > The attached patch might work slightly better. The attached patch works perfectly on my system. Thank you! Cheers, Chris -- Chris Yuzik chris@fractalweb.com 604-304-0444 "Reality is that which, when you stop believing in it, doesn't go away". -- Philip K. Dick From mailscanner at ecs.soton.ac.uk Tue Nov 4 20:46:44 2003 
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:20:51 2006
Subject: workaround for "file size limit exceeded" messages?
In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB0016497ED@pascal.priv.bmrb.
 co.uk>
Message-ID: <5.2.0.9.2.20031104204606.03a411d8@imap.ecs.soton.ac.uk>

A repost of version 2 of the patch.

At 11:07 04/11/2003, you wrote:
>Julian Field wrote:
> > Please can you try the attached patch for
> > /usr/lib/MailScanner/MailScanner/SweepViruses.pm.
> >
> > Copy the patch file into /tmp and do this
> > cd /usr/lib/MailScanner/MailScanner
> > patch -p0 < /tmp/SweepViruses.pm.clam.patch
>
>This causes me false positives, but.....
>
>I managed to catch an affected file and this is what I found, first
>calling clamscan without arguments
>
>clamscan message .zip
>
>==== START CLAM OUTPUT =====
>
>photos.zip: File size limit exceeded.
>photos.zip: Worm.Mimail.C FOUND
>
>----------- SCAN SUMMARY -----------
>Known viruses: 9922
>Scanned directories: 0
>Scanned files: 2
>Infected files: 1
>Data scanned: 0.01 Mb
>I/O buffer size: 131072 bytes
>Time: 0.740 sec (0 m 0 s)
>
>==== END CLAM OUTPUT =======
>
>Then as it would be called by MailScanner
>
>clamscan --unzip --unarj --unrar --tar --tgz --lha photos.zip
>
>==== START CLAM OUTPUT =====
>
>/var/spool/MailScanner/quarantine/20031104/hA49pcRQ030174/photos.zip: File
>size limit exceeded.
>unzip: cannot find
>/var/spool/MailScanner/quarantine/20031104/hA49pcRQ030174/photos.zip,
>/var/spool/MailScanner/quarantine/20031104/hA49pcRQ030174/photos.zip.zip
>or /var/spool/MailScanner/quarantine/20031104/hA49pcRQ030174/photos.zip.ZIP.
>/root/tmp/cba5c20453d3d300: Can't open directory.
>(raw)
>/var/spool/MailScanner/quarantine/20031104/hA49pcRQ030174/photos.zip:
>Worm.Mimail.C FOUND
>
>----------- SCAN SUMMARY -----------
>Known viruses: 9922
>Scanned directories: 1
>Scanned files: 2
>Infected files: 1
>Data scanned: 0.01 Mb
>I/O buffer size: 131072 bytes
>Time: 0.322 sec (0 m 0 s)
>
>==== END CLAM OUTPUT =======
>
>So the problem is caused by the --unzip option, which causes the internal
>scanning engine to prefix (raw). The unzip option is actually
>unnecessary. --unzip means 'if clam's internal unzipper fails then fall
>back to looking for an external unzip program in the path'. But I'd
>rather not remove it as it's a second line of defence should the internal
>unzipper fail, plus I suspect the other arguments will cause similar behaviour.
>
>So... I think I've now fixed this with the attached patch (I reverted
>Julian's patch from last night first because it was causing some false
>positives).
>
>Julian. There are two other issues with the clam wrapper, caused by the
>fact it changes user to 'clam' to run external programs.
>
>1) The default tmpdir (/root/tmp) isn't writable by clam, therefore it
>can't unzip using an external program. We need to specify
>--tempdir=/some/writable/path in the wrapper script. Perhaps the wrapper
>should check for and create a clam writable subdir of
>/var/spool/MailScanner/incoming ???
>
>2) Because it changes user it can't read the original files which have
>restrictive permissions. Maybe we need a mailscanner group which
>clam (and any other virus scanner users) can be a member of which have
>read permissions on the whole of the incoming tree?
>
>
>
>
>BMRB International
>http://www.bmrb.co.uk
>+44 (0)20 8566 5000
>_________________________________________________________________
>This message (and any attachment) is intended only for the
>recipient and may contain confidential and/or privileged
>material. If you have received this in error, please contact the
>sender and delete this message immediately. Disclosure, copying
>or other action taken in respect of this email or in
>reliance on it is prohibited. BMRB International Limited
>accepts no liability in relation to any personal emails, or
>content of any email which does not directly relate to our
>business.
>
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: SweepViruses.pm.clam.patch
Type: application/octet-stream
Size: 1291 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20031104/53a493f0/SweepViruses.pm.clam.obj
-------------- next part --------------
--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From lance at WARE.NET Tue Nov 4 22:36:26 2003
From: lance at WARE.NET (Lance Ware)
Date: Thu Jan 12 21:20:51 2006
Subject: Wacky Request...
Message-ID: <200311042238.hA4Mc6r19792@ori.rl.ac.uk>

Has anyone seen or done any development on a selective "white list only"
solution based on spam scores? I'd really be interested in a solution that
basically requires an affirmation by the sender of emails with scores
ranging from 5 to say 15. I'm still ok with deleting ones over 15, but I do
have a fair number of false positives in the 10-12 range.

I'd also be interested in something similar for all emails from
dialup/broadband IPs (or any "special" RBL).

Anyways, just a thought.

Lance
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20031104/1fde755f/attachment.html

From ugob at CAMO-ROUTE.COM Tue Nov 4 15:02:33 2003
From: ugob at CAMO-ROUTE.COM (Ugo Bellavance) Date: Thu Jan 12 21:20:51 2006 Subject: new pyzor host Message-ID: <54C38A0B814C8E438EF73FC76F3629273AE0E8@mtlnt501fs.CAMOROUTE.COM> > > The current pyzor host went down earlier today, and the sysadmin is > unfortunately unavailable, so I've moved it to a new host, courtesy of > Brent Holmes. > > Simply run 'pyzor discover' and all will be good. > Should we do that once in a while? > -- > Frank Tobin http://www.neverending.org/~ftobin/ From krice at SERVERSANDSOLUTIONS.COM Tue Nov 4 15:32:02 2003 From: krice at SERVERSANDSOLUTIONS.COM (Ken Rice) Date: Thu Jan 12 21:20:51 2006 Subject: OT: Linux Distrobutions? Message-ID: <20031104103202.66cb3dae.krice@ServersAndSolutions.com> On Mon, 3 Nov 2003 13:08:43 -0600 greyhair wrote: > Hello. > > I just got an email about Redhat going enterprise. > From redhat email: And a colleague just sent me this about Novell purchasing SUSE: http://www.novell.com/news/press/archive/2003/11/pr03069.html Ken Rice Linux SysAdmin The Library Corporation And they "are" my pick for best Oracle on Linux company/distribution... From morten at MAGISTERLUDI.COM Tue Nov 4 15:41:29 2003 
From: morten at MAGISTERLUDI.COM (Morten Norby Larsen) Date: Thu Jan 12 21:20:51 2006 Subject: IMAP and MailScanner Message-ID: <6.0.0.22.0.20031104163408.027f2c30@192.168.2.52> Hello, we have a small mail server (<10 users) with RedHat 7.3, UW-IMAP, sendmail, etc. Plus Squirrelmail 1.4.1. The MailScanner is the standard installation (RPMs, I think) with SpamAssassin and ClamAV. The problem is that from a superficial analysis (running top in a terminal) that MailScanner gets called every time we access webmail (through Squirrelmail), which would also explain why Squirrelmail takes more than a minute long to list a mailbox ( >100 messages ). Does anybody know if such a setup would actually run MailScanner during an IMAP request and, if so, how that could be avoided (MailScanner has been run when mail is accepted, so no further checks should be needed). Thanks in advance for any info, Morten ----------------------------------------------------------------------- Morten Norby Larsen morten@magisterludi.com Magister Ludi s.r.l. Phone: +39 02 26 11 72 80 Via Battaglia 8, I-20127 Milano, Italy Fax: +39 02 28 46 037 http://www.magisterludi.com From sw at INTERNETX.DE Tue Nov 4 15:55:16 2003 
From: sw at INTERNETX.DE (Sebastian Wiesinger)
Date: Thu Jan 12 21:20:51 2006
Subject: workaround for "file size limit exceeded" messages?
In-Reply-To: <5.2.0.9.2.20031103182023.03c71eb0@imap.ecs.soton.ac.uk>
References: <200311030938.27353.chris@fractalweb.com> <5.2.0.9.2.20031103182023.03c71eb0@imap.ecs.soton.ac.uk>
Message-ID: <20031104155516.GA23677@internetx.de>

* Julian Field [2003-11-04 09:03]:
> Please can you try the attached patch for
> /usr/lib/MailScanner/MailScanner/SweepViruses.pm.
>
> Copy the patch file into /tmp and do this
> cd /usr/lib/MailScanner/MailScanner
> patch -p0 < /tmp/SweepViruses.pm.clam.patch

Hi!

With the patch applied I get:

Nov 4 14:42:21 mailproxy MailScanner[32200]: Spam Checks: Found 1 spam messages
Nov 4 14:42:21 mailproxy MailScanner[32200]: Spam Actions: message hA4DfwbE006778 actions are deliver
Nov 4 14:42:21 mailproxy MailScanner[32200]: Virus and Content Scanning: Starting
Nov 4 14:42:21 mailproxy MailScanner[32200]: /var/spool/MailScanner/incoming/32200/./hA4DfwbE006778/photos.zip: File size limit exceeded.
Nov 4 14:42:21 mailproxy MailScanner[32200]: ERROR: Can't run unzip
Nov 4 14:42:21 mailproxy MailScanner[32200]: ERROR: Can't execute some unpacker. Check paths and permissions on the temporary directory.
Nov 4 14:42:22 mailproxy MailScanner[32200]: (raw) /var/spool/MailScanner/incoming/32200/./hA4DfwbE006778/photos.zip: Worm.Mimail.C FOUND
Nov 4 14:42:22 mailproxy MailScanner[32200]: Virus Scanning: ClamAV found 2 infections
Nov 4 14:42:22 mailproxy MailScanner[32200]: Infected message hA4DfwbE006778 came from 80.131.66.37
Nov 4 14:42:22 mailproxy MailScanner[32200]: Infected message (raw) came from
Nov 4 14:42:22 mailproxy MailScanner[32200]: Virus Scanning: Found 2 viruses
Nov 4 14:42:22 mailproxy MailScanner[32200]: Saved entire message to /var/spool/MailScanner/quarantine/20031104/hA4DfwbE006778
Nov 4 14:42:22 mailproxy MailScanner[32200]: Saved infected "photos.zip" to /var/spool/MailScanner/quarantine/20031104/hA4DfwbE006778
Nov 4 14:42:22 mailproxy MailScanner[32200]: Cleaned: Delivered 1 cleaned messages

That should do it for now..

--
InterNetX GmbH
Sebastian Wiesinger
System Administration
Maximilianstrasse 6
D-93047 Regensburg
Tel. +49 941 59559-0
Fax +49 941 59559-245
eMail: sebastian.wiesinger@internetx.de
GPG-Key: 0x97F5A1D8 (0x8431335F97F5A1D8)

From mkipness at GENIANT.COM Tue Nov 4 14:03:05 2003
From: mkipness at GENIANT.COM (Max Kipness)
Date: Thu Jan 12 21:20:51 2006
Subject: Blacklist working?
Message-ID: <16B156EBAE5213419ADC164EA1D372C705DF42@dalsxc02.geniant.net>

I added the following entry a few months ago in spam.blacklist.rules:

From: *@greenbamboo.net yes
From: support@greenbamboo.net yes I actually had a couple of the support@ entries because they continued to come in and my users were requesting that it be blacklisted over and over. Yes, here is a grep of the logs for "greenbamboo" from today. Am I doing something wrong in the blacklist? Why are they coming through? I know I can block by IP, but is that necessary? Also, these guys are using several IPs. Nov 4 05:08:16 localhost sendmail[6702]: hA4B8FYi006702: from=, size=6944, class=0, nrcpts=1, msgid=<1067936379.8835@mail35.greenbamboo.net>, proto=SMTP, daemon=MTA, relay=mail35.greenbamboo.net [63.77.17.63] Nov 4 05:08:45 localhost sendmail[6730]: hA4B8FYi006702: to=, delay=00:00:30, xdelay=00:00:04, mailer=smtp, pri=120332, relay=[64.64.64.64] [64.64.64.64], dsn=2.0.0, stat=Sent ( <1067936379.8835@mail35.greenbamboo.net> Queued mail for delivery) Nov 4 05:27:08 localhost sendmail[7134]: hA4BR7Yi007134: from=, size=6944, class=0, nrcpts=1, msgid=<1067937511.8284@mail34.greenbamboo.net>, proto=SMTP, daemon=MTA, relay=mail34.greenbamboo.net [63.77.17.62] Nov 4 05:27:25 localhost sendmail[7146]: hA4BR7Yi007134: to=, delay=00:00:18, xdelay=00:00:00, mailer=smtp, pri=120332, relay=[64.64.64.64] [64.64.64.64], dsn=2.0.0, stat=Sent ( <1067937511.8284@mail34.greenbamboo.net> Queued mail for delivery) Nov 4 05:29:02 localhost sendmail[7200]: hA4BT1Yi007200: from=, size=6955, class=0, nrcpts=1, msgid=<1067937625.6380@mail30.greenbamboo.net>, proto=SMTP, daemon=MTA, relay=mail30.greenbamboo.net [63.77.17.58] Nov 4 05:29:30 localhost sendmail[7225]: hA4BT1Yi007200: to=, delay=00:00:28, xdelay=00:00:05, mailer=smtp, pri=120333, relay=[64.64.64.64] [64.64.64.64], dsn=2.0.0, stat=Sent ( <1067937625.6380@mail30.greenbamboo.net> Queued mail for delivery) Nov 4 05:33:53 localhost sendmail[7352]: hA4BXqYi007352: from=, size=6911, class=0, nrcpts=1, msgid=<1067937912.2418@mail18.greenbamboo.net>, proto=SMTP, daemon=MTA, relay=mail18.greenbamboo.net [63.77.17.46] Nov 4 05:34:13 
localhost sendmail[7374]: hA4BXqYi007352: to=, delay=00:00:21, xdelay=00:00:01, mailer=smtp, pri=120329, relay=[64.64.64.64] [64.64.64.64], dsn=2.0.0, stat=Sent ( <1067937912.2418@mail18.greenbamboo.net> Queued mail for delivery) Thanks, Max From mkipness at GENIANT.COM Tue Nov 4 14:09:09 2003 From: mkipness at GENIANT.COM (Max Kipness) Date: Thu Jan 12 21:20:51 2006 Subject: Blacklist working (Update)? Message-ID: <16B156EBAE5213419ADC164EA1D372C705DF43@dalsxc02.geniant.net> Sorry, for the waste of bandwidth. I was just looking at the conf file and did not have the spam.blacklist.rules file specified for the ruleset. I guess this happened when I upgraded. Thanks, Max > -----Original Message----- > From: MailScanner mailing list > [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Max Kipness > Sent: Tuesday, November 04, 2003 8:03 AM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Blacklist working? > > I added the following entry a few months ago in spam.blacklist.rules: > > From: *@greenbamboo.net yes 
> From: support@greenbamboo.net yes > > I actually had a couple of the support@ entries because they > continued to come in and my users were requesting that it be > blacklisted over and over. > > Yes, here is a grep of the logs for "greenbamboo" from today. > Am I doing something wrong in the blacklist? Why are they > coming through? I know I can block by IP, but is that > necessary? Also, these guys are using several IPs. > > > > Nov 4 05:08:16 localhost sendmail[6702]: hA4B8FYi006702: > from=, size=6944, class=0, nrcpts=1, > msgid=<1067936379.8835@mail35.greenbamboo.net>, proto=SMTP, > daemon=MTA, relay=mail35.greenbamboo.net [63.77.17.63] > > Nov 4 05:08:45 localhost sendmail[6730]: hA4B8FYi006702: > to=, delay=00:00:30, xdelay=00:00:04, > mailer=smtp, pri=120332, relay=[64.64.64.64] [64.64.64.64], > dsn=2.0.0, stat=Sent ( > <1067936379.8835@mail35.greenbamboo.net> Queued mail for > delivery) > > Nov 4 05:27:08 localhost sendmail[7134]: hA4BR7Yi007134: > from=, size=6944, class=0, nrcpts=1, > msgid=<1067937511.8284@mail34.greenbamboo.net>, proto=SMTP, > daemon=MTA, relay=mail34.greenbamboo.net [63.77.17.62] > > Nov 4 05:27:25 localhost sendmail[7146]: hA4BR7Yi007134: > to=, delay=00:00:18, xdelay=00:00:00, > mailer=smtp, pri=120332, relay=[64.64.64.64] [64.64.64.64], > dsn=2.0.0, stat=Sent ( > <1067937511.8284@mail34.greenbamboo.net> Queued mail for > delivery) > > Nov 4 05:29:02 localhost sendmail[7200]: hA4BT1Yi007200: > from=, size=6955, class=0, nrcpts=1, > msgid=<1067937625.6380@mail30.greenbamboo.net>, proto=SMTP, > daemon=MTA, relay=mail30.greenbamboo.net [63.77.17.58] > > Nov 4 05:29:30 localhost sendmail[7225]: hA4BT1Yi007200: > to=, delay=00:00:28, xdelay=00:00:05, > mailer=smtp, pri=120333, relay=[64.64.64.64] [64.64.64.64], > dsn=2.0.0, stat=Sent ( > <1067937625.6380@mail30.greenbamboo.net> Queued mail for > delivery) > > Nov 4 05:33:53 localhost sendmail[7352]: hA4BXqYi007352: > from=, size=6911, class=0, nrcpts=1, > 
msgid=<1067937912.2418@mail18.greenbamboo.net>, proto=SMTP, > daemon=MTA, relay=mail18.greenbamboo.net [63.77.17.46] > > Nov 4 05:34:13 localhost sendmail[7374]: hA4BXqYi007352: > to=, delay=00:00:21, xdelay=00:00:01, > mailer=smtp, pri=120329, relay=[64.64.64.64] [64.64.64.64], > dsn=2.0.0, stat=Sent ( > <1067937912.2418@mail18.greenbamboo.net> Queued mail for delivery) > > Thanks, > Max > From michele at BLACKNIGHTSOLUTIONS.COM Tue Nov 4 17:02:32 2003 From: michele at BLACKNIGHTSOLUTIONS.COM (Michele Neylon :: Blacknight Solutions) Date: Thu Jan 12 21:20:51 2006 Subject: are we up and running. In-Reply-To: <3FA7D383.3060801@solid-state-logic.com> Message-ID: <200311041702.hA4H2TI06265@camelot.blacknightsolutions.com> Why? Was it dead?? Mr. Michele Neylon Blacknight Solutions http://www.blacknightsolutions.ie/ http://www.search.ie/ FREE IE domains - see site for details Tel. +353 (0)59 9139897 Fax. +353 (0)59 9139897 > -----Original Message----- 
> From: MailScanner mailing list > [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Martin Hepworth > Sent: 04 November 2003 16:28 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: are we up and running. > > Testing to see if the list is working yet.. > > > -- > Martin Hepworth > Senior Systems Administrator > Solid State Logic Ltd > tel: +44 (0)1865 842300 > > > > > ********************************************************************** > > This email and any files transmitted with it are confidential > and intended solely for the use of the individual or entity > to whom they are addressed. If you have received this email > in error please notify the system manager. > > This footnote confirms that this email message has been swept > for the presence of computer viruses and is believed to be clean. > > ********************************************************************** > > ######################################################### This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance to it is prohibited. From martinh at SOLID-STATE-LOGIC.COM Tue Nov 4 16:27:47 2003 
From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth) Date: Thu Jan 12 21:20:51 2006 Subject: are we up and running. Message-ID: <3FA7D383.3060801@solid-state-logic.com> Testing to see if the list is working yet.. -- Martin Hepworth Senior Systems Administrator Solid State Logic Ltd tel: +44 (0)1865 842300 ********************************************************************** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean. ********************************************************************** From id at W98.US Tue Nov 4 17:46:46 2003 From: id at W98.US (ian douglas) Date: Thu Jan 12 21:20:51 2006 Subject: OT: Linux Distrobutions? In-Reply-To: <20031104103202.66cb3dae.krice@ServersAndSolutions.com> Message-ID: > And a colleague just sent me this about Novell purchasing SUSE: > http://www.novell.com/news/press/archive/2003/11/pr03069.html And, interestingly enough, after that $210 purchase on Novell's part, IBM will be investing $50 million into Novell... -id From chris at TRUDEAU.ORG Tue Nov 4 16:13:57 2003 
From: chris at TRUDEAU.ORG (Chris Trudeau) Date: Thu Jan 12 21:20:51 2006 Subject: Postfix AROUND MailScanner References: <1067922413.3fa733edc26ae@webmail.MUW.Edu> Message-ID: <057701c3a2ee$a6d15a40$1117000a@ATLCPW13671> here is a tough one... I am using postfix->mailscanner->postfix as a gateway. It works really well so far, but one of the domains that this gateway is processing mail for has an automated monitoring system that is contributing a LARGE share of the total messages being processed. This system is using the domain's Notes server as its next hop SMTP gateway, so the MS gateway is processing all of this mail needlessly. I have attempted to get the monitoring system re-configured...to use some other SMTP gateway, but the user is either unable or unwilling to get the system reconfigured. I would like my inbound instance of postfix (which per the documentation SIMPLY defers all mail for MS to pickup and scan) to actually deliver messages originating FROM this address without sending them to the MS queue. Any ideas? I thought about a simple transport map within the outside instance of postfix, but this would require removing the defer_transports = smtp local virtual relay Configuration within that postfix instance.... Any other ideas? CT From prussell at MTELIZA.COM.AU Wed Nov 5 00:48:20 2003 
From: prussell at MTELIZA.COM.AU (Peter Russell)
Date: Thu Jan 12 21:20:51 2006
Subject: SMP Machines
Message-ID:

Hi there,

I have an old NEC 5800 dual P200 - I know this is a very old machine, but I
will use 3 of them if I have to - and was wondering if I should make any
changes to the MailScanner, SpamAssassin config to take advantage?

I know I can change the amount of child process, if I change this figure
from say, 5 to 4, will this mean I have 4 process PER CPU ? Will MailScanner
already be using the 2 CPUs, without me changing anything?

We get less than 10k inbound email per day, and we are keen to avoid
hardware expenditure, so we will try with this machine I have 2 others built
and ready put in with additional MX records if needed.

Does anyone know of a system that will generate LOADS of emails and push
them to my new server at great volume? I would love to have something like
this set up on my network to see how it copes? I suppose people don't build
things like this due to the abuse potential?

Thanks
Pete

From mark at TIPPINGMAR.COM Wed Nov 5 01:00:29 2003
From: mark at TIPPINGMAR.COM (Mark Nienberg)
Date: Thu Jan 12 21:20:51 2006
Subject: Wacky Request...
In-Reply-To: <200311042238.hA4Mc6r19792@ori.rl.ac.uk>
Message-ID: <3FA7DB2D.19962.1F3CF607@localhost>

On 4 Nov 2003 at 14:36, Lance Ware wrote:

> I'm still ok with deleting ones over 15, but I do have a fair number of false positives in the 10-12
> range.

That surprises me. I get almost no false positives at all, much less with
scores that high. Are you using SpamAssassin 2.60? Do you have the Bayes
checks turned on? Bayes will often lower the scores of an otherwise
spam-like message.

Mark

From chris at fractalweb.com Wed Nov 5 02:04:23 2003
From: chris at fractalweb.com (Chris Yuzik)
Date: Thu Jan 12 21:20:51 2006
Subject: dealing with zips with corrupted headers
Message-ID: <200311041804.23128.chris@fractalweb.com>

Hi everyone,

No sooner do we (well...Julian) come out a workaround for the extra status
line that ClamAV was spitting out than another virus using similar
zip-header trickery to sneak through our scanners.

Worm.Mimail.G arrives in a zip file called "readnow.zip" that strangely gets
a simple "OK" from clamscan, and the virus goes right through. After some
experimenting, I've figured out that the virus will happily unzip with the
console unzip tool, but complains with the following message:

# unzip readnow.zip
Archive: readnow.zip
warning [readnow.zip]: 3 extra bytes at beginning or within zipfile
 (attempting to process anyway)
file #1: bad zipfile offset (local header sig): 3
 (attempting to re-compensate)
extracting: readnow.doc.scr

After reading the man page for clamscan, I came across an option that
disables clamscan's internal archive tools. When I typed "clamscan
--disable-archive readnow.zip" I got the expected response of "readnow.zip:
Worm.Mimail.G FOUND".

Is there a disadvantage to editing "/usr/lib/MailScanner/clamav-wrapper" and
removing the "--unzip" option and replacing it with "--disable-archive"? Am
I on the right track?

Thanks,
Chris

--
Chris Yuzik
chris@fractalweb.com
604-304-0444

"Reality is that which, when you stop believing in it, doesn't go away".
-- Philip K. Dick

From lists at STHOMAS.NET Wed Nov 5 04:00:59 2003
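[Added example, not part of any list message and not MailScanner's or ClamAV's code.] The "File size limit exceeded." status line and the "(raw)" prefix discussed in this thread both change the shape of clamscan's per-file lines, so this Python sketch parses them tolerantly and counts each infected attachment once. The function and type names and the sample lines are constructed; the layout `<base>/<pid>/<message-id>/<file>` is an assumption taken from the log lines quoted earlier.

```python
import re
from collections import namedtuple

# Constructed sample, modelled on the scanner lines quoted in this thread.
SAMPLE_OUTPUT = """\
/var/spool/MailScanner/incoming/32200/./hA4DfwbE006778/photos.zip: File size limit exceeded.
ERROR: Can't run unzip
ERROR: Can't execute some unpacker. Check paths and permissions on the temporary directory.
(raw) /var/spool/MailScanner/incoming/32200/./hA4DfwbE006778/photos.zip: Worm.Mimail.C FOUND
/var/spool/MailScanner/incoming/32200/./hA4DfwbE006778/photos.zip: Worm.Mimail.C FOUND
/var/spool/MailScanner/incoming/32200/./hA4DfwbE006779/notes.txt: OK
"""

Finding = namedtuple("Finding", "message_id filename signature")
Status = namedtuple("Status", "message_id filename text")
Report = namedtuple("Report", "findings warnings errors unparsed")

# "<path>: <signature> FOUND", optionally prefixed by "(raw) ".
# The greedy path makes the split happen at the last ": " before the verdict.
FOUND_RE = re.compile(r"^(?:\(raw\)\s+)?(?P<path>/.+):\s+(?P<sig>\S+)\s+FOUND$")
# Any other "<path>: <text>" line (OK, size-limit notices, ...).
STATUS_RE = re.compile(r"^(?:\(raw\)\s+)?(?P<path>/.+?):\s+(?P<text>.+)$")


def split_path(path, base):
    """Return (message_id, filename) for a path below base/<pid>/, else None."""
    parts = [p for p in path.split("/") if p not in ("", ".")]
    base_parts = [p for p in base.split("/") if p]
    n = len(base_parts)
    if parts[:n] != base_parts or len(parts) < n + 3:
        return None  # not inside the scan tree: never guess a message id
    return parts[n + 1], "/".join(parts[n + 2:])


def parse_clamscan(output, base="/var/spool/MailScanner/incoming"):
    """Classify scanner lines into findings, warnings, errors and leftovers."""
    findings, warnings, errors, unparsed = set(), [], [], []
    for raw_line in output.splitlines():
        line = raw_line.strip()
        if not line:
            continue
        if line.startswith("ERROR:"):
            errors.append(line)  # scanner trouble, not an infection report
            continue
        found = FOUND_RE.match(line)
        status = None if found else STATUS_RE.match(line)
        match = found or status
        loc = split_path(match.group("path"), base) if match else None
        if loc is None:
            unparsed.append(line)  # surface it instead of dropping it
        elif found:
            # A set: "(raw)" and plain reports of one file count once.
            findings.add(Finding(loc[0], loc[1], found.group("sig")))
        elif status.group("text") != "OK":
            warnings.append(Status(loc[0], loc[1], status.group("text")))
    return Report(sorted(findings), warnings, errors, unparsed)


if __name__ == "__main__":
    report = parse_clamscan(SAMPLE_OUTPUT)
    for finding in report.findings:
        print("infected:", finding)
    for warning in report.warnings:
        print("warning: ", warning)
    print("scanner errors:", len(report.errors))
```

Lines that fit none of the patterns end up in `unparsed`, so a format change in the scanner shows up as a visible leftover rather than as a silent miss or a bogus message id.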
From: lists at STHOMAS.NET (Steve Thomas) Date: Thu Jan 12 21:20:51 2006 Subject: SMP Machines In-Reply-To: ; from prussell@MTELIZA.COM.AU on Wed, Nov 05, 2003 at 11:48:20AM +1100 References: Message-ID: <20031104200059.B32048@sthomas.net> On Wed, Nov 05, 2003 at 11:48:20AM +1100, Peter Russell is rumored to have said: > > Does anyone know of a system that will generate LOADS od emails and push > them to my new server at great volume? I would love to ahve something like > this set up on my network to see how it copes? I did a stupid little perl script to do this a while back. It's very quick and dirty but was able to generate a lot of messages very quickly. Email me offlist if you'd like a copy - I can dig it up when I get to work tomorrow. Steve -- "Half this game is ninety percent mental." - Yogi Berra From vanhorn at whidbey.com Wed Nov 5 04:11:37 2003 
From: vanhorn at whidbey.com (G. Armour Van Horn) Date: Thu Jan 12 21:20:51 2006 Subject: OT: Linux Distrobutions? References: <5.2.0.9.2.20031103191302.03bcc750@imap.ecs.soton.ac.uk> Message-ID: <3FA87879.28999B00@whidbey.com> I heard today that Novell had bought SuSE, which scratches that possibility as far as I'm concerned. That's the outfit that seems to routinely acquire and destroy going concerns. Remember WordPerfect? They also created Caldera, which morphed into the current SCO. Everything they touch seems to go to worms. I'm distressed over these developments. I had just decided to rev all my RedHat machines, which is most of my machines, to 9.0 and sign up for the RedHat Network service on all of them, which is no longer an option. Any other distro is going to be a wrenching change compared to that. Van Julian Field wrote: > Lots of people on this list are bound to vote for Debian, but personally I > have always found it to be the "enthusiast's" distro. Usual rules on flame > wars and religious debates apply :) > SuSE is a good alternative to RedHat. -- ---------------------------------------------------------- Sign up now for Quotes of the Day, a handful of quotations on a theme delivered every morning. Enlightenment! Daily, for free! mailto:twisted@whidbey.com?subject=Subscribe_QOTD For web hosting and maintenance, visit Van's home page: http://www.domainvanhorn.com/van/ ---------------------------------------------------------- From kfliong at WOFS.COM Wed Nov 5 04:15:38 2003 
From: kfliong at WOFS.COM (kfliong) Date: Thu Jan 12 21:20:51 2006 Subject: Mimail virus In-Reply-To: <20031104200059.B32048@sthomas.net> References: <20031104200059.B32048@sthomas.net> Message-ID: <6.0.0.22.0.20031105121420.04354858@192.168.10.2> How come Mimail virus is getting through my mailscanner + clamav setup? Can I add mimail into my config file like how I added sobig into the config to stop it from coming into my server? From spamassassin at sthomas.net Wed Nov 5 03:56:32 2003 From: spamassassin at sthomas.net (Steve Thomas) Date: Thu Jan 12 21:20:51 2006 Subject: [SAtalk] Am I nuts In-Reply-To: ; from cHRis-BarNeS@tAMu.eDu on Mon, Nov 03, 2003 at 04:14:13PM -0600 References: Message-ID: <20031104195632.A32048@sthomas.net> On Mon, Nov 03, 2003 at 04:14:13PM -0600, Chris Barnes is rumored to have said: > > I turned SA off in Mailscanner, letting it handle just > the the running of ClamAV. SA is still being called by procmail. > > Q: Is it just a "wierd way"? Not weird to me - it's how I do it. I prefer separate tools for separate jobs. I use MailScanner for virus scanning with Sophos and Trend, and procmail/spamc/spamd for anti-spam. This is on my personal server - at work I run MailScanner with SA support, as the users don't have shell accounts (everything's in LDAP) and trying to explain a user_prefs file to my userbase would be like herding cats. -- "It is dangerous to be sincere unless you are also stupid." - George Bernard Shaw (1856-1950) ------------------------------------------------------- This SF.net email is sponsored by: SF.net Giveback Program. Does SourceForge.net help you be more productive? Does it help you create better code? SHARE THE LOVE, and help us help YOU! Click Here: http://sourceforge.net/donate/ _______________________________________________ Spamassassin-talk mailing list Spamassassin-talk@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/spamassassin-talk From forrie at FORRIE.COM Wed Nov 5 06:11:30 2003 
From: forrie at FORRIE.COM (Forrest Aldrich)
Date: Thu Jan 12 21:20:51 2006
Subject: Problem with 4.25-5 (beta) startup
In-Reply-To: <200308071559.30537.damien@mc-kenna.com>
References: <200308071559.30537.damien@mc-kenna.com>
Message-ID: <6.0.0.22.2.20031105010944.02044f70@192.168.1.1>

Problem being it just doesn't start -- figured I would post pre-emptively while I try to figure it out. The configuration variables and such don't seem to have changed much (if at all). I basically copied over my configs from the previous version.

_F

From csm-lists at CSMA.BIZ Wed Nov 5 07:00:18 2003
From: csm-lists at CSMA.BIZ (Corey S. McFadden)
Date: Thu Jan 12 21:20:51 2006
Subject: SMP Machines
In-Reply-To: <20031104200059.B32048@sthomas.net>
References: <20031104200059.B32048@sthomas.net>
Message-ID: <6.0.0.22.0.20031105014621.028196c8@mail.csma.biz>

Dell and Sendmail did a thing a while back with hardware benchmarking on SAMS for a white paper that was pretty interesting. They used an application called Mstone from the Mozilla site for simulating load. The original Word file has apparently been removed from the Dell website, but Google was kind enough to cache an HTML conversion of it. I saved a copy of the page here:

http://web.csma.biz/tmp/dell-sendmail.html

Hope that's helpful,

-Corey

PS: If anyone is interested in collaborating on a load simulation process, I've been thinking of doing something along those lines for a while, and probably would if I had some help.

At 11:00 PM 11/4/2003, you wrote:
>On Wed, Nov 05, 2003 at 11:48:20AM +1100, Peter Russell is rumored to have
>said:
> >
> > Does anyone know of a system that will generate LOADS of emails and push
> > them to my new server at great volume? I would love to have something like
> > this set up on my network to see how it copes?
>
>I did a stupid little perl script to do this a while back. It's very quick
>and dirty but was able to generate a lot of messages very quickly. Email
>me offlist if you'd like a copy - I can dig it up when I get to work tomorrow.
>
>
>Steve
>
>--
>"Half this game is ninety percent mental."
>- Yogi Berra
>
>*********************************************
>This message has been scanned for viruses and
>dangerous content, and is believed to be clean.

From kevins at BMRB.CO.UK Wed Nov 5 07:59:05 2003
From: kevins at BMRB.CO.UK (Kevin Spicer)
Date: Thu Jan 12 21:20:51 2006
Subject: dealing with zips with corrupted headers
In-Reply-To: <200311041804.23128.chris@fractalweb.com>
References: <200311041804.23128.chris@fractalweb.com>
Message-ID: <1068019148.9973.3.camel@bach.kevinspicer.co.uk>

On Wed, 2003-11-05 at 02:04, Chris Yuzik wrote:

> Is there a disadvantage to editing "/usr/lib/MailScanner/clamav-wrapper" and
> removing the "--unzip" option and replacing it with "--disable-archive"? Am I
> on the right track?

I think there may well be, some viruses inside zip files could not then be found. There's also a problem (if MailScanner runs as root) with clamscan using external archiving programs (see my earlier posts). Really this should be reported to Clam as a bug.

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000
_________________________________________________________________
This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business.

From kevins at BMRB.CO.UK Wed Nov 5 08:04:08 2003
From: kevins at BMRB.CO.UK (Kevin Spicer)
Date: Thu Jan 12 21:20:51 2006
Subject: dealing with zips with corrupted headers
In-Reply-To: <1068019148.9973.3.camel@bach.kevinspicer.co.uk>
References: <200311041804.23128.chris@fractalweb.com> <1068019148.9973.3.camel@bach.kevinspicer.co.uk>
Message-ID: <1068019448.9973.9.camel@bach.kevinspicer.co.uk>

On Wed, 2003-11-05 at 07:59, Kevin Spicer wrote:
> On Wed, 2003-11-05 at 02:04, Chris Yuzik wrote:
>
> > Is there a disadvantage to editing "/usr/lib/MailScanner/clamav-wrapper" and
> > removing the "--unzip" option and replacing it with "--disable-archive"? Am I
> > on the right track?
>
> I think there may well be, some viruses inside zip files could not then
> be found. There's also a problem (if MailScanner runs as root) with
> clamscan using external archiving programs (see my earlier posts).
> Really this should be reported to Clam as a bug.

I've posted your original message to clamav-users I'll cross post any relevant replies back here.

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000

From chris at fractalweb.com Wed Nov 5 08:07:13 2003
From: chris at fractalweb.com (Chris Yuzik)
Date: Thu Jan 12 21:20:51 2006
Subject: dealing with zips with corrupted headers
In-Reply-To: <1068019448.9973.9.camel@bach.kevinspicer.co.uk>
References: <200311041804.23128.chris@fractalweb.com> <1068019148.9973.3.camel@bach.kevinspicer.co.uk> <1068019448.9973.9.camel@bach.kevinspicer.co.uk>
Message-ID: <200311050007.13608.chris@fractalweb.com>

On November 5, 2003 12:04 am, you wrote:
> I've posted your original message to clamav-users I'll cross post any
> relevant replies back here.

Thanks Kevin.

Cheers,
Chris

--
Chris Yuzik
chris@fractalweb.com
604-304-0444

"Reality is that which, when you stop believing in it, doesn't go away".
-- Philip K. Dick

From raymond at PROLOCATION.NET Wed Nov 5 08:20:36 2003
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:20:51 2006
Subject: sendmail message splitting defeats bandwidth savings?
In-Reply-To: <45teqv0lpqvr50n7g1m4j2g0c9a4d76kpc@4ax.com>
Message-ID:

Hi!

> I checked and I got 4.500.000 messages last month. The total number of
> recipients was 4.900.000. So splitting it would increase the load with
> 9%. I wouldn't call that drastically.

We processed 55.500.000 messages last month, and rcpts were 92.000.000 so it's a little depending on your setup I guess.

bye,
Raymond.

From martinh at SOLID-STATE-LOGIC.COM Wed Nov 5 08:35:14 2003
From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth)
Date: Thu Jan 12 21:20:51 2006
Subject: are we up and running.
In-Reply-To: <200311041702.hA4H2TI06265@camelot.blacknightsolutions.com>
References: <200311041702.hA4H2TI06265@camelot.blacknightsolutions.com>
Message-ID: <3FA8B642.5030908@solid-state-logic.com>

Michele Neylon :: Blacknight Solutions wrote:
> Why? Was it dead??
>
> Mr. Michele Neylon
> Blacknight Solutions
> http://www.blacknightsolutions.ie/
> http://www.search.ie/
> FREE IE domains - see site for details
> Tel. +353 (0)59 9139897
> Fax. +353 (0)59 9139897
>

yep

jiscmail.ac.uk seemed to be very dead for most of 4th Nov. last message I got yesterday morning was dated 2am Nov 4. Didn't get anything till I got in 30 mins ago.

Asked Julian and he reported that the list was unusually quiet!

Or maybe my mailscanner was playing up.

--
Martin Hepworth
Senior Systems Administrator
Solid State Logic Ltd
tel: +44 (0)1865 842300

**********************************************************************
This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean.
**********************************************************************

From Kevin.Spicer at BMRB.CO.UK Wed Nov 5 09:05:03 2003
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin)
Date: Thu Jan 12 21:20:51 2006
Subject: Problem with 4.25-5 (beta) startup
Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0016497F1@pascal.priv.bmrb.co.uk>

Forrest Aldrich wrote:
> Problem being it just doesn't start -- figured I would post
> pre-emptively while I try to figure it out. The configuration
> variables and such don't seem to have changed much (if at all). I
> basically copied over my configs from the previous version.

Check your maillog - the reason is probably in there

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000

From Kevin.Spicer at BMRB.CO.UK Wed Nov 5 09:06:28 2003
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin)
Date: Thu Jan 12 21:20:51 2006
Subject: OT: Linux Distrobutions?
Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0016497F2@pascal.priv.bmrb.co.uk>

G. Armour Van Horn wrote:
> I heard today that Novell had bought SuSE, which scratches that
> possibility as far as I'm concerned. That's the outfit that seems to
> routinely acquire and destroy going concerns. Remember WordPerfect?
> They also created Caldera, which morphed into the current SCO.
> Everything they touch seems to go to worms.
>
> I'm distressed over these developments. I had just decided to rev all
> my RedHat machines, which is most of my machines, to 9.0 and sign up
> for the RedHat Network service on all of them, which is no longer an
> option. Any other distro is going to be a wrenching change compared
> to that.

I wouldn't say Mandrake is, if anything it's easier than RH/Suse and you don't have to pay for the updates.

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000

From steve.freegard at LBSLTD.CO.UK Wed Nov 5 09:07:46 2003
From: steve.freegard at LBSLTD.CO.UK (Steve Freegard)
Date: Thu Jan 12 21:20:51 2006
Subject: are we up and running.
Message-ID: <67D9E7698329D411936E00508B6590B902773BEA@neelix.lbsltd.co.uk>

Hi Martin,

Had the same problem here - I got a message at 0544 on 04/11 then nothing until 2031 when I got 25 messages in 3mins... - and it's been fine since.

Regards,
Steve.

-----Original Message-----
From: Martin Hepworth [mailto:martinh@SOLID-STATE-LOGIC.COM]
Sent: 05 November 2003 08:35
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: are we up and running.

Michele Neylon :: Blacknight Solutions wrote:
> Why? Was it dead??
>
> Mr. Michele Neylon
> Blacknight Solutions
> http://www.blacknightsolutions.ie/
> http://www.search.ie/
> FREE IE domains - see site for details
> Tel. +353 (0)59 9139897
> Fax. +353 (0)59 9139897
>

yep

jiscmail.ac.uk seemed to be very dead for most of 4th Nov. last message I got yesterday morning was dated 2am Nov 4. Didn't get anything till I got in 30 mins ago.

Asked Julian and he reported that the list was unusually quiet!

Or maybe my mailscanner was playing up.

--
Martin Hepworth
Senior Systems Administrator
Solid State Logic Ltd
tel: +44 (0)1865 842300

--
This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the sender and delete the message from your mailbox. This footnote also confirms that this email message has been swept by MailScanner (www.mailscanner.info) for the presence of computer viruses.

From mailscanner at ecs.soton.ac.uk Wed Nov 5 09:42:24 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:20:51 2006
Subject: workaround for "file size limit exceeded" messages?
In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB0A4AE2D@pascal.priv.bmrb.co .uk>
Message-ID: <5.2.0.9.2.20031105094142.04ca6500@imap.ecs.soton.ac.uk>

At 12:49 04/11/2003, you wrote:
>Julian Field wrote:
> > Good point. Sorry for the lousy code. The attached patch might work
> > slightly better. You did keep your unpatched original SweepViruses.pm
> > file, didn't you? :)
>
>I think that (as well as stripping (raw)) if it detects "File size limit
>exceeded" it is treating it as a virus. Unfortunately clam seems to give
>this response with any file that achieves a high compression ratio, (ie
>the same behaviour as last night's patch?) This causes me problems because
>I have folks sending files with compression ratios around 12:1 which
>trigger this warning from Clam.
>
>I think the answer may be to solve the other issues with the clam wrapper
>I mentioned so that the external unzipper works (which clam uses when the
>internal unzipper fails), then ignore this message.

Do other people agree that this is the preferred behaviour? Detect the virus, but ignore "File size limit exceeded" messages?

Your votes please...

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Wed Nov 5 09:51:27 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:20:51 2006
Subject: IMAP and MailScanner
In-Reply-To: <6.0.0.22.0.20031104163408.027f2c30@192.168.2.52>
Message-ID: <5.2.0.9.2.20031105095110.04ca6250@imap.ecs.soton.ac.uk>

MailScanner has nothing whatsoever to do with your IMAP daemon.

At 15:41 04/11/2003, you wrote:
>Hello,
>
>we have a small mail server (<10 users) with RedHat 7.3, UW-IMAP, sendmail,
>etc. Plus Squirrelmail 1.4.1.
>
>The MailScanner is the standard installation (RPMs, I think) with
>SpamAssassin and ClamAV.
>
>The problem is that from a superficial analysis (running top in a terminal)
>that MailScanner gets called every time we access webmail (through
>Squirrelmail), which would also explain why Squirrelmail takes more than a
>minute long to list a mailbox ( >100 messages ).
>
>Does anybody know if such a setup would actually run MailScanner during an
>IMAP request and, if so, how that could be avoided (MailScanner has been
>run when mail is accepted, so no further checks should be needed).
>
>
>Thanks in advance for any info,
>
>
>Morten
>
>
>
>-----------------------------------------------------------------------
>Morten Norby Larsen                 morten@magisterludi.com
>Magister Ludi s.r.l.                Phone: +39 02 26 11 72 80
>Via Battaglia 8, I-20127 Milano, Italy    Fax: +39 02 28 46 037
>                                    http://www.magisterludi.com

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Wed Nov 5 09:38:57 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:20:51 2006
Subject: MalScanner & Clam V0.60 on Redhat 7.2 system
In-Reply-To: <009501c3a2b5$294cb8a0$85b8fea9@Laptop>
Message-ID: <5.2.0.9.2.20031105093748.04b921e0@imap.ecs.soton.ac.uk>

At 09:22 04/11/2003, you wrote:
>MailScanner & ClamAV on a Redhat 7.2 system !
>
>I have 2 problems with this:-
>
>1)
>
>/etc/cron.hourly/update_virus_scanners:
>
>/usr/bin/clamscan: invalid option -- I
>
>This is displaying V.054 if I do a /usr/bin/clamscan -V
>
>But if I do a /usr/local/bin/clamscan -V I get V0.60

Just have 1 copy of clam installed and set the relevant line in /etc/MailScanner/MailScanner.conf to point to it.

>2) When MailScanner tries to do a virus scan it put the following error
>in /var/log/maillog "ERROR: Can't access file /usr/local ."
>
>Why is it trying to access the FILE /usr/local when this is a directory ?

You are using the clamav-wrapper from one version with a different version of MailScanner. Suggest you sort out your versions :-)

>I have other 7.2 & 7.3 systems with the same MS 4.23-11, Spassassin V2.60,
>clam 0.60 with no problems but have just noticed this on this 1 system.
>
>Any clues ?
>
>Thanks
>
>Denis
>
>
>--
>This message has been scanned for viruses and
>dangerous content by MailScanner, and is
>believed to be clean.
>
>Marvin the E-Mail scanner

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Wed Nov 5 09:57:03 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:20:51 2006
Subject: SMP Machines
In-Reply-To:
Message-ID: <5.2.0.9.2.20031105095540.04c948a8@imap.ecs.soton.ac.uk>

At 00:48 05/11/2003, you wrote:
>Hi there, i have an old NEC 5800 dual P200 - i know this is a very old
>machine, but i will use 3 of them if i have to - and was wondering if i
>should make any changes to the MailScanner, SpamAssassin config to take
>advantage?
>
>I know i can change the amount of child process, if i change this figure
>from say, 5 to 4, will this mean i have 4 process PER CPU ? Will
>MailScanner already be using the 2 CPUs, without me changing anything?

It means the total number of child processes. You can often run 4 or 5 per CPU quite well, giving you
        Max Children = 8
or possibly 10.

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Wed Nov 5 09:55:19 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:20:51 2006
Subject: Wacky Request...
In-Reply-To: <200311042238.hA4Mc6r19792@ori.rl.ac.uk>
Message-ID: <5.2.0.9.2.20031105095345.051afc48@imap.ecs.soton.ac.uk>

This is exactly what the "auto-whitelist" functionality in SpamAssassin does. It has been discussed many times here before, and after a very thorough investigation (can't remember by whom, sorry) it is agreed that this is best left switched off as it is fairly easy for a spammer to defeat.

Handling messages coming from a dialup IP address is exactly what the "MAPS-DUL" Spam List is for.

At 22:36 04/11/2003, you wrote:
>Has anyone seen or done any development on a selective white list
>only solution based on spam scores?
>
>I'd really be interested in a solution that basically requires an
>affirmation by the sender of emails with scores ranging from 5 to say 15.
>
>I'm still ok with deleting ones over 15, but I do have a fair number of
>false positives in the 10-12 range.
>
>I'd also be interested in something similar for all emails from
>dialup/broadband IPs (or any special RBL).
>
>Anyways, just a thought.
>
>Lance

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Wed Nov 5 09:48:49 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:20:51 2006
Subject: ANNOUNCE: Beta 4.25-5 released
In-Reply-To:
References: <5.2.0.9.2.20031101173342.02c1fd00@imap.ecs.soton.ac.uk> <5.2.0.9.2.20031101173342.02c1fd00@imap.ecs.soton.ac.uk>
Message-ID: <5.2.0.9.2.20031105094410.04ad2318@imap.ecs.soton.ac.uk>

At 10:41 04/11/2003, you wrote:
>On Sat, 1 Nov 2003, Julian Field wrote:
>
> > [...]
> > I have added the "disarm" option for the "Allow ...." HTML checks, so you
> > can choose to just disarm the individual HTML tags rather than convert the
> > entire message to plain text.
> > [...]
> > - Added support for "disarm" option on all HTML tag detectors, which will
> > disarm those tags while leaving the rest of the HTML intact.
>
>Excellent! Many thanks. Sounds like what we've been discussing recently
>on the list about controlled conversion of potentially dangerous bits of
>HTML (as we discussed offline yesterday evening).
>
>I have just installed it on our lowest preference (highest MX number)
>campus relay.
>
>With the aim of allowing most HTML but of de-clawing "Object Codebase", we
>used to have (4.24-5):
>   Allow IFrame Tags = yes
>   Allow Form Tags = yes
>   Allow Object Codebase Tags = no
>   Convert Dangerous HTML To Text = yes
>But in practice, this used to affect HTML containing any of those tags,
>not just OC.
>
>I have now (4.25-5) set:
>   Allow IFrame Tags = yes
>   Allow Form Tags = yes
>   Allow Object Codebase Tags = disarm
>   Convert Dangerous HTML To Text = no
>
>which I hope should achieve this (permit everything, but de-claw OC).
>Correct?

Yes.

>But I have a suggestion, Julian. Could you clarify the comments in
>MailScanner.conf about "Convert Dangerous HTML To Text", so that it
>clearly relates to the words "yes" and "disarm" in the "Allow X" options?
>It currently says:
>   # This will only apply if you are also allowing the tags to be present
>   # using the configuration options above.
>
>Does "allowing to be present" relate to "yes" only, or also to "disarm"?
>Put another way: How does 'Convert ...' interact with the multiple values
>of the various 'Allow ...'?

I will endeavour to rewrite the comments.
Is this better?

# Do you want to convert HTML messages to plain text if they contain
# any HTML tags whose settings above are "yes"?
# This will only apply if you are also allowing the tags to be present
# using the configuration options above. You can allow messages
# that contain the tags, but convert them to plain text. This makes
# the HTML harmless, while still allowing your users to see the text
# content of the messages.
# The newer "disarm" settings above can be used instead of this setting,
# to selectively disable the individual tags while leaving the rest of
# the message as the original HTML.
# Setting this to "yes" will cause all graphical content to be removed
# from messages, for example.
# This can also be the filename of a ruleset, so you can make this apply
# only to specific users or domains.
Convert Dangerous HTML To Text = no

> > [...]
> > I am not planning a stable release for November, as there really haven't
> > been enough changes to justify it.
> > [...]
>
>But for those of us itching to use the new features in major production
>use, how "unstable" is this beta overall, compared to the previous stable?
>(The question is more about the basic MailScanner code and possible added
>risk there, less about the intrinsic risk of the newly enabled features.)

I just want to wait until a few people have tried the HTML disarming before I consider it working. I've tested it myself and it appears to be fine, but I would like to see the results when it is applied to "real world" mail.

>Many thanks again for a great product and great support.

My pleasure :)

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From michele at BLACKNIGHTSOLUTIONS.COM Wed Nov 5 10:03:24 2003
From: michele at BLACKNIGHTSOLUTIONS.COM (Michele Neylon :: Blacknight Solutions)
Date: Thu Jan 12 21:20:51 2006
Subject: IMAP and MailScanner
In-Reply-To: <5.2.0.9.2.20031105095110.04ca6250@imap.ecs.soton.ac.uk>
References: <6.0.0.22.0.20031104163408.027f2c30@192.168.2.52> <5.2.0.9.2.20031105095110.04ca6250@imap.ecs.soton.ac.uk>
Message-ID: <61774.213.79.33.177.1068026604.squirrel@www.blacknightsolutions.com>

> MailScanner has nothing whatsoever to do with your IMAP daemon.

I'm using IMAP via Squirrel this morning - I can't see any difference :P

--
Mr. Michele Neylon
Blacknight Solutions
http://www.blacknightsolutions.ie/
.ie registration from ?45!

From denis at CROOMBS.ORG Wed Nov 5 10:18:34 2003
From: denis at CROOMBS.ORG (Denis Croombs)
Date: Thu Jan 12 21:20:51 2006
Subject: MalScanner & Clam V0.60 on Redhat 7.2 system
References: <5.2.0.9.2.20031105093748.04b921e0@imap.ecs.soton.ac.uk>
Message-ID: <008101c3a386$2c96a080$85b8fea9@Laptop>

Thanks Julian

That sorted it.

Again many thanks

>
> Just have 1 copy of clam installed and set the relevant line in
> /etc/MailScanner/MailScanner.conf to point to it.
>
> You are using the clamav-wrapper from one version with a different version
> of MailScanner. Suggest you sort out your versions :-)

From Kevin.Spicer at BMRB.CO.UK Wed Nov 5 10:25:43 2003
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin)
Date: Thu Jan 12 21:20:51 2006
Subject: workaround for "file size limit exceeded" messages?
Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0016497F4@pascal.priv.bmrb.co.uk>

Julian Field wrote:
> Do other people agree that this is the preferred behaviour?
> Detect the virus, but ignore "File size limit exceeded" messages?
>
> Your votes please...

If the problems with running clam as root can be fixed, then clam falls back to the external unzipper when it generates a "File size limit exceeded" message, so the "file size limit exceeded" message doesn't mean the file couldn't be unzipped, it just means the first attempt to unzip the file failed.

To recap, the problem when MailScanner calls clam as root is that it drops privileges when calling external programs. This means that unzip can't unzip any files because
a) it can't read or write Clam's temp directory (by default in ~/tmp i.e. here in /root/tmp) and
b) It can't read the files in MailScanner's work directory.

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000

From Ulysees at ULYSEES.COM Wed Nov 5 10:41:32 2003
From: Ulysees at ULYSEES.COM (Ulysees)
Date: Thu Jan 12 21:20:51 2006
Subject: dealing with zips with corrupted headers
References: <200311041804.23128.chris@fractalweb.com>
Message-ID: <001101c3a389$64d73ba0$3201010a@nimitz>

is it just me or does the latest version of Sophos not see it either ?

Uly

> Hi everyone,
>
> No sooner do we (well...Julian) come out a workaround for the extra status
> line that ClamAV was spitting out than another virus using similar zip-header
> trickery to sneak through our scanners.
>
> Worm.Mimail.G arrives in a zip file called "readnow.zip" that strangely gets a
> simple "OK" from clamscan, and the virus goes right through. After some
> experimenting, I've figured out that the virus will happily unzip with the
> console unzip tool, but complains with the following message:
>
> # unzip readnow.zip
> Archive: readnow.zip
> warning [readnow.zip]: 3 extra bytes at beginning or within zipfile
> (attempting to process anyway)
> file #1: bad zipfile offset (local header sig): 3
> (attempting to re-compensate)
> extracting: readnow.doc.scr
>
> After reading the man page for clamscan, I came across an option that disables
> clamscan's internal archive tools. When I typed "clamscan --disable-archive
> readnow.zip" I got the expected response of "readnow.zip: Worm.Mimail.G
> FOUND".
>
> Is there a disadvantage to editing "/usr/lib/MailScanner/clamav-wrapper" and
> removing the "--unzip" option and replacing it with "--disable-archive"? Am I
> on the right track?
>
> Thanks,
> Chris
> --
> Chris Yuzik
> chris@fractalweb.com
> 604-304-0444
>
> "Reality is that which, when you stop believing in it, doesn't go
> away".
> -- Philip K. Dick
>

From t.d.lee at DURHAM.AC.UK Wed Nov 5 10:42:55 2003
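The mismatch behind unzip's "3 extra bytes at beginning or within zipfile" warning quoted in the message above can be checked structurally before an attachment is handed to a virus scanner. The Python sketch below is an added example, not code from MailScanner, ClamAV or anyone in this thread; the function names, the hold policy and the sample archive (constructed and harmless) are assumptions.

```python
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"  # end-of-central-directory record
CDH_SIG = b"PK\x01\x02"   # central directory file header
LFH_SIG = b"PK\x03\x04"   # local file header
EOCD_FMT = "<4s4H2IH"     # 22-byte fixed part of the EOCD record
CDH_FMT = "<4s6H3I5H2I"   # 46-byte fixed part of a central directory entry
CDH_LEN = struct.calcsize(CDH_FMT)


def inspect_zip_offsets(data):
    """Compare the offsets a ZIP records with where its structures really sit.

    Returns a dict with:
      status  -- "ok", "prefixed" (every offset is off by the same positive
                 amount), "corrupt" or "not-a-zip"
      shift   -- number of unaccounted bytes in front of the archive data
      members -- [(name, recorded_offset, actual_offset_or_None), ...]
    Handles plain archives only (no ZIP64, single disk).
    """
    report = {"status": "not-a-zip", "shift": None, "members": []}
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0 or eocd + struct.calcsize(EOCD_FMT) > len(data):
        return report
    _, _, _, _, total, cd_size, cd_offset, _ = struct.unpack_from(
        EOCD_FMT, data, eocd)

    # The central directory ends where the EOCD record begins, so its true
    # start is known without trusting the recorded cd_offset.
    real_cd = eocd - cd_size
    if real_cd < 0:
        report["status"] = "corrupt"
        return report
    shift = real_cd - cd_offset
    report["shift"] = shift

    pos, consistent = real_cd, True
    for _ in range(total):
        if data[pos:pos + 4] != CDH_SIG or pos + CDH_LEN > eocd:
            consistent = False
            break
        fields = struct.unpack_from(CDH_FMT, data, pos)
        name_len, extra_len, comment_len = fields[10], fields[11], fields[12]
        recorded = fields[16]  # local header offset as written in the archive
        name = data[pos + CDH_LEN:pos + CDH_LEN + name_len].decode(
            "cp437", "replace")
        actual = recorded + shift
        if actual < 0 or data[actual:actual + 4] != LFH_SIG:
            actual, consistent = None, False
        report["members"].append((name, recorded, actual))
        pos += CDH_LEN + name_len + extra_len + comment_len

    if not consistent or shift < 0:
        report["status"] = "corrupt"
    elif shift == 0:
        report["status"] = "ok"
    else:
        report["status"] = "prefixed"
    return report


def needs_hold(report):
    """Policy sketch (assumption): hold archives whose recorded offsets do not
    match their layout, because unpackers disagree on how to treat them."""
    return report["status"] in ("prefixed", "corrupt")


def build_samples():
    """Constructed test data: a harmless one-member archive, and the same
    bytes with 3 stray bytes in front (the layout unzip reported above)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("note.txt", b"harmless placeholder content\n")
    clean = buf.getvalue()
    return clean, b"\x00\x00\x00" + clean


if __name__ == "__main__":
    for label, blob in zip(("clean", "prefixed"), build_samples()):
        r = inspect_zip_offsets(blob)
        print(label, r["status"], r["shift"], r["members"],
              "hold" if needs_hold(r) else "pass")
```

A gateway could apply such a check alongside the scanner rather than instead of it, so that a bare "OK" on a structurally inconsistent archive is not the only signal.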
From: t.d.lee at DURHAM.AC.UK (David Lee)
Date: Thu Jan 12 21:20:51 2006
Subject: ANNOUNCE: Beta 4.25-5 released
In-Reply-To: <5.2.0.9.2.20031105094410.04ad2318@imap.ecs.soton.ac.uk>
References: <5.2.0.9.2.20031101173342.02c1fd00@imap.ecs.soton.ac.uk> <5.2.0.9.2.20031101173342.02c1fd00@imap.ecs.soton.ac.uk> <5.2.0.9.2.20031105094410.04ad2318@imap.ecs.soton.ac.uk>
Message-ID:

On Wed, 5 Nov 2003, Julian Field wrote:

> [...]
> I will endeavour to rewrite the comments.
> Is this better?
>
> # Do you want to convert HTML messages to plain text if they contain
> # any HTML tags whose settings above are "yes"?
> # This will only apply if you are also allowing the tags to be present
> # using the configuration options above. You can allow messages
> # that contain the tags, but convert them to plain text. This makes
> # the HTML harmless, while still allowing your users to see the text
> # content of the messages.
> # The newer "disarm" settings above can be used instead of this setting,
> # to selectively disable the individual tags while leaving the rest of
> # the message as the original HTML.
> # Setting this to "yes" will cause all graphical content to be removed
> # from messages, for example.
> # This can also be the filename of a ruleset, so you can make this apply
> # only to specific users or domains.
> Convert Dangerous HTML To Text = no

There are some details, including a split infinitive, which need attention. And in months and years to come the qualification "newer" to the word "disarm" will be superfluous.

But looking wider, I wonder whether it could be simplified (dare I say clarified?) to something like:

# The following "Convert Dangerous HTML To Text" only applies if set to
# "yes" and if one or more of the above "Allow ... Tags" settings is "no".
# It does not apply if those "Allow..." tags are all "yes" or "disarm".
#
# If an "Allow ... Tags = no" is triggered by a message, and this
# "Convert Dangerous HTML To Text" is set to "yes", then the HTML
# message will be converted to plain text. This makes the HTML
# harmless, while still allowing your users to see the text content
# of the messages. Note that all graphical content will be removed.
#
# This can also be the filename of a ruleset, so you can make this apply
# only to specific users or domains.
Convert Dangerous HTML To Text = no

And even that contains some possibly spurious repetition.

> [David Lee had earlier written:]
> >But for those of us itching to use the new features in major production
> >use, how "unstable" is this beta overall, compared to the previous stable?
> >(The question is more about the basic MailScanner code and possible added
> >risk there, less about the intrinsic risk of the newly enabled features.)
>
> I just want to wait until a few people have tried the HTML disarming before
> I consider it working. I've tested it myself and it appears to be fine, but
> I would like to see the results when it is applied to "real world" mail.

General Rule: When providing a computer service, a 99% sure way to break something catastrophically is to go public and say "it works".

So here goes: I installed 4.25-5 yesterday on our campus relays (each 40K msgs/day) including the settings:
   Allow IFrame Tags = yes
   Allow Form Tags = yes
   Allow Object Codebase Tags = disarm
   Convert Dangerous HTML To Text = no
and "it works".

So now let's wait for it to break later today ("Fireworks Day" in the UK, by the way!)

--
:  David Lee                                I.T. Service          :
:  Systems Programmer                       Computer Centre       :
:                                           University of Durham  :
:  http://www.dur.ac.uk/t.d.lee/            South Road            :
:                                           Durham                :
:  Phone: +44 191 334 2752                  U.K.                  :

From dot at DOTAT.AT Wed Nov 5 10:43:47 2003
From: dot at DOTAT.AT (Tony Finch)
Date: Thu Jan 12 21:20:51 2006
Subject: SMP Machines
In-Reply-To:
Message-ID:

Julian Field wrote:
>At 00:48 05/11/2003, you wrote:
>>Hi there, i have an old NEC 5800 dual P200 - i know this is a very old
>>machine, but i will use 3 of them if i have to - and was wondering if i
>>should make any changes to the MailScanner, SpamAssassin config to take
>>advantage?
>>
>>I know i can change the amount of child process, if i change this figure
>>from say, 5 to 4, will this mean i have 4 process PER CPU ? Will
>>MailScanner already be using the 2 CPUs, without me changing anything?
>
>It means the total number of child processes. You can often run 4 or 5 per
>CPU quite well, giving you
> Max Children = 8
>or possibly 10.

So long as you have enough memory -- allow 25-30 MB per MailScanner
process.

Tony.
--
f.a.n.finch http://dotat.at/
VIKING NORTH UTSIRE: SOUTHERLY 5 TO 7 OCCASIONALLY GALE 8. RAIN LATER.
MODERATE OR GOOD.

From zen23003 at ZEN.CO.UK Wed Nov 5 10:56:32 2003
From: zen23003 at ZEN.CO.UK (Paul)
Date: Thu Jan 12 21:20:51 2006
Subject: OT: Linux Distrobutions?
References: <5C0296D26910694BB9A9BBFC577E7AB0016497F2@pascal.priv.bmrb.co.uk>
Message-ID: <017001c3a38b$7a248060$0100000a@lan>

Aha! Is that a recommendation for Mandrake? Are you using it?

----- Original Message -----
From: "Spicer, Kevin"
To:
Sent: 05 November 2003 09:06
Subject: Re: OT: Linux Distrobutions?

I wouldn't say Mandrake is, if anything it's easier than RH/Suse and you
don't have to pay for the updates.

From miguelk at KONSULTEX.COM.BR Wed Nov 5 11:00:19 2003
From: miguelk at KONSULTEX.COM.BR (Miguel Koren O'Brien de Lacy)
Date: Thu Jan 12 21:20:51 2006
Subject: Mimail virus
References: <20031104200059.B32048@sthomas.net>
 <6.0.0.22.0.20031105121420.04354858@192.168.10.2>
Message-ID: <3FA8D843.8030806@konsultex.com.br>

There are currently 2 problems:

a) Julian wrote a patch that solves a problem with interpreting the output
from Clam in some cases (Mimail.C)
b) clamscan 0.6 has a problem opening the zipped file with Mimail.G

So, the best bet today is to block zip files in the configuration. Tomorrow
there is supposed to be a new stable version of Clam which solves the
problem. Then you can install it and apply the patch.

If you need this today, any cvs snapshot (of Clam) apparently solves the
problem. There is also another solution by running in the mailing list,
"--disable-archive" but I'm not sure what that really does. I tried it and
it worked for me.

Miguel

kfliong wrote:

> How come Mimail virus is getting through my mailscanner + clamav
> setup? Can
> I add mimail into my config file like how I added sobig into the
> config to
> stop it from coming into my server?
>

--
This message has been checked by the antivirus system and is believed to
be free of danger.

From Kevin.Spicer at BMRB.CO.UK Wed Nov 5 11:28:03 2003
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin)
Date: Thu Jan 12 21:20:51 2006
Subject: Linux Distrobutions?
Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0016497F8@pascal.priv.bmrb.co.uk>

Paul wrote:
> Aha! Is that a recommendation for Mandrake? Are you using it?

Guilty on both counts! Works fine with MailScanner. I installed sendmail
rather than postfix (the default) and had to specify nodeps when installing
MailScanner (just because of one package naming difference)

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000
_________________________________________________________________
This message (and any attachment) is intended only for the recipient and
may contain confidential and/or privileged material. If you have received
this in error, please contact the sender and delete this message
immediately. Disclosure, copying or other action taken in respect of this
email or in reliance on it is prohibited. BMRB International Limited
accepts no liability in relation to any personal emails, or content of any
email which does not directly relate to our business.

From mailscanner at ecs.soton.ac.uk Wed Nov 5 11:29:44 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:20:51 2006
Subject: ANNOUNCE: Beta 4.25-5 released
In-Reply-To:
References: <5.2.0.9.2.20031105094410.04ad2318@imap.ecs.soton.ac.uk>
 <5.2.0.9.2.20031101173342.02c1fd00@imap.ecs.soton.ac.uk>
 <5.2.0.9.2.20031101173342.02c1fd00@imap.ecs.soton.ac.uk>
 <5.2.0.9.2.20031105094410.04ad2318@imap.ecs.soton.ac.uk>
Message-ID: <5.2.0.9.2.20031105112856.04ac38e0@imap.ecs.soton.ac.uk>

At 10:42 05/11/2003, you wrote:
>On Wed, 5 Nov 2003, Julian Field wrote:
>
> > [...]
> > I will endeavour to rewrite the comments.
> > Is this better?
> >
> > # Do you want to convert HTML messages to plaint text if they contain
> > # any HTML tags whose settings above are "yes"?
> > # This will only apply if you are also allowing the tags to be present
> > # using the configuration options above. You can allow messages
> > # that contain the tags, but convert them to plain text. This makes
> > # the HTML harmless, while still allowing your users to see the text
> > # content of the messages.
> > # The newer "disarm" settings above can be used instead of this setting,
> > # to selectively disable the individual tags while leaving the rest of
> > # the message as the original HTML.
> > # Settin this to "yes" will cause all graphical content to be removed
> > # from messages, for example.
> > # This can also be the filename of a ruleset, so you can make this apply
> > # only to specific users or domains.
> > Convert Dangerous HTML To Text = no
>
>There are some details, including a split infinitive, which need
>attention. And in months and years to come the qualification "newer" to
>the word "disarm" will be superfluous.
>
>But looking wider, I wonder whether it could be simplified (dare I say
>clarified?) to something like:
>
> # The following "Convert Dangerous HTML To Text" only applies if set to
> # "yes" and if one or more of the above "Allow ... Tags" settings is "no".
> # It does not apply if those "Allow..." tags are all "yes" or "disarm".
> #
> # If an "Allow ... Tags = no" is triggered by a message, and this
> # "Convert Dangerous HTML To Text" is set to "yes", then the HTML
> # message will be converted to plain text. This makes the HTML
> # harmless, while still allowing your users to see the text content
> # of the messages. Note that all graphical content will be removed.
> #
> # This can also be the filename of a ruleset, so you can make this apply
> # only to specific users or domains.
> Convert Dangerous HTML To Text = no
>
>And even that contains some possibly spurious repetition.

I agree with your improved version (more or less). Thanks for that.

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Wed Nov 5 11:46:08 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:20:51 2006
Subject: Allow ..... Tags = disarm
Message-ID: <5.2.0.9.2.20031105114451.04befc60@imap.ecs.soton.ac.uk>

Just to provide you all with more detail on exactly how this feature works,
here is a bit of a description. If, from this, you think I have done
something badly wrong, then please tell me.

Disarming Form Tags

A "Form" tag is replaced with a "MailScannerFormxxxx" tag, where xxxx is an
essentially random number (it's actually the process id). As this is an
HTML tag not recognised by your email client (or web browser) it will just
be ignored completely, as it should be according to the HTML spec.
An "Input" tag is modified so its type is a "reset" button, and all
JavaScript "on..." methods are removed.
A "Button" tag is modified so its type is a "reset" button, and all
JavaScript "on..." methods are removed.

Disarming Object Codebase Tags

An "object" tag which has an attribute called "codebase" will be replaced
with a "MailScannerObjectxxxx" tag, just like the "Form" tag above.

Disarming IFrame Tags

Again, an "iframe" tag will be replaced with a "MailScannerIFramexxxx" tag.

Notes

The point of the xxxx number on the end of each tag name is to protect
against an attack in which a new XML object or stylesheet setting is used
to create a new tag called "MailScannerForm" which has the same actions as
a conventional "Form" tag. By putting the number on the end, I am
protecting against this by insisting that the malicious email author must
at least create a new tag for each possible value of xxxx. This is at least
65500 combinations or so. On nice systems the PID is a 32-bit number which
makes the attack a whole lot harder.

I could have used a real random number, which I will change to if you think
it is worth doing. But then I've got to properly seed the random number
generator or else it will create a predictable sequence of values which is
easier to attack than just using the PID.

Ignore upper and lowercase in any of my tag names above, it is of course
case-insensitive.

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From joshua.hirsh at PARTNERSOLUTIONS.CA Wed Nov 5 12:55:53 2003
From: joshua.hirsh at PARTNERSOLUTIONS.CA (Hirsh, Joshua)
Date: Thu Jan 12 21:20:51 2006
Subject: Mimail virus
Message-ID: <75FEDC422E2309419A9303E7B18F206E04DB5D1F@eqmail1.efni.vpn>

Hey all,

Can someone send me a copy of readnow.zip? I haven't seen any quarantined
and want to make sure that it is actually being picked up. Email is fine, or
send me a URL if you prefer ;)

Thanks!

-Joshua

From Peter.Bates at LSHTM.AC.UK Wed Nov 5 13:07:32 2003
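[Added example, not part of any message in this archive and not MailScanner's own code.] The disarming steps described in Julian Field's "Allow ..... Tags = disarm" message above, sketched in Python. The names Disarmer, disarm and SAMPLE, the filter.example URLs, the renaming of end tags, and the use of an OS-seeded random suffix (the alternative the message raises) in place of the process id are all assumptions of this sketch.

```python
import secrets
from html import escape
from html.parser import HTMLParser

# Tags that are renamed outright; <object> only when it carries "codebase".
RENAME = {"form": "MailScannerForm", "iframe": "MailScannerIFrame",
          "object": "MailScannerObject"}


class Disarmer(HTMLParser):
    """Re-serialise a message body, neutralising the tags listed above."""

    def __init__(self, suffix):
        super().__init__(convert_charrefs=False)
        self.suffix = suffix
        self.out = []
        self.objects = []  # one flag per open <object>: was it renamed?

    def _emit_start(self, tag, attrs, selfclosing):
        # HTMLParser lowercases tag and attribute names, so matching here
        # is case-insensitive, as the message requires.
        if tag == "object":
            renamed = any(name == "codebase" for name, _ in attrs)
            if not selfclosing:
                self.objects.append(renamed)
            if renamed:
                tag = RENAME[tag] + self.suffix
        elif tag in RENAME:
            tag = RENAME[tag] + self.suffix
        elif tag in ("input", "button"):
            # Force a harmless "reset" control and drop every on... handler.
            attrs = [(n, v) for n, v in attrs
                     if n != "type" and not n.startswith("on")]
            attrs.append(("type", "reset"))
        text = "".join(f" {n}" if v is None else f' {n}="{escape(v)}"'
                       for n, v in attrs)
        self.out.append(f"<{tag}{text}{' /' if selfclosing else ''}>")

    def handle_starttag(self, tag, attrs):
        self._emit_start(tag, attrs, False)

    def handle_startendtag(self, tag, attrs):
        self._emit_start(tag, attrs, True)

    def handle_endtag(self, tag):
        # Assumption: end tags are renamed to match, keeping markup balanced.
        if tag == "object":
            if self.objects and self.objects.pop():
                tag = RENAME[tag] + self.suffix
        elif tag in RENAME:
            tag = RENAME[tag] + self.suffix
        self.out.append(f"</{tag}>")

    # Text, character references, comments and declarations pass through.
    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")

    def handle_comment(self, data):
        self.out.append(f"<!--{data}-->")

    def handle_decl(self, decl):
        self.out.append(f"<!{decl}>")


def disarm(html_body, suffix=None):
    """Return html_body with form, iframe and object-codebase tags disarmed."""
    # Assumption: a fresh 32-bit value per message from the OS CSPRNG, which
    # the operating system seeds, so there is no generator to seed by hand.
    suffix = suffix or str(secrets.randbelow(2 ** 32))
    parser = Disarmer(suffix)
    parser.feed(html_body)
    parser.close()
    return "".join(parser.out)


# Constructed sample body, not taken from any real message.
SAMPLE = ('<p>Verify &amp; continue</p>'
          '<FORM action="http://filter.example/post">'
          '<input type="text" name="user" onfocus="track()">'
          '<button type="submit" onclick="go()">Send</button></FORM>'
          '<iframe src="http://filter.example/frame"></iframe>'
          '<object codebase="http://filter.example/x.cab" classid="clsid:0">'
          '</object><object data="chart.svg"></object>')

if __name__ == "__main__":
    print(disarm(SAMPLE))
```

With a per-message random suffix the sender cannot learn the tag name in advance from the scanning host's process table or from earlier messages, which is the property the xxxx number is meant to provide.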
From: Peter.Bates at LSHTM.AC.UK (Peter Bates)
Date: Thu Jan 12 21:20:51 2006
Subject: Diagnosing SpamAssassin timeouts...
Message-ID:

Hello all...

I'm still running MailScanner 4.21 (i.e. I should upgrade), so apologies
as always if this is a feature that has 'creeped' in.

We had backlogs recently (Postfix and MS, SA 2.6, DCC, Razor2 and multiple
AV engines) which led me to look more at the time it was taking to do
various tests.

Since then, I've disabled Razor2 completely, and switched to DCC with the
dccifd interface (which seems to be working fine)...

My problem, though, is in identifying where SA is failing... eventually
(based on the MS configuration) an SA run will 'time out', but I have no
idea whether hanging up on DCC, or Razor or whatever is causing the most
'time spent'.

Reading various threads on the list, people comment about 'Razor having
problems today' or 'I'm experiencing timeouts with DCC', but I guess I'm
wondering what they did to isolate that conclusion...

Does SA return this information at all in a way MailScanner can use it (to
provide more useful logged error messages), or am I getting this all wrong?

Thanks...

--------------------------------------------------------------------------------------------------->
Peter Bates, Systems Support Officer, Network Support Team.
London School of Hygiene & Tropical Medicine.
Telephone:0207-958 8353 / Fax: 0207- 636 9838

From pete at EATATHOME.COM.AU Wed Nov 5 13:17:39 2003
From: pete at EATATHOME.COM.AU (Pete russell)
Date: Thu Jan 12 21:20:51 2006
Subject: SMP Machines
In-Reply-To:
Message-ID: <000001c3a39f$30d48ef0$0300000a@pete>

Thanks for the replies - I will try running 8 process (4 per CPU) initially
and see how that goes. We are not a hugely busy site, and our p200 Domino
R5/Symantec AV currently all in and outbound traffic, so this dual cpu
machine should be fine - just want to make sure I don't overload it with
too many processes. Will be plugging it in on Friday.

Thanks for the tips on testing - the dev guy at work wrote a php script
that runs from another test machine, and specifies an amount of emails to
repeatedly send by offering a ?numRepeat=xx on the url. This machine also
has a faked MX pointing to my MS box.

If anyone is interested, we are going to turn this into a form based script
tomorrow, allowing tester to choose and include a bunch of copied spam
email bodies, which could send a combination of say 10 good email and 10
spams, and repeat 10 times or similar? Not a thorough load test by any
means, but it's something to see if your machine will accept mail not
addressed to you, and a few big hits at once.

Thanks again
Pete

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Tony Finch
Sent: Wednesday, 5 November 2003 9:44 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: SMP Machines

Julian Field wrote:
>At 00:48 05/11/2003, you wrote:
>>Hi there, i have an old NEC 5800 dual P200 - i know this is a very old
>>machine, but i will use 3 of them if i have to - and was wondering if i
>>should make any changes to the MailScanner, SpamAssassin config to take
>>advantage?
>>
>>I know i can change the amount of child process, if i change this figure
>>from say, 5 to 4, will this mean i have 4 process PER CPU ? Will
>>MailScanner already be using the 2 CPUs, without me changing anything?
>
>It means the total number of child processes. You can often run 4 or 5 per
>CPU quite well, giving you
> Max Children = 8
>or possibly 10.

So long as you have enough memory -- allow 25-30 MB per MailScanner
process.

Tony.
--
f.a.n.finch http://dotat.at/
VIKING NORTH UTSIRE: SOUTHERLY 5 TO 7 OCCASIONALLY GALE 8. RAIN LATER.
MODERATE OR GOOD.

From miguelk at KONSULTEX.COM.BR Wed Nov 5 13:30:36 2003
From: miguelk at KONSULTEX.COM.BR (Miguel Koren O'Brien de Lacy)
Date: Thu Jan 12 21:20:51 2006
Subject: Mimail virus
References: <75FEDC422E2309419A9303E7B18F206E04DB5D1F@eqmail1.efni.vpn>
Message-ID: <3FA8FB7C.5090904@konsultex.com.br>

I'll send it to you to your other email.

Miguel

Hirsh, Joshua wrote:

>Hey all,
>
> Can someone send me a copy of readnow.zip? I haven't seen any quarantined
>and want to make sure that it is actually being picked up. Email is fine, or
>send me a URL if you prefer ;)
>
>
> Thanks!
>
>-Joshua
>
>

--
This message has been checked by the antivirus system and is believed to
be free of danger.

From Peter.Bates at LSHTM.AC.UK Wed Nov 5 13:41:13 2003
From: Peter.Bates at LSHTM.AC.UK (Peter Bates)
Date: Thu Jan 12 21:20:51 2006
Subject: Postfix AROUND MailScanner
Message-ID:

Hello all...

> chris@TRUDEAU.ORG 04/11/03 16:13:57 >>>
>I would like my inbound instance of postfix (which per the documentation
>SIMPLY defers all mail for MS to pickup and scan) to actually deliver
>messages originating FROM this address without sending them to the MS
>queue.
>Any ideas?

I'm using MS with Postfix in a slightly 'non-standard' way, but which is
working fine for 13-15K messages we deal with (actually it might be more,
I never bothered counting our outgoing email!)...

I'm using a 'header_check' like so:

In main.cf -
header_checks = pcre:/etc/postfix/header_checks

In header_checks -

/^Received:.*by .*\.lshtm.ac.uk \(Postfix\)/ HOLD

This puts the incoming mail in the 'hold' queue, and then
I have in MailScanner.conf -

Incoming Queue Dir = /var/spool/postfix/hold
Outgoing Queue Dir = /var/spool/postfix/incoming

I could be wrong, but if you find a pattern, and then do

/pattern/ OK

above the HOLD pattern, the messages should be passed through
Postfix normally.

The advantage of this (non-standard) setup is that you only run one
instance of the MTA as well, but naturally that needs a little fiddling
with the init-script to keep things happy...

--------------------------------------------------------------------------------------------------->
Peter Bates, Systems Support Officer, Network Support Team.
London School of Hygiene & Tropical Medicine.
Telephone:0207-958 8353 / Fax: 0207- 636 9838

From christo at IT4AFRICA.CO.ZA Wed Nov 5 13:47:16 2003
From: christo at IT4AFRICA.CO.ZA (Christo Bezuidenhout)
Date: Thu Jan 12 21:20:52 2006
Subject: Sendmail Delivery Problem.
Message-ID: <009e01c3a3a3$52f26580$660210ac@christo>

Sorry for Submitting this to the list but maybe someone can assist me.

I want my mail to be stored in separate files in a user directory. One file
for each message received. I have submitted this on the sendmail news group
but no one cared to answer or point me in the correct direction.

Thanx
Christo

Disclaimer
----------------
This message and any attachment/s are confidential and intended solely for
the addressee. If you have received this message in error, please notify
AG Industries Limited immediately. Any unauthorised use, alteration or
dissemination is prohibited. Whilst every effort has been made to ensure no
viruses are present in this e-mail and/or attachments, we strongly
recommend that you subject this e-mail and attachment/s to your own virus
checking procedures prior to opening. AG Industries Limited accepts no
liability whatsoever for any loss, whether direct, indirect or
consequential, arising from information made available and actions
resulting there from. Messages sent via this medium may be subject to
delays, non-delivery and unauthorised alteration. Any recipient of an
unacceptable communication, a chain letter or offensive material of any
nature is requested to report it to Postmaster@ag-industries.com

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20031105/af0183b3/attachment.html

From martinh at SOLID-STATE-LOGIC.COM Wed Nov 5 13:58:27 2003
From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth)
Date: Thu Jan 12 21:20:52 2006
Subject: Sendmail Delivery Problem.
In-Reply-To: <009e01c3a3a3$52f26580$660210ac@christo>
References: <009e01c3a3a3$52f26580$660210ac@christo>
Message-ID: <3FA90203.3030902@solid-state-logic.com>

Christo Bezuidenhout wrote:
> Sorry for Submitting this to the list but maybe someone can assist me.
>
> I want my mail to be stored in separate files in a user directory. One
> file for each message received. I have submitted this on the sendmail
> news group but no one cared to answer or point me in the correct direction.
>
> Thanx
> Christo
> Disclaimer ----------------

You mean like a maildir type mailbox instead of mbox format?

maildrop could be used to do this I guess, sendmail hands to maildrop to
actually deliver the email and maildrop puts it in maildir format....

--
Martin Hepworth
Senior Systems Administrator
Solid State Logic Ltd
tel: +44 (0)1865 842300

**********************************************************************
This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please notify
the system manager.

This footnote confirms that this email message has been swept
for the presence of computer viruses and is believed to be clean.
**********************************************************************

From tony.johansson at SVENSKAKYRKAN.SE Wed Nov 5 15:01:46 2003
From: tony.johansson at SVENSKAKYRKAN.SE (Tony Johansson)
Date: Thu Jan 12 21:20:52 2006
Subject: Odd behaviour
Message-ID:

I've recently seen something that I cannot recall seeing before. Seems like
MailScanner spots messages in mqueue.in but only scans a few of them.

Nov 5 15:47:24 MS01 MailScanner[17089]: New Batch: Found 26 messages waiting
Nov 5 15:47:24 MS01 MailScanner[17089]: New Batch: Scanning 2 messages, 1014386 bytes

This happens repeatedly. The queues move but are seldom totally emptied.

Anyone else seen this?

Regards,
Tony

From chris at TRUDEAU.ORG Wed Nov 5 15:01:36 2003
From: chris at TRUDEAU.ORG (Chris Trudeau)
Date: Thu Jan 12 21:20:52 2006
Subject: Postfix AROUND MailScanner
References:
Message-ID: <007e01c3a3ad$b58ca930$1117000a@ATLCPW13671>

Peter,

Thanks for the idea...I have a couple of questions in response:

1. if I do this and WANT to maintain a dual postfix instance will it work?
And how would the header check pass a message fitting the variables defined
to the outbound instance? Or would it simply deliver it directly?

2. Using a single instance, do you still experience repetitive FROM
addresses in your notifications? (an apparent mailscanner/postfix logging
bug)

thanks!

CT

----- Original Message -----
From: "Peter Bates"
To:
Sent: Wednesday, November 05, 2003 8:41 AM
Subject: Re: Postfix AROUND MailScanner

> Hello all...
>
> > chris@TRUDEAU.ORG 04/11/03 16:13:57 >>>
> >I would like my inbound instance of postfix (which per the
> documentation
> >SIMPLY defers all mail for MS to pickup and scan) to actually deliver
> >messages originating FROM this address without sending them to the MS
>
> >queue.
> >Any ideas?
>
> I'm using MS with Postfix in a slightly 'non-standard' way, but which
> is working fine for 13-15K messages we deal with (actually it might be
> more, I never bothered counting our outgoing email!)...
>
> I'm using a 'header_check' like so:
>
> In main.cf -
> header_checks = pcre:/etc/postfix/header_checks
>
> In header_checks -
>
> /^Received:.*by .*\.lshtm.ac.uk \(Postfix\)/ HOLD
>
> This puts the incoming mail in the 'hold' queue, and then
> I have in MailScanner.conf -
>
> Incoming Queue Dir = /var/spool/postfix/hold
> Outgoing Queue Dir = /var/spool/postfix/incoming
>
> I could be wrong, but if you find a pattern, and then do
>
> /pattern/ OK
>
> above the HOLD pattern, the messages should be passed through
> Postfix normally.
>
> The advantage of this (non-standard) setup is that you only run one
> instance of the MTA as well, but naturally that needs a little fiddling
> with the init-script to keep things happy...
>
>
>
> --------------------------------------------------------------------------
------------------------->
> Peter Bates, Systems Support Officer, Network Support Team.
> London School of Hygiene & Tropical Medicine.
> Telephone:0207-958 8353 / Fax: 0207- 636 9838

From TGFurnish at HERFF-JONES.COM Wed Nov 5 15:07:13 2003
From: TGFurnish at HERFF-JONES.COM (Furnish, Trever G)
Date: Thu Jan 12 21:20:52 2006
Subject: Allow ..... Tags = disarm
Message-ID: <8FFC76593085ED4A80D3601BC41EFCDF0C088E@inex1.herffjones.hj-int>

> -----Original Message-----
> From: Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK]
> Sent: Wednesday, November 05, 2003 6:46 AM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Allow ..... Tags = disarm
>
> Disarming Form Tags
>
> A "Form" tag is replaced with a "MailScannerFormxxxx" tag,
> where xxxx is an
> essentially random number (it's actually the process id). As
> this is an
> HTML tag not recognised by your email client (or web browser)
> it will just
> be ignored completely, as it should be according to the HTML spec.
> An "Input" tag is modified so its type is a "reset" button, and all
> JavaScript "on..." methods are removed.
> A "Button" tag is modified so its type is a "reset" button, and all
> JavaScript "on..." methods are removed.

What's the point of disarming input tags when form tags are taken out? An
input without a form does nothing.

Changing the type of buttons seems like a very bad idea to me - I can
easily imagine a lot of confusion resulting and it doesn't seem like a
useful change.

> Notes
>
> The point of the xxxx number on the end of each tag name is to protect
> against an attack in which a new XML object or stylesheet
> setting is used
> to create a new tag called "MailScannerForm" which has the
> same actions as
> a conventional "Form" tag.

I would prefer that the changes to the HTML be reversible - this makes that
more difficult. Wouldn't it be just as useful to prepend
"MailScanner_%orgname%_"? Seems like that would be enough to defeat the
attack. And blocking both