From ejb at QL.ORG Wed Oct 1 00:36:55 2003
From: ejb at QL.ORG (Jay Berkenbilt)
Date: Thu Jan 12 21:20:18 2006
Subject: 4.23-11: major bug: virus warning text itself appears in quarantine
In-Reply-To: <200309302300.h8UN0LuJ019482@through.ads.apexinc.com> (LISTSERV@JISCMAIL.AC.UK)
References: <200309302300.h8UN0LuJ019482@through.ads.apexinc.com>
Message-ID: <200309302336.h8UNato2016273@soup.ads.apexinc.com>

> I have just tested this with
>
> Allow Form Tags = no
>
> and 3 different combinations of quarantine options:
>
> 1) Quarantine Infections = yes
> Quarantine Whole Message = no
> Quarantine Whole Messages As Queue Files = no
>
> 2) Quarantine Infections = yes
> Quarantine Whole Message = yes
> Quarantine Whole Messages As Queue Files = no
>
> 3) Quarantine Infections = yes
> Quarantine Whole Message = yes
> Quarantine Whole Messages As Queue Files = yes
>
> In all cases it worked precisely as I would expect it to.
>
> Can anyone else reproduce this problem?

In case it has to do with some specific combination of settings, here is what I changed from the default MailScanner.conf, excluding things that are "obviously" not relevant like "High Scoring Spam Subject Text". If it would help, I can send a copy of my MailScanner.conf privately. I'd rather not post it to the list.

Use SpamAssassin = yes
High SpamAssassin Score = 12
SpamAssassin Timeout = 20
Max SpamAssassin Timeouts = 5
Spam Actions = %rules-dir%/spam.actions.rules
High Scoring Spam Actions = forward some@address
Sender Spam Report = %etc-dir%/reports/sender.report.txt
Sender Spam List Report = %etc-dir%/reports/sender.report.txt
Sender SpamAssassin Report = %etc-dir%/reports/sender.report.txt

My spam.actions.rules file:

FromAndTo: *@my.domain forward some@address
To: *@my.domain bounce forward some@address
FromOrTo: default deliver forward some@address

my.domain and some@address aren't the real values, of course, but all occurrences of some@address above point to the same address.
My configuration files are directly derived from the MailScanner 4.23-11 configuration files. They are not a result of running upgrade_MailScanner_conf. I prefer to re-introduce my changes with each release (using M-x ediff-files-with-ancestor) so that I always have the latest comments, etc. and can make nice enhancements like replacing /etc/MailScanner with %etc-dir%. :-)

--
Jay Berkenbilt
http://www.ql.org/q/

From ka at PACIFIC.NET Wed Oct 1 00:53:10 2003
From: ka at PACIFIC.NET (Ken Anderson)
Date: Thu Jan 12 21:20:18 2006
Subject: SA timed out and was killed.
Message-ID: <3F7A1766.1050005@pacific.net>

Hello,

Watching the maillog, I see things like this every few minutes:

MailScanner[21096]: New Batch: Found 44 messages waiting
MailScanner[21096]: New Batch: Scanning 16 messages, 320711 bytes
MailScanner[21096]: SpamAssassin timed out and was killed, consecutive failure 1 of 20

It never gets to 2. It seems to happen with big batches (a lot of bytes), but not with smaller batches. I first tried adjusting the rbl timeouts and dcc timeout, but no effect, so it seems related to SA timeout of 15 secs.. I upped it to 25 sec, and it seems happy now. Do the messages get requeued if SA is killed? I hope so!

Thanks,
Ken A.
Pacific.Net

From harryh at CET.COM Wed Oct 1 01:15:10 2003
From: harryh at CET.COM (Harry Hanson)
Date: Thu Jan 12 21:20:18 2006
Subject: Answer: Sendmail configuration on Debian using Mailscanner
In-Reply-To:
Message-ID: <200310010015.h910FJr10188@ori.rl.ac.uk>

Hmm.. Of all things...

'sendmailconfig', then either:

/etc/init.d/sendmail reload

Or

/etc/init.d/sendmail stop
/etc/init.d/sendmail start

Would not start sendmail with 2 separate queues. However upon reboot, it worked. Go figure.
Now on to mailscanner issues :(

From dickenson at CFMC.COM Wed Oct 1 01:08:40 2003
From: dickenson at CFMC.COM (Jim Dickenson)
Date: Thu Jan 12 21:20:18 2006
Subject: SpamAssassin _HITS_
Message-ID:

When I ran SpamAssassin from procmail I could use _HITS_ in the text added to the subject and see the score that SA assigned to a given message.

In MailScanner.conf the option "Spam Subject Text" allows one to say what to put in front of the subject. Is there a way to have the current SA score included in this text?

TIA,
--
Jim Dickenson
mailto:dickenson@cfmc.com
Computers for Marketing Corporation
http://www.cfmc.com/

From harryh at CET.COM Wed Oct 1 01:21:14 2003
From: harryh at CET.COM (Harry Hanson)
Date: Thu Jan 12 21:20:18 2006
Subject: Can't set UID 0?
In-Reply-To:
Message-ID: <200310010021.h910LMr10982@ori.rl.ac.uk>

Am receiving this error when starting mailscanner:

/etc/init.d/mailscanner start
Starting virus scanner... Can't set UID 0 at /usr/share/mailscanner/logger.pl line 60.

Logs show:

Sep 30 17:00:01 /USR/SBIN/CRON[1939]: (root) CMD ([ -f $LOCKFILE ] && exit 0; trap "rm -f $LOCKFILE" EXIT; touch $LOCKFILE; /usr/sbin/check_mailscanner >/dev/null 2>&1; exit 0)
Sep 30 17:00:02 cet mailscanner[1967]: MailScanner E-Mail Virus Scanner version 3.13 starting.
Sep 30 17:00:02 mailscanner[1967]: Configuring mailscanner for sendmail...
Sep 30 17:00:02 mailscanner[1968]: ECS MailScanner setting UID to root (0)
Sep 30 17:00:02 mailscanner[1968]: Can't set UID 0

Sendmail 8.12.3/8.12.3/Debian-6.6
MailScanner 3.13

Please advise.

Thank You.

From danieltan at shopnsave.com.sg Wed Oct 1 03:35:29 2003
From: danieltan at shopnsave.com.sg (Daniel Tan)
Date: Thu Jan 12 21:20:18 2006
Subject: mqueue.in having stuck mails again
Message-ID: <004a01c387c4$ae0c7e60$3900a8c0@Daniel>

i can't seem to comprehend the error messages in /var/log/messages.
my mails are all stuck in /var/spool/mqueue.in yesterday due to power failure in my building, once power resume...the server started having this problem...i have tried restarting and stopping MailScanner and sendmail separately but no use..anyone knows what the errors says? i ran top and saw MailScanner (defunct) process appearing then disappearing....

Oct 1 10:23:32 mail MailScanner: succeeded
Oct 1 10:23:34 mail last message repeated 2 times
Oct 1 10:24:24 mail root: Process did not exit cleanly, returned 255 with signal 0
Oct 1 10:25:04 mail last message repeated 4 times
Oct 1 10:26:14 mail last message repeated 7 times
Oct 1 10:27:24 mail last message repeated 7 times
Oct 1 10:27:44 mail last message repeated 2 times
Oct 1 10:27:52 mail ipop3d[24033]: Login failed user=newbiz7 auth=newbiz7 host=[192.168.0.57]
Oct 1 10:27:54 mail root: Process did not exit cleanly, returned 255 with signal 0
Oct 1 10:28:34 mail last message repeated 4 times

Regards,
Daniel Tan
67469188 Ext.665
DID: 68430665
MIS Department
Shop N Save Pte Ltd
: danieltan@shopnsave.com.sg

[This e-mail is confidential and may also be privileged. If you are not the intended recipient, please delete it and notify us immediately; you should not copy or use it for any purpose, nor disclose its contents to any other person. Thank you.]

From danieltan at shopnsave.com.sg Wed Oct 1 05:26:30 2003
From: danieltan at shopnsave.com.sg (Daniel Tan)
Date: Thu Jan 12 21:20:18 2006
Subject: reintalling MS
Message-ID: <018401c387d4$31d70ee0$3900a8c0@Daniel>

hi guys...think i wanna try reinstall MS again to try and overcome my mails getting stuck in mqueue.in folder problem. but i ran install.sh and after some time, it says mailscanner already installed...then quits....how do i force it to reinstall again?

Regards,
Daniel Tan
67469188 Ext.665
DID: 68430665
MIS Department
Shop N Save Pte Ltd
: danieltan@shopnsave.com.sg

[This e-mail is confidential and may also be privileged.
If you are not the intended recipient, please delete it and notify us immediately; you should not copy or use it for any purpose, nor disclose its contents to any other person. Thank you.]

From bhughes at ELEVATING.COM Wed Oct 1 05:37:29 2003
From: bhughes at ELEVATING.COM (Bret Hughes)
Date: Thu Jan 12 21:20:18 2006
Subject: whitelist issues
Message-ID: <1064983057.32623.21.camel@bretsony>

mailscanner-4.23-11
redhat 7.3

I am trying to figure out whitelisting from mailscanner (rather than spamassassin)

[root@mail1 rules]# cat spam.whitelist.rules
# This is where you can build a Spam WhiteList
# Addresses matching in here, with the value
# "yes" will never be marked as spam.
#From: 152.78. yes
#From: 130.246. yes
To: MAILSCANNER@JISCMAIL.AC.UK yes
FromOrTo: default no

in MailScanner.conf:

[root@mail1 MailScanner]# grep rules-dir MailScanner.conf
%rules-dir% = /etc/MailScanner/rules
Is Definitely Not Spam = %rules-dir%/spam.whitelist.rules

While I have not had mail from this list tagged as spam recently, I cannot see that it is getting whitelisted either.

headers have:

X-Elevating-MailScanner: Found to be clean
X-Elevating-MailScanner-SpamCheck: not spam, SpamAssassin (score=1, required 5, BAYES_01 -5.40, FORGED_RCVD_TRAIL 1.98, IN_REP_TO -0.37, MSGID_GOOD_EXCHANGE -0.14, ORIGINAL_MESSAGE -0.50, RCVD_IN_DSBL 4.29, RCVD_IN_RFCI 1.09)
X-Elevating-MailScanner-SpamScore: s

any tips appreciated.

Bret

From djTremors at NEWJACKSWING.DYNDNS.ORG Wed Oct 1 05:41:41 2003
From: djTremors at NEWJACKSWING.DYNDNS.ORG (Dj Tremors)
Date: Thu Jan 12 21:20:18 2006
Subject: HTML To Text tends to cause some weird loop..??
In-Reply-To:
Message-ID:

>debug = yes

OK, did that and I found this is causing the error..

debug: auto-learn? safety=4, ham=-2, spam=15, body-hits=0, head-hits=0
debug: auto-learn: currently using scoreset 1. no need to recompute.
debug: auto-learn? no: inside auto-learn thresholds or safety zone around required_hits
debug: is spam? score=0 required=5 tests=
debug: bayes: 22219 untie-ing
/usr/bin/perl: relocation error: /lib/i686-linux/auto/HTML/Parser/Parser.so: undefined symbol: Perl_safesysmalloc

Do I have a broken HTML->Parser.so or something???/

thanks,
George.

From craig at STRONG-BOX.NET Wed Oct 1 06:37:18 2003
From: craig at STRONG-BOX.NET (Craig Pratt)
Date: Thu Jan 12 21:20:18 2006
Subject: RAV autoupdate script causing issues today
In-Reply-To:
Message-ID: <5248C4BB-F3D1-11D7-84F3-0003939D0468@strong-box.net>

Yup - seeing the same thing. If I run it manually, it just hangs at "Make remote list of files..."

/usr/local/rav8/bin/ravav --update=engine

RAV AntiVirus command line for Linux i686.
Version: 8.3.1.
Copyright (c) 1996-2001 GeCAD The Software Company. All rights reserved.
Start updating... Tue Sep 30 22:26:21 2003
Opening a socket ...done!
Looking for: ftp.us.ravantivirus.com ...done!
Connecting to server: ftp.us.ravantivirus.com ...done!
User login ...
Password authentification ...
Chdir remote... /pub/rav/update/rave
Make remote list of files...

I seem to remember there being a setting for how often MS will run the autoupdate script. But I don't seem to be able to find it.

Are their servers being DOSed - either maliciously or by engine updates perhaps?

Craig

On Tuesday, Sep 30, 2003, at 14:56 US/Pacific, Dan Williamson wrote:

> I'm having the same problem as well.
> 4 of my servers locked, queuing several thousand emails before the
> calls
> started to come in.
>
> I just recently upgraded all servers to 4.23-11.
> I am killing all ravav processes on the hour and restarting
> MailScanner.
>
> regards,
> -dan
>
> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On
> Behalf
> Of Mickey Everts
> Sent: Tuesday, September 30, 2003 3:34 PM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: RAV autoupdate script causing issues today
>
>
>
> On the two servers that I admin which are running MailScanner 4.20-3,
> the
> "update_virus_scanners" script that runs hourly has been causing issues
> since about 9:00 AM PST. The root cause appears to be that
> "ravav --update=engine" command is using taking way to long and using
> a lot
> of CPU time, enough that MailScanner can't keep up it seems. By the
> time I
> noticed, there was several hundred messages in the "mqueue.in"
> directory. I
> have disabled RAV for now, but I have a couple questions:
>
> Has the "update_virus_scanners" perhaps been improved in recent
> versions
> perhaps to make it not so vulnerable to this kind of thing? Perhaps
> external commands it calls could be "nice'd" to some level that would
> not
> cause issue if they went awry? Did this happen to anyone else?
>
> USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
> root 13903 0.0 0.0 1432 444 ? S 13:01 0:00 \_
> CROND
> root 13904 0.0 0.1 2048 956 ? S 13:01 0:00 \_
> /bin/bash /usr/bin/run-parts /etc/cron.hourly
> root 13922 0.0 0.1 2044 968 ? S 13:01 0:00
> \_
> /bin/bash /usr/sbin/update_virus_scanners
> root 13958 0.0 0.2 3284 1448 ? S 13:01 0:00
> |
> \_ /usr/bin/perl -w /usr/lib/MailScanner/rav-autoupdate
> root 13959 84.0 0.1 1548 676 ? R 13:01 6:57
> |
> \_ /usr/local/rav8//bin/ravav --update=engine
>
> Until now, MailScanner has been ultra-reliable for months. Good job
> Julian!
>
> Mickey
> SLP
>
> --
> This message checked for dangerous content by MailScanner on StrongBox.
>
>

---
Craig Pratt
Strongbox Network Services Inc.
mailto:craig@strong-box.net
dtmf:503.706.2933

--
This message checked for dangerous content by MailScanner on StrongBox.
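
An added example, not code from MailScanner or from anyone posting in this thread: one way to keep a stalled scanner update from holding up mail scanning is to run it at the lowest CPU priority, under a hard time limit, and to release the update lock on every exit path. The function name `run_bounded`, the lock-directory path and the 300-second limit in the usage comment are assumptions made for this illustration.

```shell
#!/bin/sh
# Added illustration; not MailScanner code. Names and paths are assumptions.
#
# run_bounded LIMIT LOCKDIR COMMAND [ARGS...]
#   Runs COMMAND at the lowest CPU priority while holding LOCKDIR as a lock,
#   kills it if it is still running after LIMIT seconds, and releases the
#   lock on every path.
#   Returns COMMAND's exit status, 124 if it was killed on timeout,
#   or 75 if another run already holds the lock.
run_bounded() {
    limit=$1
    lockdir=$2
    shift 2

    # mkdir is atomic, so a second update cannot start while one is running.
    mkdir "$lockdir" 2>/dev/null || return 75

    # nice 19: a busy-waiting updater gets CPU only when nothing else wants it.
    nice -n 19 "$@" &
    cmd_pid=$!

    # Poll once a second. Only $cmd_pid is signalled, so wrap the updater
    # binary itself rather than a script that spawns it as a child.
    elapsed=0
    while kill -0 "$cmd_pid" 2>/dev/null; do
        if [ "$elapsed" -ge "$limit" ]; then
            kill -TERM "$cmd_pid" 2>/dev/null
            sleep 1                              # grace period before SIGKILL
            kill -KILL "$cmd_pid" 2>/dev/null
            wait "$cmd_pid" 2>/dev/null
            rmdir "$lockdir"                     # never leave the lock behind
            return 124
        fi
        sleep 1
        elapsed=$((elapsed + 1))
    done

    wait "$cmd_pid"
    status=$?
    rmdir "$lockdir"
    return "$status"
}

# Usage from a cron script (lock path and limit are hypothetical):
#   run_bounded 300 /var/lock/rav-update.lock /usr/local/rav8/bin/ravav --update=engine
if [ "$#" -ge 3 ]; then
    run_bounded "$@"
    exit $?
fi
```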

From lists at SAHARA.CO.ZA Wed Oct 1 08:14:08 2003
From: lists at SAHARA.CO.ZA (GTA)
Date: Thu Jan 12 21:20:18 2006
Subject: Recommended Spam actions
Message-ID: <000a01c387eb$9b047210$df01000a@saharajhb.lan>

Hi All

I am currently doing the following with spam:

Spam Actions = striphtml deliver forward postmaster@sahara.co.za
High Scoring Spam Actions = striphtml attachment deliver forward postmaster@sahara.co.za

I have been monitoring this for two months now since I have installed Mailscanner, and have added all the necessary addresses into my spam.whitelist.rules so I don't get any false positives any more. I would like to remove the "deliver" option and change it to "delete" or "bounce".
What are you guys doing? Is it worthwhile bouncing spam at all?

Just as a note on the traffic side, I get about 300 Spam mails per day on a server that does about 5k of messages.

Thanks!
Gary

- PLEASE NOTE -

This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. Please note that any views or opinions presented in this email are solely those of the author and do not necessarily represent those of Sahara Computers (Pty) Ltd. Finally, while Sahara Computers attempts to ensure that all email is virus-free, Sahara Computers accepts no liability for any damage caused by any virus transmitted by this email.

Sahara Computers (PTY) Ltd
89 Gazelle Avenue, Corporate Park, Midrand, South Africa
Private Bag X180, Halfway House, 1685, South Africa

-----
Scanned and protected by MailScanner @ mail.sahara.co.za

From danieltan at shopnsave.com.sg Wed Oct 1 08:19:59 2003
From: danieltan at shopnsave.com.sg (Daniel Tan)
Date: Thu Jan 12 21:20:18 2006
Subject: help pls...
Message-ID: <001001c387ec$6c820dc0$3900a8c0@Daniel>

urgently needs help....
i have tried reinstalling my 4.23-11 of MS and even upgrading SA to 2.60 nothing seems to be able to jump start my incoming queue (mqueue.in)...all mails seems to be just resting in there...not moving...got nothing from the log except this

Oct 1 10:24:24 mail root: Process did not exit cleanly, returned 255 with signal 0
Oct 1 10:25:04 mail last message repeated 4 times
Oct 1 10:26:14 mail last message repeated 7 times
Oct 1 10:27:24 mail last message repeated 7 times
Oct 1 10:27:44 mail last message repeated 2 times

what is making it get stuck? i tried not using SA or virus scanning = none to locate the problem..but no help...

need Julian or other mailscanner gurus to help me.....

my f-prot is fp-linux-ws.rpm (version 4.3)

any other details i can give...just ask....

Regards,
Daniel Tan
67469188 Ext.665
DID: 68430665
MIS Department
Shop N Save Pte Ltd
: danieltan@shopnsave.com.sg

[This e-mail is confidential and may also be privileged. If you are not the intended recipient, please delete it and notify us immediately; you should not copy or use it for any purpose, nor disclose its contents to any other person. Thank you.]

From P.G.M.Peters at utwente.nl Wed Oct 1 08:23:29 2003
From: P.G.M.Peters at utwente.nl (Peter Peters)
Date: Thu Jan 12 21:20:18 2006
Subject: Beta release 4.24-3
In-Reply-To: <5.2.1.1.2.20030930232003.0274dc00@imap.ecs.soton.ac.uk>
References: <3F79CF8B.31186.22216A3@localhost> <5.2.0.9.2.20030930102347.04522e78@imap.ecs.soton.ac.uk> <3F79D071.7598.2259638@localhost> <5.2.1.1.2.20030930232003.0274dc00@imap.ecs.soton.ac.uk>
Message-ID:

On Tue, 30 Sep 2003 23:21:03 +0100, you wrote:

>You should be able to find it on the public PGP key servers. Give me a
>shout if you can't. My copy of PGP finds them on the key servers okay.

I have found your key. But I can't find the other signer of jkf@ecs.soton.ac.uk.

--
Peter Peters, senior network administrator
Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE)
Universiteit Twente, Postbus 217, 7500 AE Enschede
telephone: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/civ

From craig at STRONG-BOX.NET Wed Oct 1 08:43:37 2003
From: craig at STRONG-BOX.NET (Craig Pratt)
Date: Thu Jan 12 21:20:18 2006
Subject: RAV autoupdate script causing issues today
In-Reply-To: <5248C4BB-F3D1-11D7-84F3-0003939D0468@strong-box.net>
Message-ID:

On Tuesday, Sep 30, 2003, at 22:37 US/Pacific, Craig Pratt wrote:

> Yup - seeing the same thing. If I run it manually, it just hangs at
> "Make remote list of files..."
>
> /usr/local/rav8/bin/ravav --update=engine
>
> RAV AntiVirus command line for Linux i686.
> Version: 8.3.1.
> Copyright (c) 1996-2001 GeCAD The Software Company. All rights
> reserved.
> Start updating... Tue Sep 30 22:26:21 2003
> Opening a socket ...done!
> Looking for: ftp.us.ravantivirus.com ...done!
> Connecting to server: ftp.us.ravantivirus.com ...done!
> User login ...
> Password authentification ...
> Chdir remote... /pub/rav/update/rave
> Make remote list of files...
>
> I seem to remember there being a setting for how often MS will run the
> autoupdate script. But I don't seem to be able to find it.

DOH - of course, it's cron that's running it.

I *think* what's happening is:

(1) update script is run by cron
(2) Update script grabs the update lock,
(3) RAV update stalls (looks like the FTP server has fallen down and RAV's update function busy-waits - caught mine using 98% of CPU)
(4) MailScanner stalls waiting for the lock (last log entry is "MailScanner[10669]: Virus and Content Scanning: Starting").
(5) check_MailScanner doesn't detect the condition since the process is running - just blocked

Note that I'm running MS 4.12-2.

Temporary solution for me: mv /etc/cron.hourly/update_virus_scanners /etc/cron.daily/

Running ftp manually to either ftp.us.ravantivirus.com or ftp.ravantivirus.com seems to demonstrate that their servers are hosed. Don't know why.

Craig

> On Tuesday, Sep 30, 2003, at 14:56 US/Pacific, Dan Williamson wrote:
>> I'm having the same problem as well.
>> 4 of my servers locked, queuing several thousand emails before the
>> calls
>> started to come in.
>>
>> I just recently upgraded all servers to 4.23-11.
>> I am killing all ravav processes on the hour and restarting
>> MailScanner.
>>
>> regards,
>> -dan
>>
>> -----Original Message-----
>> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On
>> Behalf
>> Of Mickey Everts
>> Sent: Tuesday, September 30, 2003 3:34 PM
>> To: MAILSCANNER@JISCMAIL.AC.UK
>> Subject: RAV autoupdate script causing issues today
>>
>>
>>
>> On the two servers that I admin which are running MailScanner 4.20-3,
>> the
>> "update_virus_scanners" script that runs hourly has been causing
>> issues
>> since about 9:00 AM PST. The root cause appears to be that
>> "ravav --update=engine" command is using taking way to long and using
>> a lot
>> of CPU time, enough that MailScanner can't keep up it seems. By the
>> time I
>> noticed, there was several hundred messages in the "mqueue.in"
>> directory. I
>> have disabled RAV for now, but I have a couple questions:
>>
>> Has the "update_virus_scanners" perhaps been improved in recent
>> versions
>> perhaps to make it not so vulnerable to this kind of thing? Perhaps
>> external commands it calls could be "nice'd" to some level that would
>> not
>> cause issue if they went awry? Did this happen to anyone else?
>>
>> USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
>> root 13903 0.0 0.0 1432 444 ? S 13:01 0:00 \_
>> CROND
>> root 13904 0.0 0.1 2048 956 ? S 13:01 0:00 \_
>> /bin/bash /usr/bin/run-parts /etc/cron.hourly
>> root 13922 0.0 0.1 2044 968 ? S 13:01 0:00
>> \_
>> /bin/bash /usr/sbin/update_virus_scanners
>> root 13958 0.0 0.2 3284 1448 ? S 13:01 0:00
>> |
>> \_ /usr/bin/perl -w /usr/lib/MailScanner/rav-autoupdate
>> root 13959 84.0 0.1 1548 676 ? R 13:01 6:57
>> |
>> \_ /usr/local/rav8//bin/ravav --update=engine
>>
>> Until now, MailScanner has been ultra-reliable for months. Good job
>> Julian!
>>
>> Mickey
>> SLP

--
This message checked for dangerous content by MailScanner on StrongBox.

From michele at BLACKNIGHTSOLUTIONS.COM Wed Oct 1 09:21:27 2003
From: michele at BLACKNIGHTSOLUTIONS.COM (Michele Neylon :: Blacknight Solutions)
Date: Thu Jan 12 21:20:18 2006
Subject: Recommended Spam actions
In-Reply-To: <000a01c387eb$9b047210$df01000a@saharajhb.lan>
Message-ID: <200310010821.h918LHB05142@camelot.blacknightsolutions.com>

Bouncing Spam is a really *bad* idea, as a lot of spammers falsify headers, return addresses etc. If you try bouncing them they'll bounce back to you.

Deletion is probably the best option

Mr. Michele Neylon
Blacknight Solutions
http://www.blacknightsolutions.ie/
http://www.search.ie/
Probably the cheapest ie's in Ireland
Tel. +353 (0)59 9139897
Fax. +353 (0)59 9139897

> -----Original Message-----
> From: MailScanner mailing list
> [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of GTA
> Sent: 01 October 2003 08:14
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Recommended Spam actions
>
> Hi All
>
> I am currently doing the following with spam:
>
> Spam Actions = striphtml deliver forward
> postmaster@sahara.co.za High Scoring Spam Actions = striphtml
> attachment deliver forward postmaster@sahara.co.za
>
> I have been monitoring this for a two months now since I have
> installed Mailscanner, and have added all the necessary
> addresses into my spam.whitelist.rules so I don't get any
> false positives any more. I would like to remove the
> "deliver" option and change it to "delete" or "bounce".
> What are you guys doing? Is it worthwile bouncing spam at all?
>
> Just as a note on the traffic side, I get about 300 Spam
> mails per day on a server that does about 5k of messages.
>
> Thanks!
> Gary
>
>
>
>
>
> - PLEASE NOTE -
>
> This email and any files transmitted with it are confidential
> and intended solely for the use of the individual or entity
> to whom they are addressed. If you have received this email
> in error please notify the system manager. Please note that
> any views or opinions presented in this email are solely
> those of the author and do not necessarily represent those of
> Sahara Computers (Pty) Ltd. Finally, while Sahara Computers
> attempts to ensure that all email is virus-free, Sahara
> Computers accepts no liability for any damage caused by any
> virus transmitted by this email.
>
> Sahara Computers (PTY) Ltd
> 89 Gazelle Avenue, Corporate Park, Midrand, South Africa
> Private Bag X180, Halfway House, 1685, South Africa
>
> -----
> Scanned and protected by MailScanner @ mail.sahara.co.za
>
>

#########################################################
This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance to it is prohibited.

From danieltan at shopnsave.com.sg Wed Oct 1 09:48:48 2003
From: danieltan at shopnsave.com.sg (Daniel Tan)
Date: Thu Jan 12 21:20:18 2006
Subject: SA causing fault again
Message-ID: <009301c387f8$d4db8020$3900a8c0@Daniel>

hi all,

nobody really replying to my mails...anyway...i found out that mailscanner is complaining of unable to locate SA installation and even after installing spamassassin 2.60-1 from rpms, it still didn't work. tried installing from tar.gz format but having problems installing...due to perl stuff...

looks like i gotta revert it back to the old installation again....

Regards,
Daniel Tan
67469188 Ext.665
DID: 68430665
MIS Department
Shop N Save Pte Ltd
: danieltan@shopnsave.com.sg

[This e-mail is confidential and may also be privileged. If you are not the intended recipient, please delete it and notify us immediately; you should not copy or use it for any purpose, nor disclose its contents to any other person. Thank you.]

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
Mailscanner thanks transtec Computers for their support.

From mailscanner at ecs.soton.ac.uk Wed Oct 1 08:48:17 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:20:18 2006
Subject: I was wrong...Sophos still not working.
In-Reply-To: <002d01c3877d$e4c0acc0$e701a8c0@oisii>
References: <3F79C1DA.3010604@gmx.de>
Message-ID: <5.2.0.9.2.20031001084751.046b23c8@imap.ecs.soton.ac.uk>

But you will still find the sophos-autoupdate doesn't run. You will need to hack that one too to do what you want.

At 19:08 30/09/2003, you wrote:
>This worked fine. I now get Sophos-wrapper to run. Thank you!
>
>i had to modify the sophos-wrapper in this way
>
>$ which sweep
>/usr/local/bin/sweep
>
>$ ls /usr/local/sav
>374_ides-20030929.zip icmess.dat simulekc.ide vdl05.vdb vdl11.vdb
>backsm-a.ide jsurf-b.ide swpmess.dat vdl06.vdb vdl12.vdb
>blaxe-a.ide lovgater.ide vdl01.vdb vdl07.vdb vdl13.vdb
>dumaru-b.ide opaservd.ide vdl02.vdb vdl08.vdb
>vdl-3.74.dat
>dumarue.ide oragon-a.ide vdl03.vdb vdl09.vdb vdl.dat
>gibe-f.ide randex-g.ide vdl04.vdb vdl10.vdb yaha-w.ide
>
>
>
>$ grep -3 "PackageDir" /usr/lib/MailScanner/sophos-wrapper
># Modified for solaris by CJG
># Then tweaked for heron by JKF again
>
>#PackageDir=/usr/local/Sophos
>PackageDir=/usr/local
>prog=sweep # `basename $0`
>
>#SAV_IDE=$PackageDir/ide
>SAV_IDE=$PackageDir/sav
>LD_LIBRARY_PATH=$PackageDir/lib
>LANG=english
>export SAV_IDE
>export LD_LIBRARY_PATH
>export LANG
>
>if [ "x$1" = "x-IsItInstalled" ]; then
> [ -x ${PackageDir}/bin/$prog ] && exit 0
> exit 1
>fi
>
>exec ${PackageDir}/bin/$prog "$@"
>
>
>--
>shrek-m

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Wed Oct 1 08:47:07 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:20:18 2006
Subject: I was wrong...Sophos still not working.
In-Reply-To: <3F79C1DE.5020809@dalsemi.com>
References: <002c01c38779$646af6b0$e701a8c0@oisii>
Message-ID: <5.2.0.9.2.20031001084621.0449ee48@imap.ecs.soton.ac.uk>

At 18:48 30/09/2003, you wrote:
>You might try editing the sophos-wrapper script and changing PackageDir
>to point to the directory containing sweep.
>
>Dave
>
>John L wrote:
>
>> From the previous post, I removed Sophos, then installed it using the
>>Sophos.install script
>>
>>All looked fine, but clamav is doing all of the virus scans. Sophos is
>>not.
>>
>> From virus.scanners.conf
>>sophos /usr/lib/MailScanner/sophos-wrapper
>>/usr/local/Sophos
>>
>>When I run the sophos-wrapper, I still get:
>>/usr/lib/MailScanner/sophos-wrapper: /bin/sweep: No such file or
>>directory
>>/usr/lib/MailScanner/sophos-wrapper: exec: /bin/sweep: cannot execute:
>>No such file or directory
>>
>>Any suggestions?

The correct syntax for scanning the current directory with sophos-wrapper is
/usr/lib/MailScanner/sophos-wrapper /usr/local/Sophos .
then you should find it works. Don't forget the "." off the end.

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Wed Oct 1 08:48:46 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:20:18 2006
Subject: spamassassion installation not found
In-Reply-To: <012001c3877e$708f3b90$650ba8c0@home.middlefinger.net>
References: <75FEDC422E2309419A9303E7B18F206E04DB5B86@eqmail1.efni.vpn>
Message-ID: <5.2.0.9.2.20031001084841.0446ce70@imap.ecs.soton.ac.uk>

Should work.

At 19:12 30/09/2003, you wrote:
>I asked about this the other day. Was rebuilding the .src.rpm equivalent to
>installing from the tarball. Never got an answer :)
>
>Mike
>
>
>-----Original Message-----
>From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf
>Of Hirsh, Joshua
>Sent: Tuesday, September 30, 2003 12:54 PM
>To: MAILSCANNER@JISCMAIL.AC.UK
>Subject: Re: spamassassion installation not found
>
>
>I'm not too sure about everyone else, but my SA RPM worked like a charm on
>RH 9 and 7.3. I built from the SRPM though.
>The file list is as follows:
>
>spamassassin-2.60-1:
>/etc/rc.d/init.d/spamassassin
>/usr/bin/sa-learn
>/usr/bin/spamassassin
>/usr/bin/spamc
>/usr/bin/spamd
>/usr/include/libspamc.h
>/usr/lib/libspamc.so
>/usr/share/doc/spamassassin-2.60 /usr/share/doc/spamassassin-2.60/Changes
>/usr/share/doc/spamassassin-2.60/INSTALL
>/usr/share/doc/spamassassin-2.60/README
>/usr/share/doc/spamassassin-2.60/README.spamd
>/usr/share/doc/spamassassin-2.60/sample-nonspam.txt
>/usr/share/doc/spamassassin-2.60/sample-spam.txt
>/usr/share/man/man1/sa-learn.1.gz /usr/share/man/man1/spamassassin.1.gz
>/usr/share/man/man1/spamc.1.gz
>/usr/share/man/man1/spamd.1.gz
>
>spamassassin-tools-2.60-1:
>all placed under /usr/share/doc/spamassassin-tools-2.60/
>
> Cheers,
>-Joshua

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Wed Oct 1 08:52:09 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:20:18 2006
Subject: Postfix or Sendmail for MS & SA?
In-Reply-To: <3F79E340.9000804@SJC.nl>
Message-ID: <5.2.0.9.2.20031001085013.041aa750@imap.ecs.soton.ac.uk>

Exim and sendmail will work significantly faster with MailScanner than Postfix will. This is due to the queue structures. Wietse's Postfix may be all very clever but it requires a *lot* more I/O on MailScanner's part, which is not needed with Exim and sendmail.

If you need some Exim help, I'm sure you could bribe Tony Finch into helping you get going. Otherwise, there is a very good book called "sendmail Performance Tuning" which will help you get the most out of your system.

At 21:10 30/09/2003, you wrote:
>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>
>Hello all,
>
>First of all by asking what's best I know I could be developing a flame
>war, although the MS list have been mostly free of those. Let's say it's
>not my intention.
>
>Ok now the real question;
>
>As some of you might know I'm an consultant (he sorry, it's a living.)
>an large customer of my company asked me to look at possibility of
>deploying an anti-spam, and potential anti-virus solution.
>
>Personally I'm a big fan of the mailscanner & spamassassin combination.
>In the past I build the sendmail, MS & SA combination for several semi
>large companies (1000 users or so). The customer now is in the order of
>50.000+ users, current estimate 2 * X FAST intel boxes, due to
>geographical redundancy. (3 < X > 8) (please don't ask the cust's name..).
>
>I could build the sendmail, MS & SA combo again, but I'm looking at
>postfix as well. The idea is to deploy mailscanner in front of their
>commercial mail platform. The reason to deploy postfix is due to the new
>feature in PF 2.0.0, with local_recipient map, which is easy to
>integrate with ldap. The data store of the commercial platform.
>
>I'm fully aware sendmail support ldap as well, but not as easy to
>implement. And for this setup where the box will only be an "simple"
>relay, a bit heavy.
>
>The real questions (didn't i mention that before?):
>
>1) Postfix is "recently" added to the list of supported MTA's, it's not
>as long supported as Sendmail. Can somebody provide some educated hints
>in regards to stability etc.
>
>2) Recently Wietse Venema (The auther of Postfix) stated that he had
>some issues with the way MS operated. I can understand his point of
>view, but nevertheless I like Julians approach. But did somebody ever
>encountered (major) issues in this area?
>
>
>P.S. I didn't look at any of the other MTA's due to my personal lack of
>knowledge, I only have a (lot of) experience with Postfix & sendmail.
>This basicly ruled out the other MTA's, sorry for those fans.
>
>- --
>Met Vriendelijke groet/Yours Sincerely
>Stijn Jonker
>-----BEGIN PGP SIGNATURE-----
>
>iD8DBQE/eeNAjU9r45tKnOARAheVAKC07Nta1XErvpvKa/JxuOwgQ6yZLwCg8b4X
>Gj5UIx9sotc7TbVrAvPSny0=
>=3vQS
>-----END PGP SIGNATURE-----

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Wed Oct 1 09:46:32 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:20:18 2006
Subject: RAV autoupdate script causing issues today
In-Reply-To:
References: <5248C4BB-F3D1-11D7-84F3-0003939D0468@strong-box.net>
Message-ID: <5.2.0.9.2.20031001094556.04151be0@imap.ecs.soton.ac.uk>

Try this. It will time out after 5 minutes.

At 08:43 01/10/2003, you wrote:
>On Tuesday, Sep 30, 2003, at 22:37 US/Pacific, Craig Pratt wrote:
>>Yup - seeing the same thing. If I run it manually, it just hangs at
>>"Make remote list of files..."
>>
>>/usr/local/rav8/bin/ravav --update=engine
>>
>>RAV AntiVirus command line for Linux i686.
>>Version: 8.3.1.
>>Copyright (c) 1996-2001 GeCAD The Software Company. All rights
>>reserved.
>>Start updating... Tue Sep 30 22:26:21 2003
>>Opening a socket ...done!
>>Looking for: ftp.us.ravantivirus.com ...done!
>>Connecting to server: ftp.us.ravantivirus.com ...done!
>>User login ...
>>Password authentification ...
>>Chdir remote... /pub/rav/update/rave
>>Make remote list of files...
>>
>>I seem to remember there being a setting for how often MS will run the
>>autoupdate script. But I don't seem to be able to find it.
>
>DOH - of course, it's cron that's running it.
>
>I *think* what's happening is:
>
>(1) update script is run by cron
>(2) Update script grabs the update lock,
>(3) RAV update stalls (looks like the FTP server has fallen down and
>RAV's update function busy-waits - caught mine using 98% of CPU)
>(4) MailScanner stalls waiting for the lock (last log entry is
>"MailScanner[10669]: Virus and Content Scanning: Starting").
>(5) check_MailScanner doesn't detect the condition since the process is
>running - just blocked
>
>Note that I'm running MS 4.12-2.
>
>Temporary solution for me: mv /etc/cron.hourly/update_virus_scanners /etc/cron.daily/
>
>Running ftp manually to either ftp.us.ravantivirus.com or
>ftp.ravantivirus.com seems to demonstrate that their servers are hosed.
>Don't know why.
>
>Craig
>
>>On Tuesday, Sep 30, 2003, at 14:56 US/Pacific, Dan Williamson wrote:
>>>I'm having the same problem as well.
>>>4 of my servers locked, queuing several thousand emails before the
>>>calls
>>>started to come in.
>>>
>>>I just recently upgraded all servers to 4.23-11.
>>>I am killing all ravav processes on the hour and restarting
>>>MailScanner.
>>>
>>>regards,
>>>-dan
>>>
>>>-----Original Message-----
>>>From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On
>>>Behalf
>>>Of Mickey Everts
>>>Sent: Tuesday, September 30, 2003 3:34 PM
>>>To: MAILSCANNER@JISCMAIL.AC.UK
>>>Subject: RAV autoupdate script causing issues today
>>>
>>>
>>>
>>>On the two servers that I admin which are running MailScanner 4.20-3,
>>>the
>>>"update_virus_scanners" script that runs hourly has been causing
>>>issues
>>>since about 9:00 AM PST. The root cause appears to be that
>>>"ravav --update=engine" command is using taking way to long and using
>>>a lot
>>>of CPU time, enough that MailScanner can't keep up it seems. By the
>>>time I
>>>noticed, there was several hundred messages in the "mqueue.in"
>>>directory. I
>>>have disabled RAV for now, but I have a couple questions:
>>>
>>>Has the "update_virus_scanners" perhaps been improved in recent
>>>versions
>>>perhaps to make it not so vulnerable to this kind of thing? Perhaps
>>>external commands it calls could be "nice'd" to some level that would
>>>not
>>>cause issue if they went awry? Did this happen to anyone else?
>>>
>>>USER   PID %CPU %MEM  VSZ  RSS TTY STAT START TIME COMMAND
>>>root 13903  0.0  0.0 1432  444 ?   S    13:01 0:00 \_ CROND
>>>root 13904  0.0  0.1 2048  956 ?   S    13:01 0:00 \_ /bin/bash /usr/bin/run-parts /etc/cron.hourly
>>>root 13922  0.0  0.1 2044  968 ?   S    13:01 0:00 \_ /bin/bash /usr/sbin/update_virus_scanners
>>>root 13958  0.0  0.2 3284 1448 ?   S    13:01 0:00 | \_ /usr/bin/perl -w /usr/lib/MailScanner/rav-autoupdate
>>>root 13959 84.0  0.1 1548  676 ?   R    13:01 6:57 | \_ /usr/local/rav8//bin/ravav --update=engine
>>>
>>>Until now, MailScanner has been ultra-reliable for months. Good job
>>>Julian!
>>>
>>>Mickey
>>>SLP
>
>
>--
>This message checked for dangerous content by MailScanner on StrongBox.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: rav-autoupdate
Type: application/octet-stream
Size: 2041 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20031001/b5e1dab6/rav-autoupdate.obj
-------------- next part --------------
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From Antony at SOFT-SOLUTIONS.CO.UK Wed Oct 1 09:55:40 2003
From: Antony at SOFT-SOLUTIONS.CO.UK (Antony Stone)
Date: Thu Jan 12 21:20:18 2006
Subject: SA causing fault again
In-Reply-To: <009301c387f8$d4db8020$3900a8c0@Daniel>
References: <009301c387f8$d4db8020$3900a8c0@Daniel>
Message-ID: <200310010855.h918tmE17340@agate.rockstone.co.uk>

On Wednesday 01 October 2003 9:48 am, Daniel Tan wrote:

> hi all,
> nobody really replying to my mails...anyway...i found out that
> mailscanner is complaining of unable to locate SA installtion and even
> after installing spamassassin 2.60-1 from rpms, it still didn't work. tried
> installing from tar.gz format but having problems installing...due to perl
> stuff...

You will find many posts in the list archives saying that installing SA from
RPM causes problems. You should build SA from source in order to ensure it
gets installed in the correct location and can be found later by MS.

Antony.
--
Nostalgia is not what it used to be.

From LISTSERV at JISCMAIL.AC.UK Wed Oct 1 10:30:38 2003
From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8e))
Date: Thu Jan 12 21:20:18 2006
Subject: Rejected posting to MAILSCANNER@JISCMAIL.AC.UK
Message-ID:

Your message is being returned to you unprocessed because it looks like a
LISTSERV command, rather than material intended for distribution to the
members of the MAILSCANNER list. Please note that LISTSERV commands must
ALWAYS be sent to the LISTSERV address; if it was indeed a command you were
attempting to issue, please send it again to LISTSERV@JISCMAIL.AC.UK for
execution. Otherwise, please accept our apologies and try to rewrite the
message with a slightly different wording - for instance, change the first
word of the message, enclose it in quotation marks, insert a line of dashes
at the beginning of your message, etc.
-------------- next part --------------
An embedded message was scrubbed...
From: Julian Field
Subject: Re: mqueue.in having stuck mails again
Date: Wed, 01 Oct 2003 10:22:52 +0100
Size: 3002
Url: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20031001/222fb15e/attachment.mht

From mailscanner at ecs.soton.ac.uk Wed Oct 1 10:23:13 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:20:18 2006
Subject: reintalling MS
In-Reply-To: <018401c387d4$31d70ee0$3900a8c0@Daniel>
Message-ID: <5.2.0.9.2.20031001102303.043ef380@imap.ecs.soton.ac.uk>

rpm -e mailscanner

At 05:26 01/10/2003, you wrote:
>hi guys...think i wanna try reinstall MS again to try and overcome my mails
>getting stuck in mqueue.in folder problem.
>but i ran install.sh and after some time, it says mailscanner already
>installed...then quits....how do i force it to reinstall again?
>
>Regards,
>Daniel Tan
>67469188 Ext.665
>DID: 68430665
>MIS Department
>Shop N Save Pte Ltd
>: danieltan@shopnsave.com.sg
>
>[This e-mail is confidential and may also be privileged. If you are not the
>intended recipient, please delete it and notify us immediately; you should
>not copy or use it for any purpose, nor disclose its contents to any other
>person. Thank you.]

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Wed Oct 1 10:17:46 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:20:18 2006
Subject: SpamAssassin _HITS_
In-Reply-To:
Message-ID: <5.2.0.9.2.20031001101712.0475c4e0@imap.ecs.soton.ac.uk>

At 01:08 01/10/2003, you wrote:
>When I ran SpamAssassin from procmail I could use _HITS_ in the text added
>to the subject and see the score that SA assigned to a give message.
>
>In MailScanner.conf the option "Spam Subject Text" allows one to say what to
>put in front of the subject. Is there a way to have the current SA score
>included in this text?

In the next release, due shortly.
I have chosen to use the string "_SCORE_" as that is more consistent with
the terminology I have used elsewhere.

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Wed Oct 1 09:51:59 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:20:19 2006
Subject: SA timed out and was killed.
In-Reply-To: <3F7A1766.1050005@pacific.net>
Message-ID: <5.2.0.9.2.20031001095149.044bae48@imap.ecs.soton.ac.uk>

At 00:53 01/10/2003, you wrote:
>Hello,
>
>Watching the maillog, I see things like this every few minutes:
>
>MailScanner[21096]: New Batch: Found 44 messages waiting
>MailScanner[21096]: New Batch: Scanning 16 messages, 320711 bytes
>MailScanner[21096]: SpamAssassin timed out and was killed, consecutive
>failure 1 of 20
>
>It never gets to 2.
>
>It seems to happen with big batches (a lot of bytes), but not with
>smaller batches. I first tried adjusting the rbl timeouts and dcc
>timeout, but no affect, so it seems related to SA timeout of 15 secs.. I
>upped it to 25 sec, and it seems happy now.
>
>Do the messages get requeued if SA is killed?

Don't worry, you won't lose anything.

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Wed Oct 1 09:47:49 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:20:19 2006
Subject: Add to installation guide - How to upgrade Mailscanner
In-Reply-To:
Message-ID: <5.2.0.9.2.20031001094736.044f1e48@imap.ecs.soton.ac.uk>

At 23:45 30/09/2003, you wrote:
>I have read a lot about Julian's nifty upgrade process and the way it
>handles configuration files.
>
>I think there should be a blurb on the "Installation Guide" about how to
>upgrade Mailscanner and what will happen to the configuration
>files. (Always a good idea to proclaim your cool features. This may
>cause more admins to choose Mailscanner)

Fancy writing one for me?

>I'm still not sure how to upgrade, but I think I just need to download the
>new file, untar it and run install.sh again, correct?

Correct.

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From mailscanner at ecs.soton.ac.uk Wed Oct 1 10:18:40 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:20:19 2006
Subject: Answer: Sendmail configuration on Debian using Mailscanner
In-Reply-To: <200310010015.h910FJr10188@ori.rl.ac.uk>
References:
Message-ID: <5.2.0.9.2.20031001101806.0426e4c0@imap.ecs.soton.ac.uk>

At 01:15 01/10/2003, you wrote:
>Hmm.. Of all things...
>
>'sendmailconfig', then either:
>
>/etc/init.d/sendmail reload
>
>Or
>
>/etc/init.d/sendmail stop
>/etc/init.d/sendmail start
>
>Would not start sendmail with 2 separate queues. However upon reboot, it
>worked. Go figure. Now on to mailscanner issues :(

No, because that is your original 1-queue sendmail startup script. You need
to run /etc/init.d/MailScanner restart to do what you want.
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From raymond at PROLOCATION.NET Wed Oct 1 10:38:30 2003
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:20:19 2006
Subject: SA causing fault again
In-Reply-To: <009301c387f8$d4db8020$3900a8c0@Daniel>
Message-ID:

Hi!

> nobody really replying to my mails...anyway...i found out that
> mailscanner is complaining of unable to locate SA installtion and even after
> installing spamassassin 2.60-1 from rpms, it still didn't work. tried
> installing from tar.gz format but having problems installing...due to perl
> stuff...

That's most likely where your problems are. You asked a question that was
asked at least 3 times last week. Don't be surprised if people stop
answering those.

Bye,
Raymond.

From mailscanner at BARENDSE.TO Wed Oct 1 10:41:04 2003
From: mailscanner at BARENDSE.TO (Remco Barendse)
Date: Thu Jan 12 21:20:19 2006
Subject: Message Content Protection
Message-ID:

I am currently trying to use the MCP feature of MailScanner. I have upgraded
to SpamAssassin 2.6 and am using the latest version of MS.

The maillog mentions that it is starting MCP checks but then nothing is
happening.

I want to use MCP to filter out Delivery Status Reports (read receipt, not
read, etc.)

Attached is the rules file I created, below is what I have in my
MailScanner.conf. Maybe I have just made a complete mess of the rules files
as there seems to be no message whatsoever in the maillog that anything
failed!

Also am I correct that there is no way to suppress the sender MCP report? I
want to suppress these messages originating from our own organization, and
don't want any reports returned.

%mcp-dir% = /etc/MailScanner/mcp
MCP Checks = yes
MCP Required SpamAssassin Score = 1
MCP High SpamAssassin Score = 99
MCP Error Score = 1
MCP Header = X-MailScanner-MCPCheck:
Non MCP Actions = deliver
MCP Actions = deliver
High Scoring MCP Actions = delete forward root@linuxgw.ecem.com
Is Definitely MCP = no
Is Definitely Not MCP = no
Definite MCP Is High Scoring = no
Always Include MCP Report = no
Detailed MCP Report = yes
Include Scores In MCP Report = yes
Log MCP = yes
MCP Max SpamAssassin Timeouts = 20
MCP Max SpamAssassin Size = 100000
MCP SpamAssassin Timeout = 10
MCP SpamAssassin Prefs File = %mcp-dir%/mcp.spam.assassin.prefs.conf
MCP SpamAssassin User State Dir =
MCP SpamAssassin Local Rules Dir = %mcp-dir%
MCP SpamAssassin Default Rules Dir = %mcp-dir%
MCP SpamAssassin Install Prefix = %mcp-dir%
Sender MCP Report = %report-dir%/en/sender.mcp.report.txt
-------------- next part --------------
#
# This is where the rules can go for the Message Content Protection system.
# Any *.cf file in this directory will be used, so organise them as you like.
#
# For details on the format of all this, read
# man Mail::SpamAssassin::Conf
# and look at the *.cf files supplied with SpamAssassin.
#
# Remember this is not for spam detection, it's for content detection.
#

header   BANNED_HRRNL  Subject =~ /Gelezen:/i
describe BANNED_HRRNL  Blocked read DSR
score    BANNED_HRRNL  100

header   BANNED_HRRES  Subject =~ /Leído:/i
describe BANNED_HRRES  Blocked read DSR
score    BANNED_HRRES  100

header   BANNED_HRRPT  Subject =~ /Lida:/i
describe BANNED_HRRPT  Blocked read DSR
score    BANNED_HRRPT  100

header   BANNED_HRREN  Subject =~ /Read:/i
describe BANNED_HRREN  Blocked read DSR
score    BANNED_HRREN  100

header   BANNED_HRRPT2 Subject =~ /Lidas:/i
describe BANNED_HRRPT2 Blocked read DSR
score    BANNED_HRRPT2 100

header   BANNED_HNRNL  Subject =~ /Niet gelezen:/i
describe BANNED_HNRNL  Blocked not read DSR
score    BANNED_HNRNL  100

header   BANNED_HNRES  Subject =~ /No leído:/i
describe BANNED_HNRES  Blocked not read DSR
score    BANNED_HNRES  100

header   BANNED_HNREN  Subject =~ /Not read:/i
describe BANNED_HNREN  Blocked not read DSR
score    BANNED_HNREN  100

body     BANNED_BRRPT2 /Esta é uma confirmação de recebimento do email que você enviou para/i
describe BANNED_BRRPT2 Blocked read DSR
score    BANNED_BRRPT2 100

body     BANNED_BRRPT  /foi lida em/i
describe BANNED_BRRPT  Blocked read DSR
score    BANNED_BRRPT  100

body     BANNED_BRREN  /was read on/i
describe BANNED_BRREN  Blocked read DSR
score    BANNED_BRREN  100

body     BANNED_BNREN  /was deleted without being read/i
describe BANNED_BNREN  Blocked read DSR
score    BANNED_BNREN  100

From raymond at PROLOCATION.NET Wed Oct 1 10:44:58 2003
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:20:19 2006
Subject: Postfix or Sendmail for MS & SA?
In-Reply-To: <5.2.0.9.2.20031001085013.041aa750@imap.ecs.soton.ac.uk>
Message-ID:

Hi!

> If you need some Exim help, I'm sure you could bribe Tony Finch into
> helping you get going. Otherwise, there is a very good book called
> "sendmail Performance Tuning" which will help you get the most out of your
> system.

Or use the FAQ I submitted ... I recently ordered the Exim 4 book, hopefully
in the next few days :)

Bye,
Raymond.
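
An added example, not part of the posts above and not MailScanner or SpamAssassin code: a small Python evaluator for the header/body/score lines of the MCP rules file Remco Barendse posted, scored against the MCP Required (1) and MCP High (99) values from the same post. The sample messages, the ^-anchored rule variant and the assumption that a total at or above a threshold triggers it are constructed for illustration.

```python
import re

# Three rules copied from the posted MCP rules file.
POSTED_RULES = """\
header BANNED_HRREN Subject =~ /Read:/i
score BANNED_HRREN 100
header BANNED_HNREN Subject =~ /Not read:/i
score BANNED_HNREN 100
body BANNED_BRREN /was read on/i
score BANNED_BRREN 100
"""

# Hypothetical tightened variant (an assumption, not from the thread):
# header patterns anchored to the start of the Subject value.
ANCHORED_RULES = """\
header BANNED_HRREN Subject =~ /^Read:/i
score BANNED_HRREN 100
header BANNED_HNREN Subject =~ /^Not read:/i
score BANNED_HNREN 100
"""

# Thresholds from the posted MailScanner.conf.
MCP_REQUIRED = 1.0   # MCP Required SpamAssassin Score
MCP_HIGH = 99.0      # MCP High SpamAssassin Score

RULE_RE = re.compile(
    r"^(?:header\s+(?P<hname>\S+)\s+(?P<field>\S+)\s+=~\s+"
    r"|body\s+(?P<bname>\S+)\s+)"
    r"/(?P<pattern>.*)/(?P<flags>[a-z]*)$"
)
SCORE_RE = re.compile(r"^score\s+(\S+)\s+(-?\d+(?:\.\d+)?)$")


def parse_rules(text):
    """Parse header/body/score lines; describe lines and comments are skipped."""
    rules, scores = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if m:
            name = m.group("hname") or m.group("bname")
            flags = re.IGNORECASE if "i" in m.group("flags") else 0
            rules[name] = {
                "field": m.group("field"),  # None for body rules
                "regex": re.compile(m.group("pattern"), flags),
            }
            continue
        m = SCORE_RE.match(line)
        if m:
            scores[m.group(1)] = float(m.group(2))
    for name, rule in rules.items():
        rule["score"] = scores.get(name, 1.0)  # 1.0 when no score line exists
    return rules


def evaluate(rules, headers, body):
    """Return (total score, names of rules that hit) for one message."""
    total, hits = 0.0, []
    for name, rule in rules.items():
        if rule["field"] is None:
            target = body
        else:
            target = headers.get(rule["field"], "")
        if rule["regex"].search(target):
            hits.append(name)
            total += rule["score"]
    return total, hits


def classify(total):
    """Map a total to the category that selects the configured action."""
    if total >= MCP_HIGH:
        return "high-scoring MCP"   # High Scoring MCP Actions = delete forward ...
    if total >= MCP_REQUIRED:
        return "MCP"                # MCP Actions = deliver
    return "not MCP"                # Non MCP Actions = deliver


# Constructed sample messages: (headers, body).
SAMPLES = [
    ({"Subject": "Read: Budget review"}, "Your message was read on Wednesday."),
    ({"Subject": "Thread: Q3 planning"}, "Agenda attached."),
    ({"Subject": "Not read: Budget review"},
     "Your message was deleted without being read."),
]

if __name__ == "__main__":
    for label, text in (("posted", POSTED_RULES), ("anchored", ANCHORED_RULES)):
        rules = parse_rules(text)
        for headers, body in SAMPLES:
            total, hits = evaluate(rules, headers, body)
            print(label, repr(headers["Subject"]), total, hits, classify(total))
```

With the posted unanchored patterns, an ordinary subject such as "Thread: Q3 planning" contains "read:" and lands in the high-scoring category, whose configured action includes delete.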

From kfliong at WOFS.COM Wed Oct 1 11:02:04 2003
From: kfliong at WOFS.COM (kfliong)
Date: Thu Jan 12 21:20:19 2006
Subject: mailscanner and sendmail dilemma
In-Reply-To: <5.2.0.9.2.20031001102303.043ef380@imap.ecs.soton.ac.uk>
References: <018401c387d4$31d70ee0$3900a8c0@Daniel>
Message-ID: <5.2.1.1.0.20031001175211.030e8d98@192.168.10.2>

Hi all,

I know this doesn't seems to be the correct channel to ask for help but I am
out of options. The message below I posted to rackshack (my webserver host)
forum but no one replied after 3 days. I am now posting it here hoping that
the experts here will be able to shed some light into solving my problem.

It's quite long so please bear with me. Thanks in advance.

--------------

I am having a problem with sendmail and mailscanner. My problem is that some
of my mails go through sendmail and some through mailscanner. Those that go
through sendmail do not get filter. So, I am still getting lots of spams and
virus.

Here is my story :

I have redhat 7.2 with ensim 3.1.10.

I previously configured procmail to fight spams and virus. Then I found out
about mailscanner. Then I installed mailscanner (not sure if I removed
procmail correctly as too long ago). I followed the guide in the forum
how-to to install mailscanner (MS)+f-prot+spamassassin (SA).

After installing this, it works great. I stop getting spams and virus. Not
long after that, something dreadful happened. What happened, I can only
describe from my memory which is kinda blurry on which event happens first.
I'll try to list them in the correct order.

I then installed a software called mailwatch. It was at version 0.1 beta.
Installing this software require me to edit the CustomConfig.pm file. Not
sure if this will affect mailscanner in any way. Still running fine. One
day, my server crashed. Not sure what happened. The whole email system got
affected. Nobody can login to email to check mails. Not even login to ssh.
Only admin and root can login.
But websites seems to be still working. I tried and tried and then not even
admin login works. It took a few days for rackshack tech to bring it back
up. I am not sure what they did as they wouldn't tell me even after I keep
pestering them. But I think they did some sort of restore as all the root,
admin, ensim password was reset.

So, I re-installed mailscanner. This time using mailscanner+clamav+SA howto
(which is btw a great howto). I am not sure if I removed the previous
mailscanner combo correctly. Then mails starting to act weird. A lot of
users are getting mails <<>> in the mails. After searching around and
tailing the maillog and some help, i think this problem is due to
mailscanner and sendmail both fighting to handle the mail and eventually the
message got deleted and being send to the recipient. After trying to
re-install mailscanner, i still have this problem. Eventually, after a few
weeks, this problem went away. I don't know what I did (too many to
remember) but it did go away. But I still have problem of some mails being
handled between sendmail and MS.

Then I upgraded MS, clamav and SA hoping that it will solve this problem.
No good. Still have. I even upgraded to mailwatch to 0.3 (if it's anything
to do with it). Still having some mails being handled by MS and sendmail.
Mailwatch seems to be working fine aside from the virus report not working.

Anyone have solution to this? I really need some expertise here. Should I
remove MS+clamav+SA totally and re-install? How to clean them completely? I
am waiting for ensim to create the security patch for sendmail which have
the buffer overflow bug. But I guess this does not have anything to do with
my problem.

What about sendmail.cf file? Is there something I should look inside?
CustomConfig.pm? should I delete mailwatch which I am not sure is affecting
this. BTW, mailwatch is a program that monitors the emails and then create a
database to show the stats of emails through a webgui.

Thanks for reading my long problem. But if I don't solve this, it will
become longer. Also please bear in mind that in the period of having this
problem unresolved, I also did some upgrade on other part of the system such
as mysql, php, mysqladmin and so on.

Any suggestion is highly appreciated. Thanks in advance.

From steve.freegard at LBSLTD.CO.UK Wed Oct 1 11:54:44 2003
From: steve.freegard at LBSLTD.CO.UK (Steve Freegard)
Date: Thu Jan 12 21:20:19 2006
Subject: mailscanner and sendmail dilemma
Message-ID: <67D9E7698329D411936E00508B6590B902773B34@neelix.lbsltd.co.uk>

Hello,

Can you post the output of the following commands (as root):

chkconfig --list sendmail
chkconfig --list MailScanner

Then, try running the following:

service MailScanner stop
service sendmail stop

wait for a minute then check the output of 'ps ax' to make sure no sendmail
or MailScanner processes remain (kill then with 'kill -HUP ' if they do),
then restart MailScanner:

service MailScanner start

then post the relevant lines from /var/log/maillog showing the MailScanner
startup and the processing of a test message through mailscanner.

Then maybe it'll be obvious to me or someone else as to what is up with your
set-up.

Kind regards,
Steve.

--
This email and any files transmitted with it are confidential and intended
solely for the use of the individual or entity to whom they are addressed.
If you have received this email in error please notify the sender and delete
the message from your mailbox.

This footnote also confirms that this email message has been swept by
MailScanner (www.mailscanner.info) for the presence of computer viruses.
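
The checks Steve Freegard asks for above, as an added Python example that is not part of the thread: it reads saved output of chkconfig --list and ps ax, reports the runlevels in which both the stock sendmail service and MailScanner are enabled, and lists any sendmail or MailScanner processes still alive after both services were stopped. The sample outputs are constructed, and treating "both on in the same runlevel" as the fault is an assumption drawn from Julian Field's earlier reply that /etc/init.d/sendmail is the original one-queue startup script.

```python
import os
import re

# Constructed sample (not from the thread): both services enabled in 3-5.
SAMPLE_CHKCONFIG = """\
sendmail        0:off   1:off   2:on    3:on    4:on    5:on    6:off
MailScanner     0:off   1:off   2:off   3:on    4:on    5:on    6:off
"""

# Constructed `ps ax` output taken after stopping both services.
SAMPLE_PS = """\
  PID TTY      STAT   TIME COMMAND
    1 ?        S      0:04 init
 1843 ?        S      0:00 sendmail: accepting connections
 1852 ?        S      0:00 sendmail: Queue runner@00:15:00 for /var/spool/mqueue
 2210 ?        S      0:01 /usr/sbin/httpd
 2307 pts/0    S      0:00 grep sendmail
"""


def parse_chkconfig(text):
    """Return {service: set of runlevels in which the service is 'on'}."""
    services = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 2:
            continue
        levels = set()
        for field in fields[1:]:
            m = re.fullmatch(r"(\d):(on|off)", field)
            if m and m.group(2) == "on":
                levels.add(int(m.group(1)))
        services[fields[0]] = levels
    return services


def conflicting_runlevels(text, mta="sendmail", scanner="MailScanner"):
    """Runlevels where the stock MTA service and MailScanner are both enabled."""
    services = parse_chkconfig(text)
    return sorted(services.get(mta, set()) & services.get(scanner, set()))


def leftover_processes(ps_text, names=("sendmail", "MailScanner")):
    """Return [(pid, command)] for matching processes still in `ps ax` output."""
    found = []
    for line in ps_text.splitlines():
        parts = line.split(None, 4)
        if len(parts) < 5 or not parts[0].isdigit():
            continue  # header line or malformed row
        command = parts[4]
        # Compare basenames so "sendmail:" titles and full paths both match,
        # while files such as sendmail.cf do not.
        tokens = [os.path.basename(t).rstrip(":") for t in command.split()]
        if tokens[0] == "grep":
            continue  # the grep used to search the process list
        if any(t in names for t in tokens):
            found.append((int(parts[0]), command))
    return found


def diagnose(chkconfig_text, ps_text):
    """Collect human-readable findings from both command outputs."""
    findings = []
    levels = conflicting_runlevels(chkconfig_text)
    if levels:
        findings.append(
            "sendmail and MailScanner are both enabled in runlevels %s"
            % ",".join(str(n) for n in levels)
        )
    for pid, command in leftover_processes(ps_text):
        findings.append("still running after stop: pid %d (%s)" % (pid, command))
    return findings


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_CHKCONFIG, SAMPLE_PS):
        print(finding)
```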

From michele at BLACKNIGHTSOLUTIONS.COM Wed Oct 1 12:03:53 2003
From: michele at BLACKNIGHTSOLUTIONS.COM (Michele Neylon :: Blacknight Solutions)
Date: Thu Jan 12 21:20:19 2006
Subject: mailscanner and sendmail dilemma
In-Reply-To: <67D9E7698329D411936E00508B6590B902773B34@neelix.lbsltd.co.uk>
Message-ID: <200310011103.h91B3hq14017@camelot.blacknightsolutions.com>

It sounds to me like sendmail is running as well as mailscanner.
You would need to stop sendmail running independently and edit the startup
scripts so that it runs from mailscanner

Mr. Michele Neylon
Blacknight Solutions
http://www.blacknightsolutions.ie/
http://www.search.ie/
Probably the cheapest ie's in Ireland
Tel. +353 (0)59 9139897
Fax. +353 (0)59 9139897

#########################################################
This message (and any attachment) is intended only for the recipient and may
contain confidential and/or privileged material. If you have received this
in error, please contact the sender and delete this message immediately.
Disclosure, copying or other action taken in respect of this email or in
reliance to it is prohibited.

From David.While at UCE.AC.UK Wed Oct 1 11:28:15 2003
From: David.While at UCE.AC.UK (David While)
Date: Thu Jan 12 21:20:19 2006
Subject: mailscanner and sendmail dilemma
Message-ID: <107DE25EC0216C45AEF670016024245F6F46@exchangea.staff.uce.ac.uk>

Sounds to me like you still have Sendmail running as well as MailScanner.

You should stop MailScanner (using service MailScanner stop or similar) and
then do a ps -ax|grep sendmail - if you have sendmail processes running then
you should kill them off.

Once done then restart MailScanner and all should be well.

-----------------------------------------------------------------
David While
Technical Development Manager
Faculty of Computing, Information & English
University of Central England
Tel: 0121 331 6211
-----------------------------------------------------------------

-----Original Message-----
From: kfliong [mailto:kfliong@WOFS.COM]
Sent: 01 October 2003 11:02
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: mailscanner and sendmail dilemma

Hi all,

I know this doesn't seems to be the correct channel to ask for help but I am
out of options.
The message below I posted to rackshack (my webserver host) forum but no one replied after 3 days. I am now posting it here hoping that the experts here will be able to shed some light into solving my problem. It's quite long so please bear with me. Thanks in advance. -------------- I am having a problem with sendmail and mailscanner. My problem is that some of my mails go through sendmail and some through mailscanner. Those that go through sendmail do not get filter. So, I am still getting lots of spams and virus. Here is my story : I have redhat 7.2 with ensim 3.1.10. I previously configured procmail to fight spams and virus. Then I found out about mailscanner. Then I installed mailscanner (not sure if I removed procmail correctly as too long ago). I followed the guide in the forum how-to to install mailscanner (MS)+f-prot+spamassassin (SA). After installing this, it works great. I stop getting spams and virus. Not long after that, something dreadful happened. What happened, I can only describe from my memory which is kinda blurry on which event happens first. I'll try to list them in the correct order. I then installed a software called mailwatch. It was at version 0.1 beta. Installing this software require me to edit the CustomConfig.pm file. Not sure if this will affect mailscanner in anyway. Still running fine. One day, my server crashed. Not sure what happened. The whole email system got affected. Nobody can login to email to check mails. Not even login to ssh. Only admin and root can login. But websites seems to be still working. I tried and tried and then not even admin login works. It took a few days for rackshack tech to bring it back up. I am not sure what they did as they wouldn't tell me even after I keep pestering them. But I think they did somesort of restore as all the root, admin, ensim password was reset. So, I re-installed mailscanner. This time using mailscanner+clamav+SA howto (which is btw a great howto). 
I am not sure if I removed the previous mailscanner combo correctly. Then mails stating to act weird. A lot of users are getting mails <<>> in the mails. After searching around and tailling the maillog and some help, i think this problem is due to mailscanner and sendmail both fighting to handle the mail and eventually the message got deleted and being send to the recipient. After trying to re-install mailscanner, i still have this problem. Eventually, after a few weeks, this problem went away. I don't know what I did (too many to remember) but it did go away. But I still have problem of some mails being handled between sendmail and MS. Then I upgraded MS, clamav and SA hoping that it will solve this problem. No good. Still have. I even upgraded to mailwatch to 0.3 (if it's anything to do with it). Still having some mails being handled by MS and sendmail. Mailwatch seems to be working fine aside from the virus report not working. Anyone have solution to this? I really need some expertise here. Should I remove MS+clamav+SA totally and re-install? How to clean them completely? I am waiting for ensim to create the security patch for sendmail which have the buffer overflow bug. But I guess this does not have anything to do with my problem. What about sendmail.cf file? Is there something I should look inside? CustomConfig.pm? should I delete mailwatch which I am not sure is affecting this. BTW, mailwatch is a program that monitors the emails and then create a database to show the stats of emails through a webgui. Thanks for reading my long problem. But if I don't solve this, it will become longer. Also please bear in mind that in the period of having this problem unresolved, I also did some upgrade on other part of the system such as mysql, php, mysqladmin and so on. Any suggestion is highly appreciated. Thanks in advance. 
From Kevin.Spicer at BMRB.CO.UK Wed Oct 1 12:59:10 2003 From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin) Date: Thu Jan 12 21:20:19 2006 Subject: Strip HTML weirdness Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0A4AE09@pascal.priv.bmrb.co.uk> I'm getting complaints from users about the striphtml action. It seems that the URL's stripped from tags are getting truncated - which means that users can't follow the links (they are Outlook users, and Outlook presents URLS as links even in text) when they receive a false positive. Does anyone know if this is by accident or design? BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. From mailscanner at BARENDSE.TO Wed Oct 1 13:28:37 2003 From: mailscanner at BARENDSE.TO (Remco Barendse) Date: Thu Jan 12 21:20:19 2006 Subject: dcc /var/dcc/map file corrupted Message-ID: It seems that somehow my dcc /var/dcc/map and /var/dcc/map.txt got corrupted. I deleted both files but DCC does not automatically re-create them. I have tried reinstalling dcc but this does not create those 2 files either :( Anybody know where to find them? Thanks! 
From michele at BLACKNIGHTSOLUTIONS.COM Wed Oct 1 13:36:57 2003 From: michele at BLACKNIGHTSOLUTIONS.COM (Michele Neylon :: Blacknight Solutions) Date: Thu Jan 12 21:20:19 2006 Subject: dcc /var/dcc/map file corrupted In-Reply-To: Message-ID: <200310011236.h91CakE02734@camelot.blacknightsolutions.com> I had a similar problem If you remove the entire /var/dcc directory and install dcc from scratch your problems will vanish :-) Mr. Michele Neylon Blacknight Solutions http://www.blacknightsolutions.ie/ http://www.search.ie/ Probably the cheapest ie's in Ireland Tel. +353 (0)59 9139897 Fax. +353 (0)59 9139897 > -----Original Message----- > From: MailScanner mailing list > [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Remco Barendse > Sent: 01 October 2003 13:29 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: dcc /var/dcc/map file corrupted > > It seems that somehow my dcc /var/dcc/map and > /var/dcc/map.txt got corrupted. > > I deleted both files but DCC does not automatically re-create > them. I have tried reinstalling dcc but this does not create > those 2 files either :( > > Anybody know where to find them? > > Thanks! > > ######################################################### This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance to it is prohibited. From Kevin.Spicer at BMRB.CO.UK Wed Oct 1 13:37:07 2003 From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin) Date: Thu Jan 12 21:20:19 2006 Subject: dcc /var/dcc/map file corrupted Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0016496EC@pascal.priv.bmrb.co.uk> Remco Barendse wrote: > It seems that somehow my dcc /var/dcc/map and /var/dcc/map.txt got > corrupted. > > I deleted both files but DCC does not automatically re-create them. 
I > have tried reinstalling dcc but this does not create those 2 files > either :( > > Anybody know where to find them? > > Thanks! Delete everything in /var/dcc (or move the directory) then reinstall dcc. BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. From anders.andersson at LTKALMAR.SE Wed Oct 1 15:00:27 2003 From: anders.andersson at LTKALMAR.SE (Anders Andersson, IT) Date: Thu Jan 12 21:20:19 2006 Subject: Updated swedish report files Message-ID: Hi Thoguht I should do an update on the swedish report files. I would really like some response from swedish users if there is something they dont like. There are some small difference in some text parts but I need feedback which one you consider to be the best before I send it to Julian, so pls message me asap if you think something needs to be changed /Anders -------------- next part -------------- A non-text attachment was scrubbed... 
Name: swedish.tar Type: application/octet-stream Size: 30720 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20031001/cb593297/swedish.obj From mailscanner at ecs.soton.ac.uk Wed Oct 1 14:55:03 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:20:19 2006 Subject: Strip HTML weirdness In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB0A4AE09@pascal.priv.bmrb.co .uk> Message-ID: <5.2.0.9.2.20031001145240.0469f1e8@imap.ecs.soton.ac.uk> At 12:59 01/10/2003, you wrote: >I'm getting complaints from users about the striphtml action. It seems >that the URL's stripped from tags are getting truncated - which means >that users can't follow the links (they are Outlook users, and Outlook >presents URLS as links even in text) when they receive a false >positive. Does anyone know if this is by accident or design? Can you make sure they are not very long URLs that are being split into multiple lines by Outlook? -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From ugob at CAMO-ROUTE.COM Wed Oct 1 14:20:14 2003 From: ugob at CAMO-ROUTE.COM (Ugo Bellavance) Date: Thu Jan 12 21:20:19 2006 Subject: skipped, still being delivered Message-ID: <54C38A0B814C8E438EF73FC76F3629273ADF43@mtlnt501fs.CAMOROUTE.COM> Hi, I got a few of these in my logs: "skipped, still being delivered", and the messages is delivered without body. Any ideas? Thanks, -------------- Ugo Bellavance Camo-route Inc. ugob@camo-route.com 514-593-5811 From Kevin.Spicer at BMRB.CO.UK Wed Oct 1 15:22:28 2003 From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin) Date: Thu Jan 12 21:20:19 2006 Subject: Strip HTML weirdness Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0A4AE0B@pascal.priv.bmrb.co.uk> Julian Field wrote: > Can you make sure they are not very long URLs that are being split > into multiple lines by Outlook? 
No, thats not the case, heres a short extract from the particular mail thats generated complaints (lots of my users are on this list). A couple of curious things 1) The urls are truncated, 2) The URLS are surrounded by <>. The message was tagged as spam and converted to an attachment, but was low scoring spam - which is not set to be stripped - although it looks from the logs that it also triggered one of the dangerous html rules (which are set to strip content). I think the original is online here http://www.bmra.org.uk/mrbusiness/index.asp (although the links are relative in the source of that). MESSAGE EXTRACT FOLLOWS.... 30 September 2003 Issue 25 print search for in --Whole Site-- Sep 2003 Ezine 25 Sep 2003 Ezine 24 Jul 2003 Ezine 23 Jun 2003 Ezine 22 May 2003 Ezine 21 Apr 2003 Ezine 20 submit BMRA frontpage archive contact subscribe calendar BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. From ugob at CAMO-ROUTE.COM Wed Oct 1 15:37:22 2003 From: ugob at CAMO-ROUTE.COM (Ugo Bellavance) Date: Thu Jan 12 21:20:19 2006 Subject: virus actions Message-ID: <54C38A0B814C8E438EF73FC76F362927313261@mtlnt501fs.CAMOROUTE.COM> Hi, I'm a bit confused about how to achieve my goal, with respect to virus message warnings. I don't want my users to receive anything, unless an attachment has been cleaned. To sum up, I don't want them to know when MS stops a virus, but only when it cleaned it. 
Thanks, -------------- Ugo Bellavance Camo-route Inc. ugob@camo-route.com 514-593-5811 From ugob at CAMO-ROUTE.COM Wed Oct 1 15:42:02 2003 From: ugob at CAMO-ROUTE.COM (Ugo Bellavance) Date: Thu Jan 12 21:20:19 2006 Subject: skipped, still being delivered Message-ID: <54C38A0B814C8E438EF73FC76F362927313262@mtlnt501fs.CAMOROUTE.COM> Well, don't worry too much, since I've not been very dilligent. I'm quite sure that this happens when my server is very overloaded. We don't have enough money yet to buy decent hardware for the MS box, so I assume the risk I'm taking. I prevented my users that if they ever get a blank message, to ask back the sender for another copy. That is the only trouble I have, besides slow processing. I should have decent available hardware soon :). Thanks, > -----Message d'origine----- > De : Julian Field [mailto:mailscanner@ECS.SOTON.AC.UK] > Envoy? : Wednesday, October 01, 2003 10:23 AM > ? : MAILSCANNER@JISCMAIL.AC.UK > Objet : Re: skipped, still being delivered > > > Great :( > In this case, I really don't know what is going on. Postfix > generates the > error when it tries to open a message to find it is already locked by > something else. I have been *extremely* careful and paranoid about the > locking and have made sure the file is unlocked before it is > put in the > queue. So how this is still happening beats me. > Sorry. > > At 14:20 01/10/2003, you wrote: > >Hi, > > > > I got a few of these in my logs: "skipped, still being > > delivered", and the messages is delivered without body. Any ideas? > > > >Thanks, > > > >-------------- > >Ugo Bellavance > >Camo-route Inc. 
> >ugob@camo-route.com > >514-593-5811 > > -- > Julian Field > www.MailScanner.info > MailScanner thanks transtec Computers for their support > From mailscanner at ecs.soton.ac.uk Wed Oct 1 15:22:40 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:20:19 2006 Subject: skipped, still being delivered In-Reply-To: <54C38A0B814C8E438EF73FC76F3629273ADF43@mtlnt501fs.CAMOROUT E.COM> Message-ID: <5.2.0.9.2.20031001152131.0423cec0@imap.ecs.soton.ac.uk> Great :( In this case, I really don't know what is going on. Postfix generates the error when it tries to open a message to find it is already locked by something else. I have been *extremely* careful and paranoid about the locking and have made sure the file is unlocked before it is put in the queue. So how this is still happening beats me. Sorry. At 14:20 01/10/2003, you wrote: >Hi, > > I got a few of these in my logs: "skipped, still being > delivered", and the messages is delivered without body. Any ideas? > >Thanks, > >-------------- >Ugo Bellavance >Camo-route Inc. >ugob@camo-route.com >514-593-5811 -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From chicks at CHICKS.NET Wed Oct 1 15:48:14 2003 From: chicks at CHICKS.NET (Christopher Hicks) Date: Thu Jan 12 21:20:19 2006 Subject: skipped, still being delivered In-Reply-To: <5.2.0.9.2.20031001152131.0423cec0@imap.ecs.soton.ac.uk> Message-ID: On Wed, 1 Oct 2003, Julian Field wrote: > Great :( > In this case, I really don't know what is going on. Postfix generates the > error when it tries to open a message to find it is already locked by > something else. I have been *extremely* careful and paranoid about the > locking and have made sure the file is unlocked before it is put in the > queue. So how this is still happening beats me. > Sorry. Could it be the order files are being copied? -- No, no, you're not thinking, you're just being logical. 
-Niels Bohr, physicist (1885-1962)

From TGFurnish at HERFF-JONES.COM Wed Oct 1 16:00:02 2003
From: TGFurnish at HERFF-JONES.COM (Furnish, Trever G)
Date: Thu Jan 12 21:20:19 2006
Subject: whitelist issues
Message-ID: <8FFC76593085ED4A80D3601BC41EFCDF0C0804@inex1.herffjones.hj-int>

> -----Original Message-----
> From: Bret Hughes [mailto:bhughes@ELEVATING.COM]
> Sent: Tuesday, September 30, 2003 11:37 PM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: whitelist issues {Scanned by HJMS}
>
> [root@mail1 rules]# cat spam.whitelist.rules
> # This is where you can build a Spam WhiteList
> # Addresses matching in here, with the value
> # "yes" will never be marked as spam.
> #From: 152.78. yes
> #From: 130.246. yes
> To: MAILSCANNER@JISCMAIL.AC.UK yes
> FromOrTo: default no
>
> in MailScanner.conf:
> [root@mail1 MailScanner]# grep rules-dir MailScanner.conf
> %rules-dir% = /etc/MailScanner/rules
> Is Definitely Not Spam = %rules-dir%/spam.whitelist.rules

I think you're confused about the difference between the address used to deliver the message and the address listed in the headers (which are inside the message). MailScanner sees the address used to deliver the message - ie in this case probably bhughes@elevating.com. That's how the message reaches you and that's what you would have to put in your whitelist (which would obviously be a bad thing - no more filtering for you).

In effect when your mail server receives the message it is neither To nor From the list address - it is To you From whoever sent it.

When the message is delivered to a mailbox and a MUA (Eudora, Pine, Outlook) opens it, the MUA displays the headers inside the message and behaves as prescribed by those headers. For example, the replies go to the list, the To appears to be the list address, errors go to another address, etc.

I don't think you can use MailScanner's whitelists to match the headers inside the message, so it seems like you're stuck filtering on the sender ip address.

-t.
PS: Hopefully I'm completely wrong and someone will correct me. :-) From Antony at SOFT-SOLUTIONS.CO.UK Wed Oct 1 16:21:53 2003 From: Antony at SOFT-SOLUTIONS.CO.UK (Antony Stone) Date: Thu Jan 12 21:20:19 2006 Subject: virus actions In-Reply-To: <54C38A0B814C8E438EF73FC76F362927313261@mtlnt501fs.CAMOROUTE.COM> References: <54C38A0B814C8E438EF73FC76F362927313261@mtlnt501fs.CAMOROUTE.COM> Message-ID: <200310011522.h91FM3E17692@agate.rockstone.co.uk> On Wednesday 01 October 2003 3:37 pm, Ugo Bellavance wrote: > Hi, > > I'm a bit confused about how to achieve my goal, with respect to > virus message warnings. I don't want my users to receive anything, unless > an attachment has been cleaned. To sum up, I don't want them to know when > MS stops a virus, but only when it cleaned it. I can't suggest a way to achieve what you describe, but I would ask how often you think this is likely to happen at all? In other words, how often do you see emails containing a virus, plus something else which is worth sending on to the recipient after cleaning out the virus? I think it is so infrequent that you may as well ignore it and simply send on nothing to the recipient when a virus is detected. Regards, Antony. -- Perfection in design is achieved not when there is nothing left to add, but rather when there is nothing left to take away. - Antoine de Saint-Exupery From ugob at CAMO-ROUTE.COM Wed Oct 1 16:24:42 2003 From: ugob at CAMO-ROUTE.COM (Ugo Bellavance) Date: Thu Jan 12 21:20:19 2006 Subject: virus actions Message-ID: <54C38A0B814C8E438EF73FC76F3629273ADF4B@mtlnt501fs.CAMOROUTE.COM> > > Hi, > > > > I'm a bit confused about how to achieve my goal, > with respect to > > virus message warnings. I don't want my users to receive > anything, unless > > an attachment has been cleaned. To sum up, I don't want > them to know when > > MS stops a virus, but only when it cleaned it. 
>
> I can't suggest a way to achieve what you describe, but I
> would ask how often
> you think this is likely to happen at all?
>
> In other words, how often do you see emails containing a virus, plus
> something else which is worth sending on to the recipient
> after cleaning out
> the virus?
>
> I think it is so infrequent that you may as well ignore it
> and simply send on
> nothing to the recipient when a virus is detected.
>
> Regards,
>
> Antony.

I agree, but how do I tell MailScanner not to send warnings to recipients, but still send warnings to admin & sender?

Thanks,

From Antony at SOFT-SOLUTIONS.CO.UK Wed Oct 1 16:37:18 2003
From: Antony at SOFT-SOLUTIONS.CO.UK (Antony Stone)
Date: Thu Jan 12 21:20:19 2006
Subject: virus actions
In-Reply-To: <54C38A0B814C8E438EF73FC76F3629273ADF4B@mtlnt501fs.CAMOROUTE.COM>
References: <54C38A0B814C8E438EF73FC76F3629273ADF4B@mtlnt501fs.CAMOROUTE.COM>
Message-ID: <200310011537.h91FbSE17703@agate.rockstone.co.uk>

On Wednesday 01 October 2003 4:24 pm, Ugo Bellavance wrote:

> > In other words, how often do you see emails containing a virus, plus
> > something else which is worth sending on to the recipient
> > after cleaning out the virus?
> >
> > I think it is so infrequent that you may as well ignore it
> > and simply send on nothing to the recipient when a virus is detected.

> I agree, but how do I tell MailScanner not to send warnings to recipients,
> but still send warnings to admin & sender?

Notify Senders = yes
Notices To = admin@domain.com
Deliver Cleaned Messages = no
Deliver Disinfected Files = no

Antony.

--
Never write it in Perl if you can do it in Awk.
Never do it in Awk if sed can handle it.
Never use sed when tr can do the job.
Never invoke tr when cat is sufficient.
Avoid using cat whenever possible.
From mailscanner at ecs.soton.ac.uk Wed Oct 1 16:35:22 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:20:19 2006 Subject: Strip HTML weirdness In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB0A4AE0B@pascal.priv.bmrb.co .uk> Message-ID: <5.2.0.9.2.20031001163353.046fc2d0@imap.ecs.soton.ac.uk> Please can you zip up and send me the entire copy of one of these emails before it has been stripped to text. At 15:22 01/10/2003, you wrote: >Julian Field wrote: > > Can you make sure they are not very long URLs that are being split > > into multiple lines by Outlook? > >No, thats not the case, heres a short extract from the particular mail >thats generated complaints (lots of my users are on this list). A couple >of curious things 1) The urls are truncated, 2) The URLS are surrounded by ><>. The message was tagged as spam and converted to an attachment, but >was low scoring spam - which is not set to be stripped - although it looks >from the logs that it also triggered one of the dangerous html rules >(which are set to strip content). I think the original is online here >http://www.bmra.org.uk/mrbusiness/index.asp (although the links are >relative in the source of that). > >MESSAGE EXTRACT FOLLOWS.... > > > > > > 30 September 2003 Issue 25 > >print search for >in --Whole Site-- Sep 2003 Ezine 25 Sep 2003 Ezine 24 Jul 2003 >Ezine 23 Jun 2003 Ezine 22 May 2003 Ezine 21 Apr 2003 Ezine 20 >submit > > > > > BMRA > > frontpage > > archive > contact > > subscribe > calendar > > > > > > >BMRB International >http://www.bmrb.co.uk >+44 (0)20 8566 5000 >_________________________________________________________________ >This message (and any attachment) is intended only for the >recipient and may contain confidential and/or privileged >material. If you have received this in error, please contact the >sender and delete this message immediately. Disclosure, copying >or other action taken in respect of this email or in >reliance on it is prohibited. 
BMRB International Limited >accepts no liability in relation to any personal emails, or >content of any email which does not directly relate to our >business. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Wed Oct 1 16:29:20 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:20:19 2006 Subject: skipped, still being delivered In-Reply-To: References: <5.2.0.9.2.20031001152131.0423cec0@imap.ecs.soton.ac.uk> Message-ID: <5.2.0.9.2.20031001162912.043c1998@imap.ecs.soton.ac.uk> At 15:48 01/10/2003, you wrote: >On Wed, 1 Oct 2003, Julian Field wrote: > > Great :( > > In this case, I really don't know what is going on. Postfix generates the > > error when it tries to open a message to find it is already locked by > > something else. I have been *extremely* careful and paranoid about the > > locking and have made sure the file is unlocked before it is put in the > > queue. So how this is still happening beats me. > > Sorry. > >Could it be the order files are being copied? There is only 1 file. -- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Wed Oct 1 16:49:21 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:20:19 2006 Subject: Strip HTML weirdness In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB0A4AE0B@pascal.priv.bmrb.co .uk> Message-ID: <5.2.0.9.2.20031001164703.04213ca8@imap.ecs.soton.ac.uk> That is very strange. MailScanner, when stripping HTML to plain text, doesn't surround the links in any punctuation at all, it just puts them in with a space round them so they don't get mingled with the surrounding text. Here's a little example of what is left after processing a short test message: mime-boundary string here Content-type: text/plain; charset="us-ascii" This is an HTML message with a http://www.ecs.soton.ac.uk/ link in it and a link on a line of its own. 
http://soton.ac.uk/ Link number 2 And it also has a very long link in it like http://www.ecs.soton.ac.uk/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaassssssssssssssssssssssssssssssssssssssssssssssdddddddddddddddddddddddddddddddddddfvfffffffffffffffffffffffffffffffffffff.jpg in it. mime-boundary string here As you see, there are no "<>" characters and no truncation. At 15:22 01/10/2003, you wrote: >Julian Field wrote: > > Can you make sure they are not very long URLs that are being split > > into multiple lines by Outlook? > >No, thats not the case, heres a short extract from the particular mail >thats generated complaints (lots of my users are on this list). A couple >of curious things 1) The urls are truncated, 2) The URLS are surrounded by ><>. The message was tagged as spam and converted to an attachment, but >was low scoring spam - which is not set to be stripped - although it looks >from the logs that it also triggered one of the dangerous html rules >(which are set to strip content). I think the original is online here >http://www.bmra.org.uk/mrbusiness/index.asp (although the links are >relative in the source of that). > >MESSAGE EXTRACT FOLLOWS.... > > > > > > 30 September 2003 Issue 25 > >print search for >in --Whole Site-- Sep 2003 Ezine 25 Sep 2003 Ezine 24 Jul 2003 >Ezine 23 Jun 2003 Ezine 22 May 2003 Ezine 21 Apr 2003 Ezine 20 >submit > > > > > BMRA > > frontpage > > archive > contact > > subscribe > calendar > > > > > > >BMRB International >http://www.bmrb.co.uk >+44 (0)20 8566 5000 >_________________________________________________________________ >This message (and any attachment) is intended only for the >recipient and may contain confidential and/or privileged >material. If you have received this in error, please contact the >sender and delete this message immediately. Disclosure, copying >or other action taken in respect of this email or in >reliance on it is prohibited. 
BMRB International Limited
>accepts no liability in relation to any personal emails, or
>content of any email which does not directly relate to our
>business.

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

From dickenson at CFMC.COM Wed Oct 1 16:57:25 2003
From: dickenson at CFMC.COM (Jim Dickenson)
Date: Thu Jan 12 21:20:19 2006
Subject: SpamAssassin Config files
Message-ID:

I am totally confused as to where the various config files for SA are located when using MS.

In /etc/MailScanner/MailScanner.conf there are various options that seem to set some SA options. Additionally there are these lines that point to config files as well.

SpamAssassin Prefs File = %etc-dir%/spam.assassin.prefs.conf
SpamAssassin User State Dir = /var/spool/MailScanner/spamassassin

When I was running SA via procmail there were various files in /etc/mail/spamassassin, for system-wide options, and then in /var/lib/spamassassin there were directories in the form of .prefs that had user_prefs as well as other stuff that were specific to a given user.

I have searched the mail list archive but got more confused. Can someone please explain, or point me to an explanation, about how SA gets configured when run via MS?

TIA,
--
Jim Dickenson
mailto:dickenson@cfmc.com
Computers for Marketing Corporation
http://www.cfmc.com/

From pmb1 at YORK.AC.UK Wed Oct 1 17:00:21 2003
From: pmb1 at YORK.AC.UK (Mike Brudenell)
Date: Thu Jan 12 21:20:19 2006
Subject: Problems with sophossavi and Sophos 3.74
In-Reply-To: <2147483647.1064916076@pippin.york.ac.uk>
References: <2147483647.1064837594@pippin.york.ac.uk> <5.2.1.1.2.20030929210311.03595e70@imap.ecs.soton.ac.uk> <2147483647.1064916076@pippin.york.ac.uk>
Message-ID: <2147483647.1065027621@pippin.york.ac.uk>

Greetings -

Between us the author of the SAVI.pm (Perl-SAVI) module and I have managed to identify the problem, why it occurred for me and not him, and I have had confirmation and a fix from Sophos. Here goes...
THE PROBLEM =========== Sophos have made some extensive changes to their libsavi shared library between versions 3.73 and 3.74 of Sophos Anti-Virus. They compile and build their library using GCC and, unfortunately, made use of a function called moddi3 in their revised code, which "Returns the remainder after dividing two signed quads." 'Unfortunately' because this function appears to be GCC specific: it is provided by the libgcc library, but not the standard C or Maths libraries (at least not on Solaris 8, which is the platform I've been having problems with). This gave rise to my problems: I am using Sun's SUNWSpro C compiler to build the SAVI.pm module, which is linked against the shared libsavi library. When executed this latter attempts to find the code for the moddi3 function in the libraries available to it, can't, and so errors out with the 'unreferenced symbol' error message I reported previously. A simple test to try loading SAVI.pm to check this is to fire up your Perl as follows: perl -MSAVI -e exit This should exit silently and cleanly. However I was getting a failure error message instead. Paul Henson, author of SAVI.pm, suggested that simply recompiling SAVI.pm after installing Sophos 3.74 cured the problem. But this only works if you are using GCC (as it notices the need for moddi3 and pulls a copy in from the static libgcc.a library when compiling). For me recompiling didn't work, as I was using the SUNWSpro compiler, without libgcc being in the standard search path. I have been on the phone to Sophos, who have confirmed the problem and its cause. SOLUTIONS ========= There are various solutions you can consider:- Alternative 1 ------------- Use GCC to recompile SAVI.pm after installing Sophos Anti-Virus 3.74 with its updated libsavi shared library. This should pull in the moddi3 function at compile-time and produce you a working version of SAVI.pm. 
Alternative 2
-------------

If you can't/don't want to use GCC but have a copy of libgcc on your system somewhere add its directory path and a "-l" option to the 'LIBS' definitions in the Makefile.PL file when you're about to build SAVI.pm. For example by adding something like this to its definition string:

    -L/usr/local/gnu/lib/gcc-lib/sparc-sun-solaris2.8/2.95.2 -lgcc

(Of course you'll have to adjust the directory path to suit the location of libgcc.a on your own system.)

Alternative 3
-------------

Don't use the standard Sophos Anti-Virus 3.74 kit from the web download or CD. Instead use the just-released 3.74x version, which apparently includes a libsavi shared library built in the same manner as the 3.73 version, but with most/all of the extras included in 3.74 standard.

I've been given the go-ahead to post to the list the URL from where 3.74x can be downloaded:

I believe releases for other platforms can also be found there using the usual download filenames at the end of the URL. If you are using MajorSophos you can merely change the WEBSITE variable's value.

By installing this version of Sophos Anti-Virus you DON'T need to include the GCC library's path etc when building SAVI.pm (because this version of libsavi doesn't use the infamous moddi3 function).

Note: I understand that the problem will be resolved in a future monthly release of Sophos Anti-Virus, so probably treat the above URL as transient and existing only for the next few weeks.

AND FINALLY...
==============

I was going to go for Alternative 2, but just as I was about to build and install things I got the e-mail from Sophos about 3.74x. I've therefore gone with Alternative 3, which is now running happily.

Cheers,
Mike Brudenell

--
The Computing Service, University of York, Heslington, York Yo10 5DD, UK
Tel:+44-1904-433811 FAX:+44-1904-433740

* Unsolicited commercial e-mail is NOT welcome at this e-mail address.
* From dickenson at CFMC.COM Wed Oct 1 17:04:44 2003 From: dickenson at CFMC.COM (Jim Dickenson) Date: Thu Jan 12 21:20:19 2006 Subject: File ownership Message-ID: In /etc/MailScanner/MailScanner.conf I set the user and group to be smmsp and restarted MS. Incoming email was put into /var/spool/mqueue.in but the owner was root, with group smmsp. The permissions on the inbound mail files were 600 and mail just stacked up in the directory and was not delivered. I am guessing that this is because MS could not read these files. I changed MS.conf to set user to root and the mail was processed. My question is, what controls how the inbound mail files get created so I can fix this problem and set things up the way I would like? -- Jim Dickenson mailto:dickenson@cfmc.com Computers for Marketing Corporation http://www.cfmc.com/ From TGFurnish at HERFF-JONES.COM Wed Oct 1 17:06:44 2003 From: TGFurnish at HERFF-JONES.COM (Furnish, Trever G) Date: Thu Jan 12 21:20:19 2006 Subject: SpamAssassin Config files {Scanned by HJMS} Message-ID: <8FFC76593085ED4A80D3601BC41EFCDF0C0806@inex1.herffjones.hj-int> When spamassassin is used by mailscanner, the spam.assassin.prefs.conf file in the MailScanner configuration directory is what matters. When you, for example, spamassassin -D --lint on the command line different files get used. I would suggest (assuming a typical sendmail install and MailScanner config under /etc/MailScanner) that you do the following: mv /etc/mail/spamassassin/local.cf \ /etc/mail/spamassassin/local.cf-dist ln -s /etc/MailScanner/spam.assassin.prefs.conf \ /etc/mail/spamassassin/local.cf That way when you run sa from the command-line, the mailscanner prefs file will still get used. -t. 
> -----Original Message----- > From: Jim Dickenson [mailto:dickenson@CFMC.COM] > Sent: Wednesday, October 01, 2003 10:57 AM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: SpamAssassin Config files {Scanned by HJMS} > > > I am totally confused as to where the various config files for SA are > located when using MS. > > In /etc/MailScanner/MailScanner.conf there are various > options that seem to > set some SA options. Additionally there are these lines that > point to config > files as well. > > SpamAssassin Prefs File = %etc-dir%/spam.assassin.prefs.conf > > SpamAssassin User State Dir = /var/spool/MailScanner/spamassassin > > > > When I was running SA via procmail there were various files in > /etc/mail/spamassassin, for system-wide options, and then in > /var/lib/spamassassin there were directories in the form of > .prefs > that had user_prefs as well as other stuff that were specific > to a given > user. > > I have searched the mail list archive but got more confused. > > Can someone please explain, or point me to an explanation, > about how SA gets > configured when run via MS? > > > TIA, > -- > Jim Dickenson > mailto:dickenson@cfmc.com > > Computers for Marketing Corporation > http://www.cfmc.com/ > From TGFurnish at HERFF-JONES.COM Wed Oct 1 17:09:19 2003 From: TGFurnish at HERFF-JONES.COM (Furnish, Trever G) Date: Thu Jan 12 21:20:19 2006 Subject: File ownership {Scanned by HJMS} Message-ID: <8FFC76593085ED4A80D3601BC41EFCDF8E1CC3@inex1.herffjones.hj-int> > -----Original Message----- > From: Jim Dickenson [mailto:dickenson@CFMC.COM] > Sent: Wednesday, October 01, 2003 11:05 AM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: File ownership {Scanned by HJMS} > > My question is, what controls how the inbound mail files get > created so I Sendmail. It creates those files, not MailScanner. Not sure whether you can configure sendmail to use different ownership, nor what the ramifications might be if you did. Would be interested to find out though. 
;-) From dickenson at CFMC.COM Wed Oct 1 17:36:53 2003 From: dickenson at CFMC.COM (Jim Dickenson) Date: Thu Jan 12 21:20:19 2006 Subject: SpamAssassin Config files {Scanned by HJMS} In-Reply-To: <8FFC76593085ED4A80D3601BC41EFCDF0C0806@inex1.herffjones.hj-int> Message-ID: Thanks for that tip. That gets rid of part of the problem. There are still many options in the MS.conf file and I do not know if they override the spam.assassin.prefs.conf file or if the sa config file overrides the items in the MS.conf file. Also does anyone know about the user specific preferences? -- Jim Dickenson mailto:dickenson@cfmc.com Computers for Marketing Corporation http://www.cfmc.com/ > From: "Furnish, Trever G" > Reply-To: MailScanner mailing list > Date: Wed, 1 Oct 2003 11:06:44 -0500 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: SpamAssassin Config files {Scanned by HJMS} > > When spamassassin is used by mailscanner, the spam.assassin.prefs.conf file > in the MailScanner configuration directory is what matters. When you, for > example, spamassassin -D --lint on the command line different files get > used. I would suggest (assuming a typical sendmail install and MailScanner > config under /etc/MailScanner) that you do the following: > > mv /etc/mail/spamassassin/local.cf \ > /etc/mail/spamassassin/local.cf-dist > ln -s /etc/MailScanner/spam.assassin.prefs.conf \ > /etc/mail/spamassassin/local.cf > > That way when you run sa from the command-line, the mailscanner prefs file > will still get used. > > -t. > > >> -----Original Message----- >> From: Jim Dickenson [mailto:dickenson@CFMC.COM] >> Sent: Wednesday, October 01, 2003 10:57 AM >> To: MAILSCANNER@JISCMAIL.AC.UK >> Subject: SpamAssassin Config files {Scanned by HJMS} >> >> >> I am totally confused as to where the various config files for SA are >> located when using MS. >> >> In /etc/MailScanner/MailScanner.conf there are various >> options that seem to >> set some SA options. 
Additionally there are these lines that >> point to config >> files as well. >> >> SpamAssassin Prefs File = %etc-dir%/spam.assassin.prefs.conf >> >> SpamAssassin User State Dir = /var/spool/MailScanner/spamassassin >> >> >> >> When I was running SA via procmail there were various files in >> /etc/mail/spamassassin, for system-wide options, and then in >> /var/lib/spamassassin there were directories in the form of >> .prefs >> that had user_prefs as well as other stuff that were specific >> to a given >> user. >> >> I have searched the mail list archive but got more confused. >> >> Can someone please explain, or point me to an explanation, >> about how SA gets >> configured when run via MS? >> >> >> TIA, >> -- >> Jim Dickenson >> mailto:dickenson@cfmc.com >> >> Computers for Marketing Corporation >> http://www.cfmc.com/ >> From Antony at SOFT-SOLUTIONS.CO.UK Wed Oct 1 17:42:53 2003 From: Antony at SOFT-SOLUTIONS.CO.UK (Antony Stone) Date: Thu Jan 12 21:20:19 2006 Subject: Forwarding mail In-Reply-To: References: Message-ID: <200310011643.h91Gh3724063@onyx.rockstone.co.uk> On Wednesday 01 October 2003 5:29 pm, Joe Stuart wrote: > I am trying to setup Mailscanner and spamassasin on a mail server that > is supposed to scan the mail then forward it onto the primary mail > server. Could anyone point me in a direction on how to configure > sendmail to do the forwarding. Put the domains you want to forward mail for into /etc/mail/relay-domains and simply ensure that the DNS records for the domains specify the MailScanner machine in an MX record with a higher value than the MX record for the machine it forwards to. There's a useful guide to this at http://www.sng.ecs.soton.ac.uk/mailscanner/faq.shtml#16 Antony. -- How I want a drink, alcoholic of course, after the heavy chapters involving quantum mechanics. 
- 3.14159265358979 From ka at PACIFIC.NET Wed Oct 1 17:21:27 2003 From: ka at PACIFIC.NET (Ken Anderson) Date: Thu Jan 12 21:20:19 2006 Subject: whitelist issues In-Reply-To: <8FFC76593085ED4A80D3601BC41EFCDF0C0804@inex1.herffjones.hj-int> References: <8FFC76593085ED4A80D3601BC41EFCDF0C0804@inex1.herffjones.hj-int> Message-ID: <3F7AFF07.4070801@pacific.net> Actually mail from this list comes in like this: Oct 1 07:59:53 mail sm-mta[15866]: h91ExqJ5015866: from=, size=1835, class=-30, nrcpts=1, msgid=<8FFC76593085ED4A80D3601BC41EFCDF0C0804@inex1.herffjones.hj-int>, proto=ESMTP, daemon=MTA, relay=mailfilter.pacific.net [63.162.241.9] So, you can whitelist the list, or the domain. There's also some way to get this address into the message header, so this detective work isn't necessary, but I can't recall whether that's a sendmail config, or a MS/SA config change. Anybody? Ken A. Pacific.Net Furnish, Trever G wrote: >>-----Original Message----- >>From: Bret Hughes [mailto:bhughes@ELEVATING.COM] >>Sent: Tuesday, September 30, 2003 11:37 PM >>To: MAILSCANNER@JISCMAIL.AC.UK >>Subject: whitelist issues {Scanned by HJMS} >> >>[root@mail1 rules]# cat spam.whitelist.rules >># This is where you can build a Spam WhiteList >># Addresses matching in here, with the value >># "yes" will never be marked as spam. >>#From: 152.78. yes >>#From: 130.246. yes >>To: MAILSCANNER@JISCMAIL.AC.UK yes >>FromOrTo: default no >> >>in MailScanner.conf: >>[root@mail1 MailScanner]# grep rules-dir MailScanner.conf >>%rules-dir% = /etc/MailScanner/rules >>Is Definitely Not Spam = %rules-dir%/spam.whitelist.rules > > > I think you're confused about the difference between the address used to > deliver the message and the address listed in the headers (which are inside > the message). > > MailScanner sees the address used to deliver the message - ie in this case > probably bhughes@elevating.com. 
That's how the message reaches you and > that's what you would have to put in your whitelist (which would obviously > be a bad thing - no more filtering for you). In effect when your mail > server receives the message it is neither To nor From the list address - it > is To you From whoever sent it. > > When the message is delivered to a mailbox and a MUA (Eudora, Pine, Outlook) > opens it, the MUA displays the headers inside the message and behaves as > prescribed by those headers. For example, the replies go to the list, the > To appears to be the list address, errors go to another address, etc. > > I don't think you can use MailScanner's whitelists to match the headers > inside the message, so it seems like you're stuck filtering on the sender ip > address. > > -t. > > PS: Hopefully I'm completely wrong and someone will correct me. :-) > > From mike at CAMAROSS.NET Wed Oct 1 17:55:09 2003 From: mike at CAMAROSS.NET (Mike Kercher) Date: Thu Jan 12 21:20:19 2006 Subject: Forwarding mail In-Reply-To: Message-ID: <00a401c3883c$c652b430$a51cbdcf@home.middlefinger.net> I do it like this: Say the domain you want to forward mail for is foo.com In /etc/mail/relay-domains: foo.com In /etc/mail/mailertable foo.com esmtp:primary.mail.server hash the files to db cd /etc/mail;make Now, in DNS, I remove the MX record for primary.foo.com and replace it with scanning_host.foo.com That way, ALL mail gets routed to the MS box...and spammers don't get to hit the primary.foo.com Mike > -----Original Message----- > From: MailScanner mailing list > [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Joe Stuart > Sent: Wednesday, October 01, 2003 11:30 AM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Forwarding mail > > > I am trying to setup Mailscanner and spamassasin on a mail > server that is supposed to scan the mail then forward it onto > the primary mail server. Could anyone point me in a direction > on how to configure sendmail to do the forwarding. 
> > Thanks > From jstuart at EDENPR.K12.MN.US Wed Oct 1 17:29:41 2003 From: jstuart at EDENPR.K12.MN.US (Joe Stuart) Date: Thu Jan 12 21:20:19 2006 Subject: Forwarding mail Message-ID: I am trying to setup Mailscanner and spamassasin on a mail server that is supposed to scan the mail then forward it onto the primary mail server. Could anyone point me in a direction on how to configure sendmail to do the forwarding. Thanks From ka at PACIFIC.NET Wed Oct 1 17:44:49 2003 From: ka at PACIFIC.NET (Ken Anderson) Date: Thu Jan 12 21:20:19 2006 Subject: Forwarding mail In-Reply-To: References: Message-ID: <3F7B0481.5030800@pacific.net> That's really a sendmail question, but here's how we do it: The MX for the domain(s) point to MS/SA machine. The MS/SA machine has entries in local-host-names for all domains we accept mail for. Sendmail on MS/SA relays mail to hub using virtusertable entries that point at the hub. --- in sendmail.mc "FEATURE(`virtusertable', `hash /etc/mail/virtusertable')dnl" --- virtusertable looks like this: @domain.com %1@mailhub.domain.com user@someotherdomain.com user@mailhub.domain.com etc.... The first one catches the default domain and forwards mail to the mail hub. The other entries catch virtualuser@otherdomains and forward those to local user mailboxes on the mailhub. Also, the mailhub only accepts SMTP connections from the MS/SA machine, otherwise spammers figure out how to get around your filter. :-( Ken A. Pacific.Net Joe Stuart wrote: > I am trying to setup Mailscanner and spamassasin on a mail server that > is supposed to scan the mail then forward it onto the primary mail > server. Could anyone point me in a direction on how to configure > sendmail to do the forwarding. 
> > Thanks > > From ka at PACIFIC.NET Wed Oct 1 18:25:33 2003 From: ka at PACIFIC.NET (Ken Anderson) Date: Thu Jan 12 21:20:19 2006 Subject: Forwarding mail In-Reply-To: <3F7B0481.5030800@pacific.net> References: <3F7B0481.5030800@pacific.net> Message-ID: <3F7B0E0D.1010005@pacific.net> Antony, Your solution is much simpler and appropriate for most. We have an extra complication that made the way we do forwarding necessary. We had Postini before we had MS/SA, and a few customers would have our heads if they lost their postini 'message center'. But, Postini costs $$$(and has had some issues lately..), so we don't filter all mail there. Postini forwards to our MS/SA machines and then mail gets forwarded on to the mailhub. So, depending on the first MX to fail doesn't really work in our case. Now, I just need to fix up a good user interface for SA rules and managing quarantined mail and we can dump Postini. p.s. your sigs are always a good read! Ken A. Pacific.Net Ken Anderson wrote: > That's really a sendmail question, but here's how we do it: > > The MX for the domain(s) point to MS/SA machine. > The MS/SA machine has entries in local-host-names for all domains we > accept mail for. Sendmail on MS/SA relays mail to hub using > virtusertable entries that point at the hub. > > --- > in sendmail.mc > "FEATURE(`virtusertable', `hash /etc/mail/virtusertable')dnl" > --- > > virtusertable looks like this: > > @domain.com %1@mailhub.domain.com > user@someotherdomain.com user@mailhub.domain.com > etc.... > > The first one catches the default domain and forwards mail to the mail > hub. The other entries catch virtualuser@otherdomains and forward those > to local user mailboxes on the mailhub. > > Also, the mailhub only accepts SMTP connections from the MS/SA machine, > otherwise spammers figure out how to get around your filter. :-( > > Ken A. 
> Pacific.Net
>
>
>
> Joe Stuart wrote:
>
>> I am trying to setup Mailscanner and spamassasin on a mail server that
>> is supposed to scan the mail then forward it onto the primary mail
>> server. Could anyone point me in a direction on how to configure
>> sendmail to do the forwarding.
>>
>> Thanks
>>
>>
>
>

From harryh at CET.COM Wed Oct 1 18:27:29 2003
From: harryh at CET.COM (Harry Hanson)
Date: Thu Jan 12 21:20:19 2006
Subject: Answer: Sendmail configuration on Debian using Mailscanner
In-Reply-To: <5.2.0.9.2.20031001101806.0426e4c0@imap.ecs.soton.ac.uk>
Message-ID: <200310011727.h91HRqr08146@ori.rl.ac.uk>

No, to clarify that was after changing sendmail.conf to

sendmail.conf
DAEMON_PARMS=" -OPrivacyOptions=noetrn -ODeliveryMode=queueonly -OQueueDirectory=/var/spool/mqueue.in";

Which, for various reasons will cause the second queue to start. It was long and I cut out the previous dialog ;p

Some reason reloading sendmail didn't do it, but a reboot did.

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Julian Field
Sent: Wednesday, October 01, 2003 2:19 AM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Answer: Sendmail configuration on Debian using Mailscanner

At 01:15 01/10/2003, you wrote:
>Hmm.. Of all things...
>
>'sendmailconfig', then either:
>
>/etc/init.d/sendmail reload
>
>Or
>
>/etc/init.d/sendmail stop
>/etc/init.d/sendmail start
>
>Would not start sendmail with 2 separate queues. However upon reboot,
>it worked. Go figure. Now on to mailscanner issues :(

No, because that is your original 1-queue sendmail startup script. You need to run

    /etc/init.d/MailScanner restart

to do what you want.
-- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From mailscanner at ecs.soton.ac.uk Wed Oct 1 17:57:21 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:20:19 2006 Subject: File ownership In-Reply-To: Message-ID: <5.2.1.1.2.20031001175703.030bb178@imap.ecs.soton.ac.uk> At 17:04 01/10/2003, you wrote: >In /etc/MailScanner/MailScanner.conf I set the user and group to be smmsp >and restarted MS. Incoming email was put into /var/spool/mqueue.in but the >owner was root, with group smmsp. The permissions on the inbound mail files >were 600 and mail just stacked up in the directory and was not delivered. I >am guessing that this is because MS could not read these files. > >I changed MS.conf to set user to root and the mail was processed. > >My question is, what controls how the inbound mail files get created sendmail. -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support From jstuart at EDENPR.K12.MN.US Wed Oct 1 19:29:46 2003 From: jstuart at EDENPR.K12.MN.US (Joe Stuart) Date: Thu Jan 12 21:20:19 2006 Subject: Forwarding mail Message-ID: >>> mike@CAMAROSS.NET 10/01/03 11:55AM >>> >I do it like this: > >Say the domain you want to forward mail for is foo.com > >In /etc/mail/relay-domains: > >foo.com > >In /etc/mail/mailertable > >foo.com esmtp:primary.mail.server > >hash the files to db > >cd /etc/mail;make > >Now, in DNS, I remove the MX record for primary.foo.com and replace it with >scanning_host.foo.com >That way, ALL mail gets routed to the MS box...and spammers don't get to hit the >primary.foo.com >Mike Thanks for all the input. From Antony at SOFT-SOLUTIONS.CO.UK Wed Oct 1 19:42:14 2003 From: Antony at SOFT-SOLUTIONS.CO.UK (Antony Stone) Date: Thu Jan 12 21:20:19 2006 Subject: Zero-length attachments Message-ID: <200310011842.h91IgO724280@onyx.rockstone.co.uk> Hi. 
I have a suggestion for another MailScanner feature :)

Attachments of zero size cannot possibly be dangerous, and yet they can give rise to messages such as "Executable files are dangerous in emails".

Quite a number of recent viruses which attempt to spread by copying .exe .pif .scr or similar files around have occasionally gone wrong and distributed zero size files instead of the virus.

I think it would be useful to have a MailScanner option along the lines of "Ignore Zero-size Attachments" so that they never give rise to filename alerts (because even if the user opens the attachment and it "executes", there's nothing there to execute, therefore there's nothing worth warning them about).

If the option is left at "No" or is not present then the current behaviour is maintained.

If the option is set at "Yes" then Zero-size attachments bypass the filename, filetype and virus checks (the latter two for efficiency, because there's nothing to bother checking).

Thoughts?

Antony.

--
In science, one tries to tell people in such a way as to be understood by everyone something that no-one ever knew before. In poetry, it is the exact opposite.

- Paul Dirac

From dickenson at CFMC.COM Wed Oct 1 20:06:53 2003
From: dickenson at CFMC.COM (Jim Dickenson)
Date: Thu Jan 12 21:20:19 2006
Subject: SpamAssassin Config files {Scanned by HJMS}
In-Reply-To: <8FFC76593085ED4A80D3601BC41EFCDF0C0807@inex1.herffjones.hj-int>
Message-ID:

See below
--
Jim Dickenson
mailto:dickenson@cfmc.com

Computers for Marketing Corporation
http://www.cfmc.com/

> From: "Furnish, Trever G"
> Reply-To: MailScanner mailing list
> Date: Wed, 1 Oct 2003 13:34:18 -0500
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: SpamAssassin Config files {Scanned by HJMS}
>
>> There are still many options in the MS.conf file and I do not
>> know if they
>> override the spam.assassin.prefs.conf file or if the sa config file
>> overrides the items in the MS.conf file.
>
> What are you referring to by "MS.conf" file?
> If you mean MailScanner.conf,
> those values apply to MailScanner, not to SA. And I'm not sure how they
> would "override" the settings in spam.assassin.prefs.conf since there are no
> attribute names in common. If you want to customize the behavior of SA as
> it is used by MS, then the settings you would normally put into a
> SA-specific file should be put into spam.assassin.prefs.conf.
>

In the MailScanner.conf file there are options like:

Required SpamAssassin Score = 5
SpamAssassin Auto Whitelist = no
SpamAssassin User State Dir = /var/spool/MailScanner/spamassassin

I am guessing that options like this override, modify or otherwise change how SA would work if not run via MailScanner.

>> Also does anyone know about the user specific preferences?
>
> You mean like a per-user bayes database? I think you would have to jump
> through lots of hoops to make that happen but others have asked the same
> question so perhaps someone else will describe what they're doing...
>

Running SA via spamd and procmail this was straight-forward. The MailScanner option "SpamAssassin User State Dir" seems to imply this has something to do with user specific configurations.

I have a couple co-workers that have their own white lists, as an example. This is the primary option I was looking for a way to set on a per user basis.

Thanks for all your answers!

>> -----Original Message-----
>> From: Jim Dickenson [mailto:dickenson@CFMC.COM]
>> Sent: Wednesday, October 01, 2003 11:37 AM
>> To: MAILSCANNER@JISCMAIL.AC.UK
>> Subject: Re: SpamAssassin Config files {Scanned by HJMS}
>>
>>
>> Thanks for that tip. That gets rid of part of the problem.
>>
>> There are still many options in the MS.conf file and I do not
>> know if they
>> override the spam.assassin.prefs.conf file or if the sa config file
>> overrides the items in the MS.conf file.
>>
>> Also does anyone know about the user specific preferences?
>> -- >> Jim Dickenson >> mailto:dickenson@cfmc.com >> >> Computers for Marketing Corporation >> http://www.cfmc.com/ >> >> >> >>> From: "Furnish, Trever G" >>> Reply-To: MailScanner mailing list >>> Date: Wed, 1 Oct 2003 11:06:44 -0500 >>> To: MAILSCANNER@JISCMAIL.AC.UK >>> Subject: Re: SpamAssassin Config files {Scanned by HJMS} >>> >>> When spamassassin is used by mailscanner, the >> spam.assassin.prefs.conf file >>> in the MailScanner configuration directory is what matters. >> When you, for >>> example, spamassassin -D --lint on the command line >> different files get >>> used. I would suggest (assuming a typical sendmail install >> and MailScanner >>> config under /etc/MailScanner) that you do the following: >>> >>> mv /etc/mail/spamassassin/local.cf \ >>> /etc/mail/spamassassin/local.cf-dist >>> ln -s /etc/MailScanner/spam.assassin.prefs.conf \ >>> /etc/mail/spamassassin/local.cf >>> >>> That way when you run sa from the command-line, the >> mailscanner prefs file >>> will still get used. >>> >>> -t. >>> >>> >>>> -----Original Message----- >>>> From: Jim Dickenson [mailto:dickenson@CFMC.COM] >>>> Sent: Wednesday, October 01, 2003 10:57 AM >>>> To: MAILSCANNER@JISCMAIL.AC.UK >>>> Subject: SpamAssassin Config files {Scanned by HJMS} >>>> >>>> >>>> I am totally confused as to where the various config files >> for SA are >>>> located when using MS. >>>> >>>> In /etc/MailScanner/MailScanner.conf there are various >>>> options that seem to >>>> set some SA options. Additionally there are these lines that >>>> point to config >>>> files as well. 
>>>>
>>>> SpamAssassin Prefs File = %etc-dir%/spam.assassin.prefs.conf
>>>>
>>>> SpamAssassin User State Dir = /var/spool/MailScanner/spamassassin
>>>>
>>>>
>>>>
>>>> When I was running SA via procmail there were various files in
>>>> /etc/mail/spamassassin, for system-wide options, and then in
>>>> /var/lib/spamassassin there were directories in the form of
>>>> .prefs
>>>> that had user_prefs as well as other stuff that were specific
>>>> to a given
>>>> user.
>>>>
>>>> I have searched the mail list archive but got more confused.
>>>>
>>>> Can someone please explain, or point me to an explanation,
>>>> about how SA gets
>>>> configured when run via MS?
>>>>
>>>>
>>>> TIA,
>>>> --
>>>> Jim Dickenson
>>>> mailto:dickenson@cfmc.com
>>>>
>>>> Computers for Marketing Corporation
>>>> http://www.cfmc.com/
>>>>
>>

From TGFurnish at HERFF-JONES.COM Wed Oct 1 19:34:18 2003
From: TGFurnish at HERFF-JONES.COM (Furnish, Trever G)
Date: Thu Jan 12 21:20:19 2006
Subject: SpamAssassin Config files {Scanned by HJMS}
Message-ID: <8FFC76593085ED4A80D3601BC41EFCDF0C0807@inex1.herffjones.hj-int>

> There are still many options in the MS.conf file and I do not
> know if they
> override the spam.assassin.prefs.conf file or if the sa config file
> overrides the items in the MS.conf file.

What are you referring to by "MS.conf" file? If you mean MailScanner.conf, those values apply to MailScanner, not to SA. And I'm not sure how they would "override" the settings in spam.assassin.prefs.conf since there are no attribute names in common. If you want to customize the behavior of SA as it is used by MS, then the settings you would normally put into a SA-specific file should be put into spam.assassin.prefs.conf.

> Also does anyone know about the user specific preferences?

You mean like a per-user bayes database? I think you would have to jump through lots of hoops to make that happen but others have asked the same question so perhaps someone else will describe what they're doing...
> -----Original Message----- > From: Jim Dickenson [mailto:dickenson@CFMC.COM] > Sent: Wednesday, October 01, 2003 11:37 AM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: SpamAssassin Config files {Scanned by HJMS} > > > Thanks for that tip. That gets rid of part of the problem. > > There are still many options in the MS.conf file and I do not > know if they > override the spam.assassin.prefs.conf file or if the sa config file > overrides the items in the MS.conf file. > > Also does anyone know about the user specific preferences? > -- > Jim Dickenson > mailto:dickenson@cfmc.com > > Computers for Marketing Corporation > http://www.cfmc.com/ > > > > > From: "Furnish, Trever G" > > Reply-To: MailScanner mailing list > > Date: Wed, 1 Oct 2003 11:06:44 -0500 > > To: MAILSCANNER@JISCMAIL.AC.UK > > Subject: Re: SpamAssassin Config files {Scanned by HJMS} > > > > When spamassassin is used by mailscanner, the > spam.assassin.prefs.conf file > > in the MailScanner configuration directory is what matters. > When you, for > > example, spamassassin -D --lint on the command line > different files get > > used. I would suggest (assuming a typical sendmail install > and MailScanner > > config under /etc/MailScanner) that you do the following: > > > > mv /etc/mail/spamassassin/local.cf \ > > /etc/mail/spamassassin/local.cf-dist > > ln -s /etc/MailScanner/spam.assassin.prefs.conf \ > > /etc/mail/spamassassin/local.cf > > > > That way when you run sa from the command-line, the > mailscanner prefs file > > will still get used. > > > > -t. > > > > > >> -----Original Message----- > >> From: Jim Dickenson [mailto:dickenson@CFMC.COM] > >> Sent: Wednesday, October 01, 2003 10:57 AM > >> To: MAILSCANNER@JISCMAIL.AC.UK > >> Subject: SpamAssassin Config files {Scanned by HJMS} > >> > >> > >> I am totally confused as to where the various config files > for SA are > >> located when using MS. 
> >> > >> In /etc/MailScanner/MailScanner.conf there are various > >> options that seem to > >> set some SA options. Additionally there are these lines that > >> point to config > >> files as well. > >> > >> SpamAssassin Prefs File = %etc-dir%/spam.assassin.prefs.conf > >> > >> SpamAssassin User State Dir = /var/spool/MailScanner/spamassassin > >> > >> > >> > >> When I was running SA via procmail there were various files in > >> /etc/mail/spamassassin, for system-wide options, and then in > >> /var/lib/spamassassin there were directories in the form of > >> .prefs > >> that had user_prefs as well as other stuff that were specific > >> to a given > >> user. > >> > >> I have searched the mail list archive but got more confused. > >> > >> Can someone please explain, or point me to an explanation, > >> about how SA gets > >> configured when run via MS? > >> > >> > >> TIA, > >> -- > >> Jim Dickenson > >> mailto:dickenson@cfmc.com > >> > >> Computers for Marketing Corporation > >> http://www.cfmc.com/ > >> > From kevins at BMRB.CO.UK Wed Oct 1 19:59:16 2003 From: kevins at BMRB.CO.UK (Kevin Spicer) Date: Thu Jan 12 21:20:19 2006 Subject: Zero-length attachments In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB00188AAF3@pascal.priv.bmrb.co.uk> References: <5C0296D26910694BB9A9BBFC577E7AB00188AAF3@pascal.priv.bmrb.co.uk> Message-ID: <1065034765.21309.12.camel@bach.kevinspicer.co.uk> On Wed, 2003-10-01 at 19:42, Antony Stone wrote: >If the option is set at "Yes" then Zero-size attachments bypass the >filename, >filetype and virus checks (the latter two for efficiency, because >there's >nothing to bother checking). no they should still be blocked, because... 
a) it gives the impression of inconsistency
b) zero byte files could be used in nuisance social engineering attacks ("please copy the attached updated file - vimportant.dll into C:\windows\system32, love from Microsoft")
c) Files appearing to get through the filter could send some managers into a flurry of panic thinking something has gone wrong, causing them not to trust MailScanner.
d) Odds are there is something suspect about any mail with a zero byte attachment.

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000
_________________________________________________________________
This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business.

From jase at SENSIS.COM Wed Oct 1 20:57:48 2003
From: jase at SENSIS.COM (Desai, Jason)
Date: Thu Jan 12 21:20:19 2006
Subject: Zero-length attachments
Message-ID:

[snip]
> > c) Files appearing to get through the filter could send some managers
> > into a flurry of panic thinking something has gone wrong, causing them
> > not to trust MailScanner.
[snip]
> (c) was in fact my reason for raising the suggestion in the first place. An
> attachment called Qph.exe which gets past the anti-virus check can trigger
> alarm, and too many people don't check to see that it's actually zero bytes
> in size. Maybe the best solution is to remove the "attachment" so as to
> eliminate both causes for alarm, but I think it's not good for people to see
> "Executable files can be dangerous" when in fact there's nothing there...
[snip]
> I'd still like to see some MailScanner option for treating zero-size
> attachments differently from "real" ones.

Maybe MailScanner could put the size of the file in ()'s after its name in
the report? Ex:

Report: Executable DOS/Windows programs are dangerous in email (patch.exe - 0b)

That would at least let you know that it was 0 bytes.

Jason

From tomaz.borstnar at OVER.NET Wed Oct 1 21:01:48 2003
From: tomaz.borstnar at OVER.NET (Tomaz Borstnar)
Date: Thu Jan 12 21:20:19 2006
Subject: more informative admin notify messages possible inside Mailscanner?
Message-ID: <6.0.0.22.0.20031001215520.0305b698@127.0.0.1>

Hello!

so far been running 4.22-5 mostly, but 4.23-11 is the same... What I would
like to have is at least better subjects for admin notifications. "Warning:
E-mail viruses detected" for everything could lead people into overlooking
things. Basically even putting line from Report: in mail would be major
improvement. Nice thing would be to also differentiate between local users
and external ones eg. make notification visually different for all reports
so you can quickly see which reports need immediate attention and which can
be looked at later.

Idea for 4.24 perhaps?

Thanks in advance.

Tomaz

From Antony at SOFT-SOLUTIONS.CO.UK Wed Oct 1 20:32:20 2003
From: Antony at SOFT-SOLUTIONS.CO.UK (Antony Stone)
Date: Thu Jan 12 21:20:19 2006
Subject: Zero-length attachments
In-Reply-To: <1065034765.21309.12.camel@bach.kevinspicer.co.uk>
References: <5C0296D26910694BB9A9BBFC577E7AB00188AAF3@pascal.priv.bmrb.co.uk> <1065034765.21309.12.camel@bach.kevinspicer.co.uk>
Message-ID: <200310011932.h91JWU724332@onyx.rockstone.co.uk>

On Wednesday 01 October 2003 7:59 pm, Kevin Spicer wrote:

> On Wed, 2003-10-01 at 19:42, Antony Stone wrote:
> >If the option is set at "Yes" then Zero-size attachments bypass the
> >filename, filetype and virus checks (the latter two for efficiency, because
> >there's nothing to bother checking).
>
> no they should still be blocked, because...
>
> a) it gives the impression of inconsistency
> b) zero byte files could be used in nuisance social engineering attacks
> ("please copy the attached updated file - vimportant.dll into
> C:\windows\system32, love from Microsoft")
> c) Files appearing to get through the filter could send some managers
> into a flurry of panic thinking something has gone wrong, causing them
> not to trust MailScanner.
> d) Odds are there is something suspect about any mail with a zero byte
> attachment.

Actually, I disagree with (a), because complaining about an .exe file which
isn't there seems ridiculous to many users - better to say nothing because
there's nothing to say it about.

(b) is a good point, so maybe there should be the option to add a message
saying the attachment was "removed" and anything else in the original email
should be regarded with suspicion, etc....

(c) was in fact my reason for raising the suggestion in the first place. An
attachment called Qph.exe which gets past the anti-virus check can trigger
alarm, and too many people don't check to see that it's actually zero bytes
in size. Maybe the best solution is to remove the "attachment" so as to
eliminate both causes for alarm, but I think it's not good for people to see
"Executable files can be dangerous" when in fact there's nothing there...

(d) goes both ways, I think. Many users are capable of attaching files which
end up as zero-length by mistake, so it wouldn't be good to assume that all
examples are malicious or should be totally eliminated.

I'd still like to see some MailScanner option for treating zero-size
attachments differently from "real" ones.

Regards,

Antony.

--
Programming is a Dark Art, and it will always be. The programmer is
fighting against the two most destructive forces in the universe:
entropy and human stupidity. They're not things you can always
overcome with a "methodology" or on a schedule.
 - Damian Conway, Perl God

From tomaz.borstnar at OVER.NET Wed Oct 1 21:10:45 2003
From: tomaz.borstnar at OVER.NET (Tomaz Borstnar)
Date: Thu Jan 12 21:20:19 2006
Subject: spam ratios? (Was: Recommended Spam actions)
In-Reply-To: <000a01c387eb$9b047210$df01000a@saharajhb.lan>
References: <000a01c387eb$9b047210$df01000a@saharajhb.lan>
Message-ID: <6.0.0.22.0.20031001220635.032e7260@127.0.0.1>

At 09:14 1.10.2003, you wrote:
>Just as a note on the traffic side, I get about 300 Spam mails per day on a
>server that does about 5k of messages.

15 to 20% spam and 8 to 15% of high spam here

From kevins at BMRB.CO.UK Wed Oct 1 21:12:10 2003
From: kevins at BMRB.CO.UK (Kevin Spicer)
Date: Thu Jan 12 21:20:19 2006
Subject: Zero-length attachments
In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB00188AAF6@pascal.priv.bmrb.co.uk>
References: <5C0296D26910694BB9A9BBFC577E7AB00188AAF6@pascal.priv.bmrb.co.uk>
Message-ID: <1065039131.21150.21.camel@bach.kevinspicer.co.uk>

On Wed, 2003-10-01 at 20:32, Antony Stone wrote:
>I'd still like to see some MailScanner option for treating zero-size
>attachments differently from "real" ones.

Hmmm, the more I think of this the less simple it seems! A one byte
file isn't dangerous either, or a two byte. When does applying 'common
sense' cease to be common sense?

There is some merit in including the file size in the report, although
Mr. Clueless L. User probably doesn't even know what a byte is (looking
at my logs there's certainly plenty of folks who have no appreciation of
how big a megabyte is!).

Maybe the answer is actually just to tune the reports, so the users get
a report which says 'Our policy is to block files of this type as they
have been known to carry viruses or other malicious content' Rather than
the default rather terse and alarmist reports.
BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000
_________________________________________________________________
This message (and any attachment) is intended only for the
recipient and may contain confidential and/or privileged
material. If you have received this in error, please contact the
sender and delete this message immediately. Disclosure, copying
or other action taken in respect of this email or in
reliance on it is prohibited. BMRB International Limited
accepts no liability in relation to any personal emails, or
content of any email which does not directly relate to our
business.

From tomaz.borstnar at OVER.NET Wed Oct 1 21:12:17 2003
From: tomaz.borstnar at OVER.NET (Tomaz Borstnar)
Date: Thu Jan 12 21:20:20 2006
Subject: Postfix or Sendmail for MS & SA?
In-Reply-To: <5.2.0.9.2.20031001085013.041aa750@imap.ecs.soton.ac.uk>
References: <3F79E340.9000804@SJC.nl> <5.2.0.9.2.20031001085013.041aa750@imap.ecs.soton.ac.uk>
Message-ID: <6.0.0.22.0.20031001221147.02f9dc50@127.0.0.1>

At 09:52 1.10.2003, you wrote:
>Exim and sendmail will work significantly faster with MailScanner than
>Postfix will.

May I also recommend Zmailer to be part of winners as well? :)

Tomaz

From craig at STRONG-BOX.NET Wed Oct 1 20:37:28 2003
From: craig at STRONG-BOX.NET (Craig Pratt)
Date: Thu Jan 12 21:20:20 2006
Subject: RAV autoupdate script causing issues today
In-Reply-To: <5.2.0.9.2.20031001094556.04151be0@imap.ecs.soton.ac.uk>
Message-ID:

On Wednesday, Oct 1, 2003, at 01:46 US/Pacific, Julian Field wrote:
> Try this.
>
> It will time out after 5 minutes.

Thanks Julian - I'll try this out. Of course, whatever was going on
yesterday has been resolved. So I can't really test it. But it'll still
be a good addition.

It's strange behavior for an update routine to do something like this
(busy-wait instead of outright failing). But the timer is probably a
good safety net.
C

> At 08:43 01/10/2003, you wrote:
>> On Tuesday, Sep 30, 2003, at 22:37 US/Pacific, Craig Pratt wrote:
>>> Yup - seeing the same thing. If I run it manually, it just hangs at
>>> "Make remote list of files..."
>>>
>>> /usr/local/rav8/bin/ravav --update=engine
>>>
>>> RAV AntiVirus command line for Linux i686.
>>> Version: 8.3.1.
>>> Copyright (c) 1996-2001 GeCAD The Software Company. All rights
>>> reserved.
>>> Start updating... Tue Sep 30 22:26:21 2003
>>> Opening a socket ...done!
>>> Looking for: ftp.us.ravantivirus.com ...done!
>>> Connecting to server: ftp.us.ravantivirus.com ...done!
>>> User login ...
>>> Password authentification ...
>>> Chdir remote... /pub/rav/update/rave
>>> Make remote list of files...
>>>
>>> I seem to remember there being a setting for how often MS will run
>>> the
>>> autoupdate script. But I don't seem to be able to find it.
>>
>> DOH - of course, it's cron that's running it.
>>
>> I *think* what's happening is:
>>
>> (1) update script is run by cron
>> (2) Update script grabs the update lock,
>> (3) RAV update stalls (looks like the FTP server has fallen down and
>> RAV's update function busy-waits - caught mine using 98% of CPU)
>> (4) MailScanner stalls waiting for the lock (last log entry is
>> "MailScanner[10669]: Virus and Content Scanning: Starting").
>> (5) check_MailScanner doesn't detect the condition since the process
>> is
>> running - just blocked
>>
>> Note that I'm running MS 4.12-2.
>>
>> Temporary solution for me: mv /etc/cron.hourly/update_virus_scanners
>> /etc/cron.daily/
>>
>> Running ftp manually to either ftp.us.ravantivirus.com or
>> ftp.ravantivirus.com seems to demonstrate that their servers are
>> hosed.
>> Don't know why.
>>
>> Craig
>>
>>> On Tuesday, Sep 30, 2003, at 14:56 US/Pacific, Dan Williamson wrote:
>>>> I'm having the same problem as well.
>>>> 4 of my servers locked, queuing several thousand emails before the
>>>> calls
>>>> started to come in.
>>>>
>>>> I just recently upgraded all servers to 4.23-11.
>>>> I am killing all ravav processes on the hour and restarting
>>>> MailScanner.
>>>>
>>>> regards,
>>>> -dan
>>>>
>>>> -----Original Message-----
>>>> From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On
>>>> Behalf
>>>> Of Mickey Everts
>>>> Sent: Tuesday, September 30, 2003 3:34 PM
>>>> To: MAILSCANNER@JISCMAIL.AC.UK
>>>> Subject: RAV autoupdate script causing issues today
>>>>
>>>>
>>>>
>>>> On the two servers that I admin which are running MailScanner
>>>> 4.20-3,
>>>> the
>>>> "update_virus_scanners" script that runs hourly has been causing
>>>> issues
>>>> since about 9:00 AM PST. The root cause appears to be that
>>>> "ravav --update=engine" command is taking way too long and
>>>> using
>>>> a lot
>>>> of CPU time, enough that MailScanner can't keep up it seems. By the
>>>> time I
>>>> noticed, there were several hundred messages in the "mqueue.in"
>>>> directory. I
>>>> have disabled RAV for now, but I have a couple questions:
>>>>
>>>> Has the "update_virus_scanners" perhaps been improved in recent
>>>> versions
>>>> perhaps to make it not so vulnerable to this kind of thing? Perhaps
>>>> external commands it calls could be "nice'd" to some level that
>>>> would
>>>> not
>>>> cause issue if they went awry? Did this happen to anyone else?
>>>>
>>>> USER PID %CPU %MEM VSZ RSS TTY STAT START TIME
>>>> COMMAND
>>>> root 13903 0.0 0.0 1432 444 ? S 13:01 0:00 \_
>>>> CROND
>>>> root 13904 0.0 0.1 2048 956 ? S 13:01 0:00
>>>> \_
>>>> /bin/bash /usr/bin/run-parts /etc/cron.hourly
>>>> root 13922 0.0 0.1 2044 968 ? S 13:01 0:00
>>>> \_
>>>> /bin/bash /usr/sbin/update_virus_scanners
>>>> root 13958 0.0 0.2 3284 1448 ? S 13:01 0:00
>>>> |
>>>> \_ /usr/bin/perl -w /usr/lib/MailScanner/rav-autoupdate
>>>> root 13959 84.0 0.1 1548 676 ? R 13:01 6:57
>>>> |
>>>> \_ /usr/local/rav8//bin/ravav --update=engine
>>>>
>>>> Until now, MailScanner has been ultra-reliable for months.
>>>> Good job Julian!
>>>>
>>>> Mickey
>>>> SLP

--
This message checked for dangerous content by MailScanner on StrongBox.

From Antony at SOFT-SOLUTIONS.CO.UK Wed Oct 1 21:22:34 2003
From: Antony at SOFT-SOLUTIONS.CO.UK (Antony Stone)
Date: Thu Jan 12 21:20:20 2006
Subject: Zero-length attachments
In-Reply-To: <1065039131.21150.21.camel@bach.kevinspicer.co.uk>
References: <5C0296D26910694BB9A9BBFC577E7AB00188AAF6@pascal.priv.bmrb.co.uk> <1065039131.21150.21.camel@bach.kevinspicer.co.uk>
Message-ID: <200310012022.h91KMi724422@onyx.rockstone.co.uk>

On Wednesday 01 October 2003 9:12 pm, Kevin Spicer wrote:

> On Wed, 2003-10-01 at 20:32, Antony Stone wrote:
> >I'd still like to see some MailScanner option for treating zero-size
> >attachments differently from "real" ones.
>
> Hmmm, the more I think of this the less simple it seems! A one byte
> file isn't dangerous either, or a two byte. When does applying 'common
> sense' cease to be common sense?

Oh, I agree, but I think there's a clear distinction between a zero-byte (in
other words, non-existent) file, and a file with some content in it, no
matter what that content may be, or how insignificant it is.

Also, in the example I gave of Sobig.F, where sometimes the virus doesn't
propagate correctly, and ends up sending a zero-byte file instead of a virus,
I'm not aware of "near-misses", where one byte gets sent, or two bytes, etc.
It's either zero, or a virus.

> There is some merit in including the file size in the report, although
> Mr. Clueless L. User probably doesn't even know what a byte is (looking
> at my logs there's certainly plenty of folks who have no appreciation of
> how big a megabyte is!).

Again, agreed that many users don't know what a byte is, but I think they do
know the difference between a zero-size file (ie nothing) and a
non-zero-size file (ie something), no matter what units the size of a file
is measured in.

Antony.

--
What a waste it is to lose one's mind -- or not to have a mind.
How true that is.

 - Dan Quayle, vice-president of the United States of America

From david at PLATFORMHOSTING.COM Wed Oct 1 22:39:47 2003
From: david at PLATFORMHOSTING.COM (David Hooton)
Date: Thu Jan 12 21:20:20 2006
Subject: Inline SPAM warnings
In-Reply-To: <6.0.0.22.0.20031001172606.01c34508@xanadu.evi-inc.com>
References: <6.0.0.22.0.20031001172606.01c34508@xanadu.evi-inc.com>
Message-ID: <3F7B49A3.10705@platformhosting.com>

Hi,

We have a policy of attach and deliver for messages which are classed as
spam. Recently we've had a bunch of complaints about some Outlook users
not having the inline spam message inline, but showing up as an attachment.

For me using Mozilla everything looks fine, but some exchange & outlook
users seem to not be getting things as you'd expect.

We updated to the most recent release as of last Friday, but this has
made no difference. Does anyone have any tips?

TIA
--
Regards,

David Hooton
Senior Partner
Platform Hosting
1300 85 HOST
www.platformhosting.com

========================================================================
 This message has been scanned for spam & viruses by Mail Security.
 To report SPAM forward the message to: spam@mailsecurity.net.au
 Mail Security www.mailsecurity.net.au
========================================================================

From jburzenski at AMERICANHM.COM Wed Oct 1 22:43:17 2003
From: jburzenski at AMERICANHM.COM (Jason Burzenski)
Date: Thu Jan 12 21:20:20 2006
Subject: Diagram of Mail Flow
Message-ID: <9BDD6D4AD0795C46974D7D46C17883B8080AFEDE@ahm_exchange2>

The latest version of the MailScanner Process Overview diagram (visio and
jpg format) is available at the following URL courtesy of Fortress Systems
LTD.

http://www.fsl.com/MS-process.htm

Julian has also been kind enough to link to this diagram from the
MailScanner Features and Description Page
(http://www.sng.ecs.soton.ac.uk/mailscanner/readme.shtml).
I would like to thank everyone who provided feedback on the first few
drafts of this document. If anyone has any recommendations for improvement,
please forward them to me or post them to the list.

Thank you.

Jason Burzenski
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20031001/b25368ae/attachment.html

From dan.farmer at PHONEDIR.COM Wed Oct 1 22:32:59 2003
From: dan.farmer at PHONEDIR.COM (Dan Farmer)
Date: Thu Jan 12 21:20:20 2006
Subject: Zero-length attachments
In-Reply-To: <200310012022.h91KMi724422@onyx.rockstone.co.uk>
Message-ID:

I had quite a few damaged copies of Sobig.F come through which were not
the normal size of Sobig, nor were they 0 bytes either. Since I was
blocking subject lines, the only ones that got through to the virus
scanner were usually bounced copies with a subject like 'Returned mail:
undeliverable user unknown', so it could be that the mail daemon was
responsible for truncating the virus. I did also get 0 byte copies as
well. The undamaged viruses were caught by clamav, the damaged ones
were stripped by the filename checks not clamav, and the 0 byte ones
were stripped by filename checks as well.

What exactly would be the point of allowing the 0 byte version of a
virus through? I understand your point that it would be very hard for a
0 byte file to be harmful, but it just feels wrong to tell users all
.exe files will be blocked, and then allow a 0 byte attachment named
patch.exe to come through in an email that to most users looks like a
perfectly legitimate email from Microsoft.

Dan

On Wednesday, October 1, 2003, at 02:22 PM, Antony Stone wrote:

> Also, in the example I gave of Sobig.F, where sometimes the virus
> doesn't
> propagate correctly, and ends up sending a zero-byte file instead of a
> virus,
> I'm not aware of "near-misses", where one byte gets sent, or two
> bytes, etc.
> It's either zero, or a virus.
From mkettler at EVI-INC.COM Wed Oct 1 22:35:10 2003
From: mkettler at EVI-INC.COM (Matt Kettler)
Date: Thu Jan 12 21:20:20 2006
Subject: SpamAssassin Config files
In-Reply-To:
References:
Message-ID: <6.0.0.22.0.20031001172606.01c34508@xanadu.evi-inc.com>

At 11:57 AM 10/1/2003, Jim Dickenson wrote:
>Can someone please explain, or point me to an explanation, about how SA gets
>configured when run via MS?

Under mailscanner SA always is run as a single user, so there's only one
single configuration for SA when run under mailscanner. There are no
per-user configfiles at all, so there are no equivalents to the
'.prefs' files of your old system.

Under mailscanner SA loads configfiles as follows:
        It loads your /usr/share/spamassassin/*.cf files normally
        It loads your local.cf normally.
        The user_prefs file is replaced with spam.assassin.prefs.conf.

All bayes and AWL (if you use the awl) state data is stored in the
"SpamAssassin User State Dir", instead of in ~/.spamassassin/.

However there is only ONE user, no matter who the email is sent to, all
email processed against a single bayes database, a single AWL database, and
a single prefs file.

From TGFurnish at HERFF-JONES.COM Wed Oct 1 22:49:46 2003
From: TGFurnish at HERFF-JONES.COM (Furnish, Trever G)
Date: Thu Jan 12 21:20:20 2006
Subject: patch for next / previous links in mailwatch
Message-ID: <8FFC76593085ED4A80D3601BC41EFCDF8E1CC9@inex1.herffjones.hj-int>

Steve,

Attached is a patch for the rep_message_listing.php file distributed as
part of mailwatch 0.3. The patch does these things:

1. "fixes" the next/prev links at the bottom of the
rep_message_listing.php file distributed as part of mailwatch 0.3. Original
behavior was to display a Prev link even on the first page and a Next link
even on the last page. Patched behavior is to leave off the Prev link on
the first page (since there is no page "previous" to the first page) and the
Next link on the last page (ditto).

2.
Removes the "A HREF" tags around the current page number in the list of
pages at the bottom of the message listing. This provides a visual clue as
to the current page number.

3. Adds Next / Prev links at the top of the page as well. This facilitates
quickly paging through the list, since the positions of the links at the top
of the page change much less between pages than the positions of the links
at the bottom of each page.

Submitted in the hopes it'll be useful to someone.

--
Trever

-------------- next part --------------
A non-text attachment was scrubbed...
Name: rep_message_listing.patch
Type: application/octet-stream
Size: 2470 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20031001/0f12c704/rep_message_listing.obj

From TGFurnish at HERFF-JONES.COM Wed Oct 1 23:01:19 2003
From: TGFurnish at HERFF-JONES.COM (Furnish, Trever G)
Date: Thu Jan 12 21:20:20 2006
Subject: Inline SPAM warnings {Scanned by HJMS}
Message-ID: <8FFC76593085ED4A80D3601BC41EFCDF8E1CCA@inex1.herffjones.hj-int>

AFAIK that's the way outlook works - attachments aren't displayed inline
unless they're pictures. And that's also the way I *wish* mozilla worked -
the whole point of "attaching" a message (well, unless you're unpacking
rfc822 attachments for sa-learn) is to PREVENT the client from displaying
the attachment.

When you display the spam attachment inline (as mozilla does), you're
vulnerable to all the same problems that you are if you just deliver it
untouched - images that identify your email address as a valid one and other
security exploits that enable *really* bad things.

Users complain - it's their nature. Cook a few of them up for the next
company barbeque as a lesson to the rest. ;^)

(Um, that *was* a joke, in case anyone from my company is reading and
humor-impaired.)
> -----Original Message-----
> From: David Hooton [mailto:david@PLATFORMHOSTING.COM]
> Sent: Wednesday, October 01, 2003 4:40 PM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Inline SPAM warnings {Scanned by HJMS}
>
>
> Hi,
>
> We have a policy of attach and deliver for messages which are
> classed as
> spam. Recently we've had a bunch of complaints about some
> Outlook users
> not having the inline spam message inline, but showing up as
> an attachment.
>
> For me using Mozilla everything looks fine, but some exchange
> & outlook
> users seem to not be getting things as you'd expect.
>
> We updated to the most recent release as of last Friday, but this has
> made no difference. Does anyone have any tips?
>
> TIA
> --
> Regards,
>
> David Hooton
> Senior Partner
> Platform Hosting
> 1300 85 HOST
> www.platformhosting.com
>
>
> ==============================================================
> ==========
> This message has been scanned for spam & viruses by Mail Security.
> To report SPAM forward the message to: spam@mailsecurity.net.au
> Mail Security www.mailsecurity.net.au
> ==============================================================
> ==========
>

From jase at SENSIS.COM Wed Oct 1 23:17:53 2003
From: jase at SENSIS.COM (Desai, Jason)
Date: Thu Jan 12 21:20:20 2006
Subject: Inline SPAM warnings {Scanned by HJMS}
Message-ID:

Anybody know if Outlook would display the spam warning if it had a
Content-Type of "multipart/report" instead of "multipart/digest"? I've been
thinking about trying this but haven't had the time. We have some of our
users so well trained that they are even afraid to open any attachments. So
when spam is attached, and the warning also shows up as an attachment with a
name something like ATT234567.txt, we get a request for help since it looks
suspicious. I think Outlook 2k displayed them, but not 2k2.
Jason

> -----Original Message-----
> From: Furnish, Trever G [mailto:TGFurnish@HERFF-JONES.COM]
> Sent: Wednesday, October 01, 2003 6:01 PM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: [MAILSCANNER] Inline SPAM warnings {Scanned by HJMS}
>
>
> AFAIK that's the way outlook works - attachments aren't
> displayed inline
> unless they're pictures. And that's also the way I *wish*
> mozilla worked -
> the whole point of "attaching" a message (well, unless you're
> unpacking
> rfc822 attachments for sa-learn) is to PREVENT the client
> from displaying
> the attachment.
>
> When you display the spam attachment inline (as mozilla does), you're
> vulnerable to all the same problems that you are if you just
> deliver it
> untouched - images that identify your email address as a
> valid one and other
> security exploits that enable *really* bad things.
>
> Users complain - it's their nature. Cook a few of them up
> for the next
> company barbeque as a lesson to the rest. ;^)
>
> (Um, that *was* a joke, in case anyone from my company is reading and
> humor-impaired.)
>
> > -----Original Message-----
> > From: David Hooton [mailto:david@PLATFORMHOSTING.COM]
> > Sent: Wednesday, October 01, 2003 4:40 PM
> > To: MAILSCANNER@JISCMAIL.AC.UK
> > Subject: Inline SPAM warnings {Scanned by HJMS}
> >
> >
> > Hi,
> >
> > We have a policy of attach and deliver for messages which are
> > classed as
> > spam. Recently we've had a bunch of complaints about some
> > Outlook users
> > not having the inline spam message inline, but showing up as
> > an attachment.
> >
> > For me using Mozilla everything looks fine, but some exchange
> > & outlook
> > users seem to not be getting things as you'd expect.
> >
> > We updated to the most recent release as of last Friday,
> but this has
> > made no difference. Does anyone have any tips?
> >
> > TIA
> > --
> > Regards,
> >
> > David Hooton
> > Senior Partner
> > Platform Hosting
> > 1300 85 HOST
> > www.platformhosting.com
> >
> >
> > ==============================================================
> > ==========
> > This message has been scanned for spam & viruses by Mail
> Security.
> > To report SPAM forward the message to:
> spam@mailsecurity.net.au
> > Mail Security
> www.mailsecurity.net.au
>
> > ==============================================================
> > ==========
> >
>

From TGFurnish at HERFF-JONES.COM Wed Oct 1 23:39:46 2003
From: TGFurnish at HERFF-JONES.COM (Furnish, Trever G)
Date: Thu Jan 12 21:20:20 2006
Subject: Inline SPAM warnings {Scanned by HJMS}
Message-ID: <8FFC76593085ED4A80D3601BC41EFCDF8E1CCD@inex1.herffjones.hj-int>

Yes!!! Nice tip. Tested here with outlook 2k sp3 and the warning is
displayed inline but the original spam is still displayed as an attachment.

I have no clue what the difference is supposed to be between "digest" and
"report" though, so no clue whether that would have unwanted side-effects.
If not, then that would seem like a nice thing to change for a future MS
release...

-t.

> -----Original Message-----
> From: Desai, Jason [mailto:jase@SENSIS.COM]
> Sent: Wednesday, October 01, 2003 5:18 PM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: Inline SPAM warnings {Scanned by HJMS}
>
>
> Anybody know if Outlook would display the spam warning if it had a
> Content-Type of "multipart/report" instead of
> "multipart/digest"? I've been
> thinking about trying this but haven't had the time. We have
> some of our
> users so well trained that they are even afraid to open any
> attachments. So
> when spam is attached, and the warning also shows up as an
> attachment with a
> name something like ATT234567.txt, we get a request for help
> since it looks
> suspicious. I think Outlook 2k displayed them, but not 2k2.
>
> Jason
>
> > -----Original Message-----
> > From: Furnish, Trever G [mailto:TGFurnish@HERFF-JONES.COM]
> > Sent: Wednesday, October 01, 2003 6:01 PM
> > To: MAILSCANNER@JISCMAIL.AC.UK
> > Subject: Re: [MAILSCANNER] Inline SPAM warnings {Scanned by HJMS}
> >
> >
> > AFAIK that's the way outlook works - attachments aren't
> > displayed inline
> > unless they're pictures. And that's also the way I *wish*
> > mozilla worked -
> > the whole point of "attaching" a message (well, unless you're
> > unpacking
> > rfc822 attachments for sa-learn) is to PREVENT the client
> > from displaying
> > the attachment.
> >
> > When you display the spam attachment inline (as mozilla
> does), you're
> > vulnerable to all the same problems that you are if you just
> > deliver it
> > untouched - images that identify your email address as a
> > valid one and other
> > security exploits that enable *really* bad things.
> >
> > Users complain - it's their nature. Cook a few of them up
> > for the next
> > company barbeque as a lesson to the rest. ;^)
> >
> > (Um, that *was* a joke, in case anyone from my company is
> reading and
> > humor-impaired.)
> >
> > > -----Original Message-----
> > > From: David Hooton [mailto:david@PLATFORMHOSTING.COM]
> > > Sent: Wednesday, October 01, 2003 4:40 PM
> > > To: MAILSCANNER@JISCMAIL.AC.UK
> > > Subject: Inline SPAM warnings {Scanned by HJMS}
> > >
> > >
> > > Hi,
> > >
> > > We have a policy of attach and deliver for messages which are
> > > classed as
> > > spam. Recently we've had a bunch of complaints about some
> > > Outlook users
> > > not having the inline spam message inline, but showing up as
> > > an attachment.
> > >
> > > For me using Mozilla everything looks fine, but some exchange
> > > & outlook
> > > users seem to not be getting things as you'd expect.
> > >
> > > We updated to the most recent release as of last Friday,
> > but this has
> > > made no difference. Does anyone have any tips?
> > >
> > > TIA
> > > --
> > > Regards,
> > >
> > > David Hooton
> > > Senior Partner
> > > Platform Hosting
> > > 1300 85 HOST
> > > www.platformhosting.com
> > >
> > >
> > > ==============================================================
> > > ==========
> > > This message has been scanned for spam & viruses by Mail
> > Security.
> > > To report SPAM forward the message to:
> > spam@mailsecurity.net.au
> > > Mail Security
> > www.mailsecurity.net.au
> >
> > > ==============================================================
> > > ==========
> > >
> >
>

From ka at PACIFIC.NET Wed Oct 1 23:47:22 2003
From: ka at PACIFIC.NET (Ken Anderson)
Date: Thu Jan 12 21:20:20 2006
Subject: Inline SPAM warnings {Scanned by HJMS}
In-Reply-To: <8FFC76593085ED4A80D3601BC41EFCDF8E1CCA@inex1.herffjones.hj-int>
References: <8FFC76593085ED4A80D3601BC41EFCDF8E1CCA@inex1.herffjones.hj-int>
Message-ID: <3F7B597A.2060100@pacific.net>

Furnish, Trever G wrote:

> AFAIK that's the way outlook works - attachments aren't displayed inline
> unless they're pictures. And that's also the way I *wish* mozilla worked -
> the whole point of "attaching" a message (well, unless you're unpacking
> rfc822 attachments for sa-learn) is to PREVENT the client from displaying
> the attachment.
>
> When you display the spam attachment inline (as mozilla does), you're
> vulnerable to all the same problems that you are if you just deliver it
> untouched - images that identify your email address as a valid one and other
> security exploits that enable *really* bad things.

mozilla's "view->attachments inline" allows you to adjust this behavior,
as does Outlook (somewhere...)

Ken A.

> Users complain - it's their nature. Cook a few of them up for the next
> company barbeque as a lesson to the rest. ;^)
>
> (Um, that *was* a joke, in case anyone from my company is reading and
> humor-impaired.)
>
>
>>-----Original Message-----
>>From: David Hooton [mailto:david@PLATFORMHOSTING.COM]
>>Sent: Wednesday, October 01, 2003 4:40 PM
>>To: MAILSCANNER@JISCMAIL.AC.UK
>>Subject: Inline SPAM warnings {Scanned by HJMS}
>>
>>
>>Hi,
>>
>>We have a policy of attach and deliver for messages which are
>>classed as
>>spam. Recently we've had a bunch of complaints about some
>>Outlook users
>>not having the inline spam message inline, but showing up as
>>an attachment.
>>
>>For me using Mozilla everything looks fine, but some exchange
>>& outlook
>>users seem to not be getting things as you'd expect.
>>
>>We updated to the most recent release as of last Friday, but this has
>>made no difference. Does anyone have any tips?
>>
>>TIA
>>--
>>Regards,
>>
>>David Hooton
>>Senior Partner
>>Platform Hosting
>>1300 85 HOST
>>www.platformhosting.com
>>
>>
>>==============================================================
>>==========
>> This message has been scanned for spam & viruses by Mail Security.
>> To report SPAM forward the message to: spam@mailsecurity.net.au
>> Mail Security www.mailsecurity.net.au
>>==============================================================
>>==========
>>
>
>
>

From greyhair at GREYHAIR.NET Wed Oct 1 23:55:38 2003
From: greyhair at GREYHAIR.NET (greyhair)
Date: Thu Jan 12 21:20:20 2006
Subject: Two Installations of Perl!
In-Reply-To: <5.2.0.9.2.20031001164703.04213ca8@imap.ecs.soton.ac.uk>
References: <5.2.0.9.2.20031001164703.04213ca8@imap.ecs.soton.ac.uk>
Message-ID: <3F7B5B6A.1000302@greyhair.net>

I know it is EVIL to have two installations of perl. My server is, I
guess, possessed.
Question: how do I tell the system to use one version over the other??
Is there a simple *QUICK* way??

Thanks for any advice. Please note *QUICK*, thank you.

From Antony at SOFT-SOLUTIONS.CO.UK Thu Oct 2 00:09:36 2003
From: Antony at SOFT-SOLUTIONS.CO.UK (Antony Stone)
Date: Thu Jan 12 21:20:20 2006
Subject: Two Installations of Perl!
In-Reply-To: <3F7B5B6A.1000302@greyhair.net> References: <5.2.0.9.2.20031001164703.04213ca8@imap.ecs.soton.ac.uk> <3F7B5B6A.1000302@greyhair.net> Message-ID: <200310012309.h91N9l724599@onyx.rockstone.co.uk> On Wednesday 01 October 2003 11:55 pm, greyhair wrote: > I know it is EVIL to have two installations of perl. My server is, i > guess, possessed. > Question: how to I tell the system to use one version over the other?? > Is there a simple *QUICK* way?? 1. Ensure that only one of the installations is in your path (for each user which may call Perl scripts). 2. Ensure that any scripts which call the Perl interpreter by absolute path point to the one you to be used. One method of bypassing the one you don't to be used might be to delete the contents of the Perl directory you don't want, and then make it a symbolic link to the directory of the version you do want. Regards, Antony. -- Ramdisk is not an installation procedure. From dickenson at CFMC.COM Thu Oct 2 00:34:56 2003 From: dickenson at CFMC.COM (Jim Dickenson) Date: Thu Jan 12 21:20:20 2006 Subject: SpamAssassin Config files In-Reply-To: <6.0.0.22.0.20031001172606.01c34508@xanadu.evi-inc.com> Message-ID: Thanks for the explanation. -- Jim Dickenson mailto:dickenson@cfmc.com Computers for Marketing Corporation http://www.cfmc.com/ > From: Matt Kettler > Reply-To: MailScanner mailing list > Date: Wed, 1 Oct 2003 17:35:10 -0400 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: SpamAssassin Config files > > At 11:57 AM 10/1/2003, Jim Dickenson wrote: >> Can someone please explain, or point me to an explanation, about how SA gets >> configured when run via MS? > > Under mailscanner SA always is run as a single user, so there's only one > single configuration for SA when run under mailscaner. There are no > per-user configfiles at all, so there are no equivalents to the > '.prefs' files of your old system. 
> > Under mailscanner SA loads configfiles as follows: > It loads your /usr/share/spamassassin/*.cf files normally > It loads your local.cf normally. > The user_prefs file is replaced with spam.assasssin.prefs.conf. > > > All bayes and AWL (if you use the awl) state data is stored in the > "SpamAssassin User State Dir", instead of in ~/.spamassassin/. > > However there is only ONE user, no matter who the email is sent to, all > email processed against a single bayes database, a single AWL database, and > a single prefs file. From mkettler at EVI-INC.COM Thu Oct 2 00:56:41 2003 From: mkettler at EVI-INC.COM (Matt Kettler) Date: Thu Jan 12 21:20:20 2006 Subject: Two Installations of Perl! In-Reply-To: <3F7B5B6A.1000302@greyhair.net> References: <5.2.0.9.2.20031001164703.04213ca8@imap.ecs.soton.ac.uk> <3F7B5B6A.1000302@greyhair.net> Message-ID: <6.0.0.22.0.20031001195149.01cca680@xanadu.evi-inc.com> At 06:55 PM 10/1/2003, greyhair wrote: >I know it is EVIL to have two installations of perl. My server is, i >guess, possessed. >Question: how to I tell the system to use one version over the other?? This is a common side effect of a buggy version of CPAN. Sometimes older versions of CPAN would decide to upgrade perl itself in order to install a new package. I had a redhat 7.1 box do this to me when I upgraded SA via cpan. It went and installed a second (newer) copy of perl in /usr/local. My personal solution was to do the following 1) blow away the whole copy of perl in /usr/local/. All the binaries, libraries, etc.. I just rm em. 2) ran cpan (now using my real copy of perl) and used it to upgrade cpan itself. This went smoothly. 3) Then I went and re-installed SA in the correct copy of perl. note: this may not be the best way for you to deal with it, since you may have installed many things into the wrong perl. An alternate short-term solution would be to remove /usr/local/bin (or wherever the alternate perl is) from your path.. 
unfortunately that affects everything in /usr/local/bin. From bhughes at ELEVATING.COM Thu Oct 2 03:29:26 2003 From: bhughes at ELEVATING.COM (Bret Hughes) Date: Thu Jan 12 21:20:20 2006 Subject: Inline SPAM warnings {Scanned by HJMS} In-Reply-To: <3F7B597A.2060100@pacific.net> References: <8FFC76593085ED4A80D3601BC41EFCDF8E1CCA@inex1.herffjones.hj-int> <3F7B597A.2060100@pacific.net> Message-ID: <1065061767.1632.225.camel@bretsony> On Wed, 2003-10-01 at 17:47, Ken Anderson wrote: > Furnish, Trever G wrote: > > > AFAIK that's the way outlook works - attachments aren't displayed inline > > unless they're pictures. And that's also the way I *wish* mozilla worked - > > the whole point of "attaching" a message (well, unless you're unpacking > > rfc822 attachments for sa-learn) is to PREVENT the client from displaying > > the attachment. > > > > When you display the spam attachment inline (as mozilla does), you're > > vulnerable to all the same problems that you are if you just deliver it > > untouched - images that identify your email address as a valid one and other > > security exploits that enable *really* bad things. > > mozilla's "view->attachments inline" allows you do adjust this behavior, > as does Outlook (somewhere...) > Ken A. > evolution has an additional preference that I like: load images off net - never, always, only if in addressbook Pretty cool. Bret From batucker at ICNET.NET Thu Oct 2 04:05:28 2003 From: batucker at ICNET.NET (Brady A. Tucker) Date: Thu Jan 12 21:20:20 2006 Subject: Forwarding mail In-Reply-To: <00a401c3883c$c652b430$a51cbdcf@home.middlefinger.net> Message-ID: You can also add : define(`SMART_HOST',`YourMain.Mail.Server') to your sendmail.mc, rebuild your sendmail.cf, and setup your MX records as another suggested here to go only to your MS/SA server. If you don't use sendmail.mc add/edit the DS line which is probably just blank now in your sendmail.cf file. 
You would change it from 'DS' to 'DSYourMain.MailServer' near the top of your sendmail.cf file. I have 3 MS/SA servers, each with different MX values, that accept/scan/spam check, then forward on to the 'Smart Host'. The 'SmartHost' is not listed as an MX host in the the DNS records for any of the domains it checks. Similar to the other user who said they use mailertables, if you list your SmartHost as a secondary MX, mail WILL get there w/o being scanned. IMO, it's better to put up a secondary MS/SA box, and not list the smarthost as an MX, if like me your stuck with a final destination host that doesn't/can't do scanning. Brady A. Tucker Internet Complete! inc. http://www.icnet.net > -----Original Message----- > From: MailScanner mailing list > [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Joe Stuart > Sent: Wednesday, October 01, 2003 11:30 AM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Forwarding mail > > > I am trying to setup Mailscanner and spamassasin on a mail > server that is supposed to scan the mail then forward it onto > the primary mail server. Could anyone point me in a direction > on how to configure sendmail to do the forwarding. > > Thanks > From danieltan at shopnsave.com.sg Thu Oct 2 04:29:06 2003 From: danieltan at shopnsave.com.sg (Daniel Tan) Date: Thu Jan 12 21:20:20 2006 Subject: help pls... {Scanned by HJMS} References: <8FFC76593085ED4A80D3601BC41EFCDF0C0803@inex1.herffjones.hj-int> Message-ID: <017001c38895$564b83c0$3900a8c0@Daniel> main problem is mailscanner complaining can't find spamassassin installation for those having problems with spamassassin installations, please note the following things 1) install SA using tar.gz , do not use rpm as it can't work....dunno for what reason...a lot of MS users will tell you that.... 2) if can't create Makefile.PL (complaining about can't find pod2man), this is due to Lang settings either change your Lang locale to en_US or do this export LANG=C after this it can work! 
i finally got MS working with SA again....think i better think twice about upgrading perl through up2date again...this sucx! ----- Original Message ----- From: "Furnish, Trever G" To: "'Daniel Tan'" Sent: Wednesday, October 01, 2003 10:46 PM Subject: RE: help pls... {Scanned by HJMS} Did you get help yet? The reply-to on your message is set to you instead of the list (not sure how that happens) so I can't tell whether you've A) gotten no responses or B) gotten lots and lots of responses. :-) Some suggestions / things to check: 1. Do you have a system backup you can restore to if this is an urgent problem? 2. Is MailScanner still running (ps auxww | grep MailScanner). 3. Are the MailScanner processes continuously dying and respawning? 4. Are you out of drive space on any filesystem? 5. Were you having the problem *before* you tried upgrading? 6. Enable mailscanner debugging and see if you get anything more useful in the log? > -----Original Message----- > From: Daniel Tan [mailto:danieltan@SHOPNSAVE.COM.SG] > Sent: Wednesday, October 01, 2003 2:20 AM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: help pls... {Scanned by HJMS} > > > urgently needs help.... > i have tried reinstalling my 4.23-11 of MS and even upgrading > SA to 2.60 > nothing seems to be able to jump start my incoming queue > (mqueue.in)...all > mails seems to be just resting in there...not moving...got > nothing from the > log except this > Oct 1 10:24:24 mail root: Process did not exit cleanly, > returned 255 with > signa > l 0 > Oct 1 10:25:04 mail last message repeated 4 times > Oct 1 10:26:14 mail last message repeated 7 times > Oct 1 10:27:24 mail last message repeated 7 times > Oct 1 10:27:44 mail last message repeated 2 times > > what is making it get stuck? i tried not using SA or virus > scanning = none > to locate the problem..but no help... > need Julian or other mailscanner gurus to help me..... > > my f-prot is fp-linux-ws.rpm (version 4.3) > any other details i can give...just ask.... 
>
> Regards,
> Daniel Tan
> 67469188 Ext.665
> DID: 68430665
> MIS Department
> Shop N Save Pte Ltd
> : danieltan@shopnsave.com.sg
>
> [This e-mail is confidential and may also be privileged. If you are not the
> intended recipient, please delete it and notify us immediately; you should
> not copy or use it for any purpose, nor disclose its contents to any other
> person. Thank you.]
>

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. Mailscanner thanks transtec Computers for their support.

--
This message has been scanned for viruses and dangerous content by Email Virus Scanner, and is believed to be clean.

From mike at CAMAROSS.NET Thu Oct 2 05:26:58 2003
From: mike at CAMAROSS.NET (Mike Kercher)
Date: Thu Jan 12 21:20:20 2006
Subject: Maildir and SA Bayes
In-Reply-To:
Message-ID: <003601c3889d$6b48c500$650ba8c0@home.middlefinger.net>

I got this in a Linux Journal newsletter. Thought I'd share it.

If you use Maildir mailboxes, in which each mailbox is a directory and not a file, there's an easy way to train SpamAssassin's Bayesian filter on your spam messages. First, save all spam messages to a folder called spam, from your mailer. Then run this script:

    #!/bin/sh
    # Train SpamAssassin's Bayesian filter on the Maildir "spam" folder.
    SPAMBOX="$HOME/Maildir/spam"
    # Move newly saved messages into cur/; with nothing to move, mv fails and we stop.
    mv "$SPAMBOX"/new/* "$SPAMBOX/cur" > /dev/null 2>&1 || exit 0
    ls "$SPAMBOX"/cur/* | xargs sa-learn --file --spam --showdots
    rm "$SPAMBOX"/cur/*
    # end script

This should work from a cron job, because newly saved Maildir messages are placed in the new subdirectory. The exit 0 ends the script if there is no spam to be examined.

Mike

From raymond at PROLOCATION.NET Thu Oct 2 08:29:05 2003
From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn)
Date: Thu Jan 12 21:20:20 2006
Subject: Forwarding mail
In-Reply-To:
Message-ID:

Hi!

> I am trying to setup Mailscanner and spamassasin on a mail server that
> is supposed to scan the mail then forward it onto the primary mail
> server.
Could anyone point me in a direction on how to configure > sendmail to do the forwarding. You can use the mailertable to do this. Bye, Raymond. From P.G.M.Peters at utwente.nl Thu Oct 2 09:49:55 2003 From: P.G.M.Peters at utwente.nl (Peter Peters) Date: Thu Jan 12 21:20:20 2006 Subject: File ownership In-Reply-To: <5.2.1.1.2.20031001175703.030bb178@imap.ecs.soton.ac.uk> References: <5.2.1.1.2.20031001175703.030bb178@imap.ecs.soton.ac.uk> Message-ID: <6hpnnvcc42me6ppm723hgtt8vmluvflu7g@4ax.com> On Wed, 1 Oct 2003 17:57:21 +0100, you wrote: >At 17:04 01/10/2003, you wrote: >>In /etc/MailScanner/MailScanner.conf I set the user and group to be smmsp >>and restarted MS. Incoming email was put into /var/spool/mqueue.in but the >>owner was root, with group smmsp. The permissions on the inbound mail files >>were 600 and mail just stacked up in the directory and was not delivered. I >>am guessing that this is because MS could not read these files. >> >>I changed MS.conf to set user to root and the mail was processed. >> >>My question is, what controls how the inbound mail files get created > >sendmail. Yes, you should use the same user and group with MailScanner as you configured in sendmail. -- Peter Peters, senior netwerkbeheerder Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE) Universiteit Twente, Postbus 217, 7500 AE Enschede telefoon: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/civ From kfliong at WOFS.COM Thu Oct 2 09:37:05 2003 From: kfliong at WOFS.COM (kfliong) Date: Thu Jan 12 21:20:20 2006 Subject: mailscanner and sendmail dilemma In-Reply-To: <67D9E7698329D411936E00508B6590B902773B34@neelix.lbsltd.co. 
uk> Message-ID: <5.2.1.1.0.20031002161213.03169720@192.168.10.2> > >chkconfig --list sendmail sendmail 0:off 1:off 2:off 3:off 4:off 5:off 6:off >chkconfig --list MailScanner MailScanner 0:off 1:off 2:on 3:on 4:on 5:on 6:off >Then, try running the following: > >service MailScanner stop >service sendmail stop > >wait for a minute then check the output of 'ps ax' to make sure no sendmail >or MailScanner processes remain (kill then with 'kill -HUP ' if they >do), then restart MailScanner: > >service MailScanner start > >then post the relevant lines from /var/log/maillog showing the MailScanner >startup and the processing of a test message through mailscanner. > >Then maybe it'll be obvious to me or someone else as to what is up with your >set-up. > >Kind regards, >Steve. ok, I stopped everything and restarted (which I have already done tons). But could you tell me how to see the processing of a test message through mailscanner? Thanks in advance. >-----Original Message----- >From: kfliong [mailto:kfliong@WOFS.COM] >Sent: 01 October 2003 10:02 >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: mailscanner and sendmail dilemma > >Hi all, > >I know this doesn't seems to be the correct channel to ask for help but I >am out of options. The message below I posted to rackshack (my webserver >host) forum but no one replied after 3 days. I am now posting it here >hoping that the experts here will be able to shed some light into solving >my problem. > >It's quite long so please bear with me. Thanks in advance. > >-------------- > >I am having a problem with sendmail and mailscanner. My problem is that >some of my mails go through sendmail and some through mailscanner. Those >that go through sendmail do not get filter. So, I am still getting lots of >spams and virus. > >Here is my story : > >I have redhat 7.2 with ensim 3.1.10. > >I previously configured procmail to fight spams and virus. Then I found out >about mailscanner. 
Then I installed mailscanner (not sure if I removed >procmail correctly as too long ago). I followed the guide in the forum >how-to to install mailscanner (MS)+f-prot+spamassassin (SA). > >After installing this, it works great. I stop getting spams and virus. Not >long after that, something dreadful happened. What happened, I can only >describe from my memory which is kinda blurry on which event happens first. >I'll try to list them in the correct order. > >I then installed a software called mailwatch. It was at version 0.1 beta. >Installing this software require me to edit the CustomConfig.pm file. Not >sure if this will affect mailscanner in anyway. Still running fine. One >day, my server crashed. Not sure what happened. The whole email system got >affected. Nobody can login to email to check mails. Not even login to ssh. >Only admin and root can login. But websites seems to be still working. I >tried and tried and then not even admin login works. It took a few days for >rackshack tech to bring it back up. I am not sure what they did as they >wouldn't tell me even after I keep pestering them. But I think they did >somesort of restore as all the root, admin, ensim password was reset. > >So, I re-installed mailscanner. This time using mailscanner+clamav+SA howto >(which is btw a great howto). I am not sure if I removed the previous >mailscanner combo correctly. Then mails stating to act weird. A lot of >users are getting mails <<>> in the mails. After searching >around and tailling the maillog and some help, i think this problem is due >to mailscanner and sendmail both fighting to handle the mail and eventually >the message got deleted and being send to the recipient. After trying to >re-install mailscanner, i still have this problem. Eventually, after a few >weeks, this problem went away. I don't know what I did (too many to >remember) but it did go away. But I still have problem of some mails being >handled between sendmail and MS. 
> >Then I upgraded MS, clamav and SA hoping that it will solve this problem. >No good. Still have. I even upgraded to mailwatch to 0.3 (if it's anything >to do with it). Still having some mails being handled by MS and sendmail. >Mailwatch seems to be working fine aside from the virus report not working. > >Anyone have solution to this? I really need some expertise here. Should I >remove MS+clamav+SA totally and re-install? How to clean them completely? I >am waiting for ensim to create the security patch for sendmail which have >the buffer overflow bug. But I guess this does not have anything to do with >my problem. > >What about sendmail.cf file? Is there something I should look inside? >CustomConfig.pm? should I delete mailwatch which I am not sure is affecting >this. BTW, mailwatch is a program that monitors the emails and then create >a database to show the stats of emails through a webgui. > >Thanks for reading my long problem. But if I don't solve this, it will >become longer. Also please bear in mind that in the period of having this >problem unresolved, I also did some upgrade on other part of the system >such as mysql, php, mysqladmin and so on. > >Any suggestion is highly appreciated. Thanks in advance. > >-- >This email and any files transmitted with it are confidential and >intended solely for the use of the individual or entity to whom they >are addressed. If you have received this email in error please notify >the sender and delete the message from your mailbox. > >This footnote also confirms that this email message has been swept by >MailScanner (www.mailscanner.info) for the presence of computer viruses. 
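Added example, not part of any list post: one way to measure the problem described in the message above, where some mail reaches mailboxes without passing the scanner. It reports saved messages that carry no MailScanner header, together with their Received hops, so you can tell mail that never touched the scanning host from mail that passed through it unscanned. The header pattern, the host names and the sample messages are assumptions constructed for illustration.

```python
import email
import re

# Assumption: the scanner stamps a header named X-MailScanner or
# X-<org-name>-MailScanner (the header name is site-configurable).
SCANNER_HEADER = re.compile(r"^X-(?:.+-)?MailScanner$", re.IGNORECASE)
# Host named after "by" in a Received header: the machine that accepted that hop.
BY_HOST = re.compile(r"\bby\s+([^\s;()]+)", re.IGNORECASE)


def received_hops(msg):
    """Return the 'by' host of every Received header, oldest hop first."""
    hops = []
    for value in msg.get_all("Received", []):
        match = BY_HOST.search(value)
        if match:
            hops.append(match.group(1).lower())
    hops.reverse()  # headers are stored newest first
    return hops


def audit(raw_messages, scanner_hosts):
    """List messages with no scanner header and say how they arrived.

    via_scanner False: the message never touched a scanning host, e.g. the
        final mail server is reachable directly as an MX.
    via_scanner True: the message crossed a scanning host but was delivered
        unscanned, e.g. a second sendmail delivering on that host.
    """
    scanner_hosts = {h.lower() for h in scanner_hosts}
    findings = []
    for raw in raw_messages:
        msg = email.message_from_string(raw)
        if any(SCANNER_HEADER.match(name) for name in msg.keys()):
            continue  # scanned, nothing to report
        hops = received_hops(msg)
        findings.append({
            "message_id": msg.get("Message-ID", "(none)"),
            "hops": hops,
            "entry_host": hops[0] if hops else None,
            "via_scanner": any(h in scanner_hosts for h in hops),
        })
    return findings


# Constructed sample messages (not real mail). mx1.example.org is the
# hypothetical scanning host, mailhub.example.org the final mail server.
SAMPLE_MESSAGES = [
    "\n".join([
        "Received: from mx1.example.org by mailhub.example.org with ESMTP id AAA1; Thu, 2 Oct 2003 10:00:05 +0100",
        "Received: from sender.example.net by mx1.example.org with ESMTP id AAA0; Thu, 2 Oct 2003 10:00:00 +0100",
        "X-MailScanner: Found to be clean",
        "Message-ID: <scanned-1@sender.example.net>",
        "Subject: scanned normally",
        "",
        "body",
    ]),
    "\n".join([
        "Received: from sender.example.net by mailhub.example.org with ESMTP id BBB0; Thu, 2 Oct 2003 10:01:00 +0100",
        "Message-ID: <direct-2@sender.example.net>",
        "Subject: delivered straight to the final server",
        "",
        "body",
    ]),
    "\n".join([
        "Received: from mx1.example.org by mailhub.example.org with ESMTP id CCC1; Thu, 2 Oct 2003 10:02:05 +0100",
        "Received: from sender.example.net by mx1.example.org with ESMTP id CCC0; Thu, 2 Oct 2003 10:02:00 +0100",
        "Message-ID: <raced-3@sender.example.net>",
        "Subject: crossed the scanner host unscanned",
        "",
        "body",
    ]),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_MESSAGES, ["mx1.example.org"]):
        where = "through scanner host" if finding["via_scanner"] else "bypassed scanner host"
        print(finding["message_id"], where, " -> ".join(finding["hops"]))
```

Run it over a sample of delivered mail and compare the two groups: messages that bypassed the scanning host point at MX or routing configuration, while messages that crossed it unscanned point at a stray delivering sendmail on that host.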
From P.G.M.Peters at utwente.nl Thu Oct 2 09:53:47 2003 From: P.G.M.Peters at utwente.nl (Peter Peters) Date: Thu Jan 12 21:20:20 2006 Subject: File ownership {Scanned by HJMS} In-Reply-To: <8FFC76593085ED4A80D3601BC41EFCDF8E1CC3@inex1.herffjones.hj-int> References: <8FFC76593085ED4A80D3601BC41EFCDF8E1CC3@inex1.herffjones.hj-int> Message-ID: <3mpnnvo79t4k5on8jdlebd2vs6l956c1rt@4ax.com> On Wed, 1 Oct 2003 11:09:19 -0500, you wrote: >> My question is, what controls how the inbound mail files get >> created so I > >Sendmail. It creates those files, not MailScanner. Not sure whether you >can configure sendmail to use different ownership, nor what the >ramifications might be if you did. Would be interested to find out though. I have configured sendmail to run as user mail since a couple of years. In the past you had to tweak the security settings very thorough but since 8.11 it handles this as what you would expect. When we log in as user mail instead of root, you can still do everything as that user (even kill some sendmail processes). The only thing you can't do is look in user's mailboxes. And I have restricted the use of mailq to only user mail. O yeah, you can't kill the listening sendmail process. -- Peter Peters, senior netwerkbeheerder Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE) Universiteit Twente, Postbus 217, 7500 AE Enschede telefoon: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/civ From steve.freegard at LBSLTD.CO.UK Thu Oct 2 09:58:43 2003 From: steve.freegard at LBSLTD.CO.UK (Steve Freegard) Date: Thu Jan 12 21:20:20 2006 Subject: mailscanner and sendmail dilemma Message-ID: <67D9E7698329D411936E00508B6590B902773B3D@neelix.lbsltd.co.uk> Hello, >>> But could you tell me how to see the processing of a test message through mailscanner? $ tail -f /var/log/maillog Will show sendmail receiving the message to mqueue.in, MailScanner detecting the message and scanning it, and sendmail delivering it to the recipient. Hope this helps. 
Kind regards, Steve. -----Original Message----- From: kfliong [mailto:kfliong@WOFS.COM] Sent: 02 October 2003 08:37 To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: mailscanner and sendmail dilemma > >chkconfig --list sendmail sendmail 0:off 1:off 2:off 3:off 4:off 5:off 6:off >chkconfig --list MailScanner MailScanner 0:off 1:off 2:on 3:on 4:on 5:on 6:off >Then, try running the following: > >service MailScanner stop >service sendmail stop > >wait for a minute then check the output of 'ps ax' to make sure no sendmail >or MailScanner processes remain (kill then with 'kill -HUP ' if they >do), then restart MailScanner: > >service MailScanner start > >then post the relevant lines from /var/log/maillog showing the MailScanner >startup and the processing of a test message through mailscanner. > >Then maybe it'll be obvious to me or someone else as to what is up with your >set-up. > >Kind regards, >Steve. ok, I stopped everything and restarted (which I have already done tons). But could you tell me how to see the processing of a test message through mailscanner? Thanks in advance. >-----Original Message----- >From: kfliong [mailto:kfliong@WOFS.COM] >Sent: 01 October 2003 10:02 >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: mailscanner and sendmail dilemma > >Hi all, > >I know this doesn't seems to be the correct channel to ask for help but I >am out of options. The message below I posted to rackshack (my webserver >host) forum but no one replied after 3 days. I am now posting it here >hoping that the experts here will be able to shed some light into solving >my problem. > >It's quite long so please bear with me. Thanks in advance. > >-------------- > >I am having a problem with sendmail and mailscanner. My problem is that >some of my mails go through sendmail and some through mailscanner. Those >that go through sendmail do not get filter. So, I am still getting lots of >spams and virus. > >Here is my story : > >I have redhat 7.2 with ensim 3.1.10. 
> >I previously configured procmail to fight spams and virus. Then I found out >about mailscanner. Then I installed mailscanner (not sure if I removed >procmail correctly as too long ago). I followed the guide in the forum >how-to to install mailscanner (MS)+f-prot+spamassassin (SA). > >After installing this, it works great. I stop getting spams and virus. Not >long after that, something dreadful happened. What happened, I can only >describe from my memory which is kinda blurry on which event happens first. >I'll try to list them in the correct order. > >I then installed a software called mailwatch. It was at version 0.1 beta. >Installing this software require me to edit the CustomConfig.pm file. Not >sure if this will affect mailscanner in anyway. Still running fine. One >day, my server crashed. Not sure what happened. The whole email system got >affected. Nobody can login to email to check mails. Not even login to ssh. >Only admin and root can login. But websites seems to be still working. I >tried and tried and then not even admin login works. It took a few days for >rackshack tech to bring it back up. I am not sure what they did as they >wouldn't tell me even after I keep pestering them. But I think they did >somesort of restore as all the root, admin, ensim password was reset. > >So, I re-installed mailscanner. This time using mailscanner+clamav+SA howto >(which is btw a great howto). I am not sure if I removed the previous >mailscanner combo correctly. Then mails stating to act weird. A lot of >users are getting mails <<>> in the mails. After searching >around and tailling the maillog and some help, i think this problem is due >to mailscanner and sendmail both fighting to handle the mail and eventually >the message got deleted and being send to the recipient. After trying to >re-install mailscanner, i still have this problem. Eventually, after a few >weeks, this problem went away. I don't know what I did (too many to >remember) but it did go away. 
But I still have problem of some mails being >handled between sendmail and MS. > >Then I upgraded MS, clamav and SA hoping that it will solve this problem. >No good. Still have. I even upgraded to mailwatch to 0.3 (if it's anything >to do with it). Still having some mails being handled by MS and sendmail. >Mailwatch seems to be working fine aside from the virus report not working. > >Anyone have solution to this? I really need some expertise here. Should I >remove MS+clamav+SA totally and re-install? How to clean them completely? I >am waiting for ensim to create the security patch for sendmail which have >the buffer overflow bug. But I guess this does not have anything to do with >my problem. > >What about sendmail.cf file? Is there something I should look inside? >CustomConfig.pm? should I delete mailwatch which I am not sure is affecting >this. BTW, mailwatch is a program that monitors the emails and then create >a database to show the stats of emails through a webgui. > >Thanks for reading my long problem. But if I don't solve this, it will >become longer. Also please bear in mind that in the period of having this >problem unresolved, I also did some upgrade on other part of the system >such as mysql, php, mysqladmin and so on. > >Any suggestion is highly appreciated. Thanks in advance. > >-- >This email and any files transmitted with it are confidential and >intended solely for the use of the individual or entity to whom they >are addressed. If you have received this email in error please notify >the sender and delete the message from your mailbox. > >This footnote also confirms that this email message has been swept by >MailScanner (www.mailscanner.info) for the presence of computer viruses. -- This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the sender and delete the message from your mailbox. 
This footnote also confirms that this email message has been swept by MailScanner (www.mailscanner.info) for the presence of computer viruses. From raymond at PROLOCATION.NET Thu Oct 2 10:00:12 2003 From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:20:20 2006 Subject: mailscanner and sendmail dilemma In-Reply-To: <5.2.1.1.0.20031002161213.03169720@192.168.10.2> Message-ID: Hi! > ok, I stopped everything and restarted (which I have already done tons). > But could you tell me how to see the processing of a test message through > mailscanner? Either look in /var/log/maillog or look on the headers of the processed mail. Bye, Raymond. From t.d.lee at DURHAM.AC.UK Thu Oct 2 10:12:11 2003 From: t.d.lee at DURHAM.AC.UK (David Lee) Date: Thu Jan 12 21:20:20 2006 Subject: Diagram of Mail Flow In-Reply-To: <9BDD6D4AD0795C46974D7D46C17883B8080AFEDE@ahm_exchange2> References: <9BDD6D4AD0795C46974D7D46C17883B8080AFEDE@ahm_exchange2> Message-ID: On Wed, 1 Oct 2003, Jason Burzenski wrote: > The latest version of the MailScanner Process Overview diagram (visio and > jpg format) is available at the following URL courtesy of Fortress Systems > LTD. > > http://www.fsl.com/MS-process.htm > > Julian has also been kind enough to link to this diagram from the > MailScanner Features and Description Page > (http://www.sng.ecs.soton.ac.uk/mailscanner/readme.shtml). > > I would like to thank everyone who provided feedback on the first few drafts > of this document. If anyone has any recommendations for improvement, please > forward them to me or post them to the list. A most useful contribution. Thanks. Would it be possible to make a "printer-friendly" version of the diagram in a common graphics format (png, gif, jpg, ...)? It would omit the HTML navigation panel, etc. Two possibilities (there may be more): 1. A link to the png, gif, jpg, ... 2. 
Given that you use "css", then some sort of additional "media=print" capability, to suppress the unnecessary-for-print features. I was able to fudge it by examining the source URL and typing in the name of the unearthed "jpg" file, but this procedure is clearly sub-optimal(!) and also doesn't include any "source attribution" and copyright information that you might wish to see retained on such a page. Could you also indicate somehow, somewhere, what use other sites might legitimately make of it? For instance, it would make a useful insert for documentation within a Systems Support department, if your copyright would permit it. Hope that helps. Thanks again. -- : David Lee I.T. Service : : Systems Programmer Computer Centre : : University of Durham : : http://www.dur.ac.uk/t.d.lee/ South Road : : Durham : : Phone: +44 191 334 2752 U.K. : From Kevin.Spicer at BMRB.CO.UK Thu Oct 2 10:26:21 2003 From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin) Date: Thu Jan 12 21:20:20 2006 Subject: Diagram of Mail Flow Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0016496F3@pascal.priv.bmrb.co.uk> David Lee wrote: > A most useful contribution. Thanks. > > Would it be possible to make a "printer-friendly" version of the > diagram in a common graphics format (png, gif, jpg, ...)? It would > omit the HTML navigation panel, etc. > > Two possibilities (there may be more): > 1. A link to the png, gif, jpg, ... > > 2. Given that you use "css", then some sort of additional > "media=print" capability, to suppress the unnecessary-for-print > features. IE: Right click 'print picture' or 'save picture as' Mozilla: Right click 'view image' or 'save image as' Opera: Right click 'copy image address' [then paste into address bar] or 'Save image...' 
Lynx: forget it ;-) BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. From dh at UPTIME.AT Thu Oct 2 10:31:56 2003 From: dh at UPTIME.AT (=?ISO-8859-1?Q?=22D=2E_H=F6hn=22?=) Date: Thu Jan 12 21:20:20 2006 Subject: Diagram of Mail Flow In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB0016496F3@pascal.priv.bmrb.co.uk> References: <5C0296D26910694BB9A9BBFC577E7AB0016496F3@pascal.priv.bmrb.co.uk> Message-ID: <3F7BF08C.9020506@uptime.at> -----BEGIN PGP SIGNED MESSAGE----- Hash: RIPEMD160 Spicer, Kevin said the following on 10/2/03 11:26 AM: > David Lee wrote: > >>A most useful contribution. Thanks. >> >>Would it be possible to make a "printer-friendly" version of the >>diagram in a common graphics format (png, gif, jpg, ...)? It would >>omit the HTML navigation panel, etc. >> >>Two possibilities (there may be more): >>1. A link to the png, gif, jpg, ... >> >>2. Given that you use "css", then some sort of additional >> "media=print" capability, to suppress the unnecessary-for-print >>features. > > > IE: Right click 'print picture' or 'save picture as' > Mozilla: Right click 'view image' or 'save image as' > Opera: Right click 'copy image address' [then paste into address bar] or 'Save image...' 
> Lynx: forget it ;-)
>
>

Safari (Mac os X) Drag to the printer icon -- done

I win

SCNR
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (Darwin)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQE/e/CQiW/Ta/pxHPQRA/LMAKDGotx3cBjOBnMSKauqJ6z10jxqNwCePkun
mV7RiES9diLzW61Rm3bKFrw=
=RuiT
-----END PGP SIGNATURE-----

From dean.plant at ROKE.CO.UK Thu Oct 2 10:46:58 2003
From: dean.plant at ROKE.CO.UK (Plant, Dean)
Date: Thu Jan 12 21:20:20 2006
Subject: Problem with Spamassassin v2.6.
Message-ID:

Hi,

Currently using:
MailScanner 4.21-9
Redhat 8.0
Sendmail
Dcc
Razor
SpamAssassin

Problem:
Since upgrading to SpamAssassin v2.6 I have seen a slight increase in the amount of spam mail being missed. I have manually re-run a couple of messages through spamassassin with debug on my main server and my backup server (both running the same configuration) and found that they seem to be giving quite different results from the bayesian detection. 2 samples of missed spam mail had the below results. The Main server also has the message "X-Mail-Format-Warning: Bad RFC2822 header formatting in ??^Q?" at the start of the debug output, the backup server did not. Would it be best for me to remove the bayesian database and start from scratch or is there a better way to proceed?

Thanks

Dean Plant

Test Results.
Main server Mail1

Content analysis details: (2.2 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 1.0 FROM_ENDS_IN_NUMS      From: ends in numbers
-4.9 BAYES_00               BODY: Bayesian spam probability is 0 to 1%
                            [score: 0.0000]
 1.9 MIME_QP_DEFICIENT      RAW: Deficient quoted-printable encoding in body
 4.1 HEAD_ILLEGAL_CHARS     Header contains too many raw illegal characters
 0.1 CLICK_BELOW            Asks you to click below
 0.0 UPPERCASE_25_50        message body is 25-50% uppercase

Backup Server Mail1

Content analysis details: (12.5 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 1.0 FROM_ENDS_IN_NUMS      From: ends in numbers
 5.4 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
                            [score: 1.0000]
 1.9 MIME_QP_DEFICIENT      RAW: Deficient quoted-printable encoding in body
 4.1 HEAD_ILLEGAL_CHARS     Header contains too many raw illegal characters
 0.1 CLICK_BELOW            Asks you to click below
 0.0 UPPERCASE_25_50        message body is 25-50% uppercase

Main server Mail2

Content analysis details: (1.5 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 0.2 NO_REAL_NAME           From: does not include a real name
 0.1 HTML_LINK_CLICK_HERE   BODY: HTML link text says "click here"
 0.2 HTML_TAG_BALANCE_A     BODY: HTML has excess "a" close tags
 0.1 HTML_MESSAGE           BODY: HTML included in message
-4.9 BAYES_00               BODY: Bayesian spam probability is 0 to 1%
                            [score: 0.0000]
 1.6 LINK_TO_NO_SCHEME      BODY: Contains link without http:// prefix
 4.1 HEAD_ILLEGAL_CHARS     Header contains too many raw illegal characters
 0.1 CLICK_BELOW            Asks you to click below

Backup server Mail2

Content analysis details: (11.8 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 0.2 NO_REAL_NAME           From: does not include a real name
 0.1 HTML_LINK_CLICK_HERE   BODY: HTML link text says "click here"
 0.2 HTML_TAG_BALANCE_A     BODY: HTML has excess "a" close tags
 0.1 HTML_MESSAGE           BODY: HTML included in message
 5.4 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
                            [score: 1.0000]
 1.6 LINK_TO_NO_SCHEME      BODY: Contains link without http:// prefix
 4.1 HEAD_ILLEGAL_CHARS     Header contains too many raw illegal characters
 0.1 CLICK_BELOW            Asks you to click below

--
Registered Office: Roke Manor Research Ltd, Siemens House, Oldbury, Bracknell, Berkshire. RG12 8FZ

The information contained in this e-mail and any attachments is confidential to Roke Manor Research Ltd and must not be passed to any third party without permission. This communication is for information only and shall not create or change any contractual relationship.

From martinh at SOLID-STATE-LOGIC.COM Thu Oct 2 09:04:53 2003
From: martinh at SOLID-STATE-LOGIC.COM (Martin Hepworth)
Date: Thu Jan 12 21:20:20 2006
Subject: Two Installations of Perl!
In-Reply-To: <3F7B5B6A.1000302@greyhair.net>
References: <5.2.0.9.2.20031001164703.04213ca8@imap.ecs.soton.ac.uk> <3F7B5B6A.1000302@greyhair.net>
Message-ID: <3F7BDC25.30906@solid-state-logic.com>

greyhair wrote:
> I know it is EVIL to have two installations of perl. My server is, i
> guess, possessed.
> Question: how do I tell the system to use one version over the other??
> Is there a
> simple *QUICK* way??
>
> Thanks for any advice. Please note *QUICK*, thank you.

Hi

those of us running freebsd and employ the ports version of perl always have two perls installed - the system one and the ports one.

There's a couple of scripts that change /usr/bin/perl to point at the appropriate binary, which in turn have their own perllib paths etc built in.

--
Martin Hepworth
Senior Systems Administrator
Solid State Logic Ltd
+44 (0)1865 842300

**********************************************************************
This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed.
If you have received this email in error please notify the system manager.

This footnote also confirms that this email message has been swept by MIMEsweeper for the presence of computer viruses.

www.mimesweeper.com
**********************************************************************

From ugob at CAMO-ROUTE.COM Thu Oct 2 11:14:41 2003
From: ugob at CAMO-ROUTE.COM (Ugo Bellavance)
Date: Thu Jan 12 21:20:20 2006
Subject: mailscanner and sendmail dilemma
Message-ID: <54C38A0B814C8E438EF73FC76F3629273ADF4E@mtlnt501fs.CAMOROUTE.COM>

> ok, I stopped everything and restarted (which I have already
> done tons).
> But could you tell me how to see the processing of a test
> message through
> mailscanner?
>
> Thanks in advance.
>
>

look at your logs, usually /var/log/maillog

to see it in real-time

tail -f /var/log/maillog

You should see entries from mailscanner.

You can also look at received messages headers.

UGo

From alan at ESSEX.AC.UK Thu Oct 2 11:26:31 2003
From: alan at ESSEX.AC.UK (Stanier, Alan M)
Date: Thu Jan 12 21:20:20 2006
Subject: MailScanner repeatedly restarting
Message-ID: <76D7B4C0D1A36245AA5678275A410F00019DDF@sernt4.essex.ac.uk>

I've just installed MailScanner 4.23-11 on RedHat9

When I start it up, I see messages in /var/adm/maillog every 10 seconds, saying it is starting, and have various defunct MS processes.

Can anyone suggest what I might have done wrong, please?

[root@serlinux15 MailScanner-4.23-11]# cd /var/adm
[root@serlinux15 adm]# tail -f maillog
Oct 2 11:17:15 serlinux15 MailScanner[22187]: MailScanner E-Mail Virus Scanner version 4.23-11 starting...
Oct 2 11:17:25 serlinux15 MailScanner[22188]: MailScanner E-Mail Virus Scanner version 4.23-11 starting...
Oct 2 11:17:35 serlinux15 MailScanner[22198]: MailScanner E-Mail Virus Scanner version 4.23-11 starting...
Oct 2 11:17:45 serlinux15 MailScanner[22199]: MailScanner E-Mail Virus Scanner version 4.23-11 starting...
Oct 2 11:17:55 serlinux15 MailScanner[22200]: MailScanner E-Mail Virus Scanner version 4.23-11 starting...
Oct 2 11:18:05 serlinux15 MailScanner[22202]: MailScanner E-Mail Virus Scanner version 4.23-11 starting...
Oct 2 11:18:15 serlinux15 MailScanner[22203]: MailScanner E-Mail Virus Scanner version 4.23-11 starting...
Oct 2 11:18:25 serlinux15 MailScanner[22204]: MailScanner E-Mail Virus Scanner version 4.23-11 starting...

[root@serlinux15 adm]#
[root@serlinux15 adm]# !ps
ps wgaux | grep mail
mail 31963 0.0 0.2 3284 1032 ? S Oct01 0:00 /usr/sbin/exim -C /essex/exim/serlinux15_outgoing -q1m
mail 2460 0.0 0.2 3296 1076 ? S Oct01 0:02 /usr/sbin/exim -C /essex/exim/serlinux15_incoming -bd
mail 21878 0.0 2.3 15804 11988 ? S 11:04 0:00 /usr/bin/perl -I/usr/lib/MailScanner /usr/sbin/MailScanner /etc/MailScanner/MailScanner.conf
mail 21879 0.0 0.0 0 0 ? Z 11:04 0:00 [MailScanner ]
mail 21895 0.0 0.0 0 0 ? Z 11:04 0:00 [MailScanner ]
mail 21909 0.0 0.0 0 0 ? Z 11:04 0:00 [MailScanner ]
mail 21919 0.0 0.0 0 0 ? Z 11:04 0:00 [MailScanner ]
mail 22229 2.0 0.0 0 0 ? Z 11:19 0:00 [MailScanner ]
root 22231 0.0 0.1 3584 616 pts/0 S 11:19 0:00 grep mail

--------
Alan Stanier
Essex University Information Systems Services Systems Group

From david at PLATFORMHOSTING.COM Thu Oct 2 11:52:16 2003
From: david at PLATFORMHOSTING.COM (David Hooton)
Date: Thu Jan 12 21:20:20 2006
Subject: Inline SPAM warnings {Scanned by HJMS}
In-Reply-To: <1065061767.1632.225.camel@bretsony>
References: <8FFC76593085ED4A80D3601BC41EFCDF8E1CCA@inex1.herffjones.hj-int> <3F7B597A.2060100@pacific.net> <1065061767.1632.225.camel@bretsony>
Message-ID: <3F7C0360.4080302@platformhosting.com>

Thanks guys, this is all well and good, but I'm not concerned with MUA functionality, I'm concerned with MailScanner's inline reports not being universally visible. If we have to ask clients to alter their MUA's just to see a warning it's not a great situation.

What I want to know is:

Is this a configuration issue on my part?
(the warning is set to not be attached, which I thought meant it would be displayed inline)

If it's not a config issue, what do I need to do in order to fix it.

--
Regards,

David Hooton
Senior Partner
Platform Hosting
1300 85 HOST
www.platformhosting.com

========================================================================
This message has been scanned for spam & viruses by Mail Security.
To report SPAM forward the message to: spam@mailsecurity.net.au
Mail Security
www.mailsecurity.net.au
========================================================================

From LISTSERV at JISCMAIL.AC.UK Thu Oct 2 12:13:20 2003
From: LISTSERV at JISCMAIL.AC.UK (L-Soft list server at JISCMAIL (1.8e))
Date: Thu Jan 12 21:20:20 2006
Subject: Rejected posting to MAILSCANNER@JISCMAIL.AC.UK
Message-ID:

Your message is being returned to you unprocessed because it looks like a LISTSERV command, rather than material intended for distribution to the members of the MAILSCANNER list. Please note that LISTSERV commands must ALWAYS be sent to the LISTSERV address; if it was indeed a command you were attempting to issue, please send it again to LISTSERV@JISCMAIL.AC.UK for execution. Otherwise, please accept our apologies and try to rewrite the message with a slightly different wording - for instance, change the first word of the message, enclose it in quotation marks, insert a line of dashes at the beginning of your message, etc.

-------------- next part --------------
An embedded message was scrubbed...
From: Julian Field
Subject: Re: MailScanner repeatedly restarting
Date: Thu, 02 Oct 2003 12:06:24 +0100
Size: 3978
Url: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20031002/0e719bf4/attachment.mht

From David.While at UCE.AC.UK Thu Oct 2 13:39:21 2003
From: David.While at UCE.AC.UK (David While)
Date: Thu Jan 12 21:20:20 2006
Subject: Another one bites the dust!
Message-ID: <107DE25EC0216C45AEF670016024245F6F50@exchangea.staff.uce.ac.uk>

Dorkslayers RBL is no more see http://www.dorkslayers.com/

-----------------------------------------------------------------
David While
Technical Development Manager
Faculty of Computing, Information & English
University of Central England
Tel: 0121 331 6211
-----------------------------------------------------------------

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20031002/01a920dd/attachment.html

From Kevin.Spicer at BMRB.CO.UK Thu Oct 2 13:55:19 2003
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin)
Date: Thu Jan 12 21:20:20 2006
Subject: Another one bites the dust!
Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0016496FE@pascal.priv.bmrb.co.uk>

David While wrote:
> Dorkslayers RBL is no more see http://www.dorkslayers.com/

Actually it's been dead since May, but Verislime's recent actions have caused it to start returning an IP rather than NXDOMAIN - which is biting those who hadn't removed it from their configurations.

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000
_________________________________________________________________
This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business.

From Chris.Campbell at FAC.COM Thu Oct 2 14:10:03 2003
From: Chris.Campbell at FAC.COM (Chris Campbell)
Date: Thu Jan 12 21:20:20 2006
Subject: sa learn with hundred of users on a gateway box
Message-ID:

I was wondering if anyone has a similar situation....
I have 4 mailscanner boxes that are in the DMZ ... merely scan for virii and spam, then forward on ...

I need to setup some sort of spam email account so that users can forward and sa-learn can do its magic.

I currently have a spam account setup, that has over 2000 spam messages from various users....but the question is:

Since these emails are already forwarded from an internal user...won't this mess up sa-learn? The FROM will always be from user@ourdomain.com .....

Is anyone else in a similar situation..and does anyone have any opinions?

Thanks.

.....................................
Christopher S. Campbell
UNIX Admin
First Albany Corp

From steve.freegard at LBSLTD.CO.UK Thu Oct 2 14:18:01 2003
From: steve.freegard at LBSLTD.CO.UK (Steve Freegard)
Date: Thu Jan 12 21:20:20 2006
Subject: sa learn with hundred of users on a gateway box
Message-ID: <67D9E7698329D411936E00508B6590B902773B46@neelix.lbsltd.co.uk>

Hi Chris,

What MUA do your users use?

If you are using Exchange/Outlook then options are limited as Exchange won't allow you to 'resend' the message or it mangles the headers - have a look back through the archives and in the SpamAssassin-users archives for a solution that works using Public Folders.

If you aren't using Exchange, then you're better off as most MUA's will allow you to either 'Bounce' or 'Resend' the spam messages to your spam box.

Hope this helps.

Kind regards,
Steve.

-----Original Message-----
From: Chris Campbell [mailto:Chris.Campbell@FAC.COM]
Sent: 02 October 2003 13:10
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: sa learn with hundred of users on a gateway box

I was wondering if anyone has a similar situation....

I have 4 mailscanner boxes that are in the DMZ ... merely scan for virii and spam, then forward on ...

I need to setup some sort of spam email account so that users can forward and sa-learn can do its magic.
I currently have a spam account setup, that has over 2000 spam messages from various users....but the question is:

Since these emails are already forwarded from an internal user...won't this mess up sa-learn? The FROM will always be from user@ourdomain.com .....

Is anyone else in a similar situation..and does anyone have any opinions?

Thanks.

.....................................
Christopher S. Campbell
UNIX Admin
First Albany Corp

--
This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the sender and delete the message from your mailbox.

This footnote also confirms that this email message has been swept by MailScanner (www.mailscanner.info) for the presence of computer viruses.

From dh at UPTIME.AT Thu Oct 2 14:15:21 2003
From: dh at UPTIME.AT (=?ISO-8859-1?Q?=22D=2E_H=F6hn=22?=)
Date: Thu Jan 12 21:20:20 2006
Subject: sa learn with hundred of users on a gateway box
In-Reply-To:
References:
Message-ID: <3F7C24E9.3060700@uptime.at>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

>
> Is anyone else in a similar situation..and does anyone have any opinions?
>

Users should be taught to forward the message as attachment. There are various scripts which can extract the attachment and thus feed the original message with the original header back to the sa-learn-

- -d
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (Darwin)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQE/fCTtiW/Ta/pxHPQRA4z8AJ0aYtJ02GeOOjInFfv0zWH2wPkTlACgjrwB
lWm7WPFoCAKzneU9kyQA2K8=
=MYAl
-----END PGP SIGNATURE-----

From Chris.Campbell at FAC.COM Thu Oct 2 14:19:15 2003
From: Chris.Campbell at FAC.COM (Chris Campbell)
Date: Thu Jan 12 21:20:20 2006
Subject: sa learn with hundred of users on a gateway box
Message-ID:

Very nice... now if I could figure out how to have lotus notes forward as attachments.....
.....................................
Christopher S. Campbell
UNIX Admin
First Albany Corp
518.447.8544
chris.campbell@fac.com

"D. Höhn"
Sent by: MailScanner mailing list
10/02/2003 09:15 AM
Please respond to MailScanner mailing list

To: MAILSCANNER@JISCMAIL.AC.UK
cc:
Subject: Re: sa learn with hundred of users on a gateway box

-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

>
> Is anyone else in a similar situation..and does anyone have any opinions?
>

Users should be taught to forward the message as attachment. There are various scripts which can extract the attachment and thus feed the original message with the original header back to the sa-learn-

- -d
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (Darwin)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQE/fCTtiW/Ta/pxHPQRA4z8AJ0aYtJ02GeOOjInFfv0zWH2wPkTlACgjrwB
lWm7WPFoCAKzneU9kyQA2K8=
=MYAl
-----END PGP SIGNATURE-----

From marco at MUW.EDU Thu Oct 2 14:35:47 2003
From: marco at MUW.EDU (Marco Obaid)
Date: Thu Jan 12 21:20:20 2006
Subject: sa learn with hundred of users on a gateway box
In-Reply-To:
References:
Message-ID: <1065101747.3f7c29b3301ea@webmail.MUW.Edu>

Hi,

> Since these emails are already forwarded from an internal user...won't this
> mess up sa-learn? The FROM will always
> be from user@ourdomain.com .....

Forwarding will re-write the original message header and therefore you may get unpredictable results. "Bounce" or "Redirect" a message is what works.

On my site, we use IMP Webmail which has "Report As Spam" feature.
Basically, if the user determines that a message is spam, they click on this link, which "redirects" the message to a "spam" account that I setup. Once or twice a day I review this account, just in case something was unintentionally reported. Finally, I run the sa-learn script. This has been working great for me so far.

Others on this list may have different approaches to your question.

Marco

_________________________________________________________________
This mail is sent through MUW Webmail: http://www.MUW.Edu/webmail
For the latest MUW Events, visit http://www.MUW.Edu/calendar

From dh at UPTIME.AT Thu Oct 2 14:25:32 2003
From: dh at UPTIME.AT (=?ISO-8859-1?Q?=22D=2E_H=F6hn=22?=)
Date: Thu Jan 12 21:20:20 2006
Subject: sa learn with hundred of users on a gateway box
In-Reply-To:
References:
Message-ID: <3F7C274C.7080302@uptime.at>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

Chris Campbell said the following on 10/2/03 3:19 PM:
> Very nice... now if I could figure out how to have lotus notes forward as
> attachments.....
> .....................................

I have to apologise, I did not take the MUA question into account. I do not know if Lotus offers that at all, we use Mail.app (which can redirect) or Thunderbird (which can forward), the rest I have not looked into yet

- -d
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (Darwin)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQE/fCdMiW/Ta/pxHPQRA52ZAKCtqgNdmWC0VK8LVnmUxt3TwXtwjACeJBt0
vNK1BVIJ2+ImaIHprH7YQKo=
=NlLU
-----END PGP SIGNATURE-----

From chris at TRUDEAU.ORG Thu Oct 2 14:52:06 2003
From: chris at TRUDEAU.ORG (Chris Trudeau)
Date: Thu Jan 12 21:20:20 2006
Subject: sa learn with hundred of users on a gateway box
References:
Message-ID: <011b01c388ec$5e6bfa60$8718000a@ATLCPW13671>

One option we are looking into for a customer... is to have Notes users "drag and drop" spam messages into a shared folder in notes.
bundle up the .nsf nightly and send that to us where we convert it to MBOX and roll through the sa-learn function.

CT

----- Original Message -----
From: "Chris Campbell"
To:
Sent: Thursday, October 02, 2003 9:19 AM
Subject: Re: sa learn with hundred of users on a gateway box

Very nice... now if I could figure out how to have lotus notes forward as attachments.....

.....................................
Christopher S. Campbell
UNIX Admin
First Albany Corp
518.447.8544
chris.campbell@fac.com

"D. Höhn"
Sent by: MailScanner mailing list
10/02/2003 09:15 AM
Please respond to MailScanner mailing list

To: MAILSCANNER@JISCMAIL.AC.UK
cc:
Subject: Re: sa learn with hundred of users on a gateway box

-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

>
> Is anyone else in a similar situation..and does anyone have any opinions?
>

Users should be taught to forward the message as attachment.
There are various scripts which can extract the attachment and thus feed the original message with the original header back to the sa-learn-

- -d
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (Darwin)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQE/fCTtiW/Ta/pxHPQRA4z8AJ0aYtJ02GeOOjInFfv0zWH2wPkTlACgjrwB
lWm7WPFoCAKzneU9kyQA2K8=
=MYAl
-----END PGP SIGNATURE-----

From marco at MUW.EDU Thu Oct 2 15:09:43 2003
From: marco at MUW.EDU (Marco Obaid)
Date: Thu Jan 12 21:20:20 2006
Subject: sa learn with hundred of users on a gateway box
In-Reply-To: <1065101747.3f7c29b3301ea@webmail.MUW.Edu>
References: <1065101747.3f7c29b3301ea@webmail.MUW.Edu>
Message-ID: <1065103783.3f7c31a72b0c8@webmail.MUW.Edu>

Hi,

> What version of IMP do you use? We also use IMP but I don't have such a
> button. Have you implemented it yourself?

I use IMP 3.2 and I believe this feature has always been there even in IMP 2.x. At any rate, go to your ../horde/imp/config and open conf.php.

Here is my section in conf.php:

**********************************************************************
/**
 ** Spam Reporting
 **/

// Should we display a "report this message as spam" link in the
// message view?
$conf['spam']['reporting'] = true;

// If so, where should those messages be reported to?
$conf['spam']['email'] = 'spam@' . $GLOBALS['registry']->getPara('server_name');
*********************************************************************

Hope this helps

Marco

_________________________________________________________________
This mail is sent through MUW Webmail: http://www.MUW.Edu/webmail
For the latest MUW Events, visit http://www.MUW.Edu/calendar

From mbowman at UDCOM.COM Thu Oct 2 14:59:59 2003
From: mbowman at UDCOM.COM (Matthew Bowman)
Date: Thu Jan 12 21:20:20 2006
Subject: SpamAssassin scores question (feature request?)
Message-ID:

Hello,

These are my current settings

Required SpamAssassin Score = 4
High SpamAssassin Score = 12

A client of ours whose mail is routed through both mailscanner boxes is still getting a substantial amount of spam through untagged. Is there a way to have a separate score and high score per domain?

For example

Required SpamAssassin Score = /etc/MailScanner/rules/spam.scores.rules
High SpamAssassin Score = /etc/MailScanner/rules/high.spam.scores.rules

Then in each file

To: abc.com 3
To: default 4

To: abc.com 10
To: default 12

You may ask why don't they blacklist the domains, well some are but they are getting bombarded with hundreds of different e-mails from different domains and it's too much maintenance.

Both of my mailscanner boxes are Redhat with MS 4.23-11 and SA 2.60-1 w/ razor2. I haven't setup dcc and/or pyzor...

Any advice?

Many thanks

Matthew.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20031002/09e59b7f/attachment.html

From P.G.M.Peters at utwente.nl Thu Oct 2 14:43:57 2003
From: P.G.M.Peters at utwente.nl (Peter Peters)
Date: Thu Jan 12 21:20:20 2006
Subject: sa learn with hundred of users on a gateway box
In-Reply-To: <1065101747.3f7c29b3301ea@webmail.MUW.Edu>
References: <1065101747.3f7c29b3301ea@webmail.MUW.Edu>
Message-ID:

On Thu, 2 Oct 2003 08:35:47 -0500, you wrote:

>> Since these emails are already forwarded from an internal user...won't this
>> mess up sa-learn? The FROM will always
>> be from user@ourdomain.com .....
>
>Forwarding will re-write the original message header and therefore you may get
>unpredictable results. "Bounce" or "Redirect" a message is what works.
>On my site, we use IMP Webmail which has "Report As Spam" feature. Basically,
>if the user determines that a message is spam, they click on this link,
>which "redirects" the message to a "spam" account that I setup.

What version of IMP do you use?
We also use IMP but I don't have such a button. Have you implemented it yourself?

--
Peter Peters, senior network administrator
Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE)
Universiteit Twente, Postbus 217, 7500 AE Enschede
telephone: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/civ

From TGFurnish at HERFF-JONES.COM Thu Oct 2 15:08:40 2003
From: TGFurnish at HERFF-JONES.COM (Furnish, Trever G)
Date: Thu Jan 12 21:20:20 2006
Subject: Inline SPAM warnings {Scanned by HJMS}
Message-ID: <8FFC76593085ED4A80D3601BC41EFCDF0C080A@inex1.herffjones.hj-int>

> -----Original Message-----
> From: Ken Anderson [mailto:ka@PACIFIC.NET]
> Sent: Wednesday, October 01, 2003 5:47 PM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: Inline SPAM warnings {Scanned by HJMS}
>
> mozilla's "view->attachments inline" allows you to adjust
> this behavior,
> as does Outlook (somewhere...)
> Ken A.

That's NOT the desired behavior. The desired behavior is that the MUA display inline those parts marked with a disposition of "inline" and ONLY those parts.

If you check the actual content of a message sent with action set to "attach deliver", you'll note that the warning is meant to be displayed inline but the original message isn't.

However Outlook ignores the inline disposition setting for the warning when the content-type is multipart/digest. It seems to honor the content-disposition setting however when the content-type is multipart/report.

I still wonder why though...

From shrek-m at GMX.DE Thu Oct 2 15:16:34 2003
From: shrek-m at GMX.DE (shrek-m@gmx.de)
Date: Thu Jan 12 21:20:20 2006
Subject: MailScanner.conf.rpmnew
Message-ID: <3F7C3342.4000408@gmx.de>

hi,

how do you ...
- check the actual config-file
- export these settings
- compare with the new MailScanner.conf.rpmnew
- import the old settings into the new MailScanner.conf
... ?
4.22-5 -> 4.23-11, only 1 day-test (with the old-config) -> 4.24-3

# diff MailScanner.conf.rpmnew MailScanner.conf | wc -l
231
# wc -l MailScanner.conf.rpmnew
1256 MailScanner.conf.rpmnew
# grep ^[%A-Z] MailScanner.conf.rpmnew | wc -l
167
# grep ^[%A-Z] MailScanner.conf | wc -l
154
# grep ^[%A-Z] MailScanner.conf > ms-conf
# grep ^[%A-Z] MailScanner.conf.rpmnew > ms-conf-rpmnew
# diff ms-conf ms-conf-rpmnew | wc -l
304
# grep ^[%A-Z] MailScanner.conf | sort > ms-conf
# grep ^[%A-Z] MailScanner.conf-funz-4.23x | sort > ms-conf-rpmnew
# diff ms-conf ms-conf-rpmnew | wc -l
76

$ grep ^[%A-Z] MailScanner.conf.rpmnew | awk -F= '{print $1}'
%report-dir%
%etc-dir%
%rules-dir%
%org-name%
Max Children
Run As User
Run As Group
Queue Scan Interval
Incoming Queue Dir
Outgoing Queue Dir
Incoming Work Dir
Quarantine Dir
PID file
Restart Every
MTA
Sendmail
Sendmail2
Max Unscanned Bytes Per Scan
Max Unsafe Bytes Per Scan
Max Unscanned Messages Per Scan
Max Unsafe Messages Per Scan
Max Normal Queue Size
Maximum Attachments Per Message
Expand TNEF
Deliver Unparsable TNEF
TNEF Expander
TNEF Timeout
File Command
File Timeout
Maximum Message Size
Virus Scanning
Virus Scanners
Virus Scanner Timeout
Deliver Disinfected Files
Silent Viruses
Still Deliver Silent Viruses
Block Encrypted Messages
Block Unencrypted Messages
Allowed Sophos Error Messages
Sophos IDE Dir
Sophos Lib Dir
Monitors For Sophos Updates
Allow Partial Messages
Allow External Message Bodies
Allow IFrame Tags
Log IFrame Tags
Allow Form Tags
Allow Object Codebase Tags
Convert Dangerous HTML To Text
Convert HTML To Text
Filename Rules
Filetype Rules
Quarantine Infections
Quarantine Whole Message
Quarantine Whole Messages As Queue Files
Language Strings
Deleted Bad Content Message Report
Deleted Bad Filename Message Report
Deleted Virus Message Report
Stored Bad Content Message Report
Stored Bad Filename Message Report
Stored Virus Message Report
Disinfected Report
Inline HTML Signature
Inline Text Signature
Inline HTML Warning
Inline Text Warning
Sender Content Report
Sender Error Report
Sender Bad Filename Report
Sender Virus Report
Hide Incoming Work Dir
Include Scanner Name In Reports
Mail Header
Spam Header
Spam Score Header
Information Header
Spam Score Character
SpamScore Number Instead Of Stars
Clean Header Value
Infected Header Value
Disinfected Header Value
Information Header Value
Detailed Spam Report
Include Scores In SpamAssassin Report
Multiple Headers
Hostname
Sign Messages Already Processed
Sign Clean Messages
Mark Infected Messages
Mark Unscanned Messages
Unscanned Header Value
Deliver Cleaned Messages
Notify Senders
Notify Senders Of Viruses
Notify Senders Of Blocked Filenames Or Filetypes
Notify Senders Of Other Blocked Content
Never Notify Senders Of Precedence
Scanned Modify Subject
Scanned Subject Text
Virus Modify Subject
Virus Subject Text
Filename Modify Subject
Filename Subject Text
Content Modify Subject
Content Subject Text
Spam Modify Subject
Spam Subject Text
High Scoring Spam Modify Subject
High Scoring Spam Subject Text
Warning Is Attachment
Attachment Warning Filename
Attachment Encoding Charset
Archive Mail
Send Notices
Notices Include Full Headers
Hide Incoming Work Dir in Notices
Notice Signature
Notices From
Notices To
Local Postmaster
Spam List Definitions
Virus Scanner Definitions
Spam Checks
Spam List
Spam Domain List
Spam Lists To Reach High Score
Spam List Timeout
Max Spam List Timeouts
Is Definitely Not Spam
Is Definitely Spam
Definite Spam Is High Scoring
Use SpamAssassin
Max SpamAssassin Size
Required SpamAssassin Score
High SpamAssassin Score
SpamAssassin Auto Whitelist
SpamAssassin Prefs File
SpamAssassin Timeout
Max SpamAssassin Timeouts
Check SpamAssassin If On Spam List
Always Include SpamAssassin Report
Spam Score
Spam Actions
High Scoring Spam Actions
Non Spam Actions
Sender Spam Report
Sender Spam List Report
Sender SpamAssassin Report
Inline Spam Warning
Syslog Facility
Log Spam
Log Permitted Filenames
Log Permitted Filetypes
SpamAssassin User State Dir
SpamAssassin Install Prefix
SpamAssassin Local Rules Dir
SpamAssassin Default Rules Dir
Use Default Rules With Multiple Recipients
Debug
Debug SpamAssassin
Always Looked Up Last
Deliver In Background
Delivery Method
Split Exim Spool
Lockfile Dir
Minimum Code Status

--
shrek-m

From ricurtis at HOTMAIL.COM Thu Oct 2 15:11:35 2003
From: ricurtis at HOTMAIL.COM (Richard Curtis)
Date: Thu Jan 12 21:20:20 2006
Subject: Uninstalling MailScanner
Message-ID:

Hi all.

Just a brief query. I am about to (hopefully) install Mailscanner onto our mail email server but before I do so, I wanted to confirm something.

Firstly, once sendmail is running through MailScanner, previously when a new domain is added to sendmail and/or virtusertable is modified, a simple restart of sendmail is all that's needed to make it see the new domains. Once MailScanner is installed, is it simply a matter of restarting MailScanner to force the changes into effect ?

Secondly, If for some reason I needed to remove mailscanner completely, is it simply a matter of stopping mail scanner, removing it from the startup scripts, then starting sendmail normally and re-adding it to the startup scripts ?

Finally, what is the license for Inoculan ? I have just downloaded it, and tested it, and it says in the readme that upon first use the license is printed - but it wasn't for me. I am guessing it is not free for use ?

Richard

From Kevin.Spicer at BMRB.CO.UK Thu Oct 2 15:21:28 2003
From: Kevin.Spicer at BMRB.CO.UK (Spicer, Kevin)
Date: Thu Jan 12 21:20:20 2006
Subject: Strip HTML weirdness
Message-ID: <5C0296D26910694BB9A9BBFC577E7AB0016496FF@pascal.priv.bmrb.co.uk>

Julian Field wrote:
> That is very strange. MailScanner, when stripping HTML to plain text,
> doesn't surround the links in any punctuation at all, it just puts
> them in with a space round them so they don't get mingled with the
> surrounding text.
I've just managed to get them to send a copy to my webmail address (netscape), and it turns out that this is what the text part of the message looks like - so something they screwed up rather than a MailScanner issue. Am I correct that if the message has a mime type of multipart/alternative then the html component will be discarded, leaving the original plain text componant. BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. From raymond at PROLOCATION.NET Thu Oct 2 15:24:58 2003 From: raymond at PROLOCATION.NET (Raymond Dijkxhoorn) Date: Thu Jan 12 21:20:20 2006 Subject: Uninstalling MailScanner In-Reply-To: Message-ID: Hi! > new domain is added to sendmail and/or virtusertable is modified, a simple > restart of sendmail is all thats needed to make it see the new domains. > Once MailScanner is installed, is it simply a matter of restarting > MailScanner to force the changes into effect ? Yes. > Secondly, If for some reason I needed to remove mailscanner completely, is > it simply a matter of stopping mail scanner, removing it from the startup > scripts, then starting sendmail normally and re-adding it to the startup > scripts ? service stop MailScanner service start sendmail Thats it. > Finally, what is the license for Inoculan ? I have just downloaded it, and > tested it, and it says in the readme that upon first use the license is > printed - but it wasnt for me. I am guessing it is not free for use ? 
Cant help you with that one. Dont run Inoculan myself. Bye, Raymond. From TGFurnish at HERFF-JONES.COM Thu Oct 2 15:48:50 2003 From: TGFurnish at HERFF-JONES.COM (Furnish, Trever G) Date: Thu Jan 12 21:20:21 2006 Subject: MailScanner repeatedly restarting {Scanned by HJMS} Message-ID: <8FFC76593085ED4A80D3601BC41EFCDF8E1CD0@inex1.herffjones.hj-int> Did you set the LANG value to en-us? > -----Original Message----- > From: Stanier, Alan M [mailto:alan@ESSEX.AC.UK] > Sent: Thursday, October 02, 2003 5:27 AM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: MailScanner repeatedly restarting {Scanned by HJMS} > > > I've just installed MailScanner 4.23-11 on RedHat9 > > When I start it up, I see messages in /var/adm/maillog every > 10 seconds, saying it is starting, and have various defunct > MS processes. > > Can anyone suggest what I might have done wrong, plase? > > > [root@serlinux15 MailScanner-4.23-11]# cd /var/adm > [root@serlinux15 adm]# tail -f maillog > Oct 2 11:17:15 serlinux15 MailScanner[22187]: MailScanner > E-Mail Virus Scanner version 4.23-11 starting... > Oct 2 11:17:25 serlinux15 MailScanner[22188]: MailScanner > E-Mail Virus Scanner version 4.23-11 starting... > Oct 2 11:17:35 serlinux15 MailScanner[22198]: MailScanner > E-Mail Virus Scanner version 4.23-11 starting... > Oct 2 11:17:45 serlinux15 MailScanner[22199]: MailScanner > E-Mail Virus Scanner version 4.23-11 starting... > Oct 2 11:17:55 serlinux15 MailScanner[22200]: MailScanner > E-Mail Virus Scanner version 4.23-11 starting... > Oct 2 11:18:05 serlinux15 MailScanner[22202]: MailScanner > E-Mail Virus Scanner version 4.23-11 starting... > Oct 2 11:18:15 serlinux15 MailScanner[22203]: MailScanner > E-Mail Virus Scanner version 4.23-11 starting... > Oct 2 11:18:25 serlinux15 MailScanner[22204]: MailScanner > E-Mail Virus Scanner version 4.23-11 starting... > > [root@serlinux15 adm]# > [root@serlinux15 adm]# !ps > ps wgaux | grep mail > mail 31963 0.0 0.2 3284 1032 ? 
S Oct01 > 0:00 /usr/sbin/exim -C /essex/exim/serlinux15_outgoing -q1m > mail 2460 0.0 0.2 3296 1076 ? S Oct01 > 0:02 /usr/sbin/exim -C /essex/exim/serlinux15_incoming -bd > mail 21878 0.0 2.3 15804 11988 ? S 11:04 > 0:00 /usr/bin/perl -I/usr/lib/MailScanner > /usr/sbin/MailScanner /etc/MailScanner/MailScanner.conf > mail 21879 0.0 0.0 0 0 ? Z 11:04 > 0:00 [MailScanner ] > mail 21895 0.0 0.0 0 0 ? Z 11:04 > 0:00 [MailScanner ] > mail 21909 0.0 0.0 0 0 ? Z 11:04 > 0:00 [MailScanner ] > mail 21919 0.0 0.0 0 0 ? Z 11:04 > 0:00 [MailScanner ] > mail 22229 2.0 0.0 0 0 ? Z 11:19 > 0:00 [MailScanner ] > root 22231 0.0 0.1 3584 616 pts/0 S 11:19 > 0:00 grep mail > > -------- > Alan Stanier > Essex University Information Systems Services > Systems Group > From bhughes at ELEVATING.COM Thu Oct 2 16:33:12 2003 From: bhughes at ELEVATING.COM (Bret Hughes) Date: Thu Jan 12 21:20:21 2006 Subject: whitelist issues In-Reply-To: <3F7AFF07.4070801@pacific.net> References: <8FFC76593085ED4A80D3601BC41EFCDF0C0804@inex1.herffjones.hj-int> <3F7AFF07.4070801@pacific.net> Message-ID: <1065108794.1632.401.camel@bretsony> On Wed, 2003-10-01 at 11:21, Ken Anderson wrote: > Actually mail from this list comes in like this: > > Oct 1 07:59:53 mail sm-mta[15866]: h91ExqJ5015866: > from=, size=1835, class=-30, nrcpts=1, > msgid=<8FFC76593085ED4A80D3601BC41EFCDF0C0804@inex1.herffjones.hj-int>, > proto=ESMTP, daemon=MTA, relay=mailfilter.pacific.net [63.162.241.9] > > So, you can whitelist the list, or the domain. There's also some way to > get this address into the message header, so this detective work isn't > necessary, but I can't recall whether that's a sendmail config, or a > MS/SA config change. Anybody? > > Ken A. 
> Pacific.Net

I have tried a couple of times to reply to this and say thanks
the solution was to change my orig rule to From: rather than To:
the sender on the mails that I get is not owner-mailscanner though but simply MAILSCANNER@JISCMAIL.AC.UK

Previous replies included lots of headers and diagnostics that must have screwed up my mail causing it to get silently dropped somewhere along the line.

Thank you both for the help.

Bret

From Chris.Campbell at FAC.COM Thu Oct 2 15:53:20 2003
From: Chris.Campbell at FAC.COM (Chris Campbell)
Date: Thu Jan 12 21:20:21 2006
Subject: sa learn with hundred of users on a gateway box
Message-ID:

"drag and drop into a shared folder in notes" .... is this like a mail in database? I have no idea how to setup a shared "folder"... wouldn't you have to create a db and then have that added to the users workspaces? I am *not* a notes admin... FYI :)

.....................................
Christopher S. Campbell
UNIX Admin
First Albany Corp

Chris Trudeau
Sent by: MailScanner mailing list
10/02/2003 09:52 AM
Please respond to MailScanner mailing list
cc:
Subject: Re: sa learn with hundred of users on a gateway box

One option we are looking into for a customer... is to have Notes users "drag and drop" spam messages into a shared folder in notes. bundle up the .nsf nightly and send that to us where we convert it to MBOX and roll through the sa-learn function.

CT

----- Original Message -----
From: "Chris Campbell"
To:
Sent: Thursday, October 02, 2003 9:19 AM
Subject: Re: sa learn with hundred of users on a gateway box

Very nice... now if I could figure out how to have lotus notes forward as attachments.....

.....................................
Christopher S. Campbell
UNIX Admin
First Albany Corp
518.447.8544
chris.campbell@fac.com

"D. H?hn"
Sent by: MailScanner mailing list
10/02/2003 09:15 AM
Please respond to MailScanner mailing list
To: MAILSCANNER@JISCMAIL.AC.UK
cc:
Subject: Re: sa learn with hundred of users on a gateway box

-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

> > Is anyone else in a similar situation..and does anyone have any opinions?
>

Users should be taught to forward the message as attachment. There are various scripts which can extract the attachment and thus feed the original message with the original header back to the sa-learn- - -d

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (Darwin)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQE/fCTtiW/Ta/pxHPQRA4z8AJ0aYtJ02GeOOjInFfv0zWH2wPkTlACgjrwB
lWm7WPFoCAKzneU9kyQA2K8=
=MYAl
-----END PGP SIGNATURE-----

From Anjana.Patel at CRANFIELD.AC.UK Thu Oct 2 15:55:36 2003
From: Anjana.Patel at CRANFIELD.AC.UK (Patel, Anjana)
Date: Thu Jan 12 21:20:21 2006
Subject: MailScanner repeatedly restarting
Message-ID:

I am seeing similar defunct processes on my test installation of 4.23-11 on RedHat 7.3. They seem to appear within split seconds of starting up mailscanner and increase in number. The number of defunct processes seems to be related to the number of mailscanner processes you chose i.e. if Max Children = 5 then there's 5 defunct processes etc. where each defunct process is a child of one of the processes.

> -----Original Message----- > From: Stanier, Alan M [mailto:alan@ESSEX.AC.UK] > Sent: 02 October 2003 11:27 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: MailScanner repeatedly restarting > > I've just installed MailScanner 4.23-11 on RedHat9 > > When I start it up, I see messages in /var/adm/maillog every > 10 seconds, saying it is starting, and have various defunct > MS processes. > > Can anyone suggest what I might have done wrong, plase? > > > [root@serlinux15 MailScanner-4.23-11]# cd /var/adm > [root@serlinux15 adm]# tail -f maillog > Oct 2 11:17:15 serlinux15 MailScanner[22187]: MailScanner E-Mail Virus > Scanner version 4.23-11 starting... > Oct 2 11:17:25 serlinux15 MailScanner[22188]: MailScanner E-Mail Virus > Scanner version 4.23-11 starting... > Oct 2 11:17:35 serlinux15 MailScanner[22198]: MailScanner E-Mail Virus > Scanner version 4.23-11 starting... > Oct 2 11:17:45 serlinux15 MailScanner[22199]: MailScanner E-Mail Virus > Scanner version 4.23-11 starting... > Oct 2 11:17:55 serlinux15 MailScanner[22200]: MailScanner E-Mail Virus > Scanner version 4.23-11 starting... > Oct 2 11:18:05 serlinux15 MailScanner[22202]: MailScanner E-Mail Virus > Scanner version 4.23-11 starting... > Oct 2 11:18:15 serlinux15 MailScanner[22203]: MailScanner E-Mail Virus > Scanner version 4.23-11 starting... > Oct 2 11:18:25 serlinux15 MailScanner[22204]: MailScanner E-Mail Virus > Scanner version 4.23-11 starting... > > [root@serlinux15 adm]# > [root@serlinux15 adm]# !ps > ps wgaux | grep mail > mail 31963 0.0 0.2 3284 1032 ? S Oct01 0:00 > /usr/sbin/exim -C /essex/exim/serlinux15_outgoing -q1m > mail 2460 0.0 0.2 3296 1076 ? S Oct01 0:02 > /usr/sbin/exim -C /essex/exim/serlinux15_incoming -bd > mail 21878 0.0 2.3 15804 11988 ? S 11:04 0:00 > /usr/bin/perl -I/usr/lib/MailScanner /usr/sbin/MailScanner > /etc/MailScanner/MailScanner.conf > mail 21879 0.0 0.0 0 0 ? Z 11:04 0:00 > [MailScanner ] > mail 21895 0.0 0.0 0 0 ? Z 11:04 0:00 > [MailScanner ] > mail 21909 0.0 0.0 0 0 ? 
Z 11:04 0:00 > [MailScanner ] > mail 21919 0.0 0.0 0 0 ? Z 11:04 0:00 > [MailScanner ] > mail 22229 2.0 0.0 0 0 ? Z 11:19 0:00 > [MailScanner ] > root 22231 0.0 0.1 3584 616 pts/0 S 11:19 0:00 grep mail > > -------- > Alan Stanier > Essex University Information Systems Services > Systems Group From mailscanner at ecs.soton.ac.uk Thu Oct 2 16:07:34 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:20:21 2006 Subject: Uninstalling MailScanner In-Reply-To: References: Message-ID: <5.2.0.9.2.20031002160600.048fbae8@imap.ecs.soton.ac.uk> At 15:24 02/10/2003, you wrote: >Hi! > > > new domain is added to sendmail and/or virtusertable is modified, a simple > > restart of sendmail is all thats needed to make it see the new domains. > > Once MailScanner is installed, is it simply a matter of restarting > > MailScanner to force the changes into effect ? > >Yes. > > > Secondly, If for some reason I needed to remove mailscanner completely, is > > it simply a matter of stopping mail scanner, removing it from the startup > > scripts, then starting sendmail normally and re-adding it to the startup > > scripts ? > >service stop MailScanner >service start sendmail > >Thats it. To stop MailScanner starting after a reboot, you might also want to do chkconfig MailScanner off chkconfig sendmail on > > Finally, what is the license for Inoculan ? I have just downloaded it, and > > tested it, and it says in the readme that upon first use the license is > > printed - but it wasnt for me. I am guessing it is not free for use ? Someone recently posted a review of the licensing models and prices of pretty much all the scanners. Try looking for a posting in the archive with the names of several scanners in it. 
-- Julian Field www.MailScanner.info MailScanner thanks transtec Computers for their support From mbowman at UDCOM.COM Thu Oct 2 16:34:55 2003 From: mbowman at UDCOM.COM (Matthew Bowman) Date: Thu Jan 12 21:20:21 2006 Subject: Inline SPAM warnings {Scanned by HJMS} Message-ID: FWIW Lotus Notes displays the message then the attachment in the same e-mail with the attachment deliver action. In Outlook Express I get both the .eml and attachment as attachments. Although this is a nice add on to MailScanner, for our benefit its not worth attempting to get everyone to change their e-mail client settings... Matthew Ken Anderson Sent by: MailScanner mailing list 10/02/2003 11:24 AM Please respond to MailScanner mailing list To: MAILSCANNER@JISCMAIL.AC.UK cc: Subject: Re: Inline SPAM warnings {Scanned by HJMS} Furnish, Trever G wrote: >>-----Original Message----- >>From: Ken Anderson [mailto:ka@PACIFIC.NET] >>Sent: Wednesday, October 01, 2003 5:47 PM >>To: MAILSCANNER@JISCMAIL.AC.UK >>Subject: Re: Inline SPAM warnings {Scanned by HJMS} >> >>mozilla's "view->attachments inline" allows you do adjust >>this behavior, >>as does Outlook (somewhere...) >>Ken A. > > > That's NOT the desired behavior. The desired behavior is that the MUA > display inline those parts marked with a disposition of "inline" and ONLY > those parts. That's what mozilla/thunderbird does when it's NOT viewing attachments inline. > If you check the actual content of a message sent with action set to "attach > deliver", you'll note that the warning is meant to be displayed inline but > the original message isn't. However Outlook ignores the inline disposition > setting for the warning when the content-type is multipart/digest. It seems > to honor the content-disposition setting however when the content-type is > multipart/report. I still wonder why though... Because it's crap. It also has a default setting to hide attachments. 
You can turn this off by going (in Outlook Express) to Tools, Options, Security tab. This is presumably to protect the user from the fact that it's crap and will likely "run code of attacker's choice" if you were to allow Outlook to display the attachments. Ken A. > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20031002/30e39b21/attachment.html From ka at PACIFIC.NET Thu Oct 2 16:24:23 2003 From: ka at PACIFIC.NET (Ken Anderson) Date: Thu Jan 12 21:20:21 2006 Subject: Inline SPAM warnings {Scanned by HJMS} In-Reply-To: <8FFC76593085ED4A80D3601BC41EFCDF0C080A@inex1.herffjones.hj-int> References: <8FFC76593085ED4A80D3601BC41EFCDF0C080A@inex1.herffjones.hj-int> Message-ID: <3F7C4327.6020508@pacific.net> Furnish, Trever G wrote: >>-----Original Message----- >>From: Ken Anderson [mailto:ka@PACIFIC.NET] >>Sent: Wednesday, October 01, 2003 5:47 PM >>To: MAILSCANNER@JISCMAIL.AC.UK >>Subject: Re: Inline SPAM warnings {Scanned by HJMS} >> >>mozilla's "view->attachments inline" allows you do adjust >>this behavior, >>as does Outlook (somewhere...) >>Ken A. > > > That's NOT the desired behavior. The desired behavior is that the MUA > display inline those parts marked with a disposition of "inline" and ONLY > those parts. That's what mozilla/thunderbird does when it's NOT viewing attachments inline. > If you check the actual content of a message sent with action set to "attach > deliver", you'll note that the warning is meant to be displayed inline but > the original message isn't. However Outlook ignores the inline disposition > setting for the warning when the content-type is multipart/digest. It seems > to honor the content-disposition setting however when the content-type is > multipart/report. I still wonder why though... Because it's crap. It also has a default setting to hide attachments. You can turn this off by going (in Outlook Express) to Tools, Options, Security tab. 
This is presumably to protect the user from the fact that it's crap and will likely "run code of attacker's choice" if you were to allow Outlook to display the attachments. Ken A. > From spycobalt at SPYPRODUCTIONS.COM Thu Oct 2 17:20:00 2003 From: spycobalt at SPYPRODUCTIONS.COM (Mike At Spy) Date: Thu Jan 12 21:20:21 2006 Subject: Rules files (blacklist) Message-ID: Is it possible to set a rule that cover the 'subject' line of an email instead of the to or from? If so, would the word 'subject' have to be in a particular format (upper-case, etc). Would I have to adjust anything in the MailScanner.conf file - aside from telling it where to find the rules file? I mean in the /etc/MailScanner/rules/ directory. Thanks, -Mike From mailscanner at ecs.soton.ac.uk Thu Oct 2 17:57:34 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:20:21 2006 Subject: Rules files (blacklist) In-Reply-To: Message-ID: <5.2.1.1.2.20031002175251.031a3f50@imap.ecs.soton.ac.uk> At 17:20 02/10/2003, you wrote: >Is it possible to set a rule that cover the 'subject' line of an email >instead of the to or from? No, sorry. But you could use MCP (Message Content Protection) to catch messages which match the subject you are looking for. One of the reasons I haven't implemented it is the purely practical matter of defining how you could express a rule containing any arbitrary text (eg. spaces, quotes, slashes etc), while still ending up with a rule that can actually be parsed. If you, say, were writing a rule for "Spam Actions" (which takes several keywords as its result), you could end up with this: Subject: this is random text to match deliver forward How on earth do I parse that? Where does the subject end and the result (deliver forward) start? If you can come up with a decent solution to this problem, I'll have a crack at writing it. >If so, would the word 'subject' have to be in a particular format >(upper-case, etc). 
Would I have to adjust anything in the MailScanner.conf >file - aside from telling it where to find the rules file? > >I mean in the /etc/MailScanner/rules/ directory. > >Thanks, > >-Mike -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support From HancockS at MORGANCO.COM Thu Oct 2 17:00:59 2003 From: HancockS at MORGANCO.COM (Hancock, Scott) Date: Thu Jan 12 21:20:21 2006 Subject: Uninstalling MailScanner Message-ID: <3EA1A302A4978A4C970D2C63F327156E012EF2ED@worc-mail2.int.morganco.com> >Someone recently posted a review of the licensing models and prices of >pretty much all the scanners. Try looking for a posting in the archive >with >the names of several scanners in it. >-- >Julian Field I put the post in the FAQ. I'll delete if I was out of line. Let me know. http://www.sng.ecs.soton.ac.uk/cgi-bin/faq?amp=&auth=ck8855a5ed71d287641 21600405c7e004b&file=213 -Scott From kodak at FRONTIERHOMEMORTGAGE.COM Thu Oct 2 18:16:38 2003 From: kodak at FRONTIERHOMEMORTGAGE.COM (Jason Balicki) Date: Thu Jan 12 21:20:21 2006 Subject: Users like this... Message-ID: <004401c38908$f09e5d80$0501a8c0@darkside> Ok. I just got this message from one of my users. I have no idea why {Filename?} has been triggered here (and I really don't care -- but I will investigate anyway.) The real point, though, is to make fun of users. I've spent endless hours tuning MS & SA, so I want to ram my head into a wall until I pass out because of this (names have been changed to "xxxxx"): --begin-luser-comment--- Can we let stuff like this through the firewall - $20.00 off on an order is a good deal! Thanks! 
xxxxx -----Original Message----- From: OfficeDepot.com [mailto:officedepot2@officedepot.rsc01.com] Sent: Wednesday, October 01, 2003 3:02 PM To: xxxxx@FRONTIERHOMEMORTGAGE.COM Subject: {Filename?} Save 20 Dollars on Your Next OfficeDepot.com Order Warning: This message has had one or more attachments removed Warning: (the entire message). Warning: Please read the "VirusWarning.txt" attachment(s) for more information. From michele at BLACKNIGHTSOLUTIONS.COM Thu Oct 2 18:37:12 2003 From: michele at BLACKNIGHTSOLUTIONS.COM (Michele Neylon :: Blacknight Solutions) Date: Thu Jan 12 21:20:21 2006 Subject: Domain by Domain Setup In-Reply-To: Message-ID: <200310021737.h92Hb8b29013@camelot.blacknightsolutions.com> Afaik there aren't any simple frontends available for this at the moment. As things satnd you would need to manually edit the relevant config files Mr. Michele Neylon Blacknight Solutions http://www.blacknightsolutions.ie/ http://www.search.ie/ Probably the cheapest ie's in Ireland Tel. +353 (0)59 9139897 Fax. +353 (0)59 9139897 > -----Original Message----- > From: MailScanner mailing list > [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Kyle Harris > Sent: 02 October 2003 18:06 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Domain by Domain Setup > > I feel sure this has already been addressed somewhere, but I > can't find it so please forgive me if this is a redundant question. > > I am curious how to go about setting up MailScanner such that > each domain would have the ability to use different options, > much like an ISP would need. > > If that can be done, I would also like to know if there are > any HTML pages or scripts that would allow the admin of each > domain to configure their own MailScanners settings. I am > aware of the webmin plugin, but that allows for configuration > of the entire MailScanner system, not a domain by domain basis. > > Thanks in advance. 
> > ######################################################### This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance to it is prohibited. From spycobalt at SPYPRODUCTIONS.COM Thu Oct 2 18:43:56 2003 From: spycobalt at SPYPRODUCTIONS.COM (Mike At Spy) Date: Thu Jan 12 21:20:21 2006 Subject: Rules files (blacklist) In-Reply-To: <5.2.1.1.2.20031002175251.031a3f50@imap.ecs.soton.ac.uk> Message-ID: > > At 17:20 02/10/2003, you wrote: > >Is it possible to set a rule that cover the 'subject' line of an email > >instead of the to or from? > > No, sorry. But you could use MCP (Message Content Protection) to catch > messages which match the subject you are looking for. > Could you tell me more about this, or send me to a link to look into it? I'm new using mailscanner and would like to see what this is about. Thanks! :) -Mike From lists at TRCINTL.COM Thu Oct 2 18:49:20 2003 From: lists at TRCINTL.COM (Kyle Harris) Date: Thu Jan 12 21:20:21 2006 Subject: Domain by Domain Setup Message-ID: Then is it possible to configure this manual, and if so, how? From tomaz.borstnar at OVER.NET Thu Oct 2 18:49:34 2003 From: tomaz.borstnar at OVER.NET (Tomaz Borstnar) Date: Thu Jan 12 21:20:21 2006 Subject: SpamAssassin scores question (feature request?) In-Reply-To: References: Message-ID: <6.0.0.22.0.20031002194806.053a10d0@127.0.0.1> At 15:59 2.10.2003, you wrote: >Both of my mailscanner boxes are Redhat with MS 4.23-11 and SA 2.60-1 w/ >razor2. I haven't setup dcc and/or pyzor... mistake. Use ALL the help you can get. DCC helps a lot here to raise final score which in the end means more spam blocked. Btw: we also use 4 and 12, but looks like high spam could be lowered to 9 or 10. 
Tomaz From mailscanner at ecs.soton.ac.uk Thu Oct 2 18:45:50 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:20:21 2006 Subject: Rules files (blacklist) In-Reply-To: References: <5.2.1.1.2.20031002175251.031a3f50@imap.ecs.soton.ac.uk> Message-ID: <5.2.1.1.2.20031002184354.031eaeb0@imap.ecs.soton.ac.uk> At 18:43 02/10/2003, you wrote: > > > > At 17:20 02/10/2003, you wrote: > > >Is it possible to set a rule that cover the 'subject' line of an email > > >instead of the to or from? > > > > No, sorry. But you could use MCP (Message Content Protection) to catch > > messages which match the subject you are looking for. > > > >Could you tell me more about this, or send me to a link to look into it? >I'm new using mailscanner and would like to see what this is about. http://www.sng.ecs.soton.ac.uk/mailscanner/install/mcp/ -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Thu Oct 2 18:54:01 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:20:21 2006 Subject: Domain by Domain Setup In-Reply-To: Message-ID: <5.2.1.1.2.20031002185348.02f15d08@imap.ecs.soton.ac.uk> At 18:49 02/10/2003, you wrote: >Then is it possible to configure this manual, and if so, how? Read the files in /etc/MailScanner/rules. -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Thu Oct 2 18:53:22 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:20:21 2006 Subject: ANNOUNCE: beta 4.24-4 released Message-ID: <5.2.1.1.2.20031002184552.03157a48@imap.ecs.soton.ac.uk> I have just put up 4.24-4 on www.mailscanner.info. 
This includes a few corrections and improvements (such as support for Kaspersky 4.5). The full ChangeLog is linked from the News section of the home page. Note that I have started to add PGP signatures to the downloads page. There is also a URL to find my public key. I have intentionally designed the page to make it very difficult to compromise. If I publish the public key directly on the page, anyone who compromised the site could create a key that matched their signature and use that to sign their compromised packages. With attacks against MailScanner such as that done by the Sobig-F worm, it is only a matter of time before someone tries to compromise the distribution. So it really is important that you check the PGP signature of the package you download. There are loads of documents on the net already that tell you how to do this, so I'm not going to give any instructions; I'm sure you will work it out. -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From lists at TRCINTL.COM Thu Oct 2 18:05:45 2003 From: lists at TRCINTL.COM (Kyle Harris) Date: Thu Jan 12 21:20:21 2006 Subject: Domain by Domain Setup Message-ID: I feel sure this has already been addressed somewhere, but I can't find it so please forgive me if this is a redundant question. I am curious how to go about setting up MailScanner such that each domain would have the ability to use different options, much like an ISP would need. If that can be done, I would also like to know if there are any HTML pages or scripts that would allow the admin of each domain to configure their own MailScanners settings. I am aware of the webmin plugin, but that allows for configuration of the entire MailScanner system, not a domain by domain basis. Thanks in advance. 
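The signature check that the 4.24-4 announcement in this archive asks for, as an added example (not MailScanner's own tooling and not from the original posts): it runs `gpg --verify` with machine-readable status output and accepts a download only when a valid signature comes from a key whose fingerprint was pinned out of band. The file paths passed to `verify_download` are hypothetical, the status samples are constructed, and treating the "PGP footprint" from the announcer's mail signature as the release key is an assumption.

```python
import subprocess

# Assumption: the release key is the one whose "PGP footprint" appears in the
# announcer's mail signature. Pin it locally; never read it from the download site.
PINNED_FPR = "EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654"

# GnuPG status keywords after which a signature must not be trusted.
FATAL = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY"}


def normalize_fpr(fpr):
    """Strip the spaces used for display and upper-case the hex digits."""
    return "".join(fpr.split()).upper()


def signature_trusted(status_text, pinned=PINNED_FPR):
    """True only if a VALIDSIG line names the pinned key and nothing fatal is reported."""
    want = normalize_fpr(pinned)
    matched = False
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        if fields[1] in FATAL:
            return False
        if fields[1] == "VALIDSIG" and len(fields) > 2:
            signing = fields[2].upper()
            # Newer GnuPG appends the primary key fingerprint as the last field.
            primary = fields[11].upper() if len(fields) > 11 else signing
            if want in (signing, primary):
                matched = True
    return matched


def verify_download(package, signature, pinned=PINNED_FPR):
    """Run gpg on a detached signature and apply the pinned-fingerprint policy."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", signature, package],
        capture_output=True, text=True)
    return proc.returncode == 0 and signature_trusted(proc.stdout, pinned)


# Constructed status output (not captured from a real run).
GOOD = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 11F659471415B654 Constructed Signer <signer@example.org>
[GNUPG:] VALIDSIG EE81D7633DB00BFDE1DC722211F659471415B654 2003-10-02 1065117202 0 3 0 17 2 00 EE81D7633DB00BFDE1DC722211F659471415B654
"""

# The case the announcement warns about: package, signature and published key
# all replaced together, so the signature verifies but the key is not the pinned one.
SWAPPED_KEY = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Constructed Other <other@example.org>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2003-10-02 1065117202 0 3 0 17 2 00 0123456789ABCDEF0123456789ABCDEF01234567
"""

TAMPERED = "[GNUPG:] BADSIG 11F659471415B654 Constructed Signer <signer@example.org>\n"

EXPIRED_KEY = (
    "[GNUPG:] EXPKEYSIG 11F659471415B654 Constructed Signer <signer@example.org>\n"
    + GOOD.splitlines()[2] + "\n"
)

if __name__ == "__main__":
    for name in ("GOOD", "SWAPPED_KEY", "TAMPERED", "EXPIRED_KEY"):
        print(name, signature_trusted(globals()[name]))
```

A bare "Good signature" message is not enough on its own: the `SWAPPED_KEY` sample verifies cryptographically and is still rejected because the fingerprint does not match the pinned one.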
From HancockS at MORGANCO.COM Thu Oct 2 18:16:28 2003 From: HancockS at MORGANCO.COM (Hancock, Scott) Date: Thu Jan 12 21:20:21 2006 Subject: Uninstalling MailScanner Message-ID: <3EA1A302A4978A4C970D2C63F327156E012EF2F0@worc-mail2.int.morganco.com> Let's try this again http://www.sng.ecs.soton.ac.uk/mailscanner/serve/cache/213.html Scott >-----Original Message----- >From: Hancock, Scott >Sent: Thursday, October 02, 2003 12:01 PM >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Re: Uninstalling MailScanner > > >Someone recently posted a review of the licensing models and prices of > >pretty much all the scanners. Try looking for a posting in the archive > >with > >the names of several scanners in it. > >-- > >Julian Field > >I put the post in the FAQ. I'll delete if I was out of line. Let me >know. > >http://www.sng.ecs.soton.ac.uk/cgi-bin/faq?amp=&auth=ck8855a5ed71d28764 1 >21600405c7e004b&file=213 > > >-Scott From TGFurnish at HERFF-JONES.COM Thu Oct 2 19:36:36 2003 From: TGFurnish at HERFF-JONES.COM (Furnish, Trever G) Date: Thu Jan 12 21:20:21 2006 Subject: Inline SPAM warnings {Scanned by HJMS} Message-ID: <8FFC76593085ED4A80D3601BC41EFCDF8E1CD3@inex1.herffjones.hj-int> > -----Original Message----- > From: David Hooton [mailto:david@PLATFORMHOSTING.COM] > Sent: Thursday, October 02, 2003 5:52 AM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Inline SPAM warnings {Scanned by HJMS} > > > Thanks guys, this is all well and good, but I'm not concerned with MUA > functionality, I'm concerned with MailScanner's inline > reports not being > universally visible. > > If we have to ask clients to alter their MUA's just to see a warning > it's not a great situation. > > What I want to know is: > > Is this a configuration issue on my part? (the warning is set > to not be > attached, which I thought meant it would be displayed inline) > > If it's not a config issue, what do I need to do in order to fix it. 
Well I don't really consider it something that is *broken* - it's entirely up to the MUA to decide how it wants to display parts. Outlook just doesn't display them the way you'd like. It's not a MailScanner config issue, but you could alter the MS code pretty simply to use multipart/report instead of multipart/digest. Just changing "digest" to "report" in a couple of places inside Message.pm seems to be enough to get what want (but I am NOT an expert on anything, so although it seems to work for me, don't blame me if it causes your wife to leave you). Tested with mozilla 1.4, outlook 2k sp3, and Imp and all of them still seem to have no problems with the message - but Outlook then displays the inline attachment properly. -t. From TGFurnish at HERFF-JONES.COM Thu Oct 2 19:38:27 2003 From: TGFurnish at HERFF-JONES.COM (Furnish, Trever G) Date: Thu Jan 12 21:20:21 2006 Subject: Uninstalling MailScanner {Scanned by HJMS} Message-ID: <8FFC76593085ED4A80D3601BC41EFCDF8E1CD4@inex1.herffjones.hj-int> http://makeashorterlink.com/?H24012516 ;-P > -----Original Message----- > From: Hancock, Scott [mailto:HancockS@MORGANCO.COM] > Sent: Thursday, October 02, 2003 12:16 PM > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: Re: Uninstalling MailScanner {Scanned by HJMS} > > > Let's try this again > > http://www.sng.ecs.soton.ac.uk/mailscanner/serve/cache/213.html > > Scott > > >-----Original Message----- > >From: Hancock, Scott > >Sent: Thursday, October 02, 2003 12:01 PM > >To: MAILSCANNER@JISCMAIL.AC.UK > >Subject: Re: Uninstalling MailScanner > > > > >Someone recently posted a review of the licensing models > and prices > of > > >pretty much all the scanners. Try looking for a posting in the > archive > > >with > > >the names of several scanners in it. > > >-- > > >Julian Field > > > >I put the post in the FAQ. I'll delete if I was out of > line. Let me > >know. 
> >
> >
> >http://www.sng.ecs.soton.ac.uk/cgi-bin/faq?amp=&auth=ck8855a5 ed71d28764 1
> >21600405c7e004b&file=213
> >
> >
> >-Scott

From TGFurnish at HERFF-JONES.COM Thu Oct 2 19:19:45 2003
From: TGFurnish at HERFF-JONES.COM (Furnish, Trever G)
Date: Thu Jan 12 21:20:21 2006
Subject: Inline SPAM warnings {Scanned by HJMS}
Message-ID: <8FFC76593085ED4A80D3601BC41EFCDF0C080E@inex1.herffjones.hj-int>

> -----Original Message-----
> From: Ken Anderson [mailto:ka@PACIFIC.NET]
> Sent: Thursday, October 02, 2003 10:24 AM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: Inline SPAM warnings {Scanned by HJMS}
>
> Because it's crap. It also has a default setting to hide attachments.
> You can turn this off by going (in Outlook Express) to Tools, Options,
> Security tab. This is presumably to protect the user from the
> fact that
> it's crap and will likely "run code of attacker's choice" if
> you were to
> allow Outlook to display the attachments.

ROTFL. :-) Yes, I know it's crap. But that's beside the point.

The question is whether multipart/report is more appropriate as a
content-type for the message than multipart/digest.

From RFC 1892

1. The Multipart/Report MIME content-type

The Multipart/Report MIME content-type is a general "family" or
"container" type for electronic mail reports of any kind. Although
this memo defines only the use of the Multipart/Report content-type
with respect to delivery status reports, mail processing programs
will benefit if a single content-type is used to for all kinds of
reports.

And from RFC 2046

5.1.5. Digest Subtype

 ...
 Note: Though it is possible to specify a Content-Type value for a
 body part in a digest which is other than "message/rfc822", such as a
 "text/plain" part containing a description of the material in the
 digest, actually doing so is undesireble. The "multipart/digest"
 Content-Type is intended to be used to send collections of messages.

Personally I would consider the messages produced by "attach and deliver" to
be "reports", not "collections of messages". The inline part is a "report"
about an attached message, meaning I would consider this to be a nice
candidate for changing in a future release of MS.

-t.

From kevins at BMRB.CO.UK Thu Oct 2 20:17:07 2003
From: kevins at BMRB.CO.UK (Kevin Spicer)
Date: Thu Jan 12 21:20:21 2006
Subject: Need to match subjects in email
In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB00188AB47@pascal.priv.bmrb.co.uk>
References: <5C0296D26910694BB9A9BBFC577E7AB00188AB47@pascal.priv.bmrb.co.uk>
Message-ID: <1065122228.21309.32.camel@bach.kevinspicer.co.uk>

On Thu, 2003-10-02 at 18:12, Walter D. Wyndroski wrote:
> Is this possible? If so please post a short example.

Not directly with MailScanner (well not in any relatively simple and
elegant way - that's not a criticism BTW). But if the destination for
the emails you wish to catch is an account on the linux mailserver
(which your post suggests it is) then you could do this quite easily
with a procmail recipe. Even if it's not a local account you may be able
to get your MTA to re-address mails to that account to a local account
then process them with procmail (using procmail to forward a copy to the
final destination).

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000
_________________________________________________________________
This message (and any attachment) is intended only for the
recipient and may contain confidential and/or privileged
material. If you have received this in error, please contact the
sender and delete this message immediately. Disclosure, copying
or other action taken in respect of this email or in
reliance on it is prohibited. BMRB International Limited
accepts no liability in relation to any personal emails, or
content of any email which does not directly relate to our
business.
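
The recipient-plus-subject match suggested in the reply above, written as a procmail recipe. This is an added example, not part of the original post: the addresses and subject pattern are placeholders, and the X-Loop header name is an assumption chosen for the loop guard.

```procmail
# ~/.procmailrc of the local account that receives the mail.
# Constructed example: every address and the subject pattern are placeholders.
SHELL=/bin/sh
PAGERADDR=yourpager@domain.com

# Copy matching mail to the pager, then fall through to normal delivery.
#   c     act on a carbon copy, so the original is still delivered
#   ^TO_  procmail's built-in macro: matches the address in any
#         destination header (To:, Cc:, Resent-To:, ...), not only the
#         first recipient
# Conditions are ANDed and matched case-insensitively by default.
# The X-Loop test stops a message that was already forwarded by this
# recipe from being forwarded again if it ever comes back to this account.
:0 c
* ^TO_targetaddress@you\.com
* ^Subject:.*your special subject
* ! ^X-Loop: pager-forward
| formail -A "X-Loop: pager-forward" | $SENDMAIL -oi $PAGERADDR

# If this account is only a staging mailbox that the MTA re-addresses mail
# to, pass the original on to its real destination (placeholder address):
#:0
#! final-recipient@you.com
```

Subject: and From: are supplied by the sender, so a recipe like this decides who gets paged, not whether the message is genuine.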
From mailscanner at ecs.soton.ac.uk Thu Oct 2 20:19:21 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:20:21 2006
Subject: Inline SPAM warnings {Scanned by HJMS}
In-Reply-To: <8FFC76593085ED4A80D3601BC41EFCDF0C080E@inex1.herffjones.hj-int>
Message-ID: <5.2.1.1.2.20031002201905.02818b00@imap.ecs.soton.ac.uk>

At 19:19 02/10/2003, you wrote:
> > -----Original Message-----
> > From: Ken Anderson [mailto:ka@PACIFIC.NET]
> > Sent: Thursday, October 02, 2003 10:24 AM
> > To: MAILSCANNER@JISCMAIL.AC.UK
> > Subject: Re: Inline SPAM warnings {Scanned by HJMS}
> >
> > Because it's crap. It also has a default setting to hide attachments.
> > You can turn this off by going (in Outlook Express) to Tools, Options,
> > Security tab. This is presumably to protect the user from the
> > fact that
> > it's crap and will likely "run code of attacker's choice" if
> > you were to
> > allow Outlook to display the attachments.
>
>ROTFL. :-) Yes, I know it's crap. But that's beside the point.
>
>The question is whether multipart/report is more appropriate as a
>content-type for the message than multipart/digest.
>
>
>From RFC 1892
>
>1. The Multipart/Report MIME content-type
>
>The Multipart/Report MIME content-type is a general "family" or
>"container" type for electronic mail reports of any kind. Although
>this memo defines only the use of the Multipart/Report content-type
>with respect to delivery status reports, mail processing programs
>will benefit if a single content-type is used to for all kinds of
>reports.
>
>And from RFC 2046
>
>5.1.5. Digest Subtype
>
> ...
> Note: Though it is possible to specify a Content-Type value for a
> body part in a digest which is other than "message/rfc822", such as a
> "text/plain" part containing a description of the material in the
> digest, actually doing so is undesireble. The "multipart/digest"
> Content-Type is intended to be used to send collections of messages.
>
>Personally I would consider the messages produced by "attach and deliver" to
>be "reports", not "collections of messages". The inline part is a "report"
>about an attached message, meaning I would consider this to be a nice
>candidate for changing in a future release of MS.

'tis done.
--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From Denis.Beauchemin at USHERBROOKE.CA Thu Oct 2 20:27:37 2003
From: Denis.Beauchemin at USHERBROOKE.CA (Denis Beauchemin)
Date: Thu Jan 12 21:20:21 2006
Subject: OT: PGP newbie question
Message-ID: <1065122857.2962.33.camel@dbeauchemin.sti.usherbrooke.ca>

Hi,

As Julian started generating sigs for downloads, I looked into gpg to be
able to make something good out of this.

I initialized the thing with gpg --gen-key, then tried to verify
Julian's sig but I always get this error message:
# LANG=C gpgv MailScanner-4.24-4.rpm.tar.gz.sig
gpgv: Signature made Thu Oct 2 13:09:30 2003 EDT using DSA key ID 1415B654
gpgv: Can't check signature: public key not found

So I guess I should get Julian's public key (#1415B654?) but I don't
know where to look for it. Digging, I found Julian's pictures of his
Canadian vacation (they are really nice!), but no public key...

Could someone point me in the right direction please?

Thanks again!

Denis
--
Denis Beauchemin, analyste
Université de Sherbrooke, S.T.I.
T: 819.821.8000x2252 F: 819.821.8045

From joshua.hirsh at PARTNERSOLUTIONS.CA Thu Oct 2 20:35:42 2003
From: joshua.hirsh at PARTNERSOLUTIONS.CA (Hirsh, Joshua)
Date: Thu Jan 12 21:20:21 2006
Subject: PGP newbie question
Message-ID: <75FEDC422E2309419A9303E7B18F206E04DB5BA4@eqmail1.efni.vpn>

Hi Denis,

If you look on the download page, you'll find a link to his key. This will
bring up a page showing information on his key.
From here, you'll need to click on his key ID, which will load up his
public key. You'll need to save this to a file (NOTE: only save the actual
key part, and not the entire HTML) and run 'gpg --import '. This will add
his public key to your keychain.

Cheers,
-Joshua

From mailscanner at ecs.soton.ac.uk Thu Oct 2 20:44:39 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:20:21 2006
Subject: OT: PGP newbie question
In-Reply-To: <1065122857.2962.33.camel@dbeauchemin.sti.usherbrooke.ca>
Message-ID: <5.2.1.1.2.20031002203934.0322aec8@imap.ecs.soton.ac.uk>

At 20:27 02/10/2003, you wrote:
>Hi,
>
>As Julian started generating sigs for downloads, I looked into gpg to be
>able to make something good out of this.
>
>I initialized the thing with gpg --gen-key, then tried to verify
>Julian's sig but I always get this error message:
># LANG=C gpgv MailScanner-4.24-4.rpm.tar.gz.sig
>gpgv: Signature made Thu Oct 2 13:09:30 2003 EDT using DSA key ID 1415B654
>gpgv: Can't check signature: public key not found
>
>So I guess I should get Julian's public key (#1415B654?) but I don't
>know where to look for it. Digging, I found Julian's pictures of his
>Canadian vacation (they are really nice!), but no public key...
>
>Could someone point me in the right direction please?

gpg --keyserver pgpkeys.mit.edu --search-keys "Julian Field"

That will fetch the keys, but I'm not quite sure what you do next.
I do all my PGP stuff on a Windows box :-)
--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Thu Oct 2 19:53:23 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:20:21 2006
Subject: Inline SPAM warnings {Scanned by HJMS}
In-Reply-To: <8FFC76593085ED4A80D3601BC41EFCDF8E1CD3@inex1.herffjones.hj-int>
Message-ID: <5.2.1.1.2.20031002195216.031ea318@imap.ecs.soton.ac.uk>

At 19:36 02/10/2003, you wrote:
> > -----Original Message-----
> > From: David Hooton [mailto:david@PLATFORMHOSTING.COM]
> > Sent: Thursday, October 02, 2003 5:52 AM
> > To: MAILSCANNER@JISCMAIL.AC.UK
> > Subject: Re: Inline SPAM warnings {Scanned by HJMS}
> >
> >
> > Thanks guys, this is all well and good, but I'm not concerned with MUA
> > functionality, I'm concerned with MailScanner's inline
> > reports not being
> > universally visible.
> >
> > If we have to ask clients to alter their MUA's just to see a warning
> > it's not a great situation.
> >
> > What I want to know is:
> >
> > Is this a configuration issue on my part? (the warning is set
> > to not be
> > attached, which I thought meant it would be displayed inline)
> >
> > If it's not a config issue, what do I need to do in order to fix it.
>
>Well I don't really consider it something that is *broken* - it's entirely
>up to the MUA to decide how it wants to display parts. Outlook just doesn't
>display them the way you'd like.
>
>It's not a MailScanner config issue, but you could alter the MS code pretty
>simply to use multipart/report instead of multipart/digest. Just changing
>"digest" to "report" in a couple of places inside Message.pm seems to be
>enough to get what you want (but I am NOT an expert on anything, so although it
>seems to work for me, don't blame me if it causes your wife to leave you).
> >Tested with mozilla 1.4, outlook 2k sp3, and Imp and all of them still seem >to have no problems with the message - but Outlook then displays the inline >attachment properly. Here is a patch for the very latest Message.pm to do this: ----------------------SNIP-------------------- 2637,2638c2637,2638 < # Make it a digest if it wasn't multipart already. < $entity->make_multipart("digest"); --- > # Make it a report if it wasn't multipart already. > $entity->make_multipart("report"); # Used to be digest 2640c2640 < $entity->head->mime_attr("Content-type" => "multipart/digest"); --- > $entity->head->mime_attr("Content-type" => "multipart/report"); # Used to be digest ----------------------SNIP-------------------- Basically just find every occurrence of "digest" in Message.pm and replace it with "report". Please can you try this and let me know if it works okay. If I don't hear any bad comments about it, I will include it in this weekend's (hopefully) release of 4.24. -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mike at CamaroSS.net Thu Oct 2 20:10:14 2003 From: mike at CamaroSS.net (Mike Kercher) Date: Thu Jan 12 21:20:21 2006 Subject: Users like this... In-Reply-To: <004401c38908$f09e5d80$0501a8c0@darkside> Message-ID: <005201c38918$d1e2d4b0$650ba8c0@home.middlefinger.net> I had a luser complain about blocking a couple of legit emails once and he asked if I could remove the scanning for his email address. I did him one better (without telling of course). In my rules, I excluded his addy from Spam Checks, but even went a step further. My High Scoring Spam action became = forward luser@domain.com He called back a few hours later... 
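
Review bot: neither changed line in the Message.pm patch above (make_multipart("report") at 2637-2638, the mime_attr("Content-type" => "multipart/report") call at 2640) adds a report-type parameter, which RFC 1892 requires on multipart/report, so a receiving program that actually parses reports gets a container with no declared report type. RFC 1892 only defines delivery-status, so the value to use for a MailScanner warning needs deciding before release, and it should be set on the head in the same two places. The trailing "# Used to be digest" comments record history that fits the ChangeLog better than the code.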
"point well taken" :) Mike -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Jason Balicki Sent: Thursday, October 02, 2003 12:17 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Users like this... Ok. I just got this message from one of my users. I have no idea why {Filename?} has been triggered here (and I really don't care -- but I will investigate anyway.) The real point, though, is to make fun of users. I've spent endless hours tuning MS & SA, so I want to ram my head into a wall until I pass out because of this (names have been changed to "xxxxx"): --begin-luser-comment--- Can we let stuff like this through the firewall - $20.00 off on an order is a good deal! Thanks! xxxxx -----Original Message----- From: OfficeDepot.com [mailto:officedepot2@officedepot.rsc01.com] Sent: Wednesday, October 01, 2003 3:02 PM To: xxxxx@FRONTIERHOMEMORTGAGE.COM Subject: {Filename?} Save 20 Dollars on Your Next OfficeDepot.com Order Warning: This message has had one or more attachments removed Warning: (the entire message). Warning: Please read the "VirusWarning.txt" attachment(s) for more information. From wdwrn at FRIENDLYCITY.NET Thu Oct 2 18:12:34 2003 From: wdwrn at FRIENDLYCITY.NET (Walter D. Wyndroski) Date: Thu Jan 12 21:20:21 2006 Subject: Need to match subjects in email Message-ID: <050b01c38908$5ef90e70$0201a8c0@mother> I need to match email's by their subjects. Here is my a brief description of my problem: Municipality-->Exchange server Municipal ISP (owned by municipality) --> Linux mailserver For ease, some of the mail destined for the municipality is sent directly to the isp mailserver and forward via alias. I need to match a particular email address, then I need to further match a subject. If the subject meets my match criteria, I need that message forwarded to another email address which actually goes to a pager. We are trying to get faster notification of emergency messages from a particular sender. 
Is this possible? If so please post a short example.

Walt Wyndroski

**********************************************************************************************
* This message has been scanned by CityNET's email scanner for viruses and dangerous content *
* and is believed to be clean. CityNET is proud to use MailScanner. For more information     *
* concerning MailScanner, visit http://www.mailscanner.info                                  *
**********************************************************************************************

From Denis.Beauchemin at USHERBROOKE.CA Thu Oct 2 21:04:08 2003
From: Denis.Beauchemin at USHERBROOKE.CA (Denis Beauchemin)
Date: Thu Jan 12 21:20:21 2006
Subject: OT: PGP newbie question
In-Reply-To: <5.2.1.1.2.20031002203934.0322aec8@imap.ecs.soton.ac.uk>
References: <5.2.1.1.2.20031002203934.0322aec8@imap.ecs.soton.ac.uk>
Message-ID: <1065125048.2962.39.camel@dbeauchemin.sti.usherbrooke.ca>

Hi,

Now I get:
$ LANG=C gpg --verify MailScanner-4.24-4.rpm.tar.gz.sig
gpg: WARNING: using insecure memory!
gpg: please see http://www.gnupg.org/faq.html for more information
gpg: Signature made Thu Oct 2 13:09:30 2003 EDT using DSA key ID 1415B654
gpg: Good signature from "Julian Field "
gpg: aka "Julian Field "
gpg: aka "Julian Field "
gpg: aka "Julian Field "
gpg: aka "Julian Field "
gpg: aka "Julian Field "
gpg: aka "Julian Field "
gpg: checking the trustdb
gpg: checking at depth 0 signed=0 ot(-/q/n/m/f/u)=0/0/0/0/0/1
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

Is this normal? Never mind the first warning, the doc says it is normal
as I didn't run the command as root and it is not set-uid root.

I'm concerned about the last warning...
not the many aliases Julian has registered... 8-)

Denis

On Thu 02/10/2003 at 15:44, Julian Field wrote:
> At 20:27 02/10/2003, you wrote:
> >Hi,
> >
> >As Julian started generating sigs for downloads, I looked into gpg to be
> >able to make something good out of this.
> >
> >I initialized the thing with gpg --gen-key, then tried to verify
> >Julian's sig but I always get this error message:
> ># LANG=C gpgv MailScanner-4.24-4.rpm.tar.gz.sig
> >gpgv: Signature made Thu Oct 2 13:09:30 2003 EDT using DSA key ID 1415B654
> >gpgv: Can't check signature: public key not found
> >
> >So I guess I should get Julian's public key (#1415B654?) but I don't
> >know where to look for it. Digging, I found Julian's pictures of his
> >Canadian vacation (they are really nice!), but no public key...
> >
> >Could someone point me in the right direction please?
>
> gpg --keyserver pgpkeys.mit.edu --search-keys "Julian Field"
>
> That will fetch the keys, but I'm not quite sure what you do next. I do all
> my PGP stuff on a Windows box :-)
> --
> Julian Field
> www.MailScanner.info
> Professional Support Services at www.MailScanner.biz
> MailScanner thanks transtec Computers for their support
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
--
Denis Beauchemin, analyste
Université de Sherbrooke, S.T.I.
T: 819.821.8000x2252 F: 819.821.8045

From mailscanner at ecs.soton.ac.uk Thu Oct 2 21:10:13 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:20:21 2006
Subject: Need to match subjects in email
In-Reply-To: <050b01c38908$5ef90e70$0201a8c0@mother>
Message-ID: <5.2.1.1.2.20031002210543.02ed1a50@imap.ecs.soton.ac.uk>

At 18:12 02/10/2003, you wrote:
>I need to match emails by their subjects.
Here is a brief description
>of my problem:
>
>Municipality-->Exchange server
>
>Municipal ISP (owned by municipality) --> Linux mailserver
>
>For ease, some of the mail destined for the municipality is sent directly
>to the isp mailserver and forwarded via alias. I need to match a particular
>email address, then I need to further match a subject. If the subject
>meets my match criteria, I need that message forwarded to another email
>address which actually goes to a pager. We are trying to get faster
>notification of emergency messages from a particular sender. Is this
>possible? If so please post a short example.

You can do this with a Custom Function attached to "Non Spam Actions" that
checks the subject and the destination address. If it matches then it
returns "deliver forward yourpager@domain.com". If it doesn't match then it
returns "deliver".

  sub PagerAction {
    my($message) = @_;

    # No message object means there is nothing to test: plain delivery.
    return "deliver" unless $message;

    # Page only when the first recipient and the subject both match.
    if ($message->{to}[0] eq 'targetaddress@you.com' &&
        $message->{subject} =~ /your special subject/i) {
      return 'deliver forward yourpager@domain.com';
    } else {
      return 'deliver';
    }
  }

I haven't tried that, but it should work. Be warned it will only look at
the 1st recipient of the message. You will probably want to turn that into
a loop to check all the recipients of the message to see if any of them
match.
--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From shrek-m at GMX.DE Thu Oct 2 20:23:33 2003
From: shrek-m at GMX.DE (shrek-m@gmx.de)
Date: Thu Jan 12 21:20:21 2006
Subject: MailScanner.conf.rpmnew
In-Reply-To: <3F7C3342.4000408@gmx.de>
References: <3F7C3342.4000408@gmx.de>
Message-ID: <3F7C7B35.2090001@gmx.de>

shrek-m@gmx.de wrote:

> hi,
>
>
> how do you ...
> - check the actual config-file
> - export these settings
> - compare with the new MailScanner.conf.rpmnew
> - import the old settings into the new MailScanner.conf
> ... ?

thanks for your answers,

i have seen it in the "ChangeLog"
and oops,
while upgrade :-[

# upgrade_MailScanner_conf
Usage:

RPM
===
If you are using the RPM distributions then try this:

cd /etc/MailScanner
upgrade_MailScanner_conf MailScanner.conf MailScanner.conf.rpmnew > MailScanner.new
mv MailScanner.conf MailScanner.old
mv MailScanner.new MailScanner.conf

--
shrek-m

From mailscanner at ecs.soton.ac.uk Thu Oct 2 21:19:18 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:20:21 2006
Subject: MailScanner.conf.rpmnew
In-Reply-To: <3F7C7B35.2090001@gmx.de>
References: <3F7C3342.4000408@gmx.de> <3F7C3342.4000408@gmx.de>
Message-ID: <5.2.1.1.2.20031002211606.031fdb00@imap.ecs.soton.ac.uk>

At 20:23 02/10/2003, you wrote:
>shrek-m@gmx.de wrote:
>how do you ...
>>- check the actual config-file
>>- export these settings
>>- compare with the new MailScanner.conf.rpmnew
>>- import the old settings into the new MailScanner.conf
>> ... ?
>
>thanks for your answers,
>
>i have seen it in the "ChangeLog"
>and oops,
>while upgrade :-[
>
># upgrade_MailScanner_conf
>Usage:
>
>RPM
>===
>If you are using the RPM distributions then try this:
>
>cd /etc/MailScanner
>upgrade_MailScanner_conf MailScanner.conf MailScanner.conf.rpmnew >
>MailScanner.new
>mv MailScanner.conf MailScanner.old
>mv MailScanner.new MailScanner.conf

Note that I have changed the default behaviour of upgrade_MailScanner_conf.
It will now replace the comments in your old conf file with the
comments/documentation in the new one. This is so that you get to find out
about any new features and new settings that are now possible with existing
config options. It has become clear recently that people have not
discovered new features due to their old comments/documentation propagating
into the new file from their very old ones.

If you don't like this feature, then just run "upgrade_MailScanner_conf"
and it will tell you how to change it.
--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From TGFurnish at HERFF-JONES.COM Thu Oct 2 21:19:12 2003
From: TGFurnish at HERFF-JONES.COM (Furnish, Trever G)
Date: Thu Jan 12 21:20:21 2006
Subject: OT: PGP newbie question {Scanned by HJMS}
Message-ID: <8FFC76593085ED4A80D3601BC41EFCDF0C0810@inex1.herffjones.hj-int>

> -----Original Message-----
> From: Denis Beauchemin [mailto:Denis.Beauchemin@USHERBROOKE.CA]
> Sent: Thursday, October 02, 2003 3:04 PM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: OT: PGP newbie question {Scanned by HJMS}
>
> gpg: checking the trustdb
> gpg: checking at depth 0 signed=0 ot(-/q/n/m/f/u)=0/0/0/0/0/1
> gpg: WARNING: This key is not certified with a trusted signature!
> gpg: There is no indication that the signature
> belongs to the owner.
> Primary key fingerprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6
> 5947 1415 B654
>
>
> Is this normal?

It means no one trusts Julian. ;-)

Er, actually, it means no one has yet signed his key indicating that they
believe it really belongs to someone named Julian Field. The way PGP works
is that you start by getting one person to trust you - then others are more
likely to trust you. If they believe your key is really yours, then they
can give your key more credibility by "signing" your key, indicating that
they believe it's valid. The more people sign your key, the less likely you
are to have to keep answering questions like the one you just asked.

I personally don't think it would be that difficult (provided the proper
monetary incentive) to trick a significant number of people into trusting
the wrong key, but that's definitely a long, very off-topic discussion for
a different mailing list. :-) And I'm a paranoid freak by nature.

--
Trever

From kevins at BMRB.CO.UK Thu Oct 2 21:23:35 2003
From: kevins at BMRB.CO.UK (Kevin Spicer)
Date: Thu Jan 12 21:20:21 2006
Subject: PGP newbie question
In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB00188AB4E@pascal.priv.bmrb.co.uk>
References: <5C0296D26910694BB9A9BBFC577E7AB00188AB4E@pascal.priv.bmrb.co.uk>
Message-ID: <1065126224.17459.11.camel@bach.kevinspicer.co.uk>

On Thu, 2003-10-02 at 21:04, Denis Beauchemin wrote:
>Is this normal? Never mind the first warning, the doc says it is
>normal as I didn't run the command as root and it is not set-uid root.

Yes, PGP works on a web of trust principle. Just because you have a
public key which claims to represent Julian, doesn't mean it does
(anyone can produce a key which says they are anyone else). You have to
decide for yourself whether (and how much) you trust Julian's key - if you
do you can sign the key (gpg --sign-key "Julian Field") [You need to
have generated your own public and private key first].

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000

From wdwrn at FRIENDLYCITY.NET Thu Oct 2 21:26:08 2003
From: wdwrn at FRIENDLYCITY.NET (Walter D. Wyndroski)
Date: Thu Jan 12 21:20:21 2006
Subject: Need to match subjects in email
References: <5C0296D26910694BB9A9BBFC577E7AB00188AB47@pascal.priv.bmrb.co.uk> <1065122228.21309.32.camel@bach.kevinspicer.co.uk>
Message-ID: <055d01c38923$69ae09e0$0201a8c0@mother>

In the back of my mind, I was thinking I may have to use procmail to
accomplish this task. Thank you for confirming that. I've never really had
a need to mess with procmail. But I guess now is as good a time to learn as
any. I'll just pack it in the wheelbarrow with perl, sql, ksh, bash, and
routing. :P hehe.

Out of my own laziness and lack of time, could you post a good link for me
to get started (for procmail).

Thanks again!

WDW

----- Original Message -----
From: "Kevin Spicer"
To:
Sent: Thursday, October 02, 2003 3:17 PM
Subject: Re: Need to match subjects in email

> On Thu, 2003-10-02 at 18:12, Walter D. Wyndroski wrote:
> > Is this possible? If so please post a short example.
>
> Not directly with MailScanner (well not in any relatively simple and
> elegant way - thats not a criticism BTW). But if the destination for
> the emails you wish to catch is an account on the linux mailserver
> (which your post suggests it is) then you could do this quite easily
> with a procmail recipe.
Even if its not a local account you may be able
> to get your MTA to re-address mails to that account to a local account
> then process them with procmail (using procmail to forward a copy to the
> final destination).
>
>
>
>
> BMRB International
> http://www.bmrb.co.uk
> +44 (0)20 8566 5000

From dan.farmer at PHONEDIR.COM Thu Oct 2 21:23:21 2003
From: dan.farmer at PHONEDIR.COM (Dan Farmer)
Date: Thu Jan 12 21:20:22 2006
Subject: Double extensions getting nabbed
In-Reply-To:
Message-ID: <4465895C-F516-11D7-80EC-0030656E138E@phonedir.com>

comment out the check in /etc/MailScanner/filename.rules.conf:

# Deny all other double file extensions. This catches any hidden filenames.
#deny \.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$ Found possible filename hiding Attempt to hide real filename extension

dan

On Thursday, October 2, 2003, at 02:09 PM, Christian Campbell wrote:

> I'm having user complaints that documents named like:
>
> 00568011.011.txt.pdf
>
> Are being quarantined because "Attempt to hide real filename
> extension".
> How can I make it qualify the characters after the last "." only?
>
> Thanks in advance,
>
> Christian
>
> Christian P. Campbell
> Systems Engineer
> Information Technology Department
> Bruegger's Enterprises, Inc.
> Desk: (802) 652-9270
> Cell: (802) 734-5023
> Email: ccampbell at brueggers dot com
> Registered Linux User #319324
>
> PGP public key available via PGP keyservers
> or http://www2.brueggers.com/pgp/ccampbell.html
>
> "We all know Linux is great...
> it does infinite loops in 5 seconds."
> -- Linus Torvalds
>

From wdwrn at FRIENDLYCITY.NET Thu Oct 2 21:28:16 2003
From: wdwrn at FRIENDLYCITY.NET (Walter D. Wyndroski)
Date: Thu Jan 12 21:20:22 2006
Subject: Need to match subjects in email
References: <5.2.1.1.2.20031002210543.02ed1a50@imap.ecs.soton.ac.uk>
Message-ID: <056601c38923$b60075d0$0201a8c0@mother>

I see what's happening in the code. I agree, it should work. However, would
you give me a hint as to the best location in MailScanner to insert this
function?

Thanks in advance!
WDW ----- Original Message ----- From: Julian Field To: MAILSCANNER@JISCMAIL.AC.UK Sent: Thursday, October 02, 2003 4:10 PM Subject: Re: Need to match subjects in email At 18:12 02/10/2003, you wrote: I need to match email's by their subjects. Here is my a brief description of my problem: Municipality-->Exchange server Municipal ISP (owned by municipality) --> Linux mailserver For ease, some of the mail destined for the municipality is sent directly to the isp mailserver and forward via alias. I need to match a particular email address, then I need to further match a subject. If the subject meets my match criteria, I need that message forwarded to another email address which actually goes to a pager. We are trying to get faster notification of emergency messages from a particular sender. Is this possible? If so please post a short example. You can do this with a Custom Function attached to "Non Spam Actions" that checks the subject and the destination address. If it matches then it returns "deliver forward yourpager@domain.com". If it doesn't match then it returns "deliver". sub PagerAction { my($message) = @_; return "deliver" unless $message; if ($message->{to}[0] eq 'targetaddress@you.com' && $message->{subject} =~ /your special subject/i) { return 'deliver forward yourpager@domain.com'; } else { return 'deliver'; } } I haven't tried that, but it should work. Be warned it will only look at the 1st recipient of the message. You will probably want to turn that into a loop to check all the recipients of the message to see if any of them match. -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 This message has been scanned by CityNET's email scanner for viruses and dangerous content and is believed to be clean. CityNET is proud to use MailScanner. 
For more information concerning MailScanner, visit http://www.mailscanner.info

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20031002/5ae80093/attachment.html

From mkipness at GENIANT.COM Thu Oct 2 21:37:10 2003
From: mkipness at GENIANT.COM (Max Kipness)
Date: Thu Jan 12 21:20:22 2006
Subject: Reading spam dir with PHP?
Message-ID: <16B156EBAE5213419ADC164EA1D372C7073404@dalsxc02.geniant.net>

Hello,

Sorry if I'm off topic. This may be more of a PHP or general linux question.

I'm trying to write a php page that reads the ../spam dir. I'm planning on having the page read each q* file and parse the From:, To: and Subject: lines and then have a button for each message that basically copies the q* and d* files to the sendmail queue.

At this point I'm trying to figure out the best way to get access to that directory structure as user Apache. All of the dir/files under ./var/spool/MailScanner have rw for root only. Is the answer sudo?

Thanks,
Max

From peter at UCGBOOK.COM Thu Oct 2 21:41:36 2003
From: peter at UCGBOOK.COM (Peter Bonivart)
Date: Thu Jan 12 21:20:22 2006
Subject: Updated swedish report files
In-Reply-To:
References:
Message-ID: <3F7C8D80.9040204@ucgbook.com>

Looks good Anders. Just a couple of things.
The two words below should actually be one word, it's in several texts:

Original meddelandet => Originalmeddelandet

The subject line below is a little too much English for my taste:

Meddelande från MailScanner E-Mail Virus Protection Service

Why not a simpler:

Meddelande från e-postfiltret

In languages.conf:

Disinfekterad => Desinficerad
godkännd => godkänd
Varning: E-post virus detekterat => Varning: farligt innehåll detekterat
Följande e-meddelande innehöll virus => Följande meddelande hade farligt innehåll

The last two are because not only viruses trigger those postmaster messages.

I think most of us have to modify the texts quite heavily anyway, like inserting customer names and contact information, and we will stick with our set of files through upgrades. But it's always good if the base is as correct as possible.

Thank you for your work.

/Peter Bonivart

--Unix lovers do it in the Sun

Sun Fire V210, Solaris 9, MailScanner 4.23-11, SpamAssassin 2.60, ClamAV 20030829

Anders Andersson, IT wrote:

> Hi
> Thought I should do an update on the swedish report files. I would really
> like some response from swedish users if there is something they don't like.
> There are some small difference in some text parts but I need feedback which
> one you consider to be the best before I send it to Julian, so pls message
> me asap if you think something needs to be changed
>
> /Anders
>

From rherban at HYPERVINE.NET Thu Oct 2 21:47:05 2003
From: rherban at HYPERVINE.NET (Randy Herban)
Date: Thu Jan 12 21:20:22 2006
Subject: Reading spam dir with PHP?
In-Reply-To: <16B156EBAE5213419ADC164EA1D372C7073404@dalsxc02.geniant.net>
References: <16B156EBAE5213419ADC164EA1D372C7073404@dalsxc02.geniant.net>
Message-ID: <1065127624.2674.6.camel@rherban.hypervine.net>

You can change the permissions on the queue directory to 755 or some other variant. Sendmail might complain some about it but oh well. I would recommend against using 777 on mqueue just for sanity's sake.
You might also need to change an option in the sendmail config to have temp files saved with a different mod, I'm not sure offhand though. I've always been able to chmod 755 /var/spool/mqueue and it works fine.

Do all the reading as normal user and when you need to move the queue files, use sudo as you suggested.

sudoers:
apache ALL=NOPASSWD:/bin/mv

Randy

On Thu, 2003-10-02 at 15:37, Max Kipness wrote:

> Hello,
>
> Sorry if I'm off topic. This may be more of a PHP or general linux question.
>
> I'm trying to write a php page that reads the ../spam dir. I'm planning on having the page read each q* file and parse the From:, To: and Subject: lines and then have a button for each message that basically copies the q* and d* files to the sendmail queue.
>
> At this point I'm trying to figure out the best way to get access to that directory structure as user Apache. All of the dir/files under ./var/spool/MailScanner have rw for root only. Is the answer sudo?
>
> Thanks,
> Max

From michele at BLACKNIGHTSOLUTIONS.COM Thu Oct 2 21:46:05 2003
From: michele at BLACKNIGHTSOLUTIONS.COM (Michele Neylon :: Blacknight Solutions)
Date: Thu Jan 12 21:20:22 2006
Subject: Reading spam dir with PHP?
In-Reply-To: <16B156EBAE5213419ADC164EA1D372C7073404@dalsxc02.geniant.net>
Message-ID: <200310022046.h92Kk1b30402@camelot.blacknightsolutions.com>

Sudo might be the solution, but I would wonder about the implications of letting the 'apache' user access those files

Mr. Michele Neylon
Blacknight Solutions
http://www.blacknightsolutions.ie/
http://www.search.ie/
Probably the cheapest ie's in Ireland
Tel. +353 (0)59 9139897
Fax. +353 (0)59 9139897

> -----Original Message-----
> From: MailScanner mailing list
> [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Max Kipness
> Sent: 02 October 2003 21:37
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Reading spam dir with PHP?
>
> Hello,
>
> Sorry if I'm off topic. This may be more of a PHP or general
> linux question.
>
> I'm trying to write a php page that reads the ../spam dir.
> I'm planning on having the page read each q* file and parse
> the From:, To: and Subject: lines and then have a button for
> each message that basically copies the q* and d* files to the
> sendmail queue.
>
> At this point I'm trying to figure out the best way to get
> access to that directory structure as user Apache. All of the
> dir/files under ./var/spool/MailScanner have rw for root
> only. Is the answer sudo?
>
> Thanks,
> Max
>
>

#########################################################
This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance to it is prohibited.

From TGFurnish at HERFF-JONES.COM Thu Oct 2 21:49:51 2003
From: TGFurnish at HERFF-JONES.COM (Furnish, Trever G)
Date: Thu Jan 12 21:20:22 2006
Subject: Reading spam dir with PHP? {Scanned by HJMS}
Message-ID: <8FFC76593085ED4A80D3601BC41EFCDF0C0811@inex1.herffjones.hj-int>

Hmmm... I guess there are several routes you could take, including sudo.

But MailWatch is pretty straight-forward to install and it already offers the functionality you want to create.

The approach taken by MailWatch was to run a cronjob every minute as root to recursively chown/chmod the directory.

I think a combo of this and sudo might be better - sudo alone would be sort of annoying because everything sudo does gets logged. You could instead check to see whether you can access the files you want (since that will happen rarely) and if not, then use sudo to run a command to modify their ownership/permissions and attempt the access again. That way the chown/chmod would only run when needed and you wouldn't be creating an effectively suid root script that takes input from the web.
Your sudo script could be simply:

#!/bin/sh
chown -R root:apache /var/spool/MailScanner/quarantine
chmod -R g+rwx /var/spool/MailScanner/quarantine
exit 0

And your php page would only run it if it failed to open a file. If the failure recurs after running the sudo script, then it's not related to permissions.

Having started to play with MailWatch though I'm very impressed with it and would recommend trying it first.

-t.

> -----Original Message-----
> From: Max Kipness [mailto:mkipness@GENIANT.COM]
> Sent: Thursday, October 02, 2003 3:37 PM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Reading spam dir with PHP? {Scanned by HJMS}
>
>
> Hello,
>
> Sorry if I'm off topic. This may be more of a PHP or general
> linux question.
>
> I'm trying to write a php page that reads the ../spam dir.
> I'm planning on having the page read each q* file and parse
> the From:, To: and Subject: lines and then have a button for
> each message that basically copies the q* and d* files to the
> sendmail queue.
>
> At this point I'm trying to figure out the best way to get
> access to that directory structure as user Apache. All of the
> dir/files under ./var/spool/MailScanner have rw for root
> only. Is the answer sudo?
>
> Thanks,
> Max
>

From ccampbell at BRUEGGERS.COM Thu Oct 2 21:09:52 2003
From: ccampbell at BRUEGGERS.COM (Christian Campbell)
Date: Thu Jan 12 21:20:22 2006
Subject: Double extensions getting nabbed
Message-ID:

I'm having user complaints that documents named like:

00568011.011.txt.pdf

Are being quarantined because "Attempt to hide real filename extension". How can I make it qualify the characters after the last "." only?

Thanks in advance,

Christian

Christian P. Campbell
Systems Engineer
Information Technology Department
Bruegger's Enterprises, Inc.
Desk: (802) 652-9270
Cell: (802) 734-5023
Email: ccampbell at brueggers dot com
Registered Linux User #319324

PGP public key available via PGP keyservers
or http://www2.brueggers.com/pgp/ccampbell.html

"We all know Linux is great...
it does infinite loops in 5 seconds."
-- Linus Torvalds

From mkipness at GENIANT.COM Thu Oct 2 21:54:43 2003
From: mkipness at GENIANT.COM (Max Kipness)
Date: Thu Jan 12 21:20:22 2006
Subject: Reading spam dir with PHP? {Scanned by HJMS}
Message-ID: <16B156EBAE5213419ADC164EA1D372C7073405@dalsxc02.geniant.net>

Thanks to everyone that answered.

Does MailScanner allow you to send the mail through to the user in the case of a false-positive?

The other thing I'm wanting to do is eventually allow individual users to see all spam collected for them (only) and send emails through.

Max

________________________________

From: MailScanner mailing list on behalf of Furnish, Trever G
Sent: Thu 10/2/2003 3:49 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Reading spam dir with PHP? {Scanned by HJMS}

Hmmm... I guess there are several routes you could take, including sudo.

But MailWatch is pretty straight-forward to install and it already offers the functionality you want to create.

The approach taken by MailWatch was to run a cronjob every minute as root to recursively chown/chmod the directory.

I think a combo of this and sudo might be better - sudo alone would be sort of annoying because everything sudo does gets logged. You could instead check to see whether you can access the files you want (since that will happen rarely) and if not, then use sudo to run a command to modify their ownership/permissions and attempt the access again. That way the chown/chmod would only run when needed and you wouldn't be creating an effectively suid root script that takes input from the web.
Your sudo script could be simply:

#!/bin/sh
chown -R root:apache /var/spool/MailScanner/quarantine
chmod -R g+rwx /var/spool/MailScanner/quarantine
exit 0

And your php page would only run it if it failed to open a file. If the failure recurs after running the sudo script, then it's not related to permissions.

Having started to play with MailWatch though I'm very impressed with it and would recommend trying it first.

-t.

> -----Original Message-----
> From: Max Kipness [mailto:mkipness@GENIANT.COM]
> Sent: Thursday, October 02, 2003 3:37 PM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Reading spam dir with PHP? {Scanned by HJMS}
>
>
> Hello,
>
> Sorry if I'm off topic. This may be more of a PHP or general
> linux question.
>
> I'm trying to write a php page that reads the ../spam dir.
> I'm planning on having the page read each q* file and parse
> the From:, To: and Subject: lines and then have a button for
> each message that basically copies the q* and d* files to the
> sendmail queue.
>
> At this point I'm trying to figure out the best way to get
> access to that directory structure as user Apache. All of the
> dir/files under ./var/spool/MailScanner have rw for root
> only. Is the answer sudo?
>
> Thanks,
> Max
>

From mailscanner at LISTS.COM.AR Thu Oct 2 21:16:11 2003
From: mailscanner at LISTS.COM.AR (Mariano Absatz)
Date: Thu Jan 12 21:20:22 2006
Subject: X-MailScanner-Id: header
Message-ID: <3F7C5D5B.7691.C1C2EFC@localhost>

Hi,

AFAICS my X-MailScanner-Id patches didn't make it into 4.24 (see http://tinyurl.com/phtl and http://tinyurl.com/phu7 ), just in case anyone else (apart from me, that is) is interested in it, I updated the patches for MailScanner-4.24-4.

They are still at http://baby.com.ar/MailScanner/id-patch as I said in the original messages.
I added a small README.txt (actually, copied and pasted from the emails) and for the benefit of the users (that is, everyone but Julian) all the patches in one complete file you can apply directly (instructions at the bottom of README.txt).

If someone is using it, please say it so, so I keep updating them (or try to convince Julian to put them in ;-)

Regards.

--
Mariano Absatz
El Baby
----------------------------------------------------------
"Only wimps use tape backup: _real_ men just upload their important stuff"
on ftp and let the rest of the world mirror it."
-- Linus Torvalds

From mkipness at GENIANT.COM Thu Oct 2 21:58:35 2003
From: mkipness at GENIANT.COM (Max Kipness)
Date: Thu Jan 12 21:20:22 2006
Subject: Reading spam dir with PHP? {Scanned by HJMS}
Message-ID: <16B156EBAE5213419ADC164EA1D372C7073406@dalsxc02.geniant.net>

Sorry, I meant MailWatch...

________________________________

From: MailScanner mailing list on behalf of Max Kipness
Sent: Thu 10/2/2003 3:54 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Reading spam dir with PHP? {Scanned by HJMS}

Thanks to everyone that answered.

Does MailScanner allow you to send the mail through to the user in the case of a false-positive?

The other thing I'm wanting to do is eventually allow individual users to see all spam collected for them (only) and send emails through.

Max

________________________________

From: MailScanner mailing list on behalf of Furnish, Trever G
Sent: Thu 10/2/2003 3:49 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Re: Reading spam dir with PHP? {Scanned by HJMS}

Hmmm... I guess there are several routes you could take, including sudo.

But MailWatch is pretty straight-forward to install and it already offers the functionality you want to create.

The approach taken by MailWatch was to run a cronjob every minute as root to recursively chown/chmod the directory.

I think a combo of this and sudo might be better - sudo alone would be sort of annoying because everything sudo does gets logged.
You could instead check to see whether you can access the files you want (since that will happen rarely) and if not, then use sudo to run a command to modify their ownership/permissions and attempt the access again. That way the chown/chmod would only run when needed and you wouldn't be creating an effectively suid root script that takes input from the web.

Your sudo script could be simply:

#!/bin/sh
chown -R root:apache /var/spool/MailScanner/quarantine
chmod -R g+rwx /var/spool/MailScanner/quarantine
exit 0

And your php page would only run it if it failed to open a file. If the failure recurs after running the sudo script, then it's not related to permissions.

Having started to play with MailWatch though I'm very impressed with it and would recommend trying it first.

-t.

> -----Original Message-----
> From: Max Kipness [mailto:mkipness@GENIANT.COM]
> Sent: Thursday, October 02, 2003 3:37 PM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Reading spam dir with PHP? {Scanned by HJMS}
>
>
> Hello,
>
> Sorry if I'm off topic. This may be more of a PHP or general
> linux question.
>
> I'm trying to write a php page that reads the ../spam dir.
> I'm planning on having the page read each q* file and parse
> the From:, To: and Subject: lines and then have a button for
> each message that basically copies the q* and d* files to the
> sendmail queue.
>
> At this point I'm trying to figure out the best way to get
> access to that directory structure as user Apache. All of the
> dir/files under ./var/spool/MailScanner have rw for root
> only. Is the answer sudo?
>
> Thanks,
> Max
>

From TGFurnish at HERFF-JONES.COM Thu Oct 2 22:09:59 2003
From: TGFurnish at HERFF-JONES.COM (Furnish, Trever G)
Date: Thu Jan 12 21:20:22 2006
Subject: Reading spam dir with PHP? {Scanned by HJMS}
Message-ID: <8FFC76593085ED4A80D3601BC41EFCDF8E1CDC@inex1.herffjones.hj-int>

Yes. And I think the addition of a user-level interface to allow users to handle their own quarantine *may* happen soon too...
> -----Original Message-----
> From: Max Kipness [mailto:mkipness@GENIANT.COM]
> Sent: Thursday, October 02, 2003 3:59 PM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: Reading spam dir with PHP? {Scanned by HJMS}
>
>
> Sorry, I meant MailWatch...
>
> ________________________________
>
> From: MailScanner mailing list on behalf of Max Kipness
> Sent: Thu 10/2/2003 3:54 PM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: Reading spam dir with PHP? {Scanned by HJMS}
>
>
>
> Thanks to everyone that answered.
>
> Does MailScanner allow you to send the mail through to the
> user in the case of a false-positive?
>
> The other thing I'm wanting to do is eventually allow
> individual users to see all spam collected for them (only)
> and send emails through.
>
> Max
>
> ________________________________
>
> From: MailScanner mailing list on behalf of Furnish, Trever G
> Sent: Thu 10/2/2003 3:49 PM
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: Re: Reading spam dir with PHP? {Scanned by HJMS}
>
>
>
> Hmmm... I guess there are several routes you could take,
> including sudo.
>
> But MailWatch is pretty straight-forward to install and it
> already offers
> the functionality you want to create.
>
> The approach taken by MailWatch was to run a cronjob every
> minute as root to
> recursively chown/chmod the directory.
>
> I think a combo of this and sudo might be better - sudo alone
> would be sort
> of annoying because everything sudo does gets logged. You
> could instead
> check to see whether you can access the files you want (since
> that will
> happen rarely) and if not, then use sudo to run a command to
> modify their
> ownership/permissions and attempt the access again. That way the
> chown/chmod would only run when needed and you wouldn't be creating an
> effectively suid root script that takes input from the web.
>
> Your sudo script could be simply:
> #!/bin/sh
> chown -R root:apache /var/spool/MailScanner/quarantine
> chmod -R g+rwx /var/spool/MailScanner/quarantine
> exit 0
>
> And your php page would only run it if it failed to open a
> file. If the
> failure recurs after running the sudo script, then it's not related to
> permissions.
>
> Having started to play with MailWatch though I'm very
> impressed with it and
> would recommend trying it first.
>
> -t.
>
>
> > -----Original Message-----
> > From: Max Kipness [mailto:mkipness@GENIANT.COM]
> > Sent: Thursday, October 02, 2003 3:37 PM
> > To: MAILSCANNER@JISCMAIL.AC.UK
> > Subject: Reading spam dir with PHP? {Scanned by HJMS}
> >
> >
> > Hello,
> >
> > Sorry if I'm off topic. This may be more of a PHP or general
> > linux question.
> >
> > I'm trying to write a php page that reads the ../spam dir.
> > I'm planning on having the page read each q* file and parse
> > the From:, To: and Subject: lines and then have a button for
> > each message that basically copies the q* and d* files to the
> > sendmail queue.
> >
> > At this point I'm trying to figure out the best way to get
> > access to that directory structure as user Apache. All of the
> > dir/files under ./var/spool/MailScanner have rw for root
> > only. Is the answer sudo?
> >
> > Thanks,
> > Max
> >
>

From kevins at BMRB.CO.UK Thu Oct 2 22:11:36 2003
From: kevins at BMRB.CO.UK (Kevin Spicer)
Date: Thu Jan 12 21:20:22 2006
Subject: Need to match subjects in email
In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB00188AB55@pascal.priv.bmrb.co.uk>
References: <5C0296D26910694BB9A9BBFC577E7AB00188AB55@pascal.priv.bmrb.co.uk>
Message-ID: <1065129102.19421.4.camel@bach.kevinspicer.co.uk>

On Thu, 2003-10-02 at 21:26, Walter D. Wyndroski wrote:

>Out of my own laziness and lack of time, could you post a good link for
>me
>to get started (for procmail). Thanks again!
The best documentation for procmail I've used is the man pages

man procmail (the program itself)
man procmailrc (the procmailrc file and recipes)
man procmailex (some examples)

It's not the friendliest syntax in the world! But it is flexible and powerful.

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000
_________________________________________________________________
This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business.

From mailscanner at ecs.soton.ac.uk Thu Oct 2 21:44:23 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:20:22 2006
Subject: PGP newbie question
In-Reply-To: <1065126224.17459.11.camel@bach.kevinspicer.co.uk>
References: <5C0296D26910694BB9A9BBFC577E7AB00188AB4E@pascal.priv.bmrb.co.uk> <5C0296D26910694BB9A9BBFC577E7AB00188AB4E@pascal.priv.bmrb.co.uk>
Message-ID: <5.2.1.1.2.20031002213100.02e5ee78@imap.ecs.soton.ac.uk>

At 21:23 02/10/2003, you wrote:

>On Thu, 2003-10-02 at 21:04, Denis Beauchemin wrote:
>
> >Is this normal? Never mind the first warning, the doc says it is
> >normal as I didn't run the command as root and it is not set-uid root.
>
>Yes, PGP works on a web of trust principle. Just because you have a
>public key which claims to represent Julian, doesn't mean it does
>(anyone can produce a key which says they are anyone else). You have to
>decide for yourself whether (and how much) you trust Julian's key - if
>you do you can sign the key (gpg --sign-key "Julian Field") [You need to
>have generated your own public and private key first].
Peter Peters has signed my key, but it appears the key servers haven't sync-ed with each other yet as it's not on pgpkeys.mit.edu yet, and I don't know which key server he uploaded it to.

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From bhughes at ELEVATING.COM Thu Oct 2 22:57:42 2003
From: bhughes at ELEVATING.COM (Bret Hughes)
Date: Thu Jan 12 21:20:22 2006
Subject: Need to match subjects in email
In-Reply-To: <055d01c38923$69ae09e0$0201a8c0@mother>
References: <5C0296D26910694BB9A9BBFC577E7AB00188AB47@pascal.priv.bmrb.co.uk> <1065122228.21309.32.camel@bach.kevinspicer.co.uk> <055d01c38923$69ae09e0$0201a8c0@mother>
Message-ID: <1065131863.9497.43.camel@bretsony>

On Thu, 2003-10-02 at 15:26, Walter D. Wyndroski wrote:

> In the back of my mind, I was thinking I may have to use procmail to
> accomplish this task. Thank you for confirming that. I've never really had a
> need to mess with procmail. But I guess now is as good a time to learn as
> any. I'll just pack it in the wheelbarrow with perl, sql, ksh, bash, and
> routing. :P hehe.
>
> Out of my own laziness and lack of time, could you post a good link for me
> to get started (for procmail). Thanks again!
>
> WDW

man procmailex is one of the best tools I have seen for procmail

Bret

From fredd at CI.ASPEN.CO.US Thu Oct 2 23:45:42 2003
From: fredd at CI.ASPEN.CO.US (Fred Dick)
Date: Thu Jan 12 21:20:22 2006
Subject: OT: Sophos CID password error
Message-ID: <6.0.0.22.2.20031002163927.023660e0@commons>

Hi Sophos Gurus:

Been getting the message when trying to auto update:

Error: Could not find central installation setup program. The specified network password is not correct.

Happens with 3.73 & 3.74. Win2k PC client running against Sun Solaris 2.6 CID.
Reset sweepupd passwd, account, uninstalled and reinstalled Sophos numerous times on both server and client.

Any ideas??? This has been working fine for 2 years...no recent changes to system.

Thanks,
Fred

From mailscanner at AVERYHILLS.COM Fri Oct 3 00:07:43 2003
From: mailscanner at AVERYHILLS.COM (Noway)
Date: Thu Jan 12 21:20:22 2006
Subject: {Filename?} filtering, how to allow?
Message-ID: <000f01c38939$fc215550$1489a8c0@averyhills.com>

I have a reoccurring email that needs to get through, and have it setup in spam.whitelist.rules to allow but it still seems to get filtered with {Filename?} for dangerous HTML code.

Is there a way to bypass that filtering also? Or is spam.whitelist.rules supposed to do that?

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20031002/57872996/attachment.html

From henker at S-H-COM.DE Fri Oct 3 01:01:49 2003
From: henker at S-H-COM.DE (Steffan Henke)
Date: Thu Jan 12 21:20:22 2006
Subject: Reading spam dir with PHP?
In-Reply-To: <1065127624.2674.6.camel@rherban.hypervine.net>
References: <16B156EBAE5213419ADC164EA1D372C7073404@dalsxc02.geniant.net> <1065127624.2674.6.camel@rherban.hypervine.net>
Message-ID:

On Thu, 2 Oct 2003, Randy Herban wrote:

> Do all the reading as normal user and when you need to move the queue
> files, use sudo as you suggested.
> sudoers:
> apache ALL=NOPASSWD:/bin/mv

Please don't even *think* of doing this !!!
You don't want to "sudo /bin/mv /boot/vmlinuz /dev/null" , would you ?

Regards,
Steffan

From hb.maillists at DFS.DK Fri Oct 3 00:58:20 2003
From: hb.maillists at DFS.DK (Maillists)
Date: Thu Jan 12 21:20:22 2006
Subject: How-to translate reports?
In-Reply-To: <5.2.1.1.2.20031002213100.02e5ee78@imap.ecs.soton.ac.uk>
Message-ID: <00e701c38941$0e9aa040$6400a8c0@FOX31>

I would like to update the translation of the Danish reports.
But have some questions before I do:

Is it standard to do an "almost" exact translation from the English reports, or is it normal to add additional information?

Why are the reports not in example: Danish and English?

/henrik

From mkettler at EVI-INC.COM Fri Oct 3 02:23:14 2003
From: mkettler at EVI-INC.COM (Matt Kettler)
Date: Thu Jan 12 21:20:22 2006
Subject: {Filename?} filtering, how to allow?
In-Reply-To: <000f01c38939$fc215550$1489a8c0@averyhills.com>
References: <000f01c38939$fc215550$1489a8c0@averyhills.com>
Message-ID: <6.0.0.22.0.20031002212138.01df6670@xanadu.evi-inc.com>

At 07:07 PM 10/2/2003, Noway wrote:

>I have a reoccurring email that needs to get through, and have it setup in
>
>spam.whitelist.rules to allow but it still seems to get filtered with
>{Filename?} for dangerous HTML code.
>
>Is there a way to bypass that filtering also? Or is spam.whitelist.rules
>supposed to do that?

The "dangerous HTML" stuff is done in mailscanner.conf

See the following settings in your mailscanner.conf file:

Allow External Message Bodies
Allow IFrame Tags
Allow Form Tags
Allow Object Codebase Tags

From kfliong at WOFS.COM Fri Oct 3 02:55:37 2003
From: kfliong at WOFS.COM (kfliong)
Date: Thu Jan 12 21:20:22 2006
Subject: mailscanner and sendmail dilemma
In-Reply-To: <67D9E7698329D411936E00508B6590B902773B3D@neelix.lbsltd.co.
uk>
Message-ID: <5.2.1.1.0.20031003094845.03169a38@192.168.10.2>

Here is some of the info I get tailing maillog :

# tail -f /var/log/maillog
Oct 3 09:44:24 ensim sendmail[8131]: h93DiFk08096: to=, delay=00:00:08, xdelay=00:00:00, mailer=virthostmail, pri=122262, relay=mydomain1.com, dsn=2.0.0, stat=Sent (h93DiOe08136 Message accepted for delivery)
Oct 3 09:44:24 ensim virthostmail[8138]: Chrooting to /home/virtual/site8/fst
Oct 3 09:44:24 ensim sendmail[8141]: h93DiOk08141: from=, size=2837, class=0, nrcpts=1, msgid=<9i50$2-t49tx658irq2$v@xy0h.0u>, proto=ESMTP, daemon=MTA, relay=ensim.wofsproperties.com [216.12.213.201]
Oct 3 09:44:24 ensim sendmail[8141]: h93DiOk08141: to=, delay=00:00:00, mailer=virthostmail, pri=32837, stat=queued
Oct 3 09:44:24 ensim sendmail[8137]: h93DiOe08136: to=autodelete@mydomain2.com, delay=00:00:00, xdelay=00:00:00, mailer=esmtp, pri=31697, relay=mail.mydomain2.com. [216.12.213.201], dsn=2.0.0, stat=Sent (h93DiOk08141 Message accepted for delivery)
Oct 3 09:44:24 ensim sendmail[8142]: h93DiO408142: from=, size=3162, class=0, nrcpts=1, msgid=, proto=ESMTP, relay=root@localhost
Oct 3 09:44:24 ensim sendmail[8131]: h93DiGk08097: to=, delay=00:00:07, xdelay=00:00:00, mailer=virthostmail, pri=122803, relay=mydomain1.com, dsn=2.0.0, stat=Sent (h93DiO408142 Message accepted for delivery)
Oct 3 09:44:24 ensim sendmail[8145]: h93DiOk08145: from= , size=3346, class=0, nrcpts=1, msgid=, proto=ESMTP, daemon=MTA, relay=ensim.wofsproperties.com [216.12.213.201]
Oct 3 09:44:24 ensim sendmail[8145]: h93DiOk08145: to=, delay=00:00:00, mailer=virthostmail, pri=33346, stat=queued
Oct 3 09:44:24 ensim sendmail[8143]: h93DiO408142: to=autodelete@mydomain2.com, delay=00:00:00, xdelay=00:00:00, mailer=esmtp, pri=32339, relay=mail.mydomain2.com.
[216.12.213.201], dsn=2.0.0, stat=Sent (h93DiOk08145 Message accepted for delivery)
Oct 3 09:44:25 ensim sendmail[8117]: h93DiLk08117: from=, size=2065, class=0, nrcpts=1, msgid=<59705970owqhwzrunCzriv1frp@DELL>, proto=SMTP, daemon=MTA, relay=adsl-66-120-230-99.dsl.lsan03.pacbell.net [66.120.230.99]
Oct 3 09:44:25 ensim sendmail[8117]: h93DiLk08117: to=, delay=00:00:02, mailer=virthostmail, pri=32065, stat=queued
Oct 3 09:44:25 ensim sendmail[8112]: h93DiJk08112: from=, size=1231, class=0, nrcpts=5, msgid=, proto=SMTP, daemon=MTA, relay=[218.76.156.194]
Oct 3 09:44:25 ensim sendmail[8112]: h93DiJk08112: to=, delay=00:00:06, mailer=virthostmail, pri=151231, stat=queued
Oct 3 09:44:25 ensim sendmail[8112]: h93DiJk08112: to=, delay=00:00:06, mailer=virthostmail, pri=151231, stat=queued
Oct 3 09:44:25 ensim sendmail[8112]: h93DiJk08112: to=, delay=00:00:06, mailer=virthostmail, pri=151231, stat=queued
Oct 3 09:44:25 ensim sendmail[8112]: h93DiJk08112: to=, delay=00:00:06, mailer=virthostmail, pri=151231, stat=queued
Oct 3 09:44:25 ensim sendmail[8112]: h93DiJk08112: to=, delay=00:00:06, mailer=virthostmail, pri=151231, stat=queued
Oct 3 09:44:26 ensim MailScanner[8147]: MailScanner E-Mail Virus Scanner version 4.23-11 starting...
Oct 3 09:44:26 ensim MailScanner[8147]: Config: calling custom init function MailWatchLogging
Oct 3 09:44:26 ensim MailScanner[8147]: Initialising database connection
Oct 3 09:44:26 ensim MailScanner[8147]: Finished initialising database connection
Oct 3 09:44:27 ensim MailScanner[8147]: Using locktype = flock
Oct 3 09:44:27 ensim MailScanner[8147]: New Batch: Scanning 4 messages, 11578 bytes
Oct 3 09:44:27 ensim sendmail[8118]: h93DiMk08118: from=, size=1610, class=0, nrcpts=1, msgid=<8r2$00zbr4dl$2$9q0v8-dh-h$ig83@1dz.qypvn>, proto=SMTP, daemon=MTA, relay=dhcp16478068.woh.rr.com [24.164.78.68]
Oct 3 09:44:27 ensim sendmail[8118]: h93DiMk08118: to=, delay=00:00:03, mailer=virthostmail, pri=31610, stat=queued
Oct 3 09:44:28 ensim sendmail[8155]: h93DiRk08155: from=, size=715, class=0, nrcpts=1, msgid=<15493910352750_2569@202.157.132.113>, proto=SMTP, daemon=MTA, relay=ns1.stronium.com [202.157.132.113]
Oct 3 09:44:28 ensim sendmail[8155]: h93DiRk08155: to=, delay=00:00:01, mailer=virthostmail, pri=30715, stat=queued
Oct 3 09:44:28 ensim sendmail[8151]: NOQUEUE: dsl-200-95-72-229.prodigy.net.mx [200.95.72.229] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Oct 3 09:44:28 ensim MailScanner[8147]: Spam Checks: Found 1 spam messages
--------------------

Does this help?

Hmm...how does sendmail know to send all mails to mqueue.in? Could it be possibly that it was confused and sent it directly to recipients instead?

FYI, when I stop MailScanner service, sendmail is still running. Then I have to stop sendmail also. But when I start, I only start MailScanner which will automatically start sendmail.

Thanks again.

Thanks in advance.

At 09:58 AM 10/2/2003 +0100, you wrote:

>Hello,
>
> >>> But could you tell me how to see the processing of a test message
>through mailscanner?
>
>$ tail -f /var/log/maillog
>
>Will show sendmail receiving the message to mqueue.in, MailScanner detecting
>the message and scanning it, and sendmail delivering it to the recipient.
> >Hope this helps. > >Kind regards, >Steve. > >-----Original Message----- >From: kfliong [mailto:kfliong@WOFS.COM] >Sent: 02 October 2003 08:37 >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Re: mailscanner and sendmail dilemma > > > > >chkconfig --list sendmail > >sendmail 0:off 1:off 2:off 3:off 4:off 5:off 6:off > > >chkconfig --list MailScanner > >MailScanner 0:off 1:off 2:on 3:on 4:on 5:on 6:off > > > > >Then, try running the following: > > > >service MailScanner stop > >service sendmail stop > > > >wait for a minute then check the output of 'ps ax' to make sure no sendmail > >or MailScanner processes remain (kill then with 'kill -HUP ' if they > >do), then restart MailScanner: > > > >service MailScanner start > > > >then post the relevant lines from /var/log/maillog showing the MailScanner > >startup and the processing of a test message through mailscanner. > > > >Then maybe it'll be obvious to me or someone else as to what is up with >your > >set-up. > > > >Kind regards, > >Steve. > >ok, I stopped everything and restarted (which I have already done tons). >But could you tell me how to see the processing of a test message through >mailscanner? > >Thanks in advance. > > > > >-----Original Message----- > >From: kfliong [mailto:kfliong@WOFS.COM] > >Sent: 01 October 2003 10:02 > >To: MAILSCANNER@JISCMAIL.AC.UK > >Subject: mailscanner and sendmail dilemma > > > >Hi all, > > > >I know this doesn't seems to be the correct channel to ask for help but I > >am out of options. The message below I posted to rackshack (my webserver > >host) forum but no one replied after 3 days. I am now posting it here > >hoping that the experts here will be able to shed some light into solving > >my problem. > > > >It's quite long so please bear with me. Thanks in advance. > > > >-------------- > > > >I am having a problem with sendmail and mailscanner. My problem is that > >some of my mails go through sendmail and some through mailscanner. 
Those > >that go through sendmail do not get filter. So, I am still getting lots of > >spams and virus. > > > >Here is my story : > > > >I have redhat 7.2 with ensim 3.1.10. > > > >I previously configured procmail to fight spams and virus. Then I found out > >about mailscanner. Then I installed mailscanner (not sure if I removed > >procmail correctly as too long ago). I followed the guide in the forum > >how-to to install mailscanner (MS)+f-prot+spamassassin (SA). > > > >After installing this, it works great. I stop getting spams and virus. Not > >long after that, something dreadful happened. What happened, I can only > >describe from my memory which is kinda blurry on which event happens first. > >I'll try to list them in the correct order. > > > >I then installed a software called mailwatch. It was at version 0.1 beta. > >Installing this software require me to edit the CustomConfig.pm file. Not > >sure if this will affect mailscanner in anyway. Still running fine. One > >day, my server crashed. Not sure what happened. The whole email system got > >affected. Nobody can login to email to check mails. Not even login to ssh. > >Only admin and root can login. But websites seems to be still working. I > >tried and tried and then not even admin login works. It took a few days for > >rackshack tech to bring it back up. I am not sure what they did as they > >wouldn't tell me even after I keep pestering them. But I think they did > >somesort of restore as all the root, admin, ensim password was reset. > > > >So, I re-installed mailscanner. This time using mailscanner+clamav+SA howto > >(which is btw a great howto). I am not sure if I removed the previous > >mailscanner combo correctly. Then mails stating to act weird. A lot of > >users are getting mails <<>> in the mails. 
After searching > >around and tailling the maillog and some help, i think this problem is due > >to mailscanner and sendmail both fighting to handle the mail and eventually > >the message got deleted and being send to the recipient. After trying to > >re-install mailscanner, i still have this problem. Eventually, after a few > >weeks, this problem went away. I don't know what I did (too many to > >remember) but it did go away. But I still have problem of some mails being > >handled between sendmail and MS. > > > >Then I upgraded MS, clamav and SA hoping that it will solve this problem. > >No good. Still have. I even upgraded to mailwatch to 0.3 (if it's anything > >to do with it). Still having some mails being handled by MS and sendmail. > >Mailwatch seems to be working fine aside from the virus report not working. > > > >Anyone have solution to this? I really need some expertise here. Should I > >remove MS+clamav+SA totally and re-install? How to clean them completely? I > >am waiting for ensim to create the security patch for sendmail which have > >the buffer overflow bug. But I guess this does not have anything to do with > >my problem. > > > >What about sendmail.cf file? Is there something I should look inside? > >CustomConfig.pm? should I delete mailwatch which I am not sure is affecting > >this. BTW, mailwatch is a program that monitors the emails and then create > >a database to show the stats of emails through a webgui. > > > >Thanks for reading my long problem. But if I don't solve this, it will > >become longer. Also please bear in mind that in the period of having this > >problem unresolved, I also did some upgrade on other part of the system > >such as mysql, php, mysqladmin and so on. > > > >Any suggestion is highly appreciated. Thanks in advance. > > > >-- > >This email and any files transmitted with it are confidential and > >intended solely for the use of the individual or entity to whom they > >are addressed. 
If you have received this email in error please notify > >the sender and delete the message from your mailbox. > > > >This footnote also confirms that this email message has been swept by > >MailScanner (www.mailscanner.info) for the presence of computer viruses. > >-- >This email and any files transmitted with it are confidential and >intended solely for the use of the individual or entity to whom they >are addressed. If you have received this email in error please notify >the sender and delete the message from your mailbox. > >This footnote also confirms that this email message has been swept by >MailScanner (www.mailscanner.info) for the presence of computer viruses. From mailscanner at AVERYHILLS.COM Fri Oct 3 03:11:48 2003 From: mailscanner at AVERYHILLS.COM (Noway) Date: Thu Jan 12 21:20:22 2006 Subject: {Filename?} filtering, how to allow? References: <000f01c38939$fc215550$1489a8c0@averyhills.com> <6.0.0.22.0.20031002212138.01df6670@xanadu.evi-inc.com> Message-ID: <001f01c38953$b3b48930$1489a8c0@averyhills.com> So if I set all of these to = %rules-dir%/html.content.rules and html.content.rules would be From: *@domain.com yes From: default no is that right then? > Allow External Message Bodies > Allow IFrame Tags > Allow Form Tags > Allow Object Codebase Tags From mailscanner at AVERYHILLS.COM Fri Oct 3 03:17:25 2003 From: mailscanner at AVERYHILLS.COM (Noway) Date: Thu Jan 12 21:20:22 2006 Subject: MailScanner repeatedly restarting References: Message-ID: <002d01c38954$7c6aad50$1489a8c0@averyhills.com> Time to update to RedHat 9.0 I am seeing similar defunct processes on my test installation of 4.23-11 on RedHat 7.3. They seem to appear within split seconds of starting up mailscanner and increase in number. The number of defunct processes seems to be related to the number of mailscanner processes you chose i.e. if Max Children = 5 then there's 5 defunct processes etc. where each defunct process is a child of one of the processes. 
> -----Original Message----- > From: Stanier, Alan M [mailto:alan@ESSEX.AC.UK] > Sent: 02 October 2003 11:27 > To: MAILSCANNER@JISCMAIL.AC.UK > Subject: MailScanner repeatedly restarting > > I've just installed MailScanner 4.23-11 on RedHat9 > > When I start it up, I see messages in /var/adm/maillog every > 10 seconds, saying it is starting, and have various defunct > MS processes. > > Can anyone suggest what I might have done wrong, plase? > > > [root@serlinux15 MailScanner-4.23-11]# cd /var/adm > [root@serlinux15 adm]# tail -f maillog > Oct 2 11:17:15 serlinux15 MailScanner[22187]: MailScanner E-Mail Virus > Scanner version 4.23-11 starting... > Oct 2 11:17:25 serlinux15 MailScanner[22188]: MailScanner E-Mail Virus > Scanner version 4.23-11 starting... > Oct 2 11:17:35 serlinux15 MailScanner[22198]: MailScanner E-Mail Virus > Scanner version 4.23-11 starting... > Oct 2 11:17:45 serlinux15 MailScanner[22199]: MailScanner E-Mail Virus > Scanner version 4.23-11 starting... > Oct 2 11:17:55 serlinux15 MailScanner[22200]: MailScanner E-Mail Virus > Scanner version 4.23-11 starting... > Oct 2 11:18:05 serlinux15 MailScanner[22202]: MailScanner E-Mail Virus > Scanner version 4.23-11 starting... > Oct 2 11:18:15 serlinux15 MailScanner[22203]: MailScanner E-Mail Virus > Scanner version 4.23-11 starting... > Oct 2 11:18:25 serlinux15 MailScanner[22204]: MailScanner E-Mail Virus > Scanner version 4.23-11 starting... > > [root@serlinux15 adm]# > [root@serlinux15 adm]# !ps > ps wgaux | grep mail > mail 31963 0.0 0.2 3284 1032 ? S Oct01 0:00 > /usr/sbin/exim -C /essex/exim/serlinux15_outgoing -q1m > mail 2460 0.0 0.2 3296 1076 ? S Oct01 0:02 > /usr/sbin/exim -C /essex/exim/serlinux15_incoming -bd > mail 21878 0.0 2.3 15804 11988 ? S 11:04 0:00 > /usr/bin/perl -I/usr/lib/MailScanner /usr/sbin/MailScanner > /etc/MailScanner/MailScanner.conf > mail 21879 0.0 0.0 0 0 ? Z 11:04 0:00 > [MailScanner ] > mail 21895 0.0 0.0 0 0 ? Z 11:04 0:00 > [MailScanner ] > mail 21909 0.0 0.0 0 0 ? 
Z 11:04 0:00 > [MailScanner ] > mail 21919 0.0 0.0 0 0 ? Z 11:04 0:00 > [MailScanner ] > mail 22229 2.0 0.0 0 0 ? Z 11:19 0:00 > [MailScanner ] > root 22231 0.0 0.1 3584 616 pts/0 S 11:19 0:00 grep mail > > -------- > Alan Stanier > Essex University Information Systems Services > Systems Group From ricurtis at HOTMAIL.COM Fri Oct 3 08:04:36 2003 From: ricurtis at HOTMAIL.COM (Richard Curtis) Date: Thu Jan 12 21:20:22 2006 Subject: Uninstalling MailScanner References: <3EA1A302A4978A4C970D2C63F327156E012EF2ED@worc-mail2.int.morganco.com> Message-ID: >>Someone recently posted a review of the licensing models and prices of >>pretty much all the scanners. Try looking for a posting in the archive >>with >>the names of several scanners in it. >>-- >>Julian Field > >I put the post in the FAQ. I'll delete if I was out of line. Let me >know. > >http://www.sng.ecs.soton.ac.uk/cgi-bin/faq?amp=&auth=ck8855a5ed71d287641 >21600405c7e004b&file=213 Thanks. That is a useful article although it doesnt mention Inoculan. I am curious as in the config files for MailScanner there is a link to download the Inoculan virus scanner - and nowhere do I have to accept any license terms. Strange Richard From P.G.M.Peters at utwente.nl Fri Oct 3 08:25:08 2003 From: P.G.M.Peters at utwente.nl (Peter Peters) Date: Thu Jan 12 21:20:22 2006 Subject: Users like this... In-Reply-To: <004401c38908$f09e5d80$0501a8c0@darkside> References: <004401c38908$f09e5d80$0501a8c0@darkside> Message-ID: On Thu, 2 Oct 2003 12:16:38 -0500, you wrote: >Can we let stuff like this through the firewall - $20.00 off on an order is >a good deal! That same user probably thinks 2 - 3 inches added to some bodypart is also a good deal. 
--
Peter Peters, senior network administrator
Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE)
Universiteit Twente, Postbus 217, 7500 AE Enschede
telephone: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/civ

From P.G.M.Peters at utwente.nl Fri Oct 3 09:15:25 2003
From: P.G.M.Peters at utwente.nl (Peter Peters)
Date: Thu Jan 12 21:20:22 2006
Subject: PGP newbie question
In-Reply-To: <5.2.1.1.2.20031002213100.02e5ee78@imap.ecs.soton.ac.uk>
References: <5C0296D26910694BB9A9BBFC577E7AB00188AB4E@pascal.priv.bmrb.co.uk> <5C0296D26910694BB9A9BBFC577E7AB00188AB4E@pascal.priv.bmrb.co.uk> <1065126224.17459.11.camel@bach.kevinspicer.co.uk> <5.2.1.1.2.20031002213100.02e5ee78@imap.ecs.soton.ac.uk>
Message-ID:

On Thu, 2 Oct 2003 21:44:23 +0100, you wrote:

>>Yes, PGP works on a web of trust principle. Just because you have a
>>public key which claims to represent Julian, doesn't mean it does
>>(anyone can produce a key which says they are anyone else). You have to
>>decide for yourself whether (and how much) you trust Julian's key - if
>>you do you can sign the key (gpg --sign-key "Julian Field") [You need to
>>have generated your own public and private key first].
>
>Peter Peters has signed my key, but it appears the key servers haven't
>sync-ed with each other yet as it's not on pgpkeys.mit.edu yet, and I don't
>know which key server he uploaded it to.

pgp.surfnet.nl. When I download your key again I notice it is signed by James Ogden also.

--
Peter Peters, senior network administrator
Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE)
Universiteit Twente, Postbus 217, 7500 AE Enschede
telephone: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/civ

From P.G.M.Peters at utwente.nl Fri Oct 3 09:19:23 2003
From: P.G.M.Peters at utwente.nl (Peter Peters)
Date: Thu Jan 12 21:20:22 2006
Subject: {Filename?} filtering, how to allow?
In-Reply-To: <001f01c38953$b3b48930$1489a8c0@averyhills.com>
References: <000f01c38939$fc215550$1489a8c0@averyhills.com> <6.0.0.22.0.20031002212138.01df6670@xanadu.evi-inc.com> <001f01c38953$b3b48930$1489a8c0@averyhills.com>
Message-ID:

On Thu, 2 Oct 2003 21:11:48 -0500, you wrote:

>So if I set all of these to = %rules-dir%/html.content.rules
>
>and html.content.rules would be
>
>From: *@domain.com yes
>From: default no
>
>is that right then?

It looks alright. But I prefer to use different rules for every setting:

|AllowFormTags.rules
|AllowIFrameTags.rules
|AllowObjectCodebaseTags.rules

So I can selectively push holes in our protection. I accept form tags from one address (not a complete domain) but no iframe tags.

--
Peter Peters, senior network administrator
Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE)
Universiteit Twente, Postbus 217, 7500 AE Enschede
telephone: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/civ

From P.G.M.Peters at utwente.nl Fri Oct 3 09:21:31 2003
From: P.G.M.Peters at utwente.nl (Peter Peters)
Date: Thu Jan 12 21:20:22 2006
Subject: How-to translate reports?
In-Reply-To: <00e701c38941$0e9aa040$6400a8c0@FOX31>
References: <5.2.1.1.2.20031002213100.02e5ee78@imap.ecs.soton.ac.uk> <00e701c38941$0e9aa040$6400a8c0@FOX31>
Message-ID:

On Fri, 3 Oct 2003 01:58:20 +0200, you wrote:

>I would like to update the translation of the Danish reports. But have some
>questions before I do:
>
>Is it standard to do an "almost" exact translation from the English reports,
>or is it normal to add additional information?
>
>Why are the reports not in example: Danish and English?

I am trying to get Dutch/English reports. At this moment I have taken both versions and put them in one file beneath each other. I am trying to compose one where Dutch is on the left and English on the right. With the report spread over the complete width.

--
Peter Peters, senior network administrator
Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE)
Universiteit Twente, Postbus 217, 7500 AE Enschede
telephone: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/civ

From P.G.M.Peters at utwente.nl Fri Oct 3 09:32:33 2003
From: P.G.M.Peters at utwente.nl (Peter Peters)
Date: Thu Jan 12 21:20:22 2006
Subject: mailscanner and sendmail dilemma
In-Reply-To: <5.2.1.1.0.20031003094845.03169a38@192.168.10.2>
References: <67D9E7698329D411936E00508B6590B902773B3D@neelix.lbsltd.co.uk> <5.2.1.1.0.20031003094845.03169a38@192.168.10.2>
Message-ID: <6ecqnvc2qt2cq3fre230ofscd50na38uhd@4ax.com>

On Fri, 3 Oct 2003 09:55:37 +0800, you wrote:

>Here is some of the info I get tailing maillog :
>
># tail -f /var/log/maillog

It is a whole lot of information.

>Oct 3 09:44:24 ensim sendmail[8141]: h93DiOk08141:
>from=, size=2837, class=0, nrcpts=1,
>msgid=<9i50$2-t49tx658irq2$v@xy0h.0u>, proto=ESMTP, daemon=MTA,
>relay=ensim.wofsproperties.com [216.12.213.201]
>Oct 3 09:44:24 ensim sendmail[8141]: h93DiOk08141:
>to=, delay=00:00:00, mailer=virthostmail,
>pri=32837, stat=queued

These seem alright.

>Oct 3 09:44:24 ensim sendmail[8137]: h93DiOe08136:
>to=autodelete@mydomain2.com, delay=00:00:00, xdelay=00:00:00, mailer=esmtp,
>pri=31697, relay=mail.mydomain2.com. [216.12.213.201], dsn=2.0.0, stat=Sent
>(h93DiOk08141 Message accepted for delivery)

But I expect MailScanner logs before this one.

>Oct 3 09:44:26 ensim MailScanner[8147]: MailScanner E-Mail Virus Scanner
>version 4.23-11 starting...
>Oct 3 09:44:26 ensim MailScanner[8147]: Config: calling custom init
>function MailWatchLogging
>Oct 3 09:44:26 ensim MailScanner[8147]: Initialising database connection
>Oct 3 09:44:26 ensim MailScanner[8147]: Finished initialising database
>connection
>Oct 3 09:44:27 ensim MailScanner[8147]: Using locktype = flock
>Oct 3 09:44:27 ensim MailScanner[8147]: New Batch: Scanning 4 messages,
>11578 bytes

You started MailScanner at this moment?

>Oct 3 09:44:27 ensim sendmail[8118]: h93DiMk08118:
>from=, size=1610, class=0, nrcpts=1,
>msgid=<8r2$00zbr4dl$2$9q0v8-dh-h$ig83@1dz.qypvn>, proto=SMTP, daemon=MTA,
>relay=dhcp16478068.woh.rr.com [24.164.78.68]
>Oct 3 09:44:27 ensim sendmail[8118]: h93DiMk08118:
>to=, delay=00:00:03, mailer=virthostmail,
>pri=31610, stat=queued

This looks good also.

>Oct 3 09:44:28 ensim MailScanner[8147]: Spam Checks: Found 1 spam messages

I need a little more. MailScanner should log what he did with the message. I get

|Oct 3 10:26:04 netlx014 MailScanner[18615]: Spam Actions: message h938Q0001399 actions are deliver

By looking at the queue-ID (h938Q0001399) you can check whether the message that had "stat=queued" in it was processed. You won't get a "Spam Actions" line for every queued message (I hope).

>Hmm...how does sendmail know to send all mails to mqueue.in? Could it be
>possibly that it was confused and sent it directly to recipients instead?

You tell the sendmail listening on port 25 to queue in mqueue.in.

>FYI, when I stop MailScanner service, sendmail is still running. Then I
>have to stop sendmail also. But when I start, I only start MailScanner
>which will automatically start sendmail.

If you stop MailScanner there could be a few remnant sendmail processes waiting on a close. You should check (ps axf) what sendmails are running. You should have one "sendmail: accepting connections" with a lot of children. You should have a queue-running sendmail (in my case " /usr/sbin/sendmail -q30m") with a number of children. And you could have a sendmail listening on the client port.

The sendmail accepting connections should not also do queue runs. It would do them from mqueue.in whereas the special queue running sendmail does it from mqueue.

--
Peter Peters, senior network administrator
Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE)
Universiteit Twente, Postbus 217, 7500 AE Enschede
telephone: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/civ

From ricurtis at HOTMAIL.COM Fri Oct 3 11:14:07 2003
From: ricurtis at HOTMAIL.COM (Richard Curtis)
Date: Thu Jan 12 21:20:22 2006
Subject: Remove "X-Mail-Scanner: Not scanned" ?
Message-ID:

Hi again.
Is it possible to configure mailscanner so that if (via a rule set) it doesn't scan an email for viruses, it doesn't add the above header.
I am noticing that on emails not scanned, the headers:

X-Mail-Scanner-Information: Please contact the ISP for more information
X-Mail-Scanner: Not scanned: please contact your Internet E-Mail Service Provider for details
X-Mail-Scanner-SpamCheck:

are all added... it would be nice if it simply didn't modify the headers in any way if scanning is disabled for a given domain etc.

Richard

From Antony at SOFT-SOLUTIONS.CO.UK Fri Oct 3 11:43:19 2003
From: Antony at SOFT-SOLUTIONS.CO.UK (Antony Stone)
Date: Thu Jan 12 21:20:22 2006
Subject: Rules files (blacklist)
In-Reply-To: <5.2.1.1.2.20031002175251.031a3f50@imap.ecs.soton.ac.uk>
References: <5.2.1.1.2.20031002175251.031a3f50@imap.ecs.soton.ac.uk>
Message-ID: <200310031043.h93AhM727622@onyx.rockstone.co.uk>

On Thursday 02 October 2003 5:57 pm, Julian Field wrote:

> One of the reasons I haven't implemented it is the purely practical matter
> of defining how you could express a rule containing any arbitrary text (eg.
> spaces, quotes, slashes etc), while still ending up with a rule that can
> actually be parsed. If you, say, were writing a rule for "Spam Actions"
> (which takes several keywords as its result), you could end up with this:
> Subject: this is random text to match deliver forward
> How on earth do I parse that? Where does the subject end and the result
> (deliver forward) start?
>
> If you can come up with a decent solution to this problem, I'll have a
> crack at writing it.

How about separating the expression from the actions using a tab character, and requiring that the expression to be searched for is a regex, so that if it needs to contain a tab character of its own, that's shown as \t ?

Antony.

--
Having been asked to provide a reference for this man, I can confidently state that you will be very lucky indeed if you can get him to work for you.

From mailscanner at ecs.soton.ac.uk Fri Oct 3 12:01:06 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:20:22 2006
Subject: Remove "X-Mail-Scanner: Not scanned" ?
In-Reply-To:
Message-ID: <5.2.0.9.2.20031003120033.050dccc8@imap.ecs.soton.ac.uk>

At 11:14 03/10/2003, you wrote:
>Hi again.
> Is it possible to configure mailscanner so that if (via a rule set) it
>doesn't scan an email for viruses, it doesn't add the above header.
>I am noticing that on emails not scanned, the headers:
>X-Mail-Scanner-Information: Please contact the ISP for more information
>X-Mail-Scanner: Not scanned: please contact your Internet E-Mail Service
>Provider for details
>X-Mail-Scanner-SpamCheck:
>
>are all added... it would be nice if it simply didn't modify the headers in
>any way if scanning is disabled for a given domain etc.

If I remember rightly, set the header names to be blank (using a ruleset of course, so you only set them blank for non-scanned addresses).
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From Denis.Beauchemin at USHERBROOKE.CA Fri Oct 3 13:35:22 2003
From: Denis.Beauchemin at USHERBROOKE.CA (Denis Beauchemin)
Date: Thu Jan 12 21:20:22 2006
Subject: MailScanner repeatedly restarting
In-Reply-To: <002d01c38954$7c6aad50$1489a8c0@averyhills.com>
References: <002d01c38954$7c6aad50$1489a8c0@averyhills.com>
Message-ID: <1065184521.2962.46.camel@dbeauchemin.sti.usherbrooke.ca>

My 3 RH 7.3 boxes are running just fine here (MS 4.23-11 and SA 2.60).

Denis

On Thu 02/10/2003 at 22:17, Noway wrote:
> Time to update to RedHat 9.0
>
> > I am seeing similar defunct processes on my test installation of 4.23-11
> on RedHat 7.3. They seem to appear within split seconds of starting up
> mailscanner and increase in number. The number of defunct processes
> seems to be related to the number of mailscanner processes you chose
> i.e. if Max Children = 5 then there's 5 defunct processes etc. where
> each defunct process is a child of one of the processes.
>
>
> > -----Original Message-----
> > From: Stanier, Alan M [mailto:alan@ESSEX.AC.UK]
> > Sent: 02 October 2003 11:27
> > To: MAILSCANNER@JISCMAIL.AC.UK
> > Subject: MailScanner repeatedly restarting
> >
> > I've just installed MailScanner 4.23-11 on RedHat9
> >
> > When I start it up, I see messages in /var/adm/maillog every
> > 10 seconds, saying it is starting, and have various defunct
> > MS processes.
> >
> > Can anyone suggest what I might have done wrong, please?
> >
> >
> > [root@serlinux15 MailScanner-4.23-11]# cd /var/adm
> > [root@serlinux15 adm]# tail -f maillog
> > Oct 2 11:17:15 serlinux15 MailScanner[22187]: MailScanner E-Mail
> Virus
> > Scanner version 4.23-11 starting...
> > Oct 2 11:17:25 serlinux15 MailScanner[22188]: MailScanner E-Mail
> Virus
> > Scanner version 4.23-11 starting...
> > Oct 2 11:17:35 serlinux15 MailScanner[22198]: MailScanner E-Mail
> Virus
> > Scanner version 4.23-11 starting...
> > Oct 2 11:17:45 serlinux15 MailScanner[22199]: MailScanner E-Mail
> Virus
> > Scanner version 4.23-11 starting...
> > Oct 2 11:17:55 serlinux15 MailScanner[22200]: MailScanner E-Mail
> Virus
> > Scanner version 4.23-11 starting...
> > Oct 2 11:18:05 serlinux15 MailScanner[22202]: MailScanner E-Mail
> Virus
> > Scanner version 4.23-11 starting...
> > Oct 2 11:18:15 serlinux15 MailScanner[22203]: MailScanner E-Mail
> Virus
> > Scanner version 4.23-11 starting...
> > Oct 2 11:18:25 serlinux15 MailScanner[22204]: MailScanner E-Mail
> Virus
> > Scanner version 4.23-11 starting...
> >
> > [root@serlinux15 adm]#
> > [root@serlinux15 adm]# !ps
> > ps wgaux | grep mail
> > mail 31963 0.0 0.2 3284 1032 ? S Oct01 0:00
> > /usr/sbin/exim -C /essex/exim/serlinux15_outgoing -q1m
> > mail 2460 0.0 0.2 3296 1076 ? S Oct01 0:02
> > /usr/sbin/exim -C /essex/exim/serlinux15_incoming -bd
> > mail 21878 0.0 2.3 15804 11988 ? S 11:04 0:00
> > /usr/bin/perl -I/usr/lib/MailScanner /usr/sbin/MailScanner
> > /etc/MailScanner/MailScanner.conf
> > mail 21879 0.0 0.0 0 0 ? Z 11:04 0:00
> > [MailScanner ]
> > mail 21895 0.0 0.0 0 0 ? Z 11:04 0:00
> > [MailScanner ]
> > mail 21909 0.0 0.0 0 0 ? Z 11:04 0:00
> > [MailScanner ]
> > mail 21919 0.0 0.0 0 0 ? Z 11:04 0:00
> > [MailScanner ]
> > mail 22229 2.0 0.0 0 0 ? Z 11:19 0:00
> > [MailScanner ]
> > root 22231 0.0 0.1 3584 616 pts/0 S 11:19 0:00 grep
> mail
> >
> > --------
> > Alan Stanier
> > Essex University Information Systems Services
> > Systems Group

--
Denis Beauchemin, analyst
Université de Sherbrooke, S.T.I.
T: 819.821.8000x2252 F: 819.821.8045

From Antony at SOFT-SOLUTIONS.CO.UK Fri Oct 3 13:52:20 2003
From: Antony at SOFT-SOLUTIONS.CO.UK (Antony Stone)
Date: Thu Jan 12 21:20:22 2006
Subject: MailScanner repeatedly restarting
In-Reply-To: <76D7B4C0D1A36245AA5678275A410F00019DDF@sernt4.essex.ac.uk>
References: <76D7B4C0D1A36245AA5678275A410F00019DDF@sernt4.essex.ac.uk>
Message-ID: <200310031252.h93CqN728142@onyx.rockstone.co.uk>

On Thursday 02 October 2003 11:26 am, Stanier, Alan M wrote:

> I've just installed MailScanner 4.23-11 on RedHat9
>
> When I start it up, I see messages in /var/adm/maillog every
> 10 seconds, saying it is starting, and have various defunct
> MS processes.
>
> Can anyone suggest what I might have done wrong, please?

This is usually an indication of a parsing error in MailScanner.conf

Check your /var/log/syslog to see if you get any more information, or else start MailScanner manually (/opt/MailScanner/bin/check_mailscanner) and see what it tells you the error is.

Regards,

Antony.

> Oct 2 11:17:15 serlinux15 MailScanner[22187]: MailScanner E-Mail Virus
> Scanner version 4.23-11 starting... Oct 2 11:17:25 serlinux15
> MailScanner[22188]: MailScanner E-Mail Virus Scanner version 4.23-11
> starting... Oct 2 11:17:35 serlinux15 MailScanner[22198]: MailScanner
> E-Mail Virus Scanner version 4.23-11 starting... Oct 2 11:17:45 serlinux15
> MailScanner[22199]: MailScanner E-Mail Virus Scanner version 4.23-11
> starting... Oct 2 11:17:55 serlinux15 MailScanner[22200]: MailScanner
> E-Mail Virus Scanner version 4.23-11 starting... Oct 2 11:18:05 serlinux15
> MailScanner[22202]: MailScanner E-Mail Virus Scanner version 4.23-11
> starting... Oct 2 11:18:15 serlinux15 MailScanner[22203]: MailScanner
> E-Mail Virus Scanner version 4.23-11 starting... Oct 2 11:18:25 serlinux15
> MailScanner[22204]: MailScanner E-Mail Virus Scanner version 4.23-11
> starting...

--
Your email has been returned due to insufficient voltage.

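
The pattern in the quoted log (a new PID that logs only the "starting..." line, every 10 seconds) can be picked out of a maillog automatically. The script below is an added example, not part of MailScanner or of the original posts; the sample log is constructed from lines quoted in this thread, and the thresholds (three consecutive silent starts, at most 30 seconds apart) are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

# Constructed sample: the serlinux15 lines follow the restart loop quoted in
# this thread, the ensim lines follow the healthy startup quoted earlier.
SAMPLE_LOG = """\
Oct  2 11:17:15 serlinux15 MailScanner[22187]: MailScanner E-Mail Virus Scanner version 4.23-11 starting...
Oct  2 11:17:25 serlinux15 MailScanner[22188]: MailScanner E-Mail Virus Scanner version 4.23-11 starting...
Oct  2 11:17:35 serlinux15 MailScanner[22198]: MailScanner E-Mail Virus Scanner version 4.23-11 starting...
Oct  2 11:17:45 serlinux15 MailScanner[22199]: MailScanner E-Mail Virus Scanner version 4.23-11 starting...
Oct  3 09:44:25 ensim sendmail[8112]: h93DiJk08112: to=<user@example.com>, mailer=virthostmail, stat=queued
Oct  3 09:44:26 ensim MailScanner[8147]: MailScanner E-Mail Virus Scanner version 4.23-11 starting...
Oct  3 09:44:27 ensim MailScanner[8147]: Using locktype = flock
Oct  3 09:44:27 ensim MailScanner[8147]: New Batch: Scanning 4 messages, 11578 bytes
"""

LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<time>\d\d:\d\d:\d\d)\s+"
    r"(?P<host>\S+)\s+MailScanner\[(?P<pid>\d+)\]:\s+(?P<msg>.*)$"
)
START_RE = re.compile(r"MailScanner E-Mail Virus Scanner version \S+ starting")


def parse_mailscanner_lines(log_text, year):
    """Yield (timestamp, host, pid, message) for MailScanner syslog lines only."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue  # sendmail and other daemons are ignored
        # Syslog timestamps carry no year, so the caller supplies one.
        stamp = f"{year} {m['mon']} {m['day']} {m['time']}"
        yield (datetime.strptime(stamp, "%Y %b %d %H:%M:%S"),
               m["host"], int(m["pid"]), m["msg"])


def _summarise(host, run):
    gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(run, run[1:])]
    return {
        "host": host,
        "first": run[0][0],
        "last": run[-1][0],
        "pids": [pid for _, pid in run],
        "period_seconds": median(gaps) if gaps else None,
    }


def find_restart_loops(log_text, min_restarts=3,
                       max_gap=timedelta(seconds=30), year=2003):
    """Report runs of MailScanner processes that start and then log nothing.

    A healthy child logs more lines after "starting..." (lock type, batches).
    A child whose only line is the start banner, replaced shortly afterwards
    by another such child, is treated as having died during startup.
    """
    lines_per_proc = defaultdict(int)
    starts = defaultdict(list)  # host -> [(timestamp, pid)]
    for ts, host, pid, msg in parse_mailscanner_lines(log_text, year):
        lines_per_proc[(host, pid)] += 1
        if START_RE.search(msg):
            starts[host].append((ts, pid))

    loops = []
    for host, events in starts.items():
        events.sort()
        run = []
        for ts, pid in events + [(None, None)]:  # sentinel flushes the last run
            silent = ts is not None and lines_per_proc[(host, pid)] == 1
            contiguous = silent and (not run or ts - run[-1][0] <= max_gap)
            if not contiguous:
                if len(run) >= min_restarts:
                    loops.append(_summarise(host, run))
                run = []
            if silent:
                run.append((ts, pid))
    return loops


if __name__ == "__main__":
    for loop in find_restart_loops(SAMPLE_LOG):
        print(f"{loop['host']}: {len(loop['pids'])} silent starts, "
              f"about every {loop['period_seconds']:.0f}s, "
              f"{loop['first']} to {loop['last']}")
```

A hit only says that the scanner is not staying up; the cause still has to be read from the configuration check described in the reply above.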
From anders.andersson at LTKALMAR.SE Fri Oct 3 14:31:53 2003
From: anders.andersson at LTKALMAR.SE (Anders Andersson, IT)
Date: Thu Jan 12 21:20:22 2006
Subject: SV: How-to translate reports?
Message-ID:

> -----Original Message-----
> From: Maillists [mailto:hb.maillists@DFS.DK]
> Sent: 3 October 2003 01:58
> To: MAILSCANNER@JISCMAIL.AC.UK
> Subject: How-to translate reports?
>
>
> I would like to update the translation of the Danish reports.
> But have some questions before I do:
>
> Is it standard to do an "almost" exact translation from the
> English reports, or is it normal to add additional information?

I can only speak for the Swedish translation and we have changed some parts, but nothing big. Just to make it more understandable in Swedish... well at least I hope it will :)

>
> Why are the reports not in example: Danish and English?

Not sure of the reason from the beginning but unless I'm totally wrong here you can make different rules to send different notifications to certain addresses... all mail that comes from xxx@xxx.es will get Spanish notification.... rather clever I think. Especially since my Spanish isn't good enough to do it myself I can just use the ones included

>
> /henrik
>

From ryanw at FALSEHOPE.COM Fri Oct 3 15:14:24 2003
From: ryanw at FALSEHOPE.COM (Ryan Weaver)
Date: Thu Jan 12 21:20:22 2006
Subject: refreshing spam.whitelist.rules
Message-ID:

Two things...

First, does the FromTo: default have to be listed last in spam.whitelist.rules?

Secondly, does MailScanner reload spam.whitelist.rules when it does its self-reloading every so often? It seems to me that it would, but I'd like confirmation because I am working on a web form to facilitate semi-auto temporary whitelisting after passing a human input validation phase (captcha)...

Thanks in advance.

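
A sketch of the file-writing side of such a form, added here as an example and not code from MailScanner or from the poster: it accepts only one exact sender address per request, so a submitted value cannot carry a `*` wildcard, the `default` keyword or an extra line into the ruleset, and it replaces the file in one step so a reload never reads a half-written copy. The `From:` / `FromOrTo:` whitespace-separated layout follows the rules quoted in this archive; the function names, the expiry map, the `#` comment line and the 0644 file mode are assumptions.

```python
import os
import re
import tempfile

# Exact addresses only. The character classes leave no room for "*",
# "/regex/" patterns, whitespace or line breaks, and fullmatch() (unlike a
# "$" anchor) also refuses a trailing newline.
ADDRESS_RE = re.compile(
    r"[A-Za-z0-9._+-]{1,64}@"
    r"(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,63}"
)


def whitelist_rule(address):
    """Return one ruleset line that whitelists a single sender address."""
    if not isinstance(address, str) or not ADDRESS_RE.fullmatch(address):
        raise ValueError(f"refusing to whitelist {address!r}")
    return f"From:\t{address.lower()}\tyes"


def accepts(address):
    """True when the form input would be written to the ruleset."""
    try:
        whitelist_rule(address)
    except ValueError:
        return False
    return True


def render_ruleset(entries, now):
    """Build the whole file from {address: expiry_epoch_seconds}.

    Entries whose expiry has passed are left out, which is what makes the
    whitelisting temporary. The default rule is written first; per the reply
    in this thread it does not have to be the last line.
    """
    lines = [
        "# Generated file: edit the whitelist through the web form.",
        "FromOrTo:\tdefault\tno",
    ]
    live = {whitelist_rule(addr) for addr, expires in entries.items()
            if expires > now}
    lines.extend(sorted(live))
    return "\n".join(lines) + "\n"


def write_atomically(path, text):
    """Replace path in a single rename so readers see old or new, never partial."""
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".rules.")
    try:
        with os.fdopen(fd, "w") as handle:
            handle.write(text)
            handle.flush()
            os.fsync(handle.fileno())
        os.chmod(tmp, 0o644)  # assumption: the scanner only needs read access
        os.replace(tmp, path)
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise


if __name__ == "__main__":
    # Constructed data: one live entry and one that expired a second ago.
    now = 1065190000
    demo = {"Alice@Example.org": now + 3600, "old@example.org": now - 1}
    print(render_ruleset(demo, now), end="")
    print(accepts("*@example.org"), accepts("a@example.org\nFrom: default yes"))
```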
From mailscanner at ecs.soton.ac.uk Fri Oct 3 15:15:45 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:20:22 2006
Subject: refreshing spam.whitelist.rules
In-Reply-To:
Message-ID: <5.2.0.9.2.20031003151454.0bb31df0@imap.ecs.soton.ac.uk>

At 15:14 03/10/2003, you wrote:
>Two things...
>
>First, does the FromTo: default have to be listed last in
>spam.whitelist.rules?

No, but it's good practice to always specify the default. It doesn't have to be at the end (handy if you are generating rules automatically).

>Secondly, does MailScanner reload spam.whitelist.rules when it does its
>self-reloading every so often?

Yes.

> It seems to me that it would, but I'd like
>confirmation because I am working on a web form to facilitate semi-auto
>temporary whitelisting after passing a human input validation phase
>(captcha)...

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at LISTS.COM.AR Fri Oct 3 15:24:57 2003
From: mailscanner at LISTS.COM.AR (Mariano Absatz)
Date: Thu Jan 12 21:20:22 2006
Subject: How-to translate reports?
In-Reply-To:
Message-ID: <3F7D5C89.7926.10010B14@localhost>

On 3 Oct 2003 at 15:31, Anders Andersson, IT wrote:

> >
> > Why are the reports not in example: Danish and English?
>
> Not sure of the reason from the beginning but unless I'm totally wrong here
> you can make different rules to send different notifications to certain
> addresses... all mail that comes from xxx@xxx.es will get Spanish
> notification.... rather clever I think. Especially since my Spanish isn't
> good enough to do it myself I can just use the ones included

I wanted to do a Spanish+English (but never got to)... the idea behind it is sometimes based on reports sent back to a sender which you may not know what language he/she speaks.

In Argentina you expect everyone to speak Spanish, but many correspondents from abroad might not do so, so you include English as an international fall-back.

I think that is the rationale behind this... don't know if this is completely valid, but at least I think it's reasonable.

Regards.

--
Mariano Absatz
El Baby
----------------------------------------------------------
What is a "free" gift ? Aren't all gifts free?

From m.sapsed at BANGOR.AC.UK Fri Oct 3 15:28:11 2003
From: m.sapsed at BANGOR.AC.UK (Martin Sapsed)
Date: Thu Jan 12 21:20:22 2006
Subject: Double extensions getting nabbed
References: <4465895C-F516-11D7-80EC-0030656E138E@phonedir.com>
Message-ID: <3F7D877B.8060803@bangor.ac.uk>

Dan Farmer wrote:
> comment out the check in /etc/MailScanner/filename.rules.conf:
>
> # Deny all other double file extensions. This catches any hidden
> filenames.
> #deny \.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$ Found possible filename
> hiding Attempt to hide real filename extension
>
> dan
>
> On Thursday, October 2, 2003, at 02:09 PM, Christian Campbell wrote:
>
>> I'm having user complaints that documents named like:
>>
>> 00568011.011.txt.pdf
>>
>> Are being quarantined because "Attempt to hide real filename
>> extension".
>> How can I make it qualify the characters after the last "." only?

or explicitly allow .pdf, .doc, .xls etc (or both!)

Cheers,

Martin

--
Martin Sapsed
Information Services               "Who do you say I am?"
University of Wales, Bangor             Jesus of Nazareth

From joshua.hirsh at PARTNERSOLUTIONS.CA Fri Oct 3 15:24:42 2003
From: joshua.hirsh at PARTNERSOLUTIONS.CA (Hirsh, Joshua)
Date: Thu Jan 12 21:20:22 2006
Subject: Exchange blocking duplicate messages?
Message-ID: <75FEDC422E2309419A9303E7B18F206E04DB5BB4@eqmail1.efni.vpn>

Hey all,

Has anyone run into the case where an Exchange 5.5 server will block messages with the same Message-ID field?

In my case, if I release a message from the quarantine, some users will never get it.
It appears that it's because Exchange ignores the message since it already received one with the same Message-ID (which was sent notifying the user that the attachment was removed). I was able to reproduce it by manually sending SMTP commands to Exchange and sent a message with the same Message-ID a few times. In all cases, only the first one went through. It's definately more of an Exchange issue, but I'm hoping some of you might have run into this before :) Thanks, -Joshua From m.sapsed at BANGOR.AC.UK Fri Oct 3 15:29:53 2003 From: m.sapsed at BANGOR.AC.UK (Martin Sapsed) Date: Thu Jan 12 21:20:22 2006 Subject: How-to translate reports? References: <5.2.1.1.2.20031002213100.02e5ee78@imap.ecs.soton.ac.uk> <00e701c38941$0e9aa040$6400a8c0@FOX31> Message-ID: <3F7D87E1.90704@bangor.ac.uk> Peter Peters wrote: > On Fri, 3 Oct 2003 01:58:20 +0200, you wrote: > >>I would like to update the translation of the Danish reports. But have some >>questions before I do: >> >>Is it standard to do an "almost" exact translation from the English reports, >>or is normal to add additional information? >> >>Why are the reports not in example: Danish and English? > > I am trying to get Dutch/English reports. At this moment I have taken > both versions and put them in one file beneath eachother. I am trying to > compose one where Dutch is on the left and English on the right. With > the report spread over the complete width. If you have a look at my bilingual Welsh/English reports in the cy+en directory, it might save you a bit of work... Cheers, Martin -- Martin Sapsed Information Services "Who do you say I am?" 
University of Wales, Bangor Jesus of Nazareth From m.sapsed at BANGOR.AC.UK Fri Oct 3 15:38:24 2003 From: m.sapsed at BANGOR.AC.UK (Martin Sapsed) Date: Thu Jan 12 21:20:22 2006 Subject: OT: Sophos CID password error References: <6.0.0.22.2.20031002163927.023660e0@commons> Message-ID: <3F7D89E0.1030707@bangor.ac.uk> Fred Dick wrote: > Hi Sophos Gurus: > > Been getting the message when trying to auto update: > > Error: Could not find central installation setup program. The specified > network password is not correct. > > Happens with 3.73 & 3.74. Win2k PC client running against Sun Solaris 2.6 > CID. Reset sweepupd passwd, account, uninstalled and reinstalled Sophos > numerous times on both server and client. Any ideas??? This has been > working fine for 2 years...no recent changes to system. I don't think it says so anywhere but my experience indicates that Sophos autoupdate only works on XP (and presumably 2k) if encrypted passwords work. Since I assume you're using Samba on the Sun, are you accepting encrypted passwords? Although having just read your message again, since it's been working for ages, I guess you are...! Cheers, Martin -- Martin Sapsed Information Services "Who do you say I am?" University of Wales, Bangor Jesus of Nazareth From campbell at CNPAPERS.COM Fri Oct 3 16:57:57 2003 From: campbell at CNPAPERS.COM (Stephe Campbell) Date: Thu Jan 12 21:20:22 2006 Subject: RBL suggestions - please. Message-ID: <006401c389c7$1d534700$c101a8c0@cnpapers.net> I realize this has been beat to death since the recent closure of a couple of RBLs, but here's one more request for suggestions. I do not do RBL checks in MS(4.22-5), but do try to use them in SA(2.55). Ever since the loss of Infinite-Monkeys, when ever I turn off (#skip_rbl_checks 1) in my spam.assassin.prefs.conf file, mail backs up in mqueue.in to rediculous levels. I am not seeming any timeouts in my logs. 
I have the recommended tests zeroed out as below score RCVD_IN_OSIRUSOFT_COM 0 score X_OSIRU_DUL 0 score X_OSIRU_DUL_FH 0 score X_OSIRU_OPEN_RELAY 0 score X_OSIRU_SPAMWARE_SITE 0 score X_OSIRU_SPAM_SRC 0 and I didn't see any test specific to Infinite-Monkeys. Can anyone make a suggestion on what is required now to do efficient checks in SA? Thanks much... Steve Campbell campbell@cnpapers.com Charleston Newspapers From gdr at GNO.ORG Fri Oct 3 16:40:50 2003 From: gdr at GNO.ORG (Devin Reade) Date: Thu Jan 12 21:20:22 2006 Subject: Exchange blocking duplicate messages? In-Reply-To: <75FEDC422E2309419A9303E7B18F206E04DB5BB4@eqmail1.efni.vpn> References: <75FEDC422E2309419A9303E7B18F206E04DB5BB4@eqmail1.efni.vpn> Message-ID: <7140000.1065195650@crashlander.invidi.com> Hirsh, Joshua wrote: > Has anyone run into the case where an Exchange 5.5 server will block > messages with the same Message-ID field? I don't use Exchange, so I've not seen that kind of behavior per se, however Exchange would not be the only MDA that does it. Cyrus IMAPd, for example, can be configured for duplicate delivery supression (which, IMO, is a very nice feature). I don't have a solution for you other than to change the message ID; none of my servers quarantine messages/attachments; they delete them outright. -- Devin Reade From lists at STHOMAS.NET Fri Oct 3 17:50:05 2003 From: lists at STHOMAS.NET (Steve Thomas) Date: Thu Jan 12 21:20:22 2006 Subject: Reading spam dir with PHP? In-Reply-To: ; from henker@S-H-COM.DE on Fri, Oct 03, 2003 at 02:01:49AM +0200 References: <16B156EBAE5213419ADC164EA1D372C7073404@dalsxc02.geniant.net> <1065127624.2674.6.camel@rherban.hypervine.net> Message-ID: <20031003095005.D24460@sthomas.net> On Fri, Oct 03, 2003 at 02:01:49AM +0200, Steffan Henke is rumored to have said: > > On Thu, 2 Oct 2003, Randy Herban wrote: > > > Do all the reading as normal user and when you need to move the queue > > files, use sudo as you suggested. 
> > sudoers:
> > apache ALL=NOPASSWD:/bin/mv
>
> Please don't even *think* of doing this !!!
> You don't want to "sudo /bin/mv /boot/vmlinuz /dev/null" , would you ?

Agreed. Instead, you could write a shell script that only does exactly what you want, perhaps based on arguments provided, in its own little sandbox.

--
"A husband is what is left of the lover after the nerve has been extracted."
- Helen Rowland (1876-1950)

From Ulysees at ULYSEES.COM Fri Oct 3 18:01:04 2003
From: Ulysees at ULYSEES.COM (Ulysees)
Date: Thu Jan 12 21:20:22 2006
Subject: ICANN & Verisign
Message-ID: <000501c389cf$f0ad2320$3201010a@nimitz>

looks like a bit of good news to me.

http://www.icann.org/correspondence/twomey-to-lewis-03oct03.htm

From kevins at BMRB.CO.UK Fri Oct 3 18:29:33 2003
From: kevins at BMRB.CO.UK (Kevin Spicer)
Date: Thu Jan 12 21:20:22 2006
Subject: Exchange blocking duplicate messages?
In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB00188AB7A@pascal.priv.bmrb.co.uk>
References: <5C0296D26910694BB9A9BBFC577E7AB00188AB7A@pascal.priv.bmrb.co.uk>
Message-ID: <1065202174.19418.16.camel@bach.kevinspicer.co.uk>

On Fri, 2003-10-03 at 15:24, Hirsh, Joshua wrote:

> Has anyone run into the case where an Exchange 5.5 server will block
>messages with the same Message-ID field? In my case, if I release a message
>from the quarantine, some users will never get it. It appears that it's
>because Exchange ignores the message since it already received one with the
>same Message-ID (which was sent notifying the user that the attachment was
>removed).

I've certainly seen that behaviour with Exchange 2000.

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000
_________________________________________________________________
This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately.
Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. From joshua.hirsh at PARTNERSOLUTIONS.CA Fri Oct 3 18:42:54 2003 From: joshua.hirsh at PARTNERSOLUTIONS.CA (Hirsh, Joshua) Date: Thu Jan 12 21:20:22 2006 Subject: Exchange blocking duplicate messages? Message-ID: <75FEDC422E2309419A9303E7B18F206E04DB5BBC@eqmail1.efni.vpn> Modifying the Message-ID field even slightly would do the trick. I'm not too sure how tricky this will be depending on which MTA is in use though. In my case, I quarantine the entire message as a queue file and just dump it back into the queue directly if the user requests it. So in the end, the user gets the original message without the attachments and the note saying why they were removed, then when it's released the message goes through again with the attachments using the same Message-ID. Do you think it's feasible to slightly modify the Message-ID on the first message when the attachments are removed, but keep it intact for the saved queue file? I've noticed that it seems to be a time based filter on Exchange. If I release the message right away, they never get it. If I wait a few hours then release it, it always goes through. Exchange must keep a table of the past x amount of Message-ID's it sees coming in. Thanks, -Joshua From kevins at BMRB.CO.UK Fri Oct 3 19:04:51 2003 From: kevins at BMRB.CO.UK (Kevin Spicer) Date: Thu Jan 12 21:20:22 2006 Subject: Exchange blocking duplicate messages? In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB00188AB83@pascal.priv.bmrb.co.uk> References: <5C0296D26910694BB9A9BBFC577E7AB00188AB83@pascal.priv.bmrb.co.uk> Message-ID: <1065204291.19421.36.camel@bach.kevinspicer.co.uk> On Fri, 2003-10-03 at 18:38, Julian Field wrote: >>I've certainly seen that behaviour with Exchange 2000. 
>Any proposed solutions to this problem?

Could be a bit tricky, as I see it the issue is two messages (with different content) end up with the same message ID. Presumably the 'correct' solution is to generate one of the messages in such a way that it does not retain the original MID.

I was thinking that simply re-injecting the quarantined message into the SMTP stream (by converting it into an SMTP transaction and connecting to localhost:25) or by formatting as a message (rather than queue files) and invoking sendmail directly to requeue it. However that idea has a couple of 'issues' -

a) re-queuing it means MS will scan it again and (hopefully, although in this case undesirably) reach the same conclusion and quarantine it again.
b) You are (even only in a small way) _changing_the_original_message_, to my mind the resent quarantined message should be _the_original_message_intact.

You could make some small change to the messageID, but that's not one for the purists. MessageIDs should only ever be generated by the MTA (I'm also not sure whether Exchange checks only the most recent MID, or all MIDs appearing in the message - so it could get really messy!). Altering MIDs breaks the ability of the MTA to guarantee unique MIDs, since it would no longer control the whole process. All in all I think that would be A Bad Thing (tm).

It seems the 'correct' thing to do would be to generate the alert indicating the mail has been quarantined as a new message (since really this is what it is). I suspect (from the point of view of coding) this isn't as easy as the other options. You would presumably need to pick up header information from the original message if this is to be preserved and at the least the Reply-To field (if this doesn't exist then it would have to be created from the original From header). Presumably you would also need to fake the envelope sender in case downstream MTAs decide to reject the message.
Incidentally I came across this issue when I had problems with exchange sending ETRN requests to my MS server, causing sendmail to sometimes deliver an empty message before the MailScanner processed message (users only got the first, empty, message). I don't quarantine anything so it never occurred to me that this could be an issue, I'm surprised its not come up before. BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. From kevins at BMRB.CO.UK Fri Oct 3 19:11:08 2003 From: kevins at BMRB.CO.UK (Kevin Spicer) Date: Thu Jan 12 21:20:22 2006 Subject: Mailscanner vs Spamassassin settings for changing the message headers In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB00188AB85@pascal.priv.bmrb.co.uk> References: <5C0296D26910694BB9A9BBFC577E7AB00188AB85@pascal.priv.bmrb.co.uk> Message-ID: <1065204668.19418.43.camel@bach.kevinspicer.co.uk> On Fri, 2003-10-03 at 18:48, Boulytchev, Vasiliy wrote: >******************************************************************* >Content preview: Copy Any DVD to CD, Easy - Fast - Convenient! You Thats a neat feature, I'd certainly find it useful if anyone implemented it. I keep getting calls from users who are frightened to open the attachment (because of the warning in the attachment report), but frightened to delete the mail (in case its actually relevent). e.g. 
One recent case one of our people who deals with requests for quotes etc received a Spam entitled 'Urgent Business Proposal' and had to call me so I could decide whether it was 'safe' to open (go on, guess what it was...) BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. From vboulytchev at COINFOTECH.COM Fri Oct 3 19:16:11 2003 From: vboulytchev at COINFOTECH.COM (Boulytchev, Vasiliy) Date: Thu Jan 12 21:20:22 2006 Subject: Mailscanner vs Spamassassin settings for changing the message headers Message-ID: <1958DE295D9656499ECAAD3642822DE03832CB@willow.office.coinfotech.com> penis enlargement? :))))))))))))))))) So what do you guys think, is it doable? Vasiliy Boulytchev Colorado Information Technologies, Inc. http://www.coinfotech.com -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Kevin Spicer Sent: Friday, October 03, 2003 12:11 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Mailscanner vs Spamassassin settings for changing the message headers On Fri, 2003-10-03 at 18:48, Boulytchev, Vasiliy wrote: >******************************************************************* >Content preview: Copy Any DVD to CD, Easy - Fast - Convenient! You Thats a neat feature, I'd certainly find it useful if anyone implemented it. 
I keep getting calls from users who are frightened to open the attachment (because of the warning in the attachment report), but frightened to delete the mail (in case its actually relevent). e.g. One recent case one of our people who deals with requests for quotes etc received a Spam entitled 'Urgent Business Proposal' and had to call me so I could decide whether it was 'safe' to open (go on, guess what it was...) BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. From mailscanner at ecs.soton.ac.uk Fri Oct 3 18:38:26 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:20:23 2006 Subject: Exchange blocking duplicate messages? In-Reply-To: <1065202174.19418.16.camel@bach.kevinspicer.co.uk> References: <5C0296D26910694BB9A9BBFC577E7AB00188AB7A@pascal.priv.bmrb.co.uk> <5C0296D26910694BB9A9BBFC577E7AB00188AB7A@pascal.priv.bmrb.co.uk> Message-ID: <5.2.1.1.2.20031003183806.02c24008@imap.ecs.soton.ac.uk> At 18:29 03/10/2003, you wrote: >On Fri, 2003-10-03 at 15:24, Hirsh, Joshua wrote: > > > Has anyone run into the case where an Exchange 5.5 server will block > >messages with the same Message-ID field? In my case, if I release a > >message > >from the quarantine, some users will never get it. It appears that it's > >because Exchange ignores the message since it already received one with > >the > >same Message-ID (which was sent notifying the user that the attachment > >was > >removed). 
> >I've certainly seen that behaviour with Exchange 2000. Any proposed solutions to this problem? -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From vboulytchev at COINFOTECH.COM Fri Oct 3 18:48:08 2003 From: vboulytchev at COINFOTECH.COM (Boulytchev, Vasiliy) Date: Thu Jan 12 21:20:23 2006 Subject: Mailscanner vs Spamassassin settings for changing the message headers Message-ID: <1958DE295D9656499ECAAD3642822DE005CE72@willow.office.coinfotech.com> Ladies and Gents, We are in the process of migrating from Spamassassin to Mailscanner (using spamassasin). The last obstacle we have to overcome, is how the spam message looks to the end user. It gets tagged as SPAM and SCORE in the subject. So thats working. The difference people will see is how the body of the message looks. The SPAM is always attached, but the old body looked like this: ***************************************************************************** Content preview: Copy Any DVD to CD, Easy - Fast - Convenient! You will be astonished by what this new, revolutionary software has to offer. Fastest Possible Technology 3-Click System Ready in less than 1 min. Immediate Download Full Money-back Guarantee Free Lifetime Support and Updates [...] This mail is probably spam. The original message has been attached along with this report, so you can recognize or block similar unwanted mail in future. See http://spamassassin.org/tag/ for more details. Content analysis details: (7.20 points, 6 required) CLICK_BELOW_CAPS (0.5 points) BODY: Asks you to click below (in capital letters) BANG_MORE (0.7 points) BODY: Talks about more with an exclamation! 
HTML_60_70 (0.1 points) BODY: Message is 60% to 70% HTML HTML_MESSAGE (0.1 points) BODY: HTML included in message HTML_LINK_CLICK_CAPS (1.1 points) BODY: HTML link text says "CLICK" HTML_FONT_BIG (0.3 points) BODY: FONT Size +2 and up or 3 and up HTML_FONT_COLOR_BLUE (0.1 points) BODY: HTML font color is blue HTML_LINK_CLICK_HERE (0.1 points) BODY: HTML link text says "click here" HTML_FONT_COLOR_GRAY (0.1 points) BODY: HTML font color is gray FORGED_MUA_OUTLOOK (3.5 points) Forged mail pretending to be from MS Outlook MIME_HTML_ONLY (0.1 points) Message only has text/html MIME parts MISSING_MIMEOLE (0.5 points) Message has X-MSMail-Priority, but no X-MimeOLE The original message did not contain plain text, and may be unsafe to open with some email clients; in particular, it may contain a virus, or confirm that your address can receive spam. If you wish to view it, it may be safer to save it to a file and open it with an editor. ******************************************************(actual spam attached) So, as you all see we had 2 userful features that everyone got really used to. First being the quick preview (very useful for Outlook clients) and second being the Score explanations. Now our SPAM looks like this: ********************************************** Our MailScanner believes that the attachment to this message sent to you From: quickresponse837a@quicksponder.biz Subject: Vasiliy, You Have Made A Great Decision is Unsolicited Commerial Email (spam). Unless you are sure that this message is incorrectly thought to be spam, please delete this message without opening it. Opening spam messages might allow the spammer to verify your email address. If you believe that this message has been incorrectly marked a spam, please forward this email to postmaster. ******************************************** (spam attached) We had to rewrite some perl to get SPAMSCORE in the subject. Should we expect the same? Where do you suggest we start? 
THANKS!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! Vasiliy Boulytchev Colorado Information Technologies, Inc. http://www.coinfotech.com From mailscanner at ecs.soton.ac.uk Fri Oct 3 19:31:51 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:20:23 2006 Subject: Mailscanner vs Spamassassin settings for changing the message headers In-Reply-To: <1958DE295D9656499ECAAD3642822DE03832CB@willow.office.coinf otech.com> Message-ID: <5.2.1.1.2.20031003192837.02db7c68@imap.ecs.soton.ac.uk> At 19:16 03/10/2003, you wrote: >penis enlargement? :))))))))))))))))) > > > > >So what do you guys think, is it doable? The use of _SCORE_ in the subject line text is in the next version, but not the content preview. What do you think should be in the content preview? I could try to parse the original content and extract the first 40 or 50 characters. But this would need to be totally dis-armed text as 40 or 50 bytes is plenty to put in an exploit or attack. The whole point of the attachment method is that you can guarantee the initial message you see (which does include the sanitised subject line) is harmless. Including anything from the original message has to be done *very* carefully. > >Vasiliy Boulytchev >Colorado Information Technologies, Inc. >http://www.coinfotech.com > > >-----Original Message----- >From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On >Behalf Of Kevin Spicer >Sent: Friday, October 03, 2003 12:11 PM >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Re: Mailscanner vs Spamassassin settings for changing the >message headers > > > >On Fri, 2003-10-03 at 18:48, Boulytchev, Vasiliy wrote: > > > >******************************************************************* > >Content preview: Copy Any DVD to CD, Easy - Fast - Convenient! You > >Thats a neat feature, I'd certainly find it useful if anyone implemented >it. 
I keep getting calls from users who are frightened to open the >attachment (because of the warning in the attachment report), but >frightened to delete the mail (in case its actually relevent). e.g. One >recent case one of our people who deals with requests for quotes etc >received a Spam entitled 'Urgent Business Proposal' and had to call me >so I could decide whether it was 'safe' to open (go on, guess what it >was...) > > > > > >BMRB International >http://www.bmrb.co.uk >+44 (0)20 8566 5000 >_________________________________________________________________ >This message (and any attachment) is intended only for the >recipient and may contain confidential and/or privileged >material. If you have received this in error, please contact the >sender and delete this message immediately. Disclosure, copying >or other action taken in respect of this email or in >reliance on it is prohibited. BMRB International Limited >accepts no liability in relation to any personal emails, or >content of any email which does not directly relate to our >business. -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From kevins at BMRB.CO.UK Fri Oct 3 20:03:37 2003 From: kevins at BMRB.CO.UK (Kevin Spicer) Date: Thu Jan 12 21:20:23 2006 Subject: Mailscanner vs Spamassassin settings for changing the message headers In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB00188AB89@pascal.priv.bmrb.co.uk> References: <5C0296D26910694BB9A9BBFC577E7AB00188AB89@pascal.priv.bmrb.co.uk> Message-ID: <1065207817.19421.63.camel@bach.kevinspicer.co.uk> On Fri, 2003-10-03 at 19:31, Julian Field wrote: >The whole point of the attachment method is that >you can guarantee the initial message you see (which does include the >sanitised subject line) is harmless. 
Yes, but that fails if users end up opening the attachment anyway because they have the slightest doubt it is spam. >Including anything from the >original >message has to be done *very* carefully. Yes. Not such an issue if the message has a text/plain part or has been stripped of html. I'd suggest stripping the first few lines of the message, maybe even sanitising (single punctuation marks, single spaces and alphanumeric characters only, perhaps) For messages with html content (where the striphtml action isn't chosen) I guess you'd have to grab the first X lines, pass them through the striphtml and behave as above with the result. I imagine this is rather more hassle. BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. From mike at CAMAROSS.NET Fri Oct 3 20:53:55 2003 From: mike at CAMAROSS.NET (Mike Kercher) Date: Thu Jan 12 21:20:23 2006 Subject: Mailscanner vs Spamassassin settings for changing the message headers In-Reply-To: <5.2.1.1.2.20031003202421.03156f68@imap.ecs.soton.ac.uk> Message-ID: <003901c389e8$1685eec0$650ba8c0@home.middlefinger.net> Gawd...houses are heavy! I just started moving the stuff inside instead! :) Mike P.S. I'm helping a friend move house this weekend, so don't expect me to be around much. I haven't changed 4.24-4 much since releasing that, so it will go stable as 4.24-5 Real Soon Now(tm). 
-- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From hciss at HCIWS.COM Fri Oct 3 20:51:26 2003 From: hciss at HCIWS.COM (Matt) Date: Thu Jan 12 21:20:23 2006 Subject: mqueue full, please help Message-ID: <010901c389e7$bb28f4a0$7801a8c0@matthew> On my Raq4i I have over 1000 messages in my mqueue. My RAQ is at a crawl. Some have only this in them: link_stat rsync : No such file or directory rsync error: some files could not be transferred (code 23) at main.c(620) Others contain this: MDeferred: pursuit.deleted_for_privacy.com.: No route to host What caused this and how the heck do I get rid of them? Please help! Matt From Antony at SOFT-SOLUTIONS.CO.UK Fri Oct 3 20:53:09 2003 From: Antony at SOFT-SOLUTIONS.CO.UK (Antony Stone) Date: Thu Jan 12 21:20:23 2006 Subject: Mailscanner vs Spamassassin settings for changing the message headers In-Reply-To: <003901c389e8$1685eec0$650ba8c0@home.middlefinger.net> References: <003901c389e8$1685eec0$650ba8c0@home.middlefinger.net> Message-ID: <200310031953.h93JrC730085@onyx.rockstone.co.uk> On Friday 03 October 2003 8:53 pm, Mike Kercher wrote: > Gawd...houses are heavy! I just started moving the stuff inside instead! :) Yes, but I find you tend to get attached to places, and don't want to leave, and in most cases you *can* move them bit by bit, which makes the job much easier. If they could do it for London Bridge, and move that to Arizona, I'm sure a normal house is a bit easier :) Antony. -- Software development can be quick, high-quality, or low-cost. The customer gets to pick any two out of three. 
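Added example (not part of any list message, and not MailScanner code): one way to build the disarmed content preview that Julian Field and Kevin Spicer discuss above in the "Mailscanner vs Spamassassin settings" thread, taking the first text/plain part or else HTML with the tags stripped, and keeping only alphanumerics, single spaces and single punctuation marks. It is written in Python rather than MailScanner's Perl; the 50-character limit comes from the thread, while the function names, the punctuation set, the 4096-character input cap and the sample message are assumptions constructed for illustration.

```python
"""Added example: a disarmed content preview for a spam report (not MailScanner code)."""
import re
from email import message_from_string
from html.parser import HTMLParser

PREVIEW_CHARS = 50   # the thread mentions "the first 40 or 50 characters"
MAX_INPUT = 4096     # assumption: only the start of the body is ever parsed
_P = r".,!?:;'\-"    # assumption: punctuation marks allowed in a preview


class _VisibleText(HTMLParser):
    """Collects text nodes only; tags, attributes and script/style/title bodies are dropped."""
    SKIP = {"script", "style", "title"}

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.parts = []
        self._skipping = 0

    def handle_starttag(self, tag, attrs):
        if tag in self.SKIP:
            self._skipping += 1

    def handle_endtag(self, tag):
        if tag in self.SKIP and self._skipping:
            self._skipping -= 1

    def handle_data(self, data):
        if not self._skipping:
            self.parts.append(data)


def first_text_part(msg):
    """Return (text, is_html): the first text/plain part, else the first text/html part."""
    html = None
    for part in msg.walk():
        ctype = part.get_content_type()
        if part.is_multipart() or ctype not in ("text/plain", "text/html"):
            continue
        if part.get_content_disposition() == "attachment":
            continue
        raw = part.get_payload(decode=True) or b""
        try:
            text = raw.decode(part.get_content_charset() or "ascii", errors="replace")
        except LookupError:          # charset label unknown to Python
            text = raw.decode("ascii", errors="replace")
        if ctype == "text/plain":
            return text, False
        if html is None:
            html = text
    return html or "", True


def disarm(text, limit=PREVIEW_CHARS):
    """Reduce untrusted text to letters, digits, single spaces and single punctuation marks."""
    # 1. Anything outside the whitelist (control bytes, escapes, <>, /, @, quotes) becomes a space.
    s = re.sub(r"[^A-Za-z0-9 %s]" % _P, " ", text)
    # 2. Punctuation sandwiched between alphanumerics is split, so no hostname survives
    #    for a mail client to auto-link ("www.example.invalid" -> "www example invalid").
    s = re.sub(r"(?<=[A-Za-z0-9])[%s]+(?=[A-Za-z0-9])" % _P, " ", s)
    # 3. Runs of punctuation collapse to the first mark, runs of spaces to one space.
    s = re.sub(r"([%s])[%s]+" % (_P, _P), r"\1", s)
    s = re.sub(r" +", " ", s).strip()
    return s[:limit].rstrip()


def content_preview(raw_message, limit=PREVIEW_CHARS):
    """Build the preview line for a report from a raw RFC 822 message string."""
    text, is_html = first_text_part(message_from_string(raw_message))
    text = text[:MAX_INPUT]
    if is_html:
        parser = _VisibleText()
        parser.feed(text)   # no close(): an unterminated tag at the cut-off is never emitted
        text = " ".join(parser.parts)
    return disarm(text, limit)


# Constructed sample: an HTML-only message with script, style, a link and a remote image.
SAMPLE_HTML_SPAM = """\
From: sender@example.invalid
Subject: constructed sample
MIME-Version: 1.0
Content-Type: text/html; charset="us-ascii"

<html><head><title>x</title><style>p{color:red}</style></head>
<body><script>alert(1)</script>
<p>Copy Any DVD to CD, Easy - Fast - Convenient!!! <a href="http://www.example.invalid/c?id=1">CLICK HERE</a></p>
<img src="http://www.example.invalid/bug.gif"></body></html>
"""

if __name__ == "__main__":
    print(content_preview(SAMPLE_HTML_SPAM))
```

The preview is still attacker-chosen wording, so it belongs in the plain-text report body only, never in headers or in anything rendered as HTML.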
From mike at CAMAROSS.NET Fri Oct 3 21:00:09 2003 From: mike at CAMAROSS.NET (Mike Kercher) Date: Thu Jan 12 21:20:23 2006 Subject: mqueue full, please help In-Reply-To: <010901c389e7$bb28f4a0$7801a8c0@matthew> Message-ID: <003a01c389e8$f409d950$650ba8c0@home.middlefinger.net> Got any maillog entries? Are your MailScanner processes running? Mike -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Matt Sent: Friday, October 03, 2003 2:51 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: mqueue full, please help On my Raq4i I have over 1000 messages in my mqueue. My RAQ is at a crawl. Some have only this in them: link_stat rsync : No such file or directory rsync error: some files could not be transferred (code 23) at main.c(620) Others contain this: MDeferred: pursuit.deleted_for_privacy.com.: No route to host What caused this and how the heck do I get rid of them? Please help! Matt From mailscanner at ecs.soton.ac.uk Fri Oct 3 21:02:53 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:20:23 2006 Subject: mqueue full, please help In-Reply-To: <010901c389e7$bb28f4a0$7801a8c0@matthew> Message-ID: <5.2.1.1.2.20031003205808.02c00b68@imap.ecs.soton.ac.uk> At 20:51 03/10/2003, you wrote: >On my Raq4i I have over 1000 messages in my mqueue. My RAQ is at a crawl. > >Some have only this in them: > >link_stat rsync : No such file or directory >rsync error: some files could not be transferred (code 23) at main.c(620) > >Others contain this: > >MDeferred: pursuit.deleted_for_privacy.com.: No route to host > >What caused this and how the heck do I get rid of them? Please help! 
>
>Matt

How about

cd /var/spool/mqueue
# -l lists only the names of the matching queue files, one per line
egrep -l 'link_stat rsync : No such file|pursuit.deleted_for_privacy.com.: No route to host' * > /tmp/aaa
while read a
do
  # strip the leading qf/df to get the queue ID shared by both files
  msgid=`echo "$a" | sed -e 's/^[qd]f//'`
  echo "$msgid"
  rm -f "qf$msgid" "df$msgid"
done < /tmp/aaa

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From vboulytchev at COINFOTECH.COM Fri Oct 3 20:06:49 2003
From: vboulytchev at COINFOTECH.COM (Boulytchev, Vasiliy)
Date: Thu Jan 12 21:20:23 2006
Subject: Mailscanner vs Spamassassin settings for changing the message headers
Message-ID: <1958DE295D9656499ECAAD3642822DE03832CF@willow.office.coinfotech.com>

Julian,

We are not doing anything special. We are using what Spamassassin does by default... I just read Kevin's email. I agree with him. Here is a snap from what Spamassassin does right now. THANKS!!!!!!!!!!!!!!!!!!!

Content preview: Copy Any DVD to CD, Easy - Fast - Convenient! You will be astonished by what this new, revolutionary software has to offer. Fastest Possible Technology 3-Click System Ready in less than 1 min. Immediate Download Full Money-back Guarantee Free Lifetime Support and Updates [...]

This mail is probably spam. The original message has been attached along with this report, so you can recognize or block similar unwanted mail in future. See http://spamassassin.org/tag/ for more details.

Content analysis details: (7.20 points, 6 required)
CLICK_BELOW_CAPS (0.5 points) BODY: Asks you to click below (in capital letters)
BANG_MORE (0.7 points) BODY: Talks about more with an exclamation!
HTML_60_70 (0.1 points) BODY: Message is 60% to 70% HTML HTML_MESSAGE (0.1 points) BODY: HTML included in message HTML_LINK_CLICK_CAPS (1.1 points) BODY: HTML link text says "CLICK" HTML_FONT_BIG (0.3 points) BODY: FONT Size +2 and up or 3 and up HTML_FONT_COLOR_BLUE (0.1 points) BODY: HTML font color is blue HTML_LINK_CLICK_HERE (0.1 points) BODY: HTML link text says "click here" HTML_FONT_COLOR_GRAY (0.1 points) BODY: HTML font color is gray FORGED_MUA_OUTLOOK (3.5 points) Forged mail pretending to be from MS Outlook MIME_HTML_ONLY (0.1 points) Message only has text/html MIME parts MISSING_MIMEOLE (0.5 points) Message has X-MSMail-Priority, but no X-MimeOLE The original message did not contain plain text, and may be unsafe to open with some email clients; in particular, it may contain a virus, or confirm that your address can receive spam. If you wish to view it, it may be safer to save it to a file and open it with an editor. Vasiliy Boulytchev Colorado Information Technologies, Inc. http://www.coinfotech.com -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Julian Field Sent: Friday, October 03, 2003 12:32 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: Re: Mailscanner vs Spamassassin settings for changing the message headers At 19:16 03/10/2003, you wrote: >penis enlargement? :))))))))))))))))) > > > > >So what do you guys think, is it doable? The use of _SCORE_ in the subject line text is in the next version, but not the content preview. What do you think should be in the content preview? I could try to parse the original content and extract the first 40 or 50 characters. But this would need to be totally dis-armed text as 40 or 50 bytes is plenty to put in an exploit or attack. The whole point of the attachment method is that you can guarantee the initial message you see (which does include the sanitised subject line) is harmless. Including anything from the original message has to be done *very* carefully. 
> >Vasiliy Boulytchev >Colorado Information Technologies, Inc. >http://www.coinfotech.com > > >-----Original Message----- >From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On >Behalf Of Kevin Spicer >Sent: Friday, October 03, 2003 12:11 PM >To: MAILSCANNER@JISCMAIL.AC.UK >Subject: Re: Mailscanner vs Spamassassin settings for changing the >message headers > > > >On Fri, 2003-10-03 at 18:48, Boulytchev, Vasiliy wrote: > > > >******************************************************************* > >Content preview: Copy Any DVD to CD, Easy - Fast - Convenient! You > >That's a neat feature, I'd certainly find it useful if anyone implemented >it. I keep getting calls from users who are frightened to open the >attachment (because of the warning in the attachment report), but >frightened to delete the mail (in case it's actually relevant). e.g. One >recent case one of our people who deals with requests for quotes etc >received a Spam entitled 'Urgent Business Proposal' and had to call me >so I could decide whether it was 'safe' to open (go on, guess what it >was...) > > > > > >BMRB International >http://www.bmrb.co.uk >+44 (0)20 8566 5000 >_________________________________________________________________ >This message (and any attachment) is intended only for the >recipient and may contain confidential and/or privileged >material. If you have received this in error, please contact the >sender and delete this message immediately. Disclosure, copying >or other action taken in respect of this email or in >reliance on it is prohibited. BMRB International Limited >accepts no liability in relation to any personal emails, or >content of any email which does not directly relate to our >business.
-- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From emcc-mailscanner at CTCNET.COM Fri Oct 3 21:15:50 2003 From: emcc-mailscanner at CTCNET.COM (Eric McClelland) Date: Thu Jan 12 21:20:23 2006 Subject: skipped, still being delivered In-Reply-To: <5.2.0.9.2.20031001152131.0423cec0@imap.ecs.soton.ac.uk>; from mailscanner@ECS.SOTON.AC.UK on Wed, Oct 01, 2003 at 03:22:40PM +0100 References: <54C38A0B814C8E438EF73FC76F3629273ADF43@mtlnt501fs.CAMOROUT <5.2.0.9.2.20031001152131.0423cec0@imap.ecs.soton.ac.uk> Message-ID: <20031003161550.A20294@Nexium.CTCNet.com> On Wed, Oct 01, 2003 at 03:22:40PM +0100, Julian Field wrote: > Great :( > In this case, I really don't know what is going on. Postfix generates the > error when it tries to open a message to find it is already locked by > something else. I have been *extremely* careful and paranoid about the > locking and have made sure the file is unlocked before it is put in the > queue. So how this is still happening beats me. 
Within the past couple days I started seeing this problem as well, and there is one thing I have noticed, yet not seen discussed, namely that MailScanner appears to be opening files in a directory - /var/spool/postfix.in/incoming/ - where AFAICT it should not: ==================== [root@Gabriel log]# lsof | grep /var/spool/postfix.in/incoming nqmgr 15792 root 8r DIR 72,2 4096 1954564 /var/spool/postfix.in/incoming nqmgr 15792 root 12r DIR 72,2 4096 521221 /var/spool/postfix.in/incoming/6 nqmgr 15792 root 13r DIR 72,2 4096 895861 /var/spool/postfix.in/incoming/6/3 MailScann 15897 root 5u REG 72,2 3226 1956954 /var/spool/postfix.in/incoming/1/8/18C9A1DDC5A MailScann 15897 root 19u REG 72,2 8602 1957133 /var/spool/postfix.in/incoming/4/3/43B771DDD0D MailScann 15897 root 20u REG 72,2 8713 1957134 /var/spool/postfix.in/incoming/4/7/473F31DDD0E MailScann 15897 root 21u REG 72,2 8256 1956916 /var/spool/postfix.in/incoming/4/1/411D11DDC34 MailScann 15963 root 28u REG 72,2 2687 1956812 /var/spool/postfix.in/incoming/1/8/18A571DDBCC cleanup 16029 root 12u REG 72,2 0 1957467 /var/spool/postfix.in/incoming/C/A/CADDD1DDE5B cleanup 16276 root 12u REG 72,2 0 1957469 /var/spool/postfix.in/incoming/A/8/A85B71DDE5D cleanup 16308 root 12u REG 72,2 0 1957464 /var/spool/postfix.in/incoming/9/D/9D1D51DDE58 cleanup 16366 root 12u REG 72,2 0 1957466 /var/spool/postfix.in/incoming/7/D/7D3C21DDE5A cleanup 16372 root 12u REG 72,2 0 1957468 /var/spool/postfix.in/incoming/8/6/86CB71DDE5C MailScann 16375 root 14u REG 72,2 2131 1957194 /var/spool/postfix.in/incoming/4/1/41AD51DDD4A ==================== ...For brevity's sake I don't feel it necessary to include the rest of the output, as they're all various queue files being accessed by MailScanner or cleanup, but I certainly can if folks want (I omitted maybe two dozen lines or so). 
Similarly, I can post my full configs, but I think this is sufficient for now: Incoming Queue Dir = /var/spool/postfix.in/deferred Incoming Work Dir = /var/spool/MailScanner/incoming Outgoing Queue Dir = /var/spool/postfix/incoming While it's obvious that MailScanner should read queue files in /var/spool/postfix.in/DEFERRED/ [my caps] and write them to /var/spool/postfix/incoming/ , I don't think it should be touching anything in /var/spool/postfix.IN/INCOMING/ . Am I wrong in this? Below are some other pieces of information which may or may not be helpful: 1) I'm running RedHat 7.3 on a Compaq DL360 with two 1GHz processors and 1GB RAM; I've seen no problems with system load. 2) MailScanner version is 4.22-5; Postfix version 1.1.12; SpamAssassin version 2.55. 3) I thought I had turned off all defunct DNS-based spam checks, but MS seemed (sorry, no hard numbers) to be taking a long time to scan messages, especially late last night (between roughly midnight and 2am GMT-04, but I was also actively changing configurations and restarting MS & Co., which seemed to cause bursts of duplicate/blank emails and "skipped, still being delivered" messages). 
I was unable to get MS to complain of any RBL timeouts (including with Debug = yes in MailScanner.conf), but to make a long story shorter, I turned off all of the following DNS-based spam checks on a hunch (some, again, had already been off):

====================
Fri Oct 3 15:56:36 /etc/MailScanner
root@Gabriel# ls -l /etc/mail/spamassassin/local.cf
-r--r--r-- 1 root root 780 Oct 3 02:13 /etc/mail/spamassassin/local.cf

Fri Oct 3 15:56:39 /etc/MailScanner
root@Gabriel# grep score /etc/mail/spamassassin/local.cf
score RCVD_IN_RELAYS_ORDB_ORG 0.0
score RCVD_IN_OSIRUSOFT_COM 0.0
score X_OSIRU_DUL 0.0
score X_OSIRU_DUL_FH 0.0
score X_OSIRU_OPEN_RELAY 0.0
score X_OSIRU_SPAMWARE_SITE 0.0
score X_OSIRU_SPAM_SRC 0.0
score RCVD_IN_RFCI 0.0
score RCVD_IN_ORBS 0.0
score RCVD_IN_DSBL 0.0
score RCVD_IN_MULTIHOP_DSBL 0.0
score RCVD_IN_SBL 0.0
score RCVD_IN_UNCONFIRMED_DSBL 0.0
score RCVD_IN_BONDEDSENDER 0.0
score RCVD_IN_OPM 0.0
score RCVD_IN_NJABL 0.0
score X_NJABL_OPEN_PROXY 0.0
score X_NJABL_DIALUP 0.0
====================

4) Very quickly after that, my inbound queue went from 6,000 to "zero" and my "skipped, still being delivered" messages stopped - from this I hypothesize that some DNS-based spam check was timing out (I tested some, but not all), causing MailScanner (and I'm going well beyond my expertise here) to start losing a race condition of some sort with the inbound Postfix process.

====================
Fri Oct 3 02:16:16 /etc/mail/spamassassin

---------->Checking inbound, pre-MS/SA queue<----------

root@Gabriel# postqueue -c /etc/postfix.in -p | tail -1
-- 74771 Kbytes in 6368 Requests.

Fri Oct 3 02:16:32 /etc/mail/spamassassin

---------->Checking outbound, post-MS/SA queue<----------

root@Gabriel# postqueue -p | tail -1
-- 511 Kbytes in 257 Requests.

Fri Oct 3 02:16:35 /etc/mail/spamassassin
root@Gabriel# postqueue -c /etc/postfix.in -p | tail -1
-- 74904 Kbytes in 6384 Requests.
Fri Oct 3 02:18:38 /etc/mail/spamassassin root@Gabriel# postqueue -p | tail -1 -- 644 Kbytes in 360 Requests. Fri Oct 3 02:18:42 /etc/mail/spamassassin root@Gabriel# postqueue -c /etc/postfix.in -p | tail -1 -- 75055 Kbytes in 6402 Requests. Fri Oct 3 02:21:19 /etc/mail/spamassassin root@Gabriel# postqueue -p | tail -1 -- 1168 Kbytes in 628 Requests. Fri Oct 3 02:21:25 /etc/mail/spamassassin root@Gabriel# postqueue -c /etc/postfix.in -p | tail -1 -- 74947 Kbytes in 6394 Requests. Fri Oct 3 02:22:54 /etc/mail/spamassassin root@Gabriel# postqueue -p | tail -1 -- 889 Kbytes in 465 Requests. Fri Oct 3 02:22:56 /etc/mail/spamassassin root@Gabriel# postqueue -c /etc/postfix.in -p | tail -1 -- 73887 Kbytes in 6245 Requests. Fri Oct 3 02:26:04 /etc/mail/spamassassin root@Gabriel# postqueue -p | tail -1 -- 2131 Kbytes in 665 Requests. Fri Oct 3 02:26:07 /etc/mail/spamassassin root@Gabriel# postqueue -c /etc/postfix.in -p | tail -1 -- 71968 Kbytes in 5934 Requests. Fri Oct 3 02:27:12 /etc/mail/spamassassin root@Gabriel# postqueue -p | tail -1 -- 3866 Kbytes in 851 Requests. Fri Oct 3 02:27:18 /etc/mail/spamassassin root@Gabriel# Fri Oct 3 02:30:28 /etc/mail/spamassassin root@Gabriel# postqueue -c /etc/postfix.in -p | tail -1 -- 68222 Kbytes in 5465 Requests. Fri Oct 3 02:30:37 /etc/mail/spamassassin root@Gabriel# postqueue -p | tail -1 -- 7310 Kbytes in 1032 Requests. Fri Oct 3 02:30:43 /etc/mail/spamassassin root@Gabriel# Fri Oct 3 03:46:02 /etc/mail/spamassassin root@Gabriel# postqueue -c /etc/postfix.in -p | tail -1 Mail queue is empty Fri Oct 3 03:46:03 /etc/mail/spamassassin root@Gabriel# postqueue -p | tail -1 -- 2032 Kbytes in 310 Requests. Fri Oct 3 03:46:06 /etc/mail/spamassassin root@Gabriel# Fri Oct 3 09:26:59 /etc/mail/spamassassin root@Gabriel# postqueue -c /etc/postfix.in -p | tail -1 Mail queue is empty Fri Oct 3 09:27:00 /etc/mail/spamassassin root@Gabriel# postqueue -p | tail -1 -- 35 Kbytes in 6 Requests. 
Fri Oct 3 09:27:02 /etc/mail/spamassassin root@Gabriel# Fri Oct 3 11:13:48 /etc/mail/spamassassin root@Gabriel# postqueue -c /etc/postfix.in -p | tail -1 Mail queue is empty Fri Oct 3 11:13:49 /etc/mail/spamassassin root@Gabriel# postqueue -p | tail -1 -- 35 Kbytes in 6 Requests. Fri Oct 3 11:58:53 /etc/mail/spamassassin root@Gabriel# postqueue -c /etc/postfix.in -p | tail -1 Mail queue is empty Fri Oct 3 11:58:54 /etc/mail/spamassassin root@Gabriel# postqueue -p | tail -1 -- 39 Kbytes in 7 Requests. Fri Oct 3 11:58:57 /etc/mail/spamassassin Fri Oct 3 16:05:27 /etc/MailScanner root@Gabriel# grep "skipped, still being delivered" /var/log/maillog | tail -2 Oct 3 02:51:24 Gabriel postfix/nqmgr[13729]: 095461DE774: skipped, still being delivered Oct 3 02:51:24 Gabriel postfix/nqmgr[13729]: 09AE61DEBC9: skipped, still being delivered ==================== I still need to finish testing the DNS-based spam checks to find which one(s) were timing out. My testing and documentation weren't the best on this one, but I apparently did something which coincided with the remission of my immediate problem. :) --Eric From Antony at SOFT-SOLUTIONS.CO.UK Fri Oct 3 20:16:07 2003 From: Antony at SOFT-SOLUTIONS.CO.UK (Antony Stone) Date: Thu Jan 12 21:20:23 2006 Subject: Mailscanner vs Spamassassin settings for changing the message headers In-Reply-To: <1958DE295D9656499ECAAD3642822DE03832CF@willow.office.coinfotech.com> References: <1958DE295D9656499ECAAD3642822DE03832CF@willow.office.coinfotech.com> Message-ID: <200310031916.h93JGA729976@onyx.rockstone.co.uk> On Friday 03 October 2003 8:06 pm, Boulytchev, Vasiliy wrote: > Julian, > We are not doing anything special. We are using what Spamassassin > does by default... I just read Kevin's email. I agree with him. Here is > a snap from what Spamassasin does right now. > > Content preview: Copy Any DVD to CD, Easy - Fast - Convenient! You will > be astonished by what this new, revolutionary software has to offer. 
> Fastest Possible Technology 3-Click System Ready in less than 1 min.
> Immediate Download Full Money-back Guarantee Free Lifetime Support and
> Updates [...]

What do you get in the delivered email if the first 3 lines contain hyperlinks or other potentially dangerous content? Do they get sanitised in any way, or simply passed on to the end user, and you hope they don't click on something dangerous?

I must admit that a pattern match such as [A-Za-z0-9 .,;:!?] should be sufficient for people to see what the original mail was about, whilst destroying any dangerous content in what gets passed on, and I too like the idea of being able to include a 'preview' like this in suspect spam.

In fact, I'll even suggest an option for implementing it to provide additional flexibility:

Spam Preview Size =

followed by the number of characters to be included in the email which gets delivered. If the option is missing, or the value is zero, the current behaviour (no preview) is maintained, otherwise a preview of (up to) the number of characters specified is included in the report delivered to the recipient.

Regards,

Antony.

--
Obviously Linux owes its heritage to Unix, but not its code. We would not, nor will not, make such a claim.
- Darl McBride, CEO SCO, 28th August 2002 From mailscanner at ecs.soton.ac.uk Fri Oct 3 20:27:01 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:20:23 2006 Subject: Mailscanner vs Spamassassin settings for changing the message headers In-Reply-To: <1065207817.19421.63.camel@bach.kevinspicer.co.uk> References: <5C0296D26910694BB9A9BBFC577E7AB00188AB89@pascal.priv.bmrb.co.uk> <5C0296D26910694BB9A9BBFC577E7AB00188AB89@pascal.priv.bmrb.co.uk> Message-ID: <5.2.1.1.2.20031003202421.03156f68@imap.ecs.soton.ac.uk> At 20:03 03/10/2003, you wrote: >On Fri, 2003-10-03 at 19:31, Julian Field wrote: > >The whole point of the attachment method is that > >you can guarantee the initial message you see (which does include the > >sanitised subject line) is harmless. > >Yes, but that fails if users end up opening the attachment anyway >because they have the slightest doubt it is spam. > > >Including anything from the >original > >message has to be done *very* carefully. > >Yes. Not such an issue if the message has a text/plain part or has been >stripped of html. > >I'd suggest stripping the first few lines of the message, maybe even >sanitising (single punctuation marks, single spaces and alphanumeric >characters only, perhaps) >For messages with html content (where the striphtml action isn't chosen) >I guess you'd have to grab the first X lines, pass them through the >striphtml and behave as above with the result. I imagine this is rather >more hassle. I'll take a look at this problem, it would indeed be a useful feature. But not for this weekend's release. P.S. I'm helping a friend move house this weekend, so don't expect me to be around much. I haven't changed 4.24-4 much since releasing that, so it will go stable as 4.24-5 Real Soon Now(tm). 
-- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From kevins at BMRB.CO.UK Fri Oct 3 21:38:54 2003 From: kevins at BMRB.CO.UK (Kevin Spicer) Date: Thu Jan 12 21:20:23 2006 Subject: Mailscanner vs Spamassassin settings for changing the message headers In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB00188AB8D@pascal.priv.bmrb.co.uk> References: <5C0296D26910694BB9A9BBFC577E7AB00188AB8D@pascal.priv.bmrb.co.uk> Message-ID: <1065213535.19418.65.camel@bach.kevinspicer.co.uk> On Fri, 2003-10-03 at 20:27, Julian Field wrote: P.S. I'm helping a friend move house this weekend, And I thought you could do everything with a small perl script, ah well. BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. 
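The disarmed content preview discussed in the "Mailscanner vs Spamassassin settings" thread above, as an added sketch in Python (not MailScanner code and not part of any message): markup is discarded, only Antony's character class [A-Za-z0-9 .,;:!?] survives, punctuation and spaces are reduced to single characters as Kevin suggested, and the result is cut to the proposed "Spam Preview Size". The names spam_preview, html_to_text and is_html are hypothetical, and the step that puts a space after punctuation (so bare host names are not auto-linked by mail clients) is an assumption added here, not something from the thread.

```python
import re
import string
from html.parser import HTMLParser

# Antony's suggested class: letters, digits, space and . , ; : ! ?
ALLOWED_CHARS = string.ascii_letters + string.digits + " .,;:!?"
_NOT_ALLOWED = re.compile("[^" + re.escape(ALLOWED_CHARS) + "]")
_PUNCT_RUN = re.compile(r"([.,;:!?])[.,;:!?]+")
_PUNCT_THEN_WORD = re.compile(r"([.,;:!?])(?=[A-Za-z0-9])")


class _TextOnly(HTMLParser):
    """Keep text nodes only; tags, attributes (href, onload) and
    script/style bodies never reach the preview."""

    SKIP = {"script", "style"}

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.parts = []
        self._skip_depth = 0

    def handle_starttag(self, tag, attrs):
        if tag in self.SKIP:
            self._skip_depth += 1
        else:
            self.parts.append(" ")      # a tag boundary separates words

    def handle_endtag(self, tag):
        if tag in self.SKIP and self._skip_depth:
            self._skip_depth -= 1
        else:
            self.parts.append(" ")

    def handle_data(self, data):
        if not self._skip_depth:
            self.parts.append(data)


def html_to_text(markup):
    parser = _TextOnly()
    parser.feed(markup)
    parser.close()                      # flush text buffered at end of input
    return "".join(parser.parts)


def spam_preview(body, size, is_html=False):
    """Return at most `size` disarmed characters of `body`.

    size <= 0 mirrors "option missing or zero": no preview at all.
    """
    if size <= 0:
        return ""
    text = html_to_text(body) if is_html else body
    # Whitelist, not blacklist: control bytes, newlines, markup characters,
    # slashes and every non-ASCII character all become a space.
    text = _NOT_ALLOWED.sub(" ", text)
    # Kevin's "single punctuation marks, single spaces".
    text = _PUNCT_RUN.sub(r"\1", text)
    # Assumption added here: "www.example.test" -> "www. example. test".
    text = _PUNCT_THEN_WORD.sub(r"\1 ", text)
    text = re.sub(r" +", " ", text).strip()
    return text[:size].rstrip()


# Constructed sample inputs (the first reuses the preview text quoted in the thread).
PLAIN_SAMPLE = "Copy Any DVD to CD, Easy - Fast - Convenient! You will be astonished"
HTML_SAMPLE = (
    '<html><body onload="x()"><script>steal()</script>'
    '<a href="http://203.0.113.9/c?id=1">CLICK HERE</a> to claim!!! '
    "Visit www.example.test now</body></html>"
)

if __name__ == "__main__":
    print(spam_preview(PLAIN_SAMPLE, 40))
    print(spam_preview(HTML_SAMPLE, 200, is_html=True))
```

The output is only as harmless as its container: it belongs in a text/plain part of the report, never re-embedded in HTML.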
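For the "skipped, still being delivered" thread (Eric McClelland's lsof listing and queue settings above, and Julian Field's follow-up question about whether the same inode shows up more than once), an added Python sketch, not code from MailScanner or Postfix, that triages an lsof listing: it reports queue files a process holds open outside its configured directories and inodes held by more than one process or path. The first sample rows are copied from the listing in the thread; the header row and the last two rows are constructed, and all function names are hypothetical.

```python
from collections import defaultdict
from typing import NamedTuple


class OpenFile(NamedTuple):
    command: str
    pid: int
    fd: str
    ftype: str
    device: str
    inode: int
    path: str


# Directories from the MailScanner.conf lines quoted in the thread.
CONFIGURED_DIRS = (
    "/var/spool/postfix.in/deferred",   # Incoming Queue Dir
    "/var/spool/MailScanner/incoming",  # Incoming Work Dir
    "/var/spool/postfix/incoming",      # Outgoing Queue Dir
)

# Rows as posted in the thread.
PAGE_ROWS = """\
nqmgr 15792 root 8r DIR 72,2 4096 1954564 /var/spool/postfix.in/incoming
MailScann 15897 root 5u REG 72,2 3226 1956954 /var/spool/postfix.in/incoming/1/8/18C9A1DDC5A
MailScann 15897 root 19u REG 72,2 8602 1957133 /var/spool/postfix.in/incoming/4/3/43B771DDD0D
MailScann 15963 root 28u REG 72,2 2687 1956812 /var/spool/postfix.in/incoming/1/8/18A571DDBCC
cleanup 16029 root 12u REG 72,2 0 1957467 /var/spool/postfix.in/incoming/C/A/CADDD1DDE5B
"""

# Constructed rows: a file in the expected directory, and a second holder of
# inode 1956954 under another queue directory.
CONSTRUCTED_ROWS = """\
MailScann 15897 root 22u REG 72,2 4100 1960001 /var/spool/postfix.in/deferred/A/B/AB0011DDF00
nqmgr 15792 root 14u REG 72,2 3226 1956954 /var/spool/postfix.in/active/1/8/18C9A1DDC5A
"""

SAMPLE_LSOF = ("COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME\n"
               + PAGE_ROWS + CONSTRUCTED_ROWS)


def parse_lsof(text):
    """Parse default lsof columns; header and damaged rows are skipped."""
    entries = []
    for line in text.splitlines():
        fields = line.split(None, 8)    # NAME may itself contain spaces
        if len(fields) != 9 or not fields[1].isdigit() or not fields[7].isdigit():
            continue
        command, pid, _user, fd, ftype, device, _size, node, name = fields
        entries.append(OpenFile(command, int(pid), fd, ftype, device, int(node), name))
    return entries


def _inside(path, directory):
    # Compare whole path components: "/var/spool/postfix" must not match
    # "/var/spool/postfix.in", which a bare startswith() would allow.
    directory = directory.rstrip("/")
    return path == directory or path.startswith(directory + "/")


def outside_configured_dirs(entries, command="MailScann",
                            spool_root="/var/spool", allowed=CONFIGURED_DIRS):
    """Regular files under spool_root held by `command` (lsof truncates
    MailScanner to 9 characters) that are in none of the allowed dirs."""
    return [e for e in entries
            if e.command.startswith(command) and e.ftype == "REG"
            and _inside(e.path, spool_root)
            and not any(_inside(e.path, d) for d in allowed)]


def inodes_with_several_holders(entries):
    """Map (device, inode) -> holders when one file appears more than once."""
    seen = defaultdict(set)
    for e in entries:
        if e.ftype == "REG":
            seen[(e.device, e.inode)].add((e.command, e.pid, e.path))
    return {key: sorted(holders) for key, holders in seen.items() if len(holders) > 1}


if __name__ == "__main__":
    rows = parse_lsof(SAMPLE_LSOF)
    for e in outside_configured_dirs(rows):
        print("unexpected:", e.command, e.pid, e.path)
    for key, holders in inodes_with_several_holders(rows).items():
        print("shared inode", key, holders)
```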
From mike at CAMAROSS.NET Fri Oct 3 21:00:32 2003 From: mike at CAMAROSS.NET (Mike Kercher) Date: Thu Jan 12 21:20:23 2006 Subject: ICANN & Verisign *Verisign Complies* In-Reply-To: <000501c389cf$f0ad2320$3201010a@nimitz> Message-ID: <003b01c389e9$007b1f00$650ba8c0@home.middlefinger.net> http://asia.reuters.com/newsArticle.jhtml?type=internetNews&storyID=3555798 -----Original Message----- From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK] On Behalf Of Ulysees Sent: Friday, October 03, 2003 12:01 PM To: MAILSCANNER@JISCMAIL.AC.UK Subject: ICANN & Verisign looks like a bit of good news to me. http://www.icann.org/correspondence/twomey-to-lewis-03oct03.htm From lists at STHOMAS.NET Fri Oct 3 21:55:42 2003 From: lists at STHOMAS.NET (Steve Thomas) Date: Thu Jan 12 21:20:23 2006 Subject: ICANN & Verisign *Verisign Complies* In-Reply-To: <003b01c389e9$007b1f00$650ba8c0@home.middlefinger.net>; from mike@CAMAROSS.NET on Fri, Oct 03, 2003 at 03:00:32PM -0500 References: <000501c389cf$f0ad2320$3201010a@nimitz> <003b01c389e9$007b1f00$650ba8c0@home.middlefinger.net> Message-ID: <20031003135542.A30013@sthomas.net> On Fri, Oct 03, 2003 at 03:00:32PM -0500, Mike Kercher is rumored to have said: > > http://asia.reuters.com/newsArticle.jhtml?type=internetNews&storyID=3555798 > "Thwarting efforts such as providing new services will hinder innovation on the Internet, he added." Nobody's saying that Verislime shouldn't be able to provide new services. Their problem was with how they *broke* so many applications that expected the DNS system to work the way it was intended. Sheesh. This quote's from a Washington Post article: "Before agreeing to take down Site Finder, VeriSign had promised to work with the Internet community to iron out any glitches triggered by Site Finder." "glitches triggered by Site Finder"??? WHAT?!?! Site Finder CREATED those glitches. Verislime's acting like the software was buggy and all they did was expose the bugs. 
The software was written properly - it's VS that's broken. Like someone over on NANOG said, they sure are playing the victim. /me is playing the worlds smallest violin for Verislime... -- "I'll moider da bum." - Heavyweight boxer Tony Galento, when asked what he thought of William Shakespeare From mailscanner at ecs.soton.ac.uk Fri Oct 3 23:13:14 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:20:23 2006 Subject: skipped, still being delivered In-Reply-To: <20031003161550.A20294@Nexium.CTCNet.com> References: <5.2.0.9.2.20031001152131.0423cec0@imap.ecs.soton.ac.uk> <54C38A0B814C8E438EF73FC76F3629273ADF43@mtlnt501fs.CAMOROUT <5.2.0.9.2.20031001152131.0423cec0@imap.ecs.soton.ac.uk> Message-ID: <5.2.1.1.2.20031003230900.0323e9f8@imap.ecs.soton.ac.uk> Okay, you got my attention :-) Can you reproduce it? If so, can you do lsof | grep /var/spool/postfix this time instead, so I can see all the files open in the incoming and outgoing queues? In actual fact, you could skip the "grep" altogether and just mail me the whole lot. I want to see if the same inode number crops up more than once, which implies postfix is moving the file around at the time. Thanks for this, it's *really* helpful. 
Just not quite enough, yet :-) At 21:15 03/10/2003, you wrote: >==================== >[root@Gabriel log]# lsof | grep /var/spool/postfix.in/incoming >nqmgr 15792 root 8r DIR 72,2 4096 1954564 >/var/spool/postfix.in/incoming >nqmgr 15792 root 12r DIR 72,2 4096 521221 >/var/spool/postfix.in/incoming/6 >nqmgr 15792 root 13r DIR 72,2 4096 895861 >/var/spool/postfix.in/incoming/6/3 >MailScann 15897 root 5u REG 72,2 3226 1956954 >/var/spool/postfix.in/incoming/1/8/18C9A1DDC5A >MailScann 15897 root 19u REG 72,2 8602 1957133 >/var/spool/postfix.in/incoming/4/3/43B771DDD0D >MailScann 15897 root 20u REG 72,2 8713 1957134 >/var/spool/postfix.in/incoming/4/7/473F31DDD0E >MailScann 15897 root 21u REG 72,2 8256 1956916 >/var/spool/postfix.in/incoming/4/1/411D11DDC34 > >MailScann 15963 root 28u REG 72,2 2687 1956812 >/var/spool/postfix.in/incoming/1/8/18A571DDBCC >cleanup 16029 root 12u REG 72,2 0 1957467 >/var/spool/postfix.in/incoming/C/A/CADDD1DDE5B >cleanup 16276 root 12u REG 72,2 0 1957469 >/var/spool/postfix.in/incoming/A/8/A85B71DDE5D >cleanup 16308 root 12u REG 72,2 0 1957464 >/var/spool/postfix.in/incoming/9/D/9D1D51DDE58 >cleanup 16366 root 12u REG 72,2 0 1957466 >/var/spool/postfix.in/incoming/7/D/7D3C21DDE5A >cleanup 16372 root 12u REG 72,2 0 1957468 >/var/spool/postfix.in/incoming/8/6/86CB71DDE5C >MailScann 16375 root 14u REG 72,2 2131 1957194 >/var/spool/postfix.in/incoming/4/1/41AD51DDD4A > >==================== >...For brevity's sake I don't feel it necessary to include the rest of the >output, as they're all various queue files being accessed by MailScanner >or cleanup, but I certainly can if folks want (I omitted maybe two dozen >lines or so). 
:) > >--Eric -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Fri Oct 3 21:06:28 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:20:23 2006 Subject: Mailscanner vs Spamassassin settings for changing the message headers In-Reply-To: <200310031953.h93JrC730085@onyx.rockstone.co.uk> References: <003901c389e8$1685eec0$650ba8c0@home.middlefinger.net> <003901c389e8$1685eec0$650ba8c0@home.middlefinger.net> Message-ID: <5.2.1.1.2.20031003210446.03157fa8@imap.ecs.soton.ac.uk> At 20:53 03/10/2003, you wrote: >If they could do it for London Bridge, and move that to Arizona, I'm sure a >normal house is a bit easier :) The good bit about that story is that the luser thought he was buying *Tower* bridge, not *London* bridge. London bridge is a pretty boring run-of-the-mill bridge, it's Tower bridge that is the impressive one. One of the best con jobs ever pulled... -- Julian Field www.MailScanner.info Professional Support Services at www.MailScanner.biz MailScanner thanks transtec Computers for their support PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From mailscanner at ecs.soton.ac.uk Fri Oct 3 23:45:29 2003 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 12 21:20:23 2006 Subject: skipped, still being delivered In-Reply-To: <20031003161550.A20294@Nexium.CTCNet.com> References: <5.2.0.9.2.20031001152131.0423cec0@imap.ecs.soton.ac.uk> <54C38A0B814C8E438EF73FC76F3629273ADF43@mtlnt501fs.CAMOROUT <5.2.0.9.2.20031001152131.0423cec0@imap.ecs.soton.ac.uk> Message-ID: <5.2.1.1.2.20031003234242.03245008@imap.ecs.soton.ac.uk> Also, exactly what version of Postfix are you using? And on what OS and version? 
I have just tried breaking my DNS server, pumping mail as fast as I can at
Postfix and MailScanner, and doing lots of
         lsof | grep /var/spool/postfix | grep MailScanner
and I can't get it to show anything other than /var/spool/postfix.in/deferred.
Which is what it should be doing.
Any ideas on how I might reproduce the behaviour of your system?

At 21:15 03/10/2003, you wrote:
>On Wed, Oct 01, 2003 at 03:22:40PM +0100, Julian Field wrote:
> > Great :(
> > In this case, I really don't know what is going on. Postfix generates the
> > error when it tries to open a message to find it is already locked by
> > something else. I have been *extremely* careful and paranoid about the
> > locking and have made sure the file is unlocked before it is put in the
> > queue. So how this is still happening beats me.
>
>Within the past couple days I started seeing this problem as well, and
>there is one thing I have noticed, yet not seen discussed, namely that
>MailScanner appears to be opening files in a directory -
>/var/spool/postfix.in/incoming/ - where AFAICT it should not:
>
>====================
>[root@Gabriel log]# lsof | grep /var/spool/postfix.in/incoming
>nqmgr 15792 root 8r DIR 72,2 4096 1954564
>/var/spool/postfix.in/incoming
>nqmgr 15792 root 12r DIR 72,2 4096 521221
>/var/spool/postfix.in/incoming/6
>nqmgr 15792 root 13r DIR 72,2 4096 895861
>/var/spool/postfix.in/incoming/6/3
>MailScann 15897 root 5u REG 72,2 3226 1956954
>/var/spool/postfix.in/incoming/1/8/18C9A1DDC5A
>MailScann 15897 root 19u REG 72,2 8602 1957133
>/var/spool/postfix.in/incoming/4/3/43B771DDD0D
>MailScann 15897 root 20u REG 72,2 8713 1957134
>/var/spool/postfix.in/incoming/4/7/473F31DDD0E
>MailScann 15897 root 21u REG 72,2 8256 1956916
>/var/spool/postfix.in/incoming/4/1/411D11DDC34
>
>MailScann 15963 root 28u REG 72,2 2687 1956812
>/var/spool/postfix.in/incoming/1/8/18A571DDBCC
>cleanup 16029 root 12u REG 72,2 0 1957467
>/var/spool/postfix.in/incoming/C/A/CADDD1DDE5B
>cleanup 16276 root 12u REG 72,2 0 1957469
>/var/spool/postfix.in/incoming/A/8/A85B71DDE5D
>cleanup 16308 root 12u REG 72,2 0 1957464
>/var/spool/postfix.in/incoming/9/D/9D1D51DDE58
>cleanup 16366 root 12u REG 72,2 0 1957466
>/var/spool/postfix.in/incoming/7/D/7D3C21DDE5A
>cleanup 16372 root 12u REG 72,2 0 1957468
>/var/spool/postfix.in/incoming/8/6/86CB71DDE5C
>MailScann 16375 root 14u REG 72,2 2131 1957194
>/var/spool/postfix.in/incoming/4/1/41AD51DDD4A
>
>====================
>...For brevity's sake I don't feel it necessary to include the rest of the
>output, as they're all various queue files being accessed by MailScanner
>or cleanup, but I certainly can if folks want (I omitted maybe two dozen
>lines or so).
>
>Similarly, I can post my full configs, but I think this is sufficient for now:
>Incoming Queue Dir = /var/spool/postfix.in/deferred
>Incoming Work Dir = /var/spool/MailScanner/incoming
>Outgoing Queue Dir = /var/spool/postfix/incoming
>
>While it's obvious that MailScanner should read queue files in
>/var/spool/postfix.in/DEFERRED/ [my caps] and write them to
>/var/spool/postfix/incoming/ , I don't think it should be touching
>anything in /var/spool/postfix.IN/INCOMING/ . Am I wrong in this?
>
>Below are some other pieces of information which may or may not be helpful:
>
>1) I'm running RedHat 7.3 on a Compaq DL360 with two 1GHz processors and
>1GB RAM; I've seen no problems with system load.
>
>2) MailScanner version is 4.22-5; Postfix version 1.1.12; SpamAssassin
>version 2.55.
>
>3) I thought I had turned off all defunct DNS-based spam checks, but MS
>seemed (sorry, no hard numbers) to be taking a long time to scan messages,
>especially late last night (between roughly midnight and 2am GMT-04, but I
>was also actively changing configurations and restarting MS & Co., which
>seemed to cause bursts of duplicate/blank emails and "skipped, still being
>delivered" messages). I was unable to get MS to complain of any RBL
>timeouts (including with Debug = yes in MailScanner.conf), but to make a
>long story shorter, I turned off all of the following DNS-based spam
>checks on a hunch (some, again, had already been off):
>
>====================
>Fri Oct 3 15:56:36 /etc/MailScanner
>root@Gabriel# ls -l /etc/mail/spamassassin/local.cf
>-r--r--r-- 1 root root 780 Oct 3 02:13
>/etc/mail/spamassassin/local.cf
>
>Fri Oct 3 15:56:39 /etc/MailScanner
>root@Gabriel# grep score /etc/mail/spamassassin/local.cf
>score RCVD_IN_RELAYS_ORDB_ORG 0.0
>score RCVD_IN_OSIRUSOFT_COM 0.0
>score X_OSIRU_DUL 0.0
>score X_OSIRU_DUL_FH 0.0
>score X_OSIRU_OPEN_RELAY 0.0
>score X_OSIRU_SPAMWARE_SITE 0.0
>score X_OSIRU_SPAM_SRC 0.0
>score RCVD_IN_RFCI 0.0
>score RCVD_IN_ORBS 0.0
>score RCVD_IN_DSBL 0.0
>score RCVD_IN_MULTIHOP_DSBL 0.0
>score RCVD_IN_SBL 0.0
>score RCVD_IN_UNCONFIRMED_DSBL 0.0
>score RCVD_IN_BONDEDSENDER 0.0
>score RCVD_IN_OPM 0.0
>score RCVD_IN_NJABL 0.0
>score X_NJABL_OPEN_PROXY 0.0
>score X_NJABL_DIALUP 0.0
>====================
>
>4) Very quickly after that, my inbound queue went from 6,000 to "zero" and
>my "skipped, still being delivered" messages stopped - from this I
>hypothesize that some DNS-based spam check was timing out (I tested some,
>but not all), causing MailScanner (and I'm going well beyond my expertise
>here) to start losing a race condition of some sort with the inbound
>Postfix process.
>
>====================
>Fri Oct 3 02:16:16 /etc/mail/spamassassin
>
>---------->Checking inbound, pre-MS/SA queue<----------
>
>root@Gabriel# postqueue -c /etc/postfix.in -p | tail -1
>-- 74771 Kbytes in 6368 Requests.
>
>Fri Oct 3 02:16:32 /etc/mail/spamassassin
>
>---------->Checking outbound, post-MS/SA queue<----------
>
>root@Gabriel# postqueue -p | tail -1
>-- 511 Kbytes in 257 Requests.
>
>Fri Oct 3 02:16:35 /etc/mail/spamassassin
>root@Gabriel# postqueue -c /etc/postfix.in -p | tail -1
>-- 74904 Kbytes in 6384 Requests.
>
>Fri Oct 3 02:18:38 /etc/mail/spamassassin
>root@Gabriel# postqueue -p | tail -1
>-- 644 Kbytes in 360 Requests.
>
>Fri Oct 3 02:18:42 /etc/mail/spamassassin
>root@Gabriel# postqueue -c /etc/postfix.in -p | tail -1
>-- 75055 Kbytes in 6402 Requests.
>
>Fri Oct 3 02:21:19 /etc/mail/spamassassin
>root@Gabriel# postqueue -p | tail -1
>-- 1168 Kbytes in 628 Requests.
>
>Fri Oct 3 02:21:25 /etc/mail/spamassassin
>root@Gabriel# postqueue -c /etc/postfix.in -p | tail -1
>-- 74947 Kbytes in 6394 Requests.
>
>Fri Oct 3 02:22:54 /etc/mail/spamassassin
>root@Gabriel# postqueue -p | tail -1
>-- 889 Kbytes in 465 Requests.
>
>Fri Oct 3 02:22:56 /etc/mail/spamassassin
>root@Gabriel# postqueue -c /etc/postfix.in -p | tail -1
>-- 73887 Kbytes in 6245 Requests.
>
>Fri Oct 3 02:26:04 /etc/mail/spamassassin
>root@Gabriel# postqueue -p | tail -1
>-- 2131 Kbytes in 665 Requests.
>
>Fri Oct 3 02:26:07 /etc/mail/spamassassin
>root@Gabriel# postqueue -c /etc/postfix.in -p | tail -1
>-- 71968 Kbytes in 5934 Requests.
>
>Fri Oct 3 02:27:12 /etc/mail/spamassassin
>root@Gabriel# postqueue -p | tail -1
>-- 3866 Kbytes in 851 Requests.
>
>Fri Oct 3 02:27:18 /etc/mail/spamassassin
>root@Gabriel#
>
>Fri Oct 3 02:30:28 /etc/mail/spamassassin
>root@Gabriel# postqueue -c /etc/postfix.in -p | tail -1
>-- 68222 Kbytes in 5465 Requests.
>
>Fri Oct 3 02:30:37 /etc/mail/spamassassin
>root@Gabriel# postqueue -p | tail -1
>-- 7310 Kbytes in 1032 Requests.
>
>Fri Oct 3 02:30:43 /etc/mail/spamassassin
>root@Gabriel#
>
>Fri Oct 3 03:46:02 /etc/mail/spamassassin
>root@Gabriel# postqueue -c /etc/postfix.in -p | tail -1
>Mail queue is empty
>
>Fri Oct 3 03:46:03 /etc/mail/spamassassin
>root@Gabriel# postqueue -p | tail -1
>-- 2032 Kbytes in 310 Requests.
>
>Fri Oct 3 03:46:06 /etc/mail/spamassassin
>root@Gabriel#
>
>Fri Oct 3 09:26:59 /etc/mail/spamassassin
>root@Gabriel# postqueue -c /etc/postfix.in -p | tail -1
>Mail queue is empty
>
>Fri Oct 3 09:27:00 /etc/mail/spamassassin
>root@Gabriel# postqueue -p | tail -1
>-- 35 Kbytes in 6 Requests.
>
>Fri Oct 3 09:27:02 /etc/mail/spamassassin
>root@Gabriel#
>
>Fri Oct 3 11:13:48 /etc/mail/spamassassin
>root@Gabriel# postqueue -c /etc/postfix.in -p | tail -1
>Mail queue is empty
>
>Fri Oct 3 11:13:49 /etc/mail/spamassassin
>root@Gabriel# postqueue -p | tail -1
>-- 35 Kbytes in 6 Requests.
>Fri Oct 3 11:58:53 /etc/mail/spamassassin
>root@Gabriel# postqueue -c /etc/postfix.in -p | tail -1
>Mail queue is empty
>
>Fri Oct 3 11:58:54 /etc/mail/spamassassin
>root@Gabriel# postqueue -p | tail -1
>-- 39 Kbytes in 7 Requests.
>
>Fri Oct 3 11:58:57 /etc/mail/spamassassin
>
>Fri Oct 3 16:05:27 /etc/MailScanner
>root@Gabriel# grep "skipped, still being delivered" /var/log/maillog | tail -2
>Oct 3 02:51:24 Gabriel postfix/nqmgr[13729]: 095461DE774: skipped, still
>being delivered
>Oct 3 02:51:24 Gabriel postfix/nqmgr[13729]: 09AE61DEBC9: skipped, still
>being delivered
>====================
>
>I still need to finish testing the DNS-based spam checks to find which
>one(s) were timing out. My testing and documentation weren't the best on
>this one, but I apparently did something which coincided with the
>remission of my immediate problem. :)
>
>--Eric

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From mailscanner at ecs.soton.ac.uk Sat Oct 4 00:54:09 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:20:23 2006
Subject: skipped, still being delivered -- proposed solution
In-Reply-To: <5.2.1.1.2.20031003234242.03245008@imap.ecs.soton.ac.uk>
References: <20031003161550.A20294@Nexium.CTCNet.com>
 <5.2.0.9.2.20031001152131.0423cec0@imap.ecs.soton.ac.uk>
 <54C38A0B814C8E438EF73FC76F3629273ADF43@mtlnt501fs.CAMOROUT
 <5.2.0.9.2.20031001152131.0423cec0@imap.ecs.soton.ac.uk>
Message-ID: <5.2.1.1.2.20031004004506.02f7fb50@imap.ecs.soton.ac.uk>

Okay, I have spent the last hour in bed staring at the ceiling, failing to get to sleep, thinking about how this could possibly happen. MailScanner never directly accessed any file in /etc/postfix.in/incoming, of that I am certain. So the only way this can be happening is if the file in "incoming" is linked to the file in "deferred".

This could happen if Wietse designed the message creation the way I now think he did. He gets the envelope information and the headers from the SMTP session. He uses that to create the queue message file in "incoming". Based on the headers and envelope, he works out that the message wants to go into "deferred", so he links the file into there. Then he reads the message body from SMTP and adds it onto the end of the queue message file (which is now in both "incoming" and "deferred"). Then he removes the link from "incoming", leaving the message only in "deferred".

If that is true, it would also explain why you were first seeing a message with no body, then the same message again but with the body the second time.

What it boils down to is a simple patch for Postfix.pm, which I would really appreciate you trying. If it doesn't work, it won't do any harm.
It is attached to this message as I didn't want my mailer wrapping it.

I'm going back to bed now...

At 23:45 03/10/2003, you wrote:
>Also, exactly what version of Postfix are you using?
>And on what OS and version?
>
>I have just tried breaking my DNS server, pumping mail as fast as I can at
>Postfix and MailScanner, and doing lots of
>         lsof | grep /var/spool/postfix | grep MailScanner
>and I can't get it show anything other than /var/spool/postfix.in/deferred.
>Which is what it should be doing.
>Any ideas on how I might reproduce the behaviour of your system?

-------------- next part --------------
A non-text attachment was scrubbed...
Name: Postfix.pm.patch
Type: application/octet-stream
Size: 1674 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20031004/0cb930a0/Postfix.pm.obj
-------------- next part --------------
--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From splee at PLEXIO.COM Sat Oct 4 03:31:25 2003
From: splee at PLEXIO.COM (Stephen Lee)
Date: Thu Jan 12 21:20:23 2006
Subject: OT: Sophos CID password error
In-Reply-To: <3F7D89E0.1030707@bangor.ac.uk>
References: <6.0.0.22.2.20031002163927.023660e0@commons>
 <3F7D89E0.1030707@bangor.ac.uk>
Message-ID: <1065234685.30867.188.camel@ralph.plexio.private>

On Fri, 2003-10-03 at 07:38, Martin Sapsed wrote:
> Fred Dick wrote:
> > Hi Sophos Gurus:
> >
> > Been getting the message when trying to auto update:
> >
> > Error: Could not find central installation setup program. The specified
> > network password is not correct.
> >
> > Happens with 3.73 & 3.74. Win2k PC client running against Sun Solaris 2.6
> > CID. Reset sweepupd passwd, account, uninstalled and reinstalled Sophos
> > numerous times on both server and client. Any ideas??? This has been
> > working fine for 2 years...no recent changes to system.
>
> I don't think it says so anywhere but my experience indicates that
> Sophos autoupdate only works on XP (and presumably 2k) if encrypted
> passwords work. Since I assume you're using Samba on the Sun, are you
> accepting encrypted passwords? Although having just read your message
> again, since it's been working for ages, I guess you are...!
>

Actually you need to add the sweepupd account in the following manner:

http://www.sophos.com/sophos/docs/eng/supps/w2k_sen.pdf

Stephen

From smohan at VSNL.COM Sat Oct 4 04:30:13 2003
From: smohan at VSNL.COM (S Mohan)
Date: Thu Jan 12 21:20:23 2006
Subject: Exchange blocking duplicate messages?
In-Reply-To: <75FEDC422E2309419A9303E7B18F206E04DB5BB4@eqmail1.efni.vpn>
Message-ID:

I've seen this being followed for POP access by Outlook/OE where the messages are not deleted from the server. Maybe Exchange follows that for SMTP too to avoid duplicate messages.

Regards
Mohan

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER@JISCMAIL.AC.UK]On Behalf Of Hirsh, Joshua
Sent: Friday, October 03, 2003 7:55 PM
To: MAILSCANNER@JISCMAIL.AC.UK
Subject: Exchange blocking duplicate messages?

Hey all,

Has anyone run into the case where an Exchange 5.5 server will block messages with the same Message-ID field?

In my case, if I release a message from the quarantine, some users will never get it. It appears that it's because Exchange ignores the message since it already received one with the same Message-ID (which was sent notifying the user that the attachment was removed).

I was able to reproduce it by manually sending SMTP commands to Exchange and sent a message with the same Message-ID a few times. In all cases, only the first one went through.

It's definitely more of an Exchange issue, but I'm hoping some of you might have run into this before :)

Thanks,
-Joshua

From shrek-m at GMX.DE Sat Oct 4 15:14:02 2003
From: shrek-m at GMX.DE (shrek-m@gmx.de)
Date: Thu Jan 12 21:20:23 2006
Subject: man MailScanner
Message-ID: <3F7ED5AA.5030909@gmx.de>

hi,

$ cat /etc/redhat-release
Red Hat Linux release 8.0 (Psyche)

$ rpm -q mailscanner
mailscanner-4.24-4

$ man MailScanner
--------

--------

the same result with :
$ man /usr/share/doc/mailscanner-4.24/html/man/MailScanner.8
$ cat /usr/share/doc/mailscanner-4.24/html/man/MailScanner.8

$ man MailScanner.conf
here are no problems

$ ls /usr/share/doc/mailscanner-4.24/
COPYING html

$ ls /usr/share/doc/mailscanner-4.24/html/man/
MailScanner.8 MailScanner.8.html MailScanner.conf.5 MailScanner.conf.5.html

--
shrek-m

From Jan-Peter.Koopmann at SECEIDOS.DE Sat Oct 4 15:42:04 2003
From: Jan-Peter.Koopmann at SECEIDOS.DE (Jan-Peter Koopmann)
Date: Thu Jan 12 21:20:23 2006
Subject: FreeBSD
Message-ID:

Hi,

> I don't know the schedule of when the next version
> appears in ports.

I was on vacation. Sorry. I think I will have the next port version ready during the next week.

Regards,
JP

From shrek-m at GMX.DE Sat Oct 4 16:16:33 2003
From: shrek-m at GMX.DE (shrek-m@gmx.de)
Date: Thu Jan 12 21:20:23 2006
Subject: Sophos.install -> sweep: relocation error: sweep: undefined symbol: initializeDriveMap
Message-ID: <3F7EE451.8080101@gmx.de>

hi,

$ lynx /usr/share/doc/mailscanner-4.24/html/install/linux.shtml#sophos

afaik
# cd /usr/local
# tar xzvf linux.intel.libc6.tar.Z
# cd ../sav-install
# ./install.sh

sophos will be installed with "install.sh" in "/usr/local/sav/"
and not with "Sophos.install" "/usr/local/Sophos"

# rpm -qf `which Sophos.install`
mailscanner-4.24-4

OOPS,
could you please *mention* that Sophos.install is an MailScanner-tool which need additional settings.

===> Checking paths are accessible
Warning: $PATH does not include /usr/local/Sophos/bin
 To run Sophos Anti-Virus you need to set environment variable $PATH so
 that it includes /usr/local/Sophos/bin.

Warning: Neither $LD_LIBRARY_PATH nor /etc/ld.so.conf include /usr/local/Sophos/lib.
 You need to either include an entry for /usr/local/Sophos/lib in
 /etc/ld.so.conf, or set environment variable $LD_LIBRARY_PATH to
 include /usr/local/Sophos/lib or you will not be able to use Sophos
 Anti-Virus.

# sweep .
sweep: relocation error: sweep: undefined symbol: initializeDriveMap

solved with the sophos own install.sh
# /usr/local/sav-install/install.sh

# sweep .
3 Dateien überprüft in 1 Sekunde.
Es wurden keine Viren gefunden.
Ende von Sweep.

once again, with the correct PATH and entry in ld.so.conf
# Sophos.install
===> Checking paths are accessible
$PATH is OK
Library path is OK
Manual path is OK

# sweep .
3 Dateien überprüft in 1 Sekunde.
Es wurden keine Viren gefunden.
Ende von Sweep.

thanks :-(

--
shrek-m

From me at DESIGNSMART.CO.UK Sat Oct 4 21:00:16 2003
From: me at DESIGNSMART.CO.UK (Bob)
Date: Thu Jan 12 21:20:23 2006
Subject: MailScanner / ClamAV
Message-ID:

Hi,

I'm having some problems getting ClamAV to work with MailScanner. ClamAV finds the infection in the attachment, but the message is still delivered with no mention of it being infected.

I'm sure that this must be a simple configuration error on my part, but I'm stumped! Any help would be appreciated. Thanks!

Oct 4 19:53:15 altec MailScanner[18320]: New Batch: Scanning 1 messages, 2152 bytes
Oct 4 19:53:15 altec MailScanner[18320]: Virus and Content Scanning: Starting
Oct 4 19:53:15 altec MailScanner [18320]: /home/MailScanner/incoming/18320/./h94IrBE18380/eicar_com.zip: Eicar-Test-Signature FOUND
Oct 4 19:53:15 altec MailScanner[18320]: Virus Scanning: ClamAV found 1 infections
Oct 4 19:53:15 altec MailScanner[18320]: Virus Scanning: Found 1 viruses
Oct 4 19:53:15 altec MailScanner[18320]: Uninfected: Delivered 1 messages

Bob
- Running MailScanner 4.23

From tjc at ecs.soton.ac.uk Sat Oct 4 11:49:00 2003
From: tjc at ecs.soton.ac.uk (Tim Chown)
Date: Thu Jan 12 21:20:23 2006
Subject: [Fwd: ICANN asks Verisign to shutdown SiteFinder in 48 hours]
Message-ID: <20031004104900.GD25957@login.ecs.soton.ac.uk>

Yay.
-------------- next part --------------
An embedded message was scrubbed...
From: william@elan.net
Subject: Re: Fwd: ICANN asks Verisign to shutdown SiteFinder in 48 hours
Date: Fri, 3 Oct 2003 10:29:33 -0700 (PDT)
Size: 4619
Url: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20031004/70f3dc03/attachment.mht

From mailscanner at ecs.soton.ac.uk Sun Oct 5 09:45:32 2003
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 12 21:20:23 2006
Subject: Sophos.install -> sweep: relocation error: sweep: undefined symbol: initializeDriveMap
In-Reply-To: <3F7EE451.8080101@gmx.de>
Message-ID: <5.2.1.1.2.20031005094437.02ae47f8@imap.ecs.soton.ac.uk>

At 16:16 04/10/2003, you wrote:
>OOPS,
>could you please *mention* that Sophos.install is an MailScanner-tool
>which need additional settings.
>
>===> Checking paths are accessible
>Warning: $PATH does not include /usr/local/Sophos/bin
> To run Sophos Anti-Virus you need to set environment variable
> $PATH so
> that it includes /usr/local/Sophos/bin.
>
>Warning: Neither $LD_LIBRARY_PATH nor /etc/ld.so.conf include
> /usr/local/Sophos/lib.
> You need to either include an entry for /usr/local/Sophos/lib in
> /etc/ld.so.conf, or set environment variable $LD_LIBRARY_PATH to
> include /usr/local/Sophos/lib or you will not be able to use Sophos
> Anti-Virus.
>

You don't need to do either of those steps for the sophos-wrapper script to work, which is why I don't mention them.
Just trust my script and it will work fine.
--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From shrek-m at GMX.DE Sun Oct 5 11:32:02 2003
From: shrek-m at GMX.DE (shrek-m@gmx.de)
Date: Thu Jan 12 21:20:23 2006
Subject: Sophos.install -> sweep: relocation error: sweep: undefined symbol: initializeDriveMap
In-Reply-To: <5.2.1.1.2.20031005094437.02ae47f8@imap.ecs.soton.ac.uk>
References: <5.2.1.1.2.20031005094437.02ae47f8@imap.ecs.soton.ac.uk>
Message-ID: <3F7FF322.8020007@gmx.de>

Julian Field wrote:

> At 16:16 04/10/2003, you wrote:
>
>> OOPS,
>> could you please *mention* that Sophos.install is an MailScanner-tool
>> which need additional settings.
>>
>> ===> Checking paths are accessible
>> Warning: $PATH does not include /usr/local/Sophos/bin
>> To run Sophos Anti-Virus you need to set environment variable
>> $PATH so
>> that it includes /usr/local/Sophos/bin.
>>
>> Warning: Neither $LD_LIBRARY_PATH nor /etc/ld.so.conf include
>> /usr/local/Sophos/lib.
>> You need to either include an entry for /usr/local/Sophos/lib in
>> /etc/ld.so.conf, or set environment variable $LD_LIBRARY_PATH to
>> include /usr/local/Sophos/lib or you will not be able to use
>> Sophos
>> Anti-Virus.
>>
>
>
> You don't need to do either of those steps for the sophos-wrapper
> script to
> work, which is why I don't mention them.
> Just trust my script [...]

no, not 100% ;-)

$ grep "linux.intel" /usr/sbin/Sophos.install
COMPD=linux.intel.libc6.tar.Z
DISTRIB=linux.intel.libc6.tar

i had never tested what will happen with linux.intel.libc6.tar.Z and glibc-2.2

$ ls /download/sophos/linux.intel.libc6.*
linux.intel.libc6.glibc.2.2.tar.Z linux.intel.libc6.tar.Z

$ cat /etc/redhat-release
Red Hat Linux release 7.3 (Valhalla)

$ rhn-needed-packages
No packages needed.
$ rpm -q glibc
glibc-2.2.5-43

@home
rhl >=8.0, i had no problems
- here i would trust you and your script

@work,
i will try now mailscanner on rhl 7.3 (an old little-productive server)
squid-proxy, ... only sometimes mail-server
sophos: downloads/updates sav.cfg-RolloutNumber, ...
- here i will not trust your script.

--
shrek-m

From dh at UPTIME.AT Sun Oct 5 11:40:38 2003
From: dh at UPTIME.AT (David H.)
Date: Thu Jan 12 21:20:23 2006
Subject: Sophos.install -> sweep: relocation error: sweep: undefined symbol: initializeDriveMap
In-Reply-To: <3F7FF322.8020007@gmx.de>
References: <5.2.1.1.2.20031005094437.02ae47f8@imap.ecs.soton.ac.uk>
 <3F7FF322.8020007@gmx.de>
Message-ID: <3F7FF526.5080900@uptime.at>

shrek-m@gmx.de wrote:

> - here i will not trust your script.
>

You can trust the script. I have many 7.3 redhat server in production and it works just fine, always worked just fine, right out of the box ;)

-d
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 186 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20031005/3a67c2a4/attachment.bin

From shrek-m at GMX.DE Sun Oct 5 16:07:14 2003
From: shrek-m at GMX.DE (shrek-m@gmx.de)
Date: Thu Jan 12 21:20:23 2006
Subject: Sophos.install -> sweep: relocation error: sweep: undefined symbol: initializeDriveMap
In-Reply-To: <3F7FF526.5080900@uptime.at>
References: <5.2.1.1.2.20031005094437.02ae47f8@imap.ecs.soton.ac.uk>
 <3F7FF322.8020007@gmx.de> <3F7FF526.5080900@uptime.at>
Message-ID: <3F8033A2.80601@gmx.de>

David H. wrote:

> shrek-m@gmx.de wrote:
>
>
>> - here i will not trust your script.
>>
> You can trust the script. I have many 7.3 redhat server in production
> and it works just fine, always worked just fine, right out of the box ;)

thanks,
seems to work ;-)

---- redhat
$ cat /etc/redhat-release
Red Hat Linux release 7.3 (Valhalla)

$ rhn-needed-packages
No packages needed.
$ rpm -q sendmail
sendmail-8.11.6-27.73

$ rpm -q perl
perl-5.6.1-36.1.73

---- spamassassin.org src.rpm
$ rpm -q perl-Mail-SpamAssassin
perl-Mail-SpamAssassin-2.60-1

$ rpm -q spamassassin
spamassassin-2.60-1

---- mailscanner.info
$ rpm -q mailscanner
mailscanner-4.23-11

---- sophos
# sweep -v | grep "version"
Produktversion : 3.74

--
shrek-m

From kevins at BMRB.CO.UK Sun Oct 5 16:23:34 2003
From: kevins at BMRB.CO.UK (Kevin Spicer)
Date: Thu Jan 12 21:20:23 2006
Subject: Sophos.install -> sweep: relocation error: sweep: undefined symbol: initializeDriveMap
In-Reply-To: <5C0296D26910694BB9A9BBFC577E7AB00188ABA4@pascal.priv.bmrb.co.uk>
References: <5C0296D26910694BB9A9BBFC577E7AB00188ABA4@pascal.priv.bmrb.co.uk>
Message-ID: <1065367414.10228.10.camel@bach.kevinspicer.co.uk>

shrek-m@gmx.de wrote:

> - here i will not trust your script.

What a strange statement, you are installing MailScanner, a substantial program which you seem to be prepared to trust to move mail between mail queues, filter mail, scan for spam/viruses, block unwanted mail, alter mail, keep your virus scanners up to date etc.etc. Yet, you do not trust a small shell script by _the_same_author_ to install the virus scanner, without giving any reason. I can't even begin to understand that position.

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000
_________________________________________________________________
This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business.

From k0rnshell at CHARTER.NET Sun Oct 5 17:23:04 2003
From: k0rnshell at CHARTER.NET (Chris Tatro)
Date: Thu Jan 12 21:20:23 2006
Subject: spamassassin -tD creates higher score than
Message-ID: <000001c38b5c$f5589060$0201a8c0@tater>

I ran spamassassin -tD < /root/email-sample-spam.txt and the output is below on spamassassin 2.6 and spamassassin rated it a 13.6. But when I paste the contents of email-sample-spam.txt into an email and send it through MailScanner Version 4.23-11 it only scores a 2.064. My MailScanner.conf file is default except I turned off virus scanning and turned on spam logging I posted it below also.

Does anyone know why this is happening is it a MailScanner issue or a SpamAssassin issue or no issue at all just a misconfiguration? Please help....

Also I had previously been running SpamAssassin 2.55 and this message had always scored a 5 when I sent it through MailScanner and now with SpamAssassin 2.6 it only scores a 2 so I had to lower my Required SpamAssassin Score = 2 to get it to catch it.

This is what my mail log says when I send email-sample-spam.txt in an email through mailscanner:

Message h95Dvsqx018858 from 192.168.1.50 (tatroc@testdomain.com) to testdomain.com is spam, SpamAssassin (score=2.064, required 2, DRASTIC_REDUCED 2.00, HTML_MESSAGE 0.00, LINES_OF_YELLING 0.01, REMOVE_SUBJ 0.05)

# spamassassin -tD < /root/email-sample-spam.txt
debug: Score set 0 chosen.
debug: running in taint mode? yes
debug: Running in taint mode, removing unsafe env vars, and resetting PATH
debug: PATH included '/bin', keeping.
debug: PATH included '/usr/bin', keeping.
debug: PATH included '/sbin', keeping.
debug: PATH included '/usr/sbin', keeping.
debug: PATH included '/usr/local/bin', keeping.
debug: Final PATH set to: /bin:/usr/bin:/sbin:/usr/sbin:/usr/local/bin
debug: using "/usr/share/spamassassin" for default rules dir
debug: using "/etc/mail/spamassassin" for site rules dir
debug: using "/root/.spamassassin" for user state dir
debug: using "/root/.spamassassin/user_prefs" for user prefs file
debug: using "/root/.spamassassin" for user state dir
debug: bayes: 18268 tie-ing to DB file R/O /root/.spamassassin/bayes_toks
debug: bayes: 18268 tie-ing to DB file R/O /root/.spamassassin/bayes_seen
debug: bayes: found bayes db version 2
debug: bayes: Not available for scanning, only 1 spam(s) in Bayes DB < 200
debug: bayes: 18268 untie-ing
debug: bayes: 18268 untie-ing db_toks
debug: bayes: 18268 untie-ing db_seen
debug: Score set 1 chosen.
debug: Initialising learner
debug: using "/root/.spamassassin" for user state dir
debug: bayes: 18268 tie-ing to DB file R/O /root/.spamassassin/bayes_toks
debug: bayes: 18268 tie-ing to DB file R/O /root/.spamassassin/bayes_seen
debug: bayes: found bayes db version 2
debug: bayes: Not available for scanning, only 1 spam(s) in Bayes DB < 200
debug: bayes: 18268 untie-ing
debug: bayes: 18268 untie-ing db_toks
debug: bayes: 18268 untie-ing db_seen
debug: received-header: parsed as [ ip=212.17.35.15 rdns=dogma.slashnull.org helo=dogma.slashnull.org by=mail.netnoteinc.com ident= ]
debug: received-header: parsed as [ ip=128.195.21.213 rdns=xent.ics.uci.edu helo=XeNT.ics.uci.edu by=dogma.slashnull.org ident= ]
debug: received-header: parsed as [ ip=208.184.130.52 rdns=blue.mydomain.com helo=blue.mydomain.com by=XeNT.ics.uci.edu ident= ]
debug: is Net::DNS::Resolver available? yes
debug: trying (3) leo.org...
debug: looking up MX for 'leo.org'
debug: MX for 'leo.org' exists? 1
debug: MX lookup of leo.org succeeded => Dns available (set dns_available to hardcode)
debug: is DNS available? 1
debug: looking up PTR record for '200.28.105.254'
debug: PTR for '200.28.105.254': ''
debug: received-header: parsed as [ ip=200.28.105.254 rdns=200.28.105.254 helo=ns.fundch.cl by=blue.mydomain.com ident= ]
debug: looking up PTR record for '63.10.249.142'
debug: PTR for '63.10.249.142': ''
debug: received-header: parsed as [ ip=63.10.249.142 rdns=63.10.249.142 helo=y068k3017 by=ns.fundch.cl ident= ]
debug: received-header: relay 212.17.35.15 trusted? no
debug: received-header: relay 128.195.21.213 trusted? no
debug: received-header: relay 208.184.130.52 trusted? no
debug: received-header: relay 200.28.105.254 trusted? no
debug: received-header: relay 63.10.249.142 trusted? no
debug: all '*From' addrs: xl6Ety00V@fismat1.fcfm.buap.mx dev_null_sample_spam@example.com
debug: running header regexp tests; score so far=0
debug: running body-text per-line regexp tests; score so far=2.588
debug: Razor2 is available
debug: entering helper-app run mode
debug: Using results from Razor v2.36
debug: Found Razor2 part: part=0 engine=4 ct=0 cf=100
debug: leaving helper-app run mode
Razor-Log: Computed razorhome from env: /root/.razor
Razor-Log: Found razorhome: /root/.razor
Razor-Log: No /root/.razor/razor-agent.conf found, skipping.
Razor-Log: No razor-agent.conf found, using defaults.
Oct 05 08:42:56.837229 check[18268]: [ 1] [bootup] Logging initiated LogDebugLevel=9 to stdout
Oct 05 08:42:56.841718 check[18268]: [ 5] computed razorhome=/root/.razor, conf=, ident=/root/.razor/identity
Oct 05 08:42:56.845357 check[18268]: [ 8] Client supported_engines: 1 2 3 4
Oct 05 08:42:56.849286 check[18268]: [ 8] prep_mail done: mail 1 headers=1580, mime0=3140
Oct 05 08:42:56.855019 check[18268]: [ 5] read_file: 1 items read from /root/.razor/servers.discovery.lst
Oct 05 08:42:56.857741 check[18268]: [ 5] read_file: 2 items read from /root/.razor/servers.nomination.lst
Oct 05 08:42:56.859417 check[18268]: [ 5] read_file: 2 items read from /root/.razor/servers.catalogue.lst
Oct 05 08:42:56.860971 check[18268]: [ 9] Assigning defaults to joy.cloudmark.com
Oct 05 08:42:56.861965 check[18268]: [ 9] Assigning defaults to folly.cloudmark.com
Oct 05 08:42:56.862717 check[18268]: [ 9] Assigning defaults to stress.cloudmark.com
Oct 05 08:42:56.863510 check[18268]: [ 9] Assigning defaults to truth.cloudmark.com
Oct 05 08:42:56.867140 check[18268]: [ 5] read_file: 12 items read from /root/.razor/server.stress.cloudmark.com.conf
Oct 05 08:42:56.869577 check[18268]: [ 5] read_file: 12 items read from /root/.razor/server.stress.cloudmark.com.conf
Oct 05 08:42:56.872427 check[18268]: [ 5] 32299 seconds before closest server discovery
Oct 05 08:42:56.873287 check[18268]: [ 6] stress.cloudmark.com is a Catalogue Server srl 72; computed min_cf=6, Server se: 58
Oct 05 08:42:56.875008 check[18268]: [ 8] Computed supported_engines: 4
Oct 05 08:42:56.875664 check[18268]: [ 8] Using next closest server stress.cloudmark.com:2703, cached info srl 72
Oct 05 08:42:56.876633 check[18268]: [ 8] mail 1 Subject: Home Based Business for Grownups
Oct 05 08:42:56.882555 check[18268]: [ 6] preproc: mail 1.0 went from 3140 bytes to 3100
Oct 05 08:42:56.883465 check[18268]: [ 6] computing sigs for mail 1.0, len 3100
Oct 05 08:42:56.891044 check[18268]: [ 6] skipping whitelist file (empty?): /root/.razor/razor-whitelist
Oct 05 08:42:56.891681 check[18268]: [ 5] Connecting to stress.cloudmark.com ...
Oct 05 08:42:57.066455 check[18268]: [ 8] Connection established
Oct 05 08:42:57.068673 check[18268]: [ 4] stress.cloudmark.com >> 29 server greeting: sn=C&srl=72&ep4=7542-10&a=l
Oct 05 08:42:57.071352 check[18268]: [ 6] stress.cloudmark.com is a Catalogue Server srl 72; computed min_cf=6, Server se: 58
Oct 05 08:42:57.072451 check[18268]: [ 8] Computed supported_engines: 4
Oct 05 08:42:57.072995 check[18268]: [ 8] mail 1.0 e4 sig: 04rRJ9uwTYgQJ5mkkDDpFS6NpiEA
Oct 05 08:42:57.073659 check[18268]: [ 8] preparing 1 queries
Oct 05 08:42:57.074909 check[18268]: [ 8] sending 1 batches
Oct 05 08:42:57.077156 check[18268]: [ 4] stress.cloudmark.com << 52
Oct 05 08:42:57.077454 check[18268]: [ 6] a=c&e=4&ep4=7542-10&s=04rRJ9uwTYgQJ5mkkDDpFS6NpiEA
Oct 05 08:42:57.221494 check[18268]: [ 4] stress.cloudmark.com >> 12
Oct 05 08:42:57.221890 check[18268]: [ 6] response to sent.1 p=1&cf=100
Oct 05 08:42:57.224138 check[18268]: [ 6] mail 1.0 e=4 sig=04rRJ9uwTYgQJ5mkkDDpFS6NpiEA: Is spam: cf 100 >= min_cf 6
Oct 05 08:42:57.224617 check[18268]: [ 7] method 4: mail 1.0: no-contention part, spam=1
Oct 05 08:42:57.224912 check[18268]: [ 7] method 4: mail 1: a non-contention part was spam, mail spam
Oct 05 08:42:57.225451 check[18268]: [ 3] mail 1 is known spam.
Oct 05 08:42:57.225821 check[18268]: [ 5] disconnecting from server stress.cloudmark.com
Oct 05 08:42:57.227883 check[18268]: [ 4] stress.cloudmark.com << 5
Oct 05 08:42:57.228299 check[18268]: [ 6] a=q
debug: Razor2 results: spam? 1 highest cf score: 100
debug: running raw-body-text per-line regexp tests; score so far=6.203
debug: running uri tests; score so far=6.203
debug: uri tests: Done uriRE
debug: running full-text regexp tests; score so far=6.203
debug: Razor2 is available
debug: Current PATH is: /bin:/usr/bin:/sbin:/usr/sbin:/usr/local/bin
debug: executable for pyzor was found at /usr/bin/pyzor
debug: Pyzor is available: /usr/bin/pyzor
debug: entering helper-app run mode
debug: Pyzor: got response: 66.92.49.157:24441 (200, 'OK') 25 0
debug: leaving helper-app run mode
debug: Pyzor: Listed! 25 of 5 and whitelist is 0
debug: DCCifd is not available: no r/w dccifd socket found.
debug: DCC is not available: no executable dccproc found.
debug: looking up PTR record for '63.10.249.142'
debug: PTR for '63.10.249.142': ''
debug: round-the-world: mail relayed through ns.fundch.cl by 63.10.249.142 (HELO y068k3017, rev DNS says )
debug: round-the-world: probably not
debug: all '*To' addrs: dev_null_sample_spam@netnoteinc.com dev_null_sample_spam@jmason.org
debug: DNS MX records found: 1
debug: forged-HELO: from=slashnull.org helo=slashnull.org by=netnoteinc.com
debug: forged-HELO: from=uci.edu helo=uci.edu by=slashnull.org
debug: forged-HELO: from=mydomain.com helo=mydomain.com by=uci.edu
debug: forged-HELO: from=200.28.105.254 helo=ns.fundch.cl by=mydomain.com
debug: forged-HELO: mismatch on HELO: 'ns.fundch.cl' != '200.28.105.254'
debug: forged-HELO: from=63.10.249.142 helo=y068k3017 by=ns.fundch.cl
debug: forged-HELO: mismatch on from: '200.28.105.254' != 'ns.fundch.cl'
debug: RBL: success for 46 of 46 queries
debug: running meta tests; score so far=11.813
debug: auto-learn? ham=0.1, spam=12, body-hits=8.84, head-hits=8.198
debug: auto-learn: currently using scoreset 1. no need to recompute.
debug: auto-learn? yes, spam (13.613 > 12)
debug: Learning Spam
debug: uri tests: Done uriRE
debug: using "/root/.spamassassin" for user state dir
debug: lock: 18268 created /root/.spamassassin/bayes.lock.relay.18268
debug: lock: 18268 trying to get lock on /root/.spamassassin/bayes with 0 retries
debug: lock: 18268 link to /root/.spamassassin/bayes.lock: link ok
debug: bayes: 18268 tie-ing to DB file R/W /root/.spamassassin/bayes_toks
debug: bayes: 18268 tie-ing to DB file R/W /root/.spamassassin/bayes_seen
debug: bayes: found bayes db version 2
debug: N1msdrbJXNPfV4wg9: already learnt correctly, not learning twice
debug: bayes: 18268 untie-ing
debug: bayes: 18268 untie-ing db_toks
debug: bayes: 18268 untie-ing db_seen
debug: bayes: files locked, now unlocking lock
debug: unlock: 18268 unlink /root/.spamassassin/bayes.lock
debug: bayes: 18268 untie-ing
debug: is spam? score=13.613 required=5 tests=DATE_IN_PAST_12_24,DNS_FROM_RFCI_DSN,DRASTIC_REDUCED,FROM_HAS_MIXED_NUMS,FROM_HAS_MIXED_NUMS3,INVALID_MSGID,LINES_OF_YELLING,NO_REAL_NAME,PYZOR_CHECK,RAZOR2_CF_RANGE_51_100,RAZOR2_CHECK,RCVD_IN_DSBL,RCVD_IN_NJABL,RCVD_IN_NJABL_RELAY,RCVD_IN_SORBS,REMOVE_SUBJ
Received: from localhost [127.0.0.1] by relay with SpamAssassin (2.60 1.212-2003-09-23-exp); Sun, 05 Oct 2003 08:42:59 -0500
From: xl6Ety00V@fismat1.fcfm.buap.mx
To: undisclosed-recipients: ;
Subject: Home Based Business for Grownups
Date: 21 Jan 01 8:24:27 PM
Message-Id:
X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 2.60 (1.212-2003-09-23-exp) on relay
X-Spam-Level: *************
X-Spam-Status: Yes, hits=13.6 required=5.0 tests=DATE_IN_PAST_12_24,
	DNS_FROM_RFCI_DSN,DRASTIC_REDUCED,FROM_HAS_MIXED_NUMS,
	FROM_HAS_MIXED_NUMS3,INVALID_MSGID,LINES_OF_YELLING,NO_REAL_NAME,
	PYZOR_CHECK,RAZOR2_CF_RANGE_51_100,RAZOR2_CHECK,RCVD_IN_DSBL,
	RCVD_IN_NJABL,RCVD_IN_NJABL_RELAY,RCVD_IN_SORBS,REMOVE_SUBJ
	autolearn=no version=2.60
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----------=_3F801FE3.73C31184"

This is a multi-part message in MIME format.

------------=_3F801FE3.73C31184
Content-Type: text/plain
Content-Disposition: inline
Content-Transfer-Encoding: 8bit

Spam detection software, running on the system "relay", has
identified this incoming email as possible spam. The original message
has been attached to this so you can view it (if it isn't spam) or block
similar future email. If you have any questions, see
tatroc@testdomain.com for details.

Content preview: THIS ENTERPRISE IS AWESOMELY FEATURED IN SEPTEMBER 2000
MILLIONAIRE, AUGUST 2000 TYCOONS AND AUGUST 2000 ENTREPRENEUR Magazine.
====> Do you have a burning desire to change the quality of your
existing life? [...]

Content analysis details: (13.6 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 0.3 FROM_HAS_MIXED_NUMS    From: contains numbers mixed in with letters
 0.3 NO_REAL_NAME           From: does not include a real name
 2.0 FROM_HAS_MIXED_NUMS3   From: contains numbers mixed in with letters
 0.1 REMOVE_SUBJ            BODY: List removal information
 2.0 DRASTIC_REDUCED        BODY: Drastically Reduced
 0.0 LINES_OF_YELLING       BODY: A WHOLE LINE OF YELLING DETECTED
 1.6 RAZOR2_CF_RANGE_51_100 BODY: Razor2 gives confidence between 51 and 100
                            [cf: 100]
 0.9 RAZOR2_CHECK           Listed in Razor2 (http://razor.sf.net/)
 0.3 PYZOR_CHECK            Listed in Pyzor (http://pyzor.sf.net/)
 0.4 DATE_IN_PAST_12_24     Date: is 12 to 24 hours before Received: date
 1.1 RCVD_IN_DSBL           RBL: Received via a relay in list.dsbl.org
                            []
 1.3 RCVD_IN_NJABL_RELAY    RBL: NJABL: sender is confirmed open relay
                            [200.28.105.254 listed in dnsbl.njabl.org]
 0.1 RCVD_IN_SORBS          RBL: SORBS: sender is listed in SORBS
                            [63.10.249.142 listed in dnsbl.sorbs.net]
 1.4 DNS_FROM_RFCI_DSN      RBL: From: sender listed in dsn.rfc-ignorant.org
 0.1 RCVD_IN_NJABL          RBL: Received via a relay in dnsbl.njabl.org
                            [200.28.105.254 listed in dnsbl.njabl.org]
 1.8 INVALID_MSGID          Message-Id is not valid, according to RFC 2822

------------=_3F801FE3.73C31184
Content-Type: message/rfc822; x-spam-type=original
Content-Description: original message before SpamAssassin
Content-Disposition: inline
Content-Transfer-Encoding: 8bit

Return-Path: dev_null_sample_spam@example.com
Delivery-Date: Mon, 22 Jan 2001 12:36:25 +0000
Return-Path:
Delivered-To: dev_null_sample_spam@netnoteinc.com
Received: from dogma.slashnull.org (dogma.slashnull.org [212.17.35.15]) by mail.netnoteinc.com (Postfix) with ESMTP id F138F114121 for ; Mon, 22 Jan 2001 12:36:21 +0000 (Eire)
Received: (from dev_null_sample_spam@localhost) by dogma.slashnull.org (8.9.3/8.9.3) id MAA17343 for dev_null_sample_spam@netnoteinc.com; Mon, 22 Jan 2001 12:36:21 GMT
Received: from XeNT.ics.uci.edu (xent.ics.uci.edu [128.195.21.213]) by dogma.slashnull.org (8.9.3/8.9.3) with ESMTP id MAA17336 for ; Mon, 22 Jan 2001 12:36:16 GMT
From: xl6Ety00V@fismat1.fcfm.buap.mx
Received: from blue.mydomain.com (blue.mydomain.com [208.184.130.52]) by XeNT.ics.uci.edu (8.8.5/8.8.5) with ESMTP id EAA16254 for ; Mon, 22 Jan 2001 04:38:11 -0800 (PST)
Received: from ns.fundch.cl (unknown [200.28.105.254]) by blue.mydomain.com (Postfix) with ESMTP id C32333424F for ; Sun, 21 Jan 2001 20:33:02 -0500 (EST)
X-Antispam: rblchk: (RSS) 3 Relayed through blacklisted site 200.28.105.254
Received: from y068k3017 [63.10.249.142] by ns.fundch.cl (SMTPD32-6.00) id A92614DC012A; Sun, 21 Jan 2001 22:21:26 -0400
DATE: 21 Jan 01 8:24:27 PM
Message-ID:
Subject: Home Based Business for Grownups
To: undisclosed-recipients: ;
Sender: dev_null_sample_spam@example.com

THIS ENTERPRISE IS AWESOMELY FEATURED IN SEPTEMBER 2000 MILLIONAIRE,
AUGUST 2000 TYCOONS AND AUGUST 2000 ENTREPRENEUR Magazine.

====> Do you have a burning desire to change the quality of your existing life?
====> Would you like to live the life that others only dream about?
====> The fact is we have many people in our enterprise that earn over 50k per month from the privacy of their own home and are retiring in 2-3 years.
====> Become Wealthy and having total freedom both personal and financial.

READ ON! READ ON! READ ON! READ ON! READ ON! READ ON! READ ON!!!

How would you like to:(LEGALLY & LAWFULLY)

1. KEEP MOST OF YOUR TAX DOLLARS
2. Drastically reduce personal, business and capital gains taxes?
3. Protect all assets from any form of seizure, liens, or judgments?
4. Create a six figure income every 4 months?
5. Restoring and preserving complete personal and financial privacy?
6. Create and amass personal wealth, multiply it and protect it?
7. Realize a 3 to 6 times greater returns on your money?
8. Legally make yourself and your assets completely judgment-proof, SEIZURE-PROOOOF, LIEN-PROOOOOOF, DIVORCE-PROOOOOOF, ATTORNEY-PROOOOOOF, IRS-PROOOOOOF

((((((((((((((((((((BECOME COMPLETELY INSULATED))))))))))))))))))))))))
(((((((((((((((((((((((((HELP PEOPLE DO THE SAME)))))))))))))))))))))))))

===> Are you a thinker, and a person that believes they deserve to have the best in life?
===> Are you capable of recognizing a once in a lifetime opportunity when it's looking right at you?
===> Countless others have missed their shot. Don't look back years later and wish you made the move.
===> It's to my benefit to train you for success.
===> In fact, I'm so sure that I can do so, I'm willing to put my money where my mouth is!
===> Upon accepting you as a member on my team, I will provide you with complete Professional Training as well as FRESH inquiring LEADS to put you immediately on the road to success.

If you are skeptical that's OK but don't let that stop you from getting all the information you need.

DROP THE MOUSE=====> AND CALL 800-320-9895 x2068 <======= DROP THE MOUSE AND CALL
************************************800-320-9895 x2068**************************************

~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
Your E-mail Address Removal/Deletion Instructions:

We comply with proposed federal legislation regarding unsolicited
commercial e-mail by providing you with a method for your e-mail address to
be permanently removed from our database and any future mailings from our
company.

To remove your address, please send an e-mail message with the word REMOVE
in the subject line to: maillistdrop@post.com

If you do not type the word REMOVE in the subject line, your request to be
removed will not be processed.
~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

------------=_3F801FE3.73C31184--

Spam detection software, running on the system "relay", has
identified this incoming email as possible spam. The original message
has been attached to this so you can view it (if it isn't spam) or block
similar future email. If you have any questions, see
tatroc@testdomain.com for details.

Content preview: THIS ENTERPRISE IS AWESOMELY FEATURED IN SEPTEMBER 2000
MILLIONAIRE, AUGUST 2000 TYCOONS AND AUGUST 2000 ENTREPRENEUR Magazine.
====> Do you have a burning desire to change the quality of your
existing life? [...]

Content analysis details: (13.6 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 0.3 FROM_HAS_MIXED_NUMS    From: contains numbers mixed in with letters
 0.3 NO_REAL_NAME           From: does not include a real name
 2.0 FROM_HAS_MIXED_NUMS3   From: contains numbers mixed in with letters
 0.1 REMOVE_SUBJ            BODY: List removal information
 2.0 DRASTIC_REDUCED        BODY: Drastically Reduced
 0.0 LINES_OF_YELLING       BODY: A WHOLE LINE OF YELLING DETECTED
 1.6 RAZOR2_CF_RANGE_51_100 BODY: Razor2 gives confidence between 51 and 100
                            [cf: 100]
 0.9 RAZOR2_CHECK           Listed in Razor2 (http://razor.sf.net/)
 0.3 PYZOR_CHECK            Listed in Pyzor (http://pyzor.sf.net/)
 0.4 DATE_IN_PAST_12_24     Date: is 12 to 24 hours before Received: date
 1.1 RCVD_IN_DSBL           RBL: Received via a relay in list.dsbl.org
                            []
 1.3 RCVD_IN_NJABL_RELAY    RBL: NJABL: sender is confirmed open relay
                            [200.28.105.254 listed in dnsbl.njabl.org]
 0.1 RCVD_IN_SORBS          RBL: SORBS: sender is listed in SORBS
                            [63.10.249.142 listed in dnsbl.sorbs.net]
 1.4 DNS_FROM_RFCI_DSN      RBL: From: sender listed in dsn.rfc-ignorant.org
 0.1 RCVD_IN_NJABL          RBL: Received via a relay in dnsbl.njabl.org
                            [200.28.105.254 listed in dnsbl.njabl.org]
 1.8 INVALID_MSGID          Message-Id is not valid, according to RFC 2822

# Main configuration file for the MailScanner E-Mail Virus Scanner
#
# It's good practice to check through configuration files to make sure
# they fit with your system and your needs, whatever you expect them to
# contain.
#
# Note: If your directories are symlinked (soft-linked) in any way,
# please put their *real* location in here, not a path that
# includes any links. You may get some very strange error
# messages from some of the virus scanners if you don't.
#
# Note for Version 4.00 and above:
# A lot of the settings can take a ruleset as well as just simple
# values. These rulesets are files containing rules which are applied
# to the current message to calculate the value of the configuration
# option. The rules are checked in the order they appear in the ruleset.
#
# Note for Version 4.03 and above:
# As well as rulesets, you can now include your own functions in
# here. Look at the directory containing Config.pm and you will find
# CustomConfig.pm. In here, you can add your own "value" function and
# an Initvalue function to set up any global state you need such as
# database connections. Then for a setting below, you can put:
# Configuration Option = &ValueFunction
# where "ValueFunction" is the name of the function you have
# written in CustomConfig.pm.
#
#
# Definition of variables which are substituted into definitions below
#

# Set the directory containing all the reports in the required language
%report-dir% = /etc/MailScanner/reports/en

# Configuration directory containing this file
%etc-dir% = /etc/MailScanner

# Rulesets directory containing your ".rules" files
%rules-dir% = /etc/MailScanner/rules

# Enter a short identifying name for your organisation below, this is
# used to make the X-MailScanner headers unique for your organisation.
# Multiple servers within one site should use an identical value here
# to avoid adding multiple redundant headers where mail has passed
# through several servers within your organisation.
%org-name% = yoursite

#
# System settings
# ---------------
#

# How many MailScanner processes do you want to run at a time?
# There is no point increasing this figure if your MailScanner server
# is happily keeping up with your mail traffic.
# If you are running on a server with more than 1 CPU, or you have a
# high mail load (and/or slow DNS lookups) then you should see better
# performance if you increase this figure.
# If you are running on a small system with limited RAM, you should
# note that each child takes just over 20MB.
#
# As a rough guide, try 5 children per CPU. But read the notes above.
Max Children = 5

# User to run as (not normally used for sendmail)
#Run As User = mail
#Run As User = postfix
Run As User =

# Group to run as (not normally used for sendmail)
#Run As Group = mail
#Run As Group = postfix
Run As Group =

# How often (in seconds) should each process check the incoming mail
# queue for new messages? If you have a quiet mail server, you might
# want to increase this value so it causes less load on your server, at
# the cost of slightly increasing the time taken for an average message
# to be processed.
Queue Scan Interval = 5

# Set location of incoming mail queue
#
# This can be any one of
# 1. A directory name
# Example: /var/spool/mqueue.in
# 2. A wildcard giving directory names
# Example: /var/spool/mqueue.in/*
# 3. The name of a file containing a list of directory names,
# which can in turn contain wildcards.
# Example: /etc/MailScanner/mqueue.in.list.conf
#
Incoming Queue Dir = /var/spool/mqueue.in

# Set location of outgoing mail queue.
# This can also be the filename of a ruleset.
Outgoing Queue Dir = /var/spool/mqueue

# Set where to unpack incoming messages before scanning them
Incoming Work Dir = /var/spool/MailScanner/incoming

# Set where to store infected and message attachments (if they are kept)
# This can also be the filename of a ruleset.
Quarantine Dir = /var/spool/MailScanner/quarantine

# Set where to store the process id number so you can stop MailScanner
PID file = /var/run/MailScanner.pid

# To avoid resource leaks, re-start periodically
Restart Every = 14400

# Set whether to use postfix, sendmail, exim or zmailer.
# If you are using postfix, then see the "SpamAssassin User State Dir"
# setting near the end of this file
MTA = sendmail

# Set how to invoke MTA when sending messages MailScanner has created
# (e.g. to sender/recipient saying "found a virus in your message")
# This can also be the filename of a ruleset.
Sendmail = /usr/sbin/sendmail

# Sendmail2 is provided for Exim users.
# It is the command used to attempt delivery of outgoing cleaned/disinfected
# messages.
# This is not usually required for sendmail.
# This can also be the filename of a ruleset.
#For Exim users: Sendmail2 = /usr/sbin/exim -C /etc/exim/exim_send.conf
#For sendmail users: Sendmail2 = /usr/sbin/sendmail
#Sendmail2 = /usr/sbin/sendmail -C /etc/exim/exim_send.conf
Sendmail2 = /usr/sbin/sendmail

#
# Processing Incoming Mail
# ------------------------
#

# In every batch of virus-scanning, limit the maximum
# a) number of unscanned messages to deliver
# b) number of potentially infected messages to unpack and scan
# c) total size of unscanned messages to deliver
# d) total size of potentially infected messages to unpack and scan
Max Unscanned Bytes Per Scan = 100000000
Max Unsafe Bytes Per Scan = 50000000
Max Unscanned Messages Per Scan = 30
Max Unsafe Messages Per Scan = 30

# Expand TNEF attachments using an external program (or a Perl module)?
# This should be "yes" unless the scanner you are using (Sophos, McAfee) has
# the facility built-in. However, if you set it to "no", then the filenames
# within the TNEF attachment will not be checked against the filename rules.
Expand TNEF = yes

# Some versions of Microsoft Outlook generate unparsable Rich Text
# format attachments. Do we want to deliver these bad attachments anyway?
# Setting this to yes introduces the slight risk of a virus getting through,
# but if you have a lot of troubled Outlook users you might need to do this.
# We are working on a replacement for the TNEF decoder.
# This can also be the filename of a ruleset.
Deliver Unparsable TNEF = no

# Where the MS-TNEF expander is installed.
# This is EITHER the full command (including maxsize option) that runs
# the external TNEF expander binary,
# OR the keyword "internal" which will make MailScanner use the Perl
# module that does the same job.
# They are both provided as I am unsure which one is faster and which
# one is capable of expanding more file formats (there are plenty!).
#
# The --maxsize option limits the maximum size that any expanded attachment
# may be. It helps protect against Denial Of Service attacks in TNEF files.
#TNEF Expander = internal
# This can also be the filename of a ruleset.
TNEF Expander = /usr/bin/tnef --maxsize=100000000

# The maximum length of time the TNEF Expander is allowed to run for 1 message.
# (in seconds)
TNEF Timeout = 120

# Where the "file" command is installed.
# This is used for checking the content type of files, regardless of their
# filename.
# To disable Filetype checking, set this value to blank.
File Command = #/usr/bin/file

# The maximum length of time the "file" command is allowed to run for 1
# batch of messages (in seconds)
File Timeout = 20

# The maximum size of any message including the headers. If this is set to
# zero, then no size checking is done.
# This can also be the filename of a ruleset, so you can have different
# settings for different users. You might want to set this quite small for
# dialup users so their email applications don't time out downloading huge
# messages.
Maximum Message Size = 0

#
# Virus Scanning and Vulnerability Testing
# ----------------------------------------
#

# Do you want to scan email for viruses?
# A few people don't have a virus scanner licence and so want to disable
# all the virus scanning.
# NOTE: This switch actually switches on/off all processing of the email
# messages. If you just want to switch off actual virus scanning,
# then set "Virus Scanners = none" instead.
#
# If you want to be able to switch scanning on/off for different users or
# different domains, set this to the filename of a ruleset.
# This can also be the filename of a ruleset.
Virus Scanning = no

# Which Virus Scanning package to use:
# sophos from www.sophos.com, or
# sophossavi (also from www.sophos.com, using the SAVI perl module), or
# mcafee from www.mcafee.com, or
# command from www.command.co.uk, or
# kaspersky from www.kaspersky.com, or
# kavdaemonclient from www.kaspersky.com, or
# etrust from http://www3.ca.com/Solutions/Product.asp?ID=156, or
# inoculate from www.cai.com/products/inoculateit.htm, or
# inoculan from ftp.ca.com/pub/getbbs/linux.eng/inoctar.LINUX.Z, or
# nod32 from www.nod32.com, or
# f-secure from www.f-secure.com, or
# f-prot from www.f-prot.com, or
# panda from www.pandasoftware.com, or
# rav from www.ravantivirus.com, or
# antivir from www.antivir.de, or
# clamav from clamav.elektrapro.com, or
# trend from www.trendmicro.com, or
# none (no virus scanning at all)
#
# Note for McAfee users: do not use any symlinks with McAfee at all. It is
# very strange but may not detect all viruses when
# started from a symlink or scanning a directory path
# including symlinks.
#
# Note: If you want to use multiple virus scanners, then this should be a
# space-separated list of virus scanners. For example:
# Virus Scanners = sophos f-prot mcafee
#
# Note: Make sure that you check that the base installation directory in the
# 3rd column of virus.scanners.conf matches the location you have
# installed each of your virus scanners. The supplied
# virus.scanners.conf file assumes the default installation locations
# recommended by each of the virus scanner installation guides.
#
Virus Scanners = none

# The maximum length of time the commercial virus scanner is allowed to run
# for 1 batch of messages (in seconds).
Virus Scanner Timeout = 300

# Should I attempt to disinfect infected attachments and then deliver
# the clean ones. "Disinfection" involves removing viruses from files
# (such as removing macro viruses from documents). "Cleaning" is the
# replacement of infected attachments with "VirusWarning.txt" text
# attachments.
# This can also be the filename of a ruleset.
Deliver Disinfected Files = yes

# Strings listed here will be searched for in the output of the virus scanners.
# It is used to list which viruses should be handled differently from other
# viruses. If a virus name is given here, then
# 1) The sender will not be warned that he sent it
# 2) No attempt at true disinfection will take place
# (but it will still be "cleaned" by removing the nasty attachments
# from the message)
# 3) The recipient will not receive the message,
# unless the "Still Deliver Silent Viruses" option is set
# Other words that can be put in this list are the 3 special keywords
# HTML-IFrame : inserting this will stop senders being warned about
# HTML Iframe tags, when they are not allowed.
# HTML-Codebase : inserting this will stop senders being warned about
# HTML Object Codebase tags, when they are not allowed.
# HTML-Form : inserting this will stop senders being warned about
# HTML Form tags, when they are not allowed.
# All-Viruses : inserting this will stop senders being warned about
# any virus, while still allowing you to warn senders
# about HTML-based attacks.
#
# This can also be the filename of a ruleset.
Silent Viruses = HTML-IFrame Klez Yaha-E Bugbear Braid-A WinEvar Palyh Sobig Fizzer Ganda Mimail

# Still deliver (after cleaning) messages that contained viruses listed
# in the above option ("Silent Viruses") to the recipient?
# Setting this to "yes" is good because it shows management that MailScanner
# is protecting them, but it is bad because they have to filter/delete all
# the incoming virus warnings.
# This can also be the filename of a ruleset.
Still Deliver Silent Viruses = yes

# Should encrypted messages be blocked?
# This is useful if you are wary about your users sending encrypted
# messages to your competition.
# This can be a ruleset so you can block encrypted message to certain domains.
Block Encrypted Messages = no

# Should unencrypted messages be blocked?
# This could be used to ensure all your users send messages outside your
# company encrypted to avoid snooping of mail to your business partners.
# This can be a ruleset so you can just check mail to certain users/domains.
Block Unencrypted Messages = no

#
# Options specific to Sophos Anti-Virus
# -------------------------------------
#

# Anything on the next line that appears in brackets at the end of a line
# of output from Sophos will cause the error/infection to be ignored.
# Use of this option is dangerous, and should only be used if you are having
# trouble with lots of corrupt PDF files, for example.
# If you need to specify more than 1 string to find in the error message,
# then put each string in quotes and separate them with a comma.
# For example:
#Allowed Sophos Error Messages = "corrupt", "format not supported"
Allowed Sophos Error Messages =

# The directory (or a link to it) containing all the Sophos *.ide files.
# This is only used by the "sophossavi" virus scanner, and is irrelevant
# for all other scanners.
Sophos IDE Dir = /usr/local/Sophos/ide

# The directory (or a link to it) containing all the Sophos *.so libraries.
# This is only used by the "sophossavi" virus scanner, and is irrelevant
# for all other scanners.
Sophos Lib Dir = /usr/local/Sophos/lib

# SophosSAVI only: monitor each of these files for changes in size to
# detect when a Sophos update has happened. The date of the Sophos Lib Dir
# is also monitored.
# This is only used by the "sophossavi" virus scanner, not the "sophos"
# scanner setting.
Monitors For Sophos Updates = /usr/local/Sophos/ide/*ides.zip

#
# Removing/Logging dangerous or potentially offensive content
# -----------------------------------------------------------
#

# Do you want to allow partial messages, which only contain a fraction of
# the attachments, not the whole thing? There is absolutely no way to
# scan these "partial messages" properly for viruses, as MailScanner never
# sees all of the attachment at the same time. Enabling this option can
# allow viruses through. You have been warned.
# This can also be the filename of a ruleset so you can, for example, allow
# them in outgoing mail but not in incoming mail.
Allow Partial Messages = no

# Do you want to allow messages whose body is stored somewhere else on the
# internet, which is downloaded separately by the user's email package?
# There is no way to guarantee that the file fetched by the user's email
# package is free from viruses, as MailScanner never sees it.
# This feature is dangerous as it can allow viruses to be fetched from
# other Internet sites by a user's email package. The user would just
# think it was a normal email attachment and would have been scanned by
# MailScanner.
# It is only currently supported by Netscape 6 anyway, and the only people
# who it are the IETF. So I would strongly advise leaving this switched off.
# This can also be the filename of a ruleset.
Allow External Message Bodies = no

# Do you want to allow